This is an archive of the discontinued LLVM Phabricator instance.

Differential D111655

[analyzer] non-obvious analyzer warning: Use of zero-allocated memory
ClosedPublic

Authored by chrisdangelo on Oct 12 2021, 9:16 AM.

Details

Reviewers
NoQ
Commits
rGf3ec9d8501c9: [analyzer] Fix non-obvious analyzer warning: Use of zero-allocated memory.
Summary

This change clarifies the message provided when the analyzer catches the use of memory that is allocated with size zero.

Diff Detail

Event Timeline

chrisdangelo created this revision.Oct 12 2021, 9:16 AM
Herald added subscribers: manas, steakhal, ASDenysPetrov and 9 others. · View Herald TranscriptOct 12 2021, 9:16 AM
chrisdangelo requested review of this revision.Oct 12 2021, 9:16 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 12 2021, 9:16 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
NoQ accepted this revision.Oct 12 2021, 10:08 AM

LGTM! Can confirm, people were confused.

I'll commit.

This revision is now accepted and ready to land.Oct 12 2021, 10:08 AM
Quuxplusone added a subscriber: Quuxplusone.Oct 12 2021, 10:11 AM
Quuxplusone added inline comments.
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
2474–2476

Peanut gallery says:
(1) Might want to fix the typo in "Zerro" at the same time, or in a followup commit.
(2) I would naively have expected all the test cases below to give something simple like "Read/write beyond end of allocated space," because they allocate N bytes and then try to read/write into byte number N. This is never allowed in C or C++, regardless of the value of N; there's nothing special about N=0. So I don't see why it needs any special diagnostic (confusing or otherwise).

Harbormaster completed remote builds in B128394: Diff 379069.Oct 12 2021, 10:15 AM
Closed by commit rGf3ec9d8501c9: [analyzer] Fix non-obvious analyzer warning: Use of zero-allocated memory. (authored by dergachev.a). · Explain WhyOct 12 2021, 10:41 AM
This revision was automatically updated to reflect the committed changes.
dergachev.a added a commit: rGf3ec9d8501c9: [analyzer] Fix non-obvious analyzer warning: Use of zero-allocated memory..
NoQ added a comment.Oct 12 2021, 11:29 AM

Yuck I forgot to forge commit author. Sorry!!

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
2474–2476

The only thing special about N=0 is that the static analyzer is currently better at catching it. It's much easier to catch correctly and avoid false positives when *any* use is disallowed than when some uses are allowed but some aren't.

Speaking of typos, it probably also makes sense to fix the bug type message ("Use of zero allocated") to include a subject.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
3 lines
test/
Analysis/
6 lines
24 lines

Diff 379107

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 2,465 Lines▼ Show 20 Linesvoid MallocChecker::HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_UseZerroAllocated[*CheckKind]) if (!BT_UseZerroAllocated[*CheckKind])
BT_UseZerroAllocated[*CheckKind].reset( BT_UseZerroAllocated[*CheckKind].reset(
new BugType(CheckNames[*CheckKind], "Use of zero allocated", new BugType(CheckNames[*CheckKind], "Use of zero allocated",
categories::MemoryError)); categories::MemoryError));
auto R = std::make_unique<PathSensitiveBugReport>( auto R = std::make_unique<PathSensitiveBugReport>(
*BT_UseZerroAllocated[*CheckKind], "Use of zero-allocated memory", N); *BT_UseZerroAllocated[*CheckKind],
"Use of memory allocated with size zero", N);
QuuxplusoneUnsubmitted
Not Done
ReplyInline Actions

Peanut gallery says:
(1) Might want to fix the typo in "Zerro" at the same time, or in a followup commit.
(2) I would naively have expected all the test cases below to give something simple like "Read/write beyond end of allocated space," because they allocate N bytes and then try to read/write into byte number N. This is never allowed in C or C++, regardless of the value of N; there's nothing special about N=0. So I don't see why it needs any special diagnostic (confusing or otherwise).

