This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
docs/
1
ReleaseNotes.rst
-
analyzer/
10/10
checkers.rst
-
include/clang/StaticAnalyzer/Checkers/
-
clang/
-
StaticAnalyzer/
-
Checkers/
11/11
Checkers.td
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
CMakeLists.txt
26/27
ErrnoChecker.cpp
5/6
ErrnoModeling.h
9/10
ErrnoModeling.cpp
-
ErrnoTesterChecker.cpp
-
test/Analysis/
-
Analysis/
-
analyzer-config.c
-
errno-notes.c
-
errno-options.c
3/3
errno.c

Differential D122150

[clang][analyzer] Add checker for bad use of 'errno'.
ClosedPublic

Authored by balazske on Mar 21 2022, 8:30 AM.

Download Raw Diff

Details

Reviewers

Szelethus
martong
steakhal
NoQ
ASDenysPetrov

Commits

rG60f3b071185b: [clang][analyzer] Add checker for bad use of 'errno'.

Summary

Extend checker 'ErrnoModeling' with a state of 'errno' to indicate
the importance of the 'errno' value and how it should be used.
Add a new checker 'ErrnoChecker' that observes use of 'errno' and
finds possible wrong uses, based on the "errno state".
The "errno state" should be set (together with value of 'errno')
by other checkers (that perform modeling of the given function)
in the future. Currently only a test function can set this value.
The new checker has no user-observable effect yet.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

balazske created this revision.Mar 21 2022, 8:30 AM

Herald added a reviewer: Szelethus. · View Herald TranscriptMar 21 2022, 8:30 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: steakhal, manas, ASDenysPetrov and 11 others. · View Herald Transcript

balazske requested review of this revision.Mar 21 2022, 8:30 AM

Herald added a project: Restricted Project. · View Herald TranscriptMar 21 2022, 8:30 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Harbormaster completed remote builds in B155410: Diff 416967.Mar 21 2022, 10:10 AM

This checker is made to add a partial support for CERT rule ERR30-C . One part of the rule is "check errno only after the function returns a value indicating failure".

To make this check possible the function (one that sets errno in some way) should be modeled by another checker that knows when a failure-indication value is returned from the function. In (but only in) that case the function sets value of errno. Return value of the function call should be constrained by the modeling checker to the failure-indicating values if the errno value is set, otherwise to some other values (a state split is needed).

The new API allows to set the errno value only together with an "errno check state". This state indicates how to handle the errno value by the ErrnoChecker. This information is available at the modeling of the errno-setting function. The CERT rule specifies classes of functions, including "functions that set errno and return an out-of-band error indicator" and "set errno and return an in-band error indicator". At the out-of-band case the errno value is not required to be checked, failure can be observed by check of the return value. At the in-band case the return value at failure is a valid return value too, here errno must be checked to observe if the function has failed. This case is modeled by the Errno_MustBeChecked errno check state. At many functions value of errno may be undefined after the function call if the function has not failed (the function is not required to not change errno), this is modeled by the Errno_MustNotBeChecked value.

Herald added a subscriber: rnkovacs. · View Herald TranscriptMar 22 2022, 2:35 AM

Szelethus added a reviewer: ASDenysPetrov.Mar 22 2022, 5:51 AM

I'm liking it. We need to improve the diagnostics and the user-facing docs as well.

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
552	Then we should have documentation, and examples for it.
clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
48–50	One should not define member variables like this. The analysis engine might explore exploded nodes in an unpredictable order, invoking the checker's handler callbacks in an indeterminate order. You should have registered simple value traits for this purpose, associating the necessary information with a given State.
69–72	`Loc` always wrap a memregion of some sort.
115–117	I think an early return could have spared an indentation level in the outer scope.
199
204–207
clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
265–266
clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h
24	Did you consider enum classes?
42	I would appreciate some notes about when it returns `None`.
clang/test/Analysis/errno.c
73–75	We should have a note describing which function left the `errno` in an undefined/indeterminate state. You can chain multiple NoteTags by using the ExplodedNode returned by the `addTransition()` and passing it along if needed.
170	So this is the case when `errno` gets indirectly invalidated by some opaque function call. I see. However, it will test that the value associated with the errno region gets invalidated, that's fine. However, you should test if the metadata (the enum value) attached to memregion also gets invalidated. Please make sure you have tests for that as well. A `ErrnoTesterChecker_dumpCheckState()` should be perfect for this.

This revision now requires changes to proceed.Mar 22 2022, 5:56 AM

NoQ added inline comments.Mar 22 2022, 10:48 AM

clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
48–50	In this case it's probably fine given that the variable doesn't really change throughout a single ExplodedGraph construction. But I agree that it doesn't really make sense to cache this data; `getErrnoLoc()` an O(1) lookup anyway.
69–72	Nope; null pointer is a `Loc` but doesn't correspond to any memory region. I usually print out doxygen inheritance graphs: https://clang.llvm.org/doxygen/classclang_1_1ento_1_1SVal__inherit__graph.png https://clang.llvm.org/doxygen/classclang_1_1ento_1_1SymExpr__inherit__graph.png https://clang.llvm.org/doxygen/classclang_1_1ento_1_1MemRegion__inherit__graph.png and hang them on the wall near my desk. They're really handy. On a separate note, why not make this assertion part of `getErrnoLoc()`?
94	"May" is more neutral.
98	This path-insensitive note is attached to the exact same source location as the warning, right? I think this should be part of the warning instead. Something like this: foo(); // (1) path note: Call to 'foo()' indicates failure only by setting 'errno' bar(); // (2) warning: Value of 'errno' potentially overwritten by 'bar()' was not checked
105	Note that `checkBeginFunction()` is every time a nested stack frame is entered. This happens much more often than an update to the variable is needed.

steakhal added inline comments.Mar 22 2022, 11:31 AM

clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
69–72	ah true

balazske updated this revision to Diff 418238.Mar 25 2022, 8:34 AM

Address review comments.

Removed caching of errno-related values from the checker.
Added note tags.
Added documentation comments.

balazske marked 2 inline comments as done.Mar 25 2022, 8:37 AM

balazske added inline comments.

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
552	Yes this is missing. But currently the errno value is not set by any non-debug checker, if there is any real example in the documentation it will not work (until the function is modeled correctly). Adding errno support for the functions (or some of them) is a separate change, we can add documentation here and commit the changes together (as close as possible).
clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
69–72	This assert is not needed, the errno value has always a place that is a `MemRegion` according to how the `ErrnoModeling` works.
105	The "cached" errno values are removed, this function is not needed.
clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h
24	Originally it was enum class but I had to change it for some reason. Probably it did not have a default value.
clang/test/Analysis/errno.c
170	The check is now done indirectly by checking that no warning is produced.

This errno check will work if a state split is added at every standard function that may set errno at failure. (The success and failure branches have different errno check state, and probably different return value for the function.) Probably this is too many state splits. But a correct program should have anyway checks for the return value that make the same state splits.

Harbormaster completed remote builds in B156299: Diff 418238.Mar 25 2022, 9:49 AM

In D122150#3408156, @balazske wrote:

This errno check will work if a state split is added at every standard function that may set errno at failure. (The success and failure branches have different errno check state, and probably different return value for the function.) Probably this is too many state splits. But a correct program should have anyway checks for the return value that make the same state splits.

I think this is a good initiative and valuable work. You might be right about the too many state splits, however, we should measure this empirically. We should have a measurement on opensource projects to highlight peak memory usage and runtime discrepancies compared to the baseline. It might turn out that we indeed have to create a list of functions on which we are allowed to do the state split. Also, would be useful to evaluate the new reports.

balazske added a child revision: D125400: [clang][Analyzer] Add errno state to standard functions modeling..May 11 2022, 9:38 AM

added option to allow read-only of errno
other small change in the test checker

Harbormaster completed remote builds in B166923: Diff 432929.May 30 2022, 8:56 AM

rebase, fix of failing tests

Harbormaster completed remote builds in B167014: Diff 433046.May 31 2022, 4:24 AM

martong added inline comments.Jun 1 2022, 8:24 AM

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
554	I think this name would be much more easier to read.
clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
47	Or `in a statement without a condition` ?
68	Please add a documentation to this.

D126801 should simplify the reinterpret casts.

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
558	I think we have 'Hidden', but not 'Hide'. It means that it is a modeling checker. Any checker that emits diagnostics, should not be marked 'Hidden'.
clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
261–262	It looks odd that in the very next `if` block you have `II` and here you don't.
clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h
34	You don't need to prefix these with `Errno_`. It's already contained by a specific namespace. https://llvm.org/docs/CodingStandards.html#name-types-functions-variables-and-enumerators-properly Unless the enumerators are defined in their own small namespace or inside a class, enumerators should have a prefix corresponding to the enum declaration name

applied review comments, test improvement

balazske added inline comments.Jun 8 2022, 2:36 AM

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
558	This "Hide" applies for the option, not for the checker. It was copied from another place. I am not sure if it must be used here.

Harbormaster completed remote builds in B168501: Diff 435081.Jun 8 2022, 3:06 AM

martong added inline comments.Jun 9 2022, 3:24 AM

clang/docs/analyzer/checkers.rst
2553–2555	This sentence is a bit hard to follow, I'd split this up.
2559–2560	"all times" and "the first read" seems to be in contradiction to each other. Could you please rephrase? Use a standalone sentence that explains the "(at the first read)" part.
2560	?

fixed documentation, added release note

LGTM, it is a good start for an alpha checker.

clang/docs/ReleaseNotes.rst
585

Harbormaster completed remote builds in B168830: Diff 435557.Jun 9 2022, 8:44 AM

balazske mentioned this in D125400: [clang][Analyzer] Add errno state to standard functions modeling..Jun 10 2022, 12:24 AM

I believe evalAssume would be a better fit for diagnosing such issues, but I can see your point that we don't have CheckerContext there to emit reports.
That being said, the check::Location is the best alternative.

Please also check the not done comments.

clang/docs/analyzer/checkers.rst
2529	successful
2538–2539	Maybe place a crossref for this. Also, am I right that there is a CERT rule about this issue? We should probably mention that, while placing a crossref too.
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
550	antipatterns?
554	My problem with this name is that `Unconditional` seems to bind to the action, not to the place where the read happens (inside condition expressions). I find this pretty confusing. How about calling this `AllowReadingErrnoInsideConditionExpressions`. Still bad, but probably better.
558	Quote `CheckerBase.td:39` /// Marks the entry hidden. Hidden entries won't be displayed in /// -analyzer-checker-option-help. class HiddenEnum<bit val> { bit Val = val; } def DontHide : HiddenEnum<0>; def Hide : HiddenEnum<1>; I believe, we should expose this option. Otherwise why would we introduce it in the first place? The default value of this is actually `DontHide` in the `CmdLineOption<>` td class. So, you should be fine by simply omitting this keyword here.
clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
11–12	and the StdLibraryFunctionsChecker per D125400.
102–103	We should also handle `BinaryOperator` for conditional operators (EQ, NE, LT, LE, ...). Or at least leave a FIXME about this. Have a test demonstrating the behavior.
clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
255	I believe you no longer need to cast enums to numbers and back for enums and other types. `get<ErrnoState>()` should return the right type. See D126801.
274

applied review comments

balazske added inline comments.Jun 16 2022, 1:39 AM

clang/docs/analyzer/checkers.rst
2538–2539	Probably there is not a preferred or "standard" site for man page lookup and it can be done from command line too. But I can include a POSIX link https://pubs.opengroup.org/onlinepubs/9699919799/.
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
550	I like "improper use of `errno`" better, it is similar to `HelpText` of other checkers.
clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
102–103	The idea is here that this search does not stop at binary operators but goes up the AST until a condition is found.
clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
255	How to handle if no value exists?
261–262	I do not get what you mean here.
274	I can not omit `c_str`, there is a compile error probably related to lambda return type.
clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h
34	Without `Errno_` these sound too generic. Probably have only `Errno` prefix, not `Errno_`?

