This is an archive of the discontinued LLVM Phabricator instance.

Differential D76790

[analyzer] StdLibraryFunctionsChecker: fix bug with arg constraints
ClosedPublic

Authored by martong on Mar 25 2020, 11:15 AM.
Tokens
"Burninate" token, awarded by martong.

Details

Reviewers
NoQ
Szelethus
baloghadamsoftware
Commits
rG1525232e2761: [analyzer] StdLibraryFunctionsChecker: fix bug with arg constraints
Summary

Previously we induced a state split if there were multiple argument
constraints given for a function. This was because we called
addTransition inside the for loop.
The fix is to is to store the state and apply the next argument
constraint on that. And once the loop is finished we call addTransition.

Diff Detail

Event Timeline

martong created this revision.Mar 25 2020, 11:15 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 25 2020, 11:15 AM
Herald added subscribers: cfe-commits, ASDenysPetrov, steakhal and 10 others. · View Herald Transcript
martong added a comment.Mar 25 2020, 11:17 AM

I was thinking about the below test, but then I reverted back because I don't want to add "fake" summaries for testing purposes. Perhaps adding a new checker option could enable these "fake" summaries, @Szelethus what's your opinion?

diff --git a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
index 64a412bb4db..c1022492429 100644
--- a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
@@ -736,6 +736,14 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
   };

   FunctionSummaryMap = {
+      {
+        "__test",
+        Summaries{
+          Summary(ArgTypes{IntTy, IntTy}, RetType{IntTy}, EvalCallAsPure)
+            .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))
+            .ArgConstraint(ArgumentCondition(1U, WithinRange, SingleValue(1)))
+        }
+      },
       // The isascii() family of functions.
       // The behavior is undefined if the value of the argument is not
       // representable as unsigned char or is not equal to EOF. See e.g. C99
diff --git a/clang/test/Analysis/std-c-library-functions-arg-constraints.c b/clang/test/Analysis/std-c-library-functions-arg-constraints.c
index a20b90ad1cc..01109e28b99 100644
--- a/clang/test/Analysis/std-c-library-functions-arg-constraints.c
+++ b/clang/test/Analysis/std-c-library-functions-arg-constraints.c
@@ -85,3 +85,18 @@ void test_notnull_symbolic2(FILE *fp, int *buf) {
     // bugpath-warning{{Function argument constraint is not satisfied}} \
     // bugpath-note{{Function argument constraint is not satisfied}}
 }
+
+int __test(int, int);
+
+void test_multiple_constraints(int x, int y) {
+  __test(x, y);
+  clang_analyzer_eval(x == 1); // \
+  // report-warning{{TRUE}} \
+  // bugpath-warning{{TRUE}} \
+  // bugpath-note{{TRUE}}
+  clang_analyzer_eval(y == 1); // \
+  // report-warning{{TRUE}} \
+  // bugpath-warning{{TRUE}} \
+  // bugpath-note{{TRUE}}
+}
+
Harbormaster failed remote builds in B50413: Diff 252631!Mar 25 2020, 11:53 AM
Szelethus added a comment.Mar 27 2020, 5:39 AM

The fix looks great!

In D76790#1941857, @martong wrote:

I was thinking about the below test, but then I reverted back because I don't want to add "fake" summaries for testing purposes. Perhaps adding a new checker option could enable these "fake" summaries, @Szelethus what's your opinion?

The fake summary sounds great. You could hide it behind a debug checker, if we are to be that cautious.

martong updated this revision to Diff 253174.Mar 27 2020, 11:01 AM
  • Add tests with a subchecker
Harbormaster failed remote builds in B50711: Diff 253174!Mar 27 2020, 11:29 AM
martong updated this revision to Diff 253595.Mar 30 2020, 7:35 AM
  • Test multiple constraints on the same arg
Harbormaster failed remote builds in B50957: Diff 253595!Mar 30 2020, 8:04 AM
martong added a child revision: D77066: [analyzer] ApiModeling: Add buffer size arg constraint.Mar 30 2020, 8:53 AM
martong added a comment.Apr 1 2020, 7:50 AM

Ping :)

martong awarded a token.Apr 1 2020, 7:51 AM
Szelethus accepted this revision.Apr 2 2020, 6:19 AM

Yup, looks great, sorry for the slack!

