This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] Implementation of potential undefbehavior.ZeroAllocDereference checker.
ClosedPublic

Authored by ayartsev on Mar 11 2015, 3:21 PM.

Download Raw Diff

Details

Reviewers

zaks.anna
ayartsev

Summary

Proposed patch implements undefbehavior.ZeroAllocDereference checker as part of unix.Malloc and cplusplus.NewDelete checkers.
The patch doesn't handle zero-size realloc()s due to specifics of current handling of realloc() by unix.Malloc that need to be discussed.
Please review!

Diff Detail

Event Timeline

ayartsev updated this revision to Diff 21772.Mar 11 2015, 3:21 PM

ayartsev retitled this revision from to [analyzer] Implementation of potential undefbehavior.ZeroAllocDereference checker..

ayartsev updated this object.

ayartsev edited the test plan for this revision. (Show Details)

ayartsev added a reviewer: zaks.anna.

ayartsev added subscribers: jordan_rose, krememek, Unknown Object (MLST).

**As a rule of thumb, checkers should be stateless.

http://clang-analyzer.llvm.org/checker_dev_manual.html

When you introduce mutable members you are most likely making a mistake. The state should track properties of symbols; specifically to check with symbol corresponds to a '0' allocation.

The specific example that might break with your patch (depending on the order in which the states are being explored) is something along these lines:
if (b)

s= 10;

else

s = 0;

p = malloc(s);
if (b)
*p = 1;

When the checker explores "malloc(s)" along the "s=0" path, the expression will be added to the set. If "*p = 1" along the "s=10" path is explored later on, we are going to produce a false positive.

Please, provide better testing so the cases like this one are exposed.

Aaa, I see, thank you!

Updated the patch, made the checker stateless, please review!

zaks.anna added inline comments.Mar 20 2015, 6:38 PM

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
67–68	I think you could just fold it into the Kind, by adding AllocatedOfSizeZero or do we think that Relinquished or Escaped should be treated differently if they were zero allocated..?
850	"ProcessZeroAllocation" ? We are not checking anything here.
895	It should not be possible to have non allocated symbol here.. Is it? Maybe we should assert?
1860	I's call this "Use of zero allocated" or "Zero allocation"
2311	this seems unrelated to the patch. Can it be submitted separately with a testcase that it is trying to address?

Thanks for review!

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
67–68	Implemented with a new AllocatedOfSizeZero kind. Theoretically Relinquished may be treated differently if we would like to track usage of zero-allocated memory after relinquish but there are no cases yet.
850	Fixed!
895	Agree, done!
1860	Done!
2311	Cleaned.

New patch with comments addressed, please review!

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
895	Pardon, currently zero-allocated realloc do not attach a RefState so it is still early to assert for now.

Ping!

Hi Anton,

Have you tested the patch on anything but the regression tests? If yes,
what are the results? Did this catch any issues? Are there any false
positives? Since this will be a turned on by default new warning, I'd like
make sure we test on real code before committing.

Other than testing, this looks good to me. Thank you!
Anna.

Yes, please, commit!

Thank you,
Anna.

Committed as r234889.

ayartsev accepted this revision.Aug 25 2015, 2:30 PM

ayartsev added a reviewer: ayartsev.

This revision is now accepted and ready to land.Aug 25 2015, 2:30 PM

ayartsev closed this revision.Aug 25 2015, 2:30 PM

ayartsev mentioned this in D9040: [analyzer] Make realloc(ptr, 0) handling equivalent to malloc(0)..Aug 25 2015, 3:13 PM

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Checkers/

	MallocChecker.cpp
	MallocChecker.cpp (revision 232641)

164 lines

test/

Analysis/

	Malloc+MismatchedDeallocator_intersections.cpp
	Malloc+MismatchedDeallocator_intersections.cpp (revision 232641)

13 lines

	NewDelete-checker-test.cpp
	NewDelete-checker-test.cpp (revision 232641)

24 lines

	NewDelete-intersections.mm
	NewDelete-intersections.mm (revision 232641)

5 lines

	malloc.c
	malloc.c (revision 232641)

74 lines

Diff 22411

lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 Lines • Show All 44 Lines • ▼ Show 20 Lines	enum AllocationFamily {
AF_CXXNewArray,		AF_CXXNewArray,
AF_IfNameIndex,		AF_IfNameIndex,
AF_Alloca		AF_Alloca
};		};

class RefState {		class RefState {
enum Kind { // Reference to allocated memory.		enum Kind { // Reference to allocated memory.
Allocated,		Allocated,
		// Reference to zero-allocated memory.
		AllocatedOfSizeZero,
// Reference to released/freed memory.		// Reference to released/freed memory.
Released,		Released,
// The responsibility for freeing resources has transferred from		// The responsibility for freeing resources has transferred from
// this reference. A relinquished symbol should not be freed.		// this reference. A relinquished symbol should not be freed.
Relinquished,		Relinquished,
// We are no longer guaranteed to have observed all manipulations		// We are no longer guaranteed to have observed all manipulations
// of this pointer/memory. For example, it could have been		// of this pointer/memory. For example, it could have been
// passed as a parameter to an opaque function.		// passed as a parameter to an opaque function.
Escaped		Escaped
};		};

const Stmt *S;		const Stmt *S;
unsigned K : 2; // Kind enum, but stored as a bitfield.		unsigned K : 3; // Kind enum, but stored as a bitfield.
unsigned Family : 30; // Rest of 32-bit word, currently just an allocation		unsigned Family : 29; // Rest of 32-bit word, currently just an allocation
		zaks.annaUnsubmitted Not Done Reply Inline Actions I think you could just fold it into the Kind, by adding AllocatedOfSizeZero or do we think that Relinquished or Escaped should be treated differently if they were zero allocated..? zaks.anna: I think you could just fold it into the Kind, by adding AllocatedOfSizeZero or do we think that…
		ayartsevAuthorUnsubmitted Not Done Reply Inline Actions Implemented with a new AllocatedOfSizeZero kind. Theoretically Relinquished may be treated differently if we would like to track usage of zero-allocated memory after relinquish but there are no cases yet. ayartsev: Implemented with a new AllocatedOfSizeZero kind. Theoretically Relinquished may be treated…
// family.		// family.

