This is an archive of the discontinued LLVM Phabricator instance.

Differential D139604

[PATCH] Github Issue: Create a check that warns about using %p printf specifier #43453
Needs RevisionPublic

Authored by giannicrivello on Dec 7 2022, 10:32 PM.

Details

Reviewers
NoQ
tbaeder
sscalpone
steakhal
Summary

Patched llvm-project/clang/lib/StaticAnalyzer/Checkers/UnixAPIChecker.cpp to account for the user passing a nullptr to the implementation dependent function printf(). Invoked with bin/scan-build -enable-checker optin.portability bin/clang -g test.cpp where the contents of test.cpp is:

c++
#include <stdio.h>
#include <stdlib.h>

int main() {
    int *p = nullptr;
    printf("%p", p);
}

now produces the warning:

test.cpp:6:5: warning: Passing a null pointer to printf() is implementation dependant. Portability warning [optin.portability.UnixAPI]
    printf("%p", p);
    ^~~~~~~~~~~~~~~
1 warning generated.

Diff Detail

Event Timeline

giannicrivello created this revision.Dec 7 2022, 10:32 PM
Herald added a reviewer: sscalpone. · View Herald TranscriptDec 7 2022, 10:32 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald Transcript
Herald added subscribers: steakhal, martong. · View Herald Transcript
giannicrivello requested review of this revision.Dec 7 2022, 10:32 PM
Herald added subscribers: cfe-commits, jdoerfert. · View Herald TranscriptDec 7 2022, 10:32 PM
Harbormaster completed remote builds in B201880: Diff 481150.Dec 7 2022, 10:33 PM
giannicrivello updated this revision to Diff 481154.Dec 7 2022, 10:51 PM
clementval removed a project: Restricted Project.Dec 7 2022, 11:35 PM
Harbormaster completed remote builds in B201881: Diff 481154.Dec 8 2022, 6:34 AM
steakhal requested changes to this revision.Dec 16 2022, 6:23 AM

I appreciate that you are interested in tackling this. I do think it's a low-hanging fruit, so it's a good choice!

However, there are a couple of things we need to improve before we could proceed:

  1. Add tests demonstrating all possible aspects of your change.
  2. Generally, one should check preconditions in the Pre checker callbacks, and apply postconditions (effects) in Post checker callbacks.
  3. We should have a specific BugType pointer for the specific bug you hunt - in other words you should not reuse BT_mallocZero for your checker.
  4. One should be able to disable your rule in case something goes wild. So, your checker should be registered at the end of the file by applying the REGISTER_CHECKER() macro.
  5. One should update the documentation and also mention the new check in the release docs to give visibility.
  6. For matching if a function is interesting or not, you should use CallDescriptions instead of looking at the IdentifierInfo directly - unless there are other cases in the scope where we don't use this facility. However, for those case we should consider updating those to use CallDescriptionSet|Map.
  7. I can see that you directly use the isZeroConstant() on the value of the pointer. This might not work for all cases, e.g. when the pointer is symbolic. In that case, we might be able to prove that the pointer should be null, because the path-constraints we collected so far imply that.

Thanks for improving the detection!

This revision now requires changes to proceed.Dec 16 2022, 6:23 AM
CuriousGeorgiy mentioned this in D154838: [analyzer] Add check for null pointer passed to the %p of printf family.Jul 10 2023, 5:59 AM

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
2 lines
lib/
StaticAnalyzer/
Checkers/
42 lines

Diff 481154

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 1,661 Lines▼ Show 20 Lines
// Portability checkers. // Portability checkers.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
let ParentPackage = PortabilityOptIn in { let ParentPackage = PortabilityOptIn in {
def UnixAPIPortabilityChecker : Checker<"UnixAPI">, def UnixAPIPortabilityChecker : Checker<"UnixAPI">,
HelpText<"Finds implementation-defined behavior in UNIX/Posix functions">, HelpText<"Finds implementation-defined behavior in UNIX/Posix functions">,
Documentation<NotDocumented>; Documentation<NotDocumented>;
} // end optin.portability } // end optin.portability
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// NonDeterminism checkers. // NonDeterminism checkers.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
let ParentPackage = NonDeterminismAlpha in { let ParentPackage = NonDeterminismAlpha in {
▲ Show 20 LinesShow All 62 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/UnixAPIChecker.cpp