This revision is now accepted and ready to land.Apr 2 2020, 6:19 AM
Closed by commit rG1525232e2761: [analyzer] StdLibraryFunctionsChecker: fix bug with arg constraints (authored by martong). · Explain WhyApr 2 2020, 8:06 AM
This revision was automatically updated to reflect the committed changes.
NoQ added a comment.Apr 6 2020, 11:55 AM
In D76790#1957061, @Szelethus wrote:

Yup, looks great

Can confirm.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Checkers/
6 lines
lib/
StaticAnalyzer/
Checkers/
52 lines
test/
Analysis/
29 lines

Diff 254530

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 1,416 Lines▼ Show 20 Linesdef DebugContainerModeling : Checker<"DebugContainerModeling">,
Dependencies<[ContainerModeling]>, Dependencies<[ContainerModeling]>,
Documentation<NotDocumented>; Documentation<NotDocumented>;
def DebugIteratorModeling : Checker<"DebugIteratorModeling">, def DebugIteratorModeling : Checker<"DebugIteratorModeling">,
HelpText<"Check the analyzer's understanding of C++ iterators">, HelpText<"Check the analyzer's understanding of C++ iterators">,
Dependencies<[DebugContainerModeling, IteratorModeling]>, Dependencies<[DebugContainerModeling, IteratorModeling]>,
Documentation<NotDocumented>; Documentation<NotDocumented>;
def StdCLibraryFunctionsTesterChecker : Checker<"StdCLibraryFunctionsTester">,
HelpText<"Add test functions to the summary map, so testing of individual "
"summary constituents becomes possible.">,
Dependencies<[StdCLibraryFunctionsChecker]>,
Documentation<NotDocumented>;
} // end "debug" } // end "debug"
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Clone Detection // Clone Detection
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
let ParentPackage = CloneDetectionAlpha in { let ParentPackage = CloneDetectionAlpha in {
▲ Show 20 LinesShow All 78 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 300 Lines▼ Show 20 Lines static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) {
return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN); return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN);
} }
public: public:
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
bool evalCall(const CallEvent &Call, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
enum CheckKind { CK_StdCLibraryFunctionArgsChecker, CK_NumCheckKinds }; enum CheckKind {
CK_StdCLibraryFunctionArgsChecker,
CK_StdCLibraryFunctionsTesterChecker,
CK_NumCheckKinds
};
DefaultBool ChecksEnabled[CK_NumCheckKinds]; DefaultBool ChecksEnabled[CK_NumCheckKinds];
CheckerNameRef CheckNames[CK_NumCheckKinds]; CheckerNameRef CheckNames[CK_NumCheckKinds];
private: private:
Optional<Summary> findFunctionSummary(const FunctionDecl *FD, Optional<Summary> findFunctionSummary(const FunctionDecl *FD,
const CallExpr *CE, const CallExpr *CE,
CheckerContext &C) const; CheckerContext &C) const;
Optional<Summary> findFunctionSummary(const CallEvent &Call, Optional<Summary> findFunctionSummary(const CallEvent &Call,
▲ Show 20 LinesShow All 132 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
Optional<Summary> FoundSummary = findFunctionSummary(Call, C); Optional<Summary> FoundSummary = findFunctionSummary(Call, C);
if (!FoundSummary) if (!FoundSummary)
return; return;
const Summary &Summary = *FoundSummary; const Summary &Summary = *FoundSummary;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
ProgramStateRef NewState = State;
for (const ValueConstraintPtr& VC : Summary.ArgConstraints) { for (const ValueConstraintPtr& VC : Summary.ArgConstraints) {
ProgramStateRef SuccessSt = VC->apply(State, Call, Summary); ProgramStateRef SuccessSt = VC->apply(NewState, Call, Summary);
ProgramStateRef FailureSt = VC->negate()->apply(State, Call, Summary); ProgramStateRef FailureSt = VC->negate()->apply(NewState, Call, Summary);
// The argument constraint is not satisfied. // The argument constraint is not satisfied.
if (FailureSt && !SuccessSt) { if (FailureSt && !SuccessSt) {
if (ExplodedNode *N = C.generateErrorNode(State)) if (ExplodedNode *N = C.generateErrorNode(NewState))
