This is an archive of the discontinued LLVM Phabricator instance.

Differential D105819

[analyzer] MallocChecker: Add a visitor to leave a note on functions that could have, but did not change ownership on leaked memory
ClosedPublic

Authored by Szelethus on Jul 12 2021, 8:28 AM.

Details

Reviewers
NoQ
vsavchenko
steakhal
martong
ASDenysPetrov
Summary

This is a rather common feedback we get from out leak checkers: bug reports are really short, and are contain barely any usable information on what the analyzer did to conclude that a leak actually happened.

This happens because of our bug report minimizing effort. We construct bug reports by inspecting the ExplodedNodes that lead to the error from the bottom up (from the error node all the way to the root of the exploded graph), and mark entities that were the cause of a bug, or have interacted with it as interesting. In order to make the bug report a bit less verbose, whenever we find an entire function call (from CallEnter to CallExitEnd) that didn't talk about any interesting entity, we prune it (click here for more info on bug report generation). Even if the event to highlight is exactly this lack of interaction with interesting entities.

D105553 generalized the visitor that creates notes for these cases. This patch adds a new kind of NoStateChangeVisitor that leaves notes in functions that took a piece of dynamically allocated memory that later leaked as parameter, and didn't change its ownership status.

While there is some code to talk over in MallocChecker.cpp, the main thing to discuss in my mind are the test cases, where I display where I want to see this visitor end up. I hope to be able to reach a point sometime soon when I can run on this on some real projects and post screenshots about it!

Diff Detail

Event Timeline

Szelethus created this revision.Jul 12 2021, 8:28 AM
Herald added subscribers: manas, gamesh411, dkrupp and 9 others. · View Herald TranscriptJul 12 2021, 8:28 AM
Szelethus requested review of this revision.Jul 12 2021, 8:28 AM
Herald added subscribers: cfe-commits, aheejin. · View Herald TranscriptJul 12 2021, 8:28 AM
Harbormaster completed remote builds in B113511: Diff 357949.Jul 12 2021, 8:49 AM
NoQ added a parent revision: D105553: [analyzer][NFC] Split the main logic of NoStoreFuncVisitor to an abstract NoStateChangeVisitor class.Jul 12 2021, 7:42 PM
NoQ added a comment.Jul 12 2021, 8:08 PM

This is amazing, great progress!

I added the parent revision because it didn't compile on pre-merge checks otherwise.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
803

Can you also comment on what's, generally, the default scenario / motivating example where this is necessary? What makes you hunt down store bindings that didn't cause an escape to happen (given that an escape would have been a state change)? IIUC this is for the situation when the callee stores the pointer in a caller-local variable and in this case you don't want to claim that ownership didn't change?

811–812

I suggest: "Returning without deallocating memory or storing the pointer for later deallocation". Still a bit flimsy but less jargony.

834–835

How difficult would it be to re-use this part as well?

clang/test/Analysis/NewDeleteLeaks.cpp
105–107

How do you think this is different from the very first test, memory_allocated_in_fn_call()? Is this just because of how the pointer is put into a variable first? This function is kinda still the only place that could free memory.

Szelethus updated this revision to Diff 358883.Jul 15 2021, 2:55 AM
  • Fixes according to reviewer comments!
  • Rebase on D105553.
  • Primitively check whether the allocated memory was actually passed into the function.
Szelethus marked 2 inline comments as done.Jul 15 2021, 2:55 AM
Szelethus added inline comments.
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
803

The comment above is meant to explain it.

// [...] Any pointers
// inside the call that pointed to the allocated memory are of little
// consequence if their lifetime ends before within the function
834–835

Ugh, I gave this a shot, and its worse then expected. I think the original patch that George made was intended to be used by NoStoreFuncVisitor, and nothing else. As a consequence, its practically impossible to factor out without rewriting the whole thing.

At this point, I'm more in favor of just biting the bullet, and reuse how pointees and casts are printed from D50506, and maybe some of the dereferencing technology as well. It might be sliiiiiightly slower, but the majority of the price is only paid when FieldChainInfo is printed, not when its constructed.

For the time being, I made a rather primitive implementation here, which should lean on the conservative side (we under approximate the set of function calls where the allocated memory was actually passed into).

clang/test/Analysis/NewDeleteLeaks.cpp
105–107

That was my idea, yes, but you have a point there...

Harbormaster completed remote builds in B114184: Diff 358883.Jul 15 2021, 3:34 AM
Szelethus updated this revision to Diff 358927.Jul 15 2021, 5:07 AM
Szelethus marked an inline comment as done.
  • Fix testfiles.
  • Fix a typo in the comments.
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
803

Oh, speaking of which, that is a gramarr eror.

Harbormaster completed remote builds in B114208: Diff 358927.Jul 15 2021, 5:43 AM
Szelethus added a comment.Jul 20 2021, 2:37 AM

An ever so gentle ping :^)

Szelethus added a comment.Jul 26 2021, 1:32 AM

Ping

NoQ accepted this revision.Jul 26 2021, 8:52 AM

This is amazing and I think we should land this and see how it goes.

clang/test/Analysis/self-assign.cpp
1 ↗(On Diff #358927)

Changes in this file seem to be formatting-only, maybe they could be committed separately?

This revision is now accepted and ready to land.Jul 26 2021, 8:52 AM
NoQ added inline comments.Jul 26 2021, 4:04 PM
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
841

Actually you know what, I'm curious about some IRL data on this.

With uninitialized variable warnings this whole thing worked out really well because there are very few reasons to pass a pointer to an uninitialized local variable into a function, other than to initialize it. There's a lot more reasons to pass allocated memory into a function than to free it though. So I'm curious whether this is going to emit unnecessary notes in such cases and we'll have to tighten this heuristic.

Szelethus added a comment.Jul 29 2021, 12:10 PM

Thanks! Here are some results:

All runs can be found here: https://codechecker-demo.eastus.cloudapp.azure.com/Default/runs

Protobuf, Bitcoin, Xerces, TinyXML, PostgreSQL, FFMPEG, OpenSSL, Vim, Redis, Twin, curl:

Nothing changed.

libWebM:

Ignoring the fact that at both places where memory was allocated there is a // NOLINT comment, I think these bug reports have improved greatly. A function is highlighted where each of those memory region could have been added to a container, but were not. Not that I wrote any code to look for this, this is purely luck ;)

No1., No2.

SQLite:

This one isn't as great. I wouldn't expect a function called buildshifts to do any sort of dynamic memory management, and its contents support this claim. stp is only referencing to retrieve one of its members. More worrying is the fact that State_insert seems like the function (or macro, as they are not always capitalized in this project) to deal with this, yet it isn't noted at all in the bug report.

No1.

Szelethus added a comment.Aug 4 2021, 3:17 AM

Maybe if I added this under an alpha checker option?

Szelethus updated this revision to Diff 366269.Aug 13 2021, 6:54 AM
Szelethus set the repository for this revision to rG LLVM Github Monorepo.
  • Add the new feature behind a new, off-by-default alpha checker option.
  • Restore test/Analysis/self-assign.cpp (to be formatted in a standalone commit).

If you don't mind, I'll commit this as is. We seem to agree on the general direction, and doesn't bother any users from now on.

Harbormaster completed remote builds in B119439: Diff 366269.Aug 13 2021, 6:55 AM
NoQ closed this revision.Aug 17 2021, 12:30 PM

Committed as rG2d3668c997faac1f64cd3b8eb336af989069d135 (broken phabricator link).

