This is an archive of the discontinued LLVM Phabricator instance.

Differential D75432

[analyzer][NFC][MallocChecker] Convert many parameters into CallEvent
ClosedPublic

Authored by Szelethus on Mar 1 2020, 5:14 PM.

Details

Reviewers
NoQ
xazax.hun
baloghadamsoftware
dcoughlin
rnkovacs
balazske
martong
Charusso
Commits
rG392222dd7265: [analyzer][NFC][MallocChecker] Convert many parameters into CallEvent
Summary

Exactly what it says on the tin! This is clearly not the end of the road in this direction, the parameters could be merged far more with the use of CallEvent or a better value type in the CallDescriptionMap, but this was shockingly difficult enough on its own. I expect that simplifying the file further will be far easier moving forward.

The end goal is to research how we could create a more mature checker interaction infrastructure for more complicated C++ modeling, and I'm pretty sure that being able successfully split up our giants is the first step in this direction.

Also... as to why I added so much LLVM_UNREACHABLE annotations, I'll provide the following image:

One could explain why this restroom looks like this -- but you could guess what the horrifying story must have been :^)

Diff Detail

Event Timeline

Szelethus created this revision.Mar 1 2020, 5:14 PM
Herald added subscribers: cfe-commits, steakhal, Charusso and 7 others. · View Herald TranscriptMar 1 2020, 5:14 PM
Szelethus added a parent revision: D75431: [analyzer][NFC] Merge checkNewAllocator's paramaters into CXXAllocatorCall.Mar 1 2020, 5:14 PM
Harbormaster completed remote builds in B47739: Diff 247534.Mar 1 2020, 5:20 PM
Charusso accepted this revision.Mar 3 2020, 3:53 AM

Also... as to why I added so much LLVM_UNREACHABLE annotations

I believe it is not necessary to add LLVM_NODISCARD, but as it perfectly works here, I like it.

I would mention the mailing list here as well: http://lists.llvm.org/pipermail/cfe-dev/2020-February/064754.html

This revision is now accepted and ready to land.Mar 3 2020, 3:53 AM
Charusso added a comment.EditedMar 3 2020, 4:00 AM

I have added green markers to all of your patches as well. I really appreciate the simplification of the MallocChecker. May you would commit it as soon as possible, given that you have nailed what Artem has suggested. Cool^2.

xazax.hun added a comment.Mar 3 2020, 5:00 AM

Some nits inline.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1017–1022

What is the main reason of getting rid of the state parameter? I think this could make using these functions more error prone overall as it would be easier to introduce splits in the exploded graph this way (if we somehow wanted to model a function as successive calls of some other functions).

1273–1275

Use auto here to avoid repeating the type.

1676

In functions where we only use ArgExpr to retrieve the corresponding SVal we could pass the SVal in the first place.

Szelethus marked 2 inline comments as done.Mar 3 2020, 5:38 AM
Szelethus added inline comments.
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1017–1022

Refer to @NoQ's earlier inline.

I think this could make using these functions more error prone overall as it would be easier to introduce splits in the exploded graph this way (if we somehow wanted to model a function as successive calls of some other functions).

Why would the removal of a ProgramStateRef parameter cause that?

1676

Long term, I plan to find a better value type for the CallDescriptionMap where information such as this could be retrieved easier, which is why I focused on nothing but the task at hand.

While I would like to see MallocChecker in a healthier state, at times I find the development effort I'm putting into it questionable, so I'll probably stop at the point where I can comfortably split it.

NoQ accepted this revision.Mar 15 2020, 10:50 PM

Must have been annoying, thanks a lot!

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
441–444

Excellent, we should totally do this more often wherever necessary.

631

Is the state parameter still necessary here?

970

CallDescriptionMap was supposed to verify this for us.

1017–1022

if we somehow wanted to model a function as successive calls of some other functions

If we ever want to compose our evaluations, we should do it as a sequence of composable operations on a state, i.e. by not only accepting the state but also returning the state.

2810–2811

Maybe iterate over CallEvent's argument SVals directly? We probably don't have a method for this but it doesn't sound like a too uncommon of a task.

Closed by commit rG392222dd7265: [analyzer][NFC][MallocChecker] Convert many parameters into CallEvent (authored by Szelethus). · Explain WhyMay 19 2020, 5:07 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: ASDenysPetrov. · View Herald TranscriptMay 19 2020, 5:07 PM
balazske added inline comments.May 20 2020, 6:00 AM
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1194

This should be added to avoid later crash (probably not needed for every check kind?):

const FunctionDecl *FD = C.getCalleeDecl(CE);
if (!FD)
  return;
Szelethus marked 3 inline comments as done.May 20 2020, 6:39 AM

I though I addressed the inlines months ago, but seems like I did not. I'll get this done post-commit. Oops.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1194

Not all CallEvents have a corresponding FunctionDecl or a CallExpr, for instance, CXXAllocatorCall corresponds with CXXNewExpr, which is not a CallExpr, but it is handled by this checker. For this reason, I decided to move this check to the individual modeling functions.

Szelethus marked 4 inline comments as done.May 20 2020, 6:48 AM
Szelethus added inline comments.
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
631

Not as per its current usages in the code, but it does make sense, if we do some prechecks and modify the state before calling this functions.

1194

Oh I'm sorry, do we have an actual crash resulting from this?

balazske added inline comments.May 20 2020, 7:13 AM
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1194

I did not look into it by detail but the problem is in MallocChecker::checkOwnershipAttr with a null FD. Probably it is enough to insert a return at that point (makes the crash gone on that analyzed project).

Szelethus marked 2 inline comments as done.May 20 2020, 7:41 AM
Szelethus added inline comments.
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1194

I'm sorry but I don't have enough to follow up on this. On the master branch, everything seems to work smoothly for me (all tests pass) and I didn't get any buildbot failures. Can you post a code snippet?

Szelethus marked an inline comment as done.May 20 2020, 7:44 AM
Szelethus added inline comments.
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1194

If you have a project name, I can analyze that myself to save you the trouble.

vsavchenko added a subscriber: vsavchenko.May 20 2020, 7:47 AM

Hi, @Szelethus, I don't know exactly which of the changes (this one, https://reviews.llvm.org/D75430, or https://reviews.llvm.org/D75431) causes a crash on SQLite, but it's definitely one of these.

Steps to reproduce

clang -cc1 -Wdeprecated-objc-isa-usage -Werror=deprecated-objc-isa-usage -Werror=implicit-function-declaration -analyze -disable-free -main-file-name sqlite3.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=osx -analyzer-checker=security.insecureAPI.decodeValueOfObjCType -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -mthread-model posix -mframe-pointer=all -fno-strict-return -fno-rounding-math -munwind-tables -faligned-alloc-unavailable -target-cpu core2 -dwarf-column-info -target-linker-version 556.6 -Wno-reorder-init-list -Wno-implicit-int-float-conversion -Wno-c99-designator -Wno-final-dtor-non-final-class -Wno-extra-semi-stmt -Wno-misleading-indentation -Wno-quoted-include-in-framework-header -Wno-implicit-fallthrough -Wno-enum-enum-conversion -Wno-enum-float-conversion -ferror-limit 19 -stack-protector 1 -fblocks -fencode-extended-block-signature -fregister-global-dtors-with-atexit -fgnuc-version=4.2.1 -fmax-type-align=16 -analyzer-checker=alpha.unix.SimpleStream,alpha.security.taint,cplusplus.NewDeleteLeaks,core,cplusplus,deadcode,security,unix,osx,nullability -analyzer-config serialize-stats=true,stable-report-filename=true -x c sqlite3-258aa5.c

Output

Assertion failed: (FromPtr && ToPtr && "By this point, FreeMemAux and MallocMemAux should have checked " "whether the argument or the return value is symbolic!"), function ReallocMemAux, file /Users/vsavchenko/source/llvm-project/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp, line 2409.

Attached file is the exact version of SQLite source code to reproduce the issue:

sqlite3-258aa5.c8 MBDownload

Szelethus added a comment.May 20 2020, 7:55 AM

Thanks, I'll get right to it.

balazske added inline comments.May 20 2020, 8:17 AM
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1194

Could not debug the problem because debug info was not there for unknown reason (no exact line locations were printed). But the project was emacs 26.3 configure --with-xpm=no --with-gif=no --with-tiff=no --with-gnutls=no, failed at one of the the first files with CodeChecker analyze.

Szelethus marked an inline comment as done.May 20 2020, 8:47 AM

This will take a while for me to fix (couple hours, wanna wait for creduce to finish running, and I needed to compile llvm on the server as well), but I'll get it done probably today.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1194

No worries, I'll attend to it myself. Thank you for the quick response though!

Szelethus added a comment.May 20 2020, 4:05 PM

rG1d393eac8f6907074138612e18d5d1da803b4ad0 should fix this.

