This is an archive of the discontinued LLVM Phabricator instance.

Differential D58108

[sanitizer]: fix warnings reported by SVACE static analyzer.
Needs ReviewPublic

Authored by drmtmych on Feb 12 2019, 1:09 AM.

Details

Reviewers
kcc
yuri
Summary

The warnings are:

  • lsan_thread.cc: return value of a function '__lsan::CurrentThreadContext' is dereferenced without checking.
  • sanitizer_libc.cc: casting a signed value which has type 'char' to a bigger unsigned integer type 'unsigned int' while initializing a variable.
  • sanitizer_libignore.cc: constructor may not initialize class members of '__sanitizer::LibIgnore'.
  • sanitizer_printf.cc: 'minimal_num_length' with type 'u8', is promoted to type 'int' 32b in 'minimal_num_length - pos', then sign-extended to type 'unsigned long' 64b.
  • sanitizer_symbolizer_posix_libcdep.cc: after having been compared to NULL value, pointer (...)->path is passed as 1st parameter in call to function '__sanitizer::LLVMSymbolizer::LLVMSymbolizer', where it is dereferenced.

Diff Detail

Event Timeline

drmtmych created this revision.Feb 12 2019, 1:09 AM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 12 2019, 1:09 AM
Herald added subscribers: Restricted Project, llvm-commits, jdoerfert and 7 others. · View Herald Transcript
dvyukov added inline comments.Feb 12 2019, 1:24 AM
lib/lsan/lsan_thread.cc
125

Please add a test that triggers NULL deref here. It worked all the time, so this must be some tricky corner case. It would be useful to have it captured in a test.

lib/sanitizer_common/sanitizer_libc.cc
118

c1 and c2 are compared with less below. It looks like this can change semantics. Is it intentional? How does it change semantics? Char can be either signed or unsigned, so result of this function will be implementation defined, which looks strange.

lib/sanitizer_common/sanitizer_libignore.cc
26

This breaks linker-initialized-ness. It looks like this makes correct code incorrect...

lib/sanitizer_common/sanitizer_printf.cc
65

What is the type of bug this warning finds? Does it find any true positives in this code base? Or is this a true positive? If yes, then please add a test.

lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cc
458

How can NULL path be passed to LLVMSymbolizer? I fail to see the exact scenario.

dvyukov removed a reviewer: dvyukov.Jul 15 2020, 11:51 PM
Herald added a subscriber: ASDenysPetrov. · View Herald TranscriptJul 15 2020, 11:51 PM

Revision Contents

Diff 186412

lib/lsan/lsan_thread.cc

Show First 20 LinesShow All 114 Lines▼ Show 20 Lines
} }
void ThreadJoin(u32 tid) { void ThreadJoin(u32 tid) {
CHECK_NE(tid, kInvalidTid); CHECK_NE(tid, kInvalidTid);
thread_registry->JoinThread(tid, /* arg */nullptr); thread_registry->JoinThread(tid, /* arg */nullptr);
} }
void EnsureMainThreadIDIsCorrect() { void EnsureMainThreadIDIsCorrect() {
if (GetCurrentThread() == 0) if (GetCurrentThread() == 0) {
CurrentThreadContext()->os_id = GetTid(); ThreadContext *tc = CurrentThreadContext();
if (tc) tc->os_id = GetTid();
dvyukovUnsubmitted
Not Done
ReplyInline Actions

Please add a test that triggers NULL deref here. It worked all the time, so this must be some tricky corner case. It would be useful to have it captured in a test.

dvyukov: Please add a test that triggers NULL deref here. It worked all the time, so this must be some…
}
} }
///// Interface to the common LSan module. ///// ///// Interface to the common LSan module. /////
bool GetThreadRangesLocked(tid_t os_id, uptr *stack_begin, uptr *stack_end, bool GetThreadRangesLocked(tid_t os_id, uptr *stack_begin, uptr *stack_end,
uptr *tls_begin, uptr *tls_end, uptr *cache_begin, uptr *tls_begin, uptr *tls_end, uptr *cache_begin,
uptr *cache_end, DTLS **dtls) { uptr *cache_end, DTLS **dtls) {
ThreadContext *context = static_cast<ThreadContext *>( ThreadContext *context = static_cast<ThreadContext *>(
Show All 30 Lines

lib/sanitizer_common/sanitizer_libc.cc

Show First 20 LinesShow All 108 Lines▼ Show 20 Lineschar* internal_strdup(const char *s) {
char *s2 = (char*)InternalAlloc(len + 1); char *s2 = (char*)InternalAlloc(len + 1);
internal_memcpy(s2, s, len); internal_memcpy(s2, s, len);
s2[len] = 0; s2[len] = 0;
return s2; return s2;
} }
int internal_strcmp(const char *s1, const char *s2) { int internal_strcmp(const char *s1, const char *s2) {
while (true) { while (true) {
unsigned c1 = *s1; char c1 = *s1;
unsigned c2 = *s2; char c2 = *s2;
dvyukovUnsubmitted
Not Done
ReplyInline Actions

c1 and c2 are compared with less below. It looks like this can change semantics. Is it intentional? How does it change semantics? Char can be either signed or unsigned, so result of this function will be implementation defined, which looks strange.

