This is an archive of the discontinued LLVM Phabricator instance.

Differential D104925

[Analyzer] Improve report of file read at end-of-file condition.
ClosedPublic

Authored by balazske on Jun 25 2021, 8:49 AM.

Details

Reviewers
Szelethus
martong
NoQ
Commits
rG90cb5297adf0: [clang][analyzer] Improve report of file read at EOF condition (alpha.unix.
Summary

The checker warns if a stream is read that is already in EOF state.
The commit adds indication of locations where the EOF flag is set
on the stream and where it is discovered by the program.

Diff Detail

Event Timeline

balazske created this revision.Jun 25 2021, 8:49 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJun 25 2021, 8:49 AM
Herald added subscribers: manas, steakhal, ASDenysPetrov and 11 others. · View Herald Transcript
balazske requested review of this revision.Jun 25 2021, 8:49 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 25 2021, 8:49 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
balazske added reviewers: martong, NoQ.Jun 25 2021, 8:52 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptJun 25 2021, 8:52 AM
Harbormaster completed remote builds in B111015: Diff 354517.Jun 25 2021, 9:25 AM
balazske updated this revision to Diff 354791.Jun 27 2021, 11:53 PM

Add checker name to commit message.

balazske added a child revision: D105003: [Analyzer] Improve report of "indeterminate file position" condition (alpha.unix.Stream)..Jun 27 2021, 11:56 PM
Harbormaster completed remote builds in B111222: Diff 354791.Jun 28 2021, 12:28 AM
NoQ added a comment.Jun 28 2021, 11:21 AM

Thanks! Why isn't this a NoteTag?

balazske added a comment.Jun 28 2021, 11:56 PM

I could not find a way to pass the needed information from the BugReport to the NoteTag. The "sequence number" (in EofSeqMap) is only known when the bug is detected, this should be passed to the NoteTag somehow. The value is used to make the new note appear only at the last place where EOF is set.

balazske added a comment.Jun 29 2021, 9:15 AM

Is it better to save the actual ExplodedNode in the note tag? Then the error node of the BugReport can be used to search the bug path and check if the saved node is encountered. In this way a NoteTag could be used and the "sequence numbers" would be unnecessary.

NoQ added a comment.Jun 29 2021, 1:50 PM
In D104925#2846283, @balazske wrote:

I could not find a way to pass the needed information from the BugReport to the NoteTag. The "sequence number" (in EofSeqMap) is only known when the bug is detected, this should be passed to the NoteTag somehow.

You can capture it.

That's the whole point of note tags, to have access to all the information from both the bug report and the moment of time the event has happened.

martong added a comment.Jun 30 2021, 6:20 AM

+1 for note tags.

clang/test/Analysis/stream-note.c
134

Perhaps we could have some more explanatory test case names. I mean how _3 is different than _2? What is the case each of them exactly tests?

141

Strictly speaking it is not necessarily and end-of-file status, ferror indicates if there was an error.

balazske updated this revision to Diff 355594.Jun 30 2021, 9:30 AM

Using NoteTag.
Removed the EOF sequence number.
Renamed test functions.

balazske marked an inline comment as done.Jun 30 2021, 9:31 AM

Updated to use NoteTag.
Note "End-of-file status is discovered here" is removed.

clang/test/Analysis/stream-note.c
141

Exacly the ferror(F) is false here. If it is false we may have successful read or EOF after read. So the message about "Assuming that stream reaches end-of-file here" is really an assumption here (pick one from the two possible results). And if EOF happens and ferror is false the feof must be true, this is revealed when we know that ferror is false.

Harbormaster completed remote builds in B111779: Diff 355594.Jun 30 2021, 10:41 AM
NoQ added a comment.Jul 1 2021, 1:48 AM

Let's simplify this even further!

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
430–432

I guess it's a matter of preference but I really don't understand the need to define a structure when a lambda is sufficient. Lambda is the intended syntax sugar for exactly what you have written.

436–437

You can compare BugType objects directly (by address).

440–446

This code says "If there exists a state below in the path where the stream is not at EOF, drop the note". The report will not be emitted at all if the stream is not at EOF at the end, right? Are you trying to account for the situation when the stream gets reset into a non-EOF state and therefore you don't need to emit the note above that point?

In such cases the intended solution is to add another note tag to mark the stream uninteresting once it gets reset, because all the history before that point is irrelevant to our report entirely (whatever the previous position was, its get completely overwritten by the reset).

