This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
include/clang/StaticAnalyzer/Core/
-
clang/
-
StaticAnalyzer/
-
Core/
-
RetainSummaryManager.h
-
lib/StaticAnalyzer/
-
StaticAnalyzer/
-
Checkers/RetainCountChecker/
-
RetainCountChecker/
-
RetainCountChecker.cpp
-
Core/
-
RetainSummaryManager.cpp
-
test/Analysis/
-
Analysis/
-
osobject-retain-release.cpp

Differential D53624

[analyzer] For now model that OSDynamicCast never returns 0
ClosedPublic

Authored by george.karpenkov on Oct 23 2018, 5:24 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
NoQ

Commits

rG3c2ed8f3386e: [analyzer] Correct modelling of OSDynamicCast: eagerly state split
rC345338: [analyzer] Correct modelling of OSDynamicCast: eagerly state split
rL345338: [analyzer] Correct modelling of OSDynamicCast: eagerly state split

Summary

Previously, OSDynamicCast was modeled as an identity.

This is not correct: the output of OSDynamicCast may be zero even if the input was not zero (if the class is not of desired type), and thus the modeling led to false positives.
This patch adds another overapproximation: assume that OSDynamicCast never returns zero.
What we probably really want is an implication x != 0 /\ a = OSDynamicCast(x, C) => a != 0,
but that is hard to assume with our interval solver (though could be done with a table lookup hack).
Modeling checking the class hierarchy is probably not practical.

This patch required a substantial refactoring of canEval infrastructure, as now it can return different function summaries, and not just true/false.

rdar://45497400

Diff Detail

Event Timeline

george.karpenkov created this revision.Oct 23 2018, 5:24 PM

Herald added subscribers: dkrupp, donat.nagy, Szelethus and 5 others. · View Herald TranscriptOct 23 2018, 5:24 PM

Makes sense!

This revision is now accepted and ready to land.Oct 24 2018, 12:09 PM

Or maybe it does not: we should still be able to catch cases where OSDynamicCast fails.

george.karpenkov updated this revision to Diff 171192.Oct 25 2018, 1:59 PM

On second thought, i actually think this should have been done as part of the dynamic type checker. This functionality doesn't have much to do with retain counts, but for more precise modeling some sort of reasoning about dynamic types behind pointers would be absolutely necessary.

I guess let's land this improvement, unless eager splits result in too many false alarms, and move to the right place later.

Closed by commit rL345338: [analyzer] Correct modelling of OSDynamicCast: eagerly state split (authored by george.karpenkov). · Explain WhyOct 25 2018, 4:40 PM

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: llvm-commits. · View Herald TranscriptOct 25 2018, 4:40 PM

NoQ added inline comments.Oct 30 2018, 5:23 PM

cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
813–814 ↗	(On Diff #171223)	If assume fails and yields a null state, you shouldn't transition into that state; it won't generate a sink but will instead transition into the original state (with the original program point but with checker tag).

george.karpenkov added inline comments.Oct 30 2018, 6:36 PM

cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
813–814 ↗	(On Diff #171223)	That does not seem to be true: `addTransition` sets `Tag` to `nullptr` by default, and then `addTransitionImpl` has the following lines: if (!State \|\| (State == Pred->getState() && !Tag && !MarkAsSink)) return Pred; So if we create a transition to an empty state, that simply returns the original state, which caches out.

NoQ added inline comments.Oct 30 2018, 7:34 PM

cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp
813–814 ↗	(On Diff #171223)	Aha, aha, that's right, i was wrong and confused it with `generateNonFatalErrorNode()`. runs away and blames API

Revision Contents

Path

Size

clang/

include/

clang/

StaticAnalyzer/

Core/

RetainSummaryManager.h

41 lines

lib/

StaticAnalyzer/

Checkers/

RetainCountChecker/

RetainCountChecker.cpp

13 lines

Core/

RetainSummaryManager.cpp

43 lines

test/

Analysis/

osobject-retain-release.cpp

16 lines

Diff 170790

clang/include/clang/StaticAnalyzer/Core/RetainSummaryManager.h

Show First 20 Lines • Show All 630 Lines • ▼ Show 20 Lines	: Ctx(ctx),
ObjCAllocRetE(usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC)		ObjCAllocRetE(usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC)
: RetEffect::MakeOwned(RetEffect::ObjC)),		: RetEffect::MakeOwned(RetEffect::ObjC)),
ObjCInitRetE(usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC)		ObjCInitRetE(usesARC ? RetEffect::MakeNotOwned(RetEffect::ObjC)
: RetEffect::MakeOwnedWhenTrackedReceiver()) {		: RetEffect::MakeOwnedWhenTrackedReceiver()) {
InitializeClassMethodSummaries();		InitializeClassMethodSummaries();
InitializeMethodSummaries();		InitializeMethodSummaries();
}		}

