This is an archive of the discontinued LLVM Phabricator instance.

Differential D140387

[clang][analyzer] Add stream related functions to StdLibraryFunctionsChecker.
ClosedPublic

Authored by balazske on Dec 20 2022, 4:11 AM.

Details

Reviewers
Szelethus
NoQ
gamesh411
Commits
rG3c7fe7d09da1: [clang][analyzer] Add stream related functions to StdLibraryFunctionsChecker.
Summary

Additional stream handling functions are added.
These are partially evaluated by StreamChecker, result of the addition is
check for more preconditions and construction of success and failure branches
with specific errno handling.

Diff Detail

Event Timeline

balazske created this revision.Dec 20 2022, 4:11 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptDec 20 2022, 4:11 AM
Herald added a reviewer: NoQ. · View Herald Transcript
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: steakhal, manas, ASDenysPetrov and 10 others. · View Herald Transcript
balazske requested review of this revision.Dec 20 2022, 4:11 AM
Herald added a project: Restricted Project. · View Herald TranscriptDec 20 2022, 4:11 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B204119: Diff 484214.Dec 20 2022, 5:17 AM
Szelethus added a reviewer: gamesh411.Dec 20 2022, 5:30 AM

Some of the changes are also present in D135247. I suppose you're in the middle of splitting those patches apart and remaking the patch stack?

balazske mentioned this in D137790: [clang][analyzer] Remove report of null stream from StreamChecker..Dec 20 2022, 6:03 AM
balazske added a child revision: D140395: [clang][analyzer] Extend StreamChecker with some new functions..
balazske added a comment.Dec 20 2022, 6:08 AM

This patch and D140395 is (almost) the same code as D135360 and D135247. The changes are separated for the different checkers. Tests are added at the second patch.

Szelethus added a comment.Dec 20 2022, 8:01 AM
In D140387#4007751, @balazske wrote:

This patch and D140395 is (almost) the same code as D135360 and D135247. The changes are separated for the different checkers. Tests are added at the second patch.

Well, that is confusing. Which patches should I review? Can you please only have a single opened differential per change, and a single patch stack? If you decided that this patch is the ONE for the ErrnoModeling changes, please abandon the other patch with the very same change.

balazske mentioned this in D135360: [clang][analyzer] Add some more functions to StreamChecker and StdLibraryFunctionsChecker..Dec 20 2022, 8:59 AM
Szelethus added a comment.Jan 2 2023, 6:13 AM

Would be possible to test the errno specific changes as well?

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
310

When can this occur? Maybe we can turn this early return to an assert -- when ModelPOSIX is true, this mustn't be null (if what I'm saying is correct).

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
800

Just thinking aloud, no changes required here necesserily -- in most places, we use a combination of SmallString and raw_svector_ostream so construct strings, but I can't find anything set in stone about the practice (mostly looking at LLVM's Programmers Manual). Isn't this just good enough? Is llvm::Twine worth the hassle?

1636–1648

If I undetstand correctly, these 3 cases will cause the current path of execution to split into 3. I vaguely recall some arguments against this, but that's been a while, did the stance on this change? I see a number of already commited summaries with 3 cases, so this could be fine for all I know.

1650–1652

Maybe StreamChecker could take over the handling of that case? Seems like it also warns about the nullness of the first fread parameter.

1793–1794

Sure, but what should be fixed? We should check whether the the last argument is a SEEK_* value?

balazske added inline comments.Jan 2 2023, 7:30 AM
clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
310

I am not totally sure that errno is found always (definition of errno is encountered) if a summary for a standard function is added. The standard function in itself must be there, otherwise no summary is added and this function should not be called. But definition of errno may reside in other header (errno.h) that is probably not included in the translation unit. If the errno definition is not found the ErrnoRegion is not set (the checker may still turned be on but does nothing, but these functions are allowed to be called). Existence of errno is not even dependent on ModelPOSIX, errno is defined in the (non POSIX) C standard.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
800

The Twine may work is all partial strings are constant pointers, this is not true here. The getArgDesc does not return a constant string, the returned value must be copied. Still it may work if one single expression is used to construct the string.

1636–1648

The problematic case is if the function is not evaluated by StreamChecker, otherwise StreamChecker already sets the constraints on the return value and argument and some of the cases here should become unsatisfied. It may be known about the argument 1 that it can not be zero (or is only zero), then it is only 2 possible branches. (Still it can happen often that all 3 branches are possible.) This split is needed to make the summary correct and not dependent on if StreamChecker evaluates the function or not.

1650–1652

The current approach was that the NULL argument warning is generated by one checker only, StreamChecker or this checker. The NULL check is already built into these summaries so this is the better place for the warning. The NULL warning is removed from StreamChecker in D137790. Additionally the same problem can happen with BufferSizeConstraint at other function summaries, we can say generally (or more often) that if a buffer has size of 0 it is allowed to be NULL pointer.

Szelethus added a comment.Jan 3 2023, 7:12 AM
In D140387#4021806, @Szelethus wrote:

Would be possible to test the errno specific changes as well?

I suppose the tests are done in the followup patch mostly?

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
310

Very well, I'm sold.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1650–1652

Aha, okay, so we should extend the existing infrastructure to express this as well. Please do that in another patch though! Thanks!

Szelethus added inline comments.Jan 3 2023, 7:30 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
799

I don't mean to make you test every single Case or ArgumentConstraint you added, but NotZeroConstraint is brand new, and is not tested anywhere.

1056–1064

Can you name an example for that? fgetpos?

balazske marked 5 inline comments as done.Jan 3 2023, 9:04 AM

I suppose the tests are done in the followup patch mostly?

Yes the tests in the next patch should cover the cases.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
799

This new class is probably not needed at all. It is always possible to use ReturnValueCondition(WithinRange, SingleValue(0)) or similar for nonzero cases.

1056–1064

fgetpos is a good example, the return value is already bound and a state split for success and failure was performed in the evalCall function (in StreamChecker) and the previous line Case.getErrnoConstraint().apply did not create a new state (this is true for fgetpos because it has a ErrnoUnchanged condition in the summary).

1793–1794

It could be an improvement to detect possible values for the argument 2 that are the SEEK_* values. Now the range [0,2] is used (the SEEK_* constants are usually 0,1,2).

balazske updated this revision to Diff 486252.Jan 4 2023, 6:01 AM
balazske marked an inline comment as done.

Removed class NotZeroConstraint.

Szelethus added a comment.Jan 4 2023, 6:34 AM

LGTM, granted you add that test in the followup commit. If possible, I'd prefer to have features tested in the patch that added them (but this is fine for now).

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
799

Convenience is a good enough reason. Please test this before commiting.

1793–1794

Could you please more-or-less copy-paste this inline into the code?

Szelethus accepted this revision.Jan 4 2023, 6:36 AM
This revision is now accepted and ready to land.Jan 4 2023, 6:36 AM
balazske added inline comments.Jan 4 2023, 7:21 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
799

There was no exact test for the return value condition. A following test function can be added:

addToFunctionSummaryMap(
    "__test_return_note",
    Signature(ArgTypes{}, RetType{IntTy}),
    Summary(EvalCallAsPure)
        .Case({ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Test return 0")
        .Case({ReturnValueCondition(WithinRange, SingleValue(1))}, ErrnoIrrelevant, "Test return 1")
        );

And add this to std-c-library-functions-arg-constraints-note-tags.cpp:

int __test_return_note();
int test_return_constraint_note(int y) {
  int x = __test_return_note(); // expected-note{{Test return 0}} \
                                // expected-note{{'x' initialized here}}
  return y / x;       // expected-warning{{Division by zero}} \
                      // expected-note{{Division by zero}}
}
Harbormaster completed remote builds in B205668: Diff 486252.Jan 4 2023, 7:45 AM
Szelethus added a comment.Jan 5 2023, 4:32 AM

LGTM! I think I prefer this solution anyways. Please commit (the entire patchstack).

balazske updated this revision to Diff 486558.Jan 5 2023, 7:03 AM

Adding test for summary case, change of comment.

