This is an archive of the discontinued LLVM Phabricator instance.

Differential D153612

[clang][analyzer] Add and change NoteTags in StdLibraryFunctionsChecker.
ClosedPublic

Authored by balazske on Jun 23 2023, 12:28 AM.

Details

Reviewers
Szelethus
NoQ
donat.nagy
Commits
rG39670ae3b934: [clang][analyzer] Add and change NoteTags in StdLibraryFunctionsChecker.
Summary

Change 1: ErrnoChecker notes show only messages related to errno,
not to assumption of success or failure of functions.
Change 2: StdLibraryFunctionsChecker adds its own note about success
or failure of functions, and the errno related note, independently.
Change 3: Every modeled function in StdLibraryFunctionsChecker
should have a note tag message in all "cases". This is not implemented yet,
only for file (stream) related functions.

Diff Detail

Event Timeline

balazske created this revision.Jun 23 2023, 12:28 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJun 23 2023, 12:28 AM
Herald added a reviewer: NoQ. · View Herald Transcript
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: steakhal, manas, ASDenysPetrov and 10 others. · View Herald Transcript
balazske requested review of this revision.Jun 23 2023, 12:28 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 23 2023, 12:28 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B240707: Diff 533877.Jun 23 2023, 1:03 AM
balazske mentioned this in D152436: [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha..Jun 23 2023, 2:28 AM
balazske added inline comments.Jun 23 2023, 2:46 AM
clang/test/Analysis/errno-stdlibraryfunctions-notes.c
17–20

This is the type of note that looks not necessary and even confusing. It could be any case of failure or success, the failure is chosen. This does not matter for the end result but can be confusing for users (one may think that there is a connection to the found bug).

clang/test/Analysis/std-c-library-functions-path-notes.c
72

Here no note is shown. Probably because the summary of islower has cases without note, these notes should be added.

clang/test/Analysis/stream-errno-note.c
25

At this place a note 'Assuming that the call is successful' should be displayed. But this is not working because StreamChecker is enabled. StreamChecker makes a state split before StdCLibraryFunctionsChecker for tmpfile failure and success, then in StdCLibraryFunctionsChecker the successor count is 1 and the note is not added. Probably the logic can be improved by finding the first node that belongs to the CallEvent. Or count how many cases are applied before adding the note tags.

balazske updated this revision to Diff 534487.Jun 26 2023, 3:40 AM

Add note tag always if function is not evaluated as "pure".
Reformat the code.

Harbormaster completed remote builds in B241126: Diff 534487.Jun 26 2023, 4:12 AM
balazske added a child revision: D153776: [clang][analyzer] Display notes in StdLibraryFunctionsChecker only if interesting.Jun 26 2023, 8:13 AM
donat.nagy added a comment.Jun 26 2023, 8:55 AM

This is a good and useful commit; but I have some questions connected to the state transition handling code that you had to modify. (The State/ExplodedNode APIs of the engine are really counter-intuitive... :( )

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp
316–318

Consider using llvm:formatv() here and in other similar messages, it is much less verbose.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1299

Can you explain why is it safe to use const_cast here? (I don't see any concrete issue, but the engine has lots of invariants / unwritten rules and I fear that this might break one of them.)

donat.nagy added inline comments.Jun 26 2023, 9:00 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1309

It's surprising to see this check inside the lambda, as its result does not depend on BR. My best guess is that it's performed here because the successors of Node will appear between the execution of the surrounding code and the execution of this lambda.

However, CheckerContext.h line 69-70 claims that "checkers should not retain the node in their state since the nodes might get invalidated." which would imply that the captured Node might be invalid when the lambda is called.

balazske added inline comments.Jun 27 2023, 12:02 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1299

The node Pred should be modified only later when a successor is added (addTransition has non-const parameter).

1309

This check is to decide if multiple cases could be applied, the same as if we count how many times this place in the loop is executed (add a transition for a case, constraints could be applied). This check is problematic because other checkers can apply state splits before this checker is executed or after it, in this way StreamChecker interferes with this code (it has a state split for success/failure cases of same function, and here we see only that a single case is applied on one branch). This is why this check is only used in the EvalCallAsPure case (theoretically still another checker can make a state split in PostCall before this where the same constraint is applied, then the problem occurs again).

I made a solution that does not have this check but has 2 case loops instead, but the mentioned problem (which exists when if (Summary.getInvalidationKd() == EvalCallAsPure) is not used) did not go away. And it may not work to search backwards for the first node with the same statement, because maybe not the first one is where a state split is done.

I only think that if this lambda is called with the saved node, that node is not invalid because it is part of a bug report call sequence.

donat.nagy added inline comments.Jun 27 2023, 1:57 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1299

I understood that you need a non-const ExplodedNode * because addTransition expects it; I want to understand why you are allowed to const_cast it (why doesn't this confuse the engine logic).

Equivalent question from the other direction: Why did the author of CheckerContext::getPredecessor() specify that its return value is a const pointer to ExplodedNode?

If we can conclude that const_cast is valid in this kind of situation, then I'd also consider simply removing the "const" from the return type of getPredecessor.

1309

This check is problematic because [...details...]

Thanks for the explanation, now I see why this roundabout solution is needed.

I only think that if this lambda is called with the saved node, that node is not invalid because it is part of a bug report call sequence.

This is a good point, I think we can keep this "check successors in the lambda" solution. Please add a comment like "This check is performed inside the lambda, after other checkers had a chance to add other successors. Dereferencing the saved node object is valid because it's part of a bug report call sequence." to record the the reasoning that we discussed.

balazske updated this revision to Diff 534991.Jun 27 2023, 8:02 AM
balazske marked 5 inline comments as done.

Fixed review issues

balazske added inline comments.Jun 27 2023, 8:07 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1299

The const_cast is not needed at all if Pred and Node is made non-const, and getPredecessor has a non-const version. The Node is saved because we want to add transitions to it, it makes no sense to have it (a pointer to) const. (Probably the const comes from a time when the Node was used only for the lambda? In the lambda it could be const, if it matters.)

Harbormaster completed remote builds in B241491: Diff 534991.Jun 27 2023, 9:33 AM
donat.nagy added a comment.Jun 28 2023, 4:10 AM

The source code changes LGTM. I'll soon check the results on the open source projects and give a final approval based on that.

By the way, I think this commit and the "display notes only if interesting" follow-up change (D153776) should be merged at the same time (but I'd guess that you already planned to do it that way).

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1299

Sorry, it seems that I badly misread the source code of CheckerContext.h (I probably looked at the wrong line when I briefly jumped to the definition of getPredecessor). In fact, getPredecessor has only one version and it returns non-const ExplodedNode *.

This means that your code is (of course) completely valid.

donat.nagy requested changes to this revision.Jun 28 2023, 4:39 AM

As I started to review the code of the follow-up commit D153776, I noticed a dangling StringRef bug which belongs to this review.

Moreover, as a minor remark I'd note that LLVM has a dedicated class for storing string literal constants (btw I learned this from @Szelethus yesterday).

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1303

This variable will be captured and stored by the lambda functions, so it should own the memory area of the string.

In the current code this did not cause problems because this StringRef points to the memory area of a string literal (which stays valid); but if later changes introduced dynamically generated note tags, then this code would dump random memory garbage.

By the way, a very similar issue survived almost four years in CheckerContext.h, I'm fixing it in D153889.

1320

Also update this when you change the type of Note to std::string.

1688–1689

Consider using the StringLiteral subclass of StringRef which is designed for this kind of application (and determines the length of the string in compile time instead of calling strlen during a runtime const char * → StringRef conversion):
https://llvm.org/doxygen/classllvm_1_1StringLiteral.html
(After the suggested change, also update the code that uses these variables!)

This revision now requires changes to proceed.Jun 28 2023, 4:39 AM
balazske updated this revision to Diff 535655.Jun 29 2023, 12:26 AM
balazske marked 3 inline comments as done.

Fixed review issues.
Note tag is added for fread.
Notes contain now the function name.

balazske added a parent revision: D153889: [analyzer][NFC] Fix dangling StringRef in barely used code.Jun 29 2023, 1:24 AM
balazske mentioned this in D153889: [analyzer][NFC] Fix dangling StringRef in barely used code.Jun 29 2023, 1:28 AM
Harbormaster completed remote builds in B241991: Diff 535655.Jun 29 2023, 2:05 AM
donat.nagy added a comment.Jun 29 2023, 6:27 AM

Thanks for the update! I have two minor remarks (string handling is complicated in C++...) but the code looks good otherwise.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1304

Consider using the method StringRef::data() which directly converts a StringRef to a const char *. Your two-step conversion has the advantage that it adds a \0 terminator even if the StringRef isn't null-terminated, but I cannot imagine a "natural" code change that would introduce references to non-null-terminated char arrays as note message templates.

1320

The return type of this lambda is std::string, so I think it's pointless to convert std::string Note to a C string (which will be used to implicitly construct another std::string).

balazske updated this revision to Diff 535800.Jun 29 2023, 7:46 AM

Fixed review issues.

donat.nagy accepted this revision.Jun 29 2023, 8:09 AM

LGTM, but please wait until you can merge this together with D153776.