RefState(Kind k, const Stmt *s, unsigned family)		RefState(Kind k, const Stmt *s, unsigned family)
: S(s), K(k), Family(family) {		: S(s), K(k), Family(family) {
assert(family != AF_None);		assert(family != AF_None);
}		}
public:		public:
bool isAllocated() const { return K == Allocated; }		bool isAllocated() const { return K == Allocated; }
		bool isAllocatedOfSizeZero() const { return K == AllocatedOfSizeZero; }
bool isReleased() const { return K == Released; }		bool isReleased() const { return K == Released; }
bool isRelinquished() const { return K == Relinquished; }		bool isRelinquished() const { return K == Relinquished; }
bool isEscaped() const { return K == Escaped; }		bool isEscaped() const { return K == Escaped; }
AllocationFamily getAllocationFamily() const {		AllocationFamily getAllocationFamily() const {
return (AllocationFamily)Family;		return (AllocationFamily)Family;
}		}
const Stmt *getStmt() const { return S; }		const Stmt *getStmt() const { return S; }

bool operator==(const RefState &X) const {		bool operator==(const RefState &X) const {
return K == X.K && S == X.S && Family == X.Family;		return K == X.K && S == X.S && Family == X.Family;
}		}

static RefState getAllocated(unsigned family, const Stmt *s) {		static RefState getAllocated(unsigned family, const Stmt *s) {
return RefState(Allocated, s, family);		return RefState(Allocated, s, family);
}		}
		static RefState getAllocatedOfSizeZero(const RefState *RS) {
		return RefState(AllocatedOfSizeZero, RS->getStmt(),
		RS->getAllocationFamily());
		}
static RefState getReleased(unsigned family, const Stmt *s) {		static RefState getReleased(unsigned family, const Stmt *s) {
return RefState(Released, s, family);		return RefState(Released, s, family);
}		}
static RefState getRelinquished(unsigned family, const Stmt *s) {		static RefState getRelinquished(unsigned family, const Stmt *s) {
return RefState(Relinquished, s, family);		return RefState(Relinquished, s, family);
}		}
static RefState getEscaped(const RefState *RS) {		static RefState getEscaped(const RefState *RS) {
return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());		return RefState(Escaped, RS->getStmt(), RS->getAllocationFamily());
}		}

void Profile(llvm::FoldingSetNodeID &ID) const {		void Profile(llvm::FoldingSetNodeID &ID) const {
ID.AddInteger(K);		ID.AddInteger(K);
ID.AddPointer(S);		ID.AddPointer(S);
ID.AddInteger(Family);		ID.AddInteger(Family);
}		}

void dump(raw_ostream &OS) const {		void dump(raw_ostream &OS) const {
switch (static_cast<Kind>(K)) {		switch (static_cast<Kind>(K)) {
#define CASE(ID) case ID: OS << #ID; break;		#define CASE(ID) case ID: OS << #ID; break;
CASE(Allocated)		CASE(Allocated)
		CASE(AllocatedOfSizeZero)
CASE(Released)		CASE(Released)
CASE(Relinquished)		CASE(Relinquished)
CASE(Escaped)		CASE(Escaped)
}		}
}		}

LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }		LLVM_DUMP_METHOD void dump() const { dump(llvm::errs()); }
};		};
▲ Show 20 Lines • Show All 99 Lines • ▼ Show 20 Lines	private:
mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_DoubleFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_DoubleDelete;		mutable std::unique_ptr<BugType> BT_DoubleDelete;
mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_Leak[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_UseFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_BadFree[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_FreeAlloca[CK_NumCheckKinds];
mutable std::unique_ptr<BugType> BT_MismatchedDealloc;		mutable std::unique_ptr<BugType> BT_MismatchedDealloc;
mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];		mutable std::unique_ptr<BugType> BT_OffsetFree[CK_NumCheckKinds];
		mutable std::unique_ptr<BugType> BT_UseZerroAllocated[CK_NumCheckKinds];
mutable IdentifierInfo II_alloca, II_malloc, II_free, II_realloc,		mutable IdentifierInfo II_alloca, II_malloc, II_free, II_realloc,
II_calloc, II_valloc, II_reallocf, II_strndup,		II_calloc, II_valloc, II_reallocf, II_strndup,
II_strdup, II_kmalloc, *II_if_nameindex,		II_strdup, II_kmalloc, *II_if_nameindex,
*II_if_freenameindex;		*II_if_freenameindex;
mutable Optional<uint64_t> KernelZeroFlagVal;		mutable Optional<uint64_t> KernelZeroFlagVal;

void initIdentifierInfo(ASTContext &C) const;		void initIdentifierInfo(ASTContext &C) const;

