This is an archive of the discontinued LLVM Phabricator instance.

Differential D31684

[sanitizer] Fix various issues reported by Clang Static Analyzer [NFC]
Needs ReviewPublic

Authored by kubamracek on Apr 4 2017, 4:06 PM.

Details

Reviewers
kcc
filcab
dvyukov
eugenis
rnk
Summary

There's several issues reported by Clang Static Analyzer: Some dead stores, some potential null-pointer dereferences, and a possible garbage value read. They are all pretty straightforward, so this patch fixes them all at once. NFC.

Diff Detail

Event Timeline

kubamracek created this revision.Apr 4 2017, 4:06 PM
dvyukov added inline comments.Apr 21 2017, 5:21 AM
lib/asan/asan_descriptions.cc
455

This is funny.
The code is incorrect. Your fix is incorrect. And we almost printed a wild address on wild address access. Still it worked correctly. The bug was masked by the fact that GetGlobalAddressInformation initializes first field with address when it must not, and the field is magically collocated with the addr field. So it all kinda worked in the end.

This needs to be:

data.addr = addr;
lib/tsan/rtl/tsan_stack_trace.cc
41

What's wrong with new_size=0? ResizeBuffer works for size=0, and in fact we call ResizeBuffer(0) in dtor.

lib/tsan/rtl/tsan_sync.cc
82

Is it the only potential nullptr-deref warning in sanitizer code? There are usually tons of them. So I am confused, is it really so special place? why?

Revision Contents

PathSize
lib/
asan/
2 lines
sanitizer_common/
2 lines
3 lines
tsan/
rtl/
4 lines
1 line

Diff 94134

lib/asan/asan_descriptions.cc

Show First 20 LinesShow All 446 Lines▼ Show 20 Lines if (isStackMemory) {
return; return;
} }
if (GetGlobalAddressInformation(addr, access_size, &data.global)) { if (GetGlobalAddressInformation(addr, access_size, &data.global)) {
data.kind = kAddressKindGlobal; data.kind = kAddressKindGlobal;
return; return;
} }
data.kind = kAddressKindWild; data.kind = kAddressKindWild;
addr = 0; data.addr = 0;
dvyukovUnsubmitted
Not Done
ReplyInline Actions

This is funny.
The code is incorrect. Your fix is incorrect. And we almost printed a wild address on wild address access. Still it worked correctly. The bug was masked by the fact that GetGlobalAddressInformation initializes first field with address when it must not, and the field is magically collocated with the addr field. So it all kinda worked in the end.

This needs to be:

data.addr = addr;
dvyukov: This is funny. The code is incorrect. Your fix is incorrect. And we almost printed a wild…
} }
void PrintAddressDescription(uptr addr, uptr access_size, void PrintAddressDescription(uptr addr, uptr access_size,
const char *bug_type) { const char *bug_type) {
ShadowAddressDescription shadow_descr; ShadowAddressDescription shadow_descr;
if (GetShadowAddressInformation(addr, &shadow_descr)) { if (GetShadowAddressInformation(addr, &shadow_descr)) {
shadow_descr.Print(); shadow_descr.Print();
return; return;
Show All 26 Lines

lib/sanitizer_common/sanitizer_symbolizer_libcdep.cc

Show First 20 LinesShow All 318 Lines▼ Show 20 Lines
// Parses a two-line string in the following format: // Parses a two-line string in the following format:
// <symbol_name> // <symbol_name>
// <start_address> <size> // <start_address> <size>
// Used by LLVMSymbolizer and InternalSymbolizer. // Used by LLVMSymbolizer and InternalSymbolizer.
void ParseSymbolizeDataOutput(const char *str, DataInfo *info) { void ParseSymbolizeDataOutput(const char *str, DataInfo *info) {
str = ExtractToken(str, "\n", &info->name); str = ExtractToken(str, "\n", &info->name);
str = ExtractUptr(str, " ", &info->start); str = ExtractUptr(str, " ", &info->start);
str = ExtractUptr(str, "\n", &info->size); ExtractUptr(str, "\n", &info->size);
} }
bool LLVMSymbolizer::SymbolizePC(uptr addr, SymbolizedStack *stack) { bool LLVMSymbolizer::SymbolizePC(uptr addr, SymbolizedStack *stack) {
AddressInfo *info = &stack->info; AddressInfo *info = &stack->info;
const char *buf = FormatAndSendCommand( const char *buf = FormatAndSendCommand(
/*is_data*/ false, info->module, info->module_offset, info->module_arch); /*is_data*/ false, info->module, info->module_offset, info->module_arch);
if (buf) { if (buf) {
ParseSymbolizePCOutput(buf, stack); ParseSymbolizePCOutput(buf, stack);
▲ Show 20 LinesShow All 140 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_symbolizer_mac.cc

