This is an archive of the discontinued LLVM Phabricator instance.

Differential D113530

[wip] [analyzer] support use-after-free checking with parameter annotation
Needs ReviewPublic

Authored by chrisdangelo on Nov 9 2021, 5:17 PM.

Details

Reviewers
NoQ
aaron.ballman
Summary

This change adds a more ergonomic alternative to the function-based attribute ownership_takes, ownership_holds, and ownership_returns.

This change is a work in progress. This change is planned for posting privately for initial review with Artem Dergachev. After which, this is planned for sharing with Aaron Ballman.

Diff Detail

Unit TestsFailed

TimeTest
60 msx64 debian > LLVM.Bindings/Go::go.test

Event Timeline

chrisdangelo requested review of this revision.Nov 9 2021, 5:17 PM
chrisdangelo created this revision.
chrisdangelo created this object with visibility "chrisdangelo (Chris D'Angelo)".
Herald added a project: Restricted Project. · View Herald TranscriptNov 9 2021, 5:17 PM
chrisdangelo added a reviewer: NoQ.Nov 15 2021, 1:06 PM
chrisdangelo retitled this revision from [analyzer] support use-after-free checking with parameter annotation to [wip] [analyzer] support use-after-free checking with parameter annotation.
chrisdangelo changed the visibility from "chrisdangelo (Chris D'Angelo)" to "Public (No Login Required)".Nov 15 2021, 2:16 PM
Herald added a reviewer: aaron.ballman. · View Herald TranscriptNov 15 2021, 2:16 PM
Herald added subscribers: cfe-commits, manas, steakhal and 10 others. · View Herald Transcript
chrisdangelo added inline comments.Nov 15 2021, 3:10 PM
clang/include/clang/Basic/Attr.td
2263

I've discussed this a bit with Artem in person today. Artem would like to see if the existing "ownership_takes" attribute can be adjusted to include the ability to be used against a parameter. I'm looking into this now.

chrisdangelo mentioned this in D113622: [analyzer] support ignoring use-after-free checking with reference_counted attribute.Dec 14 2021, 1:22 PM
chrisdangelo updated this revision to Diff 395726.EditedDec 21 2021, 11:36 AM
chrisdangelo edited the summary of this revision. (Show Details)

This change removes the previous ownership_takes_param work. This change augments the existing Ownership attribute so that it is now applicable to function parameters.

Theses changes have been used to run the analyzer on a large C / C++ project. The tests have been run locally and successfully with ninja check-clang-analysis and ninja check-clang.

This diff is functional but is not fully complete. As of this iteration, these are the current tasks unresolved...

  1. This change does not fully validate correct usage in SemaDeclAttr.cpp. More can be done to validate that ownership attributes are not used in ways that are in conflict with one another. This conflict can occur with a combination of ownership attributes applied to the function declaration simultaneously with parameter annotations.
  1. We are interested in deprecating the use of function based ownership attributes in favor of using function parameter annotations. This change does not currently provide deprecation warnings.
  1. This change does not test semantic analysis of ownership parameters (attr-ownership.c/cpp).
  1. This change does not fully test static analysis of ownership parameters (malloc-annotations.c).
chrisdangelo updated this revision to Diff 395734.Dec 21 2021, 12:12 PM

This change includes clang-format edits.

NoQ added a comment.Dec 21 2021, 12:28 PM

I'm really glad it actually works!

We are interested in deprecating the use of function based ownership attributes in favor of using function parameter annotations. This change does not currently provide deprecation warnings.

Do we also need to convert ownership_holds to parameter attribute? I think it doesn't make sense to deprecate until we convert all of them.

This change does not fully test static analysis of ownership parameters (malloc-annotations.c).

I think it makes sense to simply copy that file and replace function attributes with parameter attributes and see if it still passes.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1528

Call.getDecl() is intended to be the ultimate source of truth on this subject.

Harbormaster completed remote builds in B140294: Diff 395734.Dec 21 2021, 12:45 PM
chrisdangelo added inline comments.Dec 21 2021, 5:31 PM
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1528

Thank you. This function definition has been removed and the call-site has changed to...

const Decl *D = Call.getDecl();
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D);
if (!FD)
  return;

... I plan to push the above changes soon to Differential. The tests pass successfully using ninja check-clang-analysis.

Previously, functionDeclForCall mimicked the existing solution using const FunctionDecl *FD = C.getCalleeDecl(CE);. I'm not sure what that existing solution provided differently from Call.getDecl().

chrisdangelo updated this revision to Diff 395926.EditedDec 22 2021, 1:55 PM

A) "I think it makes sense to simply copy that file and replace function attributes with parameter attributes and see if it still passes." - @NoQ (Tue, Dec 21, 12:28 PM)

Sounds good. This newest change adds malloc-annotations-param.c and malloc-annotations-param.cpp.

This change begins work to use ownership_takes and ownership_holds parameter attributes for the same tests still using function attributes in malloc-annotations.c and malloc-annotations.cpp respectively.

Note that this is just the beginning of the work to test parameter based ownership attributes. There are many misuse scenarios that are currently not supported in these changes, and not tested.

I've explained a bit more below, and plan to explain a bit more on the comment coinciding with the next Differential attachment.

B) "Do we also need to convert ownership_holds to parameter attribute? I think it doesn't make sense to deprecate until we convert all of them." - @NoQ (Tue, Dec 21, 12:28 PM)

ownership_holds is expected to be functioning. However, there are several misuse scenarios that I've not yet accounted for.

