This is an archive of the discontinued LLVM Phabricator instance.

Differential D77658

[analyzer] StdLibraryFunctionsChecker: Add sanity checks for constraints
ClosedPublic

Authored by martong on Apr 7 2020, 9:06 AM.

Details

Reviewers
NoQ
Szelethus
balazske
Commits
rG16506d789084: [analyzer] StdLibraryFunctionsChecker: Add sanity checks for constraints
Summary

Once we found a matching FunctionDecl for the given summary then we
validate the given constraints against that FunctionDecl. E.g. we
validate that a NotNull constraint is applied only on arguments that
have pointer types.

This is needed because when we matched the signature of the summary we
were working with incomplete function types, i.e. some intricate type
could have been marked as Irrelevant in the signature.

Diff Detail

Event Timeline

martong created this revision.Apr 7 2020, 9:06 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 7 2020, 9:06 AM
Herald added subscribers: cfe-commits, ASDenysPetrov, steakhal and 11 others. · View Herald Transcript
martong added a parent revision: D77641: [analyzer] StdLibraryFunctionsChecker: Associate summaries to FunctionDecls.Apr 7 2020, 9:06 AM
Harbormaster failed remote builds in B52167: Diff 255696!Apr 7 2020, 9:45 AM
balazske added inline comments.Apr 8 2020, 2:33 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
116

Is it possible to have the validate on the signature (not function decl)? Because the function decl (where the rule is applied) should match the signature already. For example, if the signature contains an irrelevant type it is not good to have a rule that expects a void* at that place. After these rules are validated with the signature, they should be applicable on a (any) function that matches the signature.

411

So this is a check to be used at debug build only to check for programming errors?
It could be better to separate this task from setting the FD itself. Or this function can be called setFD and contain a validation if in debug mode (or always). Probably it is better to do the validation always to filter out unexpected found functions (if some unusual API is encountered).

martong marked 2 inline comments as done.Apr 8 2020, 9:25 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
116

void* would not be a problem. However, there are more intricate pointer types like FILE *. To get that type from the ASTContext we'd have to do another lookup for "FILE" which would complicate things. So, rather we mark that as Irrelevant in the signature. That's what we do in case of fread for instance. And after lookup we will have the concrete type in our hands, and that is the moment where we can do all the validation.

Perhaps we could alternatively have different kind of Irrelevant types like IrrelevantPtr, etc. But we'd forget to enumerate all of them.

411

The goal here is to avoid inadvertently adding a summary to a wrong function. This is all because of irrelevant types. The summary as described in the form of a signature and with cases and argument constraints has several presumptions on the types. And the type may be not concrete (irrelevant) so we cannot check the presumptions. We can validate those presumptions once we have the full and complete type.

It could be better to separate this task from setting the FD itself.

Yes, you are right, I am going to separate that.

Probably it is better to do the validation always to filter out unexpected found functions

Yes, I agree. I am not sure about the assertions though. Right now the programmer writes the summaries (e.g. me). But once in the future, a library author could write summaries in JSON format. Perhaps a warning diagnostic would be more appropriate that time. Or we could have a checker option that logs out if a function was added to the summary map.

Szelethus added a comment.Apr 15 2020, 4:55 AM

The idea is noble with the addition of validate functions, assert in debug builds and just move on in release. However, I'd expect it to be integrated into the signature matching function.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
317–319

It might be worth putting a TODO here to not forget the constness methods :^)

800

This looks a bit odd, we're checking whether the function matches, and than we validate right after? Shouldn't we just not match the FD if it isn't valid?

martong marked 7 inline comments as done.May 4 2020, 9:56 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
317–319

Two types do not match if one of them is a const and the other is non-const. Is this what you're referring for?

800

Yeah, ok, I moved the validation back into matchesSignature.

martong updated this revision to Diff 261855.May 4 2020, 9:56 AM
martong marked 2 inline comments as done.
  • Better encapsulate the data in a 'Summary'
Harbormaster completed remote builds in B55655: Diff 261855.May 4 2020, 11:49 AM
martong added a child revision: D79423: [analyzer][NFC] StdLibraryFunctionsChecker: Add empty Signatures.May 5 2020, 8:18 AM
balazske added inline comments.May 6 2020, 12:56 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
133

Function names should be verb phrases. Maybe checkSanity is good or validateInternal, validateMore (this function relates to validate, not something different from it as "sanity").

validate can be called isValid or checkValidity, so we can not think (from the name) that the function changes something on the object. (checkValidity is good, then sanityCheck can be renamed to checkSpecificValidity or like this.)

372–373

I would extend the documentation with information about that the signature and constraints together contain information about what functions are accepted by the summary. The signature can use "wildcards" (the irrelevant types) and the constraints may specify additional rules for that type (that comes from the kind of constraint).

416

Again isValid or checkValidity is a better name, or validateByConstraints, matchesConstraints. Additionally matchesSignature checks in its current form not only for signature, so its name is not correct too.

800

I think these are not related, there should be signature match and validness check, but it is natural to check first the signature, then the validness.

martong updated this revision to Diff 266879.May 28 2020, 7:42 AM
martong marked an inline comment as done.
  • Rebase to master
martong marked 7 inline comments as done.May 28 2020, 9:31 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
133

Thanks for the naming suggestions, they are definitely better than my naming!

372–373

OK, I added some more docs to the class.

416

Ok, renamed to validateByConstraints.

