This is an archive of the discontinued LLVM Phabricator instance.

Differential D41266

[analyzer] With c++-allocator-inlining, fix memory space for operator new pointers.
ClosedPublic

Authored by NoQ on Dec 14 2017, 5:17 PM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
Commits
rG1084de520b61: [analyzer] operator new: Fix memory space for the returned region.
rL322780: [analyzer] operator new: Fix memory space for the returned region.
rC322780: [analyzer] operator new: Fix memory space for the returned region.
Summary

Default global operator new(), like malloc(), should return heap pointers, which in the analyzer are represented by SymbolicRegions with HeapSpaceRegion as their parent.

In the -analyzer-config c++-allocator-inlining mode, this was broken, and regular SymbolicRegions were returned instead, which have UnknownSpaceRegion as their parent.

This patch fixes this straightforwardly on ExprEngine side. We may want to delegate this job to the checkers though evalCall, but for now this mode doesn't support evalCall for operator new(), and i'm not sure if it'd be used much.

With this patch going on top of previous patches, enabling c++-allocator-inlining by default causes no regressions on tests (causes some improvements though). It doesn't mean it works (we still have callbacks broken, path diagnostic pieces unsupported, and i've just noticed one more void element region crash), just a psychological checkpoint.

Diff Detail

Repository
rC Clang

Event Timeline

NoQ created this revision.Dec 14 2017, 5:17 PM
Herald added subscribers: cfe-commits, rnkovacs. · View Herald TranscriptDec 14 2017, 5:17 PM
xazax.hun accepted this revision.Dec 16 2017, 9:51 AM

In the future, we might want to model the standard placement new and return a symbol with the correct SpaceRegion (i.e.: the space region of the argument).

lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
523

The parens are redundant here.

This revision is now accepted and ready to land.Dec 16 2017, 9:51 AM
NoQ updated this revision to Diff 127560.Dec 19 2017, 10:33 AM

Rebase.

Remove the redundant cast that is done in c++-allocator-inlining mode when modeling array new. After rebase it started causing two identical element regions top appear on top of each other.

NoQ added a parent revision: D41250: [analyzer] Model implied cast around operator new()..Dec 19 2017, 11:53 AM
NoQ added a child revision: D41406: [analyzer] Add a new checker callback, check::NewAllocator..
dcoughlin added inline comments.Jan 8 2018, 6:31 PM
lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
513

I realize this isn't your code, but could we use FunctionDecl::isReplaceableGlobalAllocationFunction() here?

NoQ updated this revision to Diff 129213.Jan 9 2018, 7:37 PM

Rebase. Address the comment.

In D41266#959763, @NoQ wrote:

Remove the redundant cast that is done in c++-allocator-inlining mode when modeling array new. After rebase it started causing two identical element regions top appear on top of each other.

Remove this workaround because i reverted the change for which it is a workaround in D41250#971888: we no longer add the redundant ElementRegion, so we don't need to defend from double ElementRegions here. I guess it all finally starts to make sense.

lib/StaticAnalyzer/Core/ExprEngineCXX.cpp
513

Hmm. Totally. That's much better.

NoQ updated this revision to Diff 129367.Jan 10 2018, 4:19 PM

Rebase (fix minor conflict).

dcoughlin accepted this revision.Jan 12 2018, 4:59 PM

LGTM as well.

Closed by commit rC322780: [analyzer] operator new: Fix memory space for the returned region. (authored by NoQ). · Explain WhyJan 17 2018, 3:00 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Core/
24 lines
14 lines
test/
Analysis/
2 lines
23 lines