bool canEval(const CallExpr *CE,		class BehaviorSummary {
const FunctionDecl *FD,		bool IsIdentity;
		bool IsNoop;
		bool IsNonZero;

		public:
		BehaviorSummary(bool IsIdentity,
		bool IsNoop,
		bool IsNonZero)
		: IsIdentity(IsIdentity),
		IsNoop(IsNoop),
		IsNonZero(IsNonZero) {}

		bool isIdentity() {
		return IsIdentity;
		}

		bool isNonZero() {
		return IsNonZero;
		}

		bool isNoop() {
		return IsNoop;
		}

		// Function does not do anything.
		static const BehaviorSummary NoOp;

		// Function returns the first argument.
		static const BehaviorSummary Identity;

		// Function is an identity, and both input and output are
		// guaranteed to be non zero.
		static const BehaviorSummary IdentityNonZero;
		};

		Optional<BehaviorSummary> canEval(const CallExpr CE, const FunctionDecl FD,
bool &hasTrustedImplementationAnnotation);		bool &hasTrustedImplementationAnnotation);

bool isTrustedReferenceCountImplementation(const FunctionDecl *FD);		bool isTrustedReferenceCountImplementation(const FunctionDecl *FD);

const RetainSummary *getSummary(const CallEvent &Call,		const RetainSummary *getSummary(const CallEvent &Call,
QualType ReceiverType=QualType());		QualType ReceiverType=QualType());

const RetainSummary getFunctionSummary(const FunctionDecl FD);		const RetainSummary getFunctionSummary(const FunctionDecl FD);

▲ Show 20 Lines • Show All 89 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp

Show First 20 Lines • Show All 768 Lines • ▼ Show 20 Lines	bool RetainCountChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
QualType ResultTy = CE->getCallReturnType(C.getASTContext());		QualType ResultTy = CE->getCallReturnType(C.getASTContext());

// See if the function has 'rc_ownership_trusted_implementation'		// See if the function has 'rc_ownership_trusted_implementation'
// annotate attribute. If it does, we will not inline it.		// annotate attribute. If it does, we will not inline it.
bool hasTrustedImplementationAnnotation = false;		bool hasTrustedImplementationAnnotation = false;

const LocationContext *LCtx = C.getLocationContext();		const LocationContext *LCtx = C.getLocationContext();

		Optional<RetainSummaryManager::BehaviorSummary> BSmr =
		SmrMgr.canEval(CE, FD, hasTrustedImplementationAnnotation);

// See if it's one of the specific functions we know how to eval.		// See if it's one of the specific functions we know how to eval.
if (!SmrMgr.canEval(CE, FD, hasTrustedImplementationAnnotation))		if (!BSmr)
return false;		return false;

// Bind the return value.		// Bind the return value.
// For now, all the functions which we can evaluate and which take		// For now, all the functions which we can evaluate and which take
// at least one argument are identities.		// at least one argument are identities.
if (CE->getNumArgs() >= 1) {		if (BSmr->isIdentity()) {
SVal RetVal = state->getSVal(CE->getArg(0), LCtx);		SVal RetVal = state->getSVal(CE->getArg(0), LCtx);

// If the receiver is unknown or the function has		// If the receiver is unknown or the function has
// 'rc_ownership_trusted_implementation' annotate attribute, conjure a		// 'rc_ownership_trusted_implementation' annotate attribute, conjure a
// return value.		// return value.
if (RetVal.isUnknown() \|\|		if (RetVal.isUnknown() \|\|
(hasTrustedImplementationAnnotation && !ResultTy.isNull())) {		(hasTrustedImplementationAnnotation && !ResultTy.isNull())) {
SValBuilder &SVB = C.getSValBuilder();		SValBuilder &SVB = C.getSValBuilder();
RetVal =		RetVal =
SVB.conjureSymbolVal(nullptr, CE, LCtx, ResultTy, C.blockCount());		SVB.conjureSymbolVal(nullptr, CE, LCtx, ResultTy, C.blockCount());
}		}
state = state->BindExpr(CE, LCtx, RetVal, false);		state = state->BindExpr(CE, LCtx, RetVal, false);

		if (BSmr->isNonZero()) {
		if (auto L = RetVal.getAs<DefinedOrUnknownSVal>())
		// Assume that both input and output has to be non-zero.
		state = state->assume(L, /Assumption=*/true);
		}
}		}

C.addTransition(state);		C.addTransition(state);
return true;		return true;
}		}

ExplodedNode * RetainCountChecker::processReturn(const ReturnStmt *S,		ExplodedNode * RetainCountChecker::processReturn(const ReturnStmt *S,
CheckerContext &C) const {		CheckerContext &C) const {
▲ Show 20 Lines • Show All 581 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/RetainSummaryManager.cpp

