This is an archive of the discontinued LLVM Phabricator instance.

Differential D153776

[clang][analyzer] Display notes in StdLibraryFunctionsChecker only if interesting
ClosedPublic

Authored by balazske on Jun 26 2023, 8:11 AM.

Details

Reviewers
Szelethus
NoQ
donat.nagy
Commits
rGf12808ab2036: [clang][analyzer] Display notes in StdLibraryFunctionsChecker only if…
Summary

The note tag that was previously added in all cases when a standard function call
is found is displayed now only if the function call (return value) is "interesting".
This results in less unneeded notes but some of the previously good notes disappear
too. This is because interestingness is not always set as it should be.

Diff Detail

Event Timeline

balazske created this revision.Jun 26 2023, 8:11 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJun 26 2023, 8:11 AM
Herald added a reviewer: NoQ. · View Herald Transcript
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: steakhal, manas, ASDenysPetrov and 10 others. · View Herald Transcript
balazske requested review of this revision.Jun 26 2023, 8:11 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 26 2023, 8:11 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B241184: Diff 534566.Jun 26 2023, 8:11 AM
balazske added a parent revision: D153612: [clang][analyzer] Add and change NoteTags in StdLibraryFunctionsChecker..Jun 26 2023, 8:13 AM
balazske added a reviewer: donat.nagy.
steakhal added inline comments.Jun 26 2023, 8:48 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1336

Why do you continue here? Do you have a case for this?

balazske updated this revision to Diff 534868.Jun 27 2023, 1:24 AM

markInteresting must be used at arguments found to be invalid

balazske added a comment.Jun 27 2023, 1:28 AM

Here are results for vim, still the fileno problem is not fixed. This run was made before the last update where markInteresting is added, then it should work.

balazske added inline comments.Jun 27 2023, 1:39 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1336

This is only because the same loop has other failure places (if the state can not be applied) where continue is used already. The reason is that if one addTransition fails a next one may succeed. It is probably better to use break at all places. Even then what was already added to the state can not be removed, so it may be not wrong to add all states that can be added.

Harbormaster completed remote builds in B241398: Diff 534868.Jun 27 2023, 2:36 AM
donat.nagy mentioned this in D153612: [clang][analyzer] Add and change NoteTags in StdLibraryFunctionsChecker..Jun 28 2023, 4:10 AM
donat.nagy accepted this revision.Jun 29 2023, 8:14 AM

LGTM if you rebase these changes onto the most recent version of D153612. Thanks for adding this interestingness check!

This revision is now accepted and ready to land.Jun 29 2023, 8:14 AM
balazske updated this revision to Diff 536133.Jun 30 2023, 12:37 AM

Rebase to newest parent review version.

Harbormaster completed remote builds in B242342: Diff 536133.Jun 30 2023, 1:44 AM
balazske added a comment.Jun 30 2023, 5:13 AM
results with the latest version:
memcached_1.6.8_stdclf_notetag_interesting_test_2Reports
tmux_2.6_stdclf_notetag_interesting_test_2Reports
curl_curl-7_66_0_stdclf_notetag_interesting_test_2Reports
twin_v0.8.1_stdclf_notetag_interesting_test_2Reports
vim_v8.2.1920_stdclf_notetag_interesting_test_2Reports
openssl_openssl-3.0.0-alpha7_stdclf_notetag_interesting_test_2Reports
sqlite_version-3.33.0_stdclf_notetag_interesting_test_2Reports
ffmpeg_n4.3.1_stdclf_notetag_interesting_test_2Reports
postgres_REL_13_0_stdclf_notetag_interesting_test_2Reports
xerces_v3.2.3_stdclf_notetag_interesting_test_2Reports
bitcoin_v0.20.1_stdclf_notetag_interesting_test_2Reports
donat.nagy requested changes to this revision.Jun 30 2023, 8:43 AM

Thanks for attaching the test results! Unfortunately it seems that it was important to look at them, because I noticed that in the posgresql codebase there are many bug reports on calls like func1(func2(...), ...) where the checker does not print the expected "Assuming that 'func2' fails" note: fdopen/dup, fstat/fileno, isatty/fileno, another isatty/fileno, a third isatty/fileno, a second dup/fileno (this is not an exhaustive list, but I think I listed the majority of them).

Please investigate these before merging your commits.

