This is an archive of the discontinued LLVM Phabricator instance.

Differential D77410

[analyzer] StdLibraryFunctionsChecker: match signature based on FunctionDecl
ClosedPublic

Authored by martong on Apr 3 2020, 8:37 AM.

Details

Reviewers
NoQ
Szelethus
gamesh411
baloghadamsoftware
Commits
rG8f961399739f: [analyzer] StdLibraryFunctionsChecker: match signature based on FunctionDecl
Summary

Currently we match the summary signature based on the arguments in the CallExpr.
There are a few problems with this approach.

  1. Variadic arguments are handled badly. Consider the below code:
int foo(void *stream, const char *format, ...);
void test_arg_constraint_on_variadic_fun() {
   foo(0, "%d%d", 1, 2); // CallExpr
}

Here the call expression holds 4 arguments, whereas the function declaration
has only 2 ParmVarDecls. So there is no way to create a summary that
matches the call expression, because the discrepancy in the number of
arguments causes a mismatch.

  1. The call expression does not handle the restrict type qualifier. In C99, fwrite's signature is the following:
size_t fwrite(const void *restrict, size_t, size_t, FILE *restrict);

However, in a call expression, like below, the type of the argument does not
have the restrict qualifier.

void test_fread_fwrite(FILE *fp, int *buf) {
  size_t x = fwrite(buf, sizeof(int), 10, fp);
}

The type of the 1st argument in the CallExpr is

PointerType 0x55b7168af2e0 'const void *'
`-QualType 0x55b7168373c1 'const void' const
  `-BuiltinType 0x55b7168373c0 'void'

However, the type in the signature of the FunctionDecl and in the summary map is

QualType 0x55b7168af2e2 'const void *__restrict' __restrict
`-PointerType 0x55b7168af2e0 'const void *'
  `-QualType 0x55b7168373c1 'const void' const
    `-BuiltinType 0x55b7168373c0 'void'

The restrict qualifier is not in the call expression (actually, why would it be?). So, this results in an unmatched signature and the summary is not applied.

The solution is to match the summary against the referened callee
FunctionDecl that we can query from the CallExpr.

Further patches will continue with additional refactoring where I am going to
do a lookup during the checker initialization and the signature match will
happen there. That way, we will not check the signature during every call,
rather we will compare only two FunctionDecl pointers.

Diff Detail

Event Timeline

martong created this revision.Apr 3 2020, 8:37 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 3 2020, 8:37 AM
Herald added subscribers: cfe-commits, ASDenysPetrov, danielkiss and 11 others. · View Herald Transcript
martong edited the summary of this revision. (Show Details)Apr 3 2020, 8:39 AM
martong edited the summary of this revision. (Show Details)
martong edited the summary of this revision. (Show Details)Apr 3 2020, 8:45 AM
Harbormaster failed remote builds in B51650: Diff 254824!Apr 3 2020, 10:15 AM
NoQ accepted this revision.Apr 6 2020, 1:15 AM

Excellent! No objections. It should have absolutely been like that from the start: summaries are of functions, not of call sites.

This revision is now accepted and ready to land.Apr 6 2020, 1:15 AM
balazske added a subscriber: balazske.Apr 6 2020, 1:21 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
552

This assert can be removed, after the previous getCanonicalType call it looks redundant.

Szelethus accepted this revision.Apr 6 2020, 2:39 AM

LGTM! Maybe its worth glancing over the rest of the code (comments in particular) whether anything would be outdated by this change.

martong marked 2 inline comments as done.Apr 6 2020, 8:33 AM
In D77410#1963288, @Szelethus wrote:

LGTM! Maybe its worth glancing over the rest of the code (comments in particular) whether anything would be outdated by this change.

Yeah, seems like the comments are still aligned. Also, I am going to submit the next patch, which will scramble the current structures (and probably the related comments as well).

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
552

Thanks, good catch!

Closed by commit rG8f961399739f: [analyzer] StdLibraryFunctionsChecker: match signature based on FunctionDecl (authored by martong). · Explain WhyApr 6 2020, 8:39 AM
This revision was automatically updated to reflect the committed changes.
martong marked an inline comment as done.
Szelethus mentioned this in D81059: [analyzer] CallDescriptionMap: Support CXXOperatorCallExpr.Jul 2 2020, 9:03 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
46 lines
test/
Analysis/
10 lines
2 lines

