This is an archive of the discontinued LLVM Phabricator instance.

Differential D80018

[Analyzer][StreamChecker] Added check for "indeterminate file position".
ClosedPublic

Authored by balazske on May 15 2020, 9:23 AM.

Details

Reviewers
Szelethus
baloghadamsoftware
martong
NoQ
xazax.hun
dcoughlin
Commits
rG9081fa20991d: [Analyzer][StreamChecker] Added check for "indeterminate file position".
Summary

According to the standard, after a wread or fwrite call the file position
becomes "indeterminate". It is assumable that a next read or write causes
undefined behavior, so a (fatal error) warning is added for this case.
The indeterminate position can be cleared by some operations, for example
fseek or freopen, not with clearerr.

Diff Detail

Event Timeline

balazske created this revision.May 15 2020, 9:23 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptMay 15 2020, 9:24 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: cfe-commits, ASDenysPetrov, martong and 10 others. · View Herald Transcript
Harbormaster failed remote builds in B56880: Diff 264265!May 15 2020, 9:46 AM
balazske added a parent revision: D80015: [Analyzer][StreamChecker] Added support for 'fread' and 'fwrite'..May 18 2020, 12:58 AM
Szelethus added a subscriber: NoQ.May 21 2020, 3:02 AM

I have more questions than actual objections, but here we go! The patch looks nice overall, we just need to iron a few things out ahead of time.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
124

What does this mean? "An EOF+indeterminate state is the same as EOF state." I don't understand the message you want to convey here -- is it that we cannot have an indeterminate file position indicator if we hit EOF, hence we regard a stream that is known to be EOF to have its file position indicator determinate?

A good followup question for the uninitiated would be that "Well why is it ever legal to construct a StreamState object that can both have the FilePositionIndeterminate set to true and the ErrorState indicate that the steam is known to be in EOF?" Well, the answer is that we may only realize later that the error state can only be EOF, like in here:

void f() {
 FILE *F = fopen(...);
 if (fseek(F, ...)) {
    // Could be either EOF, ERROR, and ofc indeterminate
    if (eof(F)) {
      // This is where we have a seemingly impossible stream state, but its not a programming error, its a design decision.
    }
}

This might warrant a bit on explanation either here, or in ensureNoFilePositionIndeterminate. Probably the latter.

With that said, can SteamState's constructor ensure that we do not create a known to be EOF stream that is indeterminate?

131

Let's not cheap out on this parameter name :^)

198–201

In time, we could create a new checker for each of these bug types, similar to how D77866 does it. But this is clearly a low prio issue, I'm just talking aloud.

313

Ooooor ensureFilePositionDeterminate? :D

845–846

I think we shouldn't say its ignored, but rather its impossible. I mean, if we have reached the end of the file, how could the file position indicator be indeterminate?

860

Good question. It would make sense... @NoQ, @xazax.hun?

863–874

Ugh, tough one. I think this just isn't really *the* error to highlight here, but rather that its bad practice to not check on the stream after an operation. But I'm willing to accept I might be wrong here.

clang/test/Analysis/stream-error.c
182

Here the user checked whether F is in eof or in ferror, and its in neither. Isn't it reasonable to assume then that the stream is fine?

Szelethus added inline comments.May 21 2020, 3:04 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
124

Actually, not enforcing this could leave to false positives:

void f() {
 FILE *F = fopen(...);
 if (fseek(F, ...)) {
    // Could be either EOF, ERROR, and ofc indeterminate
    if (eof(F)) {
      clearerr(F);
      fseek(F, ...); // false positive warning
    }
}
Szelethus added reviewers: baloghadamsoftware, martong, NoQ, xazax.hun, dcoughlin.May 21 2020, 3:04 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptMay 21 2020, 3:04 AM
Szelethus added inline comments.May 21 2020, 3:29 AM
clang/test/Analysis/stream-error.c
182

Oh wow I meant to delete this inline. Please disregard.

balazske marked 4 inline comments as done.May 21 2020, 4:08 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
124

The comment wants to say only that if the ErrorState contains the ErrorFEof the value of filePositionIndeterminate is to be ignored for the EOF case. If the file is in EOF it does not matter what value filePositionIndeterminate has. The cause for this handling is that ErrorState handles multiple possible errors together but the indeterminate position does not apply to all. If ErrorState contains ErrorFEof and ErrorFError together and the filePositionIndeterminate is set, the position is not indeterminate in the EOF case. For EOF case we should know that the position is at the end of the file, not indeterminate.

Another solution for this problem can be to have a "ErrorFErrorIndeterminate" and "ErrorNoneIndeterminate" error type but this makes things more difficult to handle.

313

It is better to call "Invalid" or "Unknown" position, "indeterminate" is taken from the text of the C standard. I think "indeterminate" is a special name here that is better to have in this form always.

595

This is a place where FilePositionIndeterminate is set in the state. We do not know if FEOF or FERROR will happen. If it is FERROR the position is indeterminate, if it is FEOF the position is not indeterminate.

845–846

The previous comment tells why it is set. The FEOF case is represented in the data structure with indeterminate flag set or not set. Both mean the same state of the modeled stream: FEOF and not indeterminate.