This revision now requires changes to proceed.Jun 30 2023, 8:43 AM
balazske added a comment.Jul 2 2023, 11:52 PM

The success/failure note tags are not added to all functions, dup is one of these, this means at dup no note tag is shown. A next patch can be made to add these messages to all functions. The other places look good, but CodeChecker is a bit tricky, you must select *_stdclf_notetag_interesting_test_2 at the small arrow after the "found in:" text (upper right corner). The link is good but not that instance of the bug is displayed because only the note tags are different.

donat.nagy added a comment.Jul 3 2023, 2:56 AM
In D153776#4467627, @balazske wrote:

The success/failure note tags are not added to all functions, dup is one of these, this means at dup no note tag is shown. A next patch can be made to add these messages to all functions. The other places look good, but CodeChecker is a bit tricky, you must select *_stdclf_notetag_interesting_test_2 at the small arrow after the "found in:" text (upper right corner). The link is good but not that instance of the bug is displayed because only the note tags are different.

I think we should definitely add success/failure note tags to all functions where this checker can suddenly assume that "Oops, this failed". If this "Assuming that 'foo' fails" message is not there, it's a very natural reaction to search for some earlier note that would let the checker deduce that this function will fail here.

balazske updated this revision to Diff 537003.Jul 4 2023, 2:35 AM

rebase

balazske added a child revision: D154423: [clang][analyzer] Add all success/failure messages to StdLibraryFunctionsChecker..Jul 4 2023, 2:44 AM
Harbormaster completed remote builds in B242976: Diff 537003.Jul 4 2023, 3:54 AM
donat.nagy accepted this revision.Jul 10 2023, 2:11 AM

LGTM, thanks!

This revision is now accepted and ready to land.Jul 10 2023, 2:11 AM
This revision was landed with ongoing or failed builds.Jul 18 2023, 12:29 AM
Closed by commit rGf12808ab2036: [clang][analyzer] Display notes in StdLibraryFunctionsChecker only if… (authored by balazske). · Explain Why
This revision was automatically updated to reflect the committed changes.
balazske added a commit: rGf12808ab2036: [clang][analyzer] Display notes in StdLibraryFunctionsChecker only if….

Revision Contents

Diff 541354

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 829 Lines▼ Show 20 Lines void reportBug(const CallEvent &Call, ExplodedNode *N,
if (!BT_InvalidArg) if (!BT_InvalidArg)
BT_InvalidArg = std::make_unique<BugType>( BT_InvalidArg = std::make_unique<BugType>(
CheckName, "Function call with invalid argument", CheckName, "Function call with invalid argument",
categories::LogicError); categories::LogicError);
auto R = std::make_unique<PathSensitiveBugReport>(*BT_InvalidArg, Msg, N); auto R = std::make_unique<PathSensitiveBugReport>(*BT_InvalidArg, Msg, N);
for (ArgNo ArgN : VC->getArgsToTrack()) { for (ArgNo ArgN : VC->getArgsToTrack()) {
bugreporter::trackExpressionValue(N, Call.getArgExpr(ArgN), *R); bugreporter::trackExpressionValue(N, Call.getArgExpr(ArgN), *R);
R->markInteresting(Call.getArgSVal(ArgN));
// All tracked arguments are important, highlight them. // All tracked arguments are important, highlight them.
R->addRange(Call.getArgSourceRange(ArgN)); R->addRange(Call.getArgSourceRange(ArgN));
} }
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
/// These are the errno constraints that can be passed to summary cases. /// These are the errno constraints that can be passed to summary cases.
▲ Show 20 LinesShow All 447 Lines▼ Show 20 Lines for (const SummaryCase &Case : Summary.getCases()) {
// It is possible that NewState == State is true. // It is possible that NewState == State is true.
// It can occur if another checker has applied the state before us. // It can occur if another checker has applied the state before us.
// Still add these note tags, the other checker should add only its // Still add these note tags, the other checker should add only its
// specialized note tags. These general note tags are handled always by // specialized note tags. These general note tags are handled always by
// StdLibraryFunctionsChecker. // StdLibraryFunctionsChecker.
ExplodedNode *Pred = Node; ExplodedNode *Pred = Node;
if (!Case.getNote().empty()) { if (!Case.getNote().empty()) {
const SVal RV = Call.getReturnValue();
// If there is a description for this execution branch (summary case), // If there is a description for this execution branch (summary case),
// use it as a note tag. // use it as a note tag.
std::string Note = std::string Note =
llvm::formatv(Case.getNote().str().c_str(), llvm::formatv(Case.getNote().str().c_str(),
cast<NamedDecl>(Call.getDecl())->getDeclName()); cast<NamedDecl>(Call.getDecl())->getDeclName());
if (Summary.getInvalidationKd() == EvalCallAsPure) { if (Summary.getInvalidationKd() == EvalCallAsPure) {
const NoteTag *Tag = C.getNoteTag( const NoteTag *Tag = C.getNoteTag(
[Node, Note](PathSensitiveBugReport &BR) -> std::string { [Node, Note, RV](PathSensitiveBugReport &BR) -> std::string {
// Try to omit the note if we know in advance which branch is // Try to omit the note if we know in advance which branch is
// taken (this means, only one branch exists). // taken (this means, only one branch exists).
// This check is performed inside the lambda, after other // This check is performed inside the lambda, after other
// (or this) checkers had a chance to add other successors. // (or this) checkers had a chance to add other successors.
// Dereferencing the saved node object is valid because it's part // Dereferencing the saved node object is valid because it's part
// of a bug report call sequence. // of a bug report call sequence.
// FIXME: This check is not exact. We may be here after a state // FIXME: This check is not exact. We may be here after a state
// split that was performed by another checker (and can not find // split that was performed by another checker (and can not find
// the successors). This is why this check is only used in the // the successors). This is why this check is only used in the
// EvalCallAsPure case. // EvalCallAsPure case.
if (Node->succ_size() > 1) if (BR.isInteresting(RV) && Node->succ_size() > 1)
return Note; return Note;
return ""; return "";
}, });
/*IsPrunable=*/true);
Pred = C.addTransition(NewState, Pred, Tag); Pred = C.addTransition(NewState, Pred, Tag);
} else { } else {
const NoteTag *Tag = C.getNoteTag(Note, /*IsPrunable=*/true); const NoteTag *Tag =
C.getNoteTag([Note, RV](PathSensitiveBugReport &BR) -> std::string {
if (BR.isInteresting(RV))
return Note;
return "";
});
Pred = C.addTransition(NewState, Pred, Tag); Pred = C.addTransition(NewState, Pred, Tag);
} }
if (!Pred) if (!Pred)
break; continue;
steakhalUnsubmitted
Not Done
ReplyInline Actions

