clang  15.0.0git
StreamChecker.cpp
Go to the documentation of this file.
1 //===-- StreamChecker.cpp -----------------------------------------*- C++ -*--//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines checkers that model and check stream handling functions.
10 //
11 //===----------------------------------------------------------------------===//
12 
23 #include <functional>
24 
25 using namespace clang;
26 using namespace ento;
27 using namespace std::placeholders;
28 
29 //===----------------------------------------------------------------------===//
30 // Definition of state data structures.
31 //===----------------------------------------------------------------------===//
32 
33 namespace {
34 
35 struct FnDescription;
36 
37 /// State of the stream error flags.
38 /// Sometimes it is not known to the checker what error flags are set.
39 /// This is indicated by setting more than one flag to true.
40 /// This is an optimization to avoid state splits.
41 /// A stream can either be in FEOF or FERROR but not both at the same time.
42 /// Multiple flags are set to handle the corresponding states together.
43 struct StreamErrorState {
44  /// The stream can be in state where none of the error flags set.
45  bool NoError = true;
46  /// The stream can be in state where the EOF indicator is set.
47  bool FEof = false;
48  /// The stream can be in state where the error indicator is set.
49  bool FError = false;
50 
51  bool isNoError() const { return NoError && !FEof && !FError; }
52  bool isFEof() const { return !NoError && FEof && !FError; }
53  bool isFError() const { return !NoError && !FEof && FError; }
54 
55  bool operator==(const StreamErrorState &ES) const {
56  return NoError == ES.NoError && FEof == ES.FEof && FError == ES.FError;
57  }
58 
59  bool operator!=(const StreamErrorState &ES) const { return !(*this == ES); }
60 
61  StreamErrorState operator|(const StreamErrorState &E) const {
62  return {NoError || E.NoError, FEof || E.FEof, FError || E.FError};
63  }
64 
65  StreamErrorState operator&(const StreamErrorState &E) const {
66  return {NoError && E.NoError, FEof && E.FEof, FError && E.FError};
67  }
68 
69  StreamErrorState operator~() const { return {!NoError, !FEof, !FError}; }
70 
71  /// Returns if the StreamErrorState is a valid object.
72  operator bool() const { return NoError || FEof || FError; }
73 
74  void Profile(llvm::FoldingSetNodeID &ID) const {
75  ID.AddBoolean(NoError);
76  ID.AddBoolean(FEof);
77  ID.AddBoolean(FError);
78  }
79 };
80 
81 const StreamErrorState ErrorNone{true, false, false};
82 const StreamErrorState ErrorFEof{false, true, false};
83 const StreamErrorState ErrorFError{false, false, true};
84 
85 /// Full state information about a stream pointer.
86 struct StreamState {
87  /// The last file operation called in the stream.
88  const FnDescription *LastOperation;
89 
90  /// State of a stream symbol.
91  /// FIXME: We need maybe an "escaped" state later.
92  enum KindTy {
93  Opened, /// Stream is opened.
94  Closed, /// Closed stream (an invalid stream pointer after it was closed).
95  OpenFailed /// The last open operation has failed.
96  } State;
97 
98  /// State of the error flags.
99  /// Ignored in non-opened stream state but must be NoError.
100  StreamErrorState const ErrorState;
101 
102  /// Indicate if the file has an "indeterminate file position indicator".
103  /// This can be set at a failing read or write or seek operation.
104  /// If it is set no more read or write is allowed.
105  /// This value is not dependent on the stream error flags:
106  /// The error flag may be cleared with `clearerr` but the file position
107  /// remains still indeterminate.
108  /// This value applies to all error states in ErrorState except FEOF.
109  /// An EOF+indeterminate state is the same as EOF state.
110  bool const FilePositionIndeterminate = false;
111 
112  StreamState(const FnDescription *L, KindTy S, const StreamErrorState &ES,
113  bool IsFilePositionIndeterminate)
114  : LastOperation(L), State(S), ErrorState(ES),
115  FilePositionIndeterminate(IsFilePositionIndeterminate) {
116  assert((!ES.isFEof() || !IsFilePositionIndeterminate) &&
117  "FilePositionIndeterminate should be false in FEof case.");
118  assert((State == Opened || ErrorState.isNoError()) &&
119  "ErrorState should be None in non-opened stream state.");
120  }
121 
122  bool isOpened() const { return State == Opened; }
123  bool isClosed() const { return State == Closed; }
124  bool isOpenFailed() const { return State == OpenFailed; }
125 
126  bool operator==(const StreamState &X) const {
127  // In not opened state error state should always NoError, so comparison
128  // here is no problem.
129  return LastOperation == X.LastOperation && State == X.State &&
130  ErrorState == X.ErrorState &&
131  FilePositionIndeterminate == X.FilePositionIndeterminate;
132  }
133 
134  static StreamState getOpened(const FnDescription *L,
135  const StreamErrorState &ES = ErrorNone,
136  bool IsFilePositionIndeterminate = false) {
137  return StreamState{L, Opened, ES, IsFilePositionIndeterminate};
138  }
139  static StreamState getClosed(const FnDescription *L) {
140  return StreamState{L, Closed, {}, false};
141  }
142  static StreamState getOpenFailed(const FnDescription *L) {
143  return StreamState{L, OpenFailed, {}, false};
144  }
145 
146  void Profile(llvm::FoldingSetNodeID &ID) const {
147  ID.AddPointer(LastOperation);
148  ID.AddInteger(State);
149  ErrorState.Profile(ID);
150  ID.AddBoolean(FilePositionIndeterminate);
151  }
152 };
153 
154 } // namespace
155 
156 //===----------------------------------------------------------------------===//
157 // StreamChecker class and utility functions.
