This is an archive of the discontinued LLVM Phabricator instance.

Differential D71510

[clang][checkers] Added new checker 'error-return-checker'.
AbandonedPublic

Authored by balazske on Dec 14 2019, 2:25 AM.

Details

Reviewers
baloghadamsoftware
Szelethus
NoQ
Summary

Adding a new checker alpha.unix.ErrorReturn.

This check should implement SEI CERT C Coding Standard rule
"ERR33-C. Detect and handle standard library errors".

Diff Detail

Event Timeline

balazske created this revision.Dec 14 2019, 2:25 AM
Herald added a project: Restricted Project. · View Herald TranscriptDec 14 2019, 2:25 AM
Herald added subscribers: cfe-commits, gamesh411, Szelethus and 2 others. · View Herald Transcript
Harbormaster completed remote builds in B42510: Diff 233926.Dec 14 2019, 2:27 AM
balazske added a comment.Dec 14 2019, 2:40 AM

Code is to be reformatted later.

balazske updated this revision to Diff 234730.Dec 19 2019, 8:40 AM

Adding a new diff over the previous one.
(The commit was amended accidentally.)

Harbormaster completed remote builds in B42783: Diff 234730.Dec 19 2019, 8:41 AM
balazske added reviewers: baloghadamsoftware, Szelethus.Dec 19 2019, 8:43 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptDec 19 2019, 8:43 AM
balazske updated this revision to Diff 236070.Jan 3 2020, 8:17 AM
  • Implemented all (now possible) functions.
  • Moved ParmVal value to own state map.
  • Improved state data and bug reporting.
Harbormaster completed remote builds in B43242: Diff 236070.Jan 3 2020, 8:22 AM
balazske added a comment.Jan 3 2020, 8:32 AM

Works relatively good now but not perfect. The tests are sometimes too strict so there are some false positives, for example this case:

unsigned long X = strtoul("345", NULL, 10);
if (X > 100) {
 // handle error
}

The result is not checked for ULONG_MAX but still the code is correct in this way. But we can not figure out the intention of the programmer to detect what is an "error handling code" to check for error handling branches. Other solution is to detect any branch condition that involves the value (returned from the function) as a "test for error return value" but this is probably not better.

balazske updated this revision to Diff 236349.Jan 6 2020, 6:20 AM
  • Added variadic functions, improved comments.
Harbormaster completed remote builds in B43341: Diff 236349.Jan 6 2020, 6:23 AM
gamesh411 added a comment.Jan 6 2020, 7:16 AM

Great job, this seems to be progressing nicely! please see my comments inline.

clang/lib/StaticAnalyzer/Checkers/ErrorReturnChecker.cpp
39

Value is not the name of the parameter, maybe a refactoring missed this comment.

78

I think the current implementation is slightly different. The ValueErrorResultChecker uses symbolic evaluation of the equation with a ConcreteInt 0 value, while the ProgramState::isNull checks if the value is a constant and if it is not a zero constant (also calls further to ConstraintManager::isNull).

159

Maybe only checking for negative value is enough? My gut feeling is that the equality check is redundant. I would argue:
let A be: Value is negative
let B be: Value is equal to -1

since B implies A, (A or B) can be simplified to just A.
This presupposes that every time B can reasoned about A can be too.
This seems to be the case for here as well, as the definiteness of being equal to -1 is stronger than being lower than 0.

clang/test/Analysis/error-return.c
271

just for the sake of completeness; mention all the cases where error checking is deemed unnecessary as per ERR-33-EX1

https://wiki.sei.cmu.edu/confluence/display/c/ERR33-C.+Detect+and+handle+standard+library+errors#ERR33-C.Detectandhandlestandardlibraryerrors-Exceptions

balazske marked 3 inline comments as done.Jan 7 2020, 12:07 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/ErrorReturnChecker.cpp
78

I think if there is a method for a special purpose (isNull) it is better to use that, it can be more efficient.

159

The test

void test_NegativeOrEofCorrectCheck1() {
  int X = fputs("", NULL);
  if (X == -1) {
  }
}

fails when only the check for negative value is there.

The problem is with the negated part: If there is a "X==-1" statement in the code to check then the "X<0" assumption is true but "X>=0" is not known because X can be less than -1. This check should accept the "X==-1" and "X<0" type of code.

clang/test/Analysis/error-return.c
271

It seems that the better solution is to check for those functions too, and add a feature to the checker that ignores functions that are casted to void. The exception list says that even in these exceptions the (void) cast is needed. (Probably a other kind of warning message can be used for these functions.) The "function can not fail" and "return value is inconsequential" cases are not detectable by the checker (these cases depend on the context of the function call, not on the function itself, otherwise the function should appear in the list of functions to be ignored).

balazske updated this revision to Diff 237053.Jan 9 2020, 6:19 AM
  • Prevent warning if call is in a return statement.
  • Prevent warning if call is casted to void.
  • Added documentation.
  • Fixed the tests.
  • Some other fixes.
Harbormaster completed remote builds in B43588: Diff 237053.Jan 9 2020, 6:27 AM
balazske retitled this revision from [clang][checkers] Added new checker 'error-return-checker'. (WIP) to [clang][checkers] Added new checker 'error-return-checker'..Jan 9 2020, 6:31 AM
balazske edited the summary of this revision. (Show Details)
balazske updated this revision to Diff 237061.Jan 9 2020, 6:41 AM
  • More fixes in test files.
Harbormaster completed remote builds in B43592: Diff 237061.Jan 9 2020, 6:46 AM
balazske added a reviewer: NoQ.Jan 10 2020, 2:41 AM

Checker was tested with tmux, no problems found (there are false positives but not easy to fix).

balazske updated this revision to Diff 237680.Jan 13 2020, 7:51 AM
  • Improved function list format in documentation.
Harbormaster completed remote builds in B43831: Diff 237680.Jan 13 2020, 7:54 AM
NoQ added a comment.Jan 13 2020, 5:05 PM

Uh-oh, what happened here?

Please don't post huge patches. 600 lines of code is huge. You could start off by implementing a single check (eg., NullErrorResultChecker) with a single library function and then add more checks and more functions in follow-up patches; this would have been much easier to review and would have made the community happy.

Ok, here's how i see this:

  1. In the beginning there was __attribute__((warn_unused_result)). It came with a compiler warning when the return value was completely discarded. Putting it into a variable or casting it to (void) silenced the warning.
  2. Then someone decided that putting that attribute on printf and scanf is not humane because it will infuriate all first-year computer science students who just want to read a number, multiply it by 2 and print the answer. So it was removed from most functions that needed it for security-related reasons, and only remained on, basically, pure functions such as std::vector::empty() (so that it wasn't confused with std::vector::clear()).
  3. Removing the attribute from library headers means that the compiler will be completely unable to diagnose upon discarded return values. After all, the compiler isn't allowed to possess knowledge of APIs.
  4. This is where @balazske comes in and decides to put the extra warning into the Static Analyzer. After all, it's allowed to possess knowledge of APIs, and it's also an opt-in tool, which avoids the first-year students problem.
  5. But then @balazske becomes obsessed with the power that the Static Analyzer gives him and decides to also make the warning perfectly precise with the help of path-sensitive analysis. This would show it to all the nasty developers who have so far got away with casting the value to (void) to suppress the warning. They can no longer trick us. They will have to actually check the value.

I want to discuss step 5. Do we really need to go that far? Your solution is mathematically perfect (it probably isn't just by looking at the set of the checker callbacks that you've subscribed so far, but suppose it is). But is it actually good for the humanity to have the perfect solution? Do you really want to uncover all the places where the developer has intentionally suppressed the warning for the unused result? Do you really want to engage in an arms race with a developer who wants to silence the warning? Or would everybody be much happier if you simply re-used the implementation of __attribute__((warn_unused_result)) and treat its limitations as if it's the intended behavior?

Like, i myself don't have an answer to this question. I kind of understand both sides. Your approach is more costly, as you'll have to re-investigate all the previous suppression sites, but it may uncover a few more bugs, as well as some accidental omissions that were accidentally suppressed (e.g., the return value was intentionally put into a variable, but the value was never read (which is btw also a dead store, so our other checker will find it)). On the other hand, I believe that a simple AST-based approach employed by warn_unused_result would be good enough for most practical purposes, it would have low false positive rate (something we really value a lot) and provide an intuitive suppression mechanism, and it will also be much easier to maintain (which really pleases me as a maintainer who'll have to fix bugs in your code once it's committed, but ideally it shouldn't outweigh the benefits of the user).

I'd love to have you collect some data on this subject, and you're in a good position to do so, given that you already have a checker. If you run your checker on a lot of code, how many warnings will be non-trivially path-sensitive (i.e., the value isn't immediately discarded but dragged around for a bit, but still not checked)? Are these warnings valuable? How many of them highlight intentional suppressions?

balazske added a comment.EditedJan 14 2020, 1:51 AM

The checker was implemented in smaller parts that are visible in the commit list. I can split the patch at the commits (and figure out how to use git history manipulations and phabricator in a better way?).
But not the line count in itself matters. Many lines are relatively "equivalent" in the FnInfo table and the tests (still these are something to look for).

balazske added a comment.Jan 14 2020, 2:09 AM

I wanted to implement the rules described here:
https://wiki.sei.cmu.edu/confluence/display/c/ERR33-C.+Detect+and+handle+standard+library+errors
This lists the functions to check so this knowledge has to be built into the checker and there are examples of this in other checkers (stream or memory or string functions for example). The functions have different kinds conditions on the return value in case of error. It is not sufficient to simply check that the return value is assigned to something or used because it may be used without check for error. So I tried to do something that can find if exactly a check for the error condition was made. (Still it is not perfect because the value can be used before the error checking.)
The cast to void is the special way to avoid the warning, in every other case the return value has to be checked for error or there is an exception that should be documented (if the function "can not fail" or the error does not matter). This may be too much warnings for a normal project but acceptable if extra safe code is needed. If we want to have that clang SA can (at least partially) check for that rule "ERR33-C" this (or similar) check is needed.

balazske added a comment.Jan 14 2020, 7:57 AM

Smaller diff with first part:
https://reviews.llvm.org/D72705

Szelethus mentioned this in D72705: [analyzer] Added new checker 'alpha.unix.ErrorReturn'..Feb 5 2020, 4:39 AM
balazske mentioned this in D70411: [analyzer] CERT STR rule checkers: STR31-C.Mar 25 2020, 1:58 AM
balazske planned changes to this revision.Aug 18 2020, 9:41 PM

This patch is here for code reference only. Although the whole checker does not work safe in this way the idea behind this approach can be useful.

