clang  9.0.0svn
SimpleStreamChecker.cpp
Go to the documentation of this file.
1 //===-- SimpleStreamChecker.cpp -----------------------------------------*- C++ -*--//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // Defines a checker for proper use of fopen/fclose APIs.
10 // - If a file has been closed with fclose, it should not be accessed again.
11 // Accessing a closed file results in undefined behavior.
12 // - If a file was opened with fopen, it must be closed with fclose before
13 // the execution ends. Failing to do so results in a resource leak.
14 //
15 //===----------------------------------------------------------------------===//
16 
17 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
18 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
19 #include "clang/StaticAnalyzer/Core/Checker.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
22 #include <utility>
23 
24 using namespace clang;
25 using namespace ento;
26 
27 namespace {
28 typedef SmallVector<SymbolRef, 2> SymbolVector;
29 
30 struct StreamState {
31 private:
32  enum Kind { Opened, Closed } K;
33  StreamState(Kind InK) : K(InK) { }
34 
35 public:
36  bool isOpened() const { return K == Opened; }
37  bool isClosed() const { return K == Closed; }
38 
39  static StreamState getOpened() { return StreamState(Opened); }
40  static StreamState getClosed() { return StreamState(Closed); }
41 
42  bool operator==(const StreamState &X) const {
43  return K == X.K;
44  }
45  void Profile(llvm::FoldingSetNodeID &ID) const {
46  ID.AddInteger(K);
47  }
48 };
49 
50 class SimpleStreamChecker : public Checker<check::PostCall,
51  check::PreCall,
52  check::DeadSymbols,
53  check::PointerEscape> {
54  CallDescription OpenFn, CloseFn;
55 
56  std::unique_ptr<BugType> DoubleCloseBugType;
57  std::unique_ptr<BugType> LeakBugType;
58 
59  void reportDoubleClose(SymbolRef FileDescSym,
60  const CallEvent &Call,
61  CheckerContext &C) const;
62 
63  void reportLeaks(ArrayRef<SymbolRef> LeakedStreams, CheckerContext &C,
64  ExplodedNode *ErrNode) const;
65 
66  bool guaranteedNotToCloseFile(const CallEvent &Call) const;
67 
68 public:
69  SimpleStreamChecker();
70 
71  /// Process fopen.
72  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
73  /// Process fclose.
74  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
75 
76  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
77 
78  /// Stop tracking addresses which escape.
79  ProgramStateRef checkPointerEscape(ProgramStateRef State,
80  const InvalidatedSymbols &Escaped,
81  const CallEvent *Call,
82  PointerEscapeKind Kind) const;
83 };
84 
85 } // end anonymous namespace
86 
87 /// The state of the checker is a map from tracked stream symbols to their
88 /// state. Let's store it in the ProgramState.
89 REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)
90 
91 namespace {
92 class StopTrackingCallback final : public SymbolVisitor {
93  ProgramStateRef state;
94 public:
95  StopTrackingCallback(ProgramStateRef st) : state(std::move(st)) {}
96  ProgramStateRef getState() const { return state; }
97 
98  bool VisitSymbol(SymbolRef sym) override {
99  state = state->remove<StreamMap>(sym);
100  return true;
101  }
102 };
103 } // end anonymous namespace
104 
105 SimpleStreamChecker::SimpleStreamChecker()
106  : OpenFn("fopen"), CloseFn("fclose", 1) {
107  // Initialize the bug types.
108  DoubleCloseBugType.reset(
109  new BugType(this, "Double fclose", "Unix Stream API Error"));
110 
111  // Sinks are higher importance bugs as well as calls to assert() or exit(0).
112  LeakBugType.reset(
113  new BugType(this, "Resource Leak", "Unix Stream API Error",
114  /*SuppressOnSink=*/true));
115 }
116 
117 void SimpleStreamChecker::checkPostCall(const CallEvent &Call,
118  CheckerContext &C) const {
119  if (!Call.isGlobalCFunction())
120  return;
121 
122  if (!Call.isCalled(OpenFn))
123  return;
124 
125  // Get the symbolic value corresponding to the file handle.
126  SymbolRef FileDesc = Call.getReturnValue().getAsSymbol();
127  if (!FileDesc)
128  return;
129 
130  // Generate the next transition (an edge in the exploded graph).
131  ProgramStateRef State = C.getState();
132  State = State->set<StreamMap>(FileDesc, StreamState::getOpened());
133  C.addTransition(State);
134 }
135 
136 void SimpleStreamChecker::checkPreCall(const CallEvent &Call,
137  CheckerContext &C) const {
138  if (!Call.isGlobalCFunction())
139  return;
140 
141  if (!Call.isCalled(CloseFn))
142  return;
143 
144  // Get the symbolic value corresponding to the file handle.
145  SymbolRef FileDesc = Call.getArgSVal(0).getAsSymbol();
146  if (!FileDesc)
147  return;
148 
149  // Check if the stream has already been closed.
150  ProgramStateRef State = C.getState();
151  const StreamState *SS = State->get<StreamMap>(FileDesc);
152  if (SS && SS->isClosed()) {
153  reportDoubleClose(FileDesc, Call, C);
154  return;
155  }
156 
157  // Generate the next transition, in which the stream is closed.
158  State = State->set<StreamMap>(FileDesc, StreamState::getClosed());
159  C.addTransition(State);
160 }
161 
162 static bool isLeaked(SymbolRef Sym, const StreamState &SS,
163  bool IsSymDead, ProgramStateRef State) {
164  if (IsSymDead && SS.isOpened()) {
165  // If a symbol is NULL, assume that fopen failed on this path.
166  // A symbol should only be considered leaked if it is non-null.
