This is an archive of the discontinued LLVM Phabricator instance.

Differential D75682

[Analyzer][StreamChecker] Introduction of stream error handling.
ClosedPublic

Authored by balazske on Mar 5 2020, 7:29 AM.

Details

Reviewers
Szelethus
NoQ
Charusso
baloghadamsoftware
xazax.hun
Commits
rG11bd3e5c6549: [Analyzer][StreamChecker] Introduction of stream error handling.
Summary

A new field is added to the stream state to store the actual error.
Function fseek is implemented to set the error state.
(More are to be added later.)
Modeling of stream error state handling functions is added.

(clearerr is not done yet but should follow.)

Diff Detail

Event Timeline

balazske created this revision.Mar 5 2020, 7:29 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptMar 5 2020, 7:29 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: cfe-commits, martong, Charusso and 9 others. · View Herald Transcript
balazske added a comment.Mar 5 2020, 7:36 AM

For older discussion see this:
https://reviews.llvm.org/D75356

Functions feof and ferror are added to show how the stream error flags are used and to make tests possible.

balazske added a comment.Mar 5 2020, 8:02 AM

Some explanation of the error states:

  • EofError indicates an EOF condition in the stream.
  • OtherError indicates a generic (I/O or other but not EOF) error.
  • AnyError is a "placeholder" if the exact error kind is not important. This is a "Schrödinger's cat" type of state: If we need to observe the exact error it can change to Eof or Other error. (See code in evalFeof and evalFerror, probably this is the only place for this event.) This error kind is used to save state splits, other solution is to make for example after fseek a new state for EofError and another for OtherError. The file error functions are relatively seldomly used (?), because checking success of an operation can be done with the return value and there is no need to check ferror or feof. And for analyzer warnings it is often enough to know if any error happened, not if exactly EOF or other error.
balazske added a comment.Mar 5 2020, 8:08 AM

We can not make a warning if a stream operation is called in failed state: The error was probably handled based on the return value of the previous failed operation. This thing is checked by the "ErrorReturnChecker" (https://reviews.llvm.org/D72705). Only some special functions like getc are to be handled specially where the error state has importance.

Harbormaster completed remote builds in B48199: Diff 248478.Mar 5 2020, 8:13 AM
balazske added a parent revision: D75614: [Analyzer][StreamChecker] Check for opened stream before operations..Mar 6 2020, 12:48 AM
Szelethus requested changes to this revision.Mar 6 2020, 6:47 AM

Let's halt this for now -- we have so many revisions going on seemingly doing the same thing, its becoming really confusing. Please finish D75356 before proceeding.

This revision now requires changes to proceed.Mar 6 2020, 6:47 AM
balazske mentioned this in D75356: [Analyzer][StreamChecker] Introduction of stream error state handling..Mar 6 2020, 7:12 AM
balazske added reviewers: NoQ, Charusso, baloghadamsoftware, xazax.hun.Mar 6 2020, 7:24 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptMar 6 2020, 7:24 AM
balazske updated this revision to Diff 249085.Mar 9 2020, 6:48 AM

Removed support for fseek, added clearerr.
This is now error handling only without fseek.
No functions set the error flags so test for
clearerr is not possible.

Harbormaster failed remote builds in B48540: Diff 249085!Mar 9 2020, 7:30 AM
balazske updated this revision to Diff 249107.Mar 9 2020, 8:23 AM

Fixed lint warnings.

balazske added a child revision: D75851: [Analyzer][StreamChecker] Added evaluation of fseek..Mar 9 2020, 8:42 AM
Harbormaster completed remote builds in B48556: Diff 249107.Mar 9 2020, 9:08 AM
Szelethus added a comment.Mar 10 2020, 6:52 AM

Can we see more test cases for when after a call to feof we indeed can tell the stream is in an EOF state? Same for ferror. I feel like there is a lot of code we don't yet cover.

Also, I see now that I didn't get in earlier revisions that OtherError actually refers to ferror() -- sorry about the confusion :)

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
68–80

Hmm, now that I think of it, could we just merge these 2 enums? Also, I fear that indexers would accidentally assign the comment to the enum after the comma:

Opened, /// Stream is opened.
Closed, /// Closed stream (an invalid stream pointer after it was closed).
OpenFailed /// The last open operation has failed.

/// Stream is opened might be assigned to Closed. How about this:

/// Stream is opened.
Opened,
/// Closed stream (an invalid stream pointer after it was closed).
Closed,
/// The last open operation has failed.
OpenFailed
78

Shouldn't we call this FError instead, if this is set precisely when ferror() is true? Despite the comments, I still managed to get myself confused with it :)

79

When do we know that the stream is in an error state, but not precisely know what that error is within the context of this patch? fseek would indeed introduce such a state, as described in D75356#inline-689287, but that should introduce its own error ErrorKind. I still don't really get why we would ever need AnyError.

88

Same, shouldn't this be isFError()?

89

This is confusing -- I would expect a method called isAnyError() to return true when isNoError() is false.

389

What if we call clearerr() on a stream that is in an feof() state? Shouln't we return if the stream is !isOtherError() (or !isFError(), if we were to rename it)?

417

Does this ever run? We never actually set the stream state to AnyError.

438–439

This function is practically the same as evalFeof, can we merge them?

Szelethus requested changes to this revision.Mar 10 2020, 6:52 AM
This revision now requires changes to proceed.Mar 10 2020, 6:52 AM
balazske marked 6 inline comments as done.Mar 10 2020, 8:34 AM

The problem here with tests is that there is no function to call that sets the error flags FEof or FError. So it is only possible to check if these are not set after opening the file.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
68–80

Probably these can be merged, it is used for a stream that is in an indeterminate state after failed freopen, but practically it is handled the same way as a closed stream. But this change would be done in another revision.

78

Plan is to rename to NoError, FEofError, FErrorError, FEofOrFErrorError.

79

This is the problem is the change is too small: The next part of it introduces functions where the new error flags are used. In this patch the AnyError feature is not used (the feof and ferror read it but nothing sets it).

89

The error state kinds are not mutually exclusive. The "any error" means we know that there is some error but we do not know what the error is (it is not relevant because nothing was done that depends on it). If a function is called that needs to know if "ferror" or "feof" is the error, the state will be split to FErrorError and FEofError.

389

clearerr does not return any value. It only clears the error flags (sets to false). In my interpretation the stream has one error value associated with it, this value may be EOF or "other" error, or no error. There are not two error flags, only one kind of error that may be EOF or other.

438–439

It is not the same code ("EOF" and "other error" are interchanged), but can be merged somehow.

Szelethus added a comment.Mar 10 2020, 3:14 PM

You've sold me on AnyError, we should have something like that with the addition of NoteTags. With that said, I feel uneasy about adding it in this patch and not testing it properly. I can also sympathize with your anxiety against bloating the fseek patch further by simply moving the code there, but I'm just not sure there is a good way to avoid it. I have a suggestion:

  1. Remove the code that adds and handles AnyError. Merge the two enums in the StreamState, and make ensureSteamOpened emit a warning if the stream is either feof() or ferror(). Add NoteTags saying something along the lines of:
if (feof(F)) { // note: Assuming the condition is true
               // note: Stream 'F' has the EOF flag set
  fgets(F); // warning: Illegal stream operation on a stream that has EOF set
}

I think that would make this a very neat, self contained patch.

  1. Add the removed code to the fseek patch (preferably with the name UnknownError). Make ensureSteamOpened emit a warning on this enum value as well. I don't think it would bloat the patch too much -- we just simply need that much to make sense of it.

What do you think?

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
68–80

I meant to merge the two enums (StreamState and ErrorKindTy) and the fields associated with them (State and ErrorState). We could however merge Closed and OpenFailed, granted that we put a NoteTag to evalFreopen. But I agree, that should be another revision's topic :)

79

Okay, after your comment in the other revision, I see how such a kind should be left, and the bug report should rather be enriched by NoteTags. With that said, AnyError is still a bit confusing as a name -- how abour UnknownError?

86

If a stream's opening failed, its still an error, yet this getter would return true for it. I think this is yet another reason to just merge the 2 enums :)

89

How about we change the name of it to isUnknownError? My main issue is that to me, the name isAnyError() answeres the question whether the stream is in any form of erroneous state.

389

The clearerr() function clears the end-of file and error indicators for the given stream.

Yup, you're totally right on this one. My bad.

balazske marked 2 inline comments as done.Mar 11 2020, 2:27 AM

I do not understand totally this remove-of-AnyError thing. If handling the AnyError will be removed the code remains still not testable. Because none of the possible failing file operations are modeled in this revision. A test with code like if (feof(F)) { can not work because feof(F) is never true without a previously failed operation. (We decide not at the moment of calling feof that feof will return true, it is decided at a previously failed operation, together with the return value of that operation.)

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
79

I want it to rename to FEofOrFErrorError, this tells exactly what it is (UnknownError can be still thought as a third error type). For these 2 error types this naming is not too long, and new error types are not likely to appear here later.

86

But as the comment says, the error state is applicable only in the opened state. If not opened, we may not call the "error" functions at all (assertion can be added). Anyway it is possible to merge the enums, then the isOpened will be a bit difficult (true if state is one of OpenedNoError, OpenedFErrorError, OpenedFEofError, OpenedFEofOrFErrorError). Logically it is better to see that the state is an aggregation of two states, an "openedness" and an error state. Probably this does not matter much here because it is unlikely that new states will appear that make the code more complex.

xazax.hun added inline comments.Mar 11 2020, 3:53 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
68–80

Since you mentioned that ErrorState is only applicable to Open streams, I am also +1 on merging the enums. These two states are not orthogonal, no reason for them to be separate.

428

As you probably know we are splitting the execution paths here. This will potentially result in doubling the analysis tome for a function for each feof call. Since state splits can be really bad for performance we need good justification for each of them.
So the questions are:

  • Is it really important to differentiate between eof and other error or is it possible to just have an any error state?
  • Do we find more bugs in real world code that justifies these state splits?
baloghadamsoftware added inline comments.Mar 11 2020, 4:47 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
68–80

Not orthogonal, but rather hiearchical. That is a reason for not merging. I am completely against it.