Diff 255359

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 262 Lines▼ Show 20 Lines public:
QualType getArgType(ArgNo ArgN) const { QualType getArgType(ArgNo ArgN) const {
QualType T = (ArgN == Ret) ? RetTy : ArgTys[ArgN]; QualType T = (ArgN == Ret) ? RetTy : ArgTys[ArgN];
assertTypeSuitableForSummary(T); assertTypeSuitableForSummary(T);
return T; return T;
} }
/// Try our best to figure out if the call expression is the call of /// Try our best to figure out if the call expression is the call of
/// *the* library function to which this specification applies. /// *the* library function to which this specification applies.
bool matchesCall(const CallExpr *CE) const; bool matchesCall(const FunctionDecl *FD) const;
}; };
// The same function (as in, function identifier) may have different // The same function (as in, function identifier) may have different
// summaries assigned to it, with different argument and return value types. // summaries assigned to it, with different argument and return value types.
// We call these "variants" of the function. This can be useful for handling // We call these "variants" of the function. This can be useful for handling
// C++ function overloads, and also it can be used when the same function // C++ function overloads, and also it can be used when the same function
// may have different definitions on different platforms. // may have different definitions on different platforms.
typedef std::vector<Summary> Summaries; typedef std::vector<Summary> Summaries;
Show All 31 Lines enum CheckKind {
CK_StdCLibraryFunctionsTesterChecker, CK_StdCLibraryFunctionsTesterChecker,
CK_NumCheckKinds CK_NumCheckKinds
}; };
DefaultBool ChecksEnabled[CK_NumCheckKinds]; DefaultBool ChecksEnabled[CK_NumCheckKinds];
CheckerNameRef CheckNames[CK_NumCheckKinds]; CheckerNameRef CheckNames[CK_NumCheckKinds];
private: private:
Optional<Summary> findFunctionSummary(const FunctionDecl *FD, Optional<Summary> findFunctionSummary(const FunctionDecl *FD,
const CallExpr *CE,
CheckerContext &C) const; CheckerContext &C) const;
Optional<Summary> findFunctionSummary(const CallEvent &Call, Optional<Summary> findFunctionSummary(const CallEvent &Call,
CheckerContext &C) const; CheckerContext &C) const;
void initFunctionSummaries(CheckerContext &C) const; void initFunctionSummaries(CheckerContext &C) const;
void reportBug(const CallEvent &Call, ExplodedNode *N, void reportBug(const CallEvent &Call, ExplodedNode *N,
CheckerContext &C) const { CheckerContext &C) const {
▲ Show 20 LinesShow All 199 Lines▼ Show 20 Lines case NoEvalCall:
// Summary tells us to avoid performing eval::Call. The function is possibly // Summary tells us to avoid performing eval::Call. The function is possibly
// evaluated by another checker, or evaluated conservatively. // evaluated by another checker, or evaluated conservatively.
return false; return false;
} }
llvm_unreachable("Unknown invalidation kind!"); llvm_unreachable("Unknown invalidation kind!");
} }
bool StdLibraryFunctionsChecker::Summary::matchesCall( bool StdLibraryFunctionsChecker::Summary::matchesCall(
const CallExpr *CE) const { const FunctionDecl *FD) const {
// Check number of arguments: // Check number of arguments:
if (CE->getNumArgs() != ArgTys.size()) if (FD->param_size() != ArgTys.size())
return false; return false;
// Check return type if relevant: // Check return type if relevant:
if (!RetTy.isNull() && RetTy != CE->getType().getCanonicalType()) if (!RetTy.isNull() && RetTy != FD->getReturnType().getCanonicalType())
return false; return false;
// Check argument types when relevant: // Check argument types when relevant:
for (size_t I = 0, E = ArgTys.size(); I != E; ++I) { for (size_t I = 0, E = ArgTys.size(); I != E; ++I) {
QualType FormalT = ArgTys[I]; QualType FormalT = ArgTys[I];
// Null type marks irrelevant arguments. // Null type marks irrelevant arguments.
if (FormalT.isNull()) if (FormalT.isNull())
continue; continue;
assertTypeSuitableForSummary(FormalT); assertTypeSuitableForSummary(FormalT);
QualType ActualT = StdLibraryFunctionsChecker::getArgType(CE, I); QualType ActualT = FD->getParamDecl(I)->getType().getCanonicalType();
balazskeUnsubmitted
Done
ReplyInline Actions

This assert can be removed, after the previous getCanonicalType call it looks redundant.

balazske: This assert can be removed, after the previous `getCanonicalType` call it looks redundant.
martongAuthorUnsubmitted
Done
ReplyInline Actions

Thanks, good catch!