Yes, great, thanks!, sounds like the right thing to do. I guess the next potential step is to set up syntactic analysis that would tell us whether the function *could have* deallocated memory or stored it for later deallocation. One trivial step would be to scan for free()/delete invocations with the parameter variable as an argument. That would probably turn the feature into a strict improvement that we can turn on by default. The next step would be to figure out what could constitute an escape; a binding to non-local storage might be a good first approximation but i'm not sure how to cover potentially-escaping functions which is probably the most beneficial part.

Szelethus mentioned this in D108695: [analyzer][NFCI] Allow clients of NoStateChangeFuncVisitor to check entire function calls, rather than each ExplodedNode in it.Aug 25 2021, 5:18 AM
Szelethus mentioned this in D108753: [analyzer] MallocChecker: Add notes from NoOwnershipChangeVisitor only when a function "intents", but doesn't change ownership, enable by default.Aug 26 2021, 2:47 AM
Szelethus mentioned this in rG7d0e62bfb773: [analyzer][NFCI] Allow clients of NoStateChangeFuncVisitor to check entire….Sep 2 2021, 7:57 AM
Szelethus mentioned this in rGa375bfb5b729: [analyzer][NFCI] Allow clients of NoStateChangeFuncVisitor to check entire….Sep 3 2021, 4:50 AM
Szelethus mentioned this in rG9d359f6c7386: [analyzer] MallocChecker: Add notes from NoOwnershipChangeVisitor only when a….Sep 13 2021, 6:02 AM
Szelethus mentioned this in D118880: [analyzer] Improve NoOwnershipChangeVisitor's understanding of deallocators.Feb 3 2022, 1:34 AM
Szelethus mentioned this in rGd832078904c6: [analyzer] Improve NoOwnershipChangeVisitor's understanding of deallocators.Mar 3 2022, 2:28 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
12 lines
Core/
BugReporter/
79 lines
lib/
StaticAnalyzer/
Checkers/
147 lines
Core/
358 lines
test/
Analysis/
142 lines
1 line

Diff 366269

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 479 Lines▼ Show 20 Lines HelpText<"The base of several malloc() related checkers. On it's own it "
"when enabled.">, "when enabled.">,
CheckerOptions<[ CheckerOptions<[
CmdLineOption<Boolean, CmdLineOption<Boolean,
"Optimistic", "Optimistic",
"If set to true, the checker assumes that all the " "If set to true, the checker assumes that all the "
"allocating and deallocating functions are annotated with " "allocating and deallocating functions are annotated with "
"ownership_holds, ownership_takes and ownership_returns.", "ownership_holds, ownership_takes and ownership_returns.",
"false", "false",
InAlpha> InAlpha>,
CmdLineOption<Boolean,
"AddNoOwnershipChangeNotes",
"Add an additional note to the bug report for leak-like "
"bugs. Dynamically allocated objects passed to functions "
"that neither deallocated it, or have taken responsibility "
"of the ownership are noted, similarly to "
"NoStoreFuncVisitor.",
"false",
InAlpha,
Hide>
]>, ]>,
Dependencies<[CStringModeling]>, Dependencies<[CStringModeling]>,
Documentation<NotDocumented>, Documentation<NotDocumented>,
Hidden; Hidden;
def MallocChecker: Checker<"Malloc">, def MallocChecker: Checker<"Malloc">,
HelpText<"Check for memory leaks, double free, and use-after-free problems. " HelpText<"Check for memory leaks, double free, and use-after-free problems. "
"Traces memory managed by malloc()/free().">, "Traces memory managed by malloc()/free().">,
▲ Show 20 LinesShow All 1,179 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h

