This is an archive of the discontinued LLVM Phabricator instance.

Differential D70725

[analyzer] Add path notes to FuchsiaHandleCheck
ClosedPublic

Authored by xazax.hun on Nov 26 2019, 9:22 AM.

Details

Reviewers
NoQ
haowei
Szelethus
Commits
rG59878ec8092b: [analyzer] Add path notes to FuchsiaHandleCheck.
Summary

I also added a missing const to a BugReporter API.

There are some TODOs for potential future updates if we want richer notes during reporting.

Diff Detail

Event Timeline

xazax.hun created this revision.Nov 26 2019, 9:22 AM
Herald added subscribers: Charusso, gamesh411, dkrupp and 7 others. · View Herald TranscriptNov 26 2019, 9:22 AM
xazax.hun added a reviewer: Szelethus.Nov 26 2019, 9:22 AM
xazax.hun added a parent revision: D70470: [analyzer] Add FuchsiaHandleCheck to catch handle leaks, use after frees and double frees.
NoQ added a comment.Dec 2 2019, 12:41 PM

Sooooo... note tags?

clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp
234

Will we ever emit a report against an escaped symbol? If not, there will never be a report to attach the note to.

235–236

If the function is implemented as an eager state split, having a note is great and easy to implement.

If it's implemented as a Schrödinger state split, then i think we should still emit a note at the collapse point (especially given that it may happen in a deeper stack frame than the call that produced the symbol). But this makes me recognize the need for note tags in evalAssume.

513

I wonder how terrible would it be to allow bug visitors (or note tags, which are just an "API sugar" for bug visitors) to mutate the uniqueing location. Because such information is naturally available in the visitor.

It most likely won't work because the information is necessary before the visitors are run. But it would have been nice though, so i feel as if we're missing an opportunity here.

xazax.hun added a comment.Dec 2 2019, 1:44 PM

I was thinking about note tags, but since we iterate on the argument/parameter pairs and might change the state in each iteration we would need to add a new transition after each change. I was wondering if using note tags would worth the cost (both in performance due to the additional number of nodes and in code complexity due to making transitions more often).

xazax.hun added a comment.Dec 2 2019, 1:54 PM

Sorry, my previous comment might not be clear. The point is, the same call might both acquire and release handles (there are such calls in Fuchsia), so we might end up adding more than one note for a call for which we would need to add more than one transitions. If you think it is still cleaner that way, I could do that as well :)

xazax.hun marked 3 inline comments as done.Dec 2 2019, 1:58 PM
xazax.hun added inline comments.
clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp
234

I think there might be cases where we go from an escaped symbol to released and so on. But you are right, it would not contribute to understanding the actual bug report.

235–236

I agree.

513

On one hand, it would be nice :) On the other hand we could have more than one visitor and it would be a hell to debug when the visitors disagree an the uniqueing location. If we can come up with an API that is not that easy to misuse, I am in favor of a change like that.

NoQ added a comment.Dec 2 2019, 8:04 PM
In D70725#1765981, @xazax.hun wrote:

the same call might both acquire and release handles (there are such calls in Fuchsia), so we might end up adding more than one note for a call for which we would need to add more than one transitions

Hmm, would this be too functional?:

std::vector<std::function> notes;
for (arg : args) {
  if (isAcquired(param)) {
    State = State->set(arg, Acquired);
    notes.push_back([](Report) {
      if (Report.isInteresting(arg))
        return "Handle acquired here";
    });
  }
  if (isReleased(param)) {
    State = State->set(arg, Released);
    notes.push_back([](Report) {
      if (Report.isInteresting(arg))
        return "Handle released here";
    });
  }
}

C.addTransition(State, C.getNoteTag(
    // We might as well add a C.getNoteTag() overload
    // to do this automatically.
    [std::move(notes)](Report) {
      for (note : notes)
        note();
    }));

Or, well, yeah, chain the nodes together; you anyway have to do this occasionally due to clumsiness of the rest of the API.