Why do you continue here? Do you have a case for this?

steakhal: Why do you continue here? Do you have a case for this?
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

This is only because the same loop has other failure places (if the state can not be applied) where continue is used already. The reason is that if one addTransition fails a next one may succeed. It is probably better to use break at all places. Even then what was already added to the state can not be removed, so it may be not wrong to add all states that can be added.

balazske: This is only because the same loop has other failure places (if the state can not be applied)…
} }
// If we can get a note tag for the errno change, add this additionally to // If we can get a note tag for the errno change, add this additionally to
// the previous. This note is only about value of 'errno' and is displayed // the previous. This note is only about value of 'errno' and is displayed
// if 'errno' is interesting. // if 'errno' is interesting.
if (const auto *D = dyn_cast<FunctionDecl>(Call.getDecl())) if (const auto *D = dyn_cast<FunctionDecl>(Call.getDecl()))
if (const NoteTag *NT = if (const NoteTag *NT =
Case.getErrnoConstraint().describe(C, D->getNameAsString())) Case.getErrnoConstraint().describe(C, D->getNameAsString()))
▲ Show 20 LinesShow All 2,307 LinesShow Last 20 Lines

clang/test/Analysis/errno-stdlibraryfunctions-notes.c

// RUN: %clang_analyze_cc1 -verify -analyzer-output text %s \ // RUN: %clang_analyze_cc1 -verify -analyzer-output text %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctions \ // RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctions \
// RUN: -analyzer-checker=apiModeling.Errno \ // RUN: -analyzer-checker=apiModeling.Errno \
// RUN: -analyzer-checker=alpha.unix.Errno \ // RUN: -analyzer-checker=alpha.unix.Errno \
// RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true // RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true
#include "Inputs/errno_var.h" #include "Inputs/errno_var.h"
int access(const char *path, int amode); int access(const char *path, int amode);
void clang_analyzer_warnIfReached(); void clang_analyzer_warnIfReached();
void test1() { void test1() {
access("path", 0); access("path", 0);
// expected-note@-1{{Assuming that 'access' fails}}
access("path", 0); access("path", 0);
// expected-note@-1{{Assuming that 'access' is successful}} // expected-note@-1{{'errno' may be undefined after successful call to 'access'}}
// expected-note@-2{{'errno' may be undefined after successful call to 'access'}}
if (errno != 0) { if (errno != 0) {
// expected-warning@-1{{An undefined value may be read from 'errno'}} // expected-warning@-1{{An undefined value may be read from 'errno'}}
// expected-note@-2{{An undefined value may be read from 'errno'}} // expected-note@-2{{An undefined value may be read from 'errno'}}
} }
} }
void test2() { void test2() {
if (access("path", 0) == -1) { if (access("path", 0) == -1) {
// expected-note@-1{{Assuming that 'access' fails}} // expected-note@-1{{Taking true branch}}
// expected-note@-2{{Taking true branch}}
// Failure path. // Failure path.
if (errno != 0) { if (errno != 0) {
// expected-note@-1{{'errno' is not equal to 0}} // expected-note@-1{{'errno' is not equal to 0}}
// expected-note@-2{{Taking true branch}} // expected-note@-2{{Taking true branch}}
clang_analyzer_warnIfReached(); // expected-note {{REACHABLE}} expected-warning {{REACHABLE}} clang_analyzer_warnIfReached(); // expected-note {{REACHABLE}} expected-warning {{REACHABLE}}
} else { } else {
clang_analyzer_warnIfReached(); // no-warning: We are on the failure path. clang_analyzer_warnIfReached(); // no-warning: We are on the failure path.
} }
} }
} }
void test3() { void test3() {
if (access("path", 0) != -1) { if (access("path", 0) != -1) {
// Success path. // Success path.
// expected-note@-2{{Assuming that 'access' is successful}} // expected-note@-2{{'errno' may be undefined after successful call to 'access'}}
// expected-note@-3{{'errno' may be undefined after successful call to 'access'}} // expected-note@-3{{Taking true branch}}
// expected-note@-4{{Taking true branch}}
if (errno != 0) { if (errno != 0) {
// expected-warning@-1{{An undefined value may be read from 'errno'}} // expected-warning@-1{{An undefined value may be read from 'errno'}}
// expected-note@-2{{An undefined value may be read from 'errno'}} // expected-note@-2{{An undefined value may be read from 'errno'}}
} }
} }
} }

