This is an archive of the discontinued LLVM Phabricator instance.

Differential D120310

[clang][analyzer] Add modeling of 'errno'.
ClosedPublic

Authored by balazske on Feb 22 2022, 1:08 AM.

Details

Reviewers
Szelethus
NoQ
steakhal
martong
Commits
rGd8a2afb244da: [clang][analyzer] Add modeling of 'errno'.
rG29b512ba322c: [clang][analyzer] Add modeling of 'errno'.
Summary

Add a checker to maintain the system-defined value 'errno'.
The value is supposed to be set in the future by existing or
new checkers that evaluate errno-modifying function calls.

Diff Detail

Event Timeline

balazske created this revision.Feb 22 2022, 1:08 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptFeb 22 2022, 1:08 AM
Herald added subscribers: steakhal, ASDenysPetrov, martong and 10 others. · View Herald Transcript
balazske requested review of this revision.Feb 22 2022, 1:08 AM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 22 2022, 1:08 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
balazske added reviewers: NoQ, steakhal, martong.Feb 22 2022, 1:16 AM

Documentation not added yet.

Herald added subscribers: ormris, rnkovacs. · View Herald TranscriptFeb 22 2022, 1:16 AM
Harbormaster completed remote builds in B150826: Diff 410471.Feb 22 2022, 1:40 AM
steakhal added a comment.Feb 22 2022, 7:56 AM

Good start!

However, I'm not a big fan of coupling the testing checker with the actual modeling checker.
IMO we should have a distinct checker, similarly to TaintTester. That way you could do even fancier things like:
define mylib_may_fail(), bifurcate and return true for the success case, on which it wouldn't touch errno; and on the failure case return false and set the errno to some concrete value that we could check against.

But I'm also fine with the current approach, providing the set_errno(SVal) introspection function.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
767–769

At this point, I'm not even sure if we should assert any of these.

1378
clang/lib/StaticAnalyzer/Checkers/Errno.h
22 ↗(On Diff #410471)

I think we can settle on something better. What about calling it simply errno?

24–26 ↗(On Diff #410471)

I don't think we need this.
In getErrnoValue() we should simply return UnknownVal if we don't have 'errno.
And in setErrnoValue() we should return the incoming State unmodified.

THat being said, only a top-level Check::BeginFunction callback could see an 'errno' uninitialized, which I don't think is a real issue.
All the rest of the callbacks would run after it's initialized, thus would behave as expected.
And in case the translation unit doesn't have nor 'errno' variable nor 'errno_location_ish' functions, ignoring these set/get functions is actually the expected behavior.

Having to check isErrnoAvailable() would be really an anti-pattern.

clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
32 ↗(On Diff #410471)

Why don't you use StringRef here as well?

35 ↗(On Diff #410471)

compiler-rt/lib/sanitizer_common/sanitizer_errno.h has a list of the possible names for this API.:
__error, __errno, ___errno, _errno or __errno_location

That being said, you should eval::Call all of these, and bind the return value to the memorized errno region.
At this point, this should be a CallDescriptionSet within the checker.

60 ↗(On Diff #410471)

For function definitions, we should use static instead of anonymous namespaces.
That being said, I don't think inline will do anything in this context.

66 ↗(On Diff #410471)

I would expect a comment stating that:

  • We inspect if we have a VarDecl naming "errno", it returns that Decl.
  • Otherwise, it will look for some common errno_location function names and return that Decl.
88 ↗(On Diff #410471)

I think you can hoist these lambdas into static functions.
This handler is already big enough.

99 ↗(On Diff #410471)

I don't think any of these actually return the canonic versions.

118 ↗(On Diff #410471)

Ah, I've seen and done these reinterpret casts.
Could you please check why don't we have a partial specialization allowing any const pointers besides void pointers?
That way it would look much better.

134 ↗(On Diff #410471)
146–149 ↗(On Diff #410471)

You should sink these lines to the corresponding branches.

180–181 ↗(On Diff #410471)

Fuse these two lines.

clang/test/Analysis/Inputs/errno_var.h
4
clang/test/Analysis/errno.c
23

Please call a different function, which is definitely not from glibc.
We might model this in the future using eval::Call in which case no invalidation will happen breaking the test.

clang/test/Analysis/global-region-invalidation.c
7

If you were eval::Calling the errno_location functions, and used the corresponding header, would the tests pass?

ormris removed a subscriber: ormris.Feb 22 2022, 9:59 AM
NoQ added inline comments.Feb 23 2022, 1:17 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
767–769

I mean, ideally this should be just UnknownSpaceRegion. For everything else we should have made a fresh MemRegion class. It is absurd that the same numeric address value (represented the symbol s) can correspond to two (now three) different locations in memory.

clang/lib/StaticAnalyzer/Checkers/Errno.h
24–26 ↗(On Diff #410471)

UnknownVal implies that it's an actual value but we don't know which one. If the value doesn't exist we shouldn't use it. And if the user doesn't include the appropriate header then the value really doesn't exist in the translation unit. So flavor-wise I think we shouldn't use UnknownVal here; I'd rather have an Optional<SVal>.

Other than that, yeah, I think this is a good suggestion.

clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
32 ↗(On Diff #410471)

There's that rule against static constructors/destructors. We should use a lot of constexpr in these situations and/or try to turn these structures into plain C arrays as much as possible.

66 ↗(On Diff #410471)

Ok so the first part of the function (identifying how the system headers represent errno) depends entirely on the AST right? In this case you can probably perform the AST scan only once during checkASTDecl<TranslationUnitDecl> and stash the result in a global variable. It shouldn't be re-run on every analysis. So whatever you do with isErrnoAvailable(), it shouldn't accept ProgramStateRef at all, it can simply query that global variable. You'll still need the state trait because SVal objects only make sense within a single analysis but the AST scan can be made only once.

134 ↗(On Diff #410471)

This is literally the first step of the analysis. The block count is known.

What I really want to see here is a non-trivial custom tag (i.e., the const void *symbolTag parameter on some of the overloads of conjureSymbolVal()) to make sure this symbol isn't treated as a duplicate of any other symbol some other checker conjures initially. Like all tags, you can initialize it with some address of some checker-static variable.

steakhal added inline comments.Feb 23 2022, 3:48 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
767–769

From my perspective, a symbolic region is just a region that we don't know what its parent region is - let it be part of an object or an entire memory space.
The memory space is what we use for communicating some constraints on where that symbolic region.
E.g. a symbolic region of a stack memory space should never alias with any memory region of the heap memory space.

It is absurd that the same numeric address value (represented the symbol s) can correspond to two (now three) different locations in memory.

IMO a given s should indeed refer to a single location in memory, but that's not a property we can enforce here in the constructor.
And my guess is that by removing this assertion, we would still have this invariant. What we should do instead, put an assertion into the SymbolManager, to enforce that with the same s symbol, one cannot construct two SymbolicRegions with different memory spaces.
Alternatively, we could remove the memory space from the Profile to map to the same entity in the Map; which would enforce this invariant on its own. WDYT?

clang/lib/StaticAnalyzer/Checkers/Errno.h
24–26 ↗(On Diff #410471)

Yeah, probably the Optional is a better alternative.

