This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/Analysis/
-
Analysis/
2/6
PathDiagnostic.cpp
-
test/Analysis/
-
Analysis/
2
malloc.c
1
pr22954.c

Differential D83115

[Analyzer] Report every bug if only uniqueing location differs.
ClosedPublic

Authored by balazske on Jul 2 2020, 11:57 PM.

Download Raw Diff

Details

Reviewers

Szelethus
baloghadamsoftware
NoQ
vsavchenko
xazax.hun
martong

Commits

rG22a084cfa337: [Analyzer] Report every bug if only uniqueing location differs.

Summary

Two CSA bug reports where only the uniqueing location is different
should be treated as different problems. The role of uniqueing location
is to differentiate bug reports.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

balazske created this revision.Jul 2 2020, 11:57 PM

Herald added a reviewer: Szelethus. · View Herald TranscriptJul 2 2020, 11:57 PM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: cfe-commits, ASDenysPetrov, martong and 10 others. · View Herald Transcript

balazske added a child revision: D82845: [Analyzer][StreamChecker] Report every leak, clean up state..Jul 2 2020, 11:58 PM

balazske added a reviewer: baloghadamsoftware.Jul 3 2020, 12:03 AM

Herald added a subscriber: rnkovacs. · View Herald TranscriptJul 3 2020, 12:03 AM

Harbormaster failed remote builds in B62805: Diff 275301!Jul 3 2020, 1:03 AM

baloghadamsoftware added inline comments.Jul 3 2020, 2:46 AM

clang/lib/Analysis/PathDiagnostic.cpp
333	Why this asymmetry?
389	Asymmetry again. What if YUL is valid?

balazske marked 2 inline comments as done.Jul 3 2020, 3:46 AM

balazske added inline comments.

clang/lib/Analysis/PathDiagnostic.cpp
333	The function returns something like "`XL` is less than `YL`". The invalid source locations should come always as first (or last?) in the ordering.
389	Here we have already a precondition that `XUL == YUL` (from line 358).

Szelethus added reviewers: NoQ, vsavchenko, xazax.hun, martong.Jul 10 2020, 4:29 AM

Szelethus added a subscriber: NoQ.

Szelethus added inline comments.

clang/lib/Analysis/PathDiagnostic.cpp
1136–1137	This looks a bit odd -- why do we need both of these? Also, didn't we use uniqueing location in the `BugReportEquivClass` or whatever its called? Why do we need to add this here as well? I would like some technical explanation.
clang/test/Analysis/malloc.c
793	On an unrelated note, shouldn't one of the notes be here? @NoQ, is this the same issue as the one you raised with zombie symbols? http://lists.llvm.org/pipermail/cfe-dev/2016-March/047922.html
clang/test/Analysis/pr22954.c
346–357	What a god awful test case.

balazske mentioned this in D83120: [Analyzer][StreamChecker] Use BugType::SuppressOnSink at resource leak report..Jul 10 2020, 7:01 AM

NoQ accepted this revision.Jul 13 2020, 10:38 PM

NoQ added inline comments.

clang/lib/Analysis/PathDiagnostic.cpp
1136–1137	As of now it probably does nothing. But technically we allow our users to set a completely arbitrary uniqueing decl that doesn't necessarily correspond to the uniqueing location, so we'll probably need to take it into account. Generally, uniqueing decls are for uniqueing and otherwise identifying bugs regardless of slight changes in the source code. Currently this means issue hashes.
clang/test/Analysis/malloc.c
793	The warning about the first malloc indeed probably required the zombie symbol bug to be fixed. That said, the warning isn't really guaranteed to be on that line, because there's no guarantee that dead symbol collection runs immediately after the overwrite (which causes the symbol to become dead), and the overwrite is in fact the last thing that happens in this function.