800

@Szelethus, @balazske : I agree with both of you so I renamed matchesSignature to matches, which is a shorthand to the the signature match and then the validity check (and added a comment):

// Returns true if the summary should be applied to the given function.
bool matches(const FunctionDecl *FD) const {
  return Sign.matches(FD) && validateByConstraints(FD);
}
martong updated this revision to Diff 266918.May 28 2020, 9:31 AM
martong marked 4 inline comments as done.
  • Rename: validate -> checkValidity, sanityCheck -> checkSpecificValidity
  • Rename: Summary::checkValidity -> validateByConstraints
  • Add more docs to the Summary class
  • Rename matchesSignature -> matches
Harbormaster completed remote builds in B58233: Diff 266879.May 28 2020, 10:24 AM
Harbormaster completed remote builds in B58249: Diff 266918.May 28 2020, 12:08 PM
balazske added a comment.May 29 2020, 2:59 AM

The code looks basically good to me, some documentations can be improved.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
66–67

This text above is not the documentation of Summary (is it attached to Summary by doxygen?). Probably not /// is needed, only //. And it is probably out of date now, at least I can not understand immediately what is it about (what typedef's are these, what kind of "nesting types").

116

We check here that a function is a suitable candidate to be used with the constraint? (We select a function for the constraint, not a constraint for a function.) Maybe a better description would help to clarify this.

643

It may be better to see type of VRS instead of auto (and know what the VRS abbrevation means, why not CC for case constraint and not VC for ValueConstraint). Same for VR below.

800

Suggestion: Maybe we can have one function for matches and setFunctionDecl (set it if matches). We do not want to change the function decl later anyway, and not to something that does not match.

martong updated this revision to Diff 267177.May 29 2020, 4:31 AM
martong marked 8 inline comments as done.
  • Add comments, remove auto from 'for' loops, matches -> matchesAndSet
balazske accepted this revision.May 29 2020, 5:33 AM
This revision is now accepted and ready to land.May 29 2020, 5:33 AM
Harbormaster completed remote builds in B58403: Diff 267177.May 29 2020, 5:56 AM
Closed by commit rG16506d789084: [analyzer] StdLibraryFunctionsChecker: Add sanity checks for constraints (authored by martong). · Explain WhyMay 29 2020, 8:07 AM
This revision was automatically updated to reflect the committed changes.
MaskRay added a subscriber: MaskRay.May 30 2020, 5:34 PM

arc adds many unneeded tags from Phabricator. You can drop Reviewers: Subscribers: Tags: and the text Summary: with the following script:

arcfilter () {
  arc amend
  git log -1 --pretty=%B | awk '/Reviewers:|Subscribers:/{p=1} /Reviewed By:|Differential Revision:/{p=0} !p && !/^Summary:$/ {sub(/^Summary: /,"");print}' | git commit --amend --date=now -F -
}

Reviewed By: is considered important by some people (https://lists.llvm.org/pipermail/llvm-dev/2020-January/137889.html). You should keep the tag. (I started to use --date=now because some people find author date != committer date annoying. The committer date is usually what people care.))

martong added a comment.Jun 18 2020, 7:17 AM
In D77658#2065174, @MaskRay wrote:

arc adds many unneeded tags from Phabricator. You can drop Reviewers: Subscribers: Tags: and the text Summary: with the following script:

arcfilter () {
  arc amend
  git log -1 --pretty=%B | awk '/Reviewers:|Subscribers:/{p=1} /Reviewed By:|Differential Revision:/{p=0} !p && !/^Summary:$/ {sub(/^Summary: /,"");print}' | git commit --amend --date=now -F -
}

Reviewed By: is considered important by some people (https://lists.llvm.org/pipermail/llvm-dev/2020-January/137889.html). You should keep the tag. (I started to use --date=now because some people find author date != committer date annoying. The committer date is usually what people care.))

Thanks for pointing this out and for the script! I'll try to omit unnecessary tags from arc in the future.

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
66–67

Ok, I removed this outdated comment.

116

We check here, whether the constraint is malformed or not. It is malformed if the specified argument has a mismatch with the given FunctionDecl (e.g. the arg number is out-of-range of the function's arguments list).

Added a comment in the code about that.

643

Indeed, I agree. Removed auto and refreshed the outdated variable names.

800

Alright, I renamed matches to matchesAndSet and we set the FD in this function now. Also setFunctionDecl is removed.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
204 lines

Diff 267243

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 57 Lines▼ Show 20 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
using namespace clang; using namespace clang;
using namespace clang::ento; using namespace clang::ento;
namespace { namespace {
class StdLibraryFunctionsChecker class StdLibraryFunctionsChecker
: public Checker<check::PreCall, check::PostCall, eval::Call> { : public Checker<check::PreCall, check::PostCall, eval::Call> {
/// Below is a series of typedefs necessary to define function specs.
balazskeUnsubmitted
Done
ReplyInline Actions

This text above is not the documentation of Summary (is it attached to Summary by doxygen?). Probably not /// is needed, only //. And it is probably out of date now, at least I can not understand immediately what is it about (what typedef's are these, what kind of "nesting types").

balazske: This text above is not the documentation of `Summary` (is it attached to `Summary` by doxygen?).
martongAuthorUnsubmitted
Done
ReplyInline Actions

Ok, I removed this outdated comment.

martong: Ok, I removed this outdated comment.
/// We avoid nesting types here because each additional qualifier class Summary;
/// would need to be repeated in every function spec.
struct Summary;
/// Specify how much the analyzer engine should entrust modeling this function /// Specify how much the analyzer engine should entrust modeling this function
/// to us. If he doesn't, he performs additional invalidations. /// to us. If he doesn't, he performs additional invalidations.
enum InvalidationKind { NoEvalCall, EvalCallAsPure }; enum InvalidationKind { NoEvalCall, EvalCallAsPure };
// The universal integral type to use in value range descriptions. // The universal integral type to use in value range descriptions.
// Unsigned to make sure overflows are well-defined. // Unsigned to make sure overflows are well-defined.
typedef uint64_t RangeInt; typedef uint64_t RangeInt;
Show All 30 Lines public:
/// Apply the effects of the constraint on the given program state. If null /// Apply the effects of the constraint on the given program state. If null
/// is returned then the constraint is not feasible. /// is returned then the constraint is not feasible.
virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
const Summary &Summary, const Summary &Summary,
CheckerContext &C) const = 0; CheckerContext &C) const = 0;
virtual ValueConstraintPtr negate() const { virtual ValueConstraintPtr negate() const {
llvm_unreachable("Not implemented"); llvm_unreachable("Not implemented");
}; };
// Check whether the constraint is malformed or not. It is malformed if the
balazskeUnsubmitted
Done
ReplyInline Actions

