This is an archive of the discontinued LLVM Phabricator instance.

Differential D132017

[clang][analyzer] Add errno modeling to StreamChecker
AbandonedPublic

Authored by balazske on Aug 17 2022, 2:30 AM.

Details

Reviewers
Szelethus
NoQ
martong
Summary

Update the existing modeling of stream functions in StreamChecker
with 'errno' modeling. The not (yet) evaluated stream functions
are not updated.

Diff Detail

Event Timeline

balazske created this revision.Aug 17 2022, 2:30 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptAug 17 2022, 2:30 AM
Herald added a reviewer: NoQ. · View Herald Transcript
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: steakhal, manas, ASDenysPetrov and 10 others. · View Herald Transcript
balazske requested review of this revision.Aug 17 2022, 2:30 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 17 2022, 2:30 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
balazske added a parent revision: D131879: [clang][analyzer] Errno modeling code refactor (NFC)..Aug 17 2022, 2:31 AM
Harbormaster completed remote builds in B181704: Diff 453238.Aug 17 2022, 2:43 AM
steakhal added inline comments.Aug 17 2022, 2:58 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
283–284

Have you considered using llvm::Optional<int> for this?

537

I believe, getDecl() might return null, e.g. for calling a function pointer.

clang/test/Analysis/stream-errno.c
13–14

So these two lines correspond to the following clang_analyzer_eval().
It took me a while to make sense of the two independent note streams at once.
Please consider splitting this and similar cases to have a single stream of notes.

balazske updated this revision to Diff 453297.Aug 17 2022, 8:46 AM

StdLibraryFunctionsChecker should not overwrite errno constraints
that are set by StreamChecker.

Harbormaster completed remote builds in B181744: Diff 453297.Aug 17 2022, 9:20 AM
balazske updated this revision to Diff 454026.Aug 19 2022, 8:49 AM
balazske marked 2 inline comments as done.
  • Use Optional for EofInitialized
  • Split tests into two files with and without note check.
balazske added a child revision: D132249: [clang][analyzer] Add some functions to StreamChecker with errno modeling..Aug 19 2022, 9:11 AM
Harbormaster completed remote builds in B182239: Diff 454026.Aug 19 2022, 9:41 AM
balazske added a reviewer: martong.Aug 29 2022, 8:58 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
537

In this case the function should be known (we know that fopen is the called function, if the name is known the Decl should be known too), I think it can not be null here.

Herald added a subscriber: rnkovacs. · View Herald TranscriptAug 29 2022, 8:58 AM
martong accepted this revision.Sep 28 2022, 12:31 AM

LGTM, thanks!

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
465

Makes sense.

This revision is now accepted and ready to land.Sep 28 2022, 12:31 AM
balazske mentioned this in D135247: [clang][analyzer] Add stream functions to StdLibraryFunctionsChecker..Oct 5 2022, 1:27 AM
balazske abandoned this revision.Dec 20 2022, 1:32 AM

A new solution is in D135247. The new approach is that only StdLibraryFunctionsChecker adds the errno modeling part, together with other checks (that are applicable if StreamChecker is turned off) for pre and post conditions at the stream functions.

Revision Contents

PathSize
clang/
docs/
4 lines
lib/
StaticAnalyzer/
Checkers/
25 lines
89 lines
test/
Analysis/
99 lines
123 lines

Diff 454026

clang/docs/ReleaseNotes.rst

Show First 20 LinesShow All 201 Lines▼ Show 20 Lines
-------------------- --------------------
libclang libclang
-------- --------
Static Analyzer Static Analyzer
--------------- ---------------
- Checker ``alpha.unix.Stream`` is improved to be able to detect bugs related
to bad ``errno`` usage. The effects are visible if checker
``alpha.unix.Errno`` is turned on additionally.
.. _release-notes-ubsan: .. _release-notes-ubsan:
Undefined Behavior Sanitizer (UBSan) Undefined Behavior Sanitizer (UBSan)
------------------------------------ ------------------------------------
Core Analysis Improvements Core Analysis Improvements
========================== ==========================
Show All 30 Lines

