This is an archive of the discontinued LLVM Phabricator instance.

Differential D75063

[analyzer] StdLibraryFunctionsChecker: Add NotNull Arg Constraint
ClosedPublic

Authored by martong on Feb 24 2020, 9:56 AM.

Details

Reviewers
NoQ
Szelethus
balazske
gamesh411
baloghadamsoftware
steakhal
Commits
rGededa65d559d: [analyzer] StdLibraryFunctionsChecker: Add NotNull Arg Constraint

Diff Detail

Event Timeline

martong created this revision.Feb 24 2020, 9:56 AM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 24 2020, 9:56 AM
Herald added subscribers: cfe-commits, Charusso, dkrupp and 7 others. · View Herald Transcript
martong added a parent revision: D73898: [analyzer] StdLibraryFunctionsChecker: Add argument constraints.Feb 24 2020, 9:56 AM
Harbormaster completed remote builds in B47142: Diff 246239.Feb 24 2020, 10:30 AM
steakhal added inline comments.Mar 3 2020, 9:22 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
719

Two lines below you are using the {0U} initialization syntax, and here the simple constructor call syntax.
Shouldn't we pick one?

Szelethus added inline comments.Mar 11 2020, 8:24 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
188

What does this do? Is it ever used in the patch?

NoQ accepted this revision.Mar 15 2020, 9:54 PM

This is basically a shorthand for "outside [0, 0]", right? I don't mind ^.^

This revision is now accepted and ready to land.Mar 15 2020, 9:54 PM
balazske added inline comments.Mar 16 2020, 9:51 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
202

Is Tmp better name?

clang/test/Analysis/std-c-library-functions-arg-constraints.c
76

One difficulty is that fread can work if the buf is 0 and count is 0 too. There is for sure code that uses this feature.

martong marked 6 inline comments as done.Mar 18 2020, 6:00 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
188

Yes, it is used. We use it in apply the value is passed to assume.
And in negate we flip the value.

202

Absolutely, yes, I should avoid lower case variables, will rename.

719

Yes, definitely. I think I am going to use brace initialization syntax everywhere.

clang/test/Analysis/std-c-library-functions-arg-constraints.c
76

My understanding is that in case of fread, if buf is 0 then that is an undefined behavior.

In the section in C11 describing the use of library functions (§7.1.4) it is stated that:

If an argument to a function has an invalid value (such as a value outside the domain of the function, or a pointer outside the address space of the program, or a null pointer, or a pointer to non-modifiable storage when the corresponding parameter is not const-qualified) or a type (after promotion) not expected by a function with variable number of arguments, the behavior is undefined. If a function argument is described as being an array, the pointer actually passed to the function shall have a value such that all address computations and accesses to objects (that would be valid if the pointer did point to the first element of such an array) are in fact valid.

I've found more details in this StackOverflow post:
https://stackoverflow.com/questions/51779960/is-it-safe-to-fread-0-bytes-into-a-null-pointer

Also note that a sane libc implementation would not dereference buf if size is 0, but we may not rely on these implementation details, that is why this is declared as undefined behavior in the standard.

Herald added a subscriber: ASDenysPetrov. · View Herald TranscriptMar 18 2020, 6:00 AM
Szelethus accepted this revision.EditedMar 18 2020, 7:12 AM

LGTM! Please address the nits before commiting, but there is no need for another round of reviews. :)

edit: from my end, that is.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
188

Forgot my eyes in the office. Woops. I would still prefer a line of comment here :)

930–931

Not super relevant to this specific revision, but shouldn't we leave these to StreamChecker?

martong updated this revision to Diff 251674.Mar 20 2020, 9:21 AM
martong marked 9 inline comments as done.
  • Use report/bugpath verify prefixes in test
  • Address review nits
martong added a comment.Mar 20 2020, 9:28 AM
In D75063#1923780, @NoQ wrote:

This is basically a shorthand for "outside [0, 0]", right? I don't mind ^.^

Yeah, and my first attempt was exactly to implement this with ranges. However, it failed when I realized that we cannot cast a pointer to NonLoc, so the already written RangeConstraint::apply* functions could not work (I would have to add another branch for handling Loc kind of SVals for the pointer case).

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
188

Ok, I added a comment about its role.

719

Finally I ended up with the parens. :)

930–931

Well, yeah we could remove fread and fwrite from the summaries entirely at some point, but that will require changing the test files here.

