This is an archive of the discontinued LLVM Phabricator instance.

Differential D41799

[analyzer] PtrArithChecker: Update to use check::NewAllocator
Changes PlannedPublic

Authored by NoQ on Jan 5 2018, 5:41 PM.

Details

Reviewers
dcoughlin
xazax.hun
a.sidorin
george.karpenkov
szepet
Summary

Make use of the new callback introduced in D41406 for tracking values allocated by operator new() in -analyzer-config c++-allocator-inlining=true mode. Most of the patch actually has no intended functional changes, apart from the StripCasts part, which is similar to D41796 and fixes two tests in ptr-arith.cpp (checkNew() and getArray()).

(@xazax.hun - this is an alpha checker last touched by you, do you still have plans for it?)

Diff Detail

Event Timeline

NoQ created this revision.Jan 5 2018, 5:41 PM
Herald added subscribers: cfe-commits, rnkovacs. · View Herald TranscriptJan 5 2018, 5:41 PM
NoQ added a parent revision: D41797: [analyzer] Suppress escape of this-pointer during construction..Jan 5 2018, 5:41 PM
xazax.hun added a comment.Jan 9 2018, 6:36 AM

(@xazax.hun - this is an alpha checker last touched by you, do you still have plans for it?)

I think this check could be very useful. Last I checked it was too noisy (e.g.: around 850 hits on LLVM), and I did plan to look into what are the main sources of false positives, but I did not have time to do so yet.

NoQ planned changes to this revision.Jan 9 2018, 7:51 PM

D41250#971888 reverts the change in how casts work, and the checker doesn't really need the casted value, because it only tracks the pointer.

This still leaves us with the problem of PostStmt<CXXNewExpr> being called twice, so i'd keep this revision around so that i didn't forget to fix this; same probably needs to be done for dynamic type checker.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
38 lines
test/
Analysis/
1 line