However, I'd like to explain my reasoning behind my previous suggestion:
Unknown can/should model any values that the analyzer cannot currently reason about: e.g. floating-point numbers.
In this case, we cannot reason about the errno, thus I recommended it.

My point is, that we shouldn't regress our API for a marginal problem. And according to my reasoning, this seems to be a marginal issue.
Using Optional here is better than the current implementation, but not by much.
It would still result in a suboptimal coding pattern, where we guard each access to get/set errno by an if statement. In the cases where we would use the getOr() getter, I'm expecting to see the users pass the UnknownVal() as the fallback value in most cases anyway.

clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
32 ↗(On Diff #410471)

Ah, I see, thanks!

134 ↗(On Diff #410471)

I would still use the C.blockCount() to make it more in-line with the rest of the uses of conjureSymbol().

balazske updated this revision to Diff 410824.Feb 23 2022, 7:39 AM
balazske marked 7 inline comments as done.

Addressed a part of the review comments.
The test checker is now a separate checker.
Initialization is simplified, checkASTDecl is used.

balazske added inline comments.Feb 23 2022, 7:44 AM
clang/lib/StaticAnalyzer/Checkers/Errno.h
22 ↗(On Diff #410471)

Just errno may not work because it collides with the "real" errno (that is a macro).

24–26 ↗(On Diff #410471)

These work now if no ErrnoRegion is available. Returning Optional seems not better than a required check before the call. I think the current version is not the best: It can be possible to make assumptions using assume on the returned SVal value, but this must not be done on a non-existing errno value. For this case probably isErrnoAvailable is required to be used.

The isErrnoAvailable can be useful for a checker that does special things only if there is a working errno modeling.

clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
35 ↗(On Diff #410471)

The list is needed to build CallDescriptions and to lookup the errno location function. A CallDescriptionSet can not be used to get the function names from it. Is there a way to build a initializer_list of CallDescription objects in compile time (from a string array)?

99 ↗(On Diff #410471)

ACtx.IntTy and value from getPointerType should be canonical (it is a CanQualType).

balazske marked 6 inline comments as done.Feb 23 2022, 7:56 AM
Harbormaster completed remote builds in B151064: Diff 410824.Feb 23 2022, 8:11 AM
steakhal added inline comments.Feb 23 2022, 8:13 AM
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
351–353

I think ErrnoModeling would be more appropriate.

1564–1567

If this is the case, it should have a Dependency<Errno>

clang/lib/StaticAnalyzer/Checkers/Errno.h
22 ↗(On Diff #410471)

Ah, I see. Ugly macros!
Then why not simply leave it in the clang::ento namespace?

clang/lib/StaticAnalyzer/Core/MemRegion.cpp
1155–1156

I would recommend removing this comment alltogether.
The header is already annotated, by the time this will get out-of-sync anyway.

clang/test/Analysis/errno.c
16–22

Fun fact, I think you can #include ERRNO_HEADER, if you pass the -DERRNO_HEADER=\"Inputs/errno_var.h\" :D

NoQ added inline comments.Feb 23 2022, 7:40 PM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
767–769

The memory space is what we use for communicating some constraints on where that symbolic region.

I agree that it's a constraint. And as such, I believe it shouldn't be made part of the region's identity. Just like "$x < 5" is not a field inside symbol $x but a separate state trait. Similarly we can turn SymbolicRegion's memory space constraint into a state trait. Then we can express more sophisticated constraints ("this symbolic region is either on the heap or a global variable but definitely not a local variable"), or we can have constraints become more precise over time ("this symbolic region was compared as "less than" another heap region, therefore it itself must be on the heap").

What we should do instead, put an assertion into the SymbolManager, to enforce that with the same s symbol, one cannot construct two SymbolicRegions with different memory spaces.

This could be a nice temporary solution.

balazske updated this revision to Diff 411131.Feb 24 2022, 7:40 AM

Improved the tests.

balazske marked 4 inline comments as done.Feb 24 2022, 7:46 AM
balazske added inline comments.
clang/test/Analysis/global-region-invalidation.c
7

It is now executed wit both versions.

balazske retitled this revision from [clang][analyzer] Add modeling of 'errno' (work-in-progress). to [clang][analyzer] Add modeling of 'errno'..Feb 24 2022, 7:46 AM
balazske edited the summary of this revision. (Show Details)
Harbormaster completed remote builds in B151279: Diff 411131.Feb 24 2022, 8:11 AM
balazske updated this revision to Diff 411149.Feb 24 2022, 8:50 AM
balazske marked 3 inline comments as done.
balazske edited the summary of this revision. (Show Details)

Changed name of the checker to ErrnoModeling, other small cleanup.

Harbormaster completed remote builds in B151293: Diff 411149.Feb 24 2022, 9:41 AM
NoQ accepted this revision.Feb 24 2022, 10:40 AM

The patch looks great to me now. As soon as you address comments about isErrnoAvailable() (at least, the parameter can now be removed), I think you can commit.

This revision is now accepted and ready to land.Feb 24 2022, 10:40 AM
balazske updated this revision to Diff 411340.Feb 25 2022, 12:27 AM

Removed isErrnoAvailable, added test for getErrnoValue.

balazske marked an inline comment as done.Feb 25 2022, 12:28 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/Errno.h
22 ↗(On Diff #410471)

It is better to have separate namespaces for the different inter-checker API's. Probably more functions will be added later to the errno_modeling.

24–26 ↗(On Diff #410471)

I have removed now isErrnoAvailable and the get function returns Optional. I am not sure if this is the best option, if more functions will be added (to get the errno location, and get and set an "errno state").

steakhal accepted this revision.Feb 25 2022, 12:36 AM

Looks great, thanks.

Harbormaster completed remote builds in B151429: Diff 411340.Feb 25 2022, 12:47 AM
balazske updated this revision to Diff 411363.Feb 25 2022, 2:51 AM

Fixed remaining problems.

Harbormaster completed remote builds in B151445: Diff 411363.Feb 25 2022, 3:22 AM
This revision was landed with ongoing or failed builds.Feb 25 2022, 3:44 AM
Closed by commit rG29b512ba322c: [clang][analyzer] Add modeling of 'errno'. (authored by balazske). · Explain Why
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rG29b512ba322c: [clang][analyzer] Add modeling of 'errno'..
aaron.ballman added a reverting change: rGf9e8e92cf586: Revert "[clang][analyzer] Add modeling of 'errno'.".Feb 25 2022, 4:21 AM
aaron.ballman added a subscriber: aaron.ballman.Feb 25 2022, 4:22 AM

Hello! I had to revert in f9e8e92cf586d9cf077139a338f062a91b8ce2d2 because this broke all of the builds on Windows. Here are some sample failures:

https://lab.llvm.org/buildbot/#/builders/86/builds/30183
https://lab.llvm.org/buildbot/#/builders/216/builds/488

balazske reopened this revision.Feb 25 2022, 6:13 AM
This revision is now accepted and ready to land.Feb 25 2022, 6:13 AM
balazske updated this revision to Diff 411398.Feb 25 2022, 6:14 AM

Rename of "Errno.h", maybe fixes Windows build problem.

