This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
2
MallocChecker.cpp
-
test/Analysis/
-
Analysis/
-
malloc.cpp

Differential D81745

[analyzer][MallocChecker] PR46253: Correctly recognize standard realloc
ClosedPublic

Authored by Szelethus on Jun 12 2020, 9:11 AM.

Download Raw Diff

Details

Reviewers

NoQ
hokein
baloghadamsoftware
balazske
xazax.hun
dcoughlin
vsavchenko
martong

Commits

rG1614e3540827: [analyzer][MallocChecker] PR46253: Correctly recognize standard realloc

Summary

https://bugs.llvm.org/show_bug.cgi?id=46253

This is an obvious hack because realloc isn't any more affected than other functions modeled by MallocChecker (or any user of CallDescription really), but the nice solution will take some time to implement.

Diff Detail

Event Timeline

Szelethus created this revision.Jun 12 2020, 9:11 AM

Herald added subscribers: cfe-commits, ASDenysPetrov, steakhal and 9 others. · View Herald TranscriptJun 12 2020, 9:11 AM

Harbormaster failed remote builds in B60130: Diff 270417!Jun 12 2020, 9:45 AM

Thanks! Yeah, that's a lot of annoying code to write that doesn't need to be imperative at all.

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1074–1075	https://bugs.llvm.org/show_bug.cgi?id=46253#c1 Uh-oh, did we lose some sanity checking during CallDescription conversion? While modeling of all functions is probably incorrect, the crash can be bisected down to D68165. I think other functions don't crash because they already have similar type checks in them, just more spread out around the code rather than concentrated in one place. It might still be worth it to try to figure out why exactly did D68165 cause it in order to double-check for more regressions.

This revision is now accepted and ready to land.Jun 13 2020, 3:29 PM

martong added inline comments.Jun 16 2020, 8:02 AM

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
1071–1072	Indeed. CallDescrtiption could be improved to do precise type checking. Also it could be matching FunctionDecls instead of names of functions (strings), we see how error prone this can be. I think, the mechanisms in StdCLibraryFunctionChecker could be integrated into CallDescription, so all other checkers could benefit. See also the discussion we had on this with @xazax.hun : In D80016#2063978, @martong wrote: In D80016#2063234, @xazax.hun wrote: A high level comment. Trying to match function signatures is not a unique problem! In fact, almost all of the checks the analyzer have is trying to solve the very some problem. One of the methods we have at this point is called CallDescription, see here: https://github.com/llvm/llvm-project/blob/master/clang/lib/StaticAnalyzer/Core/CallEvent.cpp#L358 Moreover, I would assume something similar needs to be done for APINotes. Do you think it would be possible to extend the CallDescription interface to match your needs? In that case all of the checks could profit from this work. What do you think? Yes, viewing from this angle, I am trying to solve a problem here that perhaps could be handled by CallDescription and CallDescriptionMap with some extensions. Here are the differences between the two approaches so far: CallDescription is evaluated for every call event (e.g. checkPreCall), the names - strings - are compared; containing declaration contexts are compared by names (see CallEvent::isCalled). Contrary to this, summaries are associated directly to FunctionDecls, so during a call event we compare two FunctionDecl pointers. A CallDescription does not support overloading on different types if the number of parameters are the same. With summaries this works. A CallDescriptionMap is a static map with fixed number of entries. Contrary to this, the FunctionSummaryMap contains an entry (a summary) for a function only if we can lookup a matching FunctionDecl in the TU. The initialization of the FunctionSummaryMap happens lazily during the first call event. Except the lack of proper overloading support, these differences are in the implementation. So, yes, giving it more thought, maybe we could refactor CallDescriptionMap to behave this way, but that would be some very heavy refactoring :) Still, would be possible, I guess. Moreover, I would assume something similar needs to be done for APINotes. Yes, I agree, I could not find out (yet) how the do it, but somehow they must match a given FunctionDecl to the Name in the YAML. I was thinking about an alternative method for a long time now. Making one step backwards: what we need is to be able to associate some data to a given function. And we can perfectly identify the function with it's prototype written in C/C++. So, what if we'd be able to write a CallDescriptionMap (or a FunctionSummaryMap) like this: CallDescriptionMap<FnCheck> Callbacks = { {{"void memcpy(void dest, const void *src, size_t n)"}, &CStringChecker::evalMemcpy}, ... Actually, we could reuse the Parser and the Sema itself to solve this issue. In fact, we could achieve this by reusing the ExternalASTSource together with the ASTImporter to find precisely the existing redecl chain in the TU for memcpy.

