This is an archive of the discontinued LLVM Phabricator instance.

Differential D82845

[Analyzer][StreamChecker] Report every leak, clean up state.
ClosedPublic

Authored by balazske on Jun 30 2020, 12:24 AM.

Details

Reviewers
Szelethus
baloghadamsoftware
NoQ
Commits
rG9b7c43d341da: [Analyzer][StreamChecker] Report every leak, clean up state.
Summary

Report resource leaks with non-fatal error.
Report every resource leak.
Stream state is cleaned up at checkDeadSymbols.

Diff Detail

Unit TestsFailed

TimeTest
820 mslinux > SanitizerCommon-asan-x86_64-Linux.Linux::Unknown Unit Message ("")
550 mslinux > SanitizerCommon-lsan-x86_64-Linux.Linux::Unknown Unit Message ("")
680 mslinux > SanitizerCommon-msan-x86_64-Linux.Linux::Unknown Unit Message ("")
920 mslinux > SanitizerCommon-tsan-x86_64-Linux.Linux::Unknown Unit Message ("")
570 mslinux > SanitizerCommon-ubsan-x86_64-Linux.Linux::Unknown Unit Message ("")
View Full Test Results (7 Failed)

Event Timeline

balazske created this revision.Jun 30 2020, 12:24 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJun 30 2020, 12:24 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: cfe-commits, ASDenysPetrov, martong and 10 others. · View Herald Transcript
balazske added a comment.Jun 30 2020, 12:26 AM

Why does this not work?
I get only warning for the first resource leak (in the test f_leak_2). How to fix this?

balazske added reviewers: baloghadamsoftware, NoQ.Jun 30 2020, 12:27 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptJun 30 2020, 12:27 AM
Harbormaster failed remote builds in B62282: Diff 274348!Jun 30 2020, 2:08 AM
Szelethus added a comment.Jun 30 2020, 3:07 AM
In D82845#2121940, @balazske wrote:

Why does this not work?
I get only warning for the first resource leak (in the test f_leak_2). How to fix this?

First off, are two errors detected by the checker? You could check this with debug.ViewExplodedGraph + clang/tools/analyzer/exploded-graph-rewriter.py.

I do suspect though that this is a uniqueing issue. Just out of curiosity, what would happen is you dump the leaked stream symbol into the warning message? (or whatever, just so that two distinct warning messages are emitted)

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
969

It is a realistic worry that either the predecessor exploded node or the CFGBlock is null? Could we assert this instead?

971

Ah, I see, we made it fatal accidentally.

balazske added a comment.Jun 30 2020, 8:26 AM

I checked it with simple debug print, the LeakedSyms will contain 2 items with different StreamOpenNode. So I think these should be independent problem reports for the bug reporter.

balazske marked an inline comment as done.Jun 30 2020, 9:02 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
969

It may be simply more safe to check for it. I do not know if exactly if these can be null at this place.

Szelethus added a comment.Jun 30 2020, 9:18 AM
In D82845#2122984, @balazske wrote:

I checked it with simple debug print, the LeakedSyms will contain 2 items with different StreamOpenNode. So I think these should be independent problem reports for the bug reporter.

It would still be beneficial to check the exploded graph to see whether it was constructed correctly, find the error nodes, etc. Have you tried modifying the warning message? That is considered during uniquing.

baloghadamsoftware added a comment.Jun 30 2020, 9:55 AM
In D82845#2122984, @balazske wrote:

I checked it with simple debug print, the LeakedSyms will contain 2 items with different StreamOpenNode. So I think these should be independent problem reports for the bug reporter.

I wonder whether you can report two bugs on the same error node.

Szelethus added a comment.Jun 30 2020, 10:19 AM
In D82845#2123283, @baloghadamsoftware wrote:
In D82845#2122984, @balazske wrote:

I checked it with simple debug print, the LeakedSyms will contain 2 items with different StreamOpenNode. So I think these should be independent problem reports for the bug reporter.

I wonder whether you can report two bugs on the same error node.

I recall that i did something similar in UninitializedObjectChecker when the option NotesAsWarnings is true.

balazske added a comment.Jul 1 2020, 9:03 AM

The problem is that PathDiagnostic::Profile does not use the uniqueing locations. Two PathDiagnostic objects with different uniqueing location but otherwise same data are counted as "same" and only one is kept (BugReporter::FlushReport). How to fix this?

