This is an archive of the discontinued LLVM Phabricator instance.

Differential D53902

RetainCountChecker: for now, do not trust the summaries of inlined code
ClosedPublic

Authored by george.karpenkov on Oct 30 2018, 3:03 PM.

Details

Reviewers
dcoughlin
NoQ
Commits
rG6fd5c86d9805: [analyzer] RetainCountChecker: for now, do not trust the summaries of inlined…
rL345746: [analyzer] RetainCountChecker: for now, do not trust the summaries of inlined…
rC345746: [analyzer] RetainCountChecker: for now, do not trust the summaries of inlined…
Summary

Trusting summaries of inlined code would require a more thorough work,
as the current approach was causing too many false positives, as the new example in test.
The culprit lies in the fact that we currently escape all variables written into a field (but not passed off to unknown functions!), which can result in inconsistent behavior.

rdar://45655344

Diff Detail

Repository
rC Clang

Event Timeline

george.karpenkov created this revision.Oct 30 2018, 3:03 PM
Herald added a subscriber: JDevlieghere. · View Herald TranscriptOct 30 2018, 3:03 PM
george.karpenkov updated this revision to Diff 171816.Oct 30 2018, 3:09 PM
NoQ accepted this revision.Oct 30 2018, 3:11 PM

Oh well. I guess it was worth a try :)

This revision is now accepted and ready to land.Oct 30 2018, 3:11 PM
Closed by commit rC345746: [analyzer] RetainCountChecker: for now, do not trust the summaries of inlined… (authored by george.karpenkov). · Explain WhyOct 31 2018, 10:41 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: cfe-commits. · View Herald TranscriptOct 31 2018, 10:41 AM
NoQ mentioned this in D18860: [analyzer] Fix the "Zombie symbols" issue..Nov 13 2018, 1:34 PM

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
RetainCountChecker/
12 lines
Core/
9 lines
test/
Analysis/
62 lines

Diff 171964

lib/StaticAnalyzer/Checkers/RetainCountChecker/RetainCountChecker.cpp

Show First 20 LinesShow All 414 Lines▼ Show 20 Lines if (SymbolRef Sym = MsgInvocation->getReceiverSVal().getAsLocSymbol()) {
} }
} }
} }
// Consult the summary for the return value. // Consult the summary for the return value.
RetEffect RE = Summ.getRetEffect(); RetEffect RE = Summ.getRetEffect();
if (SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol()) { if (SymbolRef Sym = CallOrMsg.getReturnValue().getAsSymbol()) {
if (const auto *MCall = dyn_cast<CXXMemberCall>(&CallOrMsg)) {
if (Optional<RefVal> updatedRefVal =
refValFromRetEffect(RE, MCall->getResultType())) {
state = setRefBinding(state, Sym, *updatedRefVal);
}
}
if (RE.getKind() == RetEffect::NoRetHard) if (RE.getKind() == RetEffect::NoRetHard)
state = removeRefBinding(state, Sym); state = removeRefBinding(state, Sym);
} }
C.addTransition(state); C.addTransition(state);
} }
static ProgramStateRef updateOutParameter(ProgramStateRef State, static ProgramStateRef updateOutParameter(ProgramStateRef State,
▲ Show 20 LinesShow All 660 Lines▼ Show 20 LinesRetainCountChecker::checkRegionChanges(ProgramStateRef state,
llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols; llvm::SmallPtrSet<SymbolRef, 8> WhitelistedSymbols;
for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(), for (ArrayRef<const MemRegion *>::iterator I = ExplicitRegions.begin(),
E = ExplicitRegions.end(); I != E; ++I) { E = ExplicitRegions.end(); I != E; ++I) {
if (const SymbolicRegion *SR = (*I)->StripCasts()->getAs<SymbolicRegion>()) if (const SymbolicRegion *SR = (*I)->StripCasts()->getAs<SymbolicRegion>())
WhitelistedSymbols.insert(SR->getSymbol()); WhitelistedSymbols.insert(SR->getSymbol());
} }
for (InvalidatedSymbols::const_iterator I=invalidated->begin(), for (SymbolRef sym :
E = invalidated->end(); I!=E; ++I) { llvm::make_range(invalidated->begin(), invalidated->end())) {
SymbolRef sym = *I;
if (WhitelistedSymbols.count(sym)) if (WhitelistedSymbols.count(sym))
continue; continue;
// Remove any existing reference-count binding. // Remove any existing reference-count binding.
state = removeRefBinding(state, sym); state = removeRefBinding(state, sym);
} }
return state; return state;
} }
▲ Show 20 LinesShow All 289 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/RetainSummaryManager.cpp