This revision is now accepted and ready to land.Jun 29 2023, 8:09 AM
donat.nagy mentioned this in D153776: [clang][analyzer] Display notes in StdLibraryFunctionsChecker only if interesting.Jun 29 2023, 8:14 AM
Szelethus added a comment.EditedJun 29 2023, 8:29 AM

This is the quintessential example of a patch where while the test files look promising, we need some evaluation on the real world. I understand that its a chore -- but this is simply the nature of the beast.

While I like how this looks like, I'd be more pleased if some real world data would back it up (I understand that we shared a link around internally, but that kind of defeats the purpose of an open source review).

Harbormaster completed remote builds in B242095: Diff 535800.Jun 29 2023, 8:56 AM
donat.nagy added a comment.Jun 30 2023, 8:46 AM

See results and their discussion on the review of the tightly connected follow-up commit D153776.

balazske updated this revision to Diff 537002.Jul 4 2023, 2:34 AM

rebase

Harbormaster completed remote builds in B242975: Diff 537002.Jul 4 2023, 4:15 AM
steakhal added a comment.Jul 10 2023, 9:34 AM

Please, let me have a look at this stack tomorrow or the day after prior landing it.

steakhal added inline comments.Jul 11 2023, 6:05 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1304

I would prefer not to rely on that StringRefs (here) are expected to be null-terminated, unless benchmarks demonstrate that this is important. If that would turn out to be the case, then we would need to enforce this using some sort of assert expression.

1336

Previously, we had a cast<>(Call.getDecl()), thus we should only have a dyn_cast here.

clang/test/Analysis/stream-note.c
61–62

Why are these notes doubled?

balazske marked 3 inline comments as done.Jul 12 2023, 1:39 AM
balazske added inline comments.
clang/test/Analysis/stream-note.c
61–62

There are 2 cases of resource leak reported (for F1 and F2) and a note tag is there for both of these.

steakhal added inline comments.Jul 12 2023, 7:10 AM
clang/test/Analysis/stream-note.c
61–62

I still think we should only have a single note there given that F2 is completely unrelated to the initialization of F1.
Do I miss something?

steakhal added inline comments.Jul 12 2023, 7:15 AM
clang/test/Analysis/stream-note.c
61–62

Oo, now I see. D153776 is supposed to fix limit the notes to be displayed only for the interesting values. nvm.

donat.nagy added a comment.Jul 13 2023, 1:44 AM

(Just added some side remarks about string handling annoyances.)

@balazske Please (1) handle the dyn_cast request of @steakhal and also (2) do something with this "how to convert StringRef to char *" question that we're bikeshedding. I hope that after those we could finally merge this commit sequence.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1304

I think the way of expressing this concrete conversion is a very low priority question (a.k.a. bikeshedding), so returning to the previously used two-step conversion is also fine for me.

The primary goal of this ".data()" shortcut was not performance, but clarity: those chained conversions triggered my "detect suspicious code" instincts and this was the best alternative that I could find. In general I feel that the LLVM codebase has way too many string types, and the back-and-forth conversions between them add lots of unnecessary noise to the code.

In this particular case I think it's the fault of llvm::formatv that it doesn't accept StringRef (the most commonly used non-owning string) and in general it's problematic design that there is no "good" conversion between StringRef and C-style strings in either direction.

balazske updated this revision to Diff 540015.Jul 13 2023, 7:13 AM
balazske marked 6 inline comments as done.

Changed format string back to str().c_str(),
changed dyn_cast_or_null.

Harbormaster completed remote builds in B245107: Diff 540015.Jul 13 2023, 9:15 AM
balazske added a comment.Jul 17 2023, 3:20 AM

No major problems were indicated with the patch stack, I plan to merge all of these soon. Small problems can be still corrected before or when the checker is put out from the alpha package.

steakhal added a comment.Jul 17 2023, 12:31 PM
In D153612#4505307, @balazske wrote:

No major problems were indicated with the patch stack, I plan to merge all of these soon. Small problems can be still corrected before or when the checker is put out from the alpha package.

Make sure features are consistent as clang-17 will branch off next Tuesday if you want these to be part of that release.
Also, consider fine-tuning the proposed release-notes for the features you developed. See D155445.

Closed by commit rG39670ae3b934: [clang][analyzer] Add and change NoteTags in StdLibraryFunctionsChecker. (authored by balazske). · Explain WhyJul 18 2023, 12:29 AM
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rG39670ae3b934: [clang][analyzer] Add and change NoteTags in StdLibraryFunctionsChecker..

Revision Contents

Diff 541353

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.h

Show First 20 LinesShow All 72 Lines▼ Show 20 Lines
/// Determine if a `Decl` node related to 'errno'. /// Determine if a `Decl` node related to 'errno'.
/// This is true if the declaration is the errno variable or a function /// This is true if the declaration is the errno variable or a function
/// that returns a pointer to the 'errno' value (usually the 'errno' macro is /// that returns a pointer to the 'errno' value (usually the 'errno' macro is
/// defined with this function). \p D is not required to be a canonical /// defined with this function). \p D is not required to be a canonical
/// declaration. /// declaration.
bool isErrno(const Decl *D); bool isErrno(const Decl *D);
/// Produce a textual description about how \c errno is allowed to be used
/// (in a \c ErrnoCheckState).
/// The returned string is insertable into a longer warning message in the form
/// "the value 'errno' <...>".
/// Currently only the \c errno_modeling::MustNotBeChecked state is supported,
/// others are not used by the clients.
const char *describeErrnoCheckState(ErrnoCheckState CS);
/// Create a NoteTag that displays the message if the 'errno' memory region is /// Create a NoteTag that displays the message if the 'errno' memory region is
/// marked as interesting, and resets the interestingness. /// marked as interesting, and resets the interestingness.
const NoteTag *getErrnoNoteTag(CheckerContext &C, const std::string &Message); const NoteTag *getErrnoNoteTag(CheckerContext &C, const std::string &Message);
/// Set errno state for the common case when a standard function is successful. /// Set errno state for the common case when a standard function is successful.
/// Set \c ErrnoCheckState to \c MustNotBeChecked (the \c errno value is not /// Set \c ErrnoCheckState to \c MustNotBeChecked (the \c errno value is not
/// affected). At the state transition a note tag created by /// affected). At the state transition a note tag created by
/// \c getNoteTagForStdSuccess can be used. /// \c getNoteTagForStdSuccess can be used.
Show All 36 Lines

clang/lib/StaticAnalyzer/Checkers/ErrnoModeling.cpp

Show All 22 Lines
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/Support/FormatVariadic.h"
#include <optional> #include <optional>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
// Name of the "errno" variable. // Name of the "errno" variable.
▲ Show 20 LinesShow All 225 Lines▼ Show 20 Lines if (const auto *VD = dyn_cast_or_null<VarDecl>(D))
if (const IdentifierInfo *II = VD->getIdentifier()) if (const IdentifierInfo *II = VD->getIdentifier())
return II->getName() == ErrnoVarName; return II->getName() == ErrnoVarName;
if (const auto *FD = dyn_cast_or_null<FunctionDecl>(D)) if (const auto *FD = dyn_cast_or_null<FunctionDecl>(D))
if (const IdentifierInfo *II = FD->getIdentifier()) if (const IdentifierInfo *II = FD->getIdentifier())
return llvm::is_contained(ErrnoLocationFuncNames, II->getName()); return llvm::is_contained(ErrnoLocationFuncNames, II->getName());
return false; return false;
} }
const char *describeErrnoCheckState(ErrnoCheckState CS) {
assert(CS == errno_modeling::MustNotBeChecked &&
"Errno description not applicable.");
return "may be undefined after the call and should not be used";
}
const NoteTag *getErrnoNoteTag(CheckerContext &C, const std::string &Message) { const NoteTag *getErrnoNoteTag(CheckerContext &C, const std::string &Message) {
return C.getNoteTag([Message](PathSensitiveBugReport &BR) -> std::string { return C.getNoteTag([Message](PathSensitiveBugReport &BR) -> std::string {
const MemRegion *ErrnoR = BR.getErrorNode()->getState()->get<ErrnoRegion>(); const MemRegion *ErrnoR = BR.getErrorNode()->getState()->get<ErrnoRegion>();
if (ErrnoR && BR.isInteresting(ErrnoR)) { if (ErrnoR && BR.isInteresting(ErrnoR)) {
BR.markNotInteresting(ErrnoR); BR.markNotInteresting(ErrnoR);
return Message; return Message;
} }
return ""; return "";
Show All 27 LinesProgramStateRef setErrnoStdMustBeChecked(ProgramStateRef State,
State = State->invalidateRegions(ErrnoR, InvalE, C.blockCount(), State = State->invalidateRegions(ErrnoR, InvalE, C.blockCount(),
C.getLocationContext(), false); C.getLocationContext(), false);
if (!State) if (!State)
return nullptr; return nullptr;
return setErrnoState(State, MustBeChecked); return setErrnoState(State, MustBeChecked);
} }
const NoteTag *getNoteTagForStdSuccess(CheckerContext &C, llvm::StringRef Fn) { const NoteTag *getNoteTagForStdSuccess(CheckerContext &C, llvm::StringRef Fn) {
return getErrnoNoteTag( return getErrnoNoteTag(
C, (Twine("Assuming that function '") + Twine(Fn) + C, llvm::formatv(
Twine("' is successful, in this case the value 'errno' ") + "'errno' may be undefined after successful call to '{0}'", Fn));
donat.nagyUnsubmitted
Done
ReplyInline Actions
return getErrnoNoteTag(
- C, (Twine("'errno'") +
- Twine(" may be undefined after successful call to '") + Twine(Fn) +
- Twine("'"))
- .str());
- }
+ C, llvm::formatv("'errno' may be undefined after successful call to '{0}'", Fn));}
const NoteTag *getNoteTagForStdMustBeChecked(CheckerContext &C,

