This is an archive of the discontinued LLVM Phabricator instance.

Differential D77474

[analyzer][MallocChecker] Make NewDeleteLeaks depend on DynamicMemoryModeling rather than NewDelete
ClosedPublic

Authored by Szelethus on Apr 4 2020, 1:06 PM.

Details

Reviewers
NoQ
xazax.hun
baloghadamsoftware
martong
balazske
dcoughlin
Commits
rGefd1a8e66eaa: [analyzer][MallocChecker] Make NewDeleteLeaks depend on DynamicMemoryModeling…
Summary

If you remember the mail [1] I sent out about how I envision the future of the already existing checkers to look dependencywise, one my main points was that no checker that emits diagnostics should be a dependency. This is more problematic for some checkers (ahem, RetainCount [2]) more than for others, like this one.

The MallocChecker family is a mostly big monolithic modeling class some small reporting checkers that only come to action when we are constructing a warning message, after the actual bug was detected. The implication of this is that NewDeleteChecker doesn't really do anything to depend on, so this change was relatively simple.

The only thing that complicates this change is that FreeMemAux (MallocCheckers method that models general memory deallocation) returns after calling a bug reporting method, regardless whether the report was ever emitted (which may not always happen, for instance, if the checker responsible for the report isn't enabled). This return unfortunately happens before cleaning up the maps in the GDM keeping track of the state of symbols (whether they are released, whether that release was successful, etc). What this means is that upon disabling some checkers, we would never clean up the map and that could've lead to false positives, e.g.:

error: 'warning' diagnostics seen but not expected: 
  File clang/test/Analysis/NewDelete-intersections.mm Line 66: Potential leak of memory pointed to by 'p'
  File clang/test/Analysis/NewDelete-intersections.mm Line 73: Potential leak of memory pointed to by 'p'
  File clang/test/Analysis/NewDelete-intersections.mm Line 77: Potential leak of memory pointed to by 'p'

error: 'warning' diagnostics seen but not expected: 
  File clang/test/Analysis/NewDelete-checker-test.cpp Line 111: Undefined or garbage value returned to caller
  File clang/test/Analysis/NewDelete-checker-test.cpp Line 200: Potential leak of memory pointed to by 'p'

error: 'warning' diagnostics seen but not expected: 
  File clang/test/Analysis/new.cpp Line 137: Potential leak of memory pointed to by 'x'

There two possible approaches I had in mind:

  • Make bug reporting methods of MallocChecker returns whether they succeeded, and proceed with the rest of FreeMemAux if not,
  • Halt execution with a sink node upon failure. I decided to go with this, as described in the code.

As you can see from the removed/changed test files, before the big checker dependency effort landed, there were tests to check for all the weird configurations of enabled/disabled checkers and their messy interactions, I largely repurposed these.

[1] http://lists.llvm.org/pipermail/cfe-dev/2019-August/063070.html
[2] http://lists.llvm.org/pipermail/cfe-dev/2019-August/063205.html

Diff Detail

Event Timeline

Szelethus created this revision.Apr 4 2020, 1:06 PM
Herald added subscribers: cfe-commits, ASDenysPetrov, steakhal and 9 others. · View Herald TranscriptApr 4 2020, 1:06 PM
Szelethus edited the summary of this revision. (Show Details)Apr 4 2020, 1:08 PM
Szelethus added a comment.Apr 5 2020, 5:06 AM

Btw this branch is about 7 months old, and I just now remembered why I haven't rushed publishing it.

My ultimate idea (as opposed to the two detailed in the summary) was to introduce a subchecker system in MallocChecker, which also strongly ties into D67336. The core of the checker (unix.DynamicMemoryModeling) would be responsible for dispatching from regular checker callbacks upon seeing a call to a memory management function, and providing the general utilities for modeling it. Smaller subcheckers would then use this interface to implement the modeling of specific functions. For instance, the we could create NewDeleteChecker, a subchecker of DynamicMemoryModeling, which would get control when stumbling upon a call to a new/delete operator.

This would allow us to spread the implementation into smaller files, which is great, but upon taking a look at D68165, you can see that the bulk of the code isn't really in these modeling functions. For such a change to really make sense, the responsibility of bug emission (like ReportFunctionPointerFree) should be moved into the subcheckers as well. This would achieve my goal of smaller, self-contained subcheckers implementing something that we previously did with giants like MallocChecker is now. As to how I should actually pull this off (make an event about memory being deallocated to the subcheckers, make them check for bugs? make an event about finding a leak, double delete, etc?) is a different issue, but I'll see what makes more sense, if I choose to go forth with this project.

I do now believe that though that all of these changes would be orthogonal to this one. Just thought I'd share :^).

Szelethus mentioned this in D77845: [analyzer][CallAndMessage][NFC] Change old callbacks to rely on CallEvent.Apr 9 2020, 6:15 PM
Szelethus added a child revision: D78126: [analyzer][NFC] Don't allow dependency checkers to emit diagnostics.Apr 14 2020, 9:29 AM
balazske added inline comments.Apr 16 2020, 6:26 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
195 ↗(On Diff #255070)
if (!State)
  State = getState();

is better? (I put the same comment into some (other?) patch already but maybe it disappeared?)

Szelethus added a comment.May 19 2020, 6:52 AM

Gentle ping :^)

Szelethus mentioned this in rG3d0d2fefc0a1: analyzer][CallAndMessage][NFC] Change old callbacks to rely on CallEvent.May 19 2020, 4:01 PM
martong added inline comments.May 21 2020, 4:40 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
194 ↗(On Diff #255070)

I like the joke, but this comment does not have any value, could you please remove?

195 ↗(On Diff #255070)

+1 for balazske's suggestion.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1747–1748

This sentence is too bloated, I'd rather remove it.

AFAIU, the general rule of thumb is that if we have found a bug then we terminate further analysis, period. This is independent of whether we emit the warning or not, that actually depends on whether the corresponding subchecker is enabled or not.

2031

This seems to be inverse logic to me.
I'd expect that in a function called Report... we do stuff that is related to reporting only. That is why I think it would be better to have the condition and addSink before calling Report.... That way reporting and modeling would be even more separated.

Szelethus updated this revision to Diff 265709.May 22 2020, 5:33 AM
Szelethus marked 7 inline comments as done.

Fix according to reviewer comments! Thanks!

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
195 ↗(On Diff #255070)

Landed this part of the change in D77866.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
2031

Very good point, but I think the actual problem lies in the name of the method. ReportBadFree in particular is called from multiple places, and I like how this is the function that takes over once we find a bug, because a bad free (which in this context means the deallocation of a non-heap allocated object) can never be a non-fatal error, so it make sense that the sink is solved here.

martong accepted this revision.May 25 2020, 6:14 AM

Looks good.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
2031

Okay, makes sense, the new name fits this.

