[StaticAnalyzer] Threshold on number of checks


[StaticAnalyzer] Threshold on number of checks

Sumner, Brian via cfe-dev

Hi,

I have a trivial case where the Static Analyzer is not catching a double free bug:

==============
#include <stdlib.h>

int main(void)
{
  char *s;

  for (int i = 0; i < 4; i++)
  {
      s = (char *)malloc(10);
      free(s);
  }

  free(s);   /* double free: s was already freed in the last iteration */
  return 0;
}
================

However, if I change the code to:

==============
#include <stdlib.h>

int main(void)
{
  char *s;

  for (int i = 0; i < 3; i++)
  {
      s = (char *)malloc(10);
      free(s);
  }

  free(s);   /* double free: s was already freed in the last iteration */
  return 0;
}
================

A double free warning is thrown.

On exploring this further, I noticed that the function MallocChecker::FreeMemAux is called no more than 4 times, i.e. I can place as many “free(s)” calls after the last one in the first code chunk as I like and none of them will ever be caught.

Its calling method MallocChecker::CheckPostStmt seems to be limited to being called a maximum of 8 times.

Is there a threshold set on the number of times a checker can be called? If so, can that be tweaked?

Thanks in advance!

Regards,

Nikhil


_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Re: [StaticAnalyzer] Threshold on number of checks

Sumner, Brian via cfe-dev
Hello,

you are probably seeing this behavior as a result of the maximum number of times a loop is unrolled during the symbolic execution of the program (by default, 4 times).

You can change the unroll limit with the following command line argument:

clang -cc1 -analyze -analyzer-max-loop 100 -analyzer-checker=core [...]

The command above will change the unroll limit to 100 (however, you will probably see performance issues). The loop widening project (http://lists.llvm.org/pipermail/cfe-dev/2017-March/053060.html) might help with your issue once finished.

Best,
Stefan

On Mon, Jul 31, 2017 at 11:26 PM, Gupta Nikhil via cfe-dev <[hidden email]> wrote:

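The mechanism Stefan describes, and the counts Nikhil observed (the free handler runs four times, the free after the loop is never analysed), as an added toy model. This is not code from the thread and not the Clang Static Analyzer's implementation; `State`, `PROGRAM` and `analyze` are my own constructs, and the model assumes the analyzer abandons a path once a loop header has been visited more than the unroll budget allows, which is what the default of 4 and the 3-versus-4 iteration behaviour in the thread suggest.

```python
from dataclasses import dataclass

# Constructed toy model of bounded loop unrolling in a path-sensitive
# analyzer (an assumption about the mechanism, not clang's own code).
# It encodes the pattern from the thread:
#
#     for (int i = 0; i < N; i++) { s = malloc(10); free(s); }
#     free(s);                       /* double free of the last allocation */
#
# Each explored path carries the loop counter, the pointer state and the
# number of loop-header visits.  A path is dropped once the header has been
# visited more than max_loop times, which models -analyzer-max-loop.


@dataclass(frozen=True)
class State:
    pc: int             # index into PROGRAM
    i: int              # value of the loop counter
    s: str              # pointer state: "uninit", "allocated" or "freed"
    header_visits: int  # how often this path has entered the loop header


# The program as labelled statements (hypothetical encoding).
PROGRAM = [
    "init",    # 0: int i = 0; char *s;
    "header",  # 1: if (i < N) goto 2 else goto 5
    "malloc",  # 2: s = malloc(10);
    "free",    # 3: free(s);
    "inc",     # 4: i++; goto 1
    "free",    # 5: free(s);  (after the loop)
    "end",     # 6
]


def analyze(trip_count: int, max_loop: int) -> dict:
    """Explore every path with at most `max_loop` loop-header visits.

    Returns the double-free reports (statement index), how many free()
    statements were actually analysed, and how many paths were abandoned
    because the unroll budget ran out."""
    reports = []
    free_calls = 0
    dropped = 0
    worklist = [State(pc=0, i=0, s="uninit", header_visits=0)]
    while worklist:
        st = worklist.pop()
        kind = PROGRAM[st.pc]
        if kind == "init":
            worklist.append(State(1, 0, "uninit", 0))
        elif kind == "header":
            visits = st.header_visits + 1
            if visits > max_loop:
                dropped += 1          # budget exhausted: path is discarded
                continue
            nxt = 2 if st.i < trip_count else 5
            worklist.append(State(nxt, st.i, st.s, visits))
        elif kind == "malloc":
            worklist.append(State(3, st.i, "allocated", st.header_visits))
        elif kind == "free":
            free_calls += 1
            if st.s == "freed":
                reports.append(("double free", st.pc))
            worklist.append(State(st.pc + 1, st.i, "freed", st.header_visits))
        elif kind == "inc":
            worklist.append(State(1, st.i + 1, st.s, st.header_visits))
        # "end": path finished, nothing to do
    return {"reports": reports, "free_calls": free_calls, "dropped_paths": dropped}


if __name__ == "__main__":
    # (4, 4): the loop from the thread with the default budget -> missed.
    # (3, 4): the three-iteration variant -> caught.
    # (4, 100): the original loop with a raised budget -> caught.
    for n, budget in ((4, 4), (3, 4), (4, 100)):
        print(f"loop of {n} iterations, max_loop={budget}: {analyze(n, budget)}")
```

With a four-iteration loop and a budget of 4, the fifth visit to the loop header (the one where `i < 4` becomes false) exceeds the budget, so the path that reaches the trailing `free(s)` is discarded and only the four in-loop frees are analysed; with three iterations the exit happens on the fourth visit and the double free is reported. Raising the budget, as Stefan's `-analyzer-max-loop 100` does, restores the report at the cost of exploring more paths. When invoking the analyzer through the driver rather than `-cc1`, the same cc1 option is forwarded with `-Xanalyzer`, e.g. `clang --analyze -Xanalyzer -analyzer-max-loop -Xanalyzer 100 file.c`.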

Re: [StaticAnalyzer] Threshold on number of checks

Sumner, Brian via cfe-dev

Thanks Stefan,

The bug is being caught now. Our present use case favors precision over speed so this would solve our problem.

 

From: Stefan Ciobaca [mailto:[hidden email]]
Sent: Monday, July 31, 2017 3:59 PM
To: Gupta Nikhil <[hidden email]>
Cc: [hidden email]
Subject: Re: [cfe-dev] [StaticAnalyzer] Threshold on number of checks

 