Closed by commit rG1614e3540827: [analyzer][MallocChecker] PR46253: Correctly recognize standard realloc (authored by Szelethus). · Explain WhyJun 16 2020, 9:22 AM

This revision was automatically updated to reflect the committed changes.

Szelethus mentioned this in D81059: [analyzer] CallDescriptionMap: Support CXXOperatorCallExpr.Jul 2 2020, 9:03 AM

Szelethus mentioned this in D90691: [analyzer] Add new checker for unchecked return value..Feb 10 2021, 8:02 PM

Szelethus mentioned this in D119004: [NFC][analyzer] Allow CallDescriptions to be matched with CallExprs.Feb 4 2022, 8:23 AM

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

MallocChecker.cpp

40 lines

test/

Analysis/

malloc.cpp

18 lines

Diff 270417

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 Lines • Show All 41 Lines • ▼ Show 20 Lines
// the above checkers, it has it's own file, hence the many InnerPointerChecker		// the above checkers, it has it's own file, hence the many InnerPointerChecker
// related headers and non-static functions.		// related headers and non-static functions.
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#include "AllocationState.h"		#include "AllocationState.h"
#include "InterCheckerAPI.h"		#include "InterCheckerAPI.h"
#include "clang/AST/Attr.h"		#include "clang/AST/Attr.h"
		#include "clang/AST/DeclCXX.h"
#include "clang/AST/Expr.h"		#include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h"		#include "clang/AST/ExprCXX.h"
#include "clang/AST/ParentMap.h"		#include "clang/AST/ParentMap.h"
#include "clang/Basic/LLVM.h"		#include "clang/Basic/LLVM.h"
#include "clang/Basic/SourceManager.h"		#include "clang/Basic/SourceManager.h"
#include "clang/Basic/TargetInfo.h"		#include "clang/Basic/TargetInfo.h"
#include "clang/Lex/Lexer.h"		#include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"		#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
▲ Show 20 Lines • Show All 974 Lines • ▼ Show 20 Lines	void MallocChecker::checkKernelMalloc(const CallEvent &Call,
if (MaybeState.hasValue())		if (MaybeState.hasValue())
State = MaybeState.getValue();		State = MaybeState.getValue();
else		else
State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,		State = MallocMemAux(C, Call, Call.getArgExpr(0), UndefinedVal(), State,
AF_Malloc);		AF_Malloc);
C.addTransition(State);		C.addTransition(State);
}		}

void MallocChecker::checkRealloc(const CallEvent &Call,		static bool isStandardRealloc(const CallEvent &Call) {
CheckerContext &C,		const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl());
		assert(FD);
		ASTContext &AC = FD->getASTContext();

		if (isa<CXXMethodDecl>(FD))
		return false;

		return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy &&
		FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
		FD->getParamDecl(1)->getType().getDesugaredType(AC) ==
		AC.getSizeType();
		}

		static bool isGRealloc(const CallEvent &Call) {
		const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl());
		assert(FD);
		ASTContext &AC = FD->getASTContext();

		if (isa<CXXMethodDecl>(FD))
		return false;

		return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy &&
		FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
		FD->getParamDecl(1)->getType().getDesugaredType(AC) ==
		AC.UnsignedLongTy;
		}

