This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
cfe/trunk/
-
trunk/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
BugReporter.cpp
-
test/Analysis/
-
Analysis/
-
max-nodes-suppress-on-sink.c

Differential D28023

[analyzer] Fix leak false positives before no-return functions caused by incomplete analyses.
ClosedPublic

Authored by NoQ on Dec 21 2016, 5:56 AM.

Download Raw Diff

Details

Reviewers

dcoughlin
a.sidorin
zaks.anna
xazax.hun

Commits

rG0e0a8b4d8569: [analyzer] Improve suppress-on-sink behavior in incomplete analyses.
rC290341: [analyzer] Improve suppress-on-sink behavior in incomplete analyses.
rL290341: [analyzer] Improve suppress-on-sink behavior in incomplete analyses.

Summary

Consider an example:

void foo(int y) {
  void *x = malloc(1);
  assert(y); // macro that expands to "if (!y) exit(1);"
  free(x);
}

In CFG block corresponding to exit(1), variable x is dead, because both CFG and LivenessAnalysis are aware of no-return functions and realize that we don't ever reach the reference to x in free(x) from this block.

Because x is dead, its binding - symbol returned by malloc - is also dead, and MallocChecker reports a memory leak warning.

However, because such warning would not be particularly useful (nobody ever frees memory before assertion failures), MallocChecker's BugType has setSuppressOnSink(true), and this warning would be discarded later by BugReporter and never presented to the user.

Warnings with suppress-on-sink are discarded during FlushReports when BugReporter notices that all paths in ExplodedGraph that pass through the warning eventually run into a sink node.

Apart from suppressing false positives similar to the example above, this mechanism has a second purpose - to filter out non-fatal bugs when the path runs into a fatal bug. For that second purpose, the mechanism works perfectly.

However, suppress-on-sink fails to filter out false positives when the analysis terminates too early - by running into analyzer limits, such as block count limits or graph size limits - and the interruption hits the narrow window between throwing the leak report and reaching the no-return function call. In such case the report is there, however suppression-on-sink doesn't work, because the sink node was never constructed in the incomplete ExplodedGraph.

In a particular report i've been investigating, the false positive disappeared when i set -analyzer-config max-nodes to less than 149995 or more than 150105 (+/- 0.08% of the default value 150000).

Note that suppress-on-sink is an "all paths" problem - we're trying to detect an event that occurs on all execution paths after a certain point. Such problems should not be solved by exploring ExplodedGraph for this very reason - the graph is not guaranteed to even contain all paths. In some cases it is acceptable to behave conservatively when the graph is known to be incomplete, however in this case it would result in disproportional amounts of leak false-negatives.

This patch implements a very partial solution: also suppress reports thrown against a statement-node that corresponds to a statement that belongs to a no-return block of the CFG.

This solution is partial because no-return functions that we failed to reach may also be found in subsequent blocks or in a different function. However, for the simple implementation of the assert() macro (that expands to an if followed by a no-return function), this patch fixes the problem.

Diff Detail

Repository: rL LLVM

Event Timeline

NoQ updated this revision to Diff 82229.Dec 21 2016, 5:56 AM

NoQ retitled this revision from to [analyzer] Fix leak false positives before no-return functions caused by incomplete analyses..

NoQ updated this object.

NoQ added reviewers: zaks.anna, dcoughlin, xazax.hun, a.sidorin.

NoQ added a subscriber: cfe-commits.

Looks useful and mostly good. A small advice is in inline comments.

lib/StaticAnalyzer/Core/BugReporter.cpp
3294 ↗	(On Diff #82229)	Maybe it is possible to use `CFGStmtMap` for search?

a.sidorin added inline comments.Dec 21 2016, 8:20 AM

lib/StaticAnalyzer/Core/BugReporter.cpp
3363 ↗	(On Diff #82229)	I took a brief look and found that we have Domination analysis for clang CFG but not PostDomination analysis. However, `llvm::DominatorTreeBase` that is used internally in `clang::DominatorTree` may be constructed for post-domination analysis. Is it possible to implement such analysis quickly (or modify `clang::DominatorTree` to support it)? If the answer is no, don't mind.

With the change Aleksei suggested (can you get the CFGStmtMap from the AnalysisDeclContext?), looks good to me.

I especially like the test!

lib/StaticAnalyzer/Core/BugReporter.cpp
3363 ↗	(On Diff #82229)	Do you actually want a FIXME here? Are you certain it would it be a good use of some future contributor's time to rewrite this? If not then you might want to soften it to a normal comment. (New contributors often search the codebase for FIXMEs to address as their first patch -- so a FIXME is a recommendation that someone actually fix it, rather than an acknowledgement/documentation of some known limitation).
test/Analysis/max-nodes-suppress-on-sink.c
6 ↗	(On Diff #82229)	Using "throw" is not correct here. I would suggest "emit" or"report".
27 ↗	(On Diff #82229)	This is great.

This revision is now accepted and ready to land.Dec 21 2016, 8:49 AM

Closed by commit rL290341: [analyzer] Improve suppress-on-sink behavior in incomplete analyses. (authored by dergachev). · Explain WhyDec 22 2016, 6:59 AM

This revision was automatically updated to reflect the committed changes.