Show All 19 Lines	private:
/// pointed to by one of its arguments.		/// pointed to by one of its arguments.
bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const;		bool isMemFunction(const FunctionDecl *FD, ASTContext &C) const;
bool isCMemFunction(const FunctionDecl *FD,		bool isCMemFunction(const FunctionDecl *FD,
ASTContext &C,		ASTContext &C,
AllocationFamily Family,		AllocationFamily Family,
MemoryOperationKind MemKind) const;		MemoryOperationKind MemKind) const;
bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const;		bool isStandardNewDelete(const FunctionDecl *FD, ASTContext &C) const;
///@}		///@}

		/// \brief Perform a zero-allocation check.
		ProgramStateRef ProcessZeroAllocation(CheckerContext &C, const Expr *E,
		const unsigned AllocationSizeArg,
		ProgramStateRef State) const;

ProgramStateRef MallocMemReturnsAttr(CheckerContext &C,		ProgramStateRef MallocMemReturnsAttr(CheckerContext &C,
const CallExpr *CE,		const CallExpr *CE,
const OwnershipAttr* Att,		const OwnershipAttr* Att,
ProgramStateRef State) const;		ProgramStateRef State) const;
static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,		static ProgramStateRef MallocMemAux(CheckerContext &C, const CallExpr *CE,
const Expr *SizeEx, SVal Init,		const Expr *SizeEx, SVal Init,
ProgramStateRef State,		ProgramStateRef State,
AllocationFamily Family = AF_Malloc);		AllocationFamily Family = AF_Malloc);
Show All 34 Lines	private:
static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE,		static ProgramStateRef CallocMem(CheckerContext &C, const CallExpr *CE,
ProgramStateRef State);		ProgramStateRef State);

///\brief Check if the memory associated with this symbol was released.		///\brief Check if the memory associated with this symbol was released.
bool isReleased(SymbolRef Sym, CheckerContext &C) const;		bool isReleased(SymbolRef Sym, CheckerContext &C) const;

bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;		bool checkUseAfterFree(SymbolRef Sym, CheckerContext &C, const Stmt *S) const;

		void checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
		const Stmt *S) const;

bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;		bool checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const;

/// Check if the function is known free memory, or if it is		/// Check if the function is known free memory, or if it is
/// "interesting" and should be modeled explicitly.		/// "interesting" and should be modeled explicitly.
///		///
/// \param [out] EscapingSymbol A function might not free memory in general,		/// \param [out] EscapingSymbol A function might not free memory in general,
/// but could be known to free a particular symbol. In this case, false is		/// but could be known to free a particular symbol. In this case, false is
/// returned and the single escaping symbol is returned through the out		/// returned and the single escaping symbol is returned through the out
Show All 38 Lines	void ReportOffsetFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
const Expr *AllocExpr = nullptr) const;		const Expr *AllocExpr = nullptr) const;
void ReportUseAfterFree(CheckerContext &C, SourceRange Range,		void ReportUseAfterFree(CheckerContext &C, SourceRange Range,
SymbolRef Sym) const;		SymbolRef Sym) const;
void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released,		void ReportDoubleFree(CheckerContext &C, SourceRange Range, bool Released,
SymbolRef Sym, SymbolRef PrevSym) const;		SymbolRef Sym, SymbolRef PrevSym) const;

void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const;		void ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const;

		void ReportUseZeroAllocated(CheckerContext &C, SourceRange Range,
		SymbolRef Sym) const;

/// Find the location of the allocation for Sym on the path leading to the		/// Find the location of the allocation for Sym on the path leading to the
/// exploded node N.		/// exploded node N.
LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,		LeakInfo getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
CheckerContext &C) const;		CheckerContext &C) const;

void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;		void reportLeak(SymbolRef Sym, ExplodedNode *N, CheckerContext &C) const;

/// The bug visitor which allows us to print extra diagnostics along the		/// The bug visitor which allows us to print extra diagnostics along the
Show All 28 Lines	void Profile(llvm::FoldingSetNodeID &ID) const override {
ID.AddPointer(&X);		ID.AddPointer(&X);
ID.AddPointer(Sym);		ID.AddPointer(Sym);
}		}

inline bool isAllocated(const RefState S, const RefState SPrev,		inline bool isAllocated(const RefState S, const RefState SPrev,
const Stmt *Stmt) {		const Stmt *Stmt) {
// Did not track -> allocated. Other state (released) -> allocated.		// Did not track -> allocated. Other state (released) -> allocated.
return (Stmt && (isa<CallExpr>(Stmt) \|\| isa<CXXNewExpr>(Stmt)) &&		return (Stmt && (isa<CallExpr>(Stmt) \|\| isa<CXXNewExpr>(Stmt)) &&
(S && S->isAllocated()) && (!SPrev \|\| !SPrev->isAllocated()));		(S && (S->isAllocated() \|\| S->isAllocatedOfSizeZero())) &&
		(!SPrev \|\| !(SPrev->isAllocated() \|\|
		SPrev->isAllocatedOfSizeZero())));
}		}

inline bool isReleased(const RefState S, const RefState SPrev,		inline bool isReleased(const RefState S, const RefState SPrev,
const Stmt *Stmt) {		const Stmt *Stmt) {
// Did not track -> released. Other state (allocated) -> released.		// Did not track -> released. Other state (allocated) -> released.
return (Stmt && (isa<CallExpr>(Stmt) \|\| isa<CXXDeleteExpr>(Stmt)) &&		return (Stmt && (isa<CallExpr>(Stmt) \|\| isa<CXXDeleteExpr>(Stmt)) &&
(S && S->isReleased()) && (!SPrev \|\| !SPrev->isReleased()));		(S && S->isReleased()) && (!SPrev \|\| !SPrev->isReleased()));
}		}
Show All 9 Lines	public:

