This is an archive of the discontinued LLVM Phabricator instance.

Differential D153017

[analyzer] Fix false negative when using a nullable parameter directly without binding to a variable
ClosedPublic

Authored by tripleCC on Jun 15 2023, 6:29 AM.

Details

Reviewers
NoQ
steakhal
zaks.anna
vsavchenko
xazax.hun
Commits
rG77a599ae5828: [analyzer] Fix false negative when using a nullable parameter directly without…
Summary

If a parameter has a nullability annotation, the nullability information of the parameter should be set as a NullabilityState trait at the beginning of the function.
I don't have commit access.

Diff Detail

Event Timeline

tripleCC created this revision.Jun 15 2023, 6:29 AM
Herald added a reviewer: NoQ. · View Herald TranscriptJun 15 2023, 6:29 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: steakhal, manas, ASDenysPetrov and 7 others. · View Herald Transcript
tripleCC requested review of this revision.Jun 15 2023, 6:29 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 15 2023, 6:29 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
tripleCC edited the summary of this revision. (Show Details)Jun 15 2023, 6:36 AM
tripleCC added a reviewer: steakhal.
tripleCC edited the summary of this revision. (Show Details)
tripleCC added reviewers: zaks.anna, vsavchenko.Jun 15 2023, 6:41 AM
steakhal added a comment.Jun 15 2023, 7:21 AM

I believe, zaks.anna and vsavchenko are no longer involved in the project.
I think it makes sense to have the code owners NoQ and xazax.hun as reviewers, and I also tend to review quite a lot nowadays.
And we usually use the [analyzer] tag instead of [StaticAnalyzer] for the patches.
It's useful to use the right tags to trigger the right herald scripts to get the right circle notified.

clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
569–573

Shouldn't we only do this for the analysis entrypoints only? (aka. top-level functions)
I assume this checker already did some modeling of the attributes, hence we have the warnings in the tests.

569–594

Uh, the diffing here looks terrible.
What you probably want: Fold the States, and if you are done, transition - but only if we have any parameters.
We need to have a single addTransition() call if we want a single execution path modeled in the graph. We probably don't want one path on which the first parameter's annotation is known; and a separate one where only the second, etc.

tripleCC retitled this revision from [StaticAnalyzer] Fix false negative when using a nullable parameter directly without binding to a variable to [analyzer] Fix false negative when using a nullable parameter directly without binding to a variable.Jun 15 2023, 7:54 AM
Herald added subscribers: mikhail.ramalho, xazax.hun. · View Herald TranscriptJun 15 2023, 7:54 AM
Harbormaster completed remote builds in B239108: Diff 531728.Jun 15 2023, 8:23 AM
tripleCC added a reviewer: xazax.hun.Jun 15 2023, 8:25 AM
tripleCC updated this revision to Diff 531779.Jun 15 2023, 8:47 AM

add inTopFrame condition. call the addTransition function only once for all params.

steakhal added inline comments.Jun 15 2023, 8:58 AM
clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
569–594

Please note that each iteration of the loop will overwrite the state you made in the previous iteration this way.
Its most likely not what you want.
Because C.getState() will always return the same state no matter the context here.

tripleCC added inline comments.Jun 15 2023, 9:00 AM
clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
569–573

Thanking for your reviewing. You are correct, I added an inTopFrame() condition here. It only makes sense for top-level functions.

569–594

I made a rookie mistake here. I should call the addTransition function outside the for loop.

tripleCC updated this revision to Diff 531784.Jun 15 2023, 9:04 AM

Do not overwrite state

tripleCC added inline comments.Jun 15 2023, 9:13 AM
clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp
569–594

Updated

steakhal added a comment.Jun 15 2023, 9:15 AM

Now it looks much better. Let me check it in depth tomorrow.

Harbormaster completed remote builds in B239153: Diff 531784.Jun 15 2023, 10:51 AM
steakhal accepted this revision.Jun 16 2023, 8:33 AM

LGTM; I'll commit this on Monday.

This revision is now accepted and ready to land.Jun 16 2023, 8:33 AM
xazax.hun accepted this revision.Jun 16 2023, 8:57 AM
tripleCC marked an inline comment as done.EditedJul 1 2023, 9:55 PM
In D153017#4428432, @steakhal wrote:

LGTM; I'll commit this on Monday.

