This is an archive of the discontinued LLVM Phabricator instance.

Differential D137790

[clang][analyzer] Remove report of null stream from StreamChecker.
ClosedPublic

Authored by balazske on Nov 10 2022, 8:40 AM.

Details

Reviewers
Szelethus
NoQ
gamesh411
Commits
rG570bf972f5ad: [clang][analyzer] Remove report of null stream from StreamChecker.
Summary

The case of NULL stream passed to stream functions was reported by StreamChecker.
The same condition is checked already by StdLibraryFunctionsChecker and it is
enough to check at one place. The StreamChecker stops now analysis if a passed NULL
stream is encountered but generates no report.
This change removes a dependency between StdCLibraryFunctionArgs checker and
StreamChecker. There is now no more specific message reported by StreamChecker,
the previous weak-dependency is not needed. And StreamChecker can be used
without StdCLibraryFunctions checker or its ModelPOSIX option.

Diff Detail

Event Timeline

balazske created this revision.Nov 10 2022, 8:40 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptNov 10 2022, 8:40 AM
Herald added a reviewer: NoQ. · View Herald Transcript
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: steakhal, manas, ASDenysPetrov and 10 others. · View Herald Transcript
balazske requested review of this revision.Nov 10 2022, 8:40 AM
Herald added a project: Restricted Project. · View Herald TranscriptNov 10 2022, 8:40 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B197090: Diff 474559.Nov 10 2022, 8:41 AM
balazske added parent revisions: D137722: [clang][analyzer] No new nodes when bug is detected in StdLibraryFunctionsChecker., D135360: [clang][analyzer] Add some more functions to StreamChecker and StdLibraryFunctionsChecker..Nov 10 2022, 8:45 AM
balazske added a reviewer: gamesh411.
balazske added a comment.Nov 10 2022, 8:53 AM

Test file std-c-library-functions-vs-stream-checker.c could be removed. It tests the same as the newly added stream-stdlibraryfunctionargs.c.

balazske removed a parent revision: D137722: [clang][analyzer] No new nodes when bug is detected in StdLibraryFunctionsChecker..Dec 7 2022, 12:17 AM
Szelethus added a comment.Dec 13 2022, 1:49 AM

IIRC we talked about it would only really make sense to evaluate this patch stack as a whole, not piece by piece, but I'm not seeing results on open source projects here either. Can you please post them?

balazske added a comment.Dec 13 2022, 8:49 AM

Some reports can be found here (if the link works and the data does not expire), the runs stored on 2022-12-09.

Results appeared only projects "postgres" and "curl" (from memcached,tmux,curl,twin,vim,openssl,sqlite,ffmpeg,postgres,libwebm) from checkers StdCLibraryFunctionArgs and Errno.

On the postgres results, the second is one that can be fixed in the checker (add special cases to StdLibraryFunctionsChecker for zero len or size fread and fwrite arguments). The others are false positives because the error path is impossible because implicit constraints (what is not known to the analyzer) on variables.

These curl results look faulty, the last fclose call looks not recognized.

Szelethus added a comment.Dec 19 2022, 3:30 AM
In D137790#3992216, @balazske wrote:

Some reports can be found here (if the link works and the data does not expire), the runs stored on 2022-12-09.

Results appeared only projects "postgres" and "curl" (from memcached,tmux,curl,twin,vim,openssl,sqlite,ffmpeg,postgres,libwebm) from checkers StdCLibraryFunctionArgs and Errno.

On the postgres results, the second is one that can be fixed in the checker (add special cases to StdLibraryFunctionsChecker for zero len or size fread and fwrite arguments). The others are false positives because the error path is impossible because implicit constraints (what is not known to the analyzer) on variables.

These curl results look faulty, the last fclose call looks not recognized.

Please make the link a little more reviewer friendly. You can make a CodeChecker URL where the appropriate runs are already selected, with the appropriate checkers being filtered, and uniquing turned on, like this:
https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=libwebm_libwebm-1.0.0.27_baseline&run=postgres_REL_13_0_baseline&run=ffmpeg_n4.3.1_baseline&run=sqlite_version-3.33.0_baseline&run=openssl_openssl-3.0.0-alpha7_baseline&run=vim_v8.2.1920_baseline&run=twin_v0.8.1_baseline&run=curl_curl-7_66_0_baseline&run=tmux_2.6_baseline&run=memcached_1.6.8_baseline&is-unique=on&diff-type=New&checker-name=alpha.unix.Errno&checker-name=alpha.unix.StdCLibraryFunctionArgs

Also, I'd appreciate links to the specific reports you are describing. I'm not sure what postgres results you are talking about, because I suspect I listed them differently. You made a link to the curl result, so please do it for the others as well.