Closed by commit rGededa65d559d: [analyzer] StdLibraryFunctionsChecker: Add NotNull Arg Constraint (authored by martong). · Explain WhyMar 20 2020, 9:45 AM
This revision was automatically updated to reflect the committed changes.
Harbormaster completed remote builds in B49904: Diff 251674.Mar 20 2020, 10:17 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
47 lines
test/
Analysis/
26 lines
3 lines

Diff 251677

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 177 Lines▼ Show 20 Lines ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode,
ArgNo OtherArgN) ArgNo OtherArgN)
: ValueConstraint(ArgN), Opcode(Opcode), OtherArgN(OtherArgN) {} : ValueConstraint(ArgN), Opcode(Opcode), OtherArgN(OtherArgN) {}
ArgNo getOtherArgNo() const { return OtherArgN; } ArgNo getOtherArgNo() const { return OtherArgN; }
BinaryOperator::Opcode getOpcode() const { return Opcode; } BinaryOperator::Opcode getOpcode() const { return Opcode; }
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary) const override; const Summary &Summary) const override;
}; };
class NotNullConstraint : public ValueConstraint {
using ValueConstraint::ValueConstraint;
// This variable has a role when we negate the constraint.
SzelethusUnsubmitted
Done
ReplyInline Actions

What does this do? Is it ever used in the patch?

Szelethus: What does this do? Is it ever used in the patch?
martongAuthorUnsubmitted
Done
ReplyInline Actions

Yes, it is used. We use it in apply the value is passed to assume.
And in negate we flip the value.

martong: Yes, it is used. We use it in `apply` the value is passed to `assume`. And in `negate` we flip…
SzelethusUnsubmitted
Done
ReplyInline Actions

Forgot my eyes in the office. Woops. I would still prefer a line of comment here :)

Szelethus: Forgot my eyes in the office. Woops. I would still prefer a line of comment here :)
martongAuthorUnsubmitted
Done
ReplyInline Actions

Ok, I added a comment about its role.

martong: Ok, I added a comment about its role.
bool CannotBeNull = true;
public:
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary) const override {
SVal V = getArgSVal(Call, getArgNo());
DefinedOrUnknownSVal L = V.castAs<DefinedOrUnknownSVal>();
if (!L.getAs<Loc>())
return State;
return State->assume(L, CannotBeNull);
}
ValueConstraintPtr negate() const override {
balazskeUnsubmitted
Done
ReplyInline Actions

Is Tmp better name?

balazske: Is `Tmp` better name?
martongAuthorUnsubmitted
Done
ReplyInline Actions

Absolutely, yes, I should avoid lower case variables, will rename.

