This is an archive of the discontinued LLVM Phabricator instance.

Differential D106644

[clang][analyzer] Add standard streams to alpha.unix.Stream checker.
AcceptedPublic

Authored by balazske on Jul 23 2021, 3:18 AM.

Details

Reviewers
Szelethus
NoQ
steakhal
martong
vsavchenko
Summary

Recognize initial value of standard streams (stdin, ...)
and assume that a new opened stream is not equal to these.

Diff Detail

Event Timeline

balazske created this revision.Jul 23 2021, 3:18 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJul 23 2021, 3:18 AM
Herald added subscribers: manas, steakhal, ASDenysPetrov and 11 others. · View Herald Transcript
balazske requested review of this revision.Jul 23 2021, 3:18 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 23 2021, 3:18 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B115815: Diff 361147.Jul 23 2021, 3:19 AM
balazske added a parent revision: D106262: [clang][analyzer] Use generic note tag in alpha.unix.Stream ..Jul 23 2021, 3:19 AM
martong added inline comments.Jul 23 2021, 6:05 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
233–236

Would it be possible to reuse (i.e put in a common place) the StdLibraryFunctionChecker's lookupTy? That also handles the cases when FILEType is null or when we have a typedef struct FILE FILE;.

balazske added reviewers: NoQ, steakhal, martong.Jul 29 2021, 12:55 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptJul 29 2021, 12:55 AM
martong added inline comments.Jul 29 2021, 1:48 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
233–236

Could you please consider the above question?

Szelethus added a reviewer: vsavchenko.Jul 29 2021, 5:45 AM

I like the idea, though I wonder whether evalAssume would be a better callback for this. That way, you'd only need to add an assumption when you reach a condition where one of the operands is standard.

Though it may be more trouble than its worth. I don't have strong feelings on this.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
256

How about getStdStreamSymbol?

balazske updated this revision to Diff 362775.Jul 29 2021, 7:41 AM

Split some type lookup functions from StdLibraryFunctionsChecker into separate files.

Herald added a subscriber: mgorny. · View Herald TranscriptJul 29 2021, 7:41 AM
martong added a comment.Jul 29 2021, 8:02 AM
In D106644#2913676, @balazske wrote:

Split some type lookup functions from StdLibraryFunctionsChecker into separate files.

Thank you, this is awesome!

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
490

We should be careful, to cache the results (either here, or deeper in the call stack).
I mean, we certainly don't want to do a lookup of "stdin" every time a function is evaluated. We should do this lazily, only once.

Harbormaster completed remote builds in B116977: Diff 362775.Jul 29 2021, 8:35 AM
steakhal added inline comments.Aug 5 2021, 9:03 AM
clang/lib/StaticAnalyzer/Checkers/ASTLookup.cpp
27

Decl *D -> const Decl *D. Same for the other loop.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
242

You calculate this 3 times now. I mean it's not a big deal, but we could save this to do it only once.

244–253

It will early return and uses one fewer continue.

490

I agree. We should do this only for the first top-level function, instead of doing this for every top-level function.

573

It might be a personal preference but I think lambdas should be pure in the sense that it takes something and produces something else.
Regardless of your choice, the trailing return type would highlight it.

577

SValBuilder::getConditionType(), oh they are the same under the hood. We should still probably prefer this one instead.
It might worth hoisting C.getSValBuilder() to a local variable though.
The symbol for StdStream also deserves a separate variable IMO.

578–581

I think you should be fine with castAs(). I'm not expecting this to fail.

clang/test/Analysis/stream.c
278–279

How about checking this way instead?

clang_analyzer_eval(F != stdin);  // TRUE
clang_analyzer_eval(F != stdout); // TRUE
clang_analyzer_eval(F != stderr); // TRUE
balazske added inline comments.Aug 6 2021, 4:02 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
244–253

The intent was that if no FILEType is found we find just the first VarDecl and do not check the type. This recommended change returns always null if no FILEType is found.

490

I am not sure if the SymbolRef values are safe to store between top-level function analyses. The FILE type and std stream declarations are safe to cache, but the SymbolRef values of these variables probably not.

balazske updated this revision to Diff 364787.Aug 6 2021, 7:07 AM

Init std declarations and FILE type only once.
Make a lambda not operate on captured data.
Simplify test.

Harbormaster completed remote builds in B118377: Diff 364787.Aug 6 2021, 7:07 AM
balazske marked 8 inline comments as done.Aug 6 2021, 7:08 AM
steakhal added a comment.Aug 6 2021, 8:06 AM

Let's see if we can cache the stream symbols across top-level analyses.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
244–253

Hm, it was not immediately clear to me.

490

I think it should be safe. But place there an assert and run the test suite. If it won't trigger, that means that we have high confidentiality that this is safe. I know it's not 100%, but pretty close.

493
497
538

This should be probably at the definition of StdinSym and getStdStreamSym().

balazske marked an inline comment as done.Aug 6 2021, 8:43 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
490

I tried to check if these SymbolRef's are the same at checkBeginFunction after initialized once. The assertion for equality failed sometimes, or other crash happened when dump was called on the value. So it looks not safe to cache these. And should we add assumptions about that these StdinSym, StdoutSym, StderrSym are not equal to each other?

