src - FreeBSD source tree

diff options


context:
space:
mode:

author	Dimitry Andric <dim@FreeBSD.org>	2022-03-20 11:40:34 +0000
committer	Dimitry Andric <dim@FreeBSD.org>	2022-05-14 11:43:05 +0000
commit	349cc55c9796c4596a5b9904cd3281af295f878f (patch)
tree	410c5a785075730a35f1272ca6a7adf72222ad03 /contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
parent	cb2ae6163174b90e999326ecec3699ee093a5d43 (diff)
parent	c0981da47d5696fe36474fcf86b4ce03ae3ff818 (diff)

Diffstat (limited to 'contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp')

-rw-r--r--

contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

203

1 files changed, 188 insertions, 15 deletions

diff --git a/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index a6470da09c45..10ed6149528c 100644
--- a/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

@@ -48,9 +48,13 @@

#include "InterCheckerAPI.h"

#include "clang/AST/Attr.h"

#include "clang/AST/DeclCXX.h"

+#include "clang/AST/DeclTemplate.h"

#include "clang/AST/Expr.h"

#include "clang/AST/ExprCXX.h"

#include "clang/AST/ParentMap.h"

+#include "clang/ASTMatchers/ASTMatchFinder.h"

+#include "clang/ASTMatchers/ASTMatchers.h"

+#include "clang/Analysis/ProgramPoint.h"

#include "clang/Basic/LLVM.h"

#include "clang/Basic/SourceManager.h"

#include "clang/Basic/TargetInfo.h"

@@ -60,20 +64,26 @@

#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

+#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"

+#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"

+#include "clang/StaticAnalyzer/Core/PathSensitive/StoreRef.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"

#include "llvm/ADT/STLExtras.h"

+#include "llvm/ADT/SetOperations.h"

#include "llvm/ADT/SmallString.h"

#include "llvm/ADT/StringExtras.h"

+#include "llvm/Support/Casting.h"

#include "llvm/Support/Compiler.h"

#include "llvm/Support/ErrorHandling.h"

+#include "llvm/Support/raw_ostream.h"

#include <climits>

#include <functional>

#include <utility>

@@ -298,6 +308,8 @@ public:

/// which might free a pointer are annotated.

DefaultBool ShouldIncludeOwnershipAnnotatedFunctions;

+ DefaultBool ShouldRegisterNoOwnershipChangeVisitor;

/// Many checkers are essentially built into this one, so enabling them will

/// make MallocChecker perform additional modeling and reporting.

enum CheckKind {

@@ -722,11 +734,169 @@ private:

bool isArgZERO_SIZE_PTR(ProgramStateRef State, CheckerContext &C,

SVal ArgVal) const;

};

+} // end anonymous namespace

+//===----------------------------------------------------------------------===//

+// Definition of NoOwnershipChangeVisitor.

+//===----------------------------------------------------------------------===//

+namespace {

+class NoOwnershipChangeVisitor final : public NoStateChangeFuncVisitor {

+ SymbolRef Sym;

+ using OwnerSet = llvm::SmallPtrSet<const MemRegion *, 8>;

+ // Collect which entities point to the allocated memory, and could be

+ // responsible for deallocating it.

+ class OwnershipBindingsHandler : public StoreManager::BindingsHandler {

+ SymbolRef Sym;

+ OwnerSet &Owners;

+ public:

+ OwnershipBindingsHandler(SymbolRef Sym, OwnerSet &Owners)

+ : Sym(Sym), Owners(Owners) {}

+ bool HandleBinding(StoreManager &SMgr, Store Store, const MemRegion *Region,

+ SVal Val) override {

+ if (Val.getAsSymbol() == Sym)

+ Owners.insert(Region);

+ return true;

+ }

+ LLVM_DUMP_METHOD void dump() const { dumpToStream(llvm::errs()); }

+ LLVM_DUMP_METHOD void dumpToStream(llvm::raw_ostream &out) const {

+ out << "Owners: {\n";

