This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/lib/StaticAnalyzer/Checkers/
-
lib/
-
StaticAnalyzer/
-
Checkers/
2
StdLibraryFunctionsChecker.cpp

Differential D77641

[analyzer] StdLibraryFunctionsChecker: Associate summaries to FunctionDecls
ClosedPublic

Authored by martong on Apr 7 2020, 5:05 AM.

Download Raw Diff

Details

Reviewers

NoQ
Szelethus
balazske
jdoerfert
sstefan1
uenoku

Commits

rG62e747f61729: [analyzer] StdLibraryFunctionsChecker: Associate summaries to FunctionDecls

Summary

Currently we map function summaries to names (i.e. strings). We can
associate more summaries with different signatures to one name, this way
we support overloading. During a call event we check whether the
signature of the summary matches the signature of the callee and we
apply the summary only in that case.

In this patch we change this mapping to associate a summary to a
FunctionDecl. We do lookup operations when the summary map is
initialized. We lookup the given name and we match the signature of the
given summary against the lookup results. If the summary matches the
FunctionDecl (got from the lookup result) then we add that to the
summary map. During a call event we compare FunctionDecl pointers.
Advantages of this new refactor:

Cleaner mapping and structure for the checker.
Possibly way more efficient handling of call events.
A summary is added only if that is relevant for the given TU.
We can get the concrete FunctionDecl by the time when we create the summary, this opens up possibilities of further sanity checks regarding the summary cases and argument constraints.
Opens up to future work when we'd like to store summaries from IR to a FunctionDecl (or from the Attributor results of the given FunctionDecl).

Note, we cannot support old C functions without prototypes.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

martong created this revision.Apr 7 2020, 5:05 AM

Herald added a reviewer: jdoerfert. · View Herald TranscriptApr 7 2020, 5:06 AM

Herald added a reviewer: sstefan1. · View Herald Transcript

Herald added a reviewer: uenoku. · View Herald Transcript

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: cfe-commits, ASDenysPetrov, uenoku and 12 others. · View Herald Transcript

martong marked an inline comment as done.Apr 7 2020, 5:12 AM

martong added inline comments.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
570	Ups, this function is unused I'll remove.

martong marked an inline comment as not done.Apr 7 2020, 5:13 AM

Harbormaster failed remote builds in B52143: Diff 255647!Apr 7 2020, 5:55 AM

martong added a child revision: D77658: [analyzer] StdLibraryFunctionsChecker: Add sanity checks for constraints.Apr 7 2020, 9:06 AM

LGTM! Its always a joy to see you do C++. I suspect your change made compiler errors a bit nicer as well, so you don't get one giant "Well, this huuuuuge single argument doesn't match any of the assignment operators".

We don't have any function names that have multiple summaries just yet, correct? Also, this change is NFC, right? Could you make a tag about that to the revision title in the future?

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
554	How about `FSMIt`? :^)

This revision is now accepted and ready to land.Apr 8 2020, 5:53 AM

Also, if you gave a bit of time for anyone else to have a say, that might be nice. :)

So you only do the lookup in the global scope? What about namespace std?

Do you also plan to support class methods by looking up the class first and then looking up the method in the class?

In D77641#1969291, @Szelethus wrote:

I suspect your change made compiler errors a bit nicer as well, so you don't get one giant "Well, this huuuuuge single argument doesn't match any of the assignment operators".

The reason why I added addToFunctionSummaryMap calls is because we have to do a lookup and based on the lookup result we either map the summary or not. (I did not have any problems with the compiler diagnostics regarding the initializer list.)

We don't have any function names that have multiple summaries just yet, correct?

No, we already have a few: e.g. read, write. The reason is that we may not know what is the real type of ssize_t in different platforms, so rather we add int, long and long long return type variants. (An alternative solution could be to support lookup for types as well, so we'd lookup ssize_t in this case.)

Also, this change is NFC, right? Could you make a tag about that to the revision title in the future?

Well, there are functional changes. We exercise the lookup mechanism that we had not done before. We do not add a summary to the map if we cannot lookup the matching prototype. This could lead to different behavior in some cases, hard to find one, but at least in CTU if the ASTImporter assembled an AST where the Decls are not added properly to their DeclContext, then lookup would not find a function.

In D77641#1969412, @NoQ wrote:

So you only do the lookup in the global scope? What about namespace std?

Do you also plan to support class methods by looking up the class first and then looking up the method in the class?