		void MallocChecker::checkRealloc(const CallEvent &Call, CheckerContext &C,
bool ShouldFreeOnFail) const {		bool ShouldFreeOnFail) const {
		// HACK: CallDescription currently recognizes non-standard realloc functions
		// as standard because it doesn't check the type, or wether its a non-method
		martongUnsubmitted Not Done Reply Inline Actions Indeed. CallDescrtiption could be improved to do precise type checking. Also it could be matching FunctionDecls instead of names of functions (strings), we see how error prone this can be. I think, the mechanisms in StdCLibraryFunctionChecker could be integrated into CallDescription, so all other checkers could benefit. See also the discussion we had on this with @xazax.hun : In D80016#2063978, @martong wrote: In D80016#2063234, @xazax.hun wrote: A high level comment. Trying to match function signatures is not a unique problem! In fact, almost all of the checks the analyzer have is trying to solve the very some problem. One of the methods we have at this point is called CallDescription, see here: https://github.com/llvm/llvm-project/blob/master/clang/lib/StaticAnalyzer/Core/CallEvent.cpp#L358 Moreover, I would assume something similar needs to be done for APINotes. Do you think it would be possible to extend the CallDescription interface to match your needs? In that case all of the checks could profit from this work. What do you think? Yes, viewing from this angle, I am trying to solve a problem here that perhaps could be handled by CallDescription and CallDescriptionMap with some extensions. Here are the differences between the two approaches so far: CallDescription is evaluated for every call event (e.g. checkPreCall), the names - strings - are compared; containing declaration contexts are compared by names (see CallEvent::isCalled). Contrary to this, summaries are associated directly to FunctionDecls, so during a call event we compare two FunctionDecl pointers. A CallDescription does not support overloading on different types if the number of parameters are the same. With summaries this works. A CallDescriptionMap is a static map with fixed number of entries. Contrary to this, the FunctionSummaryMap contains an entry (a summary) for a function only if we can lookup a matching FunctionDecl in the TU. The initialization of the FunctionSummaryMap happens lazily during the first call event. Except the lack of proper overloading support, these differences are in the implementation. So, yes, giving it more thought, maybe we could refactor CallDescriptionMap to behave this way, but that would be some very heavy refactoring :) Still, would be possible, I guess. Moreover, I would assume something similar needs to be done for APINotes. Yes, I agree, I could not find out (yet) how the do it, but somehow they must match a given FunctionDecl to the Name in the YAML. I was thinking about an alternative method for a long time now. Making one step backwards: what we need is to be able to associate some data to a given function. And we can perfectly identify the function with it's prototype written in C/C++. So, what if we'd be able to write a CallDescriptionMap (or a FunctionSummaryMap) like this: CallDescriptionMap<FnCheck> Callbacks = { {{"void memcpy(void dest, const void src, size_t n)"}, &CStringChecker::evalMemcpy}, ... Actually, we could reuse the Parser and the Sema itself to solve this issue. In fact, we could achieve this by reusing the ExternalASTSource together with the ASTImporter to find precisely the existing redecl chain in the TU for memcpy. martong:* Indeed. CallDescrtiption could be improved to do precise type checking. Also it could be…
		// function. This should be solved by making CallDescription smarter.
		// Mind that this came from a bug report, and all other functions suffer from
		// this.
		NoQUnsubmitted Not Done Reply Inline Actions https://bugs.llvm.org/show_bug.cgi?id=46253#c1 Uh-oh, did we lose some sanity checking during CallDescription conversion? While modeling of all functions is probably incorrect, the crash can be bisected down to D68165. I think other functions don't crash because they already have similar type checks in them, just more spread out around the code rather than concentrated in one place. It might still be worth it to try to figure out why exactly did D68165 cause it in order to double-check for more regressions. NoQ: > https://bugs.llvm.org/show_bug.cgi?id=46253#c1 > Uh-oh, did we lose some sanity checking…
		// https://bugs.llvm.org/show_bug.cgi?id=46253
		if (!isStandardRealloc(Call) && !isGRealloc(Call))
		return;
ProgramStateRef State = C.getState();		ProgramStateRef State = C.getState();
State = ReallocMemAux(C, Call, ShouldFreeOnFail, State, AF_Malloc);		State = ReallocMemAux(C, Call, ShouldFreeOnFail, State, AF_Malloc);
State = ProcessZeroAllocCheck(Call, 1, State);		State = ProcessZeroAllocCheck(Call, 1, State);
C.addTransition(State);		C.addTransition(State);
}		}

void MallocChecker::checkCalloc(const CallEvent &Call,		void MallocChecker::checkCalloc(const CallEvent &Call,
CheckerContext &C) const {		CheckerContext &C) const {
▲ Show 20 Lines • Show All 2,396 Lines • Show Last 20 Lines

clang/test/Analysis/malloc.cpp

	Show First 20 Lines • Show All 166 Lines • ▼ Show 20 Lines

	#define ZERO_SIZE_PTR ((void *)16)			#define ZERO_SIZE_PTR ((void *)16)

	void test_delete_ZERO_SIZE_PTR() {			void test_delete_ZERO_SIZE_PTR() {
	int Ptr = (int )ZERO_SIZE_PTR;			int Ptr = (int )ZERO_SIZE_PTR;
	// ZERO_SIZE_PTR is specially handled but only for malloc family			// ZERO_SIZE_PTR is specially handled but only for malloc family
	delete Ptr; // expected-warning{{Argument to 'delete' is a constant address (16)}}			delete Ptr; // expected-warning{{Argument to 'delete' is a constant address (16)}}
	}			}

				namespace pr46253_class {
				class a {
				void *realloc(int, bool = false) { realloc(1); } // no-crash
				};
				} // namespace pr46253_class

				namespace pr46253_retty{
				void realloc(void *ptr, size_t size) { realloc(ptr, size); } // no-crash
				} // namespace pr46253_retty

				namespace pr46253_paramty{
				void realloc(void *ptr, size_t size) { realloc(ptr, size); } // no-crash
				} // namespace pr46253_paramty

				namespace pr46253_paramty2{
				void realloc(void ptr, int size) { realloc(ptr, size); } // no-crash
				} // namespace pr46253_paramty2