balazske wrote:
> Could you please show your commands which reproduced this crash? I tested
> locally with the following commands and it runs OK.
>
> ```c++
> clang++ -cc1 -std=c++17 -emit-pch -o test.cpp.ast test.cpp
> clang++ -cc1 -x c++ -ast-merge test.cpp.ast /dev/null -ast-dump
> ```
https://github.com/balazske created
https://github.com/llvm/llvm-project/pull/93299
From 9baa8cc3a1a738a43deee811b51593db85d5c88c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Fri, 24 May 2024 15:22:22 +0200
Subject: [PATCH] [clang][analyzer]
https://github.com/balazske closed
https://github.com/llvm/llvm-project/pull/92424
___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/92424
From 769523d392204eac6c48cb80a2282212f3edbbe4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Fri, 10 May 2024 17:30:23 +0200
Subject: [PATCH 1/4] [clang][analyzer] Move checker
https://github.com/balazske edited
https://github.com/llvm/llvm-project/pull/92424
balazske wrote:
The problem is that there is a distance between getting the "InsertPos" and the
insertion into the list. Between getting the `InsertPos`
(`VarTemplate->findSpecialization`) and the insertion further AST import
statements can occur and probably it can cause the list of
balazske wrote:
I could reproduce this assertion (with CTU analysis on project "contour"):
```
clang-19: llvm-project/clang/lib/AST/DeclTemplate.cpp:370: void
clang::RedeclarableTemplateDecl::addSpecializationImpl(llvm::FoldingSetVector&,
EntryType*, void*) [with Derived =
https://github.com/balazske closed
https://github.com/llvm/llvm-project/pull/91445
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/91445
From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Wed, 8 May 2024 10:10:24 +0200
Subject: [PATCH 01/10] [clang][analyzer] Add checker
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/92424
From 769523d392204eac6c48cb80a2282212f3edbbe4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Fri, 10 May 2024 17:30:23 +0200
Subject: [PATCH 1/3] [clang][analyzer] Move checker
balazske wrote:
I moved the checker to `alpha.security` now and changed the name, and made the
documentation more exact.
https://github.com/llvm/llvm-project/pull/92424
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/92424
From 769523d392204eac6c48cb80a2282212f3edbbe4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Fri, 10 May 2024 17:30:23 +0200
Subject: [PATCH 1/2] [clang][analyzer] Move checker
https://github.com/balazske created
https://github.com/llvm/llvm-project/pull/92424
The "cert" package looks not useful and the checker has not a meaningful name
with the old naming scheme.
Additionally tests and documentation is updated.
The checker looks good enough to be moved into
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/91445
From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Wed, 8 May 2024 10:10:24 +0200
Subject: [PATCH 1/9] [clang][analyzer] Add checker
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/91445
From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Wed, 8 May 2024 10:10:24 +0200
Subject: [PATCH 1/8] [clang][analyzer] Add checker
balazske wrote:
I added the `NoteTag` support now (instead of a next PR). The
`checkDeadSymbols` is removed, it does really not matter if the data remains in
the GDM and this way it is used to display the note tag only for the last
`setuid` call.
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/91445
From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Wed, 8 May 2024 10:10:24 +0200
Subject: [PATCH 1/7] [clang][analyzer] Add checker
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/91445
From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Wed, 8 May 2024 10:10:24 +0200
Subject: [PATCH 1/6] [clang][analyzer] Add checker
@@ -0,0 +1,196 @@
+//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls
---===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM
Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier:
@@ -0,0 +1,185 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder
-verify %s
+
+typedef int uid_t;
+typedef int gid_t;
+
+int setuid(uid_t);
+int setgid(gid_t);
+int seteuid(uid_t);
+int setegid(gid_t);
+int setreuid(uid_t, uid_t);
+int
@@ -1179,6 +1179,34 @@ security.insecureAPI.DeprecatedOrUnsafeBufferHandling (C)
strncpy(buf, "a", 1); // warn
}
+security.SetgidSetuidOrder (C)
+""
balazske wrote:
Move the new checker into `unix`, or move the chroot checker
@@ -136,53 +100,48 @@ void ErrnoModeling::checkBeginFunction(CheckerContext )
const {
ASTContext = C.getASTContext();
ProgramStateRef State = C.getState();
- if (const auto *ErrnoVar = dyn_cast_or_null(ErrnoDecl)) {
-// There is an external 'errno' variable.
-
@@ -0,0 +1,197 @@
+//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls
---===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM
Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier:
@@ -0,0 +1,170 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder
-verify %s
+
+#include "Inputs/system-header-simulator-setgid-setuid.h"
+
+void correct_order() {
+ if (setgid(getgid()) == -1)
+return;
+ if (setuid(getuid()) == -1)
+
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/91445
From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Wed, 8 May 2024 10:10:24 +0200
Subject: [PATCH 1/5] [clang][analyzer] Add checker
balazske wrote:
Is it useful to add a note tag to the previous `setuid(getuid())` call? It can
be (theoretically) in another function or otherwise in a remote place in the
source code.
https://github.com/llvm/llvm-project/pull/91445
https://github.com/balazske deleted
https://github.com/llvm/llvm-project/pull/91445
@@ -0,0 +1,197 @@
+//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls
---===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM
Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier:
@@ -0,0 +1,197 @@
+//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls
---===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM
Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier:
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/91445
From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Wed, 8 May 2024 10:10:24 +0200
Subject: [PATCH 1/4] [clang][analyzer] Add checker
@@ -136,53 +100,48 @@ void ErrnoModeling::checkBeginFunction(CheckerContext )
const {
ASTContext = C.getASTContext();
ProgramStateRef State = C.getState();
- if (const auto *ErrnoVar = dyn_cast_or_null(ErrnoDecl)) {
-// There is an external 'errno' variable.
-
@@ -74,9 +73,13 @@ REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoRegion, const
MemRegion *)
REGISTER_TRAIT_WITH_PROGRAMSTATE(ErrnoState, errno_modeling::ErrnoCheckState)
-/// Search for a variable called "errno" in the AST.
-/// Return nullptr if not found.
-static const VarDecl
@@ -71,12 +71,9 @@ ProgramStateRef setErrnoState(ProgramStateRef State,
ErrnoCheckState EState);
/// Clear state of errno (make it irrelevant).
ProgramStateRef clearErrnoState(ProgramStateRef State);
-/// Determine if a `Decl` node related to 'errno'.
-/// This is true if
@@ -54,16 +59,10 @@ class ErrnoModeling
void checkLiveSymbols(ProgramStateRef State, SymbolReaper ) const;
bool evalCall(const CallEvent , CheckerContext ) const;
- // The declaration of an "errno" variable or "errno location" function.
- mutable const Decl *ErrnoDecl =
@@ -71,12 +71,9 @@ ProgramStateRef setErrnoState(ProgramStateRef State,
ErrnoCheckState EState);
/// Clear state of errno (make it irrelevant).
ProgramStateRef clearErrnoState(ProgramStateRef State);
-/// Determine if a `Decl` node related to 'errno'.
-/// This is true if
@@ -39,10 +39,15 @@ namespace {
// Name of the "errno" variable.
// FIXME: Is there a system where it is not called "errno" but is a variable?
const char *ErrnoVarName = "errno";
+
// Names of functions that return a location of the "errno" value.
// FIXME: Are there other
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/91445
From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Wed, 8 May 2024 10:10:24 +0200
Subject: [PATCH 1/3] [clang][analyzer] Add checker
@@ -0,0 +1,197 @@
+//===-- SetgidSetuidOrderChecker.cpp - check privilege revocation calls
---===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM
Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier:
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/91445
From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Wed, 8 May 2024 10:10:24 +0200
Subject: [PATCH 1/2] [clang][analyzer] Add checker
https://github.com/balazske created
https://github.com/llvm/llvm-project/pull/91445
From d839faf7a30851a172d812137b30635c741870f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Wed, 8 May 2024 10:10:24 +0200
Subject: [PATCH] [clang][analyzer] Add checker
https://github.com/balazske closed
https://github.com/llvm/llvm-project/pull/89247
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/89247
From 7138f026e845ebb4f1a3e6a86bdeb534d666ae7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Thu, 18 Apr 2024 16:40:03 +0200
Subject: [PATCH 1/5] [clang][analyzer] Move StreamChecker
https://github.com/balazske approved this pull request.
Probably add [clang] tag to the title.
https://github.com/llvm/llvm-project/pull/89837
balazske wrote:
A test is needed to make the change acceptable but I could not find an easy
case to provoke the situation. The problem looks to be related to this code:
```c++
using size_t = int;
template class tuple;
template
struct integral_constant
{
static constexpr T value = v;
https://github.com/balazske created
https://github.com/llvm/llvm-project/pull/89887
In some situations a new `VarTemplateSpecializationDecl` (for the same
template) can be added during import of another one. The "insert position" that
is used to insert the current object into the list of
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/89247
From 7138f026e845ebb4f1a3e6a86bdeb534d666ae7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Thu, 18 Apr 2024 16:40:03 +0200
Subject: [PATCH 1/4] [clang][analyzer] Move StreamChecker
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/89247
From 7138f026e845ebb4f1a3e6a86bdeb534d666ae7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Thu, 18 Apr 2024 16:40:03 +0200
Subject: [PATCH 1/3] [clang][analyzer] Move StreamChecker
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/89247
From 7138f026e845ebb4f1a3e6a86bdeb534d666ae7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Thu, 18 Apr 2024 16:40:03 +0200
Subject: [PATCH 1/2] [clang][analyzer] Move StreamChecker
@@ -48,7 +48,7 @@ Open Projects
(Difficulty: Medium)
- alpha.unix.StreamChecker
+ unix.StreamChecker
balazske wrote:
This section should be removed too. The problem is still not solved in the
mentioned way ("delayed split"). I do not
@@ -910,8 +910,8 @@ Unix Alpha Checkers
-
-alpha.unix.Stream
+
+unix.Stream
balazske wrote:
Probably the checker must be removed entirely from this file?
https://github.com/llvm/llvm-project/pull/89247
@@ -563,6 +563,20 @@ def MismatchedDeallocatorChecker :
Checker<"MismatchedDeallocator">,
Dependencies<[DynamicMemoryModeling]>,
Documentation;
+def StreamChecker : Checker<"Stream">,
+ HelpText<"Check stream handling functions">,
+
balazske wrote:
The checker is usable enough to move to non-alpha state.
This table contains some links to the results after the "Pedantic" option was
added. The "new reports" are the ones that got removed if the option is turned
on. At some projects there are still many results, for example
https://github.com/balazske created
https://github.com/llvm/llvm-project/pull/89247
From 7138f026e845ebb4f1a3e6a86bdeb534d666ae7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Thu, 18 Apr 2024 16:40:03 +0200
Subject: [PATCH] [clang][analyzer] Move StreamChecker
https://github.com/balazske closed
https://github.com/llvm/llvm-project/pull/87322
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/87322
From 79bbe640c0d60744f484db9965865455b0b15246 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Tue, 2 Apr 2024 09:59:48 +0200
Subject: [PATCH 1/3] [clang][analyzer] Add "pedantic" mode
balazske wrote:
> Unless you plan to add more heuristics, I'd prefer a more concrete option
> name, like AssumeSuccessfulWrites=true. This would better describe it imo.
I do not like totally the name "Pedantic", it could be
"AssumeOftenUncheckedOperationsMayFail". I am not sure if this
https://github.com/balazske created
https://github.com/llvm/llvm-project/pull/87322
The checker may create failure branches for all stream write operations only if
the new option "pedantic" is set to true.
Result of the write operations is often not checked in typical code. If failure
https://github.com/balazske closed
https://github.com/llvm/llvm-project/pull/86919
https://github.com/balazske closed
https://github.com/llvm/llvm-project/pull/83858
@@ -2515,6 +2517,53 @@ void CStringChecker::evalSprintfCommon(CheckerContext
, const CallEvent ,
C.addTransition(State);
}
+void CStringChecker::evalGetentropy(CheckerContext , const CallEvent )
const {
+ DestinationArgExpr Buffer = {{Call.getArgExpr(0), 0}};
+
https://github.com/balazske created
https://github.com/llvm/llvm-project/pull/86919
Until now function `fseek` returned nonzero on error, this is changed to -1
only. And it does not produce EOF error any more.
This complies better with the POSIX standard.
From
balazske wrote:
It looks like that this change causes crashes on many projects (curl, vim,
postgres, others) in `RAIIMutexDescriptor::initIdentifierInfo`.
https://github.com/llvm/llvm-project/pull/80029
@@ -376,3 +377,75 @@ void fflush_on_open_failed_stream(void) {
}
fclose(F);
}
+
+void getline_null_file() {
+ char *buffer = NULL;
+ size_t n = 0;
+ getline(, , NULL); // expected-warning {{Stream pointer might be
NULL}}
+}
+
+void getdelim_null_file() {
+ char
https://github.com/balazske approved this pull request.
I did not find more issues (at least in `StreamChecker` and its tests). But did
not check in detail the `UnixAPIChecker` part and tests.
https://github.com/llvm/llvm-project/pull/83027
@@ -376,3 +377,122 @@ void fflush_on_open_failed_stream(void) {
}
fclose(F);
}
+
+void getline_null_file() {
+ char *buffer = NULL;
+ size_t n = 0;
+ getline(, , NULL); // expected-warning {{Stream pointer might be
NULL}}
+}
+
+void getdelim_null_file() {
+ char
@@ -376,3 +377,122 @@ void fflush_on_open_failed_stream(void) {
}
fclose(F);
}
+
+void getline_null_file() {
+ char *buffer = NULL;
+ size_t n = 0;
+ getline(, , NULL); // expected-warning {{Stream pointer might be
NULL}}
+}
+
+void getdelim_null_file() {
+ char
@@ -376,3 +377,122 @@ void fflush_on_open_failed_stream(void) {
}
fclose(F);
}
+
+void getline_null_file() {
+ char *buffer = NULL;
+ size_t n = 0;
+ getline(, , NULL); // expected-warning {{Stream pointer might be
NULL}}
+}
+
+void getdelim_null_file() {
+ char
@@ -376,3 +377,122 @@ void fflush_on_open_failed_stream(void) {
}
fclose(F);
}
+
+void getline_null_file() {
+ char *buffer = NULL;
+ size_t n = 0;
+ getline(, , NULL); // expected-warning {{Stream pointer might be
NULL}}
+}
+
+void getdelim_null_file() {
+ char
@@ -376,3 +377,122 @@ void fflush_on_open_failed_stream(void) {
}
fclose(F);
}
+
+void getline_null_file() {
+ char *buffer = NULL;
+ size_t n = 0;
+ getline(, , NULL); // expected-warning {{Stream pointer might be
NULL}}
+}
+
+void getdelim_null_file() {
+ char
@@ -1204,6 +1204,20 @@ void StreamChecker::evalGetdelim(const FnDescription
*Desc,
State->BindExpr(E.CE, C.getLocationContext(), RetVal);
StateNotFailed =
E.assumeBinOpNN(StateNotFailed, BO_GE, RetVal, E.getZeroVal(Call));
+// The buffer size `*n` must
@@ -1217,6 +1231,11 @@ void StreamChecker::evalGetdelim(const FnDescription
*Desc,
E.isStreamEof() ? ErrorFEof : ErrorFEof | ErrorFError;
StateFailed = E.setStreamState(
StateFailed, StreamState::getOpened(Desc, NewES, !NewES.isFEof()));
+ // On failure, the
@@ -1204,6 +1204,20 @@ void StreamChecker::evalGetdelim(const FnDescription
*Desc,
State->BindExpr(E.CE, C.getLocationContext(), RetVal);
StateNotFailed =
E.assumeBinOpNN(StateNotFailed, BO_GE, RetVal, E.getZeroVal(Call));
+// The buffer size `*n` must
@@ -1179,6 +1195,113 @@ void StreamChecker::evalUngetc(const FnDescription
*Desc, const CallEvent ,
C.addTransition(StateFailed);
}
+ProgramStateRef StreamChecker::ensureGetdelimBufferAndSizeCorrect(
+SVal LinePtrPtrSVal, SVal SizePtrSVal, const Expr *LinePtrPtrExpr,
+
@@ -1204,6 +1204,20 @@ void StreamChecker::evalGetdelim(const FnDescription
*Desc,
State->BindExpr(E.CE, C.getLocationContext(), RetVal);
StateNotFailed =
E.assumeBinOpNN(StateNotFailed, BO_GE, RetVal, E.getZeroVal(Call));
+// The buffer size `*n` must
balazske wrote:
> @balazske Are you interested in refactoring the logic of
> `StdLibraryFunctionsChecker` into an API that can be used by separate
> checkers?
I could try it. It would solve at least the (dependency) difficulties related
to this checker. Probably the checker can remain and
balazske wrote:
> So, it seems removing them from `StdLibraryFunctionsChecker` is not out of
> the question. We can leave them together with other stream functions, or we
> could move them to `UnixAPIChecker`, which we have enabled downstream.
>
> I think the latter is a reasonable compromise
@@ -1090,7 +1090,8 @@ static bool isStandardNewDelete(const FunctionDecl *FD) {
// If the header for operator delete is not included, it's still defined
// in an invalid source location. Check to make sure we don't crash.
return !L.isValid() ||
-
@@ -83,6 +83,8 @@ class StateUpdateReporter {
AssumedUpperBound = UpperBoundVal;
}
+ bool assumedNonNegative() { return AssumedNonNegative; }
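Review bot: the accessor `assumedNonNegative()` added to `StateUpdateReporter` only returns the member `AssumedNonNegative` and does not modify the object, so it should be `const`-qualified (`bool assumedNonNegative() const { return AssumedNonNegative; }`) to remain callable through a const reporter.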
balazske wrote:
This should be called `getAssumedNonNegative` or `hasAssumedNonNegative` (but
the naming
https://github.com/balazske edited
https://github.com/llvm/llvm-project/pull/84201
https://github.com/balazske approved this pull request.
I am not totally sure but this looks correct with the new variable names and
there are some tests for the new case.
https://github.com/llvm/llvm-project/pull/84201
balazske wrote:
I want to avoid that some functions have null pointer checks in
`StreamChecker`, some not. If this change is merged then it would be good to
add null pointer checks to other functions like `fread` and `fwrite`. (Until
now only the NULL stream pointer was checked.)
@@ -1158,6 +1173,118 @@ void StreamChecker::evalUngetc(const FnDescription
*Desc, const CallEvent ,
C.addTransition(StateFailed);
}
+ProgramStateRef
+StreamChecker::ensurePtrNotNull(SVal PtrVal, const Expr *PtrExpr,
+CheckerContext ,
@@ -510,6 +517,14 @@ class StreamChecker : public Checkerhttps://github.com/llvm/llvm-project/pull/83027
@@ -1158,6 +1173,118 @@ void StreamChecker::evalUngetc(const FnDescription
*Desc, const CallEvent ,
C.addTransition(StateFailed);
}
+ProgramStateRef
+StreamChecker::ensurePtrNotNull(SVal PtrVal, const Expr *PtrExpr,
+CheckerContext ,
@@ -1158,6 +1173,118 @@ void StreamChecker::evalUngetc(const FnDescription
*Desc, const CallEvent ,
C.addTransition(StateFailed);
}
+ProgramStateRef
+StreamChecker::ensurePtrNotNull(SVal PtrVal, const Expr *PtrExpr,
+CheckerContext ,
@@ -1158,6 +1173,118 @@ void StreamChecker::evalUngetc(const FnDescription
*Desc, const CallEvent ,
C.addTransition(StateFailed);
}
+ProgramStateRef
+StreamChecker::ensurePtrNotNull(SVal PtrVal, const Expr *PtrExpr,
+CheckerContext ,
@@ -234,6 +235,9 @@ class StreamChecker : public Checkerhttps://github.com/llvm/llvm-project/pull/83027
https://github.com/balazske commented:
This functionality could be added to this checker, but to
`StdLibraryFunctionsChecker` too, and probably will be added at a time (summary
of `getdelim` is not accurate now in that checker). The same bug condition is
checked by two different checkers in
https://github.com/balazske edited
https://github.com/llvm/llvm-project/pull/83027
balazske wrote:
Additionally, the checked preconditions look not exact. For example the POSIX
documentation for `getdelim` says: "If *n is non-zero, the application shall
ensure that *lineptr either points to an object of size at least *n bytes, or
is a null pointer." This means `*lineptr`
https://github.com/balazske closed
https://github.com/llvm/llvm-project/pull/84191
balazske wrote:
`StreamChecker` still does not check for all possible NULL pointer errors. At
`fread` and `fwrite` for example there is no check for NULL buffer pointer. The
reason is that these are checked in `StdLibraryFunctionsChecker`. Probably it
would be better to add the checks for
balazske wrote:
The change looks correct, but it would be more accurate if 3 different index
error cases would be possible, index is too small (negative), too large, or can
be both too small and too large.
https://github.com/llvm/llvm-project/pull/84201
@@ -603,6 +611,8 @@ void ArrayBoundCheckerV2::performCheck(const Expr *E,
CheckerContext ) const {
auto [WithinUpperBound, ExceedsUpperBound] =
compareValueToThreshold(State, ByteOffset, *KnownSize, SVB);
+bool AssumedNonNegative = SUR.assumedNonNegative();
@@ -603,6 +611,8 @@ void ArrayBoundCheckerV2::performCheck(const Expr *E,
CheckerContext ) const {
auto [WithinUpperBound, ExceedsUpperBound] =
compareValueToThreshold(State, ByteOffset, *KnownSize, SVB);
+bool AssumedNonNegative = SUR.assumedNonNegative();
@@ -880,6 +883,24 @@ void StreamChecker::preReadWrite(const FnDescription *Desc,
}
}
+void StreamChecker::preWrite(const FnDescription *Desc, const CallEvent ,
balazske wrote:
The `CallDescriptionMap` was uncomfortable to handle because too many
https://github.com/balazske updated
https://github.com/llvm/llvm-project/pull/84191
From dbaf3348510582c013254ed48b69663b42816be0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?=
Date: Wed, 6 Mar 2024 16:01:01 +0100
Subject: [PATCH] [clang][analyzer] Fix StreamChecker `ftell`
https://github.com/balazske created
https://github.com/llvm/llvm-project/pull/84191
These functions should not be allowed if the file position is indeterminate
(they return the file position).
This condition is now checked, and tests are improved to check it.
From
balazske wrote:
Currently it looks OK to add `getentropy` to this checker because it is a
string related function in a way. Otherwise it looks like that many of the
checks (for buffer access, and buffer invalidations) that are implemented in
`CStringChecker` could be moved to
@@ -3020,44 +3020,82 @@ Check for misuses of stream APIs. Check for misuses of
stream APIs: ``fopen, fcl
alpha.unix.Stream (C)
"
-Check stream handling functions: ``fopen, tmpfile, fclose, fread, fwrite,
fseek, ftell, rewind, fgetpos,``
-``fsetpos,