This is an archive of the discontinued LLVM Phabricator instance.

Differential D152435

[analyzer][CStringChecker] Adjust the invalidation operation on the super region of the destination buffer during string copy
ClosedPublic

Authored by OikawaKirie on Jun 8 2023, 5:21 AM.

Details

Reviewers
pgousseau
NoQ
steakhal
balazske
xazax.hun
Commits
rG1bd2d335b649: [analyzer][CStringChecker] Adjust the invalidation operation on the super…
Summary

Fixing GitHub issue: https://github.com/llvm/llvm-project/issues/55019
Following the previous fix https://reviews.llvm.org/D12571 on issue https://github.com/llvm/llvm-project/issues/23328

The two issues report false memory leaks after calling string-copy APIs with a buffer field in an object as the destination.
The buffer invalidation incorrectly drops the assignment to a heap memory block when no overflow problems happen.
And the pointer of the dropped assignment is declared in the same object of the destination buffer.

The previous fix only considers the memcpy functions whose copy length is available from arguments.
In this issue, the copy length is inferable from the buffer declaration and string literals being copied.
Therefore, I have adjusted the previous fix to reuse the copy length computed before.

Besides, for APIs that never overflow (strsep) or we never know whether they can overflow (std::copy),
new invalidation operations have been introduced to inform CStringChecker::InvalidateBuffer whether or not to
invalidate the super region that encompasses the destination buffer.

Diff Detail

Event Timeline

OikawaKirie created this revision.Jun 8 2023, 5:21 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 8 2023, 5:21 AM
Herald added subscribers: manas, ASDenysPetrov, martong and 7 others. · View Herald Transcript
OikawaKirie requested review of this revision.Jun 8 2023, 5:21 AM
Herald added a subscriber: cfe-commits. · View Herald TranscriptJun 8 2023, 5:21 AM
Harbormaster completed remote builds in B237468: Diff 529555.Jun 8 2023, 6:30 AM
steakhal added a comment.Jun 11 2023, 4:04 AM

I left my comment at https://github.com/llvm/llvm-project/issues/55019

steakhal added a comment.Jun 13 2023, 4:09 AM

Thanks for the elaborated answer on the GH issue. Now it makes sense. And the fix is align with the observations, which is good.
I only have concerns about the code quality of the modifier code. It was already in pretty bad shape, and I cannot say we improve it with this patch.
However, I can also see that it might require a bit engineering to refactor it into something cleaner, so I won't object if you push back.

Thanks for the patch!

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
263–280

I don't think this is the cleanest way to achieve this.
To me, it feels like it might make sense to have distinct invalidation functions for each scenario and mentally share the same overload-set.
Right now, the API looks really complicated: using enum values along with default parameters. Not to speak of how many parameters it accepts.
However, I won't object this time given that it was already pretty bad, and unreadable - so in that sense, it's not much worse this way and it was not the point to improve the quality of the code.

1005–1006

The type of the SVal might not be always accurate.
in fact, we try to move away from using that in the future - whenever possible.
Consequently, I'd prefer passing down the type as an additional parameter instead, or just keeping the Expr along with the corresponding SVal.

1139–1140

Again, it's not your fault, but this code just looks insane.
I'm not surprised it had a bug, and likely it still has.

clang/test/Analysis/issue-55019.c
3 ↗(On Diff #529555)

Why do you need the Wno-strict-prototypes? Can we make it work with it?

8 ↗(On Diff #529555)

I guess this include is only for the size_t, right?
In c++, you could use using size_t = decltype(sizeof(int)); to define it.

Ah, I see that it's for c function declarations. If that's the case, have you considered adding the malloc and free declarations to that header?

26 ↗(On Diff #529555)

I believe you can use the sizeof(x.arr) instead.

28 ↗(On Diff #529555)

I would rather use no-leak-warning here to be more specific about what we don't expect.

clang/test/Analysis/issue-55019.cpp
2–5

I think you can just append the C file to this one.
This shouldn't make a difference. And if it does, you can still guard that test code using macro ifndef trickery in addition to distinct -verify=xxx prefixes.

25–27

So, you say that It should be HeapSymRegion instead because x.arr shouldn't be invalidated because the std::copy` won't modify it. Right?

clang/test/Analysis/pr22954.c
560

Ah, the leak should have been reported at the end of the full-expression of memcpy.
If we have this expect line here it could mislead the reader that it has anything to do with the eval call before.

In fact, any statement after memcpy would have this diagnostic.
I have seen cases where we have a next_line() opaque call after such places to anchor the leak diagnostic.
I think we can do the same here.

OikawaKirie updated this revision to Diff 532372.Jun 17 2023, 1:06 AM
OikawaKirie edited the summary of this revision. (Show Details)

Update the implementation of InvalidateBuffer in a multi-entrance-with-callback manner.
Update test cases as suggested.

OikawaKirie added inline comments.Jun 17 2023, 1:09 AM
clang/test/Analysis/issue-55019.cpp
14–15

Ah, I see that it's for c function declarations. If that's the case, have you considered adding the malloc and free declarations to that header?

What about doing this in another patch and updating all test cases that use malloc and free? Maybe other libc APIs as well?
The test case malloc-three-arg.c declares malloc and in a different signature and also includes this header. Simply doing so in this patch will lead to other conflicts.

clang/test/Analysis/pr22954.c
581

Do I need to update all other leak expectation directions in this file as well? Such as this one here.

Harbormaster completed remote builds in B239585: Diff 532372.Jun 17 2023, 1:44 AM
steakhal added a comment.Jun 17 2023, 6:20 AM

Let me come back to this once again in the upcoming days to make sure everything is good.

clang/test/Analysis/pr22954.c
581

Definitely no.
Its not advised to have different, but similar looking hunks out of which some are the consequence of the semantic change we made and also have others where they are just refactors.

steakhal added inline comments.Jun 19 2023, 1:08 AM
clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
286–287

I'd highly suggest making this a template taking the functor that way.
Given that we modify these functions, we should make them comply with the lower camel case naming convention.
And their variables with upper camel case.

1056

Shouldn't we assert that SizeV is some known value or at least smaller than (or equal to) the extent of the buffer?

1077–1079

The lambdas inline in the call look a bit messy. I would prefer declaring it and passing it as an argument separately.
This applies to the rest of the lambdas as well.

clang/test/Analysis/issue-55019.cpp
14–15

Okay.

OikawaKirie added a comment.Jun 19 2023, 9:24 AM

BTW, what does the Done checkbox mean in the code comments?