This revision is now accepted and ready to land.Jul 13 2020, 10:38 PM

Closed by commit rG22a084cfa337: [Analyzer] Report every bug if only uniqueing location differs. (authored by balazske). · Explain WhyJul 15 2020, 3:17 AM

This revision was automatically updated to reflect the committed changes.

balazske mentioned this in D83190: [analyzer] Model iterator random incrementation symmetrically.Jul 21 2020, 9:20 AM

Whoops, i meant to post the comment in https://reviews.llvm.org/rG22a084cfa337d5e5ea90eba5261f7937e28d250b#937772 here. Anyway, i found a crash caused by this patch.

Crash is fixed here: D84843

Revision Contents

Path

Size

clang/

lib/

Analysis/

PathDiagnostic.cpp

37 lines

test/

Analysis/

malloc.c

3 lines

pr22954.c

2 lines

Diff 278126

clang/lib/Analysis/PathDiagnostic.cpp

Show First 20 Lines • Show All 321 Lines • ▼ Show 20 Lines	for ( ; X_I != X_end && Y_I != Y_end; ++X_I, ++Y_I) {
if (b.hasValue())		if (b.hasValue())
return b.getValue();		return b.getValue();
}		}

return None;		return None;
}		}

static bool compareCrossTUSourceLocs(FullSourceLoc XL, FullSourceLoc YL) {		static bool compareCrossTUSourceLocs(FullSourceLoc XL, FullSourceLoc YL) {
		if (XL.isInvalid() && YL.isValid())
		return true;
		if (XL.isValid() && YL.isInvalid())
		return false;
		baloghadamsoftwareUnsubmitted Not Done Reply Inline Actions Why this asymmetry? baloghadamsoftware: Why this asymmetry?
		balazskeAuthorUnsubmitted Done Reply Inline Actions The function returns something like "`XL` is less than `YL`". The invalid source locations should come always as first (or last?) in the ordering. balazske: The function returns something like "`XL` is less than `YL`". The invalid source locations…
std::pair<FileID, unsigned> XOffs = XL.getDecomposedLoc();		std::pair<FileID, unsigned> XOffs = XL.getDecomposedLoc();
std::pair<FileID, unsigned> YOffs = YL.getDecomposedLoc();		std::pair<FileID, unsigned> YOffs = YL.getDecomposedLoc();
const SourceManager &SM = XL.getManager();		const SourceManager &SM = XL.getManager();
std::pair<bool, bool> InSameTU = SM.isInTheSameTranslationUnit(XOffs, YOffs);		std::pair<bool, bool> InSameTU = SM.isInTheSameTranslationUnit(XOffs, YOffs);
if (InSameTU.first)		if (InSameTU.first)
return XL.isBeforeInTranslationUnitThan(YL);		return XL.isBeforeInTranslationUnitThan(YL);
const FileEntry *XFE = SM.getFileEntryForID(XL.getSpellingLoc().getFileID());		const FileEntry *XFE = SM.getFileEntryForID(XL.getSpellingLoc().getFileID());
const FileEntry *YFE = SM.getFileEntryForID(YL.getSpellingLoc().getFileID());		const FileEntry *YFE = SM.getFileEntryForID(YL.getSpellingLoc().getFileID());
if (!XFE \|\| !YFE)		if (!XFE \|\| !YFE)
return XFE && !YFE;		return XFE && !YFE;
int NameCmp = XFE->getName().compare(YFE->getName());		int NameCmp = XFE->getName().compare(YFE->getName());
if (NameCmp != 0)		if (NameCmp != 0)
return NameCmp == -1;		return NameCmp == -1;
// Last resort: Compare raw file IDs that are possibly expansions.		// Last resort: Compare raw file IDs that are possibly expansions.
return XL.getFileID() < YL.getFileID();		return XL.getFileID() < YL.getFileID();
}		}