martong: Thanks, good catch!
assert(ActualT.isCanonical());
if (ActualT != FormalT) if (ActualT != FormalT)
return false; return false;
} }
return true; return true;
} }
Optional<StdLibraryFunctionsChecker::Summary> Optional<StdLibraryFunctionsChecker::Summary>
StdLibraryFunctionsChecker::findFunctionSummary(const FunctionDecl *FD, StdLibraryFunctionsChecker::findFunctionSummary(const FunctionDecl *FD,
const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
// Note: we cannot always obtain FD from CE
// (eg. virtual call, or call by pointer).
assert(CE);
if (!FD) if (!FD)
return None; return None;
initFunctionSummaries(C); initFunctionSummaries(C);
IdentifierInfo *II = FD->getIdentifier(); IdentifierInfo *II = FD->getIdentifier();
if (!II) if (!II)
return None; return None;
StringRef Name = II->getName(); StringRef Name = II->getName();
if (Name.empty() || !C.isCLibraryFunction(FD, Name)) if (Name.empty() || !C.isCLibraryFunction(FD, Name))
return None; return None;
auto FSMI = FunctionSummaryMap.find(Name); auto FSMI = FunctionSummaryMap.find(Name);
if (FSMI == FunctionSummaryMap.end()) if (FSMI == FunctionSummaryMap.end())
return None; return None;
// Verify that function signature matches the spec in advance. // Verify that function signature matches the spec in advance.
// Otherwise we might be modeling the wrong function. // Otherwise we might be modeling the wrong function.
// Strict checking is important because we will be conducting // Strict checking is important because we will be conducting
// very integral-type-sensitive operations on arguments and // very integral-type-sensitive operations on arguments and
// return values. // return values.
const Summaries &SpecVariants = FSMI->second; const Summaries &SpecVariants = FSMI->second;
for (const Summary &Spec : SpecVariants) for (const Summary &Spec : SpecVariants)
if (Spec.matchesCall(CE)) if (Spec.matchesCall(FD))
return Spec; return Spec;
return None; return None;
} }
Optional<StdLibraryFunctionsChecker::Summary> Optional<StdLibraryFunctionsChecker::Summary>
StdLibraryFunctionsChecker::findFunctionSummary(const CallEvent &Call, StdLibraryFunctionsChecker::findFunctionSummary(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl()); const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (!FD) if (!FD)
return None; return None;
const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()); return findFunctionSummary(FD, C);
if (!CE)
return None;
return findFunctionSummary(FD, CE, C);
} }
void StdLibraryFunctionsChecker::initFunctionSummaries( void StdLibraryFunctionsChecker::initFunctionSummaries(
CheckerContext &C) const { CheckerContext &C) const {
if (!FunctionSummaryMap.empty()) if (!FunctionSummaryMap.empty())
return; return;
SValBuilder &SVB = C.getSValBuilder(); SValBuilder &SVB = C.getSValBuilder();
BasicValueFactory &BVF = SVB.getBasicValueFactory(); BasicValueFactory &BVF = SVB.getBasicValueFactory();
const ASTContext &ACtx = BVF.getContext(); const ASTContext &ACtx = BVF.getContext();
// These types are useful for writing specifications quickly, // These types are useful for writing specifications quickly,
// New specifications should probably introduce more types. // New specifications should probably introduce more types.
// Some types are hard to obtain from the AST, eg. "ssize_t". // Some types are hard to obtain from the AST, eg. "ssize_t".
// In such cases it should be possible to provide multiple variants // In such cases it should be possible to provide multiple variants
// of function summary for common cases (eg. ssize_t could be int or long // of function summary for common cases (eg. ssize_t could be int or long
// or long long, so three summary variants would be enough). // or long long, so three summary variants would be enough).
// Of course, function variants are also useful for C++ overloads. // Of course, function variants are also useful for C++ overloads.
const QualType const QualType
Irrelevant{}; // A placeholder, whenever we do not care about the type. Irrelevant{}; // A placeholder, whenever we do not care about the type.
const QualType IntTy = ACtx.IntTy; const QualType IntTy = ACtx.IntTy;
const QualType LongTy = ACtx.LongTy; const QualType LongTy = ACtx.LongTy;
const QualType LongLongTy = ACtx.LongLongTy; const QualType LongLongTy = ACtx.LongLongTy;
const QualType SizeTy = ACtx.getSizeType(); const QualType SizeTy = ACtx.getSizeType();
const QualType VoidPtrTy = ACtx.VoidPtrTy; // void *T const QualType VoidPtrTy = ACtx.VoidPtrTy; // void *