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
286–287

I'd highly suggest making this a template taking the functor that way.

Any examples?
Do you mean

template <typename T>
static ProgramStateRef
InvalidateBufferAux(CheckerContext &C, ProgramStateRef state, const Expr *Ex,
                    SVal V, std::function<T> CallBack);
1056

The calls in CStringChecker::evalCopyCommon and CStringChecker::evalStrcpyCommon seem to have chances able to pass an unknown value. But I am not very sure about this.

If the SizeV is sure to be smaller or equal to the extent of the buffer, the IsFirstBufInBound check seems useless.
Maybe I need to dig deeper into the callers.

1077–1079

And their variables with upper camel case.

What about the variable names for the lambdas? Lower camel or upper camel?
I cannot find the rules for named lambdas from the guidance https://llvm.org/docs/CodingStandards.html.

clang/test/Analysis/issue-55019.cpp
81–88

So, you say that It should be HeapSymRegion instead because x.arr shouldn't be invalidated because the std::copy won't modify it. Right?

Yes, but just in this test case.

The size of x.arr is 4 and the copy length is 1, which means the call to std::copy here never overflows.
Therefore, we should not invalidate the super region x and keep x.ptr still pointing to the original HeapSymRegion unchanged.
However, the copy length computed through iterators is not modeled currently in CStringChecker::evalStdCopyCommon, where InvalidateDestinationBufferAlwaysEscapeSuperRegion is called.
When it is modeled in the future, the function should call InvalidateDestinationBufferBySize instead to make the invalidation of the super region determined by the copy length to report potential leaks.

clang/test/Analysis/pr22954.c
560

Its not advised to have different, but similar looking hunks out of which some are the consequence of the semantic change we made and also have others where they are just refactors.

Do you mean I only need to update the verification direction here as you suggested above and leave others unchanged?

steakhal added a comment.Jun 22 2023, 8:56 AM
In D152435#4433147, @OikawaKirie wrote:

BTW, what does the Done checkbox mean in the code comments?

"Done" means "Resolved" on GitHub - which is basically that some action was taken or the person who raised the issue withdrew.
In general, no revision/pull request should be merged with having open/unresolved discussions.
Usually, the patch author marks comments as "Done" and on the next update (by pressing the "Submit" button) all those threads will be closed automatically.

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
286–287

My problem is that std::function owns the callback, and really likely to allocate for doing so.
And in this context a more lightweight approach would be also good.
What I had in mind was:

template <typename Callback>
static ProgramStateRef
InvalidateBufferAux(CheckerContext &C, ProgramStateRef state, const Expr *Ex,
                    SVal V, Callback F);
...
bool asd = F(a, b);

But actually, llvm::function_ref would be probably even better, so use that instead.
Also, add some comments on what the callback's return type means etc.

1056

Indeed.

1077–1079

I think I asked the same question some time ago.
https://discourse.llvm.org/t/naming-lambdas-in-llvm-coding-standards/62689/3

clang/test/Analysis/issue-55019.cpp
81–88

Makes sense. Thanks.

OikawaKirie updated this revision to Diff 536578.Jul 2 2023, 3:19 AM
OikawaKirie marked 12 inline comments as done and an inline comment as not done.
  1. Function and variable names: functions: lower camel, variables: upper camel, lambdas: upper camel
  2. std::function -> llvm::function_ref
  3. update test case verification directions by following others in this file.
clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
1056

Function CStringChecker::CheckBufferAccess is responsible to check whether the size overflows.
However, when Filter.CheckCStringOutOfBounds is set to false, the function will skip the overflow checking.
This makes that we cannot assert SizeV is always inbound, and the check in IsFirstBufInBound seems to be necessary.
(evalMemset -> CheckBufferAccess(skip overflow checking) -> memsetAux -> InvalidateDestinationBufferBySize with function call of memset(x.arr, 'a', 42))

Besides, if the size argument is originally an unknown value expression (e.g. (unsigned char) 1.0), the unknown value can be passed to this function.
(CStringChecker::evalCopyCommon -> invalidateDestinationBufferBySize, with function call of memcpy(x.arr, "hi", (unsigned char) 1.0))

Hence, we cannot make such an assertion here. : (

Harbormaster completed remote builds in B242671: Diff 536578.Jul 2 2023, 3:49 AM
OikawaKirie updated this revision to Diff 536662.Jul 2 2023, 11:17 PM

Sorry for the formatting error... :(

steakhal accepted this revision.Jul 2 2023, 11:53 PM
steakhal added inline comments.
clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
1078
This revision is now accepted and ready to land.Jul 2 2023, 11:53 PM
Harbormaster completed remote builds in B242737: Diff 536662.Jul 3 2023, 12:04 AM
OikawaKirie added a comment.Jul 3 2023, 12:19 AM

I will submit it again later to update the code as you suggested.

Besides,

Build Status
Buildable 242737
Build 376801: pre-merge checks libcxx CI FAILED

What does this mean? Was this patch correctly compiled and checked in the previous build? How can I avoid this failure?

Thx

steakhal added a comment.Jul 3 2023, 12:27 AM
In D152435#4467672, @OikawaKirie wrote:

I will submit it again later to update the code as you suggested.

Feel free to commit it with that modifications included.

Besides,

Build Status
Buildable 242737
Build 376801: pre-merge checks libcxx CI FAILED

What does this mean? Was this patch correctly compiled and checked in the previous build? How can I avoid this failure?

This is likely some anomaly. In general, you should check those logs to see if it's related to your patch. If not, than you can proceed and check if any of the bots cry after you commit.
If they do, triage what went wrong and decide if you attempt a fix commit or a revert.

This revision was landed with ongoing or failed builds.Jul 3 2023, 1:15 AM
Closed by commit rG1bd2d335b649: [analyzer][CStringChecker] Adjust the invalidation operation on the super… (authored by OikawaKirie). · Explain Why
This revision was automatically updated to reflect the committed changes.
OikawaKirie added a commit: rG1bd2d335b649: [analyzer][CStringChecker] Adjust the invalidation operation on the super….

