This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/
-
StaticAnalyzer/
-
Checkers/
7/18
MallocChecker.cpp
-
Core/
1/2
CheckerHelpers.cpp
-
test/Analysis/
-
Analysis/
2/7
kmalloc-linux-1.c

Differential D76830

[Analyzer][MallocChecker] No warning for kfree of ZERO_SIZE_PTR.
ClosedPublic

Authored by balazske on Mar 26 2020, 1:54 AM.

Download Raw Diff

Details

Reviewers

Szelethus
martong

Commits

rGdcc04e09cf6e: [Analyzer][MallocChecker] No warning for kfree of ZERO_SIZE_PTR.

Summary

The kernel kmalloc function may return a constant value ZERO_SIZE_PTR
if a zero-sized block is allocated. This special value is allowed to
be passed to kfree and should produce no warning.

This is a simple version but should be no problem. The macro is always
detected independent of if this is a kernel source code or any other
code. And it is recognized in any kind of free function, not only kfree.
(These functions are used already intermixed, at least in the tests.)

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

balazske created this revision.Mar 26 2020, 1:54 AM

Herald added a reviewer: Szelethus. · View Herald TranscriptMar 26 2020, 1:54 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: cfe-commits, ASDenysPetrov, martong and 10 others. · View Herald Transcript

FIXME: There is a test file "kmalloc-linux.c" but it seems to be non-maintained and buggy (has no -verify option so it passes always but produces multiple warnings).

balazske marked an inline comment as done.Mar 26 2020, 1:59 AM

balazske added inline comments.

clang/lib/StaticAnalyzer/Core/CheckerHelpers.cpp
146	The function was changed to get the numeric value from the end of the macro in any case. This way it recognizes a `(void *)16` as 16 (but maybe `16+16` too as 16).

martong added inline comments.Mar 26 2020, 2:36 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
396	Which one is referred to the lazy initialization? The inner or the outer? These questions actually made me to come up with a more explanatory construct here: Could we do something like this? using LazyInitialized = Optional<int>; mutable Optional<LazyInitialized> KernelZeroSizePtrValue; // Or Lazy<Optional<...>>
1696	This is a bit confusing for me. Perhaps alternatively we could have a free function `isInitialized(KernelZero...)` instead. Or maybe having a separate bool variable to indicate whether it was initialized could be cleaner?
clang/lib/StaticAnalyzer/Core/CheckerHelpers.cpp
146	Ok.

Harbormaster completed remote builds in B50506: Diff 252769.Mar 26 2020, 2:40 AM

martong added inline comments.Mar 26 2020, 2:42 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1696	Another idea: Adding a helper struct to contain the bool `initialized`? E.g. (draft): struct LazyOptional { bool initialized = false; Opt<int> value; Opt& get(); void set(const Opt&); };

balazske marked 2 inline comments as done.Mar 26 2020, 3:43 AM

balazske added inline comments.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
396	Probably use a `std::unique_ptr<Optional<int>>` instead (like at the bug types, they could be optional too)? If there is a code like bool IsSomethingInitialized; int Something; that looks as a clear case to use an optional (or unique_ptr)? And if yes, is a reason for not using this construct if `int` is replaced by `Optional<int>`?
1696	It may be OK to have a function `lazyInitKernelZeroSizePtrValue`?

martong added inline comments.Mar 26 2020, 3:55 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
396	Now I see that the lazy initialization is represented by the outer optional. So IMHO a using template could be the best to describe cleanly this construct: template <class T> using LazyInitialized = Optional<T>; mutable LazyInitialized<Optional<int>> KernelZeroSizePtrValue;

martong added inline comments.Mar 26 2020, 3:58 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1696	I don't insist, given we have a better described type for `KernelZeroSizePtrValue` (e.g. having a `using` `template`)

Improved documentation and handling of KernelZeroSizePtrValue.

balazske marked an inline comment as done.Mar 26 2020, 5:10 AM

balazske added inline comments.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
396	With this I would wait for opinion of somebody else.

