This is an archive of the discontinued LLVM Phabricator instance.

Differential D9040

[analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).
ClosedPublic

Authored by ayartsev on Apr 15 2015, 2:33 PM.

Details

Reviewers
zaks.anna
Commits
rG817717375710: [analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).
rC248336: [analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).
rL248336: [analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0).
Summary

Currently realloc(ptr, 0) is treated as free() which seems to be not correct. C standard (N1570) establishes equivalent behavior for malloc(0) and realloc(ptr, 0):
"7.22.3 Memory management functions calloc, malloc, realloc: If the size of the space requested is zero, the behavior is implementation-defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object."
The patch equalizes the processing of malloc(0) and realloc(ptr,0).
The patch also enables unix.Malloc checker to detect references to zero-allocated memory returned by realloc(ptr,0) ("Use of zero-allocated memory" warning).
Please review.

Diff Detail

Repository
rL LLVM

Event Timeline

ayartsev updated this revision to Diff 23800.Apr 15 2015, 2:33 PM
ayartsev retitled this revision from to [analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0)..
ayartsev updated this object.
ayartsev edited the test plan for this revision. (Show Details)
ayartsev added a reviewer: zaks.anna.
ayartsev added subscribers: jordan_rose, krememek, Unknown Object (MLST).
ayartsev added a comment.Apr 30 2015, 6:37 AM

Ping.

ayartsev added a comment.May 14 2015, 5:24 PM

Ping.

zaks.anna edited edge metadata.May 14 2015, 6:13 PM

C89 says: "If size is zero and ptr is not a null pointer, the object it points to is freed." I believe C89 and C99 disagree here.

I don't think we should add warnings for code that follows C89.

joerg added a subscriber: joerg.May 15 2015, 1:53 AM

I don't believe we have to change anything here. The historic behavior of realloc(ptr, 0) is free(ptr) + returning NULL. That is also valid behavior under C11 where the behavior of malloc(0) is implemtation defined.

ayartsev updated this revision to Diff 26046.May 19 2015, 4:31 AM
ayartsev edited edge metadata.

Updated the patch. Left an old behavior for C89. Please review.

In D9040#173371, @joerg wrote:

I don't believe we have to change anything here. The historic behavior of realloc(ptr, 0) is free(ptr) + returning NULL. That is also valid behavior under C11 where the behavior of malloc(0) is implemtation defined.

This behavior is not valid since C99. Under C99 and C11 the pure "If the size of the space requested is zero, the behavior is implementation-defined" (The C89 Draft) was restricted to "If the size of the space requested is zero, the ehavior is implementation-defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object." (C99 N1256 p.7.20.3; C11 N1570 p.7.22.3).

Another reason for tracking the return value from realloc(ptr, 0) is in ability to detect accesses to zero-allocated memory in realloc case which is currently missing. (http://reviews.llvm.org/D8273).

joerg added a comment.May 19 2015, 4:35 AM

With malloc(0) returning NULL, it is exactly the same behavior as historically observed for realloc(foo, 0).

ayartsev added a comment.May 19 2015, 6:11 AM

Yes, the behavior for realloc returning NULL remained unchanged (reallocPtrZero2() test handles this).

ayartsev added a comment.May 27 2015, 8:34 AM

Ping.

zaks.anna added a comment.May 27 2015, 10:59 AM

I am not convinced that this is the right approach.

Adding warnings about use of zero allocated memory is fine. However, introducing the new leak warnings is not as this might be the behavior people expect.