Example 1: What happens if the developer uses the function attribute and parameter attribute on the same parameter with different ownership types?

Example 2: What happens if the developer uses multiple parameter attributes of varying owernship types on the same parameter?

Additionally, ownership_returns compile-time or analysis-time validation is not completely or correctly supported today. For example, nothing prevents the developer from attempting to apply ownership_returns to a parameter in a function.

C) These changes have been tested by successfully running ninja check-clang-analysis.

Harbormaster completed remote builds in B140438: Diff 395926.Dec 22 2021, 2:53 PM

Revision Contents

PathSize
clang/
include/
clang/
Basic/
2 lines
lib/
Sema/
63 lines
StaticAnalyzer/
Checkers/
216 lines
test/
Analysis/
270 lines
98 lines
3 lines

Diff 395926

clang/include/clang/Basic/Attr.td

Show First 20 LinesShow All 2,249 Lines▼ Show 20 Lines let AdditionalMembers = [{
OwnershipKind getOwnKind() const { OwnershipKind getOwnKind() const {
return isHolds() ? Holds : return isHolds() ? Holds :
isTakes() ? Takes : isTakes() ? Takes :
Returns; Returns;
} }
}]; }];
let Args = [IdentifierArgument<"Module">, let Args = [IdentifierArgument<"Module">,
VariadicParamIdxArgument<"Args">]; VariadicParamIdxArgument<"Args">];
let Subjects = SubjectList<[HasFunctionProto]>; let Subjects = SubjectList<[HasFunctionProto, ParmVar]>;
let Documentation = [Undocumented]; let Documentation = [Undocumented];
} }
def Packed : InheritableAttr { def Packed : InheritableAttr {
let Spellings = [GCC<"packed">]; let Spellings = [GCC<"packed">];
chrisdangeloAuthorUnsubmitted
Done
ReplyInline Actions

I've discussed this a bit with Artem in person today. Artem would like to see if the existing "ownership_takes" attribute can be adjusted to include the ability to be used against a parameter. I'm looking into this now.

chrisdangelo: I've discussed this a bit with Artem in person today. Artem would like to see if the existing…
// let Subjects = [Tag, Field]; // let Subjects = [Tag, Field];
let Documentation = [Undocumented]; let Documentation = [Undocumented];
} }
def IntelOclBicc : DeclOrTypeAttr { def IntelOclBicc : DeclOrTypeAttr {
let Spellings = [Clang<"intel_ocl_bicc", 0>]; let Spellings = [Clang<"intel_ocl_bicc", 0>];
// let Subjects = [Function, ObjCMethod]; // let Subjects = [Function, ObjCMethod];
let Documentation = [Undocumented]; let Documentation = [Undocumented];
▲ Show 20 LinesShow All 1,593 LinesShow Last 20 Lines

