This is an archive of the discontinued LLVM Phabricator instance.

Differential D120489

[analyzer] Done some changes to detect Uninitialized read by the char array manipulation functions
ClosedPublic

Authored by phyBrackets on Feb 24 2022, 7:42 AM.

Details

Reviewers
steakhal
NoQ
Szelethus
chandlerc
Commits
rG9c300c18a4ea: [analyzer] Done some changes to detect Uninitialized read by the char array…
rG56eaf869be27: [analyzer] Done some changes to detect Uninitialized read by the char array…
rGbd1917c88a32: [analyzer] Done some changes to detect Uninitialized read by the char array…
Summary

Few weeks back I was experimenting with reading the uninitialized values from src , which is actually a bug but the CSA seems to give up at that point . I was curious about that and I pinged @steakhal on the discord and according to him this seems to be a genuine issue and needs to be fix. So I goes with fixing this bug and thanks to @steakhal who help me creating this patch. This feature seems to break some tests but this was the genuine problem and the broken tests also needs to fix in certain manner. I add a test but yeah we need more tests,I'll try to add more tests.Thanks

Diff Detail

Event Timeline

phyBrackets created this revision.Feb 24 2022, 7:42 AM
Herald added subscribers: ASDenysPetrov, martong, dkrupp and 7 others. · View Herald TranscriptFeb 24 2022, 7:42 AM
phyBrackets requested review of this revision.Feb 24 2022, 7:42 AM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 24 2022, 7:42 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
phyBrackets added reviewers: steakhal, NoQ, Szelethus, chandlerc.Feb 24 2022, 7:46 AM
phyBrackets retitled this revision from [analyzer][NFCi] Does some changes to detect Uninitialized read by the char array manipulation functions to [analyzer][NFCi] Done some changes to detect Uninitialized read by the char array manipulation functions.Feb 24 2022, 7:59 AM
steakhal added a comment.Feb 24 2022, 8:10 AM

I'm looking forward to this check.

clang/test/Analysis/bstring.c
299–307

Basically, the store has 4 direct bindings for the src cluster.
At bit offset 0, 32, 64, 96, the values 1, 2, 3, 4 (ints) respectively.
However, in the memcopy modeling, we calculate the byte offset of the very last touched byte, which is byte 15.
Consequently, we will do a lookup in the store for acquiring a binding starting at bit offset 15*8, aka. 120.
However, there is no binding for that offset. What we have instead, is a binding starting at offset 96, associating an integer, which is 4 bytes long, thus this entry actually refers to the bits [96-128], so it overlaps with the byte at [120-128].
From this, we should be able to prove that the given bits must have been initialized to some value.

What I cannot remember off the top of my head, what was the type of the ER. I hope it was char, but I cannot recall.
If that was char, then we have a bug in the store.

Harbormaster completed remote builds in B151280: Diff 411132.Feb 24 2022, 8:32 AM
NoQ accepted this revision.Feb 24 2022, 10:51 AM

This looks like a good check to ultimately have but we probably won't be able to move it out of alpha until the extents issue is fixed (which is going to be a fairly intrusive fix).

clang/test/Analysis/bstring.c
299–307

Yes, this is correct. It looks like we can't have this check until we address 43459.

This revision is now accepted and ready to land.Feb 24 2022, 10:51 AM
NoQ retitled this revision from [analyzer][NFCi] Done some changes to detect Uninitialized read by the char array manipulation functions to [analyzer] Done some changes to detect Uninitialized read by the char array manipulation functions.Feb 24 2022, 10:53 AM

I removed the [NFCi] marker because this commit does introduce functional change (a new checker).

NoQ added a comment.Feb 24 2022, 10:55 AM

Also I think we might be able to enable this checker for the situation when the buffer is *completely* uninitialized. It is relatively easy for RegionStore to answer whether there are any bindings in a top-level region.

steakhal requested changes to this revision.Feb 24 2022, 11:08 AM

Oh wait, should we accept this given this serious limitation?

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
479–483

We also need documentation in the clang/docs/analyzer/checkers.rst.
Please also note the limitation we experienced and described here.
Also refer back to the Umbrella GitHub issue in that section.

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
262
375

Remove this line.

This revision now requires changes to proceed.Feb 24 2022, 11:08 AM
phyBrackets added a comment.Feb 24 2022, 11:41 AM

@steakhal would you just help, where in the file and what exactly write to in the documentation?

NoQ added a comment.Feb 24 2022, 1:31 PM

Oh wait, should we accept this given this serious limitation?

This check lands as alpha so it's fine. We know what to do to move it out of alpha; it's somewhat difficult but definitely not impossible, so there's a way forward with this, and the code added by this patch is ultimately correct.