Quuxplusone: Peanut gallery says: (1) Might want to fix the typo in "Zerro" at the same time, or in a…
NoQUnsubmitted
Not Done
ReplyInline Actions

The only thing special about N=0 is that the static analyzer is currently better at catching it. It's much easier to catch correctly and avoid false positives when *any* use is disallowed than when some uses are allowed but some aren't.

Speaking of typos, it probably also makes sense to fix the bug type message ("Use of zero allocated") to include a subject.

NoQ: The only thing special about N=0 is that the static analyzer is currently better at catching it.
R->addRange(Range); R->addRange(Range);
if (Sym) { if (Sym) {
R->markInteresting(Sym); R->markInteresting(Sym);
R->addVisitor<MallocBugVisitor>(Sym); R->addVisitor<MallocBugVisitor>(Sym);
} }
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
▲ Show 20 LinesShow All 1,107 LinesShow Last 20 Lines

clang/test/Analysis/NewDelete-checker-test.cpp

Show First 20 LinesShow All 99 Lines▼ Show 20 Lines
} }
//----------------------------------------- //-----------------------------------------
// check for usage of zero-allocated memory // check for usage of zero-allocated memory
//----------------------------------------- //-----------------------------------------
void testUseZeroAlloc1() { void testUseZeroAlloc1() {
int *p = (int *)operator new(0); int *p = (int *)operator new(0);
*p = 1; // newdelete-warning {{Use of zero-allocated memory}} *p = 1; // newdelete-warning {{Use of memory allocated with size zero}}
delete p; delete p;
} }
int testUseZeroAlloc2() { int testUseZeroAlloc2() {
int *p = (int *)operator new[](0); int *p = (int *)operator new[](0);
return p[0]; // newdelete-warning {{Use of zero-allocated memory}} return p[0]; // newdelete-warning {{Use of memory allocated with size zero}}
delete[] p; delete[] p;
} }
void f(int); void f(int);
void testUseZeroAlloc3() { void testUseZeroAlloc3() {
int *p = new int[0]; int *p = new int[0];
f(*p); // newdelete-warning {{Use of zero-allocated memory}} f(*p); // newdelete-warning {{Use of memory allocated with size zero}}
delete[] p; delete[] p;
} }
//--------------- //---------------
// other checks // other checks
//--------------- //---------------
class SomeClass { class SomeClass {
▲ Show 20 LinesShow All 326 LinesShow Last 20 Lines

