[PATCH] D106262: [clang][analyzer] Use generic note tag in alpha.unix.Stream .

Balázs Kéri via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Mon Aug 2 07:51:13 PDT 2021 

balazske added a comment.

> No matter what happens during analysis, as of now, the NoteTag message is unambiguous at the point of the tags construction.

The stream error state is designed to store a "superposition" of different error states. This is part of `evalFseek`:

  StateFailed = StateFailed->set<StreamMap>(
      StreamSym,
      StreamState::getOpened(Desc, ErrorNone | ErrorFEof | ErrorFError, true));
  C.addTransition(StateFailed,
                  constructNoteTag(C, StreamSym,
                                   {&BT_StreamEof, &BT_IndeterminatePosition}));

The code above means the same as this code:

  StateFailedFEof = StateFailed->set<StreamMap>(
      StreamSym,
      StreamState::getOpened(Desc, ErrorFEof, false));
  C.addTransition(StateFailedFEof, constructNoteTag(C, StreamSym, {&BT_StreamEof}));
  
  StateFailedFErrorIndeterminate = StateFailed->set<StreamMap>(
      StreamSym,
      StreamState::getOpened(Desc, ErrorFError, true));
  C.addTransition(StateFailedFErrorIndeterminate, constructNoteTag(C, StreamSym, {&BT_IndeterminatePosition}));
  
  StateFailedIndeterminate = StateFailed->set<StreamMap>(
      StreamSym,
      StreamState::getOpened(Desc, ErrorNone, true));
  C.addTransition(StateFailedIndeterminate, constructNoteTag(C, StreamSym, {&BT_IndeterminatePosition}));

In this code the NoteTag message is unambiguous. The code above is a "compression" of this and at the construction of the NoteTag message is in "superposition" state too (like the error state that determines the message).

`freopen` is a different case: At failure it returns a NULL pointer and the stream becomes in an invalid state. But if the return value of `freopen` is not assigned to it, the stream pointer is not set to NULL:

- `F = freopen(0, "w", F);` F will be NULL at failure, this makes a bug with `BT_FileNull` bug type.
- `freopen(0, "w", F);` F becomes invalid but not NULL, if used then a `BT_UseAfterOpenFailed` bug is detected (this is the only case for this bug type).

At failure of `freopen` we can not tell which case will occur later (it depends on the analyzed code). (It may be possible to have only one bug for these cases but a differentation is needed to tell the user if a file was NULL or invalid but not NULL.)


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D106262/new/

https://reviews.llvm.org/D106262

More information about the cfe-commits mailing list