Szelethus marked an inline comment as done.May 25 2020, 7:13 AM
Szelethus added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
124

What do you mean under the term "the EOF case"? When we know the stream to only be in the EOF state? The overall modeling seems correct, its just that little corner case that if we know that the stream hit EOF, the file position must be determinate.

313

Sure, I'm sold.

balazske marked an inline comment as done.May 26 2020, 12:30 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
124

The "difficult" case is when we do not know if the stream is in error or EOF state. We know only that it is in one of these. And the FilePositionIndeterminate is set to true. In this state FEof and FError are true in ErrorState. If the program should know what the error is, it needs to generate 2 new states, one with only FEof true and other with FError. And how to set the FilePositionIndeterminate for the new states? For FError it must be set to true because it was true before, for FEof it is set to false because by definition it is not applied to FEof case. (This last is the EOF case above.)

This table shows what (real) stream state is represented (values at right) by what values in StreamState (values at left side):

FEofFErrorFilePositionIndeterminatestream feof?stream ferror?position indeterminate?
falsefalsetruefalsefalsetrue
truefalsetruetruefalsefalse
falsetruetruefalsetruetrue
truetruetrue---
Szelethus added inline comments.May 26 2020, 2:48 AM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
124

Right. How about we make this field private and create a an isFilePositionIndeterminate() method that ensures that for the second row of that table we always return false? That would take some responsibility off of this interface's users.

847–848

This branch could be removed in its entirety.

860

Well, looking at other checkers, they usually early return and don't modify the state if the creation of the error node failed, so a nullptr return would be more appropriate.

863–874

Actually, I take this back. If we had NoteTags to explain that "this stream operation failed and left the stream file position indication in an indeterminate state", this would be great.

balazske marked an inline comment as done.May 26 2020, 8:06 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
863–874

Adding of NoteTag and other bug path improvements are planned in the next changes. (The message text could mention that error check was probably forgotten. But the faulty function can be called despite the error check was done.)

Szelethus added inline comments.May 26 2020, 12:20 PM
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
863–874

Cool! Proceed as its most convenient, no need to rush it while the checker is in alpha.

balazske updated this revision to Diff 266434.May 26 2020, 11:52 PM
  • Rebase
  • Some StreamState members are const and checked in constructor
  • Restructuring of some functions.
balazske updated this revision to Diff 266440.May 27 2020, 12:29 AM
balazske marked 2 inline comments as done.
  • Fixed a bug in previous update
  • Added new tests
balazske marked 10 inline comments as done.May 27 2020, 12:32 AM
Harbormaster completed remote builds in B58001: Diff 266434.May 27 2020, 1:02 AM
Harbormaster completed remote builds in B58005: Diff 266440.May 27 2020, 1:35 AM
Szelethus added a comment.May 27 2020, 1:49 AM

LGTM, I just have one question in the inlines.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
111–114

Cool! Though it makes me wish we had a constructor that just constructs a stream in EOF that doesn't require a file position argument, because this will ensure that the state is correct, but its still the user of this interface who is responsible for making it so.

With that said, feel free to leave it as-is, if there ever emerges a desire for such an interface, we can make that happen anytime.

670–673

But what if I inspect errno and conclude that the file position is intact? Is there such a thing? After a call to stream operation that might leave the file position indicator indeterminate and getting ferror, am I supposed to fseek or reopen the file no matter what?

balazske marked an inline comment as done.May 27 2020, 2:47 AM
balazske added inline comments.
clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
670–673

There is not much information about what errno values mean an indeterminate file position (and what errno values are possible at all after a specific operation). Probably we can assume that only position reset (fseek, fsetpos, rewind) and fflush fixes the wrong state. Many of stream handling code anyway aborts the operation if error happens.

Szelethus accepted this revision.May 27 2020, 5:24 AM

LGTM! This patch is great! I think you're doing a great job with this project.

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp
670–673

Yeah, this makes sense. We should double check the standard in time though.

This revision is now accepted and ready to land.May 27 2020, 5:24 AM
Closed by commit rG9081fa20991d: [Analyzer][StreamChecker] Added check for "indeterminate file position". (authored by balazske). · Explain WhyMay 27 2020, 11:25 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
124 lines
test/
Analysis/
71 lines

Diff 266752

clang/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

Show First 20 LinesShow All 86 Lines▼ Show 20 Linesstruct StreamState {
enum KindTy { enum KindTy {
Opened, /// Stream is opened. Opened, /// Stream is opened.
Closed, /// Closed stream (an invalid stream pointer after it was closed). Closed, /// Closed stream (an invalid stream pointer after it was closed).
OpenFailed /// The last open operation has failed. OpenFailed /// The last open operation has failed.
} State; } State;
/// State of the error flags. /// State of the error flags.
/// Ignored in non-opened stream state but must be NoError. /// Ignored in non-opened stream state but must be NoError.
StreamErrorState ErrorState; StreamErrorState const ErrorState;
/// Indicate if the file has an "indeterminate file position indicator".
/// This can be set at a failing read or write or seek operation.
/// If it is set no more read or write is allowed.
/// This value is not dependent on the stream error flags:
/// The error flag may be cleared with `clearerr` but the file position
/// remains still indeterminate.
/// This value applies to all error states in ErrorState except FEOF.
/// An EOF+indeterminate state is the same as EOF state.
bool const FilePositionIndeterminate = false;
StreamState(const FnDescription *L, KindTy S, const StreamErrorState &ES,
bool IsFilePositionIndeterminate)
: LastOperation(L), State(S), ErrorState(ES),
FilePositionIndeterminate(IsFilePositionIndeterminate) {
assert((!ES.isFEof() || !IsFilePositionIndeterminate) &&
"FilePositionIndeterminate should be false in FEof case.");
assert((State == Opened || ErrorState.isNoError()) &&
"ErrorState should be None in non-opened stream state.");
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Cool! Though it makes me wish we had a constructor that just constructs a stream in EOF that doesn't require a file position argument, because this will ensure that the state is correct, but its still the user of this interface who is responsible for making it so.