Harbormaster completed remote builds in B170210: Diff 437471.Jun 16 2022, 3:20 AM

Use typed state trait.

Harbormaster completed remote builds in B170240: Diff 437513.Jun 16 2022, 5:51 AM

It looks great.
Let me check the test coverage and the generated docs page it everything looks great.

clang/docs/analyzer/checkers.rst
2538
2540	Please mention at least one of those functions.
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
553–554	Well, now I see why you marked this `Hide` previously. This is a modeling checker, thus it won't appear in the documentation nor in the `-analyzer-checker-help` etc. Interestingly, other checkers mark some options `Hide` and other times `DontHide`. E.g. `DynamicMemoryModeling.Optimistic` is displayed, but the `DynamicMemoryModeling.AddNoOwnershipChangeNotes` is hidden. Whatever.
clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
47	I don't really understand this comment. What is a non-condition part of a statement?
146	Might be more readable to early return instead.
206	Does this refer to the callsite or to the Decl location? I think the former, which would be a bug I think.
clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
261–262	I was thinking about this: bool isErrno(const Decl D) { if (const auto VD = dyn_cast_or_null<VarDecl>(D)) if (const IdentifierInfo II = VD->getIdentifier()) return II->getName() == ErrnoVarName; if (const auto FD = dyn_cast_or_null<FunctionDecl>(D)) if (const IdentifierInfo *II = FD->getIdentifier()) return llvm::is_contained(ErrnoLocationFuncNames, II->getName()); return false; } This way both checks would follow the same pattern, symmetry.
274	Yes, you will need to specify explicitly the return type of the lambda: `-> std::string`.
clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h
34	But you always refer to it by it's qualified name: `errno_modeling::Errno_Irrelevant`. In which case this prefix is just noise IMO. That's what I'm about.

steakhal added inline comments.Jun 16 2022, 6:36 AM

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
73	You will need this to get it compiled.

Awesome!

The generated doc section looks great. The test coverage it excellent, but I would recommend adding tests for covering the following lines:

ErrnoChecker.cpp:99
ErrnoModeling.cpp:259
ErrnoModeling.cpp:264

There are two other uncovered cases, but those are mainly defensive checks, so I don't mind them.

clang/docs/analyzer/checkers.rst
2565	by
2586	I think it should be surrounded by double backticks. It looks ugly this way:

Removed Errno_ prefix from ErrnoCheckState, documentation fixes, other small fixes.

Harbormaster completed remote builds in B170528: Diff 437922.Jun 17 2022, 10:06 AM

steakhal accepted this revision.Jun 19 2022, 12:57 AM

steakhal added inline comments.

clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
48	You prefixed the previous two keywords with the `\c` marker. Why is it missing from the `switch`?
101	Oh, so the test added for this actually uncovered a bug?

This revision is now accepted and ready to land.Jun 19 2022, 12:57 AM

balazske marked an inline comment as done.Jun 20 2022, 12:41 AM

balazske added inline comments.

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
553–554	It looks good now, `ErrnoChecker` is not a modeling checker and the option should be accessible for users.
clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp
48	Is it really missing? (I do not check Doxygen documentation, probably the new documentation appears in the online pages after the commit.)
101	Yes: Even if it looks natural that `getCond` can be used the same way as at normal `ConditionalOperator` this is not true: It returns something other (casted or converted) than the root condition expressions.
146	There is a `else` part.
206	`CallF` is a `FunctionDecl` that should be the original (first) declaration of the function.

This revision was landed with ongoing or failed builds.Jun 20 2022, 1:08 AM

Closed by commit rG60f3b071185b: [clang][analyzer] Add checker for bad use of 'errno'. (authored by balazske). · Explain Why

This revision was automatically updated to reflect the committed changes.

balazske marked an inline comment as done.

balazske added a commit: rG60f3b071185b: [clang][analyzer] Add checker for bad use of 'errno'..

Revision Contents

Path

Size

clang/

docs/

ReleaseNotes.rst

4 lines

analyzer/

checkers.rst

69 lines

include/

clang/

StaticAnalyzer/

Checkers/

Checkers.td

12 lines

lib/

StaticAnalyzer/

Checkers/

1 line

249 lines

43 lines

59 lines

ErrnoTesterChecker.cpp

78 lines

test/

Analysis/

1 line

62 lines

55 lines

200 lines

Diff 438281

clang/docs/ReleaseNotes.rst

Show First 20 Lines • Show All 575 Lines • ▼ Show 20 Lines

- `New CTU implementation

to single-TU analysis, the lost reports are highly likely to be false

positives.

- Added a new checker ``alpha.unix.cstring.UninitializedRead`` this will check for uninitialized reads

from common memory copy/manipulation functions such as ``memcpy``, ``mempcpy``, ``memmove``, ``memcmp``, `

`strcmp``, ``strncmp``, ``strcpy``, ``strlen``, ``strsep`` and many more. Although

this checker currently is in list of alpha checkers due to a false positive.

- Added a new checker ``alpha.unix.Errno``. This can find the first read

of ``errno`` after successful standard function calls, such use of ``errno``

martongUnsubmitted

Not Done

- Added a new checker ``alpha.unix.Errno``. This can find the first read

- of ``errno`` after not failed standard function calls, such use of ``errno``

+ of ``errno`` after successful standard function calls, such use of ``errno``

could be unsafe.

martong:

could be unsafe.

- Deprecate the ``-analyzer-store region`` and

``-analyzer-opt-analyze-nested-blocks`` analyzer flags.

These flags are still accepted, but a warning will be displayed.

These flags will be rejected, thus turned into a hard error starting with

``clang-16``.

.. _release-notes-ubsan:

Show All 36 Lines

clang/docs/analyzer/checkers.rst

Show First 20 Lines • Show All 2,514 Lines • ▼ Show 20 Lines

void f();

void test() {

chroot("/usr/local");

f(); // warn: no call of chdir("/") immediately after chroot

}

.. _alpha-unix-Errno:

alpha.unix.Errno (C)

""""""""""""""""""""

Check for improper use of ``errno``.

This checker implements partially CERT rule

steakhalUnsubmitted

Done

successful

steakhal: successful

`ERR30-C. Set errno to zero before calling a library function known to set errno,

and check errno only after the function returns a value indicating failure

<https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152351>`_.

The checker can find the first read of ``errno`` after successful standard

function calls.

The C and POSIX standards often do not define if a standard library function

may change value of ``errno`` if the call does not fail.

Therefore, ``errno`` should only be used if it is known from the return value

steakhalUnsubmitted

Done

may change value of ``errno`` if the call does not fail.

- Therefore ``errno`` should only be used if it is known from the return value

+ Therefore, ``errno`` should only be used if it is known from the return value

of a function that the call has failed.

steakhal:

of a function that the call has failed.

steakhalUnsubmitted

Done

Maybe place a crossref for this.

Also, am I right that there is a CERT rule about this issue?
We should probably mention that, while placing a crossref too.

steakhal: Maybe place a crossref for this. Also, am I right that there is a CERT rule about this issue?

balazskeAuthorUnsubmitted

Done

Probably there is not a preferred or "standard" site for man page lookup and it can be done from command line too. But I can include a POSIX link https://pubs.opengroup.org/onlinepubs/9699919799/.

balazske: Probably there is not a preferred or "standard" site for man page lookup and it can be done…

There are exceptions to this rule (for example ``strtol``) but the affected

steakhalUnsubmitted

Done

Please mention at least one of those functions.

steakhal: Please mention at least one of those functions.

functions are not yet supported by the checker.

The return values for the failure cases are documented in the standard Linux man

pages of the functions and in the `POSIX standard <https://pubs.opengroup.org/onlinepubs/9699919799/>`_.

.. code-block:: c

int unsafe_errno_read(int sock, void *data, int data_size) {

if (send(sock, data, data_size, 0) != data_size) {

// 'send' can be successful even if not all data was sent

if (errno == 1) { // An undefined value may be read from 'errno'

return 0;

}

return 1;

}

martongUnsubmitted

Done

return 1;

}

The supported functions are the same that are modeled by checker

- :doc:`alpha.unix.StdCLibraryFunctionArgs` (and affect value of ``errno``),

- including effect of the ``ModelPOSIX`` option of that checker.

+ :doc:`alpha.unix.StdCLibraryFunctionArgs`. The ``ModelPOSIX`` option ...

**Parameters**

This sentence is a bit hard to follow, I'd split this up.

martong: This sentence is a bit hard to follow, I'd split this up.

The supported functions are the same that are modeled by checker

:ref:`alpha-unix-StdCLibraryFunctionArgs`.

The ``ModelPOSIX`` option of that checker affects the set of checked functions.

martongUnsubmitted

Done

The ``AllowUnconditionalErrnoRead`` option allows reads of the errno value all

- times if the value is not used as a condition (at the first read). For example

+ times if the value is not used in a condition (at the first read). For example

``errno`` can be stored into a variable without getting a warning from the

martong: ?

martongUnsubmitted

Done

"all times" and "the first read" seems to be in contradiction to each other. Could you please rephrase? Use a standalone sentence that explains the "(at the first read)" part.

martong: "all times" and "the first read" seems to be in contradiction to each other. Could you please…

**Parameters**

The ``AllowErrnoReadOutsideConditionExpressions`` option allows read of the

errno value if the value is not used in a condition (in ``if`` statements,

loops, conditional expressions, ``switch`` statements). For example ``errno``

steakhalUnsubmitted

Done

steakhal: by

can be stored into a variable without getting a warning by the checker.

.. code-block:: c

int unsafe_errno_read(int sock, void *data, int data_size) {

if (send(sock, data, data_size, 0) != data_size) {

int err = errno;

// warning if 'AllowErrnoReadOutsideConditionExpressions' is false

// no warning if 'AllowErrnoReadOutsideConditionExpressions' is true

}

return 1;

}

Default value of this option is ``true``. This allows save of the errno value

for possible later error handling.

**Limitations**

- Only the very first usage of ``errno`` is checked after an affected function

call. Value of ``errno`` is not followed when it is stored into a variable

or returned from a function.

steakhalUnsubmitted

Done

I think it should be surrounded by double backticks. It looks ugly this way:

steakhal: I think it should be surrounded by double backticks. It looks ugly this way: {F23478405}

- Documentation of function ``lseek`` is not clear about what happens if the

function returns different value than the expected file position but not -1.

To avoid possible false-positives ``errno`` is allowed to be used in this

case.