Szelethus mentioned this in rG1d393eac8f69: [analyzer] Fix a null FunctionDecl dereference bug after D75432.May 20 2020, 4:34 PM
Szelethus mentioned this in D102835: [analyzer] Correctly propagate ConstructionContextLayer thru ParenExpr.May 20 2021, 4:27 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
411 lines

Diff 265091

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 41 Lines▼ Show 20 Lines
// the above checkers, it has it's own file, hence the many InnerPointerChecker // the above checkers, it has it's own file, hence the many InnerPointerChecker
// related headers and non-static functions. // related headers and non-static functions.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "AllocationState.h" #include "AllocationState.h"
#include "InterCheckerAPI.h" #include "InterCheckerAPI.h"
#include "clang/AST/Attr.h" #include "clang/AST/Attr.h"
#include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h"
#include "clang/AST/ParentMap.h" #include "clang/AST/ParentMap.h"
#include "clang/Basic/LLVM.h"
#include "clang/Basic/SourceManager.h" #include "clang/Basic/SourceManager.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "llvm/Support/Compiler.h"
#include "llvm/Support/ErrorHandling.h" #include "llvm/Support/ErrorHandling.h"
#include <climits> #include <climits>
#include <functional> #include <functional>
#include <utility> #include <utility>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace std::placeholders; using namespace std::placeholders;
▲ Show 20 LinesShow All 185 Lines▼ Show 20 Lines
} // end of anonymous namespace } // end of anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair) REGISTER_MAP_WITH_PROGRAMSTATE(ReallocPairs, SymbolRef, ReallocPair)
/// Tells if the callee is one of the builtin new/delete operators, including /// Tells if the callee is one of the builtin new/delete operators, including
/// placement operators and other standard overloads. /// placement operators and other standard overloads.
static bool isStandardNewDelete(const FunctionDecl *FD); static bool isStandardNewDelete(const FunctionDecl *FD);
static bool isStandardNewDelete(const CallEvent &Call) { static bool isStandardNewDelete(const CallEvent &Call) {
if (!Call.getDecl()) if (!Call.getDecl() || !isa<FunctionDecl>(Call.getDecl()))
return false; return false;
return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl())); return isStandardNewDelete(cast<FunctionDecl>(Call.getDecl()));
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Definition of the MallocChecker class. // Definition of the MallocChecker class.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class MallocChecker class MallocChecker
: public Checker<check::DeadSymbols, check::PointerEscape, : public Checker<check::DeadSymbols, check::PointerEscape,
check::ConstPointerEscape, check::PreStmt<ReturnStmt>, check::ConstPointerEscape, check::PreStmt<ReturnStmt>,
check::EndFunction, check::PreCall, check::PostCall, check::EndFunction, check::PreCall, check::PostCall,
check::PostStmt<CXXNewExpr>, check::NewAllocator, check::NewAllocator, check::PostStmt<BlockExpr>,
check::PostStmt<BlockExpr>, check::PostObjCMessage, check::PostObjCMessage, check::Location, eval::Assume> {
check::Location, eval::Assume> {
public: public:
/// In pessimistic mode, the checker assumes that it does not know which /// In pessimistic mode, the checker assumes that it does not know which
/// functions might free the memory. /// functions might free the memory.
/// In optimistic mode, the checker assumes that all user-defined functions /// In optimistic mode, the checker assumes that all user-defined functions
/// which might free a pointer are annotated. /// which might free a pointer are annotated.
DefaultBool ShouldIncludeOwnershipAnnotatedFunctions; DefaultBool ShouldIncludeOwnershipAnnotatedFunctions;
/// Many checkers are essentially built into this one, so enabling them will /// Many checkers are essentially built into this one, so enabling them will
Show All 12 Linespublic:
using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>; using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>;
DefaultBool ChecksEnabled[CK_NumCheckKinds]; DefaultBool ChecksEnabled[CK_NumCheckKinds];
CheckerNameRef CheckNames[CK_NumCheckKinds]; CheckerNameRef CheckNames[CK_NumCheckKinds];
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
void checkNewAllocator(const CXXAllocatorCall &Call, CheckerContext &C) const; void checkNewAllocator(const CXXAllocatorCall &Call, CheckerContext &C) const;
void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const; void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
bool Assumption) const; bool Assumption) const;
Show All 19 Linesprivate:
mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds]; mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds]; mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds]; mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_MismatchedDealloc; mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds]; mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds]; mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
#define CHECK_FN(NAME) \ #define CHECK_FN(NAME) \
void NAME(CheckerContext &C, const CallExpr *CE, ProgramStateRef State) const; void NAME(const CallEvent &Call, CheckerContext &C) const;
CHECK_FN(checkFree) CHECK_FN(checkFree)
CHECK_FN(checkIfNameIndex) CHECK_FN(checkIfNameIndex)
CHECK_FN(checkBasicAlloc) CHECK_FN(checkBasicAlloc)
CHECK_FN(checkKernelMalloc) CHECK_FN(checkKernelMalloc)
CHECK_FN(checkCalloc) CHECK_FN(checkCalloc)
CHECK_FN(checkAlloca) CHECK_FN(checkAlloca)
CHECK_FN(checkStrdup) CHECK_FN(checkStrdup)
CHECK_FN(checkIfFreeNameIndex) CHECK_FN(checkIfFreeNameIndex)
CHECK_FN(checkCXXNewOrCXXDelete) CHECK_FN(checkCXXNewOrCXXDelete)
CHECK_FN(checkGMalloc0) CHECK_FN(checkGMalloc0)
CHECK_FN(checkGMemdup) CHECK_FN(checkGMemdup)
CHECK_FN(checkGMallocN) CHECK_FN(checkGMallocN)
CHECK_FN(checkGMallocN0) CHECK_FN(checkGMallocN0)
CHECK_FN(checkReallocN) CHECK_FN(checkReallocN)
CHECK_FN(checkOwnershipAttr) CHECK_FN(checkOwnershipAttr)
void checkRealloc(CheckerContext &C, const CallExpr *CE, void checkRealloc(const CallEvent &Call, CheckerContext &C,
ProgramStateRef State, bool ShouldFreeOnFail) const; bool ShouldFreeOnFail) const;
using CheckFn = using CheckFn = std::function<void(const MallocChecker *,
std::function<void(const MallocChecker *, CheckerContext &C, const CallEvent &Call, CheckerContext &C)>;
const CallExpr *CE, ProgramStateRef State)>;
const CallDescriptionMap<CheckFn> FreeingMemFnMap{ const CallDescriptionMap<CheckFn> FreeingMemFnMap{
{{"free", 1}, &MallocChecker::checkFree}, {{"free", 1}, &MallocChecker::checkFree},
{{"if_freenameindex", 1}, &MallocChecker::checkIfFreeNameIndex}, {{"if_freenameindex", 1}, &MallocChecker::checkIfFreeNameIndex},
{{"kfree", 1}, &MallocChecker::checkFree}, {{"kfree", 1}, &MallocChecker::checkFree},
{{"g_free", 1}, &MallocChecker::checkFree}, {{"g_free", 1}, &MallocChecker::checkFree},
}; };
Show All 21 Lines CallDescriptionMap<CheckFn> AllocatingMemFnMap{
{{"g_malloc_n", 2}, &MallocChecker::checkGMallocN}, {{"g_malloc_n", 2}, &MallocChecker::checkGMallocN},
{{"g_malloc0_n", 2}, &MallocChecker::checkGMallocN0}, {{"g_malloc0_n", 2}, &MallocChecker::checkGMallocN0},
{{"g_try_malloc_n", 2}, &MallocChecker::checkGMallocN}, {{"g_try_malloc_n", 2}, &MallocChecker::checkGMallocN},
{{"g_try_malloc0_n", 2}, &MallocChecker::checkGMallocN0}, {{"g_try_malloc0_n", 2}, &MallocChecker::checkGMallocN0},
}; };
CallDescriptionMap<CheckFn> ReallocatingMemFnMap{ CallDescriptionMap<CheckFn> ReallocatingMemFnMap{
{{"realloc", 2}, {{"realloc", 2},
std::bind(&MallocChecker::checkRealloc, _1, _2, _3, _4, false)}, std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
{{"reallocf", 2}, {{"reallocf", 2},
std::bind(&MallocChecker::checkRealloc, _1, _2, _3, _4, true)}, std::bind(&MallocChecker::checkRealloc, _1, _2, _3, true)},
{{"g_realloc", 2}, {{"g_realloc", 2},
std::bind(&MallocChecker::checkRealloc, _1, _2, _3, _4, false)}, std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
{{"g_try_realloc", 2}, {{"g_try_realloc", 2},
std::bind(&MallocChecker::checkRealloc, _1, _2, _3, _4, false)}, std::bind(&MallocChecker::checkRealloc, _1, _2, _3, false)},
{{"g_realloc_n", 3}, &MallocChecker::checkReallocN}, {{"g_realloc_n", 3}, &MallocChecker::checkReallocN},
{{"g_try_realloc_n", 3}, &MallocChecker::checkReallocN}, {{"g_try_realloc_n", 3}, &MallocChecker::checkReallocN},
}; };
bool isMemCall(const CallEvent &Call) const; bool isMemCall(const CallEvent &Call) const;
// TODO: Remove mutable by moving the initializtaion to the registry function. // TODO: Remove mutable by moving the initializtaion to the registry function.
mutable Optional<uint64_t> KernelZeroFlagVal; mutable Optional<uint64_t> KernelZeroFlagVal;
using KernelZeroSizePtrValueTy = Optional<int>; using KernelZeroSizePtrValueTy = Optional<int>;
/// Store the value of macro called `ZERO_SIZE_PTR`. /// Store the value of macro called `ZERO_SIZE_PTR`.
/// The value is initialized at first use, before first use the outer /// The value is initialized at first use, before first use the outer
/// Optional is empty, afterwards it contains another Optional that indicates /// Optional is empty, afterwards it contains another Optional that indicates
/// if the macro value could be determined, and if yes the value itself. /// if the macro value could be determined, and if yes the value itself.
mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue; mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue;
/// Process C++ operator new()'s allocation, which is the part of C++ /// Process C++ operator new()'s allocation, which is the part of C++
/// new-expression that goes before the constructor. /// new-expression that goes before the constructor.
void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C, LLVM_NODISCARD
SVal Target, AllocationFamily Family) const; ProgramStateRef processNewAllocation(const CXXAllocatorCall &Call,
CheckerContext &C,
AllocationFamily Family) const;
NoQUnsubmitted
Done
ReplyInline Actions

Excellent, we should totally do this more often wherever necessary.