inline bool isReallocFailedCheck(const RefState S, const RefState SPrev,		inline bool isReallocFailedCheck(const RefState S, const RefState SPrev,
const Stmt *Stmt) {		const Stmt *Stmt) {
// If the expression is not a call, and the state change is		// If the expression is not a call, and the state change is
// released -> allocated, it must be the realloc return value		// released -> allocated, it must be the realloc return value
// check. If we have to handle more cases here, it might be cleaner just		// check. If we have to handle more cases here, it might be cleaner just
// to track this extra bit in the state itself.		// to track this extra bit in the state itself.
return ((!Stmt \|\| !isa<CallExpr>(Stmt)) &&		return ((!Stmt \|\| !isa<CallExpr>(Stmt)) &&
(S && S->isAllocated()) && (SPrev && !SPrev->isAllocated()));		(S && (S->isAllocated() \|\| S->isAllocatedOfSizeZero())) &&
		(SPrev && !(SPrev->isAllocated() \|\|
		SPrev->isAllocatedOfSizeZero())));
}		}

PathDiagnosticPiece VisitNode(const ExplodedNode N,		PathDiagnosticPiece VisitNode(const ExplodedNode N,
const ExplodedNode *PrevN,		const ExplodedNode *PrevN,
BugReporterContext &BRC,		BugReporterContext &BRC,
BugReport &BR) override;		BugReport &BR) override;

std::unique_ptr<PathDiagnosticPiece>		std::unique_ptr<PathDiagnosticPiece>
▲ Show 20 Lines • Show All 282 Lines • ▼ Show 20 Lines	if (FD->getKind() == Decl::Function) {
initIdentifierInfo(C.getASTContext());		initIdentifierInfo(C.getASTContext());
IdentifierInfo *FunI = FD->getIdentifier();		IdentifierInfo *FunI = FD->getIdentifier();

if (FunI == II_malloc) {		if (FunI == II_malloc) {
if (CE->getNumArgs() < 1)		if (CE->getNumArgs() < 1)
return;		return;
if (CE->getNumArgs() < 3) {		if (CE->getNumArgs() < 3) {
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);		State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
		if (CE->getNumArgs() == 1)
		State = ProcessZeroAllocation(C, CE, 0, State);
} else if (CE->getNumArgs() == 3) {		} else if (CE->getNumArgs() == 3) {
llvm::Optional<ProgramStateRef> MaybeState =		llvm::Optional<ProgramStateRef> MaybeState =
performKernelMalloc(CE, C, State);		performKernelMalloc(CE, C, State);
if (MaybeState.hasValue())		if (MaybeState.hasValue())
State = MaybeState.getValue();		State = MaybeState.getValue();
else		else
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);		State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
}		}
} else if (FunI == II_kmalloc) {		} else if (FunI == II_kmalloc) {
llvm::Optional<ProgramStateRef> MaybeState =		llvm::Optional<ProgramStateRef> MaybeState =
performKernelMalloc(CE, C, State);		performKernelMalloc(CE, C, State);
if (MaybeState.hasValue())		if (MaybeState.hasValue())
State = MaybeState.getValue();		State = MaybeState.getValue();
else		else
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);		State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
} else if (FunI == II_valloc) {		} else if (FunI == II_valloc) {
if (CE->getNumArgs() < 1)		if (CE->getNumArgs() < 1)
return;		return;
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);		State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State);
		State = ProcessZeroAllocation(C, CE, 0, State);
} else if (FunI == II_realloc) {		} else if (FunI == II_realloc) {
State = ReallocMem(C, CE, false, State);		State = ReallocMem(C, CE, false, State);
		State = ProcessZeroAllocation(C, CE, 1, State);
} else if (FunI == II_reallocf) {		} else if (FunI == II_reallocf) {
State = ReallocMem(C, CE, true, State);		State = ReallocMem(C, CE, true, State);
		State = ProcessZeroAllocation(C, CE, 1, State);
} else if (FunI == II_calloc) {		} else if (FunI == II_calloc) {
State = CallocMem(C, CE, State);		State = CallocMem(C, CE, State);
		State = ProcessZeroAllocation(C, CE, 0, State);
		State = ProcessZeroAllocation(C, CE, 1, State);
} else if (FunI == II_free) {		} else if (FunI == II_free) {
State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);		State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
} else if (FunI == II_strdup) {		} else if (FunI == II_strdup) {
State = MallocUpdateRefState(C, CE, State);		State = MallocUpdateRefState(C, CE, State);
} else if (FunI == II_strndup) {		} else if (FunI == II_strndup) {
State = MallocUpdateRefState(C, CE, State);		State = MallocUpdateRefState(C, CE, State);
} else if (FunI == II_alloca) {		} else if (FunI == II_alloca) {
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,		State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_Alloca);		AF_Alloca);
		State = ProcessZeroAllocation(C, CE, 0, State);
} else if (isStandardNewDelete(FD, C.getASTContext())) {		} else if (isStandardNewDelete(FD, C.getASTContext())) {
// Process direct calls to operator new/new[]/delete/delete[] functions		// Process direct calls to operator new/new[]/delete/delete[] functions
// as distinct from new/new[]/delete/delete[] expressions that are		// as distinct from new/new[]/delete/delete[] expressions that are
// processed by the checkPostStmt callbacks for CXXNewExpr and		// processed by the checkPostStmt callbacks for CXXNewExpr and
// CXXDeleteExpr.		// CXXDeleteExpr.
OverloadedOperatorKind K = FD->getOverloadedOperator();		OverloadedOperatorKind K = FD->getOverloadedOperator();
if (K == OO_New)		if (K == OO_New) {
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,		State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_CXXNew);		AF_CXXNew);
else if (K == OO_Array_New)		State = ProcessZeroAllocation(C, CE, 0, State);
		}
		else if (K == OO_Array_New) {
State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,		State = MallocMemAux(C, CE, CE->getArg(0), UndefinedVal(), State,
AF_CXXNewArray);		AF_CXXNewArray);
		State = ProcessZeroAllocation(C, CE, 0, State);
		}
else if (K == OO_Delete \|\| K == OO_Array_Delete)		else if (K == OO_Delete \|\| K == OO_Array_Delete)
State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);		State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
else		else
llvm_unreachable("not a new/delete operator");		llvm_unreachable("not a new/delete operator");
} else if (FunI == II_if_nameindex) {		} else if (FunI == II_if_nameindex) {
// Should we model this differently? We can allocate a fixed number of		// Should we model this differently? We can allocate a fixed number of
// elements with zeros in the last one.		// elements with zeros in the last one.
State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State,		State = MallocMemAux(C, CE, UnknownVal(), UnknownVal(), State,
Show All 17 Lines	if (FD->hasAttrs())
State = FreeMemAttr(C, CE, I, State);		State = FreeMemAttr(C, CE, I, State);
break;		break;
}		}
}		}
}		}
C.addTransition(State);		C.addTransition(State);
}		}

