clang  16.0.0git
ErrnoModeling.cpp
Go to the documentation of this file.
1 //=== ErrnoModeling.cpp -----------------------------------------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This defines a checker `ErrnoModeling`, which is used to make the system
10 // value 'errno' available to other checkers.
11 // The 'errno' value is stored at a special memory region that is accessible
12 // through the `errno_modeling` namespace. The memory region is either the
13 // region of `errno` itself if it is a variable, otherwise an artifically
14 // created region (in the system memory space). If `errno` is defined by using
15 // a function which returns the address of it (this is always the case if it is
16 // not a variable) this function is recognized and evaluated. In this way
17 // `errno` becomes visible to the analysis and checkers can change its value.
18 //
19 //===----------------------------------------------------------------------===//
20 
21 #include "ErrnoModeling.h"
22 #include "clang/AST/ParentMapContext.h"
23 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
24 #include "clang/StaticAnalyzer/Core/Checker.h"
25 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
26 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
27 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
28 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
29 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
30 #include "llvm/ADT/STLExtras.h"
31 
32 using namespace clang;
33 using namespace ento;
34 
35 namespace {
36 
37 // Name of the "errno" variable.
38 // FIXME: Is there a system where it is not called "errno" but is a variable?
39 const char *ErrnoVarName = "errno";
40 // Names of functions that return a location of the "errno" value.
41 // FIXME: Are there other similar function names?
42 const char *ErrnoLocationFuncNames[] = {"__errno_location", "___errno",
43  "__errno", "_errno", "__error"};
44 
45 class ErrnoModeling
46  : public Checker<check::ASTDecl<TranslationUnitDecl>, check::BeginFunction,
47  check::LiveSymbols, eval::Call> {
48 public:
49  void checkASTDecl(const TranslationUnitDecl *D, AnalysisManager &Mgr,
50  BugReporter &BR) const;
51  void checkBeginFunction(CheckerContext &C) const;
52  void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const;
53  bool evalCall(const CallEvent &Call, CheckerContext &C) const;
54 
55  // The declaration of an "errno" variable or "errno location" function.
56  mutable const Decl *ErrnoDecl = nullptr;
57 
58 private:
59  // FIXME: Names from `ErrnoLocationFuncNames` are used to build this set.
60  CallDescriptionSet ErrnoLocationCalls{{"__errno_location", 0, 0},
61  {"___errno", 0, 0},
62  {"__errno", 0, 0},
63  {"_errno", 0, 0},
64  {"__error", 0, 0}};
65 };
66 
67 } // namespace
68 
69 /// Store a MemRegion that contains the 'errno' integer value.
70 /// The value is null if the 'errno' value was not recognized in the AST.
71 REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoRegion, const MemRegion *)
72 
73 REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoState, errno_modeling::ErrnoCheckState)
74 
75 /// Search for a variable called "errno" in the AST.
76 /// Return nullptr if not found.
77 static const VarDecl *getErrnoVar(ASTContext &ACtx) {
78  IdentifierInfo &II = ACtx.Idents.get(ErrnoVarName);
79  auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
80  auto Found = llvm::find_if(LookupRes, [&ACtx](const Decl *D) {
81  if (auto *VD = dyn_cast<VarDecl>(D))
82  return ACtx.getSourceManager().isInSystemHeader(VD->getLocation()) &&
83  VD->hasExternalStorage() &&
84  VD->getType().getCanonicalType() == ACtx.IntTy;
85  return false;
86  });
87  if (Found == LookupRes.end())
88  return nullptr;
89 
90  return cast<VarDecl>(*Found);
91 }
92 
93 /// Search for a function with a specific name that is used to return a pointer
94 /// to "errno".
95 /// Return nullptr if no such function was found.
96 static const FunctionDecl *getErrnoFunc(ASTContext &ACtx) {
97  SmallVector<const Decl *> LookupRes;
98  for (StringRef ErrnoName : ErrnoLocationFuncNames) {
99  IdentifierInfo &II = ACtx.Idents.get(ErrnoName);
100  llvm::append_range(LookupRes, ACtx.getTranslationUnitDecl()->lookup(&II));
101  }
102 
103  auto Found = llvm::find_if(LookupRes, [&ACtx](const Decl *D) {
104  if (auto *FD = dyn_cast<FunctionDecl>(D))
105  return ACtx.getSourceManager().isInSystemHeader(FD->getLocation()) &&
106  FD->isExternC() && FD->getNumParams() == 0 &&
107  FD->getReturnType().getCanonicalType() ==
108  ACtx.getPointerType(ACtx.IntTy);
109  return false;
110  });
111  if (Found == LookupRes.end())
112  return nullptr;
113 
114  return cast<FunctionDecl>(*Found);
115 }
116 
117 void ErrnoModeling::checkASTDecl(const TranslationUnitDecl *D,
118  AnalysisManager &Mgr, BugReporter &BR) const {
119  // Try to find an usable `errno` value.