158 //===----------------------------------------------------------------------===//
159 
160 namespace {
161 
162 class StreamChecker;
163 using FnCheck = std::function<void(const StreamChecker *, const FnDescription *,
164  const CallEvent &, CheckerContext &)>;
165 
166 using ArgNoTy = unsigned int;
167 static const ArgNoTy ArgNone = std::numeric_limits<ArgNoTy>::max();
168 
169 struct FnDescription {
170  FnCheck PreFn;
171  FnCheck EvalFn;
172  ArgNoTy StreamArgNo;
173 };
174 
175 /// Get the value of the stream argument out of the passed call event.
176 /// The call should contain a function that is described by Desc.
177 SVal getStreamArg(const FnDescription *Desc, const CallEvent &Call) {
178  assert(Desc && Desc->StreamArgNo != ArgNone &&
179  "Try to get a non-existing stream argument.");
180  return Call.getArgSVal(Desc->StreamArgNo);
181 }
182 
183 /// Create a conjured symbol return value for a call expression.
184 DefinedSVal makeRetVal(CheckerContext &C, const CallExpr *CE) {
185  assert(CE && "Expecting a call expression.");
186 
187  const LocationContext *LCtx = C.getLocationContext();
188  return C.getSValBuilder()
189  .conjureSymbolVal(nullptr, CE, LCtx, C.blockCount())
190  .castAs<DefinedSVal>();
191 }
192 
193 ProgramStateRef bindAndAssumeTrue(ProgramStateRef State, CheckerContext &C,
194  const CallExpr *CE) {
195  DefinedSVal RetVal = makeRetVal(C, CE);
196  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
197  State = State->assume(RetVal, true);
198  assert(State && "Assumption on new value should not fail.");
199  return State;
200 }
201 
203  CheckerContext &C, const CallExpr *CE) {
204  State = State->BindExpr(CE, C.getLocationContext(),
205  C.getSValBuilder().makeIntVal(Value, false));
206  return State;
207 }
208 
209 class StreamChecker : public Checker<check::PreCall, eval::Call,
210  check::DeadSymbols, check::PointerEscape> {
211  BugType BT_FileNull{this, "NULL stream pointer", "Stream handling error"};
212  BugType BT_UseAfterClose{this, "Closed stream", "Stream handling error"};
213  BugType BT_UseAfterOpenFailed{this, "Invalid stream",
214  "Stream handling error"};
215  BugType BT_IndeterminatePosition{this, "Invalid stream state",
216  "Stream handling error"};
217  BugType BT_IllegalWhence{this, "Illegal whence argument",
218  "Stream handling error"};
219  BugType BT_StreamEof{this, "Stream already in EOF", "Stream handling error"};
220  BugType BT_ResourceLeak{this, "Resource leak", "Stream handling error",
221  /*SuppressOnSink =*/true};
222 
223 public:
224  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
225  bool evalCall(const CallEvent &Call, CheckerContext &C) const;
226  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
227  ProgramStateRef checkPointerEscape(ProgramStateRef State,
228  const InvalidatedSymbols &Escaped,
229  const CallEvent *Call,
230  PointerEscapeKind Kind) const;
231 
232  /// If true, evaluate special testing stream functions.
233  bool TestMode = false;
234 
235  const BugType *getBT_StreamEof() const { return &BT_StreamEof; }
236 
237 private:
238  CallDescriptionMap<FnDescription> FnDescriptions = {
239  {{"fopen"}, {nullptr, &StreamChecker::evalFopen, ArgNone}},
240  {{"freopen", 3},
241  {&StreamChecker::preFreopen, &StreamChecker::evalFreopen, 2}},
242  {{"tmpfile"}, {nullptr, &StreamChecker::evalFopen, ArgNone}},
243  {{"fclose", 1},
244  {&StreamChecker::preDefault, &StreamChecker::evalFclose, 0}},
245  {{"fread", 4},
246  {&StreamChecker::preFread,
247  std::bind(&StreamChecker::evalFreadFwrite, _1, _2, _3, _4, true), 3}},
248  {{"fwrite", 4},
249  {&StreamChecker::preFwrite,
250  std::bind(&StreamChecker::evalFreadFwrite, _1, _2, _3, _4, false), 3}},
251  {{"fseek", 3}, {&StreamChecker::preFseek, &StreamChecker::evalFseek, 0}},
252  {{"ftell", 1}, {&StreamChecker::preDefault, nullptr, 0}},
253  {{"rewind", 1}, {&StreamChecker::preDefault, nullptr, 0}},
254  {{"fgetpos", 2}, {&StreamChecker::preDefault, nullptr, 0}},
255  {{"fsetpos", 2}, {&StreamChecker::preDefault, nullptr, 0}},
256  {{"clearerr", 1},
257  {&StreamChecker::preDefault, &StreamChecker::evalClearerr, 0}},
258  {{"feof", 1},
259  {&StreamChecker::preDefault,
260  std::bind(&StreamChecker::evalFeofFerror, _1, _2, _3, _4, ErrorFEof),
261  0}},
262  {{"ferror", 1},
263  {&StreamChecker::preDefault,
264  std::bind(&StreamChecker::evalFeofFerror, _1, _2, _3, _4, ErrorFError),
265  0}},
266  {{"fileno", 1}, {&StreamChecker::preDefault, nullptr, 0}},
267  };
268 
269  CallDescriptionMap<FnDescription> FnTestDescriptions = {
270  {{"StreamTesterChecker_make_feof_stream", 1},
271  {nullptr,
272  std::bind(&StreamChecker::evalSetFeofFerror, _1, _2, _3, _4, ErrorFEof),
273  0}},
274  {{"StreamTesterChecker_make_ferror_stream", 1},
275  {nullptr,
276  std::bind(&StreamChecker::evalSetFeofFerror, _1, _2, _3, _4,
277  ErrorFError),
278  0}},
279  };
280 
281  void evalFopen(const FnDescription *Desc, const CallEvent &Call,
282  CheckerContext &C) const;
283 
284  void preFreopen(const FnDescription *Desc, const CallEvent &Call,
285  CheckerContext &C) const;
286  void evalFreopen(const FnDescription *Desc, const CallEvent &Call,
287  CheckerContext &C) const;
288 
289  void evalFclose(const FnDescription *Desc, const CallEvent &Call,
290  CheckerContext &C) const;
291 
292  void preFread(const FnDescription *Desc, const CallEvent &Call,
293  CheckerContext &C) const;
294 
295  void preFwrite(const FnDescription *Desc, const CallEvent &Call,
296  CheckerContext &C) const;
297 
298  void evalFreadFwrite(const FnDescription *Desc, const CallEvent &Call,
299  CheckerContext &C, bool IsFread) const;
300 
301  void preFseek(const FnDescription *Desc, const CallEvent &Call,
302  CheckerContext &C) const;
303  void evalFseek(const FnDescription *Desc, const CallEvent &Call,
304  CheckerContext &C) const;
305 
306  void preDefault(const FnDescription *Desc, const CallEvent &Call,
307  CheckerContext &C) const;
308 
309  void evalClearerr(const FnDescription *Desc, const CallEvent &Call,
310  CheckerContext &C) const;
311 
312  void evalFeofFerror(const FnDescription *Desc, const CallEvent &Call,
313  CheckerContext &C,
314  const StreamErrorState &ErrorKind) const;
315 
316  void evalSetFeofFerror(const FnDescription *Desc, const CallEvent &Call,
317  CheckerContext &C,
318  const StreamErrorState &ErrorKind) const;
319 
320  /// Check that the stream (in StreamVal) is not NULL.