clang/lib/Sema/SemaDeclAttr.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 1,708 Lines▼ Show 20 Linesstatic bool normalizeName(StringRef &AttrName) {
if (AttrName.size() > 4 && AttrName.startswith("__") && if (AttrName.size() > 4 && AttrName.startswith("__") &&
AttrName.endswith("__")) { AttrName.endswith("__")) {
AttrName = AttrName.drop_front(2).drop_back(2); AttrName = AttrName.drop_front(2).drop_back(2);
return true; return true;
} }
return false; return false;
} }
static void handleOwnershipAttr(Sema &S, Decl *D, const ParsedAttr &AL) { static IdentifierInfo *handleOwnershipAttrModule(Sema &S,
const ParsedAttr &AL) {
if (!AL.isArgIdent(0)) {
S.Diag(AL.getLoc(), diag::err_attribute_argument_n_type)
<< AL << 1 << AANT_ArgumentIdentifier;
return nullptr;
}
IdentifierInfo *Module = AL.getArgAsIdent(0)->Ident;
StringRef ModuleName = Module->getName();
if (normalizeName(ModuleName)) {
Module = &S.PP.getIdentifierTable().get(ModuleName);
}
return Module;
}
static void handleOwnershipParamAttr(Sema &S, ParmVarDecl *D,
const ParsedAttr &AL) {
IdentifierInfo *M = handleOwnershipAttrModule(S, AL);
if (!M)
return;
if (AL.getNumArgs() > 1) {
S.Diag(AL.getLoc(), diag::err_attribute_too_many_arguments) << AL << 1;
return;
}
QualType QT = D->getType();
if (!S.isValidPointerAttrType(QT)) {
SourceRange AttrParmRange = SourceRange();
SourceRange TypeRange = D->getSourceRange();
S.Diag(AL.getLoc(), diag::warn_attribute_pointers_only)
<< AL << AttrParmRange << TypeRange << 0;
return;
}
ParamIdx *Start = nullptr;
unsigned Size = 0;
llvm::array_pod_sort(Start, Start + Size);
D->addAttr(::new (S.Context) OwnershipAttr(S.Context, AL, M, Start, Size));
}
static void handleOwnershipFuncAttr(Sema &S, Decl *D, const ParsedAttr &AL) {
// This attribute must be applied to a function declaration. The first // This attribute must be applied to a function declaration. The first
// argument to the attribute must be an identifier, the name of the resource, // argument to the attribute must be an identifier, the name of the resource,
// for example: malloc. The following arguments must be argument indexes, the // for example: malloc. The following arguments must be argument indexes, the
// arguments must be of integer type for Returns, otherwise of pointer type. // arguments must be of integer type for Returns, otherwise of pointer type.
// The difference between Holds and Takes is that a pointer may still be used // The difference between Holds and Takes is that a pointer may still be used
// after being held. free() should be __attribute((ownership_takes)), whereas // after being held. free() should be __attribute((ownership_takes)), whereas
// a list append function may well be __attribute((ownership_holds)). // a list append function may well be __attribute((ownership_holds)).
if (!AL.isArgIdent(0)) { IdentifierInfo *Module = handleOwnershipAttrModule(S, AL);
S.Diag(AL.getLoc(), diag::err_attribute_argument_n_type) if (!Module)
<< AL << 1 << AANT_ArgumentIdentifier;
return; return;
}
// Figure out our Kind. // Figure out our Kind.
OwnershipAttr::OwnershipKind K = OwnershipAttr::OwnershipKind K =
OwnershipAttr(S.Context, AL, nullptr, nullptr, 0).getOwnKind(); OwnershipAttr(S.Context, AL, nullptr, nullptr, 0).getOwnKind();
// Check arguments. // Check arguments.
switch (K) { switch (K) {
case OwnershipAttr::Takes: case OwnershipAttr::Takes:
case OwnershipAttr::Holds: case OwnershipAttr::Holds:
if (AL.getNumArgs() < 2) { if (AL.getNumArgs() < 2) {
S.Diag(AL.getLoc(), diag::err_attribute_too_few_arguments) << AL << 2; S.Diag(AL.getLoc(), diag::err_attribute_too_few_arguments) << AL << 2;
return; return;
} }
break; break;
case OwnershipAttr::Returns: case OwnershipAttr::Returns:
if (AL.getNumArgs() > 2) { if (AL.getNumArgs() > 2) {
S.Diag(AL.getLoc(), diag::err_attribute_too_many_arguments) << AL << 1; S.Diag(AL.getLoc(), diag::err_attribute_too_many_arguments) << AL << 1;
return; return;
} }
break; break;
} }
IdentifierInfo *Module = AL.getArgAsIdent(0)->Ident;
StringRef ModuleName = Module->getName();
if (normalizeName(ModuleName)) {
Module = &S.PP.getIdentifierTable().get(ModuleName);
}
SmallVector<ParamIdx, 8> OwnershipArgs; SmallVector<ParamIdx, 8> OwnershipArgs;
for (unsigned i = 1; i < AL.getNumArgs(); ++i) { for (unsigned i = 1; i < AL.getNumArgs(); ++i) {
Expr *Ex = AL.getArgAsExpr(i); Expr *Ex = AL.getArgAsExpr(i);
ParamIdx Idx; ParamIdx Idx;
if (!checkFunctionOrMethodParameterIndex(S, D, AL, i, Ex, Idx)) if (!checkFunctionOrMethodParameterIndex(S, D, AL, i, Ex, Idx))
return; return;
// Is the function argument a pointer type? // Is the function argument a pointer type?
▲ Show 20 LinesShow All 6,332 Lines▼ Show 20 Lines case ParsedAttr::AT_NoEscape:
break; break;
case ParsedAttr::AT_AssumeAligned: case ParsedAttr::AT_AssumeAligned:
handleAssumeAlignedAttr(S, D, AL); handleAssumeAlignedAttr(S, D, AL);
break; break;
case ParsedAttr::AT_AllocAlign: case ParsedAttr::AT_AllocAlign:
handleAllocAlignAttr(S, D, AL); handleAllocAlignAttr(S, D, AL);
break; break;
case ParsedAttr::AT_Ownership: case ParsedAttr::AT_Ownership:
handleOwnershipAttr(S, D, AL); if (auto *PVD = dyn_cast<ParmVarDecl>(D))
handleOwnershipParamAttr(S, PVD, AL);
else
handleOwnershipFuncAttr(S, D, AL);
break; break;
case ParsedAttr::AT_Naked: case ParsedAttr::AT_Naked:
handleNakedAttr(S, D, AL); handleNakedAttr(S, D, AL);
break; break;
case ParsedAttr::AT_NoReturn: case ParsedAttr::AT_NoReturn:
handleNoReturnAttr(S, D, AL); handleNoReturnAttr(S, D, AL);
break; break;
case ParsedAttr::AT_AnyX86NoCfCheck: case ParsedAttr::AT_AnyX86NoCfCheck:
▲ Show 20 LinesShow All 798 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 295 Lines▼ Show 20 Lines
class MallocChecker class MallocChecker
: public Checker<check::DeadSymbols, check::PointerEscape, : public Checker<check::DeadSymbols, check::PointerEscape,
check::ConstPointerEscape, check::PreStmt<ReturnStmt>, check::ConstPointerEscape, check::PreStmt<ReturnStmt>,
check::EndFunction, check::PreCall, check::PostCall, check::EndFunction, check::PreCall, check::PostCall,
