This is an archive of the discontinued LLVM Phabricator instance.

Differential D143194

[clang][analyzer] Make messages of StdCLibraryFunctionsChecker user-friendly
ClosedPublic

Authored by balazske on Feb 2 2023, 8:34 AM.

Details

Reviewers
Szelethus
NoQ
gamesh411
Commits
rGddc5d40dd285: [clang][analyzer] Make messages of StdCLibraryFunctionsChecker user-friendly
Summary

Warnings and notes of checker alpha.unix.StdLibraryFunctionArgs are
improved. Previously one warning and one note was emitted for every
finding, now one warning is emitted only that contains a detailed
description of the found issue.

Diff Detail

Event Timeline

balazske created this revision.Feb 2 2023, 8:34 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptFeb 2 2023, 8:34 AM
Herald added a reviewer: NoQ. · View Herald Transcript
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: steakhal, manas, ASDenysPetrov and 10 others. · View Herald Transcript
balazske requested review of this revision.Feb 2 2023, 8:34 AM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 2 2023, 8:34 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B211509: Diff 494323.Feb 2 2023, 9:52 AM
Szelethus added a reviewer: gamesh411.Feb 3 2023, 4:40 AM

Awesome, been a long time coming!!

Other than the minor observation of changing "of function" to "to", I'm inclined to accept this patch. We definitely should describe what the value IS, not just what is should be (aside from the cases concerning nullness, I think they are fine as-is), but seems to be another can of worms deserving of its own patch.

The reason why I'd solve the description of the argument separately is that other checkers also suffer from this problem (alpha.security.ArrayBoundV2, hello), and it opens conversations such as "What if we can't sensibly describe that value?", and on occasions, we have felt that the go-to solution should be just suppressing the warning. But then again, its an intentional false negative.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
907–909

Looking at the tests, the word 'function' may be redundant and unnecessary.

924–945

Here too.

958–961

Here too.

972

We are saying what the value should be, but neglect to say what it is instead. Something like this would be good:

"The value of the 1st argument to _nonnull should be equal to or less then 10, but is 11".

This is what I (and many of our users IIRC) miss in checker messages, like in those where we are supposed to describe what the value of the index is (besides it causing a buffer overflow).

balazske added a comment.Feb 3 2023, 6:16 AM

I had the plan to add a note that tells the value that is out of range. In the most simple case it can work if we have a fixed value. But this may be the most obvious from the code too. Otherwise a new function can be added that can print the assumed constraint ranges.

balazske updated this revision to Diff 495042.Feb 6 2023, 2:08 AM

Replaced "of function" with "to" in checker messages.

Harbormaster completed remote builds in B212033: Diff 495042.Feb 6 2023, 2:50 AM
balazske added a comment.Feb 8 2023, 3:02 AM

Probably it is not always useful to explain why the argument is wrong. In cases when we can find out that the value is exactly between two consecutive valid ranges we can display a note, or when the exact value is known. Otherwise it may end up in something like "the value should be between 1 and 4 or between 6 and 10, but it is less than 1 or exactly 5 or greater than 10". The "good" cases are (when more information is available): "the value is less than 1", "the value is 5", "the value is greater than 10". If two bad ranges are known it may be OK too: "the value is less than 1 or it is exactly 5". The explanation may be possible to implement by test assumes for the negated ranges.

Szelethus added a comment.Feb 10 2023, 5:26 AM

A small nit, otherwise LGTM.

In D143194#4112538, @balazske wrote:

Probably it is not always useful to explain why the argument is wrong. In cases when we can find out that the value is exactly between two consecutive valid ranges we can display a note, or when the exact value is known. Otherwise it may end up in something like "the value should be between 1 and 4 or between 6 and 10, but it is less than 1 or exactly 5 or greater than 10".

You're totally right. I'm not sure how to approach tricky cases like that either.

The "good" cases are (when more information is available): "the value is less than 1", "the value is 5", "the value is greater than 10". If two bad ranges are known it may be OK too: "the value is less than 1 or it is exactly 5". The explanation may be possible to implement by test assumes for the negated ranges.

Maybe we can start out with the easier cases, but we should check whether there is a checker that solves a different problem, and should try to aim at a somewhat general, reusable solution.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
95

Using a raw_ostream as a parameter sounds more elegant than a SmallString with a precise stack buffer length. Not to mention that you could call this function with llvm::errs() for easy debugging.

100

Here as well.

clang/test/Analysis/std-c-library-functions-arg-constraints-notes.cpp
51–79

Please clang-format the changes in this test file.

balazske updated this revision to Diff 496471.Feb 10 2023, 7:45 AM

change of range descriptions, align comments

balazske updated this revision to Diff 496474.Feb 10 2023, 7:48 AM

fixed another comment format problem

balazske updated this revision to Diff 496476.Feb 10 2023, 7:50 AM

fixed another comment format problem

balazske added a comment.Feb 10 2023, 7:53 AM

I changed the text descriptions to relational operators at some places, this is similar to how other clang analyzer messages look (for example notes at if statements), it is shorter, and probably more faster to understand ("<= 0" instead of "non-positive").

balazske marked an inline comment as done.Feb 10 2023, 7:56 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
95

I want to improve this in a later patch. The change does involve not new code too (getArgDesc should be changed too and other places where the messages are generated).

balazske marked 4 inline comments as done.Feb 10 2023, 7:58 AM
balazske added a child revision: D143751: [clang][analyzer][NFC] Refactor code of StdLibraryFunctionsChecker..Feb 10 2023, 9:02 AM
Harbormaster completed remote builds in B213058: Diff 496476.Feb 10 2023, 9:03 AM
Szelethus accepted this revision.Feb 14 2023, 7:42 AM

LGTM!

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
95

Fair enough.

This revision is now accepted and ready to land.Feb 14 2023, 7:42 AM
This revision was landed with ongoing or failed builds.Feb 15 2023, 12:23 AM
Closed by commit rGddc5d40dd285: [clang][analyzer] Make messages of StdCLibraryFunctionsChecker user-friendly (authored by balazske). · Explain Why
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rGddc5d40dd285: [clang][analyzer] Make messages of StdCLibraryFunctionsChecker user-friendly.

Revision Contents

Diff 497576

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 78 Lines▼ Show 20 Linesclass StdLibraryFunctionsChecker
typedef std::vector<std::pair<RangeInt, RangeInt>> IntRangeVector; typedef std::vector<std::pair<RangeInt, RangeInt>> IntRangeVector;
/// A reference to an argument or return value by its number. /// A reference to an argument or return value by its number.
/// ArgNo in CallExpr and CallEvent is defined as Unsigned, but /// ArgNo in CallExpr and CallEvent is defined as Unsigned, but
/// obviously uint32_t should be enough for all practical purposes. /// obviously uint32_t should be enough for all practical purposes.
typedef uint32_t ArgNo; typedef uint32_t ArgNo;
static const ArgNo Ret; static const ArgNo Ret;
using DescString = SmallString<96>;
/// Returns the string representation of an argument index. /// Returns the string representation of an argument index.
/// E.g.: (1) -> '1st arg', (2) - > '2nd arg' /// E.g.: (1) -> '1st arg', (2) - > '2nd arg'
static SmallString<8> getArgDesc(ArgNo); static SmallString<8> getArgDesc(ArgNo);
/// Append textual description of a numeric range [RMin,RMax] to the string
/// 'Out'.
static void appendInsideRangeDesc(llvm::APSInt RMin, llvm::APSInt RMax,
QualType ArgT, BasicValueFactory &BVF,
DescString &Out);
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Using a raw_ostream as a parameter sounds more elegant than a SmallString with a precise stack buffer length. Not to mention that you could call this function with llvm::errs() for easy debugging.

Szelethus: Using a `raw_ostream` as a parameter sounds more elegant than a `SmallString` with a precise…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I want to improve this in a later patch. The change does involve not new code too (getArgDesc should be changed too and other places where the messages are generated).

balazske: I want to improve this in a later patch. The change does involve not new code too (`getArgDesc`…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Fair enough.

Szelethus: Fair enough.
/// Append textual description of a numeric range out of [RMin,RMax] to the
/// string 'Out'.
static void appendOutOfRangeDesc(llvm::APSInt RMin, llvm::APSInt RMax,
QualType ArgT, BasicValueFactory &BVF,
DescString &Out);
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Here as well.

