This is an archive of the discontinued LLVM Phabricator instance.

Differential D36750

[analyzer] RetainCount: When diagnosing overrelease, mention if it's coming from a nested block.
AbandonedPublic

Authored by NoQ on Aug 15 2017, 8:55 AM.

Details

Reviewers
zaks.anna
dcoughlin
Summary

RetainCountChecker's warning message "Incorrect decrement of the reference count of an object that is not owned at this point by the caller" does not explicitly mention the caller, which may be confusing when there is a nested block, especially when the block is hard to notice. It should be obvious to which caller it refers. The patch tries to improve on that.

By the way, plist-based tests in retain-release.m are disabled since r163536 (~2012), and need to be updated. It's trivial to re-enable them but annoying to maintain - would we prefer to re-enable or delete them or replace with -analyzer-output=text tests?

Diff Detail

Event Timeline

NoQ created this revision.Aug 15 2017, 8:55 AM
Herald added a subscriber: xazax.hun. · View Herald TranscriptAug 15 2017, 8:55 AM
dcoughlin edited edge metadata.Aug 16 2017, 9:12 AM

By the way, plist-based tests in retain-release.m are disabled since r163536 (~2012), and need to be updated. It's trivial to re-enable them but annoying to maintain - would we prefer to re-enable or delete them or replace with -analyzer-output=text tests?

This is rdar://problem/33514142

My preference would be to factor out/re-target some specific tests into their own file and check that with -verify + -analyzer-output=text and with plist comparisons

lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp
89

Is it possible to detect this from the location context in RetainCountChecker::processNonLeakError() rather than encoding it in the analysis state? This would avoid a multiplicity of 'ByBlock' kinds.

dcoughlin added a comment.Aug 17 2017, 2:27 PM

I forgot to say this looks like a nice usability improvement!

NoQ updated this revision to Diff 113102.Aug 29 2017, 9:12 AM
NoQ marked an inline comment as done.

Avoid creating a new RefVal kind.

In D36750#843427, @dcoughlin wrote:

By the way, plist-based tests in retain-release.m are disabled since r163536 (~2012), and need to be updated. It's trivial to re-enable them but annoying to maintain - would we prefer to re-enable or delete them or replace with -analyzer-output=text tests?

My preference would be to factor out/re-target some specific tests into their own file and check that with -verify + -analyzer-output=text and with plist comparisons

Hmm, which specific tests do you have in mind? And is it worth it to try to recover the intended arrows in plists from the old plist tests?

NoQ planned changes to this revision.Sep 1 2017, 6:51 AM

This is all wrong. While RetainCountChecker is more function-local than, say, MallocChecker, we still can't say for sure that it is the bottom frame's function (or block) that should be owning the object in this case. Ideally it should, but that's not the pattern that the checker is de facto trying to find. The checker is usually fine seeing a pointer allocated in a top function and released in a sub-block. If the bottom frame is over-releasing, we'd warn, but it wouldn't be simply because the bottom frame is over-releasing, so mentioning the particular stack frame may end up being misleading.

NoQ abandoned this revision.Oct 13 2017, 2:44 AM

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
26 lines
test/
Analysis/
17 lines

Diff 113102

lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp

Show First 20 LinesShow All 80 Lines▼ Show 20 Lines enum Kind {
Released, // Object has been released. Released, // Object has been released.
ReturnedOwned, // Returned object passes ownership to caller. ReturnedOwned, // Returned object passes ownership to caller.
ReturnedNotOwned, // Return object does not pass ownership to caller. ReturnedNotOwned, // Return object does not pass ownership to caller.
ERROR_START, ERROR_START,
ErrorDeallocNotOwned, // -dealloc called on non-owned object. ErrorDeallocNotOwned, // -dealloc called on non-owned object.
ErrorDeallocGC, // Calling -dealloc with GC enabled. ErrorDeallocGC, // Calling -dealloc with GC enabled.
ErrorUseAfterRelease, // Object used after released. ErrorUseAfterRelease, // Object used after released.
ErrorReleaseNotOwned, // Release of an object that was not owned. ErrorReleaseNotOwned, // Release of an object that was not owned.
ERROR_LEAK_START, ERROR_LEAK_START,
dcoughlinUnsubmitted
Done
ReplyInline Actions

