This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
2/4
CheckerContext.cpp
-
unittests/StaticAnalyzer/
-
StaticAnalyzer/
-
CallDescriptionTest.cpp

Differential D118388

[analyzer] Restrict CallDescription fuzzy builtin matching
ClosedPublic

Authored by steakhal on Jan 27 2022, 9:13 AM.

Download Raw Diff

Details

Reviewers

NoQ
xazax.hun
martong
ASDenysPetrov
Szelethus

Commits

rGabc873694ff7: [analyzer] Restrict CallDescription fuzzy builtin matching

Summary

CallDescriptions for builtin functions relaxes the match rules
somewhat, so that the CallDescription will match for calls that have
some prefix or suffix. This was achieved by doing a StringRef::contains().
However, this is somewhat problematic for builtins that are substrings
of each other.

Consider the following:

CallDescription{ builtin, "memcpy"} will match for
__builtin_wmemcpy() calls, which is unfortunate.

This patch addresses/works around the issue by checking if the
characters around the function's name are not part of the 'name'
semantically. In other words, to accept a match for "memcpy" the call
should not have alphanumeric ([a-zA-Z]) characters around the 'match'.

So, CallDescription{ builtin, "memcpy"} will not match on:

__builtin_wmemcpy: there is a w alphanumeric character before the match.
__builtin_memcpyFOoBar_inline: there is a F character after the match.
__builtin_memcpyX_inline: there is an X character after the match.

But it will still match for:

memcpy: exact match
__builtin_memcpy: there is an _ before the match
__builtin_memcpy_inline: there is an _ after the match
memcpy_inline_builtinFooBar: there is an _ after the match

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

steakhal created this revision.Jan 27 2022, 9:13 AM

Herald added subscribers: manas, dkrupp, donat.nagy and 5 others. · View Herald TranscriptJan 27 2022, 9:13 AM

steakhal requested review of this revision.Jan 27 2022, 9:13 AM

Harbormaster completed remote builds in B146062: Diff 403693.Jan 27 2022, 12:14 PM

steakhal added inline comments.Jan 28 2022, 1:21 AM

clang/lib/StaticAnalyzer/Core/CheckerContext.cpp
58–80	`std::size_t`

NoQ added inline comments.Jan 28 2022, 11:35 AM

clang/lib/StaticAnalyzer/Core/CheckerContext.cpp
107–111	Do these need fixing as well? Though honestly I'd remove `isCLibraryFunction()` as an API entirely, people should just use `CallDescription` for everything.

Looks great overall!

This revision is now accepted and ready to land.Jan 28 2022, 11:35 AM

In D118388#3280439, @NoQ wrote:

Looks great overall!

Thanks!

clang/lib/StaticAnalyzer/Core/CheckerContext.cpp
107–111	Probably yes. I dont know how i missed this. I probably tunnel visioned too much. Btw CDs are calling back to this API. So unless we settle on the exact semantics for builtins we should keep it. Do you have anything specific in mind?

martong added inline comments.Feb 1 2022, 9:31 AM

clang/lib/StaticAnalyzer/Core/CheckerContext.cpp
107–111	Good catch! I am suggesting to move your new logic that replaces `contains` into a member function (or lambda?) and then use that in the remaining two cases.

This revision was landed with ongoing or failed builds.Feb 11 2022, 1:45 AM

Closed by commit rGabc873694ff7: [analyzer] Restrict CallDescription fuzzy builtin matching (authored by steakhal). · Explain Why

This revision was automatically updated to reflect the committed changes.

steakhal added a commit: rGabc873694ff7: [analyzer] Restrict CallDescription fuzzy builtin matching.

