From: David Malcolm <dmalcolm@gcc.gnu.org>
To: gcc-cvs@gcc.gnu.org
Subject: [gcc r12-7525] analyzer: fix leak suppression at end of 'main' [PR101983]
Date: Mon,  7 Mar 2022 19:21:28 +0000 (GMT)	[thread overview]
Message-ID: <20220307192128.B7A6B385841F@sourceware.org> (raw)

https://gcc.gnu.org/g:0af37ad4422052be4b7f779737e14c80e57d0ad9

commit r12-7525-g0af37ad4422052be4b7f779737e14c80e57d0ad9
Author: David Malcolm <dmalcolm@redhat.com>
Date:   Mon Mar 7 14:19:30 2022 -0500

    analyzer: fix leak suppression at end of 'main' [PR101983]
    
    PR analyzer/101983 reports what I thought were false positives
    from -Wanalyzer-malloc-leak, but on closer inspection, the
    analyzer is correctly reporting heap-allocated buffers that are
    no longer reachable.
    
    However, these "leaks" occur at the end of "main".  The analyzer already
    has some logic to avoid reporting leaks at the end of main, where the
    leak is detected at the end of the EXIT basic block.  However, in this case,
    the leak is detected at the clobber in BB 2 here:
      <bb 2> :
      func (&res);
      res ={v} {CLOBBER(eol)};
      _4 = 0;
    
      <bb 3> :
    <L0>:
      return _4;
    
    where we have a chain BB 2 -> BB 3 -> EXIT BB.
    
    This patch generalizes the "are we at the end of 'main'" detection to
    handle such cases, silencing -Wanalyzer-malloc-leak on them.
    
    There's a remaining issue where the analyzer unhelpfully describes one
    of the leaking values as '<unknown>', rather than 'res.a', but I'm
    leaving that for a followup (covered by PR analyzer/99771).
    
    gcc/analyzer/ChangeLog:
            PR analyzer/101983
            * engine.cc (returning_from_function_p): New.
            (impl_region_model_context::on_state_leak): Use it when rejecting
            leaks at the return from "main".
    
    gcc/testsuite/ChangeLog:
            PR analyzer/101983
            * gcc.dg/analyzer/pr101983-main.c: New test.
            * gcc.dg/analyzer/pr101983-not-main.c: New test.
    
    Signed-off-by: David Malcolm <dmalcolm@redhat.com>

Diff:
---
 gcc/analyzer/engine.cc                            | 48 ++++++++++++++++++++++-
 gcc/testsuite/gcc.dg/analyzer/pr101983-main.c     | 38 ++++++++++++++++++
 gcc/testsuite/gcc.dg/analyzer/pr101983-not-main.c | 40 +++++++++++++++++++
 3 files changed, 124 insertions(+), 2 deletions(-)

diff --git a/gcc/analyzer/engine.cc b/gcc/analyzer/engine.cc
index 94c13d4e1cf..8c3133e2444 100644
--- a/gcc/analyzer/engine.cc
+++ b/gcc/analyzer/engine.cc
@@ -740,6 +740,51 @@ readability_comparator (const void *p1, const void *p2)
   return 0;
 }
 
+/* Return true is SNODE is the EXIT node of a function, or is one
+   of the final snodes within its function.
+
+   Specifically, handle the final supernodes before the EXIT node,
+   for the case of clobbers that happen immediately before exiting.
+   We need a run of snodes leading to the return_p snode, where all edges are
+   intraprocedural, and every snode has just one successor.
+
+   We use this when suppressing leak reports at the end of "main".  */
+
+static bool
+returning_from_function_p (const supernode *snode)
+{
+  if (!snode)
+    return false;
+
+  unsigned count = 0;
+  const supernode *iter = snode;
+  while (true)
+    {
+      if (iter->return_p ())
+	return true;
+      if (iter->m_succs.length () != 1)
+	return false;
+      const superedge *sedge = iter->m_succs[0];
+      if (sedge->get_kind () != SUPEREDGE_CFG_EDGE)
+	return false;
+      iter = sedge->m_dest;
+
+      /* Impose a limit to ensure we terminate for pathological cases.
+
+	 We only care about the final 3 nodes, due to cases like:
+	   BB:
+	     (clobber causing leak)
+
+	   BB:
+	   <label>:
+	   return _val;
+
+	   EXIT BB.*/
+      if (++count > 3)
+	return false;
+    }
+}
+
 /* Find the best tree for SVAL and call SM's on_leak vfunc with it.
    If on_leak returns a pending_diagnostic, queue it up to be reported,
    so that we potentially complain about a leak of SVAL in the given STATE.  */
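Review bot: The termination limit in returning_from_function_p does not match its comment. Because `if (++count > 3)` runs after `iter` has advanced, the loop tests `return_p ()` on up to four supernodes (SNODE plus three successors), while the comment says only the final 3 nodes matter. Either reword the comment to say "at most three CFG edges from SNODE" or name the bound, e.g. `const unsigned max_hops = 3;`, so it is clear how far back leak suppression at the end of "main" can reach. The header comment also has a typo: "Return true is SNODE" should read "Return true if SNODE".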
@@ -794,8 +839,7 @@ impl_region_model_context::on_state_leak (const state_machine &sm,
   gcc_assert (m_enode_for_diag);
 
   /* Don't complain about leaks when returning from "main".  */
-  if (m_enode_for_diag->get_supernode ()
-      && m_enode_for_diag->get_supernode ()->return_p ())
+  if (returning_from_function_p (m_enode_for_diag->get_supernode ()))
     {
       tree fndecl = m_enode_for_diag->get_function ()->decl;
       if (id_equal (DECL_NAME (fndecl), "main"))
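Review bot: The comment `/* Don't complain about leaks when returning from "main".  */` now understates the condition, because the test also matches supernodes in the single-successor run that leads to the return node. I would reword it to `/* Don't complain about leaks at the return from "main", or in the straight-line run of supernodes leading to it.  */`, so that someone triaging a missing -Wanalyzer-malloc-leak report sees the widened suppression at this call site. The body of on_state_leak continues outside the hunk.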
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr101983-main.c b/gcc/testsuite/gcc.dg/analyzer/pr101983-main.c
new file mode 100644
index 00000000000..a84353be35a
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr101983-main.c
@@ -0,0 +1,38 @@
+/* { dg-additional-options "-Wno-analyzer-too-complex -fno-analyzer-call-summaries" } */
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+
+struct list {
+	struct list* next;
+	void *a;
+};
+
+void func(struct list **res)
+{
+	struct list *cur = NULL;
+	do {
+		struct list *n = malloc(sizeof(struct list));
+		void *a = malloc(1);
+		if (n == NULL || a == NULL) {
+			if (n != NULL) free(n);
+			if (a != NULL) free(a);
+			break;
+		}
+
+		if (cur == NULL) {
+			*res = cur = n;
+		} else {
+			cur->next = n;
+			cur = n;
+		}
+		n->a = a;
+	} while (true);
+}
+
+int main()
+{
+	struct list *res;
+	func(&res);
+}
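Review bot: Nothing in pr101983-main.c states that the expected result is silence; the test appears to rely on the harness failing on any unexpected warning. A comment above `main`, such as `/* PR analyzer/101983: the leaks of 'res' and 'res->a' at the end of main are deliberately not reported.  */`, would make the intent explicit. A `/* { dg-bogus "leak" } */` directive on the closing brace of `main` would additionally tie the expectation to the line where pr101983-not-main.c expects the warnings.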
diff --git a/gcc/testsuite/gcc.dg/analyzer/pr101983-not-main.c b/gcc/testsuite/gcc.dg/analyzer/pr101983-not-main.c
new file mode 100644
index 00000000000..fbf3a393ebb
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/analyzer/pr101983-not-main.c
@@ -0,0 +1,40 @@
+/* { dg-additional-options "-Wno-analyzer-too-complex -fno-analyzer-call-summaries" } */
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+
+struct list {
+	struct list* next;
+	void *a;
+};
+
+void func(struct list **res)
+{
+	struct list *cur = NULL;
+	do {
+		struct list *n = malloc(sizeof(struct list));
+		void *a = malloc(1);
+		if (n == NULL || a == NULL) {
+			if (n != NULL) free(n);
+			if (a != NULL) free(a);
+			break;
+		}
+
+		if (cur == NULL) {
+			*res = cur = n;
+		} else {
+			cur->next = n;
+			cur = n;
+		}
+		n->a = a;
+	} while (true);
+}
+
+int not_main()
+{
+	struct list *res;
+	func(&res);
+} /* { dg-warning "leak of 'res'" "leak of res" } */
+/* { dg-warning "leak of '<unknown>'" "leak of res->a" { target *-*-* } .-1 } */
+/* TODO: we should emit 'res->a' rather than '<unknown>' here.  */
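Review bot: `not_main` is declared `int` but falls off the end without a `return`, whereas `main` gets an implicit `return 0`. The negative test therefore probably does not reproduce the BB 2 -> BB 3 -> EXIT shape quoted in the commit message, so the two tests may differ in more than the function name. Adding `return 0;` before the closing brace of `not_main` would make it a closer control, though the `dg-warning` lines might then need to move to wherever the leak is reported. A short header comment saying that this file is the counterpart of pr101983-main.c and that `func` is intentionally identical would also help.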