Yes, I had been planning with those. When it comes to the point where we'd like to add summaries for C++ functions (in namespaces or member functions) then we can add a new overloaded operator() to AddToFunctionSummaryMap. In this new function we could handle a fully qualified name (e.g. std::map::insert) by doing the lookup in each found DeclContext starting from the TranslationUnitDecl. (Naturally, we'd not support ADL or using declaration kind of lookup modifications, only fully qualified names would be allowed.) Note that we could give a summary only to those functions that can be found by qualified [Obj]C/C++ lookup. So, e.g. functions in unnamed namespaces or in-class defined friend functions are out of this game.

martong added a child revision: D78118: [analyzer] StdLibraryFunctionsChecker: Add option to display loaded summaries.Apr 14 2020, 8:43 AM

martong added a child revision: D78189: [analyzer] StdLibraryFunctionsChecker: Add statistics.Apr 15 2020, 3:08 AM

@NoQ Do these changes look okay to land? Thanks :)

Ping

I think you can go ahead and commit. You seem to have a firm grasp on this project, I believe your experience with ASTImporter has more then prepared you for digging functions out of the std namespace, or whatever else that might come up :^)

Closed by commit rG62e747f61729: [analyzer] StdLibraryFunctionsChecker: Associate summaries to FunctionDecls (authored by martong). · Explain WhyApr 28 2020, 1:02 AM

This revision was automatically updated to reflect the committed changes.

In D77641#2004273, @Szelethus wrote:

I think you can go ahead and commit. You seem to have a firm grasp on this project, I believe your experience with ASTImporter has more then prepared you for digging functions out of the std namespace, or whatever else that might come up :^)

Alright, thanks, just did the commit. Let me know guys if you find anything else and I'll address the concerns. Also, if there is any regression I'll do the revert, just leave a note here.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

StdLibraryFunctionsChecker.cpp

500 lines

Diff 260560

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 Lines • Show All 260 Lines • ▼ Show 20 Lines	class StdLibraryFunctionsChecker

public:		public:
QualType getArgType(ArgNo ArgN) const {		QualType getArgType(ArgNo ArgN) const {
QualType T = (ArgN == Ret) ? RetTy : ArgTys[ArgN];		QualType T = (ArgN == Ret) ? RetTy : ArgTys[ArgN];
assertTypeSuitableForSummary(T);		assertTypeSuitableForSummary(T);
return T;		return T;
}		}

/// Try our best to figure out if the call expression is the call of		/// Try our best to figure out if the summary's signature matches
/// the library function to which this specification applies.		/// the library function to which this specification applies.
bool matchesCall(const FunctionDecl *FD) const;		bool matchesSignature(const FunctionDecl *FD) const;
};		};

// The same function (as in, function identifier) may have different
// summaries assigned to it, with different argument and return value types.
// We call these "variants" of the function. This can be useful for handling
// C++ function overloads, and also it can be used when the same function
// may have different definitions on different platforms.
typedef std::vector<Summary> Summaries;

// The map of all functions supported by the checker. It is initialized		// The map of all functions supported by the checker. It is initialized
// lazily, and it doesn't change after initialization.		// lazily, and it doesn't change after initialization.
mutable llvm::StringMap<Summaries> FunctionSummaryMap;		using FunctionSummaryMapType = llvm::DenseMap<const FunctionDecl *, Summary>;
		mutable FunctionSummaryMapType FunctionSummaryMap;

mutable std::unique_ptr<BugType> BT_InvalidArg;		mutable std::unique_ptr<BugType> BT_InvalidArg;

// Auxiliary functions to support ArgNo within all structures		// Auxiliary functions to support ArgNo within all structures
// in a unified manner.		// in a unified manner.
static QualType getArgType(const Summary &Summary, ArgNo ArgN) {		static QualType getArgType(const Summary &Summary, ArgNo ArgN) {
return Summary.getArgType(ArgN);		return Summary.getArgType(ArgN);
}		}
static QualType getArgType(const CallEvent &Call, ArgNo ArgN) {
return ArgN == Ret ? Call.getResultType().getCanonicalType()
: Call.getArgExpr(ArgN)->getType().getCanonicalType();
}
static QualType getArgType(const CallExpr *CE, ArgNo ArgN) {
return ArgN == Ret ? CE->getType().getCanonicalType()
: CE->getArg(ArgN)->getType().getCanonicalType();
}
static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) {		static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) {
return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN);		return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN);
}		}