Harbormaster completed remote builds in B205897: Diff 486558.Jan 5 2023, 9:10 AM
Closed by commit rG3c7fe7d09da1: [clang][analyzer] Add stream related functions to StdLibraryFunctionsChecker. (authored by balazske). · Explain WhyJan 6 2023, 2:05 AM
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rG3c7fe7d09da1: [clang][analyzer] Add stream related functions to StdLibraryFunctionsChecker..
Szelethus mentioned this in D152436: [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha..Jun 9 2023, 3:42 AM

Revision Contents

Diff 486778

clang/lib/StaticAnalyzer/Checkers/ErrnoChecker.cpp

Show First 20 LinesShow All 221 Lines▼ Show 20 LinesProgramStateRef ErrnoChecker::checkRegionChanges(
Optional<ento::Loc> ErrnoLoc = getErrnoLoc(State); Optional<ento::Loc> ErrnoLoc = getErrnoLoc(State);
if (!ErrnoLoc) if (!ErrnoLoc)
return State; return State;
const MemRegion *ErrnoRegion = ErrnoLoc->getAsRegion(); const MemRegion *ErrnoRegion = ErrnoLoc->getAsRegion();
// If 'errno' is invalidated we can not know if it is checked or written into, // If 'errno' is invalidated we can not know if it is checked or written into,
// allow read and write without bug reports. // allow read and write without bug reports.
if (llvm::is_contained(Regions, ErrnoRegion)) if (llvm::is_contained(Regions, ErrnoRegion))
return setErrnoStateIrrelevant(State); return clearErrnoState(State);
// Always reset errno state when the system memory space is invalidated. // Always reset errno state when the system memory space is invalidated.
// The ErrnoRegion is not always found in the list in this case. // The ErrnoRegion is not always found in the list in this case.
if (llvm::is_contained(Regions, ErrnoRegion->getMemorySpace())) if (llvm::is_contained(Regions, ErrnoRegion->getMemorySpace()))
return setErrnoStateIrrelevant(State); return clearErrnoState(State);
return State; return State;
} }
void ento::registerErrnoChecker(CheckerManager &mgr) { void ento::registerErrnoChecker(CheckerManager &mgr) {
const AnalyzerOptions &Opts = mgr.getAnalyzerOptions(); const AnalyzerOptions &Opts = mgr.getAnalyzerOptions();
auto *Checker = mgr.registerChecker<ErrnoChecker>(); auto *Checker = mgr.registerChecker<ErrnoChecker>();
Checker->AllowErrnoReadOutsideConditions = Opts.getCheckerBooleanOption( Checker->AllowErrnoReadOutsideConditions = Opts.getCheckerBooleanOption(
Checker, "AllowErrnoReadOutsideConditionExpressions"); Checker, "AllowErrnoReadOutsideConditionExpressions");
} }
bool ento::shouldRegisterErrnoChecker(const CheckerManager &mgr) { bool ento::shouldRegisterErrnoChecker(const CheckerManager &mgr) {
return true; return true;
} }

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h

Show First 20 LinesShow All 61 Lines▼ Show 20 Lines
/// Set value of 'errno' to a concrete (signed) integer, if possible. /// Set value of 'errno' to a concrete (signed) integer, if possible.
/// The errno check state is set always when the 'errno' value is set. /// The errno check state is set always when the 'errno' value is set.
ProgramStateRef setErrnoValue(ProgramStateRef State, CheckerContext &C, ProgramStateRef setErrnoValue(ProgramStateRef State, CheckerContext &C,
uint64_t Value, ErrnoCheckState EState); uint64_t Value, ErrnoCheckState EState);
/// Set the errno check state, do not modify the errno value. /// Set the errno check state, do not modify the errno value.
ProgramStateRef setErrnoState(ProgramStateRef State, ErrnoCheckState EState); ProgramStateRef setErrnoState(ProgramStateRef State, ErrnoCheckState EState);
/// Clear state of errno (make it irrelevant).
ProgramStateRef clearErrnoState(ProgramStateRef State);
/// Determine if a `Decl` node related to 'errno'. /// Determine if a `Decl` node related to 'errno'.
/// This is true if the declaration is the errno variable or a function /// This is true if the declaration is the errno variable or a function
/// that returns a pointer to the 'errno' value (usually the 'errno' macro is /// that returns a pointer to the 'errno' value (usually the 'errno' macro is
/// defined with this function). \p D is not required to be a canonical /// defined with this function). \p D is not required to be a canonical
/// declaration. /// declaration.
bool isErrno(const Decl *D); bool isErrno(const Decl *D);
/// Produce a textual description about how \c errno is allowed to be used /// Produce a textual description about how \c errno is allowed to be used
Show All 18 Lines
/// Set \c errno value to be not equal to zero and \c ErrnoCheckState to /// Set \c errno value to be not equal to zero and \c ErrnoCheckState to
/// \c Irrelevant . The irrelevant errno state ensures that no related bug /// \c Irrelevant . The irrelevant errno state ensures that no related bug
/// report is emitted later and no note tag is needed. /// report is emitted later and no note tag is needed.
/// \arg \c ErrnoSym Value to be used for \c errno and constrained to be /// \arg \c ErrnoSym Value to be used for \c errno and constrained to be
/// non-zero. /// non-zero.
ProgramStateRef setErrnoForStdFailure(ProgramStateRef State, CheckerContext &C, ProgramStateRef setErrnoForStdFailure(ProgramStateRef State, CheckerContext &C,
NonLoc ErrnoSym); NonLoc ErrnoSym);
/// Set errno state for the common case when a standard function indicates
/// failure only by \c errno. Sets \c ErrnoCheckState to \c MustBeChecked, and
/// invalidates the errno region (clear of previous value).
/// At the state transition a note tag created by
/// \c getNoteTagForStdMustBeChecked can be used.
/// \arg \c InvalE Expression that causes invalidation of \c errno.
ProgramStateRef setErrnoStdMustBeChecked(ProgramStateRef State,
CheckerContext &C, const Expr *InvalE);
/// Generate the note tag that can be applied at the state generated by /// Generate the note tag that can be applied at the state generated by
/// \c setErrnoForStdSuccess . /// \c setErrnoForStdSuccess .
/// \arg \c Fn Name of the (standard) function that is modeled. /// \arg \c Fn Name of the (standard) function that is modeled.
const NoteTag *getNoteTagForStdSuccess(CheckerContext &C, llvm::StringRef Fn); const NoteTag *getNoteTagForStdSuccess(CheckerContext &C, llvm::StringRef Fn);
/// Generate the note tag that can be applied at the state generated by
/// \c setErrnoStdMustBeChecked .
/// \arg \c Fn Name of the (standard) function that is modeled.
const NoteTag *getNoteTagForStdMustBeChecked(CheckerContext &C,
llvm::StringRef Fn);
} // namespace errno_modeling } // namespace errno_modeling
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ERRNOMODELING_H #endif // LLVM_CLANG_LIB_STATICANALYZER_CHECKERS_ERRNOMODELING_H