Is it possible to have the validate on the signature (not function decl)? Because the function decl (where the rule is applied) should match the signature already. For example, if the signature contains an irrelevant type it is not good to have a rule that expects a void* at that place. After these rules are validated with the signature, they should be applicable on a (any) function that matches the signature.

balazske: Is it possible to have the validate on the signature (not function decl)? Because the function…
martongAuthorUnsubmitted
Done
ReplyInline Actions

void* would not be a problem. However, there are more intricate pointer types like FILE *. To get that type from the ASTContext we'd have to do another lookup for "FILE" which would complicate things. So, rather we mark that as Irrelevant in the signature. That's what we do in case of fread for instance. And after lookup we will have the concrete type in our hands, and that is the moment where we can do all the validation.

Perhaps we could alternatively have different kind of Irrelevant types like IrrelevantPtr, etc. But we'd forget to enumerate all of them.

martong: `void*` would not be a problem. However, there are more intricate pointer types like `FILE *`.
balazskeUnsubmitted
Done
ReplyInline Actions

We check here that a function is a suitable candidate to be used with the constraint? (We select a function for the constraint, not a constraint for a function.) Maybe a better description would help to clarify this.

balazske: We check here that a function is a suitable candidate to be used with the constraint? (We…
martongAuthorUnsubmitted
Done
ReplyInline Actions

We check here, whether the constraint is malformed or not. It is malformed if the specified argument has a mismatch with the given FunctionDecl (e.g. the arg number is out-of-range of the function's arguments list).

Added a comment in the code about that.

martong: We check here, whether the constraint is malformed or not. It is malformed if the specified…
// specified argument has a mismatch with the given FunctionDecl (e.g. the
// arg number is out-of-range of the function's argument list).
bool checkValidity(const FunctionDecl *FD) const {
const bool ValidArg = ArgN == Ret || ArgN < FD->getNumParams();
assert(ValidArg && "Arg out of range!");
if (!ValidArg)
return false;
// Subclasses may further refine the validation.
return checkSpecificValidity(FD);
}
ArgNo getArgNo() const { return ArgN; } ArgNo getArgNo() const { return ArgN; }
protected: protected:
ArgNo ArgN; // Argument to which we apply the constraint. ArgNo ArgN; // Argument to which we apply the constraint.
/// Do polymorphic sanity check on the constraint.
virtual bool checkSpecificValidity(const FunctionDecl *FD) const {
balazskeUnsubmitted
Done
ReplyInline Actions

Function names should be verb phrases. Maybe checkSanity is good or validateInternal, validateMore (this function relates to validate, not something different from it as "sanity").

validate can be called isValid or checkValidity, so we can not think (from the name) that the function changes something on the object. (checkValidity is good, then sanityCheck can be renamed to checkSpecificValidity or like this.)

balazske: Function names should be verb phrases. Maybe `checkSanity` is good or `validateInternal`…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Thanks for the naming suggestions, they are definitely better than my naming!

martong: Thanks for the naming suggestions, they are definitely better than my naming!
return true;
}
}; };
/// Given a range, should the argument stay inside or outside this range? /// Given a range, should the argument stay inside or outside this range?
enum RangeKind { OutOfRange, WithinRange }; enum RangeKind { OutOfRange, WithinRange };
/// Encapsulates a single range on a single symbol within a branch. /// Encapsulates a single range on a single symbol within a branch.
class RangeConstraint : public ValueConstraint { class RangeConstraint : public ValueConstraint {
RangeKind Kind; // Kind of range definition. RangeKind Kind; // Kind of range definition.
Show All 34 Lines ValueConstraintPtr negate() const override {
Tmp.Kind = WithinRange; Tmp.Kind = WithinRange;
break; break;
case WithinRange: case WithinRange:
Tmp.Kind = OutOfRange; Tmp.Kind = OutOfRange;
break; break;
} }
return std::make_shared<RangeConstraint>(Tmp); return std::make_shared<RangeConstraint>(Tmp);
} }
bool checkSpecificValidity(const FunctionDecl *FD) const override {
const bool ValidArg =
getArgType(FD, ArgN)->isIntegralType(FD->getASTContext());
assert(ValidArg &&
"This constraint should be applied on an integral type");
return ValidArg;
}
}; };
class ComparisonConstraint : public ValueConstraint { class ComparisonConstraint : public ValueConstraint {
BinaryOperator::Opcode Opcode; BinaryOperator::Opcode Opcode;
ArgNo OtherArgN; ArgNo OtherArgN;
public: public:
ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode, ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode,
Show All 26 Lines ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
return State->assume(L, CannotBeNull); return State->assume(L, CannotBeNull);
} }
ValueConstraintPtr negate() const override { ValueConstraintPtr negate() const override {
NotNullConstraint Tmp(*this); NotNullConstraint Tmp(*this);
Tmp.CannotBeNull = !this->CannotBeNull; Tmp.CannotBeNull = !this->CannotBeNull;
return std::make_shared<NotNullConstraint>(Tmp); return std::make_shared<NotNullConstraint>(Tmp);
} }
bool checkSpecificValidity(const FunctionDecl *FD) const override {
const bool ValidArg = getArgType(FD, ArgN)->isPointerType();
assert(ValidArg &&
"This constraint should be applied only on a pointer type");
return ValidArg;
}
}; };
// Represents a buffer argument with an additional size argument. // Represents a buffer argument with an additional size argument.
// E.g. the first two arguments here: // E.g. the first two arguments here:
// ctime_s(char *buffer, rsize_t bufsz, const time_t *time); // ctime_s(char *buffer, rsize_t bufsz, const time_t *time);
// Another example: // Another example:
// size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream); // size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
// // Here, ptr is the buffer, and its minimum size is `size * nmemb`. // // Here, ptr is the buffer, and its minimum size is `size * nmemb`.
▲ Show 20 LinesShow All 52 Lines▼ Show 20 Lines ValueConstraintPtr negate() const override {
return std::make_shared<BufferSizeConstraint>(Tmp); return std::make_shared<BufferSizeConstraint>(Tmp);
} }
}; };
/// The complete list of constraints that defines a single branch. /// The complete list of constraints that defines a single branch.
typedef std::vector<ValueConstraintPtr> ConstraintSet; typedef std::vector<ValueConstraintPtr> ConstraintSet;
using ArgTypes = std::vector<QualType>; using ArgTypes = std::vector<QualType>;
// A placeholder type, we use it whenever we do not care about the concrete
// type in a Signature.
const QualType Irrelevant{};
bool static isIrrelevant(QualType T) { return T.isNull(); }
// The signature of a function we want to describe with a summary. This is a
// concessive signature, meaning there may be irrelevant types in the
// signature which we do not check against a function with concrete types.
SzelethusUnsubmitted
Done
ReplyInline Actions

