This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/lib/StaticAnalyzer/Checkers/
-
lib/
-
StaticAnalyzer/
-
Checkers/
1
MallocChecker.cpp

Differential D63093

[analyzer] WIP: MallocChecker: Release temporary CXXNewExpr
AbandonedPublic

Authored by Charusso on Jun 10 2019, 1:10 PM.

Download Raw Diff

Details

Reviewers

NoQ
xazax.hun
ravikandhadai
baloghadamsoftware
Szelethus

Summary

Diff Detail

Event Timeline

Charusso created this revision.Jun 10 2019, 1:10 PM

Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 4 others. · View Herald TranscriptJun 10 2019, 1:10 PM

This is heavily WIP as sometimes we have to release a new after we return it or a constructor did something with that. The direction is okay?

In such cases i recommend starting with writing down a test. Like in TDD: first test, then code.

The general direction doesn't seem reasonable to me; it introduces some pattern-matching for a specific scenario, but it's unclear why is this scenario a problem on its own. We might eventually do something similar, but I recommend fully debugging the false positive - i.e., understanding what exactly is wrong with it, before picking a suppression mechanism.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1119–1122	I think it's clearly too early for marking the pointer as released. I.e., what about: auto x = std::shared_ptr(new int); // the pointer is marked as released use(x.get()); // use-after-free???

The seen error solved by D63720.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

MallocChecker.cpp

55 lines

Diff 203885

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 Lines • Show All 150 Lines • ▼ Show 20 Lines	struct ReallocPair {
bool operator==(const ReallocPair &X) const {		bool operator==(const ReallocPair &X) const {
return ReallocatedSym == X.ReallocatedSym &&		return ReallocatedSym == X.ReallocatedSym &&
Kind == X.Kind;		Kind == X.Kind;
}		}
};		};

typedef std::pair<const ExplodedNode, const MemRegion> LeakInfo;		typedef std::pair<const ExplodedNode, const MemRegion> LeakInfo;

class MallocChecker : public Checker<check::DeadSymbols,		class MallocChecker
check::PointerEscape,		: public Checker<check::DeadSymbols, check::PointerEscape,
check::ConstPointerEscape,		check::ConstPointerEscape, check::PreStmt<ReturnStmt>,
check::PreStmt<ReturnStmt>,		check::EndFunction, check::PreCall,
check::EndFunction,		check::PostStmt<CallExpr>, check::PostStmt<CXXNewExpr>,
check::PreCall,		check::PostStmt<CXXBindTemporaryExpr>, check::NewAllocator,
check::PostStmt<CallExpr>,		check::PreStmt<CXXDeleteExpr>, check::PostStmt<BlockExpr>,
check::PostStmt<CXXNewExpr>,		check::PostObjCMessage, check::Location, eval::Assume> {
check::NewAllocator,
check::PreStmt<CXXDeleteExpr>,
check::PostStmt<BlockExpr>,
check::PostObjCMessage,
check::Location,
eval::Assume>
{
public:		public:
MallocChecker()		MallocChecker()
: II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr),		: II_alloca(nullptr), II_win_alloca(nullptr), II_malloc(nullptr),
II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr),		II_free(nullptr), II_realloc(nullptr), II_calloc(nullptr),
II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr),		II_valloc(nullptr), II_reallocf(nullptr), II_strndup(nullptr),
II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr),		II_strdup(nullptr), II_win_strdup(nullptr), II_kmalloc(nullptr),
II_if_nameindex(nullptr), II_if_freenameindex(nullptr),		II_if_nameindex(nullptr), II_if_freenameindex(nullptr),
II_wcsdup(nullptr), II_win_wcsdup(nullptr), II_g_malloc(nullptr),		II_wcsdup(nullptr), II_win_wcsdup(nullptr), II_g_malloc(nullptr),
Show All 24 Lines	public:
DefaultBool IsOptimistic;		DefaultBool IsOptimistic;