Herald added a project: Restricted Project. · View Herald TranscriptFeb 11 2022, 1:45 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

I decided to land it as-is.
I tried to refactor the rest of the isCLibraryFunction() to reuse the new detection logic, but I run into issues by doing that.
BTW I'm not sure if we should support anything besides the builtins defined in clang/include/clang/Basic/Builtins*.def files.
Given that the parser should recognize these and use the appropriate Builtin for the FunctionDecl, getBuiltinID() should return the given ID.
Anyway. I decided to take it slowly and fix only the issue causing the crashes.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Core/

CheckerContext.cpp

25 lines

unittests/

StaticAnalyzer/

CallDescriptionTest.cpp

54 lines

Diff 407809

clang/lib/StaticAnalyzer/Core/CheckerContext.cpp

Show First 20 Lines • Show All 49 Lines • ▼ Show 20 Lines	bool CheckerContext::isCLibraryFunction(const FunctionDecl *FD,
// To avoid false positives (Ex: finding user defined functions with		// To avoid false positives (Ex: finding user defined functions with
// similar names), only perform fuzzy name matching when it's a builtin.		// similar names), only perform fuzzy name matching when it's a builtin.
// Using a string compare is slow, we might want to switch on BuiltinID here.		// Using a string compare is slow, we might want to switch on BuiltinID here.
unsigned BId = FD->getBuiltinID();		unsigned BId = FD->getBuiltinID();
if (BId != 0) {		if (BId != 0) {
if (Name.empty())		if (Name.empty())
return true;		return true;
StringRef BName = FD->getASTContext().BuiltinInfo.getName(BId);		StringRef BName = FD->getASTContext().BuiltinInfo.getName(BId);
if (BName.contains(Name))		size_t start = BName.find(Name);
		if (start != StringRef::npos) {
		// Accept exact match.
		if (BName.size() == Name.size())
		return true;

		// v-- match starts here
		// ...xxxxx...
		// _xxxxx_
		// ^ ^ lookbehind and lookahead characters

		const auto MatchPredecessor = [=]() -> bool {
		return start <= 0 \|\| !llvm::isAlpha(BName[start - 1]);
		};
		const auto MatchSuccessor = [=]() -> bool {
		std::size_t LookbehindPlace = start + Name.size();
		return LookbehindPlace >= BName.size() \|\|
		!llvm::isAlpha(BName[LookbehindPlace]);
		};

		if (MatchPredecessor() && MatchSuccessor())
return true;		return true;
}		}
		steakhalAuthorUnsubmitted Done Reply Inline Actions `std::size_t` steakhal: `std::size_t`
		}

const IdentifierInfo *II = FD->getIdentifier();		const IdentifierInfo *II = FD->getIdentifier();
// If this is a special C++ name without IdentifierInfo, it can't be a		// If this is a special C++ name without IdentifierInfo, it can't be a
// C library function.		// C library function.
if (!II)		if (!II)
return false;		return false;

// Look through 'extern "C"' and anything similar invented in the future.		// Look through 'extern "C"' and anything similar invented in the future.
Show All 9 Lines	bool CheckerContext::isCLibraryFunction(const FunctionDecl *FD,

if (Name.empty())		if (Name.empty())
return true;		return true;

StringRef FName = II->getName();		StringRef FName = II->getName();
if (FName.equals(Name))		if (FName.equals(Name))
return true;		return true;

if (FName.startswith("__inline") && FName.contains(Name))		if (FName.startswith("__inline") && FName.contains(Name))
return true;		return true;

if (FName.startswith("__") && FName.endswith("_chk") && FName.contains(Name))		if (FName.startswith("__") && FName.endswith("_chk") && FName.contains(Name))
return true;		return true;
		NoQUnsubmitted Not Done Reply Inline Actions Do these need fixing as well? Though honestly I'd remove `isCLibraryFunction()` as an API entirely, people should just use `CallDescription` for everything. NoQ: Do these need fixing as well? Though honestly I'd remove `isCLibraryFunction()` as an API…
		steakhalAuthorUnsubmitted Done Reply Inline Actions Probably yes. I dont know how i missed this. I probably tunnel visioned too much. Btw CDs are calling back to this API. So unless we settle on the exact semantics for builtins we should keep it. Do you have anything specific in mind? steakhal: Probably yes. I dont know how i missed this. I probably tunnel visioned too much. Btw CDs are…
		martongUnsubmitted Not Done Reply Inline Actions Good catch! I am suggesting to move your new logic that replaces `contains` into a member function (or lambda?) and then use that in the remaining two cases. martong: Good catch! I am suggesting to move your new logic that replaces `contains` into a member…