Szelethus: Here as well.
class ValueConstraint; class ValueConstraint;
// Pointer to the ValueConstraint. We need a copyable, polymorphic and // Pointer to the ValueConstraint. We need a copyable, polymorphic and
// default initialize able type (vector needs that). A raw pointer was good, // default initialize able type (vector needs that). A raw pointer was good,
// however, we cannot default initialize that. unique_ptr makes the Summary // however, we cannot default initialize that. unique_ptr makes the Summary
// class non-copyable, therefore not an option. Releasing the copyability // class non-copyable, therefore not an option. Releasing the copyability
// requirement would render the initialization of the Summary map infeasible. // requirement would render the initialization of the Summary map infeasible.
using ValueConstraintPtr = std::shared_ptr<ValueConstraint>; using ValueConstraintPtr = std::shared_ptr<ValueConstraint>;
/// Polymorphic base class that represents a constraint on a given argument /// Polymorphic base class that represents a constraint on a given argument
/// (or return value) of a function. Derived classes implement different kind /// (or return value) of a function. Derived classes implement different kind
/// of constraints, e.g range constraints or correlation between two /// of constraints, e.g range constraints or correlation between two
/// arguments. /// arguments.
/// These are used as argument constraints (preconditions) of functions, in
/// which case a bug report may be emitted if the constraint is not satisfied.
/// Another use is as conditions for summary cases, to create different
/// classes of behavior for a function. In this case no description of the
/// constraint is needed because the summary cases have an own (not generated)
/// description string.
class ValueConstraint { class ValueConstraint {
public: public:
ValueConstraint(ArgNo ArgN) : ArgN(ArgN) {} ValueConstraint(ArgNo ArgN) : ArgN(ArgN) {}
virtual ~ValueConstraint() {} virtual ~ValueConstraint() {}
/// Apply the effects of the constraint on the given program state. If null /// Apply the effects of the constraint on the given program state. If null
/// is returned then the constraint is not feasible. /// is returned then the constraint is not feasible.
virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const = 0; CheckerContext &C) const = 0;
virtual ValueConstraintPtr negate() const { virtual ValueConstraintPtr negate() const {
llvm_unreachable("Not implemented"); llvm_unreachable("Not implemented");
}; };
// Check whether the constraint is malformed or not. It is malformed if the /// Check whether the constraint is malformed or not. It is malformed if the
// specified argument has a mismatch with the given FunctionDecl (e.g. the /// specified argument has a mismatch with the given FunctionDecl (e.g. the
// arg number is out-of-range of the function's argument list). /// arg number is out-of-range of the function's argument list).
bool checkValidity(const FunctionDecl *FD) const { bool checkValidity(const FunctionDecl *FD) const {
const bool ValidArg = ArgN == Ret || ArgN < FD->getNumParams(); const bool ValidArg = ArgN == Ret || ArgN < FD->getNumParams();
assert(ValidArg && "Arg out of range!"); assert(ValidArg && "Arg out of range!");
if (!ValidArg) if (!ValidArg)
return false; return false;
// Subclasses may further refine the validation. // Subclasses may further refine the validation.
return checkSpecificValidity(FD); return checkSpecificValidity(FD);
} }
ArgNo getArgNo() const { return ArgN; } ArgNo getArgNo() const { return ArgN; }
// Return those arguments that should be tracked when we report a bug. By /// Return those arguments that should be tracked when we report a bug. By
// default it is the argument that is constrained, however, in some special /// default it is the argument that is constrained, however, in some special
// cases we need to track other arguments as well. E.g. a buffer size might /// cases we need to track other arguments as well. E.g. a buffer size might
// be encoded in another argument. /// be encoded in another argument.
virtual std::vector<ArgNo> getArgsToTrack() const { return {ArgN}; } virtual std::vector<ArgNo> getArgsToTrack() const { return {ArgN}; }
virtual StringRef getName() const = 0; virtual StringRef getName() const = 0;
// Represents that in which context do we require a description of the /// Represents that in which context do we require a description of the
// constraint. /// constraint.
enum class DescriptionKind { enum class DescriptionKind {
// The constraint is violated. /// The constraint is violated.
Violation, Violation,
// We assume that the constraint is satisfied. /// We assume that the constraint is satisfied.
Assumption Assumption
}; };
// Give a description that explains the constraint to the user. Used when /// Give a description that explains the constraint to the user. Used when
// the bug is reported. /// a bug is reported or when the constraint is applied and displayed as a
virtual std::string describe(DescriptionKind DK, ProgramStateRef State, /// note.
virtual std::string describe(DescriptionKind DK, const CallEvent &Call,
ProgramStateRef State,
const Summary &Summary) const { const Summary &Summary) const {
// There are some descendant classes that are not used as argument // There are some descendant classes that are not used as argument
// constraints, e.g. ComparisonConstraint. In that case we can safely // constraints, e.g. ComparisonConstraint. In that case we can safely
// ignore the implementation of this function. // ignore the implementation of this function.
llvm_unreachable("Not implemented"); llvm_unreachable(
"Description not implemented for summary case constraints");
} }
protected: protected:
ArgNo ArgN; // Argument to which we apply the constraint. ArgNo ArgN; // Argument to which we apply the constraint.
/// Do polymorphic validation check on the constraint. /// Do polymorphic validation check on the constraint.
virtual bool checkSpecificValidity(const FunctionDecl *FD) const { virtual bool checkSpecificValidity(const FunctionDecl *FD) const {
return true; return true;
Show All 10 Lines class RangeConstraint : public ValueConstraint {
// E.g. {['A', 'Z'], ['a', 'z']} // E.g. {['A', 'Z'], ['a', 'z']}
// //
// The default constructed RangeConstraint has an empty range set, applying // The default constructed RangeConstraint has an empty range set, applying
// such constraint does not involve any assumptions, thus the State remains // such constraint does not involve any assumptions, thus the State remains
// unchanged. This is meaningful, if the range is dependent on a looked up // unchanged. This is meaningful, if the range is dependent on a looked up
// type (e.g. [0, Socklen_tMax]). If the type is not found, then the range // type (e.g. [0, Socklen_tMax]). If the type is not found, then the range
// is default initialized to be empty. // is default initialized to be empty.
IntRangeVector Ranges; IntRangeVector Ranges;
// A textual description of this constraint for the specific case where the
// constraint is used. If empty a generated description will be used.
StringRef Description;
public: public:
StringRef getName() const override { return "Range"; } StringRef getName() const override { return "Range"; }
RangeConstraint(ArgNo ArgN, RangeKind Kind, const IntRangeVector &Ranges) RangeConstraint(ArgNo ArgN, RangeKind Kind, const IntRangeVector &Ranges,
: ValueConstraint(ArgN), Kind(Kind), Ranges(Ranges) {} StringRef Desc = "")
: ValueConstraint(ArgN), Kind(Kind), Ranges(Ranges), Description(Desc) {
}
std::string describe(DescriptionKind DK, ProgramStateRef State, std::string describe(DescriptionKind DK, const CallEvent &Call,
ProgramStateRef State,
const Summary &Summary) const override; const Summary &Summary) const override;
const IntRangeVector &getRanges() const { return Ranges; } const IntRangeVector &getRanges() const { return Ranges; }
private: private:
ProgramStateRef applyAsOutOfRange(ProgramStateRef State, ProgramStateRef applyAsOutOfRange(ProgramStateRef State,
const CallEvent &Call, const CallEvent &Call,
const Summary &Summary) const; const Summary &Summary) const;
▲ Show 20 LinesShow All 55 Lines▼ Show 20 Linesclass StdLibraryFunctionsChecker
class NotNullConstraint : public ValueConstraint { class NotNullConstraint : public ValueConstraint {
using ValueConstraint::ValueConstraint; using ValueConstraint::ValueConstraint;
// This variable has a role when we negate the constraint. // This variable has a role when we negate the constraint.
bool CannotBeNull = true; bool CannotBeNull = true;
public: public:
NotNullConstraint(ArgNo ArgN, bool CannotBeNull = true) NotNullConstraint(ArgNo ArgN, bool CannotBeNull = true)
: ValueConstraint(ArgN), CannotBeNull(CannotBeNull) {} : ValueConstraint(ArgN), CannotBeNull(CannotBeNull) {}
std::string describe(DescriptionKind DK, ProgramStateRef State, std::string describe(DescriptionKind DK, const CallEvent &Call,
ProgramStateRef State,
const Summary &Summary) const override; const Summary &Summary) const override;
StringRef getName() const override { return "NonNull"; } StringRef getName() const override { return "NonNull"; }
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const override { CheckerContext &C) const override {
SVal V = getArgSVal(Call, getArgNo()); SVal V = getArgSVal(Call, getArgNo());
if (V.isUndef()) if (V.isUndef())
return State; return State;
▲ Show 20 LinesShow All 55 Lines▼ Show 20 Lines std::vector<ArgNo> getArgsToTrack() const override {
std::vector<ArgNo> Result{ArgN}; std::vector<ArgNo> Result{ArgN};
if (SizeArgN) if (SizeArgN)
Result.push_back(*SizeArgN); Result.push_back(*SizeArgN);
if (SizeMultiplierArgN) if (SizeMultiplierArgN)
Result.push_back(*SizeMultiplierArgN); Result.push_back(*SizeMultiplierArgN);
return Result; return Result;
} }
std::string describe(DescriptionKind DK, ProgramStateRef State, std::string describe(DescriptionKind DK, const CallEvent &Call,
ProgramStateRef State,
const Summary &Summary) const override; const Summary &Summary) const override;
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const override { CheckerContext &C) const override {
SValBuilder &SvalBuilder = C.getSValBuilder(); SValBuilder &SvalBuilder = C.getSValBuilder();
// The buffer argument. // The buffer argument.
SVal BufV = getArgSVal(Call, getArgNo()); SVal BufV = getArgSVal(Call, getArgNo());
▲ Show 20 LinesShow All 353 Lines▼ Show 20 Linesclass StdLibraryFunctionsChecker
mutable FunctionSummaryMapType FunctionSummaryMap; mutable FunctionSummaryMapType FunctionSummaryMap;
mutable std::unique_ptr<BugType> BT_InvalidArg; mutable std::unique_ptr<BugType> BT_InvalidArg;
mutable bool SummariesInitialized = false; mutable bool SummariesInitialized = false;
static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) { static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) {
return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN); return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN);
} }
static std::string getFunctionName(const CallEvent &Call) {
assert(Call.getDecl() &&
"Call was found by a summary, should have declaration");
return cast<NamedDecl>(Call.getDecl())->getNameAsString();
}
public: public:
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
bool evalCall(const CallEvent &Call, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
enum CheckKind { enum CheckKind {
CK_StdCLibraryFunctionArgsChecker, CK_StdCLibraryFunctionArgsChecker,
Show All 15 Linesprivate:
void initFunctionSummaries(CheckerContext &C) const; void initFunctionSummaries(CheckerContext &C) const;
void reportBug(const CallEvent &Call, ExplodedNode *N, void reportBug(const CallEvent &Call, ExplodedNode *N,
const ValueConstraint *VC, const Summary &Summary, const ValueConstraint *VC, const Summary &Summary,
CheckerContext &C) const { CheckerContext &C) const {
if (!ChecksEnabled[CK_StdCLibraryFunctionArgsChecker]) if (!ChecksEnabled[CK_StdCLibraryFunctionArgsChecker])
return; return;
std::string Msg = assert(Call.getDecl() &&
(Twine("Function argument constraint is not satisfied, constraint: ") + "Function found in summary must have a declaration available");
VC->getName().data()) std::string Msg = VC->describe(ValueConstraint::DescriptionKind::Violation,
.str(); Call, C.getState(), Summary);
Msg[0] = toupper(Msg[0]);
if (!BT_InvalidArg) if (!BT_InvalidArg)
BT_InvalidArg = std::make_unique<BugType>( BT_InvalidArg = std::make_unique<BugType>(
CheckNames[CK_StdCLibraryFunctionArgsChecker], CheckNames[CK_StdCLibraryFunctionArgsChecker],
"Unsatisfied argument constraints", categories::LogicError); "Function call with invalid argument", categories::LogicError);
auto R = std::make_unique<PathSensitiveBugReport>(*BT_InvalidArg, Msg, N); auto R = std::make_unique<PathSensitiveBugReport>(*BT_InvalidArg, Msg, N);
for (ArgNo ArgN : VC->getArgsToTrack()) for (ArgNo ArgN : VC->getArgsToTrack()) {
bugreporter::trackExpressionValue(N, Call.getArgExpr(ArgN), *R); bugreporter::trackExpressionValue(N, Call.getArgExpr(ArgN), *R);
// All tracked arguments are important, highlight them.
// Highlight the range of the argument that was violated. R->addRange(Call.getArgSourceRange(ArgN));
R->addRange(Call.getArgSourceRange(VC->getArgNo())); }
// Describe the argument constraint violation in a note.
std::string Descr = VC->describe(
ValueConstraint::DescriptionKind::Violation, C.getState(), Summary);
// Capitalize the first letter b/c we want a full sentence.
Descr[0] = toupper(Descr[0]);
R->addNote(Descr, R->getLocation(), Call.getArgSourceRange(VC->getArgNo()));
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
/// These are the errno constraints that can be passed to summary cases. /// These are the errno constraints that can be passed to summary cases.
/// One of these should fit for a single summary case. /// One of these should fit for a single summary case.
/// Usually if a failure return value exists for function, that function /// Usually if a failure return value exists for function, that function
/// needs different cases for success and failure with different errno /// needs different cases for success and failure with different errno
/// constraints (and different return value constraints). /// constraints (and different return value constraints).
const NoErrnoConstraint ErrnoUnchanged{}; const NoErrnoConstraint ErrnoUnchanged{};
const ResetErrnoConstraint ErrnoIrrelevant{}; const ResetErrnoConstraint ErrnoIrrelevant{};
const ErrnoMustBeCheckedConstraint ErrnoMustBeChecked{}; const ErrnoMustBeCheckedConstraint ErrnoMustBeChecked{};
const SuccessErrnoConstraint ErrnoMustNotBeChecked{}; const SuccessErrnoConstraint ErrnoMustNotBeChecked{};
const FailureErrnoConstraint ErrnoNEZeroIrrelevant{}; const FailureErrnoConstraint ErrnoNEZeroIrrelevant{};
}; };
int StdLibraryFunctionsChecker::ErrnoConstraintBase::Tag = 0; int StdLibraryFunctionsChecker::ErrnoConstraintBase::Tag = 0;
const StdLibraryFunctionsChecker::ArgNo StdLibraryFunctionsChecker::Ret = const StdLibraryFunctionsChecker::ArgNo StdLibraryFunctionsChecker::Ret =
std::numeric_limits<ArgNo>::max(); std::numeric_limits<ArgNo>::max();
} // end of anonymous namespace
static BasicValueFactory &getBVF(ProgramStateRef State) { static BasicValueFactory &getBVF(ProgramStateRef State) {
ProgramStateManager &Mgr = State->getStateManager(); ProgramStateManager &Mgr = State->getStateManager();
SValBuilder &SVB = Mgr.getSValBuilder(); SValBuilder &SVB = Mgr.getSValBuilder();
return SVB.getBasicValueFactory(); return SVB.getBasicValueFactory();
} }
} // end of anonymous namespace
SmallString<8>
StdLibraryFunctionsChecker::getArgDesc(StdLibraryFunctionsChecker::ArgNo ArgN) {
SmallString<8> Result;
Result += std::to_string(ArgN + 1);
Result += llvm::getOrdinalSuffix(ArgN + 1);
Result += " argument";
return Result;
}
void StdLibraryFunctionsChecker::appendInsideRangeDesc(llvm::APSInt RMin,
llvm::APSInt RMax,
QualType ArgT,
BasicValueFactory &BVF,
DescString &Out) {
if (RMin.isZero() && RMax.isZero())
Out.append("zero");
else if (RMin == RMax)
RMin.toString(Out);
else if (RMin == BVF.getMinValue(ArgT)) {
if (RMax == -1)
Out.append("< 0");
else {
Out.append("<= ");
RMax.toString(Out);
}
} else if (RMax == BVF.getMaxValue(ArgT)) {
if (RMin.isOne())
Out.append("> 0");
else {
Out.append(">= ");
RMin.toString(Out);
}
} else if (RMin.isNegative() == RMax.isNegative() &&
RMin.getLimitedValue() == RMax.getLimitedValue() - 1) {
RMin.toString(Out);
Out.append(" or ");
RMax.toString(Out);
} else if (RMin.isNegative() == RMax.isNegative() &&
RMin.getLimitedValue() == RMax.getLimitedValue() - 2) {
RMin.toString(Out);
Out.append(", ");
(RMin + 1).toString(Out, 10, RMin.isSigned());
Out.append(" or ");
RMax.toString(Out);
} else {
Out.append("between ");
RMin.toString(Out);
Out.append(" and ");
RMax.toString(Out);
}
}
void StdLibraryFunctionsChecker::appendOutOfRangeDesc(llvm::APSInt RMin,
llvm::APSInt RMax,
QualType ArgT,
BasicValueFactory &BVF,
DescString &Out) {
if (RMin.isZero() && RMax.isZero())
Out.append("nonzero");
else if (RMin == RMax) {
Out.append("not equal to ");
RMin.toString(Out);
} else if (RMin == BVF.getMinValue(ArgT)) {
if (RMax == -1)
Out.append(">= 0");
else {
Out.append("> ");
RMax.toString(Out);
}
} else if (RMax == BVF.getMaxValue(ArgT)) {
if (RMin.isOne())
Out.append("<= 0");
else {
Out.append("< ");
RMin.toString(Out);
}
} else if (RMin.isNegative() == RMax.isNegative() &&
RMin.getLimitedValue() == RMax.getLimitedValue() - 1) {
Out.append("not ");
RMin.toString(Out);
Out.append(" and not ");
RMax.toString(Out);
} else {
Out.append("not between ");
RMin.toString(Out);
Out.append(" and ");
RMax.toString(Out);
}
}
std::string StdLibraryFunctionsChecker::NotNullConstraint::describe( std::string StdLibraryFunctionsChecker::NotNullConstraint::describe(
DescriptionKind DK, ProgramStateRef State, const Summary &Summary) const { DescriptionKind DK, const CallEvent &Call, ProgramStateRef State,
const Summary &Summary) const {
SmallString<48> Result; SmallString<48> Result;
const auto Violation = ValueConstraint::DescriptionKind::Violation; const auto Violation = ValueConstraint::DescriptionKind::Violation;
Result += "the "; Result += "the ";
Result += getArgDesc(ArgN); Result += getArgDesc(ArgN);
Result += DK == Violation ? " should not be NULL" : " is not NULL"; Result += " to '";
Result += getFunctionName(Call);
Result += DK == Violation ? "' should not be NULL" : "' is not NULL";
SzelethusUnsubmitted
Done
ReplyInline Actions
Result += getArgDesc(ArgN);
- Result += " of function '";
+ Result += " to '";
Result += getFunctionName(Call);