It might be worth putting a TODO here to not forget the constness methods :^)

Szelethus: It might be worth putting a `TODO` here to not forget the constness methods :^)
martongAuthorUnsubmitted
Done
ReplyInline Actions

Two types do not match if one of them is a const and the other is non-const. Is this what you're referring for?

martong: Two types do not match if one of them is a const and the other is non-const. Is this what…
struct Signature {
const ArgTypes ArgTys;
const QualType RetTy;
Signature(ArgTypes ArgTys, QualType RetTy) : ArgTys(ArgTys), RetTy(RetTy) {
assertRetTypeSuitableForSignature(RetTy);
for (size_t I = 0, E = ArgTys.size(); I != E; ++I) {
QualType ArgTy = ArgTys[I];
assertArgTypeSuitableForSignature(ArgTy);
}
}
bool matches(const FunctionDecl *FD) const;
private:
static void assertArgTypeSuitableForSignature(QualType T) {
assert((T.isNull() || !T->isVoidType()) &&
"We should have no void types in the spec");
assert((T.isNull() || T.isCanonical()) &&
"We should only have canonical types in the spec");
}
static void assertRetTypeSuitableForSignature(QualType T) {
assert((T.isNull() || T.isCanonical()) &&
"We should only have canonical types in the spec");
}
};
static QualType getArgType(const FunctionDecl *FD, ArgNo ArgN) {
assert(FD && "Function must be set");
QualType T = (ArgN == Ret)
? FD->getReturnType().getCanonicalType()
: FD->getParamDecl(ArgN)->getType().getCanonicalType();
return T;
}
using Cases = std::vector<ConstraintSet>; using Cases = std::vector<ConstraintSet>;
/// Includes information about /// A summary includes information about
/// * function prototype (which is necessary to /// * function prototype (signature)
/// ensure we're modeling the right function and casting values properly),
/// * approach to invalidation, /// * approach to invalidation,
/// * a list of branches - a list of list of ranges - /// * a list of branches - a list of list of ranges -
/// A branch represents a path in the exploded graph of a function (which /// A branch represents a path in the exploded graph of a function (which
/// is a tree). So, a branch is a series of assumptions. In other words, /// is a tree). So, a branch is a series of assumptions. In other words,
/// branches represent split states and additional assumptions on top of /// branches represent split states and additional assumptions on top of
/// the splitting assumption. /// the splitting assumption.
/// For example, consider the branches in `isalpha(x)` /// For example, consider the branches in `isalpha(x)`
/// Branch 1) /// Branch 1)
/// x is in range ['A', 'Z'] or in ['a', 'z'] /// x is in range ['A', 'Z'] or in ['a', 'z']
/// then the return value is not 0. (I.e. out-of-range [0, 0]) /// then the return value is not 0. (I.e. out-of-range [0, 0])
/// Branch 2) /// Branch 2)
/// x is out-of-range ['A', 'Z'] and out-of-range ['a', 'z'] /// x is out-of-range ['A', 'Z'] and out-of-range ['a', 'z']
/// then the return value is 0. /// then the return value is 0.
/// * a list of argument constraints, that must be true on every branch. /// * a list of argument constraints, that must be true on every branch.
/// If these constraints are not satisfied that means a fatal error /// If these constraints are not satisfied that means a fatal error
/// usually resulting in undefined behaviour. /// usually resulting in undefined behaviour.
struct Summary { ///
balazskeUnsubmitted
Done
ReplyInline Actions

I would extend the documentation with information about that the signature and constraints together contain information about what functions are accepted by the summary. The signature can use "wildcards" (the irrelevant types) and the constraints may specify additional rules for that type (that comes from the kind of constraint).

balazske: I would extend the documentation with information about that the signature and constraints…
martongAuthorUnsubmitted
Done
ReplyInline Actions

OK, I added some more docs to the class.

