This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
31/41
StreamChecker.cpp
-
test/Analysis/
-
Analysis/
-
stream.c
-
stream.cpp

Differential D67706

[clang][analyzer] Using CallDescription in StreamChecker.
ClosedPublic

Authored by balazske on Sep 18 2019, 6:47 AM.

Download Raw Diff

Details

Reviewers

Szelethus
NoQ
baloghadamsoftware
Charusso

Commits

rG4980c1333fa4: [clang][analyzer] Using CallDescription in StreamChecker.

Summary

Recognization of function names is done now with the CallDescription
class instead of using IdentifierInfo. This means function name and
argument count is compared too.
A new check for filtering not global-C-functions was added.
Test was updated.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

balazske created this revision.Sep 18 2019, 6:47 AM

Herald added a project: Restricted Project. · View Herald TranscriptSep 18 2019, 6:47 AM

Herald added subscribers: cfe-commits, gamesh411, Szelethus, dkrupp. · View Herald Transcript

Harbormaster completed remote builds in B38252: Diff 220658.Sep 18 2019, 6:50 AM

Szelethus retitled this revision from [clang][checkers] Using CallDescription in StreamChecker. to [clang][analyzer] Using CallDescription in StreamChecker..Sep 18 2019, 9:55 AM

Szelethus added reviewers: Szelethus, NoQ.

Herald added subscribers: Charusso, donat.nagy, mikhail.ramalho and 4 others. · View Herald TranscriptSep 18 2019, 9:55 AM

Thanks! Woohoo, tests!

You can go one step further to have a CallDescriptionMap, like in D62557. This would replace the whole chain of ifs with a map lookup (which is currently still a chain of ifs under the hood, but a lot less code anyway and we'll probably optimize it under the hood later).

Using CallDescriptionMap.

Harbormaster completed remote builds in B38660: Diff 222138.Sep 27 2019, 5:17 AM

It seems like this patch is diffed against your latest commit, not the master branch.

In D67706#1685963, @Szelethus wrote:

It seems like this patch is diffed against your latest commit, not the master branch.

Yeah, seems so. The code looks great tho, thanks!

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
57–58	Feel free to omit the constructor entirely. We almost never have constructors in our checkers.
65–78	Are you sure these functions are actually sometimes implemented as builtins? I think they're required to be regular functions.
81–97	For most purposes it's more convenient to pass `CallEvent` around. The only moment when you actually need the `CallExpr` is when you're doing the binding for the return value, which happens once, so it's fine to call `.getOriginExpr()` directly at this point.
112–114	(not your fault but before i forget) This check is actually redundant.
212	(not your fault but before i forget) This condition is actually always true here.

balazske marked an inline comment as done.Sep 30 2019, 3:58 AM

balazske added inline comments.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
81–97	The CallExpr is used at many places to get arguments and other data. There is a `CallEvent::getArgSVal` that can be used instead but at some places CallExpr is used in other ways. I do not see much benefit of change the passed `CallExpr` to `CallEvent`.

NoQ added inline comments.Sep 30 2019, 12:49 PM

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
81–97	at some places CallExpr is used in other ways Can we add more convenient getters to `CallEvent` to help with those? 'Cause `CallEvent` has strictly more information than `CallExpr` (combining syntactic information with path-sensitive information), it's all about convenience. I also see that `CallExpr` is stored in `StreamState` (which is something you can't do with a `CallEvent` because it's short-lived) but i suspect that it's actually never read from there and i doubt that it was the right solution anyway. I.e., no other checker needs that and i don't have a reason to believe that `StreamChecker` is special.

Various code cleanups. Eval functions use CallEvent, CallExpr is removed from state.

Harbormaster completed remote builds in B38796: Diff 222566.Oct 1 2019, 2:26 AM

A few nits inline, otherwise the patch is awesome, thank you!!

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
62–104	Prefer using. When I wrote D68165, I spent about 10 minutes figuring out how to do it... Ah, the joys of the C++ syntax. using FnCheck = void (StreamChecker::*)(const CallEvent &, CheckerContext &) const;
112–113	Isn't this redundant with my other inline about parameter types?
135–139	I'm not sure why we need this, is it true that all stream related functions return a pointer or a numerical value? Are we actually checking whether this really is a library function? If so, this looks pretty arbitrary.
154	Why the need for `(void)`? `CheckNullSteam` doesn't seem to have an `LLVM_NODISCARD` attribute.

balazske marked 3 inline comments as done.Oct 1 2019, 6:29 AM

balazske added inline comments.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
112–113	Probably change to `isInSystemHeader` or use both?
135–139	This comes from code of CStringChecker: // Pro-actively check that argument types are safe to do arithmetic upon. // We do not want to crash if someone accidentally passes a structure // into, say, a C++ overload of any of these functions. We could not check // that for std::copy because they may have arguments of other types. Still I am not sure that the checker works correct with code that contains similar named but "arbitrary" functions.
154	I wanted to be sure to get no buildbot compile errors (where -Werror is used).

Szelethus added inline comments.Oct 1 2019, 6:41 AM

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
135–139	Oops, meant to write that ", is it true that all stream related functions have only pointer or a numerical parameters?".

Szelethus added inline comments.Oct 1 2019, 6:57 AM

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
112–113	Actually, this looks fine. How about preserving this...
135–139	...and removing this one, or changing it to an assert?
154	They actually break on this?? Let me guess, is it the windows one? :D

balazske marked 2 inline comments as done.Oct 1 2019, 7:59 AM

balazske added inline comments.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
112–113	Should be the "stream functions" always in system header? If no `isInSystemHeader` call is used any global function called "fopen" with 2 arguments is recognized as stream opening function. If it returns a pointer and no "fclose" is called on that we will get a resource leak warning for that code. (But for this case the user will probably not enable the checker?).
135–139	This can not be an assert because it is possible to have global functions with same name but different signature. The check can be kept to filter out such cases. The wanted stream functions have only integral or enum or pointer arguments.

NoQ added inline comments.Oct 1 2019, 12:45 PM

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
62–104	It's actually very easy to remember, it's just an alien kiss smiley ::*)
135–139	Clang shouldn't crash even when the library definition is incorrect.
154	I'd rather not discard the return value, but allow callbacks indicate an error when something goes wrong, so that to allow them to abort `evalCall()`. But more importantly, note how `CheckNullStream` actually returns a `ProgramStateRef` that was meant to be transitioned into. Which means that the primary execution path actually gets cut off. So even if buildbots didn't warn on this, i wish they did.

Re-design of eval functions.
Added a C++ test with fopen-looking function.

Harbormaster completed remote builds in B38885: Diff 222795.Oct 2 2019, 3:40 AM

Ping

Szelethus added inline comments.Oct 11 2019, 8:04 AM

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
197–199	Why is there a need to use an `Optional`? Why not just return a `nullptr`? As I saw it, each time we check both whether the optional has a value and whether the state within it is null.
203–205	Aha, so we're no longer checking whether `Sym` is null, because why would we, we literally made created it as a symbol a couple lines up. Is it worth `assert()`ing though?
247–250	And here too?

balazske marked 3 inline comments as done.Oct 11 2019, 8:49 AM

balazske added inline comments.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
197–199	The idea was that there are 3 kind of return values: Change to a new state, do not change to new state, or error was found. In the first and last case we should return `true` from `evalCall` but not if there is no state to change into and the analysis can proceed in default way.
203–205	Probably better to have the assert.

