This is an archive of the discontinued LLVM Phabricator instance.

Differential D41042

[analyzer] StackAddrEscape: Delay turning on by default a little bit?
ClosedPublic

Authored by NoQ on Dec 8 2017, 4:59 PM.

Details

Reviewers
alexander-shaposhnikov
dcoughlin
Commits
rGe67a575dfb38: [analyzer] StackAddrEscape: For now, disable the new async escape checks.
rC320455: [analyzer] StackAddrEscape: For now, disable the new async escape checks.
rL320455: [analyzer] StackAddrEscape: For now, disable the new async escape checks.
Summary

I'm seeing false positives on the new check added in D39438 of the following kind:

void foo() {
  T buf[16];
  for (int n = 0; n < 16; ++n) {
    T *ptr = &buf[n];
    dispatch_async(queue, ^{ use(ptr); });
  }
  dispatch_barrier_sync(queue, ^{});
}

In this case, pointer to the local variable buf is captured by a block that goes into dispatch_async, yet it is not a bug because synchronization ensures that this block quits before the variable goes out of scope.

I guess it's kinda similar to the semaphore synchronization case. We could probably add another suppression for functions that contain any dispatch_barrier_async calls. The ideal solution is to delay the warning until checkEndFunction (like the escape-to-global check does) to see if things get synced up until then (of course, once we have scopes we can make it even more fine-grained).

Alexander, do you think we should keep the checker under a flag (not enabled for regular users) until we get a better understanding of what kinds of synchronizations can get on the way? This diff splits your new check into alpha.core.StackAddressAsyncEscape. Or do you already have good quick fixes coming?

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Dec 8 2017, 4:59 PM
Herald added subscribers: cfe-commits, a.sidorin, szepet, xazax.hun. · View Herald TranscriptDec 8 2017, 4:59 PM
NoQ edited the summary of this revision. (Show Details)Dec 8 2017, 5:00 PM
NoQ updated this revision to Diff 126247.Dec 8 2017, 5:03 PM

Update the other run-line.

alexander-shaposhnikov accepted this revision.Dec 8 2017, 9:40 PM

i see, to be honest, this is kind of unfortunate, if i am not mistaken, i've seen these false-positives, but not too many, most reports were real bugs. But if it's annoying, than i think it's fine to make it "alpha" until i figure out a good way to workaround this issue.

This revision is now accepted and ready to land.Dec 8 2017, 9:40 PM
NoQ added a comment.Dec 11 2017, 9:38 AM

Yeah, we usually try to avoid omissions of modeling in on-by-default checkers because the user may accidentally run into projects in which the unmodeled idiom is common, and then he'd get false positives all over the place. In my case it was just two new positives, both false due to this dispatch_barrier_sync idiom.

NoQ updated this revision to Diff 126390.Dec 11 2017, 9:44 AM

Add a FIXME test.

NoQ added a reviewer: dcoughlin.Dec 11 2017, 9:49 AM
Closed by commit rL320455: [analyzer] StackAddrEscape: For now, disable the new async escape checks. (authored by dergachev). · Explain WhyDec 11 2017, 6:59 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Checkers/
4 lines
lib/
StaticAnalyzer/
Checkers/
27 lines
test/
Analysis/
16 lines
2 lines

Diff 126496

cfe/trunk/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 182 Lines▼ Show 20 Lines
def TestAfterDivZeroChecker : Checker<"TestAfterDivZero">, def TestAfterDivZeroChecker : Checker<"TestAfterDivZero">,
HelpText<"Check for division by variable that is later compared against 0. Either the comparison is useless or there is division by zero.">, HelpText<"Check for division by variable that is later compared against 0. Either the comparison is useless or there is division by zero.">,
DescFile<"TestAfterDivZeroChecker.cpp">; DescFile<"TestAfterDivZeroChecker.cpp">;
def DynamicTypeChecker : Checker<"DynamicTypeChecker">, def DynamicTypeChecker : Checker<"DynamicTypeChecker">,
HelpText<"Check for cases where the dynamic and the static type of an object are unrelated.">, HelpText<"Check for cases where the dynamic and the static type of an object are unrelated.">,
DescFile<"DynamicTypeChecker.cpp">; DescFile<"DynamicTypeChecker.cpp">;
def StackAddrAsyncEscapeChecker : Checker<"StackAddressAsyncEscape">,
HelpText<"Check that addresses to stack memory do not escape the function">,
DescFile<"StackAddrEscapeChecker.cpp">;
} // end "alpha.core" } // end "alpha.core"
let ParentPackage = Nullability in { let ParentPackage = Nullability in {
def NullPassedToNonnullChecker : Checker<"NullPassedToNonnull">, def NullPassedToNonnullChecker : Checker<"NullPassedToNonnull">,
HelpText<"Warns when a null pointer is passed to a pointer which has a _Nonnull type.">, HelpText<"Warns when a null pointer is passed to a pointer which has a _Nonnull type.">,
DescFile<"NullabilityChecker.cpp">; DescFile<"NullabilityChecker.cpp">;
▲ Show 20 LinesShow All 579 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp

