This is an archive of the discontinued LLVM Phabricator instance.

Differential D32449

Modifying PthreadLockChecker.cpp to reduce false positives.
ClosedPublic

Authored by malhar1995 on Apr 24 2017, 12:13 PM.

Details

Reviewers
dcoughlin
cfe-commits
NoQ
Commits
rG77915931382d: [analyzer] PthreadLockChecker: model failed pthread_mutex_destroy() calls.
rC304159: [analyzer] PthreadLockChecker: model failed pthread_mutex_destroy() calls.
rL304159: [analyzer] PthreadLockChecker: model failed pthread_mutex_destroy() calls.
Summary

I am currently working on to avoid false positives which currently occur as the return values of mutex functions like pthread_mutex_destroy() are not taken into consideration.

The precise description of the bug can be found here: https://bugs.llvm.org/show_bug.cgi?id=32455

Dr. Devin and Dr. Artem have been guiding me to fix PthreadLockChecker to avoid such false positives. The patch I'm attaching is not 100% correct and hence I need your advice to proceed further.

Thank you.

Diff Detail

Repository
rL LLVM

Event Timeline

malhar1995 created this revision.Apr 24 2017, 12:13 PM
NoQ edited reviewers, added: NoQ; removed: dergachev.a.May 3 2017, 4:28 AM
NoQ added a subscriber: NoQ.

Uhm, i need to do something about this duplicate account. Sorry, I have completely forgotten that the review is already up...

NoQ edited edge metadata.May 3 2017, 5:17 AM

Thanks for uploading this to phabricator and sorry again that i was lost for a while.

As we already discussed in the mailing lists, i agree with your point that the locked-and-possibly-destroyed state should be removed, and we also had a thought of making it explicit that the patch only applies to posix thread semantics, not to XNU semantics - in other words, there should appear different branches of code depending on the lock's semantics.

Could you also upload the patch file with the "context" (eg. git diff -U999999 would include +/- 999999 unchanged lines around the changes in the patch file, and phabricator would use them fancily to make reviewing easier; otherwise i don't immediately see which callback you are changing in a particular spot).

Once the patch would reach completion, it'd need to be cleaned up for formatting/whitespace; we usually run clang-format over our changes with default settings and it does everything for us.

lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp
21 ↗(On Diff #96439)

You don't need to include <iostream even for your own debugging, because we have this other facility:

llvm::errs() << "prpr " << RetVal << '\n';

(yeah, you can put SVal and some other objects into llvm::errs() directly (which would be equivalent to .dump()ing them), which is also handy).

145–151 ↗(On Diff #96439)

This code gets duplicated multiple times - including the checkDeadSymbols callback as well; can we refactor it into a function?

154 ↗(On Diff #96439)

I'd like you to consider various corner cases. Note that because we have the REGISTER_MAP_WITH_PROGRAMSTATE privately in this file, only code in this file can affect the contents of that program state trait. So we have complete knowledge of what can and cannot be in the program state.

For example, can it be that there's a symbol in the DestroyRetVal map, but lstate is not present for the same mutex region in the LockMap? Or does the code ensure that the former implies the latter? If we are sure that some invariants hold, then we should remove the respective if () and ideally replace it with an assert().

If you find invariants that always hold, it would be great to write these down in the comments inside the code.

xiangzhai added a subscriber: xiangzhai.May 5 2017, 12:07 AM
zaks.anna added a subscriber: zaks.anna.May 10 2017, 6:32 PM

Thank you for the patch! Could you please re-submit the patch with context? Instructions on how to do that can be found here:
http://llvm.org/docs/Phabricator.html

malhar1995 updated this revision to Diff 99179.May 16 2017, 12:32 PM

Added context.
Also, I removed the inclusion of iostream and also added the repetitive code to the function setAppropriateLockState.
Currently working on finding various corner cases and invariants.

malhar1995 updated this revision to Diff 99388.May 17 2017, 8:38 PM
malhar1995 marked an inline comment as done.

Cleaned up the previous patch.
Added checking of LockState before initializing a mutex as well.
Added separate branches of execution for PthreadSemantics and XNUSemantics.
Added assert in case of checkDeadSymbols as existence in DestroyRetVal ensures existence in LockMap.

NoQ added a comment.May 20 2017, 5:30 AM

Thanks! Your code looks very clear now, and it seems correct to me.

