This is an archive of the discontinued LLVM Phabricator instance.

Differential D156787

[analyzer][attr] Add docs to ownership_* attributes
Needs ReviewPublic

Authored by Szelethus on Aug 1 2023, 6:08 AM.

Details

Reviewers
NoQ
steakhal
donat.nagy
balazske
gamesh411
aaron.ballman
Summary

Pretty much what it says on the tin! I worked a bunch on this checker so I had some vague memory (hehe) what these annotations mean, and also found this thread in the mailing list:
https://discourse.llvm.org/t/ownership-attribute-for-malloc-etc-checking/16260

Diff Detail

Event Timeline

Szelethus created this revision.Aug 1 2023, 6:08 AM
Herald added a reviewer: aaron.ballman. · View Herald TranscriptAug 1 2023, 6:08 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: manas, ASDenysPetrov, martong and 7 others. · View Herald Transcript
Szelethus requested review of this revision.Aug 1 2023, 6:08 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 1 2023, 6:08 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
aaron.ballman added a comment.Aug 1 2023, 8:15 AM

Thank you for adding documentation for these attributes, it's greatly appreciated!

clang/include/clang/Basic/AttrDocs.td
1171–1175
1177–1180
1189

I'm a bit confused on this last bit; how is the user supposed to statically know that value? I read this as claiming my_malloc returns 1 byte of dynamic storage; can the user tie the allocation to a parameter value instead?

1192–1193

We should document whether this is a 1-based index or a 0-based index, and we should also explain how the index works for member functions where there may be an implicit this argument involved.

steakhal added a comment.Aug 1 2023, 8:26 AM

I haven't looked at the content but I have the feeling that we should probably backport this to release/17.x

Harbormaster completed remote builds in B249459: Diff 546016.Aug 1 2023, 8:43 AM
steakhal added inline comments.Aug 3 2023, 12:55 AM
clang/test/Analysis/malloc-annotations.c
151–155

Please, consider elaborating on this test with some comments, as it's not clear to me at first glance - without reading anything about the attributes - what's going on here.

Szelethus updated this revision to Diff 548116.Aug 8 2023, 2:12 AM
Szelethus marked 4 inline comments as done.

Fixes according to reviewer comments.

Szelethus added inline comments.Aug 8 2023, 2:15 AM
clang/include/clang/Basic/AttrDocs.td
1189

I share your confusion, I guess. What I've written here is my best understanding of how this works, unfortunately, these annotations were made in ~2010 (when I was still in elementary school) and abandoned since.

I read this as claiming my_malloc returns 1 byte of dynamic storage;

Thats what the corresponding code in the Static Analyzer leads me to believe as well.

can the user tie the allocation to a parameter value instead?

No.

Harbormaster completed remote builds in B251030: Diff 548116.Aug 8 2023, 3:39 AM
donat.nagy added inline comments.Aug 8 2023, 4:07 AM
clang/include/clang/Basic/AttrDocs.td
1189

I'd guess that this annotation was designed for factory functions that construct an instance of a concrete struct type on the heap. Allowing "generic" malloc variants (where the allocation size is specified by a parameter) would be a good additional feature, but I think that the current annotation also has its own uses.

Perhaps it would be good to provide examples like

void __attribute((ownership_takes(malloc, 1))) free_widget(struct widget *);
struct widget *__attribute((ownership_returns(malloc, sizeof(struct widget)))) create_widget(void);
void __attribute((ownership_holds(malloc, 1))) hold_widget(struct widget *);

that correspond to this use case. (By the way, does the checker handle non-void* pointers?)

aaron.ballman added inline comments.Aug 8 2023, 7:57 AM
clang/include/clang/Basic/AttrDocs.td
1189

I share your confusion, I guess. What I've written here is my best understanding of how this works, unfortunately, these annotations were made in ~2010 (when I was still in elementary school) and abandoned since.

