This is an archive of the discontinued LLVM Phabricator instance.

Differential D25876

[analyzer] Report CFNumberGetValue API misuse
ClosedPublic

Authored by zaks.anna on Oct 21 2016, 11:53 AM.

Details

Reviewers
dcoughlin
NoQ
Commits
rG5b2b39065ca6: [analyzer] Report CFNumberGetValue API misuse
rC285253: [analyzer] Report CFNumberGetValue API misuse
rL285253: [analyzer] Report CFNumberGetValue API misuse
Summary

This patch contains 2 improvements to the CFNumber checker:

  • Checking of CFNumberGetValue misuse.
  • Treating all CFNumber API misuse errors as non-fatal. (Previously we treated errors that could cause uninitialized memory as syncs and the truncation errors as non-fatal.)

This implements a subset of functionality from https://reviews.llvm.org/D17954.

Diff Detail

Event Timeline

zaks.anna updated this revision to Diff 75456.Oct 21 2016, 11:53 AM
zaks.anna retitled this revision from to [analyzer] Report CFNumberGetValue API misuse.
zaks.anna updated this object.
zaks.anna added reviewers: dcoughlin, NoQ.
zaks.anna added subscribers: cfe-commits, rgov.
dcoughlin added inline comments.Oct 21 2016, 1:13 PM
test/Analysis/CFNumber.c
51

I feel like this diagnostic is not dire enough. The problem is not that the bits will be lost -- but rather that they will be overwritten on top of something else!

How about something like "The remaining 8 bits will overwrite adjacent storage."?

57

Some grammar/style nits. (I realize these also hold for the pre-existing checks):

  • There should be a dash between the number and 'bit'. That is, it should be "16-bit" and "8-bit".
  • It is generally considered bad style to start a sentence with a number that is not written out (except for dates). How about starting the second sentence with "The remaining 8 bits ..."?
zaks.anna updated this revision to Diff 75488.Oct 21 2016, 2:38 PM

Address comments from Devin.

dcoughlin edited edge metadata.Oct 21 2016, 2:40 PM

LGTM!

dcoughlin accepted this revision.Oct 25 2016, 11:23 AM
dcoughlin edited edge metadata.
This revision is now accepted and ready to land.Oct 25 2016, 11:23 AM
NoQ added inline comments.Oct 25 2016, 11:54 AM
test/Analysis/CFNumber.c
39

We're not sure from this code if the CFNumber object x actually represents a 16-bit integer, or somebody just misplaced the kCFNumberSInt16Type thing. I think the warning message could be made more precise in this sence, but i'm not good at coming up with warning messages.

Hmm, there could actually be a separate check for detecting inconsistent type specifiers used for accessing the same CFNumber object.

zaks.anna added inline comments.Oct 25 2016, 3:47 PM
test/Analysis/CFNumber.c
39

I see your point. Looks like we'd need to modify both first part of the sentence and the second to address this concern. We could do something like "A CFNumber object treated as if it represents a 16-bit integer is used to initialize an 8-bit integer; 8 bits of the CFNumber value or the adjacent storage will overwrite adjacent storage of the integer".

Though this is more correct, I do not think it's worth the new language complexity. Also, the warning message is already quite long.

Closed by commit rL285253: [analyzer] Report CFNumberGetValue API misuse (authored by zaks). · Explain WhyOct 26 2016, 4:01 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Checkers/
4 lines
lib/
StaticAnalyzer/
Checkers/
77 lines
test/
Analysis/
24 lines

Diff 75488

include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 571 Lines▼ Show 20 Lines
def DirectIvarAssignmentForAnnotatedFunctions : Checker<"DirectIvarAssignmentForAnnotatedFunctions">, def DirectIvarAssignmentForAnnotatedFunctions : Checker<"DirectIvarAssignmentForAnnotatedFunctions">,
HelpText<"Check for direct assignments to instance variables in the methods annotated with objc_no_direct_instance_variable_assignment">, HelpText<"Check for direct assignments to instance variables in the methods annotated with objc_no_direct_instance_variable_assignment">,
DescFile<"DirectIvarAssignment.cpp">; DescFile<"DirectIvarAssignment.cpp">;
} // end "alpha.osx.cocoa" } // end "alpha.osx.cocoa"
let ParentPackage = CoreFoundation in { let ParentPackage = CoreFoundation in {
def CFNumberCreateChecker : Checker<"CFNumber">, def CFNumberChecker : Checker<"CFNumber">,
HelpText<"Check for proper uses of CFNumberCreate">, HelpText<"Check for proper uses of CFNumber APIs">,
DescFile<"BasicObjCFoundationChecks.cpp">; DescFile<"BasicObjCFoundationChecks.cpp">;
def CFRetainReleaseChecker : Checker<"CFRetainRelease">, def CFRetainReleaseChecker : Checker<"CFRetainRelease">,
HelpText<"Check for null arguments to CFRetain/CFRelease/CFMakeCollectable">, HelpText<"Check for null arguments to CFRetain/CFRelease/CFMakeCollectable">,
DescFile<"BasicObjCFoundationChecks.cpp">; DescFile<"BasicObjCFoundationChecks.cpp">;
def CFErrorChecker : Checker<"CFError">, def CFErrorChecker : Checker<"CFError">,
HelpText<"Check usage of CFErrorRef* parameters">, HelpText<"Check usage of CFErrorRef* parameters">,
▲ Show 20 LinesShow All 126 LinesShow Last 20 Lines