78

If would suggest NoError, FEoF, FError, FEoFOrFError. Too many Error suffixes reduce the readability.

86

I would not merge the two enums: this way they are hierarchical. When only checking the openness we do not need to check for 4 different states. I completely agree with @balazske here.

89

Yes, "Any" usually means any of the possible kinds. But instead of UnknownError use FEoFOrFerror.

417

I suggest to move codes that are only executed after a new functionality is added in a subsequent patch to that patch.

428

I agree here. Do not introduce such forks without specific reason.

438–439

Maybe using a template with a functor parameter and pass a lambda in the two instantiations? (See DebugContainerModeling and DebugIteratorModeling) and also some example is Iterator.cpp.

balazske marked 2 inline comments as done.Mar 11 2020, 5:14 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
428

feof and ferror should return the same value if called multiple times (and no other file operations in between). If the exact error is not saved in the state, how can we ensure that the calls return the same value?

438–439

I have already a template implementation, but probably it is not needed now.

xazax.hun added inline comments.Mar 11 2020, 5:22 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
68–80

In a more expressive language each enum value could have parameters and we could have

Opened(ErrorKind),
Closed,
OpenFailed

While we do not have such an expressive language, we can simulate this using the current constructs such as a variant. The question is, does this worth the effort? At this point this is more like the matter of taste as long as it is properly documented.

baloghadamsoftware added inline comments.Mar 11 2020, 5:51 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
78

I suggest to omit the last error state in this patch and introduce it in the patch which uses it.

balazske added a comment.Mar 11 2020, 6:21 AM

What is better? Have this (or similar) change that adds a feature that is used in a later change and is only testable in that later change, or have a bigger change that contains real use of the added features? (This means: Add fseek to this change or not.) The error handling is not normally testable if there is no function that generates error state, fseek could be one.

balazske marked 4 inline comments as done.Mar 11 2020, 7:06 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
68–80

Have a bool isOpened and an error kind is better?

baloghadamsoftware added a comment.Mar 11 2020, 7:14 AM
In D75682#1916809, @balazske wrote:

What is better? Have this (or similar) change that adds a feature that is used in a later change and is only testable in that later change, or have a bigger change that contains real use of the added features? (This means: Add fseek to this change or not.) The error handling is not normally testable if there is no function that generates error state, fseek could be one.

I think neither: add the feature (the last enum value and its handling in the functions) in the fseek() patch were it is used.

balazske added a comment.Mar 11 2020, 7:51 AM

And why not add first the "unknown error" state and later the feof and ferror error states? Or add every error state but not the feof and ferror functions? Every way results in an intermediate state of the checker.

Szelethus added a comment.Mar 11 2020, 7:51 AM

I see that we're a bit stuck on naming, and that is largely my fault. Apologies, let us focus on high level stuff for a bit.

In D75682#1916435, @balazske wrote:

I do not understand totally this remove-of-AnyError thing. If handling the AnyError will be removed the code remains still not testable.

In D75682#1915809, @Szelethus wrote:

Remove the code that adds and handles AnyError. Merge the two enums in the StreamState, and make ensureSteamOpened emit a warning if the stream is either feof() or ferror(). Add NoteTags saying something along the lines of:

if (feof(F)) { // note: Assuming the condition is true
               // note: Stream 'F' has the EOF flag set
  fgets(F); // warning: Illegal stream operation on a stream that has EOF set
}

If we added warnings to this patch, that would be testable.

In D75682#1916809, @balazske wrote:

What is better? Have this (or similar) change that adds a feature that is used in a later change and is only testable in that later change, or have a bigger change that contains real use of the added features? (This means: Add fseek to this change or not.) The error handling is not normally testable if there is no function that generates error state, fseek could be one.

Definitely the latter, and all you need to do is check whether the stream is in an error state in ensureStreamOpened, no need for fseek just yet.

In D75682#1916867, @baloghadamsoftware wrote:

I think neither: add the feature (the last enum value and its handling in the functions) in the fseek() patch were it is used.

Yup.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
68–80

That sounds wonderful, @balazske! :)

79

Okay, sure.

Szelethus added a comment.Mar 11 2020, 7:54 AM

Also, thank you guys for chipping in!

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
428

This is a very interesting question indeed, never crossed my mind before. I think it would be better to move AnyError to the next revision and discuss it there.

baloghadamsoftware added inline comments.Mar 11 2020, 8:05 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
68–80

Yes, we do not need the OpenFailed state either. A stream is either opened or not. This is the state of the stream. If there is any error, there are the error codes for.

balazske updated this revision to Diff 249642.Mar 11 2020, 8:42 AM
  • Removed AnyError.
  • Using common code for evalFeof and ferror.
balazske updated this revision to Diff 249643.Mar 11 2020, 8:45 AM

Adding correct diff.

Harbormaster completed remote builds in B48824: Diff 249642.Mar 11 2020, 9:37 AM
Harbormaster completed remote builds in B48825: Diff 249643.
Szelethus added a comment.Mar 11 2020, 9:54 AM

Could you please add the warning we discussed? That would be a great demonstration of this patch's capabilities, and wouldn't deserve its own patch.

balazske added a comment.Mar 12 2020, 1:26 AM
In D75682#1917257, @Szelethus wrote:

Could you please add the warning we discussed? That would be a great demonstration of this patch's capabilities, and wouldn't deserve its own patch.

Was it this warning?

if (feof(F)) { // note: Assuming the condition is true
               // note: Stream 'F' has the EOF flag set
  fgets(F); // warning: Illegal stream operation on a stream that has EOF set
}

The checker does not work by "assuming feof is true" (this can be a later feature, if the F is not tracked and a feof call is encountered). Value of feof (more precisely: if any error happened) is fixed when the file operation is called that causes the error. The warning above should be get even if the feof call is missing because it is still possible that the previous operation resulted in EOF state. Adding a similar warning is not a small change and the "infrastructure" for it is not ready in this revision. And still that warning would not be testable because FEof error state is never set in this patch. By the way, a file read is not invalid if any error is there, it simply fails again. But there is many possibility for warnings such as "file read called in EOF state", "feof called when it is proven to be false/true", "invalid file read/write after failed fseek/fread/fwrite" but these belong to next revisions.

Probably it would be better to make a full working prototype first, because the design decisions made now can turn out to be wrong later when the new functionality would be added and we do "not see the full picture" now.

balazske marked 9 inline comments as done.Mar 13 2020, 1:47 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
68–80

The "error kind" concept is needed separately from the stream state, see D75851. This is a reason for not merging them.

417

This is not applicable any more, AnyError is removed (from here).

428

The state fork problem is solved with UnknownError is the later revision, here it is no problem any more. A single state split is always needed because the return values differ in the failed and success case, and I want to make correlation between return values and stream error state.

Szelethus added a comment.Mar 13 2020, 8:08 AM

Thanks for sticking this out! It just takes me a while to get to the mental space regarding this patch you are already in, sometimes through saying incorrect statements or stupid suggestions! :) If others could chip in in this discussion, it would be most appreciated, because I fear that otherwise this patch is a bit too exposed to my own wrongs.

In D75682#1918839, @balazske wrote:
In D75682#1917257, @Szelethus wrote:

Could you please add the warning we discussed? That would be a great demonstration of this patch's capabilities, and wouldn't deserve its own patch.

Was it this warning?

if (feof(F)) { // note: Assuming the condition is true
               // note: Stream 'F' has the EOF flag set
  fgets(F); // warning: Illegal stream operation on a stream that has EOF set
}

The warning above should be get even if the feof call is missing because it is still possible that the previous operation resulted in EOF state.

What I meant to demonstrate (but failed to describe) is that if the condition of the if statement is !feof(F), we shouldn't get the warning.

The checker does not work by "assuming feof is true" (this can be a later feature, if the F is not tracked and a feof call is encountered). Value of feof (more precisely: if any error happened) is fixed when the file operation is called that causes the error. [...] And still that warning would not be testable because FEof error state is never set in this patch.

I suspect that at this point you are 2 steps ahead of me, but this is how I would imagine such a patch to look like: we evaluate feof() by splitting the state (this should be worth the cost, because why would we ever call feof if the state couldn't be EOF or non-EOF?), associate the state where its return value is true with the argument being marked as EOF, and the other as non-EOF.

This obviously wouldn't be sufficient -- values retrieved from stream reading operations may be EOF themselves, which should make us set the appropriate state for the originating stream, but that should indeed be the topic of a followup patch.

What is the goal here if not this? I have a suspicion I'm just not seeing the obvious here, but I don't get it just yet.

By the way, a file read is not invalid if any error is there, it simply fails again.

Oh, yea, silly me. You're totally right :)

Probably it would be better to make a full working prototype first, because the design decisions made now can turn out to be wrong later when the new functionality would be added and we do "not see the full picture" now.

If you try to implement a warning just to see how this would turn out long term, that would indeed be a good idea. Feel free to upload them, if you prefer, as a WIP patch!

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
419–420

Is this correct? We set the feof() return value whether we know the state of the stream to be EOF, but in this case we would incorrectly mark it as non-EOF:

$ cat a.txt # contains a single newline

$ cat test.cpp
#include <cstdio>

void tryRead(FILE *F) {
  char C = fgetc(F);

  if (feof(F))
    printf("The stream is EOF!\n");
  else
    printf("The stream is good! Read '%c'\n", C);
}

int main() {
  FILE *F = fopen("a.txt", "r");
  tryRead(F);
  tryRead(F); // Incorrectly mark F to be non-EOF
}
$ clang test.cpp -fsanitize=address && ./a.out 
The stream is good! Read '
'
The stream is EOF!

Wouldn't it be safer to assume it to be true if we know its EOF and do nothing otherwise? How about a state split?

(I know this functions also handler FError, but you see what my point is.)

clang/test/Analysis/stream-error.c
34–35

Sure, we don't, but the bigger issue here is that we wouldn't mark F to be in EOF even if we did handle it, we would also need to understand that ch == EOF is the telling sign. But that also ins't in the scope of this patch :)

balazske marked an inline comment as done.Mar 13 2020, 9:14 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
419–420

The problem in this code seems to be that fgetc is not handled (yet) by the checker. The plan is to handle every possible file operation. The handler of fgetc would split the state to EOF and non-EOF case. In the current state this is a real "bug", it could be handled somehow by checking for escaped stream (the fgetc here should cause escape of the file pointer if not recognized as file operation). But this means again a new patch before this one. Or add every file operation to this patch with some simple implementation or with "forgetting" the stream?