DefaultBool ChecksEnabled[CK_NumCheckKinds];		DefaultBool ChecksEnabled[CK_NumCheckKinds];
CheckName CheckNames[CK_NumCheckKinds];		CheckName CheckNames[CK_NumCheckKinds];

void checkPreCall(const CallEvent &Call, CheckerContext &C) const;		void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;		void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;		void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
		void checkPostStmt(const CXXBindTemporaryExpr *BTE, CheckerContext &C) const;
void checkNewAllocator(const CXXNewExpr *NE, SVal Target,		void checkNewAllocator(const CXXNewExpr *NE, SVal Target,
CheckerContext &C) const;		CheckerContext &C) const;
void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;		void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;		void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;		void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;		void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;		void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;		void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
▲ Show 20 Lines • Show All 262 Lines • ▼ Show 20 Lines	public:

inline bool isReleased(const RefState S, const RefState SPrev,		inline bool isReleased(const RefState S, const RefState SPrev,
const Stmt *Stmt) {		const Stmt *Stmt) {
// Did not track -> released. Other state (allocated) -> released.		// Did not track -> released. Other state (allocated) -> released.
// The statement associated with the release might be missing.		// The statement associated with the release might be missing.
bool IsReleased = (S && S->isReleased()) &&		bool IsReleased = (S && S->isReleased()) &&
(!SPrev \|\| !SPrev->isReleased());		(!SPrev \|\| !SPrev->isReleased());
assert(!IsReleased \|\|		assert(!IsReleased \|\|
(Stmt && (isa<CallExpr>(Stmt) \|\| isa<CXXDeleteExpr>(Stmt))) \|\|		(Stmt && (isa<CallExpr>(Stmt) \|\| isa<CXXDeleteExpr>(Stmt) \|\|
		isa<CXXBindTemporaryExpr>(Stmt))) \|\|
(!Stmt && S->getAllocationFamily() == AF_InnerBuffer));		(!Stmt && S->getAllocationFamily() == AF_InnerBuffer));
return IsReleased;		return IsReleased;
}		}

inline bool isRelinquished(const RefState S, const RefState SPrev,		inline bool isRelinquished(const RefState S, const RefState SPrev,
const Stmt *Stmt) {		const Stmt *Stmt) {
// Did not track -> relinquished. Other state (allocated) -> relinquished.		// Did not track -> relinquished. Other state (allocated) -> relinquished.
return (Stmt && (isa<CallExpr>(Stmt) \|\| isa<ObjCMessageExpr>(Stmt) \|\|		return (Stmt && (isa<CallExpr>(Stmt) \|\| isa<ObjCMessageExpr>(Stmt) \|\|
▲ Show 20 Lines • Show All 597 Lines • ▼ Show 20 Lines
}		}

void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target,		void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target,
CheckerContext &C) const {		CheckerContext &C) const {
if (!C.wasInlined)		if (!C.wasInlined)
processNewAllocation(NE, C, Target);		processNewAllocation(NE, C, Target);
}		}

		void MallocChecker::checkPostStmt(const CXXBindTemporaryExpr *BTE,
		CheckerContext &C) const {
		if (const auto *CE = dyn_cast<CXXConstructExpr>(BTE->getSubExpr())) {
		if (CE->getNumArgs() == 0)
		return;

		// If we catch a 'CXXNewExpr' set it is released as it is temporary.
		if (const auto *NE = dyn_cast<CXXNewExpr>(CE->getArg(0))) {
		ProgramStateRef State = C.getState();
		Optional<SVal> RetVal = C.getSVal(NE);

		SymbolRef Sym = RetVal->getAsLocSymbol();
		assert(Sym);

		if (const RefState *RS = State->get<RegionState>(Sym))
		if (RS->isReleased())
		return;

		// Set the symbol's state to Released.
		State = State->set<RegionState>(
		Sym, RefState::getReleased(NE->isArray() ? AF_CXXNewArray : AF_CXXNew,
		NE));
		NoQUnsubmitted Not Done Reply Inline Actions I think it's clearly too early for marking the pointer as released. I.e., what about: auto x = std::shared_ptr(new int); // the pointer is marked as released use(x.get()); // use-after-free??? NoQ: I think it's clearly too early for marking the pointer as released. I.e., what about…

		C.addTransition(State);
		}
		}
		}

// Sets the extent value of the MemRegion allocated by		// Sets the extent value of the MemRegion allocated by
// new expression NE to its size in Bytes.		// new expression NE to its size in Bytes.
//		//
ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,		ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
const CXXNewExpr *NE,		const CXXNewExpr *NE,
ProgramStateRef State,		ProgramStateRef State,
SVal Target) {		SVal Target) {
if (!State)		if (!State)
▲ Show 20 Lines • Show All 2,009 Lines • Show Last 20 Lines