static bool compare(const PathDiagnostic &X, const PathDiagnostic &Y) {		static bool compare(const PathDiagnostic &X, const PathDiagnostic &Y) {
FullSourceLoc XL = X.getLocation().asLocation();		FullSourceLoc XL = X.getLocation().asLocation();
FullSourceLoc YL = Y.getLocation().asLocation();		FullSourceLoc YL = Y.getLocation().asLocation();
if (XL != YL)		if (XL != YL)
return compareCrossTUSourceLocs(XL, YL);		return compareCrossTUSourceLocs(XL, YL);
		FullSourceLoc XUL = X.getUniqueingLoc().asLocation();
		FullSourceLoc YUL = Y.getUniqueingLoc().asLocation();
		if (XUL != YUL)
		return compareCrossTUSourceLocs(XUL, YUL);
if (X.getBugType() != Y.getBugType())		if (X.getBugType() != Y.getBugType())
return X.getBugType() < Y.getBugType();		return X.getBugType() < Y.getBugType();
if (X.getCategory() != Y.getCategory())		if (X.getCategory() != Y.getCategory())
return X.getCategory() < Y.getCategory();		return X.getCategory() < Y.getCategory();
if (X.getVerboseDescription() != Y.getVerboseDescription())		if (X.getVerboseDescription() != Y.getVerboseDescription())
return X.getVerboseDescription() < Y.getVerboseDescription();		return X.getVerboseDescription() < Y.getVerboseDescription();
if (X.getShortDescription() != Y.getShortDescription())		if (X.getShortDescription() != Y.getShortDescription())
return X.getShortDescription() < Y.getShortDescription();		return X.getShortDescription() < Y.getShortDescription();
if (X.getDeclWithIssue() != Y.getDeclWithIssue()) {		auto CompareDecls = [&XL](const Decl D1, const Decl D2) -> Optional<bool> {
const Decl *XD = X.getDeclWithIssue();		if (D1 == D2)
if (!XD)		return None;
		if (!D1)
return true;		return true;
const Decl *YD = Y.getDeclWithIssue();		if (!D2)
if (!YD)
return false;		return false;
SourceLocation XDL = XD->getLocation();		SourceLocation D1L = D1->getLocation();
SourceLocation YDL = YD->getLocation();		SourceLocation D2L = D2->getLocation();
if (XDL != YDL) {		if (D1L != D2L) {
const SourceManager &SM = XL.getManager();		const SourceManager &SM = XL.getManager();
return compareCrossTUSourceLocs(FullSourceLoc(XDL, SM),		return compareCrossTUSourceLocs(FullSourceLoc(D1L, SM),
FullSourceLoc(YDL, SM));		FullSourceLoc(D2L, SM));
}		}
		return None;
		};
		if (auto Result = CompareDecls(X.getDeclWithIssue(), Y.getDeclWithIssue()))
		return *Result;
		if (XUL.isValid()) {
		if (auto Result = CompareDecls(X.getUniqueingDecl(), Y.getUniqueingDecl()))
		return *Result;
}		}
		baloghadamsoftwareUnsubmitted Not Done Reply Inline Actions Asymmetry again. What if YUL is valid? baloghadamsoftware: Asymmetry again. What if YUL is valid?
		balazskeAuthorUnsubmitted Done Reply Inline Actions Here we have already a precondition that `XUL == YUL` (from line 358). balazske: Here we have already a precondition that `XUL == YUL` (from line 358).
PathDiagnostic::meta_iterator XI = X.meta_begin(), XE = X.meta_end();		PathDiagnostic::meta_iterator XI = X.meta_begin(), XE = X.meta_end();
PathDiagnostic::meta_iterator YI = Y.meta_begin(), YE = Y.meta_end();		PathDiagnostic::meta_iterator YI = Y.meta_begin(), YE = Y.meta_end();
if (XE - XI != YE - YI)		if (XE - XI != YE - YI)
return (XE - XI) < (YE - YI);		return (XE - XI) < (YE - YI);
for ( ; XI != XE ; ++XI, ++YI) {		for ( ; XI != XE ; ++XI, ++YI) {
if (XI != YI)		if (XI != YI)
return (XI) < (YI);		return (XI) < (YI);
}		}
▲ Show 20 Lines • Show All 730 Lines • ▼ Show 20 Lines
}		}