martong: OK, I added some more docs to the class.
const ArgTypes ArgTys; /// Application of a summary:
const QualType RetTy; /// The signature and argument constraints together contain information
/// about which functions are handled by the summary. The signature can use
/// "wildcards", i.e. Irrelevant types. Irrelevant type of a parameter in
/// a signature means that type is not compared to the type of the parameter
/// in the found FunctionDecl. Argument constraints may specify additional
/// rules for the given parameter's type, those rules are checked once the
/// signature is matched.
class Summary {
const Signature Sign;
const InvalidationKind InvalidationKd; const InvalidationKind InvalidationKd;
Cases CaseConstraints; Cases CaseConstraints;
ConstraintSet ArgConstraints; ConstraintSet ArgConstraints;
// The function to which the summary applies. This is set after lookup and
// match to the signature.
const FunctionDecl *FD = nullptr;
public:
Summary(ArgTypes ArgTys, QualType RetTy, InvalidationKind InvalidationKd) Summary(ArgTypes ArgTys, QualType RetTy, InvalidationKind InvalidationKd)
: ArgTys(ArgTys), RetTy(RetTy), InvalidationKd(InvalidationKd) {} : Sign(ArgTys, RetTy), InvalidationKd(InvalidationKd) {}
Summary &Case(ConstraintSet&& CS) { Summary &Case(ConstraintSet&& CS) {
CaseConstraints.push_back(std::move(CS)); CaseConstraints.push_back(std::move(CS));
return *this; return *this;
} }
Summary &ArgConstraint(ValueConstraintPtr VC) { Summary &ArgConstraint(ValueConstraintPtr VC) {
ArgConstraints.push_back(VC); ArgConstraints.push_back(VC);
return *this; return *this;
} }
private: InvalidationKind getInvalidationKd() const { return InvalidationKd; }
static void assertTypeSuitableForSummary(QualType T) { const Cases &getCaseConstraints() const { return CaseConstraints; }
assert(!T->isVoidType() && const ConstraintSet &getArgConstraints() const { return ArgConstraints; }
"We should have had no significant void types in the spec");
assert(T.isCanonical() &&
"We should only have canonical types in the spec");
}
public:
QualType getArgType(ArgNo ArgN) const { QualType getArgType(ArgNo ArgN) const {
QualType T = (ArgN == Ret) ? RetTy : ArgTys[ArgN]; return StdLibraryFunctionsChecker::getArgType(FD, ArgN);
assertTypeSuitableForSummary(T); }
balazskeUnsubmitted
Done
ReplyInline Actions

So this is a check to be used at debug build only to check for programming errors?
It could be better to separate this task from setting the FD itself. Or this function can be called setFD and contain a validation if in debug mode (or always). Probably it is better to do the validation always to filter out unexpected found functions (if some unusual API is encountered).

balazske: So this is a check to be used at debug build only to check for programming errors? It could be…
martongAuthorUnsubmitted
Done
ReplyInline Actions

The goal here is to avoid inadvertently adding a summary to a wrong function. This is all because of irrelevant types. The summary as described in the form of a signature and with cases and argument constraints has several presumptions on the types. And the type may be not concrete (irrelevant) so we cannot check the presumptions. We can validate those presumptions once we have the full and complete type.

It could be better to separate this task from setting the FD itself.

Yes, you are right, I am going to separate that.

Probably it is better to do the validation always to filter out unexpected found functions

Yes, I agree. I am not sure about the assertions though. Right now the programmer writes the summaries (e.g. me). But once in the future, a library author could write summaries in JSON format. Perhaps a warning diagnostic would be more appropriate that time. Or we could have a checker option that logs out if a function was added to the summary map.

martong: The goal here is to avoid inadvertently adding a summary to a wrong function. This is all…
return T;
// Returns true if the summary should be applied to the given function.
// And if yes then store the function declaration.
bool matchesAndSet(const FunctionDecl *FD) {
bool Result = Sign.matches(FD) && validateByConstraints(FD);
balazskeUnsubmitted
Done
ReplyInline Actions

Again isValid or checkValidity is a better name, or validateByConstraints, matchesConstraints. Additionally matchesSignature checks in its current form not only for signature, so its name is not correct too.

balazske: Again `isValid` or `checkValidity` is a better name, or `validateByConstraints`…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Ok, renamed to validateByConstraints.

