clang 20.0.0git
StreamChecker.cpp
Go to the documentation of this file.
1//===-- StreamChecker.cpp -----------------------------------------*- C++ -*--//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines checkers that model and check stream handling functions.
10//
11//===----------------------------------------------------------------------===//
12
13#include "NoOwnershipChangeVisitor.h"
14#include "clang/ASTMatchers/ASTMatchFinder.h"
15#include "clang/ASTMatchers/ASTMatchers.h"
16#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
17#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18#include "clang/StaticAnalyzer/Core/Checker.h"
19#include "clang/StaticAnalyzer/Core/CheckerManager.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
25#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
26#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
27#include "llvm/ADT/Sequence.h"
28#include <functional>
29#include <optional>
30
31using namespace clang;
32using namespace ento;
33using namespace std::placeholders;
34
35//===----------------------------------------------------------------------===//
36// Definition of state data structures.
37//===----------------------------------------------------------------------===//
38
39namespace {
40
41struct FnDescription;
42
43/// State of the stream error flags.
44/// Sometimes it is not known to the checker what error flags are set.
45/// This is indicated by setting more than one flag to true.
46/// This is an optimization to avoid state splits.
47/// A stream can either be in FEOF or FERROR but not both at the same time.
48/// Multiple flags are set to handle the corresponding states together.
49struct StreamErrorState {
50 /// The stream can be in state where none of the error flags set.
51 bool NoError = true;
52 /// The stream can be in state where the EOF indicator is set.
53 bool FEof = false;
54 /// The stream can be in state where the error indicator is set.
55 bool FError = false;
56
57 bool isNoError() const { return NoError && !FEof && !FError; }
58 bool isFEof() const { return !NoError && FEof && !FError; }
59 bool isFError() const { return !NoError && !FEof && FError; }
60
61 bool operator==(const StreamErrorState &ES) const {
62 return NoError == ES.NoError && FEof == ES.FEof && FError == ES.FError;
63 }
64
65 bool operator!=(const StreamErrorState &ES) const { return !(*this == ES); }
66
67 StreamErrorState operator|(const StreamErrorState &E) const {
68 return {NoError || E.NoError, FEof || E.FEof, FError || E.FError};
69 }
70
71 StreamErrorState operator&(const StreamErrorState &E) const {
72 return {NoError && E.NoError, FEof && E.FEof, FError && E.FError};
73 }
74
75 StreamErrorState operator~() const { return {!NoError, !FEof, !FError}; }
76
77 /// Returns if the StreamErrorState is a valid object.
78 operator bool() const { return NoError || FEof || FError; }
79
80 LLVM_DUMP_METHOD void dump() const { dumpToStream(llvm::errs()); }
81 LLVM_DUMP_METHOD void dumpToStream(llvm::raw_ostream &os) const {
82 os << "NoError: " << NoError << ", FEof: " << FEof
83 << ", FError: " << FError;
84 }
85
86 void Profile(llvm::FoldingSetNodeID &ID) const {
87 ID.AddBoolean(NoError);
88 ID.AddBoolean(FEof);
89 ID.AddBoolean(FError);
90 }
91};
92
93const StreamErrorState ErrorNone{true, false, false};
94const StreamErrorState ErrorFEof{false, true, false};
95const StreamErrorState ErrorFError{false, false, true};
96
97/// Full state information about a stream pointer.
98struct StreamState {
99 /// The last file operation called in the stream.
100 /// Can be nullptr.
101 const FnDescription *LastOperation;
102
103 /// State of a stream symbol.
104 enum KindTy {
105 Opened, /// Stream is opened.
106 Closed, /// Closed stream (an invalid stream pointer after it was closed).
107 OpenFailed /// The last open operation has failed.
108 } State;
109
110 StringRef getKindStr() const {
111 switch (State) {
112 case Opened:
113 return "Opened";
114 case Closed:
115 return "Closed";
116 case OpenFailed:
117 return "OpenFailed";
118 }
119 llvm_unreachable("Unknown StreamState!");
120 }
121
122 /// State of the error flags.
123 /// Ignored in non-opened stream state but must be NoError.
124 StreamErrorState const ErrorState;
125
126 /// Indicate if the file has an "indeterminate file position indicator".
127 /// This can be set at a failing read or write or seek operation.
128 /// If it is set no more read or write is allowed.
129 /// This value is not dependent on the stream error flags:
130 /// The error flag may be cleared with `clearerr` but the file position
131 /// remains still indeterminate.
132 /// This value applies to all error states in ErrorState except FEOF.
133 /// An EOF+indeterminate state is the same as EOF state.
134 bool const FilePositionIndeterminate = false;
135
136 StreamState(const FnDescription *L, KindTy S, const StreamErrorState &ES,
137 bool IsFilePositionIndeterminate)
138 : LastOperation(L), State(S), ErrorState(ES),
139 FilePositionIndeterminate(IsFilePositionIndeterminate) {
140 assert((!ES.isFEof() || !IsFilePositionIndeterminate) &&
141 "FilePositionIndeterminate should be false in FEof case.");
142 assert((State == Opened || ErrorState.isNoError()) &&
143 "ErrorState should be None in non-opened stream state.");
144 }
145
146 bool isOpened() const { return State == Opened; }
147 bool isClosed() const { return State == Closed; }
148 bool isOpenFailed() const { return State == OpenFailed; }
149
150 bool operator==(const StreamState &X) const {
151 // In not opened state error state should always NoError, so comparison
152 // here is no problem.
153 return LastOperation == X.LastOperation && State == X.State &&
154 ErrorState == X.ErrorState &&
155 FilePositionIndeterminate == X.FilePositionIndeterminate;
156 }
157
158 static StreamState getOpened(const FnDescription *L,
159 const StreamErrorState &ES = ErrorNone,
160 bool IsFilePositionIndeterminate = false) {
161 return StreamState{L, Opened, ES, IsFilePositionIndeterminate};
162 }
163 static StreamState getClosed(const FnDescription *L) {
164 return StreamState{L, Closed, {}, false};
165 }
166 static StreamState getOpenFailed(const FnDescription *L) {
167 return StreamState{L, OpenFailed, {}, false};
168 }
169
170 LLVM_DUMP_METHOD void dump() const { dumpToStream(llvm::errs()); }
171 LLVM_DUMP_METHOD void dumpToStream(llvm::raw_ostream &os) const;
172
173 void Profile(llvm::FoldingSetNodeID &ID) const {
174 ID.AddPointer(LastOperation);
175 ID.AddInteger(State);
176 ErrorState.Profile(ID);
177 ID.AddBoolean(FilePositionIndeterminate);
178 }
179};
180
181} // namespace
182
183// This map holds the state of a stream.
184// The stream is identified with a SymbolRef that is created when a stream
185// opening function is modeled by the checker.
186REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)
187
188//===----------------------------------------------------------------------===//
189// StreamChecker class and utility functions.
190//===----------------------------------------------------------------------===//
191
192namespace {
193
194class StreamChecker;
195using FnCheck = std::function<void(const StreamChecker *, const FnDescription *,
196 const CallEvent &, CheckerContext &)>;
197
198using ArgNoTy = unsigned int;
199static const ArgNoTy ArgNone = std::numeric_limits<ArgNoTy>::max();
200
201const char *FeofNote = "Assuming stream reaches end-of-file here";
202const char *FerrorNote = "Assuming this stream operation fails";
203
204struct FnDescription {
205 FnCheck PreFn;
206 FnCheck EvalFn;
207 ArgNoTy StreamArgNo;
208};
209
210LLVM_DUMP_METHOD void StreamState::dumpToStream(llvm::raw_ostream &os) const {
211 os << "{Kind: " << getKindStr() << ", Last operation: " << LastOperation
212 << ", ErrorState: ";
213 ErrorState.dumpToStream(os);
214 os << ", FilePos: " << (FilePositionIndeterminate ? "Indeterminate" : "OK")
215 << '}';
216}
217
218/// Get the value of the stream argument out of the passed call event.
219/// The call should contain a function that is described by Desc.
220SVal getStreamArg(const FnDescription *Desc, const CallEvent &Call) {
221 assert(Desc && Desc->StreamArgNo != ArgNone &&
222 "Try to get a non-existing stream argument.");
223 return Call.getArgSVal(Desc->StreamArgNo);
224}
225
226/// Create a conjured symbol return value for a call expression.
227DefinedSVal makeRetVal(CheckerContext &C, const CallExpr *CE) {
228 assert(CE && "Expecting a call expression.");
229
230 const LocationContext *LCtx = C.getLocationContext();
231 return C.getSValBuilder()
232 .conjureSymbolVal(nullptr, CE, LCtx, C.blockCount())
233 .castAs<DefinedSVal>();
234}
235
236ProgramStateRef bindAndAssumeTrue(ProgramStateRef State, CheckerContext &C,
237 const CallExpr *CE) {
238 DefinedSVal RetVal = makeRetVal(C, CE);
239 State = State->BindExpr(CE, C.getLocationContext(), RetVal);
240 State = State->assume(RetVal, true);
241 assert(State && "Assumption on new value should not fail.");
242 return State;
243}
244
245ProgramStateRef bindInt(uint64_t Value, ProgramStateRef State,
246 CheckerContext &C, const CallExpr *CE) {
247 State = State->BindExpr(CE, C.getLocationContext(),
248 C.getSValBuilder().makeIntVal(Value, CE->getType()));
249 return State;
250}
251
252inline void assertStreamStateOpened(const StreamState *SS) {
253 assert(SS->isOpened() && "Stream is expected to be opened");
254}
255
256class StreamChecker : public Checker<check::PreCall, eval::Call,
257 check::DeadSymbols, check::PointerEscape,
258 check::ASTDecl<TranslationUnitDecl>> {
259 BugType BT_FileNull{this, "NULL stream pointer", "Stream handling error"};
260 BugType BT_UseAfterClose{this, "Closed stream", "Stream handling error"};
261 BugType BT_UseAfterOpenFailed{this, "Invalid stream",
262 "Stream handling error"};
263 BugType BT_IndeterminatePosition{this, "Invalid stream state",
264 "Stream handling error"};
265 BugType BT_IllegalWhence{this, "Illegal whence argument",
266 "Stream handling error"};
267 BugType BT_StreamEof{this, "Stream already in EOF", "Stream handling error"};
268 BugType BT_ResourceLeak{this, "Resource leak", "Stream handling error",
269 /*SuppressOnSink =*/true};
270
271public:
272 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
273 bool evalCall(const CallEvent &Call, CheckerContext &C) const;
274 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
275 ProgramStateRef checkPointerEscape(ProgramStateRef State,
276 const InvalidatedSymbols &Escaped,
277 const CallEvent *Call,
278 PointerEscapeKind Kind) const;
279
280 /// Finds the declarations of 'FILE *stdin, *stdout, *stderr'.
281 void checkASTDecl(const TranslationUnitDecl *TU, AnalysisManager &,
282 BugReporter &) const;
283
284 const BugType *getBT_StreamEof() const { return &BT_StreamEof; }
285 const BugType *getBT_IndeterminatePosition() const {
286 return &BT_IndeterminatePosition;
287 }
288
289 /// Assumes that the result of 'fopen' can't alias with the pointee of
290 /// 'stdin', 'stdout' or 'stderr'.
291 ProgramStateRef assumeNoAliasingWithStdStreams(ProgramStateRef State,
292 DefinedSVal RetVal,
293 CheckerContext &C) const;
294
295 const NoteTag *constructSetEofNoteTag(CheckerContext &C,
296 SymbolRef StreamSym) const {
297 return C.getNoteTag([this, StreamSym](PathSensitiveBugReport &BR) {
298 if (!BR.isInteresting(StreamSym) ||
299 &BR.getBugType() != this->getBT_StreamEof())
300 return "";
301
302 BR.markNotInteresting(StreamSym);
303
304 return FeofNote;
305 });
306 }
307
308 const NoteTag *constructSetErrorNoteTag(CheckerContext &C,
309 SymbolRef StreamSym) const {
310 return C.getNoteTag([this, StreamSym](PathSensitiveBugReport &BR) {
311 if (!BR.isInteresting(StreamSym) ||
312 &BR.getBugType() != this->getBT_IndeterminatePosition())
313 return "";
314
315 BR.markNotInteresting(StreamSym);
316
317 return FerrorNote;
318 });
319 }
320
321 const NoteTag *constructSetEofOrErrorNoteTag(CheckerContext &C,
322 SymbolRef StreamSym) const {
323 return C.getNoteTag([this, StreamSym](PathSensitiveBugReport &BR) {
324 if (!BR.isInteresting(StreamSym))
325 return "";
326
327 if (&BR.getBugType() == this->getBT_StreamEof()) {
328 BR.markNotInteresting(StreamSym);
329 return FeofNote;
330 }
331 if (&BR.getBugType() == this->getBT_IndeterminatePosition()) {
332 BR.markNotInteresting(StreamSym);
333 return FerrorNote;
334 }
335
336 return "";
337 });
338 }
339
340 /// If true, evaluate special testing stream functions.
341 bool TestMode = false;
342
343 /// If true, generate failure branches for cases that are often not checked.