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp

Show First 20 LinesShow All 240 Lines▼ Show 20 Lines
Optional<Loc> getErrnoLoc(ProgramStateRef State) { Optional<Loc> getErrnoLoc(ProgramStateRef State) {
const MemRegion *ErrnoR = State->get<ErrnoRegion>(); const MemRegion *ErrnoR = State->get<ErrnoRegion>();
if (!ErrnoR) if (!ErrnoR)
return {}; return {};
return loc::MemRegionVal{ErrnoR}; return loc::MemRegionVal{ErrnoR};
} }
ErrnoCheckState getErrnoState(ProgramStateRef State) {
return State->get<ErrnoState>();
}
ProgramStateRef setErrnoState(ProgramStateRef State, ErrnoCheckState EState) { ProgramStateRef setErrnoState(ProgramStateRef State, ErrnoCheckState EState) {
return State->set<ErrnoState>(EState); return State->set<ErrnoState>(EState);
} }
ErrnoCheckState getErrnoState(ProgramStateRef State) { ProgramStateRef clearErrnoState(ProgramStateRef State) {
return State->get<ErrnoState>(); return setErrnoState(State, Irrelevant);
} }
bool isErrno(const Decl *D) { bool isErrno(const Decl *D) {
if (const auto *VD = dyn_cast_or_null<VarDecl>(D)) if (const auto *VD = dyn_cast_or_null<VarDecl>(D))
if (const IdentifierInfo *II = VD->getIdentifier()) if (const IdentifierInfo *II = VD->getIdentifier())
return II->getName() == ErrnoVarName; return II->getName() == ErrnoVarName;
if (const auto *FD = dyn_cast_or_null<FunctionDecl>(D)) if (const auto *FD = dyn_cast_or_null<FunctionDecl>(D))
if (const IdentifierInfo *II = FD->getIdentifier()) if (const IdentifierInfo *II = FD->getIdentifier())
Show All 31 Lines DefinedOrUnknownSVal Cond =
SVB.evalBinOp(State, BO_NE, ErrnoSym, ZeroVal, SVB.getConditionType()) SVB.evalBinOp(State, BO_NE, ErrnoSym, ZeroVal, SVB.getConditionType())
.castAs<DefinedOrUnknownSVal>(); .castAs<DefinedOrUnknownSVal>();
State = State->assume(Cond, true); State = State->assume(Cond, true);
if (!State) if (!State)
return nullptr; return nullptr;
return setErrnoValue(State, C.getLocationContext(), ErrnoSym, Irrelevant); return setErrnoValue(State, C.getLocationContext(), ErrnoSym, Irrelevant);
} }
ProgramStateRef setErrnoStdMustBeChecked(ProgramStateRef State,
CheckerContext &C,
const Expr *InvalE) {
const MemRegion *ErrnoR = State->get<ErrnoRegion>();
if (!ErrnoR)
SzelethusUnsubmitted
Done
ReplyInline Actions

When can this occur? Maybe we can turn this early return to an assert -- when ModelPOSIX is true, this mustn't be null (if what I'm saying is correct).

Szelethus: When can this occur? Maybe we can turn this early return to an assert -- when `ModelPOSIX` is…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I am not totally sure that errno is found always (definition of errno is encountered) if a summary for a standard function is added. The standard function in itself must be there, otherwise no summary is added and this function should not be called. But definition of errno may reside in other header (errno.h) that is probably not included in the translation unit. If the errno definition is not found the ErrnoRegion is not set (the checker may still turned be on but does nothing, but these functions are allowed to be called). Existence of errno is not even dependent on ModelPOSIX, errno is defined in the (non POSIX) C standard.

balazske: I am not totally sure that `errno` is found always (definition of `errno` is encountered) if a…
SzelethusUnsubmitted
Done
ReplyInline Actions

Very well, I'm sold.

Szelethus: Very well, I'm sold.
return State;
State = State->invalidateRegions(ErrnoR, InvalE, C.blockCount(),
C.getLocationContext(), false);
if (!State)
return nullptr;
return setErrnoState(State, MustBeChecked);
}
const NoteTag *getNoteTagForStdSuccess(CheckerContext &C, llvm::StringRef Fn) { const NoteTag *getNoteTagForStdSuccess(CheckerContext &C, llvm::StringRef Fn) {
return getErrnoNoteTag( return getErrnoNoteTag(
C, (Twine("Assuming that function '") + Twine(Fn) + C, (Twine("Assuming that function '") + Twine(Fn) +
Twine("' is successful, in this case the value 'errno' ") + Twine("' is successful, in this case the value 'errno' ") +
Twine(describeErrnoCheckState(MustNotBeChecked))) Twine(describeErrnoCheckState(MustNotBeChecked)))
.str()); .str());
} }
const NoteTag *getNoteTagForStdMustBeChecked(CheckerContext &C,
llvm::StringRef Fn) {
return getErrnoNoteTag(
C, (Twine("Function '") + Twine(Fn) +
Twine("' indicates failure only by setting of 'errno'"))
.str());
}
} // namespace errno_modeling } // namespace errno_modeling
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
void ento::registerErrnoModeling(CheckerManager &mgr) { void ento::registerErrnoModeling(CheckerManager &mgr) {
mgr.registerChecker<ErrnoModeling>(); mgr.registerChecker<ErrnoModeling>();
} }
bool ento::shouldRegisterErrnoModeling(const CheckerManager &mgr) { bool ento::shouldRegisterErrnoModeling(const CheckerManager &mgr) {
return true; return true;
} }

