This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
include/clang/StaticAnalyzer/Core/BugReporter/
-
clang/
-
StaticAnalyzer/
-
Core/
-
BugReporter/
4/7
BugType.h
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
MallocChecker.cpp
1/6
ValistChecker.cpp
-
test/Analysis/
-
Analysis/
1/3
malloc.c

Differential D41538

[analyzer] Fix some checker's output plist not containing the checker name #2
ClosedPublic

Authored by xazax.hun on Dec 22 2017, 3:13 AM.

Download Raw Diff

Details

Reviewers

NoQ
dcoughlin
george.karpenkov

Commits

rGe2c7eaa7d66c: Merging r321933: --------------------------------------------------------------…
rGb77bc6bb8b1d: [analyzer] Fix some check's output plist not containing the check name
rL322550: Merging r321933:
rL321933: [analyzer] Fix some check's output plist not containing the check name
rC321933: [analyzer] Fix some check's output plist not containing the check name

Summary

Unfortunately, currently, the analyzer core sets the checker name after the constructor was already run. So if we set the BugType in the constructor, the output plist will not contain a checker name. Right now the idiomatic solution is to create the BugType lazily. This patch moves the lazy initialization from the checker side to the analyzer core. I also found some bugs, when some checkers were triggered even if they were not enabled or wrong checker name is emitted to the plist.

In the future probably it would be better to alter the signature of the checkers' constructor to set the name in the constructor so it is possible to create the BugType eagerly.

This patch is an alternative approach to https://reviews.llvm.org/D37437.

Diff Detail

Repository: rC Clang

Event Timeline

xazax.hun created this revision.Dec 22 2017, 3:13 AM

Herald added subscribers: dkrupp, a.sidorin, rnkovacs and 3 others. · View Herald TranscriptDec 22 2017, 3:14 AM

Hello Gabor,

For me, this patch looks much better than previous. I have some questions inline.

include/clang/StaticAnalyzer/Core/BugReporter/BugType.h
49	Hm, do we really want to use elaborated name here: `class CheckName`?
59	Looks like a misspell. Should it be "The check names are set after the constructors are run"?
63	Possibly I am missing the context, but could you please explain, why do we modify CheckName in getName() but not in getCheckName()? It seems a bit unclear to me.
lib/StaticAnalyzer/Checkers/ValistChecker.cpp
277	If I understand correctly, if we report uninitialized and then unterminated, the second report will have wrong CheckName because it is never reset.
test/Analysis/malloc.c
1723	Should we enable the checker instead of removing test?

Address review comments.

include/clang/StaticAnalyzer/Core/BugReporter/BugType.h
63	Good catch, it is just an oversight. I got confused by `CheckName` vs `Name`. And since the analyzer called `getName` before `getCheckName` the tests passed.
lib/StaticAnalyzer/Checkers/ValistChecker.cpp
277	That is right. Unfortunately, If unterminated check is not turned on but uninitialized is, we can end up with empty check names. I replaced this workaround with a slightly more robust one.
test/Analysis/malloc.c
1723	I tried that once, but this caused more new warnings (and sinks) so more changes would be required to make the tests pass. And this case is already tested in `string.c`.

a.sidorin added inline comments.Dec 29 2017, 7:48 AM

lib/StaticAnalyzer/Checkers/ValistChecker.cpp
277	Maybe we should use different BugTypes for Uninitialized and Unterminated?
test/Analysis/malloc.c
1723	Thank you, I got it.

I'm still not quite sure what's the whole point of having BugType without a checker. We can still easily write anything we want in the "category" and "name" fields anyways, so we can easily produce bugs that are indistinguishable to the user from different checkers, while being able to distinguish them when we, as developers, want to figure out what checker throws them, so what was the whole point this whole time? I might be missing something, but if you have time, maybe remove the whole CheckName-based constructor and just tie every BugType to the checker? The current approach is totally fine though :)

include/clang/StaticAnalyzer/Core/BugReporter/BugType.h
51–61	I suggest: if (Checker) return Checker->getCheckname().getName(); return Check.getName(); Like, what's the point of storing the StringRef if we can retrieve it any time anyway? I guess `Checker` does live long enough?
lib/StaticAnalyzer/Checkers/ValistChecker.cpp
277	Yep, this rings my bells too. We shouldn't race on how do we initialize a `BugType` depending on what bug is encountered first in the translation unit.