NoQ added a comment.Dec 2 2019, 11:03 PM

note()

Of course i mean something like this:

std::string text = note();
if (!text.empty())
  return text;

(and return something like "" on the other return path in the inner lambdas).

xazax.hun updated this revision to Diff 231955.Dec 3 2019, 11:32 AM
  • Use the new notes API for path notes.
xazax.hun added a comment.Dec 3 2019, 11:33 AM

You were right, the new API looks cleaner even in this case :)

xazax.hun added a comment.Dec 3 2019, 11:35 AM

Just a small side note. If the state was same as the previous we do not end up creating a new ExplodedNode right? Is this also the case when we add a NoteTag?

xazax.hun marked an inline comment as done.Dec 3 2019, 11:38 AM
xazax.hun added inline comments.
clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp
358–374

Hmm, so we have C++14 now and I can do a move capture right? Will update in the next iteration.

Charusso added a comment.Dec 3 2019, 12:11 PM
In D70725#1767579, @xazax.hun wrote:

Just a small side note. If the state was same as the previous we do not end up creating a new ExplodedNode right? Is this also the case when we add a NoteTag?

It only happens for evaluation when you cannot evaluate something. Other than that Pre/PostCall working fine to add a node with the NoteTag.

NoQ added a comment.Dec 3 2019, 12:35 PM

Yay, it actually works!

I only have minor comments and ignorable hand-waving now.

In D70725#1767643, @Charusso wrote:
In D70725#1767579, @xazax.hun wrote:

Just a small side note. If the state was same as the previous we do not end up creating a new ExplodedNode right? Is this also the case when we add a NoteTag?

It only happens for evaluation when you cannot evaluate something. Other than that Pre/PostCall working fine to add a node with the NoteTag.

Tag pointers are part of the ProgramPoint's identity, which in turn are part of the ExplodedNode's identity. If you make a new note tag and transition into it for the first time, the new node is guaranteed to be fresh.

clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp
210

N = N->getFirstPred().

219

return N;? (eliminates a variable)

223

N = N->getFirstPred().

359–362

Ugh, it sucks that we have to do this by hand.

Why would the symbol be interesting if the bugtype is wrong? You imagine something like division by a zero handle? Do we really mind the updates to the handle highlighted in this case? I guess we do.

Maybe we should make "note tag tags" to avoid users writing this by hand. Like, note tags are tagged with note tag tags and the report is also tagged with a note tag tag and the tag is invoked only if the tag tag on the report matches the tag tag on the tag. Setting a tag tag on the report will be equivalent to calling an "addVisitor" on the report in the visitor API, which was actually a good part of the visitor API.

Just thinking out loud, please ignore. This code is a nice example to generalize from.

365

Another option here is to concatenate the notes if there are indeed two interesting handles at once: `Handle is allocated through 2nd parameter; Handle is released through 3rd parameter". In this checker it probably never happens, as every report is about exactly one handle (is it true for leak reports though?).

xazax.hun updated this revision to Diff 231989.Dec 3 2019, 2:13 PM
xazax.hun marked 5 inline comments as done.
  • Address review comments.
clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp
359–362

I totally agree :) But if we do something like this please do not call the tag tag a tag. It will confuse people. :D

365

I think this is true for leaks as well, as we will generate a new report for each of the symbols.

xazax.hun added a comment.EditedDec 3 2019, 2:17 PM
In D70725#1767673, @NoQ wrote:
In D70725#1767643, @Charusso wrote:
In D70725#1767579, @xazax.hun wrote:

Just a small side note. If the state was same as the previous we do not end up creating a new ExplodedNode right? Is this also the case when we add a NoteTag?

It only happens for evaluation when you cannot evaluate something. Other than that Pre/PostCall working fine to add a node with the NoteTag.

Tag pointers are part of the ProgramPoint's identity, which in turn are part of the ExplodedNode's identity. If you make a new note tag and transition into it for the first time, the new node is guaranteed to be fresh.

This is what I suspected. I wonder if all the checks end up using NoteTags will the increased number of nodes ever be a concern? Maybe if the state is the same as the previous we should just not add the note tag?

For example, my checker before the note tag would only generate new nodes if there was an actual change to the state. After this change it probably ends up adding new nodes with empty note tags all the time. This could be bad both for performance and debugging. What do you think?