The API for marking objects uninteresting is not yet there but it's suggested in D104300. I believe you should rebase your patch on top of it and take advantage of it as it lands.

balazske added inline comments.Jul 1 2021, 8:52 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
430–432

The reason is that the NoteTag is added at more than one place. And I do not want a function that returns a lambda.

440–446

It was unknown to me if the visit of NoteTag's happens from the bug path end to begin or in different way. If it is from end to begin it may be enough to remove the interestingness in the current NoteTag function when a message is produced, it should find exactly the last place where that EOF flag is set to true. And NotePosition is not needed.

440–446

I tried it out, seems to work. But to continue D104300 should be finished or the "reset of interestingness" must be split to a separate change (or into this patch), is this possible?

martong added inline comments.Jul 2 2021, 5:43 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
440–446

I tried it out, seems to work. But to continue D104300 should be finished or the "reset of interestingness" must be split to a separate change (or into this patch), is this possible?

Yes, I think it would be the logical way forward if we want a smooth development with this change. So let's create a parent patch that implements solely markNotInteresting from D104300. And that new patch should be the parent of this patch, also D104300 could be rebased once the new patch of markNotInteresting is landed.

balazske mentioned this in D104300: [analyzer] Handle std::swap for std::unique_ptr.Jul 8 2021, 9:08 AM
balazske mentioned this in D105637: [clang][Analyzer] Add symbol uninterestingness to bug report..Jul 8 2021, 9:11 AM
balazske updated this revision to Diff 357947.Jul 12 2021, 8:09 AM

Using the new symbol "uninterestingness" feature.

balazske added a parent revision: D105637: [clang][Analyzer] Add symbol uninterestingness to bug report..Jul 12 2021, 8:09 AM
Harbormaster completed remote builds in B113509: Diff 357947.Jul 12 2021, 8:45 AM
balazske marked 4 inline comments as done.Jul 15 2021, 12:55 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
430–432

Problem solved: see constructSetEofNoteTag

Szelethus added a comment.Jul 16 2021, 7:16 AM

The bug reports speak for themselves, they are awesome. Nice work!

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
28–30

Thank you! Big fan of these.

34–35

You don't seem to reuse these in this or the followup patch? Its not a big deal, I don't mind you creating them, just feels a bit odd to me.

402

Can you not capture this as well? We could eliminate StreamChecker::Instance that way I suppose.

705–711

Oh, this took me quite a bit. Can we change SS to something that reflects that its the current error state, not the new one? Like CurrSS?

Szelethus mentioned this in D105003: [Analyzer] Improve report of "indeterminate file position" condition (alpha.unix.Stream)..Jul 16 2021, 7:34 AM
NoQ added a comment.Jul 16 2021, 7:58 PM

Looks great now!

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
409

The word "that" looks redundant, we don't use it in any other similar notes, eg. "Assuming that 'ptr' is null" etc.

balazske updated this revision to Diff 359694.Jul 19 2021, 1:19 AM

Removed Instance, small rename, fix of warning text.

balazske marked 3 inline comments as done.Jul 19 2021, 1:20 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
34–35

These remained from old version of the patch, removed.

Harbormaster completed remote builds in B114790: Diff 359694.Jul 19 2021, 2:11 AM
balazske added a child revision: D106262: [clang][analyzer] Use generic note tag in alpha.unix.Stream ..Jul 19 2021, 5:50 AM
balazske removed a child revision: D105003: [Analyzer] Improve report of "indeterminate file position" condition (alpha.unix.Stream)..
Szelethus accepted this revision.Jul 19 2021, 6:36 AM

LGTM!

This revision is now accepted and ready to land.Jul 19 2021, 6:36 AM
This revision was landed with ongoing or failed builds.Jul 20 2021, 11:42 PM
Closed by commit rG90cb5297adf0: [clang][analyzer] Improve report of file read at EOF condition (alpha.unix. (authored by balazske). · Explain Why
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rG90cb5297adf0: [clang][analyzer] Improve report of file read at EOF condition (alpha.unix..

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
83 lines
test/
Analysis/
57 lines

Diff 360366

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

Show All 19 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include <functional> #include <functional>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace std::placeholders; using namespace std::placeholders;
//===----------------------------------------------------------------------===//
// Definition of state data structures.
//===----------------------------------------------------------------------===//
SzelethusUnsubmitted
Done
ReplyInline Actions

Thank you! Big fan of these.