NoQ added a comment.Mar 15 2020, 7:54 PM

It looks like for now there's no way to put the stream into an error state, right?

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
68–80

Yes, we do not need the OpenFailed state either. A stream is either opened or not. This is the state of the stream. If there is any error, there are the error codes for.

Nope, there's also the state in which the stream was before it was opened, and it's different from being opened and closed. Most of the time we simply don't track the stream in such state, but when an open fails, we suddenly start tracking it, so we need a separate enum. Like, we'll have to emit different diagnostic messages depending on whether the stream is in Closed state or in an OpenFailed state and this information should be there at the bug report site, so it's part of the program state.

88

llvm::function_ref?

112

Simply C.getLocationContext().

392

So what exactly happens when you're calling clearerr on a closed stream? Does it actually become opened? Also what happens when you're calling it on an open-failed stream?

405–407

Maybe we should add a helper function for this, CallEvent::getOriginCallExpr(). That's an otherwise ugly function given that CallEvent is a class hierarchy and the superclass doesn't need to know about subclasses, but most users do in fact only care about call-expressions and concise checker API is important. Same with dyn_cast_or_null<FunctionDecl>(Call.getDecl()) that could be written as Call.getFunctionDecl().

414

I recommend not introducing a new symbol when you're going to return 0 anyway. A plain 0 is easier on the constraint solver than a symbol constrained to 0.

clang/test/Analysis/stream-error.c
34–35

Yeah, that's gonna be fun.

balazske marked 6 inline comments as done.Mar 16 2020, 2:00 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
88

function_ref's documentation says:

This class does not own the callable, so it is not in general safe to store a function_ref.

The FnDescription stores these functions so it is not safe to use llvm::function_ref?

392

The stream gets always in opened and error-free state. The preDefault checks that the stream is opened (not closed and not open-failed) and creates error node if not. If this create fails that is a problem case, the stream will be opened after clearerr. Should check in the eval functions for closed stream even if the pre-functions (in preCall callback) have normally checked this?

405–407

Can be done in another revision together with changing every use of dyn_cast_or_null<CallExpr>(Call.getOriginExpr()) to the new function.

clang/test/Analysis/stream-error.c
34–35

If there is a fputc call (for example) that is recognized (has recognized stream and no functions "fail") there is already an error and non-error branch created for it. On the error branch the return value of fputc would be EOF and the stream state is set to error. (The fputc should be later modeled by this checker, not done yet.)

If the ch == EOF is found then to figure out if this ch comes from an fputc that is called on a stream that is not recognized (it may be function parameter) and then make a "tracked" stream with error state for it, this is another thing.

NoQ added inline comments.Mar 16 2020, 7:02 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
88

I think you're using it only for global function pointers, no?

392

Aha, ok, got it.
Let's assert it then?

clang/test/Analysis/stream-error.c
34–35

Aha, fair enough, that's probably a well-justified state split.

balazske updated this revision to Diff 250588.Mar 16 2020, 10:07 AM
balazske marked 2 inline comments as done.

Addressed some comments.

balazske marked 3 inline comments as done.Mar 16 2020, 10:10 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
88

Probably can work but I tried it and got compile errors.

Harbormaster completed remote builds in B49327: Diff 250588.Mar 16 2020, 10:24 AM
Szelethus added a comment.Mar 17 2020, 8:32 AM

Riiiight I think I finally get it. You don't want to state split on feof() and ferror(), but rather on the stream operations! This is why you only want to tell the analyzer what the return value of these functions are going to be, because the state of the stream should be set by the time we reach these functions, right?

How about untracked streams? What if we call feof() on a stream we got from a parameter, wouldn't that suggest that the stream is probably non-null and could either be EOF or non-EOF?

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
88

It doesn't matter a whole lot, we could leave this as-is :)

balazske added a comment.Mar 17 2020, 9:56 AM
In D75682#1926732, @Szelethus wrote:

Riiiight I think I finally get it. You don't want to state split on feof() and ferror(), but rather on the stream operations!

Yes the split is at the operations. I did not think even of splitting at start of feof to determine "backwards" the result of the previous operation. This could be another approach. But the way of split depends on the previous operation (to check if error is possible based on possible constraints on its return value), probably not better (but less state split?).

balazske added a comment.Mar 17 2020, 10:00 AM
In D75682#1926732, @Szelethus wrote:

How about untracked streams? What if we call feof() on a stream we got from a parameter, wouldn't that suggest that the stream is probably non-null and could either be EOF or non-EOF?

Currently the operation is completely ignored on untracked stream. Could start with a non-null stream and every error case is possible.

Herald added a subscriber: DenisDvlp. · View Herald TranscriptMar 17 2020, 10:00 AM
Szelethus added a comment.Mar 18 2020, 5:18 AM
In D75682#1926889, @balazske wrote:
In D75682#1926732, @Szelethus wrote:

Riiiight I think I finally get it. You don't want to state split on feof() and ferror(), but rather on the stream operations!

Yes the split is at the operations. I did not think even of splitting at start of feof() to determine "backwards" the result of the previous operation. This could be another approach. But the way of split depends on the previous operation (to check if error is possible based on possible constraints on its return value), probably not better (but less state split?).

This is probably why it took a bit for us to understand each other! :) Generally speaking, we try to avoid state splitting as much as possible, but you totally convinced me, this isn't the place where we should be conservative. One should always expect stream operations to potentially fail, and that really does introduce two separate paths of execution.

The main issue that remains is testability, and now that we are on the same page, I see why you were concerned about it. I have a couple ideas:

  • For streams where the precise state is unknown (they are not tracked), start tracking. If we explicitly check whether a state is foef(), we can rightfully assume both of those possibilities.
  • Add debug function similar to clang_analyzer_express, like clang_analyzer_set_eof(FILE *), etc.
  • Evalulate a less complicated stream modeling function that sets such flags, though I suspect the followup patch is supposed to be the one doing this.

What do you think?

Herald added a subscriber: ASDenysPetrov. · View Herald TranscriptMar 18 2020, 5:18 AM
balazske added a comment.Mar 18 2020, 8:08 AM
In D75682#1928716, @Szelethus wrote:
  • For streams where the precise state is unknown (they are not tracked), start tracking. If we explicitly check whether a state is foef(), we can rightfully assume both of those possibilities.

This can follow in a later revision only. The new stream should have every error state possible, so when it is introduced 3 new states are required (with the error types), or an "unknown error" is needed that will be added later.

  • Add debug function similar to clang_analyzer_express, like clang_analyzer_set_eof(FILE *), etc.

How to add this? Probably it is too much work and I do not like if separate such debug functions are there for "every" checker (or many of).

  • Evalulate a less complicated stream modeling function that sets such flags, though I suspect the followup patch is supposed to be the one doing this.

The fseek patch can do this.

Szelethus added a subscriber: steakhal.Mar 18 2020, 9:30 AM
In D75682#1929093, @balazske wrote:
In D75682#1928716, @Szelethus wrote:
  • For streams where the precise state is unknown (they are not tracked), start tracking. If we explicitly check whether a state is foef(), we can rightfully assume both of those possibilities.

This can follow in a later revision only. The new stream should have every error state possible, so when it is introduced 3 new states are required (with the error types), or an "unknown error" is needed that will be added later.

  • Evalulate a less complicated stream modeling function that sets such flags, though I suspect the followup patch is supposed to be the one doing this.

The fseek patch can do this.

Very well.

  • Add debug function similar to clang_analyzer_express, like clang_analyzer_set_eof(FILE *), etc.

How to add this? Probably it is too much work and I do not like if separate such debug functions are there for "every" checker (or many of).

@steakhal recently made a patch that contained that and not much else: D74131. I share you dislike with the debug function, but I suspect that it wouldn't be too much work, especially compared to my other suggestions that would introduce testability, unless you have some other ideas (to which I'd be open to!).

DenisDvlp removed a subscriber: DenisDvlp.Mar 18 2020, 2:28 PM
baloghadamsoftware added inline comments.Mar 19 2020, 1:10 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
28

Create -> Creation

balazske added a comment.Mar 19 2020, 4:51 AM

Adding special test functions is not as easy, then StreamState should be accessible from another checker. It could be added to the same file, or new file but then moving the data structures into header is needed. At least for short-term it is more simple to add a stream function that generates error state (fseek is applicable or other). This is why the fseek patch is better to be included in this change (but makes it more complicated). Otherwise this revision must be added without tests for state observer functions.

Szelethus added a comment.Mar 24 2020, 8:57 AM
In D75682#1931108, @balazske wrote:

Adding special test functions is not as easy, then StreamState should be accessible from another checker. It could be added to the same file, or new file but then moving the data structures into header is needed.

For the time being, I don't fancy the idea of moving code to a header file.

At least for short-term it is more simple to add a stream function that generates error state (fseek is applicable or other). This is why the fseek patch is better to be included in this change (but makes it more complicated). Otherwise this revision must be added without tests for state observer functions.

It seems like D75356 should have been the revision to finish, after all :^). I agree -- don't worry about bloating the patch a bit, I've spend a lot of time with your patches, I feel confident in my ability at this point to be able to thoroughly review it.

balazske added a comment.Mar 25 2020, 2:12 AM

So what is missing or wrong in this change to be accepted?

Szelethus added a comment.Mar 27 2020, 5:15 AM
In D75682#1940901, @balazske wrote:

So what is missing or wrong in this change to be accepted?

This change is functional but is not testable. But the high level idea is great! I think we should maybe merge this with the followup, as you originally intended to.

Also, judging from the fact that how differently we imagined this to go (even though imo your idea is superior to mine), we should explain what our state splitting ideology is in the code.

balazske updated this revision to Diff 253587.Mar 30 2020, 7:06 AM

Added test checker.

Harbormaster failed remote builds in B50954: Diff 253587!Mar 30 2020, 8:03 AM
balazske added a comment.Apr 6 2020, 12:58 AM

Ping.
It is now testable, a sub-checker was added for testing (that can be useful at later improvements too).