Show First 20 Lines • Show All 509 Lines • ▼ Show 20 Lines	RetainSummaryManager::getCFCreateGetRuleSummary(const FunctionDecl *FD) {
return getCFSummaryGetRule(FD);		return getCFSummaryGetRule(FD);
}		}

bool RetainSummaryManager::isTrustedReferenceCountImplementation(		bool RetainSummaryManager::isTrustedReferenceCountImplementation(
const FunctionDecl *FD) {		const FunctionDecl *FD) {
return hasRCAnnotation(FD, "rc_ownership_trusted_implementation");		return hasRCAnnotation(FD, "rc_ownership_trusted_implementation");
}		}

bool RetainSummaryManager::canEval(const CallExpr *CE,		Optional<RetainSummaryManager::BehaviorSummary>
const FunctionDecl *FD,		RetainSummaryManager::canEval(const CallExpr CE, const FunctionDecl FD,
bool &hasTrustedImplementationAnnotation) {		bool &hasTrustedImplementationAnnotation) {

IdentifierInfo *II = FD->getIdentifier();		IdentifierInfo *II = FD->getIdentifier();
if (!II)		if (!II)
return false;		return None;

StringRef FName = II->getName();		StringRef FName = II->getName();
FName = FName.substr(FName.find_first_not_of('_'));		FName = FName.substr(FName.find_first_not_of('_'));

QualType ResultTy = CE->getCallReturnType(Ctx);		QualType ResultTy = CE->getCallReturnType(Ctx);
if (ResultTy->isObjCIdType()) {		if (ResultTy->isObjCIdType()) {
return II->isStr("NSMakeCollectable");		if (II->isStr("NSMakeCollectable"))
		return BehaviorSummary::Identity;
} else if (ResultTy->isPointerType()) {		} else if (ResultTy->isPointerType()) {
// Handle: (CF\|CG\|CV)Retain		// Handle: (CF\|CG\|CV)Retain
// CFAutorelease		// CFAutorelease
// It's okay to be a little sloppy here.		// It's okay to be a little sloppy here.
if (cocoa::isRefType(ResultTy, "CF", FName) \|\|		if (cocoa::isRefType(ResultTy, "CF", FName) \|\|
cocoa::isRefType(ResultTy, "CG", FName) \|\|		cocoa::isRefType(ResultTy, "CG", FName) \|\|
cocoa::isRefType(ResultTy, "CV", FName))		cocoa::isRefType(ResultTy, "CV", FName))
return isRetain(FD, FName) \|\| isAutorelease(FD, FName) \|\|		if (isRetain(FD, FName) \|\| isAutorelease(FD, FName) \|\|
isMakeCollectable(FName);		isMakeCollectable(FName))
		return BehaviorSummary::Identity;

// Process OSDynamicCast: should just return the first argument.		// Process OSDynamicCast: should just return the first argument.
// For now, treating the cast as a no-op, and disregarding the case where		// For now, treating the cast as a no-op, and disregarding the case where
// the output becomes null due to the type mismatch.		// the output becomes null due to the type mismatch.
if (TrackOSObjects && FName == "safeMetaCast") {		if (TrackOSObjects && FName == "safeMetaCast") {
return true;		return BehaviorSummary::IdentityNonZero;
}		}

const FunctionDecl* FDD = FD->getDefinition();		const FunctionDecl* FDD = FD->getDefinition();
if (FDD && isTrustedReferenceCountImplementation(FDD)) {		if (FDD && isTrustedReferenceCountImplementation(FDD)) {
hasTrustedImplementationAnnotation = true;		hasTrustedImplementationAnnotation = true;
return true;		return BehaviorSummary::Identity;
}		}
}		}

if (const auto *MD = dyn_cast<CXXMethodDecl>(FD)) {		if (const auto *MD = dyn_cast<CXXMethodDecl>(FD)) {
const CXXRecordDecl *Parent = MD->getParent();		const CXXRecordDecl *Parent = MD->getParent();
if (TrackOSObjects && Parent && isOSObjectSubclass(Parent))		if (TrackOSObjects && Parent && isOSObjectSubclass(Parent))
return FName == "release" \|\| FName == "retain";		if (FName == "release" \|\| FName == "retain")
		return BehaviorSummary::NoOp;
}		}

return false;		return None;

}		}

const RetainSummary *		const RetainSummary *
RetainSummaryManager::getUnarySummary(const FunctionType* FT,		RetainSummaryManager::getUnarySummary(const FunctionType* FT,
UnaryFuncKind func) {		UnaryFuncKind func) {