clang/test/Analysis/std-c-library-functions-arg-constraints-note-tags.cpp

Show First 20 LinesShow All 46 Lines▼ Show 20 Linesvoid test_buffer_size_note(char *buf, int y) {
// clang_analyzer_express marks the argument as interesting. // clang_analyzer_express marks the argument as interesting.
clang_analyzer_express(buf); // expected-warning {{}} // the message does not really matter \ clang_analyzer_express(buf); // expected-warning {{}} // the message does not really matter \
// expected-note {{}} // expected-note {{}}
} }
int __test_case_note(); int __test_case_note();
int test_case_note_1(int y) { int test_case_note_1(int y) {
int x0 = __test_case_note(); // expected-note{{Function returns 1}} int x0 = __test_case_note();
int x = __test_case_note(); // expected-note{{Function returns 0}} \ int x = __test_case_note(); // expected-note{{Function returns 0}} \
// expected-note{{'x' initialized here}} // expected-note{{'x' initialized here}}
return y / x; // expected-warning{{Division by zero}} \ return y / x; // expected-warning{{Division by zero}} \
// expected-note{{Division by zero}} // expected-note{{Division by zero}}
} }
int test_case_note_2(int y) { int test_case_note_2(int y) {
int x = __test_case_note(); // expected-note{{Function returns 1}} int x = __test_case_note();
return y / (x - 1); // expected-warning{{Division by zero}} \ return y / (x - 1); // expected-warning{{Division by zero}} \
// expected-note{{Division by zero}} // expected-note{{Division by zero}}
} }

clang/test/Analysis/std-c-library-functions-arg-constraints.c

Show All 29 Linesvoid test_alnum_concrete(int v) {
int ret = isalnum(256); // \ int ret = isalnum(256); // \
// report-warning{{The 1st argument to 'isalnum' is 256 but should be an unsigned char value or EOF}} \ // report-warning{{The 1st argument to 'isalnum' is 256 but should be an unsigned char value or EOF}} \
// bugpath-warning{{The 1st argument to 'isalnum' is 256 but should be an unsigned char value or EOF}} \ // bugpath-warning{{The 1st argument to 'isalnum' is 256 but should be an unsigned char value or EOF}} \
// bugpath-note{{The 1st argument to 'isalnum' is 256 but should be an unsigned char value or EOF}} // bugpath-note{{The 1st argument to 'isalnum' is 256 but should be an unsigned char value or EOF}}
(void)ret; (void)ret;
} }
void test_alnum_symbolic(int x) { void test_alnum_symbolic(int x) {
int ret = isalnum(x); // \ int ret = isalnum(x);
// bugpath-note{{Assuming the character is non-alphanumeric}}
(void)ret; (void)ret;
clang_analyzer_eval(EOF <= x && x <= 255); // \ clang_analyzer_eval(EOF <= x && x <= 255); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{Left side of '&&' is true}} \ // bugpath-note{{Left side of '&&' is true}} \
// bugpath-note{{'x' is <= 255}} // bugpath-note{{'x' is <= 255}}
▲ Show 20 LinesShow All 117 Lines▼ Show 20 Lines
void test_notnull_concrete(FILE *fp) { void test_notnull_concrete(FILE *fp) {
fread(0, sizeof(int), 10, fp); // \ fread(0, sizeof(int), 10, fp); // \
// report-warning{{The 1st argument to 'fread' is NULL but should not be NULL}} \ // report-warning{{The 1st argument to 'fread' is NULL but should not be NULL}} \
// bugpath-warning{{The 1st argument to 'fread' is NULL but should not be NULL}} \ // bugpath-warning{{The 1st argument to 'fread' is NULL but should not be NULL}} \
// bugpath-note{{The 1st argument to 'fread' is NULL but should not be NULL}} // bugpath-note{{The 1st argument to 'fread' is NULL but should not be NULL}}
} }
void test_notnull_symbolic(FILE *fp, int *buf) { void test_notnull_symbolic(FILE *fp, int *buf) {
fread(buf, sizeof(int), 10, fp); // \ fread(buf, sizeof(int), 10, fp);
// bugpath-note{{'fread' fails}}
clang_analyzer_eval(buf != 0); // \ clang_analyzer_eval(buf != 0); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{'buf' is not equal to null}} // bugpath-note{{'buf' is not equal to null}}
} }
void test_notnull_symbolic2(FILE *fp, int *buf) { void test_notnull_symbolic2(FILE *fp, int *buf) {
if (!buf) // bugpath-note{{Assuming 'buf' is null}} \ if (!buf) // bugpath-note{{Assuming 'buf' is null}} \
▲ Show 20 LinesShow All 153 LinesShow Last 20 Lines

