Commit Graph

71 Commits

Author SHA1 Message Date
Balazs Benics 30e5c7e82f [analyzer] NFCi: Refactor CStringChecker: use strongly typed internal API
Summary:
I wanted to extend the diagnostics of the CStringChecker with taintedness.
This requires the CStringChecker to be refactored to support a more flexible
reporting mechanism.

This patch does only refactorings, such:
 - eliminates always false parameters (like WarnAboutSize)
 - reduces the number of parameters
 - makes strong types differentiating *source* and *destination* buffers
   (same with size expressions)
 - binds the argument expression and the index, making diagnostics accurate
   and easy to emit
 - removes a bunch of default parameters to make it more readable
 - remove random const char* warning message parameters, making clear where
   and what is going to be emitted

Note that:
 - CheckBufferAccess now checks *only* one buffer, this removed about 100 LOC
   code duplication
 - not every function was refactored to use the /new/ strongly typed API, since
   the CString related functions are really closely coupled monolithic beasts,
   I will refactor them separately
 - all tests are preserved and passing; only the message changed at some places.
   In my opinion, these messages are holding the same information.

I would also highlight that this refactoring caught a bug in
clang/test/Analysis/string.c:454 where the diagnostic did not reflect reality.
This catch backs my effort on simplifying this monolithic CStringChecker.

Reviewers: NoQ, baloghadamsoftware, Szelethus, rengolin, Charusso

Reviewed By: NoQ

Subscribers: whisperity, xazax.hun, szepet, rnkovacs, a.sidorin,
mikhail.ramalho, donat.nagy, dkrupp, Charusso, martong, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D74806
2020-04-09 16:06:32 +02:00
Artem Dergachev 2b3f2071ec [analyzer] CStringChecker: Fix overly eager assumption that memcmp args overlap.
While analyzing code `memcmp(a, NULL, n);', where `a' has an unconstrained
symbolic value, the analyzer was emitting a warning about the *first* argument
being a null pointer, even though we'd rather have it warn about the *second*
argument.

This happens because CStringChecker first checks whether the two argument
buffers are in fact the same buffer, in order to take the fast path.
This boils down to assuming `a == NULL' to true. Then the subsequent check
for null pointer argument "discovers" that `a' is null.

Don't take the fast path unless we are *sure* that the buffers are the same.
Otherwise proceed as normal.

Differential Revision: https://reviews.llvm.org/D71322
2019-12-11 11:22:36 -08:00
Artem Dergachev 134faae042 [analyzer] CStringChecker: Improve warning messages.
Differential Revision: https://reviews.llvm.org/D71321
2019-12-11 11:22:36 -08:00
Artem Dergachev 35fdec1b54 [analyzer] CStringChecker: Modernize to use CallDescriptions.
This patch uses the new CDF_MaybeBuiltin flag to handle C library functions.
It's mostly an NFC/refactoring pass, but it does fix a bug in handling memset()
when it expands to __builtin___memset_chk() because the latter has
one more argument and memset() handling code was trying to match
the exact number of arguments. Now the code is deduplicated and there's
less room for mistakes.

Differential Revision: https://reviews.llvm.org/D62557

llvm-svn: 364868
2019-07-01 23:02:10 +00:00
Kristof Umann 8cffa84850 [analyzer][NFC] Prettify some RUN: lines in test files.
This is a test commit in disguise.

llvm-svn: 361505
2019-05-23 15:49:04 +00:00
Artem Dergachev 9b02a9b401 [analyzer] Make default bindings to variables actually work.
Default RegionStore bindings represent values that can be obtained by loading
from anywhere within the region, not just the specific offset within the region
that they are said to be bound to. For example, default-binding a character \0
to an int (eg., via memset()) means that the whole int is 0, not just
that its lower byte is 0.

Even though memset and bzero were modeled this way, it didn't work correctly
when applied to simple variables. Eg., in

  int x;
  memset(x, 0, sizeof(x));

we did produce a default binding, but were unable to read it later, and 'x'
was perceived as an uninitialized variable even after memset.

At the same time, if we replace 'x' with a variable of a structure or array
type, accessing fields or elements of such variable was working correctly,
which was enough for most cases. So this was only a problem for variables of
simple integer/enumeration/floating-point/pointer types.

Fix loading default bindings from RegionStore for regions of simple variables.