Szelethus added a comment.EditedDec 19 2022, 6:09 AM
In D137790#3992216, @balazske wrote:

On the postgres results, the second is one that can be fixed in the checker (add special cases to StdLibraryFunctionsChecker for zero len or size fread and fwrite arguments). The others are false positives because the error path is impossible because implicit constraints (what is not known to the analyzer) on variables.

I'd want some more thorough explanations as well. Path events are numbered in CodeChecker, you can use them to explain why you think the report is a false positive.

balazske added a comment.Dec 19 2022, 6:12 AM

Here is a postgers result link, results are from StdCLibraryFunctionArgs checker. The second report is in file relcache.c (it looks like that data pointer is really null but the len value is 0, and in this special case the data pointer should be ignored according to the standards). A FIXME for this case was added to the code in D135247.

balazske added a comment.Dec 19 2022, 6:25 AM

About the first postgres result in pg_backup_tar.c:
At step 3 we see that original value of len is 1. The condition in step 5 is true, then th->filelen-th->pos should be < 1. This is the new value assigned to len. In step 6 len can be only <=0. Still the condition is assumed to be false what is not possible. At this point the path becomes already invalid.

Szelethus added a comment.EditedDec 19 2022, 6:29 AM

I have a fear that we may have too few results as well -- maybe we should expand our testing infrastructure with more POSIX API heavy codebases. Looking at a few new projects, https://github.com/audacity/audacity looks like a good candidate, but of course it often turns out that adding a new project to the benchmark is more troublesome than it appears...

In D137790#4004803, @balazske wrote:

Here is a postgers result link, results are from StdCLibraryFunctionArgs checker. The second report is in file relcache.c (it looks like that data pointer is really null but the len value is 0, and in this special case the data pointer should be ignored according to the standards). A FIXME for this case was added to the code in D135247.

Could you please re-evaluate the patch stack with the new fix?
edit: Sorry, realized you said FIXME, not fix :)

balazske added a comment.Dec 19 2022, 9:17 AM

I would split the patches D135360 and D135247 (the two before this) into new patches, one for StreamChecker, other for StdLibraryFunctionsChecker only. This can make review (and commit history) more clear. And StdLibraryFunctionsChecker can be modified probably in a new patch that comes before these, to change how NoteTags are added.

balazske added a comment.Dec 20 2022, 6:03 AM

The changes D135360 and D135247 are now replaced by D140387 and D140395. The two new patches together add out almost the same code as the two old ones, except small differences in comments.

balazske edited parent revisions, added: D140395: [clang][analyzer] Extend StreamChecker with some new functions.; removed: D135360: [clang][analyzer] Add some more functions to StreamChecker and StdLibraryFunctionsChecker..Dec 20 2022, 8:51 AM
balazske mentioned this in D140387: [clang][analyzer] Add stream related functions to StdLibraryFunctionsChecker..Jan 2 2023, 7:30 AM
Szelethus added a comment.Jan 2 2023, 8:31 AM

Are you sure that the refactoring made no changes to the results? Could you maybe just run a nightly or something like that to confirm?

Szelethus accepted this revision.Jan 4 2023, 6:38 AM

Please rerun the evaluation before commiting to confirm the results haven't changed! Otherwise, LGTM.

clang/test/Analysis/stream.c
89
This revision is now accepted and ready to land.Jan 4 2023, 6:38 AM
Szelethus added inline comments.Jan 4 2023, 6:41 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
507–511

Okay, but how does CheckerContext::isDifferent() misbehave in that case?

balazske added inline comments.Jan 4 2023, 7:40 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
507–511

I do not know exactly why I put this this FIXME here. I was probably thinking about a situation when errno does not change in any case and the modeled function (feof) has no other effect. But feof should not change errno only if the stream is valid, and if the stream is unknown it may be invalid. Now the evalCall returns false, a default evaluation follows and errno is invalidated, this is how it should work. The FIXME can be removed.

This revision was landed with ongoing or failed builds.Jan 9 2023, 12:49 AM
Closed by commit rG570bf972f5ad: [clang][analyzer] Remove report of null stream from StreamChecker. (authored by balazske). · Explain Why
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rG570bf972f5ad: [clang][analyzer] Remove report of null stream from StreamChecker..

