This is an archive of the discontinued LLVM Phabricator instance.

Differential D15921

[analyzer] Utility to match function calls.
ClosedPublic

Authored by xazax.hun on Jan 6 2016, 5:31 AM.

Details

Reviewers
dcoughlin
zaks.anna
Commits
rG343730c58fc6: [analyzer] Utility to match function calls.
rC258572: [analyzer] Utility to match function calls.
rL258572: [analyzer] Utility to match function calls.
Summary

This patch adds a small utility to match function calls and Obj-C messages. This utility abstracts away the mutable keywords and the lazy initialization and caching logic of identifiers from the checkers. The SimpleStreamChecker is ported over this utility within this patch to show the reduction of code and to test this change.

Diff Detail

Event Timeline

xazax.hun updated this revision to Diff 44110.Jan 6 2016, 5:31 AM
xazax.hun retitled this revision from to [analyzer] Utility to match function calls..
xazax.hun updated this object.
xazax.hun added reviewers: zaks.anna, dcoughlin.
xazax.hun added subscribers: cfe-commits, dkrupp.
zaks.anna added inline comments.Jan 6 2016, 11:22 AM
include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
307

"is call" -> "is a call"

lib/StaticAnalyzer/Core/CheckerContext.cpp
41

Please, add && "ObjC Methods are not supported"

47

You can micro optimize by checking if the identifier matches first (and only checking arguments later); in most cases it won't.

57

This will only match against the first part of the ObjC method name. Also, this is not tested. I am Ok with adding the ObjC support later and adding an assert above to error out if this is used for ObjC.

xazax.hun updated this revision to Diff 44322.Jan 8 2016, 6:52 AM
xazax.hun marked 4 inline comments as done.
  • Removed support for matching ObjC messages. It might be added in a later.
  • Addressed review comments.
xazax.hun updated this revision to Diff 44325.Jan 8 2016, 6:55 AM

Updated the comments.

zaks.anna added inline comments.Jan 11 2016, 12:47 PM
include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
312

The API is a bit awkward. Maybe it would be better if we make this a member of CallEvent as you've suggested initially?

xazax.hun updated this revision to Diff 44721.Jan 13 2016, 2:28 AM
  • Moved the API to CallEvent.
xazax.hun marked an inline comment as done.Jan 13 2016, 2:28 AM
xazax.hun added inline comments.
include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
312

I agree. Moved it to CallEvent.

zaks.anna accepted this revision.Jan 20 2016, 3:18 PM
zaks.anna edited edge metadata.

LGTM

This revision is now accepted and ready to land.Jan 20 2016, 3:18 PM
Closed by commit rL258572: [analyzer] Utility to match function calls. (authored by xazax). · Explain WhyJan 22 2016, 2:36 PM
This revision was automatically updated to reflect the committed changes.
krasin added a subscriber: krasin.EditedJan 22 2016, 3:59 PM

FYI: this revision has likely broken the build: http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux-fast/builds/9561

FAIL: Clang :: Analysis/simple-stream-checks.c (367 of 8927)
******************** TEST 'Clang :: Analysis/simple-stream-checks.c' FAILED ********************
Script:
--
/mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm_build_asan/./bin/clang -cc1
-internal-isystem /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm_build_asan/bin/../lib/clang/3.9.0/include -nostdsysteminc -analyze -analyzer-checker=core,alpha.unix.SimpleStream
-verify /mnt/b/sanitizer-buildbot3/sanitizer-x86_64-linux-fast/build/llvm/tools/clang/test/Analysis/simple-stream-checks.c
--
zaks.anna added a comment.Jan 22 2016, 4:50 PM

Looks like the 'II' pointer wasn't initialized. Should be fixed by r258591.

xazax.hun marked an inline comment as done.Jan 23 2016, 5:09 AM

Thank you for the fix and sorry for not noticing this. I was unlucky and the tests did pass on my machine.

ariccio added a subscriber: ariccio.Mar 5 2016, 1:47 PM

Side note: Has anybody ever considered just treating fopen and fclose like malloc and free?

On Windows I use a trick that I discovered what I call "the _Post_ptr_invalid_ hack" because* the _Post_ptr_invalid_ SAL annotation lets me treat the argument to CloseHandle like the argument to free, and reports double closes as double frees.

Here we'd just treat the FILE* as a different region of memory, to check that they're not mixed.

  • this also works in part because a Windows HANDLE is just a typedefd void*
cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp
106 ↗(On Diff #45748)

Why specify the RequiredArgs for fclose, and not fopen?

zaks.anna added a comment.Mar 7 2016, 2:56 PM

Side note: Has anybody ever considered just treating fopen and fclose like malloc and free?

