clang 22.0.0git
ErrnoModeling.cpp
Go to the documentation of this file.
1//=== ErrnoModeling.cpp -----------------------------------------*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines a checker `ErrnoModeling`, which is used to make the system
10// value 'errno' available to other checkers.
11// The 'errno' value is stored at a special memory region that is accessible
12// through the `errno_modeling` namespace. The memory region is either the
13// region of `errno` itself if it is a variable, otherwise an artifically
14// created region (in the system memory space). If `errno` is defined by using
15// a function which returns the address of it (this is always the case if it is
16// not a variable) this function is recognized and evaluated. In this way
17// `errno` becomes visible to the analysis and checkers can change its value.
18//
19//===----------------------------------------------------------------------===//
20
21#include "ErrnoModeling.h"
22#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
23#include "clang/StaticAnalyzer/Core/Checker.h"
24#include "clang/StaticAnalyzer/Core/CheckerManager.h"
25#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
26#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
27#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
28#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
29#include "llvm/ADT/STLExtras.h"
30#include <optional>
31
32using namespace clang;
33using namespace ento;
34
35namespace {
36
37// Name of the "errno" variable.
38// FIXME: Is there a system where it is not called "errno" but is a variable?
39const char *ErrnoVarName = "errno";
40
41// Names of functions that return a location of the "errno" value.
42// FIXME: Are there other similar function names?
43CallDescriptionSet ErrnoLocationCalls{
44 {CDM::CLibrary, {"__errno_location"}, 0, 0},
45 {CDM::CLibrary, {"___errno"}, 0, 0},
46 {CDM::CLibrary, {"__errno"}, 0, 0},
47 {CDM::CLibrary, {"_errno"}, 0, 0},
48 {CDM::CLibrary, {"__error"}, 0, 0}};
49
50class ErrnoModeling
51 : public Checker<check::ASTDecl<TranslationUnitDecl>, check::BeginFunction,
52 check::LiveSymbols, eval::Call> {
53public:
54 void checkASTDecl(const TranslationUnitDecl *D, AnalysisManager &Mgr,
55 BugReporter &BR) const;
56 void checkBeginFunction(CheckerContext &C) const;
57 void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SR) const;
58 bool evalCall(const CallEvent &Call, CheckerContext &C) const;
59
60private:
61 // The declaration of an "errno" variable on systems where errno is
62 // represented by a variable (and not a function that queries its location).
63 mutable const VarDecl *ErrnoDecl = nullptr;
64};
65
66} // namespace
67
68/// Store a MemRegion that contains the 'errno' integer value.
69/// The value is null if the 'errno' value was not recognized in the AST.
70REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoRegion, const MemRegion *)
71
72REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoState, errno_modeling::ErrnoCheckState)
73
74void ErrnoModeling::checkASTDecl(const TranslationUnitDecl *D,
75 AnalysisManager &Mgr, BugReporter &BR) const {
76 // Try to find the declaration of the external variable `int errno;`.
77 // There are also C library implementations, where the `errno` location is
78 // accessed via a function that returns its address; in those environments
79 // this callback has no effect.
80 ASTContext &ACtx = Mgr.getASTContext();
81 IdentifierInfo &II = ACtx.Idents.get(ErrnoVarName);
82 auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
83 auto Found = llvm::find_if(LookupRes, [&ACtx](const Decl *D) {
84 if (auto *VD = dyn_cast<VarDecl>(D))
85 return ACtx.getSourceManager().isInSystemHeader(VD->getLocation()) &&
86 VD->hasExternalStorage() &&
87 VD->getType().getCanonicalType() == ACtx.IntTy;
88 return false;
89 });
90 if (Found != LookupRes.end())
91 ErrnoDecl = cast<VarDecl>(*Found);
92}
93
94void ErrnoModeling::checkBeginFunction(CheckerContext &C) const {
95 if (!C.inTopFrame())
96 return;
97
98 ASTContext &ACtx = C.getASTContext();
99 ProgramStateRef State = C.getState();
100
101 const MemRegion *ErrnoR = nullptr;
102
103 if (ErrnoDecl) {
104 // There is an external 'errno' variable, so we can simply use the memory
105 // region that's associated with it.