120  // It can be an external variable called "errno" or a function that returns a
121  // pointer to the "errno" value. This function can have different names.
122  // The actual case is dependent on the C library implementation, we
123  // can only search for a match in one of these variations.
124  // We assume that exactly one of these cases might be true.
125  ErrnoDecl = getErrnoVar(Mgr.getASTContext());
126  if (!ErrnoDecl)
127  ErrnoDecl = getErrnoFunc(Mgr.getASTContext());
128 }
129 
130 void ErrnoModeling::checkBeginFunction(CheckerContext &C) const {
131  if (!C.inTopFrame())
132  return;
133 
134  ASTContext &ACtx = C.getASTContext();
135  ProgramStateRef State = C.getState();
136 
137  if (const auto *ErrnoVar = dyn_cast_or_null<VarDecl>(ErrnoDecl)) {
138  // There is an external 'errno' variable.
139  // Use its memory region.
140  // The memory region for an 'errno'-like variable is allocated in system
141  // space by MemRegionManager.
142  const MemRegion *ErrnoR =
143  State->getRegion(ErrnoVar, C.getLocationContext());
144  assert(ErrnoR && "Memory region should exist for the 'errno' variable.");
145  State = State->set<ErrnoRegion>(ErrnoR);
146  State =
147  errno_modeling::setErrnoValue(State, C, 0, errno_modeling::Irrelevant);
148  C.addTransition(State);
149  } else if (ErrnoDecl) {
150  assert(isa<FunctionDecl>(ErrnoDecl) && "Invalid errno location function.");
151  // There is a function that returns the location of 'errno'.
152  // We must create a memory region for it in system space.
153  // Currently a symbolic region is used with an artifical symbol.
154  // FIXME: It is better to have a custom (new) kind of MemRegion for such
155  // cases.
156  SValBuilder &SVB = C.getSValBuilder();
157  MemRegionManager &RMgr = C.getStateManager().getRegionManager();
158 
159  const MemSpaceRegion *GlobalSystemSpace =
160  RMgr.getGlobalsRegion(MemRegion::GlobalSystemSpaceRegionKind);
161 
162  // Create an artifical symbol for the region.
163  // It is not possible to associate a statement or expression in this case.
164  const SymbolConjured *Sym = SVB.conjureSymbol(
165  nullptr, C.getLocationContext(),
166  ACtx.getLValueReferenceType(ACtx.IntTy), C.blockCount(), &ErrnoDecl);
167 
168  // The symbolic region is untyped, create a typed sub-region in it.
169  // The ElementRegion is used to make the errno region a typed region.
170  const MemRegion *ErrnoR = RMgr.getElementRegion(
171  ACtx.IntTy, SVB.makeZeroArrayIndex(),
172  RMgr.getSymbolicRegion(Sym, GlobalSystemSpace), C.getASTContext());
173  State = State->set<ErrnoRegion>(ErrnoR);
174  State =
175  errno_modeling::setErrnoValue(State, C, 0, errno_modeling::Irrelevant);
176  C.addTransition(State);
177  }
178 }
179 
180 bool ErrnoModeling::evalCall(const CallEvent &Call, CheckerContext &C) const {
181  // Return location of "errno" at a call to an "errno address returning"
182  // function.
183  if (ErrnoLocationCalls.contains(Call)) {
184  ProgramStateRef State = C.getState();
185 
186  const MemRegion *ErrnoR = State->get<ErrnoRegion>();
187  if (!ErrnoR)
188  return false;
189 
190  State = State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
191  loc::MemRegionVal{ErrnoR});
192  C.addTransition(State);
193  return true;
194  }
195 
196  return false;
197 }
198 
199 void ErrnoModeling::checkLiveSymbols(ProgramStateRef State,
200  SymbolReaper &SR) const {
201  // The special errno region should never garbage collected.