Address some review comments.

include/clang/StaticAnalyzer/Core/BugReporter/BugType.h
51–61	I slightly modified your snippet to preserve the assertion that can be useful to not to reintroduce this bug in the future.
lib/StaticAnalyzer/Checkers/ValistChecker.cpp
277	Maybe I am missing something but right now there is no race on how we initialize the `BugType`. The result of the initialization can depend on, however, the set of checks that are registered. I agree that this is unfortunate but introducing a new `BugType` does not solve this problem or at least it is not apparent for me how would it solve this. One option would be to simply not report these issues unless the corresponding check is registered. The other option would be to make this depend on a new check name that needs to be enabled.

NoQ accepted this revision.Jan 4 2018, 4:52 PM

NoQ added inline comments.

include/clang/StaticAnalyzer/Core/BugReporter/BugType.h
51–61	Yep, totally!
lib/StaticAnalyzer/Checkers/ValistChecker.cpp
277	Aha, that's right, yep, so this BugType's checker name would be different depending on which checks are enabled, not on bug first encountered, sorry. So it'd only have any effect if someone is grepping through bug types and turns these checkers on and off individually at the same time. Still worth a FIXME i guess? Is it hard to make a third bugtype with a hardcoded name that doesn't rely on the checker?

This revision is now accepted and ready to land.Jan 4 2018, 4:52 PM

Closed by commit rC321933: [analyzer] Fix some check's output plist not containing the check name (authored by xazax). · Explain WhyJan 6 2018, 2:52 AM

This revision was automatically updated to reflect the committed changes.

It missed the 6.0 branching. Will you try to get it on this branch?
Thanks

In D41538#969205, @sylvestre.ledru wrote:

It missed the 6.0 branching. Will you try to get it on this branch?
Thanks

Sure! I will try to do so: https://reviews.llvm.org/rC321933

In D41538#969207, @xazax.hun wrote:

In D41538#969205, @sylvestre.ledru wrote:

It missed the 6.0 branching. Will you try to get it on this branch?
Thanks

Sure! I will try to do so: https://reviews.llvm.org/rC321933

Merged in r322550. Thanks, Hans.

Revision Contents

Path

Size

include/

clang/

StaticAnalyzer/

Core/

BugReporter/

BugType.h

36 lines

lib/

StaticAnalyzer/

Checkers/

MallocChecker.cpp

7 lines

ValistChecker.cpp

18 lines

test/

Analysis/

malloc.c

7 lines

Diff 128845

include/clang/StaticAnalyzer/Core/BugReporter/BugType.h

	Show All 26 Lines
	class ExplodedNode;			class ExplodedNode;
	class ExprEngine;			class ExprEngine;

	class BugType {			class BugType {
	private:			private:
	const CheckName Check;			const CheckName Check;
	const std::string Name;			const std::string Name;
	const std::string Category;			const std::string Category;
	bool SuppressonSink;			const CheckerBase *Checker;
				bool SuppressOnSink;

	virtual void anchor();			virtual void anchor();

	public:			public:
	BugType(class CheckName check, StringRef name, StringRef cat)			BugType(CheckName Check, StringRef Name, StringRef Cat)
	: Check(check), Name(name), Category(cat), SuppressonSink(false) {}			: Check(Check), Name(Name), Category(Cat), Checker(nullptr),
	BugType(const CheckerBase *checker, StringRef name, StringRef cat)			SuppressOnSink(false) {}
	: Check(checker->getCheckName()), Name(name), Category(cat),			BugType(const CheckerBase *Checker, StringRef Name, StringRef Cat)
	SuppressonSink(false) {}			: Check(Checker->getCheckName()), Name(Name), Category(Cat),
	virtual ~BugType() {}			Checker(Checker), SuppressOnSink(false) {}
				virtual ~BugType() = default;

