This is an archive of the discontinued LLVM Phabricator instance.

Differential D49057

[analyzer] Track multiple raw pointer symbols in DanglingInternalBufferChecker
ClosedPublic

Authored by rnkovacs on Jul 8 2018, 10:06 AM.

Details

Reviewers
NoQ
xazax.hun
george.karpenkov
Commits
rG5f70d9b9582e: [analyzer] Track multiple raw pointer symbols in DanglingInternalBufferChecker.
rL336835: [analyzer] Track multiple raw pointer symbols in DanglingInternalBufferChecker.
rC336835: [analyzer] Track multiple raw pointer symbols in DanglingInternalBufferChecker.
Summary

Previously, the checker only tracked one raw pointer symbol for each container object.
But member functions returning a pointer to the object's inner buffer may be called on the object several times.
These pointer symbols are now collected in a set inside the program state map and thus all of them is checked for use-after-free problems.

Diff Detail

Event Timeline

rnkovacs created this revision.Jul 8 2018, 10:06 AM
Herald added subscribers: mikhail.ramalho, a.sidorin, dkrupp and 3 others. · View Herald TranscriptJul 8 2018, 10:06 AM
xazax.hun accepted this revision.Jul 8 2018, 10:21 AM

Overall looks good, some nits inline. Let's run it on some projects to exercise this change.

lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp
27

I think we should use using now instead of typedef.

126

Is it possible here the set to be empty? We just added a new element to it above. Maybe turn this into an assert or just omit this if it is impossible?

138

Using both contains and get will result in two lookups. Maybe it would be better to just use get and check if the result is nullptr?

159

Same comment as above.

test/Analysis/dangling-internal-buffer.cpp
111

We started to use lowercase letters for variable names. Maybe this is not the best, since it is not following the LLVM coding guidelines. So I think it would be better to rename this Cond to start with a lowercase letter in this patch for consistency, and update the tests to follow the LLVM coding styleguide in a separate patch later.

This revision is now accepted and ready to land.Jul 8 2018, 10:21 AM
rnkovacs updated this revision to Diff 154519.Jul 8 2018, 10:57 AM
rnkovacs marked 5 inline comments as done.
rnkovacs edited the summary of this revision. (Show Details)

Addressed comments.

lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp
126

I'm not sure whether add() can fail. I turned it into an assert now and will see if it ever fails.

xazax.hun added a comment.Jul 8 2018, 10:59 AM

Thanks! The changes look good, I forgot to mark one double lookup though in my previous review.

lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp
120

Oh, there is also a double lookup here, sorry I did not spot it in the initial review.

rnkovacs updated this revision to Diff 154520.Jul 8 2018, 11:13 AM
rnkovacs marked an inline comment as done.
rnkovacs added inline comments.
lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp
120

Thanks for noticing. I should have seen it in the first place :)

rnkovacs added a child revision: D49058: [analyzer] Move InnerPointerChecker out of alpha.Jul 8 2018, 11:24 AM
NoQ added a comment.Jul 8 2018, 12:25 PM

Much symbols!

lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp
32–40

Please add a comment on how this template is useful. This trick is used by some checkers, but it's a veeeery unobvious trick. We should probably add a macro for that, i.e. REGISTER_FACTORY_WITH_PROGRAMSTATE or something like that.

113

Maybe turn the FIXME into a NOTE or something like that. It indeed seems fine, but let's still make sure the reader realizes that there's a subtle potential problem here.

115

I'd much rather unwrap the symbol here, i.e. if (SymbolRef Sym = RawPtr.getAsSymbol()). A lot of other cornercases may occur if the implementation is accidentally inlined (Undefined, concrete regions). Also, speculatively, .getAsSymbol(/* search for symbolic base = */ true) for the same reason*.

If we didn't care about inlined implementations, the Unknown check would have been redundant. So it should also be safe to straightforwardly ignore inlined implementations by consulting C.wasInlined, then the presence of the symbol can be asserted. But i'd rather speculatively care about inlined implementations as long as it seems easy.

