This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
include/clang/
-
clang/
-
Basic/
4
Attr.td
5
AttrDocs.td
4
DiagnosticSemaKinds.td
-
StaticAnalyzer/Checkers/
-
Checkers/
-
Checkers.td
-
lib/
-
Sema/
6
SemaChecking.cpp
2
SemaDeclAttr.cpp
-
StaticAnalyzer/Checkers/
-
Checkers/
-
CMakeLists.txt
2
ReturnNonBoolChecker.cpp
-
test/
4
ReturnNonBoolTest.c
-
ReturnNonBoolTest.cpp
2
ReturnNonBoolTestCompileTime.cpp

Differential D24507

Add attribute for return values that shouldn't be cast to bool
Needs ReviewPublic

Authored by urusant on Sep 13 2016, 7:32 AM.

Download Raw Diff

Details

Reviewers

dcoughlin
aaron.ballman
zaks.anna
NoQ
jordan_rose

Summary

Hi,

I am interested in feedback on a patch I was working on that adds a new attribute (warn_impcast_to_bool) to indicate that the return value of a function shouldn't be used as a boolean, as well as a compile warning and a StaticAnalyzer checker to warn about misusing functions with this attribute. I'd also appreciate any suggestions for how to deal with a class of false positives that the static analysis checker produces.

The change was originally inspired by CVE-2008-5077 [1], which was the result of an odd design choice in OpenSSL: having an API that returns 1 for success, 0 for failure... and -1 for catastrophic failure. Various API users fell into the trap of treating the return value as a boolean, so the patch adds an attribute to allow this to trigger a warning.

As well as generating a compile-time warning, the patch also includes a new static analyzer checker to catch more indirect uses, where the non-boolean integer value gets propagated via function wrappers or local variables. However, it gives a false positive for cases when the code using the return value actually checks the value in a non-boolean way (because the SVal doesn't reflect the fact that the value has been further constrained). I couldn't see an obvious way to get anything relevant from the RangeConstraintManager; any suggestions?

To test the check (beyond the included unit tests), I annotated dangerous OpenSSL functions and tried building 8 OpenSSL-using codebases with it. So far, this didn't give many results for them: the only possible problem was found in ruby2.1, which was already fixed a few months ago. However, this change is still potentially useful - even 7 years after the original CVE, there are still codebases that fall into OpenSSL's API trap.

[1] https://www.openssl.org/news/secadv/20090107.txt

Diff Detail

Repository: rL LLVM

Event Timeline

urusant updated this revision to Diff 71157.Sep 13 2016, 7:32 AM

urusant retitled this revision from to Add attribute for return values that shouldn't be cast to bool.

urusant updated this object.

urusant added reviewers: zaks.anna, dcoughlin, jordan_rose, NoQ.

urusant set the repository for this revision to rL LLVM.

urusant added subscribers: cfe-commits, daviddrysdale.

Herald added subscribers: mgorny, beanz. · View Herald TranscriptSep 13 2016, 7:32 AM

aaron.ballman added a reviewer: aaron.ballman.Sep 13 2016, 8:30 AM

Thank you for working on this check! A few comments:

The patch is missing Sema tests for the attribute (that it only applies to declarations you expect, accepts no args, etc).

Have you considered making this a type attribute on the return type of the function rather than a declaration attribute on the function declaration? Right now, the diagnostic you receive on a conversion may be spatially separated from where the user called the function (including crossing translation unit boundaries, which the static analyzer doesn't currently handle). By putting the attribute on the type, it carries more obvious semantic meaning and means the check can happen entirely in the frontend (no static analyzer required). For instance: typedef __attribute__((warn_impcast_to_bool)) IntNotABool; I'm not certain if this is a better design or not, but I am wondering if it was something you had considered.

include/clang/Basic/Attr.td
1138	This should not use a GCC spelling because it's not an attribute that GCC supports. You should probably use GNU instead, since I suspect this attribute will be useful in C as well as C++.
1140	No need to specify the WarnDiag or ExpectedFunctionOrMethod arguments; they will be handled automatically.
include/clang/Basic/AttrDocs.td
2058	You should manually wrap this to roughly the 80 col limit. Instead of "he", can you use "they" please?
include/clang/Basic/DiagnosticGroups.td
57 ↗	(On Diff #71157)	I'm not certain this requires its own diagnostic group. This can probably be handled under `BoolConversion`
include/clang/Basic/DiagnosticSemaKinds.td
2259	How about: ...only applies to integer return types?
2883	I don't think this should be a DefaultIgnore diagnostic -- if the user wrote the attribute, they should get the diagnostic when appropriate.
lib/Sema/SemaChecking.cpp
8262	Should use `if (const auto *CE = dyn_cast<CallExpr>(E)) {`
8263–8264	Then you can do `if (const auto *Fn = CE->getDirectCallee()) {`
8269	You can pass in `fn` directly, the diagnostics engine will properly get the name out of it because it's derived from `NamedDecl`.
lib/Sema/SemaDeclAttr.cpp
1316	Formatting seems off -- you should run the patch through clang-format. Also, why are you passing an empty `SourceRange`?
test/ReturnNonBoolTestCompileTime.cpp
38	Can you end the file with a newline?

zaks.anna added inline comments.Sep 15 2016, 9:34 PM

include/clang/Basic/AttrDocs.td
2055	You probably need to "propose" the attribute to the clang community. I'd send an email to the cfe-dev as it might not have enough attention if it's just the patch.
test/ReturnNonBoolTest.c
75	I do not understand why this is a false positive. In restricted_wrap, r can be any value. You only return '0' if r is '-1', but it could be '-2' or '100', which are also not bool and this values would just get returned. You should be able to query the state to check if a value is a zero or one using code like this from CStringChecker.cpp: " SValBuilder &svalBuilder = C.getSValBuilder(); DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty); return state->assume(svalBuilder.evalEQ(state, *val, zero)) "

Made some changes based on the comments. Please refer to the replies below.