344 bool PedanticMode = false;
345
346 const CallDescription FCloseDesc = {CDM::CLibrary, {"fclose"}, 1};
347
348private:
349 CallDescriptionMap<FnDescription> FnDescriptions = {
350 {{CDM::CLibrary, {"fopen"}, 2},
351 {nullptr, &StreamChecker::evalFopen, ArgNone}},
352 {{CDM::CLibrary, {"fdopen"}, 2},
353 {nullptr, &StreamChecker::evalFopen, ArgNone}},
354 {{CDM::CLibrary, {"freopen"}, 3},
355 {&StreamChecker::preFreopen, &StreamChecker::evalFreopen, 2}},
356 {{CDM::CLibrary, {"tmpfile"}, 0},
357 {nullptr, &StreamChecker::evalFopen, ArgNone}},
358 {FCloseDesc, {&StreamChecker::preDefault, &StreamChecker::evalFclose, 0}},
359 {{CDM::CLibrary, {"fread"}, 4},
360 {&StreamChecker::preRead,
361 std::bind(&StreamChecker::evalFreadFwrite, _1, _2, _3, _4, true), 3}},
362 {{CDM::CLibrary, {"fwrite"}, 4},
363 {&StreamChecker::preWrite,
364 std::bind(&StreamChecker::evalFreadFwrite, _1, _2, _3, _4, false), 3}},
365 {{CDM::CLibrary, {"fgetc"}, 1},
366 {&StreamChecker::preRead,
367 std::bind(&StreamChecker::evalFgetx, _1, _2, _3, _4, true), 0}},
368 {{CDM::CLibrary, {"fgets"}, 3},
369 {&StreamChecker::preRead,
370 std::bind(&StreamChecker::evalFgetx, _1, _2, _3, _4, false), 2}},
371 {{CDM::CLibrary, {"getc"}, 1},
372 {&StreamChecker::preRead,
373 std::bind(&StreamChecker::evalFgetx, _1, _2, _3, _4, true), 0}},
374 {{CDM::CLibrary, {"fputc"}, 2},
375 {&StreamChecker::preWrite,
376 std::bind(&StreamChecker::evalFputx, _1, _2, _3, _4, true), 1}},
377 {{CDM::CLibrary, {"fputs"}, 2},
378 {&StreamChecker::preWrite,
379 std::bind(&StreamChecker::evalFputx, _1, _2, _3, _4, false), 1}},
380 {{CDM::CLibrary, {"putc"}, 2},
381 {&StreamChecker::preWrite,
382 std::bind(&StreamChecker::evalFputx, _1, _2, _3, _4, true), 1}},
383 {{CDM::CLibrary, {"fprintf"}},
384 {&StreamChecker::preWrite,
385 std::bind(&StreamChecker::evalFprintf, _1, _2, _3, _4), 0}},
386 {{CDM::CLibrary, {"vfprintf"}, 3},
387 {&StreamChecker::preWrite,
388 std::bind(&StreamChecker::evalFprintf, _1, _2, _3, _4), 0}},
389 {{CDM::CLibrary, {"fscanf"}},
390 {&StreamChecker::preRead,
391 std::bind(&StreamChecker::evalFscanf, _1, _2, _3, _4), 0}},
392 {{CDM::CLibrary, {"vfscanf"}, 3},
393 {&StreamChecker::preRead,
394 std::bind(&StreamChecker::evalFscanf, _1, _2, _3, _4), 0}},
395 {{CDM::CLibrary, {"ungetc"}, 2},
396 {&StreamChecker::preWrite,
397 std::bind(&StreamChecker::evalUngetc, _1, _2, _3, _4), 1}},
398 {{CDM::CLibrary, {"getdelim"}, 4},
399 {&StreamChecker::preRead,
400 std::bind(&StreamChecker::evalGetdelim, _1, _2, _3, _4), 3}},
401 {{CDM::CLibrary, {"getline"}, 3},
402 {&StreamChecker::preRead,
403 std::bind(&StreamChecker::evalGetdelim, _1, _2, _3, _4), 2}},
404 {{CDM::CLibrary, {"fseek"}, 3},
405 {&StreamChecker::preFseek, &StreamChecker::evalFseek, 0}},
406 {{CDM::CLibrary, {"fseeko"}, 3},
407 {&StreamChecker::preFseek, &StreamChecker::evalFseek, 0}},
408 {{CDM::CLibrary, {"ftell"}, 1},
409 {&StreamChecker::preWrite, &StreamChecker::evalFtell, 0}},
410 {{CDM::CLibrary, {"ftello"}, 1},
411 {&StreamChecker::preWrite, &StreamChecker::evalFtell, 0}},
412 {{CDM::CLibrary, {"fflush"}, 1},
413 {&StreamChecker::preFflush, &StreamChecker::evalFflush, 0}},
414 {{CDM::CLibrary, {"rewind"}, 1},
415 {&StreamChecker::preDefault, &StreamChecker::evalRewind, 0}},
416 {{CDM::CLibrary, {"fgetpos"}, 2},
417 {&StreamChecker::preWrite, &StreamChecker::evalFgetpos, 0}},
418 {{CDM::CLibrary, {"fsetpos"}, 2},
419 {&StreamChecker::preDefault, &StreamChecker::evalFsetpos, 0}},
420 {{CDM::CLibrary, {"clearerr"}, 1},
421 {&StreamChecker::preDefault, &StreamChecker::evalClearerr, 0}},
422 {{CDM::CLibrary, {"feof"}, 1},
423 {&StreamChecker::preDefault,
424 std::bind(&StreamChecker::evalFeofFerror, _1, _2, _3, _4, ErrorFEof),
425 0}},
426 {{CDM::CLibrary, {"ferror"}, 1},
427 {&StreamChecker::preDefault,
428 std::bind(&StreamChecker::evalFeofFerror, _1, _2, _3, _4, ErrorFError),
429 0}},
430 {{CDM::CLibrary, {"fileno"}, 1},
431 {&StreamChecker::preDefault, &StreamChecker::evalFileno, 0}},
432 };
433
434 CallDescriptionMap<FnDescription> FnTestDescriptions = {
435 {{CDM::SimpleFunc, {"StreamTesterChecker_make_feof_stream"}, 1},
436 {nullptr,
437 std::bind(&StreamChecker::evalSetFeofFerror, _1, _2, _3, _4, ErrorFEof,
438 false),
439 0}},
440 {{CDM::SimpleFunc, {"StreamTesterChecker_make_ferror_stream"}, 1},
441 {nullptr,
442 std::bind(&StreamChecker::evalSetFeofFerror, _1, _2, _3, _4,
443 ErrorFError, false),
444 0}},
445 {{CDM::SimpleFunc,
446 {"StreamTesterChecker_make_ferror_indeterminate_stream"},
447 1},
448 {nullptr,
449 std::bind(&StreamChecker::evalSetFeofFerror, _1, _2, _3, _4,
450 ErrorFError, true),
451 0}},
452 };
453
454 /// Expanded value of EOF, empty before initialization.
455 mutable std::optional<int> EofVal;
456 /// Expanded value of SEEK_SET, 0 if not found.
457 mutable int SeekSetVal = 0;
458 /// Expanded value of SEEK_CUR, 1 if not found.
459 mutable int SeekCurVal = 1;
460 /// Expanded value of SEEK_END, 2 if not found.
461 mutable int SeekEndVal = 2;
462 /// The built-in va_list type is platform-specific
463 mutable QualType VaListType;
464
465 mutable const VarDecl *StdinDecl = nullptr;
466 mutable const VarDecl *StdoutDecl = nullptr;
467 mutable const VarDecl *StderrDecl = nullptr;
468
469 void evalFopen(const FnDescription *Desc, const CallEvent &Call,
470 CheckerContext &C) const;
471
472 void preFreopen(const FnDescription *Desc, const CallEvent &Call,
473 CheckerContext &C) const;
474 void evalFreopen(const FnDescription *Desc, const CallEvent &Call,
475 CheckerContext &C) const;
476
477 void evalFclose(const FnDescription *Desc, const CallEvent &Call,
478 CheckerContext &C) const;
479
480 void preRead(const FnDescription *Desc, const CallEvent &Call,
481 CheckerContext &C) const;
482
483 void preWrite(const FnDescription *Desc, const CallEvent &Call,
484 CheckerContext &C) const;
485
486 void evalFreadFwrite(const FnDescription *Desc, const CallEvent &Call,
487 CheckerContext &C, bool IsFread) const;
488
489 void evalFgetx(const FnDescription *Desc, const CallEvent &Call,
490 CheckerContext &C, bool SingleChar) const;
491
492 void evalFputx(const FnDescription *Desc, const CallEvent &Call,
493 CheckerContext &C, bool IsSingleChar) const;
494
495 void evalFprintf(const FnDescription *Desc, const CallEvent &Call,
496 CheckerContext &C) const;
497
498 void evalFscanf(const FnDescription *Desc, const CallEvent &Call,
499 CheckerContext &C) const;
500
501 void evalUngetc(const FnDescription *Desc, const CallEvent &Call,
502 CheckerContext &C) const;
503
504 void evalGetdelim(const FnDescription *Desc, const CallEvent &Call,
505 CheckerContext &C) const;
506
507 void preFseek(const FnDescription *Desc, const CallEvent &Call,
508 CheckerContext &C) const;
509 void evalFseek(const FnDescription *Desc, const CallEvent &Call,
510 CheckerContext &C) const;
511
512 void evalFgetpos(const FnDescription *Desc, const CallEvent &Call,
513 CheckerContext &C) const;
514
515 void evalFsetpos(const FnDescription *Desc, const CallEvent &Call,
516 CheckerContext &C) const;
517
518 void evalFtell(const FnDescription *Desc, const CallEvent &Call,
519 CheckerContext &C) const;
520
521 void evalRewind(const FnDescription *Desc, const CallEvent &Call,
522 CheckerContext &C) const;
523
524 void preDefault(const FnDescription *Desc, const CallEvent &Call,
525 CheckerContext &C) const;
526
527 void evalClearerr(const FnDescription *Desc, const CallEvent &Call,
528 CheckerContext &C) const;
529
530 void evalFeofFerror(const FnDescription *Desc, const CallEvent &Call,
531 CheckerContext &C,
532 const StreamErrorState &ErrorKind) const;
533
534 void evalSetFeofFerror(const FnDescription *Desc, const CallEvent &Call,
535 CheckerContext &C, const StreamErrorState &ErrorKind,
536 bool Indeterminate) const;
537
538 void preFflush(const FnDescription *Desc, const CallEvent &Call,
539 CheckerContext &C) const;
540
541 void evalFflush(const FnDescription *Desc, const CallEvent &Call,
542 CheckerContext &C) const;
543
544 void evalFileno(const FnDescription *Desc, const CallEvent &Call,
545 CheckerContext &C) const;
546
547 /// Check that the stream (in StreamVal) is not NULL.
548 /// If it can only be NULL a fatal error is emitted and nullptr returned.
549 /// Otherwise the return value is a new state where the stream is constrained
550 /// to be non-null.
551 ProgramStateRef ensureStreamNonNull(SVal StreamVal, const Expr *StreamE,
552 CheckerContext &C,
553 ProgramStateRef State) const;
554
555 /// Check that the stream is the opened state.
556 /// If the stream is known to be not opened an error is generated
557 /// and nullptr returned, otherwise the original state is returned.
558 ProgramStateRef ensureStreamOpened(SVal StreamVal, CheckerContext &C,
559 ProgramStateRef State) const;
560
561 /// Check that the stream has not an invalid ("indeterminate") file position,
562 /// generate warning for it.
563 /// (EOF is not an invalid position.)
564 /// The returned state can be nullptr if a fatal error was generated.
565 /// It can return non-null state if the stream has not an invalid position or
566 /// there is execution path with non-invalid position.
567 ProgramStateRef
568 ensureNoFilePositionIndeterminate(SVal StreamVal, CheckerContext &C,
569 ProgramStateRef State) const;
570
571 /// Check the legality of the 'whence' argument of 'fseek'.
572 /// Generate error and return nullptr if it is found to be illegal.
573 /// Otherwise returns the state.
574 /// (State is not changed here because the "whence" value is already known.)
575 ProgramStateRef ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C,
576 ProgramStateRef State) const;
577
578 /// Generate warning about stream in EOF state.
579 /// There will be always a state transition into the passed State,
580 /// by the new non-fatal error node or (if failed) a normal transition,
581 /// to ensure uniform handling.
582 void reportFEofWarning(SymbolRef StreamSym, CheckerContext &C,
583 ProgramStateRef State) const;
584
585 /// Emit resource leak warnings for the given symbols.
586 /// Createn a non-fatal error node for these, and returns it (if any warnings
587 /// were generated). Return value is non-null.
588 ExplodedNode *reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms,
589 CheckerContext &C, ExplodedNode *Pred) const;
590
591 /// Find the description data of the function called by a call event.
592 /// Returns nullptr if no function is recognized.
593 const FnDescription *lookupFn(const CallEvent &Call) const {
594 // Recognize "global C functions" with only integral or pointer arguments
595 // (and matching name) as stream functions.
596 for (auto *P : Call.parameters()) {
597 QualType T = P->getType();
598 if (!T->isIntegralOrEnumerationType() && !T->isPointerType() &&
599 T.getCanonicalType() != VaListType)
600 return nullptr;
601 }
602
603 return FnDescriptions.lookup(Call);
604 }
605
606 /// Generate a message for BugReporterVisitor if the stored symbol is
607 /// marked as interesting by the actual bug report.
