Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. #66207

Merged
merged 2 commits into from
Oct 16, 2023
Merged

[clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. #66207

merged 2 commits into from
Oct 16, 2023

Conversation

balazske
Copy link
Collaborator

The checker is good enough to move out of alpha.

@balazske
[clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of…
5b9ad35 
… alpha.

This checker can be good enough to move out of alpha.
I am not sure about the exact requirements, this review can be a place
for discussion about what should be fixed (if any).

Reviewed By: steakhal

Differential Revision: https://reviews.llvm.org/D152436
@balazske balazske requested review from a team as code owners September 13, 2023 13:24
@llvmbot llvmbot added clang Clang issues not falling into any other category clang:static analyzer clang:dataflow Clang Dataflow Analysis framework - https://clang.llvm.org/docs/DataFlowAnalysisIntro.html labels Sep 13, 2023
@llvmbot
Copy link
Member

llvmbot commented Sep 13, 2023

@llvm/pr-subscribers-clang

Changes The checker is good enough to move out of alpha. --

Patch is 48.31 KiB, truncated to 20.00 KiB below, full version: https://github.com/llvm/llvm-project/pull/66207.diff

37 Files Affected:

  • (modified) clang/docs/ReleaseNotes.rst (+2)
  • (modified) clang/docs/analyzer/checkers.rst (+94-94)
  • (modified) clang/include/clang/StaticAnalyzer/Checkers/Checkers.td (+22-21)
  • (modified) clang/test/Analysis/PR49642.c (+1-1)
  • (modified) clang/test/Analysis/analyzer-config.c (+2-2)
  • (modified) clang/test/Analysis/analyzer-enabled-checkers.c (+1)
  • (modified) clang/test/Analysis/conversion.c (+2-2)
  • (modified) clang/test/Analysis/errno-stdlibraryfunctions-notes.c (+2-2)
  • (modified) clang/test/Analysis/errno-stdlibraryfunctions.c (+2-2)
  • (modified) clang/test/Analysis/std-c-library-functions-POSIX-lookup.c (+3-3)
  • (modified) clang/test/Analysis/std-c-library-functions-POSIX-socket-sockaddr.cpp (+3-3)
  • (modified) clang/test/Analysis/std-c-library-functions-POSIX.c (+6-6)
  • (modified) clang/test/Analysis/std-c-library-functions-arg-constraints-note-tags.cpp (+2-2)
  • (modified) clang/test/Analysis/std-c-library-functions-arg-constraints-notes.cpp (+2-2)
  • (modified) clang/test/Analysis/std-c-library-functions-arg-constraints-tracking-notes.c (+1-1)
  • (modified) clang/test/Analysis/std-c-library-functions-arg-constraints.c (+4-4)
  • (modified) clang/test/Analysis/std-c-library-functions-arg-constraints.cpp (+1-1)
  • (modified) clang/test/Analysis/std-c-library-functions-arg-cstring-dependency.c (+2-2)
  • (modified) clang/test/Analysis/std-c-library-functions-arg-enabled-checkers.c (+5-5)
  • (modified) clang/test/Analysis/std-c-library-functions-arg-weakdeps.c (+5-5)
  • (modified) clang/test/Analysis/std-c-library-functions-eof.c (+5-5)
  • (modified) clang/test/Analysis/std-c-library-functions-inlined.c (+5-5)
  • (modified) clang/test/Analysis/std-c-library-functions-lookup.c (+2-2)
  • (modified) clang/test/Analysis/std-c-library-functions-lookup.cpp (+2-2)
  • (modified) clang/test/Analysis/std-c-library-functions-path-notes.c (+2-2)
  • (modified) clang/test/Analysis/std-c-library-functions-restrict.c (+2-2)
  • (modified) clang/test/Analysis/std-c-library-functions-restrict.cpp (+2-2)
  • (modified) clang/test/Analysis/std-c-library-functions-vs-stream-checker.c (+4-4)
  • (modified) clang/test/Analysis/std-c-library-functions.c (+6-6)
  • (modified) clang/test/Analysis/std-c-library-functions.cpp (+1-1)
  • (modified) clang/test/Analysis/std-c-library-posix-crash.c (+2-2)
  • (modified) clang/test/Analysis/stream-errno-note.c (+2-2)
  • (modified) clang/test/Analysis/stream-errno.c (+2-2)
  • (modified) clang/test/Analysis/stream-noopen.c (+4-4)
  • (modified) clang/test/Analysis/stream-note.c (+2-2)
  • (modified) clang/test/Analysis/stream-stdlibraryfunctionargs.c (+5-5)
  • (modified) clang/test/Analysis/weak-dependencies.c (+1-1)