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
2 lines
lib/
StaticAnalyzer/
Checkers/
20 lines
test/
Analysis/
2 lines
7 lines
45 lines
14 lines
142 lines
77 lines

Diff 474559

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 582 Lines▼ Show 20 Linesdef BlockInCriticalSectionChecker : Checker<"BlockInCriticalSection">,
HelpText<"Check for calls to blocking functions inside a critical section">, HelpText<"Check for calls to blocking functions inside a critical section">,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def StdCLibraryFunctionArgsChecker : Checker<"StdCLibraryFunctionArgs">, def StdCLibraryFunctionArgsChecker : Checker<"StdCLibraryFunctionArgs">,
HelpText<"Check constraints of arguments of C standard library functions, " HelpText<"Check constraints of arguments of C standard library functions, "
"such as whether the parameter of isalpha is in the range [0, 255] " "such as whether the parameter of isalpha is in the range [0, 255] "
"or is EOF.">, "or is EOF.">,
Dependencies<[StdCLibraryFunctionsChecker]>, Dependencies<[StdCLibraryFunctionsChecker]>,
WeakDependencies<[CallAndMessageChecker, NonNullParamChecker, StreamChecker]>, WeakDependencies<[CallAndMessageChecker, NonNullParamChecker]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
} // end "alpha.unix" } // end "alpha.unix"
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// C++ checkers. // C++ checkers.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 1,141 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

Show First 20 LinesShow All 204 Lines▼ Show 20 LinesProgramStateRef bindInt(uint64_t Value, ProgramStateRef State,
CheckerContext &C, const CallExpr *CE) { CheckerContext &C, const CallExpr *CE) {
State = State->BindExpr(CE, C.getLocationContext(), State = State->BindExpr(CE, C.getLocationContext(),
C.getSValBuilder().makeIntVal(Value, CE->getType())); C.getSValBuilder().makeIntVal(Value, CE->getType()));
return State; return State;
} }
class StreamChecker : public Checker<check::PreCall, eval::Call, class StreamChecker : public Checker<check::PreCall, eval::Call,
check::DeadSymbols, check::PointerEscape> { check::DeadSymbols, check::PointerEscape> {
BugType BT_FileNull{this, "NULL stream pointer", "Stream handling error"};
BugType BT_UseAfterClose{this, "Closed stream", "Stream handling error"}; BugType BT_UseAfterClose{this, "Closed stream", "Stream handling error"};
BugType BT_UseAfterOpenFailed{this, "Invalid stream", BugType BT_UseAfterOpenFailed{this, "Invalid stream",
"Stream handling error"}; "Stream handling error"};
BugType BT_IndeterminatePosition{this, "Invalid stream state", BugType BT_IndeterminatePosition{this, "Invalid stream state",
"Stream handling error"}; "Stream handling error"};
BugType BT_IllegalWhence{this, "Illegal whence argument", BugType BT_IllegalWhence{this, "Illegal whence argument",
"Stream handling error"}; "Stream handling error"};
BugType BT_StreamEof{this, "Stream already in EOF", "Stream handling error"}; BugType BT_StreamEof{this, "Stream already in EOF", "Stream handling error"};
▲ Show 20 LinesShow All 111 Lines▼ Show 20 Lines void evalFeofFerror(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C, CheckerContext &C,
const StreamErrorState &ErrorKind) const; const StreamErrorState &ErrorKind) const;
void evalSetFeofFerror(const FnDescription *Desc, const CallEvent &Call, void evalSetFeofFerror(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C, CheckerContext &C,
const StreamErrorState &ErrorKind) const; const StreamErrorState &ErrorKind) const;
/// Check that the stream (in StreamVal) is not NULL. /// Check that the stream (in StreamVal) is not NULL.
/// If it can only be NULL a fatal error is emitted and nullptr returned. /// If it can only be NULL a sink node is generated and nullptr returned.
/// Otherwise the return value is a new state where the stream is constrained /// Otherwise the return value is a new state where the stream is constrained
/// to be non-null. /// to be non-null.
ProgramStateRef ensureStreamNonNull(SVal StreamVal, const Expr *StreamE, ProgramStateRef ensureStreamNonNull(SVal StreamVal, const Expr *StreamE,
CheckerContext &C, CheckerContext &C,
ProgramStateRef State) const; ProgramStateRef State) const;
/// Check that the stream is the opened state. /// Check that the stream is the opened state.
/// If the stream is known to be not opened an error is generated /// If the stream is known to be not opened an error is generated
▲ Show 20 LinesShow All 150 Lines▼ Show 20 Linesbool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
const FnDescription *Desc = lookupFn(Call); const FnDescription *Desc = lookupFn(Call);
if (!Desc && TestMode) if (!Desc && TestMode)
Desc = FnTestDescriptions.lookup(Call); Desc = FnTestDescriptions.lookup(Call);
if (!Desc || !Desc->EvalFn) if (!Desc || !Desc->EvalFn)
return false; return false;
Desc->EvalFn(this, Desc, Call, C); Desc->EvalFn(this, Desc, Call, C);
// FIXME: Use a return value from EvalFn instead of isDifferent.
// Some functions should not change state and not have any other
// (invalidation, including errno) effect.
// For example if 'feof' is used with unknown stream we know that errno does
// not change (and presumably no other state that is otherwise invalidated).
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Okay, but how does CheckerContext::isDifferent() misbehave in that case?