Harbormaster completed remote builds in B50519: Diff 252804.Mar 26 2020, 5:55 AM

LGTM!

clang/test/Analysis/kmalloc-linux-1.c
15	Do you plan to sniff around a bit about the arguments (as part of another patch)? Would be good to handle both old and new signature kernel allocation functions.

This revision is now accepted and ready to land.Mar 26 2020, 7:12 AM

Herald added a subscriber: rnkovacs. · View Herald TranscriptMar 26 2020, 7:12 AM

In D76830#1943133, @balazske wrote:

FIXME: There is a test file "kmalloc-linux.c" but it seems to be non-maintained and buggy (has no -verify option so it passes always but produces multiple warnings).

Crap, even I did some changes on that file, and never noticed the lack of verify, or the lack of -analyzer-checker flags.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1690–1700	I found this article on the subject: https://lwn.net/Articles/236920/ That brings us to the third possibility: this patch from Christoph Lameter which causes kmalloc(0) to return a special ZERO_SIZE_PTR value. It is a non-NULL value which looks like a legitimate pointer, but which causes a fault on any attempt at dereferencing it. Any attempt to call kfree() with this special value will do the right thing, of course. But I would argue that using `delete` on such a pointer might still be a sign of code smell. Granted, if the source code is hacking the kernel this is very unlikely, but still, I think this code should be placed...
1696	`AnalysisManager` has access to the `Preprocessor`, and it is also responsible for the construction of the `CheckerManager` object. This would make moving such code to the checker registry function! I'll gladly take this issue off your hand and patch it in once rG2aac0c47aed8d1eff7ab6d858173c532b881d948 settles :)
1707–1708	...here! bool isArgZERO_SIZE_PTR(ArgVal) const { const llvm::APSInt ArgValKnown = C.getSValBuilder().getKnownValue(State, ArgVal); if (ArgValKnown) { initKernelZeroSizePtrValue(C.getPreprocessor()); if (KernelZeroSizePtrValue && ArgValKnown->getSExtValue() == **KernelZeroSizePtrValue) return true; } return false; } // ... if (ArgVal has no associated MemRegion) // If there is a macro called ZERO_SIZE_PTR, it could be a kernel source code // and this value indicates a special value used for a zero-sized memory // block. It is a constant value that is allowed to be freed. if (!isArgZERO_SIZE_PTR(ArgVal) ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family); return nullptr; } // Still check for incorrect deallocator usage, etc. } Or something like this. WDYT?
clang/test/Analysis/kmalloc-linux-1.c
15	I'll take a quick look as well, I am quite familiar with MallocChecker.

balazske marked an inline comment as done.Mar 26 2020, 8:56 AM

balazske added inline comments.

clang/test/Analysis/kmalloc-linux-1.c
15	I found that `kfree` has one argument, not two (even in the 2.6 kernel). Probably argument count was wrong in the last change when `CallDescription` was introduced.

Szelethus added inline comments.Mar 26 2020, 9:25 AM

clang/test/Analysis/kmalloc-linux-1.c
15	Yup, you're totally right, this was on me :) I'll get that fixed.

Szelethus added inline comments.Mar 26 2020, 9:32 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1696	Just pushed rG4dc8472942ce60f29de9587b9451cc3d49df7abf. It it settles (no buildbots complain), you could rebase and the lazy initialization could be a thing of the past! :)

balazske marked an inline comment as done.Mar 27 2020, 12:43 AM

balazske added inline comments.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1696	This makes it possible to have a generic one-time initialization function in the checker (`CheckerBase`)? The functionality is needed in more than one checker, at least for the bug types it can be used in almost every checker (that has bugtypes).

Szelethus added inline comments.Mar 27 2020, 2:41 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1696	I'm not sure I understand what you mean -- do you want to add `CheckerManager` to `CheckerBase`'s constructor? In any case, I remember reading something around `CheckerBase`'s or `BugType`'s implementation the way the checker receives its name is a bit tricky and not a part of the construction.

balazske marked an inline comment as done.Mar 27 2020, 2:55 AM

balazske added inline comments.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1696	Initialization in register function does not work: The `MacroInfo` is not found in the preprocessor. Probably the code is not parsed normally at that time. For now only the lazy initialization is working.