	// FIXME: Should these be made strings as well?
	StringRef getName() const { return Name; }			StringRef getName() const { return Name; }
				a.sidorinUnsubmitted Done Reply Inline Actions Hm, do we really want to use elaborated name here: `class CheckName`? a.sidorin: Hm, do we really want to use elaborated name here: `class CheckName`?
	StringRef getCategory() const { return Category; }			StringRef getCategory() const { return Category; }
	StringRef getCheckName() const { return Check.getName(); }			StringRef getCheckName() const {
				// FIXME: This is a workaround to ensure that the correct check name is used
				// The check names are set after the constructors are run.
				// In case the BugType object is initialized in the checker's ctor
				// the Check field will be empty. To circumvent this problem we use
				// CheckerBase whenever it is possible.
				StringRef CheckName =
				Checker ? Checker->getCheckName().getName() : Check.getName();
				assert(!CheckName.empty() && "Check name is not set properly.");
				a.sidorinUnsubmitted Done Reply Inline Actions Looks like a misspell. Should it be "The check names are set after the constructors are run"? a.sidorin: Looks like a misspell. Should it be "The check names are set after the constructors are run"?
				return CheckName;
				}
				NoQUnsubmitted Done Reply Inline Actions I suggest: if (Checker) return Checker->getCheckname().getName(); return Check.getName(); Like, what's the point of storing the StringRef if we can retrieve it any time anyway? I guess `Checker` does live long enough? NoQ: I suggest: ``` if (Checker) return Checker->getCheckname().getName(); return Check.getName()…
				xazax.hunAuthorUnsubmitted Not Done Reply Inline Actions I slightly modified your snippet to preserve the assertion that can be useful to not to reintroduce this bug in the future. xazax.hun: I slightly modified your snippet to preserve the assertion that can be useful to not to…
				NoQUnsubmitted Not Done Reply Inline Actions Yep, totally! NoQ: Yep, totally!

	/// isSuppressOnSink - Returns true if bug reports associated with this bug			/// isSuppressOnSink - Returns true if bug reports associated with this bug
				a.sidorinUnsubmitted Done Reply Inline Actions Possibly I am missing the context, but could you please explain, why do we modify CheckName in getName() but not in getCheckName()? It seems a bit unclear to me. a.sidorin: Possibly I am missing the context, but could you please explain, why do we modify CheckName in…
				xazax.hunAuthorUnsubmitted Not Done Reply Inline Actions Good catch, it is just an oversight. I got confused by `CheckName` vs `Name`. And since the analyzer called `getName` before `getCheckName` the tests passed. xazax.hun: Good catch, it is just an oversight. I got confused by `CheckName` vs `Name`. And since the…
	/// type should be suppressed if the end node of the report is post-dominated			/// type should be suppressed if the end node of the report is post-dominated
	/// by a sink node.			/// by a sink node.
	bool isSuppressOnSink() const { return SuppressonSink; }			bool isSuppressOnSink() const { return SuppressOnSink; }
	void setSuppressOnSink(bool x) { SuppressonSink = x; }			void setSuppressOnSink(bool x) { SuppressOnSink = x; }

	virtual void FlushReports(BugReporter& BR);			virtual void FlushReports(BugReporter& BR);
	};			};

	class BuiltinBug : public BugType {			class BuiltinBug : public BugType {
	const std::string desc;			const std::string desc;
	void anchor() override;			void anchor() override;
	public:			public:
	BuiltinBug(class CheckName check, const char name, const char description)			BuiltinBug(class CheckName check, const char name, const char description)
	: BugType(check, name, categories::LogicError), desc(description) {}			: BugType(check, name, categories::LogicError), desc(description) {}

	BuiltinBug(const CheckerBase checker, const char name,			BuiltinBug(const CheckerBase checker, const char name,
	const char *description)			const char *description)
	: BugType(checker, name, categories::LogicError), desc(description) {}			: BugType(checker, name, categories::LogicError), desc(description) {}