Thank you for the feedback.

The patch is missing Sema tests for the attribute (that it only applies to declarations you expect, accepts no args, etc).

There is one test case for that in test/ReturnNonBoolTestCompileTime.cpp. I've added another one for attribute accepting no args, so now the last two test cases in this file are those you were asking about. Can you think of any other cases of invalid attribute usage?

Have you considered making this a type attribute on the return type of the function rather than a declaration attribute on the function declaration?

No, I hadn't. On a quick look though, I couldn't find a way to simplify my solution using this idea, because as far as I understand, the type attribute isn't inherited, so, for example, if I have something like int r = X509_verify_cert(...) and the function X509_verify_cert has a return type with attribute, r won't have the attribute. If that is correct, we still need to backtrace the value to the function declaration. Is there something I am missing?

include/clang/Basic/Attr.td
1138	Yeah, makes sense.
1140	I didn't know that, thanks.
include/clang/Basic/AttrDocs.td
2055	OK, will do.
2058	OK, I did that. However, 80 col limit in this case feels a bit inconsistent with the rest of the file to me because most of other similar descriptions don't follow it.
include/clang/Basic/DiagnosticGroups.td
57 ↗	(On Diff #71157)	OK.
include/clang/Basic/DiagnosticSemaKinds.td
2259	Yeah, that sounds better.
2883	Makes sense.
lib/Sema/SemaChecking.cpp
8262	Done.
8263–8264	Done.
8269	Thanks, didn't notice that.
lib/Sema/SemaDeclAttr.cpp
1316	Ok, I ran clang-format. Good spot, it seems that I don't need that `SourceRange`.
test/ReturnNonBoolTest.c
75	I have replaced this test case with another one that illustrates the problem I am referring to clearer. Ideally it would be great to have some indicator to tell the StaticAnalyzer that we have handled all the dangerous return values, and from this point it is safe to use it as a boolean. You can use explicit cast to bool or `rc != 0` every time you want to use it, but it is not very convenient. Do you have any suggestions on this matter? As for your proposal, it is not very difficult to add, however, it is not very likely to be useful in real codebases for the same reason as in the testcase. Do you still think it should be added?
test/ReturnNonBoolTestCompileTime.cpp
38	Done.

In D24507#546241, @urusant wrote:

Thank you for the feedback.

The patch is missing Sema tests for the attribute (that it only applies to declarations you expect, accepts no args, etc).

There is one test case for that in test/ReturnNonBoolTestCompileTime.cpp. I've added another one for attribute accepting no args, so now the last two test cases in this file are those you were asking about. Can you think of any other cases of invalid attribute usage?

We try to keep our tests segregated by functionality. e.g., tests relating to the way the attribute is handled (what it appertains to, args, etc) should live in Sema, tests relating to the static analyzer behavior should live in test/Analysis, etc.

Tests that are still missing are: applying to a non-function type, applying to a member function, applying to an Obj-C method. For member functions, what should happen if the function is virtual? What if the overriders do not specify the attribute? What if an override specifies the attribute but the base does not?

Have you considered making this a type attribute on the return type of the function rather than a declaration attribute on the function declaration?

No, I hadn't. On a quick look though, I couldn't find a way to simplify my solution using this idea, because as far as I understand, the type attribute isn't inherited, so, for example, if I have something like int r = X509_verify_cert(...) and the function X509_verify_cert has a return type with attribute, r won't have the attribute. If that is correct, we still need to backtrace the value to the function declaration. Is there something I am missing?

I was thinking it would be diagnosed if you attempted to assign from your attributed type to a type that is not compatible. However, that may still be problematic because it raises other questions (can you SFINAE on it? Overload? etc).

In D24507#546380, @aaron.ballman wrote:

We try to keep our tests segregated by functionality. e.g., tests relating to the way the attribute is handled (what it appertains to, args, etc) should live in Sema, tests relating to the static analyzer behavior should live in test/Analysis, etc.

Tests that are still missing are: applying to a non-function type, applying to a member function, applying to an Obj-C method. For member functions, what should happen if the function is virtual? What if the overriders do not specify the attribute? What if an override specifies the attribute but the base does not?

I have added the test cases about member functions.
As for ObjC methods, I didn't pay much attention to them while developing the check as ObjC wasn't the primary target. I tried to make a test case for it, and it turned out that it is OK to put an attribute on ObjC method, but you wouldn't get neither compiler warning nor StaticAnalyzer report. That is why I removed ObjC methods from the attribute subjects and replaced the ObjC test case with another one that shows that you cannot apply the attribute to ObjC methods (not sure if it is still necessary, because it seems not very different from applying the attribute to a non-function variable - in both cases we get the same warning). Do you think it's worth digging into how to make it work with ObjC? In this case I might need some help because I don't really speak Objective C.

