This is an archive of the discontinued LLVM Phabricator instance.

Differential D80016

[analyzer] StdLibraryFunctionsChecker: Add support to lookup types
ClosedPublic

Authored by martong on May 15 2020, 8:42 AM.

Details

Reviewers
xazax.hun
NoQ
Szelethus
balazske
Commits
rG634258b80606: [analyzer] StdLibraryFunctionsChecker: Add support to lookup types
Summary

In this patch I am trying to get rid of the Irrelevant types from the
signatures of the functions from the standard C library. For that I've
introduced lookupType() to be able to lookup arbitrary types in the global
scope. This makes it possible to define the signatures precisely.

Note 1) fread's signature is now fixed to have the proper FILE *restrict
type when C99 is the language.
Note 2) There are still existing Irrelevant types, but they are all from
POSIX. I am planning to address those together with the missing POSIX functions
(in D79433).

Diff Detail

Event Timeline

martong created this revision.May 15 2020, 8:42 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 15 2020, 8:42 AM
Herald added subscribers: cfe-commits, ASDenysPetrov, steakhal and 10 others. · View Herald Transcript
Harbormaster completed remote builds in B56875: Diff 264257.May 15 2020, 10:51 AM
balazske added inline comments.May 18 2020, 4:05 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
905

The Optional<QualType> can be left out from the right side expressions (in the ? operator part). (A QualType should be assignable to Optional<QualType>.)

martong marked 2 inline comments as done.May 26 2020, 9:05 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
905

No that cannot be left out. Implicit conversion does not play when trying to determine the common type for the 2nd and 3rd argument of the ternary op. https://stackoverflow.com/questions/32251419/c-ternary-operator-conditional-operator-and-its-implicit-type-conversion-r
So, removing the explicit type I get a compile error.

balazske added inline comments.May 27 2020, 1:21 AM
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
905

Still I do not like that code. Probably this is better then:

Optional<QualType> FilePtrTy, FilePtrRestrictTy;
if (FileTy) {
  FilePtrTy = ACtx.getPointerType(*FileTy);
  FilePtrRestrictTy = ACtx.getLangOpts().C99
                          ? ACtx.getRestrictType(*FilePtrTy) // FILE *restrict
                          : *FilePtrTy)
}
martong updated this revision to Diff 266834.May 28 2020, 6:07 AM
martong marked an inline comment as done.
  • Rebase to master
martong updated this revision to Diff 266858.May 28 2020, 6:55 AM
martong marked 2 inline comments as done.
  • Add if (FileTy)
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
905

Ok, I added the if.

Harbormaster completed remote builds in B58209: Diff 266834.May 28 2020, 9:15 AM
Harbormaster completed remote builds in B58222: Diff 266858.May 28 2020, 9:50 AM
balazske accepted this revision.May 29 2020, 8:00 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
897

There is a ASTContext::getFILEType that can be used for this. (But if more types are needed the lookupType must be used again.)

This revision is now accepted and ready to land.May 29 2020, 8:00 AM
martong marked 2 inline comments as done.May 29 2020, 8:41 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
897

Yeah, didn't realize that we have getFILEType until now. It's unfortunate that I added the tests for FILE in this sense.

getFILEType can return a null QualType, which unfortunately can be mixed with Irrelevant. I'd like to avoid that. Still, we could initialize the Optional<QualType> with the help of getFILEType. Maybe in a later patch it would be worth to do that (and then refactor the lookup.c[pp] tests too).

On the other hand, since we are going to use lookupType extensively with other types, I don't see much benefit to make an exemption to FILE.

xazax.hun added a comment.May 29 2020, 8:53 AM

A high level comment.

Trying to match function signatures is not a unique problem! In fact, almost all of the checks the analyzer have is trying to solve the very some problem.
One of the methods we have at this point is called CallDescription, see here: https://github.com/llvm/llvm-project/blob/master/clang/lib/StaticAnalyzer/Core/CallEvent.cpp#L358

Moreover, I would assume something similar needs to be done for APINotes.

Do you think it would be possible to extend the CallDescription interface to match your needs? In that case all of the checks could profit from this work.
What do you think?