Szelethus: Thank you! Big fan of these.
namespace { namespace {
struct FnDescription; struct FnDescription;
SzelethusUnsubmitted
Not Done
ReplyInline Actions

You don't seem to reuse these in this or the followup patch? Its not a big deal, I don't mind you creating them, just feels a bit odd to me.

Szelethus: You don't seem to reuse these in this or the followup patch? Its not a big deal, I don't mind…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

These remained from old version of the patch, removed.

balazske: These remained from old version of the patch, removed.
/// State of the stream error flags. /// State of the stream error flags.
/// Sometimes it is not known to the checker what error flags are set. /// Sometimes it is not known to the checker what error flags are set.
/// This is indicated by setting more than one flag to true. /// This is indicated by setting more than one flag to true.
/// This is an optimization to avoid state splits. /// This is an optimization to avoid state splits.
/// A stream can either be in FEOF or FERROR but not both at the same time. /// A stream can either be in FEOF or FERROR but not both at the same time.
/// Multiple flags are set to handle the corresponding states together. /// Multiple flags are set to handle the corresponding states together.
struct StreamErrorState { struct StreamErrorState {
/// The stream can be in state where none of the error flags set. /// The stream can be in state where none of the error flags set.
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Linesstruct StreamState {
void Profile(llvm::FoldingSetNodeID &ID) const { void Profile(llvm::FoldingSetNodeID &ID) const {
ID.AddPointer(LastOperation); ID.AddPointer(LastOperation);
ID.AddInteger(State); ID.AddInteger(State);
ID.AddInteger(ErrorState); ID.AddInteger(ErrorState);
ID.AddBoolean(FilePositionIndeterminate); ID.AddBoolean(FilePositionIndeterminate);
} }
}; };
} // namespace
//===----------------------------------------------------------------------===//
// StreamChecker class and utility functions.
//===----------------------------------------------------------------------===//
namespace {
class StreamChecker; class StreamChecker;
using FnCheck = std::function<void(const StreamChecker *, const FnDescription *, using FnCheck = std::function<void(const StreamChecker *, const FnDescription *,
const CallEvent &, CheckerContext &)>; const CallEvent &, CheckerContext &)>;
using ArgNoTy = unsigned int; using ArgNoTy = unsigned int;
static const ArgNoTy ArgNone = std::numeric_limits<ArgNoTy>::max(); static const ArgNoTy ArgNone = std::numeric_limits<ArgNoTy>::max();
struct FnDescription { struct FnDescription {
▲ Show 20 LinesShow All 57 Lines▼ Show 20 Linespublic:
ProgramStateRef checkPointerEscape(ProgramStateRef State, ProgramStateRef checkPointerEscape(ProgramStateRef State,
const InvalidatedSymbols &Escaped, const InvalidatedSymbols &Escaped,
const CallEvent *Call, const CallEvent *Call,
PointerEscapeKind Kind) const; PointerEscapeKind Kind) const;
/// If true, evaluate special testing stream functions. /// If true, evaluate special testing stream functions.
bool TestMode = false; bool TestMode = false;
const BugType *getBT_StreamEof() const { return &BT_StreamEof; }
private: private:
CallDescriptionMap<FnDescription> FnDescriptions = { CallDescriptionMap<FnDescription> FnDescriptions = {
{{"fopen"}, {nullptr, &StreamChecker::evalFopen, ArgNone}}, {{"fopen"}, {nullptr, &StreamChecker::evalFopen, ArgNone}},
{{"freopen", 3}, {{"freopen", 3},
{&StreamChecker::preFreopen, &StreamChecker::evalFreopen, 2}}, {&StreamChecker::preFreopen, &StreamChecker::evalFreopen, 2}},
{{"tmpfile"}, {nullptr, &StreamChecker::evalFopen, ArgNone}}, {{"tmpfile"}, {nullptr, &StreamChecker::evalFopen, ArgNone}},
{{"fclose", 1}, {{"fclose", 1},
{&StreamChecker::preDefault, &StreamChecker::evalFclose, 0}}, {&StreamChecker::preDefault, &StreamChecker::evalFclose, 0}},
▲ Show 20 LinesShow All 102 Lines▼ Show 20 Linesprivate:
/// (State is not changed here because the "whence" value is already known.) /// (State is not changed here because the "whence" value is already known.)
ProgramStateRef ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C, ProgramStateRef ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C,
ProgramStateRef State) const; ProgramStateRef State) const;
/// Generate warning about stream in EOF state. /// Generate warning about stream in EOF state.
/// There will be always a state transition into the passed State, /// There will be always a state transition into the passed State,
/// by the new non-fatal error node or (if failed) a normal transition, /// by the new non-fatal error node or (if failed) a normal transition,
/// to ensure uniform handling. /// to ensure uniform handling.
void reportFEofWarning(CheckerContext &C, ProgramStateRef State) const; void reportFEofWarning(SymbolRef StreamSym, CheckerContext &C,
ProgramStateRef State) const;
/// Emit resource leak warnings for the given symbols. /// Emit resource leak warnings for the given symbols.
/// Createn a non-fatal error node for these, and returns it (if any warnings /// Createn a non-fatal error node for these, and returns it (if any warnings
/// were generated). Return value is non-null. /// were generated). Return value is non-null.
ExplodedNode *reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms, ExplodedNode *reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms,
CheckerContext &C, ExplodedNode *Pred) const; CheckerContext &C, ExplodedNode *Pred) const;
/// Find the description data of the function called by a call event. /// Find the description data of the function called by a call event.
Show All 9 Lines for (auto P : Call.parameters()) {
return nullptr; return nullptr;
} }
return FnDescriptions.lookup(Call); return FnDescriptions.lookup(Call);
} }
/// Generate a message for BugReporterVisitor if the stored symbol is /// Generate a message for BugReporterVisitor if the stored symbol is
/// marked as interesting by the actual bug report. /// marked as interesting by the actual bug report.
// FIXME: Use lambda instead.
struct NoteFn { struct NoteFn {
const CheckerNameRef CheckerName; const BugType *BT_ResourceLeak;
SymbolRef StreamSym; SymbolRef StreamSym;
std::string Message; std::string Message;
std::string operator()(PathSensitiveBugReport &BR) const { std::string operator()(PathSensitiveBugReport &BR) const {
if (BR.isInteresting(StreamSym) && if (BR.isInteresting(StreamSym) && &BR.getBugType() == BT_ResourceLeak)
CheckerName == BR.getBugType().getCheckerName())
return Message; return Message;
return ""; return "";
} }
}; };
const NoteTag *constructNoteTag(CheckerContext &C, SymbolRef StreamSym, const NoteTag *constructNoteTag(CheckerContext &C, SymbolRef StreamSym,
const std::string &Message) const { const std::string &Message) const {
return C.getNoteTag(NoteFn{getCheckerName(), StreamSym, Message}); return C.getNoteTag(NoteFn{&BT_ResourceLeak, StreamSym, Message});
}
const NoteTag *constructSetEofNoteTag(CheckerContext &C,
SymbolRef StreamSym) const {
return C.getNoteTag([this, StreamSym](PathSensitiveBugReport &BR) {
SzelethusUnsubmitted
Done
ReplyInline Actions

