<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Oct 29, 2012, at 4:19 PM, Jordan Rose wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><br><div><div>On Oct 29, 2012, at 15:51 , Anna Zaks <<a href="mailto:ganna@apple.com">ganna@apple.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Author: zaks<br>Date: Mon Oct 29 17:51:50 2012<br>New Revision: 166976<br><br>URL: <a href="http://llvm.org/viewvc/llvm-project?rev=166976&view=rev">http://llvm.org/viewvc/llvm-project?rev=166976&view=rev</a><br>Log:<br>[analyzer] Add SimpleStreamChecker.<br><br>This is an example checker for catching fopen fclose API misuses.<br><br>Added:<br>    cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp<br>    cfe/trunk/test/Analysis/simple-stream-checks.c<br>Modified:<br>    cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt<br>    cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td<br><br>Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt<br>URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt?rev=166976&r1=166975&r2=166976&view=diff">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt?rev=166976&r1=166975&r2=166976&view=diff</a><br>==============================================================================<br>--- cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt (original)<br>+++ cfe/trunk/lib/StaticAnalyzer/Checkers/CMakeLists.txt Mon Oct 29 17:51:50 2012<br>@@ -31,6 +31,7 @@<br>   DivZeroChecker.cpp<br>   DynamicTypePropagation.cpp<br>   ExprInspectionChecker.cpp<br>+  SimpleStreamChecker.cpp<br>   FixedAddressChecker.cpp<br>   GenericTaintChecker.cpp<br>   IdempotentOperationChecker.cpp<br></blockquote><div><br></div><div>This list is supposed to be alphabetical (for convenience, not correctness).</div><div><br></div><br><blockquote type="cite">Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td<br>URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td?rev=166976&r1=166975&r2=166976&view=diff">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td?rev=166976&r1=166975&r2=166976&view=diff</a><br>==============================================================================<br>--- cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td (original)<br>+++ cfe/trunk/lib/StaticAnalyzer/Checkers/Checkers.td Mon Oct 29 17:51:50 2012<br>@@ -303,6 +303,10 @@<br>   HelpText<"Check stream handling functions">,<br>   DescFile<"StreamChecker.cpp">;<br><br>+def SimpleStreamChecker : Checker<"SimpleStream">,<br>+  HelpText<"Check for misuses of stream APIs">,<br>+  DescFile<"SimpleStreamChecker.cpp">;<br>+<br> } // end "alpha.unix"<br><br> let ParentPackage = CString in {<br><br>Added: cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp<br>URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp?rev=166976&view=auto">http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp?rev=166976&view=auto</a><br>==============================================================================<br>--- cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp (added)<br>+++ cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp Mon Oct 29 17:51:50 2012<br>@@ -0,0 +1,229 @@<br>+//===-- SimpleStreamChecker.cpp -----------------------------------------*- C++ -*--//<br>+//<br>+//                     The LLVM Compiler Infrastructure<br>+//<br>+// This file is distributed under the University of Illinois Open Source<br>+// License. See LICENSE.TXT for details.<br>+//<br>+//===----------------------------------------------------------------------===//<br>+//<br>+// Defines a checker for proper use of fopen/fclose APIs.<br>+//   - If a file has been closed with fclose, it should not be accessed again.<br>+//   Accessing a closed file results in undefined behavior.