Looking at the tests, the word 'function' may be redundant and unnecessary.

Szelethus: Looking at the tests, the word 'function' may be redundant and unnecessary.
return Result.c_str(); return Result.c_str();
} }
std::string StdLibraryFunctionsChecker::RangeConstraint::describe( std::string StdLibraryFunctionsChecker::RangeConstraint::describe(
DescriptionKind DK, ProgramStateRef State, const Summary &Summary) const { DescriptionKind DK, const CallEvent &Call, ProgramStateRef State,
const Summary &Summary) const {
BasicValueFactory &BVF = getBVF(State); BasicValueFactory &BVF = getBVF(State);
QualType T = Summary.getArgType(getArgNo()); QualType T = Summary.getArgType(getArgNo());
SmallString<48> Result; DescString Result;
const auto Violation = ValueConstraint::DescriptionKind::Violation; const auto Violation = ValueConstraint::DescriptionKind::Violation;
Result += "the "; Result += "the ";
Result += getArgDesc(ArgN); Result += getArgDesc(ArgN);
Result += DK == Violation ? " should be " : " is "; Result += " to '";
Result += getFunctionName(Call);
// Range kind as a string. Result += DK == Violation ? "' should be " : "' is ";
Kind == OutOfRange ? Result += "out of" : Result += "within"; if (!Description.empty()) {
Result += Description;
// Get the range values as a string. } else {
Result += " the range ";
if (Ranges.size() > 1)
Result += "[";
unsigned I = Ranges.size(); unsigned I = Ranges.size();
if (Kind == WithinRange) {
for (const std::pair<RangeInt, RangeInt> &R : Ranges) { for (const std::pair<RangeInt, RangeInt> &R : Ranges) {
Result += "["; appendInsideRangeDesc(BVF.getValue(R.first, T),
const llvm::APSInt &Min = BVF.getValue(R.first, T); BVF.getValue(R.second, T), T, BVF, Result);
const llvm::APSInt &Max = BVF.getValue(R.second, T);
Min.toString(Result);
Result += ", ";
Max.toString(Result);
Result += "]";
if (--I > 0) if (--I > 0)
Result += ", "; Result += " or ";
}
} else {
for (const std::pair<RangeInt, RangeInt> &R : Ranges) {
appendOutOfRangeDesc(BVF.getValue(R.first, T),
BVF.getValue(R.second, T), T, BVF, Result);
if (--I > 0)
Result += " and ";
}
} }
SzelethusUnsubmitted
Done
ReplyInline Actions

Here too.

Szelethus: Here too.
if (Ranges.size() > 1)
Result += "]";
return Result.c_str();
} }
SmallString<8> return Result.c_str();
StdLibraryFunctionsChecker::getArgDesc(StdLibraryFunctionsChecker::ArgNo ArgN) {
SmallString<8> Result;
Result += std::to_string(ArgN + 1);
Result += llvm::getOrdinalSuffix(ArgN + 1);
Result += " argument";
return Result;
} }
std::string StdLibraryFunctionsChecker::BufferSizeConstraint::describe( std::string StdLibraryFunctionsChecker::BufferSizeConstraint::describe(
DescriptionKind DK, ProgramStateRef State, const Summary &Summary) const { DescriptionKind DK, const CallEvent &Call, ProgramStateRef State,
const Summary &Summary) const {
SmallString<96> Result; SmallString<96> Result;
const auto Violation = ValueConstraint::DescriptionKind::Violation; const auto Violation = ValueConstraint::DescriptionKind::Violation;
Result += "the size of the "; Result += "the size of the ";
Result += getArgDesc(ArgN); Result += getArgDesc(ArgN);
Result += DK == Violation ? " should be " : " is "; Result += " to '";
Result += "equal to or greater than the value of "; Result += getFunctionName(Call);
Result += DK == Violation ? "' should be " : "' is ";
Result += "equal to or greater than ";
SzelethusUnsubmitted
Done
ReplyInline Actions

Here too.