Consider using llvm:formatv() here and in other similar messages, it is much less verbose.

donat.nagy: Consider using `llvm:formatv()` here and in other similar messages, it is much less verbose.
Twine(describeErrnoCheckState(MustNotBeChecked)))
.str());
} }
const NoteTag *getNoteTagForStdMustBeChecked(CheckerContext &C, const NoteTag *getNoteTagForStdMustBeChecked(CheckerContext &C,
llvm::StringRef Fn) { llvm::StringRef Fn) {
return getErrnoNoteTag( return getErrnoNoteTag(
C, (Twine("Function '") + Twine(Fn) + C, llvm::formatv("'{0}' indicates failure only by setting 'errno'", Fn));
Twine("' indicates failure only by setting of 'errno'"))
.str());
} }
} // namespace errno_modeling } // namespace errno_modeling
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
void ento::registerErrnoModeling(CheckerManager &mgr) { void ento::registerErrnoModeling(CheckerManager &mgr) {
mgr.registerChecker<ErrnoModeling>(); mgr.registerChecker<ErrnoModeling>();
} }
bool ento::shouldRegisterErrnoModeling(const CheckerManager &mgr) { bool ento::shouldRegisterErrnoModeling(const CheckerManager &mgr) {
return true; return true;
} }

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 46 Lines▼ Show 20 Lines
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "llvm/Support/FormatVariadic.h"
#include <optional> #include <optional>
#include <string> #include <string>
using namespace clang; using namespace clang;
using namespace clang::ento; using namespace clang::ento;
namespace { namespace {
▲ Show 20 LinesShow All 1,205 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
std::optional<Summary> FoundSummary = findFunctionSummary(Call, C); std::optional<Summary> FoundSummary = findFunctionSummary(Call, C);
if (!FoundSummary) if (!FoundSummary)
return; return;
// Now apply the constraints. // Now apply the constraints.
const Summary &Summary = *FoundSummary; const Summary &Summary = *FoundSummary;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const ExplodedNode *Node = C.getPredecessor(); ExplodedNode *Node = C.getPredecessor();
// Apply case/branch specifications. // Apply case/branch specifications.
for (const SummaryCase &Case : Summary.getCases()) { for (const SummaryCase &Case : Summary.getCases()) {
ProgramStateRef NewState = State; ProgramStateRef NewState = State;
for (const ValueConstraintPtr &Constraint : Case.getConstraints()) { for (const ValueConstraintPtr &Constraint : Case.getConstraints()) {
NewState = Constraint->apply(NewState, Call, Summary, C); NewState = Constraint->apply(NewState, Call, Summary, C);
if (!NewState) if (!NewState)
break; break;
} }
if (NewState) if (NewState)
NewState = Case.getErrnoConstraint().apply(NewState, Call, Summary, C); NewState = Case.getErrnoConstraint().apply(NewState, Call, Summary, C);
if (NewState && NewState != State) { if (!NewState)
if (Case.getNote().empty()) { continue;
const NoteTag *NT = nullptr;
if (const auto *D = dyn_cast_or_null<FunctionDecl>(Call.getDecl())) // It is possible that NewState == State is true.
NT = Case.getErrnoConstraint().describe(C, D->getNameAsString()); // It can occur if another checker has applied the state before us.
C.addTransition(NewState, NT); // Still add these note tags, the other checker should add only its
} else { // specialized note tags. These general note tags are handled always by
StringRef Note = Case.getNote(); // StdLibraryFunctionsChecker.
ExplodedNode *Pred = Node;
donat.nagyUnsubmitted
Done
ReplyInline Actions

Can you explain why is it safe to use const_cast here? (I don't see any concrete issue, but the engine has lots of invariants / unwritten rules and I fear that this might break one of them.)

donat.nagy: Can you explain why is it safe to use `const_cast` here? (I don't see any concrete issue, but…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The node Pred should be modified only later when a successor is added (addTransition has non-const parameter).

balazske: The node `Pred` should be modified only later when a successor is added (`addTransition` has…
donat.nagyUnsubmitted
Done
ReplyInline Actions

I understood that you need a non-const ExplodedNode * because addTransition expects it; I want to understand why you are allowed to const_cast it (why doesn't this confuse the engine logic).

Equivalent question from the other direction: Why did the author of CheckerContext::getPredecessor() specify that its return value is a const pointer to ExplodedNode?

If we can conclude that const_cast is valid in this kind of situation, then I'd also consider simply removing the "const" from the return type of getPredecessor.

donat.nagy: I understood that you //need// a non-const `ExplodedNode *` because `addTransition` expects it…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The const_cast is not needed at all if Pred and Node is made non-const, and getPredecessor has a non-const version. The Node is saved because we want to add transitions to it, it makes no sense to have it (a pointer to) const. (Probably the const comes from a time when the Node was used only for the lambda? In the lambda it could be const, if it matters.)

balazske: The `const_cast` is not needed at all if `Pred` and `Node` is made non-const, and…
donat.nagyUnsubmitted
Done
ReplyInline Actions

Sorry, it seems that I badly misread the source code of CheckerContext.h (I probably looked at the wrong line when I briefly jumped to the definition of getPredecessor). In fact, getPredecessor has only one version and it returns non-const ExplodedNode *.

This means that your code is (of course) completely valid.

donat.nagy: Sorry, it seems that I badly misread the source code of CheckerContext.h (I probably looked at…
if (!Case.getNote().empty()) {
// If there is a description for this execution branch (summary case),
// use it as a note tag.
std::string Note =
donat.nagyUnsubmitted
Done
ReplyInline Actions
// use it as a note tag.
- StringRef Note = Case.getNote();
+ std::string Note = Case.getNote();
if (Summary.getInvalidationKd() == EvalCallAsPure) {

This variable will be captured and stored by the lambda functions, so it should own the memory area of the string.

In the current code this did not cause problems because this StringRef points to the memory area of a string literal (which stays valid); but if later changes introduced dynamically generated note tags, then this code would dump random memory garbage.

By the way, a very similar issue survived almost four years in CheckerContext.h, I'm fixing it in D153889.

donat.nagy: This variable will be captured and stored by the lambda functions, so it should own the memory…
llvm::formatv(Case.getNote().str().c_str(),
donat.nagyUnsubmitted
Done
ReplyInline Actions
std::string Note =
- llvm::formatv(Case.getNote().str().c_str(),
+ llvm::formatv(Case.getNote().data(),
cast<NamedDecl>(Call.getDecl())->getDeclName());

Consider using the method StringRef::data() which directly converts a StringRef to a const char *. Your two-step conversion has the advantage that it adds a \0 terminator even if the StringRef isn't null-terminated, but I cannot imagine a "natural" code change that would introduce references to non-null-terminated char arrays as note message templates.

donat.nagy: Consider using the method `StringRef::data()` which directly converts a `StringRef` to a `const…
steakhalUnsubmitted
Done
ReplyInline Actions

I would prefer not to rely on that StringRefs (here) are expected to be null-terminated, unless benchmarks demonstrate that this is important. If that would turn out to be the case, then we would need to enforce this using some sort of assert expression.

steakhal: I would prefer not to rely on that `StringRef`s (here) are expected to be null-terminated…
donat.nagyUnsubmitted
Done
ReplyInline Actions

I think the way of expressing this concrete conversion is a very low priority question (a.k.a. bikeshedding), so returning to the previously used two-step conversion is also fine for me.

The primary goal of this ".data()" shortcut was not performance, but clarity: those chained conversions triggered my "detect suspicious code" instincts and this was the best alternative that I could find. In general I feel that the LLVM codebase has way too many string types, and the back-and-forth conversions between them add lots of unnecessary noise to the code.