577

This lambda is possible to improve.

steakhal added inline comments.Aug 6 2021, 8:45 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
490

Good to know. I don't think it's necessary to add assertions.

balazske updated this revision to Diff 365175.Aug 9 2021, 6:27 AM

Simplified a lambda usage.
Moved some functions, changed documentation.

Harbormaster completed remote builds in B118669: Diff 365175.Aug 9 2021, 6:28 AM
steakhal accepted this revision.Aug 9 2021, 8:41 AM

It's fine on my part.

This revision is now accepted and ready to land.Aug 9 2021, 8:41 AM
martong added inline comments.Aug 30 2021, 7:03 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
490

Okay, so we should not cache the SymbolRefs then. But we must cache the VarDecls. I mean, we should avoid calling

StdinDecl = findStdStreamDecl("stdin", C);

more than once for each TU.

I think you could use and Optional for StdinDecl (and the others) to achieve this.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
83 lines
78 lines
1 line
90 lines
113 lines
test/
Analysis/
24 lines

Diff 365175

clang/lib/StaticAnalyzer/Checkers/ASTLookup.h

  • This file was added.
//=== ASTLookup.h - Lookup and construct objects from AST. ---------*- C++ -*-//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Defines a simple interface to search for specific objects (types) in a clang
// AST and compute derived objects (types) from these.
// This is designed to be useful in checkers that need to lookup big amount of
// specific types and properties of them.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ASTLOOKUP_H
#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ASTLOOKUP_H
#include "clang/AST/ASTContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h"
namespace clang {
namespace ento {
namespace ast_lookup {
/// Try to find a type with specific name.
/// If there is a typedef with same name use this instead.
class LookupType {
const ASTContext &ACtx;
public:
LookupType(const ASTContext &ACtx) : ACtx(ACtx) {}
// Find the type. If not found then the optional is not set.
llvm::Optional<QualType> operator()(StringRef Name);
};
/// Construct the "restrict" (C99) version of a type.
/// If not applicable or empty is passed in, return the same value.
class GetRestrictTy {
const ASTContext &ACtx;
public:
GetRestrictTy(const ASTContext &ACtx) : ACtx(ACtx) {}
QualType operator()(QualType Ty);
Optional<QualType> operator()(Optional<QualType> Ty);
};
/// Construct a pointer to a type.
class GetPointerTy {
const ASTContext &ACtx;
public:
GetPointerTy(const ASTContext &ACtx) : ACtx(ACtx) {}
QualType operator()(QualType Ty);
Optional<QualType> operator()(Optional<QualType> Ty);
};
/// Construct a const version of a type.
class GetConstTy {
public:
Optional<QualType> operator()(Optional<QualType> Ty);
QualType operator()(QualType Ty);
};
/// Get the maximum possible value of a type.
class GetMaxValue {
BasicValueFactory &BVF;
public:
GetMaxValue(BasicValueFactory &BVF) : BVF(BVF) {}
Optional<uint64_t> operator()(QualType Ty);
Optional<uint64_t> operator()(Optional<QualType> Ty);
};
} // namespace ast_lookup
} // namespace ento
} // namespace clang
#endif // LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ASTLOOKUP_H

clang/lib/StaticAnalyzer/Checkers/ASTLookup.cpp

  • This file was added.
//== ASTLookup.cpp ----------------------------------------------*- C++ -*--==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "ASTLookup.h"
namespace clang {
namespace ento {
namespace ast_lookup {
llvm::Optional<QualType> LookupType::operator()(StringRef Name) {
IdentifierInfo &II = ACtx.Idents.get(Name);
auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
if (LookupRes.empty())
return None;
// Prioritze typedef declarations.
// This is needed in case of C struct typedefs. E.g.:
// typedef struct FILE FILE;
// In this case, we have a RecordDecl 'struct FILE' with the name 'FILE'
// and we have a TypedefDecl with the name 'FILE'.
for (const Decl *D : LookupRes)
if (const auto *TD = dyn_cast<TypedefNameDecl>(D))
steakhalUnsubmitted
Done
ReplyInline Actions

Decl *D -> const Decl *D. Same for the other loop.