NoQ mentioned this in D35673: [analyzer] A better CFG-based suppress-on-sink..Jul 20 2017, 3:37 AM

Revision Contents

Path

Size

cfe/

trunk/

lib/

StaticAnalyzer/

Core/

BugReporter.cpp

26 lines

test/

Analysis/

max-nodes-suppress-on-sink.c

31 lines

Diff 82339

cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp

Show All 15 Lines
#include "clang/AST/ASTContext.h"		#include "clang/AST/ASTContext.h"
#include "clang/AST/DeclObjC.h"		#include "clang/AST/DeclObjC.h"
#include "clang/AST/Expr.h"		#include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h"		#include "clang/AST/ExprCXX.h"
#include "clang/AST/ParentMap.h"		#include "clang/AST/ParentMap.h"
#include "clang/AST/StmtCXX.h"		#include "clang/AST/StmtCXX.h"
#include "clang/AST/StmtObjC.h"		#include "clang/AST/StmtObjC.h"
#include "clang/Analysis/CFG.h"		#include "clang/Analysis/CFG.h"
		#include "clang/Analysis/CFGStmtMap.h"
#include "clang/Analysis/ProgramPoint.h"		#include "clang/Analysis/ProgramPoint.h"
#include "clang/Basic/SourceManager.h"		#include "clang/Basic/SourceManager.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"		#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"		#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "llvm/ADT/DenseMap.h"		#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/IntrusiveRefCntPtr.h"		#include "llvm/ADT/IntrusiveRefCntPtr.h"
#include "llvm/ADT/STLExtras.h"		#include "llvm/ADT/STLExtras.h"
▲ Show 20 Lines • Show All 3,248 Lines • ▼ Show 20 Lines	struct FRIEC_WLItem {
const ExplodedNode *N;		const ExplodedNode *N;
ExplodedNode::const_succ_iterator I, E;		ExplodedNode::const_succ_iterator I, E;

FRIEC_WLItem(const ExplodedNode *n)		FRIEC_WLItem(const ExplodedNode *n)
: N(n), I(N->succ_begin()), E(N->succ_end()) {}		: N(n), I(N->succ_begin()), E(N->succ_end()) {}
};		};
}		}

		static const CFGBlock findBlockForNode(const ExplodedNode N) {
		ProgramPoint P = N->getLocation();
		if (auto BEP = P.getAs<BlockEntrance>())
		return BEP->getBlock();

		// Find the node's current statement in the CFG.
		if (const Stmt *S = PathDiagnosticLocation::getStmt(N))
		return N->getLocationContext()->getAnalysisDeclContext()
		->getCFGStmtMap()->getBlock(S);

		return nullptr;
		}

static BugReport *		static BugReport *
FindReportInEquivalenceClass(BugReportEquivClass& EQ,		FindReportInEquivalenceClass(BugReportEquivClass& EQ,
SmallVectorImpl<BugReport*> &bugReports) {		SmallVectorImpl<BugReport*> &bugReports) {

BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end();		BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end();
assert(I != E);		assert(I != E);
BugType& BT = I->getBugType();		BugType& BT = I->getBugType();

Show All 32 Lines	for (; I != E; ++I) {
// No successors? By definition this nodes isn't post-dominated by a sink.		// No successors? By definition this nodes isn't post-dominated by a sink.
if (errorNode->succ_empty()) {		if (errorNode->succ_empty()) {
bugReports.push_back(&*I);		bugReports.push_back(&*I);
if (!exampleReport)		if (!exampleReport)
exampleReport = &*I;		exampleReport = &*I;
continue;		continue;
}		}

		// See if we are in a no-return CFG block. If so, treat this similarly
		// to being post-dominated by a sink. This works better when the analysis
		// is incomplete and we have never reached a no-return function
		// we're post-dominated by.
		// This is not quite enough to handle the incomplete analysis case.
		// We may be post-dominated in subsequent blocks, or even
		// inter-procedurally. However, it is not clear if more complicated
		// cases are generally worth suppressing.
		if (const CFGBlock *B = findBlockForNode(errorNode))
		if (B->hasNoReturnElement())
		continue;

// At this point we know that 'N' is not a sink and it has at least one		// At this point we know that 'N' is not a sink and it has at least one
// successor. Use a DFS worklist to find a non-sink end-of-path node.		// successor. Use a DFS worklist to find a non-sink end-of-path node.
typedef FRIEC_WLItem WLItem;		typedef FRIEC_WLItem WLItem;
typedef SmallVector<WLItem, 10> DFSWorkList;		typedef SmallVector<WLItem, 10> DFSWorkList;
llvm::DenseMap<const ExplodedNode *, unsigned> Visited;		llvm::DenseMap<const ExplodedNode *, unsigned> Visited;

DFSWorkList WL;		DFSWorkList WL;
WL.push_back(errorNode);		WL.push_back(errorNode);
▲ Show 20 Lines • Show All 249 Lines • Show Last 20 Lines

cfe/trunk/test/Analysis/max-nodes-suppress-on-sink.c

				// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-config max-nodes=12 -verify %s

				// Here we test how "suppress on sink" feature of certain bugtypes interacts
				// with reaching analysis limits.

				// If we report a warning of a bug-type with "suppress on sink" attribute set
				// (such as MallocChecker's memory leak warning), then failing to reach the
				// reason for the sink (eg. no-return function such as "exit()") due to analysis
				// limits (eg. max-nodes option), we may produce a false positive.

				typedef __typeof(sizeof(int)) size_t;
				void *malloc(size_t);

				extern void exit(int) __attribute__ ((__noreturn__));

				void clang_analyzer_warnIfReached(void);

				void test_single_cfg_block_sink() {
				void *p = malloc(1); // no-warning (wherever the leak warning may occur here)

				// Due to max-nodes option in the run line, we should reach the first call
				// but bail out before the second call.
				// If the test on these two lines starts failing, see if modifying
				// the max-nodes run-line helps.
				clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
				clang_analyzer_warnIfReached(); // no-warning

				// Even though we do not reach this line, we should still suppress
				// the leak report.
				exit(0);
				}