321  /// If it can only be NULL a fatal error is emitted and nullptr returned.
322  /// Otherwise the return value is a new state where the stream is constrained
323  /// to be non-null.
324  ProgramStateRef ensureStreamNonNull(SVal StreamVal, const Expr *StreamE,
325  CheckerContext &C,
326  ProgramStateRef State) const;
327 
328  /// Check that the stream is the opened state.
329  /// If the stream is known to be not opened an error is generated
330  /// and nullptr returned, otherwise the original state is returned.
331  ProgramStateRef ensureStreamOpened(SVal StreamVal, CheckerContext &C,
332  ProgramStateRef State) const;
333 
334  /// Check that the stream has not an invalid ("indeterminate") file position,
335  /// generate warning for it.
336  /// (EOF is not an invalid position.)
337  /// The returned state can be nullptr if a fatal error was generated.
338  /// It can return non-null state if the stream has not an invalid position or
339  /// there is execution path with non-invalid position.
341  ensureNoFilePositionIndeterminate(SVal StreamVal, CheckerContext &C,
342  ProgramStateRef State) const;
343 
344  /// Check the legality of the 'whence' argument of 'fseek'.
345  /// Generate error and return nullptr if it is found to be illegal.
346  /// Otherwise returns the state.
347  /// (State is not changed here because the "whence" value is already known.)
348  ProgramStateRef ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C,
349  ProgramStateRef State) const;
350 
351  /// Generate warning about stream in EOF state.
352  /// There will be always a state transition into the passed State,
353  /// by the new non-fatal error node or (if failed) a normal transition,
354  /// to ensure uniform handling.
355  void reportFEofWarning(SymbolRef StreamSym, CheckerContext &C,
356  ProgramStateRef State) const;
357 
358  /// Emit resource leak warnings for the given symbols.
359  /// Createn a non-fatal error node for these, and returns it (if any warnings
360  /// were generated). Return value is non-null.
361  ExplodedNode *reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms,
362  CheckerContext &C, ExplodedNode *Pred) const;
363 
364  /// Find the description data of the function called by a call event.
365  /// Returns nullptr if no function is recognized.
366  const FnDescription *lookupFn(const CallEvent &Call) const {
367  // Recognize "global C functions" with only integral or pointer arguments
368  // (and matching name) as stream functions.
369  if (!Call.isGlobalCFunction())
370  return nullptr;
371  for (auto P : Call.parameters()) {
372  QualType T = P->getType();
373  if (!T->isIntegralOrEnumerationType() && !T->isPointerType())
374  return nullptr;
375  }
376 
377  return FnDescriptions.lookup(Call);
378  }
379 
380  /// Generate a message for BugReporterVisitor if the stored symbol is
381  /// marked as interesting by the actual bug report.
382  // FIXME: Use lambda instead.
383  struct NoteFn {
384  const BugType *BT_ResourceLeak;
385  SymbolRef StreamSym;
387 
388  std::string operator()(PathSensitiveBugReport &BR) const {
389  if (BR.isInteresting(StreamSym) && &BR.getBugType() == BT_ResourceLeak)
390  return Message;
391 
392  return "";
393  }
394  };
395 
396  const NoteTag *constructNoteTag(CheckerContext &C, SymbolRef StreamSym,
397  const std::string &Message) const {
398  return C.getNoteTag(NoteFn{&BT_ResourceLeak, StreamSym, Message});
399  }
400 
401  const NoteTag *constructSetEofNoteTag(CheckerContext &C,
402  SymbolRef StreamSym) const {
403  return C.getNoteTag([this, StreamSym](PathSensitiveBugReport &BR) {
404  if (!BR.isInteresting(StreamSym) ||
405  &BR.getBugType() != this->getBT_StreamEof())
406  return "";
407 
408  BR.markNotInteresting(StreamSym);
409 
410  return "Assuming stream reaches end-of-file here";
411  });
412  }
413 
414  /// Searches for the ExplodedNode where the file descriptor was acquired for
415  /// StreamSym.
416  static const ExplodedNode *getAcquisitionSite(const ExplodedNode *N,
417  SymbolRef StreamSym,
418  CheckerContext &C);
419 };
420 
421 } // end anonymous namespace
422 
423 // This map holds the state of a stream.
424 // The stream is identified with a SymbolRef that is created when a stream
425 // opening function is modeled by the checker.
