This is an archive of the discontinued LLVM Phabricator instance.

Differential D70805

[analyzer] SValHasDescendant: Determine whether the SVal has an SVal descendant
AbandonedPublic

Authored by Charusso on Nov 28 2019, 1:40 AM.

Details

Reviewers
NoQ
Summary

This relies on the SValVisitor and behaves something similar to the
Clang Tidy's hasDescendant(). The difference is it allows equality.

Diff Detail

Event Timeline

Charusso created this revision.Nov 28 2019, 1:40 AM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptNov 28 2019, 1:40 AM
Charusso added a parent revision: D70411: [analyzer] CERT STR rule checkers: STR31-C.Nov 28 2019, 1:40 AM
Charusso added a comment.EditedNov 28 2019, 1:47 AM

It suppresses stuff in curl like:

char buf[4096];
size_t linelen = strlen(line);
char *ptr = realloc(line, linelen + strlen(buf) + 1);
strcpy(&line[linelen], buf);
char buffer[256];
char *string = NULL;
size_t buflen = strlen(buffer);
char *ptr = realloc(string, stringlen + buflen + 1);
string = ptr;
strcpy(string + stringlen, buffer);
char *enc = curl_easy_escape(NULL, postdata, (int)size);
size_t outlen = nlen + strlen(enc) + 2;
char *n = malloc(outlen);
strcpy(n, enc);
Charusso updated this revision to Diff 232203.Dec 4 2019, 2:02 PM
Charusso edited the summary of this revision. (Show Details)
  • Add more tests.
  • Let us specify the descendant as allowing equality of symbols.
Charusso updated this revision to Diff 232206.Dec 4 2019, 2:04 PM
  • Add back a comment.
Charusso added a comment.Dec 4 2019, 2:09 PM

Here is a possible piece of code from the Tidy world: anyOf(declRefExpr(), hasDescendant(declRefExpr()), integerLiteral(), hasDescendant(integerLiteral())), that is why I recommend to allow equality of symbols to prevent boilerplate.

Charusso added a child revision: D71033: [analyzer] CERT STR rule checkers: STR32-C.Dec 4 2019, 2:26 PM
NoQ added a comment.Dec 9 2019, 7:41 PM

Usually this kind of code is hard to re-use because all use cases require different definitions of "has descendant". We already have at least 3 such definitions floating around and we can't re-use them.

Even in the world of ASTMatchers the actual hasDescendant matcher is basically an anti-pattern as you always want to use a matcher for a specific parent-child relation instead (cf. http://lists.llvm.org/pipermail/cfe-dev/2019-September/063260.html).

Charusso added a comment.Dec 9 2019, 8:20 PM
In D70805#1776527, @NoQ wrote:

Usually this kind of code is hard to re-use because all use cases require different definitions of "has descendant". We already have at least 3 such definitions floating around and we can't re-use them.

Even in the world of ASTMatchers the actual hasDescendant matcher is basically an anti-pattern as you always want to use a matcher for a specific parent-child relation instead (cf. http://lists.llvm.org/pipermail/cfe-dev/2019-September/063260.html).

When I encounter the following:

unsigned Foo = Foo.Bar[Baz]->Qux;
malloc(strlen(src) + Foo + 1);

At the moment I cannot lookup the strlen(src) and nor the + 1. There is no way to say the strlen(src) which parent is a malloc(). I do not think we could make the full support of pattern-matching on symbolic level, so at least I wanted to see if it is possible. I am even thinking of using the ASTImporter to normalize the expression so that in a flatten/serialized form the AST-matcher could look for such constructs without any wonky DeclRefExpr or ReturnStmt matching. I believe the latter is the way we could benefit a lot, and the former, the current patch needs to be eliminated. For now I cannot relax the AST or invent a symbolic-matcher language so I would prefer this simple workaround and may we will have better ideas later.

NoQ added inline comments.Dec 10 2019, 4:28 PM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValHasDescendant.h
55

Arithmetic is indeed easy, but for example this part requires a much deeper justification.

Charusso marked 2 inline comments as done.Jan 31 2020, 9:22 AM
Charusso added inline comments.
clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValHasDescendant.h
55

Well, this is an experiment. I have checked out the Clang Tidy's matcher-writing language's framework so I believe their own language is way more better, than implementing hasDescendant() only. Some kind of framework would be neat, but this is what I came up with as the hasDescendant() is the most powerful matcher in their world.