Can you not capture this as well? We could eliminate StreamChecker::Instance that way I suppose.

Szelethus: Can you not capture `this` as well? We could eliminate `StreamChecker::Instance` that way I…
if (!BR.isInteresting(StreamSym) ||
&BR.getBugType() != this->getBT_StreamEof())
return "";
BR.markNotInteresting(StreamSym);
return "Assuming stream reaches end-of-file here";
NoQUnsubmitted
Done
ReplyInline Actions

The word "that" looks redundant, we don't use it in any other similar notes, eg. "Assuming that 'ptr' is null" etc.

NoQ: The word "that" looks redundant, we don't use it in any other similar notes, eg. "Assuming…
});
} }
/// Searches for the ExplodedNode where the file descriptor was acquired for /// Searches for the ExplodedNode where the file descriptor was acquired for
/// StreamSym. /// StreamSym.
static const ExplodedNode *getAcquisitionSite(const ExplodedNode *N, static const ExplodedNode *getAcquisitionSite(const ExplodedNode *N,
SymbolRef StreamSym, SymbolRef StreamSym,
CheckerContext &C); CheckerContext &C);
}; };
} // end anonymous namespace } // end anonymous namespace
// This map holds the state of a stream.
// The stream is identified with a SymbolRef that is created when a stream
// opening function is modeled by the checker.
REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState) REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)
inline void assertStreamStateOpened(const StreamState *SS) { inline void assertStreamStateOpened(const StreamState *SS) {
assert(SS->isOpened() && assert(SS->isOpened() &&
"Previous create of error node for non-opened stream failed?"); "Previous create of error node for non-opened stream failed?");
} }
const ExplodedNode *StreamChecker::getAcquisitionSite(const ExplodedNode *N, const ExplodedNode *StreamChecker::getAcquisitionSite(const ExplodedNode *N,
NoQUnsubmitted
Done
ReplyInline Actions

I guess it's a matter of preference but I really don't understand the need to define a structure when a lambda is sufficient. Lambda is the intended syntax sugar for exactly what you have written.

