clang  12.0.0git
StreamChecker.cpp
Go to the documentation of this file.
1 //===-- StreamChecker.cpp -----------------------------------------*- C++ -*--//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines checkers that model and check stream handling functions.
10 //
11 //===----------------------------------------------------------------------===//
12 
22 #include <functional>
23 
24 using namespace clang;
25 using namespace ento;
26 using namespace std::placeholders;
27 
28 namespace {
29 
30 struct FnDescription;
31 
32 /// State of the stream error flags.
33 /// Sometimes it is not known to the checker what error flags are set.
34 /// This is indicated by setting more than one flag to true.
35 /// This is an optimization to avoid state splits.
36 /// A stream can either be in FEOF or FERROR but not both at the same time.
37 /// Multiple flags are set to handle the corresponding states together.
38 struct StreamErrorState {
39  /// The stream can be in state where none of the error flags set.
40  bool NoError = true;
41  /// The stream can be in state where the EOF indicator is set.
42  bool FEof = false;
43  /// The stream can be in state where the error indicator is set.
44  bool FError = false;
45 
46  bool isNoError() const { return NoError && !FEof && !FError; }
47  bool isFEof() const { return !NoError && FEof && !FError; }
48  bool isFError() const { return !NoError && !FEof && FError; }
49 
50  bool operator==(const StreamErrorState &ES) const {
51  return NoError == ES.NoError && FEof == ES.FEof && FError == ES.FError;
52  }
53 
54  bool operator!=(const StreamErrorState &ES) const { return !(*this == ES); }
55 
56  StreamErrorState operator|(const StreamErrorState &E) const {
57  return {NoError || E.NoError, FEof || E.FEof, FError || E.FError};
58  }
59 
60  StreamErrorState operator&(const StreamErrorState &E) const {
61  return {NoError && E.NoError, FEof && E.FEof, FError && E.FError};
62  }
63 
64  StreamErrorState operator~() const { return {!NoError, !FEof, !FError}; }
65 
66  /// Returns if the StreamErrorState is a valid object.
67  operator bool() const { return NoError || FEof || FError; }
68 
69  void Profile(llvm::FoldingSetNodeID &ID) const {
70  ID.AddBoolean(NoError);
71  ID.AddBoolean(FEof);
72  ID.AddBoolean(FError);
73  }
74 };
75 
76 const StreamErrorState ErrorNone{true, false, false};
77 const StreamErrorState ErrorFEof{false, true, false};
78 const StreamErrorState ErrorFError{false, false, true};
79 
80 /// Full state information about a stream pointer.
81 struct StreamState {
82  /// The last file operation called in the stream.
83  const FnDescription *LastOperation;
84 
85  /// State of a stream symbol.
86  /// FIXME: We need maybe an "escaped" state later.
87  enum KindTy {
88  Opened, /// Stream is opened.
89  Closed, /// Closed stream (an invalid stream pointer after it was closed).
90  OpenFailed /// The last open operation has failed.
91  } State;
92 
93  /// State of the error flags.
94  /// Ignored in non-opened stream state but must be NoError.
95  StreamErrorState const ErrorState;
96 
97  /// Indicate if the file has an "indeterminate file position indicator".
98  /// This can be set at a failing read or write or seek operation.
99  /// If it is set no more read or write is allowed.
100  /// This value is not dependent on the stream error flags:
101  /// The error flag may be cleared with `clearerr` but the file position
102  /// remains still indeterminate.
103  /// This value applies to all error states in ErrorState except FEOF.
104  /// An EOF+indeterminate state is the same as EOF state.
105  bool const FilePositionIndeterminate = false;
106 
107  StreamState(const FnDescription *L, KindTy S, const StreamErrorState &ES,
108  bool IsFilePositionIndeterminate)
109  : LastOperation(L), State(S), ErrorState(ES),
110  FilePositionIndeterminate(IsFilePositionIndeterminate) {
111  assert((!ES.isFEof() || !IsFilePositionIndeterminate) &&
112  "FilePositionIndeterminate should be false in FEof case.");
113  assert((State == Opened || ErrorState.isNoError()) &&
114  "ErrorState should be None in non-opened stream state.");
115  }
116 
117  bool isOpened() const { return State == Opened; }
118  bool isClosed() const { return State == Closed; }
119  bool isOpenFailed() const { return State == OpenFailed; }
120 
121  bool operator==(const StreamState &X) const {
122  // In not opened state error state should always NoError, so comparison
123  // here is no problem.
124  return LastOperation == X.LastOperation && State == X.State &&
125  ErrorState == X.ErrorState &&
126  FilePositionIndeterminate == X.FilePositionIndeterminate;
127  }
128 
129  static StreamState getOpened(const FnDescription *L,
130  const StreamErrorState &ES = ErrorNone,
131  bool IsFilePositionIndeterminate = false) {
132  return StreamState{L, Opened, ES, IsFilePositionIndeterminate};
133  }
134  static StreamState getClosed(const FnDescription *L) {
135  return StreamState{L, Closed, {}, false};
136  }
137  static StreamState getOpenFailed(const FnDescription *L) {
138  return StreamState{L, OpenFailed, {}, false};
139  }
140 
141  void Profile(llvm::FoldingSetNodeID &ID) const {
142  ID.AddPointer(LastOperation);
143  ID.AddInteger(State);
144  ID.AddInteger(ErrorState);
145  ID.AddBoolean(FilePositionIndeterminate);
146  }
147 };
148 
149 class StreamChecker;
150 using FnCheck = std::function<void(const StreamChecker *, const FnDescription *,
151  const CallEvent &, CheckerContext &)>;
152 
153 using ArgNoTy = unsigned int;
154 static const ArgNoTy ArgNone = std::numeric_limits<ArgNoTy>::max();
155 
156 struct FnDescription {
157  FnCheck PreFn;
158  FnCheck EvalFn;
159  ArgNoTy StreamArgNo;
160 };
161 
162 /// Get the value of the stream argument out of the passed call event.