Yes, there are a few checkers that follow the same open/close rule and could in theory be merged together.

cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp
106 ↗(On Diff #45748)

Not sure. Maybe it's an omission.

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
27 lines
lib/
StaticAnalyzer/
Checkers/
25 lines
Core/
11 lines

Diff 44325

include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h

Show First 20 LinesShow All 60 Lines▼ Show 20 Linesnamespace ento {
/// NameTy List = State->get<Name>(); /// NameTy List = State->get<Name>();
/// \endcode /// \endcode
/// ///
/// The macro should not be used inside namespaces, or for traits that must /// The macro should not be used inside namespaces, or for traits that must
/// be accessible from more than one translation unit. /// be accessible from more than one translation unit.
#define REGISTER_LIST_WITH_PROGRAMSTATE(Name, Elem) \ #define REGISTER_LIST_WITH_PROGRAMSTATE(Name, Elem) \
REGISTER_TRAIT_WITH_PROGRAMSTATE(Name, llvm::ImmutableList<Elem>) REGISTER_TRAIT_WITH_PROGRAMSTATE(Name, llvm::ImmutableList<Elem>)
/// This class represents a description of a function call using the number of
/// arguments and the name of the function.
class CallDescription {
friend class CheckerContext;
mutable IdentifierInfo *II;
StringRef FuncName;
unsigned RequiredArgs;
public:
const static unsigned NoArgRequirement = ~0;
/// \brief Constructs a CallDescription object.
///
/// @param FuncName The name of the function that will be matched.
///
/// @param RequiredArgs The number of arguments that is expected to match a
/// call. Omit this parameter to match every occurance of call with a given
/// name regardless the number of arguments.
CallDescription(StringRef FuncName, unsigned RequiredArgs = NoArgRequirement)
: FuncName(FuncName), RequiredArgs(RequiredArgs) {}
};
class CheckerContext { class CheckerContext {
ExprEngine &Eng; ExprEngine &Eng;
/// The current exploded(symbolic execution) graph node. /// The current exploded(symbolic execution) graph node.
ExplodedNode *Pred; ExplodedNode *Pred;
/// The flag is true if the (state of the execution) has been modified /// The flag is true if the (state of the execution) has been modified
/// by the checker using this context. For example, a new transition has been /// by the checker using this context. For example, a new transition has been
/// added or a bug report issued. /// added or a bug report issued.
▲ Show 20 LinesShow All 202 Lines▼ Show 20 Linespublic:
} }
/// \brief Get the name of the called function (path-sensitive). /// \brief Get the name of the called function (path-sensitive).
StringRef getCalleeName(const CallExpr *CE) const { StringRef getCalleeName(const CallExpr *CE) const {
const FunctionDecl *FunDecl = getCalleeDecl(CE); const FunctionDecl *FunDecl = getCalleeDecl(CE);
return getCalleeName(FunDecl); return getCalleeName(FunDecl);
} }
/// \brief Returns true if the CallEvent is a call to a function that matches
zaks.annaUnsubmitted
Done
ReplyInline Actions

"is call" -> "is a call"

zaks.anna: "is call" -> "is a call"
/// the CallDescription.
///
/// Note that this function is not intended to be used to match Obj-C method
/// calls.
bool isCalled(const CallEvent &Call, const CallDescription &CD);
zaks.annaUnsubmitted
Done
ReplyInline Actions

The API is a bit awkward. Maybe it would be better if we make this a member of CallEvent as you've suggested initially?

zaks.anna: The API is a bit awkward. Maybe it would be better if we make this a member of CallEvent as…
xazax.hunAuthorUnsubmitted
Not Done
ReplyInline Actions

I agree. Moved it to CallEvent.

xazax.hun: I agree. Moved it to CallEvent.
/// \brief Returns true if the callee is an externally-visible function in the /// \brief Returns true if the callee is an externally-visible function in the
/// top-level namespace, such as \c malloc. /// top-level namespace, such as \c malloc.
/// ///
/// If a name is provided, the function must additionally match the given /// If a name is provided, the function must additionally match the given
/// name. /// name.
/// ///
/// Note that this deliberately excludes C++ library functions in the \c std /// Note that this deliberately excludes C++ library functions in the \c std
/// namespace, but will include C library functions accessed through the /// namespace, but will include C library functions accessed through the
▲ Show 20 LinesShow All 55 LinesShow Last 20 Lines

lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp

Show First 20 LinesShow All 45 Lines▼ Show 20 Lines void Profile(llvm::FoldingSetNodeID &ID) const {
ID.AddInteger(K); ID.AddInteger(K);
} }
}; };
class SimpleStreamChecker : public Checker<check::PostCall, class SimpleStreamChecker : public Checker<check::PostCall,
check::PreCall, check::PreCall,
check::DeadSymbols, check::DeadSymbols,
check::PointerEscape> { check::PointerEscape> {
CallDescription OpenFn, CloseFn;
mutable IdentifierInfo *IIfopen, *IIfclose;
std::unique_ptr<BugType> DoubleCloseBugType; std::unique_ptr<BugType> DoubleCloseBugType;
std::unique_ptr<BugType> LeakBugType; std::unique_ptr<BugType> LeakBugType;
void initIdentifierInfo(ASTContext &Ctx) const;
void reportDoubleClose(SymbolRef FileDescSym, void reportDoubleClose(SymbolRef FileDescSym,
const CallEvent &Call, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void reportLeaks(ArrayRef<SymbolRef> LeakedStreams, CheckerContext &C, void reportLeaks(ArrayRef<SymbolRef> LeakedStreams, CheckerContext &C,
ExplodedNode *ErrNode) const; ExplodedNode *ErrNode) const;
bool guaranteedNotToCloseFile(const CallEvent &Call) const; bool guaranteedNotToCloseFile(const CallEvent &Call) const;
Show All 31 Linespublic:
bool VisitSymbol(SymbolRef sym) override { bool VisitSymbol(SymbolRef sym) override {
state = state->remove<StreamMap>(sym); state = state->remove<StreamMap>(sym);
return true; return true;
} }
}; };
} // end anonymous namespace } // end anonymous namespace
SimpleStreamChecker::SimpleStreamChecker() SimpleStreamChecker::SimpleStreamChecker()
: IIfopen(nullptr), IIfclose(nullptr) { : OpenFn("fopen"), CloseFn("fclose", 1) {
// Initialize the bug types. // Initialize the bug types.
DoubleCloseBugType.reset( DoubleCloseBugType.reset(
new BugType(this, "Double fclose", "Unix Stream API Error")); new BugType(this, "Double fclose", "Unix Stream API Error"));
LeakBugType.reset( LeakBugType.reset(
new BugType(this, "Resource Leak", "Unix Stream API Error")); new BugType(this, "Resource Leak", "Unix Stream API Error"));
// Sinks are higher importance bugs as well as calls to assert() or exit(0). // Sinks are higher importance bugs as well as calls to assert() or exit(0).
LeakBugType->setSuppressOnSink(true); LeakBugType->setSuppressOnSink(true);
} }
void SimpleStreamChecker::checkPostCall(const CallEvent &Call, void SimpleStreamChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
initIdentifierInfo(C.getASTContext());
if (!Call.isGlobalCFunction()) if (!Call.isGlobalCFunction())
return; return;
if (Call.getCalleeIdentifier() != IIfopen) if (!C.isCalled(Call, OpenFn))
return; return;
// Get the symbolic value corresponding to the file handle. // Get the symbolic value corresponding to the file handle.
SymbolRef FileDesc = Call.getReturnValue().getAsSymbol(); SymbolRef FileDesc = Call.getReturnValue().getAsSymbol();
if (!FileDesc) if (!FileDesc)
return; return;
// Generate the next transition (an edge in the exploded graph). // Generate the next transition (an edge in the exploded graph).
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
State = State->set<StreamMap>(FileDesc, StreamState::getOpened()); State = State->set<StreamMap>(FileDesc, StreamState::getOpened());
C.addTransition(State); C.addTransition(State);
} }
void SimpleStreamChecker::checkPreCall(const CallEvent &Call, void SimpleStreamChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
initIdentifierInfo(C.getASTContext());
if (!Call.isGlobalCFunction()) if (!Call.isGlobalCFunction())
return; return;
if (Call.getCalleeIdentifier() != IIfclose) if (!C.isCalled(Call, CloseFn))
return;
if (Call.getNumArgs() != 1)
return; return;
// Get the symbolic value corresponding to the file handle. // Get the symbolic value corresponding to the file handle.
SymbolRef FileDesc = Call.getArgSVal(0).getAsSymbol(); SymbolRef FileDesc = Call.getArgSVal(0).getAsSymbol();
if (!FileDesc) if (!FileDesc)
return; return;
// Check if the stream has already been closed. // Check if the stream has already been closed.
▲ Show 20 LinesShow All 110 Lines▼ Show 20 Lines for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
// The symbol escaped. Optimistically, assume that the corresponding file // The symbol escaped. Optimistically, assume that the corresponding file
// handle will be closed somewhere else. // handle will be closed somewhere else.
State = State->remove<StreamMap>(Sym); State = State->remove<StreamMap>(Sym);
} }
return State; return State;
} }
void SimpleStreamChecker::initIdentifierInfo(ASTContext &Ctx) const {
if (IIfopen)
return;
IIfopen = &Ctx.Idents.get("fopen");
IIfclose = &Ctx.Idents.get("fclose");
}
void ento::registerSimpleStreamChecker(CheckerManager &mgr) { void ento::registerSimpleStreamChecker(CheckerManager &mgr) {
mgr.registerChecker<SimpleStreamChecker>(); mgr.registerChecker<SimpleStreamChecker>();
} }