Szelethus: Okay, but how does `CheckerContext::isDifferent()` misbehave in that case?
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I do not know exactly why I put this this FIXME here. I was probably thinking about a situation when errno does not change in any case and the modeled function (feof) has no other effect. But feof should not change errno only if the stream is valid, and if the stream is unknown it may be invalid. Now the evalCall returns false, a default evaluation follows and errno is invalidated, this is how it should work. The FIXME can be removed.

balazske: I do not know exactly why I put this this FIXME here. I was probably thinking about a situation…
return C.isDifferent(); return C.isDifferent();
} }
void StreamChecker::evalFopen(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::evalFopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE) if (!CE)
▲ Show 20 LinesShow All 524 Lines▼ Show 20 Lines if (!Stream)
return State; return State;
ConstraintManager &CM = C.getConstraintManager(); ConstraintManager &CM = C.getConstraintManager();
ProgramStateRef StateNotNull, StateNull; ProgramStateRef StateNotNull, StateNull;
std::tie(StateNotNull, StateNull) = CM.assumeDual(C.getState(), *Stream); std::tie(StateNotNull, StateNull) = CM.assumeDual(C.getState(), *Stream);
if (!StateNotNull && StateNull) { if (!StateNotNull && StateNull) {
if (ExplodedNode *N = C.generateErrorNode(StateNull)) { // Stream argument is NULL, stop analysis on this path.
auto R = std::make_unique<PathSensitiveBugReport>( // This case should occur only if StdLibraryFunctionsChecker (or ModelPOSIX
BT_FileNull, "Stream pointer might be NULL.", N); // option of it) is not turned on, otherwise that checker ensures non-null
if (StreamE) // argument.
bugreporter::trackExpressionValue(N, StreamE, *R); C.generateSink(StateNull, C.getPredecessor());
C.emitReport(std::move(R));
}
return nullptr; return nullptr;
} }
return StateNotNull; return StateNotNull;
} }
ProgramStateRef StreamChecker::ensureStreamOpened(SVal StreamVal, ProgramStateRef StreamChecker::ensureStreamOpened(SVal StreamVal,
CheckerContext &C, CheckerContext &C,
▲ Show 20 LinesShow All 232 LinesShow Last 20 Lines

clang/test/Analysis/std-c-library-functions-arg-enabled-checkers.c

Show All 12 Lines
// RUN: 2>&1 | FileCheck %s --implicit-check-not=ANALYZE \ // RUN: 2>&1 | FileCheck %s --implicit-check-not=ANALYZE \
// RUN: --implicit-check-not=\. // RUN: --implicit-check-not=\.
// CHECK: OVERVIEW: Clang Static Analyzer Enabled Checkers List // CHECK: OVERVIEW: Clang Static Analyzer Enabled Checkers List
// CHECK-EMPTY: // CHECK-EMPTY:
// CHECK-NEXT: core.CallAndMessageModeling // CHECK-NEXT: core.CallAndMessageModeling
// CHECK-NEXT: core.CallAndMessage // CHECK-NEXT: core.CallAndMessage
// CHECK-NEXT: core.NonNullParamChecker // CHECK-NEXT: core.NonNullParamChecker
// CHECK-NEXT: alpha.unix.Stream
// CHECK-NEXT: apiModeling.StdCLibraryFunctions // CHECK-NEXT: apiModeling.StdCLibraryFunctions
// CHECK-NEXT: alpha.unix.StdCLibraryFunctionArgs // CHECK-NEXT: alpha.unix.StdCLibraryFunctionArgs
// CHECK-NEXT: alpha.unix.Stream
// CHECK-NEXT: apiModeling.Errno // CHECK-NEXT: apiModeling.Errno
// CHECK-NEXT: apiModeling.TrustNonnull // CHECK-NEXT: apiModeling.TrustNonnull
// CHECK-NEXT: apiModeling.TrustReturnsNonnull // CHECK-NEXT: apiModeling.TrustReturnsNonnull
// CHECK-NEXT: apiModeling.llvm.CastValue // CHECK-NEXT: apiModeling.llvm.CastValue
// CHECK-NEXT: apiModeling.llvm.ReturnValue // CHECK-NEXT: apiModeling.llvm.ReturnValue
// CHECK-NEXT: core.DivideZero // CHECK-NEXT: core.DivideZero
// CHECK-NEXT: core.DynamicTypePropagation // CHECK-NEXT: core.DynamicTypePropagation
// CHECK-NEXT: core.NonnilStringConstants // CHECK-NEXT: core.NonnilStringConstants
Show All 37 Lines