	BuiltinBug(const CheckerBase checker, const char name)			BuiltinBug(const CheckerBase checker, const char name)
	: BugType(checker, name, categories::LogicError), desc(name) {}			: BugType(checker, name, categories::LogicError), desc(name) {}

	StringRef getDescription() const { return desc; }			StringRef getDescription() const { return desc; }
	};			};

	} // end GR namespace			} // end ento namespace

	} // end clang namespace			} // end clang namespace
	#endif			#endif

lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 Lines • Show All 2,894 Lines • ▼ Show 20 Lines	void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) {
MallocChecker *checker = mgr.registerChecker<MallocChecker>();		MallocChecker *checker = mgr.registerChecker<MallocChecker>();
checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption(		checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption(
"Optimistic", false, checker);		"Optimistic", false, checker);
checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker] = true;		checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker] = true;
checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker] =		checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker] =
mgr.getCurrentCheckName();		mgr.getCurrentCheckName();
// We currently treat NewDeleteLeaks checker as a subchecker of NewDelete		// We currently treat NewDeleteLeaks checker as a subchecker of NewDelete
// checker.		// checker.
if (!checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker])		if (!checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker]) {
checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker] = true;		checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker] = true;
		// FIXME: This does not set the correct name, but without this workaround
		// no name will be set at all.
		checker->CheckNames[MallocChecker::CK_NewDeleteChecker] =
		mgr.getCurrentCheckName();
		}
}		}

#define REGISTER_CHECKER(name) \		#define REGISTER_CHECKER(name) \
void ento::register##name(CheckerManager &mgr) { \		void ento::register##name(CheckerManager &mgr) { \
registerCStringCheckerBasic(mgr); \		registerCStringCheckerBasic(mgr); \
MallocChecker *checker = mgr.registerChecker<MallocChecker>(); \		MallocChecker *checker = mgr.registerChecker<MallocChecker>(); \
checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption( \		checker->IsOptimistic = mgr.getAnalyzerOptions().getBooleanOption( \
"Optimistic", false, checker); \		"Optimistic", false, checker); \
checker->ChecksEnabled[MallocChecker::CK_##name] = true; \		checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \		checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \
}		}

REGISTER_CHECKER(MallocChecker)		REGISTER_CHECKER(MallocChecker)
REGISTER_CHECKER(NewDeleteChecker)		REGISTER_CHECKER(NewDeleteChecker)
REGISTER_CHECKER(MismatchedDeallocatorChecker)		REGISTER_CHECKER(MismatchedDeallocatorChecker)

lib/StaticAnalyzer/Checkers/ValistChecker.cpp

Show First 20 Lines • Show All 58 Lines • ▼ Show 20 Lines	private:
StringRef getVariableNameFromRegion(const MemRegion *Reg) const;		StringRef getVariableNameFromRegion(const MemRegion *Reg) const;
const ExplodedNode getStartCallSite(const ExplodedNode N,		const ExplodedNode getStartCallSite(const ExplodedNode N,
const MemRegion *Reg) const;		const MemRegion *Reg) const;

void reportUninitializedAccess(const MemRegion *VAList, StringRef Msg,		void reportUninitializedAccess(const MemRegion *VAList, StringRef Msg,
CheckerContext &C) const;		CheckerContext &C) const;
void reportLeakedVALists(const RegionVector &LeakedVALists, StringRef Msg1,		void reportLeakedVALists(const RegionVector &LeakedVALists, StringRef Msg1,
StringRef Msg2, CheckerContext &C, ExplodedNode *N,		StringRef Msg2, CheckerContext &C, ExplodedNode *N,
bool ForceReport = false) const;		bool ReportUninit = false) const;

void checkVAListStartCall(const CallEvent &Call, CheckerContext &C,		void checkVAListStartCall(const CallEvent &Call, CheckerContext &C,
bool IsCopy) const;		bool IsCopy) const;
void checkVAListEndCall(const CallEvent &Call, CheckerContext &C) const;		void checkVAListEndCall(const CallEvent &Call, CheckerContext &C) const;