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
210 lines
test/
Analysis/
Inputs/
2 lines
89 lines
5 lines

Diff 536683

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 LinesShow All 254 Lines▼ Show 20 Lines SVal getCStringLength(CheckerContext &C,
SVal Buf, SVal Buf,
bool hypothetical = false) const; bool hypothetical = false) const;
const StringLiteral *getCStringLiteral(CheckerContext &C, const StringLiteral *getCStringLiteral(CheckerContext &C,
ProgramStateRef &state, ProgramStateRef &state,
const Expr *expr, const Expr *expr,
SVal val) const; SVal val) const;
static ProgramStateRef InvalidateBuffer(CheckerContext &C, /// Invalidate the destination buffer determined by characters copied.
ProgramStateRef state, static ProgramStateRef
const Expr *Ex, SVal V, invalidateDestinationBufferBySize(CheckerContext &C, ProgramStateRef S,
bool IsSourceBuffer, const Expr *BufE, SVal BufV, SVal SizeV,
const Expr *Size); QualType SizeTy);
/// Operation never overflows, do not invalidate the super region.
static ProgramStateRef invalidateDestinationBufferNeverOverflows(
CheckerContext &C, ProgramStateRef S, const Expr *BufE, SVal BufV);
/// We do not know whether the operation can overflow (e.g. size is unknown),
/// invalidate the super region and escape related pointers.
static ProgramStateRef invalidateDestinationBufferAlwaysEscapeSuperRegion(
CheckerContext &C, ProgramStateRef S, const Expr *BufE, SVal BufV);
/// Invalidate the source buffer for escaping pointers.
static ProgramStateRef invalidateSourceBuffer(CheckerContext &C,
ProgramStateRef S,
steakhalUnsubmitted
Done
ReplyInline Actions

I don't think this is the cleanest way to achieve this.
To me, it feels like it might make sense to have distinct invalidation functions for each scenario and mentally share the same overload-set.
Right now, the API looks really complicated: using enum values along with default parameters. Not to speak of how many parameters it accepts.
However, I won't object this time given that it was already pretty bad, and unreadable - so in that sense, it's not much worse this way and it was not the point to improve the quality of the code.

steakhal: I don't think this is the cleanest way to achieve this. To me, it feels like it might make…
const Expr *BufE, SVal BufV);
/// @param InvalidationTraitOperations Determine how to invlidate the
/// MemRegion by setting the invalidation traits. Return true to cause pointer
/// escape, or false otherwise.
static ProgramStateRef invalidateBufferAux(
CheckerContext &C, ProgramStateRef State, const Expr *Ex, SVal V,
steakhalUnsubmitted
Done
ReplyInline Actions

I'd highly suggest making this a template taking the functor that way.
Given that we modify these functions, we should make them comply with the lower camel case naming convention.
And their variables with upper camel case.

steakhal: I'd highly suggest making this a template taking the functor that way. Given that we modify…
OikawaKirieAuthorUnsubmitted
Done
ReplyInline Actions

I'd highly suggest making this a template taking the functor that way.

Any examples?
Do you mean

template <typename T>
static ProgramStateRef
InvalidateBufferAux(CheckerContext &C, ProgramStateRef state, const Expr *Ex,
                    SVal V, std::function<T> CallBack);
OikawaKirie: > I'd highly suggest making this a template taking the functor that way. Any examples? Do you…
steakhalUnsubmitted
Done
ReplyInline Actions

My problem is that std::function owns the callback, and really likely to allocate for doing so.
And in this context a more lightweight approach would be also good.
What I had in mind was:

template <typename Callback>
static ProgramStateRef
InvalidateBufferAux(CheckerContext &C, ProgramStateRef state, const Expr *Ex,
                    SVal V, Callback F);
...
bool asd = F(a, b);

But actually, llvm::function_ref would be probably even better, so use that instead.
Also, add some comments on what the callback's return type means etc.

steakhal: My problem is that `std::function` owns the callback, and really likely to allocate for doing…
llvm::function_ref<bool(RegionAndSymbolInvalidationTraits &,
const MemRegion *)>
InvalidationTraitOperations);
static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx, static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
const MemRegion *MR); const MemRegion *MR);
static bool memsetAux(const Expr *DstBuffer, SVal CharE, static bool memsetAux(const Expr *DstBuffer, SVal CharE,
const Expr *Size, CheckerContext &C, const Expr *Size, CheckerContext &C,
ProgramStateRef &State); ProgramStateRef &State);
Show All 29 Linespublic:
ProgramStateRef checkAdditionOverflow(CheckerContext &C, ProgramStateRef checkAdditionOverflow(CheckerContext &C,
ProgramStateRef state, ProgramStateRef state,
NonLoc left, NonLoc left,
NonLoc right) const; NonLoc right) const;
// Return true if the destination buffer of the copy function may be in bound. // Return true if the destination buffer of the copy function may be in bound.
// Expects SVal of Size to be positive and unsigned. // Expects SVal of Size to be positive and unsigned.
// Expects SVal of FirstBuf to be a FieldRegion. // Expects SVal of FirstBuf to be a FieldRegion.
static bool IsFirstBufInBound(CheckerContext &C, static bool isFirstBufInBound(CheckerContext &C, ProgramStateRef State,
ProgramStateRef state, SVal BufVal, QualType BufTy, SVal LengthVal,
const Expr *FirstBuf, QualType LengthTy);
const Expr *Size);
}; };
} //end anonymous namespace } //end anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal) REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Individual checks and utility methods. // Individual checks and utility methods.
▲ Show 20 LinesShow All 637 Lines▼ Show 20 Linesconst StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion); const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
if (!strRegion) if (!strRegion)
return nullptr; return nullptr;
// Return the actual string in the string region. // Return the actual string in the string region.
return strRegion->getStringLiteral(); return strRegion->getStringLiteral();
} }
bool CStringChecker::IsFirstBufInBound(CheckerContext &C, bool CStringChecker::isFirstBufInBound(CheckerContext &C, ProgramStateRef State,
ProgramStateRef state, SVal BufVal, QualType BufTy,
const Expr *FirstBuf, SVal LengthVal, QualType LengthTy) {
const Expr *Size) {
// If we do not know that the buffer is long enough we return 'true'. // If we do not know that the buffer is long enough we return 'true'.
// Otherwise the parent region of this field region would also get // Otherwise the parent region of this field region would also get
// invalidated, which would lead to warnings based on an unknown state. // invalidated, which would lead to warnings based on an unknown state.
if (LengthVal.isUnknown())
return false;
// Originally copied from CheckBufferAccess and CheckLocation. // Originally copied from CheckBufferAccess and CheckLocation.
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &SB = C.getSValBuilder();
ASTContext &Ctx = svalBuilder.getContext(); ASTContext &Ctx = C.getASTContext();
const LocationContext *LCtx = C.getLocationContext();
QualType sizeTy = Size->getType();
QualType PtrTy = Ctx.getPointerType(Ctx.CharTy); QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
steakhalUnsubmitted
Done
ReplyInline Actions