clang/test/Analysis/std-c-library-functions-arg-weakdeps.c

// Check that the more specific checkers report and not the generic // Check that the more specific checkers report and not the generic
// StdCLibraryFunctionArgs checker. // StdCLibraryFunctionArgs checker.
// RUN: %clang_analyze_cc1 %s \ // RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \ // RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \
// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true \ // RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true \
// RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctionArgs \ // RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctionArgs \
// RUN: -analyzer-checker=alpha.unix.Stream \
// RUN: -triple x86_64-unknown-linux-gnu \ // RUN: -triple x86_64-unknown-linux-gnu \
// RUN: -verify // RUN: -verify
// Make sure that all used functions have their summary loaded. // Make sure that all used functions have their summary loaded.
// RUN: %clang_analyze_cc1 %s \ // RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \ // RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \
// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true \ // RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true \
// RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctionArgs \ // RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctionArgs \
// RUN: -analyzer-checker=alpha.unix.Stream \
// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries=true \ // RUN: -analyzer-config apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries=true \
// RUN: -triple x86_64-unknown-linux 2>&1 | FileCheck %s // RUN: -triple x86_64-unknown-linux 2>&1 | FileCheck %s
// CHECK: Loaded summary for: int isalnum(int) // CHECK: Loaded summary for: int isalnum(int)
// CHECK: Loaded summary for: unsigned long fread(void *restrict, size_t, size_t, FILE *restrict) __attribute__((nonnull(1))) // CHECK: Loaded summary for: unsigned long fread(void *restrict, size_t, size_t, FILE *restrict) __attribute__((nonnull(1)))
// CHECK: Loaded summary for: int fileno(FILE *stream) // CHECK: Loaded summary for: int fileno(FILE *stream)
void initializeSummaryMap(void); void initializeSummaryMap(void);
Show All 22 Linesvoid test_uninit_arg(void) {
(void)r; (void)r;
} }
void test_notnull_arg(FILE *F) { void test_notnull_arg(FILE *F) {
int *p = 0; int *p = 0;
fread(p, sizeof(int), 5, F); // \ fread(p, sizeof(int), 5, F); // \
expected-warning{{Null pointer passed to 1st parameter expecting 'nonnull' [core.NonNullParamChecker]}} expected-warning{{Null pointer passed to 1st parameter expecting 'nonnull' [core.NonNullParamChecker]}}
} }
void test_notnull_stream_arg(void) {
fileno(0); // \
// expected-warning{{Stream pointer might be NULL [alpha.unix.Stream]}}
}