This revision is now accepted and ready to land.May 25 2020, 6:14 AM
Closed by commit rGefd1a8e66eaa: [analyzer][MallocChecker] Make NewDeleteLeaks depend on DynamicMemoryModeling… (authored by Szelethus). · Explain WhyMay 26 2020, 3:17 PM
This revision was automatically updated to reflect the committed changes.
Szelethus mentioned this in D80905: [analyzer] Introduce weak dependencies to express *preferred* checker callback evaluation order.May 31 2020, 7:25 PM
Szelethus mentioned this in rGe22f1c02a27f: [analyzer] Introduce weak dependencies to express *preferred* checker callback….Jun 12 2020, 5:22 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
4 lines
lib/
StaticAnalyzer/
Checkers/
153 lines
test/
Analysis/
105 lines
47 lines
11 lines

Diff 266347

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 550 Lines▼ Show 20 Lines
def NewDeleteChecker : Checker<"NewDelete">, def NewDeleteChecker : Checker<"NewDelete">,
HelpText<"Check for double-free and use-after-free problems. Traces memory " HelpText<"Check for double-free and use-after-free problems. Traces memory "
"managed by new/delete.">, "managed by new/delete.">,
Dependencies<[DynamicMemoryModeling]>, Dependencies<[DynamicMemoryModeling]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def NewDeleteLeaksChecker : Checker<"NewDeleteLeaks">, def NewDeleteLeaksChecker : Checker<"NewDeleteLeaks">,
HelpText<"Check for memory leaks. Traces memory managed by new/delete.">, HelpText<"Check for memory leaks. Traces memory managed by new/delete.">,
Dependencies<[NewDeleteChecker]>, Dependencies<[DynamicMemoryModeling]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def PlacementNewChecker : Checker<"PlacementNew">, def PlacementNewChecker : Checker<"PlacementNew">,
HelpText<"Check if default placement new is provided with pointers to " HelpText<"Check if default placement new is provided with pointers to "
"sufficient storage capacity">, "sufficient storage capacity">,
Dependencies<[NewDeleteChecker]>, Dependencies<[DynamicMemoryModeling]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def CXXSelfAssignmentChecker : Checker<"SelfAssignment">, def CXXSelfAssignmentChecker : Checker<"SelfAssignment">,
HelpText<"Checks C++ copy and move assignment operators for self assignment">, HelpText<"Checks C++ copy and move assignment operators for self assignment">,
Documentation<NotDocumented>, Documentation<NotDocumented>,
Hidden; Hidden;
def SmartPtrModeling: Checker<"SmartPtr">, def SmartPtrModeling: Checker<"SmartPtr">,
▲ Show 20 LinesShow All 1,053 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 678 Lines▼ Show 20 Lines Optional<CheckKind> getCheckIfTracked(AllocationFamily Family,
bool IsALeakCheck = false) const; bool IsALeakCheck = false) const;
Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym, Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym,
bool IsALeakCheck = false) const; bool IsALeakCheck = false) const;
///@} ///@}
static bool SummarizeValue(raw_ostream &os, SVal V); static bool SummarizeValue(raw_ostream &os, SVal V);
static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, void HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal, SourceRange Range,
const Expr *DeallocExpr, AllocationFamily Family) const; const Expr *DeallocExpr,
AllocationFamily Family) const;
void ReportFreeAlloca(CheckerContext &C, SVal ArgVal, void HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
SourceRange Range) const; SourceRange Range) const;
void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, void HandleMismatchedDealloc(CheckerContext &C, SourceRange Range,
const Expr *DeallocExpr, const RefState *RS, const Expr *DeallocExpr, const RefState *RS,
SymbolRef Sym, bool OwnershipTransferred) const; SymbolRef Sym, bool OwnershipTransferred) const;
void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range, void HandleOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
const Expr *DeallocExpr, AllocationFamily Family, const Expr *DeallocExpr, AllocationFamily Family,
const Expr *AllocExpr = nullptr) const; const Expr *AllocExpr = nullptr) const;
void ReportUseAfterFree(CheckerContext &C, SourceRange Range, void HandleUseAfterFree(CheckerContext &C, SourceRange Range,
SymbolRef Sym) const; SymbolRef Sym) const;
void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released, void HandleDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
SymbolRef Sym, SymbolRef PrevSym) const; SymbolRef Sym, SymbolRef PrevSym) const;
void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const; void HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const;
void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range, void HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
SymbolRef Sym) const; SymbolRef Sym) const;
void ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, void HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
SourceRange Range, const Expr *FreeExpr, const Expr *FreeExpr,
AllocationFamily Family) const; AllocationFamily Family) const;
/// Find the location of the allocation for Sym on the path leading to the /// Find the location of the allocation for Sym on the path leading to the
/// exploded node N. /// exploded node N.
static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym, static LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
CheckerContext &C); CheckerContext &C);
void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const; void HandleLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;
/// Test if value in ArgVal equals to value in macro `ZERO_SIZE_PTR`. /// Test if value in ArgVal equals to value in macro `ZERO_SIZE_PTR`.
bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C, bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,
SVal ArgVal) const; SVal ArgVal) const;
}; };
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Definition of MallocBugVisitor. // Definition of MallocBugVisitor.
▲ Show 20 LinesShow All 1,008 Lines▼ Show 20 LinesProgramStateRef MallocChecker::FreeMemAux(
// Unknown values could easily be okay // Unknown values could easily be okay
// Undefined values are handled elsewhere // Undefined values are handled elsewhere
if (ArgVal.isUnknownOrUndef()) if (ArgVal.isUnknownOrUndef())
return nullptr; return nullptr;
const MemRegion *R = ArgVal.getAsRegion(); const MemRegion *R = ArgVal.getAsRegion();
const Expr *ParentExpr = Call.getOriginExpr(); const Expr *ParentExpr = Call.getOriginExpr();
// NOTE: We detected a bug, but the checker under whose name we would emit the
// error could be disabled. Generally speaking, the MallocChecker family is an
martongUnsubmitted
Done
ReplyInline Actions

This sentence is too bloated, I'd rather remove it.

AFAIU, the general rule of thumb is that if we have found a bug then we terminate further analysis, period. This is independent of whether we emit the warning or not, that actually depends on whether the corresponding subchecker is enabled or not.