426 REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)
427 
428 inline void assertStreamStateOpened(const StreamState *SS) {
429  assert(SS->isOpened() &&
430  "Previous create of error node for non-opened stream failed?");
431 }
432 
433 const ExplodedNode *StreamChecker::getAcquisitionSite(const ExplodedNode *N,
434  SymbolRef StreamSym,
435  CheckerContext &C) {
436  ProgramStateRef State = N->getState();
437  // When bug type is resource leak, exploded node N may not have state info
438  // for leaked file descriptor, but predecessor should have it.
439  if (!State->get<StreamMap>(StreamSym))
440  N = N->getFirstPred();
441 
442  const ExplodedNode *Pred = N;
443  while (N) {
444  State = N->getState();
445  if (!State->get<StreamMap>(StreamSym))
446  return Pred;
447  Pred = N;
448  N = N->getFirstPred();
449  }
450 
451  return nullptr;
452 }
453 
454 //===----------------------------------------------------------------------===//
455 // Methods of StreamChecker.
456 //===----------------------------------------------------------------------===//
457 
458 void StreamChecker::checkPreCall(const CallEvent &Call,
459  CheckerContext &C) const {
460  const FnDescription *Desc = lookupFn(Call);
461  if (!Desc || !Desc->PreFn)
462  return;
463 
464  Desc->PreFn(this, Desc, Call, C);
465 }
466 
467 bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
468  const FnDescription *Desc = lookupFn(Call);
469  if (!Desc && TestMode)
470  Desc = FnTestDescriptions.lookup(Call);
471  if (!Desc || !Desc->EvalFn)
472  return false;
473 
474  Desc->EvalFn(this, Desc, Call, C);
475 
476  return C.isDifferent();
477 }
478 
479 void StreamChecker::evalFopen(const FnDescription *Desc, const CallEvent &Call,
480  CheckerContext &C) const {
481  ProgramStateRef State = C.getState();
482  const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
483  if (!CE)
484  return;
485 
486  DefinedSVal RetVal = makeRetVal(C, CE);
487  SymbolRef RetSym = RetVal.getAsSymbol();
488  assert(RetSym && "RetVal must be a symbol here.");
489 
490  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
491 
492  // Bifurcate the state into two: one with a valid FILE* pointer, the other
493  // with a NULL.
494  ProgramStateRef StateNotNull, StateNull;
495  std::tie(StateNotNull, StateNull) =
496  C.getConstraintManager().assumeDual(State, RetVal);
497 
498  StateNotNull =
499  StateNotNull->set<StreamMap>(RetSym, StreamState::getOpened(Desc));
500  StateNull =
501  StateNull->set<StreamMap>(RetSym, StreamState::getOpenFailed(Desc));
502 
503  C.addTransition(StateNotNull,
504  constructNoteTag(C, RetSym, "Stream opened here"));
505  C.addTransition(StateNull);
506 }
507 
508 void StreamChecker::preFreopen(const FnDescription *Desc, const CallEvent &Call,
509  CheckerContext &C) const {
510  // Do not allow NULL as passed stream pointer but allow a closed stream.
511  ProgramStateRef State = C.getState();
512  State = ensureStreamNonNull(getStreamArg(Desc, Call),
513  Call.getArgExpr(Desc->StreamArgNo), C, State);
514  if (!State)
515  return;
516 
517  C.addTransition(State);
518 }
519 
520 void StreamChecker::evalFreopen(const FnDescription *Desc,
521  const CallEvent &Call,
522  CheckerContext &C) const {
523  ProgramStateRef State = C.getState();
524 
525  auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
526  if (!CE)
527  return;
528 
529  Optional<DefinedSVal> StreamVal =
530  getStreamArg(Desc, Call).getAs<DefinedSVal>();
531  if (!StreamVal)
532  return;
533 
534  SymbolRef StreamSym = StreamVal->getAsSymbol();
535  // Do not care about concrete values for stream ("(FILE *)0x12345"?).
536  // FIXME: Can be stdin, stdout, stderr such values?
537  if (!StreamSym)
538  return;
539 
540  // Do not handle untracked stream. It is probably escaped.
541  if (!State->get<StreamMap>(StreamSym))
542  return;
543 
544  // Generate state for non-failed case.
545  // Return value is the passed stream pointer.
546  // According to the documentations, the stream is closed first
547  // but any close error is ignored. The state changes to (or remains) opened.
548  ProgramStateRef StateRetNotNull =
549  State->BindExpr(CE, C.getLocationContext(), *StreamVal);
550  // Generate state for NULL return value.
551  // Stream switches to OpenFailed state.
552  ProgramStateRef StateRetNull =
553  State->BindExpr(CE, C.getLocationContext(),
554  C.getSValBuilder().makeNullWithType(CE->getType()));
555 
556  StateRetNotNull =
557  StateRetNotNull->set<StreamMap>(StreamSym, StreamState::getOpened(Desc));
558  StateRetNull =
559  StateRetNull->set<StreamMap>(StreamSym, StreamState::getOpenFailed(Desc));
560 
561  C.addTransition(StateRetNotNull,
562  constructNoteTag(C, StreamSym, "Stream reopened here"));
563  C.addTransition(StateRetNull);
564 }
565 
566 void StreamChecker::evalFclose(const FnDescription *Desc, const CallEvent &Call,
567  CheckerContext &C) const {
568  ProgramStateRef State = C.getState();
569  SymbolRef Sym = getStreamArg(Desc, Call).getAsSymbol();
570  if (!Sym)
571  return;
572 
573  const StreamState *SS = State->get<StreamMap>(Sym);
574  if (!SS)
575  return;
576 
578 
579  // Close the File Descriptor.
580  // Regardless if the close fails or not, stream becomes "closed"
581  // and can not be used any more.