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
596

Yeah, dumps need to be removed from the final code.

phyBrackets updated this revision to Diff 411286.Feb 24 2022, 6:44 PM

Revised the changes

Harbormaster completed remote builds in B151391: Diff 411286.Feb 24 2022, 7:19 PM
steakhal added inline comments.Feb 25 2022, 12:59 AM
clang/docs/analyzer/checkers.rst
2634–2647

I was thinking about something like this.

phyBrackets updated this revision to Diff 411447.Feb 25 2022, 10:03 AM

update the documentation for the uninitialized read checker

Harbormaster completed remote builds in B151498: Diff 411447.Feb 25 2022, 10:45 AM
phyBrackets updated this revision to Diff 411601.Feb 26 2022, 4:57 AM

aligned the indentation

Harbormaster completed remote builds in B151608: Diff 411601.Feb 26 2022, 5:42 AM
phyBrackets updated this revision to Diff 411652.Feb 26 2022, 8:26 PM

fix some alignment issue

Harbormaster completed remote builds in B151644: Diff 411652.Feb 26 2022, 8:53 PM
steakhal accepted this revision.Feb 28 2022, 2:14 AM

Approved, given that it looks and compiles fine with oxygen.
Thank you.

This revision is now accepted and ready to land.Feb 28 2022, 2:14 AM
Herald added a subscriber: manas. · View Herald TranscriptFeb 28 2022, 2:14 AM
NoQ added inline comments.Feb 28 2022, 10:18 AM
clang/test/Analysis/bstring.c
306

Hmm, given that your change suppresses some existing tests, maybe disable your checker on this file and copy the updated tests to a new file that would have the checker enabled?

phyBrackets added inline comments.Feb 28 2022, 11:27 AM
clang/test/Analysis/bstring.c
306

I don't know how will it affect that but still that's an exception and from these exceptions test cases, we are updated about how it gonna fail on some tests cases and try to work on those exceptions.

phyBrackets added a comment.Feb 28 2022, 9:41 PM

Hey @NoQ and @steakhal , can i land this patch ?

steakhal added a comment.Mar 1 2022, 1:55 AM

You should copy the mempcpy14, mempcpy15 test cases into a separate file, and cut the top; while disabling this alpha.unix.cstring.UninitializedRead checker in the existing test file(s) and explicitly enable in the new separated file.
This way it wouldn't interfere with the existing test cases, since it would halt the analyzer (emits a sink node).
After that, you could land it.

steakhal added inline comments.Mar 1 2022, 8:29 AM
clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
374

You should make this check optional, only if the 'checker' was enabled.

phyBrackets updated this revision to Diff 412391.Mar 2 2022, 6:03 AM

Created the separate test file for UninitializedRead checker

Herald added a project: Restricted Project. · View Herald TranscriptMar 2 2022, 6:03 AM
phyBrackets added a comment.Mar 2 2022, 6:32 AM

Hey @NoQ and @steakhal , will you just check , if everything looks fine or not! The test cases run successfully tho now!

Harbormaster completed remote builds in B152144: Diff 412391.Mar 2 2022, 7:06 AM
steakhal added a comment.Mar 2 2022, 7:56 AM

Please mark the done comments as "done" with the corresponding button prior to submitting an update.

clang/test/Analysis/bstring_UninitRead.c
68–86

I don't think you should copy these as well.
The matching logic is already tested in bstring.c.

That being said, a single RUN line should be enough in this file.

92–95
phyBrackets added inline comments.Mar 2 2022, 8:28 AM
clang/test/Analysis/bstring_UninitRead.c
68–86

I'm not able to run test successfully with single RUN ,

// RUN: -analyzer-checker=alpha.unix.cstring.UninitializedRead
phyBrackets marked 6 inline comments as done.Mar 2 2022, 8:30 AM
steakhal added inline comments.Mar 2 2022, 9:14 AM
clang/test/Analysis/bstring_UninitRead.c
2–85

I was thinking about something like this.

phyBrackets added inline comments.Mar 2 2022, 9:17 AM
clang/test/Analysis/bstring_UninitRead.c
68–86

wait , I think I got this! Thanks

phyBrackets updated this revision to Diff 412452.Mar 2 2022, 9:24 AM

Remove unneccesary RUN and some macros definitions

phyBrackets marked 2 inline comments as done.Mar 2 2022, 9:25 AM
steakhal accepted this revision.Mar 2 2022, 9:33 AM

The core checkers should be always enabled.

clang/test/Analysis/bstring_UninitRead.c
3
phyBrackets updated this revision to Diff 412464.Mar 2 2022, 9:40 AM

enabled the core checker

phyBrackets marked an inline comment as done.Mar 2 2022, 9:41 AM
phyBrackets added inline comments.
clang/test/Analysis/bstring_UninitRead.c
3

Yeah done! Thanks

Harbormaster completed remote builds in B152197: Diff 412464.Mar 2 2022, 10:28 AM
phyBrackets added a comment.Mar 2 2022, 10:34 AM

@steakhal , if everything looks fine, can i land this ?

steakhal added a comment.Mar 2 2022, 10:39 AM

Yup, land it!

