This is an archive of the discontinued LLVM Phabricator instance.

Differential D124244

[analyzer] add StoreToImmutable and ModelConstQualifiedReturn checkers
Needs ReviewPublic

Authored by zukatsinadze on Apr 22 2022, 3:58 AM.

Details

Reviewers
NoQ
martong
steakhal
balazske
vsavchenko
Summary

The patch adds two new checkers.
core.StoreToImmutable that warns binds on immutable memory and
alpha.security.cert.env.ModelConstQualifiedReturn that models return values
of some functions that should be considered const qualified. Based on SEI CERT
ENV30-C: https://wiki.sei.cmu.edu/confluence/x/79UxBQ

Diff Detail

Event Timeline

zukatsinadze created this revision.Apr 22 2022, 3:58 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 22 2022, 3:58 AM
Herald added subscribers: manas, ASDenysPetrov, dkrupp and 9 others. · View Herald Transcript
zukatsinadze requested review of this revision.Apr 22 2022, 3:58 AM
Herald added a subscriber: cfe-commits. · View Herald TranscriptApr 22 2022, 3:58 AM
Harbormaster completed remote builds in B160818: Diff 424427.Apr 22 2022, 6:32 AM
zukatsinadze updated this revision to Diff 424493.Apr 22 2022, 8:49 AM

fix clang format

Harbormaster completed remote builds in B160868: Diff 424493.Apr 22 2022, 9:31 AM
steakhal added a comment.Apr 25 2022, 12:54 AM

Looks great. I only have nits mostly for the docs.

clang/docs/analyzer/checkers.rst
2384–2386

IMO the list of functions should be mentioned separately. What if the list gets longer and longer.
A separate paragraph could list these instead. Also, wrap them with double backticks.

``getenv()``
2390

Use crossref links.

2393–2401

I don't like the fact that this example works only if the alpha.cert.pos.StoreToImmutableChecker is enabled, which is an alpha checker.

There are other places where such immutable memory regions arise, such as writable strings.
Anyway, at least let's mention that the given alpha checker has anything to do with this checker (+ crossref!).

2402

You should also embed an example of how to fix this issue: E.g. advertises making a copy of the immutable region to a mutable location and doing the mutation there instead. And use const as a preventive measure for the future for the original pointer.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
766–769

Please merge these into a single isa<T1, T2,...>().

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
68–70

Put this in the right alphabetical place.

clang/lib/StaticAnalyzer/Checkers/StoreToImmutableChecker.cpp
28–30

You could expose a pointer to this by creating a const BugType *getBugType() const; getter method, which could be used by other checkers.

52

We capitalize the static analyzer warnings and notes.

clang/lib/StaticAnalyzer/Checkers/cert/ModelConstQualifiedReturnChecker.cpp
2–3

Fix the comment.

11–12

Comments should be capitalized and punctuated as usual.

31–44

I can see a small issue by evaCall-ing these functions.
The problem is that we might not model all aspects of these functions, thus the modeling can cause harm to the analysis. E.g. by not doing invalidation where we actually would need invalidation to kick in, or anything else really.
Consequently, another problem is that no other checker can evaluate these, since we evaluate them here.
Thus, fixing such improper modeling could end up in further changes down the line.
Unfortunately, I don't have any better ATM, so let's go with this evalCall approach.

67

One should achieve this by comparing the BugType pointers.

clang/test/Analysis/cert/env30-c.cpp
3

Also enable the 'core' package.

NoQ added inline comments.Apr 28 2022, 2:14 PM
clang/lib/StaticAnalyzer/Checkers/StoreToImmutableChecker.cpp
44

This check catches a lot more regions than the ones produced by the other checker. In particular, it'll warn on all global constants. Did you intend this to happen? You don't seem to have tests for that.

53

I also recommend trackExpressionValue to make sure we have all reassignments highlighted as the value gets bounced between pointer variables. The user will need proof that the pointer actually points to const memory.

clang/lib/StaticAnalyzer/Checkers/cert/ModelConstQualifiedReturnChecker.cpp
31–44

Right, this definitely shouldn't be evalCall. Post-call seems to be sufficient for this checker.

martong added a comment.May 5 2022, 2:26 AM

The patch adds two new checkers.

I don't see any technical dependencies between the two, so, please split it into two independent patches.

martong added a comment.May 5 2022, 2:33 AM

Also, could you please update the Static Analyzer section of clang/docs/ReleaseNotes.rst with the new checkers and their description?

zukatsinadze updated this revision to Diff 430204.May 17 2022, 4:02 PM
zukatsinadze marked 14 inline comments as done.
zukatsinadze added inline comments.
clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
766–769

error: macro "assert" passed 4 arguments, but takes just 1
assert(isa<UnknownSpaceRegion, HeapSpaceRegion, GlobalSystemSpaceRegion, GlobalImmutableSpaceRegion>(sreg));

So I had to add extra ()-s around isa, I guess macro expands weirdly?

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
68–70

I think it is in the right alphabetical place not considering cert/ (other certs are in similar order), but maybe I should remove the cert directory, what do you think?
It was created by me a few years ago, but I don't see a point now anymore.

clang/lib/StaticAnalyzer/Checkers/StoreToImmutableChecker.cpp
28–30

I did something similar based on SmartPtrChecker.

44

Could you give an example? I tried with the following snippet and it didn't give a warning

int a = 1, b = 1;
void foo(int *p) {
  a = 2;
  p[b++] = 3;
  int *c = &a;
  *c = 5;
}
53

What expression should I use for tracking? I tried to simply cast S to Expr, but it didn't really work.
Then I came up with something ugly: cast S to BinaryOperator -> getLHS -> getSubExpr -> ignoreImpCasts.

zukatsinadze marked 4 inline comments as not done.May 17 2022, 4:04 PM
zukatsinadze added a comment.May 17 2022, 4:09 PM
In D124244#3493307, @martong wrote:

The patch adds two new checkers.

I don't see any technical dependencies between the two, so, please split it into two independent patches.

StoreToImmutable does not depend on the modeling checker, but I am using the BugType pointer from StoreToImmutable in the modeling checker for Note diagnostics.
Should it still be split and just not merge the second patch until the first one is committed?

