This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
docs/analyzer/
-
analyzer/
-
checkers.rst
-
include/clang/StaticAnalyzer/
-
clang/
-
StaticAnalyzer/
-
Checkers/
2/2
Checkers.td
-
Core/PathSensitive/
-
PathSensitive/
3/3
CallEvent.h
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
CMakeLists.txt
7/7
MallocChecker.cpp
12/12
UndefinedNewArraySizeChecker.cpp
-
test/Analysis/
-
Analysis/
-
Issue56873.cpp
8/8
undefined-new-element.cpp

Differential D131299

[analyzer] Warn if the size of the array in `new[]` is undefined
ClosedPublic

Authored by isuckatcs on Aug 5 2022, 2:46 PM.

Download Raw Diff

Details

Reviewers

martong
Szelethus
NoQ
xazax.hun
usama54321
t-rasmud
ziqingluo-90

Commits

rGa46154cb1cd0: [analyzer] Warn if the size of the array in `new[]` is undefined

Summary

@martong I kept your idea in mind for this warning message and implemented it as a new checker if you don't mind it.

If the size of an array is Undefined when it's allocated, this patch emits a warning, and ends the analysis.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

isuckatcs created this revision.Aug 5 2022, 2:46 PM

Herald added a project: Restricted Project. · View Herald TranscriptAug 5 2022, 2:46 PM

Herald added subscribers: steakhal, manas, ASDenysPetrov and 7 others. · View Herald Transcript

isuckatcs requested review of this revision.Aug 5 2022, 2:46 PM

Harbormaster completed remote builds in B179615: Diff 450416.Aug 5 2022, 4:10 PM

Oh thanks a lot for handling this case!

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1511	Expressions cannot be of reference type. They use value kinds instead (lvalue, xvalue, etc). So I suspect your tests pass without this check.

NoQ added inline comments.Aug 6 2022, 3:49 PM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1492	A slightly more natural way to do this in path-sensitive analysis is to invoke const auto *ACE = dyn_cast<CXXAllocatorCall>(&Call); and then use that subclass's accessor methods to access values. It doesn't look like this subclass actually provides an accessor for the size value though. We should add one! Maybe also add a getter that asks whether the call is for `new[]` vs. `new`, and then assert that it's `new[]` in the size value getter.
2277–2280	I think making it a separate checker is slightly better. It's more natural to group it together with the uninitialized variable checks than with memory leak / use-after-free checks. Like, generally, I wish we had a more flexible system of "hashtags" that could allow us to group checkers in different ways, probably overlapping (so this check could be `#NewDelete #UninitializedVariable`). But that's a story for another time :D
2297	I believe you can simply add a `trackExpressionValue()` instead. It'll display where the value comes from through path notes.

Addressed comments
Separated the checker from MallocChecker to a new one

Herald added a subscriber: mgorny. · View Herald TranscriptAug 8 2022, 7:39 AM

isuckatcs added inline comments.Aug 8 2022, 7:39 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
2297	I've added it but I also left this message. If someone only runs `clang++ --analyze source.cpp` then I think it feels better to receive a bit more descriptive warning message.

Fixed a typo

xazax.hun added inline comments.Aug 8 2022, 9:06 AM

clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp
29	I think we no longer need this mutable lazy initialized BugType hack. See `FuchsiaHandleChecker.cpp` for an example. While we no longer need this hack, we have not cleaned up the existing checks yet :(
41	I think we could add a convenience function to `CXXAllocatorCall` that would return an `SVal` for the size expression.

xazax.hun added inline comments.Aug 8 2022, 9:07 AM

clang/test/Analysis/undefined-new-element.cpp
3	Is there a comment missing here?

Addressed comments

isuckatcs added inline comments.Aug 8 2022, 9:31 AM

clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp
29	I'm not really familiar with checker developement. Why did we need this hack?
clang/test/Analysis/undefined-new-element.cpp
3	This checker is in `alpha.core` at the moment. Should I just put it directly to `core` instead?

xazax.hun added inline comments.Aug 8 2022, 9:35 AM

clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp
29	Long story short, we need lazy initialization because some information is only available when a bug is reported (and not when the check is initialized). This is due to the architecture of CSA. In the old times the lazy initialization was the responsibility of the checks and later we moved this hack to the engine itself to make writing checks easier and cleaner.
clang/test/Analysis/undefined-new-element.cpp
3	I might be missing something, but I found it surprising that the RUN line in line 2 is not commented out while the RUN line in line 3 is.

Addressed comments

clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp
29	I see, thanks for the explanation.
clang/test/Analysis/undefined-new-element.cpp
3	Oh, that is a typo I didn't notice. I moved the whole command into one line instead, it's short enough for that I think.

xazax.hun accepted this revision.Aug 8 2022, 9:47 AM

This revision is now accepted and ready to land.Aug 8 2022, 9:47 AM

I am not sure whether we actually use exclamation marks in diagnostic texts. Otherwise this looks good to me. Maybe adding expected-note's to the test would be nice, but overall this looks good to me.