106 ErrnoR = State->getRegion(ErrnoDecl, C.getLocationContext());
107 assert(ErrnoR && "Memory region should exist for the 'errno' variable.");
108 } else {
109 // There is no 'errno' variable, so create a new symbolic memory region
110 // that can be used to model the return value of the "get the location of
111 // errno" internal functions.
112 // NOTE: this `SVal` is created even if errno is not defined or used.
113 SValBuilder &SVB = C.getSValBuilder();
114 MemRegionManager &RMgr = C.getStateManager().getRegionManager();
115
116 const MemSpaceRegion *GlobalSystemSpace =
117 RMgr.getGlobalsRegion(MemRegion::GlobalSystemSpaceRegionKind);
118
119 // Create an artifical symbol for the region.
120 // Note that it is not possible to associate a statement or expression in
121 // this case and the `symbolTag` (opaque pointer tag) is just the address
122 // of the data member `ErrnoDecl` of the singleton `ErrnoModeling` checker
123 // object.
124 const SymbolConjured *Sym = SVB.conjureSymbol(
125 C.getCFGElementRef(), C.getLocationContext(),
126 ACtx.getLValueReferenceType(ACtx.IntTy), C.blockCount(), &ErrnoDecl);
127
128 // The symbolic region is untyped, create a typed sub-region in it.
129 // The ElementRegion is used to make the errno region a typed region.
130 ErrnoR = RMgr.getElementRegion(
131 ACtx.IntTy, SVB.makeZeroArrayIndex(),
132 RMgr.getSymbolicRegion(Sym, GlobalSystemSpace), C.getASTContext());
133 }
134 assert(ErrnoR);
135 State = State->set<ErrnoRegion>(ErrnoR);
136 State =
137 errno_modeling::setErrnoValue(State, C, 0, errno_modeling::Irrelevant);
138 C.addTransition(State);
139}
140
141bool ErrnoModeling::evalCall(const CallEvent &Call, CheckerContext &C) const {
142 // Return location of "errno" at a call to an "errno address returning"
143 // function.
144 if (errno_modeling::isErrnoLocationCall(Call)) {
145 ProgramStateRef State = C.getState();
146
147 const MemRegion *ErrnoR = State->get<ErrnoRegion>();
148 if (!ErrnoR)
149 return false;
150
151 State = State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
152 loc::MemRegionVal{ErrnoR});
153 C.addTransition(State);
154 return true;
155 }
156
157 return false;
158}
159
160void ErrnoModeling::checkLiveSymbols(ProgramStateRef State,
161 SymbolReaper &SR) const {
162 // The special errno region should never garbage collected.
163 if (const auto *ErrnoR = State->get<ErrnoRegion>())
164 SR.markLive(ErrnoR);
165}
166
167namespace clang {
168namespace ento {
169namespace errno_modeling {
170
171std::optional<SVal> getErrnoValue(ProgramStateRef State) {
172 const MemRegion *ErrnoR = State->get<ErrnoRegion>();
173 if (!ErrnoR)
174 return {};
175 QualType IntTy = State->getAnalysisManager().getASTContext().IntTy;
176 return State->getSVal(ErrnoR, IntTy);
177}
178
179ProgramStateRef setErrnoValue(ProgramStateRef State,
180 const LocationContext *LCtx, SVal Value,
181 ErrnoCheckState EState) {
182 const MemRegion *ErrnoR = State->get<ErrnoRegion>();
183 if (!ErrnoR)
184 return State;
185 // First set the errno value, the old state is still available at 'checkBind'
186 // or 'checkLocation' for errno value.