check::NewAllocator, check::PostStmt<BlockExpr>, check::NewAllocator, check::PostStmt<BlockExpr>,
check::PostObjCMessage, check::Location, eval::Assume> { check::PostObjCMessage, check::Location, eval::Assume> {
public: public:
/// In pessimistic mode, the checker assumes that it does not know which DefaultBool IsOptimisticAnalyzerOptionEnabled;
/// functions might free the memory.
/// In optimistic mode, the checker assumes that all user-defined functions
/// which might free a pointer are annotated.
DefaultBool ShouldIncludeOwnershipAnnotatedFunctions;
DefaultBool ShouldRegisterNoOwnershipChangeVisitor; DefaultBool ShouldRegisterNoOwnershipChangeVisitor;
/// Many checkers are essentially built into this one, so enabling them will /// Many checkers are essentially built into this one, so enabling them will
/// make MallocChecker perform additional modeling and reporting. /// make MallocChecker perform additional modeling and reporting.
enum CheckKind { enum CheckKind {
/// When a subchecker is enabled but MallocChecker isn't, model memory /// When a subchecker is enabled but MallocChecker isn't, model memory
/// management but do not emit warnings emitted with MallocChecker only /// management but do not emit warnings emitted with MallocChecker only
▲ Show 20 LinesShow All 126 Lines▼ Show 20 Lines#define CHECK_FN(NAME) \
using KernelZeroSizePtrValueTy = Optional<int>; using KernelZeroSizePtrValueTy = Optional<int>;
/// Store the value of macro called `ZERO_SIZE_PTR`. /// Store the value of macro called `ZERO_SIZE_PTR`.
/// The value is initialized at first use, before first use the outer /// The value is initialized at first use, before first use the outer
/// Optional is empty, afterwards it contains another Optional that indicates /// Optional is empty, afterwards it contains another Optional that indicates
/// if the macro value could be determined, and if yes the value itself. /// if the macro value could be determined, and if yes the value itself.
mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue; mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue;
LLVM_NODISCARD
ProgramStateRef ownershipFuncAttr(const CallEvent &Call, CheckerContext &C,
const FunctionDecl *FD,
ProgramStateRef S) const;
LLVM_NODISCARD
ProgramStateRef ownershipParamAttr(const CallEvent &Call, CheckerContext &C,
const FunctionDecl *FD,
ProgramStateRef S) const;
/// Process C++ operator new()'s allocation, which is the part of C++ /// Process C++ operator new()'s allocation, which is the part of C++
/// new-expression that goes before the constructor. /// new-expression that goes before the constructor.
LLVM_NODISCARD LLVM_NODISCARD
ProgramStateRef processNewAllocation(const CXXAllocatorCall &Call, ProgramStateRef processNewAllocation(const CXXAllocatorCall &Call,
CheckerContext &C, CheckerContext &C,
AllocationFamily Family) const; AllocationFamily Family) const;
/// Perform a zero-allocation check. /// Perform a zero-allocation check.
Show All 22 Lines#define CHECK_FN(NAME) \
/// - first: name of the resource (e.g. 'malloc') /// - first: name of the resource (e.g. 'malloc')
/// - (OPTIONAL) second: size of the allocated region /// - (OPTIONAL) second: size of the allocated region
/// ///
/// \param [in] Call The expression that allocates memory. /// \param [in] Call The expression that allocates memory.
/// \param [in] Att The ownership_returns attribute. /// \param [in] Att The ownership_returns attribute.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \returns The ProgramState right after allocation. /// \returns The ProgramState right after allocation.
LLVM_NODISCARD LLVM_NODISCARD
ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call, ProgramStateRef ownershipReturnsFuncAttr(CheckerContext &C,
const CallEvent &Call,
const OwnershipAttr *Att, const OwnershipAttr *Att,
ProgramStateRef State) const; ProgramStateRef State) const;
/// Models memory allocation. /// Models memory allocation.
/// ///
/// \param [in] Call The expression that allocates memory. /// \param [in] Call The expression that allocates memory.
/// \param [in] SizeEx Size of the memory that needs to be allocated. /// \param [in] SizeEx Size of the memory that needs to be allocated.
/// \param [in] Init The value the allocated memory needs to be initialized. /// \param [in] Init The value the allocated memory needs to be initialized.
/// with. For example, \c calloc initializes the allocated memory to 0, /// with. For example, \c calloc initializes the allocated memory to 0,
/// malloc leaves it undefined. /// malloc leaves it undefined.
Show All 40 Lines#define CHECK_FN(NAME) \
/// - first: name of the resource (e.g. 'malloc') /// - first: name of the resource (e.g. 'malloc')
/// - second: index of the parameter the attribute applies to /// - second: index of the parameter the attribute applies to
/// ///
/// \param [in] Call The expression that frees memory. /// \param [in] Call The expression that frees memory.
/// \param [in] Att The ownership_takes or ownership_holds attribute. /// \param [in] Att The ownership_takes or ownership_holds attribute.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \returns The ProgramState right after deallocation. /// \returns The ProgramState right after deallocation.
LLVM_NODISCARD LLVM_NODISCARD
ProgramStateRef FreeMemAttr(CheckerContext &C, const CallEvent &Call, ProgramStateRef ownershipTakesFuncAttr(CheckerContext &C,
const CallEvent &Call,
const OwnershipAttr *Att, const OwnershipAttr *Att,
ProgramStateRef State) const; ProgramStateRef State) const;
/// Models memory deallocation. /// Models memory deallocation.
/// ///
/// \param [in] Call The expression that frees memory. /// \param [in] Call The expression that frees memory.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \param [in] Num Index of the argument that needs to be freed. This is /// \param [in] Num Index of the argument that needs to be freed. This is
/// normally 0, but for custom free functions it may be different. /// normally 0, but for custom free functions it may be different.