Diff 130283

lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 473 Lines▼ Show 20 Lines CallEventRef<CXXAllocatorCall> Call =
CEMgr.getCXXAllocatorCall(CNE, State, LCtx); CEMgr.getCXXAllocatorCall(CNE, State, LCtx);
ExplodedNodeSet DstPreCall; ExplodedNodeSet DstPreCall;
getCheckerManager().runCheckersForPreCall(DstPreCall, Pred, getCheckerManager().runCheckersForPreCall(DstPreCall, Pred,
*Call, *this); *Call, *this);
ExplodedNodeSet DstPostCall; ExplodedNodeSet DstPostCall;
StmtNodeBuilder CallBldr(DstPreCall, DstPostCall, *currBldrCtx); StmtNodeBuilder CallBldr(DstPreCall, DstPostCall, *currBldrCtx);
for (auto I : DstPreCall) for (auto I : DstPreCall) {
// FIXME: Provide evalCall for checkers?
defaultEvalCall(CallBldr, I, *Call); defaultEvalCall(CallBldr, I, *Call);
}
// If the call is inlined, DstPostCall will be empty and we bail out now. // If the call is inlined, DstPostCall will be empty and we bail out now.
// Store return value of operator new() for future use, until the actual // Store return value of operator new() for future use, until the actual
// CXXNewExpr gets processed. // CXXNewExpr gets processed.
ExplodedNodeSet DstPostValue; ExplodedNodeSet DstPostValue;
StmtNodeBuilder ValueBldr(DstPostCall, DstPostValue, *currBldrCtx); StmtNodeBuilder ValueBldr(DstPostCall, DstPostValue, *currBldrCtx);
for (auto I : DstPostCall) { for (auto I : DstPostCall) {
// FIXME: Because CNE serves as the "call site" for the allocator (due to // FIXME: Because CNE serves as the "call site" for the allocator (due to
Show All 10 Lines ValueBldr.generateNode(
CNE, I, CNE, I,
setCXXNewAllocatorValue(State, CNE, LCtx, State->getSVal(CNE, LCtx))); setCXXNewAllocatorValue(State, CNE, LCtx, State->getSVal(CNE, LCtx)));
} }
getCheckerManager().runCheckersForPostCall(Dst, DstPostValue, getCheckerManager().runCheckersForPostCall(Dst, DstPostValue,
*Call, *this); *Call, *this);
} }
void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred, void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

I realize this isn't your code, but could we use FunctionDecl::isReplaceableGlobalAllocationFunction() here?

dcoughlin: I realize this isn't your code, but could we use `FunctionDecl…
NoQAuthorUnsubmitted
Not Done
ReplyInline Actions

Hmm. Totally. That's much better.

NoQ: Hmm. Totally. That's much better.
// FIXME: Much of this should eventually migrate to CXXAllocatorCall. // FIXME: Much of this should eventually migrate to CXXAllocatorCall.
// Also, we need to decide how allocators actually work -- they're not // Also, we need to decide how allocators actually work -- they're not
// really part of the CXXNewExpr because they happen BEFORE the // really part of the CXXNewExpr because they happen BEFORE the
// CXXConstructExpr subexpression. See PR12014 for some discussion. // CXXConstructExpr subexpression. See PR12014 for some discussion.
unsigned blockCount = currBldrCtx->blockCount(); unsigned blockCount = currBldrCtx->blockCount();
const LocationContext *LCtx = Pred->getLocationContext(); const LocationContext *LCtx = Pred->getLocationContext();
SVal symVal = UnknownVal(); SVal symVal = UnknownVal();
FunctionDecl *FD = CNE->getOperatorNew(); FunctionDecl *FD = CNE->getOperatorNew();
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

The parens are redundant here.

