maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity
llvm-project/clang/test/Analysis/Inputs/system-header-simulator.h

89 lines
3.0 KiB
C
Raw Normal View History

[analyzer] Explain why we have system-header-simulator*.h files. Suggested by Csaba. Text based on an e-mail of mine on cfe-dev. llvm-svn: 174213
2013-02-02 03:50:01 +08:00
// Like the compiler, the static analyzer treats some functions differently if
// they come from a system header -- for example, it is assumed that system
// functions do not arbitrarily free() their parameters, and that some bugs
// found in system headers cannot be fixed by the user and should be
// suppressed.
[analyzer] Be less pessimistic about invalidation of global variables as a result of a call. Problem: Global variables, which come in from system libraries should not be invalidated by all calls. Also, non-system globals should not be invalidated by system calls. Solution: The following solution to invalidation of globals seems flexible enough for taint (does not invalidate stdin) and should not lead to too many false positives. We split globals into 3 classes: * immutable - values are preserved by calls (unless the specific global is passed in as a parameter): A : Most system globals and const scalars * invalidated by functions defined in system headers: B: errno * invalidated by all other functions (note, these functions may in turn contain system calls): B: errno C: all other globals (which are not in A nor B) llvm-svn: 147569
2012-01-05 07:54:01 +08:00
#pragma clang system_header
[analyzer] Re-enable using global regions as a symbolic base. Now that we're invalidating global regions properly, we want to continue taking advantage of a particular optimization: if all global regions are invalidated together, we can represent the bindings of each region with a "derived region value" symbol. Essentially, this lazily links each global region with a single symbol created at invalidation time, rather than binding each region with a new symbolic value. We used to do this, but haven't been for a while; the previous commit re-enabled this code path, and this handles the fallout. <rdar://problem/13464044> llvm-svn: 179554
2013-04-16 04:39:45 +08:00
#ifdef __cplusplus
#define restrict /*restrict*/
#endif
[analyzer] Be less pessimistic about invalidation of global variables as a result of a call. Problem: Global variables, which come in from system libraries should not be invalidated by all calls. Also, non-system globals should not be invalidated by system calls. Solution: The following solution to invalidation of globals seems flexible enough for taint (does not invalidate stdin) and should not lead to too many false positives. We split globals into 3 classes: * immutable - values are preserved by calls (unless the specific global is passed in as a parameter): A : Most system globals and const scalars * invalidated by functions defined in system headers: B: errno * invalidated by all other functions (note, these functions may in turn contain system calls): B: errno C: all other globals (which are not in A nor B) llvm-svn: 147569
2012-01-05 07:54:01 +08:00
typedef struct _FILE FILE;
extern FILE *stdin;
[analyzer] Malloc: A pointer might escape through CFContainers APIs, funopen, setvbuf. Teach the checker and the engine about these APIs to resolve malloc false positives. As I am adding more of these APIs, it is clear that all this should be factored out into a separate callback (for example, region escapes). Malloc, KeyChainAPI and RetainRelease checkers could all use it. llvm-svn: 151737
2012-03-01 02:42:47 +08:00
extern FILE *stdout;
extern FILE *stderr;
// Include a variant of standard streams that occur in the pre-processed file.