NoQ added a comment.EditedDec 3 2019, 2:29 PM

Mmm, right, i guess you should also skip adding the tag if the notes array is empty.

There might be more complicated use-cases (especially in ExprEngine itself) where you may end up adding a tag even if the state doesn't change. For instance, when changing an Environment value from absent to UnknownVal, the state doesn't get actually updated. Or making range assumptions over UnknownVal. But i'd argue that we do indeed want the note tag in such cases because it is still worth annotating the ExplodedGraph with an explanation of what's happening. Eg., a note "Assuming a condition is false" makes sense even if the condition is an UnknownVal and no actual constraints are added.

Another example: in a recent StreamChecker review we've been talking about a peculiar stream function that by design closes a file descriptor if it's open but does nothing if the descriptor is already closed. I believe this event deserves a note "The descriptor remains closed" (possibly prunable) even though there is no change in the state. This is something we couldn't do with our usual visitor-based approach which involves observing changes in the state (we technically could, via pattern-matching over the program point, but that'd directly duplicate a lot more of checker logic than usual).

xazax.hun updated this revision to Diff 231996.Dec 3 2019, 2:45 PM
  • Only add note tag if we have actual notes.
xazax.hun added a comment.Dec 3 2019, 2:46 PM
In D70725#1767942, @NoQ wrote:

Mmm, right, i guess you should also skip adding the tag if the notes array is empty.

There might be more complicated use-cases (especially in ExprEngine itself) where you may end up adding a tag even if the state doesn't change. For instance, when changing an Environment value from absent to UnknownVal, the state doesn't get actually updated. Or making range assumptions over UnknownVal. But i'd argue that we do indeed want the note tag in such cases because it is still worth annotating the ExplodedGraph with an explanation of what's happening. Eg., a note "Assuming a condition is false" makes sense even if the condition is an UnknownVal and no actual constraints are added.

Another example: in a recent StreamChecker review we've been talking about a peculiar stream function that by design closes a file descriptor if it's open but does nothing if the descriptor is already closed. I believe this event deserves a note "The descriptor remains closed" (possibly prunable) even though there is no change in the state. This is something we couldn't do with our usual visitor-based approach which involves observing changes in the state (we technically could, via pattern-matching over the program point, but that'd directly duplicate a lot more of checker logic than usual).

I see, that makes sense. I updated the code. I was hoping for a low hanging fruit to make this more user friendly :)

xazax.hun marked an inline comment as done.Dec 3 2019, 2:48 PM
xazax.hun added inline comments.
clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp
307

I will capitalize this name.

NoQ accepted this revision.Dec 9 2019, 7:36 PM

Looks great, thanks!~

This revision is now accepted and ready to land.Dec 9 2019, 7:36 PM
xazax.hun added a comment.Dec 20 2019, 12:39 PM

Thanks for the reviews!

Closed by commit rG59878ec8092b: [analyzer] Add path notes to FuchsiaHandleCheck. (authored by xazax.hun). · Explain WhyDec 20 2019, 12:50 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
2 lines
lib/
StaticAnalyzer/
Checkers/
76 lines
test/
Analysis/
60 lines

Diff 234952

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h

Show First 20 LinesShow All 380 Lines▼ Show 20 Linespublic:
/// Create a PathSensitiveBugReport with a custom uniqueing location. /// Create a PathSensitiveBugReport with a custom uniqueing location.
/// ///
/// The reports that have the same report location, description, bug type, and /// The reports that have the same report location, description, bug type, and
/// ranges are uniqued - only one of the equivalent reports will be presented /// ranges are uniqued - only one of the equivalent reports will be presented
/// to the user. This method allows to rest the location which should be used /// to the user. This method allows to rest the location which should be used
/// for uniquing reports. For example, memory leaks checker, could set this to /// for uniquing reports. For example, memory leaks checker, could set this to
/// the allocation site, rather then the location where the bug is reported. /// the allocation site, rather then the location where the bug is reported.
PathSensitiveBugReport(BugType &bt, StringRef desc, PathSensitiveBugReport(const BugType &bt, StringRef desc,
const ExplodedNode *errorNode, const ExplodedNode *errorNode,
PathDiagnosticLocation LocationToUnique, PathDiagnosticLocation LocationToUnique,
const Decl *DeclToUnique) const Decl *DeclToUnique)
: BugReport(Kind::PathSensitive, bt, desc), ErrorNode(errorNode), : BugReport(Kind::PathSensitive, bt, desc), ErrorNode(errorNode),
ErrorNodeRange(getStmt() ? getStmt()->getSourceRange() : SourceRange()), ErrorNodeRange(getStmt() ? getStmt()->getSourceRange() : SourceRange()),
UniqueingLocation(LocationToUnique), UniqueingDecl(DeclToUnique) { UniqueingLocation(LocationToUnique), UniqueingDecl(DeclToUnique) {
assert(errorNode); assert(errorNode);
} }
▲ Show 20 LinesShow All 383 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp

Show First 20 LinesShow All 193 Lines▼ Show 20 Linespublic:
void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, void printState(raw_ostream &Out, ProgramStateRef State, const char *NL,
const char *Sep) const override; const char *Sep) const override;
}; };
} // end anonymous namespace } // end anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(HStateMap, SymbolRef, HandleState) REGISTER_MAP_WITH_PROGRAMSTATE(HStateMap, SymbolRef, HandleState)
static const ExplodedNode *getAcquireSite(const ExplodedNode *N, SymbolRef Sym,
CheckerContext &Ctx) {
ProgramStateRef State = N->getState();
// When bug type is handle leak, exploded node N does not have state info for
// leaking handle. Get the predecessor of N instead.
if (!State->get<HStateMap>(Sym))
N = N->getFirstPred();
const ExplodedNode *Pred = N;
NoQUnsubmitted
Done
ReplyInline Actions

N = N->getFirstPred().

NoQ: `N = N->getFirstPred()`.
while (N) {
State = N->getState();
if (!State->get<HStateMap>(Sym)) {
const HandleState *HState = Pred->getState()->get<HStateMap>(Sym);
if (HState && (HState->isAllocated() || HState->maybeAllocated()))
return N;
}
Pred = N;
N = N->getFirstPred();
NoQUnsubmitted
Done
ReplyInline Actions

return N;? (eliminates a variable)

NoQ: `return N;`? (eliminates a variable)
}
return nullptr;
}
NoQUnsubmitted
Done
ReplyInline Actions

N = N->getFirstPred().

NoQ: `N = N->getFirstPred()`.
/// Returns the symbols extracted from the argument or null if it cannot be /// Returns the symbols extracted from the argument or null if it cannot be
/// found. /// found.
SymbolRef getFuchsiaHandleSymbol(QualType QT, SVal Arg, ProgramStateRef State) { SymbolRef getFuchsiaHandleSymbol(QualType QT, SVal Arg, ProgramStateRef State) {
int PtrToHandleLevel = 0; int PtrToHandleLevel = 0;
while (QT->isAnyPointerType() || QT->isReferenceType()) { while (QT->isAnyPointerType() || QT->isReferenceType()) {
++PtrToHandleLevel; ++PtrToHandleLevel;
QT = QT->getPointeeType(); QT = QT->getPointeeType();
} }
if (const auto *HandleType = QT->getAs<TypedefType>()) { if (const auto *HandleType = QT->getAs<TypedefType>()) {
if (HandleType->getDecl()->getName() != HandleTypeName) if (HandleType->getDecl()->getName() != HandleTypeName)
return nullptr; return nullptr;
NoQUnsubmitted
Not Done
ReplyInline Actions

Will we ever emit a report against an escaped symbol? If not, there will never be a report to attach the note to.

NoQ: Will we ever emit a report against an escaped symbol? If not, there will never be a report to…
xazax.hunAuthorUnsubmitted
Done
ReplyInline Actions

I think there might be cases where we go from an escaped symbol to released and so on. But you are right, it would not contribute to understanding the actual bug report.

xazax.hun: I think there might be cases where we go from an escaped symbol to released and so on. But you…
if (PtrToHandleLevel > 1) { if (PtrToHandleLevel > 1) {
// Not supported yet. // Not supported yet.
NoQUnsubmitted
Not Done
ReplyInline Actions

If the function is implemented as an eager state split, having a note is great and easy to implement.