163 /// The call should contain a function that is described by Desc.
164 SVal getStreamArg(const FnDescription *Desc, const CallEvent &Call) {
165  assert(Desc && Desc->StreamArgNo != ArgNone &&
166  "Try to get a non-existing stream argument.");
167  return Call.getArgSVal(Desc->StreamArgNo);
168 }
169 
170 /// Create a conjured symbol return value for a call expression.
171 DefinedSVal makeRetVal(CheckerContext &C, const CallExpr *CE) {
172  assert(CE && "Expecting a call expression.");
173 
174  const LocationContext *LCtx = C.getLocationContext();
175  return C.getSValBuilder()
176  .conjureSymbolVal(nullptr, CE, LCtx, C.blockCount())
177  .castAs<DefinedSVal>();
178 }
179 
180 ProgramStateRef bindAndAssumeTrue(ProgramStateRef State, CheckerContext &C,
181  const CallExpr *CE) {
182  DefinedSVal RetVal = makeRetVal(C, CE);
183  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
184  State = State->assume(RetVal, true);
185  assert(State && "Assumption on new value should not fail.");
186  return State;
187 }
188 
189 ProgramStateRef bindInt(uint64_t Value, ProgramStateRef State,
190  CheckerContext &C, const CallExpr *CE) {
191  State = State->BindExpr(CE, C.getLocationContext(),
192  C.getSValBuilder().makeIntVal(Value, false));
193  return State;
194 }
195 
196 class StreamChecker : public Checker<check::PreCall, eval::Call,
197  check::DeadSymbols, check::PointerEscape> {
198  BugType BT_FileNull{this, "NULL stream pointer", "Stream handling error"};
199  BugType BT_UseAfterClose{this, "Closed stream", "Stream handling error"};
200  BugType BT_UseAfterOpenFailed{this, "Invalid stream",
201  "Stream handling error"};
202  BugType BT_IndeterminatePosition{this, "Invalid stream state",
203  "Stream handling error"};
204  BugType BT_IllegalWhence{this, "Illegal whence argument",
205  "Stream handling error"};
206  BugType BT_StreamEof{this, "Stream already in EOF", "Stream handling error"};
207  BugType BT_ResourceLeak{this, "Resource leak", "Stream handling error",
208  /*SuppressOnSink =*/true};
209 
210 public:
211  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
212  bool evalCall(const CallEvent &Call, CheckerContext &C) const;
213  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
214  ProgramStateRef checkPointerEscape(ProgramStateRef State,
215  const InvalidatedSymbols &Escaped,
216  const CallEvent *Call,
217  PointerEscapeKind Kind) const;
218 
219  /// If true, evaluate special testing stream functions.
220  bool TestMode = false;
221 
222 private:
223  CallDescriptionMap<FnDescription> FnDescriptions = {
224  {{"fopen"}, {nullptr, &StreamChecker::evalFopen, ArgNone}},
225  {{"freopen", 3},
226  {&StreamChecker::preFreopen, &StreamChecker::evalFreopen, 2}},
227  {{"tmpfile"}, {nullptr, &StreamChecker::evalFopen, ArgNone}},
228  {{"fclose", 1},
229  {&StreamChecker::preDefault, &StreamChecker::evalFclose, 0}},
230  {{"fread", 4},
231  {&StreamChecker::preFread,
232  std::bind(&StreamChecker::evalFreadFwrite, _1, _2, _3, _4, true), 3}},
233  {{"fwrite", 4},
234  {&StreamChecker::preFwrite,
235  std::bind(&StreamChecker::evalFreadFwrite, _1, _2, _3, _4, false), 3}},
236  {{"fseek", 3}, {&StreamChecker::preFseek, &StreamChecker::evalFseek, 0}},
237  {{"ftell", 1}, {&StreamChecker::preDefault, nullptr, 0}},
238  {{"rewind", 1}, {&StreamChecker::preDefault, nullptr, 0}},
239  {{"fgetpos", 2}, {&StreamChecker::preDefault, nullptr, 0}},
240  {{"fsetpos", 2}, {&StreamChecker::preDefault, nullptr, 0}},
241  {{"clearerr", 1},
242  {&StreamChecker::preDefault, &StreamChecker::evalClearerr, 0}},
243  {{"feof", 1},
244  {&StreamChecker::preDefault,
245  std::bind(&StreamChecker::evalFeofFerror, _1, _2, _3, _4, ErrorFEof),
246  0}},
247  {{"ferror", 1},
248  {&StreamChecker::preDefault,
249  std::bind(&StreamChecker::evalFeofFerror, _1, _2, _3, _4, ErrorFError),
250  0}},
251  {{"fileno", 1}, {&StreamChecker::preDefault, nullptr, 0}},
252  };
253 
254  CallDescriptionMap<FnDescription> FnTestDescriptions = {
255  {{"StreamTesterChecker_make_feof_stream", 1},
256  {nullptr,
257  std::bind(&StreamChecker::evalSetFeofFerror, _1, _2, _3, _4, ErrorFEof),
258  0}},
259  {{"StreamTesterChecker_make_ferror_stream", 1},
260  {nullptr,
261  std::bind(&StreamChecker::evalSetFeofFerror, _1, _2, _3, _4,
262  ErrorFError),
263  0}},
264  };
265 
266  void evalFopen(const FnDescription *Desc, const CallEvent &Call,
267  CheckerContext &C) const;
268 
269  void preFreopen(const FnDescription *Desc, const CallEvent &Call,
270  CheckerContext &C) const;
271  void evalFreopen(const FnDescription *Desc, const CallEvent &Call,
272  CheckerContext &C) const;
273 
274  void evalFclose(const FnDescription *Desc, const CallEvent &Call,
