This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/lib/StaticAnalyzer/Checkers/
-
lib/
-
StaticAnalyzer/
-
Checkers/
24/24
MallocChecker.cpp

Differential D68165

[analyzer][MallocChecker][NFC] Split checkPostCall up, deploy CallDescriptionMap
ClosedPublic

Authored by Szelethus on Sep 27 2019, 3:18 PM.

Download Raw Diff

Details

Reviewers

NoQ
xazax.hun
rnkovacs
Charusso
baloghadamsoftware
dcoughlin
balazske

Commits

rG703a1b8caf09: [analyzer][MallocChecker][NFC] Split checkPostCall up, deploy CallDescriptionMap

Summary

Since its important to know whether a function frees memory (even if its a reallocating function!), I used two CallDescriptionMaps to merge all CallDescriptions into it. MemFunctionInfoTy no longer makes sense, it may never have, but for now, it would be more of a distraction then anything else.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

Szelethus created this revision.Sep 27 2019, 3:18 PM

Herald added subscribers: cfe-commits, gamesh411, dkrupp and 5 others. · View Herald TranscriptSep 27 2019, 3:18 PM

Szelethus added a parent revision: D68163: [analyzer][MallocChecker][NFC] Change the use of IdentifierInfo* to CallDescription.Sep 27 2019, 3:18 PM

Szelethus marked 2 inline comments as done.Sep 27 2019, 3:23 PM

Szelethus added inline comments.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
900–902	It may be more precise to call this `isCMemCall`, because that's the question it answers.
1488	Ugh, no idea whats happening here, I'll be honest. I sweat to dig a bit deeper to find out, though I didn't want to bother delaying the publishing this patch for a feature not documented, or used anywhere.

NoQ marked an inline comment as done.Sep 27 2019, 6:42 PM

NoQ added inline comments.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
378–379	Whenever i see a (`CE`, `State`) pair, it screams `CallEvent` to me. That said, i'm worried that `State` in these callbacks isn't necessarily equal to `C.getState()` (the latter, by the way, is always equal to the `CallEvent`'s `.getState()` - that's a relief, right?), so if you'll ever be in the mood to check that, that'd be great :)
397–398	I think `alloca` deserves `CDF_MaybeBuiltin`. This would also probably allow you to remove the second line.
402–404	These are also builtins.
407–408	And these too.
1488	I think this is about the (lack of) support for `__attribute__((malloc))`.

Szelethus marked 2 inline comments as done.Sep 28 2019, 4:51 AM

Szelethus added inline comments.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
378–379	It should be always equal to it. I'll change it.
397–398	Actually, `BuiltinFunctionChecker` uses `evalCall` to create an `AllocaRegion` for `__builtin_alloca`. I spent an hour when writing this patch to track a crash down when I initially made this `CDF_MaybeBuiltin` :)

NoQ added inline comments.Sep 28 2019, 7:46 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
397–398	Oh misery.

Szelethus mentioned this in D67706: [clang][analyzer] Using CallDescription in StreamChecker..Oct 1 2019, 4:12 AM

Szelethus marked 5 inline comments as done.Oct 2 2019, 2:38 AM

Szelethus added inline comments.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
378–379	Hmmm, I tried making this take a (`CallEvent`, `CheckerContext`), but it bloated the code for little gain, since every handler function would start with the retrieval of the state and the call expression. That said, I could cascade these down to `FreeMemAux`, `MallocMemAux`, etc, to also take this pair instead, but I'll be honest, I don't see point until something actually breaks.

Rebase.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1488	This should be an NFC change, and this part of the code will have to be rewritten anyways if we want a more serious annotation guided analysis.

baloghadamsoftware added inline comments.Oct 3 2019, 7:33 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
378–379	This is the standard way in the checkers: almost every handler function starts with the retrieval of the state from the `CheckerContext`. The only reason for an extra `State` parameter is that sometimes we create more states in the lower level functions but only add the final one to the `CheckerContext` as a new transition. Does something like this happen here?
887	Maybe `return !!FreeingMemFnMap.lookup(Call)`?
901	Same here: why not just `return FreeingMemFnMap.lookup(Call) \|\| NonFreeingMemFn.lookup(Call)`?

I think my strdup comments weren't addressed >.<

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
378–379	I agree with @baloghadamsoftware here. If you pass `State` explicitly, it looks like an indication for the reader that this `State` may be different from `C.getState()`. If in practice they're the same, i'd rather do `C.getState()` in every method than confuse the reader. Also do you remember what makes us query `CallExpr` so often? Given that `CallEvent` includes `CallExpr`, we should be able to expose everything we need as `CallEvent` methods. Say, we should be able to replace `MallocMemAux(C, CE, CE->getArg(0), ...)` with `MallocMemAux(C, Call, Call.getArgExpr(0), ...)` and only do `Call.getOriginExpr()` once when we report a bug.

baloghadamsoftware added inline comments.Nov 29 2019, 7:55 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
887	I think the code changed after I wrote this comment, it is not valid anymore.
901	Here as well. Disregard these comments.

Szelethus mentioned this in D71524: [analyzer] Support tainted objects in GenericTaintChecker.Feb 5 2020, 7:14 AM

I've spent a lot of time on this code, and I don't think it'd be a great idea to do everything in a single step. Collapsing CallExpr, ProgramState into CallEvent is a shockingly a non-trivial task. While I'm happy to not commit this patch before uploading a solution to that problem, I'd prefer (and I think you would too!) to do them in followup patches.

The point of this revision was to drop in CallDescriptionMap -- I like to think that it introduces no new problems, it just doesn't solve many existing ones :^)

edit: I will soon address the inlines and other comments with an update

Herald added subscribers: martong, steakhal. · View Herald TranscriptMar 1 2020, 8:43 AM

Address inlines.

Szelethus marked 4 inline comments as done.Mar 1 2020, 11:47 AM

Szelethus added inline comments.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
378–379	I'll upload followups where I'm addressing these issues -- to keep things simple, I decided against increasing this patch's scope. I won't commit until those are also accepted.

Harbormaster completed remote builds in B47726: Diff 247512.Mar 1 2020, 12:05 PM

Szelethus added a child revision: D75430: [analyzer][NFC] Introduce CXXDeallocatorCall, deploy it in MallocChecker.Mar 1 2020, 4:28 PM

balazske added inline comments.Mar 2 2020, 6:08 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
358	The `CHECK_FN` could be used even here? template <bool ShouldFreeOnFail> CHECK_FN(checkRealloc)
1207	If these cases are exclusive the code looks better when `else` statements are added?

I wish for a third map, something like ReallocationMap. Other than that it is a great direction, I love it. Thanks!

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
358	I think about the opposite, passing around arguments by templates is not cool. They meant to be arguments. This type of callback simply could be a third `CallDescriptionMap` for future profeness.

Charusso accepted this revision.Mar 3 2020, 3:36 AM

This revision is now accepted and ready to land.Mar 3 2020, 3:36 AM

In D68165#1902702, @Charusso wrote:

I wish for a third map, something like ReallocationMap. Other than that it is a great direction, I love it. Thanks!