Closed by commit rGbd1917c88a32: [analyzer] Done some changes to detect Uninitialized read by the char array… (authored by Shivam <75530356+phyBrackets@users.noreply.github.com>, committed by phyBrackets). · Explain WhyMar 3 2022, 9:51 AM
This revision was automatically updated to reflect the committed changes.
phyBrackets added a commit: rGbd1917c88a32: [analyzer] Done some changes to detect Uninitialized read by the char array….
phyBrackets added a comment.Mar 3 2022, 10:04 AM

https://github.com/llvm/llvm-project/commit/bd1917c88a32c0930864d04f4e71155dcc3fa592 , Hey @steakhal , I land it but why it is not showing the

  void emitUninitializedReadBug(CheckerContext &C, ProgramStateRef State,
                             const Expr *E) const;
``` ?
ymandel added a subscriber: ymandel.EditedMar 3 2022, 10:08 AM

Looks like this broke the build. I'm getting:

FAILED: tools/clang/lib/StaticAnalyzer/Checkers/CMakeFiles/obj.clangStaticAnalyzerCheckers.dir/CStringChecker.cpp.o
/usr/bin/clang++-11 ... -std=c++14 -MD -MT tools/clang/lib/StaticAnalyzer/Checkers/CMakeFiles/obj.clangStaticAnalyzerCheckers.dir/CStringChecker.cpp.o -MF tools/clang/lib/StaticAnalyzer/Checkers/CMakeFiles/obj.clangStaticAnalyzerCheckers.dir/CStringChecker.cpp.o.d -o tools/clang/lib/StaticAnalyzer/Checkers/CMakeFiles/obj.clangStaticAnalyzerCheckers.dir/CStringChecker.cpp.o -c .../llvm-project/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
.../llvm-project/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp:376:7: error: use of undeclared identifier 'emitUninitializedReadBug'
      emitUninitializedReadBug(C, StInBound, Buffer.Expression);
      ^
/usr/local/.../llvm-project/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp:592:22: error: out-of-line definition of 'emitUninitializedReadBug' does not match any declaration in '(anonymous namespace)::CStringChecker'
void CStringChecker::emitUninitializedReadBug(CheckerContext &C,
                     ^~~~~~~~~~~~~~~~~~~~~~~~
2 errors generated.
FAILED: tools/clang/lib/StaticAnalyzer/Checkers/CMakeFiles/obj.clangStaticAnalyzerCheckers.dir/CStringChecker.cpp.o
/usr/bin/clang++-11 ... -std=c++14 -MD -MT tools/clang/lib/StaticAnalyzer/Checkers/CMakeFiles/obj.clangStaticAnalyzerCheckers.dir/CStringChecker.cpp.o -MF tools/clang/lib/StaticAnalyzer/Checkers/CMakeFiles/obj.clangStaticAnalyzerCheckers.dir/CStringChecker.cpp.o.d -o tools/clang/lib/StaticAnalyzer/Checkers/CMakeFiles/obj.clangStaticAnalyzerCheckers.dir/CStringChecker.cpp.o -c .../llvm-project/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
.../llvm-project/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp:376:7: error: use of undeclared identifier 'emitUninitializedReadBug'
      emitUninitializedReadBug(C, StInBound, Buffer.Expression);
      ^
.../llvm-project/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp:592:22: error: out-of-line definition of 'emitUninitializedReadBug' does not match any declaration in '(anonymous namespace)::CStringChecker'
void CStringChecker::emitUninitializedReadBug(CheckerContext &C,
                     ^~~~~~~~~~~~~~~~~~~~~~~~
2 errors generated.
ronlieb added a subscriber: ronlieb.Mar 3 2022, 10:32 AM

broke our hip buildbot as well.

https://lab.llvm.org/buildbot/#/builders/165/builds/17076

dyung added a subscriber: dyung.Mar 3 2022, 10:50 AM

And the PS4 build bots:

https://lab.llvm.org/buildbot/#/builders/139/builds/18001
https://lab.llvm.org/buildbot/#/builders/216/builds/801

phyBrackets added a commit: rG56eaf869be27: [analyzer] Done some changes to detect Uninitialized read by the char array….Mar 3 2022, 10:51 AM
ymandel added a comment.Mar 3 2022, 10:51 AM

Can you rollback until a fix is found?

shafik added a subscriber: shafik.Mar 3 2022, 11:26 AM

Looks like it also broke lldb green dragon incremental as well: https://green.lab.llvm.org/green/view/LLDB/job/lldb-cmake/41865/consoleFull#-27141295349ba4694-19c4-4d7e-bec5-911270d8a58c

phyBrackets added a commit: rG9c300c18a4ea: [analyzer] Done some changes to detect Uninitialized read by the char array….Mar 3 2022, 10:48 PM
dyung added a comment.Mar 3 2022, 11:52 PM

Thanks for fixing the problem with the original commit, but in the future, if you make follow-up commits, can you change the commit message to reflect what the commit contains? Having three different commits with the exact same commit message can be very confusing.

steakhal added a comment.Mar 3 2022, 11:55 PM

I would recommend committing changes in the morning, to give some time for the bots to chew through your commit. This way you could react to breakages and revert if needed.