Have you considered making this a type attribute on the return type of the function rather than a declaration attribute on the function declaration?

No, I hadn't. On a quick look though, I couldn't find a way to simplify my solution using this idea, because as far as I understand, the type attribute isn't inherited, so, for example, if I have something like int r = X509_verify_cert(...) and the function X509_verify_cert has a return type with attribute, r won't have the attribute. If that is correct, we still need to backtrace the value to the function declaration. Is there something I am missing?

I was thinking it would be diagnosed if you attempted to assign from your attributed type to a type that is not compatible. However, that may still be problematic because it raises other questions (can you SFINAE on it? Overload? etc).

This might also make the check itself easier (as we don't need path-sensitive analysis), however, it would make the use more complicated as all the users of the dangerous function would have to change their code (even if they are using it correctly). For example, if we refer to the original motivation, annotating dangerous OpenSSL functions would allow us to protect dozens of codebases using them without changing every one of them.

danielmarjamaki added a subscriber: danielmarjamaki.Sep 20 2016, 6:33 AM

danielmarjamaki added inline comments.

include/clang/Basic/AttrDocs.td
2055	I saw your email on cfe-dev. This sounds like a good idea to me.
lib/StaticAnalyzer/Checkers/ReturnNonBoolChecker.cpp
49	It seems you need to run clang-format on this file also.
test/ReturnNonBoolTest.c
7	sorry but why do you have a #ifdef clang isn't it always defined?

urusant updated this revision to Diff 71927.Sep 20 2016, 7:13 AM

urusant added inline comments.

lib/StaticAnalyzer/Checkers/ReturnNonBoolChecker.cpp
51	I have just noticed that I didn't specify the style option when I ran it the first time. Now it should be fine.
test/ReturnNonBoolTest.c
7	If I were to add the attribute to a function in some real codebase, I would probably want to save different compilers compatibility. However, it might not be necessary for the testcases.

zaks.anna added inline comments.Sep 20 2016, 11:14 AM

test/Analysis/ReturnNonBoolTest.c
67 ↗	(On Diff #71927)	How about addressing this as follows: in checkBranchCondition, you check for any comparisons of the tracked value other than comparisons to bool. If you see such a comparison, you assume that the error handling has occurred and remove the symbol from the set of tracked symbols. This will ensure that any code after the cleansing condition (error handling) can cast the return value to bool. The warning will still get triggered if the error handling is after the comparison to bool. That could be avoided as well, but the solution would be more complicated. I am thinking something along the lines of tracking all comparisons until the symbol goes out of scope. For each symbol, you'd track it's state (for example, "performedErrorHandling \| comparedToBoolAndNoErrorHandling \| notSeen"). You can draw the automaton to see what the transitions should be. When the symbol goes out of scope, you'd check if it's state is "comparedToBoolAndNoErrorHandling". Further, we'd need to walk up the path to find the location where we compared the symbol and use that for error reporting.

Revision Contents

Path

Size

include/

clang/

Basic/

Attr.td

8 lines

AttrDocs.td

25 lines

DiagnosticSemaKinds.td

8 lines

StaticAnalyzer/

Checkers/

Checkers.td

3 lines

lib/

Sema/

SemaChecking.cpp

16 lines

SemaDeclAttr.cpp

17 lines

StaticAnalyzer/

Checkers/

CMakeLists.txt

1 line

ReturnNonBoolChecker.cpp

134 lines

test/

ReturnNonBoolTest.c

79 lines

ReturnNonBoolTest.cpp

87 lines

ReturnNonBoolTestCompileTime.cpp

37 lines

Diff 71807

include/clang/Basic/Attr.td

Context not available.
	let Documentation = [Undocumented];	let Documentation = [Undocumented];
	}	}

		// An attribute indicating that a function/method return value is not safe to be
		// treated as bool.
		def WarnImpcastToBool : InheritableAttr {
		let Spellings = [GNU<"warn_impcast_to_bool">];
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions This should not use a GCC spelling because it's not an attribute that GCC supports. You should probably use GNU instead, since I suspect this attribute will be useful in C as well as C++. aaron.ballman: This should not use a GCC spelling because it's not an attribute that GCC supports. You should…
		urusantAuthorUnsubmitted Not Done Reply Inline Actions Yeah, makes sense. urusant: Yeah, makes sense.
		let Subjects = SubjectList<[ObjCMethod, Function]>;
		let Documentation = [WarnImpcastToBoolDocs];
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions No need to specify the WarnDiag or ExpectedFunctionOrMethod arguments; they will be handled automatically. aaron.ballman: No need to specify the WarnDiag or ExpectedFunctionOrMethod arguments; they will be handled…
		urusantAuthorUnsubmitted Not Done Reply Inline Actions I didn't know that, thanks. urusant: I didn't know that, thanks.
		}

	def AssumeAligned : InheritableAttr {	def AssumeAligned : InheritableAttr {
	let Spellings = [GCC<"assume_aligned">];	let Spellings = [GCC<"assume_aligned">];
	let Subjects = SubjectList<[ObjCMethod, Function]>;	let Subjects = SubjectList<[ObjCMethod, Function]>;
Context not available.