With that said, feel free to leave it as-is, if there ever emerges a desire for such an interface, we can make that happen anytime.

Szelethus: Cool! Though it makes me wish we had a constructor that just constructs a stream in EOF that…
}
bool isOpened() const { return State == Opened; } bool isOpened() const { return State == Opened; }
bool isClosed() const { return State == Closed; } bool isClosed() const { return State == Closed; }
bool isOpenFailed() const { return State == OpenFailed; } bool isOpenFailed() const { return State == OpenFailed; }
bool operator==(const StreamState &X) const { bool operator==(const StreamState &X) const {
// In not opened state error state should always NoError, so comparison // In not opened state error state should always NoError, so comparison
// here is no problem. // here is no problem.
return LastOperation == X.LastOperation && State == X.State && return LastOperation == X.LastOperation && State == X.State &&
SzelethusUnsubmitted
Done
ReplyInline Actions

What does this mean? "An EOF+indeterminate state is the same as EOF state." I don't understand the message you want to convey here -- is it that we cannot have an indeterminate file position indicator if we hit EOF, hence we regard a stream that is known to be EOF to have its file position indicator determinate?

A good followup question for the uninitiated would be that "Well why is it ever legal to construct a StreamState object that can both have the FilePositionIndeterminate set to true and the ErrorState indicate that the steam is known to be in EOF?" Well, the answer is that we may only realize later that the error state can only be EOF, like in here:

void f() {
 FILE *F = fopen(...);
 if (fseek(F, ...)) {
    // Could be either EOF, ERROR, and ofc indeterminate
    if (eof(F)) {
      // This is where we have a seemingly impossible stream state, but its not a programming error, its a design decision.
    }
}

This might warrant a bit on explanation either here, or in ensureNoFilePositionIndeterminate. Probably the latter.

With that said, can SteamState's constructor ensure that we do not create a known to be EOF stream that is indeterminate?

Szelethus: What does this mean? "An EOF+indeterminate state is the same as EOF state." I don't understand…
SzelethusUnsubmitted
Done
ReplyInline Actions

Actually, not enforcing this could leave to false positives:

void f() {
 FILE *F = fopen(...);
 if (fseek(F, ...)) {
    // Could be either EOF, ERROR, and ofc indeterminate
    if (eof(F)) {
      clearerr(F);
      fseek(F, ...); // false positive warning
    }
}
Szelethus: Actually, not enforcing this could leave to false positives: ``` void f() { FILE *F = fopen(..
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The comment wants to say only that if the ErrorState contains the ErrorFEof the value of filePositionIndeterminate is to be ignored for the EOF case. If the file is in EOF it does not matter what value filePositionIndeterminate has. The cause for this handling is that ErrorState handles multiple possible errors together but the indeterminate position does not apply to all. If ErrorState contains ErrorFEof and ErrorFError together and the filePositionIndeterminate is set, the position is not indeterminate in the EOF case. For EOF case we should know that the position is at the end of the file, not indeterminate.

Another solution for this problem can be to have a "ErrorFErrorIndeterminate" and "ErrorNoneIndeterminate" error type but this makes things more difficult to handle.

balazske: The comment wants to say only that if the **ErrorState** contains the **ErrorFEof** the value…
SzelethusUnsubmitted
Done
ReplyInline Actions

What do you mean under the term "the EOF case"? When we know the stream to only be in the EOF state? The overall modeling seems correct, its just that little corner case that if we know that the stream hit EOF, the file position must be determinate.

Szelethus: What do you mean under the term "the EOF case"? When we **know** the stream to only be in the…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The "difficult" case is when we do not know if the stream is in error or EOF state. We know only that it is in one of these. And the FilePositionIndeterminate is set to true. In this state FEof and FError are true in ErrorState. If the program should know what the error is, it needs to generate 2 new states, one with only FEof true and other with FError. And how to set the FilePositionIndeterminate for the new states? For FError it must be set to true because it was true before, for FEof it is set to false because by definition it is not applied to FEof case. (This last is the EOF case above.)

This table shows what (real) stream state is represented (values at right) by what values in StreamState (values at left side):

FEofFErrorFilePositionIndeterminatestream feof?stream ferror?position indeterminate?
falsefalsetruefalsefalsetrue
truefalsetruetruefalsefalse
falsetruetruefalsetruetrue
truetruetrue---
balazske: The "difficult" case is when we do not know if the stream is in error or EOF state. We know…
SzelethusUnsubmitted
Done
ReplyInline Actions

Right. How about we make this field private and create a an isFilePositionIndeterminate() method that ensures that for the second row of that table we always return false? That would take some responsibility off of this interface's users.