.. _alpha-unix-PthreadLock:

alpha.unix.PthreadLock (C)

""""""""""""""""""""""""""

Simple lock -> unlock checker.

Applies to: ``pthread_mutex_lock, pthread_rwlock_rdlock, pthread_rwlock_wrlock, lck_mtx_lock, lck_rw_lock_exclusive``

``lck_rw_lock_shared, pthread_mutex_trylock, pthread_rwlock_tryrdlock, pthread_rwlock_tryrwlock, lck_mtx_try_lock,

lck_rw_try_lock_exclusive, lck_rw_try_lock_shared, pthread_mutex_unlock, pthread_rwlock_unlock, lck_mtx_unlock, lck_rw_done``.

▲ Show 20 Lines • Show All 436 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 Lines • Show All 540 Lines • ▼ Show 20 Lines

def VforkChecker : Checker<"Vfork">, def VforkChecker : Checker<"Vfork">,

HelpText<"Check for proper usage of vfork">, HelpText<"Check for proper usage of vfork">,

Documentation<HasDocumentation>; Documentation<HasDocumentation>;

} // end "unix" } // end "unix"

let ParentPackage = UnixAlpha in { let ParentPackage = UnixAlpha in {

def ErrnoChecker : Checker<"Errno">,

HelpText<"Check for improper use of 'errno'">,

steakhalUnsubmitted

Done

antipatterns?

steakhal: antipatterns?

balazskeAuthorUnsubmitted

Done

I like "improper use of errno" better, it is similar to HelpText of other checkers.

balazske: I like "improper use of `errno`" better, it is similar to `HelpText` of other checkers.

Dependencies<[ErrnoModeling]>,

CheckerOptions<[

steakhalUnsubmitted

Done

Then we should have documentation, and examples for it.

steakhal: Then we should have documentation, and examples for it.

balazskeAuthorUnsubmitted

Done

Yes this is missing. But currently the errno value is not set by any non-debug checker, if there is any real example in the documentation it will not work (until the function is modeled correctly). Adding errno support for the functions (or some of them) is a separate change, we can add documentation here and commit the changes together (as close as possible).

balazske: Yes this is missing. But currently the errno value is not set by any non-debug checker, if…

CmdLineOption<Boolean,

"AllowErrnoReadOutsideConditionExpressions",

martongUnsubmitted

Done

CmdLineOption<Boolean,

- "AllowNonConditionErrnoRead",

+ "AllowUnconditionalErrnoRead",

"Allow read of undefined value from errno outside of conditions",

I think this name would be much more easier to read.

martong: I think this name would be much more easier to read.

steakhalUnsubmitted

Done

My problem with this name is that Unconditional seems to bind to the action, not to the place where the read happens (inside condition expressions).
I find this pretty confusing.

How about calling this AllowReadingErrnoInsideConditionExpressions. Still bad, but probably better.

steakhal: My problem with this name is that `Unconditional` seems to bind to the action, not to the place…

steakhalUnsubmitted

Done

Well, now I see why you marked this Hide previously.
This is a modeling checker, thus it won't appear in the documentation nor in the -analyzer-checker-help etc.

Interestingly, other checkers mark some options Hide and other times DontHide.
E.g. DynamicMemoryModeling.Optimistic is displayed, but the DynamicMemoryModeling.AddNoOwnershipChangeNotes is hidden.
Whatever.

steakhal: Well, now I see why you marked this `Hide` previously. This is a //modeling// checker, thus it…

balazskeAuthorUnsubmitted

Done

It looks good now, ErrnoChecker is not a modeling checker and the option should be accessible for users.

balazske: It looks good now, `ErrnoChecker` is not a modeling checker and the option should be accessible…

"Allow read of undefined value from errno outside of conditions",

"true",

InAlpha>,

]>,

steakhalUnsubmitted

Done

I think we have 'Hidden', but not 'Hide'.
It means that it is a modeling checker. Any checker that emits diagnostics, should not be marked 'Hidden'.

steakhal: I think we have 'Hidden', but not 'Hide'. It means that it is a modeling checker. Any checker…

balazskeAuthorUnsubmitted

Done

This "Hide" applies for the option, not for the checker. It was copied from another place. I am not sure if it must be used here.

balazske: This "Hide" applies for the option, not for the checker. It was copied from another place. I am…

steakhalUnsubmitted

Done

Quote CheckerBase.td:39

/// Marks the entry hidden. Hidden entries won't be displayed in
/// -analyzer-checker-option-help.
class HiddenEnum<bit val> {
  bit Val = val;
}
def DontHide : HiddenEnum<0>;
def Hide : HiddenEnum<1>;

I believe, we should expose this option. Otherwise why would we introduce it in the first place?
The default value of this is actually DontHide in the CmdLineOption<> td class. So, you should be fine by simply omitting this keyword here.

steakhal: Quote `CheckerBase.td:39` ``` /// Marks the entry hidden. Hidden entries won't be displayed in…

Documentation<HasDocumentation>;

def ChrootChecker : Checker<"Chroot">, def ChrootChecker : Checker<"Chroot">,

HelpText<"Check improper use of chroot">, HelpText<"Check improper use of chroot">,

Documentation<HasDocumentation>; Documentation<HasDocumentation>;

def PthreadLockChecker : Checker<"PthreadLock">, def PthreadLockChecker : Checker<"PthreadLock">,

HelpText<"Simple lock -> unlock checker">, HelpText<"Simple lock -> unlock checker">,

Dependencies<[PthreadLockBase]>, Dependencies<[PthreadLockBase]>,

Documentation<HasDocumentation>; Documentation<HasDocumentation>;

▲ Show 20 Lines • Show All 1,168 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show All 34 Lines	add_clang_library(clangStaticAnalyzerCheckers
DebugIteratorModeling.cpp		DebugIteratorModeling.cpp
DeleteWithNonVirtualDtorChecker.cpp		DeleteWithNonVirtualDtorChecker.cpp
DereferenceChecker.cpp		DereferenceChecker.cpp
DirectIvarAssignment.cpp		DirectIvarAssignment.cpp
DivZeroChecker.cpp		DivZeroChecker.cpp
DynamicTypePropagation.cpp		DynamicTypePropagation.cpp
DynamicTypeChecker.cpp		DynamicTypeChecker.cpp
EnumCastOutOfRangeChecker.cpp		EnumCastOutOfRangeChecker.cpp
		ErrnoChecker.cpp
ErrnoModeling.cpp		ErrnoModeling.cpp
ErrnoTesterChecker.cpp		ErrnoTesterChecker.cpp
ExprInspectionChecker.cpp		ExprInspectionChecker.cpp
FixedAddressChecker.cpp		FixedAddressChecker.cpp
FuchsiaHandleChecker.cpp		FuchsiaHandleChecker.cpp
GCDAntipatternChecker.cpp		GCDAntipatternChecker.cpp
GenericTaintChecker.cpp		GenericTaintChecker.cpp
GTestChecker.cpp		GTestChecker.cpp
▲ Show 20 Lines • Show All 98 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp

This file was added.

//=== ErrnoChecker.cpp ------------------------------------------*- C++ -*-===//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//===----------------------------------------------------------------------===//

// This defines an "errno checker" that can detect some invalid use of the

// system-defined value 'errno'. This checker works together with the

// ErrnoModeling checker and other checkers like StdCLibraryFunctions.

steakhalUnsubmitted

Done

and the StdLibraryFunctionsChecker per D125400.

steakhal: and the StdLibraryFunctionsChecker per D125400.

//===----------------------------------------------------------------------===//

#include "ErrnoModeling.h"

#include "clang/AST/ParentMapContext.h"

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"

#include "llvm/ADT/STLExtras.h"

using namespace clang;

using namespace ento;

using namespace errno_modeling;

namespace {

class ErrnoChecker

: public Checker<check::Location, check::PreCall, check::RegionChanges> {

public:

void checkLocation(SVal Loc, bool IsLoad, const Stmt *S,

CheckerContext &) const;

void checkPreCall(const CallEvent &Call, CheckerContext &C) const;

ProgramStateRef

checkRegionChanges(ProgramStateRef State,

const InvalidatedSymbols *Invalidated,

ArrayRef<const MemRegion *> ExplicitRegions,

ArrayRef<const MemRegion *> Regions,

const LocationContext *LCtx, const CallEvent *Call) const;

void checkBranchCondition(const Stmt *Condition, CheckerContext &Ctx) const;

/// Indicates if a read (load) of \c errno is allowed in a non-condition part

/// of \c if, \c switch, loop and conditional statements when the errno

martongUnsubmitted

Done

void checkBranchCondition(const Stmt *Condition, CheckerContext &Ctx) const;

- /// Indicates if a read (load) of 'errno' is allowed in a non-conditional

+ /// Indicates if a read (load) of 'errno' is allowed in a unconditional

/// statement.

Or in a statement without a condition ?

martong: Or `in a statement without a condition` ?

steakhalUnsubmitted

Done

I don't really understand this comment. What is a non-condition part of a statement?

steakhal: I don't really understand this comment. What is a //non-condition part of a statement//?

/// value may be undefined.

steakhalUnsubmitted

Done

You prefixed the previous two keywords with the \c marker. Why is it missing from the switch?

steakhal: You prefixed the previous two keywords with the `\c` marker. Why is it missing from the…

balazskeAuthorUnsubmitted

Done

Is it really missing? (I do not check Doxygen documentation, probably the new documentation appears in the online pages after the commit.)

balazske: Is it really missing? (I do not check Doxygen documentation, probably the new documentation…

bool AllowErrnoReadOutsideConditions = true;

steakhalUnsubmitted

Done

One should not define member variables like this.
The analysis engine might explore exploded nodes in an unpredictable order, invoking the checker's handler callbacks in an indeterminate order.
You should have registered simple value traits for this purpose, associating the necessary information with a given State.

steakhal: One should not define member variables like this. The analysis engine might explore exploded…

NoQUnsubmitted

Done

In this case it's probably fine given that the variable doesn't really change throughout a single ExplodedGraph construction. But I agree that it doesn't really make sense to cache this data; getErrnoLoc() an O(1) lookup anyway.

NoQ: In this case it's probably fine given that the variable doesn't really change throughout a…

private:

void generateErrnoNotCheckedBug(CheckerContext &C, ProgramStateRef State,

const MemRegion *ErrnoRegion,

const CallEvent *CallMayChangeErrno) const;

BugType BT_InvalidErrnoRead{this, "Value of 'errno' could be undefined",

"Error handling"};

BugType BT_ErrnoNotChecked{this, "Value of 'errno' was not checked",

"Error handling"};

};

} // namespace

static ProgramStateRef setErrnoStateIrrelevant(ProgramStateRef State) {

return setErrnoState(State, Irrelevant);

}

/// Check if a statement (expression) or an ancestor of it is in a condition

martongUnsubmitted

Done

Please add a documentation to this.

martong: Please add a documentation to this.

/// part of a (conditional, loop, switch) statement.

static bool isInCondition(const Stmt *S, CheckerContext &C) {

ParentMapContext &ParentCtx = C.getASTContext().getParentMapContext();

bool CondFound = false;

steakhalUnsubmitted

Done

Loc always wrap a memregion of some sort.

steakhal: `Loc` always wrap a memregion of some sort.