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 248 Lines▼ Show 20 Linesclass StdLibraryFunctionsChecker
}; };
class NotNullConstraint : public ValueConstraint { class NotNullConstraint : public ValueConstraint {
using ValueConstraint::ValueConstraint; using ValueConstraint::ValueConstraint;
// This variable has a role when we negate the constraint. // This variable has a role when we negate the constraint.
bool CannotBeNull = true; bool CannotBeNull = true;
public: public:
NotNullConstraint(ArgNo ArgN, bool CannotBeNull = true)
: ValueConstraint(ArgN), CannotBeNull(CannotBeNull) {}
std::string describe(DescriptionKind DK, ProgramStateRef State, std::string describe(DescriptionKind DK, ProgramStateRef State,
const Summary &Summary) const override; const Summary &Summary) const override;
StringRef getName() const override { return "NonNull"; } StringRef getName() const override { return "NonNull"; }
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const override { CheckerContext &C) const override {
SVal V = getArgSVal(Call, getArgNo()); SVal V = getArgSVal(Call, getArgNo());
if (V.isUndef()) if (V.isUndef())
▲ Show 20 LinesShow All 149 Lines▼ Show 20 Linesclass StdLibraryFunctionsChecker
protected: protected:
ErrnoConstraintBase() = default; ErrnoConstraintBase() = default;
/// This is used for conjure symbol for errno to differentiate from the /// This is used for conjure symbol for errno to differentiate from the
/// original call expression (same expression is used for the errno symbol). /// original call expression (same expression is used for the errno symbol).
static int Tag; static int Tag;
}; };
/// Reset errno constraints to irrelevant.
/// This is applicable to functions that may change 'errno' and are not
/// modeled elsewhere.
class ResetErrnoConstraint : public ErrnoConstraintBase {
public:
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary,
CheckerContext &C) const override {
return errno_modeling::setErrnoState(State, errno_modeling::Irrelevant);
}
};
/// Do not change errno constraints.
/// This is applicable to functions that are modeled in another checker
/// and the already set errno constraints should not be changed in the
/// post-call event.
class NoErrnoConstraint : public ErrnoConstraintBase {
public:
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary,
CheckerContext &C) const override {
return State;
}
};
/// Set errno constraint at failure cases of standard functions. /// Set errno constraint at failure cases of standard functions.
/// Failure case: 'errno' becomes not equal to 0 and may or may not be checked /// Failure case: 'errno' becomes not equal to 0 and may or may not be checked
/// by the program. \c ErrnoChecker does not emit a bug report after such a /// by the program. \c ErrnoChecker does not emit a bug report after such a
/// function call. /// function call.
class FailureErrnoConstraint : public ErrnoConstraintBase { class FailureErrnoConstraint : public ErrnoConstraintBase {
public: public:
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
Show All 21 Lines public:
} }
const NoteTag *describe(CheckerContext &C, const NoteTag *describe(CheckerContext &C,
StringRef FunctionName) const override { StringRef FunctionName) const override {
return errno_modeling::getNoteTagForStdSuccess(C, FunctionName); return errno_modeling::getNoteTagForStdSuccess(C, FunctionName);
} }
}; };
/// Set errno constraints if use of 'errno' is irrelevant to the class ErrnoMustBeCheckedConstraint : public ErrnoConstraintBase {
/// modeled function or modeling is not possible.
class NoErrnoConstraint : public ErrnoConstraintBase {
public: public:
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const override { CheckerContext &C) const override {
return errno_modeling::setErrnoState(State, errno_modeling::Irrelevant); return errno_modeling::setErrnoStdMustBeChecked(State, C,
Call.getOriginExpr());
}
const NoteTag *describe(CheckerContext &C,
StringRef FunctionName) const override {
return errno_modeling::getNoteTagForStdMustBeChecked(C, FunctionName);
} }
}; };
/// A single branch of a function summary. /// A single branch of a function summary.
/// ///
/// A branch is defined by a series of constraints - "assumptions" - /// A branch is defined by a series of constraints - "assumptions" -
/// that together form a single possible outcome of invoking the function. /// that together form a single possible outcome of invoking the function.
/// When static analyzer considers a branch, it tries to introduce /// When static analyzer considers a branch, it tries to introduce
▲ Show 20 LinesShow All 249 Lines▼ Show 20 Lines void reportBug(const CallEvent &Call, ExplodedNode *N,
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
/// These are the errno constraints that can be passed to summary cases. /// These are the errno constraints that can be passed to summary cases.
/// One of these should fit for a single summary case. /// One of these should fit for a single summary case.
/// Usually if a failure return value exists for function, that function /// Usually if a failure return value exists for function, that function
/// needs different cases for success and failure with different errno /// needs different cases for success and failure with different errno
/// constraints (and different return value constraints). /// constraints (and different return value constraints).
const NoErrnoConstraint ErrnoIrrelevant{}; const NoErrnoConstraint ErrnoUnchanged{};
const ResetErrnoConstraint ErrnoIrrelevant{};
const ErrnoMustBeCheckedConstraint ErrnoMustBeChecked{};
const SuccessErrnoConstraint ErrnoMustNotBeChecked{}; const SuccessErrnoConstraint ErrnoMustNotBeChecked{};
const FailureErrnoConstraint ErrnoNEZeroIrrelevant{}; const FailureErrnoConstraint ErrnoNEZeroIrrelevant{};
}; };
int StdLibraryFunctionsChecker::ErrnoConstraintBase::Tag = 0; int StdLibraryFunctionsChecker::ErrnoConstraintBase::Tag = 0;
const StdLibraryFunctionsChecker::ArgNo StdLibraryFunctionsChecker::Ret = const StdLibraryFunctionsChecker::ArgNo StdLibraryFunctionsChecker::Ret =
std::numeric_limits<ArgNo>::max(); std::numeric_limits<ArgNo>::max();
Show All 17 Lines
} }
std::string StdLibraryFunctionsChecker::RangeConstraint::describe( std::string StdLibraryFunctionsChecker::RangeConstraint::describe(
DescriptionKind DK, ProgramStateRef State, const Summary &Summary) const { DescriptionKind DK, ProgramStateRef State, const Summary &Summary) const {
BasicValueFactory &BVF = getBVF(State); BasicValueFactory &BVF = getBVF(State);
QualType T = Summary.getArgType(getArgNo()); QualType T = Summary.getArgType(getArgNo());
SmallString<48> Result; SmallString<48> Result;
SzelethusUnsubmitted
Not Done
ReplyInline Actions

I don't mean to make you test every single Case or ArgumentConstraint you added, but NotZeroConstraint is brand new, and is not tested anywhere.

Szelethus: I don't mean to make you test every single `Case` or `ArgumentConstraint` you added, but…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

This new class is probably not needed at all. It is always possible to use ReturnValueCondition(WithinRange, SingleValue(0)) or similar for nonzero cases.

balazske: This new class is probably not needed at all. It is always possible to use…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Convenience is a good enough reason. Please test this before commiting.

Szelethus: Convenience is a good enough reason. Please test this before commiting.
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

There was no exact test for the return value condition. A following test function can be added:

addToFunctionSummaryMap(
    "__test_return_note",
    Signature(ArgTypes{}, RetType{IntTy}),
    Summary(EvalCallAsPure)
        .Case({ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Test return 0")
        .Case({ReturnValueCondition(WithinRange, SingleValue(1))}, ErrnoIrrelevant, "Test return 1")
        );

And add this to std-c-library-functions-arg-constraints-note-tags.cpp:

int __test_return_note();
int test_return_constraint_note(int y) {
  int x = __test_return_note(); // expected-note{{Test return 0}} \
                                // expected-note{{'x' initialized here}}
  return y / x;       // expected-warning{{Division by zero}} \
                      // expected-note{{Division by zero}}
}
balazske: There was no exact test for the return value condition. A following test function can be added…
const auto Violation = ValueConstraint::DescriptionKind::Violation; const auto Violation = ValueConstraint::DescriptionKind::Violation;
SzelethusUnsubmitted
Done
ReplyInline Actions

Just thinking aloud, no changes required here necesserily -- in most places, we use a combination of SmallString and raw_svector_ostream so construct strings, but I can't find anything set in stone about the practice (mostly looking at LLVM's Programmers Manual). Isn't this just good enough? Is llvm::Twine worth the hassle?

Szelethus: Just thinking aloud, no changes required here necesserily -- in most places, we use a…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The Twine may work is all partial strings are constant pointers, this is not true here. The getArgDesc does not return a constant string, the returned value must be copied. Still it may work if one single expression is used to construct the string.

balazske: The `Twine` may work is all partial strings are constant pointers, this is not true here. The…
Result += "the "; Result += "the ";
Result += getArgDesc(ArgN); Result += getArgDesc(ArgN);
Result += DK == Violation ? " should be " : " is "; Result += DK == Violation ? " should be " : " is ";
// Range kind as a string. // Range kind as a string.
Kind == OutOfRange ? Result += "out of" : Result += "within"; Kind == OutOfRange ? Result += "out of" : Result += "within";
// Get the range values as a string. // Get the range values as a string.
▲ Show 20 LinesShow All 238 Lines▼ Show 20 Lines if (NewState && NewState != State) {
[Node, Note]() -> std::string { [Node, Note]() -> std::string {
// Don't emit "Assuming..." note when we ended up // Don't emit "Assuming..." note when we ended up
// knowing in advance which branch is taken. // knowing in advance which branch is taken.
return (Node->succ_size() > 1) ? Note.str() : ""; return (Node->succ_size() > 1) ? Note.str() : "";
}, },
/*IsPrunable=*/true); /*IsPrunable=*/true);
C.addTransition(NewState, Tag); C.addTransition(NewState, Tag);
} }
} else if (NewState == State) {
// It is possible that the function was evaluated in a checker callback
// where the state constraints are already applied, then no change happens
// here to the state (if the ErrnoConstraint did not change it either).
// If the evaluated function requires a NoteTag for errno change, it is
// added here.
if (const auto *D = dyn_cast_or_null<FunctionDecl>(Call.getDecl()))
if (const NoteTag *NT =
Case.getErrnoConstraint().describe(C, D->getNameAsString()))
C.addTransition(NewState, NT);
SzelethusUnsubmitted
Done
ReplyInline Actions

Can you name an example for that? fgetpos?

