[PATCH] D21081: MPI-Checker patch for Clang Static Analyzer

Alexander Droste via cfe-commits cfe-commits at lists.llvm.org
Wed Jun 8 04:38:18 PDT 2016


Alexander_Droste added a comment.

Hi Devin,
thanks for fixing the GCC build errors and setting up the commit!

Unfortunately, creating an `MPIBugReporter` instance only when a bug occurs does cause a separate issue.
The instance seems to be freed before the reports get flushed.

  /// Pre-call check for the "double nonblocking" rule: a nonblocking MPI call
  /// whose request argument is still recorded in the RequestMap as
  /// Request::State::Nonblocking is reported; otherwise the request is
  /// recorded as nonblocking in the new state.
  ///
  /// The request is taken to be the call's last argument. Only typed regions
  /// (or element regions whose super region is typed) are tracked; anything
  /// else is ignored.
  ///
  /// \param PreCallEvent The MPI call about to be evaluated.
  /// \param Ctx Checker context providing the current state, transitions and
  ///        the BugReporter.
  void MPIChecker::checkDoubleNonblocking(const CallEvent &PreCallEvent,
                                          CheckerContext &Ctx) const {
    // Only nonblocking MPI functions are relevant for this rule.
    if (!FuncClassifier->isNonBlockingType(PreCallEvent.getCalleeIdentifier())) {
      return;
    }
    // The request handle is passed as the last argument of the call.
    const MemRegion *const MR =
        PreCallEvent.getArgSVal(PreCallEvent.getNumArgs() - 1).getAsRegion();
    if (!MR)
      return;
    // Non-null only when the request is an element of an array-like region;
    // in that case the super region has to be typed as well (see below).
    const ElementRegion *const ER = dyn_cast<ElementRegion>(MR);
  
    // The region must be typed, in order to reason about it.
    if (!isa<TypedRegion>(MR) || (ER && !isa<TypedRegion>(ER->getSuperRegion())))
      return;
  
    ProgramStateRef State = Ctx.getState();
    // nullptr when the request has not been tracked on this path yet.
    const Request *const Req = State->get<RequestMap>(MR);
  
    // double nonblocking detected: the request is still pending from an
    // earlier nonblocking call.
    if (Req && Req->CurrentState == Request::State::Nonblocking) {
      // NOTE(review): generateNonFatalErrorNode can return nullptr for a
      // cached-out node; other checkers return early on null before using
      // the node — confirm and add the check.
      ExplodedNode *ErrorNode = Ctx.generateNonFatalErrorNode();
      // NOTE(review): this reporter lives only until the end of this branch,
      // but the bug report it emits is kept by Ctx.getBugReporter() and is
      // flushed later. The same pattern in checkMissingWaits produced an ASan
      // heap-use-after-free: memory allocated by the MPIBugReporter
      // constructor is freed in ~MPIBugReporter and read again in
      // BugReporter::FlushReports. The reporter must outlive the analysis,
      // e.g. by being owned by the checker instead of this call.
      std::unique_ptr<MPIBugReporter> BReporter{new MPIBugReporter{
          Ctx.getBugReporter(), *this, Ctx.getAnalysisManager().getASTContext()}};
      BReporter->reportDoubleNonblocking(PreCallEvent, *Req, MR, ErrorNode);
      // Continue the path from the error node with its state unchanged.
      Ctx.addTransition(ErrorNode->getState(), ErrorNode);
    }
    // no error: remember that this request is now pending.
    else {
      State = State->set<RequestMap>(MR, Request::State::Nonblocking);
      Ctx.addTransition(State);
    }
  }



Command Output (stderr):
------------------------




==55584==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700000b540 at pc 0x00011391de54 bp 0x7fff51337e30 sp 0x7fff51337e28
--------------------------------------------------------------------------------------------------------------------------------------

READ of size 8 at 0x60700000b540 thread T0

  #0 0x11391de53 in clang::ento::BugReporter::FlushReports() (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x105059e53)
  #1 0x1126c561c in (anonymous namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103e0161c)
  #2 0x1126c4c06 in (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103e00c06)
  #3 0x1126bf06a in (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103dfb06a)
  #4 0x1126bb50e in (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103df750e)
  #5 0x11273ea4b in clang::ParseAST(clang::Sema&, bool, bool) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103e7aa4b)
  #6 0x1119faf2f in clang::FrontendAction::Execute() (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103136f2f)
  #7 0x111962b04 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x10309eb04)
  #8 0x111a7ba23 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1031b7a23)
  #9 0x10e8d3e8c  (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x10000fe8c)
  #10 0x10e8c9116  (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x100005116)
  #11 0x10e8c73d1  (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1000033d1)

LLVMSymbolizer: error reading file: No object file for requested architecture

  #12 0x7fff86f395ac  (/usr/lib/system/libdyld.dylib+0x35ac)
  #13 0x8  (<unknown module>)

0x60700000b540 is located 0 bytes inside of 80-byte region [0x60700000b540,0x60700000b590)
freed by thread T0 here:

  #0 0x11df36d1b in wrap__ZdlPv (/usr/local/lib/clang/3.8.1/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x57d1b)
  #1 0x1137dd0cf in clang::ento::mpi::MPIBugReporter::~MPIBugReporter() (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x104f190cf)
  #2 0x1137db9a1 in clang::ento::mpi::MPIChecker::checkMissingWaits(clang::ento::SymbolReaper&, clang::ento::CheckerContext&) const (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x104f179a1)
  #3 0x11398de38 in (anonymous namespace)::CheckDeadSymbolsContext::runChecker(clang::ento::CheckerFn<void (clang::ento::SymbolReaper&, clang::ento::CheckerContext&)>, clang::ento::NodeBuilder&, clang::ento::ExplodedNode*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050c9e38)
  #4 0x113982269 in void expandGraphWithCheckers<(anonymous namespace)::CheckDeadSymbolsContext>((anonymous namespace)::CheckDeadSymbolsContext, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050be269)
  #5 0x113981f24 in clang::ento::CheckerManager::runCheckersForDeadSymbols(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::SymbolReaper&, clang::Stmt const*, clang::ento::ExprEngine&, clang::ProgramPoint::Kind) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050bdf24)
  #6 0x1139c1bc7 in clang::ento::ExprEngine::removeDead(clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&, clang::Stmt const*, clang::LocationContext const*, clang::Stmt const*, clang::ProgramPoint::Kind) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050fdbc7)
  #7 0x1139fefb6 in clang::ento::ExprEngine::removeDeadOnEndOfFunction(clang::ento::NodeBuilderContext&, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x10513afb6)
  #8 0x1139d1d24 in clang::ento::ExprEngine::processEndOfFunction(clang::ento::NodeBuilderContext&, clang::ento::ExplodedNode*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x10510dd24)
  #9 0x1139a14db in clang::ento::CoreEngine::HandleBlockEdge(clang::BlockEdge const&, clang::ento::ExplodedNode*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050dd4db)
  #10 0x1139a0ea5 in clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050dcea5)
  #11 0x1139a0198 in clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050dc198)
  #12 0x1126c5c79 in clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103e01c79)
  #13 0x1126c5599 in (anonymous namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103e01599)
  #14 0x1126c4c06 in (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103e00c06)
  #15 0x1126bf06a in (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103dfb06a)
  #16 0x1126bb50e in (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103df750e)
  #17 0x11273ea4b in clang::ParseAST(clang::Sema&, bool, bool) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103e7aa4b)
  #18 0x1119faf2f in clang::FrontendAction::Execute() (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103136f2f)
  #19 0x111962b04 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x10309eb04)
  #20 0x111a7ba23 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1031b7a23)
  #21 0x10e8d3e8c  (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x10000fe8c)
  #22 0x10e8c9116  (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x100005116)
  #23 0x10e8c73d1  (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1000033d1)
  #24 0x7fff86f395ac  (/usr/lib/system/libdyld.dylib+0x35ac)
  #25 0x8  (<unknown module>)

previously allocated by thread T0 here:

  #0 0x11df3675b in wrap__Znwm (/usr/local/lib/clang/3.8.1/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x5775b)
  #1 0x1137dc60b in clang::ento::mpi::MPIBugReporter::MPIBugReporter(clang::ento::BugReporter&, clang::ento::CheckerBase const&, clang::ento::mpi::MPIFunctionClassifier const&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x104f1860b)
  #2 0x1137db973 in clang::ento::mpi::MPIChecker::checkMissingWaits(clang::ento::SymbolReaper&, clang::ento::CheckerContext&) const (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x104f17973)
  #3 0x11398de38 in (anonymous namespace)::CheckDeadSymbolsContext::runChecker(clang::ento::CheckerFn<void (clang::ento::SymbolReaper&, clang::ento::CheckerContext&)>, clang::ento::NodeBuilder&, clang::ento::ExplodedNode*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050c9e38)
  #4 0x113982269 in void expandGraphWithCheckers<(anonymous namespace)::CheckDeadSymbolsContext>((anonymous namespace)::CheckDeadSymbolsContext, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050be269)
  #5 0x113981f24 in clang::ento::CheckerManager::runCheckersForDeadSymbols(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::SymbolReaper&, clang::Stmt const*, clang::ento::ExprEngine&, clang::ProgramPoint::Kind) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050bdf24)
  #6 0x1139c1bc7 in clang::ento::ExprEngine::removeDead(clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&, clang::Stmt const*, clang::LocationContext const*, clang::Stmt const*, clang::ProgramPoint::Kind) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050fdbc7)
  #7 0x1139fefb6 in clang::ento::ExprEngine::removeDeadOnEndOfFunction(clang::ento::NodeBuilderContext&, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x10513afb6)
  #8 0x1139d1d24 in clang::ento::ExprEngine::processEndOfFunction(clang::ento::NodeBuilderContext&, clang::ento::ExplodedNode*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x10510dd24)
  #9 0x1139a14db in clang::ento::CoreEngine::HandleBlockEdge(clang::BlockEdge const&, clang::ento::ExplodedNode*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050dd4db)
  #10 0x1139a0ea5 in clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050dcea5)
  #11 0x1139a0198 in clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1050dc198)
  #12 0x1126c5c79 in clang::ento::ExprEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103e01c79)
  #13 0x1126c5599 in (anonymous namespace)::AnalysisConsumer::ActionExprEngine(clang::Decl*, bool, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103e01599)
  #14 0x1126c4c06 in (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103e00c06)
  #15 0x1126bf06a in (anonymous namespace)::AnalysisConsumer::HandleDeclsCallGraph(unsigned int) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103dfb06a)
  #16 0x1126bb50e in (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103df750e)
  #17 0x11273ea4b in clang::ParseAST(clang::Sema&, bool, bool) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103e7aa4b)
  #18 0x1119faf2f in clang::FrontendAction::Execute() (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x103136f2f)
  #19 0x111962b04 in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x10309eb04)
  #20 0x111a7ba23 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1031b7a23)
  #21 0x10e8d3e8c  (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x10000fe8c)
  #22 0x10e8c9116  (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x100005116)
  #23 0x10e8c73d1  (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x1000033d1)
  #24 0x7fff86f395ac  (/usr/lib/system/libdyld.dylib+0x35ac)
  #25 0x8  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/lx/Documents/Text/Code/Open_Source/llvm_trunk_git/build/debug/./bin/clang+0x105059e53) in clang::ento::BugReporter::FlushReports()
Shadow bytes around the buggy address:

  0x1c0e00001650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0e00001660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0e00001670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0e00001680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0e00001690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

=>0x1c0e000016a0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
================================================================

  0x1c0e000016b0: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x1c0e000016c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x1c0e000016d0: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x1c0e000016e0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
  0x1c0e000016f0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

==55584==ABORTING
---------------


================
Comment at: lib/StaticAnalyzer/Checkers/MPI-Checker/MPIFunctionClassifier.h:26
@@ +25,3 @@
+public:
+  MPIFunctionClassifier(AnalysisManager &AM) { identifierInit(AM); }
+
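Review bot: The constructor added at `+  MPIFunctionClassifier(AnalysisManager &AM)` takes a single reference argument but is not `explicit`, so a classifier can be created by implicit conversion wherever one is expected by value or const reference; `explicit MPIFunctionClassifier(AnalysisManager &AM) { identifierInit(AM); }` prevents that, and the same applies whichever parameter type the constructor ends up with. The enclosing class definition starts before the hunk, so the rest of the class is not visible here.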
----------------
dcoughlin wrote:
> Can this be changed to take an `ASTContext&` instead?
That works, I changed type to `ASTContext`.


http://reviews.llvm.org/D21081