reportBug(Call, N, C); reportBug(Call, N, C);
break; break;
} else { } else {
// Apply the constraint even if we cannot reason about the argument. This // We will apply the constraint even if we cannot reason about the
// means both SuccessSt and FailureSt can be true. If we weren't applying // argument. This means both SuccessSt and FailureSt can be true. If we
// the constraint that would mean that symbolic execution continues on a // weren't applying the constraint that would mean that symbolic
// code whose behaviour is undefined. // execution continues on a code whose behaviour is undefined.
assert(SuccessSt); assert(SuccessSt);
C.addTransition(SuccessSt); NewState = SuccessSt;
} }
} }
if (NewState && NewState != State)
C.addTransition(NewState);
} }
void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call, void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
Optional<Summary> FoundSummary = findFunctionSummary(Call, C); Optional<Summary> FoundSummary = findFunctionSummary(Call, C);
if (!FoundSummary) if (!FoundSummary)
return; return;
▲ Show 20 LinesShow All 448 Lines▼ Show 20 Lines FunctionSummaryMap = {
{"fread", Summaries{Fread()}}, {"fread", Summaries{Fread()}},
{"fwrite", Summaries{Fwrite()}}, {"fwrite", Summaries{Fwrite()}},
// getline()-like functions either fail or read at least the delimiter. // getline()-like functions either fail or read at least the delimiter.
{"getline", Summaries{Getline(IntTy, IntMax), Getline(LongTy, LongMax), {"getline", Summaries{Getline(IntTy, IntMax), Getline(LongTy, LongMax),
Getline(LongLongTy, LongLongMax)}}, Getline(LongLongTy, LongLongMax)}},
{"getdelim", Summaries{Getline(IntTy, IntMax), Getline(LongTy, LongMax), {"getdelim", Summaries{Getline(IntTy, IntMax), Getline(LongTy, LongMax),
Getline(LongLongTy, LongLongMax)}}, Getline(LongLongTy, LongLongMax)}},
}; };
// Functions for testing.
if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {
llvm::StringMap<Summaries> TestFunctionSummaryMap = {
{"__two_constrained_args",
Summaries{
Summary(ArgTypes{IntTy, IntTy}, RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(
ArgumentCondition(0U, WithinRange, SingleValue(1)))
.ArgConstraint(
ArgumentCondition(1U, WithinRange, SingleValue(1)))}},
{"__arg_constrained_twice",
Summaries{Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(
ArgumentCondition(0U, OutOfRange, SingleValue(1)))
.ArgConstraint(
ArgumentCondition(0U, OutOfRange, SingleValue(2)))}},
};
for (auto &E : TestFunctionSummaryMap) {
auto InsertRes =
FunctionSummaryMap.insert({std::string(E.getKey()), E.getValue()});
assert(InsertRes.second &&
"Test functions must not clash with modeled functions");
(void)InsertRes;
}
}
} }
void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) { void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) {
mgr.registerChecker<StdLibraryFunctionsChecker>(); mgr.registerChecker<StdLibraryFunctionsChecker>();
} }
bool ento::shouldRegisterStdCLibraryFunctionsChecker(const CheckerManager &mgr) { bool ento::shouldRegisterStdCLibraryFunctionsChecker(const CheckerManager &mgr) {
return true; return true;
} }
#define REGISTER_CHECKER(name) \ #define REGISTER_CHECKER(name) \
void ento::register##name(CheckerManager &mgr) { \ void ento::register##name(CheckerManager &mgr) { \
StdLibraryFunctionsChecker *checker = \ StdLibraryFunctionsChecker *checker = \
mgr.getChecker<StdLibraryFunctionsChecker>(); \ mgr.getChecker<StdLibraryFunctionsChecker>(); \
checker->ChecksEnabled[StdLibraryFunctionsChecker::CK_##name] = true; \ checker->ChecksEnabled[StdLibraryFunctionsChecker::CK_##name] = true; \
checker->CheckNames[StdLibraryFunctionsChecker::CK_##name] = \ checker->CheckNames[StdLibraryFunctionsChecker::CK_##name] = \
mgr.getCurrentCheckerName(); \ mgr.getCurrentCheckerName(); \
} \ } \
\ \
bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; } bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
REGISTER_CHECKER(StdCLibraryFunctionArgsChecker) REGISTER_CHECKER(StdCLibraryFunctionArgsChecker)
REGISTER_CHECKER(StdCLibraryFunctionsTesterChecker)

