This is an archive of the discontinued LLVM Phabricator instance.

Differential D6178

[Review request][analyzer] Duplicate '0 size allocation' check from unix.API in unix.Malloc.
Needs ReviewPublic

Authored by ayartsev on Nov 7 2014, 4:11 PM.

Details

Reviewers
zaks.anna
Summary

This duplication was motivated by the following:

  • FIXME from unix.API stating "Eventually these should be rolled into the MallocChecker, but right now they're more basic and valuable for widespread use."
  • an idea to extend the check to handle zero size allocation by 'new' and 'new[]' in the sequel.
  • create the base for implementation of undefbehavior.ZeroAllocDereference checker.

The patch is a scratch, may it make sense to make '0 size allocation' the separate checker to at least preserve handling of zero-size realloc unchanged.

I suggest the following logic for handling zero-size realloc:

  1. if the returned value of realloc(p, 0) is not assigned then silently treat it as simple 'free' (the old behavior of unix.Malloc)
  2. if the returned value is assigned then fire '0 size allocation' warning as the usage of the returned pointer is not safe.

Specification C11 n1570, 7.22.3.1 says: "If the size of the space requested is zero, the behavior is implementation-defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object."
Usage of the returned pointer is planned to be a matter of other checkers (undefbehavior.ZeroAllocDereference + maybe another checker that checks for usage of returned pointer in comparisons)

Please review!

Diff Detail

Event Timeline

ayartsev updated this revision to Diff 15940.Nov 7 2014, 4:11 PM
ayartsev retitled this revision from to [Review request][analyzer] Duplicate '0 size allocation' check from unix.API in unix.Malloc..
ayartsev updated this object.
ayartsev edited the test plan for this revision. (Show Details)
ayartsev added a reviewer: jordan_rose.
ayartsev added subscribers: Unknown Object (MLST), zaks.anna, krememek.
zaks.anna added a comment.Nov 7 2014, 10:54 PM

Hi Anton,

Looks like the right direction. See a few comments throughout the code.

How do you plan on staging this? The current patch cannot be committed as is for the following 2 reasons:

  • Some warnings will be duplicated since we warn here and in the unix.api check.
  • We should not warn on realloc(p,0).

The proposed treatment of realloc seems fine to me. Maybe you could just start with skipping the warning on realloc to stage the commits. What do you think?

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
222–226

Ho about BT_MallocZero -> BT_ZerroAllocation ?

259

Please, add oxygen comment for this and "CheckCallocZero".

261

I'd rename "SizeArg" to make it more clear it's the allocation size; for example, something like "AllocationSizeArg".

819

This comment is probably copied from the unix.api checker, where it tells which APIs are being processed below. It feels out of place here.

825

TalseState -> FalseState

Are the True and False states backwards? I would expect TrueState to mean zero allocation; but by looking at the return it seems that it's the opposite..

836

Does -> Performs

"most of the bellow"? where below?

Missing "."

847

Does it make sense to pass an extra argument just for sanity check?

868

Why is CheckCallocZero different from BasicAllocationCheck? (I feel like I am missing something..)

1502

Please, use more descriptive state name.

test/Analysis/malloc.c
932

Could you add a couple of more interesting zero allocation tests (where we are not dealing with zero constant).

Theoretically, the inlined defensive checks could be a problem here, right?
(This is where the value is assumed to be zero by an inlined function, but known not be be zero in a caller.)

ayartsev updated this revision to Diff 17135.Dec 10 2014, 6:11 PM
ayartsev edited reviewers, added: zaks.anna; removed: jordan_rose.
ayartsev edited subscribers, added: jordan_rose; removed: zaks.anna.

Addressed the comments, updated the patch, please review!

ayartsev added a comment.Dec 10 2014, 6:17 PM

Updated the patch.

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
825

Inverted.

847

Removed.

868

Hm, really. Removed CheckCallocZero, added two calls to BasicAllocationCheck instead.

test/Analysis/malloc.c
932

Added a path-sensitive test (testMallocPathZero) and an additional tests for 'calloc' (testCalloc1Unknown2Zero - covers the case when the first parameter to 'calloc' is an UnknownVal).

Yes, but only with 'suppress-inlined-defensive-checks=false' given to analyzer.

ayartsev added a comment.Dec 17 2014, 12:30 PM

Ping!

zaks.anna edited edge metadata.Dec 28 2014, 12:17 PM

Hi Anton,

Thanks for the updated patch!

"Yes, but only with 'suppress-inlined-defensive-checks=false' given to analyzer."
Have you added a test to make sure that is the case? (If yes, what's the function name. I could not easily find it.) It would be similar to the path-sensitive check you've added but the check against '0' would be done in an inlined function.

Looks like you've removed the checks from the unix checker along with the tests. Can you add the tests back? I suggest adding your checker to the test file that contains the existing tests and check that it produces the same exact output. (If there are differences, I'd like to see what they are.) We can later remove the redundant tests as a separate commit.

/*
TODO: Will be uncommented when 'realloc' is handled properly (see D6178 for
details).
void testReallocZero(char *ptr) {

char *foo = realloc(ptr, 0); // TODO:expected-warning{{Call to 'realloc()' has an allocation size of 0 bytes}}
free(foo);

}
*/

  1. We should not use "/*" for comments.
  2. Why should we warn in this case? It is possible that someone is trying to free the memory by calling "realloc(ptr, 0)".. Or are you saying that if literal '0' is passed we should warn? This could potentially introduce false positives..
ayartsev updated this revision to Diff 17662.Dec 28 2014, 6:28 PM
ayartsev edited edge metadata.

"Have you added a test to make sure that is the case? (If yes, what's the function name. I could not easily find it.) It would be similar to the path-sensitive check you've added but the check against '0' would be done in an inlined function."
Done, 'void testMallocIdc(int i)' added.

"Looks like you've removed the checks from the unix checker along with the tests. Can you add the tests back? I suggest adding your checker to the test file that contains the existing tests and check that it produces the same exact output."
Done.

"char *foo = realloc(ptr, 0); // TODO:expected-warning{{Call to 'realloc()' has an allocation size of 0 bytes}}
Why should we warn in this case? It is possible that someone is trying to free the memory by calling "realloc(ptr, 0)"
It is unsafe to use the value returned from an allocation function that was asked for a zero-allocation ( C11 n1570, 7.22.3.1 ).
I changed the checkers behavior to those we've discussed above:

  1. if the returned value of realloc(p, 0) is not assigned then silently treat it as simple 'free' (the old behavior of unix.Malloc)
  2. if the returned value is assigned then fire '0 size allocation' warning as the usage of the returned pointer is not safe.

Additional changes in the new patch:

  • renamed 'BasicAllocationCheck' to 'ZeroAllocationCheck' (MallocChecker.cpp)
  • cut old zero-allocation tests that depended on the memory returned from zero-realloc:
  • reallocSizeZero1(), reallocSizeZero2() - tested specific case when we try to free memory that was already freed by zero-realloc, in the case when reallocation failed.
  • reallocSizeZero3, reallocSizeZero4, reallocSizeZero5 - tested that we don't track memory returned from zero-allocated realloc().

If the patch gets in as is all this tests will produce 'zero-size allocation warning' at the point 'char *r = realloc(p, 0);'
There is no need to modify an old code that handles 'realloc', all the code is still in use. Nothing special is done to stop tracking memory returned from zero-realloc, in case of zero-realloc we just return from the function that handles 'realloc' (MallocChecker::ReallocMem()) before the code that allocates memory and processes the return value.

Quuxplusone added a subscriber: Quuxplusone.Dec 28 2014, 7:22 PM
Quuxplusone added inline comments.
lib/StaticAnalyzer/Checkers/MallocChecker.cpp
222

This should presumably be "Zero", not "Zerro".

test/Analysis/malloc-annotations.c
51

FWIW, this maybe should give the same warning as realloc(p,1); on a line by itself: namely, because the returned pointer is never freed, this code has a memory leak on implementations where realloc(p,0) returns a non-null pointer.

If the returned pointer is captured (q = realloc(p,0);) and later freed (free(q);), there is no bug. It's not unsafe to use the return value of realloc; it's perfectly safe and well-defined. The only implementation-defined aspect of realloc is whether the returned pointer is null or not. Either way, *using* the returned pointer is fine — it's not like using a freed pointer, which is indeed undefined behavior.

ayartsev added inline comments.Dec 28 2014, 8:36 PM
lib/StaticAnalyzer/Checkers/MallocChecker.cpp
222

Thanks!

test/Analysis/malloc-annotations.c
51

FWIW, this maybe should give the same warning as realloc(p,1); on a line by itself: namely, because the returned pointer is never freed, this code has a memory leak on implementations where realloc(p,0) returns a non-null pointer.
Agree.

It's not unsafe to use the return value of realloc; it's perfectly safe and well-defined. *using* the returned pointer is fine — it's not like using a freed pointer, which is indeed undefined behavior.
It's not a safety check, just a warning that there may be an error in the code. The usage of a pointer returned from realloc(p,0) is suspicious, any bytes in the new object have indeterminate values also modifying the contents the returned memory is an error.
Zero size may be requested by reason of an error when the second parameter to realloc() is a variable.

zaks.anna added a comment.Jan 6 2015, 10:27 PM

Anton, Can you add the quote from the standard somewhere in the comments explaining the zero allocation warning?

test/Analysis/malloc-annotations.c
51

I don't think we should be warning when free is called on the returned value from realloc(p,0). We should try and stay away from reporting issues that would lead to known false positives.

We could whitelist various ways the pointer could be dereferenced and warn on those or just not warn on realloc(p,0). (I think passing '0' to other allocation functions would not likely trigger false positives.)

Anton, what do you think?

ayartsev added a comment.Jan 7 2015, 10:30 AM

Added the comment (inlined comment at MallocChecker.cpp, Line 259). OK to commit?

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
259

Additional comment:

The request for zero bytes is suspicious.
C11 n1570, 7.22.3.1 "If the size of the space requested is zero, the behavior is implementation-defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object."

test/Analysis/malloc-annotations.c
51

Currently we do not warn whether free() is called on the value returned from realloc(p, 0) or not. This is an old unmodified behavior.
The proposition is to warn if free() is *not* called on the returned value from realloc(p, 0) (other allocation functions as well) if the value is non-zero. May it is not a memory leak but I guess it may be some kind of a resource leak in case of a nonzero return because an information about a zero-allocated memory must be stored somewhere. Perhaps it is a good idea for a further enhancement.

We could whitelist various ways the pointer could be dereferenced and warn on those or just not warn on realloc(p,0). (I think passing '0' to other allocation functions would not likely trigger false positives.)
The usage of a pointer returned from a zero-allocation request is a matter of another potentional checker - ZeroAllocDereference which I plan to develop in the future. The goal of the current check is just to detect a zero-allocation. The current patch just moves '0 size allocation' check from unix.API to unix.Malloc with a small improvement - do not warn in the case when a pointer is not consumed. Perhaps as a next step it make sense to separate the check from the global unix.Malloc to a separate check - ZeroAlloc in order to make it switchable.