steakhal: `Decl *D` -> `const Decl *D`. Same for the other loop.
return ACtx.getTypeDeclType(TD).getCanonicalType();
// Find the first TypeDecl.
// There maybe cases when a function has the same name as a struct.
// E.g. in POSIX: `struct stat` and the function `stat()`:
// int stat(const char *restrict path, struct stat *restrict buf);
for (const Decl *D : LookupRes)
if (const auto *TD = dyn_cast<TypeDecl>(D))
return ACtx.getTypeDeclType(TD).getCanonicalType();
return None;
}
QualType GetRestrictTy::operator()(QualType Ty) {
return ACtx.getLangOpts().C99 ? ACtx.getRestrictType(Ty) : Ty;
}
Optional<QualType> GetRestrictTy::operator()(Optional<QualType> Ty) {
if (Ty)
return operator()(*Ty);
return None;
}
QualType GetPointerTy::operator()(QualType Ty) {
return ACtx.getPointerType(Ty);
}
Optional<QualType> GetPointerTy::operator()(Optional<QualType> Ty) {
if (Ty)
return operator()(*Ty);
return None;
}
Optional<QualType> GetConstTy::operator()(Optional<QualType> Ty) {
return Ty ? Optional<QualType>(Ty->withConst()) : None;
}
QualType GetConstTy::operator()(QualType Ty) { return Ty.withConst(); }
Optional<uint64_t> GetMaxValue::operator()(QualType Ty) {
return BVF.getMaxValue(Ty).getLimitedValue();
}
Optional<uint64_t> GetMaxValue::operator()(Optional<QualType> Ty) {
if (Ty) {
return operator()(*Ty);
}
return None;
}
} // namespace ast_lookup
} // namespace ento
} // namespace clang

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

set(LLVM_LINK_COMPONENTS set(LLVM_LINK_COMPONENTS
FrontendOpenMP FrontendOpenMP
Support Support
) )
add_clang_library(clangStaticAnalyzerCheckers add_clang_library(clangStaticAnalyzerCheckers
AnalysisOrderChecker.cpp AnalysisOrderChecker.cpp
AnalyzerStatsChecker.cpp AnalyzerStatsChecker.cpp
ArrayBoundChecker.cpp ArrayBoundChecker.cpp
ArrayBoundCheckerV2.cpp ArrayBoundCheckerV2.cpp
ASTLookup.cpp
BasicObjCFoundationChecks.cpp BasicObjCFoundationChecks.cpp
BlockInCriticalSectionChecker.cpp BlockInCriticalSectionChecker.cpp
BoolAssignmentChecker.cpp BoolAssignmentChecker.cpp
BuiltinFunctionChecker.cpp BuiltinFunctionChecker.cpp
CStringChecker.cpp CStringChecker.cpp
CStringSyntaxChecker.cpp CStringSyntaxChecker.cpp
CallAndMessageChecker.cpp CallAndMessageChecker.cpp
CastSizeChecker.cpp CastSizeChecker.cpp
▲ Show 20 LinesShow All 125 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 43 Lines▼ Show 20 Lines
// fread isalnum isgraph isxdigit // fread isalnum isgraph isxdigit
// fwrite isalpha islower read // fwrite isalpha islower read
// getc isascii isprint write // getc isascii isprint write
// getchar isblank ispunct toupper // getchar isblank ispunct toupper
// getdelim iscntrl isspace tolower // getdelim iscntrl isspace tolower
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ASTLookup.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
▲ Show 20 LinesShow All 890 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::initFunctionSummaries(
CheckerContext &C) const { CheckerContext &C) const {
if (SummariesInitialized) if (SummariesInitialized)
return; return;
SValBuilder &SVB = C.getSValBuilder(); SValBuilder &SVB = C.getSValBuilder();
BasicValueFactory &BVF = SVB.getBasicValueFactory(); BasicValueFactory &BVF = SVB.getBasicValueFactory();
const ASTContext &ACtx = BVF.getContext(); const ASTContext &ACtx = BVF.getContext();
// Helper class to lookup a type by its name. ast_lookup::LookupType lookupTy(ACtx);
class LookupType { ast_lookup::GetRestrictTy getRestrictTy(ACtx);
const ASTContext &ACtx; ast_lookup::GetPointerTy getPointerTy(ACtx);
ast_lookup::GetConstTy getConstTy;
public: ast_lookup::GetMaxValue getMaxValue(BVF);
LookupType(const ASTContext &ACtx) : ACtx(ACtx) {}
// Find the type. If not found then the optional is not set.
llvm::Optional<QualType> operator()(StringRef Name) {
IdentifierInfo &II = ACtx.Idents.get(Name);
auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
if (LookupRes.empty())
return None;
// Prioritze typedef declarations.
// This is needed in case of C struct typedefs. E.g.:
// typedef struct FILE FILE;
// In this case, we have a RecordDecl 'struct FILE' with the name 'FILE'
// and we have a TypedefDecl with the name 'FILE'.
for (Decl *D : LookupRes)
if (auto *TD = dyn_cast<TypedefNameDecl>(D))
return ACtx.getTypeDeclType(TD).getCanonicalType();
// Find the first TypeDecl.
// There maybe cases when a function has the same name as a struct.
// E.g. in POSIX: `struct stat` and the function `stat()`:
// int stat(const char *restrict path, struct stat *restrict buf);
for (Decl *D : LookupRes)
if (auto *TD = dyn_cast<TypeDecl>(D))
return ACtx.getTypeDeclType(TD).getCanonicalType();
return None;
}
} lookupTy(ACtx);
// Below are auxiliary classes to handle optional types that we get as a
// result of the lookup.
class GetRestrictTy {
const ASTContext &ACtx;
public:
GetRestrictTy(const ASTContext &ACtx) : ACtx(ACtx) {}
QualType operator()(QualType Ty) {
return ACtx.getLangOpts().C99 ? ACtx.getRestrictType(Ty) : Ty;
}
Optional<QualType> operator()(Optional<QualType> Ty) {
if (Ty)
return operator()(*Ty);
return None;
}
} getRestrictTy(ACtx);
class GetPointerTy {
const ASTContext &ACtx;
public:
GetPointerTy(const ASTContext &ACtx) : ACtx(ACtx) {}
QualType operator()(QualType Ty) { return ACtx.getPointerType(Ty); }
Optional<QualType> operator()(Optional<QualType> Ty) {
if (Ty)
return operator()(*Ty);
return None;
}
} getPointerTy(ACtx);
class {
public:
Optional<QualType> operator()(Optional<QualType> Ty) {
return Ty ? Optional<QualType>(Ty->withConst()) : None;
}
QualType operator()(QualType Ty) { return Ty.withConst(); }
} getConstTy;
class GetMaxValue {
BasicValueFactory &BVF;
public:
GetMaxValue(BasicValueFactory &BVF) : BVF(BVF) {}
Optional<RangeInt> operator()(QualType Ty) {
return BVF.getMaxValue(Ty).getLimitedValue();
}
Optional<RangeInt> operator()(Optional<QualType> Ty) {
if (Ty) {
return operator()(*Ty);
}
return None;
}
} getMaxValue(BVF);
// These types are useful for writing specifications quickly, // These types are useful for writing specifications quickly,
// New specifications should probably introduce more types. // New specifications should probably introduce more types.
// Some types are hard to obtain from the AST, eg. "ssize_t". // Some types are hard to obtain from the AST, eg. "ssize_t".
// In such cases it should be possible to provide multiple variants // In such cases it should be possible to provide multiple variants
// of function summary for common cases (eg. ssize_t could be int or long // of function summary for common cases (eg. ssize_t could be int or long
// or long long, so three summary variants would be enough). // or long long, so three summary variants would be enough).
// Of course, function variants are also useful for C++ overloads. // Of course, function variants are also useful for C++ overloads.
▲ Show 20 LinesShow All 1,623 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