aaron.ballman added a reverting change: rG6afe0354048f: Revert "[analyzer] Done some changes to detect Uninitialized read by the char….Mar 4 2022, 4:22 AM
martong added a comment.May 5 2022, 2:39 AM

Maybe it is not too late to update the clang/docs/ReleaseNotes.rst? A new checker is certainly important for the users. Many thanks!

phyBrackets added a comment.May 6 2022, 12:52 PM
In D120489#3493313, @martong wrote:

Maybe it is not too late to update the clang/docs/ReleaseNotes.rst? A new checker is certainly important for the users. Many thanks!

Yeah done! Thanks.

Revision Contents

PathSize
clang/
docs/
analyzer/
33 lines
include/
clang/
StaticAnalyzer/
Checkers/
7 lines
lib/
StaticAnalyzer/
Checkers/
34 lines
test/
Analysis/
8 lines
59 lines

Diff 412750

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 2,619 Lines▼ Show 20 Lines
} }
.. _alpha-unix-cstring-OutOfBounds: .. _alpha-unix-cstring-OutOfBounds:
alpha.unix.cstring.OutOfBounds (C) alpha.unix.cstring.OutOfBounds (C)
"""""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""
Check for out-of-bounds access in string functions; applies to:`` strncopy, strncat``. Check for out-of-bounds access in string functions; applies to:`` strncopy, strncat``.
.. code-block:: c .. code-block:: c
void test() { void test() {
int y = strlen((char *)&test); // warn int y = strlen((char *)&test); // warn
} }
.. _alpha-unix-cstring-UninitializedRead:
alpha.unix.cstring.UninitializedRead (C)
""""""""""""""""""""""""""""""""""""""""
Check for uninitialized reads from common memory copy/manipulation functions such as:
``memcpy, mempcpy, memmove, memcmp, strcmp, strncmp, strcpy, strlen, strsep`` and many more.
.. code-block:: c
void test() {
char src[10];
char dst[5];
memcpy(dst,src,sizeof(dst)); // warn: Bytes string function accesses uninitialized/garbage values
}
steakhalUnsubmitted
Not Done
ReplyInline Actions
int y = strlen((char *)&test); // warn
}
.. _alpha-unix-cstring-UninitializedRead:
alpha.unix.cstring.UninitializedRead (C)
- """"""""""""""""""""""""""""""""""
- Check for uninitialized read from source in memory copy function: ``memcpy,mempcpy``.
+ """"""""""""""""""""""""""""""""""""""""
+ Check for uninitialized reads from common memory copy/manipulation functions such as:
+ ``memcpy, mempcpy, memmove, memcmp, strcmp, strncmp, strcpy, strlen, strsep`` and many more.
.. code-block:: c
void test() {
- char src[10];
- char dst[5];
- memcpy(dst,src,sizeof(dst)); // warn
+ char src[10];
+ char dst[5];
+ memcpy(dst, src, sizeof(dst)); // warn: Bytes string function accesses uninitialized/garbage values
}
-
+
+ Limitations:
+
+ - Due to limitations of the memory modeling in the analyzer, one can likely
+ observe a lot of false-positive reports like this:
+ .. code-block:: c
+
+ void false_positive() {
+ int src[] = {1, 2, 3, 4};
+ int dst[5] = {0};
+ memcpy(dst, src, 4 * sizeof(int)); // false-positive:
+ // The 'src' buffer was correctly initialized, yet we cannot conclude
+ // that since the analyzer could not see a direct initialization of the
+ // very last byte of the source buffer.
+ }
+
+ More details at the corresponding `GitHub issue <https://github.com/llvm/llvm-project/issues/43459>`_.
+
.. _alpha-nondeterminism-PointerIteration:

I was thinking about something like this.

steakhal: I was thinking about something like this.
Limitations:
- Due to limitations of the memory modeling in the analyzer, one can likely
observe a lot of false-positive reports like this:
.. code-block:: c
void false_positive() {
int src[] = {1, 2, 3, 4};
int dst[5] = {0};
memcpy(dst, src, 4 * sizeof(int)); // false-positive:
// The 'src' buffer was correctly initialized, yet we cannot conclude
// that since the analyzer could not see a direct initialization of the
// very last byte of the source buffer.
}
More details at the corresponding `GitHub issue <https://github.com/llvm/llvm-project/issues/43459>`_.
.. _alpha-nondeterminism-PointerIteration: .. _alpha-nondeterminism-PointerIteration:
alpha.nondeterminism.PointerIteration (C++) alpha.nondeterminism.PointerIteration (C++)
""""""""""""""""""""""""""""""""""""""""""" """""""""""""""""""""""""""""""""""""""""""
Check for non-determinism caused by iterating unordered containers of pointers. Check for non-determinism caused by iterating unordered containers of pointers.
.. code-block:: c .. code-block:: c
▲ Show 20 LinesShow All 260 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 469 Lines▼ Show 20 Linesdef CStringBufferOverlap : Checker<"BufferOverlap">,
HelpText<"Checks for overlap in two buffer arguments">, HelpText<"Checks for overlap in two buffer arguments">,
Dependencies<[CStringModeling]>, Dependencies<[CStringModeling]>,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