include/clang/Basic/AttrDocs.td

Context not available.
	The ``_Null_unspecified`` nullability qualifier indicates that neither the ``_Nonnull`` nor ``_Nullable`` qualifiers make sense for a particular pointer type. It is used primarily to indicate that the role of null with specific pointers in a nullability-annotated header is unclear, e.g., due to overly-complex implementations or historical factors with a long-lived API.	The ``_Null_unspecified`` nullability qualifier indicates that neither the ``_Nonnull`` nor ``_Nullable`` qualifiers make sense for a particular pointer type. It is used primarily to indicate that the role of null with specific pointers in a nullability-annotated header is unclear, e.g., due to overly-complex implementations or historical factors with a long-lived API.
	}];	}];
	}	}
		def WarnImpcastToBoolDocs : Documentation {
		zaks.annaUnsubmitted Not Done Reply Inline Actions You probably need to "propose" the attribute to the clang community. I'd send an email to the cfe-dev as it might not have enough attention if it's just the patch. zaks.anna: You probably need to "propose" the attribute to the clang community. I'd send an email to the…
		urusantAuthorUnsubmitted Not Done Reply Inline Actions OK, will do. urusant: OK, will do.
		danielmarjamakiUnsubmitted Not Done Reply Inline Actions I saw your email on cfe-dev. This sounds like a good idea to me. danielmarjamaki: I saw your email on cfe-dev. This sounds like a good idea to me.
		let Category = DocCatFunction;
		let Content = [{
		The ``warn_impcast_to_bool`` attribute is used to indicate that the return
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions You should manually wrap this to roughly the 80 col limit. Instead of "he", can you use "they" please? aaron.ballman: You should manually wrap this to roughly the 80 col limit. Instead of "he", can you use "they"…
		urusantAuthorUnsubmitted Not Done Reply Inline Actions OK, I did that. However, 80 col limit in this case feels a bit inconsistent with the rest of the file to me because most of other similar descriptions don't follow it. urusant: OK, I did that. However, 80 col limit in this case feels a bit inconsistent with the rest of…
		value of a function with integral return type cannot be used as a boolean
		value. For example, if a function returns -1 if it couldn't efficiently read
		the data, 0 if the data is invalid and 1 for success, it might be dangerous
		to implicitly cast the return value to bool, e.g. to indicate success.
		Therefore, it is a good idea to trigger a warning about such cases. However,
		in case a programmer uses an explicit cast to bool, that probably means that
		they know what they are doing, therefore a warning should be triggered only
		for implicit casts.

		.. code-block:: c

		int f(int x) __attribute__((warn_impcast_to_bool));

		void test(int x) {
		if (f(x)) { // diagnoses
		}
		if ((bool)f(x)) { // Does not diagnose, explicit cast.
		}
		}
		}];
		}

	def NonNullDocs : Documentation {	def NonNullDocs : Documentation {
	let Category = NullabilityDocs;	let Category = NullabilityDocs;
Context not available.

include/clang/Basic/DiagnosticSemaKinds.td

Context not available.
	"%0 attribute can only be applied once per parameter">;	"%0 attribute can only be applied once per parameter">;
	def err_attribute_uuid_malformed_guid : Error<	def err_attribute_uuid_malformed_guid : Error<
	"uuid attribute contains a malformed GUID">;	"uuid attribute contains a malformed GUID">;
		def warn_attribute_return_int_only : Warning<
		"%0 attribute only applies to integer return types">,
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions How about: ...only applies to integer return types? aaron.ballman: How about: ...only applies to integer return types?
		urusantAuthorUnsubmitted Not Done Reply Inline Actions Yeah, that sounds better. urusant: Yeah, that sounds better.
		InGroup<IgnoredAttributes>;

	def warn_attribute_pointers_only : Warning<	def warn_attribute_pointers_only : Warning<
	"%0 attribute only applies to%select{\| constant}1 pointer arguments">,	"%0 attribute only applies to%select{\| constant}1 pointer arguments">,
	InGroup<IgnoredAttributes>;	InGroup<IgnoredAttributes>;
Context not available.
	def warn_impcast_string_literal_to_bool : Warning<	def warn_impcast_string_literal_to_bool : Warning<
	"implicit conversion turns string literal into bool: %0 to %1">,	"implicit conversion turns string literal into bool: %0 to %1">,
	InGroup<StringConversion>, DefaultIgnore;	InGroup<StringConversion>, DefaultIgnore;
		def warn_impcast_non_bool_to_bool : Warning<
		"implicit conversion turns non-bool into bool: %0 to %1">,
		InGroup<BoolConversion>;
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions I don't think this should be a DefaultIgnore diagnostic -- if the user wrote the attribute, they should get the diagnostic when appropriate. aaron.ballman: I don't think this should be a DefaultIgnore diagnostic -- if the user wrote the attribute…
		urusantAuthorUnsubmitted Not Done Reply Inline Actions Makes sense. urusant: Makes sense.

	def warn_impcast_different_enum_types : Warning<	def warn_impcast_different_enum_types : Warning<
	"implicit conversion from enumeration type %0 to different enumeration type "	"implicit conversion from enumeration type %0 to different enumeration type "
	"%1">, InGroup<EnumConversion>;	"%1">, InGroup<EnumConversion>;
Context not available.

