[PATCH][Review request] unix.Malloc checker improvement: +handling new/delete, +memory.MismatchedFree, +memory.MismatchedDelete, +improved display names for allocators/deallocators

Anton Yartsev anton.yartsev at gmail.com
Wed Mar 27 10:13:09 PDT 2013


On 27.03.2013 20:58, Anna Zaks wrote:
>
> On Mar 26, 2013, at 6:10 PM, Anna Zaks <ganna at apple.com 
> <mailto:ganna at apple.com>> wrote:
>
>>
>> On Mar 26, 2013, at 5:10 PM, Anton Yartsev <anton.yartsev at gmail.com 
>> <mailto:anton.yartsev at gmail.com>> wrote:
>>
>>> On 25.03.2013 21:39, Anna Zaks wrote:
>>>> On Mar 25, 2013, at 9:30 AM, Jordan Rose <jordan_rose at apple.com 
>>>> <mailto:jordan_rose at apple.com>> wrote:
>>>>
>>>>>
>>>>> On Mar 25, 2013, at 8:01 , Anton Yartsev <anton.yartsev at gmail.com 
>>>>> <mailto:anton.yartsev at gmail.com>> wrote:
>>>>>
>>>>>> Committed as r177849
>>>>>>
>>>>>> Manage to find several random real bugs (report-843813.html, 
>>>>>> report-230257.html, recursive case in report-727931.html), but 
>>>>>> for now it is hard to detect real bugs among tons of false-positives.
>>>>>>
>>>>>> There are two types of false-positives that form the majority of 
>>>>>> reports:
>>>>>> 1) Illustrated by the following test (added similar test to 
>>>>>> NewDelete-checker-test.mm):
>>>>>> int *global;
>>>>>> void testMemIsOnHeap() {
>>>>>>   int *p = new int; // FIXME: currently not heap allocated!
>>>>>>   if (global != p) // evaluates to UnknownVal() rather then 'true'
>>>>>>     global = p;
>>>>>> } // report false-positive leak
>>>>>>
>>>>>> As I understand the problem is that currently a memory region for 
>>>>>> 'new' is not a heap region and this lead to false-positives like 
>>>>>> report-863595.html and others. (e.g. that causes 'global != p' 
>>>>>> evaluate to UnknownVal() rather then 'true' (logic of 
>>>>>> SimpleSValBuilder::evalBinOpLL))
>>>>>>
>>>>>> Attached is the proposed patch that fixes these issues.
>>>>>
>>>>> There are two reasons I didn't use getConjuredHeapSymbol when I 
>>>>> originally put in this code:
>>>>> (1) It handles all CXXNewExprs, even if the allocator is not one 
>>>>> of the global ones.
>>>>> (2) Heap symbols weren't used yet (Anna added them later for 
>>>>> MallocChecker).
>>>>>
>>>>> Obviously #2 is bogus now. #1 worries me a bit because it requires 
>>>>> duplicating some of the checks you just added to MallocChecker.
>>>>>
>>>>> In the long run, the design would be to get the appropriate memory 
>>>>> from the allocator call, and we have PR12014's restructuring of 
>>>>> the CFG blocking that. I'm not sure if we'd then move the heap 
>>>>> symbol logic into a checker, or if it would still stay in Core.
>>>>>
>>>>> In the short term, I guess the best idea is to duplicate some of 
>>>>> the checks (or refactor them to a helper function 
>>>>> somewhere...though probably/not/ into AST) and then conjure a heap 
>>>>> symbol if we know we can.
>>> Failed to find any suitable place other then AST :) Eventually 
>>> noticed, that actually only a single check should be duplicated. 
>>> Decided to leave the wide comment added when I tried to find the 
>>> proper place for isStandardNewDelete().
>>> New fix attached.
>>>
>>>>>
>>>>>
>>>>>> 2) The second type of false-positives is illustrated by the 
>>>>>> following minimal test:
>>>>>> void f(const int & x);
>>>>>>
>>>>>> void test() {
>>>>>>   int *p = (int *)malloc(sizeof(int));
>>>>>>   f(*p);
>>>>>> } // report false-positive leak
>>>>>>
>>>>>> report-218274.html shows how it looks like in reality.
>>>>>> Haven't addressed this yet. Removing 'const' from the declaration 
>>>>>> eliminates the leak report.
>>>>>
>>>>> Interesting. You can't change a const region (and pedantically you 
>>>>> can't free() it either), but you certainly can 'delete' it. (C++11 
>>>>> [expr.delete]p2)
>>>>>
>>>>> Anna, any thoughts on this? Should these also count as "pointer 
>>>>> escaped" even though their contents have not been invalidated?
>>>>>
>>>>
>>>> I think handling this similarly to pointer escape is the best. 
>>>> However, I am concerned that if we simply extend pointer escape to 
>>>> trigger on another "Kind" of escape, all the other users of 
>>>> pointerEscape will need to know about it (and do nothing for this 
>>>> kind of escape). How about a new checker callback, which will rely 
>>>> on the same core code as _checkPointerEscape? This way the checker 
>>>> developers would not need to know about this special case, and we 
>>>> can reuse all the code that determines when the escape should be 
>>>> triggered.
>>> As for me it would be better to leave the single callback as this is 
>>> just another type of pointer escape, if I understand correctly. Have 
>>> no other arguments for this :)
>>> In addition, the "Kind" approach is relatively new, so hopefully a 
>>> few users of pointerEscape be affected.
>> The main concern is that every user of the callback will now have to 
>> check if the kind is ConstPointer (or whatever we call it, maybe 
>> multiple kinds..) and do nothing in that case. So every user will 
>> need to know about this special case and handle it specially.
> Anton,
>
> If you don't mind, I am going to work on this one. I have some spare 
> time and we'd like to get the new/delete checker out in the next open 
> source build.
I am OK with this, thanx!

>
> Cheers,
> Anna.
>
>>>
>>>
>>> Evolved another issue, that I first thought to be related to case 
>>> 1), here is the minimal test:
>>> struct S {
>>>   int **p;
>>> };
>>> void testOk(S &s) {
>>>   new(s.p) (int*)(new int); // false-positive leak
>>> }
>>> void testLeak() {
>>>   S s;
>>>   new(s.p) (int*)(new int); // real leak
>>> }
>>>
>>> Haven't addressed these yet. The leak is reported for cases of the 
>>> form 'small_vector.push_back(new Something)', where push_back() uses 
>>> placement new to store data.
>>>
>>> -- 
>>> Anton
>>> <FixForCase1.patch>
>>
>> _______________________________________________
>> cfe-commits mailing list
>> cfe-commits at cs.uiuc.edu <mailto:cfe-commits at cs.uiuc.edu>
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
>

-- 
Anton

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20130327/3c076425/attachment.html>


More information about the cfe-commits mailing list