NoQ: Excellent, we should totally do this more often wherever necessary.
/// Perform a zero-allocation check. /// Perform a zero-allocation check.
/// ///
/// \param [in] E The expression that allocates memory. /// \param [in] E The expression that allocates memory.
/// \param [in] IndexOfSizeArg Index of the argument that specifies the size /// \param [in] IndexOfSizeArg Index of the argument that specifies the size
/// of the memory that needs to be allocated. E.g. for malloc, this would be /// of the memory that needs to be allocated. E.g. for malloc, this would be
/// 0. /// 0.
/// \param [in] RetVal Specifies the newly allocated pointer value; /// \param [in] RetVal Specifies the newly allocated pointer value;
/// if unspecified, the value of expression \p E is used. /// if unspecified, the value of expression \p E is used.
static ProgramStateRef ProcessZeroAllocCheck(CheckerContext &C, const Expr *E, LLVM_NODISCARD
static ProgramStateRef ProcessZeroAllocCheck(const CallEvent &Call,
const unsigned IndexOfSizeArg, const unsigned IndexOfSizeArg,
ProgramStateRef State, ProgramStateRef State,
Optional<SVal> RetVal = None); Optional<SVal> RetVal = None);
/// Model functions with the ownership_returns attribute. /// Model functions with the ownership_returns attribute.
/// ///
/// User-defined function may have the ownership_returns attribute, which /// User-defined function may have the ownership_returns attribute, which
/// annotates that the function returns with an object that was allocated on /// annotates that the function returns with an object that was allocated on
/// the heap, and passes the ownertship to the callee. /// the heap, and passes the ownertship to the callee.
/// ///
/// void __attribute((ownership_returns(malloc, 1))) *my_malloc(size_t); /// void __attribute((ownership_returns(malloc, 1))) *my_malloc(size_t);
/// ///
/// It has two parameters: /// It has two parameters:
/// - first: name of the resource (e.g. 'malloc') /// - first: name of the resource (e.g. 'malloc')
/// - (OPTIONAL) second: size of the allocated region /// - (OPTIONAL) second: size of the allocated region
/// ///
/// \param [in] CE The expression that allocates memory. /// \param [in] CE The expression that allocates memory.
/// \param [in] Att The ownership_returns attribute. /// \param [in] Att The ownership_returns attribute.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \returns The ProgramState right after allocation. /// \returns The ProgramState right after allocation.
ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, LLVM_NODISCARD
const CallExpr *CE, ProgramStateRef MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
const OwnershipAttr* Att, const OwnershipAttr *Att,
ProgramStateRef State) const; ProgramStateRef State) const;
/// Models memory allocation. /// Models memory allocation.
/// ///
/// \param [in] CE The expression that allocates memory. /// \param [in] CE The expression that allocates memory.
/// \param [in] SizeEx Size of the memory that needs to be allocated. /// \param [in] SizeEx Size of the memory that needs to be allocated.
/// \param [in] Init The value the allocated memory needs to be initialized. /// \param [in] Init The value the allocated memory needs to be initialized.
/// with. For example, \c calloc initializes the allocated memory to 0, /// with. For example, \c calloc initializes the allocated memory to 0,
/// malloc leaves it undefined. /// malloc leaves it undefined.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \returns The ProgramState right after allocation. /// \returns The ProgramState right after allocation.
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, LLVM_NODISCARD
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call,
const Expr *SizeEx, SVal Init, const Expr *SizeEx, SVal Init,
ProgramStateRef State, ProgramStateRef State,
AllocationFamily Family); AllocationFamily Family);
/// Models memory allocation. /// Models memory allocation.
/// ///
/// \param [in] CE The expression that allocates memory. /// \param [in] CE The expression that allocates memory.
/// \param [in] Size Size of the memory that needs to be allocated. /// \param [in] Size Size of the memory that needs to be allocated.
/// \param [in] Init The value the allocated memory needs to be initialized. /// \param [in] Init The value the allocated memory needs to be initialized.
/// with. For example, \c calloc initializes the allocated memory to 0, /// with. For example, \c calloc initializes the allocated memory to 0,
/// malloc leaves it undefined. /// malloc leaves it undefined.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \returns The ProgramState right after allocation. /// \returns The ProgramState right after allocation.
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE, LLVM_NODISCARD
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallEvent &Call,
SVal Size, SVal Init, SVal Size, SVal Init,
ProgramStateRef State, ProgramStateRef State,
AllocationFamily Family); AllocationFamily Family);
LLVM_NODISCARD
static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE, static ProgramStateRef addExtentSize(CheckerContext &C, const CXXNewExpr *NE,
ProgramStateRef State, SVal Target); ProgramStateRef State, SVal Target);
// Check if this malloc() for special flags. At present that means M_ZERO or // Check if this malloc() for special flags. At present that means M_ZERO or
// __GFP_ZERO (in which case, treat it like calloc). // __GFP_ZERO (in which case, treat it like calloc).
LLVM_NODISCARD
llvm::Optional<ProgramStateRef> llvm::Optional<ProgramStateRef>
performKernelMalloc(const CallExpr *CE, CheckerContext &C, performKernelMalloc(const CallEvent &Call, CheckerContext &C,
const ProgramStateRef &State) const; const ProgramStateRef &State) const;
/// Model functions with the ownership_takes and ownership_holds attributes. /// Model functions with the ownership_takes and ownership_holds attributes.
/// ///
/// User-defined function may have the ownership_takes and/or ownership_holds /// User-defined function may have the ownership_takes and/or ownership_holds
/// attributes, which annotates that the function frees the memory passed as a /// attributes, which annotates that the function frees the memory passed as a
/// parameter. /// parameter.
/// ///
/// void __attribute((ownership_takes(malloc, 1))) my_free(void *); /// void __attribute((ownership_takes(malloc, 1))) my_free(void *);
/// void __attribute((ownership_holds(malloc, 1))) my_hold(void *); /// void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
/// ///
/// They have two parameters: /// They have two parameters:
/// - first: name of the resource (e.g. 'malloc') /// - first: name of the resource (e.g. 'malloc')
/// - second: index of the parameter the attribute applies to /// - second: index of the parameter the attribute applies to
/// ///
/// \param [in] CE The expression that frees memory. /// \param [in] CE The expression that frees memory.
/// \param [in] Att The ownership_takes or ownership_holds attribute. /// \param [in] Att The ownership_takes or ownership_holds attribute.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \returns The ProgramState right after deallocation. /// \returns The ProgramState right after deallocation.
ProgramStateRef FreeMemAttr(CheckerContext &C, const CallExpr *CE, LLVM_NODISCARD
ProgramStateRef FreeMemAttr(CheckerContext &C, const CallEvent &Call,
const OwnershipAttr* Att, const OwnershipAttr *Att,
ProgramStateRef State) const; ProgramStateRef State) const;
/// Models memory deallocation. /// Models memory deallocation.
/// ///
/// \param [in] CE The expression that frees memory. /// \param [in] CE The expression that frees memory.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// \param [in] Num Index of the argument that needs to be freed. This is /// \param [in] Num Index of the argument that needs to be freed. This is
/// normally 0, but for custom free functions it may be different. /// normally 0, but for custom free functions it may be different.
/// \param [in] Hold Whether the parameter at \p Index has the ownership_holds /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
/// attribute. /// attribute.
/// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
/// to have been allocated, or in other words, the symbol to be freed was /// to have been allocated, or in other words, the symbol to be freed was
/// registered as allocated by this checker. In the following case, \c ptr /// registered as allocated by this checker. In the following case, \c ptr
/// isn't known to be allocated. /// isn't known to be allocated.
/// void Haha(int *ptr) { /// void Haha(int *ptr) {
/// ptr = realloc(ptr, 67); /// ptr = realloc(ptr, 67);
/// // ... /// // ...
/// } /// }
/// \param [in] ReturnsNullOnFailure Whether the memory deallocation function /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
/// we're modeling returns with Null on failure. /// we're modeling returns with Null on failure.
/// \returns The ProgramState right after deallocation. /// \returns The ProgramState right after deallocation.
ProgramStateRef FreeMemAux(CheckerContext &C, const CallExpr *CE, LLVM_NODISCARD
ProgramStateRef FreeMemAux(CheckerContext &C, const CallEvent &Call,
ProgramStateRef State, unsigned Num, bool Hold, ProgramStateRef State, unsigned Num, bool Hold,
bool &IsKnownToBeAllocated, bool &IsKnownToBeAllocated,
AllocationFamily Family, AllocationFamily Family,
bool ReturnsNullOnFailure = false) const; bool ReturnsNullOnFailure = false) const;
/// Models memory deallocation. /// Models memory deallocation.
/// ///
/// \param [in] ArgExpr The variable who's pointee needs to be freed. /// \param [in] ArgExpr The variable who's pointee needs to be freed.
/// \param [in] ParentExpr The expression that frees the memory. /// \param [in] ParentExpr The expression that frees the memory.
/// \param [in] State The \c ProgramState right before allocation. /// \param [in] State The \c ProgramState right before allocation.
/// normally 0, but for custom free functions it may be different. /// normally 0, but for custom free functions it may be different.
/// \param [in] Hold Whether the parameter at \p Index has the ownership_holds /// \param [in] Hold Whether the parameter at \p Index has the ownership_holds
/// attribute. /// attribute.
/// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known /// \param [out] IsKnownToBeAllocated Whether the memory to be freed is known
/// to have been allocated, or in other words, the symbol to be freed was /// to have been allocated, or in other words, the symbol to be freed was
/// registered as allocated by this checker. In the following case, \c ptr /// registered as allocated by this checker. In the following case, \c ptr
/// isn't known to be allocated. /// isn't known to be allocated.
/// void Haha(int *ptr) { /// void Haha(int *ptr) {
/// ptr = realloc(ptr, 67); /// ptr = realloc(ptr, 67);
/// // ... /// // ...
/// } /// }
/// \param [in] ReturnsNullOnFailure Whether the memory deallocation function /// \param [in] ReturnsNullOnFailure Whether the memory deallocation function
/// we're modeling returns with Null on failure. /// we're modeling returns with Null on failure.
/// \returns The ProgramState right after deallocation. /// \returns The ProgramState right after deallocation.
LLVM_NODISCARD
ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *ArgExpr, ProgramStateRef FreeMemAux(CheckerContext &C, const Expr *ArgExpr,
const Expr *ParentExpr, ProgramStateRef State, const CallEvent &Call, ProgramStateRef State,
bool Hold, bool &IsKnownToBeAllocated, bool Hold, bool &IsKnownToBeAllocated,
AllocationFamily Family, AllocationFamily Family,
bool ReturnsNullOnFailure = false) const; bool ReturnsNullOnFailure = false) const;
// TODO: Needs some refactoring, as all other deallocation modeling // TODO: Needs some refactoring, as all other deallocation modeling
// functions are suffering from out parameters and messy code due to how // functions are suffering from out parameters and messy code due to how
// realloc is handled. // realloc is handled.
// //
/// Models memory reallocation. /// Models memory reallocation.
/// ///
/// \param [in] CE The expression that reallocated memory /// \param [in] CE The expression that reallocated memory
/// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied /// \param [in] ShouldFreeOnFail Whether if reallocation fails, the supplied
/// memory should be freed. /// memory should be freed.
/// \param [in] State The \c ProgramState right before reallocation. /// \param [in] State The \c ProgramState right before reallocation.
/// \param [in] SuffixWithN Whether the reallocation function we're modeling /// \param [in] SuffixWithN Whether the reallocation function we're modeling
/// has an '_n' suffix, such as g_realloc_n. /// has an '_n' suffix, such as g_realloc_n.
/// \returns The ProgramState right after reallocation. /// \returns The ProgramState right after reallocation.
ProgramStateRef ReallocMemAux(CheckerContext &C, const CallExpr *CE, LLVM_NODISCARD
ProgramStateRef ReallocMemAux(CheckerContext &C, const CallEvent &Call,
bool ShouldFreeOnFail, ProgramStateRef State, bool ShouldFreeOnFail, ProgramStateRef State,
AllocationFamily Family, AllocationFamily Family,
bool SuffixWithN = false) const; bool SuffixWithN = false) const;
/// Evaluates the buffer size that needs to be allocated. /// Evaluates the buffer size that needs to be allocated.
/// ///
/// \param [in] Blocks The amount of blocks that needs to be allocated. /// \param [in] Blocks The amount of blocks that needs to be allocated.
/// \param [in] BlockBytes The size of a block. /// \param [in] BlockBytes The size of a block.
/// \returns The symbolic value of \p Blocks * \p BlockBytes. /// \returns The symbolic value of \p Blocks * \p BlockBytes.
LLVM_NODISCARD
static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, static SVal evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
const Expr *BlockBytes); const Expr *BlockBytes);
/// Models zero initialized array allocation. /// Models zero initialized array allocation.
/// ///
/// \param [in] CE The expression that reallocated memory /// \param [in] CE The expression that reallocated memory
/// \param [in] State The \c ProgramState right before reallocation. /// \param [in] State The \c ProgramState right before reallocation.
/// \returns The ProgramState right after allocation. /// \returns The ProgramState right after allocation.
static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE, LLVM_NODISCARD
static ProgramStateRef CallocMem(CheckerContext &C, const CallEvent &Call,
ProgramStateRef State); ProgramStateRef State);
NoQUnsubmitted
Done
ReplyInline Actions