Hah, that is a neat idea.

Looks wonderful, thanks!

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
358	passing around arguments by templates is not cool. They meant to be arguments. +1! It's accidental that these values are currently known at compile time.
1207	Yup, or even better, `return`s, because this code is very fragile because it'll do horrible things if we accidentally invoke two callbacks at once.

Closed by commit rG703a1b8caf09: [analyzer][MallocChecker][NFC] Split checkPostCall up, deploy CallDescriptionMap (authored by ldionne, committed by Szelethus). · Explain WhyMar 30 2020, 7:33 AM

This revision was automatically updated to reflect the committed changes.

Szelethus marked 5 inline comments as done.

Herald added a subscriber: ASDenysPetrov. · View Herald TranscriptMar 30 2020, 7:33 AM

Closed by commit rG703a1b8caf09: [analyzer][MallocChecker][NFC] Split checkPostCall up, deploy CallDescriptionMap (authored by ldionne, committed by Szelethus). · Explain Why

This is really strange -- it looks like 703a1b8caf09 was attributed to me in git, but I have nothing to do with this change. How did you commit the patch? Is that some Phabricator bug?

$ git show --pretty=full 703a1b8caf09

commit 703a1b8caf09a5262a45c2179b8131922f71cf25
Author: Louis Dionne <ldionne@apple.com>
Commit: Kirstóf Umann <dkszelethus@gmail.com>

    [analyzer][MallocChecker][NFC] Split checkPostCall up, deploy CallDescriptionMap

    ...

Not a phabricator bug. Maybe @Szelethus's local git somehow got in a weird state(?)

In D68165#1949954, @ldionne wrote:

Closed by commit rG703a1b8caf09: [analyzer][MallocChecker][NFC] Split checkPostCall up, deploy CallDescriptionMap (authored by ldionne, committed by Szelethus). · Explain Why

This is really strange -- it looks like 703a1b8caf09 was attributed to me in git, but I have nothing to do with this change. How did you commit the patch? Is that some Phabricator bug?

Ugh, I squashed my local commits and pushed, it seems like for some reason it made you the author... it has happened to me before (always with you, for some reason), but was able to notice and correct it. There is little we can do about this, right?

In D68165#1950212, @NoQ wrote:

Not a phabricator bug. Maybe @Szelethus's local git somehow got in a weird state(?)

Its been a source of endless misery :)

In D68165#1950357, @Szelethus wrote:

Ugh, I squashed my local commits and pushed, it seems like for some reason it made you the author... it has happened to me before (always with you, for some reason), but was able to notice and correct it.

Always with me? Maybe you should double-check that you don't have something weird in your git config, aliases or other? I don't know *why* it would be me in particular, but the fact that it is consistently the same person is kind of suspicious.

In D68165#1950451, @ldionne wrote:

Always with me? Maybe you should double-check that you don't have something weird in your git config, aliases or other? I don't know *why* it would be me in particular, but the fact that it is consistently the same person is kind of suspicious.

Will do. Sorry for the trouble!

Szelethus removed a child revision: D75430: [analyzer][NFC] Introduce CXXDeallocatorCall, deploy it in MallocChecker.Apr 3 2020, 6:36 AM

Szelethus mentioned this in D77474: [analyzer][MallocChecker] Make NewDeleteLeaks depend on DynamicMemoryModeling rather than NewDelete.Apr 5 2020, 5:06 AM

NoQ mentioned this in D81745: [analyzer][MallocChecker] PR46253: Correctly recognize standard realloc.Jun 13 2020, 3:29 PM

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

MallocChecker.cpp

576 lines

Diff 253593

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 Lines • Show All 56 Lines • ▼ Show 20 Lines
#include "clang/StaticAnalyzer/Core/Checker.h"		#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"		#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
		#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include "llvm/ADT/STLExtras.h"		#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h"		#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/StringExtras.h"		#include "llvm/ADT/StringExtras.h"
#include "llvm/Support/ErrorHandling.h"		#include "llvm/Support/ErrorHandling.h"
#include <climits>		#include <climits>
		#include <functional>
#include <utility>		#include <utility>

using namespace clang;		using namespace clang;
using namespace ento;		using namespace ento;
		using namespace std::placeholders;

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// The types of allocation we're modeling. This is used to check whether a		// The types of allocation we're modeling. This is used to check whether a
// dynamically allocated object is deallocated with the correct function, like		// dynamically allocated object is deallocated with the correct function, like
// not using operator delete on an object created by malloc(), or alloca regions		// not using operator delete on an object created by malloc(), or alloca regions
// aren't ever deallocated manually.		// aren't ever deallocated manually.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

namespace {		namespace {

// Used to check correspondence between allocators and deallocators.		// Used to check correspondence between allocators and deallocators.
enum AllocationFamily {		enum AllocationFamily {
AF_None,		AF_None,
AF_Malloc,		AF_Malloc,
AF_CXXNew,		AF_CXXNew,
AF_CXXNewArray,		AF_CXXNewArray,
AF_IfNameIndex,		AF_IfNameIndex,
AF_Alloca,		AF_Alloca,
AF_InnerBuffer		AF_InnerBuffer
};		};

struct MemFunctionInfoTy;

} // end of anonymous namespace		} // end of anonymous namespace

/// Print names of allocators and deallocators.		/// Print names of allocators and deallocators.
///		///
/// \returns true on success.		/// \returns true on success.
static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E);		static bool printMemFnName(raw_ostream &os, CheckerContext &C, const Expr *E);

/// Print expected name of an allocator based on the deallocator's family		/// Print expected name of an allocator based on the deallocator's family
▲ Show 20 Lines • Show All 152 Lines • ▼ Show 20 Lines	return ReallocatedSym == X.ReallocatedSym &&
Kind == X.Kind;		Kind == X.Kind;
}		}
};		};

} // end of anonymous namespace		} // end of anonymous namespace

REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)		REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)

//===----------------------------------------------------------------------===//
// Kinds of memory operations, information about resource managing functions.
//===----------------------------------------------------------------------===//

namespace {

struct MemFunctionInfoTy {
/// The value of the MallocChecker:Optimistic is stored in this variable.
///
/// In pessimistic mode, the checker assumes that it does not know which
/// functions might free the memory.
/// In optimistic mode, the checker assumes that all user-defined functions
/// which might free a pointer are annotated.
DefaultBool ShouldIncludeOwnershipAnnotatedFunctions;