martong: This sentence is too bloated, I'd rather remove it. AFAIU, the general rule of thumb is that…
// integral part of the Static Analyzer, and disabling any part of it should
// only be done under exceptional circumstances, such as frequent false
// positives. If this is the case, we can reasonably believe that there are
// serious faults in our understanding of the source code, and even if we
// don't emit an warning, we should terminate further analysis with a sink
// node.
// Nonlocs can't be freed, of course. // Nonlocs can't be freed, of course.
// Non-region locations (labels and fixed addresses) also shouldn't be freed. // Non-region locations (labels and fixed addresses) also shouldn't be freed.
if (!R) { if (!R) {
// Exception: // Exception:
// If the macro ZERO_SIZE_PTR is defined, this could be a kernel source // If the macro ZERO_SIZE_PTR is defined, this could be a kernel source
// code. In that case, the ZERO_SIZE_PTR defines a special value used for a // code. In that case, the ZERO_SIZE_PTR defines a special value used for a
// zero-sized memory block which is allowed to be freed, despite not being a // zero-sized memory block which is allowed to be freed, despite not being a
// null pointer. // null pointer.
if (Family != AF_Malloc || !isArgZERO_SIZE_PTR(State, C, ArgVal)) if (Family != AF_Malloc || !isArgZERO_SIZE_PTR(State, C, ArgVal))
ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family); HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
Family);
return nullptr; return nullptr;
} }
R = R->StripCasts(); R = R->StripCasts();
// Blocks might show up as heap data, but should not be free()d // Blocks might show up as heap data, but should not be free()d
if (isa<BlockDataRegion>(R)) { if (isa<BlockDataRegion>(R)) {
ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family); HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
Family);
return nullptr; return nullptr;
} }
const MemSpaceRegion *MS = R->getMemorySpace(); const MemSpaceRegion *MS = R->getMemorySpace();
// Parameters, locals, statics, globals, and memory returned by // Parameters, locals, statics, globals, and memory returned by
// __builtin_alloca() shouldn't be freed. // __builtin_alloca() shouldn't be freed.
if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) { if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) {
// FIXME: at the time this code was written, malloc() regions were // FIXME: at the time this code was written, malloc() regions were
// represented by conjured symbols, which are all in UnknownSpaceRegion. // represented by conjured symbols, which are all in UnknownSpaceRegion.
// This means that there isn't actually anything from HeapSpaceRegion // This means that there isn't actually anything from HeapSpaceRegion
// that should be freed, even though we allow it here. // that should be freed, even though we allow it here.
// Of course, free() can work on memory allocated outside the current // Of course, free() can work on memory allocated outside the current
// function, so UnknownSpaceRegion is always a possibility. // function, so UnknownSpaceRegion is always a possibility.
// False negatives are better than false positives. // False negatives are better than false positives.
if (isa<AllocaRegion>(R)) if (isa<AllocaRegion>(R))
ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
else else
ReportBadFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, Family); HandleNonHeapDealloc(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
Family);
return nullptr; return nullptr;
} }
const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion()); const SymbolicRegion *SrBase = dyn_cast<SymbolicRegion>(R->getBaseRegion());
// Various cases could lead to non-symbol values here. // Various cases could lead to non-symbol values here.
// For now, ignore them. // For now, ignore them.
if (!SrBase) if (!SrBase)
return nullptr; return nullptr;
SymbolRef SymBase = SrBase->getSymbol(); SymbolRef SymBase = SrBase->getSymbol();
const RefState *RsBase = State->get<RegionState>(SymBase); const RefState *RsBase = State->get<RegionState>(SymBase);
SymbolRef PreviousRetStatusSymbol = nullptr; SymbolRef PreviousRetStatusSymbol = nullptr;
IsKnownToBeAllocated = IsKnownToBeAllocated =
RsBase && (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero()); RsBase && (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero());
if (RsBase) { if (RsBase) {
// Memory returned by alloca() shouldn't be freed. // Memory returned by alloca() shouldn't be freed.
if (RsBase->getAllocationFamily() == AF_Alloca) { if (RsBase->getAllocationFamily() == AF_Alloca) {
ReportFreeAlloca(C, ArgVal, ArgExpr->getSourceRange()); HandleFreeAlloca(C, ArgVal, ArgExpr->getSourceRange());
return nullptr; return nullptr;
} }
// Check for double free first. // Check for double free first.
if ((RsBase->isReleased() || RsBase->isRelinquished()) && if ((RsBase->isReleased() || RsBase->isRelinquished()) &&
!didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) { !didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(), HandleDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
SymBase, PreviousRetStatusSymbol); SymBase, PreviousRetStatusSymbol);
return nullptr; return nullptr;
// If the pointer is allocated or escaped, but we are now trying to free it, // If the pointer is allocated or escaped, but we are now trying to free it,
// check that the call to free is proper. // check that the call to free is proper.
} else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() || } else if (RsBase->isAllocated() || RsBase->isAllocatedOfSizeZero() ||
RsBase->isEscaped()) { RsBase->isEscaped()) {
// Check if an expected deallocation function matches the real one. // Check if an expected deallocation function matches the real one.
bool DeallocMatchesAlloc = RsBase->getAllocationFamily() == Family; bool DeallocMatchesAlloc = RsBase->getAllocationFamily() == Family;
if (!DeallocMatchesAlloc) { if (!DeallocMatchesAlloc) {
ReportMismatchedDealloc(C, ArgExpr->getSourceRange(), HandleMismatchedDealloc(C, ArgExpr->getSourceRange(), ParentExpr,
ParentExpr, RsBase, SymBase, Hold); RsBase, SymBase, Hold);
return nullptr; return nullptr;
} }
// Check if the memory location being freed is the actual location // Check if the memory location being freed is the actual location
// allocated, or an offset. // allocated, or an offset.
RegionOffset Offset = R->getAsOffset(); RegionOffset Offset = R->getAsOffset();
if (Offset.isValid() && if (Offset.isValid() &&
!Offset.hasSymbolicOffset() && !Offset.hasSymbolicOffset() &&
Offset.getOffset() != 0) { Offset.getOffset() != 0) {
const Expr *AllocExpr = cast<Expr>(RsBase->getStmt()); const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, HandleOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
Family, AllocExpr); Family, AllocExpr);
return nullptr; return nullptr;
} }
} }
} }
if (SymBase->getType()->isFunctionPointerType()) { if (SymBase->getType()->isFunctionPointerType()) {
ReportFunctionPointerFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr, HandleFunctionPtrFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
Family); Family);
return nullptr; return nullptr;
} }
// Clean out the info on previous call to free return info. // Clean out the info on previous call to free return info.
State = State->remove<FreeReturnValue>(SymBase); State = State->remove<FreeReturnValue>(SymBase);
// Keep track of the return value. If it is NULL, we will know that free // Keep track of the return value. If it is NULL, we will know that free
// failed. // failed.
▲ Show 20 LinesShow All 150 Lines▼ Show 20 Lines if (isa<GlobalsSpaceRegion>(MS)) {
return true; return true;
} }
return false; return false;
} }
} }
} }
void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, void MallocChecker::HandleNonHeapDealloc(CheckerContext &C, SVal ArgVal,
SourceRange Range, const Expr *DeallocExpr, SourceRange Range,
const Expr *DeallocExpr,
AllocationFamily Family) const { AllocationFamily Family) const {
if (!ChecksEnabled[CK_MallocChecker] && if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
!ChecksEnabled[CK_NewDeleteChecker]) C.addSink();
martongUnsubmitted
Done
ReplyInline Actions

This seems to be inverse logic to me.
I'd expect that in a function called Report... we do stuff that is related to reporting only. That is why I think it would be better to have the condition and addSink before calling Report.... That way reporting and modeling would be even more separated.

martong: This seems to be inverse logic to me. I'd expect that in a function called `Report...` we do…
SzelethusAuthorUnsubmitted
Done
ReplyInline Actions

Very good point, but I think the actual problem lies in the name of the method. ReportBadFree in particular is called from multiple places, and I like how this is the function that takes over once we find a bug, because a bad free (which in this context means the deallocation of a non-heap allocated object) can never be a non-fatal error, so it make sense that the sink is solved here.