The type of the SVal might not be always accurate.
in fact, we try to move away from using that in the future - whenever possible.
Consequently, I'd prefer passing down the type as an additional parameter instead, or just keeping the Expr along with the corresponding SVal.

steakhal: The type of the `SVal` might not be always accurate. in fact, we try to move away from using…
SVal BufVal = state->getSVal(FirstBuf, LCtx);
SVal LengthVal = state->getSVal(Size, LCtx);
std::optional<NonLoc> Length = LengthVal.getAs<NonLoc>(); std::optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
if (!Length) if (!Length)
return true; // cf top comment. return true; // cf top comment.
// Compute the offset of the last element to be accessed: size-1. // Compute the offset of the last element to be accessed: size-1.
NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>(); NonLoc One = SB.makeIntVal(1, LengthTy).castAs<NonLoc>();
SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy); SVal Offset = SB.evalBinOpNN(State, BO_Sub, *Length, One, LengthTy);
if (Offset.isUnknown()) if (Offset.isUnknown())
return true; // cf top comment return true; // cf top comment
NonLoc LastOffset = Offset.castAs<NonLoc>(); NonLoc LastOffset = Offset.castAs<NonLoc>();
// Check that the first buffer is sufficiently long. // Check that the first buffer is sufficiently long.
SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); SVal BufStart = SB.evalCast(BufVal, PtrTy, BufTy);
std::optional<Loc> BufLoc = BufStart.getAs<Loc>(); std::optional<Loc> BufLoc = BufStart.getAs<Loc>();
if (!BufLoc) if (!BufLoc)
return true; // cf top comment. return true; // cf top comment.
SVal BufEnd = SVal BufEnd = SB.evalBinOpLN(State, BO_Add, *BufLoc, LastOffset, PtrTy);
svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
// Check for out of bound array element access. // Check for out of bound array element access.
const MemRegion *R = BufEnd.getAsRegion(); const MemRegion *R = BufEnd.getAsRegion();
if (!R) if (!R)
return true; // cf top comment. return true; // cf top comment.
const ElementRegion *ER = dyn_cast<ElementRegion>(R); const ElementRegion *ER = dyn_cast<ElementRegion>(R);
if (!ER) if (!ER)
return true; // cf top comment. return true; // cf top comment.
// FIXME: Does this crash when a non-standard definition // FIXME: Does this crash when a non-standard definition
// of a library function is encountered? // of a library function is encountered?
assert(ER->getValueType() == C.getASTContext().CharTy && assert(ER->getValueType() == C.getASTContext().CharTy &&
"IsFirstBufInBound should only be called with char* ElementRegions"); "isFirstBufInBound should only be called with char* ElementRegions");
// Get the size of the array. // Get the size of the array.
const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion()); const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
DefinedOrUnknownSVal SizeDV = getDynamicExtent(state, superReg, svalBuilder); DefinedOrUnknownSVal SizeDV = getDynamicExtent(State, superReg, SB);
// Get the index of the accessed element. // Get the index of the accessed element.
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
ProgramStateRef StInBound = state->assumeInBound(Idx, SizeDV, true); ProgramStateRef StInBound = State->assumeInBound(Idx, SizeDV, true);
return static_cast<bool>(StInBound); return static_cast<bool>(StInBound);
} }
ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C, ProgramStateRef CStringChecker::invalidateDestinationBufferBySize(
ProgramStateRef state, CheckerContext &C, ProgramStateRef S, const Expr *BufE, SVal BufV,
const Expr *E, SVal V, SVal SizeV, QualType SizeTy) {
bool IsSourceBuffer, auto InvalidationTraitOperations =
steakhalUnsubmitted
Done
ReplyInline Actions

Shouldn't we assert that SizeV is some known value or at least smaller than (or equal to) the extent of the buffer?

steakhal: Shouldn't we assert that `SizeV` is some known value or at least smaller than (or equal to) the…
OikawaKirieAuthorUnsubmitted
Done
ReplyInline Actions

The calls in CStringChecker::evalCopyCommon and CStringChecker::evalStrcpyCommon seem to have chances able to pass an unknown value. But I am not very sure about this.

If the SizeV is sure to be smaller or equal to the extent of the buffer, the IsFirstBufInBound check seems useless.
Maybe I need to dig deeper into the callers.

OikawaKirie: The calls in `CStringChecker::evalCopyCommon` and `CStringChecker::evalStrcpyCommon` seem to…
steakhalUnsubmitted
Done
ReplyInline Actions

Indeed.

steakhal: Indeed.
OikawaKirieAuthorUnsubmitted
Done
ReplyInline Actions

Function CStringChecker::CheckBufferAccess is responsible to check whether the size overflows.
However, when Filter.CheckCStringOutOfBounds is set to false, the function will skip the overflow checking.
This makes that we cannot assert SizeV is always inbound, and the check in IsFirstBufInBound seems to be necessary.
(evalMemset -> CheckBufferAccess(skip overflow checking) -> memsetAux -> InvalidateDestinationBufferBySize with function call of memset(x.arr, 'a', 42))

Besides, if the size argument is originally an unknown value expression (e.g. (unsigned char) 1.0), the unknown value can be passed to this function.
(CStringChecker::evalCopyCommon -> invalidateDestinationBufferBySize, with function call of memcpy(x.arr, "hi", (unsigned char) 1.0))

Hence, we cannot make such an assertion here. : (

OikawaKirie: Function `CStringChecker::CheckBufferAccess` is responsible to check whether the size overflows.
const Expr *Size) { [&C, S, BufTy = BufE->getType(), BufV, SizeV,
SizeTy](RegionAndSymbolInvalidationTraits &ITraits, const MemRegion *R) {
// If destination buffer is a field region and access is in bound, do
// not invalidate its super region.
if (MemRegion::FieldRegionKind == R->getKind() &&
isFirstBufInBound(C, S, BufV, BufTy, SizeV, SizeTy)) {
ITraits.setTrait(
R,
RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
}
return false;
};
return invalidateBufferAux(C, S, BufE, BufV, InvalidationTraitOperations);
}
ProgramStateRef
CStringChecker::invalidateDestinationBufferAlwaysEscapeSuperRegion(
CheckerContext &C, ProgramStateRef S, const Expr *BufE, SVal BufV) {
auto InvalidationTraitOperations = [](RegionAndSymbolInvalidationTraits &,
const MemRegion *R) {
return isa<FieldRegion>(R);
steakhalUnsubmitted
Not Done
ReplyInline Actions
const MemRegion *R) {
- return MemRegion::FieldRegionKind == R->getKind();
+ return llvm::isa<FieldRegion>(R);
};
return invalidateBufferAux(C, S, BufE, BufV, InvalidationTraitOperations);
steakhal:
};
steakhalUnsubmitted
Done
ReplyInline Actions

The lambdas inline in the call look a bit messy. I would prefer declaring it and passing it as an argument separately.
This applies to the rest of the lambdas as well.

steakhal: The lambdas inline in the call look a bit messy. I would prefer declaring it and passing it as…
OikawaKirieAuthorUnsubmitted
Done
ReplyInline Actions

And their variables with upper camel case.