Show First 20 LinesShow All 95 Lines▼ Show 20 Lines
/// A function is OSObject related if it is declared on a subclass /// A function is OSObject related if it is declared on a subclass
/// of OSObject, or any of the parameters is a subclass of an OSObject. /// of OSObject, or any of the parameters is a subclass of an OSObject.
static bool isOSObjectRelated(const CXXMethodDecl *MD) { static bool isOSObjectRelated(const CXXMethodDecl *MD) {
if (isOSObjectSubclass(MD->getParent())) if (isOSObjectSubclass(MD->getParent()))
return true; return true;
for (ParmVarDecl *Param : MD->parameters()) { for (ParmVarDecl *Param : MD->parameters()) {
QualType PT = Param->getType(); QualType PT = Param->getType()->getPointeeType();
if (CXXRecordDecl *RD = PT->getPointeeType()->getAsCXXRecordDecl()) if (!PT.isNull())
if (CXXRecordDecl *RD = PT->getAsCXXRecordDecl())
if (isOSObjectSubclass(RD)) if (isOSObjectSubclass(RD))
return true; return true;
} }
return false; return false;
} }
const RetainSummary * const RetainSummary *
RetainSummaryManager::generateSummary(const FunctionDecl *FD, RetainSummaryManager::generateSummary(const FunctionDecl *FD,
bool &AllowAnnotations) { bool &AllowAnnotations) {
▲ Show 20 LinesShow All 896 LinesShow Last 20 Lines

