Fix 2 crashes seen when analyzing memcached

Current changes were causing analysis of memcached to crash. This
update addresses 2 of 3 crashes found so far, adds a covering LIT
test and improves LIT test coverage. All clang/test/Analysis
LITs now pass.

Author: einvbri

clang/lib/StaticAnalyzer/Checkers/ThreadModeling.cpp

@@ -32,6 +32,8 @@ class ThreadModeling : public Checker<check::PreCall> {
 
 
 void ThreadModeling::checkPreCall(const CallEvent &Call, CheckerContext &C) const {
+  return;
+#if 0
   if (!ThreadCreateCalls.contains(Call)) {
     return;
   }
@@ -67,7 +69,7 @@ void ThreadModeling::checkPreCall(const CallEvent &Call, CheckerContext &C) cons
   // 6. Resolve AST to Call
   // 7. Inline Call
 
-
+#endif
 }
 
 const FunctionDecl *ThreadModeling::GetFunctionDecl(SVal V, CheckerContext &C) const {
@@ -82,4 +84,4 @@ void clang::ento::registerThreadModeling(CheckerManager &Mgr) {
 
 bool clang::ento::shouldRegisterThreadModeling(const CheckerManager &) {
   return true;
-}
+}

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

@@ -561,6 +561,12 @@ void ExprEngine::threadBifurcate(CallEvent const &Call, Decl const *D,
   if (auto const *FR = dyn_cast<FunctionCodeRegion>(SRR))
     StartRoutine = dyn_cast<FunctionDecl>(FR->getDecl());
 
+  // There may not be an actual function bound to the 3rd
+  // argument of pthread_create because of analyzer limitations,
+  // so detect that case and return at this point since it cannot be modeled
+  if (!StartRoutine)
+    return;
+
   assert(StartRoutine && "start_routine should be a valid function pointer");
   assert(StartRoutine->hasBody() && "start_routine must be well defined");
 

clang/test/Analysis/SD-tests/thread-modeling-funcptr.c

@@ -0,0 +1,64 @@
+// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify  %s \
+// RUN:   -analyzer-checker=core,unix -DPTHREAD_MODEL=1 \
+// RUN:   -analyzer-checker=debug.ExprInspection -analyzer-config model-pthreads=true
+//
+// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify  %s \
+// RUN:   -analyzer-checker=core,unix -DNO_PTHREAD_MODEL=1 \
+// RUN:   -analyzer-checker=debug.ExprInspection -analyzer-config model-pthreads=false
+
+#define NULL ((void*) 0)
+typedef __typeof(sizeof(int)) size_t;
+typedef unsigned long int pthread_t;
+typedef struct __pthread_attr pthread_attr_t;
+
+int pthread_create(pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine)(void *), void *arg);
+
+void clang_analyzer_checkInlined(int);
+void clang_analyzer_dump(int);
+
+typedef struct _mystruct {
+  int a;
+  int b;
+} mystruct, *pmystruct;
+
+void *malloc(size_t sz);
+void free (void* ptr);
+
+static void* thread_function(void* arg)
+{
+   pmystruct ps = (pmystruct) arg;
+   // should expect to fail the test at this line if you set the checkInlined to true
+   int *ptr = (int *)arg;
+   clang_analyzer_dump(*ptr);      // expected-warning-re{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<void * arg>},0 S64b,int}}}
+   free(arg);
+   return NULL;
+}
+
+void create_worker( void *(*func)(void *), void * arg) {
+  pthread_t p1;
+  pthread_create(&p1, NULL, func, arg);
+}
+
+int mem[256]; 
+
+int test()
+{
+  pmystruct ps = (pmystruct) malloc(sizeof(mystruct));
+  ps->a = 1;
+  ps->b = 2;
+
+  // The static analyzer gives up on analyzing a code path for
+  // iterations that exceed a limit.
+  // See https://discourse.llvm.org/t/loop-handling-improvement-plans/80417
+  //
+  // To prove this to yourself, change 256 to 1 and rerun. Change
+  // to a few different numbers and explore where the LIT test
+  // starts to produce unexpected values.
+  for (int i=0; i<256; i++) {
+    mem[i] = 0;
+  }
+  create_worker(thread_function, ps);
+
+  return 0;
+}
+