Great!

I think this checker can be turned on by default pretty quickly. We should run it over some code but other than that it seems to be in good shape from the start.

I agree with Gabor, we don't usually have exclamation marks in warnings. It could definitely be exciting to have exclamation marks! But I'm worried that since clang is part of multiple finished GUI products, various UI/UX review boards won't be happy with us for that :( So we limit exclamation marks to assertion failures. Side note, clang warning style and grammar doesn't seem to be documented anywhere. Side note, static analyzer warning style and grammar is completely different from clang warning style and grammar (we expect our warnings to be complete sentences).

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
308	Maybe `alpha.core.uninitialized` then, with the intent to eventually put it into `core.uninitialized`?
clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
1038–1040	This function doesn't seem to ever return `None` (?)
1043–1045	I think it's cleaner to `assert(isArray())` here and avoid the optional. The caller would do something like if (!Call->isArray()) return; SVal V = Call->getArraySizeVal(); and it communicates the intent behind the code much nicer.
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
2297	If someone only runs `clang++ --analyze source.cpp` then I think it feels better to receive a bit more descriptive warning message. Most static analyzer warnings are barely ever understandable without path notes, your extra text won't help much most of the time. We basically don't support running the static analyzer without reading path notes, so I think we should ignore this scenario. Especially given that this facility doesn't cover all the cases so it may make diagnostics look worse. It's definitely weird that such basic invocation is unsupported. I think we should flip the default output to `--analyzer-output text`, but it may break backwards compatibility in weird ways because the current default output is actually `plist` (so the command you quoted will produce a weird .plist file in the current directory as an output) so IDEs can run this command and consume this machine-readable output.
clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp
32	I recommend `checkPreCall`. This will cause the new checker to run before `MallocChecker`. It's also generally natural to check preconditions in PreCall and evaluate postconditions in PostCall.

Harbormaster completed remote builds in B179944: Diff 450851.Aug 8 2022, 12:11 PM

isuckatcs mentioned this in D130974: [analyzer] Fix for the crash in #56873.Aug 9 2022, 5:16 AM

@martong I kept your idea in mind for this warning message and implemented it as a new checker if you don't mind it. If the size of an array is Undefined when it's allocated, this patch emits a warning, and ends the analysis.

Thank you for taking care of this!

clang/test/Analysis/undefined-new-element.cpp
43–46	I think it would make sense to have a test for an array placement new expression as well. Something like: int n; void* buffer = malloc(sizeof(std::string) * 10); std::string* p = ::new (buffer) std::string[n]; // expected-warning{{Undefined element count!}}

Addressed comments

Harbormaster completed remote builds in B180423: Diff 451502.Aug 10 2022, 8:49 AM

Updated

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
1038–1040	`getArraySize()` returns an `Optional<const clang::Expr *>`, so it can return `None`.

Updated

Harbormaster completed remote builds in B180428: Diff 451507.Aug 10 2022, 10:51 AM

Ok I have some warning text bikeshedding but generally the patch looks great and the checker should probably be enabled by default from the start, or otherwise very soon.

clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp
29	Let's point out that we're talking about `new[]`: "Undefined array element count in new[]"
50	It's probably easier to do this inside the function.
62	Static analyzer warnings are traditionally full sentences. Let's make this more complete: "Element count in new[] is a garbage value" (it also avoids the term "undefined", which we typically avoid and we should have probably avoided in `UndefinedArraySubscriptChecker` as well; it's not precise enough, may be confusing)

Addressed comments

clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp
50	I prefer to keep the logics separated, so it's more obvious which part of the code is doing what.

Harbormaster completed remote builds in B180614: Diff 451762.Aug 11 2022, 2:04 AM

isuckatcs added inline comments.Aug 22 2022, 11:01 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1736	This doesn't fix any known bugs, I've just noticed that it's error prone and fixed it in this patch.

Looks great!

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
449	This line suggests that this checker is documented at the `checkers.rst`, however, I cannot see the corresponding entry.
clang/test/Analysis/undefined-new-element.cpp
9	IDK, it's probably personal, but I dislike newlines here. And it also feels weird that in the llvm coding style we have the curly openings at the line endings instead of at the next line.

Added a documentation into checkers.rst.

clang/test/Analysis/undefined-new-element.cpp
9	I like the newlines there. Also I reformatted this file with the llvm style.

Harbormaster completed remote builds in B183042: Diff 455109.Aug 24 2022, 2:30 AM

Fixed docs build error

Harbormaster completed remote builds in B183045: Diff 455112.Aug 24 2022, 3:13 AM

Fixed the broken test file. Clang-format put a line break between {{ and }} and that caused the failure.

Harbormaster completed remote builds in B183333: Diff 455533.Aug 25 2022, 5:04 AM

This comment has been deleted.

clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp
80	You can use `mgr.getLangOpts().CPlusPlus` to avoid registering the checker on non-C++ translation units.
clang/test/Analysis/undefined-new-element.cpp
2	Let's make sure tracking works by adding `-analyzer-output=text`.