Szelethus accepted this revision.Apr 6 2020, 3:39 AM

LGTM, let's go! Thank you so much for sticking this out!

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
29–30

Can a stream be both feof and ferror? Let's not delay this patch one moment longer, but a TODO to give this some thought might be nice.

clang/test/Analysis/stream-error.c
1

core isn't enabled! :o

This revision is now accepted and ready to land.Apr 6 2020, 3:39 AM
balazske marked an inline comment as done.Apr 6 2020, 5:45 AM
balazske added inline comments.
clang/test/Analysis/stream-error.c
1

Is it needed? It was probably not set (and is not) in the original test in stream.c.

balazske updated this revision to Diff 255360.Apr 6 2020, 8:39 AM
  • Adding comment about ferror, feof.
  • Enabled core checker in test file.
Harbormaster failed remote builds in B51959: Diff 255360!Apr 6 2020, 9:45 AM
NoQ added inline comments.Apr 6 2020, 11:29 AM
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
462

This should go into the debug package. We don't want users to enable it accidentally by enabling the whole unix package.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
25–27

assertStreamStateOpened(SS); isn't much harder to type. Can we make it a function please?

Szelethus added inline comments.Apr 6 2020, 12:09 PM
clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
462

Oh, nice catch!

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
25–27

Mind that this is completely stripped from release builds, unlike a function call. I think.

NoQ added inline comments.Apr 6 2020, 12:47 PM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
25–27

I'd be shocked if that's the case. In LLVM we have a lot of tiny functions all over the place and we'd better have them inlined most of the time.

Szelethus added inline comments.Apr 6 2020, 1:14 PM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
25–27

Ah, okay. Lets turn this into a regular function then!

balazske updated this revision to Diff 255602.Apr 6 2020, 11:58 PM
balazske marked an inline comment as done.

Moved test checker to debug package, changed macro to function.

Harbormaster failed remote builds in B52120: Diff 255602!Apr 7 2020, 12:30 AM
Szelethus accepted this revision.Apr 7 2020, 5:22 AM

Whoo!

balazske updated this revision to Diff 255906.Apr 7 2020, 11:51 PM

Adding diff to master.

Harbormaster failed remote builds in B52299: Diff 255906!Apr 8 2020, 12:30 AM
Closed by commit rG11bd3e5c6549: [Analyzer][StreamChecker] Introduction of stream error handling. (authored by balazske). · Explain WhyApr 8 2020, 2:40 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
5 lines
lib/
StaticAnalyzer/
Checkers/
210 lines
test/
Analysis/
Inputs/
55 lines
54 lines
22 lines

Diff 255935

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 453 Lines▼ Show 20 Linesdef PthreadLockChecker : Checker<"PthreadLock">,
HelpText<"Simple lock -> unlock checker">, HelpText<"Simple lock -> unlock checker">,
Dependencies<[PthreadLockBase]>, Dependencies<[PthreadLockBase]>,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
def StreamChecker : Checker<"Stream">, def StreamChecker : Checker<"Stream">,
HelpText<"Check stream handling functions">, HelpText<"Check stream handling functions">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
def SimpleStreamChecker : Checker<"SimpleStream">, def SimpleStreamChecker : Checker<"SimpleStream">,
NoQUnsubmitted
Done
ReplyInline Actions

This should go into the debug package. We don't want users to enable it accidentally by enabling the whole unix package.

NoQ: This should go into the debug package. We don't want users to enable it accidentally by…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Oh, nice catch!

Szelethus: Oh, nice catch!
HelpText<"Check for misuses of stream APIs">, HelpText<"Check for misuses of stream APIs">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
def BlockInCriticalSectionChecker : Checker<"BlockInCriticalSection">, def BlockInCriticalSectionChecker : Checker<"BlockInCriticalSection">,
HelpText<"Check for calls to blocking functions inside a critical section">, HelpText<"Check for calls to blocking functions inside a critical section">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
} // end "alpha.unix" } // end "alpha.unix"
▲ Show 20 LinesShow All 924 Lines▼ Show 20 Lines
def AnalyzerStatsChecker : Checker<"Stats">, def AnalyzerStatsChecker : Checker<"Stats">,
HelpText<"Emit warnings with analyzer statistics">, HelpText<"Emit warnings with analyzer statistics">,
Documentation<NotDocumented>; Documentation<NotDocumented>;
def TaintTesterChecker : Checker<"TaintTest">, def TaintTesterChecker : Checker<"TaintTest">,
HelpText<"Mark tainted symbols as such.">, HelpText<"Mark tainted symbols as such.">,
Documentation<NotDocumented>; Documentation<NotDocumented>;
def StreamTesterChecker : Checker<"StreamTester">,
HelpText<"Add test functions to StreamChecker for test and debugging purposes.">,
Dependencies<[StreamChecker]>,
Documentation<NotDocumented>;
def ExprInspectionChecker : Checker<"ExprInspection">, def ExprInspectionChecker : Checker<"ExprInspection">,
HelpText<"Check the analyzer's understanding of expressions">, HelpText<"Check the analyzer's understanding of expressions">,
Documentation<NotDocumented>; Documentation<NotDocumented>;
def ExplodedGraphViewer : Checker<"ViewExplodedGraph">, def ExplodedGraphViewer : Checker<"ViewExplodedGraph">,
HelpText<"View Exploded Graphs using GraphViz">, HelpText<"View Exploded Graphs using GraphViz">,
Documentation<NotDocumented>; Documentation<NotDocumented>;
▲ Show 20 LinesShow All 106 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

Show All 13 Lines
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include <functional>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace std::placeholders;
namespace { namespace {
NoQUnsubmitted
Not Done
ReplyInline Actions

assertStreamStateOpened(SS); isn't much harder to type. Can we make it a function please?

NoQ: `assertStreamStateOpened(SS);` isn't much harder to type. Can we make it a function please?
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Mind that this is completely stripped from release builds, unlike a function call. I think.

Szelethus: Mind that this is completely stripped from release builds, unlike a function call. I think.
NoQUnsubmitted
Not Done
ReplyInline Actions

I'd be shocked if that's the case. In LLVM we have a lot of tiny functions all over the place and we'd better have them inlined most of the time.

NoQ: I'd be shocked if that's the case. In LLVM we have a lot of tiny functions all over the place…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Ah, okay. Lets turn this into a regular function then!

Szelethus: Ah, okay. Lets turn this into a regular function then!
/// Full state information about a stream pointer.
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Create -> Creation

baloghadamsoftware: Create -> Creation
struct StreamState { struct StreamState {
enum Kind { Opened, Closed, OpenFailed, Escaped } K; /// State of a stream symbol.
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Can a stream be both feof and ferror? Let's not delay this patch one moment longer, but a TODO to give this some thought might be nice.

Szelethus: Can a stream be both `feof` and `ferror`? Let's not delay this patch one moment longer, but a…
/// FIXME: We need maybe an "escaped" state later.
StreamState(Kind k) : K(k) {} enum KindTy {
Opened, /// Stream is opened.
bool isOpened() const { return K == Opened; } Closed, /// Closed stream (an invalid stream pointer after it was closed).
bool isClosed() const { return K == Closed; } OpenFailed /// The last open operation has failed.
bool isOpenFailed() const { return K == OpenFailed; } } State;
//bool isEscaped() const { return K == Escaped; }
/// The error state of a stream.
bool operator==(const StreamState &X) const { return K == X.K; } /// Valid only if the stream is opened.
/// It is assumed that feof and ferror flags are never true at the same time.
static StreamState getOpened() { return StreamState(Opened); } enum ErrorKindTy {
static StreamState getClosed() { return StreamState(Closed); } /// No error flag is set (or stream is not open).
static StreamState getOpenFailed() { return StreamState(OpenFailed); } NoError,
static StreamState getEscaped() { return StreamState(Escaped); } /// EOF condition (`feof` is true).
FEof,
/// Other generic (non-EOF) error (`ferror` is true).
FError,
} ErrorState = NoError;
bool isOpened() const { return State == Opened; }
bool isClosed() const { return State == Closed; }
bool isOpenFailed() const { return State == OpenFailed; }
bool isNoError() const {
assert(State == Opened && "Error undefined for closed stream.");
return ErrorState == NoError;
}
bool isFEof() const {
assert(State == Opened && "Error undefined for closed stream.");
return ErrorState == FEof;
}
bool isFError() const {
assert(State == Opened && "Error undefined for closed stream.");
return ErrorState == FError;
}
bool operator==(const StreamState &X) const {
// In not opened state error should always NoError.
return State == X.State && ErrorState == X.ErrorState;
}
static StreamState getOpened() { return StreamState{Opened}; }
static StreamState getClosed() { return StreamState{Closed}; }
static StreamState getOpenFailed() { return StreamState{OpenFailed}; }
static StreamState getOpenedWithFEof() { return StreamState{Opened, FEof}; }
static StreamState getOpenedWithFError() {
return StreamState{Opened, FError};
}
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Shouldn't we call this FError instead, if this is set precisely when ferror() is true? Despite the comments, I still managed to get myself confused with it :)

Szelethus: Shouldn't we call this `FError` instead, if this is set precisely when `ferror()` is true?
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Plan is to rename to NoError, FEofError, FErrorError, FEofOrFErrorError.

balazske: Plan is to rename to `NoError`, `FEofError`, `FErrorError`, `FEofOrFErrorError`.
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

If would suggest NoError, FEoF, FError, FEoFOrFError. Too many Error suffixes reduce the readability.

baloghadamsoftware: If would suggest `NoError`, `FEoF`, `FError`, `FEoFOrFError`. Too many `Error` suffixes reduce…
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

I suggest to omit the last error state in this patch and introduce it in the patch which uses it.

baloghadamsoftware: I suggest to omit the last error state in this patch and introduce it in the patch which uses…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

When do we know that the stream is in an error state, but not precisely know what that error is within the context of this patch? fseek would indeed introduce such a state, as described in D75356#inline-689287, but that should introduce its own error ErrorKind. I still don't really get why we would ever need AnyError.