Harbormaster completed remote builds in B151470: Diff 411398.Feb 25 2022, 6:56 AM
steakhal added a comment.Feb 25 2022, 7:14 AM

according to the pre-merge checks it still fails on windows and Debian.
https://buildkite.com/llvm-project/premerge-checks/builds/81130#ce8f3062-699e-4043-aed9-b891ec8ebee6
https://buildkite.com/llvm-project/premerge-checks/builds/81130#53beb4a2-2c53-4ff0-b60f-6130ed5d25cd

********************
Failed Tests (3):
  Clang :: Analysis/errno.c
  Clang :: Analysis/global-region-invalidation.c
  Clang :: Driver/hip-link-bundle-archive.hip
 
Testing Time: 836.49s
  Skipped          :     3
  Unsupported      :   201
  Passed           : 29682
  Expectedly Failed:    31
  Failed           :     3
balazske added a comment.Feb 25 2022, 7:52 AM

The "hip-link-bundle-archive" test looks really unrelated, the others are fixed if we go back to -DERRNO_VAR (no " characters in command line, and probably / does not work too). There are Debian build errors but these look unrelated(?).

balazske updated this revision to Diff 411421.Feb 25 2022, 8:04 AM

Another try to fix the test failures, rebased to current main.

steakhal added a comment.Feb 25 2022, 8:15 AM
In D120310#3345696, @balazske wrote:

The "hip-link-bundle-archive" test looks really unrelated, the others are fixed if we go back to -DERRNO_VAR (no " characters in command line, and probably / does not work too). There are Debian build errors but these look unrelated(?).

I think its the forward slashes.

We could workaround the issue by adding this line to the test files: // REQUIRES: system-linux

Harbormaster completed remote builds in B151482: Diff 411421.Feb 25 2022, 8:42 AM
balazske updated this revision to Diff 411750.Feb 28 2022, 12:49 AM

Removed the static variable.

Herald added a subscriber: manas. · View Herald TranscriptFeb 28 2022, 12:49 AM
Harbormaster completed remote builds in B151718: Diff 411750.Feb 28 2022, 1:30 AM
balazske added a comment.Feb 28 2022, 5:14 AM

The current build errors are probably not related, the Windows test failure shows up in other differential objects.

This revision was landed with ongoing or failed builds.Feb 28 2022, 11:22 PM
Closed by commit rGd8a2afb244da: [clang][analyzer] Add modeling of 'errno'. (authored by balazske). · Explain Why
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rGd8a2afb244da: [clang][analyzer] Add modeling of 'errno'..
kwk mentioned this in D125005: Make standalone-build-x86_64 a standalone builder.May 5 2022, 5:10 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
9 lines
Core/
PathSensitive/
7 lines
lib/
StaticAnalyzer/
Checkers/
2 lines
39 lines
249 lines
120 lines
Core/
9 lines
test/
Analysis/
Inputs/
5 lines
5 lines
3 lines
1 line
63 lines
49 lines
31 lines
1 line

Diff 411980

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 342 Lines▼ Show 20 Lines
} // end "nullability" } // end "nullability"
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// APIModeling. // APIModeling.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
let ParentPackage = APIModeling in { let ParentPackage = APIModeling in {
def ErrnoModeling : Checker<"Errno">,
HelpText<"Make the special value 'errno' available to other checkers.">,
Documentation<NotDocumented>;
steakhalUnsubmitted
Done
ReplyInline Actions

I think ErrnoModeling would be more appropriate.

steakhal: I think `ErrnoModeling` would be more appropriate.
def StdCLibraryFunctionsChecker : Checker<"StdCLibraryFunctions">, def StdCLibraryFunctionsChecker : Checker<"StdCLibraryFunctions">,
HelpText<"Improve modeling of the C standard library functions">, HelpText<"Improve modeling of the C standard library functions">,
// Uninitialized value check is a mandatory dependency. This Checker asserts // Uninitialized value check is a mandatory dependency. This Checker asserts
// that arguments are always initialized. // that arguments are always initialized.
Dependencies<[CallAndMessageModeling]>, Dependencies<[CallAndMessageModeling]>,
CheckerOptions<[ CheckerOptions<[
CmdLineOption<Boolean, CmdLineOption<Boolean,
"DisplayLoadedSummaries", "DisplayLoadedSummaries",
▲ Show 20 LinesShow All 1,192 Lines▼ Show 20 Lines
// the chore needed to create a modeling portion on its own. Since this checker // the chore needed to create a modeling portion on its own. Since this checker
// is for development purposes only anyways, make sure that StreamChecker is // is for development purposes only anyways, make sure that StreamChecker is
// also enabled, at least for the time being. // also enabled, at least for the time being.
def StreamTesterChecker : Checker<"StreamTester">, def StreamTesterChecker : Checker<"StreamTester">,
HelpText<"Add test functions to StreamChecker for test and debugging " HelpText<"Add test functions to StreamChecker for test and debugging "
"purposes.">, "purposes.">,
Documentation<NotDocumented>; Documentation<NotDocumented>;
def ErrnoTesterChecker : Checker<"ErrnoTest">,
HelpText<"Check modeling aspects of 'errno'.">,
Dependencies<[ErrnoModeling]>,
Documentation<NotDocumented>;
steakhalUnsubmitted
Done
ReplyInline Actions

If this is the case, it should have a Dependency<Errno>

steakhal: If this is the case, it should have a `Dependency<Errno>`
def ExprInspectionChecker : Checker<"ExprInspection">, def ExprInspectionChecker : Checker<"ExprInspection">,
HelpText<"Check the analyzer's understanding of expressions">, HelpText<"Check the analyzer's understanding of expressions">,
Documentation<NotDocumented>; Documentation<NotDocumented>;
def ExplodedGraphViewer : Checker<"ViewExplodedGraph">, def ExplodedGraphViewer : Checker<"ViewExplodedGraph">,
HelpText<"View Exploded Graphs using GraphViz">, HelpText<"View Exploded Graphs using GraphViz">,
Documentation<NotDocumented>; Documentation<NotDocumented>;
▲ Show 20 LinesShow All 137 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h

Show First 20 LinesShow All 758 Lines▼ Show 20 Linesclass SymbolicRegion : public SubRegion {
SymbolicRegion(const SymbolRef s, const MemSpaceRegion *sreg) SymbolicRegion(const SymbolRef s, const MemSpaceRegion *sreg)
: SubRegion(sreg, SymbolicRegionKind), sym(s) { : SubRegion(sreg, SymbolicRegionKind), sym(s) {
// Because pointer arithmetic is represented by ElementRegion layers, // Because pointer arithmetic is represented by ElementRegion layers,
// the base symbol here should not contain any arithmetic. // the base symbol here should not contain any arithmetic.
assert(s && isa<SymbolData>(s)); assert(s && isa<SymbolData>(s));
assert(s->getType()->isAnyPointerType() || assert(s->getType()->isAnyPointerType() ||
s->getType()->isReferenceType() || s->getType()->isReferenceType() ||
s->getType()->isBlockPointerType()); s->getType()->isBlockPointerType());
assert(isa<UnknownSpaceRegion>(sreg) || isa<HeapSpaceRegion>(sreg)); assert(isa<UnknownSpaceRegion>(sreg) || isa<HeapSpaceRegion>(sreg) ||
isa<GlobalSystemSpaceRegion>(sreg));
} }
steakhalUnsubmitted
Not Done
ReplyInline Actions

At this point, I'm not even sure if we should assert any of these.

steakhal: At this point, I'm not even sure if we should assert any of these.
NoQUnsubmitted
Not Done
ReplyInline Actions

I mean, ideally this should be just UnknownSpaceRegion. For everything else we should have made a fresh MemRegion class. It is absurd that the same numeric address value (represented the symbol s) can correspond to two (now three) different locations in memory.