Ping again

balazske added a reviewer: baloghadamsoftware.Oct 29 2019, 4:05 AM

Herald added a subscriber: rnkovacs. · View Herald TranscriptOct 29 2019, 4:05 AM

Could you please mark resolved issues as resolved? I would like to see what we miss, and what has been done.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
63	I prefer `std::function`, because it is modern. using StreamCheck = std::function<void(const StreamChecker *, const CallEvent &, CheckerContext &)>; I think it is fine with pointers, but at some point we need to modernize this.
66	Because `evalFopen()` is basically the `OpenFileAux(Call, C);`, I think we could simplify the API by removing unnecessary one-liners so here you could write `{{"fopen"}, &StreamChecker::OpenFileAux`, that is why the `CallEvent` parameter is so generic and useful.
101	This `Optional` is not necessary. When the state is changed, you can rely on `CheckerContext::isDifferent()` to see whether the modeling was succeeded. Therefore you could revert the `bool` return values as well.
120–123	Why do you inject `this`?
130	I would move this tiny `identifyCall()` into `evalCall()` as the purpose of `evalCall()` is the validation of the `Callback` in this case.

This revision now requires changes to proceed.Oct 29 2019, 4:29 AM

NoQ added inline comments.Oct 29 2019, 4:17 PM

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
158–159	This is getting pretty messy, given that you've already made a transition in this function. If you do `addTransition` and then `generateNonFatalErrorNode`, then you'll get two parallel successor nodes, but you only need one. You should either delay the transition that happens immediately after `CheckNullStream`, or chain the two transitions together sequentially (as opposed to in parallel).

Redesign again.

Harbormaster completed remote builds in B40271: Diff 227093.Oct 30 2019, 7:37 AM

Its becoming a bit difficult to navigate inlines, could you please mark them as done as you address them?

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
63	But its also a lot more expensive. https://blog.demofox.org/2015/02/25/avoiding-the-performance-hazzards-of-stdfunction/ `std::function` is able to wrap lambdas with different captures and all sorts of things like that, which comes at a cost.

balazske marked 22 inline comments as done and an inline comment as not done.Oct 30 2019, 8:22 AM

balazske added inline comments.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
63	Now `std::function` and `std::bind` is used. Probably more expensive but it is called once in a `evalCall`, that should be no problem?
81–97	In the new code `CallEvent` is passed.
101	`Optional` is not used now. The functions only return if the passed state was modified (if applicable). To detect if error was generated the `isDifferent` is used.
130	`identifyCall` is removed now.
158–159	`evalFseek` has now a transition to new (non-null stream) state or transition to (non-fatal) error.

Let's land this patch, given that it grew way too big for a refactoring pass, and let @balazske further clean things up later in his follow-up patches. This is already a large improvement and i'm very grateful!

For the Optional vs. bool debate: let's see. For now we have roughly the following:

bool checkNullStream(..., ProgramStateRef *State) {
  if (!NonBuggyState && BuggyState) {
    C.emitReport(..., C.generateErrorNode(BuggyState));
    return false;
  }

  if (NonBuggyState) {
    *State = NonBuggyState;
    return true;
  }

  return false;
}

void checkFseekWhence(..., ProgramStateRef *State) const {
  if (!isBuggy(State))
    return;

  C.emitReport(..., C.generateNonFatalErrorNode(State));
}

void evalFseek(...) {
  ProgramStateRef State = C.getState();
  bool StateChanged = checkNullStream(..., &State);
  if (C.isDifferent())
    return;

  checkFseekWhence(..., &State);
  if (!C.isDifferent() && StateChanged)
    C.addTransition(State);
}

In this code functions checkNullStream and checkFseekWhence are very similar. Both of them do some checking and potentially emit a report. In high-level terms, all you're trying to do is conduct two checks at the same program point.

How did these two functions end up being so completely different? What will you do if you have not 2 but, say, 10 different checks that you need to conduct? That's not a random question; checkers do tend to grow this way, so i'm pretty sure you'll eventually need to answer this question.

In ExprEngine, the class that's responsible for modeling all statements that have effect on the program state, we have a very common idiom for chaining pieces of work together. It looks roughly like this:

void modelSomethingPart1(ExplodedNode *Pred, set<ExplodedNode> *Succs);
void modelSomethingPart2(ExplodedNode *Pred, set<ExplodedNode> *Succs);
void modelSomethingPart3(ExplodedNode *Pred, set<ExplodedNode> *Succs);
...
void modelSomethingPartK(ExplodedNode *Pred, set<ExplodedNode> *Succs);


void modelSomething(ExplodedNode *Pred) {
  set<ExplodedNode> Set0 = { Pred };

  set<ExplodedNode> Set1;
  for (P : Set0)
    modelSomethingPart1(P, &Set1);
  
  set<ExplodedNode> Set2;
  for (P : Set1)
    modelSomethingPart2(P, &Set2);
  
  set<ExplodedNode> Set3;
  for (P : Set2)
    modelSomethingPart3(P, &Set3);

  ...

  set<ExplodedNode> SetK;
  for (P : SetKMinus1)
    modelSomethingPartK(P, &SetK);

  for (N : SetK)
    addTransition(N);
}

As you see, it scales nicely for any number of sub-tasks and you don't need to juggle boolean flags or optionals when you add another sub-task. Moreover, you can further split each of your sub-tasks into even smaller sub-sub-tasks in a similar manner.

In ExprEngine this idiom is completely essential due to how arbitrary most of the effects-of-statements tend to be. In checkers, however, this level of complexity has never been necessary so far because most sub-methods either produce exactly one new state, or sink completely. For checkers like this one, which do multiple checks, i recommend passing a single node around:

ExplodedNode *checkNullStream(..., ExplodedNode *Pred) {
  if (!NonBuggyState && BuggyState)
    C.emitReport(..., C.generateErrorNode(BuggyState, Pred));

  return C.addTransition(NonBuggyState, Pred);
}

ExplodedNode *checkFseekWhence(..., ExplodedNode *Pred) const {
  State = Pred->getState();
  if (!isBuggy(State))
    return Pred;
  ExplodedNode *N = C.generateNonFatalErrorNode(State);
  if (N)
    C.emitReport(..., N);
  return N;
}

void evalFseek(...) {
  ExplodedNode *N = C.getPredecessor();

  N = checkNullStream(..., N);
  if (!N)
    return;

  N = checkFseekWhence(..., N);
  if (!N)
    return;

  N = checkSomethingElse1(..., N);
  if (!N)
    return;

  N = checkSomethingElse2(..., N);
  if (!N)
    return;

  ...

  checkSomethingElseK(..., N);
}

This wastes exploded nodes a little bit but that's fine. It's much less scary than accidentally adding unnecessary state splits.

My concern was the too heavy Optional and bool usage. Cool patch!

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
63	There is no real overhead, yes.

This revision is now accepted and ready to land.Oct 30 2019, 4:09 PM

Let's make it 3! Thank you so much for sticking by, I guess one of the reasons why a patch so obviously great and desired took so long is that we still didn't figure out how we imagine the CallDescriptionMap to be integrated into larger checkers :) In any case, this is a major step in the right direction, MallocChecker and some of the others should take notes.