Is the state parameter still necessary here?

NoQ: Is the state parameter still necessary here?
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

Not as per its current usages in the code, but it does make sense, if we do some prechecks and modify the state before calling this functions.

Szelethus: Not as per its current usages in the code, but it does make sense, if we do some prechecks and…
/// See if deallocation happens in a suspicious context. If so, escape the /// See if deallocation happens in a suspicious context. If so, escape the
/// pointers that otherwise would have been deallocated and return true. /// pointers that otherwise would have been deallocated and return true.
bool suppressDeallocationsInSuspiciousContexts(const CallExpr *CE, bool suppressDeallocationsInSuspiciousContexts(const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
/// If in \p S \p Sym is used, check whether \p Sym was already freed. /// If in \p S \p Sym is used, check whether \p Sym was already freed.
bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const; bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;
/// If in \p S \p Sym is used, check whether \p Sym was allocated as a zero /// If in \p S \p Sym is used, check whether \p Sym was allocated as a zero
/// sized memory region. /// sized memory region.
void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
Show All 12 Lines#define CHECK_FN(NAME) \
/// ///
/// We assume that pointers do not escape through calls to system functions /// We assume that pointers do not escape through calls to system functions
/// not handled by this checker. /// not handled by this checker.
bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call, bool mayFreeAnyEscapedMemoryOrIsModeledExplicitly(const CallEvent *Call,
ProgramStateRef State, ProgramStateRef State,
SymbolRef &EscapingSymbol) const; SymbolRef &EscapingSymbol) const;
/// Implementation of the checkPointerEscape callbacks. /// Implementation of the checkPointerEscape callbacks.
LLVM_NODISCARD
ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, ProgramStateRef checkPointerEscapeAux(ProgramStateRef State,
const InvalidatedSymbols &Escaped, const InvalidatedSymbols &Escaped,
const CallEvent *Call, const CallEvent *Call,
PointerEscapeKind Kind, PointerEscapeKind Kind,
bool IsConstPointerEscape) const; bool IsConstPointerEscape) const;
// Implementation of the checkPreStmt and checkEndFunction callbacks. // Implementation of the checkPreStmt and checkEndFunction callbacks.
void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const; void checkEscapeOnReturn(const ReturnStmt *S, CheckerContext &C) const;
▲ Show 20 LinesShow All 246 Lines▼ Show 20 Linesbool MallocChecker::isMemCall(const CallEvent &Call) const {
if (!ShouldIncludeOwnershipAnnotatedFunctions) if (!ShouldIncludeOwnershipAnnotatedFunctions)
return false; return false;
const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl()); const auto *Func = dyn_cast<FunctionDecl>(Call.getDecl());
return Func && Func->hasAttr<OwnershipAttr>(); return Func && Func->hasAttr<OwnershipAttr>();
} }
llvm::Optional<ProgramStateRef> llvm::Optional<ProgramStateRef>
MallocChecker::performKernelMalloc(const CallExpr *CE, CheckerContext &C, MallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C,
const ProgramStateRef &State) const { const ProgramStateRef &State) const {
// 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels: // 3-argument malloc(), as commonly used in {Free,Net,Open}BSD Kernels:
// //
// void *malloc(unsigned long size, struct malloc_type *mtp, int flags); // void *malloc(unsigned long size, struct malloc_type *mtp, int flags);
// //
// One of the possible flags is M_ZERO, which means 'give me back an // One of the possible flags is M_ZERO, which means 'give me back an
// allocation which is already zeroed', like calloc. // allocation which is already zeroed', like calloc.
Show All 26 Lines else
// Fall back to normal malloc behavior on platforms where we don't // Fall back to normal malloc behavior on platforms where we don't
// know M_ZERO. // know M_ZERO.
return None; return None;
} }
// We treat the last argument as the flags argument, and callers fall-back to // We treat the last argument as the flags argument, and callers fall-back to
// normal malloc on a None return. This works for the FreeBSD kernel malloc // normal malloc on a None return. This works for the FreeBSD kernel malloc
// as well as Linux kmalloc. // as well as Linux kmalloc.
if (CE->getNumArgs() < 2) if (Call.getNumArgs() < 2)
NoQUnsubmitted
Not Done
ReplyInline Actions

CallDescriptionMap was supposed to verify this for us.

NoQ: `CallDescriptionMap` was supposed to verify this for us.
return None; return None;
const Expr *FlagsEx = CE->getArg(CE->getNumArgs() - 1); const Expr *FlagsEx = Call.getArgExpr(Call.getNumArgs() - 1);
const SVal V = C.getSVal(FlagsEx); const SVal V = C.getSVal(FlagsEx);
if (!V.getAs<NonLoc>()) { if (!V.getAs<NonLoc>()) {
// The case where 'V' can be a location can only be due to a bad header, // The case where 'V' can be a location can only be due to a bad header,
// so in this case bail out. // so in this case bail out.
return None; return None;
} }
NonLoc Flags = V.castAs<NonLoc>(); NonLoc Flags = V.castAs<NonLoc>();
Show All 9 LinesMallocChecker::performKernelMalloc(const CallEvent &Call, CheckerContext &C,
// Check if maskedFlags is non-zero. // Check if maskedFlags is non-zero.
ProgramStateRef TrueState, FalseState; ProgramStateRef TrueState, FalseState;
std::tie(TrueState, FalseState) = State->assume(MaskedFlags); std::tie(TrueState, FalseState) = State->assume(MaskedFlags);
// If M_ZERO is set, treat this like calloc (initialized). // If M_ZERO is set, treat this like calloc (initialized).
if (TrueState && !FalseState) { if (TrueState && !FalseState) {
SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy); SVal ZeroVal = C.getSValBuilder().makeZeroVal(Ctx.CharTy);
return MallocMemAux(C, CE, CE->getArg(0), ZeroVal, TrueState, AF_Malloc); return MallocMemAux(C, Call, Call.getArgExpr(0), ZeroVal, TrueState,
AF_Malloc);
} }
return None; return None;
} }
SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks, SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
const Expr *BlockBytes) { const Expr *BlockBytes) {
SValBuilder &SB = C.getSValBuilder(); SValBuilder &SB = C.getSValBuilder();
SVal BlocksVal = C.getSVal(Blocks); SVal BlocksVal = C.getSVal(Blocks);
SVal BlockBytesVal = C.getSVal(BlockBytes); SVal BlockBytesVal = C.getSVal(BlockBytes);
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal, SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
SB.getContext().getSizeType()); SB.getContext().getSizeType());
return TotalSize; return TotalSize;
} }
void MallocChecker::checkBasicAlloc(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkBasicAlloc(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Malloc); ProgramStateRef State = C.getState();
State = ProcessZeroAllocCheck(C, CE, 0, State); State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
AF_Malloc);
State = ProcessZeroAllocCheck(Call, 0, State);
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

What is the main reason of getting rid of the state parameter? I think this could make using these functions more error prone overall as it would be easier to introduce splits in the exploded graph this way (if we somehow wanted to model a function as successive calls of some other functions).

xazax.hun: What is the main reason of getting rid of the state parameter? I think this could make using…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

Refer to @NoQ's earlier inline.