Szelethus: Very good point, but I think the actual problem lies in the name of the method. `ReportBadFree`…
martongUnsubmitted
Not Done
ReplyInline Actions

Okay, makes sense, the new name fits this.

martong: Okay, makes sense, the new name fits this.
return; return;
}
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_BadFree[*CheckKind]) if (!BT_BadFree[*CheckKind])
BT_BadFree[*CheckKind].reset(new BugType( BT_BadFree[*CheckKind].reset(new BugType(
Show All 23 Lines if (ExplodedNode *N = C.generateErrorNode()) {
auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind], auto R = std::make_unique<PathSensitiveBugReport>(*BT_BadFree[*CheckKind],
os.str(), N); os.str(), N);
R->markInteresting(MR); R->markInteresting(MR);
R->addRange(Range); R->addRange(Range);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal, void MallocChecker::HandleFreeAlloca(CheckerContext &C, SVal ArgVal,
SourceRange Range) const { SourceRange Range) const {
Optional<MallocChecker::CheckKind> CheckKind; Optional<MallocChecker::CheckKind> CheckKind;
if (ChecksEnabled[CK_MallocChecker]) if (ChecksEnabled[CK_MallocChecker])
CheckKind = CK_MallocChecker; CheckKind = CK_MallocChecker;
else if (ChecksEnabled[CK_MismatchedDeallocatorChecker]) else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
CheckKind = CK_MismatchedDeallocatorChecker; CheckKind = CK_MismatchedDeallocatorChecker;
else else {
C.addSink();
return; return;
}
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_FreeAlloca[*CheckKind]) if (!BT_FreeAlloca[*CheckKind])
BT_FreeAlloca[*CheckKind].reset(new BugType( BT_FreeAlloca[*CheckKind].reset(new BugType(
CheckNames[*CheckKind], "Free alloca()", categories::MemoryError)); CheckNames[*CheckKind], "Free alloca()", categories::MemoryError));
auto R = std::make_unique<PathSensitiveBugReport>( auto R = std::make_unique<PathSensitiveBugReport>(
*BT_FreeAlloca[*CheckKind], *BT_FreeAlloca[*CheckKind],
"Memory allocated by alloca() should not be deallocated", N); "Memory allocated by alloca() should not be deallocated", N);
R->markInteresting(ArgVal.getAsRegion()); R->markInteresting(ArgVal.getAsRegion());
R->addRange(Range); R->addRange(Range);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, void MallocChecker::HandleMismatchedDealloc(CheckerContext &C,
SourceRange Range, SourceRange Range,
const Expr *DeallocExpr, const Expr *DeallocExpr,
const RefState *RS, const RefState *RS, SymbolRef Sym,
SymbolRef Sym,
bool OwnershipTransferred) const { bool OwnershipTransferred) const {
if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
C.addSink();
return; return;
}
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_MismatchedDealloc) if (!BT_MismatchedDealloc)
BT_MismatchedDealloc.reset( BT_MismatchedDealloc.reset(
new BugType(CheckNames[CK_MismatchedDeallocatorChecker], new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
"Bad deallocator", categories::MemoryError)); "Bad deallocator", categories::MemoryError));
SmallString<100> buf; SmallString<100> buf;
Show All 31 Lines auto R = std::make_unique<PathSensitiveBugReport>(*BT_MismatchedDealloc,
os.str(), N); os.str(), N);
R->markInteresting(Sym); R->markInteresting(Sym);
R->addRange(Range); R->addRange(Range);
R->addVisitor(std::make_unique<MallocBugVisitor>(Sym)); R->addVisitor(std::make_unique<MallocBugVisitor>(Sym));
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, void MallocChecker::HandleOffsetFree(CheckerContext &C, SVal ArgVal,
SourceRange Range, const Expr *DeallocExpr, SourceRange Range, const Expr *DeallocExpr,
AllocationFamily Family, AllocationFamily Family,
const Expr *AllocExpr) const { const Expr *AllocExpr) const {
if (!ChecksEnabled[CK_MallocChecker] && if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
!ChecksEnabled[CK_NewDeleteChecker]) C.addSink();
return; return;
}
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
ExplodedNode *N = C.generateErrorNode(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
Show All 33 Linesvoid MallocChecker::HandleOffsetFree(CheckerContext &C, SVal ArgVal,
auto R = std::make_unique<PathSensitiveBugReport>(*BT_OffsetFree[*CheckKind], auto R = std::make_unique<PathSensitiveBugReport>(*BT_OffsetFree[*CheckKind],
os.str(), N); os.str(), N);
R->markInteresting(MR->getBaseRegion()); R->markInteresting(MR->getBaseRegion());
R->addRange(Range); R->addRange(Range);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, void MallocChecker::HandleUseAfterFree(CheckerContext &C, SourceRange Range,
SymbolRef Sym) const { SymbolRef Sym) const {
if (!ChecksEnabled[CK_MallocChecker] && if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker] &&
!ChecksEnabled[CK_NewDeleteChecker] && !ChecksEnabled[CK_InnerPointerChecker]) {
!ChecksEnabled[CK_InnerPointerChecker]) C.addSink();
return; return;
}
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_UseFree[*CheckKind]) if (!BT_UseFree[*CheckKind])
BT_UseFree[*CheckKind].reset(new BugType( BT_UseFree[*CheckKind].reset(new BugType(
Show All 15 Lines if (ExplodedNode *N = C.generateErrorNode()) {
if (AF == AF_InnerBuffer) if (AF == AF_InnerBuffer)
R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym)); R->addVisitor(allocation_state::getInnerPointerBRVisitor(Sym));
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, void MallocChecker::HandleDoubleFree(CheckerContext &C, SourceRange Range,
bool Released, SymbolRef Sym, bool Released, SymbolRef Sym,
SymbolRef PrevSym) const { SymbolRef PrevSym) const {
if (!ChecksEnabled[CK_MallocChecker] && if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
!ChecksEnabled[CK_NewDeleteChecker]) C.addSink();
return; return;
}
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_DoubleFree[*CheckKind]) if (!BT_DoubleFree[*CheckKind])
BT_DoubleFree[*CheckKind].reset(new BugType( BT_DoubleFree[*CheckKind].reset(new BugType(
CheckNames[*CheckKind], "Double free", categories::MemoryError)); CheckNames[*CheckKind], "Double free", categories::MemoryError));
auto R = std::make_unique<PathSensitiveBugReport>( auto R = std::make_unique<PathSensitiveBugReport>(
*BT_DoubleFree[*CheckKind], *BT_DoubleFree[*CheckKind],
(Released ? "Attempt to free released memory" (Released ? "Attempt to free released memory"
: "Attempt to free non-owned memory"), : "Attempt to free non-owned memory"),
N); N);
R->addRange(Range); R->addRange(Range);
R->markInteresting(Sym); R->markInteresting(Sym);
if (PrevSym) if (PrevSym)
R->markInteresting(PrevSym); R->markInteresting(PrevSym);
R->addVisitor(std::make_unique<MallocBugVisitor>(Sym)); R->addVisitor(std::make_unique<MallocBugVisitor>(Sym));