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 440 Lines▼ Show 20 Lines public:
} }
const NoteTag *describe(CheckerContext &C, const NoteTag *describe(CheckerContext &C,
StringRef FunctionName) const override { StringRef FunctionName) const override {
return errno_modeling::getNoteTagForStdSuccess(C, FunctionName); return errno_modeling::getNoteTagForStdSuccess(C, FunctionName);
} }
}; };
/// Set errno constraints if use of 'errno' is irrelevant to the /// Reset errno constraints to irrelevant.
/// modeled function or modeling is not possible. /// This is applicable to functions that may change 'errno' and are not
class NoErrnoConstraint : public ErrnoConstraintBase { /// modeled elsewhere.
class ResetErrnoConstraint : public ErrnoConstraintBase {
public: public:
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const override { CheckerContext &C) const override {
return errno_modeling::setErrnoState(State, errno_modeling::Irrelevant); return errno_modeling::setErrnoState(State, errno_modeling::Irrelevant);
} }
}; };
/// Do not change errno constraints.
/// This is applicable to functions that are modeled in another checker
/// and the already set errno constraints should not be changed in the
/// post-call event.
class NoErrnoConstraint : public ErrnoConstraintBase {
martongUnsubmitted
Not Done
ReplyInline Actions

Makes sense.

martong: Makes sense.
public:
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary,
CheckerContext &C) const override {
return State;
}
};
/// A single branch of a function summary. /// A single branch of a function summary.
/// ///
/// A branch is defined by a series of constraints - "assumptions" - /// A branch is defined by a series of constraints - "assumptions" -
/// that together form a single possible outcome of invoking the function. /// that together form a single possible outcome of invoking the function.
/// When static analyzer considers a branch, it tries to introduce /// When static analyzer considers a branch, it tries to introduce
/// a child node in the Exploded Graph. The child node has to include /// a child node in the Exploded Graph. The child node has to include
/// constraints that define the branch. If the constraints contradict /// constraints that define the branch. If the constraints contradict
/// existing constraints in the state, the node is not created and the branch /// existing constraints in the state, the node is not created and the branch
▲ Show 20 LinesShow All 243 Lines▼ Show 20 Lines void reportBug(const CallEvent &Call, ExplodedNode *N,
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
/// These are the errno constraints that can be passed to summary cases. /// These are the errno constraints that can be passed to summary cases.
/// One of these should fit for a single summary case. /// One of these should fit for a single summary case.
/// Usually if a failure return value exists for function, that function /// Usually if a failure return value exists for function, that function
/// needs different cases for success and failure with different errno /// needs different cases for success and failure with different errno
/// constraints (and different return value constraints). /// constraints (and different return value constraints).
const NoErrnoConstraint ErrnoIrrelevant{}; const NoErrnoConstraint ErrnoAlreadySet{};
const ResetErrnoConstraint ErrnoIrrelevant{};
const SuccessErrnoConstraint ErrnoMustNotBeChecked{}; const SuccessErrnoConstraint ErrnoMustNotBeChecked{};
const FailureErrnoConstraint ErrnoNEZeroIrrelevant{}; const FailureErrnoConstraint ErrnoNEZeroIrrelevant{};
}; };
int StdLibraryFunctionsChecker::ErrnoConstraintBase::Tag = 0; int StdLibraryFunctionsChecker::ErrnoConstraintBase::Tag = 0;
const StdLibraryFunctionsChecker::ArgNo StdLibraryFunctionsChecker::Ret = const StdLibraryFunctionsChecker::ArgNo StdLibraryFunctionsChecker::Ret =
std::numeric_limits<ArgNo>::max(); std::numeric_limits<ArgNo>::max();
▲ Show 20 LinesShow All 822 Lines▼ Show 20 Lines addToFunctionSummaryMap(
{{EOFv, EOFv}, {0, UCharRangeMax}})}, {{EOFv, EOFv}, {0, UCharRangeMax}})},
ErrnoIrrelevant)); ErrnoIrrelevant));
// read()-like functions that never return more than buffer size. // read()-like functions that never return more than buffer size.
auto FreadSummary = auto FreadSummary =
Summary(NoEvalCall) Summary(NoEvalCall)
.Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
ReturnValueCondition(WithinRange, Range(0, SizeMax))}, ReturnValueCondition(WithinRange, Range(0, SizeMax))},
ErrnoIrrelevant) ErrnoAlreadySet)
.ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(3))) .ArgConstraint(NotNull(ArgNo(3)))
.ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1), .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1),
/*BufSizeMultiplier=*/ArgNo(2))); /*BufSizeMultiplier=*/ArgNo(2)));
// size_t fread(void *restrict ptr, size_t size, size_t nitems, // size_t fread(void *restrict ptr, size_t size, size_t nitems,
// FILE *restrict stream); // FILE *restrict stream);
addToFunctionSummaryMap( addToFunctionSummaryMap(
▲ Show 20 LinesShow All 1,419 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

