[analyzer] [MallocChecker] Assume functions with ownership_returns return unknown memory #110115


Merged: 1 commit into llvm:main on Sep 26, 2024

Conversation

pskrgag (Contributor)

@pskrgag pskrgag commented Sep 26, 2024

There is no good way to tell CSA whether a function with the ownership_returns attribute returns initialized or uninitialized memory. To lower the FP rate, let's assume that memory returned from such functions is unknown and not reason about it.

In the future it would be great to add a way to annotate such behavior.
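
The following is an added example (not code from the PR or from the LLVM test-suite) showing the kind of annotated allocator the description refers to: a zero-filling wrapper declared with ownership_returns. The family name myalloc, the function names my_zalloc/my_free and the helper first_byte_is_zero are all assumptions for illustration. In a real project the allocator body usually lives in another translation unit, so the analyzer sees only the annotated declaration and, before this change, modelled the returned bytes as undefined; with the patch it models them as Unknown and emits no uninitialized-read report for the read in first_byte_is_zero. The attributes are only honoured when the analyzer runs with `-analyzer-config unix.DynamicMemoryModeling:Optimistic=true`, as the test file in this PR does.

```c
// Added example, not part of the PR: a zero-initialising allocator
// annotated with the ownership attributes that MallocChecker understands.
#include <assert.h>
#include <stdlib.h>
#include <string.h>

// The ownership_* attributes are clang-only; keep the code compiling
// elsewhere by defining the macros away on other compilers.
#if defined(__clang__)
#define OWNS_RETURNS(fam, idx) __attribute__((ownership_returns(fam, idx)))
#define OWNS_TAKES(fam, idx)   __attribute__((ownership_takes(fam, idx)))
#else
#define OWNS_RETURNS(fam, idx)
#define OWNS_TAKES(fam, idx)
#endif

// "myalloc" is a hypothetical allocation family name; the trailing 1 is
// the 1-based index of the size argument, exactly as in the test file's
// ownership_returns(user_malloc, 1).
OWNS_RETURNS(myalloc, 1)
void *my_zalloc(size_t n) {
    void *p = malloc(n);
    if (p)
        memset(p, 0, n); // always zero-filled: a read right after is well defined
    return p;
}

// The family must match the one used on the allocator so the checker
// pairs the two calls.
OWNS_TAKES(myalloc, 1)
void my_free(void *p) {
    free(p);
}

// Returns 1 if a fresh buffer of n bytes starts with a zero byte, 0 if
// not, and -1 if the allocation failed. The read of p[0] is the spot
// the analyzer flagged as undefined before this PR when only the
// declaration of my_zalloc was visible; after it, the value is Unknown.
int first_byte_is_zero(size_t n) {
    unsigned char *p = my_zalloc(n);
    if (!p)
        return -1;
    int zero = (p[0] == 0);
    my_free(p);
    return zero;
}
```

To see the analyzer's view of the allocation, compile the file normally for the runtime behaviour, and run `clang --analyze -Xclang -analyzer-config -Xclang unix.DynamicMemoryModeling:Optimistic=true` on a translation unit that includes only the annotated declarations; without the Optimistic option the ownership attributes are ignored and the wrapper is treated as an ordinary function.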

@pskrgag pskrgag requested a review from NagyDonat September 26, 2024 12:10
@llvmbot llvmbot added clang Clang issues not falling into any other category clang:static analyzer labels Sep 26, 2024
llvmbot (Member)

llvmbot commented Sep 26, 2024

@llvm/pr-subscribers-clang-static-analyzer-1

@llvm/pr-subscribers-clang

Author: Pavel Skripkin (pskrgag)

Changes


Full diff: https://github.com/llvm/llvm-project/pull/110115.diff

2 Files Affected:

  • (modified) clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (+2-2)
  • (modified) clang/test/Analysis/malloc-annotations.c (+14)
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index 81ec8e1b516986..3e95db7e97fac8 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -1811,9 +1811,9 @@ MallocChecker::MallocMemReturnsAttr(CheckerContext &C, const CallEvent &Call,
   if (!Att->args().empty()) {
     return MallocMemAux(C, Call,
                         Call.getArgExpr(Att->args_begin()->getASTIndex()),
-                        UndefinedVal(), State, Family);
+                        UnknownVal(), State, Family);
   }
-  return MallocMemAux(C, Call, UnknownVal(), UndefinedVal(), State, Family);
+  return MallocMemAux(C, Call, UnknownVal(), UnknownVal(), State, Family);
 }
 
 ProgramStateRef MallocChecker::MallocBindRetVal(CheckerContext &C,
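Review bot: both call sites in this hunk now pass UnknownVal() as the Init argument of MallocMemAux, while the plain malloc and calloc paths elsewhere in the checker still distinguish undefined from zeroed contents; a one-line comment above `if (!Att->args().empty()) {` stating that ownership_returns carries no initialization information would stop a future reader from "fixing" it back to UndefinedVal(). It is also worth spelling out in the description that this removes uninitialized-read reports for every annotated allocator, including thin wrappers around malloc that really do return uninitialized memory, until an annotation for initialization state exists.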
diff --git a/clang/test/Analysis/malloc-annotations.c b/clang/test/Analysis/malloc-annotations.c
index c2fdf8a5641ae4..c601a0383d2210 100644
--- a/clang/test/Analysis/malloc-annotations.c
+++ b/clang/test/Analysis/malloc-annotations.c
@@ -3,6 +3,7 @@
 // RUN:   -analyzer-checker=alpha.deadcode.UnreachableCode \
 // RUN:   -analyzer-checker=alpha.core.CastSize \
 // RUN:   -analyzer-checker=unix.Malloc \
+// RUN:   -analyzer-checker=debug.ExprInspection \
 // RUN:   -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s
 
 typedef __typeof(sizeof(int)) size_t;
@@ -23,6 +24,12 @@ void __attribute((ownership_holds(malloc, 1))) my_hold(void *);
 void __attribute((ownership_holds(malloc, 1)))
 __attribute((ownership_holds(malloc, 1)))
 __attribute((ownership_holds(malloc, 3))) my_hold2(void *, void *, void *);
+
+__attribute((ownership_returns(user_malloc, 1))) void *user_malloc(size_t);
+__attribute((ownership_takes(user_malloc, 1))) void user_free(void *);
+
+void clang_analyzer_dump(int);
+
 void *my_malloc3(size_t);
 void *myglobalpointer;
 struct stuff {
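Review bot: in `__attribute((ownership_returns(user_malloc, 1))) void *user_malloc(size_t);` the allocation family is spelled the same as the function it decorates, which reads as though the attribute referred to the function rather than naming a family; the surrounding declarations in this file use `malloc` as the family. Either reuse that or add a short comment that `user_malloc` here is a family name and must match the `ownership_takes(user_malloc, 1)` on user_free for the pair to be modelled together. The `clang_analyzer_dump(int)` declaration matches the `int` element it is later called with, so that part is fine.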
@@ -273,3 +280,10 @@ void testMultipleFreeAnnotations(void) {
   my_freeBoth(p, q);
 }
 
+void testNoUninitAttr(void) {
+  int *p = user_malloc(sizeof(int));
+  int read = p[0]; // no-warning
+  clang_analyzer_dump(p[0]); // expected-warning{{Unknown}}
+  user_free(p);
+}
+
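Review bot: testNoUninitAttr exercises only the first changed line in MallocMemReturnsAttr, the form with a size argument (`ownership_returns(user_malloc, 1)`); the second changed line, taken for an argument-less `ownership_returns(user_malloc)` declaration, has no test. Add a declaration such as `__attribute((ownership_returns(user_malloc))) void *user_malloc_noarg(void);` and a second function that dumps its pointee with `expected-warning{{Unknown}}`. The `read` local is otherwise unused; keeping only the clang_analyzer_dump line avoids an unused-variable warning should the RUN line ever gain -Wall.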

NagyDonat (Contributor) left a comment


Good catch, thanks for the fix.

@pskrgag pskrgag merged commit 9abf6d3 into llvm:main Sep 26, 2024
11 checks passed
Sterling-Augustine pushed a commit to Sterling-Augustine/llvm-project that referenced this pull request Sep 27, 2024
…return unknown memory (llvm#110115)

There is no good way to tell CSA whether a function with the `ownership_returns`
attribute returns initialized or uninitialized memory. To lower the FP rate,
let's assume that memory returned from such functions is unknown
and not reason about it.

In the future it would be great to add a way to annotate such behavior.