NoQ: I guess it's a matter of preference but I really don't understand the need to define a…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The reason is that the NoteTag is added at more than one place. And I do not want a function that returns a lambda.

balazske: The reason is that the `NoteTag` is added at more than one place. And I do not want a function…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Problem solved: see constructSetEofNoteTag

balazske: Problem solved: see `constructSetEofNoteTag`
SymbolRef StreamSym, SymbolRef StreamSym,
CheckerContext &C) { CheckerContext &C) {
ProgramStateRef State = N->getState(); ProgramStateRef State = N->getState();
// When bug type is resource leak, exploded node N may not have state info // When bug type is resource leak, exploded node N may not have state info
// for leaked file descriptor, but predecessor should have it. // for leaked file descriptor, but predecessor should have it.
NoQUnsubmitted
Done
ReplyInline Actions

You can compare BugType objects directly (by address).

NoQ: You can compare `BugType` objects directly (by address).
if (!State->get<StreamMap>(StreamSym)) if (!State->get<StreamMap>(StreamSym))
N = N->getFirstPred(); N = N->getFirstPred();
const ExplodedNode *Pred = N; const ExplodedNode *Pred = N;
while (N) { while (N) {
State = N->getState(); State = N->getState();
if (!State->get<StreamMap>(StreamSym)) if (!State->get<StreamMap>(StreamSym))
return Pred; return Pred;
Pred = N; Pred = N;
NoQUnsubmitted
Done
ReplyInline Actions

This code says "If there exists a state below in the path where the stream is not at EOF, drop the note". The report will not be emitted at all if the stream is not at EOF at the end, right? Are you trying to account for the situation when the stream gets reset into a non-EOF state and therefore you don't need to emit the note above that point?

In such cases the intended solution is to add another note tag to mark the stream uninteresting once it gets reset, because all the history before that point is irrelevant to our report entirely (whatever the previous position was, its get completely overwritten by the reset).

The API for marking objects uninteresting is not yet there but it's suggested in D104300. I believe you should rebase your patch on top of it and take advantage of it as it lands.

NoQ: This code says "If there exists a state below in the path where the stream is not at EOF, drop…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

It was unknown to me if the visit of NoteTag's happens from the bug path end to begin or in different way. If it is from end to begin it may be enough to remove the interestingness in the current NoteTag function when a message is produced, it should find exactly the last place where that EOF flag is set to true. And NotePosition is not needed.

balazske: It was unknown to me if the visit of `NoteTag`'s happens from the bug path end to begin or in…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I tried it out, seems to work. But to continue D104300 should be finished or the "reset of interestingness" must be split to a separate change (or into this patch), is this possible?

balazske: I tried it out, seems to work. But to continue D104300 should be finished or the "reset of…
martongUnsubmitted
Done
ReplyInline Actions

I tried it out, seems to work. But to continue D104300 should be finished or the "reset of interestingness" must be split to a separate change (or into this patch), is this possible?

Yes, I think it would be the logical way forward if we want a smooth development with this change. So let's create a parent patch that implements solely markNotInteresting from D104300. And that new patch should be the parent of this patch, also D104300 could be rebased once the new patch of markNotInteresting is landed.