lib/StaticAnalyzer/Checkers/BasicObjCFoundationChecks.cpp

Show First 20 LinesShow All 330 Lines▼ Show 20 Linesvoid NilArgChecker::checkPostStmt(const ObjCDictionaryLiteral *DL,
for (unsigned i = 0; i < NumOfElements; ++i) { for (unsigned i = 0; i < NumOfElements; ++i) {
ObjCDictionaryElement Element = DL->getKeyValueElement(i); ObjCDictionaryElement Element = DL->getKeyValueElement(i);
warnIfNilExpr(Element.Key, "Dictionary key cannot be nil", C); warnIfNilExpr(Element.Key, "Dictionary key cannot be nil", C);
warnIfNilExpr(Element.Value, "Dictionary value cannot be nil", C); warnIfNilExpr(Element.Value, "Dictionary value cannot be nil", C);
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Error reporting. // Checking for mismatched types passed to CFNumberCreate/CFNumberGetValue.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class CFNumberCreateChecker : public Checker< check::PreStmt<CallExpr> > { class CFNumberChecker : public Checker< check::PreStmt<CallExpr> > {
mutable std::unique_ptr<APIMisuse> BT; mutable std::unique_ptr<APIMisuse> BT;
mutable IdentifierInfo* II; mutable IdentifierInfo *ICreate, *IGetValue;
public: public:
CFNumberCreateChecker() : II(nullptr) {} CFNumberChecker() : ICreate(nullptr), IGetValue(nullptr) {}
void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
private: private:
void EmitError(const TypedRegion* R, const Expr *Ex, void EmitError(const TypedRegion* R, const Expr *Ex,
uint64_t SourceSize, uint64_t TargetSize, uint64_t NumberKind); uint64_t SourceSize, uint64_t TargetSize, uint64_t NumberKind);
}; };
} // end anonymous namespace } // end anonymous namespace
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Lines static const char* Names[] = {
"kCFNumberNSIntegerType", "kCFNumberNSIntegerType",
"kCFNumberCGFloatType" "kCFNumberCGFloatType"
}; };
return i <= kCFNumberCGFloatType ? Names[i-1] : "Invalid CFNumberType"; return i <= kCFNumberCGFloatType ? Names[i-1] : "Invalid CFNumberType";
} }
#endif #endif
void CFNumberCreateChecker::checkPreStmt(const CallExpr *CE, void CFNumberChecker::checkPreStmt(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const FunctionDecl *FD = C.getCalleeDecl(CE); const FunctionDecl *FD = C.getCalleeDecl(CE);
if (!FD) if (!FD)
return; return;
ASTContext &Ctx = C.getASTContext(); ASTContext &Ctx = C.getASTContext();
if (!II) if (!ICreate) {
II = &Ctx.Idents.get("CFNumberCreate"); ICreate = &Ctx.Idents.get("CFNumberCreate");
IGetValue = &Ctx.Idents.get("CFNumberGetValue");
if (FD->getIdentifier() != II || CE->getNumArgs() != 3) }
if (!(FD->getIdentifier() == ICreate || FD->getIdentifier() == IGetValue) ||
CE->getNumArgs() != 3)
return; return;
// Get the value of the "theType" argument. // Get the value of the "theType" argument.
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
SVal TheTypeVal = state->getSVal(CE->getArg(1), LCtx); SVal TheTypeVal = state->getSVal(CE->getArg(1), LCtx);
// FIXME: We really should allow ranges of valid theType values, and // FIXME: We really should allow ranges of valid theType values, and
// bifurcate the state appropriately. // bifurcate the state appropriately.
Optional<nonloc::ConcreteInt> V = TheTypeVal.getAs<nonloc::ConcreteInt>(); Optional<nonloc::ConcreteInt> V = TheTypeVal.getAs<nonloc::ConcreteInt>();
if (!V) if (!V)
return; return;
uint64_t NumberKind = V->getValue().getLimitedValue(); uint64_t NumberKind = V->getValue().getLimitedValue();
Optional<uint64_t> OptTargetSize = GetCFNumberSize(Ctx, NumberKind); Optional<uint64_t> OptCFNumberSize = GetCFNumberSize(Ctx, NumberKind);
// FIXME: In some cases we can emit an error. // FIXME: In some cases we can emit an error.
if (!OptTargetSize) if (!OptCFNumberSize)
return; return;
uint64_t TargetSize = *OptTargetSize; uint64_t CFNumberSize = *OptCFNumberSize;
// Look at the value of the integer being passed by reference. Essentially // Look at the value of the integer being passed by reference. Essentially
// we want to catch cases where the value passed in is not equal to the // we want to catch cases where the value passed in is not equal to the
// size of the type being created. // size of the type being created.
SVal TheValueExpr = state->getSVal(CE->getArg(2), LCtx); SVal TheValueExpr = state->getSVal(CE->getArg(2), LCtx);
// FIXME: Eventually we should handle arbitrary locations. We can do this // FIXME: Eventually we should handle arbitrary locations. We can do this
