This is an archive of the discontinued LLVM Phabricator instance.

Differential D108753

[analyzer] MallocChecker: Add notes from NoOwnershipChangeVisitor only when a function "intents", but doesn't change ownership, enable by default
ClosedPublic

Authored by Szelethus on Aug 26 2021, 2:47 AM.

Details

Reviewers
NoQ
martong
steakhal
balazske
ASDenysPetrov
vsavchenko
Commits
rG9d359f6c7386: [analyzer] MallocChecker: Add notes from NoOwnershipChangeVisitor only when a…
Summary

D105819 Added NoOwnershipChangeVisitor, but it is only registered when an off-by-default, hidden checker option was enabled. The reason behind this was that it grossly overestimated the set of functions that really needed a note:

std::string getTrainName(const Train *T) {
  return T->name;
} // note: Retuning without changing the ownership of or deallocating memory
// Umm... I mean duh? Nor would I expect this function to do anything like that...

void foo() {
  Train *T = new Train("Land Plane");
  print(getTrainName(T)); // note: calling getTrainName / returning from getTrainName
} // warn: Memory leak

This patch adds a heuristic that guesses that any function that has an explicit operator delete call could have be responsible for deallocating the memory that ended up leaking. This is waaaay too conservative (see the TODOs in the new function), but it safer to err on the side of too little than too much, and would allow us to enable the option by default *now*, and add refinements one-by-one.

Diff Detail

Event Timeline

Szelethus created this revision.Aug 26 2021, 2:47 AM
Herald added subscribers: manas, gamesh411, dkrupp and 9 others. · View Herald TranscriptAug 26 2021, 2:47 AM
Szelethus requested review of this revision.Aug 26 2021, 2:47 AM
Herald added a subscriber: cfe-commits. · View Herald TranscriptAug 26 2021, 2:47 AM
Szelethus added a parent revision: D108695: [analyzer][NFCI] Allow clients of NoStateChangeFuncVisitor to check entire function calls, rather than each ExplodedNode in it.Aug 26 2021, 2:47 AM
Harbormaster completed remote builds in B121316: Diff 368836.Aug 26 2021, 2:47 AM
martong added inline comments.Aug 27 2021, 7:10 AM
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
802

Sounds like a good idea to reuse isFreeingCall.

But interestingly delete is not listed there! Nor new in AllocatingMemFnMap. So, perhaps we need yet another abstraction. Maybe a function that iterates over FreeingMemFnMap collects the functions and then adds delete as well?

806

Good point!

clang/test/Analysis/NewDeleteLeaks.cpp
23

intent

BTW, why is this TODO here? It is obvious that sink does not have a delete, so we don't expect any warning. Or am I missing something?

Szelethus added inline comments.Sep 2 2021, 6:47 AM
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
282–289

These serve to identify new/delete operators. I've done a lot of work to make this better, but I don't remember why isFreeingCall doesn't call these.

clang/test/Analysis/NewDeleteLeaks.cpp
23

Well, its debatable, I suppose, but in this case, sink is noteworthy, as no other function had the ability to take care of this memory.

https://lists.llvm.org/pipermail/cfe-dev/2021-June/068469.html

Kristof's case is interesting in a different manner. If taken literally, it doesn't satisfy our criteria of "there exists another execution path on which it did actually do ${Something}". We probably shouldn't emit a note every time the function simply accepts the value of interest by pointer, because this doesn't necessarily prove the intent to delete the pointer; there are a million other reasons to accept a pointer. However, Kristof's case does still deserve a note because sink() is the *only* function that had a chance to delete the pointer.

Szelethus updated this revision to Diff 370553.Sep 3 2021, 5:22 AM

indent->intent

Harbormaster completed remote builds in B122496: Diff 370553.Sep 3 2021, 6:04 AM
martong accepted this revision.Sep 3 2021, 7:38 AM

Okay, LGTM! Thanks!

This revision is now accepted and ready to land.Sep 3 2021, 7:38 AM
NoQ accepted this revision.Sep 7 2021, 9:50 PM

This looks good!

I guess one way to make this even more conservative would be to match the variable inside the delete-expression to the one we expect to get deallocated.

Szelethus added a comment.Sep 8 2021, 3:40 PM
In D108753#2988632, @NoQ wrote:

This looks good!

I guess one way to make this even more conservative would be to match the variable inside the delete-expression to the one we expect to get deallocated.

Yeah, I thought about that, but one counter argument to that is that once an intent to do some deallocation is already there, its possible that the wrong variable was deleted, or the deallocation wasn't thorough enough.