Closed by commit rG634258b80606: [analyzer] StdLibraryFunctionsChecker: Add support to lookup types (authored by martong). · Explain WhyMay 29 2020, 9:13 AM
This revision was automatically updated to reflect the committed changes.
martong marked an inline comment as done.
martong added a comment.May 29 2020, 12:49 PM
In D80016#2063234, @xazax.hun wrote:

A high level comment.

Trying to match function signatures is not a unique problem! In fact, almost all of the checks the analyzer have is trying to solve the very some problem.
One of the methods we have at this point is called CallDescription, see here: https://github.com/llvm/llvm-project/blob/master/clang/lib/StaticAnalyzer/Core/CallEvent.cpp#L358

Moreover, I would assume something similar needs to be done for APINotes.

Do you think it would be possible to extend the CallDescription interface to match your needs? In that case all of the checks could profit from this work.
What do you think?

Yes, viewing from this angle, I am trying to solve a problem here that perhaps could be handled by CallDescription and CallDescriptionMap with some extensions.

Here are the differences between the two approaches so far:

  • CallDescription is evaluated for every call event (e.g. checkPreCall), the names - strings - are compared; containing declaration contexts are compared by names (see CallEvent::isCalled). Contrary to this, summaries are associated directly to FunctionDecls, so during a call event we compare two FunctionDecl pointers.
  • A CallDescription does not support overloading on different types if the number of parameters are the same. With summaries this works.
  • A CallDescriptionMap is a static map with fixed number of entries. Contrary to this, the FunctionSummaryMap contains an entry (a summary) for a function only if we can lookup a matching FunctionDecl in the TU. The initialization of the FunctionSummaryMap happens lazily during the first call event.

Except the lack of proper overloading support, these differences are in the implementation. So, yes, giving it more thought, maybe we could refactor CallDescriptionMap to behave this way, but that would be some very heavy refactoring :) Still, would be possible, I guess.

Moreover, I would assume something similar needs to be done for APINotes.

Yes, I agree, I could not find out (yet) how the do it, but somehow they must match a given FunctionDecl to the Name in the YAML.

I was thinking about an alternative method for a long time now.
Making one step backwards: what we need is to be able to associate some data to a given function. And we can perfectly identify the function with it's prototype written in C/C++.
So, what if we'd be able to write a CallDescriptionMap (or a FunctionSummaryMap) like this:

CallDescriptionMap<FnCheck> Callbacks = {
    {{"void *memcpy(void *dest, const void *src, size_t n)"}, &CStringChecker::evalMemcpy},
    ...

Actually, we could reuse the Parser and the Sema itself to solve this issue. In fact, we could achieve this by reusing the ExternalASTSource together with the ASTImporter to find precisely the existing redecl chain in the TU for memcpy.

martong mentioned this in D81745: [analyzer][MallocChecker] PR46253: Correctly recognize standard realloc.Jun 16 2020, 8:02 AM
martong mentioned this in D79423: [analyzer][NFC] StdLibraryFunctionsChecker: Add empty Signatures.Jun 22 2020, 2:34 AM
martong mentioned this in D79430: [analyzer] StdLibraryFunctionsChecker: Add LazyRanges to support type dependent Max.Jun 22 2020, 2:36 AM