//===-- StreamChecker.cpp -----------------------------------------*- C++ -*--// //===-- StreamChecker.cpp -----------------------------------------*- C++ -*--//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines checkers that model and check stream handling functions. // This file defines checkers that model and check stream handling functions.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ASTLookup.h"
#include "clang/AST/ParentMapContext.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
▲ Show 20 LinesShow All 131 Lines▼ Show 20 Lines
}; };
} // namespace } // namespace
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// StreamChecker class and utility functions. // StreamChecker class and utility functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// This map holds the state of a stream.
// The stream is identified with a SymbolRef that is created when a stream
// opening function is modeled by the checker.
REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)
namespace { namespace {
class StreamChecker; class StreamChecker;
using FnCheck = std::function<void(const StreamChecker *, const FnDescription *, using FnCheck = std::function<void(const StreamChecker *, const FnDescription *,
const CallEvent &, CheckerContext &)>; const CallEvent &, CheckerContext &)>;
using ArgNoTy = unsigned int; using ArgNoTy = unsigned int;
static const ArgNoTy ArgNone = std::numeric_limits<ArgNoTy>::max(); static const ArgNoTy ArgNone = std::numeric_limits<ArgNoTy>::max();
struct FnDescription { struct FnDescription {
FnCheck PreFn; FnCheck PreFn;
FnCheck EvalFn; FnCheck EvalFn;
ArgNoTy StreamArgNo; ArgNoTy StreamArgNo;
}; };
/// Find symbolic value of a global "standard stream"
/// (stdin, stdout, stderr) variable.
/// The StdDecl value is allowed to be nullptr.
SymbolRef getStdStreamSym(const VarDecl *StdDecl, CheckerContext &C) {
if (!StdDecl)
return nullptr;
const LocationContext *LCtx = C.getLocationContext();
const VarRegion *RegionOfStdStreamVar =
C.getState()->getRegion(StdDecl, LCtx);
if (!RegionOfStdStreamVar)
return nullptr;
SVal StdVal = C.getState()->getSVal(RegionOfStdStreamVar, StdDecl->getType());
return StdVal.getAsSymbol();
}
/// Get the value of the stream argument out of the passed call event. /// Get the value of the stream argument out of the passed call event.
/// The call should contain a function that is described by Desc. /// The call should contain a function that is described by Desc.
SVal getStreamArg(const FnDescription *Desc, const CallEvent &Call) { SVal getStreamArg(const FnDescription *Desc, const CallEvent &Call) {
assert(Desc && Desc->StreamArgNo != ArgNone && assert(Desc && Desc->StreamArgNo != ArgNone &&
"Try to get a non-existing stream argument."); "Try to get a non-existing stream argument.");
return Call.getArgSVal(Desc->StreamArgNo); return Call.getArgSVal(Desc->StreamArgNo);
} }
Show All 18 Lines
ProgramStateRef bindInt(uint64_t Value, ProgramStateRef State, ProgramStateRef bindInt(uint64_t Value, ProgramStateRef State,
CheckerContext &C, const CallExpr *CE) { CheckerContext &C, const CallExpr *CE) {
State = State->BindExpr(CE, C.getLocationContext(), State = State->BindExpr(CE, C.getLocationContext(),
C.getSValBuilder().makeIntVal(Value, false)); C.getSValBuilder().makeIntVal(Value, false));
return State; return State;
} }
class StreamChecker : public Checker<check::PreCall, eval::Call, class StreamChecker
: public Checker<check::BeginFunction, check::PreCall, eval::Call,
check::DeadSymbols, check::PointerEscape> { check::DeadSymbols, check::PointerEscape> {
BugType BT_FileNull{this, "NULL stream pointer", "Stream handling error"}; BugType BT_FileNull{this, "NULL stream pointer", "Stream handling error"};
martongUnsubmitted
Done
ReplyInline Actions

