This is an archive of the discontinued LLVM Phabricator instance.

Differential D102728

[clang][Sema] removes -Wfree-nonheap-object reference param false positive
ClosedPublic

Authored by cjdb on May 18 2021, 3:02 PM.

Details

Reviewers
gbiv
manojgupta
aaron.ballman
george.burgess.iv
rriddle
dblaikie
Commits
rG9a72580a548d: [clang][Sema] removes -Wfree-nonheap-object reference param false positive
Summary

Taking the address of a reference parameter might be valid, and without
CFA, false positives are going to be more trouble than they're worth.

This reverts commit 499571ea835daf786626a0db1e12f890b6cd8f8d.

Diff Detail

Event Timeline

cjdb created this revision.May 18 2021, 3:02 PM
Herald added a reviewer: george.burgess.iv. · View Herald TranscriptMay 18 2021, 3:02 PM
Herald added a reviewer: rriddle. · View Herald Transcript
Herald added subscribers: dcaballe, cota, teijeong and 16 others. · View Herald Transcript
cjdb requested review of this revision.May 18 2021, 3:02 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptMay 18 2021, 3:02 PM
Herald added subscribers: cfe-commits, stephenneuendorffer, nicolasvasilache. · View Herald Transcript
Harbormaster completed remote builds in B105115: Diff 346280.May 18 2021, 5:20 PM
dblaikie added a subscriber: dblaikie.May 18 2021, 6:42 PM

Thanks for following up on this.

  • Probably best to commit the revert of the workarounds as a separate follow-up commit, but I appreciate seeing them here to understand that this patch addresses them
clang/lib/Sema/SemaChecking.cpp
10729–10731

It doesn't look like the parameter case is tested, is it? And is it necessary? I think it'd be reasonable to warn on void f1(int i) { free(&i); } - so I think it's only the "is it a reference type" that's the important property.

clang/test/Sema/warn-free-nonheap-object.cpp
38–41

Is it relevant that these are members? Or could they be globals just as well? Might be simpler/more obvious if they were globals, I think.

43–46

Are these notably different from the non-member examples above? I assume not & so I'd probably skip these test cases.

64–65

I don't think this code is necessary - since clang warnings aren't interprocedural, there's no need to flesh out the example this far - you can have the function standalone elsewhere, that takes a reference parameter and tries to free it after taking its address. Without any caller.

cjdb added a comment.Jun 28 2021, 11:42 AM

Oops, looks like I never submitted my replies!

clang/lib/Sema/SemaChecking.cpp
10729–10731

Right, but it's also reasonable to warn on this, which isn't a parameter.

int i = 0;
int& r = i;
std::free(&r);

However, I will take you up on making sure that parameters are tested.

clang/test/Sema/warn-free-nonheap-object.cpp
38–41

This tests that members aren't overlooked, which has a distinct code path to normal variables IIRC.

dblaikie added inline comments.Jun 28 2021, 1:07 PM
clang/lib/Sema/SemaChecking.cpp
10729–10731

Catching this case seems unlikely to be feasible in a compiler diagnostic - because differentiating the false positives and true positives would require more complicated analysis than is usually done.

eg: We shouldn't warn on this:

int *i = (int*)std::malloc(sizeof(int));
int &j = *i;
std::free(&j);
clang/test/Sema/warn-free-nonheap-object.cpp
13–16

I probably wouldn't bother testing the combinatorial expansion of all options (std versus global, rvalue versus lvalue) - if the features are treated orthogonally in the code (there's little chance that some particular combination would have a problem if each separately didn't have a problem).

& generally I don't think there's any need to have callers of these functions in any context (member function or otherwise - as mentioned further down) - clang warnings generally aren't interprocedural, so there's no real risk that checking the function alone would result in different results than checking it with a caller as well.

64–65

^ ping on this.

cjdb updated this revision to Diff 358127.Jul 12 2021, 7:45 PM
cjdb marked 6 inline comments as done.

responds to feedback

Harbormaster completed remote builds in B113636: Diff 358127.Jul 12 2021, 8:23 PM
dblaikie accepted this revision.Jul 13 2021, 10:32 AM

Could probably haggle over the tests some more, but might be diminishing returns at this point. Looks good!

Might suggest separating the code cleanup mlir changes from the warning change (committing the warning change first, then as a follow-up committing the mlir change), ideally. Not a huge deal either way - but the usual "separable changes should be separated".

This revision is now accepted and ready to land.Jul 13 2021, 10:32 AM
cjdb updated this revision to Diff 360016.Jul 19 2021, 10:51 PM

rebases to activate CI

Harbormaster completed remote builds in B115022: Diff 360016.Jul 19 2021, 11:25 PM
This revision was landed with ongoing or failed builds.Jul 21 2021, 2:30 PM
Closed by commit rG9a72580a548d: [clang][Sema] removes -Wfree-nonheap-object reference param false positive (authored by cjdb). · Explain Why
This revision was automatically updated to reflect the committed changes.
cjdb added a commit: rG9a72580a548d: [clang][Sema] removes -Wfree-nonheap-object reference param false positive.