Revision Contents

Diff 267263

clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

Show First 20 LinesShow All 719 Lines▼ Show 20 Lines
StdLibraryFunctionsChecker::findFunctionSummary(const CallEvent &Call, StdLibraryFunctionsChecker::findFunctionSummary(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl()); const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
if (!FD) if (!FD)
return None; return None;
return findFunctionSummary(FD, C); return findFunctionSummary(FD, C);
} }
llvm::Optional<QualType> lookupType(StringRef Name, const ASTContext &ACtx) {
IdentifierInfo &II = ACtx.Idents.get(Name);
auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
if (LookupRes.size() == 0)
return None;
// Prioritze typedef declarations.
// This is needed in case of C struct typedefs. E.g.:
// typedef struct FILE FILE;
// In this case, we have a RecordDecl 'struct FILE' with the name 'FILE' and
// we have a TypedefDecl with the name 'FILE'.
for (Decl *D : LookupRes) {
if (auto *TD = dyn_cast<TypedefNameDecl>(D))
return ACtx.getTypeDeclType(TD).getCanonicalType();
}
assert(LookupRes.size() == 1 && "Type identifier should be unique");
auto *D = cast<TypeDecl>(LookupRes.front());
return ACtx.getTypeDeclType(D).getCanonicalType();
}
void StdLibraryFunctionsChecker::initFunctionSummaries( void StdLibraryFunctionsChecker::initFunctionSummaries(
CheckerContext &C) const { CheckerContext &C) const {
if (!FunctionSummaryMap.empty()) if (!FunctionSummaryMap.empty())
return; return;
SValBuilder &SVB = C.getSValBuilder(); SValBuilder &SVB = C.getSValBuilder();
BasicValueFactory &BVF = SVB.getBasicValueFactory(); BasicValueFactory &BVF = SVB.getBasicValueFactory();
const ASTContext &ACtx = BVF.getContext(); const ASTContext &ACtx = BVF.getContext();
// These types are useful for writing specifications quickly, // These types are useful for writing specifications quickly,
// New specifications should probably introduce more types. // New specifications should probably introduce more types.
// Some types are hard to obtain from the AST, eg. "ssize_t". // Some types are hard to obtain from the AST, eg. "ssize_t".
// In such cases it should be possible to provide multiple variants // In such cases it should be possible to provide multiple variants
// of function summary for common cases (eg. ssize_t could be int or long // of function summary for common cases (eg. ssize_t could be int or long
// or long long, so three summary variants would be enough). // or long long, so three summary variants would be enough).
// Of course, function variants are also useful for C++ overloads. // Of course, function variants are also useful for C++ overloads.
const QualType IntTy = ACtx.IntTy; const QualType IntTy = ACtx.IntTy;
const QualType LongTy = ACtx.LongTy; const QualType LongTy = ACtx.LongTy;
const QualType LongLongTy = ACtx.LongLongTy; const QualType LongLongTy = ACtx.LongLongTy;
const QualType SizeTy = ACtx.getSizeType(); const QualType SizeTy = ACtx.getSizeType();
const QualType VoidPtrTy = ACtx.VoidPtrTy; // void * const QualType VoidPtrTy = ACtx.VoidPtrTy; // void *
const QualType VoidPtrRestrictTy = const QualType VoidPtrRestrictTy =
ACtx.getRestrictType(VoidPtrTy); // void *restrict ACtx.getLangOpts().C99 ? ACtx.getRestrictType(VoidPtrTy) // void *restrict
: VoidPtrTy;
const QualType ConstVoidPtrTy = const QualType ConstVoidPtrTy =
ACtx.getPointerType(ACtx.VoidTy.withConst()); // const void * ACtx.getPointerType(ACtx.VoidTy.withConst()); // const void *
const QualType ConstCharPtrTy = const QualType ConstCharPtrTy =
ACtx.getPointerType(ACtx.CharTy.withConst()); // const char * ACtx.getPointerType(ACtx.CharTy.withConst()); // const char *
const QualType ConstVoidPtrRestrictTy = const QualType ConstVoidPtrRestrictTy =
ACtx.getRestrictType(ConstVoidPtrTy); // const void *restrict ACtx.getLangOpts().C99
? ACtx.getRestrictType(ConstVoidPtrTy) // const void *restrict
: ConstVoidPtrTy;
const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue(); const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue();
const RangeInt LongMax = BVF.getMaxValue(LongTy).getLimitedValue(); const RangeInt LongMax = BVF.getMaxValue(LongTy).getLimitedValue();
const RangeInt LongLongMax = BVF.getMaxValue(LongLongTy).getLimitedValue(); const RangeInt LongLongMax = BVF.getMaxValue(LongLongTy).getLimitedValue();
// Set UCharRangeMax to min of int or uchar maximum value. // Set UCharRangeMax to min of int or uchar maximum value.
// The C standard states that the arguments of functions like isalpha must // The C standard states that the arguments of functions like isalpha must
// be representable as an unsigned char. Their type is 'int', so the max // be representable as an unsigned char. Their type is 'int', so the max
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Linesvoid StdLibraryFunctionsChecker::initFunctionSummaries(
auto SingleValue = [](RangeInt v) { auto SingleValue = [](RangeInt v) {
return IntRangeVector{std::pair<RangeInt, RangeInt>{v, v}}; return IntRangeVector{std::pair<RangeInt, RangeInt>{v, v}};
}; };
auto LessThanOrEq = BO_LE; auto LessThanOrEq = BO_LE;
auto NotNull = [&](ArgNo ArgN) { auto NotNull = [&](ArgNo ArgN) {
return std::make_shared<NotNullConstraint>(ArgN); return std::make_shared<NotNullConstraint>(ArgN);
}; };
Optional<QualType> FileTy = lookupType("FILE", ACtx);
balazskeUnsubmitted
Done
ReplyInline Actions