Checking for the macro value only if no memory region was found.

Harbormaster failed remote builds in B50667: Diff 253066!Mar 27 2020, 4:17 AM

Applied the code reformattings.

LGTM! Mind that I just published D76917, you can, if you prefer, rebase on top of that. Also, a test case for deleteing a ZERO_SIZE_PTR valued pointer might be nice :)

If you prefer, feel free to commit without another round of reviews.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
396	What @martong is saying is indeed nice, but the comments explain whats happening as well -- I'll leave it up to you how you want to commit this.
1696	Initialization in register function does not work: The MacroInfo is not found in the preprocessor. Probably the code is not parsed normally at that time. For now only the lazy initialization is working. Well that is super annoying. I don't object to the lazy initialization then.
1708–1710	Just a bit of word smithing :) If the macro ZERO_SIZE_PTR is defined, this could be a kernel source code. In that case, the ZERO_SIZE_PTR defines indicates a special value used for a zero-sized memory block which is allowed to be freed, despite not being a null pointer.

balazske marked an inline comment as done.Mar 27 2020, 5:03 AM

balazske added inline comments.

clang/test/Analysis/kmalloc-linux-1.c
15	Is it better to add these tests to kmalloc-linux.c?

Szelethus added inline comments.Mar 27 2020, 5:15 AM

clang/test/Analysis/kmalloc-linux-1.c
15	I think so, yea.

Harbormaster completed remote builds in B50675: Diff 253088.Mar 27 2020, 5:57 AM

Removed test file malloc-linux-1.c
Prevent warning only if "malloc family" free is done (Do not recognize ZERO_SIZE_PTR at a delete call.)

Harbormaster failed remote builds in B50706: Diff 253163!Mar 27 2020, 11:28 AM

LGTM, thanks!

clang/test/Analysis/kmalloc-linux-1.c
2	Oh, I almost forgot, the `core` package is supposed to be present :)

Closed by commit rGdcc04e09cf6e: [Analyzer][MallocChecker] No warning for kfree of ZERO_SIZE_PTR. (authored by balazske). · Explain WhyMar 30 2020, 2:07 AM

This revision was automatically updated to reflect the committed changes.

Szelethus mentioned this in D79415: [analyzer][MallocChecker] When modeling realloc-like functions, don't early return if the argument is symbolic.May 5 2020, 6:13 AM

Szelethus mentioned this in rG2e5e42d4aeab: [analyzer][MallocChecker] When modeling realloc-like functions, don't early….May 19 2020, 5:23 AM

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

MallocChecker.cpp

27 lines

Core/

CheckerHelpers.cpp

10 lines

test/

Analysis/

kmalloc-linux-1.c

27 lines

Diff 252804

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 Lines • Show All 52 Lines • ▼ Show 20 Lines
#include "clang/Lex/Lexer.h"		#include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"		#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"		#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"		#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h"		#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"		#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include "llvm/ADT/STLExtras.h"		#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h"		#include "llvm/ADT/SmallString.h"
#include "llvm/ADT/StringExtras.h"		#include "llvm/ADT/StringExtras.h"
#include "llvm/Support/ErrorHandling.h"		#include "llvm/Support/ErrorHandling.h"
▲ Show 20 Lines • Show All 315 Lines • ▼ Show 20 Lines	private:
mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_MismatchedDealloc;		mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];

// TODO: Remove mutable by moving the initializtaion to the registry function.		// TODO: Remove mutable by moving the initializtaion to the registry function.
mutable Optional<uint64_t> KernelZeroFlagVal;		mutable Optional<uint64_t> KernelZeroFlagVal;