187 State = State->bindLoc(loc::MemRegionVal{ErrnoR}, Value, LCtx);
188 return State->set<ErrnoState>(EState);
189}
190
191ProgramStateRef setErrnoValue(ProgramStateRef State, CheckerContext &C,
192 uint64_t Value, ErrnoCheckState EState) {
193 const MemRegion *ErrnoR = State->get<ErrnoRegion>();
194 if (!ErrnoR)
195 return State;
196 State = State->bindLoc(
197 loc::MemRegionVal{ErrnoR},
198 C.getSValBuilder().makeIntVal(Value, C.getASTContext().IntTy),
199 C.getLocationContext());
200 return State->set<ErrnoState>(EState);
201}
202
203std::optional<Loc> getErrnoLoc(ProgramStateRef State) {
204 const MemRegion *ErrnoR = State->get<ErrnoRegion>();
205 if (!ErrnoR)
206 return {};
207 return loc::MemRegionVal{ErrnoR};
208}
209
210ErrnoCheckState getErrnoState(ProgramStateRef State) {
211 return State->get<ErrnoState>();
212}
213
214ProgramStateRef setErrnoState(ProgramStateRef State, ErrnoCheckState EState) {
215 return State->set<ErrnoState>(EState);
216}
217
221
222bool isErrnoLocationCall(const CallEvent &CE) {
223 return ErrnoLocationCalls.contains(CE);
224}
225
226const NoteTag *getErrnoNoteTag(CheckerContext &C, const std::string &Message) {
227 return C.getNoteTag([Message](PathSensitiveBugReport &BR) -> std::string {
228 const MemRegion *ErrnoR = BR.getErrorNode()->getState()->get<ErrnoRegion>();
229 if (ErrnoR && BR.isInteresting(ErrnoR)) {
230 BR.markNotInteresting(ErrnoR);
231 return Message;
232 }
233 return "";
234 });
235}
236
241
242ProgramStateRef setErrnoForStdFailure(ProgramStateRef State, CheckerContext &C,
243 NonLoc ErrnoSym) {
244 SValBuilder &SVB = C.getSValBuilder();
245 NonLoc ZeroVal = SVB.makeZeroVal(C.getASTContext().IntTy).castAs<NonLoc>();
246 DefinedOrUnknownSVal Cond =
247 SVB.evalBinOp(State, BO_NE, ErrnoSym, ZeroVal, SVB.getConditionType())
248 .castAs<DefinedOrUnknownSVal>();
249 State = State->assume(Cond, true);
250 if (!State)
251 return nullptr;
252 return setErrnoValue(State, C.getLocationContext(), ErrnoSym, Irrelevant);
253}
254
255ProgramStateRef setErrnoStdMustBeChecked(ProgramStateRef State,
256 CheckerContext &C,
257 ConstCFGElementRef Elem) {
258 const MemRegion *ErrnoR = State->get<ErrnoRegion>();
259 if (!ErrnoR)
260 return State;
261 State = State->invalidateRegions(ErrnoR, Elem, C.blockCount(),
262 C.getLocationContext(), false);
263 if (!State)
264 return nullptr;
265 return setErrnoState(State, MustBeChecked);
266}
267
268} // namespace errno_modeling
269} // namespace ento
270} // namespace clang
271
272void ento::registerErrnoModeling(CheckerManager &mgr) {
273 mgr.registerChecker<ErrnoModeling>();
274}
275
276bool ento::shouldRegisterErrnoModeling(const CheckerManager &mgr) {
277 return true;
278}
REGISTER_TRAIT_WITH_PROGRAMSTATE
#define REGISTER_TRAIT_WITH_PROGRAMSTATE(Name, Type)
Declares a program state trait for type Type called Name, and introduce a type named NameTy.
Definition ProgramStateTrait.h:34
clang::ASTContext::getSourceManager
SourceManager & getSourceManager()
Definition ASTContext.h:798
clang::ASTContext::getTranslationUnitDecl
TranslationUnitDecl * getTranslationUnitDecl() const
Definition ASTContext.h:1198
clang::ASTContext::getLValueReferenceType
QualType getLValueReferenceType(QualType T, bool SpelledAsLValue=true) const
Return the uniqued reference to the type for an lvalue reference to the specified type.