275  CheckerContext &C) const;
276 
277  void preFread(const FnDescription *Desc, const CallEvent &Call,
278  CheckerContext &C) const;
279 
280  void preFwrite(const FnDescription *Desc, const CallEvent &Call,
281  CheckerContext &C) const;
282 
283  void evalFreadFwrite(const FnDescription *Desc, const CallEvent &Call,
284  CheckerContext &C, bool IsFread) const;
285 
286  void preFseek(const FnDescription *Desc, const CallEvent &Call,
287  CheckerContext &C) const;
288  void evalFseek(const FnDescription *Desc, const CallEvent &Call,
289  CheckerContext &C) const;
290 
291  void preDefault(const FnDescription *Desc, const CallEvent &Call,
292  CheckerContext &C) const;
293 
294  void evalClearerr(const FnDescription *Desc, const CallEvent &Call,
295  CheckerContext &C) const;
296 
297  void evalFeofFerror(const FnDescription *Desc, const CallEvent &Call,
298  CheckerContext &C,
299  const StreamErrorState &ErrorKind) const;
300 
301  void evalSetFeofFerror(const FnDescription *Desc, const CallEvent &Call,
302  CheckerContext &C,
303  const StreamErrorState &ErrorKind) const;
304 
305  /// Check that the stream (in StreamVal) is not NULL.
306  /// If it can only be NULL a fatal error is emitted and nullptr returned.
307  /// Otherwise the return value is a new state where the stream is constrained
308  /// to be non-null.
309  ProgramStateRef ensureStreamNonNull(SVal StreamVal, CheckerContext &C,
310  ProgramStateRef State) const;
311 
312  /// Check that the stream is the opened state.
313  /// If the stream is known to be not opened an error is generated
314  /// and nullptr returned, otherwise the original state is returned.
315  ProgramStateRef ensureStreamOpened(SVal StreamVal, CheckerContext &C,
316  ProgramStateRef State) const;
317 
318  /// Check that the stream has not an invalid ("indeterminate") file position,
319  /// generate warning for it.
320  /// (EOF is not an invalid position.)
321  /// The returned state can be nullptr if a fatal error was generated.
322  /// It can return non-null state if the stream has not an invalid position or
323  /// there is execution path with non-invalid position.
325  ensureNoFilePositionIndeterminate(SVal StreamVal, CheckerContext &C,
326  ProgramStateRef State) const;
327 
328  /// Check the legality of the 'whence' argument of 'fseek'.
329  /// Generate error and return nullptr if it is found to be illegal.
330  /// Otherwise returns the state.
331  /// (State is not changed here because the "whence" value is already known.)
332  ProgramStateRef ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C,
333  ProgramStateRef State) const;
334 
335  /// Generate warning about stream in EOF state.
336  /// There will be always a state transition into the passed State,
337  /// by the new non-fatal error node or (if failed) a normal transition,
338  /// to ensure uniform handling.
339  void reportFEofWarning(CheckerContext &C, ProgramStateRef State) const;
340 
341  /// Emit resource leak warnings for the given symbols.
342  /// Createn a non-fatal error node for these, and returns it (if any warnings
343  /// were generated). Return value is non-null.
344  ExplodedNode *reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms,
345  CheckerContext &C, ExplodedNode *Pred) const;
346 
347  /// Find the description data of the function called by a call event.
348  /// Returns nullptr if no function is recognized.
349  const FnDescription *lookupFn(const CallEvent &Call) const {
350  // Recognize "global C functions" with only integral or pointer arguments
351  // (and matching name) as stream functions.
352  if (!Call.isGlobalCFunction())
353  return nullptr;
354  for (auto P : Call.parameters()) {
355  QualType T = P->getType();
356  if (!T->isIntegralOrEnumerationType() && !T->isPointerType())
357  return nullptr;
358  }
359 
360  return FnDescriptions.lookup(Call);
361  }
362 
363  /// Generate a message for BugReporterVisitor if the stored symbol is
364  /// marked as interesting by the actual bug report.
365  struct NoteFn {
366  const CheckerNameRef CheckerName;
367  SymbolRef StreamSym;
368  std::string Message;
369 
370  std::string operator()(PathSensitiveBugReport &BR) const {
371  if (BR.isInteresting(StreamSym) &&
372  CheckerName == BR.getBugType().getCheckerName())
373  return Message;
374 
375  return "";
376  }
377  };
378 
379  const NoteTag *constructNoteTag(CheckerContext &C, SymbolRef StreamSym,
380  const std::string &Message) const {
381  return C.getNoteTag(NoteFn{getCheckerName(), StreamSym, Message});
382  }
383 
384  /// Searches for the ExplodedNode where the file descriptor was acquired for
385  /// StreamSym.