What about the variable names for the lambdas? Lower camel or upper camel?
I cannot find the rules for named lambdas from the guidance https://llvm.org/docs/CodingStandards.html.

OikawaKirie: > And their variables with upper camel case. What about the variable names for the lambdas?
steakhalUnsubmitted
Done
ReplyInline Actions

I think I asked the same question some time ago.
https://discourse.llvm.org/t/naming-lambdas-in-llvm-coding-standards/62689/3

steakhal: I think I asked the same question some time ago. https://discourse.llvm.org/t/naming-lambdas-in…
return invalidateBufferAux(C, S, BufE, BufV, InvalidationTraitOperations);
}
ProgramStateRef CStringChecker::invalidateDestinationBufferNeverOverflows(
CheckerContext &C, ProgramStateRef S, const Expr *BufE, SVal BufV) {
auto InvalidationTraitOperations =
[](RegionAndSymbolInvalidationTraits &ITraits, const MemRegion *R) {
if (MemRegion::FieldRegionKind == R->getKind())
ITraits.setTrait(
R,
RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
return false;
};
return invalidateBufferAux(C, S, BufE, BufV, InvalidationTraitOperations);
}
ProgramStateRef CStringChecker::invalidateSourceBuffer(CheckerContext &C,
ProgramStateRef S,
const Expr *BufE,
SVal BufV) {
auto InvalidationTraitOperations =
[](RegionAndSymbolInvalidationTraits &ITraits, const MemRegion *R) {
ITraits.setTrait(
R->getBaseRegion(),
RegionAndSymbolInvalidationTraits::TK_PreserveContents);
ITraits.setTrait(R,
RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
return true;
};
return invalidateBufferAux(C, S, BufE, BufV, InvalidationTraitOperations);
}
ProgramStateRef CStringChecker::invalidateBufferAux(
CheckerContext &C, ProgramStateRef State, const Expr *E, SVal V,
llvm::function_ref<bool(RegionAndSymbolInvalidationTraits &,
const MemRegion *)>
InvalidationTraitOperations) {
std::optional<Loc> L = V.getAs<Loc>(); std::optional<Loc> L = V.getAs<Loc>();
if (!L) if (!L)
return state; return State;
// FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
// some assumptions about the value that CFRefCount can't. Even so, it should // some assumptions about the value that CFRefCount can't. Even so, it should
// probably be refactored. // probably be refactored.
if (std::optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) { if (std::optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
const MemRegion *R = MR->getRegion()->StripCasts(); const MemRegion *R = MR->getRegion()->StripCasts();
// Are we dealing with an ElementRegion? If so, we should be invalidating // Are we dealing with an ElementRegion? If so, we should be invalidating
// the super-region. // the super-region.
if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) { if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
R = ER->getSuperRegion(); R = ER->getSuperRegion();
// FIXME: What about layers of ElementRegions? // FIXME: What about layers of ElementRegions?
} }
// Invalidate this region. // Invalidate this region.
const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
bool CausesPointerEscape = false;
RegionAndSymbolInvalidationTraits ITraits; RegionAndSymbolInvalidationTraits ITraits;
// Invalidate and escape only indirect regions accessible through the source bool CausesPointerEscape = InvalidationTraitOperations(ITraits, R);
steakhalUnsubmitted
Done
ReplyInline Actions

Again, it's not your fault, but this code just looks insane.
I'm not surprised it had a bug, and likely it still has.