Is it possible to detect this from the location context in RetainCountChecker::processNonLeakError() rather than encoding it in the analysis state? This would avoid a multiplicity of 'ByBlock' kinds.

dcoughlin: Is it possible to detect this from the location context in RetainCountChecker…
ErrorLeak, // A memory leak due to excessive reference counts. ErrorLeak, // A memory leak due to excessive reference counts.
ErrorLeakReturned, // A memory leak due to the returning method not having ErrorLeakReturned, // A memory leak due to the returning method not having
// the correct naming conventions. // the correct naming conventions.
ErrorGCLeakReturned, ErrorGCLeakReturned,
ErrorOverAutorelease, ErrorOverAutorelease,
ErrorReturnedNotOwned ErrorReturnedNotOwned
}; };
▲ Show 20 LinesShow All 1,619 Lines▼ Show 20 Lines public:
BadRelease(const CheckerBase *checker) : CFRefBug(checker, "Bad release") {} BadRelease(const CheckerBase *checker) : CFRefBug(checker, "Bad release") {}
const char *getDescription() const override { const char *getDescription() const override {
return "Incorrect decrement of the reference count of an object that is " return "Incorrect decrement of the reference count of an object that is "
"not owned at this point by the caller"; "not owned at this point by the caller";
} }
}; };
class BadReleaseByBlock : public CFRefBug {
public:
BadReleaseByBlock(const CheckerBase *checker)
: CFRefBug(checker, "Bad release") {}
const char *getDescription() const override {
return "Incorrect decrement of the reference count of an object that is "
"not owned at this point by the current block";
}
};
class DeallocGC : public CFRefBug { class DeallocGC : public CFRefBug {
public: public:
DeallocGC(const CheckerBase *checker) DeallocGC(const CheckerBase *checker)
: CFRefBug(checker, "-dealloc called while using garbage collection") {} : CFRefBug(checker, "-dealloc called while using garbage collection") {}
const char *getDescription() const override { const char *getDescription() const override {
return "-dealloc called while using garbage collection"; return "-dealloc called while using garbage collection";
} }
▲ Show 20 LinesShow All 822 Lines▼ Show 20 Lines : public Checker< check::Bind,
check::PostStmt<ObjCDictionaryLiteral>, check::PostStmt<ObjCDictionaryLiteral>,
check::PostStmt<ObjCBoxedExpr>, check::PostStmt<ObjCBoxedExpr>,
check::PostStmt<ObjCIvarRefExpr>, check::PostStmt<ObjCIvarRefExpr>,
check::PostCall, check::PostCall,
check::PreStmt<ReturnStmt>, check::PreStmt<ReturnStmt>,
check::RegionChanges, check::RegionChanges,
eval::Assume, eval::Assume,
eval::Call > { eval::Call > {
mutable std::unique_ptr<CFRefBug> useAfterRelease, releaseNotOwned; mutable std::unique_ptr<CFRefBug> useAfterRelease;
mutable std::unique_ptr<CFRefBug> releaseNotOwned, releaseNotOwnedByBlock;
mutable std::unique_ptr<CFRefBug> deallocGC, deallocNotOwned; mutable std::unique_ptr<CFRefBug> deallocGC, deallocNotOwned;
mutable std::unique_ptr<CFRefBug> overAutorelease, returnNotOwnedForOwned; mutable std::unique_ptr<CFRefBug> overAutorelease, returnNotOwnedForOwned;
mutable std::unique_ptr<CFRefBug> leakWithinFunction, leakAtReturn; mutable std::unique_ptr<CFRefBug> leakWithinFunction, leakAtReturn;
mutable std::unique_ptr<CFRefBug> leakWithinFunctionGC, leakAtReturnGC; mutable std::unique_ptr<CFRefBug> leakWithinFunctionGC, leakAtReturnGC;
typedef llvm::DenseMap<SymbolRef, const CheckerProgramPointTag *> SymbolTagMap; typedef llvm::DenseMap<SymbolRef, const CheckerProgramPointTag *> SymbolTagMap;
// This map is only used to ensure proper deletion of any allocated tags. // This map is only used to ensure proper deletion of any allocated tags.
▲ Show 20 LinesShow All 819 Lines▼ Show 20 Lines switch (ErrorKind) {
default: default:
llvm_unreachable("Unhandled error."); llvm_unreachable("Unhandled error.");
case RefVal::ErrorUseAfterRelease: case RefVal::ErrorUseAfterRelease:
if (!useAfterRelease) if (!useAfterRelease)
useAfterRelease.reset(new UseAfterRelease(this)); useAfterRelease.reset(new UseAfterRelease(this));
BT = useAfterRelease.get(); BT = useAfterRelease.get();
break; break;
case RefVal::ErrorReleaseNotOwned: case RefVal::ErrorReleaseNotOwned:
if (isa<BlockDecl>(C.getLocationContext()->getDecl())) {
if (!releaseNotOwnedByBlock)
releaseNotOwnedByBlock.reset(new BadReleaseByBlock(this));
BT = releaseNotOwnedByBlock.get();
} else {
if (!releaseNotOwned) if (!releaseNotOwned)
releaseNotOwned.reset(new BadRelease(this)); releaseNotOwned.reset(new BadRelease(this));
BT = releaseNotOwned.get(); BT = releaseNotOwned.get();
}
break; break;
case RefVal::ErrorDeallocGC: case RefVal::ErrorDeallocGC:
if (!deallocGC) if (!deallocGC)
deallocGC.reset(new DeallocGC(this)); deallocGC.reset(new DeallocGC(this));
BT = deallocGC.get(); BT = deallocGC.get();
break; break;
case RefVal::ErrorDeallocNotOwned: case RefVal::ErrorDeallocNotOwned:
if (!deallocNotOwned) if (!deallocNotOwned)
▲ Show 20 LinesShow All 739 LinesShow Last 20 Lines