		// Performs a 0-sized allocations check.
		ProgramStateRef MallocChecker::ProcessZeroAllocation(CheckerContext &C,
		zaks.annaUnsubmitted Not Done Reply Inline Actions "ProcessZeroAllocation" ? We are not checking anything here. zaks.anna: "ProcessZeroAllocation" ? We are not checking anything here.
		ayartsevAuthorUnsubmitted Not Done Reply Inline Actions Fixed! ayartsev: Fixed!
		const Expr *E,
		const unsigned AllocationSizeArg,
		ProgramStateRef State) const {
		if (!State)
		return nullptr;

		const Expr *Arg = nullptr;

		if (const CallExpr *CE = dyn_cast<CallExpr>(E)) {
		Arg = CE->getArg(AllocationSizeArg);
		}
		else if (const CXXNewExpr *NE = dyn_cast<CXXNewExpr>(E)) {
		if (NE->isArray())
		Arg = NE->getArraySize();
		else
		return State;
		}
		else
		llvm_unreachable("not a CallExpr or CXXNewExpr");

		assert(Arg);

		Optional<DefinedSVal> DefArgVal =
		State->getSVal(Arg, C.getLocationContext()).getAs<DefinedSVal>();

		if (!DefArgVal)
		return State;

		// Check if the allocation size is 0.
		ProgramStateRef TrueState, FalseState;
		SValBuilder &SvalBuilder = C.getSValBuilder();
		DefinedSVal Zero =
		SvalBuilder.makeZeroVal(Arg->getType()).castAs<DefinedSVal>();

		std::tie(TrueState, FalseState) =
		State->assume(SvalBuilder.evalEQ(State, *DefArgVal, Zero));

		if (TrueState && !FalseState) {
		SVal retVal = State->getSVal(E, C.getLocationContext());
		SymbolRef Sym = retVal.getAsLocSymbol();
		if (!Sym)
		return State;

		const RefState *RS = State->get<RegionState>(Sym);
		assert(RS);
		zaks.annaUnsubmitted Not Done Reply Inline Actions It should not be possible to have non allocated symbol here.. Is it? Maybe we should assert? zaks.anna: It should not be possible to have non allocated symbol here.. Is it? Maybe we should assert?
		ayartsevAuthorUnsubmitted Not Done Reply Inline Actions Agree, done! ayartsev: Agree, done!
		ayartsevAuthorUnsubmitted Not Done Reply Inline Actions Pardon, currently zero-allocated realloc do not attach a RefState so it is still early to assert for now. ayartsev: Pardon, currently zero-allocated realloc do not attach a RefState so it is still early to…

		if (!RS->isAllocated())
		return State;

		return TrueState->set<RegionState>(Sym,
		RefState::getAllocatedOfSizeZero(RS));
		}

		// Assume the value is non-zero going forward.
		assert(FalseState);
		return FalseState;
		}

static QualType getDeepPointeeType(QualType T) {		static QualType getDeepPointeeType(QualType T) {
QualType Result = T, PointeeType = T->getPointeeType();		QualType Result = T, PointeeType = T->getPointeeType();
while (!PointeeType.isNull()) {		while (!PointeeType.isNull()) {
Result = PointeeType;		Result = PointeeType;
PointeeType = PointeeType->getPointeeType();		PointeeType = PointeeType->getPointeeType();
}		}
return Result;		return Result;
}		}
▲ Show 20 Lines • Show All 43 Lines • ▼ Show 20 Lines	void MallocChecker::checkPostStmt(const CXXNewExpr *NE,