/// \param [in] Hold Whether the parameter at \p Index has the ownership_holds /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
▲ Show 20 LinesShow All 500 Lines▼ Show 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Methods of MallocChecker and MallocBugVisitor. // Methods of MallocChecker and MallocBugVisitor.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
bool MallocChecker::isFreeingCall(const CallEvent &Call) const { bool MallocChecker::isFreeingCall(const CallEvent &Call) const {
if (FreeingMemFnMap.lookup(Call) || ReallocatingMemFnMap.lookup(Call)) if (FreeingMemFnMap.lookup(Call) || ReallocatingMemFnMap.lookup(Call))
return true; return true;
const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl()); const auto *FD = dyn_cast<FunctionDecl>(Call.getDecl());
if (Func && Func->hasAttrs()) { if (!FD)
for (const auto *I : Func->specific_attrs<OwnershipAttr>()) { return false;
if (FD->hasAttrs()) {
for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind(); OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds) if (OwnKind == OwnershipAttr::Takes || OwnKind == OwnershipAttr::Holds)
return true; return true;
} }
} }
for (const auto *P : FD->parameters()) {
unsigned int Index = P->getFunctionScopeIndex();
bool IsParamInBounds = Index >= 0 && Index < Call.getNumArgs();
if (!IsParamInBounds)
continue;
if (!P->hasAttrs())
continue;
for (const auto *I : P->specific_attrs<OwnershipAttr>()) {
if (I->getModule()->getName() != "malloc")
continue;
switch (I->getOwnKind()) {
case OwnershipAttr::Returns:
continue;
case OwnershipAttr::Holds:
case OwnershipAttr::Takes:
return true;
}
}
}
return false; return false;
} }
bool MallocChecker::isMemCall(const CallEvent &Call) const { bool MallocChecker::isMemCall(const CallEvent &Call) const {
if (FreeingMemFnMap.lookup(Call) || AllocatingMemFnMap.lookup(Call) || if (FreeingMemFnMap.lookup(Call) || AllocatingMemFnMap.lookup(Call) ||
ReallocatingMemFnMap.lookup(Call)) ReallocatingMemFnMap.lookup(Call))
return true; return true;
if (!ShouldIncludeOwnershipAnnotatedFunctions) if (!IsOptimisticAnalyzerOptionEnabled)
return false;
const auto *FD = dyn_cast<FunctionDecl>(Call.getDecl());
if (!FD)
return false; return false;
const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl()); if (FD->hasAttr<OwnershipAttr>())
return Func && Func->hasAttr<OwnershipAttr>(); return true;
for (const auto *P : FD->parameters()) {
unsigned int Index = P->getFunctionScopeIndex();
bool IsParamInBounds = Index >= 0 && Index < Call.getNumArgs();
if (!IsParamInBounds)
continue;
if (!P->hasAttrs())
continue;
for (const auto *I : P->specific_attrs<OwnershipAttr>()) {
if (I->getModule()->getName() != "malloc")
continue;
return true;
}
}
return false;
} }
llvm::Optional<ProgramStateRef> llvm::Optional<ProgramStateRef>
MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C, MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C,
const ProgramStateRef &State) const { const ProgramStateRef &State) const {
// 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
// //
// void *malloc(unsigned long size, struct malloc_type *mtp, int flags); // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
▲ Show 20 LinesShow All 295 Lines▼ Show 20 Linesvoid MallocChecker::checkReallocN(const CallEvent &Call,
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
State = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false, State, AF_Malloc, State = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false, State, AF_Malloc,
/*SuffixWithN=*/true); /*SuffixWithN=*/true);
State = ProcessZeroAllocCheck(Call, 1, State); State = ProcessZeroAllocCheck(Call, 1, State);
State = ProcessZeroAllocCheck(Call, 2, State); State = ProcessZeroAllocCheck(Call, 2, State);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkOwnershipAttr(const CallEvent &Call, ProgramStateRef MallocChecker::ownershipFuncAttr(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C,
ProgramStateRef State = C.getState(); const FunctionDecl *FD,
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); ProgramStateRef S) const {
if (!CE) if (!FD->hasAttrs())
return; return S;
const FunctionDecl *FD = C.getCalleeDecl(CE);
if (!FD)
return;
if (ShouldIncludeOwnershipAnnotatedFunctions ||
ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
// Check all the attributes, if there are any.
// There can be multiple of these attributes.
if (FD->hasAttrs())
for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
ProgramStateRef AttrS = nullptr;
switch (I->getOwnKind()) { switch (I->getOwnKind()) {
case OwnershipAttr::Returns: case OwnershipAttr::Returns:
State = MallocMemReturnsAttr(C, Call, I, State); AttrS = ownershipReturnsFuncAttr(C, Call, I, S);
break; break;
case OwnershipAttr::Takes: case OwnershipAttr::Takes:
case OwnershipAttr::Holds: case OwnershipAttr::Holds:
State = FreeMemAttr(C, Call, I, State); AttrS = ownershipTakesFuncAttr(C, Call, I, S);
break; break;
} }
if (AttrS)
S = AttrS;
} }
return S;
} }
C.addTransition(State);
ProgramStateRef MallocChecker::ownershipParamAttr(const CallEvent &Call,
CheckerContext &C,
const FunctionDecl *FD,
ProgramStateRef S) const {
for (const auto *P : FD->parameters()) {
unsigned int Index = P->getFunctionScopeIndex();
bool IsParamInBounds = Index >= 0 && Index < Call.getNumArgs();
if (!IsParamInBounds)
continue;
if (!P->hasAttrs())
continue;
for (const auto *I : P->specific_attrs<OwnershipAttr>()) {
if (I->getModule()->getName() != "malloc")
continue;
bool IsAlloc = false;
bool Holds = false;
ProgramStateRef AttrS = nullptr;
const Expr *SizeEx = Call.getArgExpr(Index);
const SVal Init = UndefinedVal();
switch (I->getOwnKind()) {
case OwnershipAttr::Returns:
AttrS = MallocMemAux(C, Call, SizeEx, Init, S, AF_Malloc);
break;
case OwnershipAttr::Holds:
Holds = true;
LLVM_FALLTHROUGH;
case OwnershipAttr::Takes:
AttrS = FreeMemAux(C, Call, S, Index, Holds, IsAlloc, AF_Malloc);
break;
}
if (AttrS)
S = AttrS;
}
}
return S;
}
void MallocChecker::checkOwnershipAttr(const CallEvent &Call,
CheckerContext &C) const {
NoQUnsubmitted
Not Done
ReplyInline Actions