In D124244#3493310, @martong wrote:

Also, could you please update the Static Analyzer section of clang/docs/ReleaseNotes.rst with the new checkers and their description?

Sorry, I missed this comment. I will add release notes in the next round.

Harbormaster completed remote builds in B164997: Diff 430204.May 17 2022, 4:50 PM
steakhal added a comment.May 18 2022, 3:22 AM

I found this report at vim/src/term.c (https://github.com/vim/vim.git at v8.2.1920):

I'm not sure what the exact type of BC global variable is but I think it's declared as either extern char *BC; or just char *BC;.
empty_option is declared as either extern unsigned char *empty_option; or unsigned char *empty_option = (unsigned char *)"";

Could you please have a look at this FP @zukatsinadze?

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
68–70

Leave it here.

clang/lib/StaticAnalyzer/Checkers/StoreToImmutableChecker.cpp
53

Transitive interestingness might be related to this: D125362

steakhal added a comment.Jun 2 2022, 11:04 AM

Any update on this. I'm really excited about this one. Let me know if something blocks you.

steakhal mentioned this in D127306: [analyzer] Treat system globals as mutable if they are not const.Jun 8 2022, 7:10 AM
steakhal added a comment.Jun 8 2022, 7:13 AM
In D124244#3521728, @steakhal wrote:

I found this report at vim/src/term.c (https://github.com/vim/vim.git at v8.2.1920):

I'm not sure what the exact type of BC global variable is but I think it's declared as either extern char *BC; or just char *BC;.
empty_option is declared as either extern unsigned char *empty_option; or unsigned char *empty_option = (unsigned char *)"";

Could you please have a look at this FP @zukatsinadze?

I've checked why we report this. It turns out mutable global variables were considered immutable (except the errno), which caused FPs in this proposed checker.
I made D127306 to keep mutable (system) globals as mutable memory.

NoQ added inline comments.Jun 9 2022, 3:26 PM
clang/lib/StaticAnalyzer/Checkers/StoreToImmutableChecker.cpp
44

I was thinking about constants, i.e. const int a etc.

clang/lib/StaticAnalyzer/Checkers/cert/ModelConstQualifiedReturnChecker.cpp
31–44

Yeah so the reason why this was made an evalCall is because we needed to replace the memory space for the return value. I think the right solution is to re-implement SymRegion memory spaces as traits, so that they could be updated during analysis at any time (under the natural condition that they only ever get narrower). So like dynamic type, just dynamic memory space.

steakhal mentioned this in rGf4fc3f6ba319: [analyzer] Treat system globals as mutable if they are not const.Jun 15 2022, 8:08 AM
steakhal added a comment.Jun 16 2022, 5:53 AM

Sorry for my late reply.

It feels like we have some serious obstacles.
The check::PostCall handler wants to mark some memory region immutable. Currently, the checker creates a new symbolic memregion, spawned into the immutable memory space. After this it simply re-binds the return value.
However, only eval::Call handler is supposed (must) to bind the return value, so the current implementation cannot land.

I played with the trait idea, which was this:

  1. Introduce a new program state trait with the REGISTER_SET_WITH_PROGRAMSTATE(ImmutableRegions, const ento::MemRegion *). One should not bind values to these regions. (*)
  2. The check::PostCall would simply insert into this set.
  3. The StoreToImmutableChecker, at the check::Bind handler, would verify that the region is not contained by the set - otherwise emit a report...
  4. Surface this new trait to be reachable by the Core infrastructure.
  5. Refactor all the Core functions introducing or expecting MemRegionManager::getGlobalsRegions to insert the region in question into this ImmutableRegions set associated with the current State, producing some new State.

The last point is the most critical. Now, by design, MemRegionManager does not refer to the ProgramState, hence we don't have one that we could mutate by inserting into the ImmutableRegions set. Passing a ProgramStateRef along all the functions is a nightmare. Trust me, I've tried it.
That being said, eradicating GlobalImmutableSpaceRegion seems to be challenging.

I've settled on using the custom trait, and the GlobalImmutableSpaceRegion memspace kind to detect if the store (bind) should be allowed or not.

UsingTraitsForTrackingImmutability.patch6 KBDownload

WDYT @NoQ, how could we get rid of the GlobalImmutableSpaceRegion?

(*): Originally I wanted a set of const MemSpaceRegion *, but it turns out a default eval called function which returns a plain old mutable pointer is of SymRegion{conj{}} at the UnknownSpaceRegion. And we probably don't want to mark immutable the whole UnknownSpaceRegion xD.

zukatsinadze added a comment.Jul 12 2022, 6:02 AM
In D124244#3588671, @steakhal wrote:

Sorry for my late reply.

It feels like we have some serious obstacles.
The check::PostCall handler wants to mark some memory region immutable. Currently, the checker creates a new symbolic memregion, spawned into the immutable memory space. After this it simply re-binds the return value.
However, only eval::Call handler is supposed (must) to bind the return value, so the current implementation cannot land.

I played with the trait idea, which was this:

  1. Introduce a new program state trait with the REGISTER_SET_WITH_PROGRAMSTATE(ImmutableRegions, const ento::MemRegion *). One should not bind values to these regions. (*)
  2. The check::PostCall would simply insert into this set.
  3. The StoreToImmutableChecker, at the check::Bind handler, would verify that the region is not contained by the set - otherwise emit a report...
  4. Surface this new trait to be reachable by the Core infrastructure.
  5. Refactor all the Core functions introducing or expecting MemRegionManager::getGlobalsRegions to insert the region in question into this ImmutableRegions set associated with the current State, producing some new State.

The last point is the most critical. Now, by design, MemRegionManager does not refer to the ProgramState, hence we don't have one that we could mutate by inserting into the ImmutableRegions set. Passing a ProgramStateRef along all the functions is a nightmare. Trust me, I've tried it.
That being said, eradicating GlobalImmutableSpaceRegion seems to be challenging.

I've settled on using the custom trait, and the GlobalImmutableSpaceRegion memspace kind to detect if the store (bind) should be allowed or not.

UsingTraitsForTrackingImmutability.patch6 KBDownload

WDYT @NoQ, how could we get rid of the GlobalImmutableSpaceRegion?