This comment came on the same week when I had someone much younger than me ask me what Tetris was. I'll go shake my cane at some passing clouds, now. ;-)

1189

That code doesn't compile because the argument is somehow "out of bounds": https://godbolt.org/z/3e4TbhcT6

I did some digging and the second argument in all three cases is a parameter index, at least according to the attribute handling code: https://github.com/llvm/llvm-project/blob/895c4ac33fc8b21bd69b017d1cecf874ca47e178/clang/lib/Sema/SemaDeclAttr.cpp#L1857

The static analyzer uses that information to determine which expression specifies the size: https://github.com/llvm/llvm-project/blob/895c4ac33fc8b21bd69b017d1cecf874ca47e178/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp#L1693

So I think the way to document this is that the second argument to ownership_returns specifies the parameter index which will specify the size of the the allocation. e.g.,

__attribute__((ownership_returns(malloc, 2))) void *func(unsigned val, unsigned size);

this doesn't return 2 bytes of allocated storage, it's saying the second parameter specifies the size of what's returned, in bytes.

(Someone should double-check my logic against how the static analyzer actually behaves just to be sure I'm right about this.)

Revision Contents

PathSize
clang/
include/
clang/
Basic/
2 lines
55 lines
lib/
StaticAnalyzer/
Checkers/
2 lines
test/
Analysis/
8 lines

Diff 548116

clang/include/clang/Basic/Attr.td

Show First 20 LinesShow All 2,349 Lines▼ Show 20 Lines OwnershipKind getOwnKind() const {
return isHolds() ? Holds : return isHolds() ? Holds :
isTakes() ? Takes : isTakes() ? Takes :
Returns; Returns;
} }
}]; }];
let Args = [IdentifierArgument<"Module">, let Args = [IdentifierArgument<"Module">,
VariadicParamIdxArgument<"Args">]; VariadicParamIdxArgument<"Args">];
let Subjects = SubjectList<[HasFunctionProto]>; let Subjects = SubjectList<[HasFunctionProto]>;
let Documentation = [Undocumented]; let Documentation = [OwnershipDocs];
} }
def Packed : InheritableAttr { def Packed : InheritableAttr {
let Spellings = [GCC<"packed">]; let Spellings = [GCC<"packed">];
// let Subjects = [Tag, Field]; // let Subjects = [Tag, Field];
let Documentation = [Undocumented]; let Documentation = [Undocumented];
} }
▲ Show 20 LinesShow All 1,763 LinesShow Last 20 Lines

clang/include/clang/Basic/AttrDocs.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 1,158 Lines▼ Show 20 Lines
Support for unmarked overloads is not present in some versions of clang. You may Support for unmarked overloads is not present in some versions of clang. You may
query for it using ``__has_extension(overloadable_unmarked)``. query for it using ``__has_extension(overloadable_unmarked)``.
Query for this attribute with ``__has_attribute(overloadable)``. Query for this attribute with ``__has_attribute(overloadable)``.
}]; }];
} }
def OwnershipDocs : Documentation {
let Category = DocCatFunction;
let Heading = "ownership_holds, ownership_returns, ownership_takes";
let Content = [{
These attributes help the static analyzer understand custom ownership management
functions. None of these affect the generated binary in any way, they are only
meant to assist the Clang Static Analyzer. You can use these annotations if your
code uses wrapper functions around ``malloc`` or ``free``, or uses functions
that take over ownership altogether.
aaron.ballmanUnsubmitted
Done
ReplyInline Actions
let Content = [{
These attributes help the static analyzer understand custom ownership management
- functions. Neither of these affect the generated binary in any way, its only
+ functions. None of these affect the generated binary in any way, they are only
meant to assist the Clang Static Analyzer. You can use these annotations if your
code uses wrapper functions around ``malloc`` or ``free``, or uses functions
that take over ownership altogether.
All 3 annotations have two parameters: the first is type of allocator used to
aaron.ballman:
Each annotation has two parameters: the first is the type of allocator used to
allocate the memory (the only accepted value currently is ``malloc``, but
we intend to recognize ``new`` in the future). We use this to check whether the
correct deallocator is used. The second is an integer value, described below.
aaron.ballmanUnsubmitted
Done
ReplyInline Actions
that take over ownership altogether.
- All 3 annotations have two parameters: the first is type of allocator used to
- allocate the memory (as of writing, the only accepted value is ``malloc``, but
- we intend to recognize ``new`` as well). We use this to check whether the
- correct deallocator is used. The second is an integer value.
+ Each annotation has two parameters: the first is the type of allocator used to
+ allocate the memory (the only accepted value currently is ``malloc``, but
+ we intend to recognize ``new`` in the future). We use this to check whether the
+ correct deallocator is used. The second is an integer value, described below.
.. code-block:: c
aaron.ballman:
.. code-block:: c
void __attribute((ownership_takes(malloc, 1))) my_free(void *);
void *__attribute((ownership_returns(malloc, 1))) my_malloc(size_t);
void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
``onwership_returns``: Functions with this annotation return dynamic memory.
The second annotation parameter is the size of the returned memory in bytes.
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I'm a bit confused on this last bit; how is the user supposed to statically know that value? I read this as claiming my_malloc returns 1 byte of dynamic storage; can the user tie the allocation to a parameter value instead?