extern FILE *__stdinp;
extern FILE *__stdoutp;
extern FILE *__stderrp;
[analyzer] Tests: move system functions into system header simulator files. Some checkers ascribe different behavior to functions declared in system headers, so when working with standard library functions it's probably best to always have them in a standard location. Test change only (no functionality change), but necessary for the next commit. llvm-svn: 179552
2013-04-16 04:39:37 +08:00
int scanf(const char *restrict format, ...);
[analyzer] Malloc: A pointer might escape through CFContainers APIs, funopen, setvbuf. Teach the checker and the engine about these APIs to resolve malloc false positives. As I am adding more of these APIs, it is clear that all this should be factored out into a separate callback (for example, region escapes). Malloc, KeyChainAPI and RetainRelease checkers could all use it. llvm-svn: 151737
2012-03-01 02:42:47 +08:00
int fscanf(FILE *restrict, const char *restrict, ...);
[analyzer] Tests: move system functions into system header simulator files. Some checkers ascribe different behavior to functions declared in system headers, so when working with standard library functions it's probably best to always have them in a standard location. Test change only (no functionality change), but necessary for the next commit. llvm-svn: 179552
2013-04-16 04:39:37 +08:00
int printf(const char *restrict format, ...);
int fprintf(FILE *restrict, const char *restrict, ...);
int getchar(void);
[analyzer] Be less pessimistic about invalidation of global variables as a result of a call. Problem: Global variables, which come in from system libraries should not be invalidated by all calls. Also, non-system globals should not be invalidated by system calls. Solution: The following solution to invalidation of globals seems flexible enough for taint (does not invalidate stdin) and should not lead to too many false positives. We split globals into 3 classes: * immutable - values are preserved by calls (unless the specific global is passed in as a parameter): A : Most system globals and const scalars * invalidated by functions defined in system headers: B: errno * invalidated by all other functions (note, these functions may in turn contain system calls): B: errno C: all other globals (which are not in A nor B) llvm-svn: 147569
2012-01-05 07:54:01 +08:00
// Note, on some platforms errno macro gets replaced with a function call.
extern int errno;
clang/test/Analysis: Fix the declaration of strlen() for 32 bit targets. - Inputs/system-header-simulator.h: Declare strlen() with size_t. - malloc-interprocedural.c: Move the definition of size_t into the header above. Then XFAIL can be pruned. llvm-svn: 164300
2012-09-20 19:03:56 +08:00
typedef __typeof(sizeof(int)) size_t;
size_t strlen(const char *);
[analyzer] Malloc Checker: reduce false negatives rate by assuming that a pointer cannot escape through calls to system functions. Also, stop after reporting the first use-after-free. llvm-svn: 150315
2012-02-12 07:46:36 +08:00
[analyzer] Malloc: A pointer might escape through CFContainers APIs, funopen, setvbuf. Teach the checker and the engine about these APIs to resolve malloc false positives. As I am adding more of these APIs, it is clear that all this should be factored out into a separate callback (for example, region escapes). Malloc, KeyChainAPI and RetainRelease checkers could all use it. llvm-svn: 151737
2012-03-01 02:42:47 +08:00
char *strcpy(char *restrict, const char *restrict);
[analyzer] Better modeling of memcpy by the CStringChecker (PR16731). New rules of invalidation/escape of the source buffer of memcpy: the source buffer contents is invalidated and escape while the source buffer region itself is neither invalidated, nor escape. In the current modeling of memcpy the information about allocation state of regions, accessible through the source buffer, is not copied to the destination buffer and we can not track the allocation state of those regions anymore. So we invalidate/escape the source buffer indirect regions in anticipation of their being invalidated for real later. This eliminates false-positive leaks reported by the unix.Malloc and alpha.cplusplus.NewDeleteLeaks checkers for the cases like char *f() { void *x = malloc(47); char *a; memcpy(&a, &x, sizeof a); return a; } llvm-svn: 194953
2013-11-17 17:18:48 +08:00
void *memcpy(void *dst, const void *src, size_t n);