One last thing we definitely should do here would be add regression tests for the new functionality. I guess you already have your tests, otherwise you wouldn't know if your code works, so you'd just need to append them to the patch, somewhere at the bottom of test/Analysis/pthreadlock.c, and make sure that make -j4 check-clang-analysis passes. Ideally, we should cover as many branches as possible.

A few ideas of what to test (you might have thought about most of them already, and i expect them to actually work by just looking at what your code accomplishes):

  • What we can/cannot do with the mutex in the failed-to-be-destroyed state, depending on the state of the mutex before destruction was attempted.
  • What we can/cannot do with the mutex in each of the "Schrodinger" states - in particular, do we display the double-destroy warning in such cases?
  • How return-symbol death races against resolving success of the destroy operation: what if the programmer first tries to destroy mutex, then uses the mutex, then checks the return value?
  • Are you sure we cannot assert(lstate) on line 137? - a test could be added that would cause such assertion to fail if someone tries to impose it.

Apart from that, i guess it'd be good to use more informative variable names in a few places (see inline comments), and fix the formatting, i.e. spaces and line breaks (should be easy with clang-format). Also you shouldn't add the .DS_Store files :) And then we'd accept and commit this patch.

lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp
28 ↗(On Diff #99388)

I still think these names, no matter if a good metaphor or not and no matter how much i enjoyed them, should be toned down :) Suggesting UntouchedAndPossiblyDestroyed and UnlockedAndPossiblyDestroyed.

77 ↗(On Diff #99388)

I suggest renaming to something like "resolvePossiblyDestroyedMutex()".

Also, i'm for passing the symbol by value (with * dereference at most call sites) because it's less surprising/confusing to the reader.

I also suggest a comment explaining what the function does. Eg., "When a lock is destroyed, in some semantics we are not sure if the destroy call has succeeded or failed, and the lock enters one of the 'possibly destroyed' state. There is a short time frame for the programmer to check the return value to see if the lock was successfully destroyed. Before we model the next operation over that lock, we call this function to see if the return value was checked by now and set the lock state - either to destroyed state or back to its previous state."

81–85 ↗(On Diff #99388)

Because there's only one comment per three traits, it'd be great to clean this up a bit together with commenting up your new trait:

// A stack of locks for tracking lock-unlock order.
REGISTER_LIST_WITH_PROGRAMSTATE(LockSet, const MemRegion *)

// An entry for tracking lock states.
REGISTER_MAP_WITH_PROGRAMSTATE(LockMap, const MemRegion *, LockState)

// Return values for unresolved destroy calls.
REGISTER_MAP_WITH_PROGRAMSTATE(DestroyRetVal, const MemRegion *, SymbolRef)
143–146 ↗(On Diff #99388)

I think we can be certain that the lock is in one of these states, and assert that.

149–151 ↗(On Diff #99388)

Assert the lock state here as well?

302–308 ↗(On Diff #99388)

A bit shorter and more stylish:

SymbolRef RetSym = C.getSVal(CE).getAsSymbol();
if (!RetSym)
  return;

Also, we may want to see what happens when the value is not a symbol. This would be surprising, but it may happen if the body of pthread_mutex_destroy() is suddenly available in our translation unit and we modeled the call, or another checker has assisted with modeling it. In this case the return value may be a concrete integer (say 0 or 1) or an UnknownVal or an UndefinedVal. It may also be something completely weird such as a pointer or a structure if the user defines his own function that is called "pthread_mutex_destroy()" but does something completely different.

I suggest to stop tracking the lock region in case RetSym is null (remove LockR from the LockMap), because in the really weird case when this code actually gets triggered, we'd at least not say that the mutex is still locked later on the path.

Additionally, by adding the transition before that return, we ensure that setAppropriateLockState above has taken effect.

399 ↗(On Diff #99388)

Could you add here a

// TODO: Clean LockMap when a mutex region dies.

That's not something you should instantly do, but it's definitely something that needs to be done for this checker some day.

malhar1995 marked 2 inline comments as done.May 20 2017, 5:54 AM
In D32449#760141, @NoQ wrote:

Thanks! Your code looks very clear now, and it seems correct to me.

One last thing we definitely should do here would be add regression tests for the new functionality. I guess you already have your tests, otherwise you wouldn't know if your code works, so you'd just need to append them to the patch, somewhere at the bottom of test/Analysis/pthreadlock.c, and make sure that make -j4 check-clang-analysis passes. Ideally, we should cover as many branches as possible.