include/clang/StaticAnalyzer/Checkers/Checkers.td

Context not available.
	HelpText<"Check for cases where the dynamic and the static type of an object are unrelated.">,	HelpText<"Check for cases where the dynamic and the static type of an object are unrelated.">,
	DescFile<"DynamicTypeChecker.cpp">;	DescFile<"DynamicTypeChecker.cpp">;

		def ReturnNonBoolChecker : Checker<"ReturnNonBool">,
		HelpText<"Check for dangerous conversion of integral return values to bool.">,
		DescFile<"ReturnNonBoolChecker.cpp">;
	} // end "alpha.core"	} // end "alpha.core"

	let ParentPackage = Nullability in {	let ParentPackage = Nullability in {
Context not available.

lib/Sema/SemaChecking.cpp

Context not available.

	// Diagnose implicit casts to bool.	// Diagnose implicit casts to bool.
	if (Target->isSpecificBuiltinType(BuiltinType::Bool)) {	if (Target->isSpecificBuiltinType(BuiltinType::Bool)) {
		/// Warn if the expression is the return value of a function call being
		/// implicitly cast to bool, while it's specified that it shouldn't be by a
		/// 'warn_impcast_to_bool' attribute.
		///
		/// Note that this isn't triggered if the function call is part of a more
		/// complicated expression, which in turn is cast to bool,
		/// e.g. (x ? f : g)(y)
		if (const auto *CE = dyn_cast<CallExpr>(E)) {
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions Should use `if (const auto CE = dyn_cast<CallExpr>(E)) {` aaron.ballman:* Should use `if (const auto *CE = dyn_cast<CallExpr>(E)) {`
		urusantAuthorUnsubmitted Not Done Reply Inline Actions Done. urusant: Done.
		if (const auto Fn = CE->getDirectCallee()) {
		if (Fn->hasAttr<WarnImpcastToBoolAttr>()) {
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions Then you can do `if (const auto Fn = CE->getDirectCallee()) {` aaron.ballman:* Then you can do `if (const auto *Fn = CE->getDirectCallee()) {`
		urusantAuthorUnsubmitted Not Done Reply Inline Actions Done. urusant: Done.
		DiagnoseImpCast(S, E, T, CC, diag::warn_impcast_non_bool_to_bool);
		S.Diag(Fn->getLocation(), diag::note_entity_declared_at) << Fn;
		return;
		}
		}
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions You can pass in `fn` directly, the diagnostics engine will properly get the name out of it because it's derived from `NamedDecl`. aaron.ballman: You can pass in `fn` directly, the diagnostics engine will properly get the name out of it…
		urusantAuthorUnsubmitted Not Done Reply Inline Actions Thanks, didn't notice that. urusant: Thanks, didn't notice that.
		}
	if (isa<StringLiteral>(E))	if (isa<StringLiteral>(E))
	// Warn on string literal to bool. Checks for string literals in logical	// Warn on string literal to bool. Checks for string literals in logical
	// and expressions, for instance, assert(0 && "error here"), are	// and expressions, for instance, assert(0 && "error here"), are
Context not available.

lib/Sema/SemaDeclAttr.cpp

Context not available.
	Attr.getAttributeSpellingListIndex()));	Attr.getAttributeSpellingListIndex()));
	}	}

		static void handleWarnImpcastToBoolAttr(Sema &S, Decl *D,
		const AttributeList &Attr) {
		QualType ResultType = getFunctionOrMethodResultType(D);
		SourceRange SR = getFunctionOrMethodResultSourceRange(D);
		if (!ResultType->isIntegralOrEnumerationType()) {
		S.Diag(Attr.getLoc(), diag::warn_attribute_return_int_only)
		<< Attr.getName() << SR;
		aaron.ballmanUnsubmitted Not Done Reply Inline Actions Formatting seems off -- you should run the patch through clang-format. Also, why are you passing an empty `SourceRange`? aaron.ballman: Formatting seems off -- you should run the patch through clang-format. Also, why are you…
		urusantAuthorUnsubmitted Not Done Reply Inline Actions Ok, I ran clang-format. Good spot, it seems that I don't need that `SourceRange`. urusant: Ok, I ran clang-format. Good spot, it seems that I don't need that `SourceRange`.
		return;
		}

		D->addAttr(::new (S.Context) WarnImpcastToBoolAttr(
		Attr.getRange(), S.Context, Attr.getAttributeSpellingListIndex()));
		}

	static void handleAssumeAlignedAttr(Sema &S, Decl *D,	static void handleAssumeAlignedAttr(Sema &S, Decl *D,
	const AttributeList &Attr) {	const AttributeList &Attr) {
	Expr *E = Attr.getArgAsExpr(0),	Expr *E = Attr.getArgAsExpr(0),
Context not available.
	case AttributeList::AT_ReturnsNonNull:	case AttributeList::AT_ReturnsNonNull:
	handleReturnsNonNullAttr(S, D, Attr);	handleReturnsNonNullAttr(S, D, Attr);
	break;	break;
		case AttributeList::AT_WarnImpcastToBool:
		handleWarnImpcastToBoolAttr(S, D, Attr);
		break;
	case AttributeList::AT_AssumeAligned:	case AttributeList::AT_AssumeAligned:
	handleAssumeAlignedAttr(S, D, Attr);	handleAssumeAlignedAttr(S, D, Attr);
	break;	break;
Context not available.