386  static const ExplodedNode *getAcquisitionSite(const ExplodedNode *N,
387  SymbolRef StreamSym,
388  CheckerContext &C);
389 };
390 
391 } // end anonymous namespace
392 
393 REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)
394 
395 inline void assertStreamStateOpened(const StreamState *SS) {
396  assert(SS->isOpened() &&
397  "Previous create of error node for non-opened stream failed?");
398 }
399 
400 const ExplodedNode *StreamChecker::getAcquisitionSite(const ExplodedNode *N,
401  SymbolRef StreamSym,
402  CheckerContext &C) {
403  ProgramStateRef State = N->getState();
404  // When bug type is resource leak, exploded node N may not have state info
405  // for leaked file descriptor, but predecessor should have it.
406  if (!State->get<StreamMap>(StreamSym))
407  N = N->getFirstPred();
408 
409  const ExplodedNode *Pred = N;
410  while (N) {
411  State = N->getState();
412  if (!State->get<StreamMap>(StreamSym))
413  return Pred;
414  Pred = N;
415  N = N->getFirstPred();
416  }
417 
418  return nullptr;
419 }
420 
421 void StreamChecker::checkPreCall(const CallEvent &Call,
422  CheckerContext &C) const {
423  const FnDescription *Desc = lookupFn(Call);
424  if (!Desc || !Desc->PreFn)
425  return;
426 
427  Desc->PreFn(this, Desc, Call, C);
428 }
429 
430 bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
431  const FnDescription *Desc = lookupFn(Call);
432  if (!Desc && TestMode)
433  Desc = FnTestDescriptions.lookup(Call);
434  if (!Desc || !Desc->EvalFn)
435  return false;
436 
437  Desc->EvalFn(this, Desc, Call, C);
438 
439  return C.isDifferent();
440 }
441 
442 void StreamChecker::evalFopen(const FnDescription *Desc, const CallEvent &Call,
443  CheckerContext &C) const {
444  ProgramStateRef State = C.getState();
445  const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
446  if (!CE)
447  return;
448 
449  DefinedSVal RetVal = makeRetVal(C, CE);
450  SymbolRef RetSym = RetVal.getAsSymbol();
451  assert(RetSym && "RetVal must be a symbol here.");
452 
453  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
454 
455  // Bifurcate the state into two: one with a valid FILE* pointer, the other
456  // with a NULL.
457  ProgramStateRef StateNotNull, StateNull;
458  std::tie(StateNotNull, StateNull) =
459  C.getConstraintManager().assumeDual(State, RetVal);
460 
461  StateNotNull =
462  StateNotNull->set<StreamMap>(RetSym, StreamState::getOpened(Desc));
463  StateNull =
464  StateNull->set<StreamMap>(RetSym, StreamState::getOpenFailed(Desc));
465 
466  C.addTransition(StateNotNull,
467  constructNoteTag(C, RetSym, "Stream opened here"));
468  C.addTransition(StateNull);
469 }
470 
471 void StreamChecker::preFreopen(const FnDescription *Desc, const CallEvent &Call,
472  CheckerContext &C) const {
473  // Do not allow NULL as passed stream pointer but allow a closed stream.
474  ProgramStateRef State = C.getState();
475  State = ensureStreamNonNull(getStreamArg(Desc, Call), C, State);
476  if (!State)
477  return;
478 
479  C.addTransition(State);
480 }
481 
482 void StreamChecker::evalFreopen(const FnDescription *Desc,
483  const CallEvent &Call,
484  CheckerContext &C) const {
485  ProgramStateRef State = C.getState();
486 
487  auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
488  if (!CE)
489  return;
490 
491  Optional<DefinedSVal> StreamVal =
492  getStreamArg(Desc, Call).getAs<DefinedSVal>();
493  if (!StreamVal)
494  return;
495 
496  SymbolRef StreamSym = StreamVal->getAsSymbol();
497  // Do not care about concrete values for stream ("(FILE *)0x12345"?).
498  // FIXME: Can be stdin, stdout, stderr such values?
499  if (!StreamSym)
500  return;
501 
502  // Do not handle untracked stream. It is probably escaped.
503  if (!State->get<StreamMap>(StreamSym))
504  return;
505 
506  // Generate state for non-failed case.
507  // Return value is the passed stream pointer.
508  // According to the documentations, the stream is closed first
509  // but any close error is ignored. The state changes to (or remains) opened.
510  ProgramStateRef StateRetNotNull =
511  State->BindExpr(CE, C.getLocationContext(), *StreamVal);
512  // Generate state for NULL return value.
513  // Stream switches to OpenFailed state.