Herald added subscribers: martong, Charusso. · View Herald TranscriptAug 18 2020, 9:41 PM
balazske abandoned this revision.Jan 5 2021, 8:21 AM

Revision Contents

PathSize
clang/
docs/
analyzer/
63 lines
include/
clang/
StaticAnalyzer/
Checkers/
4 lines
lib/
StaticAnalyzer/
Checkers/
1 line
694 lines
test/
Analysis/
Inputs/
24 lines
625 lines

Diff 237680

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 2,077 Lines▼ Show 20 Lines
void f(); void f();
void test() { void test() {
chroot("/usr/local"); chroot("/usr/local");
f(); // warn: no call of chdir("/") immediately after chroot f(); // warn: no call of chdir("/") immediately after chroot
} }
.. _alpha-unix-ErrorReturn:
alpha.unix.ErrorReturn (C)
""""""""""""""""""""""""""
Check for unchecked return value from certain API functions.
A warning is produced if the function is used without checking the return value of it for error condition.
No warning is produced when the function call is explicitly casted to ``void``.
Limitations:
* To be found by the checker, the error checking should occur on the same stack level as the function call to check or in a called function.
* For functions that return the smallest or largest representable numeric value on error, the error check should test specifically for these
values, not for a smaller interval.
* Implicit conversion to condition type (``if (value)``) is not detected. You can use code like ``if (!value)`` or ``if (value != NULL)`` instead.
The following functions are supported:
``aligned_alloc, asctime_s, at_quick_exit, atexit, bsearch, bsearch_s, btowc, c16rtomb, c32rtomb, calloc, clock, ctime_s, fclose, fflush,
fgetc, fgetpos, fgets, fgetwc, fopen, fopen_s, fprintf, fprintf_s, fputc, fputs, fputwc, fputws, fread, freopen, freopen_s, fscanf, fscanf_s,
fseek, fsetpos, ftell, fwprintf, fwprintf_s, fwrite, fwscanf, fwscanf_s, getc, getchar, getenv, getenv_s, gets_s, getwc, getwchar, gmtime,
gmtime_s, localtime, localtime_s, malloc, mblen, mbrlen, mbrtoc16, mbrtoc32, mbrtowc, mbsrtowcs, mbsrtowcs_s, mbstowcs, mbstowcs_s, mbtowc,
memchr, mktime, printf_s, putc, putwc, raise, realloc, remove, rename, setlocale, setvbuf, scanf, scanf_s, snprintf, snprintf_s,
snwprintf_s, sprintf, sprintf_s, sscanf, sscanf_s, strchr, strerror_s, strftime, strpbrk, strrchr, strstr, strtod, strtof,
strtoimax, strtok, strtok_s, strtol, strtoll, strtoumax, strtoul, strtoull, swprintf, swprintf_s, swscanf, swscanf_s, time, timespec_get,
tmpfile, tmpfile_s, tmpnam, tmpnam_s, tss_get, ungetc, ungetwc, vfprintf, vfprintf_s, vfscanf, vfscanf_s, vfwprintf, vfwprintf_s,
vfwscanf, vfwscanf_s, vprintf, vprintf_s, vscanf, vscanf_s, vsnprintf, vsnprintf_s, vsnwprintf_s, vsprintf, vsprintf_s, vsscanf,
vsscanf_s, vswprintf, vswprintf_s, vswscanf, vswscanf_s, vwprintf_s, vwscanf, vwscanf_s, wcrtomb, wcrtomb_s, wcschr, wcsftime,
wcspbrk, wcsrchr, wcsrtombs, wcsrtombs_s, wcsstr, wcstod, wcstof, wcstoimax, wcstok, wcstok_s, wcstol, wcstold, wcstoll, wcstombs,
wcstombs_s, wcstoumax, wcstoul, wcstoull, wctob, wctomb, wctomb_s, wctrans, wctype, wmemchr, wprintf_s, wscanf, wscanf_s``
The following functions are not supported:
``cnd_broadcast, cnd_init, cnd_signal, cnd_timedwait, cnd_wait, mtx_init, mtx_lock, mtx_timedlock, mtx_trylock, mtx_unlock, signal, strtold,
thrd_create, thrd_detach, thrd_join, thrd_sleep, tss_create, tss_set``
The following functions are not checked:
``putchar, putwchar, puts, printf, vprintf, wprintf, vwprintf, strxfrm, wcsxfrm¸
kill_dependency, memcpy, wmemcpy, memmove, wmemmove, strcpy, wcscpy, strncpy, wcsncpy,
strcat, wcscat, strncat, wcsncat, memset, wmemset``
Return value of these functions is traditionally not checked for error or there is no specific error condition.
.. code-block:: c
void test1() {
void *p = malloc(10);
// warn: missing or incomplete error check of return value
}
void test2() {
FILE* fp = fopen("test.txt", "r");
// warn: missing or incomplete error check of return value
fclose(fp);
// warn: missing or incomplete error check of return value
}
void test3() {
FILE* fp = fopen("test.txt", "r");
if (!fp) {
perror("File opening failed");
return;
}
(void)fclose(fp);
// warning is suppressed by explicit cast to void
}
.. _alpha-unix-PthreadLock: .. _alpha-unix-PthreadLock:
alpha.unix.PthreadLock (C) alpha.unix.PthreadLock (C)
"""""""""""""""""""""""""" """"""""""""""""""""""""""
Simple lock -> unlock checker. Simple lock -> unlock checker.
Applies to: ``pthread_mutex_lock, pthread_rwlock_rdlock, pthread_rwlock_wrlock, lck_mtx_lock, lck_rw_lock_exclusive`` Applies to: ``pthread_mutex_lock, pthread_rwlock_rdlock, pthread_rwlock_wrlock, lck_mtx_lock, lck_rw_lock_exclusive``
``lck_rw_lock_shared, pthread_mutex_trylock, pthread_rwlock_tryrdlock, pthread_rwlock_tryrwlock, lck_mtx_try_lock, ``lck_rw_lock_shared, pthread_mutex_trylock, pthread_rwlock_tryrdlock, pthread_rwlock_tryrwlock, lck_mtx_try_lock,
lck_rw_try_lock_exclusive, lck_rw_try_lock_shared, pthread_mutex_unlock, pthread_rwlock_unlock, lck_mtx_unlock, lck_rw_done``. lck_rw_try_lock_exclusive, lck_rw_try_lock_shared, pthread_mutex_unlock, pthread_rwlock_unlock, lck_mtx_unlock, lck_rw_done``.
▲ Show 20 LinesShow All 263 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 421 Lines▼ Show 20 Lines
} // end "unix" } // end "unix"
let ParentPackage = UnixAlpha in { let ParentPackage = UnixAlpha in {
def ChrootChecker : Checker<"Chroot">, def ChrootChecker : Checker<"Chroot">,
HelpText<"Check improper use of chroot">, HelpText<"Check improper use of chroot">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
def ErrorReturnChecker : Checker<"ErrorReturn">,
HelpText<"Check for unchecked error return values">,
Documentation<HasAlphaDocumentation>;
def PthreadLockChecker : Checker<"PthreadLock">, def PthreadLockChecker : Checker<"PthreadLock">,
HelpText<"Simple lock -> unlock checker">, HelpText<"Simple lock -> unlock checker">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
def StreamChecker : Checker<"Stream">, def StreamChecker : Checker<"Stream">,
HelpText<"Check stream handling functions">, HelpText<"Check stream handling functions">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
▲ Show 20 LinesShow All 977 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show All 29 Linesadd_clang_library(clangStaticAnalyzerCheckers
DebugCheckers.cpp DebugCheckers.cpp
DeleteWithNonVirtualDtorChecker.cpp DeleteWithNonVirtualDtorChecker.cpp
DereferenceChecker.cpp DereferenceChecker.cpp
DirectIvarAssignment.cpp DirectIvarAssignment.cpp
DivZeroChecker.cpp DivZeroChecker.cpp
DynamicTypePropagation.cpp DynamicTypePropagation.cpp
DynamicTypeChecker.cpp DynamicTypeChecker.cpp
EnumCastOutOfRangeChecker.cpp EnumCastOutOfRangeChecker.cpp
ErrorReturnChecker.cpp
ExprInspectionChecker.cpp ExprInspectionChecker.cpp
FixedAddressChecker.cpp FixedAddressChecker.cpp
GCDAntipatternChecker.cpp GCDAntipatternChecker.cpp
GenericTaintChecker.cpp GenericTaintChecker.cpp
GTestChecker.cpp GTestChecker.cpp
IdenticalExprChecker.cpp IdenticalExprChecker.cpp
InnerPointerChecker.cpp InnerPointerChecker.cpp
IteratorChecker.cpp IteratorChecker.cpp
▲ Show 20 LinesShow All 75 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/ErrorReturnChecker.cpp

  • This file was added.
//===-- ErrorReturnChecker.cpp ------------------------------------*- C++ -*--//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines ErrorReturnChecker, a builtin checker that checks for
// error checking of certain C API function return values.
// This check corresponds to SEI CERT ERR33-C.
//
//===----------------------------------------------------------------------===//
#include "clang/AST/Expr.h"
#include "clang/AST/ParentMap.h"
#include "clang/AST/Stmt.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include <functional>
using namespace clang;
using namespace ento;
using namespace std::placeholders;
REGISTER_MAP_WITH_PROGRAMSTATE(ParmValMap, SymbolRef, llvm::APSInt)
namespace {
class CheckForErrorResultChecker {
public:
// The idea for this check is that the constraints (generated by branch
gamesh411Unsubmitted
Not Done
ReplyInline Actions

Value is not the name of the parameter, maybe a refactoring missed this comment.