NoQUnsubmitted

Done

Nope; null pointer is a Loc but doesn't correspond to any memory region.

I usually print out doxygen inheritance graphs:

and hang them on the wall near my desk. They're really handy.

On a separate note, why not make this assertion part of getErrnoLoc()?

NoQ: Nope; null pointer is a `Loc` but doesn't correspond to any memory region. I usually print out…

steakhalUnsubmitted

Done

ah true

steakhal: ah true

balazskeAuthorUnsubmitted

Done

This assert is not needed, the errno value has always a place that is a MemRegion according to how the ErrnoModeling works.

balazske: This assert is not needed, the errno value has always a place that is a `MemRegion` according…

while (S && !CondFound) {

const DynTypedNodeList Parents = ParentCtx.getParents(*S);

if (Parents.empty())

break;

const auto *ParentS = Parents[0].get<Stmt>();

if (!ParentS || isa<CallExpr>(ParentS))

break;

switch (ParentS->getStmtClass()) {

case Expr::IfStmtClass:

CondFound = (S == cast<IfStmt>(ParentS)->getCond());

break;

case Expr::ForStmtClass:

CondFound = (S == cast<ForStmt>(ParentS)->getCond());

break;

case Expr::DoStmtClass:

CondFound = (S == cast<DoStmt>(ParentS)->getCond());

break;

case Expr::WhileStmtClass:

CondFound = (S == cast<WhileStmt>(ParentS)->getCond());

break;

case Expr::SwitchStmtClass:

CondFound = (S == cast<SwitchStmt>(ParentS)->getCond());

NoQUnsubmitted

Done

"May" is more neutral.

NoQ: "May" is more neutral.

break;

case Expr::ConditionalOperatorClass:

CondFound = (S == cast<ConditionalOperator>(ParentS)->getCond());

break;

NoQUnsubmitted

Done

This path-insensitive note is attached to the exact same source location as the warning, right? I think this should be part of the warning instead. Something like this:

foo(); // (1) path note: Call to 'foo()' indicates failure only by setting 'errno'
bar(); // (2) warning: Value of 'errno' potentially overwritten by 'bar()' was not checked

NoQ: This path-insensitive note is attached to the exact same source location as the warning, right?

case Expr::BinaryConditionalOperatorClass:

CondFound = (S == cast<BinaryConditionalOperator>(ParentS)->getCommon());

break;

steakhalUnsubmitted

Not Done

Oh, so the test added for this actually uncovered a bug?

steakhal: Oh, so the test added for this actually uncovered a bug?

balazskeAuthorUnsubmitted

Done

Yes: Even if it looks natural that getCond can be used the same way as at normal ConditionalOperator this is not true: It returns something other (casted or converted) than the root condition expressions.

balazske: Yes: Even if it looks natural that `getCond` can be used the same way as at normal…

default:

break;

steakhalUnsubmitted

Done

We should also handle BinaryOperator for conditional operators (EQ, NE, LT, LE, ...). Or at least leave a FIXME about this.
Have a test demonstrating the behavior.

steakhal: We should also handle `BinaryOperator` for conditional operators (EQ, NE, LT, LE, ...). Or at…

balazskeAuthorUnsubmitted

Done

The idea is here that this search does not stop at binary operators but goes up the AST until a condition is found.

balazske: The idea is here that this search does not stop at binary operators but goes up the AST until a…

}

S = ParentS;

NoQUnsubmitted

Done

Note that checkBeginFunction() is every time a nested stack frame is entered. This happens much more often than an update to the variable is needed.

NoQ: Note that `checkBeginFunction()` is every time a nested stack frame is entered. This happens…

balazskeAuthorUnsubmitted

Done

The "cached" errno values are removed, this function is not needed.

balazske: The "cached" errno values are removed, this function is not needed.

}

return CondFound;

}

void ErrnoChecker::generateErrnoNotCheckedBug(

CheckerContext &C, ProgramStateRef State, const MemRegion *ErrnoRegion,

const CallEvent *CallMayChangeErrno) const {

if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {

SmallString<100> StrBuf;

llvm::raw_svector_ostream OS(StrBuf);

if (CallMayChangeErrno) {

OS << "Value of 'errno' was not checked and may be overwritten by "

steakhalUnsubmitted

Done

I think an early return could have spared an indentation level in the outer scope.

steakhal: I think an early return could have spared an indentation level in the outer scope.

"function '";

const auto *CallD =

dyn_cast_or_null<FunctionDecl>(CallMayChangeErrno->getDecl());

assert(CallD && CallD->getIdentifier());

OS << CallD->getIdentifier()->getName() << "'";

} else {

OS << "Value of 'errno' was not checked and is overwritten here";

}

auto BR = std::make_unique<PathSensitiveBugReport>(BT_ErrnoNotChecked,

OS.str(), N);

BR->markInteresting(ErrnoRegion);

C.emitReport(std::move(BR));

}

void ErrnoChecker::checkLocation(SVal Loc, bool IsLoad, const Stmt *S,

CheckerContext &C) const {

Optional<ento::Loc> ErrnoLoc = getErrnoLoc(C.getState());

if (!ErrnoLoc)

return;

auto L = Loc.getAs<ento::Loc>();

if (!L || *ErrnoLoc != *L)

return;

ProgramStateRef State = C.getState();

ErrnoCheckState EState = getErrnoState(State);

if (IsLoad) {

steakhalUnsubmitted

Done

Might be more readable to early return instead.

steakhal: Might be more readable to early return instead.

balazskeAuthorUnsubmitted

Done

There is a else part.

balazske: There is a `else` part.

switch (EState) {

case MustNotBeChecked:

// Read of 'errno' when it may have undefined value.

if (!AllowErrnoReadOutsideConditions || isInCondition(S, C)) {

if (ExplodedNode *N = C.generateErrorNode()) {

auto BR = std::make_unique<PathSensitiveBugReport>(

BT_InvalidErrnoRead,

"An undefined value may be read from 'errno'", N);

BR->markInteresting(ErrnoLoc->getAsRegion());

C.emitReport(std::move(BR));

}

break;

case MustBeChecked:

// 'errno' has to be checked. A load is required for this, with no more

// information we can assume that it is checked somehow.

// After this place 'errno' is allowed to be read and written.

State = setErrnoStateIrrelevant(State);

C.addTransition(State);

break;

default:

break;

}

} else {

switch (EState) {

case MustBeChecked:

// 'errno' is overwritten without a read before but it should have been

// checked.

generateErrnoNotCheckedBug(C, setErrnoStateIrrelevant(State),

ErrnoLoc->getAsRegion(), nullptr);

break;

case MustNotBeChecked:

// Write to 'errno' when it is not allowed to be read.

// After this place 'errno' is allowed to be read and written.

State = setErrnoStateIrrelevant(State);

C.addTransition(State);

break;

default:

break;

}

void ErrnoChecker::checkPreCall(const CallEvent &Call,

CheckerContext &C) const {

const auto *CallF = dyn_cast_or_null<FunctionDecl>(Call.getDecl());

if (!CallF)

return;

CallF = CallF->getCanonicalDecl();

// If 'errno' must be checked, it should be done as soon as possible, and

// before any other call to a system function (something in a system header).

// To avoid use of a long list of functions that may change 'errno'

steakhalUnsubmitted

Done

// allow read and write without bug reports.

- if (llvm::find(Regions, ErrnoRegion) != Regions.end())

+ if (llvm::is_contained(Regions, ErrnoRegion))

return setErrnoStateIrrelevant(State);

steakhal:

// (which may be different with standard library versions) assume that any

// function can change it.

// A list of special functions can be used that are allowed here without

// generation of diagnostic. For now the only such case is 'errno' itself.

// Probably 'strerror'?

if (CallF->isExternC() && CallF->isGlobal() &&

C.getSourceManager().isInSystemHeader(CallF->getLocation()) &&

steakhalUnsubmitted

Done

Does this refer to the callsite or to the Decl location?
I think the former, which would be a bug I think.

steakhal: Does this refer to the callsite or to the Decl location? I think the former, which would be a…

balazskeAuthorUnsubmitted

Done

CallF is a FunctionDecl that should be the original (first) declaration of the function.

balazske: `CallF` is a `FunctionDecl` that should be the original (first) declaration of the function.

!isErrno(CallF)) {

steakhalUnsubmitted

Done

// The ErrnoRegion is not always found in the list in this case.

- const MemSpaceRegion *GlobalSystemSpace =

- State->getStateManager().getRegionManager().getGlobalsRegion(

- MemRegion::GlobalSystemSpaceRegionKind);

- if (llvm::find(Regions, GlobalSystemSpace) != Regions.end())

+ if (llvm::is_contained(Regions, ErrnoRegion->getMemorySpace()))

return setErrnoStateIrrelevant(State);

steakhal:

if (getErrnoState(C.getState()) == MustBeChecked) {

Optional<ento::Loc> ErrnoLoc = getErrnoLoc(C.getState());

assert(ErrnoLoc && "ErrnoLoc should exist if an errno state is set.");

generateErrnoNotCheckedBug(C, setErrnoStateIrrelevant(C.getState()),

ErrnoLoc->getAsRegion(), &Call);

}

ProgramStateRef ErrnoChecker::checkRegionChanges(

ProgramStateRef State, const InvalidatedSymbols *Invalidated,

ArrayRef<const MemRegion *> ExplicitRegions,

ArrayRef<const MemRegion *> Regions, const LocationContext *LCtx,

const CallEvent *Call) const {

Optional<ento::Loc> ErrnoLoc = getErrnoLoc(State);

if (!ErrnoLoc)

return State;

const MemRegion *ErrnoRegion = ErrnoLoc->getAsRegion();

// If 'errno' is invalidated we can not know if it is checked or written into,

// allow read and write without bug reports.

if (llvm::is_contained(Regions, ErrnoRegion))

return setErrnoStateIrrelevant(State);

// Always reset errno state when the system memory space is invalidated.

// The ErrnoRegion is not always found in the list in this case.

if (llvm::is_contained(Regions, ErrnoRegion->getMemorySpace()))

return setErrnoStateIrrelevant(State);

return State;

}

void ento::registerErrnoChecker(CheckerManager &mgr) {

const AnalyzerOptions &Opts = mgr.getAnalyzerOptions();

auto *Checker = mgr.registerChecker<ErrnoChecker>();

Checker->AllowErrnoReadOutsideConditions = Opts.getCheckerBooleanOption(

Checker, "AllowErrnoReadOutsideConditionExpressions");

}

bool ento::shouldRegisterErrnoChecker(const CheckerManager &mgr) {

return true;

}

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h

Show All 15 Lines

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"

namespace clang { namespace clang {

namespace ento { namespace ento {

namespace errno_modeling { namespace errno_modeling {

enum ErrnoCheckState : unsigned {

steakhalUnsubmitted

Not Done

Did you consider enum classes?

steakhal: Did you consider enum classes?

balazskeAuthorUnsubmitted

Done

Originally it was enum class but I had to change it for some reason. Probably it did not have a default value.

balazske: Originally it was enum class but I had to change it for some reason. Probably it did not have a…

/// We do not know anything about 'errno'.

Irrelevant = 0,

/// Value of 'errno' should be checked to find out if a previous function call

/// has failed.