// by having an enhanced memory model that does low-level typing. // by having an enhanced memory model that does low-level typing.
Optional<loc::MemRegionVal> LV = TheValueExpr.getAs<loc::MemRegionVal>(); Optional<loc::MemRegionVal> LV = TheValueExpr.getAs<loc::MemRegionVal>();
if (!LV) if (!LV)
return; return;
const TypedValueRegion* R = dyn_cast<TypedValueRegion>(LV->stripCasts()); const TypedValueRegion* R = dyn_cast<TypedValueRegion>(LV->stripCasts());
if (!R) if (!R)
return; return;
QualType T = Ctx.getCanonicalType(R->getValueType()); QualType T = Ctx.getCanonicalType(R->getValueType());
// FIXME: If the pointee isn't an integer type, should we flag a warning? // FIXME: If the pointee isn't an integer type, should we flag a warning?
// People can do weird stuff with pointers. // People can do weird stuff with pointers.
if (!T->isIntegralOrEnumerationType()) if (!T->isIntegralOrEnumerationType())
return; return;
uint64_t SourceSize = Ctx.getTypeSize(T); uint64_t PrimitiveTypeSize = Ctx.getTypeSize(T);
// CHECK: is SourceSize == TargetSize if (PrimitiveTypeSize == CFNumberSize)
if (SourceSize == TargetSize)
return; return;
// Generate an error. Only generate a sink error node
// if 'SourceSize < TargetSize'; otherwise generate a non-fatal error node.
//
// FIXME: We can actually create an abstract "CFNumber" object that has // FIXME: We can actually create an abstract "CFNumber" object that has
// the bits initialized to the provided values. // the bits initialized to the provided values.
// ExplodedNode *N = C.generateNonFatalErrorNode();
ExplodedNode *N = SourceSize < TargetSize ? C.generateErrorNode()
: C.generateNonFatalErrorNode();
if (N) { if (N) {
SmallString<128> sbuf; SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
bool isCreate = (FD->getIdentifier() == ICreate);
if (isCreate) {
os << (PrimitiveTypeSize == 8 ? "An " : "A ")
<< PrimitiveTypeSize << "-bit integer is used to initialize a "
<< "CFNumber object that represents "
<< (CFNumberSize == 8 ? "an " : "a ")
<< CFNumberSize << "-bit integer; ";
} else {
os << "A CFNumber object that represents "
<< (CFNumberSize == 8 ? "an " : "a ")
<< CFNumberSize << "-bit integer is used to initialize "
<< (PrimitiveTypeSize == 8 ? "an " : "a ")
<< PrimitiveTypeSize << "-bit integer; ";
}
os << (SourceSize == 8 ? "An " : "A ") if (PrimitiveTypeSize < CFNumberSize)
<< SourceSize << " bit integer is used to initialize a CFNumber " os << (CFNumberSize - PrimitiveTypeSize)
"object that represents " << " bits of the CFNumber value will "
<< (TargetSize == 8 ? "an " : "a ") << (isCreate ? "be garbage." : "overwrite adjacent storage.");
<< TargetSize << " bit integer. ";
if (SourceSize < TargetSize)
os << (TargetSize - SourceSize)
<< " bits of the CFNumber value will be garbage." ;
else else
os << (SourceSize - TargetSize) os << (PrimitiveTypeSize - CFNumberSize)
<< " bits of the input integer will be lost."; << " bits of the integer value will be "
<< (isCreate ? "lost." : "garbage.");
if (!BT) if (!BT)
BT.reset(new APIMisuse(this, "Bad use of CFNumberCreate")); BT.reset(new APIMisuse(this, "Bad use of CFNumber APIs"));
auto report = llvm::make_unique<BugReport>(*BT, os.str(), N); auto report = llvm::make_unique<BugReport>(*BT, os.str(), N);
report->addRange(CE->getArg(2)->getSourceRange()); report->addRange(CE->getArg(2)->getSourceRange());
C.emitReport(std::move(report)); C.emitReport(std::move(report));
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 742 Lines▼ Show 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Check registration. // Check registration.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void ento::registerNilArgChecker(CheckerManager &mgr) { void ento::registerNilArgChecker(CheckerManager &mgr) {
mgr.registerChecker<NilArgChecker>(); mgr.registerChecker<NilArgChecker>();
} }
void ento::registerCFNumberCreateChecker(CheckerManager &mgr) { void ento::registerCFNumberChecker(CheckerManager &mgr) {
mgr.registerChecker<CFNumberCreateChecker>(); mgr.registerChecker<CFNumberChecker>();
} }
void ento::registerCFRetainReleaseChecker(CheckerManager &mgr) { void ento::registerCFRetainReleaseChecker(CheckerManager &mgr) {
mgr.registerChecker<CFRetainReleaseChecker>(); mgr.registerChecker<CFRetainReleaseChecker>();
} }
void ento::registerClassReleaseChecker(CheckerManager &mgr) { void ento::registerClassReleaseChecker(CheckerManager &mgr) {
mgr.registerChecker<ClassReleaseChecker>(); mgr.registerChecker<ClassReleaseChecker>();
Show All 14 Lines