Call.getDecl() is intended to be the ultimate source of truth on this subject.

NoQ: `Call.getDecl()` is intended to be the ultimate source of truth on this subject.
chrisdangeloAuthorUnsubmitted
Done
ReplyInline Actions

Thank you. This function definition has been removed and the call-site has changed to...

const Decl *D = Call.getDecl();
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D);
if (!FD)
  return;

... I plan to push the above changes soon to Differential. The tests pass successfully using ninja check-clang-analysis.

Previously, functionDeclForCall mimicked the existing solution using const FunctionDecl *FD = C.getCalleeDecl(CE);. I'm not sure what that existing solution provided differently from Call.getDecl().

chrisdangelo: Thank you. This function definition has been removed and the call-site has changed to... ```…
bool IsEnabled = IsOptimisticAnalyzerOptionEnabled ||
ChecksEnabled[CK_MismatchedDeallocatorChecker];
if (!IsEnabled)
return;
ProgramStateRef S = C.getState();
if (!S)
return;
const Decl *D = Call.getDecl();
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D);
if (!FD)
return;
S = ownershipFuncAttr(Call, C, FD, S);
S = ownershipParamAttr(Call, C, FD, S);
C.addTransition(S);
} }
void MallocChecker::checkPostCall(const CallEvent &Call, void MallocChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
if (C.wasInlined) if (C.wasInlined)
return; return;
if (!Call.getOriginExpr()) if (!Call.getOriginExpr())
return; return;
▲ Show 20 LinesShow All 208 Lines▼ Show 20 Linesvoid MallocChecker::checkPostObjCMessage(const ObjCMethodCall &Call,
ProgramStateRef State = ProgramStateRef State =
FreeMemAux(C, Call.getArgExpr(0), Call, C.getState(), FreeMemAux(C, Call.getArgExpr(0), Call, C.getState(),
/*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc, /*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc,
/*RetNullOnFailure=*/true); /*RetNullOnFailure=*/true);
C.addTransition(State); C.addTransition(State);
} }
ProgramStateRef ProgramStateRef MallocChecker::ownershipReturnsFuncAttr(
MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call, CheckerContext &C, const CallEvent &Call, const OwnershipAttr *Att,
const OwnershipAttr *Att,
ProgramStateRef State) const { ProgramStateRef State) const {
if (!State) if (!State)
return nullptr; return nullptr;
if (Att->getModule()->getName() != "malloc") if (Att->getModule()->getName() != "malloc")
return nullptr; return nullptr;
OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
if (I != E) { if (I != E) {
▲ Show 20 LinesShow All 67 Lines▼ Show 20 Linesstatic ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
// This is a return value of a function that was not inlined, such as malloc() // This is a return value of a function that was not inlined, such as malloc()
// or new(). We've checked that in the caller. Therefore, it must be a symbol. // or new(). We've checked that in the caller. Therefore, it must be a symbol.
assert(Sym); assert(Sym);
// Set the symbol's state to Allocated. // Set the symbol's state to Allocated.
return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
} }
ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, ProgramStateRef
const CallEvent &Call, MallocChecker::ownershipTakesFuncAttr(CheckerContext &C, const CallEvent &Call,
const OwnershipAttr *Att, const OwnershipAttr *Att,
ProgramStateRef State) const { ProgramStateRef State) const {
if (!State) if (!State)
return nullptr; return nullptr;
if (Att->getModule()->getName() != "malloc") if (Att->getModule()->getName() != "malloc")
return nullptr; return nullptr;
bool IsKnownToBeAllocated = false; bool IsKnownToBeAllocated = false;
▲ Show 20 LinesShow All 1,808 Lines▼ Show 20 Linesvoid ento::registerInnerPointerCheckerAux(CheckerManager &mgr) {
MallocChecker *checker = mgr.getChecker<MallocChecker>(); MallocChecker *checker = mgr.getChecker<MallocChecker>();
checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true; checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;
checker->CheckNames[MallocChecker::CK_InnerPointerChecker] = checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
mgr.getCurrentCheckerName(); mgr.getCurrentCheckerName();
} }
void ento::registerDynamicMemoryModeling(CheckerManager &mgr) { void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
auto *checker = mgr.registerChecker<MallocChecker>(); auto *checker = mgr.registerChecker<MallocChecker>();
checker->ShouldIncludeOwnershipAnnotatedFunctions = checker->IsOptimisticAnalyzerOptionEnabled =
mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic"); mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic");
checker->ShouldRegisterNoOwnershipChangeVisitor = checker->ShouldRegisterNoOwnershipChangeVisitor =
mgr.getAnalyzerOptions().getCheckerBooleanOption( mgr.getAnalyzerOptions().getCheckerBooleanOption(
checker, "AddNoOwnershipChangeNotes"); checker, "AddNoOwnershipChangeNotes");
} }
bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) { bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) {
return true; return true;
Show All 16 Lines