		// This type stores obtained value of macro `ZERO_SIZE_PTR`, and if it could
		// be obtained.
		using KernelZeroSizePtrValueTy = Optional<int>;
		/// Store the optional value of macro called `ZERO_SIZE_PTR`.
		martongUnsubmitted Not Done Reply Inline Actions Which one is referred to the lazy initialization? The inner or the outer? These questions actually made me to come up with a more explanatory construct here: Could we do something like this? using LazyInitialized = Optional<int>; mutable Optional<LazyInitialized> KernelZeroSizePtrValue; // Or Lazy<Optional<...>> martong: Which one is referred to the lazy initialization? The inner or the outer? These questions…
		balazskeAuthorUnsubmitted Done Reply Inline Actions Probably use a `std::unique_ptr<Optional<int>>` instead (like at the bug types, they could be optional too)? If there is a code like bool IsSomethingInitialized; int Something; that looks as a clear case to use an optional (or unique_ptr)? And if yes, is a reason for not using this construct if `int` is replaced by `Optional<int>`? balazske: Probably use a `std::unique_ptr<Optional<int>>` instead (like at the bug types, they could be…
		martongUnsubmitted Not Done Reply Inline Actions Now I see that the lazy initialization is represented by the outer optional. So IMHO a using template could be the best to describe cleanly this construct: template <class T> using LazyInitialized = Optional<T>; mutable LazyInitialized<Optional<int>> KernelZeroSizePtrValue; martong: Now I see that the lazy initialization is represented by the outer optional. So IMHO a using…
		balazskeAuthorUnsubmitted Done Reply Inline Actions With this I would wait for opinion of somebody else. balazske: With this I would wait for opinion of somebody else.
		SzelethusUnsubmitted Done Reply Inline Actions What @martong is saying is indeed nice, but the comments explain whats happening as well -- I'll leave it up to you how you want to commit this. Szelethus: What @martong is saying is indeed nice, but the comments explain whats happening as well…
		/// The value is initialized at first use.
		mutable Optional<KernelZeroSizePtrValueTy> KernelZeroSizePtrValue;

/// Process C++ operator new()'s allocation, which is the part of C++		/// Process C++ operator new()'s allocation, which is the part of C++
/// new-expression that goes before the constructor.		/// new-expression that goes before the constructor.
void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C,		void processNewAllocation(const CXXNewExpr *NE, CheckerContext &C,
SVal Target, AllocationFamily Family) const;		SVal Target, AllocationFamily Family) const;

/// Perform a zero-allocation check.		/// Perform a zero-allocation check.
///		///
/// \param [in] E The expression that allocates memory.		/// \param [in] E The expression that allocates memory.
▲ Show 20 Lines • Show All 253 Lines • ▼ Show 20 Lines	void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal,
AllocationFamily Family) const;		AllocationFamily Family) const;

/// Find the location of the allocation for Sym on the path leading to the		/// Find the location of the allocation for Sym on the path leading to the
/// exploded node N.		/// exploded node N.
static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,		static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
CheckerContext &C);		CheckerContext &C);

void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;		void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;

		void initKernelZeroSizePtrValue(Preprocessor &PP) const {
		// If not initialized yet,
		if (!KernelZeroSizePtrValue)
		// try to get the value.
		KernelZeroSizePtrValue = tryExpandAsInteger("ZERO_SIZE_PTR", PP);
		}
};		};

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Definition of MallocBugVisitor.		// Definition of MallocBugVisitor.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

/// The bug visitor which allows us to print extra diagnostics along the		/// The bug visitor which allows us to print extra diagnostics along the
/// BugReport path. For example, showing the allocation site of the leaked		/// BugReport path. For example, showing the allocation site of the leaked
▲ Show 20 Lines • Show All 998 Lines • ▼ Show 20 Lines	ProgramStateRef MallocChecker::FreeMemAux(
if (nullState && !notNullState)		if (nullState && !notNullState)
return nullptr;		return nullptr;

// Unknown values could easily be okay		// Unknown values could easily be okay
// Undefined values are handled elsewhere		// Undefined values are handled elsewhere
if (ArgVal.isUnknownOrUndef())		if (ArgVal.isUnknownOrUndef())
return nullptr;		return nullptr;