Szelethus: When do we know that the stream is in an error state, but not precisely know what that error is…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

This is the problem is the change is too small: The next part of it introduces functions where the new error flags are used. In this patch the AnyError feature is not used (the feof and ferror read it but nothing sets it).

balazske: This is the problem is the change is too small: The next part of it introduces functions where…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Okay, after your comment in the other revision, I see how such a kind should be left, and the bug report should rather be enriched by NoteTags. With that said, AnyError is still a bit confusing as a name -- how abour UnknownError?

Szelethus: Okay, after your comment in the other revision, I see how such a kind should be left, and the…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I want it to rename to FEofOrFErrorError, this tells exactly what it is (UnknownError can be still thought as a third error type). For these 2 error types this naming is not too long, and new error types are not likely to appear here later.

balazske: I want it to rename to `FEofOrFErrorError`, this tells exactly what it is (`UnknownError` can…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Okay, sure.

Szelethus: Okay, sure.
void Profile(llvm::FoldingSetNodeID &ID) const { void Profile(llvm::FoldingSetNodeID &ID) const {
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Hmm, now that I think of it, could we just merge these 2 enums? Also, I fear that indexers would accidentally assign the comment to the enum after the comma:

Opened, /// Stream is opened.
Closed, /// Closed stream (an invalid stream pointer after it was closed).
OpenFailed /// The last open operation has failed.

/// Stream is opened might be assigned to Closed. How about this:

/// Stream is opened.
Opened,
/// Closed stream (an invalid stream pointer after it was closed).
Closed,
/// The last open operation has failed.
OpenFailed
Szelethus: Hmm, now that I think of it, could we just merge these 2 enums? Also, I fear that indexers…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Probably these can be merged, it is used for a stream that is in an indeterminate state after failed freopen, but practically it is handled the same way as a closed stream. But this change would be done in another revision.

balazske: Probably these can be merged, it is used for a stream that is in an indeterminate state after…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

I meant to merge the two enums (StreamState and ErrorKindTy) and the fields associated with them (State and ErrorState). We could however merge Closed and OpenFailed, granted that we put a NoteTag to evalFreopen. But I agree, that should be another revision's topic :)

Szelethus: I meant to merge the two enums (`StreamState` and `ErrorKindTy`) and the fields associated with…
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Since you mentioned that ErrorState is only applicable to Open streams, I am also +1 on merging the enums. These two states are not orthogonal, no reason for them to be separate.

xazax.hun: Since you mentioned that ErrorState is only applicable to Open streams, I am also +1 on merging…
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Not orthogonal, but rather hiearchical. That is a reason for not merging. I am completely against it.

baloghadamsoftware: Not orthogonal, but rather hiearchical. That is a reason for not merging. I am completely…
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

In a more expressive language each enum value could have parameters and we could have

Opened(ErrorKind),
Closed,
OpenFailed

While we do not have such an expressive language, we can simulate this using the current constructs such as a variant. The question is, does this worth the effort? At this point this is more like the matter of taste as long as it is properly documented.

xazax.hun: In a more expressive language each enum value could have parameters and we could have ```…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Have a bool isOpened and an error kind is better?

balazske: Have a `bool isOpened` and an error kind is better?
SzelethusUnsubmitted
Not Done
ReplyInline Actions

That sounds wonderful, @balazske! :)

Szelethus: That sounds wonderful, @balazske! :)
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Yes, we do not need the OpenFailed state either. A stream is either opened or not. This is the state of the stream. If there is any error, there are the error codes for.

baloghadamsoftware: Yes, we do not need the `OpenFailed` state either. A stream is either opened or not. This is…
NoQUnsubmitted
Not Done
ReplyInline Actions

Yes, we do not need the OpenFailed state either. A stream is either opened or not. This is the state of the stream. If there is any error, there are the error codes for.

Nope, there's also the state in which the stream was before it was opened, and it's different from being opened and closed. Most of the time we simply don't track the stream in such state, but when an open fails, we suddenly start tracking it, so we need a separate enum. Like, we'll have to emit different diagnostic messages depending on whether the stream is in Closed state or in an OpenFailed state and this information should be there at the bug report site, so it's part of the program state.

NoQ: > Yes, we do not need the `OpenFailed` state either. A stream is either opened or not. This is…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The "error kind" concept is needed separately from the stream state, see D75851. This is a reason for not merging them.

balazske: The "error kind" concept is needed separately from the stream state, see D75851. This is a…
ID.AddInteger(K); ID.AddInteger(State);
ID.AddInteger(ErrorState);
} }
}; };
class StreamChecker; class StreamChecker;
SzelethusUnsubmitted
Not Done
ReplyInline Actions

If a stream's opening failed, its still an error, yet this getter would return true for it. I think this is yet another reason to just merge the 2 enums :)

Szelethus: If a stream's opening failed, its still an error, yet this getter would return true for it. I…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

But as the comment says, the error state is applicable only in the opened state. If not opened, we may not call the "error" functions at all (assertion can be added). Anyway it is possible to merge the enums, then the isOpened will be a bit difficult (true if state is one of OpenedNoError, OpenedFErrorError, OpenedFEofError, OpenedFEofOrFErrorError). Logically it is better to see that the state is an aggregation of two states, an "openedness" and an error state. Probably this does not matter much here because it is unlikely that new states will appear that make the code more complex.

balazske: But as the comment says, the error state is applicable only in the opened state. If not opened…
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

I would not merge the two enums: this way they are hierarchical. When only checking the openness we do not need to check for 4 different states. I completely agree with @balazske here.

baloghadamsoftware: I would not merge the two enums: this way they are hierarchical. When only checking the…
struct FnDescription; struct FnDescription;
using FnCheck = std::function<void(const StreamChecker *, const FnDescription *, using FnCheck = std::function<void(const StreamChecker *, const FnDescription *,
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Same, shouldn't this be isFError()?

Szelethus: Same, shouldn't this be `isFError()`?
NoQUnsubmitted
Done
ReplyInline Actions

llvm::function_ref?

NoQ: `llvm::function_ref`?
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

function_ref's documentation says:

This class does not own the callable, so it is not in general safe to store a function_ref.

The FnDescription stores these functions so it is not safe to use llvm::function_ref?

balazske: `function_ref`'s documentation says: > This class does not own the callable, so it is not in…
NoQUnsubmitted
Not Done
ReplyInline Actions

I think you're using it only for global function pointers, no?

NoQ: I think you're using it only for global function pointers, no?
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Probably can work but I tried it and got compile errors.

balazske: Probably can work but I tried it and got compile errors.
SzelethusUnsubmitted
Not Done
ReplyInline Actions

It doesn't matter a whole lot, we could leave this as-is :)

Szelethus: It doesn't matter a whole lot, we could leave this as-is :)
const CallEvent &, CheckerContext &)>; const CallEvent &, CheckerContext &)>;
SzelethusUnsubmitted
Not Done
ReplyInline Actions

This is confusing -- I would expect a method called isAnyError() to return true when isNoError() is false.

Szelethus: This is confusing -- I would expect a method called `isAnyError()` to return true when…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The error state kinds are not mutually exclusive. The "any error" means we know that there is some error but we do not know what the error is (it is not relevant because nothing was done that depends on it). If a function is called that needs to know if "ferror" or "feof" is the error, the state will be split to FErrorError and FEofError.

balazske: The error state kinds are not mutually exclusive. The "any error" means we know that there is…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

How about we change the name of it to isUnknownError? My main issue is that to me, the name isAnyError() answeres the question whether the stream is in any form of erroneous state.

Szelethus: How about we change the name of it to `isUnknownError`? My main issue is that to me, the name…
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Yes, "Any" usually means any of the possible kinds. But instead of UnknownError use FEoFOrFerror.

baloghadamsoftware: Yes, "Any" usually means //any// of the possible kinds. But instead of `UnknownError` use…
using ArgNoTy = unsigned int; using ArgNoTy = unsigned int;
static const ArgNoTy ArgNone = std::numeric_limits<ArgNoTy>::max(); static const ArgNoTy ArgNone = std::numeric_limits<ArgNoTy>::max();
struct FnDescription { struct FnDescription {
FnCheck PreFn; FnCheck PreFn;
FnCheck EvalFn; FnCheck EvalFn;
ArgNoTy StreamArgNo; ArgNoTy StreamArgNo;
}; };
/// Get the value of the stream argument out of the passed call event. /// Get the value of the stream argument out of the passed call event.
/// The call should contain a function that is described by Desc. /// The call should contain a function that is described by Desc.
SVal getStreamArg(const FnDescription *Desc, const CallEvent &Call) { SVal getStreamArg(const FnDescription *Desc, const CallEvent &Call) {
assert(Desc && Desc->StreamArgNo != ArgNone && assert(Desc && Desc->StreamArgNo != ArgNone &&
"Try to get a non-existing stream argument."); "Try to get a non-existing stream argument.");
return Call.getArgSVal(Desc->StreamArgNo); return Call.getArgSVal(Desc->StreamArgNo);
} }
/// Create a conjured symbol return value for a call expression.
DefinedSVal makeRetVal(CheckerContext &C, const CallExpr *CE) {
assert(CE && "Expecting a call expression.");
const LocationContext *LCtx = C.getLocationContext();
NoQUnsubmitted
Done
ReplyInline Actions

Simply C.getLocationContext().