public:		public:
void checkPreCall(const CallEvent &Call, CheckerContext &C) const;		void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;		void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
bool evalCall(const CallEvent &Call, CheckerContext &C) const;		bool evalCall(const CallEvent &Call, CheckerContext &C) const;
▲ Show 20 Lines • Show All 127 Lines • ▼ Show 20 Lines	ProgramStateRef StdLibraryFunctionsChecker::ComparisonConstraint::apply(
SValBuilder &SVB = Mgr.getSValBuilder();		SValBuilder &SVB = Mgr.getSValBuilder();
QualType CondT = SVB.getConditionType();		QualType CondT = SVB.getConditionType();
QualType T = getArgType(Summary, getArgNo());		QualType T = getArgType(Summary, getArgNo());
SVal V = getArgSVal(Call, getArgNo());		SVal V = getArgSVal(Call, getArgNo());

BinaryOperator::Opcode Op = getOpcode();		BinaryOperator::Opcode Op = getOpcode();
ArgNo OtherArg = getOtherArgNo();		ArgNo OtherArg = getOtherArgNo();
SVal OtherV = getArgSVal(Call, OtherArg);		SVal OtherV = getArgSVal(Call, OtherArg);
QualType OtherT = getArgType(Call, OtherArg);		QualType OtherT = getArgType(Summary, OtherArg);
// Note: we avoid integral promotion for comparison.		// Note: we avoid integral promotion for comparison.
OtherV = SVB.evalCast(OtherV, T, OtherT);		OtherV = SVB.evalCast(OtherV, T, OtherT);
if (auto CompV = SVB.evalBinOp(State, Op, V, OtherV, CondT)		if (auto CompV = SVB.evalBinOp(State, Op, V, OtherV, CondT)
.getAs<DefinedOrUnknownSVal>())		.getAs<DefinedOrUnknownSVal>())
State = State->assume(*CompV, true);		State = State->assume(*CompV, true);
return State;		return State;
}		}

▲ Show 20 Lines • Show All 73 Lines • ▼ Show 20 Lines	bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call,
case NoEvalCall:		case NoEvalCall:
// Summary tells us to avoid performing eval::Call. The function is possibly		// Summary tells us to avoid performing eval::Call. The function is possibly
// evaluated by another checker, or evaluated conservatively.		// evaluated by another checker, or evaluated conservatively.
return false;		return false;
}		}
llvm_unreachable("Unknown invalidation kind!");		llvm_unreachable("Unknown invalidation kind!");
}		}

bool StdLibraryFunctionsChecker::Summary::matchesCall(		bool StdLibraryFunctionsChecker::Summary::matchesSignature(
const FunctionDecl *FD) const {		const FunctionDecl *FD) const {
// Check number of arguments:		// Check number of arguments:
if (FD->param_size() != ArgTys.size())		if (FD->param_size() != ArgTys.size())
return false;		return false;

// Check return type if relevant:		// Check return type if relevant:
if (!RetTy.isNull() && RetTy != FD->getReturnType().getCanonicalType())		if (!RetTy.isNull() && RetTy != FD->getReturnType().getCanonicalType())
return false;		return false;
Show All 18 Lines
Optional<StdLibraryFunctionsChecker::Summary>		Optional<StdLibraryFunctionsChecker::Summary>
StdLibraryFunctionsChecker::findFunctionSummary(const FunctionDecl *FD,		StdLibraryFunctionsChecker::findFunctionSummary(const FunctionDecl *FD,
CheckerContext &C) const {		CheckerContext &C) const {
if (!FD)		if (!FD)
return None;		return None;

initFunctionSummaries(C);		initFunctionSummaries(C);

IdentifierInfo *II = FD->getIdentifier();		auto FSMI = FunctionSummaryMap.find(FD->getCanonicalDecl());
		SzelethusUnsubmitted Not Done Reply Inline Actions How about `FSMIt`? :^) Szelethus: How about `FSMIt`? :^)
if (!II)
return None;
StringRef Name = II->getName();
if (Name.empty() \|\| !C.isCLibraryFunction(FD, Name))
return None;

auto FSMI = FunctionSummaryMap.find(Name);
if (FSMI == FunctionSummaryMap.end())		if (FSMI == FunctionSummaryMap.end())
return None;		return None;
		return FSMI->second;
// Verify that function signature matches the spec in advance.
// Otherwise we might be modeling the wrong function.
// Strict checking is important because we will be conducting
// very integral-type-sensitive operations on arguments and
// return values.
const Summaries &SpecVariants = FSMI->second;
for (const Summary &Spec : SpecVariants)
if (Spec.matchesCall(FD))
return Spec;