608 const NoteTag *constructLeakNoteTag(CheckerContext &C, SymbolRef StreamSym,
609 const std::string &Message) const {
610 return C.getNoteTag([this, StreamSym,
611 Message](PathSensitiveBugReport &BR) -> std::string {
612 if (BR.isInteresting(StreamSym) && &BR.getBugType() == &BT_ResourceLeak)
613 return Message;
614 return "";
615 });
616 }
617
618 void initMacroValues(const Preprocessor &PP) const {
619 if (EofVal)
620 return;
621
622 if (const std::optional<int> OptInt = tryExpandAsInteger("EOF", PP))
623 EofVal = *OptInt;
624 else
625 EofVal = -1;
626 if (const std::optional<int> OptInt = tryExpandAsInteger("SEEK_SET", PP))
627 SeekSetVal = *OptInt;
628 if (const std::optional<int> OptInt = tryExpandAsInteger("SEEK_END", PP))
629 SeekEndVal = *OptInt;
630 if (const std::optional<int> OptInt = tryExpandAsInteger("SEEK_CUR", PP))
631 SeekCurVal = *OptInt;
632 }
633
634 /// Searches for the ExplodedNode where the file descriptor was acquired for
635 /// StreamSym.
636 static const ExplodedNode *getAcquisitionSite(const ExplodedNode *N,
637 SymbolRef StreamSym,
638 CheckerContext &C);
639};
640
641struct StreamOperationEvaluator {
642 SValBuilder &SVB;
643 const ASTContext &ACtx;
644
645 SymbolRef StreamSym = nullptr;
646 const StreamState *SS = nullptr;
647 const CallExpr *CE = nullptr;
648 StreamErrorState NewES;
649
650 StreamOperationEvaluator(CheckerContext &C)
651 : SVB(C.getSValBuilder()), ACtx(C.getASTContext()) {
652 ;
653 }
654
655 bool Init(const FnDescription *Desc, const CallEvent &Call, CheckerContext &C,
656 ProgramStateRef State) {
657 StreamSym = getStreamArg(Desc, Call).getAsSymbol();
658 if (!StreamSym)
659 return false;
660 SS = State->get<StreamMap>(StreamSym);
661 if (!SS)
662 return false;
663 NewES = SS->ErrorState;
664 CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
665 if (!CE)
666 return false;
667
668 assertStreamStateOpened(SS);
669
670 return true;
671 }
672
673 bool isStreamEof() const { return SS->ErrorState == ErrorFEof; }
674
675 NonLoc getZeroVal(const CallEvent &Call) {
676 return *SVB.makeZeroVal(Call.getResultType()).getAs<NonLoc>();
677 }
678
679 ProgramStateRef setStreamState(ProgramStateRef State,
680 const StreamState &NewSS) {
681 NewES = NewSS.ErrorState;
682 return State->set<StreamMap>(StreamSym, NewSS);
683 }
684
685 ProgramStateRef makeAndBindRetVal(ProgramStateRef State, CheckerContext &C) {
686 NonLoc RetVal = makeRetVal(C, CE).castAs<NonLoc>();
687 return State->BindExpr(CE, C.getLocationContext(), RetVal);
688 }
689
690 ProgramStateRef bindReturnValue(ProgramStateRef State, CheckerContext &C,
691 uint64_t Val) {
692 return State->BindExpr(CE, C.getLocationContext(),
693 SVB.makeIntVal(Val, CE->getCallReturnType(ACtx)));
694 }
695
696 ProgramStateRef bindReturnValue(ProgramStateRef State, CheckerContext &C,
697 SVal Val) {
698 return State->BindExpr(CE, C.getLocationContext(), Val);
699 }
700
701 ProgramStateRef bindNullReturnValue(ProgramStateRef State,
702 CheckerContext &C) {
703 return State->BindExpr(CE, C.getLocationContext(),
704 C.getSValBuilder().makeNullWithType(CE->getType()));
705 }
706
707 ProgramStateRef assumeBinOpNN(ProgramStateRef State,
708 BinaryOperator::Opcode Op, NonLoc LHS,
709 NonLoc RHS) {
710 auto Cond = SVB.evalBinOpNN(State, Op, LHS, RHS, SVB.getConditionType())
711 .getAs<DefinedOrUnknownSVal>();
712 if (!Cond)
713 return nullptr;
714 return State->assume(*Cond, true);
715 }
716
717 ConstraintManager::ProgramStatePair
718 makeRetValAndAssumeDual(ProgramStateRef State, CheckerContext &C) {
719 DefinedSVal RetVal = makeRetVal(C, CE);
720 State = State->BindExpr(CE, C.getLocationContext(), RetVal);
721 return C.getConstraintManager().assumeDual(State, RetVal);
722 }
723
724 const NoteTag *getFailureNoteTag(const StreamChecker *Ch, CheckerContext &C) {
725 bool SetFeof = NewES.FEof && !SS->ErrorState.FEof;
726 bool SetFerror = NewES.FError && !SS->ErrorState.FError;
727 if (SetFeof && !SetFerror)
728 return Ch->constructSetEofNoteTag(C, StreamSym);
729 if (!SetFeof && SetFerror)
730 return Ch->constructSetErrorNoteTag(C, StreamSym);
731 if (SetFeof && SetFerror)
732 return Ch->constructSetEofOrErrorNoteTag(C, StreamSym);
733 return nullptr;
734 }
735};
736
737} // end anonymous namespace
738
739//===----------------------------------------------------------------------===//
740// Definition of NoStreamStateChangeVisitor.
741//===----------------------------------------------------------------------===//
742
743namespace {
744class NoStreamStateChangeVisitor final : public NoOwnershipChangeVisitor {
745protected:
746 /// Syntactically checks whether the callee is a closing function. Since
747 /// we have no path-sensitive information on this call (we would need a
748 /// CallEvent instead of a CallExpr for that), its possible that a
749 /// closing function was called indirectly through a function pointer,
750 /// but we are not able to tell, so this is a best effort analysis.
751 bool isClosingCallAsWritten(const CallExpr &Call) const {
752 const auto *StreamChk = static_cast<const StreamChecker *>(&Checker);
753 return StreamChk->FCloseDesc.matchesAsWritten(Call);
754 }
755
756 bool doesFnIntendToHandleOwnership(const Decl *Callee,
757 ASTContext &ACtx) final {
758 const FunctionDecl *FD = dyn_cast<FunctionDecl>(Callee);
759
760 // Given that the stack frame was entered, the body should always be
761 // theoretically obtainable. In case of body farms, the synthesized body
762 // is not attached to declaration, thus triggering the '!FD->hasBody()'
763 // branch. That said, would a synthesized body ever intend to handle
764 // ownership? As of today they don't. And if they did, how would we
765 // put notes inside it, given that it doesn't match any source locations?
766 if (!FD || !FD->hasBody())
767 return false;
768 using namespace clang::ast_matchers;
769
770 auto Matches =
771 match(findAll(callExpr().bind("call")), *FD->getBody(), ACtx);
772 for (BoundNodes Match : Matches) {
773 if (const auto *Call = Match.getNodeAs<CallExpr>("call"))
774 if (isClosingCallAsWritten(*Call))
775 return true;
776 }
777 // TODO: Ownership might change with an attempt to store stream object, not
778 // only through closing it. Check for attempted stores as well.
779 return false;
780 }
781
782 bool hasResourceStateChanged(ProgramStateRef CallEnterState,
783 ProgramStateRef CallExitEndState) final {
784 return CallEnterState->get<StreamMap>(Sym) !=
785 CallExitEndState->get<StreamMap>(Sym);
786 }
787
788 PathDiagnosticPieceRef emitNote(const ExplodedNode *N) override {
789 PathDiagnosticLocation L = PathDiagnosticLocation::create(
790 N->getLocation(),
791 N->getState()->getStateManager().getContext().getSourceManager());
792 return std::make_shared<PathDiagnosticEventPiece>(
793 L, "Returning without closing stream object or storing it for later "
794 "release");
795 }
796
797public:
798 NoStreamStateChangeVisitor(SymbolRef Sym, const StreamChecker *Checker)
799 : NoOwnershipChangeVisitor(Sym, Checker) {}
800};
801
802} // end anonymous namespace
803
804const ExplodedNode *StreamChecker::getAcquisitionSite(const ExplodedNode *N,
805 SymbolRef StreamSym,
806 CheckerContext &C) {
807 ProgramStateRef State = N->getState();
808 // When bug type is resource leak, exploded node N may not have state info
809 // for leaked file descriptor, but predecessor should have it.
810 if (!State->get<StreamMap>(StreamSym))
811 N = N->getFirstPred();
812
813 const ExplodedNode *Pred = N;
814 while (N) {
815 State = N->getState();
816 if (!State->get<StreamMap>(StreamSym))
817 return Pred;
818 Pred = N;
819 N = N->getFirstPred();
820 }
821
822 return nullptr;
823}
824
825static std::optional<int64_t> getKnownValue(ProgramStateRef State, SVal V) {
826 SValBuilder &SVB = State->getStateManager().getSValBuilder();
827 if (const llvm::APSInt *Int = SVB.getKnownValue(State, V))
828 return Int->tryExtValue();
829 return std::nullopt;
830}
831
832/// Invalidate only the requested elements instead of the whole buffer.
833/// This is basically a refinement of the more generic 'escapeArgs' or
834/// the plain old 'invalidateRegions'.
835static ProgramStateRef
836escapeByStartIndexAndCount(ProgramStateRef State, const CallEvent &Call,
837 unsigned BlockCount, const SubRegion *Buffer,
838 QualType ElemType, int64_t StartIndex,
839 int64_t ElementCount) {
840 constexpr auto DoNotInvalidateSuperRegion =
841 RegionAndSymbolInvalidationTraits::InvalidationKinds::
842 TK_DoNotInvalidateSuperRegion;
843
844 const LocationContext *LCtx = Call.getLocationContext();
845 const ASTContext &Ctx = State->getStateManager().getContext();
846 SValBuilder &SVB = State->getStateManager().getSValBuilder();
847 auto &RegionManager = Buffer->getMemRegionManager();
848
849 SmallVector<SVal> EscapingVals;
850 EscapingVals.reserve(ElementCount);
851
852 RegionAndSymbolInvalidationTraits ITraits;
853 for (auto Idx : llvm::seq(StartIndex, StartIndex + ElementCount)) {
854 NonLoc Index = SVB.makeArrayIndex(Idx);
855 const auto *Element =
856 RegionManager.getElementRegion(ElemType, Index, Buffer, Ctx);
857 EscapingVals.push_back(loc::MemRegionVal(Element));
858 ITraits.setTrait(Element, DoNotInvalidateSuperRegion);
859 }
860 return State->invalidateRegions(
861 EscapingVals, Call.getOriginExpr(), BlockCount, LCtx,
862 /*CausesPointerEscape=*/false,
863 /*InvalidatedSymbols=*/nullptr, &Call, &ITraits);
864}
865
866static ProgramStateRef escapeArgs(ProgramStateRef State, CheckerContext &C,
867 const CallEvent &Call,
868 ArrayRef<unsigned int> EscapingArgs) {
869 auto GetArgSVal = [&Call](int Idx) { return Call.getArgSVal(Idx); };
870 auto EscapingVals = to_vector(map_range(EscapingArgs, GetArgSVal));
871 State = State->invalidateRegions(EscapingVals, Call.getOriginExpr(),
872 C.blockCount(), C.getLocationContext(),
873 /*CausesPointerEscape=*/false,
874 /*InvalidatedSymbols=*/nullptr);
875 return State;
876}
877
878//===----------------------------------------------------------------------===//
879// Methods of StreamChecker.
880//===----------------------------------------------------------------------===//
881
882void StreamChecker::checkPreCall(const CallEvent &Call,
883 CheckerContext &C) const {
884 const FnDescription *Desc = lookupFn(Call);
885 if (!Desc || !Desc->PreFn)
886 return;
887
888 Desc->PreFn(this, Desc, Call, C);
889}
890
891bool StreamChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
892 const FnDescription *Desc = lookupFn(Call);
893 if (!Desc && TestMode)
894 Desc = FnTestDescriptions.lookup(Call);
895 if (!Desc || !Desc->EvalFn)
896 return false;
897
898 Desc->EvalFn(this, Desc, Call, C);
899
900 return C.isDifferent();
901}
902
903ProgramStateRef StreamChecker::assumeNoAliasingWithStdStreams(
904 ProgramStateRef State, DefinedSVal RetVal, CheckerContext &C) const {
905 auto assumeRetNE = [&C, RetVal](ProgramStateRef State,
906 const VarDecl *Var) -> ProgramStateRef {
907 if (!Var)
908 return State;
909 const auto *LCtx = C.getLocationContext();
910 auto &StoreMgr = C.getStoreManager();
911 auto &SVB = C.getSValBuilder();
912 SVal VarValue = State->getSVal(StoreMgr.getLValueVar(Var, LCtx));
913 auto NoAliasState =
914 SVB.evalBinOp(State, BO_NE, RetVal, VarValue, SVB.getConditionType())
915 .castAs<DefinedOrUnknownSVal>();
916 return State->assume(NoAliasState, true);
917 };
918
919 assert(State);
920 State = assumeRetNE(State, StdinDecl);
921 State = assumeRetNE(State, StdoutDecl);
922 State = assumeRetNE(State, StderrDecl);
923 assert(State);
924 return State;
925}
926
927void StreamChecker::evalFopen(const FnDescription *Desc, const CallEvent &Call,
928 CheckerContext &C) const {
929 ProgramStateRef State = C.getState();
930 const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
931 if (!CE)
932 return;
933
934 DefinedSVal RetVal = makeRetVal(C, CE);
935 SymbolRef RetSym = RetVal.getAsSymbol();
936 assert(RetSym && "RetVal must be a symbol here.");
937
938 State = State->BindExpr(CE, C.getLocationContext(), RetVal);
939
940 // Bifurcate the state into two: one with a valid FILE* pointer, the other
941 // with a NULL.