Closed by commit rG4980c1333fa4: [clang][analyzer] Using CallDescription in StreamChecker. (authored by balazske). · Explain WhyOct 31 2019, 4:40 AM

This revision was automatically updated to reflect the committed changes.

balazske marked 3 inline comments as done.

Szelethus mentioned this in D70818: [Analyzer] Model STL Algoirthms to improve the iterator checkers.Feb 5 2020, 5:59 AM

Szelethus mentioned this in D71524: [analyzer] Support tainted objects in GenericTaintChecker.Feb 5 2020, 7:14 AM

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

StreamChecker.cpp

400 lines

test/

Analysis/

stream.c

103 lines

stream.cpp

22 lines

Diff 227264

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

	Show All 13 Lines
	#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"			#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
	#include "clang/StaticAnalyzer/Core/Checker.h"			#include "clang/StaticAnalyzer/Core/Checker.h"
	#include "clang/StaticAnalyzer/Core/CheckerManager.h"			#include "clang/StaticAnalyzer/Core/CheckerManager.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
				#include <functional>

	using namespace clang;			using namespace clang;
	using namespace ento;			using namespace ento;
				using namespace std::placeholders;

	namespace {			namespace {

	struct StreamState {			struct StreamState {
	enum Kind { Opened, Closed, OpenFailed, Escaped } K;			enum Kind { Opened, Closed, OpenFailed, Escaped } K;
	const Stmt *S;

	StreamState(Kind k, const Stmt *s) : K(k), S(s) {}			StreamState(Kind k) : K(k) {}

	bool isOpened() const { return K == Opened; }			bool isOpened() const { return K == Opened; }
	bool isClosed() const { return K == Closed; }			bool isClosed() const { return K == Closed; }
	//bool isOpenFailed() const { return K == OpenFailed; }			//bool isOpenFailed() const { return K == OpenFailed; }
	//bool isEscaped() const { return K == Escaped; }			//bool isEscaped() const { return K == Escaped; }

	bool operator==(const StreamState &X) const {			bool operator==(const StreamState &X) const { return K == X.K; }
	return K == X.K && S == X.S;
	}

	static StreamState getOpened(const Stmt *s) { return StreamState(Opened, s); }			static StreamState getOpened() { return StreamState(Opened); }
	static StreamState getClosed(const Stmt *s) { return StreamState(Closed, s); }			static StreamState getClosed() { return StreamState(Closed); }
	static StreamState getOpenFailed(const Stmt *s) {			static StreamState getOpenFailed() { return StreamState(OpenFailed); }
	return StreamState(OpenFailed, s);			static StreamState getEscaped() { return StreamState(Escaped); }
	}
	static StreamState getEscaped(const Stmt *s) {
	return StreamState(Escaped, s);
	}

	void Profile(llvm::FoldingSetNodeID &ID) const {			void Profile(llvm::FoldingSetNodeID &ID) const {
	ID.AddInteger(K);			ID.AddInteger(K);
	ID.AddPointer(S);
	}			}
	};			};

	class StreamChecker : public Checker<eval::Call,			class StreamChecker : public Checker<eval::Call,
	check::DeadSymbols > {			check::DeadSymbols > {
	mutable IdentifierInfo II_fopen, II_tmpfile, II_fclose, II_fread,
	*II_fwrite,
	II_fseek, II_ftell, II_rewind, II_fgetpos, *II_fsetpos,
	II_clearerr, II_feof, II_ferror, II_fileno;
	mutable std::unique_ptr<BuiltinBug> BT_nullfp, BT_illegalwhence,			mutable std::unique_ptr<BuiltinBug> BT_nullfp, BT_illegalwhence,
	BT_doubleclose, BT_ResourceLeak;			BT_doubleclose, BT_ResourceLeak;

	public:			public:
	StreamChecker()
	: II_fopen(nullptr), II_tmpfile(nullptr), II_fclose(nullptr),
	II_fread(nullptr), II_fwrite(nullptr), II_fseek(nullptr),
	II_ftell(nullptr), II_rewind(nullptr), II_fgetpos(nullptr),
	II_fsetpos(nullptr), II_clearerr(nullptr), II_feof(nullptr),
	II_ferror(nullptr), II_fileno(nullptr) {}

	bool evalCall(const CallEvent &Call, CheckerContext &C) const;			bool evalCall(const CallEvent &Call, CheckerContext &C) const;
				NoQUnsubmitted Done Reply Inline Actions Feel free to omit the constructor entirely. We almost never have constructors in our checkers. NoQ: Feel free to omit the constructor entirely. We almost never have constructors in our checkers.
	void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;			void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;

	private:			private:
	void Fopen(CheckerContext &C, const CallExpr *CE) const;			using FnCheck = std::function<void(const StreamChecker *, const CallEvent &,
	void Tmpfile(CheckerContext &C, const CallExpr *CE) const;			CheckerContext &)>;
				CharussoUnsubmitted Done Reply Inline Actions I prefer `std::function`, because it is modern. using StreamCheck = std::function<void(const StreamChecker , const CallEvent &, CheckerContext &)>; I think it is fine with pointers, but at some point we need to modernize this. Charusso:* I prefer `std::function`, because it is modern. ``` using StreamCheck = std…
				SzelethusUnsubmitted Not Done Reply Inline Actions But its also a lot more expensive. https://blog.demofox.org/2015/02/25/avoiding-the-performance-hazzards-of-stdfunction/ `std::function` is able to wrap lambdas with different captures and all sorts of things like that, which comes at a cost. Szelethus: But its also a lot more expensive. https://blog.demofox.org/2015/02/25/avoiding-the-performance…
				balazskeAuthorUnsubmitted Done Reply Inline Actions Now `std::function` and `std::bind` is used. Probably more expensive but it is called once in a `evalCall`, that should be no problem? balazske: Now `std::function` and `std::bind` is used. Probably more expensive but it is called once in a…
				CharussoUnsubmitted Done Reply Inline Actions There is no real overhead, yes. Charusso: There is no real overhead, yes.
	void Fclose(CheckerContext &C, const CallExpr *CE) const;
	void Fread(CheckerContext &C, const CallExpr *CE) const;			CallDescriptionMap<FnCheck> Callbacks = {
	void Fwrite(CheckerContext &C, const CallExpr *CE) const;			{{"fopen"}, &StreamChecker::evalFopen},
				CharussoUnsubmitted Done Reply Inline Actions Because `evalFopen()` is basically the `OpenFileAux(Call, C);`, I think we could simplify the API by removing unnecessary one-liners so here you could write `{{"fopen"}, &StreamChecker::OpenFileAux`, that is why the `CallEvent` parameter is so generic and useful. Charusso: Because `evalFopen()` is basically the `OpenFileAux(Call, C);`, I think we could simplify the…
	void Fseek(CheckerContext &C, const CallExpr *CE) const;			{{"tmpfile"}, &StreamChecker::evalFopen},
	void Ftell(CheckerContext &C, const CallExpr *CE) const;			{{"fclose", 1}, &StreamChecker::evalFclose},
	void Rewind(CheckerContext &C, const CallExpr *CE) const;			{{"fread", 4},
	void Fgetpos(CheckerContext &C, const CallExpr *CE) const;			std::bind(&StreamChecker::checkArgNullStream, _1, _2, _3, 3)},
	void Fsetpos(CheckerContext &C, const CallExpr *CE) const;			{{"fwrite", 4},
	void Clearerr(CheckerContext &C, const CallExpr *CE) const;			std::bind(&StreamChecker::checkArgNullStream, _1, _2, _3, 3)},
	void Feof(CheckerContext &C, const CallExpr *CE) const;			{{"fseek", 3}, &StreamChecker::evalFseek},
	void Ferror(CheckerContext &C, const CallExpr *CE) const;			{{"ftell", 1},
	void Fileno(CheckerContext &C, const CallExpr *CE) const;			std::bind(&StreamChecker::checkArgNullStream, _1, _2, _3, 0)},
				{{"rewind", 1},
	void OpenFileAux(CheckerContext &C, const CallExpr *CE) const;			std::bind(&StreamChecker::checkArgNullStream, _1, _2, _3, 0)},
				{{"fgetpos", 2},
				NoQUnsubmitted Done Reply Inline Actions Are you sure these functions are actually sometimes implemented as builtins? I think they're required to be regular functions. NoQ: Are you sure these functions are actually sometimes implemented as builtins? I think they're…
	ProgramStateRef CheckNullStream(SVal SV, ProgramStateRef state,			std::bind(&StreamChecker::checkArgNullStream, _1, _2, _3, 0)},
	CheckerContext &C) const;			{{"fsetpos", 2},
	ProgramStateRef CheckDoubleClose(const CallExpr *CE, ProgramStateRef state,			std::bind(&StreamChecker::checkArgNullStream, _1, _2, _3, 0)},
	CheckerContext &C) const;			{{"clearerr", 1},
				std::bind(&StreamChecker::checkArgNullStream, _1, _2, _3, 0)},
				{{"feof", 1},
				std::bind(&StreamChecker::checkArgNullStream, _1, _2, _3, 0)},
				{{"ferror", 1},
				std::bind(&StreamChecker::checkArgNullStream, _1, _2, _3, 0)},
				{{"fileno", 1},
				std::bind(&StreamChecker::checkArgNullStream, _1, _2, _3, 0)},
				};