Szelethus: Can you name an example for that? `fgetpos`?
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

fgetpos is a good example, the return value is already bound and a state split for success and failure was performed in the evalCall function (in StreamChecker) and the previous line Case.getErrnoConstraint().apply did not create a new state (this is true for fgetpos because it has a ErrnoUnchanged condition in the summary).

balazske: `fgetpos` is a good example, the return value is already bound and a state split for success…
} }
} }
} }
bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call, bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
Optional<Summary> FoundSummary = findFunctionSummary(Call, C); Optional<Summary> FoundSummary = findFunctionSummary(Call, C);
if (!FoundSummary) if (!FoundSummary)
▲ Show 20 LinesShow All 318 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::initFunctionSummaries(
} Range; } Range;
auto SingleValue = [](RangeInt v) { auto SingleValue = [](RangeInt v) {
return IntRangeVector{std::pair<RangeInt, RangeInt>{v, v}}; return IntRangeVector{std::pair<RangeInt, RangeInt>{v, v}};
}; };
auto LessThanOrEq = BO_LE; auto LessThanOrEq = BO_LE;
auto NotNull = [&](ArgNo ArgN) { auto NotNull = [&](ArgNo ArgN) {
return std::make_shared<NotNullConstraint>(ArgN); return std::make_shared<NotNullConstraint>(ArgN);
}; };
auto IsNull = [&](ArgNo ArgN) {
return std::make_shared<NotNullConstraint>(ArgN, false);
};
Optional<QualType> FileTy = lookupTy("FILE"); Optional<QualType> FileTy = lookupTy("FILE");
Optional<QualType> FilePtrTy = getPointerTy(FileTy); Optional<QualType> FilePtrTy = getPointerTy(FileTy);
Optional<QualType> FilePtrRestrictTy = getRestrictTy(FilePtrTy); Optional<QualType> FilePtrRestrictTy = getRestrictTy(FilePtrTy);
Optional<QualType> FPosTTy = lookupTy("fpos_t");
Optional<QualType> FPosTPtrTy = getPointerTy(FPosTTy);
Optional<QualType> ConstFPosTPtrTy = getPointerTy(getConstTy(FPosTTy));
Optional<QualType> FPosTPtrRestrictTy = getRestrictTy(FPosTPtrTy);
// We are finally ready to define specifications for all supported functions. // We are finally ready to define specifications for all supported functions.
// //
// Argument ranges should always cover all variants. If return value // Argument ranges should always cover all variants. If return value
// is completely unknown, omit it from the respective range set. // is completely unknown, omit it from the respective range set.
// //
// Every item in the list of range sets represents a particular // Every item in the list of range sets represents a particular
// execution path the analyzer would need to explore once // execution path the analyzer would need to explore once
// the call is modeled - a new program state is constructed // the call is modeled - a new program state is constructed
▲ Show 20 LinesShow All 208 Lines▼ Show 20 Lines addToFunctionSummaryMap(
Summary(NoEvalCall) Summary(NoEvalCall)
.Case({ReturnValueCondition(WithinRange, .Case({ReturnValueCondition(WithinRange,
{{EOFv, EOFv}, {0, UCharRangeMax}})}, {{EOFv, EOFv}, {0, UCharRangeMax}})},
ErrnoIrrelevant)); ErrnoIrrelevant));
// read()-like functions that never return more than buffer size. // read()-like functions that never return more than buffer size.
auto FreadSummary = auto FreadSummary =
Summary(NoEvalCall) Summary(NoEvalCall)
.Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), .Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)),
ArgumentCondition(2U, WithinRange, Range(1, SizeMax)),
ReturnValueCondition(BO_LT, ArgNo(2)),
ReturnValueCondition(WithinRange, Range(0, SizeMax))}, ReturnValueCondition(WithinRange, Range(0, SizeMax))},
ErrnoIrrelevant) ErrnoNEZeroIrrelevant)
.Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)),
ReturnValueCondition(BO_EQ, ArgNo(2)),
ReturnValueCondition(WithinRange, Range(0, SizeMax))},
ErrnoMustNotBeChecked)
.Case({ArgumentCondition(1U, WithinRange, SingleValue(0)),
ReturnValueCondition(WithinRange, SingleValue(0))},
ErrnoMustNotBeChecked)
.ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(0)))
SzelethusUnsubmitted
Not Done
ReplyInline Actions

If I undetstand correctly, these 3 cases will cause the current path of execution to split into 3. I vaguely recall some arguments against this, but that's been a while, did the stance on this change? I see a number of already commited summaries with 3 cases, so this could be fine for all I know.

Szelethus: If I undetstand correctly, these 3 cases will cause the current path of execution to split into…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The problematic case is if the function is not evaluated by StreamChecker, otherwise StreamChecker already sets the constraints on the return value and argument and some of the cases here should become unsatisfied. It may be known about the argument 1 that it can not be zero (or is only zero), then it is only 2 possible branches. (Still it can happen often that all 3 branches are possible.) This split is needed to make the summary correct and not dependent on if StreamChecker evaluates the function or not.

balazske: The problematic case is if the function is not evaluated by `StreamChecker`, otherwise…
.ArgConstraint(NotNull(ArgNo(3))) .ArgConstraint(NotNull(ArgNo(3)))
// FIXME: It should be allowed to have a null buffer if any of
// args 1 or 2 are zero. Remove NotNull check of arg 0, add a check
// for non-null buffer if non-zero size to BufferSizeConstraint?
SzelethusUnsubmitted
Done
ReplyInline Actions

Maybe StreamChecker could take over the handling of that case? Seems like it also warns about the nullness of the first fread parameter.

Szelethus: Maybe `StreamChecker` could take over the handling of that case? Seems like it also warns about…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The current approach was that the NULL argument warning is generated by one checker only, StreamChecker or this checker. The NULL check is already built into these summaries so this is the better place for the warning. The NULL warning is removed from StreamChecker in D137790. Additionally the same problem can happen with BufferSizeConstraint at other function summaries, we can say generally (or more often) that if a buffer has size of 0 it is allowed to be NULL pointer.

balazske: The current approach was that the NULL argument warning is generated by one checker only…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Aha, okay, so we should extend the existing infrastructure to express this as well. Please do that in another patch though! Thanks!