Would it be possible to reuse (i.e put in a common place) the StdLibraryFunctionChecker's lookupTy? That also handles the cases when FILEType is null or when we have a typedef struct FILE FILE;.

martong: Would it be possible to reuse (i.e put in a common place) the StdLibraryFunctionChecker's…
martongUnsubmitted
Done
ReplyInline Actions

Could you please consider the above question?

martong: Could you please consider the above question?
BugType BT_UseAfterClose{this, "Closed stream", "Stream handling error"}; BugType BT_UseAfterClose{this, "Closed stream", "Stream handling error"};
BugType BT_UseAfterOpenFailed{this, "Invalid stream", BugType BT_UseAfterOpenFailed{this, "Invalid stream",
"Stream handling error"}; "Stream handling error"};
BugType BT_IndeterminatePosition{this, "Invalid stream state", BugType BT_IndeterminatePosition{this, "Invalid stream state",
"Stream handling error"}; "Stream handling error"};
BugType BT_IllegalWhence{this, "Illegal whence argument", BugType BT_IllegalWhence{this, "Illegal whence argument",
steakhalUnsubmitted
Done
ReplyInline Actions

You calculate this 3 times now. I mean it's not a big deal, but we could save this to do it only once.

steakhal: You calculate this 3 times now. I mean it's not a big deal, but we could save this to do it…
"Stream handling error"}; "Stream handling error"};
BugType BT_StreamEof{this, "Stream already in EOF", "Stream handling error"}; BugType BT_StreamEof{this, "Stream already in EOF", "Stream handling error"};
BugType BT_ResourceLeak{this, "Resource leak", "Stream handling error", BugType BT_ResourceLeak{this, "Resource leak", "Stream handling error",
/*SuppressOnSink =*/true}; /*SuppressOnSink =*/true};
public: public:
void checkBeginFunction(CheckerContext &C) const;
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
bool evalCall(const CallEvent &Call, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
ProgramStateRef checkPointerEscape(ProgramStateRef State, ProgramStateRef checkPointerEscape(ProgramStateRef State,
steakhalUnsubmitted
Not Done
ReplyInline Actions
Optional<QualType> FILEType = GetPointer(LookupType("FILE"));
- for (Decl *D : LookupRes) {
+ if (!FILEType.hasValue())
+ return nullptr;
+
+ for (const Decl *D : LookupRes) {
D = D->getCanonicalDecl();
if (!C.getSourceManager().isInSystemHeader(D->getLocation()))
continue;
- if (auto *VD = dyn_cast<VarDecl>(D)) {
- if (FILEType && !ACtx.hasSameType(*FILEType, VD->getType()))
- continue;
- return VD;
- }
- }
+ if (auto *VD = dyn_cast<VarDecl>(D))
+ if (ACtx.hasSameType(*FILEType, VD->getType()))
+ return VD;
+ }
return nullptr;

It will early return and uses one fewer continue.

steakhal: It will early return and uses one fewer `continue`.
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The intent was that if no FILEType is found we find just the first VarDecl and do not check the type. This recommended change returns always null if no FILEType is found.

balazske: The intent was that if no `FILEType` is found we find just the first `VarDecl` and do not check…
steakhalUnsubmitted
Not Done
ReplyInline Actions

Hm, it was not immediately clear to me.

steakhal: Hm, it was not immediately clear to me.
const InvalidatedSymbols &Escaped, const InvalidatedSymbols &Escaped,
const CallEvent *Call, const CallEvent *Call,
PointerEscapeKind Kind) const; PointerEscapeKind Kind) const;
SzelethusUnsubmitted
Done
ReplyInline Actions

How about getStdStreamSymbol?