clang/test/Analysis/stream-noopen.c

Show All 27 Lines if (F) {
if (errno) {} // expected-warning{{undefined}} if (errno) {} // expected-warning{{undefined}}
} else { } else {
clang_analyzer_eval(errno != 0); // expected-warning {{TRUE}} clang_analyzer_eval(errno != 0); // expected-warning {{TRUE}}
} }
} }
void test_fread(FILE *F) { void test_fread(FILE *F) {
size_t Ret = fread(RBuf, 1, 10, F); size_t Ret = fread(RBuf, 1, 10, F);
clang_analyzer_eval(F != NULL); // expected-warning {{TRUE}}
if (Ret == 10) { if (Ret == 10) {
if (errno) {} // expected-warning{{undefined}} if (errno) {} // expected-warning{{undefined}}
} else { } else {
clang_analyzer_eval(Ret < 10); // expected-warning {{TRUE}}
clang_analyzer_eval(errno != 0); // expected-warning {{TRUE}} clang_analyzer_eval(errno != 0); // expected-warning {{TRUE}}
} }
clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}}
} }
void test_fwrite(FILE *F) { void test_fwrite(FILE *F) {
size_t Ret = fwrite(WBuf, 1, 10, F); size_t Ret = fwrite(WBuf, 1, 10, F);
clang_analyzer_eval(F != NULL); // expected-warning {{TRUE}}
if (Ret == 10) { if (Ret == 10) {
if (errno) {} // expected-warning{{undefined}} if (errno) {} // expected-warning{{undefined}}
} else { } else {
clang_analyzer_eval(Ret < 10); // expected-warning {{TRUE}}
clang_analyzer_eval(errno != 0); // expected-warning {{TRUE}} clang_analyzer_eval(errno != 0); // expected-warning {{TRUE}}
} }
clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}}
} }
void test_fclose(FILE *F) { void test_fclose(FILE *F) {
int Ret = fclose(F); int Ret = fclose(F);
clang_analyzer_eval(F != NULL); // expected-warning {{TRUE}}
if (Ret == 0) { if (Ret == 0) {
if (errno) {} // expected-warning{{undefined}} if (errno) {} // expected-warning{{undefined}}
} else { } else {
clang_analyzer_eval(Ret == EOF); // expected-warning {{TRUE}} clang_analyzer_eval(Ret == EOF); // expected-warning {{TRUE}}
clang_analyzer_eval(errno != 0); // expected-warning {{TRUE}} clang_analyzer_eval(errno != 0); // expected-warning {{TRUE}}
} }
clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}}
} }
void test_fseek(FILE *F) { void test_fseek(FILE *F) {
int Ret = fseek(F, SEEK_SET, 1); int Ret = fseek(F, SEEK_SET, 1);
clang_analyzer_eval(F != NULL); // expected-warning {{TRUE}}
if (Ret == 0) { if (Ret == 0) {
if (errno) {} // expected-warning{{undefined}} if (errno) {} // expected-warning{{undefined}}
} else { } else {
clang_analyzer_eval(Ret == -1); // expected-warning {{TRUE}} clang_analyzer_eval(Ret == -1); // expected-warning {{TRUE}}
clang_analyzer_eval(errno != 0); // expected-warning {{TRUE}} clang_analyzer_eval(errno != 0); // expected-warning {{TRUE}}
} }
clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}}
} }
void check_fgetpos(FILE *F) { void check_fgetpos(FILE *F) {
errno = 0; errno = 0;
fpos_t Pos; fpos_t Pos;
int Ret = fgetpos(F, &Pos); int Ret = fgetpos(F, &Pos);
clang_analyzer_eval(F != NULL); // expected-warning {{TRUE}}
if (Ret) if (Ret)
clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}} clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
else else
clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}} clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}}
// expected-warning@-1{{FALSE}} // expected-warning@-1{{FALSE}}
if (errno) {} // no-warning if (errno) {} // no-warning
clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}}
} }
void check_fsetpos(FILE *F) { void check_fsetpos(FILE *F) {
errno = 0; errno = 0;
fpos_t Pos; fpos_t Pos;
int Ret = fsetpos(F, &Pos); int Ret = fsetpos(F, &Pos);
clang_analyzer_eval(F != NULL); // expected-warning {{TRUE}}
if (Ret) if (Ret)
clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}} clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
else else
clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}} clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}}
// expected-warning@-1{{FALSE}} // expected-warning@-1{{FALSE}}
if (errno) {} // no-warning if (errno) {} // no-warning
clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}}
} }
void check_ftell(FILE *F) { void check_ftell(FILE *F) {
errno = 0; errno = 0;
long Ret = ftell(F); long Ret = ftell(F);
clang_analyzer_eval(F != NULL); // expected-warning {{TRUE}}
if (Ret == -1) { if (Ret == -1) {
clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}} clang_analyzer_eval(errno != 0); // expected-warning{{TRUE}}
} else { } else {
clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}} clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}}
// expected-warning@-1{{FALSE}} // expected-warning@-1{{FALSE}}
clang_analyzer_eval(Ret >= 0); // expected-warning{{TRUE}} clang_analyzer_eval(Ret >= 0); // expected-warning{{TRUE}}
} }
if (errno) {} // no-warning if (errno) {} // no-warning
clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}}
} }
void test_rewind(FILE *F) {
errno = 0;
rewind(F);
clang_analyzer_eval(F != NULL); // expected-warning{{TRUE}}
clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}}
// expected-warning@-1{{FALSE}}
rewind(F);
}
void test_feof(FILE *F) {
errno = 0;
feof(F);
clang_analyzer_eval(F != NULL); // expected-warning{{TRUE}}
if (errno) {} // no-warning
clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}}
// expected-warning@-1{{FALSE}}
}
void test_ferror(FILE *F) {
errno = 0;
ferror(F);
clang_analyzer_eval(F != NULL); // expected-warning{{TRUE}}
if (errno) {} // no-warning
clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}}
// expected-warning@-1{{FALSE}}
}
void test_clearerr(FILE *F) {
errno = 0;
clearerr(F);
clang_analyzer_eval(F != NULL); // expected-warning{{TRUE}}
if (errno) {} // no-warning
clang_analyzer_eval(errno == 0); // expected-warning{{TRUE}}
// expected-warning@-1{{FALSE}}
}
void freadwrite_zerosize(FILE *F) { void freadwrite_zerosize(FILE *F) {
fwrite(WBuf, 1, 0, F); fwrite(WBuf, 1, 0, F);
clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}}
if (errno) {} // no-warning if (errno) {} // no-warning
fwrite(WBuf, 0, 1, F); fwrite(WBuf, 0, 1, F);
clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(feof(F)); // expected-warning {{UNKNOWN}}
clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}} clang_analyzer_eval(ferror(F)); // expected-warning {{UNKNOWN}}
Show All 10 Lines

