This is an archive of the discontinued LLVM Phabricator instance.

Differential D77066

[analyzer] ApiModeling: Add buffer size arg constraint
ClosedPublic

Authored by martong on Mar 30 2020, 8:53 AM.

Details

Reviewers
NoQ
Szelethus
Charusso
steakhal
Commits
rGbd03ef19beb8: [analyzer] ApiModeling: Add buffer size arg constraint
Summary

Introducing a new argument constraint to confine buffer sizes. It is typical in
C APIs that a parameter represents a buffer and another param holds the size of
the buffer (or the size of the data we want to handle from the buffer).

Diff Detail

Event Timeline

martong created this revision.Mar 30 2020, 8:53 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 30 2020, 8:53 AM
Herald added subscribers: cfe-commits, ASDenysPetrov, gamesh411 and 9 others. · View Herald Transcript
martong added a parent revision: D76790: [analyzer] StdLibraryFunctionsChecker: fix bug with arg constraints.Mar 30 2020, 8:53 AM
Harbormaster failed remote builds in B50965: Diff 253606!Mar 30 2020, 9:14 AM
martong added a child revision: D77148: [analyzer] ApiModeling: Add buffer size arg constraint with multiplier involved.Mar 31 2020, 8:44 AM
Charusso added a comment.Mar 31 2020, 1:23 PM

Please avoid to stuff in CheckerContext because this facility should be used by ExprEngine/Store as well.
Let us reword your API: getDynamicSizeWithOffset(ProgramStateRef, SVal, SValBuilder &). Of course we are trying to obtain some buffer-ish size, that is the purpose of the entire API.
I also could imagine something like getDynamicSizeMul(ProgramStateRef, const MemRegion &, const MemRegion &, SValBuilder &), as it is very common.

May it would make sense to use the API like:

getDynamicSizeWithOffset(State, MR, SVB) {
  Offset = State->getStoreManager().getStaticOffset(MR, SVB);
  ...
}

This idea is similar to MemRegionManager::getStaticSize(MR, SVB). Hopefully no-one needs dynamic offsets.

Charusso added a comment.Apr 1 2020, 12:04 AM
In D77066#1953280, @Charusso wrote:
getDynamicSizeWithOffset(State, MR, SVB) {
  Offset = State->getStoreManager().getStaticOffset(MR, SVB);
  ...
}

Hm, the MemRegion's offset should be great. I was thinking about if we would store SVal offsets in the Store.

martong marked an inline comment as done.Apr 9 2020, 8:31 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
256

Use BinaryOperator::negateComparisonOp

martong updated this revision to Diff 257317.Apr 14 2020, 7:21 AM
martong marked an inline comment as done.
  • Rebase to master
  • Use BinaryOperator::negateComparisonOp
  • getBufferDynamicSize -> getDynamicSizeWithOffset
martong added a comment.Apr 14 2020, 7:21 AM
In D77066#1953280, @Charusso wrote:

Please avoid to stuff in CheckerContext because this facility should be used by ExprEngine/Store as well.
Let us reword your API: getDynamicSizeWithOffset(ProgramStateRef, SVal, SValBuilder &). Of course we are trying to obtain some buffer-ish size, that is the purpose of the entire API.
I also could imagine something like getDynamicSizeMul(ProgramStateRef, const MemRegion &, const MemRegion &, SValBuilder &), as it is very common.

May it would make sense to use the API like:

getDynamicSizeWithOffset(State, MR, SVB) {
  Offset = State->getStoreManager().getStaticOffset(MR, SVB);
  ...
}

This idea is similar to MemRegionManager::getStaticSize(MR, SVB). Hopefully no-one needs dynamic offsets.

Thanks for the review! I've update the API as you suggested.

Harbormaster failed remote builds in B53131: Diff 257317!Apr 14 2020, 8:00 AM
martong added a comment.May 5 2020, 6:27 AM

Ping

martong updated this revision to Diff 262095.May 5 2020, 6:39 AM
  • Rebase to master
Harbormaster failed remote builds in B55784: Diff 262095!May 5 2020, 7:31 AM
Szelethus added a comment.May 6 2020, 4:18 AM

I'm not familiar enough with DynamicSize.cpp to judge the changes there, but aside from a few nits, this LGTM.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
249–250

Would an unreachable be appropriate here then?