MustBeChecked = 1,

/// Value of 'errno' is not allowed to be read, it can contain an unspecified

/// value.

MustNotBeChecked = 2

steakhalUnsubmitted

Done

/// value.

- Errno_MustNotBeChecked = 2

+ Errno_MustNotBeChecked = 2,

};

/// Returns the value of 'errno', if 'errno' was found in the AST.

You don't need to prefix these with Errno_. It's already contained by a specific namespace.
https://llvm.org/docs/CodingStandards.html#name-types-functions-variables-and-enumerators-properly

Unless the enumerators are defined in their own small namespace or inside a class, enumerators should have a prefix corresponding to the enum declaration name

steakhal: You don't need to prefix these with `Errno_`. It's already contained by a specific namespace.

balazskeAuthorUnsubmitted

Done

Without Errno_ these sound too generic. Probably have only Errno prefix, not Errno_?

balazske: Without `Errno_` these sound too generic. Probably have only `Errno` prefix, not `Errno_`?

steakhalUnsubmitted

Done

But you always refer to it by it's qualified name: errno_modeling::Errno_Irrelevant.
In which case this prefix is just noise IMO. That's what I'm about.

steakhal: But you always refer to it by it's qualified name: `errno_modeling::Errno_Irrelevant`. In which…

};

/// Returns the value of 'errno', if 'errno' was found in the AST. /// Returns the value of 'errno', if 'errno' was found in the AST.

llvm::Optional<SVal> getErrnoValue(ProgramStateRef State); llvm::Optional<SVal> getErrnoValue(ProgramStateRef State);

/// Returns the errno check state, \c Errno_Irrelevant if 'errno' was not found

/// (this is not the only case for that value).

ErrnoCheckState getErrnoState(ProgramStateRef State);

steakhalUnsubmitted

Done

I would appreciate some notes about when it returns None.

steakhal: I would appreciate some notes about when it returns `None`.

/// Returns the location that points to the \c MemoryRegion where the 'errno'

/// value is stored. Returns \c None if 'errno' was not found. Otherwise it

/// always returns a valid memory region in the system global memory space.

llvm::Optional<Loc> getErrnoLoc(ProgramStateRef State);

/// Set value of 'errno' to any SVal, if possible. /// Set value of 'errno' to any SVal, if possible.

/// The errno check state is set always when the 'errno' value is set.

ProgramStateRef setErrnoValue(ProgramStateRef State, ProgramStateRef setErrnoValue(ProgramStateRef State,

const LocationContext *LCtx, SVal Value); const LocationContext *LCtx, SVal Value,

ErrnoCheckState EState);

/// Set value of 'errno' to a concrete (signed) integer, if possible. /// Set value of 'errno' to a concrete (signed) integer, if possible.

/// The errno check state is set always when the 'errno' value is set.

ProgramStateRef setErrnoValue(ProgramStateRef State, CheckerContext &C, ProgramStateRef setErrnoValue(ProgramStateRef State, CheckerContext &C,

uint64_t Value); uint64_t Value, ErrnoCheckState EState);

/// Set the errno check state, do not modify the errno value.

ProgramStateRef setErrnoState(ProgramStateRef State, ErrnoCheckState EState);

/// Determine if a `Decl` node related to 'errno'.

/// This is true if the declaration is the errno variable or a function

/// that returns a pointer to the 'errno' value (usually the 'errno' macro is

/// defined with this function). \p D is not required to be a canonical

/// declaration.

bool isErrno(const Decl *D);

/// Create a NoteTag that displays the message if the 'errno' memory region is

/// marked as interesting, and resets the interestingness.

const NoteTag *getErrnoNoteTag(CheckerContext &C, const std::string &Message);

} // namespace errno_modeling } // namespace errno_modeling

} // namespace ento } // namespace ento

} // namespace clang } // namespace clang

#endif // LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ERRNOMODELING_H #endif // LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ERRNOMODELING_H

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp

Show First 20 Lines • Show All 64 Lines • ▼ Show 20 Lines

}; };

} // namespace } // namespace

/// Store a MemRegion that contains the 'errno' integer value. /// Store a MemRegion that contains the 'errno' integer value.

/// The value is null if the 'errno' value was not recognized in the AST. /// The value is null if the 'errno' value was not recognized in the AST.

REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoRegion, const MemRegion *) REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoRegion, const MemRegion *)

REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoState, errno_modeling::ErrnoCheckState)

steakhalUnsubmitted

Done

REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoRegion, const MemRegion *)

- REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoState, ErrnoCheckState)

+ REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoState, errno_modeling::ErrnoCheckState)

/// Search for a variable called "errno" in the AST.

You will need this to get it compiled.

steakhal: You will need this to get it compiled.

/// Search for a variable called "errno" in the AST. /// Search for a variable called "errno" in the AST.

/// Return nullptr if not found. /// Return nullptr if not found.

static const VarDecl *getErrnoVar(ASTContext &ACtx) { static const VarDecl *getErrnoVar(ASTContext &ACtx) {

IdentifierInfo &II = ACtx.Idents.get(ErrnoVarName); IdentifierInfo &II = ACtx.Idents.get(ErrnoVarName);

auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II); auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);

auto Found = llvm::find_if(LookupRes, [&ACtx](const Decl *D) { auto Found = llvm::find_if(LookupRes, [&ACtx](const Decl *D) {

if (auto *VD = dyn_cast<VarDecl>(D)) if (auto *VD = dyn_cast<VarDecl>(D))

return ACtx.getSourceManager().isInSystemHeader(VD->getLocation()) && return ACtx.getSourceManager().isInSystemHeader(VD->getLocation()) &&

▲ Show 20 Lines • Show All 55 Lines • ▼ Show 20 Lines if (const auto *ErrnoVar = dyn_cast_or_null<VarDecl>(ErrnoDecl)) {

// There is an external 'errno' variable. // There is an external 'errno' variable.

// Use its memory region. // Use its memory region.

// The memory region for an 'errno'-like variable is allocated in system // The memory region for an 'errno'-like variable is allocated in system

// space by MemRegionManager. // space by MemRegionManager.

const MemRegion *ErrnoR = const MemRegion *ErrnoR =

State->getRegion(ErrnoVar, C.getLocationContext()); State->getRegion(ErrnoVar, C.getLocationContext());

assert(ErrnoR && "Memory region should exist for the 'errno' variable."); assert(ErrnoR && "Memory region should exist for the 'errno' variable.");

State = State->set<ErrnoRegion>(ErrnoR); State = State->set<ErrnoRegion>(ErrnoR);

State = errno_modeling::setErrnoValue(State, C, 0); State =

errno_modeling::setErrnoValue(State, C, 0, errno_modeling::Irrelevant);

C.addTransition(State); C.addTransition(State);

} else if (ErrnoDecl) { } else if (ErrnoDecl) {

assert(isa<FunctionDecl>(ErrnoDecl) && "Invalid errno location function."); assert(isa<FunctionDecl>(ErrnoDecl) && "Invalid errno location function.");

// There is a function that returns the location of 'errno'. // There is a function that returns the location of 'errno'.

// We must create a memory region for it in system space. // We must create a memory region for it in system space.

// Currently a symbolic region is used with an artifical symbol. // Currently a symbolic region is used with an artifical symbol.

// FIXME: It is better to have a custom (new) kind of MemRegion for such // FIXME: It is better to have a custom (new) kind of MemRegion for such

// cases. // cases.

Show All 10 Lines const SymbolConjured *Sym = SVB.conjureSymbol(

ACtx.getLValueReferenceType(ACtx.IntTy), C.blockCount(), &ErrnoDecl); ACtx.getLValueReferenceType(ACtx.IntTy), C.blockCount(), &ErrnoDecl);

// The symbolic region is untyped, create a typed sub-region in it. // The symbolic region is untyped, create a typed sub-region in it.

// The ElementRegion is used to make the errno region a typed region. // The ElementRegion is used to make the errno region a typed region.

const MemRegion *ErrnoR = RMgr.getElementRegion( const MemRegion *ErrnoR = RMgr.getElementRegion(

ACtx.IntTy, SVB.makeZeroArrayIndex(), ACtx.IntTy, SVB.makeZeroArrayIndex(),

RMgr.getSymbolicRegion(Sym, GlobalSystemSpace), C.getASTContext()); RMgr.getSymbolicRegion(Sym, GlobalSystemSpace), C.getASTContext());

State = State->set<ErrnoRegion>(ErrnoR); State = State->set<ErrnoRegion>(ErrnoR);

State = errno_modeling::setErrnoValue(State, C, 0); State =

errno_modeling::setErrnoValue(State, C, 0, errno_modeling::Irrelevant);

C.addTransition(State); C.addTransition(State);

} }

bool ErrnoModeling::evalCall(const CallEvent &Call, CheckerContext &C) const { bool ErrnoModeling::evalCall(const CallEvent &Call, CheckerContext &C) const {

// Return location of "errno" at a call to an "errno address returning" // Return location of "errno" at a call to an "errno address returning"

// function. // function.

if (ErrnoLocationCalls.contains(Call)) { if (ErrnoLocationCalls.contains(Call)) {

Show All 10 Lines bool ErrnoModeling::evalCall(const CallEvent &Call, CheckerContext &C) const {

} }

return false; return false;

} }

void ErrnoModeling::checkLiveSymbols(ProgramStateRef State, void ErrnoModeling::checkLiveSymbols(ProgramStateRef State,

SymbolReaper &SR) const { SymbolReaper &SR) const {

// The special errno region should never garbage collected. // The special errno region should never garbage collected.

if (const MemRegion *ErrnoR = State->get<ErrnoRegion>()) if (const auto *ErrnoR = State->get<ErrnoRegion>())

SR.markLive(ErrnoR); SR.markLive(ErrnoR);

} }

namespace clang { namespace clang {

namespace ento { namespace ento {

namespace errno_modeling { namespace errno_modeling {

Optional<SVal> getErrnoValue(ProgramStateRef State) { Optional<SVal> getErrnoValue(ProgramStateRef State) {

const MemRegion *ErrnoR = State->get<ErrnoRegion>(); const MemRegion *ErrnoR = State->get<ErrnoRegion>();

if (!ErrnoR) if (!ErrnoR)

return {}; return {};

QualType IntTy = State->getAnalysisManager().getASTContext().IntTy; QualType IntTy = State->getAnalysisManager().getASTContext().IntTy;

return State->getSVal(ErrnoR, IntTy); return State->getSVal(ErrnoR, IntTy);

} }

ProgramStateRef setErrnoValue(ProgramStateRef State, ProgramStateRef setErrnoValue(ProgramStateRef State,

const LocationContext *LCtx, SVal Value) { const LocationContext *LCtx, SVal Value,

ErrnoCheckState EState) {

const MemRegion *ErrnoR = State->get<ErrnoRegion>(); const MemRegion *ErrnoR = State->get<ErrnoRegion>();

if (!ErrnoR) if (!ErrnoR)

return State; return State;

return State->bindLoc(loc::MemRegionVal{ErrnoR}, Value, LCtx); // First set the errno value, the old state is still available at 'checkBind'

// or 'checkLocation' for errno value.