Hi steakhal, sorry to bother you again. Do you mind committing the revision for me ?

tripleCC added a comment.Jul 2 2023, 8:03 AM
In D153017#4428432, @steakhal wrote:

LGTM; I'll commit this on Monday.

Oops, It seems that I missed the invitation, I just noticed the invitation email in my gmail now ...
I will request Chris to send the invitation again.
Thank you for your recommendation.

Closed by commit rG77a599ae5828: [analyzer] Fix false negative when using a nullable parameter directly without… (authored by tripleCC, committed by steakhal). · Explain WhyJul 3 2023, 12:29 AM
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rG77a599ae5828: [analyzer] Fix false negative when using a nullable parameter directly without….

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
40 lines
test/
Analysis/
11 lines

Diff 531784

clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp

Show All 20 Lines
// to suppress warnings would be to add asserts or guarding if statements to the // to suppress warnings would be to add asserts or guarding if statements to the
// code. In addition to the nullability propagation this checker also uses some // code. In addition to the nullability propagation this checker also uses some
// heuristics to suppress potential false positives. // heuristics to suppress potential false positives.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/Analysis/AnyCall.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "llvm/Support/Path.h" #include "llvm/Support/Path.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
Show All 33 Linesenum class ErrorKind : int {
NullableDereferenced, NullableDereferenced,
NullablePassedToNonnull NullablePassedToNonnull
}; };
class NullabilityChecker class NullabilityChecker
: public Checker<check::Bind, check::PreCall, check::PreStmt<ReturnStmt>, : public Checker<check::Bind, check::PreCall, check::PreStmt<ReturnStmt>,
check::PostCall, check::PostStmt<ExplicitCastExpr>, check::PostCall, check::PostStmt<ExplicitCastExpr>,
check::PostObjCMessage, check::DeadSymbols, eval::Assume, check::PostObjCMessage, check::DeadSymbols, eval::Assume,
check::Location, check::Event<ImplicitNullDerefEvent>> { check::Location, check::Event<ImplicitNullDerefEvent>,
check::BeginFunction> {
public: public:
// If true, the checker will not diagnose nullabilility issues for calls // If true, the checker will not diagnose nullabilility issues for calls
// to system headers. This option is motivated by the observation that large // to system headers. This option is motivated by the observation that large
// projects may have many nullability warnings. These projects may // projects may have many nullability warnings. These projects may
// find warnings about nullability annotations that they have explicitly // find warnings about nullability annotations that they have explicitly
// added themselves higher priority to fix than warnings on calls to system // added themselves higher priority to fix than warnings on calls to system
// libraries. // libraries.
bool NoDiagnoseCallsToSystemHeaders = false; bool NoDiagnoseCallsToSystemHeaders = false;
void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const; void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
void checkPostStmt(const ExplicitCastExpr *CE, CheckerContext &C) const; void checkPostStmt(const ExplicitCastExpr *CE, CheckerContext &C) const;
void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const; void checkPostObjCMessage(const ObjCMethodCall &M, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
void checkEvent(ImplicitNullDerefEvent Event) const; void checkEvent(ImplicitNullDerefEvent Event) const;
void checkLocation(SVal Location, bool IsLoad, const Stmt *S, void checkLocation(SVal Location, bool IsLoad, const Stmt *S,
CheckerContext &C) const; CheckerContext &C) const;
void checkBeginFunction(CheckerContext &Ctx) const;
ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond, ProgramStateRef evalAssume(ProgramStateRef State, SVal Cond,
bool Assumption) const; bool Assumption) const;
void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
const char *Sep) const override; const char *Sep) const override;
enum CheckKind { enum CheckKind {
CK_NullPassedToNonnull, CK_NullPassedToNonnull,
▲ Show 20 LinesShow All 445 Lines▼ Show 20 Lines else {
reportBug("Nullable pointer is passed to a callee that requires a " reportBug("Nullable pointer is passed to a callee that requires a "
"non-null", "non-null",
ErrorKind::NullablePassedToNonnull, CK_NullableDereferenced, ErrorKind::NullablePassedToNonnull, CK_NullableDereferenced,
Event.SinkNode, Region, BR); Event.SinkNode, Region, BR);
} }
} }
} }
void NullabilityChecker::checkBeginFunction(CheckerContext &C) const {
if (!C.inTopFrame())
return;
const LocationContext *LCtx = C.getLocationContext();
steakhalUnsubmitted
Not Done
ReplyInline Actions

