This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
1/3
PthreadLockChecker.cpp
-
test/Analysis/
-
Analysis/
-
pthreadlock.c

Differential D98504

[clang][Checkers] Fix PthreadLockChecker state cleanup at dead symbol.
ClosedPublic

Authored by balazske on Mar 12 2021, 7:10 AM.

Download Raw Diff

Details

Reviewers

Szelethus
dergachev.a
ASDenysPetrov
NoQ

Commits

rGbee4813789a3: [clang][Checkers] Fix PthreadLockChecker state cleanup at dead symbol.

Summary

It is possible that an entry in 'DestroyRetVal' lives longer
than an entry in 'LockMap' if not removed at checkDeadSymbols.
The added test case demonstrates this.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

balazske created this revision.Mar 12 2021, 7:10 AM

Herald added a reviewer: Szelethus. · View Herald TranscriptMar 12 2021, 7:10 AM

Herald added subscribers: martong, gamesh411, Szelethus, dkrupp. · View Herald Transcript

balazske requested review of this revision.Mar 12 2021, 7:10 AM

Herald added a project: Restricted Project. · View Herald TranscriptMar 12 2021, 7:10 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Improved commit message.

balazske retitled this revision from [clang][Checkers] Fix state cleanup at dead symbol. to [clang][Checkers] Fix PthreadLockChecker state cleanup at dead symbol..Mar 12 2021, 7:27 AM

balazske added reviewers: dergachev.a, ASDenysPetrov.

Herald added a subscriber: Charusso. · View Herald TranscriptMar 12 2021, 7:27 AM

balazske added a parent revision: D98502: [clang][Checkers] Extend PthreadLockChecker state dump (NFC)..Mar 12 2021, 7:28 AM

Harbormaster completed remote builds in B93493: Diff 330238.Mar 12 2021, 8:01 AM

Harbormaster completed remote builds in B93498: Diff 330243.Mar 12 2021, 8:33 AM

Hi, @balazske

clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp
290–305	I'm just wondering, did you think about such way of fixing?

Hmm this probably even deserves a warning? Like, the mutex goes out of scope but we don't know whether we've successfully destroyed it? Even if we perform the check later, we can't do anything about it anymore? (not sure how bad it is in practice)

clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp
290–305	This involves keeping dead regions in the program state. I'd be pretty worried about it.

This revision is now accepted and ready to land.Mar 12 2021, 9:46 PM

Exactly the case is (I think) that the mutex goes out of scope and we have not checked if it was really destroyed. Still the program can check later if it was destroyed (like the if in the test case). A resource leak may be the problem (if destroy failed) so a warning like "possible resource leak if destroy call fails" can be added. The case is detected in checkDeadSymbols that may make adding a good warning more difficult.

clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp
290–305	This was my first idea but did not like it because state is not cleaned up correctly. (And `LockMap` contains data about unaccessible mutex.)

steakhal added a subscriber: steakhal.Mar 22 2021, 8:29 AM

Closed by commit rGbee4813789a3: [clang][Checkers] Fix PthreadLockChecker state cleanup at dead symbol. (authored by balazske). · Explain WhyApr 6 2021, 2:04 AM

This revision was automatically updated to reflect the committed changes.

balazske added a commit: rGbee4813789a3: [clang][Checkers] Fix PthreadLockChecker state cleanup at dead symbol..

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

PthreadLockChecker.cpp

4 lines

test/

Analysis/

pthreadlock.c

6 lines

Diff 335436

clang/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp

Show First 20 Lines • Show All 281 Lines • ▼ Show 20 Lines

// function to see if the return value was checked by now and set the lock state // function to see if the return value was checked by now and set the lock state

// - either to destroyed state or back to its previous state. // - either to destroyed state or back to its previous state.

// In PthreadSemantics, pthread_mutex_destroy() returns zero if the lock is // In PthreadSemantics, pthread_mutex_destroy() returns zero if the lock is

// successfully destroyed and it returns a non-zero value otherwise. // successfully destroyed and it returns a non-zero value otherwise.