Charusso updated this revision to Diff 241758.Jan 31 2020, 9:43 AM
Charusso marked an inline comment as done.
  • Rebase.
Charusso abandoned this revision.May 24 2020, 9:26 PM

Way more sophisticated matching: https://reviews.llvm.org/D77745

Herald added subscribers: ASDenysPetrov, martong, steakhal. · View Herald TranscriptMay 24 2020, 9:26 PM
Charusso removed a child revision: D71033: [analyzer] CERT STR rule checkers: STR32-C.May 24 2020, 9:26 PM
Charusso removed a parent revision: D70411: [analyzer] CERT STR rule checkers: STR31-C.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
108 lines
lib/
StaticAnalyzer/
Checkers/
18 lines
cert/
12 lines
test/
Analysis/
cert/
7 lines
23 lines

Diff 232206

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SValHasDescendant.h

  • This file was added.
//===- SValHasDescendant.h - Symbolic value traversing ----------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines SValHasDescendant which returns whether the given
// symbol or region has a descendant symbol.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_SVALHASDESCENDANT_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_SVALHASDESCENDANT_H
#include "clang/AST/DeclCXX.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValVisitor.h"
namespace clang {
namespace ento {
class SValHasDescendant : public FullSValVisitor<SValHasDescendant, bool> {
Optional<SVal> StoredV;
const MemRegion *StoredMR;
public:
SValHasDescendant(SVal V) : StoredV(V) {}
SValHasDescendant(const MemRegion *MR) : StoredMR(MR) { assert(MR); }
bool VisitLocMemRegionVal(loc::MemRegionVal V) {
if (StoredV)
if (const auto MRV = StoredV->getAs<loc::MemRegionVal>())
if (V == MRV)
return true;
return Visit(V.getRegion());
}
bool VisitNonLocSymbolVal(nonloc::SymbolVal V) {
if (StoredV && *StoredV == V)
return true;
return Visit(V.getSymbol());
}
bool VisitNonLocLazyCompoundVal(nonloc::LazyCompoundVal V) {
if (StoredV && *StoredV == V)
return true;
return Visit(V.getRegion());
}
bool VisitSymbolRegionValue(const SymbolRegionValue *S) {
return Visit(S->getRegion());
NoQUnsubmitted
Done
ReplyInline Actions

Arithmetic is indeed easy, but for example this part requires a much deeper justification.

NoQ: Arithmetic is indeed easy, but for example this part requires a much deeper justification.
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Well, this is an experiment. I have checked out the Clang Tidy's matcher-writing language's framework so I believe their own language is way more better, than implementing hasDescendant() only. Some kind of framework would be neat, but this is what I came up with as the hasDescendant() is the most powerful matcher in their world.

Charusso: Well, this is an experiment. I have checked out the Clang Tidy's matcher-writing language's…
}
bool VisitSymbolExtent(const SymbolExtent *S) {
return Visit(S->getRegion());
}
bool VisitSymbolMetadata(const SymbolMetadata *S) {
return Visit(S->getRegion());
}
bool VisitSymIntExpr(const SymIntExpr *S) { return Visit(S->getLHS()); }
// TODO: IntSymExpr doesn't appear in practice.
// Add the relevant code once it does.
bool VisitSymSymExpr(const SymSymExpr *S) {
if (Visit(S->getLHS()))
return true;
return Visit(S->getRHS());
}
// TODO: SymbolCast doesn't appear in practice.
// Add the relevant code once it does.
bool VisitSymbolicRegion(const SymbolicRegion *SR) {
if (SR == StoredMR)
return true;
if (StoredV)
if (auto MRV = StoredV->getAs<loc::MemRegionVal>())
if (MRV->getRegion() == SR)
return true;
return Visit(SR->getSymbol());
}
bool VisitMemRegion(const MemRegion *MR) {
if (StoredV)
if (auto MRV = StoredV->getAs<loc::MemRegionVal>())
if (MRV->getRegion() == MR)
return true;
return StoredMR && StoredMR == MR;
}
bool VisitSVal(SVal V) { return StoredV && *StoredV == V; }
};
} // end namespace ento
} // end namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_SVALHASDESCENDANT_H