<br>+//   - If a file was opened with fopen, it must be closed with fclose before<br>+//   the execution ends. Failing to do so results in a resource leak.<br>+//<br>+//===----------------------------------------------------------------------===//<br>+<br>+#include "ClangSACheckers.h"<br>+#include "clang/StaticAnalyzer/Core/Checker.h"<br>+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"<br>+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"<br>+<br>+using namespace clang;<br>+using namespace ento;<br>+<br>+namespace {<br>+typedef llvm::SmallVector<SymbolRef, 2> SymbolVector;<br>+<br>+struct StreamState {<br>+  enum Kind { Opened, Closed } K;<br>+<br>+  StreamState(Kind InK) : K(InK) { }<br>+<br>+  bool isOpened() const { return K == Opened; }<br>+  bool isClosed() const { return K == Closed; }<br>+<br>+  static StreamState getOpened() { return StreamState(Opened); }<br>+  static StreamState getClosed() { return StreamState(Closed); }<br>+<br>+  bool operator==(const StreamState &X) const {<br>+    return K == X.K;<br>+  }<br>+  void Profile(llvm::FoldingSetNodeID &ID) const {<br>+    ID.AddInteger(K);<br>+  }<br>+};<br>+<br>+class SimpleStreamChecker: public Checker<check::PostStmt<CallExpr>,<br>+                                          check::PreStmt<CallExpr>,<br>+                                          check::DeadSymbols,<br>+                                          eval::Assume > {<br>+<br>+  mutable IdentifierInfo *IIfopen, *IIfclose;<br>+<br>+  mutable OwningPtr<BugType> DoubleCloseBugType;<br>+  mutable OwningPtr<BugType> LeakBugType;<br>+<br>+  void initIdentifierInfo(ASTContext &Ctx) const;<br>+<br>+  void reportDoubleClose(SymbolRef FileDescSym,<br>+                         const CallExpr *Call,<br>+                         CheckerContext &C) const;<br>+<br>+  ExplodedNode *reportLeaks(SymbolVector LeakedStreams,<br>+                            CheckerContext &C) const;<br>+<br>+public:<br>+  SimpleStreamChecker() : IIfopen(0), IIfclose(0) {}<br>+<br>+  /// Process fopen.<br>+  void checkPostStmt(const CallExpr *Call, CheckerContext &C) const;<br>+  /// Process fclose.<br>+  void checkPreStmt(const CallExpr *Call, CheckerContext &C) const;<br>+<br>+  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;<br>+  ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,<br>+                             bool Assumption) const;<br>+<br>+};<br>+<br>+} // end anonymous namespace<br>+<br>+/// The state of the checker is a map from tracked stream symbols to their<br>+/// state. Let's store it in the GDM.<br>+REGISTER_MAP_WITH_GDM(StreamMap, SymbolRef, StreamState)<br>+<br>+void SimpleStreamChecker::checkPostStmt(const CallExpr *Call,<br>+                                        CheckerContext &C) const {<br>+  initIdentifierInfo(C.getASTContext());<br>+<br>+  if (C.getCalleeIdentifier(Call) != IIfopen)<br>+    return;<br>+<br>+  // Get the symbolic value corresponding to the file handle.<br>+  SymbolRef FileDesc = C.getSVal(Call).getAsSymbol();<br>+  if (!FileDesc)<br>+    return;<br>+<br>+  // Generate the next transition (an edge in the exploded graph).<br>+  ProgramStateRef State = C.getState();<br>+  State = State->set<StreamMap>(FileDesc, StreamState::getOpened());<br>+  C.addTransition(State);<br>+}<br>+<br>+void SimpleStreamChecker::checkPreStmt(const CallExpr *Call,<br>+                                       CheckerContext &C) const {<br>+  initIdentifierInfo(C.getASTContext());<br>+<br>+  if (C.getCalleeIdentifier(Call) != IIfclose)<br>+    return;<br>+  if (Call->getNumArgs() != 1)<br>+    return;<br>+<br>+  // Get the symbolic value corresponding to the file handle.<br>+  SymbolRef FileDesc = C.getSVal(Call->getArg(0)).getAsSymbol();<br>+  if (!FileDesc)<br>+    return;<br>+<br>+  // Check if the stream has already been closed.