202  if (const auto *ErrnoR = State->get<ErrnoRegion>())
203  SR.markLive(ErrnoR);
204 }
205 
206 namespace clang {
207 namespace ento {
208 namespace errno_modeling {
209 
210 Optional<SVal> getErrnoValue(ProgramStateRef State) {
211  const MemRegion *ErrnoR = State->get<ErrnoRegion>();
212  if (!ErrnoR)
213  return {};
214  QualType IntTy = State->getAnalysisManager().getASTContext().IntTy;
215  return State->getSVal(ErrnoR, IntTy);
216 }
217 
218 ProgramStateRef setErrnoValue(ProgramStateRef State,
219  const LocationContext *LCtx, SVal Value,
220  ErrnoCheckState EState) {
221  const MemRegion *ErrnoR = State->get<ErrnoRegion>();
222  if (!ErrnoR)
223  return State;
224  // First set the errno value, the old state is still available at 'checkBind'
225  // or 'checkLocation' for errno value.
226  State = State->bindLoc(loc::MemRegionVal{ErrnoR}, Value, LCtx);
227  return State->set<ErrnoState>(EState);
228 }
229 
230 ProgramStateRef setErrnoValue(ProgramStateRef State, CheckerContext &C,
231  uint64_t Value, ErrnoCheckState EState) {
232  const MemRegion *ErrnoR = State->get<ErrnoRegion>();
233  if (!ErrnoR)
234  return State;
235  State = State->bindLoc(
236  loc::MemRegionVal{ErrnoR},
237  C.getSValBuilder().makeIntVal(Value, C.getASTContext().IntTy),
238  C.getLocationContext());
239  return State->set<ErrnoState>(EState);
240 }
241 
242 Optional<Loc> getErrnoLoc(ProgramStateRef State) {
243  const MemRegion *ErrnoR = State->get<ErrnoRegion>();
244  if (!ErrnoR)
245  return {};
246  return loc::MemRegionVal{ErrnoR};
247 }
248 
249 ProgramStateRef setErrnoState(ProgramStateRef State, ErrnoCheckState EState) {
250  return State->set<ErrnoState>(EState);
251 }
252 
253 ErrnoCheckState getErrnoState(ProgramStateRef State) {
254  return State->get<ErrnoState>();
255 }
256 
257 bool isErrno(const Decl *D) {
258  if (const auto *VD = dyn_cast_or_null<VarDecl>(D))
259  if (const IdentifierInfo *II = VD->getIdentifier())
260  return II->getName() == ErrnoVarName;
261  if (const auto *FD = dyn_cast_or_null<FunctionDecl>(D))
262  if (const IdentifierInfo *II = FD->getIdentifier())
263  return llvm::is_contained(ErrnoLocationFuncNames, II->getName());
264  return false;
265 }
266 
267 const char *describeErrnoCheckState(ErrnoCheckState CS) {
268  assert(CS == errno_modeling::MustNotBeChecked &&
269  "Errno description not applicable.");
270  return "may be undefined after the call and should not be used";
271 }
272 
273 const NoteTag *getErrnoNoteTag(CheckerContext &C, const std::string &Message) {
274  return C.getNoteTag([Message](PathSensitiveBugReport &BR) -> std::string {
275  const MemRegion *ErrnoR = BR.getErrorNode()->getState()->get<ErrnoRegion>();
276  if (ErrnoR && BR.isInteresting(ErrnoR)) {
277  BR.markNotInteresting(ErrnoR);
278  return Message;
279  }
280  return "";
281  });
282 }
283 
284 ProgramStateRef setErrnoForStdSuccess(ProgramStateRef State,
285  CheckerContext &C) {
286  return setErrnoState(State, MustNotBeChecked);
287 }
288 
289 ProgramStateRef setErrnoForStdFailure(ProgramStateRef State, CheckerContext &C,
290  NonLoc ErrnoSym) {
291  SValBuilder &SVB = C.getSValBuilder();
292  NonLoc ZeroVal = SVB.makeZeroVal(C.getASTContext().IntTy).castAs<NonLoc>();
293  DefinedOrUnknownSVal Cond =
294  SVB.evalBinOp(State, BO_NE, ErrnoSym, ZeroVal, SVB.getConditionType())
295  .castAs<DefinedOrUnknownSVal>();
296  State = State->assume(Cond, true);
297  if (!State)
298  return nullptr;
299  return setErrnoValue(State, C.getLocationContext(), ErrnoSym, Irrelevant);
300 }
301 
302 const NoteTag *getNoteTagForStdSuccess(CheckerContext &C, llvm::StringRef Fn) {
303  return getErrnoNoteTag(
304  C, (Twine("Assuming that function '") + Twine(Fn) +
305  Twine("' is successful, in this case the value 'errno' ") +
306  Twine(describeErrnoCheckState(MustNotBeChecked)))
307  .str());
308 }
309 
310 } // namespace errno_modeling
311 } // namespace ento
312 } // namespace clang
313 
314 void ento::registerErrnoModeling(CheckerManager &mgr) {
315  mgr.registerChecker<ErrnoModeling>();
316 }
317 
318 bool ento::shouldRegisterErrnoModeling(const CheckerManager &mgr) {
319  return true;
320 }
clang::ento::SValBuilder::evalBinOp
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
Definition: SValBuilder.cpp:484
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
CallDescription.h
SVals.h
string
string(SUBSTRING ${CMAKE_CURRENT_BINARY_DIR} 0 ${PATH_LIB_START} PATH_HEAD) string(SUBSTRING $
Definition: CMakeLists.txt:22
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:100
clang::ento::NonLoc
Definition: SVals.h:266
clang::ento::errno_modeling::Irrelevant
@ Irrelevant
We do not know anything about 'errno'.