dvyukov: c1 and c2 are compared with less below. It looks like this can change semantics. Is it…
if (c1 != c2) return (c1 < c2) ? -1 : 1; if (c1 != c2) return (c1 < c2) ? -1 : 1;
if (c1 == 0) break; if (c1 == 0) break;
s1++; s1++;
s2++; s2++;
} }
return 0; return 0;
} }
int internal_strncmp(const char *s1, const char *s2, uptr n) { int internal_strncmp(const char *s1, const char *s2, uptr n) {
for (uptr i = 0; i < n; i++) { for (uptr i = 0; i < n; i++) {
unsigned c1 = *s1; char c1 = *s1;
unsigned c2 = *s2; char c2 = *s2;
if (c1 != c2) return (c1 < c2) ? -1 : 1; if (c1 != c2) return (c1 < c2) ? -1 : 1;
if (c1 == 0) break; if (c1 == 0) break;
s1++; s1++;
s2++; s2++;
} }
return 0; return 0;
} }
▲ Show 20 LinesShow All 141 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_libignore.cc

Show All 12 Lines
#include "sanitizer_libignore.h" #include "sanitizer_libignore.h"
#include "sanitizer_flags.h" #include "sanitizer_flags.h"
#include "sanitizer_posix.h" #include "sanitizer_posix.h"
#include "sanitizer_procmaps.h" #include "sanitizer_procmaps.h"
namespace __sanitizer { namespace __sanitizer {
LibIgnore::LibIgnore(LinkerInitialized) { LibIgnore::LibIgnore(LinkerInitialized)
: mutex_(), count_(0),
track_instrumented_libs_(false) {
atomic_store_relaxed(&ignored_ranges_count_, 0);
atomic_store_relaxed(&instrumented_ranges_count_, 0);
internal_memset(ignored_code_ranges_, 0, sizeof(ignored_code_ranges_));
dvyukovUnsubmitted
Not Done
ReplyInline Actions

This breaks linker-initialized-ness. It looks like this makes correct code incorrect...

dvyukov: This breaks linker-initialized-ness. It looks like this makes correct code incorrect...
internal_memset(instrumented_code_ranges_, 0,
sizeof(instrumented_code_ranges_));
internal_memset(libs_, 0, sizeof(libs_));
} }
void LibIgnore::AddIgnoredLibrary(const char *name_templ) { void LibIgnore::AddIgnoredLibrary(const char *name_templ) {
BlockingMutexLock lock(&mutex_); BlockingMutexLock lock(&mutex_);
if (count_ >= kMaxLibs) { if (count_ >= kMaxLibs) {
Report("%s: too many ignored libraries (max: %d)\n", SanitizerToolName, Report("%s: too many ignored libraries (max: %d)\n", SanitizerToolName,
kMaxLibs); kMaxLibs);
Die(); Die();
▲ Show 20 LinesShow All 100 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_printf.cc

Show First 20 LinesShow All 55 Lines▼ Show 20 Linesstatic int AppendNumber(char **buff, const char *buff_end, u64 absolute_value,
do { do {
RAW_CHECK_MSG((uptr)pos < kMaxLen, "AppendNumber buffer overflow"); RAW_CHECK_MSG((uptr)pos < kMaxLen, "AppendNumber buffer overflow");
num_buffer[pos++] = absolute_value % base; num_buffer[pos++] = absolute_value % base;
absolute_value /= base; absolute_value /= base;
} while (absolute_value > 0); } while (absolute_value > 0);
if (pos < minimal_num_length) { if (pos < minimal_num_length) {
// Make sure compiler doesn't insert call to memset here. // Make sure compiler doesn't insert call to memset here.
internal_memset(&num_buffer[pos], 0, internal_memset(&num_buffer[pos], 0,
sizeof(num_buffer[0]) * (minimal_num_length - pos)); sizeof(num_buffer[0]) *
((u64)minimal_num_length - (u64)pos));
dvyukovUnsubmitted
Not Done
ReplyInline Actions

What is the type of bug this warning finds? Does it find any true positives in this code base? Or is this a true positive? If yes, then please add a test.