State = State->bindLoc(loc::MemRegionVal{ErrnoR}, Value, LCtx);

return State->set<ErrnoState>(EState);

} }

ProgramStateRef setErrnoValue(ProgramStateRef State, CheckerContext &C, ProgramStateRef setErrnoValue(ProgramStateRef State, CheckerContext &C,

uint64_t Value) { uint64_t Value, ErrnoCheckState EState) {

const MemRegion *ErrnoR = State->get<ErrnoRegion>(); const MemRegion *ErrnoR = State->get<ErrnoRegion>();

if (!ErrnoR) if (!ErrnoR)

return State; return State;

return State->bindLoc( State = State->bindLoc(

loc::MemRegionVal{ErrnoR}, loc::MemRegionVal{ErrnoR},

C.getSValBuilder().makeIntVal(Value, C.getASTContext().IntTy), C.getSValBuilder().makeIntVal(Value, C.getASTContext().IntTy),

C.getLocationContext()); C.getLocationContext());

return State->set<ErrnoState>(EState);

}

Optional<Loc> getErrnoLoc(ProgramStateRef State) {

const MemRegion *ErrnoR = State->get<ErrnoRegion>();

if (!ErrnoR)

return {};

return loc::MemRegionVal{ErrnoR};

}

ProgramStateRef setErrnoState(ProgramStateRef State, ErrnoCheckState EState) {

return State->set<ErrnoState>(EState);

}

ErrnoCheckState getErrnoState(ProgramStateRef State) {

return State->get<ErrnoState>();

}

steakhalUnsubmitted

Done

I believe you no longer need to cast enums to numbers and back for enums and other types.
get<ErrnoState>() should return the right type.
See D126801.

steakhal: I believe you no longer need to cast enums to numbers and back for enums and other types.

balazskeAuthorUnsubmitted

Done

How to handle if no value exists?

balazske: How to handle if no value exists?

bool isErrno(const Decl *D) {

if (const auto *VD = dyn_cast_or_null<VarDecl>(D))

if (const IdentifierInfo *II = VD->getIdentifier())

return II->getName() == ErrnoVarName;

if (const auto *FD = dyn_cast_or_null<FunctionDecl>(D))

if (const IdentifierInfo *II = FD->getIdentifier())

steakhalUnsubmitted

Not Done

It looks odd that in the very next if block you have II and here you don't.

steakhal: It looks odd that in the very next `if` block you have `II` and here you don't.

balazskeAuthorUnsubmitted

Done

I do not get what you mean here.

balazske: I do not get what you mean here.

steakhalUnsubmitted

Done

I was thinking about this:

bool isErrno(const Decl *D) {
  if (const auto *VD = dyn_cast_or_null<VarDecl>(D))
    if (const IdentifierInfo *II = VD->getIdentifier())
      return II->getName() == ErrnoVarName;
  if (const auto *FD = dyn_cast_or_null<FunctionDecl>(D))
    if (const IdentifierInfo *II = FD->getIdentifier())
      return llvm::is_contained(ErrnoLocationFuncNames, II->getName());
  return false;
}

This way both checks would follow the same pattern, symmetry.

steakhal: I was thinking about this: ```lang=C++ bool isErrno(const Decl *D) { if (const auto *VD =…

return llvm::is_contained(ErrnoLocationFuncNames, II->getName());

return false;

}

steakhalUnsubmitted

Done

if (IdentifierInfo *II = FD->getIdentifier())

- return llvm::find(ErrnoLocationFuncNames, II->getName()) !=

- std::end(ErrnoLocationFuncNames);

+ return llvm::is_contained(ErrnoLocationFuncNames, II->getName());

return false;

steakhal:

const NoteTag *getErrnoNoteTag(CheckerContext &C, const std::string &Message) {

return C.getNoteTag([Message](PathSensitiveBugReport &BR) -> std::string {

const MemRegion *ErrnoR = BR.getErrorNode()->getState()->get<ErrnoRegion>();

if (ErrnoR && BR.isInteresting(ErrnoR)) {

BR.markNotInteresting(ErrnoR);

return Message;

}

return "";

steakhalUnsubmitted

Done

BR.markNotInteresting(ErrnoR);

- return Message.c_str();

+ return Message;

}

return "";

steakhal:

balazskeAuthorUnsubmitted

Done

I can not omit c_str, there is a compile error probably related to lambda return type.

balazske: I can not omit `c_str`, there is a compile error probably related to lambda return type.

steakhalUnsubmitted

Done

Yes, you will need to specify explicitly the return type of the lambda: -> std::string.

steakhal: Yes, you will need to specify explicitly the return type of the lambda: `-> std::string`.

});

} }

} // namespace errno_modeling } // namespace errno_modeling

} // namespace ento } // namespace ento

} // namespace clang } // namespace clang

void ento::registerErrnoModeling(CheckerManager &mgr) { void ento::registerErrnoModeling(CheckerManager &mgr) {

mgr.registerChecker<ErrnoModeling>(); mgr.registerChecker<ErrnoModeling>();

} }

bool ento::shouldRegisterErrnoModeling(const CheckerManager &mgr) { bool ento::shouldRegisterErrnoModeling(const CheckerManager &mgr) {

return true; return true;

} }

clang/lib/StaticAnalyzer/Checkers/ErrnoTesterChecker.cpp

	Show All 14 Lines
	#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"			#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
	#include "clang/StaticAnalyzer/Core/Checker.h"			#include "clang/StaticAnalyzer/Core/Checker.h"
	#include "clang/StaticAnalyzer/Core/CheckerManager.h"			#include "clang/StaticAnalyzer/Core/CheckerManager.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

	using namespace clang;			using namespace clang;
	using namespace ento;			using namespace ento;
				using namespace errno_modeling;

	namespace {			namespace {

	class ErrnoTesterChecker : public Checker<eval::Call> {			class ErrnoTesterChecker : public Checker<eval::Call> {
	public:			public:
	bool evalCall(const CallEvent &Call, CheckerContext &C) const;			bool evalCall(const CallEvent &Call, CheckerContext &C) const;

	private:			private:
				/// Evaluate function \code void ErrnoTesterChecker_setErrno(int) \endcode.
				/// Set value of \c errno to the argument.
	static void evalSetErrno(CheckerContext &C, const CallEvent &Call);			static void evalSetErrno(CheckerContext &C, const CallEvent &Call);
				/// Evaluate function \code int ErrnoTesterChecker_getErrno() \endcode.
				/// Return the value of \c errno.
	static void evalGetErrno(CheckerContext &C, const CallEvent &Call);			static void evalGetErrno(CheckerContext &C, const CallEvent &Call);
				/// Evaluate function \code int ErrnoTesterChecker_setErrnoIfError() \endcode.
				/// Simulate a standard library function tha returns 0 on success and 1 on
				/// failure. On the success case \c errno is not allowed to be used (may be
				/// undefined). On the failure case \c errno is set to a fixed value 11 and
				/// is not needed to be checked.
	static void evalSetErrnoIfError(CheckerContext &C, const CallEvent &Call);			static void evalSetErrnoIfError(CheckerContext &C, const CallEvent &Call);
				/// Evaluate function \code int ErrnoTesterChecker_setErrnoIfErrorRange()
				/// \endcode. Same as \c ErrnoTesterChecker_setErrnoIfError but \c errno is
				/// set to a range (to be nonzero) at the failure case.
	static void evalSetErrnoIfErrorRange(CheckerContext &C,			static void evalSetErrnoIfErrorRange(CheckerContext &C,
	const CallEvent &Call);			const CallEvent &Call);
				/// Evaluate function \code int ErrnoTesterChecker_setErrnoCheckState()
				/// \endcode. This function simulates the following:
				/// - Return 0 and leave \c errno with undefined value.
				/// This is the case of a successful standard function call.
				/// For example if \c ftell returns not -1.
				/// - Return 1 and sets \c errno to a specific error code (1).
				/// This is the case of a failed standard function call.
				/// The function indicates the failure by a special return value
				/// that is returned only at failure.
				/// \c errno can be checked but it is not required.
				/// For example if \c ftell returns -1.
				/// - Return 2 and may set errno to a value (actually it does not set it).
				/// This is the case of a standard function call where the failure can only
				/// be checked by reading from \c errno. The value of \c errno is changed by
				/// the function only at failure, the user should set \c errno to 0 before
				/// the call (\c ErrnoChecker does not check for this rule).
				/// \c strtol is an example of this case, if it returns \c LONG_MIN (or
				/// \c LONG_MAX). This case applies only if \c LONG_MIN or \c LONG_MAX is
				/// returned, otherwise the first case in this list applies.
				static void evalSetErrnoCheckState(CheckerContext &C, const CallEvent &Call);

	using EvalFn = std::function<void(CheckerContext &, const CallEvent &)>;			using EvalFn = std::function<void(CheckerContext &, const CallEvent &)>;
	const CallDescriptionMap<EvalFn> TestCalls{			const CallDescriptionMap<EvalFn> TestCalls{
	{{"ErrnoTesterChecker_setErrno", 1}, &ErrnoTesterChecker::evalSetErrno},			{{"ErrnoTesterChecker_setErrno", 1}, &ErrnoTesterChecker::evalSetErrno},
	{{"ErrnoTesterChecker_getErrno", 0}, &ErrnoTesterChecker::evalGetErrno},			{{"ErrnoTesterChecker_getErrno", 0}, &ErrnoTesterChecker::evalGetErrno},
	{{"ErrnoTesterChecker_setErrnoIfError", 0},			{{"ErrnoTesterChecker_setErrnoIfError", 0},
	&ErrnoTesterChecker::evalSetErrnoIfError},			&ErrnoTesterChecker::evalSetErrnoIfError},
	{{"ErrnoTesterChecker_setErrnoIfErrorRange", 0},			{{"ErrnoTesterChecker_setErrnoIfErrorRange", 0},
	&ErrnoTesterChecker::evalSetErrnoIfErrorRange}};			&ErrnoTesterChecker::evalSetErrnoIfErrorRange},
				{{"ErrnoTesterChecker_setErrnoCheckState", 0},
				&ErrnoTesterChecker::evalSetErrnoCheckState}};
	};			};

	} // namespace			} // namespace

	void ErrnoTesterChecker::evalSetErrno(CheckerContext &C,			void ErrnoTesterChecker::evalSetErrno(CheckerContext &C,
	const CallEvent &Call) {			const CallEvent &Call) {
	C.addTransition(errno_modeling::setErrnoValue(			C.addTransition(setErrnoValue(C.getState(), C.getLocationContext(),
	C.getState(), C.getLocationContext(), Call.getArgSVal(0)));			Call.getArgSVal(0), Irrelevant));
	}			}

	void ErrnoTesterChecker::evalGetErrno(CheckerContext &C,			void ErrnoTesterChecker::evalGetErrno(CheckerContext &C,
	const CallEvent &Call) {			const CallEvent &Call) {
	ProgramStateRef State = C.getState();			ProgramStateRef State = C.getState();

	Optional<SVal> ErrnoVal = errno_modeling::getErrnoValue(State);			Optional<SVal> ErrnoVal = getErrnoValue(State);
	assert(ErrnoVal && "Errno value should be available.");			assert(ErrnoVal && "Errno value should be available.");
	State =			State =
	State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), *ErrnoVal);			State->BindExpr(Call.getOriginExpr(), C.getLocationContext(), *ErrnoVal);