(*): Originally I wanted a set of const MemSpaceRegion *, but it turns out a default eval called function which returns a plain old mutable pointer is of SymRegion{conj{}} at the UnknownSpaceRegion. And we probably don't want to mark immutable the whole UnknownSpaceRegion xD.

@NoQ what do you think about steakhal's proposal?

zukatsinadze added a comment.Sep 8 2022, 4:42 AM

@NoQ gentle ping.

donat.nagy added a comment.May 19 2023, 8:00 AM

Overall this seems to be a promising checker; I added a few minor remarks as inline comments. Unfortunately @steakhal's comment that

The check::PostCall handler wants to mark some memory region immutable. Currently, the checker creates a new symbolic memregion, spawned into the immutable memory space. After this it simply re-binds the return value.
However, only eval::Call handler is supposed (must) to bind the return value, so the current implementation cannot land.

highlights question that is as far as I see a blocking obstacle. I hope that you can find a solution for that technical difficulty.

Moreover, I agree with @martong's comment that you should probably create two commits for these two checkers. (One-way dependency between the checkers is not an obstacle: simply pay attention to merging the commits in the right order.)

clang/lib/StaticAnalyzer/Checkers/StoreToImmutableChecker.cpp
68–72

This code is a bit hard to understand, perhaps add a comment like
// If the binding statement looks like "*ptr = ...", then track the pointer "ptr"

clang/lib/StaticAnalyzer/Checkers/cert/ModelConstQualifiedReturnChecker.cpp
39

If you don't have concrete plans for extending this checker to cases where you need a different HandlerFn, then I strongly suggest replacing this map with a set (or a CallDescriptionMap<bool> where the bool is just a dummy placeholder). There is no reason to juggle member function pointers when they are always pointing to the same function.

Revision Contents

PathSize
clang/
docs/
analyzer/
59 lines
include/
clang/
StaticAnalyzer/
Checkers/
10 lines
Core/
PathSensitive/
4 lines
lib/
StaticAnalyzer/
Checkers/
2 lines
29 lines
84 lines
cert/
102 lines
test/
Analysis/
1 line
cert/
222 lines
1 line

Diff 430204

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 139 Lines▼ Show 20 Lines
} }
void test() { void test() {
static int *x; static int *x;
int y; int y;
x = &y; // warn x = &y; // warn
} }
.. _core-StoreToImmutable:
core.StoreToImmutable (C, C++)
"""""""""""""""""""""""""""""""""""""""
Check for writes to immutable memory.
.. code-block:: cpp
void write_to_envvar() {
char *p = getenv("VAR");
if (!p)
return;
p[0] = '\0'; // warn
}
Note that this example depends on :ref:`_alpha-security-cert-env-ModelConstQualifiedReturn`
checker that models return value of getenv as const-qualified, however there are other
scenarios where such immutable memory regions arise.
To fix the error, user can add `const` as preventive measure and make a copy of the
immutable memory region to a mutable location and do the mutation there instead.
.. code-block:: cpp
void write_to_envvar() {
const char *p = getenv("VAR");
if (!p)
return;
copy_of_p = (char *)malloc(strlen(p) + 1);
strcpy(copy_of_p, p);
copy_of_p[0] = '\0';
}
.. _core-UndefinedBinaryOperatorResult: .. _core-UndefinedBinaryOperatorResult:
core.UndefinedBinaryOperatorResult (C) core.UndefinedBinaryOperatorResult (C)
"""""""""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""""""
Check for undefined results of binary operators. Check for undefined results of binary operators.
.. code-block:: c .. code-block:: c
▲ Show 20 LinesShow All 2,179 Lines▼ Show 20 Lines void previous_call_invalidation() {
p = getenv("VAR"); p = getenv("VAR");
pp = getenv("VAR2"); pp = getenv("VAR2");
// subsequent call to 'getenv' invalidated previous one // subsequent call to 'getenv' invalidated previous one
*p; *p;
// dereferencing invalid pointer // dereferencing invalid pointer
} }
.. _alpha-security-cert-env-ModelConstQualifiedReturn:
alpha.security.cert.env.ModelConstQualifiedReturn
"""""""""""""""""""""""""""""""""""""""""""""""""
Corresponds to SEI CERT Rules ENV30-C.
Some functions return a pointer to an object that cannot be
modified without causing undefined behavior. In such cases,
the function call results must be treated as being const-qualified.
steakhalUnsubmitted
Done
ReplyInline Actions

IMO the list of functions should be mentioned separately. What if the list gets longer and longer.
A separate paragraph could list these instead. Also, wrap them with double backticks.

``getenv()``
steakhal: IMO the list of functions should be mentioned separately. What if the list gets longer and…
These functions include ``getenv(), setlocale(), localeconv(), asctime(), strerror()``.
Checker models return values of these functions as const
qualified. Their modification is checked in :ref:`_core-StoreToImmutable`.
steakhalUnsubmitted
Done
ReplyInline Actions
Checker models return values of these functions as const
- qualified. Their modification is checked in StoreToImmutable
+ qualified. Their modification is checked in :ref:`_core-StoreToImmutable`.
core checker.

Use crossref links.

steakhal: Use crossref links.
.. code-block:: c
void writing_to_envvar() {
char *p = getenv("VAR"); // note: getenv return value
// should be treated as const
if (!p)
return;
p[0] = '\0'; // warn
}
steakhalUnsubmitted
Done
ReplyInline Actions

I don't like the fact that this example works only if the alpha.cert.pos.StoreToImmutableChecker is enabled, which is an alpha checker.