gamesh411: Value is not the name of the parameter, maybe a refactoring missed this comment.
// conditions) on the return value of a function call to check point out what
// checks are done in the code. At each branch condition test the constraints
// on the function return value by making assumptions that it satisfies the
// error condition. If at one point the return value is sure to satisfy or
// non-satisfy the error condition we assume that there was a branch condition
// that makes these constraints so the error check is there. (The code seems
// to work even if the function is modeled by some other checker.)
//
// 'Sym' is the symbol for the function call to check (key in GDM).
// 'Value' is the current value of the symbol.
// 'RetTy' is the return type of the function (obtained from the AST).
// Return true if correct error checking was found.
virtual bool checkBranchCondition(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym, DefinedOrUnknownSVal Value,
const QualType &RetTy) const = 0;
};
// Error return is a fixed value (default zero).
class ValueErrorResultChecker : public CheckForErrorResultChecker {
public:
ValueErrorResultChecker(uint64_t ErrorResultValue = 0)
: ErrorResultValue(ErrorResultValue) {
;
}
bool checkBranchCondition(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym, DefinedOrUnknownSVal Value,
const QualType &RetTy) const override {
SValBuilder &SVB = C.getSValBuilder();
// Test if the return value equals a fixed error code.
DefinedOrUnknownSVal Eval =
SVB.evalEQ(State, Value, SVB.makeIntVal(ErrorResultValue, RetTy));
auto Assumed = State->assume(Eval);
// The error check is correct if we know that the error or the non-error
// condition exactly is satisfied.
return ((Assumed.first && !Assumed.second) ||
(!Assumed.first && Assumed.second));
}
gamesh411Unsubmitted
Not Done
ReplyInline Actions

I think the current implementation is slightly different. The ValueErrorResultChecker uses symbolic evaluation of the equation with a ConcreteInt 0 value, while the ProgramState::isNull checks if the value is a constant and if it is not a zero constant (also calls further to ConstraintManager::isNull).

gamesh411: I think the current implementation is slightly different. The ValueErrorResultChecker uses…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I think if there is a method for a special purpose (isNull) it is better to use that, it can be more efficient.

balazske: I think if there is a method for a special purpose (`isNull`) it is better to use that, it can…
private:
uint64_t ErrorResultValue;
};
// Error return is a NULL value.
// This should work with any type of null value.
class NullErrorResultChecker : public CheckForErrorResultChecker {
public:
bool checkBranchCondition(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym, DefinedOrUnknownSVal Value,
const QualType &RetTy) const override {
ConditionTruthVal Nullness = State->isNull(Value);
return Nullness.isConstrained();
}
};
// Error return is any negative value.
// This should check for the "return value < 0" type of code.
class NegativeErrorResultChecker : public CheckForErrorResultChecker {
public:
bool checkBranchCondition(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym, DefinedOrUnknownSVal Value,
const QualType &RetTy) const override {
SValBuilder &SVB = C.getSValBuilder();
// Test if the return value is negative.
SVal Eval = SVB.evalBinOp(State, clang::BO_LT, Value,
SVB.makeZeroVal(RetTy), SVB.getConditionType());
auto DefEval = Eval.getAs<DefinedOrUnknownSVal>();
if (DefEval) {
auto Assumed = State->assume(*DefEval);
// The error check is correct if we know that the error or the non-error
// condition exactly is satisfied.
return ((Assumed.first && !Assumed.second) ||
(!Assumed.first && Assumed.second));
}
return true; // Assume that the check is correct if we could not evaluate
// (to avoid false positives).
}
};
// Error return is any positive (or non-positive) value.
// This can be used when zero or negative return value indicates some kind of
// error.
class PositiveErrorResultChecker : public CheckForErrorResultChecker {
public:
bool checkBranchCondition(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym, DefinedOrUnknownSVal Value,
const QualType &RetTy) const override {
SValBuilder &SVB = C.getSValBuilder();
// Test if the return value is negative.
SVal Eval = SVB.evalBinOp(State, clang::BO_GT, Value,
SVB.makeZeroVal(RetTy), SVB.getConditionType());
auto DefEval = Eval.getAs<DefinedOrUnknownSVal>();
if (DefEval) {
auto Assumed = State->assume(*DefEval);
// The error check is correct if we know that the error or the non-error
// condition exactly is satisfied.
return ((Assumed.first && !Assumed.second) ||
(!Assumed.first && Assumed.second));
}
return true;
}
};
// 0 is success, -1 (EOF) is error, no other values possible.
class ZeroOrEofErrorResultChecker : public CheckForErrorResultChecker {
public:
bool checkBranchCondition(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym, DefinedOrUnknownSVal Value,
const QualType &RetTy) const override {
SValBuilder &SVB = C.getSValBuilder();
DefinedOrUnknownSVal Eval1 =
SVB.evalEQ(State, Value, SVB.makeIntVal(0, RetTy));
DefinedOrUnknownSVal Eval2 =
SVB.evalEQ(State, Value, SVB.makeIntVal(-1, RetTy));
auto Assumed1 = State->assume(Eval1);
auto Assumed2 = State->assume(Eval2);
return ((Assumed1.first && !Assumed1.second) ||
(!Assumed1.first && Assumed1.second)) ||
((Assumed2.first && !Assumed2.second) ||
(!Assumed2.first && Assumed2.second));
gamesh411Unsubmitted
Not Done
ReplyInline Actions

Maybe only checking for negative value is enough? My gut feeling is that the equality check is redundant. I would argue:
let A be: Value is negative
let B be: Value is equal to -1

since B implies A, (A or B) can be simplified to just A.
This presupposes that every time B can reasoned about A can be too.
This seems to be the case for here as well, as the definiteness of being equal to -1 is stronger than being lower than 0.

gamesh411: Maybe only checking for negative value is enough? My gut feeling is that the equality check is…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The test

void test_NegativeOrEofCorrectCheck1() {
  int X = fputs("", NULL);
  if (X == -1) {
  }
}

fails when only the check for negative value is there.

The problem is with the negated part: If there is a "X==-1" statement in the code to check then the "X<0" assumption is true but "X>=0" is not known because X can be less than -1. This check should accept the "X==-1" and "X<0" type of code.