I think this could make using these functions more error prone overall as it would be easier to introduce splits in the exploded graph this way (if we somehow wanted to model a function as successive calls of some other functions).

Why would the removal of a ProgramStateRef parameter cause that?

Szelethus: Refer to @NoQ's [[https://reviews.llvm.org/D68165?id=222257#inline-612842|earlier inline]]. >…
NoQUnsubmitted
Not Done
ReplyInline Actions

if we somehow wanted to model a function as successive calls of some other functions

If we ever want to compose our evaluations, we should do it as a sequence of composable operations on a state, i.e. by not only accepting the state but also returning the state.

NoQ: > if we somehow wanted to model a function as successive calls of some other functions If we…
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkKernelMalloc(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkKernelMalloc(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
ProgramStateRef State = C.getState();
llvm::Optional<ProgramStateRef> MaybeState = llvm::Optional<ProgramStateRef> MaybeState =
performKernelMalloc(CE, C, State); performKernelMalloc(Call, C, State);
if (MaybeState.hasValue()) if (MaybeState.hasValue())
State = MaybeState.getValue(); State = MaybeState.getValue();
else else
State = State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Malloc); AF_Malloc);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkRealloc(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkRealloc(const CallEvent &Call,
ProgramStateRef State, CheckerContext &C,
bool ShouldFreeOnFail) const { bool ShouldFreeOnFail) const {
State = ReallocMemAux(C, CE, ShouldFreeOnFail, State, AF_Malloc); ProgramStateRef State = C.getState();
State = ProcessZeroAllocCheck(C, CE, 1, State); State = ReallocMemAux(C, Call, ShouldFreeOnFail, State, AF_Malloc);
State = ProcessZeroAllocCheck(Call, 1, State);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkCalloc(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkCalloc(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
State = CallocMem(C, CE, State); ProgramStateRef State = C.getState();
State = ProcessZeroAllocCheck(C, CE, 0, State); State = CallocMem(C, Call, State);
State = ProcessZeroAllocCheck(C, CE, 1, State); State = ProcessZeroAllocCheck(Call, 0, State);
State = ProcessZeroAllocCheck(Call, 1, State);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkFree(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkFree(const CallEvent &Call, CheckerContext &C) const {
ProgramStateRef State) const { ProgramStateRef State = C.getState();
bool IsKnownToBeAllocatedMemory = false; bool IsKnownToBeAllocatedMemory = false;
if (suppressDeallocationsInSuspiciousContexts(CE, C)) if (suppressDeallocationsInSuspiciousContexts(Call, C))
return; return;
State = State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory, AF_Malloc); AF_Malloc);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkAlloca(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkAlloca(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_Alloca); ProgramStateRef State = C.getState();
State = ProcessZeroAllocCheck(C, CE, 0, State); State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
AF_Alloca);
State = ProcessZeroAllocCheck(Call, 0, State);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkStrdup(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkStrdup(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
ProgramStateRef State = C.getState();
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
return;
State = MallocUpdateRefState(C, CE, State, AF_Malloc); State = MallocUpdateRefState(C, CE, State, AF_Malloc);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkIfNameIndex(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkIfNameIndex(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
ProgramStateRef State = C.getState();
// Should we model this differently? We can allocate a fixed number of // Should we model this differently? We can allocate a fixed number of
// elements with zeros in the last one. // elements with zeros in the last one.
State = State =
MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State, AF_IfNameIndex); MallocMemAux(C, Call, UnknownVal(), UnknownVal(), State, AF_IfNameIndex);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkIfFreeNameIndex(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkIfFreeNameIndex(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
ProgramStateRef State = C.getState();
bool IsKnownToBeAllocatedMemory = false; bool IsKnownToBeAllocatedMemory = false;
State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory, State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
AF_IfNameIndex); AF_IfNameIndex);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkCXXNewOrCXXDelete(CheckerContext &C, void MallocChecker::checkCXXNewOrCXXDelete(const CallEvent &Call,
const CallExpr *CE, CheckerContext &C) const {
ProgramStateRef State) const { ProgramStateRef State = C.getState();
bool IsKnownToBeAllocatedMemory = false; bool IsKnownToBeAllocatedMemory = false;
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
return;
assert(isStandardNewDelete(Call));
const FunctionDecl *FD = C.getCalleeDecl(CE);
// Process direct calls to operator new/new[]/delete/delete[] functions // Process direct calls to operator new/new[]/delete/delete[] functions
// as distinct from new/new[]/delete/delete[] expressions that are // as distinct from new/new[]/delete/delete[] expressions that are
// processed by the checkPostStmt callbacks for CXXNewExpr and // processed by the checkPostStmt callbacks for CXXNewExpr and
// CXXDeleteExpr. // CXXDeleteExpr.
const FunctionDecl *FD = C.getCalleeDecl(CE);
switch (FD->getOverloadedOperator()) { switch (FD->getOverloadedOperator()) {
case OO_New: case OO_New:
State = State =
MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, AF_CXXNew); MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State, AF_CXXNew);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(Call, 0, State);
break; break;
case OO_Array_New: case OO_Array_New:
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State, State = MallocMemAux(C, Call, CE->getArg(0), UndefinedVal(), State,
AF_CXXNewArray); AF_CXXNewArray);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(Call, 0, State);
break; break;
case OO_Delete: case OO_Delete:
State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory, State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
AF_CXXNew); AF_CXXNew);
break; break;
case OO_Array_Delete: case OO_Array_Delete:
State = FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocatedMemory, State = FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocatedMemory,
AF_CXXNewArray); AF_CXXNewArray);
break; break;
default: default:
llvm_unreachable("not a new/delete operator"); llvm_unreachable("not a new/delete operator");
} }
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkGMalloc0(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkGMalloc0(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
ProgramStateRef State = C.getState();
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
State = MallocMemAux(C, CE, CE->getArg(0), zeroVal, State, AF_Malloc); State = MallocMemAux(C, Call, Call.getArgExpr(0), zeroVal, State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(Call, 0, State);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkGMemdup(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkGMemdup(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
State = MallocMemAux(C, CE, CE->getArg(1), UndefinedVal(), State, AF_Malloc); ProgramStateRef State = C.getState();
State = ProcessZeroAllocCheck(C, CE, 1, State); State = MallocMemAux(C, Call, Call.getArgExpr(1), UndefinedVal(), State,
AF_Malloc);
State = ProcessZeroAllocCheck(Call, 1, State);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkGMallocN(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkGMallocN(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
ProgramStateRef State = C.getState();
SVal Init = UndefinedVal(); SVal Init = UndefinedVal();
SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
State = MallocMemAux(C, CE, TotalSize, Init, State, AF_Malloc); State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(Call, 0, State);
State = ProcessZeroAllocCheck(C, CE, 1, State); State = ProcessZeroAllocCheck(Call, 1, State);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkGMallocN0(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkGMallocN0(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
ProgramStateRef State = C.getState();
SValBuilder &SB = C.getSValBuilder(); SValBuilder &SB = C.getSValBuilder();
SVal Init = SB.makeZeroVal(SB.getContext().CharTy); SVal Init = SB.makeZeroVal(SB.getContext().CharTy);
SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); SVal TotalSize = evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
State = MallocMemAux(C, CE, TotalSize, Init, State, AF_Malloc); State = MallocMemAux(C, Call, TotalSize, Init, State, AF_Malloc);
State = ProcessZeroAllocCheck(C, CE, 0, State); State = ProcessZeroAllocCheck(Call, 0, State);
State = ProcessZeroAllocCheck(C, CE, 1, State); State = ProcessZeroAllocCheck(Call, 1, State);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkReallocN(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkReallocN(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
State = ReallocMemAux(C, CE, /*ShouldFreeOnFail=*/false, State, AF_Malloc, ProgramStateRef State = C.getState();
State = ReallocMemAux(C, Call, /*ShouldFreeOnFail=*/false, State, AF_Malloc,
/*SuffixWithN=*/true); /*SuffixWithN=*/true);
State = ProcessZeroAllocCheck(C, CE, 1, State); State = ProcessZeroAllocCheck(Call, 1, State);
State = ProcessZeroAllocCheck(C, CE, 2, State); State = ProcessZeroAllocCheck(Call, 2, State);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkOwnershipAttr(CheckerContext &C, const CallExpr *CE, void MallocChecker::checkOwnershipAttr(const CallEvent &Call,
ProgramStateRef State) const { CheckerContext &C) const {
ProgramStateRef State = C.getState();
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
return;
const FunctionDecl *FD = C.getCalleeDecl(CE); const FunctionDecl *FD = C.getCalleeDecl(CE);
if (ShouldIncludeOwnershipAnnotatedFunctions || if (ShouldIncludeOwnershipAnnotatedFunctions ||
ChecksEnabled[CK_MismatchedDeallocatorChecker]) { ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
// Check all the attributes, if there are any. // Check all the attributes, if there are any.
// There can be multiple of these attributes. // There can be multiple of these attributes.
if (FD->hasAttrs()) if (FD->hasAttrs())
for (const auto *I : FD->specific_attrs<OwnershipAttr>()) { for (const auto *I : FD->specific_attrs<OwnershipAttr>()) {
switch (I->getOwnKind()) { switch (I->getOwnKind()) {
case OwnershipAttr::Returns: case OwnershipAttr::Returns:
State = MallocMemReturnsAttr(C, CE, I, State); State = MallocMemReturnsAttr(C, Call, I, State);
break; break;
case OwnershipAttr::Takes: case OwnershipAttr::Takes:
case OwnershipAttr::Holds: case OwnershipAttr::Holds:
State = FreeMemAttr(C, CE, I, State); State = FreeMemAttr(C, Call, I, State);
break; break;
} }
} }
} }
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkPostCall(const CallEvent &Call, void MallocChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
if (C.wasInlined) if (C.wasInlined)
return; return;
if (!Call.getOriginExpr())
const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
return;
const FunctionDecl *FD = C.getCalleeDecl(CE);
if (!FD)
return; return;
balazskeUnsubmitted
Done
ReplyInline Actions

This should be added to avoid later crash (probably not needed for every check kind?):

const FunctionDecl *FD = C.getCalleeDecl(CE);
if (!FD)
  return;
balazske: This should be added to avoid later crash (probably not needed for every check kind?): ```…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

Not all CallEvents have a corresponding FunctionDecl or a CallExpr, for instance, CXXAllocatorCall corresponds with CXXNewExpr, which is not a CallExpr, but it is handled by this checker. For this reason, I decided to move this check to the individual modeling functions.