In this particular case I think it's the fault of llvm::formatv that it doesn't accept StringRef (the most commonly used non-owning string) and in general it's problematic design that there is no "good" conversion between StringRef and C-style strings in either direction.

donat.nagy: I think the way of expressing this concrete conversion is a very low priority question (a.k.a.
cast<NamedDecl>(Call.getDecl())->getDeclName());
if (Summary.getInvalidationKd() == EvalCallAsPure) {
const NoteTag *Tag = C.getNoteTag( const NoteTag *Tag = C.getNoteTag(
// Sorry couldn't help myself. [Node, Note](PathSensitiveBugReport &BR) -> std::string {
[Node, Note]() -> std::string { // Try to omit the note if we know in advance which branch is
donat.nagyUnsubmitted
Done
ReplyInline Actions

It's surprising to see this check inside the lambda, as its result does not depend on BR. My best guess is that it's performed here because the successors of Node will appear between the execution of the surrounding code and the execution of this lambda.

However, CheckerContext.h line 69-70 claims that "checkers should not retain the node in their state since the nodes might get invalidated." which would imply that the captured Node might be invalid when the lambda is called.

donat.nagy: It's surprising to see this check inside the lambda, as its result does not depend on `BR`. My…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

This check is to decide if multiple cases could be applied, the same as if we count how many times this place in the loop is executed (add a transition for a case, constraints could be applied). This check is problematic because other checkers can apply state splits before this checker is executed or after it, in this way StreamChecker interferes with this code (it has a state split for success/failure cases of same function, and here we see only that a single case is applied on one branch). This is why this check is only used in the EvalCallAsPure case (theoretically still another checker can make a state split in PostCall before this where the same constraint is applied, then the problem occurs again).

I made a solution that does not have this check but has 2 case loops instead, but the mentioned problem (which exists when if (Summary.getInvalidationKd() == EvalCallAsPure) is not used) did not go away. And it may not work to search backwards for the first node with the same statement, because maybe not the first one is where a state split is done.

I only think that if this lambda is called with the saved node, that node is not invalid because it is part of a bug report call sequence.

balazske: This check is to decide if multiple cases could be applied, the same as if we count how many…
donat.nagyUnsubmitted
Done
ReplyInline Actions

This check is problematic because [...details...]

Thanks for the explanation, now I see why this roundabout solution is needed.

I only think that if this lambda is called with the saved node, that node is not invalid because it is part of a bug report call sequence.

This is a good point, I think we can keep this "check successors in the lambda" solution. Please add a comment like "This check is performed inside the lambda, after other checkers had a chance to add other successors. Dereferencing the saved node object is valid because it's part of a bug report call sequence." to record the the reasoning that we discussed.

donat.nagy: > This check is problematic because [...details...] Thanks for the explanation, now I see why…
// Don't emit "Assuming..." note when we ended up // taken (this means, only one branch exists).
// knowing in advance which branch is taken. // This check is performed inside the lambda, after other
return (Node->succ_size() > 1) ? Note.str() : ""; // (or this) checkers had a chance to add other successors.
// Dereferencing the saved node object is valid because it's part
// of a bug report call sequence.
// FIXME: This check is not exact. We may be here after a state
// split that was performed by another checker (and can not find
// the successors). This is why this check is only used in the
// EvalCallAsPure case.
if (Node->succ_size() > 1)
return Note;
donat.nagyUnsubmitted
Done
ReplyInline Actions
if (Node->succ_size() > 1)
- return Note.str();
+ return Note;
return "";

Also update this when you change the type of Note to std::string.

donat.nagy: Also update this when you change the type of `Note` to `std::string`.
donat.nagyUnsubmitted
Done
ReplyInline Actions
if (Node->succ_size() > 1)
- return Note.c_str();
+ return Note;
return "";

The return type of this lambda is std::string, so I think it's pointless to convert std::string Note to a C string (which will be used to implicitly construct another std::string).

donat.nagy: The return type of this lambda is `std::string`, so I think it's pointless to convert `std…
return "";
}, },
/*IsPrunable=*/true); /*IsPrunable=*/true);
C.addTransition(NewState, Tag); Pred = C.addTransition(NewState, Pred, Tag);
} else {
const NoteTag *Tag = C.getNoteTag(Note, /*IsPrunable=*/true);
Pred = C.addTransition(NewState, Pred, Tag);
}
if (!Pred)
break;
} }
} else if (NewState == State) {
// It is possible that the function was evaluated in a checker callback // If we can get a note tag for the errno change, add this additionally to
// where the state constraints are already applied, then no change happens // the previous. This note is only about value of 'errno' and is displayed
// here to the state (if the ErrnoConstraint did not change it either). // if 'errno' is interesting.
// If the evaluated function requires a NoteTag for errno change, it is if (const auto *D = dyn_cast<FunctionDecl>(Call.getDecl()))
steakhalUnsubmitted
Done
ReplyInline Actions

Previously, we had a cast<>(Call.getDecl()), thus we should only have a dyn_cast here.

steakhal: Previously, we had a `cast<>(Call.getDecl())`, thus we should only have a `dyn_cast` here.
// added here.
if (const auto *D = dyn_cast_or_null<FunctionDecl>(Call.getDecl()))
if (const NoteTag *NT = if (const NoteTag *NT =
Case.getErrnoConstraint().describe(C, D->getNameAsString())) Case.getErrnoConstraint().describe(C, D->getNameAsString()))
C.addTransition(NewState, NT); Pred = C.addTransition(NewState, Pred, NT);
}
// Add the transition if no note tag could be added.
if (Pred == Node && NewState != State)
C.addTransition(NewState);
} }
} }
bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call, bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
std::optional<Summary> FoundSummary = findFunctionSummary(Call, C); std::optional<Summary> FoundSummary = findFunctionSummary(Call, C);
if (!FoundSummary) if (!FoundSummary)
return false; return false;
▲ Show 20 LinesShow All 328 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::initFunctionSummaries(
std::optional<QualType> FilePtrTy = getPointerTy(FileTy); std::optional<QualType> FilePtrTy = getPointerTy(FileTy);
std::optional<QualType> FilePtrRestrictTy = getRestrictTy(FilePtrTy); std::optional<QualType> FilePtrRestrictTy = getRestrictTy(FilePtrTy);
std::optional<QualType> FPosTTy = lookupTy("fpos_t"); std::optional<QualType> FPosTTy = lookupTy("fpos_t");
std::optional<QualType> FPosTPtrTy = getPointerTy(FPosTTy); std::optional<QualType> FPosTPtrTy = getPointerTy(FPosTTy);
std::optional<QualType> ConstFPosTPtrTy = getPointerTy(getConstTy(FPosTTy)); std::optional<QualType> ConstFPosTPtrTy = getPointerTy(getConstTy(FPosTTy));
std::optional<QualType> FPosTPtrRestrictTy = getRestrictTy(FPosTPtrTy); std::optional<QualType> FPosTPtrRestrictTy = getRestrictTy(FPosTPtrTy);
constexpr llvm::StringLiteral GenericSuccessMsg(
"Assuming that '{0}' is successful");
donat.nagyUnsubmitted
Done
ReplyInline Actions
std::optional<QualType> FPosTPtrRestrictTy = getRestrictTy(FPosTPtrTy);
- const char *GenericSuccessMsg = "Assuming that the call is successful";
- const char *GenericFailureMsg = "Assuming that the call fails";
+ constexpr StringLiteral GenericSuccessMsg("Assuming that the call is successful");
+ constexpr StringLiteral GenericFailureMsg("Assuming that the call fails");
// We are finally ready to define specifications for all supported functions.

Consider using the StringLiteral subclass of StringRef which is designed for this kind of application (and determines the length of the string in compile time instead of calling strlen during a runtime const char * → StringRef conversion):
https://llvm.org/doxygen/classllvm_1_1StringLiteral.html
(After the suggested change, also update the code that uses these variables!)