balazske: The test ``` void test_NegativeOrEofCorrectCheck1() { int X = fputs("", NULL); if (X == -1)…
}
};
// Only EOF is the possible negative return value, and it is OK to have "return
// value < 0" check too.
class NegativeOrEofErrorResultChecker : public CheckForErrorResultChecker {
public:
bool checkBranchCondition(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym, DefinedOrUnknownSVal Value,
const QualType &RetTy) const override {
SValBuilder &SVB = C.getSValBuilder();
SVal EvalNegative =
SVB.evalBinOp(State, clang::BO_LT, Value, SVB.makeZeroVal(RetTy),
SVB.getConditionType());
auto DefEvalNegative = EvalNegative.getAs<DefinedOrUnknownSVal>();
if (!DefEvalNegative)
return true;
DefinedOrUnknownSVal EvalEof =
SVB.evalEQ(State, Value, SVB.makeIntVal(-1, RetTy));
auto AssumedNegative = State->assume(*DefEvalNegative);
auto AssumedEof = State->assume(EvalEof);
return ((AssumedNegative.first && !AssumedNegative.second) ||
(!AssumedNegative.first && AssumedNegative.second)) ||
((AssumedEof.first && !AssumedEof.second) ||
(!AssumedEof.first && AssumedEof.second));
}
};
// Error value is minimal or maximal value of the return type.
class MinMaxErrorResultChecker : public CheckForErrorResultChecker {
public:
bool checkBranchCondition(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym, DefinedOrUnknownSVal Value,
const QualType &RetTy) const override {
SValBuilder &SVB = C.getSValBuilder();
BasicValueFactory &BVF = SVB.getBasicValueFactory();
DefinedOrUnknownSVal EvalMin =
SVB.evalEQ(State, Value, SVB.makeIntVal(BVF.getMinValue(RetTy)));
DefinedOrUnknownSVal EvalMax =
SVB.evalEQ(State, Value, SVB.makeIntVal(BVF.getMaxValue(RetTy)));
auto AssumedMin = State->assume(EvalMin);
auto AssumedMax = State->assume(EvalMax);
return ((AssumedMin.first && !AssumedMin.second) ||
(!AssumedMin.first && AssumedMin.second)) &&
((AssumedMax.first && !AssumedMax.second) ||
(!AssumedMax.first && AssumedMax.second));
}
};
// Error value is maximal value of the return type.
class MaxErrorResultChecker : public CheckForErrorResultChecker {
public:
bool checkBranchCondition(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym, DefinedOrUnknownSVal Value,
const QualType &RetTy) const override {
SValBuilder &SVB = C.getSValBuilder();
BasicValueFactory &BVF = SVB.getBasicValueFactory();
DefinedOrUnknownSVal EvalMax =
SVB.evalEQ(State, Value, SVB.makeIntVal(BVF.getMaxValue(RetTy)));
auto AssumedMax = State->assume(EvalMax);
return ((AssumedMax.first && !AssumedMax.second) ||
(!AssumedMax.first && AssumedMax.second));
}
};
// Error return value is something less than the value of an argument passed to
// the function. Typical case: The 'fread' function.
class LessThanParmValErrorResultChecker : public CheckForErrorResultChecker {
public:
bool checkBranchCondition(CheckerContext &C, ProgramStateRef State,
SymbolRef Sym, DefinedOrUnknownSVal Value,
const QualType &RetTy) const override {
const llvm::APSInt *ParmVal = State->get<ParmValMap>(Sym);
if (!ParmVal)
return true;
SValBuilder &SVB = C.getSValBuilder();
DefinedOrUnknownSVal Eval1 =
SVB.evalEQ(State, Value, SVB.makeIntVal(*ParmVal));
auto Assumed1 = State->assume(Eval1);
SVal Eval2 = SVB.evalBinOp(State, BO_LT, Value, SVB.makeIntVal(*ParmVal),
SVB.getConditionType());
auto DefEval2 = Eval2.getAs<DefinedOrUnknownSVal>();
if (DefEval2) {
auto Assumed2 = State->assume(*DefEval2);
return ((Assumed1.first && !Assumed1.second) ||
(!Assumed1.first && Assumed1.second)) ||
((Assumed2.first && !Assumed2.second) ||
(!Assumed2.first && Assumed2.second));
} else {
return ((Assumed1.first && !Assumed1.second) ||
(!Assumed1.first && Assumed1.second));
}
}
};
using FnFilter = std::function<bool(const CallEvent &, CheckerContext &)>;
struct FnInfo {
Optional<unsigned int> MinArgCount;
CheckForErrorResultChecker *Checker;
Optional<unsigned int> ParmI;
FnFilter Filter;
mutable QualType RetTy;
FnInfo(CheckForErrorResultChecker *Checker, Optional<unsigned int> ParmI = {},
FnFilter Filter = {})
: Checker(Checker), ParmI(ParmI), Filter(Filter) {
;
}
FnInfo(unsigned int MinArgCount, CheckForErrorResultChecker *Checker,
Optional<unsigned int> ParmI = {}, FnFilter Filter = {})
: MinArgCount(MinArgCount), Checker(Checker), ParmI(ParmI),
Filter(Filter) {
;
}
};
bool filterNullArg(const CallEvent &Call, CheckerContext &C,
unsigned int ArgI) {
ConditionTruthVal IsNull = C.getState()->isNull(Call.getArgSVal(ArgI));
return IsNull.isConstrainedTrue();
}
class ErrorReturnChecker
: public Checker<check::PostCall, check::BranchCondition,
check::DeadSymbols> {
mutable std::unique_ptr<BuiltinBug> BT_Unchecked;
public:
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
void checkBranchCondition(const Stmt *S, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
private:
void emitUnchecked(CheckerContext &C, ExplodedNode *N, SymbolRef Sym) const;
// These checkers are symmetric for the error condition.
// (The 'zero error' works with check for zero or nonzero error return value.)
ValueErrorResultChecker CheckZeroErrorResult;
NullErrorResultChecker CheckNullErrorResult;
// Assume that any kind of EOF is the representation of a -1 value.
ValueErrorResultChecker CheckEofErrorResult{-1ul};
NegativeErrorResultChecker CheckNegativeErrorResult;
PositiveErrorResultChecker CheckPositiveErrorResult;
ZeroOrEofErrorResultChecker CheckZeroOrEofErrorResult;
NegativeOrEofErrorResultChecker CheckNegativeOrEofErrorResult;
MinMaxErrorResultChecker CheckMinMaxErrorResult;
MaxErrorResultChecker CheckMaxErrorResult;
LessThanParmValErrorResultChecker CheckLessThanParmValErrorResult;
CallDescriptionMap<FnInfo> CheckedFunctions = {
{{"aligned_alloc", 2}, FnInfo{&CheckNullErrorResult}},
{{"asctime_s", 3}, FnInfo{&CheckZeroErrorResult}},
{{"at_quick_exit", 1}, FnInfo{&CheckZeroErrorResult}},
{{"atexit", 1}, FnInfo{&CheckZeroErrorResult}},
{{"bsearch", 5}, FnInfo{&CheckNullErrorResult}},
{{"bsearch_s", 6}, FnInfo{&CheckNullErrorResult}},
{{"btowc", 1}, FnInfo{&CheckEofErrorResult}},
{{"c16rtomb", 3}, FnInfo{&CheckEofErrorResult}},
{{"c32rtomb", 3}, FnInfo{&CheckEofErrorResult}},
{{"calloc", 2}, FnInfo{&CheckNullErrorResult}},
{{"clock", 0}, FnInfo{&CheckEofErrorResult}},
// FIXME: Knowledge of enum values is needed for these.
//{{"cnd_broadcast", 1}, FnInfo{&CheckZeroErrorResult}},
//{{"cnd_init", 1}, FnInfo{&CheckZeroErrorResult}},
//{{"cnd_signal", 1}, FnInfo{&CheckZeroErrorResult}},
//{{"cnd_timedwait", 3}, FnInfo{&CheckZeroErrorResult}},
//{{"cnd_wait", 2}, FnInfo{&CheckZeroErrorResult}},
{{"ctime_s", 3}, FnInfo{&CheckZeroErrorResult}},
{{"fclose", 1}, FnInfo{&CheckZeroOrEofErrorResult}},
{{"fflush", 1}, FnInfo{&CheckZeroOrEofErrorResult}},
{{"fgetc", 1}, FnInfo{&CheckEofErrorResult}},
{{"fgetpos", 2}, FnInfo{&CheckZeroErrorResult}},
{{"fgets", 3}, FnInfo{&CheckNullErrorResult}},
{{"fgetwc", 1}, FnInfo{&CheckEofErrorResult}},
{{"fopen", 2}, FnInfo{&CheckNullErrorResult}},
{{"fopen_s", 3}, FnInfo{&CheckZeroErrorResult}},
{{"fprintf"}, FnInfo{2, &CheckNegativeErrorResult}},
{{"fprintf_s"}, FnInfo{2, &CheckNegativeErrorResult}},
{{"fputc", 2}, FnInfo{&CheckEofErrorResult}},
{{"fputs", 2}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"fputwc", 2}, FnInfo{&CheckEofErrorResult}},
{{"fputws", 2}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"fread", 4}, FnInfo{&CheckLessThanParmValErrorResult, 2}},
{{"freopen", 3}, FnInfo{&CheckNullErrorResult}},
{{"freopen_s", 4}, FnInfo{&CheckZeroErrorResult}},
{{"fscanf"}, FnInfo{2, &CheckNegativeOrEofErrorResult}},
{{"fscanf_s"}, FnInfo{2, &CheckNegativeOrEofErrorResult}},
{{"fseek", 3}, FnInfo{&CheckZeroErrorResult}},
{{"fsetpos", 2}, FnInfo{&CheckZeroErrorResult}},
{{"ftell", 1}, FnInfo{&CheckEofErrorResult}},
{{"fwprintf"}, FnInfo{2, &CheckNegativeErrorResult}},
{{"fwprintf_s"}, FnInfo{2, &CheckNegativeErrorResult}},
{{"fwrite", 4}, FnInfo{&CheckLessThanParmValErrorResult, 2}},
{{"fwscanf"}, FnInfo{2, &CheckNegativeOrEofErrorResult}},
{{"fwscanf_s"}, FnInfo{2, &CheckNegativeOrEofErrorResult}},
{{"getc", 1}, FnInfo{&CheckEofErrorResult}},
{{"getchar", 0}, FnInfo{&CheckEofErrorResult}},
{{"getenv", 1}, FnInfo{&CheckNullErrorResult}},
{{"getenv_s", 4}, FnInfo{&CheckNullErrorResult}},
{{"gets_s", 2}, FnInfo{&CheckNullErrorResult}},
{{"getwc", 1}, FnInfo{&CheckEofErrorResult}},
{{"getwchar", 0}, FnInfo{&CheckEofErrorResult}},
{{"gmtime", 1}, FnInfo{&CheckNullErrorResult}},
{{"gmtime_s", 2}, FnInfo{&CheckNullErrorResult}},
{{"localtime", 1}, FnInfo{&CheckNullErrorResult}},
{{"localtime_s", 2}, FnInfo{&CheckNullErrorResult}},
{{"malloc", 1}, FnInfo{&CheckNullErrorResult}},
{{"mblen", 2},
FnInfo{&CheckEofErrorResult, {}, std::bind(&filterNullArg, _1, _2, 0)}},
{{"mbrlen", 3},
FnInfo{&CheckEofErrorResult, {}, std::bind(&filterNullArg, _1, _2, 0)}},
{{"mbrtoc16", 4}, FnInfo{&CheckEofErrorResult}},
{{"mbrtoc32", 4}, FnInfo{&CheckEofErrorResult}},
{{"mbrtowc", 4},
FnInfo{&CheckEofErrorResult, {}, std::bind(&filterNullArg, _1, _2, 1)}},
{{"mbsrtowcs", 4}, FnInfo{&CheckEofErrorResult}},
{{"mbsrtowcs_s", 6}, FnInfo{&CheckZeroErrorResult}},
{{"mbstowcs", 3}, FnInfo{&CheckEofErrorResult}},
{{"mbstowcs_s", 5}, FnInfo{&CheckZeroErrorResult}},
{{"mbtowc", 3},
FnInfo{&CheckZeroErrorResult, {}, std::bind(&filterNullArg, _1, _2, 1)}},
{{"memchr", 3}, FnInfo{&CheckNullErrorResult}},
{{"mktime", 1}, FnInfo{&CheckEofErrorResult}},
// FIXME: Knowledge of enum values is needed for these.
//{{"mtx_init", 2}, FnInfo{&CheckZeroErrorResult}},
//{{"mtx_lock", 1}, FnInfo{&CheckZeroErrorResult}},
//{{"mtx_timedlock", 2}, FnInfo{&CheckZeroErrorResult}},
//{{"mtx_trylock", 1}, FnInfo{&CheckZeroErrorResult}},
//{{"mtx_unlock", 1}, FnInfo{&CheckZeroErrorResult}},
{{"printf_s"}, FnInfo{1, &CheckNegativeErrorResult}},
{{"putc", 2}, FnInfo{&CheckEofErrorResult}},
{{"putwc", 2}, FnInfo{&CheckEofErrorResult}},
{{"raise", 1}, FnInfo{&CheckZeroErrorResult}},
{{"realloc", 2}, FnInfo{&CheckNullErrorResult}},
{{"remove", 1}, FnInfo{&CheckZeroErrorResult}},
{{"rename", 2}, FnInfo{&CheckZeroErrorResult}},
{{"setlocale", 2}, FnInfo{&CheckNullErrorResult}},
{{"setvbuf", 4}, FnInfo{&CheckZeroErrorResult}},
{{"scanf"}, FnInfo{1, &CheckNegativeOrEofErrorResult}},
{{"scanf_s"}, FnInfo{1, &CheckNegativeOrEofErrorResult}},
// FIXME: Should find value of SIG_ERR macro.
//{{"signal", 2}, FnInfo{&CheckZeroErrorResult}},
{{"snprintf"}, FnInfo{3, &CheckNegativeErrorResult}},
{{"snprintf_s"}, FnInfo{3, &CheckNegativeErrorResult}},
{{"snwprintf_s"}, FnInfo{3, &CheckNegativeErrorResult}},
{{"sprintf"}, FnInfo{2, &CheckNegativeErrorResult}},
{{"sprintf_s"}, FnInfo{3, &CheckNegativeErrorResult}},