				void evalFopen(const CallEvent &Call, CheckerContext &C) const;
				void evalFclose(const CallEvent &Call, CheckerContext &C) const;
				void evalFseek(const CallEvent &Call, CheckerContext &C) const;

				void checkArgNullStream(const CallEvent &Call, CheckerContext &C,
				unsigned ArgI) const;
				NoQUnsubmitted Done Reply Inline Actions For most purposes it's more convenient to pass `CallEvent` around. The only moment when you actually need the `CallExpr` is when you're doing the binding for the return value, which happens once, so it's fine to call `.getOriginExpr()` directly at this point. NoQ: For most purposes it's more convenient to pass `CallEvent` around. The only moment when you…
				balazskeAuthorUnsubmitted Done Reply Inline Actions The CallExpr is used at many places to get arguments and other data. There is a `CallEvent::getArgSVal` that can be used instead but at some places CallExpr is used in other ways. I do not see much benefit of change the passed `CallExpr` to `CallEvent`. balazske: The CallExpr is used at many places to get arguments and other data. There is a `CallEvent…
				NoQUnsubmitted Done Reply Inline Actions at some places CallExpr is used in other ways Can we add more convenient getters to `CallEvent` to help with those? 'Cause `CallEvent` has strictly more information than `CallExpr` (combining syntactic information with path-sensitive information), it's all about convenience. I also see that `CallExpr` is stored in `StreamState` (which is something you can't do with a `CallEvent` because it's short-lived) but i suspect that it's actually never read from there and i doubt that it was the right solution anyway. I.e., no other checker needs that and i don't have a reason to believe that `StreamChecker` is special. NoQ: > at some places CallExpr is used in other ways Can we add more convenient getters to…
				balazskeAuthorUnsubmitted Done Reply Inline Actions In the new code `CallEvent` is passed. balazske: In the new code `CallEvent` is passed.
				bool checkNullStream(SVal SV, CheckerContext &C,
				ProgramStateRef &State) const;
				void checkFseekWhence(SVal SV, CheckerContext &C,
				ProgramStateRef &State) const;
				CharussoUnsubmitted Done Reply Inline Actions This `Optional` is not necessary. When the state is changed, you can rely on `CheckerContext::isDifferent()` to see whether the modeling was succeeded. Therefore you could revert the `bool` return values as well. Charusso: This `Optional` is not necessary. When the state is changed, you can rely on `CheckerContext…
				balazskeAuthorUnsubmitted Done Reply Inline Actions `Optional` is not used now. The functions only return if the passed state was modified (if applicable). To detect if error was generated the `isDifferent` is used. balazske: `Optional` is not used now. The functions only return if the passed state was modified (if…
				bool checkDoubleClose(const CallEvent &Call, CheckerContext &C,
				ProgramStateRef &State) const;
	};			};
				SzelethusUnsubmitted Done Reply Inline Actions Prefer using. When I wrote D68165, I spent about 10 minutes figuring out how to do it... Ah, the joys of the C++ syntax. using FnCheck = void (StreamChecker::)(const CallEvent &, CheckerContext &) const; Szelethus:* Prefer using. When I wrote D68165, I spent about 10 minutes figuring out how to do it... Ah…
				NoQUnsubmitted Done Reply Inline Actions It's actually very easy to remember, it's just an alien kiss smiley ::) NoQ:* It's actually very easy to remember, it's just an alien kiss smiley ::*)

	} // end anonymous namespace			} // end anonymous namespace

	REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)			REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)


	bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {			bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
	const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());			const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
	if (!FD \|\| FD->getKind() != Decl::Function)			if (!FD \|\| FD->getKind() != Decl::Function)
				SzelethusUnsubmitted Done Reply Inline Actions Isn't this redundant with my other inline about parameter types? Szelethus: Isn't this redundant with my other inline about parameter types?
				balazskeAuthorUnsubmitted Done Reply Inline Actions Probably change to `isInSystemHeader` or use both? balazske: Probably change to `isInSystemHeader` or use both?
				SzelethusUnsubmitted Done Reply Inline Actions Actually, this looks fine. How about preserving this... Szelethus: Actually, this looks fine. How about preserving this...
				balazskeAuthorUnsubmitted Done Reply Inline Actions Should be the "stream functions" always in system header? If no `isInSystemHeader` call is used any global function called "fopen" with 2 arguments is recognized as stream opening function. If it returns a pointer and no "fclose" is called on that we will get a resource leak warning for that code. (But for this case the user will probably not enable the checker?). balazske: Should be the "stream functions" always in system header? If no `isInSystemHeader` call is used…
	return false;			return false;
				NoQUnsubmitted Not Done Reply Inline Actions (not your fault but before i forget) This check is actually redundant. NoQ: (not your fault but before i forget) This check is actually redundant.

	const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());			// Recognize "global C functions" with only integral or pointer arguments
	if (!CE)			// (and matching name) as stream functions.
				if (!Call.isGlobalCFunction())
				return false;
				for (auto P : Call.parameters()) {
				QualType T = P->getType();
				if (!T->isIntegralOrEnumerationType() && !T->isPointerType())
	return false;			return false;
				CharussoUnsubmitted Done Reply Inline Actions Why do you inject `this`? Charusso: Why do you inject `this`?