__
* In fact your code relies on a very wonky implementation detail of our SVal hierarchy: namely, pointer-type return values of conservatively evaluated functions are always expressed as &SymRegion{conj_$N<pointer type>} and never as &element{SymRegion{conj_$N<pointer type>}, 0 S32b, pointee type}. Currently nobody knows the rules under which zero element regions are added in different parts of the analyzer, i.e. what is the "canonical" representation of the symbolic pointer, though i made a few attempts to speculate.

118

My favorite idiom for such cases, looks a bit cleaner:

const PtrSet *SetPtr = State->get<RawPtrMap>(ObjRegion)
PtrSet Set = SetPtr ? *SetPtr : F.getEmptySet()
121

This contains check is very unlikely to yield true because if the implementation is not inlined, the symbol is newly born. I'd much rather skip the check; it doesn't sound like it'd make things any faster.

Even better, let's assert that: assert(C.wasInlined || !Set.contains(Sym)). It'll probably help us catch some "reincarnated symbol" bugs in the core.

126

It totally can't. We're just adding an object to a set. What could possibly go wrong?

rnkovacs updated this revision to Diff 154556.Jul 9 2018, 2:33 AM
rnkovacs marked 5 inline comments as done.

Thanks very much for your review!

lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp
32–40

Should I do that then? Maybe in CheckerContext.h?

115

I wasn't aware of much of this. Thanks for the detailed explanation :)

NoQ accepted this revision.Jul 10 2018, 11:06 AM

Looks great, thanks!

Closed by commit rC336835: [analyzer] Track multiple raw pointer symbols in DanglingInternalBufferChecker. (authored by rkovacs). · Explain WhyJul 11 2018, 12:13 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
75 lines
test/
Analysis/
22 lines

Diff 154518

lib/StaticAnalyzer/Checkers/DanglingInternalBufferChecker.cpp

Show All 18 Lines
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
// FIXME: member functions that return a pointer to the container's internal typedef llvm::ImmutableSet<SymbolRef> PtrSet;
xazax.hunUnsubmitted
Done
ReplyInline Actions

I think we should use using now instead of typedef.

xazax.hun: I think we should use `using` now instead of `typedef`.
// buffer may be called on the object many times, so the object's memory
// region should have a list of pointer symbols associated with it. // Associate container objects with a set of raw pointer symbols.
REGISTER_MAP_WITH_PROGRAMSTATE(RawPtrMap, const MemRegion *, SymbolRef) REGISTER_MAP_WITH_PROGRAMSTATE(RawPtrMap, const MemRegion *, PtrSet)
namespace clang {
namespace ento {
template<> struct ProgramStateTrait<PtrSet>
: public ProgramStatePartialTrait<PtrSet> {
static void *GDMIndex() {
static int Index = 0;
return &Index;
}
};
NoQUnsubmitted
Done
ReplyInline Actions

Please add a comment on how this template is useful. This trick is used by some checkers, but it's a veeeery unobvious trick. We should probably add a macro for that, i.e. REGISTER_FACTORY_WITH_PROGRAMSTATE or something like that.

NoQ: Please add a comment on how this template is useful. This trick is used by some checkers, but…
rnkovacsAuthorUnsubmitted
Not Done
ReplyInline Actions

Should I do that then? Maybe in CheckerContext.h?