There are other places where such immutable memory regions arise, such as writable strings.
Anyway, at least let's mention that the given alpha checker has anything to do with this checker (+ crossref!).

steakhal: I don't like the fact that this example works only if the `alpha.cert.pos.
alpha.security.taint alpha.security.taint
steakhalUnsubmitted
Done
ReplyInline Actions

You should also embed an example of how to fix this issue: E.g. advertises making a copy of the immutable region to a mutable location and doing the mutation there instead. And use const as a preventive measure for the future for the original pointer.

steakhal: You should also embed an example of how to fix this issue: E.g. advertises making a copy of the…
^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^
Checkers implementing `taint analysis <https://en.wikipedia.org/wiki/Taint_checking>`_. Checkers implementing `taint analysis <https://en.wikipedia.org/wiki/Taint_checking>`_.
.. _alpha-security-taint-TaintPropagation: .. _alpha-security-taint-TaintPropagation:
alpha.security.taint.TaintPropagation (C, C++) alpha.security.taint.TaintPropagation (C, C++)
"""""""""""""""""""""""""""""""""""""""""""""" """"""""""""""""""""""""""""""""""""""""""""""
▲ Show 20 LinesShow All 615 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 221 Lines▼ Show 20 Linesdef StackAddrEscapeBase : Checker<"StackAddrEscapeBase">,
Documentation<NotDocumented>, Documentation<NotDocumented>,
Hidden; Hidden;
def StackAddrEscapeChecker : Checker<"StackAddressEscape">, def StackAddrEscapeChecker : Checker<"StackAddressEscape">,
HelpText<"Check that addresses to stack memory do not escape the function">, HelpText<"Check that addresses to stack memory do not escape the function">,
Dependencies<[StackAddrEscapeBase]>, Dependencies<[StackAddrEscapeBase]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def StoreToImmutableChecker : Checker<"StoreToImmutable">,
HelpText<"Check for writes to immutable memory.">,
Documentation<HasDocumentation>;
def DynamicTypePropagation : Checker<"DynamicTypePropagation">, def DynamicTypePropagation : Checker<"DynamicTypePropagation">,
HelpText<"Generate dynamic type information">, HelpText<"Generate dynamic type information">,
Documentation<NotDocumented>, Documentation<NotDocumented>,
Hidden; Hidden;
def NonnullGlobalConstantsChecker: Checker<"NonnilStringConstants">, def NonnullGlobalConstantsChecker: Checker<"NonnilStringConstants">,
HelpText<"Assume that const string-like globals are non-null">, HelpText<"Assume that const string-like globals are non-null">,
Documentation<NotDocumented>, Documentation<NotDocumented>,
▲ Show 20 LinesShow All 736 Lines▼ Show 20 Lines
} // end "alpha.cert.pos" } // end "alpha.cert.pos"
let ParentPackage = ENV in { let ParentPackage = ENV in {
def InvalidPtrChecker : Checker<"InvalidPtr">, def InvalidPtrChecker : Checker<"InvalidPtr">,
HelpText<"Finds usages of possibly invalidated pointers">, HelpText<"Finds usages of possibly invalidated pointers">,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def ModelConstQualifiedReturnChecker : Checker<"ModelConstQualifiedReturn">,
HelpText<"Model return values of some functions as const-qualified. "
"StoreToImmutable checker would warn on their modification.">,
Documentation<HasDocumentation>;
} // end "alpha.cert.env" } // end "alpha.cert.env"
let ParentPackage = SecurityAlpha in { let ParentPackage = SecurityAlpha in {
def ArrayBoundChecker : Checker<"ArrayBound">, def ArrayBoundChecker : Checker<"ArrayBound">,
HelpText<"Warn about buffer overflows (older checker)">, HelpText<"Warn about buffer overflows (older checker)">,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
▲ Show 20 LinesShow All 735 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h

Show First 20 LinesShow All 757 Lines▼ Show 20 Linesclass SymbolicRegion : public SubRegion {
SymbolicRegion(const SymbolRef s, const MemSpaceRegion *sreg) SymbolicRegion(const SymbolRef s, const MemSpaceRegion *sreg)
: SubRegion(sreg, SymbolicRegionKind), sym(s) { : SubRegion(sreg, SymbolicRegionKind), sym(s) {
// Because pointer arithmetic is represented by ElementRegion layers, // Because pointer arithmetic is represented by ElementRegion layers,
// the base symbol here should not contain any arithmetic. // the base symbol here should not contain any arithmetic.
assert(s && isa<SymbolData>(s)); assert(s && isa<SymbolData>(s));
assert(s->getType()->isAnyPointerType() || assert(s->getType()->isAnyPointerType() ||
s->getType()->isReferenceType() || s->getType()->isReferenceType() ||
s->getType()->isBlockPointerType()); s->getType()->isBlockPointerType());
assert(isa<UnknownSpaceRegion>(sreg) || isa<HeapSpaceRegion>(sreg) || assert((isa<UnknownSpaceRegion, HeapSpaceRegion, GlobalSystemSpaceRegion,
isa<GlobalSystemSpaceRegion>(sreg)); GlobalImmutableSpaceRegion>(sreg)));
} }
steakhalUnsubmitted
Done
ReplyInline Actions

Please merge these into a single isa<T1, T2,...>().

steakhal: Please merge these into a single `isa<T1, T2,...>()`.
zukatsinadzeAuthorUnsubmitted
Done
ReplyInline Actions

error: macro "assert" passed 4 arguments, but takes just 1
assert(isa<UnknownSpaceRegion, HeapSpaceRegion, GlobalSystemSpaceRegion, GlobalImmutableSpaceRegion>(sreg));

So I had to add extra ()-s around isa, I guess macro expands weirdly?

zukatsinadze: error: macro "assert" passed 4 arguments, but takes just 1 `assert(isa<UnknownSpaceRegion…
public: public:
SymbolRef getSymbol() const { return sym; } SymbolRef getSymbol() const { return sym; }
bool isBoundable() const override { return true; } bool isBoundable() const override { return true; }
void Profile(llvm::FoldingSetNodeID& ID) const override; void Profile(llvm::FoldingSetNodeID& ID) const override;
▲ Show 20 LinesShow All 791 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt

Show First 20 LinesShow All 59 Lines▼ Show 20 Linesadd_clang_library(clangStaticAnalyzerCheckers
LocalizationChecker.cpp LocalizationChecker.cpp
MacOSKeychainAPIChecker.cpp MacOSKeychainAPIChecker.cpp
MacOSXAPIChecker.cpp MacOSXAPIChecker.cpp
MallocChecker.cpp MallocChecker.cpp
MallocOverflowSecurityChecker.cpp MallocOverflowSecurityChecker.cpp
MallocSizeofChecker.cpp MallocSizeofChecker.cpp
MismatchedIteratorChecker.cpp MismatchedIteratorChecker.cpp
MmapWriteExecChecker.cpp MmapWriteExecChecker.cpp
MIGChecker.cpp MIGChecker.cpp
cert/ModelConstQualifiedReturnChecker.cpp
MoveChecker.cpp MoveChecker.cpp
steakhalUnsubmitted
Not Done
ReplyInline Actions

