r357323 - [analyzer] Introduce a simplified API for adding custom path notes.

Artem Dergachev via cfe-commits cfe-commits at lists.llvm.org
Fri Mar 29 16:43:43 PDT 2019


Yup, indeed, I reverted it in r357332.

Also, nice bot!

On 3/29/19 4:14 PM, Vitaly Buka wrote:
> Bot detects memory leak probably after this patch
>
> http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fast/builds/30957/steps/check-clang%20asan/logs/stdio
>
> =================================================================
> ==22233==ERROR: LeakSanitizer: detected memory leaks
>
> Direct leak of 1088 byte(s) in 17 object(s) allocated from:
>     #0 0xc770f8 in operator new(unsigned long) /b/sanitizer-x86_64-linux-fast/build/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:106
>     #1 0x9c6feef in __libcpp_allocate /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/new:238:10
>     #2 0x9c6feef in allocate /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/memory:1813
>     #3 0x9c6feef in __value_func<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236:9), std::__1::allocator<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236:9)> > /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:1716
>     #4 0x9c6feef in function<(lambda at /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236:9), void> /b/sanitizer-x86_64-linux-fast/build/libcxx_build_asan/include/c++/v1/functional:2290
>     #5 0x9c6feef in clang::ento::CheckerContext::getNoteTag(std::__1::function<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > (clang::ento::BugReport&)>&&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h:236
>     #6 0x9c6f061 in checkPostCall /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Checkers/MIGChecker.cpp:165:24
>     #7 0x9c6f061 in void clang::ento::check::PostCall::_checkCall<(anonymous namespace)::MIGChecker>(void*, clang::ento::CallEvent const&, clang::ento::CheckerContext&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/Checker.h:183
>     #8 0x9fbd78c in operator() /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:69:12
>     #9 0x9fbd78c in runChecker /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:290
>     #10 0x9fbd78c in expandGraphWithCheckers<(anonymous namespace)::CheckCallContext> /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:138
>     #11 0x9fbd78c in clang::ento::CheckerManager::runCheckersForCallEvent(bool, clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNodeSet const&, clang::ento::CallEvent const&, clang::ento::ExprEngine&, bool) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CheckerManager.cpp:307
>     #12 0xa07d1ef in runCheckersForPostCall /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/CheckerManager.h:274:5
>     #13 0xa07d1ef in clang::ento::ExprEngine::evalCall(clang::ento::ExplodedNodeSet&, clang::ento::ExplodedNode*, clang::ento::CallEvent const&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:578
>     #14 0xa07c657 in clang::ento::ExprEngine::VisitCallExpr(clang::CallExpr const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp:495:5
>     #15 0xa01249f in clang::ento::ExprEngine::Visit(clang::Stmt const*, clang::ento::ExplodedNode*, clang::ento::ExplodedNodeSet&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:1539:7
>     #16 0xa003888 in clang::ento::ExprEngine::ProcessStmt(clang::Stmt const*, clang::ento::ExplodedNode*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:743:5
>     #17 0xa002d48 in clang::ento::ExprEngine::processCFGElement(clang::CFGElement, clang::ento::ExplodedNode*, unsigned int, clang::ento::NodeBuilderContext*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/ExprEngine.cpp:590:7
>     #18 0x9fdcdfe in clang::ento::CoreEngine::HandlePostStmt(clang::CFGBlock const*, unsigned int, clang::ento::ExplodedNode*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:438:12
>     #19 0x9fdaa85 in clang::ento::CoreEngine::dispatchWorkItem(clang::ento::ExplodedNode*, clang::ProgramPoint, clang::ento::WorkListUnit const&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:192:7
>     #20 0x9fd9941 in clang::ento::CoreEngine::ExecuteWorkList(clang::LocationContext const*, unsigned int, llvm::IntrusiveRefCntPtr<clang::ento::ProgramState const>) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Core/CoreEngine.cpp:148:5
>     #21 0x987ae4f in ExecuteWorkList /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h:170:19
>     #22 0x987ae4f in RunPathSensitiveChecks /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:740
>     #23 0x987ae4f in (anonymous namespace)::AnalysisConsumer::HandleCode(clang::Decl*, unsigned int, clang::ento::ExprEngine::InliningModes, llvm::DenseSet<clang::Decl const*, llvm::DenseMapInfo<clang::Decl const*> >*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:715
>     #24 0x98619d5 in HandleDeclsCallGraph /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:506:5
>     #25 0x98619d5 in runAnalysisOnTranslationUnit /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:553
>     #26 0x98619d5 in (anonymous namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp:584
>     #27 0xa2a0d52 in clang::ParseAST(clang::Sema&, bool, bool) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Parse/ParseAST.cpp:169:13
>     #28 0x742e94d in clang::FrontendAction::Execute() /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Frontend/FrontendAction.cpp:934:8
>     #29 0x731950a in clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/Frontend/CompilerInstance.cpp:949:11
>     #30 0x764c8c8 in clang::ExecuteCompilerInvocation(clang::CompilerInstance*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/lib/FrontendTool/ExecuteCompilerInvocation.cpp:271:25
>     #31 0xc8b2ee in cc1_main(llvm::ArrayRef<char const*>, char const*, void*) /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/cc1_main.cpp:218:13
>     #32 0xc83732 in ExecuteCC1Tool /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:309:12
>     #33 0xc83732 in main /b/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/tools/driver/driver.cpp:381
>     #34 0x7facad0612e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
>
> SUMMARY: AddressSanitizer: 1088 byte(s) leaked in 17 allocation(s).
>
>
> On Fri, Mar 29, 2019 at 3:19 PM Artem Dergachev via cfe-commits 
> <cfe-commits at lists.llvm.org <mailto:cfe-commits at lists.llvm.org>> wrote:
>
>     Author: dergachev
>     Date: Fri Mar 29 15:21:00 2019
>     New Revision: 357323
>
>     URL: http://llvm.org/viewvc/llvm-project?rev=357323&view=rev
>     Log:
>     [analyzer] Introduce a simplified API for adding custom path notes.
>
>     Almost all path-sensitive checkers need to tell the user when
>     something specific
>     to that checker happens along the execution path but does not
>     constitute a bug
>     on its own. For instance, a call to operator delete in C++ has
>     consequences
>     that are specific to a use-after-free bug. Deleting an object is
>     not a bug
>     on its own, but when the Analyzer finds an execution path on which
>     a deleted
>     object is used, it'll have to explain to the user when exactly
>     during that path
>     did the deallocation take place.
>
>     Historically such custom notes were added by implementing "bug
>     report visitors".
>     These visitors were post-processing bug reports by visiting every
>     ExplodedNode
>     along the path and emitting path notes whenever they noticed that
>     a change that
>     is relevant to a bug report occurs within the program state. For
>     example,
>     it emits a "memory is deallocated" note when it notices that a
>     pointer changes
>     its state from "allocated" to "deleted".
>
>     The "visitor" approach is powerful and efficient but hard to use
>     because
>     such preprocessing implies that the developer first models the effects
>     of the event (say, changes the pointer's state from "allocated" to
>     "deleted"
>     as part of operator delete()'s transfer function) and then forgets
>     what happened
>     and later tries to reverse-engineer itself and figure out what did
>     it do
>     by looking at the report.
>
>     The proposed approach tries to avoid discarding the information
>     that was
>     available when the transfer function was evaluated. Instead, it
>     allows the
>     developer to capture all the necessary information into a closure that
>     will be automatically invoked later in order to produce the actual
>     note.
>
>     This should reduce boilerplate and avoid very painful logic
>     duplication.
>
>     On the technical side, the closure is a lambda that's put into a
>     special kind of
>     a program point tag, and a special bug report visitor visits all
>     nodes in the
>     report and invokes all note-producing closures it finds along the
>     path.
>
>     For now it is up to the lambda to make sure that the note is
>     actually relevant
>     to the report. For instance, a memory deallocation note would be
>     irrelevant when
>     we're reporting a division by zero bug or if we're reporting a
>     use-after-free
>     of a different, unrelated chunk of memory. The lambda can figure
>     these things out
>     by looking at the bug report object that's passed into it.
>
>     A single checker is refactored to make use of the new
>     functionality: MIGChecker.
>     Its program state is trivial, making it an easy testing ground for
>     the first
>     version of the API.
>
>     Differential Revision: https://reviews.llvm.org/D58367
>
>     Modified:
>         cfe/trunk/include/clang/Analysis/ProgramPoint.h
>     cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h
>     cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
>     cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
>     cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
>         cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp
>         cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp
>         cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
>         cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp
>         cfe/trunk/test/Analysis/mig.mm <http://mig.mm>
>
>     Modified: cfe/trunk/include/clang/Analysis/ProgramPoint.h
>     URL:
>     http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Analysis/ProgramPoint.h?rev=357323&r1=357322&r2=357323&view=diff
>     ==============================================================================
>     --- cfe/trunk/include/clang/Analysis/ProgramPoint.h (original)
>     +++ cfe/trunk/include/clang/Analysis/ProgramPoint.h Fri Mar 29
>     15:21:00 2019
>     @@ -42,12 +42,11 @@ public:
>        virtual ~ProgramPointTag();
>        virtual StringRef getTagDescription() const = 0;
>
>     -protected:
>        /// Used to implement 'isKind' in subclasses.
>     -  const void *getTagKind() { return TagKind; }
>     +  const void *getTagKind() const { return TagKind; }
>
>      private:
>     -  const void *TagKind;
>     +  const void *const TagKind;
>      };
>
>      class SimpleProgramPointTag : public ProgramPointTag {
>
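Review bot: The doc comment kept above `getTagKind()` still says "Used to implement 'isKind' in subclasses", but with `protected:` removed the accessor is now public and this same patch calls it from `NoteTag::classof`. Update the comment to describe it as the hook for `classof`-style kind checks so the wider visibility reads as intentional.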
>     Modified:
>     cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h
>     URL:
>     http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h?rev=357323&r1=357322&r2=357323&view=diff
>     ==============================================================================
>     ---
>     cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h
>     (original)
>     +++
>     cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h
>     Fri Mar 29 15:21:00 2019
>     @@ -592,6 +592,60 @@ public:
>        NodeMapClosure& getNodeResolver() { return NMC; }
>      };
>
>     +
>     +/// The tag upon which the TagVisitor reacts. Add these in order
>     to display
>     +/// additional PathDiagnosticEventPieces along the path.
>     +class NoteTag : public ProgramPointTag {
>     +public:
>     +  using Callback =
>     +      std::function<std::string(BugReporterContext &, BugReport &)>;
>     +
>     +private:
>     +  static int Kind;
>     +
>     +  const Callback Cb;
>     +
>     +  NoteTag(Callback &&Cb) : ProgramPointTag(&Kind),
>     Cb(std::move(Cb)) {}
>     +
>     +public:
>     +  static bool classof(const ProgramPointTag *T) {
>     +    return T->getTagKind() == &Kind;
>     +  }
>     +
>     +  Optional<std::string> generateMessage(BugReporterContext &BRC,
>     +                                        BugReport &R) const {
>     +    std::string Msg = Cb(BRC, R);
>     +    if (Msg.empty())
>     +      return None;
>     +
>     +    return std::move(Msg);
>     +  }
>     +
>     +  StringRef getTagDescription() const override {
>     +    // TODO: Remember a few examples of generated messages
>     +    // and display them in the ExplodedGraph dump by
>     +    // returning them from this function.
>     +    return "Note Tag";
>     +  }
>     +
>     +  // Manage memory for NoteTag objects.
>     +  class Factory {
>     +    llvm::BumpPtrAllocator &Alloc;
>     +
>     +  public:
>     +    Factory(llvm::BumpPtrAllocator &Alloc) : Alloc(Alloc) {}
>     +
>     +    const NoteTag *makeNoteTag(Callback &&Cb) {
>     +      // We cannot use make_unique because we cannot access the
>     private
>     +      // constructor from inside it.
>     +      NoteTag *Tag = Alloc.Allocate<NoteTag>();
>     +      return new (Tag) NoteTag(std::move(Cb));
>     +    }
>     +  };
>     +
>     +  friend class TagVisitor;
>     +};
>     +
>      } // namespace ento
>
>      } // namespace clang
>
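Review bot: `Factory::makeNoteTag` placement-constructs each `NoteTag` in storage taken from `llvm::BumpPtrAllocator`, and nothing in this hunk ever runs `~NoteTag()`, so whatever the `std::function` member `Cb` allocates for its captures is never released. That is consistent with the LeakSanitizer report quoted earlier in this thread, whose allocation stack ends in the `std::function` constructor reached from `CheckerContext::getNoteTag`. Either let the factory own the tags (for instance a vector of `std::unique_ptr<NoteTag>`, with `Factory` able to reach the private constructor) or give `Factory` a destructor that destroys every tag it handed out.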
>     Modified:
>     cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
>     URL:
>     http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h?rev=357323&r1=357322&r2=357323&view=diff
>     ==============================================================================
>     ---
>     cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
>     (original)
>     +++
>     cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
>     Fri Mar 29 15:21:00 2019
>     @@ -14,6 +14,7 @@
>      #ifndef
>     LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H
>      #define
>     LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H
>
>     +#include "clang/Analysis/ProgramPoint.h"
>      #include "clang/Basic/LLVM.h"
>      #include
>     "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h"
>      #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
>     @@ -342,6 +343,17 @@ public:
>                             BugReport &BR) override;
>      };
>
>     +
>     +/// The visitor detects NoteTags and displays the event notes
>     they contain.
>     +class TagVisitor : public BugReporterVisitor {
>     +public:
>     +  void Profile(llvm::FoldingSetNodeID &ID) const override;
>     +
>     +  std::shared_ptr<PathDiagnosticPiece> VisitNode(const
>     ExplodedNode *N,
>     +  BugReporterContext &BRC,
>     +                                                 BugReport &R)
>     override;
>     +};
>     +
>      namespace bugreporter {
>
>      /// Attempts to add visitors to track expression value back to
>     its point of
>
>     Modified:
>     cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
>     URL:
>     http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h?rev=357323&r1=357322&r2=357323&view=diff
>     ==============================================================================
>     ---
>     cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
>     (original)
>     +++
>     cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
>     Fri Mar 29 15:21:00 2019
>     @@ -219,6 +219,24 @@ public:
>          Eng.getBugReporter().emitReport(std::move(R));
>        }
>
>     +
>     +  /// Produce a program point tag that displays an additional
>     path note
>     +  /// to the user. This is a lightweight alternative to the
>     +  /// BugReporterVisitor mechanism: instead of visiting the bug
>     report
>     +  /// node-by-node to restore the sequence of events that led to
>     discovering
>     +  /// a bug, you can add notes as you add your transitions.
>     +  const NoteTag *getNoteTag(NoteTag::Callback &&Cb) {
>     +    return Eng.getNoteTags().makeNoteTag(std::move(Cb));
>     +  }
>     +
>     +  /// A shorthand version of getNoteTag that doesn't require you
>     to accept
>     +  /// the BugReporterContext arguments when you don't need it.
>     +  const NoteTag *getNoteTag(std::function<std::string(BugReport
>     &)> &&Cb) {
>     +    return getNoteTag(
>     +        [Cb](BugReporterContext &, BugReport &BR) { return
>     Cb(BR); });
>     +  }
>     +
>     +
>        /// Returns the word that should be used to refer to the
>     declaration
>        /// in the report.
>        StringRef getDeclDescription(const Decl *D);
>
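Review bot: In the shorthand `getNoteTag` overload the parameter arrives as an rvalue reference but the wrapper lambda captures it with `[Cb]`, which copies the callable and everything it holds; an init-capture such as `[Cb = std::move(Cb)]` keeps the move that the `&&` signature advertises. The doc comments should also say that the callback is invoked later, while a report is being built, so anything it captures by pointer or reference has to stay valid until then. Minor: "the BugReporterContext arguments" should be "argument".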
>     Modified:
>     cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
>     URL:
>     http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h?rev=357323&r1=357322&r2=357323&view=diff
>     ==============================================================================
>     ---
>     cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
>     (original)
>     +++
>     cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
>     Fri Mar 29 15:21:00 2019
>     @@ -22,6 +22,7 @@
>      #include "clang/Analysis/ProgramPoint.h"
>      #include "clang/Basic/LLVM.h"
>      #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
>     +#include
>     "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
>      #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
>      #include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h"
>      #include "clang/StaticAnalyzer/Core/PathSensitive/FunctionSummary.h"
>     @@ -155,6 +156,8 @@ private:
>        /// The flag, which specifies the mode of inlining for the engine.
>        InliningModes HowToInline;
>
>     +  NoteTag::Factory NoteTags;
>     +
>      public:
>        ExprEngine(cross_tu::CrossTranslationUnitContext &CTU,
>     AnalysisManager &mgr,
>                   SetOfConstDecls *VisitedCalleesIn,
>     @@ -396,6 +399,8 @@ public:
>        SymbolManager &getSymbolManager() { return SymMgr; }
>        MemRegionManager &getRegionManager() { return MRMgr; }
>
>     +  NoteTag::Factory &getNoteTags() { return NoteTags; }
>     +
>
>        // Functions for external checking of whether we have
>     unfinished work
>        bool wasBlocksExhausted() const { return
>     Engine.wasBlocksExhausted(); }
>
>     Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp
>     URL:
>     http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp?rev=357323&r1=357322&r2=357323&view=diff
>     ==============================================================================
>     --- cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp (original)
>     +++ cfe/trunk/lib/StaticAnalyzer/Checkers/MIGChecker.cpp Fri Mar
>     29 15:21:00 2019
>     @@ -80,43 +80,10 @@ public:
>          checkReturnAux(RS, C);
>        }
>
>     -  class Visitor : public BugReporterVisitor {
>     -  public:
>     -    void Profile(llvm::FoldingSetNodeID &ID) const {
>     -      static int X = 0;
>     -      ID.AddPointer(&X);
>     -    }
>     -
>     -    std::shared_ptr<PathDiagnosticPiece> VisitNode(const
>     ExplodedNode *N,
>     -        BugReporterContext &BRC, BugReport &R);
>     -  };
>      };
>      } // end anonymous namespace
>
>     -// FIXME: It's a 'const ParmVarDecl *' but there's no ready-made
>     GDM traits
>     -// specialization for this sort of types.
>     -REGISTER_TRAIT_WITH_PROGRAMSTATE(ReleasedParameter, const void *)
>     -
>     -std::shared_ptr<PathDiagnosticPiece>
>     -MIGChecker::Visitor::VisitNode(const ExplodedNode *N,
>     BugReporterContext &BRC,
>     -                               BugReport &R) {
>     -  const auto *NewPVD = static_cast<const ParmVarDecl *>(
>     -      N->getState()->get<ReleasedParameter>());
>     -  const auto *OldPVD = static_cast<const ParmVarDecl *>(
>     - N->getFirstPred()->getState()->get<ReleasedParameter>());
>     -  if (OldPVD == NewPVD)
>     -    return nullptr;
>     -
>     -  assert(NewPVD && "What is deallocated cannot be un-deallocated!");
>     -  SmallString<64> Str;
>     -  llvm::raw_svector_ostream OS(Str);
>     -  OS << "Value passed through parameter '" << NewPVD->getName()
>     -     << "' is deallocated";
>     -
>     -  PathDiagnosticLocation Loc =
>     -      PathDiagnosticLocation::create(N->getLocation(),
>     BRC.getSourceManager());
>     -  return std::make_shared<PathDiagnosticEventPiece>(Loc, OS.str());
>     -}
>     +REGISTER_TRAIT_WITH_PROGRAMSTATE(ReleasedParameter, bool)
>
>      static const ParmVarDecl *getOriginParam(SVal V, CheckerContext &C) {
>        SymbolRef Sym = V.getAsSymbol();
>     @@ -195,7 +162,16 @@ void MIGChecker::checkPostCall(const Cal
>        if (!PVD)
>          return;
>
>     - C.addTransition(C.getState()->set<ReleasedParameter>(PVD));
>     +  const NoteTag *T = C.getNoteTag([this, PVD](BugReport &BR) ->
>     std::string {
>     +    if (&BR.getBugType() != &BT)
>     +      return "";
>     +    SmallString<64> Str;
>     +    llvm::raw_svector_ostream OS(Str);
>     +    OS << "Value passed through parameter '" << PVD->getName()
>     +       << "\' is deallocated";
>     +    return OS.str();
>     +  });
>     + C.addTransition(C.getState()->set<ReleasedParameter>(true), T);
>      }
>
>      // Returns true if V can potentially represent a "successful"
>     kern_return_t.
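Review bot: The callback added to `checkPostCall` filters only on `&BR.getBugType() != &BT`, so it emits its note for every report of this bug type whose path crosses the node, and with `ReleasedParameter` reduced to `bool` the state no longer records which parameter was released. If that is the intended behaviour for MIG routines, say so in a comment next to the check; otherwise the callback needs something in the report to compare `PVD` against. Minor: the `\'` in `"\' is deallocated"` needs no escape inside a string literal.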
>     @@ -260,7 +236,6 @@ void MIGChecker::checkReturnAux(const Re
>
>        R->addRange(RS->getSourceRange());
>        bugreporter::trackExpressionValue(N, RS->getRetValue(), *R, false);
>     -  R->addVisitor(llvm::make_unique<Visitor>());
>        C.emitReport(std::move(R));
>      }
>
>
>     Modified: cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp
>     URL:
>     http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp?rev=357323&r1=357322&r2=357323&view=diff
>     ==============================================================================
>     --- cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp (original)
>     +++ cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp Fri Mar 29
>     15:21:00 2019
>     @@ -2612,6 +2612,7 @@ std::pair<BugReport*, std::unique_ptr<Vi
>      R->addVisitor(llvm::make_unique<NilReceiverBRVisitor>());
>      R->addVisitor(llvm::make_unique<ConditionBRVisitor>());
>      R->addVisitor(llvm::make_unique<CXXSelfAssignmentBRVisitor>());
>     +    R->addVisitor(llvm::make_unique<TagVisitor>());
>
>          BugReporterContext BRC(Reporter, ErrorGraph.BackMap);
>
>
>     Modified: cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
>     URL:
>     http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp?rev=357323&r1=357322&r2=357323&view=diff
>     ==============================================================================
>     --- cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
>     (original)
>     +++ cfe/trunk/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp Fri
>     Mar 29 15:21:00 2019
>     @@ -2492,6 +2492,30 @@ FalsePositiveRefutationBRVisitor::VisitN
>        return nullptr;
>      }
>
>     +int NoteTag::Kind = 0;
>     +
>     +void TagVisitor::Profile(llvm::FoldingSetNodeID &ID) const {
>     +  static int Tag = 0;
>     +  ID.AddPointer(&Tag);
>     +}
>     +
>     +std::shared_ptr<PathDiagnosticPiece>
>     +TagVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BRC,
>     +                      BugReport &R) {
>     +  ProgramPoint PP = N->getLocation();
>     +  const NoteTag *T = dyn_cast_or_null<NoteTag>(PP.getTag());
>     +  if (!T)
>     +    return nullptr;
>     +
>     +  if (Optional<std::string> Msg = T->generateMessage(BRC, R)) {
>     +    PathDiagnosticLocation Loc =
>     +        PathDiagnosticLocation::create(PP, BRC.getSourceManager());
>     +    return std::make_shared<PathDiagnosticEventPiece>(Loc, *Msg);
>     +  }
>     +
>     +  return nullptr;
>     +}
>     +
>      void FalsePositiveRefutationBRVisitor::Profile(
>          llvm::FoldingSetNodeID &ID) const {
>        static int Tag = 0;
>
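Review bot: `int NoteTag::Kind = 0;` is defined in BugReporterVisitors.cpp although `NoteTag` itself is declared in BugReporter.h; moving the definition to BugReporter.cpp would keep the class and its static member in matching files. A one-line comment that `Kind` exists only for its address (it is what `classof` compares against) would also help, since the value 0 is never read.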
>     Modified: cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp
>     URL:
>     http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp?rev=357323&r1=357322&r2=357323&view=diff
>     ==============================================================================
>     --- cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp (original)
>     +++ cfe/trunk/lib/StaticAnalyzer/Core/ExprEngine.cpp Fri Mar 29
>     15:21:00 2019
>     @@ -201,7 +201,9 @@ ExprEngine::ExprEngine(cross_tu::CrossTr
>            svalBuilder(StateMgr.getSValBuilder()),
>            ObjCNoRet(mgr.getASTContext()),
>            BR(mgr, *this),
>     -      VisitedCallees(VisitedCalleesIn), HowToInline(HowToInlineIn) {
>     +      VisitedCallees(VisitedCalleesIn),
>     +      HowToInline(HowToInlineIn),
>     +      NoteTags(G.getAllocator()) {
>        unsigned TrimInterval = mgr.options.GraphTrimInterval;
>        if (TrimInterval != 0) {
>          // Enable eager node reclamation when constructing the
>     ExplodedGraph.
>
>     Modified: cfe/trunk/test/Analysis/mig.mm <http://mig.mm>
>     URL:
>     http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/mig.mm?rev=357323&r1=357322&r2=357323&view=diff
>     ==============================================================================
>     --- cfe/trunk/test/Analysis/mig.mm <http://mig.mm> (original)
>     +++ cfe/trunk/test/Analysis/mig.mm <http://mig.mm> Fri Mar 29
>     15:21:00 2019
>     @@ -91,6 +91,14 @@ kern_return_t release_twice(mach_port_na
>                           // expected-note at -1{{MIG callback fails with
>     error after deallocating argument value. This is a use-after-free
>     vulnerability because the caller will try to deallocate it again}}
>      }
>
>     +MIG_SERVER_ROUTINE
>     +kern_return_t no_unrelated_notes(mach_port_name_t port,
>     vm_address_t address, vm_size_t size) {
>     +  vm_deallocate(port, address, size); // no-note
>     +  1 / 0; // expected-warning{{Division by zero}}
>     +         // expected-note at -1{{Division by zero}}
>     +  return KERN_SUCCESS;
>     +}
>     +
>      // Make sure we find the bug when the object is destroyed within an
>      // automatic destructor.
>      MIG_SERVER_ROUTINE
>
>
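Review bot: `no_unrelated_notes` pins down only the case where the report has a different bug type (division by zero). The commit message names a second case, a report about a different, unrelated value, and nothing in this hunk exercises a routine that releases more than one argument, so the behaviour of the bug-type-only filter there is untested. Consider adding such a routine with explicit expected notes.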
>
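The leak pattern in the report above, reduced to a stand-alone C++ sketch (an added example, not code from the patch or from LLVM): `BumpArena`, `Tag`, `LeakyFactory` and `OwningFactory` are hypothetical stand-ins, and the 17 callbacks are a constructed count that mirrors the report. It counts how many callback captures are still alive once the factory is gone, first for a factory that only placement-constructs tags in arena storage and then for one that also runs their destructors.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <new>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for a bump allocator: hands out raw storage and
// releases it wholesale, without ever running a destructor.
class BumpArena {
  std::vector<std::unique_ptr<unsigned char[]>> Slabs;

public:
  void *allocate(std::size_t Size) {
    Slabs.emplace_back(new unsigned char[Size]);
    return Slabs.back().get();
  }
};

// Hypothetical tag that owns a callback, like a tag holding a std::function.
struct Tag {
  std::function<std::string()> Cb;
  explicit Tag(std::function<std::string()> &&C) : Cb(std::move(C)) {}
};

// Placement-constructs tags and never destroys them.
class LeakyFactory {
  BumpArena &Arena;

public:
  explicit LeakyFactory(BumpArena &A) : Arena(A) {}
  const Tag *make(std::function<std::string()> &&Cb) {
    return new (Arena.allocate(sizeof(Tag))) Tag(std::move(Cb));
  }
};

// Same allocation strategy, but remembers each tag and destroys it.
class OwningFactory {
  BumpArena &Arena;
  std::vector<Tag *> Tags;

public:
  explicit OwningFactory(BumpArena &A) : Arena(A) {}
  OwningFactory(const OwningFactory &) = delete;
  OwningFactory &operator=(const OwningFactory &) = delete;
  ~OwningFactory() {
    for (Tag *T : Tags)
      T->~Tag();
  }
  const Tag *make(std::function<std::string()> &&Cb) {
    Tag *T = new (Arena.allocate(sizeof(Tag))) Tag(std::move(Cb));
    Tags.push_back(T);
    return T;
  }
};

// Number of callback captures still alive once the factory has been destroyed.
template <typename Factory> long capturesLeftAfterFactory() {
  auto Witness = std::make_shared<int>(0); // every callback holds one reference
  BumpArena Arena;
  std::vector<const Tag *> Made;
  {
    Factory F(Arena);
    for (int I = 0; I < 17; ++I) { // constructed count
      std::string Name = "arg" + std::to_string(I);
      Made.push_back(F.make([Witness, Name]() -> std::string {
        return "Value passed through parameter '" + Name + "' is deallocated";
      }));
    }
  }
  long Left = Witness.use_count() - 1;
  // Keep the demonstration itself leak-free: destroy what the factory left.
  if (Left != 0)
    for (const Tag *T : Made)
      T->~Tag();
  return Left;
}

int main() {
  std::printf("placement new only:  %ld captures left\n",
              capturesLeftAfterFactory<LeakyFactory>());
  std::printf("destructors are run: %ld captures left\n",
              capturesLeftAfterFactory<OwningFactory>());
  return 0;
}
```

In a real arena the surviving captures become unreachable when the slabs are freed, which is the point at which a leak checker reports them.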