Show All 15 Lines
#include "clang/Analysis/ProgramPoint.h" #include "clang/Analysis/ProgramPoint.h"
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "llvm/ADT/FoldingSet.h" #include "llvm/ADT/FoldingSet.h"
#include "llvm/ADT/IntrusiveRefCntPtr.h" #include "llvm/ADT/IntrusiveRefCntPtr.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallPtrSet.h"
#include "llvm/ADT/StringRef.h" #include "llvm/ADT/StringRef.h"
#include <list> #include <list>
#include <memory> #include <memory>
#include <utility> #include <utility>
namespace clang { namespace clang {
class BinaryOperator; class BinaryOperator;
▲ Show 20 LinesShow All 585 Lines▼ Show 20 Lines
public: public:
void Profile(llvm::FoldingSetNodeID &ID) const override; void Profile(llvm::FoldingSetNodeID &ID) const override;
PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
BugReporterContext &BRC, BugReporterContext &BRC,
PathSensitiveBugReport &R) override; PathSensitiveBugReport &R) override;
}; };
class ObjCMethodCall;
class CXXConstructorCall;
/// Put a diagnostic on return statement (or on } in its absence) of all inlined
/// functions for which some property remained unchanged.
/// Resulting diagnostics may read such as "Returning without writing to X".
///
/// Descendants can define what a "state change is", like a change of value
/// to a memory region, liveness, etc. For function calls where the state did
/// not change as defined, a custom note may be constructed.
class NoStateChangeFuncVisitor : public BugReporterVisitor {
private:
/// Frames modifying the state as defined in \c wasModifiedBeforeCallExit.
/// This visitor generates a note only if a function does *not* change the
/// state that way. This information is not immediately available
/// by looking at the node associated with the exit from the function
/// (usually the return statement). To avoid recomputing the same information
/// many times (going up the path for each node and checking whether the
/// region was written into) we instead lazily compute the stack frames
/// along the path.
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifying;
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated;
/// Check and lazily calculate whether the state is modified in the stack
/// frame to which \p CallExitBeginN belongs.
/// The calculation is cached in FramesModifying.
bool isModifiedInFrame(const ExplodedNode *CallExitBeginN);
/// Write to \c FramesModifying all stack frames along the path in the current
/// stack frame which modifies the state.
void findModifyingFrames(const ExplodedNode *const CallExitBeginN);
protected:
bugreporter::TrackingKind TKind;
/// \return Whether the state was modified from the current node, \CurrN, to
/// the end of the stack fram, at \p CallExitBeginN.
virtual bool
wasModifiedBeforeCallExit(const ExplodedNode *CurrN,
const ExplodedNode *CallExitBeginN) = 0;
/// Consume the information on the non-modifying stack frame in order to
/// either emit a note or not. May suppress the report entirely.
/// \return Diagnostics piece for the unmodified state in the current
/// function, if it decides to emit one. A good description might start with
/// "Returning without...".
virtual PathDiagnosticPieceRef
maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
const ObjCMethodCall &Call,
const ExplodedNode *N) = 0;
/// Consume the information on the non-modifying stack frame in order to
/// either emit a note or not. May suppress the report entirely.
/// \return Diagnostics piece for the unmodified state in the current
/// function, if it decides to emit one. A good description might start with
/// "Returning without...".
virtual PathDiagnosticPieceRef
maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
const CXXConstructorCall &Call,
const ExplodedNode *N) = 0;
/// Consume the information on the non-modifying stack frame in order to
/// either emit a note or not. May suppress the report entirely.
/// \return Diagnostics piece for the unmodified state in the current
/// function, if it decides to emit one. A good description might start with
/// "Returning without...".
virtual PathDiagnosticPieceRef
maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,
const ExplodedNode *N) = 0;
public:
NoStateChangeFuncVisitor(bugreporter::TrackingKind TKind) : TKind(TKind) {}
PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
BugReporterContext &BR,
PathSensitiveBugReport &R) override final;
};
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H #endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 42 Lines▼ Show 20 Lines
// related headers and non-static functions. // related headers and non-static functions.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "AllocationState.h" #include "AllocationState.h"
#include "InterCheckerAPI.h" #include "InterCheckerAPI.h"
#include "clang/AST/Attr.h" #include "clang/AST/Attr.h"
#include "clang/AST/DeclCXX.h" #include "clang/AST/DeclCXX.h"
#include "clang/AST/DeclTemplate.h"
#include "clang/AST/Expr.h" #include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h" #include "clang/AST/ExprCXX.h"
#include "clang/AST/ParentMap.h" #include "clang/AST/ParentMap.h"
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/Basic/SourceManager.h" #include "clang/Basic/SourceManager.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/StoreRef.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SetOperations.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "llvm/Support/Compiler.h" #include "llvm/Support/Compiler.h"
#include "llvm/Support/ErrorHandling.h" #include "llvm/Support/ErrorHandling.h"
#include <climits> #include <climits>
#include <functional> #include <functional>
#include <utility> #include <utility>
▲ Show 20 LinesShow All 212 Lines▼ Show 20 Lines : public Checker<check::DeadSymbols, check::PointerEscape,
check::PostObjCMessage, check::Location, eval::Assume> { check::PostObjCMessage, check::Location, eval::Assume> {
public: public:
/// In pessimistic mode, the checker assumes that it does not know which /// In pessimistic mode, the checker assumes that it does not know which
/// functions might free the memory. /// functions might free the memory.
/// In optimistic mode, the checker assumes that all user-defined functions /// In optimistic mode, the checker assumes that all user-defined functions
/// which might free a pointer are annotated. /// which might free a pointer are annotated.
DefaultBool ShouldIncludeOwnershipAnnotatedFunctions; DefaultBool ShouldIncludeOwnershipAnnotatedFunctions;
DefaultBool ShouldRegisterNoOwnershipChangeVisitor;
/// Many checkers are essentially built into this one, so enabling them will /// Many checkers are essentially built into this one, so enabling them will
/// make MallocChecker perform additional modeling and reporting. /// make MallocChecker perform additional modeling and reporting.
enum CheckKind { enum CheckKind {
/// When a subchecker is enabled but MallocChecker isn't, model memory /// When a subchecker is enabled but MallocChecker isn't, model memory
/// management but do not emit warnings emitted with MallocChecker only /// management but do not emit warnings emitted with MallocChecker only
/// enabled. /// enabled.
CK_MallocChecker, CK_MallocChecker,
CK_NewDeleteChecker, CK_NewDeleteChecker,
▲ Show 20 LinesShow All 408 Lines▼ Show 20 Lines static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
CheckerContext &C); CheckerContext &C);
void HandleLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; void HandleLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
/// Test if value in ArgVal equals to value in macro `ZERO_SIZE_PTR`. /// Test if value in ArgVal equals to value in macro `ZERO_SIZE_PTR`.
bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C, bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
SVal ArgVal) const; SVal ArgVal) const;
}; };
} // end anonymous namespace
//===----------------------------------------------------------------------===//
// Definition of NoOwnershipChangeVisitor.
//===----------------------------------------------------------------------===//
namespace {
class NoOwnershipChangeVisitor final : public NoStateChangeFuncVisitor {
SymbolRef Sym;
using OwnerSet = llvm::SmallPtrSet<const MemRegion *, 8>;
// Collect which entities point to the allocated memory, and could be
// responsible for deallocating it.
class OwnershipBindingsHandler : public StoreManager::BindingsHandler {
SymbolRef Sym;
OwnerSet &Owners;
public:
OwnershipBindingsHandler(SymbolRef Sym, OwnerSet &Owners)
: Sym(Sym), Owners(Owners) {}
bool HandleBinding(StoreManager &SMgr, Store Store, const MemRegion *Region,
SVal Val) override {
if (Val.getAsSymbol() == Sym)
Owners.insert(Region);
return true;
}
};
protected:
OwnerSet getOwnersAtNode(const ExplodedNode *N) {
OwnerSet Ret;
ProgramStateRef State = N->getState();
OwnershipBindingsHandler Handler{Sym, Ret};
State->getStateManager().getStoreManager().iterBindings(State->getStore(),
Handler);
return Ret;
}
static const ExplodedNode *getCallExitEnd(const ExplodedNode *N) {
while (N && !N->getLocationAs<CallExitEnd>())
N = N->getFirstSucc();
return N;
}
virtual bool
wasModifiedBeforeCallExit(const ExplodedNode *CurrN,
const ExplodedNode *CallExitN) override {
if (CurrN->getLocationAs<CallEnter>())
return true;
// Its the state right *after* the call that is interesting. Any pointers
// inside the call that pointed to the allocated memory are of little
// consequence if their lifetime ends within the function.
CallExitN = getCallExitEnd(CallExitN);
if (!CallExitN)
return true;
if (CurrN->getState()->get<RegionState>(Sym) !=
CallExitN->getState()->get<RegionState>(Sym))
return true;
OwnerSet CurrOwners = getOwnersAtNode(CurrN);
OwnerSet ExitOwners = getOwnersAtNode(CallExitN);
// Owners in the current set may be purged from the analyzer later on.
// If a variable is dead (is not referenced directly or indirectly after
// some point), it will be removed from the Store before the end of its
// actual lifetime.
// This means that that if the ownership status didn't change, CurrOwners
// must be a superset of, but not necessarily equal to ExitOwners.
return !llvm::set_is_subset(ExitOwners, CurrOwners);
NoQUnsubmitted
Not Done
ReplyInline Actions

Can you also comment on what's, generally, the default scenario / motivating example where this is necessary? What makes you hunt down store bindings that didn't cause an escape to happen (given that an escape would have been a state change)? IIUC this is for the situation when the callee stores the pointer in a caller-local variable and in this case you don't want to claim that ownership didn't change?

NoQ: Can you also comment on what's, generally, the default scenario / motivating example where this…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

The comment above is meant to explain it.

// [...] Any pointers
// inside the call that pointed to the allocated memory are of little
// consequence if their lifetime ends before within the function
Szelethus: The comment above is meant to explain it. // [...] Any pointers // inside the call…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

Oh, speaking of which, that is a gramarr eror.

Szelethus: Oh, speaking of which, that is a gramarr eror.
}
static PathDiagnosticPieceRef emitNote(const ExplodedNode *N) {
PathDiagnosticLocation L = PathDiagnosticLocation::create(
N->getLocation(),
N->getState()->getStateManager().getContext().getSourceManager());
return std::make_shared<PathDiagnosticEventPiece>(
L, "Returning without deallocating memory or storing the pointer for "
"later deallocation");
NoQUnsubmitted
Done
ReplyInline Actions

I suggest: "Returning without deallocating memory or storing the pointer for later deallocation". Still a bit flimsy but less jargony.

NoQ: I suggest: `"Returning without deallocating memory or storing the pointer for later…
}
virtual PathDiagnosticPieceRef
maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
const ObjCMethodCall &Call,
const ExplodedNode *N) override {
// TODO: Implement.
return nullptr;
}
virtual PathDiagnosticPieceRef
maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
const CXXConstructorCall &Call,
const ExplodedNode *N) override {
// TODO: Implement.
return nullptr;
}
virtual PathDiagnosticPieceRef
maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,
const ExplodedNode *N) override {
// TODO: Factor the logic of "what constitutes as an entity being passed
// into a function call" out by reusing the code in
NoQUnsubmitted
Done
ReplyInline Actions

How difficult would it be to re-use this part as well?

NoQ: How difficult would it be to re-use this part as well?
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

Ugh, I gave this a shot, and its worse then expected. I think the original patch that George made was intended to be used by NoStoreFuncVisitor, and nothing else. As a consequence, its practically impossible to factor out without rewriting the whole thing.

At this point, I'm more in favor of just biting the bullet, and reuse how pointees and casts are printed from D50506, and maybe some of the dereferencing technology as well. It might be sliiiiiightly slower, but the majority of the price is only paid when FieldChainInfo is printed, not when its constructed.