Put this in the right alphabetical place.

steakhal: Put this in the right alphabetical place.
zukatsinadzeAuthorUnsubmitted
Not Done
ReplyInline Actions

I think it is in the right alphabetical place not considering cert/ (other certs are in similar order), but maybe I should remove the cert directory, what do you think?
It was created by me a few years ago, but I don't see a point now anymore.

zukatsinadze: I think it is in the right alphabetical place not considering cert/ (other certs are in similar…
steakhalUnsubmitted
Not Done
ReplyInline Actions

Leave it here.

steakhal: Leave it here.
MPI-Checker/MPIBugReporter.cpp MPI-Checker/MPIBugReporter.cpp
MPI-Checker/MPIChecker.cpp MPI-Checker/MPIChecker.cpp
MPI-Checker/MPIFunctionClassifier.cpp MPI-Checker/MPIFunctionClassifier.cpp
NSAutoreleasePoolChecker.cpp NSAutoreleasePoolChecker.cpp
NSErrorChecker.cpp NSErrorChecker.cpp
NoReturnFunctionChecker.cpp NoReturnFunctionChecker.cpp
NonNullParamChecker.cpp NonNullParamChecker.cpp
NonnullGlobalConstantsChecker.cpp NonnullGlobalConstantsChecker.cpp
Show All 23 Linesadd_clang_library(clangStaticAnalyzerCheckers
ReturnValueChecker.cpp ReturnValueChecker.cpp
RunLoopAutoreleaseLeakChecker.cpp RunLoopAutoreleaseLeakChecker.cpp
SimpleStreamChecker.cpp SimpleStreamChecker.cpp
SmartPtrChecker.cpp SmartPtrChecker.cpp
SmartPtrModeling.cpp SmartPtrModeling.cpp
StackAddrEscapeChecker.cpp StackAddrEscapeChecker.cpp
StdLibraryFunctionsChecker.cpp StdLibraryFunctionsChecker.cpp
STLAlgorithmModeling.cpp STLAlgorithmModeling.cpp
StoreToImmutableChecker.cpp
StreamChecker.cpp StreamChecker.cpp
StringChecker.cpp StringChecker.cpp
Taint.cpp Taint.cpp
TaintTesterChecker.cpp TaintTesterChecker.cpp
TestAfterDivZeroChecker.cpp TestAfterDivZeroChecker.cpp
TraversalChecker.cpp TraversalChecker.cpp
TrustNonnullChecker.cpp TrustNonnullChecker.cpp
TrustReturnsNonnullChecker.cpp TrustReturnsNonnullChecker.cpp
Show All 32 Lines

clang/lib/StaticAnalyzer/Checkers/StoreToImmutable.h

  • This file was added.
//=== StoreToImmutable.h - Expose ImmutableMemoryBind BugType ------*- C++ -*-//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// Defines getter function for ImmutableMemoryBind BugType
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_STORETOIMMUTABLE_H
#define LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_STORETOIMMUTABLE_H
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
namespace clang {
namespace ento {
namespace immutablestore {
const BugType *getImmutableMemoryBindBugType();
} // namespace immutablestore
} // namespace ento
} // namespace clang
#endif // LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_STORETOIMMUTABLE_H

clang/lib/StaticAnalyzer/Checkers/StoreToImmutableChecker.cpp

  • This file was added.
//== StoreToImmutableChecker.cpp ------------------------------- -*- C++ -*--=//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines StoreToImmutableChecker which warns binds on immutable
// memory.
//===----------------------------------------------------------------------===//
#include "clang/AST/Type.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang;
using namespace ento;
namespace {
static const BugType *ImmutableMemoryBindPtr;
class StoreToImmutableChecker : public Checker<check::Bind> {
public:
BugType ImmutableMemoryBind{this,
"Immutable memory should not be overwritten",
steakhalUnsubmitted
Done
ReplyInline Actions

You could expose a pointer to this by creating a const BugType *getBugType() const; getter method, which could be used by other checkers.

steakhal: You could expose a pointer to this by creating a `const BugType *getBugType() const;` getter…
zukatsinadzeAuthorUnsubmitted
Done
ReplyInline Actions

I did something similar based on SmartPtrChecker.

zukatsinadze: I did something similar based on SmartPtrChecker.
categories::MemoryError};
void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const;
};
} // namespace
namespace clang {
namespace ento {
namespace immutablestore {
const BugType *getImmutableMemoryBindBugType() { return ImmutableMemoryBindPtr; }
} // namespace immutablestore
} // namespace ento
NoQUnsubmitted
Not Done
ReplyInline Actions

This check catches a lot more regions than the ones produced by the other checker. In particular, it'll warn on all global constants. Did you intend this to happen? You don't seem to have tests for that.

NoQ: This check catches a lot more regions than the ones produced by the other checker. In…
zukatsinadzeAuthorUnsubmitted
Not Done
ReplyInline Actions

Could you give an example? I tried with the following snippet and it didn't give a warning

int a = 1, b = 1;
void foo(int *p) {
  a = 2;
  p[b++] = 3;
  int *c = &a;
  *c = 5;
}
zukatsinadze: Could you give an example? I tried with the following snippet and it didn't give a warning ```…
NoQUnsubmitted
Not Done
ReplyInline Actions

I was thinking about constants, i.e. const int a etc.

NoQ: I was thinking about constants, i.e. `const int a` etc.
} // namespace clang
// Check if region that should be immutable is being modified
void StoreToImmutableChecker::checkBind(SVal Loc, SVal Val, const Stmt *S,
CheckerContext &C) const {
steakhalUnsubmitted
Done
ReplyInline Actions

We capitalize the static analyzer warnings and notes.

steakhal: We capitalize the static analyzer warnings and notes.
const MemRegion *R = Loc.getAsRegion();
NoQUnsubmitted
Not Done
ReplyInline Actions

I also recommend trackExpressionValue to make sure we have all reassignments highlighted as the value gets bounced between pointer variables. The user will need proof that the pointer actually points to const memory.