<pre>
diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst
index 3cdad2f7b9f0e5a..dd10e707b2f561c 100644
--- a/clang/docs/ReleaseNotes.rst
+++ b/clang/docs/ReleaseNotes.rst
@@ -408,6 +408,8 @@ Static Analyzer

  • Added a new checker core.BitwiseShift which reports situations where
    bitwise shift operators produce undefined behavior (because some operand is
    negative or too large).
    +- Move checker alpha.unix.StdCLibraryFunctions out of the alpha package
  • to unix.StdCLibraryFunctions.

.. _release-notes-sanitizers:

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 54ea49e7426cc86..998a9e888f3a3b3 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -1026,6 +1026,100 @@ Check for null pointers being passed as arguments to C string functions:
return strlen(0); // warn
}

+.. _unix-StdCLibraryFunctions:
+
+unix.StdCLibraryFunctions (C)
+&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;
+Check for calls of standard library functions that violate predefined argument
+constraints. For example, it is stated in the C standard that for the int +isalnum(int ch) function the behavior is undefined if the value of ch is
+not representable as unsigned char and is not equal to EOF.
+
+.. code-block:: c
+

  • #define EOF -1
  • void test_alnum_concrete(int v) {
  • int ret = isalnum(256); // \
  • // warning: Function argument outside of allowed range
  • (void)ret;
  • }
  • void buffer_size_violation(FILE *file) {
  • enum { BUFFER_SIZE = 1024 };
  • wchar_t wbuf[BUFFER_SIZE];
  • const size_t size = sizeof(*wbuf); // 4
  • const size_t nitems = sizeof(wbuf); // 4096
  • // Below we receive a warning because the 3rd parameter should be the
  • // number of elements to read, not the size in bytes. This case is a known
  • // vulnerability described by the ARR38-C SEI-CERT rule.
  • fread(wbuf, size, nitems, file);
  • }

+You can think of this checker as defining restrictions (pre- and postconditions)
+on standard library functions. Preconditions are checked, and when they are
+violated, a warning is emitted. Post conditions are added to the analysis, e.g.
+that the return value must be no greater than 255.
+
+For example if an argument to a function must be in between 0 and 255, but the
+value of the argument is unknown, the analyzer will conservatively assume that
+it is in this interval. Similarly, if a function mustn&#x27;t be called with a null
+pointer and the null value of the argument can not be proven, the analyzer will
+assume that it is non-null.
+
+These are the possible checks on the values passed as function arguments:

    • The argument has an allowed range (or multiple ranges) of values. The checker
  • can detect if a passed value is outside of the allowed range and show the
  • actual and allowed values.
    • The argument has pointer type and is not allowed to be null pointer. Many
  • (but not all) standard functions can produce undefined behavior if a null
  • pointer is passed, these cases can be detected by the checker.
    • The argument is a pointer to a memory block and the minimal size of this
  • buffer is determined by another argument to the function, or by
  • multiplication of two arguments (like at function fread), or is a fixed
  • value (for example asctime_r requires at least a buffer of size 26). The
  • checker can detect if the buffer size is too small and in optimal case show
  • the size of the buffer and the values of the corresponding arguments.