There is a ASTContext::getFILEType that can be used for this. (But if more types are needed the lookupType must be used again.)

balazske: There is a `ASTContext::getFILEType` that can be used for this. (But if more types are needed…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Yeah, didn't realize that we have getFILEType until now. It's unfortunate that I added the tests for FILE in this sense.

getFILEType can return a null QualType, which unfortunately can be mixed with Irrelevant. I'd like to avoid that. Still, we could initialize the Optional<QualType> with the help of getFILEType. Maybe in a later patch it would be worth to do that (and then refactor the lookup.c[pp] tests too).

On the other hand, since we are going to use lookupType extensively with other types, I don't see much benefit to make an exemption to FILE.

martong: Yeah, didn't realize that we have `getFILEType` until now. It's unfortunate that I added the…
Optional<QualType> FilePtrTy, FilePtrRestrictTy;
if (FileTy) {
// FILE *
FilePtrTy = ACtx.getPointerType(*FileTy);
// FILE *restrict
FilePtrRestrictTy =
ACtx.getLangOpts().C99 ? ACtx.getRestrictType(*FilePtrTy) : *FilePtrTy;
}
balazskeUnsubmitted
Done
ReplyInline Actions

The Optional<QualType> can be left out from the right side expressions (in the ? operator part). (A QualType should be assignable to Optional<QualType>.)

balazske: The `Optional<QualType>` can be left out from the right side expressions (in the `?` operator…
martongAuthorUnsubmitted
Done
ReplyInline Actions

No that cannot be left out. Implicit conversion does not play when trying to determine the common type for the 2nd and 3rd argument of the ternary op. https://stackoverflow.com/questions/32251419/c-ternary-operator-conditional-operator-and-its-implicit-type-conversion-r
So, removing the explicit type I get a compile error.

martong: No that cannot be left out. Implicit conversion does not play when trying to determine the…
balazskeUnsubmitted
Done
ReplyInline Actions

Still I do not like that code. Probably this is better then:

Optional<QualType> FilePtrTy, FilePtrRestrictTy;
if (FileTy) {
  FilePtrTy = ACtx.getPointerType(*FileTy);
  FilePtrRestrictTy = ACtx.getLangOpts().C99
                          ? ACtx.getRestrictType(*FilePtrTy) // FILE *restrict
                          : *FilePtrTy)
}
balazske: Still I do not like that code. Probably this is better then: ``` Optional<QualType> FilePtrTy…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Ok, I added the if.