rnkovacs: Should I do that then? Maybe in `CheckerContext.h`?
} // end namespace ento
} // end namespace clang
namespace { namespace {
class DanglingInternalBufferChecker class DanglingInternalBufferChecker
: public Checker<check::DeadSymbols, check::PostCall> { : public Checker<check::DeadSymbols, check::PostCall> {
CallDescription CStrFn, DataFn; CallDescription CStrFn, DataFn;
public: public:
Show All 16 Lines std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
const ExplodedNode *PrevN, const ExplodedNode *PrevN,
BugReporterContext &BRC, BugReporterContext &BRC,
BugReport &BR) override; BugReport &BR) override;
// FIXME: Scan the map once in the visitor's constructor and do a direct // FIXME: Scan the map once in the visitor's constructor and do a direct
// lookup by region. // lookup by region.
bool isSymbolTracked(ProgramStateRef State, SymbolRef Sym) { bool isSymbolTracked(ProgramStateRef State, SymbolRef Sym) {
RawPtrMapTy Map = State->get<RawPtrMap>(); RawPtrMapTy Map = State->get<RawPtrMap>();
for (const auto Entry : Map) { for (const auto &Entry : Map) {
if (Entry.second == Sym) if (Entry.second.contains(Sym))
return true; return true;
} }
return false; return false;
} }
}; };
DanglingInternalBufferChecker() : CStrFn("c_str"), DataFn("data") {} DanglingInternalBufferChecker() : CStrFn("c_str"), DataFn("data") {}
Show All 10 Lines
void DanglingInternalBufferChecker::checkPostCall(const CallEvent &Call, void DanglingInternalBufferChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const auto *ICall = dyn_cast<CXXInstanceCall>(&Call); const auto *ICall = dyn_cast<CXXInstanceCall>(&Call);
if (!ICall) if (!ICall)
return; return;
SVal Obj = ICall->getCXXThisVal(); SVal Obj = ICall->getCXXThisVal();
const auto *TypedR = dyn_cast_or_null<TypedValueRegion>(Obj.getAsRegion()); const auto *ObjRegion = dyn_cast_or_null<TypedValueRegion>(Obj.getAsRegion());
if (!TypedR) if (!ObjRegion)
return; return;
auto *TypeDecl = TypedR->getValueType()->getAsCXXRecordDecl(); auto *TypeDecl = ObjRegion->getValueType()->getAsCXXRecordDecl();
if (TypeDecl->getName() != "basic_string") if (TypeDecl->getName() != "basic_string")
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (Call.isCalled(CStrFn) || Call.isCalled(DataFn)) { if (Call.isCalled(CStrFn) || Call.isCalled(DataFn)) {
SVal RawPtr = Call.getReturnValue(); SVal RawPtr = Call.getReturnValue();
if (!RawPtr.isUnknown()) { if (!RawPtr.isUnknown()) {
NoQUnsubmitted
Done
ReplyInline Actions

I'd much rather unwrap the symbol here, i.e. if (SymbolRef Sym = RawPtr.getAsSymbol()). A lot of other cornercases may occur if the implementation is accidentally inlined (Undefined, concrete regions). Also, speculatively, .getAsSymbol(/* search for symbolic base = */ true) for the same reason*.

If we didn't care about inlined implementations, the Unknown check would have been redundant. So it should also be safe to straightforwardly ignore inlined implementations by consulting C.wasInlined, then the presence of the symbol can be asserted. But i'd rather speculatively care about inlined implementations as long as it seems easy.

__
* In fact your code relies on a very wonky implementation detail of our SVal hierarchy: namely, pointer-type return values of conservatively evaluated functions are always expressed as &SymRegion{conj_$N<pointer type>} and never as &element{SymRegion{conj_$N<pointer type>}, 0 S32b, pointee type}. Currently nobody knows the rules under which zero element regions are added in different parts of the analyzer, i.e. what is the "canonical" representation of the symbolic pointer, though i made a few attempts to speculate.

NoQ: I'd much rather unwrap the symbol here, i.e. `if (SymbolRef Sym = RawPtr.getAsSymbol())`. A lot…
rnkovacsAuthorUnsubmitted
Not Done
ReplyInline Actions

I wasn't aware of much of this. Thanks for the detailed explanation :)

rnkovacs: I wasn't aware of much of this. Thanks for the detailed explanation :)
State = State->set<RawPtrMap>(TypedR, RawPtr.getAsSymbol()); // Start tracking this raw pointer by adding it to the set of symbols
// associated with this container object in the program state map.
PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>();
NoQUnsubmitted
Done
ReplyInline Actions

My favorite idiom for such cases, looks a bit cleaner:

const PtrSet *SetPtr = State->get<RawPtrMap>(ObjRegion)
PtrSet Set = SetPtr ? *SetPtr : F.getEmptySet()
NoQ: My favorite idiom for such cases, looks a bit cleaner: ``` const PtrSet *SetPtr = State…
PtrSet NewSet = F.getEmptySet();
if (State->contains<RawPtrMap>(ObjRegion)) {
xazax.hunUnsubmitted
Done
ReplyInline Actions

Oh, there is also a double lookup here, sorry I did not spot it in the initial review.

xazax.hun: Oh, there is also a double lookup here, sorry I did not spot it in the initial review.
rnkovacsAuthorUnsubmitted
Not Done
ReplyInline Actions

Thanks for noticing. I should have seen it in the first place :)

rnkovacs: Thanks for noticing. I should have seen it in the first place :)
NewSet = *State->get<RawPtrMap>(ObjRegion);
NoQUnsubmitted
Done
ReplyInline Actions

This contains check is very unlikely to yield true because if the implementation is not inlined, the symbol is newly born. I'd much rather skip the check; it doesn't sound like it'd make things any faster.