Szelethus: How about `getStdStreamSymbol`?
/// If true, evaluate special testing stream functions. /// If true, evaluate special testing stream functions.
bool TestMode = false; bool TestMode = false;
using BugMessageMap = llvm::DenseMap<const BugType *, const char *>; using BugMessageMap = llvm::DenseMap<const BugType *, const char *>;
const BugMessageMap BugMessages = { const BugMessageMap BugMessages = {
{&BT_FileNull, "Assuming opening the stream fails here"}, {&BT_FileNull, "Assuming opening the stream fails here"},
{&BT_UseAfterClose, "Stream closed here"}, {&BT_UseAfterClose, "Stream closed here"},
▲ Show 20 LinesShow All 41 Lines▼ Show 20 Lines CallDescriptionMap<FnDescription> FnTestDescriptions = {
0}}, 0}},
{{"StreamTesterChecker_make_ferror_stream", 1}, {{"StreamTesterChecker_make_ferror_stream", 1},
{nullptr, {nullptr,
std::bind(&StreamChecker::evalSetFeofFerror, _1, _2, _3, _4, std::bind(&StreamChecker::evalSetFeofFerror, _1, _2, _3, _4,
ErrorFError), ErrorFError),
0}}, 0}},
}; };
mutable bool StdStreamsInitialized = false;
mutable Optional<QualType> FILEType;
// These can be nullptr if not found.
mutable const VarDecl *StdinDecl;
mutable const VarDecl *StdoutDecl;
mutable const VarDecl *StderrDecl;
// These can be nullptr if not found.
mutable SymbolRef StdinSym;
mutable SymbolRef StdoutSym;
mutable SymbolRef StderrSym;
void evalFopen(const FnDescription *Desc, const CallEvent &Call, void evalFopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void preFreopen(const FnDescription *Desc, const CallEvent &Call, void preFreopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void evalFreopen(const FnDescription *Desc, const CallEvent &Call, void evalFreopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
▲ Show 20 LinesShow All 109 Lines▼ Show 20 Lines constructNoteTag(CheckerContext &C, SymbolRef StreamSym,
}); });
} }
/// Searches for the ExplodedNode where the file descriptor was acquired for /// Searches for the ExplodedNode where the file descriptor was acquired for
/// StreamSym. /// StreamSym.
static const ExplodedNode *getAcquisitionSite(const ExplodedNode *N, static const ExplodedNode *getAcquisitionSite(const ExplodedNode *N,
SymbolRef StreamSym, SymbolRef StreamSym,
CheckerContext &C); CheckerContext &C);
const VarDecl *findStdStreamDecl(StringRef StdName, CheckerContext &C) const;
}; };
} // end anonymous namespace } // end anonymous namespace
// This map holds the state of a stream.
// The stream is identified with a SymbolRef that is created when a stream
// opening function is modeled by the checker.
REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)
inline void assertStreamStateOpened(const StreamState *SS) { inline void assertStreamStateOpened(const StreamState *SS) {
assert(SS->isOpened() && assert(SS->isOpened() &&
"Previous create of error node for non-opened stream failed?"); "Previous create of error node for non-opened stream failed?");
} }
//===----------------------------------------------------------------------===//
// Methods of StreamChecker.
//===----------------------------------------------------------------------===//
const ExplodedNode *StreamChecker::getAcquisitionSite(const ExplodedNode *N, const ExplodedNode *StreamChecker::getAcquisitionSite(const ExplodedNode *N,
SymbolRef StreamSym, SymbolRef StreamSym,
CheckerContext &C) { CheckerContext &C) {
ProgramStateRef State = N->getState(); ProgramStateRef State = N->getState();
// When bug type is resource leak, exploded node N may not have state info // When bug type is resource leak, exploded node N may not have state info
// for leaked file descriptor, but predecessor should have it. // for leaked file descriptor, but predecessor should have it.
if (!State->get<StreamMap>(StreamSym)) if (!State->get<StreamMap>(StreamSym))
N = N->getFirstPred(); N = N->getFirstPred();
const ExplodedNode *Pred = N; const ExplodedNode *Pred = N;
while (N) { while (N) {
State = N->getState(); State = N->getState();
if (!State->get<StreamMap>(StreamSym)) if (!State->get<StreamMap>(StreamSym))
return Pred; return Pred;
Pred = N; Pred = N;
N = N->getFirstPred(); N = N->getFirstPred();
} }
return nullptr; return nullptr;
} }
//===----------------------------------------------------------------------===// const VarDecl *StreamChecker::findStdStreamDecl(StringRef StdName,
// Methods of StreamChecker. CheckerContext &C) const {
//===----------------------------------------------------------------------===// ASTContext &ACtx = C.getASTContext();
IdentifierInfo &II = ACtx.Idents.get(StdName);
martongUnsubmitted
Done
ReplyInline Actions

We should be careful, to cache the results (either here, or deeper in the call stack).
I mean, we certainly don't want to do a lookup of "stdin" every time a function is evaluated. We should do this lazily, only once.

martong: We should be careful, to cache the results (either here, or deeper in the call stack). I mean…
steakhalUnsubmitted
Done
ReplyInline Actions

I agree. We should do this only for the first top-level function, instead of doing this for every top-level function.

steakhal: I agree. We should do this only for the first top-level function, instead of doing this for…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I am not sure if the SymbolRef values are safe to store between top-level function analyses. The FILE type and std stream declarations are safe to cache, but the SymbolRef values of these variables probably not.