steakhal: Again, it's not your fault, but this code just looks insane. I'm not surprised it had a bug…
// buffer.
if (IsSourceBuffer) {
ITraits.setTrait(R->getBaseRegion(),
RegionAndSymbolInvalidationTraits::TK_PreserveContents);
ITraits.setTrait(R, RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
CausesPointerEscape = true;
} else {
const MemRegion::Kind& K = R->getKind();
if (K == MemRegion::FieldRegionKind)
if (Size && IsFirstBufInBound(C, state, E, Size)) {
// If destination buffer is a field region and access is in bound,
// do not invalidate its super region.
ITraits.setTrait(
R,
RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
}
}
return state->invalidateRegions(R, E, C.blockCount(), LCtx, return State->invalidateRegions(R, E, C.blockCount(), LCtx,
CausesPointerEscape, nullptr, nullptr, CausesPointerEscape, nullptr, nullptr,
&ITraits); &ITraits);
} }
// If we have a non-region value by chance, just remove the binding. // If we have a non-region value by chance, just remove the binding.
// FIXME: is this necessary or correct? This handles the non-Region // FIXME: is this necessary or correct? This handles the non-Region
// cases. Is it ever valid to store to these? // cases. Is it ever valid to store to these?
return state->killBinding(*L); return State->killBinding(*L);
} }
bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx, bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
const MemRegion *MR) { const MemRegion *MR) {
switch (MR->getKind()) { switch (MR->getKind()) {
case MemRegion::FunctionCodeRegionKind: { case MemRegion::FunctionCodeRegionKind: {
if (const auto *FD = cast<FunctionCodeRegion>(MR)->getDecl()) if (const auto *FD = cast<FunctionCodeRegion>(MR)->getDecl())
os << "the address of the function '" << *FD << '\''; os << "the address of the function '" << *FD << '\'';
▲ Show 20 LinesShow All 80 Lines▼ Show 20 Lines if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
// FIXME: Since there is no perfect way to bind the non-zero character, we // FIXME: Since there is no perfect way to bind the non-zero character, we
// can only deal with zero value here. In the future, we need to deal with // can only deal with zero value here. In the future, we need to deal with
// the binding of non-zero value in the case of whole region. // the binding of non-zero value in the case of whole region.
State = State->bindDefaultZero(svalBuilder.makeLoc(BR), State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
C.getLocationContext()); C.getLocationContext());
} else { } else {
// If the destination buffer's extent is not equal to the value of // If the destination buffer's extent is not equal to the value of
// third argument, just invalidate buffer. // third argument, just invalidate buffer.
State = InvalidateBuffer(C, State, DstBuffer, MemVal, State = invalidateDestinationBufferBySize(C, State, DstBuffer, MemVal,
/*IsSourceBuffer*/ false, Size); SizeVal, Size->getType());
} }
if (StateNullChar && !StateNonNullChar) { if (StateNullChar && !StateNonNullChar) {
// If the value of the second argument of 'memset()' is zero, set the // If the value of the second argument of 'memset()' is zero, set the
// string length of destination buffer to 0 directly. // string length of destination buffer to 0 directly.
State = setCStringLength(State, MR, State = setCStringLength(State, MR,
svalBuilder.makeZeroVal(Ctx.getSizeType())); svalBuilder.makeZeroVal(Ctx.getSizeType()));
} else if (!StateNullChar && StateNonNullChar) { } else if (!StateNullChar && StateNonNullChar) {
SVal NewStrLen = svalBuilder.getMetadataSymbolVal( SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(), CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
C.getLocationContext(), C.blockCount()); C.getLocationContext(), C.blockCount());
// If the value of second argument is not zero, then the string length // If the value of second argument is not zero, then the string length
// is at least the size argument. // is at least the size argument.
SVal NewStrLenGESize = svalBuilder.evalBinOp( SVal NewStrLenGESize = svalBuilder.evalBinOp(
State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType()); State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
State = setCStringLength( State = setCStringLength(
State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true), State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
MR, NewStrLen); MR, NewStrLen);
} }
} else { } else {
// If the offset is not zero and char value is not concrete, we can do // If the offset is not zero and char value is not concrete, we can do
// nothing but invalidate the buffer. // nothing but invalidate the buffer.
State = InvalidateBuffer(C, State, DstBuffer, MemVal, State = invalidateDestinationBufferBySize(C, State, DstBuffer, MemVal,
/*IsSourceBuffer*/ false, Size); SizeVal, Size->getType());
} }
return true; return true;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// evaluation of individual function calls. // evaluation of individual function calls.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 79 Lines▼ Show 20 Lines if (stateNonZeroSize) {
} }
// Invalidate the destination (regular invalidation without pointer-escaping // Invalidate the destination (regular invalidation without pointer-escaping
// the address of the top-level region). // the address of the top-level region).
// FIXME: Even if we can't perfectly model the copy, we should see if we // FIXME: Even if we can't perfectly model the copy, we should see if we
// can use LazyCompoundVals to copy the source values into the destination. // can use LazyCompoundVals to copy the source values into the destination.
// This would probably remove any existing bindings past the end of the // This would probably remove any existing bindings past the end of the
// copied region, but that's still an improvement over blank invalidation. // copied region, but that's still an improvement over blank invalidation.
state = state = invalidateDestinationBufferBySize(
InvalidateBuffer(C, state, Dest.Expression, C.getSVal(Dest.Expression), C, state, Dest.Expression, C.getSVal(Dest.Expression), sizeVal,
/*IsSourceBuffer*/ false, Size.Expression); Size.Expression->getType());
// Invalidate the source (const-invalidation without const-pointer-escaping // Invalidate the source (const-invalidation without const-pointer-escaping
// the address of the top-level region). // the address of the top-level region).
state = InvalidateBuffer(C, state, Source.Expression, state = invalidateSourceBuffer(C, state, Source.Expression,
C.getSVal(Source.Expression), C.getSVal(Source.Expression));
/*IsSourceBuffer*/ true, nullptr);
C.addTransition(state); C.addTransition(state);
} }
} }
void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE, void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE,
CharKind CK) const { CharKind CK) const {
// void *memcpy(void *restrict dst, const void *restrict src, size_t n); // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
▲ Show 20 LinesShow All 655 Lines▼ Show 20 Lines if (std::optional<loc::MemRegionVal> dstRegVal =
// Invalidate the destination (regular invalidation without pointer-escaping // Invalidate the destination (regular invalidation without pointer-escaping
// the address of the top-level region). This must happen before we set the // the address of the top-level region). This must happen before we set the
// C string length because invalidation will clear the length. // C string length because invalidation will clear the length.
// FIXME: Even if we can't perfectly model the copy, we should see if we // FIXME: Even if we can't perfectly model the copy, we should see if we
// can use LazyCompoundVals to copy the source values into the destination. // can use LazyCompoundVals to copy the source values into the destination.
// This would probably remove any existing bindings past the end of the // This would probably remove any existing bindings past the end of the
// string, but that's still an improvement over blank invalidation. // string, but that's still an improvement over blank invalidation.
state = InvalidateBuffer(C, state, Dst.Expression, *dstRegVal, state = invalidateDestinationBufferBySize(C, state, Dst.Expression,
/*IsSourceBuffer*/ false, nullptr); *dstRegVal, amountCopied,
C.getASTContext().getSizeType());
// Invalidate the source (const-invalidation without const-pointer-escaping // Invalidate the source (const-invalidation without const-pointer-escaping
// the address of the top-level region). // the address of the top-level region).
state = InvalidateBuffer(C, state, srcExpr.Expression, srcVal, state = invalidateSourceBuffer(C, state, srcExpr.Expression, srcVal);
/*IsSourceBuffer*/ true, nullptr);
// Set the C string length of the destination, if we know it. // Set the C string length of the destination, if we know it.
if (IsBounded && (appendK == ConcatFnKind::none)) { if (IsBounded && (appendK == ConcatFnKind::none)) {
// strncpy is annoying in that it doesn't guarantee to null-terminate // strncpy is annoying in that it doesn't guarantee to null-terminate
// the result string. If the original string didn't fit entirely inside // the result string. If the original string didn't fit entirely inside
// the bound (including the null-terminator), we don't know how long the // the bound (including the null-terminator), we don't know how long the
// result is. // result is.
if (amountCopied != strLength) if (amountCopied != strLength)
▲ Show 20 LinesShow All 198 Lines▼ Show 20 Linesvoid CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
SValBuilder &SVB = C.getSValBuilder(); SValBuilder &SVB = C.getSValBuilder();
SVal Result; SVal Result;
if (std::optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) { if (std::optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
// Get the current value of the search string pointer, as a char*. // Get the current value of the search string pointer, as a char*.
Result = State->getSVal(*SearchStrLoc, CharPtrTy); Result = State->getSVal(*SearchStrLoc, CharPtrTy);
// Invalidate the search string, representing the change of one delimiter // Invalidate the search string, representing the change of one delimiter
// character to NUL. // character to NUL.
State = InvalidateBuffer(C, State, SearchStrPtr.Expression, Result, // As the replacement never overflows, do not invalidate its super region.
/*IsSourceBuffer*/ false, nullptr); State = invalidateDestinationBufferNeverOverflows(
C, State, SearchStrPtr.Expression, Result);
// Overwrite the search string pointer. The new value is either an address // Overwrite the search string pointer. The new value is either an address
// further along in the same string, or NULL if there are no more tokens. // further along in the same string, or NULL if there are no more tokens.
State = State->bindLoc(*SearchStrLoc, State = State->bindLoc(*SearchStrLoc,
SVB.conjureSymbolVal(getTag(), SVB.conjureSymbolVal(getTag(),
CE, CE,
LCtx, LCtx,
CharPtrTy, CharPtrTy,
Show All 32 Linesvoid CStringChecker::evalStdCopyCommon(CheckerContext &C,
// template <class _InputIterator, class _OutputIterator> // template <class _InputIterator, class _OutputIterator>
// _OutputIterator // _OutputIterator
// copy(_InputIterator __first, _InputIterator __last, // copy(_InputIterator __first, _InputIterator __last,
// _OutputIterator __result) // _OutputIterator __result)
// Invalidate the destination buffer // Invalidate the destination buffer
const Expr *Dst = CE->getArg(2); const Expr *Dst = CE->getArg(2);
SVal DstVal = State->getSVal(Dst, LCtx); SVal DstVal = State->getSVal(Dst, LCtx);
State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false, // FIXME: As we do not know how many items are copied, we also invalidate the
/*Size=*/nullptr); // super region containing the target location.
State =
invalidateDestinationBufferAlwaysEscapeSuperRegion(C, State, Dst, DstVal);
SValBuilder &SVB = C.getSValBuilder(); SValBuilder &SVB = C.getSValBuilder();
SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount()); SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
State = State->BindExpr(CE, LCtx, ResultVal); State = State->BindExpr(CE, LCtx, ResultVal);
C.addTransition(State); C.addTransition(State);
} }
▲ Show 20 LinesShow All 342 LinesShow Last 20 Lines