Szelethus: Here too.
if (ConcreteSize) { if (ConcreteSize) {
ConcreteSize->toString(Result); ConcreteSize->toString(Result);
} else if (SizeArgN) { } else if (SizeArgN) {
Result += "the "; Result += "the value of the ";
Result += getArgDesc(*SizeArgN); Result += getArgDesc(*SizeArgN);
if (SizeMultiplierArgN) { if (SizeMultiplierArgN) {
Result += " times the "; Result += " times the ";
Result += getArgDesc(*SizeMultiplierArgN); Result += getArgDesc(*SizeMultiplierArgN);
} }
} }
return Result.c_str(); return Result.c_str();
SzelethusUnsubmitted
Done
ReplyInline Actions

We are saying what the value should be, but neglect to say what it is instead. Something like this would be good:

"The value of the 1st argument to _nonnull should be equal to or less then 10, but is 11".

This is what I (and many of our users IIRC) miss in checker messages, like in those where we are supposed to describe what the value of the index is (besides it causing a buffer overflow).

Szelethus: We are saying what the value should be, but neglect to say what it is instead. Something like…
} }
ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsOutOfRange( ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsOutOfRange(
ProgramStateRef State, const CallEvent &Call, ProgramStateRef State, const CallEvent &Call,
const Summary &Summary) const { const Summary &Summary) const {
if (Ranges.empty()) if (Ranges.empty())
return State; return State;
▲ Show 20 LinesShow All 127 Lines▼ Show 20 Lines for (const ValueConstraintPtr &Constraint : Summary.getArgConstraints()) {
// weren't applying the constraint that would mean that symbolic // weren't applying the constraint that would mean that symbolic
// execution continues on a code whose behaviour is undefined. // execution continues on a code whose behaviour is undefined.
assert(SuccessSt); assert(SuccessSt);
NewState = SuccessSt; NewState = SuccessSt;
if (NewState != State) { if (NewState != State) {
SmallString<64> Msg; SmallString<64> Msg;
Msg += "Assuming "; Msg += "Assuming ";
Msg += Constraint->describe(ValueConstraint::DescriptionKind::Assumption, Msg += Constraint->describe(ValueConstraint::DescriptionKind::Assumption,
NewState, Summary); Call, NewState, Summary);
const auto ArgSVal = Call.getArgSVal(Constraint->getArgNo()); const auto ArgSVal = Call.getArgSVal(Constraint->getArgNo());
NewNode = C.addTransition( NewNode = C.addTransition(
NewState, NewNode, NewState, NewNode,
C.getNoteTag([Msg = std::move(Msg), ArgSVal]( C.getNoteTag([Msg = std::move(Msg), ArgSVal](
PathSensitiveBugReport &BR, llvm::raw_ostream &OS) { PathSensitiveBugReport &BR, llvm::raw_ostream &OS) {
if (BR.isInteresting(ArgSVal)) if (BR.isInteresting(ArgSVal))
OS << Msg; OS << Msg;
})); }));
▲ Show 20 LinesShow All 343 Lines▼ Show 20 Lines struct AddToFunctionSummaryMap {
// given. // given.
void operator()(std::vector<StringRef> Names, Signature Sign, Summary Sum) { void operator()(std::vector<StringRef> Names, Signature Sign, Summary Sum) {
for (StringRef Name : Names) for (StringRef Name : Names)
operator()(Name, Sign, Sum); operator()(Name, Sign, Sum);
} }
} addToFunctionSummaryMap(ACtx, FunctionSummaryMap, DisplayLoadedSummaries); } addToFunctionSummaryMap(ACtx, FunctionSummaryMap, DisplayLoadedSummaries);
// Below are helpers functions to create the summaries. // Below are helpers functions to create the summaries.
auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind, auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind, IntRangeVector Ranges,
IntRangeVector Ranges) { StringRef Desc = "") {
return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges); return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges, Desc);
}; };
auto BufferSize = [](auto... Args) { auto BufferSize = [](auto... Args) {
return std::make_shared<BufferSizeConstraint>(Args...); return std::make_shared<BufferSizeConstraint>(Args...);
}; };
struct { struct {
auto operator()(RangeKind Kind, IntRangeVector Ranges) { auto operator()(RangeKind Kind, IntRangeVector Ranges) {
return std::make_shared<RangeConstraint>(Ret, Kind, Ranges); return std::make_shared<RangeConstraint>(Ret, Kind, Ranges);
} }
▲ Show 20 LinesShow All 66 Lines▼ Show 20 Lines addToFunctionSummaryMap(
.Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
ErrnoIrrelevant) ErrnoIrrelevant)
.Case( .Case(
{ArgumentCondition( {ArgumentCondition(
0U, OutOfRange, 0U, OutOfRange,
{{'0', '9'}, {'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}), {{'0', '9'}, {'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}),
ReturnValueCondition(WithinRange, SingleValue(0))}, ReturnValueCondition(WithinRange, SingleValue(0))},
ErrnoIrrelevant, "Assuming the character is non-alphanumeric") ErrnoIrrelevant, "Assuming the character is non-alphanumeric")
.ArgConstraint(ArgumentCondition( .ArgConstraint(ArgumentCondition(0U, WithinRange,
0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}}))); {{EOFv, EOFv}, {0, UCharRangeMax}},
"an unsigned char value or EOF")));
addToFunctionSummaryMap( addToFunctionSummaryMap(
"isalpha", Signature(ArgTypes{IntTy}, RetType{IntTy}), "isalpha", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure) Summary(EvalCallAsPure)
.Case({ArgumentCondition(0U, WithinRange, {{'A', 'Z'}, {'a', 'z'}}), .Case({ArgumentCondition(0U, WithinRange, {{'A', 'Z'}, {'a', 'z'}}),
ReturnValueCondition(OutOfRange, SingleValue(0))}, ReturnValueCondition(OutOfRange, SingleValue(0))},
ErrnoIrrelevant, "Assuming the character is alphabetical") ErrnoIrrelevant, "Assuming the character is alphabetical")
// The locale-specific range. // The locale-specific range.
.Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
▲ Show 20 LinesShow All 142 Lines▼ Show 20 Lines addToFunctionSummaryMap(
.Case({ArgumentCondition(0U, OutOfRange, .Case({ArgumentCondition(0U, OutOfRange,
{{'0', '9'}, {'A', 'F'}, {'a', 'f'}}), {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),
ReturnValueCondition(WithinRange, SingleValue(0))}, ReturnValueCondition(WithinRange, SingleValue(0))},
ErrnoIrrelevant, ErrnoIrrelevant,
"Assuming the character is not a hexadecimal digit")); "Assuming the character is not a hexadecimal digit"));
addToFunctionSummaryMap( addToFunctionSummaryMap(
"toupper", Signature(ArgTypes{IntTy}, RetType{IntTy}), "toupper", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure) Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition( .ArgConstraint(ArgumentCondition(0U, WithinRange,
0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}}))); {{EOFv, EOFv}, {0, UCharRangeMax}},
"an unsigned char value or EOF")));
addToFunctionSummaryMap( addToFunctionSummaryMap(
"tolower", Signature(ArgTypes{IntTy}, RetType{IntTy}), "tolower", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure) Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition( .ArgConstraint(ArgumentCondition(0U, WithinRange,
0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}}))); {{EOFv, EOFv}, {0, UCharRangeMax}},
"an unsigned char value or EOF")));
addToFunctionSummaryMap( addToFunctionSummaryMap(
"toascii", Signature(ArgTypes{IntTy}, RetType{IntTy}), "toascii", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure) Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition( .ArgConstraint(ArgumentCondition(0U, WithinRange,
0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}}))); {{EOFv, EOFv}, {0, UCharRangeMax}},
"an unsigned char value or EOF")));
// The getc() family of functions that returns either a char or an EOF. // The getc() family of functions that returns either a char or an EOF.
addToFunctionSummaryMap( addToFunctionSummaryMap(
{"getc", "fgetc"}, Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), {"getc", "fgetc"}, Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case({ReturnValueCondition(WithinRange, .Case({ReturnValueCondition(WithinRange,
{{EOFv, EOFv}, {0, UCharRangeMax}})}, {{EOFv, EOFv}, {0, UCharRangeMax}})},
ErrnoIrrelevant)); ErrnoIrrelevant));
▲ Show 20 LinesShow All 1,466 Lines▼ Show 20 Lines addToFunctionSummaryMap(
{"pthread_mutex_destroy", "pthread_mutex_lock", "pthread_mutex_trylock", {"pthread_mutex_destroy", "pthread_mutex_lock", "pthread_mutex_trylock",
"pthread_mutex_unlock"}, "pthread_mutex_unlock"},
Signature(ArgTypes{Pthread_mutex_tPtrTy}, RetType{IntTy}), Signature(ArgTypes{Pthread_mutex_tPtrTy}, RetType{IntTy}),
Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
} }
// Functions for testing. // Functions for testing.
if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) { if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {
const RangeInt IntMin = BVF.getMinValue(IntTy).getLimitedValue();
addToFunctionSummaryMap( addToFunctionSummaryMap(
"__not_null", Signature(ArgTypes{IntPtrTy}, RetType{IntTy}), "__not_null", Signature(ArgTypes{IntPtrTy}, RetType{IntTy}),
Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0)))); Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0))));
// Test range values. // Test inside range constraints.
addToFunctionSummaryMap( addToFunctionSummaryMap(
"__single_val_0", Signature(ArgTypes{IntTy}, RetType{IntTy}), "__single_val_0", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure) Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(0)))); .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(0))));
addToFunctionSummaryMap( addToFunctionSummaryMap(
"__single_val_1", Signature(ArgTypes{IntTy}, RetType{IntTy}), "__single_val_1", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure) Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))); .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1))));
addToFunctionSummaryMap( addToFunctionSummaryMap(
"__range_1_2", Signature(ArgTypes{IntTy}, RetType{IntTy}), "__range_1_2", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure) Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, WithinRange, Range(1, 2)))); .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(1, 2))));
addToFunctionSummaryMap("__range_1_2__4_5", addToFunctionSummaryMap(
"__range_m1_1", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, WithinRange, Range(-1, 1))));
addToFunctionSummaryMap(
"__range_m2_m1", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, WithinRange, Range(-2, -1))));
addToFunctionSummaryMap(
"__range_m10_10", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, WithinRange, Range(-10, 10))));
addToFunctionSummaryMap("__range_m1_inf",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, WithinRange, Range(-1, IntMax))));
addToFunctionSummaryMap("__range_0_inf",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, WithinRange, Range(0, IntMax))));
addToFunctionSummaryMap("__range_1_inf",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, WithinRange, Range(1, IntMax))));
addToFunctionSummaryMap("__range_minf_m1",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, WithinRange, Range(IntMin, -1))));
addToFunctionSummaryMap("__range_minf_0",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, WithinRange, Range(IntMin, 0))));
addToFunctionSummaryMap("__range_minf_1",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, WithinRange, Range(IntMin, 1))));
addToFunctionSummaryMap("__range_1_2__4_6",
Signature(ArgTypes{IntTy}, RetType{IntTy}), Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure) Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition( .ArgConstraint(ArgumentCondition(
0U, WithinRange, Range({1, 2}, {4, 5})))); 0U, WithinRange, Range({1, 2}, {4, 6}))));
addToFunctionSummaryMap(
"__range_1_2__4_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, WithinRange,
Range({1, 2}, {4, IntMax}))));
// Test out of range constraints.
addToFunctionSummaryMap(
"__single_val_out_0", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(0))));
addToFunctionSummaryMap(
"__single_val_out_1", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1))));
addToFunctionSummaryMap(
"__range_out_1_2", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(1, 2))));
addToFunctionSummaryMap(
"__range_out_m1_1", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(-1, 1))));
addToFunctionSummaryMap(
"__range_out_m2_m1", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(-2, -1))));
addToFunctionSummaryMap(
"__range_out_m10_10", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(-10, 10))));
addToFunctionSummaryMap("__range_out_m1_inf",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, OutOfRange, Range(-1, IntMax))));
addToFunctionSummaryMap("__range_out_0_inf",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, OutOfRange, Range(0, IntMax))));
addToFunctionSummaryMap("__range_out_1_inf",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, OutOfRange, Range(1, IntMax))));
addToFunctionSummaryMap("__range_out_minf_m1",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, OutOfRange, Range(IntMin, -1))));
addToFunctionSummaryMap("__range_out_minf_0",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, OutOfRange, Range(IntMin, 0))));
addToFunctionSummaryMap("__range_out_minf_1",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, OutOfRange, Range(IntMin, 1))));
addToFunctionSummaryMap("__range_out_1_2__4_6",
Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(
0U, OutOfRange, Range({1, 2}, {4, 6}))));
addToFunctionSummaryMap(
"__range_out_1_2__4_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(
ArgumentCondition(0U, OutOfRange, Range({1, 2}, {4, IntMax}))));
// Test range kind. // Test range kind.
addToFunctionSummaryMap( addToFunctionSummaryMap(
"__within", Signature(ArgTypes{IntTy}, RetType{IntTy}), "__within", Signature(ArgTypes{IntTy}, RetType{IntTy}),
Summary(EvalCallAsPure) Summary(EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))); .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1))));
addToFunctionSummaryMap( addToFunctionSummaryMap(
"__out_of", Signature(ArgTypes{IntTy}, RetType{IntTy}), "__out_of", Signature(ArgTypes{IntTy}, RetType{IntTy}),
▲ Show 20 LinesShow All 89 LinesShow Last 20 Lines