Definition: ErrnoModeling.h:28
clang::ento::DefinedOrUnknownSVal
Definition: SVals.h:221
llvm::SmallVector
Definition: LLVM.h:38
clang::IdentifierTable::get
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
Definition: IdentifierTable.h:597
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:737
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:56
llvm::Optional
Definition: LLVM.h:40
clang::ento::SValBuilder::makeZeroVal
DefinedOrUnknownSVal makeZeroVal(QualType type)
Construct an SVal representing '0' for the specified type.
Definition: SValBuilder.cpp:63
getErrnoFunc
static const FunctionDecl * getErrnoFunc(ASTContext &ACtx)
Search for a function with a specific name that is used to return a pointer to "errno".
Definition: ErrnoModeling.cpp:96
ErrnoModeling.h
clang::ento::loc::MemRegionVal
Definition: SVals.h:506
clang::ASTContext::getSourceManager
SourceManager & getSourceManager()
Definition: ASTContext.h:721
clang::ASTContext::getTranslationUnitDecl
TranslationUnitDecl * getTranslationUnitDecl() const
Definition: ASTContext.h:1089
getErrnoVar
static const VarDecl * getErrnoVar(ASTContext &ACtx)
Store a MemRegion that contains the 'errno' integer value.
Definition: ErrnoModeling.cpp:77
REGISTER_TRAIT_WITH_PROGRAMSTATE
#define REGISTER_TRAIT_WITH_PROGRAMSTATE(Name, Type)
Declares a program state trait for type Type called Name, and introduce a type named NameTy.
Definition: ProgramStateTrait.h:34
ParentMapContext.h
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:95
clang::TranslationUnitDecl
The top declaration context.
Definition: Decl.h:80
BuiltinCheckerRegistration.h
clang::ento::errno_modeling::getErrnoNoteTag
const NoteTag * getErrnoNoteTag(CheckerContext &C, const std::string &Message)
Create a NoteTag that displays the message if the 'errno' memory region is marked as interesting,...
Definition: ErrnoModeling.cpp:273
hlsl::uint64_t
unsigned long uint64_t
Definition: hlsl_basic_types.h:25
clang::ento::errno_modeling::getNoteTagForStdSuccess
const NoteTag * getNoteTagForStdSuccess(CheckerContext &C, llvm::StringRef Fn)
Generate the note tag that can be applied at the state generated by setErrnoForStdSuccess .
Definition: ErrnoModeling.cpp:302
CheckerManager.h
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:209
clang::ento::PathSensitiveBugReport::getErrorNode
const ExplodedNode * getErrorNode() const
Definition: BugReporter.h:402
clang::ento::errno_modeling::setErrnoState
ProgramStateRef setErrnoState(ProgramStateRef State, ErrnoCheckState EState)
Set the errno check state, do not modify the errno value.
Definition: ErrnoModeling.cpp:249
clang::ento::errno_modeling::setErrnoForStdSuccess
ProgramStateRef setErrnoForStdSuccess(ProgramStateRef State, CheckerContext &C)
Set errno state for the common case when a standard function is successful.
Definition: ErrnoModeling.cpp:284
clang::ento::errno_modeling::describeErrnoCheckState
const char * describeErrnoCheckState(ErrnoCheckState CS)
Produce a textual description about how errno is allowed to be used (in a ErrnoCheckState).