CallDescription CD_alloca{{"alloca"}, 1}, CD_win_alloca{{"_alloca"}, 1},
CD_malloc{{"malloc"}, 1}, CD_BSD_malloc{{"malloc"}, 3},
CD_free{{"free"}, 1}, CD_realloc{{"realloc"}, 2},
CD_calloc{{"calloc"}, 2}, CD_valloc{{"valloc"}, 1},
CD_reallocf{{"reallocf"}, 2}, CD_strndup{{"strndup"}, 2},
CD_strdup{{"strdup"}, 1}, CD_win_strdup{{"_strdup"}, 1},
CD_kmalloc{{"kmalloc"}, 2}, CD_if_nameindex{{"if_nameindex"}, 1},
CD_if_freenameindex{{"if_freenameindex"}, 1}, CD_wcsdup{{"wcsdup"}, 1},
CD_win_wcsdup{{"_wcsdup"}, 1}, CD_kfree{{"kfree"}, 1},
CD_g_malloc{{"g_malloc"}, 1}, CD_g_malloc0{{"g_malloc0"}, 1},
CD_g_realloc{{"g_realloc"}, 2}, CD_g_try_malloc{{"g_try_malloc"}, 1},
CD_g_try_malloc0{{"g_try_malloc0"}, 1},
CD_g_try_realloc{{"g_try_realloc"}, 2}, CD_g_free{{"g_free"}, 1},
CD_g_memdup{{"g_memdup"}, 2}, CD_g_malloc_n{{"g_malloc_n"}, 2},
CD_g_malloc0_n{{"g_malloc0_n"}, 2}, CD_g_realloc_n{{"g_realloc_n"}, 3},
CD_g_try_malloc_n{{"g_try_malloc_n"}, 2},
CD_g_try_malloc0_n{{"g_try_malloc0_n"}, 2},
CD_g_try_realloc_n{{"g_try_realloc_n"}, 3};

bool isMemFunction(const CallEvent &Call) const;
bool isCMemFunction(const CallEvent &Call) const;
bool isCMemFreeFunction(const CallEvent &Call) const;
bool isCMemAllocFunction(const CallEvent &Call) const;
};
} // end of anonymous namespace

/// Tells if the callee is one of the builtin new/delete operators, including		/// Tells if the callee is one of the builtin new/delete operators, including
/// placement operators and other standard overloads.		/// placement operators and other standard overloads.
static bool isStandardNewDelete(const FunctionDecl *FD);		static bool isStandardNewDelete(const FunctionDecl *FD);
static bool isStandardNewDelete(const CallEvent &Call) {		static bool isStandardNewDelete(const CallEvent &Call) {
if (!Call.getDecl())		if (!Call.getDecl())
return false;		return false;
return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl()));		return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl()));
}		}

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Definition of the MallocChecker class.		// Definition of the MallocChecker class.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

namespace {		namespace {

class MallocChecker		class MallocChecker
: public Checker<check::DeadSymbols, check::PointerEscape,		: public Checker<check::DeadSymbols, check::PointerEscape,
check::ConstPointerEscape, check::PreStmt<ReturnStmt>,		check::ConstPointerEscape, check::PreStmt<ReturnStmt>,
check::EndFunction, check::PreCall, check::PostCall,		check::EndFunction, check::PreCall, check::PostCall,
check::PostStmt<CXXNewExpr>, check::NewAllocator,		check::PostStmt<CXXNewExpr>, check::NewAllocator,
check::PreStmt<CXXDeleteExpr>, check::PostStmt<BlockExpr>,		check::PreStmt<CXXDeleteExpr>, check::PostStmt<BlockExpr>,
check::PostObjCMessage, check::Location, eval::Assume> {		check::PostObjCMessage, check::Location, eval::Assume> {
public:		public:
MemFunctionInfoTy MemFunctionInfo;		/// In pessimistic mode, the checker assumes that it does not know which
		/// functions might free the memory.
		/// In optimistic mode, the checker assumes that all user-defined functions
		/// which might free a pointer are annotated.
		DefaultBool ShouldIncludeOwnershipAnnotatedFunctions;

/// Many checkers are essentially built into this one, so enabling them will		/// Many checkers are essentially built into this one, so enabling them will
/// make MallocChecker perform additional modeling and reporting.		/// make MallocChecker perform additional modeling and reporting.
enum CheckKind {		enum CheckKind {
/// When a subchecker is enabled but MallocChecker isn't, model memory		/// When a subchecker is enabled but MallocChecker isn't, model memory
/// management but do not emit warnings emitted with MallocChecker only		/// management but do not emit warnings emitted with MallocChecker only
/// enabled.		/// enabled.
CK_MallocChecker,		CK_MallocChecker,
▲ Show 20 Lines • Show All 43 Lines • ▼ Show 20 Lines	private:
mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_MismatchedDealloc;		mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];

		#define CHECK_FN(NAME) \
		void NAME(CheckerContext &C, const CallExpr *CE, ProgramStateRef State) const;

		CHECK_FN(checkFree)
		CHECK_FN(checkIfNameIndex)
		balazskeUnsubmitted Done Reply Inline Actions The `CHECK_FN` could be used even here? template <bool ShouldFreeOnFail> CHECK_FN(checkRealloc) balazske: The `CHECK_FN` could be used even here? ``` template <bool ShouldFreeOnFail> CHECK_FN…
		CharussoUnsubmitted Done Reply Inline Actions I think about the opposite, passing around arguments by templates is not cool. They meant to be arguments. This type of callback simply could be a third `CallDescriptionMap` for future profeness. Charusso: I think about the opposite, passing around arguments by templates is not cool. They meant to be…
		NoQUnsubmitted Done Reply Inline Actions passing around arguments by templates is not cool. They meant to be arguments. +1! It's accidental that these values are currently known at compile time. NoQ: > passing around arguments by templates is not cool. They meant to be arguments. +1! It's…
		CHECK_FN(checkBasicAlloc)
		CHECK_FN(checkKernelMalloc)
		CHECK_FN(checkCalloc)
		CHECK_FN(checkAlloca)
		CHECK_FN(checkStrdup)
		CHECK_FN(checkIfFreeNameIndex)
		CHECK_FN(checkCXXNewOrCXXDelete)
		CHECK_FN(checkGMalloc0)
		CHECK_FN(checkGMemdup)
		CHECK_FN(checkGMallocN)
		CHECK_FN(checkGMallocN0)
		CHECK_FN(checkReallocN)
		CHECK_FN(checkOwnershipAttr)

		void checkRealloc(CheckerContext &C, const CallExpr *CE,
		ProgramStateRef State, bool ShouldFreeOnFail) const;

		using CheckFn =
		std::function<void(const MallocChecker *, CheckerContext &C,
		const CallExpr *CE, ProgramStateRef State)>;