clang/test/Analysis/malloc-annotations-param.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-store=region -verify \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
// RUN: -analyzer-checker=alpha.core.CastSize \
// RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);
void free(void *);
void *realloc(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size);
void __attribute((ownership_returns(malloc))) * my_malloc(size_t);
void my_free(void *__attribute__((ownership_takes(malloc))));
void my_freeBoth(void *__attribute__((ownership_takes(malloc))), void *__attribute__((ownership_takes(malloc))));
void __attribute((ownership_returns(malloc, 1))) * my_malloc2(size_t);
void my_hold(void *__attribute__((ownership_holds(malloc))));
// Duplicate attributes are silly, but not an error.
// Duplicate attribute has no extra effect.
// If two are of different kinds, that is an error and reported as such.
void __attribute((ownership_holds(malloc, 1)))
__attribute((ownership_holds(malloc, 1)))
__attribute((ownership_holds(malloc, 3))) my_hold2(void *, void *, void *);
void *my_malloc3(size_t);
void *myglobalpointer;
struct stuff {
void *somefield;
};
struct stuff myglobalstuff;
void f1() {
int *p = malloc(12);
return; // expected-warning{{Potential leak of memory pointed to by}}
}
void f2() {
int *p = malloc(12);
free(p);
free(p); // expected-warning{{Attempt to free released memory}}
}
void f2_realloc_0() {
int *p = malloc(12);
realloc(p, 0);
realloc(p, 0); // expected-warning{{Attempt to free released memory}}
}
void f2_realloc_1() {
int *p = malloc(12);
int *q = realloc(p, 0); // no-warning
}
// ownership attributes tests
void naf1() {
int *p = my_malloc3(12);
return; // no-warning
}
void n2af1() {
int *p = my_malloc2(12);
return; // expected-warning{{Potential leak of memory pointed to by}}
}
void af1() {
int *p = my_malloc(12);
return; // expected-warning{{Potential leak of memory pointed to by}}
}
void af1_b() {
int *p = my_malloc(12);
} // expected-warning{{Potential leak of memory pointed to by}}
void af1_c() {
myglobalpointer = my_malloc(12); // no-warning
}
void af1_d() {
struct stuff mystuff;
mystuff.somefield = my_malloc(12);
} // expected-warning{{Potential leak of memory pointed to by}}
// Test that we can pass out allocated memory via pointer-to-pointer.
void af1_e(void **pp) {
*pp = my_malloc(42); // no-warning
}
void af1_f(struct stuff *somestuff) {
somestuff->somefield = my_malloc(12); // no-warning
}
// Allocating memory for a field via multiple indirections to our arguments is OK.
void af1_g(struct stuff **pps) {
*pps = my_malloc(sizeof(struct stuff)); // no-warning
(*pps)->somefield = my_malloc(42); // no-warning
}
void af2() {
int *p = my_malloc(12);
my_free(p);
free(p); // expected-warning{{Attempt to free released memory}}
}
void af2b() {
int *p = my_malloc(12);
free(p);
my_free(p); // expected-warning{{Attempt to free released memory}}
}
void af2c() {
int *p = my_malloc(12);
free(p);
my_hold(p); // expected-warning{{Attempt to free released memory}}
}
void af2d() {
int *p = my_malloc(12);
free(p);
my_hold2(0, 0, p); // expected-warning{{Attempt to free released memory}}
}
// No leak if malloc returns null.
void af2e() {
int *p = my_malloc(12);
if (!p)
return; // no-warning
free(p); // no-warning
}
// This case inflicts a possible double-free.
void af3() {
int *p = my_malloc(12);
my_hold(p);
free(p); // expected-warning{{Attempt to free non-owned memory}}
}
int *af4() {
int *p = my_malloc(12);
my_free(p);
return p; // expected-warning{{Use of memory after it is freed}}
}
// This case is (possibly) ok, be conservative
int *af5() {
int *p = my_malloc(12);
my_hold(p);
return p; // no-warning
}
// This case tests that storing malloc'ed memory to a static variable which is
// then returned is not leaked. In the absence of known contracts for functions
// or inter-procedural analysis, this is a conservative answer.
int *f3() {
static int *p = 0;
p = malloc(12);
return p; // no-warning
}
// This case tests that storing malloc'ed memory to a static global variable
// which is then returned is not leaked. In the absence of known contracts for
// functions or inter-procedural analysis, this is a conservative answer.
static int *p_f4 = 0;
int *f4() {
p_f4 = malloc(12);
return p_f4; // no-warning
}
int *f5() {
int *q = malloc(12);
q = realloc(q, 20);
return q; // no-warning
}
void f6() {
int *p = malloc(12);
if (!p)
return; // no-warning
else
free(p);
}
void f6_realloc() {
int *p = malloc(12);
if (!p)
return; // no-warning
else
realloc(p, 0);
}
char *doit2();
void pr6069() {
char *buf = doit2();
free(buf);
}
void pr6293() {
free(0);
}
void f7() {
char *x = (char *)malloc(4);
free(x);
x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
}
void f7_realloc() {
char *x = (char *)malloc(4);
realloc(x, 0);
x[0] = 'a'; // expected-warning{{Use of memory after it is freed}}
}
void PR6123() {
int *x = malloc(11); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
}
void PR7217() {
int *buf = malloc(2); // expected-warning{{Cast a region whose size is not a multiple of the destination type size}}
buf[1] = 'c'; // not crash
}
void mallocCastToVoid() {
void *p = malloc(2);
const void *cp = p; // not crash
free(p);
}
void mallocCastToFP() {
void *p = malloc(2);
void (*fp)() = p; // not crash
free(p);
}
// This tests that malloc() buffers are undefined by default
char mallocGarbage() {
char *buf = malloc(2);
char result = buf[1]; // expected-warning{{undefined}}
free(buf);
return result;
}
// This tests that calloc() buffers need to be freed
void callocNoFree() {
char *buf = calloc(2, 2);
return; // expected-warning{{Potential leak of memory pointed to by}}
}
// These test that calloc() buffers are zeroed by default
char callocZeroesGood() {
char *buf = calloc(2, 2);
char result = buf[3]; // no-warning
if (buf[1] == 0) {
free(buf);
}
return result; // no-warning
}
char callocZeroesBad() {
char *buf = calloc(2, 2);
char result = buf[3]; // no-warning
if (buf[1] != 0) {
free(buf); // expected-warning{{never executed}}
}
return result; // expected-warning{{Potential leak of memory pointed to by}}
}
void testMultipleFreeAnnotations() {
int *p = malloc(12);
int *q = malloc(12);
my_freeBoth(p, q);
}