Szelethus: Not all `CallEvent`s have a corresponding `FunctionDecl` or a `CallExpr`, for instance…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

Oh I'm sorry, do we have an actual crash resulting from this?

Szelethus: Oh I'm sorry, do we have an actual crash resulting from this?
balazskeUnsubmitted
Not Done
ReplyInline Actions

I did not look into it by detail but the problem is in MallocChecker::checkOwnershipAttr with a null FD. Probably it is enough to insert a return at that point (makes the crash gone on that analyzed project).

balazske: I did not look into it by detail but the problem is in `MallocChecker::checkOwnershipAttr` with…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

I'm sorry but I don't have enough to follow up on this. On the master branch, everything seems to work smoothly for me (all tests pass) and I didn't get any buildbot failures. Can you post a code snippet?

Szelethus: I'm sorry but I don't have enough to follow up on this. On the master branch, everything seems…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

If you have a project name, I can analyze that myself to save you the trouble.

Szelethus: If you have a project name, I can analyze that myself to save you the trouble.
balazskeUnsubmitted
Not Done
ReplyInline Actions

Could not debug the problem because debug info was not there for unknown reason (no exact line locations were printed). But the project was emacs 26.3 configure --with-xpm=no --with-gif=no --with-tiff=no --with-gnutls=no, failed at one of the the first files with CodeChecker analyze.

balazske: Could not debug the problem because debug info was not there for unknown reason (no exact line…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

No worries, I'll attend to it myself. Thank you for the quick response though!

Szelethus: No worries, I'll attend to it myself. Thank you for the quick response though!
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (const CheckFn *Callback = FreeingMemFnMap.lookup(Call)) { if (const CheckFn *Callback = FreeingMemFnMap.lookup(Call)) {
(*Callback)(this, C, CE, State); (*Callback)(this, Call, C);
return; return;
} }
if (const CheckFn *Callback = AllocatingMemFnMap.lookup(Call)) { if (const CheckFn *Callback = AllocatingMemFnMap.lookup(Call)) {
(*Callback)(this, C, CE, State); (*Callback)(this, Call, C);
return; return;
} }
if (const CheckFn *Callback = ReallocatingMemFnMap.lookup(Call)) { if (const CheckFn *Callback = ReallocatingMemFnMap.lookup(Call)) {
(*Callback)(this, C, CE, State); (*Callback)(this, Call, C);
return; return;
} }
if (isStandardNewDelete(Call)) { if (isStandardNewDelete(Call)) {
checkCXXNewOrCXXDelete(C, CE, State); checkCXXNewOrCXXDelete(Call, C);
return; return;
} }
checkOwnershipAttr(C, CE, State); checkOwnershipAttr(Call, C);
} }
// Performs a 0-sized allocations check. // Performs a 0-sized allocations check.
ProgramStateRef MallocChecker::ProcessZeroAllocCheck( ProgramStateRef MallocChecker::ProcessZeroAllocCheck(
CheckerContext &C, const Expr *E, const unsigned IndexOfSizeArg, const CallEvent &Call, const unsigned IndexOfSizeArg, ProgramStateRef State,
ProgramStateRef State, Optional<SVal> RetVal) { Optional<SVal> RetVal) {
if (!State) if (!State)
return nullptr; return nullptr;
if (!RetVal) if (!RetVal)
RetVal = C.getSVal(E); RetVal = Call.getReturnValue();
const Expr *Arg = nullptr; const Expr *Arg = nullptr;
if (const CallExpr *CE = dyn_cast<CallExpr>(E)) { if (const CallExpr *CE = dyn_cast<CallExpr>(Call.getOriginExpr())) {
Arg = CE->getArg(IndexOfSizeArg); Arg = CE->getArg(IndexOfSizeArg);
} } else if (const CXXNewExpr *NE =
else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) { dyn_cast<CXXNewExpr>(Call.getOriginExpr())) {
if (NE->isArray()) if (NE->isArray()) {
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Use auto here to avoid repeating the type.