A few ideas of what to test (you might have thought about most of them already, and i expect them to actually work by just looking at what your code accomplishes):

  • What we can/cannot do with the mutex in the failed-to-be-destroyed state, depending on the state of the mutex before destruction was attempted.
  • What we can/cannot do with the mutex in each of the "Schrodinger" states - in particular, do we display the double-destroy warning in such cases?
  • How return-symbol death races against resolving success of the destroy operation: what if the programmer first tries to destroy mutex, then uses the mutex, then checks the return value?
  • Are you sure we cannot assert(lstate) on line 137? - a test could be added that would cause such assertion to fail if someone tries to impose it.

Apart from that, i guess it'd be good to use more informative variable names in a few places (see inline comments), and fix the formatting, i.e. spaces and line breaks (should be easy with clang-format). Also you shouldn't add the .DS_Store files :) And then we'd accept and commit this patch.

Dear Dr. Artem,

Thank you so much for such a detailed review. I'll work on addressing these comments ASAP and reach out to you in case I have any queries.

Regards,
Malhar Thakkar

malhar1995 added inline comments.May 20 2017, 9:41 AM
lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp
143–146 ↗(On Diff #99388)

We can be certain that the lock state will be either of the two only if I add the following statement before returning from this function.

state = state->remove<DestroyRetVal>(lockR);

If I don't add the above statement, a return value symbol for the region specified by lockR will still be in DestroyRetVal and it may have an actual lock state (locked, unlocked or destroyed).

malhar1995 updated this revision to Diff 99750.May 22 2017, 6:10 AM

Addressed previous comments (removed Schrodinger from lock state names, changed method name setAppropriateLockState to resolvePossiblyDestroyedMutex, added an assert in resolvePossiblyDestroyedMutex, formatted the code using clang-format and added some test-cases to test/Analysis/pthreadlock.c)

malhar1995 marked 6 inline comments as done.May 22 2017, 8:13 AM
NoQ added a comment.May 22 2017, 12:14 PM

Thanks, this is great! Two more things:

  • You have touched other code, unrelated to your patch, with clang-format; we're usually trying to avoid that, because it creates merge conflicts out of nowhere, and because some of that code actually seems formatted by hand intentionally. It's better to revert these changes; you can use the git clang-format thing to format only actual changes.
  • Updating .gitignore sounds like the right thing to do (llvm's .gitignore already has this), but i guess we'd better make a separate commit for that.
lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp
143–146 ↗(On Diff #99388)

Yep, that's a great thing to do. I didn't notice this.

Generally, it's great to keep the program state free from stuff that would no longer be necessary.

malhar1995 added a comment.May 23 2017, 7:43 AM
In D32449#761303, @NoQ wrote:

Thanks, this is great! Two more things:

  • You have touched other code, unrelated to your patch, with clang-format; we're usually trying to avoid that, because it creates merge conflicts out of nowhere, and because some of that code actually seems formatted by hand intentionally. It's better to revert these changes; you can use the git clang-format thing to format only actual changes.

I did not apply clang-format to any file except for PthreadLockChecker.cpp. Do you think the merge conflict is due to me not applying clang-format to test/Analysis/pthreadlock.c? The only files I changed were .gitignore, PthreadLockChecker.cpp and test/Analysis/pthreadlock.c.
Also, when you asked me to revert the changes, did you mean revert the changes made by clang-format? If yes, how do I do that?
I apologize for asking such silly questions. The thing is I'm new to all this and I don't really know how to proceed further.

  • Updating .gitignore sounds like the right thing to do (llvm's .gitignore already has this), but i guess we'd better make a separate commit for that.
NoQ added a comment.May 23 2017, 9:01 AM

No-no, all i was trying to say is that there's code in PthreadLockChecker.cpp that you haven't changed, but accidentally reformatted - and this is something we normally try to avoid. Like, for example, changing enum LockingSemantics {...} from vertical to horizontal - that wasn't your intention, it just accidentally happened because you auto-reformatted the whole file. I don't mind these changes, and i didn't mean they introduce any merge conflicts for now, though they tend to do so in the future for other people working on the same code, as we have a few downstream users, and magenta guys who are working on this checker as part of D26342), so most of the time it's better not to introduce unnecessary changes.