martong: > I tried it out, seems to work. But to continue D104300 should be finished or the "reset of…
N = N->getFirstPred(); N = N->getFirstPred();
} }
return nullptr; return nullptr;
} }
//===----------------------------------------------------------------------===//
// Methods of StreamChecker.
//===----------------------------------------------------------------------===//
void StreamChecker::checkPreCall(const CallEvent &Call, void StreamChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const FnDescription *Desc = lookupFn(Call); const FnDescription *Desc = lookupFn(Call);
if (!Desc || !Desc->PreFn) if (!Desc || !Desc->PreFn)
return; return;
Desc->PreFn(this, Desc, Call, C); Desc->PreFn(this, Desc, Call, C);
} }
▲ Show 20 LinesShow All 131 Lines▼ Show 20 Linesvoid StreamChecker::preFread(const FnDescription *Desc, const CallEvent &Call,
State = ensureNoFilePositionIndeterminate(StreamVal, C, State); State = ensureNoFilePositionIndeterminate(StreamVal, C, State);
if (!State) if (!State)
return; return;
SymbolRef Sym = StreamVal.getAsSymbol(); SymbolRef Sym = StreamVal.getAsSymbol();
if (Sym && State->get<StreamMap>(Sym)) { if (Sym && State->get<StreamMap>(Sym)) {
const StreamState *SS = State->get<StreamMap>(Sym); const StreamState *SS = State->get<StreamMap>(Sym);
if (SS->ErrorState & ErrorFEof) if (SS->ErrorState & ErrorFEof)
reportFEofWarning(C, State); reportFEofWarning(Sym, C, State);
} else { } else {
C.addTransition(State); C.addTransition(State);
} }
} }
void StreamChecker::preFwrite(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::preFwrite(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
Show All 26 Linesvoid StreamChecker::evalFreadFwrite(const FnDescription *Desc,
Optional<NonLoc> SizeVal = Call.getArgSVal(1).getAs<NonLoc>(); Optional<NonLoc> SizeVal = Call.getArgSVal(1).getAs<NonLoc>();
if (!SizeVal) if (!SizeVal)
return; return;
Optional<NonLoc> NMembVal = Call.getArgSVal(2).getAs<NonLoc>(); Optional<NonLoc> NMembVal = Call.getArgSVal(2).getAs<NonLoc>();
if (!NMembVal) if (!NMembVal)
return; return;
const StreamState *SS = State->get<StreamMap>(StreamSym); const StreamState *OldSS = State->get<StreamMap>(StreamSym);
if (!SS) if (!OldSS)
return; return;
assertStreamStateOpened(SS); assertStreamStateOpened(OldSS);
// C'99 standard, §7.19.8.1.3, the return value of fread: // C'99 standard, §7.19.8.1.3, the return value of fread:
// The fread function returns the number of elements successfully read, which // The fread function returns the number of elements successfully read, which
// may be less than nmemb if a read error or end-of-file is encountered. If // may be less than nmemb if a read error or end-of-file is encountered. If
// size or nmemb is zero, fread returns zero and the contents of the array and // size or nmemb is zero, fread returns zero and the contents of the array and
// the state of the stream remain unchanged. // the state of the stream remain unchanged.
if (State->isNull(*SizeVal).isConstrainedTrue() || if (State->isNull(*SizeVal).isConstrainedTrue() ||
State->isNull(*NMembVal).isConstrainedTrue()) { State->isNull(*NMembVal).isConstrainedTrue()) {
// This is the "size or nmemb is zero" case. // This is the "size or nmemb is zero" case.
// Just return 0, do nothing more (not clear the error flags). // Just return 0, do nothing more (not clear the error flags).
State = bindInt(0, State, C, CE); State = bindInt(0, State, C, CE);
C.addTransition(State); C.addTransition(State);
return; return;
} }
// Generate a transition for the success state. // Generate a transition for the success state.
// If we know the state to be FEOF at fread, do not add a success state. // If we know the state to be FEOF at fread, do not add a success state.
if (!IsFread || (SS->ErrorState != ErrorFEof)) { if (!IsFread || (OldSS->ErrorState != ErrorFEof)) {
ProgramStateRef StateNotFailed = ProgramStateRef StateNotFailed =
State->BindExpr(CE, C.getLocationContext(), *NMembVal); State->BindExpr(CE, C.getLocationContext(), *NMembVal);
if (StateNotFailed) { if (StateNotFailed) {
StateNotFailed = StateNotFailed->set<StreamMap>( StateNotFailed = StateNotFailed->set<StreamMap>(
StreamSym, StreamState::getOpened(Desc)); StreamSym, StreamState::getOpened(Desc));
C.addTransition(StateNotFailed); C.addTransition(StateNotFailed);
} }
} }
Show All 12 Linesvoid StreamChecker::evalFreadFwrite(const FnDescription *Desc,
if (!Cond) if (!Cond)
return; return;
StateFailed = StateFailed->assume(*Cond, true); StateFailed = StateFailed->assume(*Cond, true);
if (!StateFailed) if (!StateFailed)
return; return;
StreamErrorState NewES; StreamErrorState NewES;
if (IsFread) if (IsFread)
NewES = (SS->ErrorState == ErrorFEof) ? ErrorFEof : ErrorFEof | ErrorFError; NewES =
(OldSS->ErrorState == ErrorFEof) ? ErrorFEof : ErrorFEof | ErrorFError;
else else
NewES = ErrorFError; NewES = ErrorFError;
// If a (non-EOF) error occurs, the resulting value of the file position // If a (non-EOF) error occurs, the resulting value of the file position
// indicator for the stream is indeterminate. // indicator for the stream is indeterminate.
StreamState NewState = StreamState::getOpened(Desc, NewES, !NewES.isFEof()); StreamState NewSS = StreamState::getOpened(Desc, NewES, !NewES.isFEof());
StateFailed = StateFailed->set<StreamMap>(StreamSym, NewState); StateFailed = StateFailed->set<StreamMap>(StreamSym, NewSS);
if (IsFread && OldSS->ErrorState != ErrorFEof)
C.addTransition(StateFailed, constructSetEofNoteTag(C, StreamSym));
else
C.addTransition(StateFailed); C.addTransition(StateFailed);
} }
SzelethusUnsubmitted
Done
ReplyInline Actions