const QualType VoidPtrRestrictTy =
ACtx.getRestrictType(VoidPtrTy); // void *restrict
const QualType ConstVoidPtrTy = const QualType ConstVoidPtrTy =
ACtx.getPointerType(ACtx.VoidTy.withConst()); // const void *T ACtx.getPointerType(ACtx.VoidTy.withConst()); // const void *
const QualType ConstCharPtrTy =
ACtx.getPointerType(ACtx.CharTy.withConst()); // const char *
const QualType ConstVoidPtrRestrictTy =
ACtx.getRestrictType(ConstVoidPtrTy); // const void *restrict
const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue(); const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue();
const RangeInt LongMax = BVF.getMaxValue(LongTy).getLimitedValue(); const RangeInt LongMax = BVF.getMaxValue(LongTy).getLimitedValue();
const RangeInt LongLongMax = BVF.getMaxValue(LongLongTy).getLimitedValue(); const RangeInt LongLongMax = BVF.getMaxValue(LongLongTy).getLimitedValue();
// Set UCharRangeMax to min of int or uchar maximum value. // Set UCharRangeMax to min of int or uchar maximum value.
// The C standard states that the arguments of functions like isalpha must // The C standard states that the arguments of functions like isalpha must
// be representable as an unsigned char. Their type is 'int', so the max // be representable as an unsigned char. Their type is 'int', so the max
▲ Show 20 LinesShow All 72 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::initFunctionSummaries(
}; };
auto Read = [&](RetType R, RangeInt Max) { auto Read = [&](RetType R, RangeInt Max) {
return Summary(ArgTypes{Irrelevant, Irrelevant, SizeTy}, RetType{R}, return Summary(ArgTypes{Irrelevant, Irrelevant, SizeTy}, RetType{R},
NoEvalCall) NoEvalCall)
.Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
ReturnValueCondition(WithinRange, Range(-1, Max))}); ReturnValueCondition(WithinRange, Range(-1, Max))});
}; };
auto Fread = [&]() { auto Fread = [&]() {
return Summary(ArgTypes{VoidPtrTy, Irrelevant, SizeTy, Irrelevant}, return Summary(ArgTypes{VoidPtrRestrictTy, Irrelevant, SizeTy, Irrelevant},
RetType{SizeTy}, NoEvalCall) RetType{SizeTy}, NoEvalCall)
.Case({ .Case({
ReturnValueCondition(LessThanOrEq, ArgNo(2)), ReturnValueCondition(LessThanOrEq, ArgNo(2)),
}) })
.ArgConstraint(NotNull(ArgNo(0))); .ArgConstraint(NotNull(ArgNo(0)));
}; };
auto Fwrite = [&]() { auto Fwrite = [&]() {
return Summary(ArgTypes{ConstVoidPtrTy, Irrelevant, SizeTy, Irrelevant}, return Summary(
ArgTypes{ConstVoidPtrRestrictTy, Irrelevant, SizeTy, Irrelevant},
RetType{SizeTy}, NoEvalCall) RetType{SizeTy}, NoEvalCall)
.Case({ .Case({
ReturnValueCondition(LessThanOrEq, ArgNo(2)), ReturnValueCondition(LessThanOrEq, ArgNo(2)),
}) })
.ArgConstraint(NotNull(ArgNo(0))); .ArgConstraint(NotNull(ArgNo(0)));
}; };
auto Getline = [&](RetType R, RangeInt Max) { auto Getline = [&](RetType R, RangeInt Max) {
return Summary(ArgTypes{Irrelevant, Irrelevant, Irrelevant}, RetType{R}, return Summary(ArgTypes{Irrelevant, Irrelevant, Irrelevant}, RetType{R},
NoEvalCall) NoEvalCall)
▲ Show 20 LinesShow All 216 Lines▼ Show 20 Lines llvm::StringMap<Summaries> TestFunctionSummaryMap = {
Summaries{Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure) Summaries{Summary(ArgTypes{IntTy}, RetType{IntTy}, EvalCallAsPure)
.ArgConstraint( .ArgConstraint(
ArgumentCondition(0U, OutOfRange, SingleValue(1))) ArgumentCondition(0U, OutOfRange, SingleValue(1)))
.ArgConstraint( .ArgConstraint(
ArgumentCondition(0U, OutOfRange, SingleValue(2)))}}, ArgumentCondition(0U, OutOfRange, SingleValue(2)))}},
{"__defaultparam", Summaries{Summary(ArgTypes{Irrelevant, IntTy}, {"__defaultparam", Summaries{Summary(ArgTypes{Irrelevant, IntTy},
RetType{IntTy}, EvalCallAsPure) RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(NotNull(ArgNo(0)))}}, .ArgConstraint(NotNull(ArgNo(0)))}},
}; {"__variadic", Summaries{Summary(ArgTypes{VoidPtrTy, ConstCharPtrTy},
RetType{IntTy}, EvalCallAsPure)
.ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(NotNull(ArgNo(1)))}}};
for (auto &E : TestFunctionSummaryMap) { for (auto &E : TestFunctionSummaryMap) {
auto InsertRes = auto InsertRes =
FunctionSummaryMap.insert({std::string(E.getKey()), E.getValue()}); FunctionSummaryMap.insert({std::string(E.getKey()), E.getValue()});
assert(InsertRes.second && assert(InsertRes.second &&
"Test functions must not clash with modeled functions"); "Test functions must not clash with modeled functions");
(void)InsertRes; (void)InsertRes;
} }
} }
Show All 23 Lines