I'm not sure if you can easily revert the style-only changes via git clang-format, but you should be able to find them with the help of git reflog if you made a local commit before running clang-format (even if it was later discarded or amended), otherwise only manually i guess.

malhar1995 updated this revision to Diff 99970.May 23 2017, 12:23 PM

Applied clang-format only to the changed lines in the final code.

NoQ accepted this revision.May 29 2017, 5:25 AM

I'd commit your patch without the .gitignore change, as it deserves a separate commit and more attention; will have a look at it myself - llvm's and clang's .gitignores have diverged quite a bit.

Thanks for taking this up!~

This revision is now accepted and ready to land.May 29 2017, 5:25 AM
Closed by commit rL304159: [analyzer] PthreadLockChecker: model failed pthread_mutex_destroy() calls. (authored by dergachev). · Explain WhyMay 29 2017, 7:52 AM
This revision was automatically updated to reflect the committed changes.
haowei mentioned this in D34724: [analyzer] Add MagentaHandleChecker for the Magenta kernel.Jul 18 2017, 5:22 PM
NoQ mentioned this in D48427: [Analyzer] Iterator Checker Hotfix: Defer deletion of container data until its last iterator is cleaned up.Jun 27 2018, 11:37 AM
NoQ mentioned this in D69948: [Checkers] Added support for freopen to StreamChecker..Nov 19 2019, 3:45 PM

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Checkers/
146 lines
test/
Analysis/
79 lines