  • Add uniqueing locations to the profile. May have unexpected effects to other checkers.
  • Change something in the leak bug reports to make these different. Probably the location can be set to the allocation site (but the full path should be reported). Or include name of the leaked symbol in the report, but it may not exists always.
NoQ added inline comments.Jul 1 2020, 2:41 PM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
969

Please use SuppressOnSink instead.

balazske marked an inline comment as done.Jul 2 2020, 12:10 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
969

That was my plan for the next patch. So I want to leave this as is for now (add a FIXME), it should be removed anyway.

balazske added a parent revision: D83115: [Analyzer] Report every bug if only uniqueing location differs..Jul 2 2020, 11:58 PM
balazske updated this revision to Diff 275311.Jul 3 2020, 12:38 AM

Rebase, added a FIXME

balazske added a child revision: D83120: [Analyzer][StreamChecker] Use BugType::SuppressOnSink at resource leak report..Jul 3 2020, 1:51 AM
Harbormaster failed remote builds in B62808: Diff 275311!Jul 3 2020, 2:40 AM
Szelethus accepted this revision.Jul 10 2020, 4:17 AM

I'd prefer if you moved f_leak_2 to stream-notes.c. Otherwise, LGTM.

clang/test/Analysis/stream.c
147–150 ↗(On Diff #275311)

I'd prefer to see notes from D81407 here.

This revision is now accepted and ready to land.Jul 10 2020, 4:17 AM
balazske updated this revision to Diff 278755.Jul 17 2020, 6:34 AM

Checking notes in test f_leak_2.

Harbormaster failed remote builds in B64675: Diff 278755!Jul 17 2020, 7:16 AM
balazske updated this revision to Diff 279131.Jul 19 2020, 11:50 PM

Fixed formatting.

balazske updated this revision to Diff 279133.Jul 20 2020, 12:03 AM

Rebase to master.

Harbormaster failed remote builds in B64870: Diff 279133!Jul 20 2020, 12:33 AM
Harbormaster failed remote builds in B64868: Diff 279131!
Closed by commit rG9b7c43d341da: [Analyzer][StreamChecker] Report every leak, clean up state. (authored by balazske). · Explain WhyJul 20 2020, 2:46 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
70 lines
test/
Analysis/
31 lines

Diff 278755

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

Show First 20 LinesShow All 331 Lines▼ Show 20 Lines ProgramStateRef ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C,
ProgramStateRef State) const; ProgramStateRef State) const;
/// Generate warning about stream in EOF state. /// Generate warning about stream in EOF state.
/// There will be always a state transition into the passed State, /// There will be always a state transition into the passed State,
/// by the new non-fatal error node or (if failed) a normal transition, /// by the new non-fatal error node or (if failed) a normal transition,
/// to ensure uniform handling. /// to ensure uniform handling.
void reportFEofWarning(CheckerContext &C, ProgramStateRef State) const; void reportFEofWarning(CheckerContext &C, ProgramStateRef State) const;
/// Emit resource leak warnings for the given symbols.
/// Createn a non-fatal error node for these, and returns it (if any warnings
/// were generated). Return value is non-null.
ExplodedNode *reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms,
CheckerContext &C, ExplodedNode *Pred) const;
/// Find the description data of the function called by a call event. /// Find the description data of the function called by a call event.
/// Returns nullptr if no function is recognized. /// Returns nullptr if no function is recognized.
const FnDescription *lookupFn(const CallEvent &Call) const { const FnDescription *lookupFn(const CallEvent &Call) const {
// Recognize "global C functions" with only integral or pointer arguments // Recognize "global C functions" with only integral or pointer arguments
// (and matching name) as stream functions. // (and matching name) as stream functions.
if (!Call.isGlobalCFunction()) if (!Call.isGlobalCFunction())
return nullptr; return nullptr;
for (auto P : Call.parameters()) { for (auto P : Call.parameters()) {
▲ Show 20 LinesShow All 603 Lines▼ Show 20 Lines C.emitReport(std::make_unique<PathSensitiveBugReport>(
"Read function called when stream is in EOF state. " "Read function called when stream is in EOF state. "
"Function has no effect.", "Function has no effect.",
N)); N));
return; return;
} }
C.addTransition(State); C.addTransition(State);
} }
void StreamChecker::checkDeadSymbols(SymbolReaper &SymReaper, ExplodedNode *
CheckerContext &C) const { StreamChecker::reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms,
ProgramStateRef State = C.getState(); CheckerContext &C, ExplodedNode *Pred) const {
// TODO: Clean up the state.
const StreamMapTy &Map = State->get<StreamMap>();
for (const auto &I : Map) {
SymbolRef Sym = I.first;
const StreamState &SS = I.second;
if (!SymReaper.isDead(Sym) || !SS.isOpened())
continue;
ExplodedNode *N = C.generateErrorNode();
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Ah, I see, we made it fatal accidentally.