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
MallocChecker.cpp
MallocChecker.cpp (revision 224838)
239 lines
UnixAPIChecker.cpp
UnixAPIChecker.cpp (revision 224838)
161 lines
test/
Analysis/
malloc-annotations.c
malloc-annotations.c (revision 224838)
7 lines
malloc.c
malloc.c (revision 224838)
139 lines
unix-fns.c
unix-fns.c (revision 224908)
100 lines

Diff 17662

lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 154 Lines▼ Show 20 Linesclass MallocChecker : public Checker<check::DeadSymbols,
check::PreStmt<CXXDeleteExpr>, check::PreStmt<CXXDeleteExpr>,
check::PostStmt<BlockExpr>, check::PostStmt<BlockExpr>,
check::PostObjCMessage, check::PostObjCMessage,
check::Location, check::Location,
eval::Assume> eval::Assume>
{ {
public: public:
MallocChecker() MallocChecker()
: II_malloc(nullptr), II_free(nullptr), II_realloc(nullptr), : II_alloca(nullptr), II_alloca_builtin(nullptr), II_malloc(nullptr),
II_calloc(nullptr), II_valloc(nullptr), II_reallocf(nullptr), II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr),
II_strndup(nullptr), II_strdup(nullptr), II_kmalloc(nullptr), II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr),
II_if_nameindex(nullptr), II_if_freenameindex(nullptr) {} II_strdup(nullptr), II_kmalloc(nullptr), II_if_nameindex(nullptr),
II_if_freenameindex(nullptr) {}
/// In pessimistic mode, the checker assumes that it does not know which /// In pessimistic mode, the checker assumes that it does not know which
/// functions might free the memory. /// functions might free the memory.
enum CheckKind { enum CheckKind {
CK_MallocPessimistic, CK_MallocPessimistic,
CK_MallocOptimistic, CK_MallocOptimistic,
CK_NewDeleteChecker, CK_NewDeleteChecker,
CK_NewDeleteLeaksChecker, CK_NewDeleteLeaksChecker,
Show All 38 Lines
private: private:
mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds]; mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_DoubleDelete; mutable std::unique_ptr<BugType> BT_DoubleDelete;
mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds]; mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_MismatchedDealloc; mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc, mutable std::unique_ptr<BugType> BT_ZerroAllocation[CK_NumCheckKinds];
QuuxplusoneUnsubmitted
Not Done
ReplyInline Actions

This should presumably be "Zero", not "Zerro".

Quuxplusone: This should presumably be "Zero", not "Zerro".
ayartsevAuthorUnsubmitted
Not Done
ReplyInline Actions

Thanks!

ayartsev: Thanks!
*II_valloc, *II_reallocf, *II_strndup, *II_strdup, mutable IdentifierInfo *II_alloca, *II_alloca_builtin, *II_malloc, *II_free,
*II_kmalloc, *II_if_nameindex, *II_if_freenameindex; *II_realloc, *II_calloc, *II_valloc, *II_reallocf,
*II_strndup, *II_strdup, *II_kmalloc, *II_if_nameindex,
*II_if_freenameindex;
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

Ho about BT_MallocZero -> BT_ZerroAllocation ?

zaks.anna: Ho about BT_MallocZero -> BT_ZerroAllocation ?
mutable Optional<uint64_t> KernelZeroFlagVal; mutable Optional<uint64_t> KernelZeroFlagVal;
void initIdentifierInfo(ASTContext &C) const; void initIdentifierInfo(ASTContext &C) const;
/// \brief Determine family of a deallocation expression. /// \brief Determine family of a deallocation expression.
AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const;
/// \brief Print names of allocators and deallocators. /// \brief Print names of allocators and deallocators.
Show All 15 Linesprivate:
/// pointed to by one of its arguments. /// pointed to by one of its arguments.
bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const; bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const;
bool isCMemFunction(const FunctionDecl *FD, bool isCMemFunction(const FunctionDecl *FD,
ASTContext &C, ASTContext &C,
AllocationFamily Family, AllocationFamily Family,
MemoryOperationKind MemKind) const; MemoryOperationKind MemKind) const;
bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const; bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const;
///@} ///@}
/// \brief Perform a zero-allocation check.
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

Please, add oxygen comment for this and "CheckCallocZero".

zaks.anna: Please, add oxygen comment for this and "CheckCallocZero".
ayartsevAuthorUnsubmitted
Not Done
ReplyInline Actions

Additional comment:

The request for zero bytes is suspicious.
C11 n1570, 7.22.3.1 "If the size of the space requested is zero, the behavior is implementation-defined: either a null pointer is returned, or the behavior is as if the size were some nonzero value, except that the returned pointer shall not be used to access an object."

ayartsev: Additional comment: The request for zero bytes is suspicious. C11 n1570, 7.22.3.1 "If the size…
ProgramStateRef ZeroAllocationCheck(CheckerContext &C, const CallExpr *CE,
const unsigned AllocationSizeArg,
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

I'd rename "SizeArg" to make it more clear it's the allocation size; for example, something like "AllocationSizeArg".

zaks.anna: I'd rename "SizeArg" to make it more clear it's the allocation size; for example, something…
ProgramStateRef State) const;
ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, ProgramStateRef MallocMemReturnsAttr(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE,
const OwnershipAttr* Att) const; const OwnershipAttr* Att,
ProgramStateRef State) const;
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
const Expr *SizeEx, SVal Init, const Expr *SizeEx, SVal Init,
ProgramStateRef State, ProgramStateRef State,
AllocationFamily Family = AF_Malloc) { AllocationFamily Family = AF_Malloc);
return MallocMemAux(C, CE,
State->getSVal(SizeEx, C.getLocationContext()),
Init, State, Family);
}
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
SVal SizeEx, SVal Init, SVal SizeEx, SVal Init,
ProgramStateRef State, ProgramStateRef State,
AllocationFamily Family = AF_Malloc); AllocationFamily Family = AF_Malloc);
// Check if this malloc() for special flags. At present that means M_ZERO or // Check if this malloc() for special flags. At present that means M_ZERO or
// __GFP_ZERO (in which case, treat it like calloc). // __GFP_ZERO (in which case, treat it like calloc).
llvm::Optional<ProgramStateRef> llvm::Optional<ProgramStateRef>
performKernelMalloc(const CallExpr *CE, CheckerContext &C, performKernelMalloc(const CallExpr *CE, CheckerContext &C,
const ProgramStateRef &State) const; const ProgramStateRef &State) const;
/// Update the RefState to reflect the new memory allocation. /// Update the RefState to reflect the new memory allocation.
static ProgramStateRef static ProgramStateRef
MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State, MallocUpdateRefState(CheckerContext &C, const Expr *E, ProgramStateRef State,
AllocationFamily Family = AF_Malloc); AllocationFamily Family = AF_Malloc);
ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE,
const OwnershipAttr* Att) const; const OwnershipAttr* Att,
ProgramStateRef State) const;
ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE,
ProgramStateRef state, unsigned Num, ProgramStateRef state, unsigned Num,
bool Hold, bool Hold,
bool &ReleasedAllocated, bool &ReleasedAllocated,
bool ReturnsNullOnFailure = false) const; bool ReturnsNullOnFailure = false) const;
ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg, ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *Arg,
const Expr *ParentExpr, const Expr *ParentExpr,
ProgramStateRef State, ProgramStateRef State,
bool Hold, bool Hold,
bool &ReleasedAllocated, bool &ReleasedAllocated,
bool ReturnsNullOnFailure = false) const; bool ReturnsNullOnFailure = false) const;
ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE, ProgramStateRef ReallocMem(CheckerContext &C, const CallExpr *CE,
bool FreesMemOnFailure) const; bool FreesMemOnFailure,
static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE); ProgramStateRef State) const;
static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE,
ProgramStateRef State);
///\brief Check if the memory associated with this symbol was released. ///\brief Check if the memory associated with this symbol was released.
bool isReleased(SymbolRef Sym, CheckerContext &C) const; bool isReleased(SymbolRef Sym, CheckerContext &C) const;
bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const; bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;
Show All 24 Linesprivate:
/// family/call/symbol. /// family/call/symbol.
Optional<CheckKind> getCheckIfTracked(AllocationFamily Family) const; Optional<CheckKind> getCheckIfTracked(AllocationFamily Family) const;
Optional<CheckKind> getCheckIfTracked(CheckerContext &C, Optional<CheckKind> getCheckIfTracked(CheckerContext &C,
const Stmt *AllocDeallocStmt) const; const Stmt *AllocDeallocStmt) const;
Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const; Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const;
///@} ///@}
static bool SummarizeValue(raw_ostream &os, SVal V); static bool SummarizeValue(raw_ostream &os, SVal V);
static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
void ReportZeroByteAllocation(CheckerContext &C, ProgramStateRef FalseState,
const Expr *Arg, const Expr *AllocExpr) const;
void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
const Expr *DeallocExpr) const; const Expr *DeallocExpr) const;
void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range,
const Expr *DeallocExpr, const RefState *RS, const Expr *DeallocExpr, const RefState *RS,
SymbolRef Sym, bool OwnershipTransferred) const; SymbolRef Sym, bool OwnershipTransferred) const;
void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
const Expr *DeallocExpr, const Expr *DeallocExpr,
const Expr *AllocExpr = nullptr) const; const Expr *AllocExpr = nullptr) const;
▲ Show 20 LinesShow All 144 Lines▼ Show 20 Lines bool VisitSymbol(SymbolRef sym) override {
return true; return true;
} }
}; };
} // end anonymous namespace } // end anonymous namespace
void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const { void MallocChecker::initIdentifierInfo(ASTContext &Ctx) const {
if (II_malloc) if (II_malloc)
return; return;
II_alloca = &Ctx.Idents.get("alloca");
II_alloca_builtin = &Ctx.Idents.get("__builtin_alloca");
II_malloc = &Ctx.Idents.get("malloc"); II_malloc = &Ctx.Idents.get("malloc");
II_free = &Ctx.Idents.get("free"); II_free = &Ctx.Idents.get("free");
II_realloc = &Ctx.Idents.get("realloc"); II_realloc = &Ctx.Idents.get("realloc");
II_reallocf = &Ctx.Idents.get("reallocf"); II_reallocf = &Ctx.Idents.get("reallocf");
II_calloc = &Ctx.Idents.get("calloc"); II_calloc = &Ctx.Idents.get("calloc");
II_valloc = &Ctx.Idents.get("valloc"); II_valloc = &Ctx.Idents.get("valloc");
II_strdup = &Ctx.Idents.get("strdup"); II_strdup = &Ctx.Idents.get("strdup");
II_strndup = &Ctx.Idents.get("strndup"); II_strndup = &Ctx.Idents.get("strndup");
Show All 32 Lines if (FD->getKind() == Decl::Function) {
initIdentifierInfo(C); initIdentifierInfo(C);
if (Family == AF_Malloc && CheckFree) { if (Family == AF_Malloc && CheckFree) {
if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf)
return true; return true;
} }
if (Family == AF_Malloc && CheckAlloc) { if (Family == AF_Malloc && CheckAlloc) {
if (FunI == II_malloc || FunI == II_realloc || FunI == II_reallocf || if (FunI == II_alloca || FunI == II_alloca_builtin || FunI == II_malloc ||
FunI == II_calloc || FunI == II_valloc || FunI == II_strdup || FunI == II_realloc || FunI == II_reallocf || FunI == II_calloc ||
FunI == II_strndup || FunI == II_kmalloc) FunI == II_valloc || FunI == II_strdup || FunI == II_strndup ||
FunI == II_kmalloc)
return true; return true;
} }
if (Family == AF_IfNameIndex && CheckFree) { if (Family == AF_IfNameIndex && CheckFree) {
if (FunI == II_if_freenameindex) if (FunI == II_if_freenameindex)
return true; return true;
} }
▲ Show 20 LinesShow All 146 Lines▼ Show 20 Linesvoid MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const {
if (FD->getKind() == Decl::Function) { if (FD->getKind() == Decl::Function) {
initIdentifierInfo(C.getASTContext()); initIdentifierInfo(C.getASTContext());
IdentifierInfo *FunI = FD->getIdentifier(); IdentifierInfo *FunI = FD->getIdentifier();
if (FunI == II_malloc) { if (FunI == II_malloc) {
if (CE->getNumArgs() < 1) if (CE->getNumArgs() < 1)
return; return;
else if (CE->getNumArgs() == 1)
State = ZeroAllocationCheck(C, CE, 0, State);
if (CE->getNumArgs() < 3) { if (CE->getNumArgs() < 3) {
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
} else if (CE->getNumArgs() == 3) { } else if (CE->getNumArgs() == 3) {
llvm::Optional<ProgramStateRef> MaybeState = llvm::Optional<ProgramStateRef> MaybeState =
performKernelMalloc(CE, C, State); performKernelMalloc(CE, C, State);
if (MaybeState.hasValue()) if (MaybeState.hasValue())
State = MaybeState.getValue(); State = MaybeState.getValue();
else else
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
} }
} else if (FunI == II_kmalloc) { } else if (FunI == II_kmalloc) {
llvm::Optional<ProgramStateRef> MaybeState = llvm::Optional<ProgramStateRef> MaybeState =
performKernelMalloc(CE, C, State); performKernelMalloc(CE, C, State);
if (MaybeState.hasValue()) if (MaybeState.hasValue())
State = MaybeState.getValue(); State = MaybeState.getValue();
else else
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
} else if (FunI == II_valloc) { } else if (FunI == II_valloc) {
if (CE->getNumArgs() < 1) if (CE->getNumArgs() < 1)
return; return;
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State); State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
State = ZeroAllocationCheck(C, CE, 0, State);
} else if (FunI == II_realloc) { } else if (FunI == II_realloc) {
State = ReallocMem(C, CE, false); State = ReallocMem(C, CE, false, State);
ParentMap &PM = C.getLocationContext()->getParentMap();
if (PM.isConsumedExpr(CE))
State = ZeroAllocationCheck(C, CE, 1, State);
} else if (FunI == II_reallocf) { } else if (FunI == II_reallocf) {
State = ReallocMem(C, CE, true); State = ReallocMem(C, CE, true, State);
ParentMap &PM = C.getLocationContext()->getParentMap();
if (PM.isConsumedExpr(CE))
State = ZeroAllocationCheck(C, CE, 1, State);
} else if (FunI == II_calloc) { } else if (FunI == II_calloc) {
State = CallocMem(C, CE); State = CallocMem(C, CE, State);
State = ZeroAllocationCheck(C, CE, 0, State);
State = ZeroAllocationCheck(C, CE, 1, State);
} else if (FunI == II_free) { } else if (FunI == II_free) {
State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
} else if (FunI == II_strdup) { } else if (FunI == II_strdup) {
State = MallocUpdateRefState(C, CE, State); State = MallocUpdateRefState(C, CE, State);
} else if (FunI == II_strndup) { } else if (FunI == II_strndup) {
State = MallocUpdateRefState(C, CE, State); State = MallocUpdateRefState(C, CE, State);
} } else if (FunI == II_alloca || FunI == II_alloca_builtin) {
else if (isStandardNewDelete(FD, C.getASTContext())) { State = ZeroAllocationCheck(C, CE, 0, State);
} else if (isStandardNewDelete(FD, C.getASTContext())) {
// Process direct calls to operator new/new[]/delete/delete[] functions // Process direct calls to operator new/new[]/delete/delete[] functions
// as distinct from new/new[]/delete/delete[] expressions that are // as distinct from new/new[]/delete/delete[] expressions that are
// processed by the checkPostStmt callbacks for CXXNewExpr and // processed by the checkPostStmt callbacks for CXXNewExpr and
// CXXDeleteExpr. // CXXDeleteExpr.
OverloadedOperatorKind K = FD->getOverloadedOperator(); OverloadedOperatorKind K = FD->getOverloadedOperator();
if (K == OO_New) if (K == OO_New)
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_CXXNew); AF_CXXNew);
Show All 17 Linesvoid MallocChecker::checkPostStmt(const CallExpr *CE, CheckerContext &C) const {
if (ChecksEnabled[CK_MallocOptimistic] || if (ChecksEnabled[CK_MallocOptimistic] ||
ChecksEnabled[CK_MismatchedDeallocatorChecker]) { ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
// Check all the attributes, if there are any. // Check all the attributes, if there are any.
// There can be multiple of these attributes. // There can be multiple of these attributes.
if (FD->hasAttrs()) if (FD->hasAttrs())
for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
switch (I->getOwnKind()) { switch (I->getOwnKind()) {
case OwnershipAttr::Returns: case OwnershipAttr::Returns:
State = MallocMemReturnsAttr(C, CE, I); State = MallocMemReturnsAttr(C, CE, I, State);
break; break;
case OwnershipAttr::Takes: case OwnershipAttr::Takes:
case OwnershipAttr::Holds: case OwnershipAttr::Holds:
State = FreeMemAttr(C, CE, I); State = FreeMemAttr(C, CE, I, State);
break; break;
} }
} }
} }
C.addTransition(State); C.addTransition(State);
} }
// Performs a 0-sized allocations check.
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