For the time being, I made a rather primitive implementation here, which should lean on the conservative side (we under approximate the set of function calls where the allocated memory was actually passed into).

Szelethus: Ugh, I gave this a shot, and its worse then expected. I think the original patch that George…
// NoStoreFuncVisitor::maybeEmitNoteForParameters, maybe by incorporating
// the printing technology in UninitializedObject's FieldChainInfo.
ArrayRef<ParmVarDecl *> Parameters = Call.parameters();
for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) {
SVal V = Call.getArgSVal(I);
if (V.getAsSymbol() == Sym)
NoQUnsubmitted
Not Done
ReplyInline Actions

Actually you know what, I'm curious about some IRL data on this.

With uninitialized variable warnings this whole thing worked out really well because there are very few reasons to pass a pointer to an uninitialized local variable into a function, other than to initialize it. There's a lot more reasons to pass allocated memory into a function than to free it though. So I'm curious whether this is going to emit unnecessary notes in such cases and we'll have to tighten this heuristic.

NoQ: Actually you know what, I'm curious about some IRL data on this. With uninitialized variable…
return emitNote(N);
}
return nullptr;
}
public:
NoOwnershipChangeVisitor(SymbolRef Sym)
: NoStateChangeFuncVisitor(bugreporter::TrackingKind::Thorough),
Sym(Sym) {}
void Profile(llvm::FoldingSetNodeID &ID) const override {
static int Tag = 0;
ID.AddPointer(&Tag);
ID.AddPointer(Sym);
}
void *getTag() const {
static int Tag = 0;
return static_cast<void *>(&Tag);
}
};
} // end anonymous namespace
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Definition of MallocBugVisitor. // Definition of MallocBugVisitor.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace {
/// The bug visitor which allows us to print extra diagnostics along the /// The bug visitor which allows us to print extra diagnostics along the
/// BugReport path. For example, showing the allocation site of the leaked /// BugReport path. For example, showing the allocation site of the leaked
/// region. /// region.
class MallocBugVisitor final : public BugReporterVisitor { class MallocBugVisitor final : public BugReporterVisitor {
protected: protected:
enum NotificationMode { Normal, ReallocationFailed }; enum NotificationMode { Normal, ReallocationFailed };
// The allocated region symbol tracked by the main analysis. // The allocated region symbol tracked by the main analysis.
▲ Show 20 LinesShow All 108 Lines▼ Show 20 Lines std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex) override {
return std::string(os.str()); return std::string(os.str());
} }
std::string getMessageForReturn(const CallExpr *CallExpr) override { std::string getMessageForReturn(const CallExpr *CallExpr) override {
return "Reallocation of returned value failed"; return "Reallocation of returned value failed";
} }
}; };
}; };
} // end anonymous namespace } // end anonymous namespace
// A map from the freed symbol to the symbol representing the return value of // A map from the freed symbol to the symbol representing the return value of
// the free function. // the free function.
REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef) REGISTER_MAP_WITH_PROGRAMSTATE(FreeReturnValue, SymbolRef, SymbolRef)
namespace { namespace {
class StopTrackingCallback final : public SymbolVisitor { class StopTrackingCallback final : public SymbolVisitor {
▲ Show 20 LinesShow All 1,711 Lines▼ Show 20 Lines if (Region && Region->canPrintPretty()) {
os << "Potential memory leak"; os << "Potential memory leak";
} }
auto R = std::make_unique<PathSensitiveBugReport>( auto R = std::make_unique<PathSensitiveBugReport>(
*BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing, *BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
AllocNode->getLocationContext()->getDecl()); AllocNode->getLocationContext()->getDecl());
R->markInteresting(Sym); R->markInteresting(Sym);
R->addVisitor<MallocBugVisitor>(Sym, true); R->addVisitor<MallocBugVisitor>(Sym, true);
if (ShouldRegisterNoOwnershipChangeVisitor)
R->addVisitor<NoOwnershipChangeVisitor>(Sym);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const CheckerContext &C) const
{ {
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
RegionStateTy OldRS = state->get<RegionState>(); RegionStateTy OldRS = state->get<RegionState>();
▲ Show 20 LinesShow All 800 Lines▼ Show 20 Linesvoid ento::registerInnerPointerCheckerAux(CheckerManager &mgr) {
checker->CheckNames[MallocChecker::CK_InnerPointerChecker] = checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
mgr.getCurrentCheckerName(); mgr.getCurrentCheckerName();
} }
void ento::registerDynamicMemoryModeling(CheckerManager &mgr) { void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
auto *checker = mgr.registerChecker<MallocChecker>(); auto *checker = mgr.registerChecker<MallocChecker>();
checker->ShouldIncludeOwnershipAnnotatedFunctions = checker->ShouldIncludeOwnershipAnnotatedFunctions =
mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic"); mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic");
checker->ShouldRegisterNoOwnershipChangeVisitor =
mgr.getAnalyzerOptions().getCheckerBooleanOption(
checker, "AddNoOwnershipChangeNotes");
} }
bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) { bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) {
return true; return true;
} }
#define REGISTER_CHECKER(name) \ #define REGISTER_CHECKER(name) \
void ento::register##name(CheckerManager &mgr) { \ void ento::register##name(CheckerManager &mgr) { \
Show All 12 Lines