		NoQUnsubmitted Done Reply Inline Actions Whenever i see a (`CE`, `State`) pair, it screams `CallEvent` to me. That said, i'm worried that `State` in these callbacks isn't necessarily equal to `C.getState()` (the latter, by the way, is always equal to the `CallEvent`'s `.getState()` - that's a relief, right?), so if you'll ever be in the mood to check that, that'd be great :) NoQ: Whenever i see a (`CE`, `State`) pair, it screams `CallEvent` to me. That said, i'm worried…
		SzelethusAuthorUnsubmitted Done Reply Inline Actions It should be always equal to it. I'll change it. Szelethus: It should be always equal to it. I'll change it.
		SzelethusAuthorUnsubmitted Done Reply Inline Actions Hmmm, I tried making this take a (`CallEvent`, `CheckerContext`), but it bloated the code for little gain, since every handler function would start with the retrieval of the state and the call expression. That said, I could cascade these down to `FreeMemAux`, `MallocMemAux`, etc, to also take this pair instead, but I'll be honest, I don't see point until something actually breaks. Szelethus: Hmmm, I tried making this take a (`CallEvent`, `CheckerContext`), but it bloated the code for…
		baloghadamsoftwareUnsubmitted Done Reply Inline Actions This is the standard way in the checkers: almost every handler function starts with the retrieval of the state from the `CheckerContext`. The only reason for an extra `State` parameter is that sometimes we create more states in the lower level functions but only add the final one to the `CheckerContext` as a new transition. Does something like this happen here? baloghadamsoftware: This is the standard way in the checkers: almost every handler function starts with the…
		NoQUnsubmitted Done Reply Inline Actions I agree with @baloghadamsoftware here. If you pass `State` explicitly, it looks like an indication for the reader that this `State` may be different from `C.getState()`. If in practice they're the same, i'd rather do `C.getState()` in every method than confuse the reader. Also do you remember what makes us query `CallExpr` so often? Given that `CallEvent` includes `CallExpr`, we should be able to expose everything we need as `CallEvent` methods. Say, we should be able to replace `MallocMemAux(C, CE, CE->getArg(0), ...)` with `MallocMemAux(C, Call, Call.getArgExpr(0), ...)` and only do `Call.getOriginExpr()` once when we report a bug. NoQ: I agree with @baloghadamsoftware here. If you pass `State` explicitly, it looks like an…
		SzelethusAuthorUnsubmitted Done Reply Inline Actions I'll upload followups where I'm addressing these issues -- to keep things simple, I decided against increasing this patch's scope. I won't commit until those are also accepted. Szelethus: I'll upload followups where I'm addressing these issues -- to keep things simple, I decided…
		const CallDescriptionMap<CheckFn> FreeingMemFnMap{
		{{"free", 1}, &MallocChecker::checkFree},
		{{"if_freenameindex", 1}, &MallocChecker::checkIfFreeNameIndex},
		{{"kfree", 1}, &MallocChecker::checkFree},
		{{"g_free", 1}, &MallocChecker::checkFree},
		};

		bool isFreeingCall(const CallEvent &Call) const;

		CallDescriptionMap<CheckFn> AllocatingMemFnMap{
		{{"alloca", 1}, &MallocChecker::checkAlloca},
		{{"_alloca", 1}, &MallocChecker::checkAlloca},
		{{"malloc", 1}, &MallocChecker::checkBasicAlloc},
		{{"malloc", 3}, &MallocChecker::checkKernelMalloc},
		{{"calloc", 2}, &MallocChecker::checkCalloc},
		{{"valloc", 1}, &MallocChecker::checkBasicAlloc},
		{{CDF_MaybeBuiltin, "strndup", 2}, &MallocChecker::checkStrdup},
		{{CDF_MaybeBuiltin, "strdup", 1}, &MallocChecker::checkStrdup},
		{{"_strdup", 1}, &MallocChecker::checkStrdup},
		NoQUnsubmitted Done Reply Inline Actions I think `alloca` deserves `CDF_MaybeBuiltin`. This would also probably allow you to remove the second line. NoQ: I think `alloca` deserves `CDF_MaybeBuiltin`. This would also probably allow you to remove the…
		SzelethusAuthorUnsubmitted Done Reply Inline Actions Actually, `BuiltinFunctionChecker` uses `evalCall` to create an `AllocaRegion` for `__builtin_alloca`. I spent an hour when writing this patch to track a crash down when I initially made this `CDF_MaybeBuiltin` :) Szelethus: Actually, `BuiltinFunctionChecker` uses `evalCall` to create an `AllocaRegion` for…
		NoQUnsubmitted Done Reply Inline Actions Oh misery. NoQ: Oh misery.
		{{"kmalloc", 2}, &MallocChecker::checkKernelMalloc},
		{{"if_nameindex", 1}, &MallocChecker::checkIfNameIndex},
		{{CDF_MaybeBuiltin, "wcsdup", 1}, &MallocChecker::checkStrdup},
		{{CDF_MaybeBuiltin, "_wcsdup", 1}, &MallocChecker::checkStrdup},
		{{"g_malloc", 1}, &MallocChecker::checkBasicAlloc},
		{{"g_malloc0", 1}, &MallocChecker::checkGMalloc0},
		NoQUnsubmitted Done Reply Inline Actions These are also builtins. NoQ: These are also builtins.
		{{"g_try_malloc", 1}, &MallocChecker::checkBasicAlloc},
		{{"g_try_malloc0", 1}, &MallocChecker::checkGMalloc0},
		{{"g_memdup", 2}, &MallocChecker::checkGMemdup},
		{{"g_malloc_n", 2}, &MallocChecker::checkGMallocN},
		NoQUnsubmitted Done Reply Inline Actions And these too. NoQ: And these too.
		{{"g_malloc0_n", 2}, &MallocChecker::checkGMallocN0},
		{{"g_try_malloc_n", 2}, &MallocChecker::checkGMallocN},
		{{"g_try_malloc0_n", 2}, &MallocChecker::checkGMallocN0},
		};

		CallDescriptionMap<CheckFn> ReallocatingMemFnMap{
		{{"realloc", 2},
		std::bind(&MallocChecker::checkRealloc, _1, _2, _3, _4, false)},
		{{"reallocf", 2},
		std::bind(&MallocChecker::checkRealloc, _1, _2, _3, _4, true)},
		{{"g_realloc", 2},
		std::bind(&MallocChecker::checkRealloc, _1, _2, _3, _4, false)},
		{{"g_try_realloc", 2},
		std::bind(&MallocChecker::checkRealloc, _1, _2, _3, _4, false)},
		{{"g_realloc_n", 3}, &MallocChecker::checkReallocN},
		{{"g_try_realloc_n", 3}, &MallocChecker::checkReallocN},
		};

		bool isMemCall(const CallEvent &Call) const;

// TODO: Remove mutable by moving the initializtaion to the registry function.		// TODO: Remove mutable by moving the initializtaion to the registry function.
mutable Optional<uint64_t> KernelZeroFlagVal;		mutable Optional<uint64_t> KernelZeroFlagVal;

using KernelZeroSizePtrValueTy = Optional<int>;		using KernelZeroSizePtrValueTy = Optional<int>;
/// Store the value of macro called `ZERO_SIZE_PTR`.		/// Store the value of macro called `ZERO_SIZE_PTR`.
/// The value is initialized at first use, before first use the outer		/// The value is initialized at first use, before first use the outer
/// Optional is empty, afterwards it contains another Optional that indicates		/// Optional is empty, afterwards it contains another Optional that indicates
/// if the macro value could be determined, and if yes the value itself.		/// if the macro value could be determined, and if yes the value itself.
▲ Show 20 Lines • Show All 419 Lines • ▼ Show 20 Lines	public:

bool VisitSymbol(SymbolRef sym) override {		bool VisitSymbol(SymbolRef sym) override {
state = state->remove<RegionState>(sym);		state = state->remove<RegionState>(sym);
return true;		return true;
}		}
};		};
} // end anonymous namespace		} // end anonymous namespace