balazske: I am not sure if the `SymbolRef` values are safe to store between top-level function analyses.
steakhalUnsubmitted
Not Done
ReplyInline Actions

I think it should be safe. But place there an assert and run the test suite. If it won't trigger, that means that we have high confidentiality that this is safe. I know it's not 100%, but pretty close.

steakhal: I think it should be safe. But place there an assert and run the test suite. If it won't…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I tried to check if these SymbolRef's are the same at checkBeginFunction after initialized once. The assertion for equality failed sometimes, or other crash happened when dump was called on the value. So it looks not safe to cache these. And should we add assumptions about that these StdinSym, StdoutSym, StderrSym are not equal to each other?

balazske: I tried to check if these `SymbolRef`'s are the same at `checkBeginFunction` after initialized…
steakhalUnsubmitted
Not Done
ReplyInline Actions

Good to know. I don't think it's necessary to add assertions.

steakhal: Good to know. I don't think it's necessary to add assertions.
martongUnsubmitted
Not Done
ReplyInline Actions

Okay, so we should not cache the SymbolRefs then. But we must cache the VarDecls. I mean, we should avoid calling

StdinDecl = findStdStreamDecl("stdin", C);

more than once for each TU.

I think you could use and Optional for StdinDecl (and the others) to achieve this.

martong: Okay, so we should not cache the SymbolRefs then. But we must cache the VarDecls. I mean, we…
auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
for (Decl *D : LookupRes) {
steakhalUnsubmitted
Not Done
ReplyInline Actions
auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
- for (Decl *D : LookupRes) {
+ for (const Decl *D : LookupRes) {
D = D->getCanonicalDecl();
steakhal:
D = D->getCanonicalDecl();
if (!C.getSourceManager().isInSystemHeader(D->getLocation()))
continue;
if (auto *VD = dyn_cast<VarDecl>(D)) {
steakhalUnsubmitted
Not Done
ReplyInline Actions
continue;
- if (auto *VD = dyn_cast<VarDecl>(D)) {
+ if (const auto *VD = dyn_cast<VarDecl>(D)) {
if (FILEType && !ACtx.hasSameType(*FILEType, VD->getType()))
steakhal:
if (FILEType && !ACtx.hasSameType(*FILEType, VD->getType()))
continue;
return VD;
}
}
return nullptr;
}
void StreamChecker::checkBeginFunction(CheckerContext &C) const {
if (!C.inTopFrame())
return;
if (!StdStreamsInitialized) {
StdStreamsInitialized = true;
ast_lookup::LookupType LookupType(C.getASTContext());
ast_lookup::GetPointerTy GetPointer(C.getASTContext());
FILEType = GetPointer(LookupType("FILE"));
StdinDecl = findStdStreamDecl("stdin", C);
StdoutDecl = findStdStreamDecl("stdout", C);
StderrDecl = findStdStreamDecl("stderr", C);
}
StdinSym = getStdStreamSym(StdinDecl, C);
StdoutSym = getStdStreamSym(StdoutDecl, C);
StderrSym = getStdStreamSym(StderrDecl, C);
}
void StreamChecker::checkPreCall(const CallEvent &Call, void StreamChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const FnDescription *Desc = lookupFn(Call); const FnDescription *Desc = lookupFn(Call);
if (!Desc || !Desc->PreFn) if (!Desc || !Desc->PreFn)
return; return;
Desc->PreFn(this, Desc, Call, C); Desc->PreFn(this, Desc, Call, C);
} }
bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const { bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
const FnDescription *Desc = lookupFn(Call); const FnDescription *Desc = lookupFn(Call);
steakhalUnsubmitted
Not Done
ReplyInline Actions

This should be probably at the definition of StdinSym and getStdStreamSym().

steakhal: This should be probably at the definition of `StdinSym` and `getStdStreamSym()`.
if (!Desc && TestMode) if (!Desc && TestMode)
Desc = FnTestDescriptions.lookup(Call); Desc = FnTestDescriptions.lookup(Call);
if (!Desc || !Desc->EvalFn) if (!Desc || !Desc->EvalFn)
return false; return false;
Desc->EvalFn(this, Desc, Call, C); Desc->EvalFn(this, Desc, Call, C);
return C.isDifferent(); return C.isDifferent();
Show All 18 Linesvoid StreamChecker::evalFopen(const FnDescription *Desc, const CallEvent &Call,
std::tie(StateNotNull, StateNull) = std::tie(StateNotNull, StateNull) =
C.getConstraintManager().assumeDual(State, RetVal); C.getConstraintManager().assumeDual(State, RetVal);
StateNotNull = StateNotNull =
StateNotNull->set<StreamMap>(RetSym, StreamState::getOpened(Desc)); StateNotNull->set<StreamMap>(RetSym, StreamState::getOpened(Desc));
StateNull = StateNull =
StateNull->set<StreamMap>(RetSym, StreamState::getOpenFailed(Desc)); StateNull->set<StreamMap>(RetSym, StreamState::getOpenFailed(Desc));
SValBuilder &SVB = C.getSValBuilder();
steakhalUnsubmitted
Done
ReplyInline Actions