{{"sscanf"}, FnInfo{2, &CheckNegativeOrEofErrorResult}},
{{"sscanf_s"}, FnInfo{3, &CheckNegativeOrEofErrorResult}},
{{"strchr", 2}, FnInfo{&CheckNullErrorResult}},
{{"strerror_s", 3}, FnInfo{&CheckZeroErrorResult}},
{{"strftime", 4}, FnInfo{&CheckZeroErrorResult}},
{{"strpbrk", 2}, FnInfo{&CheckNullErrorResult}},
{{"strrchr", 2}, FnInfo{&CheckNullErrorResult}},
{{"strstr", 2}, FnInfo{&CheckNullErrorResult}},
{{"strtod", 2}, FnInfo{&CheckZeroErrorResult}},
{{"strtof", 2}, FnInfo{&CheckZeroErrorResult}},
{{"strtoimax", 3}, FnInfo{&CheckMinMaxErrorResult}},
{{"strtok", 2}, FnInfo{&CheckNullErrorResult}},
{{"strtok_s", 4}, FnInfo{&CheckNullErrorResult}},
{{"strtol", 3}, FnInfo{&CheckMinMaxErrorResult}},
// FIXME: Floating-point is not doable and need to know HUGE_VAL.
//{{"strtold", 2}, FnInfo{&CheckZeroErrorResult}},
{{"strtoll", 3}, FnInfo{&CheckMinMaxErrorResult}},
{{"strtoumax", 3}, FnInfo{&CheckMinMaxErrorResult}},
{{"strtoul", 3}, FnInfo{&CheckMaxErrorResult}},
{{"strtoull", 3}, FnInfo{&CheckMaxErrorResult}},
// FIXME: strxfrm can not fail according to cppreference.com?
//{{"strxfrm", 3}, FnInfo{&CheckZeroErrorResult}},
{{"swprintf"}, FnInfo{3, &CheckNegativeErrorResult}},
{{"swprintf_s"}, FnInfo{3, &CheckNegativeErrorResult}},
{{"swscanf"}, FnInfo{2, &CheckNegativeOrEofErrorResult}},
{{"swscanf_s"}, FnInfo{2, &CheckNegativeOrEofErrorResult}},
// FIXME: Knowledge of enum values is needed for these.
//{{"thrd_create", 3}, FnInfo{&CheckZeroErrorResult}},
//{{"thrd_detach", 1}, FnInfo{&CheckZeroErrorResult}},
//{{"thrd_join", 2}, FnInfo{&CheckZeroErrorResult}},
//{{"thrd_sleep", 2}, FnInfo{&CheckZeroErrorResult}},
{{"time", 1}, FnInfo{&CheckEofErrorResult}},
{{"timespec_get", 2}, FnInfo{&CheckZeroErrorResult}},
{{"tmpfile", 0}, FnInfo{&CheckNullErrorResult}},
{{"tmpfile_s", 1}, FnInfo{&CheckZeroErrorResult}},
{{"tmpnam", 1}, FnInfo{&CheckNullErrorResult}},
{{"tmpnam_s", 2}, FnInfo{&CheckZeroErrorResult}},
// FIXME: Knowledge of enum values is needed.
//{{"tss_create", 2}, FnInfo{&CheckZeroErrorResult}},
{{"tss_get", 1}, FnInfo{&CheckZeroErrorResult}},
// FIXME: Knowledge of enum value is needed.
//{{"tss_set", 2}, FnInfo{&CheckZeroErrorResult}},
{{"ungetc", 2}, FnInfo{&CheckEofErrorResult}},
{{"ungetwc", 2}, FnInfo{&CheckEofErrorResult}},
{{"vfprintf", 3}, FnInfo{&CheckNegativeErrorResult}},
{{"vfprintf_s", 3}, FnInfo{&CheckNegativeErrorResult}},
{{"vfscanf", 3}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"vfscanf_s", 3}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"vfwprintf", 3}, FnInfo{&CheckNegativeErrorResult}},
{{"vfwprintf_s", 3}, FnInfo{&CheckNegativeErrorResult}},
{{"vfwscanf", 3}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"vfwscanf_s", 3}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"vprintf", 2}, FnInfo{&CheckNegativeErrorResult}},
{{"vprintf_s", 2}, FnInfo{&CheckNegativeErrorResult}},
{{"vscanf", 2}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"vscanf_s", 2}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"vsnprintf", 4}, FnInfo{&CheckNegativeErrorResult}},
{{"vsnprintf_s", 4}, FnInfo{&CheckNegativeErrorResult}},
{{"vsnwprintf_s", 4}, FnInfo{&CheckPositiveErrorResult}},
{{"vsprintf", 3}, FnInfo{&CheckNegativeErrorResult}},
{{"vsprintf_s", 4}, FnInfo{&CheckNegativeErrorResult}},
{{"vsscanf", 3}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"vsscanf_s", 3}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"vswprintf", 4}, FnInfo{&CheckNegativeErrorResult}},
{{"vswprintf_s", 4}, FnInfo{&CheckNegativeErrorResult}},
{{"vswscanf", 3}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"vswscanf_s", 3}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"vwprintf_s", 2}, FnInfo{&CheckNegativeErrorResult}},
{{"vwscanf", 2}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"vwscanf_s", 2}, FnInfo{&CheckNegativeOrEofErrorResult}},
{{"wcrtomb", 3}, FnInfo{&CheckEofErrorResult}},
{{"wcrtomb_s", 5}, FnInfo{&CheckZeroErrorResult}},
{{"wcschr", 2}, FnInfo{&CheckNullErrorResult}},
{{"wcsftime", 4}, FnInfo{&CheckZeroErrorResult}},
{{"wcspbrk", 2}, FnInfo{&CheckNullErrorResult}},
{{"wcsrchr", 2}, FnInfo{&CheckNullErrorResult}},
{{"wcsrtombs", 4}, FnInfo{&CheckEofErrorResult}},
{{"wcsrtombs_s", 5}, FnInfo{&CheckZeroErrorResult}},
{{"wcsstr", 2}, FnInfo{&CheckNullErrorResult}},
{{"wcstod", 2}, FnInfo{&CheckZeroErrorResult}},
{{"wcstof", 2}, FnInfo{&CheckZeroErrorResult}},
{{"wcstoimax", 3}, FnInfo{&CheckMinMaxErrorResult}},
{{"wcstok", 3}, FnInfo{&CheckNullErrorResult}},
{{"wcstok_s", 4}, FnInfo{&CheckNullErrorResult}},
{{"wcstol", 3}, FnInfo{&CheckMinMaxErrorResult}},
{{"wcstold", 2}, FnInfo{&CheckZeroErrorResult}},
{{"wcstoll", 3}, FnInfo{&CheckMinMaxErrorResult}},
{{"wcstombs", 3}, FnInfo{&CheckEofErrorResult}},
{{"wcstombs_s", 5}, FnInfo{&CheckZeroErrorResult}},
{{"wcstoumax", 3}, FnInfo{&CheckMaxErrorResult}},
{{"wcstoul", 3}, FnInfo{&CheckMaxErrorResult}},
{{"wcstoull", 3}, FnInfo{&CheckMaxErrorResult}},
// FIXME: wcsxfrm can not fail according to cppreference.com?
//{{"wcsxfrm", 3}, FnInfo{&CheckZeroErrorResult}},
{{"wctob", 1}, FnInfo{&CheckEofErrorResult}},
{{"wctomb", 2},
FnInfo{&CheckEofErrorResult, {}, std::bind(&filterNullArg, _1, _2, 0)}},
{{"wctomb_s", 4}, FnInfo{&CheckZeroErrorResult}},
{{"wctrans", 1}, FnInfo{&CheckZeroErrorResult}},
{{"wctype", 1}, FnInfo{&CheckZeroErrorResult}},
{{"wmemchr", 3}, FnInfo{&CheckNullErrorResult}},
{{"wprintf_s"}, FnInfo{1, &CheckNegativeErrorResult}},
{{"wscanf"}, FnInfo{1, &CheckNegativeOrEofErrorResult}},
{{"wscanf_s"}, FnInfo{1, &CheckNegativeOrEofErrorResult}},
// Functions where the return value is not needed to be checked.
//{{"putchar", 1}, FnInfo{&CheckEofErrorResult}},
//{{"putwchar", 1}, FnInfo{&CheckEofErrorResult}},
//{{"puts", 1}, FnInfo{&CheckNegativeOrEofErrorResult}},
//{{"printf"}, FnInfo{1, &CheckNegativeErrorResult}},
//{{"vprintf", 2}, FnInfo{&CheckNegativeErrorResult}},
//{{"wprintf"}, FnInfo{1, &CheckNegativeErrorResult}},
//{{"vwprintf", 2}, FnInfo{&CheckNegativeErrorResult}},
};
};
struct CalledFunctionData {
const FnInfo *Info;
SourceRange CallLocation;
void Profile(llvm::FoldingSetNodeID &ID) const {
ID.AddPointer(Info);
ID.AddInteger(CallLocation.getBegin().getRawEncoding());
}
bool operator==(const CalledFunctionData &CFD) const {
return Info == CFD.Info && CallLocation == CFD.CallLocation;
}
};
} // end anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(FunctionCalledMap, SymbolRef, CalledFunctionData)
void ErrorReturnChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const {
const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
ProgramStateRef State = C.getState();
const ParentMap &PM = C.getLocationContext()->getParentMap();
if (!FD || FD->getKind() != Decl::Function)
return;
if (!Call.isGlobalCFunction())
return;
const FnInfo *Fn = CheckedFunctions.lookup(Call);
if (!Fn)
return;
// For variadic functions check for minimal argument count.
if (Fn->MinArgCount && Call.getNumArgs() < *(Fn->MinArgCount))
return;
const Stmt *S = PM.getParent(Call.getOriginExpr());
// Check for explicit cast to void.
if (auto *Cast = dyn_cast<const CStyleCastExpr>(S)) {
if (Cast->getTypeAsWritten().getTypePtr()->isVoidType())
return;
}
// Check if the call is inside a return statement (can not evaluate this
// case).
while (S) {
if (isa<ReturnStmt>(S))
return;
S = PM.getParent(S);
}
// Use a function-specific rule to omit specific calls.
if (Fn->Filter && Fn->Filter(Call, C))
return;
// The call should have a symbolic return value to analyze it.
SVal RetSV = Call.getReturnValue();
if (RetSV.isUnknownOrUndef())
return;
SymbolRef RetSym = RetSV.getAsSymbol();
if (!RetSym)
return;
// Lazy-init the return type when the function is found.
if (Fn->RetTy.isNull())
Fn->RetTy = FD->getReturnType();
CalledFunctionData CFD{Fn, Call.getSourceRange()};
State = State->set<FunctionCalledMap>(RetSym, CFD);
// Try to compute value of specific argument at the time of call (if needed).
if (Fn->ParmI) {
const llvm::APSInt *ParmVal =
C.getSValBuilder().getKnownValue(State, Call.getArgSVal(*Fn->ParmI));
if (ParmVal)
State = State->set<ParmValMap>(RetSym, *ParmVal);
}
C.addTransition(State);
}
void ErrorReturnChecker::checkBranchCondition(const Stmt *S,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
SValBuilder &SVB = C.getSValBuilder();
const FunctionCalledMapTy &Map = State->get<FunctionCalledMap>();
llvm::SmallSet<SymbolRef, 10> SymbolsToRemove;
for (const auto &I : Map) {
SymbolRef Sym = I.first;
auto Val = SVB.makeSymbolVal(Sym).getAs<DefinedOrUnknownSVal>();
if (Val) {
// Check if we know that in the current state there was error check.
bool IsCompleteErrorCheck = I.second.Info->Checker->checkBranchCondition(
C, State, I.first, *Val, I.second.Info->RetTy);
// If the error check was found, remove the function call, no more need
// for handle it.
if (IsCompleteErrorCheck)
SymbolsToRemove.insert(Sym);
}
}
for (const auto I : SymbolsToRemove) {
State = State->remove<FunctionCalledMap>(I);
State = State->remove<ParmValMap>(I);
}
if (!SymbolsToRemove.empty())
C.addTransition(State);
}
void ErrorReturnChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
llvm::SmallSet<SymbolRef, 10> BugSymbols;
const FunctionCalledMapTy &Map = State->get<FunctionCalledMap>();
for (const auto &I : Map) {
SymbolRef Sym = I.first;
if (!SymReaper.isDead(Sym))
continue;
// If a function call is stored in the state at this point, no error
// check was found for it.
BugSymbols.insert(Sym);
}
if (BugSymbols.empty())
return;
for (const auto I : BugSymbols)
State = State->remove<ParmValMap>(I);
ExplodedNode *N = C.generateNonFatalErrorNode(State);
for (const auto I : BugSymbols) {
emitUnchecked(C, N, I);
}
// FIXME: Remove items from FunctionCalledMap.
}
void ErrorReturnChecker::emitUnchecked(CheckerContext &C, ExplodedNode *N,
SymbolRef Sym) const {
if (N) {
const CalledFunctionData *CFD = C.getState()->get<FunctionCalledMap>(Sym);
assert(CFD && "Function data not found.");
if (!BT_Unchecked)
BT_Unchecked.reset(
new BuiltinBug(this, "Unchecked return value",
"Missing or incomplete error check of return value"));
auto Report = std::make_unique<BasicBugReport>(
*BT_Unchecked, BT_Unchecked->getDescription(),
PathDiagnosticLocation{CFD->CallLocation.getBegin(),
C.getSourceManager()});
Report->addRange(CFD->CallLocation);
C.emitReport(std::move(Report));
}
}
void ento::registerErrorReturnChecker(CheckerManager &mgr) {
mgr.registerChecker<ErrorReturnChecker>();
}
bool ento::shouldRegisterErrorReturnChecker(const LangOptions &LO) {
return true;
}