Szelethus: Right. How about we make this field private and create a an `isFilePositionIndeterminate()`…
ErrorState == X.ErrorState; ErrorState == X.ErrorState &&
FilePositionIndeterminate == X.FilePositionIndeterminate;
} }
static StreamState getOpened(const FnDescription *L, static StreamState getOpened(const FnDescription *L,
const StreamErrorState &ES = {}) { const StreamErrorState &ES = ErrorNone,
return StreamState{L, Opened, ES}; bool IsFilePositionIndeterminate = false) {
SzelethusUnsubmitted
Done
ReplyInline Actions

Let's not cheap out on this parameter name :^)

Szelethus: Let's not cheap out on this parameter name :^)
return StreamState{L, Opened, ES, IsFilePositionIndeterminate};
} }
static StreamState getClosed(const FnDescription *L) { static StreamState getClosed(const FnDescription *L) {
return StreamState{L, Closed, {}}; return StreamState{L, Closed, {}, false};
} }
static StreamState getOpenFailed(const FnDescription *L) { static StreamState getOpenFailed(const FnDescription *L) {
return StreamState{L, OpenFailed, {}}; return StreamState{L, OpenFailed, {}, false};
} }
void Profile(llvm::FoldingSetNodeID &ID) const { void Profile(llvm::FoldingSetNodeID &ID) const {
ID.AddPointer(LastOperation); ID.AddPointer(LastOperation);
ID.AddInteger(State); ID.AddInteger(State);
ID.AddInteger(ErrorState); ID.AddInteger(ErrorState);
ID.AddBoolean(FilePositionIndeterminate);
} }
}; };
class StreamChecker; class StreamChecker;
using FnCheck = std::function<void(const StreamChecker *, const FnDescription *, using FnCheck = std::function<void(const StreamChecker *, const FnDescription *,
const CallEvent &, CheckerContext &)>; const CallEvent &, CheckerContext &)>;
using ArgNoTy = unsigned int; using ArgNoTy = unsigned int;
Show All 36 LinesProgramStateRef bindInt(uint64_t Value, ProgramStateRef State,
CheckerContext &C, const CallExpr *CE) { CheckerContext &C, const CallExpr *CE) {
State = State->BindExpr(CE, C.getLocationContext(), State = State->BindExpr(CE, C.getLocationContext(),
C.getSValBuilder().makeIntVal(Value, false)); C.getSValBuilder().makeIntVal(Value, false));
return State; return State;
} }
class StreamChecker class StreamChecker
: public Checker<check::PreCall, eval::Call, check::DeadSymbols> { : public Checker<check::PreCall, eval::Call, check::DeadSymbols> {
mutable std::unique_ptr<BuiltinBug> BT_nullfp, BT_illegalwhence, mutable std::unique_ptr<BuiltinBug> BT_nullfp, BT_illegalwhence,
BT_UseAfterClose, BT_UseAfterOpenFailed, BT_ResourceLeak, BT_StreamEof; BT_UseAfterClose, BT_UseAfterOpenFailed, BT_ResourceLeak, BT_StreamEof,
BT_IndeterminatePosition;
SzelethusUnsubmitted
Not Done
ReplyInline Actions

In time, we could create a new checker for each of these bug types, similar to how D77866 does it. But this is clearly a low prio issue, I'm just talking aloud.

Szelethus: In time, we could create a new checker for each of these bug types, similar to how D77866 does…
public: public:
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
bool evalCall(const CallEvent &Call, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
/// If true, evaluate special testing stream functions. /// If true, evaluate special testing stream functions.
bool TestMode = false; bool TestMode = false;
▲ Show 20 LinesShow All 88 Lines▼ Show 20 Lines ProgramStateRef ensureStreamNonNull(SVal StreamVal, CheckerContext &C,
ProgramStateRef State) const; ProgramStateRef State) const;
/// Check that the stream is the opened state. /// Check that the stream is the opened state.
/// If the stream is known to be not opened an error is generated /// If the stream is known to be not opened an error is generated
/// and nullptr returned, otherwise the original state is returned. /// and nullptr returned, otherwise the original state is returned.
ProgramStateRef ensureStreamOpened(SVal StreamVal, CheckerContext &C, ProgramStateRef ensureStreamOpened(SVal StreamVal, CheckerContext &C,
ProgramStateRef State) const; ProgramStateRef State) const;
/// Check that the stream has not an invalid ("indeterminate") file position,
/// generate warning for it.
/// (EOF is not an invalid position.)
/// The returned state can be nullptr if a fatal error was generated.
/// It can return non-null state if the stream has not an invalid position or
/// there is execution path with non-invalid position.
ProgramStateRef
ensureNoFilePositionIndeterminate(SVal StreamVal, CheckerContext &C,
SzelethusUnsubmitted
Done
ReplyInline Actions

Ooooor ensureFilePositionDeterminate? :D

Szelethus: Ooooor `ensureFilePositionDeterminate`? :D
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

It is better to call "Invalid" or "Unknown" position, "indeterminate" is taken from the text of the C standard. I think "indeterminate" is a special name here that is better to have in this form always.

balazske: It is better to call "Invalid" or "Unknown" position, "indeterminate" is taken from the text of…
SzelethusUnsubmitted
Done
ReplyInline Actions

Sure, I'm sold.