test/Analysis/osobject-retain-release.cpp

// RUN: %clang_analyze_cc1 -analyze -analyzer-checker=core,osx.cocoa.RetainCount -analyzer-output=text -verify %s // RUN: %clang_analyze_cc1 -analyze -analyzer-checker=core,osx.cocoa.RetainCount -analyzer-output=text -verify %s
struct OSMetaClass; struct OSMetaClass;
#define TRUSTED __attribute__((annotate("rc_ownership_trusted_implementation"))) #define OS_CONSUME __attribute__((annotate("rc_ownership_consumed")))
#define OS_CONSUME TRUSTED __attribute__((annotate("rc_ownership_consumed"))) #define OS_RETURNS_RETAINED __attribute__((annotate("rc_ownership_returns_retained")))
#define OS_RETURNS_RETAINED TRUSTED __attribute__((annotate("rc_ownership_returns_retained"))) #define OS_RETURNS_NOT_RETAINED __attribute__((annotate("rc_ownership_returns_not_retained")))
#define OS_RETURNS_NOT_RETAINED TRUSTED __attribute__((annotate("rc_ownership_returns_not_retained")))
#define OSTypeID(type) (type::metaClass) #define OSTypeID(type) (type::metaClass)
#define OSDynamicCast(type, inst) \ #define OSDynamicCast(type, inst) \
((type *) OSMetaClassBase::safeMetaCast((inst), OSTypeID(type))) ((type *) OSMetaClassBase::safeMetaCast((inst), OSTypeID(type)))
struct OSObject { struct OSObject {
virtual void retain(); virtual void retain();
Show All 40 Linesvoid check_no_invalidation() {
// expected-note@-1{{Object leaked}} // expected-note@-1{{Object leaked}}
void check_no_invalidation_other_struct() { void check_no_invalidation_other_struct() {
OSArray *arr = OSArray::withCapacity(10); // expected-note{{Call to function 'withCapacity' returns an OSObject of type struct OSArray * with a +1 retain count}} OSArray *arr = OSArray::withCapacity(10); // expected-note{{Call to function 'withCapacity' returns an OSObject of type struct OSArray * with a +1 retain count}}
OtherStruct other(arr); // expected-warning{{Potential leak}} OtherStruct other(arr); // expected-warning{{Potential leak}}
// expected-note@-1{{Object leaked}} // expected-note@-1{{Object leaked}}
} }
struct ArrayOwner : public OSObject {
OSArray *arr;
ArrayOwner(OSArray *arr) : arr(arr) {}
static ArrayOwner* create(OSArray *arr) {
return new ArrayOwner(arr);
}
OSArray *getArray() {
return arr;
}
OSArray *createArray() {
return OSArray::withCapacity(10);
}
OSArray *createArraySourceUnknown();
OSArray *getArraySourceUnknown();
};
void check_confusing_getters() {
OSArray *arr = OSArray::withCapacity(10);
ArrayOwner *AO = ArrayOwner::create(arr);
AO->getArray();
AO->release();
arr->release();
}
void check_rc_consumed() { void check_rc_consumed() {
OSArray *arr = OSArray::withCapacity(10); OSArray *arr = OSArray::withCapacity(10);
OSArray::consumeArray(arr); OSArray::consumeArray(arr);
} }
void check_rc_consume_temporary() { void check_rc_consume_temporary() {
OSArray::consumeArray(OSArray::withCapacity(10)); OSArray::consumeArray(OSArray::withCapacity(10));
} }
▲ Show 20 LinesShow All 62 Lines▼ Show 20 Lines
void proper_cleanup() { void proper_cleanup() {
OSArray *arr = OSArray::withCapacity(10); // +1 OSArray *arr = OSArray::withCapacity(10); // +1
arr->retain(); // +2 arr->retain(); // +2
arr->release(); // +1 arr->release(); // +1
arr->getCount(); arr->getCount();
arr->release(); // 0 arr->release(); // 0
} }
struct ArrayOwner {
OSArray *arr;
OSArray *getArray() {
return arr;
}
OSArray *createArray() {
return OSArray::withCapacity(10);
}
OSArray *createArraySourceUnknown();
OSArray *getArraySourceUnknown();
};
unsigned int no_warning_on_getter(ArrayOwner *owner) { unsigned int no_warning_on_getter(ArrayOwner *owner) {
OSArray *arr = owner->getArray(); OSArray *arr = owner->getArray();
return arr->getCount(); return arr->getCount();
} }
unsigned int warn_on_overrelease(ArrayOwner *owner) { unsigned int warn_on_overrelease(ArrayOwner *owner) {
OSArray *arr = owner->getArray(); // expected-note{{function call returns an OSObject of type struct OSArray * with a +0 retain count}} // FIXME: summaries are not applied in case the source of the getter/setter
arr->release(); // expected-warning{{Incorrect decrement of the reference count of an object that is not owned at this point by the caller}} // is known.
// expected-note@-1{{Incorrect decrement of the reference count of an object that is not owned at this point by the caller}} // rdar://45681203
OSArray *arr = owner->getArray();
arr->release();
return arr->getCount(); return arr->getCount();
} }
unsigned int nowarn_on_release_of_created(ArrayOwner *owner) { unsigned int nowarn_on_release_of_created(ArrayOwner *owner) {
OSArray *arr = owner->createArray(); OSArray *arr = owner->createArray();
unsigned int out = arr->getCount(); unsigned int out = arr->getCount();
arr->release(); arr->release();
return out; return out;
Show All 29 Lines