doxygen/SimpleStreamChecker_8cpp_source.html

 //===-- SimpleStreamChecker.cpp -----------------------------------------*- C++ -*--//
 //
 //                     The LLVM Compiler Infrastructure
 //
 // This file is distributed under the University of Illinois Open Source
 // License. See LICENSE.TXT for details.
 //
 //===----------------------------------------------------------------------===//
 //
 // Defines a checker for proper use of fopen/fclose APIs.
 //   - If a file has been closed with fclose, it should not be accessed again.
 //   Accessing a closed file results in undefined behavior.
 //   - If a file was opened with fopen, it must be closed with fclose before
 //   the execution ends. Failing to do so results in a resource leak.
 //
 //===----------------------------------------------------------------------===//

 #include "ClangSACheckers.h"
 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
 #include "clang/StaticAnalyzer/Core/Checker.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
 #include <utility>

 using namespace clang;
 using namespace ento;

 namespace {
 typedef SmallVector<SymbolRef, 2> SymbolVector;

 struct StreamState {
 private:
   enum Kind { Opened, Closed } K;
   StreamState(Kind InK) : K(InK) { }

 public:
   bool isOpened() const { return K == Opened; }
   bool isClosed() const { return K == Closed; }

   static StreamState getOpened() { return StreamState(Opened); }
   static StreamState getClosed() { return StreamState(Closed); }

   bool operator==(const StreamState &X) const {
     return K == X.K;
   }
   void Profile(llvm::FoldingSetNodeID &ID) const {
     ID.AddInteger(K);
   }
 };

 class SimpleStreamChecker : public Checker<check::PostCall,
                                            check::PreCall,
                                            check::DeadSymbols,
                                            check::PointerEscape> {
   CallDescription OpenFn, CloseFn;

   std::unique_ptr<BugType> DoubleCloseBugType;
   std::unique_ptr<BugType> LeakBugType;

   void reportDoubleClose(SymbolRef FileDescSym,
                          const CallEvent &Call,
                          CheckerContext &C) const;

   void reportLeaks(ArrayRef<SymbolRef> LeakedStreams, CheckerContext &C,
                    ExplodedNode *ErrNode) const;

   bool guaranteedNotToCloseFile(const CallEvent &Call) const;

 public:
   SimpleStreamChecker();

   /// Process fopen.
   void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
   /// Process fclose.
   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;

   void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;

   /// Stop tracking addresses which escape.
   ProgramStateRef checkPointerEscape(ProgramStateRef State,
                                     const InvalidatedSymbols &Escaped,
                                     const CallEvent *Call,
                                     PointerEscapeKind Kind) const;
 };

 } // end anonymous namespace

 /// The state of the checker is a map from tracked stream symbols to their
 /// state. Let's store it in the ProgramState.
 REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)

 namespace {
 class StopTrackingCallback final : public SymbolVisitor {
   ProgramStateRef state;
 public:
   StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
   ProgramStateRef getState() const { return state; }

   bool VisitSymbol(SymbolRef sym) override {
     state = state->remove<StreamMap>(sym);
     return true;
   }
 };
 } // end anonymous namespace

 SimpleStreamChecker::SimpleStreamChecker()
     : OpenFn("fopen"), CloseFn("fclose", 1) {
   // Initialize the bug types.
   DoubleCloseBugType.reset(
       new BugType(this, "Double fclose", "Unix Stream API Error"));

   LeakBugType.reset(
       new BugType(this, "Resource Leak", "Unix Stream API Error"));
   // Sinks are higher importance bugs as well as calls to assert() or exit(0).
   LeakBugType->setSuppressOnSink(true);
 }

 void SimpleStreamChecker::checkPostCall(const CallEvent &Call,
                                         CheckerContext &C) const {
   if (!Call.isGlobalCFunction())
     return;

   if (!Call.isCalled(OpenFn))
     return;

   // Get the symbolic value corresponding to the file handle.
   SymbolRef FileDesc = Call.getReturnValue().getAsSymbol();
   if (!FileDesc)
     return;

   // Generate the next transition (an edge in the exploded graph).
   ProgramStateRef State = C.getState();
   State = State->set<StreamMap>(FileDesc, StreamState::getOpened());
   C.addTransition(State);
 }

 void SimpleStreamChecker::checkPreCall(const CallEvent &Call,
                                        CheckerContext &C) const {
   if (!Call.isGlobalCFunction())
     return;

   if (!Call.isCalled(CloseFn))
     return;

   // Get the symbolic value corresponding to the file handle.
   SymbolRef FileDesc = Call.getArgSVal(0).getAsSymbol();
   if (!FileDesc)
     return;