donat.nagy: Consider using the `StringLiteral` subclass of `StringRef` which is designed for this kind of…
constexpr llvm::StringLiteral GenericFailureMsg("Assuming that '{0}' fails");
// We are finally ready to define specifications for all supported functions. // We are finally ready to define specifications for all supported functions.
// //
// Argument ranges should always cover all variants. If return value // Argument ranges should always cover all variants. If return value
// is completely unknown, omit it from the respective range set. // is completely unknown, omit it from the respective range set.
// //
// Every item in the list of range sets represents a particular // Every item in the list of range sets represents a particular
// execution path the analyzer would need to explore once // execution path the analyzer would need to explore once
// the call is modeled - a new program state is constructed // the call is modeled - a new program state is constructed
▲ Show 20 LinesShow All 216 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::initFunctionSummaries(
// read()-like functions that never return more than buffer size. // read()-like functions that never return more than buffer size.
auto FreadSummary = auto FreadSummary =
Summary(NoEvalCall) Summary(NoEvalCall)
.Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)), .Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)),
ArgumentCondition(2U, WithinRange, Range(1, SizeMax)), ArgumentCondition(2U, WithinRange, Range(1, SizeMax)),
ReturnValueCondition(BO_LT, ArgNo(2)), ReturnValueCondition(BO_LT, ArgNo(2)),
ReturnValueCondition(WithinRange, Range(0, SizeMax))}, ReturnValueCondition(WithinRange, Range(0, SizeMax))},
ErrnoNEZeroIrrelevant) ErrnoNEZeroIrrelevant, GenericFailureMsg)
.Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)), .Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)),
ReturnValueCondition(BO_EQ, ArgNo(2)), ReturnValueCondition(BO_EQ, ArgNo(2)),
ReturnValueCondition(WithinRange, Range(0, SizeMax))}, ReturnValueCondition(WithinRange, Range(0, SizeMax))},
ErrnoMustNotBeChecked) ErrnoMustNotBeChecked, GenericSuccessMsg)
.Case({ArgumentCondition(1U, WithinRange, SingleValue(0)), .Case({ArgumentCondition(1U, WithinRange, SingleValue(0)),
ReturnValueCondition(WithinRange, SingleValue(0))}, ReturnValueCondition(WithinRange, SingleValue(0))},
ErrnoMustNotBeChecked) ErrnoMustNotBeChecked, GenericSuccessMsg)
.ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(3))) .ArgConstraint(NotNull(ArgNo(3)))
// FIXME: It should be allowed to have a null buffer if any of // FIXME: It should be allowed to have a null buffer if any of
// args 1 or 2 are zero. Remove NotNull check of arg 0, add a check // args 1 or 2 are zero. Remove NotNull check of arg 0, add a check
// for non-null buffer if non-zero size to BufferSizeConstraint? // for non-null buffer if non-zero size to BufferSizeConstraint?
.ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1), .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1),
/*BufSizeMultiplier=*/ArgNo(2))); /*BufSizeMultiplier=*/ArgNo(2)));
▲ Show 20 LinesShow All 100 Lines▼ Show 20 Lines if (ModelPOSIX) {
}; };
// FILE *fopen(const char *restrict pathname, const char *restrict mode); // FILE *fopen(const char *restrict pathname, const char *restrict mode);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"fopen", "fopen",
Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy}, Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy},
RetType{FilePtrTy}), RetType{FilePtrTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case({NotNull(Ret)}, ErrnoMustNotBeChecked) .Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg)
.Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant) .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg)
.ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(1)))); .ArgConstraint(NotNull(ArgNo(1))));
// FILE *tmpfile(void); // FILE *tmpfile(void);
addToFunctionSummaryMap("tmpfile", addToFunctionSummaryMap(
Signature(ArgTypes{}, RetType{FilePtrTy}), "tmpfile", Signature(ArgTypes{}, RetType{FilePtrTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case({NotNull(Ret)}, ErrnoMustNotBeChecked) .Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg)
.Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant)); .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg));
// FILE *freopen(const char *restrict pathname, const char *restrict mode, // FILE *freopen(const char *restrict pathname, const char *restrict mode,
// FILE *restrict stream); // FILE *restrict stream);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"freopen", "freopen",
Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy, Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy,
FilePtrRestrictTy}, FilePtrRestrictTy},
RetType{FilePtrTy}), RetType{FilePtrTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case({ReturnValueCondition(BO_EQ, ArgNo(2))}, .Case({ReturnValueCondition(BO_EQ, ArgNo(2))},
ErrnoMustNotBeChecked) ErrnoMustNotBeChecked, GenericSuccessMsg)
.Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant) .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg)
.ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(NotNull(ArgNo(1)))
.ArgConstraint(NotNull(ArgNo(2)))); .ArgConstraint(NotNull(ArgNo(2))));
// int fclose(FILE *stream); // int fclose(FILE *stream);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"fclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), "fclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case(ReturnsZero, ErrnoMustNotBeChecked) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg)
.Case({ReturnValueCondition(WithinRange, SingleValue(EOFv))}, .Case({ReturnValueCondition(WithinRange, SingleValue(EOFv))},
ErrnoNEZeroIrrelevant) ErrnoNEZeroIrrelevant, GenericFailureMsg)
.ArgConstraint(NotNull(ArgNo(0)))); .ArgConstraint(NotNull(ArgNo(0))));
// int fseek(FILE *stream, long offset, int whence); // int fseek(FILE *stream, long offset, int whence);
// FIXME: It can be possible to get the 'SEEK_' values (like EOFv) and use // FIXME: It can be possible to get the 'SEEK_' values (like EOFv) and use
// these for condition of arg 2. // these for condition of arg 2.
// Now the range [0,2] is used (the `SEEK_*` constants are usually 0,1,2). // Now the range [0,2] is used (the `SEEK_*` constants are usually 0,1,2).
addToFunctionSummaryMap( addToFunctionSummaryMap(
"fseek", Signature(ArgTypes{FilePtrTy, LongTy, IntTy}, RetType{IntTy}), "fseek", Signature(ArgTypes{FilePtrTy, LongTy, IntTy}, RetType{IntTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case(ReturnsZero, ErrnoMustNotBeChecked) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg)
.Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg)
.ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(ArgumentCondition(2, WithinRange, {{0, 2}}))); .ArgConstraint(ArgumentCondition(2, WithinRange, {{0, 2}})));
// int fgetpos(FILE *restrict stream, fpos_t *restrict pos); // int fgetpos(FILE *restrict stream, fpos_t *restrict pos);
// From 'The Open Group Base Specifications Issue 7, 2018 edition': // From 'The Open Group Base Specifications Issue 7, 2018 edition':
// "The fgetpos() function shall not change the setting of errno if // "The fgetpos() function shall not change the setting of errno if
// successful." // successful."
addToFunctionSummaryMap( addToFunctionSummaryMap(
"fgetpos", "fgetpos",
Signature(ArgTypes{FilePtrRestrictTy, FPosTPtrRestrictTy}, Signature(ArgTypes{FilePtrRestrictTy, FPosTPtrRestrictTy},
RetType{IntTy}), RetType{IntTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case(ReturnsZero, ErrnoUnchanged) .Case(ReturnsZero, ErrnoUnchanged, GenericSuccessMsg)
.Case(ReturnsNonZero, ErrnoNEZeroIrrelevant) .Case(ReturnsNonZero, ErrnoNEZeroIrrelevant, GenericFailureMsg)
.ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(1)))); .ArgConstraint(NotNull(ArgNo(1))));
// int fsetpos(FILE *stream, const fpos_t *pos); // int fsetpos(FILE *stream, const fpos_t *pos);
// From 'The Open Group Base Specifications Issue 7, 2018 edition': // From 'The Open Group Base Specifications Issue 7, 2018 edition':
// "The fsetpos() function shall not change the setting of errno if // "The fsetpos() function shall not change the setting of errno if
// successful." // successful."
addToFunctionSummaryMap( addToFunctionSummaryMap(
"fsetpos", "fsetpos",
Signature(ArgTypes{FilePtrTy, ConstFPosTPtrTy}, RetType{IntTy}), Signature(ArgTypes{FilePtrTy, ConstFPosTPtrTy}, RetType{IntTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case(ReturnsZero, ErrnoUnchanged) .Case(ReturnsZero, ErrnoUnchanged, GenericSuccessMsg)
.Case(ReturnsNonZero, ErrnoNEZeroIrrelevant) .Case(ReturnsNonZero, ErrnoNEZeroIrrelevant, GenericFailureMsg)
.ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(1)))); .ArgConstraint(NotNull(ArgNo(1))));
// long ftell(FILE *stream); // long ftell(FILE *stream);
// From 'The Open Group Base Specifications Issue 7, 2018 edition': // From 'The Open Group Base Specifications Issue 7, 2018 edition':
// "The ftell() function shall not change the setting of errno if // "The ftell() function shall not change the setting of errno if
// successful." // successful."
addToFunctionSummaryMap( addToFunctionSummaryMap(
"ftell", Signature(ArgTypes{FilePtrTy}, RetType{LongTy}), "ftell", Signature(ArgTypes{FilePtrTy}, RetType{LongTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case({ReturnValueCondition(WithinRange, Range(1, LongMax))}, .Case({ReturnValueCondition(WithinRange, Range(1, LongMax))},
ErrnoUnchanged) ErrnoUnchanged, GenericSuccessMsg)
.Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg)
.ArgConstraint(NotNull(ArgNo(0)))); .ArgConstraint(NotNull(ArgNo(0))));
// int fileno(FILE *stream); // int fileno(FILE *stream);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"fileno", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), "fileno", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked) .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked,
.Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant) GenericSuccessMsg)
.Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg)
.ArgConstraint(NotNull(ArgNo(0)))); .ArgConstraint(NotNull(ArgNo(0))));
// void rewind(FILE *stream); // void rewind(FILE *stream);
// This function indicates error only by setting of 'errno'. // This function indicates error only by setting of 'errno'.
addToFunctionSummaryMap("rewind", addToFunctionSummaryMap("rewind",
Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}), Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case({}, ErrnoMustBeChecked) .Case({}, ErrnoMustBeChecked)
Show All 25 Lines addToFunctionSummaryMap("l64a",
Summary(NoEvalCall) Summary(NoEvalCall)
.ArgConstraint(ArgumentCondition( .ArgConstraint(ArgumentCondition(
0, WithinRange, Range(0, LongMax)))); 0, WithinRange, Range(0, LongMax))));
// int access(const char *pathname, int amode); // int access(const char *pathname, int amode);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"access", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{IntTy}), "access", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{IntTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
.Case(ReturnsZero, ErrnoMustNotBeChecked) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg)
.Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg)
.ArgConstraint(NotNull(ArgNo(0)))); .ArgConstraint(NotNull(ArgNo(0))));
// int faccessat(int dirfd, const char *pathname, int mode, int flags); // int faccessat(int dirfd, const char *pathname, int mode, int flags);
addToFunctionSummaryMap( addToFunctionSummaryMap(
"faccessat", "faccessat",
Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, IntTy}, Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, IntTy},
RetType{IntTy}), RetType{IntTy}),
Summary(NoEvalCall) Summary(NoEvalCall)
▲ Show 20 LinesShow All 1,454 LinesShow Last 20 Lines