		// If there is a macro called ZERO_SIZE_PTR, it could be a kernel source code
		// and this value indicates a special value used for a zero-sized memory
		// block. It is a constant value that is allowed to be freed.
		const llvm::APSInt *ArgValKnown =
		C.getSValBuilder().getKnownValue(State, ArgVal);
		if (ArgValKnown) {
		initKernelZeroSizePtrValue(C.getPreprocessor());
		martongUnsubmitted Not Done Reply Inline Actions This is a bit confusing for me. Perhaps alternatively we could have a free function `isInitialized(KernelZero...)` instead. Or maybe having a separate bool variable to indicate whether it was initialized could be cleaner? martong: This is a bit confusing for me. Perhaps alternatively we could have a free function…
		martongUnsubmitted Not Done Reply Inline Actions Another idea: Adding a helper struct to contain the bool `initialized`? E.g. (draft): struct LazyOptional { bool initialized = false; Opt<int> value; Opt& get(); void set(const Opt&); }; martong: Another idea: Adding a helper struct to contain the bool `initialized`? E.g. (draft): ```…
		balazskeAuthorUnsubmitted Done Reply Inline Actions It may be OK to have a function `lazyInitKernelZeroSizePtrValue`? balazske: It may be OK to have a function `lazyInitKernelZeroSizePtrValue`?
		martongUnsubmitted Not Done Reply Inline Actions I don't insist, given we have a better described type for `KernelZeroSizePtrValue` (e.g. having a `using` `template`) martong: I don't insist, given we have a better described type for `KernelZeroSizePtrValue` (e.g. having…
		SzelethusUnsubmitted Not Done Reply Inline Actions `AnalysisManager` has access to the `Preprocessor`, and it is also responsible for the construction of the `CheckerManager` object. This would make moving such code to the checker registry function! I'll gladly take this issue off your hand and patch it in once rG2aac0c47aed8d1eff7ab6d858173c532b881d948 settles :) Szelethus: `AnalysisManager` has access to the `Preprocessor`, and it is also responsible for the…
		SzelethusUnsubmitted Not Done Reply Inline Actions Just pushed rG4dc8472942ce60f29de9587b9451cc3d49df7abf. It it settles (no buildbots complain), you could rebase and the lazy initialization could be a thing of the past! :) Szelethus: Just pushed rG4dc8472942ce60f29de9587b9451cc3d49df7abf. It it settles (no buildbots complain)…
		balazskeAuthorUnsubmitted Done Reply Inline Actions This makes it possible to have a generic one-time initialization function in the checker (`CheckerBase`)? The functionality is needed in more than one checker, at least for the bug types it can be used in almost every checker (that has bugtypes). balazske: This makes it possible to have a generic one-time initialization function in the checker…
		SzelethusUnsubmitted Not Done Reply Inline Actions I'm not sure I understand what you mean -- do you want to add `CheckerManager` to `CheckerBase`'s constructor? In any case, I remember reading something around `CheckerBase`'s or `BugType`'s implementation the way the checker receives its name is a bit tricky and not a part of the construction. Szelethus: I'm not sure I understand what you mean -- do you want to add `CheckerManager` to…
		SzelethusUnsubmitted Done Reply Inline Actions Initialization in register function does not work: The MacroInfo is not found in the preprocessor. Probably the code is not parsed normally at that time. For now only the lazy initialization is working. Well that is super annoying. I don't object to the lazy initialization then. Szelethus: > Initialization in register function does not work: The MacroInfo is not found in the…
		balazskeAuthorUnsubmitted Done Reply Inline Actions Initialization in register function does not work: The `MacroInfo` is not found in the preprocessor. Probably the code is not parsed normally at that time. For now only the lazy initialization is working. balazske: Initialization in register function does not work: The `MacroInfo` is not found in the…
		if (*KernelZeroSizePtrValue &&
		ArgValKnown->getSExtValue() == **KernelZeroSizePtrValue)
		return nullptr;
		}
		SzelethusUnsubmitted Not Done Reply Inline Actions I found this article on the subject: https://lwn.net/Articles/236920/ That brings us to the third possibility: this patch from Christoph Lameter which causes kmalloc(0) to return a special ZERO_SIZE_PTR value. It is a non-NULL value which looks like a legitimate pointer, but which causes a fault on any attempt at dereferencing it. Any attempt to call kfree() with this special value will do the right thing, of course. But I would argue that using `delete` on such a pointer might still be a sign of code smell. Granted, if the source code is hacking the kernel this is very unlikely, but still, I think this code should be placed... Szelethus: I found this article on the subject: https://lwn.net/Articles/236920/ > That brings us to the…

const MemRegion *R = ArgVal.getAsRegion();		const MemRegion *R = ArgVal.getAsRegion();