//===----------------------------------------------------------------------===//		static bool isStandardNewDelete(const FunctionDecl *FD) {
// Methods of MemFunctionInfoTy.		if (!FD)
//===----------------------------------------------------------------------===//		return false;

bool MemFunctionInfoTy::isMemFunction(const CallEvent &Call) const {		OverloadedOperatorKind Kind = FD->getOverloadedOperator();
return isCMemFunction(Call) \|\| isStandardNewDelete(Call);		if (Kind != OO_New && Kind != OO_Array_New && Kind != OO_Delete &&
}		Kind != OO_Array_Delete)
		return false;

bool MemFunctionInfoTy::isCMemFunction(const CallEvent &Call) const {		// This is standard if and only if it's not defined in a user file.
return isCMemFreeFunction(Call) \|\| isCMemAllocFunction(Call);		SourceLocation L = FD->getLocation();
		// If the header for operator delete is not included, it's still defined
		// in an invalid source location. Check to make sure we don't crash.
		return !L.isValid() \|\|
		FD->getASTContext().getSourceManager().isInSystemHeader(L);
}		}

bool MemFunctionInfoTy::isCMemFreeFunction(const CallEvent &Call) const {		//===----------------------------------------------------------------------===//
if (Call.isCalled(CD_free, CD_realloc, CD_reallocf, CD_g_free, CD_kfree))		// Methods of MallocChecker and MallocBugVisitor.
return true;		//===----------------------------------------------------------------------===//

if (Call.isCalled(CD_if_freenameindex))		bool MallocChecker::isFreeingCall(const CallEvent &Call) const {
		if (FreeingMemFnMap.lookup(Call) \|\| ReallocatingMemFnMap.lookup(Call))
return true;		return true;
		baloghadamsoftwareUnsubmitted Done Reply Inline Actions Maybe `return !!FreeingMemFnMap.lookup(Call)`? baloghadamsoftware: Maybe `return !!FreeingMemFnMap.lookup(Call)`?
		baloghadamsoftwareUnsubmitted Done Reply Inline Actions I think the code changed after I wrote this comment, it is not valid anymore. baloghadamsoftware: I think the code changed after I wrote this comment, it is not valid anymore.

if (!ShouldIncludeOwnershipAnnotatedFunctions)
return false;

const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl());		const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl());
if (Func && Func->hasAttrs()) {		if (Func && Func->hasAttrs()) {
for (const auto *I : Func->specific_attrs<OwnershipAttr>()) {		for (const auto *I : Func->specific_attrs<OwnershipAttr>()) {
OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();		OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
if (OwnKind == OwnershipAttr::Takes \|\| OwnKind == OwnershipAttr::Holds)		if (OwnKind == OwnershipAttr::Takes \|\| OwnKind == OwnershipAttr::Holds)
return true;		return true;
}		}
}		}
return false;		return false;
}		}

bool MemFunctionInfoTy::isCMemAllocFunction(const CallEvent &Call) const {		bool MallocChecker::isMemCall(const CallEvent &Call) const {
if (Call.isCalled(CD_malloc, CD_realloc, CD_reallocf, CD_calloc, CD_valloc,		if (FreeingMemFnMap.lookup(Call) \|\| AllocatingMemFnMap.lookup(Call) \|\|
		baloghadamsoftwareUnsubmitted Done Reply Inline Actions Same here: why not just `return FreeingMemFnMap.lookup(Call) \|\| NonFreeingMemFn.lookup(Call)`? baloghadamsoftware: Same here: why not just `return FreeingMemFnMap.lookup(Call) \|\| NonFreeingMemFn.lookup(Call)`?
		baloghadamsoftwareUnsubmitted Done Reply Inline Actions Here as well. Disregard these comments. baloghadamsoftware: Here as well. Disregard these comments.
CD_strdup, CD_win_strdup, CD_strndup, CD_wcsdup,		ReallocatingMemFnMap.lookup(Call))
		SzelethusAuthorUnsubmitted Done Reply Inline Actions It may be more precise to call this `isCMemCall`, because that's the question it answers. Szelethus: It may be more precise to call this `isCMemCall`, because that's the question it answers.
CD_win_wcsdup, CD_kmalloc, CD_g_malloc, CD_g_malloc0,
CD_g_realloc, CD_g_try_malloc, CD_g_try_malloc0,
CD_g_try_realloc, CD_g_memdup, CD_g_malloc_n,
CD_g_malloc0_n, CD_g_realloc_n, CD_g_try_malloc_n,
CD_g_try_malloc0_n, CD_g_try_realloc_n))
return true;

if (Call.isCalled(CD_if_nameindex))
return true;

if (Call.isCalled(CD_alloca, CD_win_alloca))
return true;		return true;

if (!ShouldIncludeOwnershipAnnotatedFunctions)		if (!ShouldIncludeOwnershipAnnotatedFunctions)
return false;		return false;

const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl());		const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl());
if (Func && Func->hasAttrs()) {		return Func && Func->hasAttr<OwnershipAttr>();
for (const auto *I : Func->specific_attrs<OwnershipAttr>()) {
OwnershipAttr::OwnershipKind OwnKind = I->getOwnKind();
if (OwnKind == OwnershipAttr::Returns)
return true;
}
}		}

return false;		llvm::Optional<ProgramStateRef>
}		MallocChecker::performKernelMalloc(const CallExpr *CE, CheckerContext &C,
		const ProgramStateRef &State) const {
static bool isStandardNewDelete(const FunctionDecl *FD) {
if (!FD)
return false;

OverloadedOperatorKind Kind = FD->getOverloadedOperator();
if (Kind != OO_New && Kind != OO_Array_New && Kind != OO_Delete &&
Kind != OO_Array_Delete)
return false;

// This is standard if and only if it's not defined in a user file.
SourceLocation L = FD->getLocation();
// If the header for operator delete is not included, it's still defined
// in an invalid source location. Check to make sure we don't crash.
return !L.isValid() \|\|
FD->getASTContext().getSourceManager().isInSystemHeader(L);
}

//===----------------------------------------------------------------------===//
// Methods of MallocChecker and MallocBugVisitor.
//===----------------------------------------------------------------------===//

llvm::Optional<ProgramStateRef> MallocChecker::performKernelMalloc(
const CallExpr *CE, CheckerContext &C, const ProgramStateRef &State) const {
// 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:		// 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
//		//
// void malloc(unsigned long size, struct malloc_type mtp, int flags);		// void malloc(unsigned long size, struct malloc_type mtp, int flags);
//		//
// One of the possible flags is M_ZERO, which means 'give me back an		// One of the possible flags is M_ZERO, which means 'give me back an
// allocation which is already zeroed', like calloc.		// allocation which is already zeroed', like calloc.

