This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
cfe/trunk/
-
trunk/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
MIGChecker.cpp
-
test/Analysis/
-
Analysis/
-
mig.mm

Differential D58392

[analyzer] MIGChecker: Fix false negatives for releases in automatic destructors.
ClosedPublic

Authored by NoQ on Feb 19 2019, 10:47 AM.

Download Raw Diff

Details

Reviewers

dcoughlin

Commits

rG10dd12360934: [analyzer] MIGChecker: Fix an FN when the object is released in a destructor.
rC354642: [analyzer] MIGChecker: Fix an FN when the object is released in a destructor.
rL354642: [analyzer] MIGChecker: Fix an FN when the object is released in a destructor.

Summary

The problem that was fixed in D25326 for inlined functions keeps biting us for the top-level functions as well. Namely, i had to use check::PreStmt<ReturnStmt> rather than check::EndFunction in D57558 because in the basic_test test the paths get merged before invoking the check::EndFunction callback, which makes it impossible to recover the return value (which never gets stored in the Environment because it's, well, a literal). I don't have an immediate fix for the whole overall problem, so for now, as a hack, check::PreStmt<ReturnStmt> keeps being used.

However, the problem with check::PreStmt<ReturnStmt> is that automatic destructors for function-local variables are not yet evaluated when this callback is invoked. This causes false negatives in MIGChecker: if memory is released in an automatic destructor and then an error code is returned, the bug is not found because the Static Analyzer evalues the destructor *after* the pre-return. Arguably, this may also be treated as a bug, depending on what does the "Pre" in PreStmt<ReturnStmt> stand for.

But regardless, for now it seems that we'd have to subscribe on both callbacks.

Diff Detail

Repository: rL LLVM

Event Timeline

NoQ created this revision.Feb 19 2019, 10:47 AM

Herald added a project: Restricted Project. · View Herald TranscriptFeb 19 2019, 10:47 AM

Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald Transcript

NoQ added a parent revision: D58368: [analyzer] MIGChecker: Implement bug reporter visitors..Feb 19 2019, 10:47 AM

NoQ edited the summary of this revision. (Show Details)Feb 19 2019, 10:57 AM

NoQ added a child revision: D58397: [analyzer] MIGChecker: Pour more data into the checker..Feb 19 2019, 11:23 AM

Rebase.

Oh, interesting. I'm glad you thought of this!

This revision is now accepted and ready to land.Feb 19 2019, 9:07 PM

Rebase.

Closed by commit rL354642: [analyzer] MIGChecker: Fix an FN when the object is released in a destructor. (authored by NoQ). · Explain WhyFeb 21 2019, 4:13 PM

This revision was automatically updated to reflect the committed changes.

Herald added a project: Restricted Project. · View Herald TranscriptFeb 21 2019, 4:13 PM

Herald added a subscriber: llvm-commits. · View Herald Transcript

Revision Contents

Path

Size

cfe/

trunk/

lib/

StaticAnalyzer/

Checkers/

MIGChecker.cpp

21 lines

test/

Analysis/

mig.mm

25 lines

Diff 187886

cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp

Show All 26 Lines
#include "clang/StaticAnalyzer/Core/CheckerManager.h"		#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

using namespace clang;		using namespace clang;
using namespace ento;		using namespace ento;

namespace {		namespace {
class MIGChecker : public Checker<check::PostCall, check::PreStmt<ReturnStmt>> {		class MIGChecker : public Checker<check::PostCall, check::PreStmt<ReturnStmt>,
		check::EndFunction> {
BugType BT{this, "Use-after-free (MIG calling convention violation)",		BugType BT{this, "Use-after-free (MIG calling convention violation)",
categories::MemoryError};		categories::MemoryError};

CallDescription vm_deallocate { "vm_deallocate", 3 };		CallDescription vm_deallocate { "vm_deallocate", 3 };

		void checkReturnAux(const ReturnStmt *RS, CheckerContext &C) const;

public:		public:
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;		void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
		// HACK: We're making two attempts to find the bug: checkEndFunction
		// should normally be enough but it fails when the return value is a literal
		// that never gets put into the Environment and ends of function with multiple
		// returns get agglutinated across returns, preventing us from obtaining
		// the return value. The problem is similar to https://reviews.llvm.org/D25326
		// but now we step into it in the top-level function.
		void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const {
		checkReturnAux(RS, C);
		}
		void checkEndFunction(const ReturnStmt *RS, CheckerContext &C) const {
		checkReturnAux(RS, C);
		}

class Visitor : public BugReporterVisitor {		class Visitor : public BugReporterVisitor {
public:		public:
void Profile(llvm::FoldingSetNodeID &ID) const {		void Profile(llvm::FoldingSetNodeID &ID) const {
static int X = 0;		static int X = 0;
ID.AddPointer(&X);		ID.AddPointer(&X);
}		}