test/Analysis/CFNumber.c

// RUN: %clang_cc1 -analyze -analyzer-checker=core,osx.coreFoundation.CFNumber,osx.cocoa.RetainCount -analyzer-store=region -analyzer-constraints=range -verify -triple x86_64-apple-darwin9 %s // RUN: %clang_cc1 -analyze -analyzer-checker=core,osx.coreFoundation.CFNumber,osx.cocoa.RetainCount -analyzer-store=region -analyzer-constraints=range -verify -triple x86_64-apple-darwin9 %s
typedef signed long CFIndex; typedef signed long CFIndex;
typedef const struct __CFAllocator * CFAllocatorRef; typedef const struct __CFAllocator * CFAllocatorRef;
enum { kCFNumberSInt8Type = 1, kCFNumberSInt16Type = 2, enum { kCFNumberSInt8Type = 1, kCFNumberSInt16Type = 2,
kCFNumberSInt32Type = 3, kCFNumberSInt64Type = 4, kCFNumberSInt32Type = 3, kCFNumberSInt64Type = 4,
kCFNumberFloat32Type = 5, kCFNumberFloat64Type = 6, kCFNumberFloat32Type = 5, kCFNumberFloat64Type = 6,
kCFNumberCharType = 7, kCFNumberShortType = 8, kCFNumberCharType = 7, kCFNumberShortType = 8,
kCFNumberIntType = 9, kCFNumberLongType = 10, kCFNumberIntType = 9, kCFNumberLongType = 10,
kCFNumberLongLongType = 11, kCFNumberFloatType = 12, kCFNumberLongLongType = 11, kCFNumberFloatType = 12,
kCFNumberDoubleType = 13, kCFNumberCFIndexType = 14, kCFNumberDoubleType = 13, kCFNumberCFIndexType = 14,
kCFNumberNSIntegerType = 15, kCFNumberCGFloatType = 16, kCFNumberNSIntegerType = 15, kCFNumberCGFloatType = 16,
kCFNumberMaxType = 16 }; kCFNumberMaxType = 16 };
typedef CFIndex CFNumberType; typedef CFIndex CFNumberType;
typedef const struct __CFNumber * CFNumberRef; typedef const struct __CFNumber * CFNumberRef;
typedef unsigned char Boolean;
extern CFNumberRef CFNumberCreate(CFAllocatorRef allocator, CFNumberType theType, const void *valuePtr); extern CFNumberRef CFNumberCreate(CFAllocatorRef allocator, CFNumberType theType, const void *valuePtr);
Boolean CFNumberGetValue(CFNumberRef number, CFNumberType theType, void *valuePtr);
CFNumberRef f1(unsigned char x) { __attribute__((cf_returns_retained)) CFNumberRef f1(unsigned char x) {
return CFNumberCreate(0, kCFNumberSInt16Type, &x); // expected-warning{{An 8 bit integer is used to initialize a CFNumber object that represents a 16 bit integer. 8 bits of the CFNumber value will be garbage}} return CFNumberCreate(0, kCFNumberSInt16Type, &x); // expected-warning{{An 8-bit integer is used to initialize a CFNumber object that represents a 16-bit integer; 8 bits of the CFNumber value will be garbage}}
} }
__attribute__((cf_returns_retained)) CFNumberRef f2(unsigned short x) { __attribute__((cf_returns_retained)) CFNumberRef f2(unsigned short x) {
return CFNumberCreate(0, kCFNumberSInt8Type, &x); // expected-warning{{A 16 bit integer is used to initialize a CFNumber object that represents an 8 bit integer. 8 bits of the input integer will be lost}} return CFNumberCreate(0, kCFNumberSInt8Type, &x); // expected-warning{{A 16-bit integer is used to initialize a CFNumber object that represents an 8-bit integer; 8 bits of the integer value will be lost}}
} }
// test that the attribute overrides the naming convention. // test that the attribute overrides the naming convention.
__attribute__((cf_returns_not_retained)) CFNumberRef CreateNum(unsigned char x) { __attribute__((cf_returns_not_retained)) CFNumberRef CreateNum(unsigned char x) {
return CFNumberCreate(0, kCFNumberSInt8Type, &x); // expected-warning{{leak}} return CFNumberCreate(0, kCFNumberSInt8Type, &x); // expected-warning{{leak}}
} }
CFNumberRef f3(unsigned i) { __attribute__((cf_returns_retained)) CFNumberRef f3(unsigned i) {
return CFNumberCreate(0, kCFNumberLongType, &i); // expected-warning{{A 32 bit integer is used to initialize a CFNumber object that represents a 64 bit integer}} return CFNumberCreate(0, kCFNumberLongType, &i); // expected-warning{{A 32-bit integer is used to initialize a CFNumber object that represents a 64-bit integer}}
}
unsigned char getValueTest1(CFNumberRef x) {
unsigned char scalar = 0;
CFNumberGetValue(x, kCFNumberSInt16Type, &scalar); // expected-warning{{A CFNumber object that represents a 16-bit integer is used to initialize an 8-bit integer; 8 bits of the CFNumber value will overwrite adjacent storage}}
NoQUnsubmitted
Not Done
ReplyInline Actions