def CStringNotNullTerm : Checker<"NotNullTerminated">, def CStringNotNullTerm : Checker<"NotNullTerminated">,
HelpText<"Check for arguments which are not null-terminating strings">, HelpText<"Check for arguments which are not null-terminating strings">,
Dependencies<[CStringModeling]>, Dependencies<[CStringModeling]>,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
def CStringUninitializedRead : Checker<"UninitializedRead">,
HelpText<"Checks if the string manipulation function would read uninitialized bytes">,
Dependencies<[CStringModeling]>,
Documentation<HasAlphaDocumentation>;
steakhalUnsubmitted
Done
ReplyInline Actions

We also need documentation in the clang/docs/analyzer/checkers.rst.
Please also note the limitation we experienced and described here.
Also refer back to the Umbrella GitHub issue in that section.

steakhal: We also need documentation in the `clang/docs/analyzer/checkers.rst`. Please also note the…
} // end "alpha.unix.cstring" } // end "alpha.unix.cstring"
let ParentPackage = Unix in { let ParentPackage = Unix in {
def UnixAPIMisuseChecker : Checker<"API">, def UnixAPIMisuseChecker : Checker<"API">,
HelpText<"Check calls to various UNIX/Posix functions">, HelpText<"Check calls to various UNIX/Posix functions">,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
▲ Show 20 LinesShow All 1,226 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 LinesShow All 74 Lines▼ Show 20 Lines
enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 }; enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 };
class CStringChecker : public Checker< eval::Call, class CStringChecker : public Checker< eval::Call,
check::PreStmt<DeclStmt>, check::PreStmt<DeclStmt>,
check::LiveSymbols, check::LiveSymbols,
check::DeadSymbols, check::DeadSymbols,
check::RegionChanges check::RegionChanges
> { > {
mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap, mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
BT_NotCString, BT_AdditionOverflow; BT_NotCString, BT_AdditionOverflow, BT_UninitRead;
mutable const char *CurrentFunctionDescription; mutable const char *CurrentFunctionDescription;
public: public:
/// The filter is used to filter out the diagnostics which are not enabled by /// The filter is used to filter out the diagnostics which are not enabled by
/// the user. /// the user.
struct CStringChecksFilter { struct CStringChecksFilter {
DefaultBool CheckCStringNullArg; DefaultBool CheckCStringNullArg;
DefaultBool CheckCStringOutOfBounds; DefaultBool CheckCStringOutOfBounds;
DefaultBool CheckCStringBufferOverlap; DefaultBool CheckCStringBufferOverlap;
DefaultBool CheckCStringNotNullTerm; DefaultBool CheckCStringNotNullTerm;
DefaultBool CheckCStringUninitializedRead;
CheckerNameRef CheckNameCStringNullArg; CheckerNameRef CheckNameCStringNullArg;
CheckerNameRef CheckNameCStringOutOfBounds; CheckerNameRef CheckNameCStringOutOfBounds;
CheckerNameRef CheckNameCStringBufferOverlap; CheckerNameRef CheckNameCStringBufferOverlap;
CheckerNameRef CheckNameCStringNotNullTerm; CheckerNameRef CheckNameCStringNotNullTerm;
CheckerNameRef CheckNameCStringUninitializedRead;
}; };
CStringChecksFilter Filter; CStringChecksFilter Filter;
static void *getTag() { static int tag; return &tag; } static void *getTag() { static int tag; return &tag; }
bool evalCall(const CallEvent &Call, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
▲ Show 20 LinesShow All 144 Lines▼ Show 20 Linespublic:
void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S, void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
StringRef WarningMsg) const; StringRef WarningMsg) const;
void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State, void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
const Stmt *S, StringRef WarningMsg) const; const Stmt *S, StringRef WarningMsg) const;
void emitNotCStringBug(CheckerContext &C, ProgramStateRef State, void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
const Stmt *S, StringRef WarningMsg) const; const Stmt *S, StringRef WarningMsg) const;
void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const; void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
ProgramStateRef checkAdditionOverflow(CheckerContext &C, ProgramStateRef checkAdditionOverflow(CheckerContext &C,
steakhalUnsubmitted
Done
ReplyInline Actions
void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
- void emitUninitializedRead(CheckerContext &C, ProgramStateRef State,
+ void emitUninitializedReadBug(CheckerContext &C, ProgramStateRef State,
const Expr *E) const;
steakhal:
ProgramStateRef state, ProgramStateRef state,
NonLoc left, NonLoc left,