If it's implemented as a Schrödinger state split, then i think we should still emit a note at the collapse point (especially given that it may happen in a deeper stack frame than the call that produced the symbol). But this makes me recognize the need for note tags in evalAssume.

NoQ: If the function is implemented as an eager state split, having a note is great and easy to…
xazax.hunAuthorUnsubmitted
Done
ReplyInline Actions

I agree.

xazax.hun: I agree.
return nullptr; return nullptr;
} }
if (PtrToHandleLevel == 0) { if (PtrToHandleLevel == 0) {
return Arg.getAsSymbol(); return Arg.getAsSymbol();
} else { } else {
assert(PtrToHandleLevel == 1); assert(PtrToHandleLevel == 1);
if (Optional<Loc> ArgLoc = Arg.getAs<Loc>()) if (Optional<Loc> ArgLoc = Arg.getAs<Loc>())
▲ Show 20 LinesShow All 54 Lines▼ Show 20 Lines
void FuchsiaHandleChecker::checkPostCall(const CallEvent &Call, void FuchsiaHandleChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl()); const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (!FuncDecl) if (!FuncDecl)
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
std::vector<std::function<std::string(BugReport & BR)>> Notes;
xazax.hunAuthorUnsubmitted
Done
ReplyInline Actions

I will capitalize this name.

xazax.hun: I will capitalize this name.
SymbolRef ResultSymbol = nullptr; SymbolRef ResultSymbol = nullptr;
if (const auto *TypeDefTy = FuncDecl->getReturnType()->getAs<TypedefType>()) if (const auto *TypeDefTy = FuncDecl->getReturnType()->getAs<TypedefType>())
if (TypeDefTy->getDecl()->getName() == ErrorTypeName) if (TypeDefTy->getDecl()->getName() == ErrorTypeName)
ResultSymbol = Call.getReturnValue().getAsSymbol(); ResultSymbol = Call.getReturnValue().getAsSymbol();
// Function returns an open handle. // Function returns an open handle.
if (hasFuchsiaAttr<AcquireHandleAttr>(FuncDecl)) { if (hasFuchsiaAttr<AcquireHandleAttr>(FuncDecl)) {
SymbolRef RetSym = Call.getReturnValue().getAsSymbol(); SymbolRef RetSym = Call.getReturnValue().getAsSymbol();
Show All 12 Lines for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
const HandleState *HState = State->get<HStateMap>(Handle); const HandleState *HState = State->get<HStateMap>(Handle);
if (HState && HState->isEscaped()) if (HState && HState->isEscaped())
continue; continue;
if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD)) { if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD)) {
if (HState && HState->isReleased()) { if (HState && HState->isReleased()) {
reportDoubleRelease(Handle, Call.getArgSourceRange(Arg), C); reportDoubleRelease(Handle, Call.getArgSourceRange(Arg), C);
return; return;
} else {
Notes.push_back([Handle](BugReport &BR) {
auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
if (auto IsInteresting = PathBR->getInterestingnessKind(Handle)) {
return "Handle released here.";
} else } else
return "";
});
State = State->set<HStateMap>(Handle, HandleState::getReleased()); State = State->set<HStateMap>(Handle, HandleState::getReleased());
}
} else if (hasFuchsiaAttr<AcquireHandleAttr>(PVD)) { } else if (hasFuchsiaAttr<AcquireHandleAttr>(PVD)) {
Notes.push_back([Handle](BugReport &BR) {
auto *PathBR = static_cast<PathSensitiveBugReport *>(&BR);
if (auto IsInteresting = PathBR->getInterestingnessKind(Handle)) {
return "Handle allocated here.";
} else
return "";
});
State = State->set<HStateMap>( State = State->set<HStateMap>(
Handle, HandleState::getMaybeAllocated(ResultSymbol)); Handle, HandleState::getMaybeAllocated(ResultSymbol));
} }
} }
C.addTransition(State); const NoteTag *T = nullptr;
if (!Notes.empty()) {
T = C.getNoteTag(
[this, Notes{std::move(Notes)}](BugReport &BR) -> std::string {
if (&BR.getBugType() != &UseAfterReleaseBugType &&
NoQUnsubmitted
Not Done
ReplyInline Actions

Ugh, it sucks that we have to do this by hand.