Addressed comments
Moved the checker to core from alpha.core

Harbormaster completed remote builds in B184255: Diff 456814.Aug 30 2022, 4:37 PM

Updated

Harbormaster completed remote builds in B184259: Diff 456818.Aug 30 2022, 5:19 PM

Looks great. I agree that it can go straight to core because our undefined value checkers are roughly all the same and we're already pretty good at writing them. The checker appears to be very quiet in my experience, I'm yet to see a warning in the wild, but I think the path note tests give enough signal that warnings are going to look good.

I have one tiny nitpick that should be addressed before committing.

clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp
63	Static analyzer warnings start with a capital letter! The idea is that they're complete sentences, unlike compiler warnings.

Addressed the nit

Harbormaster completed remote builds in B184908: Diff 457728.Sep 2 2022, 4:32 PM

Updated the documentation

Harbormaster completed remote builds in B184953: Diff 457788.Sep 3 2022, 6:57 AM

Closed by commit rGa46154cb1cd0: [analyzer] Warn if the size of the array in `new[]` is undefined (authored by isuckatcs). · Explain WhySep 4 2022, 2:07 PM

This revision was automatically updated to reflect the committed changes.

isuckatcs added a commit: rGa46154cb1cd0: [analyzer] Warn if the size of the array in `new[]` is undefined.

Herald added a project: Restricted Project. · View Herald TranscriptSep 4 2022, 2:07 PM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

Path

Size

clang/

docs/

analyzer/

checkers.rst

16 lines

include/

clang/

StaticAnalyzer/

Checkers/

Checkers.td

4 lines

Core/

PathSensitive/

CallEvent.h

12 lines

lib/

StaticAnalyzer/

Checkers/

CMakeLists.txt

1 line

MallocChecker.cpp

4 lines

UndefinedNewArraySizeChecker.cpp

80 lines

test/

Analysis/

Issue56873.cpp

2 lines

undefined-new-element.cpp

69 lines

Diff 457872

clang/docs/analyzer/checkers.rst

	Show First 20 Lines • Show All 239 Lines • ▼ Show 20 Lines

	.. code-block:: c			.. code-block:: c

	int test() {			int test() {
	int x;			int x;
	return x; // warn			return x; // warn
	}			}

				.. _core-uninitialized-NewArraySize:

				core.uninitialized.NewArraySize (C++)
				"""""""""""""""""""""""""""""""""""""

				Check if the element count in new[] is garbage or undefined.

				.. code-block:: cpp

				void test() {
				int n;
				int *arr = new int[n]; // warn: Element count in new[] is a garbage value
				delete[] arr;
				}


	.. _cplusplus-checkers:			.. _cplusplus-checkers:


	cplusplus			cplusplus
	^^^^^^^^^			^^^^^^^^^

	C++ Checkers.			C++ Checkers.

	▲ Show 20 Lines • Show All 2,792 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 Lines • Show All 299 Lines • ▼ Show 20 Lines	def PthreadLockBase : Checker<"PthreadLockBase">,
Documentation<NotDocumented>,		Documentation<NotDocumented>,
Hidden;		Hidden;

def C11LockChecker : Checker<"C11Lock">,		def C11LockChecker : Checker<"C11Lock">,
HelpText<"Simple lock -> unlock checker">,		HelpText<"Simple lock -> unlock checker">,
Dependencies<[PthreadLockBase]>,		Dependencies<[PthreadLockBase]>,
Documentation<HasDocumentation>;		Documentation<HasDocumentation>;

} // end "alpha.core"		} // end "alpha.core"
		NoQUnsubmitted Done Reply Inline Actions Maybe `alpha.core.uninitialized` then, with the intent to eventually put it into `core.uninitialized`? NoQ: Maybe `alpha.core.uninitialized` then, with the intent to eventually put it into `core.

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Nullability checkers.		// Nullability checkers.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

let ParentPackage = Nullability in {		let ParentPackage = Nullability in {

def NullabilityBase : Checker<"NullabilityBase">,		def NullabilityBase : Checker<"NullabilityBase">,
▲ Show 20 Lines • Show All 115 Lines • ▼ Show 20 Lines
def UndefCapturedBlockVarChecker : Checker<"CapturedBlockVariable">,		def UndefCapturedBlockVarChecker : Checker<"CapturedBlockVariable">,
HelpText<"Check for blocks that capture uninitialized values">,		HelpText<"Check for blocks that capture uninitialized values">,
Documentation<NotDocumented>;		Documentation<NotDocumented>;

def ReturnUndefChecker : Checker<"UndefReturn">,		def ReturnUndefChecker : Checker<"UndefReturn">,
HelpText<"Check for uninitialized values being returned to the caller">,		HelpText<"Check for uninitialized values being returned to the caller">,
Documentation<HasDocumentation>;		Documentation<HasDocumentation>;

		def UndefinedNewArraySizeChecker : Checker<"NewArraySize">,
		HelpText<"Check if the size of the array in a new[] expression is undefined">,
		Documentation<HasDocumentation>;