aaron.ballman: I'm a bit confused on this last bit; how is the user supposed to statically know that value? I…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

I share your confusion, I guess. What I've written here is my best understanding of how this works, unfortunately, these annotations were made in ~2010 (when I was still in elementary school) and abandoned since.

I read this as claiming my_malloc returns 1 byte of dynamic storage;

Thats what the corresponding code in the Static Analyzer leads me to believe as well.

can the user tie the allocation to a parameter value instead?

No.

Szelethus: I share your confusion, I guess. What I've written here is my best understanding of how this…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I share your confusion, I guess. What I've written here is my best understanding of how this works, unfortunately, these annotations were made in ~2010 (when I was still in elementary school) and abandoned since.

This comment came on the same week when I had someone much younger than me ask me what Tetris was. I'll go shake my cane at some passing clouds, now. ;-)

aaron.ballman: > I share your confusion, I guess. What I've written here is my best understanding of how this…
donat.nagyUnsubmitted
Not Done
ReplyInline Actions

I'd guess that this annotation was designed for factory functions that construct an instance of a concrete struct type on the heap. Allowing "generic" malloc variants (where the allocation size is specified by a parameter) would be a good additional feature, but I think that the current annotation also has its own uses.

Perhaps it would be good to provide examples like

void __attribute((ownership_takes(malloc, 1))) free_widget(struct widget *);
struct widget *__attribute((ownership_returns(malloc, sizeof(struct widget)))) create_widget(void);
void __attribute((ownership_holds(malloc, 1))) hold_widget(struct widget *);

that correspond to this use case. (By the way, does the checker handle non-void* pointers?)

donat.nagy: I'd guess that this annotation was designed for factory functions that construct an instance of…
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

That code doesn't compile because the argument is somehow "out of bounds": https://godbolt.org/z/3e4TbhcT6

I did some digging and the second argument in all three cases is a parameter index, at least according to the attribute handling code: https://github.com/llvm/llvm-project/blob/895c4ac33fc8b21bd69b017d1cecf874ca47e178/clang/lib/Sema/SemaDeclAttr.cpp#L1857

The static analyzer uses that information to determine which expression specifies the size: https://github.com/llvm/llvm-project/blob/895c4ac33fc8b21bd69b017d1cecf874ca47e178/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp#L1693

So I think the way to document this is that the second argument to ownership_returns specifies the parameter index which will specify the size of the the allocation. e.g.,

__attribute__((ownership_returns(malloc, 2))) void *func(unsigned val, unsigned size);

this doesn't return 2 bytes of allocated storage, it's saying the second parameter specifies the size of what's returned, in bytes.