[analyzer] Malloc Checker: reduce false negatives rate by assuming that a pointer cannot escape through calls to system functions. Also, stop after reporting the first use-after-free. llvm-svn: 150315
2012-02-12 07:46:36 +08:00
[analyzer] Invalidate the region passed to pthread_setspecific() call. Make this call an exception in ExprEngine::invalidateArguments: 'int pthread_setspecific(ptheread_key k, const void *)' stores a value into thread local storage. The value can later be retrieved with 'void *ptheread_getspecific(pthread_key)'. So even thought the parameter is 'const void *', the region escapes through the call. (Here we just blacklist the call in the ExprEngine's default logic. Another option would be to add a checker which evaluates the call and triggers the call to invalidate regions.) Teach the Malloc Checker, which treats all system calls as safe about the API. llvm-svn: 151220
2012-02-23 09:05:27 +08:00
typedef unsigned long __darwin_pthread_key_t;
typedef __darwin_pthread_key_t pthread_key_t;
[analyzer] Malloc: A pointer might escape through CFContainers APIs, funopen, setvbuf. Teach the checker and the engine about these APIs to resolve malloc false positives. As I am adding more of these APIs, it is clear that all this should be factored out into a separate callback (for example, region escapes). Malloc, KeyChainAPI and RetainRelease checkers could all use it. llvm-svn: 151737
2012-03-01 02:42:47 +08:00
int pthread_setspecific(pthread_key_t, const void *);
typedef long long __int64_t;
typedef __int64_t __darwin_off_t;
typedef __darwin_off_t fpos_t;
void setbuf(FILE * restrict, char * restrict);
int setvbuf(FILE * restrict, char * restrict, int, size_t);
[analyzer] Tests: move system functions into system header simulator files. Some checkers ascribe different behavior to functions declared in system headers, so when working with standard library functions it's probably best to always have them in a standard location. Test change only (no functionality change), but necessary for the next commit. llvm-svn: 179552
2013-04-16 04:39:37 +08:00
FILE *fopen(const char * restrict, const char * restrict);
int fclose(FILE *);
[analyzer] Malloc: A pointer might escape through CFContainers APIs, funopen, setvbuf. Teach the checker and the engine about these APIs to resolve malloc false positives. As I am adding more of these APIs, it is clear that all this should be factored out into a separate callback (for example, region escapes). Malloc, KeyChainAPI and RetainRelease checkers could all use it. llvm-svn: 151737
2012-03-01 02:42:47 +08:00
FILE *funopen(const void *,
int (*)(void *, char *, int),
int (*)(void *, const char *, int),
fpos_t (*)(void *, fpos_t, int),
int (*)(void *));
[analyzer] Allow pointers escape through calls containing callback args. (Since we don't have a generic pointer escape callback, modify ExprEngineCallAndReturn as well as the malloc checker.) llvm-svn: 156134
2012-05-04 07:50:28 +08:00
int sqlite3_bind_text_my(int, const char*, int n, void(*)(void*));
[analyzer] Assume pointer escapes when a callback is passed inside a struct. llvm-svn: 156135
2012-05-04 07:50:33 +08:00
typedef void (*freeCallback) (void*);
typedef struct {
int i;
freeCallback fc;
} StWithCallback;
int dealocateMemWhenDoneByVal(void*, StWithCallback);
int dealocateMemWhenDoneByRef(StWithCallback*, const void*);
[analyzer] Buffers passed to CGBitmapContextCreate can escape. Specifically, although the bitmap context does not take ownership of the buffer (unlike CGBitmapContextCreateWithData), the data buffer can be extracted out of the created CGContextRef. Thus the buffer is not leaked even if its original pointer goes out of scope, as long as - the context escapes, or - it is retrieved via CGBitmapContextGetData and freed. Actually implementing that logic is beyond the current scope of MallocChecker, so for now CGBitmapContextCreate goes on our system function exception list. llvm-svn: 158579
2012-06-16 08:09:20 +08:00
typedef struct CGContext *CGContextRef;
CGContextRef CGBitmapContextCreate(void *data/*, size_t width, size_t height,
size_t bitsPerComponent, size_t bytesPerRow,
CGColorSpaceRef space,
CGBitmapInfo bitmapInfo*/);
void *CGBitmapContextGetData(CGContextRef context);
[analyzer] Malloc leak false positive: Allow xpc context to escape. llvm-svn: 158875
2012-06-21 07:35:57 +08:00
// Include xpc.