Szelethus: Aha, okay, so we should extend the existing infrastructure to express this as well. Please do…
.ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1), .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1),
/*BufSizeMultiplier=*/ArgNo(2))); /*BufSizeMultiplier=*/ArgNo(2)));
// size_t fread(void *restrict ptr, size_t size, size_t nitems, // size_t fread(void *restrict ptr, size_t size, size_t nitems,
// FILE *restrict stream); // FILE *restrict stream);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"fread", "fread",
Signature(ArgTypes{VoidPtrRestrictTy, SizeTy, SizeTy, FilePtrRestrictTy}, Signature(ArgTypes{VoidPtrRestrictTy, SizeTy, SizeTy, FilePtrRestrictTy},
▲ Show 20 LinesShow All 69 Lines▼ Show 20 Lines addToFunctionSummaryMap(
// char *getenv(const char *name); // char *getenv(const char *name);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"getenv", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}), "getenv", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}),
std::move(GetenvSummary)); std::move(GetenvSummary));
} }
if (ModelPOSIX) { if (ModelPOSIX) {
const auto ReturnsZeroOrMinusOne =
ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, 0))};
const auto ReturnsZero =
ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(0))};
const auto ReturnsMinusOne =
ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(-1))};
const auto ReturnsNonnegative =
ConstraintSet{ReturnValueCondition(WithinRange, Range(0, IntMax))};
const auto ReturnsNonZero =
ConstraintSet{ReturnValueCondition(OutOfRange, SingleValue(0))};
const auto ReturnsFileDescriptor =
ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, IntMax))};
const auto &ReturnsValidFileDescriptor = ReturnsNonnegative;
// FILE *fopen(const char *restrict pathname, const char *restrict mode);
addToFunctionSummaryMap(
"fopen",
Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy},
RetType{FilePtrTy}),
Summary(NoEvalCall)
.Case({NotNull(Ret)}, ErrnoMustNotBeChecked)
.Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant)
.ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(1))));
// FILE *tmpfile(void);
addToFunctionSummaryMap("tmpfile",
Signature(ArgTypes{}, RetType{FilePtrTy}),
Summary(NoEvalCall)
.Case({NotNull(Ret)}, ErrnoMustNotBeChecked)
.Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant));
// FILE *freopen(const char *restrict pathname, const char *restrict mode,
// FILE *restrict stream);
addToFunctionSummaryMap(
"freopen",
Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy,
FilePtrRestrictTy},
RetType{FilePtrTy}),
Summary(NoEvalCall)
.Case({ReturnValueCondition(BO_EQ, ArgNo(2))},
ErrnoMustNotBeChecked)
.Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant)
.ArgConstraint(NotNull(ArgNo(1)))
.ArgConstraint(NotNull(ArgNo(2))));
// int fclose(FILE *stream);
addToFunctionSummaryMap(
"fclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
Summary(NoEvalCall)
.Case(ReturnsZero, ErrnoMustNotBeChecked)
.Case({ReturnValueCondition(WithinRange, SingleValue(EOFv))},
ErrnoNEZeroIrrelevant)
.ArgConstraint(NotNull(ArgNo(0))));
// int fseek(FILE *stream, long offset, int whence);
// FIXME: It can be possible to get the 'SEEK_' values (like EOFv) and use
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Sure, but what should be fixed? We should check whether the the last argument is a SEEK_* value?

Szelethus: Sure, but what should be fixed? We should check whether the the last argument is a `SEEK_*`…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

It could be an improvement to detect possible values for the argument 2 that are the SEEK_* values. Now the range [0,2] is used (the SEEK_* constants are usually 0,1,2).

balazske: It could be an improvement to detect possible values for the argument 2 that are the `SEEK_*`…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Could you please more-or-less copy-paste this inline into the code?

Szelethus: Could you please more-or-less copy-paste this inline into the code?
// these for condition of arg 2.
// Now the range [0,2] is used (the `SEEK_*` constants are usually 0,1,2).
addToFunctionSummaryMap(
"fseek", Signature(ArgTypes{FilePtrTy, LongTy, IntTy}, RetType{IntTy}),
Summary(NoEvalCall)
.Case(ReturnsZero, ErrnoMustNotBeChecked)
.Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
.ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(ArgumentCondition(2, WithinRange, {{0, 2}})));
// int fgetpos(FILE *restrict stream, fpos_t *restrict pos);
// From 'The Open Group Base Specifications Issue 7, 2018 edition':
// "The fgetpos() function shall not change the setting of errno if
// successful."
addToFunctionSummaryMap(
"fgetpos",
Signature(ArgTypes{FilePtrRestrictTy, FPosTPtrRestrictTy},
RetType{IntTy}),
Summary(NoEvalCall)
.Case(ReturnsZero, ErrnoUnchanged)
.Case(ReturnsNonZero, ErrnoNEZeroIrrelevant)
.ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(1))));
// int fsetpos(FILE *stream, const fpos_t *pos);
// From 'The Open Group Base Specifications Issue 7, 2018 edition':
// "The fsetpos() function shall not change the setting of errno if
// successful."
addToFunctionSummaryMap(
"fsetpos",
Signature(ArgTypes{FilePtrTy, ConstFPosTPtrTy}, RetType{IntTy}),
Summary(NoEvalCall)
.Case(ReturnsZero, ErrnoUnchanged)
.Case(ReturnsNonZero, ErrnoNEZeroIrrelevant)
.ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(1))));
// long ftell(FILE *stream);
// From 'The Open Group Base Specifications Issue 7, 2018 edition':
// "The ftell() function shall not change the setting of errno if
// successful."
addToFunctionSummaryMap(
"ftell", Signature(ArgTypes{FilePtrTy}, RetType{LongTy}),
Summary(NoEvalCall)
.Case({ReturnValueCondition(WithinRange, Range(1, LongMax))},
ErrnoUnchanged)
.Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
.ArgConstraint(NotNull(ArgNo(0))));
// int fileno(FILE *stream);
addToFunctionSummaryMap(
"fileno", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
Summary(NoEvalCall)
.Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
.Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
.ArgConstraint(NotNull(ArgNo(0))));
// void rewind(FILE *stream);
// This function indicates error only by setting of 'errno'.
addToFunctionSummaryMap("rewind",
Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}),
Summary(NoEvalCall)
.Case({}, ErrnoMustBeChecked)
.ArgConstraint(NotNull(ArgNo(0))));
// void clearerr(FILE *stream);
addToFunctionSummaryMap(
"clearerr", Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}),
Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
// int feof(FILE *stream);
addToFunctionSummaryMap(
"feof", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
// int ferror(FILE *stream);
addToFunctionSummaryMap(
"ferror", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
// long a64l(const char *str64); // long a64l(const char *str64);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"a64l", Signature(ArgTypes{ConstCharPtrTy}, RetType{LongTy}), "a64l", Signature(ArgTypes{ConstCharPtrTy}, RetType{LongTy}),
Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
// char *l64a(long value); // char *l64a(long value);
addToFunctionSummaryMap("l64a", addToFunctionSummaryMap("l64a",
Signature(ArgTypes{LongTy}, RetType{CharPtrTy}), Signature(ArgTypes{LongTy}, RetType{CharPtrTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.ArgConstraint(ArgumentCondition( .ArgConstraint(ArgumentCondition(
0, WithinRange, Range(0, LongMax)))); 0, WithinRange, Range(0, LongMax))));
const auto ReturnsZeroOrMinusOne =
ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, 0))};
const auto ReturnsZero =
ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(0))};
const auto ReturnsMinusOne =
ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(-1))};
const auto ReturnsNonnegative =
ConstraintSet{ReturnValueCondition(WithinRange, Range(0, IntMax))};
const auto ReturnsFileDescriptor =
ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, IntMax))};
const auto &ReturnsValidFileDescriptor = ReturnsNonnegative;
// int access(const char *pathname, int amode); // int access(const char *pathname, int amode);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"access", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{IntTy}), "access", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{IntTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case(ReturnsZero, ErrnoMustNotBeChecked) .Case(ReturnsZero, ErrnoMustNotBeChecked)
.Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
.ArgConstraint(NotNull(ArgNo(0)))); .ArgConstraint(NotNull(ArgNo(0))));
▲ Show 20 LinesShow All 470 Lines▼ Show 20 Lines addToFunctionSummaryMap(
"seekdir", Signature(ArgTypes{DirPtrTy, LongTy}, RetType{VoidTy}), "seekdir", Signature(ArgTypes{DirPtrTy, LongTy}, RetType{VoidTy}),
Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
// int rand_r(unsigned int *seedp); // int rand_r(unsigned int *seedp);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"rand_r", Signature(ArgTypes{UnsignedIntPtrTy}, RetType{IntTy}), "rand_r", Signature(ArgTypes{UnsignedIntPtrTy}, RetType{IntTy}),
Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
// int fileno(FILE *stream);
addToFunctionSummaryMap(
"fileno", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
Summary(NoEvalCall)
.Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
.Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
.ArgConstraint(NotNull(ArgNo(0))));
// int fseeko(FILE *stream, off_t offset, int whence); // int fseeko(FILE *stream, off_t offset, int whence);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"fseeko", "fseeko",
Signature(ArgTypes{FilePtrTy, Off_tTy, IntTy}, RetType{IntTy}), Signature(ArgTypes{FilePtrTy, Off_tTy, IntTy}, RetType{IntTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case(ReturnsZeroOrMinusOne, ErrnoIrrelevant) .Case(ReturnsZeroOrMinusOne, ErrnoIrrelevant)
.ArgConstraint(NotNull(ArgNo(0)))); .ArgConstraint(NotNull(ArgNo(0))));
▲ Show 20 LinesShow All 776 Lines▼ Show 20 Lines addToFunctionSummaryMap(
Summary(EvalCallAsPure) Summary(EvalCallAsPure)
.ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0),
/*BufSize=*/BVF.getValue(10, IntTy)))); /*BufSize=*/BVF.getValue(10, IntTy))));
addToFunctionSummaryMap( addToFunctionSummaryMap(
{"__test_restrict_param_0", "__test_restrict_param_1", {"__test_restrict_param_0", "__test_restrict_param_1",
"__test_restrict_param_2"}, "__test_restrict_param_2"},
Signature(ArgTypes{VoidPtrRestrictTy}, RetType{VoidTy}), Signature(ArgTypes{VoidPtrRestrictTy}, RetType{VoidTy}),
Summary(EvalCallAsPure)); Summary(EvalCallAsPure));
// Test the application of cases.
addToFunctionSummaryMap(
"__test_case_note", Signature(ArgTypes{}, RetType{IntTy}),
Summary(EvalCallAsPure)
.Case({ReturnValueCondition(WithinRange, SingleValue(0))},
ErrnoIrrelevant, "Function returns 0")
.Case({ReturnValueCondition(WithinRange, SingleValue(1))},
ErrnoIrrelevant, "Function returns 1"));
} }
SummariesInitialized = true; SummariesInitialized = true;
} }
void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) { void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) {
auto *Checker = mgr.registerChecker<StdLibraryFunctionsChecker>(); auto *Checker = mgr.registerChecker<StdLibraryFunctionsChecker>();
const AnalyzerOptions &Opts = mgr.getAnalyzerOptions(); const AnalyzerOptions &Opts = mgr.getAnalyzerOptions();
Show All 25 Lines