Shouldn't we only do this for the analysis entrypoints only? (aka. top-level functions)
I assume this checker already did some modeling of the attributes, hence we have the warnings in the tests.

steakhal: Shouldn't we only do this for the analysis entrypoints only? (aka. top-level functions) I…
tripleCCAuthorUnsubmitted
Done
ReplyInline Actions

Thanking for your reviewing. You are correct, I added an inTopFrame() condition here. It only makes sense for top-level functions.

tripleCC: Thanking for your reviewing. You are correct, I added an `inTopFrame()` condition here. It…
auto AbstractCall = AnyCall::forDecl(LCtx->getDecl());
if (!AbstractCall || AbstractCall->parameters().empty())
return;
ProgramStateRef State = C.getState();
for (const ParmVarDecl *Param : AbstractCall->parameters()) {
if (!isValidPointerType(Param->getType()))
continue;
Nullability RequiredNullability =
getNullabilityAnnotation(Param->getType());
if (RequiredNullability != Nullability::Nullable)
continue;
const VarRegion *ParamRegion = State->getRegion(Param, LCtx);
const MemRegion *ParamPointeeRegion =
State->getSVal(ParamRegion).getAsRegion();
if (!ParamPointeeRegion)
continue;
State = State->set<NullabilityMap>(ParamPointeeRegion,
steakhalUnsubmitted
Not Done
ReplyInline Actions
}
}
void NullabilityChecker::checkBeginFunction(CheckerContext &C) const {
const LocationContext *LCtx = C.getLocationContext();
auto AbstractCall = AnyCall::forDecl(LCtx->getDecl());
- if (!AbstractCall)
+ if (!AbstractCall || AbstractCall->parameters().empty())
return;
ProgramStateRef State = C.getState();
- for (auto Parameter : AbstractCall->parameters()) {
+ for (const Expr *Parameter : AbstractCall->parameters()) {
if (!isValidPointerType(Parameter->getType()))
continue;
Nullability RequiredNullability =
getNullabilityAnnotation(Parameter->getType());
if (RequiredNullability != Nullability::Nullable)
continue;
const VarRegion *ParamRegion = State->getRegion(Parameter, LCtx);
- auto StoredVal = State->getSVal(ParamRegion).getAs<loc::MemRegionVal>();
- if (!StoredVal)
+ const MemRegion *ParamPointeeRegion = State->getSVal(ParamRegion).getAsRegion();
+ if (!ParamPointeeRegion)
continue;
- State = C.getState()->set<NullabilityMap>(
- StoredVal->getRegion(), NullabilityState(RequiredNullability));
- C.addTransition(State);
+ State = State->set<NullabilityMap>(
+ ParamPointeeRegion, NullabilityState(RequiredNullability));
}
+ C.addTransition(State);
}
// Whenever we see a load from a typed memory region that's been annotated as

Uh, the diffing here looks terrible.
What you probably want: Fold the States, and if you are done, transition - but only if we have any parameters.
We need to have a single addTransition() call if we want a single execution path modeled in the graph. We probably don't want one path on which the first parameter's annotation is known; and a separate one where only the second, etc.

steakhal: Uh, the diffing here looks terrible. What you probably want: Fold the `State`s, and if you are…
tripleCCAuthorUnsubmitted
Done
ReplyInline Actions

I made a rookie mistake here. I should call the addTransition function outside the for loop.

tripleCC: I made a rookie mistake here. I should call the `addTransition` function outside the for loop.
steakhalUnsubmitted
Done
ReplyInline Actions

Please note that each iteration of the loop will overwrite the state you made in the previous iteration this way.
Its most likely not what you want.
Because C.getState() will always return the same state no matter the context here.