	C.addTransition(State);			C.addTransition(State);
	}			}

	void ErrnoTesterChecker::evalSetErrnoIfError(CheckerContext &C,			void ErrnoTesterChecker::evalSetErrnoIfError(CheckerContext &C,
	const CallEvent &Call) {			const CallEvent &Call) {
	ProgramStateRef State = C.getState();			ProgramStateRef State = C.getState();
	SValBuilder &SVB = C.getSValBuilder();			SValBuilder &SVB = C.getSValBuilder();

	ProgramStateRef StateSuccess = State->BindExpr(			ProgramStateRef StateSuccess = State->BindExpr(
	Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(0, true));			Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(0, true));
				StateSuccess = setErrnoState(StateSuccess, MustNotBeChecked);

	ProgramStateRef StateFailure = State->BindExpr(			ProgramStateRef StateFailure = State->BindExpr(
	Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(1, true));			Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(1, true));
	StateFailure = errno_modeling::setErrnoValue(StateFailure, C, 11);			StateFailure = setErrnoValue(StateFailure, C, 11, Irrelevant);

	C.addTransition(StateSuccess);			C.addTransition(StateSuccess);
	C.addTransition(StateFailure);			C.addTransition(StateFailure);
	}			}

	void ErrnoTesterChecker::evalSetErrnoIfErrorRange(CheckerContext &C,			void ErrnoTesterChecker::evalSetErrnoIfErrorRange(CheckerContext &C,
	const CallEvent &Call) {			const CallEvent &Call) {
	ProgramStateRef State = C.getState();			ProgramStateRef State = C.getState();
	SValBuilder &SVB = C.getSValBuilder();			SValBuilder &SVB = C.getSValBuilder();

	ProgramStateRef StateSuccess = State->BindExpr(			ProgramStateRef StateSuccess = State->BindExpr(
	Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(0, true));			Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(0, true));
				StateSuccess = setErrnoState(StateSuccess, MustNotBeChecked);

	ProgramStateRef StateFailure = State->BindExpr(			ProgramStateRef StateFailure = State->BindExpr(
	Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(1, true));			Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(1, true));
	DefinedOrUnknownSVal ErrnoVal = SVB.conjureSymbolVal(			DefinedOrUnknownSVal ErrnoVal = SVB.conjureSymbolVal(
	nullptr, Call.getOriginExpr(), C.getLocationContext(), C.blockCount());			nullptr, Call.getOriginExpr(), C.getLocationContext(), C.blockCount());
	StateFailure = StateFailure->assume(ErrnoVal, true);			StateFailure = StateFailure->assume(ErrnoVal, true);
	assert(StateFailure && "Failed to assume on an initial value.");			assert(StateFailure && "Failed to assume on an initial value.");
	StateFailure = errno_modeling::setErrnoValue(			StateFailure =
	StateFailure, C.getLocationContext(), ErrnoVal);			setErrnoValue(StateFailure, C.getLocationContext(), ErrnoVal, Irrelevant);

	C.addTransition(StateSuccess);			C.addTransition(StateSuccess);
	C.addTransition(StateFailure);			C.addTransition(StateFailure);
	}			}

				void ErrnoTesterChecker::evalSetErrnoCheckState(CheckerContext &C,
				const CallEvent &Call) {
				ProgramStateRef State = C.getState();
				SValBuilder &SVB = C.getSValBuilder();

				ProgramStateRef StateSuccess = State->BindExpr(
				Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(0, true));
				StateSuccess = setErrnoState(StateSuccess, MustNotBeChecked);

				ProgramStateRef StateFailure1 = State->BindExpr(
				Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(1, true));
				StateFailure1 = setErrnoValue(StateFailure1, C, 1, Irrelevant);

				ProgramStateRef StateFailure2 = State->BindExpr(
				Call.getOriginExpr(), C.getLocationContext(), SVB.makeIntVal(2, true));
				StateFailure2 = setErrnoValue(StateFailure2, C, 2, MustBeChecked);

				C.addTransition(StateSuccess,
				getErrnoNoteTag(C, "Assuming that this function succeeds but "
				"sets 'errno' to an unspecified value."));
				C.addTransition(StateFailure1);
				C.addTransition(
				StateFailure2,
				getErrnoNoteTag(C, "Assuming that this function returns 2. 'errno' "
				"should be checked to test for failure."));
				}

	bool ErrnoTesterChecker::evalCall(const CallEvent &Call,			bool ErrnoTesterChecker::evalCall(const CallEvent &Call,
	CheckerContext &C) const {			CheckerContext &C) const {
	const EvalFn *Fn = TestCalls.lookup(Call);			const EvalFn *Fn = TestCalls.lookup(Call);
	if (Fn) {			if (Fn) {
	(*Fn)(C, Call);			(*Fn)(C, Call);
	return C.isDifferent();			return C.isDifferent();
	}			}
	return false;			return false;
	Show All 9 Lines

clang/test/Analysis/analyzer-config.c

	// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ConfigDumper > %t 2>&1			// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ConfigDumper > %t 2>&1
	// RUN: FileCheck --input-file=%t %s --match-full-lines			// RUN: FileCheck --input-file=%t %s --match-full-lines

	// CHECK: [config]			// CHECK: [config]
	// CHECK-NEXT: add-pop-up-notes = true			// CHECK-NEXT: add-pop-up-notes = true
	// CHECK-NEXT: aggressive-binary-operation-simplification = false			// CHECK-NEXT: aggressive-binary-operation-simplification = false
	// CHECK-NEXT: alpha.clone.CloneChecker:IgnoredFilesPattern = ""			// CHECK-NEXT: alpha.clone.CloneChecker:IgnoredFilesPattern = ""
	// CHECK-NEXT: alpha.clone.CloneChecker:MinimumCloneComplexity = 50			// CHECK-NEXT: alpha.clone.CloneChecker:MinimumCloneComplexity = 50
	// CHECK-NEXT: alpha.clone.CloneChecker:ReportNormalClones = true			// CHECK-NEXT: alpha.clone.CloneChecker:ReportNormalClones = true
	// CHECK-NEXT: alpha.cplusplus.STLAlgorithmModeling:AggressiveStdFindModeling = false			// CHECK-NEXT: alpha.cplusplus.STLAlgorithmModeling:AggressiveStdFindModeling = false
	// CHECK-NEXT: alpha.osx.cocoa.DirectIvarAssignment:AnnotatedFunctions = false			// CHECK-NEXT: alpha.osx.cocoa.DirectIvarAssignment:AnnotatedFunctions = false
	// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtExec = 0x04			// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtExec = 0x04
	// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtRead = 0x01			// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtRead = 0x01
	// CHECK-NEXT: alpha.security.taint.TaintPropagation:Config = ""			// CHECK-NEXT: alpha.security.taint.TaintPropagation:Config = ""
				// CHECK-NEXT: alpha.unix.Errno:AllowErrnoReadOutsideConditionExpressions = true
	// CHECK-NEXT: apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries = false			// CHECK-NEXT: apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries = false
	// CHECK-NEXT: apiModeling.StdCLibraryFunctions:ModelPOSIX = false			// CHECK-NEXT: apiModeling.StdCLibraryFunctions:ModelPOSIX = false
	// CHECK-NEXT: apply-fixits = false			// CHECK-NEXT: apply-fixits = false
	// CHECK-NEXT: assume-controlled-environment = false			// CHECK-NEXT: assume-controlled-environment = false
	// CHECK-NEXT: avoid-suppressing-null-argument-paths = false			// CHECK-NEXT: avoid-suppressing-null-argument-paths = false
	// CHECK-NEXT: c++-allocator-inlining = true			// CHECK-NEXT: c++-allocator-inlining = true
	// CHECK-NEXT: c++-container-inlining = false			// CHECK-NEXT: c++-container-inlining = false
	// CHECK-NEXT: c++-inlining = destructors			// CHECK-NEXT: c++-inlining = destructors
	▲ Show 20 Lines • Show All 111 Lines • Show Last 20 Lines

clang/test/Analysis/errno-notes.c

This file was added.

				// RUN: %clang_analyze_cc1 -verify -analyzer-output text %s \
				// RUN: -analyzer-checker=core \
				// RUN: -analyzer-checker=apiModeling.Errno \
				// RUN: -analyzer-checker=debug.ExprInspection \
				// RUN: -analyzer-checker=debug.ErrnoTest \
				// RUN: -analyzer-checker=alpha.unix.Errno \
				// RUN: -DERRNO_VAR

				// RUN: %clang_analyze_cc1 -verify -analyzer-output text %s \
				// RUN: -analyzer-checker=core \
				// RUN: -analyzer-checker=apiModeling.Errno \
				// RUN: -analyzer-checker=debug.ExprInspection \
				// RUN: -analyzer-checker=debug.ErrnoTest \
				// RUN: -analyzer-checker=alpha.unix.Errno \
				// RUN: -DERRNO_FUNC

				#include "Inputs/errno_var.h"
				#include "Inputs/system-header-simulator.h"
				#ifdef ERRNO_VAR
				#include "Inputs/errno_var.h"
				#endif
				#ifdef ERRNO_FUNC
				#include "Inputs/errno_func.h"
				#endif

				int ErrnoTesterChecker_setErrnoCheckState();

				void something();

				void testErrnoCheckUndefRead() {
				int X = ErrnoTesterChecker_setErrnoCheckState();
				something();
				X = ErrnoTesterChecker_setErrnoCheckState(); // expected-note{{Assuming that this function succeeds but sets 'errno' to an unspecified value}}
				if (X == 0) { // expected-note{{'X' is equal to 0}}
				// expected-note@-1{{Taking true branch}}
				if (errno) {
				} // expected-warning@-1{{An undefined value may be read from 'errno'}}
				// expected-note@-2{{An undefined value may be read from 'errno'}}
				}
				}

				void testErrnoCheckOverwrite() {
				int X = ErrnoTesterChecker_setErrnoCheckState();
				something();
				X = ErrnoTesterChecker_setErrnoCheckState(); // expected-note{{Assuming that this function returns 2. 'errno' should be checked to test for failure}}
				if (X == 2) { // expected-note{{'X' is equal to 2}}
				// expected-note@-1{{Taking true branch}}
				errno = 0; // expected-warning{{Value of 'errno' was not checked and is overwritten here}}
				// expected-note@-1{{Value of 'errno' was not checked and is overwritten here}}
				}
				}

				void testErrnoCheckOverwriteStdCall() {
				int X = ErrnoTesterChecker_setErrnoCheckState();
				something();
				X = ErrnoTesterChecker_setErrnoCheckState(); // expected-note{{Assuming that this function returns 2. 'errno' should be checked to test for failure}}
				if (X == 2) { // expected-note{{'X' is equal to 2}}
				// expected-note@-1{{Taking true branch}}
				printf(""); // expected-warning{{Value of 'errno' was not checked and may be overwritten by function 'printf'}}
				// expected-note@-1{{Value of 'errno' was not checked and may be overwritten by function 'printf'}}
				}
				}

clang/test/Analysis/errno-options.c

This file was added.