clang/test/Analysis/std-c-library-functions-arg-constraints.c

// Check the basic reporting/warning and the application of constraints. // Check the basic reporting/warning and the application of constraints.
// RUN: %clang_analyze_cc1 %s \ // RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \ // RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \
// RUN: -analyzer-checker=apiModeling.StdCLibraryFunctionArgs \ // RUN: -analyzer-checker=apiModeling.StdCLibraryFunctionArgs \
// RUN: -analyzer-checker=debug.StdCLibraryFunctionsTester \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -triple x86_64-unknown-linux-gnu \ // RUN: -triple x86_64-unknown-linux-gnu \
// RUN: -verify=report // RUN: -verify=report
// Check the bugpath related to the reports. // Check the bugpath related to the reports.
// RUN: %clang_analyze_cc1 %s \ // RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \ // RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \
// RUN: -analyzer-checker=apiModeling.StdCLibraryFunctionArgs \ // RUN: -analyzer-checker=apiModeling.StdCLibraryFunctionArgs \
// RUN: -analyzer-checker=debug.StdCLibraryFunctionsTester \
// RUN: -analyzer-checker=debug.ExprInspection \ // RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -triple x86_64-unknown-linux-gnu \ // RUN: -triple x86_64-unknown-linux-gnu \
// RUN: -analyzer-output=text \ // RUN: -analyzer-output=text \
// RUN: -verify=bugpath // RUN: -verify=bugpath
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
int glob; int glob;
▲ Show 20 LinesShow All 57 Lines▼ Show 20 Lines
void test_notnull_symbolic2(FILE *fp, int *buf) { void test_notnull_symbolic2(FILE *fp, int *buf) {
if (!buf) // bugpath-note{{Assuming 'buf' is null}} \ if (!buf) // bugpath-note{{Assuming 'buf' is null}} \
// bugpath-note{{Taking true branch}} // bugpath-note{{Taking true branch}}
fread(buf, sizeof(int), 10, fp); // \ fread(buf, sizeof(int), 10, fp); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{Function argument constraint is not satisfied}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-warning{{Function argument constraint is not satisfied}} \
// bugpath-note{{Function argument constraint is not satisfied}} // bugpath-note{{Function argument constraint is not satisfied}}
} }
int __two_constrained_args(int, int);
void test_constraints_on_multiple_args(int x, int y) {
// State split should not happen here. I.e. x == 1 should not be evaluated
// FALSE.
__two_constrained_args(x, y);
clang_analyzer_eval(x == 1); // \
// report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}}
clang_analyzer_eval(y == 1); // \
// report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}}
}
int __arg_constrained_twice(int);
void test_multiple_constraints_on_same_arg(int x) {
__arg_constrained_twice(x);
// Check that both constraints are applied and only one branch is there.
clang_analyzer_eval(x < 1 || x > 2); // \
// report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \
// bugpath-note{{Assuming 'x' is < 1}} \
// bugpath-note{{Left side of '||' is true}}
}