//===-- StreamChecker.cpp -----------------------------------------*- C++ -*--// //===-- StreamChecker.cpp -----------------------------------------*- C++ -*--//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines checkers that model and check stream handling functions. // This file defines checkers that model and check stream handling functions.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ErrnoModeling.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include <functional> #include <functional>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace std::placeholders; using namespace std::placeholders;
▲ Show 20 LinesShow All 245 Lines▼ Show 20 Lines CallDescriptionMap<FnDescription> FnTestDescriptions = {
0}}, 0}},
{{"StreamTesterChecker_make_ferror_stream", 1}, {{"StreamTesterChecker_make_ferror_stream", 1},
{nullptr, {nullptr,
std::bind(&StreamChecker::evalSetFeofFerror, _1, _2, _3, _4, std::bind(&StreamChecker::evalSetFeofFerror, _1, _2, _3, _4,
ErrorFError), ErrorFError),
0}}, 0}},
}; };
mutable Optional<int> EofVal;
steakhalUnsubmitted
Done
ReplyInline Actions

Have you considered using llvm::Optional<int> for this?

steakhal: Have you considered using `llvm::Optional<int>` for this?
void evalFopen(const FnDescription *Desc, const CallEvent &Call, void evalFopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void preFreopen(const FnDescription *Desc, const CallEvent &Call, void preFreopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void evalFreopen(const FnDescription *Desc, const CallEvent &Call, void evalFreopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
▲ Show 20 LinesShow All 117 Lines▼ Show 20 Lines return C.getNoteTag([this, StreamSym](PathSensitiveBugReport &BR) {
return ""; return "";
BR.markNotInteresting(StreamSym); BR.markNotInteresting(StreamSym);
return "Assuming stream reaches end-of-file here"; return "Assuming stream reaches end-of-file here";
}); });
} }
/// Get a SVal to be used as new errno value at failure cases of stream
/// functions.
NonLoc getErrnoSVal(CheckerContext &C, const CallEvent &Call) const {
return C.getSValBuilder()
.conjureSymbolVal(this, Call.getOriginExpr(), C.getLocationContext(),
C.getASTContext().IntTy, C.blockCount())
.castAs<NonLoc>();
}
void initEof(CheckerContext &C) const {
if (EofVal)
return;
if (const llvm::Optional<int> OptInt =
tryExpandAsInteger("EOF", C.getPreprocessor()))
EofVal = *OptInt;
else
EofVal = -1;
}
/// Searches for the ExplodedNode where the file descriptor was acquired for /// Searches for the ExplodedNode where the file descriptor was acquired for
/// StreamSym. /// StreamSym.
static const ExplodedNode *getAcquisitionSite(const ExplodedNode *N, static const ExplodedNode *getAcquisitionSite(const ExplodedNode *N,
SymbolRef StreamSym, SymbolRef StreamSym,
CheckerContext &C); CheckerContext &C);
}; };
} // end anonymous namespace } // end anonymous namespace
Show All 30 Lines
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Methods of StreamChecker. // Methods of StreamChecker.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void StreamChecker::checkPreCall(const CallEvent &Call, void StreamChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
initEof(C);
const FnDescription *Desc = lookupFn(Call); const FnDescription *Desc = lookupFn(Call);
if (!Desc || !Desc->PreFn) if (!Desc || !Desc->PreFn)
return; return;
Desc->PreFn(this, Desc, Call, C); Desc->PreFn(this, Desc, Call, C);
} }
bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const { bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
Show All 24 Linesvoid StreamChecker::evalFopen(const FnDescription *Desc, const CallEvent &Call,
// Bifurcate the state into two: one with a valid FILE* pointer, the other // Bifurcate the state into two: one with a valid FILE* pointer, the other
// with a NULL. // with a NULL.
ProgramStateRef StateNotNull, StateNull; ProgramStateRef StateNotNull, StateNull;
std::tie(StateNotNull, StateNull) = std::tie(StateNotNull, StateNull) =
C.getConstraintManager().assumeDual(State, RetVal); C.getConstraintManager().assumeDual(State, RetVal);
StateNotNull = StateNotNull =
StateNotNull->set<StreamMap>(RetSym, StreamState::getOpened(Desc)); StateNotNull->set<StreamMap>(RetSym, StreamState::getOpened(Desc));
StateNotNull = errno_modeling::setErrnoForStdSuccess(StateNotNull, C);
StateNull = StateNull =
StateNull->set<StreamMap>(RetSym, StreamState::getOpenFailed(Desc)); StateNull->set<StreamMap>(RetSym, StreamState::getOpenFailed(Desc));
StateNull = errno_modeling::setErrnoForStdFailure(StateNull, C,
getErrnoSVal(C, Call));
C.addTransition(StateNotNull, ExplodedNode *N = C.addTransition(
constructNoteTag(C, RetSym, "Stream opened here")); StateNotNull, constructNoteTag(C, RetSym, "Stream opened here"));
C.addTransition(N->getState(), N,
errno_modeling::getNoteTagForStdSuccess(
C, cast<NamedDecl>(Call.getDecl())->getNameAsString()));
steakhalUnsubmitted
Not Done
ReplyInline Actions

I believe, getDecl() might return null, e.g. for calling a function pointer.

steakhal: I believe, `getDecl()` might return null, e.g. for calling a function pointer.
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

In this case the function should be known (we know that fopen is the called function, if the name is known the Decl should be known too), I think it can not be null here.