martong: Absolutely, yes, I should avoid lower case variables, will rename.
NotNullConstraint Tmp(*this);
Tmp.CannotBeNull = !this->CannotBeNull;
return std::make_shared<NotNullConstraint>(Tmp);
}
};
/// The complete list of constraints that defines a single branch. /// The complete list of constraints that defines a single branch.
typedef std::vector<ValueConstraintPtr> ConstraintSet; typedef std::vector<ValueConstraintPtr> ConstraintSet;
using ArgTypes = std::vector<QualType>; using ArgTypes = std::vector<QualType>;
using Cases = std::vector<ConstraintSet>; using Cases = std::vector<ConstraintSet>;
/// Includes information about /// Includes information about
/// * function prototype (which is necessary to /// * function prototype (which is necessary to
Show All 34 Lines struct Summary {
} }
private: private:
static void assertTypeSuitableForSummary(QualType T) { static void assertTypeSuitableForSummary(QualType T) {
assert(!T->isVoidType() && assert(!T->isVoidType() &&
"We should have had no significant void types in the spec"); "We should have had no significant void types in the spec");
assert(T.isCanonical() && assert(T.isCanonical() &&
"We should only have canonical types in the spec"); "We should only have canonical types in the spec");
// FIXME: lift this assert (but not the ones above!)
assert(T->isIntegralOrEnumerationType() &&
"We only support integral ranges in the spec");
} }
public: public:
QualType getArgType(ArgNo ArgN) const { QualType getArgType(ArgNo ArgN) const {
QualType T = (ArgN == Ret) ? RetTy : ArgTys[ArgN]; QualType T = (ArgN == Ret) ? RetTy : ArgTys[ArgN];
assertTypeSuitableForSummary(T); assertTypeSuitableForSummary(T);
return T; return T;
} }
▲ Show 20 LinesShow All 350 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::initFunctionSummaries(
// or long long, so three summary variants would be enough). // or long long, so three summary variants would be enough).
// Of course, function variants are also useful for C++ overloads. // Of course, function variants are also useful for C++ overloads.
const QualType const QualType
Irrelevant{}; // A placeholder, whenever we do not care about the type. Irrelevant{}; // A placeholder, whenever we do not care about the type.
const QualType IntTy = ACtx.IntTy; const QualType IntTy = ACtx.IntTy;
const QualType LongTy = ACtx.LongTy; const QualType LongTy = ACtx.LongTy;
const QualType LongLongTy = ACtx.LongLongTy; const QualType LongLongTy = ACtx.LongLongTy;
const QualType SizeTy = ACtx.getSizeType(); const QualType SizeTy = ACtx.getSizeType();
const QualType VoidPtrTy = ACtx.VoidPtrTy; // void *T
const QualType ConstVoidPtrTy =
ACtx.getPointerType(ACtx.VoidTy.withConst()); // const void *T
const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue(); const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue();
const RangeInt LongMax = BVF.getMaxValue(LongTy).getLimitedValue(); const RangeInt LongMax = BVF.getMaxValue(LongTy).getLimitedValue();
const RangeInt LongLongMax = BVF.getMaxValue(LongLongTy).getLimitedValue(); const RangeInt LongLongMax = BVF.getMaxValue(LongLongTy).getLimitedValue();
// Set UCharRangeMax to min of int or uchar maximum value. // Set UCharRangeMax to min of int or uchar maximum value.
// The C standard states that the arguments of functions like isalpha must // The C standard states that the arguments of functions like isalpha must
// be representable as an unsigned char. Their type is 'int', so the max // be representable as an unsigned char. Their type is 'int', so the max
▲ Show 20 LinesShow All 54 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::initFunctionSummaries(
} ReturnValueCondition; } ReturnValueCondition;
auto Range = [](RangeInt b, RangeInt e) { auto Range = [](RangeInt b, RangeInt e) {
return IntRangeVector{std::pair<RangeInt, RangeInt>{b, e}}; return IntRangeVector{std::pair<RangeInt, RangeInt>{b, e}};
}; };
auto SingleValue = [](RangeInt v) { auto SingleValue = [](RangeInt v) {
return IntRangeVector{std::pair<RangeInt, RangeInt>{v, v}}; return IntRangeVector{std::pair<RangeInt, RangeInt>{v, v}};
}; };
auto LessThanOrEq = BO_LE; auto LessThanOrEq = BO_LE;
auto NotNull = [&](ArgNo ArgN) {
return std::make_shared<NotNullConstraint>(ArgN);
};
using RetType = QualType; using RetType = QualType;
// Templates for summaries that are reused by many functions. // Templates for summaries that are reused by many functions.
auto Getc = [&]() { auto Getc = [&]() {
return Summary(ArgTypes{Irrelevant}, RetType{IntTy}, NoEvalCall) return Summary(ArgTypes{Irrelevant}, RetType{IntTy}, NoEvalCall)
.Case({ReturnValueCondition(WithinRange, .Case({ReturnValueCondition(WithinRange,
{{EOFv, EOFv}, {0, UCharRangeMax}})}); {{EOFv, EOFv}, {0, UCharRangeMax}})});
}; };
auto Read = [&](RetType R, RangeInt Max) { auto Read = [&](RetType R, RangeInt Max) {
return Summary(ArgTypes{Irrelevant, Irrelevant, SizeTy}, RetType{R}, return Summary(ArgTypes{Irrelevant, Irrelevant, SizeTy}, RetType{R},
NoEvalCall) NoEvalCall)
.Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
ReturnValueCondition(WithinRange, Range(-1, Max))}); ReturnValueCondition(WithinRange, Range(-1, Max))});
}; };
auto Fread = [&]() { auto Fread = [&]() {
return Summary(ArgTypes{Irrelevant, Irrelevant, SizeTy, Irrelevant}, return Summary(ArgTypes{VoidPtrTy, Irrelevant, SizeTy, Irrelevant},
RetType{SizeTy}, NoEvalCall)
.Case({
ReturnValueCondition(LessThanOrEq, ArgNo(2)),
steakhalUnsubmitted
Done
ReplyInline Actions

Two lines below you are using the {0U} initialization syntax, and here the simple constructor call syntax.
Shouldn't we pick one?