} // end "core.uninitialized"		} // end "core.uninitialized"

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Unix API checkers.		// Unix API checkers.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

		steakhalUnsubmitted Done Reply Inline Actions This line suggests that this checker is documented at the `checkers.rst`, however, I cannot see the corresponding entry. steakhal: This line suggests that this checker is documented at the `checkers.rst`, however, I cannot see…
let ParentPackage = CString in {		let ParentPackage = CString in {

def CStringModeling : Checker<"CStringModeling">,		def CStringModeling : Checker<"CStringModeling">,
HelpText<"The base of several CString related checkers. On it's own it emits "		HelpText<"The base of several CString related checkers. On it's own it emits "
"no reports, but adds valuable information to the analysis when "		"no reports, but adds valuable information to the analysis when "
"enabled.">,		"enabled.">,
Documentation<NotDocumented>,		Documentation<NotDocumented>,
Hidden;		Hidden;
▲ Show 20 Lines • Show All 1,283 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

Show First 20 Lines • Show All 1,027 Lines • ▼ Show 20 Lines	public:
unsigned getNumImplicitArgs() const {		unsigned getNumImplicitArgs() const {
return getOriginExpr()->passAlignment() ? 2 : 1;		return getOriginExpr()->passAlignment() ? 2 : 1;
}		}

unsigned getNumArgs() const override {		unsigned getNumArgs() const override {
return getOriginExpr()->getNumPlacementArgs() + getNumImplicitArgs();		return getOriginExpr()->getNumPlacementArgs() + getNumImplicitArgs();
}		}

		bool isArray() const { return getOriginExpr()->isArray(); }

		Optional<const clang::Expr *> getArraySizeExpr() const {
		return getOriginExpr()->getArraySize();
		}
		NoQUnsubmitted Done Reply Inline Actions This function doesn't seem to ever return `None` (?) NoQ: This function doesn't seem to ever return `None` (?)
		isuckatcsAuthorUnsubmitted Done Reply Inline Actions `getArraySize()` returns an `Optional<const clang::Expr >`, so it can return `None`. isuckatcs:* `getArraySize()` returns an `Optional<const clang::Expr *>`, so it can return `None`.

		SVal getArraySizeVal() const {
		assert(isArray() && "The allocator call doesn't allocate and array!");

		return getState()->getSVal(*getArraySizeExpr(), getLocationContext());
		NoQUnsubmitted Done Reply Inline Actions I think it's cleaner to `assert(isArray())` here and avoid the optional. The caller would do something like if (!Call->isArray()) return; SVal V = Call->getArraySizeVal(); and it communicates the intent behind the code much nicer. NoQ: I think it's cleaner to `assert(isArray())` here and avoid the optional. The caller would do…
		}

const Expr *getArgExpr(unsigned Index) const override {		const Expr *getArgExpr(unsigned Index) const override {
// The first argument of an allocator call is the size of the allocation.		// The first argument of an allocator call is the size of the allocation.
if (Index < getNumImplicitArgs())		if (Index < getNumImplicitArgs())
return nullptr;		return nullptr;
return getOriginExpr()->getPlacementArg(Index - getNumImplicitArgs());		return getOriginExpr()->getPlacementArg(Index - getNumImplicitArgs());
}		}

/// Number of placement arguments to the operator new() call. For example,		/// Number of placement arguments to the operator new() call. For example,
▲ Show 20 Lines • Show All 347 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show First 20 Lines • Show All 114 Lines • ▼ Show 20 Lines	add_clang_library(clangStaticAnalyzerCheckers
TraversalChecker.cpp		TraversalChecker.cpp
TrustNonnullChecker.cpp		TrustNonnullChecker.cpp
TrustReturnsNonnullChecker.cpp		TrustReturnsNonnullChecker.cpp
UndefBranchChecker.cpp		UndefBranchChecker.cpp
UndefCapturedBlockVarChecker.cpp		UndefCapturedBlockVarChecker.cpp
UndefResultChecker.cpp		UndefResultChecker.cpp
UndefinedArraySubscriptChecker.cpp		UndefinedArraySubscriptChecker.cpp
UndefinedAssignmentChecker.cpp		UndefinedAssignmentChecker.cpp
		UndefinedNewArraySizeChecker.cpp
UninitializedObject/UninitializedObjectChecker.cpp		UninitializedObject/UninitializedObjectChecker.cpp
UninitializedObject/UninitializedPointee.cpp		UninitializedObject/UninitializedPointee.cpp
UnixAPIChecker.cpp		UnixAPIChecker.cpp
UnreachableCodeChecker.cpp		UnreachableCodeChecker.cpp
VforkChecker.cpp		VforkChecker.cpp
VLASizeChecker.cpp		VLASizeChecker.cpp
ValistChecker.cpp		ValistChecker.cpp
VirtualCallChecker.cpp		VirtualCallChecker.cpp
Show All 19 Lines