balazske: In this case the function should be known (we know that `fopen` is the called function, if the…
C.addTransition(StateNull); C.addTransition(StateNull);
} }
void StreamChecker::preFreopen(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::preFreopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
// Do not allow NULL as passed stream pointer but allow a closed stream. // Do not allow NULL as passed stream pointer but allow a closed stream.
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
State = ensureStreamNonNull(getStreamArg(Desc, Call), State = ensureStreamNonNull(getStreamArg(Desc, Call),
Show All 37 Linesvoid StreamChecker::evalFreopen(const FnDescription *Desc,
// Generate state for NULL return value. // Generate state for NULL return value.
// Stream switches to OpenFailed state. // Stream switches to OpenFailed state.
ProgramStateRef StateRetNull = ProgramStateRef StateRetNull =
State->BindExpr(CE, C.getLocationContext(), State->BindExpr(CE, C.getLocationContext(),
C.getSValBuilder().makeNullWithType(CE->getType())); C.getSValBuilder().makeNullWithType(CE->getType()));
StateRetNotNull = StateRetNotNull =
StateRetNotNull->set<StreamMap>(StreamSym, StreamState::getOpened(Desc)); StateRetNotNull->set<StreamMap>(StreamSym, StreamState::getOpened(Desc));
StateRetNotNull = errno_modeling::setErrnoForStdSuccess(StateRetNotNull, C);
StateRetNull = StateRetNull =
StateRetNull->set<StreamMap>(StreamSym, StreamState::getOpenFailed(Desc)); StateRetNull->set<StreamMap>(StreamSym, StreamState::getOpenFailed(Desc));
StateRetNull = errno_modeling::setErrnoForStdFailure(StateRetNull, C,
getErrnoSVal(C, Call));
C.addTransition(StateRetNotNull, ExplodedNode *N = C.addTransition(
constructNoteTag(C, StreamSym, "Stream reopened here")); StateRetNotNull, constructNoteTag(C, StreamSym, "Stream reopened here"));
C.addTransition(N->getState(), N,
errno_modeling::getNoteTagForStdSuccess(C, "freopen"));
C.addTransition(StateRetNull); C.addTransition(StateRetNull);
} }
void StreamChecker::evalFclose(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::evalFclose(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SymbolRef Sym = getStreamArg(Desc, Call).getAsSymbol(); SymbolRef Sym = getStreamArg(Desc, Call).getAsSymbol();
if (!Sym) if (!Sym)
return; return;
const StreamState *SS = State->get<StreamMap>(Sym); const StreamState *SS = State->get<StreamMap>(Sym);
if (!SS) if (!SS)
return; return;
auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE)
return;
assertStreamStateOpened(SS); assertStreamStateOpened(SS);
// Close the File Descriptor. // Close the File Descriptor.
// Regardless if the close fails or not, stream becomes "closed" // Regardless if the close fails or not, stream becomes "closed"
// and can not be used any more. // and can not be used any more.
State = State->set<StreamMap>(Sym, StreamState::getClosed(Desc)); State = State->set<StreamMap>(Sym, StreamState::getClosed(Desc));
C.addTransition(State); // Return 0 on success, EOF on failure.
SValBuilder &SVB = C.getSValBuilder();
ProgramStateRef StateSuccess = State->BindExpr(
CE, C.getLocationContext(), SVB.makeIntVal(0, C.getASTContext().IntTy));
ProgramStateRef StateFailure =
State->BindExpr(CE, C.getLocationContext(),
SVB.makeIntVal(*EofVal, C.getASTContext().IntTy));
StateSuccess = errno_modeling::setErrnoForStdSuccess(StateSuccess, C);
StateFailure = errno_modeling::setErrnoForStdFailure(StateFailure, C,
getErrnoSVal(C, Call));
C.addTransition(StateSuccess,
errno_modeling::getNoteTagForStdSuccess(C, "fclose"));
C.addTransition(StateFailure);
} }