Thanks for the reviews!

This revision was landed with ongoing or failed builds.Sep 13 2021, 6:02 AM
Closed by commit rG9d359f6c7386: [analyzer] MallocChecker: Add notes from NoOwnershipChangeVisitor only when a… (authored by Szelethus). · Explain Why
This revision was automatically updated to reflect the committed changes.
Szelethus added a commit: rG9d359f6c7386: [analyzer] MallocChecker: Add notes from NoOwnershipChangeVisitor only when a….
Szelethus mentioned this in D118880: [analyzer] Improve NoOwnershipChangeVisitor's understanding of deallocators.Feb 3 2022, 1:34 AM
Szelethus mentioned this in rGd832078904c6: [analyzer] Improve NoOwnershipChangeVisitor's understanding of deallocators.Mar 3 2022, 2:28 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
4 lines
lib/
StaticAnalyzer/
Checkers/
21 lines
test/
Analysis/
14 lines
2 lines

Diff 372226

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 487 Lines▼ Show 20 Lines CmdLineOption<Boolean,
InAlpha>, InAlpha>,
CmdLineOption<Boolean, CmdLineOption<Boolean,
"AddNoOwnershipChangeNotes", "AddNoOwnershipChangeNotes",
"Add an additional note to the bug report for leak-like " "Add an additional note to the bug report for leak-like "
"bugs. Dynamically allocated objects passed to functions " "bugs. Dynamically allocated objects passed to functions "
"that neither deallocated it, or have taken responsibility " "that neither deallocated it, or have taken responsibility "
"of the ownership are noted, similarly to " "of the ownership are noted, similarly to "
"NoStoreFuncVisitor.", "NoStoreFuncVisitor.",
"false", "true",
InAlpha, Released,
Hide> Hide>
]>, ]>,
Dependencies<[CStringModeling]>, Dependencies<[CStringModeling]>,
Documentation<NotDocumented>, Documentation<NotDocumented>,
Hidden; Hidden;
def MallocChecker: Checker<"Malloc">, def MallocChecker: Checker<"Malloc">,
HelpText<"Check for memory leaks, double free, and use-after-free problems. " HelpText<"Check for memory leaks, double free, and use-after-free problems. "
▲ Show 20 LinesShow All 1,180 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 46 Lines▼ Show 20 Lines
#include "AllocationState.h" #include "AllocationState.h"
#include "InterCheckerAPI.h" #include "InterCheckerAPI.h"
#include "clang/AST/Attr.h" #include "clang/AST/Attr.h"
#include "clang/AST/DeclCXX.h" #include "clang/AST/DeclCXX.h"
#include "clang/AST/DeclTemplate.h" #include "clang/AST/DeclTemplate.h"
#include "clang/AST/Expr.h" #include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h" #include "clang/AST/ExprCXX.h"
#include "clang/AST/ParentMap.h" #include "clang/AST/ParentMap.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/ASTMatchers/ASTMatchers.h"
#include "clang/Analysis/ProgramPoint.h" #include "clang/Analysis/ProgramPoint.h"
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/Basic/SourceManager.h" #include "clang/Basic/SourceManager.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
▲ Show 20 LinesShow All 209 Lines▼ Show 20 Lines return ReallocatedSym == X.ReallocatedSym &&
Kind == X.Kind; Kind == X.Kind;
} }
}; };
} // end of anonymous namespace } // end of anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
/// Tells if the callee is one of the builtin new/delete operators, including /// Tells if the callee is one of the builtin new/delete operators, including
/// placement operators and other standard overloads. /// placement operators and other standard overloads.
static bool isStandardNewDelete(const FunctionDecl *FD); static bool isStandardNewDelete(const FunctionDecl *FD);
static bool isStandardNewDelete(const CallEvent &Call) { static bool isStandardNewDelete(const CallEvent &Call) {
if (!Call.getDecl() || !isa<FunctionDecl>(Call.getDecl())) if (!Call.getDecl() || !isa<FunctionDecl>(Call.getDecl()))
return false; return false;
return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl())); return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl()));
} }
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

These serve to identify new/delete operators. I've done a lot of work to make this better, but I don't remember why isFreeingCall doesn't call these.