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 Lines • Show All 1,483 Lines • ▼ Show 20 Lines	if (isStandardNewDelete(Call)) {
return;		return;
}		}

checkOwnershipAttr(Call, C);		checkOwnershipAttr(Call, C);
}		}

// Performs a 0-sized allocations check.		// Performs a 0-sized allocations check.
ProgramStateRef MallocChecker::ProcessZeroAllocCheck(		ProgramStateRef MallocChecker::ProcessZeroAllocCheck(
const CallEvent &Call, const unsigned IndexOfSizeArg, ProgramStateRef State,		const CallEvent &Call, const unsigned IndexOfSizeArg, ProgramStateRef State,
		NoQUnsubmitted Done Reply Inline Actions A slightly more natural way to do this in path-sensitive analysis is to invoke const auto ACE = dyn_cast<CXXAllocatorCall>(&Call); and then use that subclass's accessor methods to access values. It doesn't look like this subclass actually provides an accessor for the size value though. We should add one! Maybe also add a getter that asks whether the call is for `new[]` vs. `new`, and then assert that it's `new[]` in the size value getter. NoQ:* A slightly more natural way to do this in path-sensitive analysis is to invoke ```lang=c++…
Optional<SVal> RetVal) {		Optional<SVal> RetVal) {
if (!State)		if (!State)
return nullptr;		return nullptr;

if (!RetVal)		if (!RetVal)
RetVal = Call.getReturnValue();		RetVal = Call.getReturnValue();

const Expr *Arg = nullptr;		const Expr *Arg = nullptr;

if (const CallExpr *CE = dyn_cast<CallExpr>(Call.getOriginExpr())) {		if (const CallExpr *CE = dyn_cast<CallExpr>(Call.getOriginExpr())) {
Arg = CE->getArg(IndexOfSizeArg);		Arg = CE->getArg(IndexOfSizeArg);
} else if (const CXXNewExpr *NE =		} else if (const CXXNewExpr *NE =
dyn_cast<CXXNewExpr>(Call.getOriginExpr())) {		dyn_cast<CXXNewExpr>(Call.getOriginExpr())) {
if (NE->isArray()) {		if (NE->isArray()) {
Arg = *NE->getArraySize();		Arg = *NE->getArraySize();
} else {		} else {
return State;		return State;
}		}
} else		} else
		NoQUnsubmitted Done Reply Inline Actions Expressions cannot be of reference type. They use value kinds instead (lvalue, xvalue, etc). So I suspect your tests pass without this check. NoQ: Expressions cannot be of reference type. They use value kinds instead (lvalue, xvalue, etc). So…
llvm_unreachable("not a CallExpr or CXXNewExpr");		llvm_unreachable("not a CallExpr or CXXNewExpr");

assert(Arg);		assert(Arg);

auto DefArgVal =		auto DefArgVal =
State->getSVal(Arg, Call.getLocationContext()).getAs<DefinedSVal>();		State->getSVal(Arg, Call.getLocationContext()).getAs<DefinedSVal>();

if (!DefArgVal)		if (!DefArgVal)
▲ Show 20 Lines • Show All 208 Lines • ▼ Show 20 Lines	ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
const LocationContext *LCtx = C.getPredecessor()->getLocationContext();		const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)		DefinedSVal RetVal = svalBuilder.getConjuredHeapSymbolVal(CE, LCtx, Count)
.castAs<DefinedSVal>();		.castAs<DefinedSVal>();
State = State->BindExpr(CE, C.getLocationContext(), RetVal);		State = State->BindExpr(CE, C.getLocationContext(), RetVal);

// Fill the region with the initialization value.		// Fill the region with the initialization value.
State = State->bindDefaultInitial(RetVal, Init, LCtx);		State = State->bindDefaultInitial(RetVal, Init, LCtx);

		// If Size is somehow undefined at this point, this line prevents a crash.
		isuckatcsAuthorUnsubmitted Done Reply Inline Actions This doesn't fix any known bugs, I've just noticed that it's error prone and fixed it in this patch. isuckatcs: This doesn't fix any known bugs, I've just noticed that it's error prone and fixed it in this…
		if (Size.isUndef())
		Size = UnknownVal();