	ASTContext &Ctx = C.getASTContext();
	if (!II_fopen)
	II_fopen = &Ctx.Idents.get("fopen");
	if (!II_tmpfile)
	II_tmpfile = &Ctx.Idents.get("tmpfile");
	if (!II_fclose)
	II_fclose = &Ctx.Idents.get("fclose");
	if (!II_fread)
	II_fread = &Ctx.Idents.get("fread");
	if (!II_fwrite)
	II_fwrite = &Ctx.Idents.get("fwrite");
	if (!II_fseek)
	II_fseek = &Ctx.Idents.get("fseek");
	if (!II_ftell)
	II_ftell = &Ctx.Idents.get("ftell");
	if (!II_rewind)
	II_rewind = &Ctx.Idents.get("rewind");
	if (!II_fgetpos)
	II_fgetpos = &Ctx.Idents.get("fgetpos");
	if (!II_fsetpos)
	II_fsetpos = &Ctx.Idents.get("fsetpos");
	if (!II_clearerr)
	II_clearerr = &Ctx.Idents.get("clearerr");
	if (!II_feof)
	II_feof = &Ctx.Idents.get("feof");
	if (!II_ferror)
	II_ferror = &Ctx.Idents.get("ferror");
	if (!II_fileno)
	II_fileno = &Ctx.Idents.get("fileno");

	if (FD->getIdentifier() == II_fopen) {
	Fopen(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_tmpfile) {
	Tmpfile(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_fclose) {
	Fclose(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_fread) {
	Fread(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_fwrite) {
	Fwrite(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_fseek) {
	Fseek(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_ftell) {
	Ftell(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_rewind) {
	Rewind(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_fgetpos) {
	Fgetpos(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_fsetpos) {
	Fsetpos(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_clearerr) {
	Clearerr(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_feof) {
	Feof(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_ferror) {
	Ferror(C, CE);
	return true;
	}
	if (FD->getIdentifier() == II_fileno) {
	Fileno(C, CE);
	return true;
	}			}

				const FnCheck *Callback = Callbacks.lookup(Call);
				if (!Callback)
	return false;			return false;
	}

	void StreamChecker::Fopen(CheckerContext &C, const CallExpr *CE) const {			(*Callback)(this, Call, C);
				CharussoUnsubmitted Done Reply Inline Actions I would move this tiny `identifyCall()` into `evalCall()` as the purpose of `evalCall()` is the validation of the `Callback` in this case. Charusso: I would move this tiny `identifyCall()` into `evalCall()` as the purpose of `evalCall()` is the…
				balazskeAuthorUnsubmitted Done Reply Inline Actions `identifyCall` is removed now. balazske: `identifyCall` is removed now.
	OpenFileAux(C, CE);
	}

	void StreamChecker::Tmpfile(CheckerContext &C, const CallExpr *CE) const {			return C.isDifferent();
	OpenFileAux(C, CE);
	}			}

	void StreamChecker::OpenFileAux(CheckerContext &C, const CallExpr *CE) const {			void StreamChecker::evalFopen(const CallEvent &Call, CheckerContext &C) const {
	ProgramStateRef state = C.getState();			ProgramStateRef state = C.getState();
	SValBuilder &svalBuilder = C.getSValBuilder();			SValBuilder &svalBuilder = C.getSValBuilder();
	const LocationContext *LCtx = C.getPredecessor()->getLocationContext();			const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
	DefinedSVal RetVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,			auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
				SzelethusUnsubmitted Not Done Reply Inline Actions I'm not sure why we need this, is it true that all stream related functions return a pointer or a numerical value? Are we actually checking whether this really is a library function? If so, this looks pretty arbitrary. Szelethus: I'm not sure why we need this, is it true that all stream related functions return a pointer…
				balazskeAuthorUnsubmitted Done Reply Inline Actions This comes from code of CStringChecker: // Pro-actively check that argument types are safe to do arithmetic upon. // We do not want to crash if someone accidentally passes a structure // into, say, a C++ overload of any of these functions. We could not check // that for std::copy because they may have arguments of other types. Still I am not sure that the checker works correct with code that contains similar named but "arbitrary" functions. balazske: This comes from code of CStringChecker: ``` // Pro-actively check that argument types are…
				SzelethusUnsubmitted Not Done Reply Inline Actions Oops, meant to write that ", is it true that all stream related functions have only pointer or a numerical parameters?". Szelethus: Oops, meant to write that ", is it true that all stream related functions have only pointer…
				SzelethusUnsubmitted Not Done Reply Inline Actions ...and removing this one, or changing it to an assert? Szelethus: ...and removing this one, or changing it to an assert?
				balazskeAuthorUnsubmitted Done Reply Inline Actions This can not be an assert because it is possible to have global functions with same name but different signature. The check can be kept to filter out such cases. The wanted stream functions have only integral or enum or pointer arguments. balazske: This can not be an assert because it is possible to have global functions with same name but…
				NoQUnsubmitted Done Reply Inline Actions Clang shouldn't crash even when the library definition is incorrect. NoQ: Clang shouldn't crash even when the library definition is incorrect.
	C.blockCount())			if (!CE)
				return;

				DefinedSVal RetVal =
				svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount())
	.castAs<DefinedSVal>();			.castAs<DefinedSVal>();
	state = state->BindExpr(CE, C.getLocationContext(), RetVal);			state = state->BindExpr(CE, C.getLocationContext(), RetVal);

	ConstraintManager &CM = C.getConstraintManager();			ConstraintManager &CM = C.getConstraintManager();
	// Bifurcate the state into two: one with a valid FILE* pointer, the other			// Bifurcate the state into two: one with a valid FILE* pointer, the other
	// with a NULL.			// with a NULL.
	ProgramStateRef stateNotNull, stateNull;			ProgramStateRef stateNotNull, stateNull;
	std::tie(stateNotNull, stateNull) = CM.assumeDual(state, RetVal);			std::tie(stateNotNull, stateNull) = CM.assumeDual(state, RetVal);

	if (SymbolRef Sym = RetVal.getAsSymbol()) {			SymbolRef Sym = RetVal.getAsSymbol();
				SzelethusUnsubmitted Not Done Reply Inline Actions Why the need for `(void)`? `CheckNullSteam` doesn't seem to have an `LLVM_NODISCARD` attribute. Szelethus: Why the need for `(void)`? `CheckNullSteam` doesn't seem to have an `LLVM_NODISCARD` attribute.
				balazskeAuthorUnsubmitted Done Reply Inline Actions I wanted to be sure to get no buildbot compile errors (where -Werror is used). balazske: I wanted to be sure to get no buildbot compile errors (where -Werror is used).
				SzelethusUnsubmitted Not Done Reply Inline Actions They actually break on this?? Let me guess, is it the windows one? :D Szelethus: They actually break on this?? Let me guess, is it the windows one? :D
				NoQUnsubmitted Done Reply Inline Actions I'd rather not discard the return value, but allow callbacks indicate an error when something goes wrong, so that to allow them to abort `evalCall()`. But more importantly, note how `CheckNullStream` actually returns a `ProgramStateRef` that was meant to be transitioned into. Which means that the primary execution path actually gets cut off. So even if buildbots didn't warn on this, i wish they did. NoQ: I'd rather not discard the return value, but allow callbacks indicate an error when something…
	// if RetVal is not NULL, set the symbol's state to Opened.			assert(Sym && "RetVal must be a symbol here.");
	stateNotNull =			stateNotNull = stateNotNull->set<StreamMap>(Sym, StreamState::getOpened());
	stateNotNull->set<StreamMap>(Sym,StreamState::getOpened(CE));			stateNull = stateNull->set<StreamMap>(Sym, StreamState::getOpenFailed());
	stateNull =
	stateNull->set<StreamMap>(Sym, StreamState::getOpenFailed(CE));