Diff 128832

lib/StaticAnalyzer/Checkers/PointerArithChecker.cpp

Show All 40 Lines
} // end namespace llvm } // end namespace llvm
namespace { namespace {
class PointerArithChecker class PointerArithChecker
: public Checker< : public Checker<
check::PreStmt<BinaryOperator>, check::PreStmt<UnaryOperator>, check::PreStmt<BinaryOperator>, check::PreStmt<UnaryOperator>,
check::PreStmt<ArraySubscriptExpr>, check::PreStmt<CastExpr>, check::PreStmt<ArraySubscriptExpr>, check::PreStmt<CastExpr>,
check::PostStmt<CastExpr>, check::PostStmt<CXXNewExpr>, check::PostStmt<CastExpr>, check::PostStmt<CXXNewExpr>,
check::PostStmt<CallExpr>, check::DeadSymbols> { check::PostStmt<CallExpr>, check::DeadSymbols, check::NewAllocator> {
AllocKind getKindOfNewOp(const CXXNewExpr *NE, const FunctionDecl *FD) const; AllocKind getKindOfNewOp(const CXXNewExpr *NE, const FunctionDecl *FD) const;
const MemRegion *getArrayRegion(const MemRegion *Region, bool &Polymorphic, const MemRegion *getArrayRegion(const MemRegion *Region, bool &Polymorphic,
AllocKind &AKind, CheckerContext &C) const; AllocKind &AKind, CheckerContext &C) const;
const MemRegion *getPointedRegion(const MemRegion *Region, const MemRegion *getPointedRegion(const MemRegion *Region,
CheckerContext &C) const; CheckerContext &C) const;
void reportPointerArithMisuse(const Expr *E, CheckerContext &C, void reportPointerArithMisuse(const Expr *E, CheckerContext &C,
bool PointedNeeded = false) const; bool PointedNeeded = false) const;
void initAllocIdentifiers(ASTContext &C) const; void initAllocIdentifiers(ASTContext &C) const;
void processNewAllocatorAux(const CXXNewExpr *NE, SVal Target,
CheckerContext &C) const;
mutable std::unique_ptr<BuiltinBug> BT_pointerArith; mutable std::unique_ptr<BuiltinBug> BT_pointerArith;
mutable std::unique_ptr<BuiltinBug> BT_polyArray; mutable std::unique_ptr<BuiltinBug> BT_polyArray;
mutable llvm::SmallSet<IdentifierInfo *, 8> AllocFunctions; mutable llvm::SmallSet<IdentifierInfo *, 8> AllocFunctions;
public: public:
void checkPreStmt(const UnaryOperator *UOp, CheckerContext &C) const; void checkPreStmt(const UnaryOperator *UOp, CheckerContext &C) const;
void checkPreStmt(const BinaryOperator *BOp, CheckerContext &C) const; void checkPreStmt(const BinaryOperator *BOp, CheckerContext &C) const;
void checkPreStmt(const ArraySubscriptExpr *SubExpr, CheckerContext &C) const; void checkPreStmt(const ArraySubscriptExpr *SubExpr, CheckerContext &C) const;
void checkPreStmt(const CastExpr *CE, CheckerContext &C) const; void checkPreStmt(const CastExpr *CE, CheckerContext &C) const;
void checkPostStmt(const CastExpr *CE, CheckerContext &C) const; void checkPostStmt(const CastExpr *CE, CheckerContext &C) const;
void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
void checkNewAllocator(const CXXNewExpr *NE, SVal Target,
CheckerContext &C) const;
}; };
} // end namespace } // end namespace
REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, const MemRegion *, AllocKind) REGISTER_MAP_WITH_PROGRAMSTATE(RegionState, const MemRegion *, AllocKind)
void PointerArithChecker::checkDeadSymbols(SymbolReaper &SR, void PointerArithChecker::checkDeadSymbols(SymbolReaper &SR,
CheckerContext &C) const { CheckerContext &C) const {
// TODO: intentional leak. Some information is garbage collected too early, // TODO: intentional leak. Some information is garbage collected too early,
▲ Show 20 LinesShow All 154 Lines▼ Show 20 Linesvoid PointerArithChecker::checkPostStmt(const CallExpr *CE,
// Assume that C allocation functions allocate arrays to avoid false // Assume that C allocation functions allocate arrays to avoid false
// positives. // positives.
// TODO: Add heuristics to distinguish alloc calls that allocates single // TODO: Add heuristics to distinguish alloc calls that allocates single
// objecs. // objecs.
State = State->set<RegionState>(Region, AllocKind::Array); State = State->set<RegionState>(Region, AllocKind::Array);
C.addTransition(State); C.addTransition(State);
} }
void PointerArithChecker::checkPostStmt(const CXXNewExpr *NE, void PointerArithChecker::processNewAllocatorAux(const CXXNewExpr *NE,
SVal Target,
CheckerContext &C) const { CheckerContext &C) const {
const FunctionDecl *FD = NE->getOperatorNew(); const FunctionDecl *FD = NE->getOperatorNew();
if (!FD) if (!FD)
return; return;
AllocKind Kind = getKindOfNewOp(NE, FD); const MemRegion *Region = Target.getAsRegion();
ProgramStateRef State = C.getState();
SVal AllocedVal = State->getSVal(NE, C.getLocationContext());
const MemRegion *Region = AllocedVal.getAsRegion();
if (!Region) if (!Region)
return; return;
State = State->set<RegionState>(Region, Kind);
C.addTransition(State); Region = Region->StripCasts();
AllocKind Kind = getKindOfNewOp(NE, FD);
C.addTransition(C.getState()->set<RegionState>(Region, Kind));
}
void PointerArithChecker::checkPostStmt(const CXXNewExpr *NE,
CheckerContext &C) const {
if (!C.getAnalysisManager().getAnalyzerOptions().mayInlineCXXAllocator())
processNewAllocatorAux(NE, C.getSVal(NE), C);
}
void PointerArithChecker::checkNewAllocator(const CXXNewExpr *NE,
SVal Target, CheckerContext &C) const {
if (!C.wasInlined)
processNewAllocatorAux(NE, Target, C);
} }
void PointerArithChecker::checkPostStmt(const CastExpr *CE, void PointerArithChecker::checkPostStmt(const CastExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
if (CE->getCastKind() != CastKind::CK_BitCast) if (CE->getCastKind() != CastKind::CK_BitCast)
return; return;
const Expr *CastedExpr = CE->getSubExpr(); const Expr *CastedExpr = CE->getSubExpr();
▲ Show 20 LinesShow All 79 LinesShow Last 20 Lines

test/Analysis/ptr-arith.cpp

// RUN: %clang_analyze_cc1 -Wno-unused-value -std=c++14 -analyzer-checker=core,debug.ExprInspection,alpha.core.PointerArithm -verify %s // RUN: %clang_analyze_cc1 -Wno-unused-value -std=c++14 -analyzer-checker=core,debug.ExprInspection,alpha.core.PointerArithm -verify %s
// RUN: %clang_analyze_cc1 -Wno-unused-value -std=c++14 -analyzer-checker=core,debug.ExprInspection,alpha.core.PointerArithm -analyzer-config c++-allocator-inlining=true -verify %s
struct X { struct X {
int *p; int *p;
int zero; int zero;
void foo () { void foo () {
reset(p - 1); reset(p - 1);
} }
void reset(int *in) { void reset(int *in) {
while (in != p) // Loop must be entered. while (in != p) // Loop must be entered.
▲ Show 20 LinesShow All 110 LinesShow Last 20 Lines