test/Analysis/retain-release.m

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 2,294 Lines▼ Show 20 Lines
void testCFReturnsRetainedError() { void testCFReturnsRetainedError() {
extern int copyViaParam(CFTypeRef * CF_RETURNS_RETAINED outObj); extern int copyViaParam(CFTypeRef * CF_RETURNS_RETAINED outObj);
CFTypeRef obj; CFTypeRef obj;
if (copyViaParam(&obj) == -42) if (copyViaParam(&obj) == -42)
return; // no-warning return; // no-warning
CFRelease(obj); CFRelease(obj);
} }
//===----------------------------------------------------------------------===//
// When warning within blocks make it obvious that warnings refer to blocks.
//===----------------------------------------------------------------------===//
int useBlock(int (^block)());
void rdar31699502_hardToNoticeBlocks() {
if (useBlock(^{
NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
NSArray *array = [NSArray array];
[array release]; // expected-warning{{Incorrect decrement of the reference count of an object that is not owned at this point by the current block}}
[pool drain];
return 0;
})) {
return;
}
}
// CHECK: <key>diagnostics</key> // CHECK: <key>diagnostics</key>
// CHECK-NEXT: <array> // CHECK-NEXT: <array>
// CHECK-NEXT: <dict> // CHECK-NEXT: <dict>
// CHECK-NEXT: <key>path</key> // CHECK-NEXT: <key>path</key>
// CHECK-NEXT: <array> // CHECK-NEXT: <array>
// CHECK-NEXT: <dict> // CHECK-NEXT: <dict>
// CHECK-NEXT: <key>kind</key><string>control</string> // CHECK-NEXT: <key>kind</key><string>control</string>
// CHECK-NEXT: <key>edges</key> // CHECK-NEXT: <key>edges</key>
▲ Show 20 LinesShow All 24,020 LinesShow Last 20 Lines