+ for (const MemRegion *Owner : Owners) {

+ out << " ";

+ Owner->dumpToStream(out);

+ out << ",\n";

+ }

+ out << "}\n";

+ }

+ };

+protected:

+ OwnerSet getOwnersAtNode(const ExplodedNode *N) {

+ OwnerSet Ret;

+ ProgramStateRef State = N->getState();

+ OwnershipBindingsHandler Handler{Sym, Ret};

+ State->getStateManager().getStoreManager().iterBindings(State->getStore(),

+ Handler);

+ return Ret;

+ }

+ LLVM_DUMP_METHOD static std::string

+ getFunctionName(const ExplodedNode *CallEnterN) {

+ if (const CallExpr *CE = llvm::dyn_cast_or_null<CallExpr>(

+ CallEnterN->getLocationAs<CallEnter>()->getCallExpr()))

+ if (const FunctionDecl *FD = CE->getDirectCallee())

+ return FD->getQualifiedNameAsString();

+ return "";

+ }

+ bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx) {

+ using namespace clang::ast_matchers;

+ const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee);

+ if (!FD)

+ return false;

+ // TODO: Operator delete is hardly the only deallocator -- Can we reuse

+ // isFreeingCall() or something thats already here?

+ auto Deallocations = match(

+ stmt(hasDescendant(cxxDeleteExpr().bind("delete"))

+ ), *FD->getBody(), ACtx);

+ // TODO: Ownership my change with an attempt to store the allocated memory.

+ return !Deallocations.empty();

+ }

+ virtual bool

+ wasModifiedInFunction(const ExplodedNode *CallEnterN,

+ const ExplodedNode *CallExitEndN) override {

+ if (!doesFnIntendToHandleOwnership(

+ CallExitEndN->getFirstPred()->getLocationContext()->getDecl(),

+ CallExitEndN->getState()->getAnalysisManager().getASTContext()))

+ return true;

+ if (CallEnterN->getState()->get<RegionState>(Sym) !=

+ CallExitEndN->getState()->get<RegionState>(Sym))

+ return true;

+ OwnerSet CurrOwners = getOwnersAtNode(CallEnterN);

+ OwnerSet ExitOwners = getOwnersAtNode(CallExitEndN);

+ // Owners in the current set may be purged from the analyzer later on.

+ // If a variable is dead (is not referenced directly or indirectly after

+ // some point), it will be removed from the Store before the end of its

+ // actual lifetime.

+ // This means that that if the ownership status didn't change, CurrOwners

+ // must be a superset of, but not necessarily equal to ExitOwners.

+ return !llvm::set_is_subset(ExitOwners, CurrOwners);

+ }

+ static PathDiagnosticPieceRef emitNote(const ExplodedNode *N) {

+ PathDiagnosticLocation L = PathDiagnosticLocation::create(

+ N->getLocation(),

+ N->getState()->getStateManager().getContext().getSourceManager());

+ return std::make_shared<PathDiagnosticEventPiece>(

+ L, "Returning without deallocating memory or storing the pointer for "

+ "later deallocation");

+ }

+ virtual PathDiagnosticPieceRef

+ maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,

+ const ObjCMethodCall &Call,

+ const ExplodedNode *N) override {

+ // TODO: Implement.

+ return nullptr;

+ }

+ virtual PathDiagnosticPieceRef

+ maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,

+ const CXXConstructorCall &Call,

+ const ExplodedNode *N) override {

+ // TODO: Implement.

+ return nullptr;

+ }

+ virtual PathDiagnosticPieceRef

+ maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,

+ const ExplodedNode *N) override {

+ // TODO: Factor the logic of "what constitutes as an entity being passed

+ // into a function call" out by reusing the code in

+ // NoStoreFuncVisitor::maybeEmitNoteForParameters, maybe by incorporating

+ // the printing technology in UninitializedObject's FieldChainInfo.