Szelethus: Sure, I'm sold.
ProgramStateRef State) const;
/// Check the legality of the 'whence' argument of 'fseek'. /// Check the legality of the 'whence' argument of 'fseek'.
/// Generate error and return nullptr if it is found to be illegal. /// Generate error and return nullptr if it is found to be illegal.
/// Otherwise returns the state. /// Otherwise returns the state.
/// (State is not changed here because the "whence" value is already known.) /// (State is not changed here because the "whence" value is already known.)
ProgramStateRef ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C, ProgramStateRef ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C,
ProgramStateRef State) const; ProgramStateRef State) const;
/// Generate warning about stream in EOF state. /// Generate warning about stream in EOF state.
▲ Show 20 LinesShow All 154 Lines▼ Show 20 Linesvoid StreamChecker::preFread(const FnDescription *Desc, const CallEvent &Call,
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal StreamVal = getStreamArg(Desc, Call); SVal StreamVal = getStreamArg(Desc, Call);
State = ensureStreamNonNull(StreamVal, C, State); State = ensureStreamNonNull(StreamVal, C, State);
if (!State) if (!State)
return; return;
State = ensureStreamOpened(StreamVal, C, State); State = ensureStreamOpened(StreamVal, C, State);
if (!State) if (!State)
return; return;
State = ensureNoFilePositionIndeterminate(StreamVal, C, State);
if (!State)
return;
SymbolRef Sym = StreamVal.getAsSymbol(); SymbolRef Sym = StreamVal.getAsSymbol();
if (Sym && State->get<StreamMap>(Sym)) { if (Sym && State->get<StreamMap>(Sym)) {
const StreamState *SS = State->get<StreamMap>(Sym); const StreamState *SS = State->get<StreamMap>(Sym);
if (SS->ErrorState & ErrorFEof) if (SS->ErrorState & ErrorFEof)
reportFEofWarning(C, State); reportFEofWarning(C, State);
} else { } else {
C.addTransition(State); C.addTransition(State);
} }
} }
void StreamChecker::preFwrite(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::preFwrite(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal StreamVal = getStreamArg(Desc, Call); SVal StreamVal = getStreamArg(Desc, Call);
State = ensureStreamNonNull(StreamVal, C, State); State = ensureStreamNonNull(StreamVal, C, State);
if (!State) if (!State)
return; return;
State = ensureStreamOpened(StreamVal, C, State); State = ensureStreamOpened(StreamVal, C, State);
if (!State) if (!State)
return; return;
State = ensureNoFilePositionIndeterminate(StreamVal, C, State);
if (!State)
return;
C.addTransition(State); C.addTransition(State);
} }
void StreamChecker::evalFreadFwrite(const FnDescription *Desc, void StreamChecker::evalFreadFwrite(const FnDescription *Desc,
const CallEvent &Call, CheckerContext &C, const CallEvent &Call, CheckerContext &C,
bool IsFread) const { bool IsFread) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
▲ Show 20 LinesShow All 62 Lines▼ Show 20 Linesvoid StreamChecker::evalFreadFwrite(const FnDescription *Desc,
if (!StateFailed) if (!StateFailed)
return; return;
StreamErrorState NewES; StreamErrorState NewES;
if (IsFread) if (IsFread)
NewES = (SS->ErrorState == ErrorFEof) ? ErrorFEof : ErrorFEof | ErrorFError; NewES = (SS->ErrorState == ErrorFEof) ? ErrorFEof : ErrorFEof | ErrorFError;
else else
NewES = ErrorFError; NewES = ErrorFError;
StreamState NewState = StreamState::getOpened(Desc, NewES); // If a (non-EOF) error occurs, the resulting value of the file position
// indicator for the stream is indeterminate.
StreamState NewState = StreamState::getOpened(Desc, NewES, !NewES.isFEof());
StateFailed = StateFailed->set<StreamMap>(StreamSym, NewState); StateFailed = StateFailed->set<StreamMap>(StreamSym, NewState);
C.addTransition(StateFailed); C.addTransition(StateFailed);
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

This is a place where FilePositionIndeterminate is set in the state. We do not know if FEOF or FERROR will happen. If it is FERROR the position is indeterminate, if it is FEOF the position is not indeterminate.