   // Check if the stream has already been closed.
   ProgramStateRef State = C.getState();
   const StreamState *SS = State->get<StreamMap>(FileDesc);
   if (SS && SS->isClosed()) {
     reportDoubleClose(FileDesc, Call, C);
     return;
   }

   // Generate the next transition, in which the stream is closed.
   State = State->set<StreamMap>(FileDesc, StreamState::getClosed());
   C.addTransition(State);
 }

 static bool isLeaked(SymbolRef Sym, const StreamState &SS,
                      bool IsSymDead, ProgramStateRef State) {
   if (IsSymDead && SS.isOpened()) {
     // If a symbol is NULL, assume that fopen failed on this path.
     // A symbol should only be considered leaked if it is non-null.
     ConstraintManager &CMgr = State->getConstraintManager();
     ConditionTruthVal OpenFailed = CMgr.isNull(State, Sym);
     return !OpenFailed.isConstrainedTrue();
   }
   return false;
 }

 void SimpleStreamChecker::checkDeadSymbols(SymbolReaper &SymReaper,
                                            CheckerContext &C) const {
   ProgramStateRef State = C.getState();
   SymbolVector LeakedStreams;
   StreamMapTy TrackedStreams = State->get<StreamMap>();
   for (StreamMapTy::iterator I = TrackedStreams.begin(),
                              E = TrackedStreams.end(); I != E; ++I) {
     SymbolRef Sym = I->first;
     bool IsSymDead = SymReaper.isDead(Sym);

     // Collect leaked symbols.
     if (isLeaked(Sym, I->second, IsSymDead, State))
       LeakedStreams.push_back(Sym);

     // Remove the dead symbol from the streams map.
     if (IsSymDead)
       State = State->remove<StreamMap>(Sym);
   }

   ExplodedNode *N = C.generateNonFatalErrorNode(State);
   if (!N)
     return;
   reportLeaks(LeakedStreams, C, N);
 }

 void SimpleStreamChecker::reportDoubleClose(SymbolRef FileDescSym,
                                             const CallEvent &Call,
                                             CheckerContext &C) const {
   // We reached a bug, stop exploring the path here by generating a sink.
   ExplodedNode *ErrNode = C.generateErrorNode();
   // If we've already reached this node on another path, return.
   if (!ErrNode)
     return;

   // Generate the report.
   auto R = llvm::make_unique<BugReport>(*DoubleCloseBugType,
       "Closing a previously closed file stream", ErrNode);
   R->addRange(Call.getSourceRange());
   R->markInteresting(FileDescSym);
   C.emitReport(std::move(R));
 }

 void SimpleStreamChecker::reportLeaks(ArrayRef<SymbolRef> LeakedStreams,
                                       CheckerContext &C,
                                       ExplodedNode *ErrNode) const {
   // Attach bug reports to the leak node.
   // TODO: Identify the leaked file descriptor.
   for (SymbolRef LeakedStream : LeakedStreams) {
     auto R = llvm::make_unique<BugReport>(*LeakBugType,
         "Opened file is never closed; potential resource leak", ErrNode);
     R->markInteresting(LeakedStream);
     C.emitReport(std::move(R));
   }
 }

 bool SimpleStreamChecker::guaranteedNotToCloseFile(const CallEvent &Call) const{
   // If it's not in a system header, assume it might close a file.
   if (!Call.isInSystemHeader())
     return false;

   // Handle cases where we know a buffer's /address/ can escape.
   if (Call.argumentsMayEscape())
     return false;

   // Note, even though fclose closes the file, we do not list it here
   // since the checker is modeling the call.

   return true;
 }

 // If the pointer we are tracking escaped, do not track the symbol as
 // we cannot reason about it anymore.
 ProgramStateRef
 SimpleStreamChecker::checkPointerEscape(ProgramStateRef State,
                                         const InvalidatedSymbols &Escaped,
                                         const CallEvent *Call,
                                         PointerEscapeKind Kind) const {
   // If we know that the call cannot close a file, there is nothing to do.
   if (Kind == PSK_DirectEscapeOnCall && guaranteedNotToCloseFile(*Call)) {
     return State;
   }

   for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
                                           E = Escaped.end();
                                           I != E; ++I) {
     SymbolRef Sym = *I;