return None;
}		}

Optional<StdLibraryFunctionsChecker::Summary>		Optional<StdLibraryFunctionsChecker::Summary>
StdLibraryFunctionsChecker::findFunctionSummary(const CallEvent &Call,		StdLibraryFunctionsChecker::findFunctionSummary(const CallEvent &Call,
CheckerContext &C) const {		CheckerContext &C) const {
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());		const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (!FD)		if (!FD)
return None;		return None;
return findFunctionSummary(FD, C);		return findFunctionSummary(FD, C);
}		}

		llvm::Optional<const FunctionDecl *>
		lookupGlobalCFunction(StringRef Name, const ASTContext &ACtx) {
		martongAuthorUnsubmitted Not Done Reply Inline Actions Ups, this function is unused I'll remove. martong: Ups, this function is unused I'll remove.
		IdentifierInfo &II = ACtx.Idents.get(Name);
		auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
		if (LookupRes.size() == 0)
		return None;

		assert(LookupRes.size() == 1 && "In C, identifiers should be unique");
		Decl *D = LookupRes.front()->getCanonicalDecl();
		auto *FD = dyn_cast<FunctionDecl>(D);
		if (!FD)
		return None;
		return FD->getCanonicalDecl();
		}

void StdLibraryFunctionsChecker::initFunctionSummaries(		void StdLibraryFunctionsChecker::initFunctionSummaries(
CheckerContext &C) const {		CheckerContext &C) const {
if (!FunctionSummaryMap.empty())		if (!FunctionSummaryMap.empty())
return;		return;

SValBuilder &SVB = C.getSValBuilder();		SValBuilder &SVB = C.getSValBuilder();
BasicValueFactory &BVF = SVB.getBasicValueFactory();		BasicValueFactory &BVF = SVB.getBasicValueFactory();
const ASTContext &ACtx = BVF.getContext();		const ASTContext &ACtx = BVF.getContext();
Show All 38 Lines	void StdLibraryFunctionsChecker::initFunctionSummaries(
// Try our best to parse this from the Preprocessor, otherwise fallback to -1.		// Try our best to parse this from the Preprocessor, otherwise fallback to -1.
const auto EOFv = [&C]() -> RangeInt {		const auto EOFv = [&C]() -> RangeInt {
if (const llvm::Optional<int> OptInt =		if (const llvm::Optional<int> OptInt =
tryExpandAsInteger("EOF", C.getPreprocessor()))		tryExpandAsInteger("EOF", C.getPreprocessor()))
return *OptInt;		return *OptInt;
return -1;		return -1;
}();		}();

		// Auxiliary class to aid adding summaries to the summary map.
		struct AddToFunctionSummaryMap {
		const ASTContext &ACtx;
		FunctionSummaryMapType &Map;
		AddToFunctionSummaryMap(const ASTContext &ACtx, FunctionSummaryMapType &FSM)
		: ACtx(ACtx), Map(FSM) {}
		// Add a summary to a FunctionDecl found by lookup. The lookup is performed
		// by the given Name, and in the global scope. The summary will be attached
		// to the found FunctionDecl only if the signatures match.
		void operator()(StringRef Name, const Summary &S) {
		IdentifierInfo &II = ACtx.Idents.get(Name);
		auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
		if (LookupRes.size() == 0)
		return;
		for (Decl *D : LookupRes) {
		if (auto *FD = dyn_cast<FunctionDecl>(D)) {
		if (S.matchesSignature(FD)) {
		auto Res = Map.insert({FD->getCanonicalDecl(), S});
		assert(Res.second && "Function already has a summary set!");
		(void)Res;
		return;
		}
		}
		}
		}
		// Add several summaries for the given name.
		void operator()(StringRef Name, const std::vector<Summary> &Summaries) {
		for (const Summary &S : Summaries)
		operator()(Name, S);
		}
		} addToFunctionSummaryMap(ACtx, FunctionSummaryMap);