Show All 31 Lines : public Checker<check::PreCall, check::PreStmt<ReturnStmt>,
check::EndFunction> { check::EndFunction> {
mutable IdentifierInfo *dispatch_semaphore_tII; mutable IdentifierInfo *dispatch_semaphore_tII;
mutable std::unique_ptr<BuiltinBug> BT_stackleak; mutable std::unique_ptr<BuiltinBug> BT_stackleak;
mutable std::unique_ptr<BuiltinBug> BT_returnstack; mutable std::unique_ptr<BuiltinBug> BT_returnstack;
mutable std::unique_ptr<BuiltinBug> BT_capturedstackasync; mutable std::unique_ptr<BuiltinBug> BT_capturedstackasync;
mutable std::unique_ptr<BuiltinBug> BT_capturedstackret; mutable std::unique_ptr<BuiltinBug> BT_capturedstackret;
public: public:
enum CheckKind {
CK_StackAddrEscapeChecker,
CK_StackAddrAsyncEscapeChecker,
CK_NumCheckKinds
};
DefaultBool ChecksEnabled[CK_NumCheckKinds];
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const; void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
void checkEndFunction(CheckerContext &Ctx) const; void checkEndFunction(CheckerContext &Ctx) const;
private: private:
void checkReturnedBlockCaptures(const BlockDataRegion &B, void checkReturnedBlockCaptures(const BlockDataRegion &B,
CheckerContext &C) const; CheckerContext &C) const;
void checkAsyncExecutedBlockCaptures(const BlockDataRegion &B, void checkAsyncExecutedBlockCaptures(const BlockDataRegion &B,
▲ Show 20 LinesShow All 172 Lines▼ Show 20 Lines for (const MemRegion *Region : getCapturedStackRegions(B, C)) {
if (Range.isValid()) if (Range.isValid())
Report->addRange(Range); Report->addRange(Range);
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
} }
} }
void StackAddrEscapeChecker::checkPreCall(const CallEvent &Call, void StackAddrEscapeChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
if (!ChecksEnabled[CK_StackAddrAsyncEscapeChecker])
return;
if (!Call.isGlobalCFunction("dispatch_after") && if (!Call.isGlobalCFunction("dispatch_after") &&
!Call.isGlobalCFunction("dispatch_async")) !Call.isGlobalCFunction("dispatch_async"))
return; return;
for (unsigned Idx = 0, NumArgs = Call.getNumArgs(); Idx < NumArgs; ++Idx) { for (unsigned Idx = 0, NumArgs = Call.getNumArgs(); Idx < NumArgs; ++Idx) {
if (const BlockDataRegion *B = dyn_cast_or_null<BlockDataRegion>( if (const BlockDataRegion *B = dyn_cast_or_null<BlockDataRegion>(
Call.getArgSVal(Idx).getAsRegion())) Call.getArgSVal(Idx).getAsRegion()))
checkAsyncExecutedBlockCaptures(*B, C); checkAsyncExecutedBlockCaptures(*B, C);
} }
} }
void StackAddrEscapeChecker::checkPreStmt(const ReturnStmt *RS, void StackAddrEscapeChecker::checkPreStmt(const ReturnStmt *RS,
CheckerContext &C) const { CheckerContext &C) const {
if (!ChecksEnabled[CK_StackAddrEscapeChecker])
return;
const Expr *RetE = RS->getRetValue(); const Expr *RetE = RS->getRetValue();
if (!RetE) if (!RetE)
return; return;
RetE = RetE->IgnoreParens(); RetE = RetE->IgnoreParens();
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
SVal V = C.getState()->getSVal(RetE, LCtx); SVal V = C.getState()->getSVal(RetE, LCtx);
Show All 24 Lines if (isa<BlockDataRegion>(R) &&
return; return;
} }
} }
EmitStackError(C, R, RetE); EmitStackError(C, R, RetE);
} }
void StackAddrEscapeChecker::checkEndFunction(CheckerContext &Ctx) const { void StackAddrEscapeChecker::checkEndFunction(CheckerContext &Ctx) const {
if (!ChecksEnabled[CK_StackAddrEscapeChecker])
return;
ProgramStateRef State = Ctx.getState(); ProgramStateRef State = Ctx.getState();
// Iterate over all bindings to global variables and see if it contains // Iterate over all bindings to global variables and see if it contains
// a memory region in the stack space. // a memory region in the stack space.
class CallBack : public StoreManager::BindingsHandler { class CallBack : public StoreManager::BindingsHandler {
private: private:
CheckerContext &Ctx; CheckerContext &Ctx;
const StackFrameContext *CurSFC; const StackFrameContext *CurSFC;
▲ Show 20 LinesShow All 53 Lines▼ Show 20 Lines for (const auto &P : Cb.V) {
auto Report = llvm::make_unique<BugReport>(*BT_stackleak, Out.str(), N); auto Report = llvm::make_unique<BugReport>(*BT_stackleak, Out.str(), N);
if (Range.isValid()) if (Range.isValid())
Report->addRange(Range); Report->addRange(Range);
Ctx.emitReport(std::move(Report)); Ctx.emitReport(std::move(Report));
} }
} }
void ento::registerStackAddrEscapeChecker(CheckerManager &Mgr) { #define REGISTER_CHECKER(name) \
Mgr.registerChecker<StackAddrEscapeChecker>(); void ento::register##name(CheckerManager &Mgr) { \
StackAddrEscapeChecker *Chk = \
Mgr.registerChecker<StackAddrEscapeChecker>(); \
Chk->ChecksEnabled[StackAddrEscapeChecker::CK_##name] = true; \
} }
REGISTER_CHECKER(StackAddrEscapeChecker)
REGISTER_CHECKER(StackAddrAsyncEscapeChecker)