▲ Show 20 Lines • Show All 83 Lines • ▼ Show 20 Lines	void MIGChecker::checkPostCall(const CallEvent &Call, CheckerContext &C) const {
SVal Arg = Call.getArgSVal(1);		SVal Arg = Call.getArgSVal(1);
const ParmVarDecl *PVD = getOriginParam(Arg, C);		const ParmVarDecl *PVD = getOriginParam(Arg, C);
if (!PVD)		if (!PVD)
return;		return;

C.addTransition(C.getState()->set<ReleasedParameter>(PVD));		C.addTransition(C.getState()->set<ReleasedParameter>(PVD));
}		}

void MIGChecker::checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const {		void MIGChecker::checkReturnAux(const ReturnStmt *RS, CheckerContext &C) const {
// It is very unlikely that a MIG callback will be called from anywhere		// It is very unlikely that a MIG callback will be called from anywhere
// within the project under analysis and the caller isn't itself a routine		// within the project under analysis and the caller isn't itself a routine
// that follows the MIG calling convention. Therefore we're safe to believe		// that follows the MIG calling convention. Therefore we're safe to believe
// that it's always the top frame that is of interest. There's a slight chance		// that it's always the top frame that is of interest. There's a slight chance
// that the user would want to enforce the MIG calling convention upon		// that the user would want to enforce the MIG calling convention upon
// a random routine in the middle of nowhere, but given that the convention is		// a random routine in the middle of nowhere, but given that the convention is
// fairly weird and hard to follow in the first place, there's relatively		// fairly weird and hard to follow in the first place, there's relatively
// little motivation to spread it this way.		// little motivation to spread it this way.
▲ Show 20 Lines • Show All 43 Lines • Show Last 20 Lines

cfe/trunk/test/Analysis/mig.mm

	Show First 20 Lines • Show All 50 Lines • ▼ Show 20 Lines
	kern_return_t release_twice(mach_port_name_t port, vm_address_t addr1, vm_address_t addr2, vm_size_t size) {			kern_return_t release_twice(mach_port_name_t port, vm_address_t addr1, vm_address_t addr2, vm_size_t size) {
	kern_return_t ret = KERN_ERROR; // expected-note{{'ret' initialized to 1}}			kern_return_t ret = KERN_ERROR; // expected-note{{'ret' initialized to 1}}
	vm_deallocate(port, addr1, size); // expected-note{{Value passed through parameter 'addr1' is deallocated}}			vm_deallocate(port, addr1, size); // expected-note{{Value passed through parameter 'addr1' is deallocated}}
	vm_deallocate(port, addr2, size); // expected-note{{Value passed through parameter 'addr2' is deallocated}}			vm_deallocate(port, addr2, size); // expected-note{{Value passed through parameter 'addr2' is deallocated}}
	return ret; // expected-warning{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}			return ret; // expected-warning{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
	// expected-note@-1{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}			// expected-note@-1{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
	}			}

				// Make sure we find the bug when the object is destroyed within an
				// automatic destructor.
				MIG_SERVER_ROUTINE
				kern_return_t test_vm_deallocate_in_automatic_dtor(mach_port_name_t port, vm_address_t address, vm_size_t size) {
				struct WillDeallocate {
				mach_port_name_t port;
				vm_address_t address;
				vm_size_t size;
				~WillDeallocate() {
				vm_deallocate(port, address, size); // expected-note{{Value passed through parameter 'address' is deallocated}}
				}
				} will_deallocate{port, address, size};

				if (size > 10) {
				// expected-note@-1{{Assuming 'size' is > 10}}
				// expected-note@-2{{Taking true branch}}
				return KERN_ERROR;
				// expected-note@-1{{Calling '~WillDeallocate'}}
				// expected-note@-2{{Returning from '~WillDeallocate'}}
				// expected-warning@-3{{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
				// expected-note@-4 {{MIG callback fails with error after deallocating argument value. This is a use-after-free vulnerability because the caller will try to deallocate it again}}
				}
				return KERN_SUCCESS;
				}

	// Check that we work on Objective-C messages and blocks.			// Check that we work on Objective-C messages and blocks.
	@interface I			@interface I
	- (kern_return_t)fooAtPort:(mach_port_name_t)port withAddress:(vm_address_t)address ofSize:(vm_size_t)size;			- (kern_return_t)fooAtPort:(mach_port_name_t)port withAddress:(vm_address_t)address ofSize:(vm_size_t)size;
	@end			@end

	@implementation I			@implementation I
	- (kern_return_t)fooAtPort:(mach_port_name_t)port			- (kern_return_t)fooAtPort:(mach_port_name_t)port
	withAddress:(vm_address_t)address			withAddress:(vm_address_t)address
	Show All 34 Lines