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { void MallocChecker::HandleDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
if (!ChecksEnabled[CK_NewDeleteChecker]) if (!ChecksEnabled[CK_NewDeleteChecker]) {
C.addSink();
return; return;
}
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_DoubleDelete) if (!BT_DoubleDelete)
BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
"Double delete", "Double delete",
categories::MemoryError)); categories::MemoryError));
auto R = std::make_unique<PathSensitiveBugReport>( auto R = std::make_unique<PathSensitiveBugReport>(
*BT_DoubleDelete, "Attempt to delete released memory", N); *BT_DoubleDelete, "Attempt to delete released memory", N);
R->markInteresting(Sym); R->markInteresting(Sym);
R->addVisitor(std::make_unique<MallocBugVisitor>(Sym)); R->addVisitor(std::make_unique<MallocBugVisitor>(Sym));
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void MallocChecker::ReportUseZeroAllocated(CheckerContext &C, void MallocChecker::HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,
SourceRange Range,
SymbolRef Sym) const { SymbolRef Sym) const {
if (!ChecksEnabled[CK_MallocChecker] && if (!ChecksEnabled[CK_MallocChecker] && !ChecksEnabled[CK_NewDeleteChecker]) {
!ChecksEnabled[CK_NewDeleteChecker]) C.addSink();
return; return;
}
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_UseZerroAllocated[*CheckKind]) if (!BT_UseZerroAllocated[*CheckKind])
BT_UseZerroAllocated[*CheckKind].reset( BT_UseZerroAllocated[*CheckKind].reset(
new BugType(CheckNames[*CheckKind], "Use of zero allocated", new BugType(CheckNames[*CheckKind], "Use of zero allocated",
categories::MemoryError)); categories::MemoryError));
auto R = std::make_unique<PathSensitiveBugReport>( auto R = std::make_unique<PathSensitiveBugReport>(
*BT_UseZerroAllocated[*CheckKind], "Use of zero-allocated memory", N); *BT_UseZerroAllocated[*CheckKind], "Use of zero-allocated memory", N);
R->addRange(Range); R->addRange(Range);
if (Sym) { if (Sym) {
R->markInteresting(Sym); R->markInteresting(Sym);
R->addVisitor(std::make_unique<MallocBugVisitor>(Sym)); R->addVisitor(std::make_unique<MallocBugVisitor>(Sym));
} }
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void MallocChecker::ReportFunctionPointerFree(CheckerContext &C, SVal ArgVal, void MallocChecker::HandleFunctionPtrFree(CheckerContext &C, SVal ArgVal,
SourceRange Range, SourceRange Range,
const Expr *FreeExpr, const Expr *FreeExpr,
AllocationFamily Family) const { AllocationFamily Family) const {
if (!ChecksEnabled[CK_MallocChecker]) if (!ChecksEnabled[CK_MallocChecker]) {
C.addSink();
return; return;
}
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateErrorNode()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_BadFree[*CheckKind]) if (!BT_BadFree[*CheckKind])
BT_BadFree[*CheckKind].reset(new BugType( BT_BadFree[*CheckKind].reset(new BugType(
▲ Show 20 LinesShow All 181 Lines▼ Show 20 Lines if (NContext == LeakContext ||
NContext->isParentOf(LeakContext)) NContext->isParentOf(LeakContext))
AllocNode = N; AllocNode = N;
N = N->pred_empty() ? nullptr : *(N->pred_begin()); N = N->pred_empty() ? nullptr : *(N->pred_begin());
} }
return LeakInfo(AllocNode, ReferenceRegion); return LeakInfo(AllocNode, ReferenceRegion);
} }
void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, void MallocChecker::HandleLeak(SymbolRef Sym, ExplodedNode *N,
CheckerContext &C) const { CheckerContext &C) const {
if (!ChecksEnabled[CK_MallocChecker] && if (!ChecksEnabled[CK_MallocChecker] &&
!ChecksEnabled[CK_NewDeleteLeaksChecker]) !ChecksEnabled[CK_NewDeleteLeaksChecker])
return; return;
const RefState *RS = C.getState()->get<RegionState>(Sym); const RefState *RS = C.getState()->get<RegionState>(Sym);
assert(RS && "cannot leak an untracked symbol"); assert(RS && "cannot leak an untracked symbol");
▲ Show 20 LinesShow All 99 Lines▼ Show 20 Linesvoid MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
// Generate leak node. // Generate leak node.
ExplodedNode *N = C.getPredecessor(); ExplodedNode *N = C.getPredecessor();
if (!Errors.empty()) { if (!Errors.empty()) {
static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
N = C.generateNonFatalErrorNode(C.getState(), &Tag); N = C.generateNonFatalErrorNode(C.getState(), &Tag);
if (N) { if (N) {
for (SmallVectorImpl<SymbolRef>::iterator for (SmallVectorImpl<SymbolRef>::iterator
I = Errors.begin(), E = Errors.end(); I != E; ++I) { I = Errors.begin(), E = Errors.end(); I != E; ++I) {
reportLeak(*I, N, C); HandleLeak(*I, N, C);
} }
} }
} }
C.addTransition(state->set<RegionState>(RS), N); C.addTransition(state->set<RegionState>(RS), N);
} }
void MallocChecker::checkPreCall(const CallEvent &Call, void MallocChecker::checkPreCall(const CallEvent &Call,
▲ Show 20 LinesShow All 168 Lines▼ Show 20 Linesbool MallocChecker::suppressDeallocationsInSuspiciousContexts(
C.addTransition(State); C.addTransition(State);
return true; return true;
} }
bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C, bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
const Stmt *S) const { const Stmt *S) const {
if (isReleased(Sym, C)) { if (isReleased(Sym, C)) {
ReportUseAfterFree(C, S->getSourceRange(), Sym); HandleUseAfterFree(C, S->getSourceRange(), Sym);
return true; return true;
} }
return false; return false;
} }
void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C, void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
const Stmt *S) const { const Stmt *S) const {
assert(Sym); assert(Sym);
if (const RefState *RS = C.getState()->get<RegionState>(Sym)) { if (const RefState *RS = C.getState()->get<RegionState>(Sym)) {
if (RS->isAllocatedOfSizeZero()) if (RS->isAllocatedOfSizeZero())
ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym); HandleUseZeroAlloc(C, RS->getStmt()->getSourceRange(), Sym);
} }
else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) { else if (C.getState()->contains<ReallocSizeZeroSymbols>(Sym)) {
ReportUseZeroAllocated(C, S->getSourceRange(), Sym); HandleUseZeroAlloc(C, S->getSourceRange(), Sym);
} }
} }
bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const { bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {
if (isReleased(Sym, C)) { if (isReleased(Sym, C)) {
ReportDoubleDelete(C, Sym); HandleDoubleDelete(C, Sym);
return true; return true;
} }
return false; return false;
} }
// Check if the location is a freed symbolic region. // Check if the location is a freed symbolic region.
void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S, void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
CheckerContext &C) const { CheckerContext &C) const {
▲ Show 20 LinesShow All 565 LinesShow Last 20 Lines