xazax.hun: The parens are redundant here.
bool IsStandardGlobalOpNewFunction = false; bool IsStandardGlobalOpNewFunction =
if (FD && !isa<CXXMethodDecl>(FD) && !FD->isVariadic()) { FD->isReplaceableGlobalAllocationFunction();
if (FD->getNumParams() == 2) {
QualType T = FD->getParamDecl(1)->getType();
if (const IdentifierInfo *II = T.getBaseTypeIdentifier())
// NoThrow placement new behaves as a standard new.
IsStandardGlobalOpNewFunction = II->getName().equals("nothrow_t");
}
else
// Placement forms are considered non-standard.
IsStandardGlobalOpNewFunction = (FD->getNumParams() == 1);
}
ProgramStateRef State = Pred->getState(); ProgramStateRef State = Pred->getState();
// Retrieve the stored operator new() return value. // Retrieve the stored operator new() return value.
if (AMgr.getAnalyzerOptions().mayInlineCXXAllocator()) { if (AMgr.getAnalyzerOptions().mayInlineCXXAllocator()) {
symVal = getCXXNewAllocatorValue(State, CNE, LCtx); symVal = getCXXNewAllocatorValue(State, CNE, LCtx);
State = clearCXXNewAllocatorValue(State, CNE, LCtx); State = clearCXXNewAllocatorValue(State, CNE, LCtx);
} }
Show All 39 Linesvoid ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred,
StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx); StmtNodeBuilder Bldr(Pred, Dst, *currBldrCtx);
SVal Result = symVal; SVal Result = symVal;
if (CNE->isArray()) { if (CNE->isArray()) {
// FIXME: allocating an array requires simulating the constructors. // FIXME: allocating an array requires simulating the constructors.
// For now, just return a symbolicated region. // For now, just return a symbolicated region.
if (!AMgr.getAnalyzerOptions().mayInlineCXXAllocator()) { if (const SubRegion *NewReg =
const SubRegion *NewReg = dyn_cast_or_null<SubRegion>(symVal.getAsRegion())) {
symVal.castAs<loc::MemRegionVal>().getRegionAs<SubRegion>();
QualType ObjTy = CNE->getType()->getAs<PointerType>()->getPointeeType(); QualType ObjTy = CNE->getType()->getAs<PointerType>()->getPointeeType();
const ElementRegion *EleReg = const ElementRegion *EleReg =
getStoreManager().GetElementZeroRegion(NewReg, ObjTy); getStoreManager().GetElementZeroRegion(NewReg, ObjTy);
Result = loc::MemRegionVal(EleReg); Result = loc::MemRegionVal(EleReg);
} }
State = State->BindExpr(CNE, Pred->getLocationContext(), Result); State = State->BindExpr(CNE, Pred->getLocationContext(), Result);
Bldr.generateNode(CNE, Pred, State); Bldr.generateNode(CNE, Pred, State);
return; return;
▲ Show 20 LinesShow All 124 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show First 20 LinesShow All 567 Lines▼ Show 20 Lines if (const ObjCMethodCall *Msg = dyn_cast<ObjCMethodCall>(&Call)) {
return State->BindExpr(E, LCtx, ThisV); return State->BindExpr(E, LCtx, ThisV);
} }
// Conjure a symbol if the return value is unknown. // Conjure a symbol if the return value is unknown.
QualType ResultTy = Call.getResultType(); QualType ResultTy = Call.getResultType();
SValBuilder &SVB = getSValBuilder(); SValBuilder &SVB = getSValBuilder();
unsigned Count = currBldrCtx->blockCount(); unsigned Count = currBldrCtx->blockCount();
SVal R = SVB.conjureSymbolVal(nullptr, E, LCtx, ResultTy, Count);
// See if we need to conjure a heap pointer instead of
// a regular unknown pointer.
bool IsHeapPointer = false;
if (const auto *CNE = dyn_cast<CXXNewExpr>(E))
if (CNE->getOperatorNew()->isReplaceableGlobalAllocationFunction()) {
// FIXME: Delegate this to evalCall in MallocChecker?
IsHeapPointer = true;
}
SVal R = IsHeapPointer
? SVB.getConjuredHeapSymbolVal(E, LCtx, Count)
: SVB.conjureSymbolVal(nullptr, E, LCtx, ResultTy, Count);
return State->BindExpr(E, LCtx, R); return State->BindExpr(E, LCtx, R);
} }
// Conservatively evaluate call by invalidating regions and binding // Conservatively evaluate call by invalidating regions and binding
// a conjured return value. // a conjured return value.
void ExprEngine::conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr, void ExprEngine::conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr,
ExplodedNode *Pred, ExplodedNode *Pred,
ProgramStateRef State) { ProgramStateRef State) {
▲ Show 20 LinesShow All 439 LinesShow Last 20 Lines

test/Analysis/NewDelete-checker-test.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDelete -std=c++11 -fblocks -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDelete -std=c++11 -fblocks -verify %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDeleteLeaks -DLEAKS -std=c++11 -fblocks -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDeleteLeaks -DLEAKS -std=c++11 -fblocks -verify %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDelete -std=c++11 -fblocks -analyzer-config c++-allocator-inlining=true -verify %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDeleteLeaks -DLEAKS -std=c++11 -fblocks -analyzer-config c++-allocator-inlining=true -verify %s
#include "Inputs/system-header-simulator-cxx.h" #include "Inputs/system-header-simulator-cxx.h"
typedef __typeof__(sizeof(int)) size_t; typedef __typeof__(sizeof(int)) size_t;
extern "C" void *malloc(size_t); extern "C" void *malloc(size_t);
extern "C" void free (void* ptr); extern "C" void free (void* ptr);
int *global; int *global;
//------------------ //------------------
▲ Show 20 LinesShow All 385 LinesShow Last 20 Lines

test/Analysis/new-ctor-null.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -analyzer-config c++-allocator-inlining=true -std=c++11 -verify %s
void clang_analyzer_eval(bool);
typedef __typeof__(sizeof(int)) size_t;
void *operator new(size_t size) throw() {
return nullptr;
}
void *operator new[](size_t size) throw() {
return nullptr;
}
struct S {
int x;
S() : x(1) {}
~S() {}
};
void testArrays() {
S *s = new S[10]; // no-crash
s[0].x = 2; // expected-warning{{Dereference of null pointer}}
}