steakhal: Two lines below you are using the `{0U}` initialization syntax, and here the simple constructor…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Yes, definitely. I think I am going to use brace initialization syntax everywhere.

martong: Yes, definitely. I think I am going to use brace initialization syntax everywhere.
martongAuthorUnsubmitted
Done
ReplyInline Actions

Finally I ended up with the parens. :)

martong: Finally I ended up with the parens. :)
})
.ArgConstraint(NotNull(ArgNo(0)));
};
auto Fwrite = [&]() {
return Summary(ArgTypes{ConstVoidPtrTy, Irrelevant, SizeTy, Irrelevant},
RetType{SizeTy}, NoEvalCall) RetType{SizeTy}, NoEvalCall)
.Case({ .Case({
ReturnValueCondition(LessThanOrEq, ArgNo(2)), ReturnValueCondition(LessThanOrEq, ArgNo(2)),
}); })
.ArgConstraint(NotNull(ArgNo(0)));
}; };
auto Getline = [&](RetType R, RangeInt Max) { auto Getline = [&](RetType R, RangeInt Max) {
return Summary(ArgTypes{Irrelevant, Irrelevant, Irrelevant}, RetType{R}, return Summary(ArgTypes{Irrelevant, Irrelevant, Irrelevant}, RetType{R},
NoEvalCall) NoEvalCall)
.Case({ReturnValueCondition(WithinRange, {{-1, -1}, {1, Max}})}); .Case({ReturnValueCondition(WithinRange, {{-1, -1}, {1, Max}})});
}; };
FunctionSummaryMap = { FunctionSummaryMap = {
▲ Show 20 LinesShow All 184 Lines▼ Show 20 Lines FunctionSummaryMap = {
// read()-like functions that never return more than buffer size. // read()-like functions that never return more than buffer size.
// We are not sure how ssize_t is defined on every platform, so we // We are not sure how ssize_t is defined on every platform, so we
// provide three variants that should cover common cases. // provide three variants that should cover common cases.
{"read", Summaries{Read(IntTy, IntMax), Read(LongTy, LongMax), {"read", Summaries{Read(IntTy, IntMax), Read(LongTy, LongMax),
Read(LongLongTy, LongLongMax)}}, Read(LongLongTy, LongLongMax)}},
{"write", Summaries{Read(IntTy, IntMax), Read(LongTy, LongMax), {"write", Summaries{Read(IntTy, IntMax), Read(LongTy, LongMax),
Read(LongLongTy, LongLongMax)}}, Read(LongLongTy, LongLongMax)}},
{"fread", Summaries{Fread()}}, {"fread", Summaries{Fread()}},
{"fwrite", Summaries{Fread()}}, {"fwrite", Summaries{Fwrite()}},
SzelethusUnsubmitted
Done
ReplyInline Actions

Not super relevant to this specific revision, but shouldn't we leave these to StreamChecker?

Szelethus: Not super relevant to this specific revision, but shouldn't we leave these to `StreamChecker`?
martongAuthorUnsubmitted
Done
ReplyInline Actions

Well, yeah we could remove fread and fwrite from the summaries entirely at some point, but that will require changing the test files here.

martong: Well, yeah we could remove `fread` and `fwrite` from the summaries entirely at some point, but…
// getline()-like functions either fail or read at least the delimiter. // getline()-like functions either fail or read at least the delimiter.
{"getline", Summaries{Getline(IntTy, IntMax), Getline(LongTy, LongMax), {"getline", Summaries{Getline(IntTy, IntMax), Getline(LongTy, LongMax),
Getline(LongLongTy, LongLongMax)}}, Getline(LongLongTy, LongLongMax)}},
{"getdelim", Summaries{Getline(IntTy, IntMax), Getline(LongTy, LongMax), {"getdelim", Summaries{Getline(IntTy, IntMax), Getline(LongTy, LongMax),
Getline(LongLongTy, LongLongMax)}}, Getline(LongLongTy, LongLongMax)}},
}; };
} }
Show All 20 Lines