balazske: This is a place where `FilePositionIndeterminate` is set in the state. We do not know if FEOF…
} }
void StreamChecker::preFseek(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::preFseek(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal StreamVal = getStreamArg(Desc, Call); SVal StreamVal = getStreamArg(Desc, Call);
State = ensureStreamNonNull(StreamVal, C, State); State = ensureStreamNonNull(StreamVal, C, State);
if (!State) if (!State)
Show All 34 Linesvoid StreamChecker::evalFseek(const FnDescription *Desc, const CallEvent &Call,
std::tie(StateFailed, StateNotFailed) = std::tie(StateFailed, StateNotFailed) =
C.getConstraintManager().assumeDual(State, RetVal); C.getConstraintManager().assumeDual(State, RetVal);
// Reset the state to opened with no error. // Reset the state to opened with no error.
StateNotFailed = StateNotFailed =
StateNotFailed->set<StreamMap>(StreamSym, StreamState::getOpened(Desc)); StateNotFailed->set<StreamMap>(StreamSym, StreamState::getOpened(Desc));
// We get error. // We get error.
// It is possible that fseek fails but sets none of the error flags. // It is possible that fseek fails but sets none of the error flags.
// If fseek failed, assume that the file position becomes indeterminate in any
// case.
StateFailed = StateFailed->set<StreamMap>( StateFailed = StateFailed->set<StreamMap>(
StreamSym, StreamSym,
StreamState::getOpened(Desc, ErrorNone | ErrorFEof | ErrorFError)); StreamState::getOpened(Desc, ErrorNone | ErrorFEof | ErrorFError, true));
C.addTransition(StateNotFailed); C.addTransition(StateNotFailed);
C.addTransition(StateFailed); C.addTransition(StateFailed);
} }
void StreamChecker::evalClearerr(const FnDescription *Desc, void StreamChecker::evalClearerr(const FnDescription *Desc,
const CallEvent &Call, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol(); SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
if (!StreamSym) if (!StreamSym)
return; return;
const StreamState *SS = State->get<StreamMap>(StreamSym); const StreamState *SS = State->get<StreamMap>(StreamSym);
if (!SS) if (!SS)
return; return;
assertStreamStateOpened(SS); assertStreamStateOpened(SS);
State = State->set<StreamMap>(StreamSym, StreamState::getOpened(Desc)); // FilePositionIndeterminate is not cleared.
State = State->set<StreamMap>(
StreamSym,
StreamState::getOpened(Desc, ErrorNone, SS->FilePositionIndeterminate));
SzelethusUnsubmitted
Not Done
ReplyInline Actions

But what if I inspect errno and conclude that the file position is intact? Is there such a thing? After a call to stream operation that might leave the file position indicator indeterminate and getting ferror, am I supposed to fseek or reopen the file no matter what?

Szelethus: But what if I inspect errno and conclude that the file position is intact? Is there such a…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

There is not much information about what errno values mean an indeterminate file position (and what errno values are possible at all after a specific operation). Probably we can assume that only position reset (fseek, fsetpos, rewind) and fflush fixes the wrong state. Many of stream handling code anyway aborts the operation if error happens.

balazske: There is not much information about what `errno` values mean an indeterminate file position…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Yeah, this makes sense. We should double check the standard in time though.

Szelethus: Yeah, this makes sense. We should double check the standard in time though.
C.addTransition(State); C.addTransition(State);
} }
void StreamChecker::evalFeofFerror(const FnDescription *Desc, void StreamChecker::evalFeofFerror(const FnDescription *Desc,
const CallEvent &Call, CheckerContext &C, const CallEvent &Call, CheckerContext &C,
const StreamErrorState &ErrorKind) const { const StreamErrorState &ErrorKind) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol(); SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
Show All 11 Linesvoid StreamChecker::evalFeofFerror(const FnDescription *Desc,
assertStreamStateOpened(SS); assertStreamStateOpened(SS);
if (SS->ErrorState & ErrorKind) { if (SS->ErrorState & ErrorKind) {
// Execution path with error of ErrorKind. // Execution path with error of ErrorKind.
// Function returns true. // Function returns true.
// From now on it is the only one error state. // From now on it is the only one error state.
ProgramStateRef TrueState = bindAndAssumeTrue(State, C, CE); ProgramStateRef TrueState = bindAndAssumeTrue(State, C, CE);
C.addTransition(TrueState->set<StreamMap>( C.addTransition(TrueState->set<StreamMap>(
StreamSym, StreamState::getOpened(Desc, ErrorKind))); StreamSym, StreamState::getOpened(Desc, ErrorKind,
SS->FilePositionIndeterminate &&
!ErrorKind.isFEof())));
} }
if (StreamErrorState NewES = SS->ErrorState & (~ErrorKind)) { if (StreamErrorState NewES = SS->ErrorState & (~ErrorKind)) {
// Execution path(s) with ErrorKind not set. // Execution path(s) with ErrorKind not set.
// Function returns false. // Function returns false.
// New error state is everything before minus ErrorKind. // New error state is everything before minus ErrorKind.
ProgramStateRef FalseState = bindInt(0, State, C, CE); ProgramStateRef FalseState = bindInt(0, State, C, CE);
C.addTransition(FalseState->set<StreamMap>( C.addTransition(FalseState->set<StreamMap>(
StreamSym, StreamState::getOpened(Desc, NewES))); StreamSym,
StreamState::getOpened(
Desc, NewES, SS->FilePositionIndeterminate && !NewES.isFEof())));
} }
} }
void StreamChecker::preDefault(const FnDescription *Desc, const CallEvent &Call, void StreamChecker::preDefault(const FnDescription *Desc, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SVal StreamVal = getStreamArg(Desc, Call); SVal StreamVal = getStreamArg(Desc, Call);
State = ensureStreamNonNull(StreamVal, C, State); State = ensureStreamNonNull(StreamVal, C, State);
▲ Show 20 LinesShow All 91 Lines▼ Show 20 Lines if (N) {
return nullptr; return nullptr;
} }
return State; return State;
} }
return State; return State;
} }
ProgramStateRef StreamChecker::ensureNoFilePositionIndeterminate(
SVal StreamVal, CheckerContext &C, ProgramStateRef State) const {
SymbolRef Sym = StreamVal.getAsSymbol();
if (!Sym)
return State;
const StreamState *SS = State->get<StreamMap>(Sym);
if (!SS)
return State;
assert(SS->isOpened() && "First ensure that stream is opened.");
if (SS->FilePositionIndeterminate) {
if (!BT_IndeterminatePosition)
BT_IndeterminatePosition.reset(
new BuiltinBug(this, "Invalid stream state",
"File position of the stream might be 'indeterminate' "
"after a failed operation. "
"Can cause undefined behavior."));
if (SS->ErrorState & ErrorFEof) {
// The error is unknown but may be FEOF.
// Continue analysis with the FEOF error state.
// Report warning because the other possible error states.
ExplodedNode *N = C.generateNonFatalErrorNode(State);
if (!N)
SzelethusUnsubmitted
Done
ReplyInline Actions