988

In most places, where we refer to an argument number, we use ArgNo. Is there a reason we don't do that here? Can we enforce greater type safety?

martong updated this revision to Diff 266287.EditedMay 26 2020, 11:59 AM
martong marked 4 inline comments as done.
  • REBASE to master
  • Add assert
  • Create the BufferSize arg constraints in a more readable way

The rebase to master makes a bit hard to see the exact changes in this update. I should have done the rebase in a separate update, sorry about that.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
249–250

Yes, good point, just added that. CallAndMessage is already a dependency, so this must not fire.

988

Yeah, good point, I am going with this:

BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1))));

About type safety: I was thinking about a strong typedef, but we don't actually have a convenient template for that in LLVM. And most of the time here in LLVM people just apply the /*Arg=*/ pythonish form.

martong mentioned this in D77148: [analyzer] ApiModeling: Add buffer size arg constraint with multiplier involved.May 29 2020, 1:31 AM
Szelethus accepted this revision.May 29 2020, 5:02 AM
Szelethus added a subscriber: balazske.

LGTM! I think you could remove the extra parameter, but I don't think this warrants another round of review on my end. However, the dynamic size change seems very unfamiliar to me. @baloghadamsoftware, @balazske, could you take a peek?

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
237

You can retrieve SValBuilder from ProgramState: State->getStateManager().getSValBuilder().

This revision is now accepted and ready to land.May 29 2020, 5:02 AM
martong updated this revision to Diff 267216.May 29 2020, 6:20 AM
martong marked 2 inline comments as done.
  • Remove SValBuilder param
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
237

Thanks!

Harbormaster completed remote builds in B58419: Diff 267216.May 29 2020, 7:34 AM
Closed by commit rGbd03ef19beb8: [analyzer] ApiModeling: Add buffer size arg constraint (authored by martong). · Explain WhyMay 29 2020, 7:34 AM
This revision was automatically updated to reflect the committed changes.
Szelethus added a comment.May 30 2020, 6:16 AM
In D77066#2062849, @martong wrote:
  • Remove SValBuilder param

I failed to emphasize that the point was to remove the new CheckerContext parameters :)

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
15 lines
lib/
StaticAnalyzer/
Checkers/
22 lines
77 lines
Core/
23 lines
test/
Analysis/
27 lines

Diff 267230

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h

Show All 26 LinesDefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR,
SValBuilder &SVB); SValBuilder &SVB);
/// Get the stored element count of the region \p MR. /// Get the stored element count of the region \p MR.
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State,
const MemRegion *MR, const MemRegion *MR,
SValBuilder &SVB, SValBuilder &SVB,
QualType ElementTy); QualType ElementTy);
/// Get the dynamic size for a symbolic value that represents a buffer. If
/// there is an offsetting to the underlying buffer we consider that too.
/// Returns with an SVal that represents the size, this is Unknown if the
/// engine cannot deduce the size.
/// E.g.
/// char buf[3];
/// (buf); // size is 3
/// (buf + 1); // size is 2
/// (buf + 3); // size is 0
/// (buf + 4); // size is -1
///
/// char *bufptr;
/// (bufptr) // size is unknown
SVal getDynamicSizeWithOffset(ProgramStateRef State, const SVal &BufV);
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H #endif // LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H