clang/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp

//==- ExprInspectionChecker.cpp - Used for regression tests ------*- C++ -*-==// //==- ExprInspectionChecker.cpp - Used for regression tests ------*- C++ -*-==//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/SValExplainer.h" #include "clang/StaticAnalyzer/Checkers/SValExplainer.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/IssueHash.h" #include "clang/StaticAnalyzer/Core/IssueHash.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValHasDescendant.h"
#include "llvm/ADT/StringSwitch.h" #include "llvm/ADT/StringSwitch.h"
#include "llvm/Support/ScopedPrinter.h" #include "llvm/Support/ScopedPrinter.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class ExprInspectionChecker : public Checker<eval::Call, check::DeadSymbols, class ExprInspectionChecker : public Checker<eval::Call, check::DeadSymbols,
Show All 11 Linesclass ExprInspectionChecker : public Checker<eval::Call, check::DeadSymbols,
void analyzerEval(const CallExpr *CE, CheckerContext &C) const; void analyzerEval(const CallExpr *CE, CheckerContext &C) const;
void analyzerCheckInlined(const CallExpr *CE, CheckerContext &C) const; void analyzerCheckInlined(const CallExpr *CE, CheckerContext &C) const;
void analyzerWarnIfReached(const CallExpr *CE, CheckerContext &C) const; void analyzerWarnIfReached(const CallExpr *CE, CheckerContext &C) const;
void analyzerNumTimesReached(const CallExpr *CE, CheckerContext &C) const; void analyzerNumTimesReached(const CallExpr *CE, CheckerContext &C) const;
void analyzerCrash(const CallExpr *CE, CheckerContext &C) const; void analyzerCrash(const CallExpr *CE, CheckerContext &C) const;
void analyzerWarnOnDeadSymbol(const CallExpr *CE, CheckerContext &C) const; void analyzerWarnOnDeadSymbol(const CallExpr *CE, CheckerContext &C) const;
void analyzerDump(const CallExpr *CE, CheckerContext &C) const; void analyzerDump(const CallExpr *CE, CheckerContext &C) const;
void analyzerExplain(const CallExpr *CE, CheckerContext &C) const; void analyzerExplain(const CallExpr *CE, CheckerContext &C) const;
void analyzerHasDescendant(const CallExpr *CE, CheckerContext &C) const;
void analyzerPrintState(const CallExpr *CE, CheckerContext &C) const; void analyzerPrintState(const CallExpr *CE, CheckerContext &C) const;
void analyzerGetExtent(const CallExpr *CE, CheckerContext &C) const; void analyzerGetExtent(const CallExpr *CE, CheckerContext &C) const;
void analyzerHashDump(const CallExpr *CE, CheckerContext &C) const; void analyzerHashDump(const CallExpr *CE, CheckerContext &C) const;
void analyzerDenote(const CallExpr *CE, CheckerContext &C) const; void analyzerDenote(const CallExpr *CE, CheckerContext &C) const;
void analyzerExpress(const CallExpr *CE, CheckerContext &C) const; void analyzerExpress(const CallExpr *CE, CheckerContext &C) const;
typedef void (ExprInspectionChecker::*FnCheck)(const CallExpr *, typedef void (ExprInspectionChecker::*FnCheck)(const CallExpr *,
CheckerContext &C) const; CheckerContext &C) const;
Show All 26 Lines FnCheck Handler = llvm::StringSwitch<FnCheck>(C.getCalleeName(CE))
.Case("clang_analyzer_checkInlined", .Case("clang_analyzer_checkInlined",
&ExprInspectionChecker::analyzerCheckInlined) &ExprInspectionChecker::analyzerCheckInlined)
.Case("clang_analyzer_crash", &ExprInspectionChecker::analyzerCrash) .Case("clang_analyzer_crash", &ExprInspectionChecker::analyzerCrash)
.Case("clang_analyzer_warnIfReached", .Case("clang_analyzer_warnIfReached",
&ExprInspectionChecker::analyzerWarnIfReached) &ExprInspectionChecker::analyzerWarnIfReached)
.Case("clang_analyzer_warnOnDeadSymbol", .Case("clang_analyzer_warnOnDeadSymbol",
&ExprInspectionChecker::analyzerWarnOnDeadSymbol) &ExprInspectionChecker::analyzerWarnOnDeadSymbol)
.StartsWith("clang_analyzer_explain", &ExprInspectionChecker::analyzerExplain) .StartsWith("clang_analyzer_explain", &ExprInspectionChecker::analyzerExplain)
.StartsWith("clang_analyzer_hasDescendant", &ExprInspectionChecker::analyzerHasDescendant)
.StartsWith("clang_analyzer_dump", &ExprInspectionChecker::analyzerDump) .StartsWith("clang_analyzer_dump", &ExprInspectionChecker::analyzerDump)
.Case("clang_analyzer_getExtent", &ExprInspectionChecker::analyzerGetExtent) .Case("clang_analyzer_getExtent", &ExprInspectionChecker::analyzerGetExtent)
.Case("clang_analyzer_printState", .Case("clang_analyzer_printState",
&ExprInspectionChecker::analyzerPrintState) &ExprInspectionChecker::analyzerPrintState)
.Case("clang_analyzer_numTimesReached", .Case("clang_analyzer_numTimesReached",
&ExprInspectionChecker::analyzerNumTimesReached) &ExprInspectionChecker::analyzerNumTimesReached)
.Case("clang_analyzer_hashDump", &ExprInspectionChecker::analyzerHashDump) .Case("clang_analyzer_hashDump", &ExprInspectionChecker::analyzerHashDump)
.Case("clang_analyzer_denote", &ExprInspectionChecker::analyzerDenote) .Case("clang_analyzer_denote", &ExprInspectionChecker::analyzerDenote)
▲ Show 20 LinesShow All 107 Lines▼ Show 20 Lines if (CE->getNumArgs() == 0) {
return; return;
} }
SVal V = C.getSVal(CE->getArg(0)); SVal V = C.getSVal(CE->getArg(0));
SValExplainer Ex(C.getASTContext()); SValExplainer Ex(C.getASTContext());
reportBug(Ex.Visit(V), C); reportBug(Ex.Visit(V), C);
} }
void ExprInspectionChecker::analyzerHasDescendant(const CallExpr *CE,
CheckerContext &C) const {
if (CE->getNumArgs() < 2) {
reportBug("Missing argument for descending", C);
return;
}
SVal LhsV = C.getSVal(CE->getArg(0));
SVal RhsV = C.getSVal(CE->getArg(1));
SValHasDescendant Desc(RhsV);
reportBug(Desc.Visit(LhsV) ? "TRUE" : "FALSE", C);
}
void ExprInspectionChecker::analyzerDump(const CallExpr *CE, void ExprInspectionChecker::analyzerDump(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
if (CE->getNumArgs() == 0) { if (CE->getNumArgs() == 0) {
reportBug("Missing argument for dumping", C); reportBug("Missing argument for dumping", C);
return; return;
} }
SVal V = C.getSVal(CE->getArg(0)); SVal V = C.getSVal(CE->getArg(0));
▲ Show 20 LinesShow All 205 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp

Show All 21 Lines
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValHasDescendant.h"
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include <utility> #include <utility>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace ast_matchers; using namespace ast_matchers;
namespace { namespace {
▲ Show 20 LinesShow All 176 Lines▼ Show 20 Linesvoid StrCheckerBase::checkStrcpy(const CallEvent &Call,
const MemRegion *DestMR = getRegion(DestV); const MemRegion *DestMR = getRegion(DestV);
if (!SrcMR || !DestMR) if (!SrcMR || !DestMR)
return; return;
DefinedOrUnknownSVal SrcSize = getDynamicSize(State, SrcMR, SVB); DefinedOrUnknownSVal SrcSize = getDynamicSize(State, SrcMR, SVB);
DefinedOrUnknownSVal DestSize = getDynamicSize(State, DestMR, SVB); DefinedOrUnknownSVal DestSize = getDynamicSize(State, DestMR, SVB);
// 'strlen(src) + integer' is most likely fine. // 'strlen(src) + integer' is most likely fine.
// FIXME: Use the 'SValVisitor' to catch every such constructs of the symbol.
// FIXME: We cannot catch every '+ integer' part at the moment so we do not // FIXME: We cannot catch every '+ integer' part at the moment so we do not
// check that property for now. // check that property for now.
if (const SymExpr *SE = DestSize.getAsSymExpr()) SValHasDescendant HasDescendantSrc(SrcMR);
for (const auto &Sym : SE->symbols()) if (HasDescendantSrc.Visit(DestSize))
if (const auto *SIE = dyn_cast<SymIntExpr>(Sym))
if (SIE->getOpcode() == BO_Add)
if (const auto *SM = dyn_cast<SymbolMetadata>(SIE->getLHS()))
if (SM->getRegion() == SrcMR)
return; return;
// 'StringRegion' returns the size with the null-terminator. // 'StringRegion' returns the size with the null-terminator.
if (const llvm::APSInt *SrcSizeInt = SVB.getKnownValue(State, SrcSize)) if (const llvm::APSInt *SrcSizeInt = SVB.getKnownValue(State, SrcSize))
if (const llvm::APSInt *DestSizeInt = SVB.getKnownValue(State, DestSize)) if (const llvm::APSInt *DestSizeInt = SVB.getKnownValue(State, DestSize))
if (SrcSizeInt->getZExtValue() <= DestSizeInt->getZExtValue()) if (SrcSizeInt->getZExtValue() <= DestSizeInt->getZExtValue())
return; return;
createOverflowNote(Call, CallC, C); createOverflowNote(Call, CallC, C);
▲ Show 20 LinesShow All 93 LinesShow Last 20 Lines