clang/test/Analysis/stream-note.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream -analyzer-output text -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream -analyzer-output text \
// RUN: -verify %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream,alpha.unix.StdCLibraryFunctionArgs -analyzer-output text \
// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true -verify=expected,stdargs %s
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
void check_note_at_correct_open(void) { void check_note_at_correct_open(void) {
FILE *F1 = tmpfile(); // expected-note {{Stream opened here}} FILE *F1 = tmpfile(); // expected-note {{Stream opened here}}
if (!F1) if (!F1)
// expected-note@-1 {{'F1' is non-null}} // expected-note@-1 {{'F1' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
▲ Show 20 LinesShow All 65 Lines▼ Show 20 Linesvoid check_note_leak_2(int c) {
// expected-warning@-3 {{Opened stream never closed. Potential resource leak}} // expected-warning@-3 {{Opened stream never closed. Potential resource leak}}
// expected-note@-4 {{Opened stream never closed. Potential resource leak}} // expected-note@-4 {{Opened stream never closed. Potential resource leak}}
fclose(F1); fclose(F1);
fclose(F2); fclose(F2);
} }
void check_track_null(void) { void check_track_null(void) {
FILE *F; FILE *F;
F = fopen("foo1.c", "r"); // expected-note {{Value assigned to 'F'}} expected-note {{Assuming pointer value is null}} F = fopen("foo1.c", "r"); // stdargs-note {{Value assigned to 'F'}} stdargs-note {{Assuming pointer value is null}}
if (F != NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is equal to NULL}} if (F != NULL) { // stdargs-note {{Taking false branch}} stdargs-note {{'F' is equal to NULL}}
fclose(F); fclose(F);
return; return;
} }
fclose(F); // expected-warning {{Stream pointer might be NULL}} fclose(F); // stdargs-warning {{Function argument constraint is not satisfied}}
// expected-note@-1 {{Stream pointer might be NULL}} // stdargs-note@-1 {{Function argument constraint is not satisfied}}
// stdargs-note@-2 {{The 1st argument should not be NULL}}
} }
void check_eof_notes_feof_after_feof(void) { void check_eof_notes_feof_after_feof(void) {
FILE *F; FILE *F;
char Buf[10]; char Buf[10];
F = fopen("foo1.c", "r"); F = fopen("foo1.c", "r");
if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}} if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}}
return; return;
▲ Show 20 LinesShow All 50 LinesShow Last 20 Lines

clang/test/Analysis/stream-stdlibraryfunctionargs.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream,alpha.unix.StdCLibraryFunctionArgs,debug.ExprInspection \
// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true -verify=stdargs,any %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream,debug.ExprInspection \
// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true -verify=any %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.StdCLibraryFunctionArgs,debug.ExprInspection \
// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true -verify=stdargs,any %s
#include "Inputs/system-header-simulator.h"
extern void clang_analyzer_eval(int);
void *buf;
size_t size;
size_t n;
void test_fopen(void) {
FILE *fp = fopen("path", "r");
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} any-warning{{FALSE}}
fclose(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
}
void test_tmpfile(void) {
FILE *fp = tmpfile();
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} any-warning{{FALSE}}
fclose(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
}
void test_fclose(void) {
FILE *fp = tmpfile();
fclose(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
}
void test_freopen(void) {
FILE *fp = tmpfile();
fp = freopen("file", "w", fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 3rd argument should not be NULL}}
fclose(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
}
void test_fread(void) {
FILE *fp = tmpfile();
size_t ret = fread(buf, size, n, fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 4th argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
clang_analyzer_eval(ret <= n); // any-warning{{TRUE}}
clang_analyzer_eval(ret == n); // any-warning{{TRUE}} any-warning{{FALSE}}
fclose(fp);
}
void test_fwrite(void) {
FILE *fp = tmpfile();
size_t ret = fwrite(buf, size, n, fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 4th argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
clang_analyzer_eval(ret <= n); // any-warning{{TRUE}}
clang_analyzer_eval(ret == n); // any-warning{{TRUE}} any-warning{{FALSE}}
fclose(fp);
}
void test_fseek(void) {
FILE *fp = tmpfile();
fseek(fp, 0, 0); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp);
}
void test_ftell(void) {
FILE *fp = tmpfile();
ftell(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp);
}
void test_rewind(void) {
FILE *fp = tmpfile();
rewind(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp);
}
void test_fgetpos(void) {
FILE *fp = tmpfile();
fpos_t pos;
fgetpos(fp, &pos); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp);
}
void test_fsetpos(void) {
FILE *fp = tmpfile();
fpos_t pos;
fsetpos(fp, &pos); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp);
}
void test_clearerr(void) {
FILE *fp = tmpfile();
clearerr(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp);
}
void test_feof(void) {
FILE *fp = tmpfile();
feof(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp);
}
void test_ferror(void) {
FILE *fp = tmpfile();
ferror(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp);
}
void test_fileno(void) {
FILE *fp = tmpfile();
fileno(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp);
}