Even better, let's assert that: assert(C.wasInlined || !Set.contains(Sym)). It'll probably help us catch some "reincarnated symbol" bugs in the core.

NoQ: This `contains` check is very unlikely to yield true because if the implementation is not…
if (NewSet.contains(RawPtr.getAsSymbol()))
return;
}
NewSet = F.add(NewSet, RawPtr.getAsSymbol());
if (!NewSet.isEmpty()) {
xazax.hunUnsubmitted
Done
ReplyInline Actions

Is it possible here the set to be empty? We just added a new element to it above. Maybe turn this into an assert or just omit this if it is impossible?

xazax.hun: Is it possible here the set to be empty? We just added a new element to it above. Maybe turn…
rnkovacsAuthorUnsubmitted
Not Done
ReplyInline Actions

I'm not sure whether add() can fail. I turned it into an assert now and will see if it ever fails.

rnkovacs: I'm not sure whether `add()` can fail. I turned it into an assert now and will see if it ever…
NoQUnsubmitted
Not Done
ReplyInline Actions

It totally can't. We're just adding an object to a set. What could possibly go wrong?

NoQ: It totally can't. We're just adding an object to a set. What could possibly go wrong?
State = State->set<RawPtrMap>(ObjRegion, NewSet);
C.addTransition(State); C.addTransition(State);
} }
}
return; return;
} }
if (isa<CXXDestructorCall>(ICall)) { if (isa<CXXDestructorCall>(ICall)) {
if (State->contains<RawPtrMap>(TypedR)) { if (State->contains<RawPtrMap>(ObjRegion)) {
const SymbolRef *StrBufferPtr = State->get<RawPtrMap>(TypedR); // Mark all pointer symbols associated with the deleted object released.
// FIXME: What if Origin is null?
NoQUnsubmitted
Done
ReplyInline Actions

Maybe turn the FIXME into a NOTE or something like that. It indeed seems fine, but let's still make sure the reader realizes that there's a subtle potential problem here.

NoQ: Maybe turn the FIXME into a NOTE or something like that. It indeed seems fine, but let's still…
const Expr *Origin = Call.getOriginExpr(); const Expr *Origin = Call.getOriginExpr();
State = allocation_state::markReleased(State, *StrBufferPtr, Origin); const PtrSet *PS = State->get<RawPtrMap>(ObjRegion);
xazax.hunUnsubmitted
Done
ReplyInline Actions

Using both contains and get will result in two lookups. Maybe it would be better to just use get and check if the result is nullptr?

xazax.hun: Using both contains and get will result in two lookups. Maybe it would be better to just use…
State = State->remove<RawPtrMap>(TypedR); for (const auto &Symbol : *PS)
State = allocation_state::markReleased(State, Symbol, Origin);
State = State->remove<RawPtrMap>(ObjRegion);
C.addTransition(State); C.addTransition(State);
return; return;
} }
} }
} }
void DanglingInternalBufferChecker::checkDeadSymbols(SymbolReaper &SymReaper, void DanglingInternalBufferChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>();
RawPtrMapTy RPM = State->get<RawPtrMap>(); RawPtrMapTy RPM = State->get<RawPtrMap>();
for (const auto Entry : RPM) { for (const auto &Entry : RPM) {
if (!SymReaper.isLive(Entry.second))
State = State->remove<RawPtrMap>(Entry.first);
if (!SymReaper.isLiveRegion(Entry.first)) { if (!SymReaper.isLiveRegion(Entry.first)) {
// Due to incomplete destructor support, some dead regions might still // Due to incomplete destructor support, some dead regions might
// remain in the program state map. Clean them up. // remain in the program state map. Clean them up.
State = State->remove<RawPtrMap>(Entry.first); State = State->remove<RawPtrMap>(Entry.first);
} }
if (State->contains<RawPtrMap>(Entry.first)) {
xazax.hunUnsubmitted
Done
ReplyInline Actions