514  ProgramStateRef StateRetNull = State->BindExpr(CE, C.getLocationContext(),
515  C.getSValBuilder().makeNull());
516 
517  StateRetNotNull =
518  StateRetNotNull->set<StreamMap>(StreamSym, StreamState::getOpened(Desc));
519  StateRetNull =
520  StateRetNull->set<StreamMap>(StreamSym, StreamState::getOpenFailed(Desc));
521 
522  C.addTransition(StateRetNotNull,
523  constructNoteTag(C, StreamSym, "Stream reopened here"));
524  C.addTransition(StateRetNull);
525 }
526 
527 void StreamChecker::evalFclose(const FnDescription *Desc, const CallEvent &Call,
528  CheckerContext &C) const {
529  ProgramStateRef State = C.getState();
530  SymbolRef Sym = getStreamArg(Desc, Call).getAsSymbol();
531  if (!Sym)
532  return;
533 
534  const StreamState *SS = State->get<StreamMap>(Sym);
535  if (!SS)
536  return;
537 
539 
540  // Close the File Descriptor.
541  // Regardless if the close fails or not, stream becomes "closed"
542  // and can not be used any more.
543  State = State->set<StreamMap>(Sym, StreamState::getClosed(Desc));
544 
545  C.addTransition(State);
546 }
547 
548 void StreamChecker::preFread(const FnDescription *Desc, const CallEvent &Call,
549  CheckerContext &C) const {
550  ProgramStateRef State = C.getState();
551  SVal StreamVal = getStreamArg(Desc, Call);
552  State = ensureStreamNonNull(StreamVal, C, State);
553  if (!State)
554  return;
555  State = ensureStreamOpened(StreamVal, C, State);
556  if (!State)
557  return;
558  State = ensureNoFilePositionIndeterminate(StreamVal, C, State);
559  if (!State)
560  return;
561 
562  SymbolRef Sym = StreamVal.getAsSymbol();
563  if (Sym && State->get<StreamMap>(Sym)) {
564  const StreamState *SS = State->get<StreamMap>(Sym);
565  if (SS->ErrorState & ErrorFEof)
566  reportFEofWarning(C, State);
567  } else {
568  C.addTransition(State);
569  }
570 }
571 
572 void StreamChecker::preFwrite(const FnDescription *Desc, const CallEvent &Call,
573  CheckerContext &C) const {
574  ProgramStateRef State = C.getState();
575  SVal StreamVal = getStreamArg(Desc, Call);
576  State = ensureStreamNonNull(StreamVal, C, State);
577  if (!State)
578  return;
579  State = ensureStreamOpened(StreamVal, C, State);
580  if (!State)
581  return;
582  State = ensureNoFilePositionIndeterminate(StreamVal, C, State);
583  if (!State)
584  return;
585 
586  C.addTransition(State);
587 }
588 
589 void StreamChecker::evalFreadFwrite(const FnDescription *Desc,
590  const CallEvent &Call, CheckerContext &C,
591  bool IsFread) const {
592  ProgramStateRef State = C.getState();
593  SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
594  if (!StreamSym)
595  return;
596 
597  const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
598  if (!CE)
599  return;
600 
601  Optional<NonLoc> SizeVal = Call.getArgSVal(1).getAs<NonLoc>();
602  if (!SizeVal)
603  return;
604  Optional<NonLoc> NMembVal = Call.getArgSVal(2).getAs<NonLoc>();
605  if (!NMembVal)
606  return;
607 
608  const StreamState *SS = State->get<StreamMap>(StreamSym);
609  if (!SS)
610  return;
611 
613 
614  // C'99 standard, ยง7.19.8.1.3, the return value of fread:
615  // The fread function returns the number of elements successfully read, which
616  // may be less than nmemb if a read error or end-of-file is encountered. If
617  // size or nmemb is zero, fread returns zero and the contents of the array and
618  // the state of the stream remain unchanged.
619 
620  if (State->isNull(*SizeVal).isConstrainedTrue() ||
621  State->isNull(*NMembVal).isConstrainedTrue()) {
622  // This is the "size or nmemb is zero" case.
623  // Just return 0, do nothing more (not clear the error flags).
624  State = bindInt(0, State, C, CE);
625  C.addTransition(State);
626  return;
627  }
628 
629  // Generate a transition for the success state.
630  // If we know the state to be FEOF at fread, do not add a success state.
631  if (!IsFread || (SS->ErrorState != ErrorFEof)) {
632  ProgramStateRef StateNotFailed =
633  State->BindExpr(CE, C.getLocationContext(), *NMembVal);
634  if (StateNotFailed) {
635  StateNotFailed = StateNotFailed->set<StreamMap>(
636  StreamSym, StreamState::getOpened(Desc));
637  C.addTransition(StateNotFailed);
638  }
639  }
640 
641  // Add transition for the failed state.
642  Optional<NonLoc> RetVal = makeRetVal(C, CE).castAs<NonLoc>();
643  assert(RetVal && "Value should be NonLoc.");
644  ProgramStateRef StateFailed =
645  State->BindExpr(CE, C.getLocationContext(), *RetVal);
646  if (!StateFailed)
647  return;
648  auto Cond = C.getSValBuilder()
649  .evalBinOpNN(State, BO_LT, *RetVal, *NMembVal,
650  C.getASTContext().IntTy)
651  .getAs<DefinedOrUnknownSVal>();
652  if (!Cond)
653  return;
654  StateFailed = StateFailed->assume(*Cond, true);
655  if (!StateFailed)
656  return;
657 
658  StreamErrorState NewES;
659  if (IsFread)
660  NewES = (SS->ErrorState == ErrorFEof) ? ErrorFEof : ErrorFEof | ErrorFError;
661  else
662  NewES = ErrorFError;
663  // If a (non-EOF) error occurs, the resulting value of the file position
664  // indicator for the stream is indeterminate.