Szelethus: These serve to identify new/delete operators. I've done a lot of work to make this better, but…
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Definition of the MallocChecker class. // Definition of the MallocChecker class.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class MallocChecker class MallocChecker
▲ Show 20 LinesShow All 490 Lines▼ Show 20 Linesprotected:
getFunctionName(const ExplodedNode *CallEnterN) { getFunctionName(const ExplodedNode *CallEnterN) {
if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>( if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>(
CallEnterN->getLocationAs<CallEnter>()->getCallExpr())) CallEnterN->getLocationAs<CallEnter>()->getCallExpr()))
if (const FunctionDecl *FD = CE->getDirectCallee()) if (const FunctionDecl *FD = CE->getDirectCallee())
return FD->getQualifiedNameAsString(); return FD->getQualifiedNameAsString();
return ""; return "";
} }
bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) {
using namespace clang::ast_matchers;
const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee);
if (!FD)
return false;
// TODO: Operator delete is hardly the only deallocator -- Can we reuse
// isFreeingCall() or something thats already here?
martongUnsubmitted
Not Done
ReplyInline Actions

Sounds like a good idea to reuse isFreeingCall.

But interestingly delete is not listed there! Nor new in AllocatingMemFnMap. So, perhaps we need yet another abstraction. Maybe a function that iterates over FreeingMemFnMap collects the functions and then adds delete as well?

martong: Sounds like a good idea to reuse `isFreeingCall`. But interestingly `delete` is not listed…
auto Deallocations = match(
stmt(hasDescendant(cxxDeleteExpr().bind("delete"))
), *FD->getBody(), ACtx);
// TODO: Ownership my change with an attempt to store the allocated memory.
martongUnsubmitted
Not Done
ReplyInline Actions

Good point!

martong: Good point!
return !Deallocations.empty();
}
virtual bool virtual bool
wasModifiedInFunction(const ExplodedNode *CallEnterN, wasModifiedInFunction(const ExplodedNode *CallEnterN,
const ExplodedNode *CallExitEndN) override { const ExplodedNode *CallExitEndN) override {
if (!doesFnIntendToHandleOwnership(
CallExitEndN->getFirstPred()->getLocationContext()->getDecl(),
CallExitEndN->getState()->getAnalysisManager().getASTContext()))
return true;
if (CallEnterN->getState()->get<RegionState>(Sym) != if (CallEnterN->getState()->get<RegionState>(Sym) !=
CallExitEndN->getState()->get<RegionState>(Sym)) CallExitEndN->getState()->get<RegionState>(Sym))
return true; return true;
OwnerSet CurrOwners = getOwnersAtNode(CallEnterN); OwnerSet CurrOwners = getOwnersAtNode(CallEnterN);
OwnerSet ExitOwners = getOwnersAtNode(CallExitEndN); OwnerSet ExitOwners = getOwnersAtNode(CallExitEndN);
// Owners in the current set may be purged from the analyzer later on. // Owners in the current set may be purged from the analyzer later on.
▲ Show 20 LinesShow All 2,765 LinesShow Last 20 Lines

clang/test/Analysis/NewDeleteLeaks.cpp

Show All 14 Lines
#include "Inputs/system-header-simulator-for-malloc.h" #include "Inputs/system-header-simulator-for-malloc.h"
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Report for which we expect NoOwnershipChangeVisitor to add a new note. // Report for which we expect NoOwnershipChangeVisitor to add a new note.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
bool coin(); bool coin();
// TODO: AST analysis of sink would reveal that it doesn't intent to free the
martongUnsubmitted
Not Done
ReplyInline Actions

intent

BTW, why is this TODO here? It is obvious that sink does not have a delete, so we don't expect any warning. Or am I missing something?

martong: intent BTW, why is this TODO here? It is obvious that `sink` does not have a `delete`, so we…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

Well, its debatable, I suppose, but in this case, sink is noteworthy, as no other function had the ability to take care of this memory.

https://lists.llvm.org/pipermail/cfe-dev/2021-June/068469.html

Kristof's case is interesting in a different manner. If taken literally, it doesn't satisfy our criteria of "there exists another execution path on which it did actually do ${Something}". We probably shouldn't emit a note every time the function simply accepts the value of interest by pointer, because this doesn't necessarily prove the intent to delete the pointer; there are a million other reasons to accept a pointer. However, Kristof's case does still deserve a note because sink() is the *only* function that had a chance to delete the pointer.