//= UnixAPIChecker.h - Checks preconditions for various Unix APIs --*- C++ -*-// //= UnixAPIChecker.h - Checks preconditions for various Unix APIs --*- C++ -*-//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This defines UnixAPIChecker, which is an assortment of checks on calls // This defines UnixAPIChecker, which is an assortment of checks on calls
// to various, widely used UNIX/Posix functions. // to various, widely used UNIX/Posix functions.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
Show All 27 Linespublic:
void ReportOpenBug(CheckerContext &C, void ReportOpenBug(CheckerContext &C,
ProgramStateRef State, ProgramStateRef State,
const char *Msg, const char *Msg,
SourceRange SR) const; SourceRange SR) const;
}; };
class UnixAPIPortabilityChecker : public Checker< check::PreStmt<CallExpr> > { class UnixAPIPortabilityChecker
: public Checker<check::PreStmt<CallExpr>, check::PostCall> {
public: public:
void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
private: private:
mutable std::unique_ptr<BugType> BT_mallocZero; mutable std::unique_ptr<BugType> BT_mallocZero;
void CheckCallocZero(CheckerContext &C, const CallExpr *CE) const; void CheckCallocZero(CheckerContext &C, const CallExpr *CE) const;
void CheckMallocZero(CheckerContext &C, const CallExpr *CE) const; void CheckMallocZero(CheckerContext &C, const CallExpr *CE) const;
void CheckReallocZero(CheckerContext &C, const CallExpr *CE) const; void CheckReallocZero(CheckerContext &C, const CallExpr *CE) const;
void CheckReallocfZero(CheckerContext &C, const CallExpr *CE) const; void CheckReallocfZero(CheckerContext &C, const CallExpr *CE) const;
▲ Show 20 LinesShow All 415 Lines▼ Show 20 Linesvoid UnixAPIPortabilityChecker::checkPreStmt(const CallExpr *CE,
else if (FName == "__builtin_alloca_with_align") else if (FName == "__builtin_alloca_with_align")
CheckAllocaWithAlignZero(C, CE); CheckAllocaWithAlignZero(C, CE);
else if (FName == "valloc") else if (FName == "valloc")
CheckVallocZero(C, CE); CheckVallocZero(C, CE);
} }
void UnixAPIPortabilityChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const {
auto State = C.getState();
const IdentifierInfo *II = Call.getCalleeIdentifier();
if (!II)
return;
if (!II->isStr("printf"))
return;
if (!BT_mallocZero)
BT_mallocZero.reset(new BugType(this, "Call to printf", "Example checker"));
for (unsigned int i = 0; i < Call.getNumArgs(); i++) {
const auto *Arg = Call.getArgExpr(i);
if (!Arg)
return;
const auto *LC = C.getLocationContext();
auto Val = State->getSVal(Arg, LC);
if (Val.isZeroConstant()) {
ExplodedNode *N = C.generateErrorNode();
// Further better the diagnostic message by adding a bug report visitor
auto Report = std::make_unique<PathSensitiveBugReport>(
*BT_mallocZero,
"Passing a null pointer to printf() is implementation dependant. "
"Portability warning.",
N);
Report->addRange(Arg->getSourceRange());
C.emitReport(std::move(Report));
}
}
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Registration. // Registration.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#define REGISTER_CHECKER(CHECKERNAME) \ #define REGISTER_CHECKER(CHECKERNAME) \
void ento::register##CHECKERNAME(CheckerManager &mgr) { \ void ento::register##CHECKERNAME(CheckerManager &mgr) { \
mgr.registerChecker<CHECKERNAME>(); \ mgr.registerChecker<CHECKERNAME>(); \
} \ } \
\ \
bool ento::shouldRegister##CHECKERNAME(const CheckerManager &mgr) { \ bool ento::shouldRegister##CHECKERNAME(const CheckerManager &mgr) { \
return true; \ return true; \
} }
REGISTER_CHECKER(UnixAPIMisuseChecker) REGISTER_CHECKER(UnixAPIMisuseChecker)
REGISTER_CHECKER(UnixAPIPortabilityChecker) REGISTER_CHECKER(UnixAPIPortabilityChecker)