<br>+  ProgramStateRef State = C.getState();<br>+  const StreamState *SS = State->get<StreamMap>(FileDesc);<br>+  if (SS && SS->isClosed())<br>+    reportDoubleClose(FileDesc, Call, C);<br>+<br>+  // Generate the next transition, in which the stream is closed.<br>+  State = State->set<StreamMap>(FileDesc, StreamState::getClosed());<br>+  C.addTransition(State);<br>+}<br>+<br>+void SimpleStreamChecker::checkDeadSymbols(SymbolReaper &SymReaper,<br>+                                           CheckerContext &C) const {<br>+  ProgramStateRef State = C.getState();<br>+  StreamMap TrackedStreams = State->get<StreamMap>();<br>+  SymbolVector LeakedStreams;<br>+  for (StreamMap::iterator I = TrackedStreams.begin(),<br>+                           E = TrackedStreams.end(); I != E; ++I) {<br>+    SymbolRef Sym = I->first;<br>+    if (SymReaper.isDead(Sym)) {<br>+      const StreamState &SS = I->second;<br>+      if (SS.isOpened())<br>+        LeakedStreams.push_back(Sym);<br>+<br>+      // Remove the dead symbol from the streams map.<br>+      State = State->remove<StreamMap>(Sym);<br>+    }<br>+  }<br>+<br>+  ExplodedNode *N = reportLeaks(LeakedStreams, C);<br>+  C.addTransition(State, N);<br>+}<br>+<br>+// If a symbolic region is assumed to NULL (or another constant), stop tracking<br>+// it - assuming that allocation failed on this path.<br>+ProgramStateRef SimpleStreamChecker::evalAssume(ProgramStateRef State,<br>+                                                SVal Cond,<br>+                                                bool Assumption) const {<br>+  StreamMap TrackedStreams = State->get<StreamMap>();<br>+  SymbolVector LeakedStreams;<br>+  for (StreamMap::iterator I = TrackedStreams.begin(),<br>+                           E = TrackedStreams.end(); I != E; ++I) {<br>+    SymbolRef Sym = I->first;<br>+    if (State->getConstraintManager().isNull(State, Sym).isTrue())<br>+      State = State->remove<StreamMap>(Sym);<br>+  }<br>+  return State;<br>+}<br>+<br>+void SimpleStreamChecker::reportDoubleClose(SymbolRef FileDescSym,<br>+                                            const CallExpr *CallExpr,<br>+                                            CheckerContext &C) const {<br>+  // We reached a bug, stop exploring the path here by generating a sink.<br>+  ExplodedNode *ErrNode = C.generateSink();<br>+  // If this error node already exists, return.<br>+  if (!ErrNode)<br>+    return;<br>+<br>+  // Initialize the bug type.<br>+  if (!DoubleCloseBugType)<br>+    DoubleCloseBugType.reset(new BugType("Double fclose",<br>+                             "Unix Stream API Error"));<br>+  // Generate the report.<br>+  BugReport *R = new BugReport(*DoubleCloseBugType,<br>+      "Closing a previously closed file stream", ErrNode);<br>+  R->addRange(CallExpr->getSourceRange());<br>+  R->markInteresting(FileDescSym);<br>+  C.EmitReport(R);<br>+}<br>+<br>+ExplodedNode *SimpleStreamChecker::reportLeaks(SymbolVector LeakedStreams,<br>+                                               CheckerContext &C) const {<br>+  ExplodedNode *Pred = C.getPredecessor();<br>+  if (LeakedStreams.empty())<br>+    return Pred;<br>+<br>+  // Generate an intermediate node representing the leak point.<br>+  static SimpleProgramPointTag Tag("StreamChecker : Leak");<br>+  ExplodedNode *ErrNode = C.addTransition(Pred->getState(), Pred, &Tag);<br>+  if (!ErrNode)<br>+    return Pred;<br></blockquote><div><br></div><div>Why generate an intermediate node at all? I feel like we could just generate the transition in the caller and then report all the leaks here.</div><div><br></div><br><blockquote type="cite">+  // Initialize the bug type.