void PathDiagnosticPopUpPiece::Profile(llvm::FoldingSetNodeID &ID) const {		void PathDiagnosticPopUpPiece::Profile(llvm::FoldingSetNodeID &ID) const {
PathDiagnosticSpotPiece::Profile(ID);		PathDiagnosticSpotPiece::Profile(ID);
}		}

void PathDiagnostic::Profile(llvm::FoldingSetNodeID &ID) const {		void PathDiagnostic::Profile(llvm::FoldingSetNodeID &ID) const {
ID.Add(getLocation());		ID.Add(getLocation());
		ID.Add(getUniqueingLoc());
		ID.AddPointer(getUniqueingLoc().isValid() ? getUniqueingDecl() : nullptr);
		SzelethusUnsubmitted Not Done Reply Inline Actions This looks a bit odd -- why do we need both of these? Also, didn't we use uniqueing location in the `BugReportEquivClass` or whatever its called? Why do we need to add this here as well? I would like some technical explanation. Szelethus: This looks a bit odd -- why do we need both of these? Also, didn't we use uniqueing location…
		NoQUnsubmitted Not Done Reply Inline Actions As of now it probably does nothing. But technically we allow our users to set a completely arbitrary uniqueing decl that doesn't necessarily correspond to the uniqueing location, so we'll probably need to take it into account. Generally, uniqueing decls are for uniqueing and otherwise identifying bugs regardless of slight changes in the source code. Currently this means issue hashes. NoQ: As of now it probably does nothing. But technically we allow our users to set a completely…
ID.AddString(BugType);		ID.AddString(BugType);
ID.AddString(VerboseDesc);		ID.AddString(VerboseDesc);
ID.AddString(Category);		ID.AddString(Category);
}		}

void PathDiagnostic::FullProfile(llvm::FoldingSetNodeID &ID) const {		void PathDiagnostic::FullProfile(llvm::FoldingSetNodeID &ID) const {
Profile(ID);		Profile(ID);
for (const auto &I : path)		for (const auto &I : path)
▲ Show 20 Lines • Show All 92 Lines • Show Last 20 Lines

clang/test/Analysis/malloc.c

	Show First 20 Lines • Show All 784 Lines • ▼ Show 20 Lines
	void mallocEscapeMalloc() {			void mallocEscapeMalloc() {
	int *p = malloc(12);			int *p = malloc(12);
	myfoo(p);			myfoo(p);
	p = malloc(12);			p = malloc(12);
	} // expected-warning{{Potential leak of memory pointed to by}}			} // expected-warning{{Potential leak of memory pointed to by}}

	void mallocMalloc() {			void mallocMalloc() {
	int *p = malloc(12);			int *p = malloc(12);
	p = malloc(12);			p = malloc(12);
				SzelethusUnsubmitted Not Done Reply Inline Actions On an unrelated note, shouldn't one of the notes be here? @NoQ, is this the same issue as the one you raised with zombie symbols? http://lists.llvm.org/pipermail/cfe-dev/2016-March/047922.html Szelethus: On an unrelated note, shouldn't one of the notes be here? @NoQ, is this the same issue as the…
				NoQUnsubmitted Not Done Reply Inline Actions The warning about the first malloc indeed probably required the zombie symbol bug to be fixed. That said, the warning isn't really guaranteed to be on that line, because there's no guarantee that dead symbol collection runs immediately after the overwrite (which causes the symbol to become dead), and the overwrite is in fact the last thing that happens in this function. NoQ: The warning about the first malloc indeed probably required the zombie symbol bug to be fixed.
	} // expected-warning {{Potential leak of memory pointed to by}}			} // expected-warning {{Potential leak of memory pointed to by}}\
				// expected-warning {{Potential leak of memory pointed to by}}

	void mallocFreeMalloc() {			void mallocFreeMalloc() {
	int *p = malloc(12);			int *p = malloc(12);
	free(p);			free(p);
	p = malloc(12);			p = malloc(12);
	free(p);			free(p);
	}			}