This comment is probably copied from the unix.api checker, where it tells which APIs are being processed below. It feels out of place here.

zaks.anna: This comment is probably copied from the unix.api checker, where it tells which APIs are being…
ProgramStateRef MallocChecker::ZeroAllocationCheck(CheckerContext &C,
const CallExpr *CE,
const unsigned AllocationSizeArg,
ProgramStateRef State) const {
if (!State)
return nullptr;
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

TalseState -> FalseState

Are the True and False states backwards? I would expect TrueState to mean zero allocation; but by looking at the return it seems that it's the opposite..

zaks.anna: TalseState -> FalseState Are the True and False states backwards? I would expect TrueState to…
ayartsevAuthorUnsubmitted
Not Done
ReplyInline Actions

Inverted.

ayartsev: Inverted.
const Expr *Arg = CE->getArg(AllocationSizeArg);
Optional<DefinedSVal> DefArgVal =
State->getSVal(Arg, C.getLocationContext()).getAs<DefinedSVal>();
if (!DefArgVal)
return State;
// Check if the allocation size is 0.
ProgramStateRef TrueState, FalseState;
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

Does -> Performs

"most of the bellow"? where below?

Missing "."

zaks.anna: Does -> Performs "most of the bellow"? where below? Missing "."
SValBuilder &SvalBuilder = C.getSValBuilder();
DefinedSVal Zero =
SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
std::tie(TrueState, FalseState) =
State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
if (TrueState && !FalseState) {
ReportZeroByteAllocation(C, FalseState, Arg, CE);
return nullptr;
}
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

Does it make sense to pass an extra argument just for sanity check?

zaks.anna: Does it make sense to pass an extra argument just for sanity check?
ayartsevAuthorUnsubmitted
Not Done
ReplyInline Actions

Removed.

ayartsev: Removed.
// Assume the value is non-zero going forward.
assert(FalseState);
return FalseState;
}
static QualType getDeepPointeeType(QualType T) { static QualType getDeepPointeeType(QualType T) {
QualType Result = T, PointeeType = T->getPointeeType(); QualType Result = T, PointeeType = T->getPointeeType();
while (!PointeeType.isNull()) { while (!PointeeType.isNull()) {
Result = PointeeType; Result = PointeeType;
PointeeType = PointeeType->getPointeeType(); PointeeType = PointeeType->getPointeeType();
} }
return Result; return Result;
} }
static bool treatUnusedNewEscaped(const CXXNewExpr *NE) { static bool treatUnusedNewEscaped(const CXXNewExpr *NE) {
const CXXConstructExpr *ConstructE = NE->getConstructExpr(); const CXXConstructExpr *ConstructE = NE->getConstructExpr();
if (!ConstructE) if (!ConstructE)
return false; return false;
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

Why is CheckCallocZero different from BasicAllocationCheck? (I feel like I am missing something..)

zaks.anna: Why is CheckCallocZero different from BasicAllocationCheck? (I feel like I am missing something.
ayartsevAuthorUnsubmitted
Not Done
ReplyInline Actions

Hm, really. Removed CheckCallocZero, added two calls to BasicAllocationCheck instead.

ayartsev: Hm, really. Removed CheckCallocZero, added two calls to BasicAllocationCheck instead.
if (!NE->getAllocatedType()->getAsCXXRecordDecl()) if (!NE->getAllocatedType()->getAsCXXRecordDecl())
return false; return false;
const CXXConstructorDecl *CtorD = ConstructE->getConstructor(); const CXXConstructorDecl *CtorD = ConstructE->getConstructor();
// Iterate over the constructor parameters. // Iterate over the constructor parameters.
for (const auto *CtorParam : CtorD->params()) { for (const auto *CtorParam : CtorD->params()) {
▲ Show 20 LinesShow All 98 Lines▼ Show 20 Lines ProgramStateRef State = FreeMemAux(C, Call.getArgExpr(0),
/*Hold=*/true, ReleasedAllocatedMemory, /*Hold=*/true, ReleasedAllocatedMemory,
/*RetNullOnFailure=*/true); /*RetNullOnFailure=*/true);
C.addTransition(State); C.addTransition(State);
} }
ProgramStateRef ProgramStateRef
MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,
const OwnershipAttr *Att) const { const OwnershipAttr *Att,
ProgramStateRef State) const {
if (!State)
return nullptr;
if (Att->getModule() != II_malloc) if (Att->getModule() != II_malloc)
return nullptr; return nullptr;
OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
if (I != E) { if (I != E) {
return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), C.getState()); return MallocMemAux(C, CE, CE->getArg(*I), UndefinedVal(), State);
}
return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State);
} }
return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), C.getState());
ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
const CallExpr *CE,
const Expr *SizeEx, SVal Init,
ProgramStateRef State,
AllocationFamily Family) {
if (!State)
return nullptr;
return MallocMemAux(C, CE, State->getSVal(SizeEx, C.getLocationContext()),
Init, State, Family);
} }
ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE,
SVal Size, SVal Init, SVal Size, SVal Init,
ProgramStateRef State, ProgramStateRef State,
AllocationFamily Family) { AllocationFamily Family) {
if (!State)
return nullptr;
// We expect the malloc functions to return a pointer. // We expect the malloc functions to return a pointer.
if (!Loc::isLocType(CE->getType())) if (!Loc::isLocType(CE->getType()))
return nullptr; return nullptr;
// Bind the return value to the symbolic value from the heap region. // Bind the return value to the symbolic value from the heap region.
// TODO: We could rewrite post visit to eval call; 'malloc' does not have // TODO: We could rewrite post visit to eval call; 'malloc' does not have
// side effects other than what we model here. // side effects other than what we model here.
Show All 25 LinesProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
return MallocUpdateRefState(C, CE, State, Family); return MallocUpdateRefState(C, CE, State, Family);
} }
ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C, ProgramStateRef MallocChecker::MallocUpdateRefState(CheckerContext &C,
const Expr *E, const Expr *E,
ProgramStateRef State, ProgramStateRef State,
AllocationFamily Family) { AllocationFamily Family) {
if (!State)
return nullptr;
// Get the return value. // Get the return value.
SVal retVal = State->getSVal(E, C.getLocationContext()); SVal retVal = State->getSVal(E, C.getLocationContext());
// We expect the malloc functions to return a pointer. // We expect the malloc functions to return a pointer.
if (!retVal.getAs<Loc>()) if (!retVal.getAs<Loc>())
return nullptr; return nullptr;
SymbolRef Sym = retVal.getAsLocSymbol(); SymbolRef Sym = retVal.getAsLocSymbol();
assert(Sym); assert(Sym);
// Set the symbol's state to Allocated. // Set the symbol's state to Allocated.
return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
} }
ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE,
const OwnershipAttr *Att) const { const OwnershipAttr *Att,
ProgramStateRef State) const {
if (!State)
return nullptr;
if (Att->getModule() != II_malloc) if (Att->getModule() != II_malloc)
return nullptr; return nullptr;
ProgramStateRef State = C.getState();
bool ReleasedAllocated = false; bool ReleasedAllocated = false;
for (const auto &Arg : Att->args()) { for (const auto &Arg : Att->args()) {
ProgramStateRef StateI = FreeMemAux(C, CE, State, Arg, ProgramStateRef StateI = FreeMemAux(C, CE, State, Arg,
Att->getOwnKind() == OwnershipAttr::Holds, Att->getOwnKind() == OwnershipAttr::Holds,
ReleasedAllocated); ReleasedAllocated);
if (StateI) if (StateI)
State = StateI; State = StateI;
} }
return State; return State;
} }
ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE,
ProgramStateRef state, ProgramStateRef State,
unsigned Num, unsigned Num,
bool Hold, bool Hold,
bool &ReleasedAllocated, bool &ReleasedAllocated,
bool ReturnsNullOnFailure) const { bool ReturnsNullOnFailure) const {
if (!State)
return nullptr;
if (CE->getNumArgs() < (Num + 1)) if (CE->getNumArgs() < (Num + 1))
return nullptr; return nullptr;
return FreeMemAux(C, CE->getArg(Num), CE, state, Hold, return FreeMemAux(C, CE->getArg(Num), CE, State, Hold,
ReleasedAllocated, ReturnsNullOnFailure); ReleasedAllocated, ReturnsNullOnFailure);
} }
/// Checks if the previous call to free on the given symbol failed - if free /// Checks if the previous call to free on the given symbol failed - if free
/// failed, returns true. Also, returns the corresponding return value symbol. /// failed, returns true. Also, returns the corresponding return value symbol.
static bool didPreviousFreeFail(ProgramStateRef State, static bool didPreviousFreeFail(ProgramStateRef State,
SymbolRef Sym, SymbolRef &RetStatusSymbol) { SymbolRef Sym, SymbolRef &RetStatusSymbol) {
const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
▲ Show 20 LinesShow All 116 Lines▼ Show 20 Lines
ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
const Expr *ArgExpr, const Expr *ArgExpr,
const Expr *ParentExpr, const Expr *ParentExpr,
ProgramStateRef State, ProgramStateRef State,
bool Hold, bool Hold,
bool &ReleasedAllocated, bool &ReleasedAllocated,
bool ReturnsNullOnFailure) const { bool ReturnsNullOnFailure) const {
if (!State)
return nullptr;
SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext()); SVal ArgVal = State->getSVal(ArgExpr, C.getLocationContext());
if (!ArgVal.getAs<DefinedOrUnknownSVal>()) if (!ArgVal.getAs<DefinedOrUnknownSVal>())
return nullptr; return nullptr;
DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal location = ArgVal.castAs<DefinedOrUnknownSVal>();
// Check for null dereferences. // Check for null dereferences.
if (!location.getAs<Loc>()) if (!location.getAs<Loc>())
return nullptr; return nullptr;
▲ Show 20 LinesShow All 239 Lines▼ Show 20 Lines if (isa<GlobalsSpaceRegion>(MS)) {
return true; return true;
} }
return false; return false;
} }
} }
} }
void MallocChecker::ReportZeroByteAllocation(CheckerContext &C,
ProgramStateRef FalseState,
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