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 338 Lines▼ Show 20 Lines auto P = std::make_shared<PathDiagnosticEventPiece>(
L, BR.getDescription(), Ranges.begin() == Ranges.end()); L, BR.getDescription(), Ranges.begin() == Ranges.end());
for (SourceRange Range : Ranges) for (SourceRange Range : Ranges)
P->addRange(Range); P->addRange(Range);
return P; return P;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Implementation of NoStateChangeFuncVisitor.
//===----------------------------------------------------------------------===//
bool NoStateChangeFuncVisitor::isModifiedInFrame(const ExplodedNode *N) {
const LocationContext *Ctx = N->getLocationContext();
const StackFrameContext *SCtx = Ctx->getStackFrame();
if (!FramesModifyingCalculated.count(SCtx))
findModifyingFrames(N);
return FramesModifying.count(SCtx);
}
void NoStateChangeFuncVisitor::findModifyingFrames(
const ExplodedNode *const CallExitBeginN) {
assert(CallExitBeginN->getLocationAs<CallExitBegin>());
const ExplodedNode *LastReturnN = CallExitBeginN;
const StackFrameContext *const OriginalSCtx =
CallExitBeginN->getLocationContext()->getStackFrame();
const ExplodedNode *CurrN = CallExitBeginN;
do {
ProgramStateRef State = CurrN->getState();
auto CallExitLoc = CurrN->getLocationAs<CallExitBegin>();
if (CallExitLoc) {
LastReturnN = CurrN;
}
FramesModifyingCalculated.insert(
CurrN->getLocationContext()->getStackFrame());
if (wasModifiedBeforeCallExit(CurrN, LastReturnN)) {
const StackFrameContext *SCtx = CurrN->getStackFrame();
while (!SCtx->inTopFrame()) {
auto p = FramesModifying.insert(SCtx);
if (!p.second)
break; // Frame and all its parents already inserted.
SCtx = SCtx->getParent()->getStackFrame();
}
}
// Stop calculation at the call to the current function.
if (auto CE = CurrN->getLocationAs<CallEnter>())
if (CE->getCalleeContext() == OriginalSCtx)
break;
CurrN = CurrN->getFirstPred();
} while (CurrN);
}
PathDiagnosticPieceRef NoStateChangeFuncVisitor::VisitNode(
const ExplodedNode *N, BugReporterContext &BR, PathSensitiveBugReport &R) {
const LocationContext *Ctx = N->getLocationContext();
const StackFrameContext *SCtx = Ctx->getStackFrame();
ProgramStateRef State = N->getState();
auto CallExitLoc = N->getLocationAs<CallExitBegin>();
// No diagnostic if region was modified inside the frame.
if (!CallExitLoc || isModifiedInFrame(N))
return nullptr;
CallEventRef<> Call =
BR.getStateManager().getCallEventManager().getCaller(SCtx, State);
// Optimistically suppress uninitialized value bugs that result
// from system headers having a chance to initialize the value
// but failing to do so. It's too unlikely a system header's fault.
// It's much more likely a situation in which the function has a failure
// mode that the user decided not to check. If we want to hunt such
// omitted checks, we should provide an explicit function-specific note
// describing the precondition under which the function isn't supposed to
// initialize its out-parameter, and additionally check that such
// precondition can actually be fulfilled on the current path.
if (Call->isInSystemHeader()) {
// We make an exception for system header functions that have no branches.
// Such functions unconditionally fail to initialize the variable.
// If they call other functions that have more paths within them,
// this suppression would still apply when we visit these inner functions.
// One common example of a standard function that doesn't ever initialize
// its out parameter is operator placement new; it's up to the follow-up
// constructor (if any) to initialize the memory.
if (!N->getStackFrame()->getCFG()->isLinear()) {
static int i = 0;
R.markInvalid(&i, nullptr);
}
return nullptr;
}
if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) {
// If we failed to construct a piece for self, we still want to check
// whether the entity of interest is in a parameter.
if (PathDiagnosticPieceRef Piece = maybeEmitNoteForObjCSelf(R, *MC, N))
return Piece;
}
if (const auto *CCall = dyn_cast<CXXConstructorCall>(Call)) {
// Do not generate diagnostics for not modified parameters in
// constructors.
return maybeEmitNoteForCXXThis(R, *CCall, N);
}
return maybeEmitNoteForParameters(R, *Call, N);
}
//===----------------------------------------------------------------------===//
// Implementation of NoStoreFuncVisitor. // Implementation of NoStoreFuncVisitor.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
/// Put a diagnostic on return statement of all inlined functions /// Put a diagnostic on return statement of all inlined functions
/// for which the region of interest \p RegionOfInterest was passed into, /// for which the region of interest \p RegionOfInterest was passed into,
/// but not written inside, and it has caused an undefined read or a null /// but not written inside, and it has caused an undefined read or a null
/// pointer dereference outside. /// pointer dereference outside.
class NoStoreFuncVisitor final : public BugReporterVisitor { class NoStoreFuncVisitor final : public NoStateChangeFuncVisitor {
const SubRegion *RegionOfInterest; const SubRegion *RegionOfInterest;
MemRegionManager &MmrMgr; MemRegionManager &MmrMgr;
const SourceManager &SM; const SourceManager &SM;
const PrintingPolicy &PP; const PrintingPolicy &PP;
bugreporter::TrackingKind TKind;
/// Recursion limit for dereferencing fields when looking for the /// Recursion limit for dereferencing fields when looking for the
/// region of interest. /// region of interest.
/// The limit of two indicates that we will dereference fields only once. /// The limit of two indicates that we will dereference fields only once.
static const unsigned DEREFERENCE_LIMIT = 2; static const unsigned DEREFERENCE_LIMIT = 2;
/// Frames writing into \c RegionOfInterest.
/// This visitor generates a note only if a function does not write into
/// a region of interest. This information is not immediately available
/// by looking at the node associated with the exit from the function
/// (usually the return statement). To avoid recomputing the same information
/// many times (going up the path for each node and checking whether the
/// region was written into) we instead lazily compute the
/// stack frames along the path which write into the region of interest.
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingRegion;
llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated;
using RegionVector = SmallVector<const MemRegion *, 5>; using RegionVector = SmallVector<const MemRegion *, 5>;
public: public:
NoStoreFuncVisitor(const SubRegion *R, bugreporter::TrackingKind TKind) NoStoreFuncVisitor(const SubRegion *R, bugreporter::TrackingKind TKind)
: RegionOfInterest(R), MmrMgr(R->getMemRegionManager()), : NoStateChangeFuncVisitor(TKind), RegionOfInterest(R),
MmrMgr(R->getMemRegionManager()),
SM(MmrMgr.getContext().getSourceManager()), SM(MmrMgr.getContext().getSourceManager()),
PP(MmrMgr.getContext().getPrintingPolicy()), TKind(TKind) {} PP(MmrMgr.getContext().getPrintingPolicy()) {}
void Profile(llvm::FoldingSetNodeID &ID) const override { void Profile(llvm::FoldingSetNodeID &ID) const override {
static int Tag = 0; static int Tag = 0;
ID.AddPointer(&Tag); ID.AddPointer(&Tag);
ID.AddPointer(RegionOfInterest); ID.AddPointer(RegionOfInterest);
} }
void *getTag() const { void *getTag() const {
static int Tag = 0; static int Tag = 0;
return static_cast<void *>(&Tag); return static_cast<void *>(&Tag);
} }
PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
BugReporterContext &BR,
PathSensitiveBugReport &R) override;
private: private:
/// \return Whether \c RegionOfInterest was modified at \p CurrN compared to
/// the value it holds in \p CallExitBeginN.
virtual bool
wasModifiedBeforeCallExit(const ExplodedNode *CurrN,
const ExplodedNode *CallExitBeginN) override;
/// Attempts to find the region of interest in a given record decl, /// Attempts to find the region of interest in a given record decl,
/// by either following the base classes or fields. /// by either following the base classes or fields.
/// Dereferences fields up to a given recursion limit. /// Dereferences fields up to a given recursion limit.
/// Note that \p Vec is passed by value, leading to quadratic copying cost, /// Note that \p Vec is passed by value, leading to quadratic copying cost,
/// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT. /// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT.
/// \return A chain fields leading to the region of interest or None. /// \return A chain fields leading to the region of interest or None.
const Optional<RegionVector> const Optional<RegionVector>
findRegionOfInterestInRecord(const RecordDecl *RD, ProgramStateRef State, findRegionOfInterestInRecord(const RecordDecl *RD, ProgramStateRef State,
const MemRegion *R, const RegionVector &Vec = {}, const MemRegion *R, const RegionVector &Vec = {},
int depth = 0); int depth = 0);
/// Check and lazily calculate whether the region of interest is // Region of interest corresponds to an IVar, exiting a method
/// modified in the stack frame to which \p N belongs. // which could have written into that IVar, but did not.
/// The calculation is cached in FramesModifyingRegion. virtual PathDiagnosticPieceRef
bool isRegionOfInterestModifiedInFrame(const ExplodedNode *N) { maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
const LocationContext *Ctx = N->getLocationContext(); const ObjCMethodCall &Call,
const StackFrameContext *SCtx = Ctx->getStackFrame(); const ExplodedNode *N) override final;
if (!FramesModifyingCalculated.count(SCtx))
findModifyingFrames(N); virtual PathDiagnosticPieceRef
return FramesModifyingRegion.count(SCtx); maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
} const CXXConstructorCall &Call,
const ExplodedNode *N) override final;
/// Write to \c FramesModifyingRegion all stack frames along
/// the path in the current stack frame which modify \c RegionOfInterest. virtual PathDiagnosticPieceRef
void findModifyingFrames(const ExplodedNode *N); maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,
const ExplodedNode *N) override final;
/// Consume the information on the no-store stack frame in order to /// Consume the information on the no-store stack frame in order to
/// either emit a note or suppress the report enirely. /// either emit a note or suppress the report enirely.
/// \return Diagnostics piece for region not modified in the current function, /// \return Diagnostics piece for region not modified in the current function,
/// if it decides to emit one. /// if it decides to emit one.
PathDiagnosticPieceRef PathDiagnosticPieceRef
maybeEmitNote(PathSensitiveBugReport &R, const CallEvent &Call, maybeEmitNote(PathSensitiveBugReport &R, const CallEvent &Call,
const ExplodedNode *N, const RegionVector &FieldChain, const ExplodedNode *N, const RegionVector &FieldChain,
const MemRegion *MatchedRegion, StringRef FirstElement, const MemRegion *MatchedRegion, StringRef FirstElement,
bool FirstIsReferenceType, unsigned IndirectionLevel); bool FirstIsReferenceType, unsigned IndirectionLevel);
/// Pretty-print region \p MatchedRegion to \p os. bool prettyPrintRegionName(const RegionVector &FieldChain,
/// \return Whether printing succeeded.
bool prettyPrintRegionName(StringRef FirstElement, bool FirstIsReferenceType,
const MemRegion *MatchedRegion, const MemRegion *MatchedRegion,
const RegionVector &FieldChain, StringRef FirstElement, bool FirstIsReferenceType,
int IndirectionLevel, unsigned IndirectionLevel,
llvm::raw_svector_ostream &os); llvm::raw_svector_ostream &os);
/// Print first item in the chain, return new separator. StringRef prettyPrintFirstElement(StringRef FirstElement,
static StringRef prettyPrintFirstElement(StringRef FirstElement,
bool MoreItemsExpected, bool MoreItemsExpected,
int IndirectionLevel, int IndirectionLevel,
llvm::raw_svector_ostream &os); llvm::raw_svector_ostream &os);
}; };
} // namespace
} // end of anonymous namespace
/// \return Whether the method declaration \p Parent /// \return Whether the method declaration \p Parent
/// syntactically has a binary operation writing into the ivar \p Ivar. /// syntactically has a binary operation writing into the ivar \p Ivar.
static bool potentiallyWritesIntoIvar(const Decl *Parent, static bool potentiallyWritesIntoIvar(const Decl *Parent,
const ObjCIvarDecl *Ivar) { const ObjCIvarDecl *Ivar) {
using namespace ast_matchers; using namespace ast_matchers;
const char *IvarBind = "Ivar"; const char *IvarBind = "Ivar";
if (!Parent || !Parent->hasBody()) if (!Parent || !Parent->hasBody())