Diff 100615

cfe/trunk/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp

Show All 19 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
struct LockState { struct LockState {
enum Kind { Destroyed, Locked, Unlocked } K; enum Kind {
Destroyed,
Locked,
Unlocked,
UntouchedAndPossiblyDestroyed,
UnlockedAndPossiblyDestroyed
} K;
private: private:
LockState(Kind K) : K(K) {} LockState(Kind K) : K(K) {}
public: public:
static LockState getLocked() { return LockState(Locked); } static LockState getLocked() { return LockState(Locked); }
static LockState getUnlocked() { return LockState(Unlocked); } static LockState getUnlocked() { return LockState(Unlocked); }
static LockState getDestroyed() { return LockState(Destroyed); } static LockState getDestroyed() { return LockState(Destroyed); }
static LockState getUntouchedAndPossiblyDestroyed() {
return LockState(UntouchedAndPossiblyDestroyed);
}
static LockState getUnlockedAndPossiblyDestroyed() {
return LockState(UnlockedAndPossiblyDestroyed);
}
bool operator==(const LockState &X) const { bool operator==(const LockState &X) const {
return K == X.K; return K == X.K;
} }
bool isLocked() const { return K == Locked; } bool isLocked() const { return K == Locked; }
bool isUnlocked() const { return K == Unlocked; } bool isUnlocked() const { return K == Unlocked; }
bool isDestroyed() const { return K == Destroyed; } bool isDestroyed() const { return K == Destroyed; }
bool isUntouchedAndPossiblyDestroyed() const {
return K == UntouchedAndPossiblyDestroyed;
}
bool isUnlockedAndPossiblyDestroyed() const {
return K == UnlockedAndPossiblyDestroyed;
}
void Profile(llvm::FoldingSetNodeID &ID) const { void Profile(llvm::FoldingSetNodeID &ID) const {
ID.AddInteger(K); ID.AddInteger(K);
} }
}; };
class PthreadLockChecker : public Checker< check::PostStmt<CallExpr> > { class PthreadLockChecker
: public Checker<check::PostStmt<CallExpr>, check::DeadSymbols> {
mutable std::unique_ptr<BugType> BT_doublelock; mutable std::unique_ptr<BugType> BT_doublelock;
mutable std::unique_ptr<BugType> BT_doubleunlock; mutable std::unique_ptr<BugType> BT_doubleunlock;
mutable std::unique_ptr<BugType> BT_destroylock; mutable std::unique_ptr<BugType> BT_destroylock;
mutable std::unique_ptr<BugType> BT_initlock; mutable std::unique_ptr<BugType> BT_initlock;
mutable std::unique_ptr<BugType> BT_lor; mutable std::unique_ptr<BugType> BT_lor;
enum LockingSemantics { enum LockingSemantics {
NotApplicable = 0, NotApplicable = 0,
PthreadSemantics, PthreadSemantics,
XNUSemantics XNUSemantics
}; };
public: public:
void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
void AcquireLock(CheckerContext &C, const CallExpr *CE, SVal lock, void AcquireLock(CheckerContext &C, const CallExpr *CE, SVal lock,
bool isTryLock, enum LockingSemantics semantics) const; bool isTryLock, enum LockingSemantics semantics) const;
void ReleaseLock(CheckerContext &C, const CallExpr *CE, SVal lock) const; void ReleaseLock(CheckerContext &C, const CallExpr *CE, SVal lock) const;
void DestroyLock(CheckerContext &C, const CallExpr *CE, SVal Lock) const; void DestroyLock(CheckerContext &C, const CallExpr *CE, SVal Lock,
enum LockingSemantics semantics) const;
void InitLock(CheckerContext &C, const CallExpr *CE, SVal Lock) const; void InitLock(CheckerContext &C, const CallExpr *CE, SVal Lock) const;
void reportUseDestroyedBug(CheckerContext &C, const CallExpr *CE) const; void reportUseDestroyedBug(CheckerContext &C, const CallExpr *CE) const;
ProgramStateRef resolvePossiblyDestroyedMutex(ProgramStateRef state,
const MemRegion *lockR,
const SymbolRef *sym) const;
}; };
} // end anonymous namespace } // end anonymous namespace
// GDM Entry for tracking lock state. // A stack of locks for tracking lock-unlock order.
REGISTER_LIST_WITH_PROGRAMSTATE(LockSet, const MemRegion *) REGISTER_LIST_WITH_PROGRAMSTATE(LockSet, const MemRegion *)
// An entry for tracking lock states.
REGISTER_MAP_WITH_PROGRAMSTATE(LockMap, const MemRegion *, LockState) REGISTER_MAP_WITH_PROGRAMSTATE(LockMap, const MemRegion *, LockState)
// Return values for unresolved calls to pthread_mutex_destroy().
REGISTER_MAP_WITH_PROGRAMSTATE(DestroyRetVal, const MemRegion *, SymbolRef)
void PthreadLockChecker::checkPostStmt(const CallExpr *CE, void PthreadLockChecker::checkPostStmt(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
StringRef FName = C.getCalleeName(CE); StringRef FName = C.getCalleeName(CE);
if (FName.empty()) if (FName.empty())
return; return;
Show All 20 Lines else if (FName == "lck_mtx_try_lock" ||
