This is an archive of the discontinued LLVM Phabricator instance.

Differential D119509

[analyzer] Fix a crash in NoStateChangeVisitor with body-farmed stack frames.
ClosedPublic

Authored by NoQ on Feb 10 2022, 7:36 PM.

Details

Reviewers
Szelethus
t-rasmud
martong
steakhal
ASDenysPetrov
balazske
gamesh411
Commits
rGe0e174845b08: [analyzer] Fix a crash in NoStateChangeVisitor with body-farmed stack frames.
Summary

LocationContext::getDecl() isn't useful for obtaining the "farmed" body because the (synthetic) body statement isn't actually attached to the (natural-grown) declaration in the AST. This manifests in hard crashes every time the visitor tries to scan the body-farmed stack frame.

Note that it's technically possible to obtain and scan the body. It's useless to do so though, given that you can't put notes into it, given that it doesn't map into any user source code.

The C test case is libdispatch/blocks-specific but the C++ test case is something that can happen to everybody, even though the premise is roughly the same.

Diff Detail

Event Timeline

NoQ created this revision.Feb 10 2022, 7:36 PM
Herald added subscribers: manas, dkrupp, donat.nagy and 7 others. · View Herald TranscriptFeb 10 2022, 7:36 PM
NoQ requested review of this revision.Feb 10 2022, 7:36 PM
Harbormaster completed remote builds in B148894: Diff 407748.Feb 10 2022, 8:35 PM
steakhal added a comment.Feb 10 2022, 10:54 PM

I dont even see why should the no-state-changed-visitor attempt to do anything with that call. It should have disarm itself when it reaches the allocation. It its not the case, we should probably consider fixing that as well in a followup.
Please consider rearranging the code to make it possible for the synthetized callee to actually deallocate the memory.

NoQ updated this revision to Diff 408012.Feb 11 2022, 1:09 PM

Oh, great point. Added tests that were crashing the other way round so that to demonstrate that this fix is still justified. But I agree that the visitor can totally terminate early so that to make the original tests pass for two reasons!

Harbormaster completed remote builds in B149077: Diff 408012.Feb 11 2022, 2:20 PM
steakhal accepted this revision.Feb 14 2022, 9:40 AM

Thanks.

This revision is now accepted and ready to land.Feb 14 2022, 9:40 AM
Closed by commit rGe0e174845b08: [analyzer] Fix a crash in NoStateChangeVisitor with body-farmed stack frames. (authored by dergachev.a). · Explain WhyFeb 17 2022, 10:13 AM
This revision was automatically updated to reflect the committed changes.
dergachev.a added a commit: rGe0e174845b08: [analyzer] Fix a crash in NoStateChangeVisitor with body-farmed stack frames..
Herald added a project: Restricted Project. · View Herald TranscriptFeb 17 2022, 10:13 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
10 lines
test/
Analysis/
19 lines
28 lines

Diff 409708

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 791 Lines▼ Show 20 Lines if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>(
if (const FunctionDecl *FD = CE->getDirectCallee()) if (const FunctionDecl *FD = CE->getDirectCallee())
return FD->getQualifiedNameAsString(); return FD->getQualifiedNameAsString();
return ""; return "";
} }
bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) { bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) {
using namespace clang::ast_matchers; using namespace clang::ast_matchers;
const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee); const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee);
if (!FD)
// Given that the stack frame was entered, the body should always be
// theoretically obtainable. In case of body farms, the synthesized body
// is not attached to declaration, thus triggering the '!FD->hasBody()'
// branch. That said, would a synthesized body ever intend to handle
// ownership? As of today they don't. And if they did, how would we
// put notes inside it, given that it doesn't match any source locations?
if (!FD || !FD->hasBody())
return false; return false;
// TODO: Operator delete is hardly the only deallocator -- Can we reuse // TODO: Operator delete is hardly the only deallocator -- Can we reuse
// isFreeingCall() or something thats already here? // isFreeingCall() or something thats already here?
auto Deallocations = match( auto Deallocations = match(
stmt(hasDescendant(cxxDeleteExpr().bind("delete")) stmt(hasDescendant(cxxDeleteExpr().bind("delete"))
), *FD->getBody(), ACtx); ), *FD->getBody(), ACtx);
// TODO: Ownership my change with an attempt to store the allocated memory. // TODO: Ownership my change with an attempt to store the allocated memory.
return !Deallocations.empty(); return !Deallocations.empty();
} }
▲ Show 20 LinesShow All 2,781 LinesShow Last 20 Lines

clang/test/Analysis/malloc-bodyfarms.c

  • This file was added.
// RUN: %clang_analyze_cc1 -fblocks -analyzer-checker core,unix -verify %s
typedef __typeof(sizeof(int)) size_t;
void *calloc(size_t, size_t);
typedef struct dispatch_queue_s *dispatch_queue_t;
typedef void (^dispatch_block_t)(void);
void dispatch_sync(dispatch_queue_t, dispatch_block_t);
void test_no_state_change_in_body_farm(dispatch_queue_t queue) {
dispatch_sync(queue, ^{}); // no-crash
calloc(1, 1);
} // expected-warning{{Potential memory leak}}
void test_no_state_change_in_body_farm_2(dispatch_queue_t queue) {
void *p = calloc(1, 1);
dispatch_sync(queue, ^{}); // no-crash
p = 0;
} // expected-warning{{Potential leak of memory pointed to by 'p'}}

clang/test/Analysis/malloc-bodyfarms.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 -fblocks -analyzer-checker core,unix -verify %s
namespace std {
typedef struct once_flag_s {
int _M_once = 0;
} once_flag;
template <class Callable, class... Args>
void call_once(once_flag &o, Callable&& func, Args&&... args);
} // namespace std
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);
void callee() {}
void test_no_state_change_in_body_farm() {
std::once_flag flag;
call_once(flag, callee); // no-crash
malloc(1);
} // expected-warning{{Potential memory leak}}
void test_no_state_change_in_body_farm_2() {
void *p = malloc(1);
std::once_flag flag;
call_once(flag, callee); // no-crash
p = 0;
} // expected-warning{{Potential leak of memory pointed to by 'p'}}