This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
MallocChecker.cpp
-
test/Analysis/
-
Analysis/
-
malloc.c

Differential D79415

[analyzer][MallocChecker] When modeling realloc-like functions, don't early return if the argument is symbolic
ClosedPublic

Authored by Szelethus on May 5 2020, 6:13 AM.

Download Raw Diff

Details

Reviewers

NoQ
balazske
martong
baloghadamsoftware
vsavchenko
xazax.hun
dcoughlin

Commits

rG2e5e42d4aeab: [analyzer][MallocChecker] When modeling realloc-like functions, don't early…

Summary

The very essence of MallocChecker lies in 2 overload sets: the FreeMemAux functions and the MallocMemAux functions. The former houses most of the error checking as well (aside from leaks), such as incorrect deallocation. There, we check whether the argument's [[ https://clang.llvm.org/doxygen/classclang_1_1ento_1_1MemSpaceRegion.html | MemSpaceRegion]] is the heap or unknown, and if it isn't, we know we encountered a bug (aside from a corner case patched by @balazske in D76830), as specified by MEM34-C.

In ReallocMemAux, which really is the combination of FreeMemAux and MallocMemAux, we incorrectly early returned if the memory argument of realloc is non-symbolic. The problem is, one of the cases where this happens when we know precisely what the region is, like an array, as demonstrated in the test file. So, lets get rid of this false negative :^)

Side note, I dislike the warning message and the associated checker name, but I'll address it in a later patch.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

Szelethus created this revision.May 5 2020, 6:13 AM

Herald added subscribers: cfe-commits, ASDenysPetrov, steakhal and 9 others. · View Herald TranscriptMay 5 2020, 6:13 AM

Szelethus edited the summary of this revision. (Show Details)May 5 2020, 6:19 AM

Szelethus edited the summary of this revision. (Show Details)

Harbormaster failed remote builds in B55782: Diff 262088!May 5 2020, 7:31 AM

whisperity retitled this revision from [analyzer][MalloChecker] When modeling realloc-like functions, don't early return if the argument is symbolic to [analyzer][MallocChecker] When modeling realloc-like functions, don't early return if the argument is symbolic.May 6 2020, 5:08 AM

LGTM, thanks!

I do agree that the warning message is not the best but it is not horrible either :)

This revision is now accepted and ready to land.May 6 2020, 5:25 AM

Closed by commit rG2e5e42d4aeab: [analyzer][MallocChecker] When modeling realloc-like functions, don't early… (authored by Szelethus). · Explain WhyMay 19 2020, 5:23 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

MallocChecker.cpp

14 lines

test/

Analysis/

malloc.c

15 lines

Diff 264867

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 Lines • Show All 2,365 Lines • ▼ Show 20 Lines	if (PrtIsNull && !SizeIsZero) {
ProgramStateRef stateMalloc =		ProgramStateRef stateMalloc =
MallocMemAux(C, CE, TotalSize, UndefinedVal(), StatePtrIsNull, Family);		MallocMemAux(C, CE, TotalSize, UndefinedVal(), StatePtrIsNull, Family);
return stateMalloc;		return stateMalloc;
}		}

if (PrtIsNull && SizeIsZero)		if (PrtIsNull && SizeIsZero)
return State;		return State;

// Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
assert(!PrtIsNull);		assert(!PrtIsNull);
SymbolRef FromPtr = arg0Val.getAsSymbol();
SVal RetVal = C.getSVal(CE);
SymbolRef ToPtr = RetVal.getAsSymbol();
if (!FromPtr \|\| !ToPtr)
return nullptr;

bool IsKnownToBeAllocated = false;		bool IsKnownToBeAllocated = false;

// If the size is 0, free the memory.		// If the size is 0, free the memory.
if (SizeIsZero)		if (SizeIsZero)
// The semantics of the return value are:		// The semantics of the return value are:
// If size was equal to 0, either NULL or a pointer suitable to be passed		// If size was equal to 0, either NULL or a pointer suitable to be passed
// to free() is returned. We just free the input pointer and do not add		// to free() is returned. We just free the input pointer and do not add
Show All 12 Lines	if (!stateRealloc)
return nullptr;		return nullptr;

OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure;		OwnershipAfterReallocKind Kind = OAR_ToBeFreedAfterFailure;
if (ShouldFreeOnFail)		if (ShouldFreeOnFail)
Kind = OAR_FreeOnFailure;		Kind = OAR_FreeOnFailure;
else if (!IsKnownToBeAllocated)		else if (!IsKnownToBeAllocated)
Kind = OAR_DoNotTrackAfterFailure;		Kind = OAR_DoNotTrackAfterFailure;

		// Get the from and to pointer symbols as in toPtr = realloc(fromPtr, size).
		SymbolRef FromPtr = arg0Val.getAsSymbol();
		SVal RetVal = C.getSVal(CE);
		SymbolRef ToPtr = RetVal.getAsSymbol();
		assert(FromPtr && ToPtr &&
		"By this point, FreeMemAux and MallocMemAux should have checked "
		"whether the argument or the return value is symbolic!");

// Record the info about the reallocated symbol so that we could properly		// Record the info about the reallocated symbol so that we could properly
// process failed reallocation.		// process failed reallocation.
stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,		stateRealloc = stateRealloc->set<ReallocPairs>(ToPtr,
ReallocPair(FromPtr, Kind));		ReallocPair(FromPtr, Kind));
// The reallocated symbol should stay alive for as long as the new symbol.		// The reallocated symbol should stay alive for as long as the new symbol.
C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);		C.getSymbolManager().addSymbolDependency(ToPtr, FromPtr);
return stateRealloc;		return stateRealloc;
}		}
▲ Show 20 Lines • Show All 957 Lines • Show Last 20 Lines

clang/test/Analysis/malloc.c

	Show First 20 Lines • Show All 1,822 Lines • ▼ Show 20 Lines

	void list_add(struct ListInfo list, struct ListInfo item);			void list_add(struct ListInfo list, struct ListInfo item);

	void testCStyleListItems(struct ListInfo *list) {			void testCStyleListItems(struct ListInfo *list) {
	struct ConcreteListItem *x = malloc(sizeof(struct ConcreteListItem));			struct ConcreteListItem *x = malloc(sizeof(struct ConcreteListItem));
	list_add(list, &x->li); // will free 'x'.			list_add(list, &x->li); // will free 'x'.
	}			}

				// MEM34-C. Only free memory allocated dynamically
				// Second non-compliant example.
				// https://wiki.sei.cmu.edu/confluence/display/c/MEM34-C.+Only+free+memory+allocated+dynamically
				enum { BUFSIZE = 256 };

				void MEM34_C(void) {
				char buf[BUFSIZE];
				char p = (char )realloc(buf, 2 * BUFSIZE);
				// expected-warning@-1{{Argument to realloc() is the address of the local \
				variable 'buf', which is not memory allocated by malloc() [unix.Malloc]}}
				if (p == NULL) {
				/* Handle error */
				}
				}

	// ----------------------------------------------------------------------------			// ----------------------------------------------------------------------------
	// False negatives.			// False negatives.

	void testMallocWithParam(int **p) {			void testMallocWithParam(int **p) {
	p = (int) malloc(sizeof(int));			p = (int) malloc(sizeof(int));
	*p = 0; // FIXME: should warn here			*p = 0; // FIXME: should warn here
	}			}

	Show All 17 Lines