It might be a personal preference but I think lambdas should be pure in the sense that it takes something and produces something else.
Regardless of your choice, the trailing return type would highlight it.

steakhal: It might be a personal preference but I think lambdas should be pure in the sense that it takes…
auto AssumeRetValNotEq = [&SVB, RetVal](SymbolRef StdSym,
ProgramStateRef State) {
if (!StdSym)
return State;
steakhalUnsubmitted
Not Done
ReplyInline Actions

SValBuilder::getConditionType(), oh they are the same under the hood. We should still probably prefer this one instead.
It might worth hoisting C.getSValBuilder() to a local variable though.
The symbol for StdStream also deserves a separate variable IMO.

steakhal: `SValBuilder::getConditionType()`, oh they are the same under the hood. We should still…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

This lambda is possible to improve.

balazske: This lambda is possible to improve.
SVal StdVal = SVB.makeSymbolVal(StdSym);
SVal NotEqS =
SVB.evalBinOp(State, BO_NE, RetVal, StdVal, SVB.getConditionType());
DefinedOrUnknownSVal NotEqDef = NotEqS.castAs<DefinedOrUnknownSVal>();
steakhalUnsubmitted
Not Done
ReplyInline Actions

I think you should be fine with castAs(). I'm not expecting this to fail.

steakhal: I think you should be fine with `castAs()`. I'm not expecting this to fail.
return State->assume(NotEqDef, true);
};
StateNotNull = AssumeRetValNotEq(StdinSym, StateNotNull);
StateNotNull = AssumeRetValNotEq(StdoutSym, StateNotNull);
StateNotNull = AssumeRetValNotEq(StderrSym, StateNotNull);
C.addTransition(StateNotNull, C.addTransition(StateNotNull,
constructNoteTag(C, RetSym, {&BT_ResourceLeak})); constructNoteTag(C, RetSym, {&BT_ResourceLeak}));
C.addTransition(StateNull, constructNoteTag(C, RetSym, {&BT_FileNull})); C.addTransition(StateNull, constructNoteTag(C, RetSym, {&BT_FileNull}));
} }
void StreamChecker::preFreopen(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::preFreopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
// Do not allow NULL as passed stream pointer but allow a closed stream. // Do not allow NULL as passed stream pointer but allow a closed stream.
▲ Show 20 LinesShow All 619 Lines▼ Show 20 Lines
void ento::registerStreamTesterChecker(CheckerManager &Mgr) { void ento::registerStreamTesterChecker(CheckerManager &Mgr) {
auto *Checker = Mgr.getChecker<StreamChecker>(); auto *Checker = Mgr.getChecker<StreamChecker>();
Checker->TestMode = true; Checker->TestMode = true;
} }
bool ento::shouldRegisterStreamTesterChecker(const CheckerManager &Mgr) { bool ento::shouldRegisterStreamTesterChecker(const CheckerManager &Mgr) {
return true; return true;
} }
No newline at end of file

clang/test/Analysis/stream.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream,debug.ExprInspection -verify %s
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
void clang_analyzer_eval(int);
void check_fread() { void check_fread() {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
fread(0, 0, 0, fp); // expected-warning {{Stream pointer might be NULL}} fread(0, 0, 0, fp); // expected-warning {{Stream pointer might be NULL}}
fclose(fp); fclose(fp);
} }
void check_fwrite() { void check_fwrite() {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
▲ Show 20 LinesShow All 249 Lines▼ Show 20 Lines if (!F1)
return; return;
if (Test == 1) { if (Test == 1) {
return; // no warning return; // no warning
} }
rewind(F1); rewind(F1);
} // expected-warning {{Opened stream never closed. Potential resource leak}} } // expected-warning {{Opened stream never closed. Potential resource leak}}
// FIXME: This warning should be placed at the `return` above. // FIXME: This warning should be placed at the `return` above.
// See https://reviews.llvm.org/D83120 about details. // See https://reviews.llvm.org/D83120 about details.
void check_fopen_is_not_std() {
FILE *F = fopen("file", "r");
if (!F)
return;
clang_analyzer_eval(F != stdin); // expected-warning{{TRUE}}
clang_analyzer_eval(F != stdout); // expected-warning{{TRUE}}
clang_analyzer_eval(F != stderr); // expected-warning{{TRUE}}
steakhalUnsubmitted
Done
ReplyInline Actions

How about checking this way instead?

clang_analyzer_eval(F != stdin);  // TRUE
clang_analyzer_eval(F != stdout); // TRUE
clang_analyzer_eval(F != stderr); // TRUE
steakhal: How about checking this way instead? ```lang=C++ clang_analyzer_eval(F != stdin); // TRUE…
fclose(F);
}
void check_tmpfile_is_not_std() {
FILE *F = tmpfile();
if (!F)
return;
clang_analyzer_eval(F != stdin); // expected-warning{{TRUE}}
clang_analyzer_eval(F != stdout); // expected-warning{{TRUE}}
clang_analyzer_eval(F != stderr); // expected-warning{{TRUE}}
fclose(F);
}