Why would the symbol be interesting if the bugtype is wrong? You imagine something like division by a zero handle? Do we really mind the updates to the handle highlighted in this case? I guess we do.

Maybe we should make "note tag tags" to avoid users writing this by hand. Like, note tags are tagged with note tag tags and the report is also tagged with a note tag tag and the tag is invoked only if the tag tag on the report matches the tag tag on the tag. Setting a tag tag on the report will be equivalent to calling an "addVisitor" on the report in the visitor API, which was actually a good part of the visitor API.

Just thinking out loud, please ignore. This code is a nice example to generalize from.

NoQ: Ugh, it sucks that we have to do this by hand. Why would the symbol be interesting if the…
xazax.hunAuthorUnsubmitted
Done
ReplyInline Actions

I totally agree :) But if we do something like this please do not call the tag tag a tag. It will confuse people. :D

xazax.hun: I totally agree :) But if we do something like this please do not call the tag tag a tag. It…
&BR.getBugType() != &LeakBugType &&
&BR.getBugType() != &DoubleReleaseBugType)
return "";
NoQUnsubmitted
Not Done
ReplyInline Actions

Another option here is to concatenate the notes if there are indeed two interesting handles at once: `Handle is allocated through 2nd parameter; Handle is released through 3rd parameter". In this checker it probably never happens, as every report is about exactly one handle (is it true for leak reports though?).

NoQ: Another option here is to concatenate the notes if there are indeed two interesting handles at…
xazax.hunAuthorUnsubmitted
Done
ReplyInline Actions

I think this is true for leaks as well, as we will generate a new report for each of the symbols.

xazax.hun: I think this is true for leaks as well, as we will generate a new report for each of the…
for (auto &Note : Notes) {
std::string Text = Note(BR);
if (!Text.empty())
return Text;
}
return "";
});
}
C.addTransition(State, T);
xazax.hunAuthorUnsubmitted
Done
ReplyInline Actions

Hmm, so we have C++14 now and I can do a move capture right? Will update in the next iteration.

xazax.hun: Hmm, so we have C++14 now and I can do a move capture right? Will update in the next iteration.
} }
void FuchsiaHandleChecker::checkDeadSymbols(SymbolReaper &SymReaper, void FuchsiaHandleChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SmallVector<SymbolRef, 2> LeakedSyms; SmallVector<SymbolRef, 2> LeakedSyms;
HStateMapTy TrackedHandles = State->get<HStateMap>(); HStateMapTy TrackedHandles = State->get<HStateMap>();
for (auto &CurItem : TrackedHandles) { for (auto &CurItem : TrackedHandles) {
Show All 19 Lines
// the function failed. // the function failed.
// Moreover, when a handle is known to be zero (the invalid handle), // Moreover, when a handle is known to be zero (the invalid handle),
// we no longer can follow the symbol on the path, becaue the constant // we no longer can follow the symbol on the path, becaue the constant
// zero will be used instead of the symbol. We also do not need to release // zero will be used instead of the symbol. We also do not need to release
// an invalid handle, so we remove the corresponding symbol from the state. // an invalid handle, so we remove the corresponding symbol from the state.
ProgramStateRef FuchsiaHandleChecker::evalAssume(ProgramStateRef State, ProgramStateRef FuchsiaHandleChecker::evalAssume(ProgramStateRef State,
SVal Cond, SVal Cond,
bool Assumption) const { bool Assumption) const {
// TODO: add notes about successes/fails for APIs.
ConstraintManager &Cmr = State->getConstraintManager(); ConstraintManager &Cmr = State->getConstraintManager();
HStateMapTy TrackedHandles = State->get<HStateMap>(); HStateMapTy TrackedHandles = State->get<HStateMap>();
for (auto &CurItem : TrackedHandles) { for (auto &CurItem : TrackedHandles) {
ConditionTruthVal HandleVal = Cmr.isNull(State, CurItem.first); ConditionTruthVal HandleVal = Cmr.isNull(State, CurItem.first);
if (HandleVal.isConstrainedTrue()) { if (HandleVal.isConstrainedTrue()) {
// The handle is invalid. We can no longer follow the symbol on this path. // The handle is invalid. We can no longer follow the symbol on this path.
State = State->remove<HStateMap>(CurItem.first); State = State->remove<HStateMap>(CurItem.first);
} }
▲ Show 20 LinesShow All 84 Lines▼ Show 20 Lines
void FuchsiaHandleChecker::reportBug(SymbolRef Sym, ExplodedNode *ErrorNode, void FuchsiaHandleChecker::reportBug(SymbolRef Sym, ExplodedNode *ErrorNode,
CheckerContext &C, CheckerContext &C,
const SourceRange *Range, const SourceRange *Range,
const BugType &Type, StringRef Msg) const { const BugType &Type, StringRef Msg) const {
if (!ErrorNode) if (!ErrorNode)
return; return;
auto R = std::make_unique<PathSensitiveBugReport>(Type, Msg, ErrorNode); std::unique_ptr<PathSensitiveBugReport> R;
if (Type.isSuppressOnSink()) {
const ExplodedNode *AcquireNode = getAcquireSite(ErrorNode, Sym, C);
NoQUnsubmitted
Not Done
ReplyInline Actions