	C.addTransition(stateNotNull);			C.addTransition(stateNotNull);
				NoQUnsubmitted Done Reply Inline Actions This is getting pretty messy, given that you've already made a transition in this function. If you do `addTransition` and then `generateNonFatalErrorNode`, then you'll get two parallel successor nodes, but you only need one. You should either delay the transition that happens immediately after `CheckNullStream`, or chain the two transitions together sequentially (as opposed to in parallel). NoQ: This is getting pretty messy, given that you've already made a transition in this function. If…
				balazskeAuthorUnsubmitted Done Reply Inline Actions `evalFseek` has now a transition to new (non-null stream) state or transition to (non-fatal) error. balazske: `evalFseek` has now a transition to new (non-null stream) state or transition to (non-fatal)…
	C.addTransition(stateNull);			C.addTransition(stateNull);
	}			}
	}

	void StreamChecker::Fclose(CheckerContext &C, const CallExpr *CE) const {			void StreamChecker::evalFclose(const CallEvent &Call, CheckerContext &C) const {
	ProgramStateRef state = CheckDoubleClose(CE, C.getState(), C);			ProgramStateRef State = C.getState();
	if (state)			if (checkDoubleClose(Call, C, State))
	C.addTransition(state);			C.addTransition(State);
	}			}

	void StreamChecker::Fread(CheckerContext &C, const CallExpr *CE) const {			void StreamChecker::evalFseek(const CallEvent &Call, CheckerContext &C) const {
	ProgramStateRef state = C.getState();			const Expr *AE2 = Call.getArgExpr(2);
	if (!CheckNullStream(C.getSVal(CE->getArg(3)), state, C))			if (!AE2)
	return;			return;
	}

	void StreamChecker::Fwrite(CheckerContext &C, const CallExpr *CE) const {			ProgramStateRef State = C.getState();
	ProgramStateRef state = C.getState();
	if (!CheckNullStream(C.getSVal(CE->getArg(3)), state, C))
	return;
	}

	void StreamChecker::Fseek(CheckerContext &C, const CallExpr *CE) const {			bool StateChanged = checkNullStream(Call.getArgSVal(0), C, State);
	ProgramStateRef state = C.getState();			// Check if error was generated.
	if (!(state = CheckNullStream(C.getSVal(CE->getArg(0)), state, C)))			if (C.isDifferent())
	return;			return;

	// Check the legality of the 'whence' argument of 'fseek'.			// Check the legality of the 'whence' argument of 'fseek'.
	SVal Whence = state->getSVal(CE->getArg(2), C.getLocationContext());			checkFseekWhence(State->getSVal(AE2, C.getLocationContext()), C, State);
	Optional<nonloc::ConcreteInt> CI = Whence.getAs<nonloc::ConcreteInt>();

	if (!CI)			if (!C.isDifferent() && StateChanged)
	return;			C.addTransition(State);

	int64_t x = CI->getValue().getSExtValue();
	if (x >= 0 && x <= 2)
	return;			return;

	if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
	if (!BT_illegalwhence)
	BT_illegalwhence.reset(
	new BuiltinBug(this, "Illegal whence argument",
	"The whence argument to fseek() should be "
	"SEEK_SET, SEEK_END, or SEEK_CUR."));
	C.emitReport(std::make_unique<PathSensitiveBugReport>(
	*BT_illegalwhence, BT_illegalwhence->getDescription(), N));
	}
	}			}

	void StreamChecker::Ftell(CheckerContext &C, const CallExpr *CE) const {			void StreamChecker::checkArgNullStream(const CallEvent &Call, CheckerContext &C,
	ProgramStateRef state = C.getState();			unsigned ArgI) const {
	if (!CheckNullStream(C.getSVal(CE->getArg(0)), state, C))			ProgramStateRef State = C.getState();
	return;			if (checkNullStream(Call.getArgSVal(ArgI), C, State))
				C.addTransition(State);
	}			}

	void StreamChecker::Rewind(CheckerContext &C, const CallExpr *CE) const {			bool StreamChecker::checkNullStream(SVal SV, CheckerContext &C,
	ProgramStateRef state = C.getState();			ProgramStateRef &State) const {
	if (!CheckNullStream(C.getSVal(CE->getArg(0)), state, C))			Optional<DefinedSVal> DV = SV.getAs<DefinedSVal>();
				SzelethusUnsubmitted Not Done Reply Inline Actions Why is there a need to use an `Optional`? Why not just return a `nullptr`? As I saw it, each time we check both whether the optional has a value and whether the state within it is null. Szelethus: Why is there a need to use an `Optional`? Why not just return a `nullptr`? As I saw it, each…
				balazskeAuthorUnsubmitted Done Reply Inline Actions The idea was that there are 3 kind of return values: Change to a new state, do not change to new state, or error was found. In the first and last case we should return `true` from `evalCall` but not if there is no state to change into and the analysis can proceed in default way. balazske: The idea was that there are 3 kind of return values: Change to a new state, do not change to…
	return;			if (!DV)
	}			return false;

	void StreamChecker::Fgetpos(CheckerContext &C, const CallExpr *CE) const {			ConstraintManager &CM = C.getConstraintManager();
	ProgramStateRef state = C.getState();			ProgramStateRef StateNotNull, StateNull;
	if (!CheckNullStream(C.getSVal(CE->getArg(0)), state, C))			std::tie(StateNotNull, StateNull) = CM.assumeDual(C.getState(), *DV);
				SzelethusUnsubmitted Not Done Reply Inline Actions Aha, so we're no longer checking whether `Sym` is null, because why would we, we literally made created it as a symbol a couple lines up. Is it worth `assert()`ing though? Szelethus: Aha, so we're no longer checking whether `Sym` is null, because why would we, we literally made…
				balazskeAuthorUnsubmitted Not Done Reply Inline Actions Probably better to have the assert. balazske: Probably better to have the assert.
	return;
	}

	void StreamChecker::Fsetpos(CheckerContext &C, const CallExpr *CE) const {			if (!StateNotNull && StateNull) {
	ProgramStateRef state = C.getState();			if (ExplodedNode *N = C.generateErrorNode(StateNull)) {
	if (!CheckNullStream(C.getSVal(CE->getArg(0)), state, C))			if (!BT_nullfp)
	return;			BT_nullfp.reset(new BuiltinBug(this, "NULL stream pointer",
				"Stream pointer might be NULL."));
				C.emitReport(std::make_unique<PathSensitiveBugReport>(
				NoQUnsubmitted Done Reply Inline Actions (not your fault but before i forget) This condition is actually always true here. NoQ: (not your fault but before i forget) This condition is actually always true here.
				*BT_nullfp, BT_nullfp->getDescription(), N));
	}			}
				return false;
	void StreamChecker::Clearerr(CheckerContext &C, const CallExpr *CE) const {
	ProgramStateRef state = C.getState();
	if (!CheckNullStream(C.getSVal(CE->getArg(0)), state, C))
	return;
	}			}