Revision Contents

PathSize
clang/
lib/
Sema/
5 lines
test/
Sema/
35 lines

Diff 360602

clang/lib/Sema/SemaChecking.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 10,720 Lines▼ Show 20 Lines if (isa<FieldDecl, FunctionDecl, VarDecl>(D)) {
return; return;
} }
} }
void CheckFreeArgumentsAddressof(Sema &S, const std::string &CalleeName, void CheckFreeArgumentsAddressof(Sema &S, const std::string &CalleeName,
const UnaryOperator *UnaryExpr) { const UnaryOperator *UnaryExpr) {
if (const auto *Lvalue = dyn_cast<DeclRefExpr>(UnaryExpr->getSubExpr())) { if (const auto *Lvalue = dyn_cast<DeclRefExpr>(UnaryExpr->getSubExpr())) {
const Decl *D = Lvalue->getDecl(); const Decl *D = Lvalue->getDecl();
if (isa<VarDecl, FunctionDecl>(D)) if (isa<DeclaratorDecl>(D))
if (!dyn_cast<DeclaratorDecl>(D)->getType()->isReferenceType())
return CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr, D); return CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr, D);
dblaikieUnsubmitted
Done
ReplyInline Actions

It doesn't look like the parameter case is tested, is it? And is it necessary? I think it'd be reasonable to warn on void f1(int i) { free(&i); } - so I think it's only the "is it a reference type" that's the important property.

dblaikie: It doesn't look like the parameter case is tested, is it? And is it necessary? I think it'd be…
cjdbAuthorUnsubmitted
Done
ReplyInline Actions

Right, but it's also reasonable to warn on this, which isn't a parameter.

int i = 0;
int& r = i;
std::free(&r);

However, I will take you up on making sure that parameters are tested.

cjdb: Right, but it's also reasonable to warn on this, which isn't a parameter. ``` int i = 0; int& r…
dblaikieUnsubmitted
Done
ReplyInline Actions

Catching this case seems unlikely to be feasible in a compiler diagnostic - because differentiating the false positives and true positives would require more complicated analysis than is usually done.

eg: We shouldn't warn on this:

int *i = (int*)std::malloc(sizeof(int));
int &j = *i;
std::free(&j);
dblaikie: Catching this case seems unlikely to be feasible in a compiler diagnostic - because…
} }
if (const auto *Lvalue = dyn_cast<MemberExpr>(UnaryExpr->getSubExpr())) if (const auto *Lvalue = dyn_cast<MemberExpr>(UnaryExpr->getSubExpr()))
return CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr, return CheckFreeArgumentsOnLvalue(S, CalleeName, UnaryExpr,
Lvalue->getMemberDecl()); Lvalue->getMemberDecl());
} }
void CheckFreeArgumentsPlus(Sema &S, const std::string &CalleeName, void CheckFreeArgumentsPlus(Sema &S, const std::string &CalleeName,
▲ Show 20 LinesShow All 5,959 LinesShow Last 20 Lines

clang/test/Sema/warn-free-nonheap-object.cpp

// RUN: %clang_cc1 -Wfree-nonheap-object -std=c++11 -x c++ -fsyntax-only -verify %s // RUN: %clang_cc1 -Wfree-nonheap-object -std=c++11 -x c++ -fsyntax-only -verify %s
extern "C" void free(void *) {} extern "C" void free(void *) {}
namespace std { namespace std {
using size_t = decltype(sizeof(0)); using size_t = decltype(sizeof(0));
void *malloc(size_t); void *malloc(size_t);
void free(void *p); void free(void *p);
} // namespace std } // namespace std
int GI; int GI;
void free_reference(char &x) { ::free(&x); }
void free_reference(char &&x) { ::free(&x); }
void std_free_reference(char &x) { std::free(&x); }
void std_free_reference(char &&x) { std::free(&x); }
dblaikieUnsubmitted
Not Done
ReplyInline Actions

I probably wouldn't bother testing the combinatorial expansion of all options (std versus global, rvalue versus lvalue) - if the features are treated orthogonally in the code (there's little chance that some particular combination would have a problem if each separately didn't have a problem).