+.. code-block:: c
+

  • int test_alnum_symbolic(int x) {
  • int ret = isalnum(x);
  • // after the call, ret is assumed to be in the range [-1, 255]
  • if (ret &gt; 255) // impossible (infeasible branch)
  •  if (x == 0)

  •    return ret / x; // division by zero is not reported
  • return ret;
  • }

+Additionally to the argument and return value conditions, this checker also adds
+state of the value errno if applicable to the analysis. Many system
+functions set the errno value only if an error occurs (together with a
+specific return value of the function), otherwise it becomes undefined. This
+checker changes the analysis state to contain such information. This data is
+used by other checkers, for example :ref:alpha-unix-Errno.
+
+Limitations
+
+The checker can not always provide notes about the values of the arguments.
+Without this information it is hard to confirm if the constraint is indeed
+violated. The argument values are shown if they are known constants or the value
+is determined by previous (not too complicated) assumptions.
+
+The checker can produce false positives in cases such as if the program has
+invariants not known to the analyzer engine or the bug report path contains
+calls to unknown functions. In these cases the analyzer fails to detect the real
+range of the argument.
+
+Parameters
+
+The checker models functions (and emits diagnostics) from the C standard by
+default. The ModelPOSIX option enables modeling (and emit diagnostics) of
+additional functions that are defined in the POSIX standard. This option is
+disabled by default.
+
.. _osx-checkers:

osx
@@ -2651,100 +2745,6 @@ For a more detailed description of configuration options, please see the
alpha.unix
^^^^^^^^^^^

-.. _alpha-unix-StdCLibraryFunctions:

-alpha.unix.StdCLibraryFunctions (C)
-&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;&quot;
-Check for calls of standard library functions that violate predefined argument
-constraints. For example, it is stated in the C standard that for the int -isalnum(int ch) function the behavior is undefined if the value of ch is
-not representable as unsigned char and is not equal to EOF.

-.. code-block:: c

  • #define EOF -1
  • void test_alnum_concrete(int v) {
  • int ret = isalnum(256); // \
  • // warning: Function argument outside of allowed range
  • (void)ret;
  • }
  • void buffer_size_violation(FILE *file) {
  • enum { BUFFER_SIZE = 1024 };
  • wchar_t wbuf[BUFFER_SIZE];
  • const size_t size = sizeof(*wbuf); // 4
  • const size_t nitems = sizeof(wbuf); // 4096
  • // Below we receive a warning because the 3rd parameter should be the
  • // number of elements to read, not the size in bytes. This case is a known
  • // vulnerability described by the ARR38-C SEI-CERT rule.
  • fread(wbuf, size, nitems, file);
  • }

-You can think of this checker as defining restrictions (pre- and postconditions)
-on standard library functions. Preconditions are checked, and when they are
-violated, a warning is emitted. Post conditions are added to the analysis, e.g.
-that the return value must be no greater than 255.

-For example if an argument to a function must be in between 0 and 255, but the
-value of the argument is unknown, the analyzer will conservatively assume that
-it is in this interval. Similarly, if a function mustn&#x27;t be called with a null
-pointer and the null value of the argument can not be proven, the analyzer will
-assume that it is non-null.

-These are the possible checks on the values passed as function arguments:

    • The argument has an allowed range (or multiple ranges) of values. The checker
  • can detect if a passed value is outside of the allowed range and show the
  • actual and allowed values.
    • The argument has pointer type and is not allowed to be null pointer. Many
  • (but not all) standard functions can produce undefined behavior if a null
  • pointer is passed, these cases can be detected by the checker.
    • The argument is a pointer to a memory block and the minimal size of this
  • buffer is determined by another argument to the function, or by
  • multiplication of two arguments (like at function fread), or is a fixed
  • value (for example asctime_r requires at least a buffer of size 26). The
  • checker can detect if the buffer size is too small and in optimal case show
  • the size of the buffer and the values of the corresponding arguments.

-.. code-block:: c

  • int test_alnum_symbolic(int x) {
  • int ret = isalnum(x);
  • // after the call, ret is assumed to be in the range [-1, 255]
  • if (ret &gt; 255) // impossible (infeasible branch)
  •  if (x == 0)

  •    return ret / x; // division by zero is not reported
  • return ret;
  • }

-Additionally to the argument and return value conditions, this checker also adds
-state of the value errno if applicable to the analysis. Many system
-functions set the errno value only if an error occurs (together with a
-specific return value of the function), otherwise it becomes undefined. This
-checker changes the analysis state to contain such information. This data is
-used by other checkers, for example :ref:alpha-unix-Errno.

