Commit Graph

131 Commits

Author SHA1 Message Date
Balázs Kéri 60f3b07118 [clang][analyzer] Add checker for bad use of 'errno'.
Extend checker 'ErrnoModeling' with a state of 'errno' to indicate
the importance of the 'errno' value and how it should be used.
Add a new checker 'ErrnoChecker' that observes use of 'errno' and
finds possible wrong uses, based on the "errno state".
The "errno state" should be set (together with value of 'errno')
by other checkers (that perform modeling of the given function)
in the future. Currently only a test function can set this value.
The new checker has no user-observable effect yet.

Reviewed By: martong, steakhal

Differential Revision: https://reviews.llvm.org/D122150
2022-06-20 10:07:31 +02:00
Hans Wennborg 166f9be330 Update old mailing list link in the nullability doc 2022-06-03 14:23:41 +02:00
Balazs Benics 3a7a465def [analyzer][docs] Fix typo in checker name
Fixes #55720
2022-05-27 10:07:06 +02:00
Brian Tracy 87a55137e2 Fix "the the" typo in documentation and user facing strings
There are many more instances of this pattern, but I chose to limit this change to .rst files (docs), anything in libcxx/include, and string literals. These have the highest chance of being seen by end users.

Reviewed By: #libc, Mordante, martong, ldionne

Differential Revision: https://reviews.llvm.org/D124708
2022-05-05 17:52:08 +02:00
Balazs Benics 464c9833df [analyzer][docs] Document alpha.security.cert.pos.34c limitations
Reviewed By: martong

Differential Revision: https://reviews.llvm.org/D124659
2022-05-02 10:37:23 +02:00
Vince Bridgers 3566bbe62f [analyzer] Add option for AddrSpace in core.NullDereference check
This change adds an option to detect all null dereferences for
    non-default address spaces, except for address spaces 256, 257 and 258.
    Those address spaces are special since null dereferences are not errors.

    All address spaces can be considered (except for 256, 257, and 258) by
    using -analyzer-config
    core.NullDereference:DetectAllNullDereferences=true. This option is
    false by default, retaining the original behavior.

    A LIT test was enhanced to cover this case, and the rst documentation
    was updated to describe this behavior.

Reviewed By: steakhal

Differential Revision: https://reviews.llvm.org/D122841
2022-04-24 03:51:49 -05:00
Ella Ma 9f90254286 [analyzer][ctu] Fix wrong 'multiple definitions' errors caused by space characters in lookup names when parsing the ctu index file
This error was found when analyzing MySQL with CTU enabled.

When there are space characters in the lookup name, the current
delimiter searching strategy will make the file path wrongly parsed.
And when two lookup names have the same prefix before their first space
characters, a 'multiple definitions' error will be wrongly reported.

e.g. The lookup names for the two lambda exprs in the test case are
`c:@S@G@F@G#@Sa@F@operator int (*)(char)#1` and
`c:@S@G@F@G#@Sa@F@operator bool (*)(char)#1` respectively. And their
prefixes are both `c:@S@G@F@G#@Sa@F@operator` when using the first space
character as the delimiter.

Solving the problem by adding a length for the lookup name, making the
index items in the format of `<USR-Length>:<USR File> <Path>`.

---

In the test case of this patch, we found that it will trigger a "triple
mismatch" warning when using `clang -cc1` to analyze the source file
with CTU using the on-demand-parsing strategy in Darwin systems. And
this problem is also encountered in D75665, which is the patch
introducing the on-demand parsing strategy.
We temporarily bypass this problem by using the loading-ast-file
strategy.

Refer to the [discourse topic](https://discourse.llvm.org/t/60762) for
more details.

Differential Revision: https://reviews.llvm.org/D102669
2022-03-22 10:28:42 +08:00
Endre Fülöp 4fd6c6e65a [analyzer] Add more propagations to Taint analysis
Add more functions as taint propators to GenericTaintChecker.

Reviewed By: steakhal

Differential Revision: https://reviews.llvm.org/D120369
2022-03-07 13:18:54 +01:00
Aaron Ballman 6afe035404 Revert "[analyzer] Done some changes to detect Uninitialized read by the char array manipulation functions"
This reverts commit 9c300c18a4.