// We are finally ready to define specifications for all supported functions.		// We are finally ready to define specifications for all supported functions.
//		//
// The signature needs to have the correct number of arguments.		// The signature needs to have the correct number of arguments.
// However, we insert `Irrelevant' when the type is insignificant.		// However, we insert `Irrelevant' when the type is insignificant.
//		//
// Argument ranges should always cover all variants. If return value		// Argument ranges should always cover all variants. If return value
// is completely unknown, omit it from the respective range set.		// is completely unknown, omit it from the respective range set.
//		//
Show All 9 Lines	void StdLibraryFunctionsChecker::initFunctionSummaries(
// to the current argument's type. This avoids proper promotion but		// to the current argument's type. This avoids proper promotion but
// seems useful. For example, read() receives size_t argument,		// seems useful. For example, read() receives size_t argument,
// and its return value, which is of type ssize_t, cannot be greater		// and its return value, which is of type ssize_t, cannot be greater
// than this argument. If we made a promotion, and the size argument		// than this argument. If we made a promotion, and the size argument
// is equal to, say, 10, then we'd impose a range of [0, 10] on the		// is equal to, say, 10, then we'd impose a range of [0, 10] on the
// return value, however the correct range is [-1, 10].		// return value, however the correct range is [-1, 10].
//		//
// Please update the list of functions in the header after editing!		// Please update the list of functions in the header after editing!
//

// Below are helpers functions to create the summaries.		// Below are helpers functions to create the summaries.
auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind,		auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind,
IntRangeVector Ranges) {		IntRangeVector Ranges) {
return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges);		return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges);
};		};
struct {		struct {
auto operator()(RangeKind Kind, IntRangeVector Ranges) {		auto operator()(RangeKind Kind, IntRangeVector Ranges) {
▲ Show 20 Lines • Show All 45 Lines • ▼ Show 20 Lines	return Summary(
.ArgConstraint(NotNull(ArgNo(0)));		.ArgConstraint(NotNull(ArgNo(0)));
};		};
auto Getline = [&](RetType R, RangeInt Max) {		auto Getline = [&](RetType R, RangeInt Max) {
return Summary(ArgTypes{Irrelevant, Irrelevant, Irrelevant}, RetType{R},		return Summary(ArgTypes{Irrelevant, Irrelevant, Irrelevant}, RetType{R},
NoEvalCall)		NoEvalCall)
.Case({ReturnValueCondition(WithinRange, {{-1, -1}, {1, Max}})});		.Case({ReturnValueCondition(WithinRange, {{-1, -1}, {1, Max}})});
};		};