clang/test/Analysis/errno-stdlibraryfunctions-notes.c

// RUN: %clang_analyze_cc1 -verify -analyzer-output text %s \ // RUN: %clang_analyze_cc1 -verify -analyzer-output text %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctions \ // RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctions \
// RUN: -analyzer-checker=apiModeling.Errno \ // RUN: -analyzer-checker=apiModeling.Errno \
// RUN: -analyzer-checker=alpha.unix.Errno \ // RUN: -analyzer-checker=alpha.unix.Errno \
// RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true // RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true
#include "Inputs/errno_var.h" #include "Inputs/errno_var.h"
int access(const char *path, int amode); int access(const char *path, int amode);
void clang_analyzer_warnIfReached(); void clang_analyzer_warnIfReached();
void test1() { void test1() {
access("path", 0); // no note here
access("path", 0); access("path", 0);
// expected-note@-1{{Assuming that function 'access' is successful, in this case the value 'errno' may be undefined after the call and should not be used}} // expected-note@-1{{Assuming that 'access' fails}}
access("path", 0);
// expected-note@-1{{Assuming that 'access' is successful}}
// expected-note@-2{{'errno' may be undefined after successful call to 'access'}}
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

This is the type of note that looks not necessary and even confusing. It could be any case of failure or success, the failure is chosen. This does not matter for the end result but can be confusing for users (one may think that there is a connection to the found bug).

balazske: This is the type of note that looks not necessary and even confusing. It could be any case of…
if (errno != 0) { if (errno != 0) {
// expected-warning@-1{{An undefined value may be read from 'errno'}} // expected-warning@-1{{An undefined value may be read from 'errno'}}
// expected-note@-2{{An undefined value may be read from 'errno'}} // expected-note@-2{{An undefined value may be read from 'errno'}}
} }
} }
void test2() { void test2() {
if (access("path", 0) == -1) { if (access("path", 0) == -1) {
// expected-note@-1{{Taking true branch}} // expected-note@-1{{Assuming that 'access' fails}}
// expected-note@-2{{Taking true branch}}
// Failure path. // Failure path.
if (errno != 0) { if (errno != 0) {
// expected-note@-1{{'errno' is not equal to 0}} // expected-note@-1{{'errno' is not equal to 0}}
// expected-note@-2{{Taking true branch}} // expected-note@-2{{Taking true branch}}
clang_analyzer_warnIfReached(); // expected-note {{REACHABLE}} expected-warning {{REACHABLE}} clang_analyzer_warnIfReached(); // expected-note {{REACHABLE}} expected-warning {{REACHABLE}}
} else { } else {
clang_analyzer_warnIfReached(); // no-warning: We are on the failure path. clang_analyzer_warnIfReached(); // no-warning: We are on the failure path.
} }
} }
} }
void test3() { void test3() {
if (access("path", 0) != -1) { if (access("path", 0) != -1) {
// Success path. // Success path.
// expected-note@-2{{Assuming that function 'access' is successful, in this case the value 'errno' may be undefined after the call and should not be used}} // expected-note@-2{{Assuming that 'access' is successful}}
// expected-note@-3{{Taking true branch}} // expected-note@-3{{'errno' may be undefined after successful call to 'access'}}
// expected-note@-4{{Taking true branch}}
if (errno != 0) { if (errno != 0) {
// expected-warning@-1{{An undefined value may be read from 'errno'}} // expected-warning@-1{{An undefined value may be read from 'errno'}}
// expected-note@-2{{An undefined value may be read from 'errno'}} // expected-note@-2{{An undefined value may be read from 'errno'}}
} }
} }
} }

clang/test/Analysis/std-c-library-functions-arg-constraints-note-tags.cpp

Show First 20 LinesShow All 46 Lines▼ Show 20 Linesvoid test_buffer_size_note(char *buf, int y) {
// clang_analyzer_express marks the argument as interesting. // clang_analyzer_express marks the argument as interesting.
clang_analyzer_express(buf); // expected-warning {{}} // the message does not really matter \ clang_analyzer_express(buf); // expected-warning {{}} // the message does not really matter \
// expected-note {{}} // expected-note {{}}
} }
int __test_case_note(); int __test_case_note();
int test_case_note_1(int y) { int test_case_note_1(int y) {
int x0 = __test_case_note(); // expected-note{{Function returns 1}}
int x = __test_case_note(); // expected-note{{Function returns 0}} \ int x = __test_case_note(); // expected-note{{Function returns 0}} \
// expected-note{{'x' initialized here}} // expected-note{{'x' initialized here}}
return y / x; // expected-warning{{Division by zero}} \ return y / x; // expected-warning{{Division by zero}} \
// expected-note{{Division by zero}} // expected-note{{Division by zero}}
} }
int test_case_note_2(int y) { int test_case_note_2(int y) {
int x = __test_case_note(); // expected-note{{Function returns 1}} int x = __test_case_note(); // expected-note{{Function returns 1}}
return y / (x - 1); // expected-warning{{Division by zero}} \ return y / (x - 1); // expected-warning{{Division by zero}} \
// expected-note{{Division by zero}} // expected-note{{Division by zero}}
} }

clang/test/Analysis/std-c-library-functions-arg-constraints.c

Show First 20 LinesShow All 164 Lines▼ Show 20 Lines
void test_notnull_concrete(FILE *fp) { void test_notnull_concrete(FILE *fp) {
fread(0, sizeof(int), 10, fp); // \ fread(0, sizeof(int), 10, fp); // \
// report-warning{{The 1st argument to 'fread' is NULL but should not be NULL}} \ // report-warning{{The 1st argument to 'fread' is NULL but should not be NULL}} \
// bugpath-warning{{The 1st argument to 'fread' is NULL but should not be NULL}} \ // bugpath-warning{{The 1st argument to 'fread' is NULL but should not be NULL}} \
// bugpath-note{{The 1st argument to 'fread' is NULL but should not be NULL}} // bugpath-note{{The 1st argument to 'fread' is NULL but should not be NULL}}
} }
void test_notnull_symbolic(FILE *fp, int *buf) { void test_notnull_symbolic(FILE *fp, int *buf) {
fread(buf, sizeof(int), 10, fp); fread(buf, sizeof(int), 10, fp); // \
// bugpath-note{{'fread' fails}}
clang_analyzer_eval(buf != 0); // \ clang_analyzer_eval(buf != 0); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{'buf' is not equal to null}} // bugpath-note{{'buf' is not equal to null}}
} }
void test_notnull_symbolic2(FILE *fp, int *buf) { void test_notnull_symbolic2(FILE *fp, int *buf) {
if (!buf) // bugpath-note{{Assuming 'buf' is null}} \ if (!buf) // bugpath-note{{Assuming 'buf' is null}} \
▲ Show 20 LinesShow All 153 LinesShow Last 20 Lines