clang/test/Analysis/cert/str31-c-fp-suppression.cpp

Show First 20 LinesShow All 65 Lines▼ Show 20 Lines
void test_everything_known() { void test_everything_known() {
char *dest = (char *)malloc(strlen("Foo") + 1); char *dest = (char *)malloc(strlen("Foo") + 1);
if (dest) if (dest)
strcpy(dest, "Foo"); strcpy(dest, "Foo");
free(dest); // no-warning free(dest); // no-warning
} }
// FIXME: Suppress that with 'SValVisitor' or something similar.
void test_complex_size_false_positive(const char *src) { void test_complex_size_false_positive(const char *src) {
char *dest; char *dest;
size_t size; size_t size;
size = strlen(src); size = strlen(src);
dest = (char *)malloc(size * 2 + 2); dest = (char *)malloc(size * 2 + 2);
strcpy(dest, &src[13]); strcpy(dest, &src[13]);
free(dest); free(dest); // no-warning
// expected-warning@-1 {{'dest' is not null-terminated}}
} }
void test_complex_size_wrong_size(const char *src) { void test_complex_size_wrong_size(const char *src) {
char *dest; char *dest;
size_t size; size_t size;
size = strlen(src); size = strlen(src);
// FIXME: '+ 2' is missing so there is not enough space for the null terminator. // FIXME: '+ 2' is missing so there is not enough space for the null terminator.
dest = (char *)malloc(size * 2); dest = (char *)malloc(size * 2);
strcpy(dest, &src[13]); strcpy(dest, &src[13]);
free(dest); free(dest); // no-warning
// expected-warning@-1 {{'dest' is not null-terminated}}
} }
void test_char_by_char(const char *src, size_t size) { void test_char_by_char(const char *src, size_t size) {
const char *s; const char *s;
unsigned char c; unsigned char c;
char *escape = (char *)malloc(size); char *escape = (char *)malloc(size);
char *e = escape; char *e = escape;
for (s = src; (c = *s) != '\0'; ++s) { for (s = src; (c = *s) != '\0'; ++s) {
Show All 11 Lines

clang/test/Analysis/sval-has-desc.c

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,unix,debug.ExprInspection \
// RUN: -verify %s
#include "Inputs/system-header-simulator.h"
void clang_analyzer_hasDescendantTrue(size_t, const char *);
void clang_analyzer_hasDescendantFalse(const char *, size_t);
void clang_analyzer_hasDescendantEquals(const char *, const char *);
void test_desc(const char *src) {
size_t size = strlen(src);
clang_analyzer_hasDescendantTrue(size, src); // expected-warning {{TRUE}}
}
void test_non_desc(const char *src) {
size_t size = strlen(src);
clang_analyzer_hasDescendantFalse(src, size); // expected-warning {{FALSE}}
}
void test_equality_is_desc(const char *src) {
clang_analyzer_hasDescendantEquals(src, src); // expected-warning {{TRUE}}
}