NonLoc right) const; NonLoc right) const;
// Return true if the destination buffer of the copy function may be in bound. // Return true if the destination buffer of the copy function may be in bound.
// Expects SVal of Size to be positive and unsigned. // Expects SVal of Size to be positive and unsigned.
// Expects SVal of FirstBuf to be a FieldRegion. // Expects SVal of FirstBuf to be a FieldRegion.
static bool IsFirstBufInBound(CheckerContext &C, static bool IsFirstBufInBound(CheckerContext &C,
▲ Show 20 LinesShow All 93 Lines▼ Show 20 Lines if (StOutBound && !StInBound) {
// Emit a bug report. // Emit a bug report.
ErrorMessage Message = ErrorMessage Message =
createOutOfBoundErrorMsg(CurrentFunctionDescription, Access); createOutOfBoundErrorMsg(CurrentFunctionDescription, Access);
emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message); emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message);
return nullptr; return nullptr;
} }
// Ensure that we wouldn't read uninitialized value.
if (Access == AccessKind::read) {
if (Filter.CheckCStringUninitializedRead &&
steakhalUnsubmitted
Done
ReplyInline Actions
if (Access == AccessKind::read) {
- if (StInBound->getSVal(ER).isUndef()) {
+ if (CheckCStringUninitializedRead && StInBound->getSVal(ER).isUndef()) {
emitUninitializedReadBug(C, StInBound, Buffer.Expression);

You should make this check optional, only if the 'checker' was enabled.

steakhal: You should make this check optional, only if the 'checker' was enabled.
StInBound->getSVal(ER).isUndef()) {
steakhalUnsubmitted
Done
ReplyInline Actions

Remove this line.

steakhal: Remove this line.
emitUninitializedReadBug(C, StInBound, Buffer.Expression);
return nullptr;
}
}
// Array bound check succeeded. From this point forward the array bound // Array bound check succeeded. From this point forward the array bound
// should always succeed. // should always succeed.
return StInBound; return StInBound;
} }
ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C, ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
ProgramStateRef State, ProgramStateRef State,
AnyArgExpr Buffer, AnyArgExpr Buffer,
▲ Show 20 LinesShow All 195 Lines▼ Show 20 Lines if (ExplodedNode *N = C.generateErrorNode(State)) {
auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N); auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N);
Report->addRange(S->getSourceRange()); Report->addRange(S->getSourceRange());
if (const auto *Ex = dyn_cast<Expr>(S)) if (const auto *Ex = dyn_cast<Expr>(S))
bugreporter::trackExpressionValue(N, Ex, *Report); bugreporter::trackExpressionValue(N, Ex, *Report);
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
} }
} }
void CStringChecker::emitUninitializedReadBug(CheckerContext &C,
ProgramStateRef State,
const Expr *E) const {
if (ExplodedNode *N = C.generateErrorNode(State)) {
const char *Msg =
NoQUnsubmitted
Done
ReplyInline Actions

Yeah, dumps need to be removed from the final code.

NoQ: Yeah, dumps need to be removed from the final code.
"Bytes string function accesses uninitialized/garbage values";
if (!BT_UninitRead)
BT_UninitRead.reset(
new BuiltinBug(Filter.CheckNameCStringUninitializedRead,
"Accessing unitialized/garbage values", Msg));
BuiltinBug *BT = static_cast<BuiltinBug *>(BT_UninitRead.get());
auto Report = std::make_unique<PathSensitiveBugReport>(*BT, Msg, N);
Report->addRange(E->getSourceRange());
bugreporter::trackExpressionValue(N, E, *Report);
C.emitReport(std::move(Report));
}
}
void CStringChecker::emitOutOfBoundsBug(CheckerContext &C, void CStringChecker::emitOutOfBoundsBug(CheckerContext &C,
ProgramStateRef State, const Stmt *S, ProgramStateRef State, const Stmt *S,
StringRef WarningMsg) const { StringRef WarningMsg) const {
if (ExplodedNode *N = C.generateErrorNode(State)) { if (ExplodedNode *N = C.generateErrorNode(State)) {
if (!BT_Bounds) if (!BT_Bounds)
BT_Bounds.reset(new BuiltinBug( BT_Bounds.reset(new BuiltinBug(
Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds
: Filter.CheckNameCStringNullArg, : Filter.CheckNameCStringNullArg,
▲ Show 20 LinesShow All 1,864 Lines▼ Show 20 Lines#define REGISTER_CHECKER(name) \
} \ } \
\ \
bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; } bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
REGISTER_CHECKER(CStringNullArg) REGISTER_CHECKER(CStringNullArg)
REGISTER_CHECKER(CStringOutOfBounds) REGISTER_CHECKER(CStringOutOfBounds)
REGISTER_CHECKER(CStringBufferOverlap) REGISTER_CHECKER(CStringBufferOverlap)
REGISTER_CHECKER(CStringNotNullTerm) REGISTER_CHECKER(CStringNotNullTerm)
REGISTER_CHECKER(CStringUninitializedRead)
No newline at end of file

clang/test/Analysis/bstring.c

