[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-10-16 Thread Balázs Kéri via cfe-commits

https://github.com/balazske closed 
https://github.com/llvm/llvm-project/pull/66207
___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-10-16 Thread Balázs Kéri via cfe-commits

https://github.com/balazske reopened 
https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-10-16 Thread Balázs Kéri via cfe-commits

https://github.com/balazske closed 
https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-10-02 Thread Balázs Kéri via cfe-commits

balazske wrote:

@haoNoQ Could you check if this change is OK to merge?

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-10-02 Thread Balázs Kéri via cfe-commits

https://github.com/balazske updated 
https://github.com/llvm/llvm-project/pull/66207

From 5b9ad350fedad88a4d2ac93bafc29bae893c32e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20K=C3=A9ri?= 
Date: Wed, 13 Sep 2023 14:56:18 +0200
Subject: [PATCH 1/2] [clang][analyzer] Move checker
 alpha.unix.StdCLibraryFunctions out of alpha.

This checker can be good enough to move out of alpha.
I am not sure about the exact requirements; this review can be a place
for discussion about what should be fixed (if any).

Reviewed By: steakhal

Differential Revision: https://reviews.llvm.org/D152436
---
 clang/docs/ReleaseNotes.rst   |   2 +
 clang/docs/analyzer/checkers.rst  | 188 +-
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  43 ++--
 clang/test/Analysis/PR49642.c |   2 +-
 clang/test/Analysis/analyzer-config.c |   4 +-
 .../test/Analysis/analyzer-enabled-checkers.c |   1 +
 clang/test/Analysis/conversion.c  |   4 +-
 .../errno-stdlibraryfunctions-notes.c |   4 +-
 .../test/Analysis/errno-stdlibraryfunctions.c |   4 +-
 .../std-c-library-functions-POSIX-lookup.c|   6 +-
 ...ibrary-functions-POSIX-socket-sockaddr.cpp |   6 +-
 .../Analysis/std-c-library-functions-POSIX.c  |  12 +-
 ...ry-functions-arg-constraints-note-tags.cpp |   4 +-
 ...ibrary-functions-arg-constraints-notes.cpp |   4 +-
 ...functions-arg-constraints-tracking-notes.c |   2 +-
 .../std-c-library-functions-arg-constraints.c |   8 +-
 ...td-c-library-functions-arg-constraints.cpp |   2 +-
 ...library-functions-arg-cstring-dependency.c |   4 +-
 ...c-library-functions-arg-enabled-checkers.c |  10 +-
 .../std-c-library-functions-arg-weakdeps.c|  10 +-
 .../Analysis/std-c-library-functions-eof.c|  10 +-
 .../std-c-library-functions-inlined.c |  10 +-
 .../Analysis/std-c-library-functions-lookup.c |   4 +-
 .../std-c-library-functions-lookup.cpp|   4 +-
 .../std-c-library-functions-path-notes.c  |   4 +-
 .../std-c-library-functions-restrict.c|   4 +-
 .../std-c-library-functions-restrict.cpp  |   4 +-
 ...td-c-library-functions-vs-stream-checker.c |   8 +-
 clang/test/Analysis/std-c-library-functions.c |  12 +-
 .../test/Analysis/std-c-library-functions.cpp |   2 +-
 .../test/Analysis/std-c-library-posix-crash.c |   4 +-
 clang/test/Analysis/stream-errno-note.c   |   4 +-
 clang/test/Analysis/stream-errno.c|   4 +-
 clang/test/Analysis/stream-noopen.c   |   8 +-
 clang/test/Analysis/stream-note.c |   4 +-
 .../Analysis/stream-stdlibraryfunctionargs.c  |  10 +-
 clang/test/Analysis/weak-dependencies.c   |   2 +-
 37 files changed, 211 insertions(+), 207 deletions(-)

diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst
index 3cdad2f7b9f0e5a..dd10e707b2f561c 100644
--- a/clang/docs/ReleaseNotes.rst
+++ b/clang/docs/ReleaseNotes.rst
@@ -408,6 +408,8 @@ Static Analyzer
 - Added a new checker ``core.BitwiseShift`` which reports situations where
   bitwise shift operators produce undefined behavior (because some operand is
   negative or too large).
+- Move checker ``alpha.unix.StdCLibraryFunctions`` out of the ``alpha`` package
+  to ``unix.StdCLibraryFunctions``.
 
 .. _release-notes-sanitizers:
 
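Review bot: the verb tense of the new bullet does not match its neighbours; the entry directly above reads "Added a new checker ...", so this one should read "Moved checker ``alpha.unix.StdCLibraryFunctions`` out of the ``alpha`` package to ``unix.StdCLibraryFunctions``." Keeping the release notes in one tense makes the list easier to scan for users looking for renamed checkers.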
diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 54ea49e7426cc86..998a9e888f3a3b3 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -1026,6 +1026,100 @@ Check for null pointers being passed as arguments to C 
string functions:
return strlen(0); // warn
  }
 
+.. _unix-StdCLibraryFunctions:
+
+unix.StdCLibraryFunctions (C)
+"""
+Check for calls of standard library functions that violate predefined argument
+constraints. For example, it is stated in the C standard that for the ``int
+isalnum(int ch)`` function the behavior is undefined if the value of ``ch`` is
+not representable as unsigned char and is not equal to ``EOF``.
+
+.. code-block:: c
+
+  #define EOF -1
+  void test_alnum_concrete(int v) {
+int ret = isalnum(256); // \
+// warning: Function argument outside of allowed range
+(void)ret;
+  }
+
+  void buffer_size_violation(FILE *file) {
+enum { BUFFER_SIZE = 1024 };
+wchar_t wbuf[BUFFER_SIZE];
+
+const size_t size = sizeof(*wbuf);   // 4
+const size_t nitems = sizeof(wbuf);  // 4096
+
+// Below we receive a warning because the 3rd parameter should be the
+// number of elements to read, not the size in bytes. This case is a known
+// vulnerability described by the ARR38-C SEI-CERT rule.
+fread(wbuf, size, nitems, file);
+  }
+
+You can think of this checker as defining restrictions (pre- and 
postconditions)
+on standard library functions. Preconditions are checked, and when they are
+violated, a warning is emitted. Post conditions are added to the analysis, e.g.
+that the return value must be no greater than 

[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-10-02 Thread Balázs Kéri via cfe-commits


@@ -1026,6 +1026,100 @@ Check for null pointers being passed as arguments to C 
string functions:
return strlen(0); // warn
  }
 
+.. _unix-StdCLibraryFunctions:
+
+unix.StdCLibraryFunctions (C)
+"""
+Check for calls of standard library functions that violate predefined argument
+constraints. For example, it is stated in the C standard that for the ``int
+isalnum(int ch)`` function the behavior is undefined if the value of ``ch`` is
+not representable as unsigned char and is not equal to ``EOF``.
+
+.. code-block:: c
+
+  #define EOF -1
+  void test_alnum_concrete(int v) {
+int ret = isalnum(256); // \
+// warning: Function argument outside of allowed range
+(void)ret;
+  }
+
+  void buffer_size_violation(FILE *file) {
+enum { BUFFER_SIZE = 1024 };
+wchar_t wbuf[BUFFER_SIZE];
+
+const size_t size = sizeof(*wbuf);   // 4
+const size_t nitems = sizeof(wbuf);  // 4096
+
+// Below we receive a warning because the 3rd parameter should be the
+// number of elements to read, not the size in bytes. This case is a known
+// vulnerability described by the ARR38-C SEI-CERT rule.
+fread(wbuf, size, nitems, file);
+  }
+
+You can think of this checker as defining restrictions (pre- and 
postconditions)
+on standard library functions. Preconditions are checked, and when they are
+violated, a warning is emitted. Post conditions are added to the analysis, e.g.
+that the return value must be no greater than 255.
+
+For example if an argument to a function must be in between 0 and 255, but the
+value of the argument is unknown, the analyzer will conservatively assume that
+it is in this interval. Similarly, if a function mustn't be called with a null
+pointer and the null value of the argument can not be proven, the analyzer will
+assume that it is non-null.
+
+These are the possible checks on the values passed as function arguments:
+ - The argument has an allowed range (or multiple ranges) of values. The 
checker
+   can detect if a passed value is outside of the allowed range and show the
+   actual and allowed values.
+ - The argument has pointer type and is not allowed to be null pointer. Many
+   (but not all) standard functions can produce undefined behavior if a null
+   pointer is passed, these cases can be detected by the checker.
+ - The argument is a pointer to a memory block and the minimal size of this
+   buffer is determined by another argument to the function, or by
+   multiplication of two arguments (like at function ``fread``), or is a fixed
+   value (for example ``asctime_r`` requires at least a buffer of size 26). The
+   checker can detect if the buffer size is too small and in optimal case show
+   the size of the buffer and the values of the corresponding arguments.
+
+.. code-block:: c
+
+  int test_alnum_symbolic(int x) {
+int ret = isalnum(x);
+// after the call, ret is assumed to be in the range [-1, 255]
+
+if (ret > 255)  // impossible (infeasible branch)
+  if (x == 0)
+return ret / x; // division by zero is not reported
+return ret;
+  }
+
+Additionally to the argument and return value conditions, this checker also 
adds
+state of the value ``errno`` if applicable to the analysis. Many system
+functions set the ``errno`` value only if an error occurs (together with a
+specific return value of the function), otherwise it becomes undefined. This
+checker changes the analysis state to contain such information. This data is
+used by other checkers, for example :ref:`alpha-unix-Errno`.
+
+**Limitations**
+
+The checker can not always provide notes about the values of the arguments.
+Without this information it is hard to confirm if the constraint is indeed
+violated. The argument values are shown if they are known constants or the 
value
+is determined by previous (not too complicated) assumptions.
+
+The checker can produce false positives in cases such as if the program has
+invariants not known to the analyzer engine or the bug report path contains
+calls to unknown functions. In these cases the analyzer fails to detect the 
real
+range of the argument.
+
+**Parameters**
+
+The checker models functions (and emits diagnostics) from the C standard by
+default. The ``ModelPOSIX`` option enables modeling (and emit diagnostics) of
+additional functions that are defined in the POSIX standard. This option is
+disabled by default.
+
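Review bot: the `// 4` and `// 4096` comments in `buffer_size_violation` hard-code `sizeof(wchar_t) == 4`, which is not portable (on Windows targets `wchar_t` is 2 bytes, giving 2 and 2048); since the diagnostic does not depend on the concrete values (passing a byte count as the element count is the bug either way), consider dropping the numbers or qualifying them, e.g. `const size_t size = sizeof(*wbuf); // 4 on typical Unix-like targets`. In the same code block, `#define EOF -1` redefines a standard macro instead of including `<stdio.h>` and `<ctype.h>`, and `test_alnum_concrete(int v)` never uses `v`; both will confuse readers who copy the snippet. Smaller wording points in the prose that follows: "Additionally to the argument and return value conditions" should be "In addition to the argument and return value conditions", "The argument has pointer type and is not allowed to be null pointer" should be "is not allowed to be a null pointer", and in the Parameters paragraph "enables modeling (and emit diagnostics)" should be "enables modeling (and emitting diagnostics)". The cross-reference `:ref:\`alpha-unix-Errno\`` should be checked against the label that actually exists for the `alpha.unix.Errno` section after this move, since a dangling ref only shows up when the HTML is generated.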

balazske wrote:

If I remember correctly, the list of functions was already rejected by reviewers 
(because of maintenance problems). Otherwise I think it is good to have an exact 
list of modeled functions. 

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-29 Thread Balazs Benics via cfe-commits


@@ -532,6 +532,27 @@ def MismatchedDeallocatorChecker : 
Checker<"MismatchedDeallocator">,
   Dependencies<[DynamicMemoryModeling]>,
   Documentation;
 
+def StdCLibraryFunctionsChecker : Checker<"StdCLibraryFunctions">,
+  HelpText<"Check for invalid arguments of C standard library functions, "
+   "and apply relations between arguments and return value">,
+  CheckerOptions<[
+CmdLineOptionhttps://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-29 Thread Balazs Benics via cfe-commits


@@ -1026,6 +1026,100 @@ Check for null pointers being passed as arguments to C 
string functions:
return strlen(0); // warn
  }
 
+.. _unix-StdCLibraryFunctions:
+
+unix.StdCLibraryFunctions (C)
+"""
+Check for calls of standard library functions that violate predefined argument
+constraints. For example, it is stated in the C standard that for the ``int
+isalnum(int ch)`` function the behavior is undefined if the value of ``ch`` is
+not representable as unsigned char and is not equal to ``EOF``.

steakhal wrote:

Char and unsigned are not escaped like we usually do for code.

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-29 Thread Balazs Benics via cfe-commits


@@ -1026,6 +1026,100 @@ Check for null pointers being passed as arguments to C 
string functions:
return strlen(0); // warn
  }
 
+.. _unix-StdCLibraryFunctions:
+
+unix.StdCLibraryFunctions (C)
+"""
+Check for calls of standard library functions that violate predefined argument
+constraints. For example, it is stated in the C standard that for the ``int
+isalnum(int ch)`` function the behavior is undefined if the value of ``ch`` is

steakhal wrote:

The grammar feels odd here.

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-29 Thread Balazs Benics via cfe-commits


@@ -1026,6 +1026,100 @@ Check for null pointers being passed as arguments to C 
string functions:
return strlen(0); // warn
  }
 
+.. _unix-StdCLibraryFunctions:
+
+unix.StdCLibraryFunctions (C)
+"""

steakhal wrote:

Align this with the section title.

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-29 Thread Balazs Benics via cfe-commits


@@ -2651,100 +2745,6 @@ For a more detailed description of configuration 
options, please see the
 alpha.unix
 ^^^

steakhal wrote:

As we are here, could you align this with its section title as well?

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-29 Thread Balazs Benics via cfe-commits


@@ -1026,6 +1026,100 @@ Check for null pointers being passed as arguments to C 
string functions:
return strlen(0); // warn
  }
 
+.. _unix-StdCLibraryFunctions:
+
+unix.StdCLibraryFunctions (C)
+"""
+Check for calls of standard library functions that violate predefined argument
+constraints. For example, it is stated in the C standard that for the ``int
+isalnum(int ch)`` function the behavior is undefined if the value of ``ch`` is
+not representable as unsigned char and is not equal to ``EOF``.
+
+.. code-block:: c
+
+  #define EOF -1
+  void test_alnum_concrete(int v) {
+int ret = isalnum(256); // \
+// warning: Function argument outside of allowed range
+(void)ret;
+  }
+
+  void buffer_size_violation(FILE *file) {
+enum { BUFFER_SIZE = 1024 };
+wchar_t wbuf[BUFFER_SIZE];
+
+const size_t size = sizeof(*wbuf);   // 4
+const size_t nitems = sizeof(wbuf);  // 4096
+
+// Below we receive a warning because the 3rd parameter should be the
+// number of elements to read, not the size in bytes. This case is a known
+// vulnerability described by the ARR38-C SEI-CERT rule.
+fread(wbuf, size, nitems, file);
+  }
+
+You can think of this checker as defining restrictions (pre- and 
postconditions)
+on standard library functions. Preconditions are checked, and when they are
+violated, a warning is emitted. Post conditions are added to the analysis, e.g.
+that the return value must be no greater than 255.
+
+For example if an argument to a function must be in between 0 and 255, but the
+value of the argument is unknown, the analyzer will conservatively assume that
+it is in this interval. Similarly, if a function mustn't be called with a null
+pointer and the null value of the argument can not be proven, the analyzer will
+assume that it is non-null.
+
+These are the possible checks on the values passed as function arguments:
+ - The argument has an allowed range (or multiple ranges) of values. The 
checker
+   can detect if a passed value is outside of the allowed range and show the
+   actual and allowed values.
+ - The argument has pointer type and is not allowed to be null pointer. Many
+   (but not all) standard functions can produce undefined behavior if a null
+   pointer is passed, these cases can be detected by the checker.
+ - The argument is a pointer to a memory block and the minimal size of this
+   buffer is determined by another argument to the function, or by
+   multiplication of two arguments (like at function ``fread``), or is a fixed
+   value (for example ``asctime_r`` requires at least a buffer of size 26). The
+   checker can detect if the buffer size is too small and in optimal case show
+   the size of the buffer and the values of the corresponding arguments.
+
+.. code-block:: c
+
+  int test_alnum_symbolic(int x) {
+int ret = isalnum(x);
+// after the call, ret is assumed to be in the range [-1, 255]
+
+if (ret > 255)  // impossible (infeasible branch)
+  if (x == 0)
+return ret / x; // division by zero is not reported
+return ret;
+  }
+
+Additionally to the argument and return value conditions, this checker also 
adds
+state of the value ``errno`` if applicable to the analysis. Many system
+functions set the ``errno`` value only if an error occurs (together with a
+specific return value of the function), otherwise it becomes undefined. This
+checker changes the analysis state to contain such information. This data is
+used by other checkers, for example :ref:`alpha-unix-Errno`.
+
+**Limitations**
+
+The checker can not always provide notes about the values of the arguments.
+Without this information it is hard to confirm if the constraint is indeed
+violated. The argument values are shown if they are known constants or the 
value
+is determined by previous (not too complicated) assumptions.
+
+The checker can produce false positives in cases such as if the program has
+invariants not known to the analyzer engine or the bug report path contains
+calls to unknown functions. In these cases the analyzer fails to detect the 
real
+range of the argument.
+
+**Parameters**
+
+The checker models functions (and emits diagnostics) from the C standard by
+default. The ``ModelPOSIX`` option enables modeling (and emit diagnostics) of
+additional functions that are defined in the POSIX standard. This option is
+disabled by default.
+

steakhal wrote:

Do you think we should have an exhaustive list of the modeled functions here, 
or that wouldn't be useful?

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-29 Thread Balazs Benics via cfe-commits


@@ -1026,6 +1026,100 @@ Check for null pointers being passed as arguments to C 
string functions:
return strlen(0); // warn
  }
 
+.. _unix-StdCLibraryFunctions:
+
+unix.StdCLibraryFunctions (C)
+"""
+Check for calls of standard library functions that violate predefined argument
+constraints. For example, it is stated in the C standard that for the ``int
+isalnum(int ch)`` function the behavior is undefined if the value of ``ch`` is
+not representable as unsigned char and is not equal to ``EOF``.
+
+.. code-block:: c
+
+  #define EOF -1
+  void test_alnum_concrete(int v) {
+int ret = isalnum(256); // \
+// warning: Function argument outside of allowed range
+(void)ret;
+  }
+
+  void buffer_size_violation(FILE *file) {
+enum { BUFFER_SIZE = 1024 };
+wchar_t wbuf[BUFFER_SIZE];
+
+const size_t size = sizeof(*wbuf);   // 4
+const size_t nitems = sizeof(wbuf);  // 4096
+
+// Below we receive a warning because the 3rd parameter should be the
+// number of elements to read, not the size in bytes. This case is a known
+// vulnerability described by the ARR38-C SEI-CERT rule.
+fread(wbuf, size, nitems, file);
+  }
+
+You can think of this checker as defining restrictions (pre- and 
postconditions)
+on standard library functions. Preconditions are checked, and when they are
+violated, a warning is emitted. Post conditions are added to the analysis, e.g.

steakhal wrote:

Here "post condition" is spelled as separate words, while previously there was 
a hyphen between the words.

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-29 Thread Balazs Benics via cfe-commits

https://github.com/steakhal approved this pull request.

I didn't spend much time on this, but I think it should be good.
Please check the docs with Grammarly to catch mistakes.
Also, please generate the HTML for the rst to verify how it looks.

I'm not sure if the release docs mention this, but they definitely should. Make 
sure that's the case.

I approve this, assuming that these wrinkles are ironed.

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-29 Thread Balazs Benics via cfe-commits

https://github.com/steakhal edited 
https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-22 Thread via cfe-commits

https://github.com/DonatNagyE approved this pull request.

Based on these clean test results I'd say that it's safe to move this checker 
out of alpha.

@haoNoQ @steakhal Do you have any objections?

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-22 Thread via cfe-commits

DonatNagyE wrote:

I tested this commit on several open-source projects, comparing it and its 
parent with a configuration that enables the non-alpha checkers (so 
StdCLibraryFunctions becomes enabled when this commit moves it out of alpha).

The results show that this checker doesn't produce random noise and can provide 
some useful results:
| Project | New reports | Lost reports | Changes |
| --- | --- | --- | --- |
| memcached | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=memcached_1.6.8_baseline=memcached_1.6.8_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=memcached_1.6.8_baseline=memcached_1.6.8_with_std_library_functions=on=Resolved) | no effect |
| tmux | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=tmux_2.6_baseline=tmux_2.6_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=tmux_2.6_baseline=tmux_2.6_with_std_library_functions=on=Resolved) | no effect |
| twin | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=twin_v0.8.1_baseline=twin_v0.8.1_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=twin_v0.8.1_baseline=twin_v0.8.1_with_std_library_functions=on=Resolved) | no effect |
| vim | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=vim_v8.2.1920_baseline=vim_v8.2.1920_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=vim_v8.2.1920_baseline=vim_v8.2.1920_with_std_library_functions=on=Resolved) | no effect |
| openssl | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=openssl_openssl-3.0.0-alpha7_baseline=openssl_openssl-3.0.0-alpha7_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=openssl_openssl-3.0.0-alpha7_baseline=openssl_openssl-3.0.0-alpha7_with_std_library_functions=on=Resolved) | no effect |
| sqlite | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=sqlite_version-3.33.0_baseline=sqlite_version-3.33.0_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=sqlite_version-3.33.0_baseline=sqlite_version-3.33.0_with_std_library_functions=on=Resolved) | no effect |
| ffmpeg | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=ffmpeg_n4.3.1_baseline=ffmpeg_n4.3.1_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=ffmpeg_n4.3.1_baseline=ffmpeg_n4.3.1_with_std_library_functions=on=Resolved) | no effect |
| postgres | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=postgres_REL_13_0_baseline=postgres_REL_13_0_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=postgres_REL_13_0_baseline=postgres_REL_13_0_with_std_library_functions=on=Resolved) | 5 new TPs [1] |
| tinyxml2 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=tinyxml2_8.0.0_baseline=tinyxml2_8.0.0_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=tinyxml2_8.0.0_baseline=tinyxml2_8.0.0_with_std_library_functions=on=Resolved) | no effect |
| libwebm | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=libwebm_libwebm-1.0.0.27_baseline=libwebm_libwebm-1.0.0.27_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=libwebm_libwebm-1.0.0.27_baseline=libwebm_libwebm-1.0.0.27_with_std_library_functions=on=Resolved) | no effect |
| xerces | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=xerces_v3.2.3_baseline=xerces_v3.2.3_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=xerces_v3.2.3_baseline=xerces_v3.2.3_with_std_library_functions=on=Resolved) | no effect |
| bitcoin | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=bitcoin_v0.20.1_baseline=bitcoin_v0.20.1_with_std_library_functions=on=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=bitcoin_v0.20.1_baseline=bitcoin_v0.20.1_with_std_library_functions=on=Resolved) | no effect |
| protobuf | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=protobuf_v3.13.0_baseline=protobuf_v3.13.0_with_std_library_functions=on=New) | [Lost

[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-19 Thread via cfe-commits

https://github.com/DonatNagyE edited 
https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-19 Thread via cfe-commits


@@ -1026,6 +1026,100 @@ Check for null pointers being passed as arguments to C 
string functions:
return strlen(0); // warn
  }
 
+.. _unix-StdCLibraryFunctions:
+
+unix.StdCLibraryFunctions (C)
+"""
+Check for calls of standard library functions that violate predefined argument
+constraints. For example, it is stated in the C standard that for the ``int
+isalnum(int ch)`` function the behavior is undefined if the value of ``ch`` is
+not representable as unsigned char and is not equal to ``EOF``.
+
+.. code-block:: c
+
+  #define EOF -1
+  void test_alnum_concrete(int v) {
+int ret = isalnum(256); // \
+// warning: Function argument outside of allowed range
+(void)ret;
+  }
+
+  void buffer_size_violation(FILE *file) {
+enum { BUFFER_SIZE = 1024 };
+wchar_t wbuf[BUFFER_SIZE];
+
+const size_t size = sizeof(*wbuf);   // 4
+const size_t nitems = sizeof(wbuf);  // 4096
+
+// Below we receive a warning because the 3rd parameter should be the
+// number of elements to read, not the size in bytes. This case is a known
+// vulnerability described by the ARR38-C SEI-CERT rule.
+fread(wbuf, size, nitems, file);
+  }
+
+You can think of this checker as defining restrictions (pre- and 
postconditions)
+on standard library functions. Preconditions are checked, and when they are
+violated, a warning is emitted. Post conditions are added to the analysis, e.g.
+that the return value must be no greater than 255.
+
+For example if an argument to a function must be in between 0 and 255, but the
+value of the argument is unknown, the analyzer will conservatively assume that
+it is in this interval. Similarly, if a function mustn't be called with a null
+pointer and the null value of the argument can not be proven, the analyzer will
+assume that it is non-null.

DonatNagyE wrote:

```suggestion
pointer and the analyzer cannot prove that it is null, then it will assume that
it is non-null.
```
"can not be proven" is stronger than "the analyzer cannot prove it"

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-19 Thread via cfe-commits


@@ -1026,6 +1026,100 @@ Check for null pointers being passed as arguments to C 
string functions:
return strlen(0); // warn
  }
 
+.. _unix-StdCLibraryFunctions:
+
+unix.StdCLibraryFunctions (C)
+"""
+Check for calls of standard library functions that violate predefined argument
+constraints. For example, it is stated in the C standard that for the ``int
+isalnum(int ch)`` function the behavior is undefined if the value of ``ch`` is
+not representable as unsigned char and is not equal to ``EOF``.
+
+.. code-block:: c
+
+  #define EOF -1
+  void test_alnum_concrete(int v) {
+int ret = isalnum(256); // \
+// warning: Function argument outside of allowed range
+(void)ret;
+  }
+
+  void buffer_size_violation(FILE *file) {
+enum { BUFFER_SIZE = 1024 };
+wchar_t wbuf[BUFFER_SIZE];
+
+const size_t size = sizeof(*wbuf);   // 4
+const size_t nitems = sizeof(wbuf);  // 4096
+
+// Below we receive a warning because the 3rd parameter should be the
+// number of elements to read, not the size in bytes. This case is a known
+// vulnerability described by the ARR38-C SEI-CERT rule.
+fread(wbuf, size, nitems, file);
+  }
+
+You can think of this checker as defining restrictions (pre- and 
postconditions)
+on standard library functions. Preconditions are checked, and when they are
+violated, a warning is emitted. Post conditions are added to the analysis, e.g.
+that the return value must be no greater than 255.

DonatNagyE wrote:

"the return value" of what? I think a function name is missing here.

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-19 Thread via cfe-commits

https://github.com/DonatNagyE commented:

(I started to nitpick the documentation text before I realized that it's just 
old content moved in from elsewhere. Probably it's better to handle these in a 
separate commit.)

https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-13 Thread Balázs Kéri via cfe-commits

https://github.com/balazske review_requested 
https://github.com/llvm/llvm-project/pull/66207


[clang] [clang][analyzer] Move checker alpha.unix.StdCLibraryFunctions out of alpha. (PR #66207)

2023-09-13 Thread Balázs Kéri via cfe-commits

https://github.com/balazske review_requested 
https://github.com/llvm/llvm-project/pull/66207