We're not sure from this code if the CFNumber object x actually represents a 16-bit integer, or somebody just misplaced the kCFNumberSInt16Type thing. I think the warning message could be made more precise in this sence, but i'm not good at coming up with warning messages.

Hmm, there could actually be a separate check for detecting inconsistent type specifiers used for accessing the same CFNumber object.

NoQ: We're not sure from this code if the `CFNumber` object `x` actually represents a 16-bit integer…
zaks.annaAuthorUnsubmitted
Not Done
ReplyInline Actions

I see your point. Looks like we'd need to modify both first part of the sentence and the second to address this concern. We could do something like "A CFNumber object treated as if it represents a 16-bit integer is used to initialize an 8-bit integer; 8 bits of the CFNumber value or the adjacent storage will overwrite adjacent storage of the integer".

Though this is more correct, I do not think it's worth the new language complexity. Also, the warning message is already quite long.

zaks.anna: I see your point. Looks like we'd need to modify both first part of the sentence and the second…
return scalar;
}
unsigned char getValueTest2(CFNumberRef x) {
unsigned short scalar = 0;
CFNumberGetValue(x, kCFNumberSInt8Type, &scalar); // expected-warning{{A CFNumber object that represents an 8-bit integer is used to initialize a 16-bit integer; 8 bits of the integer value will be garbage}}
return scalar;
} }
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

Some grammar/style nits. (I realize these also hold for the pre-existing checks):

  • There should be a dash between the number and 'bit'. That is, it should be "16-bit" and "8-bit".
  • It is generally considered bad style to start a sentence with a number that is not written out (except for dates). How about starting the second sentence with "The remaining 8 bits ..."?
dcoughlin: Some grammar/style nits. (I realize these also hold for the pre-existing checks): - There…
dcoughlinUnsubmitted
Not Done
ReplyInline Actions

I feel like this diagnostic is not dire enough. The problem is not that the bits will be lost -- but rather that they will be overwritten on top of something else!

How about something like "The remaining 8 bits will overwrite adjacent storage."?

dcoughlin: I feel like this diagnostic is not dire enough. The problem is not that the bits will be lost…