This is an archive of the discontinued LLVM Phabricator instance.


Differential D105821

[analyzer] [WIP] Model destructor for std::unique_ptr
Needs Review · Public

Authored by RedDocMD on Jul 12 2021, 8:37 AM.


Details

Reviewers

NoQ
vsavchenko
xazax.hun
teemperor

Summary

This is probably a "throw-away" patch which attempts
to model automatic implicit destructor calls.

Diff Detail

Repository: rG LLVM Github Monorepo

Unit Tests: Failed

	Time	Test
	800 ms	x64 debian > Clang.Analysis::string.c
	2,810 ms	x64 debian > libarcher.critical::critical.c
	3,070 ms	x64 debian > libarcher.races::critical-unrelated.c
	2,780 ms	x64 debian > libarcher.races::lock-nested-unrelated.c
	2,890 ms	x64 debian > libarcher.races::lock-unrelated.c
		View Full Test Results (21 Failed)

Event Timeline

RedDocMD created this revision. (Jul 12 2021, 8:37 AM)

Herald added subscribers: manas, steakhal, ASDenysPetrov and 9 others. (Jul 12 2021, 8:37 AM)

RedDocMD requested review of this revision. (Jul 12 2021, 8:37 AM)

Herald added a project: Restricted Project. (Jul 12 2021, 8:37 AM)

Herald added a subscriber: cfe-commits.

Harbormaster completed remote builds in B113514: Diff 357954. (Jul 12 2021, 9:12 AM)

Cleanup, still doesn't work

Harbormaster completed remote builds in B114153: Diff 358839. (Jul 14 2021, 10:27 PM)

Removed one bug, many more to go

Harbormaster completed remote builds in B114260: Diff 358998. (Jul 15 2021, 10:55 AM)

Retrieving patch

Reformat

Minimal modelling of destructor

This is a minimal model of destructors in smart-ptr.
Other than the need to probably model the destructor of the pointee, is there anything else to do?

Harbormaster completed remote builds in B115155: Diff 360218. (Jul 20 2021, 1:43 PM)

Yes, I think this should work.

You're invalidating fewer regions than a normal destructor invalidation would have caused (e.g., you're not touching globals). One way to emulate that precisely would be to construct a CallEvent for the destructor and invoke CallEvent::invalidateRegions() on it. That should be relatively easy, given that we don't need a pointee destructor expression for this to work (destructors don't typically have expressions anyway). It will be much harder for make_unique and the constructor, because the constructor would demand a construct-expression.

Also it makes sense to omit the invalidation when the pointee type doesn't have a destructor.
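
As a rough analogy in plain C++ (not analyzer code), "the pointee type doesn't have a destructor" resembles asking whether the type is trivially destructible. The sketch below uses the standard `std::is_trivially_destructible` trait. The helper `needsPointeeInvalidation`, the self-check function, and the two sample types are hypothetical names introduced only for illustration; the checker itself would have to answer this question from the AST.

```cpp
#include <cassert>
#include <type_traits>

// Hypothetical sample types, for illustration only.
struct Plain {
  int value;  // trivial destructor: destroying it runs no user code
};

struct Owner {
  int *ptr;
  ~Owner() { delete ptr; }  // user-provided destructor: arbitrary code may run
};

// Hypothetical helper: true when destroying a T may run user code, so a
// conservative model would have to invalidate whatever that code can reach.
template <typename T>
constexpr bool needsPointeeInvalidation() {
  return !std::is_trivially_destructible<T>::value;
}

// Small self-check; call it from main() to exercise the helper.
inline void checkInvalidationPredicate() {
  assert(!needsPointeeInvalidation<int>());
  assert(!needsPointeeInvalidation<Plain>());
  assert(needsPointeeInvalidation<Owner>());
}
```

Under this analogy, a `std::unique_ptr<int>` would need no pointee invalidation at all, while a `std::unique_ptr<Owner>` would.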

But before we go there we should decide whether we want to actually go for inlining (or otherwise default-evaluating) these destructors. If we do, we should probably not spend too much time on improving invalidation in the checker, because default evaluation would do that properly for us anyway (well, it doesn't really dodge any problems such as the absence of the necessary AST so we'll probably have to solve all these problems anyway, just in a different setting). So it's great that we've fixed evalCall for destructors, this could definitely land as a separate patch (tested via debug.AnalysisOrder), but we really need to think what to do next here. So I recommend gathering some data to see if proper destructor evaluation is actually a real problem.

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
398	`{}` are unnecessary because `llvm::ArrayRef` is implicitly constructible out of a single value. The null expression situation shouldn't be too harmful given that we're already doing this for conservatively evaluated destructors outside of `evalCall()`. That said, it's still actively incorrect: because the expression is part of the symbol's identity, it causes us to use the same abstract symbol for different actual runtime values. I guess a proper fix would involve updating the identity of a `SymbolConjured` to include a `CFGElementRef` instead of a statement. Or, well, building a better `SVal` kind (or maybe even a non-value "marker") specifically for invalidation purposes, which would capture an explanation for invalidation and the role that the value played in it (was it an unknown return value? an unknown out-parameter value? a default value covering invalidated globals? a checker-specific value?) which we could introspect later (say, for suppression purposes). This doesn't seem to be urgent though.

But before we go there we should decide whether we want to actually go for inlining (or otherwise default-evaluating) these destructors. If we do, we should probably not spend too much time on improving invalidation in the checker, because default evaluation would do that properly for us anyway (well, it doesn't really dodge any problems such as the absence of the necessary AST so we'll probably have to solve all these problems anyway, just in a different setting). So it's great that we've fixed evalCall for destructors, this could definitely land as a separate patch (tested via debug.AnalysisOrder), but we really need to think what to do next here. So I recommend gathering some data to see if proper destructor evaluation is actually a real problem.

MallocChecker doesn't seem to mind not evaluating destructors properly. With the current version of the patch, the following code doesn't emit any warnings:

#include <cstdlib> // for free()

class SillyPtr {
	int *ptr;
	bool wasMalloced;
public:
	SillyPtr(int *ptr, bool wasMalloced = false) : 
			ptr(ptr), 
			wasMalloced(wasMalloced) {}
	~SillyPtr() {
		if (wasMalloced) free(ptr);
		else delete ptr;
	}
};

void foo() {
	int *ptr = new int(13);
	SillyPtr silly(ptr);
	// No leak here!
}

I am going to remove the debug dumps and run this patch on the projects in the clang/utils/analyzer/projects folder. If I don't find any false positives caused by this lack of modelling, then I think we can defer the proper handling of destructors (i.e., finishing up the invalidation) and move on to the other remaining problems (notes on get(), for instance).

the following code doesn't emit any warnings

This code doesn't seem to have any unique_ptrs in it? It's not like you're modeling this custom class as well? Can you try the same with the actual unique_ptr?

In D105821#2897006, @NoQ wrote:

the following code doesn't emit any warnings

This code doesn't seem to have any unique_ptrs in it? It's not like you're modeling this custom class as well? Can you try the same with the actual unique_ptr?

The following code emits a warning for leaked memory:

#include <memory>

class Lame {
	int *ptr;
public:
	explicit Lame(int *ptr) : ptr(ptr) {}
	~Lame() { delete ptr; }
};

void foo() {
	int *ptr = new int(13);
	auto smart = std::make_unique<Lame>(ptr);
	// No leak here
}

It seems that there is a flaw in the way I was testing for warnings.
Why does the following command not display the warnings?

./llvm/release/bin/clang -std=c++17 -Xclang -analyze -Xclang -analyzer-checker=core,cplusplus.Move,cplusplus.NewDelete,alpha.cplusplus.SmartPtr -Xclang -analyzer-output=text -Xclang -analyzer-config -Xclang cplusplus.SmartPtrModeling:ModelSmartPtrDereference=true -c lame-class.cpp

Removed a fatal bug

Harbormaster completed remote builds in B116127: Diff 361581. (Jul 25 2021, 11:00 PM)

In D105821#2903606, @RedDocMD wrote:

The following code emits a warning for leaked memory:
...
Why does the following command not display the warnings?

Wait, what's the difference between this command and the command that did emit the warning for you?

With that specific invocation, a few things are going on. First, cplusplus.NewDeleteLeaks is missing. Second, std::make_unique isn't actually getting modeled but inlined instead (I have all your patches pulled and this patch applied; and the object-under-construction seems to be available later, in both C++11 and C++17, so it's kinda weird and needs more debugging). Apart from those, I think the reason this doesn't warn is that the pointer is technically put on the heap (when stored into Lame::ptr), which makes it accessible to the entire program and therefore potentially deletable by anybody, so we suppress the warning. It's kinda frustrating, but we already have the opposite problem for locals and we don't really know how to solve either of those: D71041#inline-641497, the reverted D71152, etc.

So basically it sounds like this is indeed not going to be too big of a problem, given that memory managed by unique_ptr is always heap memory, so everything that's ever put there during analysis is never going to produce any leak warnings. Maybe we could indeed get away with conservative modeling of constructors (inside make_unique) and destructors.

We do need conservative modeling of constructors in make_unique though, otherwise your pointer never reaches Lame::ptr which means an actual leak warning.

In D105821#2904870, @NoQ wrote:

std::make_unique isn't actually getting modeled but inlined instead (I have all your patches pulled and this patch applied; and the object-under-construction seems to be available later, in both C++11 and C++17, so it's kinda weird and needs more debugging)

Uh-oh, sorry, wrong clang! std::make_unique is indeed modeled. I think the only problem with your invocation is the missing checker. And it also indeed confirms my suggestion that the constructor inside make_unique should be modeled, at least conservatively like we did with destructor.

Invalidating via the CallEvent

Harbormaster completed remote builds in B116638: Diff 362310. (Jul 28 2021, 3:41 AM)

No, that's the wrong destructor. We don't want to invalidate the smart pointer; we've already modeled it precisely. What I meant was to construct a new CallEvent (through CallEventManager) for the destructor of the pointee and use that.

Ah I see.
As a side note, without the "redundant" invalidation that is being done, the analyzer crashes on shared_ptr. (Because the State essentially remains the same and that's what causes the crash).

Regardless of the kind of pointer, sounds like we need to do something about that API quirk. Eg., it *must* be possible to model a destructor of a std::unique_ptr<int> as a no-op when the tracked raw pointer value is an UnknownVal.

vsavchenko added inline comments. (Jul 29 2021, 4:13 AM)

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
147	And why can't we pass `STD_PTR_NAMES` directly to `llvm::is_contained`?
393–402	I suggest adding a ton of comments with the reasoning behind these actions.
396	And if it happens, are we going to crash with an assertion failure?
437–439	Okay, I'm either missing something or this condition is missing `!` here.

RedDocMD added inline comments. (Jul 29 2021, 5:45 AM)

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
437–439	And that's the ghost bug I have been chasing around for the last few hours. Thanks :)

RedDocMD added inline comments. (Jul 29 2021, 5:49 AM)

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
147	Ooh, so there is an overload for that as well. :)
396	Assuming assertions are enabled, that is.
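
The `llvm::is_contained` remark on line 147 can be illustrated without LLVM. The sketch below uses a hypothetical range-based helper, `isContained`, as a stand-in (it is not LLVM's implementation) to show why a fixed array of names can be searched directly, with no intermediate container. The contents of `kStdPtrNames` are an assumption: they mirror the three names in the condition this patch replaces, since the definition of `STD_PTR_NAMES` is not shown in the diff.

```cpp
#include <algorithm>
#include <cassert>
#include <iterator>
#include <string>

// Assumed contents, taken from the condition that the patch replaces.
static const char *const kStdPtrNames[] = {"shared_ptr", "unique_ptr",
                                           "weak_ptr"};

// Hypothetical stand-in for a range-based "contains" helper: works on any
// range that std::begin/std::end accept, including built-in arrays.
template <typename Range, typename T>
bool isContained(const Range &range, const T &value) {
  return std::find(std::begin(range), std::end(range), value) !=
         std::end(range);
}

bool isStdSmartPtrName(const std::string &name) {
  return isContained(kStdPtrNames, name);
}

// Small self-check; call it from main() to exercise the helper.
inline void checkSmartPtrNames() {
  assert(isStdSmartPtrName("unique_ptr"));
  assert(!isStdSmartPtrName("auto_ptr"));
}
```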

Bug fixes, some cleanup

vsavchenko added inline comments. (Jul 29 2021, 5:52 AM)

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
396	We should never crash or fail on valid C++ code. We can abandon everything, or forbid the checker from reporting anything on a function that contains something we don't know how to handle properly, but we must never fail the overall analysis process because of that.
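
The difference between asserting and bailing out can be sketched in isolation. The toy function below is hypothetical: it is not the checker's `evalCall`, and it only mimics the contract visible in this patch, where returning `false` declines to model the call. An unexpected argument kind produces `false` rather than an assertion failure, so the analysis of valid code can continue.

```cpp
#include <cassert>
#include <string>

// Hypothetical, simplified model of "evaluate a constructor call".
// Returns true if the call was modeled, false to decline and let some
// default handling take over.
bool toyEvalConstructor(const std::string &className, bool firstArgIsPointer) {
  if (className != "unique_ptr")
    return false;  // not a class this toy model knows about

  if (!firstArgIsPointer)
    return false;  // unexpected input: decline instead of asserting

  // ... the actual modeling would happen here ...
  return true;
}

// Small self-check; call it from main() to exercise the function.
inline void checkToyEvalConstructor() {
  assert(toyEvalConstructor("unique_ptr", true));
  assert(!toyEvalConstructor("unique_ptr", false));
}
```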

RedDocMD added inline comments. (Jul 29 2021, 5:55 AM)

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
396	Ah right, I should have put in a TODO. This assert was put to see how often I run into this (none so far). It must be removed before this patch is accepted.

Put in a TODO

Harbormaster completed remote builds in B116951: Diff 362741. (Jul 29 2021, 7:03 AM)

On running this patch on the projects directory, a bunch of projects emit false-positives: mostly of the form Potential memory leak. This points to the fact that without calling the destructor of the pointee type, we are going to have a lot of false positives (408 for one project is the worst I have seen). I have attached the result file.

destructor1.txt (89 KB)

Invalidating using inner pointer destructor call

In D105821#2914082, @RedDocMD wrote:

On running this patch on the projects directory, a bunch of projects emit false-positives: mostly of the form Potential memory leak. This points to the fact that without calling the destructor of the pointee type, we are going to have a lot of false positives (408 for one project is the worst I have seen). I have attached the result file.

Can you attach all or some of the newly found html reports?

Is this about invalidation in ~unique_ptr() modeling being insufficient, or about us not doing anything at all with pointee on other occasions such as .reset() or might it be that the lack of invalidation for constructor inside make_unique() also plays its part?

Harbormaster completed remote builds in B117217: Diff 363138. (Jul 30 2021, 11:27 AM)

Well some of them are exactly the same type as the Lame class example above. Like: simbody/report-TestArray.cpp-testMoveConstructionAndAssignment-27-1.html#EndPath. (So the incomplete modelling of the destructor is at least one cause. The other reason that you suggested might as well be true).
Btw, the destructor1.txt file from my previous comment should be used to drill down the newly added reports. (Sorry for the inconvenience, sshfs is really slow and so it was more convenient to tar the whole folder and scp it).

simbody.tar.xz (7 MB)
fmt.tar.xz (477 KB)
faiss.tar.xz (212 KB)
re2.tar.xz (233 KB)
oatpp.tar.xz (45 KB)
drogon.tar.xz (75 KB)

Well some of them are exactly the same type as the Lame class example above. Like: simbody/report-TestArray.cpp-testMoveConstructionAndAssignment-27-1.html#EndPath. (So the incomplete modelling of the destructor is at least one cause. The other reason that you suggested might as well be true).

The problem with the Lame class above was the constructor in make_unique, not the destructor.

But more importantly, in this case the destructor most likely isn't responsible for freeing memory. The push_back() method most likely *moves* the smart pointer into the array, so by the time ~unique_ptr() hits the smart pointer is already empty, there's nothing to free. What we're missing is a "pointer escape" event for the raw pointer. It sounds like a feature we have to implement: when the smart pointer region pointer-escapes (in this case, due to being passed into an unknown function via rvalue reference), the raw pointer region should also pointer-escape. (Or, if push_back() is inlined then there's a different reason for escape, something along the lines of getting move-assigned into the heap, which we should probably also implement separately!). Damn, that's an interesting can of worms.
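
The claim that the smart pointer is already empty by the time `~unique_ptr()` runs can be checked with a few lines of standard C++. This is only a runtime illustration of the language behaviour, not analyzer code, and the function name is made up for the example.

```cpp
#include <cassert>
#include <memory>
#include <utility>
#include <vector>

// Returns true if the source smart pointer is empty after being moved into
// the vector, i.e. its destructor will have nothing left to free.
bool sourceIsEmptyAfterPushBack() {
  std::vector<std::unique_ptr<int>> owners;
  std::unique_ptr<int> ptr(new int(13));

  owners.push_back(std::move(ptr));  // ownership moves into the vector

  // The vector element now owns the allocation.
  assert(owners.size() == 1 && *owners.front() == 13);

  // A moved-from unique_ptr holds nullptr.
  return ptr == nullptr;
}
```

The allocation is freed when `owners` is destroyed, not when `ptr` is, which is why a model that only looks at `ptr`'s destructor sees nothing to release.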

Better modelling, bug fixes

I have incorporated the bug-fixes suggested last meeting (except the pointer escape one). And it seems to have had dramatic results - now the only extra errors being reported are the pointer escape ones (5 of them, from 3 different projects). Some projects are actually reporting that bug reports have been removed due to this patch.

Error List 2.pdf (26 KB)

Harbormaster completed remote builds in B117885: Diff 364074. (Aug 4 2021, 7:19 AM)

NoQ added inline comments. (Aug 4 2021, 11:37 AM)

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
288	Something's not right. Returning `true` here would discard the state and terminate `evalCall` as failed. Why compute the invalidated state if we throw it away?

Bug fix in modelling

Never gonna give you up.

Harbormaster completed remote builds in B118171: Diff 364490. (Aug 5 2021, 9:20 AM)

Further pointer escape

RedDocMD added inline comments. (Aug 8 2021, 9:39 AM)

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
444	It seems to me that this pointer escape doesn't work. For the following code:

void foo() {
	auto ptr = std::unique_ptr<int>(new int(13));
	// Leak warning emitted here
}

the exploded graph shows the SVal for `new int(13)` as allocated instead of escaped (which eventually triggers the warning).

Harbormaster completed remote builds in B118561: Diff 365031. (Aug 8 2021, 10:25 AM)

NoQ added inline comments. (Aug 8 2021, 9:48 PM)

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp
444	It shouldn't work in this case. The variable is local. Write to a local variable doesn't constitute an escape because access to a local variable from elsewhere is impossible. I believe we should explicitly tell `MallocChecker` that memory is released, given that we know that this is exactly what happens. We could do this similarly to how `InnerPointerChecker` tells `MallocChecker` that `std::string::c_str()` is released when the string is destroyed. Another solution would be to force an escape by calling `escapeValue()` directly. That'll definitely notify all checkers that the raw pointer value should be dropped but that wouldn't allow us to ultimately find use-after-free of that value.
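
The runtime behaviour that the model needs to reflect ("memory is released" when a local smart pointer dies) can be observed with a counting deleter. This is a plain C++ sketch, not analyzer code; `CountingDeleter` and both function names are hypothetical and exist only for this illustration.

```cpp
#include <cassert>
#include <memory>

// Hypothetical deleter that counts how often it runs.
struct CountingDeleter {
  int *count;
  void operator()(int *p) const {
    ++*count;
    delete p;
  }
};

// A local unique_ptr frees its pointee exactly once at scope exit.
int deletionsAtScopeExit() {
  int deletions = 0;
  {
    std::unique_ptr<int, CountingDeleter> ptr(new int(13),
                                              CountingDeleter{&deletions});
    assert(deletions == 0);  // still alive inside the scope
  }                          // ~unique_ptr() runs here
  return deletions;
}

// After release(), the destructor has nothing left to free.
int deletionsAfterRelease() {
  int deletions = 0;
  int *raw = nullptr;
  {
    std::unique_ptr<int, CountingDeleter> ptr(new int(13),
                                              CountingDeleter{&deletions});
    raw = ptr.release();  // ownership handed back to the caller
  }
  delete raw;  // freed manually, so the counting deleter never ran
  return deletions;
}
```

`deletionsAtScopeExit()` yields 1 and `deletionsAfterRelease()` yields 0, matching the two situations a destructor model has to tell apart: a tracked raw pointer that is released by the destructor, and an empty smart pointer for which the destructor is a no-op.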

Connecting to MallocChecker

Harbormaster completed remote builds in B119660: Diff 366558. (Aug 16 2021, 1:11 AM)

The code looks great, I don't see any major problems.

We still need tests, I can't stress this enough. All the real-world corner cases you've covered here as you updated the patch deserve a test case.

Some of these changes should probably be separated into other patches, eg. invalidation and pointer escape for non-destructor operations.

Revision Contents

Path	Size
clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp	129 lines
clang/lib/StaticAnalyzer/Core/CheckerManager.cpp	5 lines
clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp	11 lines

Diff 366558

clang/lib/StaticAnalyzer/Checkers/SmartPtrModeling.cpp

// SmartPtrModeling.cpp - Model behavior of C++ smart pointers - C++ ------===//		// SmartPtrModeling.cpp - Model behavior of C++ smart pointers - C++ ------===//
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
//		//
// This file defines a checker that models various aspects of		// This file defines a checker that models various aspects of
// C++ smart pointer behavior.		// C++ smart pointer behavior.
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

		#include "AllocationState.h"
#include "Move.h"		#include "Move.h"
#include "SmartPtr.h"		#include "SmartPtr.h"

#include "clang/AST/DeclCXX.h"		#include "clang/AST/DeclCXX.h"
#include "clang/AST/DeclarationName.h"		#include "clang/AST/DeclarationName.h"
#include "clang/AST/ExprCXX.h"		#include "clang/AST/ExprCXX.h"
#include "clang/AST/Type.h"		#include "clang/AST/Type.h"
#include "clang/Basic/LLVM.h"		#include "clang/Basic/LLVM.h"
[19 lines collapsed]

class SmartPtrModeling		class SmartPtrModeling
: public Checker<eval::Call, check::DeadSymbols, check::RegionChanges,		: public Checker<eval::Call, check::DeadSymbols, check::RegionChanges,
check::LiveSymbols> {		check::LiveSymbols> {

bool isBoolConversionMethod(const CallEvent &Call) const;		bool isBoolConversionMethod(const CallEvent &Call) const;

public:		public:
		SmartPtrModeling(CheckerManager &ChkMgr) : ChkMgr(ChkMgr) {}

// Whether the checker should model for null dereferences of smart pointers.		// Whether the checker should model for null dereferences of smart pointers.
DefaultBool ModelSmartPtrDereference;		DefaultBool ModelSmartPtrDereference;
bool evalCall(const CallEvent &Call, CheckerContext &C) const;		bool evalCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreCall(const CallEvent &Call, CheckerContext &C) const;		void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;		void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
ProgramStateRef		ProgramStateRef
checkRegionChanges(ProgramStateRef State,		checkRegionChanges(ProgramStateRef State,
const InvalidatedSymbols *Invalidated,		const InvalidatedSymbols *Invalidated,
[30 lines collapsed; enclosing context: CallDescriptionMap<SmartPtrMethodHandlerFn> SmartPtrMethodHandlers{]
{{"reset"}, &SmartPtrModeling::handleReset},		{{"reset"}, &SmartPtrModeling::handleReset},
{{"release"}, &SmartPtrModeling::handleRelease},		{{"release"}, &SmartPtrModeling::handleRelease},
{{"swap", 1}, &SmartPtrModeling::handleSwapMethod},		{{"swap", 1}, &SmartPtrModeling::handleSwapMethod},
{{"get"}, &SmartPtrModeling::handleGet}};		{{"get"}, &SmartPtrModeling::handleGet}};
const CallDescription StdSwapCall{{"std", "swap"}, 2};		const CallDescription StdSwapCall{{"std", "swap"}, 2};
const CallDescription StdMakeUniqueCall{{"std", "make_unique"}};		const CallDescription StdMakeUniqueCall{{"std", "make_unique"}};
const CallDescription StdMakeUniqueForOverwriteCall{		const CallDescription StdMakeUniqueForOverwriteCall{
{"std", "make_unique_for_overwrite"}};		{"std", "make_unique_for_overwrite"}};
		CheckerManager &ChkMgr;
};		};
} // end of anonymous namespace		} // end of anonymous namespace

REGISTER_MAP_WITH_PROGRAMSTATE(TrackedRegionMap, const MemRegion *, SVal)		REGISTER_MAP_WITH_PROGRAMSTATE(TrackedRegionMap, const MemRegion *, SVal)

// Checks if RD has name in Names and is in std namespace		// Checks if RD has name in Names and is in std namespace
static bool hasStdClassWithName(const CXXRecordDecl *RD,		static bool hasStdClassWithName(const CXXRecordDecl *RD,
ArrayRef<llvm::StringLiteral> Names) {		ArrayRef<llvm::StringLiteral> Names) {
[31 lines collapsed]
}		}

bool isStdSmartPtr(const CXXRecordDecl *RD) {		bool isStdSmartPtr(const CXXRecordDecl *RD) {
if (!RD || !RD->getDeclContext()->isStdNamespace())		if (!RD || !RD->getDeclContext()->isStdNamespace())
return false;		return false;

if (RD->getDeclName().isIdentifier()) {		if (RD->getDeclName().isIdentifier()) {
StringRef Name = RD->getName();		StringRef Name = RD->getName();
return Name == "shared_ptr" || Name == "unique_ptr" || Name == "weak_ptr";		return llvm::is_contained(STD_PTR_NAMES, Name);
}		}
return false;		return false;
}		}

bool isStdSmartPtr(const Expr *E) {		bool isStdSmartPtr(const Expr *E) {
return isStdSmartPtr(E->getType()->getAsCXXRecordDecl());		return isStdSmartPtr(E->getType()->getAsCXXRecordDecl());
}		}

bool isNullSmartPtr(const ProgramStateRef State, const MemRegion *ThisRegion) {		bool isNullSmartPtr(const ProgramStateRef State, const MemRegion *ThisRegion) {
const auto *InnerPointVal = State->get<TrackedRegionMap>(ThisRegion);		const auto *InnerPointVal = State->get<TrackedRegionMap>(ThisRegion);
return InnerPointVal &&		return InnerPointVal &&
!State->assume(InnerPointVal->castAs<DefinedOrUnknownSVal>(), true);		!State->assume(InnerPointVal->castAs<DefinedOrUnknownSVal>(), true);
}		}
} // namespace smartptr		} // namespace smartptr
} // namespace ento		} // namespace ento
} // namespace clang		} // namespace clang

// If a region is removed all of the subregions need to be removed too.
static TrackedRegionMapTy
removeTrackedSubregions(TrackedRegionMapTy RegionMap,
TrackedRegionMapTy::Factory &RegionMapFactory,
const MemRegion *Region) {
if (!Region)
return RegionMap;
for (const auto &E : RegionMap) {
if (E.first->isSubRegionOf(Region))
RegionMap = RegionMapFactory.remove(RegionMap, E.first);
}
return RegionMap;
}

static ProgramStateRef updateSwappedRegion(ProgramStateRef State,		static ProgramStateRef updateSwappedRegion(ProgramStateRef State,
const MemRegion *Region,		const MemRegion *Region,
const SVal *RegionInnerPointerVal) {		const SVal *RegionInnerPointerVal) {
if (RegionInnerPointerVal) {		if (RegionInnerPointerVal) {
State = State->set<TrackedRegionMap>(Region, *RegionInnerPointerVal);		State = State->set<TrackedRegionMap>(Region, *RegionInnerPointerVal);
} else {		} else {
State = State->remove<TrackedRegionMap>(Region);		State = State->remove<TrackedRegionMap>(Region);
}		}
[88 lines collapsed]

static bool isPotentiallyComparisionOpCall(const CallEvent &Call) {		static bool isPotentiallyComparisionOpCall(const CallEvent &Call) {
if (Call.getNumArgs() != 2 || !isStdFunctionCall(Call))		if (Call.getNumArgs() != 2 || !isStdFunctionCall(Call))
return false;		return false;
return smartptr::isStdSmartPtr(Call.getArgExpr(0)) ||		return smartptr::isStdSmartPtr(Call.getArgExpr(0)) ||
smartptr::isStdSmartPtr(Call.getArgExpr(1));		smartptr::isStdSmartPtr(Call.getArgExpr(1));
}		}

		ProgramStateRef
		invalidateInnerPointer(const MemRegion *ThisRegion, ProgramStateRef State,
		const CallEvent &Call, CheckerContext &C) {
		const auto *InnerPtrVal = State->get<TrackedRegionMap>(ThisRegion);
		if (InnerPtrVal) {
		const auto *Sym = InnerPtrVal->getAsSymbol();
		if (Sym)
		State = allocation_state::markReleased(State, Sym, Call.getOriginExpr());
		State = State->invalidateRegions(*InnerPtrVal, nullptr, C.blockCount(),
		C.getLocationContext(), true);

		const QualType &Type = getInnerPointerType(Call, C);
		const auto *RD = Type->getAsCXXRecordDecl();
		if (!RD)
		return State;
		const auto *DD = RD->getDestructor();

		const auto InnerDestrCall =
		C.getStateManager().getCallEventManager().getCXXDestructorCall(
		DD, nullptr, InnerPtrVal->getAsRegion(), RD->bases().empty(), State,
		C.getLocationContext());
		State = InnerDestrCall->invalidateRegions(C.blockCount(), State);
		}
		return State;
		}

bool SmartPtrModeling::evalCall(const CallEvent &Call,		bool SmartPtrModeling::evalCall(const CallEvent &Call,
CheckerContext &C) const {		CheckerContext &C) const {

ProgramStateRef State = C.getState();		ProgramStateRef State = C.getState();

// If any one of the arg is a unique_ptr, then		// If any one of the arg is a unique_ptr, then
// we can try this function		// we can try this function
if (ModelSmartPtrDereference && isPotentiallyComparisionOpCall(Call))		if (ModelSmartPtrDereference && isPotentiallyComparisionOpCall(Call))
[48 lines collapsed; enclosing context: if (Call.isCalled(StdMakeUniqueCall) ||]
auto &Engine = State->getStateManager().getOwningEngine();		auto &Engine = State->getStateManager().getOwningEngine();
State = Engine.updateObjectsUnderConstruction(		State = Engine.updateObjectsUnderConstruction(
*ThisRegionOpt, nullptr, State, C.getLocationContext(),		*ThisRegionOpt, nullptr, State, C.getLocationContext(),
Call.getConstructionContext(), {});		Call.getConstructionContext(), {});

// We don't leave a note here since it is guaranteed the		// We don't leave a note here since it is guaranteed the
// unique_ptr from this call is non-null (hence is safe to de-reference).		// unique_ptr from this call is non-null (hence is safe to de-reference).
C.addTransition(State);		C.addTransition(State);
		// FIXME: Invalidate globals on object construction
return true;		return true;
}		}

if (!smartptr::isStdSmartPtrCall(Call))		if (!smartptr::isStdSmartPtrCall(Call))
return false;		return false;

if (isBoolConversionMethod(Call)) {		if (isBoolConversionMethod(Call)) {
const MemRegion *ThisR =		const MemRegion *ThisR =
[17 lines collapsed; enclosing context: if (ModelSmartPtrDereference) {]
C.addTransition(State->BindExpr(		C.addTransition(State->BindExpr(
Call.getOriginExpr(), C.getLocationContext(),		Call.getOriginExpr(), C.getLocationContext(),
C.getSValBuilder().makeZeroVal(Call.getResultType())));		C.getSValBuilder().makeZeroVal(Call.getResultType())));

return true;		return true;
}		}
}		}

		if (const auto *DC = dyn_cast<CXXDestructorCall>(&Call)) {
		const MemRegion *ThisRegion = DC->getCXXThisVal().getAsRegion();
		if (!ThisRegion)
		return false;
		State = invalidateInnerPointer(ThisRegion, State, Call, C);
		State = State->remove<TrackedRegionMap>(ThisRegion);
		// This tag is required to prevent later crashes due to the non-addition
		// of new States. Having a tag ensures that the call to addTransition
		// actually adds a new state.
		static SimpleProgramPointTag SPPT("SmartPtrModeling",
		"on destructor modeling");
		C.addTransition(State, &SPPT);
		return true;
		}
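
The code comment above says the tag is what makes `addTransition` produce a new node. A toy model of that idea is sketched below. It is not analyzer code: `MiniGraph` and `tagCreatesNewNode` are hypothetical names, and it assumes that nodes are uniqued on the combination of program point, tag, and state, so a transition that changes none of the three adds nothing.

```cpp
#include <set>
#include <string>
#include <tuple>

// Hypothetical stand-in for a graph whose nodes are uniqued on
// (program point id, tag, state id). Not the real ExplodedGraph.
struct MiniGraph {
  using Key = std::tuple<int, std::string, int>;
  std::set<Key> Nodes;

  // Returns true only if the transition created a node that did not exist.
  bool addTransition(int PointId, const std::string &Tag, int StateId) {
    return Nodes.emplace(PointId, Tag, StateId).second;
  }
};

// Same point and same state: the untagged transition is a no-op,
// while the tagged one yields a distinct node.
bool tagCreatesNewNode() {
  MiniGraph G;
  G.addTransition(/*PointId=*/1, /*Tag=*/"", /*StateId=*/42); // predecessor
  bool Untagged = G.addTransition(1, "", 42);
  bool Tagged = G.addTransition(1, "on destructor modeling", 42);
  return !Untagged && Tagged;
}
```

In this model the tag only matters when the state is unchanged, for example when the destroyed region was never tracked in the first place.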

if (!ModelSmartPtrDereference)		if (!ModelSmartPtrDereference)
return false;		return false;

if (const auto *CC = dyn_cast<CXXConstructorCall>(&Call)) {		if (const auto *CC = dyn_cast<CXXConstructorCall>(&Call)) {
if (CC->getDecl()->isCopyConstructor())		if (CC->getDecl()->isCopyConstructor())
return false;		return false;

const MemRegion *ThisRegion = CC->getCXXThisVal().getAsRegion();		const MemRegion *ThisRegion = CC->getCXXThisVal().getAsRegion();
[... 14 lines not shown ...]
	if (Call.getNumArgs() == 0) {
!BR.isInteresting(ThisRegion))		!BR.isInteresting(ThisRegion))
return;		return;
OS << "Default constructed smart pointer";		OS << "Default constructed smart pointer";
checkAndPrettyPrintRegion(OS, ThisRegion);		checkAndPrettyPrintRegion(OS, ThisRegion);
OS << " is null";		OS << " is null";
}));		}));
} else {		} else {
const auto *TrackingExpr = Call.getArgExpr(0);		const auto *TrackingExpr = Call.getArgExpr(0);
assert(TrackingExpr->getType()->isPointerType() &&		if (!TrackingExpr->getType()->isPointerType())
"Adding a non pointer value to TrackedRegionMap");		return false;
auto ArgVal = Call.getArgSVal(0);		auto ArgVal = Call.getArgSVal(0);
		vsavchenko: Okay, I'm either missing something or this condition is missing `!` here.
		RedDocMD (Author): And that's the ghost bug I am chasing around for the last few hours. Thanks :)
State = State->set<TrackedRegionMap>(ThisRegion, ArgVal);		State = State->set<TrackedRegionMap>(ThisRegion, ArgVal);
		// Escape the pointer passed here
		State = C.getStateManager().getOwningEngine().processPointerEscapedOnBind(
		State, {std::make_pair(CC->getCXXThisVal(), ArgVal)},
		C.getLocationContext(), PSK_DirectEscapeOnCall, &Call);
		RedDocMD (Author): It seems to me that this pointer escape doesn't work. For the following code:
		    void foo() {
		      auto ptr = std::unique_ptr<int>(new int(13)); // Leak warning emitted here
		    }
		the exploded graph shows the SVal for `new int(13)` as allocated instead of escaped (which eventually triggers the warning).
		NoQ: It shouldn't work in this case. The variable is local. A write to a local variable doesn't constitute an escape because access to a local variable from elsewhere is impossible.
		I believe we should explicitly tell `MallocChecker` that memory is released, given that we know that this is exactly what happens. We could do this similarly to how `InnerPointerChecker` tells `MallocChecker` that `std::string::c_str()` is released when the string is destroyed.
		Another solution would be to force an escape by calling `escapeValue()` directly. That'll definitely notify all checkers that the raw pointer value should be dropped but that wouldn't allow us to ultimately find use-after-free of that value.
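
To make the runtime behaviour behind this exchange concrete, here is a small self-contained sketch. It is plain C++, not analyzer code, and `Tracked`, `liveAfterScope`, and `liveAfterRelease` are made-up names. It shows that the pointee is freed when a local `std::unique_ptr` goes out of scope, so a leak warning on the pattern above would be a false positive, and that ownership only leaves the smart pointer when something like `release()` hands the raw pointer out.

```cpp
#include <memory>

// Counts live instances so we can observe when the pointee is destroyed.
struct Tracked {
  static int Live;
  Tracked() { ++Live; }
  ~Tracked() { --Live; }
};
int Tracked::Live = 0;

// The unique_ptr destructor deletes the pointee at the end of the scope.
int liveAfterScope() {
  {
    auto Ptr = std::unique_ptr<Tracked>(new Tracked());
  }
  return Tracked::Live;
}

// After release() the smart pointer no longer owns the object, so its
// destructor frees nothing; the caller must delete the raw pointer.
int liveAfterRelease() {
  Tracked *Raw = nullptr;
  {
    auto Ptr = std::unique_ptr<Tracked>(new Tracked());
    Raw = Ptr.release();
  }
  int LiveBeforeDelete = Tracked::Live;
  delete Raw;
  return LiveBeforeDelete;
}
```

The first function corresponds to the case discussed here, where modeling the destructor as a release would silence the warning. The second is the kind of case where the raw pointer genuinely outlives the smart pointer.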

C.addTransition(State, C.getNoteTag([ThisRegion, TrackingExpr,		C.addTransition(State, C.getNoteTag([ThisRegion, TrackingExpr,
ArgVal](PathSensitiveBugReport &BR,		ArgVal](PathSensitiveBugReport &BR,
llvm::raw_ostream &OS) {		llvm::raw_ostream &OS) {
if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||		if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
!BR.isInteresting(ThisRegion))		!BR.isInteresting(ThisRegion))
return;		return;
bugreporter::trackExpressionValue(BR.getErrorNode(), TrackingExpr, BR);		bugreporter::trackExpressionValue(BR.getErrorNode(), TrackingExpr, BR);
[... 139 lines not shown ...]
void SmartPtrModeling::printState(raw_ostream &Out, ProgramStateRef State,		void SmartPtrModeling::printState(raw_ostream &Out, ProgramStateRef State,
const char NL, const char Sep) const {		const char NL, const char Sep) const {
TrackedRegionMapTy RS = State->get<TrackedRegionMap>();		TrackedRegionMapTy RS = State->get<TrackedRegionMap>();

if (!RS.isEmpty()) {		if (!RS.isEmpty()) {
Out << Sep << "Smart ptr regions :" << NL;		Out << Sep << "Smart ptr regions :" << NL;
for (auto I : RS) {		for (auto I : RS) {
I.first->dumpToStream(Out);		I.first->dumpToStream(Out);
if (smartptr::isNullSmartPtr(State, I.first))		Out << ": ";
Out << ": Null";		I.second.dumpToStream(Out);
else
Out << ": Non Null";
Out << NL;		Out << NL;
}		}
}		}
}		}

ProgramStateRef SmartPtrModeling::checkRegionChanges(		ProgramStateRef SmartPtrModeling::checkRegionChanges(
ProgramStateRef State, const InvalidatedSymbols *Invalidated,		ProgramStateRef State, const InvalidatedSymbols *Invalidated,
ArrayRef<const MemRegion *> ExplicitRegions,		ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, const LocationContext *LCtx,		ArrayRef<const MemRegion *> Regions, const LocationContext *LCtx,
const CallEvent *Call) const {		const CallEvent *Call) const {
TrackedRegionMapTy RegionMap = State->get<TrackedRegionMap>();
TrackedRegionMapTy::Factory &RegionMapFactory =		class CollectReachableSymbolsCallback final : public SymbolVisitor {
State->get_context<TrackedRegionMap>();		InvalidatedSymbols &Symbols;
for (const auto *Region : Regions)
RegionMap = removeTrackedSubregions(RegionMap, RegionMapFactory,		public:
Region->getBaseRegion());		explicit CollectReachableSymbolsCallback(InvalidatedSymbols &Symbols)
		: Symbols(Symbols){}
		Lint: Pre-merge checks: clang-format: please reformat the code
		- : Symbols(Symbols){}
		+ : Symbols(Symbols) {}

		const InvalidatedSymbols &getSymbols() const { return Symbols; }

		bool VisitSymbol(SymbolRef Sym) override {
		Symbols.insert(Sym);
		return true;
		}
		};

		InvalidatedSymbols Symbols;
		CollectReachableSymbolsCallback CallBack(Symbols);
		auto RegionMap = State->get<TrackedRegionMap>();
		auto &RegionMapFactory = State->get_context<TrackedRegionMap>();

		for (const auto *Region : Regions) {
		for (const auto &E : RegionMap) {
		if (E.first->isSubRegionOf(Region)) {
		State->scanReachableSymbols(E.second, CallBack);
		RegionMap = RegionMapFactory.remove(RegionMap, E.first);
		State->scanReachableSymbols(loc::MemRegionVal(E.first), CallBack);
		}
		}
		}

		const auto &EscapeeSymbols = CallBack.getSymbols();
		if (!EscapeeSymbols.empty()) {
		PointerEscapeKind Kind = Call ? PSK_IndirectEscapeOnCall : PSK_EscapeOther;
		State = ChkMgr.runCheckersForPointerEscape(State, EscapeeSymbols, Call,
		Kind, nullptr);
		}
return State->set<TrackedRegionMap>(RegionMap);		return State->set<TrackedRegionMap>(RegionMap);
}		}

void SmartPtrModeling::checkLiveSymbols(ProgramStateRef State,		void SmartPtrModeling::checkLiveSymbols(ProgramStateRef State,
SymbolReaper &SR) const {		SymbolReaper &SR) const {
// Marking tracked symbols alive		// Marking tracked symbols alive
TrackedRegionMapTy TrackedRegions = State->get<TrackedRegionMap>();		TrackedRegionMapTy TrackedRegions = State->get<TrackedRegionMap>();
for (auto I = TrackedRegions.begin(), E = TrackedRegions.end(); I != E; ++I) {		for (auto I = TrackedRegions.begin(), E = TrackedRegions.end(); I != E; ++I) {
[... 12 lines not shown ...]
	if (!IC)
return;		return;

const MemRegion *ThisRegion = IC->getCXXThisVal().getAsRegion();		const MemRegion *ThisRegion = IC->getCXXThisVal().getAsRegion();
if (!ThisRegion)		if (!ThisRegion)
return;		return;

assert(Call.getArgExpr(0)->getType()->isPointerType() &&		assert(Call.getArgExpr(0)->getType()->isPointerType() &&
"Adding a non pointer value to TrackedRegionMap");		"Adding a non pointer value to TrackedRegionMap");
State = State->set<TrackedRegionMap>(ThisRegion, Call.getArgSVal(0));		State = invalidateInnerPointer(ThisRegion, State, Call, C);
		const auto ArgVal = Call.getArgSVal(0);
		State = State->set<TrackedRegionMap>(ThisRegion, ArgVal);
		// Escape the pointer passed here
		State = C.getStateManager().getOwningEngine().processPointerEscapedOnBind(
		State, {std::make_pair(IC->getCXXThisVal(), ArgVal)},
		C.getLocationContext(), PSK_DirectEscapeOnCall, &Call);
const auto *TrackingExpr = Call.getArgExpr(0);		const auto *TrackingExpr = Call.getArgExpr(0);
C.addTransition(		C.addTransition(
State, C.getNoteTag([ThisRegion, TrackingExpr](PathSensitiveBugReport &BR,		State, C.getNoteTag([ThisRegion, TrackingExpr](PathSensitiveBugReport &BR,
llvm::raw_ostream &OS) {		llvm::raw_ostream &OS) {
if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||		if (&BR.getBugType() != smartptr::getNullDereferenceBugType() ||
!BR.isInteresting(ThisRegion))		!BR.isInteresting(ThisRegion))
return;		return;
bugreporter::trackExpressionValue(BR.getErrorNode(), TrackingExpr, BR);		bugreporter::trackExpressionValue(BR.getErrorNode(), TrackingExpr, BR);
[... 277 lines not shown ...]
	C.addTransition(
OS << " is non-null";		OS << " is non-null";
},		},
/*IsPrunable=*/true));		/*IsPrunable=*/true));
return;		return;
}		}
}		}

void ento::registerSmartPtrModeling(CheckerManager &Mgr) {		void ento::registerSmartPtrModeling(CheckerManager &Mgr) {
auto *Checker = Mgr.registerChecker<SmartPtrModeling>();		auto *Checker = Mgr.registerChecker<SmartPtrModeling>(Mgr);
Checker->ModelSmartPtrDereference =		Checker->ModelSmartPtrDereference =
Mgr.getAnalyzerOptions().getCheckerBooleanOption(		Mgr.getAnalyzerOptions().getCheckerBooleanOption(
Checker, "ModelSmartPtrDereference");		Checker, "ModelSmartPtrDereference");
}		}

bool ento::shouldRegisterSmartPtrModeling(const CheckerManager &mgr) {		bool ento::shouldRegisterSmartPtrModeling(const CheckerManager &mgr) {
const LangOptions &LO = mgr.getLangOpts();		const LangOptions &LO = mgr.getLangOpts();
return LO.CPlusPlus;		return LO.CPlusPlus;
}		}

clang/lib/StaticAnalyzer/Core/CheckerManager.cpp

[... 658 lines not shown ...]
	for (auto *const Pred : Src) {

ExplodedNodeSet checkDst;		ExplodedNodeSet checkDst;
NodeBuilder B(Pred, checkDst, Eng.getBuilderContext());		NodeBuilder B(Pred, checkDst, Eng.getBuilderContext());

// Check if any of the EvalCall callbacks can evaluate the call.		// Check if any of the EvalCall callbacks can evaluate the call.
for (const auto &EvalCallChecker : EvalCallCheckers) {		for (const auto &EvalCallChecker : EvalCallCheckers) {
// TODO: Support the situation when the call doesn't correspond		// TODO: Support the situation when the call doesn't correspond
// to any Expr.		// to any Expr.
ProgramPoint L = ProgramPoint::getProgramPoint(
Call.getOriginExpr(), ProgramPoint::PostStmtKind,
Pred->getLocationContext(), EvalCallChecker.Checker);
bool evaluated = false;		bool evaluated = false;
{ // CheckerContext generates transitions(populates checkDest) on		{ // CheckerContext generates transitions(populates checkDest) on
// destruction, so introduce the scope to make sure it gets properly		// destruction, so introduce the scope to make sure it gets properly
// populated.		// populated.
CheckerContext C(B, Eng, Pred, L);		CheckerContext C(B, Eng, Pred, Call.getProgramPoint());
evaluated = EvalCallChecker(Call, C);		evaluated = EvalCallChecker(Call, C);
}		}
assert(!(evaluated && anyEvaluated)		assert(!(evaluated && anyEvaluated)
&& "There are more than one checkers evaluating the call");		&& "There are more than one checkers evaluating the call");
if (evaluated) {		if (evaluated) {
anyEvaluated = true;		anyEvaluated = true;
Dst.insert(checkDst);		Dst.insert(checkDst);
#ifdef NDEBUG		#ifdef NDEBUG
[... 223 lines not shown ...]

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

[... 747 lines not shown ...]
	PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
Call->getSourceRange().getBegin(),		Call->getSourceRange().getBegin(),
"Error evaluating destructor");		"Error evaluating destructor");

ExplodedNodeSet DstPreCall;		ExplodedNodeSet DstPreCall;
getCheckerManager().runCheckersForPreCall(DstPreCall, Pred,		getCheckerManager().runCheckersForPreCall(DstPreCall, Pred,
Call, this);		Call, this);

ExplodedNodeSet DstInvalidated;		ExplodedNodeSet DstInvalidated;
StmtNodeBuilder Bldr(DstPreCall, DstInvalidated, *currBldrCtx);		// StmtNodeBuilder Bldr(DstPreCall, DstInvalidated, *currBldrCtx);
for (ExplodedNodeSet::iterator I = DstPreCall.begin(), E = DstPreCall.end();		// for (ExplodedNodeSet::iterator I = DstPreCall.begin(), E =
I != E; ++I)		// DstPreCall.end();
defaultEvalCall(Bldr, I, Call, CallOpts);		// I != E; ++I)
		// defaultEvalCall(Bldr, I, Call, CallOpts);
		getCheckerManager().runCheckersForEvalCall(DstInvalidated, DstPreCall, *Call,
		*this, CallOpts);

getCheckerManager().runCheckersForPostCall(Dst, DstInvalidated,		getCheckerManager().runCheckersForPostCall(Dst, DstInvalidated,
Call, this);		Call, this);
}		}

void ExprEngine::VisitCXXNewAllocatorCall(const CXXNewExpr *CNE,		void ExprEngine::VisitCXXNewAllocatorCall(const CXXNewExpr *CNE,
ExplodedNode *Pred,		ExplodedNode *Pred,
ExplodedNodeSet &Dst) {		ExplodedNodeSet &Dst) {
[... 272 lines not shown ...]