Oh, this took me quite a bit. Can we change SS to something that reflects that its the current error state, not the new one? Like CurrSS?

Szelethus: Oh, this took me quite a bit. Can we change `SS` to something that reflects that its the…
void StreamChecker::preFseek(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::preFseek(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal StreamVal = getStreamArg(Desc, Call); SVal StreamVal = getStreamArg(Desc, Call);
State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C, State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C,
State); State);
if (!State) if (!State)
▲ Show 20 LinesShow All 41 Lines▼ Show 20 Linesvoid StreamChecker::evalFseek(const FnDescription *Desc, const CallEvent &Call,
// It is possible that fseek fails but sets none of the error flags. // It is possible that fseek fails but sets none of the error flags.
// If fseek failed, assume that the file position becomes indeterminate in any // If fseek failed, assume that the file position becomes indeterminate in any
// case. // case.
StateFailed = StateFailed->set<StreamMap>( StateFailed = StateFailed->set<StreamMap>(
StreamSym, StreamSym,
StreamState::getOpened(Desc, ErrorNone | ErrorFEof | ErrorFError, true)); StreamState::getOpened(Desc, ErrorNone | ErrorFEof | ErrorFError, true));
C.addTransition(StateNotFailed); C.addTransition(StateNotFailed);
C.addTransition(StateFailed); C.addTransition(StateFailed, constructSetEofNoteTag(C, StreamSym));
} }
void StreamChecker::evalClearerr(const FnDescription *Desc, void StreamChecker::evalClearerr(const FnDescription *Desc,
const CallEvent &Call, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol(); SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
if (!StreamSym) if (!StreamSym)
▲ Show 20 LinesShow All 216 Lines▼ Show 20 Lines C.emitReport(std::make_unique<PathSensitiveBugReport>(
"SEEK_SET, SEEK_END, or SEEK_CUR.", "SEEK_SET, SEEK_END, or SEEK_CUR.",
N)); N));
return nullptr; return nullptr;
} }
return State; return State;
} }
void StreamChecker::reportFEofWarning(CheckerContext &C, void StreamChecker::reportFEofWarning(SymbolRef StreamSym, CheckerContext &C,
ProgramStateRef State) const { ProgramStateRef State) const {
if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) { if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
C.emitReport(std::make_unique<PathSensitiveBugReport>( auto R = std::make_unique<PathSensitiveBugReport>(
BT_StreamEof, BT_StreamEof,
"Read function called when stream is in EOF state. " "Read function called when stream is in EOF state. "
"Function has no effect.", "Function has no effect.",
N)); N);
R->markInteresting(StreamSym);
C.emitReport(std::move(R));
return; return;
} }
C.addTransition(State); C.addTransition(State);
} }
ExplodedNode * ExplodedNode *
StreamChecker::reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms, StreamChecker::reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms,
CheckerContext &C, ExplodedNode *Pred) const { CheckerContext &C, ExplodedNode *Pred) const {
▲ Show 20 LinesShow All 74 Lines▼ Show 20 Lines for (SymbolRef Sym : Escaped) {
// somewhere else. // somewhere else.
// Remove symbol from state so the following stream calls on this symbol are // Remove symbol from state so the following stream calls on this symbol are
// not handled by the checker. // not handled by the checker.
State = State->remove<StreamMap>(Sym); State = State->remove<StreamMap>(Sym);
} }
return State; return State;
} }
//===----------------------------------------------------------------------===//
// Checker registration.
//===----------------------------------------------------------------------===//
void ento::registerStreamChecker(CheckerManager &Mgr) { void ento::registerStreamChecker(CheckerManager &Mgr) {
Mgr.registerChecker<StreamChecker>(); Mgr.registerChecker<StreamChecker>();
} }
bool ento::shouldRegisterStreamChecker(const CheckerManager &Mgr) { bool ento::shouldRegisterStreamChecker(const CheckerManager &Mgr) {
return true; return true;
} }
void ento::registerStreamTesterChecker(CheckerManager &Mgr) { void ento::registerStreamTesterChecker(CheckerManager &Mgr) {
auto *Checker = Mgr.getChecker<StreamChecker>(); auto *Checker = Mgr.getChecker<StreamChecker>();
Checker->TestMode = true; Checker->TestMode = true;
} }
bool ento::shouldRegisterStreamTesterChecker(const CheckerManager &Mgr) { bool ento::shouldRegisterStreamTesterChecker(const CheckerManager &Mgr) {
return true; return true;
} }
No newline at end of file