Please, use more descriptive state name.

zaks.anna: Please, use more descriptive state name.
const Expr *Arg,
const Expr *AllocExpr) const {
if (!ChecksEnabled[CK_MallocOptimistic] &&
!ChecksEnabled[CK_MallocPessimistic])
return;
auto CheckKind = getCheckIfTracked(C, AllocExpr);
if (!CheckKind.hasValue())
return;
if (ExplodedNode *N = C.generateSink(FalseState)) {
if (!BT_ZerroAllocation[*CheckKind])
BT_ZerroAllocation[*CheckKind].reset(new BugType(
CheckNames[*CheckKind], "Zero allocation", "Memory Error"));
SmallString<256> S;
llvm::raw_svector_ostream os(S);
os << "Call to '";
printAllocDeallocName(os, C, AllocExpr);
os << "' has an allocation size of 0 bytes";
BugReport *Report =
new BugReport(*BT_ZerroAllocation[*CheckKind], os.str(), N);
Report->addRange(Arg->getSourceRange());
bugreporter::trackNullOrUndefValue(N, Arg, *Report);
C.emitReport(Report);
}
}
void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal,
SourceRange Range, SourceRange Range,
const Expr *DeallocExpr) const { const Expr *DeallocExpr) const {
if (!ChecksEnabled[CK_MallocOptimistic] && if (!ChecksEnabled[CK_MallocOptimistic] &&
!ChecksEnabled[CK_MallocPessimistic] && !ChecksEnabled[CK_MallocPessimistic] &&
!ChecksEnabled[CK_NewDeleteChecker]) !ChecksEnabled[CK_NewDeleteChecker])
return; return;
▲ Show 20 LinesShow All 232 Lines▼ Show 20 Lines if (ExplodedNode *N = C.generateSink()) {
R->markInteresting(Sym); R->markInteresting(Sym);
R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym)); R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
C.emitReport(R); C.emitReport(R);
} }
} }
ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C, ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE,
bool FreesOnFail) const { bool FreesOnFail,
ProgramStateRef State) const {
if (!State)
return nullptr;
if (CE->getNumArgs() < 2) if (CE->getNumArgs() < 2)
return nullptr; return nullptr;
ProgramStateRef state = C.getState();
const Expr *arg0Expr = CE->getArg(0); const Expr *arg0Expr = CE->getArg(0);
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
SVal Arg0Val = state->getSVal(arg0Expr, LCtx); SVal Arg0Val = State->getSVal(arg0Expr, LCtx);
if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
return nullptr; return nullptr;
DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal arg0Val = Arg0Val.castAs<DefinedOrUnknownSVal>();
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
DefinedOrUnknownSVal PtrEQ = DefinedOrUnknownSVal PtrEQ =
svalBuilder.evalEQ(state, arg0Val, svalBuilder.makeNull()); svalBuilder.evalEQ(State, arg0Val, svalBuilder.makeNull());
// Get the size argument. If there is no size arg then give up. // Get the size argument. If there is no size arg then give up.
const Expr *Arg1 = CE->getArg(1); const Expr *Arg1 = CE->getArg(1);
if (!Arg1) if (!Arg1)
return nullptr; return nullptr;
// Get the value of the size argument. // Get the value of the size argument.
SVal Arg1ValG = state->getSVal(Arg1, LCtx); SVal Arg1ValG = State->getSVal(Arg1, LCtx);
if (!Arg1ValG.getAs<DefinedOrUnknownSVal>()) if (!Arg1ValG.getAs<DefinedOrUnknownSVal>())
return nullptr; return nullptr;
DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal Arg1Val = Arg1ValG.castAs<DefinedOrUnknownSVal>();
// Compare the size argument to 0. // Compare the size argument to 0.
DefinedOrUnknownSVal SizeZero = DefinedOrUnknownSVal SizeZero =
svalBuilder.evalEQ(state, Arg1Val, svalBuilder.evalEQ(State, Arg1Val,
svalBuilder.makeIntValWithPtrWidth(0, false)); svalBuilder.makeIntValWithPtrWidth(0, false));
ProgramStateRef StatePtrIsNull, StatePtrNotNull; ProgramStateRef StatePtrIsNull, StatePtrNotNull;
std::tie(StatePtrIsNull, StatePtrNotNull) = state->assume(PtrEQ); std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
ProgramStateRef StateSizeIsZero, StateSizeNotZero; ProgramStateRef StateSizeIsZero, StateSizeNotZero;
std::tie(StateSizeIsZero, StateSizeNotZero) = state->assume(SizeZero); std::tie(StateSizeIsZero, StateSizeNotZero) = State->assume(SizeZero);
// We only assume exceptional states if they are definitely true; if the // We only assume exceptional states if they are definitely true; if the
// state is under-constrained, assume regular realloc behavior. // state is under-constrained, assume regular realloc behavior.
bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
// If the ptr is NULL and the size is not 0, the call is equivalent to // If the ptr is NULL and the size is not 0, the call is equivalent to
// malloc(size). // malloc(size).
if ( PrtIsNull && !SizeIsZero) { if ( PrtIsNull && !SizeIsZero) {
ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1), ProgramStateRef stateMalloc = MallocMemAux(C, CE, CE->getArg(1),
UndefinedVal(), StatePtrIsNull); UndefinedVal(), StatePtrIsNull);
return stateMalloc; return stateMalloc;
} }
if (PrtIsNull && SizeIsZero) if (PrtIsNull && SizeIsZero)
return nullptr; return nullptr;
// Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size). // Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
assert(!PrtIsNull); assert(!PrtIsNull);
SymbolRef FromPtr = arg0Val.getAsSymbol(); SymbolRef FromPtr = arg0Val.getAsSymbol();
SVal RetVal = state->getSVal(CE, LCtx); SVal RetVal = State->getSVal(CE, LCtx);
SymbolRef ToPtr = RetVal.getAsSymbol(); SymbolRef ToPtr = RetVal.getAsSymbol();
if (!FromPtr || !ToPtr) if (!FromPtr || !ToPtr)
return nullptr; return nullptr;
bool ReleasedAllocated = false; bool ReleasedAllocated = false;
// If the size is 0, free the memory. // If the size is 0, free the memory.
if (SizeIsZero) if (SizeIsZero)
if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0,
false, ReleasedAllocated)){ false, ReleasedAllocated)){
// The semantics of the return value are: // The semantics of the return value are:
// If size was equal to 0, either NULL or a pointer suitable to be passed // If size was equal to 0, either NULL or a pointer suitable to be passed
// to free() is returned. We just free the input pointer and do not add // to free() is returned. We just free the input pointer and do not add
// any constrains on the output pointer. // any constrains on the output pointer.
return stateFree; return stateFree;
} }
// Default behavior. // Default behavior.
if (ProgramStateRef stateFree = if (ProgramStateRef stateFree =
FreeMemAux(C, CE, state, 0, false, ReleasedAllocated)) { FreeMemAux(C, CE, State, 0, false, ReleasedAllocated)) {
ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1), ProgramStateRef stateRealloc = MallocMemAux(C, CE, CE->getArg(1),
UnknownVal(), stateFree); UnknownVal(), stateFree);
if (!stateRealloc) if (!stateRealloc)
return nullptr; return nullptr;
ReallocPairKind Kind = RPToBeFreedAfterFailure; ReallocPairKind Kind = RPToBeFreedAfterFailure;
if (FreesOnFail) if (FreesOnFail)
Kind = RPIsFreeOnFailure; Kind = RPIsFreeOnFailure;
else if (!ReleasedAllocated) else if (!ReleasedAllocated)
Kind = RPDoNotTrackAfterFailure; Kind = RPDoNotTrackAfterFailure;
// Record the info about the reallocated symbol so that we could properly // Record the info about the reallocated symbol so that we could properly
// process failed reallocation. // process failed reallocation.
stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr, stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
ReallocPair(FromPtr, Kind)); ReallocPair(FromPtr, Kind));
// The reallocated symbol should stay alive for as long as the new symbol. // The reallocated symbol should stay alive for as long as the new symbol.
C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
return stateRealloc; return stateRealloc;
} }
return nullptr; return nullptr;
} }
ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE){ ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE,
ProgramStateRef State) {
if (!State)
return nullptr;
if (CE->getNumArgs() < 2) if (CE->getNumArgs() < 2)
return nullptr; return nullptr;
ProgramStateRef state = C.getState();
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
SVal count = state->getSVal(CE->getArg(0), LCtx); SVal count = State->getSVal(CE->getArg(0), LCtx);
SVal elementSize = state->getSVal(CE->getArg(1), LCtx); SVal elementSize = State->getSVal(CE->getArg(1), LCtx);
SVal TotalSize = svalBuilder.evalBinOp(state, BO_Mul, count, elementSize, SVal TotalSize = svalBuilder.evalBinOp(State, BO_Mul, count, elementSize,
svalBuilder.getContext().getSizeType()); svalBuilder.getContext().getSizeType());
SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
return MallocMemAux(C, CE, TotalSize, zeroVal, state); return MallocMemAux(C, CE, TotalSize, zeroVal, State);
} }
LeakInfo LeakInfo
MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym, MallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
CheckerContext &C) const { CheckerContext &C) const {
const LocationContext *LeakContext = N->getLocationContext(); const LocationContext *LeakContext = N->getLocationContext();
// Walk the ExplodedGraph backwards and find the first node that referred to // Walk the ExplodedGraph backwards and find the first node that referred to
// the tracked symbol. // the tracked symbol.
▲ Show 20 LinesShow All 701 LinesShow Last 20 Lines