martong: Ok, renamed to `validateByConstraints`.
if (Result) {
assert(!this->FD && "FD must not be set more than once");
this->FD = FD;
}
return Result;
} }
/// Try our best to figure out if the summary's signature matches private:
/// *the* library function to which this specification applies. // Once we know the exact type of the function then do sanity check on all
bool matchesSignature(const FunctionDecl *FD) const; // the given constraints.
bool validateByConstraints(const FunctionDecl *FD) const {
for (const ConstraintSet &Case : CaseConstraints)
for (const ValueConstraintPtr &Constraint : Case)
if (!Constraint->checkValidity(FD))
return false;
for (const ValueConstraintPtr &Constraint : ArgConstraints)
if (!Constraint->checkValidity(FD))
return false;
return true;
}
}; };
// The map of all functions supported by the checker. It is initialized // The map of all functions supported by the checker. It is initialized
// lazily, and it doesn't change after initialization. // lazily, and it doesn't change after initialization.
using FunctionSummaryMapType = llvm::DenseMap<const FunctionDecl *, Summary>; using FunctionSummaryMapType = llvm::DenseMap<const FunctionDecl *, Summary>;
mutable FunctionSummaryMapType FunctionSummaryMap; mutable FunctionSummaryMapType FunctionSummaryMap;
mutable std::unique_ptr<BugType> BT_InvalidArg; mutable std::unique_ptr<BugType> BT_InvalidArg;
// Auxiliary functions to support ArgNo within all structures
// in a unified manner.
static QualType getArgType(const Summary &Summary, ArgNo ArgN) {
return Summary.getArgType(ArgN);
}
static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) { static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) {
return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN); return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN);
} }
public: public:
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
bool evalCall(const CallEvent &Call, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
Show All 40 Lines
ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsOutOfRange( ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsOutOfRange(
ProgramStateRef State, const CallEvent &Call, ProgramStateRef State, const CallEvent &Call,
const Summary &Summary) const { const Summary &Summary) const {
ProgramStateManager &Mgr = State->getStateManager(); ProgramStateManager &Mgr = State->getStateManager();
SValBuilder &SVB = Mgr.getSValBuilder(); SValBuilder &SVB = Mgr.getSValBuilder();
BasicValueFactory &BVF = SVB.getBasicValueFactory(); BasicValueFactory &BVF = SVB.getBasicValueFactory();
ConstraintManager &CM = Mgr.getConstraintManager(); ConstraintManager &CM = Mgr.getConstraintManager();
QualType T = getArgType(Summary, getArgNo()); QualType T = Summary.getArgType(getArgNo());
SVal V = getArgSVal(Call, getArgNo()); SVal V = getArgSVal(Call, getArgNo());
if (auto N = V.getAs<NonLoc>()) { if (auto N = V.getAs<NonLoc>()) {
const IntRangeVector &R = getRanges(); const IntRangeVector &R = getRanges();
size_t E = R.size(); size_t E = R.size();
for (size_t I = 0; I != E; ++I) { for (size_t I = 0; I != E; ++I) {
const llvm::APSInt &Min = BVF.getValue(R[I].first, T); const llvm::APSInt &Min = BVF.getValue(R[I].first, T);
const llvm::APSInt &Max = BVF.getValue(R[I].second, T); const llvm::APSInt &Max = BVF.getValue(R[I].second, T);
Show All 10 Lines
ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsWithinRange( ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsWithinRange(
ProgramStateRef State, const CallEvent &Call, ProgramStateRef State, const CallEvent &Call,
const Summary &Summary) const { const Summary &Summary) const {
ProgramStateManager &Mgr = State->getStateManager(); ProgramStateManager &Mgr = State->getStateManager();
SValBuilder &SVB = Mgr.getSValBuilder(); SValBuilder &SVB = Mgr.getSValBuilder();
BasicValueFactory &BVF = SVB.getBasicValueFactory(); BasicValueFactory &BVF = SVB.getBasicValueFactory();
ConstraintManager &CM = Mgr.getConstraintManager(); ConstraintManager &CM = Mgr.getConstraintManager();
QualType T = getArgType(Summary, getArgNo()); QualType T = Summary.getArgType(getArgNo());
SVal V = getArgSVal(Call, getArgNo()); SVal V = getArgSVal(Call, getArgNo());
// "WithinRange R" is treated as "outside [T_MIN, T_MAX] \ R". // "WithinRange R" is treated as "outside [T_MIN, T_MAX] \ R".
// We cut off [T_MIN, min(R) - 1] and [max(R) + 1, T_MAX] if necessary, // We cut off [T_MIN, min(R) - 1] and [max(R) + 1, T_MAX] if necessary,
// and then cut away all holes in R one by one. // and then cut away all holes in R one by one.
// //
// E.g. consider a range list R as [A, B] and [C, D] // E.g. consider a range list R as [A, B] and [C, D]
// -------+--------+------------------+------------+-----------> // -------+--------+------------------+------------+----------->
Show All 39 Lines
ProgramStateRef StdLibraryFunctionsChecker::ComparisonConstraint::apply( ProgramStateRef StdLibraryFunctionsChecker::ComparisonConstraint::apply(
ProgramStateRef State, const CallEvent &Call, const Summary &Summary, ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateManager &Mgr = State->getStateManager(); ProgramStateManager &Mgr = State->getStateManager();
SValBuilder &SVB = Mgr.getSValBuilder(); SValBuilder &SVB = Mgr.getSValBuilder();
QualType CondT = SVB.getConditionType(); QualType CondT = SVB.getConditionType();
QualType T = getArgType(Summary, getArgNo()); QualType T = Summary.getArgType(getArgNo());
SVal V = getArgSVal(Call, getArgNo()); SVal V = getArgSVal(Call, getArgNo());
BinaryOperator::Opcode Op = getOpcode(); BinaryOperator::Opcode Op = getOpcode();
ArgNo OtherArg = getOtherArgNo(); ArgNo OtherArg = getOtherArgNo();
SVal OtherV = getArgSVal(Call, OtherArg); SVal OtherV = getArgSVal(Call, OtherArg);
QualType OtherT = getArgType(Summary, OtherArg); QualType OtherT = Summary.getArgType(OtherArg);
// Note: we avoid integral promotion for comparison. // Note: we avoid integral promotion for comparison.
OtherV = SVB.evalCast(OtherV, T, OtherT); OtherV = SVB.evalCast(OtherV, T, OtherT);
if (auto CompV = SVB.evalBinOp(State, Op, V, OtherV, CondT) if (auto CompV = SVB.evalBinOp(State, Op, V, OtherV, CondT)
.getAs<DefinedOrUnknownSVal>()) .getAs<DefinedOrUnknownSVal>())
State = State->assume(*CompV, true); State = State->assume(*CompV, true);
return State; return State;
} }
void StdLibraryFunctionsChecker::checkPreCall(const CallEvent &Call, void StdLibraryFunctionsChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
Optional<Summary> FoundSummary = findFunctionSummary(Call, C); Optional<Summary> FoundSummary = findFunctionSummary(Call, C);
if (!FoundSummary) if (!FoundSummary)
return; return;
const Summary &Summary = *FoundSummary; const Summary &Summary = *FoundSummary;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
ProgramStateRef NewState = State; ProgramStateRef NewState = State;
for (const ValueConstraintPtr& VC : Summary.ArgConstraints) { for (const ValueConstraintPtr &Constraint : Summary.getArgConstraints()) {
ProgramStateRef SuccessSt = VC->apply(NewState, Call, Summary, C); ProgramStateRef SuccessSt = Constraint->apply(NewState, Call, Summary, C);
ProgramStateRef FailureSt = VC->negate()->apply(NewState, Call, Summary, C); ProgramStateRef FailureSt =
Constraint->negate()->apply(NewState, Call, Summary, C);
// The argument constraint is not satisfied. // The argument constraint is not satisfied.
if (FailureSt && !SuccessSt) { if (FailureSt && !SuccessSt) {
if (ExplodedNode *N = C.generateErrorNode(NewState)) if (ExplodedNode *N = C.generateErrorNode(NewState))
reportBug(Call, N, C); reportBug(Call, N, C);
break; break;
} else { } else {
// We will apply the constraint even if we cannot reason about the // We will apply the constraint even if we cannot reason about the
// argument. This means both SuccessSt and FailureSt can be true. If we // argument. This means both SuccessSt and FailureSt can be true. If we
Show All 13 Linesvoid StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
if (!FoundSummary) if (!FoundSummary)
return; return;
// Now apply the constraints. // Now apply the constraints.
const Summary &Summary = *FoundSummary; const Summary &Summary = *FoundSummary;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// Apply case/branch specifications. // Apply case/branch specifications.
for (const auto &VRS : Summary.CaseConstraints) { for (const ConstraintSet &Case : Summary.getCaseConstraints()) {
balazskeUnsubmitted
Done
ReplyInline Actions