				// RUN: %clang_analyze_cc1 -verify %s \
				// RUN: -analyzer-checker=core \
				// RUN: -analyzer-checker=apiModeling.Errno \
				// RUN: -analyzer-checker=debug.ErrnoTest \
				// RUN: -analyzer-checker=alpha.unix.Errno \
				// RUN: -analyzer-config alpha.unix.Errno:AllowErrnoReadOutsideConditionExpressions=false \
				// RUN: -DERRNO_VAR

				// RUN: %clang_analyze_cc1 -verify %s \
				// RUN: -analyzer-checker=core \
				// RUN: -analyzer-checker=apiModeling.Errno \
				// RUN: -analyzer-checker=debug.ErrnoTest \
				// RUN: -analyzer-checker=alpha.unix.Errno \
				// RUN: -analyzer-config alpha.unix.Errno:AllowErrnoReadOutsideConditionExpressions=false \
				// RUN: -DERRNO_FUNC

				#include "Inputs/system-header-simulator.h"
				#ifdef ERRNO_VAR
				#include "Inputs/errno_var.h"
				#endif
				#ifdef ERRNO_FUNC
				#include "Inputs/errno_func.h"
				#endif

				int ErrnoTesterChecker_setErrnoIfError();

				void test_cond() {
				ErrnoTesterChecker_setErrnoIfError();
				int A = errno ? 1 : 2;
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}

				void test_errno_store_into_variable() {
				ErrnoTesterChecker_setErrnoIfError();
				int a = errno;
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}

				void test_errno_store_into_variable_in_expr() {
				ErrnoTesterChecker_setErrnoIfError();
				int a = 4 + errno;
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}

				int test_errno_return() {
				ErrnoTesterChecker_setErrnoIfError();
				return errno;
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}

				int test_errno_return_expr() {
				ErrnoTesterChecker_setErrnoIfError();
				return errno > 10;
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}

clang/test/Analysis/errno.c

	// RUN: %clang_analyze_cc1 -verify %s \			// RUN: %clang_analyze_cc1 -verify %s \
	// RUN: -analyzer-checker=core \			// RUN: -analyzer-checker=core \
	// RUN: -analyzer-checker=apiModeling.Errno \			// RUN: -analyzer-checker=apiModeling.Errno \
	// RUN: -analyzer-checker=debug.ExprInspection \			// RUN: -analyzer-checker=debug.ExprInspection \
	// RUN: -analyzer-checker=debug.ErrnoTest \			// RUN: -analyzer-checker=debug.ErrnoTest \
				// RUN: -analyzer-checker=alpha.unix.Errno \
	// RUN: -DERRNO_VAR			// RUN: -DERRNO_VAR

	// RUN: %clang_analyze_cc1 -verify %s \			// RUN: %clang_analyze_cc1 -verify %s \
	// RUN: -analyzer-checker=core \			// RUN: -analyzer-checker=core \
	// RUN: -analyzer-checker=apiModeling.Errno \			// RUN: -analyzer-checker=apiModeling.Errno \
	// RUN: -analyzer-checker=debug.ExprInspection \			// RUN: -analyzer-checker=debug.ExprInspection \
	// RUN: -analyzer-checker=debug.ErrnoTest \			// RUN: -analyzer-checker=debug.ErrnoTest \
				// RUN: -analyzer-checker=alpha.unix.Errno \
	// RUN: -DERRNO_FUNC			// RUN: -DERRNO_FUNC

				#include "Inputs/system-header-simulator.h"
	#ifdef ERRNO_VAR			#ifdef ERRNO_VAR
	#include "Inputs/errno_var.h"			#include "Inputs/errno_var.h"
	#endif			#endif
	#ifdef ERRNO_FUNC			#ifdef ERRNO_FUNC
	#include "Inputs/errno_func.h"			#include "Inputs/errno_func.h"
	#endif			#endif

	void clang_analyzer_eval(int);			void clang_analyzer_eval(int);
	void ErrnoTesterChecker_setErrno(int);			void ErrnoTesterChecker_setErrno(int);
	int ErrnoTesterChecker_getErrno();			int ErrnoTesterChecker_getErrno();
	int ErrnoTesterChecker_setErrnoIfError();			int ErrnoTesterChecker_setErrnoIfError();
	int ErrnoTesterChecker_setErrnoIfErrorRange();			int ErrnoTesterChecker_setErrnoIfErrorRange();
				int ErrnoTesterChecker_setErrnoCheckState();

	void something();			void something();

	void test() {			void test() {
	// Test if errno is initialized.			// Test if errno is initialized.
	clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}}			clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}}

	ErrnoTesterChecker_setErrno(1);			ErrnoTesterChecker_setErrno(1);
	Show All 21 Lines
	}			}

	void testIfErrorRange() {			void testIfErrorRange() {
	if (ErrnoTesterChecker_setErrnoIfErrorRange()) {			if (ErrnoTesterChecker_setErrnoIfErrorRange()) {
	clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}			clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(errno == 1); // expected-warning{{FALSE}} expected-warning{{TRUE}}			clang_analyzer_eval(errno == 1); // expected-warning{{FALSE}} expected-warning{{TRUE}}
	}			}
	}			}

				void testErrnoCheck0() {
				// If the function returns a success result code, value of 'errno'
				// is unspecified and it is unsafe to make any decision with it.
				// The function did not promise to not change 'errno' if no failure happens.
				int X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 0) {
				if (errno) { // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}}
				steakhalUnsubmitted Done Reply Inline Actions We should have a note describing which function left the `errno` in an undefined/indeterminate state. You can chain multiple NoteTags by using the ExplodedNode returned by the `addTransition()` and passing it along if needed. steakhal: We should have a note describing which function left the `errno` in an undefined/indeterminate…
				}
				if (errno) { // no warning for second time (analysis stops at the first warning)
				}
				}
				X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 0) {
				if (errno) { // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}}
				}
				errno = 0;
				}
				X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 0) {
				errno = 0;
				if (errno) { // no warning after overwritten 'errno'
				}
				}
				}

				void testErrnoCheck1() {
				// If the function returns error result code that is out-of-band (not a valid
				// non-error return value) the value of 'errno' can be checked but it is not
				// required to do so.
				int X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 1) {
				if (errno) { // no warning
				}
				}
				X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 1) {
				errno = 0; // no warning
				}
				}

				void testErrnoCheck2() {
				// If the function returns an in-band error result the value of 'errno' is
				// required to be checked to verify if error happened.
				// The same applies to other functions that can indicate failure only by
				// change of 'errno'.
				int X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 2) {
				errno = 0; // expected-warning{{Value of 'errno' was not checked and is overwritten here [alpha.unix.Errno]}}
				errno = 0;
				}
				X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 2) {
				errno = 0; // expected-warning{{Value of 'errno' was not checked and is overwritten here [alpha.unix.Errno]}}
				if (errno) {
				}
				}
				}

				void testErrnoCheck3() {
				int X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 2) {
				if (errno) {
				}
				errno = 0; // no warning after 'errno' was read
				}
				X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 2) {
				int A = errno;
				errno = 0; // no warning after 'errno' was read
				}
				}

				void testErrnoCheckUndefinedLoad() {
				int X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 0) {
				if (errno) { // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}}
				}
				}
				}

				void testErrnoNotCheckedAtSystemCall() {
				int X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 2) {
				printf("%i", 1); // expected-warning{{Value of 'errno' was not checked and may be overwritten by function 'printf' [alpha.unix.Errno]}}
				printf("%i", 1); // no warning ('printf' does not change errno state)
				}
				}

				void testErrnoCheckStateInvalidate() {
				int X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 0) {
				something();
				if (errno) { // no warning after an invalidating function call
				}
				}
				X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 0) {
				printf("%i", 1);
				if (errno) { // no warning after an invalidating standard function call
				}
				}
				}
				steakhalUnsubmitted Done Reply Inline Actions So this is the case when `errno` gets indirectly invalidated by some opaque function call. I see. However, it will test that the value associated with the errno region gets invalidated, that's fine. However, you should test if the metadata (the enum value) attached to memregion also gets invalidated. Please make sure you have tests for that as well. A `ErrnoTesterChecker_dumpCheckState()` should be perfect for this. steakhal: So this is the case when `errno` gets indirectly invalidated by some opaque function call. I…
				balazskeAuthorUnsubmitted Done Reply Inline Actions The check is now done indirectly by checking that no warning is produced. balazske: The check is now done indirectly by checking that no warning is produced.

				void testErrnoCheckStateInvalidate1() {
				int X = ErrnoTesterChecker_setErrnoCheckState();
				if (X == 2) {
				clang_analyzer_eval(errno); // expected-warning{{TRUE}}
				something();
				clang_analyzer_eval(errno); // expected-warning{{UNKNOWN}}
				errno = 0; // no warning after invalidation
				}
				}

				void test_if_cond_in_expr() {
				ErrnoTesterChecker_setErrnoIfError();
				if (errno + 10 > 2) {
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}
				}

				void test_for_cond() {
				ErrnoTesterChecker_setErrnoIfError();
				for (; errno != 0;) {
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}
				}

				void test_do_cond() {
				ErrnoTesterChecker_setErrnoIfError();
				do {
				} while (errno != 0);
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}

				void test_while_cond() {
				ErrnoTesterChecker_setErrnoIfError();
				while (errno != 0) {
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}
				}

				void test_switch_cond() {
				ErrnoTesterChecker_setErrnoIfError();
				switch (errno) {}
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}

				void test_conditional_cond() {
				ErrnoTesterChecker_setErrnoIfError();
				int A = errno ? 1 : 2;
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}

				void test_binary_conditional_cond() {
				ErrnoTesterChecker_setErrnoIfError();
				int A = errno ?: 2;
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}

				void test_errno_store_into_variable() {
				ErrnoTesterChecker_setErrnoIfError();
				int a = errno; // AllowNonConditionErrnoRead is on by default, no warning
				}

				void test_errno_store_into_variable_in_expr() {
				ErrnoTesterChecker_setErrnoIfError();
				int a = errno > 1; // AllowNonConditionErrnoRead is on by default, no warning
				}

				int test_errno_return() {
				ErrnoTesterChecker_setErrnoIfError();
				return errno;
				}

				void test_errno_pointer1() {
				ErrnoTesterChecker_setErrnoIfError();
				int *ErrnoP = &errno;
				int A = errno ? 1 : 2;
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}

				void test_errno_pointer2() {
				ErrnoTesterChecker_setErrnoIfError();
				int *ErrnoP = &errno;
				int A = (*ErrnoP) ? 1 : 2;
				// expected-warning@-1{{An undefined value may be read from 'errno'}}
				}

				int f(int);

				void test_errno_in_condition_in_function_call() {
				ErrnoTesterChecker_setErrnoIfError();
				if (f(errno) != 0) {
				}
				}

This is an archive of the discontinued LLVM Phabricator instance.

[clang][analyzer] Add checker for bad use of 'errno'.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 438281

clang/docs/ReleaseNotes.rst

clang/docs/analyzer/checkers.rst

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp

clang/lib/StaticAnalyzer/Checkers/ErrnoTesterChecker.cpp

clang/test/Analysis/analyzer-config.c

clang/test/Analysis/errno-notes.c

clang/test/Analysis/errno-options.c

clang/test/Analysis/errno.c

[clang][analyzer] Add checker for bad use of 'errno'.
ClosedPublic