This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
2/2
FuchsiaHandleChecker.cpp
-
test/Analysis/
-
Analysis/
2/2
fuchsia_handle.cpp

Differential D91902

[analyzer] Ignore annotations if func is inlined.
ClosedPublic

Authored by aabbaabb on Nov 20 2020, 5:18 PM.

Download Raw Diff

Details

Reviewers

xazax.hun
phosek
haowei

Commits

rG3ce78f54edcf: [analyzer] Ignore annotations if func is inlined.

Summary

When we annotating a function header so that it could be used by other TU, we also need to make sure the function is parsed correctly within the same TU.
So if we can find the function's implementation, ignore the annotations, otherwise, false positive would occur.
Move the escape by value case to post call and do not escape the handle if the function is inlined and we have analyzed the handle.

Tests: unit test.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

aabbaabb created this revision.Nov 20 2020, 5:18 PM

Herald added subscribers: martong, rnkovacs. · View Herald TranscriptNov 20 2020, 5:18 PM

aabbaabb requested review of this revision.Nov 20 2020, 5:18 PM

Thanks for working on this check! Please add the [analyzer] tag to the title of these patches.

Unfortunately, might be a hard problem to solve depending on what you want, see my comments inline.
The question is, do you actually need to skip annotation processing both in pre and postCall?

We usually check preconditions in pre, and apply effects from postconditions in post. So you might be
lucky, and it might be enough to only modify the checkPostCall. Do you observe any false positives
from checkPreCall?

clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp
312	The analyzer has complex logic to decide when to "inline" a function. In this context, inline means to analyze the body at this call site (not actual inlining). Unfortunately, the analyzer might not inline a function even when the body is available (e.g. when running out of some budget like max call stack). Moreover, it might inline functions without a body (see BodyFarm for details). The bottom line is that having a function body is not a good proxy to determine whether a function body will be analyzed or not. Fortunately, it is much easier in the post-call statement as we can observe after the fact whether inlining was done.
347	Here you can use `C.wasInlined` to achieve what you want. See my comment above why.

xazax.hun requested changes to this revision.Nov 26 2020, 3:03 AM

This revision now requires changes to proceed.Nov 26 2020, 3:03 AM

aabbaabb updated this revision to Diff 308828.Dec 1 2020, 5:51 PM

aabbaabb marked 2 inline comments as done.

aabbaabb retitled this revision from Ignore annotations if func implementation is known. to [analyzer] Ignore annotations if func is inlined..

aabbaabb edited the summary of this revision. (Show Details)

Herald added subscribers: steakhal, ASDenysPetrov, Charusso and 7 others. · View Herald TranscriptDec 1 2020, 5:51 PM

LGTM, thanks!

This revision is now accepted and ready to land.Dec 2 2020, 3:49 AM

martong removed a subscriber: martong.Dec 2 2020, 3:51 AM

steakhal added inline comments.Dec 2 2020, 11:08 AM

clang/test/Analysis/fuchsia_handle.cpp
352	Could we see which handle leaked? Oh, I see, `a` is closed, so the only handle that could leak is `b`. Before the patch, it was not reported, but now it is. Am I right? Regardless, IMO it would be cleaner to have some note about this in the expected message.

aabbaabb updated this revision to Diff 309122.Dec 2 2020, 6:57 PM

aabbaabb marked an inline comment as done.

aabbaabb added inline comments.

clang/test/Analysis/fuchsia_handle.cpp
352	updated comment.

aabbaabb marked an inline comment as done.Dec 2 2020, 7:09 PM

Closed by commit rG3ce78f54edcf: [analyzer] Ignore annotations if func is inlined. (authored by aabbaabb, committed by haowei). · Explain WhyDec 7 2020, 11:28 AM

This revision was automatically updated to reflect the committed changes.

haowei added a commit: rG3ce78f54edcf: [analyzer] Ignore annotations if func is inlined..

Herald added a project: Restricted Project. · View Herald TranscriptDec 7 2020, 11:28 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