// 2-argument kmalloc(), as used in the Linux kernel:		// 2-argument kmalloc(), as used in the Linux kernel:
▲ Show 20 Lines • Show All 71 Lines • ▼ Show 20 Lines	SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
SVal BlocksVal = C.getSVal(Blocks);		SVal BlocksVal = C.getSVal(Blocks);
SVal BlockBytesVal = C.getSVal(BlockBytes);		SVal BlockBytesVal = C.getSVal(BlockBytes);
ProgramStateRef State = C.getState();		ProgramStateRef State = C.getState();
SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,		SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
SB.getContext().getSizeType());		SB.getContext().getSizeType());
return TotalSize;		return TotalSize;
}		}

void MallocChecker::checkPostCall(const CallEvent &Call,		void MallocChecker::checkBasicAlloc(CheckerContext &C, const CallExpr *CE,
CheckerContext &C) const {		ProgramStateRef State) const {
if (C.wasInlined)		State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Malloc);
return;

const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
return;

const FunctionDecl *FD = C.getCalleeDecl(CE);
if (!FD)
return;

ProgramStateRef State = C.getState();
bool IsKnownToBeAllocatedMemory = false;

if (FD->getKind() == Decl::Function) {
if (Call.isCalled(MemFunctionInfo.CD_malloc, MemFunctionInfo.CD_BSD_malloc,
MemFunctionInfo.CD_g_malloc,
MemFunctionInfo.CD_g_try_malloc)) {
switch (CE->getNumArgs()) {
default:
return;
case 1:
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 0, State);		State = ProcessZeroAllocCheck(C, CE, 0, State);
break;		C.addTransition(State);
case 2:
llvm_unreachable("There shouldn't be a 2-argument malloc!");
break;
case 3:
llvm::Optional<ProgramStateRef> MaybeState =
performKernelMalloc(CE, C, State);
if (MaybeState.hasValue())
State = MaybeState.getValue();
else
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_Malloc);
break;
}		}
} else if (Call.isCalled(MemFunctionInfo.CD_kmalloc)) {
if (CE->getNumArgs() < 1)		void MallocChecker::checkKernelMalloc(CheckerContext &C, const CallExpr *CE,
return;		ProgramStateRef State) const {
llvm::Optional<ProgramStateRef> MaybeState =		llvm::Optional<ProgramStateRef> MaybeState =
performKernelMalloc(CE, C, State);		performKernelMalloc(CE, C, State);
if (MaybeState.hasValue())		if (MaybeState.hasValue())
State = MaybeState.getValue();		State = MaybeState.getValue();
else		else
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_Malloc);
} else if (Call.isCalled(MemFunctionInfo.CD_valloc)) {
if (CE->getNumArgs() < 1)
return;
State =		State =
MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Malloc);		MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 0, State);		C.addTransition(State);
} else if (Call.isCalled(MemFunctionInfo.CD_realloc,		}
MemFunctionInfo.CD_g_realloc,
MemFunctionInfo.CD_g_try_realloc)) {		void MallocChecker::checkRealloc(CheckerContext &C, const CallExpr *CE,
State =		ProgramStateRef State,
ReallocMemAux(C, CE, /ShouldFreeOnFail/ false, State, AF_Malloc);		bool ShouldFreeOnFail) const {
State = ProcessZeroAllocCheck(C, CE, 1, State);		State = ReallocMemAux(C, CE, ShouldFreeOnFail, State, AF_Malloc);
} else if (Call.isCalled(MemFunctionInfo.CD_reallocf)) {
State = ReallocMemAux(C, CE, /ShouldFreeOnFail/ true, State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 1, State);		State = ProcessZeroAllocCheck(C, CE, 1, State);
} else if (Call.isCalled(MemFunctionInfo.CD_calloc)) {		C.addTransition(State);
		}

		void MallocChecker::checkCalloc(CheckerContext &C, const CallExpr *CE,
		ProgramStateRef State) const {
State = CallocMem(C, CE, State);		State = CallocMem(C, CE, State);
State = ProcessZeroAllocCheck(C, CE, 0, State);		State = ProcessZeroAllocCheck(C, CE, 0, State);
State = ProcessZeroAllocCheck(C, CE, 1, State);		State = ProcessZeroAllocCheck(C, CE, 1, State);
} else if (Call.isCalled(MemFunctionInfo.CD_free, MemFunctionInfo.CD_g_free,		C.addTransition(State);
MemFunctionInfo.CD_kfree)) {		}

		void MallocChecker::checkFree(CheckerContext &C, const CallExpr *CE,
		ProgramStateRef State) const {
		bool IsKnownToBeAllocatedMemory = false;
if (suppressDeallocationsInSuspiciousContexts(CE, C))		if (suppressDeallocationsInSuspiciousContexts(CE, C))
return;		return;
		State =
		FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory, AF_Malloc);
		C.addTransition(State);
		}

State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory,		void MallocChecker::checkAlloca(CheckerContext &C, const CallExpr *CE,
AF_Malloc);		ProgramStateRef State) const {
} else if (Call.isCalled(		State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Alloca);
MemFunctionInfo.CD_strdup, MemFunctionInfo.CD_win_strdup,		State = ProcessZeroAllocCheck(C, CE, 0, State);
MemFunctionInfo.CD_wcsdup, MemFunctionInfo.CD_win_wcsdup)) {		C.addTransition(State);
State = MallocUpdateRefState(C, CE, State, AF_Malloc);		}
} else if (Call.isCalled(MemFunctionInfo.CD_strndup)) {
		void MallocChecker::checkStrdup(CheckerContext &C, const CallExpr *CE,
		ProgramStateRef State) const {
State = MallocUpdateRefState(C, CE, State, AF_Malloc);		State = MallocUpdateRefState(C, CE, State, AF_Malloc);
} else if (Call.isCalled(MemFunctionInfo.CD_alloca,
MemFunctionInfo.CD_win_alloca)) {		C.addTransition(State);
if (CE->getNumArgs() < 1)		}
return;
		void MallocChecker::checkIfNameIndex(CheckerContext &C, const CallExpr *CE,
		ProgramStateRef State) const {
		// Should we model this differently? We can allocate a fixed number of
		// elements with zeros in the last one.
State =		State =
MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Alloca);		MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State, AF_IfNameIndex);
State = ProcessZeroAllocCheck(C, CE, 0, State);
} else if (isStandardNewDelete(FD)) {		C.addTransition(State);
		}

		void MallocChecker::checkIfFreeNameIndex(CheckerContext &C, const CallExpr *CE,
		ProgramStateRef State) const {
		bool IsKnownToBeAllocatedMemory = false;
		State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory,
		AF_IfNameIndex);
		C.addTransition(State);
		}

		void MallocChecker::checkCXXNewOrCXXDelete(CheckerContext &C,
		const CallExpr *CE,
		ProgramStateRef State) const {
		bool IsKnownToBeAllocatedMemory = false;

