This is an archive of the discontinued LLVM Phabricator instance.

Differential D155445

[analyzer][docs] Add CSA release notes
ClosedPublic

Authored by steakhal on Jul 17 2023, 5:12 AM.

Details

Reviewers
NoQ
xazax.hun
Szelethus
donat.nagy
balazske
gamesh411
tripleCC
tomasz-kaminski-sonarsource
OikawaKirie
Commits
rG862b93a8095c: [analyzer][docs] Add CSA release notes
Summary

We'll soon branch off, and start releasing clang-17.
Here is a patch, adjusting the release notes for what we achieved since
the last release.

I used this command to inspect the interesting commits:

git log --oneline llvmorg-16.0.0..llvm/main \
  clang/{lib/StaticAnalyzer,include/clang/StaticAnalyzer} | \
  grep -v NFC | grep -v -i revert

This filters in CSA directories and filters out NFC and revert commits.

Given that in the release-notes, we usually don't put links to commits,
I'll remove them from this patch as well. I just put them there to make
it easier to review for you.

I tried to group the changes into meaningful chunks, and dropped some of
the uninteresting commits.
I've also dropped the commits that were backported to clang-16.

Check out how it looks, and propose changes like usual.

Here is a preview of how the CSA section looks with this:


ReleaseNotes.html95 KBDownload

FYI the ninja docs-clang-html produces the html docs, including the ReleaseNotes.
And the produced artifact will be at build/tools/clang/docs/html/ReleaseNotes.html.

Diff Detail

Event Timeline

steakhal created this revision.Jul 17 2023, 5:12 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 17 2023, 5:12 AM
Herald added subscribers: manas, ASDenysPetrov, martong and 5 others. · View Herald Transcript
steakhal requested review of this revision.Jul 17 2023, 5:12 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 17 2023, 5:12 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
steakhal edited the summary of this revision. (Show Details)Jul 17 2023, 5:14 AM
xazax.hun accepted this revision.Jul 17 2023, 5:41 AM
xazax.hun added inline comments.
clang/docs/ReleaseNotes.rst
1013

I think we should mention something like "Use -fstrict-flex-array=<N> instead if necessary."

1014

I think we usually do not mention crash fixes in the changelog. We have them in almost every release and sometimes there are quite a few of them.

This revision is now accepted and ready to land.Jul 17 2023, 5:41 AM
steakhal added inline comments.Jul 17 2023, 6:09 AM
clang/docs/ReleaseNotes.rst
1013

Good point.

1014

I won't mention the explicit commit where it was fixed.
However, downstream users might wanna know about crashes and fixes that happened in this release.
And speaking about past practices about release notes, I think we can improve on that TBH.
We can move it down on the list if you want, but I'd rather keep it.

xazax.hun added inline comments.Jul 17 2023, 7:06 AM
clang/docs/ReleaseNotes.rst
1014

Is this the only crash fix we had? Moving crash fixes to the bottom of the list sounds good to me.

Harbormaster completed remote builds in B245797: Diff 540961.Jul 17 2023, 7:38 AM
OikawaKirie added a comment.Jul 17 2023, 10:43 AM

The key idea of my commit 1bd2d335b649:

  • For string APIs that will not provide the copy length (strcpy), we will use the buffer decl and literal length to infer whether it overflows. If the copy operation does not overflow, we will now only invalidate the buffer string being copied to.
  • For string APIs that never overflow (strsep), we will always invalidate the target buffer only.
  • For those that we cannot correctly handle now (std::copy), we will also invalidate the base region and make all pointers in the base region escape.

Hence,
For strcpys, we infer through buffer size and string literals.
For strsep, we believe it never overflows through its functionality specification. It is also an inference.

Whereas for memcpy where the copy length is given in arguments, the non-inferring circumstances, it was implemented previously in patch D12571, not a part of my changes.

clang/docs/ReleaseNotes.rst
1026–1028

One tiny change to the abstraction.
The `CStringChecker` will invalidate less if the copy operation is inferable to be bounded.

steakhal updated this revision to Diff 541175.Jul 17 2023, 12:01 PM
steakhal marked 4 inline comments as done.

Currentl look:

let me know if you like it.
Feel free to propose changes.

I'm not sure about the relative ordering. We should consider some semantic ordering. Such as perceived impact on the regular user?

IMO the taint tracking and the ArrayBoundCheckerV2 improvements were quite impactful, as both of those were up on the table for a really long time now.
Also, for a similar reason, I think Objective-C improvements definitely deserve the spotlight.

@balazske @donat.nagy WDYT about the StreamChecker and the StdCLibraryFunctions entries? I didn't follow those patches, thus I cannot write the notes for it either.

steakhal mentioned this in D153612: [clang][analyzer] Add and change NoteTags in StdLibraryFunctionsChecker..Jul 17 2023, 12:31 PM
Harbormaster completed remote builds in B245965: Diff 541175.Jul 17 2023, 6:43 PM
OikawaKirie accepted this revision.Jul 17 2023, 9:30 PM

LGTM for my part. Thx.