martong: Ok, I added the `if`.
using RetType = QualType; using RetType = QualType;
// Templates for summaries that are reused by many functions. // Templates for summaries that are reused by many functions.
auto Getc = [&]() { auto Getc = [&]() {
return Summary(ArgTypes{Irrelevant}, RetType{IntTy}, NoEvalCall) return Summary(ArgTypes{*FilePtrTy}, RetType{IntTy}, NoEvalCall)
.Case({ReturnValueCondition(WithinRange, .Case({ReturnValueCondition(WithinRange,
{{EOFv, EOFv}, {0, UCharRangeMax}})}); {{EOFv, EOFv}, {0, UCharRangeMax}})});
}; };
auto Read = [&](RetType R, RangeInt Max) { auto Read = [&](RetType R, RangeInt Max) {
return Summary(ArgTypes{Irrelevant, Irrelevant, SizeTy}, RetType{R}, return Summary(ArgTypes{Irrelevant, Irrelevant, SizeTy}, RetType{R},
NoEvalCall) NoEvalCall)
.Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
ReturnValueCondition(WithinRange, Range(-1, Max))}); ReturnValueCondition(WithinRange, Range(-1, Max))});
}; };
auto Fread = [&]() { auto Fread = [&]() {
return Summary(ArgTypes{VoidPtrRestrictTy, Irrelevant, SizeTy, Irrelevant}, return Summary(
ArgTypes{VoidPtrRestrictTy, SizeTy, SizeTy, *FilePtrRestrictTy},
RetType{SizeTy}, NoEvalCall) RetType{SizeTy}, NoEvalCall)
.Case({ .Case({
ReturnValueCondition(LessThanOrEq, ArgNo(2)), ReturnValueCondition(LessThanOrEq, ArgNo(2)),
}) })
.ArgConstraint(NotNull(ArgNo(0))); .ArgConstraint(NotNull(ArgNo(0)));
}; };
auto Fwrite = [&]() { auto Fwrite = [&]() {
return Summary( return Summary(ArgTypes{ConstVoidPtrRestrictTy, SizeTy, SizeTy,
ArgTypes{ConstVoidPtrRestrictTy, Irrelevant, SizeTy, Irrelevant}, *FilePtrRestrictTy},
RetType{SizeTy}, NoEvalCall) RetType{SizeTy}, NoEvalCall)
.Case({ .Case({
ReturnValueCondition(LessThanOrEq, ArgNo(2)), ReturnValueCondition(LessThanOrEq, ArgNo(2)),
}) })
.ArgConstraint(NotNull(ArgNo(0))); .ArgConstraint(NotNull(ArgNo(0)));
}; };
auto Getline = [&](RetType R, RangeInt Max) { auto Getline = [&](RetType R, RangeInt Max) {
return Summary(ArgTypes{Irrelevant, Irrelevant, Irrelevant}, RetType{R}, return Summary(ArgTypes{Irrelevant, Irrelevant, Irrelevant}, RetType{R},
NoEvalCall) NoEvalCall)
▲ Show 20 LinesShow All 130 Lines▼ Show 20 Lines addToFunctionSummaryMap(
.Case({ArgumentCondition(0U, WithinRange, .Case({ArgumentCondition(0U, WithinRange,
{{'0', '9'}, {'A', 'F'}, {'a', 'f'}}), {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),
ReturnValueCondition(OutOfRange, SingleValue(0))}) ReturnValueCondition(OutOfRange, SingleValue(0))})
.Case({ArgumentCondition(0U, OutOfRange, .Case({ArgumentCondition(0U, OutOfRange,
{{'0', '9'}, {'A', 'F'}, {'a', 'f'}}), {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),
ReturnValueCondition(WithinRange, SingleValue(0))})); ReturnValueCondition(WithinRange, SingleValue(0))}));
// The getc() family of functions that returns either a char or an EOF. // The getc() family of functions that returns either a char or an EOF.
if (FilePtrTy) {
addToFunctionSummaryMap("getc", Getc()); addToFunctionSummaryMap("getc", Getc());
addToFunctionSummaryMap("fgetc", Getc()); addToFunctionSummaryMap("fgetc", Getc());
}
addToFunctionSummaryMap( addToFunctionSummaryMap(
"getchar", Summary(ArgTypes{}, RetType{IntTy}, NoEvalCall) "getchar", Summary(ArgTypes{}, RetType{IntTy}, NoEvalCall)
.Case({ReturnValueCondition( .Case({ReturnValueCondition(
WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})})); WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})}));
// read()-like functions that never return more than buffer size. // read()-like functions that never return more than buffer size.
if (FilePtrRestrictTy) {
addToFunctionSummaryMap("fread", Fread());
addToFunctionSummaryMap("fwrite", Fwrite());
}
// We are not sure how ssize_t is defined on every platform, so we // We are not sure how ssize_t is defined on every platform, so we
// provide three variants that should cover common cases. // provide three variants that should cover common cases.
// FIXME these are actually defined by POSIX and not by the C standard, we
// should handle them together with the rest of the POSIX functions.
addToFunctionSummaryMap("read", {Read(IntTy, IntMax), Read(LongTy, LongMax), addToFunctionSummaryMap("read", {Read(IntTy, IntMax), Read(LongTy, LongMax),
Read(LongLongTy, LongLongMax)}); Read(LongLongTy, LongLongMax)});
addToFunctionSummaryMap("write", {Read(IntTy, IntMax), Read(LongTy, LongMax), addToFunctionSummaryMap("write", {Read(IntTy, IntMax), Read(LongTy, LongMax),
Read(LongLongTy, LongLongMax)}); Read(LongLongTy, LongLongMax)});
addToFunctionSummaryMap("fread", Fread());
addToFunctionSummaryMap("fwrite", Fwrite());
// getline()-like functions either fail or read at least the delimiter. // getline()-like functions either fail or read at least the delimiter.
// FIXME these are actually defined by POSIX and not by the C standard, we
// should handle them together with the rest of the POSIX functions.
addToFunctionSummaryMap("getline", addToFunctionSummaryMap("getline",
{Getline(IntTy, IntMax), Getline(LongTy, LongMax), {Getline(IntTy, IntMax), Getline(LongTy, LongMax),
Getline(LongLongTy, LongLongMax)}); Getline(LongLongTy, LongLongMax)});
addToFunctionSummaryMap("getdelim", addToFunctionSummaryMap("getdelim",
{Getline(IntTy, IntMax), Getline(LongTy, LongMax), {Getline(IntTy, IntMax), Getline(LongTy, LongMax),
Getline(LongLongTy, LongLongMax)}); Getline(LongLongTy, LongLongMax)});
// Functions for testing. // Functions for testing.
▲ Show 20 LinesShow All 59 LinesShow Last 20 Lines