582  State = State->set<StreamMap>(Sym, StreamState::getClosed(Desc));
583 
584  C.addTransition(State);
585 }
586 
587 void StreamChecker::preFread(const FnDescription *Desc, const CallEvent &Call,
588  CheckerContext &C) const {
589  ProgramStateRef State = C.getState();
590  SVal StreamVal = getStreamArg(Desc, Call);
591  State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C,
592  State);
593  if (!State)
594  return;
595  State = ensureStreamOpened(StreamVal, C, State);
596  if (!State)
597  return;
598  State = ensureNoFilePositionIndeterminate(StreamVal, C, State);
599  if (!State)
600  return;
601 
602  SymbolRef Sym = StreamVal.getAsSymbol();
603  if (Sym && State->get<StreamMap>(Sym)) {
604  const StreamState *SS = State->get<StreamMap>(Sym);
605  if (SS->ErrorState & ErrorFEof)
606  reportFEofWarning(Sym, C, State);
607  } else {
608  C.addTransition(State);
609  }
610 }
611 
612 void StreamChecker::preFwrite(const FnDescription *Desc, const CallEvent &Call,
613  CheckerContext &C) const {
614  ProgramStateRef State = C.getState();
615  SVal StreamVal = getStreamArg(Desc, Call);
616  State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C,
617  State);
618  if (!State)
619  return;
620  State = ensureStreamOpened(StreamVal, C, State);
621  if (!State)
622  return;
623  State = ensureNoFilePositionIndeterminate(StreamVal, C, State);
624  if (!State)
625  return;
626 
627  C.addTransition(State);
628 }
629 
630 void StreamChecker::evalFreadFwrite(const FnDescription *Desc,
631  const CallEvent &Call, CheckerContext &C,
632  bool IsFread) const {
633  ProgramStateRef State = C.getState();
634  SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
635  if (!StreamSym)
636  return;
637 
638  const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
639  if (!CE)
640  return;
641 
642  Optional<NonLoc> SizeVal = Call.getArgSVal(1).getAs<NonLoc>();
643  if (!SizeVal)
644  return;
645  Optional<NonLoc> NMembVal = Call.getArgSVal(2).getAs<NonLoc>();
646  if (!NMembVal)
647  return;
648 
649  const StreamState *OldSS = State->get<StreamMap>(StreamSym);
650  if (!OldSS)
651  return;
652 
654 
655  // C'99 standard, ยง7.19.8.1.3, the return value of fread:
656  // The fread function returns the number of elements successfully read, which
657  // may be less than nmemb if a read error or end-of-file is encountered. If
658  // size or nmemb is zero, fread returns zero and the contents of the array and
659  // the state of the stream remain unchanged.
660 
661  if (State->isNull(*SizeVal).isConstrainedTrue() ||
662  State->isNull(*NMembVal).isConstrainedTrue()) {
663  // This is the "size or nmemb is zero" case.
664  // Just return 0, do nothing more (not clear the error flags).
665  State = bindInt(0, State, C, CE);
666  C.addTransition(State);
667  return;
668  }
669 
670  // Generate a transition for the success state.
671  // If we know the state to be FEOF at fread, do not add a success state.
672  if (!IsFread || (OldSS->ErrorState != ErrorFEof)) {
673  ProgramStateRef StateNotFailed =
674  State->BindExpr(CE, C.getLocationContext(), *NMembVal);
675  StateNotFailed =
676  StateNotFailed->set<StreamMap>(StreamSym, StreamState::getOpened(Desc));
677  C.addTransition(StateNotFailed);
678  }
679 
680  // Add transition for the failed state.
681  NonLoc RetVal = makeRetVal(C, CE).castAs<NonLoc>();
682  ProgramStateRef StateFailed =
683  State->BindExpr(CE, C.getLocationContext(), RetVal);
684  auto Cond =
685  C.getSValBuilder()
686  .evalBinOpNN(State, BO_LT, RetVal, *NMembVal, C.getASTContext().IntTy)
687  .getAs<DefinedOrUnknownSVal>();
688  if (!Cond)
689  return;
690  StateFailed = StateFailed->assume(*Cond, true);
691  if (!StateFailed)
692  return;
693 
694  StreamErrorState NewES;
695  if (IsFread)
696  NewES =
697  (OldSS->ErrorState == ErrorFEof) ? ErrorFEof : ErrorFEof | ErrorFError;
698  else
699  NewES = ErrorFError;
700  // If a (non-EOF) error occurs, the resulting value of the file position
701  // indicator for the stream is indeterminate.
702  StreamState NewSS = StreamState::getOpened(Desc, NewES, !NewES.isFEof());
703  StateFailed = StateFailed->set<StreamMap>(StreamSym, NewSS);
704  if (IsFread && OldSS->ErrorState != ErrorFEof)
705  C.addTransition(StateFailed, constructSetEofNoteTag(C, StreamSym));
706  else
707  C.addTransition(StateFailed);
708 }
709 
710 void StreamChecker::preFseek(const FnDescription *Desc, const CallEvent &Call,
711  CheckerContext &C) const {
712  ProgramStateRef State = C.getState();
713  SVal StreamVal = getStreamArg(Desc, Call);
714  State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C,
715  State);
716  if (!State)
717  return;
718  State = ensureStreamOpened(StreamVal, C, State);
719  if (!State)
720  return;
721  State = ensureFseekWhenceCorrect(Call.getArgSVal(2), C, State);
722  if (!State)
723  return;
724 
725  C.addTransition(State);
726 }
727 
728 void StreamChecker::evalFseek(const FnDescription *Desc, const CallEvent &Call,
729  CheckerContext &C) const {
730  ProgramStateRef State = C.getState();
731  SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
732  if (!StreamSym)
733  return;
734 
735  const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
736  if (!CE)
737  return;
738 
739  // Ignore the call if the stream is not tracked.
740  if (!State->get<StreamMap>(StreamSym))
741  return;
742 
743  DefinedSVal RetVal = makeRetVal(C, CE);
744 
745  // Make expression result.