Show First 20 LinesShow All 105 Lines▼ Show 20 Linesstatic bool ParseCommandOutput(const char *str, uptr addr, char **out_name,
} }
if (internal_strncmp(symbol_name, "0x", 2) != 0) if (internal_strncmp(symbol_name, "0x", 2) != 0)
*out_name = symbol_name; *out_name = symbol_name;
else else
InternalFree(symbol_name); InternalFree(symbol_name);
rest = ExtractTokenUpToDelimiter(rest, ") ", out_module); rest = ExtractTokenUpToDelimiter(rest, ") ", out_module);
if (line) *line = 0;
if (rest[0] == '(') { if (rest[0] == '(') {
if (out_file) { if (out_file) {
rest++; rest++;
rest = ExtractTokenUpToDelimiter(rest, ":", out_file); rest = ExtractTokenUpToDelimiter(rest, ":", out_file);
char *extracted_line_number; char *extracted_line_number;
rest = ExtractTokenUpToDelimiter(rest, ")", &extracted_line_number); ExtractTokenUpToDelimiter(rest, ")", &extracted_line_number);
if (line) *line = (uptr)internal_atoll(extracted_line_number); if (line) *line = (uptr)internal_atoll(extracted_line_number);
InternalFree(extracted_line_number); InternalFree(extracted_line_number);
} }
} else if (rest[0] == '+') { } else if (rest[0] == '+') {
rest += 2; rest += 2;
uptr offset = internal_atoll(rest); uptr offset = internal_atoll(rest);
if (start_address) *start_address = addr - offset; if (start_address) *start_address = addr - offset;
} }
▲ Show 20 LinesShow All 42 LinesShow Last 20 Lines

lib/tsan/rtl/tsan_stack_trace.cc

Show All 31 Lines trace_buffer =
? (uptr *)internal_alloc(MBlockStackTrace, ? (uptr *)internal_alloc(MBlockStackTrace,
new_size * sizeof(trace_buffer[0])) new_size * sizeof(trace_buffer[0]))
: nullptr; : nullptr;
trace = trace_buffer; trace = trace_buffer;
size = new_size; size = new_size;
} }
void VarSizeStackTrace::Init(const uptr *pcs, uptr cnt, uptr extra_top_pc) { void VarSizeStackTrace::Init(const uptr *pcs, uptr cnt, uptr extra_top_pc) {
ResizeBuffer(cnt + !!extra_top_pc); uptr new_size = cnt + !!extra_top_pc;
CHECK(new_size);
dvyukovUnsubmitted
Not Done
ReplyInline Actions

What's wrong with new_size=0? ResizeBuffer works for size=0, and in fact we call ResizeBuffer(0) in dtor.

dvyukov: What's wrong with new_size=0? ResizeBuffer works for size=0, and in fact we call ResizeBuffer…
ResizeBuffer(new_size);
internal_memcpy(trace_buffer, pcs, cnt * sizeof(trace_buffer[0])); internal_memcpy(trace_buffer, pcs, cnt * sizeof(trace_buffer[0]));
if (extra_top_pc) if (extra_top_pc)
trace_buffer[cnt] = extra_top_pc; trace_buffer[cnt] = extra_top_pc;
} }
} // namespace __tsan } // namespace __tsan

lib/tsan/rtl/tsan_sync.cc

Show First 20 LinesShow All 73 Lines▼ Show 20 Linesuptr MetaMap::FreeBlock(Processor *proc, uptr p) {
if (b == 0) if (b == 0)
return 0; return 0;
uptr sz = RoundUpTo(b->siz, kMetaShadowCell); uptr sz = RoundUpTo(b->siz, kMetaShadowCell);
FreeRange(proc, p, sz); FreeRange(proc, p, sz);
return sz; return sz;
} }
bool MetaMap::FreeRange(Processor *proc, uptr p, uptr sz) { bool MetaMap::FreeRange(Processor *proc, uptr p, uptr sz) {
CHECK(proc);
dvyukovUnsubmitted
Not Done
ReplyInline Actions

Is it the only potential nullptr-deref warning in sanitizer code? There are usually tons of them. So I am confused, is it really so special place? why?

dvyukov: Is it the only potential nullptr-deref warning in sanitizer code? There are usually tons of…
bool has_something = false; bool has_something = false;
u32 *meta = MemToMeta(p); u32 *meta = MemToMeta(p);
u32 *end = MemToMeta(p + sz); u32 *end = MemToMeta(p + sz);
if (end == meta) if (end == meta)
end++; end++;
for (; meta < end; meta++) { for (; meta < end; meta++) {
u32 idx = *meta; u32 idx = *meta;
if (idx == 0) { if (idx == 0) {
▲ Show 20 LinesShow All 205 LinesShow Last 20 Lines