clang/test/Analysis/stream-note.c

Show First 20 LinesShow All 82 Lines▼ Show 20 Linesvoid check_track_null() {
F = fopen("foo1.c", "r"); // expected-note {{Value assigned to 'F'}} expected-note {{Assuming pointer value is null}} F = fopen("foo1.c", "r"); // expected-note {{Value assigned to 'F'}} expected-note {{Assuming pointer value is null}}
if (F != NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is equal to NULL}} if (F != NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is equal to NULL}}
fclose(F); fclose(F);
return; return;
} }
fclose(F); // expected-warning {{Stream pointer might be NULL}} fclose(F); // expected-warning {{Stream pointer might be NULL}}
// expected-note@-1 {{Stream pointer might be NULL}} // expected-note@-1 {{Stream pointer might be NULL}}
} }
void check_eof_notes_feof_after_feof() {
FILE *F;
char Buf[10];
F = fopen("foo1.c", "r");
if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}}
return;
}
fread(Buf, 1, 1, F);
if (feof(F)) { // expected-note {{Taking true branch}}
clearerr(F);
fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}}
if (feof(F)) { // expected-note {{Taking true branch}}
fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}}
// expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}}
}
}
fclose(F);
}
void check_eof_notes_feof_after_no_feof() {
FILE *F;
char Buf[10];
F = fopen("foo1.c", "r");
if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}}
return;
}
fread(Buf, 1, 1, F);
if (feof(F)) { // expected-note {{Taking false branch}}
fclose(F);
return;
} else if (ferror(F)) { // expected-note {{Taking false branch}}
fclose(F);
return;
}
fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}}
if (feof(F)) { // expected-note {{Taking true branch}}
fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}}
// expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}}
}
fclose(F);
}
void check_eof_notes_feof_or_no_error() {
martongUnsubmitted
Done
ReplyInline Actions

Perhaps we could have some more explanatory test case names. I mean how _3 is different than _2? What is the case each of them exactly tests?

martong: Perhaps we could have some more explanatory test case names. I mean how _3 is different than _2?
FILE *F;
char Buf[10];
F = fopen("foo1.c", "r");
if (F == NULL) // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}}
return;
int RRet = fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}}
if (ferror(F)) { // expected-note {{Taking false branch}}
martongUnsubmitted
Not Done
ReplyInline Actions

Strictly speaking it is not necessarily and end-of-file status, ferror indicates if there was an error.

martong: Strictly speaking it is not necessarily and end-of-file status, `ferror` indicates if there was…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Exacly the ferror(F) is false here. If it is false we may have successful read or EOF after read. So the message about "Assuming that stream reaches end-of-file here" is really an assumption here (pick one from the two possible results). And if EOF happens and ferror is false the feof must be true, this is revealed when we know that ferror is false.

balazske: Exacly the `ferror(F)` is false here. If it is false we may have successful read or EOF after…
} else {
fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}}
// expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}}
}
fclose(F);
}