NoQ: Simply `C.getLocationContext()`.
return C.getSValBuilder()
.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount())
.castAs<DefinedSVal>();
}
class StreamChecker class StreamChecker
: public Checker<check::PreCall, eval::Call, check::DeadSymbols> { : public Checker<check::PreCall, eval::Call, check::DeadSymbols> {
mutable std::unique_ptr<BuiltinBug> BT_nullfp, BT_illegalwhence, mutable std::unique_ptr<BuiltinBug> BT_nullfp, BT_illegalwhence,
BT_UseAfterClose, BT_UseAfterOpenFailed, BT_ResourceLeak; BT_UseAfterClose, BT_UseAfterOpenFailed, BT_ResourceLeak;
public: public:
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
bool evalCall(const CallEvent &Call, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
/// If true, evaluate special testing stream functions.
bool TestMode = false;
private: private:
CallDescriptionMap<FnDescription> FnDescriptions = { CallDescriptionMap<FnDescription> FnDescriptions = {
{{"fopen"}, {nullptr, &StreamChecker::evalFopen, ArgNone}}, {{"fopen"}, {nullptr, &StreamChecker::evalFopen, ArgNone}},
{{"freopen", 3}, {{"freopen", 3},
{&StreamChecker::preFreopen, &StreamChecker::evalFreopen, 2}}, {&StreamChecker::preFreopen, &StreamChecker::evalFreopen, 2}},
{{"tmpfile"}, {nullptr, &StreamChecker::evalFopen, ArgNone}}, {{"tmpfile"}, {nullptr, &StreamChecker::evalFopen, ArgNone}},
{{"fclose", 1}, {{"fclose", 1},
{&StreamChecker::preDefault, &StreamChecker::evalFclose, 0}}, {&StreamChecker::preDefault, &StreamChecker::evalFclose, 0}},
{{"fread", 4}, {&StreamChecker::preDefault, nullptr, 3}}, {{"fread", 4}, {&StreamChecker::preDefault, nullptr, 3}},
{{"fwrite", 4}, {&StreamChecker::preDefault, nullptr, 3}}, {{"fwrite", 4}, {&StreamChecker::preDefault, nullptr, 3}},
{{"fseek", 3}, {&StreamChecker::preFseek, nullptr, 0}}, {{"fseek", 3}, {&StreamChecker::preFseek, nullptr, 0}},
{{"ftell", 1}, {&StreamChecker::preDefault, nullptr, 0}}, {{"ftell", 1}, {&StreamChecker::preDefault, nullptr, 0}},
{{"rewind", 1}, {&StreamChecker::preDefault, nullptr, 0}}, {{"rewind", 1}, {&StreamChecker::preDefault, nullptr, 0}},
{{"fgetpos", 2}, {&StreamChecker::preDefault, nullptr, 0}}, {{"fgetpos", 2}, {&StreamChecker::preDefault, nullptr, 0}},
{{"fsetpos", 2}, {&StreamChecker::preDefault, nullptr, 0}}, {{"fsetpos", 2}, {&StreamChecker::preDefault, nullptr, 0}},
{{"clearerr", 1}, {&StreamChecker::preDefault, nullptr, 0}}, {{"clearerr", 1},
{{"feof", 1}, {&StreamChecker::preDefault, nullptr, 0}}, {&StreamChecker::preDefault, &StreamChecker::evalClearerr, 0}},
{{"ferror", 1}, {&StreamChecker::preDefault, nullptr, 0}}, {{"feof", 1},
{&StreamChecker::preDefault,
&StreamChecker::evalFeofFerror<&StreamState::isFEof>, 0}},
{{"ferror", 1},
{&StreamChecker::preDefault,
&StreamChecker::evalFeofFerror<&StreamState::isFError>, 0}},
{{"fileno", 1}, {&StreamChecker::preDefault, nullptr, 0}}, {{"fileno", 1}, {&StreamChecker::preDefault, nullptr, 0}},
}; };
CallDescriptionMap<FnDescription> FnTestDescriptions = {
{{"StreamTesterChecker_make_feof_stream", 1},
{nullptr,
&StreamChecker::evalSetFeofFerror<&StreamState::getOpenedWithFEof>, 0}},
{{"StreamTesterChecker_make_ferror_stream", 1},
{nullptr,
&StreamChecker::evalSetFeofFerror<&StreamState::getOpenedWithFError>,
0}},
};
void evalFopen(const FnDescription *Desc, const CallEvent &Call, void evalFopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void preFreopen(const FnDescription *Desc, const CallEvent &Call, void preFreopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void evalFreopen(const FnDescription *Desc, const CallEvent &Call, void evalFreopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void evalFclose(const FnDescription *Desc, const CallEvent &Call, void evalFclose(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void preFseek(const FnDescription *Desc, const CallEvent &Call, void preFseek(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void preDefault(const FnDescription *Desc, const CallEvent &Call, void preDefault(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void evalClearerr(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const;
template <bool (StreamState::*IsOfError)() const>
void evalFeofFerror(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const;
template <StreamState (*GetState)()>
void evalSetFeofFerror(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const;
/// Check that the stream (in StreamVal) is not NULL. /// Check that the stream (in StreamVal) is not NULL.
/// If it can only be NULL a fatal error is emitted and nullptr returned. /// If it can only be NULL a fatal error is emitted and nullptr returned.
/// Otherwise the return value is a new state where the stream is constrained /// Otherwise the return value is a new state where the stream is constrained
/// to be non-null. /// to be non-null.
ProgramStateRef ensureStreamNonNull(SVal StreamVal, CheckerContext &C, ProgramStateRef ensureStreamNonNull(SVal StreamVal, CheckerContext &C,
ProgramStateRef State) const; ProgramStateRef State) const;
/// Check that the stream is the opened state. /// Check that the stream is the opened state.
Show All 25 Lines const FnDescription *lookupFn(const CallEvent &Call) const {
return FnDescriptions.lookup(Call); return FnDescriptions.lookup(Call);
} }
}; };
} // end anonymous namespace } // end anonymous namespace
REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState) REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)
inline void assertStreamStateOpened(const StreamState *SS) {
assert(SS->isOpened() &&
"Previous create of error node for non-opened stream failed?");
}
void StreamChecker::checkPreCall(const CallEvent &Call, void StreamChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const FnDescription *Desc = lookupFn(Call); const FnDescription *Desc = lookupFn(Call);
if (!Desc || !Desc->PreFn) if (!Desc || !Desc->PreFn)
return; return;
Desc->PreFn(this, Desc, Call, C); Desc->PreFn(this, Desc, Call, C);
} }
bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const { bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
const FnDescription *Desc = lookupFn(Call); const FnDescription *Desc = lookupFn(Call);
if (!Desc && TestMode)
Desc = FnTestDescriptions.lookup(Call);
if (!Desc || !Desc->EvalFn) if (!Desc || !Desc->EvalFn)
return false; return false;
Desc->EvalFn(this, Desc, Call, C); Desc->EvalFn(this, Desc, Call, C);
return C.isDifferent(); return C.isDifferent();
} }
void StreamChecker::evalFopen(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::evalFopen(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SValBuilder &SVB = C.getSValBuilder(); const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
if (!CE) if (!CE)
return; return;
DefinedSVal RetVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount()) DefinedSVal RetVal = makeRetVal(C, CE);
.castAs<DefinedSVal>();
SymbolRef RetSym = RetVal.getAsSymbol(); SymbolRef RetSym = RetVal.getAsSymbol();
assert(RetSym && "RetVal must be a symbol here."); assert(RetSym && "RetVal must be a symbol here.");
State = State->BindExpr(CE, C.getLocationContext(), RetVal); State = State->BindExpr(CE, C.getLocationContext(), RetVal);
// Bifurcate the state into two: one with a valid FILE* pointer, the other // Bifurcate the state into two: one with a valid FILE* pointer, the other
// with a NULL. // with a NULL.
ProgramStateRef StateNotNull, StateNull; ProgramStateRef StateNotNull, StateNull;
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Linesvoid StreamChecker::evalFclose(const FnDescription *Desc, const CallEvent &Call,
SymbolRef Sym = getStreamArg(Desc, Call).getAsSymbol(); SymbolRef Sym = getStreamArg(Desc, Call).getAsSymbol();
if (!Sym) if (!Sym)
return; return;
const StreamState *SS = State->get<StreamMap>(Sym); const StreamState *SS = State->get<StreamMap>(Sym);
if (!SS) if (!SS)
return; return;
assertStreamStateOpened(SS);
// Close the File Descriptor. // Close the File Descriptor.
// Regardless if the close fails or not, stream becomes "closed" // Regardless if the close fails or not, stream becomes "closed"
// and can not be used any more. // and can not be used any more.
State = State->set<StreamMap>(Sym, StreamState::getClosed()); State = State->set<StreamMap>(Sym, StreamState::getClosed());
C.addTransition(State); C.addTransition(State);
} }
Show All 9 Lines if (!State)
return; return;
State = ensureFseekWhenceCorrect(Call.getArgSVal(2), C, State); State = ensureFseekWhenceCorrect(Call.getArgSVal(2), C, State);
if (!State) if (!State)
return; return;
C.addTransition(State); C.addTransition(State);
} }
void StreamChecker::evalClearerr(const FnDescription *Desc,
const CallEvent &Call,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
if (!StreamSym)
return;
const StreamState *SS = State->get<StreamMap>(StreamSym);
if (!SS)
return;
assertStreamStateOpened(SS);
SzelethusUnsubmitted
Done
ReplyInline Actions

What if we call clearerr() on a stream that is in an feof() state? Shouln't we return if the stream is !isOtherError() (or !isFError(), if we were to rename it)?

Szelethus: What if we call `clearerr()` on a stream that is in an `feof()` state? Shouln't we return if…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

clearerr does not return any value. It only clears the error flags (sets to false). In my interpretation the stream has one error value associated with it, this value may be EOF or "other" error, or no error. There are not two error flags, only one kind of error that may be EOF or other.

balazske: `clearerr` does not return any value. It only clears the error flags (sets to false). In my…
SzelethusUnsubmitted
Done
ReplyInline Actions

The clearerr() function clears the end-of file and error indicators for the given stream.

Yup, you're totally right on this one. My bad.

Szelethus: > The `clearerr()` function clears the end-of file and error indicators for the given stream.
if (SS->isNoError())
return;
NoQUnsubmitted
Done
ReplyInline Actions

So what exactly happens when you're calling clearerr on a closed stream? Does it actually become opened? Also what happens when you're calling it on an open-failed stream?

NoQ: So what exactly happens when you're calling `clearerr` on a closed stream? Does it actually…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The stream gets always in opened and error-free state. The preDefault checks that the stream is opened (not closed and not open-failed) and creates error node if not. If this create fails that is a problem case, the stream will be opened after clearerr. Should check in the eval functions for closed stream even if the pre-functions (in preCall callback) have normally checked this?

balazske: The stream gets always in opened and error-free state. The `preDefault` checks that the stream…
NoQUnsubmitted
Not Done
ReplyInline Actions

Aha, ok, got it.
Let's assert it then?