NoQ: I mean, ideally this should be just `UnknownSpaceRegion`. For everything else we should have…
steakhalUnsubmitted
Not Done
ReplyInline Actions

From my perspective, a symbolic region is just a region that we don't know what its parent region is - let it be part of an object or an entire memory space.
The memory space is what we use for communicating some constraints on where that symbolic region.
E.g. a symbolic region of a stack memory space should never alias with any memory region of the heap memory space.

It is absurd that the same numeric address value (represented the symbol s) can correspond to two (now three) different locations in memory.

IMO a given s should indeed refer to a single location in memory, but that's not a property we can enforce here in the constructor.
And my guess is that by removing this assertion, we would still have this invariant. What we should do instead, put an assertion into the SymbolManager, to enforce that with the same s symbol, one cannot construct two SymbolicRegions with different memory spaces.
Alternatively, we could remove the memory space from the Profile to map to the same entity in the Map; which would enforce this invariant on its own. WDYT?

steakhal: From my perspective, a symbolic region is just a region that we don't know what its parent…
NoQUnsubmitted
Not Done
ReplyInline Actions

The memory space is what we use for communicating some constraints on where that symbolic region.

I agree that it's a constraint. And as such, I believe it shouldn't be made part of the region's identity. Just like "$x < 5" is not a field inside symbol $x but a separate state trait. Similarly we can turn SymbolicRegion's memory space constraint into a state trait. Then we can express more sophisticated constraints ("this symbolic region is either on the heap or a global variable but definitely not a local variable"), or we can have constraints become more precise over time ("this symbolic region was compared as "less than" another heap region, therefore it itself must be on the heap").

What we should do instead, put an assertion into the SymbolManager, to enforce that with the same s symbol, one cannot construct two SymbolicRegions with different memory spaces.

This could be a nice temporary solution.

NoQ: > The memory space is what we use for communicating some constraints on where that symbolic…
public: public:
SymbolRef getSymbol() const { return sym; } SymbolRef getSymbol() const { return sym; }
bool isBoundable() const override { return true; } bool isBoundable() const override { return true; }
void Profile(llvm::FoldingSetNodeID& ID) const override; void Profile(llvm::FoldingSetNodeID& ID) const override;
▲ Show 20 LinesShow All 592 Lines▼ Show 20 Linespublic:
getCompoundLiteralRegion(const CompoundLiteralExpr *CL, getCompoundLiteralRegion(const CompoundLiteralExpr *CL,
const LocationContext *LC); const LocationContext *LC);
/// getCXXThisRegion - Retrieve the [artificial] region associated with the /// getCXXThisRegion - Retrieve the [artificial] region associated with the
/// parameter 'this'. /// parameter 'this'.
const CXXThisRegion *getCXXThisRegion(QualType thisPointerTy, const CXXThisRegion *getCXXThisRegion(QualType thisPointerTy,
const LocationContext *LC); const LocationContext *LC);
/// Retrieve or create a "symbolic" memory region. /// Retrieve or create a "symbolic" memory region.
steakhalUnsubmitted
Done
ReplyInline Actions
const LocationContext *LC);
/// Retrieve or create a "symbolic" memory region.
+ /// If no memory regions specified, `UnknownSpaceRegion` will be used.
const SymbolicRegion *
steakhal:
const SymbolicRegion* getSymbolicRegion(SymbolRef Sym); /// If no memory space is specified, `UnknownSpaceRegion` will be used.
const SymbolicRegion *
getSymbolicRegion(SymbolRef Sym, const MemSpaceRegion *MemSpace = nullptr);
/// Return a unique symbolic region belonging to heap memory space. /// Return a unique symbolic region belonging to heap memory space.
const SymbolicRegion *getSymbolicHeapRegion(SymbolRef sym); const SymbolicRegion *getSymbolicHeapRegion(SymbolRef sym);
const StringRegion *getStringRegion(const StringLiteral *Str); const StringRegion *getStringRegion(const StringLiteral *Str);
const ObjCStringRegion *getObjCStringRegion(const ObjCStringLiteral *Str); const ObjCStringRegion *getObjCStringRegion(const ObjCStringLiteral *Str);
▲ Show 20 LinesShow All 179 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show All 34 Linesadd_clang_library(clangStaticAnalyzerCheckers
DebugIteratorModeling.cpp DebugIteratorModeling.cpp
DeleteWithNonVirtualDtorChecker.cpp DeleteWithNonVirtualDtorChecker.cpp
DereferenceChecker.cpp DereferenceChecker.cpp
DirectIvarAssignment.cpp DirectIvarAssignment.cpp
DivZeroChecker.cpp DivZeroChecker.cpp
DynamicTypePropagation.cpp DynamicTypePropagation.cpp
DynamicTypeChecker.cpp DynamicTypeChecker.cpp
EnumCastOutOfRangeChecker.cpp EnumCastOutOfRangeChecker.cpp
ErrnoModeling.cpp
ErrnoTesterChecker.cpp
ExprInspectionChecker.cpp ExprInspectionChecker.cpp
FixedAddressChecker.cpp FixedAddressChecker.cpp
FuchsiaHandleChecker.cpp FuchsiaHandleChecker.cpp
GCDAntipatternChecker.cpp GCDAntipatternChecker.cpp
GenericTaintChecker.cpp GenericTaintChecker.cpp
GTestChecker.cpp GTestChecker.cpp
IdenticalExprChecker.cpp IdenticalExprChecker.cpp
InnerPointerChecker.cpp InnerPointerChecker.cpp
▲ Show 20 LinesShow All 96 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h

  • This file was added.
//=== ErrnoModeling.h - Tracking value of 'errno'. -----------------*- C++ -*-//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Defines inter-checker API for using the system value 'errno'.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ERRNOMODELING_H
#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ERRNOMODELING_H
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
namespace clang {
namespace ento {
namespace errno_modeling {
/// Returns the value of 'errno', if 'errno' was found in the AST.
llvm::Optional<SVal> getErrnoValue(ProgramStateRef State);
/// Set value of 'errno' to any SVal, if possible.
ProgramStateRef setErrnoValue(ProgramStateRef State,
const LocationContext *LCtx, SVal Value);
/// Set value of 'errno' to a concrete (signed) integer, if possible.
ProgramStateRef setErrnoValue(ProgramStateRef State, CheckerContext &C,
uint64_t Value);
} // namespace errno_modeling
} // namespace ento
} // namespace clang
#endif // LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ERRNOMODELING_H