NoQ: I also recommend `trackExpressionValue` to make sure we have all reassignments highlighted as…
zukatsinadzeAuthorUnsubmitted
Not Done
ReplyInline Actions

What expression should I use for tracking? I tried to simply cast S to Expr, but it didn't really work.
Then I came up with something ugly: cast S to BinaryOperator -> getLHS -> getSubExpr -> ignoreImpCasts.

zukatsinadze: What expression should I use for tracking? I tried to simply cast `S` to `Expr`, but it didn't…
steakhalUnsubmitted
Not Done
ReplyInline Actions

Transitive interestingness might be related to this: D125362

steakhal: Transitive interestingness might be related to this: D125362
if (!R)
return;
if (!isa<GlobalImmutableSpaceRegion>(R->getMemorySpace()))
return;
ExplodedNode *ErrorNode = C.generateErrorNode();
if (!ErrorNode)
return;
auto Report = std::make_unique<PathSensitiveBugReport>(
ImmutableMemoryBind, "Modifying immutable memory", ErrorNode);
Report->markInteresting(R);
if (const auto *BP = dyn_cast<BinaryOperator>(S))
if (const auto *UP = dyn_cast<UnaryOperator>(BP->getLHS())) {
bugreporter::trackExpressionValue(
Report->getErrorNode(), UP->getSubExpr()->IgnoreImpCasts(), *Report);
}
donat.nagyUnsubmitted
Not Done
ReplyInline Actions

This code is a bit hard to understand, perhaps add a comment like
// If the binding statement looks like "*ptr = ...", then track the pointer "ptr"

donat.nagy: This code is a bit hard to understand, perhaps add a comment like `// If the binding statement…
C.emitReport(std::move(Report));
}
void ento::registerStoreToImmutableChecker(CheckerManager &Mgr) {
StoreToImmutableChecker *Checker = Mgr.registerChecker<StoreToImmutableChecker>();
ImmutableMemoryBindPtr = &Checker->ImmutableMemoryBind;
}
bool ento::shouldRegisterStoreToImmutableChecker(const CheckerManager &) {
return true;
}

clang/lib/StaticAnalyzer/Checkers/cert/ModelConstQualifiedReturnChecker.cpp

  • This file was added.
//== ModelConstQualifiedReturnChecker.cpp ----------------------- -*- C++ -*--=//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
steakhalUnsubmitted
Done
ReplyInline Actions

Fix the comment.

steakhal: Fix the comment.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines ModelConstQualifiedReturnChecker.
// Return values of certain functions should be treated as const-qualified.
//
// Checker is based on CERT SEI Rule ENV30-C.
steakhalUnsubmitted
Done
ReplyInline Actions

Comments should be capitalized and punctuated as usual.

steakhal: Comments should be capitalized and punctuated as usual.
// For more information see: https://wiki.sei.cmu.edu/confluence/x/79UxBQ
//===----------------------------------------------------------------------===//
#include "../StoreToImmutable.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang;
using namespace ento;
namespace {
class ModelConstQualifiedReturnChecker : public Checker<check::PostCall> {
private:
using HandlerFn = void (ModelConstQualifiedReturnChecker::*)(
const CallEvent &Call, CheckerContext &C) const;
void postConstQualifiedReturnCall(const CallEvent &Call,
CheckerContext &C) const;
// SEI CERT ENV30-C
const CallDescriptionMap<HandlerFn> ConstQualifiedReturnFunctions = {
donat.nagyUnsubmitted
Not Done
ReplyInline Actions

If you don't have concrete plans for extending this checker to cases where you need a different HandlerFn, then I strongly suggest replacing this map with a set (or a CallDescriptionMap<bool> where the bool is just a dummy placeholder). There is no reason to juggle member function pointers when they are always pointing to the same function.

donat.nagy: If you don't have concrete plans for extending this checker to cases where you need a different…
{{"getenv", 1},
&ModelConstQualifiedReturnChecker::postConstQualifiedReturnCall},
{{"setlocale", 2},
&ModelConstQualifiedReturnChecker::postConstQualifiedReturnCall},
{{"strerror", 1},
steakhalUnsubmitted
Done
ReplyInline Actions

I can see a small issue by evaCall-ing these functions.
The problem is that we might not model all aspects of these functions, thus the modeling can cause harm to the analysis. E.g. by not doing invalidation where we actually would need invalidation to kick in, or anything else really.
Consequently, another problem is that no other checker can evaluate these, since we evaluate them here.
Thus, fixing such improper modeling could end up in further changes down the line.
Unfortunately, I don't have any better ATM, so let's go with this evalCall approach.

steakhal: I can see a small issue by `evaCall`-ing these functions. The problem is that we might not…
NoQUnsubmitted
Done
ReplyInline Actions

Right, this definitely shouldn't be evalCall. Post-call seems to be sufficient for this checker.

NoQ: Right, this definitely shouldn't be `evalCall`. Post-call seems to be sufficient for this…
NoQUnsubmitted
Not Done
ReplyInline Actions

Yeah so the reason why this was made an evalCall is because we needed to replace the memory space for the return value. I think the right solution is to re-implement SymRegion memory spaces as traits, so that they could be updated during analysis at any time (under the natural condition that they only ever get narrower). So like dynamic type, just dynamic memory space.