lib/StaticAnalyzer/Checkers/CMakeLists.txt

Context not available.
	PointerSubChecker.cpp	PointerSubChecker.cpp
	PthreadLockChecker.cpp	PthreadLockChecker.cpp
	RetainCountChecker.cpp	RetainCountChecker.cpp
		ReturnNonBoolChecker.cpp
	ReturnPointerRangeChecker.cpp	ReturnPointerRangeChecker.cpp
	ReturnUndefChecker.cpp	ReturnUndefChecker.cpp
	SimpleStreamChecker.cpp	SimpleStreamChecker.cpp
Context not available.

lib/StaticAnalyzer/Checkers/ReturnNonBoolChecker.cpp

This file was added.

				//=== ReturnNonBoolChecker.cpp - Non-boolean returns checker ----- C++ --===//
				//
				// The LLVM Compiler Infrastructure
				//
				// This file is distributed under the University of Illinois Open Source
				// License. See LICENSE.TXT for details.
				//
				//===----------------------------------------------------------------------===//
				//
				// This defines ReturnNonBoolChecker that warns about dangerous conversions of
				// integral return values to bool. Such impcast is considered dangerous if this
				// is specified by a warn_impcast_to_bool attribute.
				//
				//===----------------------------------------------------------------------===//

				#include "ClangSACheckers.h"
				#include "clang/AST/ParentMap.h"
				#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
				#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
				#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

				using namespace clang;
				using namespace ento;

				namespace {
				class ReturnNonBoolChecker
				: public Checker<check::BranchCondition, check::PreStmt<ImplicitCastExpr>,
				check::PreStmt<UnaryOperator>, check::PostCall> {
				mutable std::unique_ptr<BuiltinBug> BT_impcast;
				void checkExprValue(CheckerContext &C, const Expr *E) const;

				public:
				void checkBranchCondition(const Stmt *Condition, CheckerContext &C) const;
				void checkPreStmt(const ImplicitCastExpr *ICE, CheckerContext &C) const;
				void checkPreStmt(const UnaryOperator *UO, CheckerContext &C) const;
				void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
				};
				} // end anonymous namespace

				// A set of values specified to be dangerous for conversion to bool.
				REGISTER_SET_WITH_PROGRAMSTATE(NonBoolValues, SymbolRef)

				void ReturnNonBoolChecker::checkExprValue(CheckerContext &C,
				const Expr *E) const {
				ProgramStateRef State = C.getState();
				SymbolRef SR = State->getSVal(E, C.getLocationContext()).getAsSymbol();
				// If the value isn't marked as dangerous to be cast to bool, no warning is
				// needed.
				if (!State->contains<NonBoolValues>(SR)) return;
				danielmarjamakiUnsubmitted Not Done Reply Inline Actions It seems you need to run clang-format on this file also. danielmarjamaki: It seems you need to run clang-format on this file also.

				ExplodedNode *N = C.generateErrorNode(C.getState());
				urusantAuthorUnsubmitted Not Done Reply Inline Actions I have just noticed that I didn't specify the style option when I ran it the first time. Now it should be fine. urusant: I have just noticed that I didn't specify the style option when I ran it the first time. Now it…
				if (!N) return;
				if (!BT_impcast)
				BT_impcast.reset(new BuiltinBug(
				this, "implicit cast to bool is dangerous for this value"));
				C.emitReport(llvm::make_unique<BugReport>(*BT_impcast,
				BT_impcast->getDescription(), N));
				}

				// This catches 'conversion to bool'-like cases in C, where there is no boolean
				// type or implicit cast to bool.
				void ReturnNonBoolChecker::checkBranchCondition(const Stmt *Condition,
				CheckerContext &C) const {
				const Expr *E = dyn_cast<Expr>(Condition);
				if (!E) return;
				const Type *TypePtr = E->getType().getCanonicalType().getTypePtr();
				// If the expression is boolean, then either it is fine to use it or it is
				// a cast expression. If it is an explicit cast, it is fine because this means
				// that author knows what he is doing, otherwise it will be caught by
				// checkPreStmt<ImplicitCastExpr>, so we don't need to do anything here.
				if (!TypePtr->isSpecificBuiltinType(BuiltinType::Bool)) checkExprValue(C, E);
				}

				// Checks if the parent of the specified implicit cast in the AST is a CastExpr.
				static bool hasParentCast(const ImplicitCastExpr *ICE,
				const LocationContext *LC) {
				const Stmt *Parent = LC->getParentMap().getParent(ICE);
				return Parent && dyn_cast<CastExpr>(Parent);
				}

				// Checks if the given cast expression is an integral to boolean cast.
				static bool isIntToBoolCast(const CastExpr *CE) {
				const Type *TypePtr = CE->getType().getCanonicalType().getTypePtr();
				const Type *OrigTypePtr =
				CE->getSubExpr()->getType().getCanonicalType().getTypePtr();
				return OrigTypePtr->isIntegralOrEnumerationType() &&
				TypePtr->isSpecificBuiltinType(BuiltinType::Bool);
				}