clang/test/Analysis/std-c-library-functions-arg-constraints-note-tags.cpp

Show All 13 Lines
void clang_analyzer_express(T x); void clang_analyzer_express(T x);
void clang_analyzer_eval(bool); void clang_analyzer_eval(bool);
int clang_analyzer_getExtent(void *); int clang_analyzer_getExtent(void *);
// Check NotNullConstraint assumption notes. // Check NotNullConstraint assumption notes.
int __not_null(int *); int __not_null(int *);
int test_not_null_note(int *x, int y) { int test_not_null_note(int *x, int y) {
__not_null(x); // expected-note{{Assuming the 1st argument is not NULL}} __not_null(x); // expected-note{{Assuming the 1st argument to '__not_null' is not NULL}}
if (x) // expected-note{{'x' is non-null}} \ if (x) // expected-note{{'x' is non-null}} \
// expected-note{{Taking true branch}} // expected-note{{Taking true branch}}
if (!y) // expected-note{{Assuming 'y' is 0}} \ if (!y) // expected-note{{Assuming 'y' is 0}} \
// expected-note{{Taking true branch}} // expected-note{{Taking true branch}}
return 1 / y; // expected-warning{{Division by zero}} \ return 1 / y; // expected-warning{{Division by zero}} \
// expected-note{{Division by zero}} // expected-note{{Division by zero}}
return 0; return 0;
} }
// Check the RangeConstraint assumption notes. // Check the RangeConstraint assumption notes.
int __single_val_0(int); // [0, 0] int __single_val_0(int); // [0, 0]
int test_range_constraint_note(int x, int y) { int test_range_constraint_note(int x, int y) {
__single_val_0(x); // expected-note{{Assuming the 1st argument is within the range [0, 0]}} __single_val_0(x); // expected-note{{Assuming the 1st argument to '__single_val_0' is zero}}
return y / x; // expected-warning{{Division by zero}} \ return y / x; // expected-warning{{Division by zero}} \
// expected-note{{Division by zero}} // expected-note{{Division by zero}}
} }
// Check the BufferSizeConstraint assumption notes. // Check the BufferSizeConstraint assumption notes.
int __buf_size_arg_constraint_concrete(const void *buf); // size of buf must be >= 10 int __buf_size_arg_constraint_concrete(const void *buf); // size of buf must be >= 10
void test_buffer_size_note(char *buf, int y) { void test_buffer_size_note(char *buf, int y) {
__buf_size_arg_constraint_concrete(buf); // expected-note {{Assuming the size of the 1st argument is equal to or greater than the value of 10}} __buf_size_arg_constraint_concrete(buf); // expected-note {{Assuming the size of the 1st argument to '__buf_size_arg_constraint_concrete' is equal to or greater than 10}}
clang_analyzer_eval(clang_analyzer_getExtent(buf) >= 10); // expected-warning{{TRUE}} \ clang_analyzer_eval(clang_analyzer_getExtent(buf) >= 10); // expected-warning{{TRUE}} \
// expected-note{{TRUE}} // expected-note{{TRUE}}
// clang_analyzer_express marks the argument as interesting. // clang_analyzer_express marks the argument as interesting.
clang_analyzer_express(buf); // expected-warning {{}} // the message does not really matter \ clang_analyzer_express(buf); // expected-warning {{}} // the message does not really matter \
// expected-note {{}} // expected-note {{}}
} }
Show All 14 Lines

clang/test/Analysis/std-c-library-functions-arg-constraints-notes.cpp

Show All 9 Lines
// RUN: -verify // RUN: -verify
// In this test we verify that each argument constraints are described properly. // In this test we verify that each argument constraints are described properly.
// Check NotNullConstraint violation notes. // Check NotNullConstraint violation notes.
int __not_null(int *); int __not_null(int *);
void test_not_null(int *x) { void test_not_null(int *x) {
__not_null(nullptr); // \ __not_null(nullptr); // \
// expected-note{{The 1st argument should not be NULL}} \ // expected-warning{{The 1st argument to '__not_null' should not be NULL}}
// expected-warning{{}}
} }
// Check the BufferSizeConstraint violation notes. // Check the BufferSizeConstraint violation notes.
using size_t = decltype(sizeof(int)); using size_t = decltype(sizeof(int));
int __buf_size_arg_constraint_concrete(const void *); // size <= 10 int __buf_size_arg_constraint_concrete(const void *); // size <= 10
int __buf_size_arg_constraint(const void *, size_t); // size <= Arg1 int __buf_size_arg_constraint(const void *, size_t); // size <= Arg1
int __buf_size_arg_constraint_mul(const void *, size_t, size_t); // size <= Arg1 * Arg2 int __buf_size_arg_constraint_mul(const void *, size_t, size_t); // size <= Arg1 * Arg2
void test_buffer_size(int x) { void test_buffer_size(int x) {
switch (x) { switch (x) {
case 1: { case 1: {
char buf[9]; char buf[9];
__buf_size_arg_constraint_concrete(buf); // \ __buf_size_arg_constraint_concrete(buf); // \
// expected-note{{The size of the 1st argument should be equal to or greater than the value of 10}} \ // expected-warning{{The size of the 1st argument to '__buf_size_arg_constraint_concrete' should be equal to or greater than 10}}
// expected-warning{{}}
break; break;
} }
case 2: { case 2: {
char buf[3]; char buf[3];
__buf_size_arg_constraint(buf, 4); // \ __buf_size_arg_constraint(buf, 4); // \
// expected-note{{The size of the 1st argument should be equal to or greater than the value of the 2nd arg}} \ // expected-warning{{The size of the 1st argument to '__buf_size_arg_constraint' should be equal to or greater than the value of the 2nd argument}}
// expected-warning{{}}
break; break;
} }
case 3: { case 3: {
char buf[3]; char buf[3];
__buf_size_arg_constraint_mul(buf, 4, 2); // \ __buf_size_arg_constraint_mul(buf, 4, 2); // \
// expected-note{{The size of the 1st argument should be equal to or greater than the value of the 2nd argument times the 3rd argument}} \ // expected-warning{{The size of the 1st argument to '__buf_size_arg_constraint_mul' should be equal to or greater than the value of the 2nd argument times the 3rd argument}}
// expected-warning{{}}
break; break;
} }
} }
} }
// Check the RangeConstraint violation notes. // Check the RangeConstraint violation notes.
int __single_val_0(int); // [0, 0]
int __single_val_1(int); // [1, 1] int __single_val_1(int); // [1, 1]
int __range_1_2(int); // [1, 2] int __range_1_2(int); // [1, 2]
int __range_1_2__4_5(int); // [1, 2], [4, 5] int __range_m1_1(int); // [-1, 1]
void test_range(int x) { int __range_m2_m1(int); // [-2, -1]
__single_val_1(2); // \ int __range_m10_10(int); // [-10, 10]
// expected-note{{The 1st argument should be within the range [1, 1]}} \ int __range_m1_inf(int); // [-1, inf]
// expected-warning{{}} int __range_0_inf(int); // [0, inf]
} int __range_1_inf(int); // [1, inf]
// Do more specific check against the range strings. int __range_minf_m1(int); // [-inf, -1]
int __range_minf_0(int); // [-inf, 0]
int __range_minf_1(int); // [-inf, 1]
int __range_1_2__4_6(int); // [1, 2], [4, 6]
int __range_1_2__4_inf(int); // [1, 2], [4, inf]
int __single_val_out_0(int); // [0, 0]
int __single_val_out_1(int); // [1, 1]
int __range_out_1_2(int); // [1, 2]
int __range_out_m1_1(int); // [-1, 1]
int __range_out_m2_m1(int); // [-2, -1]
int __range_out_m10_10(int); // [-10, 10]
int __range_out_m1_inf(int); // [-1, inf]
int __range_out_0_inf(int); // [0, inf]
int __range_out_1_inf(int); // [1, inf]
int __range_out_minf_m1(int); // [-inf, -1]
int __range_out_minf_0(int); // [-inf, 0]
int __range_out_minf_1(int); // [-inf, 1]
int __range_out_1_2__4_6(int); // [1, 2], [4, 6]
int __range_out_1_2__4_inf(int); // [1, 2], [4, inf]
SzelethusUnsubmitted
Done
ReplyInline Actions

Please clang-format the changes in this test file.