clang/lib/StaticAnalyzer/Checkers/CheckPlacementNew.cpp

Show First 20 LinesShow All 57 Lines▼ Show 20 Lines BugType SBT{this, "Insufficient storage for placement new",
categories::MemoryError}; categories::MemoryError};
BugType ABT{this, "Bad align storage for placement new", BugType ABT{this, "Bad align storage for placement new",
categories::MemoryError}; categories::MemoryError};
}; };
} // namespace } // namespace
SVal PlacementNewChecker::getExtentSizeOfPlace(const CXXNewExpr *NE, SVal PlacementNewChecker::getExtentSizeOfPlace(const CXXNewExpr *NE,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState();
const Expr *Place = NE->getPlacementArg(0); const Expr *Place = NE->getPlacementArg(0);
return getDynamicSizeWithOffset(C.getState(), C.getSVal(Place));
const MemRegion *MRegion = C.getSVal(Place).getAsRegion();
if (!MRegion)
return UnknownVal();
RegionOffset Offset = MRegion->getAsOffset();
if (Offset.hasSymbolicOffset())
return UnknownVal();
const MemRegion *BaseRegion = MRegion->getBaseRegion();
if (!BaseRegion)
return UnknownVal();
SValBuilder &SvalBuilder = C.getSValBuilder();
NonLoc OffsetInBytes = SvalBuilder.makeArrayIndex(
Offset.getOffset() / C.getASTContext().getCharWidth());
DefinedOrUnknownSVal ExtentInBytes =
getDynamicSize(State, BaseRegion, SvalBuilder);
return SvalBuilder.evalBinOp(State, BinaryOperator::Opcode::BO_Sub,
ExtentInBytes, OffsetInBytes,
SvalBuilder.getArrayIndexType());
} }
SVal PlacementNewChecker::getExtentSizeOfNewTarget(const CXXNewExpr *NE, SVal PlacementNewChecker::getExtentSizeOfNewTarget(const CXXNewExpr *NE,
CheckerContext &C, CheckerContext &C,
bool &IsArray) const { bool &IsArray) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SValBuilder &SvalBuilder = C.getSValBuilder(); SValBuilder &SvalBuilder = C.getSValBuilder();
QualType ElementType = NE->getAllocatedType(); QualType ElementType = NE->getAllocatedType();
▲ Show 20 LinesShow All 241 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 50 Lines▼ Show 20 Lines
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
using namespace clang; using namespace clang;
using namespace clang::ento; using namespace clang::ento;
namespace { namespace {
class StdLibraryFunctionsChecker class StdLibraryFunctionsChecker
: public Checker<check::PreCall, check::PostCall, eval::Call> { : public Checker<check::PreCall, check::PostCall, eval::Call> {
/// Below is a series of typedefs necessary to define function specs. /// Below is a series of typedefs necessary to define function specs.
Show All 36 Linesclass StdLibraryFunctionsChecker
/// arguments. /// arguments.
class ValueConstraint { class ValueConstraint {
public: public:
ValueConstraint(ArgNo ArgN) : ArgN(ArgN) {} ValueConstraint(ArgNo ArgN) : ArgN(ArgN) {}
virtual ~ValueConstraint() {} virtual ~ValueConstraint() {}
/// Apply the effects of the constraint on the given program state. If null /// Apply the effects of the constraint on the given program state. If null
/// is returned then the constraint is not feasible. /// is returned then the constraint is not feasible.
virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary) const = 0; const Summary &Summary,
CheckerContext &C) const = 0;
virtual ValueConstraintPtr negate() const { virtual ValueConstraintPtr negate() const {
llvm_unreachable("Not implemented"); llvm_unreachable("Not implemented");
}; };
ArgNo getArgNo() const { return ArgN; } ArgNo getArgNo() const { return ArgN; }
protected: protected:
ArgNo ArgN; // Argument to which we apply the constraint. ArgNo ArgN; // Argument to which we apply the constraint.
}; };
Show All 18 Lines private:
ProgramStateRef applyAsOutOfRange(ProgramStateRef State, ProgramStateRef applyAsOutOfRange(ProgramStateRef State,