It may be better to see type of VRS instead of auto (and know what the VRS abbrevation means, why not CC for case constraint and not VC for ValueConstraint). Same for VR below.

balazske: It may be better to see type of `VRS` instead of `auto` (and know what the `VRS` abbrevation…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Indeed, I agree. Removed auto and refreshed the outdated variable names.

martong: Indeed, I agree. Removed `auto` and refreshed the outdated variable names.
ProgramStateRef NewState = State; ProgramStateRef NewState = State;
for (const auto &VR: VRS) { for (const ValueConstraintPtr &Constraint : Case) {
NewState = VR->apply(NewState, Call, Summary, C); NewState = Constraint->apply(NewState, Call, Summary, C);
if (!NewState) if (!NewState)
break; break;
} }
if (NewState && NewState != State) if (NewState && NewState != State)
C.addTransition(NewState); C.addTransition(NewState);
} }
} }
bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call, bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
Optional<Summary> FoundSummary = findFunctionSummary(Call, C); Optional<Summary> FoundSummary = findFunctionSummary(Call, C);
if (!FoundSummary) if (!FoundSummary)
return false; return false;
const Summary &Summary = *FoundSummary; const Summary &Summary = *FoundSummary;
switch (Summary.InvalidationKd) { switch (Summary.getInvalidationKd()) {
case EvalCallAsPure: { case EvalCallAsPure: {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const LocationContext *LC = C.getLocationContext(); const LocationContext *LC = C.getLocationContext();
const auto *CE = cast_or_null<CallExpr>(Call.getOriginExpr()); const auto *CE = cast_or_null<CallExpr>(Call.getOriginExpr());
SVal V = C.getSValBuilder().conjureSymbolVal( SVal V = C.getSValBuilder().conjureSymbolVal(
CE, LC, CE->getType().getCanonicalType(), C.blockCount()); CE, LC, CE->getType().getCanonicalType(), C.blockCount());
State = State->BindExpr(CE, LC, V); State = State->BindExpr(CE, LC, V);
C.addTransition(State); C.addTransition(State);
return true; return true;
} }
case NoEvalCall: case NoEvalCall:
// Summary tells us to avoid performing eval::Call. The function is possibly // Summary tells us to avoid performing eval::Call. The function is possibly
// evaluated by another checker, or evaluated conservatively. // evaluated by another checker, or evaluated conservatively.
return false; return false;
} }
llvm_unreachable("Unknown invalidation kind!"); llvm_unreachable("Unknown invalidation kind!");
} }
bool StdLibraryFunctionsChecker::Summary::matchesSignature( bool StdLibraryFunctionsChecker::Signature::matches(
const FunctionDecl *FD) const { const FunctionDecl *FD) const {
// Check number of arguments: // Check number of arguments:
if (FD->param_size() != ArgTys.size()) if (FD->param_size() != ArgTys.size())
return false; return false;
// Check return type if relevant: // Check return type.
if (!RetTy.isNull() && RetTy != FD->getReturnType().getCanonicalType()) if (!isIrrelevant(RetTy))
if (RetTy != FD->getReturnType().getCanonicalType())
return false; return false;
// Check argument types when relevant: // Check argument types.
for (size_t I = 0, E = ArgTys.size(); I != E; ++I) { for (size_t I = 0, E = ArgTys.size(); I != E; ++I) {
QualType FormalT = ArgTys[I]; QualType ArgTy = ArgTys[I];
// Null type marks irrelevant arguments. if (isIrrelevant(ArgTy))
if (FormalT.isNull())
continue; continue;
if (ArgTy != FD->getParamDecl(I)->getType().getCanonicalType())
assertTypeSuitableForSummary(FormalT);
QualType ActualT = FD->getParamDecl(I)->getType().getCanonicalType();
if (ActualT != FormalT)
return false; return false;
} }
return true; return true;
} }
Optional<StdLibraryFunctionsChecker::Summary> Optional<StdLibraryFunctionsChecker::Summary>
StdLibraryFunctionsChecker::findFunctionSummary(const FunctionDecl *FD, StdLibraryFunctionsChecker::findFunctionSummary(const FunctionDecl *FD,
Show All 29 Linesvoid StdLibraryFunctionsChecker::initFunctionSummaries(
// These types are useful for writing specifications quickly, // These types are useful for writing specifications quickly,
// New specifications should probably introduce more types. // New specifications should probably introduce more types.
// Some types are hard to obtain from the AST, eg. "ssize_t". // Some types are hard to obtain from the AST, eg. "ssize_t".
// In such cases it should be possible to provide multiple variants // In such cases it should be possible to provide multiple variants
// of function summary for common cases (eg. ssize_t could be int or long // of function summary for common cases (eg. ssize_t could be int or long
// or long long, so three summary variants would be enough). // or long long, so three summary variants would be enough).
// Of course, function variants are also useful for C++ overloads. // Of course, function variants are also useful for C++ overloads.
const QualType
Irrelevant{}; // A placeholder, whenever we do not care about the type.
const QualType IntTy = ACtx.IntTy; const QualType IntTy = ACtx.IntTy;
const QualType LongTy = ACtx.LongTy; const QualType LongTy = ACtx.LongTy;
const QualType LongLongTy = ACtx.LongLongTy; const QualType LongLongTy = ACtx.LongLongTy;
const QualType SizeTy = ACtx.getSizeType(); const QualType SizeTy = ACtx.getSizeType();
const QualType VoidPtrTy = ACtx.VoidPtrTy; // void * const QualType VoidPtrTy = ACtx.VoidPtrTy; // void *
const QualType VoidPtrRestrictTy = const QualType VoidPtrRestrictTy =
ACtx.getRestrictType(VoidPtrTy); // void *restrict ACtx.getRestrictType(VoidPtrTy); // void *restrict
const QualType ConstVoidPtrTy = const QualType ConstVoidPtrTy =
Show All 33 Lines struct AddToFunctionSummaryMap {
AddToFunctionSummaryMap(const ASTContext &ACtx, FunctionSummaryMapType &FSM, AddToFunctionSummaryMap(const ASTContext &ACtx, FunctionSummaryMapType &FSM,
bool DisplayLoadedSummaries) bool DisplayLoadedSummaries)
: ACtx(ACtx), Map(FSM), DisplayLoadedSummaries(DisplayLoadedSummaries) { : ACtx(ACtx), Map(FSM), DisplayLoadedSummaries(DisplayLoadedSummaries) {
} }
// Add a summary to a FunctionDecl found by lookup. The lookup is performed // Add a summary to a FunctionDecl found by lookup. The lookup is performed
// by the given Name, and in the global scope. The summary will be attached // by the given Name, and in the global scope. The summary will be attached
// to the found FunctionDecl only if the signatures match. // to the found FunctionDecl only if the signatures match.
void operator()(StringRef Name, const Summary &S) { void operator()(StringRef Name, Summary S) {
IdentifierInfo &II = ACtx.Idents.get(Name); IdentifierInfo &II = ACtx.Idents.get(Name);
auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II); auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
if (LookupRes.size() == 0) if (LookupRes.size() == 0)
return; return;
for (Decl *D : LookupRes) { for (Decl *D : LookupRes) {
if (auto *FD = dyn_cast<FunctionDecl>(D)) { if (auto *FD = dyn_cast<FunctionDecl>(D)) {
if (S.matchesSignature(FD)) { if (S.matchesAndSet(FD)) {
SzelethusUnsubmitted
Done
ReplyInline Actions