Definition: ErrnoModeling.cpp:267
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:906
clang::ento::errno_modeling::MustNotBeChecked
@ MustNotBeChecked
Value of 'errno' is not allowed to be read, it can contain an unspecified value.
Definition: ErrnoModeling.h:41
clang::ento::errno_modeling::setErrnoValue
ProgramStateRef setErrnoValue(ProgramStateRef State, const LocationContext *LCtx, SVal Value, ErrnoCheckState EState)
Set value of 'errno' to any SVal, if possible.
Definition: ErrnoModeling.cpp:218
clang::ento::errno_modeling::ErrnoCheckState
ErrnoCheckState
Describe how reads and writes of errno are handled by the checker.
Definition: ErrnoModeling.h:25
clang::ento::SValBuilder
Definition: SValBuilder.h:53
clang::ento::errno_modeling::getErrnoValue
Optional< SVal > getErrnoValue(ProgramStateRef State)
Returns the value of 'errno', if 'errno' was found in the AST.
Definition: ErrnoModeling.cpp:210
clang::ento::errno_modeling::setErrnoForStdFailure
ProgramStateRef setErrnoForStdFailure(ProgramStateRef State, CheckerContext &C, NonLoc ErrnoSym)
Set errno state for the common case when a standard function fails.
Definition: ErrnoModeling.cpp:289
clang::ASTContext::IntTy
CanQualType IntTy
Definition: ASTContext.h:1116
clang::ento::errno_modeling::isErrno
bool isErrno(const Decl *D)
Determine if a Decl node related to 'errno'.
Definition: ErrnoModeling.cpp:257
clang::ASTContext::Idents
IdentifierTable & Idents
Definition: ASTContext.h:660
Value
Value
Definition: UninitializedValues.cpp:103
clang::Decl
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:83
State
LineState State
Definition: UnwrappedLineFormatter.cpp:1147
clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:85
CheckerContext.h
clang::ASTContext::getLValueReferenceType
QualType getLValueReferenceType(QualType T, bool SpelledAsLValue=true) const
Return the uniqued reference to the type for an lvalue reference to the specified type.
Definition: ASTContext.cpp:3465
ProgramState.h
Checker.h
clang::ento::PathSensitiveBugReport
Definition: BugReporter.h:289
clang
Definition: CalledOnceCheck.h:17
clang::DeclContext::lookup
lookup_result lookup(DeclarationName Name) const
lookup - Find the declarations (if any) with the given Name in this context.
Definition: DeclBase.cpp:1692
clang::SourceManager::isInSystemHeader
bool isInSystemHeader(SourceLocation Loc) const
Returns if a SourceLocation is in a system header.
Definition: SourceManager.h:1504
clang::ento::errno_modeling::getErrnoLoc
Optional< Loc > getErrnoLoc(ProgramStateRef State)
Returns the location that points to the MemoryRegion where the 'errno' value is stored.
Definition: ErrnoModeling.cpp:242
clang::ento::CheckerContext
Definition: CheckerContext.h:23
clang::ento::PathSensitiveBugReport::isInteresting
bool isInteresting(SymbolRef sym) const
Definition: BugReporter.cpp:2369
clang::ASTContext::getPointerType
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
Definition: ASTContext.cpp:3341
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:73
clang::ento::errno_modeling::setErrnoValue
ProgramStateRef setErrnoValue(ProgramStateRef State, CheckerContext &C, uint64_t Value, ErrnoCheckState EState)
Set value of 'errno' to a concrete (signed) integer, if possible.
Definition: ErrnoModeling.cpp:230
clang::interp::Call
bool Call(InterpState &S, CodePtr &PC, const Function *Func)
Definition: Interp.h:1246
clang::ento::SValBuilder::getConditionType
QualType getConditionType() const
Definition: SValBuilder.h:141
clang::ento::errno_modeling::getErrnoState
ErrnoCheckState getErrnoState(ProgramStateRef State)
Returns the errno check state, Errno_Irrelevant if 'errno' was not found (this is not the only case f...
Definition: ErrnoModeling.cpp:253
clang::ento::NoteTag
The tag upon which the TagVisitor reacts.
Definition: BugReporter.h:763
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1904
llvm::IntrusiveRefCntPtr
Definition: LLVM.h:47
Generated on Fri Dec 2 2022 04:07:12 for clang by   doxygen 1.8.17