746  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
747 
748  // Bifurcate the state into failed and non-failed.
749  // Return zero on success, nonzero on error.
750  ProgramStateRef StateNotFailed, StateFailed;
751  std::tie(StateFailed, StateNotFailed) =
752  C.getConstraintManager().assumeDual(State, RetVal);
753 
754  // Reset the state to opened with no error.
755  StateNotFailed =
756  StateNotFailed->set<StreamMap>(StreamSym, StreamState::getOpened(Desc));
757  // We get error.
758  // It is possible that fseek fails but sets none of the error flags.
759  // If fseek failed, assume that the file position becomes indeterminate in any
760  // case.
761  StateFailed = StateFailed->set<StreamMap>(
762  StreamSym,
763  StreamState::getOpened(Desc, ErrorNone | ErrorFEof | ErrorFError, true));
764 
765  C.addTransition(StateNotFailed);
766  C.addTransition(StateFailed, constructSetEofNoteTag(C, StreamSym));
767 }
768 
769 void StreamChecker::evalClearerr(const FnDescription *Desc,
770  const CallEvent &Call,
771  CheckerContext &C) const {
772  ProgramStateRef State = C.getState();
773  SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
774  if (!StreamSym)
775  return;
776 
777  const StreamState *SS = State->get<StreamMap>(StreamSym);
778  if (!SS)
779  return;
780 
782 
783  // FilePositionIndeterminate is not cleared.
784  State = State->set<StreamMap>(
785  StreamSym,
786  StreamState::getOpened(Desc, ErrorNone, SS->FilePositionIndeterminate));
787  C.addTransition(State);
788 }
789 
790 void StreamChecker::evalFeofFerror(const FnDescription *Desc,
791  const CallEvent &Call, CheckerContext &C,
792  const StreamErrorState &ErrorKind) const {
793  ProgramStateRef State = C.getState();
794  SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
795  if (!StreamSym)
796  return;
797 
798  const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
799  if (!CE)
800  return;
801 
802  const StreamState *SS = State->get<StreamMap>(StreamSym);
803  if (!SS)
804  return;
805 
807 
808  if (SS->ErrorState & ErrorKind) {
809  // Execution path with error of ErrorKind.
810  // Function returns true.
811  // From now on it is the only one error state.
812  ProgramStateRef TrueState = bindAndAssumeTrue(State, C, CE);
813  C.addTransition(TrueState->set<StreamMap>(
814  StreamSym, StreamState::getOpened(Desc, ErrorKind,
815  SS->FilePositionIndeterminate &&
816  !ErrorKind.isFEof())));
817  }
818  if (StreamErrorState NewES = SS->ErrorState & (~ErrorKind)) {
819  // Execution path(s) with ErrorKind not set.
820  // Function returns false.
821  // New error state is everything before minus ErrorKind.
822  ProgramStateRef FalseState = bindInt(0, State, C, CE);
823  C.addTransition(FalseState->set<StreamMap>(
824  StreamSym,
825  StreamState::getOpened(
826  Desc, NewES, SS->FilePositionIndeterminate && !NewES.isFEof())));
827  }
828 }
829 
830 void StreamChecker::preDefault(const FnDescription *Desc, const CallEvent &Call,
831  CheckerContext &C) const {
832  ProgramStateRef State = C.getState();
833  SVal StreamVal = getStreamArg(Desc, Call);
834  State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C,
835  State);
836  if (!State)
837  return;
838  State = ensureStreamOpened(StreamVal, C, State);
839  if (!State)
840  return;
841 
842  C.addTransition(State);
843 }
844 
845 void StreamChecker::evalSetFeofFerror(const FnDescription *Desc,
846  const CallEvent &Call, CheckerContext &C,
847  const StreamErrorState &ErrorKind) const {
848  ProgramStateRef State = C.getState();
849  SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
850  assert(StreamSym && "Operation not permitted on non-symbolic stream value.");
851  const StreamState *SS = State->get<StreamMap>(StreamSym);
852  assert(SS && "Stream should be tracked by the checker.");
853  State = State->set<StreamMap>(
854  StreamSym, StreamState::getOpened(SS->LastOperation, ErrorKind));
855  C.addTransition(State);
856 }
857 
859 StreamChecker::ensureStreamNonNull(SVal StreamVal, const Expr *StreamE,
860  CheckerContext &C,
861  ProgramStateRef State) const {
862  auto Stream = StreamVal.getAs<DefinedSVal>();
863  if (!Stream)
864  return State;
865 
866  ConstraintManager &CM = C.getConstraintManager();
867 
868  ProgramStateRef StateNotNull, StateNull;
869  std::tie(StateNotNull, StateNull) = CM.assumeDual(C.getState(), *Stream);
870 
871  if (!StateNotNull && StateNull) {
872  if (ExplodedNode *N = C.generateErrorNode(StateNull)) {
873  auto R = std::make_unique<PathSensitiveBugReport>(
874  BT_FileNull, "Stream pointer might be NULL.", N);
875  if (StreamE)
876  bugreporter::trackExpressionValue(N, StreamE, *R);
877  C.emitReport(std::move(R));
878  }
879  return nullptr;
880  }
881 
882  return StateNotNull;
883 }
884 
885 ProgramStateRef StreamChecker::ensureStreamOpened(SVal StreamVal,
886  CheckerContext &C,
887  ProgramStateRef State) const {
888  SymbolRef Sym = StreamVal.getAsSymbol();
889  if (!Sym)
890  return State;
891 
892  const StreamState *SS = State->get<StreamMap>(Sym);
893  if (!SS)
894  return State;
895 
896  if (SS->isClosed()) {
897  // Using a stream pointer after 'fclose' causes undefined behavior
898  // according to cppreference.com .