clang/test/Analysis/std-c-library-functions-path-notes.c

// RUN: %clang_analyze_cc1 -verify %s \ // RUN: %clang_analyze_cc1 -verify %s \
// RUN: -analyzer-checker=core,alpha.unix.StdCLibraryFunctions \ // RUN: -analyzer-checker=core,alpha.unix.StdCLibraryFunctions \
// RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true \
// RUN: -analyzer-output=text // RUN: -analyzer-output=text
#include "Inputs/std-c-library-functions-POSIX.h"
#define NULL ((void *)0) #define NULL ((void *)0)
char *getenv(const char *); char *getenv(const char *);
int isalpha(int); int isalpha(int);
int isdigit(int); int isdigit(int);
int islower(int); int islower(int);
char test_getenv() { char test_getenv() {
char *env = getenv("VAR"); // \ char *env = getenv("VAR"); // \
// expected-note{{Assuming the environment variable does not exist}} \ // expected-note{{Assuming the environment variable does not exist}} \
// expected-note{{'env' initialized here}} // expected-note{{'env' initialized here}}
return env[0]; // \ return env[0]; // \
// expected-warning{{Array access (from variable 'env') results in a null pointer dereference}} \ // expected-warning{{Array access (from variable 'env') results in a null pointer dereference}} \
// expected-note {{Array access (from variable 'env') results in a null pointer dereference}} // expected-note {{Array access (from variable 'env') results in a null pointer dereference}}
} }
int test_isalpha(int *x, char c) { int test_isalpha(int *x, char c, char d) {
int iad = isalpha(d);// \
// expected-note{{Assuming the character is non-alphabetical}}
if (isalpha(c)) {// \ if (isalpha(c)) {// \
// expected-note{{Assuming the character is alphabetical}} \ // expected-note{{Taking true branch}} \
// expected-note{{Taking true branch}} // expected-note{{Assuming the character is alphabetical}}
x = NULL; // \ x = NULL; // \
// expected-note{{Null pointer value stored to 'x'}} // expected-note{{Null pointer value stored to 'x'}}
} }
return *x; // \ return *x; // \
// expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \ // expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \
// expected-note {{Dereference of null pointer (loaded from variable 'x')}} // expected-note {{Dereference of null pointer (loaded from variable 'x')}}
} }
int test_isdigit(int *x, char c) { int test_isdigit(int *x, char c) {
if (!isdigit(c)) {// \ if (!isdigit(c)) {// \
// expected-note{{Assuming the character is not a digit}} \ // expected-note{{Assuming the character is not a digit}} \
// expected-note{{Taking true branch}} // expected-note{{Taking true branch}}
x = NULL; // \ x = NULL; // \
// expected-note{{Null pointer value stored to 'x'}} // expected-note{{Null pointer value stored to 'x'}}
} }
return *x; // \ return *x; // \
// expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \ // expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \
// expected-note {{Dereference of null pointer (loaded from variable 'x')}} // expected-note {{Dereference of null pointer (loaded from variable 'x')}}
} }
int test_islower(int *x) { int test_islower(int *x) {
char c = 'c'; char c = 'c';
// No "Assuming..." note. We aren't assuming anything. We *know*. // No "Assuming..." note. We aren't assuming anything. We *know*.
if (islower(c)) { // \ if (islower(c)) { // \
// expected-note{{Taking true branch}} // expected-note{{Taking true branch}}
x = NULL; // \ x = NULL; // \
// expected-note{{Null pointer value stored to 'x'}} // expected-note{{Null pointer value stored to 'x'}}
} }
return *x; // \ return *x; // \
// expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \ // expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \
// expected-note {{Dereference of null pointer (loaded from variable 'x')}} // expected-note {{Dereference of null pointer (loaded from variable 'x')}}
} }
int test_bugpath_notes(FILE *f1, char c, FILE *f2) {
int f = fileno(f2); // \
// expected-note{{Assuming that 'fileno' is successful}}
if (f == -1) // \
// expected-note{{Taking false branch}}
return 0;
int l = islower(c);
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Here no note is shown. Probably because the summary of islower has cases without note, these notes should be added.

balazske: Here no note is shown. Probably because the summary of `islower` has cases without note, these…
f = fileno(f1); // \
// expected-note{{Value assigned to 'f'}} \
// expected-note{{Assuming that 'fileno' fails}}
return dup(f); // \
// expected-warning{{The 1st argument to 'dup' is -1 but should be >= 0}} \
// expected-note{{The 1st argument to 'dup' is -1 but should be >= 0}}
}

clang/test/Analysis/stream-errno-note.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core \ // RUN: %clang_analyze_cc1 -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.unix.Stream \ // RUN: -analyzer-checker=alpha.unix.Stream \
// RUN: -analyzer-checker=alpha.unix.Errno \ // RUN: -analyzer-checker=alpha.unix.Errno \
// RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctions \ // RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctions \
// RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true \ // RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true \
// RUN: -analyzer-output text -verify %s // RUN: -analyzer-output text -verify %s
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
#include "Inputs/errno_func.h" #include "Inputs/errno_func.h"
void check_fopen(void) { void check_fopen(void) {
FILE *F = fopen("xxx", "r"); FILE *F = fopen("xxx", "r");
// expected-note@-1{{Assuming that function 'fopen' is successful, in this case the value 'errno' may be undefined after the call and should not be used}} // expected-note@-1{{'errno' may be undefined after successful call to 'fopen'}}
// expected-note@-2{{'fopen' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
fclose(F); fclose(F);
} }
void check_tmpfile(void) { void check_tmpfile(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

At this place a note 'Assuming that the call is successful' should be displayed. But this is not working because StreamChecker is enabled. StreamChecker makes a state split before StdCLibraryFunctionsChecker for tmpfile failure and success, then in StdCLibraryFunctionsChecker the successor count is 1 and the note is not added. Probably the logic can be improved by finding the first node that belongs to the CallEvent. Or count how many cases are applied before adding the note tags.

balazske: At this place a note 'Assuming that the call is successful' should be displayed. But this is…
// expected-note@-1{{Assuming that function 'tmpfile' is successful, in this case the value 'errno' may be undefined after the call and should not be used}} // expected-note@-1{{'errno' may be undefined after successful call to 'tmpfile'}}
// expected-note@-2{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
fclose(F); fclose(F);
} }
void check_freopen(void) { void check_freopen(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
F = freopen("xxx", "w", F); F = freopen("xxx", "w", F);
// expected-note@-1{{Assuming that function 'freopen' is successful}} // expected-note@-1{{'errno' may be undefined after successful call to 'freopen'}}
// expected-note@-2{{'freopen' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
fclose(F); fclose(F);
} }
void check_fclose(void) { void check_fclose(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
(void)fclose(F); (void)fclose(F);
// expected-note@-1{{Assuming that function 'fclose' is successful}} // expected-note@-1{{'errno' may be undefined after successful call to 'fclose'}}
// expected-note@-2{{'fclose' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
} }
void check_fread(void) { void check_fread(void) {
char Buf[10]; char Buf[10];
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
(void)fread(Buf, 1, 10, F); (void)fread(Buf, 1, 10, F);
// expected-note@-1{{Assuming that function 'fread' is successful}} // expected-note@-1{{'errno' may be undefined after successful call to 'fread'}}
// expected-note@-2{{'fread' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
(void)fclose(F); (void)fclose(F);
} }
void check_fread_size0(void) {
char Buf[10];
FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}}
if (!F)
return;
fread(Buf, 0, 1, F);
// expected-note@-1{{'errno' may be undefined after successful call to 'fread'}}
// expected-note@-2{{'fread' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}}
}
void check_fread_nmemb0(void) {
char Buf[10];
FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}}
if (!F)
return;
fread(Buf, 1, 0, F);
// expected-note@-1{{'errno' may be undefined after successful call to 'fread'}}
// expected-note@-2{{'fread' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}}
}
void check_fwrite(void) { void check_fwrite(void) {
char Buf[] = "0123456789"; char Buf[] = "0123456789";
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
int R = fwrite(Buf, 1, 10, F); int R = fwrite(Buf, 1, 10, F);
// expected-note@-1{{Assuming that function 'fwrite' is successful}} // expected-note@-1{{'errno' may be undefined after successful call to 'fwrite'}}
// expected-note@-2{{'fwrite' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
(void)fclose(F); (void)fclose(F);
} }
void check_fseek(void) { void check_fseek(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
(void)fseek(F, 11, SEEK_SET); (void)fseek(F, 11, SEEK_SET);
// expected-note@-1{{Assuming that function 'fseek' is successful}} // expected-note@-1{{'errno' may be undefined after successful call to 'fseek'}}
// expected-note@-2{{'fseek' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
(void)fclose(F); (void)fclose(F);
} }
void check_rewind_errnocheck(void) { void check_rewind_errnocheck(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
errno = 0; errno = 0;
rewind(F); // expected-note{{Function 'rewind' indicates failure only by setting of 'errno'}} rewind(F); // expected-note{{'rewind' indicates failure only by setting 'errno'}}
fclose(F); // expected-warning{{Value of 'errno' was not checked and may be overwritten by function 'fclose' [alpha.unix.Errno]}} fclose(F); // expected-warning{{Value of 'errno' was not checked and may be overwritten by function 'fclose' [alpha.unix.Errno]}}
// expected-note@-1{{Value of 'errno' was not checked and may be overwritten by function 'fclose'}} // expected-note@-1{{Value of 'errno' was not checked and may be overwritten by function 'fclose'}}
} }
void check_fileno(void) { void check_fileno(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
fileno(F); fileno(F);
// expected-note@-1{{Assuming that function 'fileno' is successful}} // expected-note@-1{{Assuming that 'fileno' is successful}}
// expected-note@-2{{'errno' may be undefined after successful call to 'fileno'}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
(void)fclose(F); (void)fclose(F);
} }