Szelethus: Well, its debatable, I suppose, but in this case, `sink` is noteworthy, as no other function…
// allocated memory, but in this instance, its also the only function with
// the ability to do so, we should see a note here.
namespace memory_allocated_in_fn_call { namespace memory_allocated_in_fn_call {
void sink(int *P) { void sink(int *P) {
} // ownership-note {{Returning without deallocating memory or storing the pointer for later deallocation}} }
void foo() { void foo() {
sink(new int(5)); // expected-note {{Memory is allocated}} sink(new int(5)); // expected-note {{Memory is allocated}}
// ownership-note@-1 {{Calling 'sink'}}
// ownership-note@-2 {{Returning from 'sink'}}
} // expected-warning {{Potential memory leak [cplusplus.NewDeleteLeaks]}} } // expected-warning {{Potential memory leak [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential memory leak}} // expected-note@-1 {{Potential memory leak}}
} // namespace memory_allocated_in_fn_call } // namespace memory_allocated_in_fn_call
namespace memory_passed_to_fn_call { namespace memory_passed_to_fn_call {
void sink(int *P) { void sink(int *P) {
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Linesvoid foo() {
int *ptr = new int(5); // expected-note {{Memory is allocated}} int *ptr = new int(5); // expected-note {{Memory is allocated}}
int *q = nullptr; int *q = nullptr;
sink(ptr, &q); sink(ptr, &q);
} // expected-warning {{Potential leak of memory pointed to by 'q' [cplusplus.NewDeleteLeaks]}} } // expected-warning {{Potential leak of memory pointed to by 'q' [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential leak}} // expected-note@-1 {{Potential leak}}
} // namespace memory_shared_with_ptr_of_same_lifetime } // namespace memory_shared_with_ptr_of_same_lifetime
// TODO: We don't want a note here. sink() doesn't seem like a function that
// even attempts to take care of any memory ownership problems.
namespace memory_passed_into_fn_that_doesnt_intend_to_free { namespace memory_passed_into_fn_that_doesnt_intend_to_free {
void sink(int *P) { void sink(int *P) {
} // ownership-note {{Returning without deallocating memory or storing the pointer for later deallocation}} }
void foo() { void foo() {
int *ptr = new int(5); // expected-note {{Memory is allocated}} int *ptr = new int(5); // expected-note {{Memory is allocated}}
sink(ptr); // ownership-note {{Calling 'sink'}} sink(ptr);
// ownership-note@-1 {{Returning from 'sink'}}
} // expected-warning {{Potential leak of memory pointed to by 'ptr' [cplusplus.NewDeleteLeaks]}} } // expected-warning {{Potential leak of memory pointed to by 'ptr' [cplusplus.NewDeleteLeaks]}}
// expected-note@-1 {{Potential leak}} // expected-note@-1 {{Potential leak}}
} // namespace memory_passed_into_fn_that_doesnt_intend_to_free } // namespace memory_passed_into_fn_that_doesnt_intend_to_free
namespace refkind_from_unoallocated_to_allocated { namespace refkind_from_unoallocated_to_allocated {
// RefKind of the symbol changed from nothing to Allocated. We don't want to // RefKind of the symbol changed from nothing to Allocated. We don't want to
Show All 12 Lines

clang/test/Analysis/analyzer-config.c

Show First 20 LinesShow All 111 Lines▼ Show 20 Lines
// CHECK-NEXT: serialize-stats = false // CHECK-NEXT: serialize-stats = false
// CHECK-NEXT: silence-checkers = "" // CHECK-NEXT: silence-checkers = ""
// CHECK-NEXT: stable-report-filename = false // CHECK-NEXT: stable-report-filename = false
// CHECK-NEXT: suppress-c++-stdlib = true // CHECK-NEXT: suppress-c++-stdlib = true
// CHECK-NEXT: suppress-inlined-defensive-checks = true // CHECK-NEXT: suppress-inlined-defensive-checks = true
// CHECK-NEXT: suppress-null-return-paths = true // CHECK-NEXT: suppress-null-return-paths = true
// CHECK-NEXT: track-conditions = true // CHECK-NEXT: track-conditions = true
// CHECK-NEXT: track-conditions-debug = false // CHECK-NEXT: track-conditions-debug = false
// CHECK-NEXT: unix.DynamicMemoryModeling:AddNoOwnershipChangeNotes = false // CHECK-NEXT: unix.DynamicMemoryModeling:AddNoOwnershipChangeNotes = true
// CHECK-NEXT: unix.DynamicMemoryModeling:Optimistic = false // CHECK-NEXT: unix.DynamicMemoryModeling:Optimistic = false
// CHECK-NEXT: unroll-loops = false // CHECK-NEXT: unroll-loops = false
// CHECK-NEXT: verbose-report-filename = false // CHECK-NEXT: verbose-report-filename = false
// CHECK-NEXT: widen-loops = false // CHECK-NEXT: widen-loops = false