clang/test/Analysis/std-c-library-functions-arg-constraints.c

Show First 20 LinesShow All 58 Lines▼ Show 20 Lines if (x > 255) { // \
// bugpath-note{{Function argument constraint is not satisfied}} // bugpath-note{{Function argument constraint is not satisfied}}
(void)ret; (void)ret;
} }
} }
typedef struct FILE FILE; typedef struct FILE FILE;
typedef typeof(sizeof(int)) size_t; typedef typeof(sizeof(int)) size_t;
size_t fread(void *, size_t, size_t, FILE *); size_t fread(void *restrict, size_t, size_t, FILE *);
void test_notnull_concrete(FILE *fp) { void test_notnull_concrete(FILE *fp) {
fread(0, sizeof(int), 10, fp); // \ fread(0, sizeof(int), 10, fp); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{Function argument constraint is not satisfied}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-warning{{Function argument constraint is not satisfied}} \
// bugpath-note{{Function argument constraint is not satisfied}} // bugpath-note{{Function argument constraint is not satisfied}}
} }
void test_notnull_symbolic(FILE *fp, int *buf) { void test_notnull_symbolic(FILE *fp, int *buf) {
fread(buf, sizeof(int), 10, fp); fread(buf, sizeof(int), 10, fp);
Show All 33 Linesvoid test_multiple_constraints_on_same_arg(int x) {
// Check that both constraints are applied and only one branch is there. // Check that both constraints are applied and only one branch is there.
clang_analyzer_eval(x < 1 || x > 2); // \ clang_analyzer_eval(x < 1 || x > 2); // \
// report-warning{{TRUE}} \ // report-warning{{TRUE}} \
// bugpath-warning{{TRUE}} \ // bugpath-warning{{TRUE}} \
// bugpath-note{{TRUE}} \ // bugpath-note{{TRUE}} \
// bugpath-note{{Assuming 'x' is < 1}} \ // bugpath-note{{Assuming 'x' is < 1}} \
// bugpath-note{{Left side of '||' is true}} // bugpath-note{{Left side of '||' is true}}
} }
int __variadic(void *stream, const char *format, ...);
void test_arg_constraint_on_variadic_fun() {
__variadic(0, "%d%d", 1, 2); // \
// report-warning{{Function argument constraint is not satisfied}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \
// bugpath-note{{Function argument constraint is not satisfied}}
}

clang/test/Analysis/std-c-library-functions.c

Show First 20 LinesShow All 69 Lines▼ Show 20 Lines if (y >= 0) {
// -1 overflows on promotion! // -1 overflows on promotion!
clang_analyzer_eval(y <= sizeof(glob)); // expected-warning{{FALSE}} clang_analyzer_eval(y <= sizeof(glob)); // expected-warning{{FALSE}}
} }
} else { } else {
clang_analyzer_eval(x == -1); // expected-warning{{TRUE}} clang_analyzer_eval(x == -1); // expected-warning{{TRUE}}
} }
} }
size_t fread(void *, size_t, size_t, FILE *); size_t fread(void *restrict, size_t, size_t, FILE *);
size_t fwrite(const void *restrict, size_t, size_t, FILE *restrict); size_t fwrite(const void *restrict, size_t, size_t, FILE *restrict);
void test_fread_fwrite(FILE *fp, int *buf) { void test_fread_fwrite(FILE *fp, int *buf) {
size_t x = fwrite(buf, sizeof(int), 10, fp); size_t x = fwrite(buf, sizeof(int), 10, fp);
clang_analyzer_eval(x <= 10); // expected-warning{{TRUE}} clang_analyzer_eval(x <= 10); // expected-warning{{TRUE}}
size_t y = fread(buf, sizeof(int), 10, fp); size_t y = fread(buf, sizeof(int), 10, fp);
clang_analyzer_eval(y <= 10); // expected-warning{{TRUE}} clang_analyzer_eval(y <= 10); // expected-warning{{TRUE}}
▲ Show 20 LinesShow All 138 LinesShow Last 20 Lines