Keep in mind that we try to minimize the number of false positives in the analyzer; even if that means we are reducing the number of true positives.

ayartsev updated this revision to Diff 26647.May 27 2015, 5:03 PM

Got it. Attached is an updated patch, please review.

zaks.anna added a comment.May 29 2015, 9:49 AM

Here is a related enhancement request: https://llvm.org/bugs/show_bug.cgi?id=23695

ayartsev added a comment.Jun 1 2015, 6:42 AM

The request is cancelled, unix.Malloc already handles both cases (usage after free and leak if realloc fails and reallocated memory is not freed.

ayartsev added a comment.Jun 17 2015, 5:43 PM

Ping.

zaks.anna added inline comments.Jun 17 2015, 10:23 PM
lib/StaticAnalyzer/Checkers/MallocChecker.cpp
158 ↗(On Diff #26647)

This struct does not contain any fields. What's its purpose?

524 ↗(On Diff #26647)

Maybe you should use a set of SymbolRefs instead?

ayartsev updated this revision to Diff 33134.Aug 25 2015, 3:12 PM

Please review!

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
158 ↗(On Diff #26647)

This struct is a flag that if attached indicates a zero-size reallocation. Improved class description in the updated patch.

524 ↗(On Diff #26647)

This may produce false-positives as you explained me in D8273. Here is a modified example from D8273:

if (b)
  s= 10;
else
  s = 0;
int *p = malloc(8);
int *q = realloc(p, s);
if (b)
  *q = 1;

If the checker explores "realloc(p, s)" along the "s=0" path and add it to the set we'll get a false-positive along the "s=10" path later.

Included corresponding tests to the updated patch.

ayartsev added a comment.Sep 1 2015, 1:41 PM

Ping

zaks.anna added inline comments.Sep 1 2015, 2:03 PM
lib/StaticAnalyzer/Checkers/MallocChecker.cpp
523 ↗(On Diff #33134)

I do not think this is related to my question.

You add a map from a symbol to a "flag" here; not really a flag but the empty struct ReallocSizeZero. The only ways this is used is to set in the state that the symbol is zero realloced or query if the specific symbol is zero realloced. It seems that using the set of zero realloced symbols would be the right data structure here.

Why do we need the extra complexity of the map and the empty struct?

ayartsev updated this revision to Diff 33740.Sep 1 2015, 3:01 PM
ayartsev added inline comments.
lib/StaticAnalyzer/Checkers/MallocChecker.cpp
523 ↗(On Diff #33134)

Got it! Updated the patch.

ayartsev added a comment.Sep 7 2015, 3:46 PM

Ping.

ayartsev updated this revision to Diff 34583.Sep 11 2015, 1:49 PM

Updated the patch after r246978. Please review!

ayartsev added a comment.Sep 16 2015, 10:22 AM

Ping.

ayartsev added a comment.Sep 21 2015, 4:15 PM

Ping.

zaks.anna accepted this revision.Sep 21 2015, 6:45 PM
zaks.anna edited edge metadata.

See the suggestion for an improved comment. Otherwise, LGTM!

Thanks!
Anna.

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
902 ↗(On Diff #34583)

"Historically 'realloc(ptr, 0)' is treated as 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not tracked." -> "The value returned from 'realloc(ptr, 0)' is not tracked since historically 'realloc(ptr, 0)' is treated as 'free(ptr)' and the analyzer supports that model. However, we want to report uses of zero-allocated memory that get returned by realloc."

This revision is now accepted and ready to land.Sep 21 2015, 6:45 PM
Closed by commit rL248336: [analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0). (authored by dcoughlin). · Explain WhySep 22 2015, 3:48 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
38 lines
test/
Analysis/
34 lines

