<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><br><div><div>On Oct 29, 2012, at 15:51 , Anna Zaks <<a href="mailto:ganna@apple.com">ganna@apple.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Author: zaks<br>Date: Mon Oct 29 17:51:50 2012<br>New Revision: 166976<br><br>URL: <a href="http://llvm.org/viewvc/llvm-project?rev=166976&view=rev">http://llvm.org/viewvc/llvm-project?rev=166976&view=rev</a><br>Log:<br>[analyzer] Add SimpleStreamChecker.<br><br>This is an example checker for catching fopen fclose API misuses.<br><br>Added:<br> cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp<br> cfe/trunk/test/Analysis/simple-stream-checks.c<br>Modified:<br> cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt<br> cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td<br><br>Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt<br>URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt?rev=166976&r1=166975&r2=166976&view=diff">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt?rev=166976&r1=166975&r2=166976&view=diff</a><br>==============================================================================<br>--- cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt (original)<br>+++ cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt Mon Oct 29 17:51:50 2012<br>@@ -31,6 +31,7 @@<br> DivZeroChecker.cpp<br> DynamicTypePropagation.cpp<br> ExprInspectionChecker.cpp<br>+ SimpleStreamChecker.cpp<br> FixedAddressChecker.cpp<br> GenericTaintChecker.cpp<br> IdempotentOperationChecker.cpp<br></blockquote><div><br></div><div>This list is supposed to be alphabetical (for convenience, not correctness).</div><div><br></div><br><blockquote type="cite">Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td<br>URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td?rev=166976&r1=166975&r2=166976&view=diff">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td?rev=166976&r1=166975&r2=166976&view=diff</a><br>==============================================================================<br>--- cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td (original)<br>+++ cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td Mon Oct 29 17:51:50 2012<br>@@ -303,6 +303,10 @@<br> HelpText<"Check stream handling functions">,<br> DescFile<"StreamChecker.cpp">;<br><br>+def SimpleStreamChecker : Checker<"SimpleStream">,<br>+ HelpText<"Check for misuses of stream APIs">,<br>+ DescFile<"SimpleStreamChecker.cpp">;<br>+<br> } // end "alpha.unix"<br><br> let ParentPackage = CString in {<br><br>Added: cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp<br>URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp?rev=166976&view=auto">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp?rev=166976&view=auto</a><br>==============================================================================<br>--- cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp (added)<br>+++ cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp Mon Oct 29 17:51:50 2012<br>@@ -0,0 +1,229 @@<br>+//===-- SimpleStreamChecker.cpp -----------------------------------------*- C++ -*--//<br>+//<br>+// The LLVM Compiler Infrastructure<br>+//<br>+// This file is distributed under the University of Illinois Open Source<br>+// License. See LICENSE.TXT for details.<br>+//<br>+//===----------------------------------------------------------------------===//<br>+//<br>+// Defines a checker for proper use of fopen/fclose APIs.<br>+// - If a file has been closed with fclose, it should not be accessed again.<br>+// Accessing a closed file results in undefined behavior.<br>+// - If a file was opened with fopen, it must be closed with fclose before<br>+// the execution ends. Failing to do so results in a resource leak.<br>+//<br>+//===----------------------------------------------------------------------===//<br>+<br>+#include "ClangSACheckers.h"<br>+#include "clang/StaticAnalyzer/Core/Checker.h"<br>+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"<br>+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"<br>+<br>+using namespace clang;<br>+using namespace ento;<br>+<br>+namespace {<br>+typedef llvm::SmallVector<SymbolRef, 2> SymbolVector;<br>+<br>+struct StreamState {<br>+ enum Kind { Opened, Closed } K;<br>+<br>+ StreamState(Kind InK) : K(InK) { }<br>+<br>+ bool isOpened() const { return K == Opened; }<br>+ bool isClosed() const { return K == Closed; }<br>+<br>+ static StreamState getOpened() { return StreamState(Opened); }<br>+ static StreamState