NoQ: Aha, ok, got it. Let's assert it then?
State = State->set<StreamMap>(StreamSym, StreamState::getOpened());
C.addTransition(State);
}
template <bool (StreamState::*IsOfError)() const>
void StreamChecker::evalFeofFerror(const FnDescription *Desc,
const CallEvent &Call,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
if (!StreamSym)
return;
const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
NoQUnsubmitted
Not Done
ReplyInline Actions

Maybe we should add a helper function for this, CallEvent::getOriginCallExpr(). That's an otherwise ugly function given that CallEvent is a class hierarchy and the superclass doesn't need to know about subclasses, but most users do in fact only care about call-expressions and concise checker API is important. Same with dyn_cast_or_null<FunctionDecl>(Call.getDecl()) that could be written as Call.getFunctionDecl().

NoQ: Maybe we should add a helper function for this, `CallEvent::getOriginCallExpr()`. That's an…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Can be done in another revision together with changing every use of dyn_cast_or_null<CallExpr>(Call.getOriginExpr()) to the new function.

balazske: Can be done in another revision together with changing every use of `dyn_cast_or_null<CallExpr>…
if (!CE)
return;
const StreamState *SS = State->get<StreamMap>(StreamSym);
// Ignore the call if the stream is not tracked.
if (!SS)
return;
NoQUnsubmitted
Done
ReplyInline Actions

I recommend not introducing a new symbol when you're going to return 0 anyway. A plain 0 is easier on the constraint solver than a symbol constrained to 0.

NoQ: I recommend not introducing a new symbol when you're going to return 0 anyway. A plain 0 is…
assertStreamStateOpened(SS);
SzelethusUnsubmitted
Done
ReplyInline Actions

Does this ever run? We never actually set the stream state to AnyError.

Szelethus: Does this ever run? We never actually set the stream state to `AnyError`.
baloghadamsoftwareUnsubmitted
Done
ReplyInline Actions

I suggest to move codes that are only executed after a new functionality is added in a subsequent patch to that patch.

baloghadamsoftware: I suggest to move codes that are only executed after a new functionality is added in a…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

This is not applicable any more, AnyError is removed (from here).

balazske: This is not applicable any more, `AnyError` is removed (from here).
if ((SS->*IsOfError)()) {
// Function returns nonzero.
DefinedSVal RetVal = makeRetVal(C, CE);
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Is this correct? We set the feof() return value whether we know the state of the stream to be EOF, but in this case we would incorrectly mark it as non-EOF:

$ cat a.txt # contains a single newline

$ cat test.cpp
#include <cstdio>

void tryRead(FILE *F) {
  char C = fgetc(F);

  if (feof(F))
    printf("The stream is EOF!\n");
  else
    printf("The stream is good! Read '%c'\n", C);
}

int main() {
  FILE *F = fopen("a.txt", "r");
  tryRead(F);
  tryRead(F); // Incorrectly mark F to be non-EOF
}
$ clang test.cpp -fsanitize=address && ./a.out 
The stream is good! Read '
'
The stream is EOF!

Wouldn't it be safer to assume it to be true if we know its EOF and do nothing otherwise? How about a state split?

(I know this functions also handler FError, but you see what my point is.)

Szelethus: Is this correct? We set the `feof()` return value whether we know the state of the stream to be…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The problem in this code seems to be that fgetc is not handled (yet) by the checker. The plan is to handle every possible file operation. The handler of fgetc would split the state to EOF and non-EOF case. In the current state this is a real "bug", it could be handled somehow by checking for escaped stream (the fgetc here should cause escape of the file pointer if not recognized as file operation). But this means again a new patch before this one. Or add every file operation to this patch with some simple implementation or with "forgetting" the stream?

balazske: The problem in this code seems to be that `fgetc` is not handled (yet) by the checker. The plan…
State = State->BindExpr(CE, C.getLocationContext(), RetVal);
State = State->assume(RetVal, true);
assert(State && "Assumption on new value should not fail.");
} else {
// Return zero.
State = State->BindExpr(CE, C.getLocationContext(),
C.getSValBuilder().makeIntVal(0, false));
}
xazax.hunUnsubmitted
Done
ReplyInline Actions

As you probably know we are splitting the execution paths here. This will potentially result in doubling the analysis tome for a function for each feof call. Since state splits can be really bad for performance we need good justification for each of them.
So the questions are:

  • Is it really important to differentiate between eof and other error or is it possible to just have an any error state?
  • Do we find more bugs in real world code that justifies these state splits?
xazax.hun: As you probably know we are splitting the execution paths here. This will potentially result in…
baloghadamsoftwareUnsubmitted
Done
ReplyInline Actions

I agree here. Do not introduce such forks without specific reason.

baloghadamsoftware: I agree here. Do not introduce such forks without specific reason.
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

feof and ferror should return the same value if called multiple times (and no other file operations in between). If the exact error is not saved in the state, how can we ensure that the calls return the same value?

balazske: `feof` and `ferror` should return the same value if called multiple times (and no other file…
SzelethusUnsubmitted
Done
ReplyInline Actions

This is a very interesting question indeed, never crossed my mind before. I think it would be better to move AnyError to the next revision and discuss it there.

Szelethus: This is a very interesting question indeed, never crossed my mind before. I think it would be…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The state fork problem is solved with UnknownError is the later revision, here it is no problem any more. A single state split is always needed because the return values differ in the failed and success case, and I want to make correlation between return values and stream error state.

balazske: The state fork problem is solved with `UnknownError` is the later revision, here it is no…
C.addTransition(State);
}
void StreamChecker::preDefault(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::preDefault(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal StreamVal = getStreamArg(Desc, Call); SVal StreamVal = getStreamArg(Desc, Call);
State = ensureStreamNonNull(StreamVal, C, State); State = ensureStreamNonNull(StreamVal, C, State);
if (!State) if (!State)
return; return;
State = ensureStreamOpened(StreamVal, C, State); State = ensureStreamOpened(StreamVal, C, State);
SzelethusUnsubmitted
Done
ReplyInline Actions

This function is practically the same as evalFeof, can we merge them?

Szelethus: This function is practically the same as `evalFeof`, can we merge them?
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

It is not the same code ("EOF" and "other error" are interchanged), but can be merged somehow.

balazske: It is not the same code ("EOF" and "other error" are interchanged), but can be merged somehow.
baloghadamsoftwareUnsubmitted
Done
ReplyInline Actions

Maybe using a template with a functor parameter and pass a lambda in the two instantiations? (See DebugContainerModeling and DebugIteratorModeling) and also some example is Iterator.cpp.

baloghadamsoftware: Maybe using a template with a functor parameter and pass a lambda in the two instantiations?
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

I have already a template implementation, but probably it is not needed now.

balazske: I have already a template implementation, but probably it is not needed now.
if (!State) if (!State)
return; return;
C.addTransition(State); C.addTransition(State);
} }
template <StreamState (*GetState)()>
void StreamChecker::evalSetFeofFerror(const FnDescription *Desc,
const CallEvent &Call,
CheckerContext &C) const {
ProgramStateRef State = C.getState();
SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
assert(StreamSym && "Operation not permitted on non-symbolic stream value.");
State = State->set<StreamMap>(StreamSym, (*GetState)());
C.addTransition(State);
}
ProgramStateRef ProgramStateRef
StreamChecker::ensureStreamNonNull(SVal StreamVal, CheckerContext &C, StreamChecker::ensureStreamNonNull(SVal StreamVal, CheckerContext &C,
ProgramStateRef State) const { ProgramStateRef State) const {
auto Stream = StreamVal.getAs<DefinedSVal>(); auto Stream = StreamVal.getAs<DefinedSVal>();
if (!Stream) if (!Stream)
return State; return State;
ConstraintManager &CM = C.getConstraintManager(); ConstraintManager &CM = C.getConstraintManager();
▲ Show 20 LinesShow All 111 Lines▼ Show 20 Lines if (!BT_ResourceLeak)
BT_ResourceLeak.reset( BT_ResourceLeak.reset(
new BuiltinBug(this, "Resource Leak", new BuiltinBug(this, "Resource Leak",
"Opened File never closed. Potential Resource leak.")); "Opened File never closed. Potential Resource leak."));
C.emitReport(std::make_unique<PathSensitiveBugReport>( C.emitReport(std::make_unique<PathSensitiveBugReport>(
*BT_ResourceLeak, BT_ResourceLeak->getDescription(), N)); *BT_ResourceLeak, BT_ResourceLeak->getDescription(), N));
} }
} }
void ento::registerStreamChecker(CheckerManager &mgr) { void ento::registerStreamChecker(CheckerManager &Mgr) {
mgr.registerChecker<StreamChecker>(); Mgr.registerChecker<StreamChecker>();
}
bool ento::shouldRegisterStreamChecker(const CheckerManager &Mgr) {
return true;
}
void ento::registerStreamTesterChecker(CheckerManager &Mgr) {
auto *Checker = Mgr.getChecker<StreamChecker>();
Checker->TestMode = true;
} }
bool ento::shouldRegisterStreamChecker(const CheckerManager &mgr) { bool ento::shouldRegisterStreamTesterChecker(const CheckerManager &Mgr) {
return true; return true;
} }