clang/test/Analysis/Malloc+NewDelete_intersections.cpp

  • This file was deleted.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,cplusplus.NewDelete -std=c++11 -verify %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix.Malloc,cplusplus.NewDelete,cplusplus.NewDeleteLeaks -std=c++11 -verify %s
typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t);
void free(void *);
//-------------------------------------------------------------------
// Check that unix.Malloc + cplusplus.NewDelete does not enable
// warnings produced by unix.MismatchedDeallocator.
//-------------------------------------------------------------------
void testMismatchedDeallocator() {
int *p = (int *)malloc(sizeof(int));
delete p;
} // expected-warning{{Potential leak of memory pointed to by 'p'}}

clang/test/Analysis/NewDelete-checker-test.cpp

// RUN: %clang_analyze_cc1 -std=c++11 -fblocks -verify %s \ // RUN: %clang_analyze_cc1 -std=c++11 -fblocks %s \
// RUN: -verify=expected,newdelete \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=cplusplus.NewDelete // RUN: -analyzer-checker=cplusplus.NewDelete
// //
// RUN: %clang_analyze_cc1 -DLEAKS -std=c++11 -fblocks -verify %s \ // RUN: %clang_analyze_cc1 -DLEAKS -std=c++11 -fblocks %s \
// RUN: -verify=expected,newdelete,leak \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=cplusplus.NewDelete \
// RUN: -analyzer-checker=cplusplus.NewDeleteLeaks // RUN: -analyzer-checker=cplusplus.NewDeleteLeaks
// //
// RUN: %clang_analyze_cc1 -std=c++11 -fblocks -verify %s \ // RUN: %clang_analyze_cc1 -std=c++11 -fblocks %s \
// RUN: -verify=expected,newdelete \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=cplusplus.NewDelete \ // RUN: -analyzer-checker=cplusplus.NewDelete \
// RUN: -analyzer-config c++-allocator-inlining=true // RUN: -analyzer-config c++-allocator-inlining=true
// //
// RUN: %clang_analyze_cc1 -DLEAKS -std=c++11 -fblocks -verify %s \ // RUN: %clang_analyze_cc1 -std=c++11 -fblocks -verify %s \
// RUN: -verify=expected,newdelete,leak \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=cplusplus.NewDelete \
// RUN: -analyzer-checker=cplusplus.NewDeleteLeaks \ // RUN: -analyzer-checker=cplusplus.NewDeleteLeaks \
// RUN: -analyzer-config c++-allocator-inlining=true // RUN: -analyzer-config c++-allocator-inlining=true
// //
// RUN: %clang_analyze_cc1 -DTEST_INLINABLE_ALLOCATORS \ // RUN: %clang_analyze_cc1 -std=c++11 -fblocks -verify %s \
// RUN: -std=c++11 -fblocks -verify %s \ // RUN: -verify=expected,leak \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=cplusplus.NewDelete
//
// RUN: %clang_analyze_cc1 -DLEAKS -DTEST_INLINABLE_ALLOCATORS \
// RUN: -std=c++11 -fblocks -verify %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=cplusplus.NewDeleteLeaks // RUN: -analyzer-checker=cplusplus.NewDeleteLeaks
//
// RUN: %clang_analyze_cc1 -DTEST_INLINABLE_ALLOCATORS \
// RUN: -std=c++11 -fblocks -verify %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=cplusplus.NewDelete \
// RUN: -analyzer-config c++-allocator-inlining=true
//
// RUN: %clang_analyze_cc1 -DLEAKS -DTEST_INLINABLE_ALLOCATORS \
// RUN: -std=c++11 -fblocks -verify %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=cplusplus.NewDeleteLeaks \
// RUN: -analyzer-config c++-allocator-inlining=true
#include "Inputs/system-header-simulator-cxx.h" #include "Inputs/system-header-simulator-cxx.h"
typedef __typeof__(sizeof(int)) size_t; typedef __typeof__(sizeof(int)) size_t;
extern "C" void *malloc(size_t); extern "C" void *malloc(size_t);
extern "C" void free (void* ptr); extern "C" void free (void* ptr);
int *global; int *global;
//------------------ //------------------
// check for leaks // check for leaks
//------------------ //------------------
//----- Standard non-placement operators //----- Standard non-placement operators
void testGlobalOpNew() { void testGlobalOpNew() {
void *p = operator new(0); void *p = operator new(0);
} } // leak-warning{{Potential leak of memory pointed to by 'p'}}
#ifdef LEAKS
// expected-warning@-2{{Potential leak of memory pointed to by 'p'}}
#endif
void testGlobalOpNewArray() { void testGlobalOpNewArray() {
void *p = operator new[](0); void *p = operator new[](0);
} } // leak-warning{{Potential leak of memory pointed to by 'p'}}
#ifdef LEAKS
// expected-warning@-2{{Potential leak of memory pointed to by 'p'}}
#endif
void testGlobalNewExpr() { void testGlobalNewExpr() {
int *p = new int; int *p = new int;
} } // leak-warning{{Potential leak of memory pointed to by 'p'}}
#ifdef LEAKS
// expected-warning@-2{{Potential leak of memory pointed to by 'p'}}
#endif
void testGlobalNewExprArray() { void testGlobalNewExprArray() {
int *p = new int[0]; int *p = new int[0];
} } // leak-warning{{Potential leak of memory pointed to by 'p'}}
#ifdef LEAKS
// expected-warning@-2{{Potential leak of memory pointed to by 'p'}}
#endif
//----- Standard nothrow placement operators //----- Standard nothrow placement operators
void testGlobalNoThrowPlacementOpNewBeforeOverload() { void testGlobalNoThrowPlacementOpNewBeforeOverload() {
void *p = operator new(0, std::nothrow); void *p = operator new(0, std::nothrow);
} } // leak-warning{{Potential leak of memory pointed to by 'p'}}
#ifdef LEAKS
#ifndef TEST_INLINABLE_ALLOCATORS
// expected-warning@-3{{Potential leak of memory pointed to by 'p'}}
#endif
#endif
void testGlobalNoThrowPlacementExprNewBeforeOverload() { void testGlobalNoThrowPlacementExprNewBeforeOverload() {
int *p = new(std::nothrow) int; int *p = new(std::nothrow) int;
} } // leak-warning{{Potential leak of memory pointed to by 'p'}}
#ifdef LEAKS
#ifndef TEST_INLINABLE_ALLOCATORS
// expected-warning@-3{{Potential leak of memory pointed to by 'p'}}
#endif
#endif
//----- Standard pointer placement operators //----- Standard pointer placement operators
void testGlobalPointerPlacementNew() { void testGlobalPointerPlacementNew() {
int i; int i;
void *p1 = operator new(0, &i); // no warn void *p1 = operator new(0, &i); // no warn
void *p2 = operator new[](0, &i); // no warn void *p2 = operator new[](0, &i); // no warn
Show All 23 Lines
} }
//----------------------------------------- //-----------------------------------------