I think we shouldn't say its ignored, but rather its impossible. I mean, if we have reached the end of the file, how could the file position indicator be indeterminate?

Szelethus: I think we shouldn't say its ignored, but rather its impossible. I mean, if we have reached the…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

The previous comment tells why it is set. The FEOF case is represented in the data structure with indeterminate flag set or not set. Both mean the same state of the modeled stream: FEOF and not indeterminate.

balazske: The previous comment tells why it is set. The FEOF case is represented in the data structure…
return nullptr;
SzelethusUnsubmitted
Done
ReplyInline Actions

This branch could be removed in its entirety.

Szelethus: This branch could be removed in its entirety.
C.emitReport(std::make_unique<PathSensitiveBugReport>(
*BT_IndeterminatePosition, BT_IndeterminatePosition->getDescription(),
N));
return State->set<StreamMap>(
Sym, StreamState::getOpened(SS->LastOperation, ErrorFEof, false));
}
// Known or unknown error state without FEOF possible.
// Stop analysis, report error.
ExplodedNode *N = C.generateErrorNode(State);
if (N)
C.emitReport(std::make_unique<PathSensitiveBugReport>(
SzelethusUnsubmitted
Done
ReplyInline Actions

Good question. It would make sense... @NoQ, @xazax.hun?

Szelethus: Good question. It would make sense... @NoQ, @xazax.hun?
SzelethusUnsubmitted
Done
ReplyInline Actions

Well, looking at other checkers, they usually early return and don't modify the state if the creation of the error node failed, so a nullptr return would be more appropriate.

Szelethus: Well, looking at other checkers, they usually early return and don't modify the state if the…
*BT_IndeterminatePosition, BT_IndeterminatePosition->getDescription(),
N));
return nullptr;
}
return State;
}
ProgramStateRef ProgramStateRef
StreamChecker::ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C, StreamChecker::ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C,
ProgramStateRef State) const { ProgramStateRef State) const {
Optional<nonloc::ConcreteInt> CI = WhenceVal.getAs<nonloc::ConcreteInt>(); Optional<nonloc::ConcreteInt> CI = WhenceVal.getAs<nonloc::ConcreteInt>();
if (!CI) if (!CI)
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Ugh, tough one. I think this just isn't really *the* error to highlight here, but rather that its bad practice to not check on the stream after an operation. But I'm willing to accept I might be wrong here.

Szelethus: Ugh, tough one. I think this just isn't really *the* error to highlight here, but rather that…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Actually, I take this back. If we had NoteTags to explain that "this stream operation failed and left the stream file position indication in an indeterminate state", this would be great.

Szelethus: Actually, I take this back. If we had `NoteTag`s to explain that "this stream operation failed…
balazskeAuthorUnsubmitted
Done
ReplyInline Actions

Adding of NoteTag and other bug path improvements are planned in the next changes. (The message text could mention that error check was probably forgotten. But the faulty function can be called despite the error check was done.)

balazske: Adding of `NoteTag` and other bug path improvements are planned in the next changes. (The…
SzelethusUnsubmitted
Not Done
ReplyInline Actions

Cool! Proceed as its most convenient, no need to rush it while the checker is in alpha.

Szelethus: Cool! Proceed as its most convenient, no need to rush it while the checker is in alpha.
return State; return State;
int64_t X = CI->getValue().getSExtValue(); int64_t X = CI->getValue().getSExtValue();
if (X >= 0 && X <= 2) if (X >= 0 && X <= 2)
return State; return State;
if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) { if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
if (!BT_illegalwhence) if (!BT_illegalwhence)
▲ Show 20 LinesShow All 68 LinesShow Last 20 Lines