& generally I don't think there's any need to have callers of these functions in any context (member function or otherwise - as mentioned further down) - clang warnings generally aren't interprocedural, so there's no real risk that checking the function alone would result in different results than checking it with a caller as well.

dblaikie: I probably wouldn't bother testing the combinatorial expansion of all options (std versus…
struct S { struct S {
operator char *() { return ptr; } operator char *() { return ptr1; }
void CFree() { void CFree() {
::free(&ptr); // expected-warning {{attempt to call free on non-heap object 'ptr'}} ::free(&ptr1); // expected-warning {{attempt to call free on non-heap object 'ptr1'}}
::free(&I); // expected-warning {{attempt to call free on non-heap object 'I'}} ::free(&I); // expected-warning {{attempt to call free on non-heap object 'I'}}
::free(ptr); ::free(ptr1);
free_reference(*ptr2);
free_reference(static_cast<char&&>(*ptr3));
} }
void CXXFree() { void CXXFree() {
std::free(&ptr); // expected-warning {{attempt to call std::free on non-heap object 'ptr'}} std::free(&ptr1); // expected-warning {{attempt to call std::free on non-heap object 'ptr1'}}
std::free(&I); // expected-warning {{attempt to call std::free on non-heap object 'I'}} std::free(&I); // expected-warning {{attempt to call std::free on non-heap object 'I'}}
std::free(ptr); std::free(ptr1);
std_free_reference(*ptr2);
std_free_reference(static_cast<char&&>(*ptr3));
} }
private: private:
char *ptr = (char *)std::malloc(10); char *ptr1 = (char *)std::malloc(10);
char *ptr2 = (char *)std::malloc(10);
char *ptr3 = (char *)std::malloc(10);
static int I; static int I;
dblaikieUnsubmitted
Done
ReplyInline Actions

Is it relevant that these are members? Or could they be globals just as well? Might be simpler/more obvious if they were globals, I think.

dblaikie: Is it relevant that these are members? Or could they be globals just as well? Might be…
cjdbAuthorUnsubmitted
Done
ReplyInline Actions

This tests that members aren't overlooked, which has a distinct code path to normal variables IIRC.

cjdb: This tests that members aren't overlooked, which has a distinct code path to normal variables…
}; };
int S::I = 0; int S::I = 0;
void test1() { void test1() {
dblaikieUnsubmitted
Done
ReplyInline Actions

Are these notably different from the non-member examples above? I assume not & so I'd probably skip these test cases.

dblaikie: Are these notably different from the non-member examples above? I assume not & so I'd probably…
{ {
free(&GI); // expected-warning {{attempt to call free on non-heap object 'GI'}} free(&GI); // expected-warning {{attempt to call free on non-heap object 'GI'}}
} }
{ {
static int SI = 0; static int SI = 0;
free(&SI); // expected-warning {{attempt to call free on non-heap object 'SI'}} free(&SI); // expected-warning {{attempt to call free on non-heap object 'SI'}}
} }
{ {
int I = 0; int I = 0;
free(&I); // expected-warning {{attempt to call free on non-heap object 'I'}} free(&I); // expected-warning {{attempt to call free on non-heap object 'I'}}
} }
{ {
int I = 0; int I = 0;
int *P = &I; int *P = &I;
free(P); free(P);
} }
{ {
void *P = std::malloc(8); void *P = std::malloc(8);
free(P); // FIXME diagnosing this would require control flow analysis. free(P); // FIXME diagnosing this would require control flow analysis.
dblaikieUnsubmitted
Done
ReplyInline Actions

I don't think this code is necessary - since clang warnings aren't interprocedural, there's no need to flesh out the example this far - you can have the function standalone elsewhere, that takes a reference parameter and tries to free it after taking its address. Without any caller.

dblaikie: I don't think this code is necessary - since clang warnings aren't interprocedural, there's no…
dblaikieUnsubmitted
Done
ReplyInline Actions

^ ping on this.

dblaikie: ^ ping on this.
} }
{ {
int A[] = {0, 1, 2, 3}; int A[] = {0, 1, 2, 3};
free(A); // expected-warning {{attempt to call free on non-heap object 'A'}} free(A); // expected-warning {{attempt to call free on non-heap object 'A'}}
} }
{ {
int A[] = {0, 1, 2, 3}; int A[] = {0, 1, 2, 3};
free(&A); // expected-warning {{attempt to call free on non-heap object 'A'}} free(&A); // expected-warning {{attempt to call free on non-heap object 'A'}}
Show All 26 Linesvoid test2() {
int *P = &I; int *P = &I;
std::free(P); // FIXME diagnosing this would require control flow analysis. std::free(P); // FIXME diagnosing this would require control flow analysis.
} }
{ {
void *P = std::malloc(8); void *P = std::malloc(8);
std::free(P); std::free(P);
} }
{ {
char* P = (char *)std::malloc(2);
std_free_reference(*P);
}
{
char* P = (char *)std::malloc(2);
std_free_reference(static_cast<char&&>(*P));
}
{
int A[] = {0, 1, 2, 3}; int A[] = {0, 1, 2, 3};
std::free(A); // expected-warning {{attempt to call std::free on non-heap object 'A'}} std::free(A); // expected-warning {{attempt to call std::free on non-heap object 'A'}}
} }
{ {
int A[] = {0, 1, 2, 3}; int A[] = {0, 1, 2, 3};
std::free(&A); // expected-warning {{attempt to call std::free on non-heap object 'A'}} std::free(&A); // expected-warning {{attempt to call std::free on non-heap object 'A'}}
} }
{ {
Show All 9 Lines