Szelethus: Please clang-format the changes in this test file.
void test_range_values(int x) { void test_range_values(int x) {
switch (x) { switch (x) {
case 0:
__single_val_0(1); // expected-warning{{should be zero}}
break;
case 1: case 1:
__single_val_1(2); // expected-note{{[1, 1]}} \ __single_val_1(2); // expected-warning{{should be 1}}
// expected-warning{{}}
break; break;
case 2: case 2:
__range_1_2(3); // expected-note{{[1, 2]}} \ __range_1_2(3); // expected-warning{{should be 1 or 2}}
// expected-warning{{}}
break; break;
case 3: case 3:
__range_1_2__4_5(3); // expected-note{{[[1, 2], [4, 5]]}} \ __range_m1_1(3); // expected-warning{{should be between -1 and 1}}
// expected-warning{{}} break;
case 4:
__range_m2_m1(1); // expected-warning{{should be -2 or -1}}
break;
case 5:
__range_m10_10(11); // expected-warning{{should be between -10 and 10}}
break;
case 6:
__range_m10_10(-11); // expected-warning{{should be between -10 and 10}}
break;
case 7:
__range_1_2__4_6(3); // expected-warning{{should be 1 or 2 or 4, 5 or 6}}
break;
case 8:
__range_1_2__4_inf(3); // expected-warning{{should be 1 or 2 or >= 4}}
break; break;
} }
} }
// Do more specific check against the range kinds.
int __within(int); // [1, 1] void test_range_values_inf(int x) {
int __out_of(int); // [1, 1]
void test_range_kind(int x) {
switch (x) { switch (x) {
case 1: case 1:
__within(2); // expected-note{{within}} \ __range_m1_inf(-2); // expected-warning{{should be >= -1}}
// expected-warning{{}}
break; break;
case 2: case 2:
__out_of(1); // expected-note{{out of}} \ __range_0_inf(-1); // expected-warning{{should be >= 0}}
// expected-warning{{}} break;
case 3:
__range_1_inf(0); // expected-warning{{should be > 0}}
break;
case 4:
__range_minf_m1(0); // expected-warning{{should be < 0}}
break;
case 5:
__range_minf_0(1); // expected-warning{{should be <= 0}}
break;
case 6:
__range_minf_1(2); // expected-warning{{should be <= 1}}
break; break;
} }
} }
void test_range_values_out(int x) {
switch (x) {
case 0:
__single_val_out_0(0); // expected-warning{{should be nonzero}}
break;
case 1:
__single_val_out_1(1); // expected-warning{{should be not equal to 1}}
break;
case 2:
__range_out_1_2(2); // expected-warning{{should be not 1 and not 2}}
break;
case 3:
__range_out_m1_1(-1); // expected-warning{{should be not between -1 and 1}}
break;
case 4:
__range_out_m2_m1(-2); // expected-warning{{should be not -2 and not -1}}
break;
case 5:
__range_out_m10_10(0); // expected-warning{{should be not between -10 and 10}}
break;
case 6:
__range_out_1_2__4_6(1); // expected-warning{{should be not 1 and not 2 and not between 4 and 6}}
break;
case 7:
__range_out_1_2__4_inf(4); // expected-warning{{should be not 1 and not 2 and < 4}}
break;
}
}
void test_range_values_out_inf(int x) {
switch (x) {
case 1:
__range_out_minf_m1(-1); // expected-warning{{should be >= 0}}
break;
case 2:
__range_out_minf_0(0); // expected-warning{{should be > 0}}
break;
case 3:
__range_out_minf_1(1); // expected-warning{{should be > 1}}
break;
case 4:
__range_out_m1_inf(-1); // expected-warning{{should be < -1}}
break;
case 5:
__range_out_0_inf(0); // expected-warning{{should be < 0}}
break;
case 6:
__range_out_1_inf(1); // expected-warning{{should be <= 0}}
break;
}
}

clang/test/Analysis/std-c-library-functions-arg-constraints-tracking-notes.c

Show All 10 Lines
typedef typeof(sizeof(int)) size_t; typedef typeof(sizeof(int)) size_t;
int __buf_size_arg_constraint(const void *, size_t); int __buf_size_arg_constraint(const void *, size_t);
void test_buf_size_concrete(void) { void test_buf_size_concrete(void) {
char buf[3]; // bugpath-note{{'buf' initialized here}} char buf[3]; // bugpath-note{{'buf' initialized here}}
int s = 4; // bugpath-note{{'s' initialized to 4}} int s = 4; // bugpath-note{{'s' initialized to 4}}
__buf_size_arg_constraint(buf, s); // \ __buf_size_arg_constraint(buf, s); // \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-warning{{The size of the 1st argument to '__buf_size_arg_constraint' should be equal to or greater than the value of the 2nd argument}} \
// bugpath-note{{}} \ // bugpath-note{{The size of the 1st argument to '__buf_size_arg_constraint' should be equal to or greater than the value of the 2nd argument}}
// bugpath-note{{Function argument constraint is not satisfied}}
} }
int __buf_size_arg_constraint_mul(const void *, size_t, size_t); int __buf_size_arg_constraint_mul(const void *, size_t, size_t);
void test_buf_size_concrete_with_multiplication(void) { void test_buf_size_concrete_with_multiplication(void) {
short buf[3]; // bugpath-note{{'buf' initialized here}} short buf[3]; // bugpath-note{{'buf' initialized here}}
int s1 = 4; // bugpath-note{{'s1' initialized to 4}} int s1 = 4; // bugpath-note{{'s1' initialized to 4}}
int s2 = sizeof(short); // bugpath-note{{'s2' initialized to}} int s2 = sizeof(short); // bugpath-note{{'s2' initialized to}}
__buf_size_arg_constraint_mul(buf, s1, s2); // \ __buf_size_arg_constraint_mul(buf, s1, s2); // \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-warning{{The size of the 1st argument to '__buf_size_arg_constraint_mul' should be equal to or greater than the value of the 2nd argument times the 3rd argument}} \
// bugpath-note{{}} \ // bugpath-note{{The size of the 1st argument to '__buf_size_arg_constraint_mul' should be equal to or greater than the value of the 2nd argument times the 3rd argument}}
// bugpath-note{{Function argument constraint is not satisfied}}
} }