942 ProgramStateRef StateNotNull, StateNull;
943 std::tie(StateNotNull, StateNull) =
944 C.getConstraintManager().assumeDual(State, RetVal);
945
946 StateNotNull =
947 StateNotNull->set<StreamMap>(RetSym, StreamState::getOpened(Desc));
948 StateNull =
949 StateNull->set<StreamMap>(RetSym, StreamState::getOpenFailed(Desc));
950
951 StateNotNull = assumeNoAliasingWithStdStreams(StateNotNull, RetVal, C);
952
953 C.addTransition(StateNotNull,
954 constructLeakNoteTag(C, RetSym, "Stream opened here"));
955 C.addTransition(StateNull);
956}
957
958void StreamChecker::preFreopen(const FnDescription *Desc, const CallEvent &Call,
959 CheckerContext &C) const {
960 // Do not allow NULL as passed stream pointer but allow a closed stream.
961 ProgramStateRef State = C.getState();
962 State = ensureStreamNonNull(getStreamArg(Desc, Call),
963 Call.getArgExpr(Desc->StreamArgNo), C, State);
964 if (!State)
965 return;
966
967 C.addTransition(State);
968}
969
970void StreamChecker::evalFreopen(const FnDescription *Desc,
971 const CallEvent &Call,
972 CheckerContext &C) const {
973 ProgramStateRef State = C.getState();
974
975 auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
976 if (!CE)
977 return;
978
979 std::optional<DefinedSVal> StreamVal =
980 getStreamArg(Desc, Call).getAs<DefinedSVal>();
981 if (!StreamVal)
982 return;
983
984 SymbolRef StreamSym = StreamVal->getAsSymbol();
985 // Do not care about concrete values for stream ("(FILE *)0x12345"?).
986 // FIXME: Can be stdin, stdout, stderr such values?
987 if (!StreamSym)
988 return;
989
990 // Do not handle untracked stream. It is probably escaped.
991 if (!State->get<StreamMap>(StreamSym))
992 return;
993
994 // Generate state for non-failed case.
995 // Return value is the passed stream pointer.
996 // According to the documentations, the stream is closed first
997 // but any close error is ignored. The state changes to (or remains) opened.
998 ProgramStateRef StateRetNotNull =
999 State->BindExpr(CE, C.getLocationContext(), *StreamVal);
1000 // Generate state for NULL return value.
1001 // Stream switches to OpenFailed state.
1002 ProgramStateRef StateRetNull =
1003 State->BindExpr(CE, C.getLocationContext(),
1004 C.getSValBuilder().makeNullWithType(CE->getType()));
1005
1006 StateRetNotNull =
1007 StateRetNotNull->set<StreamMap>(StreamSym, StreamState::getOpened(Desc));
1008 StateRetNull =
1009 StateRetNull->set<StreamMap>(StreamSym, StreamState::getOpenFailed(Desc));
1010
1011 C.addTransition(StateRetNotNull,
1012 constructLeakNoteTag(C, StreamSym, "Stream reopened here"));
1013 C.addTransition(StateRetNull);
1014}
1015
1016void StreamChecker::evalFclose(const FnDescription *Desc, const CallEvent &Call,
1017 CheckerContext &C) const {
1018 ProgramStateRef State = C.getState();
1019 StreamOperationEvaluator E(C);
1020 if (!E.Init(Desc, Call, C, State))
1021 return;
1022
1023 // Close the File Descriptor.
1024 // Regardless if the close fails or not, stream becomes "closed"
1025 // and can not be used any more.
1026 State = E.setStreamState(State, StreamState::getClosed(Desc));
1027
1028 // Return 0 on success, EOF on failure.
1029 C.addTransition(E.bindReturnValue(State, C, 0));
1030 C.addTransition(E.bindReturnValue(State, C, *EofVal));
1031}
1032
1033void StreamChecker::preRead(const FnDescription *Desc, const CallEvent &Call,
1034 CheckerContext &C) const {
1035 ProgramStateRef State = C.getState();
1036 SVal StreamVal = getStreamArg(Desc, Call);
1037 State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C,
1038 State);
1039 if (!State)
1040 return;
1041 State = ensureStreamOpened(StreamVal, C, State);
1042 if (!State)
1043 return;
1044 State = ensureNoFilePositionIndeterminate(StreamVal, C, State);
1045 if (!State)
1046 return;
1047
1048 SymbolRef Sym = StreamVal.getAsSymbol();
1049 if (Sym && State->get<StreamMap>(Sym)) {
1050 const StreamState *SS = State->get<StreamMap>(Sym);
1051 if (SS->ErrorState & ErrorFEof)
1052 reportFEofWarning(Sym, C, State);
1053 } else {
1054 C.addTransition(State);
1055 }
1056}
1057
1058void StreamChecker::preWrite(const FnDescription *Desc, const CallEvent &Call,
1059 CheckerContext &C) const {
1060 ProgramStateRef State = C.getState();
1061 SVal StreamVal = getStreamArg(Desc, Call);
1062 State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C,
1063 State);
1064 if (!State)
1065 return;
1066 State = ensureStreamOpened(StreamVal, C, State);
1067 if (!State)
1068 return;
1069 State = ensureNoFilePositionIndeterminate(StreamVal, C, State);
1070 if (!State)
1071 return;
1072
1073 C.addTransition(State);
1074}
1075
1076static QualType getPointeeType(const MemRegion *R) {
1077 if (!R)
1078 return {};
1079 if (const auto *ER = dyn_cast<ElementRegion>(R))
1080 return ER->getElementType();
1081 if (const auto *TR = dyn_cast<TypedValueRegion>(R))
1082 return TR->getValueType();
1083 if (const auto *SR = dyn_cast<SymbolicRegion>(R))
1084 return SR->getPointeeStaticType();
1085 return {};
1086}
1087
1088static std::optional<NonLoc> getStartIndex(SValBuilder &SVB,
1089 const MemRegion *R) {
1090 if (!R)
1091 return std::nullopt;
1092
1093 auto Zero = [&SVB] {
1094 BasicValueFactory &BVF = SVB.getBasicValueFactory();
1095 return nonloc::ConcreteInt(BVF.getIntValue(0, /*isUnsigned=*/false));
1096 };
1097
1098 if (const auto *ER = dyn_cast<ElementRegion>(R))
1099 return ER->getIndex();
1100 if (isa<TypedValueRegion>(R))
1101 return Zero();
1102 if (isa<SymbolicRegion>(R))
1103 return Zero();
1104 return std::nullopt;
1105}
1106
1107static ProgramStateRef
1108tryToInvalidateFReadBufferByElements(ProgramStateRef State, CheckerContext &C,
1109 const CallEvent &Call, NonLoc SizeVal,
1110 NonLoc NMembVal) {
1111 // Try to invalidate the individual elements.
1112 const auto *Buffer =
1113 dyn_cast_or_null<SubRegion>(Call.getArgSVal(0).getAsRegion());
1114
1115 const ASTContext &Ctx = C.getASTContext();
1116 QualType ElemTy = getPointeeType(Buffer);
1117 std::optional<SVal> StartElementIndex =
1118 getStartIndex(C.getSValBuilder(), Buffer);
1119
1120 // Drop the outermost ElementRegion to get the buffer.
1121 if (const auto *ER = dyn_cast_or_null<ElementRegion>(Buffer))
1122 Buffer = dyn_cast<SubRegion>(ER->getSuperRegion());
1123
1124 std::optional<int64_t> CountVal = getKnownValue(State, NMembVal);
1125 std::optional<int64_t> Size = getKnownValue(State, SizeVal);
1126 std::optional<int64_t> StartIndexVal =
1127 getKnownValue(State, StartElementIndex.value_or(UnknownVal()));
1128
1129 if (!ElemTy.isNull() && CountVal && Size && StartIndexVal) {
1130 int64_t NumBytesRead = Size.value() * CountVal.value();
1131 int64_t ElemSizeInChars = Ctx.getTypeSizeInChars(ElemTy).getQuantity();
1132 if (ElemSizeInChars == 0 || NumBytesRead < 0)
1133 return nullptr;
1134
1135 bool IncompleteLastElement = (NumBytesRead % ElemSizeInChars) != 0;
1136 int64_t NumCompleteOrIncompleteElementsRead =
1137 NumBytesRead / ElemSizeInChars + IncompleteLastElement;
1138
1139 constexpr int MaxInvalidatedElementsLimit = 64;
1140 if (NumCompleteOrIncompleteElementsRead <= MaxInvalidatedElementsLimit) {
1141 return escapeByStartIndexAndCount(State, Call, C.blockCount(), Buffer,
1142 ElemTy, *StartIndexVal,
1143 NumCompleteOrIncompleteElementsRead);
1144 }
1145 }
1146 return nullptr;
1147}
1148
1149void StreamChecker::evalFreadFwrite(const FnDescription *Desc,
1150 const CallEvent &Call, CheckerContext &C,
1151 bool IsFread) const {
1152 ProgramStateRef State = C.getState();
1153 StreamOperationEvaluator E(C);
1154 if (!E.Init(Desc, Call, C, State))
1155 return;
1156
1157 std::optional<NonLoc> SizeVal = Call.getArgSVal(1).getAs<NonLoc>();
1158 if (!SizeVal)
1159 return;
1160 std::optional<NonLoc> NMembVal = Call.getArgSVal(2).getAs<NonLoc>();
1161 if (!NMembVal)
1162 return;
1163
1164 // C'99 standard, §7.19.8.1.3, the return value of fread:
1165 // The fread function returns the number of elements successfully read, which
1166 // may be less than nmemb if a read error or end-of-file is encountered. If
1167 // size or nmemb is zero, fread returns zero and the contents of the array and
1168 // the state of the stream remain unchanged.
1169 if (State->isNull(*SizeVal).isConstrainedTrue() ||
1170 State->isNull(*NMembVal).isConstrainedTrue()) {
1171 // This is the "size or nmemb is zero" case.
1172 // Just return 0, do nothing more (not clear the error flags).
1173 C.addTransition(E.bindReturnValue(State, C, 0));
1174 return;
1175 }
1176
1177 // At read, invalidate the buffer in any case of error or success,
1178 // except if EOF was already present.
1179 if (IsFread && !E.isStreamEof()) {
1180 // Try to invalidate the individual elements.
1181 // Otherwise just fall back to invalidating the whole buffer.
1182 ProgramStateRef InvalidatedState = tryToInvalidateFReadBufferByElements(
1183 State, C, Call, *SizeVal, *NMembVal);
1184 State =
1185 InvalidatedState ? InvalidatedState : escapeArgs(State, C, Call, {0});
1186 }
1187
1188 // Generate a transition for the success state.
1189 // If we know the state to be FEOF at fread, do not add a success state.
1190 if (!IsFread || !E.isStreamEof()) {
1191 ProgramStateRef StateNotFailed =
1192 State->BindExpr(E.CE, C.getLocationContext(), *NMembVal);
1193 StateNotFailed =
1194 E.setStreamState(StateNotFailed, StreamState::getOpened(Desc));
1195 C.addTransition(StateNotFailed);
1196 }
1197
1198 // Add transition for the failed state.
1199 // At write, add failure case only if "pedantic mode" is on.
1200 if (!IsFread && !PedanticMode)
1201 return;
1202
1203 NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
1204 ProgramStateRef StateFailed =
1205 State->BindExpr(E.CE, C.getLocationContext(), RetVal);
1206 StateFailed = E.assumeBinOpNN(StateFailed, BO_LT, RetVal, *NMembVal);
1207 if (!StateFailed)
1208 return;
1209
1210 StreamErrorState NewES;
1211 if (IsFread)
1212 NewES = E.isStreamEof() ? ErrorFEof : ErrorFEof | ErrorFError;
1213 else
1214 NewES = ErrorFError;
1215 // If a (non-EOF) error occurs, the resulting value of the file position
1216 // indicator for the stream is indeterminate.
1217 StateFailed = E.setStreamState(
1218 StateFailed, StreamState::getOpened(Desc, NewES, !NewES.isFEof()));
1219 C.addTransition(StateFailed, E.getFailureNoteTag(this, C));
1220}
1221
1222void StreamChecker::evalFgetx(const FnDescription *Desc, const CallEvent &Call,
1223 CheckerContext &C, bool SingleChar) const {
1224 // `fgetc` returns the read character on success, otherwise returns EOF.
1225 // `fgets` returns the read buffer address on success, otherwise returns NULL.
1226
1227 ProgramStateRef State = C.getState();
1228 StreamOperationEvaluator E(C);
1229 if (!E.Init(Desc, Call, C, State))
1230 return;
1231
1232 if (!E.isStreamEof()) {
1233 // If there was already EOF, assume that read buffer is not changed.
1234 // Otherwise it may change at success or failure.
1235 State = escapeArgs(State, C, Call, {0});
1236 if (SingleChar) {
1237 // Generate a transition for the success state of `fgetc`.
1238 NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
1239 ProgramStateRef StateNotFailed =
1240 State->BindExpr(E.CE, C.getLocationContext(), RetVal);
1241 // The returned 'unsigned char' of `fgetc` is converted to 'int',
1242 // so we need to check if it is in range [0, 255].