void StreamChecker::preFread(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::preFread(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal StreamVal = getStreamArg(Desc, Call); SVal StreamVal = getStreamArg(Desc, Call);
State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C, State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C,
State); State);
▲ Show 20 LinesShow All 65 Lines▼ Show 20 Linesvoid StreamChecker::evalFreadFwrite(const FnDescription *Desc,
// size or nmemb is zero, fread returns zero and the contents of the array and // size or nmemb is zero, fread returns zero and the contents of the array and
// the state of the stream remain unchanged. // the state of the stream remain unchanged.
if (State->isNull(*SizeVal).isConstrainedTrue() || if (State->isNull(*SizeVal).isConstrainedTrue() ||
State->isNull(*NMembVal).isConstrainedTrue()) { State->isNull(*NMembVal).isConstrainedTrue()) {
// This is the "size or nmemb is zero" case. // This is the "size or nmemb is zero" case.
// Just return 0, do nothing more (not clear the error flags). // Just return 0, do nothing more (not clear the error flags).
State = bindInt(0, State, C, CE); State = bindInt(0, State, C, CE);
// It is unspecified what can happen with 'errno'.
State = errno_modeling::setErrnoState(State, errno_modeling::Irrelevant);
C.addTransition(State); C.addTransition(State);
return; return;
} }
// Generate a transition for the success state. // Generate a transition for the success state.
// If we know the state to be FEOF at fread, do not add a success state. // If we know the state to be FEOF at fread, do not add a success state.
if (!IsFread || (OldSS->ErrorState != ErrorFEof)) { if (!IsFread || (OldSS->ErrorState != ErrorFEof)) {
ProgramStateRef StateNotFailed = ProgramStateRef StateNotFailed =
State->BindExpr(CE, C.getLocationContext(), *NMembVal); State->BindExpr(CE, C.getLocationContext(), *NMembVal);
StateNotFailed = StateNotFailed =
StateNotFailed->set<StreamMap>(StreamSym, StreamState::getOpened(Desc)); StateNotFailed->set<StreamMap>(StreamSym, StreamState::getOpened(Desc));
C.addTransition(StateNotFailed); StateNotFailed = errno_modeling::setErrnoForStdSuccess(StateNotFailed, C);
C.addTransition(StateNotFailed,
errno_modeling::getNoteTagForStdSuccess(
C, cast<NamedDecl>(Call.getDecl())->getNameAsString()));
} }
// Add transition for the failed state. // Add transition for the failed state.
NonLoc RetVal = makeRetVal(C, CE).castAs<NonLoc>(); NonLoc RetVal = makeRetVal(C, CE).castAs<NonLoc>();
ProgramStateRef StateFailed = ProgramStateRef StateFailed =
State->BindExpr(CE, C.getLocationContext(), RetVal); State->BindExpr(CE, C.getLocationContext(), RetVal);
auto Cond = auto Cond =
C.getSValBuilder() C.getSValBuilder()
Show All 10 Lines if (IsFread)
NewES = NewES =
(OldSS->ErrorState == ErrorFEof) ? ErrorFEof : ErrorFEof | ErrorFError; (OldSS->ErrorState == ErrorFEof) ? ErrorFEof : ErrorFEof | ErrorFError;
else else
NewES = ErrorFError; NewES = ErrorFError;
// If a (non-EOF) error occurs, the resulting value of the file position // If a (non-EOF) error occurs, the resulting value of the file position
// indicator for the stream is indeterminate. // indicator for the stream is indeterminate.
StreamState NewSS = StreamState::getOpened(Desc, NewES, !NewES.isFEof()); StreamState NewSS = StreamState::getOpened(Desc, NewES, !NewES.isFEof());
StateFailed = StateFailed->set<StreamMap>(StreamSym, NewSS); StateFailed = StateFailed->set<StreamMap>(StreamSym, NewSS);
StateFailed = errno_modeling::setErrnoForStdFailure(StateFailed, C,
getErrnoSVal(C, Call));
if (IsFread && OldSS->ErrorState != ErrorFEof) if (IsFread && OldSS->ErrorState != ErrorFEof)