clang/test/Analysis/std-c-library-functions-arg-constraints.c

Show First 20 LinesShow All 53 Lines▼ Show 20 Lines if (x > 255) { // \
int ret = isalnum(x); // \ int ret = isalnum(x); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{Function argument constraint is not satisfied}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-warning{{Function argument constraint is not satisfied}} \
// bugpath-note{{Function argument constraint is not satisfied}} // bugpath-note{{Function argument constraint is not satisfied}}
(void)ret; (void)ret;
} }
} }
typedef struct FILE FILE;
typedef typeof(sizeof(int)) size_t;
size_t fread(void *, size_t, size_t, FILE *);
void test_notnull_concrete(FILE *fp) {
fread(0, sizeof(int), 10, fp); // \
// report-warning{{Function argument constraint is not satisfied}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \
// bugpath-note{{Function argument constraint is not satisfied}}
}
void test_notnull_symbolic(FILE *fp, int *buf) {
fread(buf, sizeof(int), 10, fp);
clang_analyzer_eval(buf != 0); // \
// report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \
balazskeUnsubmitted
Done
ReplyInline Actions

One difficulty is that fread can work if the buf is 0 and count is 0 too. There is for sure code that uses this feature.

balazske: One difficulty is that `fread` can work if the `buf` is 0 and `count` is 0 too. There is for…
martongAuthorUnsubmitted
Done
ReplyInline Actions

My understanding is that in case of fread, if buf is 0 then that is an undefined behavior.

In the section in C11 describing the use of library functions (§7.1.4) it is stated that:

If an argument to a function has an invalid value (such as a value outside the domain of the function, or a pointer outside the address space of the program, or a null pointer, or a pointer to non-modifiable storage when the corresponding parameter is not const-qualified) or a type (after promotion) not expected by a function with variable number of arguments, the behavior is undefined. If a function argument is described as being an array, the pointer actually passed to the function shall have a value such that all address computations and accesses to objects (that would be valid if the pointer did point to the first element of such an array) are in fact valid.

I've found more details in this StackOverflow post:
https://stackoverflow.com/questions/51779960/is-it-safe-to-fread-0-bytes-into-a-null-pointer

Also note that a sane libc implementation would not dereference buf if size is 0, but we may not rely on these implementation details, that is why this is declared as undefined behavior in the standard.

martong: My understanding is that in case of `fread`, if `buf` is 0 then that is an undefined behavior.
// bugpath-note{{TRUE}} \
// bugpath-note{{'buf' is not equal to null}}
}
void test_notnull_symbolic2(FILE *fp, int *buf) {
if (!buf) // bugpath-note{{Assuming 'buf' is null}} \
// bugpath-note{{Taking true branch}}
fread(buf, sizeof(int), 10, fp); // \
// report-warning{{Function argument constraint is not satisfied}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \
// bugpath-note{{Function argument constraint is not satisfied}}
}

clang/test/Analysis/std-c-library-functions.c

Show First 20 LinesShow All 72 Lines▼ Show 20 Linesvoid test_read_write(int fd, char *buf) {
} else { } else {
clang_analyzer_eval(x == -1); // expected-warning{{TRUE}} clang_analyzer_eval(x == -1); // expected-warning{{TRUE}}
} }
} }
size_t fread(void *, size_t, size_t, FILE *); size_t fread(void *, size_t, size_t, FILE *);
size_t fwrite(const void *restrict, size_t, size_t, FILE *restrict); size_t fwrite(const void *restrict, size_t, size_t, FILE *restrict);
void test_fread_fwrite(FILE *fp, int *buf) { void test_fread_fwrite(FILE *fp, int *buf) {
size_t x = fwrite(buf, sizeof(int), 10, fp); size_t x = fwrite(buf, sizeof(int), 10, fp);
clang_analyzer_eval(x <= 10); // expected-warning{{TRUE}} clang_analyzer_eval(x <= 10); // expected-warning{{TRUE}}
size_t y = fread(buf, sizeof(int), 10, fp); size_t y = fread(buf, sizeof(int), 10, fp);
clang_analyzer_eval(y <= 10); // expected-warning{{TRUE}} clang_analyzer_eval(y <= 10); // expected-warning{{TRUE}}
size_t z = fwrite(buf, sizeof(int), y, fp); size_t z = fwrite(buf, sizeof(int), y, fp);
clang_analyzer_eval(z <= y); // expected-warning{{TRUE}} clang_analyzer_eval(z <= y); // expected-warning{{TRUE}}
} }
ssize_t getline(char **, size_t *, FILE *); ssize_t getline(char **, size_t *, FILE *);
void test_getline(FILE *fp) { void test_getline(FILE *fp) {
char *line = 0; char *line = 0;
size_t n = 0; size_t n = 0;
▲ Show 20 LinesShow All 121 LinesShow Last 20 Lines