Show All 18 Lines if (const auto *DRE = dyn_cast<DeclRefExpr>(Base))
if (ID->getParameterKind() == ImplicitParamDecl::ObjCSelf) if (ID->getParameterKind() == ImplicitParamDecl::ObjCSelf)
return true; return true;
return false; return false;
} }
return false; return false;
} }
/// Get parameters associated with runtime definition in order
/// to get the correct parameter name.
static ArrayRef<ParmVarDecl *> getCallParameters(CallEventRef<> Call) {
// Use runtime definition, if available.
RuntimeDefinition RD = Call->getRuntimeDefinition();
if (const auto *FD = dyn_cast_or_null<FunctionDecl>(RD.getDecl()))
return FD->parameters();
if (const auto *MD = dyn_cast_or_null<ObjCMethodDecl>(RD.getDecl()))
return MD->parameters();
return Call->parameters();
}
/// \return whether \p Ty points to a const type, or is a const reference.
static bool isPointerToConst(QualType Ty) {
return !Ty->getPointeeType().isNull() &&
Ty->getPointeeType().getCanonicalType().isConstQualified();
}
/// Attempts to find the region of interest in a given CXX decl, /// Attempts to find the region of interest in a given CXX decl,
/// by either following the base classes or fields. /// by either following the base classes or fields.
/// Dereferences fields up to a given recursion limit. /// Dereferences fields up to a given recursion limit.
/// Note that \p Vec is passed by value, leading to quadratic copying cost, /// Note that \p Vec is passed by value, leading to quadratic copying cost,
/// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT. /// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT.
/// \return A chain fields leading to the region of interest or None. /// \return A chain fields leading to the region of interest or None.
const Optional<NoStoreFuncVisitor::RegionVector> const Optional<NoStoreFuncVisitor::RegionVector>
NoStoreFuncVisitor::findRegionOfInterestInRecord( NoStoreFuncVisitor::findRegionOfInterestInRecord(
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines if (const RecordDecl *RRD = PT->getAsRecordDecl())
findRegionOfInterestInRecord(RRD, State, VR, VecF, depth + 1)) findRegionOfInterestInRecord(RRD, State, VR, VecF, depth + 1))
return Out; return Out;
} }
return None; return None;
} }
PathDiagnosticPieceRef PathDiagnosticPieceRef
NoStoreFuncVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BR, NoStoreFuncVisitor::maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
PathSensitiveBugReport &R) { const ObjCMethodCall &Call,
const ExplodedNode *N) {
const LocationContext *Ctx = N->getLocationContext();
const StackFrameContext *SCtx = Ctx->getStackFrame();
ProgramStateRef State = N->getState();
auto CallExitLoc = N->getLocationAs<CallExitBegin>();
// No diagnostic if region was modified inside the frame.
if (!CallExitLoc || isRegionOfInterestModifiedInFrame(N))
return nullptr;
CallEventRef<> Call =
BR.getStateManager().getCallEventManager().getCaller(SCtx, State);
// Region of interest corresponds to an IVar, exiting a method
// which could have written into that IVar, but did not.
if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) {
if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) { if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) {
const MemRegion *SelfRegion = MC->getReceiverSVal().getAsRegion(); const MemRegion *SelfRegion = Call.getReceiverSVal().getAsRegion();
if (RegionOfInterest->isSubRegionOf(SelfRegion) && if (RegionOfInterest->isSubRegionOf(SelfRegion) &&
potentiallyWritesIntoIvar(Call->getRuntimeDefinition().getDecl(), potentiallyWritesIntoIvar(Call.getRuntimeDefinition().getDecl(),
IvarR->getDecl())) IvarR->getDecl()))
return maybeEmitNote(R, *Call, N, {}, SelfRegion, "self", return maybeEmitNote(R, Call, N, {}, SelfRegion, "self",
/*FirstIsReferenceType=*/false, 1); /*FirstIsReferenceType=*/false, 1);
} }
return nullptr;
} }
if (const auto *CCall = dyn_cast<CXXConstructorCall>(Call)) { PathDiagnosticPieceRef
const MemRegion *ThisR = CCall->getCXXThisVal().getAsRegion(); NoStoreFuncVisitor::maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
if (RegionOfInterest->isSubRegionOf(ThisR) && const CXXConstructorCall &Call,
!CCall->getDecl()->isImplicit()) const ExplodedNode *N) {
return maybeEmitNote(R, *Call, N, {}, ThisR, "this", const MemRegion *ThisR = Call.getCXXThisVal().getAsRegion();
if (RegionOfInterest->isSubRegionOf(ThisR) && !Call.getDecl()->isImplicit())
return maybeEmitNote(R, Call, N, {}, ThisR, "this",
/*FirstIsReferenceType=*/false, 1); /*FirstIsReferenceType=*/false, 1);
// Do not generate diagnostics for not modified parameters in // Do not generate diagnostics for not modified parameters in
// constructors. // constructors.
return nullptr; return nullptr;
} }
ArrayRef<ParmVarDecl *> parameters = getCallParameters(Call); /// \return whether \p Ty points to a const type, or is a const reference.
for (unsigned I = 0; I < Call->getNumArgs() && I < parameters.size(); ++I) { static bool isPointerToConst(QualType Ty) {
const ParmVarDecl *PVD = parameters[I]; return !Ty->getPointeeType().isNull() &&
SVal V = Call->getArgSVal(I); Ty->getPointeeType().getCanonicalType().isConstQualified();
}
PathDiagnosticPieceRef NoStoreFuncVisitor::maybeEmitNoteForParameters(
PathSensitiveBugReport &R, const CallEvent &Call, const ExplodedNode *N) {
ArrayRef<ParmVarDecl *> Parameters = Call.parameters();
for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) {
const ParmVarDecl *PVD = Parameters[I];
SVal V = Call.getArgSVal(I);
bool ParamIsReferenceType = PVD->getType()->isReferenceType(); bool ParamIsReferenceType = PVD->getType()->isReferenceType();
std::string ParamName = PVD->getNameAsString(); std::string ParamName = PVD->getNameAsString();
int IndirectionLevel = 1; unsigned IndirectionLevel = 1;
QualType T = PVD->getType(); QualType T = PVD->getType();
while (const MemRegion *MR = V.getAsRegion()) { while (const MemRegion *MR = V.getAsRegion()) {
if (RegionOfInterest->isSubRegionOf(MR) && !isPointerToConst(T)) if (RegionOfInterest->isSubRegionOf(MR) && !isPointerToConst(T))
return maybeEmitNote(R, *Call, N, {}, MR, ParamName, return maybeEmitNote(R, Call, N, {}, MR, ParamName,
ParamIsReferenceType, IndirectionLevel); ParamIsReferenceType, IndirectionLevel);
QualType PT = T->getPointeeType(); QualType PT = T->getPointeeType();
if (PT.isNull() || PT->isVoidType()) if (PT.isNull() || PT->isVoidType())
break; break;
ProgramStateRef State = N->getState();
if (const RecordDecl *RD = PT->getAsRecordDecl()) if (const RecordDecl *RD = PT->getAsRecordDecl())
if (Optional<RegionVector> P = if (Optional<RegionVector> P =
findRegionOfInterestInRecord(RD, State, MR)) findRegionOfInterestInRecord(RD, State, MR))
return maybeEmitNote(R, *Call, N, *P, RegionOfInterest, ParamName, return maybeEmitNote(R, Call, N, *P, RegionOfInterest, ParamName,
ParamIsReferenceType, IndirectionLevel); ParamIsReferenceType, IndirectionLevel);
V = State->getSVal(MR, PT); V = State->getSVal(MR, PT);
T = PT; T = PT;
IndirectionLevel++; IndirectionLevel++;
} }
} }
return nullptr; return nullptr;
} }
void NoStoreFuncVisitor::findModifyingFrames(const ExplodedNode *N) { bool NoStoreFuncVisitor::wasModifiedBeforeCallExit(
assert(N->getLocationAs<CallExitBegin>()); const ExplodedNode *CurrN, const ExplodedNode *CallExitBeginN) {
ProgramStateRef LastReturnState = N->getState(); return ::wasRegionOfInterestModifiedAt(
SVal ValueAtReturn = LastReturnState->getSVal(RegionOfInterest); RegionOfInterest, CurrN,
const LocationContext *Ctx = N->getLocationContext(); CallExitBeginN->getState()->getSVal(RegionOfInterest));
const StackFrameContext *OriginalSCtx = Ctx->getStackFrame();
do {
ProgramStateRef State = N->getState();
auto CallExitLoc = N->getLocationAs<CallExitBegin>();
if (CallExitLoc) {
LastReturnState = State;
ValueAtReturn = LastReturnState->getSVal(RegionOfInterest);
}
FramesModifyingCalculated.insert(N->getLocationContext()->getStackFrame());
if (wasRegionOfInterestModifiedAt(RegionOfInterest, N, ValueAtReturn)) {
const StackFrameContext *SCtx = N->getStackFrame();
while (!SCtx->inTopFrame()) {
auto p = FramesModifyingRegion.insert(SCtx);
if (!p.second)
break; // Frame and all its parents already inserted.
SCtx = SCtx->getParent()->getStackFrame();
}
}
// Stop calculation at the call to the current function.
if (auto CE = N->getLocationAs<CallEnter>())
if (CE->getCalleeContext() == OriginalSCtx)
break;
N = N->getFirstPred();
} while (N);
} }
static llvm::StringLiteral WillBeUsedForACondition = static llvm::StringLiteral WillBeUsedForACondition =
", which participates in a condition later"; ", which participates in a condition later";
PathDiagnosticPieceRef NoStoreFuncVisitor::maybeEmitNote( PathDiagnosticPieceRef NoStoreFuncVisitor::maybeEmitNote(
PathSensitiveBugReport &R, const CallEvent &Call, const ExplodedNode *N, PathSensitiveBugReport &R, const CallEvent &Call, const ExplodedNode *N,
const RegionVector &FieldChain, const MemRegion *MatchedRegion, const RegionVector &FieldChain, const MemRegion *MatchedRegion,
StringRef FirstElement, bool FirstIsReferenceType, StringRef FirstElement, bool FirstIsReferenceType,
unsigned IndirectionLevel) { unsigned IndirectionLevel) {
// Optimistically suppress uninitialized value bugs that result
// from system headers having a chance to initialize the value
// but failing to do so. It's too unlikely a system header's fault.
// It's much more likely a situation in which the function has a failure
// mode that the user decided not to check. If we want to hunt such
// omitted checks, we should provide an explicit function-specific note
// describing the precondition under which the function isn't supposed to
// initialize its out-parameter, and additionally check that such
// precondition can actually be fulfilled on the current path.
if (Call.isInSystemHeader()) {
// We make an exception for system header functions that have no branches.
// Such functions unconditionally fail to initialize the variable.
// If they call other functions that have more paths within them,
// this suppression would still apply when we visit these inner functions.
// One common example of a standard function that doesn't ever initialize
// its out parameter is operator placement new; it's up to the follow-up
// constructor (if any) to initialize the memory.
if (!N->getStackFrame()->getCFG()->isLinear())
R.markInvalid(getTag(), nullptr);
return nullptr;
}
PathDiagnosticLocation L = PathDiagnosticLocation L =
PathDiagnosticLocation::create(N->getLocation(), SM); PathDiagnosticLocation::create(N->getLocation(), SM);
// For now this shouldn't trigger, but once it does (as we add more // For now this shouldn't trigger, but once it does (as we add more
// functions to the body farm), we'll need to decide if these reports // functions to the body farm), we'll need to decide if these reports
// are worth suppressing as well. // are worth suppressing as well.
if (!L.hasValidLocation()) if (!L.hasValidLocation())
return nullptr; return nullptr;
SmallString<256> sbuf; SmallString<256> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
os << "Returning without writing to '"; os << "Returning without writing to '";
// Do not generate the note if failed to pretty-print. // Do not generate the note if failed to pretty-print.
if (!prettyPrintRegionName(FirstElement, FirstIsReferenceType, MatchedRegion, if (!prettyPrintRegionName(FieldChain, MatchedRegion, FirstElement,
FieldChain, IndirectionLevel, os)) FirstIsReferenceType, IndirectionLevel, os))
return nullptr; return nullptr;
os << "'"; os << "'";
if (TKind == bugreporter::TrackingKind::Condition) if (TKind == bugreporter::TrackingKind::Condition)
os << WillBeUsedForACondition; os << WillBeUsedForACondition;
return std::make_shared<PathDiagnosticEventPiece>(L, os.str()); return std::make_shared<PathDiagnosticEventPiece>(L, os.str());
} }
bool NoStoreFuncVisitor::prettyPrintRegionName(StringRef FirstElement, bool NoStoreFuncVisitor::prettyPrintRegionName(const RegionVector &FieldChain,
bool FirstIsReferenceType,
const MemRegion *MatchedRegion, const MemRegion *MatchedRegion,
const RegionVector &FieldChain, StringRef FirstElement,
int IndirectionLevel, bool FirstIsReferenceType,
unsigned IndirectionLevel,
llvm::raw_svector_ostream &os) { llvm::raw_svector_ostream &os) {
if (FirstIsReferenceType) if (FirstIsReferenceType)
IndirectionLevel--; IndirectionLevel--;
RegionVector RegionSequence; RegionVector RegionSequence;
// Add the regions in the reverse order, then reverse the resulting array. // Add the regions in the reverse order, then reverse the resulting array.
▲ Show 20 LinesShow All 2,523 LinesShow Last 20 Lines