FuchsiaHandleChecker.cpp

17 lines

test/

Analysis/

fuchsia_handle.cpp

39 lines

Diff 309968

clang/lib/StaticAnalyzer/Checkers/FuchsiaHandleChecker.cpp

Show First 20 Lines • Show All 303 Lines • ▼ Show 20 Lines	for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
State = State->set<HStateMap>(Handle, HandleState::getEscaped());		State = State->set<HStateMap>(Handle, HandleState::getEscaped());
}		}
C.addTransition(State);		C.addTransition(State);
return;		return;
}		}

for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {		for (unsigned Arg = 0; Arg < Call.getNumArgs(); ++Arg) {
if (Arg >= FuncDecl->getNumParams())		if (Arg >= FuncDecl->getNumParams())
break;		break;
		xazax.hunUnsubmitted Done Reply Inline Actions The analyzer has complex logic to decide when to "inline" a function. In this context, inline means to analyze the body at this call site (not actual inlining). Unfortunately, the analyzer might not inline a function even when the body is available (e.g. when running out of some budget like max call stack). Moreover, it might inline functions without a body (see BodyFarm for details). The bottom line is that having a function body is not a good proxy to determine whether a function body will be analyzed or not. Fortunately, it is much easier in the post-call statement as we can observe after the fact whether inlining was done. xazax.hun: The analyzer has complex logic to decide when to "inline" a function. In this context, inline…
const ParmVarDecl *PVD = FuncDecl->getParamDecl(Arg);		const ParmVarDecl *PVD = FuncDecl->getParamDecl(Arg);
SmallVector<SymbolRef, 1024> Handles =		SmallVector<SymbolRef, 1024> Handles =
getFuchsiaHandleSymbols(PVD->getType(), Call.getArgSVal(Arg), State);		getFuchsiaHandleSymbols(PVD->getType(), Call.getArgSVal(Arg), State);

// Handled in checkPostCall.		// Handled in checkPostCall.
if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD) \|\|		if (hasFuchsiaAttr<ReleaseHandleAttr>(PVD) \|\|
hasFuchsiaAttr<AcquireHandleAttr>(PVD))		hasFuchsiaAttr<AcquireHandleAttr>(PVD))
continue;		continue;

for (SymbolRef Handle : Handles) {		for (SymbolRef Handle : Handles) {
const HandleState *HState = State->get<HStateMap>(Handle);		const HandleState *HState = State->get<HStateMap>(Handle);
if (!HState \|\| HState->isEscaped())		if (!HState \|\| HState->isEscaped())
continue;		continue;

if (hasFuchsiaAttr<UseHandleAttr>(PVD) \|\|		if (hasFuchsiaAttr<UseHandleAttr>(PVD) \|\|
PVD->getType()->isIntegerType()) {		PVD->getType()->isIntegerType()) {
if (HState->isReleased()) {		if (HState->isReleased()) {
reportUseAfterFree(Handle, Call.getArgSourceRange(Arg), C);		reportUseAfterFree(Handle, Call.getArgSourceRange(Arg), C);
return;		return;
}		}
}		}
if (!hasFuchsiaAttr<UseHandleAttr>(PVD) &&
PVD->getType()->isIntegerType()) {
// Working around integer by-value escapes.
State = State->set<HStateMap>(Handle, HandleState::getEscaped());
}
}		}
}		}
C.addTransition(State);		C.addTransition(State);
}		}

void FuchsiaHandleChecker::checkPostCall(const CallEvent &Call,		void FuchsiaHandleChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const {		CheckerContext &C) const {
const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl());		const FunctionDecl *FuncDecl = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (!FuncDecl)		if (!FuncDecl)
return;		return;

		// If we analyzed the function body, then ignore the annotations.
		if (C.wasInlined)
		return;
		xazax.hunUnsubmitted Done Reply Inline Actions Here you can use `C.wasInlined` to achieve what you want. See my comment above why. xazax.hun: Here you can use `C.wasInlined` to achieve what you want. See my comment above why.

ProgramStateRef State = C.getState();		ProgramStateRef State = C.getState();

std::vector<std::function<std::string(BugReport & BR)>> Notes;		std::vector<std::function<std::string(BugReport & BR)>> Notes;
SymbolRef ResultSymbol = nullptr;		SymbolRef ResultSymbol = nullptr;
if (const auto *TypeDefTy = FuncDecl->getReturnType()->getAs<TypedefType>())		if (const auto *TypeDefTy = FuncDecl->getReturnType()->getAs<TypedefType>())
if (TypeDefTy->getDecl()->getName() == ErrorTypeName)		if (TypeDefTy->getDecl()->getName() == ErrorTypeName)
ResultSymbol = Call.getReturnValue().getAsSymbol();		ResultSymbol = Call.getReturnValue().getAsSymbol();