665  StreamState NewState = StreamState::getOpened(Desc, NewES, !NewES.isFEof());
666  StateFailed = StateFailed->set<StreamMap>(StreamSym, NewState);
667  C.addTransition(StateFailed);
668 }
669 
670 void StreamChecker::preFseek(const FnDescription *Desc, const CallEvent &Call,
671  CheckerContext &C) const {
672  ProgramStateRef State = C.getState();
673  SVal StreamVal = getStreamArg(Desc, Call);
674  State = ensureStreamNonNull(StreamVal, C, State);
675  if (!State)
676  return;
677  State = ensureStreamOpened(StreamVal, C, State);
678  if (!State)
679  return;
680  State = ensureFseekWhenceCorrect(Call.getArgSVal(2), C, State);
681  if (!State)
682  return;
683 
684  C.addTransition(State);
685 }
686 
687 void StreamChecker::evalFseek(const FnDescription *Desc, const CallEvent &Call,
688  CheckerContext &C) const {
689  ProgramStateRef State = C.getState();
690  SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
691  if (!StreamSym)
692  return;
693 
694  const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
695  if (!CE)
696  return;
697 
698  // Ignore the call if the stream is not tracked.
699  if (!State->get<StreamMap>(StreamSym))
700  return;
701 
702  DefinedSVal RetVal = makeRetVal(C, CE);
703 
704  // Make expression result.
705  State = State->BindExpr(CE, C.getLocationContext(), RetVal);
706 
707  // Bifurcate the state into failed and non-failed.
708  // Return zero on success, nonzero on error.
709  ProgramStateRef StateNotFailed, StateFailed;
710  std::tie(StateFailed, StateNotFailed) =
711  C.getConstraintManager().assumeDual(State, RetVal);
712 
713  // Reset the state to opened with no error.
714  StateNotFailed =
715  StateNotFailed->set<StreamMap>(StreamSym, StreamState::getOpened(Desc));
716  // We get error.
717  // It is possible that fseek fails but sets none of the error flags.
718  // If fseek failed, assume that the file position becomes indeterminate in any
719  // case.
720  StateFailed = StateFailed->set<StreamMap>(
721  StreamSym,
722  StreamState::getOpened(Desc, ErrorNone | ErrorFEof | ErrorFError, true));
723 
724  C.addTransition(StateNotFailed);
725  C.addTransition(StateFailed);
726 }
727 
728 void StreamChecker::evalClearerr(const FnDescription *Desc,
729  const CallEvent &Call,
730  CheckerContext &C) const {
731  ProgramStateRef State = C.getState();
732  SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
733  if (!StreamSym)
734  return;
735 
736  const StreamState *SS = State->get<StreamMap>(StreamSym);
737  if (!SS)
738  return;
739 
741 
742  // FilePositionIndeterminate is not cleared.
743  State = State->set<StreamMap>(
744  StreamSym,
745  StreamState::getOpened(Desc, ErrorNone, SS->FilePositionIndeterminate));
746  C.addTransition(State);
747 }
748 
749 void StreamChecker::evalFeofFerror(const FnDescription *Desc,
750  const CallEvent &Call, CheckerContext &C,
751  const StreamErrorState &ErrorKind) const {
752  ProgramStateRef State = C.getState();
753  SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
754  if (!StreamSym)
755  return;
756 
757  const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
758  if (!CE)
759  return;
760 
761  const StreamState *SS = State->get<StreamMap>(StreamSym);
762  if (!SS)
763  return;
764 
766 
767  if (SS->ErrorState & ErrorKind) {
768  // Execution path with error of ErrorKind.
769  // Function returns true.
770  // From now on it is the only one error state.
771  ProgramStateRef TrueState = bindAndAssumeTrue(State, C, CE);
772  C.addTransition(TrueState->set<StreamMap>(
773  StreamSym, StreamState::getOpened(Desc, ErrorKind,
774  SS->FilePositionIndeterminate &&
775  !ErrorKind.isFEof())));
776  }
777  if (StreamErrorState NewES = SS->ErrorState & (~ErrorKind)) {
778  // Execution path(s) with ErrorKind not set.
779  // Function returns false.
780  // New error state is everything before minus ErrorKind.