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp

  • This file was added.
//=== ErrnoModeling.cpp -----------------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This defines a checker `ErrnoModeling`, which is used to make the system
// value 'errno' available to other checkers.
// The 'errno' value is stored at a special memory region that is accessible
// through the `errno_modeling` namespace. The memory region is either the
// region of `errno` itself if it is a variable, otherwise an artifically
// created region (in the system memory space). If `errno` is defined by using
// a function which returns the address of it (this is always the case if it is
// not a variable) this function is recognized and evaluated. In this way
// `errno` becomes visible to the analysis and checkers can change its value.
//
//===----------------------------------------------------------------------===//
#include "ErrnoModeling.h"
#include "clang/AST/ParentMapContext.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "llvm/ADT/STLExtras.h"
using namespace clang;
using namespace ento;
namespace {
// Name of the "errno" variable.
// FIXME: Is there a system where it is not called "errno" but is a variable?
const char *ErrnoVarName = "errno";
// Names of functions that return a location of the "errno" value.
// FIXME: Are there other similar function names?
const char *ErrnoLocationFuncNames[] = {"__errno_location", "___errno",
"__errno", "_errno", "__error"};
class ErrnoModeling
: public Checker<check::ASTDecl<TranslationUnitDecl>, check::BeginFunction,
check::LiveSymbols, eval::Call> {
public:
void checkASTDecl(const TranslationUnitDecl *D, AnalysisManager &Mgr,
BugReporter &BR) const;
void checkBeginFunction(CheckerContext &C) const;
void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const;
bool evalCall(const CallEvent &Call, CheckerContext &C) const;
// The declaration of an "errno" variable or "errno location" function.
mutable const Decl *ErrnoDecl = nullptr;
private:
// FIXME: Names from `ErrnoLocationFuncNames` are used to build this set.
CallDescriptionSet ErrnoLocationCalls{{"__errno_location", 0, 0},
{"___errno", 0, 0},
{"__errno", 0, 0},
{"_errno", 0, 0},
{"__error", 0, 0}};
};
} // namespace
/// Store a MemRegion that contains the 'errno' integer value.
/// The value is null if the 'errno' value was not recognized in the AST.
REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoRegion, const void *)
/// An internal function accessing the errno region.
/// Returns null if there isn't any associated memory region.
static const MemRegion *getErrnoRegion(ProgramStateRef State) {
return reinterpret_cast<const MemRegion *>(State->get<ErrnoRegion>());
}
/// Search for a variable called "errno" in the AST.
/// Return nullptr if not found.
static const VarDecl *getErrnoVar(ASTContext &ACtx) {
IdentifierInfo &II = ACtx.Idents.get(ErrnoVarName);
auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
auto Found = llvm::find_if(LookupRes, [&ACtx](const Decl *D) {
if (auto *VD = dyn_cast<VarDecl>(D))
return ACtx.getSourceManager().isInSystemHeader(VD->getLocation()) &&
VD->hasExternalStorage() &&
VD->getType().getCanonicalType() == ACtx.IntTy;
return false;
});
if (Found == LookupRes.end())
return nullptr;
return cast<VarDecl>(*Found);
}
/// Search for a function with a specific name that is used to return a pointer
/// to "errno".
/// Return nullptr if no such function was found.
static const FunctionDecl *getErrnoFunc(ASTContext &ACtx) {
SmallVector<const Decl *> LookupRes;
for (StringRef ErrnoName : ErrnoLocationFuncNames) {
IdentifierInfo &II = ACtx.Idents.get(ErrnoName);
llvm::append_range(LookupRes, ACtx.getTranslationUnitDecl()->lookup(&II));
}
auto Found = llvm::find_if(LookupRes, [&ACtx](const Decl *D) {
if (auto *FD = dyn_cast<FunctionDecl>(D))
return ACtx.getSourceManager().isInSystemHeader(FD->getLocation()) &&
FD->isExternC() && FD->getNumParams() == 0 &&
FD->getReturnType().getCanonicalType() ==
ACtx.getPointerType(ACtx.IntTy);
return false;
});
if (Found == LookupRes.end())
return nullptr;
return cast<FunctionDecl>(*Found);
}
void ErrnoModeling::checkASTDecl(const TranslationUnitDecl *D,
AnalysisManager &Mgr, BugReporter &BR) const {
// Try to find an usable `errno` value.
// It can be an external variable called "errno" or a function that returns a
// pointer to the "errno" value. This function can have different names.
// The actual case is dependent on the C library implementation, we
// can only search for a match in one of these variations.
// We assume that exactly one of these cases might be true.
ErrnoDecl = getErrnoVar(Mgr.getASTContext());
if (!ErrnoDecl)
ErrnoDecl = getErrnoFunc(Mgr.getASTContext());
}
void ErrnoModeling::checkBeginFunction(CheckerContext &C) const {
if (!C.inTopFrame())
return;
ASTContext &ACtx = C.getASTContext();
ProgramStateRef State = C.getState();
if (const auto *ErrnoVar = dyn_cast_or_null<VarDecl>(ErrnoDecl)) {
// There is an external 'errno' variable.
// Use its memory region.
// The memory region for an 'errno'-like variable is allocated in system
// space by MemRegionManager.
const MemRegion *ErrnoR =
State->getRegion(ErrnoVar, C.getLocationContext());
assert(ErrnoR && "Memory region should exist for the 'errno' variable.");
State = State->set<ErrnoRegion>(ErrnoR);
State = errno_modeling::setErrnoValue(State, C, 0);
C.addTransition(State);
} else if (ErrnoDecl) {
assert(isa<FunctionDecl>(ErrnoDecl) && "Invalid errno location function.");
// There is a function that returns the location of 'errno'.
// We must create a memory region for it in system space.
// Currently a symbolic region is used with an artifical symbol.
// FIXME: It is better to have a custom (new) kind of MemRegion for such
// cases.
SValBuilder &SVB = C.getSValBuilder();
MemRegionManager &RMgr = C.getStateManager().getRegionManager();
const MemSpaceRegion *GlobalSystemSpace =
RMgr.getGlobalsRegion(MemRegion::GlobalSystemSpaceRegionKind);
// Create an artifical symbol for the region.
// It is not possible to associate a statement or expression in this case.
const SymbolConjured *Sym = SVB.conjureSymbol(
nullptr, C.getLocationContext(),
ACtx.getLValueReferenceType(ACtx.IntTy), C.blockCount(), &ErrnoDecl);
// The symbolic region is untyped, create a typed sub-region in it.
// The ElementRegion is used to make the errno region a typed region.
const MemRegion *ErrnoR = RMgr.getElementRegion(
ACtx.IntTy, SVB.makeZeroArrayIndex(),
RMgr.getSymbolicRegion(Sym, GlobalSystemSpace), C.getASTContext());
State = State->set<ErrnoRegion>(ErrnoR);
State = errno_modeling::setErrnoValue(State, C, 0);
C.addTransition(State);
}
}
bool ErrnoModeling::evalCall(const CallEvent &Call, CheckerContext &C) const {
// Return location of "errno" at a call to an "errno address returning"
// function.
if (ErrnoLocationCalls.contains(Call)) {
ProgramStateRef State = C.getState();
const MemRegion *ErrnoR = getErrnoRegion(State);
if (!ErrnoR)
return false;
State = State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
loc::MemRegionVal{ErrnoR});
C.addTransition(State);
return true;
}
return false;
}
void ErrnoModeling::checkLiveSymbols(ProgramStateRef State,
SymbolReaper &SR) const {
// The special errno region should never garbage collected.
if (const auto *ErrnoR = getErrnoRegion(State))
SR.markLive(ErrnoR);
}
namespace clang {
namespace ento {
namespace errno_modeling {
Optional<SVal> getErrnoValue(ProgramStateRef State) {
const MemRegion *ErrnoR = getErrnoRegion(State);
if (!ErrnoR)
return {};
QualType IntTy = State->getAnalysisManager().getASTContext().IntTy;
return State->getSVal(ErrnoR, IntTy);
}
ProgramStateRef setErrnoValue(ProgramStateRef State,
const LocationContext *LCtx, SVal Value) {
const MemRegion *ErrnoR = getErrnoRegion(State);
if (!ErrnoR)
return State;
return State->bindLoc(loc::MemRegionVal{ErrnoR}, Value, LCtx);
}
ProgramStateRef setErrnoValue(ProgramStateRef State, CheckerContext &C,
uint64_t Value) {
const MemRegion *ErrnoR = getErrnoRegion(State);
if (!ErrnoR)
return State;
return State->bindLoc(
loc::MemRegionVal{ErrnoR},
C.getSValBuilder().makeIntVal(Value, C.getASTContext().IntTy),
C.getLocationContext());
}
} // namespace errno_modeling
} // namespace ento
} // namespace clang
void ento::registerErrnoModeling(CheckerManager &mgr) {
mgr.registerChecker<ErrnoModeling>();
}
bool ento::shouldRegisterErrnoModeling(const CheckerManager &mgr) {
return true;
}