This looks a bit odd, we're checking whether the function matches, and than we validate right after? Shouldn't we just not match the FD if it isn't valid?

Szelethus: This looks a bit odd, we're checking whether the function matches, and than we validate right…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Yeah, ok, I moved the validation back into matchesSignature.

martong: Yeah, ok, I moved the validation back into `matchesSignature`.
balazskeUnsubmitted
Done
ReplyInline Actions

I think these are not related, there should be signature match and validness check, but it is natural to check first the signature, then the validness.

balazske: I think these are not related, there should be signature match and validness check, but it is…
martongAuthorUnsubmitted
Done
ReplyInline Actions

@Szelethus, @balazske : I agree with both of you so I renamed matchesSignature to matches, which is a shorthand to the the signature match and then the validity check (and added a comment):

// Returns true if the summary should be applied to the given function.
bool matches(const FunctionDecl *FD) const {
  return Sign.matches(FD) && validateByConstraints(FD);
}
martong: @Szelethus, @balazske : I agree with both of you so I renamed `matchesSignature` to `matches`…
balazskeUnsubmitted
Done
ReplyInline Actions

Suggestion: Maybe we can have one function for matches and setFunctionDecl (set it if matches). We do not want to change the function decl later anyway, and not to something that does not match.

balazske: Suggestion: Maybe we can have one function for `matches` and `setFunctionDecl` (set it if…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Alright, I renamed matches to matchesAndSet and we set the FD in this function now. Also setFunctionDecl is removed.

martong: Alright, I renamed `matches` to `matchesAndSet` and we set the FD in this function now. Also…
auto Res = Map.insert({FD->getCanonicalDecl(), S}); auto Res = Map.insert({FD->getCanonicalDecl(), S});
assert(Res.second && "Function already has a summary set!"); assert(Res.second && "Function already has a summary set!");
(void)Res; (void)Res;
if (DisplayLoadedSummaries) { if (DisplayLoadedSummaries) {
llvm::errs() << "Loaded summary for: "; llvm::errs() << "Loaded summary for: ";
FD->print(llvm::errs()); FD->print(llvm::errs());
llvm::errs() << "\n"; llvm::errs() << "\n";
} }
▲ Show 20 LinesShow All 320 LinesShow Last 20 Lines