Since I am not very familiar with other changes, I have no detailed suggestions for the order.

clang/docs/ReleaseNotes.rst
1026–1027

The lengths of both src and dst buffers need to be known.

1041

I think this may be a typo here, as we do not invalidate the source buffer originally.

steakhal updated this revision to Diff 541356.Jul 18 2023, 12:33 AM
steakhal marked 2 inline comments as done.
In D155445#4508728, @OikawaKirie wrote:

LGTM for my part. Thx.

Since I am not very familiar with other changes, I have no detailed suggestions for the order.

Thanks for the feedback. Applied!

clang/docs/ReleaseNotes.rst
1014

No, it wasn't. We also had one for init-expr global variable initializers. See
I swept that fix under the carpet of "Fixed some bugs around the handling of constant global arrays and their initializer expressions". I made it more explicit now.

However, at this point, I think it's okay to simply omit the mention of the null deref crash fix.
Second thoughts?

1026–1027

Applied!

1026–1028

I decided to elaborate on this a bit. Let me know if it's too thorough now.

1041

Exactly. Thanks!

Harbormaster completed remote builds in B246096: Diff 541356.Jul 18 2023, 4:16 AM
xazax.hun accepted this revision.Jul 18 2023, 5:13 AM
xazax.hun added inline comments.
clang/docs/ReleaseNotes.rst
1014

I have no strong preference, I am fine with both :)

balazske added inline comments.Jul 19 2023, 12:59 AM
clang/docs/ReleaseNotes.rst
1068

The checker checks for much more functions in POSIX mode.
These additional commits:
6dccf5b8d550911f06e492a3a75c640c05efdab3
f12808ab20369c85ddb602e5a78bab40d16bb83f
39670ae3b93470b2d29fe78e6d40c5d82a05e4a1

steakhal added a comment.Jul 23 2023, 11:26 PM

After removing all commit refs, here is how it looks:

Closed by commit rG862b93a8095c: [analyzer][docs] Add CSA release notes (authored by steakhal). · Explain WhyJul 23 2023, 11:27 PM
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rG862b93a8095c: [analyzer][docs] Add CSA release notes.

Revision Contents

PathSize
clang/
docs/
63 lines

Diff 543390

clang/docs/ReleaseNotes.rst

Show First 20 LinesShow All 996 Lines▼ Show 20 Lines- Added check in ``clang_getFieldDeclBitWidth`` for whether a bit-field
has an evaluable bit width. Fixes undefined behavior when called on a has an evaluable bit width. Fixes undefined behavior when called on a
bit-field whose width depends on a template parameter. bit-field whose width depends on a template parameter.
- Added ``CXBinaryOperatorKind`` and ``CXUnaryOperatorKind``. - Added ``CXBinaryOperatorKind`` and ``CXUnaryOperatorKind``.
(`#29138 <https://github.com/llvm/llvm-project/issues/29138>`_) (`#29138 <https://github.com/llvm/llvm-project/issues/29138>`_)
Static Analyzer Static Analyzer
--------------- ---------------
- Fix incorrect alignment attribute on the this parameter of certain - Fix incorrect alignment attribute on the this parameter of certain
non-complete destructors when using the Microsoft ABI. non-complete destructors when using the Microsoft ABI.
(`#60465 <https://github.com/llvm/llvm-project/issues/60465>`_) (`#60465 <https://github.com/llvm/llvm-project/issues/60465>`_)
- Removed the deprecated
``consider-single-element-arrays-as-flexible-array-members`` analyzer option.
Any use of this flag will result in an error.
Use `-fstrict-flex-arrays=<n>
xazax.hunUnsubmitted
Done
ReplyInline Actions

I think we should mention something like "Use -fstrict-flex-array=<N> instead if necessary."

xazax.hun: I think we should mention something like "Use -fstrict-flex-array=<N> instead if necessary."
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

Good point.

steakhal: Good point.
<https://clang.llvm.org/docs/ClangCommandLineReference.html#cmdoption-clang-fstrict-flex-arrays>`_
xazax.hunUnsubmitted
Done
ReplyInline Actions

I think we usually do not mention crash fixes in the changelog. We have them in almost every release and sometimes there are quite a few of them.

xazax.hun: I think we usually do not mention crash fixes in the changelog. We have them in almost every…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

I won't mention the explicit commit where it was fixed.
However, downstream users might wanna know about crashes and fixes that happened in this release.
And speaking about past practices about release notes, I think we can improve on that TBH.
We can move it down on the list if you want, but I'd rather keep it.

steakhal: I won't mention the explicit commit where it was fixed. However, downstream users might wanna…
xazax.hunUnsubmitted
Done
ReplyInline Actions

Is this the only crash fix we had? Moving crash fixes to the bottom of the list sounds good to me.

xazax.hun: Is this the only crash fix we had? Moving crash fixes to the bottom of the list sounds good to…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

No, it wasn't. We also had one for init-expr global variable initializers. See
I swept that fix under the carpet of "Fixed some bugs around the handling of constant global arrays and their initializer expressions". I made it more explicit now.