FName == "lck_rw_try_lock_shared") FName == "lck_rw_try_lock_shared")
AcquireLock(C, CE, state->getSVal(CE->getArg(0), LCtx), AcquireLock(C, CE, state->getSVal(CE->getArg(0), LCtx),
true, XNUSemantics); true, XNUSemantics);
else if (FName == "pthread_mutex_unlock" || else if (FName == "pthread_mutex_unlock" ||
FName == "pthread_rwlock_unlock" || FName == "pthread_rwlock_unlock" ||
FName == "lck_mtx_unlock" || FName == "lck_mtx_unlock" ||
FName == "lck_rw_done") FName == "lck_rw_done")
ReleaseLock(C, CE, state->getSVal(CE->getArg(0), LCtx)); ReleaseLock(C, CE, state->getSVal(CE->getArg(0), LCtx));
else if (FName == "pthread_mutex_destroy" || else if (FName == "pthread_mutex_destroy")
FName == "lck_mtx_destroy") DestroyLock(C, CE, state->getSVal(CE->getArg(0), LCtx), PthreadSemantics);
DestroyLock(C, CE, state->getSVal(CE->getArg(0), LCtx)); else if (FName == "lck_mtx_destroy")
DestroyLock(C, CE, state->getSVal(CE->getArg(0), LCtx), XNUSemantics);
else if (FName == "pthread_mutex_init") else if (FName == "pthread_mutex_init")
InitLock(C, CE, state->getSVal(CE->getArg(0), LCtx)); InitLock(C, CE, state->getSVal(CE->getArg(0), LCtx));
} }
// When a lock is destroyed, in some semantics(like PthreadSemantics) we are not
// sure if the destroy call has succeeded or failed, and the lock enters one of
// the 'possibly destroyed' state. There is a short time frame for the
// programmer to check the return value to see if the lock was successfully
// destroyed. Before we model the next operation over that lock, we call this
// function to see if the return value was checked by now and set the lock state
// - either to destroyed state or back to its previous state.
// In PthreadSemantics, pthread_mutex_destroy() returns zero if the lock is
// successfully destroyed and it returns a non-zero value otherwise.
ProgramStateRef PthreadLockChecker::resolvePossiblyDestroyedMutex(
ProgramStateRef state, const MemRegion *lockR, const SymbolRef *sym) const {
const LockState *lstate = state->get<LockMap>(lockR);
// Existence in DestroyRetVal ensures existence in LockMap.
// Existence in Destroyed also ensures that the lock state for lockR is either
// UntouchedAndPossiblyDestroyed or UnlockedAndPossiblyDestroyed.
assert(lstate->isUntouchedAndPossiblyDestroyed() ||
lstate->isUnlockedAndPossiblyDestroyed());
ConstraintManager &CMgr = state->getConstraintManager();
ConditionTruthVal retZero = CMgr.isNull(state, *sym);
if (retZero.isConstrainedFalse()) {
if (lstate->isUntouchedAndPossiblyDestroyed())
state = state->remove<LockMap>(lockR);
else if (lstate->isUnlockedAndPossiblyDestroyed())
state = state->set<LockMap>(lockR, LockState::getUnlocked());
} else
state = state->set<LockMap>(lockR, LockState::getDestroyed());
// Removing the map entry (lockR, sym) from DestroyRetVal as the lock state is
// now resolved.
state = state->remove<DestroyRetVal>(lockR);
return state;
}
void PthreadLockChecker::AcquireLock(CheckerContext &C, const CallExpr *CE, void PthreadLockChecker::AcquireLock(CheckerContext &C, const CallExpr *CE,
SVal lock, bool isTryLock, SVal lock, bool isTryLock,
enum LockingSemantics semantics) const { enum LockingSemantics semantics) const {
const MemRegion *lockR = lock.getAsRegion(); const MemRegion *lockR = lock.getAsRegion();
if (!lockR) if (!lockR)
return; return;
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const SymbolRef *sym = state->get<DestroyRetVal>(lockR);
if (sym)
state = resolvePossiblyDestroyedMutex(state, lockR, sym);
SVal X = state->getSVal(CE, C.getLocationContext()); SVal X = state->getSVal(CE, C.getLocationContext());
if (X.isUnknownOrUndef()) if (X.isUnknownOrUndef())
return; return;
DefinedSVal retVal = X.castAs<DefinedSVal>(); DefinedSVal retVal = X.castAs<DefinedSVal>();
if (const LockState *LState = state->get<LockMap>(lockR)) { if (const LockState *LState = state->get<LockMap>(lockR)) {
▲ Show 20 LinesShow All 52 Lines▼ Show 20 Lines
void PthreadLockChecker::ReleaseLock(CheckerContext &C, const CallExpr *CE, void PthreadLockChecker::ReleaseLock(CheckerContext &C, const CallExpr *CE,
SVal lock) const { SVal lock) const {
const MemRegion *lockR = lock.getAsRegion(); const MemRegion *lockR = lock.getAsRegion();
if (!lockR) if (!lockR)
return; return;
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const SymbolRef *sym = state->get<DestroyRetVal>(lockR);
if (sym)
state = resolvePossiblyDestroyedMutex(state, lockR, sym);
if (const LockState *LState = state->get<LockMap>(lockR)) { if (const LockState *LState = state->get<LockMap>(lockR)) {