lib/StaticAnalyzer/Checkers/UnixAPIChecker.cpp

Show All 24 Lines
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
#include <fcntl.h> #include <fcntl.h>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class UnixAPIChecker : public Checker< check::PreStmt<CallExpr> > { class UnixAPIChecker : public Checker< check::PreStmt<CallExpr> > {
mutable std::unique_ptr<BugType> BT_open, BT_pthreadOnce, BT_mallocZero; mutable std::unique_ptr<BugType> BT_open, BT_pthreadOnce;
mutable Optional<uint64_t> Val_O_CREAT; mutable Optional<uint64_t> Val_O_CREAT;
public: public:
void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
void CheckOpen(CheckerContext &C, const CallExpr *CE) const; void CheckOpen(CheckerContext &C, const CallExpr *CE) const;
void CheckPthreadOnce(CheckerContext &C, const CallExpr *CE) const; void CheckPthreadOnce(CheckerContext &C, const CallExpr *CE) const;
void CheckCallocZero(CheckerContext &C, const CallExpr *CE) const;
void CheckMallocZero(CheckerContext &C, const CallExpr *CE) const;
void CheckReallocZero(CheckerContext &C, const CallExpr *CE) const;
void CheckReallocfZero(CheckerContext &C, const CallExpr *CE) const;
void CheckAllocaZero(CheckerContext &C, const CallExpr *CE) const;
void CheckVallocZero(CheckerContext &C, const CallExpr *CE) const;
typedef void (UnixAPIChecker::*SubChecker)(CheckerContext &, typedef void (UnixAPIChecker::*SubChecker)(CheckerContext &,
const CallExpr *) const; const CallExpr *) const;
private: private:
bool ReportZeroByteAllocation(CheckerContext &C,
ProgramStateRef falseState,
const Expr *arg,
const char *fn_name) const;
void BasicAllocationCheck(CheckerContext &C,
const CallExpr *CE,
const unsigned numArgs,
const unsigned sizeArg,
const char *fn) const;
void LazyInitialize(std::unique_ptr<BugType> &BT, const char *name) const { void LazyInitialize(std::unique_ptr<BugType> &BT, const char *name) const {
if (BT) if (BT)
return; return;
BT.reset(new BugType(this, name, categories::UnixAPI)); BT.reset(new BugType(this, name, categories::UnixAPI));
} }
void ReportOpenBug(CheckerContext &C, void ReportOpenBug(CheckerContext &C,
ProgramStateRef State, ProgramStateRef State,
const char *Msg, const char *Msg,
▲ Show 20 LinesShow All 133 Lines▼ Show 20 Linesvoid UnixAPIChecker::CheckPthreadOnce(CheckerContext &C,
LazyInitialize(BT_pthreadOnce, "Improper use of 'pthread_once'"); LazyInitialize(BT_pthreadOnce, "Improper use of 'pthread_once'");
BugReport *report = new BugReport(*BT_pthreadOnce, os.str(), N); BugReport *report = new BugReport(*BT_pthreadOnce, os.str(), N);
report->addRange(CE->getArg(0)->getSourceRange()); report->addRange(CE->getArg(0)->getSourceRange());
C.emitReport(report); C.emitReport(report);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// "calloc", "malloc", "realloc", "reallocf", "alloca" and "valloc"
// with allocation size 0
//===----------------------------------------------------------------------===//
// FIXME: Eventually these should be rolled into the MallocChecker, but right now
// they're more basic and valuable for widespread use.
// Returns true if we try to do a zero byte allocation, false otherwise.
// Fills in trueState and falseState.
static bool IsZeroByteAllocation(ProgramStateRef state,
const SVal argVal,
ProgramStateRef *trueState,
ProgramStateRef *falseState) {
std::tie(*trueState, *falseState) =
state->assume(argVal.castAs<DefinedSVal>());
return (*falseState && !*trueState);
}
// Generates an error report, indicating that the function whose name is given
// will perform a zero byte allocation.
// Returns false if an error occurred, true otherwise.
bool UnixAPIChecker::ReportZeroByteAllocation(CheckerContext &C,
ProgramStateRef falseState,
const Expr *arg,
const char *fn_name) const {
ExplodedNode *N = C.generateSink(falseState);
if (!N)
return false;
LazyInitialize(BT_mallocZero,
"Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)");
SmallString<256> S;
llvm::raw_svector_ostream os(S);
os << "Call to '" << fn_name << "' has an allocation size of 0 bytes";
BugReport *report = new BugReport(*BT_mallocZero, os.str(), N);
report->addRange(arg->getSourceRange());
bugreporter::trackNullOrUndefValue(N, arg, *report);
C.emitReport(report);
return true;
}
// Does a basic check for 0-sized allocations suitable for most of the below
// functions (modulo "calloc")
void UnixAPIChecker::BasicAllocationCheck(CheckerContext &C,
const CallExpr *CE,
const unsigned numArgs,
const unsigned sizeArg,
const char *fn) const {
// Sanity check for the correct number of arguments
if (CE->getNumArgs() != numArgs)
return;
// Check if the allocation size is 0.
ProgramStateRef state = C.getState();
ProgramStateRef trueState = nullptr, falseState = nullptr;
const Expr *arg = CE->getArg(sizeArg);
SVal argVal = state->getSVal(arg, C.getLocationContext());
if (argVal.isUnknownOrUndef())
return;
// Is the value perfectly constrained to zero?
if (IsZeroByteAllocation(state, argVal, &trueState, &falseState)) {
(void) ReportZeroByteAllocation(C, falseState, arg, fn);
return;
}
// Assume the value is non-zero going forward.
assert(trueState);
if (trueState != state)
C.addTransition(trueState);
}
void UnixAPIChecker::CheckCallocZero(CheckerContext &C,
const CallExpr *CE) const {
unsigned int nArgs = CE->getNumArgs();
if (nArgs != 2)
return;
ProgramStateRef state = C.getState();
ProgramStateRef trueState = nullptr, falseState = nullptr;
unsigned int i;
for (i = 0; i < nArgs; i++) {
const Expr *arg = CE->getArg(i);
SVal argVal = state->getSVal(arg, C.getLocationContext());
if (argVal.isUnknownOrUndef()) {
if (i == 0)
continue;
else
return;
}
if (IsZeroByteAllocation(state, argVal, &trueState, &falseState)) {
if (ReportZeroByteAllocation(C, falseState, arg, "calloc"))
return;
else if (i == 0)
continue;
else
return;
}
}
// Assume the value is non-zero going forward.
assert(trueState);
if (trueState != state)
C.addTransition(trueState);
}
void UnixAPIChecker::CheckMallocZero(CheckerContext &C,
const CallExpr *CE) const {
BasicAllocationCheck(C, CE, 1, 0, "malloc");
}
void UnixAPIChecker::CheckReallocZero(CheckerContext &C,
const CallExpr *CE) const {
BasicAllocationCheck(C, CE, 2, 1, "realloc");
}
void UnixAPIChecker::CheckReallocfZero(CheckerContext &C,
const CallExpr *CE) const {
BasicAllocationCheck(C, CE, 2, 1, "reallocf");
}
void UnixAPIChecker::CheckAllocaZero(CheckerContext &C,
const CallExpr *CE) const {
BasicAllocationCheck(C, CE, 1, 0, "alloca");
}
void UnixAPIChecker::CheckVallocZero(CheckerContext &C,
const CallExpr *CE) const {
BasicAllocationCheck(C, CE, 1, 0, "valloc");
}
//===----------------------------------------------------------------------===//
// Central dispatch function. // Central dispatch function.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void UnixAPIChecker::checkPreStmt(const CallExpr *CE, void UnixAPIChecker::checkPreStmt(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
const FunctionDecl *FD = C.getCalleeDecl(CE); const FunctionDecl *FD = C.getCalleeDecl(CE);
if (!FD || FD->getKind() != Decl::Function) if (!FD || FD->getKind() != Decl::Function)
return; return;
StringRef FName = C.getCalleeName(FD); StringRef FName = C.getCalleeName(FD);
if (FName.empty()) if (FName.empty())
return; return;
SubChecker SC = SubChecker SC =
llvm::StringSwitch<SubChecker>(FName) llvm::StringSwitch<SubChecker>(FName)
.Case("open", &UnixAPIChecker::CheckOpen) .Case("open", &UnixAPIChecker::CheckOpen)
.Case("pthread_once", &UnixAPIChecker::CheckPthreadOnce) .Case("pthread_once", &UnixAPIChecker::CheckPthreadOnce)
.Case("calloc", &UnixAPIChecker::CheckCallocZero)
.Case("malloc", &UnixAPIChecker::CheckMallocZero)
.Case("realloc", &UnixAPIChecker::CheckReallocZero)
.Case("reallocf", &UnixAPIChecker::CheckReallocfZero)
.Cases("alloca", "__builtin_alloca", &UnixAPIChecker::CheckAllocaZero)
.Case("valloc", &UnixAPIChecker::CheckVallocZero)
.Default(nullptr); .Default(nullptr);
if (SC) if (SC)
(this->*SC)(C, CE); (this->*SC)(C, CE);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Registration. // Registration.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void ento::registerUnixAPIChecker(CheckerManager &mgr) { void ento::registerUnixAPIChecker(CheckerManager &mgr) {
mgr.registerChecker<UnixAPIChecker>(); mgr.registerChecker<UnixAPIChecker>();
} }

test/Analysis/malloc-annotations.c

Show All 37 Lines
void f2_realloc_0() { void f2_realloc_0() {
int *p = malloc(12); int *p = malloc(12);
realloc(p,0); realloc(p,0);
realloc(p,0); // expected-warning{{Attempt to free released memory}} realloc(p,0); // expected-warning{{Attempt to free released memory}}
} }
void f2_realloc_1() { void f2_realloc_1() {
int *p = malloc(12); int *p = malloc(12);
int *q = realloc(p,0); // no-warning int *q = realloc(p,0); // expected-warning{{Call to 'realloc()' has an allocation size of 0 bytes}}
}
void f2_realloc_2() {
int *p = malloc(12);
realloc(p,0); // no-warning
QuuxplusoneUnsubmitted
Not Done
ReplyInline Actions

FWIW, this maybe should give the same warning as realloc(p,1); on a line by itself: namely, because the returned pointer is never freed, this code has a memory leak on implementations where realloc(p,0) returns a non-null pointer.