-Limitations

-The checker can not always provide notes about the values of the arguments.
-Without this information it is hard to confirm if the constraint is indeed
-violated. The argument values are shown if they are known constants or the value
-is determined by previous (not too complicated) assumptions.

-The checker can produce false positives in cases such as if the program has
-invariants not known to the analyzer engine or the bug report path contains
-calls to unknown functions. In these cases the analyzer fails to detect the real
-range of the argument.

-Parameters

-The checker models functions (and emits diagnostics) from the C standard by
-default. The ModelPOSIX option enables modeling (and emit diagnostics) of
-additional functions that are defined in the POSIX standard. This option is
-disabled by default.

.. _alpha-unix-BlockInCriticalSection:

alpha.unix.BlockInCriticalSection (C)
diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
index 65c1595eb6245dd..d4c1e0532f9c56d 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -532,6 +532,27 @@ def MismatchedDeallocatorChecker : Checker&lt;&quot;MismatchedDeallocator&quot;&gt;,
Dependencies&lt;[DynamicMemoryModeling]&gt;,
Documentation&lt;HasDocumentation&gt;;

+def StdCLibraryFunctionsChecker : Checker&lt;&quot;StdCLibraryFunctions&quot;&gt;,

  • HelpText&lt;&quot;Check for invalid arguments of C standard library functions, &quot;
  •       &amp;quot;and apply relations between arguments and return value&amp;quot;&amp;gt;,
  • CheckerOptions&lt;[
  • CmdLineOption&lt;Boolean,
  •              &amp;quot;DisplayLoadedSummaries&amp;quot;,

  •              &amp;quot;If set to true, the checker displays the found summaries &amp;quot;

  •              &amp;quot;for the given translation unit.&amp;quot;,

  •              &amp;quot;false&amp;quot;,

  •              Released,

  •              Hide&amp;gt;,
  • CmdLineOption&lt;Boolean,
  •              &amp;quot;ModelPOSIX&amp;quot;,

  •              &amp;quot;If set to true, the checker models additional functions &amp;quot;

  •              &amp;quot;from the POSIX standard.&amp;quot;,

  •              &amp;quot;false&amp;quot;,

  •              InAlpha&amp;gt;
  • ]&gt;,
  • WeakDependencies&lt;[CallAndMessageChecker, NonNullParamChecker]&gt;,
  • Documentation&lt;HasDocumentation&gt;;

def VforkChecker : Checker&lt;&quot;Vfork&quot;&gt;,
HelpText&lt;&quot;Check for proper usage of vfork&quot;&gt;,
Documentation&lt;HasDocumentation&gt;;
@@ -574,27 +595,6 @@ def BlockInCriticalSectionChecker : Checker&lt;&quot;BlockInCriticalSection&quot;&gt;,
HelpText&lt;&quot;Check for calls to blocking functions inside a critical section&quot;&gt;,
Documentation&lt;HasDocumentation&gt;;

-def StdCLibraryFunctionsChecker : Checker&lt;&quot;StdCLibraryFunctions&quot;&gt;,

  • HelpText&lt;&quot;Check for invalid arguments of C standard library functions, &quot;
  •       &amp;quot;and apply relations between arguments and return value&amp;quot;&amp;gt;,
  • CheckerOptions&lt;[
  • CmdLineOption&lt;Boolean,
  •              &amp;quot;DisplayLoadedSummaries&amp;quot;,

  •              &amp;quot;If set to true, the checker displays the found summaries &amp;quot;

  •              &amp;quot;for the given translation unit.&amp;quot;,

  •              &amp;quot;false&amp;quot;,

  •              Released,

  •              Hide&amp;gt;,
  • CmdLineOption&lt;Boolean,
  •              &amp;quot;ModelPOSIX&amp;quot;,

  •              &amp;quot;If set to true, the checker models additional functions &amp;quot;

  •              &amp;quot;from the POSIX standard.&amp;quot;,

  •              &amp;quot;false&amp;quot;,

  •              InAlpha&amp;gt;
  • ]&gt;,
  • WeakDependencies&lt;[CallAndMessageChecker, NonNullParamChecker, StreamChecker]&gt;,
  • Documentation&lt;HasDocumentation&gt;;

} // end &quot;alpha.unix&quot;