1243 StateNotFailed = StateNotFailed->assumeInclusiveRange(
1244 RetVal,
1245 E.SVB.getBasicValueFactory().getValue(0, E.ACtx.UnsignedCharTy),
1246 E.SVB.getBasicValueFactory().getMaxValue(E.ACtx.UnsignedCharTy),
1247 true);
1248 if (!StateNotFailed)
1249 return;
1250 C.addTransition(StateNotFailed);
1251 } else {
1252 // Generate a transition for the success state of `fgets`.
1253 std::optional<DefinedSVal> GetBuf =
1254 Call.getArgSVal(0).getAs<DefinedSVal>();
1255 if (!GetBuf)
1256 return;
1257 ProgramStateRef StateNotFailed =
1258 State->BindExpr(E.CE, C.getLocationContext(), *GetBuf);
1259 StateNotFailed =
1260 E.setStreamState(StateNotFailed, StreamState::getOpened(Desc));
1261 C.addTransition(StateNotFailed);
1262 }
1263 }
1264
1265 // Add transition for the failed state.
1266 ProgramStateRef StateFailed;
1267 if (SingleChar)
1268 StateFailed = E.bindReturnValue(State, C, *EofVal);
1269 else
1270 StateFailed = E.bindNullReturnValue(State, C);
1271
1272 // If a (non-EOF) error occurs, the resulting value of the file position
1273 // indicator for the stream is indeterminate.
1274 StreamErrorState NewES =
1275 E.isStreamEof() ? ErrorFEof : ErrorFEof | ErrorFError;
1276 StateFailed = E.setStreamState(
1277 StateFailed, StreamState::getOpened(Desc, NewES, !NewES.isFEof()));
1278 C.addTransition(StateFailed, E.getFailureNoteTag(this, C));
1279}
1280
1281void StreamChecker::evalFputx(const FnDescription *Desc, const CallEvent &Call,
1282 CheckerContext &C, bool IsSingleChar) const {
1283 // `fputc` returns the written character on success, otherwise returns EOF.
1284 // `fputs` returns a nonnegative value on success, otherwise returns EOF.
1285
1286 ProgramStateRef State = C.getState();
1287 StreamOperationEvaluator E(C);
1288 if (!E.Init(Desc, Call, C, State))
1289 return;
1290
1291 if (IsSingleChar) {
1292 // Generate a transition for the success state of `fputc`.
1293 std::optional<NonLoc> PutVal = Call.getArgSVal(0).getAs<NonLoc>();
1294 if (!PutVal)
1295 return;
1296 ProgramStateRef StateNotFailed =
1297 State->BindExpr(E.CE, C.getLocationContext(), *PutVal);
1298 StateNotFailed =
1299 E.setStreamState(StateNotFailed, StreamState::getOpened(Desc));
1300 C.addTransition(StateNotFailed);
1301 } else {
1302 // Generate a transition for the success state of `fputs`.
1303 NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
1304 ProgramStateRef StateNotFailed =
1305 State->BindExpr(E.CE, C.getLocationContext(), RetVal);
1306 StateNotFailed =
1307 E.assumeBinOpNN(StateNotFailed, BO_GE, RetVal, E.getZeroVal(Call));
1308 if (!StateNotFailed)
1309 return;
1310 StateNotFailed =
1311 E.setStreamState(StateNotFailed, StreamState::getOpened(Desc));
1312 C.addTransition(StateNotFailed);
1313 }
1314
1315 if (!PedanticMode)
1316 return;
1317
1318 // Add transition for the failed state. The resulting value of the file
1319 // position indicator for the stream is indeterminate.
1320 ProgramStateRef StateFailed = E.bindReturnValue(State, C, *EofVal);
1321 StateFailed = E.setStreamState(
1322 StateFailed, StreamState::getOpened(Desc, ErrorFError, true));
1323 C.addTransition(StateFailed, E.getFailureNoteTag(this, C));
1324}
1325
1326void StreamChecker::evalFprintf(const FnDescription *Desc,
1327 const CallEvent &Call,
1328 CheckerContext &C) const {
1329 if (Call.getNumArgs() < 2)
1330 return;
1331
1332 ProgramStateRef State = C.getState();
1333 StreamOperationEvaluator E(C);
1334 if (!E.Init(Desc, Call, C, State))
1335 return;
1336
1337 NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
1338 State = State->BindExpr(E.CE, C.getLocationContext(), RetVal);
1339 auto Cond =
1340 E.SVB
1341 .evalBinOp(State, BO_GE, RetVal, E.SVB.makeZeroVal(E.ACtx.IntTy),
1342 E.SVB.getConditionType())
1343 .getAs<DefinedOrUnknownSVal>();
1344 if (!Cond)
1345 return;
1346 ProgramStateRef StateNotFailed, StateFailed;
1347 std::tie(StateNotFailed, StateFailed) = State->assume(*Cond);
1348
1349 StateNotFailed =
1350 E.setStreamState(StateNotFailed, StreamState::getOpened(Desc));
1351 C.addTransition(StateNotFailed);
1352
1353 if (!PedanticMode)
1354 return;
1355
1356 // Add transition for the failed state. The resulting value of the file
1357 // position indicator for the stream is indeterminate.
1358 StateFailed = E.setStreamState(
1359 StateFailed, StreamState::getOpened(Desc, ErrorFError, true));
1360 C.addTransition(StateFailed, E.getFailureNoteTag(this, C));
1361}
1362
1363void StreamChecker::evalFscanf(const FnDescription *Desc, const CallEvent &Call,
1364 CheckerContext &C) const {
1365 if (Call.getNumArgs() < 2)
1366 return;
1367
1368 ProgramStateRef State = C.getState();
1369 StreamOperationEvaluator E(C);
1370 if (!E.Init(Desc, Call, C, State))
1371 return;
1372
1373 // Add the success state.
1374 // In this context "success" means there is not an EOF or other read error
1375 // before any item is matched in 'fscanf'. But there may be match failure,
1376 // therefore return value can be 0 or greater.
1377 // It is not specified what happens if some items (not all) are matched and
1378 // then EOF or read error happens. Now this case is handled like a "success"
1379 // case, and no error flags are set on the stream. This is probably not
1380 // accurate, and the POSIX documentation does not tell more.
1381 if (!E.isStreamEof()) {
1382 NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
1383 ProgramStateRef StateNotFailed =
1384 State->BindExpr(E.CE, C.getLocationContext(), RetVal);
1385 StateNotFailed =
1386 E.assumeBinOpNN(StateNotFailed, BO_GE, RetVal, E.getZeroVal(Call));
1387 if (!StateNotFailed)
1388 return;
1389
1390 if (auto const *Callee = Call.getCalleeIdentifier();
1391 !Callee || Callee->getName() != "vfscanf") {
1392 SmallVector<unsigned int> EscArgs;
1393 for (auto EscArg : llvm::seq(2u, Call.getNumArgs()))
1394 EscArgs.push_back(EscArg);
1395 StateNotFailed = escapeArgs(StateNotFailed, C, Call, EscArgs);
1396 }
1397
1398 if (StateNotFailed)
1399 C.addTransition(StateNotFailed);
1400 }
1401
1402 // Add transition for the failed state.
1403 // Error occurs if nothing is matched yet and reading the input fails.
1404 // Error can be EOF, or other error. At "other error" FERROR or 'errno' can
1405 // be set but it is not further specified if all are required to be set.
1406 // Documentation does not mention, but file position will be set to
1407 // indeterminate similarly as at 'fread'.
1408 ProgramStateRef StateFailed = E.bindReturnValue(State, C, *EofVal);
1409 StreamErrorState NewES =
1410 E.isStreamEof() ? ErrorFEof : ErrorNone | ErrorFEof | ErrorFError;
1411 StateFailed = E.setStreamState(
1412 StateFailed, StreamState::getOpened(Desc, NewES, !NewES.isFEof()));
1413 C.addTransition(StateFailed, E.getFailureNoteTag(this, C));
1414}
1415
1416void StreamChecker::evalUngetc(const FnDescription *Desc, const CallEvent &Call,
1417 CheckerContext &C) const {
1418 ProgramStateRef State = C.getState();
1419 StreamOperationEvaluator E(C);
1420 if (!E.Init(Desc, Call, C, State))
1421 return;
1422
1423 // Generate a transition for the success state.
1424 std::optional<NonLoc> PutVal = Call.getArgSVal(0).getAs<NonLoc>();
1425 if (!PutVal)
1426 return;
1427 ProgramStateRef StateNotFailed = E.bindReturnValue(State, C, *PutVal);
1428 StateNotFailed =
1429 E.setStreamState(StateNotFailed, StreamState::getOpened(Desc));
1430 C.addTransition(StateNotFailed);
1431
1432 // Add transition for the failed state.
1433 // Failure of 'ungetc' does not result in feof or ferror state.
1434 // If the PutVal has value of EofVal the function should "fail", but this is
1435 // the same transition as the success state.
1436 // In this case only one state transition is added by the analyzer (the two
1437 // new states may be similar).
1438 ProgramStateRef StateFailed = E.bindReturnValue(State, C, *EofVal);
1439 StateFailed = E.setStreamState(StateFailed, StreamState::getOpened(Desc));
1440 C.addTransition(StateFailed);
1441}
1442
1443void StreamChecker::evalGetdelim(const FnDescription *Desc,
1444 const CallEvent &Call,
1445 CheckerContext &C) const {
1446 ProgramStateRef State = C.getState();
1447 StreamOperationEvaluator E(C);
1448 if (!E.Init(Desc, Call, C, State))
1449 return;
1450
1451 // Upon successful completion, the getline() and getdelim() functions shall
1452 // return the number of bytes written into the buffer.
1453 // If the end-of-file indicator for the stream is set, the function shall
1454 // return -1.
1455 // If an error occurs, the function shall return -1 and set 'errno'.
1456
1457 if (!E.isStreamEof()) {
1458 // Escape buffer and size (may change by the call).
1459 // May happen even at error (partial read?).
1460 State = escapeArgs(State, C, Call, {0, 1});
1461
1462 // Add transition for the successful state.
1463 NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
1464 ProgramStateRef StateNotFailed = E.bindReturnValue(State, C, RetVal);
1465 StateNotFailed =
1466 E.assumeBinOpNN(StateNotFailed, BO_GE, RetVal, E.getZeroVal(Call));
1467
1468 // On success, a buffer is allocated.
1469 auto NewLinePtr = getPointeeVal(Call.getArgSVal(0), State);
1470 if (NewLinePtr && isa<DefinedOrUnknownSVal>(*NewLinePtr))
1471 StateNotFailed = StateNotFailed->assume(
1472 NewLinePtr->castAs<DefinedOrUnknownSVal>(), true);
1473
1474 // The buffer size `*n` must be enough to hold the whole line, and
1475 // greater than the return value, since it has to account for '\0'.
1476 SVal SizePtrSval = Call.getArgSVal(1);
1477 auto NVal = getPointeeVal(SizePtrSval, State);
1478 if (NVal && isa<NonLoc>(*NVal)) {
1479 StateNotFailed = E.assumeBinOpNN(StateNotFailed, BO_GT,
1480 NVal->castAs<NonLoc>(), RetVal);
1481 StateNotFailed = E.bindReturnValue(StateNotFailed, C, RetVal);
1482 }
1483 if (!StateNotFailed)
1484 return;
1485 C.addTransition(StateNotFailed);
1486 }
1487
1488 // Add transition for the failed state.
1489 // If a (non-EOF) error occurs, the resulting value of the file position
1490 // indicator for the stream is indeterminate.
1491 ProgramStateRef StateFailed = E.bindReturnValue(State, C, -1);
1492 StreamErrorState NewES =
1493 E.isStreamEof() ? ErrorFEof : ErrorFEof | ErrorFError;
1494 StateFailed = E.setStreamState(
1495 StateFailed, StreamState::getOpened(Desc, NewES, !NewES.isFEof()));
1496 // On failure, the content of the buffer is undefined.
1497 if (auto NewLinePtr = getPointeeVal(Call.getArgSVal(0), State))
1498 StateFailed = StateFailed->bindLoc(*NewLinePtr, UndefinedVal(),
1499 C.getLocationContext());
1500 C.addTransition(StateFailed, E.getFailureNoteTag(this, C));
1501}
1502
1503void StreamChecker::preFseek(const FnDescription *Desc, const CallEvent &Call,
1504 CheckerContext &C) const {
1505 ProgramStateRef State = C.getState();
1506 SVal StreamVal = getStreamArg(Desc, Call);
1507 State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C,
1508 State);
1509 if (!State)
1510 return;
1511 State = ensureStreamOpened(StreamVal, C, State);
1512 if (!State)
1513 return;
1514 State = ensureFseekWhenceCorrect(Call.getArgSVal(2), C, State);
1515 if (!State)
1516 return;
1517
1518 C.addTransition(State);
1519}
1520
1521void StreamChecker::evalFseek(const FnDescription *Desc, const CallEvent &Call,
1522 CheckerContext &C) const {
1523 ProgramStateRef State = C.getState();
1524 StreamOperationEvaluator E(C);
1525 if (!E.Init(Desc, Call, C, State))
1526 return;
1527
1528 // Add success state.
1529 ProgramStateRef StateNotFailed = E.bindReturnValue(State, C, 0);
1530 // No failure: Reset the state to opened with no error.