clang/lib/StaticAnalyzer/Checkers/ErrnoTesterChecker.cpp

  • This file was added.
//=== ErrnoTesterChecker.cpp ------------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This defines ErrnoTesterChecker, which is used to test functionality of the
// errno_check API.
//
//===----------------------------------------------------------------------===//
#include "ErrnoModeling.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang;
using namespace ento;
namespace {
class ErrnoTesterChecker : public Checker<eval::Call> {
public:
bool evalCall(const CallEvent &Call, CheckerContext &C) const;
private:
static void evalSetErrno(CheckerContext &C, const CallEvent &Call);
static void evalGetErrno(CheckerContext &C, const CallEvent &Call);
static void evalSetErrnoIfError(CheckerContext &C, const CallEvent &Call);
static void evalSetErrnoIfErrorRange(CheckerContext &C,
const CallEvent &Call);
using EvalFn = std::function<void(CheckerContext &, const CallEvent &)>;
const CallDescriptionMap<EvalFn> TestCalls{
{{"ErrnoTesterChecker_setErrno", 1}, &ErrnoTesterChecker::evalSetErrno},
{{"ErrnoTesterChecker_getErrno", 0}, &ErrnoTesterChecker::evalGetErrno},
{{"ErrnoTesterChecker_setErrnoIfError", 0},
&ErrnoTesterChecker::evalSetErrnoIfError},
{{"ErrnoTesterChecker_setErrnoIfErrorRange", 0},
&ErrnoTesterChecker::evalSetErrnoIfErrorRange}};
};
} // namespace
void ErrnoTesterChecker::evalSetErrno(CheckerContext &C,
const CallEvent &Call) {
C.addTransition(errno_modeling::setErrnoValue(
C.getState(), C.getLocationContext(), Call.getArgSVal(0)));
}
void ErrnoTesterChecker::evalGetErrno(CheckerContext &C,
const CallEvent &Call) {
ProgramStateRef State = C.getState();
Optional<SVal> ErrnoVal = errno_modeling::getErrnoValue(State);
assert(ErrnoVal && "Errno value should be available.");
State =
State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), *ErrnoVal);
C.addTransition(State);
}
void ErrnoTesterChecker::evalSetErrnoIfError(CheckerContext &C,
const CallEvent &Call) {
ProgramStateRef State = C.getState();
SValBuilder &SVB = C.getSValBuilder();
ProgramStateRef StateSuccess = State->BindExpr(
Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(0, true));
ProgramStateRef StateFailure = State->BindExpr(
Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(1, true));
StateFailure = errno_modeling::setErrnoValue(StateFailure, C, 11);
C.addTransition(StateSuccess);
C.addTransition(StateFailure);
}
void ErrnoTesterChecker::evalSetErrnoIfErrorRange(CheckerContext &C,
const CallEvent &Call) {
ProgramStateRef State = C.getState();
SValBuilder &SVB = C.getSValBuilder();
ProgramStateRef StateSuccess = State->BindExpr(
Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(0, true));
ProgramStateRef StateFailure = State->BindExpr(
Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(1, true));
DefinedOrUnknownSVal ErrnoVal = SVB.conjureSymbolVal(
nullptr, Call.getOriginExpr(), C.getLocationContext(), C.blockCount());
StateFailure = StateFailure->assume(ErrnoVal, true);
assert(StateFailure && "Failed to assume on an initial value.");
StateFailure = errno_modeling::setErrnoValue(
StateFailure, C.getLocationContext(), ErrnoVal);
C.addTransition(StateSuccess);
C.addTransition(StateFailure);
}
bool ErrnoTesterChecker::evalCall(const CallEvent &Call,
CheckerContext &C) const {
const EvalFn *Fn = TestCalls.lookup(Call);
if (Fn) {
(*Fn)(C, Call);
return C.isDifferent();
}
return false;
}
void ento::registerErrnoTesterChecker(CheckerManager &Mgr) {
Mgr.registerChecker<ErrnoTesterChecker>();
}
bool ento::shouldRegisterErrnoTesterChecker(const CheckerManager &Mgr) {
return true;
}

clang/lib/StaticAnalyzer/Core/MemRegion.cpp

Show First 20 LinesShow All 1,146 Lines▼ Show 20 LinesMemRegionManager::getFunctionCodeRegion(const NamedDecl *FD) {
return getSubRegion<FunctionCodeRegion>(FD, getCodeRegion()); return getSubRegion<FunctionCodeRegion>(FD, getCodeRegion());
} }
const BlockCodeRegion * const BlockCodeRegion *
MemRegionManager::getBlockCodeRegion(const BlockDecl *BD, CanQualType locTy, MemRegionManager::getBlockCodeRegion(const BlockDecl *BD, CanQualType locTy,
AnalysisDeclContext *AC) { AnalysisDeclContext *AC) {
return getSubRegion<BlockCodeRegion>(BD, locTy, AC, getCodeRegion()); return getSubRegion<BlockCodeRegion>(BD, locTy, AC, getCodeRegion());
} }
/// getSymbolicRegion - Retrieve or create a "symbolic" memory region. const SymbolicRegion *
steakhalUnsubmitted
Not Done
ReplyInline Actions

I would recommend removing this comment alltogether.
The header is already annotated, by the time this will get out-of-sync anyway.