//===----------------------------------------------------------------------===//
@@ -1622,6 +1622,7 @@ def DebugIteratorModeling : Checker&lt;&quot;DebugIteratorModeling&quot;&gt;,
def StdCLibraryFunctionsTesterChecker : Checker&lt;&quot;StdCLibraryFunctionsTester&quot;&gt;,
HelpText&lt;&quot;Add test functions to the summary map, so testing of individual &quot;
&quot;summary constituents becomes possible.&quot;&gt;,

  • WeakDependencies&lt;[StdCLibraryFunctionsChecker]&gt;,
    Documentation&lt;NotDocumented&gt;;

} // end &quot;debug&quot;
diff --git a/clang/test/Analysis/PR49642.c b/clang/test/Analysis/PR49642.c
index c21050fd4a5c878..78bbde79d83006d 100644
--- a/clang/test/Analysis/PR49642.c
+++ b/clang/test/Analysis/PR49642.c
@@ -1,6 +1,6 @@
// RUN: %clang_analyze_cc1 -Wno-implicit-function-declaration -Wno-implicit-int -w -verify %s
// RUN: -analyzer-checker=core
-// RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctions
+// RUN: -analyzer-checker=unix.StdCLibraryFunctions

// expected-no-diagnostics

diff --git a/clang/test/Analysis/analyzer-config.c b/clang/test/Analysis/analyzer-config.c
index d86ca5d19219c64..794ef8b9cc08680 100644
--- a/clang/test/Analysis/analyzer-config.c
+++ b/clang/test/Analysis/analyzer-config.c
@@ -13,8 +13,6 @@
// CHECK-NEXT: alpha.security.MmapWriteExec:MmapProtRead = 0x01
// CHECK-NEXT: alpha.security.taint.TaintPropagation:Config = &quot;&quot;
// CHECK-NEXT: alpha.unix.Errno:AllowErrnoReadOutsideConditionExpressions = true
-// CHECK-NEXT: alpha.unix.StdCLibraryFunctions:DisplayLoadedSummaries = false
-// CHECK-NEXT: alpha.unix.StdCLibraryFunctions:ModelPOSIX = false
// CHECK-NEXT: apply-fixits = false
// CHECK-NEXT: assume-controlled-environment = false
// CHECK-NEXT: avoid-suppressing-null-argument-paths = false
@@ -129,6 +127,8 @@
// CHECK-NEXT: track-conditions-debug = false
// CHECK-NEXT: unix.DynamicMemoryModeling:AddNoOwnershipChangeNotes = true
// CHECK-NEXT: unix.DynamicMemoryModeling:Optimistic = false
+// CHECK-NEXT: unix.StdCLibraryFunctions:DisplayLoadedSummaries = false
+// CHECK-NEXT: unix.StdCLibraryFunctions:ModelPOSIX = false
// CHECK-NEXT: unroll-loops = false
// CHECK-NEXT: verbose-report-filename = false
// CHECK-NEXT: widen-loops = false
diff --git a/clang/test/Analysis/analyzer-enabled-checkers.c b/clang/test/Analysis/analyzer-enabled-checkers.c
index ed8334b9e2db009..cf69a6b04c97922 100644
--- a/clang/test/Analysis/analyzer-enabled-checkers.c
+++ b/clang/test/Analysis/analyzer-enabled-checkers.c
@@ -47,6 +47,7 @@
// CHECK-NEXT: unix.Malloc
// CHECK-NEXT: unix.MallocSizeof
// CHECK-NEXT: unix.MismatchedDeallocator
+// CHECK-NEXT: unix.StdCLibraryFunctions
// CHECK-NEXT: unix.Vfork
// CHECK-NEXT: unix.cstring.BadSizeArg
// CHECK-NEXT: unix.cstring.NullArg
diff --git a/clang/test/Analysis/conversion.c b/clang/test/Analysis/conversion.c
index 0d2e005550b16c1..cafe9c37c240225 100644
--- a/clang/test/Analysis/conversion.c
+++ b/clang/test/Analysis/conversion.c
@@ -1,6 +1,6 @@
// RUN: %clang_analyze_cc1 %s
// RUN: -Wno-conversion -Wno-tautological-constant-compare
-// RUN: -analyzer-checker=core,apiModeling,alpha.unix.StdCLibraryFunctions,alpha.core.Conversion
+// RUN: -analyzer-checker=core,apiModeling,unix.StdCLibraryFunctions,alpha.core.Conversion
// RUN: -verify