FunctionSummaryMap = {
// The isascii() family of functions.		// The isascii() family of functions.
// The behavior is undefined if the value of the argument is not		// The behavior is undefined if the value of the argument is not
// representable as unsigned char or is not equal to EOF. See e.g. C99		// representable as unsigned char or is not equal to EOF. See e.g. C99
// 7.4.1.2 The isalpha function (p: 181-182).		// 7.4.1.2 The isalpha function (p: 181-182).
{		addToFunctionSummaryMap(
"isalnum",		"isalnum",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
// Boils down to isupper() or islower() or isdigit().		// Boils down to isupper() or islower() or isdigit().
.Case(		.Case({ArgumentCondition(0U, WithinRange,
{ArgumentCondition(0U, WithinRange,
{{'0', '9'}, {'A', 'Z'}, {'a', 'z'}}),		{{'0', '9'}, {'A', 'Z'}, {'a', 'z'}}),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
// The locale-specific range.		// The locale-specific range.
// No post-condition. We are completely unaware of		// No post-condition. We are completely unaware of
// locale-specific return values.		// locale-specific return values.
.Case({ArgumentCondition(0U, WithinRange,		.Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})})
{{128, UCharRangeMax}})})		.Case(
.Case({ArgumentCondition(0U, OutOfRange,		{ArgumentCondition(
{{'0', '9'},		0U, OutOfRange,
{'A', 'Z'},		{{'0', '9'}, {'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}),
{'a', 'z'},
{128, UCharRangeMax}}),
ReturnValueCondition(WithinRange, SingleValue(0))})		ReturnValueCondition(WithinRange, SingleValue(0))})
.ArgConstraint(ArgumentCondition(		.ArgConstraint(ArgumentCondition(
0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}}))},		0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
},		addToFunctionSummaryMap(
{
"isalpha",		"isalpha",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.Case({ArgumentCondition(0U, WithinRange,		.Case({ArgumentCondition(0U, WithinRange, {{'A', 'Z'}, {'a', 'z'}}),
{{'A', 'Z'}, {'a', 'z'}}),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
// The locale-specific range.		// The locale-specific range.
.Case({ArgumentCondition(0U, WithinRange,		.Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})})
{{128, UCharRangeMax}})})
.Case({ArgumentCondition(		.Case({ArgumentCondition(
0U, OutOfRange,		0U, OutOfRange,
{{'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}),		{{'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}),
ReturnValueCondition(WithinRange, SingleValue(0))})},		ReturnValueCondition(WithinRange, SingleValue(0))}));
},		addToFunctionSummaryMap(
{
"isascii",		"isascii",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.Case({ArgumentCondition(0U, WithinRange, Range(0, 127)),		.Case({ArgumentCondition(0U, WithinRange, Range(0, 127)),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
.Case({ArgumentCondition(0U, OutOfRange, Range(0, 127)),		.Case({ArgumentCondition(0U, OutOfRange, Range(0, 127)),
ReturnValueCondition(WithinRange, SingleValue(0))})},		ReturnValueCondition(WithinRange, SingleValue(0))}));
},		addToFunctionSummaryMap(
{
"isblank",		"isblank",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.Case({ArgumentCondition(0U, WithinRange,		.Case({ArgumentCondition(0U, WithinRange, {{'\t', '\t'}, {' ', ' '}}),
{{'\t', '\t'}, {' ', ' '}}),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
.Case({ArgumentCondition(0U, OutOfRange,		.Case({ArgumentCondition(0U, OutOfRange, {{'\t', '\t'}, {' ', ' '}}),
{{'\t', '\t'}, {' ', ' '}}),		ReturnValueCondition(WithinRange, SingleValue(0))}));
ReturnValueCondition(WithinRange, SingleValue(0))})},		addToFunctionSummaryMap(
},
{
"iscntrl",		"iscntrl",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.Case({ArgumentCondition(0U, WithinRange,		.Case({ArgumentCondition(0U, WithinRange, {{0, 32}, {127, 127}}),
{{0, 32}, {127, 127}}),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
.Case(		.Case({ArgumentCondition(0U, OutOfRange, {{0, 32}, {127, 127}}),
{ArgumentCondition(0U, OutOfRange, {{0, 32}, {127, 127}}),		ReturnValueCondition(WithinRange, SingleValue(0))}));
ReturnValueCondition(WithinRange, SingleValue(0))})},		addToFunctionSummaryMap(
},
{
"isdigit",		"isdigit",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.Case({ArgumentCondition(0U, WithinRange, Range('0', '9')),		.Case({ArgumentCondition(0U, WithinRange, Range('0', '9')),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
.Case({ArgumentCondition(0U, OutOfRange, Range('0', '9')),		.Case({ArgumentCondition(0U, OutOfRange, Range('0', '9')),
ReturnValueCondition(WithinRange, SingleValue(0))})},		ReturnValueCondition(WithinRange, SingleValue(0))}));
},		addToFunctionSummaryMap(
{
"isgraph",		"isgraph",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.Case({ArgumentCondition(0U, WithinRange, Range(33, 126)),		.Case({ArgumentCondition(0U, WithinRange, Range(33, 126)),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