clang/test/Analysis/NewDeleteLeaks.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -verify -analyzer-output=text %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=cplusplus \
// RUN: -analyzer-checker=unix \
// RUN: -analyzer-config \
// RUN: unix.DynamicMemoryModeling:AddNoOwnershipChangeNotes=false
// RUN: %clang_analyze_cc1 -verify=expected,ownership -analyzer-output=text %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=cplusplus \
// RUN: -analyzer-checker=unix \
// RUN: -analyzer-config \
// RUN: unix.DynamicMemoryModeling:AddNoOwnershipChangeNotes=true
#include "Inputs/system-header-simulator-for-malloc.h"
//===----------------------------------------------------------------------===//
// Report for which we expect NoOwnershipChangeVisitor to add a new note.
//===----------------------------------------------------------------------===//
bool coin();
namespace memory_allocated_in_fn_call {
void sink(int *P) {
} // ownership-note {{Returning without deallocating memory or storing the pointer for later deallocation}}
void foo() {
sink(new int(5)); // expected-note {{Memory is allocated}}
// ownership-note@-1 {{Calling 'sink'}}
// ownership-note@-2 {{Returning from 'sink'}}
} // expected-warning {{Potential memory leak [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential memory leak}}
} // namespace memory_allocated_in_fn_call
namespace memory_passed_to_fn_call {
void sink(int *P) {
if (coin()) // ownership-note {{Assuming the condition is false}}
// ownership-note@-1 {{Taking false branch}}
delete P;
} // ownership-note {{Returning without deallocating memory or storing the pointer for later deallocation}}
void foo() {
int *ptr = new int(5); // expected-note {{Memory is allocated}}
sink(ptr); // ownership-note {{Calling 'sink'}}
// ownership-note@-1 {{Returning from 'sink'}}
} // expected-warning {{Potential leak of memory pointed to by 'ptr' [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential leak}}
} // namespace memory_passed_to_fn_call
namespace memory_shared_with_ptr_of_shorter_lifetime {
void sink(int *P) {
int *Q = P;
if (coin()) // ownership-note {{Assuming the condition is false}}
// ownership-note@-1 {{Taking false branch}}
delete P;
(void)Q;
} // ownership-note {{Returning without deallocating memory or storing the pointer for later deallocation}}
void foo() {
int *ptr = new int(5); // expected-note {{Memory is allocated}}
sink(ptr); // ownership-note {{Calling 'sink'}}
// ownership-note@-1 {{Returning from 'sink'}}
} // expected-warning {{Potential leak of memory pointed to by 'ptr' [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential leak}}
} // namespace memory_shared_with_ptr_of_shorter_lifetime
//===----------------------------------------------------------------------===//
// Report for which we *do not* expect NoOwnershipChangeVisitor add a new note,
// nor do we want it to.
//===----------------------------------------------------------------------===//
namespace memory_not_passed_to_fn_call {
void sink(int *P) {
if (coin())
delete P;
}
void foo() {
int *ptr = new int(5); // expected-note {{Memory is allocated}}
int *q = nullptr;
sink(q);
(void)ptr;
} // expected-warning {{Potential leak of memory pointed to by 'ptr' [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential leak}}
} // namespace memory_not_passed_to_fn_call
namespace memory_shared_with_ptr_of_same_lifetime {
void sink(int *P, int **Q) {
// NOTE: Not a job of NoOwnershipChangeVisitor, but maybe this could be
// highlighted still?
*Q = P;
}
void foo() {
int *ptr = new int(5); // expected-note {{Memory is allocated}}
int *q = nullptr;
sink(ptr, &q);
} // expected-warning {{Potential leak of memory pointed to by 'q' [cplusplus.NewDeleteLeaks]}}
NoQUnsubmitted
Not Done
ReplyInline Actions