ProgramStateRef PthreadLockChecker::resolvePossiblyDestroyedMutex( ProgramStateRef PthreadLockChecker::resolvePossiblyDestroyedMutex(

ProgramStateRef state, const MemRegion *lockR, const SymbolRef *sym) const { ProgramStateRef state, const MemRegion *lockR, const SymbolRef *sym) const {

const LockState *lstate = state->get<LockMap>(lockR); const LockState *lstate = state->get<LockMap>(lockR);

// Existence in DestroyRetVal ensures existence in LockMap. // Existence in DestroyRetVal ensures existence in LockMap.

// Existence in Destroyed also ensures that the lock state for lockR is either // Existence in Destroyed also ensures that the lock state for lockR is either

// UntouchedAndPossiblyDestroyed or UnlockedAndPossiblyDestroyed. // UntouchedAndPossiblyDestroyed or UnlockedAndPossiblyDestroyed.

assert(lstate->isUntouchedAndPossiblyDestroyed() || assert(lstate->isUntouchedAndPossiblyDestroyed() ||

lstate->isUnlockedAndPossiblyDestroyed()); lstate->isUnlockedAndPossiblyDestroyed());

ConstraintManager &CMgr = state->getConstraintManager(); ConstraintManager &CMgr = state->getConstraintManager();

ConditionTruthVal retZero = CMgr.isNull(state, *sym); ConditionTruthVal retZero = CMgr.isNull(state, *sym);

if (retZero.isConstrainedFalse()) { if (retZero.isConstrainedFalse()) {

if (lstate->isUntouchedAndPossiblyDestroyed()) if (lstate->isUntouchedAndPossiblyDestroyed())

state = state->remove<LockMap>(lockR); state = state->remove<LockMap>(lockR);

else if (lstate->isUnlockedAndPossiblyDestroyed()) else if (lstate->isUnlockedAndPossiblyDestroyed())

state = state->set<LockMap>(lockR, LockState::getUnlocked()); state = state->set<LockMap>(lockR, LockState::getUnlocked());

} else } else

state = state->set<LockMap>(lockR, LockState::getDestroyed()); state = state->set<LockMap>(lockR, LockState::getDestroyed());

ASDenysPetrovUnsubmitted

Not Done

const LockState *lstate = state->get<LockMap>(lockR);

- // Existence in DestroyRetVal ensures existence in LockMap.

- // Existence in Destroyed also ensures that the lock state for lockR is either

- // UntouchedAndPossiblyDestroyed or UnlockedAndPossiblyDestroyed.

- assert(lstate->isUntouchedAndPossiblyDestroyed() ||

- lstate->isUnlockedAndPossiblyDestroyed());

+ if (lstate) {

+ // Existence in DestroyRetVal ensures existence in LockMap.

+ // Existence in Destroyed also ensures that the lock state for lockR is either

+ // UntouchedAndPossiblyDestroyed or UnlockedAndPossiblyDestroyed.

+ assert(lstate->isUntouchedAndPossiblyDestroyed() ||

+ lstate->isUnlockedAndPossiblyDestroyed());

- ConstraintManager &CMgr = state->getConstraintManager();

- ConditionTruthVal retZero = CMgr.isNull(state, *sym);

- if (retZero.isConstrainedFalse()) {

- if (lstate->isUntouchedAndPossiblyDestroyed())

- state = state->remove<LockMap>(lockR);

- else if (lstate->isUnlockedAndPossiblyDestroyed())

- state = state->set<LockMap>(lockR, LockState::getUnlocked());

- } else

- state = state->set<LockMap>(lockR, LockState::getDestroyed());

- // Removing the map entry (lockR, sym) from DestroyRetVal as the lock state is

+ ConstraintManager &CMgr = state->getConstraintManager();

+ ConditionTruthVal retZero = CMgr.isNull(state, *sym);

+ if (retZero.isConstrainedFalse()) {

+ if (lstate->isUntouchedAndPossiblyDestroyed())

+ state = state->remove<LockMap>(lockR);

+ else if (lstate->isUnlockedAndPossiblyDestroyed())

+ state = state->set<LockMap>(lockR, LockState::getUnlocked());

+ } else

+ state = state->set<LockMap>(lockR, LockState::getDestroyed());

+ } // Removing the map entry (lockR, sym) from DestroyRetVal as the lock state is

I'm just wondering, did you think about such way of fixing?