clang/test/Analysis/stream-note.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream -analyzer-output text \ // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream -analyzer-output text \
// RUN: -verify %s // RUN: -verify %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream,alpha.unix.StdCLibraryFunctions -analyzer-output text \ // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream,alpha.unix.StdCLibraryFunctions -analyzer-output text \
// RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true -verify=expected,stdargs %s // RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true -verify=expected,stdargs %s
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
void check_note_at_correct_open(void) { void check_note_at_correct_open(void) {
FILE *F1 = tmpfile(); // expected-note {{Stream opened here}} FILE *F1 = tmpfile(); // expected-note {{Stream opened here}}
// stdargs-note@-1 {{'tmpfile' is successful}}
if (!F1) if (!F1)
// expected-note@-1 {{'F1' is non-null}} // expected-note@-1 {{'F1' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
FILE *F2 = tmpfile(); FILE *F2 = tmpfile();
// stdargs-note@-1 {{'tmpfile' is successful}}
if (!F2) { if (!F2) {
// expected-note@-1 {{'F2' is non-null}} // expected-note@-1 {{'F2' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
fclose(F1); fclose(F1);
return; return;
} }
rewind(F2); rewind(F2);
fclose(F2); fclose(F2);
// stdargs-note@-1 {{'fclose' fails}}
rewind(F1); rewind(F1);
} }
// expected-warning@-1 {{Opened stream never closed. Potential resource leak}} // expected-warning@-1 {{Opened stream never closed. Potential resource leak}}
// expected-note@-2 {{Opened stream never closed. Potential resource leak}} // expected-note@-2 {{Opened stream never closed. Potential resource leak}}
void check_note_fopen(void) { void check_note_fopen(void) {
FILE *F = fopen("file", "r"); // expected-note {{Stream opened here}} FILE *F = fopen("file", "r"); // expected-note {{Stream opened here}}
// stdargs-note@-1 {{'fopen' is successful}}
if (!F) if (!F)
// expected-note@-1 {{'F' is non-null}} // expected-note@-1 {{'F' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
// expected-warning@-1 {{Opened stream never closed. Potential resource leak}} // expected-warning@-1 {{Opened stream never closed. Potential resource leak}}
// expected-note@-2 {{Opened stream never closed. Potential resource leak}} // expected-note@-2 {{Opened stream never closed. Potential resource leak}}
void check_note_freopen(void) { void check_note_freopen(void) {
FILE *F = fopen("file", "r"); // expected-note {{Stream opened here}} FILE *F = fopen("file", "r"); // expected-note {{Stream opened here}}
// stdargs-note@-1 {{'fopen' is successful}}
if (!F) if (!F)
// expected-note@-1 {{'F' is non-null}} // expected-note@-1 {{'F' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
F = freopen(0, "w", F); // expected-note {{Stream reopened here}} F = freopen(0, "w", F); // expected-note {{Stream reopened here}}
// stdargs-note@-1 {{'freopen' is successful}}
if (!F) if (!F)
// expected-note@-1 {{'F' is non-null}} // expected-note@-1 {{'F' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
} }
// expected-warning@-1 {{Opened stream never closed. Potential resource leak}} // expected-warning@-1 {{Opened stream never closed. Potential resource leak}}
// expected-note@-2 {{Opened stream never closed. Potential resource leak}} // expected-note@-2 {{Opened stream never closed. Potential resource leak}}
void check_note_leak_2(int c) { void check_note_leak_2(int c) {
FILE *F1 = fopen("foo1.c", "r"); // expected-note {{Stream opened here}} FILE *F1 = fopen("foo1.c", "r"); // expected-note {{Stream opened here}}
// stdargs-note@-1 {{'fopen' is successful}}
// stdargs-note@-2 {{'fopen' is successful}}
steakhalUnsubmitted
Done
ReplyInline Actions

Why are these notes doubled?

steakhal: Why are these notes doubled?
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

There are 2 cases of resource leak reported (for F1 and F2) and a note tag is there for both of these.

balazske: There are 2 cases of resource leak reported (for `F1` and `F2`) and a note tag is there for…
steakhalUnsubmitted
Done
ReplyInline Actions

I still think we should only have a single note there given that F2 is completely unrelated to the initialization of F1.
Do I miss something?

steakhal: I still think we should only have a single note there given that `F2` is completely unrelated…
steakhalUnsubmitted
Done
ReplyInline Actions

Oo, now I see. D153776 is supposed to fix limit the notes to be displayed only for the interesting values. nvm.

steakhal: Oo, now I see. D153776 is supposed to fix limit the notes to be displayed only for the…
if (!F1) if (!F1)
// expected-note@-1 {{'F1' is non-null}} // expected-note@-1 {{'F1' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
// expected-note@-3 {{'F1' is non-null}} // expected-note@-3 {{'F1' is non-null}}
// expected-note@-4 {{Taking false branch}} // expected-note@-4 {{Taking false branch}}
return; return;
FILE *F2 = fopen("foo2.c", "r"); // expected-note {{Stream opened here}} FILE *F2 = fopen("foo2.c", "r"); // expected-note {{Stream opened here}}
// stdargs-note@-1 {{'fopen' is successful}}
// stdargs-note@-2 {{'fopen' is successful}}
if (!F2) { if (!F2) {
// expected-note@-1 {{'F2' is non-null}} // expected-note@-1 {{'F2' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
// expected-note@-3 {{'F2' is non-null}} // expected-note@-3 {{'F2' is non-null}}
// expected-note@-4 {{Taking false branch}} // expected-note@-4 {{Taking false branch}}
fclose(F1); fclose(F1);
return; return;
} }
Show All 9 Linesvoid check_note_leak_2(int c) {
// expected-note@-4 {{Opened stream never closed. Potential resource leak}} // expected-note@-4 {{Opened stream never closed. Potential resource leak}}
fclose(F1); fclose(F1);
fclose(F2); fclose(F2);
} }
void check_track_null(void) { void check_track_null(void) {
FILE *F; FILE *F;
F = fopen("foo1.c", "r"); // expected-note {{Value assigned to 'F'}} expected-note {{Assuming pointer value is null}} F = fopen("foo1.c", "r"); // expected-note {{Value assigned to 'F'}} expected-note {{Assuming pointer value is null}}
// stdargs-note@-1 {{'fopen' fails}}
if (F != NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is equal to NULL}} if (F != NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is equal to NULL}}
fclose(F); fclose(F);
return; return;
} }
fclose(F); // expected-warning {{Stream pointer might be NULL}} fclose(F); // expected-warning {{Stream pointer might be NULL}}
// expected-note@-1 {{Stream pointer might be NULL}} // expected-note@-1 {{Stream pointer might be NULL}}
} }
void check_eof_notes_feof_after_feof(void) { void check_eof_notes_feof_after_feof(void) {
FILE *F; FILE *F;
char Buf[10]; char Buf[10];
F = fopen("foo1.c", "r"); F = fopen("foo1.c", "r");
// stdargs-note@-1 {{'fopen' is successful}}
if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}} if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}}
return; return;
} }
fread(Buf, 1, 1, F); fread(Buf, 1, 1, F);
// stdargs-note@-1 {{'fread' fails}}
if (feof(F)) { // expected-note {{Taking true branch}} if (feof(F)) { // expected-note {{Taking true branch}}
clearerr(F); clearerr(F);
fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}} fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}}
// stdargs-note@-1 {{'fread' fails}}
if (feof(F)) { // expected-note {{Taking true branch}} if (feof(F)) { // expected-note {{Taking true branch}}
fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}} fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}}
// expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}} // expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}}
} }
} }
fclose(F); fclose(F);
} }
void check_eof_notes_feof_after_no_feof(void) { void check_eof_notes_feof_after_no_feof(void) {
FILE *F; FILE *F;
char Buf[10]; char Buf[10];
F = fopen("foo1.c", "r"); F = fopen("foo1.c", "r");
// stdargs-note@-1 {{'fopen' is successful}}
if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}} if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}}
return; return;
} }
fread(Buf, 1, 1, F); fread(Buf, 1, 1, F);
// stdargs-note@-1 {{'fread' is successful}}
if (feof(F)) { // expected-note {{Taking false branch}} if (feof(F)) { // expected-note {{Taking false branch}}
fclose(F); fclose(F);
return; return;
} else if (ferror(F)) { // expected-note {{Taking false branch}} } else if (ferror(F)) { // expected-note {{Taking false branch}}
fclose(F); fclose(F);
return; return;
} }
fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}} fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}}
// stdargs-note@-1 {{'fread' fails}}
if (feof(F)) { // expected-note {{Taking true branch}} if (feof(F)) { // expected-note {{Taking true branch}}
fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}} fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}}
// expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}} // expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}}
} }
fclose(F); fclose(F);
} }
void check_eof_notes_feof_or_no_error(void) { void check_eof_notes_feof_or_no_error(void) {
FILE *F; FILE *F;
char Buf[10]; char Buf[10];
F = fopen("foo1.c", "r"); F = fopen("foo1.c", "r");
// stdargs-note@-1 {{'fopen' is successful}}
if (F == NULL) // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}} if (F == NULL) // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}}
return; return;
int RRet = fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}} int RRet = fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}}
// stdargs-note@-1 {{'fread' fails}}
if (ferror(F)) { // expected-note {{Taking false branch}} if (ferror(F)) { // expected-note {{Taking false branch}}
} else { } else {
fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}} fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}}
// expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}} // expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}}
} }
fclose(F); fclose(F);
} }