clang/test/Analysis/std-c-library-functions-path-notes.c

Show All 16 Lineschar test_getenv() {
// expected-note{{'env' initialized here}} // expected-note{{'env' initialized here}}
return env[0]; // \ return env[0]; // \
// expected-warning{{Array access (from variable 'env') results in a null pointer dereference}} \ // expected-warning{{Array access (from variable 'env') results in a null pointer dereference}} \
// expected-note {{Array access (from variable 'env') results in a null pointer dereference}} // expected-note {{Array access (from variable 'env') results in a null pointer dereference}}
} }
int test_isalpha(int *x, char c, char d) { int test_isalpha(int *x, char c, char d) {
int iad = isalpha(d);// \ int iad = isalpha(d);
// expected-note{{Assuming the character is non-alphabetical}}
if (isalpha(c)) {// \ if (isalpha(c)) {// \
// expected-note{{Taking true branch}} \ // expected-note{{Taking true branch}}
// expected-note{{Assuming the character is alphabetical}}
x = NULL; // \ x = NULL; // \
// expected-note{{Null pointer value stored to 'x'}} // expected-note{{Null pointer value stored to 'x'}}
} }
return *x; // \ return *x; // \
// expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \ // expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \
// expected-note {{Dereference of null pointer (loaded from variable 'x')}} // expected-note {{Dereference of null pointer (loaded from variable 'x')}}
} }
int test_isdigit(int *x, char c) { int test_isdigit(int *x, char c) {
if (!isdigit(c)) {// \ if (!isdigit(c)) {// \
// expected-note{{Assuming the character is not a digit}} \
// expected-note{{Taking true branch}} // expected-note{{Taking true branch}}
x = NULL; // \ x = NULL; // \
// expected-note{{Null pointer value stored to 'x'}} // expected-note{{Null pointer value stored to 'x'}}
} }
return *x; // \ return *x; // \
// expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \ // expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \
// expected-note {{Dereference of null pointer (loaded from variable 'x')}} // expected-note {{Dereference of null pointer (loaded from variable 'x')}}
Show All 9 Linesint test_islower(int *x) {
} }
return *x; // \ return *x; // \
// expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \ // expected-warning{{Dereference of null pointer (loaded from variable 'x')}} \
// expected-note {{Dereference of null pointer (loaded from variable 'x')}} // expected-note {{Dereference of null pointer (loaded from variable 'x')}}
} }
int test_bugpath_notes(FILE *f1, char c, FILE *f2) { int test_bugpath_notes(FILE *f1, char c, FILE *f2) {
int f = fileno(f2); // \ int f = fileno(f2);
// expected-note{{Assuming that 'fileno' is successful}}
if (f == -1) // \ if (f == -1) // \
// expected-note{{Taking false branch}} // expected-note{{Taking false branch}}
return 0; return 0;
int l = islower(c); int l = islower(c);
f = fileno(f1); // \ f = fileno(f1); // \
// expected-note{{Value assigned to 'f'}} \ // expected-note{{Value assigned to 'f'}} \
// expected-note{{Assuming that 'fileno' fails}} // expected-note{{Assuming that 'fileno' fails}}
return dup(f); // \ return dup(f); // \
// expected-warning{{The 1st argument to 'dup' is -1 but should be >= 0}} \ // expected-warning{{The 1st argument to 'dup' is -1 but should be >= 0}} \
// expected-note{{The 1st argument to 'dup' is -1 but should be >= 0}} // expected-note{{The 1st argument to 'dup' is -1 but should be >= 0}}
} }
int test_fileno_arg_note(FILE *f1) {
return dup(fileno(f1)); // \
// expected-warning{{The 1st argument to 'dup' is < 0 but should be >= 0}} \
// expected-note{{The 1st argument to 'dup' is < 0 but should be >= 0}} \
// expected-note{{Assuming that 'fileno' fails}}
}