clang/test/Analysis/Inputs/system-header-simulator.h

Show First 20 LinesShow All 106 Lines▼ Show 20 Lines
#define INT64_MIN (-INT64_MAX-1) #define INT64_MIN (-INT64_MAX-1)
#define __DBL_MAX__ 1.7976931348623157e+308 #define __DBL_MAX__ 1.7976931348623157e+308
#define DBL_MAX __DBL_MAX__ #define DBL_MAX __DBL_MAX__
#ifndef NULL #ifndef NULL
#define __DARWIN_NULL 0 #define __DARWIN_NULL 0
#define NULL __DARWIN_NULL #define NULL __DARWIN_NULL
#endif #endif
#define offsetof(t, d) __builtin_offsetof(t, d) #define offsetof(t, d) __builtin_offsetof(t, d)
No newline at end of file
// Some more functions.
typedef __typeof(errno) errno_t;
typedef size_t rsize_t;
typedef unsigned int wint_t;
#define WEOF (0xffffffffu)
typedef long long intmax_t;
#define INTMAX_MAX 9223372036854775807ll
#define INTMAX_MIN (-INTMAX_MAX - 1)
#define ULONG_MAX 18446744073709551615ul
void *aligned_alloc(size_t alignment, size_t size);
errno_t asctime_s(char *buf, rsize_t bufsz, const struct tm *time_ptr);
wint_t btowc(int c);
int fputs(const char *restrict str, FILE *restrict stream);
size_t fread(void *restrict buffer, size_t size, size_t count, FILE *restrict stream);
int mblen(const char *s, size_t n);
intmax_t strtoimax(const char *restrict nptr, char **restrict endptr, int base);
unsigned long strtoul(const char *restrict str, char **restrict str_end, int base);
// A fake function that should not be recognized as the normal fprintf_s system function.
extern int fprintf_s(int);