If the returned pointer is captured (q = realloc(p,0);) and later freed (free(q);), there is no bug. It's not unsafe to use the return value of realloc; it's perfectly safe and well-defined. The only implementation-defined aspect of realloc is whether the returned pointer is null or not. Either way, *using* the returned pointer is fine — it's not like using a freed pointer, which is indeed undefined behavior.

Quuxplusone: FWIW, this maybe should give the same warning as `realloc(p,1);` on a line by itself: namely…
ayartsevAuthorUnsubmitted
Not Done
ReplyInline Actions

FWIW, this maybe should give the same warning as realloc(p,1); on a line by itself: namely, because the returned pointer is never freed, this code has a memory leak on implementations where realloc(p,0) returns a non-null pointer.
Agree.

It's not unsafe to use the return value of realloc; it's perfectly safe and well-defined. *using* the returned pointer is fine — it's not like using a freed pointer, which is indeed undefined behavior.
It's not a safety check, just a warning that there may be an error in the code. The usage of a pointer returned from realloc(p,0) is suspicious, any bytes in the new object have indeterminate values also modifying the contents the returned memory is an error.
Zero size may be requested by reason of an error when the second parameter to realloc() is a variable.

ayartsev: //FWIW, this maybe should give the same warning as realloc(p,1); on a line by itself: namely…
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

I don't think we should be warning when free is called on the returned value from realloc(p,0). We should try and stay away from reporting issues that would lead to known false positives.

We could whitelist various ways the pointer could be dereferenced and warn on those or just not warn on realloc(p,0). (I think passing '0' to other allocation functions would not likely trigger false positives.)

Anton, what do you think?

zaks.anna: I don't think we should be warning when free is called on the returned value from realloc(p,0).
ayartsevAuthorUnsubmitted
Not Done
ReplyInline Actions

Currently we do not warn whether free() is called on the value returned from realloc(p, 0) or not. This is an old unmodified behavior.
The proposition is to warn if free() is *not* called on the returned value from realloc(p, 0) (other allocation functions as well) if the value is non-zero. May it is not a memory leak but I guess it may be some kind of a resource leak in case of a nonzero return because an information about a zero-allocated memory must be stored somewhere. Perhaps it is a good idea for a further enhancement.

We could whitelist various ways the pointer could be dereferenced and warn on those or just not warn on realloc(p,0). (I think passing '0' to other allocation functions would not likely trigger false positives.)
The usage of a pointer returned from a zero-allocation request is a matter of another potentional checker - ZeroAllocDereference which I plan to develop in the future. The goal of the current check is just to detect a zero-allocation. The current patch just moves '0 size allocation' check from unix.API to unix.Malloc with a small improvement - do not warn in the case when a pointer is not consumed. Perhaps as a next step it make sense to separate the check from the global unix.Malloc to a separate check - ZeroAlloc in order to make it switchable.

ayartsev: Currently we do not warn whether `free()` is called on the value returned from `realloc(p, 0)`…
} }
// ownership attributes tests // ownership attributes tests
void naf1() { void naf1() {
int *p = my_malloc3(12); int *p = my_malloc3(12);
return; // no-warning return; // no-warning
} }
▲ Show 20 LinesShow All 215 LinesShow Last 20 Lines

test/Analysis/malloc.c

// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s // RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.deadcode.UnreachableCode,alpha.core.CastSize,unix.Malloc,debug.ExprInspection -analyzer-store=region -verify %s
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
typedef __typeof(sizeof(int)) size_t; typedef __typeof(sizeof(int)) size_t;
void *alloca(size_t);
void *malloc(size_t); void *malloc(size_t);
void *valloc(size_t); void *valloc(size_t);
void free(void *); void free(void *);
void *realloc(void *ptr, size_t size); void *realloc(void *ptr, size_t size);
void *reallocf(void *ptr, size_t size); void *reallocf(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size); void *calloc(size_t nmemb, size_t size);
char *strdup(const char *s); char *strdup(const char *s);
char *strndup(const char *s, size_t n); char *strndup(const char *s, size_t n);
Show All 17 Lines
void f2_realloc_0() { void f2_realloc_0() {
int *p = malloc(12); int *p = malloc(12);
realloc(p,0); realloc(p,0);
realloc(p,0); // expected-warning{{Attempt to free released memory}} realloc(p,0); // expected-warning{{Attempt to free released memory}}
} }
void f2_realloc_1() { void f2_realloc_1() {
int *p = malloc(12); int *p = malloc(12);
int *q = realloc(p,0); // no-warning realloc(p,0); // no-warning
} }
void reallocNotNullPtr(unsigned sizeIn) { void reallocNotNullPtr(unsigned sizeIn) {
unsigned size = 12; unsigned size = 12;
char *p = (char*)malloc(size); char *p = (char*)malloc(size);
if (p) { if (p) {
char *q = (char*)realloc(p, sizeIn); char *q = (char*)realloc(p, sizeIn);
char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}} char x = *q; // expected-warning {{Potential leak of memory pointed to by 'q'}}
Show All 14 Lines if (!r) {
free(p); free(p);
} else { } else {
free(r); free(r);
} }
} }
void reallocSizeZero1() { void reallocSizeZero1() {
char *p = malloc(12); char *p = malloc(12);
char *r = realloc(p, 0); realloc(p, 0);
if (!r) {
free(p); // expected-warning {{Attempt to free released memory}}
} else {
free(r);
}
} }
void reallocSizeZero2() { void reallocSizeZero2() {
char *p = malloc(12); char *p = malloc(12);
char *r = realloc(p, 0); realloc(p, 0);
if (!r) {
free(p); // expected-warning {{Attempt to free released memory}}
} else {
free(r);
}
free(p); // expected-warning {{Attempt to free released memory}} free(p); // expected-warning {{Attempt to free released memory}}
} }
void reallocSizeZero3() { void reallocSizeZero3() {
char *p = malloc(12); realloc(0, 0);
char *r = realloc(p, 0);
free(r);
}
void reallocSizeZero4() {
char *r = realloc(0, 0);
free(r);
}
void reallocSizeZero5() {
char *r = realloc(0, 0);
} }
void reallocPtrZero1() { void reallocPtrZero1() {
char *r = realloc(0, 12); char *r = realloc(0, 12);
} // expected-warning {{Potential leak of memory pointed to by 'r'}} } // expected-warning {{Potential leak of memory pointed to by 'r'}}
void reallocPtrZero2() { void reallocPtrZero2() {
char *r = realloc(0, 12); char *r = realloc(0, 12);
▲ Show 20 LinesShow All 832 Lines▼ Show 20 Lines
void testStrdupContentIsDefined(const char *s, unsigned validIndex) { void testStrdupContentIsDefined(const char *s, unsigned validIndex) {
char *s2 = strdup(s); char *s2 = strdup(s);
char result = s2[1];// no warning char result = s2[1];// no warning
free(s2); free(s2);
} }
// ---------------------------------------------------------------------------- // ----------------------------------------------------------------------------
// Test zero-sized allocations.
zaks.annaUnsubmitted
Not Done
ReplyInline Actions

Could you add a couple of more interesting zero allocation tests (where we are not dealing with zero constant).

Theoretically, the inlined defensive checks could be a problem here, right?
(This is where the value is assumed to be zero by an inlined function, but known not be be zero in a caller.)

zaks.anna: Could you add a couple of more interesting zero allocation tests (where we are not dealing with…
ayartsevAuthorUnsubmitted
Not Done
ReplyInline Actions

Added a path-sensitive test (testMallocPathZero) and an additional tests for 'calloc' (testCalloc1Unknown2Zero - covers the case when the first parameter to 'calloc' is an UnknownVal).

Yes, but only with 'suppress-inlined-defensive-checks=false' given to analyzer.

ayartsev: Added a path-sensitive test (testMallocPathZero) and an additional tests for 'calloc'…
void testMallocZero() {
char* foo = malloc(0); // expected-warning{{Call to 'malloc()' has an allocation size of 0 bytes}}
free(foo);
}
void testMallocZeroNoWarn(size_t size) {
char* foo = malloc(size); // no-warning
free(foo);
}
void testMallocPathZero(int i) {
if (!i) {
char* foo = malloc(i); // expected-warning{{Call to 'malloc()' has an allocation size of 0 bytes}}
free(foo);
}
}
// Perform inline defensive check.
void idc(int i) {
if (i)
;
}
void testMallocIdc(int i) {
idc(i);
char* foo = malloc(i); // no-warning
free(foo);
}
void testCallocZero(void) {
char *foo = calloc(0, 0); // expected-warning{{Call to 'calloc()' has an allocation size of 0 bytes}}
free(foo);
}
void testCalloc1Zero(void) {
char *foo = calloc(0, 42); // expected-warning{{Call to 'calloc()' has an allocation size of 0 bytes}}
free(foo);
}
void testCalloc2Zero(void) {
char *foo = calloc(42, 0); // expected-warning{{Call to 'calloc()' has an allocation size of 0 bytes}}
free(foo);
}
void testCalloc1Unknown2Zero(int *i, int j) {
char *foo = calloc(*(i+j), 0); // expected-warning{{Call to 'calloc()' has an allocation size of 0 bytes}}
free(foo);
}
void testCallocZeroNoWarn(size_t nmemb, size_t size) {
char *foo = calloc(nmemb, size); // no-warning
free(foo);
}
void testReallocZero(char *ptr) {
char *foo = realloc(ptr, 0); // expected-warning{{Call to 'realloc()' has an allocation size of 0 bytes}}
free(foo);
}
void testReallocZeroNoWarn1(char *ptr) {
realloc(ptr, 0); // no-warning
}
void testReallocZeroNoWarn2(char *ptr, size_t size) {
char *foo = realloc(ptr, size); // no-warning
free(foo);
}
void testReallocfZero(char *ptr) {
char *foo = reallocf(ptr, 0); // expected-warning{{Call to 'reallocf()' has an allocation size of 0 bytes}}
free(foo);
}
void testReallocfZeroNoWarn1(char *ptr) {
reallocf(ptr, 0); // no-warning
}
void testReallocfZeroNoWarn2(char *ptr, size_t size) {
char *foo = reallocf(ptr, size); // no-warning
free(foo);
}
void testAllocaZero() {
char *foo = alloca(0); // expected-warning{{Call to 'alloca()' has an allocation size of 0 bytes}}
}
void testAllocaZeroNoWarn(size_t sz) {
char *foo = alloca(sz); // no-warning
}
void testBuiltinAllocaZero() {
char *foo2 = __builtin_alloca(0); // expected-warning{{Call to '__builtin_alloca()' has an allocation size of 0 bytes}}
}
void testBuiltinAllocaZeroNoWarn(size_t sz) {
char *foo2 = __builtin_alloca(sz); // no-warning
}
void testVallocZero() {
char *foo = valloc(0); // expected-warning{{Call to 'valloc()' has an allocation size of 0 bytes}}
free(foo);
}
void testVallocZeroNoWarn(size_t sz) {
char *foo = valloc(sz); // no-warning
free(foo);
}
// ----------------------------------------------------------------------------
// Test the system library functions to which the pointer can escape. // Test the system library functions to which the pointer can escape.
// This tests false positive suppression. // This tests false positive suppression.
// For now, we assume memory passed to pthread_specific escapes. // For now, we assume memory passed to pthread_specific escapes.
// TODO: We could check that if a new pthread binding is set, the existing // TODO: We could check that if a new pthread binding is set, the existing
// binding must be freed; otherwise, a memory leak can occur. // binding must be freed; otherwise, a memory leak can occur.
void testPthereadSpecificEscape(pthread_key_t key) { void testPthereadSpecificEscape(pthread_key_t key) {
void *buf = malloc(12); void *buf = malloc(12);
▲ Show 20 LinesShow All 574 LinesShow Last 20 Lines