				// This catches implicit casts from integral types to bool in case they exist,
				// i.e. for C++.
				void ReturnNonBoolChecker::checkPreStmt(const ImplicitCastExpr *ICE,
				CheckerContext &C) const {
				// Some types of casts (e.g. C-style cast) have implicit cast as a child,
				// which we don't really care about because in this case this is actually an
				// explicit cast, which means that the programmer is aware that it's
				// dangerous, but still wants to do it.
				if (hasParentCast(ICE, C.getLocationContext())) return;
				// This checker is only for integral to boolean casts.
				if (!isIntToBoolCast(dyn_cast<CastExpr>(ICE))) return;
				checkExprValue(C, ICE->getSubExpr());
				}

				// This is to catch logical negotiation operator, which is an int->int operator
				// in C, so it is not caught by either of the two previous methods.
				void ReturnNonBoolChecker::checkPreStmt(const UnaryOperator *UO,
				CheckerContext &C) const {
				if (UO->getOpcode() != UO_LNot) return;
				const Expr *E = UO->getSubExpr();
				const Type *TypePtr = E->getType().getCanonicalType().getTypePtr();
				if (!TypePtr->isIntegralOrEnumerationType()) return;
				checkExprValue(C, E);
				}

				// Store the symbolic reference for return value of "ReturnsNonBool" function
				// in the set.
				void ReturnNonBoolChecker::checkPostCall(const CallEvent &Call,
				CheckerContext &C) const {
				const Decl *Function = Call.getDecl();
				if (!Function \|\| !Function->hasAttr<WarnImpcastToBoolAttr>()) return;
				SymbolRef ReturnValue = Call.getReturnValue().getAsSymbol();
				// If the return value cannot be taken as symbol, we don't want to add it
				// to the set because it can be achieved by many different ways, and we don't
				// want them to be treated as equals.
				if (!ReturnValue) return;
				ProgramStateRef State = C.getState();
				State = State->add<NonBoolValues>(ReturnValue);
				C.addTransition(State);
				return;
				}

				void ento::registerReturnNonBoolChecker(CheckerManager &mgr) {
				mgr.registerChecker<ReturnNonBoolChecker>();
				}

test/ReturnNonBoolTest.c

This file was added.

				// RUN: %clang_cc1 -analyze -analyzer-checker=alpha.core.ReturnNonBool -Wno-bool-conversion -verify %s

				/// C is checked slightly differently than C++, in particular, C doesn't have
				/// implicit casts to bool, so we need to test different branching situations,
				/// like if, for, while, etc.

				#ifdef __clang__
				danielmarjamakiUnsubmitted Not Done Reply Inline Actions sorry but why do you have a #ifdef clang isn't it always defined? danielmarjamaki: sorry but why do you have a #ifdef __clang__ isn't it always defined?
				urusantAuthorUnsubmitted Not Done Reply Inline Actions If I were to add the attribute to a function in some real codebase, I would probably want to save different compilers compatibility. However, it might not be necessary for the testcases. urusant: If I were to add the attribute to a function in some real codebase, I would probably want to…
				#define RETURNS_NON_BOOL __attribute__((warn_impcast_to_bool))
				#else
				#define RETURNS_NON_BOOL
				#endif

				int NonBool(int x) RETURNS_NON_BOOL;

				void test_if() {
				if (NonBool(2)) // expected-warning{{implicit cast to bool is dangerous for this value}}
				return;
				}

				void test_while() {
				while (NonBool(2)) // expected-warning{{implicit cast to bool is dangerous for this value}}
				continue;
				}

				void test_for() {
				for (; NonBool(2);) // expected-warning{{implicit cast to bool is dangerous for this value}}
				continue;
				}

				void test_and(int x, int y) {
				if (NonBool(2) && (x == y)) // expected-warning{{implicit cast to bool is dangerous for this value}}
				return;
				}

				void test_or() {
				if (NonBool(2) \|\| (1 != 1)) // expected-warning{{implicit cast to bool is dangerous for this value}}
				return;
				}

				void test_not() {
				if (!NonBool(2)) // expected-warning{{implicit cast to bool is dangerous for this value}}
				return;
				}

				int test_ternary() {
				return NonBool(2) ? 1 : 0; // expected-warning{{implicit cast to bool is dangerous for this value}}
				}

				int wrap(int x) {
				int r = NonBool(x);
				return r;
				}

				void test_wrap() {
				if (wrap(2)) // expected-warning{{implicit cast to bool is dangerous for this value}}
				return;
				}

				// Example inspired by CVE-2008-5077:
				// Returns 1 on success, 0 on failure and something negative on catastrophic
				// failure
				int verify_cert() __attribute__((warn_impcast_to_bool));

				void correctly_handled() {
				int rc = verify_cert();