cfe/trunk/test/Analysis/stack-capture-leak-arc.mm

// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -analyzer-checker=core -fblocks -fobjc-arc -verify %s // RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -analyzer-checker=core,alpha.core.StackAddressAsyncEscape -fblocks -fobjc-arc -verify %s
typedef struct dispatch_queue_s *dispatch_queue_t; typedef struct dispatch_queue_s *dispatch_queue_t;
typedef void (^dispatch_block_t)(void); typedef void (^dispatch_block_t)(void);
void dispatch_async(dispatch_queue_t queue, dispatch_block_t block); void dispatch_async(dispatch_queue_t queue, dispatch_block_t block);
typedef long dispatch_once_t; typedef long dispatch_once_t;
void dispatch_once(dispatch_once_t *predicate, dispatch_block_t block); void dispatch_once(dispatch_once_t *predicate, dispatch_block_t block);
typedef long dispatch_time_t; typedef long dispatch_time_t;
void dispatch_after(dispatch_time_t when, dispatch_queue_t queue, dispatch_block_t block); void dispatch_after(dispatch_time_t when, dispatch_queue_t queue, dispatch_block_t block);
void dispatch_barrier_sync(dispatch_queue_t queue, dispatch_block_t block);
extern dispatch_queue_t queue; extern dispatch_queue_t queue;
extern dispatch_once_t *predicate; extern dispatch_once_t *predicate;
extern dispatch_time_t when; extern dispatch_time_t when;
void test_block_expr_async() { void test_block_expr_async() {
int x = 123; int x = 123;
int *p = &x; int *p = &x;
▲ Show 20 LinesShow All 150 Lines▼ Show 20 Lines dispatch_async(queue, ^{
// Some work. // Some work.
dispatch_semaphore_signal(semaphore); dispatch_semaphore_signal(semaphore);
}); // no-warning }); // no-warning
// Do some other work concurrently with the asynchronous work // Do some other work concurrently with the asynchronous work
// Wait for the asynchronous work to finish // Wait for the asynchronous work to finish
dispatch_semaphore_wait(semaphore, 1000); dispatch_semaphore_wait(semaphore, 1000);
} }
void test_dispatch_barrier_sync() {
int buf[16];
for (int n = 0; n < 16; ++n) {
int *ptr = &buf[n];
// FIXME: Should not warn. The dispatch_barrier_sync() call ensures
// that the block does not outlive 'buf'.
dispatch_async(queue, ^{ // expected-warning{{Address of stack memory associated with local variable 'buf' is captured by an asynchronously-executed block}}
(void)ptr;
});
}
dispatch_barrier_sync(queue, ^{});
}

cfe/trunk/test/Analysis/stack-capture-leak-no-arc.mm

// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -analyzer-checker=core -fblocks -verify %s // RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -analyzer-checker=core,alpha.core.StackAddressAsyncEscape -fblocks -verify %s
typedef struct dispatch_queue_s *dispatch_queue_t; typedef struct dispatch_queue_s *dispatch_queue_t;
typedef void (^dispatch_block_t)(void); typedef void (^dispatch_block_t)(void);
void dispatch_async(dispatch_queue_t queue, dispatch_block_t block); void dispatch_async(dispatch_queue_t queue, dispatch_block_t block);
extern dispatch_queue_t queue; extern dispatch_queue_t queue;
void test_block_inside_block_async_no_leak() { void test_block_inside_block_async_no_leak() {
int x = 123; int x = 123;
Show All 28 Lines