Definition ASTContext.cpp:4073
clang::ASTContext::Idents
IdentifierTable & Idents
Definition ASTContext.h:737
clang::ASTContext::IntTy
CanQualType IntTy
Definition ASTContext.h:1228
clang::DeclContext::lookup
lookup_result lookup(DeclarationName Name) const
lookup - Find the declarations (if any) with the given Name in this context.
Definition DeclBase.cpp:1879
clang::IdentifierTable::get
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
Definition IdentifierTable.h:696
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition AnalysisDeclContext.h:215
clang::QualType
A (possibly-)qualified type.
Definition TypeBase.h:937
clang::SourceManager::isInSystemHeader
bool isInSystemHeader(SourceLocation Loc) const
Returns if a SourceLocation is in a system header.
Definition SourceManager.h:1544
clang::TranslationUnitDecl
The top declaration context.
Definition Decl.h:104
clang::ento::AnalysisManager::getASTContext
ASTContext & getASTContext() override
Definition AnalysisManager.h:82
clang::ento::BugReporter
BugReporter is a utility class for generating PathDiagnostics for analysis.
Definition BugReporter.h:586
clang::ento::CallDescriptionSet
An immutable set of CallDescriptions.
Definition CallDescription.h:262
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition CallEvent.h:153
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&...Args)
Register a single-part checker (derived from Checker): construct its singleton instance,...
Definition CheckerManager.h:218
clang::ento::Checker
Simple checker classes that implement one frontend (i.e.
Definition Checker.h:553
clang::ento::ExplodedNode::getState
const ProgramStateRef & getState() const
Definition ExplodedGraph.h:169
clang::ento::MemRegionManager::getElementRegion
const ElementRegion * getElementRegion(QualType elementType, NonLoc Idx, const SubRegion *superRegion, const ASTContext &Ctx)
getElementRegion - Retrieve the memory region associated with the associated element type,...
Definition MemRegion.cpp:1217
clang::ento::MemRegionManager::getGlobalsRegion
const GlobalsSpaceRegion * getGlobalsRegion(MemRegion::Kind K=MemRegion::GlobalInternalSpaceRegionKind, const CodeTextRegion *R=nullptr)
getGlobalsRegion - Retrieve the memory region associated with global variables.
Definition MemRegion.cpp:949
clang::ento::MemRegionManager::getSymbolicRegion
const SymbolicRegion * getSymbolicRegion(SymbolRef Sym, const MemSpaceRegion *MemSpace=nullptr)
Retrieve or create a "symbolic" memory region.
Definition MemRegion.cpp:1260
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition MemRegion.h:98
clang::ento::NoteTag
The tag upon which the TagVisitor reacts.
Definition BugReporter.h:786
clang::ento::PathSensitiveBugReport::getErrorNode
const ExplodedNode * getErrorNode() const
Definition BugReporter.h:402
clang::ento::PathSensitiveBugReport::isInteresting
bool isInteresting(SymbolRef sym) const
Definition BugReporter.cpp:2399
clang::ento::SValBuilder::makeZeroVal
DefinedOrUnknownSVal makeZeroVal(QualType type)
Construct an SVal representing '0' for the specified type.
Definition SValBuilder.cpp:62
clang::ento::SValBuilder::getConditionType
QualType getConditionType() const
Definition SValBuilder.h:154
clang::ento::SValBuilder::evalBinOp
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
Definition SValBuilder.cpp:494
clang::ento::SValBuilder::conjureSymbol
const SymbolConjured * conjureSymbol(ConstCFGElementRef Elem, const LocationContext *LCtx, QualType type, unsigned visitCount, const void *symbolTag=nullptr)
Definition SValBuilder.h:175
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition SVals.h:56
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition SVals.h:83
clang::ento::SymbolReaper::markLive
void markLive(SymbolRef sym)
Unconditionally marks a symbol as live.