clang/test/Analysis/error-return.c

  • This file was added.
// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.unix.ErrorReturn -verify %s
#include "Inputs/system-header-simulator.h"
/*
Functions from CERT ERR33-C that should be checked for error:
void *aligned_alloc( size_t alignment, size_t size );
errno_t asctime_s(char *buf, rsize_t bufsz, const struct tm *time_ptr);
int at_quick_exit( void (*func)(void) );
int atexit( void (*func)(void) );
void* bsearch( const void *key, const void *ptr, size_t count, size_t size,
int (*comp)(const void*, const void*) );
void* bsearch_s( const void *key, const void *ptr, rsize_t count, rsize_t size,
int (*comp)(const void *, const void *, void *),
void *context );
wint_t btowc( int c );
size_t c16rtomb( char * restrict s, char16_t c16, mbstate_t * restrict ps );
size_t c32rtomb( char * restrict s, char32_t c32, mbstate_t * restrict ps );
void* calloc( size_t num, size_t size );
clock_t clock(void);
int cnd_broadcast( cnd_t *cond );
int cnd_init( cnd_t* cond );
int cnd_signal( cnd_t *cond );
int cnd_timedwait( cnd_t* restrict cond, mtx_t* restrict mutex,
const struct timespec* restrict time_point );
int cnd_wait( cnd_t* cond, mtx_t* mutex );
errno_t ctime_s(char *buffer, rsize_t bufsz, const time_t *time);
int fclose( FILE *stream );
int fflush( FILE *stream );
int fgetc( FILE *stream );
int fgetpos( FILE *restrict stream, fpos_t *restrict pos );
char *fgets( char *restrict str, int count, FILE *restrict stream );
wint_t fgetwc( FILE *stream );
FILE *fopen( const char *restrict filename, const char *restrict mode );
errno_t fopen_s(FILE *restrict *restrict streamptr,
const char *restrict filename,
const char *restrict mode);
int fprintf( FILE *restrict stream, const char *restrict format, ... );
int fprintf_s(FILE *restrict stream, const char *restrict format, ...);
int fputc( int ch, FILE *stream );
int fputs( const char *restrict str, FILE *restrict stream );
wint_t fputwc( wchar_t ch, FILE *stream );
int fputws( const wchar_t * restrict str, FILE * restrict stream );
size_t fread( void *restrict buffer, size_t size, size_t count,
FILE *restrict stream );
FILE *freopen( const char *restrict filename, const char *restrict mode,
FILE *restrict stream );
errno_t freopen_s(FILE *restrict *restrict newstreamptr,
const char *restrict filename, const char *restrict mode,
FILE *restrict stream);
int fscanf( FILE *restrict stream, const char *restrict format, ... );
int fscanf_s(FILE *restrict stream, const char *restrict format, ...);
int fseek( FILE *stream, long offset, int origin );
int fsetpos( FILE *stream, const fpos_t *pos );
long ftell( FILE *stream );
int fwprintf( FILE *restrict stream,
const wchar_t *restrict format, ... );
int fwprintf_s( FILE *restrict stream,
const wchar_t *restrict format, ...);
size_t fwrite( const void *restrict buffer, size_t size, size_t count,
FILE *restrict stream ); // more exact error return: < count
int fwscanf( FILE *restrict stream,
const wchar_t *restrict format, ... );
int fwscanf_s( FILE *restrict stream,
const wchar_t *restrict format, ...);
int getc( FILE *stream );
int getchar(void);
char *getenv( const char *name );
errno_t getenv_s( size_t *restrict len, char *restrict value,
rsize_t valuesz, const char *restrict name );
char *gets_s( char *str, rsize_t n );
wint_t getwc( FILE *stream );
wint_t getwchar(void);
struct tm *gmtime( const time_t *time );
struct tm *gmtime_s(const time_t *restrict time, struct tm *restrict result);
struct tm *localtime( const time_t *time );
struct tm *localtime_s(const time_t *restrict time, struct tm *restrict result);
void* malloc( size_t size );
int mblen( const char* s, size_t n );
size_t mbrlen( const char *restrict s, size_t n, mbstate_t *restrict ps );
size_t mbrtoc16( char16_t * restrict pc16, const char * restrict s,
size_t n, mbstate_t * restrict ps );
size_t mbrtoc32( char32_t restrict * pc32, const char * restrict s,
size_t n, mbstate_t * restrict ps );
size_t mbrtowc( wchar_t *restrict pwc, const char *restrict s, size_t n,
mbstate_t *restrict ps );
size_t mbsrtowcs( wchar_t *restrict dst, const char **restrict src, size_t len,
mbstate_t *restrict ps);
errno_t mbsrtowcs_s( size_t *restrict retval,
wchar_t *restrict dst, rsize_t dstsz,
const char **restrict src, rsize_t len,
mbstate_t *restrict ps);
size_t mbstowcs( wchar_t *restrict dst, const char *restrict src, size_t len);
errno_t mbstowcs_s(size_t *restrict retval, wchar_t *restrict dst,
rsize_t dstsz, const char *restrict src, rsize_t len);
int mbtowc( wchar_t *restrict pwc, const char *restrict s, size_t n );
void* memchr( const void* ptr, int ch, size_t count );
time_t mktime( struct tm *time );
int mtx_init( mtx_t* mutex, int type );
int mtx_lock( mtx_t* mutex );
int mtx_timedlock( mtx_t *restrict mutex,
const struct timespec *restrict time_point );
int mtx_trylock( mtx_t *mutex );
int mtx_unlock( mtx_t *mutex );
int printf_s(const char *restrict format, ...);
int putc( int ch, FILE *stream );
wint_t putwc( wchar_t ch, FILE *stream );
int raise( int sig );
void *realloc( void *ptr, size_t new_size );
int remove( const char *fname );
int rename( const char *old_filename, const char *new_filename );
char* setlocale( int category, const char* locale);
int setvbuf( FILE *restrict stream, char *restrict buffer,
int mode, size_t size );
!int scanf( const char *restrict format, ... );!
int scanf_s(const char *restrict format, ...);
void (*signal( int sig, void (*handler) (int))) (int);
int snprintf( char *restrict buffer, size_t bufsz,
const char *restrict format, ... );
int snprintf_s(char *restrict buffer, rsize_t bufsz,
const char *restrict format, ...);
int snwprintf_s( wchar_t * restrict s, rsize_t n,
const wchar_t * restrict format, ...); // missing from CERT list
int sprintf( char *restrict buffer, const char *restrict format, ... );
int sprintf_s(char *restrict buffer, rsize_t bufsz,
const char *restrict format, ...);
int sscanf( const char *restrict buffer, const char *restrict format, ... );
int sscanf_s(const char *restrict buffer, const char *restrict format, ...);
char *strchr( const char *str, int ch );
errno_t strerror_s( char *buf, rsize_t bufsz, errno_t errnum );
size_t strftime( char *restrict str, size_t count,
const char *restrict format, const struct tm *restrict time );
char* strpbrk( const char* dest, const char* breakset );
char *strrchr( const char *str, int ch );
char *strstr( const char* str, const char* substr );
double strtod( const char *restrict str, char **restrict str_end );
float strtof( const char *restrict str, char **restrict str_end );
intmax_t strtoimax( const char *restrict nptr,
char **restrict endptr, int base );
char *strtok( char *restrict str, const char *restrict delim );
char *strtok_s(char *restrict str, rsize_t *restrict strmax,
const char *restrict delim, char **restrict ptr);
long strtol( const char *restrict str, char **restrict str_end, int base );
long double strtold( const char *restrict str, char **restrict str_end );
long long strtoll( const char *restrict str, char **restrict str_end, int base );
uintmax_t strtoumax( const char *restrict nptr,
char **restrict endptr, int base );
unsigned long strtoul( const char *restrict str, char **restrict str_end,
int base );
unsigned long long strtoull( const char *restrict str, char **restrict str_end,
int base );
size_t strxfrm( char *restrict dest, const char *restrict src,
size_t count );
int swprintf( wchar_t *restrict buffer, size_t bufsz,
const wchar_t *restrict format, ... );
int swprintf_s( wchar_t *restrict buffer, rsize_t bufsz,
const wchar_t* restrict format, ...);
int swscanf( const wchar_t *restrict buffer,
const wchar_t *restrict format, ... );
int swscanf_s( const wchar_t *restrict s,
const wchar_t *restrict format, ...);
int thrd_create( thrd_t *thr, thrd_start_t func, void *arg );
int thrd_detach( thrd_t thr );
int thrd_join( thrd_t thr, int *res );
int thrd_sleep( const struct timespec* duration,
struct timespec* remaining );
time_t time( time_t *arg );
int timespec_get( struct timespec *ts, int base);
FILE *tmpfile(void);
errno_t tmpfile_s(FILE * restrict * restrict streamptr);
char *tmpnam( char *filename );
errno_t tmpnam_s(char *filename_s, rsize_t maxsize);
int tss_create( tss_t* tss_key, tss_dtor_t destructor );
void *tss_get( tss_t tss_key );
int tss_set( tss_t tss_id, void *val );
int ungetc( int ch, FILE *stream );
wint_t ungetwc( wint_t ch, FILE *stream );
int vfprintf( FILE *restrict stream, const char *restrict format,
va_list vlist );
int vfprintf_s( FILE *restrict stream, const char *restrict format,
va_list arg);
int vfscanf( FILE *restrict stream, const char *restrict format,
va_list vlist );
int vfscanf_s( FILE *restrict stream, const char *restrict format,
va_list vlist);
int vfwprintf( FILE *restrict stream,
const wchar_t *restrict format, va_list vlist );
int vfwprintf_s( FILE * restrict stream,
const wchar_t *restrict format, va_list vlist);
int vfwscanf( FILE *restrict stream,
const wchar_t *restrict format, va_list vlist );
int vfwscanf_s( FILE *restrict stream,
const wchar_t *restrict format, va_list vlist );
!int vprintf( const char *restrict format, va_list vlist );! // missing from CERT list
int vprintf_s( const char *restrict format, va_list arg);
!int vscanf( const char *restrict format, va_list vlist );!
int vscanf_s(const char *restrict format, va_list vlist);
int vsnprintf( char *restrict buffer, size_t bufsz,
const char *restrict format, va_list vlist );
int vsnprintf_s(char *restrict buffer, rsize_t bufsz,
const char *restrict format, va_list arg);
int vsnwprintf_s( wchar_t *restrict buffer, rsize_t bufsz,
const wchar_t *restrict format, va_list vlist); // missing from CERT list
int vsprintf( char *restrict buffer, const char *restrict format,
va_list vlist );
int vsprintf_s( char *restrict buffer, rsize_t bufsz,
const char *restrict format, va_list arg);
int vsscanf( const char *restrict buffer, const char *restrict format,
va_list vlist );
int vsscanf_s( const char *restrict buffer, const char *restrict format,
va_list vlist);
int vswprintf( wchar_t *restrict buffer, size_t bufsz,
const wchar_t *restrict format, va_list vlist );
int vswprintf_s( wchar_t *restrict buffer, rsize_t bufsz,
const wchar_t * restrict format, va_list vlist);
int vswscanf( const wchar_t *restrict buffer,
const wchar_t *restrict format, va_list vlist );
int vswscanf_s( const wchar_t *restrict buffer,
const wchar_t *restrict format, va_list vlist );
int vwprintf_s( const wchar_t *restrict format, va_list vlist);
int vwscanf( const wchar_t *restrict format, va_list vlist );
int vwscanf_s( const wchar_t *restrict format, va_list vlist );
size_t wcrtomb( char *restrict s, wchar_t wc, mbstate_t *restrict ps);
errno_t wcrtomb_s(size_t *restrict retval, char *restrict s, rsize_t ssz,
wchar_t wc, mbstate_t *restrict ps); // missing from CERT list
wchar_t* wcschr( const wchar_t* str, wchar_t ch );
size_t wcsftime( wchar_t* str, size_t count, const wchar_t* format, tm* time );
wchar_t* wcspbrk( const wchar_t* dest, const wchar_t* str );
wchar_t* wcsrchr( const wchar_t* str, wchar_t ch );
size_t wcsrtombs( char *restrict dst, const wchar_t **restrict src, size_t len,
mbstate_t *restrict ps);
errno_t wcsrtombs_s( size_t *restrict retval, char *restrict dst, rsize_t dstsz,
const wchar_t **restrict src, rsize_t len,
mbstate_t *restrict ps);
wchar_t* wcsstr( const wchar_t* dest, const wchar_t* src );
double wcstod( const wchar_t * restrict str, wchar_t ** restrict str_end );
float wcstof( const wchar_t * restrict str, wchar_t ** restrict str_end );
intmax_t wcstoimax( const wchar_t *restrict nptr,
wchar_t **restrict endptr, int base );
wchar_t *wcstok(wchar_t * restrict str, const wchar_t * restrict delim,
wchar_t **restrict ptr);
wchar_t *wcstok_s( wchar_t *restrict str, rsize_t *restrict strmax,
const wchar_t *restrict delim, wchar_t **restrict ptr);
long wcstol( const wchar_t * str, wchar_t ** restrict str_end,
int base );
long double wcstold( const wchar_t * restrict str, wchar_t ** restrict str_end );
long long wcstoll( const wchar_t * restrict str, wchar_t ** restrict str_end,
int base );
size_t wcstombs( char *restrict dst, const wchar_t *restrict src, size_t len );
errno_t wcstombs_s( size_t *restrict retval, char *restrict dst, rsize_t dstsz,
const wchar_t *restrict src, rsize_t len );
uintmax_t wcstoumax( const wchar_t *restrict nptr,
wchar_t **restrict endptr, int base );
unsigned long wcstoul( const wchar_t * restrict str,
wchar_t ** restrict str_end, int base );
unsigned long long wcstoull( const wchar_t * restrict str,
wchar_t ** restrict str_end, int base );
size_t wcsxfrm( wchar_t* restrict dest, const wchar_t* restrict src, size_t count );
int wctob( wint_t c );
int wctomb( char *s, wchar_t wc );
errno_t wctomb_s(int *restrict status, char *restrict s, rsize_t ssz, wchar_t wc); // CERT list contains wrong description?
wctrans_t wctrans( const char* str );
wctype_t wctype( const char* str );
wchar_t *wmemchr( const wchar_t *ptr, wchar_t ch, size_t count );
int wprintf_s( const wchar_t *restrict format, ...);
int wscanf( const wchar_t *restrict format, ... );
int wscanf_s( const wchar_t *restrict format, ...);
These are OK if not checked:
int putchar( int ch );
gamesh411Unsubmitted
Not Done
ReplyInline Actions

just for the sake of completeness; mention all the cases where error checking is deemed unnecessary as per ERR-33-EX1

https://wiki.sei.cmu.edu/confluence/display/c/ERR33-C.+Detect+and+handle+standard+library+errors#ERR33-C.Detectandhandlestandardlibraryerrors-Exceptions

gamesh411: just for the sake of completeness; mention all the cases where error checking is deemed…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