// Set the region's extent.		// Set the region's extent.
State = setDynamicExtent(State, RetVal.getAsRegion(),		State = setDynamicExtent(State, RetVal.getAsRegion(),
Size.castAs<DefinedOrUnknownSVal>(), svalBuilder);		Size.castAs<DefinedOrUnknownSVal>(), svalBuilder);

return MallocUpdateRefState(C, CE, State, Family);		return MallocUpdateRefState(C, CE, State, Family);
}		}

static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,		static ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
▲ Show 20 Lines • Show All 521 Lines • ▼ Show 20 Lines	if (ExplodedNode *N = C.generateErrorNode()) {
R->addRange(Range);		R->addRange(Range);
C.emitReport(std::move(R));		C.emitReport(std::move(R));
}		}
}		}

void MallocChecker::HandleMismatchedDealloc(CheckerContext &C,		void MallocChecker::HandleMismatchedDealloc(CheckerContext &C,
SourceRange Range,		SourceRange Range,
const Expr *DeallocExpr,		const Expr *DeallocExpr,
const RefState *RS, SymbolRef Sym,		const RefState *RS, SymbolRef Sym,
bool OwnershipTransferred) const {		bool OwnershipTransferred) const {

if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) {		if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
		NoQUnsubmitted Done Reply Inline Actions I think making it a separate checker is slightly better. It's more natural to group it together with the uninitialized variable checks than with memory leak / use-after-free checks. Like, generally, I wish we had a more flexible system of "hashtags" that could allow us to group checkers in different ways, probably overlapping (so this check could be `#NewDelete #UninitializedVariable`). But that's a story for another time :D NoQ: I think making it a separate checker is slightly better. It's more natural to group it together…
C.addSink();		C.addSink();
return;		return;
}		}

if (ExplodedNode *N = C.generateErrorNode()) {		if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_MismatchedDealloc)		if (!BT_MismatchedDealloc)
BT_MismatchedDealloc.reset(		BT_MismatchedDealloc.reset(
new BugType(CheckNames[CK_MismatchedDeallocatorChecker],		new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
"Bad deallocator", categories::MemoryError));		"Bad deallocator", categories::MemoryError));

SmallString<100> buf;		SmallString<100> buf;
llvm::raw_svector_ostream os(buf);		llvm::raw_svector_ostream os(buf);

const Expr *AllocExpr = cast<Expr>(RS->getStmt());		const Expr *AllocExpr = cast<Expr>(RS->getStmt());
SmallString<20> AllocBuf;		SmallString<20> AllocBuf;
llvm::raw_svector_ostream AllocOs(AllocBuf);		llvm::raw_svector_ostream AllocOs(AllocBuf);
SmallString<20> DeallocBuf;		SmallString<20> DeallocBuf;
		NoQUnsubmitted Done Reply Inline Actions I believe you can simply add a `trackExpressionValue()` instead. It'll display where the value comes from through path notes. NoQ: I believe you can simply add a `trackExpressionValue()` instead. It'll display where the value…
		isuckatcsAuthorUnsubmitted Done Reply Inline Actions I've added it but I also left this message. If someone only runs `clang++ --analyze source.cpp` then I think it feels better to receive a bit more descriptive warning message. isuckatcs: I've added it but I also left this message. If someone only runs `clang++ --analyze source.cpp`…
		NoQUnsubmitted Done Reply Inline Actions If someone only runs `clang++ --analyze source.cpp` then I think it feels better to receive a bit more descriptive warning message. Most static analyzer warnings are barely ever understandable without path notes, your extra text won't help much most of the time. We basically don't support running the static analyzer without reading path notes, so I think we should ignore this scenario. Especially given that this facility doesn't cover all the cases so it may make diagnostics look worse. It's definitely weird that such basic invocation is unsupported. I think we should flip the default output to `--analyzer-output text`, but it may break backwards compatibility in weird ways because the current default output is actually `plist` (so the command you quoted will produce a weird .plist file in the current directory as an output) so IDEs can run this command and consume this machine-readable output. NoQ: > If someone only runs `clang++ --analyze source.cpp` then I think it feels better to receive a…
llvm::raw_svector_ostream DeallocOs(DeallocBuf);		llvm::raw_svector_ostream DeallocOs(DeallocBuf);

if (OwnershipTransferred) {		if (OwnershipTransferred) {
if (printMemFnName(DeallocOs, C, DeallocExpr))		if (printMemFnName(DeallocOs, C, DeallocExpr))
os << DeallocOs.str() << " cannot";		os << DeallocOs.str() << " cannot";
else		else
os << "Cannot";		os << "Cannot";

▲ Show 20 Lines • Show All 1,319 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp

This file was added.

//===--- UndefinedNewArraySizeChecker.cpp -----------------------*- C++ -*--==//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//===----------------------------------------------------------------------===//

// This defines UndefinedNewArraySizeChecker, a builtin check in ExprEngine

// that checks if the size of the array in a new[] expression is undefined.