▲ Show 20 Lines • Show All 54 Lines • ▼ Show 20 Lines	for (SymbolRef Handle : Handles) {
OS << "Handle allocated through " << ParamDiagIdx		OS << "Handle allocated through " << ParamDiagIdx
<< llvm::getOrdinalSuffix(ParamDiagIdx) << " parameter";		<< llvm::getOrdinalSuffix(ParamDiagIdx) << " parameter";
return OS.str();		return OS.str();
} else		} else
return "";		return "";
});		});
State = State->set<HStateMap>(		State = State->set<HStateMap>(
Handle, HandleState::getMaybeAllocated(ResultSymbol));		Handle, HandleState::getMaybeAllocated(ResultSymbol));
		} else if (!hasFuchsiaAttr<UseHandleAttr>(PVD) &&
		PVD->getType()->isIntegerType()) {
		// Working around integer by-value escapes.
		// The by-value escape would not be captured in checkPointerEscape.
		// If the function was not analyzed (otherwise wasInlined should be
		// true) and there is no annotation on the handle, we assume the handle
		// is escaped.
		State = State->set<HStateMap>(Handle, HandleState::getEscaped());
}		}
}		}
}		}
const NoteTag *T = nullptr;		const NoteTag *T = nullptr;
if (!Notes.empty()) {		if (!Notes.empty()) {
T = C.getNoteTag([this, Notes{std::move(Notes)}](		T = C.getNoteTag([this, Notes{std::move(Notes)}](
PathSensitiveBugReport &BR) -> std::string {		PathSensitiveBugReport &BR) -> std::string {
if (&BR.getBugType() != &UseAfterReleaseBugType &&		if (&BR.getBugType() != &UseAfterReleaseBugType &&
▲ Show 20 Lines • Show All 201 Lines • Show Last 20 Lines

clang/test/Analysis/fuchsia_handle.cpp

Show First 20 Lines • Show All 309 Lines • ▼ Show 20 Lines	void checkHandlePtrInStructureLeak() {
zx_handle_t sa, sb;		zx_handle_t sa, sb;
zx_channel_create(0, &sa, &sb); // expected-note {{Handle allocated through 3rd parameter}}		zx_channel_create(0, &sa, &sb); // expected-note {{Handle allocated through 3rd parameter}}
HandlePtrStruct hs;		HandlePtrStruct hs;
hs.h = &sb;		hs.h = &sb;
zx_handle_close(sa); // expected-warning {{Potential leak of handle}}		zx_handle_close(sa); // expected-warning {{Potential leak of handle}}
// expected-note@-1 {{Potential leak of handle}}		// expected-note@-1 {{Potential leak of handle}}
}		}

		// Assume this function's declaration that has the release annotation is in one
		// header file while its implementation is in another file. We have to annotate
		// the declaration because it might be used outside the TU.
		// We also want to make sure it is okay to call the function within the same TU.
		zx_status_t test_release_handle(zx_handle_t handle ZX_HANDLE_RELEASE) {
		return zx_handle_close(handle);
		}

		void checkReleaseImplementedFunc() {
		zx_handle_t a, b;
		zx_channel_create(0, &a, &b);
		zx_handle_close(a);
		test_release_handle(b);
		}

		void use_handle(zx_handle_t handle) {
		// Do nothing.
		}

		void test_call_by_value() {
		zx_handle_t a, b;
		zx_channel_create(0, &a, &b);
		zx_handle_close(a);
		use_handle(b);
		zx_handle_close(b);
		}

		void test_call_by_value_leak() {
		zx_handle_t a, b;
		zx_channel_create(0, &a, &b); // expected-note {{Handle allocated through 3rd parameter}}
		zx_handle_close(a);
		// Here we are passing handle b as integer value to a function that could be
		// analyzed by the analyzer, thus the handle should not be considered escaped.
		// After the function 'use_handle', handle b is still tracked and should be
		// reported leaked.
		steakhalUnsubmitted Done Reply Inline Actions Could we see which handle leaked? Oh, I see, `a` is closed, so the only handle that could leak is `b`. Before the patch, it was not reported, but now it is. Am I right? Regardless, IMO it would be cleaner to have some note about this in the expected message. steakhal: Could we see which handle //leaked//? Oh, I see, `a` is closed, so the only handle that could…
		aabbaabbAuthorUnsubmitted Done Reply Inline Actions updated comment. aabbaabb: updated comment.
		use_handle(b);
		} // expected-warning {{Potential leak of handle}}
		// expected-note@-1 {{Potential leak of handle}}

// RAII		// RAII

template <typename T>		template <typename T>
struct HandleWrapper {		struct HandleWrapper {
~HandleWrapper() { close(); }		~HandleWrapper() { close(); }
void close() {		void close() {
if (handle != ZX_HANDLE_INVALID)		if (handle != ZX_HANDLE_INVALID)
zx_handle_close(handle);		zx_handle_close(handle);
▲ Show 20 Lines • Show All 123 Lines • Show Last 20 Lines