Same comment as above.

xazax.hun: Same comment as above.
const PtrSet *OldSet = State->get<RawPtrMap>(Entry.first);
PtrSet CleanedUpSet = *OldSet;
for (const auto &Symbol : Entry.second) {
if (!SymReaper.isLive(Symbol))
CleanedUpSet = F.remove(CleanedUpSet, Symbol);
}
State = CleanedUpSet.isEmpty()
? State->remove<RawPtrMap>(Entry.first)
: State->set<RawPtrMap>(Entry.first, CleanedUpSet);
}
} }
C.addTransition(State); C.addTransition(State);
} }
std::shared_ptr<PathDiagnosticPiece> std::shared_ptr<PathDiagnosticPiece>
DanglingInternalBufferChecker::DanglingBufferBRVisitor::VisitNode( DanglingInternalBufferChecker::DanglingBufferBRVisitor::VisitNode(
const ExplodedNode *N, const ExplodedNode *PrevN, BugReporterContext &BRC, const ExplodedNode *N, const ExplodedNode *PrevN, BugReporterContext &BRC,
BugReport &BR) { BugReport &BR) {
Show All 35 Lines

test/Analysis/dangling-internal-buffer.cpp

Show First 20 LinesShow All 102 Lines▼ Show 20 Lines const char32_t *c32;
c32 = s32.data(); // expected-note {{Pointer to dangling buffer was obtained here}} c32 = s32.data(); // expected-note {{Pointer to dangling buffer was obtained here}}
} // expected-note {{Internal buffer is released because the object was destroyed}} } // expected-note {{Internal buffer is released because the object was destroyed}}
std::u32string s32; std::u32string s32;
const char32_t *c32_2 = s32.data(); const char32_t *c32_2 = s32.data();
consume(c32); // expected-warning {{Use of memory after it is freed}} consume(c32); // expected-warning {{Use of memory after it is freed}}
// expected-note@-1 {{Use of memory after it is freed}} // expected-note@-1 {{Use of memory after it is freed}}
} }
void multiple_symbols(bool Cond) {
xazax.hunUnsubmitted
Done
ReplyInline Actions

We started to use lowercase letters for variable names. Maybe this is not the best, since it is not following the LLVM coding guidelines. So I think it would be better to rename this Cond to start with a lowercase letter in this patch for consistency, and update the tests to follow the LLVM coding styleguide in a separate patch later.

xazax.hun: We started to use lowercase letters for variable names. Maybe this is not the best, since it is…
const char *c1, *d1;
{
std::string s1;
c1 = s1.c_str(); // expected-note {{Pointer to dangling buffer was obtained here}}
d1 = s1.data(); // expected-note {{Pointer to dangling buffer was obtained here}}
const char *local = s1.c_str();
consume(local); // no-warning
} // expected-note {{Internal buffer is released because the object was destroyed}}
// expected-note@-1 {{Internal buffer is released because the object was destroyed}}
std::string s2;
const char *c2 = s2.c_str();
if (Cond) {
// expected-note@-1 {{Assuming 'Pred' is not equal to 0}} // expected-note@-1 {{Taking true branch}}
// expected-note@-2 {{Assuming 'Pred' is 0}} // expected-note@-2 {{Taking false branch}}
consume(c1); // expected-warning {{Use of memory after it is freed}}
// expected-note@-1 {{Use of memory after it is freed}}
} else {
consume(d1); // expected-warning {{Use of memory after it is freed}}
} // expected-note@-1 {{Use of memory after it is freed}}
}
void deref_after_scope_cstr_ok() { void deref_after_scope_cstr_ok() {
const char *c; const char *c;
std::string s; std::string s;
{ {
c = s.c_str(); c = s.c_str();
} }
consume(c); // no-warning consume(c); // no-warning
} }
Show All 9 Lines