clang/test/Analysis/malloc.c

Show First 20 LinesShow All 255 Lines▼ Show 20 Lines
void CheckUseZeroAllocatedNoWarn4() { void CheckUseZeroAllocatedNoWarn4() {
int *p = realloc(0, 8); int *p = realloc(0, 8);
*p = 1; // no warning *p = 1; // no warning
free(p); free(p);
} }
void CheckUseZeroAllocated1() { void CheckUseZeroAllocated1() {
int *p = malloc(0); int *p = malloc(0);
*p = 1; // expected-warning {{Use of zero-allocated memory}} *p = 1; // expected-warning {{Use of memory allocated with size zero}}
free(p); free(p);
} }
char CheckUseZeroAllocated2() { char CheckUseZeroAllocated2() {
char *p = alloca(0); char *p = alloca(0);
return *p; // expected-warning {{Use of zero-allocated memory}} return *p; // expected-warning {{Use of memory allocated with size zero}}
} }
char CheckUseZeroWinAllocated2() { char CheckUseZeroWinAllocated2() {
char *p = _alloca(0); char *p = _alloca(0);
return *p; // expected-warning {{Use of zero-allocated memory}} return *p; // expected-warning {{Use of memory allocated with size zero}}
} }
void UseZeroAllocated(int *p) { void UseZeroAllocated(int *p) {
if (p) if (p)
*p = 7; // expected-warning {{Use of zero-allocated memory}} *p = 7; // expected-warning {{Use of memory allocated with size zero}}
} }
void CheckUseZeroAllocated3() { void CheckUseZeroAllocated3() {
int *p = malloc(0); int *p = malloc(0);
UseZeroAllocated(p); UseZeroAllocated(p);
} }
void f(char); void f(char);
void CheckUseZeroAllocated4() { void CheckUseZeroAllocated4() {
char *p = valloc(0); char *p = valloc(0);
f(*p); // expected-warning {{Use of zero-allocated memory}} f(*p); // expected-warning {{Use of memory allocated with size zero}}
free(p); free(p);
} }
void CheckUseZeroAllocated5() { void CheckUseZeroAllocated5() {
int *p = calloc(0, 2); int *p = calloc(0, 2);
*p = 1; // expected-warning {{Use of zero-allocated memory}} *p = 1; // expected-warning {{Use of memory allocated with size zero}}
free(p); free(p);
} }
void CheckUseZeroAllocated6() { void CheckUseZeroAllocated6() {
int *p = calloc(2, 0); int *p = calloc(2, 0);
*p = 1; // expected-warning {{Use of zero-allocated memory}} *p = 1; // expected-warning {{Use of memory allocated with size zero}}
free(p); free(p);
} }
void CheckUseZeroAllocated7() { void CheckUseZeroAllocated7() {
int *p = realloc(0, 0); int *p = realloc(0, 0);
*p = 1; // expected-warning {{Use of zero-allocated memory}} *p = 1; // expected-warning {{Use of memory allocated with size zero}}
free(p); free(p);
} }
void CheckUseZeroAllocated8() { void CheckUseZeroAllocated8() {
int *p = malloc(8); int *p = malloc(8);
int *q = realloc(p, 0); int *q = realloc(p, 0);
*q = 1; // expected-warning {{Use of zero-allocated memory}} *q = 1; // expected-warning {{Use of memory allocated with size zero}}
free(q); free(q);
} }
void CheckUseZeroAllocated9() { void CheckUseZeroAllocated9() {
int *p = realloc(0, 0); int *p = realloc(0, 0);
int *q = realloc(p, 0); int *q = realloc(p, 0);
*q = 1; // expected-warning {{Use of zero-allocated memory}} *q = 1; // expected-warning {{Use of memory allocated with size zero}}
free(q); free(q);
} }
void CheckUseZeroAllocatedPathNoWarn(_Bool b) { void CheckUseZeroAllocatedPathNoWarn(_Bool b) {
int s = 0; int s = 0;
if (b) if (b)
s= 10; s= 10;
char *p = malloc(s); char *p = malloc(s);
if (b) if (b)
*p = 1; // no warning *p = 1; // no warning
free(p); free(p);
} }
void CheckUseZeroAllocatedPathWarn(_Bool b) { void CheckUseZeroAllocatedPathWarn(_Bool b) {
int s = 10; int s = 10;
if (b) if (b)
s= 0; s= 0;
char *p = malloc(s); char *p = malloc(s);
if (b) if (b)
*p = 1; // expected-warning {{Use of zero-allocated memory}} *p = 1; // expected-warning {{Use of memory allocated with size zero}}
free(p); free(p);
} }
void CheckUseZeroReallocatedPathNoWarn(_Bool b) { void CheckUseZeroReallocatedPathNoWarn(_Bool b) {
int s = 0; int s = 0;
if (b) if (b)
s= 10; s= 10;
Show All 11 Linesvoid CheckUseZeroReallocatedPathWarn(_Bool b) {
int s = 10; int s = 10;
if (b) if (b)
s= 0; s= 0;
char *p = malloc(8); char *p = malloc(8);
char *q = realloc(p, s); char *q = realloc(p, s);
if (b) if (b)
*q = 1; // expected-warning {{Use of zero-allocated memory}} *q = 1; // expected-warning {{Use of memory allocated with size zero}}
free(q); free(q);
} }
// This case tests that storing malloc'ed memory to a static variable which is // This case tests that storing malloc'ed memory to a static variable which is
// then returned is not leaked. In the absence of known contracts for functions // then returned is not leaked. In the absence of known contracts for functions
// or inter-procedural analysis, this is a conservative answer. // or inter-procedural analysis, this is a conservative answer.
int *f3() { int *f3() {
▲ Show 20 LinesShow All 1,515 LinesShow Last 20 Lines