1531 StateNotFailed =
1532 E.setStreamState(StateNotFailed, StreamState::getOpened(Desc));
1533 C.addTransition(StateNotFailed);
1534
1535 if (!PedanticMode)
1536 return;
1537
1538 // Add failure state.
1539 // At error it is possible that fseek fails but sets none of the error flags.
1540 // If fseek failed, assume that the file position becomes indeterminate in any
1541 // case.
1542 // It is allowed to set the position beyond the end of the file. EOF error
1543 // should not occur.
1544 ProgramStateRef StateFailed = E.bindReturnValue(State, C, -1);
1545 StateFailed = E.setStreamState(
1546 StateFailed, StreamState::getOpened(Desc, ErrorNone | ErrorFError, true));
1547 C.addTransition(StateFailed, E.getFailureNoteTag(this, C));
1548}
1549
1550void StreamChecker::evalFgetpos(const FnDescription *Desc,
1551 const CallEvent &Call,
1552 CheckerContext &C) const {
1553 ProgramStateRef State = C.getState();
1554 StreamOperationEvaluator E(C);
1555 if (!E.Init(Desc, Call, C, State))
1556 return;
1557
1558 ProgramStateRef StateNotFailed, StateFailed;
1559 std::tie(StateFailed, StateNotFailed) = E.makeRetValAndAssumeDual(State, C);
1560 StateNotFailed = escapeArgs(StateNotFailed, C, Call, {1});
1561
1562 // This function does not affect the stream state.
1563 // Still we add success and failure state with the appropriate return value.
1564 // StdLibraryFunctionsChecker can change these states (set the 'errno' state).
1565 C.addTransition(StateNotFailed);
1566 C.addTransition(StateFailed);
1567}
1568
1569void StreamChecker::evalFsetpos(const FnDescription *Desc,
1570 const CallEvent &Call,
1571 CheckerContext &C) const {
1572 ProgramStateRef State = C.getState();
1573 StreamOperationEvaluator E(C);
1574 if (!E.Init(Desc, Call, C, State))
1575 return;
1576
1577 ProgramStateRef StateNotFailed, StateFailed;
1578 std::tie(StateFailed, StateNotFailed) = E.makeRetValAndAssumeDual(State, C);
1579
1580 StateNotFailed = E.setStreamState(
1581 StateNotFailed, StreamState::getOpened(Desc, ErrorNone, false));
1582 C.addTransition(StateNotFailed);
1583
1584 if (!PedanticMode)
1585 return;
1586
1587 // At failure ferror could be set.
1588 // The standards do not tell what happens with the file position at failure.
1589 // But we can assume that it is dangerous to make a next I/O operation after
1590 // the position was not set correctly (similar to 'fseek').
1591 StateFailed = E.setStreamState(
1592 StateFailed, StreamState::getOpened(Desc, ErrorNone | ErrorFError, true));
1593
1594 C.addTransition(StateFailed, E.getFailureNoteTag(this, C));
1595}
1596
1597void StreamChecker::evalFtell(const FnDescription *Desc, const CallEvent &Call,
1598 CheckerContext &C) const {
1599 ProgramStateRef State = C.getState();
1600 StreamOperationEvaluator E(C);
1601 if (!E.Init(Desc, Call, C, State))
1602 return;
1603
1604 NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
1605 ProgramStateRef StateNotFailed =
1606 State->BindExpr(E.CE, C.getLocationContext(), RetVal);
1607 StateNotFailed =
1608 E.assumeBinOpNN(StateNotFailed, BO_GE, RetVal, E.getZeroVal(Call));
1609 if (!StateNotFailed)
1610 return;
1611
1612 ProgramStateRef StateFailed = E.bindReturnValue(State, C, -1);
1613
1614 // This function does not affect the stream state.
1615 // Still we add success and failure state with the appropriate return value.
1616 // StdLibraryFunctionsChecker can change these states (set the 'errno' state).
1617 C.addTransition(StateNotFailed);
1618 C.addTransition(StateFailed);
1619}
1620
1621void StreamChecker::evalRewind(const FnDescription *Desc, const CallEvent &Call,
1622 CheckerContext &C) const {
1623 ProgramStateRef State = C.getState();
1624 StreamOperationEvaluator E(C);
1625 if (!E.Init(Desc, Call, C, State))
1626 return;
1627
1628 State =
1629 E.setStreamState(State, StreamState::getOpened(Desc, ErrorNone, false));
1630 C.addTransition(State);
1631}
1632
1633void StreamChecker::preFflush(const FnDescription *Desc, const CallEvent &Call,
1634 CheckerContext &C) const {
1635 ProgramStateRef State = C.getState();
1636 SVal StreamVal = getStreamArg(Desc, Call);
1637 std::optional<DefinedSVal> Stream = StreamVal.getAs<DefinedSVal>();
1638 if (!Stream)
1639 return;
1640
1641 ProgramStateRef StateNotNull, StateNull;
1642 std::tie(StateNotNull, StateNull) =
1643 C.getConstraintManager().assumeDual(State, *Stream);
1644 if (StateNotNull && !StateNull)
1645 ensureStreamOpened(StreamVal, C, StateNotNull);
1646}
1647
1648void StreamChecker::evalFflush(const FnDescription *Desc, const CallEvent &Call,
1649 CheckerContext &C) const {
1650 ProgramStateRef State = C.getState();
1651 SVal StreamVal = getStreamArg(Desc, Call);
1652 std::optional<DefinedSVal> Stream = StreamVal.getAs<DefinedSVal>();
1653 if (!Stream)
1654 return;
1655
1656 // Skip if the stream can be both NULL and non-NULL.
1657 ProgramStateRef StateNotNull, StateNull;
1658 std::tie(StateNotNull, StateNull) =
1659 C.getConstraintManager().assumeDual(State, *Stream);
1660 if (StateNotNull && StateNull)
1661 return;
1662 if (StateNotNull && !StateNull)
1663 State = StateNotNull;
1664 else
1665 State = StateNull;
1666
1667 const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
1668 if (!CE)
1669 return;
1670
1671 // `fflush` returns EOF on failure, otherwise returns 0.
1672 ProgramStateRef StateFailed = bindInt(*EofVal, State, C, CE);
1673 ProgramStateRef StateNotFailed = bindInt(0, State, C, CE);
1674
1675 // Clear error states if `fflush` returns 0, but retain their EOF flags.
1676 auto ClearErrorInNotFailed = [&StateNotFailed, Desc](SymbolRef Sym,
1677 const StreamState *SS) {
1678 if (SS->ErrorState & ErrorFError) {
1679 StreamErrorState NewES =
1680 (SS->ErrorState & ErrorFEof) ? ErrorFEof : ErrorNone;
1681 StreamState NewSS = StreamState::getOpened(Desc, NewES, false);
1682 StateNotFailed = StateNotFailed->set<StreamMap>(Sym, NewSS);
1683 }
1684 };
1685
1686 if (StateNotNull && !StateNull) {
1687 // Skip if the input stream's state is unknown, open-failed or closed.
1688 if (SymbolRef StreamSym = StreamVal.getAsSymbol()) {
1689 const StreamState *SS = State->get<StreamMap>(StreamSym);
1690 if (SS) {
1691 assert(SS->isOpened() && "Stream is expected to be opened");
1692 ClearErrorInNotFailed(StreamSym, SS);
1693 } else
1694 return;
1695 }
1696 } else {
1697 // Clear error states for all streams.
1698 const StreamMapTy &Map = StateNotFailed->get<StreamMap>();
1699 for (const auto &I : Map) {
1700 SymbolRef Sym = I.first;
1701 const StreamState &SS = I.second;
1702 if (SS.isOpened())
1703 ClearErrorInNotFailed(Sym, &SS);
1704 }
1705 }
1706
1707 C.addTransition(StateNotFailed);
1708 C.addTransition(StateFailed);
1709}
1710
1711void StreamChecker::evalClearerr(const FnDescription *Desc,
1712 const CallEvent &Call,
1713 CheckerContext &C) const {
1714 ProgramStateRef State = C.getState();
1715 StreamOperationEvaluator E(C);
1716 if (!E.Init(Desc, Call, C, State))
1717 return;
1718
1719 // FilePositionIndeterminate is not cleared.
1720 State = E.setStreamState(
1721 State,
1722 StreamState::getOpened(Desc, ErrorNone, E.SS->FilePositionIndeterminate));
1723 C.addTransition(State);
1724}
1725
1726void StreamChecker::evalFeofFerror(const FnDescription *Desc,
1727 const CallEvent &Call, CheckerContext &C,
1728 const StreamErrorState &ErrorKind) const {
1729 ProgramStateRef State = C.getState();
1730 StreamOperationEvaluator E(C);
1731 if (!E.Init(Desc, Call, C, State))
1732 return;
1733
1734 if (E.SS->ErrorState & ErrorKind) {
1735 // Execution path with error of ErrorKind.
1736 // Function returns true.
1737 // From now on it is the only one error state.
1738 ProgramStateRef TrueState = bindAndAssumeTrue(State, C, E.CE);
1739 C.addTransition(E.setStreamState(
1740 TrueState, StreamState::getOpened(Desc, ErrorKind,
1741 E.SS->FilePositionIndeterminate &&
1742 !ErrorKind.isFEof())));
1743 }
1744 if (StreamErrorState NewES = E.SS->ErrorState & (~ErrorKind)) {
1745 // Execution path(s) with ErrorKind not set.
1746 // Function returns false.
1747 // New error state is everything before minus ErrorKind.
1748 ProgramStateRef FalseState = E.bindReturnValue(State, C, 0);
1749 C.addTransition(E.setStreamState(
1750 FalseState,
1751 StreamState::getOpened(
1752 Desc, NewES, E.SS->FilePositionIndeterminate && !NewES.isFEof())));
1753 }
1754}
1755
1756void StreamChecker::evalFileno(const FnDescription *Desc, const CallEvent &Call,
1757 CheckerContext &C) const {
1758 // Fileno should fail only if the passed pointer is invalid.
1759 // Some of the preconditions are checked already in preDefault.
1760 // Here we can assume that the operation does not fail, because if we
1761 // introduced a separate branch where fileno() returns -1, then it would cause
1762 // many unexpected and unwanted warnings in situations where fileno() is
1763 // called on valid streams.
1764 // The stream error states are not modified by 'fileno', and 'errno' is also
1765 // left unchanged (so this evalCall does not invalidate it, but we have a
1766 // custom evalCall instead of the default that would invalidate it).
1767 ProgramStateRef State = C.getState();
1768 StreamOperationEvaluator E(C);
1769 if (!E.Init(Desc, Call, C, State))
1770 return;
1771
1772 NonLoc RetVal = makeRetVal(C, E.CE).castAs<NonLoc>();
1773 State = State->BindExpr(E.CE, C.getLocationContext(), RetVal);
1774 State = E.assumeBinOpNN(State, BO_GE, RetVal, E.getZeroVal(Call));
1775 if (!State)
1776 return;
1777
1778 C.addTransition(State);
1779}
1780
1781void StreamChecker::preDefault(const FnDescription *Desc, const CallEvent &Call,
1782 CheckerContext &C) const {
1783 ProgramStateRef State = C.getState();
1784 SVal StreamVal = getStreamArg(Desc, Call);
1785 State = ensureStreamNonNull(StreamVal, Call.getArgExpr(Desc->StreamArgNo), C,
1786 State);
1787 if (!State)
1788 return;
1789 State = ensureStreamOpened(StreamVal, C, State);
1790 if (!State)
1791 return;
1792
1793 C.addTransition(State);
1794}
1795
1796void StreamChecker::evalSetFeofFerror(const FnDescription *Desc,
1797 const CallEvent &Call, CheckerContext &C,
1798 const StreamErrorState &ErrorKind,
1799 bool Indeterminate) const {
1800 ProgramStateRef State = C.getState();
1801 SymbolRef StreamSym = getStreamArg(Desc, Call).getAsSymbol();
1802 assert(StreamSym && "Operation not permitted on non-symbolic stream value.");
1803 const StreamState *SS = State->get<StreamMap>(StreamSym);
1804 assert(SS && "Stream should be tracked by the checker.");
1805 State = State->set<StreamMap>(
1806 StreamSym,
1807 StreamState::getOpened(SS->LastOperation, ErrorKind, Indeterminate));
1808 C.addTransition(State);
1809}
1810
1811ProgramStateRef
1812StreamChecker::ensureStreamNonNull(SVal StreamVal, const Expr *StreamE,
1813 CheckerContext &C,
1814 ProgramStateRef State) const {
1815 auto Stream = StreamVal.getAs<DefinedSVal>();
1816 if (!Stream)
1817 return State;
1818
1819 ConstraintManager &CM = C.getConstraintManager();
1820
1821 ProgramStateRef StateNotNull, StateNull;
1822 std::tie(StateNotNull, StateNull) = CM.assumeDual(State, *Stream);
1823
1824 if (!StateNotNull && StateNull) {
1825 if (ExplodedNode *N = C.generateErrorNode(StateNull)) {
1826 auto R = std::make_unique<PathSensitiveBugReport>(
1827 BT_FileNull, "Stream pointer might be NULL.", N);
1828 if (StreamE)
1829 bugreporter::trackExpressionValue(N, StreamE, *R);
1830 C.emitReport(std::move(R));
1831 }
1832 return nullptr;
1833 }
1834
1835 return StateNotNull;
1836}
1837
1838namespace {
1839class StreamClosedVisitor final : public BugReporterVisitor {
1840 const SymbolRef StreamSym;
1841 bool Satisfied = false;
1842
1843public:
1844 explicit StreamClosedVisitor(SymbolRef StreamSym) : StreamSym(StreamSym) {}
1845
1846 static void *getTag() {
1847 static int Tag = 0;
1848 return &Tag;
1849 }
1850
1851 void Profile(llvm::FoldingSetNodeID &ID) const override {
1852 ID.AddPointer(getTag());
1853 ID.AddPointer(StreamSym);
1854 }
1855
1856 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
1857 BugReporterContext &BRC,
1858 PathSensitiveBugReport &BR) override {
1859 if (Satisfied)
1860 return nullptr;
1861 const StreamState *PredSS =
1862 N->getFirstPred()->getState()->get<StreamMap>(StreamSym);
1863 if (PredSS && PredSS->isClosed())
1864 return nullptr;
1865
1866 const Stmt *S = N->getStmtForDiagnostics();
1867 if (!S)
1868 return nullptr;
1869 Satisfied = true;
1870 PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
1871 N->getLocationContext());
1872 llvm::StringLiteral Msg = "Stream is closed here";
1873 return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg);
1874 }
1875};
1876} // namespace
1877
1878ProgramStateRef StreamChecker::ensureStreamOpened(SVal StreamVal,
1879 CheckerContext &C,
1880 ProgramStateRef State) const {
1881 SymbolRef Sym = StreamVal.getAsSymbol();
1882 if (!Sym)
1883 return State;
1884
1885 const StreamState *SS = State->get<StreamMap>(Sym);
1886 if (!SS)
1887 return State;
1888
1889 if (SS->isClosed()) {
1890 // Using a stream pointer after 'fclose' causes undefined behavior
1891 // according to cppreference.com .