781  ProgramStateRef FalseState = bindInt(0, State, C, CE);
782  C.addTransition(FalseState->set<StreamMap>(
783  StreamSym,
784  StreamState::getOpened(
785  Desc, NewES, SS->FilePositionIndeterminate && !NewES.isFEof())));
786  }
787 }
788 
789 void StreamChecker::preDefault(const FnDescription *Desc, const CallEvent &Call,
790  CheckerContext &C) const {
791  ProgramStateRef State = C.getState();
792  SVal StreamVal = getStreamArg(Desc, Call);
793  State = ensureStreamNonNull(StreamVal, C, State);
794  if (!State)
795  return;
796  State = ensureStreamOpened(StreamVal, C, State);
797  if (!State)
798  return;
799 
800  C.addTransition(State);
801 }
802 
803 void StreamChecker::evalSetFeofFerror(const FnDescription *Desc,
804  const CallEvent &Call, CheckerContext &C,
805  const StreamErrorState &ErrorKind) const {
806  ProgramStateRef State = C.getState();
807  SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
808  assert(StreamSym && "Operation not permitted on non-symbolic stream value.");
809  const StreamState *SS = State->get<StreamMap>(StreamSym);
810  assert(SS && "Stream should be tracked by the checker.");
811  State = State->set<StreamMap>(
812  StreamSym, StreamState::getOpened(SS->LastOperation, ErrorKind));
813  C.addTransition(State);
814 }
815 
817 StreamChecker::ensureStreamNonNull(SVal StreamVal, CheckerContext &C,
818  ProgramStateRef State) const {
819  auto Stream = StreamVal.getAs<DefinedSVal>();
820  if (!Stream)
821  return State;
822 
823  ConstraintManager &CM = C.getConstraintManager();
824 
825  ProgramStateRef StateNotNull, StateNull;
826  std::tie(StateNotNull, StateNull) = CM.assumeDual(C.getState(), *Stream);
827 
828  if (!StateNotNull && StateNull) {
829  if (ExplodedNode *N = C.generateErrorNode(StateNull)) {
830  C.emitReport(std::make_unique<PathSensitiveBugReport>(
831  BT_FileNull, "Stream pointer might be NULL.", N));
832  }
833  return nullptr;
834  }
835 
836  return StateNotNull;
837 }
838 
839 ProgramStateRef StreamChecker::ensureStreamOpened(SVal StreamVal,
840  CheckerContext &C,
841  ProgramStateRef State) const {
842  SymbolRef Sym = StreamVal.getAsSymbol();
843  if (!Sym)
844  return State;
845 
846  const StreamState *SS = State->get<StreamMap>(Sym);
847  if (!SS)
848  return State;
849 
850  if (SS->isClosed()) {
851  // Using a stream pointer after 'fclose' causes undefined behavior
852  // according to cppreference.com .
853  ExplodedNode *N = C.generateErrorNode();
854  if (N) {
855  C.emitReport(std::make_unique<PathSensitiveBugReport>(
856  BT_UseAfterClose,
857  "Stream might be already closed. Causes undefined behaviour.", N));
858  return nullptr;
859  }
860 
861  return State;
862  }
863 
864  if (SS->isOpenFailed()) {
865  // Using a stream that has failed to open is likely to cause problems.
866  // This should usually not occur because stream pointer is NULL.
867  // But freopen can cause a state when stream pointer remains non-null but
868  // failed to open.
869  ExplodedNode *N = C.generateErrorNode();
870  if (N) {
871  C.emitReport(std::make_unique<PathSensitiveBugReport>(
872  BT_UseAfterOpenFailed,
873  "Stream might be invalid after "
874  "(re-)opening it has failed. "
875  "Can cause undefined behaviour.",
876  N));
877  return nullptr;
878  }
879  return State;
880  }
881 
882  return State;
883 }
884 
885 ProgramStateRef StreamChecker::ensureNoFilePositionIndeterminate(
886  SVal StreamVal, CheckerContext &C, ProgramStateRef State) const {
887  static const char *BugMessage =
888  "File position of the stream might be 'indeterminate' "
889  "after a failed operation. "
890  "Can cause undefined behavior.";
891 
892  SymbolRef Sym = StreamVal.getAsSymbol();
893  if (!Sym)
894  return State;
895 
896  const StreamState *SS = State->get<StreamMap>(Sym);
897  if (!SS)
898  return State;
899 
900  assert(SS->isOpened() && "First ensure that stream is opened.");
901 
902  if (SS->FilePositionIndeterminate) {
903  if (SS->ErrorState & ErrorFEof) {
904  // The error is unknown but may be FEOF.
905  // Continue analysis with the FEOF error state.
906  // Report warning because the other possible error states.
907  ExplodedNode *N = C.generateNonFatalErrorNode(State);
908  if (!N)
909  return nullptr;
910 
911  C.emitReport(std::make_unique<PathSensitiveBugReport>(
912  BT_IndeterminatePosition, BugMessage, N));
913  return State->set<StreamMap>(
914  Sym, StreamState::getOpened(SS->LastOperation, ErrorFEof, false));
915  }
916 
917  // Known or unknown error state without FEOF possible.
918  // Stop analysis, report error.
919  ExplodedNode *N = C.generateErrorNode(State);
920  if (N)
921  C.emitReport(std::make_unique<PathSensitiveBugReport>(
922  BT_IndeterminatePosition, BugMessage, N));
923 
924  return nullptr;
925  }
926 
927  return State;
928 }
929 
931 StreamChecker::ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C,
932  ProgramStateRef State) const {
933  Optional<nonloc::ConcreteInt> CI = WhenceVal.getAs<nonloc::ConcreteInt>();
934  if (!CI)
935  return State;
936 
937  int64_t X = CI->getValue().getSExtValue();
938  if (X >= 0 && X <= 2)
939  return State;
940 
941  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
942  C.emitReport(std::make_unique<PathSensitiveBugReport>(
943  BT_IllegalWhence,
944  "The whence argument to fseek() should be "
945  "SEEK_SET, SEEK_END, or SEEK_CUR.",
946  N));
947  return nullptr;
948  }
949 
950  return State;
951 }
952 
953 void StreamChecker::reportFEofWarning(CheckerContext &C,
954  ProgramStateRef State) const {
955  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
956  C.emitReport(std::make_unique<PathSensitiveBugReport>(
957  BT_StreamEof,
958  "Read function called when stream is in EOF state. "
959  "Function has no effect.",
960  N));
961  return;
962  }
963  C.addTransition(State);
964 }
965 
966 ExplodedNode *
967 StreamChecker::reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms,
968  CheckerContext &C, ExplodedNode *Pred) const {
969  ExplodedNode *Err = C.generateNonFatalErrorNode(C.getState(), Pred);
970  if (!Err)
971  return Pred;
972 
973  for (SymbolRef LeakSym : LeakedSyms) {
974  // Resource leaks can result in multiple warning that describe the same kind
975  // of programming error:
976  // void f() {
977  // FILE *F = fopen("a.txt");
978  // if (rand()) // state split
979  // return; // warning
980  // } // warning
981  // While this isn't necessarily true (leaking the same stream could result
982  // from a different kinds of errors), the reduction in redundant reports
983  // makes this a worthwhile heuristic.