if (LState->isUnlocked()) { if (LState->isUnlocked()) {
if (!BT_doubleunlock) if (!BT_doubleunlock)
BT_doubleunlock.reset(new BugType(this, "Double unlocking", BT_doubleunlock.reset(new BugType(this, "Double unlocking",
"Lock checker")); "Lock checker"));
ExplodedNode *N = C.generateErrorNode(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
Show All 32 Lines if (!LS.isEmpty()) {
state = state->set<LockSet>(LS.getTail()); state = state->set<LockSet>(LS.getTail());
} }
state = state->set<LockMap>(lockR, LockState::getUnlocked()); state = state->set<LockMap>(lockR, LockState::getUnlocked());
C.addTransition(state); C.addTransition(state);
} }
void PthreadLockChecker::DestroyLock(CheckerContext &C, const CallExpr *CE, void PthreadLockChecker::DestroyLock(CheckerContext &C, const CallExpr *CE,
SVal Lock) const { SVal Lock,
enum LockingSemantics semantics) const {
const MemRegion *LockR = Lock.getAsRegion(); const MemRegion *LockR = Lock.getAsRegion();
if (!LockR) if (!LockR)
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const SymbolRef *sym = State->get<DestroyRetVal>(LockR);
if (sym)
State = resolvePossiblyDestroyedMutex(State, LockR, sym);
const LockState *LState = State->get<LockMap>(LockR); const LockState *LState = State->get<LockMap>(LockR);
// Checking the return value of the destroy method only in the case of
// PthreadSemantics
if (semantics == PthreadSemantics) {
if (!LState || LState->isUnlocked()) {
SymbolRef sym = C.getSVal(CE).getAsSymbol();
if (!sym) {
State = State->remove<LockMap>(LockR);
C.addTransition(State);
return;
}
State = State->set<DestroyRetVal>(LockR, sym);
if (LState && LState->isUnlocked())
State = State->set<LockMap>(
LockR, LockState::getUnlockedAndPossiblyDestroyed());
else
State = State->set<LockMap>(
LockR, LockState::getUntouchedAndPossiblyDestroyed());
C.addTransition(State);
return;
}
} else {
if (!LState || LState->isUnlocked()) { if (!LState || LState->isUnlocked()) {
State = State->set<LockMap>(LockR, LockState::getDestroyed()); State = State->set<LockMap>(LockR, LockState::getDestroyed());
C.addTransition(State); C.addTransition(State);
return; return;
} }
}
StringRef Message; StringRef Message;
if (LState->isLocked()) { if (LState->isLocked()) {
Message = "This lock is still locked"; Message = "This lock is still locked";
} else { } else {
Message = "This lock has already been destroyed"; Message = "This lock has already been destroyed";
} }
Show All 12 Linesvoid PthreadLockChecker::InitLock(CheckerContext &C, const CallExpr *CE,
SVal Lock) const { SVal Lock) const {
const MemRegion *LockR = Lock.getAsRegion(); const MemRegion *LockR = Lock.getAsRegion();
if (!LockR) if (!LockR)
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const SymbolRef *sym = State->get<DestroyRetVal>(LockR);
if (sym)
State = resolvePossiblyDestroyedMutex(State, LockR, sym);
const struct LockState *LState = State->get<LockMap>(LockR); const struct LockState *LState = State->get<LockMap>(LockR);
if (!LState || LState->isDestroyed()) { if (!LState || LState->isDestroyed()) {
State = State->set<LockMap>(LockR, LockState::getUnlocked()); State = State->set<LockMap>(LockR, LockState::getUnlocked());
C.addTransition(State); C.addTransition(State);
return; return;
} }
StringRef Message; StringRef Message;
Show All 24 Linesvoid PthreadLockChecker::reportUseDestroyedBug(CheckerContext &C,
if (!N) if (!N)
return; return;
auto Report = llvm::make_unique<BugReport>( auto Report = llvm::make_unique<BugReport>(
*BT_destroylock, "This lock has already been destroyed", N); *BT_destroylock, "This lock has already been destroyed", N);
Report->addRange(CE->getArg(0)->getSourceRange()); Report->addRange(CE->getArg(0)->getSourceRange());
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
} }
void PthreadLockChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
// TODO: Clean LockMap when a mutex region dies.
DestroyRetValTy TrackedSymbols = State->get<DestroyRetVal>();
for (DestroyRetValTy::iterator I = TrackedSymbols.begin(),
E = TrackedSymbols.end();
I != E; ++I) {
const SymbolRef Sym = I->second;
const MemRegion *lockR = I->first;
bool IsSymDead = SymReaper.isDead(Sym);
// Remove the dead symbol from the return value symbols map.
if (IsSymDead)
State = resolvePossiblyDestroyedMutex(State, lockR, &Sym);
}
C.addTransition(State);
}
void ento::registerPthreadLockChecker(CheckerManager &mgr) { void ento::registerPthreadLockChecker(CheckerManager &mgr) {
mgr.registerChecker<PthreadLockChecker>(); mgr.registerChecker<PthreadLockChecker>();
} }

