[analyzer] Bifurcate on getenv() calls

The `getenv()` function might return `NULL` just like any other function.
However, in case of `getenv()` a state-split seems justified since the
programmer should expect the failure of this function.

`secure_getenv(const char *name)` behaves the same way but is not handled
right now.
Note that `std::getenv()` is also not handled.

Reviewed By: martong

Differential Revision: https://reviews.llvm.org/D111245
This commit is contained in:
Balazs Benics 2021-10-13 10:50:26 +02:00
parent fc2ba5e53d
commit 7fc150309d
2 changed files with 16 additions and 0 deletions
clang
lib/StaticAnalyzer/Checkers
test/Analysis

View File

@ -1433,6 +1433,14 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
RetType{Ssize_tTy}),
GetLineSummary);
// char *getenv(const char *name);
addToFunctionSummaryMap(
"getenv", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}),
Summary(NoEvalCall)
.Case({NotNull(Ret)})
.Case({NotNull(Ret)->negate()})
.ArgConstraint(NotNull(ArgNo(0))));
if (ModelPOSIX) {
// long a64l(const char *str64);

View File

@ -254,3 +254,11 @@ void test_call_by_pointer() {
f = ispunct;
clang_analyzer_eval(f('A')); // expected-warning{{FALSE}}
}
char *getenv(const char *name);
void test_getenv() {
// getenv() bifurcates here.
clang_analyzer_eval(getenv("FOO") == 0);
// expected-warning@-1 {{TRUE}}
// expected-warning@-2 {{FALSE}}
}