clang/test/Analysis/Inputs/system-header-simulator.h

Show First 20 LinesShow All 57 Lines▼ Show 20 Lines
int feof(FILE *stream); int feof(FILE *stream);
int ferror(FILE *stream); int ferror(FILE *stream);
int fileno(FILE *stream); int fileno(FILE *stream);
size_t strlen(const char *); size_t strlen(const char *);
char *strcpy(char *restrict, const char *restrict); char *strcpy(char *restrict, const char *restrict);
char *strncpy(char *dst, const char *src, size_t n); char *strncpy(char *dst, const char *src, size_t n);
char *strsep(char **stringp, const char *delim);
void *memcpy(void *dst, const void *src, size_t n); void *memcpy(void *dst, const void *src, size_t n);
void *memset(void *s, int c, size_t n);
typedef unsigned long __darwin_pthread_key_t; typedef unsigned long __darwin_pthread_key_t;
typedef __darwin_pthread_key_t pthread_key_t; typedef __darwin_pthread_key_t pthread_key_t;
int pthread_setspecific(pthread_key_t, const void *); int pthread_setspecific(pthread_key_t, const void *);
int sqlite3_bind_text_my(int, const char*, int n, void(*)(void*)); int sqlite3_bind_text_my(int, const char*, int n, void(*)(void*));
typedef void (*freeCallback) (void*); typedef void (*freeCallback) (void*);
▲ Show 20 LinesShow All 63 LinesShow Last 20 Lines

clang/test/Analysis/issue-55019.cpp

  • This file was added.
// Refer issue 55019 for more details.
// A supplemental test case of pr22954.c for other functions modeled in
// the CStringChecker.
// RUN: %clang_analyze_cc1 %s -verify \
steakhalUnsubmitted
Done
ReplyInline Actions

I think you can just append the C file to this one.
This shouldn't make a difference. And if it does, you can still guard that test code using macro ifndef trickery in addition to distinct -verify=xxx prefixes.

steakhal: I think you can just append the C file to this one. This shouldn't make a difference. And if it…
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix \
// RUN: -analyzer-checker=debug.ExprInspection
#include "Inputs/system-header-simulator.h"
#include "Inputs/system-header-simulator-cxx.h"
void *malloc(size_t);
void free(void *);
OikawaKirieAuthorUnsubmitted
Not Done
ReplyInline Actions

Ah, I see that it's for c function declarations. If that's the case, have you considered adding the malloc and free declarations to that header?

What about doing this in another patch and updating all test cases that use malloc and free? Maybe other libc APIs as well?
The test case malloc-three-arg.c declares malloc and in a different signature and also includes this header. Simply doing so in this patch will lead to other conflicts.

OikawaKirie: > Ah, I see that it's for c function declarations. If that's the case, have you considered…
steakhalUnsubmitted
Not Done
ReplyInline Actions

Okay.

steakhal: Okay.
struct mystruct {
void *ptr;
char arr[4];
};
void clang_analyzer_dump(const void *);
// CStringChecker::memsetAux
void fmemset() {
mystruct x;
x.ptr = malloc(1);
clang_analyzer_dump(x.ptr); // expected-warning {{HeapSymRegion}}
steakhalUnsubmitted
Done
ReplyInline Actions

So, you say that It should be HeapSymRegion instead because x.arr shouldn't be invalidated because the std::copy` won't modify it. Right?