cfe/trunk/test/Analysis/pthreadlock.c

Show First 20 LinesShow All 170 Lines▼ Show 20 Lines
void void
ok22(void) { ok22(void) {
pthread_mutex_lock(pmtx); // no-warning pthread_mutex_lock(pmtx); // no-warning
pthread_mutex_unlock(pmtx); // no-warning pthread_mutex_unlock(pmtx); // no-warning
pthread_mutex_lock(pmtx); // no-warning pthread_mutex_lock(pmtx); // no-warning
pthread_mutex_unlock(pmtx); // no-warning pthread_mutex_unlock(pmtx); // no-warning
} }
void ok23(void) {
if (pthread_mutex_destroy(&mtx1) != 0) // no-warning
pthread_mutex_destroy(&mtx1); // no-warning
}
void ok24(void) {
if (pthread_mutex_destroy(&mtx1) != 0) // no-warning
pthread_mutex_lock(&mtx1); // no-warning
}
void ok25(void) {
if (pthread_mutex_destroy(&mtx1) != 0) // no-warning
pthread_mutex_unlock(&mtx1); // no-warning
}
void ok26(void) {
pthread_mutex_unlock(&mtx1); // no-warning
if (pthread_mutex_destroy(&mtx1) != 0) // no-warning
pthread_mutex_lock(&mtx1); // no-warning
}
void ok27(void) {
pthread_mutex_unlock(&mtx1); // no-warning
if (pthread_mutex_destroy(&mtx1) != 0) // no-warning
pthread_mutex_lock(&mtx1); // no-warning
else
pthread_mutex_init(&mtx1, NULL); // no-warning
}
void ok28(void) {
if (pthread_mutex_destroy(&mtx1) != 0) { // no-warning
pthread_mutex_lock(&mtx1); // no-warning
pthread_mutex_unlock(&mtx1); // no-warning
pthread_mutex_destroy(&mtx1); // no-warning
}
}
void void
bad1(void) bad1(void)
{ {
pthread_mutex_lock(&mtx1); // no-warning pthread_mutex_lock(&mtx1); // no-warning
pthread_mutex_lock(&mtx1); // expected-warning{{This lock has already been acquired}} pthread_mutex_lock(&mtx1); // expected-warning{{This lock has already been acquired}}
} }
▲ Show 20 LinesShow All 200 Lines▼ Show 20 Lines
} }
void void
bad26(void) bad26(void)
{ {
pthread_mutex_unlock(&mtx1); // no-warning pthread_mutex_unlock(&mtx1); // no-warning
pthread_mutex_init(&mtx1, NULL); // expected-warning{{This lock has already been initialized}} pthread_mutex_init(&mtx1, NULL); // expected-warning{{This lock has already been initialized}}
} }
void bad27(void) {
pthread_mutex_unlock(&mtx1); // no-warning
int ret = pthread_mutex_destroy(&mtx1); // no-warning
if (ret != 0) // no-warning
pthread_mutex_lock(&mtx1); // no-warning
else
pthread_mutex_unlock(&mtx1); // expected-warning{{This lock has already been destroyed}}
}
void bad28(void) {
pthread_mutex_unlock(&mtx1); // no-warning
int ret = pthread_mutex_destroy(&mtx1); // no-warning
if (ret != 0) // no-warning
pthread_mutex_lock(&mtx1); // no-warning
else
pthread_mutex_lock(&mtx1); // expected-warning{{This lock has already been destroyed}}
}
void bad29(void) {
pthread_mutex_lock(&mtx1); // no-warning
pthread_mutex_unlock(&mtx1); // no-warning
if (pthread_mutex_destroy(&mtx1) != 0) // no-warning
pthread_mutex_init(&mtx1, NULL); // expected-warning{{This lock has already been initialized}}
else
pthread_mutex_init(&mtx1, NULL); // no-warning
}
void bad30(void) {
pthread_mutex_lock(&mtx1); // no-warning
pthread_mutex_unlock(&mtx1); // no-warning
if (pthread_mutex_destroy(&mtx1) != 0) // no-warning
pthread_mutex_init(&mtx1, NULL); // expected-warning{{This lock has already been initialized}}
else
pthread_mutex_destroy(&mtx1); // expected-warning{{This lock has already been destroyed}}
}
void bad31(void) {
int ret = pthread_mutex_destroy(&mtx1); // no-warning
pthread_mutex_lock(&mtx1); // expected-warning{{This lock has already been destroyed}}
if (ret != 0)
pthread_mutex_lock(&mtx1);
}