Add a unit test to document the API contract as well.

Differential Revision: https://reviews.llvm.org/D60742

llvm-svn: 358722
2019-04-18 23:35:56 +00:00
Erik Pilkington b6e16ea006 [Sema] Add some compile time _FORTIFY_SOURCE diagnostics
These diagnose overflowing calls to subset of fortifiable functions. Some
functions, like sprintf or strcpy aren't supported right not, but we should
probably support these in the future. We previously supported this kind of
functionality with -Wbuiltin-memcpy-chk-size, but that diagnostic doesn't work
with _FORTIFY implementations that use wrapper functions. Also unlike that
diagnostic, we emit these warnings regardless of whether _FORTIFY_SOURCE is
actually enabled, which is nice for programs that don't enable the runtime
checks.

Why not just use diagnose_if, like Bionic does? We can get better diagnostics in
the compiler (i.e. mention the sizes), and we have the potential to diagnose
sprintf and strcpy which is impossible with diagnose_if (at least, in languages
that don't support C++14 constexpr). This approach also saves standard libraries
from having to add diagnose_if.

rdar://48006655

Differential revision: https://reviews.llvm.org/D58797

llvm-svn: 356397
2019-03-18 19:23:45 +00:00
David Carlier 37a22ea063 [analyzer][CStringChecker] evaluate explicit_bzero
- explicit_bzero has limited scope/usage only for security/crypto purposes but is non-optimisable version of memset/0 and bzero.
- explicit_memset has similar signature and semantics as memset but is also a non-optimisable version.

Reviewers: NoQ

Reviewed By: NoQ

Differential Revision: https://reviews.llvm.org/D54592

llvm-svn: 348884
2018-12-11 18:57:07 +00:00
George Karpenkov a393e68b27 [analyzer] Move analyzer-eagerly-assume to AnalyzerOptions, enable by default
Differential Revision: https://reviews.llvm.org/D51251

llvm-svn: 340963
2018-08-29 20:29:17 +00:00
Adam Balogh bf966f5237 [Analyzer] alpha.unix.cstring.OutOfBounds checker enable/disable fix
It was not possible to disable alpha.unix.cstring.OutOfBounds checker's reports
since unix.Malloc checker always implicitly enabled the filter. Moreover if the
checker was disabled from command line (-analyzer-disable-checker ..) the out
of bounds warnings were nevertheless emitted under different checker names such
as unix.cstring.NullArg, or unix.Malloc.

This patch fixes the case sot that Malloc checker only enables implicitly the
underlying modeling of strcpy, memcpy etc. but not the warning messages that
would have been emmitted by alpha.unix.cstring.OutOfBounds

Patch by: Dániel Krupp

Differential Revision: https://reviews.llvm.org/D48831

llvm-svn: 337000
2018-07-13 13:44:44 +00:00
Henry Wong afe62cdc4e [analyzer] Improve the modeling of memset().
Since there is no perfect way bind the non-zero value with the default binding, this patch only considers the case where buffer's offset is zero and the char value is 0. And according to the value for overwriting, decide how to update the string length.

Reviewers: dcoughlin, NoQ, xazax.hun, a.sidorin, george.karpenkov

Reviewed By: NoQ

Differential Revision: https://reviews.llvm.org/D44934

llvm-svn: 332463
2018-05-16 12:37:53 +00:00
Alexander Kornienko 2a8c18d991 Fix typos in clang
Found via codespell -q 3 -I ../clang-whitelist.txt
Where whitelist consists of:

  archtype
  cas
  classs
  checkk
  compres
  definit
  frome
  iff
  inteval
  ith
  lod
  methode
  nd
  optin
  ot
  pres
  statics
  te
  thru

Patch by luzpaz! (This is a subset of D44188 that applies cleanly with a few
files that have dubious fixes reverted.)

Differential revision: https://reviews.llvm.org/D44188

llvm-svn: 329399
2018-04-06 15:14:32 +00:00
George Karpenkov 96871864d2 [analyzer] Hopefully fix the ARM buildbot.
llvm-svn: 328913
2018-03-31 02:17:15 +00:00
George Karpenkov 6fe0f035bd [analyzer] Fix assertion crash in CStringChecker
An offset might be unknown.

rdar://39054939

Differential Revision: https://reviews.llvm.org/D45115

llvm-svn: 328912
2018-03-31 01:20:08 +00:00
Dominic Chen 184c6242fa Reland 4: [analyzer] NFC: Update test infrastructure to support multiple constraint managers
Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.

Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin

Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D30373

llvm-svn: 296895
2017-03-03 18:02:02 +00:00
Dominic Chen 09d66f7528 Revert "Reland 3: [analyzer] NFC: Update test infrastructure to support multiple constraint managers"
This reverts commit ea36f1406e1f36bf456c3f3929839b024128e468.

llvm-svn: 296841
2017-03-02 23:30:53 +00:00
Dominic Chen feaf9ff5ee Reland 3: [analyzer] NFC: Update test infrastructure to support multiple constraint managers
Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.

Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin

Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D30373

llvm-svn: 296837
2017-03-02 23:05:45 +00:00
Dominic Chen 4a90bf8c3f Revert "Reland 2: [analyzer] NFC: Update test infrastructure to support multiple constraint managers"
This reverts commit f93343c099fff646a2314cc7f4925833708298b1.

llvm-svn: 296836
2017-03-02 22:58:06 +00:00
Dominic Chen 1cb0256a3c Reland 2: [analyzer] NFC: Update test infrastructure to support multiple constraint managers
Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.

Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin

Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D30373

llvm-svn: 296835
2017-03-02 22:45:24 +00:00
Dominic Chen 00355a51d0 Revert "Reland: [analyzer] NFC: Update test infrastructure to support multiple constraint managers"
This reverts commit 1b28d0b10e1c8feccb971abb6ef7a18bee589830.

llvm-svn: 296422
2017-02-28 01:50:23 +00:00
Dominic Chen 59cd893320 Reland: [analyzer] NFC: Update test infrastructure to support multiple constraint managers
Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.

Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin

Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D30373

llvm-svn: 296414
2017-02-28 00:02:36 +00:00
Dominic Chen 8589e10c30 Revert "[analyzer] NFC: Update test infrastructure to support multiple constraint managers"
This reverts commit 8e7780b9e59ddaad1800baf533058d2c064d4787.

llvm-svn: 296317
2017-02-27 03:29:25 +00:00
Dominic Chen 02064a3076 [analyzer] NFC: Update test infrastructure to support multiple constraint managers
Summary: Replace calls to %clang/%clang_cc1 with %clang_analyze_cc1 when invoking static analyzer, and perform runtime substitution to select the appropriate constraint manager, per D28952.

Reviewers: xazax.hun, NoQ, zaks.anna, dcoughlin

Subscribers: mgorny, rgov, mikhail.ramalho, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D30373

llvm-svn: 296312
2017-02-27 02:36:15 +00:00
Artem Dergachev cbce96c3af [analyzer] Add LocationContext information to SymbolMetadata.
Like SymbolConjured, SymbolMetadata also needs to be uniquely
identified by the moment of its birth.

Such moments are coded by the (Statement, LocationContext, Block count) triples.
Each such triple represents the moment of analyzing a statement with a certain
call backtrace, with corresponding CFG block having been entered a given amount
of times during analysis of the current code body.

The LocationContext information was accidentally omitted for SymbolMetadata,
which leads to reincarnation of SymbolMetadata upon re-entering a code body
with a different backtrace; the new symbol is incorrectly unified with
the old symbol, which leads to unsound assumptions.

Patch by Alexey Sidorin!

Differential Revision: https://reviews.llvm.org/D21978

llvm-svn: 278937
2016-08-17 15:37:52 +00:00
Anton Yartsev 8a88b90817 [analyzer] Fix for PR23790 : constrain return value of strcmp() rather than returning a concrete value.
The function strcmp() can return any value, not just {-1,0,1} : "The strcmp(const char *s1, const char *s2) function returns an integer greater than, equal to, or less than zero, accordingly as the string pointed to by s1 is greater than, equal to, or less than the string pointed to by s2." [C11 7.24.4.2p3]
https://llvm.org/bugs/show_bug.cgi?id=23790
http://reviews.llvm.org/D16317

llvm-svn: 270154
2016-05-19 23:03:49 +00:00
Devin Coughlin 480a0c00ca [analyzer] Avoid crash when attempting to evaluate binary operation on LazyCompoundVal.
Instead, return UnknownValue if either operand is a nonloc::LazyCompoundVal. This is a
spot fix for PR 24951.

rdar://problem/23682244

llvm-svn: 260066
2016-02-08 00:28:24 +00:00
Jordan Rose 60619a639b [analyzer] Assume that strings are no longer than SIZE_MAX/4.
This keeps the analyzer from making silly assumptions, like thinking
strlen(foo)+1 could wrap around to 0. This fixes PR16558.