(Someone should double-check my logic against how the static analyzer actually behaves just to be sure I'm right about this.)

aaron.ballman: That code doesn't compile because the argument is somehow "out of bounds": https://godbolt.
``ownership_takes``: Functions with this annotation deallocate one of the
function parameters. The second annotation parameter is the index of the
function parameter to deallocate.
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

We should document whether this is a 1-based index or a 0-based index, and we should also explain how the index works for member functions where there may be an implicit this argument involved.

aaron.ballman: We should document whether this is a 1-based index or a 0-based index, and we should also…
``ownership_holds``: Functions with this annotation take over the ownership of
one of the parameters. The static analyzer doesn't assume it to be deallocated
immediately, but assumes that it will be before the end of the program. The
second annotation parameter is the index of the function parameter to take hold
of. Indexing starts at 1, so the first parameter's index is 1. The implicit this
parameter is not supported at this time.
.. code-block:: c
void foobar() {
int *p = my_malloc(sizeof(int));
} // warn: Memory leak
void foo() {
int *p = my_malloc(sizeof(int));
my_free(p);
free(p); // warn: Attempt to free released memory
}
void bar() {
int *p = my_malloc(sizeof(int));
my_hold(p);
*p = 4; // no warn: Pointer is not released
} // no warn: Ownership is transferred and assumed to have not escaped
}];
}
def ObjCMethodFamilyDocs : Documentation { def ObjCMethodFamilyDocs : Documentation {
let Category = DocCatFunction; let Category = DocCatFunction;
let Content = [{ let Content = [{
Many methods in Objective-C have conventional meanings determined by their Many methods in Objective-C have conventional meanings determined by their
selectors. It is sometimes useful to be able to mark a method as having a selectors. It is sometimes useful to be able to mark a method as having a
particular conventional meaning despite not having the right selector, or as particular conventional meaning despite not having the right selector, or as
not having the conventional meaning that its selector would suggest. For these not having the conventional meaning that its selector would suggest. For these
use cases, we provide an attribute to specifically describe the "method family" use cases, we provide an attribute to specifically describe the "method family"
▲ Show 20 LinesShow All 5,675 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 1,770 Lines▼ Show 20 Lines
ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
const CallEvent &Call, const CallEvent &Call,
const OwnershipAttr *Att, const OwnershipAttr *Att,
ProgramStateRef State) const { ProgramStateRef State) const {
if (!State) if (!State)
return nullptr; return nullptr;
// TODO: Check the attribute docs in AttrDocs.td, it states that only malloc
// is accepted. Please adjust if we start supporting "new".
if (Att->getModule()->getName() != "malloc") if (Att->getModule()->getName() != "malloc")
return nullptr; return nullptr;
bool IsKnownToBeAllocated = false; bool IsKnownToBeAllocated = false;
for (const auto &Arg : Att->args()) { for (const auto &Arg : Att->args()) {
ProgramStateRef StateI = ProgramStateRef StateI =
FreeMemAux(C, Call, State, Arg.getASTIndex(), FreeMemAux(C, Call, State, Arg.getASTIndex(),
▲ Show 20 LinesShow All 1,842 LinesShow Last 20 Lines

clang/test/Analysis/malloc-annotations.c

Show First 20 LinesShow All 142 Lines▼ Show 20 Lines
// This case is (possibly) ok, be conservative // This case is (possibly) ok, be conservative
int * af5(void) { int * af5(void) {
int *p = my_malloc(12); int *p = my_malloc(12);
my_hold(p); my_hold(p);
return p; // no-warning return p; // no-warning
} }
// Test ownership_holds -- we expect the ownership to be taken over, and a
// result assume that the memory will not leak, but also not released yet.
void af6(void) {
int *p = my_malloc(12);
my_hold(p);
steakhalUnsubmitted
Done
ReplyInline Actions

Please, consider elaborating on this test with some comments, as it's not clear to me at first glance - without reading anything about the attributes - what's going on here.

steakhal: Please, consider elaborating on this test with some comments, as it's not clear to me at first…
*p = 4; // no-warn: memory is not released yet
} // no-warn: assume my_hold takes care of releasing the memory
// This case tests that storing malloc'ed memory to a static variable which is // This case tests that storing malloc'ed memory to a static variable which is
// then returned is not leaked. In the absence of known contracts for functions // then returned is not leaked. In the absence of known contracts for functions
// or inter-procedural analysis, this is a conservative answer. // or inter-procedural analysis, this is a conservative answer.
int *f3(void) { int *f3(void) {
static int *p = 0; static int *p = 0;
p = malloc(12); p = malloc(12);
▲ Show 20 LinesShow All 117 LinesShow Last 20 Lines