lib/StaticAnalyzer/Core/CheckerContext.cpp

//== CheckerContext.cpp - Context info for path-sensitive checkers-----------=// //== CheckerContext.cpp - Context info for path-sensitive checkers-----------=//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines CheckerContext that provides contextual info for // This file defines CheckerContext that provides contextual info for
// path-sensitive checkers. // path-sensitive checkers.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/Basic/Builtins.h" #include "clang/Basic/Builtins.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
const FunctionDecl *CheckerContext::getCalleeDecl(const CallExpr *CE) const { const FunctionDecl *CheckerContext::getCalleeDecl(const CallExpr *CE) const {
ProgramStateRef State = getState(); ProgramStateRef State = getState();
const Expr *Callee = CE->getCallee(); const Expr *Callee = CE->getCallee();
SVal L = State->getSVal(Callee, Pred->getLocationContext()); SVal L = State->getSVal(Callee, Pred->getLocationContext());
return L.getAsFunctionDecl(); return L.getAsFunctionDecl();
} }
StringRef CheckerContext::getCalleeName(const FunctionDecl *FunDecl) const { StringRef CheckerContext::getCalleeName(const FunctionDecl *FunDecl) const {
if (!FunDecl) if (!FunDecl)
return StringRef(); return StringRef();
IdentifierInfo *funI = FunDecl->getIdentifier(); IdentifierInfo *funI = FunDecl->getIdentifier();
if (!funI) if (!funI)
return StringRef(); return StringRef();
return funI->getName(); return funI->getName();
} }
bool CheckerContext::isCalled(const CallEvent &Call,
const CallDescription &CD) {
assert(Call.getKind() != CE_ObjCMessage && "Obj-C methods are not supported");
zaks.annaUnsubmitted
Done
ReplyInline Actions

Please, add && "ObjC Methods are not supported"

zaks.anna: Please, add && "ObjC Methods are not supported"
if (!CD.II)
CD.II = &getASTContext().Idents.get(CD.FuncName);
if (Call.getCalleeIdentifier() != CD.II)
return false;
return (CD.RequiredArgs == CallDescription::NoArgRequirement ||
CD.RequiredArgs == Call.getNumArgs());
zaks.annaUnsubmitted
Done
ReplyInline Actions

You can micro optimize by checking if the identifier matches first (and only checking arguments later); in most cases it won't.

zaks.anna: You can micro optimize by checking if the identifier matches first (and only checking arguments…
}
bool CheckerContext::isCLibraryFunction(const FunctionDecl *FD, bool CheckerContext::isCLibraryFunction(const FunctionDecl *FD,
StringRef Name) { StringRef Name) {
// To avoid false positives (Ex: finding user defined functions with // To avoid false positives (Ex: finding user defined functions with
// similar names), only perform fuzzy name matching when it's a builtin. // similar names), only perform fuzzy name matching when it's a builtin.
// Using a string compare is slow, we might want to switch on BuiltinID here. // Using a string compare is slow, we might want to switch on BuiltinID here.
unsigned BId = FD->getBuiltinID(); unsigned BId = FD->getBuiltinID();
if (BId != 0) { if (BId != 0) {
if (Name.empty()) if (Name.empty())
zaks.annaUnsubmitted
Done
ReplyInline Actions

This will only match against the first part of the ObjC method name. Also, this is not tested. I am Ok with adding the ObjC support later and adding an assert above to error out if this is used for ObjC.

zaks.anna: This will only match against the first part of the ObjC method name. Also, this is not tested.
return true; return true;
StringRef BName = FD->getASTContext().BuiltinInfo.getName(BId); StringRef BName = FD->getASTContext().BuiltinInfo.getName(BId);
if (BName.find(Name) != StringRef::npos) if (BName.find(Name) != StringRef::npos)
return true; return true;
} }
const IdentifierInfo *II = FD->getIdentifier(); const IdentifierInfo *II = FD->getIdentifier();
// If this is a special C++ name without IdentifierInfo, it can't be a // If this is a special C++ name without IdentifierInfo, it can't be a
Show All 40 Lines