Patch by Karthik Bhat!

llvm-svn: 188680
2013-08-19 16:27:34 +00:00
Jordan Rose 6e3cf2ba85 [analyzer] Model strsep(), particularly that it returns its input.
This handles the false positive leak warning in PR15374, and also serves
as a basic model for the strsep() function.

llvm-svn: 180069
2013-04-22 23:18:42 +00:00
Jordan Rose 28c68a2d07 [analyzer] Don't invalidate globals when there's no call involved.
This fixes some mistaken condition logic in RegionStore that caused
global variables to be invalidated when /any/ region was invalidated,
rather than only as part of opaque function calls. This was only
being used by CStringChecker, and so users will now see that strcpy()
and friends do not invalidate global variables.

Also, add a test case we don't handle properly: explicitly-assigned
global variables aren't being invalidated by opaque calls. This is
being tracked by <rdar://problem/13464044>.

llvm-svn: 177572
2013-03-20 20:36:01 +00:00
Anna Zaks bda130f02a [analyzer] Use isLiveRegion to determine when SymbolRegionValue is dead.
Fixes a FIXME, improves dead symbol collection, suppresses a false positive,
which resulted from reusing the same symbol twice for simulation of 2 calls to the same function.

Fixing this lead to 2 possible false negatives in CString checker. Since the checker is still alpha and
the solution will not require revert of this commit, move the tests to a FIXME section.

llvm-svn: 177206
2013-03-15 23:34:29 +00:00
Ted Kremenek 722398f1d4 Fix analyzer tests.
llvm-svn: 162588
2012-08-24 20:39:55 +00:00
Jordy Rose 5934226067 [analyzer] Fix test for PR12206, which was failing on i386.
llvm-svn: 156941
2012-05-16 20:29:44 +00:00
Anna Zaks f8be8595ae [analyzer] Revert a regression committed in r156920.
This breaks the build with -triple i386-apple-darwin9.

llvm-svn: 156932
2012-05-16 18:46:25 +00:00
Jordy Rose 6d5a8caac3 [analyzer] Convert many existing tests to use clang_analyzer_eval.
llvm-svn: 156920
2012-05-16 16:01:10 +00:00
Jordy Rose 459d5f62c2 [analyzer] strncpy: Special-case a length of 0 to avoid an incorrect warning.
We check the address of the last element accessed, but with 0 calculating that
address results in element -1. This patch bails out early (and avoids a bunch
of other work at that).

Fixes PR12807.

llvm-svn: 156769
2012-05-14 17:58:35 +00:00
Jordy Rose d23232975f [analyzer] Equality ops are like relational ops in that the arguments shouldn't be converted to the result type. Fixes PR12206 and dupe PR12510.
This was probably the original intent of r133041 (also me, a year ago).

llvm-svn: 156062
2012-05-03 07:34:01 +00:00
Anna Zaks 0cdce4df76 [analyzer] Turn on by default the Malloc Checker and a couple of CString
checks:

- unix.Malloc - Checks for memory leaks, double free, use-after-free.
- unix.cstring.NullArg - Checks for null pointers passed as arguments to
CString functions + evaluates CString functions.
- unix.cstring.BadSizeArg - Checks for common anti-patterns in
strncat size argument.

llvm-svn: 150988
2012-02-20 21:10:37 +00:00
Anna Zaks e0c7c27473 [analyzer] Allow each CString check to be enabled/disabled
separately.

llvm-svn: 149947
2012-02-07 00:56:14 +00:00
Anna Zaks 87b6ff09f9 [analyzer] Add checks for common anti-patterns in strncat.
(Since this is syntax only, might be a good candidate for turning into a
compiler warning.)

llvm-svn: 149407
2012-01-31 19:33:39 +00:00
Anna Zaks 6228130099 [analyzer] RegionStoreManager::getBinding() should not crash when
looking up value at a CodeTextRegion even when the type is not provided.