I wonder how terrible would it be to allow bug visitors (or note tags, which are just an "API sugar" for bug visitors) to mutate the uniqueing location. Because such information is naturally available in the visitor.

It most likely won't work because the information is necessary before the visitors are run. But it would have been nice though, so i feel as if we're missing an opportunity here.

NoQ: I wonder how terrible would it be to allow bug visitors (or note tags, which are just an "API…
xazax.hunAuthorUnsubmitted
Done
ReplyInline Actions

On one hand, it would be nice :) On the other hand we could have more than one visitor and it would be a hell to debug when the visitors disagree an the uniqueing location. If we can come up with an API that is not that easy to misuse, I am in favor of a change like that.

xazax.hun: On one hand, it would be nice :) On the other hand we could have more than one visitor and it…
if (AcquireNode) {
PathDiagnosticLocation LocUsedForUniqueing =
PathDiagnosticLocation::createBegin(
AcquireNode->getStmtForDiagnostics(), C.getSourceManager(),
AcquireNode->getLocationContext());
R = std::make_unique<PathSensitiveBugReport>(
Type, Msg, ErrorNode, LocUsedForUniqueing,
AcquireNode->getLocationContext()->getDecl());
}
}
if (!R)
R = std::make_unique<PathSensitiveBugReport>(Type, Msg, ErrorNode);
if (Range) if (Range)
R->addRange(*Range); R->addRange(*Range);
R->markInteresting(Sym); R->markInteresting(Sym);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
void ento::registerFuchsiaHandleChecker(CheckerManager &mgr) { void ento::registerFuchsiaHandleChecker(CheckerManager &mgr) {
mgr.registerChecker<FuchsiaHandleChecker>(); mgr.registerChecker<FuchsiaHandleChecker>();
Show All 22 Lines