ProgramStateRef State = C.getState();		ProgramStateRef State = C.getState();
// The return value from operator new is bound to a specified initialization		// The return value from operator new is bound to a specified initialization
// value (if any) and we don't want to loose this value. So we call		// value (if any) and we don't want to loose this value. So we call
// MallocUpdateRefState() instead of MallocMemAux() which breakes the		// MallocUpdateRefState() instead of MallocMemAux() which breakes the
// existing binding.		// existing binding.
State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray		State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray
: AF_CXXNew);		: AF_CXXNew);
		State = ProcessZeroAllocation(C, NE, 0, State);
C.addTransition(State);		C.addTransition(State);
}		}

void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,		void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,
CheckerContext &C) const {		CheckerContext &C) const {

if (!ChecksEnabled[CK_NewDeleteChecker])		if (!ChecksEnabled[CK_NewDeleteChecker])
if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())		if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
▲ Show 20 Lines • Show All 407 Lines • ▼ Show 20 Lines	if (RsBase) {
if ((RsBase->isReleased() \|\| RsBase->isRelinquished()) &&		if ((RsBase->isReleased() \|\| RsBase->isRelinquished()) &&
!didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {		!didPreviousFreeFail(State, SymBase, PreviousRetStatusSymbol)) {
ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),		ReportDoubleFree(C, ParentExpr->getSourceRange(), RsBase->isReleased(),
SymBase, PreviousRetStatusSymbol);		SymBase, PreviousRetStatusSymbol);
return nullptr;		return nullptr;

// If the pointer is allocated or escaped, but we are now trying to free it,		// If the pointer is allocated or escaped, but we are now trying to free it,
// check that the call to free is proper.		// check that the call to free is proper.
} else if (RsBase->isAllocated() \|\| RsBase->isEscaped()) {		} else if (RsBase->isAllocated() \|\| RsBase->isAllocatedOfSizeZero() \|\|
		RsBase->isEscaped()) {

// Check if an expected deallocation function matches the real one.		// Check if an expected deallocation function matches the real one.
bool DeallocMatchesAlloc =		bool DeallocMatchesAlloc =
RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr);		RsBase->getAllocationFamily() == getAllocationFamily(C, ParentExpr);
if (!DeallocMatchesAlloc) {		if (!DeallocMatchesAlloc) {
ReportMismatchedDealloc(C, ArgExpr->getSourceRange(),		ReportMismatchedDealloc(C, ArgExpr->getSourceRange(),
ParentExpr, RsBase, SymBase, Hold);		ParentExpr, RsBase, SymBase, Hold);
return nullptr;		return nullptr;
}		}

// Check if the memory location being freed is the actual location		// Check if the memory location being freed is the actual location
// allocated, or an offset.		// allocated, or an offset.
RegionOffset Offset = R->getAsOffset();		RegionOffset Offset = R->getAsOffset();
if (Offset.isValid() &&		if (Offset.isValid() &&
!Offset.hasSymbolicOffset() &&		!Offset.hasSymbolicOffset() &&
Offset.getOffset() != 0) {		Offset.getOffset() != 0) {
const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());		const Expr *AllocExpr = cast<Expr>(RsBase->getStmt());
ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,		ReportOffsetFree(C, ArgVal, ArgExpr->getSourceRange(), ParentExpr,
AllocExpr);		AllocExpr);
return nullptr;		return nullptr;
}		}
}		}
}		}

ReleasedAllocated = (RsBase != nullptr) && RsBase->isAllocated();		ReleasedAllocated = (RsBase != nullptr) && (RsBase->isAllocated() \|\|
		RsBase->isAllocatedOfSizeZero());

// Clean out the info on previous call to free return info.		// Clean out the info on previous call to free return info.
State = State->remove<FreeReturnValue>(SymBase);		State = State->remove<FreeReturnValue>(SymBase);

// Keep track of the return value. If it is NULL, we will know that free		// Keep track of the return value. If it is NULL, we will know that free
// failed.		// failed.
if (ReturnsNullOnFailure) {		if (ReturnsNullOnFailure) {
SVal RetVal = C.getSVal(ParentExpr);		SVal RetVal = C.getSVal(ParentExpr);
▲ Show 20 Lines • Show All 408 Lines • ▼ Show 20 Lines	BugReport R = new BugReport(BT_DoubleDelete,
"Attempt to delete released memory", N);		"Attempt to delete released memory", N);

R->markInteresting(Sym);		R->markInteresting(Sym);
R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));		R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
C.emitReport(R);		C.emitReport(R);
}		}
}		}

		void MallocChecker::ReportUseZeroAllocated(CheckerContext &C,
		SourceRange Range,
		SymbolRef Sym) const {

		if (!ChecksEnabled[CK_MallocChecker] &&
		!ChecksEnabled[CK_NewDeleteChecker])
		return;

		Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);

		if (!CheckKind.hasValue())
		return;

		if (ExplodedNode *N = C.generateSink()) {
		if (!BT_UseZerroAllocated[*CheckKind])
		BT_UseZerroAllocated[*CheckKind].reset(new BugType(
		CheckNames[*CheckKind], "Use of zero allocated", "Memory Error"));
		zaks.annaUnsubmitted Not Done Reply Inline Actions I's call this "Use of zero allocated" or "Zero allocation" zaks.anna: I's call this "Use of zero allocated" or "Zero allocation"
		ayartsevAuthorUnsubmitted Not Done Reply Inline Actions Done! ayartsev: Done!

		BugReport R = new BugReport(BT_UseZerroAllocated[*CheckKind],
		"Use of zero-allocated memory", N);

		R->addRange(Range);
		if (Sym) {
		R->markInteresting(Sym);
		R->addVisitor(llvm::make_unique<MallocBugVisitor>(Sym));
		}
		C.emitReport(R);
		}
		}

ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,		ProgramStateRef MallocChecker::ReallocMem(CheckerContext &C,
const CallExpr *CE,		const CallExpr *CE,
bool FreesOnFail,		bool FreesOnFail,
ProgramStateRef State) const {		ProgramStateRef State) const {
if (!State)		if (!State)
return nullptr;		return nullptr;

if (CE->getNumArgs() < 2)		if (CE->getNumArgs() < 2)
▲ Show 20 Lines • Show All 231 Lines • ▼ Show 20 Lines	void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,