steakhal: So, you say that `It should be HeapSymRegion instead` because `x.arr` shouldn't be invalidated…
memset(x.arr, 0, sizeof(x.arr));
clang_analyzer_dump(x.ptr); // expected-warning {{HeapSymRegion}}
free(x.ptr); // no-leak-warning
}
// CStringChecker::evalCopyCommon
void fmemcpy() {
mystruct x;
x.ptr = malloc(1);
clang_analyzer_dump(x.ptr); // expected-warning {{HeapSymRegion}}
memcpy(x.arr, "hi", 2);
clang_analyzer_dump(x.ptr); // expected-warning {{HeapSymRegion}}
free(x.ptr); // no-leak-warning
}
// CStringChecker::evalStrcpyCommon
void fstrcpy() {
mystruct x;
x.ptr = malloc(1);
clang_analyzer_dump(x.ptr); // expected-warning {{HeapSymRegion}}
strcpy(x.arr, "hi");
clang_analyzer_dump(x.ptr); // expected-warning {{HeapSymRegion}}
free(x.ptr); // no-leak-warning
}
void fstrncpy() {
mystruct x;
x.ptr = malloc(1);
clang_analyzer_dump(x.ptr); // expected-warning {{HeapSymRegion}}
strncpy(x.arr, "hi", sizeof(x.arr));
clang_analyzer_dump(x.ptr); // expected-warning {{HeapSymRegion}}
free(x.ptr); // no-leak-warning
}
// CStringChecker::evalStrsep
void fstrsep() {
mystruct x;
x.ptr = malloc(1);
clang_analyzer_dump(x.ptr); // expected-warning {{HeapSymRegion}}
char *p = x.arr;
(void)strsep(&p, "x");
clang_analyzer_dump(x.ptr); // expected-warning {{HeapSymRegion}}
free(x.ptr); // no-leak-warning
}
// CStringChecker::evalStdCopyCommon
void fstdcopy() {
mystruct x;
x.ptr = new char;
clang_analyzer_dump(x.ptr); // expected-warning {{HeapSymRegion}}
const char *p = "x";
std::copy(p, p + 1, x.arr);
// FIXME: As we currently cannot know whether the copy overflows, the checker
// invalidates the entire `x` object. When the copy size through iterators
// can be correctly modeled, we can then update the verify direction from
// SymRegion to HeapSymRegion as this std::copy call never overflows and
// hence the pointer `x.ptr` shall not be invalidated.
clang_analyzer_dump(x.ptr); // expected-warning {{SymRegion}}
delete static_cast<char*>(x.ptr); // no-leak-warning
OikawaKirieAuthorUnsubmitted
Done
ReplyInline Actions

So, you say that It should be HeapSymRegion instead because x.arr shouldn't be invalidated because the std::copy won't modify it. Right?

Yes, but just in this test case.

The size of x.arr is 4 and the copy length is 1, which means the call to std::copy here never overflows.
Therefore, we should not invalidate the super region x and keep x.ptr still pointing to the original HeapSymRegion unchanged.
However, the copy length computed through iterators is not modeled currently in CStringChecker::evalStdCopyCommon, where InvalidateDestinationBufferAlwaysEscapeSuperRegion is called.
When it is modeled in the future, the function should call InvalidateDestinationBufferBySize instead to make the invalidation of the super region determined by the copy length to report potential leaks.

OikawaKirie: > So, you say that It should be `HeapSymRegion` instead because `x.arr` shouldn't be…
steakhalUnsubmitted
Done
ReplyInline Actions

Makes sense. Thanks.

steakhal: Makes sense. Thanks.
}

clang/test/Analysis/pr22954.c

Show First 20 LinesShow All 550 Lines▼ Show 20 Linesstruct xx {
char * s2; char * s2;
}; };
int f263(int n, char * len) { int f263(int n, char * len) {
struct xx x263 = {0}; struct xx x263 = {0};
x263.s2 = strdup("hello"); x263.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'}; char input[] = {'a', 'b', 'c', 'd'};
memcpy(x263.s1, input, *(len + n)); memcpy(x263.s1, input, *(len + n));
clang_analyzer_eval(x263.s1[0] == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval(x263.s1[0] == 0); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'x263.s2'}}
steakhalUnsubmitted
Not Done
ReplyInline Actions

Ah, the leak should have been reported at the end of the full-expression of memcpy.
If we have this expect line here it could mislead the reader that it has anything to do with the eval call before.

In fact, any statement after memcpy would have this diagnostic.
I have seen cases where we have a next_line() opaque call after such places to anchor the leak diagnostic.
I think we can do the same here.

steakhal: Ah, the leak should have been reported at the end of the full-expression of `memcpy`. If we…
OikawaKirieAuthorUnsubmitted
Done
ReplyInline Actions

Its not advised to have different, but similar looking hunks out of which some are the consequence of the semantic change we made and also have others where they are just refactors.

Do you mean I only need to update the verification direction here as you suggested above and leave others unchanged?

OikawaKirie: > Its not advised to have different, but similar looking hunks out of which some are the…
clang_analyzer_eval(x263.s1[1] == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval(x263.s1[1] == 0); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(x263.s1[2] == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval(x263.s1[2] == 0); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(x263.s1[3] == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval(x263.s1[3] == 0); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(x263.s2 == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval(x263.s2 == 0); // expected-warning{{UNKNOWN}}
return 0; // expected-warning{{Potential leak of memory pointed to by 'x263.s2'}} return 0;
} }
// Test casting regions with symbolic offseted sub regions. // Test casting regions with symbolic offseted sub regions.
int f27(int i) { int f27(int i) {
struct mm m27 = {{1, 2, 3, 4}, 0}; struct mm m27 = {{1, 2, 3, 4}, 0};
m27.s4 = strdup("hello"); m27.s4 = strdup("hello");
m27.s3[i] = 5; m27.s3[i] = 5;
char input[] = {'a', 'b', 'c', 'd'}; char input[] = {'a', 'b', 'c', 'd'};
memcpy(((struct ll*)(&m27))->s1, input, 4); memcpy(((struct ll*)(&m27))->s1, input, 4);
clang_analyzer_eval(m27.s3[0] == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(m27.s3[0] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m27.s3[1] == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(m27.s3[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m27.s3[2] == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(m27.s3[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m27.s3[3] == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(m27.s3[3] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(m27.s3[i] == 1); // expected-warning{{UNKNOWN}}\ clang_analyzer_eval(m27.s3[i] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'm27.s4'}} expected-warning{{Potential leak of memory pointed to by 'm27.s4'}}
OikawaKirieAuthorUnsubmitted
Done
ReplyInline Actions

Do I need to update all other leak expectation directions in this file as well? Such as this one here.

OikawaKirie: Do I need to update all other leak expectation directions in this file as well? Such as this…
steakhalUnsubmitted
Done
ReplyInline Actions

Definitely no.
Its not advised to have different, but similar looking hunks out of which some are the consequence of the semantic change we made and also have others where they are just refactors.

steakhal: Definitely no. Its not advised to have different, but similar looking hunks out of which some…
return 0; return 0;
} }
int f28(int i, int j, int k, int l) { int f28(int i, int j, int k, int l) {
struct mm m28[2]; struct mm m28[2];
m28[i].s4 = strdup("hello"); m28[i].s4 = strdup("hello");
m28[j].s3[k] = 1; m28[j].s3[k] = 1;
struct ll * l28 = (struct ll*)(&m28[1]); struct ll * l28 = (struct ll*)(&m28[1]);
▲ Show 20 LinesShow All 331 LinesShow Last 20 Lines