steakhal: I would recommend removing this comment alltogether. The header is already annotated, by the…
const SymbolicRegion *MemRegionManager::getSymbolicRegion(SymbolRef sym) { MemRegionManager::getSymbolicRegion(SymbolRef sym,
return getSubRegion<SymbolicRegion>(sym, getUnknownRegion()); const MemSpaceRegion *MemSpace) {
if (MemSpace == nullptr)
MemSpace = getUnknownRegion();
return getSubRegion<SymbolicRegion>(sym, MemSpace);
} }
const SymbolicRegion *MemRegionManager::getSymbolicHeapRegion(SymbolRef Sym) { const SymbolicRegion *MemRegionManager::getSymbolicHeapRegion(SymbolRef Sym) {
return getSubRegion<SymbolicRegion>(Sym, getHeapRegion()); return getSubRegion<SymbolicRegion>(Sym, getHeapRegion());
} }
const FieldRegion* const FieldRegion*
MemRegionManager::getFieldRegion(const FieldDecl *d, MemRegionManager::getFieldRegion(const FieldDecl *d,
▲ Show 20 LinesShow All 588 LinesShow Last 20 Lines

clang/test/Analysis/Inputs/errno_func.h

  • This file was added.
#pragma clang system_header
// Define 'errno' as a macro that calls a function.
int *__errno_location();
#define errno (*__errno_location())

clang/test/Analysis/Inputs/errno_var.h

  • This file was added.
#pragma clang system_header
// Declare 'errno' as an extern variable in a system header.
// This may be not allowed in C99.
steakhalUnsubmitted
Done
ReplyInline Actions
#pragma clang system_header
- // Define 'errno' as an extern variable in a system header.
+ // Declare 'errno' as an extern variable in a system header.
// This may be not allowed in C99.
steakhal:
extern int errno;

clang/test/Analysis/Inputs/system-header-simulator.h

Show First 20 LinesShow All 53 Lines▼ Show 20 Lines
void rewind(FILE *__stream); void rewind(FILE *__stream);
int fgetpos(FILE *stream, fpos_t *pos); int fgetpos(FILE *stream, fpos_t *pos);
int fsetpos(FILE *stream, const fpos_t *pos); int fsetpos(FILE *stream, const fpos_t *pos);
void clearerr(FILE *stream); void clearerr(FILE *stream);
int feof(FILE *stream); int feof(FILE *stream);
int ferror(FILE *stream); int ferror(FILE *stream);
int fileno(FILE *stream); int fileno(FILE *stream);
// Note, on some platforms errno macro gets replaced with a function call.
extern int errno;
size_t strlen(const char *); size_t strlen(const char *);
char *strcpy(char *restrict, const char *restrict); char *strcpy(char *restrict, const char *restrict);
char *strncpy(char *dst, const char *src, size_t n); char *strncpy(char *dst, const char *src, size_t n);
void *memcpy(void *dst, const void *src, size_t n); void *memcpy(void *dst, const void *src, size_t n);
typedef unsigned long __darwin_pthread_key_t; typedef unsigned long __darwin_pthread_key_t;
typedef __darwin_pthread_key_t pthread_key_t; typedef __darwin_pthread_key_t pthread_key_t;
▲ Show 20 LinesShow All 68 LinesShow Last 20 Lines

clang/test/Analysis/analyzer-enabled-checkers.c

// RUN: %clang --analyze %s --target=x86_64-pc-linux-gnu \ // RUN: %clang --analyze %s --target=x86_64-pc-linux-gnu \
// RUN: -Xclang -analyzer-list-enabled-checkers \ // RUN: -Xclang -analyzer-list-enabled-checkers \
// RUN: -Xclang -analyzer-display-progress \ // RUN: -Xclang -analyzer-display-progress \
// RUN: 2>&1 | FileCheck %s --implicit-check-not=ANALYZE \ // RUN: 2>&1 | FileCheck %s --implicit-check-not=ANALYZE \
// RUN: --implicit-check-not=\. // RUN: --implicit-check-not=\.
// CHECK: OVERVIEW: Clang Static Analyzer Enabled Checkers List // CHECK: OVERVIEW: Clang Static Analyzer Enabled Checkers List
// CHECK-EMPTY: // CHECK-EMPTY:
// CHECK-NEXT: apiModeling.Errno
// CHECK-NEXT: core.CallAndMessageModeling // CHECK-NEXT: core.CallAndMessageModeling
// CHECK-NEXT: apiModeling.StdCLibraryFunctions // CHECK-NEXT: apiModeling.StdCLibraryFunctions
// CHECK-NEXT: apiModeling.TrustNonnull // CHECK-NEXT: apiModeling.TrustNonnull
// CHECK-NEXT: apiModeling.TrustReturnsNonnull // CHECK-NEXT: apiModeling.TrustReturnsNonnull
// CHECK-NEXT: apiModeling.llvm.CastValue // CHECK-NEXT: apiModeling.llvm.CastValue
// CHECK-NEXT: apiModeling.llvm.ReturnValue // CHECK-NEXT: apiModeling.llvm.ReturnValue
// CHECK-NEXT: core.CallAndMessage // CHECK-NEXT: core.CallAndMessage
// CHECK-NEXT: core.DivideZero // CHECK-NEXT: core.DivideZero
Show All 40 Lines

clang/test/Analysis/errno.c

  • This file was added.
// RUN: %clang_analyze_cc1 -verify %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=apiModeling.Errno \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-checker=debug.ErrnoTest \
// RUN: -DERRNO_VAR
// RUN: %clang_analyze_cc1 -verify %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=apiModeling.Errno \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-checker=debug.ErrnoTest \
// RUN: -DERRNO_FUNC
#ifdef ERRNO_VAR
#include "Inputs/errno_var.h"
#endif
#ifdef ERRNO_FUNC
#include "Inputs/errno_func.h"
#endif
void clang_analyzer_eval(int);
steakhalUnsubmitted
Done
ReplyInline Actions

Fun fact, I think you can #include ERRNO_HEADER, if you pass the -DERRNO_HEADER=\"Inputs/errno_var.h\" :D

steakhal: Fun fact, I think you can `#include ERRNO_HEADER`, if you pass the `…
void ErrnoTesterChecker_setErrno(int);
steakhalUnsubmitted
Done
ReplyInline Actions

Please call a different function, which is definitely not from glibc.
We might model this in the future using eval::Call in which case no invalidation will happen breaking the test.