899  ExplodedNode *N = C.generateErrorNode();
900  if (N) {
901  C.emitReport(std::make_unique<PathSensitiveBugReport>(
902  BT_UseAfterClose,
903  "Stream might be already closed. Causes undefined behaviour.", N));
904  return nullptr;
905  }
906 
907  return State;
908  }
909 
910  if (SS->isOpenFailed()) {
911  // Using a stream that has failed to open is likely to cause problems.
912  // This should usually not occur because stream pointer is NULL.
913  // But freopen can cause a state when stream pointer remains non-null but
914  // failed to open.
915  ExplodedNode *N = C.generateErrorNode();
916  if (N) {
917  C.emitReport(std::make_unique<PathSensitiveBugReport>(
918  BT_UseAfterOpenFailed,
919  "Stream might be invalid after "
920  "(re-)opening it has failed. "
921  "Can cause undefined behaviour.",
922  N));
923  return nullptr;
924  }
925  return State;
926  }
927 
928  return State;
929 }
930 
931 ProgramStateRef StreamChecker::ensureNoFilePositionIndeterminate(
932  SVal StreamVal, CheckerContext &C, ProgramStateRef State) const {
933  static const char *BugMessage =
934  "File position of the stream might be 'indeterminate' "
935  "after a failed operation. "
936  "Can cause undefined behavior.";
937 
938  SymbolRef Sym = StreamVal.getAsSymbol();
939  if (!Sym)
940  return State;
941 
942  const StreamState *SS = State->get<StreamMap>(Sym);
943  if (!SS)
944  return State;
945 
946  assert(SS->isOpened() && "First ensure that stream is opened.");
947 
948  if (SS->FilePositionIndeterminate) {
949  if (SS->ErrorState & ErrorFEof) {
950  // The error is unknown but may be FEOF.
951  // Continue analysis with the FEOF error state.
952  // Report warning because the other possible error states.
953  ExplodedNode *N = C.generateNonFatalErrorNode(State);
954  if (!N)
955  return nullptr;
956 
957  C.emitReport(std::make_unique<PathSensitiveBugReport>(
958  BT_IndeterminatePosition, BugMessage, N));
959  return State->set<StreamMap>(
960  Sym, StreamState::getOpened(SS->LastOperation, ErrorFEof, false));
961  }
962 
963  // Known or unknown error state without FEOF possible.
964  // Stop analysis, report error.
965  ExplodedNode *N = C.generateErrorNode(State);
966  if (N)
967  C.emitReport(std::make_unique<PathSensitiveBugReport>(
968  BT_IndeterminatePosition, BugMessage, N));
969 
970  return nullptr;
971  }
972 
973  return State;
974 }
975 
977 StreamChecker::ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C,
978  ProgramStateRef State) const {
979  Optional<nonloc::ConcreteInt> CI = WhenceVal.getAs<nonloc::ConcreteInt>();
980  if (!CI)
981  return State;
982 
983  int64_t X = CI->getValue().getSExtValue();
984  if (X >= 0 && X <= 2)
985  return State;
986 
987  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
988  C.emitReport(std::make_unique<PathSensitiveBugReport>(
989  BT_IllegalWhence,
990  "The whence argument to fseek() should be "
991  "SEEK_SET, SEEK_END, or SEEK_CUR.",
992  N));
993  return nullptr;
994  }
995 
996  return State;
997 }
998 
999 void StreamChecker::reportFEofWarning(SymbolRef StreamSym, CheckerContext &C,
1000  ProgramStateRef State) const {
1001  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
1002  auto R = std::make_unique<PathSensitiveBugReport>(
1003  BT_StreamEof,
1004  "Read function called when stream is in EOF state. "
1005  "Function has no effect.",
1006  N);
1007  R->markInteresting(StreamSym);
1008  C.emitReport(std::move(R));
1009  return;
1010  }
1011  C.addTransition(State);
1012 }
1013 
1014 ExplodedNode *
1015 StreamChecker::reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms,
1016  CheckerContext &C, ExplodedNode *Pred) const {
1017  ExplodedNode *Err = C.generateNonFatalErrorNode(C.getState(), Pred);
1018  if (!Err)
1019  return Pred;
1020 
1021  for (SymbolRef LeakSym : LeakedSyms) {
1022  // Resource leaks can result in multiple warning that describe the same kind
1023  // of programming error:
1024  // void f() {
1025  // FILE *F = fopen("a.txt");
1026  // if (rand()) // state split
1027  // return; // warning
1028  // } // warning
1029  // While this isn't necessarily true (leaking the same stream could result
1030  // from a different kinds of errors), the reduction in redundant reports
1031  // makes this a worthwhile heuristic.
1032  // FIXME: Add a checker option to turn this uniqueing feature off.
1033  const ExplodedNode *StreamOpenNode = getAcquisitionSite(Err, LeakSym, C);
1034  assert(StreamOpenNode && "Could not find place of stream opening.");
1035  PathDiagnosticLocation LocUsedForUniqueing =
1037  StreamOpenNode->getStmtForDiagnostics(), C.getSourceManager(),
1038  StreamOpenNode->getLocationContext());
1039 
1040  std::unique_ptr<PathSensitiveBugReport> R =
1041  std::make_unique<PathSensitiveBugReport>(
1042  BT_ResourceLeak,
1043  "Opened stream never closed. Potential resource leak.", Err,
1044  LocUsedForUniqueing,
1045  StreamOpenNode->getLocationContext()->getDecl());
1046  R->markInteresting(LeakSym);
1047  C.emitReport(std::move(R));
1048  }
1049 
1050  return Err;
1051 }
1052 
1053 void StreamChecker::checkDeadSymbols(SymbolReaper &SymReaper,
1054  CheckerContext &C) const {
1055  ProgramStateRef State = C.getState();
1056 
1058 
1059  const StreamMapTy &Map = State->get<StreamMap>();
1060  for (const auto &I : Map) {
1061  SymbolRef Sym = I.first;
1062  const StreamState &SS = I.second;
1063  if (!SymReaper.isDead(Sym))
1064  continue;
1065  if (SS.isOpened())
1066  LeakedSyms.push_back(Sym);
1067  State = State->remove<StreamMap>(Sym);
1068  }
1069 
1070  ExplodedNode *N = C.getPredecessor();
1071  if (!LeakedSyms.empty())
1072  N = reportLeaks(LeakedSyms, C, N);
1073 
1074  C.addTransition(State, N);
1075 }
1076 
1077 ProgramStateRef StreamChecker::checkPointerEscape(
1078  ProgramStateRef State, const InvalidatedSymbols &Escaped,
1079  const CallEvent *Call, PointerEscapeKind Kind) const {
1080  // Check for file-handling system call that is not handled by the checker.