		const FunctionDecl *FD = C.getCalleeDecl(CE);
// Process direct calls to operator new/new[]/delete/delete[] functions		// Process direct calls to operator new/new[]/delete/delete[] functions
// as distinct from new/new[]/delete/delete[] expressions that are		// as distinct from new/new[]/delete/delete[] expressions that are
// processed by the checkPostStmt callbacks for CXXNewExpr and		// processed by the checkPostStmt callbacks for CXXNewExpr and
// CXXDeleteExpr.		// CXXDeleteExpr.
switch (FD->getOverloadedOperator()) {		switch (FD->getOverloadedOperator()) {
case OO_New:		case OO_New:
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,		State =
AF_CXXNew);		MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_CXXNew);
State = ProcessZeroAllocCheck(C, CE, 0, State);		State = ProcessZeroAllocCheck(C, CE, 0, State);
break;		break;
case OO_Array_New:		case OO_Array_New:
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,		State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_CXXNewArray);		AF_CXXNewArray);
State = ProcessZeroAllocCheck(C, CE, 0, State);		State = ProcessZeroAllocCheck(C, CE, 0, State);
break;		break;
case OO_Delete:		case OO_Delete:
State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory,		State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory,
AF_CXXNew);		AF_CXXNew);
break;		break;
case OO_Array_Delete:		case OO_Array_Delete:
State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory,		State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory,
AF_CXXNewArray);		AF_CXXNewArray);
break;		break;
default:		default:
llvm_unreachable("not a new/delete operator");		llvm_unreachable("not a new/delete operator");
}		}
} else if (Call.isCalled(MemFunctionInfo.CD_if_nameindex)) {
// Should we model this differently? We can allocate a fixed number of		C.addTransition(State);
// elements with zeros in the last one.		}
State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State,
AF_IfNameIndex);		void MallocChecker::checkGMalloc0(CheckerContext &C, const CallExpr *CE,
} else if (Call.isCalled(MemFunctionInfo.CD_if_freenameindex)) {		ProgramStateRef State) const {
State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory,
AF_IfNameIndex);
} else if (Call.isCalled(MemFunctionInfo.CD_g_malloc0,
MemFunctionInfo.CD_g_try_malloc0)) {
if (CE->getNumArgs() < 1)
return;
SValBuilder &svalBuilder = C.getSValBuilder();		SValBuilder &svalBuilder = C.getSValBuilder();
SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);		SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State, AF_Malloc);		State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 0, State);		State = ProcessZeroAllocCheck(C, CE, 0, State);
} else if (Call.isCalled(MemFunctionInfo.CD_g_memdup)) {		C.addTransition(State);
if (CE->getNumArgs() < 2)		}
return;
State =		void MallocChecker::checkGMemdup(CheckerContext &C, const CallExpr *CE,
MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State, AF_Malloc);		ProgramStateRef State) const {
		State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 1, State);		State = ProcessZeroAllocCheck(C, CE, 1, State);
} else if (Call.isCalled(MemFunctionInfo.CD_g_malloc_n,		C.addTransition(State);
MemFunctionInfo.CD_g_try_malloc_n,		}
MemFunctionInfo.CD_g_malloc0_n,
MemFunctionInfo.CD_g_try_malloc0_n)) {		void MallocChecker::checkGMallocN(CheckerContext &C, const CallExpr *CE,
if (CE->getNumArgs() < 2)		ProgramStateRef State) const {
return;
SVal Init = UndefinedVal();		SVal Init = UndefinedVal();
if (Call.isCalled(MemFunctionInfo.CD_g_malloc0_n,		SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
MemFunctionInfo.CD_g_try_malloc0_n)) {		State = MallocMemAux(C, CE, TotalSize, Init, State, AF_Malloc);
SValBuilder &SB = C.getSValBuilder();		State = ProcessZeroAllocCheck(C, CE, 0, State);
Init = SB.makeZeroVal(SB.getContext().CharTy);		State = ProcessZeroAllocCheck(C, CE, 1, State);
		C.addTransition(State);
}		}

		void MallocChecker::checkGMallocN0(CheckerContext &C, const CallExpr *CE,
		ProgramStateRef State) const {
		SValBuilder &SB = C.getSValBuilder();
		SVal Init = SB.makeZeroVal(SB.getContext().CharTy);
SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));		SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1));
State = MallocMemAux(C, CE, TotalSize, Init, State, AF_Malloc);		State = MallocMemAux(C, CE, TotalSize, Init, State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 0, State);		State = ProcessZeroAllocCheck(C, CE, 0, State);
State = ProcessZeroAllocCheck(C, CE, 1, State);		State = ProcessZeroAllocCheck(C, CE, 1, State);
} else if (Call.isCalled(MemFunctionInfo.CD_g_realloc_n,		C.addTransition(State);
MemFunctionInfo.CD_g_try_realloc_n)) {		}
if (CE->getNumArgs() < 3)
return;		void MallocChecker::checkReallocN(CheckerContext &C, const CallExpr *CE,
State = ReallocMemAux(C, CE, /ShouldFreeOnFail/ false, State, AF_Malloc,		ProgramStateRef State) const {
/SuffixWithN/ true);		State = ReallocMemAux(C, CE, /ShouldFreeOnFail=/false, State, AF_Malloc,
		/SuffixWithN=/true);
State = ProcessZeroAllocCheck(C, CE, 1, State);		State = ProcessZeroAllocCheck(C, CE, 1, State);
State = ProcessZeroAllocCheck(C, CE, 2, State);		State = ProcessZeroAllocCheck(C, CE, 2, State);
}		C.addTransition(State);
}		}

if (MemFunctionInfo.ShouldIncludeOwnershipAnnotatedFunctions \|\|		void MallocChecker::checkOwnershipAttr(CheckerContext &C, const CallExpr *CE,
		ProgramStateRef State) const {
		const FunctionDecl *FD = C.getCalleeDecl(CE);
		if (ShouldIncludeOwnershipAnnotatedFunctions \|\|
ChecksEnabled[CK_MismatchedDeallocatorChecker]) {		ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
// Check all the attributes, if there are any.		// Check all the attributes, if there are any.
// There can be multiple of these attributes.		// There can be multiple of these attributes.
if (FD->hasAttrs())		if (FD->hasAttrs())
for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {		for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
switch (I->getOwnKind()) {		switch (I->getOwnKind()) {
case OwnershipAttr::Returns:		case OwnershipAttr::Returns:
State = MallocMemReturnsAttr(C, CE, I, State);		State = MallocMemReturnsAttr(C, CE, I, State);
break;		break;
case OwnershipAttr::Takes:		case OwnershipAttr::Takes:
case OwnershipAttr::Holds:		case OwnershipAttr::Holds:
State = FreeMemAttr(C, CE, I, State);		State = FreeMemAttr(C, CE, I, State);
break;		break;
}		}
}		}
}		}
C.addTransition(State);		C.addTransition(State);
}		}

		void MallocChecker::checkPostCall(const CallEvent &Call,
		CheckerContext &C) const {
		if (C.wasInlined)
		return;

		const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
		if (!CE)
		return;

		const FunctionDecl *FD = C.getCalleeDecl(CE);
		if (!FD)
		return;