xazax.hun: Use `auto` here to avoid repeating the type.
Arg = *NE->getArraySize(); Arg = *NE->getArraySize();
else } else {
return State; return State;
} }
else } else
llvm_unreachable("not a CallExpr or CXXNewExpr"); llvm_unreachable("not a CallExpr or CXXNewExpr");
assert(Arg); assert(Arg);
Optional<DefinedSVal> DefArgVal = C.getSVal(Arg).getAs<DefinedSVal>(); auto DefArgVal =
State->getSVal(Arg, Call.getLocationContext()).getAs<DefinedSVal>();
if (!DefArgVal) if (!DefArgVal)
return State; return State;
// Check if the allocation size is 0. // Check if the allocation size is 0.
ProgramStateRef TrueState, FalseState; ProgramStateRef TrueState, FalseState;
SValBuilder &SvalBuilder = C.getSValBuilder(); SValBuilder &SvalBuilder = State->getStateManager().getSValBuilder();
DefinedSVal Zero = DefinedSVal Zero =
SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>(); SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();
std::tie(TrueState, FalseState) = std::tie(TrueState, FalseState) =
State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero)); State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));
if (TrueState && !FalseState) { if (TrueState && !FalseState) {
SymbolRef Sym = RetVal->getAsLocSymbol(); SymbolRef Sym = RetVal->getAsLocSymbol();
▲ Show 20 LinesShow All 54 Lines▼ Show 20 Lines for (const auto *CtorParam : CtorD->parameters()) {
if (CtorParamPointeeT->getAsCXXRecordDecl()) if (CtorParamPointeeT->getAsCXXRecordDecl())
return true; return true;
} }
return false; return false;
} }
void MallocChecker::processNewAllocation(const CXXNewExpr *NE, ProgramStateRef
CheckerContext &C, SVal Target, MallocChecker::processNewAllocation(const CXXAllocatorCall &Call,
CheckerContext &C,
AllocationFamily Family) const { AllocationFamily Family) const {
if (!isStandardNewDelete(NE->getOperatorNew())) if (!isStandardNewDelete(Call))
return; return nullptr;
const CXXNewExpr *NE = Call.getOriginExpr();
const ParentMap &PM = C.getLocationContext()->getParentMap(); const ParentMap &PM = C.getLocationContext()->getParentMap();
ProgramStateRef State = C.getState();
// Non-trivial constructors have a chance to escape 'this', but marking all // Non-trivial constructors have a chance to escape 'this', but marking all
// invocations of trivial constructors as escaped would cause too great of // invocations of trivial constructors as escaped would cause too great of
// reduction of true positives, so let's just do that for constructors that // reduction of true positives, so let's just do that for constructors that
// have an argument of a pointer-to-record type. // have an argument of a pointer-to-record type.
if (!PM.isConsumedExpr(NE) && hasNonTrivialConstructorCall(NE)) if (!PM.isConsumedExpr(NE) && hasNonTrivialConstructorCall(NE))
return; return State;
ProgramStateRef State = C.getState();
// The return value from operator new is bound to a specified initialization // The return value from operator new is bound to a specified initialization
// value (if any) and we don't want to loose this value. So we call // value (if any) and we don't want to loose this value. So we call
// MallocUpdateRefState() instead of MallocMemAux() which breaks the // MallocUpdateRefState() instead of MallocMemAux() which breaks the
// existing binding. // existing binding.
SVal Target = Call.getObjectUnderConstruction();
State = MallocUpdateRefState(C, NE, State, Family, Target); State = MallocUpdateRefState(C, NE, State, Family, Target);
State = addExtentSize(C, NE, State, Target); State = addExtentSize(C, NE, State, Target);
State = ProcessZeroAllocCheck(C, NE, 0, State, Target); State = ProcessZeroAllocCheck(Call, 0, State, Target);
C.addTransition(State); return State;
}
void MallocChecker::checkPostStmt(const CXXNewExpr *NE,
CheckerContext &C) const {
if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator) {
if (NE->isArray())
processNewAllocation(NE, C, C.getSVal(NE),
(NE->isArray() ? AF_CXXNewArray : AF_CXXNew));
}
} }
void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call, void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call,
CheckerContext &C) const { CheckerContext &C) const {
if (!C.wasInlined) { if (!C.wasInlined) {
processNewAllocation( ProgramStateRef State = processNewAllocation(
Call.getOriginExpr(), C, Call.getObjectUnderConstruction(), Call, C,
(Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew)); (Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew));
C.addTransition(State);
} }
} }
// Sets the extent value of the MemRegion allocated by // Sets the extent value of the MemRegion allocated by
// new expression NE to its size in Bytes. // new expression NE to its size in Bytes.
// //
ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C, ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
const CXXNewExpr *NE, const CXXNewExpr *NE,
▲ Show 20 LinesShow All 73 Lines▼ Show 20 Lines if (Optional<bool> FreeWhenDone = getFreeWhenDoneArg(Call))
if (!*FreeWhenDone) if (!*FreeWhenDone)
return; return;
if (Call.hasNonZeroCallbackArg()) if (Call.hasNonZeroCallbackArg())
return; return;
bool IsKnownToBeAllocatedMemory; bool IsKnownToBeAllocatedMemory;
ProgramStateRef State = ProgramStateRef State =
FreeMemAux(C, Call.getArgExpr(0), Call.getOriginExpr(), C.getState(), FreeMemAux(C, Call.getArgExpr(0), Call, C.getState(),
/*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc, /*Hold=*/true, IsKnownToBeAllocatedMemory, AF_Malloc,
/*RetNullOnFailure=*/true); /*RetNullOnFailure=*/true);
C.addTransition(State); C.addTransition(State);
} }
ProgramStateRef ProgramStateRef
MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallExpr *CE, MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
const OwnershipAttr *Att, const OwnershipAttr *Att,
ProgramStateRef State) const { ProgramStateRef State) const {
if (!State) if (!State)
return nullptr; return nullptr;
if (Att->getModule()->getName() != "malloc") if (Att->getModule()->getName() != "malloc")
return nullptr; return nullptr;
OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end(); OwnershipAttr::args_iterator I = Att->args_begin(), E = Att->args_end();
if (I != E) { if (I != E) {
return MallocMemAux(C, CE, CE->getArg(I->getASTIndex()), UndefinedVal(), return MallocMemAux(C, Call, Call.getArgExpr(I->getASTIndex()),
State, AF_Malloc); UndefinedVal(), State, AF_Malloc);
} }
return MallocMemAux(C, CE, UnknownVal(), UndefinedVal(), State, AF_Malloc); return MallocMemAux(C, Call, UnknownVal(), UndefinedVal(), State, AF_Malloc);
} }
ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
const CallExpr *CE, const CallEvent &Call,
const Expr *SizeEx, SVal Init, const Expr *SizeEx, SVal Init,
ProgramStateRef State, ProgramStateRef State,
AllocationFamily Family) { AllocationFamily Family) {
if (!State) if (!State)
return nullptr; return nullptr;
return MallocMemAux(C, CE, C.getSVal(SizeEx), Init, State, Family); assert(SizeEx);
return MallocMemAux(C, Call, C.getSVal(SizeEx), Init, State, Family);
} }
ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C, ProgramStateRef MallocChecker::MallocMemAux(CheckerContext &C,
const CallExpr *CE, SVal Size, const CallEvent &Call, SVal Size,
SVal Init, ProgramStateRef State, SVal Init, ProgramStateRef State,
AllocationFamily Family) { AllocationFamily Family) {
if (!State) if (!State)
return nullptr; return nullptr;
const Expr *CE = Call.getOriginExpr();
// We expect the malloc functions to return a pointer. // We expect the malloc functions to return a pointer.
if (!Loc::isLocType(CE->getType())) if (!Loc::isLocType(CE->getType()))
return nullptr; return nullptr;
// Bind the return value to the symbolic value from the heap region. // Bind the return value to the symbolic value from the heap region.
// TODO: We could rewrite post visit to eval call; 'malloc' does not have // TODO: We could rewrite post visit to eval call; 'malloc' does not have
// side effects other than what we model here. // side effects other than what we model here.
unsigned Count = C.blockCount(); unsigned Count = C.blockCount();
▲ Show 20 LinesShow All 45 Lines▼ Show 20 Linesstatic ProgramStateRef MallocUpdateRefState(CheckerContext &C, const Expr *E,
// or new(). We've checked that in the caller. Therefore, it must be a symbol. // or new(). We've checked that in the caller. Therefore, it must be a symbol.
assert(Sym); assert(Sym);
// Set the symbol's state to Allocated. // Set the symbol's state to Allocated.
return State->set<RegionState>(Sym, RefState::getAllocated(Family, E)); return State->set<RegionState>(Sym, RefState::getAllocated(Family, E));
} }
ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C, ProgramStateRef MallocChecker::FreeMemAttr(CheckerContext &C,
const CallExpr *CE, const CallEvent &Call,
const OwnershipAttr *Att, const OwnershipAttr *Att,
ProgramStateRef State) const { ProgramStateRef State) const {
if (!State) if (!State)
return nullptr; return nullptr;
if (Att->getModule()->getName() != "malloc") if (Att->getModule()->getName() != "malloc")
return nullptr; return nullptr;
bool IsKnownToBeAllocated = false; bool IsKnownToBeAllocated = false;
for (const auto &Arg : Att->args()) { for (const auto &Arg : Att->args()) {
ProgramStateRef StateI = ProgramStateRef StateI =
FreeMemAux(C, CE, State, Arg.getASTIndex(), FreeMemAux(C, Call, State, Arg.getASTIndex(),
Att->getOwnKind() == OwnershipAttr::Holds, Att->getOwnKind() == OwnershipAttr::Holds,
IsKnownToBeAllocated, AF_Malloc); IsKnownToBeAllocated, AF_Malloc);
if (StateI) if (StateI)
State = StateI; State = StateI;
} }
return State; return State;
} }
ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C, const CallExpr *CE, ProgramStateRef MallocChecker::FreeMemAux(CheckerContext &C,
const CallEvent &Call,
ProgramStateRef State, unsigned Num, ProgramStateRef State, unsigned Num,
bool Hold, bool &IsKnownToBeAllocated, bool Hold, bool &IsKnownToBeAllocated,
AllocationFamily Family, AllocationFamily Family,
bool ReturnsNullOnFailure) const { bool ReturnsNullOnFailure) const {
if (!State) if (!State)
return nullptr; return nullptr;
if (CE->getNumArgs() < (Num + 1)) if (Call.getNumArgs() < (Num + 1))
return nullptr; return nullptr;
return FreeMemAux(C, CE->getArg(Num), CE, State, Hold, IsKnownToBeAllocated, return FreeMemAux(C, Call.getArgExpr(Num), Call, State, Hold,
Family, ReturnsNullOnFailure); IsKnownToBeAllocated, Family, ReturnsNullOnFailure);
} }
/// Checks if the previous call to free on the given symbol failed - if free /// Checks if the previous call to free on the given symbol failed - if free
/// failed, returns true. Also, returns the corresponding return value symbol. /// failed, returns true. Also, returns the corresponding return value symbol.
static bool didPreviousFreeFail(ProgramStateRef State, static bool didPreviousFreeFail(ProgramStateRef State,
SymbolRef Sym, SymbolRef &RetStatusSymbol) { SymbolRef Sym, SymbolRef &RetStatusSymbol) {
const SymbolRef *Ret = State->get<FreeReturnValue>(Sym); const SymbolRef *Ret = State->get<FreeReturnValue>(Sym);
if (Ret) { if (Ret) {
▲ Show 20 LinesShow All 66 Lines▼ Show 20 Lines switch(Family) {
case AF_IfNameIndex: os << "'if_freenameindex()'"; return; case AF_IfNameIndex: os << "'if_freenameindex()'"; return;
case AF_InnerBuffer: os << "container-specific deallocator"; return; case AF_InnerBuffer: os << "container-specific deallocator"; return;
case AF_Alloca: case AF_Alloca:
case AF_None: llvm_unreachable("suspicious argument"); case AF_None: llvm_unreachable("suspicious argument");
} }
} }
ProgramStateRef MallocChecker::FreeMemAux( ProgramStateRef MallocChecker::FreeMemAux(
CheckerContext &C, const Expr *ArgExpr, const Expr *ParentExpr, CheckerContext &C, const Expr *ArgExpr, const CallEvent &Call,
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

In functions where we only use ArgExpr to retrieve the corresponding SVal we could pass the SVal in the first place.

xazax.hun: In functions where we only use `ArgExpr` to retrieve the corresponding `SVal` we could pass the…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

Long term, I plan to find a better value type for the CallDescriptionMap where information such as this could be retrieved easier, which is why I focused on nothing but the task at hand.

While I would like to see MallocChecker in a healthier state, at times I find the development effort I'm putting into it questionable, so I'll probably stop at the point where I can comfortably split it.