// check for usage of zero-allocated memory // check for usage of zero-allocated memory
//----------------------------------------- //-----------------------------------------
void testUseZeroAlloc1() { void testUseZeroAlloc1() {
int *p = (int *)operator new(0); int *p = (int *)operator new(0);
*p = 1; // expected-warning {{Use of zero-allocated memory}} *p = 1; // newdelete-warning {{Use of zero-allocated memory}}
delete p; delete p;
} }
int testUseZeroAlloc2() { int testUseZeroAlloc2() {
int *p = (int *)operator new[](0); int *p = (int *)operator new[](0);
return p[0]; // expected-warning {{Use of zero-allocated memory}} return p[0]; // newdelete-warning {{Use of zero-allocated memory}}
delete[] p; delete[] p;
} }
void f(int); void f(int);
void testUseZeroAlloc3() { void testUseZeroAlloc3() {
int *p = new int[0]; int *p = new int[0];
f(*p); // expected-warning {{Use of zero-allocated memory}} f(*p); // newdelete-warning {{Use of zero-allocated memory}}
delete[] p; delete[] p;
} }
//--------------- //---------------
// other checks // other checks
//--------------- //---------------
class SomeClass { class SomeClass {
public: public:
void f(int *p); void f(int *p);
}; };
void f(int *p1, int *p2 = 0, int *p3 = 0); void f(int *p1, int *p2 = 0, int *p3 = 0);
void g(SomeClass &c, ...); void g(SomeClass &c, ...);
void testUseFirstArgAfterDelete() { void testUseFirstArgAfterDelete() {
int *p = new int; int *p = new int;
delete p; delete p;
f(p); // expected-warning{{Use of memory after it is freed}} f(p); // newdelete-warning{{Use of memory after it is freed}}
} }
void testUseMiddleArgAfterDelete(int *p) { void testUseMiddleArgAfterDelete(int *p) {
delete p; delete p;
f(0, p); // expected-warning{{Use of memory after it is freed}} f(0, p); // newdelete-warning{{Use of memory after it is freed}}
} }
void testUseLastArgAfterDelete(int *p) { void testUseLastArgAfterDelete(int *p) {
delete p; delete p;
f(0, 0, p); // expected-warning{{Use of memory after it is freed}} f(0, 0, p); // newdelete-warning{{Use of memory after it is freed}}
} }
void testUseSeveralArgsAfterDelete(int *p) { void testUseSeveralArgsAfterDelete(int *p) {
delete p; delete p;
f(p, p, p); // expected-warning{{Use of memory after it is freed}} f(p, p, p); // newdelete-warning{{Use of memory after it is freed}}
} }
void testUseRefArgAfterDelete(SomeClass &c) { void testUseRefArgAfterDelete(SomeClass &c) {
delete &c; delete &c;
g(c); // expected-warning{{Use of memory after it is freed}} g(c); // newdelete-warning{{Use of memory after it is freed}}
} }
void testVariadicArgAfterDelete() { void testVariadicArgAfterDelete() {
SomeClass c; SomeClass c;
int *p = new int; int *p = new int;
delete p; delete p;
g(c, 0, p); // expected-warning{{Use of memory after it is freed}} g(c, 0, p); // newdelete-warning{{Use of memory after it is freed}}
} }
void testUseMethodArgAfterDelete(int *p) { void testUseMethodArgAfterDelete(int *p) {
SomeClass *c = new SomeClass; SomeClass *c = new SomeClass;
delete p; delete p;
c->f(p); // expected-warning{{Use of memory after it is freed}} c->f(p); // newdelete-warning{{Use of memory after it is freed}}
} }
void testUseThisAfterDelete() { void testUseThisAfterDelete() {
SomeClass *c = new SomeClass; SomeClass *c = new SomeClass;
delete c; delete c;
c->f(0); // expected-warning{{Use of memory after it is freed}} c->f(0); // newdelete-warning{{Use of memory after it is freed}}
} }
void testDoubleDelete() { void testDoubleDelete() {
int *p = new int; int *p = new int;
delete p; delete p;
delete p; // expected-warning{{Attempt to free released memory}} delete p; // newdelete-warning{{Attempt to free released memory}}
} }
void testExprDeleteArg() { void testExprDeleteArg() {
int i; int i;
delete &i; // expected-warning{{Argument to 'delete' is the address of the local variable 'i', which is not memory allocated by 'new'}} delete &i; // newdelete-warning{{Argument to 'delete' is the address of the local variable 'i', which is not memory allocated by 'new'}}
} }
void testExprDeleteArrArg() { void testExprDeleteArrArg() {
int i; int i;
delete[] &i; // expected-warning{{Argument to 'delete[]' is the address of the local variable 'i', which is not memory allocated by 'new[]'}} delete[] & i; // newdelete-warning{{Argument to 'delete[]' is the address of the local variable 'i', which is not memory allocated by 'new[]'}}
} }
void testAllocDeallocNames() { void testAllocDeallocNames() {
int *p = new(std::nothrow) int[1]; int *p = new(std::nothrow) int[1];
delete[] (++p); delete[] (++p);
#ifndef TEST_INLINABLE_ALLOCATORS // newdelete-warning@-1{{Argument to 'delete[]' is offset by 4 bytes from the start of memory allocated by 'new[]'}}
// expected-warning@-2{{Argument to 'delete[]' is offset by 4 bytes from the start of memory allocated by 'new[]'}}
#endif
} }
//-------------------------------- //--------------------------------
// Test escape of newed const pointer. Note, a const pointer can be deleted. // Test escape of newed const pointer. Note, a const pointer can be deleted.
//-------------------------------- //--------------------------------
struct StWithConstPtr { struct StWithConstPtr {
const int *memp; const int *memp;
}; };
▲ Show 20 LinesShow All 160 Lines▼ Show 20 Linespublic:
int *x; int *x;
DerefClass() {} DerefClass() {}
~DerefClass() {*x = 1;} ~DerefClass() {*x = 1;}
}; };
void testDoubleDeleteClassInstance() { void testDoubleDeleteClassInstance() {
DerefClass *foo = new DerefClass(); DerefClass *foo = new DerefClass();
delete foo; delete foo;
delete foo; // expected-warning {{Attempt to delete released memory}} delete foo; // newdelete-warning {{Attempt to delete released memory}}
} }
class EmptyClass{ class EmptyClass{
public: public:
EmptyClass() {} EmptyClass() {}
~EmptyClass() {} ~EmptyClass() {}
}; };
void testDoubleDeleteEmptyClass() { void testDoubleDeleteEmptyClass() {
EmptyClass *foo = new EmptyClass(); EmptyClass *foo = new EmptyClass();
delete foo; delete foo;
delete foo; // expected-warning {{Attempt to delete released memory}} delete foo; // newdelete-warning {{Attempt to delete released memory}}
} }
struct Base { struct Base {
virtual ~Base() {} virtual ~Base() {}
}; };
struct Derived : Base { struct Derived : Base {
}; };
Show All 9 Lines