clang/test/Analysis/std-c-library-functions-POSIX.c

// RUN: %clang_analyze_cc1 %s \ // RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \ // RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \
// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true \ // RUN: -analyzer-config apiModeling.StdCLibraryFunctions:ModelPOSIX=true \
// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries=true \ // RUN: -analyzer-config apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries=true \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false \ // RUN: -analyzer-config eagerly-assume=false \
// RUN: -triple i686-unknown-linux 2>&1 | FileCheck %s // RUN: -triple i686-unknown-linux 2>&1 | FileCheck %s
// CHECK: Loaded summary for: FILE *fopen(const char *restrict pathname, const char *restrict mode)
// CHECK: Loaded summary for: FILE *tmpfile(void)
// CHECK: Loaded summary for: FILE *freopen(const char *restrict pathname, const char *restrict mode, FILE *restrict stream)
// CHECK: Loaded summary for: int fclose(FILE *stream)
// CHECK: Loaded summary for: int fseek(FILE *stream, long offset, int whence)
// CHECK: Loaded summary for: int fileno(FILE *stream)
// CHECK: Loaded summary for: long a64l(const char *str64) // CHECK: Loaded summary for: long a64l(const char *str64)
// CHECK: Loaded summary for: char *l64a(long value) // CHECK: Loaded summary for: char *l64a(long value)
// CHECK: Loaded summary for: int access(const char *pathname, int amode) // CHECK: Loaded summary for: int access(const char *pathname, int amode)
// CHECK: Loaded summary for: int faccessat(int dirfd, const char *pathname, int mode, int flags) // CHECK: Loaded summary for: int faccessat(int dirfd, const char *pathname, int mode, int flags)
// CHECK: Loaded summary for: int dup(int fildes) // CHECK: Loaded summary for: int dup(int fildes)
// CHECK: Loaded summary for: int dup2(int fildes1, int filedes2) // CHECK: Loaded summary for: int dup2(int fildes1, int filedes2)
// CHECK: Loaded summary for: int fdatasync(int fildes) // CHECK: Loaded summary for: int fdatasync(int fildes)
// CHECK: Loaded summary for: int fnmatch(const char *pattern, const char *string, int flags) // CHECK: Loaded summary for: int fnmatch(const char *pattern, const char *string, int flags)
Show All 40 Lines
// CHECK: Loaded summary for: int pclose(FILE *stream) // CHECK: Loaded summary for: int pclose(FILE *stream)
// CHECK: Loaded summary for: int close(int fildes) // CHECK: Loaded summary for: int close(int fildes)
// CHECK: Loaded summary for: long fpathconf(int fildes, int name) // CHECK: Loaded summary for: long fpathconf(int fildes, int name)
// CHECK: Loaded summary for: long pathconf(const char *path, int name) // CHECK: Loaded summary for: long pathconf(const char *path, int name)
// CHECK: Loaded summary for: FILE *fdopen(int fd, const char *mode) // CHECK: Loaded summary for: FILE *fdopen(int fd, const char *mode)
// CHECK: Loaded summary for: void rewinddir(DIR *dir) // CHECK: Loaded summary for: void rewinddir(DIR *dir)
// CHECK: Loaded summary for: void seekdir(DIR *dirp, long loc) // CHECK: Loaded summary for: void seekdir(DIR *dirp, long loc)
// CHECK: Loaded summary for: int rand_r(unsigned int *seedp) // CHECK: Loaded summary for: int rand_r(unsigned int *seedp)
// CHECK: Loaded summary for: int fileno(FILE *stream)
// CHECK: Loaded summary for: int fseeko(FILE *stream, off_t offset, int whence) // CHECK: Loaded summary for: int fseeko(FILE *stream, off_t offset, int whence)
// CHECK: Loaded summary for: off_t ftello(FILE *stream) // CHECK: Loaded summary for: off_t ftello(FILE *stream)
// CHECK: Loaded summary for: void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset) // CHECK: Loaded summary for: void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset)
// CHECK: Loaded summary for: void *mmap64(void *addr, size_t length, int prot, int flags, int fd, off64_t offset) // CHECK: Loaded summary for: void *mmap64(void *addr, size_t length, int prot, int flags, int fd, off64_t offset)
// CHECK: Loaded summary for: int pipe(int fildes[2]) // CHECK: Loaded summary for: int pipe(int fildes[2])
// CHECK: Loaded summary for: off_t lseek(int fildes, off_t offset, int whence) // CHECK: Loaded summary for: off_t lseek(int fildes, off_t offset, int whence)
// CHECK: Loaded summary for: ssize_t readlink(const char *restrict path, char *restrict buf, size_t bufsize) // CHECK: Loaded summary for: ssize_t readlink(const char *restrict path, char *restrict buf, size_t bufsize)
// CHECK: Loaded summary for: ssize_t readlinkat(int fd, const char *restrict path, char *restrict buf, size_t bufsize) // CHECK: Loaded summary for: ssize_t readlinkat(int fd, const char *restrict path, char *restrict buf, size_t bufsize)
▲ Show 20 LinesShow All 41 Lines▼ Show 20 Lines
// CHECK: Loaded summary for: int pthread_attr_setstacksize(pthread_attr_t *attr, size_t stacksize) // CHECK: Loaded summary for: int pthread_attr_setstacksize(pthread_attr_t *attr, size_t stacksize)
// CHECK: Loaded summary for: int pthread_attr_setguardsize(pthread_attr_t *attr, size_t guardsize) // CHECK: Loaded summary for: int pthread_attr_setguardsize(pthread_attr_t *attr, size_t guardsize)
// CHECK: Loaded summary for: int pthread_mutex_init(pthread_mutex_t *restrict mutex, const pthread_mutexattr_t *restrict attr) // CHECK: Loaded summary for: int pthread_mutex_init(pthread_mutex_t *restrict mutex, const pthread_mutexattr_t *restrict attr)