const CallEvent &Call, const CallEvent &Call,
const Summary &Summary) const; const Summary &Summary) const;
ProgramStateRef applyAsWithinRange(ProgramStateRef State, ProgramStateRef applyAsWithinRange(ProgramStateRef State,
const CallEvent &Call, const CallEvent &Call,
const Summary &Summary) const; const Summary &Summary) const;
public: public:
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary) const override { const Summary &Summary,
CheckerContext &C) const override {
switch (Kind) { switch (Kind) {
case OutOfRange: case OutOfRange:
return applyAsOutOfRange(State, Call, Summary); return applyAsOutOfRange(State, Call, Summary);
case WithinRange: case WithinRange:
return applyAsWithinRange(State, Call, Summary); return applyAsWithinRange(State, Call, Summary);
} }
llvm_unreachable("Unknown range kind!"); llvm_unreachable("Unknown range kind!");
} }
Show All 18 Linesclass StdLibraryFunctionsChecker
public: public:
ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode, ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode,
ArgNo OtherArgN) ArgNo OtherArgN)
: ValueConstraint(ArgN), Opcode(Opcode), OtherArgN(OtherArgN) {} : ValueConstraint(ArgN), Opcode(Opcode), OtherArgN(OtherArgN) {}
ArgNo getOtherArgNo() const { return OtherArgN; } ArgNo getOtherArgNo() const { return OtherArgN; }
BinaryOperator::Opcode getOpcode() const { return Opcode; } BinaryOperator::Opcode getOpcode() const { return Opcode; }
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary) const override; const Summary &Summary,
CheckerContext &C) const override;
}; };
class NotNullConstraint : public ValueConstraint { class NotNullConstraint : public ValueConstraint {
using ValueConstraint::ValueConstraint; using ValueConstraint::ValueConstraint;
// This variable has a role when we negate the constraint. // This variable has a role when we negate the constraint.
bool CannotBeNull = true; bool CannotBeNull = true;
public: public:
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary) const override { const Summary &Summary,
CheckerContext &C) const override {
SVal V = getArgSVal(Call, getArgNo()); SVal V = getArgSVal(Call, getArgNo());
if (V.isUndef()) if (V.isUndef())
return State; return State;
DefinedOrUnknownSVal L = V.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal L = V.castAs<DefinedOrUnknownSVal>();
if (!L.getAs<Loc>()) if (!L.getAs<Loc>())
return State; return State;
return State->assume(L, CannotBeNull); return State->assume(L, CannotBeNull);
} }
ValueConstraintPtr negate() const override { ValueConstraintPtr negate() const override {
NotNullConstraint Tmp(*this); NotNullConstraint Tmp(*this);
Tmp.CannotBeNull = !this->CannotBeNull; Tmp.CannotBeNull = !this->CannotBeNull;
return std::make_shared<NotNullConstraint>(Tmp); return std::make_shared<NotNullConstraint>(Tmp);
} }
}; };
// Represents a buffer argument with an additional size argument.
// E.g. the first two arguments here:
// ctime_s(char *buffer, rsize_t bufsz, const time_t *time);
class BufferSizeConstraint : public ValueConstraint {
// The argument which holds the size of the buffer.
ArgNo SizeArgN;
// The operator we use in apply. This is negated in negate().
BinaryOperator::Opcode Op = BO_LE;
public:
BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize)
: ValueConstraint(Buffer), SizeArgN(BufSize) {}
ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary,
CheckerContext &C) const override {
// The buffer argument.
SVal BufV = getArgSVal(Call, getArgNo());
// The size argument.
SVal SizeV = getArgSVal(Call, SizeArgN);
// The dynamic size of the buffer argument, got from the analyzer engine.
SVal BufDynSize = getDynamicSizeWithOffset(State, BufV);
SzelethusUnsubmitted
Done
ReplyInline Actions

You can retrieve SValBuilder from ProgramState: State->getStateManager().getSValBuilder().

Szelethus: You can retrieve `SValBuilder` from `ProgramState`: `State->getStateManager().getSValBuilder()`.
martongAuthorUnsubmitted
Done
ReplyInline Actions

Thanks!

martong: Thanks!
SValBuilder &SvalBuilder = C.getSValBuilder();
SVal Feasible = SvalBuilder.evalBinOp(State, Op, SizeV, BufDynSize,
SvalBuilder.getContext().BoolTy);
if (auto F = Feasible.getAs<DefinedOrUnknownSVal>())
return State->assume(*F, true);
// We can get here only if the size argument or the dynamic size is
// undefined. But the dynamic size should never be undefined, only
// unknown. So, here, the size of the argument is undefined, i.e. we
// cannot apply the constraint. Actually, other checkers like
// CallAndMessage should catch this situation earlier, because we call a
// function with an uninitialized argument.
llvm_unreachable("Size argument or the dynamic size is Undefined");
SzelethusUnsubmitted
Done
ReplyInline Actions

Would an unreachable be appropriate here then?

Szelethus: Would an unreachable be appropriate here then?
martongAuthorUnsubmitted
Done
ReplyInline Actions

Yes, good point, just added that. CallAndMessage is already a dependency, so this must not fire.

martong: Yes, good point, just added that. CallAndMessage is already a dependency, so this must not fire.
}
ValueConstraintPtr negate() const override {
BufferSizeConstraint Tmp(*this);
Tmp.Op = BinaryOperator::negateComparisonOp(Op);
return std::make_shared<BufferSizeConstraint>(Tmp);
martongAuthorUnsubmitted
Done
ReplyInline Actions

Use BinaryOperator::negateComparisonOp

martong: Use BinaryOperator::negateComparisonOp
}
};
/// The complete list of constraints that defines a single branch. /// The complete list of constraints that defines a single branch.
typedef std::vector<ValueConstraintPtr> ConstraintSet; typedef std::vector<ValueConstraintPtr> ConstraintSet;
using ArgTypes = std::vector<QualType>; using ArgTypes = std::vector<QualType>;
using Cases = std::vector<ConstraintSet>; using Cases = std::vector<ConstraintSet>;
/// Includes information about /// Includes information about
/// * function prototype (which is necessary to /// * function prototype (which is necessary to
▲ Show 20 LinesShow All 193 Lines▼ Show 20 Lines for (size_t I = 1; I != E; ++I) {
} }
} }
} }
return State; return State;
} }
ProgramStateRef StdLibraryFunctionsChecker::ComparisonConstraint::apply( ProgramStateRef StdLibraryFunctionsChecker::ComparisonConstraint::apply(
ProgramStateRef State, const CallEvent &Call, ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
const Summary &Summary) const { CheckerContext &C) const {
ProgramStateManager &Mgr = State->getStateManager(); ProgramStateManager &Mgr = State->getStateManager();
SValBuilder &SVB = Mgr.getSValBuilder(); SValBuilder &SVB = Mgr.getSValBuilder();
QualType CondT = SVB.getConditionType(); QualType CondT = SVB.getConditionType();
QualType T = getArgType(Summary, getArgNo()); QualType T = getArgType(Summary, getArgNo());
SVal V = getArgSVal(Call, getArgNo()); SVal V = getArgSVal(Call, getArgNo());
BinaryOperator::Opcode Op = getOpcode(); BinaryOperator::Opcode Op = getOpcode();
Show All 14 Linesvoid StdLibraryFunctionsChecker::checkPreCall(const CallEvent &Call,
if (!FoundSummary) if (!FoundSummary)
return; return;
const Summary &Summary = *FoundSummary; const Summary &Summary = *FoundSummary;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
ProgramStateRef NewState = State; ProgramStateRef NewState = State;
for (const ValueConstraintPtr& VC : Summary.ArgConstraints) { for (const ValueConstraintPtr& VC : Summary.ArgConstraints) {
ProgramStateRef SuccessSt = VC->apply(NewState, Call, Summary); ProgramStateRef SuccessSt = VC->apply(NewState, Call, Summary, C);
ProgramStateRef FailureSt = VC->negate()->apply(NewState, Call, Summary); ProgramStateRef FailureSt = VC->negate()->apply(NewState, Call, Summary, C);
// The argument constraint is not satisfied. // The argument constraint is not satisfied.
if (FailureSt && !SuccessSt) { if (FailureSt && !SuccessSt) {
if (ExplodedNode *N = C.generateErrorNode(NewState)) if (ExplodedNode *N = C.generateErrorNode(NewState))
reportBug(Call, N, C); reportBug(Call, N, C);
break; break;
} else { } else {
// We will apply the constraint even if we cannot reason about the // We will apply the constraint even if we cannot reason about the
// argument. This means both SuccessSt and FailureSt can be true. If we // argument. This means both SuccessSt and FailureSt can be true. If we
Show All 16 Linesvoid StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
// Now apply the constraints. // Now apply the constraints.
const Summary &Summary = *FoundSummary; const Summary &Summary = *FoundSummary;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// Apply case/branch specifications. // Apply case/branch specifications.
for (const auto &VRS : Summary.CaseConstraints) { for (const auto &VRS : Summary.CaseConstraints) {
ProgramStateRef NewState = State; ProgramStateRef NewState = State;
for (const auto &VR: VRS) { for (const auto &VR: VRS) {
NewState = VR->apply(NewState, Call, Summary); NewState = VR->apply(NewState, Call, Summary, C);
if (!NewState) if (!NewState)
break; break;
} }
if (NewState && NewState != State) if (NewState && NewState != State)
C.addTransition(NewState); C.addTransition(NewState);
} }
} }
▲ Show 20 LinesShow All 195 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::initFunctionSummaries(
// //
// Please update the list of functions in the header after editing! // Please update the list of functions in the header after editing!
// Below are helpers functions to create the summaries. // Below are helpers functions to create the summaries.
auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind, auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind,
IntRangeVector Ranges) { IntRangeVector Ranges) {
return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges); return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges);
}; };
auto BufferSize = [](ArgNo BufArgN, ArgNo SizeArgN) {
return std::make_shared<BufferSizeConstraint>(BufArgN, SizeArgN);
};
struct { struct {
auto operator()(RangeKind Kind, IntRangeVector Ranges) { auto operator()(RangeKind Kind, IntRangeVector Ranges) {
return std::make_shared<RangeConstraint>(Ret, Kind, Ranges); return std::make_shared<RangeConstraint>(Ret, Kind, Ranges);
} }
auto operator()(BinaryOperator::Opcode Op, ArgNo OtherArgN) { auto operator()(BinaryOperator::Opcode Op, ArgNo OtherArgN) {
return std::make_shared<ComparisonConstraint>(Ret, Op, OtherArgN); return std::make_shared<ComparisonConstraint>(Ret, Op, OtherArgN);
} }
} ReturnValueCondition; } ReturnValueCondition;
▲ Show 20 LinesShow All 219 Lines▼ Show 20 Lines addToFunctionSummaryMap(
"__defaultparam", "__defaultparam",
Summary(ArgTypes{Irrelevant, IntTy}, RetType{IntTy}, EvalCallAsPure) Summary(ArgTypes{Irrelevant, IntTy}, RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(NotNull(ArgNo(0)))); .ArgConstraint(NotNull(ArgNo(0))));
addToFunctionSummaryMap("__variadic", addToFunctionSummaryMap("__variadic",
Summary(ArgTypes{VoidPtrTy, ConstCharPtrTy}, Summary(ArgTypes{VoidPtrTy, ConstCharPtrTy},
RetType{IntTy}, EvalCallAsPure) RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(1)))); .ArgConstraint(NotNull(ArgNo(1))));
addToFunctionSummaryMap(
"__buf_size_arg_constraint",
Summary(ArgTypes{ConstVoidPtrTy, SizeTy}, RetType{IntTy},
EvalCallAsPure)
SzelethusUnsubmitted
Done
ReplyInline Actions

In most places, where we refer to an argument number, we use ArgNo. Is there a reason we don't do that here? Can we enforce greater type safety?

Szelethus: In most places, where we refer to an argument number, we use `ArgNo`. Is there a reason we…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Yeah, good point, I am going with this:

BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1))));

About type safety: I was thinking about a strong typedef, but we don't actually have a convenient template for that in LLVM. And most of the time here in LLVM people just apply the /*Arg=*/ pythonish form.

martong: Yeah, good point, I am going with this: ``` BufferSize(/*Buffer=*/ArgNo(0)…
.ArgConstraint(
BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1))));
} }
} }
void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) { void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) {
auto *Checker = mgr.registerChecker<StdLibraryFunctionsChecker>(); auto *Checker = mgr.registerChecker<StdLibraryFunctionsChecker>();
Checker->DisplayLoadedSummaries = Checker->DisplayLoadedSummaries =
mgr.getAnalyzerOptions().getCheckerBooleanOption( mgr.getAnalyzerOptions().getCheckerBooleanOption(
Checker, "DisplayLoadedSummaries"); Checker, "DisplayLoadedSummaries");
Show All 19 Lines

clang/lib/StaticAnalyzer/Core/DynamicSize.cpp

Show All 38 Lines SVal ElementSizeV = SVB.makeIntVal(
Ctx.getTypeSizeInChars(ElementTy).getQuantity(), SVB.getArrayIndexType()); Ctx.getTypeSizeInChars(ElementTy).getQuantity(), SVB.getArrayIndexType());
SVal DivisionV = SVal DivisionV =
SVB.evalBinOp(State, BO_Div, Size, ElementSizeV, SVB.getArrayIndexType()); SVB.evalBinOp(State, BO_Div, Size, ElementSizeV, SVB.getArrayIndexType());
return DivisionV.castAs<DefinedOrUnknownSVal>(); return DivisionV.castAs<DefinedOrUnknownSVal>();
} }
SVal getDynamicSizeWithOffset(ProgramStateRef State, const SVal &BufV) {
SValBuilder &SvalBuilder = State->getStateManager().getSValBuilder();
const MemRegion *MRegion = BufV.getAsRegion();
if (!MRegion)
return UnknownVal();
RegionOffset Offset = MRegion->getAsOffset();
if (Offset.hasSymbolicOffset())
return UnknownVal();
const MemRegion *BaseRegion = MRegion->getBaseRegion();
if (!BaseRegion)
return UnknownVal();
NonLoc OffsetInBytes = SvalBuilder.makeArrayIndex(
Offset.getOffset() /
MRegion->getMemRegionManager().getContext().getCharWidth());
DefinedOrUnknownSVal ExtentInBytes =
getDynamicSize(State, BaseRegion, SvalBuilder);
return SvalBuilder.evalBinOp(State, BinaryOperator::Opcode::BO_Sub,
ExtentInBytes, OffsetInBytes,
SvalBuilder.getArrayIndexType());
}
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang

clang/test/Analysis/std-c-library-functions-arg-constraints.c

Show First 20 LinesShow All 116 Lines▼ Show 20 Lines
int __variadic(void *stream, const char *format, ...); int __variadic(void *stream, const char *format, ...);
void test_arg_constraint_on_variadic_fun() { void test_arg_constraint_on_variadic_fun() {
__variadic(0, "%d%d", 1, 2); // \ __variadic(0, "%d%d", 1, 2); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{Function argument constraint is not satisfied}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-warning{{Function argument constraint is not satisfied}} \
// bugpath-note{{Function argument constraint is not satisfied}} // bugpath-note{{Function argument constraint is not satisfied}}
} }
int __buf_size_arg_constraint(const void *, size_t);
void test_buf_size_concrete() {
char buf[3]; // bugpath-note{{'buf' initialized here}}
__buf_size_arg_constraint(buf, 4); // \
// report-warning{{Function argument constraint is not satisfied}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \
// bugpath-note{{Function argument constraint is not satisfied}}
}
void test_buf_size_symbolic(int s) {
char buf[3];
__buf_size_arg_constraint(buf, s);
clang_analyzer_eval(s <= 3); // \
// report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \
// bugpath-note{{'s' is <= 3}}
}
void test_buf_size_symbolic_and_offset(int s) {
char buf[3];
__buf_size_arg_constraint(buf + 1, s);
clang_analyzer_eval(s <= 2); // \
// report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \
// bugpath-note{{'s' is <= 2}}
}