This broke the sphinx bot and seems like an unintentional commit.
2022-03-04 07:21:52 -05:00
phyBrackets 9c300c18a4 [analyzer] Done some changes to detect Uninitialized read by the char array manipulation functions
Few weeks back I was experimenting with reading the uninitialized values from src , which is actually a bug but the CSA seems to give up at that point . I was curious about that and I pinged @steakhal on the discord and according to him this seems to be a genuine issue and needs to be fix. So I goes with fixing this bug and thanks to @steakhal who help me creating this patch. This feature seems to break some tests but this was the genuine problem and the broken tests also needs to fix in certain manner. I add a test but yeah we need more tests,I'll try to add more tests.Thanks

Reviewed By: steakhal, NoQ

Differential Revision: https://reviews.llvm.org/D120489
2022-03-04 12:17:58 +05:30
Aaron Ballman d74a3a514c Fixed sphinx build due to indentation 2022-03-03 16:03:05 -05:00
Shivam bd1917c88a [analyzer] Done some changes to detect Uninitialized read by the char array manipulation functions
Few weeks back I was experimenting with reading the uninitialized values from src , which is actually a bug but the CSA seems to give up at that point . I was curious about that and I pinged @steakhal on the discord and according to him this seems to be a genuine issue and needs to be fix. So I goes with fixing this bug and thanks to @steakhal who help me creating this patch. This feature seems to break some tests but this was the genuine problem and the broken tests also needs to fix in certain manner. I add a test but yeah we need more tests,I'll try to add more tests.Thanks

Reviewed By: steakhal, NoQ

Differential Revision: https://reviews.llvm.org/D120489
2022-03-03 23:21:26 +05:30
Endre Fülöp 34a7387986 [analyzer] Add more sources to Taint analysis
Add more functions as taint sources to GenericTaintChecker.

Reviewed By: steakhal

Differential Revision: https://reviews.llvm.org/D120236
2022-02-28 11:33:02 +01:00
Tom Stellard a2601c9887 Bump the trunk major version to 15 2022-02-01 23:54:52 -08:00
Gabor Marton 280b43031c [Analyzer] Add docs to StdCLibraryFunctionArgsChecker
Differential Revision: https://reviews.llvm.org/D117568
2022-01-31 11:25:31 +01:00
Nico Weber 770ef94097 Revert "[analyzer][ctu] Fix wrong 'multiple definitions' errors caused by space characters in lookup names when parsing the ctu index file"
This reverts commit 333d66b094.
Breaks tests on macOS, see comments on https://reviews.llvm.org/D102669
2021-12-16 20:46:51 -05:00
Ella Ma 333d66b094 [analyzer][ctu] Fix wrong 'multiple definitions' errors caused by space characters in lookup names when parsing the ctu index file
This error was found when analyzing MySQL with CTU enabled.

When there are space characters in the lookup name, the current
delimiter searching strategy will make the file path wrongly parsed.
And when two lookup names have the same prefix before their first space
characters, a 'multiple definitions' error will be wrongly reported.

e.g. The lookup names for the two lambda exprs in the test case are
`c:@S@G@F@G#@Sa@F@operator int (*)(char)#1` and
`c:@S@G@F@G#@Sa@F@operator bool (*)(char)#1` respectively. And their
prefixes are both `c:@S@G@F@G#@Sa@F@operator` when using the first space
character as the delimiter.

Solving the problem by adding a length for the lookup name, making the
index items in the format of `USR-Length:USR File-Path`.

Reviewed By: steakhal

Differential Revision: https://reviews.llvm.org/D102669
2021-12-16 17:47:59 +01:00
Endre Fülöp 4aac00a71d [analyzer][doc] Add user documenation for taint analysis
Checker alpha.security.taint.TaintPropagation now has user documentation for
taint analysis with an example showing external YAML configuration format.
The format of the taint configuration file is now documented under the user
documentation of Clang SA.

Differential Revision: https://reviews.llvm.org/D113251
2021-11-28 23:36:47 +01:00
Balazs Benics bf55b9f0d0 [analyzer][docs] Ellaborate the docs of cplusplus.StringChecker
Let's describe accurately what the users can expect from the checker in
a direct way.
Also, add an example warning message.

Reviewed By: martong, Szelethus

Differential Revision: https://reviews.llvm.org/D113401
2021-11-19 11:59:46 +01:00
Shao-Ce SUN 0c660256eb [NFC] Trim trailing whitespace in *.rst 2021-11-15 09:17:08 +08:00
Kristóf Umann 8cc2de667e [analyzer][docs] Fix the incorrect structure of the checker docs
The alpha.security.cert section came right after alpha.security, making it look
like checkers like alpha.security.MmapWriteExec belonged to that package.

Differential Revision: https://reviews.llvm.org/D113397
2021-11-09 15:26:00 +01:00
Balazs Benics e1fdec875f [analyzer] Add std::string checker
This patch adds a checker checking `std::string` operations.
At first, it only checks the `std::string` single `const char *`
constructor for nullness.
If It might be `null`, it will constrain it to non-null and place a note
tag there.