clang/test/Analysis/stream-error.c

Show First 20 LinesShow All 70 Lines▼ Show 20 Lines if (Ret == 10) {
if (feof(F)) { if (feof(F)) {
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}} clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
fread(Buf, 1, 10, F); // expected-warning {{Read function called when stream is in EOF state}} fread(Buf, 1, 10, F); // expected-warning {{Read function called when stream is in EOF state}}
clang_analyzer_eval(feof(F)); // expected-warning {{TRUE}} clang_analyzer_eval(feof(F)); // expected-warning {{TRUE}}
clang_analyzer_eval(ferror(F)); // expected-warning {{FALSE}} clang_analyzer_eval(ferror(F)); // expected-warning {{FALSE}}
} }
if (ferror(F)) { if (ferror(F)) {
clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}} clang_analyzer_warnIfReached(); // expected-warning {{REACHABLE}}
fread(Buf, 1, 10, F); // no warning fread(Buf, 1, 10, F); // expected-warning {{might be 'indeterminate'}}
} }
} }
fclose(F); fclose(F);
Ret = fread(Buf, 1, 10, F); // expected-warning {{Stream might be already closed}} Ret = fread(Buf, 1, 10, F); // expected-warning {{Stream might be already closed}}
} }
void error_fwrite() { void error_fwrite() {
FILE *F = tmpfile(); FILE *F = tmpfile();
if (!F) if (!F)
return; return;
const char *Buf = "123456789"; const char *Buf = "123456789";
int Ret = fwrite(Buf, 1, 10, F); int Ret = fwrite(Buf, 1, 10, F);
if (Ret == 10) { if (Ret == 10) {
clang_analyzer_eval(feof(F) || ferror(F)); // expected-warning {{FALSE}} clang_analyzer_eval(feof(F) || ferror(F)); // expected-warning {{FALSE}}
} else { } else {
clang_analyzer_eval(feof(F)); // expected-warning {{FALSE}} clang_analyzer_eval(feof(F)); // expected-warning {{FALSE}}
clang_analyzer_eval(ferror(F)); // expected-warning {{TRUE}} clang_analyzer_eval(ferror(F)); // expected-warning {{TRUE}}
fwrite(0, 1, 10, F); // no warning fwrite(0, 1, 10, F); // expected-warning {{might be 'indeterminate'}}
} }
fclose(F); fclose(F);
Ret = fwrite(0, 1, 10, F); // expected-warning {{Stream might be already closed}} Ret = fwrite(0, 1, 10, F); // expected-warning {{Stream might be already closed}}
} }
void freadwrite_zerosize(FILE *F) { void freadwrite_zerosize(FILE *F) {
fwrite(0, 1, 0, F); fwrite(0, 1, 0, F);
fwrite(0, 0, 1, F); fwrite(0, 0, 1, F);
▲ Show 20 LinesShow All 55 Lines▼ Show 20 Lines if (rc) {
clang_analyzer_eval(feof(F)); // expected-warning {{FALSE}} clang_analyzer_eval(feof(F)); // expected-warning {{FALSE}}
clang_analyzer_eval(ferror(F)); // expected-warning {{FALSE}} clang_analyzer_eval(ferror(F)); // expected-warning {{FALSE}}
// Error flags should not change. // Error flags should not change.
clang_analyzer_eval(feof(F)); // expected-warning {{FALSE}} clang_analyzer_eval(feof(F)); // expected-warning {{FALSE}}
clang_analyzer_eval(ferror(F)); // expected-warning {{FALSE}} clang_analyzer_eval(ferror(F)); // expected-warning {{FALSE}}
} }
fclose(F); fclose(F);
} }
void error_indeterminate() {
FILE *F = fopen("file", "r+");
if (!F)
return;
const char *Buf = "123456789";
int rc = fseek(F, 0, SEEK_SET);
if (rc) {
if (feof(F)) {
fwrite(Buf, 1, 10, F); // no warning
} else if (ferror(F)) {
fwrite(Buf, 1, 10, F); // expected-warning {{might be 'indeterminate'}}
} else {
fwrite(Buf, 1, 10, F); // expected-warning {{might be 'indeterminate'}}
SzelethusUnsubmitted
Done
ReplyInline Actions

Here the user checked whether F is in eof or in ferror, and its in neither. Isn't it reasonable to assume then that the stream is fine?

Szelethus: Here the user checked whether F is in eof or in ferror, and its in neither. Isn't it reasonable…
SzelethusUnsubmitted
Done
ReplyInline Actions

Oh wow I meant to delete this inline. Please disregard.

Szelethus: Oh wow I meant to delete this inline. Please disregard.
}
}
fclose(F);
}
void error_indeterminate_clearerr() {
FILE *F = fopen("file", "r+");
if (!F)
return;
const char *Buf = "123456789";
int rc = fseek(F, 0, SEEK_SET);
if (rc) {
if (feof(F)) {
clearerr(F);
fwrite(Buf, 1, 10, F); // no warning
} else if (ferror(F)) {
clearerr(F);
fwrite(Buf, 1, 10, F); // expected-warning {{might be 'indeterminate'}}
} else {
clearerr(F);
fwrite(Buf, 1, 10, F); // expected-warning {{might be 'indeterminate'}}
}
}
fclose(F);
}
void error_indeterminate_feof1() {
FILE *F = fopen("file", "r+");
if (!F)
return;
char Buf[10];
if (fread(Buf, 1, 10, F) < 10) {
if (feof(F)) {
// error is feof, should be non-indeterminate
fwrite("1", 1, 1, F); // no warning
}
}
fclose(F);
}
void error_indeterminate_feof2() {
FILE *F = fopen("file", "r+");
if (!F)
return;
char Buf[10];
if (fread(Buf, 1, 10, F) < 10) {
if (ferror(F) == 0) {
// error is feof, should be non-indeterminate
fwrite("1", 1, 1, F); // no warning
}
}
fclose(F);
}