clang/test/Analysis/SD-tests/thread-modeling-malloc.c

@@ -0,0 +1,59 @@
+// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify  %s \
+// RUN:   -analyzer-checker=core,unix -DPTHREAD_MODEL=1 \
+// RUN:   -analyzer-checker=debug.ExprInspection -analyzer-config model-pthreads=true
+//
+// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify  %s \
+// RUN:   -analyzer-checker=core,unix -DNO_PTHREAD_MODEL=1 \
+// RUN:   -analyzer-checker=debug.ExprInspection -analyzer-config model-pthreads=false
+
+#define NULL ((void*) 0)
+typedef __typeof(sizeof(int)) size_t;
+typedef unsigned long int pthread_t;
+typedef struct __pthread_attr pthread_attr_t;
+
+int pthread_create(pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine)(void *), void *arg);
+
+void clang_analyzer_checkInlined(int);
+void clang_analyzer_dump(int);
+
+typedef struct _mystruct {
+  int a;
+  int b;
+} mystruct, *pmystruct;
+
+void *malloc(size_t sz);
+void free (void* ptr);
+
+void* thread_function(void* arg)
+{
+   pmystruct ps = (pmystruct) arg;
+   // should expect to fail the test at this line if you set the checkInlined to true
+#ifdef PTHREAD_MODEL
+   clang_analyzer_checkInlined(1); // expected-warning{{TRUE}}
+#endif
+   int *ptr = (int *)arg;
+#ifdef PTHREAD_MODEL
+   clang_analyzer_dump(ps->a);      // expected-warning{{1 S32b}}
+   clang_analyzer_dump(ps->b);      // expected-warning{{2 S32b}}
+#endif
+#ifdef NO_PTHREAD_MODEL
+   clang_analyzer_dump(*ptr);      // expected-warning-re{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<void * arg>},0 S64b,int}}}
+#endif
+   return NULL;
+}
+
+int test()
+{
+  pmystruct ps = (pmystruct) malloc(sizeof(mystruct));
+  ps->a = 1;
+  ps->b = 2;
+  pthread_t p1;
+  pthread_create(&p1, NULL, &thread_function, ps);
+
+#ifdef PTHREAD_MODEL
+  return 0; // expected-warning{{Potential leak of memory pointed to by 'ps'}}
+#endif
+#ifdef NO_PTHREAD_MODEL
+  return 0;
+#endif
+}

clang/test/Analysis/SD-tests/thread-modeling-struct.c

@@ -0,0 +1,56 @@
+// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify  %s \
+// RUN:   -analyzer-checker=core,unix -DPTHREAD_MODEL=1 \
+// RUN:   -analyzer-checker=debug.ExprInspection -analyzer-config model-pthreads=true
+//
+// RUN: %clang_analyze_cc1 -Wno-strict-prototypes -Wno-error=implicit-int -verify  %s \
+// RUN:   -analyzer-checker=core,unix -DNO_PTHREAD_MODEL=1 \
+// RUN:   -analyzer-checker=debug.ExprInspection -analyzer-config model-pthreads=false
+
+#define NULL ((void*) 0)
+typedef __typeof(sizeof(int)) size_t;
+typedef unsigned long int pthread_t;
+typedef struct __pthread_attr pthread_attr_t;
+
+int pthread_create(pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine)(void *), void *arg);
+
+void clang_analyzer_checkInlined(int);
+void clang_analyzer_dump(int);
+
+typedef struct _mystruct {
+  int a;
+  int b;
+} mystruct, *pmystruct;
+
+void *malloc(size_t sz);
+void free (void* ptr);
+
+void* thread_function(void* arg)
+{
+   pmystruct ps = (pmystruct) arg;
+   // should expect to fail the test at this line if you set the checkInlined to true
+#ifdef PTHREAD_MODEL
+   clang_analyzer_checkInlined(1); // expected-warning{{TRUE}}
+#endif
+   int *ptr = (int *)arg;
+#ifdef PTHREAD_MODEL
+   clang_analyzer_dump(ps->a);      // expected-warning{{1 S32b}}
+   clang_analyzer_dump(ps->b);      // expected-warning{{2 S32b}}
+#endif
+#ifdef NO_PTHREAD_MODEL
+   clang_analyzer_dump(*ptr);      // expected-warning-re{{reg_${{[[:digit:]]+}}<int Element{SymRegion{reg_${{[[:digit:]]+}}<void * arg>},0 S64b,int}}}
+#endif
+   free(arg);
+   return NULL;
+}
+
+int test()
+{
+  pmystruct ps = (pmystruct) malloc(sizeof(mystruct));
+  ps->a = 1;
+  ps->b = 2;
+  pthread_t p1;
+  pthread_create(&p1, NULL, &thread_function, ps);
+
+  return 0;
+}
+