		ProgramStateRef State = C.getState();

		if (const CheckFn *Callback = FreeingMemFnMap.lookup(Call)) {
		(*Callback)(this, C, CE, State);
		return;
		}

		if (const CheckFn *Callback = AllocatingMemFnMap.lookup(Call)) {
		(*Callback)(this, C, CE, State);
		return;
		}
		balazskeUnsubmitted Done Reply Inline Actions If these cases are exclusive the code looks better when `else` statements are added? balazske: If these cases are exclusive the code looks better when `else` statements are added?
		NoQUnsubmitted Done Reply Inline Actions Yup, or even better, `return`s, because this code is very fragile because it'll do horrible things if we accidentally invoke two callbacks at once. NoQ: Yup, or even better, `return`s, because this code is very fragile because it'll do horrible…

		if (const CheckFn *Callback = ReallocatingMemFnMap.lookup(Call)) {
		(*Callback)(this, C, CE, State);
		return;
		}

		if (isStandardNewDelete(Call)) {
		checkCXXNewOrCXXDelete(C, CE, State);
		return;
		}

		checkOwnershipAttr(C, CE, State);
		}

// Performs a 0-sized allocations check.		// Performs a 0-sized allocations check.
ProgramStateRef MallocChecker::ProcessZeroAllocCheck(		ProgramStateRef MallocChecker::ProcessZeroAllocCheck(
CheckerContext &C, const Expr *E, const unsigned IndexOfSizeArg,		CheckerContext &C, const Expr *E, const unsigned IndexOfSizeArg,
ProgramStateRef State, Optional<SVal> RetVal) {		ProgramStateRef State, Optional<SVal> RetVal) {
if (!State)		if (!State)
return nullptr;		return nullptr;

if (!RetVal)		if (!RetVal)
▲ Show 20 Lines • Show All 250 Lines • ▼ Show 20 Lines

ProgramStateRef		ProgramStateRef
MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,		MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE,
const OwnershipAttr *Att,		const OwnershipAttr *Att,
ProgramStateRef State) const {		ProgramStateRef State) const {
if (!State)		if (!State)
return nullptr;		return nullptr;

if (Att->getModule()->getName() !=		if (Att->getModule()->getName() != "malloc")
		SzelethusAuthorUnsubmitted Done Reply Inline Actions Ugh, no idea whats happening here, I'll be honest. I sweat to dig a bit deeper to find out, though I didn't want to bother delaying the publishing this patch for a feature not documented, or used anywhere. Szelethus: Ugh, no idea whats happening here, I'll be honest. I sweat to dig a bit deeper to find out…
		NoQUnsubmitted Done Reply Inline Actions I think this is about the (lack of) support for `__attribute__((malloc))`. NoQ: I think this is about the (lack of) support for `__attribute__((malloc))`.
		SzelethusAuthorUnsubmitted Done Reply Inline Actions This should be an NFC change, and this part of the code will have to be rewritten anyways if we want a more serious annotation guided analysis. Szelethus: This should be an NFC change, and this part of the code will have to be rewritten anyways if we…
MemFunctionInfo.CD_malloc.getFunctionName())
return nullptr;		return nullptr;

OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();		OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
if (I != E) {		if (I != E) {
return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(),		return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(),
State, AF_Malloc);		State, AF_Malloc);
}		}
return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State, AF_Malloc);		return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State, AF_Malloc);
▲ Show 20 Lines • Show All 79 Lines • ▼ Show 20 Lines

ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,		ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
const CallExpr *CE,		const CallExpr *CE,
const OwnershipAttr *Att,		const OwnershipAttr *Att,
ProgramStateRef State) const {		ProgramStateRef State) const {
if (!State)		if (!State)
return nullptr;		return nullptr;

if (Att->getModule()->getName() !=		if (Att->getModule()->getName() != "malloc")
MemFunctionInfo.CD_malloc.getFunctionName())
return nullptr;		return nullptr;

bool IsKnownToBeAllocated = false;		bool IsKnownToBeAllocated = false;

for (const auto &Arg : Att->args()) {		for (const auto &Arg : Att->args()) {
ProgramStateRef StateI =		ProgramStateRef StateI =
FreeMemAux(C, CE, State, Arg.getASTIndex(),		FreeMemAux(C, CE, State, Arg.getASTIndex(),
Att->getOwnKind() == OwnershipAttr::Holds,		Att->getOwnKind() == OwnershipAttr::Holds,
▲ Show 20 Lines • Show All 1,034 Lines • ▼ Show 20 Lines	void MallocChecker::checkPreCall(const CallEvent &Call,
}		}

// We will check for double free in the post visit.		// We will check for double free in the post visit.
if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {		if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {
const FunctionDecl *FD = FC->getDecl();		const FunctionDecl *FD = FC->getDecl();
if (!FD)		if (!FD)
return;		return;

if (ChecksEnabled[CK_MallocChecker] &&		if (ChecksEnabled[CK_MallocChecker] && isFreeingCall(Call))
(MemFunctionInfo.isCMemFreeFunction(Call)))
return;		return;
}		}

// Check if the callee of a method is deleted.		// Check if the callee of a method is deleted.
if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {		if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();		SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
if (!Sym \|\| checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))		if (!Sym \|\| checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
return;		return;
▲ Show 20 Lines • Show All 282 Lines • ▼ Show 20 Lines	bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(

// At this point the only thing left to handle is straight function calls.		// At this point the only thing left to handle is straight function calls.
const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();		const FunctionDecl *FD = cast<SimpleFunctionCall>(Call)->getDecl();
if (!FD)		if (!FD)
return true;		return true;

// If it's one of the allocation functions we can reason about, we model		// If it's one of the allocation functions we can reason about, we model
// its behavior explicitly.		// its behavior explicitly.
if (MemFunctionInfo.isMemFunction(*Call))		if (isMemCall(*Call))
return false;		return false;

// If it's not a system call, assume it frees memory.		// If it's not a system call, assume it frees memory.
if (!Call->isInSystemHeader())		if (!Call->isInSystemHeader())
return true;		return true;

// White list the system functions whose arguments escape.		// White list the system functions whose arguments escape.
const IdentifierInfo *II = FD->getIdentifier();		const IdentifierInfo *II = FD->getIdentifier();
▲ Show 20 Lines • Show All 401 Lines • ▼ Show 20 Lines	void ento::registerInnerPointerCheckerAux(CheckerManager &mgr) {
MallocChecker *checker = mgr.getChecker<MallocChecker>();		MallocChecker *checker = mgr.getChecker<MallocChecker>();
checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;		checker->ChecksEnabled[MallocChecker::CK_InnerPointerChecker] = true;
checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =		checker->CheckNames[MallocChecker::CK_InnerPointerChecker] =
mgr.getCurrentCheckerName();		mgr.getCurrentCheckerName();
}		}

void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {		void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {
auto *checker = mgr.registerChecker<MallocChecker>();		auto *checker = mgr.registerChecker<MallocChecker>();
checker->MemFunctionInfo.ShouldIncludeOwnershipAnnotatedFunctions =		checker->ShouldIncludeOwnershipAnnotatedFunctions =
mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic");		mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic");
}		}

bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) {		bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) {
return true;		return true;
}		}

#define REGISTER_CHECKER(name) \		#define REGISTER_CHECKER(name) \
Show All 13 Lines

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer][MallocChecker][NFC] Split checkPostCall up, deploy CallDescriptionMapClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 253593

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

[analyzer][MallocChecker][NFC] Split checkPostCall up, deploy CallDescriptionMap
ClosedPublic