Reviewed By: martong

Differential Revision: https://reviews.llvm.org/D111247
2021-10-25 11:15:40 +02:00
Kazu Hirata d8e4170b0a Ensure newlines at the end of files (NFC) 2021-10-23 08:45:29 -07:00
Aaron Ballman 939712734a Fix some Sphinx warnings in the static analyzer docs
A heading wasn't underlined properly, and two links share the same text
and so they should use an anonymous hyperlink instead of a named one.
2021-10-05 16:43:55 -04:00
Zurab Tsinadze 811b1736d9 [analyzer] Add InvalidPtrChecker
This patch introduces a new checker: `alpha.security.cert.env.InvalidPtr`

Checker finds usage of invalidated pointers related to environment.

Based on the following SEI CERT Rules:
ENV34-C: https://wiki.sei.cmu.edu/confluence/x/8tYxBQ
ENV31-C: https://wiki.sei.cmu.edu/confluence/x/5NUxBQ

Reviewed By: martong

Differential Revision: https://reviews.llvm.org/D97699
2021-10-04 17:08:34 +02:00
Deep Majumder 5dee50111c [analyzer] Move docs of SmartPtr to correct subcategory
The docs of alpha.cplusplus.SmartPtr was incorrectly placed under
alpha.deadcode. Moved it to under alpha.cplusplus

Differential Revision: https://reviews.llvm.org/D110032
2021-09-20 20:13:04 +05:30
Balazs Benics 68088563fb [analyzer] MallocOverflow should consider comparisons only preceding malloc
MallocOverflow works in two phases:

1) Collects suspicious malloc calls, whose argument is a multiplication
2) Filters the aggregated list of suspicious malloc calls by iterating
   over the BasicBlocks of the CFG looking for comparison binary
   operators over the variable constituting in any suspicious malloc.

Consequently, it suppressed true-positive cases when the comparison
check was after the malloc call.
In this patch the checker will consider the relative position of the
relation check to the malloc call.

E.g.:

```lang=C++
void *check_after_malloc(int n, int x) {
  int *p = NULL;
  if (x == 42)
    p = malloc(n * sizeof(int)); // Previously **no** warning, now it
                                 // warns about this.

  // The check is after the allocation!
  if (n > 10) {
    // Do something conditionally.
  }
  return p;
}
```

Reviewed By: martong

Differential Revision: https://reviews.llvm.org/D107804
2021-08-27 14:41:26 +02:00
Balazs Benics af79f1bff9 [analyzer] Extend the documentation of MallocOverflow
Previously by following the documentation it was not immediately clear
what the capabilities of this checker are.

In this patch, I add some clarification on when does the checker issue a
report and what it's limitations are.
I'm also advertising suppressing such reports by adding an assertion, as
demonstrated by the test3().
I'm highlighting that this checker might produce an extensive amount of
findings, but it might be still useful for code audits.

Reviewed By: martong

Differential Revision: https://reviews.llvm.org/D107756
2021-08-26 18:15:10 +02:00
Balazs Benics 379b6394d9 Revert "[analyzer] Extend the documentation of MallocOverflow"
This reverts commit 6097a41924.
2021-08-26 15:29:32 +02:00
Balazs Benics 6097a41924 [analyzer] Extend the documentation of MallocOverflow
Previously by following the documentation it was not immediately clear
what the capabilities of this checker are.

In this patch, I add some clarification on when does the checker issue a
report and what it's limitations are.
I'm also advertising suppressing such reports by adding an assertion, as
demonstrated by the test3().
I'm highlighting that this checker might produce an extensive amount of
findings, but it might be still useful for code audits.

Reviewed By: martong

Differential Revision: https://reviews.llvm.org/D107756
2021-08-26 15:20:41 +02:00
Tom Stellard 08c766a731 Bump the trunk major version to 14
and clear the release notes.
2021-07-27 21:58:25 -07:00
Charusso 89d210fe1a [analyzer] DynamicSize: Debug facility
This patch adds two debug functions to ExprInspectionChecker to dump out
the dynamic extent and element count of symbolic values:
dumpExtent(), dumpElementCount().
2021-04-05 19:17:52 +02:00
Balazs Benics 57e149d386 [analyzer][docs][NFC] Fix typo in checkers.rst
Move `alpha.core.BoolAssignment` out of the `alpha.clone` enumeration.