<br>+  if (!LeakBugType) {<br>+    LeakBugType.reset(new BuiltinBug("Resource Leak",<br>+                                     "Unix Stream API Error"));<br>+    // Sinks are higher importance bugs as well as calls to assert() or exit(0).<br></blockquote><div><br></div><div>Perhaps:</div><div>s/are higher importance/represent more important/</div><div><br></div><div>…but also assert isn't really a sink.</div><div><br></div></div></div></blockquote><div><br></div>Why not?</div><div><br><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><br><blockquote type="cite">+    LeakBugType->setSuppressOnSink(true);<br>+  }<br>+<br>+  // Attach bug reports to the leak node.<br>+  for (llvm::SmallVector<SymbolRef, 2>::iterator<br>+      I = LeakedStreams.begin(), E = LeakedStreams.end(); I != E; ++I) {<br>+    BugReport *R = new BugReport(*LeakBugType,<br>+        "Opened file is never closed; potential resource leak", ErrNode);<br></blockquote><div><br></div><div>No markInteresting? </div></div></div></blockquote><div><br></div>makrInteresting is easy</div><div><br><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><div>No attempt to say <i>which</i> file it is? …actually, that's rather hard. Hm.</div></div></div></blockquote><div><br></div><div>Yes.  Error reporting on leaks is not yet done. I'll add a TODO.</div><br><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><br><blockquote type="cite">+    C.EmitReport(R);<br>+  }<br>+<br>+  return ErrNode;<br>+}<br>+<br>+void SimpleStreamChecker::initIdentifierInfo(ASTContext &Ctx) const {<br>+  if (IIfopen)<br>+    return;<br>+  IIfopen = &Ctx.Idents.get("fopen");<br>+  IIfclose = &Ctx.Idents.get("fclose");<br>+}<br>+<br>+void ento::registerSimpleStreamChecker(CheckerManager &mgr) {<br>+  mgr.registerChecker<SimpleStreamChecker>();<br>+}<br><br>Added: cfe/trunk/test/Analysis/simple-stream-checks.c<br>URL: <a href="http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/simple-stream-checks.c?rev=166976&view=auto">http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/simple-stream-checks.c?rev=166976&view=auto</a><br>==============================================================================<br>--- cfe/trunk/test/Analysis/simple-stream-checks.c (added)<br>+++ cfe/trunk/test/Analysis/simple-stream-checks.c Mon Oct 29 17:51:50 2012<br>@@ -0,0 +1,44 @@<br>+// RUN: %clang_cc1 -analyze -analyzer-checker=core,alpha.unix.SimpleStream -verify %s<br>+<br>+typedef struct __sFILE {<br>+  unsigned char *_p;<br>+} FILE;<br>+FILE *fopen(const char * restrict, const char * restrict) __asm("_" "fopen" );<br>+int fputc(int, FILE *);<br>+int fputs(const char * restrict, FILE * restrict) __asm("_" "fputs" );<br>+int fclose(FILE *);<br>+void exit(int);<br>+<br>+void checkDoubleFClose(int *Data) {<br>+  FILE *F = fopen("myfile.txt", "w");<br>+  if (F != 0) {<br>+    fputs ("fopen example", F);<br>+    if (!Data)<br>+      fclose(F);<br>+    else<br>+      fputc(*Data, F);<br>+    fclose(F); // expected-warning {{Closing a previously closed file stream}}<br>+  }<br>+}<br>+<br>+int checkLeak(int *Data) {<br>+  FILE *F = fopen("myfile.txt", "w");<br>+  if (F != 0) {<br>+    fputs ("fopen example", F);<br>+  }<br>+<br>+  if (Data) // expected-warning {{Opened file is never closed; potential resource leak}}<br>+    return *Data;<br>+  else<br>+    return 0;<br>+}<br>+<br>+void checkLeakFollowedByAssert(int *Data) {<br>+  FILE *F = fopen("myfile.txt", "w");<br>+  if (F != 0) {<br>+    fputs ("fopen example", F);<br>+    if (!Data)<br>+      exit(0);<br>+    fclose(F);<br>+  }<br>+}<br><br><br>_______________________________________________<br>cfe-commits mailing list<br><a href="mailto:cfe-commits@cs.uiuc.edu">cfe-commits@cs.uiuc.edu</a><br><a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits</a><br></blockquote></div><br></div></blockquote></div><br></body></html>