C.addTransition(StateFailed, constructSetEofNoteTag(C, StreamSym)); C.addTransition(StateFailed, constructSetEofNoteTag(C, StreamSym));
else else
C.addTransition(StateFailed); C.addTransition(StateFailed);
} }
void StreamChecker::preFseek(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::preFseek(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
▲ Show 20 LinesShow All 45 Lines▼ Show 20 Linesvoid StreamChecker::evalFseek(const FnDescription *Desc, const CallEvent &Call,
// We get error. // We get error.
// It is possible that fseek fails but sets none of the error flags. // It is possible that fseek fails but sets none of the error flags.
// If fseek failed, assume that the file position becomes indeterminate in any // If fseek failed, assume that the file position becomes indeterminate in any
// case. // case.
StateFailed = StateFailed->set<StreamMap>( StateFailed = StateFailed->set<StreamMap>(
StreamSym, StreamSym,
StreamState::getOpened(Desc, ErrorNone | ErrorFEof | ErrorFError, true)); StreamState::getOpened(Desc, ErrorNone | ErrorFEof | ErrorFError, true));
C.addTransition(StateNotFailed); StateNotFailed = errno_modeling::setErrnoForStdSuccess(StateNotFailed, C);
StateFailed = errno_modeling::setErrnoForStdFailure(StateFailed, C,
getErrnoSVal(C, Call));
C.addTransition(StateNotFailed,
errno_modeling::getNoteTagForStdSuccess(C, "fseek"));
C.addTransition(StateFailed, constructSetEofNoteTag(C, StreamSym)); C.addTransition(StateFailed, constructSetEofNoteTag(C, StreamSym));
} }
void StreamChecker::evalClearerr(const FnDescription *Desc, void StreamChecker::evalClearerr(const FnDescription *Desc,
const CallEvent &Call, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol(); SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
if (!StreamSym) if (!StreamSym)
return; return;
const StreamState *SS = State->get<StreamMap>(StreamSym); const StreamState *SS = State->get<StreamMap>(StreamSym);
if (!SS) if (!SS)
return; return;
assertStreamStateOpened(SS); assertStreamStateOpened(SS);
// According to POSIX no change to 'errno' shall happen.
// FilePositionIndeterminate is not cleared. // FilePositionIndeterminate is not cleared.
State = State->set<StreamMap>( State = State->set<StreamMap>(
StreamSym, StreamSym,
StreamState::getOpened(Desc, ErrorNone, SS->FilePositionIndeterminate)); StreamState::getOpened(Desc, ErrorNone, SS->FilePositionIndeterminate));
C.addTransition(State); C.addTransition(State);
} }
void StreamChecker::evalFeofFerror(const FnDescription *Desc, void StreamChecker::evalFeofFerror(const FnDescription *Desc,
Show All 9 Lines if (!CE)
return; return;
const StreamState *SS = State->get<StreamMap>(StreamSym); const StreamState *SS = State->get<StreamMap>(StreamSym);
if (!SS) if (!SS)
return; return;
assertStreamStateOpened(SS); assertStreamStateOpened(SS);
// According to POSIX no change to 'errno' shall happen.
if (SS->ErrorState & ErrorKind) { if (SS->ErrorState & ErrorKind) {
// Execution path with error of ErrorKind. // Execution path with error of ErrorKind.
// Function returns true. // Function returns true.
// From now on it is the only one error state. // From now on it is the only one error state.
ProgramStateRef TrueState = bindAndAssumeTrue(State, C, CE); ProgramStateRef TrueState = bindAndAssumeTrue(State, C, CE);
C.addTransition(TrueState->set<StreamMap>( C.addTransition(TrueState->set<StreamMap>(
StreamSym, StreamState::getOpened(Desc, ErrorKind, StreamSym, StreamState::getOpened(Desc, ErrorKind,
SS->FilePositionIndeterminate && SS->FilePositionIndeterminate &&
▲ Show 20 LinesShow All 303 LinesShow Last 20 Lines