clang/test/Analysis/std-c-library-functions-arg-constraints.c

Show All 24 Lines
int glob; int glob;
#define EOF -1 #define EOF -1
int isalnum(int); int isalnum(int);
void test_alnum_concrete(int v) { void test_alnum_concrete(int v) {
int ret = isalnum(256); // \ int ret = isalnum(256); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 1st argument to 'isalnum' should be an unsigned char value or EOF}} \
// report-note{{}} \ // bugpath-warning{{The 1st argument to 'isalnum' should be an unsigned char value or EOF}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 1st argument to 'isalnum' should be an unsigned char value or EOF}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
(void)ret; (void)ret;
} }
void test_alnum_symbolic(int x) { void test_alnum_symbolic(int x) {
int ret = isalnum(x); // \ int ret = isalnum(x); // \
// bugpath-note{{Assuming the character is non-alphanumeric}} // bugpath-note{{Assuming the character is non-alphanumeric}}
(void)ret; (void)ret;
clang_analyzer_eval(EOF <= x && x <= 255); // \ clang_analyzer_eval(EOF <= x && x <= 255); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{Left side of '&&' is true}} \ // bugpath-note{{Left side of '&&' is true}} \
// bugpath-note{{'x' is <= 255}} // bugpath-note{{'x' is <= 255}}
} }
void test_alnum_symbolic2(int x) { void test_alnum_symbolic2(int x) {
if (x > 255) { // \ if (x > 255) { // \
// bugpath-note{{Assuming 'x' is > 255}} \ // bugpath-note{{Assuming 'x' is > 255}} \
// bugpath-note{{Taking true branch}} // bugpath-note{{Taking true branch}}
int ret = isalnum(x); // \ int ret = isalnum(x); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 1st argument to 'isalnum' should be an unsigned char value or EOF}} \
// report-note{{}} \ // bugpath-warning{{The 1st argument to 'isalnum' should be an unsigned char value or EOF}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 1st argument to 'isalnum' should be an unsigned char value or EOF}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
(void)ret; (void)ret;
} }
} }
int toupper(int); int toupper(int);
void test_toupper_concrete(int v) { void test_toupper_concrete(int v) {
int ret = toupper(256); // \ int ret = toupper(256); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 1st argument to 'toupper' should be an unsigned char value or EOF}} \
// report-note{{}} \ // bugpath-warning{{The 1st argument to 'toupper' should be an unsigned char value or EOF}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 1st argument to 'toupper' should be an unsigned char value or EOF}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
(void)ret; (void)ret;
} }
void test_toupper_symbolic(int x) { void test_toupper_symbolic(int x) {
int ret = toupper(x); int ret = toupper(x);
(void)ret; (void)ret;
clang_analyzer_eval(EOF <= x && x <= 255); // \ clang_analyzer_eval(EOF <= x && x <= 255); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{Left side of '&&' is true}} \ // bugpath-note{{Left side of '&&' is true}} \
// bugpath-note{{'x' is <= 255}} // bugpath-note{{'x' is <= 255}}
} }
void test_toupper_symbolic2(int x) { void test_toupper_symbolic2(int x) {
if (x > 255) { // \ if (x > 255) { // \
// bugpath-note{{Assuming 'x' is > 255}} \ // bugpath-note{{Assuming 'x' is > 255}} \
// bugpath-note{{Taking true branch}} // bugpath-note{{Taking true branch}}
int ret = toupper(x); // \ int ret = toupper(x); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 1st argument to 'toupper' should be an unsigned char value or EOF}} \
// report-note{{}} \ // bugpath-warning{{The 1st argument to 'toupper' should be an unsigned char value or EOF}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 1st argument to 'toupper' should be an unsigned char value or EOF}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
(void)ret; (void)ret;
} }
} }
int tolower(int); int tolower(int);
void test_tolower_concrete(int v) { void test_tolower_concrete(int v) {
int ret = tolower(256); // \ int ret = tolower(256); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 1st argument to 'tolower' should be an unsigned char value or EOF}} \
// report-note{{}} \ // bugpath-warning{{The 1st argument to 'tolower' should be an unsigned char value or EOF}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 1st argument to 'tolower' should be an unsigned char value or EOF}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
(void)ret; (void)ret;
} }
void test_tolower_symbolic(int x) { void test_tolower_symbolic(int x) {
int ret = tolower(x); int ret = tolower(x);
(void)ret; (void)ret;
clang_analyzer_eval(EOF <= x && x <= 255); // \ clang_analyzer_eval(EOF <= x && x <= 255); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{Left side of '&&' is true}} \ // bugpath-note{{Left side of '&&' is true}} \
// bugpath-note{{'x' is <= 255}} // bugpath-note{{'x' is <= 255}}
} }
void test_tolower_symbolic2(int x) { void test_tolower_symbolic2(int x) {
if (x > 255) { // \ if (x > 255) { // \
// bugpath-note{{Assuming 'x' is > 255}} \ // bugpath-note{{Assuming 'x' is > 255}} \
// bugpath-note{{Taking true branch}} // bugpath-note{{Taking true branch}}
int ret = tolower(x); // \ int ret = tolower(x); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 1st argument to 'tolower' should be an unsigned char value or EOF}} \
// report-note{{}} \ // bugpath-warning{{The 1st argument to 'tolower' should be an unsigned char value or EOF}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 1st argument to 'tolower' should be an unsigned char value or EOF}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
(void)ret; (void)ret;
} }
} }
int toascii(int); int toascii(int);
void test_toascii_concrete(int v) { void test_toascii_concrete(int v) {
int ret = toascii(256); // \ int ret = toascii(256); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 1st argument to 'toascii' should be an unsigned char value or EOF}} \
// report-note{{}} \ // bugpath-warning{{The 1st argument to 'toascii' should be an unsigned char value or EOF}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 1st argument to 'toascii' should be an unsigned char value or EOF}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
(void)ret; (void)ret;
} }
void test_toascii_symbolic(int x) { void test_toascii_symbolic(int x) {
int ret = toascii(x); int ret = toascii(x);
(void)ret; (void)ret;
clang_analyzer_eval(EOF <= x && x <= 255); // \ clang_analyzer_eval(EOF <= x && x <= 255); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{Left side of '&&' is true}} \ // bugpath-note{{Left side of '&&' is true}} \
// bugpath-note{{'x' is <= 255}} // bugpath-note{{'x' is <= 255}}
} }
void test_toascii_symbolic2(int x) { void test_toascii_symbolic2(int x) {
if (x > 255) { // \ if (x > 255) { // \
// bugpath-note{{Assuming 'x' is > 255}} \ // bugpath-note{{Assuming 'x' is > 255}} \
// bugpath-note{{Taking true branch}} // bugpath-note{{Taking true branch}}
int ret = toascii(x); // \ int ret = toascii(x); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 1st argument to 'toascii' should be an unsigned char value or EOF}} \
// report-note{{}} \ // bugpath-warning{{The 1st argument to 'toascii' should be an unsigned char value or EOF}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 1st argument to 'toascii' should be an unsigned char value or EOF}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
(void)ret; (void)ret;
} }
} }
typedef struct FILE FILE; typedef struct FILE FILE;
typedef typeof(sizeof(int)) size_t; typedef typeof(sizeof(int)) size_t;
size_t fread(void *restrict, size_t, size_t, FILE *restrict); size_t fread(void *restrict, size_t, size_t, FILE *restrict);
void test_notnull_concrete(FILE *fp) { void test_notnull_concrete(FILE *fp) {
fread(0, sizeof(int), 10, fp); // \ fread(0, sizeof(int), 10, fp); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 1st argument to 'fread' should not be NULL}} \
// report-note{{}} \ // bugpath-warning{{The 1st argument to 'fread' should not be NULL}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 1st argument to 'fread' should not be NULL}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
} }
void test_notnull_symbolic(FILE *fp, int *buf) { void test_notnull_symbolic(FILE *fp, int *buf) {
fread(buf, sizeof(int), 10, fp); fread(buf, sizeof(int), 10, fp);
clang_analyzer_eval(buf != 0); // \ clang_analyzer_eval(buf != 0); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{'buf' is not equal to null}} // bugpath-note{{'buf' is not equal to null}}
} }
void test_notnull_symbolic2(FILE *fp, int *buf) { void test_notnull_symbolic2(FILE *fp, int *buf) {
if (!buf) // bugpath-note{{Assuming 'buf' is null}} \ if (!buf) // bugpath-note{{Assuming 'buf' is null}} \
// bugpath-note{{Taking true branch}} // bugpath-note{{Taking true branch}}
fread(buf, sizeof(int), 10, fp); // \ fread(buf, sizeof(int), 10, fp); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 1st argument to 'fread' should not be NULL}} \
// report-note{{}} \ // bugpath-warning{{The 1st argument to 'fread' should not be NULL}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 1st argument to 'fread' should not be NULL}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
} }
void test_no_node_after_bug(FILE *fp, size_t size, size_t n, void *buf) { void test_no_node_after_bug(FILE *fp, size_t size, size_t n, void *buf) {
if (fp) // \ if (fp) // \
// bugpath-note{{Assuming 'fp' is null}} \ // bugpath-note{{Assuming 'fp' is null}} \
// bugpath-note{{Taking false branch}} // bugpath-note{{Taking false branch}}
return; return;
size_t ret = fread(buf, size, n, fp); // \ size_t ret = fread(buf, size, n, fp); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 4th argument to 'fread' should not be NULL}} \
// report-note{{}} \ // bugpath-warning{{The 4th argument to 'fread' should not be NULL}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 4th argument to 'fread' should not be NULL}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
clang_analyzer_warnIfReached(); // not reachable clang_analyzer_warnIfReached(); // not reachable
} }
typedef __WCHAR_TYPE__ wchar_t; typedef __WCHAR_TYPE__ wchar_t;
// This is one test case for the ARR38-C SEI-CERT rule. // This is one test case for the ARR38-C SEI-CERT rule.
void ARR38_C_F(FILE *file) { void ARR38_C_F(FILE *file) {
enum { BUFFER_SIZE = 1024 }; enum { BUFFER_SIZE = 1024 };
wchar_t wbuf[BUFFER_SIZE]; // bugpath-note{{'wbuf' initialized here}} wchar_t wbuf[BUFFER_SIZE]; // bugpath-note{{'wbuf' initialized here}}
const size_t size = sizeof(*wbuf); // bugpath-note{{'size' initialized to}} const size_t size = sizeof(*wbuf); // bugpath-note{{'size' initialized to}}
const size_t nitems = sizeof(wbuf); // bugpath-note{{'nitems' initialized to}} const size_t nitems = sizeof(wbuf); // bugpath-note{{'nitems' initialized to}}
// The 3rd parameter should be the number of elements to read, not // The 3rd parameter should be the number of elements to read, not
// the size in bytes. // the size in bytes.
fread(wbuf, size, nitems, file); // \ fread(wbuf, size, nitems, file); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The size of the 1st argument to 'fread' should be equal to or greater than the value of the 2nd argument times the 3rd argument}} \
// report-note{{}} \ // bugpath-warning{{The size of the 1st argument to 'fread' should be equal to or greater than the value of the 2nd argument times the 3rd argument}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The size of the 1st argument to 'fread' should be equal to or greater than the value of the 2nd argument times the 3rd argument}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
} }
int __two_constrained_args(int, int); int __two_constrained_args(int, int);
void test_constraints_on_multiple_args(int x, int y) { void test_constraints_on_multiple_args(int x, int y) {
// State split should not happen here. I.e. x == 1 should not be evaluated // State split should not happen here. I.e. x == 1 should not be evaluated
// FALSE. // FALSE.
__two_constrained_args(x, y); __two_constrained_args(x, y);
//NOTE! Because of the second `clang_analyzer_eval` call we have two bug //NOTE! Because of the second `clang_analyzer_eval` call we have two bug
Show All 16 Linesvoid test_multiple_constraints_on_same_arg(int x) {
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{Assuming 'x' is < 1}} \ // bugpath-note{{Assuming 'x' is < 1}} \
// bugpath-note{{Left side of '||' is true}} // bugpath-note{{Left side of '||' is true}}
} }
int __variadic(void *stream, const char *format, ...); int __variadic(void *stream, const char *format, ...);
void test_arg_constraint_on_variadic_fun(void) { void test_arg_constraint_on_variadic_fun(void) {
__variadic(0, "%d%d", 1, 2); // \ __variadic(0, "%d%d", 1, 2); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The 1st argument to '__variadic' should not be NULL}} \
// report-note{{}} \ // bugpath-warning{{The 1st argument to '__variadic' should not be NULL}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The 1st argument to '__variadic' should not be NULL}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
} }
int __buf_size_arg_constraint(const void *, size_t); int __buf_size_arg_constraint(const void *, size_t);
void test_buf_size_concrete(void) { void test_buf_size_concrete(void) {
char buf[3]; // bugpath-note{{'buf' initialized here}} char buf[3]; // bugpath-note{{'buf' initialized here}}
__buf_size_arg_constraint(buf, 4); // \ __buf_size_arg_constraint(buf, 4); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The size of the 1st argument to '__buf_size_arg_constraint' should be equal to or greater than the value of the 2nd argument}} \
// report-note{{}} \ // bugpath-warning{{The size of the 1st argument to '__buf_size_arg_constraint' should be equal to or greater than the value of the 2nd argument}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The size of the 1st argument to '__buf_size_arg_constraint' should be equal to or greater than the value of the 2nd argument}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
} }
void test_buf_size_symbolic(int s) { void test_buf_size_symbolic(int s) {
char buf[3]; char buf[3];
__buf_size_arg_constraint(buf, s); __buf_size_arg_constraint(buf, s);
clang_analyzer_eval(s <= 3); // \ clang_analyzer_eval(s <= 3); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{'s' is <= 3}} // bugpath-note{{'s' is <= 3}}
} }
void test_buf_size_symbolic_and_offset(int s) { void test_buf_size_symbolic_and_offset(int s) {
char buf[3]; char buf[3];
__buf_size_arg_constraint(buf + 1, s); __buf_size_arg_constraint(buf + 1, s);
clang_analyzer_eval(s <= 2); // \ clang_analyzer_eval(s <= 2); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{'s' is <= 2}} // bugpath-note{{'s' is <= 2}}
} }
int __buf_size_arg_constraint_mul(const void *, size_t, size_t); int __buf_size_arg_constraint_mul(const void *, size_t, size_t);
void test_buf_size_concrete_with_multiplication(void) { void test_buf_size_concrete_with_multiplication(void) {
short buf[3]; // bugpath-note{{'buf' initialized here}} short buf[3]; // bugpath-note{{'buf' initialized here}}
__buf_size_arg_constraint_mul(buf, 4, sizeof(short)); // \ __buf_size_arg_constraint_mul(buf, 4, sizeof(short)); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The size of the 1st argument to '__buf_size_arg_constraint_mul' should be equal to or greater than the value of the 2nd argument times the 3rd argument}} \
// report-note{{}} \ // bugpath-warning{{The size of the 1st argument to '__buf_size_arg_constraint_mul' should be equal to or greater than the value of the 2nd argument times the 3rd argument}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The size of the 1st argument to '__buf_size_arg_constraint_mul' should be equal to or greater than the value of the 2nd argument times the 3rd argument}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
} }
void test_buf_size_symbolic_with_multiplication(size_t s) { void test_buf_size_symbolic_with_multiplication(size_t s) {
short buf[3]; short buf[3];
__buf_size_arg_constraint_mul(buf, s, sizeof(short)); __buf_size_arg_constraint_mul(buf, s, sizeof(short));
clang_analyzer_eval(s * sizeof(short) <= 6); // \ clang_analyzer_eval(s * sizeof(short) <= 6); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} // bugpath-note{{TRUE}}
} }
void test_buf_size_symbolic_and_offset_with_multiplication(size_t s) { void test_buf_size_symbolic_and_offset_with_multiplication(size_t s) {
short buf[3]; short buf[3];
__buf_size_arg_constraint_mul(buf + 1, s, sizeof(short)); __buf_size_arg_constraint_mul(buf + 1, s, sizeof(short));
clang_analyzer_eval(s * sizeof(short) <= 4); // \ clang_analyzer_eval(s * sizeof(short) <= 4); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} // bugpath-note{{TRUE}}
} }
// The minimum buffer size for this function is set to 10. // The minimum buffer size for this function is set to 10.
int __buf_size_arg_constraint_concrete(const void *); int __buf_size_arg_constraint_concrete(const void *);
void test_min_buf_size(void) { void test_min_buf_size(void) {
char buf[9];// bugpath-note{{'buf' initialized here}} char buf[9];// bugpath-note{{'buf' initialized here}}
__buf_size_arg_constraint_concrete(buf); // \ __buf_size_arg_constraint_concrete(buf); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{The size of the 1st argument to '__buf_size_arg_constraint_concrete' should be equal to or greater than 10}} \
// report-note{{}} \ // bugpath-warning{{The size of the 1st argument to '__buf_size_arg_constraint_concrete' should be equal to or greater than 10}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-note{{The size of the 1st argument to '__buf_size_arg_constraint_concrete' should be equal to or greater than 10}}
// bugpath-note{{}} \
// bugpath-note{{Function argument constraint is not satisfied}}
} }