Reviewed By: Szelethus

Differential Revision: https://reviews.llvm.org/D97936
2021-03-10 12:42:23 +01:00
Kazu Hirata 31443f8e86 [clang] Fix typos in documentation (NFC) 2021-03-06 15:52:52 -08:00
Tom Stellard 5369517d20 Bump the trunk major version to 13
and clear the release notes.
2021-01-26 19:37:55 -08:00
Jonas Toth 4e53490047 [NFC][Docs] fix clang-docs compilation 2020-09-24 13:13:38 +02:00
Jan Korous 8a64689e26 [Analyzer][WebKit] UncountedLocalVarsChecker
Differential Review: https://reviews.llvm.org/D83259
2020-09-22 11:05:04 -07:00
Kristóf Umann dd1d5488e4 [analyzer][Liveness][NFC] Get rid of statement liveness, because such a thing doesn't exist
The summary and very short discussion in D82122 summarizes whats happening here.

In short, liveness talks about variables, or expressions, anything that
has a value. Well, statements just simply don't have a one.

Differential Revision: https://reviews.llvm.org/D82598
2020-09-15 17:43:02 +02:00
Kristóf Umann 7c6f5b7fbf [analyzer] Add documentation for alpha.fuchsia.Lock and alpha.core.C11Lock
Differential Revision: https://reviews.llvm.org/D86532
2020-09-15 16:55:44 +02:00
Jan Korous c9239b2bf5 [Analyzer][docs][NFC] Fix typo in code example 2020-09-03 09:28:34 -07:00
Jan Korous 820e8d8656 [Analyzer][WebKit] UncountedLambdaCaptureChecker
Differential Revision: https://reviews.llvm.org/D82837
2020-08-05 15:23:55 -08:00
Hans Wennborg 7ab7b979d2 Bump the trunk major version to 12
and clear the release notes.
2020-07-15 12:05:05 +02:00
Nithin Vadukkumchery Rajendrakumar 20e271a98d [analyzer] Warning for default constructed unique_ptr dereference
Summary: Add support for warning incase of default constructed unique pointer dereferences

Reviewed By: NoQ, Szelethus, vsavchenko, xazax.hun

Tags: #clang

Differential Revision: https://reviews.llvm.org/D81315
2020-07-08 09:51:02 +02:00
Jan Korous a93ff1826b [Analyzer][NFC] Remove prefix from WebKitNoUncountedMemberChecker name 2020-06-15 14:13:56 -07:00
Jan Korous a7eb3692e7 [Analyzer][WebKit] UncountedCallArgsChecker
Differential Revision: https://reviews.llvm.org/D77179
2020-06-15 13:53:36 -07:00
Endre Fülöp 5cc18516c4 [analyzer] On-demand parsing capability for CTU
Summary:
Introduce on-demand parsing of needed ASTs during CTU analysis.
The index-file format is extended, and analyzer-option CTUInvocationList
is added to specify the exact invocations needed to parse the needed
source-files.

Reviewers: martong, balazske, Szelethus, xazax.hun, whisperity

Reviewed By: martong, xazax.hun

Subscribers: gribozavr2, thakis, ASDenysPetrov, ormris, mgorny, whisperity, xazax.hun, baloghadamsoftware, szepet, rnkovacs, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, steakhal, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D75665
2020-06-11 10:56:59 +02:00
Endre Fülöp 435b458ad0 Revert "[analyzer] On-demand parsing capability for CTU"
This reverts commit 97e07d0c35.
Reason: OSX broke for a different reason, this really only seem to work
on linux and very generic windows builds
2020-06-10 17:55:37 +02:00
Endre Fülöp 97e07d0c35 [analyzer] On-demand parsing capability for CTU
Summary:
Introduce on-demand parsing of needed ASTs during CTU analysis.
The index-file format is extended, and analyzer-option CTUInvocationList
is added to specify the exact invocations needed to parse the needed
source-files.

Reviewers: martong, balazske, Szelethus, xazax.hun, whisperity

Reviewed By: martong, xazax.hun

Subscribers: gribozavr2, thakis, ASDenysPetrov, ormris, mgorny, whisperity, xazax.hun, baloghadamsoftware, szepet, rnkovacs, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, steakhal, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D75665
2020-06-10 13:43:51 +02:00
Endre Fülöp c640779494 Revert "[analyzer] On-demand parsing capability for CTU"
This reverts commit 020815fafd.
Reason: PS4 buildbot broke
2020-06-10 10:30:10 +02:00
Endre Fülöp 020815fafd [analyzer] On-demand parsing capability for CTU
Summary:
Introduce on-demand parsing of needed ASTs during CTU analysis.
The index-file format is extended, and analyzer-option CTUInvocationList
is added to specify the exact invocations needed to parse the needed
source-files.

Reviewers: martong, balazske, Szelethus, xazax.hun, whisperity

Reviewed By: martong, xazax.hun

Subscribers: gribozavr2, thakis, ASDenysPetrov, ormris, mgorny, whisperity, xazax.hun, baloghadamsoftware, szepet, rnkovacs, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, steakhal, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D75665
2020-06-10 08:59:04 +02:00