clang/test/Analysis/std-c-library-functions-arg-constraints.c

Show First 20 LinesShow All 58 Lines▼ Show 20 Lines if (x > 255) { // \
// bugpath-note{{Function argument constraint is not satisfied}} // bugpath-note{{Function argument constraint is not satisfied}}
(void)ret; (void)ret;
} }
} }
typedef struct FILE FILE; typedef struct FILE FILE;
typedef typeof(sizeof(int)) size_t; typedef typeof(sizeof(int)) size_t;
size_t fread(void *restrict, size_t, size_t, FILE *); size_t fread(void *restrict, size_t, size_t, FILE *restrict);
void test_notnull_concrete(FILE *fp) { void test_notnull_concrete(FILE *fp) {
fread(0, sizeof(int), 10, fp); // \ fread(0, sizeof(int), 10, fp); // \
// report-warning{{Function argument constraint is not satisfied}} \ // report-warning{{Function argument constraint is not satisfied}} \
// bugpath-warning{{Function argument constraint is not satisfied}} \ // bugpath-warning{{Function argument constraint is not satisfied}} \
// bugpath-note{{Function argument constraint is not satisfied}} // bugpath-note{{Function argument constraint is not satisfied}}
} }
void test_notnull_symbolic(FILE *fp, int *buf) { void test_notnull_symbolic(FILE *fp, int *buf) {
fread(buf, sizeof(int), 10, fp); fread(buf, sizeof(int), 10, fp);
▲ Show 20 LinesShow All 100 LinesShow Last 20 Lines

clang/test/Analysis/std-c-library-functions-lookup.c

  • This file was added.
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \
// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries=true \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false \
// RUN: -triple i686-unknown-linux 2>&1 | FileCheck %s
// CHECK: Loaded summary for: unsigned int fread(void *restrict, size_t, size_t, FILE *restrict)
typedef typeof(sizeof(int)) size_t;
typedef struct FILE FILE;
size_t fread(void *restrict, size_t, size_t, FILE *restrict);
// Must have at least one call expression to initialize the summary map.
int bar(void);
void foo() {
bar();
}

clang/test/Analysis/std-c-library-functions-lookup.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=apiModeling.StdCLibraryFunctions \
// RUN: -analyzer-config apiModeling.StdCLibraryFunctions:DisplayLoadedSummaries=true \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false \
// RUN: -triple i686-unknown-linux 2>&1 | FileCheck %s
// CHECK: Loaded summary for: size_t fread(void *, size_t, size_t, FILE *)
// CHECK-NOT: Loaded summary for: size_t fread(void *, size_t, size_t, MyFile *)
typedef unsigned int size_t;
typedef struct FILE FILE;
size_t fread(void *, size_t, size_t, FILE *);
struct MyFile;
size_t fread(void *, size_t, size_t, MyFile *);
// Must have at least one call expression to initialize the summary map.
int bar(void);
void foo() {
bar();
}