// CHECK: Loaded summary for: int pthread_mutex_destroy(pthread_mutex_t *mutex) // CHECK: Loaded summary for: int pthread_mutex_destroy(pthread_mutex_t *mutex)
// CHECK: Loaded summary for: int pthread_mutex_lock(pthread_mutex_t *mutex) // CHECK: Loaded summary for: int pthread_mutex_lock(pthread_mutex_t *mutex)
// CHECK: Loaded summary for: int pthread_mutex_trylock(pthread_mutex_t *mutex) // CHECK: Loaded summary for: int pthread_mutex_trylock(pthread_mutex_t *mutex)
// CHECK: Loaded summary for: int pthread_mutex_unlock(pthread_mutex_t *mutex) // CHECK: Loaded summary for: int pthread_mutex_unlock(pthread_mutex_t *mutex)
typedef struct {
int x;
} FILE;
FILE *fopen(const char *restrict pathname, const char *restrict mode);
FILE *tmpfile(void);
FILE *freopen(const char *restrict pathname, const char *restrict mode,
FILE *restrict stream);
int fclose(FILE *stream);
int fseek(FILE *stream, long offset, int whence);
int fileno(FILE *stream);
long a64l(const char *str64); long a64l(const char *str64);
char *l64a(long value); char *l64a(long value);
int access(const char *pathname, int amode); int access(const char *pathname, int amode);
int faccessat(int dirfd, const char *pathname, int mode, int flags); int faccessat(int dirfd, const char *pathname, int mode, int flags);
int dup(int fildes); int dup(int fildes);
int dup2(int fildes1, int filedes2); int dup2(int fildes1, int filedes2);
int fdatasync(int fildes); int fdatasync(int fildes);
int fnmatch(const char *pattern, const char *string, int flags); int fnmatch(const char *pattern, const char *string, int flags);
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Lines
struct stat; struct stat;
int fstat(int fd, struct stat *statbuf); int fstat(int fd, struct stat *statbuf);
int stat(const char *restrict path, struct stat *restrict buf); int stat(const char *restrict path, struct stat *restrict buf);
int lstat(const char *restrict path, struct stat *restrict buf); int lstat(const char *restrict path, struct stat *restrict buf);
int fstatat(int fd, const char *restrict path, struct stat *restrict buf, int flag); int fstatat(int fd, const char *restrict path, struct stat *restrict buf, int flag);
DIR *opendir(const char *name); DIR *opendir(const char *name);
DIR *fdopendir(int fd); DIR *fdopendir(int fd);
int isatty(int fildes); int isatty(int fildes);
typedef struct {
int x;
} FILE;
FILE *popen(const char *command, const char *type); FILE *popen(const char *command, const char *type);
int pclose(FILE *stream); int pclose(FILE *stream);
int close(int fildes); int close(int fildes);
long fpathconf(int fildes, int name); long fpathconf(int fildes, int name);
long pathconf(const char *path, int name); long pathconf(const char *path, int name);
FILE *fdopen(int fd, const char *mode); FILE *fdopen(int fd, const char *mode);
void rewinddir(DIR *dir); void rewinddir(DIR *dir);
void seekdir(DIR *dirp, long loc); void seekdir(DIR *dirp, long loc);
▲ Show 20 LinesShow All 110 LinesShow Last 20 Lines

clang/test/Analysis/std-c-library-functions-arg-constraints-note-tags.cpp

Show First 20 LinesShow All 43 Lines▼ Show 20 Linesvoid test_buffer_size_note(char *buf, int y) {
__buf_size_arg_constraint_concrete(buf); // expected-note {{Assuming the size of the 1st argument is equal to or greater than the value of 10}} __buf_size_arg_constraint_concrete(buf); // expected-note {{Assuming the size of the 1st argument is equal to or greater than the value of 10}}
clang_analyzer_eval(clang_analyzer_getExtent(buf) >= 10); // expected-warning{{TRUE}} \ clang_analyzer_eval(clang_analyzer_getExtent(buf) >= 10); // expected-warning{{TRUE}} \
// expected-note{{TRUE}} // expected-note{{TRUE}}
// clang_analyzer_express marks the argument as interesting. // clang_analyzer_express marks the argument as interesting.
clang_analyzer_express(buf); // expected-warning {{}} // the message does not really matter \ clang_analyzer_express(buf); // expected-warning {{}} // the message does not really matter \
// expected-note {{}} // expected-note {{}}
} }
int __test_case_note();
int test_case_note_1(int y) {
int x = __test_case_note(); // expected-note{{Function returns 0}} \
// expected-note{{'x' initialized here}}
return y / x; // expected-warning{{Division by zero}} \
// expected-note{{Division by zero}}
}
int test_case_note_2(int y) {
int x = __test_case_note(); // expected-note{{Function returns 1}}
return y / (x - 1); // expected-warning{{Division by zero}} \
// expected-note{{Division by zero}}
}

clang/test/Analysis/std-c-library-functions-vs-stream-checker.c

Show All 39 Linesvoid test_fread_fwrite(FILE *fp, int *buf) {
fp = fopen("foo", "r"); fp = fopen("foo", "r");
if (!fp) if (!fp)
return; return;
size_t x = fwrite(buf, sizeof(int), 10, fp); size_t x = fwrite(buf, sizeof(int), 10, fp);
clang_analyzer_eval(x <= 10); // \ clang_analyzer_eval(x <= 10); // \
// stream-warning{{TRUE}} \ // stream-warning{{TRUE}} \
// stdLib-warning{{TRUE}} \ // stdLib-warning{{TRUE}} \
// both-warning{{TRUE}} \ // both-warning{{TRUE}}
clang_analyzer_eval(x == 10); // \ clang_analyzer_eval(x == 10); // \
// stream-warning{{TRUE}} \ // stream-warning{{TRUE}} \
// stream-warning{{FALSE}} \ // stream-warning{{FALSE}} \
// stdLib-warning{{UNKNOWN}} \ // stdLib-warning{{TRUE}} \
// stdLib-warning{{FALSE}} \
// both-warning{{TRUE}} \ // both-warning{{TRUE}} \
// both-warning{{FALSE}} // both-warning{{FALSE}}
fclose(fp); fclose(fp);
} }