ASDenysPetrov: I'm just wondering, did you think about such way of fixing?

NoQUnsubmitted

Not Done

This involves keeping dead regions in the program state. I'd be pretty worried about it.

NoQ: This involves keeping dead regions in the program state. I'd be pretty worried about it.

balazskeAuthorUnsubmitted

Done

This was my first idea but did not like it because state is not cleaned up correctly. (And LockMap contains data about unaccessible mutex.)

balazske: This was my first idea but did not like it because state is not cleaned up correctly. (And…

// Removing the map entry (lockR, sym) from DestroyRetVal as the lock state is // Removing the map entry (lockR, sym) from DestroyRetVal as the lock state is

// now resolved. // now resolved.

state = state->remove<DestroyRetVal>(lockR); state = state->remove<DestroyRetVal>(lockR);

return state; return state;

} }

void PthreadLockChecker::printState(raw_ostream &Out, ProgramStateRef State, void PthreadLockChecker::printState(raw_ostream &Out, ProgramStateRef State,

const char *NL, const char *Sep) const { const char *NL, const char *Sep) const {

▲ Show 20 Lines • Show All 328 Lines • ▼ Show 20 Lines for (auto I : State->get<DestroyRetVal>()) {

// against it. See if the return value was checked before this point. // against it. See if the return value was checked before this point.

// This would remove the symbol from the map as well. // This would remove the symbol from the map as well.

if (SymReaper.isDead(I.second)) if (SymReaper.isDead(I.second))

State = resolvePossiblyDestroyedMutex(State, I.first, &I.second); State = resolvePossiblyDestroyedMutex(State, I.first, &I.second);

} }

for (auto I : State->get<LockMap>()) { for (auto I : State->get<LockMap>()) {

// Stop tracking dead mutex regions as well. // Stop tracking dead mutex regions as well.

if (!SymReaper.isLiveRegion(I.first)) if (!SymReaper.isLiveRegion(I.first)) {

State = State->remove<LockMap>(I.first); State = State->remove<LockMap>(I.first);

State = State->remove<DestroyRetVal>(I.first);

}

} }

// TODO: We probably need to clean up the lock stack as well. // TODO: We probably need to clean up the lock stack as well.

// It is tricky though: even if the mutex cannot be unlocked anymore, // It is tricky though: even if the mutex cannot be unlocked anymore,

// it can still participate in lock order reversal resolution. // it can still participate in lock order reversal resolution.

C.addTransition(State); C.addTransition(State);

} }

▲ Show 20 Lines • Show All 57 Lines • Show Last 20 Lines

clang/test/Analysis/pthreadlock.c

Show First 20 Lines • Show All 507 Lines • ▼ Show 20 Lines	void bad32(void) {
lck_rw_unlock_shared(&rw); // FIXME: warn - should be exclusive?		lck_rw_unlock_shared(&rw); // FIXME: warn - should be exclusive?
}		}

void bad33(void) {		void bad33(void) {
pthread_mutex_lock(pmtx);		pthread_mutex_lock(pmtx);
fake_system_function();		fake_system_function();
pthread_mutex_lock(pmtx); // expected-warning{{This lock has already been acquired}}		pthread_mutex_lock(pmtx); // expected-warning{{This lock has already been acquired}}
}		}

		void nocrash1(pthread_mutex_t *mutex) {
		int ret = pthread_mutex_destroy(mutex);
		if (ret == 0) // no crash
		;
		}