clang/test/Analysis/std-c-library-functions.c

Show First 20 LinesShow All 47 Lines▼ Show 20 Lines
// CHECK-NEXT: Loaded summary for: int isprint(int) // CHECK-NEXT: Loaded summary for: int isprint(int)
// CHECK-NEXT: Loaded summary for: int ispunct(int) // CHECK-NEXT: Loaded summary for: int ispunct(int)
// CHECK-NEXT: Loaded summary for: int isspace(int) // CHECK-NEXT: Loaded summary for: int isspace(int)
// CHECK-NEXT: Loaded summary for: int isupper(int) // CHECK-NEXT: Loaded summary for: int isupper(int)
// CHECK-NEXT: Loaded summary for: int isxdigit(int) // CHECK-NEXT: Loaded summary for: int isxdigit(int)
// CHECK-NEXT: Loaded summary for: int getc(FILE *) // CHECK-NEXT: Loaded summary for: int getc(FILE *)
// CHECK-NEXT: Loaded summary for: int fgetc(FILE *) // CHECK-NEXT: Loaded summary for: int fgetc(FILE *)
// CHECK-NEXT: Loaded summary for: int getchar() // CHECK-NEXT: Loaded summary for: int getchar()
// CHECK-NEXT: Loaded summary for: unsigned int fread(void *restrict, size_t, size_t, FILE *restrict)
// CHECK-NEXT: Loaded summary for: unsigned int fwrite(const void *restrict, size_t, size_t, FILE *restrict)
// CHECK-NEXT: Loaded summary for: ssize_t read(int, void *, size_t) // CHECK-NEXT: Loaded summary for: ssize_t read(int, void *, size_t)
// CHECK-NEXT: Loaded summary for: ssize_t write(int, const void *, size_t) // CHECK-NEXT: Loaded summary for: ssize_t write(int, const void *, size_t)
// CHECK-NEXT: Loaded summary for: unsigned int fread(void *restrict, size_t, size_t, FILE *)
// CHECK-NEXT: Loaded summary for: unsigned int fwrite(const void *restrict, size_t, size_t, FILE *restrict)
// CHECK-NEXT: Loaded summary for: ssize_t getline(char **, size_t *, FILE *) // CHECK-NEXT: Loaded summary for: ssize_t getline(char **, size_t *, FILE *)
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
int glob; int glob;
typedef struct FILE FILE; typedef struct FILE FILE;
#define EOF -1 #define EOF -1
Show All 31 Lines if (y >= 0) {
// -1 overflows on promotion! // -1 overflows on promotion!
clang_analyzer_eval(y <= sizeof(glob)); // expected-warning{{FALSE}} clang_analyzer_eval(y <= sizeof(glob)); // expected-warning{{FALSE}}
} }
} else { } else {
clang_analyzer_eval(x == -1); // expected-warning{{TRUE}} clang_analyzer_eval(x == -1); // expected-warning{{TRUE}}
} }
} }
size_t fread(void *restrict, size_t, size_t, FILE *); size_t fread(void *restrict, size_t, size_t, FILE *restrict);
size_t fwrite(const void *restrict, size_t, size_t, FILE *restrict); size_t fwrite(const void *restrict, size_t, size_t, FILE *restrict);
void test_fread_fwrite(FILE *fp, int *buf) { void test_fread_fwrite(FILE *fp, int *buf) {
size_t x = fwrite(buf, sizeof(int), 10, fp); size_t x = fwrite(buf, sizeof(int), 10, fp);
clang_analyzer_eval(x <= 10); // expected-warning{{TRUE}} clang_analyzer_eval(x <= 10); // expected-warning{{TRUE}}
size_t y = fread(buf, sizeof(int), 10, fp); size_t y = fread(buf, sizeof(int), 10, fp);
clang_analyzer_eval(y <= 10); // expected-warning{{TRUE}} clang_analyzer_eval(y <= 10); // expected-warning{{TRUE}}
▲ Show 20 LinesShow All 138 LinesShow Last 20 Lines