.Case({ArgumentCondition(0U, OutOfRange, Range(33, 126)),		.Case({ArgumentCondition(0U, OutOfRange, Range(33, 126)),
ReturnValueCondition(WithinRange, SingleValue(0))})},		ReturnValueCondition(WithinRange, SingleValue(0))}));
},		addToFunctionSummaryMap(
{
"islower",		"islower",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
// Is certainly lowercase.		// Is certainly lowercase.
.Case({ArgumentCondition(0U, WithinRange, Range('a', 'z')),		.Case({ArgumentCondition(0U, WithinRange, Range('a', 'z')),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
// Is ascii but not lowercase.		// Is ascii but not lowercase.
.Case({ArgumentCondition(0U, WithinRange, Range(0, 127)),		.Case({ArgumentCondition(0U, WithinRange, Range(0, 127)),
ArgumentCondition(0U, OutOfRange, Range('a', 'z')),		ArgumentCondition(0U, OutOfRange, Range('a', 'z')),
ReturnValueCondition(WithinRange, SingleValue(0))})		ReturnValueCondition(WithinRange, SingleValue(0))})
// The locale-specific range.		// The locale-specific range.
.Case({ArgumentCondition(0U, WithinRange,		.Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})})
{{128, UCharRangeMax}})})
// Is not an unsigned char.		// Is not an unsigned char.
.Case({ArgumentCondition(0U, OutOfRange,		.Case({ArgumentCondition(0U, OutOfRange, Range(0, UCharRangeMax)),
Range(0, UCharRangeMax)),		ReturnValueCondition(WithinRange, SingleValue(0))}));
ReturnValueCondition(WithinRange, SingleValue(0))})},		addToFunctionSummaryMap(
},
{
"isprint",		"isprint",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.Case({ArgumentCondition(0U, WithinRange, Range(32, 126)),		.Case({ArgumentCondition(0U, WithinRange, Range(32, 126)),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
.Case({ArgumentCondition(0U, OutOfRange, Range(32, 126)),		.Case({ArgumentCondition(0U, OutOfRange, Range(32, 126)),
ReturnValueCondition(WithinRange, SingleValue(0))})},		ReturnValueCondition(WithinRange, SingleValue(0))}));
},		addToFunctionSummaryMap(
{
"ispunct",		"ispunct",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.Case({ArgumentCondition(		.Case({ArgumentCondition(
0U, WithinRange,		0U, WithinRange,
{{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}),		{{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
.Case({ArgumentCondition(		.Case({ArgumentCondition(
0U, OutOfRange,		0U, OutOfRange,
{{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}),		{{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}),
ReturnValueCondition(WithinRange, SingleValue(0))})},		ReturnValueCondition(WithinRange, SingleValue(0))}));
},		addToFunctionSummaryMap(
{
"isspace",		"isspace",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
// Space, '\f', '\n', '\r', '\t', '\v'.		// Space, '\f', '\n', '\r', '\t', '\v'.
.Case({ArgumentCondition(0U, WithinRange,		.Case({ArgumentCondition(0U, WithinRange, {{9, 13}, {' ', ' '}}),
{{9, 13}, {' ', ' '}}),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
// The locale-specific range.		// The locale-specific range.
.Case({ArgumentCondition(0U, WithinRange,		.Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})})
{{128, UCharRangeMax}})})		.Case({ArgumentCondition(0U, OutOfRange,
.Case({ArgumentCondition(
0U, OutOfRange,
{{9, 13}, {' ', ' '}, {128, UCharRangeMax}}),		{{9, 13}, {' ', ' '}, {128, UCharRangeMax}}),
ReturnValueCondition(WithinRange, SingleValue(0))})},		ReturnValueCondition(WithinRange, SingleValue(0))}));
},		addToFunctionSummaryMap(
{
"isupper",		"isupper",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
// Is certainly uppercase.		// Is certainly uppercase.
.Case({ArgumentCondition(0U, WithinRange, Range('A', 'Z')),		.Case({ArgumentCondition(0U, WithinRange, Range('A', 'Z')),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
// The locale-specific range.		// The locale-specific range.
.Case({ArgumentCondition(0U, WithinRange,		.Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})})
{{128, UCharRangeMax}})})
// Other.		// Other.
.Case({ArgumentCondition(0U, OutOfRange,		.Case({ArgumentCondition(0U, OutOfRange,
{{'A', 'Z'}, {128, UCharRangeMax}}),		{{'A', 'Z'}, {128, UCharRangeMax}}),
ReturnValueCondition(WithinRange, SingleValue(0))})},		ReturnValueCondition(WithinRange, SingleValue(0))}));
},		addToFunctionSummaryMap(
{
"isxdigit",		"isxdigit",
Summaries{
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.Case(		.Case({ArgumentCondition(0U, WithinRange,
{ArgumentCondition(0U, WithinRange,
{{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),		{{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),
ReturnValueCondition(OutOfRange, SingleValue(0))})		ReturnValueCondition(OutOfRange, SingleValue(0))})
.Case(		.Case({ArgumentCondition(0U, OutOfRange,
{ArgumentCondition(0U, OutOfRange,
{{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),		{{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),
ReturnValueCondition(WithinRange, SingleValue(0))})},		ReturnValueCondition(WithinRange, SingleValue(0))}));
},