	▲ Show 20 Lines • Show All 1,080 Lines • Show Last 20 Lines

clang/test/Analysis/pr22954.c

	Show First 20 Lines • Show All 337 Lines • ▼ Show 20 Lines
	};			};

	struct JJ {			struct JJ {
	struct jj s1[3];			struct jj s1[3];
	char * s2;			char * s2;
	};			};

	int f19(int i) {			int f19(int i) {
	struct JJ J0 = {{{1, 2, 0}, {3, 4, 0}, {5, 6, 0}}, 0};			struct JJ J0 = {{{1, 2, 0}, {3, 4, 0}, {5, 6, 0}}, 0};
	J0.s2 = strdup("hello");			J0.s2 = strdup("hello");
	J0.s1[0].s2 = strdup("hello");			J0.s1[0].s2 = strdup("hello");
	J0.s1[1].s2 = strdup("hi");			J0.s1[1].s2 = strdup("hi");
	J0.s1[2].s2 = strdup("world");			J0.s1[2].s2 = strdup("world");
	char input[2] = {'a', 'b'};			char input[2] = {'a', 'b'};
	memcpy(J0.s1[i].s1, input, 2);			memcpy(J0.s1[i].s1, input, 2);
	clang_analyzer_eval(J0.s1[0].s1[0] == 1); // expected-warning{{UNKNOWN}}\			clang_analyzer_eval(J0.s1[0].s1[0] == 1); // expected-warning{{UNKNOWN}}\
	expected-warning{{Potential leak of memory pointed to by field 's2'}}\			expected-warning{{Potential leak of memory pointed to by field 's2'}}\
				expected-warning{{Potential leak of memory pointed to by field 's2'}}\
				expected-warning{{Potential leak of memory pointed to by field 's2'}}\
	expected-warning{{Potential leak of memory pointed to by 'J0.s2'}}			expected-warning{{Potential leak of memory pointed to by 'J0.s2'}}
				SzelethusUnsubmitted Not Done Reply Inline Actions What a god awful test case. Szelethus: What a god awful test case.
	clang_analyzer_eval(J0.s1[0].s1[1] == 2); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(J0.s1[0].s1[1] == 2); // expected-warning{{UNKNOWN}}
	clang_analyzer_eval(J0.s1[1].s1[0] == 3); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(J0.s1[1].s1[0] == 3); // expected-warning{{UNKNOWN}}
	clang_analyzer_eval(J0.s1[1].s1[1] == 4); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(J0.s1[1].s1[1] == 4); // expected-warning{{UNKNOWN}}
	clang_analyzer_eval(J0.s1[2].s1[0] == 5); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(J0.s1[2].s1[0] == 5); // expected-warning{{UNKNOWN}}
	clang_analyzer_eval(J0.s1[2].s1[1] == 6); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(J0.s1[2].s1[1] == 6); // expected-warning{{UNKNOWN}}
	clang_analyzer_eval(J0.s1[i].s1[0] == 5); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(J0.s1[i].s1[0] == 5); // expected-warning{{UNKNOWN}}
	clang_analyzer_eval(J0.s1[i].s1[1] == 6); // expected-warning{{UNKNOWN}}			clang_analyzer_eval(J0.s1[i].s1[1] == 6); // expected-warning{{UNKNOWN}}
	// FIXME: memory leak warning for J0.s2 should be emitted here instead of after memcpy call.			// FIXME: memory leak warning for J0.s2 should be emitted here instead of after memcpy call.
	▲ Show 20 Lines • Show All 554 Lines • Show Last 20 Lines