clang/test/Analysis/stream-errno-note.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core \ // RUN: %clang_analyze_cc1 -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.unix.Stream \ // RUN: -analyzer-checker=alpha.unix.Stream \
// RUN: -analyzer-checker=alpha.unix.Errno \ // RUN: -analyzer-checker=alpha.unix.Errno \
// RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctions \ // RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctions \
// RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true \ // RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true \
// RUN: -analyzer-output text -verify %s // RUN: -analyzer-output text -verify %s
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
#include "Inputs/errno_func.h" #include "Inputs/errno_func.h"
void check_fopen(void) { void check_fopen(void) {
FILE *F = fopen("xxx", "r"); FILE *F = fopen("xxx", "r");
// expected-note@-1{{'errno' may be undefined after successful call to 'fopen'}} // expected-note@-1{{'errno' may be undefined after successful call to 'fopen'}}
// expected-note@-2{{'fopen' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
fclose(F); fclose(F);
} }
void check_tmpfile(void) { void check_tmpfile(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'errno' may be undefined after successful call to 'tmpfile'}} // expected-note@-1{{'errno' may be undefined after successful call to 'tmpfile'}}
// expected-note@-2{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno' [alpha.unix.Errno]}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
fclose(F); fclose(F);
} }
void check_freopen(void) { void check_freopen(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
F = freopen("xxx", "w", F); F = freopen("xxx", "w", F);
// expected-note@-1{{'errno' may be undefined after successful call to 'freopen'}} // expected-note@-1{{'errno' may be undefined after successful call to 'freopen'}}
// expected-note@-2{{'freopen' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
fclose(F); fclose(F);
} }
void check_fclose(void) { void check_fclose(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
(void)fclose(F); (void)fclose(F);
// expected-note@-1{{'errno' may be undefined after successful call to 'fclose'}} // expected-note@-1{{'errno' may be undefined after successful call to 'fclose'}}
// expected-note@-2{{'fclose' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
} }
void check_fread(void) { void check_fread(void) {
char Buf[10]; char Buf[10];
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
(void)fread(Buf, 1, 10, F); (void)fread(Buf, 1, 10, F);
// expected-note@-1{{'errno' may be undefined after successful call to 'fread'}} // expected-note@-1{{'errno' may be undefined after successful call to 'fread'}}
// expected-note@-2{{'fread' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
(void)fclose(F); (void)fclose(F);
} }
void check_fread_size0(void) { void check_fread_size0(void) {
char Buf[10]; char Buf[10];
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
fread(Buf, 0, 1, F); fread(Buf, 0, 1, F);
// expected-note@-1{{'errno' may be undefined after successful call to 'fread'}} // expected-note@-1{{'errno' may be undefined after successful call to 'fread'}}
// expected-note@-2{{'fread' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
} }
void check_fread_nmemb0(void) { void check_fread_nmemb0(void) {
char Buf[10]; char Buf[10];
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
fread(Buf, 1, 0, F); fread(Buf, 1, 0, F);
// expected-note@-1{{'errno' may be undefined after successful call to 'fread'}} // expected-note@-1{{'errno' may be undefined after successful call to 'fread'}}
// expected-note@-2{{'fread' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
} }
void check_fwrite(void) { void check_fwrite(void) {
char Buf[] = "0123456789"; char Buf[] = "0123456789";
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
int R = fwrite(Buf, 1, 10, F); int R = fwrite(Buf, 1, 10, F);
// expected-note@-1{{'errno' may be undefined after successful call to 'fwrite'}} // expected-note@-1{{'errno' may be undefined after successful call to 'fwrite'}}
// expected-note@-2{{'fwrite' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
(void)fclose(F); (void)fclose(F);
} }
void check_fseek(void) { void check_fseek(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
(void)fseek(F, 11, SEEK_SET); (void)fseek(F, 11, SEEK_SET);
// expected-note@-1{{'errno' may be undefined after successful call to 'fseek'}} // expected-note@-1{{'errno' may be undefined after successful call to 'fseek'}}
// expected-note@-2{{'fseek' is successful}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
(void)fclose(F); (void)fclose(F);
} }
void check_rewind_errnocheck(void) { void check_rewind_errnocheck(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
errno = 0; errno = 0;
rewind(F); // expected-note{{'rewind' indicates failure only by setting 'errno'}} rewind(F); // expected-note{{'rewind' indicates failure only by setting 'errno'}}
fclose(F); // expected-warning{{Value of 'errno' was not checked and may be overwritten by function 'fclose' [alpha.unix.Errno]}} fclose(F); // expected-warning{{Value of 'errno' was not checked and may be overwritten by function 'fclose' [alpha.unix.Errno]}}
// expected-note@-1{{Value of 'errno' was not checked and may be overwritten by function 'fclose'}} // expected-note@-1{{Value of 'errno' was not checked and may be overwritten by function 'fclose'}}
} }
void check_fileno(void) { void check_fileno(void) {
FILE *F = tmpfile(); FILE *F = tmpfile();
// expected-note@-1{{'tmpfile' is successful}}
// expected-note@+2{{'F' is non-null}} // expected-note@+2{{'F' is non-null}}
// expected-note@+1{{Taking false branch}} // expected-note@+1{{Taking false branch}}
if (!F) if (!F)
return; return;
fileno(F); fileno(F);
// expected-note@-1{{Assuming that 'fileno' is successful}} // expected-note@-1{{'errno' may be undefined after successful call to 'fileno'}}
// expected-note@-2{{'errno' may be undefined after successful call to 'fileno'}}
if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}} if (errno) {} // expected-warning{{An undefined value may be read from 'errno'}}
// expected-note@-1{{An undefined value may be read from 'errno'}} // expected-note@-1{{An undefined value may be read from 'errno'}}
(void)fclose(F); (void)fclose(F);
} }