dvyukov: What is the type of bug this warning finds? Does it find any true positives in this code base?
pos = minimal_num_length; pos = minimal_num_length;
} }
RAW_CHECK(pos > 0); RAW_CHECK(pos > 0);
pos--; pos--;
for (; pos >= 0 && num_buffer[pos] == 0; pos--) { for (; pos >= 0 && num_buffer[pos] == 0; pos--) {
char c = (pad_with_zero || pos == 0) ? '0' : ' '; char c = (pad_with_zero || pos == 0) ? '0' : ' ';
result += AppendChar(buff, buff_end, c); result += AppendChar(buff, buff_end, c);
} }
▲ Show 20 LinesShow All 286 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cc

Show First 20 LinesShow All 442 Lines▼ Show 20 Lines
const char *Symbolizer::PlatformDemangle(const char *name) { const char *Symbolizer::PlatformDemangle(const char *name) {
return DemangleSwiftAndCXX(name); return DemangleSwiftAndCXX(name);
} }
static SymbolizerTool *ChooseExternalSymbolizer(LowLevelAllocator *allocator) { static SymbolizerTool *ChooseExternalSymbolizer(LowLevelAllocator *allocator) {
const char *path = common_flags()->external_symbolizer_path; const char *path = common_flags()->external_symbolizer_path;
const char *binary_name = path ? StripModuleName(path) : ""; const char *binary_name = path ? StripModuleName(path) : "";
if (path && path[0] == '\0') {
if (path) {
if (path[0] == '\0') {
VReport(2, "External symbolizer is explicitly disabled.\n"); VReport(2, "External symbolizer is explicitly disabled.\n");
return nullptr; return nullptr;
} else if (!internal_strcmp(binary_name, "llvm-symbolizer")) { } else if (!internal_strcmp(binary_name, "llvm-symbolizer")) {
VReport(2, "Using llvm-symbolizer at user-specified path: %s\n", path); VReport(2, "Using llvm-symbolizer at user-specified path: %s\n", path);
return new(*allocator) LLVMSymbolizer(path, allocator); return new(*allocator) LLVMSymbolizer(path, allocator);
dvyukovUnsubmitted
Not Done
ReplyInline Actions

How can NULL path be passed to LLVMSymbolizer? I fail to see the exact scenario.

dvyukov: How can NULL path be passed to LLVMSymbolizer? I fail to see the exact scenario.
} else if (!internal_strcmp(binary_name, "atos")) { } else if (!internal_strcmp(binary_name, "atos")) {
#if SANITIZER_MAC #if SANITIZER_MAC
VReport(2, "Using atos at user-specified path: %s\n", path); VReport(2, "Using atos at user-specified path: %s\n", path);
return new(*allocator) AtosSymbolizer(path, allocator); return new(*allocator) AtosSymbolizer(path, allocator);
#else // SANITIZER_MAC #else // SANITIZER_MAC
Report("ERROR: Using `atos` is only supported on Darwin.\n"); Report("ERROR: Using `atos` is only supported on Darwin.\n");
Die(); Die();
#endif // SANITIZER_MAC #endif // SANITIZER_MAC
} else if (!internal_strcmp(binary_name, "addr2line")) { } else if (!internal_strcmp(binary_name, "addr2line")) {
VReport(2, "Using addr2line at user-specified path: %s\n", path); VReport(2, "Using addr2line at user-specified path: %s\n", path);
return new(*allocator) Addr2LinePool(path, allocator); return new(*allocator) Addr2LinePool(path, allocator);
} else if (path) { } else {
Report("ERROR: External symbolizer path is set to '%s' which isn't " Report("ERROR: External symbolizer path is set to '%s' which isn't "
"a known symbolizer. Please set the path to the llvm-symbolizer " "a known symbolizer. Please set the path to the llvm-symbolizer "
"binary or other known tool.\n", path); "binary or other known tool.\n", path);
Die(); Die();
} }
}
// Otherwise symbolizer program is unknown, let's search $PATH // Otherwise symbolizer program is unknown, let's search $PATH
CHECK(path == nullptr); CHECK(path == nullptr);
#if SANITIZER_MAC #if SANITIZER_MAC
if (const char *found_path = FindPathToBinary("atos")) { if (const char *found_path = FindPathToBinary("atos")) {
VReport(2, "Using atos found at: %s\n", found_path); VReport(2, "Using atos found at: %s\n", found_path);
return new(*allocator) AtosSymbolizer(found_path, allocator); return new(*allocator) AtosSymbolizer(found_path, allocator);
} }
▲ Show 20 LinesShow All 58 LinesShow Last 20 Lines