clang/test/Analysis/Inputs/system-header-simulator.h

// Like the compiler, the static analyzer treats some functions differently if // Like the compiler, the static analyzer treats some functions differently if
// they come from a system header -- for example, it is assumed that system // they come from a system header -- for example, it is assumed that system
// functions do not arbitrarily free() their parameters, and that some bugs // functions do not arbitrarily free() their parameters, and that some bugs
// found in system headers cannot be fixed by the user and should be // found in system headers cannot be fixed by the user and should be
// suppressed. // suppressed.
#pragma clang system_header #pragma clang system_header
#ifdef __cplusplus #ifdef __cplusplus
#define restrict /*restrict*/ #define restrict /*restrict*/
#endif #endif
typedef __typeof(sizeof(int)) size_t;
typedef long long __int64_t;
typedef __int64_t __darwin_off_t;
typedef __darwin_off_t fpos_t;
typedef struct _FILE FILE; typedef struct _FILE FILE;
#define SEEK_SET 0 /* Seek from beginning of file. */
#define SEEK_CUR 1 /* Seek from current position. */
#define SEEK_END 2 /* Seek from end of file. */
extern FILE *stdin; extern FILE *stdin;
extern FILE *stdout; extern FILE *stdout;
extern FILE *stderr; extern FILE *stderr;
// Include a variant of standard streams that occur in the pre-processed file. // Include a variant of standard streams that occur in the pre-processed file.
extern FILE *__stdinp; extern FILE *__stdinp;
extern FILE *__stdoutp; extern FILE *__stdoutp;
extern FILE *__stderrp; extern FILE *__stderrp;
int scanf(const char *restrict format, ...); int scanf(const char *restrict format, ...);
int fscanf(FILE *restrict, const char *restrict, ...); int fscanf(FILE *restrict, const char *restrict, ...);
int printf(const char *restrict format, ...); int printf(const char *restrict format, ...);
int fprintf(FILE *restrict, const char *restrict, ...); int fprintf(FILE *restrict, const char *restrict, ...);
int getchar(void); int getchar(void);
void setbuf(FILE *restrict, char *restrict);
int setvbuf(FILE *restrict, char *restrict, int, size_t);
FILE *funopen(const void *,
int (*)(void *, char *, int),
int (*)(void *, const char *, int),
fpos_t (*)(void *, fpos_t, int),
int (*)(void *));
FILE *fopen(const char *path, const char *mode);
FILE *tmpfile(void);
FILE *freopen(const char *pathname, const char *mode, FILE *stream);
int fclose(FILE *fp);
size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
size_t fwrite(const void *ptr, size_t size, size_t nmemb, FILE *stream);
int fputc(int ch, FILE *stream);
int fseek(FILE *__stream, long int __off, int __whence);
long int ftell(FILE *__stream);
void rewind(FILE *__stream);
int fgetpos(FILE *stream, fpos_t *pos);
int fsetpos(FILE *stream, const fpos_t *pos);
void clearerr(FILE *stream);
int feof(FILE *stream);
int ferror(FILE *stream);
int fileno(FILE *stream);
// Note, on some platforms errno macro gets replaced with a function call. // Note, on some platforms errno macro gets replaced with a function call.
extern int errno; extern int errno;
typedef __typeof(sizeof(int)) size_t;
size_t strlen(const char *); size_t strlen(const char *);
char *strcpy(char *restrict, const char *restrict); char *strcpy(char *restrict, const char *restrict);
char *strncpy(char *dst, const char *src, size_t n); char *strncpy(char *dst, const char *src, size_t n);
void *memcpy(void *dst, const void *src, size_t n); void *memcpy(void *dst, const void *src, size_t n);
typedef unsigned long __darwin_pthread_key_t; typedef unsigned long __darwin_pthread_key_t;
typedef __darwin_pthread_key_t pthread_key_t; typedef __darwin_pthread_key_t pthread_key_t;
int pthread_setspecific(pthread_key_t, const void *); int pthread_setspecific(pthread_key_t, const void *);
typedef long long __int64_t;
typedef __int64_t __darwin_off_t;
typedef __darwin_off_t fpos_t;
void setbuf(FILE * restrict, char * restrict);
int setvbuf(FILE * restrict, char * restrict, int, size_t);
FILE *fopen(const char * restrict, const char * restrict);
int fclose(FILE *);
FILE *funopen(const void *,
int (*)(void *, char *, int),
int (*)(void *, const char *, int),
fpos_t (*)(void *, fpos_t, int),
int (*)(void *));
int sqlite3_bind_text_my(int, const char*, int n, void(*)(void*)); int sqlite3_bind_text_my(int, const char*, int n, void(*)(void*));
typedef void (*freeCallback) (void*); typedef void (*freeCallback) (void*);
typedef struct { typedef struct {
int i; int i;
freeCallback fc; freeCallback fc;
} StWithCallback; } StWithCallback;
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Lines
#define UINT32_MAX 4294967295U #define UINT32_MAX 4294967295U
#define INT64_MIN (-INT64_MAX-1) #define INT64_MIN (-INT64_MAX-1)
#define __DBL_MAX__ 1.7976931348623157e+308 #define __DBL_MAX__ 1.7976931348623157e+308
#define DBL_MAX __DBL_MAX__ #define DBL_MAX __DBL_MAX__
#ifndef NULL #ifndef NULL
#define __DARWIN_NULL 0 #define __DARWIN_NULL 0
#define NULL __DARWIN_NULL #define NULL __DARWIN_NULL
#endif #endif
#define EOF (-1)
#define offsetof(t, d) __builtin_offsetof(t, d) #define offsetof(t, d) __builtin_offsetof(t, d)
No newline at end of file

clang/test/Analysis/stream-error.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core -analyzer-checker=debug.StreamTester,debug.ExprInspection -analyzer-store region -verify %s
SzelethusUnsubmitted
Not Done
ReplyInline Actions

core isn't enabled! :o

Szelethus: `core` isn't enabled! :o
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Is it needed? It was probably not set (and is not) in the original test in stream.c.

balazske: Is it needed? It was probably not set (and is not) in the original test in `stream.c`.
#include "Inputs/system-header-simulator.h"
void clang_analyzer_eval(int);
void StreamTesterChecker_make_feof_stream(FILE *);
void StreamTesterChecker_make_ferror_stream(FILE *);
void error_fopen() {
FILE *F = fopen("file", "r");
if (!F)
return;
clang_analyzer_eval(feof(F)); // expected-warning {{FALSE}}
clang_analyzer_eval(ferror(F)); // expected-warning {{FALSE}}
fclose(F);
}
void error_freopen() {
FILE *F = fopen("file", "r");
if (!F)
return;
F = freopen(0, "w", F);
if (!F)
return;
clang_analyzer_eval(feof(F)); // expected-warning {{FALSE}}
clang_analyzer_eval(ferror(F)); // expected-warning {{FALSE}}
fclose(F);
}
void stream_error_feof() {
FILE *F = fopen("file", "r");
if (!F)
return;
StreamTesterChecker_make_feof_stream(F);
clang_analyzer_eval(feof(F)); // expected-warning {{TRUE}}
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Sure, we don't, but the bigger issue here is that we wouldn't mark F to be in EOF even if we did handle it, we would also need to understand that ch == EOF is the telling sign. But that also ins't in the scope of this patch :)

Szelethus: Sure, we don't, but the bigger issue here is that we wouldn't mark `F` to be in EOF even if we…
NoQUnsubmitted
Not Done
ReplyInline Actions

Yeah, that's gonna be fun.

NoQ: Yeah, that's gonna be fun.
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

If there is a fputc call (for example) that is recognized (has recognized stream and no functions "fail") there is already an error and non-error branch created for it. On the error branch the return value of fputc would be EOF and the stream state is set to error. (The fputc should be later modeled by this checker, not done yet.)

If the ch == EOF is found then to figure out if this ch comes from an fputc that is called on a stream that is not recognized (it may be function parameter) and then make a "tracked" stream with error state for it, this is another thing.

balazske: If there is a `fputc` call (for example) that is recognized (has recognized stream and no…
NoQUnsubmitted
Not Done
ReplyInline Actions

Aha, fair enough, that's probably a well-justified state split.

NoQ: Aha, fair enough, that's probably a well-justified state split.
clang_analyzer_eval(ferror(F)); // expected-warning {{FALSE}}
clearerr(F);
clang_analyzer_eval(feof(F)); // expected-warning {{FALSE}}
clang_analyzer_eval(ferror(F)); // expected-warning {{FALSE}}
fclose(F);
}
void stream_error_ferror() {
FILE *F = fopen("file", "r");
if (!F)
return;
StreamTesterChecker_make_ferror_stream(F);
clang_analyzer_eval(feof(F)); // expected-warning {{FALSE}}
clang_analyzer_eval(ferror(F)); // expected-warning {{TRUE}}
clearerr(F);
clang_analyzer_eval(feof(F)); // expected-warning {{FALSE}}
clang_analyzer_eval(ferror(F)); // expected-warning {{FALSE}}
fclose(F);
}

clang/test/Analysis/stream.c

// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.unix.Stream -analyzer-store region -verify %s // RUN: %clang_analyze_cc1 -analyzer-checker=alpha.unix.Stream -analyzer-store region -verify %s
typedef __typeof__(sizeof(int)) size_t; #include "Inputs/system-header-simulator.h"
typedef __typeof__(sizeof(int)) fpos_t;
typedef struct _IO_FILE FILE;
#define SEEK_SET 0 /* Seek from beginning of file. */
#define SEEK_CUR 1 /* Seek from current position. */
#define SEEK_END 2 /* Seek from end of file. */
extern FILE *fopen(const char *path, const char *mode);
extern FILE *tmpfile(void);
extern int fclose(FILE *fp);
extern size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
extern size_t fwrite(const void *ptr, size_t size, size_t nmemb, FILE *stream);
extern int fseek (FILE *__stream, long int __off, int __whence);
extern long int ftell (FILE *__stream);
extern void rewind (FILE *__stream);
extern int fgetpos(FILE *stream, fpos_t *pos);
extern int fsetpos(FILE *stream, const fpos_t *pos);
extern void clearerr(FILE *stream);
extern int feof(FILE *stream);
extern int ferror(FILE *stream);
extern int fileno(FILE *stream);
extern FILE *freopen(const char *pathname, const char *mode, FILE *stream);
void check_fread() { void check_fread() {
FILE *fp = tmpfile(); FILE *fp = tmpfile();
fread(0, 0, 0, fp); // expected-warning {{Stream pointer might be NULL}} fread(0, 0, 0, fp); // expected-warning {{Stream pointer might be NULL}}
fclose(fp); fclose(fp);
} }
void check_fwrite() { void check_fwrite() {
▲ Show 20 LinesShow All 176 Lines▼ Show 20 Linesvoid check_freopen_3() {
if (f1) { if (f1) {
// Unchecked result of freopen. // Unchecked result of freopen.
// The f1 may be invalid after this call. // The f1 may be invalid after this call.
freopen(0, "w", f1); freopen(0, "w", f1);
rewind(f1); // expected-warning {{Stream might be invalid}} rewind(f1); // expected-warning {{Stream might be invalid}}
fclose(f1); fclose(f1);
} }
} }
No newline at end of file No newline at end of file