clang/test/Analysis/stream-note.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream -analyzer-output text \ // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream -analyzer-output text \
// RUN: -verify %s // RUN: -verify %s
// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream,alpha.unix.StdCLibraryFunctions -analyzer-output text \ // RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.unix.Stream,alpha.unix.StdCLibraryFunctions -analyzer-output text \
// RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true -verify=expected,stdargs %s // RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true -verify=expected,stdargs %s
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
void check_note_at_correct_open(void) { void check_note_at_correct_open(void) {
FILE *F1 = tmpfile(); // expected-note {{Stream opened here}} FILE *F1 = tmpfile(); // expected-note {{Stream opened here}}
// stdargs-note@-1 {{'tmpfile' is successful}} // stdargs-note@-1 {{'tmpfile' is successful}}
if (!F1) if (!F1)
// expected-note@-1 {{'F1' is non-null}} // expected-note@-1 {{'F1' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
return; return;
FILE *F2 = tmpfile(); FILE *F2 = tmpfile();
// stdargs-note@-1 {{'tmpfile' is successful}}
if (!F2) { if (!F2) {
// expected-note@-1 {{'F2' is non-null}} // expected-note@-1 {{'F2' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
fclose(F1); fclose(F1);
return; return;
} }
rewind(F2); rewind(F2);
fclose(F2); fclose(F2);
// stdargs-note@-1 {{'fclose' fails}}
rewind(F1); rewind(F1);
} }
// expected-warning@-1 {{Opened stream never closed. Potential resource leak}} // expected-warning@-1 {{Opened stream never closed. Potential resource leak}}
// expected-note@-2 {{Opened stream never closed. Potential resource leak}} // expected-note@-2 {{Opened stream never closed. Potential resource leak}}
void check_note_fopen(void) { void check_note_fopen(void) {
FILE *F = fopen("file", "r"); // expected-note {{Stream opened here}} FILE *F = fopen("file", "r"); // expected-note {{Stream opened here}}
// stdargs-note@-1 {{'fopen' is successful}} // stdargs-note@-1 {{'fopen' is successful}}
Show All 20 Lines if (!F)
return; return;
} }
// expected-warning@-1 {{Opened stream never closed. Potential resource leak}} // expected-warning@-1 {{Opened stream never closed. Potential resource leak}}
// expected-note@-2 {{Opened stream never closed. Potential resource leak}} // expected-note@-2 {{Opened stream never closed. Potential resource leak}}
void check_note_leak_2(int c) { void check_note_leak_2(int c) {
FILE *F1 = fopen("foo1.c", "r"); // expected-note {{Stream opened here}} FILE *F1 = fopen("foo1.c", "r"); // expected-note {{Stream opened here}}
// stdargs-note@-1 {{'fopen' is successful}} // stdargs-note@-1 {{'fopen' is successful}}
// stdargs-note@-2 {{'fopen' is successful}}
if (!F1) if (!F1)
// expected-note@-1 {{'F1' is non-null}} // expected-note@-1 {{'F1' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
// expected-note@-3 {{'F1' is non-null}} // expected-note@-3 {{'F1' is non-null}}
// expected-note@-4 {{Taking false branch}} // expected-note@-4 {{Taking false branch}}
return; return;
FILE *F2 = fopen("foo2.c", "r"); // expected-note {{Stream opened here}} FILE *F2 = fopen("foo2.c", "r"); // expected-note {{Stream opened here}}
// stdargs-note@-1 {{'fopen' is successful}} // stdargs-note@-1 {{'fopen' is successful}}
// stdargs-note@-2 {{'fopen' is successful}}
if (!F2) { if (!F2) {
// expected-note@-1 {{'F2' is non-null}} // expected-note@-1 {{'F2' is non-null}}
// expected-note@-2 {{Taking false branch}} // expected-note@-2 {{Taking false branch}}
// expected-note@-3 {{'F2' is non-null}} // expected-note@-3 {{'F2' is non-null}}
// expected-note@-4 {{Taking false branch}} // expected-note@-4 {{Taking false branch}}
fclose(F1); fclose(F1);
return; return;