// Nonlocs can't be freed, of course.		// Nonlocs can't be freed, of course.
// Non-region locations (labels and fixed addresses) also shouldn't be freed.		// Non-region locations (labels and fixed addresses) also shouldn't be freed.
if (!R) {		if (!R) {
ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family);		ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family);
return nullptr;		return nullptr;
		SzelethusUnsubmitted Not Done Reply Inline Actions ...here! bool isArgZERO_SIZE_PTR(ArgVal) const { const llvm::APSInt ArgValKnown = C.getSValBuilder().getKnownValue(State, ArgVal); if (ArgValKnown) { initKernelZeroSizePtrValue(C.getPreprocessor()); if (KernelZeroSizePtrValue && ArgValKnown->getSExtValue() == KernelZeroSizePtrValue) return true; } return false; } // ... if (ArgVal has no associated MemRegion) // If there is a macro called ZERO_SIZE_PTR, it could be a kernel source code // and this value indicates a special value used for a zero-sized memory // block. It is a constant value that is allowed to be freed. if (!isArgZERO_SIZE_PTR(ArgVal) ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family); return nullptr; } // Still check for incorrect deallocator usage, etc. } Or something like this. WDYT? Szelethus:** ...here! ```lang=cpp bool isArgZERO_SIZE_PTR(ArgVal) const { const llvm::APSInt *ArgValKnown…
}		}

		SzelethusUnsubmitted Not Done Reply Inline Actions Just a bit of word smithing :) If the macro ZERO_SIZE_PTR is defined, this could be a kernel source code. In that case, the ZERO_SIZE_PTR defines indicates a special value used for a zero-sized memory block which is allowed to be freed, despite not being a null pointer. Szelethus: Just a bit of word smithing :) If the macro ZERO_SIZE_PTR is defined, this could be a kernel…
R = R->StripCasts();		R = R->StripCasts();

// Blocks might show up as heap data, but should not be free()d		// Blocks might show up as heap data, but should not be free()d
if (isa<BlockDataRegion>(R)) {		if (isa<BlockDataRegion>(R)) {
ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family);		ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family);
return nullptr;		return nullptr;
}		}

▲ Show 20 Lines • Show All 1,618 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/CheckerHelpers.cpp

Show First 20 Lines • Show All 120 Lines • ▼ Show 20 Lines	llvm::Optional<int> tryExpandAsInteger(StringRef Macro,

// Filter out parens.		// Filter out parens.
std::vector<Token> FilteredTokens;		std::vector<Token> FilteredTokens;
FilteredTokens.reserve(MI->tokens().size());		FilteredTokens.reserve(MI->tokens().size());
for (auto &T : MI->tokens())		for (auto &T : MI->tokens())
if (!T.isOneOf(tok::l_paren, tok::r_paren))		if (!T.isOneOf(tok::l_paren, tok::r_paren))
FilteredTokens.push_back(T);		FilteredTokens.push_back(T);

if (FilteredTokens.size() > 2)
return llvm::None;

// Parse an integer at the end of the macro definition.		// Parse an integer at the end of the macro definition.
const Token &T = FilteredTokens.back();		const Token &T = FilteredTokens.back();
if (!T.isLiteral())		if (!T.isLiteral())
return llvm::None;		return llvm::None;
StringRef ValueStr = StringRef(T.getLiteralData(), T.getLength());		StringRef ValueStr = StringRef(T.getLiteralData(), T.getLength());
llvm::APInt IntValue;		llvm::APInt IntValue;
constexpr unsigned AutoSenseRadix = 0;		constexpr unsigned AutoSenseRadix = 0;
if (ValueStr.getAsInteger(AutoSenseRadix, IntValue))		if (ValueStr.getAsInteger(AutoSenseRadix, IntValue))
return llvm::None;		return llvm::None;