+ ArrayRef<ParmVarDecl *> Parameters = Call.parameters();

+ for (unsigned I = 0; I < Call.getNumArgs() && I < Parameters.size(); ++I) {

+ SVal V = Call.getArgSVal(I);

+ if (V.getAsSymbol() == Sym)

+ return emitNote(N);

+ }

+ return nullptr;

+ }

+public:

+ NoOwnershipChangeVisitor(SymbolRef Sym)

+ : NoStateChangeFuncVisitor(bugreporter::TrackingKind::Thorough),

+ Sym(Sym) {}

+ void Profile(llvm::FoldingSetNodeID &ID) const override {

+ static int Tag = 0;

+ ID.AddPointer(&Tag);

+ ID.AddPointer(Sym);

+ }

+ void *getTag() const {

+ static int Tag = 0;

+ return static_cast<void *>(&Tag);

+ }

+};

+} // end anonymous namespace

//===----------------------------------------------------------------------===//

// Definition of MallocBugVisitor.

//===----------------------------------------------------------------------===//

+namespace {

/// The bug visitor which allows us to print extra diagnostics along the

/// BugReport path. For example, showing the allocation site of the leaked

/// region.

@@ -767,7 +937,7 @@ public:

/// Did not track -> allocated. Other state (released) -> allocated.

static inline bool isAllocated(const RefState *RSCurr, const RefState *RSPrev,

const Stmt *Stmt) {

- return (Stmt && (isa<CallExpr>(Stmt) || isa<CXXNewExpr>(Stmt)) &&

+ return (isa_and_nonnull<CallExpr, CXXNewExpr>(Stmt) &&

(RSCurr &&

(RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&

(!RSPrev ||

@@ -780,8 +950,7 @@ public:

const Stmt *Stmt) {

bool IsReleased =

(RSCurr && RSCurr->isReleased()) && (!RSPrev || !RSPrev->isReleased());

- assert(!IsReleased ||

- (Stmt && (isa<CallExpr>(Stmt) || isa<CXXDeleteExpr>(Stmt))) ||

+ assert(!IsReleased || (isa_and_nonnull<CallExpr, CXXDeleteExpr>(Stmt)) ||

(!Stmt && RSCurr->getAllocationFamily() == AF_InnerBuffer));

return IsReleased;

}

@@ -789,11 +958,10 @@ public:

/// Did not track -> relinquished. Other state (allocated) -> relinquished.

static inline bool isRelinquished(const RefState *RSCurr,

const RefState *RSPrev, const Stmt *Stmt) {

- return (Stmt &&

- (isa<CallExpr>(Stmt) || isa<ObjCMessageExpr>(Stmt) ||

- isa<ObjCPropertyRefExpr>(Stmt)) &&

- (RSCurr && RSCurr->isRelinquished()) &&

- (!RSPrev || !RSPrev->isRelinquished()));

+ return (

+ isa_and_nonnull<CallExpr, ObjCMessageExpr, ObjCPropertyRefExpr>(Stmt) &&

+ (RSCurr && RSCurr->isRelinquished()) &&

+ (!RSPrev || !RSPrev->isRelinquished()));

}

/// If the expression is not a call, and the state change is

@@ -803,7 +971,7 @@ public:

static inline bool hasReallocFailed(const RefState *RSCurr,

const RefState *RSPrev,

const Stmt *Stmt) {

- return ((!Stmt || !isa<CallExpr>(Stmt)) &&

+ return ((!isa_and_nonnull<CallExpr>(Stmt)) &&

(RSCurr &&

(RSCurr->isAllocated() || RSCurr->isAllocatedOfSizeZero())) &&

(RSPrev &&

@@ -851,7 +1019,6 @@ private:

}

};

} // end anonymous namespace

// A map from the freed symbol to the symbol representing the return value of

@@ -1753,7 +1920,7 @@ ProgramStateRef MallocChecker::FreeMemAux(

// Parameters, locals, statics, globals, and memory returned by

// __builtin_alloca() shouldn't be freed.

