[StaticAnalyzer] A Static Analyzer bug related to initializing [[__no_unique_address__]] fields

[ziqingluo-90]

Hi Static Analyzer Developers,

I was investigating a downstream bug arose from C++ standard library changes.
There is a minimal reproducer:

// RUN: %clang_analyze_cc1 -analyzer-checker=cplusplus -verify %s

namespace std {
  struct default_delete {
  };

  template <class _Tp, class _Dp = default_delete >
  class unique_ptr {
    [[__no_unique_address__]]  _Tp * __ptr_;
    [[__no_unique_address__]] _Dp __deleter_;

  public:
    explicit unique_ptr(_Tp* __p) noexcept
      : __ptr_(__p),
        __deleter_() {}

    ~unique_ptr() {
      delete __ptr_;
    }
  };
}

struct X {};

int main()
{
    std::unique_ptr<X> a(new X());          // leak reported                                                                                                                                           
    return 0;
}

From what I observed, the two fields __ptr_ and __deleter_ have overlapping MemRegions (Same base and both have 0 offset) because of [[no_unique_address]]. Then, at the unique_ptr constructor call, CSA simulates the following two steps:

1. assigning __p to __ptr_; and then
2. assigning 0 to __deleter_.

Since the two fields have overlapping MemRegions, the second assignment removes the binding of __ptr_. So later the destructor is not able to delete the allocated object properly. Resulting a false leak report.

If one removes [[no_unique_address]] from __deleter_'s declaration, the false report goes away.

[llvmbot]

@llvm/issue-subscribers-clang-static-analyzer

Author: Ziqing Luo (ziqingluo-90)

Hi Static Analyzer Developers,

I was investigating a downstream bug arose from C++ standard library changes.
There is a minimal reproducer:

namespace std {
  struct default_delete {
  };

  template <class _Tp, class _Dp = default_delete >
  class unique_ptr {
    [[__no_unique_address__]]  _Tp * __ptr_;
    [[__no_unique_address__]] _Dp __deleter_;

  public:
    explicit unique_ptr(_Tp* __p) noexcept
      : __ptr_(__p),
        __deleter_() {}

    ~unique_ptr() {
      delete __ptr_;
    }
  };
}

struct X {};

int main()
{
    std::unique_ptr<X> a(new X());          // leak reported                                                                                                                                           
    return 0;
}

From what I observed, the two fields __ptr_ and __deleter_ have overlapping MemRegions (Same base and both have 0 offset) because of [[no_unique_address]]. Then, at the unique_ptr constructor call, CSA simulates the following two steps:

1. assigning __p to __ptr_; and then
2. assigning 0 to __deleter_.

Since the two fields have overlapping MemRegions, the second assignment removes the binding of __ptr_. So later the destructor is not able to delete the allocated object properly. Resulting a false leak report.

If one removes [[no_unique_address]] from __deleter_'s declaration, the false report goes away.

[ziqingluo-90]

CC: @Xazax-hun @steakhal @haoNoQ @NagyDonat @balazske @dtarditi @isuckatcs

I'm currently fully occupied so I'm just positing this bug in case anyone knows how to fix it.

[haoNoQ]

assigning 0 to __deleter_.

At a glance this is probably the source of the problem. Default zero-initialization of a zero-size field should arguably act as no-op. So, this can probably be fixed with relative ease somewhere in ExprEngineCXX.cpp where default initialization is modeled.

The surprising part here is that the assignment to a zero-size field isn't already a no-op from RegionStore's perspective. This is probably because of #43459 so it may be harder to fix.

[steakhal]

Hah, I rmember this one. I also debugged it half month ago. I'll try to get my notes, but assuming I didn't post a patch it's very likely that not too easy to fix.

[steakhal]

I couldn't exactly find my example, but I can recall what I was roughly working on.
In the exploded graph it would be nice to see PostInitializer Program Points for initializing subobjects.
These points are usually placed from the ExprEngine::ProcessInitializer() where we process the initializer lists of constructors. I had an example where was no PostInitializer program point for a field, so I changed the code a bit. Namely, I didn't like the bunch of incidental control-flow in the implementation.
I believe, this is the place where the second field gets bound - and would also overwrite the first binding because the addresses of the fields overlap.

The overlapping store happens because in the evalBind we eventually hits the Store, that will flatten the memregion into a base region and bit offset by using the getAsOffset when making a BindingKey for the store and that actually inside has this code:

const ASTRecordLayout &Layout = R->getContext().getASTRecordLayout(RD);
// This is offset in bits.
Offset += Layout.getFieldOffset(idx);

This means, if the layout suggests that the two fields overlap, then their bit offsets end up the same. Remember, the same may also apply for empty base class optimizations.

Personally, I find it handy to have PostInitializer program points for all subobjects, but it may be more practical to skip the empty subobjects this case.

Frankly, I never understood why the unique_ptr had to put the deleter as a field inside, but I have the impression that in this specific (default) case that deleter is an empty object.
It's also an option to special-case the no_unique_addr fields inside ExprEngine::ProcessInitializer() to sidestep the overwriting.

[ziqingluo-90]

assigning 0 to _deleter.
At a glance this is probably the source of the problem.

Yeah, I think this is where the simulation got wrong.

The surprising part here is that the assignment to a zero-size field isn't already a no-op from RegionStore's perspective.

Is it possible to just add the heuristic there that assignment to a zero-size field is a no-op?

And from #43459:

The word "extent" in the title refers to the length of the segment between these "from" and "to" offsets. Type-system-wise it makes sense to have such extent simply derived from the value type; in this sense the binding key doesn't really need any changes, only read/write algorithms do. But, again, the problem is that we aren't exactly type-correct. Maybe we can ignore lack of type correctness and still do better than before?

Deriving extents from values types and making value types correct feel like are two separate tasks that can be started in parallel. Arguably, I think we can assume value types are correct and start to use it. Then we will (hit bugs and) know what to fix for value types.

[ziqingluo-90]

Personally, I find it handy to have PostInitializer program points for all subobjects

Exactly, the exploded graph didn't tell me enough useful information, so I had to spend a lot of time digging into the code.

Frankly, I never understood why the unique_ptr had to put the deleter as a field inside, but I have the impression that in this specific (default) case that deleter is an empty object.

Yes, it is an empty object in my case.

It's also an option to special-case the no_unique_addr fields inside ExprEngine::ProcessInitializer() to sidestep the overwriting.

Agreed.

[steakhal]

FYI The issue that Noq linked is not relevant in this case. Or at least not that I know of.