// Sanity check that this is really a unary function. This can		// Sanity check that this is really a unary function. This can
// happen if people do weird things.		// happen if people do weird things.
▲ Show 20 Lines • Show All 425 Lines • ▼ Show 20 Lines	CallEffects CallEffects::getEffect(const FunctionDecl *FD) {
const RetainSummary *S = M.getFunctionSummary(FD);		const RetainSummary *S = M.getFunctionSummary(FD);
CallEffects CE(S->getRetEffect());		CallEffects CE(S->getRetEffect());
unsigned N = FD->param_size();		unsigned N = FD->param_size();
for (unsigned i = 0; i < N; ++i) {		for (unsigned i = 0; i < N; ++i) {
CE.Args.push_back(S->getArg(i));		CE.Args.push_back(S->getArg(i));
}		}
return CE;		return CE;
}		}

		const RetainSummaryManager::BehaviorSummary
		RetainSummaryManager::BehaviorSummary::NoOp = {/Identity=/false,
		/IsNoop=/true,
		/IsNonZero=/false};

		const RetainSummaryManager::BehaviorSummary
		RetainSummaryManager::BehaviorSummary::Identity = {/Identity=/true,
		/IsNoop=/false,
		/IsNonZero=/false};

		const RetainSummaryManager::BehaviorSummary
		RetainSummaryManager::BehaviorSummary::IdentityNonZero = {
		/Identity=/true,
		/IsNoop=/false,
		/IsNonZero=/true};

clang/test/Analysis/osobject-retain-release.cpp

Show All 11 Lines
#define OSDynamicCast(type, inst) \		#define OSDynamicCast(type, inst) \
((type *) OSMetaClassBase::safeMetaCast((inst), OSTypeID(type)))		((type *) OSMetaClassBase::safeMetaCast((inst), OSTypeID(type)))

struct OSObject {		struct OSObject {
virtual void retain();		virtual void retain();
virtual void release() {};		virtual void release() {};
virtual ~OSObject(){}		virtual ~OSObject(){}

		unsigned int foo() { return 42; }

static OSObject *generateObject(int);		static OSObject *generateObject(int);

static const OSMetaClass * const metaClass;		static const OSMetaClass * const metaClass;
};		};

struct OSArray : public OSObject {		struct OSArray : public OSObject {
unsigned int getCount();		unsigned int getCount();

Show All 11 Lines	struct OSArray : public OSObject {
static const OSMetaClass * const metaClass;		static const OSMetaClass * const metaClass;
};		};

struct OtherStruct {		struct OtherStruct {
static void doNothingToArray(OSArray *array);		static void doNothingToArray(OSArray *array);
};		};

struct OSMetaClassBase {		struct OSMetaClassBase {
static OSObject safeMetaCast(const OSObject inst, const OSMetaClass *meta);		static OS_RETURNS_NOT_RETAINED OSObject safeMetaCast(const OSObject inst, const OSMetaClass *meta);
};		};

void check_no_invalidation() {		void check_no_invalidation() {
OSArray arr = OSArray::withCapacity(10); // expected-note{{Call to function 'withCapacity' returns an OSObject of type struct OSArray with a +1 retain count}}		OSArray arr = OSArray::withCapacity(10); // expected-note{{Call to function 'withCapacity' returns an OSObject of type struct OSArray with a +1 retain count}}
OtherStruct::doNothingToArray(arr);		OtherStruct::doNothingToArray(arr);
} // expected-warning{{Potential leak of an object stored into 'arr'}}		} // expected-warning{{Potential leak of an object stored into 'arr'}}
// expected-note@-1{{Object leaked}}		// expected-note@-1{{Object leaked}}

Show All 17 Lines
}		}


void check_dynamic_cast() {		void check_dynamic_cast() {
OSArray *arr = OSDynamicCast(OSArray, OSObject::generateObject(1));		OSArray *arr = OSDynamicCast(OSArray, OSObject::generateObject(1));
arr->release();		arr->release();
}		}

		unsigned int check_dynamic_cast_no_null(OSObject *obj) {
		OSArray *arr = OSDynamicCast(OSArray, obj);
		if (arr) {
		return arr->getCount();
		} else {

		// The fact that dynamic cast has failed should not imply that
		// the input object was null.
		return obj->foo(); // no-warning
		}
		}

void check_dynamic_cast_null_check() {		void check_dynamic_cast_null_check() {
OSArray *arr = OSDynamicCast(OSArray, OSObject::generateObject(1));		OSArray *arr = OSDynamicCast(OSArray, OSObject::generateObject(1));
if (!arr)		if (!arr)
return;		return;
arr->release();		arr->release();
}		}

void use_after_release() {		void use_after_release() {
▲ Show 20 Lines • Show All 84 Lines • Show Last 20 Lines