1892 if (ExplodedNode *N = C.generateErrorNode()) {
1893 auto R = std::make_unique<PathSensitiveBugReport>(
1894 BT_UseAfterClose, "Use of a stream that might be already closed", N);
1895 R->addVisitor<StreamClosedVisitor>(Sym);
1896 C.emitReport(std::move(R));
1897 return nullptr;
1898 }
1899
1900 return State;
1901 }
1902
1903 if (SS->isOpenFailed()) {
1904 // Using a stream that has failed to open is likely to cause problems.
1905 // This should usually not occur because stream pointer is NULL.
1906 // But freopen can cause a state when stream pointer remains non-null but
1907 // failed to open.
1908 ExplodedNode *N = C.generateErrorNode();
1909 if (N) {
1910 C.emitReport(std::make_unique<PathSensitiveBugReport>(
1911 BT_UseAfterOpenFailed,
1912 "Stream might be invalid after "
1913 "(re-)opening it has failed. "
1914 "Can cause undefined behaviour.",
1915 N));
1916 return nullptr;
1917 }
1918 }
1919
1920 return State;
1921}
1922
1923ProgramStateRef StreamChecker::ensureNoFilePositionIndeterminate(
1924 SVal StreamVal, CheckerContext &C, ProgramStateRef State) const {
1925 static const char *BugMessage =
1926 "File position of the stream might be 'indeterminate' "
1927 "after a failed operation. "
1928 "Can cause undefined behavior.";
1929
1930 SymbolRef Sym = StreamVal.getAsSymbol();
1931 if (!Sym)
1932 return State;
1933
1934 const StreamState *SS = State->get<StreamMap>(Sym);
1935 if (!SS)
1936 return State;
1937
1938 assert(SS->isOpened() && "First ensure that stream is opened.");
1939
1940 if (SS->FilePositionIndeterminate) {
1941 if (SS->ErrorState & ErrorFEof) {
1942 // The error is unknown but may be FEOF.
1943 // Continue analysis with the FEOF error state.
1944 // Report warning because the other possible error states.
1945 ExplodedNode *N = C.generateNonFatalErrorNode(State);
1946 if (!N)
1947 return nullptr;
1948
1949 auto R = std::make_unique<PathSensitiveBugReport>(
1950 BT_IndeterminatePosition, BugMessage, N);
1951 R->markInteresting(Sym);
1952 C.emitReport(std::move(R));
1953 return State->set<StreamMap>(
1954 Sym, StreamState::getOpened(SS->LastOperation, ErrorFEof, false));
1955 }
1956
1957 // Known or unknown error state without FEOF possible.
1958 // Stop analysis, report error.
1959 if (ExplodedNode *N = C.generateErrorNode(State)) {
1960 auto R = std::make_unique<PathSensitiveBugReport>(
1961 BT_IndeterminatePosition, BugMessage, N);
1962 R->markInteresting(Sym);
1963 C.emitReport(std::move(R));
1964 }
1965
1966 return nullptr;
1967 }
1968
1969 return State;
1970}
1971
1972ProgramStateRef
1973StreamChecker::ensureFseekWhenceCorrect(SVal WhenceVal, CheckerContext &C,
1974 ProgramStateRef State) const {
1975 std::optional<nonloc::ConcreteInt> CI =
1976 WhenceVal.getAs<nonloc::ConcreteInt>();
1977 if (!CI)
1978 return State;
1979
1980 int64_t X = CI->getValue()->getSExtValue();
1981 if (X == SeekSetVal || X == SeekCurVal || X == SeekEndVal)
1982 return State;
1983
1984 if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
1985 C.emitReport(std::make_unique<PathSensitiveBugReport>(
1986 BT_IllegalWhence,
1987 "The whence argument to fseek() should be "
1988 "SEEK_SET, SEEK_END, or SEEK_CUR.",
1989 N));
1990 return nullptr;
1991 }
1992
1993 return State;
1994}
1995
1996void StreamChecker::reportFEofWarning(SymbolRef StreamSym, CheckerContext &C,
1997 ProgramStateRef State) const {
1998 if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
1999 auto R = std::make_unique<PathSensitiveBugReport>(
2000 BT_StreamEof,
2001 "Read function called when stream is in EOF state. "
2002 "Function has no effect.",
2003 N);
2004 R->markInteresting(StreamSym);
2005 C.emitReport(std::move(R));
2006 return;
2007 }
2008 C.addTransition(State);
2009}
2010
2011ExplodedNode *
2012StreamChecker::reportLeaks(const SmallVector<SymbolRef, 2> &LeakedSyms,
2013 CheckerContext &C, ExplodedNode *Pred) const {
2014 ExplodedNode *Err = C.generateNonFatalErrorNode(C.getState(), Pred);
2015 if (!Err)
2016 return Pred;
2017
2018 for (SymbolRef LeakSym : LeakedSyms) {
2019 // Resource leaks can result in multiple warning that describe the same kind
2020 // of programming error:
2021 // void f() {
2022 // FILE *F = fopen("a.txt");
2023 // if (rand()) // state split
2024 // return; // warning
2025 // } // warning
2026 // While this isn't necessarily true (leaking the same stream could result
2027 // from a different kinds of errors), the reduction in redundant reports
2028 // makes this a worthwhile heuristic.
2029 // FIXME: Add a checker option to turn this uniqueing feature off.
2030 const ExplodedNode *StreamOpenNode = getAcquisitionSite(Err, LeakSym, C);
2031 assert(StreamOpenNode && "Could not find place of stream opening.");
2032
2033 PathDiagnosticLocation LocUsedForUniqueing;
2034 if (const Stmt *StreamStmt = StreamOpenNode->getStmtForDiagnostics())
2035 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(
2036 StreamStmt, C.getSourceManager(),
2037 StreamOpenNode->getLocationContext());
2038
2039 std::unique_ptr<PathSensitiveBugReport> R =
2040 std::make_unique<PathSensitiveBugReport>(
2041 BT_ResourceLeak,
2042 "Opened stream never closed. Potential resource leak.", Err,
2043 LocUsedForUniqueing,
2044 StreamOpenNode->getLocationContext()->getDecl());
2045 R->markInteresting(LeakSym);
2046 R->addVisitor<NoStreamStateChangeVisitor>(LeakSym, this);
2047 C.emitReport(std::move(R));
2048 }
2049
2050 return Err;
2051}
2052
2053void StreamChecker::checkDeadSymbols(SymbolReaper &SymReaper,
2054 CheckerContext &C) const {
2055 ProgramStateRef State = C.getState();
2056
2057 llvm::SmallVector<SymbolRef, 2> LeakedSyms;
2058
2059 const StreamMapTy &Map = State->get<StreamMap>();
2060 for (const auto &I : Map) {
2061 SymbolRef Sym = I.first;
2062 const StreamState &SS = I.second;
2063 if (!SymReaper.isDead(Sym))
2064 continue;
2065 if (SS.isOpened())
2066 LeakedSyms.push_back(Sym);
2067 State = State->remove<StreamMap>(Sym);
2068 }
2069
2070 ExplodedNode *N = C.getPredecessor();
2071 if (!LeakedSyms.empty())
2072 N = reportLeaks(LeakedSyms, C, N);
2073
2074 C.addTransition(State, N);
2075}
2076
2077ProgramStateRef StreamChecker::checkPointerEscape(
2078 ProgramStateRef State, const InvalidatedSymbols &Escaped,
2079 const CallEvent *Call, PointerEscapeKind Kind) const {
2080 // Check for file-handling system call that is not handled by the checker.
2081 // FIXME: The checker should be updated to handle all system calls that take
2082 // 'FILE*' argument. These are now ignored.
2083 if (Kind == PSK_DirectEscapeOnCall && Call->isInSystemHeader())
2084 return State;
2085
2086 for (SymbolRef Sym : Escaped) {
2087 // The symbol escaped.
2088 // From now the stream can be manipulated in unknown way to the checker,
2089 // it is not possible to handle it any more.
2090 // Optimistically, assume that the corresponding file handle will be closed
2091 // somewhere else.
2092 // Remove symbol from state so the following stream calls on this symbol are
2093 // not handled by the checker.
2094 State = State->remove<StreamMap>(Sym);
2095 }
2096 return State;
2097}
2098
2099static const VarDecl *
2100getGlobalStreamPointerByName(const TranslationUnitDecl *TU, StringRef VarName) {
2101 ASTContext &Ctx = TU->getASTContext();
2102 const auto &SM = Ctx.getSourceManager();
2103 const QualType FileTy = Ctx.getFILEType();
2104
2105 if (FileTy.isNull())
2106 return nullptr;
2107
2108 const QualType FilePtrTy = Ctx.getPointerType(FileTy).getCanonicalType();
2109
2110 auto LookupRes = TU->lookup(&Ctx.Idents.get(VarName));
2111 for (const Decl *D : LookupRes) {
2112 if (auto *VD = dyn_cast_or_null<VarDecl>(D)) {
2113 if (SM.isInSystemHeader(VD->getLocation()) && VD->hasExternalStorage() &&
2114 VD->getType().getCanonicalType() == FilePtrTy) {
2115 return VD;
2116 }
2117 }
2118 }
2119 return nullptr;
2120}
2121
2122void StreamChecker::checkASTDecl(const TranslationUnitDecl *TU,
2123 AnalysisManager &Mgr, BugReporter &) const {
2124 StdinDecl = getGlobalStreamPointerByName(TU, "stdin");
2125 StdoutDecl = getGlobalStreamPointerByName(TU, "stdout");
2126 StderrDecl = getGlobalStreamPointerByName(TU, "stderr");
2127 VaListType = TU->getASTContext().getBuiltinVaListType().getCanonicalType();
2128 initMacroValues(Mgr.getPreprocessor());
2129}
2130
2131//===----------------------------------------------------------------------===//
2132// Checker registration.
2133//===----------------------------------------------------------------------===//
2134
2135void ento::registerStreamChecker(CheckerManager &Mgr) {
2136 auto *Checker = Mgr.registerChecker<StreamChecker>();
2137 Checker->PedanticMode =
2138 Mgr.getAnalyzerOptions().getCheckerBooleanOption(Checker, "Pedantic");
2139}
2140
2141bool ento::shouldRegisterStreamChecker(const CheckerManager &Mgr) {
2142 return true;
2143}
2144
2145void ento::registerStreamTesterChecker(CheckerManager &Mgr) {
2146 auto *Checker = Mgr.getChecker<StreamChecker>();
2147 Checker->TestMode = true;
2148}
2149
2150bool ento::shouldRegisterStreamTesterChecker(const CheckerManager &Mgr) {
2151 return true;
2152}
V
#define V(N, I)
Definition: ASTContext.h:3460
P
StringRef P
Definition: ASTMatchersInternal.cpp:574
SM
#define SM(sm)
Definition: Cuda.cpp:85
D
const Decl * D
Definition: CheckExprLifetime.cpp:212
E
Expr * E
Definition: CheckExprLifetime.cpp:210
dump
static void dump(llvm::raw_ostream &OS, StringRef FunctionName, ArrayRef< CounterExpression > Expressions, ArrayRef< CounterMappingRegion > Regions)
Definition: CoverageMappingGen.cpp:2382
X
#define X(type, name)
Definition: Value.h:144
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:87
getGlobalStreamPointerByName
static const VarDecl * getGlobalStreamPointerByName(const TranslationUnitDecl *TU, StringRef VarName)
Definition: StreamChecker.cpp:2100
tryToInvalidateFReadBufferByElements
static ProgramStateRef tryToInvalidateFReadBufferByElements(ProgramStateRef State, CheckerContext &C, const CallEvent &Call, NonLoc SizeVal, NonLoc NMembVal)
Definition: StreamChecker.cpp:1108
getPointeeType
static QualType getPointeeType(const MemRegion *R)
Definition: StreamChecker.cpp:1076
getKnownValue
static std::optional< int64_t > getKnownValue(ProgramStateRef State, SVal V)
Definition: StreamChecker.cpp:825
escapeArgs
static ProgramStateRef escapeArgs(ProgramStateRef State, CheckerContext &C, const CallEvent &Call, ArrayRef< unsigned int > EscapingArgs)
Definition: StreamChecker.cpp:866
getStartIndex
static std::optional< NonLoc > getStartIndex(SValBuilder &SVB, const MemRegion *R)
Definition: StreamChecker.cpp:1088
escapeByStartIndexAndCount
static ProgramStateRef escapeByStartIndexAndCount(ProgramStateRef State, const CallEvent &Call, unsigned BlockCount, const SubRegion *Buffer, QualType ElemType, int64_t StartIndex, int64_t ElementCount)
Invalidate only the requested elements instead of the whole buffer.