unsigned char U8;
@@ -187,7 +187,7 @@ char dontwarn10(long long x) {
}

-// C library functions, handled via alpha.unix.StdCLibraryFunctions
+// C library functions, handled via unix.StdCLibraryFunctions

int isascii(int c);
void libraryFunction1(void) {
diff --git a/clang/test/Analysis/errno-stdlibraryfunctions-notes.c b/clang/test/Analysis/errno-stdlibraryfunctions-notes.c
index 991384cc373ef3a..c3fac58c46b3763 100644
--- a/clang/test/Analysis/errno-stdlibraryfunctions-notes.c
+++ b/clang/test/Analysis/errno-stdlibraryfunctions-notes.c
@@ -1,10 +1,10 @@
// RUN: %clang_analyze_cc1 -verify -analyzer-output text %s
// RUN: -analyzer-checker=core
// RUN: -analyzer-checker=debug.ExprInspection
-// RUN: -analyzer-checker=alpha.unix.StdCLibraryFunctions
+// RUN: -analyzer-checker=unix.StdCLibraryFunctions
// RUN: -analyzer-checker=apiModeling.Errno
// RUN: -analyzer-checker=alpha.unix.Errno
-// RUN: -analyzer-config alpha.unix.StdCLibraryFunctions:ModelPOSIX=true
+// RUN: -analyzer-config unix.StdCLibraryFunctions:ModelPOSIX=true

#include &quot;Inputs/errno_var.h&quot;

diff --git a/clang/test/Analysis/errno-stdlibraryfunctions.c b/clang/test/Analysis/errno-stdlibraryfunctions.c
index a3b42f4425c3525..fce5e5d6b0a4710 100644
--- a/clang/test/Analys...

NagyDonat
NagyDonat reviewed Sep 19, 2023
View reviewed changes
Copy link
Contributor

@NagyDonat NagyDonat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(I started to nitpick the documentation text before I realized that it's just old content moved in from elsewhere. Probably it's better to handle these in a separate commit.)

clang/docs/analyzer/checkers.rst Outdated
You can think of this checker as defining restrictions (pre- and postconditions)
on standard library functions. Preconditions are checked, and when they are
violated, a warning is emitted. Post conditions are added to the analysis, e.g.
that the return value must be no greater than 255.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"the return value" of what? I think a function name is missing here.

clang/docs/analyzer/checkers.rst Outdated
Comment on lines 1068 to 1069
pointer and the null value of the argument can not be proven, the analyzer will
assume that it is non-null.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
pointer and the null value of the argument can not be proven, the analyzer will
assume that it is non-null.
pointer and the analyzer cannot prove that it is null, then it will assume that
it is non-null.

"can not be proven" is stronger than "the analyzer cannot prove it"

@NagyDonat
Copy link
Contributor

I tested this commit on several open-source projects, comparing it and its parent with a configuration that enables the non-alpha checkers (so StdCLibraryFunctions becomes enabled when this commit moves it out of alpha).

The results show that this checker doesn't produce random noise and can provide some useful results:

Project New reports Lost reports Changes
memcached New reports Lost reports no effect
tmux New reports Lost reports no effect
twin New reports Lost reports no effect
vim New reports Lost reports no effect
openssl New reports Lost reports no effect
sqlite New reports Lost reports no effect
ffmpeg New reports Lost reports no effect
postgres New reports Lost reports 5 new TPs [1]
tinyxml2 New reports Lost reports no effect
libwebm New reports Lost reports no effect
xerces New reports Lost reports no effect
bitcoin New reports Lost reports no effect
protobuf New reports Lost reports no effect

[1] One unix.StdCLibraryFunctions report and four very similar TOCTOU bugs reported by core.NonNullParamChecker (one example). These are all real issues, although it'd be very difficult to trigger them in practice. Note that we're testing stable versions of open-source projects, so it's not surprising that we don't see serious issues.