clang/test/Analysis/std-c-library-functions-arg-constraints.cpp

// RUN: %clang_analyze_cc1 %s \ // RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \ // RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \
// RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctionArgs \ // RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctionArgs \
// RUN: -analyzer-checker=debug.StdCLibraryFunctionsTester \ // RUN: -analyzer-checker=debug.StdCLibraryFunctionsTester \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false \ // RUN: -analyzer-config eagerly-assume=false \
// RUN: -triple i686-unknown-linux \ // RUN: -triple i686-unknown-linux \
// RUN: -verify // RUN: -verify
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
int __defaultparam(void *, int y = 3); int __defaultparam(void *, int y = 3);
void test_arg_constraint_on_fun_with_default_param() { void test_arg_constraint_on_fun_with_default_param() {
__defaultparam(nullptr); // \ __defaultparam(nullptr); // \
// expected-warning{{Function argument constraint is not satisfied}} \ // expected-warning{{The 1st argument to '__defaultparam' should not be NULL}}
// expected-note{{}}
} }

clang/test/Analysis/stream-note.c

Show First 20 LinesShow All 82 Lines▼ Show 20 Lines
void check_track_null(void) { void check_track_null(void) {
FILE *F; FILE *F;
F = fopen("foo1.c", "r"); // stdargs-note {{Value assigned to 'F'}} stdargs-note {{Assuming pointer value is null}} F = fopen("foo1.c", "r"); // stdargs-note {{Value assigned to 'F'}} stdargs-note {{Assuming pointer value is null}}
if (F != NULL) { // stdargs-note {{Taking false branch}} stdargs-note {{'F' is equal to NULL}} if (F != NULL) { // stdargs-note {{Taking false branch}} stdargs-note {{'F' is equal to NULL}}
fclose(F); fclose(F);
return; return;
} }
fclose(F); // stdargs-warning {{Function argument constraint is not satisfied}} fclose(F); // stdargs-warning {{The 1st argument to 'fclose' should not be NULL}}
// stdargs-note@-1 {{Function argument constraint is not satisfied}} // stdargs-note@-1 {{The 1st argument to 'fclose' should not be NULL}}
// stdargs-note@-2 {{The 1st argument should not be NULL}}
} }
void check_eof_notes_feof_after_feof(void) { void check_eof_notes_feof_after_feof(void) {
FILE *F; FILE *F;
char Buf[10]; char Buf[10];
F = fopen("foo1.c", "r"); F = fopen("foo1.c", "r");
if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}} if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}}
return; return;
▲ Show 20 LinesShow All 50 LinesShow Last 20 Lines

clang/test/Analysis/stream-stdlibraryfunctionargs.c

Show All 12 Lines
void *buf; void *buf;
size_t size; size_t size;
size_t n; size_t n;
void test_fopen(void) { void test_fopen(void) {
FILE *fp = fopen("path", "r"); FILE *fp = fopen("path", "r");
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} any-warning{{FALSE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} any-warning{{FALSE}}
fclose(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ fclose(fp); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
} }
void test_tmpfile(void) { void test_tmpfile(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} any-warning{{FALSE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} any-warning{{FALSE}}
fclose(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ fclose(fp); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
} }
void test_fclose(void) { void test_fclose(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
fclose(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ fclose(fp); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
} }
void test_freopen(void) { void test_freopen(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
fp = freopen("file", "w", fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ fp = freopen("file", "w", fp); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 3rd argument should not be NULL}} fclose(fp); // stdargs-warning{{should not be NULL}}
fclose(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
} }
void test_fread(void) { void test_fread(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
size_t ret = fread(buf, size, n, fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ size_t ret = fread(buf, size, n, fp); // stdargs-warning{{The 4th argument to 'fread' should not be NULL}}
// stdargs-note{{The 4th argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
clang_analyzer_eval(ret <= n); // any-warning{{TRUE}} clang_analyzer_eval(ret <= n); // any-warning{{TRUE}}
clang_analyzer_eval(ret == n); // any-warning{{TRUE}} any-warning{{FALSE}} clang_analyzer_eval(ret == n); // any-warning{{TRUE}} any-warning{{FALSE}}
fclose(fp); fclose(fp);
} }
void test_fwrite(void) { void test_fwrite(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
size_t ret = fwrite(buf, size, n, fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ size_t ret = fwrite(buf, size, n, fp); // stdargs-warning{{The 4th argument to 'fwrite' should not be NULL}}
// stdargs-note{{The 4th argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
clang_analyzer_eval(ret <= n); // any-warning{{TRUE}} clang_analyzer_eval(ret <= n); // any-warning{{TRUE}}
clang_analyzer_eval(ret == n); // any-warning{{TRUE}} any-warning{{FALSE}} clang_analyzer_eval(ret == n); // any-warning{{TRUE}} any-warning{{FALSE}}
fclose(fp); fclose(fp);
} }
void test_fseek(void) { void test_fseek(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
fseek(fp, 0, 0); // stdargs-warning{{Function argument constraint is not satisfied}} \ fseek(fp, 0, 0); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp); fclose(fp);
} }
void test_ftell(void) { void test_ftell(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
ftell(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ ftell(fp); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp); fclose(fp);
} }
void test_rewind(void) { void test_rewind(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
rewind(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ rewind(fp); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp); fclose(fp);
} }
void test_fgetpos(void) { void test_fgetpos(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
fpos_t pos; fpos_t pos;
fgetpos(fp, &pos); // stdargs-warning{{Function argument constraint is not satisfied}} \ fgetpos(fp, &pos); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp); fclose(fp);
} }
void test_fsetpos(void) { void test_fsetpos(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
fpos_t pos; fpos_t pos;
fsetpos(fp, &pos); // stdargs-warning{{Function argument constraint is not satisfied}} \ fsetpos(fp, &pos); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp); fclose(fp);
} }
void test_clearerr(void) { void test_clearerr(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
clearerr(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ clearerr(fp); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp); fclose(fp);
} }
void test_feof(void) { void test_feof(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
feof(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ feof(fp); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp); fclose(fp);
} }
void test_ferror(void) { void test_ferror(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
ferror(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ ferror(fp); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp); fclose(fp);
} }
void test_fileno(void) { void test_fileno(void) {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
fileno(fp); // stdargs-warning{{Function argument constraint is not satisfied}} \ fileno(fp); // stdargs-warning{{should not be NULL}}
// stdargs-note{{The 1st argument should not be NULL}}
clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}} clang_analyzer_eval(fp != NULL); // any-warning{{TRUE}}
fclose(fp); fclose(fp);
} }