NoQ: Yeah so the reason why this was made an `evalCall` is because we needed to replace the memory…
&ModelConstQualifiedReturnChecker::postConstQualifiedReturnCall},
{{"localeconv", 0},
&ModelConstQualifiedReturnChecker::postConstQualifiedReturnCall},
{{"asctime", 1},
&ModelConstQualifiedReturnChecker::postConstQualifiedReturnCall},
};
public:
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
};
} // namespace
void ModelConstQualifiedReturnChecker::postConstQualifiedReturnCall(
const CallEvent &Call, CheckerContext &C) const {
const LocationContext *LCtx = C.getLocationContext();
SValBuilder &SVB = C.getSValBuilder();
MemRegionManager &RegMgr = SVB.getRegionManager();
// Function call will return a pointer to the new symbolic region.
SymbolRef FreshSym = SVB.getSymbolManager().conjureSymbol(
Call.getOriginExpr(), LCtx, C.blockCount());
const SymbolicRegion *SymReg = RegMgr.getSymbolicRegion(
FreshSym,
steakhalUnsubmitted
Done
ReplyInline Actions

One should achieve this by comparing the BugType pointers.

steakhal: One should achieve this by comparing the BugType pointers.
RegMgr.getGlobalsRegion(MemRegion::GlobalImmutableSpaceRegionKind));
ProgramStateRef State = C.getState();
State =
State->BindExpr(Call.getOriginExpr(), LCtx, loc::MemRegionVal{SymReg});
StringRef FunctionName = Call.getCalleeIdentifier()->getName();
const NoteTag *Note = C.getNoteTag(
[SymReg, FunctionName](PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
if (&BR.getBugType() != immutablestore::getImmutableMemoryBindBugType() ||
!BR.isInteresting(SymReg))
return;
Out << "Return value of '" << FunctionName
<< "' should be treated as const-qualified";
});
C.addTransition(State, Note);
}
void ModelConstQualifiedReturnChecker::checkPostCall(const CallEvent &Call, CheckerContext &C) const {
// Check if function return value should be const qualified
const auto *Handler = ConstQualifiedReturnFunctions.lookup(Call);
if (!Handler)
return;
(this->**Handler)(Call, C);
}
void ento::registerModelConstQualifiedReturnChecker(CheckerManager &Mgr) {
Mgr.registerChecker<ModelConstQualifiedReturnChecker>();
}
bool ento::shouldRegisterModelConstQualifiedReturnChecker(const CheckerManager &) {
return true;
}

clang/test/Analysis/analyzer-enabled-checkers.c

Show All 15 Lines
// CHECK-NEXT: core.CallAndMessage // CHECK-NEXT: core.CallAndMessage
// CHECK-NEXT: core.DivideZero // CHECK-NEXT: core.DivideZero
// CHECK-NEXT: core.DynamicTypePropagation // CHECK-NEXT: core.DynamicTypePropagation
// CHECK-NEXT: core.NonNullParamChecker // CHECK-NEXT: core.NonNullParamChecker
// CHECK-NEXT: core.NonnilStringConstants // CHECK-NEXT: core.NonnilStringConstants
// CHECK-NEXT: core.NullDereference // CHECK-NEXT: core.NullDereference
// CHECK-NEXT: core.StackAddrEscapeBase // CHECK-NEXT: core.StackAddrEscapeBase
// CHECK-NEXT: core.StackAddressEscape // CHECK-NEXT: core.StackAddressEscape
// CHECK-NEXT: core.StoreToImmutable
// CHECK-NEXT: core.UndefinedBinaryOperatorResult // CHECK-NEXT: core.UndefinedBinaryOperatorResult
// CHECK-NEXT: core.VLASize // CHECK-NEXT: core.VLASize
// CHECK-NEXT: core.builtin.BuiltinFunctions // CHECK-NEXT: core.builtin.BuiltinFunctions
// CHECK-NEXT: core.builtin.NoReturnFunctions // CHECK-NEXT: core.builtin.NoReturnFunctions
// CHECK-NEXT: core.uninitialized.ArraySubscript // CHECK-NEXT: core.uninitialized.ArraySubscript
// CHECK-NEXT: core.uninitialized.Assign // CHECK-NEXT: core.uninitialized.Assign
// CHECK-NEXT: core.uninitialized.Branch // CHECK-NEXT: core.uninitialized.Branch
// CHECK-NEXT: core.uninitialized.CapturedBlockVariable // CHECK-NEXT: core.uninitialized.CapturedBlockVariable
Show All 26 Lines

clang/test/Analysis/cert/env30-c.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,alpha.security.cert.env.ModelConstQualifiedReturn \
// RUN: -analyzer-output=text -verify -Wno-unused %s
steakhalUnsubmitted
Done
ReplyInline Actions

Also enable the 'core' package.