test/Analysis/unix-fns.c

// RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-checker=core,unix.API,osx.API %s -analyzer-store=region -analyzer-output=plist -analyzer-eagerly-assume -analyzer-config faux-bodies=true -analyzer-config path-diagnostics-alternate=false -fblocks -verify -o %t.plist // RUN: %clang_cc1 -triple x86_64-apple-darwin10 -analyze -analyzer-checker=core,unix.API,osx.API,unix.Malloc %s -analyzer-store=region -analyzer-output=plist -analyzer-eagerly-assume -analyzer-config faux-bodies=true -analyzer-config path-diagnostics-alternate=false -fblocks -verify -o %t.plist
// RUN: FileCheck --input-file=%t.plist %s // RUN: FileCheck --input-file=%t.plist %s
// RUN: mkdir -p %t.dir // RUN: mkdir -p %t.dir
// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.API,osx.API -analyzer-output=html -analyzer-config faux-bodies=true -fblocks -o %t.dir %s // RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.API,osx.API,unix.Malloc -analyzer-output=html -analyzer-config faux-bodies=true -fblocks -o %t.dir %s
// RUN: rm -fR %t.dir // RUN: rm -fR %t.dir
struct _opaque_pthread_once_t { struct _opaque_pthread_once_t {
long __sig; long __sig;
char __opaque[8]; char __opaque[8];
}; };
typedef struct _opaque_pthread_once_t __darwin_pthread_once_t; typedef struct _opaque_pthread_once_t __darwin_pthread_once_t;
typedef __darwin_pthread_once_t pthread_once_t; typedef __darwin_pthread_once_t pthread_once_t;
int pthread_once(pthread_once_t *, void (*)(void)); int pthread_once(pthread_once_t *, void (*)(void));
▲ Show 20 LinesShow All 61 Lines▼ Show 20 Lines
} }
void test_pthread_once_neg() { void test_pthread_once_neg() {
static pthread_once_t pred = {0x30B1BCBA, {0}}; static pthread_once_t pred = {0x30B1BCBA, {0}};
pthread_once(&pred, test_pthread_once_aux); // no-warning pthread_once(&pred, test_pthread_once_aux); // no-warning
} }
// PR 2899 - warn of zero-sized allocations to malloc(). // PR 2899 - warn of zero-sized allocations to malloc().
void pr2899() { void pr2899() {
char* foo = malloc(0); // expected-warning{{Call to 'malloc' has an allocation size of 0 bytes}} char* foo = malloc(0); // expected-warning{{Call to 'malloc()' has an allocation size of 0 bytes}}
for (unsigned i = 0; i < 100; i++) { for (unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void pr2899_nowarn(size_t size) { void pr2899_nowarn(size_t size) {
char* foo = malloc(size); // no-warning char* foo = malloc(size); // no-warning
for (unsigned i = 0; i < 100; i++) { for (unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void test_calloc(void) { void test_calloc(void) {
char *foo = calloc(0, 42); // expected-warning{{Call to 'calloc' has an allocation size of 0 bytes}} char *foo = calloc(0, 42); // expected-warning{{Call to 'calloc()' has an allocation size of 0 bytes}}
for (unsigned i = 0; i < 100; i++) { for (unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void test_calloc2(void) { void test_calloc2(void) {
char *foo = calloc(42, 0); // expected-warning{{Call to 'calloc' has an allocation size of 0 bytes}} char *foo = calloc(42, 0); // expected-warning{{Call to 'calloc()' has an allocation size of 0 bytes}}
for (unsigned i = 0; i < 100; i++) { for (unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void test_calloc_nowarn(size_t nmemb, size_t size) { void test_calloc_nowarn(size_t nmemb, size_t size) {
char *foo = calloc(nmemb, size); // no-warning char *foo = calloc(nmemb, size); // no-warning
for (unsigned i = 0; i < 100; i++) { for (unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void test_realloc(char *ptr) { void test_realloc(char *ptr) {
char *foo = realloc(ptr, 0); // expected-warning{{Call to 'realloc' has an allocation size of 0 bytes}} char *foo = realloc(ptr, 0); // expected-warning{{Call to 'realloc()' has an allocation size of 0 bytes}}
for (unsigned i = 0; i < 100; i++) { for (unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void test_reallocf(char *ptr) { void test_reallocf(char *ptr) {
char *foo = reallocf(ptr, 0); // expected-warning{{Call to 'reallocf' has an allocation size of 0 bytes}} char *foo = reallocf(ptr, 0); // expected-warning{{Call to 'reallocf()' has an allocation size of 0 bytes}}
for (unsigned i = 0; i < 100; i++) { for (unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void test_realloc_nowarn(char *ptr, size_t size) { void test_realloc_nowarn(char *ptr, size_t size) {
char *foo = realloc(ptr, size); // no-warning char *foo = realloc(ptr, size); // no-warning
for (unsigned i = 0; i < 100; i++) { for (unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void test_reallocf_nowarn(char *ptr, size_t size) { void test_reallocf_nowarn(char *ptr, size_t size) {
char *foo = reallocf(ptr, size); // no-warning char *foo = reallocf(ptr, size); // no-warning
for (unsigned i = 0; i < 100; i++) { for (unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void test_alloca() { void test_alloca() {
char *foo = alloca(0); // expected-warning{{Call to 'alloca' has an allocation size of 0 bytes}} char *foo = alloca(0); // expected-warning{{Call to 'alloca()' has an allocation size of 0 bytes}}
for(unsigned i = 0; i < 100; i++) { for(unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void test_alloca_nowarn(size_t sz) { void test_alloca_nowarn(size_t sz) {
char *foo = alloca(sz); // no-warning char *foo = alloca(sz); // no-warning
for(unsigned i = 0; i < 100; i++) { for(unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void test_builtin_alloca() { void test_builtin_alloca() {
char *foo2 = __builtin_alloca(0); // expected-warning{{Call to 'alloca' has an allocation size of 0 bytes}} char *foo2 = __builtin_alloca(0); // expected-warning{{Call to '__builtin_alloca()' has an allocation size of 0 bytes}}
for(unsigned i = 0; i < 100; i++) { for(unsigned i = 0; i < 100; i++) {
foo2[i] = 0; foo2[i] = 0;
} }
} }
void test_builtin_alloca_nowarn(size_t sz) { void test_builtin_alloca_nowarn(size_t sz) {
char *foo2 = __builtin_alloca(sz); // no-warning char *foo2 = __builtin_alloca(sz); // no-warning
for(unsigned i = 0; i < 100; i++) { for(unsigned i = 0; i < 100; i++) {
foo2[i] = 0; foo2[i] = 0;
} }
} }
void test_valloc() { void test_valloc() {
char *foo = valloc(0); // expected-warning{{Call to 'valloc' has an allocation size of 0 bytes}} char *foo = valloc(0); // expected-warning{{Call to 'valloc()' has an allocation size of 0 bytes}}
for(unsigned i = 0; i < 100; i++) { for(unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
} }
} }
void test_valloc_nowarn(size_t sz) { void test_valloc_nowarn(size_t sz) {
char *foo = valloc(sz); // no-warning char *foo = valloc(sz); // no-warning
for(unsigned i = 0; i < 100; i++) { for(unsigned i = 0; i < 100; i++) {
foo[i] = 0; foo[i] = 0;
▲ Show 20 LinesShow All 532 Lines▼ Show 20 Lines
// CHECK-NEXT: <key>line</key><integer>82</integer> // CHECK-NEXT: <key>line</key><integer>82</integer>
// CHECK-NEXT: <key>col</key><integer>22</integer> // CHECK-NEXT: <key>col</key><integer>22</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>depth</key><integer>0</integer> // CHECK-NEXT: <key>depth</key><integer>0</integer>
// CHECK-NEXT: <key>extended_message</key> // CHECK-NEXT: <key>extended_message</key>
// CHECK-NEXT: <string>Call to &apos;malloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;malloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>message</key> // CHECK-NEXT: <key>message</key>
// CHECK-NEXT: <string>Call to &apos;malloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;malloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>description</key><string>Call to &apos;malloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <key>description</key><string>Call to &apos;malloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>category</key><string>Unix API</string> // CHECK-NEXT: <key>category</key><string>Memory Error</string>
// CHECK-NEXT: <key>type</key><string>Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)</string> // CHECK-NEXT: <key>type</key><string>Zero allocation</string>
// CHECK-NEXT: <key>issue_context_kind</key><string>function</string> // CHECK-NEXT: <key>issue_context_kind</key><string>function</string>
// CHECK-NEXT: <key>issue_context</key><string>pr2899</string> // CHECK-NEXT: <key>issue_context</key><string>pr2899</string>
// CHECK-NEXT: <key>issue_hash</key><string>1</string> // CHECK-NEXT: <key>issue_hash</key><string>1</string>
// CHECK-NEXT: <key>location</key> // CHECK-NEXT: <key>location</key>
// CHECK-NEXT: <dict> // CHECK-NEXT: <dict>
// CHECK-NEXT: <key>line</key><integer>82</integer> // CHECK-NEXT: <key>line</key><integer>82</integer>
// CHECK-NEXT: <key>col</key><integer>15</integer> // CHECK-NEXT: <key>col</key><integer>15</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines
// CHECK-NEXT: <key>line</key><integer>94</integer> // CHECK-NEXT: <key>line</key><integer>94</integer>
// CHECK-NEXT: <key>col</key><integer>22</integer> // CHECK-NEXT: <key>col</key><integer>22</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>depth</key><integer>0</integer> // CHECK-NEXT: <key>depth</key><integer>0</integer>
// CHECK-NEXT: <key>extended_message</key> // CHECK-NEXT: <key>extended_message</key>
// CHECK-NEXT: <string>Call to &apos;calloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;calloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>message</key> // CHECK-NEXT: <key>message</key>
// CHECK-NEXT: <string>Call to &apos;calloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;calloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>description</key><string>Call to &apos;calloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <key>description</key><string>Call to &apos;calloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>category</key><string>Unix API</string> // CHECK-NEXT: <key>category</key><string>Memory Error</string>
// CHECK-NEXT: <key>type</key><string>Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)</string> // CHECK-NEXT: <key>type</key><string>Zero allocation</string>
// CHECK-NEXT: <key>issue_context_kind</key><string>function</string> // CHECK-NEXT: <key>issue_context_kind</key><string>function</string>
// CHECK-NEXT: <key>issue_context</key><string>test_calloc</string> // CHECK-NEXT: <key>issue_context</key><string>test_calloc</string>
// CHECK-NEXT: <key>issue_hash</key><string>1</string> // CHECK-NEXT: <key>issue_hash</key><string>1</string>
// CHECK-NEXT: <key>location</key> // CHECK-NEXT: <key>location</key>
// CHECK-NEXT: <dict> // CHECK-NEXT: <dict>
// CHECK-NEXT: <key>line</key><integer>94</integer> // CHECK-NEXT: <key>line</key><integer>94</integer>
// CHECK-NEXT: <key>col</key><integer>15</integer> // CHECK-NEXT: <key>col</key><integer>15</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines
// CHECK-NEXT: <key>line</key><integer>100</integer> // CHECK-NEXT: <key>line</key><integer>100</integer>
// CHECK-NEXT: <key>col</key><integer>26</integer> // CHECK-NEXT: <key>col</key><integer>26</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>depth</key><integer>0</integer> // CHECK-NEXT: <key>depth</key><integer>0</integer>
// CHECK-NEXT: <key>extended_message</key> // CHECK-NEXT: <key>extended_message</key>
// CHECK-NEXT: <string>Call to &apos;calloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;calloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>message</key> // CHECK-NEXT: <key>message</key>