typedef struct _xpc_connection_s * xpc_connection_t;
typedef void (*xpc_finalizer_t)(void *value);
void xpc_connection_set_context(xpc_connection_t connection, void *context);
void xpc_connection_set_finalizer_f(xpc_connection_t connection, xpc_finalizer_t finalizer);
void xpc_connection_resume(xpc_connection_t connection);
[analyzer] Add pointer escape type param to checkPointerEscape callback The checkPointerEscape callback previously did not specify how a pointer escaped. This change includes an enum which describes the different ways a pointer may escape. This enum is passed to the checkPointerEscape callback when a pointer escapes. If the escape is due to a function call, the call is passed. This changes previous behavior where the call is passed as NULL if the escape was due to indirectly invalidating the region the pointer referenced. A patch by Branden Archer! llvm-svn: 174677
2013-02-08 07:05:43 +08:00
[analyzer] Indirect invalidation counts as an escape for leak checkers. Consider this example: char *p = malloc(sizeof(char)); systemFunction(&p); free(p); In this case, when we call systemFunction, we know (because it's a system function) that it won't free 'p'. However, we /don't/ know whether or not it will /change/ 'p', so the analyzer is forced to invalidate 'p', wiping out any bindings it contains. But now the malloc'd region looks like a leak, since there are no more bindings pointing to it, and we'll get a spurious leak warning. The fix for this is to notice when something is becoming inaccessible due to invalidation (i.e. an imperfect model, as opposed to being explicitly overwritten) and stop tracking it at that point. Currently, the best way to determine this for a call is the "indirect escape" pointer-escape kind. In practice, all the patch does is take the "system functions don't free memory" special case and limit it to direct parameters, i.e. just the arguments to a call and not other regions accessible to them. This is a conservative change that should only cause us to escape regions more eagerly, which means fewer leak warnings. This isn't perfect for several reasons, the main one being that this example is treated the same as the one above: char **p = malloc(sizeof(char *)); systemFunction(p + 1); // leak Currently, "addresses accessible by offsets of the starting region" and "addresses accessible through bindings of the starting region" are both considered "indirect" regions, hence this uniform treatment. Another issue is our longstanding problem of not distinguishing const and non-const bindings; if in the first example systemFunction's parameter were a char * const *, we should know that the function will not overwrite 'p', and thus we can safely report the leak. <rdar://problem/13758386> llvm-svn: 181607
2013-05-11 01:07:16 +08:00
//The following are fake system header functions for generic testing.
[analyzer] Add pointer escape type param to checkPointerEscape callback The checkPointerEscape callback previously did not specify how a pointer escaped. This change includes an enum which describes the different ways a pointer may escape. This enum is passed to the checkPointerEscape callback when a pointer escapes. If the escape is due to a function call, the call is passed. This changes previous behavior where the call is passed as NULL if the escape was due to indirectly invalidating the region the pointer referenced. A patch by Branden Archer! llvm-svn: 174677
2013-02-08 07:05:43 +08:00
void fakeSystemHeaderCallInt(int *);
[analyzer] Indirect invalidation counts as an escape for leak checkers. Consider this example: char *p = malloc(sizeof(char)); systemFunction(&p); free(p); In this case, when we call systemFunction, we know (because it's a system function) that it won't free 'p'. However, we /don't/ know whether or not it will /change/ 'p', so the analyzer is forced to invalidate 'p', wiping out any bindings it contains. But now the malloc'd region looks like a leak, since there are no more bindings pointing to it, and we'll get a spurious leak warning. The fix for this is to notice when something is becoming inaccessible due to invalidation (i.e. an imperfect model, as opposed to being explicitly overwritten) and stop tracking it at that point. Currently, the best way to determine this for a call is the "indirect escape" pointer-escape kind. In practice, all the patch does is take the "system functions don't free memory" special case and limit it to direct parameters, i.e. just the arguments to a call and not other regions accessible to them. This is a conservative change that should only cause us to escape regions more eagerly, which means fewer leak warnings. This isn't perfect for several reasons, the main one being that this example is treated the same as the one above: char **p = malloc(sizeof(char *)); systemFunction(p + 1); // leak Currently, "addresses accessible by offsets of the starting region" and "addresses accessible through bindings of the starting region" are both considered "indirect" regions, hence this uniform treatment. Another issue is our longstanding problem of not distinguishing const and non-const bindings; if in the first example systemFunction's parameter were a char * const *, we should know that the function will not overwrite 'p', and thus we can safely report the leak. <rdar://problem/13758386> llvm-svn: 181607
2013-05-11 01:07:16 +08:00
void fakeSystemHeaderCallIntPtr(int **);
[analyzer] Add pointer escape type param to checkPointerEscape callback The checkPointerEscape callback previously did not specify how a pointer escaped. This change includes an enum which describes the different ways a pointer may escape. This enum is passed to the checkPointerEscape callback when a pointer escapes. If the escape is due to a function call, the call is passed. This changes previous behavior where the call is passed as NULL if the escape was due to indirectly invalidating the region the pointer referenced. A patch by Branden Archer! llvm-svn: 174677
2013-02-08 07:05:43 +08:00
typedef struct __SomeStruct {
char * p;
} SomeStruct;
void fakeSystemHeaderCall(SomeStruct *);