Szelethus: Long term, I plan to find a better value type for the `CallDescriptionMap` where information…
ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated, ProgramStateRef State, bool Hold, bool &IsKnownToBeAllocated,
AllocationFamily Family, bool ReturnsNullOnFailure) const { AllocationFamily Family, bool ReturnsNullOnFailure) const {
if (!State) if (!State)
return nullptr; return nullptr;
SVal ArgVal = C.getSVal(ArgExpr); SVal ArgVal = C.getSVal(ArgExpr);
if (!ArgVal.getAs<DefinedOrUnknownSVal>()) if (!ArgVal.getAs<DefinedOrUnknownSVal>())
Show All 11 Lines if (nullState && !notNullState)
return nullptr; return nullptr;
// Unknown values could easily be okay // Unknown values could easily be okay
// Undefined values are handled elsewhere // Undefined values are handled elsewhere
if (ArgVal.isUnknownOrUndef()) if (ArgVal.isUnknownOrUndef())
return nullptr; return nullptr;
const MemRegion *R = ArgVal.getAsRegion(); const MemRegion *R = ArgVal.getAsRegion();
const Expr *ParentExpr = Call.getOriginExpr();
// Nonlocs can't be freed, of course. // Nonlocs can't be freed, of course.
// Non-region locations (labels and fixed addresses) also shouldn't be freed. // Non-region locations (labels and fixed addresses) also shouldn't be freed.
if (!R) { if (!R) {
// Exception: // Exception:
// If the macro ZERO_SIZE_PTR is defined, this could be a kernel source // If the macro ZERO_SIZE_PTR is defined, this could be a kernel source
// code. In that case, the ZERO_SIZE_PTR defines a special value used for a // code. In that case, the ZERO_SIZE_PTR defines a special value used for a
// zero-sized memory block which is allowed to be freed, despite not being a // zero-sized memory block which is allowed to be freed, despite not being a
▲ Show 20 LinesShow All 598 Lines▼ Show 20 Lines auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind],
Os.str(), N); Os.str(), N);
R->markInteresting(MR); R->markInteresting(MR);
R->addRange(Range); R->addRange(Range);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
ProgramStateRef ProgramStateRef
MallocChecker::ReallocMemAux(CheckerContext &C, const CallExpr *CE, MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call,
bool ShouldFreeOnFail, ProgramStateRef State, bool ShouldFreeOnFail, ProgramStateRef State,
AllocationFamily Family, bool SuffixWithN) const { AllocationFamily Family, bool SuffixWithN) const {
if (!State) if (!State)
return nullptr; return nullptr;
const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());
if (SuffixWithN && CE->getNumArgs() < 3) if (SuffixWithN && CE->getNumArgs() < 3)
return nullptr; return nullptr;
else if (CE->getNumArgs() < 2) else if (CE->getNumArgs() < 2)
return nullptr; return nullptr;
const Expr *arg0Expr = CE->getArg(0); const Expr *arg0Expr = CE->getArg(0);
SVal Arg0Val = C.getSVal(arg0Expr); SVal Arg0Val = C.getSVal(arg0Expr);
if (!Arg0Val.getAs<DefinedOrUnknownSVal>()) if (!Arg0Val.getAs<DefinedOrUnknownSVal>())
Show All 27 LinesMallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call,
// We only assume exceptional states if they are definitely true; if the // We only assume exceptional states if they are definitely true; if the
// state is under-constrained, assume regular realloc behavior. // state is under-constrained, assume regular realloc behavior.
bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull; bool PrtIsNull = StatePtrIsNull && !StatePtrNotNull;
bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero; bool SizeIsZero = StateSizeIsZero && !StateSizeNotZero;
// If the ptr is NULL and the size is not 0, the call is equivalent to // If the ptr is NULL and the size is not 0, the call is equivalent to
// malloc(size). // malloc(size).
if (PrtIsNull && !SizeIsZero) { if (PrtIsNull && !SizeIsZero) {
ProgramStateRef stateMalloc = ProgramStateRef stateMalloc = MallocMemAux(
MallocMemAux(C, CE, TotalSize, UndefinedVal(), StatePtrIsNull, Family); C, Call, TotalSize, UndefinedVal(), StatePtrIsNull, Family);
return stateMalloc; return stateMalloc;
} }
if (PrtIsNull && SizeIsZero) if (PrtIsNull && SizeIsZero)
return State; return State;
assert(!PrtIsNull); assert(!PrtIsNull);
bool IsKnownToBeAllocated = false; bool IsKnownToBeAllocated = false;
// If the size is 0, free the memory. // If the size is 0, free the memory.
if (SizeIsZero) if (SizeIsZero)
// The semantics of the return value are: // The semantics of the return value are:
// If size was equal to 0, either NULL or a pointer suitable to be passed // If size was equal to 0, either NULL or a pointer suitable to be passed
// to free() is returned. We just free the input pointer and do not add // to free() is returned. We just free the input pointer and do not add
// any constrains on the output pointer. // any constrains on the output pointer.
if (ProgramStateRef stateFree = FreeMemAux(C, CE, StateSizeIsZero, 0, false, if (ProgramStateRef stateFree = FreeMemAux(
IsKnownToBeAllocated, Family)) C, Call, StateSizeIsZero, 0, false, IsKnownToBeAllocated, Family))
return stateFree; return stateFree;
// Default behavior. // Default behavior.
if (ProgramStateRef stateFree = if (ProgramStateRef stateFree =
FreeMemAux(C, CE, State, 0, false, IsKnownToBeAllocated, Family)) { FreeMemAux(C, Call, State, 0, false, IsKnownToBeAllocated, Family)) {
ProgramStateRef stateRealloc = ProgramStateRef stateRealloc =
MallocMemAux(C, CE, TotalSize, UnknownVal(), stateFree, Family); MallocMemAux(C, Call, TotalSize, UnknownVal(), stateFree, Family);
if (!stateRealloc) if (!stateRealloc)
return nullptr; return nullptr;
OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure; OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure;
if (ShouldFreeOnFail) if (ShouldFreeOnFail)
Kind = OAR_FreeOnFailure; Kind = OAR_FreeOnFailure;
else if (!IsKnownToBeAllocated) else if (!IsKnownToBeAllocated)
Kind = OAR_DoNotTrackAfterFailure; Kind = OAR_DoNotTrackAfterFailure;
Show All 12 Lines stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
ReallocPair(FromPtr, Kind)); ReallocPair(FromPtr, Kind));
// The reallocated symbol should stay alive for as long as the new symbol. // The reallocated symbol should stay alive for as long as the new symbol.
C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr); C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
return stateRealloc; return stateRealloc;
} }
return nullptr; return nullptr;
} }
ProgramStateRef MallocChecker::CallocMem(CheckerContext &C, const CallExpr *CE, ProgramStateRef MallocChecker::CallocMem(CheckerContext &C,
const CallEvent &Call,
ProgramStateRef State) { ProgramStateRef State) {
if (!State) if (!State)
return nullptr; return nullptr;
if (CE->getNumArgs() < 2) if (Call.getNumArgs() < 2)
return nullptr; return nullptr;
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy); SVal zeroVal = svalBuilder.makeZeroVal(svalBuilder.getContext().CharTy);
SVal TotalSize = evalMulForBufferSize(C, CE->getArg(0), CE->getArg(1)); SVal TotalSize =
evalMulForBufferSize(C, Call.getArgExpr(0), Call.getArgExpr(1));
return MallocMemAux(C, CE, TotalSize, zeroVal, State, AF_Malloc); return MallocMemAux(C, Call, TotalSize, zeroVal, State, AF_Malloc);
} }
MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N, MallocChecker::LeakInfo MallocChecker::getAllocationSite(const ExplodedNode *N,
SymbolRef Sym, SymbolRef Sym,
CheckerContext &C) { CheckerContext &C) {
const LocationContext *LeakContext = N->getLocationContext(); const LocationContext *LeakContext = N->getLocationContext();
// Walk the ExplodedGraph backwards and find the first node that referred to // Walk the ExplodedGraph backwards and find the first node that referred to
// the tracked symbol. // the tracked symbol.
▲ Show 20 LinesShow All 166 Lines▼ Show 20 Lines if (!ChecksEnabled[CK_NewDeleteChecker])
if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
checkUseAfterFree(Sym, C, DE->getArgument()); checkUseAfterFree(Sym, C, DE->getArgument());
if (!isStandardNewDelete(DC->getDecl())) if (!isStandardNewDelete(DC->getDecl()))
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
bool IsKnownToBeAllocated; bool IsKnownToBeAllocated;
State = FreeMemAux(C, DE->getArgument(), DE, State, State = FreeMemAux(C, DE->getArgument(), Call, State,
/*Hold*/ false, IsKnownToBeAllocated, /*Hold*/ false, IsKnownToBeAllocated,
(DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew)); (DE->isArrayForm() ? AF_CXXNewArray : AF_CXXNew));
C.addTransition(State); C.addTransition(State);
return; return;
} }
if (const auto *DC = dyn_cast<CXXDestructorCall>(&Call)) { if (const auto *DC = dyn_cast<CXXDestructorCall>(&Call)) {
▲ Show 20 LinesShow All 113 Lines▼ Show 20 Lines
static bool isReleased(SymbolRef Sym, CheckerContext &C) { static bool isReleased(SymbolRef Sym, CheckerContext &C) {
assert(Sym); assert(Sym);
const RefState *RS = C.getState()->get<RegionState>(Sym); const RefState *RS = C.getState()->get<RegionState>(Sym);
return (RS && RS->isReleased()); return (RS && RS->isReleased());
} }
bool MallocChecker::suppressDeallocationsInSuspiciousContexts( bool MallocChecker::suppressDeallocationsInSuspiciousContexts(
const CallExpr *CE, CheckerContext &C) const { const CallEvent &Call, CheckerContext &C) const {
if (CE->getNumArgs() == 0) if (Call.getNumArgs() == 0)
return false; return false;
StringRef FunctionStr = ""; StringRef FunctionStr = "";
if (const auto *FD = dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl())) if (const auto *FD = dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
if (const Stmt *Body = FD->getBody()) if (const Stmt *Body = FD->getBody())
if (Body->getBeginLoc().isValid()) if (Body->getBeginLoc().isValid())
FunctionStr = FunctionStr =
Lexer::getSourceText(CharSourceRange::getTokenRange( Lexer::getSourceText(CharSourceRange::getTokenRange(
{FD->getBeginLoc(), Body->getBeginLoc()}), {FD->getBeginLoc(), Body->getBeginLoc()}),
C.getSourceManager(), C.getLangOpts()); C.getSourceManager(), C.getLangOpts());
// We do not model the Integer Set Library's retain-count based allocation. // We do not model the Integer Set Library's retain-count based allocation.
if (!FunctionStr.contains("__isl_")) if (!FunctionStr.contains("__isl_"))
return false; return false;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
for (const Expr *Arg : CE->arguments()) for (const Expr *Arg : cast<CallExpr>(Call.getOriginExpr())->arguments())
if (SymbolRef Sym = C.getSVal(Arg).getAsSymbol()) if (SymbolRef Sym = C.getSVal(Arg).getAsSymbol())
NoQUnsubmitted
Not Done
ReplyInline Actions

Maybe iterate over CallEvent's argument SVals directly? We probably don't have a method for this but it doesn't sound like a too uncommon of a task.

NoQ: Maybe iterate over `CallEvent`'s argument `SVal`s directly? We probably don't have a method for…
if (const RefState *RS = State->get<RegionState>(Sym)) if (const RefState *RS = State->get<RegionState>(Sym))
State = State->set<RegionState>(Sym, RefState::getEscaped(RS)); State = State->set<RegionState>(Sym, RefState::getEscaped(RS));
C.addTransition(State); C.addTransition(State);
return true; return true;
} }
bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
▲ Show 20 LinesShow All 600 LinesShow Last 20 Lines