- if (!(isa<UnknownSpaceRegion>(MS) || isa<HeapSpaceRegion>(MS))) {

+ if (!isa<UnknownSpaceRegion, HeapSpaceRegion>(MS)) {

// FIXME: at the time this code was written, malloc() regions were

// represented by conjured symbols, which are all in UnknownSpaceRegion.

// This means that there isn't actually anything from HeapSpaceRegion

@@ -2303,7 +2470,8 @@ void MallocChecker::HandleUseZeroAlloc(CheckerContext &C, SourceRange Range,

categories::MemoryError));

auto R = std::make_unique<PathSensitiveBugReport>(

- *BT_UseZerroAllocated[*CheckKind], "Use of zero-allocated memory", N);

+ *BT_UseZerroAllocated[*CheckKind],

+ "Use of memory allocated with size zero", N);

R->addRange(Range);

if (Sym) {

@@ -2579,6 +2747,8 @@ void MallocChecker::HandleLeak(SymbolRef Sym, ExplodedNode *N,

AllocNode->getLocationContext()->getDecl());

R->markInteresting(Sym);

R->addVisitor<MallocBugVisitor>(Sym, true);

+ if (ShouldRegisterNoOwnershipChangeVisitor)

+ R->addVisitor<NoOwnershipChangeVisitor>(Sym);

C.emitReport(std::move(R));

}

@@ -2733,7 +2903,7 @@ void MallocChecker::checkEscapeOnReturn(const ReturnStmt *S,

// the callee could still free the memory.

// TODO: This logic should be a part of generic symbol escape callback.

if (const MemRegion *MR = RetVal.getAsRegion())

- if (isa<FieldRegion>(MR) || isa<ElementRegion>(MR))

+ if (isa<FieldRegion, ElementRegion>(MR))

if (const SymbolicRegion *BMR =

dyn_cast<SymbolicRegion>(MR->getBaseRegion()))

Sym = BMR->getSymbol();

@@ -2916,7 +3086,7 @@ bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(

// TODO: If we want to be more optimistic here, we'll need to make sure that

// regions escape to C++ containers. They seem to do that even now, but for

// mysterious reasons.

- if (!(isa<SimpleFunctionCall>(Call) || isa<ObjCMethodCall>(Call)))

+ if (!isa<SimpleFunctionCall, ObjCMethodCall>(Call))

return true;

// Check Objective-C messages by selector name.

@@ -3024,7 +3194,7 @@ bool MallocChecker::mayFreeAnyEscapedMemoryOrIsModeledExplicitly(

const Expr *ArgE = Call->getArgExpr(0)->IgnoreParenCasts();

if (const DeclRefExpr *ArgDRE = dyn_cast<DeclRefExpr>(ArgE))

if (const VarDecl *D = dyn_cast<VarDecl>(ArgDRE->getDecl()))

- if (D->getCanonicalDecl()->getName().find("std") != StringRef::npos)

+ if (D->getCanonicalDecl()->getName().contains("std"))

return true;

}

@@ -3395,6 +3565,9 @@ void ento::registerDynamicMemoryModeling(CheckerManager &mgr) {

auto *checker = mgr.registerChecker<MallocChecker>();

checker->ShouldIncludeOwnershipAnnotatedFunctions =

mgr.getAnalyzerOptions().getCheckerBooleanOption(checker, "Optimistic");

+ checker->ShouldRegisterNoOwnershipChangeVisitor =

+ mgr.getAnalyzerOptions().getCheckerBooleanOption(

+ checker, "AddNoOwnershipChangeNotes");

}

bool ento::shouldRegisterDynamicMemoryModeling(const CheckerManager &mgr) {