Szelethus: Ah, I see, we made it fatal accidentally.
if (!N)
continue;
// Do not warn for non-closed stream at program exit. // Do not warn for non-closed stream at program exit.
ExplodedNode *Pred = C.getPredecessor(); // FIXME: Use BugType::SuppressOnSink instead.
SzelethusUnsubmitted
Not Done
ReplyInline Actions

It is a realistic worry that either the predecessor exploded node or the CFGBlock is null? Could we assert this instead?

Szelethus: It is a realistic worry that either the predecessor exploded node or the CFGBlock is null?
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

It may be simply more safe to check for it. I do not know if exactly if these can be null at this place.

balazske: It may be simply more safe to check for it. I do not know if exactly if these can be null at…
NoQUnsubmitted
Not Done
ReplyInline Actions

Please use SuppressOnSink instead.

NoQ: Please use `SuppressOnSink` instead.
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

That was my plan for the next patch. So I want to leave this as is for now (add a FIXME), it should be removed anyway.

balazske: That was my plan for the next patch. So I want to leave this as is for now (add a FIXME), it…
if (Pred && Pred->getCFGBlock() && if (Pred && Pred->getCFGBlock() && Pred->getCFGBlock()->hasNoReturnElement())
Pred->getCFGBlock()->hasNoReturnElement()) return Pred;
continue;
ExplodedNode *Err = C.generateNonFatalErrorNode(C.getState(), Pred);
if (!Err)
return Pred;
for (SymbolRef LeakSym : LeakedSyms) {
// Resource leaks can result in multiple warning that describe the same kind // Resource leaks can result in multiple warning that describe the same kind
// of programming error: // of programming error:
// void f() { // void f() {
// FILE *F = fopen("a.txt"); // FILE *F = fopen("a.txt");
// if (rand()) // state split // if (rand()) // state split
// return; // warning // return; // warning
// } // warning // } // warning
// While this isn't necessarily true (leaking the same stream could result // While this isn't necessarily true (leaking the same stream could result
// from a different kinds of errors), the reduction in redundant reports // from a different kinds of errors), the reduction in redundant reports
// makes this a worthwhile heuristic. // makes this a worthwhile heuristic.
// FIXME: Add a checker option to turn this uniqueing feature off. // FIXME: Add a checker option to turn this uniqueing feature off.
const ExplodedNode *StreamOpenNode = getAcquisitionSite(Err, LeakSym, C);
const ExplodedNode *StreamOpenNode = getAcquisitionSite(N, Sym, C);
assert(StreamOpenNode && "Could not find place of stream opening."); assert(StreamOpenNode && "Could not find place of stream opening.");
PathDiagnosticLocation LocUsedForUniqueing = PathDiagnosticLocation LocUsedForUniqueing =
PathDiagnosticLocation::createBegin( PathDiagnosticLocation::createBegin(
StreamOpenNode->getStmtForDiagnostics(), C.getSourceManager(), StreamOpenNode->getStmtForDiagnostics(), C.getSourceManager(),
StreamOpenNode->getLocationContext()); StreamOpenNode->getLocationContext());
std::unique_ptr<PathSensitiveBugReport> R = std::unique_ptr<PathSensitiveBugReport> R =
std::make_unique<PathSensitiveBugReport>( std::make_unique<PathSensitiveBugReport>(
BT_ResourceLeak, BT_ResourceLeak,
"Opened stream never closed. Potential resource leak.", N, "Opened stream never closed. Potential resource leak.", Err,
LocUsedForUniqueing, LocUsedForUniqueing,
StreamOpenNode->getLocationContext()->getDecl()); StreamOpenNode->getLocationContext()->getDecl());
R->markInteresting(Sym); R->markInteresting(LeakSym);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
return Err;
}
void StreamChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
llvm::SmallVector<SymbolRef, 2> LeakedSyms;
const StreamMapTy &Map = State->get<StreamMap>();
for (const auto &I : Map) {
SymbolRef Sym = I.first;
const StreamState &SS = I.second;
if (!SymReaper.isDead(Sym))
continue;
if (SS.isOpened())
LeakedSyms.push_back(Sym);
State = State->remove<StreamMap>(Sym);
}
ExplodedNode *N = C.getPredecessor();
if (!LeakedSyms.empty())
N = reportLeaks(LeakedSyms, C, N);
C.addTransition(State, N);
} }
ProgramStateRef StreamChecker::checkPointerEscape( ProgramStateRef StreamChecker::checkPointerEscape(
ProgramStateRef State, const InvalidatedSymbols &Escaped, ProgramStateRef State, const InvalidatedSymbols &Escaped,
const CallEvent *Call, PointerEscapeKind Kind) const { const CallEvent *Call, PointerEscapeKind Kind) const {
// Check for file-handling system call that is not handled by the checker. // Check for file-handling system call that is not handled by the checker.
// FIXME: The checker should be updated to handle all system calls that take // FIXME: The checker should be updated to handle all system calls that take
// 'FILE*' argument. These are now ignored. // 'FILE*' argument. These are now ignored.
Show All 32 Lines