getClosed() { return StreamState(Closed); }<br>+<br>+ bool operator==(const StreamState &X) const {<br>+ return K == X.K;<br>+ }<br>+ void Profile(llvm::FoldingSetNodeID &ID) const {<br>+ ID.AddInteger(K);<br>+ }<br>+};<br>+<br>+class SimpleStreamChecker: public Checker<check::PostStmt<CallExpr>,<br>+ check::PreStmt<CallExpr>,<br>+ check::DeadSymbols,<br>+ eval::Assume > {<br>+<br>+ mutable IdentifierInfo *IIfopen, *IIfclose;<br>+<br>+ mutable OwningPtr<BugType> DoubleCloseBugType;<br>+ mutable OwningPtr<BugType> LeakBugType;<br>+<br>+ void initIdentifierInfo(ASTContext &Ctx) const;<br>+<br>+ void reportDoubleClose(SymbolRef FileDescSym,<br>+ const CallExpr *Call,<br>+ CheckerContext &C) const;<br>+<br>+ ExplodedNode *reportLeaks(SymbolVector LeakedStreams,<br>+ CheckerContext &C) const;<br>+<br>+public:<br>+ SimpleStreamChecker() : IIfopen(0), IIfclose(0) {}<br>+<br>+ /// Process fopen.<br>+ void checkPostStmt(const CallExpr *Call, CheckerContext &C) const;<br>+ /// Process fclose.<br>+ void checkPreStmt(const CallExpr *Call, CheckerContext &C) const;<br>+<br>+ void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;<br>+ ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,<br>+ bool Assumption) const;<br>+<br>+};<br>+<br>+} // end anonymous namespace<br>+<br>+/// The state of the checker is a map from tracked stream symbols to their<br>+/// state. Let's store it in the GDM.<br>+REGISTER_MAP_WITH_GDM(StreamMap, SymbolRef, StreamState)<br>+<br>+void SimpleStreamChecker::checkPostStmt(const CallExpr *Call,<br>+ CheckerContext &C) const {<br>+ initIdentifierInfo(C.getASTContext());<br>+<br>+ if (C.getCalleeIdentifier(Call) != IIfopen)<br>+ return;<br>+<br>+ // Get the symbolic value corresponding to the file handle.<br>+ SymbolRef FileDesc = C.getSVal(Call).getAsSymbol();<br>+ if (!FileDesc)<br>+ return;<br>+<br>+ // Generate the next transition (an edge in the exploded graph).<br>+ ProgramStateRef State = C.getState();<br>+ State = State->set<StreamMap>(FileDesc, StreamState::getOpened());<br>+ C.addTransition(State);<br>+}<br>+<br>+void SimpleStreamChecker::checkPreStmt(const CallExpr *Call,<br>+ CheckerContext &C) const {<br>+ initIdentifierInfo(C.getASTContext());<br>+<br>+ if (C.getCalleeIdentifier(Call) != IIfclose)<br>+ return;<br>+ if (Call->getNumArgs() != 1)<br>+ return;<br>+<br>+ // Get the symbolic value corresponding to the file handle.<br>+ SymbolRef FileDesc = C.getSVal(Call->getArg(0)).getAsSymbol();<br>+ if (!FileDesc)<br>+ return;<br>+<br>+ // Check if the stream has already been closed.<br>+ ProgramStateRef State = C.getState();<br>+ const StreamState *SS = State->get<StreamMap>(FileDesc);<br>+ if (SS && SS->isClosed())<br>+ reportDoubleClose(FileDesc, Call, C);<br>+<br>+ // Generate the next transition, in which the stream is closed.<br>+ State = State->set<StreamMap>(FileDesc, StreamState::getClosed());<br>+ C.addTransition(State);<br>+}<br>+<br>+void SimpleStreamChecker::checkDeadSymbols(SymbolReaper &SymReaper,<br>+ CheckerContext &C) const {<br>+ ProgramStateRef State = C.getState();<br>+ StreamMap TrackedStreams = State->get<StreamMap>();<br>+ SymbolVector LeakedStreams;<br>+ for (StreamMap::iterator I = TrackedStreams.begin(),<br>+ E = TrackedStreams.end(); I != E; ++I) {<br>+ SymbolRef Sym = I->first;<br>+ if (SymReaper.isDead(Sym)) {<br>+ const StreamState &SS = I->second;<br>+ if (SS.isOpened())<br>+ LeakedStreams.push_back(Sym);<br>+<br>+ // Remove the dead symbol from the streams map.<br>+ State = State->remove<StreamMap>(Sym);<br>+ }<br>+ }<br>+<br>+ ExplodedNode *N = reportLeaks(LeakedStreams, C);<br>+ C.addTransition(State, N);<br>+}<br>+<br>+// If a symbolic region is assumed to NULL (or another constant), stop tracking<br>+// it - assuming that allocation failed on this path.<br>+ProgramStateRef SimpleStreamChecker::evalAssume(ProgramStateRef State,<br>+ SVal Cond,<br>+ bool Assumption) const {<br>+ StreamMap TrackedStreams = State->get<StreamMap>();<br>+ SymbolVector LeakedStreams;<br>+ for (StreamMap::iterator I = TrackedStreams.begin(),<br>+ E = TrackedStreams.end(); I != E; ++I) {<br>+ SymbolRef Sym = I->first;<br>+ if (State->getConstraintManager().isNull(State, Sym).isTrue())<br>+ State = State->remove<StreamMap>(Sym);<br>+ }<br>+ return State;<br>+}<br>+<br>+void SimpleStreamChecker::reportDoubleClose(SymbolRef FileDescSym,<br>+ const CallExpr *CallExpr,<br>+ CheckerContext &C) const {<br>+ // We reached a bug, stop exploring the path here by generating a sink.