This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
1/1
MallocChecker.cpp
-
test/Analysis/
-
Analysis/
-
NewDelete-custom.cpp

Differential D37189

Fix an assertion failure that occured when custom 'operator new[]' return non-ElementRegion and 'c++-allocator-inlining' sets true.
AbandonedPublic

Authored by MTC on Aug 27 2017, 4:36 AM.

Download Raw Diff

Details

Reviewers

zaks.anna

Summary

Hi All,

MallocChecker::addExtentSize() assumes that the region returned by CXXNewExpr is ElementRegion, but when the custom operator new [] is inlined, the region returned is not necessarily an ElementRegion.

Given the below code sippet:

#include <stdlib.h>
void *operator new[](std::size_t size)
{
    void *p = malloc(size);
	return p;
}
int main()
{
    int *ptr = new int[10];
}

When operator new[] is inlined, the return region is Symbolic Region, which violates the MallocChecker::addExtentSize() assumption.

Diff Detail

Repository: rC Clang

Event Timeline

MTC created this revision.Aug 27 2017, 4:36 AM

MTC edited the summary of this revision. (Show Details)Aug 27 2017, 4:37 AM

MTC mentioned this in D36708: [analyzer] Fix Bug34144-[MallocChecker] MallocChecker::MallocUpdateRefState(): Assertion `Sym' failed..Aug 27 2017, 5:20 AM

I believe a custom operator new (or new[], regardless) can always return anything it wants. It can return a pointer to a concrete global variable, for example. So the only thing we can assert is that our operator is custom.

In D37189#854062, @NoQ wrote:

I believe a custom operator new (or new[], regardless) can always return anything it wants. It can return a pointer to a concrete global variable, for example. So the only thing we can assert is that our operator is custom.

Thank you for taking the time to do the code review, and I'll update diff along with the relevant code annotations.

Update the 'assert' condition and the code comment.

NoQ added inline comments.Dec 7 2017, 4:29 PM

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1108	Digged a bit into this. This line should say `return State;`, otherwise it destroys the effort in `checkPostStmt(const CXXNewExpr...)` to actually track the pointer in the state. However, testing for that would be really problematic because MallocChecker is suffering from another big problem in `c++-allocator-inlining` mode, namely this callback fires twice. I'm going to describe this problem on the mailing list, because it's nasty. I'd still wholeheartedly approve this patch with the `return State` change, because fixing crashes is important :)

Use 'return State' instead of 'return nullptr'.

Herald added a subscriber: cfe-commits. · View Herald TranscriptDec 8 2017, 8:10 PM

Thank you for your constant attention to this problem, Artem. I've updated the diff. As you said, this is a complex problem and look forward to your work on this issue.

Oh well, i guess i covered this in my recent patches anyway (esp. r322787/D41406). Sorry, i just fixed everything differently and it became unclear how to integrate your patch into the whole thing.

In D37189#979795, @NoQ wrote:

Oh well, i guess i covered this in my recent patches anyway (esp. r322787/D41406). Sorry, i just fixed everything differently and it became unclear how to integrate your patch into the whole thing.

Hi NoQ, that's all right, I'm totally fine with it :). And I don’t know how to abandon this patch, if you have the authority, please help me to abandon it, thank you!

That's the "Add Action..." list-box above the comment box.

MTC abandoned this revision.Jan 17 2018, 6:36 PM

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Checkers/

MallocChecker.cpp

8 lines

test/

Analysis/

NewDelete-custom.cpp

1 line

Diff 126262

lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 Lines • Show All 1,094 Lines • ▼ Show 20 Lines	if (NE->isArray()) {
ElementCount = State->getSVal(SizeExpr, C.getLocationContext());		ElementCount = State->getSVal(SizeExpr, C.getLocationContext());
// Store the extent size for the (symbolic)region		// Store the extent size for the (symbolic)region
// containing the elements.		// containing the elements.
Region = (State->getSVal(NE, LCtx))		Region = (State->getSVal(NE, LCtx))
.getAsRegion()		.getAsRegion()
->getAs<SubRegion>()		->getAs<SubRegion>()
->getSuperRegion()		->getSuperRegion()
->getAs<SubRegion>();		->getAs<SubRegion>();
		// At present, custom 'operator new[]' returns a symboic region when
		// 'c++-allocator-inlining' sets true.
		if (!Region) {
		assert(!C.getSourceManager().isInSystemHeader(
		NE->getOperatorNew()->getLocStart()) &&
		"This should be a custom 'operator new[]'");
		NoQUnsubmitted Done Reply Inline Actions Digged a bit into this. This line should say `return State;`, otherwise it destroys the effort in `checkPostStmt(const CXXNewExpr...)` to actually track the pointer in the state. However, testing for that would be really problematic because MallocChecker is suffering from another big problem in `c++-allocator-inlining` mode, namely this callback fires twice. I'm going to describe this problem on the mailing list, because it's nasty. I'd still wholeheartedly approve this patch with the `return State` change, because fixing crashes is important :) NoQ: Digged a bit into this. This line should say `return State;`, otherwise it destroys the effort…
		return State;
		}
} else {		} else {
ElementCount = svalBuilder.makeIntVal(1, true);		ElementCount = svalBuilder.makeIntVal(1, true);
Region = (State->getSVal(NE, LCtx)).getAsRegion()->getAs<SubRegion>();		Region = (State->getSVal(NE, LCtx)).getAsRegion()->getAs<SubRegion>();
}		}
assert(Region);		assert(Region);

// Set the region's extent equal to the Size in Bytes.		// Set the region's extent equal to the Size in Bytes.
QualType ElementType = NE->getAllocatedType();		QualType ElementType = NE->getAllocatedType();
▲ Show 20 Lines • Show All 1,809 Lines • Show Last 20 Lines

test/Analysis/NewDelete-custom.cpp

	// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDelete,unix.Malloc -std=c++11 -fblocks -verify %s			// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDelete,unix.Malloc -std=c++11 -fblocks -verify %s
	// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDelete,cplusplus.NewDeleteLeaks,unix.Malloc -std=c++11 -DLEAKS -fblocks -verify %s			// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDelete,cplusplus.NewDeleteLeaks,unix.Malloc -std=c++11 -DLEAKS -fblocks -verify %s
				// RUN: %clang_analyze_cc1 -analyzer-checker=cplusplus.NewDelete -analyzer-config c++-allocator-inlining=true -std=c++11 -fblocks -verify %s
	#include "Inputs/system-header-simulator-cxx.h"			#include "Inputs/system-header-simulator-cxx.h"

	#ifndef LEAKS			#ifndef LEAKS
	// expected-no-diagnostics			// expected-no-diagnostics
	#endif			#endif


	void *allocator(std::size_t size);			void *allocator(std::size_t size);
	▲ Show 20 Lines • Show All 70 Lines • Show Last 20 Lines