// RUN: %clang_analyze_cc1 -verify %s \ // RUN: %clang_analyze_cc1 -verify %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring \ // RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=alpha.unix.cstring \ // RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-disable-checker=alpha.unix.cstring.UninitializedRead \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false // RUN: -analyzer-config eagerly-assume=false
// //
// RUN: %clang_analyze_cc1 -verify %s -DUSE_BUILTINS \ // RUN: %clang_analyze_cc1 -verify %s -DUSE_BUILTINS \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring \ // RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=alpha.unix.cstring \ // RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-disable-checker=alpha.unix.cstring.UninitializedRead \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false // RUN: -analyzer-config eagerly-assume=false
// //
// RUN: %clang_analyze_cc1 -verify %s -DVARIANT \ // RUN: %clang_analyze_cc1 -verify %s -DVARIANT \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring \ // RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=alpha.unix.cstring \ // RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-disable-checker=alpha.unix.cstring.UninitializedRead \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false // RUN: -analyzer-config eagerly-assume=false
// //
// RUN: %clang_analyze_cc1 -verify %s -DUSE_BUILTINS -DVARIANT \ // RUN: %clang_analyze_cc1 -verify %s -DUSE_BUILTINS -DVARIANT \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring \ // RUN: -analyzer-checker=unix.cstring \
// RUN: -analyzer-checker=alpha.unix.cstring \ // RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-disable-checker=alpha.unix.cstring.UninitializedRead \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false // RUN: -analyzer-config eagerly-assume=false
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
// Declarations // Declarations
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
// Some functions are so similar to each other that they follow the same code // Some functions are so similar to each other that they follow the same code
▲ Show 20 LinesShow All 253 Lines▼ Show 20 Linesvoid mempcpy12(void) {
mempcpy(0, a, 0); // no-warning mempcpy(0, a, 0); // no-warning
} }
void mempcpy13(void) { void mempcpy13(void) {
char a[4] = {0}; char a[4] = {0};
mempcpy(a, 0, 0); // no-warning mempcpy(a, 0, 0); // no-warning
} }
void mempcpy14(void) { void mempcpy14(void) {
int src[] = {1, 2, 3, 4}; int src[] = {1, 2, 3, 4};
int dst[5] = {0}; int dst[5] = {0};
int *p; int *p;
p = mempcpy(dst, src, 4 * sizeof(int)); p = mempcpy(dst, src, 4 * sizeof(int));
clang_analyzer_eval(p == &dst[4]); // expected-warning{{TRUE}} clang_analyzer_eval(p == &dst[4]); // expected-warning{{TRUE}}
NoQUnsubmitted
Done
ReplyInline Actions

Hmm, given that your change suppresses some existing tests, maybe disable your checker on this file and copy the updated tests to a new file that would have the checker enabled?

NoQ: Hmm, given that your change suppresses some existing tests, maybe disable your checker on this…
phyBracketsAuthorUnsubmitted
Not Done
ReplyInline Actions

I don't know how will it affect that but still that's an exception and from these exceptions test cases, we are updated about how it gonna fail on some tests cases and try to work on those exceptions.

phyBrackets: I don't know how will it affect that but still that's an exception and from these exceptions…
} }
steakhalUnsubmitted
Not Done
ReplyInline Actions

Basically, the store has 4 direct bindings for the src cluster.
At bit offset 0, 32, 64, 96, the values 1, 2, 3, 4 (ints) respectively.
However, in the memcopy modeling, we calculate the byte offset of the very last touched byte, which is byte 15.
Consequently, we will do a lookup in the store for acquiring a binding starting at bit offset 15*8, aka. 120.
However, there is no binding for that offset. What we have instead, is a binding starting at offset 96, associating an integer, which is 4 bytes long, thus this entry actually refers to the bits [96-128], so it overlaps with the byte at [120-128].
From this, we should be able to prove that the given bits must have been initialized to some value.

What I cannot remember off the top of my head, what was the type of the ER. I hope it was char, but I cannot recall.
If that was char, then we have a bug in the store.

steakhal: Basically, the store has 4 direct bindings for the `src` cluster. At bit offset 0, 32, 64, 96…
NoQUnsubmitted
Not Done
ReplyInline Actions

Yes, this is correct. It looks like we can't have this check until we address 43459.