	void StreamChecker::Feof(CheckerContext &C, const CallExpr *CE) const {			if (StateNotNull) {
	ProgramStateRef state = C.getState();			State = StateNotNull;
	if (!CheckNullStream(C.getSVal(CE->getArg(0)), state, C))			return true;
	return;
	}			}

	void StreamChecker::Ferror(CheckerContext &C, const CallExpr *CE) const {			return false;
	ProgramStateRef state = C.getState();
	if (!CheckNullStream(C.getSVal(CE->getArg(0)), state, C))
	return;
	}			}

	void StreamChecker::Fileno(CheckerContext &C, const CallExpr *CE) const {			void StreamChecker::checkFseekWhence(SVal SV, CheckerContext &C,
	ProgramStateRef state = C.getState();			ProgramStateRef &State) const {
	if (!CheckNullStream(C.getSVal(CE->getArg(0)), state, C))			Optional<nonloc::ConcreteInt> CI = SV.getAs<nonloc::ConcreteInt>();
				if (!CI)
	return;			return;
	}

	ProgramStateRef StreamChecker::CheckNullStream(SVal SV, ProgramStateRef state,
	CheckerContext &C) const {
	Optional<DefinedSVal> DV = SV.getAs<DefinedSVal>();
	if (!DV)
	return nullptr;

	ConstraintManager &CM = C.getConstraintManager();			int64_t X = CI->getValue().getSExtValue();
	ProgramStateRef stateNotNull, stateNull;			if (X >= 0 && X <= 2)
	std::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV);			return;

	if (!stateNotNull && stateNull) {			if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
	if (ExplodedNode *N = C.generateErrorNode(stateNull)) {			if (!BT_illegalwhence)
	if (!BT_nullfp)			BT_illegalwhence.reset(
	BT_nullfp.reset(new BuiltinBug(this, "NULL stream pointer",			new BuiltinBug(this, "Illegal whence argument",
	"Stream pointer might be NULL."));			"The whence argument to fseek() should be "
				"SEEK_SET, SEEK_END, or SEEK_CUR."));
	C.emitReport(std::make_unique<PathSensitiveBugReport>(			C.emitReport(std::make_unique<PathSensitiveBugReport>(
	*BT_nullfp, BT_nullfp->getDescription(), N));			*BT_illegalwhence, BT_illegalwhence->getDescription(), N));
	}
	return nullptr;
	}			}
	return stateNotNull;
	}			}

	ProgramStateRef StreamChecker::CheckDoubleClose(const CallExpr *CE,			bool StreamChecker::checkDoubleClose(const CallEvent &Call, CheckerContext &C,
	ProgramStateRef state,			ProgramStateRef &State) const {
	CheckerContext &C) const {			SymbolRef Sym = Call.getArgSVal(0).getAsSymbol();
	SymbolRef Sym = C.getSVal(CE->getArg(0)).getAsSymbol();
	if (!Sym)			if (!Sym)
				SzelethusUnsubmitted Done Reply Inline Actions And here too? Szelethus: And here too?
	return state;			return false;

	const StreamState *SS = state->get<StreamMap>(Sym);			const StreamState *SS = State->get<StreamMap>(Sym);

	// If the file stream is not tracked, return.			// If the file stream is not tracked, return.
	if (!SS)			if (!SS)
	return state;			return false;

	// Check: Double close a File Descriptor could cause undefined behaviour.			// Check: Double close a File Descriptor could cause undefined behaviour.
	// Conforming to man-pages			// Conforming to man-pages
	if (SS->isClosed()) {			if (SS->isClosed()) {
	ExplodedNode *N = C.generateErrorNode();			ExplodedNode *N = C.generateErrorNode();
	if (N) {			if (N) {
	if (!BT_doubleclose)			if (!BT_doubleclose)
	BT_doubleclose.reset(new BuiltinBug(			BT_doubleclose.reset(new BuiltinBug(
	this, "Double fclose", "Try to close a file Descriptor already"			this, "Double fclose", "Try to close a file Descriptor already"
	" closed. Cause undefined behaviour."));			" closed. Cause undefined behaviour."));
	C.emitReport(std::make_unique<PathSensitiveBugReport>(			C.emitReport(std::make_unique<PathSensitiveBugReport>(
	*BT_doubleclose, BT_doubleclose->getDescription(), N));			*BT_doubleclose, BT_doubleclose->getDescription(), N));
	}			}
	return nullptr;			return false;
	}			}

	// Close the File Descriptor.			// Close the File Descriptor.
	return state->set<StreamMap>(Sym, StreamState::getClosed(CE));			State = State->set<StreamMap>(Sym, StreamState::getClosed());

				return true;
	}			}

	void StreamChecker::checkDeadSymbols(SymbolReaper &SymReaper,			void StreamChecker::checkDeadSymbols(SymbolReaper &SymReaper,
	CheckerContext &C) const {			CheckerContext &C) const {
	ProgramStateRef state = C.getState();			ProgramStateRef State = C.getState();

	// TODO: Clean up the state.			// TODO: Clean up the state.
	const StreamMapTy &Map = state->get<StreamMap>();			const StreamMapTy &Map = State->get<StreamMap>();
	for (const auto &I: Map) {			for (const auto &I: Map) {
	SymbolRef Sym = I.first;			SymbolRef Sym = I.first;
	const StreamState &SS = I.second;			const StreamState &SS = I.second;
	if (!SymReaper.isDead(Sym) \|\| !SS.isOpened())			if (!SymReaper.isDead(Sym) \|\| !SS.isOpened())
	continue;			continue;

	ExplodedNode *N = C.generateErrorNode();			ExplodedNode *N = C.generateErrorNode();
	if (!N)			if (!N)
	return;			continue;

	if (!BT_ResourceLeak)			if (!BT_ResourceLeak)
	BT_ResourceLeak.reset(			BT_ResourceLeak.reset(
	new BuiltinBug(this, "Resource Leak",			new BuiltinBug(this, "Resource Leak",
	"Opened File never closed. Potential Resource leak."));			"Opened File never closed. Potential Resource leak."));
	C.emitReport(std::make_unique<PathSensitiveBugReport>(			C.emitReport(std::make_unique<PathSensitiveBugReport>(
	*BT_ResourceLeak, BT_ResourceLeak->getDescription(), N));			*BT_ResourceLeak, BT_ResourceLeak->getDescription(), N));
	}			}
	Show All 9 Lines

clang/test/Analysis/stream.c

	// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.unix.Stream -analyzer-store region -verify %s			// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.unix.Stream -analyzer-store region -verify %s