clang/test/Analysis/stream-errno-note.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream,alpha.unix.Errno,apiModeling.StdCLibraryFunctions \
// RUN: -analyzer-output text -verify %s
#include "Inputs/system-header-simulator.h"
#include "Inputs/errno_func.h"
void check_fopen(void) {
FILE *F = fopen("xxx", "r");
// expected-note@-1{{Assuming that function 'fopen' is successful, in this case the value 'errno' may be undefined after the call and should not be used}}
// expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}}
if (!F)
return;
if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}}
// expected-note@-1{{An undefined value may be read from 'errno'}}
fclose(F);
}
void check_tmpfile(void) {
FILE *F = tmpfile();
// expected-note@-1{{Assuming that function 'tmpfile' is successful, in this case the value 'errno' may be undefined after the call and should not be used}}
// expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}}
if (!F)
return;
if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}}
// expected-note@-1{{An undefined value may be read from 'errno'}}
fclose(F);
}
void check_freopen(void) {
FILE *F = tmpfile();
// expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}}
if (!F)
return;
F = freopen("xxx", "w", F);
// expected-note@-1{{Assuming that function 'freopen' is successful}}
// expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}}
if (!F)
return;
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}}
fclose(F);
}
void check_fclose(void) {
FILE *F = tmpfile();
// expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}}
if (!F)
return;
(void)fclose(F);
// expected-note@-1{{Assuming that function 'fclose' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}}
}
void check_fread(void) {
char Buf[10];
FILE *F = tmpfile();
// expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}}
if (!F)
return;
(void)fread(Buf, 1, 10, F);
// expected-note@-1{{Assuming that function 'fread' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}}
(void)fclose(F);
}
void check_fwrite(void) {
char Buf[] = "0123456789";
FILE *F = tmpfile();
// expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}}
if (!F)
return;
int R = fwrite(Buf, 1, 10, F);
// expected-note@-1{{Assuming that function 'fwrite' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}}
(void)fclose(F);
}
void check_fseek(void) {
FILE *F = tmpfile();
// expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}}
if (!F)
return;
(void)fseek(F, 11, SEEK_SET);
// expected-note@-1{{Assuming that function 'fseek' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}}
(void)fclose(F);
}