Diff 35432

cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 502 Lines▼ Show 20 Lines public:
} }
}; };
}; };
}; };
} // end anonymous namespace } // end anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState) REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, SymbolRef, RefState)
REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
REGISTER_SET_WITH_PROGRAMSTATE(ReallocSizeZeroSymbols, SymbolRef)
// A map from the freed symbol to the symbol representing the return value of // A map from the freed symbol to the symbol representing the return value of
// the free function. // the free function.
REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef)
namespace { namespace {
class StopTrackingCallback final : public SymbolVisitor { class StopTrackingCallback final : public SymbolVisitor {
ProgramStateRef state; ProgramStateRef state;
▲ Show 20 LinesShow All 367 Lines▼ Show 20 LinesProgramStateRef MallocChecker::ProcessZeroAllocation(CheckerContext &C,
if (TrueState && !FalseState) { if (TrueState && !FalseState) {
SVal retVal = State->getSVal(E, C.getLocationContext()); SVal retVal = State->getSVal(E, C.getLocationContext());
SymbolRef Sym = retVal.getAsLocSymbol(); SymbolRef Sym = retVal.getAsLocSymbol();
if (!Sym) if (!Sym)
return State; return State;
const RefState *RS = State->get<RegionState>(Sym); const RefState *RS = State->get<RegionState>(Sym);
if (!RS) if (RS) {
return State; // TODO: change to assert(RS); after realloc() will if (RS->isAllocated())
// guarantee have a RegionState attached.
if (!RS->isAllocated())
return State;
return TrueState->set<RegionState>(Sym, return TrueState->set<RegionState>(Sym,
RefState::getAllocatedOfSizeZero(RS)); RefState::getAllocatedOfSizeZero(RS));
else
return State;
} else {
// Case of zero-size realloc. Historically 'realloc(ptr, 0)' is treated as
// 'free(ptr)' and the returned value from 'realloc(ptr, 0)' is not
// tracked. Add zero-reallocated Sym to the state to catch references
// to zero-allocated memory.
return TrueState->add<ReallocSizeZeroSymbols>(Sym);
}
} }
// Assume the value is non-zero going forward. // Assume the value is non-zero going forward.
assert(FalseState); assert(FalseState);
return FalseState; return FalseState;
} }
static QualType getDeepPointeeType(QualType T) { static QualType getDeepPointeeType(QualType T) {
▲ Show 20 LinesShow All 571 Lines▼ Show 20 LinesMallocChecker::getCheckIfTracked(CheckerContext &C,
bool IsALeakCheck) const { bool IsALeakCheck) const {
return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt), return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt),
IsALeakCheck); IsALeakCheck);
} }
Optional<MallocChecker::CheckKind> Optional<MallocChecker::CheckKind>
MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym, MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
bool IsALeakCheck) const { bool IsALeakCheck) const {
if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym))
return CK_MallocChecker;
const RefState *RS = C.getState()->get<RegionState>(Sym); const RefState *RS = C.getState()->get<RegionState>(Sym);
assert(RS); assert(RS);
return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck); return getCheckIfTracked(RS->getAllocationFamily(), IsALeakCheck);
} }
bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>())
os << "an integer (" << IntVal->getValue() << ")"; os << "an integer (" << IntVal->getValue() << ")";
▲ Show 20 LinesShow All 426 Lines▼ Show 20 LinesProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,
// malloc(size). // malloc(size).
if ( PrtIsNull && !SizeIsZero) { if ( PrtIsNull && !SizeIsZero) {
ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1),
UndefinedVal(), StatePtrIsNull); UndefinedVal(), StatePtrIsNull);
return stateMalloc; return stateMalloc;
} }
if (PrtIsNull && SizeIsZero) if (PrtIsNull && SizeIsZero)
return nullptr; return State;
// Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
assert(!PrtIsNull); assert(!PrtIsNull);
SymbolRef FromPtr = arg0Val.getAsSymbol(); SymbolRef FromPtr = arg0Val.getAsSymbol();
SVal RetVal = State->getSVal(CE, LCtx); SVal RetVal = State->getSVal(CE, LCtx);
SymbolRef ToPtr = RetVal.getAsSymbol(); SymbolRef ToPtr = RetVal.getAsSymbol();
if (!FromPtr || !ToPtr) if (!FromPtr || !ToPtr)
return nullptr; return nullptr;
▲ Show 20 LinesShow All 347 Lines▼ Show 20 Linesbool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
} }
return false; return false;
} }
void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
const Stmt *S) const { const Stmt *S) const {
assert(Sym); assert(Sym);
const RefState *RS = C.getState()->get<RegionState>(Sym);
if (RS && RS->isAllocatedOfSizeZero()) if (const RefState *RS = C.getState()->get<RegionState>(Sym)) {
if (RS->isAllocatedOfSizeZero())
ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym); ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym);
} }
else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) {
ReportUseZeroAllocated(C, S->getSourceRange(), Sym);
}
}
bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
if (isReleased(Sym, C)) { if (isReleased(Sym, C)) {
ReportDoubleDelete(C, Sym); ReportDoubleDelete(C, Sym);
return true; return true;
} }
return false; return false;
▲ Show 20 LinesShow All 417 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/malloc.c