class ValistBugVisitor : public BugReporterVisitorImpl<ValistBugVisitor> {		class ValistBugVisitor : public BugReporterVisitorImpl<ValistBugVisitor> {
public:		public:
ValistBugVisitor(const MemRegion *Reg, bool IsLeak = false)		ValistBugVisitor(const MemRegion *Reg, bool IsLeak = false)
▲ Show 20 Lines • Show All 186 Lines • ▼ Show 20 Lines	if (ExplodedNode *N = C.generateErrorNode()) {
R->addVisitor(llvm::make_unique<ValistBugVisitor>(VAList));		R->addVisitor(llvm::make_unique<ValistBugVisitor>(VAList));
C.emitReport(std::move(R));		C.emitReport(std::move(R));
}		}
}		}

void ValistChecker::reportLeakedVALists(const RegionVector &LeakedVALists,		void ValistChecker::reportLeakedVALists(const RegionVector &LeakedVALists,
StringRef Msg1, StringRef Msg2,		StringRef Msg1, StringRef Msg2,
CheckerContext &C, ExplodedNode *N,		CheckerContext &C, ExplodedNode *N,
bool ForceReport) const {		bool ReportUninit) const {
if (!(ChecksEnabled[CK_Unterminated] \|\|		if (!(ChecksEnabled[CK_Unterminated] \|\|
(ChecksEnabled[CK_Uninitialized] && ForceReport)))		(ChecksEnabled[CK_Uninitialized] && ReportUninit)))
return;		return;
for (auto Reg : LeakedVALists) {		for (auto Reg : LeakedVALists) {
if (!BT_leakedvalist) {		if (!BT_leakedvalist) {
BT_leakedvalist.reset(new BugType(CheckNames[CK_Unterminated],		// FIXME: maybe creating a new check name for this type of bug is a better
"Leaked va_list",		// solution.
		a.sidorinUnsubmitted Done Reply Inline Actions If I understand correctly, if we report uninitialized and then unterminated, the second report will have wrong CheckName because it is never reset. a.sidorin: If I understand correctly, if we report uninitialized and then unterminated, the second report…
		xazax.hunAuthorUnsubmitted Not Done Reply Inline Actions That is right. Unfortunately, If unterminated check is not turned on but uninitialized is, we can end up with empty check names. I replaced this workaround with a slightly more robust one. xazax.hun: That is right. Unfortunately, If unterminated check is not turned on but uninitialized is, we…
		a.sidorinUnsubmitted Not Done Reply Inline Actions Maybe we should use different BugTypes for Uninitialized and Unterminated? a.sidorin: Maybe we should use different BugTypes for Uninitialized and Unterminated?
		NoQUnsubmitted Not Done Reply Inline Actions Yep, this rings my bells too. We shouldn't race on how do we initialize a `BugType` depending on what bug is encountered first in the translation unit. NoQ: Yep, this rings my bells too. We shouldn't race on how do we initialize a `BugType` depending…
		xazax.hunAuthorUnsubmitted Not Done Reply Inline Actions Maybe I am missing something but right now there is no race on how we initialize the `BugType`. The result of the initialization can depend on, however, the set of checks that are registered. I agree that this is unfortunate but introducing a new `BugType` does not solve this problem or at least it is not apparent for me how would it solve this. One option would be to simply not report these issues unless the corresponding check is registered. The other option would be to make this depend on a new check name that needs to be enabled. xazax.hun: Maybe I am missing something but right now there is no race on how we initialize the `BugType`.
		NoQUnsubmitted Not Done Reply Inline Actions Aha, that's right, yep, so this BugType's checker name would be different depending on which checks are enabled, not on bug first encountered, sorry. So it'd only have any effect if someone is grepping through bug types and turns these checkers on and off individually at the same time. Still worth a FIXME i guess? Is it hard to make a third bugtype with a hardcoded name that doesn't rely on the checker? NoQ: Aha, that's right, yep, so this BugType's checker name would be different depending on which…
categories::MemoryError));		BT_leakedvalist.reset(
		new BugType(CheckNames[CK_Unterminated].getName().empty()
		? CheckNames[CK_Uninitialized]
		: CheckNames[CK_Unterminated],
		"Leaked va_list", categories::MemoryError));
BT_leakedvalist->setSuppressOnSink(true);		BT_leakedvalist->setSuppressOnSink(true);
}		}