// CHECK-NEXT: <string>Call to &apos;calloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;calloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>description</key><string>Call to &apos;calloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <key>description</key><string>Call to &apos;calloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>category</key><string>Unix API</string> // CHECK-NEXT: <key>category</key><string>Memory Error</string>
// CHECK-NEXT: <key>type</key><string>Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)</string> // CHECK-NEXT: <key>type</key><string>Zero allocation</string>
// CHECK-NEXT: <key>issue_context_kind</key><string>function</string> // CHECK-NEXT: <key>issue_context_kind</key><string>function</string>
// CHECK-NEXT: <key>issue_context</key><string>test_calloc2</string> // CHECK-NEXT: <key>issue_context</key><string>test_calloc2</string>
// CHECK-NEXT: <key>issue_hash</key><string>1</string> // CHECK-NEXT: <key>issue_hash</key><string>1</string>
// CHECK-NEXT: <key>location</key> // CHECK-NEXT: <key>location</key>
// CHECK-NEXT: <dict> // CHECK-NEXT: <dict>
// CHECK-NEXT: <key>line</key><integer>100</integer> // CHECK-NEXT: <key>line</key><integer>100</integer>
// CHECK-NEXT: <key>col</key><integer>15</integer> // CHECK-NEXT: <key>col</key><integer>15</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines
// CHECK-NEXT: <key>line</key><integer>112</integer> // CHECK-NEXT: <key>line</key><integer>112</integer>
// CHECK-NEXT: <key>col</key><integer>28</integer> // CHECK-NEXT: <key>col</key><integer>28</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>depth</key><integer>0</integer> // CHECK-NEXT: <key>depth</key><integer>0</integer>
// CHECK-NEXT: <key>extended_message</key> // CHECK-NEXT: <key>extended_message</key>
// CHECK-NEXT: <string>Call to &apos;realloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;realloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>message</key> // CHECK-NEXT: <key>message</key>
// CHECK-NEXT: <string>Call to &apos;realloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;realloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>description</key><string>Call to &apos;realloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <key>description</key><string>Call to &apos;realloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>category</key><string>Unix API</string> // CHECK-NEXT: <key>category</key><string>Memory Error</string>
// CHECK-NEXT: <key>type</key><string>Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)</string> // CHECK-NEXT: <key>type</key><string>Zero allocation</string>
// CHECK-NEXT: <key>issue_context_kind</key><string>function</string> // CHECK-NEXT: <key>issue_context_kind</key><string>function</string>
// CHECK-NEXT: <key>issue_context</key><string>test_realloc</string> // CHECK-NEXT: <key>issue_context</key><string>test_realloc</string>
// CHECK-NEXT: <key>issue_hash</key><string>1</string> // CHECK-NEXT: <key>issue_hash</key><string>1</string>
// CHECK-NEXT: <key>location</key> // CHECK-NEXT: <key>location</key>
// CHECK-NEXT: <dict> // CHECK-NEXT: <dict>
// CHECK-NEXT: <key>line</key><integer>112</integer> // CHECK-NEXT: <key>line</key><integer>112</integer>
// CHECK-NEXT: <key>col</key><integer>15</integer> // CHECK-NEXT: <key>col</key><integer>15</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines
// CHECK-NEXT: <key>line</key><integer>118</integer> // CHECK-NEXT: <key>line</key><integer>118</integer>
// CHECK-NEXT: <key>col</key><integer>29</integer> // CHECK-NEXT: <key>col</key><integer>29</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>depth</key><integer>0</integer> // CHECK-NEXT: <key>depth</key><integer>0</integer>
// CHECK-NEXT: <key>extended_message</key> // CHECK-NEXT: <key>extended_message</key>
// CHECK-NEXT: <string>Call to &apos;reallocf&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;reallocf()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>message</key> // CHECK-NEXT: <key>message</key>
// CHECK-NEXT: <string>Call to &apos;reallocf&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;reallocf()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>description</key><string>Call to &apos;reallocf&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <key>description</key><string>Call to &apos;reallocf()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>category</key><string>Unix API</string> // CHECK-NEXT: <key>category</key><string>Memory Error</string>
// CHECK-NEXT: <key>type</key><string>Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)</string> // CHECK-NEXT: <key>type</key><string>Zero allocation</string>
// CHECK-NEXT: <key>issue_context_kind</key><string>function</string> // CHECK-NEXT: <key>issue_context_kind</key><string>function</string>
// CHECK-NEXT: <key>issue_context</key><string>test_reallocf</string> // CHECK-NEXT: <key>issue_context</key><string>test_reallocf</string>
// CHECK-NEXT: <key>issue_hash</key><string>1</string> // CHECK-NEXT: <key>issue_hash</key><string>1</string>
// CHECK-NEXT: <key>location</key> // CHECK-NEXT: <key>location</key>
// CHECK-NEXT: <dict> // CHECK-NEXT: <dict>
// CHECK-NEXT: <key>line</key><integer>118</integer> // CHECK-NEXT: <key>line</key><integer>118</integer>
// CHECK-NEXT: <key>col</key><integer>15</integer> // CHECK-NEXT: <key>col</key><integer>15</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines
// CHECK-NEXT: <key>line</key><integer>136</integer> // CHECK-NEXT: <key>line</key><integer>136</integer>
// CHECK-NEXT: <key>col</key><integer>22</integer> // CHECK-NEXT: <key>col</key><integer>22</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>depth</key><integer>0</integer> // CHECK-NEXT: <key>depth</key><integer>0</integer>
// CHECK-NEXT: <key>extended_message</key> // CHECK-NEXT: <key>extended_message</key>
// CHECK-NEXT: <string>Call to &apos;alloca&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;alloca()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>message</key> // CHECK-NEXT: <key>message</key>
// CHECK-NEXT: <string>Call to &apos;alloca&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;alloca()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>description</key><string>Call to &apos;alloca&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <key>description</key><string>Call to &apos;alloca()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>category</key><string>Unix API</string> // CHECK-NEXT: <key>category</key><string>Memory Error</string>
// CHECK-NEXT: <key>type</key><string>Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)</string> // CHECK-NEXT: <key>type</key><string>Zero allocation</string>
// CHECK-NEXT: <key>issue_context_kind</key><string>function</string> // CHECK-NEXT: <key>issue_context_kind</key><string>function</string>
// CHECK-NEXT: <key>issue_context</key><string>test_alloca</string> // CHECK-NEXT: <key>issue_context</key><string>test_alloca</string>
// CHECK-NEXT: <key>issue_hash</key><string>1</string> // CHECK-NEXT: <key>issue_hash</key><string>1</string>
// CHECK-NEXT: <key>location</key> // CHECK-NEXT: <key>location</key>
// CHECK-NEXT: <dict> // CHECK-NEXT: <dict>
// CHECK-NEXT: <key>line</key><integer>136</integer> // CHECK-NEXT: <key>line</key><integer>136</integer>
// CHECK-NEXT: <key>col</key><integer>15</integer> // CHECK-NEXT: <key>col</key><integer>15</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines
// CHECK-NEXT: <key>line</key><integer>148</integer> // CHECK-NEXT: <key>line</key><integer>148</integer>
// CHECK-NEXT: <key>col</key><integer>33</integer> // CHECK-NEXT: <key>col</key><integer>33</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>depth</key><integer>0</integer> // CHECK-NEXT: <key>depth</key><integer>0</integer>
// CHECK-NEXT: <key>extended_message</key> // CHECK-NEXT: <key>extended_message</key>
// CHECK-NEXT: <string>Call to &apos;alloca&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;__builtin_alloca()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>message</key> // CHECK-NEXT: <key>message</key>
// CHECK-NEXT: <string>Call to &apos;alloca&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;__builtin_alloca()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>description</key><string>Call to &apos;alloca&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <key>description</key><string>Call to &apos;__builtin_alloca()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>category</key><string>Unix API</string> // CHECK-NEXT: <key>category</key><string>Memory Error</string>
// CHECK-NEXT: <key>type</key><string>Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)</string> // CHECK-NEXT: <key>type</key><string>Zero allocation</string>
// CHECK-NEXT: <key>issue_context_kind</key><string>function</string> // CHECK-NEXT: <key>issue_context_kind</key><string>function</string>
// CHECK-NEXT: <key>issue_context</key><string>test_builtin_alloca</string> // CHECK-NEXT: <key>issue_context</key><string>test_builtin_alloca</string>
// CHECK-NEXT: <key>issue_hash</key><string>1</string> // CHECK-NEXT: <key>issue_hash</key><string>1</string>
// CHECK-NEXT: <key>location</key> // CHECK-NEXT: <key>location</key>
// CHECK-NEXT: <dict> // CHECK-NEXT: <dict>
// CHECK-NEXT: <key>line</key><integer>148</integer> // CHECK-NEXT: <key>line</key><integer>148</integer>
// CHECK-NEXT: <key>col</key><integer>16</integer> // CHECK-NEXT: <key>col</key><integer>16</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines
// CHECK-NEXT: <key>line</key><integer>160</integer> // CHECK-NEXT: <key>line</key><integer>160</integer>
// CHECK-NEXT: <key>col</key><integer>22</integer> // CHECK-NEXT: <key>col</key><integer>22</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>depth</key><integer>0</integer> // CHECK-NEXT: <key>depth</key><integer>0</integer>
// CHECK-NEXT: <key>extended_message</key> // CHECK-NEXT: <key>extended_message</key>
// CHECK-NEXT: <string>Call to &apos;valloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;valloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>message</key> // CHECK-NEXT: <key>message</key>
// CHECK-NEXT: <string>Call to &apos;valloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <string>Call to &apos;valloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: </dict> // CHECK-NEXT: </dict>
// CHECK-NEXT: </array> // CHECK-NEXT: </array>
// CHECK-NEXT: <key>description</key><string>Call to &apos;valloc&apos; has an allocation size of 0 bytes</string> // CHECK-NEXT: <key>description</key><string>Call to &apos;valloc()&apos; has an allocation size of 0 bytes</string>
// CHECK-NEXT: <key>category</key><string>Unix API</string> // CHECK-NEXT: <key>category</key><string>Memory Error</string>
// CHECK-NEXT: <key>type</key><string>Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)</string> // CHECK-NEXT: <key>type</key><string>Zero allocation</string>
// CHECK-NEXT: <key>issue_context_kind</key><string>function</string> // CHECK-NEXT: <key>issue_context_kind</key><string>function</string>
// CHECK-NEXT: <key>issue_context</key><string>test_valloc</string> // CHECK-NEXT: <key>issue_context</key><string>test_valloc</string>
// CHECK-NEXT: <key>issue_hash</key><string>1</string> // CHECK-NEXT: <key>issue_hash</key><string>1</string>
// CHECK-NEXT: <key>location</key> // CHECK-NEXT: <key>location</key>
// CHECK-NEXT: <dict> // CHECK-NEXT: <dict>
// CHECK-NEXT: <key>line</key><integer>160</integer> // CHECK-NEXT: <key>line</key><integer>160</integer>
// CHECK-NEXT: <key>col</key><integer>15</integer> // CHECK-NEXT: <key>col</key><integer>15</integer>
// CHECK-NEXT: <key>file</key><integer>0</integer> // CHECK-NEXT: <key>file</key><integer>0</integer>
▲ Show 20 LinesShow All 875 LinesShow Last 20 Lines