Definition: StreamChecker.cpp:836
int
__device__ int
Definition: __clang_hip_libdevice_declares.h:67
bool
#define bool
Definition: amdgpuintrin.h:20
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:188
clang::ASTContext::getSourceManager
SourceManager & getSourceManager()
Definition: ASTContext.h:741
clang::ASTContext::getBuiltinVaListType
QualType getBuiltinVaListType() const
Retrieve the type of the __builtin_va_list type.
Definition: ASTContext.h:2258
clang::ASTContext::getFILEType
QualType getFILEType() const
Retrieve the C FILE type.
Definition: ASTContext.h:2096
clang::ASTContext::getPointerType
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
Definition: ASTContext.cpp:3810
clang::ASTContext::Idents
IdentifierTable & Idents
Definition: ASTContext.h:680
clang::ASTContext::getTypeSizeInChars
CharUnits getTypeSizeInChars(QualType T) const
Return the size of the specified (complete) type T, in characters.
Definition: ASTContext.cpp:2541
clang::AnalyzerOptions::getCheckerBooleanOption
bool getCheckerBooleanOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option's string value as a boolean.
Definition: AnalyzerOptions.cpp:161
clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2874
clang::CallExpr::getCallReturnType
QualType getCallReturnType(const ASTContext &Ctx) const
getCallReturnType - Get the return type of the call expr.
Definition: Expr.cpp:1595
clang::CharUnits::getQuantity
QuantityType getQuantity() const
getQuantity - Get the raw integer representation of this quantity.
Definition: CharUnits.h:185
clang::DeclContext::lookup
lookup_result lookup(DeclarationName Name) const
lookup - Find the declarations (if any) with the given Name in this context.
Definition: DeclBase.cpp:1866
clang::Decl
Decl - This represents one declaration (or definition), e.g.
Definition: DeclBase.h:86
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::Expr::getType
QualType getType() const
Definition: Expr.h:142
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1935
clang::FunctionDecl::getBody
Stmt * getBody(const FunctionDecl *&Definition) const
Retrieve the body (definition) of the function.
Definition: Decl.cpp:3243
clang::FunctionDecl::hasBody
bool hasBody(const FunctionDecl *&Definition) const
Returns true if the function has a body.
Definition: Decl.cpp:3163
clang::IdentifierTable::get
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
Definition: IdentifierTable.h:688
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::LocationContext::getDecl
const Decl * getDecl() const
Definition: AnalysisDeclContext.h:251
clang::Preprocessor
Engages in a tight little dance with the lexer to efficiently preprocess tokens.
Definition: Preprocessor.h:138
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:929
clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:996
clang::QualType::getCanonicalType
QualType getCanonicalType() const
Definition: Type.h:7989
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84
clang::TranslationUnitDecl
The top declaration context.
Definition: Decl.h:84
clang::TranslationUnitDecl::getASTContext
ASTContext & getASTContext() const
Definition: Decl.h:120
clang::Type::isPointerType
bool isPointerType() const
Definition: Type.h:8192
clang::Type::isIntegralOrEnumerationType
bool isIntegralOrEnumerationType() const
Determine whether this type is an integral or enumeration type.
Definition: Type.h:8635
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:882
clang::ast_matchers::BoundNodes
Maps string IDs to AST nodes matched by parts of a matcher.
Definition: ASTMatchers.h:109
clang::ento::AnalysisManager::getPreprocessor
Preprocessor & getPreprocessor() override
Definition: AnalysisManager.h:66
clang::ento::BasicValueFactory::getIntValue
APSIntPtr getIntValue(uint64_t X, bool isUnsigned)
Definition: BasicValueFactory.h:189
clang::ento::BugReport::getBugType
const BugType & getBugType() const
Definition: BugReporter.h:149
clang::ento::BugReporterContext::getSourceManager
const SourceManager & getSourceManager() const
Definition: BugReporter.h:737
clang::ento::BugReporterVisitor
BugReporterVisitors are used to add custom diagnostics along a path.
Definition: BugReporterVisitors.h:49
clang::ento::BugReporterVisitor::Profile
virtual void Profile(llvm::FoldingSetNodeID &ID) const =0
clang::ento::BugReporterVisitor::VisitNode
virtual PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ, BugReporterContext &BRC, PathSensitiveBugReport &BR)=0
Return a diagnostic piece which should be associated with the given node.
clang::ento::BugReporter
BugReporter is a utility class for generating PathDiagnostics for analysis.
Definition: BugReporter.h:585
clang::ento::CallDescriptionMap
An immutable map from CallDescriptions to arbitrary data.
Definition: CallDescription.h:194
clang::ento::CallDescriptionMap::lookup
const T * lookup(const CallEvent &Call) const
Definition: CallDescription.h:222
clang::ento::CallDescription
A CallDescription is a pattern that can be used to match calls based on the qualified name and the ar...
Definition: CallDescription.h:32
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:153
clang::ento::CheckerManager::getAnalyzerOptions
const AnalyzerOptions & getAnalyzerOptions() const
Definition: CheckerManager.h:168
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:202
clang::ento::ConstraintManager::assumeDual
ProgramStatePair assumeDual(ProgramStateRef State, DefinedSVal Cond)
Returns a pair of states (StTrue, StFalse) where the given condition is assumed to be true or false,...
Definition: ConstraintManager.cpp:93
clang::ento::ConstraintManager::ProgramStatePair
std::pair< ProgramStateRef, ProgramStateRef > ProgramStatePair
Definition: ConstraintManager.h:80
clang::ento::ExplodedNode::getState
const ProgramStateRef & getState() const
Definition: ExplodedGraph.h:169
clang::ento::ExplodedNode::getStmtForDiagnostics
const Stmt * getStmtForDiagnostics() const
If the node's program point corresponds to a statement, retrieve that statement.
Definition: ExplodedGraph.cpp:319
clang::ento::ExplodedNode::getLocation
ProgramPoint getLocation() const
getLocation - Returns the edge associated with the given node.
Definition: ExplodedGraph.h:145
clang::ento::ExplodedNode::getLocationContext
const LocationContext * getLocationContext() const
Definition: ExplodedGraph.h:147
clang::ento::ExplodedNode::getFirstPred
ExplodedNode * getFirstPred()
Definition: ExplodedGraph.h:209
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:97
clang::ento::NoOwnershipChangeVisitor::doesFnIntendToHandleOwnership
virtual bool doesFnIntendToHandleOwnership(const Decl *Callee, ASTContext &ACtx)=0
Heuristically guess whether the callee intended to free the resource.
clang::ento::NoOwnershipChangeVisitor::emitNote
virtual PathDiagnosticPieceRef emitNote(const ExplodedNode *N)=0
clang::ento::NoOwnershipChangeVisitor::hasResourceStateChanged
virtual bool hasResourceStateChanged(ProgramStateRef CallEnterState, ProgramStateRef CallExitEndState)=0
clang::ento::NoteTag
The tag upon which the TagVisitor reacts.
Definition: BugReporter.h:779
clang::ento::PathDiagnosticLocation::createBegin
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Definition: PathDiagnostic.cpp:579
clang::ento::PathDiagnosticLocation::create
static PathDiagnosticLocation create(const Decl *D, const SourceManager &SM)
Create a location corresponding to the given declaration.
Definition: PathDiagnostic.h:248
clang::ento::PathSensitiveBugReport::markNotInteresting
void markNotInteresting(SymbolRef sym)
Definition: BugReporter.cpp:2274
clang::ento::PathSensitiveBugReport::isInteresting
bool isInteresting(SymbolRef sym) const
Definition: BugReporter.cpp:2377
clang::ento::RegionAndSymbolInvalidationTraits
Information about invalidation for a particular region/symbol.
Definition: MemRegion.h:1629
clang::ento::RegionAndSymbolInvalidationTraits::setTrait
void setTrait(SymbolRef Sym, InvalidationKinds IK)
Definition: MemRegion.cpp:1802
clang::ento::SValBuilder::makeZeroVal
DefinedOrUnknownSVal makeZeroVal(QualType type)
Construct an SVal representing '0' for the specified type.
Definition: SValBuilder.cpp:62
clang::ento::SValBuilder::getKnownValue
virtual const llvm::APSInt * getKnownValue(ProgramStateRef state, SVal val)=0
Evaluates a given SVal.
clang::ento::SValBuilder::getBasicValueFactory
BasicValueFactory & getBasicValueFactory()
Definition: SValBuilder.h:161
clang::ento::SValBuilder::makeArrayIndex
NonLoc makeArrayIndex(uint64_t idx)
Definition: SValBuilder.h:282
clang::ento::SValBuilder::makeIntVal
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:288
clang::ento::SValBuilder::evalBinOpNN
virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, NonLoc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two non- location operands.
clang::ento::SValBuilder::getConditionType
QualType getConditionType() const
Definition: SValBuilder.h:153
clang::ento::SValBuilder::evalBinOp
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
Definition: SValBuilder.cpp:491
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:56
clang::ento::SVal::getAsSymbol
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:104
clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:87
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:83
clang::ento::SubRegion
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:446
clang::ento::SubRegion::getMemRegionManager
MemRegionManager & getMemRegionManager() const override
Definition: MemRegion.cpp:153
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:32
clang::ento::SymbolReaper
A class responsible for cleaning up unused symbols.
Definition: SymbolManager.h:566
clang::ento::SymbolReaper::isDead
bool isDead(SymbolRef sym)
Returns whether or not a symbol has been confirmed dead.
Definition: SymbolManager.h:636
clang::ento::nonloc::ConcreteInt
Value representing integer constant.
Definition: SVals.h:300
_2
__inline void unsigned int _2
Definition: larchintrin.h:181
clang::api_notes::ContextKind::Tag
@ Tag
clang::api_notes::EnumExtensibilityKind::Closed
@ Closed
clang::ast_matchers
Definition: ASTMatchers.h:100
clang::ast_matchers::callExpr
const internal::VariadicDynCastAllOfMatcher< Stmt, CallExpr > callExpr
Matches call expressions.
Definition: ASTMatchersInternal.cpp:847
clang::ast_matchers::match
SmallVector< BoundNodes, 1 > match(MatcherT Matcher, const NodeT &Node, ASTContext &Context)
Returns the results of matching Matcher on Node.
Definition: ASTMatchFinder.h:313
clang::ast_matchers::findAll
internal::Matcher< T > findAll(const internal::Matcher< T > &Matcher)
Matches if the node or any descendant matches.
Definition: ASTMatchers.h:3611
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2600
clang::ento::PointerEscapeKind
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Definition: CheckerManager.h:78
clang::ento::PSK_DirectEscapeOnCall
@ PSK_DirectEscapeOnCall
The pointer has been passed to a function call directly.
Definition: CheckerManager.h:84
clang::ento::InvalidatedSymbols
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
clang::ento::getPointeeVal
std::optional< SVal > getPointeeVal(SVal PtrSVal, ProgramStateRef State)
Definition: CheckerHelpers.cpp:186
clang::ento::tryExpandAsInteger
std::optional< int > tryExpandAsInteger(StringRef Macro, const Preprocessor &PP)
Try to parse the value of a defined preprocessor macro.
Definition: CheckerHelpers.cpp:115
clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition: PathDiagnostic.h:492
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
clang::if
if(T->getSizeExpr()) TRY_TO(TraverseStmt(const_cast< Expr * >(T -> getSizeExpr())))
Definition: RecursiveASTVisitor.h:1114
clang::BinaryOperatorKind
BinaryOperatorKind
Definition: OperationKinds.h:25
clang::operator==
bool operator==(const CallGraphNode::CallRecord &LHS, const CallGraphNode::CallRecord &RHS)
Definition: CallGraph.h:204
clang::operator&
DiagnosticLevelMask operator&(DiagnosticLevelMask LHS, DiagnosticLevelMask RHS)
Definition: DiagnosticOptions.h:60
clang::operator~
DiagnosticLevelMask operator~(DiagnosticLevelMask M)
Definition: DiagnosticOptions.h:48
clang::operator|
DiagnosticLevelMask operator|(DiagnosticLevelMask LHS, DiagnosticLevelMask RHS)
Definition: DiagnosticOptions.h:53
clang::operator!=
bool operator!=(CanQual< T > x, CanQual< U > y)
Definition: CanonicalType.h:208
clang::T
const FunctionProtoType * T
Definition: RecursiveASTVisitor.h:1365
hlsl::int64_t
long int64_t
Definition: hlsl_basic_types.h:43
Generated on Tue Jul 1 2025 21:05:50 for clang by doxygen 1.9.6