984  // FIXME: Add a checker option to turn this uniqueing feature off.
985  const ExplodedNode *StreamOpenNode = getAcquisitionSite(Err, LeakSym, C);
986  assert(StreamOpenNode && "Could not find place of stream opening.");
987  PathDiagnosticLocation LocUsedForUniqueing =
989  StreamOpenNode->getStmtForDiagnostics(), C.getSourceManager(),
990  StreamOpenNode->getLocationContext());
991 
992  std::unique_ptr<PathSensitiveBugReport> R =
993  std::make_unique<PathSensitiveBugReport>(
994  BT_ResourceLeak,
995  "Opened stream never closed. Potential resource leak.", Err,
996  LocUsedForUniqueing,
997  StreamOpenNode->getLocationContext()->getDecl());
998  R->markInteresting(LeakSym);
999  C.emitReport(std::move(R));
1000  }
1001 
1002  return Err;
1003 }
1004 
1005 void StreamChecker::checkDeadSymbols(SymbolReaper &SymReaper,
1006  CheckerContext &C) const {
1007  ProgramStateRef State = C.getState();
1008 
1010 
1011  const StreamMapTy &Map = State->get<StreamMap>();
1012  for (const auto &I : Map) {
1013  SymbolRef Sym = I.first;
1014  const StreamState &SS = I.second;
1015  if (!SymReaper.isDead(Sym))
1016  continue;
1017  if (SS.isOpened())
1018  LeakedSyms.push_back(Sym);
1019  State = State->remove<StreamMap>(Sym);
1020  }
1021 
1022  ExplodedNode *N = C.getPredecessor();
1023  if (!LeakedSyms.empty())
1024  N = reportLeaks(LeakedSyms, C, N);
1025 
1026  C.addTransition(State, N);
1027 }
1028 
1029 ProgramStateRef StreamChecker::checkPointerEscape(
1030  ProgramStateRef State, const InvalidatedSymbols &Escaped,
1031  const CallEvent *Call, PointerEscapeKind Kind) const {
1032  // Check for file-handling system call that is not handled by the checker.
1033  // FIXME: The checker should be updated to handle all system calls that take
1034  // 'FILE*' argument. These are now ignored.
1035  if (Kind == PSK_DirectEscapeOnCall && Call->isInSystemHeader())
1036  return State;
1037 
1038  for (SymbolRef Sym : Escaped) {
1039  // The symbol escaped.
1040  // From now the stream can be manipulated in unknown way to the checker,
1041  // it is not possible to handle it any more.
1042  // Optimistically, assume that the corresponding file handle will be closed
1043  // somewhere else.
1044  // Remove symbol from state so the following stream calls on this symbol are
1045  // not handled by the checker.
1046  State = State->remove<StreamMap>(Sym);
1047  }
1048  return State;
1049 }
1050 
1051 void ento::registerStreamChecker(CheckerManager &Mgr) {
1052  Mgr.registerChecker<StreamChecker>();
1053 }
1054 
1055 bool ento::shouldRegisterStreamChecker(const CheckerManager &Mgr) {
1056  return true;
1057 }
1058 
1059 void ento::registerStreamTesterChecker(CheckerManager &Mgr) {
1060  auto *Checker = Mgr.getChecker<StreamChecker>();
1061  Checker->TestMode = true;
1062 }
1063 
1064 bool ento::shouldRegisterStreamTesterChecker(const CheckerManager &Mgr) {
1065  return true;
1066 }
A (possibly-)qualified type.
Definition: Type.h:661
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
__DEVICE__ int max(int __a, int __b)
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
StringRef P
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
const SymExpr * SymbolRef
Definition: SymExpr.h:110
LineState State
bool isIntegralOrEnumerationType() const
Determine whether this type is an integral or enumeration type.
Definition: Type.h:7022
bool operator==(const CallGraphNode::CallRecord &LHS, const CallGraphNode::CallRecord &RHS)
Definition: CallGraph.h:207
__device__ int
DiagnosticLevelMask operator|(DiagnosticLevelMask LHS, DiagnosticLevelMask RHS)
The pointer has been passed to a function call directly.
#define bool
Definition: stdbool.h:15
void assertStreamStateOpened(const StreamState *SS)
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Kind
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Dataflow Directional Tag Classes.
DiagnosticLevelMask operator~(DiagnosticLevelMask M)
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
X
Add a minimal nested name specifier fixit hint to allow lookup of a tag name from an outer enclosing ...
Definition: SemaDecl.cpp:15282
bool operator!=(CanQual< T > x, CanQual< U > y)
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2730
DiagnosticLevelMask operator &(DiagnosticLevelMask LHS, DiagnosticLevelMask RHS)
bool isPointerType() const
Definition: Type.h:6640