//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

using namespace clang;

using namespace ento;

namespace {

class UndefinedNewArraySizeChecker : public Checker<check::PreCall> {

private:

BugType BT{this, "Undefined array element count in new[]",

categories::LogicError};

xazax.hunUnsubmitted

Done

I think we no longer need this mutable lazy initialized BugType hack. See FuchsiaHandleChecker.cpp for an example. While we no longer need this hack, we have not cleaned up the existing checks yet :(

xazax.hun: I think we no longer need this mutable lazy initialized BugType hack. See `FuchsiaHandleChecker.

isuckatcsAuthorUnsubmitted

Done

I'm not really familiar with checker developement. Why did we need this hack?

isuckatcs: I'm not really familiar with checker developement. Why did we need this hack?

xazax.hunUnsubmitted

Done

Long story short, we need lazy initialization because some information is only available when a bug is reported (and not when the check is initialized). This is due to the architecture of CSA. In the old times the lazy initialization was the responsibility of the checks and later we moved this hack to the engine itself to make writing checks easier and cleaner.

xazax.hun: Long story short, we need lazy initialization because some information is only available when a…

isuckatcsAuthorUnsubmitted

Done

I see, thanks for the explanation.

isuckatcs: I see, thanks for the explanation.

NoQUnsubmitted

Done

Let's point out that we're talking about new[]:

"Undefined array element count in new[]"

NoQ: Let's point out that we're talking about `new[]`: ``` "Undefined array element count in new[]"…

public:

void checkPreCall(const CallEvent &Call, CheckerContext &C) const;

NoQUnsubmitted

Done

I recommend checkPreCall. This will cause the new checker to run *before* MallocChecker. It's also generally natural to check preconditions in PreCall and evaluate postconditions in PostCall.

NoQ: I recommend `checkPreCall`. This will cause the new checker to run *before* `MallocChecker`.

void HandleUndefinedArrayElementCount(CheckerContext &C, SVal ArgVal,

const Expr *Init,

SourceRange Range) const;

};

} // namespace

void UndefinedNewArraySizeChecker::checkPreCall(const CallEvent &Call,

CheckerContext &C) const {

if (const auto *AC = dyn_cast<CXXAllocatorCall>(&Call)) {

xazax.hunUnsubmitted

Done

I think we could add a convenience function to CXXAllocatorCall that would return an SVal for the size expression.

xazax.hun: I think we could add a convenience function to `CXXAllocatorCall` that would return an `SVal`…

if (!AC->isArray())

return;

auto *SizeEx = *AC->getArraySizeExpr();

auto SizeVal = AC->getArraySizeVal();

if (SizeVal.isUndef())

HandleUndefinedArrayElementCount(C, SizeVal, SizeEx,

SizeEx->getSourceRange());

NoQUnsubmitted

Done

It's probably easier to do this inside the function.

NoQ: It's probably easier to do this inside the function.

isuckatcsAuthorUnsubmitted

Done

I prefer to keep the logics separated, so it's more obvious which part of the code is doing what.

isuckatcs: I prefer to keep the logics separated, so it's more obvious which part of the code is doing…

}

void UndefinedNewArraySizeChecker::HandleUndefinedArrayElementCount(

CheckerContext &C, SVal ArgVal, const Expr *Init, SourceRange Range) const {

if (ExplodedNode *N = C.generateErrorNode()) {

SmallString<100> buf;

llvm::raw_svector_ostream os(buf);

os << "Element count in new[] is a garbage value";

NoQUnsubmitted

Done

Static analyzer warnings are traditionally full sentences. Let's make this more complete:

"Element count in new[] is a garbage value"

(it also avoids the term "undefined", which we typically avoid and we should have probably avoided in UndefinedArraySubscriptChecker as well; it's not precise enough, may be confusing)

NoQ: Static analyzer warnings are traditionally full sentences. Let's make this more complete: ```…

NoQUnsubmitted

Done

llvm::raw_svector_ostream os(buf);

- os << "element count in new[] is a garbage value";

+ os << "Element count in new[] is a garbage value";

auto R = std::make_unique<PathSensitiveBugReport>(BT, os.str(), N);

Static analyzer warnings start with a capital letter! The idea is that they're complete sentences, unlike compiler warnings.

NoQ: Static analyzer warnings start with a capital letter! The idea is that they're complete…

auto R = std::make_unique<PathSensitiveBugReport>(BT, os.str(), N);

R->markInteresting(ArgVal);

R->addRange(Range);

bugreporter::trackExpressionValue(N, Init, *R);

C.emitReport(std::move(R));

}

void ento::registerUndefinedNewArraySizeChecker(CheckerManager &mgr) {

mgr.registerChecker<UndefinedNewArraySizeChecker>();

}

bool ento::shouldRegisterUndefinedNewArraySizeChecker(

const CheckerManager &mgr) {

return mgr.getLangOpts().CPlusPlus;

}

NoQUnsubmitted

Done

You can use mgr.getLangOpts().CPlusPlus to avoid registering the checker on non-C++ translation units.

NoQ: You can use `mgr.getLangOpts().CPlusPlus` to avoid registering the checker on non-C++…

clang/test/Analysis/Issue56873.cpp

	// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s			// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ExprInspection -verify %s

	void clang_analyzer_warnIfReached();			void clang_analyzer_warnIfReached();

	struct S {			struct S {
	};			};

	void Issue56873_1() {			void Issue56873_1() {
	int n;			int n;
	Show All 15 Lines

clang/test/Analysis/undefined-new-element.cpp

This file was added.