steakhal: Also enable the 'core' package.
#include "../Inputs/system-header-simulator.h"
char *getenv(const char *name);
char *setlocale(int category, const char *locale);
char *strerror(int errnum);
int setenv(const char *name, const char *value, int overwrite);
void free(void *memblock);
void *malloc(size_t size);
char *strdup(const char *s);
typedef struct {
} tm;
char *asctime(const tm *timeptr);
int strcmp(const char *, const char *);
void const_parameter_function(const char *);
void getenv_test1() {
char *a, *b, *c;
a = getenv("VAR");
// expected-note@-1{{Return value of 'getenv' should be treated as const-qualified}}
// expected-note@-2{{Value assigned to 'a'}}
b = a;
// expected-note@-1{{The value of 'a' is assigned to 'b'}}
c = b;
// expected-note@-1{{The value of 'b' is assigned to 'c'}}
*c = 'A';
// expected-warning@-1{{Modifying immutable memory [core.StoreToImmutable]}}
// expected-note@-2{{Modifying immutable memory}}
}
void getenv_test2() {
char *p;
p = getenv("VAR");
const_parameter_function(p); // no-warning
}
void modify(char *p) {
*p = 'A';
// expected-warning@-1{{Modifying immutable memory [core.StoreToImmutable]}}
// expected-note@-2{{Modifying immutable memory}}
}
void getenv_test3() {
char *p = getenv("VAR");
// expected-note@-1{{Return value of 'getenv' should be treated as const-qualified}}
// expected-note@-2{{'p' initialized here}}
char *pp = p;
// expected-note@-1{{'pp' initialized to the value of 'p'}}
modify(pp); // Writing to immutable region within the call.
// expected-note@-1{{Calling 'modify'}}
// expected-note@-2{{Passing value via 1st parameter 'p'}}
}
void does_not_modify(char *p) {
*p;
}
void getenv_test4() {
char *p = getenv("VAR");
does_not_modify(p); // no-warning
}
void getenv_test5() {
static char *array[] = {0};
if (!array[0]) {
// expected-note@-1{{Taking true branch}}
array[0] = getenv("TEMPDIR");
// expected-note@-1{{Return value of 'getenv' should be treated as const-qualified}}
// expected-note@-2{{Assigning value}}
}
*array[0] = 'A';
// expected-warning@-1{{Modifying immutable memory [core.StoreToImmutable]}}
// expected-note@-2{{Modifying immutable memory}}
}
void getenv_test6() {
char *p = getenv("VAR");
// expected-note@-1{{Return value of 'getenv' should be treated as const-qualified}}
if (!p)
// expected-note@-1{{Assuming 'p' is non-null}}
// expected-note@-2{{Taking false branch}}
return;
p[0] = '\0';
// expected-warning@-1{{Modifying immutable memory [core.StoreToImmutable]}}
// expected-note@-2{{Modifying immutable memory}}
}
void setlocale_test() {
char *p = setlocale(0, "VAR");
// expected-note@-1{{Return value of 'setlocale' should be treated as const-qualified}}
// expected-note@-2{{'p' initialized here}}
*p = 'A';
// expected-warning@-1{{Modifying immutable memory [core.StoreToImmutable]}}
// expected-note@-2{{Modifying immutable memory}}
}
void strerror_test() {
char *p = strerror(0);
// expected-note@-1{{Return value of 'strerror' should be treated as const-qualified}}
// expected-note@-2{{'p' initialized here}}
*p = 'A';
// expected-warning@-1{{Modifying immutable memory [core.StoreToImmutable]}}
// expected-note@-2{{Modifying immutable memory}}
}
void asctime_test() {
char* p = asctime(nullptr);
// expected-note@-1{{Return value of 'asctime' should be treated as const-qualified}}
// expected-note@-2{{'p' initialized here}}
*p = 'A';
// expected-warning@-1{{Modifying immutable memory [core.StoreToImmutable]}}
// expected-note@-2{{Modifying immutable memory}}
}
// Test cases from CERT Rule Page
namespace noncompliant {
void trstr(char *c_str, char orig, char rep) {
while (*c_str != '\0') {
// expected-note@-1{{Assuming the condition is true}}
// expected-note@-2{{Loop condition is true. Entering loop body}}
if (*c_str == orig) {
// expected-note@-1{{Assuming the condition is true}}
// expected-note@-2{{Taking true branch}}
*c_str = rep;
// expected-warning@-1{{Modifying immutable memory [core.StoreToImmutable]}}
// expected-note@-2{{Modifying immutable memory}}
}
++c_str;
}
}
void func(void) {
char *env = getenv("TEST_ENV");
// expected-note@-1{{Return value of 'getenv' should be treated as const-qualified}}
// expected-note@-2{{'env' initialized here}}
if (env == NULL) {
// expected-note@-1{{Assuming 'env' is not equal to NULL}}
// expected-note@-2{{Taking false branch}}
return;
}
trstr(env, '"', '_'); // Writing to immutable region within the call.
// expected-note@-1{{Calling 'trstr'}}
// expected-note@-2{{Passing value via 1st parameter 'c_str'}}
}
} // namespace noncompliant
namespace compliant1 {
void trstr(char *c_str, char orig, char rep) {
while (*c_str != '\0') {
if (*c_str == orig) {
*c_str = rep; // no-warning
}
++c_str;
}
}
void func(void) {
const char *env;
char *copy_of_env;
env = getenv("TEST_ENV");
if (env == NULL) {
return;
}
copy_of_env = (char *)malloc(strlen(env) + 1);
if (copy_of_env == NULL) {
return;
}
strcpy(copy_of_env, env);
trstr(copy_of_env, '"', '_');
/* ... */
free(copy_of_env);
}
} // namespace compliant1
namespace compliant2 {
void trstr(char *c_str, char orig, char rep) {
while (*c_str != '\0') {
if (*c_str == orig) {
*c_str = rep; // no-warning
}
++c_str;
}
}
void func(void) {
const char *env;
char *copy_of_env;
env = getenv("TEST_ENV");
if (env == NULL) {
return;
}
copy_of_env = strdup(env);
if (copy_of_env == NULL) {
return;
}
trstr(copy_of_env, '"', '_');
if (setenv("TEST_ENV", copy_of_env, 1) != 0) {
return;
}
/* ... */
free(copy_of_env);
}
} // namespace compliant2

clang/test/Analysis/std-c-library-functions-arg-enabled-checkers.c

Show All 26 Lines
// CHECK-NEXT: apiModeling.llvm.CastValue // CHECK-NEXT: apiModeling.llvm.CastValue
// CHECK-NEXT: apiModeling.llvm.ReturnValue // CHECK-NEXT: apiModeling.llvm.ReturnValue
// CHECK-NEXT: core.DivideZero // CHECK-NEXT: core.DivideZero
// CHECK-NEXT: core.DynamicTypePropagation // CHECK-NEXT: core.DynamicTypePropagation
// CHECK-NEXT: core.NonnilStringConstants // CHECK-NEXT: core.NonnilStringConstants
// CHECK-NEXT: core.NullDereference // CHECK-NEXT: core.NullDereference
// CHECK-NEXT: core.StackAddrEscapeBase // CHECK-NEXT: core.StackAddrEscapeBase
// CHECK-NEXT: core.StackAddressEscape // CHECK-NEXT: core.StackAddressEscape
// CHECK-NEXT: core.StoreToImmutable
// CHECK-NEXT: core.UndefinedBinaryOperatorResult // CHECK-NEXT: core.UndefinedBinaryOperatorResult
// CHECK-NEXT: core.VLASize // CHECK-NEXT: core.VLASize
// CHECK-NEXT: core.builtin.BuiltinFunctions // CHECK-NEXT: core.builtin.BuiltinFunctions
// CHECK-NEXT: core.builtin.NoReturnFunctions // CHECK-NEXT: core.builtin.NoReturnFunctions
// CHECK-NEXT: core.uninitialized.ArraySubscript // CHECK-NEXT: core.uninitialized.ArraySubscript
// CHECK-NEXT: core.uninitialized.Assign // CHECK-NEXT: core.uninitialized.Assign
// CHECK-NEXT: core.uninitialized.Branch // CHECK-NEXT: core.uninitialized.Branch
// CHECK-NEXT: core.uninitialized.CapturedBlockVariable // CHECK-NEXT: core.uninitialized.CapturedBlockVariable
Show All 26 Lines