// Parse an optional minus sign.		// Parse an optional minus sign.
if (FilteredTokens.size() == 2) {		size_t Size = FilteredTokens.size();
if (FilteredTokens.front().is(tok::minus))		if (Size >= 2) {
		if (FilteredTokens[Size - 2].is(tok::minus))
IntValue = -IntValue;		IntValue = -IntValue;
else
return llvm::None;
}		}

return IntValue.getSExtValue();		return IntValue.getSExtValue();
		balazskeAuthorUnsubmitted Done Reply Inline Actions The function was changed to get the numeric value from the end of the macro in any case. This way it recognizes a `(void )16` as 16 (but maybe `16+16` too as 16). balazske:* The function was changed to get the numeric value from the end of the macro in any case. This…
		martongUnsubmitted Not Done Reply Inline Actions Ok. martong: Ok.
}		}

} // namespace ento		} // namespace ento
} // namespace clang		} // namespace clang

clang/test/Analysis/kmalloc-linux-1.c

This file was added.

				// RUN: %clang_analyze_cc1 -triple x86_64-unknown-linux -analyzer-checker=unix.Malloc -verify %s

				SzelethusUnsubmitted Not Done Reply Inline Actions Oh, I almost forgot, the `core` package is supposed to be present :) Szelethus: Oh, I almost forgot, the `core` package is supposed to be present :)
				#define ZERO_SIZE_PTR ((void *)16)

				void *__kmalloc(int size, int flags);

				// Linux kmalloc looks like this.
				// (simplified)
				void *kmalloc(int size, int flags) {
				if (size == 0)
				return ZERO_SIZE_PTR;
				return __kmalloc(size, flags);
				}

				// FIXME: malloc checker expects kfree with 2 arguments, is this correct?
				martongUnsubmitted Not Done Reply Inline Actions Do you plan to sniff around a bit about the arguments (as part of another patch)? Would be good to handle both old and new signature kernel allocation functions. martong: Do you plan to sniff around a bit about the arguments (as part of another patch)? Would be good…
				SzelethusUnsubmitted Not Done Reply Inline Actions I'll take a quick look as well, I am quite familiar with MallocChecker. Szelethus: I'll take a quick look as well, I am quite familiar with MallocChecker.
				balazskeAuthorUnsubmitted Done Reply Inline Actions I found that `kfree` has one argument, not two (even in the 2.6 kernel). Probably argument count was wrong in the last change when `CallDescription` was introduced. balazske: I found that `kfree` has one argument, not two (even in the 2.6 kernel). Probably argument…
				SzelethusUnsubmitted Not Done Reply Inline Actions Yup, you're totally right, this was on me :) I'll get that fixed. Szelethus: Yup, you're totally right, this was on me :) I'll get that fixed.
				balazskeAuthorUnsubmitted Done Reply Inline Actions Is it better to add these tests to kmalloc-linux.c? balazske: Is it better to add these tests to kmalloc-linux.c?
				SzelethusUnsubmitted Not Done Reply Inline Actions I think so, yea. Szelethus: I think so, yea.
				// (recent kernel source code contains a `kfree(const void *)`)
				void kfree(void *, int);

				void test_kmalloc_zero_sized_block_fixed_value_address() {
				void *ptr = kmalloc(0, 0); // kmalloc returns a constant address
				kfree(ptr, 0); // no warning about freeing a constant value
				}

				void test_kfree_constant_value() {
				void ptr = (void )1;
				kfree(ptr, 0); // expected-warning{{Argument to kfree() is a constant address (1)}}
				}

This is an archive of the discontinued LLVM Phabricator instance.

[Analyzer][MallocChecker] No warning for kfree of ZERO_SIZE_PTR.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 252804

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

clang/lib/StaticAnalyzer/Core/CheckerHelpers.cpp

clang/test/Analysis/kmalloc-linux-1.c

[Analyzer][MallocChecker] No warning for kfree of ZERO_SIZE_PTR.
ClosedPublic