It seems that the better solution is to check for those functions too, and add a feature to the checker that ignores functions that are casted to void. The exception list says that even in these exceptions the (void) cast is needed. (Probably a other kind of warning message can be used for these functions.) The "function can not fail" and "return value is inconsequential" cases are not detectable by the checker (these cases depend on the context of the function call, not on the function itself, otherwise the function should appear in the list of functions to be ignored).

balazske: It seems that the better solution is to check for those functions too, and add a feature to the…
wint_t putwchar( wchar_t ch );
int puts( const char *str );
!int printf( const char *restrict format, ... );!
!int vprintf( const char *restrict format, va_list vlist );
int wprintf( const wchar_t *restrict format, ... );
int vwprintf( const wchar_t *restrict format, va_list vlist );
The following functions are OK if not checked.
These have no error return value therefore can not be handled by this checker:
kill_dependency()
memcpy(), wmemcpy()
memmove(), wmemmove()
strcpy(), wcscpy()
strncpy(), wcsncpy()
strcat(), wcscat()
strncat(), wcsncat()
memset(), wmemset()
*/
void CheckError(errno_t e) {
if (e == 0) {
}
}
void test_ZeroCorrectCheck1() {
char buf[1];
errno_t err = asctime_s(buf, 1, NULL);
if (err == 0) {
}
}
void test_ZeroCorrectCheck2() {
char buf[1];
errno_t err = asctime_s(buf, 1, NULL);
if (err != 0) {
}
}
void test_ZeroCorrectCheck3() {
char buf[1];
errno_t err = asctime_s(buf, 1, NULL);
if (err > 0) {
} else if (err < 0) {
}
}
void test_ZeroCorrectCheck4() {
char buf[1];
errno_t err = asctime_s(buf, 1, NULL);
CheckError(err);
}
void test_ZeroCorrectCheck5() {
char buf[1];
errno_t err = asctime_s(buf, 1, NULL);
if (err + 1 == 1) {
}
}
void test_ZeroCorrectCheck6() {
char buf[1];
// FIXME: This is a false positive.
errno_t err = asctime_s(buf, 1, NULL); // expected-warning{{Missing or incomplete error check}}
if (err) {
}
}
void test_ZeroCorrectCheck7() {
char buf[1];
errno_t err = asctime_s(buf, 1, NULL);
if (!err) {
}
}
void test_ZeroCorrectCheck8() {
char buf[1];
if (asctime_s(buf, 1, NULL) == 0) {
}
}
void test_ZeroBadCheck1() {
char buf[1];
asctime_s(buf, 9, NULL); // expected-warning{{Missing or incomplete error check}}
}
void test_ZeroBadCheck2() {
char buf[1];
errno_t err = asctime_s(buf, 1, NULL); // expected-warning{{Missing or incomplete error check}}
if (err == 1) {
}
}
void test_ZeroBadCheck3() {
char buf[1];
errno_t err = asctime_s(buf, 1, NULL); // expected-warning{{Missing or incomplete error check}}
if (err < 0) {
}
}
void test_ZeroBadCheck4() {
char buf[1];
errno_t err = asctime_s(buf, 1, NULL); // expected-warning{{Missing or incomplete error check}}
if (err < 0 || err > 2) {
}
}
void test_ZeroBadCheck5() {
char buf[1];
errno_t err = asctime_s(buf, 1, NULL); // expected-warning{{Missing or incomplete error check}}
if (err > -2) {
}
}
void test_ZeroBadCheck6() {
char buf[1];
errno_t err = asctime_s(buf, 1, NULL); // expected-warning{{Missing or incomplete error check}}
err = asctime_s(buf, 1, NULL);
if (err == 0) {
}
}
void test_NullCorrectCheck1() {
// FIXME: This is a false positive.
void *P = aligned_alloc(4, 8); // expected-warning{{Missing or incomplete error check}}
if (P) {
}
}
void test_NullCorrectCheck2() {
void *P = aligned_alloc(4, 8);
if (!P) {
}
}
void test_NullCorrectCheck3() {
void *P = aligned_alloc(4, 8);
if (P == NULL) {
}
}
void test_NullCorrectCheck4() {
if (aligned_alloc(4, 8) == NULL) {
}
}
int test_NullCorrectCheck5() {
// No warning for this case.
return aligned_alloc(4, 8) == NULL;
}
void test_NullBadCheck1() {
void *P = aligned_alloc(4, 8); // expected-warning{{Missing or incomplete error check}}
}
void test_WEofCorrectCheck1() {
wint_t X = btowc(3);
if (X == WEOF) {
}
}
void test_WEofBadCheck1() {
btowc(3); // expected-warning{{Missing or incomplete error check}}
}
void test_ZeroOrEofCorrectCheck1() {
int X = fclose(NULL);
if (X == -1) {
}
}
void test_ZeroOrEofCorrectCheck2() {
int X = fclose(NULL);
if (X < 0) {
}
}
void test_ZeroOrEofCorrectCheck3() {
int X = fclose(NULL);
if (X == 0) {
}
}
void test_ZeroOrEofBadCheck1() {
int X = fclose(NULL); // expected-warning{{Missing or incomplete error check}}
if (X == -2) {
}
}
void test_ZeroOrEofBadCheck2() {
int X = fclose(NULL); // expected-warning{{Missing or incomplete error check}}
if (X < 1) {
}
}
void test_ZeroOrEofBadCheck3() {
int X = fclose(NULL); // expected-warning{{Missing or incomplete error check}}
if (X > 0) {
}
}
void test_NegativeOrEofCorrectCheck1() {
int X = fputs("", NULL);
if (X == -1) {
}
}
void test_NegativeOrEofCorrectCheck2() {
int X = fputs("", NULL);
if (X < 0) {
}
}
void test_NegativeOrEofCorrectCheck3() {
int X = fputs("", NULL);
if (X >= 0) {
}
}
void test_NegativeOrEofBadCheck1() {
int X = fputs("", NULL); // expected-warning{{Missing or incomplete error check}}
if (X == -2) {
}
}
void test_NegativeOrEofBadCheck2() {
int X = fputs("", NULL); // expected-warning{{Missing or incomplete error check}}
if (X == 0) {
}
}
void test_NegativeOrEofBadCheck3() {
int X = fputs("", NULL); // expected-warning{{Missing or incomplete error check}}
if (X < -1) {
}
}
void test_LessThanParmValCorrectCheck1() {
int X = fread(NULL, 1, 2, NULL);
if (X == 2) {
}
}
void test_LessThanParmValCorrectCheck2() {
int X = fread(NULL, 1, 2, NULL);
if (X < 2) {
}
}
void test_LessThanParmValCorrectCheck3() {
int X = fread(NULL, 1, 2, NULL);
if (X >= 2) {
} else {
}
}
void test_LessThanParmValBadCheck1() {
int X = fread(NULL, 1, 2, NULL); // expected-warning{{Missing or incomplete error check}}
if (X == 1) {
}
}
void test_LessThanParmValBadCheck2() {
int X = fread(NULL, 1, 2, NULL); // expected-warning{{Missing or incomplete error check}}
if (X < 3) {
}
}
void test_FilterEofCorrectCheck1() {
int X = mblen("xxx", 1);
if (X == -1) {
}
}
void test_FilterEofCorrectCheck2() {
int X = mblen(NULL, 1);
if (X == 0) {
}
}
void test_FilterEofCorrectCheck3() {
mblen(NULL, 1);
}
void test_FilterEofBadCheck1() {
mblen("xxx", 1); // expected-warning{{Missing or incomplete error check}}
}
void test_FilterEofBadCheck2() {
int X = mblen("xxx", 1); // expected-warning{{Missing or incomplete error check}}
if (X == 0) {
}
}
void test_MinMaxCorrectCheck1() {
intmax_t X = strtoimax("", NULL, 10);
if (X == INTMAX_MIN) {
} else if (X == INTMAX_MAX) {
}
}
void test_MinMaxCorrectCheck2() {
intmax_t X = strtoimax("", NULL, 10);
if (X > INTMAX_MIN && X < INTMAX_MAX) {
}
}
void test_MinMaxCorrectCheck3() {
intmax_t X = strtoimax("", NULL, 10);
if (X > INTMAX_MIN) {
}
if (X < INTMAX_MAX) {
}
}
void test_MinMaxCorrectCheck4() {
// FIXME: This case is like false positive.
intmax_t X = strtoimax("", NULL, 10); // expected-warning{{Missing or incomplete error check}}
if (X < 0 || X > 10) {
}
}
void test_MinMaxBadCheck1() {
intmax_t X = strtoimax("", NULL, 10); // expected-warning{{Missing or incomplete error check}}
if (X == INTMAX_MIN) {
}
}
void test_MinMaxBadCheck2() {
intmax_t X = strtoimax("", NULL, 10); // expected-warning{{Missing or incomplete error check}}
if (X > 0) {
}
}
void test_MaxCorrectCheck1() {
unsigned long X = strtoul("", NULL, 10);
if (X == ULONG_MAX) {
}
}
void test_MaxBadCheck1() {
unsigned long X = strtoul("", NULL, 10); // expected-warning{{Missing or incomplete error check}}
if (X == 0) {
}
}
void test_Variadic() {
fprintf(NULL, "xxx"); // expected-warning{{Missing or incomplete error check}}
fprintf(NULL, "%i", 0); // expected-warning{{Missing or incomplete error check}}
fprintf_s(1);
}
void test_VoidCast() {
(void)fprintf(NULL, "xxx");
}