     // The symbol escaped. Optimistically, assume that the corresponding file
     // handle will be closed somewhere else.
     State = State->remove<StreamMap>(Sym);
   }
   return State;
 }

 void ento::registerSimpleStreamChecker(CheckerManager &mgr) {
   mgr.registerChecker<SimpleStreamChecker>();
 }
clang::Builtin::ID
ID
Definition: Builtins.h:49

clang::ento::CheckerContext::generateErrorNode
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
Definition: CheckerContext.h:248

clang::operator==
bool operator==(CanQual< T > x, CanQual< U > y)
Definition: CanonicalType.h:203

clang::ento::CheckerContext::addTransition
ExplodedNode * addTransition(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generates a new transition in the program state graph (ExplodedGraph).
Definition: CheckerContext.h:215

llvm::DenseSet< SymbolRef >

clang::ento::ConstraintManager
Definition: ConstraintManager.h:78

BugType.h

clang::ento::SymbolReaper::isDead
bool isDead(SymbolRef sym) const
Returns whether or not a symbol has been confirmed dead.
Definition: SymbolManager.h:603

clang::ento::CheckerManager
Definition: CheckerManager.h:117

clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:30

clang::ento::ConstraintManager::isNull
ConditionTruthVal isNull(ProgramStateRef State, SymbolRef Sym)
Convenience method to query the state to see if a symbol is null or not null, or if neither assumptio...
Definition: ConstraintManager.h:172

State
LineState State
Definition: UnwrappedLineFormatter.cpp:865

std
Definition: Format.h:2031

isLeaked
static bool isLeaked(SymbolRef Sym, const StreamState &SS, bool IsSymDead, ProgramStateRef State)
Definition: SimpleStreamChecker.cpp:163

Checker.h

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:66

clang::CodeGen::state
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
Definition: CGOpenMPRuntime.h:721

clang::ento::SymbolVisitor
Definition: SymbolManager.h:619

clang::ento::CheckerContext
Definition: CheckerContext.h:70

clang::ento::CallEvent::getReturnValue
SVal getReturnValue() const
Returns the return value of the call.
Definition: CallEvent.cpp:282

llvm::ArrayRef
Definition: LLVM.h:32

clang::ento::SVal::getAsSymbol
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:127

clang::ento::Checker
Definition: Checker.h:516

clang::ento::ConditionTruthVal::isConstrainedTrue
bool isConstrainedTrue() const
Return true if the constraint is perfectly constrained to &#39;true&#39;.
Definition: ConstraintManager.h:57

REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: CheckerContext.h:36

clang::ento::PSK_DirectEscapeOnCall
The pointer has been passed to a function call directly.
Definition: CheckerManager.h:82

clang::ento::CallEvent::isInSystemHeader
bool isInSystemHeader() const
Returns true if the callee is known to be from a system header.
Definition: CallEvent.h:260

clang::ento::CheckerContext::generateNonFatalErrorNode
ExplodedNode * generateNonFatalErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
Definition: CheckerContext.h:262

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT... Args)
Used to register checkers.
Definition: CheckerManager.h:152

clang::ento::CallEvent::argumentsMayEscape
virtual bool argumentsMayEscape() const
Returns true if any of the arguments are known to escape to long- term storage, even if this method w...
Definition: CallEvent.h:329

clang::ento::CheckerContext::emitReport
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
Definition: CheckerContext.h:268

clang::ento::CallEvent::getSourceRange
virtual SourceRange getSourceRange() const
Returns a source range for the entire call, suitable for outputting in diagnostics.
Definition: CallEvent.h:289

Kind
Kind
Definition: ChrootChecker.cpp:29

clang::ento::CallDescription
This class represents a description of a function call using the number of arguments and the name of ...
Definition: CallEvent.h:77

llvm::IntrusiveRefCntPtr
Definition: LLVM.h:45

llvm::SmallVector
Definition: LLVM.h:36

clang::ento::SymbolReaper
A class responsible for cleaning up unused symbols.
Definition: SymbolManager.h:522

clang
Dataflow Directional Tag Classes.
Definition: CFGReachabilityAnalysis.h:22

clang::ento::BugType
Definition: BugType.h:30

ClangSACheckers.h

clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:164

clang::ento::PointerEscapeKind
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Definition: CheckerManager.h:76

clang::ento::CheckerContext::getState
const ProgramStateRef & getState() const
Definition: CheckerContext.h:118

clang::ento::CallEvent::isGlobalCFunction
bool isGlobalCFunction(StringRef SpecificName=StringRef()) const
Returns true if the callee is an externally-visible function in the top-level namespace, such as malloc.
Definition: CallEvent.cpp:161

X
X
Add a minimal nested name specifier fixit hint to allow lookup of a tag name from an outer enclosing ...
Definition: SemaDecl.cpp:13530

clang::ento::CallEvent::isCalled
bool isCalled(const CallDescription &CD) const
Returns true if the CallEvent is a call to a function that matches the CallDescription.
Definition: CallEvent.cpp:253

clang::ento::CallEvent::getArgSVal
virtual SVal getArgSVal(unsigned Index) const
Returns the value of a given argument at the time of the call.
Definition: CallEvent.cpp:268

CallEvent.h

clang::ento::ConditionTruthVal
Definition: ConstraintManager.h:39

CheckerContext.h