clang/test/Analysis/malloc-annotations-param.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-store=region -verify \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
// RUN: -analyzer-checker=alpha.core.CastSize \
// RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);
void free(void *);
struct MemoryAllocator {
void __attribute((ownership_returns(malloc))) * my_malloc(size_t);
void __attribute((ownership_takes(malloc, 2))) my_free(void *);
void __attribute((ownership_holds(malloc, 2))) my_hold(void *);
};
void *myglobalpointer;
struct stuff {
void *somefield;
};
struct stuff myglobalstuff;
void af1(MemoryAllocator &Alloc) {
void *p = Alloc.my_malloc(12);
return; // expected-warning{{Potential leak of memory pointed to by}}
}
void af1_b(MemoryAllocator &Alloc) {
void *p = Alloc.my_malloc(12);
} // expected-warning{{Potential leak of memory pointed to by}}
void af1_c(MemoryAllocator &Alloc) {
myglobalpointer = Alloc.my_malloc(12); // no-warning
}
// Test that we can pass out allocated memory via pointer-to-pointer.
void af1_e(MemoryAllocator &Alloc, void **pp) {
*pp = Alloc.my_malloc(42); // no-warning
}
void af1_f(MemoryAllocator &Alloc, struct stuff *somestuff) {
somestuff->somefield = Alloc.my_malloc(12); // no-warning
}
// Allocating memory for a field via multiple indirections to our arguments is OK.
void af1_g(MemoryAllocator &Alloc, struct stuff **pps) {
*pps = (struct stuff *)Alloc.my_malloc(sizeof(struct stuff)); // no-warning
(*pps)->somefield = Alloc.my_malloc(42); // no-warning
}
void af2(MemoryAllocator &Alloc) {
void *p = Alloc.my_malloc(12);
Alloc.my_free(p);
free(p); // expected-warning{{Attempt to free released memory}}
}
void af2b(MemoryAllocator &Alloc) {
void *p = Alloc.my_malloc(12);
free(p);
Alloc.my_free(p); // expected-warning{{Attempt to free released memory}}
}
void af2c(MemoryAllocator &Alloc) {
void *p = Alloc.my_malloc(12);
free(p);
Alloc.my_hold(p); // expected-warning{{Attempt to free released memory}}
}
// No leak if malloc returns null.
void af2e(MemoryAllocator &Alloc) {
void *p = Alloc.my_malloc(12);
if (!p)
return; // no-warning
free(p); // no-warning
}
// This case inflicts a possible double-free.
void af3(MemoryAllocator &Alloc) {
void *p = Alloc.my_malloc(12);
Alloc.my_hold(p);
free(p); // expected-warning{{Attempt to free non-owned memory}}
}
void *af4(MemoryAllocator &Alloc) {
void *p = Alloc.my_malloc(12);
Alloc.my_free(p);
return p; // expected-warning{{Use of memory after it is freed}}
}
// This case is (possibly) ok, be conservative
void *af5(MemoryAllocator &Alloc) {
void *p = Alloc.my_malloc(12);
Alloc.my_hold(p);
return p; // no-warning
}

clang/test/Analysis/malloc-annotations.c

Show First 20 LinesShow All 265 Lines▼ Show 20 Lineschar callocZeroesBad () {
} }
return result; // expected-warning{{Potential leak of memory pointed to by}} return result; // expected-warning{{Potential leak of memory pointed to by}}
} }
void testMultipleFreeAnnotations() { void testMultipleFreeAnnotations() {
int *p = malloc(12); int *p = malloc(12);
int *q = malloc(12); int *q = malloc(12);
my_freeBoth(p, q); my_freeBoth(p, q);
} }
No newline at end of file