NagyDonat
NagyDonat approved these changes Sep 22, 2023
View reviewed changes
Copy link
Contributor

@NagyDonat NagyDonat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on these clean test results I'd say that it's safe to move this checker out of alpha.

@haoNoQ @steakhal Do you have any objections?

@NagyDonat NagyDonat requested a review from steakhal September 22, 2023 10:40
@balazske balazske removed the clang:dataflow Clang Dataflow Analysis framework - https://clang.llvm.org/docs/DataFlowAnalysisIntro.html label Sep 25, 2023
@NagyDonat NagyDonat mentioned this pull request Sep 29, 2023
Merged
steakhal
steakhal approved these changes Sep 29, 2023
View reviewed changes
Copy link
Contributor

@steakhal steakhal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't spent much time on this, but I think it should be good.
Please check the docs with Grammarly to catch mistakes.
Also, please generate the HTML for the rst to verify how it looks.

I'm not sure if the release docs mentions this, but it definitely should. Make sure that's the case.

I approve this, assuming that these wrinkles are ironed.

clang/docs/analyzer/checkers.rst Outdated
.. _unix-StdCLibraryFunctions:

unix.StdCLibraryFunctions (C)
"""""""""""""""""""""""""""""""""""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Align this with the section title.

clang/docs/analyzer/checkers.rst Outdated
"""""""""""""""""""""""""""""""""""
Check for calls of standard library functions that violate predefined argument
constraints. For example, it is stated in the C standard that for the ``int
isalnum(int ch)`` function the behavior is undefined if the value of ``ch`` is
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The grammar feels odd here.

clang/docs/analyzer/checkers.rst Outdated

You can think of this checker as defining restrictions (pre- and postconditions)
on standard library functions. Preconditions are checked, and when they are
violated, a warning is emitted. Post conditions are added to the analysis, e.g.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here "post condition" is spelled as separate words, while previously there was a hyphen between the words.

clang/docs/analyzer/checkers.rst Outdated
Check for calls of standard library functions that violate predefined argument
constraints. For example, it is stated in the C standard that for the ``int
isalnum(int ch)`` function the behavior is undefined if the value of ``ch`` is
not representable as unsigned char and is not equal to ``EOF``.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Char and unsigned are not escaped like we usually do for code.

clang/docs/analyzer/checkers.rst Outdated
@@ -2651,100 +2745,6 @@ For a more detailed description of configuration options, please see the
alpha.unix
^^^^^^^^^^^
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we are here, could you align this with its section title as well?

clang/docs/analyzer/checkers.rst
default. The ``ModelPOSIX`` option enables modeling (and emit diagnostics) of
additional functions that are defined in the POSIX standard. This option is
disabled by default.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think we should have an exhaustive list of the modeled functions here, or that wouldn't be useful?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I remember correctly the list of functions was already rejected by reviewers (because maintenance problems). Otherwise I think it is good to have an exact list of modeled functions.

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
"and apply relations between arguments and return value">,
CheckerOptions<[
CmdLineOption<Boolean,
"DisplayLoadedSummaries",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you confirm that this option is not advertised in the user facing docs.

@llvmbot llvmbot added the clang:dataflow Clang Dataflow Analysis framework - https://clang.llvm.org/docs/DataFlowAnalysisIntro.html label Oct 2, 2023
@balazske
Copy link
Collaborator Author

balazske commented Oct 2, 2023

@haoNoQ Could you check if this change is OK to merge?

@balazske balazske closed this Oct 16, 2023
@balazske balazske reopened this Oct 16, 2023
@balazske balazske merged commit c202a17 into llvm:main Oct 16, 2023
@madhur13490 madhur13490 mentioned this pull request Oct 20, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NagyDonat NagyDonat NagyDonat approved these changes

@steakhal steakhal steakhal approved these changes

@haoNoQ haoNoQ Awaiting requested review from haoNoQ

Assignees
No one assigned
Labels
clang:dataflow Clang Dataflow Analysis framework - https://clang.llvm.org/docs/DataFlowAnalysisIntro.html clang:static analyzer clang Clang issues not falling into any other category
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@balazske @llvmbot @NagyDonat @steakhal