clang/test/Analysis/fuchsia_handle.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=core,fuchsia.HandleChecker -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,fuchsia.HandleChecker -analyzer-output=text \
// RUN: -verify %s
typedef __typeof__(sizeof(int)) size_t; typedef __typeof__(sizeof(int)) size_t;
typedef int zx_status_t; typedef int zx_status_t;
typedef __typeof__(sizeof(int)) zx_handle_t; typedef __typeof__(sizeof(int)) zx_handle_t;
typedef unsigned int uint32_t; typedef unsigned int uint32_t;
#define NULL ((void *)0) #define NULL ((void *)0)
#define ZX_HANDLE_INVALID 0 #define ZX_HANDLE_INVALID 0
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Linesvoid checkNoLeak06() {
if (zx_channel_create(0, &sa, &sb)) if (zx_channel_create(0, &sa, &sb))
return; return;
zx_handle_close(sa); zx_handle_close(sa);
zx_handle_close(sb); zx_handle_close(sb);
} }
void checkLeak01(int tag) { void checkLeak01(int tag) {
zx_handle_t sa, sb; zx_handle_t sa, sb;
if (zx_channel_create(0, &sa, &sb)) if (zx_channel_create(0, &sa, &sb)) // expected-note {{Handle allocated here}}
return; return; // expected-note@-1 {{Assuming the condition is false}}
// expected-note@-2 {{Taking false branch}}
use1(&sa); use1(&sa);
if (tag) if (tag) // expected-note {{Assuming 'tag' is 0}}
zx_handle_close(sa); zx_handle_close(sa);
// expected-note@-2 {{Taking false branch}}
use2(sb); // expected-warning {{Potential leak of handle}} use2(sb); // expected-warning {{Potential leak of handle}}
// expected-note@-1 {{Potential leak of handle}}
zx_handle_close(sb); zx_handle_close(sb);
} }
void checkReportLeakOnOnePath(int tag) {
zx_handle_t sa, sb;
if (zx_channel_create(0, &sa, &sb)) // expected-note {{Handle allocated here}}
return; // expected-note@-1 {{Assuming the condition is false}}
// expected-note@-2 {{Taking false branch}}
zx_handle_close(sb);
switch(tag) { // expected-note {{Control jumps to the 'default' case at line}}
case 0:
use2(sa);
return;
case 1:
use2(sa);
return;
case 2:
use2(sa);
return;
case 3:
use2(sa);
return;
case 4:
use2(sa);
return;
default:
use2(sa);
return; // expected-warning {{Potential leak of handle}}
// expected-note@-1 {{Potential leak of handle}}
}
}
void checkDoubleRelease01(int tag) { void checkDoubleRelease01(int tag) {
zx_handle_t sa, sb; zx_handle_t sa, sb;
zx_channel_create(0, &sa, &sb); zx_channel_create(0, &sa, &sb);
if (tag) // expected-note@-1 {{Handle allocated here}}
zx_handle_close(sa); if (tag) // expected-note {{Assuming 'tag' is not equal to 0}}
zx_handle_close(sa); // expected-note {{Handle released here}}
// expected-note@-2 {{Taking true branch}}
zx_handle_close(sa); // expected-warning {{Releasing a previously released handle}} zx_handle_close(sa); // expected-warning {{Releasing a previously released handle}}
// expected-note@-1 {{Releasing a previously released handle}}
zx_handle_close(sb); zx_handle_close(sb);
} }
void checkUseAfterFree01(int tag) { void checkUseAfterFree01(int tag) {
zx_handle_t sa, sb; zx_handle_t sa, sb;
zx_channel_create(0, &sa, &sb); zx_channel_create(0, &sa, &sb);
// expected-note@-1 {{Handle allocated here}}
// expected-note@-2 {{Handle allocated here}}
// expected-note@+2 {{Taking true branch}}
// expected-note@+1 {{Taking false branch}}
if (tag) { if (tag) {
zx_handle_close(sa); // expected-note@-1 {{Assuming 'tag' is not equal to 0}}
zx_handle_close(sa); // expected-note {{Handle released here}}
use1(&sa); // expected-warning {{Using a previously released handle}} use1(&sa); // expected-warning {{Using a previously released handle}}
// expected-note@-1 {{Using a previously released handle}}
} }
zx_handle_close(sb); // expected-note@-6 {{Assuming 'tag' is 0}}
zx_handle_close(sb); // expected-note {{Handle released here}}
use2(sb); // expected-warning {{Using a previously released handle}} use2(sb); // expected-warning {{Using a previously released handle}}
// expected-note@-1 {{Using a previously released handle}}
} }
void checkMemberOperatorIndices() { void checkMemberOperatorIndices() {
zx_handle_t sa, sb, sc; zx_handle_t sa, sb, sc;
zx_channel_create(0, &sa, &sb); zx_channel_create(0, &sa, &sb);
zx_handle_close(sb); zx_handle_close(sb);
MyType t; MyType t;
sc = t + sa; sc = t + sa;
▲ Show 20 LinesShow All 132 LinesShow Last 20 Lines