ProgramStateRef state = C.getState();		ProgramStateRef state = C.getState();
RegionStateTy RS = state->get<RegionState>();		RegionStateTy RS = state->get<RegionState>();
RegionStateTy::Factory &F = state->get_context<RegionState>();		RegionStateTy::Factory &F = state->get_context<RegionState>();

SmallVector<SymbolRef, 2> Errors;		SmallVector<SymbolRef, 2> Errors;
for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {		for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
if (SymReaper.isDead(I->first)) {		if (SymReaper.isDead(I->first)) {
if (I->second.isAllocated())		if (I->second.isAllocated() \|\| I->second.isAllocatedOfSizeZero())
Errors.push_back(I->first);		Errors.push_back(I->first);
// Remove the dead symbol from the map.		// Remove the dead symbol from the map.
RS = F.remove(RS, I->first);		RS = F.remove(RS, I->first);

}		}
}		}

// Cleanup the Realloc Pairs Map.		// Cleanup the Realloc Pairs Map.
▲ Show 20 Lines • Show All 151 Lines • ▼ Show 20 Lines	bool MallocChecker::checkUseAfterFree(SymbolRef Sym, CheckerContext &C,
if (isReleased(Sym, C)) {		if (isReleased(Sym, C)) {
ReportUseAfterFree(C, S->getSourceRange(), Sym);		ReportUseAfterFree(C, S->getSourceRange(), Sym);
return true;		return true;
}		}

return false;		return false;
}		}

		void MallocChecker::checkUseZeroAllocated(SymbolRef Sym, CheckerContext &C,
		const Stmt *S) const {
		assert(Sym);
		const RefState *RS = C.getState()->get<RegionState>(Sym);

		if (RS && RS->isAllocatedOfSizeZero())
		ReportUseZeroAllocated(C, RS->getStmt()->getSourceRange(), Sym);
		}

bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {		bool MallocChecker::checkDoubleDelete(SymbolRef Sym, CheckerContext &C) const {

if (isReleased(Sym, C)) {		if (isReleased(Sym, C)) {
ReportDoubleDelete(C, Sym);		ReportDoubleDelete(C, Sym);
return true;		return true;
}		}
return false;		return false;
}		}

// Check if the location is a freed symbolic region.		// Check if the location is a freed symbolic region.
void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,		void MallocChecker::checkLocation(SVal l, bool isLoad, const Stmt *S,
CheckerContext &C) const {		CheckerContext &C) const {
SymbolRef Sym = l.getLocSymbolInBase();		SymbolRef Sym = l.getLocSymbolInBase();
if (Sym)		if (Sym) {
		zaks.annaUnsubmitted Not Done Reply Inline Actions this seems unrelated to the patch. Can it be submitted separately with a testcase that it is trying to address? zaks.anna: this seems unrelated to the patch. Can it be submitted separately with a testcase that it is…
		ayartsevAuthorUnsubmitted Not Done Reply Inline Actions Cleaned. ayartsev: Cleaned.
checkUseAfterFree(Sym, C, S);		checkUseAfterFree(Sym, C, S);
		checkUseZeroAllocated(Sym, C, S);
		}
}		}

// If a symbolic region is assumed to NULL (or another constant), stop tracking		// If a symbolic region is assumed to NULL (or another constant), stop tracking
// it - assuming that allocation failed on this path.		// it - assuming that allocation failed on this path.
ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,		ProgramStateRef MallocChecker::evalAssume(ProgramStateRef state,
SVal Cond,		SVal Cond,
bool Assumption) const {		bool Assumption) const {
RegionStateTy RS = state->get<RegionState>();		RegionStateTy RS = state->get<RegionState>();
▲ Show 20 Lines • Show All 227 Lines • ▼ Show 20 Lines	for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
E = Escaped.end();		E = Escaped.end();
I != E; ++I) {		I != E; ++I) {
SymbolRef sym = *I;		SymbolRef sym = *I;

if (EscapingSymbol && EscapingSymbol != sym)		if (EscapingSymbol && EscapingSymbol != sym)
continue;		continue;

if (const RefState *RS = State->get<RegionState>(sym)) {		if (const RefState *RS = State->get<RegionState>(sym)) {
if (RS->isAllocated() && CheckRefState(RS)) {		if ((RS->isAllocated() \|\| RS->isAllocatedOfSizeZero()) &&
		CheckRefState(RS)) {
State = State->remove<RegionState>(sym);		State = State->remove<RegionState>(sym);
State = State->set<RegionState>(sym, RefState::getEscaped(RS));		State = State->set<RegionState>(sym, RefState::getEscaped(RS));
}		}
}		}
}		}
return State;		return State;
}		}

▲ Show 20 Lines • Show All 154 Lines • Show Last 20 Lines

test/Analysis/Malloc+MismatchedDeallocator_intersections.cpp

Show All 18 Lines	void testNewDeleteNoWarn() {
int *p2 = new int;		int *p2 = new int;
delete p2;		delete p2;
delete p2; // no-warning		delete p2; // no-warning

int *p3 = new int; // no-warning		int *p3 = new int; // no-warning

int *p4 = new int;		int *p4 = new int;
delete p4;		delete p4;
int j = *p4; // no-warning		int j = *p4; // no-warning
}		}

		void testUseZeroAllocNoWarn() {
		int p1 = (int )operator new(0);
		*p1 = 1; // no-warning

		int p2 = (int )operator new[](0);
		p2[0] = 1; // no-warning

		int *p3 = new int[0];
		p3[0] = 1; // no-warning
		}

test/Analysis/NewDelete-checker-test.cpp

Show First 20 Lines • Show All 81 Lines • ▼ Show 20 Lines	struct PtrWrapper {
PtrWrapper(int *input) : x(input) {}		PtrWrapper(int *input) : x(input) {}
};		};

void testNewInvalidationPlacement(PtrWrapper *w) {		void testNewInvalidationPlacement(PtrWrapper *w) {
// Ensure that we don't consider this a leak.		// Ensure that we don't consider this a leak.
new (w) PtrWrapper(new int); // no warn		new (w) PtrWrapper(new int); // no warn
}		}