} }
Show All 22 Linesvoid check_track_null(void) {
fclose(F); // expected-warning {{Stream pointer might be NULL}} fclose(F); // expected-warning {{Stream pointer might be NULL}}
// expected-note@-1 {{Stream pointer might be NULL}} // expected-note@-1 {{Stream pointer might be NULL}}
} }
void check_eof_notes_feof_after_feof(void) { void check_eof_notes_feof_after_feof(void) {
FILE *F; FILE *F;
char Buf[10]; char Buf[10];
F = fopen("foo1.c", "r"); F = fopen("foo1.c", "r");
// stdargs-note@-1 {{'fopen' is successful}}
if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}} if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}}
return; return;
} }
fread(Buf, 1, 1, F); fread(Buf, 1, 1, F);
// stdargs-note@-1 {{'fread' fails}}
if (feof(F)) { // expected-note {{Taking true branch}} if (feof(F)) { // expected-note {{Taking true branch}}
clearerr(F); clearerr(F);
fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}} fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}}
// stdargs-note@-1 {{'fread' fails}}
if (feof(F)) { // expected-note {{Taking true branch}} if (feof(F)) { // expected-note {{Taking true branch}}
fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}} fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}}
// expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}} // expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}}
} }
} }
fclose(F); fclose(F);
} }
void check_eof_notes_feof_after_no_feof(void) { void check_eof_notes_feof_after_no_feof(void) {
FILE *F; FILE *F;
char Buf[10]; char Buf[10];
F = fopen("foo1.c", "r"); F = fopen("foo1.c", "r");
// stdargs-note@-1 {{'fopen' is successful}}
if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}} if (F == NULL) { // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}}
return; return;
} }
fread(Buf, 1, 1, F); fread(Buf, 1, 1, F);
// stdargs-note@-1 {{'fread' is successful}}
if (feof(F)) { // expected-note {{Taking false branch}} if (feof(F)) { // expected-note {{Taking false branch}}
fclose(F); fclose(F);
return; return;
} else if (ferror(F)) { // expected-note {{Taking false branch}} } else if (ferror(F)) { // expected-note {{Taking false branch}}
fclose(F); fclose(F);
return; return;
} }
fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}} fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}}
// stdargs-note@-1 {{'fread' fails}}
if (feof(F)) { // expected-note {{Taking true branch}} if (feof(F)) { // expected-note {{Taking true branch}}
fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}} fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}}
// expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}} // expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}}
} }
fclose(F); fclose(F);
} }
void check_eof_notes_feof_or_no_error(void) { void check_eof_notes_feof_or_no_error(void) {
FILE *F; FILE *F;
char Buf[10]; char Buf[10];
F = fopen("foo1.c", "r"); F = fopen("foo1.c", "r");
// stdargs-note@-1 {{'fopen' is successful}}
if (F == NULL) // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}} if (F == NULL) // expected-note {{Taking false branch}} expected-note {{'F' is not equal to NULL}}
return; return;
int RRet = fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}} int RRet = fread(Buf, 1, 1, F); // expected-note {{Assuming stream reaches end-of-file here}}
// stdargs-note@-1 {{'fread' fails}}
if (ferror(F)) { // expected-note {{Taking false branch}} if (ferror(F)) { // expected-note {{Taking false branch}}
} else { } else {
fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}} fread(Buf, 1, 1, F); // expected-warning {{Read function called when stream is in EOF state. Function has no effect}}
// expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}} // expected-note@-1 {{Read function called when stream is in EOF state. Function has no effect}}
} }
fclose(F); fclose(F);
} }