How do you think this is different from the very first test, memory_allocated_in_fn_call()? Is this just because of how the pointer is put into a variable first? This function is kinda still the only place that could free memory.

NoQ: How do you think this is different from the very first test, `memory_allocated_in_fn_call()`?
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

That was my idea, yes, but you have a point there...

Szelethus: That was my idea, yes, but you have a point there...
// expected-note@-1 {{Potential leak}}
} // namespace memory_shared_with_ptr_of_same_lifetime
// TODO: We don't want a note here. sink() doesn't seem like a function that
// even attempts to take care of any memory ownership problems.
namespace memory_passed_into_fn_that_doesnt_intend_to_free {
void sink(int *P) {
} // ownership-note {{Returning without deallocating memory or storing the pointer for later deallocation}}
void foo() {
int *ptr = new int(5); // expected-note {{Memory is allocated}}
sink(ptr); // ownership-note {{Calling 'sink'}}
// ownership-note@-1 {{Returning from 'sink'}}
} // expected-warning {{Potential leak of memory pointed to by 'ptr' [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential leak}}
} // namespace memory_passed_into_fn_that_doesnt_intend_to_free
namespace refkind_from_unoallocated_to_allocated {
// RefKind of the symbol changed from nothing to Allocated. We don't want to
// emit notes when the RefKind changes in the stack frame.
static char *malloc_wrapper_ret() {
return (char *)malloc(12); // expected-note {{Memory is allocated}}
}
void use_ret() {
char *v;
v = malloc_wrapper_ret(); // expected-note {{Calling 'malloc_wrapper_ret'}}
// expected-note@-1 {{Returned allocated memory}}
} // expected-warning {{Potential leak of memory pointed to by 'v' [unix.Malloc]}}
// expected-note@-1 {{Potential leak of memory pointed to by 'v'}}
} // namespace refkind_from_unoallocated_to_allocated

clang/test/Analysis/analyzer-config.c

Show First 20 LinesShow All 110 Lines▼ Show 20 Lines
// CHECK-NEXT: serialize-stats = false // CHECK-NEXT: serialize-stats = false
// CHECK-NEXT: silence-checkers = "" // CHECK-NEXT: silence-checkers = ""
// CHECK-NEXT: stable-report-filename = false // CHECK-NEXT: stable-report-filename = false
// CHECK-NEXT: suppress-c++-stdlib = true // CHECK-NEXT: suppress-c++-stdlib = true
// CHECK-NEXT: suppress-inlined-defensive-checks = true // CHECK-NEXT: suppress-inlined-defensive-checks = true
// CHECK-NEXT: suppress-null-return-paths = true // CHECK-NEXT: suppress-null-return-paths = true
// CHECK-NEXT: track-conditions = true // CHECK-NEXT: track-conditions = true
// CHECK-NEXT: track-conditions-debug = false // CHECK-NEXT: track-conditions-debug = false
// CHECK-NEXT: unix.DynamicMemoryModeling:AddNoOwnershipChangeNotes = false
// CHECK-NEXT: unix.DynamicMemoryModeling:Optimistic = false // CHECK-NEXT: unix.DynamicMemoryModeling:Optimistic = false
// CHECK-NEXT: unroll-loops = false // CHECK-NEXT: unroll-loops = false
// CHECK-NEXT: widen-loops = false // CHECK-NEXT: widen-loops = false