		//-----------------------------------------
		// check for usage of zero-allocated memory
		//-----------------------------------------

		void testUseZeroAlloc1() {
		int p = (int )operator new(0);
		*p = 1; // expected-warning {{Use of zero-allocated memory}}
		delete p;
		}

		int testUseZeroAlloc2() {
		int p = (int )operator new[](0);
		return p[0]; // expected-warning {{Use of zero-allocated memory}}
		delete[] p;
		}

		void f(int);

		void testUseZeroAlloc3() {
		int *p = new int[0];
		f(*p); // expected-warning {{Use of zero-allocated memory}}
		delete[] p;
		}

//---------------		//---------------
// other checks		// other checks
//---------------		//---------------

class SomeClass {		class SomeClass {
public:		public:
void f(int *p);		void f(int *p);
};		};
▲ Show 20 Lines • Show All 258 Lines • Show Last 20 Lines

test/Analysis/NewDelete-intersections.mm

	Show All 37 Lines
	void testDeleteMalloced() {			void testDeleteMalloced() {
	int p1 = (int )malloc(sizeof(int));			int p1 = (int )malloc(sizeof(int));
	delete p1; // no warn			delete p1; // no warn

	int p2 = (int )__builtin_alloca(sizeof(int));			int p2 = (int )__builtin_alloca(sizeof(int));
	delete p2; // no warn			delete p2; // no warn
	}			}

				void testUseZeroAllocatedMalloced() {
				int p1 = (int )malloc(0);
				*p1 = 1; // no warn
				}

	//----- Test free standard new			//----- Test free standard new
	void testFreeOpNew() {			void testFreeOpNew() {
	void *p = operator new(0);			void *p = operator new(0);
	free(p);			free(p);
	}			}
	#ifdef LEAKS			#ifdef LEAKS
	// expected-warning@-2 {{Potential leak of memory pointed to by 'p'}}			// expected-warning@-2 {{Potential leak of memory pointed to by 'p'}}
	#endif			#endif
	Show All 28 Lines

test/Analysis/malloc.c

Show First 20 Lines • Show All 194 Lines • ▼ Show 20 Lines	void reallocfRadar6337483_3() {
buf = tmp;		buf = tmp;
free(buf);		free(buf);
}		}

void reallocfPtrZero1() {		void reallocfPtrZero1() {
char *r = reallocf(0, 12);		char *r = reallocf(0, 12);
} // expected-warning {{Potential leak of memory pointed to by}}		} // expected-warning {{Potential leak of memory pointed to by}}

		//------------------- Check usage of zero-allocated memory ---------------------
		void CheckUseZeroAllocatedNoWarn1() {
		int *p = malloc(0);
		free(p); // no warning
		}

		void CheckUseZeroAllocatedNoWarn2() {
		int *p = alloca(0); // no warning
		}

		void CheckUseZeroAllocated1() {
		int *p = malloc(0);
		*p = 1; // expected-warning {{Use of zero-allocated memory}}
		free(p);
		}

		char CheckUseZeroAllocated2() {
		char *p = alloca(0);
		return *p; // expected-warning {{Use of zero-allocated memory}}
		}

		void UseZeroAllocated(int *p) {
		if (p)
		*p = 7; // expected-warning {{Use of zero-allocated memory}}
		}
		void CheckUseZeroAllocated3() {
		int *p = malloc(0);
		UseZeroAllocated(p);
		}

		void f(char);
		void CheckUseZeroAllocated4() {
		char *p = valloc(0);
		f(*p); // expected-warning {{Use of zero-allocated memory}}
		free(p);
		}

		void CheckUseZeroAllocated5() {
		int *p = calloc(0, 2);
		*p = 1; // expected-warning {{Use of zero-allocated memory}}
		free(p);
		}

		void CheckUseZeroAllocated6() {
		int *p = calloc(2, 0);
		*p = 1; // expected-warning {{Use of zero-allocated memory}}
		free(p);
		}

		void CheckUseZeroAllocatedPathNoWarn(_Bool b) {
		int s = 0;
		if (b)
		s= 10;

		char *p = malloc(s);

		if (b)
		*p = 1; // no warning

		free(p);
		}

		void CheckUseZeroAllocatedPathWarn(_Bool b) {
		int s = 10;
		if (b)
		s= 0;

		char *p = malloc(s);

		if (b)
		*p = 1; // expected-warning {{Use of zero-allocated memory}}

		free(p);
		}

// This case tests that storing malloc'ed memory to a static variable which is		// This case tests that storing malloc'ed memory to a static variable which is
// then returned is not leaked. In the absence of known contracts for functions		// then returned is not leaked. In the absence of known contracts for functions
// or inter-procedural analysis, this is a conservative answer.		// or inter-procedural analysis, this is a conservative answer.
int *f3() {		int *f3() {
static int *p = 0;		static int *p = 0;
p = malloc(12);		p = malloc(12);
return p; // no-warning		return p; // no-warning
▲ Show 20 Lines • Show All 1,332 Lines • Show Last 20 Lines