167  ConstraintManager &CMgr = State->getConstraintManager();
168  ConditionTruthVal OpenFailed = CMgr.isNull(State, Sym);
169  return !OpenFailed.isConstrainedTrue();
170  }
171  return false;
172 }
173 
174 void SimpleStreamChecker::checkDeadSymbols(SymbolReaper &SymReaper,
175  CheckerContext &C) const {
176  ProgramStateRef State = C.getState();
177  SymbolVector LeakedStreams;
178  StreamMapTy TrackedStreams = State->get<StreamMap>();
179  for (StreamMapTy::iterator I = TrackedStreams.begin(),
180  E = TrackedStreams.end(); I != E; ++I) {
181  SymbolRef Sym = I->first;
182  bool IsSymDead = SymReaper.isDead(Sym);
183 
184  // Collect leaked symbols.
185  if (isLeaked(Sym, I->second, IsSymDead, State))
186  LeakedStreams.push_back(Sym);
187 
188  // Remove the dead symbol from the streams map.
189  if (IsSymDead)
190  State = State->remove<StreamMap>(Sym);
191  }
192 
193  ExplodedNode *N = C.generateNonFatalErrorNode(State);
194  if (!N)
195  return;
196  reportLeaks(LeakedStreams, C, N);
197 }
198 
199 void SimpleStreamChecker::reportDoubleClose(SymbolRef FileDescSym,
200  const CallEvent &Call,
201  CheckerContext &C) const {
202  // We reached a bug, stop exploring the path here by generating a sink.
203  ExplodedNode *ErrNode = C.generateErrorNode();
204  // If we've already reached this node on another path, return.
205  if (!ErrNode)
206  return;
207 
208  // Generate the report.
209  auto R = llvm::make_unique<BugReport>(*DoubleCloseBugType,
210  "Closing a previously closed file stream", ErrNode);
211  R->addRange(Call.getSourceRange());
212  R->markInteresting(FileDescSym);
213  C.emitReport(std::move(R));
214 }
215 
216 void SimpleStreamChecker::reportLeaks(ArrayRef<SymbolRef> LeakedStreams,
217  CheckerContext &C,
218  ExplodedNode *ErrNode) const {
219  // Attach bug reports to the leak node.
220  // TODO: Identify the leaked file descriptor.
221  for (SymbolRef LeakedStream : LeakedStreams) {
222  auto R = llvm::make_unique<BugReport>(*LeakBugType,
223  "Opened file is never closed; potential resource leak", ErrNode);
224  R->markInteresting(LeakedStream);
225  C.emitReport(std::move(R));
226  }
227 }
228 
229 bool SimpleStreamChecker::guaranteedNotToCloseFile(const CallEvent &Call) const{
230  // If it's not in a system header, assume it might close a file.
231  if (!Call.isInSystemHeader())
232  return false;
233 
234  // Handle cases where we know a buffer's /address/ can escape.
235  if (Call.argumentsMayEscape())
236  return false;
237 
238  // Note, even though fclose closes the file, we do not list it here
239  // since the checker is modeling the call.
240 
241  return true;
242 }
243 
244 // If the pointer we are tracking escaped, do not track the symbol as
245 // we cannot reason about it anymore.
246 ProgramStateRef
247 SimpleStreamChecker::checkPointerEscape(ProgramStateRef State,
248  const InvalidatedSymbols &Escaped,
249  const CallEvent *Call,
250  PointerEscapeKind Kind) const {
251  // If we know that the call cannot close a file, there is nothing to do.
252  if (Kind == PSK_DirectEscapeOnCall && guaranteedNotToCloseFile(*Call)) {
253  return State;
254  }
255 
256  for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
257  E = Escaped.end();
258  I != E; ++I) {
259  SymbolRef Sym = *I;
260 
261  // The symbol escaped. Optimistically, assume that the corresponding file
262  // handle will be closed somewhere else.
263  State = State->remove<StreamMap>(Sym);
264  }
265  return State;
266 }
267 
268 void ento::registerSimpleStreamChecker(CheckerManager &mgr) {
269  mgr.registerChecker<SimpleStreamChecker>();
270 }
271 
272 // This checker should be enabled regardless of how language options are set.
273 bool ento::shouldRegisterSimpleStreamChecker(const LangOptions &LO) {
274  return true;
275 }
clang::operator==
bool operator==(CanQual< T > x, CanQual< U > y)
Definition: CanonicalType.h:202
clang::ento::InvalidatedSymbols
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition: PathDiagnostic.h:58
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
State
LineState State
Definition: UnwrappedLineFormatter.cpp:888
std
Definition: Format.h:2274
isLeaked
static bool isLeaked(SymbolRef Sym, const StreamState &SS, bool IsSymDead, ProgramStateRef State)
Definition: SimpleStreamChecker.cpp:162
clang::LangOptions
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:49
clang::CodeGen::state
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
Definition: CGOpenMPRuntime.h:764
clang::CallDescription
This class represents a description of a function call using the number of arguments and the name of ...
Definition: CallEvent.h:1057
clang::ento::PSK_DirectEscapeOnCall
The pointer has been passed to a function call directly.
Definition: CheckerManager.h:81
Kind
Kind
Definition: ChrootChecker.cpp:29
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:84
clang
Dataflow Directional Tag Classes.
Definition: CFGReachabilityAnalysis.h:21
clang::ento::PointerEscapeKind
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Definition: CheckerManager.h:75
X
X
Add a minimal nested name specifier fixit hint to allow lookup of a tag name from an outer enclosing ...
Definition: SemaDecl.cpp:14423
Generated on Wed Jul 17 2019 00:56:44 for clang by   doxygen 1.8.13