return false;		return false;
}		}

StringRef CheckerContext::getMacroNameOrSpelling(SourceLocation &Loc) {		StringRef CheckerContext::getMacroNameOrSpelling(SourceLocation &Loc) {
if (Loc.isMacroID())		if (Loc.isMacroID())
return Lexer::getImmediateMacroName(Loc, getSourceManager(),		return Lexer::getImmediateMacroName(Loc, getSourceManager(),
getLangOpts());		getLangOpts());
Show All 36 Lines

clang/unittests/StaticAnalyzer/CallDescriptionTest.cpp

Show First 20 Lines • Show All 481 Lines • ▼ Show 20 Lines	TEST(CallDescription, MatchBuiltins) {
EXPECT_TRUE(tooling::runToolOnCode(		EXPECT_TRUE(tooling::runToolOnCode(
std::unique_ptr<FrontendAction>(new CallDescriptionAction<>(		std::unique_ptr<FrontendAction>(new CallDescriptionAction<>(
{{{"memset", 3}, false}, {{CDF_MaybeBuiltin, "memset", 3}, true}})),		{{{"memset", 3}, false}, {{CDF_MaybeBuiltin, "memset", 3}, true}})),
"void foo() {"		"void foo() {"
" int x;"		" int x;"
" __builtin___memset_chk(&x, 0, sizeof(x),"		" __builtin___memset_chk(&x, 0, sizeof(x),"
" __builtin_object_size(&x, 0));"		" __builtin_object_size(&x, 0));"
"}"));		"}"));

		{
		SCOPED_TRACE("multiple similar builtins");
		EXPECT_TRUE(tooling::runToolOnCode(
		std::unique_ptr<FrontendAction>(new CallDescriptionAction<>(
		{{{CDF_MaybeBuiltin, "memcpy", 3}, false},
		{{CDF_MaybeBuiltin, "wmemcpy", 3}, true}})),
		R"(void foo(wchar_t x, wchar_t y) {
		__builtin_wmemcpy(x, y, sizeof(wchar_t));
		})"));
		}
		{
		SCOPED_TRACE("multiple similar builtins reversed order");
		EXPECT_TRUE(tooling::runToolOnCode(
		std::unique_ptr<FrontendAction>(new CallDescriptionAction<>(
		{{{CDF_MaybeBuiltin, "wmemcpy", 3}, true},
		{{CDF_MaybeBuiltin, "memcpy", 3}, false}})),
		R"(void foo(wchar_t x, wchar_t y) {
		__builtin_wmemcpy(x, y, sizeof(wchar_t));
		})"));
		}
		{
		SCOPED_TRACE("lookbehind and lookahead mismatches");
		EXPECT_TRUE(tooling::runToolOnCode(
		std::unique_ptr<FrontendAction>(
		new CallDescriptionAction<>({{{CDF_MaybeBuiltin, "func"}, false}})),
		R"(
		void funcXXX();
		void XXXfunc();
		void XXXfuncXXX();
		void test() {
		funcXXX();
		XXXfunc();
		XXXfuncXXX();
		})"));
		}
		{
		SCOPED_TRACE("lookbehind and lookahead matches");
		EXPECT_TRUE(tooling::runToolOnCode(
		std::unique_ptr<FrontendAction>(
		new CallDescriptionAction<>({{{CDF_MaybeBuiltin, "func"}, true}})),
		R"(
		void func();
		void func_XXX();
		void XXX_func();
		void XXX_func_XXX();

		void test() {
		func(); // exact match
		func_XXX();
		XXX_func();
		XXX_func_XXX();
		})"));
		}
}		}

} // namespace		} // namespace
} // namespace ento		} // namespace ento
} // namespace clang		} // namespace clang