Definition SymbolManager.cpp:275
clang::ento::errno_modeling
Definition ErrnoModeling.cpp:169
clang::ento::errno_modeling::getErrnoLoc
std::optional< Loc > getErrnoLoc(ProgramStateRef State)
Returns the location that points to the MemoryRegion where the 'errno' value is stored.
Definition ErrnoModeling.cpp:203
clang::ento::errno_modeling::setErrnoValue
ProgramStateRef setErrnoValue(ProgramStateRef State, const LocationContext *LCtx, SVal Value, ErrnoCheckState EState)
Set value of 'errno' to any SVal, if possible.
Definition ErrnoModeling.cpp:179
clang::ento::errno_modeling::clearErrnoState
ProgramStateRef clearErrnoState(ProgramStateRef State)
Clear state of errno (make it irrelevant).
Definition ErrnoModeling.cpp:218
clang::ento::errno_modeling::setErrnoForStdSuccess
ProgramStateRef setErrnoForStdSuccess(ProgramStateRef State, CheckerContext &C)
Set errno state for the common case when a standard function is successful.
Definition ErrnoModeling.cpp:237
clang::ento::errno_modeling::setErrnoStdMustBeChecked
ProgramStateRef setErrnoStdMustBeChecked(ProgramStateRef State, CheckerContext &C, ConstCFGElementRef Elem)
Set errno state for the common case when a standard function indicates failure only by errno.
Definition ErrnoModeling.cpp:255
clang::ento::errno_modeling::setErrnoState
ProgramStateRef setErrnoState(ProgramStateRef State, ErrnoCheckState EState)
Set the errno check state, do not modify the errno value.
Definition ErrnoModeling.cpp:214
clang::ento::errno_modeling::getErrnoNoteTag
const NoteTag * getErrnoNoteTag(CheckerContext &C, const std::string &Message)
Create a NoteTag that displays the message if the 'errno' memory region is marked as interesting,...
Definition ErrnoModeling.cpp:226
clang::ento::errno_modeling::isErrnoLocationCall
bool isErrnoLocationCall(const CallEvent &CE)
Determine if Call is a call to an internal function that returns the location of errno (in environmen...
Definition ErrnoModeling.cpp:222
clang::ento::errno_modeling::setErrnoForStdFailure
ProgramStateRef setErrnoForStdFailure(ProgramStateRef State, CheckerContext &C, NonLoc ErrnoSym)
Set errno state for the common case when a standard function fails.
Definition ErrnoModeling.cpp:242
clang::ento::errno_modeling::getErrnoValue
std::optional< SVal > getErrnoValue(ProgramStateRef State)
Returns the value of 'errno', if 'errno' was found in the AST.
Definition ErrnoModeling.cpp:171
clang::ento::errno_modeling::ErrnoCheckState
ErrnoCheckState
Describe how reads and writes of errno are handled by the checker.
Definition ErrnoModeling.h:26
clang::ento::errno_modeling::MustBeChecked
@ MustBeChecked
Value of 'errno' should be checked to find out if a previous function call has failed.
Definition ErrnoModeling.h:36
clang::ento::errno_modeling::Irrelevant
@ Irrelevant
We do not know anything about 'errno'.
Definition ErrnoModeling.h:29
clang::ento::errno_modeling::MustNotBeChecked
@ MustNotBeChecked
Value of 'errno' is not allowed to be read, it can contain an unspecified value.
Definition ErrnoModeling.h:42
clang::ento::errno_modeling::getErrnoState
ErrnoCheckState getErrnoState(ProgramStateRef State)
Returns the errno check state, Errno_Irrelevant if 'errno' was not found (this is not the only case f...
Definition ErrnoModeling.cpp:210
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition ProgramState_Fwd.h:37
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition CalledOnceCheck.h:17
clang::ConstCFGElementRef
CFGBlock::ConstCFGElementRef ConstCFGElementRef
Definition CFG.h:1199
clang::Cond
Expr * Cond
};
Definition StmtOpenMP.h:3056
clang::cast
U cast(CodeGen::Address addr)
Definition Address.h:327
Generated on for clang by doxygen 1.14.0