<br>+ ExplodedNode *ErrNode = C.generateSink();<br>+ // If this error node already exists, return.<br>+ if (!ErrNode)<br>+ return;<br>+<br>+ // Initialize the bug type.<br>+ if (!DoubleCloseBugType)<br>+ DoubleCloseBugType.reset(new BugType("Double fclose",<br>+ "Unix Stream API Error"));<br>+ // Generate the report.<br>+ BugReport *R = new BugReport(*DoubleCloseBugType,<br>+ "Closing a previously closed file stream", ErrNode);<br>+ R->addRange(CallExpr->getSourceRange());<br>+ R->markInteresting(FileDescSym);<br>+ C.EmitReport(R);<br>+}<br>+<br>+ExplodedNode *SimpleStreamChecker::reportLeaks(SymbolVector LeakedStreams,<br>+ CheckerContext &C) const {<br>+ ExplodedNode *Pred = C.getPredecessor();<br>+ if (LeakedStreams.empty())<br>+ return Pred;<br>+<br>+ // Generate an intermediate node representing the leak point.<br>+ static SimpleProgramPointTag Tag("StreamChecker : Leak");<br>+ ExplodedNode *ErrNode = C.addTransition(Pred->getState(), Pred, &Tag);<br>+ if (!ErrNode)<br>+ return Pred;<br></blockquote><div><br></div><div>Why generate an intermediate node at all? I feel like we could just generate the transition in the caller and then report all the leaks here.</div><div><br></div><br><blockquote type="cite">+ // Initialize the bug type.<br>+ if (!LeakBugType) {<br>+ LeakBugType.reset(new BuiltinBug("Resource Leak",<br>+ "Unix Stream API Error"));<br>+ // Sinks are higher importance bugs as well as calls to assert() or exit(0).<br></blockquote><div><br></div><div>Perhaps:</div><div>s/are higher importance/represent more important/</div><div><br></div><div>…but also assert isn't really a sink.</div><div><br></div><br><blockquote type="cite">+ LeakBugType->setSuppressOnSink(true);<br>+ }<br>+<br>+ // Attach bug reports to the leak node.<br>+ for (llvm::SmallVector<SymbolRef, 2>::iterator<br>+ I = LeakedStreams.begin(), E = LeakedStreams.end(); I != E; ++I) {<br>+ BugReport *R = new BugReport(*LeakBugType,<br>+ "Opened file is never closed; potential resource leak", ErrNode);<br></blockquote><div><br></div><div>No markInteresting? No attempt to say <i>which</i> file it is? …actually, that's rather hard. Hm.</div><div><br></div><br><blockquote type="cite">+ C.EmitReport(R);<br>+ }<br>+<br>+ return ErrNode;<br>+}<br>+<br>+void SimpleStreamChecker::initIdentifierInfo(ASTContext &Ctx) const {<br>+ if (IIfopen)<br>+ return;<br>+ IIfopen = &Ctx.Idents.get("fopen");<br>+ IIfclose = &Ctx.Idents.get("fclose");<br>+}<br>+<br>+void ento::registerSimpleStreamChecker(CheckerManager &mgr) {<br>+ mgr.registerChecker<SimpleStreamChecker>();<br>+}<br><br>Added: cfe/trunk/test/Analysis/simple-stream-checks.c<br>URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/simple-stream-checks.c?rev=166976&view=auto">http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/simple-stream-checks.c?rev=166976&view=auto</a><br>==============================================================================<br>--- cfe/trunk/test/Analysis/simple-stream-checks.c (added)<br>+++ cfe/trunk/test/Analysis/simple-stream-checks.c Mon Oct 29 17:51:50 2012<br>@@ -0,0 +1,44 @@<br>+// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.unix.SimpleStream -verify %s<br>+<br>+typedef struct __sFILE {<br>+ unsigned char *_p;<br>+} FILE;<br>+FILE *fopen(const char * restrict, const char * restrict) __asm("_" "fopen" );<br>+int fputc(int, FILE *);<br>+int fputs(const char * restrict, FILE * restrict) __asm("_" "fputs" );<br>+int fclose(FILE *);<br>+void exit(int);<br>+<br>+void checkDoubleFClose(int *Data) {<br>+ FILE *F = fopen("myfile.txt", "w");<br>+ if (F != 0) {<br>+ fputs ("fopen example", F);<br>+ if (!Data)<br>+ fclose(F);<br>+ else<br>+ fputc(*Data, F);<br>+ fclose(F); // expected-warning {{Closing a previously closed file stream}}<br>+ }<br>+}<br>+<br>+int checkLeak(int *Data) {<br>+ FILE *F = fopen("myfile.txt", "w");<br>+ if (F != 0) {<br>+ fputs ("fopen example", F);<br>+ }<br>+<br>+ if (Data) // expected-warning {{Opened file is never closed; potential resource leak}}<br>+ return *Data;<br>+ else<br>+ return 0;<br>+}<br>+<br>+void checkLeakFollowedByAssert(int *Data) {<br>+ FILE *F = fopen("myfile.txt", "w");<br>+ if (F != 0) {<br>+ fputs ("fopen example", F);<br>+ if (!Data)<br>+ exit(0);<br>+ fclose(F);<br>+ }<br>+}<br><br><br>_______________________________________________<br>cfe-commits mailing list<br><a href="mailto:cfe-commits@cs.uiuc.edu">cfe-commits@cs.uiuc.edu</a><br>http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits<br></blockquote></div><br></body></html>