https://github.com/pskrgag created 
https://github.com/llvm/llvm-project/pull/110115

There is no good way to tell CSA whether a function with the `ownership_returns`
attribute returns initialized or uninitialized memory. To lower the FP rate,
let's assume that memory returned from such functions is unknown and not
reason about it.

In the future it would be great to add a way to annotate such behavior.

>From 4d70d1269f61a1d32f7b11536d3c02a5f14c558e Mon Sep 17 00:00:00 2001
From: Pavel Skripkin <paskrip...@gmail.com>
Date: Thu, 26 Sep 2024 15:06:48 +0300
Subject: [PATCH] clang/csa: assume annotated allocation functions return
 unknown val

---
 .../lib/StaticAnalyzer/Checkers/MallocChecker.cpp  |  4 ++--
 clang/test/Analysis/malloc-annotations.c           | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index 81ec8e1b516986..3e95db7e97fac8 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -1811,9 +1811,9 @@ MallocChecker::MallocMemReturnsAttr(CheckerContext &C, 
const CallEvent &Call,
   if (!Att->args().empty()) {
     return MallocMemAux(C, Call,
                         Call.getArgExpr(Att->args_begin()->getASTIndex()),
-                        UndefinedVal(), State, Family);
+                        UnknownVal(), State, Family);
   }
-  return MallocMemAux(C, Call, UnknownVal(), UndefinedVal(), State, Family);
+  return MallocMemAux(C, Call, UnknownVal(), UnknownVal(), State, Family);
 }
 
 ProgramStateRef MallocChecker::MallocBindRetVal(CheckerContext &C,
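Review bot: Both changed returns in MallocMemReturnsAttr now pass `UnknownVal()` as the initial value with no comment saying why, so a later reader could take it for a slip and restore `UndefinedVal()`. I would add above the `if (!Att->args().empty())` line something like `// ownership_returns does not say whether the memory is initialized; model its contents as unknown to avoid false uninitialized-read reports.` The trade-off is that reads of genuinely uninitialized memory obtained from annotated allocators will presumably no longer be reported. A `// FIXME:` recording that an annotation for the initialization state is still missing would keep that gap visible. The function begins above this hunk.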
diff --git a/clang/test/Analysis/malloc-annotations.c 
b/clang/test/Analysis/malloc-annotations.c
index c2fdf8a5641ae4..c601a0383d2210 100644
--- a/clang/test/Analysis/malloc-annotations.c
+++ b/clang/test/Analysis/malloc-annotations.c
@@ -3,6 +3,7 @@
 // RUN:   -analyzer-checker=alpha.deadcode.UnreachableCode \
 // RUN:   -analyzer-checker=alpha.core.CastSize \
 // RUN:   -analyzer-checker=unix.Malloc \
+// RUN:   -analyzer-checker=debug.ExprInspection \
 // RUN:   -analyzer-config unix.DynamicMemoryModeling:Optimistic=true %s
 
 typedef __typeof(sizeof(int)) size_t;
@@ -23,6 +24,12 @@ void __attribute((ownership_holds(malloc, 1))) my_hold(void 
*);
 void __attribute((ownership_holds(malloc, 1)))
 __attribute((ownership_holds(malloc, 1)))
 __attribute((ownership_holds(malloc, 3))) my_hold2(void *, void *, void *);
+
+__attribute((ownership_returns(user_malloc, 1))) void *user_malloc(size_t);
+__attribute((ownership_takes(user_malloc, 1))) void user_free(void *);
+
+void clang_analyzer_dump(int);
+
 void *my_malloc3(size_t);
 void *myglobalpointer;
 struct stuff {
@@ -273,3 +280,10 @@ void testMultipleFreeAnnotations(void) {
   my_freeBoth(p, q);
 }
 
+void testNoUninitAttr(void) {
+  int *p = user_malloc(sizeof(int));
+  int read = p[0]; // no-warning
+  clang_analyzer_dump(p[0]); // expected-warning{{Unknown}}
+  user_free(p);
+}
+
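Review bot: testNoUninitAttr only exercises the sized form `ownership_returns(user_malloc, 1)`, so the second changed return in MallocMemReturnsAttr (the path taken when the attribute has no size argument) has no test in this patch. I would add a declaration without the size index, for example `__attribute((ownership_returns(user_malloc))) void *user_malloc_nosize(void);`, and a second test that reads and dumps `p[0]` the same way. The expected dump is presumably also `Unknown`, but that should be confirmed by running the test. Separately, `int read = p[0];` declares a local that is never used and shares its name with the POSIX `read` function; `(void)p[0]; // no-warning` would avoid both.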
