From 3aa6f431897edf5fec32cbede8fcddbfb8fa16f7 Mon Sep 17 00:00:00 2001 From: Jordan Rose Date: Wed, 28 Aug 2013 17:07:04 +0000 Subject: [PATCH] [analyzer] Add support for testing the presence of weak functions. When casting the address of a FunctionTextRegion to bool, or when adding constraints to such an address, use a stand-in symbol to represent the presence or absence of the function if the function is weakly linked. This is groundwork for possible simple availability testing checks, and can already catch mistakes involving inverted null checks for weakly-linked functions. Currently, the implementation reuses the "extent" symbols, originally created for tracking the size of a malloc region. Since FunctionTextRegions cannot be dereferenced, the extent symbol will never be used for anything else. Still, this probably deserves a refactoring in the future. This patch does not attempt to support testing the presence of weak /variables/ (global variables), which would likely require much more of a change and a generalization of "region structure metadata", like the current "extents", vs. "region contents metadata", like CStringChecker's "string length". Patch by Richard ! git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@189492 91177308-0d34-0410-b5e6-96231b3b80d8 --- lib/StaticAnalyzer/Core/SValBuilder.cpp | 9 +- .../Core/SimpleConstraintManager.cpp | 59 +++------ .../Core/SimpleConstraintManager.h | 6 - lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp | 47 +++++-- lib/StaticAnalyzer/Core/SymbolManager.cpp | 3 + test/Analysis/weak-functions.c | 117 ++++++++++++++++++ 6 files changed, 174 insertions(+), 67 deletions(-) create mode 100644 test/Analysis/weak-functions.c diff --git a/lib/StaticAnalyzer/Core/SValBuilder.cpp b/lib/StaticAnalyzer/Core/SValBuilder.cpp index 6df8a901f4..d615d3f577 100644 --- a/lib/StaticAnalyzer/Core/SValBuilder.cpp +++ b/lib/StaticAnalyzer/Core/SValBuilder.cpp 
@@ -405,15 +405,18 @@ SVal SValBuilder::evalCast(SVal val, QualType castTy, QualType originalTy) { return val; if (val.isConstant()) return makeTruthVal(!val.isZeroConstant(), castTy); - if (SymbolRef Sym = val.getAsSymbol()) { + if (SymbolRef Sym = val.getAsSymbol(true)) { BasicValueFactory &BVF = getBasicValueFactory(); // FIXME: If we had a state here, we could see if the symbol is known to // be zero, but we don't. return makeNonLoc(Sym, BO_NE, BVF.getValue(0, Sym->getType()), castTy); } + // Loc values are not always true, they could be weakly linked functions. + if (Optional L = val.getAs()) + return evalCastFromLoc(*L, castTy); - assert(val.getAs() || val.getAs()); - return makeTruthVal(true, castTy); + Loc L = val.castAs().getLoc(); + return evalCastFromLoc(L, castTy); } // For const casts, casts to void, just propagate the value. diff --git a/lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp b/lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp index a06268dd33..e6653ae6e4 100644 --- a/lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp +++ b/lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp 
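Review bot: The last two lines of the boolean branch now rely on `castAs<nonloc::LocAsInteger>()` to enforce what the deleted assert used to spell out, so the invariant that only a `Loc` or a `LocAsInteger` can reach that point is no longer stated anywhere in the code; keeping it explicit costs one line before the cast, `assert(val.getAs<nonloc::LocAsInteger>() && "bool cast of a non-Loc, non-symbol value");`. The switch to `getAsSymbol(true)` also appears to route any pointer with a symbolic base through the `Sym != 0` path here, so the symbolic-region case that `evalCastFromLoc` handles would only be reached by direct callers of that function; if that is intended, a comment on the `if` such as `// Resolves base-region symbols too, so symbolic pointers are handled here rather than in evalCastFromLoc.` would save the next reader from tracing it. evalCast starts above this hunk and continues below it.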
@@ -68,51 +68,20 @@ bool SimpleConstraintManager::canReasonAbout(SVal X) const { ProgramStateRef SimpleConstraintManager::assume(ProgramStateRef state, DefinedSVal Cond, bool Assumption) { - if (Optional NV = Cond.getAs()) - return assume(state, *NV, Assumption); - return assume(state, Cond.castAs(), Assumption); -} - -ProgramStateRef SimpleConstraintManager::assume(ProgramStateRef state, Loc cond, - bool assumption) { - state = assumeAux(state, cond, assumption); - if (NotifyAssumeClients && SU) - return SU->processAssume(state, cond, assumption); - return state; -} - -ProgramStateRef SimpleConstraintManager::assumeAux(ProgramStateRef state, - Loc Cond, bool Assumption) { - switch (Cond.getSubKind()) { - default: - assert (false && "'Assume' not implemented for this Loc."); - return state; - - case loc::MemRegionKind: { - // FIXME: Should this go into the storemanager? - const MemRegion *R = Cond.castAs().getRegion(); - - // FIXME: now we only find the first symbolic region. - if (const SymbolicRegion *SymR = R->getSymbolicBase()) { - const llvm::APSInt &zero = getBasicVals().getZeroWithPtrWidth(); - if (Assumption) - return assumeSymNE(state, SymR->getSymbol(), zero, zero); - else - return assumeSymEQ(state, SymR->getSymbol(), zero, zero); - } - - // FALL-THROUGH. + // If we have a Loc value, cast it to a bool NonLoc first. + if (Optional LV = Cond.getAs()) { + SValBuilder &SVB = state->getStateManager().getSValBuilder(); + QualType T; + const MemRegion *MR = LV->getAsRegion(); + if (const TypedRegion *TR = dyn_cast_or_null(MR)) + T = TR->getLocationType(); + else + T = SVB.getContext().VoidPtrTy; + + Cond = SVB.evalCast(*LV, SVB.getContext().BoolTy, T).castAs(); } - case loc::GotoLabelKind: - return Assumption ? state : NULL; - - case loc::ConcreteIntKind: { - bool b = Cond.castAs().getValue() != 0; - bool isFeasible = b ? Assumption : !Assumption; - return isFeasible ? 
state : NULL; - } - } // end switch + return assume(state, Cond.castAs(), Assumption); } ProgramStateRef SimpleConstraintManager::assume(ProgramStateRef state, @@ -216,8 +185,8 @@ ProgramStateRef SimpleConstraintManager::assumeAux(ProgramStateRef state, } case nonloc::LocAsIntegerKind: - return assumeAux(state, Cond.castAs().getLoc(), - Assumption); + return assume(state, Cond.castAs().getLoc(), + Assumption); } // end switch } diff --git a/lib/StaticAnalyzer/Core/SimpleConstraintManager.h b/lib/StaticAnalyzer/Core/SimpleConstraintManager.h index 10ddef1341..28a9a4ded9 100644 --- a/lib/StaticAnalyzer/Core/SimpleConstraintManager.h +++ b/lib/StaticAnalyzer/Core/SimpleConstraintManager.h @@ -36,8 +36,6 @@ public: ProgramStateRef assume(ProgramStateRef state, DefinedSVal Cond, bool Assumption); - ProgramStateRef assume(ProgramStateRef state, Loc Cond, bool Assumption); - ProgramStateRef assume(ProgramStateRef state, NonLoc Cond, bool Assumption); ProgramStateRef assumeSymRel(ProgramStateRef state, @@ -86,10 +84,6 @@ protected: bool canReasonAbout(SVal X) const; - ProgramStateRef assumeAux(ProgramStateRef state, - Loc Cond, - bool Assumption); - ProgramStateRef assumeAux(ProgramStateRef state, NonLoc Cond, bool Assumption); diff --git a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp index 57ec282025..cc0ee0b5c7 100644 --- a/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp +++ b/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp 
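Review bot: Assume clients are now notified with the bool-cast NonLoc rather than the original Loc for every pointer condition, because `assume(DefinedSVal)` overwrites `Cond` with the result of `SVB.evalCast(...)` before calling the NonLoc overload, whereas the deleted `assume(Loc)` passed `cond` itself to `SU->processAssume()`; assuming the NonLoc overload notifies the same way the deleted one did, an `evalAssume` callback that inspected `Cond.getAsRegion()` or matched the Loc directly would observe a different value after this hunk. If that is accepted, it deserves a sentence at the cast site, e.g. `// Clients registered with SU see the bool-cast NonLoc, not the original Loc.`. The `void*` fallback for untyped regions, labels and concrete addresses exists only to feed evalCast's `originalTy` parameter, and saying so next to `T = SVB.getContext().VoidPtrTy;` would make the choice less mysterious.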
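Review bot: Replacing `assumeAux` with `assume` in the `nonloc::LocAsIntegerKind` case re-enters the notifying overload from inside `assumeAux`, so for a LocAsInteger condition `SU->processAssume()` appears to run twice: once in the nested `assume(NonLoc)` on the bool-cast value and again in the outer `assume(NonLoc)` that called `assumeAux` in the first place, each time with a different `Cond`. The old `assumeAux(Loc)` avoided this because it never notified. The Loc-to-bool conversion can be factored into a file-local helper so that both the public entry point and this case use it, with this case staying on the non-notifying path. The enclosing `assumeAux(NonLoc)` starts above this hunk.

```cpp
// Loc -> bool conversion shared by assume(DefinedSVal) and assumeAux(NonLoc).
// The region's location type (or void* when there is none) is only needed to
// feed evalCast's originalTy parameter.
static NonLoc locToBool(ProgramStateRef state, Loc L) {
  SValBuilder &SVB = state->getStateManager().getSValBuilder();
  QualType T;
  if (const TypedRegion *TR = dyn_cast_or_null<TypedRegion>(L.getAsRegion()))
    T = TR->getLocationType();
  else
    T = SVB.getContext().VoidPtrTy;
  return SVB.evalCast(L, SVB.getContext().BoolTy, T).castAs<NonLoc>();
}

// … unchanged: assume(DefinedSVal) replaces its inline cast with locToBool() …

  case nonloc::LocAsIntegerKind:
    // Stay on the assumeAux path so SU->processAssume() is not run a second
    // time for the same condition.
    return assumeAux(state,
                     locToBool(state,
                               Cond.castAs<nonloc::LocAsInteger>().getLoc()),
                     Assumption);
```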
@@ -137,6 +137,32 @@ SVal SimpleSValBuilder::evalCastFromLoc(Loc val, QualType castTy) { if (castTy->isUnionType()) return UnknownVal(); + // Casting a Loc to a bool will almost always be true, + // unless this is a weak function or a symbolic region. + if (castTy->isBooleanType()) { + switch (val.getSubKind()) { + case loc::MemRegionKind: { + const MemRegion *R = val.castAs().getRegion(); + if (const FunctionTextRegion *FTR = dyn_cast(R)) + if (const FunctionDecl *FD = dyn_cast(FTR->getDecl())) + if (FD->isWeak()) + // FIXME: Currently we are using an extent symbol here, + // because there are no generic region address metadata + // symbols to use, only content metadata. + return nonloc::SymbolVal(SymMgr.getExtentSymbol(FTR)); + + if (const SymbolicRegion *SymR = R->getSymbolicBase()) + return nonloc::SymbolVal(SymR->getSymbol()); + + // FALL-THROUGH + } + + case loc::GotoLabelKind: + // Labels and non symbolic memory regions are always true. + return makeTruthVal(true, castTy); + } + } + if (castTy->isIntegralOrEnumerationType()) { unsigned BitWidth = Context.getTypeSize(castTy); @@ -668,7 +694,7 @@ SVal SimpleSValBuilder::evalBinOpLL(ProgramStateRef state, if (Optional rInt = rhs.getAs()) { // If one of the operands is a symbol and the other is a constant, // build an expression for use by the constraint manager. - if (SymbolRef lSym = lhs.getAsLocSymbol()) + if (SymbolRef lSym = lhs.getAsLocSymbol(true)) return MakeSymIntVal(lSym, op, rInt->getValue(), resultTy); // Special case comparisons to NULL. 
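Review bot: The new boolean `switch` has cases only for `loc::MemRegionKind` and `loc::GotoLabelKind`, so a `loc::ConcreteInt` with a bool `castTy` falls out of the switch into the integral-conversion code below the hunk, which, if I recall that code correctly, narrows the address to the width of `bool` instead of testing it for zero; `SValBuilder::evalCast` filters constants before calling this function, so the paths touched by this patch do not hit it, but `evalCastFromLoc` is a public virtual and other callers can. Making the switch total is two lines: `case loc::ConcreteIntKind:` followed by `return makeTruthVal(val.castAs<loc::ConcreteInt>().getValue().getBoolValue(), castTy);`. The `// FALL-THROUGH` from the region case into the label case is fine but would read better as a `default:` that says what falls through. evalCastFromLoc starts above this hunk and continues below it.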
@@ -676,19 +702,14 @@ SVal SimpleSValBuilder::evalBinOpLL(ProgramStateRef state, // build constraints. The address of any non-symbolic region is guaranteed // to be non-NULL. if (rInt->isZeroConstant()) { - switch (op) { - default: - break; - case BO_Sub: + if (op == BO_Sub) return evalCastFromLoc(lhs, resultTy); - case BO_EQ: - case BO_LT: - case BO_LE: - return makeTruthVal(false, resultTy); - case BO_NE: - case BO_GT: - case BO_GE: - return makeTruthVal(true, resultTy); + + if (BinaryOperator::isComparisonOp(op)) { + QualType boolType = getContext().BoolTy; + NonLoc l = evalCastFromLoc(lhs, boolType).castAs(); + NonLoc r = makeTruthVal(false, boolType).castAs(); + return evalBinOpNN(state, op, l, r, resultTy); } } diff --git a/lib/StaticAnalyzer/Core/SymbolManager.cpp b/lib/StaticAnalyzer/Core/SymbolManager.cpp index 2fe599b67e..1b56f82dc6 100644 --- a/lib/StaticAnalyzer/Core/SymbolManager.cpp +++ b/lib/StaticAnalyzer/Core/SymbolManager.cpp @@ -435,6 +435,9 @@ bool SymbolReaper::isLiveRegion(const MemRegion *MR) { if (isa(MR)) return true; + if (isa(MR)) + return true; + return false; } diff --git a/test/Analysis/weak-functions.c b/test/Analysis/weak-functions.c new file mode 100644 index 0000000000..96e3b44d03 --- /dev/null +++ b/test/Analysis/weak-functions.c 
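Review bot: The context comment just above the `rInt->isZeroConstant()` test, "The address of any non-symbolic region is guaranteed to be non-NULL", is no longer true after this hunk, since the comparison is now delegated to `evalCastFromLoc`, which deliberately yields a symbol for a weakly linked function; the comment should say `// The address of any non-symbolic region is non-NULL, except for weakly linked functions, whose presence evalCastFromLoc models with a symbol.`. One consequence worth a line of documentation or a test: for a weak function the relational operators now become `OP` on the stand-in symbol against 0, and if that symbol has an unsigned size type (as the FIXME in evalCastFromLoc suggests) `weakFn < NULL` and `weakFn >= NULL` reduce to constants that happen to match the old table, while `weakFn > NULL` and `weakFn <= NULL` now depend on the presence assumption. evalBinOpLL starts above this hunk and continues below it.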
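Review bot: The new early return in `isLiveRegion` marks a whole region kind as always live without saying why, and the reason is not local to this file: the patch uses the extent symbol of a function region as the stand-in for the function's presence, so reaping that region would drop the constraint recorded by an earlier null check. A comment on the added `if` would tie the two together, e.g. `// Function regions are never reaped: their extent symbol stands in for the presence of a weakly linked function and must survive for the whole path.`. The template argument of the `isa<>` is not visible in my rendering of the hunk, so I cannot confirm which region class is meant; the comment should name it.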
@@ -0,0 +1,117 @@ +// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.core,debug.ExprInspection,unix.Malloc,unix.cstring,alpha.unix.cstring,unix.API,osx.API,osx.cocoa.RetainCount -Wno-null-dereference -analyzer-store=region -fblocks -verify %s +#define NULL 0 +void clang_analyzer_eval(int); +void myFunc(); +void myWeakFunc() __attribute__((weak_import)); + +void testWeakFuncIsNull() +{ + clang_analyzer_eval(myFunc == NULL); // expected-warning{{FALSE}} + clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{UNKNOWN}} + if (myWeakFunc == NULL) { + clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{TRUE}} + } else { + clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}} + } +} + +void testWeakFuncIsNot() +{ + clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{UNKNOWN}} + if (!myWeakFunc) { + clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{TRUE}} + } else { + clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}} + } +} + +void testWeakFuncIsTrue() +{ + clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{UNKNOWN}} + if (myWeakFunc) { + clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{FALSE}} + } else { + clang_analyzer_eval(myWeakFunc == NULL); // expected-warning{{TRUE}} + } +} + +//===----------------------------------------------------------------------=== +// func.c +//===----------------------------------------------------------------------=== +void f(void) __attribute__((weak_import)); +void g(void (*fp)(void)) __attribute__((weak_import)); + +void f(void) { + void (*p)(void); + p = f; + p = &f; + p(); + (*p)(); +} + +void g(void (*fp)(void)); + +void f2() { + g(f); +} + +void f3(void (*f)(void), void (*g)(void)) { + clang_analyzer_eval(!f); // expected-warning{{UNKNOWN}} + f(); + clang_analyzer_eval(!f); // expected-warning{{FALSE}} + + clang_analyzer_eval(!g); // expected-warning{{UNKNOWN}} + (*g)(); + clang_analyzer_eval(!g); // expected-warning{{FALSE}} 
+} + +//===----------------------------------------------------------------------=== +// free.c +//===----------------------------------------------------------------------=== +void free(void *) __attribute__((weak_import)); + +void t10 () { + free((void*)&t10); // expected-warning {{Argument to free() is the address of the function 't10', which is not memory allocated by malloc()}} +} + +//===----------------------------------------------------------------------=== +// string.c : strnlen() +//===----------------------------------------------------------------------=== +typedef typeof(sizeof(int)) size_t; +size_t strlen(const char *s) __attribute__((weak_import)); + +size_t strlen_fn() { + return strlen((char*)&strlen_fn); // expected-warning{{Argument to string length function is the address of the function 'strlen_fn', which is not a null-terminated string}} +} + +//===----------------------------------------------------------------------=== +// unix-fns.c : dispatch_once +//===----------------------------------------------------------------------=== +typedef void (^dispatch_block_t)(void); +typedef long dispatch_once_t; +void dispatch_once(dispatch_once_t *predicate, dispatch_block_t block) __attribute__((weak_import)); + +void test_dispatch_once() { + dispatch_once_t pred = 0; + do { if (__builtin_expect(*(&pred), ~0l) != ~0l) dispatch_once((&pred), (^() {})); } while (0); // expected-warning{{Call to 'dispatch_once' uses the local variable 'pred' for the predicate value}} +} +void test_dispatch_once_neg() { + static dispatch_once_t pred = 0; + do { if (__builtin_expect(*(&pred), ~0l) != ~0l) dispatch_once((&pred), (^() {})); } while (0); // no-warning +} + +//===----------------------------------------------------------------------=== +// retain-release-path-notes.m +//===----------------------------------------------------------------------=== +typedef struct CFType *CFTypeRef; +CFTypeRef CFCreateSomething() __attribute__((weak_import)); +CFTypeRef 
CFGetSomething() __attribute__((weak_import)); + +CFTypeRef CFCopyRuleViolation () { + CFTypeRef object = CFGetSomething(); + return object; // expected-warning{{Object with a +0 retain count returned to caller where a +1 (owning) retain count is expected}} +} + +CFTypeRef CFGetRuleViolation () { + CFTypeRef object = CFCreateSomething(); // expected-warning{{Potential leak of an object stored into 'object'}} + return object; } -- 2.40.0
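Review bot: The commit message says the change can already catch inverted null checks on weakly linked functions, but none of the new tests exercises that: every case only queries `clang_analyzer_eval` on both sides of the branch. A test of the form `if (myWeakFunc) return; myWeakFunc();` with the diagnostic that the core call checker produces on a null function pointer would pin down the motivating behaviour, and a declaration using `__attribute__((weak))` rather than `weak_import` would confirm that `FD->isWeak()` covers both spellings, which I believe it does. The section header `// string.c : strnlen()` does not match the test below it, which calls `strlen`; it should read `// string.c : strlen()`.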