	typedef __typeof__(sizeof(int)) size_t;			typedef __typeof__(sizeof(int)) size_t;
				typedef __typeof__(sizeof(int)) fpos_t;
	typedef struct _IO_FILE FILE;			typedef struct _IO_FILE FILE;
	#define SEEK_SET 0 /* Seek from beginning of file. */			#define SEEK_SET 0 /* Seek from beginning of file. */
	#define SEEK_CUR 1 /* Seek from current position. */			#define SEEK_CUR 1 /* Seek from current position. */
	#define SEEK_END 2 /* Seek from end of file. */			#define SEEK_END 2 /* Seek from end of file. */
	extern FILE fopen(const char path, const char *mode);			extern FILE fopen(const char path, const char *mode);
	extern FILE *tmpfile(void);			extern FILE *tmpfile(void);
	extern int fclose(FILE *fp);			extern int fclose(FILE *fp);
	extern size_t fread(void ptr, size_t size, size_t nmemb, FILE stream);			extern size_t fread(void ptr, size_t size, size_t nmemb, FILE stream);
				extern size_t fwrite(const void ptr, size_t size, size_t nmemb, FILE stream);
	extern int fseek (FILE *__stream, long int __off, int __whence);			extern int fseek (FILE *__stream, long int __off, int __whence);
	extern long int ftell (FILE *__stream);			extern long int ftell (FILE *__stream);
	extern void rewind (FILE *__stream);			extern void rewind (FILE *__stream);
				extern int fgetpos(FILE stream, fpos_t pos);
				extern int fsetpos(FILE stream, const fpos_t pos);
				extern void clearerr(FILE *stream);
				extern int feof(FILE *stream);
				extern int ferror(FILE *stream);
				extern int fileno(FILE *stream);

	void f1(void) {			void check_fread() {
	FILE *p = fopen("foo", "r");			FILE *fp = tmpfile();
	char buf[1024];			fread(0, 0, 0, fp); // expected-warning {{Stream pointer might be NULL}}
	fread(buf, 1, 1, p); // expected-warning {{Stream pointer might be NULL}}			fclose(fp);
	fclose(p);
	}			}

	void f2(void) {			void check_fwrite() {
	FILE *p = fopen("foo", "r");			FILE *fp = tmpfile();
	fseek(p, 1, SEEK_SET); // expected-warning {{Stream pointer might be NULL}}			fwrite(0, 0, 0, fp); // expected-warning {{Stream pointer might be NULL}}
	fclose(p);			fclose(fp);
	}			}

	void f3(void) {			void check_fseek() {
	FILE *p = fopen("foo", "r");			FILE *fp = tmpfile();
	ftell(p); // expected-warning {{Stream pointer might be NULL}}			fseek(fp, 0, 0); // expected-warning {{Stream pointer might be NULL}}
	fclose(p);			fclose(fp);
				}

				void check_ftell() {
				FILE *fp = tmpfile();
				ftell(fp); // expected-warning {{Stream pointer might be NULL}}
				fclose(fp);
				}

				void check_rewind() {
				FILE *fp = tmpfile();
				rewind(fp); // expected-warning {{Stream pointer might be NULL}}
				fclose(fp);
				}

				void check_fgetpos() {
				FILE *fp = tmpfile();
				fpos_t pos;
				fgetpos(fp, &pos); // expected-warning {{Stream pointer might be NULL}}
				fclose(fp);
				}

				void check_fsetpos() {
				FILE *fp = tmpfile();
				fpos_t pos;
				fsetpos(fp, &pos); // expected-warning {{Stream pointer might be NULL}}
				fclose(fp);
				}

				void check_clearerr() {
				FILE *fp = tmpfile();
				clearerr(fp); // expected-warning {{Stream pointer might be NULL}}
				fclose(fp);
				}

				void check_feof() {
				FILE *fp = tmpfile();
				feof(fp); // expected-warning {{Stream pointer might be NULL}}
				fclose(fp);
				}

				void check_ferror() {
				FILE *fp = tmpfile();
				ferror(fp); // expected-warning {{Stream pointer might be NULL}}
				fclose(fp);
	}			}

	void f4(void) {			void check_fileno() {
				FILE *fp = tmpfile();
				fileno(fp); // expected-warning {{Stream pointer might be NULL}}
				fclose(fp);
				}

				void f_open(void) {
	FILE *p = fopen("foo", "r");			FILE *p = fopen("foo", "r");
	rewind(p); // expected-warning {{Stream pointer might be NULL}}			char buf[1024];
				fread(buf, 1, 1, p); // expected-warning {{Stream pointer might be NULL}}
	fclose(p);			fclose(p);
	}			}

	void f5(void) {			void f_seek(void) {
	FILE *p = fopen("foo", "r");			FILE *p = fopen("foo", "r");
	if (!p)			if (!p)
	return;			return;
	fseek(p, 1, SEEK_SET); // no-warning			fseek(p, 1, SEEK_SET); // no-warning
	fseek(p, 1, 3); // expected-warning {{The whence argument to fseek() should be SEEK_SET, SEEK_END, or SEEK_CUR}}			fseek(p, 1, 3); // expected-warning {{The whence argument to fseek() should be SEEK_SET, SEEK_END, or SEEK_CUR}}
	fclose(p);			fclose(p);
	}			}

	void f6(void) {			void f_double_close(void) {
	FILE *p = fopen("foo", "r");			FILE *p = fopen("foo", "r");
	fclose(p);			fclose(p);
	fclose(p); // expected-warning {{Try to close a file Descriptor already closed. Cause undefined behaviour}}			fclose(p); // expected-warning {{Try to close a file Descriptor already closed. Cause undefined behaviour}}
	}			}

	void f7(void) {			void f_leak(int c) {
	FILE *p = tmpfile();
	ftell(p); // expected-warning {{Stream pointer might be NULL}}
	fclose(p);
	}

	void f8(int c) {
	FILE *p = fopen("foo.c", "r");			FILE *p = fopen("foo.c", "r");
	if(c)			if(c)
	return; // expected-warning {{Opened File never closed. Potential Resource leak}}			return; // expected-warning {{Opened File never closed. Potential Resource leak}}
	fclose(p);			fclose(p);
	}			}

	FILE *f9(void) {			FILE *f_null_checked(void) {
	FILE *p = fopen("foo.c", "r");			FILE *p = fopen("foo.c", "r");
	if (p)			if (p)
	return p; // no-warning			return p; // no-warning
	else			else
	return 0;			return 0;
	}			}

	void pr7831(FILE *fp) {			void pr7831(FILE *fp) {
	fclose(fp); // no-warning			fclose(fp); // no-warning
	}			}

	// PR 8081 - null pointer crash when 'whence' is not an integer constant			// PR 8081 - null pointer crash when 'whence' is not an integer constant
	void pr8081(FILE *stream, long offset, int whence) {			void pr8081(FILE *stream, long offset, int whence) {
	fseek(stream, offset, whence);			fseek(stream, offset, whence);
	}			}

clang/test/Analysis/stream.cpp

This file was added.

				// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.unix.Stream -analyzer-store region -verify %s

				typedef struct _IO_FILE FILE;
				extern FILE fopen(const char path, const char *mode);

				struct X {
				int A;
				int B;
				};

				void fopen(X x, const char mode) {
				return new char[4];
				}

				void f1() {
				X X1;
				void *p = fopen(X1, "oo");
				} // no-warning

				void f2() {
				FILE *f = fopen("file", "r");
				} // expected-warning {{Opened File never closed. Potential Resource leak}}

This is an archive of the discontinued LLVM Phabricator instance.

[clang][analyzer] Using CallDescription in StreamChecker.ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 227264

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

clang/test/Analysis/stream.c

clang/test/Analysis/stream.cpp

[clang][analyzer] Using CallDescription in StreamChecker.
ClosedPublic