Show First 20 LinesShow All 257 Lines▼ Show 20 Lines
void CheckUseZeroAllocated6() { void CheckUseZeroAllocated6() {
int *p = calloc(2, 0); int *p = calloc(2, 0);
*p = 1; // expected-warning {{Use of zero-allocated memory}} *p = 1; // expected-warning {{Use of zero-allocated memory}}
free(p); free(p);
} }
void CheckUseZeroAllocated7() { void CheckUseZeroAllocated7() {
int *p = realloc(0, 0); int *p = realloc(0, 0);
*p = 1; //TODO: warn about use of zero-allocated memory *p = 1; // expected-warning {{Use of zero-allocated memory}}
free(p); free(p);
} }
void CheckUseZeroAllocated8() { void CheckUseZeroAllocated8() {
int *p = malloc(8); int *p = malloc(8);
int *q = realloc(p, 0); int *q = realloc(p, 0);
*q = 1; //TODO: warn about use of zero-allocated memory *q = 1; // expected-warning {{Use of zero-allocated memory}}
free(q); free(q);
} }
void CheckUseZeroAllocated9() { void CheckUseZeroAllocated9() {
int *p = realloc(0, 0); int *p = realloc(0, 0);
int *q = realloc(p, 0); int *q = realloc(p, 0);
*q = 1; //TODO: warn about use of zero-allocated memory *q = 1; // expected-warning {{Use of zero-allocated memory}}
free(q); free(q);
} }
void CheckUseZeroAllocatedPathNoWarn(_Bool b) { void CheckUseZeroAllocatedPathNoWarn(_Bool b) {
int s = 0; int s = 0;
if (b) if (b)
s= 10; s= 10;
Show All 13 Linesvoid CheckUseZeroAllocatedPathWarn(_Bool b) {
char *p = malloc(s); char *p = malloc(s);
if (b) if (b)
*p = 1; // expected-warning {{Use of zero-allocated memory}} *p = 1; // expected-warning {{Use of zero-allocated memory}}
free(p); free(p);
} }
void CheckUseZeroReallocatedPathNoWarn(_Bool b) {
int s = 0;
if (b)
s= 10;
char *p = malloc(8);
char *q = realloc(p, s);
if (b)
*q = 1; // no warning
free(q);
}
void CheckUseZeroReallocatedPathWarn(_Bool b) {
int s = 10;
if (b)
s= 0;
char *p = malloc(8);
char *q = realloc(p, s);
if (b)
*q = 1; // expected-warning {{Use of zero-allocated memory}}
free(q);
}
// This case tests that storing malloc'ed memory to a static variable which is // This case tests that storing malloc'ed memory to a static variable which is
// then returned is not leaked. In the absence of known contracts for functions // then returned is not leaked. In the absence of known contracts for functions
// or inter-procedural analysis, this is a conservative answer. // or inter-procedural analysis, this is a conservative answer.
int *f3() { int *f3() {
static int *p = 0; static int *p = 0;
p = malloc(12); p = malloc(12);
return p; // no-warning return p; // no-warning
} }
▲ Show 20 LinesShow All 1,333 LinesShow Last 20 Lines