// The getc() family of functions that returns either a char or an EOF.		// The getc() family of functions that returns either a char or an EOF.
{"getc", Summaries{Getc()}},		addToFunctionSummaryMap("getc", Getc());
{"fgetc", Summaries{Getc()}},		addToFunctionSummaryMap("fgetc", Getc());
{"getchar",		addToFunctionSummaryMap(
Summaries{Summary(ArgTypes{}, RetType{IntTy}, NoEvalCall)		"getchar", Summary(ArgTypes{}, RetType{IntTy}, NoEvalCall)
.Case({ReturnValueCondition(		.Case({ReturnValueCondition(
WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})})}},		WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})}));

// read()-like functions that never return more than buffer size.		// read()-like functions that never return more than buffer size.
// We are not sure how ssize_t is defined on every platform, so we		// We are not sure how ssize_t is defined on every platform, so we
// provide three variants that should cover common cases.		// provide three variants that should cover common cases.
{"read", Summaries{Read(IntTy, IntMax), Read(LongTy, LongMax),		addToFunctionSummaryMap("read", {Read(IntTy, IntMax), Read(LongTy, LongMax),
Read(LongLongTy, LongLongMax)}},		Read(LongLongTy, LongLongMax)});
{"write", Summaries{Read(IntTy, IntMax), Read(LongTy, LongMax),		addToFunctionSummaryMap("write", {Read(IntTy, IntMax), Read(LongTy, LongMax),
Read(LongLongTy, LongLongMax)}},		Read(LongLongTy, LongLongMax)});
{"fread", Summaries{Fread()}},		addToFunctionSummaryMap("fread", Fread());
{"fwrite", Summaries{Fwrite()}},		addToFunctionSummaryMap("fwrite", Fwrite());
// getline()-like functions either fail or read at least the delimiter.		// getline()-like functions either fail or read at least the delimiter.
{"getline", Summaries{Getline(IntTy, IntMax), Getline(LongTy, LongMax),		addToFunctionSummaryMap("getline",
Getline(LongLongTy, LongLongMax)}},		{Getline(IntTy, IntMax), Getline(LongTy, LongMax),
{"getdelim", Summaries{Getline(IntTy, IntMax), Getline(LongTy, LongMax),		Getline(LongLongTy, LongLongMax)});
Getline(LongLongTy, LongLongMax)}},		addToFunctionSummaryMap("getdelim",
};		{Getline(IntTy, IntMax), Getline(LongTy, LongMax),
		Getline(LongLongTy, LongLongMax)});

// Functions for testing.		// Functions for testing.
if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {		if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {
llvm::StringMap<Summaries> TestFunctionSummaryMap = {		addToFunctionSummaryMap(
{"__two_constrained_args",		"__two_constrained_args",
Summaries{
Summary(ArgTypes{IntTy, IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy, IntTy}, RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(		.ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))
ArgumentCondition(0U, WithinRange, SingleValue(1)))		.ArgConstraint(ArgumentCondition(1U, WithinRange, SingleValue(1))));
.ArgConstraint(		addToFunctionSummaryMap(
ArgumentCondition(1U, WithinRange, SingleValue(1)))}},		"__arg_constrained_twice",
{"__arg_constrained_twice",		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
Summaries{Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		.ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1)))
.ArgConstraint(		.ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(2))));
ArgumentCondition(0U, OutOfRange, SingleValue(1)))		addToFunctionSummaryMap(
.ArgConstraint(		"__defaultparam",
ArgumentCondition(0U, OutOfRange, SingleValue(2)))}},		Summary(ArgTypes{Irrelevant, IntTy}, RetType{IntTy}, EvalCallAsPure)
{"__defaultparam", Summaries{Summary(ArgTypes{Irrelevant, IntTy},		.ArgConstraint(NotNull(ArgNo(0))));
RetType{IntTy}, EvalCallAsPure)		addToFunctionSummaryMap("__variadic",
.ArgConstraint(NotNull(ArgNo(0)))}},		Summary(ArgTypes{VoidPtrTy, ConstCharPtrTy},
{"__variadic", Summaries{Summary(ArgTypes{VoidPtrTy, ConstCharPtrTy},
RetType{IntTy}, EvalCallAsPure)		RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(NotNull(ArgNo(0)))		.ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(1)))}}};		.ArgConstraint(NotNull(ArgNo(1))));
for (auto &E : TestFunctionSummaryMap) {
auto InsertRes =
FunctionSummaryMap.insert({std::string(E.getKey()), E.getValue()});
assert(InsertRes.second &&
"Test functions must not clash with modeled functions");
(void)InsertRes;
}
}		}
}		}

void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) {		void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) {
mgr.registerChecker<StdLibraryFunctionsChecker>();		mgr.registerChecker<StdLibraryFunctionsChecker>();
}		}

bool ento::shouldRegisterStdCLibraryFunctionsChecker(const CheckerManager &mgr) {		bool ento::shouldRegisterStdCLibraryFunctionsChecker(const CheckerManager &mgr) {
Show All 16 Lines