1081  // FIXME: The checker should be updated to handle all system calls that take
1082  // 'FILE*' argument. These are now ignored.
1083  if (Kind == PSK_DirectEscapeOnCall && Call->isInSystemHeader())
1084  return State;
1085 
1086  for (SymbolRef Sym : Escaped) {
1087  // The symbol escaped.
1088  // From now the stream can be manipulated in unknown way to the checker,
1089  // it is not possible to handle it any more.
1090  // Optimistically, assume that the corresponding file handle will be closed
1091  // somewhere else.
1092  // Remove symbol from state so the following stream calls on this symbol are
1093  // not handled by the checker.
1094  State = State->remove<StreamMap>(Sym);
1095  }
1096  return State;
1097 }
1098 
1099 //===----------------------------------------------------------------------===//
1100 // Checker registration.
1101 //===----------------------------------------------------------------------===//
1102 
1103 void ento::registerStreamChecker(CheckerManager &Mgr) {
1104  Mgr.registerChecker<StreamChecker>();
1105 }
1106 
1107 bool ento::shouldRegisterStreamChecker(const CheckerManager &Mgr) {
1108  return true;
1109 }
1110 
1111 void ento::registerStreamTesterChecker(CheckerManager &Mgr) {
1112  auto *Checker = Mgr.getChecker<StreamChecker>();
1113  Checker->TestMode = true;
1114 }
1115 
1116 bool ento::shouldRegisterStreamTesterChecker(const CheckerManager &Mgr) {
1117  return true;
1118 }
clang::operator!=
bool operator!=(CanQual< T > x, CanQual< U > y)
Definition: CanonicalType.h:207
clang::ento::PSK_DirectEscapeOnCall
@ PSK_DirectEscapeOnCall
The pointer has been passed to a function call directly.
Definition: CheckerManager.h:84
max
__DEVICE__ int max(int __a, int __b)
Definition: __clang_cuda_math.h:196
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
CallDescription.h
string
string(SUBSTRING ${CMAKE_CURRENT_BINARY_DIR} 0 ${PATH_LIB_START} PATH_HEAD) string(SUBSTRING $
Definition: CMakeLists.txt:22
llvm::SmallVector
Definition: LLVM.h:38
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:731
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:55
int
__device__ int
Definition: __clang_hip_libdevice_declares.h:63
SymbolManager.h
clang::api_notes::EnumExtensibilityKind::Closed
@ Closed
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition: SymExpr.h:111
llvm::Optional
Definition: LLVM.h:40
clang::tooling::X
static ToolExecutorPluginRegistry::Add< AllTUsToolExecutorPlugin > X("all-TUs", "Runs FrontendActions on all TUs in the compilation database. " "Tool results are stored in memory.")
clang::index::SymbolRole::Call
@ Call
CallEvent.h
uint64_t
unsigned long uint64_t
Definition: hlsl_basic_types.h:24
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:87
clang::operator&
DiagnosticLevelMask operator&(DiagnosticLevelMask LHS, DiagnosticLevelMask RHS)
Definition: DiagnosticOptions.h:60
BuiltinCheckerRegistration.h
CheckerManager.h
bool
#define bool
Definition: stdbool.h:20
clang::operator|
DiagnosticLevelMask operator|(DiagnosticLevelMask LHS, DiagnosticLevelMask RHS)
Definition: DiagnosticOptions.h:53
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
P
StringRef P
Definition: ASTMatchersInternal.cpp:563
clang::operator~
DiagnosticLevelMask operator~(DiagnosticLevelMask M)
Definition: DiagnosticOptions.h:48
clang::Type::isPointerType
bool isPointerType() const
Definition: Type.h:6807
BugType.h
Value
Value
Definition: UninitializedValues.cpp:102
clang::syntax::NodeRole::Message
@ Message
State
LineState State
Definition: UnwrappedLineFormatter.cpp:1126
CheckerContext.h
assertStreamStateOpened
void assertStreamStateOpened(const StreamState *SS)
Definition: StreamChecker.cpp:428
clang::ObjCPropertyAttribute::Kind
Kind
Definition: DeclObjCCommon.h:22
ProgramState.h
int64_t
long int64_t
Definition: hlsl_basic_types.h:25
Checker.h
clang::Builtin::ID
ID
Definition: Builtins.h:52
clang
Definition: CalledOnceCheck.h:17
clang::Expr::getType
QualType getType() const
Definition: Expr.h:141
clang::ento::PathDiagnosticLocation::createBegin
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Definition: PathDiagnostic.cpp:580
clang::ento::PointerEscapeKind
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Definition: CheckerManager.h:78
ProgramStateTrait.h
clang::Expr
This represents one expression.
Definition: Expr.h:109
clang::ento::InvalidatedSymbols
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2801
clang::operator==
bool operator==(const CallGraphNode::CallRecord &LHS, const CallGraphNode::CallRecord &RHS)
Definition: CallGraph.h:207
clang::Type::isIntegralOrEnumerationType
bool isIntegralOrEnumerationType() const
Determine whether this type is an integral or enumeration type.
Definition: Type.h:7199