steakhal: Please call a different function, which is definitely not from glibc. We might model this in…
int ErrnoTesterChecker_getErrno();
int ErrnoTesterChecker_setErrnoIfError();
int ErrnoTesterChecker_setErrnoIfErrorRange();
void something();
void test() {
// Test if errno is initialized.
clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}}
ErrnoTesterChecker_setErrno(1);
// Test if errno was recognized and changed.
clang_analyzer_eval(errno == 1); // expected-warning{{TRUE}}
clang_analyzer_eval(ErrnoTesterChecker_getErrno() == 1); // expected-warning{{TRUE}}
something();
// Test if errno was invalidated.
clang_analyzer_eval(errno); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(ErrnoTesterChecker_getErrno()); // expected-warning{{UNKNOWN}}
}
void testRange(int X) {
if (X > 0) {
ErrnoTesterChecker_setErrno(X);
clang_analyzer_eval(errno > 0); // expected-warning{{TRUE}}
}
}
void testIfError() {
if (ErrnoTesterChecker_setErrnoIfError())
clang_analyzer_eval(errno == 11); // expected-warning{{TRUE}}
}
void testIfErrorRange() {
if (ErrnoTesterChecker_setErrnoIfErrorRange()) {
clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
clang_analyzer_eval(errno == 1); // expected-warning{{FALSE}} expected-warning{{TRUE}}
}
}

clang/test/Analysis/global-region-invalidation-errno.c

  • This file was added.
// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -disable-free -verify %s \
// RUN: -analyzer-checker=core,deadcode,alpha.security.taint \
// RUN: -DERRNO_VAR
// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -disable-free -verify %s \
// RUN: -analyzer-checker=core,deadcode,alpha.security.taint \
// RUN: -DERRNO_FUNC
// Note, we do need to include headers here, since the analyzer checks if the function declaration is located in a system header.
// The errno value can be defined in multiple ways, test with each one.
#ifdef ERRNO_VAR
#include "Inputs/errno_var.h"
#endif
#ifdef ERRNO_FUNC
#include "Inputs/errno_func.h"
#endif
#include "Inputs/system-header-simulator.h"
void foo(void);
// expected-no-diagnostics
// Test errno gets invalidated by a system call.
int testErrnoSystem(void) {
int i;
int *p = 0;
fscanf(stdin, "%d", &i);
if (errno == 0) {
fscanf(stdin, "%d", &i); // errno gets invalidated here.
return 5 / errno; // no-warning
}
errno = 0;
fscanf(stdin, "%d", &i); // errno gets invalidated here.
return 5 / errno; // no-warning
}
// Test that errno gets invalidated by internal calls.
int testErrnoInternal(void) {
int i;
int *p = 0;
fscanf(stdin, "%d", &i);
if (errno == 0) {
foo(); // errno gets invalidated here.
return 5 / errno; // no-warning
}
return 0;
}

clang/test/Analysis/global-region-invalidation.c

// RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -disable-free -analyzer-checker=core,deadcode,alpha.security.taint,debug.TaintTest,debug.ExprInspection -verify %s // RUN: %clang_analyze_cc1 -triple x86_64-apple-darwin10 -disable-free -verify %s \
// RUN: -analyzer-checker=core,deadcode,alpha.security.taint,debug.TaintTest,debug.ExprInspection
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
// Note, we do need to include headers here, since the analyzer checks if the function declaration is located in a system header. // Note, we do need to include headers here, since the analyzer checks if the function declaration is located in a system header.
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
steakhalUnsubmitted
Done
ReplyInline Actions

If you were eval::Calling the errno_location functions, and used the corresponding header, would the tests pass?

steakhal: If you were `eval::Calling` the `errno_location` functions, and used the corresponding header…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

It is now executed wit both versions.

balazske: It is now executed wit both versions.
// Test that system header does not invalidate the internal global. // Test that system header does not invalidate the internal global.
int size_rdar9373039 = 1; int size_rdar9373039 = 1;
int rdar9373039(void) { int rdar9373039(void) {
int x; int x;
int j = 0; int j = 0;
for (int i = 0 ; i < size_rdar9373039 ; ++i) for (int i = 0 ; i < size_rdar9373039 ; ++i)
Show All 15 Linesint stdinTest(void) {
fscanf(stdin, "%d", &i); fscanf(stdin, "%d", &i);
foo(); foo();
int m = i; // expected-warning + {{tainted}} int m = i; // expected-warning + {{tainted}}
fscanf(stdin, "%d", &i); fscanf(stdin, "%d", &i);
int j = i; // expected-warning + {{tainted}} int j = i; // expected-warning + {{tainted}}
return m + j; // expected-warning + {{tainted}} return m + j; // expected-warning + {{tainted}}
} }
// Test errno gets invalidated by a system call.
int testErrnoSystem(void) {
int i;
int *p = 0;
fscanf(stdin, "%d", &i);
if (errno == 0) {
fscanf(stdin, "%d", &i); // errno gets invalidated here.
return 5 / errno; // no-warning
}
errno = 0;
fscanf(stdin, "%d", &i); // errno gets invalidated here.
return 5 / errno; // no-warning
}
// Test that errno gets invalidated by internal calls.
int testErrnoInternal(void) {
int i;
int *p = 0;
fscanf(stdin, "%d", &i);
if (errno == 0) {
foo(); // errno gets invalidated here.
return 5 / errno; // no-warning
}
return 0;
}
// Test that const integer does not get invalidated. // Test that const integer does not get invalidated.
const int x = 0; const int x = 0;
int constIntGlob(void) { int constIntGlob(void) {
const int *m = &x; const int *m = &x;
foo(); foo();
return 3 / *m; // expected-warning {{Division by zero}} return 3 / *m; // expected-warning {{Division by zero}}
} }
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Lines
void Function2(void) { void Function2(void) {
Function1(); Function1();
} }
void SetToNonZero(void) { void SetToNonZero(void) {
static int g = 5; static int g = 5;
clang_analyzer_eval(g == 5); // expected-warning{{TRUE}} clang_analyzer_eval(g == 5); // expected-warning{{TRUE}}
} }

clang/test/Analysis/std-c-library-functions-arg-enabled-checkers.c

Show All 15 Lines
// CHECK: OVERVIEW: Clang Static Analyzer Enabled Checkers List // CHECK: OVERVIEW: Clang Static Analyzer Enabled Checkers List
// CHECK-EMPTY: // CHECK-EMPTY:
// CHECK-NEXT: core.CallAndMessageModeling // CHECK-NEXT: core.CallAndMessageModeling
// CHECK-NEXT: core.CallAndMessage // CHECK-NEXT: core.CallAndMessage
// CHECK-NEXT: core.NonNullParamChecker // CHECK-NEXT: core.NonNullParamChecker
// CHECK-NEXT: alpha.unix.Stream // CHECK-NEXT: alpha.unix.Stream
// CHECK-NEXT: apiModeling.StdCLibraryFunctions // CHECK-NEXT: apiModeling.StdCLibraryFunctions
// CHECK-NEXT: alpha.unix.StdCLibraryFunctionArgs // CHECK-NEXT: alpha.unix.StdCLibraryFunctionArgs
// CHECK-NEXT: apiModeling.Errno
// CHECK-NEXT: apiModeling.TrustNonnull // CHECK-NEXT: apiModeling.TrustNonnull
// CHECK-NEXT: apiModeling.TrustReturnsNonnull // CHECK-NEXT: apiModeling.TrustReturnsNonnull
// CHECK-NEXT: apiModeling.llvm.CastValue // CHECK-NEXT: apiModeling.llvm.CastValue
// CHECK-NEXT: apiModeling.llvm.ReturnValue // CHECK-NEXT: apiModeling.llvm.ReturnValue
// CHECK-NEXT: core.DivideZero // CHECK-NEXT: core.DivideZero
// CHECK-NEXT: core.DynamicTypePropagation // CHECK-NEXT: core.DynamicTypePropagation
// CHECK-NEXT: core.NonnilStringConstants // CHECK-NEXT: core.NonnilStringConstants
// CHECK-NEXT: core.NullDereference // CHECK-NEXT: core.NullDereference
Show All 36 Lines