NoQ: Yes, this is correct. It looks like we can't have this check until we address [[ https://github.
struct st { struct st {
int i; int i;
int j; int j;
}; };
void mempcpy15(void) { void mempcpy15(void) {
struct st s1 = {0}; struct st s1 = {0};
struct st s2; struct st s2;
struct st *p1; struct st *p1;
struct st *p2; struct st *p2;
p1 = (&s2) + 1; p1 = (&s2) + 1;
p2 = mempcpy(&s2, &s1, sizeof(struct st)); p2 = mempcpy(&s2, &s1, sizeof(struct st));
clang_analyzer_eval(p1 == p2); // expected-warning{{TRUE}} clang_analyzer_eval(p1 == p2); // expected-warning{{TRUE}}
} }
void mempcpy16(void) { void mempcpy16(void) {
struct st s1[10] = {{0}}; struct st s1[10] = {{0}};
struct st s2[10]; struct st s2[10];
struct st *p1; struct st *p1;
struct st *p2; struct st *p2;
▲ Show 20 LinesShow All 202 LinesShow Last 20 Lines

clang/test/Analysis/bstring_UninitRead.c

  • This file was added.
// RUN: %clang_analyze_cc1 -verify %s \
// RUN: -analyzer-checker=core,alpha.unix.cstring
steakhalUnsubmitted
Done
ReplyInline Actions
// RUN: %clang_analyze_cc1 -verify %s \
- // RUN: -analyzer-checker=alpha.unix.cstring
+ // RUN: -analyzer-checker=core,alpha.unix.cstring
// This file is generally for the alpha.unix.cstring.UninitializedRead Checker, the reason for putting it into
steakhal:
phyBracketsAuthorUnsubmitted
Done
ReplyInline Actions

Yeah done! Thanks

phyBrackets: Yeah done! Thanks
// This file is generally for the alpha.unix.cstring.UninitializedRead Checker, the reason for putting it into
// the separate file because the checker is break the some existing test cases in bstring.c file , so we don't
// wanna mess up with some existing test case so it's better to create separate file for it, this file also include
// the broken test for the reference in future about the broken tests.
typedef typeof(sizeof(int)) size_t;
void clang_analyzer_eval(int);
void *memcpy(void *restrict s1, const void *restrict s2, size_t n);
void top(char *dst) {
char buf[10];
memcpy(dst, buf, 10); // expected-warning{{Bytes string function accesses uninitialized/garbage values}}
(void)buf;
}
//===----------------------------------------------------------------------===
// mempcpy()
//===----------------------------------------------------------------------===
void *mempcpy(void *restrict s1, const void *restrict s2, size_t n);
void mempcpy14() {
int src[] = {1, 2, 3, 4};
int dst[5] = {0};
int *p;
p = mempcpy(dst, src, 4 * sizeof(int)); // expected-warning{{Bytes string function accesses uninitialized/garbage values}}
// FIXME: This behaviour is actually surprising and needs to be fixed,
// mempcpy seems to consider the very last byte of the src buffer uninitialized
// and returning undef unfortunately. It should have returned unknown or a conjured value instead.
clang_analyzer_eval(p == &dst[4]); // no-warning (above is fatal)
}
struct st {
int i;
int j;
};
void mempcpy15() {
struct st s1 = {0};
struct st s2;
struct st *p1;
struct st *p2;
p1 = (&s2) + 1;
p2 = mempcpy(&s2, &s1, sizeof(struct st)); // expected-warning{{Bytes string function accesses uninitialized/garbage values}}
// FIXME: It seems same as mempcpy14() case.
clang_analyzer_eval(p1 == p2); // no-warning (above is fatal)
}
steakhalUnsubmitted
Done
ReplyInline Actions
int *p;
p = mempcpy(dst, src, 4 * sizeof(int)); // expected-warning{{Bytes string function accesses uninitialized/garbage values}}
- // FIXME: This behaviour is actually Unexpected and needs to be fix,
- // mempcpy seems to consider the src buffered byte as uninitialized
- // and returning undef which is actually not the case It should return something like Unknown .
+ // FIXME: This behaviour is actually surprising and needs to be fixed,
+ // mempcpy seems to consider the very last byte of the src buffer uninitialized
+ // and returning undef unfortunately. It should have returned unknown or a conjured value instead.
clang_analyzer_eval(p == &dst[4]); // no-warning (above is fatal)
steakhal:
steakhalUnsubmitted
Done
ReplyInline Actions

I don't think you should copy these as well.
The matching logic is already tested in bstring.c.

That being said, a single RUN line should be enough in this file.

steakhal: I don't think you should copy these as well. The matching logic is already tested in `bstring.
phyBracketsAuthorUnsubmitted
Done
ReplyInline Actions

I'm not able to run test successfully with single RUN ,

// RUN: -analyzer-checker=alpha.unix.cstring.UninitializedRead
phyBrackets: I'm not able to run test successfully with single RUN , ``` // RUN: -analyzer-checker=alpha.
phyBracketsAuthorUnsubmitted
Done
ReplyInline Actions

wait , I think I got this! Thanks

phyBrackets: wait , I think I got this! Thanks