clang/test/Analysis/stream-errno.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream,alpha.unix.Errno,apiModeling.StdCLibraryFunctions,debug.ExprInspection \
// RUN: -verify %s
#include "Inputs/system-header-simulator.h"
#include "Inputs/errno_func.h"
extern void clang_analyzer_eval(int);
extern void clang_analyzer_dump(int);
void check_fopen(void) {
FILE *F = fopen("xxx", "r");
if (!F) {
clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
if (errno) {} // no-warning
steakhalUnsubmitted
Done
ReplyInline Actions

So these two lines correspond to the following clang_analyzer_eval().
It took me a while to make sense of the two independent note streams at once.
Please consider splitting this and similar cases to have a single stream of notes.

steakhal: So these two lines correspond to the following `clang_analyzer_eval()`. It took me a while to…
return;
}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}}
}
void check_tmpfile(void) {
FILE *F = tmpfile();
if (!F) {
clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
if (errno) {} // no-warning
return;
}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}}
}
void check_freopen(void) {
FILE *F = tmpfile();
if (!F)
return;
F = freopen("xxx", "w", F);
if (!F) {
clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
if (errno) {} // no-warning
return;
}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
}
void check_fclose(void) {
FILE *F = tmpfile();
if (!F)
return;
int Ret = fclose(F);
if (Ret == EOF) {
clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
if (errno) {} // no-warning
return;
}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
}
void check_fread(void) {
char Buf[10];
FILE *F = tmpfile();
if (!F)
return;
fread(Buf, 0, 1, F);
if (errno) {} // no-warning
fread(Buf, 1, 0, F);
if (errno) {} // no-warning
int R = fread(Buf, 1, 10, F);
if (R < 10) {
clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
if (errno) {} // no-warning
fclose(F);
return;
}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
}
void check_fwrite(void) {
char Buf[] = "0123456789";
FILE *F = tmpfile();
if (!F)
return;
fwrite(Buf, 0, 1, F);
if (errno) {} // no-warning
fwrite(Buf, 1, 0, F);
if (errno) {} // no-warning
int R = fwrite(Buf, 1, 10, F);
if (R < 10) {
clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
if (errno) {} // no-warning
fclose(F);
return;
}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
}
void check_fseek(void) {
FILE *F = tmpfile();
if (!F)
return;
int S = fseek(F, 11, SEEK_SET);
if (S != 0) {
clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
if (errno) {} // no-warning
fclose(F);
return;
}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
}
void check_no_errno_change(void) {
FILE *F = tmpfile();
if (!F)
return;
errno = 1;
clearerr(F);
if (errno) {} // no-warning
feof(F);
if (errno) {} // no-warning
ferror(F);
if (errno) {} // no-warning
clang_analyzer_eval(errno == 1); // expected-warning{{TRUE}}
fclose(F);
}