clang/test/Analysis/stream-note.c

Show All 40 Linesvoid check_note_freopen() {
F = freopen(0, "w", F); // expected-note {{Stream reopened here}} F = freopen(0, "w", F); // expected-note {{Stream reopened here}}
if (!F) if (!F)
// expected-note@-1 {{'F' is non-null}} // expected-note@-1 {{'F' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
// expected-warning@-1 {{Opened stream never closed. Potential resource leak}} // expected-warning@-1 {{Opened stream never closed. Potential resource leak}}
// expected-note@-2 {{Opened stream never closed. Potential resource leak}} // expected-note@-2 {{Opened stream never closed. Potential resource leak}}
void check_note_leak_2(int c) {
FILE *F1 = fopen("foo1.c", "r"); // expected-note {{Stream opened here}}
if (!F1)
// expected-note@-1 {{'F1' is non-null}}
// expected-note@-2 {{Taking false branch}}
// expected-note@-3 {{'F1' is non-null}}
// expected-note@-4 {{Taking false branch}}
return;
FILE *F2 = fopen("foo2.c", "r"); // expected-note {{Stream opened here}}
if (!F2) {
// expected-note@-1 {{'F2' is non-null}}
// expected-note@-2 {{Taking false branch}}
// expected-note@-3 {{'F2' is non-null}}
// expected-note@-4 {{Taking false branch}}
fclose(F1);
return;
}
if(c)
Lint: Pre-merge checks
Inline Actions

clang-format: please reformat the code

-  if(c)
+  if (c)
Lint: Pre-merge checks: clang-format: please reformat the code ``` - if(c) + if (c) ```
// expected-note@-1 {{Assuming 'c' is not equal to 0}}
// expected-note@-2 {{Taking true branch}}
// expected-note@-3 {{Assuming 'c' is not equal to 0}}
// expected-note@-4 {{Taking true branch}}
return;
// expected-warning@-1 {{Opened stream never closed. Potential resource leak}}
Lint: Pre-merge checks
Inline Actions

clang-format: please reformat the code

-    // expected-warning@-1 {{Opened stream never closed. Potential resource leak}}
-    // expected-note@-2 {{Opened stream never closed. Potential resource leak}}
-    // expected-warning@-3 {{Opened stream never closed. Potential resource leak}}
-    // expected-note@-4 {{Opened stream never closed. Potential resource leak}}
+  // expected-warning@-1 {{Opened stream never closed. Potential resource leak}}
+  // expected-note@-2 {{Opened stream never closed. Potential resource leak}}
+  // expected-warning@-3 {{Opened stream never closed. Potential resource leak}}
+  // expected-note@-4 {{Opened stream never closed. Potential resource leak}}
Lint: Pre-merge checks: clang-format: please reformat the code ``` - // expected-warning@-1 {{Opened stream never…
// expected-note@-2 {{Opened stream never closed. Potential resource leak}}
// expected-warning@-3 {{Opened stream never closed. Potential resource leak}}
// expected-note@-4 {{Opened stream never closed. Potential resource leak}}
fclose(F1);
fclose(F2);
}