clang/test/Analysis/stream.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream -verify %s
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
void check_fread(void) {
FILE *fp = tmpfile();
fread(0, 0, 0, fp); // expected-warning {{Stream pointer might be NULL}}
fclose(fp);
}
void check_fwrite(void) {
FILE *fp = tmpfile();
fwrite(0, 0, 0, fp); // expected-warning {{Stream pointer might be NULL}}
fclose(fp);
}
void check_fseek(void) {
FILE *fp = tmpfile();
fseek(fp, 0, 0); // expected-warning {{Stream pointer might be NULL}}
fclose(fp);
}
void check_ftell(void) {
FILE *fp = tmpfile();
ftell(fp); // expected-warning {{Stream pointer might be NULL}}
fclose(fp);
}
void check_rewind(void) {
FILE *fp = tmpfile();
rewind(fp); // expected-warning {{Stream pointer might be NULL}}
fclose(fp);
}
void check_fgetpos(void) {
FILE *fp = tmpfile();
fpos_t pos;
fgetpos(fp, &pos); // expected-warning {{Stream pointer might be NULL}}
fclose(fp);
}
void check_fsetpos(void) {
FILE *fp = tmpfile();
fpos_t pos;
fsetpos(fp, &pos); // expected-warning {{Stream pointer might be NULL}}
fclose(fp);
}
void check_clearerr(void) {
FILE *fp = tmpfile();
clearerr(fp); // expected-warning {{Stream pointer might be NULL}}
fclose(fp);
}
void check_feof(void) {
FILE *fp = tmpfile();
feof(fp); // expected-warning {{Stream pointer might be NULL}}
fclose(fp);
}
void check_ferror(void) {
FILE *fp = tmpfile();
ferror(fp); // expected-warning {{Stream pointer might be NULL}}
fclose(fp);
}
void check_fileno(void) {
FILE *fp = tmpfile();
fileno(fp); // expected-warning {{Stream pointer might be NULL}}
fclose(fp);
}
void f_open(void) {
FILE *p = fopen("foo", "r");
char buf[1024];
fread(buf, 1, 1, p); // expected-warning {{Stream pointer might be NULL}}
fclose(p);
}
void f_seek(void) { void f_seek(void) {
FILE *p = fopen("foo", "r"); FILE *p = fopen("foo", "r");
if (!p) if (!p)
return; return;
fseek(p, 1, SEEK_SET); // no-warning fseek(p, 1, SEEK_SET); // no-warning
fseek(p, 1, 3); // expected-warning {{The whence argument to fseek() should be SEEK_SET, SEEK_END, or SEEK_CUR}} fseek(p, 1, 3); // expected-warning {{The whence argument to fseek() should be SEEK_SET, SEEK_END, or SEEK_CUR}}
fclose(p); fclose(p);
} }
▲ Show 20 LinesShow All 68 Lines▼ Show 20 Lines
} }
// PR 8081 - null pointer crash when 'whence' is not an integer constant // PR 8081 - null pointer crash when 'whence' is not an integer constant
void pr8081(FILE *stream, long offset, int whence) { void pr8081(FILE *stream, long offset, int whence) {
fseek(stream, offset, whence); fseek(stream, offset, whence);
} }
void check_freopen_1(void) { void check_freopen_1(void) {
FILE *f1 = freopen("foo.c", "r", (FILE *)0); // expected-warning {{Stream pointer might be NULL}} FILE *f1 = freopen("foo.c", "r", (FILE *)0); // Not reported by the stream checker.
SzelethusUnsubmitted
Not Done
ReplyInline Actions
void check_freopen_1(void) {
- FILE *f1 = freopen("foo.c", "r", (FILE *)0); // Not reported by the stream checker.
+ FILE *f1 = freopen("foo.c", "r", (FILE *)0); // Reported by StdLibraryFunctionArgs checker
+ // (which is not tested here).
f1 = freopen(0, "w", (FILE *)0x123456); // Do not report this as error.
Szelethus:
f1 = freopen(0, "w", (FILE *)0x123456); // Do not report this as error. f1 = freopen(0, "w", (FILE *)0x123456); // Do not report this as error.
} }
void check_freopen_2(void) { void check_freopen_2(void) {
FILE *f1 = fopen("foo.c", "r"); FILE *f1 = fopen("foo.c", "r");
if (f1) { if (f1) {
FILE *f2 = freopen(0, "w", f1); FILE *f2 = freopen(0, "w", f1);
if (f2) { if (f2) {
▲ Show 20 LinesShow All 97 LinesShow Last 20 Lines