				// RUN: %clang_analyze_cc1 %s -analyzer-checker=core.uninitialized.NewArraySize -analyzer-output=text -verify

				NoQUnsubmitted Done Reply Inline Actions Let's make sure tracking works by adding `-analyzer-output=text`. NoQ: Let's make sure tracking works by adding `-analyzer-output=text`.
				#include "Inputs/system-header-simulator-cxx.h"
				xazax.hunUnsubmitted Done Reply Inline Actions Is there a comment missing here? xazax.hun: Is there a comment missing here?
				isuckatcsAuthorUnsubmitted Done Reply Inline Actions This checker is in `alpha.core` at the moment. Should I just put it directly to `core` instead? isuckatcs: This checker is in `alpha.core` at the moment. Should I just put it directly to `core` instead?
				xazax.hunUnsubmitted Done Reply Inline Actions I might be missing something, but I found it surprising that the RUN line in line 2 is not commented out while the RUN line in line 3 is. xazax.hun: I might be missing something, but I found it surprising that the RUN line in line 2 is not…
				isuckatcsAuthorUnsubmitted Done Reply Inline Actions Oh, that is a typo I didn't notice. I moved the whole command into one line instead, it's short enough for that I think. isuckatcs: Oh, that is a typo I didn't notice. I moved the whole command into one line instead, it's short…

				void checkUndefinedElmenetCountValue() {
				int n;
				// expected-note@-1{{'n' declared without an initial value}}

				int *arr = new int[n]; // expected-warning{{Element count in new[] is a garbage value}}
				steakhalUnsubmitted Done Reply Inline Actions IDK, it's probably personal, but I dislike newlines here. And it also feels weird that in the llvm coding style we have the curly openings at the line endings instead of at the next line. steakhal: IDK, it's probably personal, but I dislike newlines here. And it also feels weird that in the…
				isuckatcsAuthorUnsubmitted Done Reply Inline Actions I like the newlines there. Also I reformatted this file with the llvm style. isuckatcs: I like the newlines there. Also I reformatted this file with the llvm style.
				// expected-note@-1{{Element count in new[] is a garbage value}}
				}

				void checkUndefinedElmenetCountMultiDimensionalValue() {
				int n;
				// expected-note@-1{{'n' declared without an initial value}}

				auto *arr = new int[n][5]; // expected-warning{{Element count in new[] is a garbage value}}
				// expected-note@-1{{Element count in new[] is a garbage value}}
				}

				void checkUndefinedElmenetCountReference() {
				int n;
				// expected-note@-1{{'n' declared without an initial value}}

				int &ref = n;
				// expected-note@-1{{'ref' initialized here}}

				int *arr = new int[ref]; // expected-warning{{Element count in new[] is a garbage value}}
				// expected-note@-1{{Element count in new[] is a garbage value}}
				}

				void checkUndefinedElmenetCountMultiDimensionalReference() {
				int n;
				// expected-note@-1{{'n' declared without an initial value}}

				int &ref = n;
				// expected-note@-1{{'ref' initialized here}}

				auto *arr = new int[ref][5]; // expected-warning{{Element count in new[] is a garbage value}}
				// expected-note@-1{{Element count in new[] is a garbage value}}
				}

				int foo() {
				int n;

				return n;
				martongUnsubmitted Done Reply Inline Actions I think it would make sense to have a test for an array placement new expression as well. Something like: int n; void* buffer = malloc(sizeof(std::string) * 10); std::string* p = ::new (buffer) std::string[n]; // expected-warning{{Undefined element count!}} martong: I think it would make sense to have a test for an array placement new expression as well.
				}

				void checkUndefinedElmenetCountFunction() {
				int *arr = new int[foo()]; // expected-warning{{Element count in new[] is a garbage value}}
				// expected-note@-1{{Element count in new[] is a garbage value}}
				}

				void checkUndefinedElmenetCountMultiDimensionalFunction() {
				auto *arr = new int[foo()][5]; // expected-warning{{Element count in new[] is a garbage value}}
				// expected-note@-1{{Element count in new[] is a garbage value}}
				}

				void *malloc(size_t);

				void checkUndefinedPlacementElementCount() {
				int n;
				// expected-note@-1{{'n' declared without an initial value}}

				void buffer = malloc(sizeof(std::string) 10);
				std::string *p =
				::new (buffer) std::string[n]; // expected-warning{{Element count in new[] is a garbage value}}
				// expected-note@-1{{Element count in new[] is a garbage value}}
				}

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Warn if the size of the array in `new[]` is undefinedClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 457872

clang/docs/analyzer/checkers.rst

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

clang/lib/StaticAnalyzer/Checkers/UndefinedNewArraySizeChecker.cpp

clang/test/Analysis/Issue56873.cpp

clang/test/Analysis/undefined-new-element.cpp

[analyzer] Warn if the size of the array in `new[]` is undefined
ClosedPublic