				if (rc < 0)
				// error handling

				if (rc) { // expected-warning{{implicit cast to bool is dangerous for this value}}
				// Here we unfortunately get a warning although the code does correctly
				// handle the documented return codes. However, the static analysis checker
				// can't read the comment (or the manpage)...
				}
				// However, the warning can be easily suppressed, for example, like this:
				zaks.annaUnsubmitted Not Done Reply Inline Actions I do not understand why this is a false positive. In restricted_wrap, r can be any value. You only return '0' if r is '-1', but it could be '-2' or '100', which are also not bool and this values would just get returned. You should be able to query the state to check if a value is a zero or one using code like this from CStringChecker.cpp: " SValBuilder &svalBuilder = C.getSValBuilder(); DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty); return state->assume(svalBuilder.evalEQ(state, val, zero)) " zaks.anna:* I do not understand why this is a false positive. In restricted_wrap, r can be any value. You…
				urusantAuthorUnsubmitted Not Done Reply Inline Actions I have replaced this test case with another one that illustrates the problem I am referring to clearer. Ideally it would be great to have some indicator to tell the StaticAnalyzer that we have handled all the dangerous return values, and from this point it is safe to use it as a boolean. You can use explicit cast to bool or `rc != 0` every time you want to use it, but it is not very convenient. Do you have any suggestions on this matter? As for your proposal, it is not very difficult to add, however, it is not very likely to be useful in real codebases for the same reason as in the testcase. Do you still think it should be added? urusant: I have replaced this test case with another one that illustrates the problem I am referring to…
				if (rc != 0) {
				}
				// In C++ you can use explicit cast to bool as well.
				}

test/ReturnNonBoolTest.cpp

This file was added.

				// RUN: %clang_cc1 -std=c++11 -analyze -analyzer-checker=alpha.core.ReturnNonBool -Wno-bool-conversion -verify %s
				#ifdef __clang__
				#define RETURNS_NON_BOOL __attribute__((warn_impcast_to_bool))
				#else
				#define RETURNS_NON_BOOL
				#endif

				int NoAttributes() { return 2; }

				int NonBool(int x) RETURNS_NON_BOOL;

				int good(int x);

				int wrap(int x) {
				int r = NonBool(x);
				return r;
				}

				void test1() {
				if (NonBool(1)) { // expected-warning{{implicit cast to bool is dangerous for this value}}
				return;
				}
				}

				void test2() {
				if (wrap(2)) { // expected-warning{{implicit cast to bool is dangerous for this value}}
				return;
				}
				}

				void test3() {
				if ((bool)NonBool(3)) { // no warning, explicit cast
				return;
				}
				}

				void test4(int x) {
				if (bool(wrap(2 * x))) { // no warning, explicit cast
				return;
				}
				}

				void test5() {
				if (good(5)) { // no warning, return value isn't marked as dangerous
				return;
				}
				}

				void test6() {
				if (good(wrap(2))) { // no warning, wrap is treated as int, not as bool
				return;
				}
				}

				double InvalidAttributeUsage()
				RETURNS_NON_BOOL; // expected-warning{{'warn_impcast_to_bool' attribute only applies to integer return types}}

				void test_function_pointer(void (*f)()) {
				// This is to test the case when Call.getDecl() returns NULL, because f()
				// doesn't have a declaration
				f();
				}

				bool universal_bool_wrapper(int (*f)(int), int x) {
				// When we call universal_bool_wrapper from test_universal_bool_wrapper, the
				// analyzer follows the path and detects that in this line we are doing
				// something wrong (assuming that f is actually NonBool). So if we didn't call
				// universal_bool_wrapper with any dangerous function, there would be no
				// warning.
				return f(x); // expected-warning {{implicit cast to bool is dangerous for this value}}
				}

				int universal_int_wrapper(int (*f)(int), int x) { return f(x); }

				void test_universal_bool_wrapper(int x) {
				if (universal_bool_wrapper(NonBool, x)) return;
				}

				void test_universal_int_wrapper(int x) {
				if (universal_int_wrapper(NonBool, x)) // expected-warning{{implicit cast to bool is dangerous for this value}}
				return;
				}

				void test_lambdas(int x) {
				if ([](int a) __attribute__((warn_impcast_to_bool))-> int{ return a; }(x)) { // expected-warning{{implicit cast to bool is dangerous for this value}}
				}
				}

test/ReturnNonBoolTestCompileTime.cpp

This file was added.

				// RUN: %clang_cc1 -std=c++11 -fsyntax-only -Wbool-conversion -verify %s
				#ifdef __clang__
				#define RETURNS_NON_BOOL __attribute__((warn_impcast_to_bool))
				#else
				#define RETURNS_NON_BOOL
				#endif

				int NoAttributes() { return 2; }

				int NonBool(int x) RETURNS_NON_BOOL;
				int NonBool(int x) { // expected-note{{'NonBool' declared here}}
				return x * 2;
				}

				int good(int x) { return x * 2; }

				void test1() {
				if (NonBool(2)) { // expected-warning{{implicit conversion turns non-bool into bool: 'int' to 'bool'}}
				return;
				}
				}

				void test3() {
				if ((bool)NonBool(2)) { // no warning, explicit cast
				return;
				}
				}

				void test5() {
				if (good(2)) { // no warning, return value isn't marked as dangerous
				return;
				}
				}

				double InvalidReturnType() RETURNS_NON_BOOL; // expected-warning{{'warn_impcast_to_bool' attribute only applies to integer return types}}

				int AttributeWithArguments() __attribute__((warn_impcast_to_bool(2))); // expected-error {{'warn_impcast_to_bool' attribute takes no arguments}}
				aaron.ballmanUnsubmitted Not Done Reply Inline Actions Can you end the file with a newline? aaron.ballman: Can you end the file with a newline?
				urusantAuthorUnsubmitted Not Done Reply Inline Actions Done. urusant: Done.