const ExplodedNode *StartNode = getStartCallSite(N, Reg);		const ExplodedNode *StartNode = getStartCallSite(N, Reg);
PathDiagnosticLocation LocUsedForUniqueing;		PathDiagnosticLocation LocUsedForUniqueing;

if (const Stmt *StartCallStmt = PathDiagnosticLocation::getStmt(StartNode))		if (const Stmt *StartCallStmt = PathDiagnosticLocation::getStmt(StartNode))
LocUsedForUniqueing = PathDiagnosticLocation::createBegin(		LocUsedForUniqueing = PathDiagnosticLocation::createBegin(
▲ Show 20 Lines • Show All 83 Lines • ▼ Show 20 Lines	void ValistChecker::checkVAListEndCall(const CallEvent &Call,
}		}
ProgramStateRef State = C.getState();		ProgramStateRef State = C.getState();
State = State->remove<InitializedVALists>(VAList);		State = State->remove<InitializedVALists>(VAList);
C.addTransition(State);		C.addTransition(State);
}		}

std::shared_ptr<PathDiagnosticPiece> ValistChecker::ValistBugVisitor::VisitNode(		std::shared_ptr<PathDiagnosticPiece> ValistChecker::ValistBugVisitor::VisitNode(
const ExplodedNode N, const ExplodedNode PrevN, BugReporterContext &BRC,		const ExplodedNode N, const ExplodedNode PrevN, BugReporterContext &BRC,
BugReport &BR) {		BugReport &) {
ProgramStateRef State = N->getState();		ProgramStateRef State = N->getState();
ProgramStateRef StatePrev = PrevN->getState();		ProgramStateRef StatePrev = PrevN->getState();

const Stmt *S = PathDiagnosticLocation::getStmt(N);		const Stmt *S = PathDiagnosticLocation::getStmt(N);
if (!S)		if (!S)
return nullptr;		return nullptr;

StringRef Msg;		StringRef Msg;
Show All 25 Lines

test/Analysis/malloc.c

Show First 20 Lines • Show All 1,714 Lines • ▼ Show 20 Lines	void *smallocWarn(size_t size) {
if (size == 2) {		if (size == 2) {
return malloc(1);		return malloc(1);
}		}
else {		else {
return malloc(size);		return malloc(size);
}		}
}		}

char dupstrWarn(const char s) {
a.sidorinUnsubmitted Done Reply Inline Actions Should we enable the checker instead of removing test? a.sidorin: Should we enable the checker instead of removing test?
xazax.hunAuthorUnsubmitted Not Done Reply Inline Actions I tried that once, but this caused more new warnings (and sinks) so more changes would be required to make the tests pass. And this case is already tested in `string.c`. xazax.hun: I tried that once, but this caused more new warnings (and sinks) so more changes would be…
a.sidorinUnsubmitted Not Done Reply Inline Actions Thank you, I got it. a.sidorin: Thank you, I got it.
const int len = strlen(s);
char p = (char) smallocWarn(len + 1);
strcpy(p, s); // expected-warning{{String copy function overflows destination buffer}}
return p;
}

int *radar15580979() {		int *radar15580979() {
int data = (int )malloc(32);		int data = (int )malloc(32);
int p = data ?: (int)malloc(32); // no warning		int p = data ?: (int)malloc(32); // no warning
return p;		return p;
}		}

// Some data structures may hold onto the pointer and free it later.		// Some data structures may hold onto the pointer and free it later.
void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) {		void testEscapeThroughSystemCallTakingVoidPointer1(void *queue) {
▲ Show 20 Lines • Show All 74 Lines • Show Last 20 Lines