clang/test/Analysis/NewDelete-intersections.mm

// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDelete -std=c++11 -fblocks -verify %s // RUN: %clang_analyze_cc1 -std=c++11 -fblocks %s \
// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDelete,cplusplus.NewDeleteLeaks -std=c++11 -DLEAKS -fblocks -verify %s // RUN: -verify=newdelete \
// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDelete -std=c++11 -fblocks -DTEST_INLINABLE_ALLOCATORS -verify %s // RUN: -analyzer-checker=core \
// RUN: %clang_analyze_cc1 -analyzer-checker=core,cplusplus.NewDelete,cplusplus.NewDeleteLeaks -std=c++11 -DLEAKS -fblocks -DTEST_INLINABLE_ALLOCATORS -verify %s // RUN: -analyzer-checker=cplusplus.NewDelete
// RUN: %clang_analyze_cc1 -std=c++11 -DLEAKS -fblocks %s \
// RUN: -verify=leak \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=cplusplus.NewDeleteLeaks
// leak-no-diagnostics
// RUN: %clang_analyze_cc1 -std=c++11 -DLEAKS -fblocks %s \
// RUN: -verify=mismatch \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.MismatchedDeallocator
#include "Inputs/system-header-simulator-cxx.h" #include "Inputs/system-header-simulator-cxx.h"
#include "Inputs/system-header-simulator-objc.h" #include "Inputs/system-header-simulator-objc.h"
typedef __typeof__(sizeof(int)) size_t; typedef __typeof__(sizeof(int)) size_t;
extern "C" void *malloc(size_t); extern "C" void *malloc(size_t);
extern "C" void *alloca(size_t); extern "C" void *alloca(size_t);
extern "C" void free(void *); extern "C" void free(void *);
//----------------------------------------------------------------------------
// Check for intersections with unix.Malloc and unix.MallocWithAnnotations
// checkers bounded with cplusplus.NewDelete.
//----------------------------------------------------------------------------
//----- malloc()/free() are subjects of unix.Malloc and unix.MallocWithAnnotations
void testMallocFreeNoWarn() { void testMallocFreeNoWarn() {
int i; int i;
free(&i); // no warn free(&i); // no warn
int *p1 = (int *)malloc(sizeof(int)); int *p1 = (int *)malloc(sizeof(int));
free(++p1); // no warn free(++p1); // no warn
int *p2 = (int *)malloc(sizeof(int)); int *p2 = (int *)malloc(sizeof(int));
free(p2); free(p2);
free(p2); // no warn free(p2); // no warn
int *p3 = (int *)malloc(sizeof(int)); // no warn int *p3 = (int *)malloc(sizeof(int)); // no warn
int *p4 = (int *)malloc(sizeof(int)); int *p4 = (int *)malloc(sizeof(int));
free(p4); free(p4);
int j = *p4; // no warn int j = *p4; // no warn
int *p5 = (int *)alloca(sizeof(int)); int *p5 = (int *)alloca(sizeof(int));
free(p5); // no warn free(p5); // no warn
} }
void testDeleteMalloced() { void testDeleteMalloced() {
int *p1 = (int *)malloc(sizeof(int)); int *p1 = (int *)malloc(sizeof(int));
delete p1; // no warn delete p1;
// mismatch-warning@-1{{Memory allocated by malloc() should be deallocated by free(), not 'delete'}}
int *p2 = (int *)__builtin_alloca(sizeof(int)); int *p2 = (int *)__builtin_alloca(sizeof(int));
delete p2; // no warn delete p2; // no warn
} }
void testUseZeroAllocatedMalloced() { void testUseZeroAllocatedMalloced() {
int *p1 = (int *)malloc(0); int *p1 = (int *)malloc(0);
*p1 = 1; // no warn *p1 = 1; // no warn
} }
//----- Test free standard new //----- Test free standard new
void testFreeOpNew() { void testFreeOpNew() {
void *p = operator new(0); void *p = operator new(0);
free(p); free(p);
// mismatch-warning@-1{{Memory allocated by operator new should be deallocated by 'delete', not free()}}
} }
#ifdef LEAKS
// expected-warning@-2 {{Potential leak of memory pointed to by 'p'}}
#endif
void testFreeNewExpr() { void testFreeNewExpr() {
int *p = new int; int *p = new int;
free(p); free(p);
// mismatch-warning@-1{{Memory allocated by 'new' should be deallocated by 'delete', not free()}}
free(p);
} }
#ifdef LEAKS
// expected-warning@-2 {{Potential leak of memory pointed to by 'p'}}
#endif
void testObjcFreeNewed() { void testObjcFreeNewed() {
int *p = new int; int *p = new int;
NSData *nsdata = [NSData dataWithBytesNoCopy:p length:sizeof(int) freeWhenDone:1]; NSData *nsdata = [NSData dataWithBytesNoCopy:p length:sizeof(int) freeWhenDone:1];
#ifdef LEAKS // mismatch-warning@-1{{+dataWithBytesNoCopy:length:freeWhenDone: cannot take ownership of memory allocated by 'new'}}
// expected-warning@-2 {{Potential leak of memory pointed to by 'p'}}
#endif
} }
void testFreeAfterDelete() { void testFreeAfterDelete() {
int *p = new int; int *p = new int;
delete p; delete p;
free(p); // expected-warning{{Use of memory after it is freed}} free(p); // newdelete-warning{{Use of memory after it is freed}}
} }
void testStandardPlacementNewAfterDelete() { void testStandardPlacementNewAfterDelete() {
int *p = new int; int *p = new int;
delete p; delete p;
p = new(p) int; // expected-warning{{Use of memory after it is freed}} p = new (p) int; // newdelete-warning{{Use of memory after it is freed}}
} }

clang/test/Analysis/new.cpp

Show First 20 LinesShow All 109 Lines▼ Show 20 Lines
void testUseAfter(int *p) { void testUseAfter(int *p) {
SomeClass *c = new SomeClass; SomeClass *c = new SomeClass;
free(p); free(p);
c->f(p); // expected-warning{{Use of memory after it is freed}} c->f(p); // expected-warning{{Use of memory after it is freed}}
delete c; delete c;
} }
//--------------------------------------------------------------------
// Check for intersection with other checkers from MallocChecker.cpp
// bounded with unix.Malloc
//--------------------------------------------------------------------
// new/delete oparators are subjects of cplusplus.NewDelete. // new/delete oparators are subjects of cplusplus.NewDelete.
void testNewDeleteNoWarn() { void testNewDeleteNoWarn() {
int i; int i;
delete &i; // no-warning delete &i; // no-warning
int *p1 = new int; int *p1 = new int;
delete ++p1; // no-warning delete ++p1; // no-warning
int *p2 = new int; int *p2 = new int;
delete p2; delete p2;
delete p2; // no-warning delete p2; // no-warning
int *p3 = new int; // no-warning int *p3 = new int; // no-warning
} }
// unix.Malloc does not know about operators new/delete.
void testDeleteMallocked() { void testDeleteMallocked() {
int *x = (int *)malloc(sizeof(int)); int *x = (int *)malloc(sizeof(int));
delete x; // FIXME: Should detect pointer escape and keep silent after 'delete' is modeled properly. // unix.MismatchedDeallocator would catch this, but we're not testing it here.
} // expected-warning{{Potential leak of memory pointed to by 'x'}} delete x;
}
void testDeleteOpAfterFree() { void testDeleteOpAfterFree() {
int *p = (int *)malloc(sizeof(int)); int *p = (int *)malloc(sizeof(int));
free(p); free(p);
operator delete(p); // expected-warning{{Use of memory after it is freed}} operator delete(p); // expected-warning{{Use of memory after it is freed}}
} }
void testDeleteAfterFree() { void testDeleteAfterFree() {
▲ Show 20 LinesShow All 221 LinesShow Last 20 Lines
clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp