This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
8/11
StdLibraryFunctionsChecker.cpp
-
test/Analysis/
-
Analysis/
2/2
std-c-library-functions-arg-constraints.c

Differential D77148

[analyzer] ApiModeling: Add buffer size arg constraint with multiplier involved
ClosedPublic

Authored by martong on Mar 31 2020, 8:44 AM.

Download Raw Diff

Details

Reviewers

Szelethus
NoQ
steakhal

Commits

rG41928c97b6a1: [analyzer] ApiModeling: Add buffer size arg constraint with multiplier involved

Summary

Further develop the buffer size argumentum constraint so it can handle sizes
that we can get by multiplying two variables.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

martong created this revision.Mar 31 2020, 8:44 AM

Herald added a project: Restricted Project. · View Herald TranscriptMar 31 2020, 8:44 AM

Herald added subscribers: cfe-commits, ASDenysPetrov, Charusso and 10 others. · View Herald Transcript

martong added a parent revision: D77066: [analyzer] ApiModeling: Add buffer size arg constraint.Mar 31 2020, 8:44 AM

Harbormaster failed remote builds in B51140: Diff 253899!Mar 31 2020, 8:53 AM

balazske added a subscriber: balazske.Apr 1 2020, 5:57 AM

balazske added inline comments.

clang/test/Analysis/std-c-library-functions-arg-constraints.c
163	`s <= 3` is better here? We know that the buffer has space for 3 short's. But it is better to assume nothing about `sizeof(short)`.

martong marked 2 inline comments as done.Apr 1 2020, 7:16 AM

martong added inline comments.

clang/test/Analysis/std-c-library-functions-arg-constraints.c
163	That would have been better if the range based constraint solver was able to solve the in-equation to `s`. So, even though the analyzer knows that `s * 2 <= 6` it cannot reason about `s` itself. This is the limitation of the solver. I believe @baloghadamsoftware has a few patches that directs this deficiency: D49074 and D50256

Szelethus added inline comments.Apr 15 2020, 3:52 AM

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
231–239	I don't know, these constructors don't look overly talkative.
986	So this is supposed to mean that the 1st argument has the size of the argument of 2nd argument times the 3rd argument? Unlike the other summaries, this feels a bit cryptic. Something like this might look better: .ArgConstraint(0, BufferSize(/BufSize/1, /BufSizeMultiplier/)) .ArgConstraint(BufferSize(/Buffer/0, /BufSize/1, /BufSizeMultiplier/2)) .ArgConstraint(0, BufferSizeMul(1, 2)) WDYT?

Rebase to latest parent patch
Create BufSize constraints in a more descriptive way

martong marked 3 inline comments as done.May 5 2020, 6:51 AM

martong added inline comments.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
231–239	Yeah, renamed the params a bit.
986	Ok, I updated with the 2nd option. :)

Harbormaster failed remote builds in B55786: Diff 262098!May 5 2020, 7:31 AM

LGTM!

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
225	fread-like
986	Very well!

This revision is now accepted and ready to land.May 5 2020, 9:38 AM

martong added a child revision: D79432: [analyzer] StdLibraryFunctionsChecker: Add summaries for libc.May 5 2020, 10:15 AM

martong added a child revision: D79433: [analyzer] StdLibraryFunctionsChecker: Add summaries for POSIX.May 5 2020, 10:32 AM

Overall looks good to me, I have one question inline.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1008	Why do we need these test functions? Above I saw `fread` as an example that requires this capability. Wouldn't it be better to make its summary utilize the new feature and use `fread` in tests? Do I miss something?

martong marked 3 inline comments as done.May 26 2020, 9:09 AM

martong added inline comments.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1008	Yeah, we could test that with `fread`. However, in `fread` there are multiple argument constraints for the different args. I wanted a test function which has this arg constraint in an isolation. In my opinion it is good to have small isolated unit tests that test only one functionality. Also if we decide to remove or modify `fread`s summary for any reason, then we should modify this test too, on the other hand, with this test function it is not a problem.

xazax.hun added inline comments.May 26 2020, 9:36 AM

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1008	I see. The plan in the future is to split this checker up a bit. In this case I'd like to have these test functions in a separate test checker. Until then I'm fine with a FIXME/TODO.

martong marked 3 inline comments as done.May 26 2020, 9:47 AM

martong added inline comments.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1008	They are already enabled only if a test checker is enabled, check out the enclosing `if` of this block: if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {

xazax.hun added inline comments.May 26 2020, 9:51 AM

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
1008	Oh, sorry, my bad :)

Rebase to D77066

Harbormaster failed remote builds in B58386: Diff 267141!May 29 2020, 2:41 AM

Closed by commit rG41928c97b6a1: [analyzer] ApiModeling: Add buffer size arg constraint with multiplier involved (authored by martong). · Explain WhyMay 29 2020, 7:35 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Checkers/

StdLibraryFunctionsChecker.cpp

29 lines

test/

Analysis/

std-c-library-functions-arg-constraints.c

24 lines

Diff 267232

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 Lines • Show All 209 Lines • ▼ Show 20 Lines	ValueConstraintPtr negate() const override {
Tmp.CannotBeNull = !this->CannotBeNull;		Tmp.CannotBeNull = !this->CannotBeNull;
return std::make_shared<NotNullConstraint>(Tmp);		return std::make_shared<NotNullConstraint>(Tmp);
}		}
};		};

// Represents a buffer argument with an additional size argument.		// Represents a buffer argument with an additional size argument.
// E.g. the first two arguments here:		// E.g. the first two arguments here:
// ctime_s(char buffer, rsize_t bufsz, const time_t time);		// ctime_s(char buffer, rsize_t bufsz, const time_t time);
		// Another example:
		// size_t fread(void ptr, size_t size, size_t nmemb, FILE stream);
		// // Here, ptr is the buffer, and its minimum size is `size * nmemb`.
class BufferSizeConstraint : public ValueConstraint {		class BufferSizeConstraint : public ValueConstraint {
// The argument which holds the size of the buffer.		// The argument which holds the size of the buffer.
ArgNo SizeArgN;		ArgNo SizeArgN;
		// The argument which is a multiplier to size. This is set in case of
		// `fread` like functions where the size is computed as a multiplication of
		SzelethusUnsubmitted Not Done Reply Inline Actions fread-like Szelethus: fread-like
		// two arguments.
		llvm::Optional<ArgNo> SizeMultiplierArgN;
// The operator we use in apply. This is negated in negate().		// The operator we use in apply. This is negated in negate().
BinaryOperator::Opcode Op = BO_LE;		BinaryOperator::Opcode Op = BO_LE;

public:		public:
BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize)		BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize)
: ValueConstraint(Buffer), SizeArgN(BufSize) {}		: ValueConstraint(Buffer), SizeArgN(BufSize) {}

		BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize, ArgNo BufSizeMultiplier)
		: ValueConstraint(Buffer), SizeArgN(BufSize),
		SizeMultiplierArgN(BufSizeMultiplier) {}

ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,		ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
		SzelethusUnsubmitted Done Reply Inline Actions I don't know, these constructors don't look overly talkative. Szelethus: I don't know, these constructors don't look overly talkative.
		martongAuthorUnsubmitted Done Reply Inline Actions Yeah, renamed the params a bit. martong: Yeah, renamed the params a bit.
const Summary &Summary,		const Summary &Summary,
CheckerContext &C) const override {		CheckerContext &C) const override {
		SValBuilder &SvalBuilder = C.getSValBuilder();
// The buffer argument.		// The buffer argument.
SVal BufV = getArgSVal(Call, getArgNo());		SVal BufV = getArgSVal(Call, getArgNo());
// The size argument.		// The size argument.
SVal SizeV = getArgSVal(Call, SizeArgN);		SVal SizeV = getArgSVal(Call, SizeArgN);
		// Multiply with another argument if given.
		if (SizeMultiplierArgN) {
		SVal SizeMulV = getArgSVal(Call, *SizeMultiplierArgN);
		SizeV = SvalBuilder.evalBinOp(State, BO_Mul, SizeV, SizeMulV,
		Summary.getArgType(SizeArgN));
		}
// The dynamic size of the buffer argument, got from the analyzer engine.		// The dynamic size of the buffer argument, got from the analyzer engine.
SVal BufDynSize = getDynamicSizeWithOffset(State, BufV);		SVal BufDynSize = getDynamicSizeWithOffset(State, BufV);

SValBuilder &SvalBuilder = C.getSValBuilder();
SVal Feasible = SvalBuilder.evalBinOp(State, Op, SizeV, BufDynSize,		SVal Feasible = SvalBuilder.evalBinOp(State, Op, SizeV, BufDynSize,
SvalBuilder.getContext().BoolTy);		SvalBuilder.getContext().BoolTy);
if (auto F = Feasible.getAs<DefinedOrUnknownSVal>())		if (auto F = Feasible.getAs<DefinedOrUnknownSVal>())
return State->assume(*F, true);		return State->assume(*F, true);

// We can get here only if the size argument or the dynamic size is		// We can get here only if the size argument or the dynamic size is
// undefined. But the dynamic size should never be undefined, only		// undefined. But the dynamic size should never be undefined, only
// unknown. So, here, the size of the argument is undefined, i.e. we		// unknown. So, here, the size of the argument is undefined, i.e. we
▲ Show 20 Lines • Show All 492 Lines • ▼ Show 20 Lines	void StdLibraryFunctionsChecker::initFunctionSummaries(
//		//
// Please update the list of functions in the header after editing!		// Please update the list of functions in the header after editing!

// Below are helpers functions to create the summaries.		// Below are helpers functions to create the summaries.
auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind,		auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind,
IntRangeVector Ranges) {		IntRangeVector Ranges) {
return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges);		return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges);
};		};
auto BufferSize = [](ArgNo BufArgN, ArgNo SizeArgN) {		auto BufferSize = [](auto... Args) {
return std::make_shared<BufferSizeConstraint>(BufArgN, SizeArgN);		return std::make_shared<BufferSizeConstraint>(Args...);
};		};
struct {		struct {
auto operator()(RangeKind Kind, IntRangeVector Ranges) {		auto operator()(RangeKind Kind, IntRangeVector Ranges) {
return std::make_shared<RangeConstraint>(Ret, Kind, Ranges);		return std::make_shared<RangeConstraint>(Ret, Kind, Ranges);
}		}
auto operator()(BinaryOperator::Opcode Op, ArgNo OtherArgN) {		auto operator()(BinaryOperator::Opcode Op, ArgNo OtherArgN) {
return std::make_shared<ComparisonConstraint>(Ret, Op, OtherArgN);		return std::make_shared<ComparisonConstraint>(Ret, Op, OtherArgN);
}		}
▲ Show 20 Lines • Show All 204 Lines • ▼ Show 20 Lines	addToFunctionSummaryMap("getdelim",
{Getline(IntTy, IntMax), Getline(LongTy, LongMax),		{Getline(IntTy, IntMax), Getline(LongTy, LongMax),
Getline(LongLongTy, LongLongMax)});		Getline(LongLongTy, LongLongMax)});

// Functions for testing.		// Functions for testing.
if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {		if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {
addToFunctionSummaryMap(		addToFunctionSummaryMap(
"__two_constrained_args",		"__two_constrained_args",
Summary(ArgTypes{IntTy, IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy, IntTy}, RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))		.ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))
		SzelethusUnsubmitted Done Reply Inline Actions So this is supposed to mean that the 1st argument has the size of the argument of 2nd argument times the 3rd argument? Unlike the other summaries, this feels a bit cryptic. Something like this might look better: .ArgConstraint(0, BufferSize(/BufSize/1, /BufSizeMultiplier/)) .ArgConstraint(BufferSize(/Buffer/0, /BufSize/1, /BufSizeMultiplier/2)) .ArgConstraint(0, BufferSizeMul(1, 2)) WDYT? Szelethus: So this is supposed to mean that the 1st argument has the size of the argument of 2nd argument…
		martongAuthorUnsubmitted Done Reply Inline Actions Ok, I updated with the 2nd option. :) martong: Ok, I updated with the 2nd option. :)
		SzelethusUnsubmitted Not Done Reply Inline Actions Very well! Szelethus: Very well!
.ArgConstraint(ArgumentCondition(1U, WithinRange, SingleValue(1))));		.ArgConstraint(ArgumentCondition(1U, WithinRange, SingleValue(1))));
addToFunctionSummaryMap(		addToFunctionSummaryMap(
"__arg_constrained_twice",		"__arg_constrained_twice",
Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1)))		.ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1)))
.ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(2))));		.ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(2))));
addToFunctionSummaryMap(		addToFunctionSummaryMap(
"__defaultparam",		"__defaultparam",
Summary(ArgTypes{Irrelevant, IntTy}, RetType{IntTy}, EvalCallAsPure)		Summary(ArgTypes{Irrelevant, IntTy}, RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(NotNull(ArgNo(0))));		.ArgConstraint(NotNull(ArgNo(0))));
addToFunctionSummaryMap("__variadic",		addToFunctionSummaryMap("__variadic",
Summary(ArgTypes{VoidPtrTy, ConstCharPtrTy},		Summary(ArgTypes{VoidPtrTy, ConstCharPtrTy},
RetType{IntTy}, EvalCallAsPure)		RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(NotNull(ArgNo(0)))		.ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(1))));		.ArgConstraint(NotNull(ArgNo(1))));
addToFunctionSummaryMap(		addToFunctionSummaryMap(
"__buf_size_arg_constraint",		"__buf_size_arg_constraint",
Summary(ArgTypes{ConstVoidPtrTy, SizeTy}, RetType{IntTy},		Summary(ArgTypes{ConstVoidPtrTy, SizeTy}, RetType{IntTy},
EvalCallAsPure)		EvalCallAsPure)
.ArgConstraint(		.ArgConstraint(
BufferSize(/Buffer=/ArgNo(0), /BufSize=/ArgNo(1))));		BufferSize(/Buffer=/ArgNo(0), /BufSize=/ArgNo(1))));
		addToFunctionSummaryMap(
		xazax.hunUnsubmitted Done Reply Inline Actions Why do we need these test functions? Above I saw `fread` as an example that requires this capability. Wouldn't it be better to make its summary utilize the new feature and use `fread` in tests? Do I miss something? xazax.hun: Why do we need these test functions? Above I saw `fread` as an example that requires this…
		martongAuthorUnsubmitted Done Reply Inline Actions Yeah, we could test that with `fread`. However, in `fread` there are multiple argument constraints for the different args. I wanted a test function which has this arg constraint in an isolation. In my opinion it is good to have small isolated unit tests that test only one functionality. Also if we decide to remove or modify `fread`s summary for any reason, then we should modify this test too, on the other hand, with this test function it is not a problem. martong: Yeah, we could test that with `fread`. However, in `fread` there are multiple argument…
		xazax.hunUnsubmitted Done Reply Inline Actions I see. The plan in the future is to split this checker up a bit. In this case I'd like to have these test functions in a separate test checker. Until then I'm fine with a FIXME/TODO. xazax.hun: I see. The plan in the future is to split this checker up a bit. In this case I'd like to have…
		martongAuthorUnsubmitted Done Reply Inline Actions They are already enabled only if a test checker is enabled, check out the enclosing `if` of this block: if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) { martong: They are already enabled only if a test checker is enabled, check out the enclosing `if` of…
		xazax.hunUnsubmitted Not Done Reply Inline Actions Oh, sorry, my bad :) xazax.hun: Oh, sorry, my bad :)
		"__buf_size_arg_constraint_mul",
		Summary(ArgTypes{ConstVoidPtrTy, SizeTy, SizeTy}, RetType{IntTy},
		EvalCallAsPure)
		.ArgConstraint(BufferSize(/Buffer=/ArgNo(0), /BufSize=/ArgNo(1),
		/BufSizeMultiplier=/ArgNo(2))));
}		}
}		}

void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) {		void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) {
auto *Checker = mgr.registerChecker<StdLibraryFunctionsChecker>();		auto *Checker = mgr.registerChecker<StdLibraryFunctionsChecker>();
Checker->DisplayLoadedSummaries =		Checker->DisplayLoadedSummaries =
mgr.getAnalyzerOptions().getCheckerBooleanOption(		mgr.getAnalyzerOptions().getCheckerBooleanOption(
Checker, "DisplayLoadedSummaries");		Checker, "DisplayLoadedSummaries");
Show All 19 Lines

clang/test/Analysis/std-c-library-functions-arg-constraints.c

Show First 20 Lines • Show All 143 Lines • ▼ Show 20 Lines	void test_buf_size_symbolic_and_offset(int s) {
char buf[3];		char buf[3];
__buf_size_arg_constraint(buf + 1, s);		__buf_size_arg_constraint(buf + 1, s);
clang_analyzer_eval(s <= 2); // \		clang_analyzer_eval(s <= 2); // \
// report-warning{{TRUE}} \		// report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \		// bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \		// bugpath-note{{TRUE}} \
// bugpath-note{{'s' is <= 2}}		// bugpath-note{{'s' is <= 2}}
}		}
		int __buf_size_arg_constraint_mul(const void *, size_t, size_t);
		void test_buf_size_concrete_with_multiplication() {
		short buf[3]; // bugpath-note{{'buf' initialized here}}
		__buf_size_arg_constraint_mul(buf, 4, sizeof(short)); // \
		// report-warning{{Function argument constraint is not satisfied}} \
		// bugpath-warning{{Function argument constraint is not satisfied}} \
		// bugpath-note{{Function argument constraint is not satisfied}}
		}
		void test_buf_size_symbolic_with_multiplication(size_t s) {
		short buf[3];
		__buf_size_arg_constraint_mul(buf, s, sizeof(short));
		clang_analyzer_eval(s * sizeof(short) <= 6); // \
		balazskeUnsubmitted Done Reply Inline Actions `s <= 3` is better here? We know that the buffer has space for 3 short's. But it is better to assume nothing about `sizeof(short)`. balazske: `s <= 3` is better here? We know that the buffer has space for 3 short's. But it is better to…
		martongAuthorUnsubmitted Done Reply Inline Actions That would have been better if the range based constraint solver was able to solve the in-equation to `s`. So, even though the analyzer knows that `s * 2 <= 6` it cannot reason about `s` itself. This is the limitation of the solver. I believe @baloghadamsoftware has a few patches that directs this deficiency: D49074 and D50256 martong: That would have been better if the range based constraint solver was able to solve the in…
		// report-warning{{TRUE}} \
		// bugpath-warning{{TRUE}} \
		// bugpath-note{{TRUE}}
		}
		void test_buf_size_symbolic_and_offset_with_multiplication(size_t s) {
		short buf[3];
		__buf_size_arg_constraint_mul(buf + 1, s, sizeof(short));
		clang_analyzer_eval(s * sizeof(short) <= 4); // \
		// report-warning{{TRUE}} \
		// bugpath-warning{{TRUE}} \
		// bugpath-note{{TRUE}}
		}

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer] ApiModeling: Add buffer size arg constraint with multiplier involvedClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 267232

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

clang/test/Analysis/std-c-library-functions-arg-constraints.c

[analyzer] ApiModeling: Add buffer size arg constraint with multiplier involved
ClosedPublic