llvm-svn: 148079
2012-01-13 00:56:48 +00:00
Anna Zaks 5f847144d1 [analyzer] Do not invalidate arguments when the parameter's
type is a pointer to const. (radar://10595327)

The regions corresponding to the pointer and reference arguments to
a function get invalidated by the calls since a function call can
possibly modify the pointed to data. With this change, we are not going
to invalidate the data if the argument is a pointer to const. This
change makes the analyzer more optimistic in reporting errors.
(Support for C, C++ and Obj C)

llvm-svn: 147002
2011-12-20 22:35:30 +00:00
Anna Zaks 7c96b7db96 [analyzer] CStringChecker should not rely on the analyzer generating UndefOrUnknown value when it cannot reason about the expression.
We are now often generating expressions even if the solver is not known to be able to simplify it. This is another cleanup of the existing code, where the rest of the analyzer and checkers should not base their logic on knowing ahead of the time what the solver can reason about. 

In this case, CStringChecker is performing a check for overflow of 'left+right' operation. The overflow can be checked with either 'maxVal-left' or 'maxVal-right'. Previously, the decision was based on whether the expresion evaluated to undef or not. With this patch, we check if one of the arguments is a constant, in which case we know that 'maxVal-const' is easily simplified. (Another option is to use canReasonAbout() method of the solver here, however, it's currently is protected.)

This patch also contains 2 small bug fixes:
 - swap the order of operators inside SValBuilder::makeGenericVal.
 - handle a case when AddeVal is unknown in GenericTaintChecker::getPointedToSymbol.

llvm-svn: 146343
2011-12-11 18:43:40 +00:00
Ted Kremenek 3f955e6d89 [analyzer] rename all experimental checker packages to have 'experimental' be the common root package.
llvm-svn: 136835
2011-08-03 23:14:55 +00:00
Jordy Rose 7770a8c6c5 [analyzer] strnlen isn't a builtin, don't test for it
llvm-svn: 133994
2011-06-28 05:34:40 +00:00
Jordy Rose b41f7c55f5 [analyzer] Finish size argument checking for strncat (and strncpy).
llvm-svn: 133472
2011-06-20 21:55:40 +00:00
Jordy Rose 328deeed7f [analyzer] Re-enable checking for strncpy, along with a new validation of the size argument. strncat is not yet up-to-date, but I'm leaving it enabled for now (there shouldn't be any false positives, at least...)
llvm-svn: 133408
2011-06-20 03:49:16 +00:00
Jordy Rose dceb0cf3f3 [analyzer] Eliminate "byte string function" from CStringChecker's diagnostics, and make it easier to provide custom messages for overflow checking, in preparation for re-enabling strncpy checking.
llvm-svn: 133406
2011-06-20 02:06:40 +00:00
Jordy Rose c026370858 [analyzer] Clean up modeling of strcmp, including cases where a string literal has an embedded null character, and where both arguments are the same buffer. Also use nested ifs rather than early returns; in this case early returns will lose any assumptions we've made earlier in the function.
llvm-svn: 133154
2011-06-16 07:13:34 +00:00
Jordy Rose 634c12d23f [analyzer] Revise CStringChecker's modelling of strcpy() and strcat():
- (bounded copies) Be more conservative about how much is being copied.
- (str(n)cat) If we can't compute the exact final length of an append operation, we can still lower-bound it.
- (stpcpy) Fix the conjured return value at the end to actually be returned.

This requires these supporting changes:
- C string metadata symbols are still live even when buried in a SymExpr.
- "Hypothetical" C string lengths, to represent a value that /will/ be passed to setCStringLength() if all goes well. (The idea is to allow for temporary constrainable symbols that may end up becoming permanent.)
- The 'checkAdditionOverflow' helper makes sure that the two strings being appended in a strcat don't overflow size_t. This should never *actually* happen; the real effect is to keep the final string length from "wrapping around" in the constraint manager.

This doesn't actually test the "bounded" operations (strncpy and strncat) because they can leave strings unterminated. Next on the list!

llvm-svn: 133046
2011-06-15 05:52:56 +00:00
Jordy Rose bc7483f505 [analyzer] CStringChecker checks functions in the C standard library, not C++. Its external name is now unix.experimental.CString.
llvm-svn: 132958
2011-06-14 01:40:43 +00:00