However, at this point, I think it's okay to simply omit the mention of the null deref crash fix.
Second thoughts?

steakhal: No, it wasn't. We also had one for init-expr global variable initializers. [[ https://github.
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

I have no strong preference, I am fine with both :)

xazax.hun: I have no strong preference, I am fine with both :)
- Better modeling of lifetime-extended memory regions. As a result, the
``MoveChecker`` raises more true-positive reports.
- Fixed some bugs (including crashes) around the handling of constant global
arrays and their initializer expressions.
- The ``CStringChecker`` will invalidate less if the copy operation is
inferable to be bounded. For example, if the arguments of ``strcpy`` are
known to be of certain lengths and that are in-bounds.
.. code-block:: c++
OikawaKirieUnsubmitted
Done
ReplyInline Actions
- The ``CStringChecker`` will invalidate less if the copy operation is
- inferable to be bounded. For example, if the argument of ``strcpy`` is known
- to be of certain length and that is in-bounds.
+ inferable to be bounded. For example, if the arguments of ``strcpy`` are known
+ to be of certain lengths and that are in-bounds.
.. code-block:: c++

The lengths of both src and dst buffers need to be known.

OikawaKirie: The lengths of both src and dst buffers need to be known.
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

Applied!

steakhal: Applied!
struct {
OikawaKirieUnsubmitted
Done
ReplyInline Actions

One tiny change to the abstraction.
The `CStringChecker` will invalidate less if the copy operation is inferable to be bounded.

OikawaKirie: One tiny change to the abstraction. The ``CStringChecker`` will invalidate less if the copy…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

I decided to elaborate on this a bit. Let me know if it's too thorough now.

steakhal: I decided to elaborate on this a bit. Let me know if it's too thorough now.
void *ptr;
char arr[4];
} x;
x.ptr = malloc(1);
// extent of 'arr' is 4, and writing "hi\n" (4 characters),
// thus no buffer overflow can happen
strcpy(x.arr, "hi\n");
free(x.ptr); // no longer reports memory leak here
Similarly, functions like ``strsep`` now won't invalidate the object
containing the destination buffer, because it can never overflow.
Note that, ``std::copy`` is still not modeled, and as such, it will still
invalidate the enclosing object on call.
OikawaKirieUnsubmitted
Done
ReplyInline Actions
free(x.ptr); // no longer reports memory leak here
- Similarly, functions like ``strsep`` now won't invalidate the source buffer,
+ Similarly, functions like ``strsep`` now won't invalidate the object containing the destination buffer,
because it can never overflow.

I think this may be a typo here, as we do not invalidate the source buffer originally.

OikawaKirie: I think this may be a typo here, as we do not invalidate the source buffer originally.
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

Exactly. Thanks!

steakhal: Exactly. Thanks!
(`#55019 <https://github.com/llvm/llvm-project/issues/55019>`_)
- Implement ``BufferOverlap`` check for ``sprint``/``snprintf``
The ``CStringChecker`` checks for buffer overlaps for ``sprintf`` and
``snprintf``.
- Objective-C support was improved around checking ``_Nonnull`` and
``_Nullable`` including block pointers and literal objects.
- Let the ``StreamChecker`` detect ``NULL`` streams instead of by
``StdCLibraryFunctions``.
``StreamChecker`` improved on the ``fseek`` modeling for the ``SEEK_SET``,
``SEEK_END``, ``SEEK_CUR`` arguments.
- ``StdCLibraryFunctionArgs`` was merged into the ``StdCLibraryFunctions``.
The diagnostics of the ``StdCLibraryFunctions`` was improved.
- ``QTimer::singleShot`` now doesn't raise false-positives for memory leaks by
the ``MallocChecker``.
(`#39713 <https://github.com/llvm/llvm-project/issues/39713>`_)
- Fixed the infamous unsigned index false-positives in the
``ArrayBoundCheckerV2`` checker.
(`#44493 <https://github.com/llvm/llvm-project/issues/44493>`_)
- Now, taint propagations are tracked further back until the real taint source.
This improves all taint-related diagnostics.
balazskeUnsubmitted
Not Done
ReplyInline Actions

The checker checks for much more functions in POSIX mode.
These additional commits:
6dccf5b8d550911f06e492a3a75c640c05efdab3
f12808ab20369c85ddb602e5a78bab40d16bb83f
39670ae3b93470b2d29fe78e6d40c5d82a05e4a1

balazske: The checker checks for much more functions in POSIX mode. These additional commits…
- Fixed a null-pointer dereference crash inside the ``MoveChecker``.
.. _release-notes-sanitizers: .. _release-notes-sanitizers:
Sanitizers Sanitizers
---------- ----------
Python Binding Changes Python Binding Changes
---------------------- ----------------------
The following methods have been added: The following methods have been added:
Show All 17 Lines