steakhal: Please note that each iteration of the loop will overwrite the state you made in the previous…
tripleCCAuthorUnsubmitted
Done
ReplyInline Actions

Updated

tripleCC: Updated
NullabilityState(RequiredNullability));
}
C.addTransition(State);
}
// Whenever we see a load from a typed memory region that's been annotated as // Whenever we see a load from a typed memory region that's been annotated as
// 'nonnull', we want to trust the user on that and assume that it is is indeed // 'nonnull', we want to trust the user on that and assume that it is is indeed
// non-null. // non-null.
// //
// We do so even if the value is known to have been assigned to null. // We do so even if the value is known to have been assigned to null.
// The user should be warned on assigning the null value to a non-null pointer // The user should be warned on assigning the null value to a non-null pointer
// as opposed to warning on the later dereference of this pointer. // as opposed to warning on the later dereference of this pointer.
// //
▲ Show 20 LinesShow All 812 LinesShow Last 20 Lines

clang/test/Analysis/nullability.mm

Show First 20 LinesShow All 139 Lines▼ Show 20 Linesvoid testArgumentTracking(Dummy *_Nonnull nonnull, Dummy *_Nullable nullable) {
case 5: testMultiParamChecking(nonnull, nonnull, nonnull); break; case 5: testMultiParamChecking(nonnull, nonnull, nonnull); break;
case 6: testMultiParamChecking(nonnull, nullable, nullable); break; // expected-warning {{Nullable pointer is passed to a callee that requires a non-null 3rd parameter}} case 6: testMultiParamChecking(nonnull, nullable, nullable); break; // expected-warning {{Nullable pointer is passed to a callee that requires a non-null 3rd parameter}}
case 7: testMultiParamChecking(nullable, nullable, nonnull); // expected-warning {{Nullable pointer is passed to a callee that requires a non-null 1st parameter}} case 7: testMultiParamChecking(nullable, nullable, nonnull); // expected-warning {{Nullable pointer is passed to a callee that requires a non-null 1st parameter}}
case 8: testMultiParamChecking(nullable, nullable, nullable); // expected-warning {{Nullable pointer is passed to a callee that requires a non-null 1st parameter}} case 8: testMultiParamChecking(nullable, nullable, nullable); // expected-warning {{Nullable pointer is passed to a callee that requires a non-null 1st parameter}}
case 9: testMultiParamChecking((Dummy *_Nonnull)0, nullable, nonnull); break; case 9: testMultiParamChecking((Dummy *_Nonnull)0, nullable, nonnull); break;
} }
} }
void testArgumentTrackingDirectly(Dummy *_Nonnull nonnull, Dummy *_Nullable nullable) {
switch(getRandom()) {
case 1: testMultiParamChecking(nonnull, nullable, nonnull); break;
case 2: testMultiParamChecking(nonnull, nonnull, nonnull); break;
case 3: testMultiParamChecking(nonnull, nullable, nullable); break; // expected-warning {{Nullable pointer is passed to a callee that requires a non-null 3rd parameter}}
case 4: testMultiParamChecking(nullable, nullable, nonnull); // expected-warning {{Nullable pointer is passed to a callee that requires a non-null 1st parameter}}
case 5: testMultiParamChecking(nullable, nullable, nullable); // expected-warning {{Nullable pointer is passed to a callee that requires a non-null 1st parameter}}
case 6: testMultiParamChecking((Dummy *_Nonnull)0, nullable, nonnull); break;
}
}
Dummy *_Nonnull testNullableReturn(Dummy *_Nullable a) { Dummy *_Nonnull testNullableReturn(Dummy *_Nullable a) {
Dummy *p = a; Dummy *p = a;
return p; // expected-warning {{Nullable pointer is returned from a function that is expected to return a non-null value}} return p; // expected-warning {{Nullable pointer is returned from a function that is expected to return a non-null value}}
} }
Dummy *_Nonnull testNullReturn() { Dummy *_Nonnull testNullReturn() {
Dummy *p = 0; Dummy *p = 0;
return p; // expected-warning {{Null returned from a function that is expected to return a non-null value}} return p; // expected-warning {{Null returned from a function that is expected to return a non-null value}}
▲ Show 20 LinesShow All 473 LinesShow Last 20 Lines