[clang] fd02a86 - [analyzer] Add system header simulator a symmetric random access iterator operator+

2020-07-17 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2020-07-17T14:36:43+02:00
New Revision: fd02a86260b3fb01361175af9600d53354631fb2

URL: 
https://github.com/llvm/llvm-project/commit/fd02a86260b3fb01361175af9600d53354631fb2
DIFF: 
https://github.com/llvm/llvm-project/commit/fd02a86260b3fb01361175af9600d53354631fb2.diff

LOG: [analyzer] Add system header simulator a symmetric random access iterator 
operator+

Summary:
Random access iterators must handle operator+, where the iterator is on the
RHS. The system header simulator library is extended with these operators.

Reviewers: Szelethus

Subscribers: whisperity, xazax.hun, baloghadamsoftware, szepet, a.sidorin, 
mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, steakhal, martong, 
ASDenysPetrov, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D83226

Added: 


Modified: 
clang/test/Analysis/Inputs/system-header-simulator-cxx.h
clang/test/Analysis/diagnostics/explicit-suppression.cpp

Removed: 




diff  --git a/clang/test/Analysis/Inputs/system-header-simulator-cxx.h 
b/clang/test/Analysis/Inputs/system-header-simulator-cxx.h
index fe4b9d081e9c..1dee3294d732 100644
--- a/clang/test/Analysis/Inputs/system-header-simulator-cxx.h
+++ b/clang/test/Analysis/Inputs/system-header-simulator-cxx.h
@@ -60,6 +60,11 @@ template  struct 
__vector_iterator {
   __vector_iterator operator+(
diff erence_type n) {
 return ptr + n;
   }
+  friend __vector_iterator operator+(
+  
diff erence_type n,
+  const __vector_iterator &iter) {
+return n + iter.ptr;
+  }
   __vector_iterator operator-(
diff erence_type n) {
 return ptr - n;
   }
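Review bot: the new friend accepts `const __vector_iterator &iter`, but the member `operator+(difference_type n)` in the context line above is not const-qualified, so after this hunk `n + it` compiles on a const iterator while `it + n` does not. Mark the member `operator+` (and the `operator-(difference_type)` below it) `const`, so the simulator models `a + n` and `n + a` the way the random access iterator requirements state them, for a const `a` as well.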
@@ -118,6 +123,11 @@ template  struct 
__deque_iterator {
   __deque_iterator operator+(
diff erence_type n) {
 return ptr + n;
   }
+  friend __deque_iterator operator+(
+  
diff erence_type n,
+  const __deque_iterator &iter) {
+return n + iter.ptr;
+  }
   __deque_iterator operator-(
diff erence_type n) {
 return ptr - n;
   }
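Review bot: the same const-qualification point applies here: `__deque_iterator`'s member `operator+` and `operator-` stay non-const while the new friend takes a const iterator. Both iterator models now carry an identical arithmetic operator set that has to be kept in lockstep by hand; a shared base template or a small macro for these operators would turn the next such addition into a one-place change.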

diff  --git a/clang/test/Analysis/diagnostics/explicit-suppression.cpp 
b/clang/test/Analysis/diagnostics/explicit-suppression.cpp
index 2b586add19ee..0ef01771e58b 100644
--- a/clang/test/Analysis/diagnostics/explicit-suppression.cpp
+++ b/clang/test/Analysis/diagnostics/explicit-suppression.cpp
@@ -19,6 +19,6 @@ class C {
 void testCopyNull(C *I, C *E) {
   std::copy(I, E, (C *)0);
 #ifndef SUPPRESSED
-  // expected-warning@../Inputs/system-header-simulator-cxx.h:699 {{Called C++ 
object pointer is null}}
+  // expected-warning@../Inputs/system-header-simulator-cxx.h:709 {{Called C++ 
object pointer is null}}
 #endif
 }
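Review bot: the expectation is pinned to an absolute line in another file (`system-header-simulator-cxx.h:709`, previously 699), so every insertion above the `std::copy` body in the simulator shifts it, and this test has to be touched for an iterator change it has nothing to do with. Leave a comment next to `std::copy` in the simulator header saying that explicit-suppression.cpp depends on its line number, so whoever edits the header next updates this test in the same commit instead of finding out from the bots.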



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

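Why the simulator needs the `n + it` spelling at all, as an added example (not part of the commit above and not Clang's test header): a minimal random access iterator that provides `it + n` as a member and `n + it` as a hidden friend, used by two generic helpers written the way library code often is, with the distance on the left-hand side. Remove the friend and `midpoint_iter` no longer compiles; the simulator stands in for the standard headers in the analyzer's tests, so a test exercising an algorithm spelled this way cannot even compile against a model that lacks the overload. The names `RaIter`, `midpoint_iter`, `sum_second_half` and `copy_tail` are this example's own.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <iterator>
#include <numeric>
#include <type_traits>
#include <vector>

// Minimal random access iterator over a contiguous buffer (example type,
// not Clang's __vector_iterator). Addition is provided in both spellings:
// it + n as a member and n + it as a hidden friend, as the random access
// iterator requirements describe it.
template <typename T>
struct RaIter {
  using difference_type = std::ptrdiff_t;
  using value_type = typename std::remove_const<T>::type;
  using pointer = T *;
  using reference = T &;
  using iterator_category = std::random_access_iterator_tag;

  T *ptr;
  RaIter(T *p = nullptr) : ptr(p) {}

  reference operator*() const { return *ptr; }
  reference operator[](difference_type n) const { return ptr[n]; }
  RaIter &operator++() { ++ptr; return *this; }
  RaIter operator++(int) { RaIter t = *this; ++ptr; return t; }
  RaIter &operator--() { --ptr; return *this; }
  RaIter &operator+=(difference_type n) { ptr += n; return *this; }
  RaIter &operator-=(difference_type n) { ptr -= n; return *this; }
  RaIter operator+(difference_type n) const { return RaIter(ptr + n); }
  RaIter operator-(difference_type n) const { return RaIter(ptr - n); }

  // The symmetric form, n + it. Without it the helpers below, which put
  // the distance on the left, do not compile.
  friend RaIter operator+(difference_type n, const RaIter &it) {
    return RaIter(n + it.ptr);
  }
  friend difference_type operator-(const RaIter &a, const RaIter &b) {
    return a.ptr - b.ptr;
  }
  friend bool operator==(const RaIter &a, const RaIter &b) { return a.ptr == b.ptr; }
  friend bool operator!=(const RaIter &a, const RaIter &b) { return a.ptr != b.ptr; }
  friend bool operator<(const RaIter &a, const RaIter &b) { return a.ptr < b.ptr; }
};

// Generic helper spelled with the distance on the left: (last - first) / 2 + first.
template <class It>
It midpoint_iter(It first, It last) {
  return (last - first) / 2 + first;
}

// Sum of the second half of v, walked through RaIter.
int sum_second_half(const std::vector<int> &v) {
  RaIter<const int> first(v.data()), last(v.data() + v.size());
  return std::accumulate(midpoint_iter(first, last), last, 0);
}

// The last n elements of v; the start iterator is spelled (-n) + last.
std::vector<int> copy_tail(const std::vector<int> &v, std::ptrdiff_t n) {
  std::vector<int> out(static_cast<std::size_t>(n));
  RaIter<const int> last(v.data() + v.size());
  RaIter<const int> start = -n + last;
  std::copy(start, last, out.begin());
  return out;
}

int main() {
  const std::vector<int> v{1, 2, 3, 4, 5};
  std::cout << sum_second_half(v) << '\n';
  for (int x : copy_tail(v, 2)) std::cout << x << ' ';
  std::cout << '\n';
  return 0;
}
```

Deleting the `friend RaIter operator+(difference_type, const RaIter &)` line makes `midpoint_iter` and `copy_tail` fail to compile, which is exactly the failure mode a test written against the simulator would hit before the patch above.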

[clang] 020815f - [analyzer] On-demand parsing capability for CTU

2020-06-10 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2020-06-10T08:59:04+02:00
New Revision: 020815fafd15ddac0f2b5539e7766107d7b25ddc

URL: 
https://github.com/llvm/llvm-project/commit/020815fafd15ddac0f2b5539e7766107d7b25ddc
DIFF: 
https://github.com/llvm/llvm-project/commit/020815fafd15ddac0f2b5539e7766107d7b25ddc.diff

LOG: [analyzer] On-demand parsing capability for CTU

Summary:
Introduce on-demand parsing of needed ASTs during CTU analysis.
The index-file format is extended, and analyzer-option CTUInvocationList
is added to specify the exact invocations needed to parse the needed
source-files.

Reviewers: martong, balazske, Szelethus, xazax.hun, whisperity

Reviewed By: martong, xazax.hun

Subscribers: gribozavr2, thakis, ASDenysPetrov, ormris, mgorny, whisperity, 
xazax.hun, baloghadamsoftware, szepet, rnkovacs, a.sidorin, mikhail.ramalho, 
Szelethus, donat.nagy, dkrupp, Charusso, steakhal, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D75665

Added: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.ast-dump.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.ast-dump.txt
clang/test/Analysis/ctu-on-demand-parsing.c
clang/test/Analysis/ctu-on-demand-parsing.cpp

Modified: 
clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
clang/include/clang/CrossTU/CrossTranslationUnit.h
clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
clang/lib/CrossTU/CrossTranslationUnit.cpp
clang/test/Analysis/Inputs/ctu-other.c
clang/test/Analysis/analyzer-config.c
clang/test/Analysis/ctu-different-triples.cpp
clang/test/Analysis/ctu-main.c
clang/test/Analysis/ctu-main.cpp
clang/test/Analysis/ctu-unknown-parts-in-triples.cpp
clang/unittests/CrossTU/CrossTranslationUnitTest.cpp

Removed: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.txt



diff  --git a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst 
b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
index 86f972b63e31..36be82f209ef 100644
--- a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
+++ b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
@@ -3,14 +3,35 @@ Cross Translation Unit (CTU) Analysis
 =
 
 Normally, static analysis works in the boundary of one translation unit (TU).
-However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from another TU.
+However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from
+another TU.
 
 .. contents::
:local:
 
-Manual CTU Analysis

+Overview
+
+CTU analysis can be used in a variety of ways. The importing of external TU 
definitions can work with pre-dumped PCH
+files or generating the necessary AST structure on-demand, during the analysis 
of the main TU. Driving the static
+analysis can also be implemented in multiple ways. The most direct way is to 
specify the necessary commandline options
+of the Clang frontend manually (and generate the prerequisite dependencies of 
the specific import method by hand). This
+process can be automated by other tools, like `CodeChecker 
`_ and scan-build-py
+(preference for the former).
+
+PCH-based analysis
+__
+The analysis needs the PCH dumps of all the translations units used in the 
project.
+These can be generated by the Clang Frontend itself, and must be arranged in a 
specific way in the filesystem.
+The index, which maps symbols' USR names to PCH dumps containing them must 
also be generated by the
+`clang-extdef-mapping`. Entries in the index *must* have an `.ast` suffix if 
the goal
+is to use PCH-based analysis, as the lack of that extension signals that the 
entry is to be used as a source-file, and parsed on-demand.
+This tool uses a :doc:`compilation database <../../JSONCompilationDatabase>` to
+determine the compilation flags used.
+The analysis invocation must be provided with the directory which contains the 
dumps and the mapping files.
+
 
+Manual CTU Analysis
+###
 Let's consider these source files in our minimal example:
 
 .. code-block:: cpp
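Review bot: typo in the added text, `translations units` should read `translation units`, and `commandline` is written `command-line` elsewhere in the Clang docs. More importantly, the paragraph makes the `.ast` suffix, not the file's content, decide whether an index entry is loaded as a serialized AST or handed to the parser as a source file with flags taken from the invocation list; say plainly that the index and the invocation list are therefore trusted inputs that must come from the same build that produced the compilation database, since a mis-suffixed or tampered entry changes what the analyzer opens and how it is processed.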
@@ -47,7 +68,8 @@ And a compilation database:
   ]
 
 We'd like to analyze `main.cpp` and discover the division by zero bug.
-In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file of `foo.cpp`:
+In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file
+of `foo.cpp`:
 
 .. code-block:: bash
 
@@ -58,7 +80,8 @@ In order to be able to inline the definition of `foo` from 
`foo.cpp` first we ha
   compile_commands.json  foo.cpp.ast  foo.cpp  main.cpp
   $
 
-The next step is to create

[clang] c640779 - Revert "[analyzer] On-demand parsing capability for CTU"

2020-06-10 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2020-06-10T10:30:10+02:00
New Revision: c64077949448f70c017939aea9490aee3851321c

URL: 
https://github.com/llvm/llvm-project/commit/c64077949448f70c017939aea9490aee3851321c
DIFF: 
https://github.com/llvm/llvm-project/commit/c64077949448f70c017939aea9490aee3851321c.diff

LOG: Revert "[analyzer] On-demand parsing capability for CTU"

This reverts commit 020815fafd15ddac0f2b5539e7766107d7b25ddc.
Reason: PS4 buildbot broke

Added: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.txt

Modified: 
clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
clang/include/clang/CrossTU/CrossTranslationUnit.h
clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
clang/lib/CrossTU/CrossTranslationUnit.cpp
clang/test/Analysis/Inputs/ctu-other.c
clang/test/Analysis/analyzer-config.c
clang/test/Analysis/ctu-different-triples.cpp
clang/test/Analysis/ctu-main.c
clang/test/Analysis/ctu-main.cpp
clang/test/Analysis/ctu-unknown-parts-in-triples.cpp
clang/unittests/CrossTU/CrossTranslationUnitTest.cpp

Removed: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.ast-dump.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.ast-dump.txt
clang/test/Analysis/ctu-on-demand-parsing.c
clang/test/Analysis/ctu-on-demand-parsing.cpp



diff  --git a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst 
b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
index 36be82f209ef..86f972b63e31 100644
--- a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
+++ b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
@@ -3,35 +3,14 @@ Cross Translation Unit (CTU) Analysis
 =
 
 Normally, static analysis works in the boundary of one translation unit (TU).
-However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from
-another TU.
+However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from another TU.
 
 .. contents::
:local:
 
-Overview
-
-CTU analysis can be used in a variety of ways. The importing of external TU 
definitions can work with pre-dumped PCH
-files or generating the necessary AST structure on-demand, during the analysis 
of the main TU. Driving the static
-analysis can also be implemented in multiple ways. The most direct way is to 
specify the necessary commandline options
-of the Clang frontend manually (and generate the prerequisite dependencies of 
the specific import method by hand). This
-process can be automated by other tools, like `CodeChecker 
`_ and scan-build-py
-(preference for the former).
-
-PCH-based analysis
-__
-The analysis needs the PCH dumps of all the translations units used in the 
project.
-These can be generated by the Clang Frontend itself, and must be arranged in a 
specific way in the filesystem.
-The index, which maps symbols' USR names to PCH dumps containing them must 
also be generated by the
-`clang-extdef-mapping`. Entries in the index *must* have an `.ast` suffix if 
the goal
-is to use PCH-based analysis, as the lack of that extension signals that the 
entry is to be used as a source-file, and parsed on-demand.
-This tool uses a :doc:`compilation database <../../JSONCompilationDatabase>` to
-determine the compilation flags used.
-The analysis invocation must be provided with the directory which contains the 
dumps and the mapping files.
-
-
 Manual CTU Analysis
-###
+---
+
 Let's consider these source files in our minimal example:
 
 .. code-block:: cpp
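Review bot: the revert message gives only `PS4 buildbot broke`, with no bot URL, failing test name or error excerpt, so nothing here lets a re-land be checked against the actual failure; add the build link or the failing check (the new `ctu-on-demand-parsing.c`/`.cpp` tests removed by this commit are the obvious candidates) to the message.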
@@ -68,8 +47,7 @@ And a compilation database:
   ]
 
 We'd like to analyze `main.cpp` and discover the division by zero bug.
-In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file
-of `foo.cpp`:
+In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file of `foo.cpp`:
 
 .. code-block:: bash
 
@@ -80,8 +58,7 @@ of `foo.cpp`:
   compile_commands.json  foo.cpp.ast  foo.cpp  main.cpp
   $
 
-The next step is to create a CTU index file which holds the `USR` name and 
location of external definitions in the
-source files:
+The next step is to create a CTU index file which holds the `USR` name and 
location of external definitions in the source files:
 
 .. code-block:: bash
 
@@ -108,33 +85,47 @@ We have to feed Clang with CTU specific extra arguments:
 
   $ pwd
   /path/to/your/project
-  $ clang++ --analyze \
-  -Xclang -analyzer-config -Xclang 
experimental-enable-naive-ctu-analysis=true \
-  -Xclang -analyzer-config -Xclang ctu-dir=. \
-  -Xclang -analyzer-output=plist-multi-file \
-  main.c

[clang] 97e07d0 - [analyzer] On-demand parsing capability for CTU

2020-06-10 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2020-06-10T13:43:51+02:00
New Revision: 97e07d0c352ca469eb07a0cb3162c2807ff1099d

URL: 
https://github.com/llvm/llvm-project/commit/97e07d0c352ca469eb07a0cb3162c2807ff1099d
DIFF: 
https://github.com/llvm/llvm-project/commit/97e07d0c352ca469eb07a0cb3162c2807ff1099d.diff

LOG: [analyzer] On-demand parsing capability for CTU

Summary:
Introduce on-demand parsing of needed ASTs during CTU analysis.
The index-file format is extended, and analyzer-option CTUInvocationList
is added to specify the exact invocations needed to parse the needed
source-files.

Reviewers: martong, balazske, Szelethus, xazax.hun, whisperity

Reviewed By: martong, xazax.hun

Subscribers: gribozavr2, thakis, ASDenysPetrov, ormris, mgorny, whisperity, 
xazax.hun, baloghadamsoftware, szepet, rnkovacs, a.sidorin, mikhail.ramalho, 
Szelethus, donat.nagy, dkrupp, Charusso, steakhal, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D75665

Added: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.ast-dump.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.ast-dump.txt
clang/test/Analysis/ctu-on-demand-parsing.c
clang/test/Analysis/ctu-on-demand-parsing.cpp

Modified: 
clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
clang/include/clang/CrossTU/CrossTranslationUnit.h
clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
clang/lib/CrossTU/CrossTranslationUnit.cpp
clang/test/Analysis/Inputs/ctu-other.c
clang/test/Analysis/analyzer-config.c
clang/test/Analysis/ctu-different-triples.cpp
clang/test/Analysis/ctu-main.c
clang/test/Analysis/ctu-main.cpp
clang/test/Analysis/ctu-unknown-parts-in-triples.cpp
clang/unittests/CrossTU/CrossTranslationUnitTest.cpp

Removed: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.txt



diff  --git a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst 
b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
index 86f972b63e31..36be82f209ef 100644
--- a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
+++ b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
@@ -3,14 +3,35 @@ Cross Translation Unit (CTU) Analysis
 =
 
 Normally, static analysis works in the boundary of one translation unit (TU).
-However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from another TU.
+However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from
+another TU.
 
 .. contents::
:local:
 
-Manual CTU Analysis

+Overview
+
+CTU analysis can be used in a variety of ways. The importing of external TU 
definitions can work with pre-dumped PCH
+files or generating the necessary AST structure on-demand, during the analysis 
of the main TU. Driving the static
+analysis can also be implemented in multiple ways. The most direct way is to 
specify the necessary commandline options
+of the Clang frontend manually (and generate the prerequisite dependencies of 
the specific import method by hand). This
+process can be automated by other tools, like `CodeChecker 
`_ and scan-build-py
+(preference for the former).
+
+PCH-based analysis
+__
+The analysis needs the PCH dumps of all the translations units used in the 
project.
+These can be generated by the Clang Frontend itself, and must be arranged in a 
specific way in the filesystem.
+The index, which maps symbols' USR names to PCH dumps containing them must 
also be generated by the
+`clang-extdef-mapping`. Entries in the index *must* have an `.ast` suffix if 
the goal
+is to use PCH-based analysis, as the lack of that extension signals that the 
entry is to be used as a source-file, and parsed on-demand.
+This tool uses a :doc:`compilation database <../../JSONCompilationDatabase>` to
+determine the compilation flags used.
+The analysis invocation must be provided with the directory which contains the 
dumps and the mapping files.
+
 
+Manual CTU Analysis
+###
 Let's consider these source files in our minimal example:
 
 .. code-block:: cpp
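Review bot: the summary and this documentation hunk are identical to what landed as 020815f and was reverted for the PS4 bot two hours earlier, yet the message does not say what was changed to address that failure. A re-land should carry a line naming the fix (or stating that the breakage was unrelated to the patch), otherwise the next bot failure cannot be told apart from the first one.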
@@ -47,7 +68,8 @@ And a compilation database:
   ]
 
 We'd like to analyze `main.cpp` and discover the division by zero bug.
-In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file of `foo.cpp`:
+In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file
+of `foo.cpp`:
 
 .. code-block:: bash
 
@@ -58,7 +80,8 @@ In order to be able to inline the definition of `foo` from 
`foo.cpp` first we ha
   compile_commands.json  foo.cpp.ast  foo.cpp  main.cpp
   $
 
-The next step is to create

[clang] 435b458 - Revert "[analyzer] On-demand parsing capability for CTU"

2020-06-10 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2020-06-10T17:55:37+02:00
New Revision: 435b458ad0a4630e6126246a6865748104ccad06

URL: 
https://github.com/llvm/llvm-project/commit/435b458ad0a4630e6126246a6865748104ccad06
DIFF: 
https://github.com/llvm/llvm-project/commit/435b458ad0a4630e6126246a6865748104ccad06.diff

LOG: Revert "[analyzer] On-demand parsing capability for CTU"

This reverts commit 97e07d0c352ca469eb07a0cb3162c2807ff1099d.
Reason: OSX broke for a different reason, this really only seems to work
on linux and very generic windows builds

Added: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.txt

Modified: 
clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
clang/include/clang/CrossTU/CrossTranslationUnit.h
clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
clang/lib/CrossTU/CrossTranslationUnit.cpp
clang/test/Analysis/Inputs/ctu-other.c
clang/test/Analysis/analyzer-config.c
clang/test/Analysis/ctu-different-triples.cpp
clang/test/Analysis/ctu-main.c
clang/test/Analysis/ctu-main.cpp
clang/test/Analysis/ctu-unknown-parts-in-triples.cpp
clang/unittests/CrossTU/CrossTranslationUnitTest.cpp

Removed: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.ast-dump.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.ast-dump.txt
clang/test/Analysis/ctu-on-demand-parsing.c
clang/test/Analysis/ctu-on-demand-parsing.cpp



diff  --git a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst 
b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
index 36be82f209ef..86f972b63e31 100644
--- a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
+++ b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
@@ -3,35 +3,14 @@ Cross Translation Unit (CTU) Analysis
 =
 
 Normally, static analysis works in the boundary of one translation unit (TU).
-However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from
-another TU.
+However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from another TU.
 
 .. contents::
:local:
 
-Overview
-
-CTU analysis can be used in a variety of ways. The importing of external TU 
definitions can work with pre-dumped PCH
-files or generating the necessary AST structure on-demand, during the analysis 
of the main TU. Driving the static
-analysis can also be implemented in multiple ways. The most direct way is to 
specify the necessary commandline options
-of the Clang frontend manually (and generate the prerequisite dependencies of 
the specific import method by hand). This
-process can be automated by other tools, like `CodeChecker 
`_ and scan-build-py
-(preference for the former).
-
-PCH-based analysis
-__
-The analysis needs the PCH dumps of all the translations units used in the 
project.
-These can be generated by the Clang Frontend itself, and must be arranged in a 
specific way in the filesystem.
-The index, which maps symbols' USR names to PCH dumps containing them must 
also be generated by the
-`clang-extdef-mapping`. Entries in the index *must* have an `.ast` suffix if 
the goal
-is to use PCH-based analysis, as the lack of that extension signals that the 
entry is to be used as a source-file, and parsed on-demand.
-This tool uses a :doc:`compilation database <../../JSONCompilationDatabase>` to
-determine the compilation flags used.
-The analysis invocation must be provided with the directory which contains the 
dumps and the mapping files.
-
-
 Manual CTU Analysis
-###
+---
+
 Let's consider these source files in our minimal example:
 
 .. code-block:: cpp
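Review bot: the stated reason is that the feature works only on Linux and very generic Windows builds, which points at the new lit tests assuming a particular host toolchain or path layout rather than at the library change itself. Rather than reverting the whole feature a second time, the re-land could gate `ctu-on-demand-parsing.c`/`.cpp` with `REQUIRES:` or `UNSUPPORTED:` lines for the hosts where they fail, and record in the commit which hosts those were.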
@@ -68,8 +47,7 @@ And a compilation database:
   ]
 
 We'd like to analyze `main.cpp` and discover the division by zero bug.
-In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file
-of `foo.cpp`:
+In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file of `foo.cpp`:
 
 .. code-block:: bash
 
@@ -80,8 +58,7 @@ of `foo.cpp`:
   compile_commands.json  foo.cpp.ast  foo.cpp  main.cpp
   $
 
-The next step is to create a CTU index file which holds the `USR` name and 
location of external definitions in the
-source files:
+The next step is to create a CTU index file which holds the `USR` name and 
location of external definitions in the source files:
 
 .. code-block:: bash
 
@@ -108,33 +85,47 @@ We have to feed Clang with CTU specific extra arguments:
 
   $ pwd
   /path/to/your/project
-  $ clang++ --analyze \
-  -Xclang -analyzer-config -Xclang 
experimental-enable-naive-ctu-analysis=true \
-  -Xclang -analyzer-confi

[clang] 5cc1851 - [analyzer] On-demand parsing capability for CTU

2020-06-11 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2020-06-11T10:56:59+02:00
New Revision: 5cc18516c4839fccc64b54eaa5aa447a8e1ed8fa

URL: 
https://github.com/llvm/llvm-project/commit/5cc18516c4839fccc64b54eaa5aa447a8e1ed8fa
DIFF: 
https://github.com/llvm/llvm-project/commit/5cc18516c4839fccc64b54eaa5aa447a8e1ed8fa.diff

LOG: [analyzer] On-demand parsing capability for CTU

Summary:
Introduce on-demand parsing of needed ASTs during CTU analysis.
The index-file format is extended, and analyzer-option CTUInvocationList
is added to specify the exact invocations needed to parse the needed
source-files.

Reviewers: martong, balazske, Szelethus, xazax.hun, whisperity

Reviewed By: martong, xazax.hun

Subscribers: gribozavr2, thakis, ASDenysPetrov, ormris, mgorny, whisperity, 
xazax.hun, baloghadamsoftware, szepet, rnkovacs, a.sidorin, mikhail.ramalho, 
Szelethus, donat.nagy, dkrupp, Charusso, steakhal, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D75665

Added: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.ast-dump.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.ast-dump.txt
clang/test/Analysis/ctu-on-demand-parsing.c
clang/test/Analysis/ctu-on-demand-parsing.cpp

Modified: 
clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
clang/include/clang/CrossTU/CrossTranslationUnit.h
clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
clang/lib/CrossTU/CrossTranslationUnit.cpp
clang/test/Analysis/Inputs/ctu-other.c
clang/test/Analysis/analyzer-config.c
clang/test/Analysis/ctu-different-triples.cpp
clang/test/Analysis/ctu-main.c
clang/test/Analysis/ctu-main.cpp
clang/test/Analysis/ctu-unknown-parts-in-triples.cpp
clang/unittests/CrossTU/CrossTranslationUnitTest.cpp

Removed: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.txt



diff  --git a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst 
b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
index 86f972b63e31..36be82f209ef 100644
--- a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
+++ b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
@@ -3,14 +3,35 @@ Cross Translation Unit (CTU) Analysis
 =
 
 Normally, static analysis works in the boundary of one translation unit (TU).
-However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from another TU.
+However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from
+another TU.
 
 .. contents::
:local:
 
-Manual CTU Analysis

+Overview
+
+CTU analysis can be used in a variety of ways. The importing of external TU 
definitions can work with pre-dumped PCH
+files or generating the necessary AST structure on-demand, during the analysis 
of the main TU. Driving the static
+analysis can also be implemented in multiple ways. The most direct way is to 
specify the necessary commandline options
+of the Clang frontend manually (and generate the prerequisite dependencies of 
the specific import method by hand). This
+process can be automated by other tools, like `CodeChecker 
`_ and scan-build-py
+(preference for the former).
+
+PCH-based analysis
+__
+The analysis needs the PCH dumps of all the translations units used in the 
project.
+These can be generated by the Clang Frontend itself, and must be arranged in a 
specific way in the filesystem.
+The index, which maps symbols' USR names to PCH dumps containing them must 
also be generated by the
+`clang-extdef-mapping`. Entries in the index *must* have an `.ast` suffix if 
the goal
+is to use PCH-based analysis, as the lack of that extension signals that the 
entry is to be used as a source-file, and parsed on-demand.
+This tool uses a :doc:`compilation database <../../JSONCompilationDatabase>` to
+determine the compilation flags used.
+The analysis invocation must be provided with the directory which contains the 
dumps and the mapping files.
+
 
+Manual CTU Analysis
+###
 Let's consider these source files in our minimal example:
 
 .. code-block:: cpp
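Review bot: third landing of D75665 with the description unchanged from the two reverted commits (020815f, PS4 bot; 97e07d0, OSX). Add to the message what differs this time so the history explains why this landing is expected to stick; otherwise reviewers have to diff three near-identical commits to locate the fix.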
@@ -47,7 +68,8 @@ And a compilation database:
   ]
 
 We'd like to analyze `main.cpp` and discover the division by zero bug.
-In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file of `foo.cpp`:
+In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file
+of `foo.cpp`:
 
 .. code-block:: bash
 
@@ -58,7 +80,8 @@ In order to be able to inline the definition of `foo` from 
`foo.cpp` first we ha
   compile_commands.json  foo.cpp.ast  foo.cpp  main.cpp
   $
 
-The next step is to create

[clang] 52f6532 - [analyzer][CrossTU] Lower CTUImportThreshold default value

2020-07-01 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2020-07-01T10:08:52+02:00
New Revision: 52f65323660051a5d039d475edfd4a3018682dcb

URL: 
https://github.com/llvm/llvm-project/commit/52f65323660051a5d039d475edfd4a3018682dcb
DIFF: 
https://github.com/llvm/llvm-project/commit/52f65323660051a5d039d475edfd4a3018682dcb.diff

LOG: [analyzer][CrossTU] Lower CTUImportThreshold default value

Summary:
The default value of 100 makes the analysis slow. Projects of considerable
size can take more time to finish than it is practical. The new default
setting of 8 is based on the analysis of LLVM itself. With the old default
value of 100 the analysis time was over a magnitude slower. Thresholding the
load of ASTUnits is to be extended in the future with a more fine-tuneable
solution that accommodates the specifics of the project analyzed.

Reviewers: martong, balazske, Szelethus

Subscribers: whisperity, xazax.hun, baloghadamsoftware, szepet, rnkovacs, 
a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, steakhal, 
ASDenysPetrov, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D82561

Added: 


Modified: 
clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
clang/test/Analysis/analyzer-config.c

Removed: 




diff  --git a/clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def 
b/clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
index 8944dfe0f749..9ee113c0dcaf 100644
--- a/clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
+++ b/clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
@@ -324,7 +324,7 @@ ANALYZER_OPTION(unsigned, CTUImportThreshold, 
"ctu-import-threshold",
 "Lowering this threshold can alleviate the memory burder of "
 "analysis with many interdependent definitions located in "
 "various translation units.",
-100u)
+8u)
 
 ANALYZER_OPTION(
 unsigned, AlwaysInlineSize, "ipa-always-inline-size",
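Review bot: the option description in the context lines carries a typo, `memory burder` should be `memory burden`, and since this hunk already edits the same ANALYZER_OPTION entry the fix is free. The description could also state that the default of 8 was calibrated on an analysis of LLVM itself (as the commit message says) and is meant to be raised for projects with many interdependent definitions, so users do not read 8 as a universal limit.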

diff  --git a/clang/test/Analysis/analyzer-config.c 
b/clang/test/Analysis/analyzer-config.c
index 7a411a162201..e4035cf755b2 100644
--- a/clang/test/Analysis/analyzer-config.c
+++ b/clang/test/Analysis/analyzer-config.c
@@ -41,7 +41,7 @@
 // CHECK-NEXT: cplusplus.Move:WarnOn = KnownsAndLocals
 // CHECK-NEXT: crosscheck-with-z3 = false
 // CHECK-NEXT: ctu-dir = ""
-// CHECK-NEXT: ctu-import-threshold = 100
+// CHECK-NEXT: ctu-import-threshold = 8
 // CHECK-NEXT: ctu-index-name = externalDefMap.txt
 // CHECK-NEXT: ctu-invocation-list = invocations.yaml
 // CHECK-NEXT: deadcode.DeadStores:ShowFixIts = false




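A model of the two behaviours described by the on-demand parsing commits (D75665) and the threshold change (D82561) above, as an added example that is not Clang's code: an index in the `<USR> <path>` line format this example assumes for `externalDefMap.txt` (an assumption; check `clang-extdef-mapping` output for your Clang version), where an entry ending in `.ast` denotes a pre-dumped AST file and any other entry a source file to be parsed on demand with an invocation looked up by path (the invocation list is modelled as a plain map rather than `invocations.yaml`), plus an import session that refuses to open a further unit once `threshold` units are loaded, the role a `ctu-import-threshold` of 8 plays in capping the ASTUnits held in memory. The names `parseIndex`, `ImportSession`, `runImports`, the sample index and the sample invocation list are this example's own constructions.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// How an index entry is consumed. The decision rests on the path suffix
// alone, which is why the index must be a trusted input.
enum class EntryKind { AstDump, OnDemandSource };

struct IndexEntry {
  std::string path;
  EntryKind kind;
};

// Assumed line format "<USR> <path>", USR ending at the first space
// (assumption; check clang-extdef-mapping output for your Clang version).
// Malformed lines are skipped, never guessed at.
std::map<std::string, IndexEntry> parseIndex(const std::string &text) {
  std::map<std::string, IndexEntry> index;
  std::istringstream in(text);
  std::string line;
  while (std::getline(in, line)) {
    std::size_t sp = line.find(' ');
    if (sp == std::string::npos || sp == 0 || sp + 1 >= line.size())
      continue;
    std::string path = line.substr(sp + 1);
    bool isAst = path.size() > 4 && path.compare(path.size() - 4, 4, ".ast") == 0;
    index[line.substr(0, sp)] =
        IndexEntry{path, isAst ? EntryKind::AstDump : EntryKind::OnDemandSource};
  }
  return index;
}

enum class Outcome { Loaded, NotInIndex, NoInvocation, ThresholdReached };

// One analysis of a main TU: units opened so far are cached, and no new
// unit is opened once `threshold` of them are held (the role of
// ctu-import-threshold).
class ImportSession {
 public:
  ImportSession(std::map<std::string, IndexEntry> index,
                std::map<std::string, std::vector<std::string>> invocations,
                std::size_t threshold)
      : index_(std::move(index)), invocations_(std::move(invocations)),
        threshold_(threshold) {}

  Outcome request(const std::string &usr) {
    auto it = index_.find(usr);
    if (it == index_.end()) return Outcome::NotInIndex;
    const IndexEntry &e = it->second;
    if (loaded_.count(e.path)) return Outcome::Loaded;  // cached, no new load
    if (loaded_.size() >= threshold_) return Outcome::ThresholdReached;
    if (e.kind == EntryKind::OnDemandSource && !invocations_.count(e.path))
      return Outcome::NoInvocation;  // a source with no known flags is not parsed
    loaded_.insert(e.path);
    return Outcome::Loaded;
  }

  std::size_t loadedUnits() const { return loaded_.size(); }

 private:
  std::map<std::string, IndexEntry> index_;
  std::map<std::string, std::vector<std::string>> invocations_;
  std::size_t threshold_;
  std::set<std::string> loaded_;
};

// Constructed sample index (not clang-extdef-mapping output).
const char *const kSampleIndex =
    "c:@F@foo# /proj/foo.cpp.ast\n"
    "c:@F@foo_helper# /proj/foo.cpp.ast\n"
    "c:@F@bar# /proj/bar.cpp\n"
    "c:@F@baz# /proj/baz.cpp.ast\n"
    "c:@F@qux# /proj/qux.cpp\n";

// Constructed invocation list standing in for invocations.yaml: only
// bar.cpp has known compiler flags.
std::map<std::string, std::vector<std::string>> sampleInvocations() {
  return {{"/proj/bar.cpp", {"clang++", "-std=c++17", "-c", "/proj/bar.cpp"}}};
}

// Run a fresh session over usrs in order and report each outcome.
std::vector<Outcome> runImports(std::size_t threshold,
                                const std::vector<std::string> &usrs) {
  ImportSession s(parseIndex(kSampleIndex), sampleInvocations(), threshold);
  std::vector<Outcome> out;
  for (const std::string &u : usrs) out.push_back(s.request(u));
  return out;
}

int main() {
  std::vector<std::string> usrs{"c:@F@foo#", "c:@F@bar#", "c:@F@baz#",
                                "c:@F@foo_helper#", "c:@F@qux#"};
  std::vector<Outcome> res = runImports(2, usrs);
  for (std::size_t i = 0; i < usrs.size(); ++i)
    std::cout << usrs[i] << " -> " << static_cast<int>(res[i]) << '\n';
  return 0;
}
```

With a threshold of 2 the third distinct unit is refused while a second USR from an already loaded unit still succeeds; with a generous threshold the `qux.cpp` entry is refused for a different reason, because no invocation is known for it, rather than being parsed with guessed flags.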

[clang] 811c0c9 - [analyzer] On-demand parsing capability for CTU

2020-04-27 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2020-04-27T11:20:35+02:00
New Revision: 811c0c9eb462d1fef6ab6908aab7881e5c4f5fbf

URL: 
https://github.com/llvm/llvm-project/commit/811c0c9eb462d1fef6ab6908aab7881e5c4f5fbf
DIFF: 
https://github.com/llvm/llvm-project/commit/811c0c9eb462d1fef6ab6908aab7881e5c4f5fbf.diff

LOG: [analyzer] On-demand parsing capability for CTU

Summary:
Add an option to enable on-demand parsing of needed ASTs during CTU analysis.
Two options are introduced. CTUOnDemandParsing enables the feature, and
CTUOnDemandParsingDatabase specifies the path to a compilation database, which
has all the necessary information to generate the ASTs.

Reviewers: martong, balazske, Szelethus, xazax.hun

Subscribers: ormris, mgorny, whisperity, xazax.hun, baloghadamsoftware, szepet, 
rnkovacs, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, 
steakhal, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D75665

Added: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.ast-dump.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.ast-dump.txt
clang/test/Analysis/ctu-on-demand-parsing-ambigous-compilation-database.c
clang/test/Analysis/ctu-on-demand-parsing.c
clang/test/Analysis/ctu-on-demand-parsing.cpp

Modified: 
clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
clang/include/clang/CrossTU/CrossTranslationUnit.h
clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
clang/lib/CrossTU/CMakeLists.txt
clang/lib/CrossTU/CrossTranslationUnit.cpp
clang/lib/Frontend/CompilerInvocation.cpp
clang/test/Analysis/Inputs/ctu-other.c
clang/test/Analysis/analyzer-config.c
clang/test/Analysis/ctu-different-triples.cpp
clang/test/Analysis/ctu-main.c
clang/test/Analysis/ctu-main.cpp
clang/test/Analysis/ctu-unknown-parts-in-triples.cpp
clang/unittests/CrossTU/CrossTranslationUnitTest.cpp

Removed: 
clang/test/Analysis/Inputs/ctu-other.c.externalDefMap.txt
clang/test/Analysis/Inputs/ctu-other.cpp.externalDefMap.txt



diff  --git a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst 
b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
index 86f972b63e31..1a7ac1c71f21 100644
--- a/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
+++ b/clang/docs/analyzer/user-docs/CrossTranslationUnit.rst
@@ -3,14 +3,33 @@ Cross Translation Unit (CTU) Analysis
 =
 
 Normally, static analysis works in the boundary of one translation unit (TU).
-However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from another TU.
+However, with additional steps and configuration we can enable the analysis to 
inline the definition of a function from
+another TU.
 
 .. contents::
:local:
 
-Manual CTU Analysis

+Overview
+
+CTU analysis can be used in a variety of ways. The importing of external TU 
definitions can work with pre-dumped PCH
+files or generating the necessary AST structure on-demand, during the analysis 
of the main TU. Driving the static
+analysis can also be implemented in multiple ways. The most direct way is to 
specify the necessary commandline options
+of the Clang frontend manually (and generate the prerequisite dependencies of 
the specific import method by hand). This
+process can be automated by other tools, like `CodeChecker 
`_ and scan-build-py
+(preference for the former).
+
+PCH-based analysis
+__
+The analysis needs the PCH dumps of all the translations units used in the 
project.
+These can be generated by the Clang Frontend itself, and must be arranged in a 
specific way in the filesystem.
+The index, which maps symbols' USR names to PCH dumps containing them must 
also be generated by the
+`clang-extdef-mapping`. This tool uses a :doc:`compilation database 
<../../JSONCompilationDatabase>` to
+determine the compilation flags used.
+The analysis invocation must be provided with the directory which contains the 
dumps and the mapping files.
+
 
+Manual CTU Analysis
+###
 Let's consider these source files in our minimal example:
 
 .. code-block:: cpp
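Review bot: typo and grammar in the added Overview and PCH-based analysis text: "translations units" should be "translation units"; "with pre-dumped PCH files or generating the necessary AST structure on-demand" is not parallel and reads better as "either from pre-dumped PCH files or by generating the necessary AST structure on demand"; and "The index, which maps symbols' USR names to PCH dumps containing them must also be generated by the `clang-extdef-mapping`" needs a comma after "them" and should either drop "the" or say "the `clang-extdef-mapping` tool". The parenthetical "(preference for the former)" is ambiguous in a sentence that names two tools; state directly that CodeChecker is the preferred driver.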
@@ -47,7 +66,8 @@ And a compilation database:
   ]
 
 We'd like to analyze `main.cpp` and discover the division by zero bug.
-In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file of `foo.cpp`:
+In order to be able to inline the definition of `foo` from `foo.cpp` first we 
have to generate the `AST` (or `PCH`) file
+of `foo.cpp`:
 
 .. code-block:: bash
 
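Review bot: missing comma in the reflowed sentence; it should read "In order to be able to inline the definition of `foo` from `foo.cpp`, first we have to generate the `AST` (or `PCH`) file of `foo.cpp`:". Since the line is being rewrapped anyway, fix it here.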
@@ -58,7 +78,8 @@ In order to be able to inline the definition of `foo` from 
`foo.cpp` first we ha
   compile_commands.json  foo.cpp.ast  foo.cpp  main.cpp
   $
 
-The next step is to create a CTU index file which holds the `USR` name and 
locati

[clang] [analyzer] Move security.cert.env.InvalidPtr out of alpha (PR #71912)

2023-11-10 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 created 
https://github.com/llvm/llvm-project/pull/71912

Thanks to recent improvements in #67663, InvalidPtr checker does not emit any 
false positives on the following OS projects: memcached, tmux, curl, twin, vim, 
openssl, sqlite, ffmpeg, postgres, tinyxml2, libwebm, xerces, bitcoin, 
protobuf, qtbase, contour, acid, openrct2.

From 2d94271affd27c5ebf1073a9effbe6c7815f5c01 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
From: Endre Fülöp
Date: Fri, 10 Nov 2023 10:08:58 +0100
Subject: [PATCH] [analyzer] Move security.cert.env.InvalidPtr out of alpha

Thanks to recent improvements in #67663, InvalidPtr checker does
not emit any false positives on the following OS projects:
memcached, tmux, curl, twin, vim, openssl, sqlite, ffmpeg, postgres,
tinyxml2, libwebm, xerces, bitcoin, protobuf, qtbase, contour, acid,
openrct2
---
 clang/docs/analyzer/checkers.rst  | 138 +-
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  28 ++--
 clang/test/Analysis/analyzer-config.c |   2 +-
 clang/test/Analysis/cert/env31-c.c|  10 +-
 .../Analysis/cert/env34-c-cert-examples.c |  10 +-
 clang/test/Analysis/cert/env34-c.c|   4 +-
 clang/test/Analysis/invalid-ptr-checker.c |   8 +-
 7 files changed, 101 insertions(+), 99 deletions(-)

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 43137f4b020f9f7..ff4559aa89d96a0 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -755,6 +755,75 @@ security
 
 Security related checkers.
 
+.. _security-cert-env-InvalidPtr:
+
+security.cert.env.InvalidPtr
+""
+
+Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
+
+ENV31-C:
+Rule is about the possible problem with `main` function's third argument, 
environment pointer,
+"envp". When environment array is modified using some modification function
+such as putenv, setenv or others, It may happen that memory is reallocated,
+however "envp" is not updated to reflect the changes and points to old memory
+region.
+
+ENV34-C:
+Some functions return a pointer to a statically allocated buffer.
+Consequently, subsequent call of these functions will invalidate previous
+pointer. These functions include: getenv, localeconv, asctime, setlocale, 
strerror
+
+.. code-block:: c
+
+  int main(int argc, const char *argv[], const char *envp[]) {
+if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
+  // setenv call may invalidate 'envp'
+  /* Handle error */
+}
+if (envp != NULL) {
+  for (size_t i = 0; envp[i] != NULL; ++i) {
+puts(envp[i]);
+// envp may no longer point to the current environment
+// this program has unanticipated behavior, since envp
+// does not reflect changes made by setenv function.
+  }
+}
+return 0;
+  }
+
+  void previous_call_invalidation() {
+char *p, *pp;
+
+p = getenv("VAR");
+setenv("SOMEVAR", "VALUE", /*overwrite = */1);
+// call to 'setenv' may invalidate p
+
+*p;
+// dereferencing invalid pointer
+  }
+
+
+The ``InvalidatingGetEnv`` option is available for treating getenv calls as
+invalidating. When enabled, the checker issues a warning if getenv is called
+multiple times and their results are used without first creating a copy.
+This level of strictness might be considered overly pedantic for the commonly
+used getenv implementations.
+
+To enable this option, use:
+``-analyzer-config security.cert.env.InvalidPtr:InvalidatingGetEnv=true``.
+
+By default, this option is set to *false*.
+
+When this option is enabled, warnings will be generated for scenarios like the
+following:
+
+.. code-block:: c
+
+  char* p = getenv("VAR");
+  char* pp = getenv("VAR2"); // assumes this call can invalidate `env`
+  strlen(p); // warns about accessing invalid ptr
+
 .. _security-FloatLoopCounter:
 
 security.FloatLoopCounter (C)
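Review bot: the comment in the `InvalidatingGetEnv` example refers to a variable that does not exist in the snippet: "// assumes this call can invalidate `env`" should say `p`, the pointer the following `strlen(p)` line warns about. In `previous_call_invalidation`, `pp` is declared but never used and `*p;` is a statement with no effect (clang flags it with -Wunused-value when the snippet is compiled); a real use such as `puts(p);` makes the invalid access obvious. The ENV31-C paragraph also has grammar problems ("It may happen" capitalised mid-sentence, "using some modification function such as putenv, setenv or others"), and the ENV34-C function list ends without a period. Since this section now documents a released checker, it would help users to show the compliant form beside each example: copy the getenv result (for example with strdup) before the next call, and walk the environment through `environ` instead of a cached `envp`, which is what the CERT compliant solutions do.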
@@ -2479,75 +2548,6 @@ alpha.security.cert.env
 
 SEI CERT checkers of `Environment C coding rules 
`_.
 
-.. _alpha-security-cert-env-InvalidPtr:
-
-alpha.security.cert.env.InvalidPtr
-""
-
-Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
-
-ENV31-C:
-Rule is about the possible problem with `main` function's third argument, 
environment pointer,
-"envp". When environment array is modified using some modification function
-such as putenv, setenv or others, It may happen that memory is reallocated,
-however "envp" is not updated to reflect the changes and points to old memory
-region.
-
-ENV34-C:
-Some functions return a pointer to a statically allocated buffer.
-Consequently, subsequent call of these functions will invalidate previous
-pointer. These functions include: getenv, localeconv, asctime, setlocale, 
strerror
-
-.. code-block:: c
-
-  int main(int argc, const char *argv[], const char *envp[]) {
-if (setenv("MY_NEW_VAR", "new_value", 1) != 
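Review bot: removing the `.. _alpha-security-cert-env-InvalidPtr:` label breaks any `:ref:` in the docs tree that still points at it, and any external link to the old anchor. Grep for the old name and update it to `security-cert-env-InvalidPtr`, and consider keeping the old label in place directly above the new one as an alias so existing links keep resolving.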

[clang] [analyzer] Move security.cert.env.InvalidPtr out of alpha (PR #71912)

2023-11-10 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 edited 
https://github.com/llvm/llvm-project/pull/71912
___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits


[clang] [analyzer] EnumCastOutOfRangeChecker: report the value (PR #74503)

2023-12-07 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 approved this pull request.


https://github.com/llvm/llvm-project/pull/74503


[clang] [analyzer] Use AllocaRegion in MallocChecker (PR #72402)

2023-11-20 Thread Endre Fülöp via cfe-commits


@@ -81,22 +81,21 @@ bool BuiltinFunctionChecker::evalCall(const CallEvent &Call,
 
   case Builtin::BI__builtin_alloca_with_align:
   case Builtin::BI__builtin_alloca: {
-// FIXME: Refactor into StoreManager itself?
-MemRegionManager& RM = C.getStoreManager().getRegionManager();
-const AllocaRegion* R =
-  RM.getAllocaRegion(CE, C.blockCount(), C.getLocationContext());
-
-// Set the extent of the region in bytes. This enables us to use the
-// SVal of the argument directly. If we save the extent in bits, we
-// cannot represent values like symbol*8.
-auto Size = Call.getArgSVal(0);
-if (Size.isUndef())
-  return true; // Return true to model purity.
-
-state = setDynamicExtent(state, R, Size.castAs(),
- C.getSValBuilder());
+SValBuilder &SVB = C.getSValBuilder();
+const loc::MemRegionVal R =
+SVB.getAllocaRegionVal(CE, C.getLocationContext(), C.blockCount());
 
-C.addTransition(state->BindExpr(CE, LCtx, loc::MemRegionVal(R)));
+// Set the extent of the region in bytes. This enables us to use the SVal
+// of the argument directly. If we saved the extent in bits, it'd be more
+// difficult to reason about values like symbol*8.
+auto Size = Call.getArgSVal(0);
+if (auto DefSize = Size.getAs()) {
+  state = setDynamicExtent(state, R.getRegion(), *DefSize, SVB);
+  // FIXME: perhaps the following transition should be moved out of the
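Review bot: the old `if (Size.isUndef()) return true;` early exit is dropped, so an undefined argument now falls through the `if (auto DefSize = Size.getAs...)` guard with no extent set on the region, and the rest of the function presumably still binds the alloca region to the call expression. That is a behaviour change for the undefined case; either keep the early return, or add a comment stating why binding an alloca region of unknown extent is now the intended modelling, and add a test that exercises it.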

gamesh411 wrote:

I would go with first asserting that the Size is DefinedOrUnknown anyway, and 
if we have a crash with a reproducer, then we can add the if and the test case 
for it.

https://github.com/llvm/llvm-project/pull/72402


[clang] [analyzer] Use AllocaRegion in MallocChecker (PR #72402)

2023-11-20 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 approved this pull request.

LGTM, added two remarks inline, but those can be separate patches as well.

https://github.com/llvm/llvm-project/pull/72402


[clang] [analyzer] Use AllocaRegion in MallocChecker (PR #72402)

2023-11-20 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 edited 
https://github.com/llvm/llvm-project/pull/72402


[clang] [analyzer] Use AllocaRegion in MallocChecker (PR #72402)

2023-11-20 Thread Endre Fülöp via cfe-commits


@@ -266,13 +266,18 @@ void CheckUseZeroAllocated1(void) {
 }
 
 char CheckUseZeroAllocated2(void) {
+  // FIXME: The return value of `alloca()` is modeled with `AllocaRegion`
+  // instead of `SymbolicRegion`, so the current implementation of
+  // `MallocChecker::checkUseZeroAllocated()` cannot handle it; and we get an
+  // unrelated, but suitable warning from core.uninitialized.UndefReturn.
   char *p = alloca(0);
-  return *p; // expected-warning {{Use of memory allocated with size zero}}
+  return *p; // expected-warning {{Undefined or garbage value returned to 
caller}}
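Review bot: the new expected-warning depends on core.uninitialized.UndefReturn being enabled in the test's RUN line, and the FIXME records that the MallocChecker diagnostic for a zero-size `alloca()` is lost rather than fixed. Please verify the RUN line enables that checker (otherwise the test fails with an unexpected-warning), and reference a tracking issue in the FIXME so the zero-size `alloca` case is not silently forgotten once `checkUseZeroAllocated()` learns about `AllocaRegion`.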

gamesh411 wrote:

Even if it is not the real question, what we are to do with the 0-size `alloca` 
calls, but just to highlight some practical concerns, I found these sources:
https://discourse.llvm.org/t/malloc-free-and-alloca-with-zero-size/9284/3
https://stackoverflow.com/questions/8036654/what-does-alloca0-do-and-return-on-various-platforms

So `alloca(0)` sometimes has a special meaning. If we can give more specific 
error messages in these cases, I would prefer to handle those error messages in 
the more specific checker.
Even if ArrayBoundV2 has more user-friendly and mature error reporting (and 
would cover this case strictly speaking), making this more specific checker 
emit better diagnostics as well is something worth considering IMO.

https://github.com/llvm/llvm-project/pull/72402


[clang] [clang][analyzer] Move `security.cert.env.InvalidPtr` out of `alpha` (PR #71912)

2023-11-22 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/71912

From 977e421008c1247d54f4cb67967ed2a353935c03 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Fri, 10 Nov 2023 10:08:58 +0100
Subject: [PATCH 1/2] [analyzer] Move security.cert.env.InvalidPtr out of alpha

Thanks to recent improvements in #67663, InvalidPtr checker does
not emit any false positives on the following OS projects:
memcached, tmux, curl, twin, vim, openssl, sqlite, ffmpeg, postgres,
tinyxml2, libwebm, xerces, bitcoin, protobuf, qtbase, contour, acid,
openrct2
---
 clang/docs/analyzer/checkers.rst  | 138 +-
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  28 ++--
 clang/test/Analysis/analyzer-config.c |   2 +-
 clang/test/Analysis/cert/env31-c.c|  10 +-
 .../Analysis/cert/env34-c-cert-examples.c |  10 +-
 clang/test/Analysis/cert/env34-c.c|   4 +-
 clang/test/Analysis/invalid-ptr-checker.c |   8 +-
 7 files changed, 101 insertions(+), 99 deletions(-)

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 40aa06724ccb75c..e922ee3c9f4e239 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -755,6 +755,75 @@ security
 
 Security related checkers.
 
+.. _security-cert-env-InvalidPtr:
+
+security.cert.env.InvalidPtr
+""
+
+Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
+
+ENV31-C:
+Rule is about the possible problem with `main` function's third argument, 
environment pointer,
+"envp". When environment array is modified using some modification function
+such as putenv, setenv or others, It may happen that memory is reallocated,
+however "envp" is not updated to reflect the changes and points to old memory
+region.
+
+ENV34-C:
+Some functions return a pointer to a statically allocated buffer.
+Consequently, subsequent call of these functions will invalidate previous
+pointer. These functions include: getenv, localeconv, asctime, setlocale, 
strerror
+
+.. code-block:: c
+
+  int main(int argc, const char *argv[], const char *envp[]) {
+if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
+  // setenv call may invalidate 'envp'
+  /* Handle error */
+}
+if (envp != NULL) {
+  for (size_t i = 0; envp[i] != NULL; ++i) {
+puts(envp[i]);
+// envp may no longer point to the current environment
+// this program has unanticipated behavior, since envp
+// does not reflect changes made by setenv function.
+  }
+}
+return 0;
+  }
+
+  void previous_call_invalidation() {
+char *p, *pp;
+
+p = getenv("VAR");
+setenv("SOMEVAR", "VALUE", /*overwrite = */1);
+// call to 'setenv' may invalidate p
+
+*p;
+// dereferencing invalid pointer
+  }
+
+
+The ``InvalidatingGetEnv`` option is available for treating getenv calls as
+invalidating. When enabled, the checker issues a warning if getenv is called
+multiple times and their results are used without first creating a copy.
+This level of strictness might be considered overly pedantic for the commonly
+used getenv implementations.
+
+To enable this option, use:
+``-analyzer-config security.cert.env.InvalidPtr:InvalidatingGetEnv=true``.
+
+By default, this option is set to *false*.
+
+When this option is enabled, warnings will be generated for scenarios like the
+following:
+
+.. code-block:: c
+
+  char* p = getenv("VAR");
+  char* pp = getenv("VAR2"); // assumes this call can invalidate `env`
+  strlen(p); // warns about accessing invalid ptr
+
 .. _security-FloatLoopCounter:
 
 security.FloatLoopCounter (C)
@@ -2549,75 +2618,6 @@ alpha.security.cert.env
 
 SEI CERT checkers of `Environment C coding rules 
`_.
 
-.. _alpha-security-cert-env-InvalidPtr:
-
-alpha.security.cert.env.InvalidPtr
-""
-
-Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
-
-ENV31-C:
-Rule is about the possible problem with `main` function's third argument, 
environment pointer,
-"envp". When environment array is modified using some modification function
-such as putenv, setenv or others, It may happen that memory is reallocated,
-however "envp" is not updated to reflect the changes and points to old memory
-region.
-
-ENV34-C:
-Some functions return a pointer to a statically allocated buffer.
-Consequently, subsequent call of these functions will invalidate previous
-pointer. These functions include: getenv, localeconv, asctime, setlocale, 
strerror
-
-.. code-block:: c
-
-  int main(int argc, const char *argv[], const char *envp[]) {
-if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
-  // setenv call may invalidate 'envp'
-  /* Handle error */
-}
-if (envp != NULL) {
-  for (size_t i = 0; envp[i] != NULL; ++i) {
-puts(envp[i]);
-// envp may no longer point to the current environment
-// this program ha

[clang] [clang][analyzer] Move `security.cert.env.InvalidPtr` out of `alpha` (PR #71912)

2023-11-22 Thread Endre Fülöp via cfe-commits


@@ -1009,11 +1002,20 @@ let ParentPackage = ENV in {
   "standard), which can lead to false positives depending on "
   "implementation.",
   "false",
-  InAlpha>,
+  Released>,
   ]>,
   Documentation;
 
-} // end "alpha.cert.env"
+} // end "security.cert.env"
+
+let ParentPackage = POSAlpha in {
+
+  def PutenvWithAuto : Checker<"34c">,
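Review bot: the `POSAlpha` parent package introduced here needs its own `Package` definition under the alpha hierarchy, and repurposing the existing `POS` name shifts every checker that used it; confirm that the `// end "..."` comments, the checker-name tests and the analyzer-config tests all reflect the new `security.cert.env` path and that no checker silently moved from `alpha.security.cert.pos` into a released package by the rename. A one-line comment above `let ParentPackage = POSAlpha` explaining the rename would save the next reader the confusion this diff causes.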

gamesh411 wrote:

The POS package was by default in the alpha hierarchy, and there was no POS 
package for non-alpha. For consistent naming, I have renamed the old one to 
POSAlpha and introduced a new one with the old name POS. This is why the diff 
is confusing.

https://github.com/llvm/llvm-project/pull/71912


[clang] [clang][analyzer] Move `security.cert.env.InvalidPtr` out of `alpha` (PR #71912)

2023-11-23 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/71912

From 977e421008c1247d54f4cb67967ed2a353935c03 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Fri, 10 Nov 2023 10:08:58 +0100
Subject: [PATCH 1/3] [analyzer] Move security.cert.env.InvalidPtr out of alpha

Thanks to recent improvements in #67663, InvalidPtr checker does
not emit any false positives on the following OS projects:
memcached, tmux, curl, twin, vim, openssl, sqlite, ffmpeg, postgres,
tinyxml2, libwebm, xerces, bitcoin, protobuf, qtbase, contour, acid,
openrct2
---
 clang/docs/analyzer/checkers.rst  | 138 +-
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  28 ++--
 clang/test/Analysis/analyzer-config.c |   2 +-
 clang/test/Analysis/cert/env31-c.c|  10 +-
 .../Analysis/cert/env34-c-cert-examples.c |  10 +-
 clang/test/Analysis/cert/env34-c.c|   4 +-
 clang/test/Analysis/invalid-ptr-checker.c |   8 +-
 7 files changed, 101 insertions(+), 99 deletions(-)

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 40aa06724ccb75c..e922ee3c9f4e239 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -755,6 +755,75 @@ security
 
 Security related checkers.
 
+.. _security-cert-env-InvalidPtr:
+
+security.cert.env.InvalidPtr
+""
+
+Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
+
+ENV31-C:
+Rule is about the possible problem with `main` function's third argument, 
environment pointer,
+"envp". When environment array is modified using some modification function
+such as putenv, setenv or others, It may happen that memory is reallocated,
+however "envp" is not updated to reflect the changes and points to old memory
+region.
+
+ENV34-C:
+Some functions return a pointer to a statically allocated buffer.
+Consequently, subsequent call of these functions will invalidate previous
+pointer. These functions include: getenv, localeconv, asctime, setlocale, 
strerror
+
+.. code-block:: c
+
+  int main(int argc, const char *argv[], const char *envp[]) {
+if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
+  // setenv call may invalidate 'envp'
+  /* Handle error */
+}
+if (envp != NULL) {
+  for (size_t i = 0; envp[i] != NULL; ++i) {
+puts(envp[i]);
+// envp may no longer point to the current environment
+// this program has unanticipated behavior, since envp
+// does not reflect changes made by setenv function.
+  }
+}
+return 0;
+  }
+
+  void previous_call_invalidation() {
+char *p, *pp;
+
+p = getenv("VAR");
+setenv("SOMEVAR", "VALUE", /*overwrite = */1);
+// call to 'setenv' may invalidate p
+
+*p;
+// dereferencing invalid pointer
+  }
+
+
+The ``InvalidatingGetEnv`` option is available for treating getenv calls as
+invalidating. When enabled, the checker issues a warning if getenv is called
+multiple times and their results are used without first creating a copy.
+This level of strictness might be considered overly pedantic for the commonly
+used getenv implementations.
+
+To enable this option, use:
+``-analyzer-config security.cert.env.InvalidPtr:InvalidatingGetEnv=true``.
+
+By default, this option is set to *false*.
+
+When this option is enabled, warnings will be generated for scenarios like the
+following:
+
+.. code-block:: c
+
+  char* p = getenv("VAR");
+  char* pp = getenv("VAR2"); // assumes this call can invalidate `env`
+  strlen(p); // warns about accessing invalid ptr
+
 .. _security-FloatLoopCounter:
 
 security.FloatLoopCounter (C)
@@ -2549,75 +2618,6 @@ alpha.security.cert.env
 
 SEI CERT checkers of `Environment C coding rules 
`_.
 
-.. _alpha-security-cert-env-InvalidPtr:
-
-alpha.security.cert.env.InvalidPtr
-""
-
-Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
-
-ENV31-C:
-Rule is about the possible problem with `main` function's third argument, 
environment pointer,
-"envp". When environment array is modified using some modification function
-such as putenv, setenv or others, It may happen that memory is reallocated,
-however "envp" is not updated to reflect the changes and points to old memory
-region.
-
-ENV34-C:
-Some functions return a pointer to a statically allocated buffer.
-Consequently, subsequent call of these functions will invalidate previous
-pointer. These functions include: getenv, localeconv, asctime, setlocale, 
strerror
-
-.. code-block:: c
-
-  int main(int argc, const char *argv[], const char *envp[]) {
-if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
-  // setenv call may invalidate 'envp'
-  /* Handle error */
-}
-if (envp != NULL) {
-  for (size_t i = 0; envp[i] != NULL; ++i) {
-puts(envp[i]);
-// envp may no longer point to the current environment
-// this program ha

[clang] [clang][analyzer] Move `security.cert.env.InvalidPtr` out of `alpha` (PR #71912)

2023-11-23 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/71912

From 80c1f88244b22aaa4badb26384a971d19759b660 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Fri, 10 Nov 2023 10:08:58 +0100
Subject: [PATCH 1/3] [analyzer] Move security.cert.env.InvalidPtr out of alpha

Thanks to recent improvements in #67663, InvalidPtr checker does
not emit any false positives on the following OS projects:
memcached, tmux, curl, twin, vim, openssl, sqlite, ffmpeg, postgres,
tinyxml2, libwebm, xerces, bitcoin, protobuf, qtbase, contour, acid,
openrct2
---
 clang/docs/analyzer/checkers.rst  | 138 +-
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  28 ++--
 clang/test/Analysis/analyzer-config.c |   2 +-
 clang/test/Analysis/cert/env31-c.c|  10 +-
 .../Analysis/cert/env34-c-cert-examples.c |  10 +-
 clang/test/Analysis/cert/env34-c.c|   4 +-
 clang/test/Analysis/invalid-ptr-checker.c |   8 +-
 7 files changed, 101 insertions(+), 99 deletions(-)

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 40aa06724ccb75c..e922ee3c9f4e239 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -755,6 +755,75 @@ security
 
 Security related checkers.
 
+.. _security-cert-env-InvalidPtr:
+
+security.cert.env.InvalidPtr
+""
+
+Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
+
+ENV31-C:
+Rule is about the possible problem with `main` function's third argument, 
environment pointer,
+"envp". When environment array is modified using some modification function
+such as putenv, setenv or others, It may happen that memory is reallocated,
+however "envp" is not updated to reflect the changes and points to old memory
+region.
+
+ENV34-C:
+Some functions return a pointer to a statically allocated buffer.
+Consequently, subsequent call of these functions will invalidate previous
+pointer. These functions include: getenv, localeconv, asctime, setlocale, 
strerror
+
+.. code-block:: c
+
+  int main(int argc, const char *argv[], const char *envp[]) {
+if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
+  // setenv call may invalidate 'envp'
+  /* Handle error */
+}
+if (envp != NULL) {
+  for (size_t i = 0; envp[i] != NULL; ++i) {
+puts(envp[i]);
+// envp may no longer point to the current environment
+// this program has unanticipated behavior, since envp
+// does not reflect changes made by setenv function.
+  }
+}
+return 0;
+  }
+
+  void previous_call_invalidation() {
+char *p, *pp;
+
+p = getenv("VAR");
+setenv("SOMEVAR", "VALUE", /*overwrite = */1);
+// call to 'setenv' may invalidate p
+
+*p;
+// dereferencing invalid pointer
+  }
+
+
+The ``InvalidatingGetEnv`` option is available for treating getenv calls as
+invalidating. When enabled, the checker issues a warning if getenv is called
+multiple times and their results are used without first creating a copy.
+This level of strictness might be considered overly pedantic for the commonly
+used getenv implementations.
+
+To enable this option, use:
+``-analyzer-config security.cert.env.InvalidPtr:InvalidatingGetEnv=true``.
+
+By default, this option is set to *false*.
+
+When this option is enabled, warnings will be generated for scenarios like the
+following:
+
+.. code-block:: c
+
+  char* p = getenv("VAR");
+  char* pp = getenv("VAR2"); // assumes this call can invalidate `env`
+  strlen(p); // warns about accessing invalid ptr
+
 .. _security-FloatLoopCounter:
 
 security.FloatLoopCounter (C)
@@ -2549,75 +2618,6 @@ alpha.security.cert.env
 
 SEI CERT checkers of `Environment C coding rules 
`_.
 
-.. _alpha-security-cert-env-InvalidPtr:
-
-alpha.security.cert.env.InvalidPtr
-""
-
-Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
-
-ENV31-C:
-Rule is about the possible problem with `main` function's third argument, 
environment pointer,
-"envp". When environment array is modified using some modification function
-such as putenv, setenv or others, It may happen that memory is reallocated,
-however "envp" is not updated to reflect the changes and points to old memory
-region.
-
-ENV34-C:
-Some functions return a pointer to a statically allocated buffer.
-Consequently, subsequent call of these functions will invalidate previous
-pointer. These functions include: getenv, localeconv, asctime, setlocale, 
strerror
-
-.. code-block:: c
-
-  int main(int argc, const char *argv[], const char *envp[]) {
-if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
-  // setenv call may invalidate 'envp'
-  /* Handle error */
-}
-if (envp != NULL) {
-  for (size_t i = 0; envp[i] != NULL; ++i) {
-puts(envp[i]);
-// envp may no longer point to the current environment
-// this program ha

[clang] [clang][analyzer] Move `security.cert.env.InvalidPtr` out of `alpha` (PR #71912)

2023-11-23 Thread Endre Fülöp via cfe-commits

gamesh411 wrote:

cleaned up the committer email, as it was pointing to an old address

https://github.com/llvm/llvm-project/pull/71912


[clang] [analyzer] Extend EnumCastOutOfRange diagnostics (PR #68191)

2023-10-28 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 closed 
https://github.com/llvm/llvm-project/pull/68191


[clang] [clang][analyzer] Move `security.cert.env.InvalidPtr` out of `alpha` (PR #71912)

2023-11-23 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/71912

From 248c94c3b8dd29fa9d98419e53f42454a2225544 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Fri, 10 Nov 2023 10:08:58 +0100
Subject: [PATCH 1/3] [analyzer] Move security.cert.env.InvalidPtr out of alpha

Thanks to recent improvements in #67663, InvalidPtr checker does
not emit any false positives on the following OS projects:
memcached, tmux, curl, twin, vim, openssl, sqlite, ffmpeg, postgres,
tinyxml2, libwebm, xerces, bitcoin, protobuf, qtbase, contour, acid,
openrct2
---
 clang/docs/analyzer/checkers.rst  | 138 +-
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  28 ++--
 clang/test/Analysis/analyzer-config.c |   2 +-
 clang/test/Analysis/cert/env31-c.c|  10 +-
 .../Analysis/cert/env34-c-cert-examples.c |  10 +-
 clang/test/Analysis/cert/env34-c.c|   4 +-
 clang/test/Analysis/invalid-ptr-checker.c |   8 +-
 7 files changed, 101 insertions(+), 99 deletions(-)

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 40aa06724ccb75c..e922ee3c9f4e239 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -755,6 +755,75 @@ security
 
 Security related checkers.
 
+.. _security-cert-env-InvalidPtr:
+
+security.cert.env.InvalidPtr
+""
+
+Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
+
+ENV31-C:
+Rule is about the possible problem with `main` function's third argument, 
environment pointer,
+"envp". When environment array is modified using some modification function
+such as putenv, setenv or others, It may happen that memory is reallocated,
+however "envp" is not updated to reflect the changes and points to old memory
+region.
+
+ENV34-C:
+Some functions return a pointer to a statically allocated buffer.
+Consequently, subsequent call of these functions will invalidate previous
+pointer. These functions include: getenv, localeconv, asctime, setlocale, 
strerror
+
+.. code-block:: c
+
+  int main(int argc, const char *argv[], const char *envp[]) {
+if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
+  // setenv call may invalidate 'envp'
+  /* Handle error */
+}
+if (envp != NULL) {
+  for (size_t i = 0; envp[i] != NULL; ++i) {
+puts(envp[i]);
+// envp may no longer point to the current environment
+// this program has unanticipated behavior, since envp
+// does not reflect changes made by setenv function.
+  }
+}
+return 0;
+  }
+
+  void previous_call_invalidation() {
+char *p, *pp;
+
+p = getenv("VAR");
+setenv("SOMEVAR", "VALUE", /*overwrite = */1);
+// call to 'setenv' may invalidate p
+
+*p;
+// dereferencing invalid pointer
+  }
+
+
+The ``InvalidatingGetEnv`` option is available for treating getenv calls as
+invalidating. When enabled, the checker issues a warning if getenv is called
+multiple times and their results are used without first creating a copy.
+This level of strictness might be considered overly pedantic for the commonly
+used getenv implementations.
+
+To enable this option, use:
+``-analyzer-config security.cert.env.InvalidPtr:InvalidatingGetEnv=true``.
+
+By default, this option is set to *false*.
+
+When this option is enabled, warnings will be generated for scenarios like the
+following:
+
+.. code-block:: c
+
+  char* p = getenv("VAR");
+  char* pp = getenv("VAR2"); // assumes this call can invalidate `env`
+  strlen(p); // warns about accessing invalid ptr
+
 .. _security-FloatLoopCounter:
 
 security.FloatLoopCounter (C)
@@ -2549,75 +2618,6 @@ alpha.security.cert.env
 
 SEI CERT checkers of `Environment C coding rules 
`_.
 
-.. _alpha-security-cert-env-InvalidPtr:
-
-alpha.security.cert.env.InvalidPtr
-""
-
-Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
-
-ENV31-C:
-Rule is about the possible problem with `main` function's third argument, 
environment pointer,
-"envp". When environment array is modified using some modification function
-such as putenv, setenv or others, It may happen that memory is reallocated,
-however "envp" is not updated to reflect the changes and points to old memory
-region.
-
-ENV34-C:
-Some functions return a pointer to a statically allocated buffer.
-Consequently, subsequent call of these functions will invalidate previous
-pointer. These functions include: getenv, localeconv, asctime, setlocale, 
strerror
-
-.. code-block:: c
-
-  int main(int argc, const char *argv[], const char *envp[]) {
-if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
-  // setenv call may invalidate 'envp'
-  /* Handle error */
-}
-if (envp != NULL) {
-  for (size_t i = 0; envp[i] != NULL; ++i) {
-puts(envp[i]);
-// envp may no longer point to the current environment
-// this program ha
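Review bot: deleting the `.. _alpha-security-cert-env-InvalidPtr:` label together with the section removes a reStructuredText anchor; any `:ref:` to it elsewhere in the docs or release notes will now fail the Sphinx build, so grep for the old label and either retarget those references to the moved section's label or keep the old label above the new section as an alias.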

[clang] [clang][analyzer] Move `security.cert.env.InvalidPtr` out of `alpha` (PR #71912)

2023-11-24 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 closed 
https://github.com/llvm/llvm-project/pull/71912
___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits


[clang] 094fb13 - [analyzer] Add taint to the BoolAssignmentChecker

2022-05-13 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2022-05-13T09:27:28+02:00
New Revision: 094fb13b88b36ecfa475cb877d2c6e9d90b4d1a5

URL: 
https://github.com/llvm/llvm-project/commit/094fb13b88b36ecfa475cb877d2c6e9d90b4d1a5
DIFF: 
https://github.com/llvm/llvm-project/commit/094fb13b88b36ecfa475cb877d2c6e9d90b4d1a5.diff

LOG: [analyzer] Add taint to the BoolAssignmentChecker

BoolAssignment checker is now taint-aware and warns if a tainted value is
assigned.

Original author: steakhal

Reviewed By: martong

Differential Revision: https://reviews.llvm.org/D125360

Added: 


Modified: 
clang/lib/StaticAnalyzer/Checkers/BoolAssignmentChecker.cpp
clang/test/Analysis/bool-assignment.c

Removed: 




diff  --git a/clang/lib/StaticAnalyzer/Checkers/BoolAssignmentChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/BoolAssignmentChecker.cpp
index 6c0caf3c4e78..dad25d6f853b 100644
--- a/clang/lib/StaticAnalyzer/Checkers/BoolAssignmentChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/BoolAssignmentChecker.cpp
@@ -12,6 +12,7 @@
 
//===--===//
 
 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
+#include "clang/StaticAnalyzer/Checkers/Taint.h"
 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
 #include "clang/StaticAnalyzer/Core/Checker.h"
 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
@@ -23,20 +24,23 @@ using namespace ento;
 namespace {
   class BoolAssignmentChecker : public Checker< check::Bind > {
 mutable std::unique_ptr BT;
-void emitReport(ProgramStateRef state, CheckerContext &C) const;
+void emitReport(ProgramStateRef state, CheckerContext &C,
+bool IsTainted = false) const;
+
   public:
 void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const;
   };
 } // end anonymous namespace
 
-void BoolAssignmentChecker::emitReport(ProgramStateRef state,
-   CheckerContext &C) const {
+void BoolAssignmentChecker::emitReport(ProgramStateRef state, CheckerContext 
&C,
+   bool IsTainted) const {
   if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
 if (!BT)
   BT.reset(new BuiltinBug(this, "Assignment of a non-Boolean value"));
 
-C.emitReport(
-std::make_unique(*BT, BT->getDescription(), 
N));
+StringRef Msg = IsTainted ? "Might assign a tainted non-Boolean value"
+  : "Assignment of a non-Boolean value";
+C.emitReport(std::make_unique(*BT, Msg, N));
   }
 }
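Review bot: both messages are reported under the single `BuiltinBug` named "Assignment of a non-Boolean value", with the taint wording passed only as the report text, so tools that group findings by bug type cannot separate tainted reports from plain range ones. Other taint-aware checkers (DivZeroChecker, for instance) keep a second `BugType` in `categories::TaintedData` for the tainted variant; doing the same here would let users triage the two classes independently, and `IsTainted` could then select the `BugType` rather than a string.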
 
@@ -90,6 +94,8 @@ void BoolAssignmentChecker::checkBind(SVal loc, SVal val, 
const Stmt *S,
 
   if (!StIn)
 emitReport(StOut, C);
+  if (StIn && StOut && taint::isTainted(state, *NV))
+emitReport(StOut, C, /*IsTainted=*/true);
 }
 
 void ento::registerBoolAssignmentChecker(CheckerManager &mgr) {
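Review bot: the two `if`s in `checkBind` are mutually exclusive (`!StIn` on the first, `StIn && StOut` on the second), so a tainted value already proven outside 0..1 gets the generic message while the taint message only appears when both ranges are feasible; that matches the "Might assign" wording but deserves a one-line comment, since the conditions read like two independent reports. Note also that `taint::isTainted(state, *NV)` is evaluated on the pre-bind state, which is fine because the bind does not change the value's taint, but worth saying so at the call.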

diff  --git a/clang/test/Analysis/bool-assignment.c 
b/clang/test/Analysis/bool-assignment.c
index 57a7f0b5dc1b..812710786d94 100644
--- a/clang/test/Analysis/bool-assignment.c
+++ b/clang/test/Analysis/bool-assignment.c
@@ -1,5 +1,5 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment 
-analyzer-store=region -verify -std=c99 -Dbool=_Bool %s
-// RUN: %clang_analyze_cc1 -analyzer-checker=core,alpha.core.BoolAssignment 
-analyzer-store=region -verify -x c++ %s
+// RUN: %clang_analyze_cc1 
-analyzer-checker=core,alpha.core.BoolAssignment,alpha.security.taint 
-analyzer-store=region -verify -std=c99 -Dbool=_Bool %s
+// RUN: %clang_analyze_cc1 
-analyzer-checker=core,alpha.core.BoolAssignment,alpha.security.taint 
-analyzer-store=region -verify -x c++ %s
 
 // Test C++'s bool and C's _Bool.
 // FIXME: We stopped warning on these when SValBuilder got smarter about
@@ -104,3 +104,10 @@ void test_Boolean_assignment(int y) {
   }
   x = y; // no-warning
 }
+
+int scanf(const char *format, ...);
+void test_tainted_Boolean() {
+  int n;
+  scanf("%d", &n);
+  Boolean copy = n; // expected-warning {{Might assign a tainted non-Boolean 
value}}
+}
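Review bot: the new test only covers the positive case; add a tainted value that is range-constrained before the assignment, e.g. `if (n == 0 || n == 1) { Boolean copy = n; } // no-warning`, so that a regression dropping the `StIn && StOut` feasibility check (which would otherwise flag every tainted assignment) is caught, and a case where the tainted value is also provably out of range, to pin down which of the two messages is expected there.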
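As an added illustration of the defect class this commit makes the checker taint-aware for (example code written for this page, not the checker, its test file or any LLVM code): an untrusted integer stored into a C-style `Boolean` keeps its full value, and a later comparison against `TRUE` then behaves differently from a truthiness test. The vulnerable parser sits beside its normalised form. The names `Boolean`, `in_boolean_range`, `parse_deny_flag_unchecked`, `parse_deny_flag_checked` and `access_allowed` are hypothetical, and the input strings are constructed.

```cpp
// Added example, not code from the checker or its tests. Names below are
// hypothetical; the input strings are constructed for the demonstration.
#include <cstdlib>
#include <iostream>

typedef int Boolean;  // C-style Boolean, as used by the checker's test file
#define TRUE 1
#define FALSE 0

// The range test the checker performs symbolically on the bound value:
// a Boolean-typed lvalue should only ever receive 0 or 1.
bool in_boolean_range(int v) { return v == 0 || v == 1; }

// Untrusted text -> Boolean with no normalisation. Whatever atoi() yields
// (2, -1, 65536, ...) is stored as if it were a Boolean. This is the pattern
// the taint-aware checker warns about: a tainted value bound to a Boolean.
Boolean parse_deny_flag_unchecked(const char *untrusted) {
  return std::atoi(untrusted);
}

// Same input, collapsed to exactly 0 or 1 before it becomes a Boolean.
Boolean parse_deny_flag_checked(const char *untrusted) {
  return std::atoi(untrusted) != 0 ? TRUE : FALSE;
}

// Policy check written the way much C code is: compare against TRUE rather
// than test truthiness. With a non-Boolean "deny" value the comparison fails
// and access is granted even though the flag was, in the caller's eyes, set.
bool access_allowed(Boolean deny) { return deny != TRUE; }

int main() {
  const char *inputs[] = {"0", "1", "2", "-1"};  // constructed request values
  for (const char *in : inputs) {
    Boolean raw = parse_deny_flag_unchecked(in);
    Boolean fixed = parse_deny_flag_checked(in);
    std::cout << "input " << in << ": unchecked deny=" << raw
              << (in_boolean_range(raw) ? "" : " (non-Boolean!)")
              << " -> allowed=" << access_allowed(raw)
              << "; checked deny=" << fixed
              << " -> allowed=" << access_allowed(fixed) << '\n';
  }
  return 0;
}
```

For the input `"2"` the unchecked path stores `2` in the `Boolean`, `in_boolean_range` rejects it, and `access_allowed` grants access because `2 != TRUE`; the checked path stores `1` and denies. That gap between "non-zero" and "equal to TRUE" is what makes a tainted non-Boolean assignment worth a diagnostic rather than a style remark.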





[clang] [clang][analyzer] Improve BlockInCriticalSectionsChecker (PR #80029)

2024-03-14 Thread Endre Fülöp via cfe-commits


@@ -20,48 +20,180 @@
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
+#include "llvm/ADT/STLExtras.h"
+#include "llvm/ADT/SmallString.h"
+#include "llvm/ADT/StringExtras.h"
+
+#include 
+#include 
+#include 
 
 using namespace clang;
 using namespace ento;
 
 namespace {
+
+struct CritSectionMarker {
+  const Expr *LockExpr{};
+  const MemRegion *LockReg{};
+
+  void Profile(llvm::FoldingSetNodeID &ID) const {
+ID.Add(LockExpr);
+ID.Add(LockReg);
+  }
+
+  [[nodiscard]] constexpr bool
+  operator==(const CritSectionMarker &Other) const noexcept {
+return LockExpr == Other.LockExpr && LockReg == Other.LockReg;
+  }
+  [[nodiscard]] constexpr bool
+  operator!=(const CritSectionMarker &Other) const noexcept {
+return !(*this == Other);
+  }
+};
+
+class FirstArgMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  FirstArgMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+};
+
+class MemberMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  MemberMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call);
+  }
+  bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call);
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+};
+
+class RAIIMutexDescriptor {
+  mutable const IdentifierInfo *Guard{};
+  mutable bool IdentifierInfoInitialized{};
+  mutable llvm::SmallString<32> GuardName{};
+
+  void initIdentifierInfo(const CallEvent &Call) const {
+if (!IdentifierInfoInitialized) {
+  // In case of checking C code, or when the corresponding headers are not
+  // included, we might end up query the identifier table every time when
+  // this function is called instead of early returning it. To avoid this, 
a
+  // bool variable (IdentifierInfoInitialized) is used and the function 
will
+  // be run only once.
+  Guard = &Call.getCalleeAnalysisDeclContext()->getASTContext().Idents.get(
+  GuardName);
+  IdentifierInfoInitialized = true;
+}
+  }
+
+public:
+  RAIIMutexDescriptor(StringRef GuardName) : GuardName(GuardName) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+initIdentifierInfo(Call);
+const auto *Ctor = dyn_cast(&Call);
+if (!Ctor)
+  return false;
+auto *IdentifierInfo = Ctor->getDecl()->getParent()->getIdentifier();
+return IdentifierInfo == Guard;
+  }
+  [[nodiscard]] bool matchesUnlock(const CallEvent &Call) const {
+initIdentifierInfo(Call);
+const auto *Dtor = dyn_cast(&Call);
+if (!Dtor)
+  return false;
+auto *IdentifierInfo =
+cast(Dtor->getDecl()->getParent())->getIdentifier();
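Review bot: `RAIIMutexDescriptor::initIdentifierInfo` obtains the `ASTContext` through `Call.getCalleeAnalysisDeclContext()`, which returns null for a call without a callee declaration (an indirect call through a function pointer, for instance); because `matchesLock`/`matchesUnlock` run it for every call before the `dyn_cast` to `CXXConstructorCall`/`CXXDestructorCall`, the first such call seen can dereference null. Suggest `Call.getState()->getStateManager().getContext()`, or passing the `CheckerContext`'s `ASTContext` in from the caller, so the lookup does not depend on the callee.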

gamesh411 wrote:

The constructor and destructor cases are not symmetric; `getParent()` for `CXXConstructorDecl` uses the cast internally, while the destructor-side `getParent()` only gives a `DeclContext`.
So, for the constructor, we have the following type chain:
`CXXConstructorCall` ---[ `getDecl()` ]---> `CXXConstructorDecl` ---[ `getParent()` ]---> `CXXRecordDecl`
and for the destructor we have the following:
`CXXDestructorCall` ---[ `getDecl()` ]---> `FunctionDecl` ---[ `getParent()` ]---> `DeclContext` (and this has to be cast to `CXXRecordDecl`)
The API is just not symmetric enough.

https://github.com/llvm/llvm-project/pull/80029


[clang] [clang][analyzer] Improve BlockInCriticalSectionsChecker (PR #80029)

2024-03-14 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/80029

From 346e2296869e750c7ec5bd75cf05f80a23b70569 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Tue, 30 Jan 2024 11:33:30 +0100
Subject: [PATCH 1/2] [clang][analyzer] Improve BlockInCriticalSectionsChecker
 with multi-section and recursive mutex support

* Add support for multiple, potentially overlapping critical sections:
  The checker can now simultaneously handle several mutexes' critical
  sections without confusing them.
* Implement the handling of recursive mutexes:
  By identifying the lock events, recursive mutexes are now supported.
  A lock event is a pair of a lock expression and the SVal of the mutex
  that it locks, so even multiple locks of the same mutex (and even by
  the same expression) are now supported.
* Refine the note tags generated by the checker:
  The note tags now correctly show only for mutexes that are
  active at the point of error, and multiple acquisitions of the same mutex
  are also noted.
---
 .../BlockInCriticalSectionChecker.cpp | 391 ++
 .../Analysis/block-in-critical-section.cpp| 270 +---
 2 files changed, 515 insertions(+), 146 deletions(-)

diff --git 
a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
index 66e080adb1382b..74ec4b73bd8b5f 100644
--- a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
@@ -20,48 +20,180 @@
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
+#include "llvm/ADT/STLExtras.h"
+#include "llvm/ADT/SmallString.h"
+#include "llvm/ADT/StringExtras.h"
+
+#include 
+#include 
+#include 
 
 using namespace clang;
 using namespace ento;
 
 namespace {
+
+struct CritSectionMarker {
+  const Expr *LockExpr{};
+  const MemRegion *LockReg{};
+
+  void Profile(llvm::FoldingSetNodeID &ID) const {
+ID.Add(LockExpr);
+ID.Add(LockReg);
+  }
+
+  [[nodiscard]] constexpr bool
+  operator==(const CritSectionMarker &Other) const noexcept {
+return LockExpr == Other.LockExpr && LockReg == Other.LockReg;
+  }
+  [[nodiscard]] constexpr bool
+  operator!=(const CritSectionMarker &Other) const noexcept {
+return !(*this == Other);
+  }
+};
+
+class FirstArgMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  FirstArgMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+};
+
+class MemberMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  MemberMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call);
+  }
+  bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call);
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+};
+
+class RAIIMutexDescriptor {
+  mutable const IdentifierInfo *Guard{};
+  mutable bool IdentifierInfoInitialized{};
+  mutable llvm::SmallString<32> GuardName{};
+
+  void initIdentifierInfo(const CallEvent &Call) const {
+if (!IdentifierInfoInitialized) {
+  // In case of checking C code, or when the corresponding headers are not
+  // included, we might end up query the identifier table every time when
+  // this function is called instead of early returning it. To avoid this, 
a
+  // bool variable (IdentifierInfoInitialized) is used and the function 
will
+  // be run only once.
+  Guard = &Call.getCalleeAnalysisDeclContext()->getASTContext().Idents.get(
+  GuardName);
+  IdentifierInfoInitialized = true;
+}
+  }
+
+pu
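To make the bookkeeping this commit message describes concrete, here is an added model of it (example code written for this page, not the checker's implementation or any LLVM code): a critical section is recorded as a (lock expression, mutex) pair, every lock pushes one such marker, an unlock pops the most recent marker for that mutex, and a blocking call is reported together with exactly the markers still active. `Marker`, `Event`, `Report`, `analyze` and `samplePath` are hypothetical names standing in for `CritSectionMarker` and the `ActiveCritSections` state list; the event sequence is constructed.

```cpp
// Added example, not code from the checker or the LLVM project: a small model
// of the lock-event bookkeeping described in the commit message. All names
// (Marker, Event, Report, analyze, samplePath) are hypothetical stand-ins for
// the checker's CritSectionMarker / ActiveCritSections program-state list.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// One active critical section: which lock expression took which mutex.
struct Marker {
  std::string lockExpr;  // stands in for CritSectionMarker::LockExpr
  std::string mutex;     // stands in for CritSectionMarker::LockReg
  bool operator==(const Marker &o) const {
    return lockExpr == o.lockExpr && mutex == o.mutex;
  }
};

// One step along an analysis path.
struct Event {
  enum Kind { Lock, Unlock, Blocking } kind;
  std::string expr;   // source-location label of the call
  std::string mutex;  // mutex involved (empty for blocking calls)
};

// A diagnostic: the blocking call plus the sections active when it happened,
// i.e. exactly the markers that deserve an "entering critical section" note.
struct Report {
  std::string blockingExpr;
  std::vector<Marker> active;
};

std::vector<Report> analyze(const std::vector<Event> &path) {
  std::vector<Marker> active;  // models the ActiveCritSections state trait
  std::vector<Report> reports;
  for (const Event &e : path) {
    switch (e.kind) {
    case Event::Lock:
      // Every lock, including a re-lock of an already-held mutex, adds its own
      // marker, so a recursive acquisition is represented by two entries.
      active.push_back({e.expr, e.mutex});
      break;
    case Event::Unlock:
      // Retire only the most recent acquisition of this mutex; other mutexes'
      // sections, and earlier acquisitions of this one, stay active.
      for (std::size_t i = active.size(); i-- > 0;) {
        if (active[i].mutex == e.mutex) {
          active.erase(active.begin() + static_cast<std::ptrdiff_t>(i));
          break;
        }
      }
      break;
    case Event::Blocking:
      // Blocking while any section is open is the bug; the report carries
      // only the sections that are still active at this point.
      if (!active.empty())
        reports.push_back({e.expr, active});
      break;
    }
  }
  return reports;
}

// Constructed path: m1 taken twice (recursively), m2 taken and released in
// between, a blocking read, then both m1 acquisitions released and a second
// read outside any section.
std::vector<Event> samplePath() {
  return {
      {Event::Lock, "lock@10", "m1"},
      {Event::Lock, "lock@11", "m2"},
      {Event::Unlock, "unlock@12", "m2"},
      {Event::Lock, "lock@13", "m1"},
      {Event::Blocking, "read@14", ""},
      {Event::Unlock, "unlock@15", "m1"},
      {Event::Unlock, "unlock@16", "m1"},
      {Event::Blocking, "read@17", ""},
  };
}

int main() {
  for (const Report &r : analyze(samplePath())) {
    std::cout << r.blockingExpr << ": blocking call inside critical section\n";
    for (const Marker &m : r.active)
      std::cout << "  note: " << m.lockExpr
                << " entered critical section on " << m.mutex << '\n';
  }
  return 0;
}
```

On `samplePath()` the only report is for `read@14`, and it carries the two `m1` acquisitions (the recursive lock) but not `m2`, whose section had already been closed; the second read, after both unlocks, produces nothing. A single counter, the previous representation, could not tell which mutex is held at the blocking call nor attribute a note to each acquisition.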

[clang] [clang][analyzer] Improve BlockInCriticalSectionsChecker (PR #80029)

2024-03-14 Thread Endre Fülöp via cfe-commits


@@ -70,73 +202,121 @@ class BlockInCriticalSectionChecker : public 
Checker {
 
 } // end anonymous namespace
 
-REGISTER_TRAIT_WITH_PROGRAMSTATE(MutexCounter, unsigned)
+REGISTER_LIST_WITH_PROGRAMSTATE(ActiveCritSections, CritSectionMarker)
 
-void BlockInCriticalSectionChecker::initIdentifierInfo(ASTContext &Ctx) const {
-  if (!IdentifierInfoInitialized) {
-/* In case of checking C code, or when the corresponding headers are not
- * included, we might end up query the identifier table every time when 
this
- * function is called instead of early returning it. To avoid this, a bool
- * variable (IdentifierInfoInitialized) is used and the function will be 
run
- * only once. */
-IILockGuard  = &Ctx.Idents.get(ClassLockGuard);
-IIUniqueLock = &Ctx.Idents.get(ClassUniqueLock);
-IdentifierInfoInitialized = true;
-  }
-}
+namespace std {
+// Iterator traits for ImmutableList data structure
+// that enable the use of STL algorithms.
+// TODO: Move these to llvm::ImmutableList when overhauling immutable data
+// structures for proper iterator concept support.
+template <>
+struct iterator_traits<
+typename llvm::ImmutableList::iterator> {
+  using iterator_category = std::forward_iterator_tag;
+  using value_type = CritSectionMarker;
+  using difference_type = std::ptrdiff_t;
+  using reference = CritSectionMarker &;
+  using pointer = CritSectionMarker *;
+};
+} // namespace std
 
-bool BlockInCriticalSectionChecker::isBlockingFunction(const CallEvent &Call) 
const {
-  return matchesAny(Call, SleepFn, GetcFn, FgetsFn, ReadFn, RecvFn);
+std::optional
+BlockInCriticalSectionChecker::checkLock(const CallEvent &Call,
+ CheckerContext &C) const {
+  const auto *LockDescriptor =
+  llvm::find_if(MutexDescriptors, [&Call](auto &&LockFn) {
+return std::visit(
+[&Call](auto &&Descriptor) { return Descriptor.matchesLock(Call); 
},
+LockFn);
+  });
+  if (LockDescriptor != MutexDescriptors.end())
+return *LockDescriptor;
+  return std::nullopt;
 }
 
-bool BlockInCriticalSectionChecker::isLockFunction(const CallEvent &Call) 
const {
-  if (const auto *Ctor = dyn_cast(&Call)) {
-auto IdentifierInfo = Ctor->getDecl()->getParent()->getIdentifier();
-if (IdentifierInfo == IILockGuard || IdentifierInfo == IIUniqueLock)
-  return true;
-  }
+void BlockInCriticalSectionChecker::handleLock(
+const MutexDescriptor &LockDescriptor, const CallEvent &Call,
+CheckerContext &C) const {
+  const auto *MutexRegion = std::visit(
+  [&Call](auto &&Descriptor) { return Descriptor.getLockRegion(Call); },
+  LockDescriptor);
+  if (!MutexRegion)
+return;
+
+  const auto MarkToAdd = CritSectionMarker{Call.getOriginExpr(), MutexRegion};
+  ProgramStateRef StateWithLockEvent =
+  C.getState()->add(MarkToAdd);
+  C.addTransition(StateWithLockEvent, createCritSectionNote(MarkToAdd, C));
+}
 
-  return matchesAny(Call, LockFn, PthreadLockFn, PthreadTryLockFn, MtxLock,
-MtxTimedLock, MtxTryLock);
+std::optional
+BlockInCriticalSectionChecker::checkUnlock(const CallEvent &Call,
+   CheckerContext &C) const {
+  const auto *UnlockDescriptor =
+  llvm::find_if(MutexDescriptors, [&Call](auto &&UnlockFn) {
+return std::visit(
+[&Call](auto &&Descriptor) {
+  return Descriptor.matchesUnlock(Call);
+},
+UnlockFn);
+  });
+  if (UnlockDescriptor != MutexDescriptors.end())
+return *UnlockDescriptor;
+  return std::nullopt;

gamesh411 wrote:

I think I have fixed most of the code duplication, thanks for the suggestions 👍 

https://github.com/llvm/llvm-project/pull/80029


[clang] [clang][analyzer] Improve BlockInCriticalSectionsChecker (PR #80029)

2024-03-14 Thread Endre Fülöp via cfe-commits


@@ -20,48 +20,180 @@
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
+#include "llvm/ADT/STLExtras.h"
+#include "llvm/ADT/SmallString.h"
+#include "llvm/ADT/StringExtras.h"
+
+#include 
+#include 
+#include 
 
 using namespace clang;
 using namespace ento;
 
 namespace {
+
+struct CritSectionMarker {
+  const Expr *LockExpr{};
+  const MemRegion *LockReg{};
+
+  void Profile(llvm::FoldingSetNodeID &ID) const {
+ID.Add(LockExpr);
+ID.Add(LockReg);
+  }
+
+  [[nodiscard]] constexpr bool
+  operator==(const CritSectionMarker &Other) const noexcept {
+return LockExpr == Other.LockExpr && LockReg == Other.LockReg;
+  }
+  [[nodiscard]] constexpr bool
+  operator!=(const CritSectionMarker &Other) const noexcept {
+return !(*this == Other);
+  }
+};
+
+class FirstArgMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  FirstArgMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+};
+
+class MemberMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  MemberMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call);
+  }
+  bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call);
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+};
+
+class RAIIMutexDescriptor {
+  mutable const IdentifierInfo *Guard{};
+  mutable bool IdentifierInfoInitialized{};
+  mutable llvm::SmallString<32> GuardName{};
+
+  void initIdentifierInfo(const CallEvent &Call) const {
+if (!IdentifierInfoInitialized) {
+  // In case of checking C code, or when the corresponding headers are not
+  // included, we might end up query the identifier table every time when
+  // this function is called instead of early returning it. To avoid this, 
a
+  // bool variable (IdentifierInfoInitialized) is used and the function 
will
+  // be run only once.
+  Guard = &Call.getCalleeAnalysisDeclContext()->getASTContext().Idents.get(
+  GuardName);
+  IdentifierInfoInitialized = true;
+}
+  }
+
+public:
+  RAIIMutexDescriptor(StringRef GuardName) : GuardName(GuardName) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+initIdentifierInfo(Call);
+const auto *Ctor = dyn_cast(&Call);
+if (!Ctor)
+  return false;
+auto *IdentifierInfo = Ctor->getDecl()->getParent()->getIdentifier();
+return IdentifierInfo == Guard;
+  }
+  [[nodiscard]] bool matchesUnlock(const CallEvent &Call) const {
+initIdentifierInfo(Call);
+const auto *Dtor = dyn_cast(&Call);
+if (!Dtor)
+  return false;
+auto *IdentifierInfo =
+cast(Dtor->getDecl()->getParent())->getIdentifier();
+return IdentifierInfo == Guard;
+  }
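Review bot: `RAIIMutexDescriptor::matchesLock` and `matchesUnlock` both run `initIdentifierInfo`, `dyn_cast` the call, walk to the parent record and compare its identifier with `Guard`; factoring "record of the callee" into one helper used by both would also make the constructor and destructor paths use the same `cast` to `CXXRecordDecl` instead of the two shapes they currently have. Since only the identifier is compared, any class named like the guard matches regardless of namespace; if that is intentional, a comment saying so would help.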

gamesh411 wrote:

Fixed.

https://github.com/llvm/llvm-project/pull/80029


[clang] [clang][analyzer] Improve BlockInCriticalSectionsChecker (PR #80029)

2024-03-14 Thread Endre Fülöp via cfe-commits


@@ -20,48 +20,180 @@
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
+#include "llvm/ADT/STLExtras.h"
+#include "llvm/ADT/SmallString.h"
+#include "llvm/ADT/StringExtras.h"
+
+#include 
+#include 
+#include 
 
 using namespace clang;
 using namespace ento;
 
 namespace {
+
+struct CritSectionMarker {
+  const Expr *LockExpr{};
+  const MemRegion *LockReg{};
+
+  void Profile(llvm::FoldingSetNodeID &ID) const {
+ID.Add(LockExpr);
+ID.Add(LockReg);
+  }
+
+  [[nodiscard]] constexpr bool
+  operator==(const CritSectionMarker &Other) const noexcept {
+return LockExpr == Other.LockExpr && LockReg == Other.LockReg;
+  }
+  [[nodiscard]] constexpr bool
+  operator!=(const CritSectionMarker &Other) const noexcept {
+return !(*this == Other);
+  }
+};
+
+class FirstArgMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  FirstArgMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+};
+
+class MemberMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  MemberMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call);
+  }
+  bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call);
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+};
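Review bot: `MemberMutexDescriptor::matchesUnlock` is the only matcher in these descriptor classes without `[[nodiscard]]`; add it for consistency. `FirstArgMutexDescriptor` and `MemberMutexDescriptor` differ only in how the region is obtained (`getArgSVal(0)` versus `getCXXThisVal()`), so the `LockFn`/`UnlockFn` members, constructor and `matches*` functions can live in a shared base with the region accessor as the one point of variation.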

gamesh411 wrote:

Introduced a common base class for these 2 classes.

https://github.com/llvm/llvm-project/pull/80029


[clang] [clang][analyzer] Improve BlockInCriticalSectionsChecker (PR #80029)

2024-03-18 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/80029

From 346e2296869e750c7ec5bd75cf05f80a23b70569 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Tue, 30 Jan 2024 11:33:30 +0100
Subject: [PATCH 1/3] [clang][analyzer] Improve BlockInCriticalSectionsChecker
 with multi-section and recursive mutex support

* Add support for multiple, potentially overlapping critical sections:
  The checker can now simultaneously handle several mutexes' critical
  sections without confusing them.
* Implement the handling of recursive mutexes:
  By identifying the lock events, recursive mutexes are now supported.
  A lock event is a pair of a lock expression and the SVal of the mutex
  that it locks, so even multiple locks of the same mutex (and even by
  the same expression) are now supported.
* Refine the note tags generated by the checker:
  The note tags now correctly show only for mutexes that are
  active at the point of error, and multiple acquisitions of the same mutex
  are also noted.
---
 .../BlockInCriticalSectionChecker.cpp | 391 ++
 .../Analysis/block-in-critical-section.cpp| 270 +---
 2 files changed, 515 insertions(+), 146 deletions(-)

diff --git 
a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
index 66e080adb1382b..74ec4b73bd8b5f 100644
--- a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
@@ -20,48 +20,180 @@
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
+#include "llvm/ADT/STLExtras.h"
+#include "llvm/ADT/SmallString.h"
+#include "llvm/ADT/StringExtras.h"
+
+#include 
+#include 
+#include 
 
 using namespace clang;
 using namespace ento;
 
 namespace {
+
+struct CritSectionMarker {
+  const Expr *LockExpr{};
+  const MemRegion *LockReg{};
+
+  void Profile(llvm::FoldingSetNodeID &ID) const {
+ID.Add(LockExpr);
+ID.Add(LockReg);
+  }
+
+  [[nodiscard]] constexpr bool
+  operator==(const CritSectionMarker &Other) const noexcept {
+return LockExpr == Other.LockExpr && LockReg == Other.LockReg;
+  }
+  [[nodiscard]] constexpr bool
+  operator!=(const CritSectionMarker &Other) const noexcept {
+return !(*this == Other);
+  }
+};
+
+class FirstArgMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  FirstArgMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+};
+
+class MemberMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  MemberMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call);
+  }
+  bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call);
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+};
+
+class RAIIMutexDescriptor {
+  mutable const IdentifierInfo *Guard{};
+  mutable bool IdentifierInfoInitialized{};
+  mutable llvm::SmallString<32> GuardName{};
+
+  void initIdentifierInfo(const CallEvent &Call) const {
+if (!IdentifierInfoInitialized) {
+  // In case of checking C code, or when the corresponding headers are not
+  // included, we might end up query the identifier table every time when
+  // this function is called instead of early returning it. To avoid this, 
a
+  // bool variable (IdentifierInfoInitialized) is used and the function 
will
+  // be run only once.
+  Guard = &Call.getCalleeAnalysisDeclContext()->getASTContext().Idents.get(
+  GuardName);
+  IdentifierInfoInitialized = true;
+}
+  }
+
+pu

[clang] [clang][analyzer] Improve BlockInCriticalSectionsChecker (PR #80029)

2024-03-18 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 closed 
https://github.com/llvm/llvm-project/pull/80029


[clang] [clang][analyzer] Add note tags to alpha.unix.BlockInCriticalSection (PR #80029)

2024-02-07 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/80029

From f7875a7f1ff20f3cf850ce1c23bec6d6c3d88d57 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Tue, 30 Jan 2024 11:33:30 +0100
Subject: [PATCH 1/2] [clang][analyzer] Add note tags to
 alpha.unix.BlockInCriticalSection checker

On entering a critical section, a note tag is now placed along the
bugpath.
---
 .../BlockInCriticalSectionChecker.cpp | 18 -
 .../Analysis/block-in-critical-section.cpp| 77 ++-
 2 files changed, 75 insertions(+), 20 deletions(-)

diff --git 
a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
index 66e080adb1382b..1297ae96c8b644 100644
--- a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
@@ -57,6 +57,8 @@ class BlockInCriticalSectionChecker : public 
Checker {
 const CallEvent &call,
 CheckerContext &C) const;
 
+  const NoteTag *createCriticalSectionNote(CheckerContext &C) const;
+
 public:
   bool isBlockingFunction(const CallEvent &Call) const;
   bool isLockFunction(const CallEvent &Call) const;
@@ -126,8 +128,9 @@ void BlockInCriticalSectionChecker::checkPostCall(const 
CallEvent &Call,
 State = State->set(--mutexCount);
 C.addTransition(State);
   } else if (isLockFunction(Call)) {
+const NoteTag *Note = createCriticalSectionNote(C);
 State = State->set(++mutexCount);
-C.addTransition(State);
+C.addTransition(State, Note);
   } else if (mutexCount > 0) {
 SymbolRef BlockDesc = Call.getReturnValue().getAsSymbol();
 reportBlockInCritSection(BlockDesc, Call, C);
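Review bot: the note is attached to every lock transition on the path and the tag's only filter is the bug type, so a lock that was already released before the blocking call is still annotated "Entering critical section here" (the state holds only the counter `mutexCount`, not which mutex is held). If that is acceptable for this first step, say so in the commit message; otherwise condition the note on the critical section still being active at the report.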
@@ -151,10 +154,21 @@ void 
BlockInCriticalSectionChecker::reportBlockInCritSection(
   C.emitReport(std::move(R));
 }
 
+const NoteTag *BlockInCriticalSectionChecker::createCriticalSectionNote(
+CheckerContext &C) const {
+  const BugType *BT = &this->BlockInCritSectionBugType;
+  return C.getNoteTag([BT](PathSensitiveBugReport &BR, llvm::raw_ostream &OS) {
+if (&BR.getBugType() != BT)
+  return;
+OS << "Entering critical section here";
+  });
+}
+
 void ento::registerBlockInCriticalSectionChecker(CheckerManager &mgr) {
   mgr.registerChecker();
 }
 
-bool ento::shouldRegisterBlockInCriticalSectionChecker(const CheckerManager 
&mgr) {
+bool ento::shouldRegisterBlockInCriticalSectionChecker(
+const CheckerManager &mgr) {
   return true;
 }
diff --git a/clang/test/Analysis/block-in-critical-section.cpp 
b/clang/test/Analysis/block-in-critical-section.cpp
index fcf6188fc033ec..93d46c741e16ff 100644
--- a/clang/test/Analysis/block-in-critical-section.cpp
+++ b/clang/test/Analysis/block-in-critical-section.cpp
@@ -1,4 +1,8 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.unix.BlockInCriticalSection 
-std=c++11 -verify %s
+// RUN: %clang_analyze_cc1 \
+// RUN:   -analyzer-checker=alpha.unix.BlockInCriticalSection \
+// RUN:   -std=c++11 \
+// RUN:   -analyzer-output text \
+// RUN:   -verify %s
 
 void sleep(int x) {}
 
@@ -21,7 +25,7 @@ template
 struct not_real_lock {
   not_real_lock(std::mutex) {}
 };
-}
+} // namespace std
 
 void getc() {}
 void fgets() {}
@@ -39,81 +43,115 @@ void mtx_unlock() {}
 
 void testBlockInCriticalSectionWithStdMutex() {
   std::mutex m;
-  m.lock();
+  m.lock(); // expected-note 5{{Entering critical section here}}
   sleep(3); // expected-warning {{Call to blocking function 'sleep' inside of 
critical section}}
+// expected-note@-1 {{Call to blocking function 'sleep' inside of 
critical section}}
   getc(); // expected-warning {{Call to blocking function 'getc' inside of 
critical section}}
+  // expected-note@-1 {{Call to blocking function 'getc' inside of 
critical section}}
   fgets(); // expected-warning {{Call to blocking function 'fgets' inside of 
critical section}}
+   // expected-note@-1 {{Call to blocking function 'fgets' inside of 
critical section}}
   read(); // expected-warning {{Call to blocking function 'read' inside of 
critical section}}
+  // expected-note@-1 {{Call to blocking function 'read' inside of 
critical section}}
   recv(); // expected-warning {{Call to blocking function 'recv' inside of 
critical section}}
+  // expected-note@-1 {{Call to blocking function 'recv' inside of 
critical section}}
   m.unlock();
 }
 
 void testBlockInCriticalSectionWithPthreadMutex() {
-  pthread_mutex_lock();
+  pthread_mutex_lock(); // expected-note 10{{Entering critical section here}}
   sleep(3); // expected-warning {{Call to blocking function 'sleep' inside of 
critical section}}
+// expected-note@-1 {{Call to blocking function 'sleep' inside of 
critical section}}
   getc(); // expected-warning {{Call to blocking function 'getc' inside of 
critical section}}
+  // expected-n
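Review bot: the `expected-note 5{{Entering critical section here}}` count on `m.lock()` (and `10` on `pthread_mutex_lock()`) equals the number of warnings in the function, because each report re-walks the path through the same lock; that couples the test to how many blocking calls follow the lock, so adding or removing one call silently changes the required count. A function with a single blocking call per lock would test the note tag more robustly.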

[clang] [clang][analyzer] Add note tags to alpha.unix.BlockInCriticalSection (PR #80029)

2024-03-10 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/80029

From 346e2296869e750c7ec5bd75cf05f80a23b70569 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Tue, 30 Jan 2024 11:33:30 +0100
Subject: [PATCH] [clang][analyzer] Improve BlockInCriticalSectionsChecker with
 multi-section and recursive mutex support

* Add support for multiple, potentially overlapping critical sections:
  The checker can now simultaneously handle several mutexes' critical
  sections without confusing them.
* Implement the handling of recursive mutexes:
  By identifying the lock events, recursive mutexes are now supported.
  A lock event is a pair of a lock expression and the SVal of the mutex
  that it locks, so even multiple locks of the same mutex (and even by
  the same expression) are now supported.
* Refine the note tags generated by the checker:
  The note tags now correctly show only for mutexes that are
  active at the point of error, and multiple acquisitions of the same mutex
  are also noted.
---
 .../BlockInCriticalSectionChecker.cpp | 391 ++
 .../Analysis/block-in-critical-section.cpp| 270 +---
 2 files changed, 515 insertions(+), 146 deletions(-)

diff --git 
a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
index 66e080adb1382b..74ec4b73bd8b5f 100644
--- a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
@@ -20,48 +20,180 @@
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
+#include "llvm/ADT/STLExtras.h"
+#include "llvm/ADT/SmallString.h"
+#include "llvm/ADT/StringExtras.h"
+
+#include 
+#include 
+#include 
 
 using namespace clang;
 using namespace ento;
 
 namespace {
+
+struct CritSectionMarker {
+  const Expr *LockExpr{};
+  const MemRegion *LockReg{};
+
+  void Profile(llvm::FoldingSetNodeID &ID) const {
+ID.Add(LockExpr);
+ID.Add(LockReg);
+  }
+
+  [[nodiscard]] constexpr bool
+  operator==(const CritSectionMarker &Other) const noexcept {
+return LockExpr == Other.LockExpr && LockReg == Other.LockReg;
+  }
+  [[nodiscard]] constexpr bool
+  operator!=(const CritSectionMarker &Other) const noexcept {
+return !(*this == Other);
+  }
+};
+
+class FirstArgMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  FirstArgMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call) && Call.getNumArgs() > 0;
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return Call.getArgSVal(0).getAsRegion();
+  }
+};
+
+class MemberMutexDescriptor {
+  CallDescription LockFn;
+  CallDescription UnlockFn;
+
+public:
+  MemberMutexDescriptor(CallDescription &&LockFn, CallDescription &&UnlockFn)
+  : LockFn(std::move(LockFn)), UnlockFn(std::move(UnlockFn)) {}
+  [[nodiscard]] bool matchesLock(const CallEvent &Call) const {
+return LockFn.matches(Call);
+  }
+  bool matchesUnlock(const CallEvent &Call) const {
+return UnlockFn.matches(Call);
+  }
+  [[nodiscard]] const MemRegion *getLockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+  [[nodiscard]] const MemRegion *getUnlockRegion(const CallEvent &Call) const {
+return cast(Call).getCXXThisVal().getAsRegion();
+  }
+};
+
+class RAIIMutexDescriptor {
+  mutable const IdentifierInfo *Guard{};
+  mutable bool IdentifierInfoInitialized{};
+  mutable llvm::SmallString<32> GuardName{};
+
+  void initIdentifierInfo(const CallEvent &Call) const {
+if (!IdentifierInfoInitialized) {
+  // In case of checking C code, or when the corresponding headers are not
+  // included, we might end up query the identifier table every time when
+  // this function is called instead of early returning it. To avoid this, 
a
+  // bool variable (IdentifierInfoInitialized) is used and the function 
will
+  // be run only once.
+  Guard = &Call.getCalleeAnalysisDeclContext()->getASTContext().Idents.get(
+  GuardName);
+  IdentifierInfoInitialized = true;
+}
+  }
+
+public
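Review bot: in `RAIIMutexDescriptor::initIdentifierInfo`, `Call.getCalleeAnalysisDeclContext()` is dereferenced without a null check; `CallEvent::getCalleeAnalysisDeclContext()` returns `nullptr` when the call has no declaration, so guard it or take the `ASTContext` from the `CheckerContext` instead (`C.getASTContext().Idents.get(GuardName)`). Minor: `GuardName` is declared `mutable` although nothing in this hunk modifies it, and the comment above the lazy initialization should read "we might end up querying the identifier table every time ... instead of returning early".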

[clang] [clang][analyzer] Improve BlockInCriticalSectionsChecker (PR #80029)

2024-03-10 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 edited 
https://github.com/llvm/llvm-project/pull/80029


[clang] [clang][analyzer] Improve BlockInCriticalSectionsChecker (PR #80029)

2024-03-10 Thread Endre Fülöp via cfe-commits

gamesh411 wrote:

Instead of keeping the trivial change that this PR was before, and because 
the checker needed a major overhaul, I have increased the scope of this 
change to support the use cases mentioned by @balazske.
That is why I am re-requesting a review.

https://github.com/llvm/llvm-project/pull/80029


[clang] [analyzer] Refactor CallDescription match mode (NFC) (PR #83432)

2024-03-04 Thread Endre Fülöp via cfe-commits

gamesh411 wrote:

> > The flag approach can probably make a sense for namespace handling (match 
> > the exact specified namespace, or allow a prefix before, or even something 
> > in between).
> 
> Even in that case, I'd prefer a separate second parameter (that's either 
> boolean or a different `enum`). Squeezing unrelated things into the same flag 
> only makes sense if (1) memory use is strongly limited (2) there would be too 
> many separate parameters.

I lean towards the separate enum for the namespace handling scenario even if it 
means adding another enum to the constructor, or maybe packing the two enums 
into a configuration object because these are separate concerns.
I left a suggestion inline as well, but otherwise, LGTM.

https://github.com/llvm/llvm-project/pull/83432


[clang] [analyzer] Refactor CallDescription match mode (NFC) (PR #83432)

2024-03-04 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 approved this pull request.


https://github.com/llvm/llvm-project/pull/83432


[clang] [analyzer] Refactor CallDescription match mode (NFC) (PR #83432)

2024-03-04 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 edited 
https://github.com/llvm/llvm-project/pull/83432


[clang] [analyzer] Refactor CallDescription match mode (NFC) (PR #83432)

2024-03-04 Thread Endre Fülöp via cfe-commits


@@ -27,20 +27,48 @@ class IdentifierInfo;
 
 namespace clang {
 namespace ento {
-
-enum CallDescriptionFlags : unsigned {
-  CDF_None = 0,
-
-  /// Describes a C standard function that is sometimes implemented as a macro
-  /// that expands to a compiler builtin with some __builtin prefix.
-  /// The builtin may as well have a few extra arguments on top of the 
requested
-  /// number of arguments.
-  CDF_MaybeBuiltin = 1 << 0,
-};
-
-/// This class represents a description of a function call using the number of
-/// arguments and the name of the function.
+/// A `CallDescription` is a pattern that can be used to _match_ calls
+/// based on the qualified name and the argument/parameter counts.
 class CallDescription {
+public:
+  enum class Mode {
+/// Match calls to functions from the C standard library. On some platforms
+/// some functions may be implemented as macros that expand to calls to
+/// built-in variants of the given functions, so in this mode we use some
+/// heuristics to recognize these implementation-defined variants:
+///  - We also accept calls where the name is derived from the specified
+///name by adding "__builtin" or similar prefixes/suffixes.
+///  - We also accept calls where the number of arguments or parameters is
+///greater than the specified value.
+/// For the exact heuristics, see CheckerContext::isCLibraryFunction().
+/// Note that functions whose declaration context is not a TU (e.g.
+/// methods, functions in namespaces) are not accepted as C library
+/// functions.
+/// FIXME: If I understand it correctly, this discards calls where C++ code
+/// refers a C library function through the namespace `std::` via headers
+/// like .
+CLibrary,
+
+/// Matches "simple" functions that are not methods. (Static methods are
+/// methods.)
+SimpleFunc,
+
+/// Matches a C+ method (may be static, may be virtual, may be an
+/// overloaded operator, a constructor or a destructor).
+CXXMethod,
+
+/// Match any CallEvent that is not an ObjCMethodCall.
+/// FIXME: Previously this was the default behavior of CallDescription, but
+/// its use should be replaced by a more specific mode almost everywhere.
+Unspecified,

gamesh411 wrote:

I suggest that we go with the enumerator name 'Default', as the name of the 
enum is Mode, so it would be easily understood that this is something that 
comes out of the box.
(Those interested in how or what it matches will look at the docs of this enum 
anyway. I find this to be a conventional and non-surprising nomenclature).

https://github.com/llvm/llvm-project/pull/83432


[clang] [analyzer] Refactor CallDescription match mode (NFC) (PR #83432)

2024-03-04 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 edited 
https://github.com/llvm/llvm-project/pull/83432


[clang] [clang][analyzer] Add note tags to alpha.unix.BlockInCriticalSection (PR #80029)

2024-01-30 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 created 
https://github.com/llvm/llvm-project/pull/80029


On entering a critical section, a note tag is now placed along the bugpath.

From 54da4f5ff32a0e35777fd77f6a928c65789c22af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Tue, 30 Jan 2024 11:33:30 +0100
Subject: [PATCH] [clang][analyzer] Add note tags to
 alpha.unix.BlockInCriticalSection checker

On entering a critical section, a note tag is now placed along the
bugpath.
---
 .../BlockInCriticalSectionChecker.cpp | 19 -
 .../Analysis/block-in-critical-section.cpp| 77 ++-
 2 files changed, 76 insertions(+), 20 deletions(-)

diff --git 
a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
index 66e080adb1382..2b9b56ecdd374 100644
--- a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
@@ -57,6 +57,8 @@ class BlockInCriticalSectionChecker : public 
Checker {
 const CallEvent &call,
 CheckerContext &C) const;
 
+  const NoteTag *createCriticalSectionNote(CheckerContext &C) const;
+
 public:
   bool isBlockingFunction(const CallEvent &Call) const;
   bool isLockFunction(const CallEvent &Call) const;
@@ -126,8 +128,9 @@ void BlockInCriticalSectionChecker::checkPostCall(const 
CallEvent &Call,
 State = State->set(--mutexCount);
 C.addTransition(State);
   } else if (isLockFunction(Call)) {
+const NoteTag *Note = createCriticalSectionNote(C);
 State = State->set(++mutexCount);
-C.addTransition(State);
+C.addTransition(State, Note);
   } else if (mutexCount > 0) {
 SymbolRef BlockDesc = Call.getReturnValue().getAsSymbol();
 reportBlockInCritSection(BlockDesc, Call, C);
@@ -151,10 +154,22 @@ void 
BlockInCriticalSectionChecker::reportBlockInCritSection(
   C.emitReport(std::move(R));
 }
 
+const NoteTag *BlockInCriticalSectionChecker::createCriticalSectionNote(
+CheckerContext &C) const {
+  const BugType *BT = &this->BlockInCritSectionBugType;
+  return C.getNoteTag(
+  [BT](PathSensitiveBugReport &BR, llvm::raw_ostream &OS) {
+if(&BR.getBugType() != BT)
+  return;
+OS << "Entering critical section here";
+  });
+}
+
 void ento::registerBlockInCriticalSectionChecker(CheckerManager &mgr) {
   mgr.registerChecker();
 }
 
-bool ento::shouldRegisterBlockInCriticalSectionChecker(const CheckerManager 
&mgr) {
+bool ento::shouldRegisterBlockInCriticalSectionChecker(
+const CheckerManager &mgr) {
   return true;
 }
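Review bot: `if(&BR.getBugType() != BT)` in `createCriticalSectionNote` is missing the space after `if`, and the lambda's indentation does not match clang-format; run clang-format on the hunk (the later revision of this patch already has it formatted).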
diff --git a/clang/test/Analysis/block-in-critical-section.cpp 
b/clang/test/Analysis/block-in-critical-section.cpp
index fcf6188fc033e..93d46c741e16f 100644
--- a/clang/test/Analysis/block-in-critical-section.cpp
+++ b/clang/test/Analysis/block-in-critical-section.cpp
@@ -1,4 +1,8 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.unix.BlockInCriticalSection 
-std=c++11 -verify %s
+// RUN: %clang_analyze_cc1 \
+// RUN:   -analyzer-checker=alpha.unix.BlockInCriticalSection \
+// RUN:   -std=c++11 \
+// RUN:   -analyzer-output text \
+// RUN:   -verify %s
 
 void sleep(int x) {}
 
@@ -21,7 +25,7 @@ template
 struct not_real_lock {
   not_real_lock(std::mutex) {}
 };
-}
+} // namespace std
 
 void getc() {}
 void fgets() {}
@@ -39,81 +43,115 @@ void mtx_unlock() {}
 
 void testBlockInCriticalSectionWithStdMutex() {
   std::mutex m;
-  m.lock();
+  m.lock(); // expected-note 5{{Entering critical section here}}
   sleep(3); // expected-warning {{Call to blocking function 'sleep' inside of 
critical section}}
+// expected-note@-1 {{Call to blocking function 'sleep' inside of 
critical section}}
   getc(); // expected-warning {{Call to blocking function 'getc' inside of 
critical section}}
+  // expected-note@-1 {{Call to blocking function 'getc' inside of 
critical section}}
   fgets(); // expected-warning {{Call to blocking function 'fgets' inside of 
critical section}}
+   // expected-note@-1 {{Call to blocking function 'fgets' inside of 
critical section}}
   read(); // expected-warning {{Call to blocking function 'read' inside of 
critical section}}
+  // expected-note@-1 {{Call to blocking function 'read' inside of 
critical section}}
   recv(); // expected-warning {{Call to blocking function 'recv' inside of 
critical section}}
+  // expected-note@-1 {{Call to blocking function 'recv' inside of 
critical section}}
   m.unlock();
 }
 
 void testBlockInCriticalSectionWithPthreadMutex() {
-  pthread_mutex_lock();
+  pthread_mutex_lock(); // expected-note 10{{Entering critical section here}}
   sleep(3); // expected-warning {{Call to blocking function 'sleep' inside of 
critical section}}
+// expected-note@-1 {{Call to blocking function 'sleep' inside of 
critical section}}
   getc(); // expec

[clang] [clang][analyzer] Add note tags to alpha.unix.BlockInCriticalSection (PR #80029)

2024-01-31 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/80029

From f7875a7f1ff20f3cf850ce1c23bec6d6c3d88d57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Tue, 30 Jan 2024 11:33:30 +0100
Subject: [PATCH] [clang][analyzer] Add note tags to
 alpha.unix.BlockInCriticalSection checker

On entering a critical section, a note tag is now placed along the
bugpath.
---
 .../BlockInCriticalSectionChecker.cpp | 18 -
 .../Analysis/block-in-critical-section.cpp| 77 ++-
 2 files changed, 75 insertions(+), 20 deletions(-)

diff --git 
a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
index 66e080adb1382..1297ae96c8b64 100644
--- a/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/BlockInCriticalSectionChecker.cpp
@@ -57,6 +57,8 @@ class BlockInCriticalSectionChecker : public 
Checker {
 const CallEvent &call,
 CheckerContext &C) const;
 
+  const NoteTag *createCriticalSectionNote(CheckerContext &C) const;
+
 public:
   bool isBlockingFunction(const CallEvent &Call) const;
   bool isLockFunction(const CallEvent &Call) const;
@@ -126,8 +128,9 @@ void BlockInCriticalSectionChecker::checkPostCall(const 
CallEvent &Call,
 State = State->set(--mutexCount);
 C.addTransition(State);
   } else if (isLockFunction(Call)) {
+const NoteTag *Note = createCriticalSectionNote(C);
 State = State->set(++mutexCount);
-C.addTransition(State);
+C.addTransition(State, Note);
   } else if (mutexCount > 0) {
 SymbolRef BlockDesc = Call.getReturnValue().getAsSymbol();
 reportBlockInCritSection(BlockDesc, Call, C);
@@ -151,10 +154,21 @@ void 
BlockInCriticalSectionChecker::reportBlockInCritSection(
   C.emitReport(std::move(R));
 }
 
+const NoteTag *BlockInCriticalSectionChecker::createCriticalSectionNote(
+CheckerContext &C) const {
+  const BugType *BT = &this->BlockInCritSectionBugType;
+  return C.getNoteTag([BT](PathSensitiveBugReport &BR, llvm::raw_ostream &OS) {
+if (&BR.getBugType() != BT)
+  return;
+OS << "Entering critical section here";
+  });
+}
+
 void ento::registerBlockInCriticalSectionChecker(CheckerManager &mgr) {
   mgr.registerChecker();
 }
 
-bool ento::shouldRegisterBlockInCriticalSectionChecker(const CheckerManager 
&mgr) {
+bool ento::shouldRegisterBlockInCriticalSectionChecker(
+const CheckerManager &mgr) {
   return true;
 }
diff --git a/clang/test/Analysis/block-in-critical-section.cpp 
b/clang/test/Analysis/block-in-critical-section.cpp
index fcf6188fc033e..93d46c741e16f 100644
--- a/clang/test/Analysis/block-in-critical-section.cpp
+++ b/clang/test/Analysis/block-in-critical-section.cpp
@@ -1,4 +1,8 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.unix.BlockInCriticalSection 
-std=c++11 -verify %s
+// RUN: %clang_analyze_cc1 \
+// RUN:   -analyzer-checker=alpha.unix.BlockInCriticalSection \
+// RUN:   -std=c++11 \
+// RUN:   -analyzer-output text \
+// RUN:   -verify %s
 
 void sleep(int x) {}
 
@@ -21,7 +25,7 @@ template
 struct not_real_lock {
   not_real_lock(std::mutex) {}
 };
-}
+} // namespace std
 
 void getc() {}
 void fgets() {}
@@ -39,81 +43,115 @@ void mtx_unlock() {}
 
 void testBlockInCriticalSectionWithStdMutex() {
   std::mutex m;
-  m.lock();
+  m.lock(); // expected-note 5{{Entering critical section here}}
   sleep(3); // expected-warning {{Call to blocking function 'sleep' inside of 
critical section}}
+// expected-note@-1 {{Call to blocking function 'sleep' inside of 
critical section}}
   getc(); // expected-warning {{Call to blocking function 'getc' inside of 
critical section}}
+  // expected-note@-1 {{Call to blocking function 'getc' inside of 
critical section}}
   fgets(); // expected-warning {{Call to blocking function 'fgets' inside of 
critical section}}
+   // expected-note@-1 {{Call to blocking function 'fgets' inside of 
critical section}}
   read(); // expected-warning {{Call to blocking function 'read' inside of 
critical section}}
+  // expected-note@-1 {{Call to blocking function 'read' inside of 
critical section}}
   recv(); // expected-warning {{Call to blocking function 'recv' inside of 
critical section}}
+  // expected-note@-1 {{Call to blocking function 'recv' inside of 
critical section}}
   m.unlock();
 }
 
 void testBlockInCriticalSectionWithPthreadMutex() {
-  pthread_mutex_lock();
+  pthread_mutex_lock(); // expected-note 10{{Entering critical section here}}
   sleep(3); // expected-warning {{Call to blocking function 'sleep' inside of 
critical section}}
+// expected-note@-1 {{Call to blocking function 'sleep' inside of 
critical section}}
   getc(); // expected-warning {{Call to blocking function 'getc' inside of 
critical section}}
+  // expected-note@-1 {

[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-24 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/67663

From 9aea93ddeb70245a07984188aa98577d54e8e560 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Fri, 8 Sep 2023 14:20:00 +0200
Subject: [PATCH 01/12] [analyzer][clangsa] Add new option to
 alpha.security.cert.InvalidPtrChecker

The invalidation of pointers returned by subsequent calls to getenv is
suggested by the POSIX standard, but is too strict from a practical point of
view. A new checker option 'InvalidatingGetEnv' is introduced, and is set to a
more lax default value, which does not consider consecutive getenv calls
invalidating.
The handling of the main function's possible specification where an environment
pointer is also specified as a third parameter is also considered now.

Differential Revision: https://reviews.llvm.org/D154603
---
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  9 ++
 .../Checkers/cert/InvalidPtrChecker.cpp   | 86 ++-
 clang/test/Analysis/analyzer-config.c |  1 +
 .../Analysis/cert/env34-c-cert-examples.c | 40 -
 clang/test/Analysis/cert/env34-c.c|  1 +
 clang/test/Analysis/invalid-ptr-checker.c | 50 +++
 6 files changed, 163 insertions(+), 24 deletions(-)
 create mode 100644 clang/test/Analysis/invalid-ptr-checker.c

diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td 
b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
index 65c1595eb6245dd..b4f65c934bf483b 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -997,6 +997,15 @@ let ParentPackage = ENV in {
 
   def InvalidPtrChecker : Checker<"InvalidPtr">,
   HelpText<"Finds usages of possibly invalidated pointers">,
+  CheckerOptions<[
+CmdLineOption,
+  ]>,
   Documentation;
 
 } // end "alpha.cert.env"
diff --git a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
index aae1a17bc0ae53e..8849eb1148564b7 100644
--- a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
@@ -38,6 +38,15 @@ class InvalidPtrChecker
 CheckerContext &C) const;
 
   // SEI CERT ENV31-C
+
+  // If set to true, consider getenv calls as invalidating operations on the
+  // environment variable buffer. This is implied in the standard, but in
+  // practice does not cause problems (in the commonly used environments).
+  bool InvalidatingGetEnv = false;
+
+  // GetEnv can be treated invalidating and non-invalidating as well.
+  const CallDescription GetEnvCall{{"getenv"}, 1};
+
   const CallDescriptionMap EnvpInvalidatingFunctions = {
   {{{"setenv"}, 3}, &InvalidPtrChecker::EnvpInvalidatingCall},
   {{{"unsetenv"}, 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
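Review bot: the comment "GetEnv can be treated invalidating and non-invalidating as well" is unclear; say that, depending on `InvalidatingGetEnv`, a getenv call is either invalidating or not, which is why `GetEnvCall` is kept out of the `CallDescriptionMap`s below and handled separately. Since the default `false` drops the consecutive-getenv findings the checker reported before, the option's help text in Checkers.td should state that, and the release notes should mention the behaviour change.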
@@ -51,7 +60,6 @@ class InvalidPtrChecker
 
   // SEI CERT ENV34-C
   const CallDescriptionMap PreviousCallInvalidatingFunctions = {
-  {{{"getenv"}, 1}, 
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   {{{"setlocale"}, 2},
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   {{{"strerror"}, 1},
@@ -62,6 +70,10 @@ class InvalidPtrChecker
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   };
 
+  // The private members of this checker corresponding to commandline options
+  // are set in this function.
+  friend void ento::registerInvalidPtrChecker(CheckerManager &);
+
 public:
   // Obtain the environment pointer from 'main()' (if present).
   void checkBeginFunction(CheckerContext &C) const;
@@ -84,7 +96,10 @@ class InvalidPtrChecker
 REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *)
 
 // Stores the region of the environment pointer of 'main' (if present).
-REGISTER_TRAIT_WITH_PROGRAMSTATE(EnvPtrRegion, const MemRegion *)
+REGISTER_TRAIT_WITH_PROGRAMSTATE(MainEnvPtrRegion, const MemRegion *)
+
+// Stores the regions of environments returned by getenv calls.
+REGISTER_SET_WITH_PROGRAMSTATE(GetenvEnvPtrRegions, const MemRegion *)
 
 // Stores key-value pairs, where key is function declaration and value is
 // pointer to memory region returned by previous call of this function
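Review bot: `GetenvEnvPtrRegions` gains an entry on every getenv call and nothing in this hunk removes entries, so the set grows along the whole path and keeps regions alive after their symbols are dead; add a `checkDeadSymbols` callback that prunes regions that are no longer live, as is done for the other region sets in the analyzer.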
@@ -95,22 +110,35 @@ void InvalidPtrChecker::EnvpInvalidatingCall(const 
CallEvent &Call,
  CheckerContext &C) const {
   StringRef FunctionName = Call.getCalleeIdentifier()->getName();
   ProgramStateRef State = C.getState();
-  const MemRegion *SymbolicEnvPtrRegion = State->get();
-  if (!SymbolicEnvPtrRegion)
-return;
 
-  State = State->add(SymbolicEnvPtrRegion);
+  auto PlaceInvalidationNote = [&C, FunctionName,
+&State](const MemRegion *Region,
+StringRef Message, ExplodedNode *Pred) 
{
+State = State->add(Region);
+
+// Make c
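Review bot: removing the early return on a null `MainEnvPtrRegion` means `EnvpInvalidatingCall` now runs even when `main` has no envp parameter; make sure `PlaceInvalidationNote` is never invoked with a null `Region`, since `State->add(Region)` would otherwise insert a bogus null entry into the invalid-region set. The lambda also captures `State` by reference and reassigns it, so if it is called more than once per call event the transitions must be chained through the `Pred` parameter rather than all branching off `C.getPredecessor()`.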

[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-24 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/67663

From 65a4bf21e38a925f643c6cca3d3cad4c2910071c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Fri, 8 Sep 2023 14:20:00 +0200
Subject: [PATCH 01/12] [analyzer][clangsa] Add new option to
 alpha.security.cert.InvalidPtrChecker

The invalidation of pointers returned by subsequent calls to getenv is
suggested by the POSIX standard, but is too strict from a practical point of
view. A new checker option 'InvalidatingGetEnv' is introduced, and is set to a
more lax default value, which does not consider consecutive getenv calls
invalidating.
The handling of the main function's possible specification where an environment
pointer is also specified as a third parameter is also considered now.

Differential Revision: https://reviews.llvm.org/D154603
---
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  9 ++
 .../Checkers/cert/InvalidPtrChecker.cpp   | 86 ++-
 clang/test/Analysis/analyzer-config.c |  1 +
 .../Analysis/cert/env34-c-cert-examples.c | 40 -
 clang/test/Analysis/cert/env34-c.c|  1 +
 clang/test/Analysis/invalid-ptr-checker.c | 50 +++
 6 files changed, 163 insertions(+), 24 deletions(-)
 create mode 100644 clang/test/Analysis/invalid-ptr-checker.c

diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td 
b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
index be813bde8be41ea..b6e9f0fae1c7f48 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -1002,6 +1002,15 @@ let ParentPackage = ENV in {
 
   def InvalidPtrChecker : Checker<"InvalidPtr">,
   HelpText<"Finds usages of possibly invalidated pointers">,
+  CheckerOptions<[
+CmdLineOption,
+  ]>,
   Documentation;
 
 } // end "alpha.cert.env"
diff --git a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
index aae1a17bc0ae53e..8849eb1148564b7 100644
--- a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
@@ -38,6 +38,15 @@ class InvalidPtrChecker
 CheckerContext &C) const;
 
   // SEI CERT ENV31-C
+
+  // If set to true, consider getenv calls as invalidating operations on the
+  // environment variable buffer. This is implied in the standard, but in
+  // practice does not cause problems (in the commonly used environments).
+  bool InvalidatingGetEnv = false;
+
+  // GetEnv can be treated invalidating and non-invalidating as well.
+  const CallDescription GetEnvCall{{"getenv"}, 1};
+
   const CallDescriptionMap EnvpInvalidatingFunctions = {
   {{{"setenv"}, 3}, &InvalidPtrChecker::EnvpInvalidatingCall},
   {{{"unsetenv"}, 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
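Review bot: the comment above `InvalidatingGetEnv` understates the standard: ENV34-C lists getenv among the functions whose returned string may be overwritten by a later call to the same function, so "This is implied in the standard" should read "This is permitted by the standard", and "GetEnv can be treated invalidating and non-invalidating as well" should read "getenv is treated as invalidating or not depending on the option". `GetEnvCall` is declared here but its dispatch is not in this hunk; make sure the only place getenv is matched is gated on `InvalidatingGetEnv`, otherwise the option has no effect.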
@@ -51,7 +60,6 @@ class InvalidPtrChecker
 
   // SEI CERT ENV34-C
   const CallDescriptionMap PreviousCallInvalidatingFunctions = {
-  {{{"getenv"}, 1}, 
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   {{{"setlocale"}, 2},
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   {{{"strerror"}, 1},
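Review bot: removing getenv from `PreviousCallInvalidatingFunctions` unconditionally is only correct if the `InvalidatingGetEnv == true` path re-creates the `postPreviousReturnInvalidatingCall` behaviour for `GetEnvCall`; the new invalid-ptr-checker.c listed in the summary should run with both values of the option against back-to-back getenv calls, so that a regression in either direction is caught.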
@@ -62,6 +70,10 @@ class InvalidPtrChecker
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   };
 
+  // The private members of this checker corresponding to commandline options
+  // are set in this function.
+  friend void ento::registerInvalidPtrChecker(CheckerManager &);
+
 public:
   // Obtain the environment pointer from 'main()' (if present).
   void checkBeginFunction(CheckerContext &C) const;
@@ -84,7 +96,10 @@ class InvalidPtrChecker
 REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *)
 
 // Stores the region of the environment pointer of 'main' (if present).
-REGISTER_TRAIT_WITH_PROGRAMSTATE(EnvPtrRegion, const MemRegion *)
+REGISTER_TRAIT_WITH_PROGRAMSTATE(MainEnvPtrRegion, const MemRegion *)
+
+// Stores the regions of environments returned by getenv calls.
+REGISTER_SET_WITH_PROGRAMSTATE(GetenvEnvPtrRegions, const MemRegion *)
 
 // Stores key-value pairs, where key is function declaration and value is
 // pointer to memory region returned by previous call of this function
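Review bot: the comment on `GetenvEnvPtrRegions` is misleading: getenv does not return an environment, it returns a pointer to the value string of one variable, so "regions of environments returned by getenv calls" should read "regions of the value strings returned by getenv calls". Since `EnvPtrRegion` is renamed to `MainEnvPtrRegion`, check that every former `State->get<EnvPtrRegion>()` was updated; the `EnvpInvalidatingCall` hunk below removes one, and any other remaining use would not compile.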
@@ -95,22 +110,35 @@ void InvalidPtrChecker::EnvpInvalidatingCall(const 
CallEvent &Call,
  CheckerContext &C) const {
   StringRef FunctionName = Call.getCalleeIdentifier()->getName();
   ProgramStateRef State = C.getState();
-  const MemRegion *SymbolicEnvPtrRegion = State->get();
-  if (!SymbolicEnvPtrRegion)
-return;
 
-  State = State->add(SymbolicEnvPtrRegion);
+  auto PlaceInvalidationNote = [&C, FunctionName,
+&State](const MemRegion *Region,
+StringRef Message, ExplodedNode *Pred) 
{
+State = State->add(Region);
+
+// Make
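Review bot: the early `return` for the case where no `main` envp region is recorded has been removed, so `EnvpInvalidatingCall` now runs for every call in `EnvpInvalidatingFunctions` even in translation units without `main(argc, argv, envp)`; confirm the function still bails out without an `addTransition` when neither `MainEnvPtrRegion` nor `GetenvEnvPtrRegions` has anything to invalidate, or every setenv/unsetenv will split a needless node. The lambda captures `State` by reference and reassigns it, so the code after the truncated `// Make` comment must build the note node from the updated `State`, not from a copy taken before the lambda ran.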

[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-24 Thread Endre Fülöp via cfe-commits

gamesh411 wrote:

I have rebased on the current main.

https://github.com/llvm/llvm-project/pull/67663
___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
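The following is an added example, not code from the patch above or from LLVM. It shows the hazard the InvalidPtr checker models (CERT ENV34-C: a pointer returned by getenv is not guaranteed to survive later calls that modify the environment) and the copy-first pattern that keeps a program clean under either value of `InvalidatingGetEnv`. The `demo_` functions and the `DEMO_*` variable names are this example's own; it assumes a POSIX `setenv`/`unsetenv`.

```cpp
#include <cstdlib>
#include <cstring>
#include <string>

// Copy the value of an environment variable into caller-owned storage as soon
// as it is read. Returns false (and leaves 'out' untouched) if the variable is
// unset. After this returns, nothing in the program holds the libc pointer.
bool demo_getenv_copy(const char *name, std::string &out) {
    const char *value = std::getenv(name);   // points into libc-owned storage
    if (value == nullptr)
        return false;
    out.assign(value);                       // last use of 'value'
    return true;
}

// The pattern InvalidPtr reports: a getenv result is kept across a call that
// modifies the environment. Whether 'p' still reads "old" afterwards depends
// on how the C library implements setenv, so the result is not portable.
// Kept for contrast; it is not exercised by the assertions that follow.
bool demo_unsafe_read_after_setenv() {
    setenv("DEMO_VAR", "old", 1);
    const char *p = std::getenv("DEMO_VAR");  // alias into libc storage
    setenv("DEMO_VAR", "new", 1);             // ENV34-C: may invalidate 'p'
    return p != nullptr && std::strcmp(p, "old") == 0;   // use after possible invalidation
}

// Same logic with the copy taken before the invalidating call: the answer is
// deterministic because the string is owned by this function.
bool demo_safe_read_after_setenv() {
    setenv("DEMO_VAR", "old", 1);
    std::string saved;
    if (!demo_getenv_copy("DEMO_VAR", saved))
        return false;
    setenv("DEMO_VAR", "new", 1);             // cannot touch 'saved'
    return saved == "old";
}

// With InvalidatingGetEnv=true the checker also treats the second getenv call
// as invalidating the first result; copying each value as it is read is clean
// under both settings of the option.
bool demo_two_lookups_keep_both() {
    setenv("DEMO_A", "1", 1);
    setenv("DEMO_B", "2", 1);
    std::string a, b;
    bool got_a = demo_getenv_copy("DEMO_A", a);
    bool got_b = demo_getenv_copy("DEMO_B", b);   // 'a' is unaffected
    return got_a && got_b && a == "1" && b == "2";
}

// An unset variable is reported as absent rather than as an empty string.
bool demo_unset_variable_is_absent() {
    unsetenv("DEMO_UNSET");
    std::string out = "sentinel";
    return !demo_getenv_copy("DEMO_UNSET", out) && out == "sentinel";
}
```

The same discipline applies to the `envp` argument of `main` and to the other ENV34-C functions (setlocale, strerror, ...): copy what you need out of the returned buffer before the next call that may reuse it, and never hold the raw pointer across such a call.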


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-24 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 closed 
https://github.com/llvm/llvm-project/pull/67663


[clang] [analyzer] Extend EnumCastOutOfRange diagnostics (PR #68191)

2023-10-26 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/68191

From a08f51109bd93f88271f0548719c52c75afc96e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Wed, 4 Oct 2023 10:38:00 +0200
Subject: [PATCH 1/3] [analyzer] Extend EnumCastOutOfRange diagnostics

EnumCastOutOfRange checker now reports the name of the enum in the
warning message. Additionally, a note-tag is placed to highlight the
location of the declaration.
---
 .../Checkers/EnumCastOutOfRangeChecker.cpp|  33 --
 clang/test/Analysis/enum-cast-out-of-range.c  |  13 ++-
 .../test/Analysis/enum-cast-out-of-range.cpp  | 108 +-
 3 files changed, 87 insertions(+), 67 deletions(-)

diff --git a/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
index 89be6a47250a245..6163f7a23804091 100644
--- a/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
@@ -59,7 +59,7 @@ class ConstraintBasedEQEvaluator {
 // value can be matching.
 class EnumCastOutOfRangeChecker : public Checker> {
   mutable std::unique_ptr EnumValueCastOutOfRange;
-  void reportWarning(CheckerContext &C) const;
+  void reportWarning(CheckerContext &C, const EnumDecl *E) const;
 
 public:
   void checkPreStmt(const CastExpr *CE, CheckerContext &C) const;
@@ -72,21 +72,36 @@ EnumValueVector getDeclValuesForEnum(const EnumDecl *ED) {
   EnumValueVector DeclValues(
   std::distance(ED->enumerator_begin(), ED->enumerator_end()));
   llvm::transform(ED->enumerators(), DeclValues.begin(),
- [](const EnumConstantDecl *D) { return D->getInitVal(); });
+  [](const EnumConstantDecl *D) { return D->getInitVal(); });
   return DeclValues;
 }
 } // namespace
 
-void EnumCastOutOfRangeChecker::reportWarning(CheckerContext &C) const {
+void EnumCastOutOfRangeChecker::reportWarning(CheckerContext &C,
+  const EnumDecl *E) const {
+  assert(E && "valid EnumDecl* is expected");
   if (const ExplodedNode *N = C.generateNonFatalErrorNode()) {
 if (!EnumValueCastOutOfRange)
   EnumValueCastOutOfRange.reset(
   new BugType(this, "Enum cast out of range"));
-constexpr llvm::StringLiteral Msg =
-"The value provided to the cast expression is not in the valid range"
-" of values for the enum";
-C.emitReport(std::make_unique(
-*EnumValueCastOutOfRange, Msg, N));
+
+llvm::SmallString<128> Msg{"The value provided to the cast expression is "
+   "not in the valid range of values for "};
+StringRef EnumName{E->getName()};
+if (EnumName.empty()) {
+  Msg += "the enum";
+} else {
+  Msg += '\'';
+  Msg += EnumName;
+  Msg += '\'';
+}
+
+auto BR = 
std::make_unique(*EnumValueCastOutOfRange,
+   Msg, N);
+BR->addNote("enum declared here",
+PathDiagnosticLocation::create(E, C.getSourceManager()),
+{E->getSourceRange()});
+C.emitReport(std::move(BR));
   }
 }
 
@@ -144,7 +159,7 @@ void EnumCastOutOfRangeChecker::checkPreStmt(const CastExpr 
*CE,
   // If there is no value that can possibly match any of the enum values, then
   // warn.
   if (!PossibleValueMatch)
-reportWarning(C);
+reportWarning(C, ED);
 }
 
 void ento::registerEnumCastOutOfRangeChecker(CheckerManager &mgr) {
diff --git a/clang/test/Analysis/enum-cast-out-of-range.c 
b/clang/test/Analysis/enum-cast-out-of-range.c
index 3282cba653d7125..6d3afa3fcf9885f 100644
--- a/clang/test/Analysis/enum-cast-out-of-range.c
+++ b/clang/test/Analysis/enum-cast-out-of-range.c
@@ -2,6 +2,7 @@
 // RUN:   -analyzer-checker=core,alpha.cplusplus.EnumCastOutOfRange \
 // RUN:   -verify %s
 
+// expected-note@+1 6 {{enum declared here}}
 enum En_t {
   En_0 = -4,
   En_1,
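Review bot: `expected-note@+1 6 {{enum declared here}}` hard-codes the number of reports in this file, so any later test that casts out of range to `En_t` will have to bump the count; a short comment saying the number must equal the number of warnings below would save the next editor a failed run.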
@@ -11,17 +12,17 @@ enum En_t {
 };
 
 void unscopedUnspecifiedCStyle(void) {
-  enum En_t Below = (enum En_t)(-5);// expected-warning {{not in the valid 
range}}
+  enum En_t Below = (enum En_t)(-5);// expected-warning {{not in the valid 
range of values for 'En_t'}}
   enum En_t NegVal1 = (enum En_t)(-4);  // OK.
   enum En_t NegVal2 = (enum En_t)(-3);  // OK.
-  enum En_t InRange1 = (enum En_t)(-2); // expected-warning {{not in the valid 
range}}
-  enum En_t InRange2 = (enum En_t)(-1); // expected-warning {{not in the valid 
range}}
-  enum En_t InRange3 = (enum En_t)(0);  // expected-warning {{not in the valid 
range}}
+  enum En_t InRange1 = (enum En_t)(-2); // expected-warning {{not in the valid 
range of values for 'En_t'}}
+  enum En_t InRange2 = (enum En_t)(-1); // expected-warning {{not in the valid 
range of values for 'En_t'}}
+  enum En_t InRange3 = (enum En_t)(0);  // expected-warning {{not in the valid 
range of values for 'En_t'}}
   enum En_t PosVal1 = (enum En_t)(

[clang] [analyzer] Extend EnumCastOutOfRange diagnostics (PR #68191)

2023-10-26 Thread Endre Fülöp via cfe-commits

gamesh411 wrote:

@Xazax-hun Thanks for the review!
I have modified the tracking a bit, because seeing the other use cases, and also 
just thinking through, the *subexpression* of the cast is what we are 
interested in upstream in the bugpath.
I have added a very minimal test as well, and rebased.

https://github.com/llvm/llvm-project/pull/68191


[clang] [analyzer] Extend EnumCastOutOfRange diagnostics (PR #68191)

2023-10-27 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/68191

From a08f51109bd93f88271f0548719c52c75afc96e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Wed, 4 Oct 2023 10:38:00 +0200
Subject: [PATCH 1/4] [analyzer] Extend EnumCastOutOfRange diagnostics

EnumCastOutOfRange checker now reports the name of the enum in the
warning message. Additionally, a note-tag is placed to highlight the
location of the declaration.
---
 .../Checkers/EnumCastOutOfRangeChecker.cpp|  33 --
 clang/test/Analysis/enum-cast-out-of-range.c  |  13 ++-
 .../test/Analysis/enum-cast-out-of-range.cpp  | 108 +-
 3 files changed, 87 insertions(+), 67 deletions(-)

diff --git a/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
index 89be6a47250a245..6163f7a23804091 100644
--- a/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
@@ -59,7 +59,7 @@ class ConstraintBasedEQEvaluator {
 // value can be matching.
 class EnumCastOutOfRangeChecker : public Checker> {
   mutable std::unique_ptr EnumValueCastOutOfRange;
-  void reportWarning(CheckerContext &C) const;
+  void reportWarning(CheckerContext &C, const EnumDecl *E) const;
 
 public:
   void checkPreStmt(const CastExpr *CE, CheckerContext &C) const;
@@ -72,21 +72,36 @@ EnumValueVector getDeclValuesForEnum(const EnumDecl *ED) {
   EnumValueVector DeclValues(
   std::distance(ED->enumerator_begin(), ED->enumerator_end()));
   llvm::transform(ED->enumerators(), DeclValues.begin(),
- [](const EnumConstantDecl *D) { return D->getInitVal(); });
+  [](const EnumConstantDecl *D) { return D->getInitVal(); });
   return DeclValues;
 }
 } // namespace
 
-void EnumCastOutOfRangeChecker::reportWarning(CheckerContext &C) const {
+void EnumCastOutOfRangeChecker::reportWarning(CheckerContext &C,
+  const EnumDecl *E) const {
+  assert(E && "valid EnumDecl* is expected");
   if (const ExplodedNode *N = C.generateNonFatalErrorNode()) {
 if (!EnumValueCastOutOfRange)
   EnumValueCastOutOfRange.reset(
   new BugType(this, "Enum cast out of range"));
-constexpr llvm::StringLiteral Msg =
-"The value provided to the cast expression is not in the valid range"
-" of values for the enum";
-C.emitReport(std::make_unique(
-*EnumValueCastOutOfRange, Msg, N));
+
+llvm::SmallString<128> Msg{"The value provided to the cast expression is "
+   "not in the valid range of values for "};
+StringRef EnumName{E->getName()};
+if (EnumName.empty()) {
+  Msg += "the enum";
+} else {
+  Msg += '\'';
+  Msg += EnumName;
+  Msg += '\'';
+}
+
+auto BR = 
std::make_unique(*EnumValueCastOutOfRange,
+   Msg, N);
+BR->addNote("enum declared here",
+PathDiagnosticLocation::create(E, C.getSourceManager()),
+{E->getSourceRange()});
+C.emitReport(std::move(BR));
   }
 }
 
@@ -144,7 +159,7 @@ void EnumCastOutOfRangeChecker::checkPreStmt(const CastExpr 
*CE,
   // If there is no value that can possibly match any of the enum values, then
   // warn.
   if (!PossibleValueMatch)
-reportWarning(C);
+reportWarning(C, ED);
 }
 
 void ento::registerEnumCastOutOfRangeChecker(CheckerManager &mgr) {
diff --git a/clang/test/Analysis/enum-cast-out-of-range.c 
b/clang/test/Analysis/enum-cast-out-of-range.c
index 3282cba653d7125..6d3afa3fcf9885f 100644
--- a/clang/test/Analysis/enum-cast-out-of-range.c
+++ b/clang/test/Analysis/enum-cast-out-of-range.c
@@ -2,6 +2,7 @@
 // RUN:   -analyzer-checker=core,alpha.cplusplus.EnumCastOutOfRange \
 // RUN:   -verify %s
 
+// expected-note@+1 6 {{enum declared here}}
 enum En_t {
   En_0 = -4,
   En_1,
@@ -11,17 +12,17 @@ enum En_t {
 };
 
 void unscopedUnspecifiedCStyle(void) {
-  enum En_t Below = (enum En_t)(-5);// expected-warning {{not in the valid 
range}}
+  enum En_t Below = (enum En_t)(-5);// expected-warning {{not in the valid 
range of values for 'En_t'}}
   enum En_t NegVal1 = (enum En_t)(-4);  // OK.
   enum En_t NegVal2 = (enum En_t)(-3);  // OK.
-  enum En_t InRange1 = (enum En_t)(-2); // expected-warning {{not in the valid 
range}}
-  enum En_t InRange2 = (enum En_t)(-1); // expected-warning {{not in the valid 
range}}
-  enum En_t InRange3 = (enum En_t)(0);  // expected-warning {{not in the valid 
range}}
+  enum En_t InRange1 = (enum En_t)(-2); // expected-warning {{not in the valid 
range of values for 'En_t'}}
+  enum En_t InRange2 = (enum En_t)(-1); // expected-warning {{not in the valid 
range of values for 'En_t'}}
+  enum En_t InRange3 = (enum En_t)(0);  // expected-warning {{not in the valid 
range of values for 'En_t'}}
   enum En_t PosVal1 = (enum En_t)(

[clang] dc96cc3 - [clang][test] Fix prefix operator++ signature in iterators

2020-11-25 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2020-11-25T18:05:11+01:00
New Revision: dc96cc33c13e1e38382118c25bf26de480eb2b12

URL: 
https://github.com/llvm/llvm-project/commit/dc96cc33c13e1e38382118c25bf26de480eb2b12
DIFF: 
https://github.com/llvm/llvm-project/commit/dc96cc33c13e1e38382118c25bf26de480eb2b12.diff

LOG: [clang][test] Fix prefix operator++ signature in iterators

Prefix operator++ should return the iterator incremented by reference.

Differential Revision: https://reviews.llvm.org/D89528

Added: 


Modified: 
clang/test/Analysis/Inputs/system-header-simulator-cxx.h

Removed: 




diff  --git a/clang/test/Analysis/Inputs/system-header-simulator-cxx.h 
b/clang/test/Analysis/Inputs/system-header-simulator-cxx.h
index f2b148cbc692..87984d02c2f6 100644
--- a/clang/test/Analysis/Inputs/system-header-simulator-cxx.h
+++ b/clang/test/Analysis/Inputs/system-header-simulator-cxx.h
@@ -46,7 +46,7 @@ template  struct 
__vector_iterator {
 
   __vector_iterator(const Ptr p = 0) : ptr(p) {}
   __vector_iterator(const iterator &rhs): ptr(rhs.base()) {}
-  __vector_iterator operator++() { ++ ptr; return *this; }
+  __vector_iterator& operator++() { ++ ptr; return *this; }
   __vector_iterator operator++(int) {
 auto tmp = *this;
 ++ ptr;
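Review bot: returning `*this` by reference from the prefix `operator++` is the right fix (a by-value return made `++it` yield a temporary, so chaining or assigning through it did not touch the original iterator). If these iterator templates also declare a prefix `operator--` with the old by-value signature it needs the same change; it is outside this hunk's context, so worth checking all four iterators in one pass.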
@@ -109,7 +109,7 @@ template  struct 
__deque_iterator {
 
   __deque_iterator(const Ptr p = 0) : ptr(p) {}
   __deque_iterator(const iterator &rhs): ptr(rhs.base()) {}
-  __deque_iterator operator++() { ++ ptr; return *this; }
+  __deque_iterator& operator++() { ++ ptr; return *this; }
   __deque_iterator operator++(int) {
 auto tmp = *this;
 ++ ptr;
@@ -169,7 +169,7 @@ template  struct 
__list_iterator {
 
   __list_iterator(T* it = 0) : item(it) {}
   __list_iterator(const iterator &rhs): item(rhs.item) {}
-  __list_iterator operator++() { item = item->next; return *this; 
}
+  __list_iterator& operator++() { item = item->next; return 
*this; }
   __list_iterator operator++(int) {
 auto tmp = *this;
 item = item->next;
@@ -212,7 +212,7 @@ template  struct 
__fwdl_iterator {
 
   __fwdl_iterator(T* it = 0) : item(it) {}
   __fwdl_iterator(const iterator &rhs): item(rhs.item) {}
-  __fwdl_iterator operator++() { item = item->next; return *this; 
}
+  __fwdl_iterator& operator++() { item = item->next; return 
*this; }
   __fwdl_iterator operator++(int) {
 auto tmp = *this;
 item = item->next;
@@ -1079,7 +1079,7 @@ template<
 class iterator {
 public:
   iterator(Key *key): ptr(key) {}
-  iterator operator++() { ++ptr; return *this; }
+  iterator& operator++() { ++ptr; return *this; }
   bool operator!=(const iterator &other) const { return ptr != other.ptr; }
   const Key &operator*() const { return *ptr; }
 private:
@@ -1104,7 +1104,7 @@ template<
 class iterator {
 public:
   iterator(Key *key): ptr(key) {}
-  iterator operator++() { ++ptr; return *this; }
+  iterator& operator++() { ++ptr; return *this; }
   bool operator!=(const iterator &other) const { return ptr != other.ptr; }
   const Key &operator*() const { return *ptr; }
 private:





[clang] 4aac00a - [analyzer][doc] Add user documentation for taint analysis

2021-11-28 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2021-11-28T23:36:47+01:00
New Revision: 4aac00a71db31121d70b140d7367e7f9d9992f66

URL: 
https://github.com/llvm/llvm-project/commit/4aac00a71db31121d70b140d7367e7f9d9992f66
DIFF: 
https://github.com/llvm/llvm-project/commit/4aac00a71db31121d70b140d7367e7f9d9992f66.diff

LOG: [analyzer][doc] Add user documentation for taint analysis

Checker alpha.security.taint.TaintPropagation now has user documentation for
taint analysis with an example showing external YAML configuration format.
The format of the taint configuration file is now documented under the user
documentation of Clang SA.

Differential Revision: https://reviews.llvm.org/D113251

Added: 
clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst

Modified: 
clang/docs/analyzer/checkers.rst
clang/docs/analyzer/user-docs.rst

Removed: 




diff  --git a/clang/docs/analyzer/checkers.rst 
b/clang/docs/analyzer/checkers.rst
index df62fb0643f86..a31c38c133d97 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -2317,8 +2317,15 @@ Checkers implementing `taint analysis 
`_ format. The 
taint-related options defined in the config file extend but do not override the 
built-in sources, rules, sinks.
+The format of the external taint configuration file is not stable, and could 
change without any notice even in a non-backward compatible way.
+
+For a more detailed description of configuration options, please see the 
:doc:`user-docs/TaintAnalysisConfiguration`. For an example see 
:ref:`clangsa-taint-configuration-example`.
+
 alpha.unix
 ^^^
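Review bot: "extend but do not override the built-in sources, rules, sinks" leaves open what happens when a user entry names a function that already has a built-in rule (a propagation for a libc call, say): the new page should state whether the two are unioned or the built-in wins, since that decides whether a user can tighten a default. The sentence about the file format being unstable belongs in TaintAnalysisConfiguration.rst as well, because readers will land there directly from the toctree added below.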
 

diff  --git a/clang/docs/analyzer/user-docs.rst 
b/clang/docs/analyzer/user-docs.rst
index 69486c52d2873..2292cec6944b1 100644
--- a/clang/docs/analyzer/user-docs.rst
+++ b/clang/docs/analyzer/user-docs.rst
@@ -7,3 +7,4 @@ Contents:
:maxdepth: 2
 
user-docs/CrossTranslationUnit
+   user-docs/TaintAnalysisConfiguration

diff  --git a/clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst 
b/clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst
new file mode 100644
index 0..94db84494e00b
--- /dev/null
+++ b/clang/docs/analyzer/user-docs/TaintAnalysisConfiguration.rst
@@ -0,0 +1,170 @@
+
+Taint Analysis Configuration
+
+
+The Clang Static Analyzer uses taint analysis to detect security-related 
issues in code.
+The backbone of taint analysis in the Clang SA is the `GenericTaintChecker`, 
which the user can access via the :ref:`alpha-security-taint-TaintPropagation` 
checker alias and this checker has a default taint-related configuration.
+The built-in default settings are defined in code, and they are always in 
effe

[clang-tools-extra] d33f199 - [clang-tidy] Extend cert-oop57-cpp to check non-zero memset values

2022-05-31 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2022-06-01T08:15:03+02:00
New Revision: d33f199910fa02cf7072f3227913e670c98d03a9

URL: 
https://github.com/llvm/llvm-project/commit/d33f199910fa02cf7072f3227913e670c98d03a9
DIFF: 
https://github.com/llvm/llvm-project/commit/d33f199910fa02cf7072f3227913e670c98d03a9.diff

LOG: [clang-tidy] Extend cert-oop57-cpp to check non-zero memset values

Clang Tidy check cert-oop57-cpp now checks for arbitrary-valued
arguments in memset expressions containing non-trivially
default-constructible instances. Previously it only checked literal 0 values.

Reviewed By: aaron.ballman

Differential Revision: https://reviews.llvm.org/D126186

Added: 


Modified: 
clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
clang-tools-extra/docs/ReleaseNotes.rst
clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp

Removed: 




diff  --git 
a/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp 
b/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
index 8e6acea290826..5c8da5b4cacf7 100644
--- a/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
+++ b/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
@@ -80,7 +80,7 @@ void NonTrivialTypesLibcMemoryCallsCheck::registerMatchers(
   auto IsRecordSizeOf =
   expr(sizeOfExpr(hasArgumentOfType(equalsBoundNode("Record";
   auto ArgChecker = [&](Matcher RecordConstraint,
-BindableMatcher SecondArg) {
+BindableMatcher SecondArg = expr()) {
 return allOf(argumentCountIs(3),
  hasArgument(0, IsStructPointer(RecordConstraint, true)),
  hasArgument(1, SecondArg), hasArgument(2, IsRecordSizeOf));
@@ -89,8 +89,7 @@ void NonTrivialTypesLibcMemoryCallsCheck::registerMatchers(
   Finder->addMatcher(
   callExpr(callee(namedDecl(hasAnyName(
utils::options::parseListPair(BuiltinMemSet, 
MemSetNames,
-   ArgChecker(unless(isTriviallyDefaultConstructible()),
-  expr(integerLiteral(equals(0)
+   ArgChecker(unless(isTriviallyDefaultConstructible(
   .bind("lazyConstruct"),
   this);
   Finder->addMatcher(
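Review bot: dropping `expr(integerLiteral(equals(0)))` widens the match to any fill value, which is what OOP57-CPP asks for: the rule is about bypassing the constructor, not about the byte written, so `memset(&obj, 0, ...)` and `memset(&obj, 0xff, ...)` are equally wrong on a non-trivially-default-constructible type. It does mean code that used a non-zero memset as a deliberate poison on such a type will start being reported, so the release note should say the check is stricter rather than "more sensitive".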

diff  --git a/clang-tools-extra/docs/ReleaseNotes.rst 
b/clang-tools-extra/docs/ReleaseNotes.rst
index 5196c53291d19..e21bee6a80b30 100644
--- a/clang-tools-extra/docs/ReleaseNotes.rst
+++ b/clang-tools-extra/docs/ReleaseNotes.rst
@@ -156,6 +156,9 @@ Changes in existing checks
   ` when `sizeof(...)` is
   compared against a `__int128_t`.
 
+- Made :doc:`cert-oop57-cpp ` more sensitive
+  by checking for an arbitrary expression in the second argument of `memset`.
+
 - Improved :doc:`cppcoreguidelines-prefer-member-initializer
   ` check.
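Review bot: in reStructuredText single backticks (`memset`) are interpreted text, not a literal, and with the strict docs build this is the kind of thing that fails; inline code should be ``memset`` with double backticks. This is presumably the "ReleaseNote issue" that prompted the revert and re-land that follow.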
 

diff  --git a/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp 
b/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp
index a5a38734ce6ae..880c5c3a1c9fe 100644
--- a/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp
+++ b/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp
@@ -88,3 +88,17 @@ void baz(const NonTrivial &Other) {
   mymemcmp(&Data, &Other, sizeof(Data));
   // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: consider using comparison 
operators instead of calling 'mymemcmp'
 }
+
+void nonNullSetValue() {
+  NonTrivial Data;
+  // Check non-null-valued second argument.
+  std::memset(&Data, 1, sizeof(Data));
+  // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: calling 'memset' on a 
non-trivially default constructible class is undefined
+}
+
+void nonLiteralSetValue(char C) {
+  NonTrivial Data;
+  // Check non-literal second argument.
+  std::memset(&Data, C, sizeof(Data));
+  // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: calling 'memset' on a 
non-trivially default constructible class is undefined
+}



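As an added example, not part of the clang-tidy change or its tests, here is the pattern cert-oop57-cpp now reports for any fill value, next to the replacement that resets the object through its own constructor, and the trivially default constructible case where memset is legitimate and the check stays silent. `DemoSession`, `DemoHeader` and the `demo_` functions are this example's own names.

```cpp
#include <cstring>
#include <string>

// Not trivially default constructible: owns a std::string and establishes an
// invariant in its constructor.
struct DemoSession {
    std::string user;
    unsigned failed_logins;
    DemoSession() : user("anonymous"), failed_logins(0) {}
};

// What cert-oop57-cpp reports, now for any fill value, not only literal 0:
// the bytes overwrite the std::string's internal pointers, so later use or
// destruction of 's' is undefined behaviour. Kept for contrast only; the
// assertions below never call it.
void demo_unsafe_reset(DemoSession &s, int fill) {
    std::memset(&s, fill, sizeof s);   // warning: calling 'memset' on a non-trivially default constructible class is undefined
}

// The replacement: re-establish the default state through the type's own
// constructor and assignment operator, which release the old string properly.
void demo_safe_reset(DemoSession &s) {
    s = DemoSession{};
}

bool demo_reset_restores_defaults() {
    DemoSession s;
    s.user = "alice";
    s.failed_logins = 3;
    demo_safe_reset(s);
    return s.user == "anonymous" && s.failed_logins == 0;
}

// A trivially default constructible record is the legitimate memset target;
// the check does not fire here.
struct DemoHeader {
    unsigned char magic[4];
    unsigned length;
};

bool demo_zero_header_is_clear() {
    DemoHeader h;
    h.length = 5;
    h.magic[0] = 'x';
    std::memset(&h, 0, sizeof h);       // fine: no constructor to bypass
    return h.length == 0 && h.magic[0] == 0 && h.magic[3] == 0;
}
```

If the intent of the memset was to scrub secrets rather than to reset state, that is a separate problem: assign an empty value through the type's own API, then rely on a dedicated secure-erase routine for the underlying buffer, not on a byte fill over the whole object.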


[clang-tools-extra] 1c459a2 - Revert "[clang-tidy] Extend cert-oop57-cpp to check non-zero memset values"

2022-05-31 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2022-06-01T08:21:16+02:00
New Revision: 1c459a20ea5626264d867aaf65882c9cc6d0bf8a

URL: 
https://github.com/llvm/llvm-project/commit/1c459a20ea5626264d867aaf65882c9cc6d0bf8a
DIFF: 
https://github.com/llvm/llvm-project/commit/1c459a20ea5626264d867aaf65882c9cc6d0bf8a.diff

LOG: Revert "[clang-tidy] Extend cert-oop57-cpp to check non-zero memset values"

Revert to fix a ReleaseNote issue.

This reverts commit d33f199910fa02cf7072f3227913e670c98d03a9.

Added: 


Modified: 
clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
clang-tools-extra/docs/ReleaseNotes.rst
clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp

Removed: 




diff  --git 
a/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp 
b/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
index 5c8da5b4cacf7..8e6acea290826 100644
--- a/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
+++ b/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
@@ -80,7 +80,7 @@ void NonTrivialTypesLibcMemoryCallsCheck::registerMatchers(
   auto IsRecordSizeOf =
   expr(sizeOfExpr(hasArgumentOfType(equalsBoundNode("Record";
   auto ArgChecker = [&](Matcher RecordConstraint,
-BindableMatcher SecondArg = expr()) {
+BindableMatcher SecondArg) {
 return allOf(argumentCountIs(3),
  hasArgument(0, IsStructPointer(RecordConstraint, true)),
  hasArgument(1, SecondArg), hasArgument(2, IsRecordSizeOf));
@@ -89,7 +89,8 @@ void NonTrivialTypesLibcMemoryCallsCheck::registerMatchers(
   Finder->addMatcher(
   callExpr(callee(namedDecl(hasAnyName(
utils::options::parseListPair(BuiltinMemSet, 
MemSetNames,
-   ArgChecker(unless(isTriviallyDefaultConstructible(
+   ArgChecker(unless(isTriviallyDefaultConstructible()),
+  expr(integerLiteral(equals(0)
   .bind("lazyConstruct"),
   this);
   Finder->addMatcher(

diff  --git a/clang-tools-extra/docs/ReleaseNotes.rst 
b/clang-tools-extra/docs/ReleaseNotes.rst
index e21bee6a80b30..5196c53291d19 100644
--- a/clang-tools-extra/docs/ReleaseNotes.rst
+++ b/clang-tools-extra/docs/ReleaseNotes.rst
@@ -156,9 +156,6 @@ Changes in existing checks
   ` when `sizeof(...)` is
   compared against a `__int128_t`.
 
-- Made :doc:`cert-oop57-cpp ` more sensitive
-  by checking for an arbitrary expression in the second argument of `memset`.
-
 - Improved :doc:`cppcoreguidelines-prefer-member-initializer
   ` check.
 

diff  --git a/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp 
b/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp
index 880c5c3a1c9fe..a5a38734ce6ae 100644
--- a/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp
+++ b/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp
@@ -88,17 +88,3 @@ void baz(const NonTrivial &Other) {
   mymemcmp(&Data, &Other, sizeof(Data));
   // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: consider using comparison 
operators instead of calling 'mymemcmp'
 }
-
-void nonNullSetValue() {
-  NonTrivial Data;
-  // Check non-null-valued second argument.
-  std::memset(&Data, 1, sizeof(Data));
-  // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: calling 'memset' on a 
non-trivially default constructible class is undefined
-}
-
-void nonLiteralSetValue(char C) {
-  NonTrivial Data;
-  // Check non-literal second argument.
-  std::memset(&Data, C, sizeof(Data));
-  // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: calling 'memset' on a 
non-trivially default constructible class is undefined
-}





[clang-tools-extra] e290fce - [clang-tidy] Extend cert-oop57-cpp to check non-zero memset values

2022-05-31 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2022-06-01T08:23:23+02:00
New Revision: e290fcef111c24ed833c9768809eb900a21c94e0

URL: 
https://github.com/llvm/llvm-project/commit/e290fcef111c24ed833c9768809eb900a21c94e0
DIFF: 
https://github.com/llvm/llvm-project/commit/e290fcef111c24ed833c9768809eb900a21c94e0.diff

LOG: [clang-tidy] Extend cert-oop57-cpp to check non-zero memset values

Clang Tidy check cert-oop57-cpp now checks for arbitrary-valued
arguments in memset expressions containing non-trivially
default-constructible instances. Previously it only checked literal 0 values.

Reviewed By: aaron.ballman

Differential Revision: https://reviews.llvm.org/D126186

Added: 


Modified: 
clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
clang-tools-extra/docs/ReleaseNotes.rst
clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp

Removed: 




diff  --git 
a/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp 
b/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
index 8e6acea290826..5c8da5b4cacf7 100644
--- a/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
+++ b/clang-tools-extra/clang-tidy/cert/NonTrivialTypesLibcMemoryCallsCheck.cpp
@@ -80,7 +80,7 @@ void NonTrivialTypesLibcMemoryCallsCheck::registerMatchers(
   auto IsRecordSizeOf =
   expr(sizeOfExpr(hasArgumentOfType(equalsBoundNode("Record";
   auto ArgChecker = [&](Matcher RecordConstraint,
-BindableMatcher SecondArg) {
+BindableMatcher SecondArg = expr()) {
 return allOf(argumentCountIs(3),
  hasArgument(0, IsStructPointer(RecordConstraint, true)),
  hasArgument(1, SecondArg), hasArgument(2, IsRecordSizeOf));
@@ -89,8 +89,7 @@ void NonTrivialTypesLibcMemoryCallsCheck::registerMatchers(
   Finder->addMatcher(
   callExpr(callee(namedDecl(hasAnyName(
utils::options::parseListPair(BuiltinMemSet, 
MemSetNames,
-   ArgChecker(unless(isTriviallyDefaultConstructible()),
-  expr(integerLiteral(equals(0)
+   ArgChecker(unless(isTriviallyDefaultConstructible(
   .bind("lazyConstruct"),
   this);
   Finder->addMatcher(

diff  --git a/clang-tools-extra/docs/ReleaseNotes.rst 
b/clang-tools-extra/docs/ReleaseNotes.rst
index 5196c53291d19..c709f6d35e155 100644
--- a/clang-tools-extra/docs/ReleaseNotes.rst
+++ b/clang-tools-extra/docs/ReleaseNotes.rst
@@ -156,6 +156,9 @@ Changes in existing checks
   ` when `sizeof(...)` is
   compared against a `__int128_t`.
 
+- Made :doc:`cert-oop57-cpp ` more sensitive
+  by checking for an arbitrary expression in the second argument of ``memset``.
+
 - Improved :doc:`cppcoreguidelines-prefer-member-initializer
   ` check.
 

diff  --git a/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp 
b/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp
index a5a38734ce6ae..880c5c3a1c9fe 100644
--- a/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp
+++ b/clang-tools-extra/test/clang-tidy/checkers/cert-oop57-cpp.cpp
@@ -88,3 +88,17 @@ void baz(const NonTrivial &Other) {
   mymemcmp(&Data, &Other, sizeof(Data));
   // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: consider using comparison 
operators instead of calling 'mymemcmp'
 }
+
+void nonNullSetValue() {
+  NonTrivial Data;
+  // Check non-null-valued second argument.
+  std::memset(&Data, 1, sizeof(Data));
+  // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: calling 'memset' on a 
non-trivially default constructible class is undefined
+}
+
+void nonLiteralSetValue(char C) {
+  NonTrivial Data;
+  // Check non-literal second argument.
+  std::memset(&Data, C, sizeof(Data));
+  // CHECK-MESSAGES: :[[@LINE-1]]:3: warning: calling 'memset' on a 
non-trivially default constructible class is undefined
+}
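Review bot: both new tests are positive cases; add a negative one, such as a non-zero `memset` on a trivially default constructible struct, so the widened matcher is shown not to fire where the rule does not apply. If the file does not already have it, a zero-literal `memset` on `NonTrivial` should stay as well, to show the previous behaviour is preserved.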





[clang] [analyzer] Move alpha checker EnumCastOutOfRange to optin (PR #67157)

2023-09-28 Thread Endre Fülöp via cfe-commits

gamesh411 wrote:

| OpenSource Project name | New Reports | Reports Lost | Evaluation of reports |
|---|---|---|---|
| memcached_1.6.8 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=memcached_1.6.8_baseline&newcheck=memcached_1.6.8_with_enum_cast&is-unique=on&diff-mode=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=memcached_1.6.8_baseline&newcheck=memcached_1.6.8_with_enum_cast&is-unique=on&diff-mode=Resolved) | no reports |
| tmux_2.6 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=tmux_2.6_baseline&newcheck=tmux_2.6_with_enum_cast&is-unique=on&diff-mode=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=tmux_2.6_baseline&newcheck=tmux_2.6_with_enum_cast&is-unique=on&diff-mode=Resolved) | no reports |
| curl_curl-7_66_0 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=curl_curl-7_66_0_baseline&newcheck=curl_curl-7_66_0_with_enum_cast&is-unique=on&diff-mode=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=curl_curl-7_66_0_baseline&newcheck=curl_curl-7_66_0_with_enum_cast&is-unique=on&diff-mode=Resolved) | 18 reports, all seem valid, even if some of them are just plain ugly macro expansion-wrapped madness |
| twin_v0.8.1 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=twin_v0.8.1_baseline&newcheck=twin_v0.8.1_with_enum_cast&is-unique=on&diff-mode=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=twin_v0.8.1_baseline&newcheck=twin_v0.8.1_with_enum_cast&is-unique=on&diff-mode=Resolved) | 2 reports, 1 is flag type usage, so this project would NOT want to opt into this checker |
| vim_v8.2.1920 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=vim_v8.2.1920_baseline&newcheck=vim_v8.2.1920_with_enum_cast&is-unique=on&diff-mode=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=vim_v8.2.1920_baseline&newcheck=vim_v8.2.1920_with_enum_cast&is-unique=on&diff-mode=Resolved) | 29 reports, valid, but not really useful for this project |
| openssl_openssl-3.0.0 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=openssl_openssl-3.0.0-alpha7_baseline&newcheck=openssl_openssl-3.0.0-alpha7_with_enum_cast&is-unique=on&diff-mode=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=openssl_openssl-3.0.0-alpha7_baseline&newcheck=openssl_openssl-3.0.0-alpha7_with_enum_cast&is-unique=on&diff-mode=Resolved) | no reports |
| sqlite_version-3.33.0 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=sqlite_version-3.33.0_baseline&newcheck=sqlite_version-3.33.0_with_enum_cast&is-unique=on&diff-mode=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=sqlite_version-3.33.0_baseline&newcheck=sqlite_version-3.33.0_with_enum_cast&is-unique=on&diff-mode=Resolved) | no reports |
| ffmpeg_n4.3.1 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=ffmpeg_n4.3.1_baseline&newcheck=ffmpeg_n4.3.1_with_enum_cast&is-unique=on&diff-mode=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=ffmpeg_n4.3.1_baseline&newcheck=ffmpeg_n4.3.1_with_enum_cast&is-unique=on&diff-mode=Resolved) | 39 reports, not really useful or understandable |
| postgres_REL_13_0 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=postgres_REL_13_0_baseline&newcheck=postgres_REL_13_0_with_enum_cast&is-unique=on&diff-mode=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=postgres_REL_13_0_baseline&newcheck=postgres_REL_13_0_with_enum_cast&is-unique=on&diff-mode=Resolved) | 16 reports, they are valid from the coding style enforcing POV |
| tinyxml2_8.0.0 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=tinyxml2_8.0.0_baseline&newcheck=tinyxml2_8.0.0_with_enum_cast&is-unique=on&diff-mode=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=tinyxml2_8.0.0_baseline&newcheck=tinyxml2_8.0.0_with_enum_cast&is-unique=on&diff-mode=Resolved) | no reports |
| libwebm_libwebm-1.0.0.27 | [New reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=libwebm_libwebm-1.0.0.27_baseline&newcheck=libwebm_libwebm-1.0.0.27_with_enum_cast&is-unique=on&diff-mode=New) | [Lost reports](https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=libwebm_libwebm-1.0.0.27_baseline&newcheck=libwebm_libwebm-1.0.0.27_with_enum_cast&is-unique=on&diff-mode=Resolved) | no reports |
| xerces_v3.2.3 | [New reports](https://codechecker-de

[clang] [analyzer] Move alpha checker EnumCastOutOfRange to optin (PR #67157)

2023-09-28 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 approved this pull request.


https://github.com/llvm/llvm-project/pull/67157


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-09-28 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 created 
https://github.com/llvm/llvm-project/pull/67663

**This PR is a continuation of the Phabricator review https://reviews.llvm.org/D154603**

The invalidation of pointers returned by subsequent calls to getenv is
suggested by the POSIX standard, but is too strict from a practical point of
view. A new checker option 'InvalidatingGetEnv' is introduced, and is set to a
more lax default value, which does not consider consecutive getenv calls
invalidating.
The handling of the main function's possible specification where an environment
pointer is also specified as a third parameter is also considered now.

From 9f7f577c95d7e9fb7e2f929215ff217ca2d7ed53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Fri, 8 Sep 2023 14:20:00 +0200
Subject: [PATCH 1/7] [analyzer][clangsa] Add new option to
 alpha.security.cert.InvalidPtrChecker

The invalidation of pointers returned by subsequent calls to getenv is
suggested by the POSIX standard, but is too strict from a practical point of
view. A new checker option 'InvalidatingGetEnv' is introduced, and is set to a
more lax default value, which does not consider consecutive getenv calls
invalidating.
The handling of the main function's possible specification where an environment
pointer is also specified as a third parameter is also considered now.

Differential Revision: https://reviews.llvm.org/D154603
---
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  9 ++
 .../Checkers/cert/InvalidPtrChecker.cpp   | 86 ++-
 clang/test/Analysis/analyzer-config.c |  1 +
 .../Analysis/cert/env34-c-cert-examples.c | 40 -
 clang/test/Analysis/cert/env34-c.c|  1 +
 clang/test/Analysis/invalid-ptr-checker.c | 50 +++
 6 files changed, 163 insertions(+), 24 deletions(-)
 create mode 100644 clang/test/Analysis/invalid-ptr-checker.c

diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td 
b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
index 65c1595eb6245dd..b4f65c934bf483b 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -997,6 +997,15 @@ let ParentPackage = ENV in {
 
   def InvalidPtrChecker : Checker<"InvalidPtr">,
   HelpText<"Finds usages of possibly invalidated pointers">,
+  CheckerOptions<[
+CmdLineOption,
+  ]>,
   Documentation;
 
 } // end "alpha.cert.env"
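Review bot: the `CmdLineOption` added to `InvalidPtrChecker` appears here without its template arguments, so its type, option name, description string, default and release tag cannot be checked from this rendering; whatever they are, the description should say that `InvalidatingGetEnv` (default `false`, matching the checker member) makes a `getenv` call invalidate the results of earlier `getenv` calls, and the unchanged `HelpText` line could mention that the strictness is configurable, since the checker's ENV34-C behaviour now depends on this option.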
diff --git a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
index aae1a17bc0ae53e..8849eb1148564b7 100644
--- a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
@@ -38,6 +38,15 @@ class InvalidPtrChecker
 CheckerContext &C) const;
 
   // SEI CERT ENV31-C
+
+  // If set to true, consider getenv calls as invalidating operations on the
+  // environment variable buffer. This is implied in the standard, but in
+  // practice does not cause problems (in the commonly used environments).
+  bool InvalidatingGetEnv = false;
+
+  // GetEnv can be treated invalidating and non-invalidating as well.
+  const CallDescription GetEnvCall{{"getenv"}, 1};
+
   const CallDescriptionMap EnvpInvalidatingFunctions = {
   {{{"setenv"}, 3}, &InvalidPtrChecker::EnvpInvalidatingCall},
   {{{"unsetenv"}, 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
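Review bot: the comment `GetEnv can be treated invalidating and non-invalidating as well` should say what decides it, e.g. `getenv is modelled as invalidating only when InvalidatingGetEnv is set`; and since `GetEnvCall` is now matched on its own rather than through one of the maps, the callback that consults it must keep recording the returned region for the ENV34-C bookkeeping in both modes, otherwise turning the option off would also lose the tracking that lets later invalidations (setenv, strerror, etc.) refer back to the `getenv` result.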
@@ -51,7 +60,6 @@ class InvalidPtrChecker
 
   // SEI CERT ENV34-C
   const CallDescriptionMap PreviousCallInvalidatingFunctions = {
-  {{{"getenv"}, 1}, 
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   {{{"setlocale"}, 2},
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   {{{"strerror"}, 1},
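Review bot: dropping `getenv` from `PreviousCallInvalidatingFunctions` unconditionally means the `InvalidatingGetEnv=true` path has to recreate that behaviour somewhere not shown in this excerpt; the new `clang/test/Analysis/invalid-ptr-checker.c` listed in the diffstat should run the checker with the option both off and on, so that the warning for a `getenv` result used after a second `getenv` call (which this removed entry used to produce) stays covered rather than silently disappearing.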
@@ -62,6 +70,10 @@ class InvalidPtrChecker
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   };
 
+  // The private members of this checker corresponding to commandline options
+  // are set in this function.
+  friend void ento::registerInvalidPtrChecker(CheckerManager &);
+
 public:
   // Obtain the environment pointer from 'main()' (if present).
   void checkBeginFunction(CheckerContext &C) const;
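Review bot: granting `ento::registerInvalidPtrChecker` friend access so it can assign the private `InvalidatingGetEnv` member works, but it is an unusual shape in this code base, where checkers commonly expose such option members publicly and let the registration function assign them from `AnalyzerOptions::getCheckerBoolOption`; if the friend form is kept, the declaration of `registerInvalidPtrChecker` has to be visible before this class definition, so check that the generated checker-registration header is included above it rather than only at the bottom of the file.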
@@ -84,7 +96,10 @@ class InvalidPtrChecker
 REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *)
 
 // Stores the region of the environment pointer of 'main' (if present).
-REGISTER_TRAIT_WITH_PROGRAMSTATE(EnvPtrRegion, const MemRegion *)
+REGISTER_TRAIT_WITH_PROGRAMSTATE(MainEnvPtrRegion, const MemRegion *)
+
+// Stores the regions of environments returned by getenv calls.
+REGISTER_SET_WITH_PROGRAMSTATE(GetenvEnvPtrRegions, const MemRegion *)
 
 // Stores key-value pairs, where key is function declaration and value is
 // pointer to memory region returned by previous call of this function
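Review bot: renaming the trait to `MainEnvPtrRegion` requires every `State->get<...>()`/`State->set<...>()` use of the old `EnvPtrRegion` name to change in the same patch, which the cut-off rendering of the following hunk does not let me confirm; also, `GetenvEnvPtrRegions` is a set that grows by one entry per `getenv` call and nothing in the visible lines removes entries, so prune it when its regions die (as `InvalidMemoryRegions` has to be pruned) to keep the program state small and cache hits frequent.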
@@ -95,22 +110,35 @@ void InvalidPtrChecker::EnvpInvalidatingCall(const 
CallEvent &Call,
  

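The getenv lifetime hazard this PR is about, as an added C example that is not part of the patch or of the checker's test suite: the stale-pointer pattern the checker reports (with `InvalidatingGetEnv=true` a second `getenv` already counts as invalidating) next to the copy-first version that is safe in either mode, and a `main` with the `envp` parameter the PR now tracks. All function names and environment variable names are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L /* for setenv() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not code from the PR. POSIX allows getenv() to return
 * a pointer into storage that a later getenv() may overwrite, and setenv()
 * may reallocate the environment block. The InvalidPtr checker reports a use
 * of such a stale pointer; with InvalidatingGetEnv=true the second getenv()
 * itself counts as the invalidating call. */

/* The pattern the checker is meant to report (shown for contrast, not
 * called by main): 'first' is read after a second getenv(). */
int stale_pointer_pattern(const char *a, const char *b) {
  const char *first = getenv(a);
  const char *second = getenv(b); /* InvalidatingGetEnv=true: invalidates 'first' */
  if (first == NULL || second == NULL)
    return 0;
  return first[0] == second[0];   /* read through a possibly stale pointer */
}

/* Copy the value immediately; the caller owns the returned buffer.
 * Returns NULL if the variable is unset or allocation fails. */
char *env_dup(const char *name) {
  const char *v = getenv(name);
  if (v == NULL)
    return NULL;
  size_t n = strlen(v) + 1;
  char *copy = malloc(n);
  if (copy != NULL)
    memcpy(copy, v, n);
  return copy;
}

/* Safe comparison of two variables: each value is copied before the next
 * call into the environment API, so no getenv() result outlives the next
 * call. Returns 1 if both are set and equal, 0 otherwise. */
int env_values_equal(const char *a, const char *b) {
  char *va = env_dup(a);
  if (va == NULL)
    return 0;
  char *vb = env_dup(b); /* 'va' is our own copy, so this cannot stale it */
  int equal = (vb != NULL) && strcmp(va, vb) == 0;
  free(va);
  free(vb);
  return equal;
}

/* Read one variable into a caller buffer, then change the environment.
 * The copy happens before setenv(), which is the invalidating call that
 * the checker reports in both modes. Returns 0 on success, -1 if the
 * variable is unset, the buffer is too small, or setenv() fails. */
int safe_read_then_set(const char *read_name, const char *set_name,
                       const char *set_value, char *out, size_t out_len) {
  const char *v = getenv(read_name);
  if (v == NULL)
    return -1;
  size_t n = strlen(v);
  if (n + 1 > out_len)
    return -1;
  memcpy(out, v, n + 1);
  /* From here on 'v' must not be used: setenv() may move the block. */
  return setenv(set_name, set_value, 1) == 0 ? 0 : -1;
}

int main(int argc, char **argv, char **envp) {
  (void)argc;
  (void)argv;
  /* 'envp' (the third main() parameter the PR now tracks alongside getenv
   * results) points into the same environment block: walk it before any
   * setenv()/unsetenv() call, never after. */
  size_t count = 0;
  for (char **e = envp; *e != NULL; ++e)
    ++count;
  char value[64];
  if (setenv("GR_EXAMPLE_A", "alpha", 1) != 0)
    return 1;
  if (safe_read_then_set("GR_EXAMPLE_A", "GR_EXAMPLE_B", "beta", value,
                         sizeof value) != 0)
    return 1;
  printf("%zu variables at entry; GR_EXAMPLE_A=%s; A==A: %d\n", count, value,
         env_values_equal("GR_EXAMPLE_A", "GR_EXAMPLE_A"));
  return 0;
}
```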
[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-09-28 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 edited 
https://github.com/llvm/llvm-project/pull/67663


[clang] [analyzer][NFC] Simplifications in ArrayBoundV2 (PR #67572)

2023-09-29 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 approved this pull request.

LGTM

https://github.com/llvm/llvm-project/pull/67572


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-02 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/67663


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-02 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/67663


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-02 Thread Endre Fülöp via cfe-commits


@@ -2399,13 +2399,34 @@ pointer. These functions include: getenv, localeconv, 
asctime, setlocale, strerr
 char *p, *pp;
 
 p = getenv("VAR");
-pp = getenv("VAR2");
-// subsequent call to 'getenv' invalidated previous one
+setenv("SOMEVAR", "VALUE", /*overwrite*/1);

gamesh411 wrote:

fixed in 5e2d77aa0c14ee8695bcde55b68daa22ccb84a1b

https://github.com/llvm/llvm-project/pull/67663


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-02 Thread Endre Fülöp via cfe-commits


@@ -2399,13 +2399,34 @@ pointer. These functions include: getenv, localeconv, 
asctime, setlocale, strerr
 char *p, *pp;
 
 p = getenv("VAR");
-pp = getenv("VAR2");
-// subsequent call to 'getenv' invalidated previous one
+setenv("SOMEVAR", "VALUE", /*overwrite*/1);
+// call to 'setenv' may invalidate p
 
 *p;
 // dereferencing invalid pointer
   }
 
+
+The ``InvalidatingGetEnv`` option is available for treating getenv calls as
+invalidating. When enabled, the checker issues a warning if getenv is called
+multiple times and their results are used without first creating a copy.
+This level of strictness might be considered overly pedantic for a standard
+getenv implementation.
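Review bot: the added paragraph says what `InvalidatingGetEnv` does but not its default or how to enable it; state that it is off by default and show the `-analyzer-config` spelling with the full checker name, and reword `if getenv is called multiple times and their results are used without first creating a copy` to the actual condition, which is an earlier `getenv` result being used after a later `getenv` call without having been copied in between.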

gamesh411 wrote:

fixed as well (5e2d77aa0c14ee8695bcde55b68daa22ccb84a1b)

https://github.com/llvm/llvm-project/pull/67663


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-02 Thread Endre Fülöp via cfe-commits


@@ -25,19 +25,36 @@
 using namespace clang;
 using namespace ento;
 
+
 namespace {
 
+
 class InvalidPtrChecker
 : public Checker {
 private:
-  BugType BT{this, "Use of invalidated pointer", categories::MemoryError};
+  static const BugType *InvalidPtrBugType;
+  // For accurate emission of NoteTags, the BugType of this checker should have
+  // a unique address.
+  void InitInvalidPtrBugType() {
+InvalidPtrBugType = new BugType(this, "Use of invalidated pointer",
+categories::MemoryError);
+  }
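Review bot: replacing the `BugType BT{this, ...}` member with a class-wide `static const BugType *` that `InitInvalidPtrBugType` allocates with `new` leaks the object and shares one address across all checker instances, which defeats the stated goal of a unique address per checker; the member form already had a unique address, so keep `BT` as a member and have the note-tag lambdas capture `this` (or `&BT`) and compare `&BR.getBugType()` against that instead.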

gamesh411 wrote:

incorporated this in 190d2409b89147b8c2c9c2e8d0f96ec07df9e3fc

https://github.com/llvm/llvm-project/pull/67663


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-02 Thread Endre Fülöp via cfe-commits


@@ -146,16 +188,15 @@ void 
InvalidPtrChecker::postPreviousReturnInvalidatingCall(
 
   // Remember to this region.
   const auto *SymRegOfRetVal = cast(RetVal.getAsRegion());
-  const MemRegion *MR =
-  const_cast(SymRegOfRetVal->getBaseRegion());
+  const MemRegion *MR = SymRegOfRetVal->getBaseRegion();
   State = State->set(FD, MR);
 
   ExplodedNode *Node = C.addTransition(State, Note);
   const NoteTag *PreviousCallNote =
   C.getNoteTag([MR](PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
-if (!BR.isInteresting(MR))
+if (!BR.isInteresting(MR) || &BR.getBugType() != InvalidPtrBugType)
   return;
-Out << '\'' << "'previous function call was here" << '\'';
+Out << "'previous function call was here" << '\'';
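Review bot: the new guard `!BR.isInteresting(MR) || &BR.getBugType() != InvalidPtrBugType` compares against a class-level static pointer; if the bug type stays a per-instance member, capture `this` in the lambda next to `MR` and compare against the member's address, so that the note is attached only to reports of this checker instance. Dropping the `const_cast` on `getBaseRegion()` is correct, since it already returns `const MemRegion *`, and the `Out <<` fix now produces a properly balanced `'previous function call was here'`.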

gamesh411 wrote:

fixed in fd4dab0a486c95642905582e94e50f0743d2a6a2

https://github.com/llvm/llvm-project/pull/67663


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-03 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/67663


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-03 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/67663

From 9f7f577c95d7e9fb7e2f929215ff217ca2d7ed53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Fri, 8 Sep 2023 14:20:00 +0200
Subject: [PATCH 1/8] [analyzer][clangsa] Add new option to
 alpha.security.cert.InvalidPtrChecker

The invalidation of pointer pointers returned by subsequent calls to genenv is
suggested by the POSIX standard, but is too strict from a practical point of
view. A new checker option 'InvalidatingGetEnv' is introduced, and is set to a
more lax default value, which does not consider consecutive getenv calls
invalidating.
The handling of the main function's possible specification where an environment
pointer is also pecified as a third parameter is also considered now.

Differential Revision: https://reviews.llvm.org/D154603
---
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  9 ++
 .../Checkers/cert/InvalidPtrChecker.cpp   | 86 ++-
 clang/test/Analysis/analyzer-config.c |  1 +
 .../Analysis/cert/env34-c-cert-examples.c | 40 -
 clang/test/Analysis/cert/env34-c.c|  1 +
 clang/test/Analysis/invalid-ptr-checker.c | 50 +++
 6 files changed, 163 insertions(+), 24 deletions(-)
 create mode 100644 clang/test/Analysis/invalid-ptr-checker.c

diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td 
b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
index 65c1595eb6245dd..b4f65c934bf483b 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -997,6 +997,15 @@ let ParentPackage = ENV in {
 
   def InvalidPtrChecker : Checker<"InvalidPtr">,
   HelpText<"Finds usages of possibly invalidated pointers">,
+  CheckerOptions<[
+CmdLineOption,
+  ]>,
   Documentation;
 
 } // end "alpha.cert.env"
diff --git a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
index aae1a17bc0ae53e..8849eb1148564b7 100644
--- a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
@@ -38,6 +38,15 @@ class InvalidPtrChecker
 CheckerContext &C) const;
 
   // SEI CERT ENV31-C
+
+  // If set to true, consider getenv calls as invalidating operations on the
+  // environment variable buffer. This is implied in the standard, but in
+  // practice does not cause problems (in the commonly used environments).
+  bool InvalidatingGetEnv = false;
+
+  // GetEnv can be treated invalidating and non-invalidating as well.
+  const CallDescription GetEnvCall{{"getenv"}, 1};
+
   const CallDescriptionMap EnvpInvalidatingFunctions = {
   {{{"setenv"}, 3}, &InvalidPtrChecker::EnvpInvalidatingCall},
   {{{"unsetenv"}, 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
@@ -51,7 +60,6 @@ class InvalidPtrChecker
 
   // SEI CERT ENV34-C
   const CallDescriptionMap PreviousCallInvalidatingFunctions = {
-  {{{"getenv"}, 1}, 
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   {{{"setlocale"}, 2},
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   {{{"strerror"}, 1},
@@ -62,6 +70,10 @@ class InvalidPtrChecker
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   };
 
+  // The private members of this checker corresponding to commandline options
+  // are set in this function.
+  friend void ento::registerInvalidPtrChecker(CheckerManager &);
+
 public:
   // Obtain the environment pointer from 'main()' (if present).
   void checkBeginFunction(CheckerContext &C) const;
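Review bot: granting `ento::registerInvalidPtrChecker` friend access only so it can assign the private `InvalidatingGetEnv` member is a workaround; the usual pattern for checker options is to make the member public (or add a small setter) and fill it in the registration function from `mgr.getAnalyzerOptions().getCheckerBooleanOption(...)`, which keeps the class interface self-describing and avoids a friend declaration that couples the class to one free function. Minor: "commandline" in the comment should be "command-line".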
@@ -84,7 +96,10 @@ class InvalidPtrChecker
 REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *)
 
 // Stores the region of the environment pointer of 'main' (if present).
-REGISTER_TRAIT_WITH_PROGRAMSTATE(EnvPtrRegion, const MemRegion *)
+REGISTER_TRAIT_WITH_PROGRAMSTATE(MainEnvPtrRegion, const MemRegion *)
+
+// Stores the regions of environments returned by getenv calls.
+REGISTER_SET_WITH_PROGRAMSTATE(GetenvEnvPtrRegions, const MemRegion *)
 
 // Stores key-value pairs, where key is function declaration and value is
 // pointer to memory region returned by previous call of this function
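Review bot: renaming the trait from `EnvPtrRegion` to `MainEnvPtrRegion` changes the name every `State->get<...>()` / `State->set<...>()` site uses, so all users have to be updated in the same change or the checker will not compile. The comment on the new set is also imprecise: `getenv` returns a pointer to the value string of one variable, not to an environment, so "Stores the regions of the strings returned by getenv calls" describes `GetenvEnvPtrRegions` better.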
@@ -95,22 +110,35 @@ void InvalidPtrChecker::EnvpInvalidatingCall(const 
CallEvent &Call,
  CheckerContext &C) const {
   StringRef FunctionName = Call.getCalleeIdentifier()->getName();
   ProgramStateRef State = C.getState();
-  const MemRegion *SymbolicEnvPtrRegion = State->get();
-  if (!SymbolicEnvPtrRegion)
-return;
 
-  State = State->add(SymbolicEnvPtrRegion);
+  auto PlaceInvalidationNote = [&C, FunctionName,
+&State](const MemRegion *Region,
+StringRef Message, ExplodedNode *Pred) 
{
+State = State->add(Region);
+
+// Make cop
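Review bot: the `PlaceInvalidationNote` lambda captures `State` by reference and reassigns it (`State = State->add(Region);`), so every invocation silently mutates the enclosing function's state; once the lambda is called several times in a row it becomes hard to tell which state each transition is built from. Passing the state in and returning the updated state (or the node and state together) explicitly would make the data flow visible. Dropping the early `return` for the case where no `main` environment pointer was recorded is correct now that `getenv` regions are tracked as well.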

[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-03 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/67663

From 9aea93ddeb70245a07984188aa98577d54e8e560 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Fri, 8 Sep 2023 14:20:00 +0200
Subject: [PATCH 1/8] [analyzer][clangsa] Add new option to
 alpha.security.cert.InvalidPtrChecker

The invalidation of pointers returned by subsequent calls to getenv is
suggested by the POSIX standard, but is too strict from a practical point of
view. A new checker option 'InvalidatingGetEnv' is introduced, and is set to a
more lax default value, which does not consider consecutive getenv calls
invalidating.
The handling of the main function's possible specification where an environment
pointer is also specified as a third parameter is also considered now.

Differential Revision: https://reviews.llvm.org/D154603
---
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  9 ++
 .../Checkers/cert/InvalidPtrChecker.cpp   | 86 ++-
 clang/test/Analysis/analyzer-config.c |  1 +
 .../Analysis/cert/env34-c-cert-examples.c | 40 -
 clang/test/Analysis/cert/env34-c.c|  1 +
 clang/test/Analysis/invalid-ptr-checker.c | 50 +++
 6 files changed, 163 insertions(+), 24 deletions(-)
 create mode 100644 clang/test/Analysis/invalid-ptr-checker.c


[clang] [analyzer] Extend EnumCastOutOfRange diagnostics (PR #68191)

2023-10-04 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 created 
https://github.com/llvm/llvm-project/pull/68191

EnumCastOutOfRange checker now reports the name of the enum in the warning 
message. Additionally, a note-tag is placed to highlight the location of the 
declaration.

From 6b70c3246747b5a1204062f40f91273f60a38600 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Wed, 4 Oct 2023 10:38:00 +0200
Subject: [PATCH] [analyzer] Extend EnumCastOutOfRange diagnostics

EnumCastOutOfRange checker now reports the name of the enum in the
warning message. Additionally, a note-tag is placed to highlight the
location of the declaration.
---
 .../Checkers/EnumCastOutOfRangeChecker.cpp|  33 --
 clang/test/Analysis/enum-cast-out-of-range.c  |  13 ++-
 .../test/Analysis/enum-cast-out-of-range.cpp  | 108 +-
 3 files changed, 87 insertions(+), 67 deletions(-)

diff --git a/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
index 89be6a47250a245..6163f7a23804091 100644
--- a/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
@@ -59,7 +59,7 @@ class ConstraintBasedEQEvaluator {
 // value can be matching.
 class EnumCastOutOfRangeChecker : public Checker> {
   mutable std::unique_ptr EnumValueCastOutOfRange;
-  void reportWarning(CheckerContext &C) const;
+  void reportWarning(CheckerContext &C, const EnumDecl *E) const;
 
 public:
   void checkPreStmt(const CastExpr *CE, CheckerContext &C) const;
@@ -72,21 +72,36 @@ EnumValueVector getDeclValuesForEnum(const EnumDecl *ED) {
   EnumValueVector DeclValues(
   std::distance(ED->enumerator_begin(), ED->enumerator_end()));
   llvm::transform(ED->enumerators(), DeclValues.begin(),
- [](const EnumConstantDecl *D) { return D->getInitVal(); });
+  [](const EnumConstantDecl *D) { return D->getInitVal(); });
   return DeclValues;
 }
 } // namespace
 
-void EnumCastOutOfRangeChecker::reportWarning(CheckerContext &C) const {
+void EnumCastOutOfRangeChecker::reportWarning(CheckerContext &C,
+  const EnumDecl *E) const {
+  assert(E && "valid EnumDecl* is expected");
   if (const ExplodedNode *N = C.generateNonFatalErrorNode()) {
 if (!EnumValueCastOutOfRange)
   EnumValueCastOutOfRange.reset(
   new BugType(this, "Enum cast out of range"));
-constexpr llvm::StringLiteral Msg =
-"The value provided to the cast expression is not in the valid range"
-" of values for the enum";
-C.emitReport(std::make_unique(
-*EnumValueCastOutOfRange, Msg, N));
+
+llvm::SmallString<128> Msg{"The value provided to the cast expression is "
+   "not in the valid range of values for "};
+StringRef EnumName{E->getName()};
+if (EnumName.empty()) {
+  Msg += "the enum";
+} else {
+  Msg += '\'';
+  Msg += EnumName;
+  Msg += '\'';
+}
+
+auto BR = 
std::make_unique(*EnumValueCastOutOfRange,
+   Msg, N);
+BR->addNote("enum declared here",
+PathDiagnosticLocation::create(E, C.getSourceManager()),
+{E->getSourceRange()});
+C.emitReport(std::move(BR));
   }
 }
 
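Review bot: `E->getName()` is empty for an anonymous enum, so `typedef enum { ... } Color_t;` would still be reported as "the enum" although the typedef gives it a usable name; consider falling back to `E->getTypedefNameForAnonDecl()` before taking the generic branch. The re-indentation of the `llvm::transform` lambda in `getDeclValuesForEnum` is a whitespace-only change unrelated to this patch and would be better dropped or split out. Minor: `StringRef EnumName{E->getName()};` could be `StringRef EnumName = E->getName();` to match the surrounding code.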
@@ -144,7 +159,7 @@ void EnumCastOutOfRangeChecker::checkPreStmt(const CastExpr 
*CE,
   // If there is no value that can possibly match any of the enum values, then
   // warn.
   if (!PossibleValueMatch)
-reportWarning(C);
+reportWarning(C, ED);
 }
 
 void ento::registerEnumCastOutOfRangeChecker(CheckerManager &mgr) {
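Review bot: `reportWarning(C, ED)` now asserts that `ED` is non-null, so the earlier part of `checkPreStmt` (outside this hunk) must already bail out when the cast target is not an enum type; please confirm that path exists, otherwise an assertion failure replaces what used to be a quiet no-op.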
diff --git a/clang/test/Analysis/enum-cast-out-of-range.c 
b/clang/test/Analysis/enum-cast-out-of-range.c
index 3282cba653d7125..6d3afa3fcf9885f 100644
--- a/clang/test/Analysis/enum-cast-out-of-range.c
+++ b/clang/test/Analysis/enum-cast-out-of-range.c
@@ -2,6 +2,7 @@
 // RUN:   -analyzer-checker=core,alpha.cplusplus.EnumCastOutOfRange \
 // RUN:   -verify %s
 
+// expected-note@+1 6 {{enum declared here}}
 enum En_t {
   En_0 = -4,
   En_1,
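Review bot: `expected-note@+1 6 {{enum declared here}}` hard-codes six warnings against `En_t` in this file, so adding or removing a warning case later breaks this line in a non-obvious way; a short comment saying the count must equal the number of `expected-warning` lines for `En_t` would help the next editor.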
@@ -11,17 +12,17 @@ enum En_t {
 };
 
 void unscopedUnspecifiedCStyle(void) {
-  enum En_t Below = (enum En_t)(-5);// expected-warning {{not in the valid 
range}}
+  enum En_t Below = (enum En_t)(-5);// expected-warning {{not in the valid 
range of values for 'En_t'}}
   enum En_t NegVal1 = (enum En_t)(-4);  // OK.
   enum En_t NegVal2 = (enum En_t)(-3);  // OK.
-  enum En_t InRange1 = (enum En_t)(-2); // expected-warning {{not in the valid 
range}}
-  enum En_t InRange2 = (enum En_t)(-1); // expected-warning {{not in the valid 
range}}
-  enum En_t InRange3 = (enum En_t)(0);  // expected-warning {{not in the valid 
range}}
+  enum En_t InRange1 = (enum En_t)(-2); // expected-warning {{not in the valid 
range of values for 'En_t'}}
+  enum En_t InRange2 = (enum En_t)(-1); // expected-warning {{not in the valid 
range of v
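Review bot: the updated expectations all exercise the named-enum branch of the new message; the `Msg += "the enum"` fallback for an anonymous enum has no coverage in this file, so a cast to an unnamed `enum { A, B }` with an `expected-warning {{for the enum}}` line would cover the other branch.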

[clang] [analyzer] Extend EnumCastOutOfRange diagnostics (PR #68191)

2023-10-04 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/68191

From 6b70c3246747b5a1204062f40f91273f60a38600 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Wed, 4 Oct 2023 10:38:00 +0200
Subject: [PATCH 1/2] [analyzer] Extend EnumCastOutOfRange diagnostics

EnumCastOutOfRange checker now reports the name of the enum in the
warning message. Additionally, a note-tag is placed to highlight the
location of the declaration.
---
 .../Checkers/EnumCastOutOfRangeChecker.cpp|  33 --
 clang/test/Analysis/enum-cast-out-of-range.c  |  13 ++-
 .../test/Analysis/enum-cast-out-of-range.cpp  | 108 +-
 3 files changed, 87 insertions(+), 67 deletions(-)


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-09 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/67663

From 9aea93ddeb70245a07984188aa98577d54e8e560 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Fri, 8 Sep 2023 14:20:00 +0200
Subject: [PATCH 1/9] [analyzer][clangsa] Add new option to
 alpha.security.cert.InvalidPtrChecker

The invalidation of pointers returned by subsequent calls to getenv is
suggested by the POSIX standard, but is too strict from a practical point of
view. A new checker option 'InvalidatingGetEnv' is introduced, and is set to a
more lax default value, which does not consider consecutive getenv calls
invalidating.
The handling of the main function's possible specification where an environment
pointer is also specified as a third parameter is also considered now.

Differential Revision: https://reviews.llvm.org/D154603
---
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  9 ++
 .../Checkers/cert/InvalidPtrChecker.cpp   | 86 ++-
 clang/test/Analysis/analyzer-config.c |  1 +
 .../Analysis/cert/env34-c-cert-examples.c | 40 -
 clang/test/Analysis/cert/env34-c.c|  1 +
 clang/test/Analysis/invalid-ptr-checker.c | 50 +++
 6 files changed, 163 insertions(+), 24 deletions(-)
 create mode 100644 clang/test/Analysis/invalid-ptr-checker.c


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-09 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/67663

From 9aea93ddeb70245a07984188aa98577d54e8e560 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Fri, 8 Sep 2023 14:20:00 +0200
Subject: [PATCH 01/10] [analyzer][clangsa] Add new option to
 alpha.security.cert.InvalidPtrChecker

The invalidation of pointers returned by subsequent calls to getenv is
suggested by the POSIX standard, but is too strict from a practical point of
view. A new checker option 'InvalidatingGetEnv' is introduced, and is set to a
more lax default value, which does not consider consecutive getenv calls
invalidating.
The handling of the main function's possible specification where an environment
pointer is also specified as a third parameter is also considered now.

Differential Revision: https://reviews.llvm.org/D154603
---
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  9 ++
 .../Checkers/cert/InvalidPtrChecker.cpp   | 86 ++-
 clang/test/Analysis/analyzer-config.c |  1 +
 .../Analysis/cert/env34-c-cert-examples.c | 40 -
 clang/test/Analysis/cert/env34-c.c|  1 +
 clang/test/Analysis/invalid-ptr-checker.c | 50 +++
 6 files changed, 163 insertions(+), 24 deletions(-)
 create mode 100644 clang/test/Analysis/invalid-ptr-checker.c


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-09 Thread Endre Fülöp via cfe-commits


@@ -94,23 +119,40 @@ REGISTER_MAP_WITH_PROGRAMSTATE(PreviousCallResultMap, 
const FunctionDecl *,
 void InvalidPtrChecker::EnvpInvalidatingCall(const CallEvent &Call,
  CheckerContext &C) const {
   StringRef FunctionName = Call.getCalleeIdentifier()->getName();
-  ProgramStateRef State = C.getState();
-  const MemRegion *SymbolicEnvPtrRegion = State->get();
-  if (!SymbolicEnvPtrRegion)
-return;
-
-  State = State->add(SymbolicEnvPtrRegion);
 
-  const NoteTag *Note =
-  C.getNoteTag([SymbolicEnvPtrRegion, FunctionName](
-   PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
-if (!BR.isInteresting(SymbolicEnvPtrRegion))
-  return;
-Out << '\'' << FunctionName
-<< "' call may invalidate the environment parameter of 'main'";
-  });
+  auto PlaceInvalidationNote = [&C, FunctionName](ProgramStateRef State,
+  const MemRegion *Region,
+  StringRef Message,
+  ExplodedNode *Pred) {
+State = State->add(Region);
+
+// Make copy of string data for the time when notes are *actually* created.
+const NoteTag *Note =
+C.getNoteTag([Region, FunctionName = std::string{FunctionName},
+  Message = std::string{Message}](
+ PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
+  if (!BR.isInteresting(Region) ||
+  &BR.getBugType() != InvalidPtrBugType)
+return;
+  Out << '\'' << FunctionName << "' " << Message;
+  BR.markNotInteresting(Region);
+});
+return C.addTransition(State, Pred, Note);
+  };
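Review bot: `PlaceInvalidationNote` takes `ProgramStateRef State` by value and reassigns it inside, so the region is added only to the lambda's local copy and the caller's state is never updated; with `Pred` chained between calls but the same input state passed each time, a second call builds its transition from a state that lacks the region added by the first. Either return the updated state together with the node or have the caller pass in the state produced by the previous call. Copying `FunctionName` and `Message` into `std::string` for the note tag is the right call, since the `StringRef`s may not outlive the node.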

gamesh411 wrote:

refactored this part, see 
https://github.com/llvm/llvm-project/pull/67663/commits/1faca072459898c26d7e19b2ba1fe1315b9e2171

https://github.com/llvm/llvm-project/pull/67663
___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-09 Thread Endre Fülöp via cfe-commits


@@ -1,15 +1,49 @@
+// Default options.
 // RUN: %clang_analyze_cc1 \
 // RUN:  -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
 // RUN:  -verify -Wno-unused %s
+//
+// Test the laxer handling of getenv function (this is the default).
+// RUN: %clang_analyze_cc1 \
+// RUN:  -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
+// RUN:  -analyzer-config 
alpha.security.cert.env.InvalidPtr:InvalidatingGetEnv=false \
+// RUN:  -verify -Wno-unused %s
+//
+// Test the stricter handling of getenv function.
+// RUN: %clang_analyze_cc1 \
+// RUN:  -analyzer-checker=core,alpha.security.cert.env.InvalidPtr \
+// RUN:  -analyzer-config 
alpha.security.cert.env.InvalidPtr:InvalidatingGetEnv=true \
+// RUN:  -verify=pedantic -Wno-unused %s
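Review bot: the second RUN line (`InvalidatingGetEnv=false`) has the same effect as the first, which documents the default but doubles the test's runtime; one of the two could go. More importantly, the strict run uses `-verify=pedantic`, so in that run only `pedantic-warning` / `pedantic-note` expectations are matched and plain `expected-warning` lines are ignored; every diagnostic that appears in both modes therefore needs both prefixes on its line, and the strict run fails with unexpected diagnostics if the `pedantic-` expectations are missing.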

gamesh411 wrote:

this is addressed in 
https://github.com/llvm/llvm-project/pull/67663/commits/39ed2178944539aaa8e221ac11a8d6c7ec93675e

https://github.com/llvm/llvm-project/pull/67663


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-09 Thread Endre Fülöp via cfe-commits


@@ -94,23 +119,40 @@ REGISTER_MAP_WITH_PROGRAMSTATE(PreviousCallResultMap, 
const FunctionDecl *,
 void InvalidPtrChecker::EnvpInvalidatingCall(const CallEvent &Call,
  CheckerContext &C) const {
   StringRef FunctionName = Call.getCalleeIdentifier()->getName();
-  ProgramStateRef State = C.getState();
-  const MemRegion *SymbolicEnvPtrRegion = State->get();
-  if (!SymbolicEnvPtrRegion)
-return;
-
-  State = State->add(SymbolicEnvPtrRegion);
 
-  const NoteTag *Note =
-  C.getNoteTag([SymbolicEnvPtrRegion, FunctionName](
-   PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
-if (!BR.isInteresting(SymbolicEnvPtrRegion))
-  return;
-Out << '\'' << FunctionName
-<< "' call may invalidate the environment parameter of 'main'";
-  });
+  auto PlaceInvalidationNote = [&C, FunctionName](ProgramStateRef State,
+  const MemRegion *Region,
+  StringRef Message,
+  ExplodedNode *Pred) {
+State = State->add(Region);
+
+// Make copy of string data for the time when notes are *actually* created.
+const NoteTag *Note =
+C.getNoteTag([Region, FunctionName = std::string{FunctionName},
+  Message = std::string{Message}](
+ PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
+  if (!BR.isInteresting(Region) ||
+  &BR.getBugType() != InvalidPtrBugType)
+return;
+  Out << '\'' << FunctionName << "' " << Message;
+  BR.markNotInteresting(Region);
+});
+return C.addTransition(State, Pred, Note);
+  };
 
-  C.addTransition(State, Note);
+  ProgramStateRef State = C.getState();
+  ExplodedNode *CurrentChainEnd = C.getPredecessor();
+
+  if (const MemRegion *MainEnvPtr = State->get())
+CurrentChainEnd = PlaceInvalidationNote(
+State, MainEnvPtr,
+"call may invalidate the environment parameter of 'main'",
+CurrentChainEnd);
+
+  for (const MemRegion *EnvPtr : State->get())
+CurrentChainEnd = PlaceInvalidationNote(
+State, EnvPtr, "call may invalidate the environment returned by 
getenv",
+CurrentChainEnd);
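Review bot: the call sites confirm the state-threading problem: `State` is never reassigned in the caller, so `PlaceInvalidationNote(State, MainEnvPtr, ...)` and each `PlaceInvalidationNote(State, EnvPtr, ...)` in the loop start from the original state, and the last node in the chain carries only the last region added; the earlier invalidations survive only as notes on predecessor nodes, not in the final program state. Have the lambda return the new state (or a node/state pair) and update `State` on every iteration. The `BR.markNotInteresting(Region)` call in the note-tag lambda is what keeps a single region from producing one note per invalidating call; a comment next to it pointing at the test that depends on it would stop someone from removing it as redundant.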

gamesh411 wrote:

I have a test now, and could indeed verify that without marking the 
invalidation regions *not* interesting, this test fails
https://github.com/llvm/llvm-project/pull/67663/commits/d15e570f37f6fb321daf3742231408585f577137

https://github.com/llvm/llvm-project/pull/67663


[clang] [analyzer][NFC] Remove outdated FIXME comment (PR #68211)

2023-10-09 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 approved this pull request.

I can confirm the claims about HeapSpaceRegion being used:
![image](https://github.com/llvm/llvm-project/assets/3802256/682c69f1-7129-4d0f-873f-44aee0fa5f2f)



https://github.com/llvm/llvm-project/pull/68211


[clang] [analyzer][NFC] Remove outdated FIXME comment (PR #68211)

2023-10-09 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 edited 
https://github.com/llvm/llvm-project/pull/68211


[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-17 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/67663

From 9aea93ddeb70245a07984188aa98577d54e8e560 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Fri, 8 Sep 2023 14:20:00 +0200
Subject: [PATCH 01/11] [analyzer][clangsa] Add new option to
 alpha.security.cert.InvalidPtrChecker

The invalidation of pointers returned by subsequent calls to getenv is
suggested by the POSIX standard, but is too strict from a practical point of
view. A new checker option 'InvalidatingGetEnv' is introduced, and is set to a
more lax default value, which does not consider consecutive getenv calls
invalidating.
The handling of the main function's possible specification where an environment
pointer is also specified as a third parameter is also considered now.

Differential Revision: https://reviews.llvm.org/D154603
---
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  9 ++
 .../Checkers/cert/InvalidPtrChecker.cpp   | 86 ++-
 clang/test/Analysis/analyzer-config.c |  1 +
 .../Analysis/cert/env34-c-cert-examples.c | 40 -
 clang/test/Analysis/cert/env34-c.c|  1 +
 clang/test/Analysis/invalid-ptr-checker.c | 50 +++
 6 files changed, 163 insertions(+), 24 deletions(-)
 create mode 100644 clang/test/Analysis/invalid-ptr-checker.c

diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td 
b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
index 65c1595eb6245dd..b4f65c934bf483b 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -997,6 +997,15 @@ let ParentPackage = ENV in {
 
   def InvalidPtrChecker : Checker<"InvalidPtr">,
   HelpText<"Finds usages of possibly invalidated pointers">,
+  CheckerOptions<[
+CmdLineOption,
+  ]>,
   Documentation;
 
 } // end "alpha.cert.env"
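Review bot: the new `CmdLineOption` for `InvalidatingGetEnv` should state its default as `"false"` so it matches `bool InvalidatingGetEnv = false;` in InvalidPtrChecker.cpp, and its description should say plainly that `true` restores the strict standard reading (every getenv call invalidates earlier results); the one-line change to analyzer-config.c in the diffstat suggests the option is listed there, which is the right place to catch a drift between the two defaults.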
diff --git a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
index aae1a17bc0ae53e..8849eb1148564b7 100644
--- a/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
@@ -38,6 +38,15 @@ class InvalidPtrChecker
 CheckerContext &C) const;
 
   // SEI CERT ENV31-C
+
+  // If set to true, consider getenv calls as invalidating operations on the
+  // environment variable buffer. This is implied in the standard, but in
+  // practice does not cause problems (in the commonly used environments).
+  bool InvalidatingGetEnv = false;
+
+  // GetEnv can be treated invalidating and non-invalidating as well.
+  const CallDescription GetEnvCall{{"getenv"}, 1};
+
   const CallDescriptionMap EnvpInvalidatingFunctions = {
   {{{"setenv"}, 3}, &InvalidPtrChecker::EnvpInvalidatingCall},
   {{{"unsetenv"}, 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
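Review bot: the comment `// GetEnv can be treated invalidating and non-invalidating as well.` is hard to parse; suggest `// getenv is handled separately: it invalidates earlier results only when InvalidatingGetEnv is set.` The option comment above it says the strict behaviour "is implied in the standard"; naming CERT ENV34-C there would make the lax default easier to justify for later readers.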
@@ -51,7 +60,6 @@ class InvalidPtrChecker
 
   // SEI CERT ENV34-C
   const CallDescriptionMap PreviousCallInvalidatingFunctions = {
-  {{{"getenv"}, 1}, 
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   {{{"setlocale"}, 2},
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   {{{"strerror"}, 1},
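Review bot: with `getenv` removed from `PreviousCallInvalidatingFunctions`, the ENV34-C report for a getenv result used after a later getenv now exists only on the `GetEnvCall` path guarded by `InvalidatingGetEnv`; the expectations in env34-c-cert-examples.c that relied on this entry should be kept under a RUN line that sets InvalidatingGetEnv=true rather than deleted, so the strict mode does not lose its test coverage.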
@@ -62,6 +70,10 @@ class InvalidPtrChecker
&InvalidPtrChecker::postPreviousReturnInvalidatingCall},
   };
 
+  // The private members of this checker corresponding to commandline options
+  // are set in this function.
+  friend void ento::registerInvalidPtrChecker(CheckerManager &);
+
 public:
   // Obtain the environment pointer from 'main()' (if present).
   void checkBeginFunction(CheckerContext &C) const;
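Review bot: the `friend void ento::registerInvalidPtrChecker(CheckerManager &)` declaration exposes every private member to the registration function just to set one option; making `InvalidatingGetEnv` a public member, as other checkers do for their options, keeps the class interface explicit. Style point only.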
@@ -84,7 +96,10 @@ class InvalidPtrChecker
 REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *)
 
 // Stores the region of the environment pointer of 'main' (if present).
-REGISTER_TRAIT_WITH_PROGRAMSTATE(EnvPtrRegion, const MemRegion *)
+REGISTER_TRAIT_WITH_PROGRAMSTATE(MainEnvPtrRegion, const MemRegion *)
+
+// Stores the regions of environments returned by getenv calls.
+REGISTER_SET_WITH_PROGRAMSTATE(GetenvEnvPtrRegions, const MemRegion *)
 
 // Stores key-value pairs, where key is function declaration and value is
 // pointer to memory region returned by previous call of this function
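Review bot: `GetenvEnvPtrRegions` is a program-state set that gains an entry on every getenv call; unless a `checkDeadSymbols` callback drops regions whose symbols are dead (not visible in this hunk), the set keeps growing along long paths and states that differ only by stale regions will never merge. Please confirm the pruning exists or add it alongside the registration.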
@@ -95,22 +110,35 @@ void InvalidPtrChecker::EnvpInvalidatingCall(const 
CallEvent &Call,
  CheckerContext &C) const {
   StringRef FunctionName = Call.getCalleeIdentifier()->getName();
   ProgramStateRef State = C.getState();
-  const MemRegion *SymbolicEnvPtrRegion = State->get();
-  if (!SymbolicEnvPtrRegion)
-return;
 
-  State = State->add(SymbolicEnvPtrRegion);
+  auto PlaceInvalidationNote = [&C, FunctionName,
+&State](const MemRegion *Region,
+StringRef Message, ExplodedNode *Pred) 
{
+State = State->add(Region);
+
+// Make c
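Review bot: the early `return` on a missing environment pointer was removed, so `EnvpInvalidatingCall` now always builds the lambda even when nothing is tracked; that is fine as long as no transition is added in that case, but `PlaceInvalidationNote` captures `State` by reference and reassigns it (`State = State->add(Region);`), so any later read of `State` in this function must happen after the lambda calls rather than be cached before them. A one-line comment at the capture saying the lambda mutates `State` would prevent future misuse.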
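The getenv pattern that the commit message above describes (CERT ENV34-C), as an added example that is not code from the PR or from LLVM: the unsafe variant keeps the first getenv result across a second getenv call, which the checker reports only when InvalidatingGetEnv is true; the safe variant copies each result first, and snapshot_env does the same for main's envp before any setenv. All function names and the DEMO_* variables, set here with setenv, are constructed for this example.

```cpp
#include <cstdlib>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

extern char **environ;  // the process environment (POSIX), used by the snapshot demo

// Constructed demo environment, not real configuration: three variables set
// with setenv so the functions below can run offline. Returns 0 on success.
int demo_setup() {
  if (setenv("DEMO_A", "same", 1) != 0) return -1;
  if (setenv("DEMO_B", "same", 1) != 0) return -1;
  if (setenv("DEMO_C", "different", 1) != 0) return -1;
  return 0;
}

// Unsafe per CERT ENV34-C: the pointer from the first getenv is still used
// after a second getenv. The standard lets the second call invalidate it, so
// with InvalidatingGetEnv=true the checker reports the use of `va`; with the
// lax default (false) it stays silent, because common libc implementations
// hand out stable pointers into the environment block.
bool env_equal_unsafe(const char *a, const char *b) {
  const char *va = std::getenv(a);
  const char *vb = std::getenv(b);  // may invalidate va per the standard
  return va && vb && std::strcmp(va, vb) == 0;
}

// Safe: copy the value before any further call that may touch the
// environment. Returns nullopt when the variable is unset.
std::optional<std::string> env_copy(const char *name) {
  const char *v = std::getenv(name);
  if (!v) return std::nullopt;
  return std::string(v);  // owned copy, unaffected by later getenv/setenv
}

bool env_equal_safe(const char *a, const char *b) {
  std::optional<std::string> va = env_copy(a);
  std::optional<std::string> vb = env_copy(b);  // cannot invalidate va: it is a copy
  return va && vb && *va == *vb;
}

// The same rule covers the third parameter of main(int, char **, char **envp):
// setenv/putenv/unsetenv may reallocate the environment block, so envp must be
// copied before such calls. snapshot_env takes the block (main's envp or
// `environ`) and returns owned strings.
std::vector<std::string> snapshot_env(char *const *envp) {
  std::vector<std::string> snap;
  for (char *const *p = envp; p && *p; ++p) snap.emplace_back(*p);
  return snap;
}

bool snapshot_contains(const std::vector<std::string> &snap, const std::string &entry) {
  for (const std::string &s : snap)
    if (s == entry) return true;
  return false;
}
```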

[clang] [analyzer][clangsa] Add new option to alpha.security.cert.InvalidPtrChecker (PR #67663)

2023-10-17 Thread Endre Fülöp via cfe-commits


@@ -84,33 +104,70 @@ class InvalidPtrChecker
 REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *)
 
 // Stores the region of the environment pointer of 'main' (if present).
-REGISTER_TRAIT_WITH_PROGRAMSTATE(EnvPtrRegion, const MemRegion *)
+REGISTER_TRAIT_WITH_PROGRAMSTATE(MainEnvPtrRegion, const MemRegion *)
+
+// Stores the regions of environments returned by getenv calls.
+REGISTER_SET_WITH_PROGRAMSTATE(GetenvEnvPtrRegions, const MemRegion *)
 
 // Stores key-value pairs, where key is function declaration and value is
 // pointer to memory region returned by previous call of this function
 REGISTER_MAP_WITH_PROGRAMSTATE(PreviousCallResultMap, const FunctionDecl *,
const MemRegion *)
 
+const NoteTag *InvalidPtrChecker::createEnvInvalidationNote(
+CheckerContext &C, ProgramStateRef State, StringRef FunctionName) const {
+
+  const MemRegion *MainRegion = State->get();
+  const auto GetenvRegions = State->get();
+
+  return C.getNoteTag([this, MainRegion, GetenvRegions,
+   FunctionName = std::string{FunctionName}](
+  PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
+auto IsInterestingForInvalidation = [this, &BR](const MemRegion *R) {
+  return R && &BR.getBugType() == &InvalidPtrBugType && 
BR.isInteresting(R);
+};
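Review bot: the note-tag closure correctly copies `FunctionName` into a `std::string`, and `MainRegion` and the elements of `GetenvRegions` are owned by the region manager and the persistent set, so none of the captures dangle. One readability point: `IsInterestingForInvalidation` compares `&BR.getBugType()` with `&InvalidPtrBugType` by address; a short comment saying the tag must only speak for this checker's own reports would explain why pointer identity, not the name, is the right test.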

gamesh411 wrote:

I have checked, and even if they were `nullptr`s the isInteresting and 
markNotInteresting would handle it.

https://github.com/llvm/llvm-project/pull/67663


[clang] 90c1f51 - [clang][analyzer] Fix empty enum handling in EnumCastOutOfRange checker

2023-08-09 Thread Endre Fülöp via cfe-commits

Author: Endre Fülöp
Date: 2023-08-09T15:12:09+02:00
New Revision: 90c1f51c4b3e7a38a5e1b75de75d15757fc861e4

URL: 
https://github.com/llvm/llvm-project/commit/90c1f51c4b3e7a38a5e1b75de75d15757fc861e4
DIFF: 
https://github.com/llvm/llvm-project/commit/90c1f51c4b3e7a38a5e1b75de75d15757fc861e4.diff

LOG: [clang][analyzer] Fix empty enum handling in EnumCastOutOfRange checker

The alpha.cplusplus.EnumCastOutOfRange checker previously gave many
false positives because a warning was given if the initializer value
did not appear in the enumerator list.
The strict handling caused std::byte to always give a warning, as it
is implemented as an enum class without any declarators.

Reviewed By: donat.nagy, steakhal

Differential Revision: https://reviews.llvm.org/D153954

Added: 


Modified: 
clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
clang/test/Analysis/enum-cast-out-of-range.cpp

Removed: 




diff  --git a/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp 
b/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
index 1077ceb6288efe..bfb8d1cc010535 100644
--- a/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/EnumCastOutOfRangeChecker.cpp
@@ -129,6 +129,14 @@ void EnumCastOutOfRangeChecker::checkPreStmt(const 
CastExpr *CE,
   const EnumDecl *ED = T->castAs()->getDecl();
 
   EnumValueVector DeclValues = getDeclValuesForEnum(ED);
+
+  // If the declarator list is empty, bail out.
+  // Every initialization an enum with a fixed underlying type but without any
+  // enumerators would produce a warning if we were to continue at this point.
+  // The most notable example is std::byte in the C++17 standard library.
+  if (DeclValues.size() == 0)
+return;
+
   // Check if any of the enum values possibly match.
   bool PossibleValueMatch = llvm::any_of(
   DeclValues, ConstraintBasedEQEvaluator(C, *ValueToCast));
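Review bot: the early return is right for std::byte and for every scoped enum (their underlying type is fixed, so any value of that type is a value of the enum), but `DeclValues.size() == 0` also covers an unscoped enum with no enum-base, e.g. `enum e {};`, whose value range per [dcl.enum] is that of a single enumerator 0, so a non-zero cast to it now goes unreported. Consider `if (DeclValues.empty() && ED->isFixed()) return;` and treating the unfixed empty case as the value set {0}. The comment `// Every initialization an enum` is also missing "of".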

diff  --git a/clang/test/Analysis/enum-cast-out-of-range.cpp 
b/clang/test/Analysis/enum-cast-out-of-range.cpp
index b600367f8c14a4..abc1431e5be140 100644
--- a/clang/test/Analysis/enum-cast-out-of-range.cpp
+++ b/clang/test/Analysis/enum-cast-out-of-range.cpp
@@ -198,3 +198,20 @@ void enumBitFieldAssignment() {
   s.E = static_cast(4); // OK.
   s.E = static_cast(5); // expected-warning {{The 
value provided to the cast expression is not in the valid range of values for 
the enum}}
 }
+
+
+enum class empty_unspecified {};
+
+enum class empty_specified: char {};
+
+enum class empty_specified_unsigned: unsigned char {};
+
+void ignore_unused(...);
+
+void empty_enums_init_with_zero_should_not_warn() {
+  auto eu = static_cast(0); //should always be OK to zero 
initialize any enum
+  auto ef = static_cast(0);
+  auto efu = static_cast(0);
+
+  ignore_unused(eu, ef, efu);
+}
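Review bot: the three new enums are all scoped, hence all fixed-underlying-type cases, and the test pins down only the value 0; add a non-zero cast (e.g. `static_cast<empty_specified>(5)`) that must stay silent, and an unscoped `enum empty_unscoped {};` so the intended behaviour for an unfixed empty enum is recorded too. The comment `//should always be OK` also wants a space after `//`.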
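The value-range rule behind this fix, as an added example that is neither the checker's code nor the test file: the standard's [dcl.enum] range model beside the checker's enumerator-equality rule with the new bail-out, evaluated on models of std::byte and the scoped empty enums from the test, plus a constructed unscoped `enum empty_unscoped {}` that the bail-out also covers. EnumModel and every function and constant name are assumptions made for this example.

```cpp
#include <algorithm>
#include <cstdlib>
#include <utility>
#include <vector>

// Hypothetical runtime model of one enumeration, mirroring what the checker
// reads from the EnumDecl: whether the underlying type is fixed (every scoped
// enum, and any enum with an enum-base), that type's range, and the declared
// enumerator values.
struct EnumModel {
  bool fixed;
  long long type_min, type_max;        // only meaningful when fixed
  std::vector<long long> enumerators;  // empty for std::byte and the empty_* enums
};

// Smallest value of the form 2^M - 1 that is >= x (x >= 0).
long long bitfield_max(long long x) {
  long long b = 0;
  while (b < x) b = b * 2 + 1;
  return b;
}

// [dcl.enum] for an enum whose underlying type is not fixed: the values are
// those of the smallest bit-field holding every enumerator (two's complement,
// K = 1), and an empty enumerator-list behaves like a single enumerator 0.
std::pair<long long, long long> unfixed_range(const std::vector<long long> &enumerators) {
  long long emin = 0, emax = 0;
  if (!enumerators.empty()) {
    emin = *std::min_element(enumerators.begin(), enumerators.end());
    emax = *std::max_element(enumerators.begin(), enumerators.end());
  }
  long long bmax = bitfield_max(std::max(std::llabs(emin) - 1, std::llabs(emax)));
  long long bmin = emin >= 0 ? 0 : -(bmax + 1);
  return std::make_pair(bmin, bmax);
}

// True when `value` is a value of the enumeration under the standard's rule.
bool in_enum_range(const EnumModel &e, long long value) {
  if (e.fixed)
    return value >= e.type_min && value <= e.type_max;
  std::pair<long long, long long> r = unfixed_range(e.enumerators);
  return value >= r.first && value <= r.second;
}

// The checker's own rule: the value must equal a declared enumerator. The
// first line is the bail-out this commit adds, so an enum with no enumerators
// is never reported, whatever its underlying type.
bool checker_accepts(const EnumModel &e, long long value) {
  if (e.enumerators.empty())
    return true;
  return std::find(e.enumerators.begin(), e.enumerators.end(), value) != e.enumerators.end();
}

// Constructed models. std::byte is `enum class byte : unsigned char {}`; the
// empty_* enums in the test are scoped, hence fixed (int here, assuming a
// 32-bit int). The unscoped `enum empty_unscoped {}` is not on the page: it is
// the one case the bail-out covers although the standard leaves it a single
// value, 0.
const EnumModel kStdByte{true, 0, 255, {}};
const EnumModel kEmptyUnspecified{true, -2147483648LL, 2147483647LL, {}};
const EnumModel kEmptyUnscoped{false, 0, 0, {}};
const EnumModel kFlags{false, 0, 0, {1, 2, 4}};  // enum Flags { A = 1, B = 2, C = 4 };
```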





[clang] [analyzer] Improve handling of unsigned values in ArrayBoundCheckerV2 (PR #81034)

2024-02-21 Thread Endre Fülöp via cfe-commits

gamesh411 wrote:

I checked many false positives, even those that were not FP at first sight; I 
think we can live without them.
I also agree that we should strive to handle comparison evaluation more 
uniformly and preferably behind the API barrier of the constraint manager.
LGTM

https://github.com/llvm/llvm-project/pull/81034


[clang] [analyzer] Improve handling of unsigned values in ArrayBoundCheckerV2 (PR #81034)

2024-02-21 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 approved this pull request.


https://github.com/llvm/llvm-project/pull/81034


[clang] [clang][analyzer][doc] Migrate user-related docs from HTML to RST (PR #97034)

2024-07-01 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 edited 
https://github.com/llvm/llvm-project/pull/97034


[clang] [clang][analyzer][doc] Migrate checkers-related docs from HTML to RST (PR #97032)

2024-07-01 Thread Endre Fülöp via cfe-commits

gamesh411 wrote:

I have tried to ensure no information is lost with this change.
I have cross-checked the history of the checker's HTML files with commits that 
introduce checkers and have found that we tend to add checkers only to the RST 
files and sometimes miss the fact that there is another description in the HTML 
format.

https://github.com/llvm/llvm-project/pull/97032


[clang] [clang][analyzer][doc] Migrate user-related docs from HTML to RST (PR #97034)

2024-07-02 Thread Endre Fülöp via cfe-commits


@@ -0,0 +1,238 @@
+Command-Line Usage: CodeChecker and scan-build
+===
+
+This document provides guidelines for running Clang Static Analyzer from the 
command line on whole projects.
+CodeChecker and scan-build are two CLI tools for using CSA on multiple files 
(tranlation units).
+Both provide a way of driving the analyzer, detecting compilation flags, and 
generating reports.
+CodeChecker is more actively maintained, provides heuristics for working with 
multiple versions of popular compilers and it also comes with a web-based GUI 
for viewing, filtering, categorizing and suppressing the results.
+Therefore CodeChecker is recommended in case you need any of the above 
features or just more customizability in general.
+
+Comparison of CodeChecker and scan-build
+
+
+Static Analyzer is by design a GUI tool originally intended to be consumed by 
the XCode IDE.
+Its purpose is to find buggy execution paths in the program, and such paths 
are very hard to comprehend by looking at a non-interactive standard output.
+It is possible, however, to invoke the Static Analyzer from the command line 
in order to obtain analysis results, and then later view them interactively in 
a graphical interface.
+The following tools are used commonly to run the analyzer from the commandline.
+Both tools are wrapper scripts to drive the analysis and the underlying 
invocations of the Clang compiler:
+
+1. CodeChecker_ is a driver and web server that runs the Static Analyzer on 
your projects on demand and maintains a database of issues.
+- Perfect for managing large amounts of Static Analyzer warnings in a 
collaborative environment.
+- Generally much more feature-rich than scan-build.
+- Supports incremental analysis: Results can be stored in a database, 
subsequent analysis runs can be compared to list the newly added defects.
+- :doc:`CrossTranslationUnit` is supported fully on Linux via CodeChecker.
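Review bot: two typos in the new RST text: `tranlation units` in "(tranlation units)" should be `translation units`, and `XCode` is spelled `Xcode`. Otherwise the section reads well.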

gamesh411 wrote:

I have checked, and I think the GitHub viewer is buggy.
Steps used to verify:
```
// inside the build directory
1. build target `docs-clang-html` (cmake --build . -- docs-clang-html)
2. start webserver (python3 -mhttp.server -d tools/clang/docs/html)
3. browse localhost
```

https://github.com/llvm/llvm-project/pull/97034


[clang] [clang][analyzer][doc] Migrate user-related docs from HTML to RST (PR #97034)

2024-07-02 Thread Endre Fülöp via cfe-commits


@@ -0,0 +1,238 @@
+Command-Line Usage: CodeChecker and scan-build
+===
+
+This document provides guidelines for running Clang Static Analyzer from the 
command line on whole projects.
+CodeChecker and scan-build are two CLI tools for using CSA on multiple files 
(tranlation units).
+Both provide a way of driving the analyzer, detecting compilation flags, and 
generating reports.
+CodeChecker is more actively maintained, provides heuristics for working with 
multiple versions of popular compilers and it also comes with a web-based GUI 
for viewing, filtering, categorizing and suppressing the results.
+Therefore CodeChecker is recommended in case you need any of the above 
features or just more customizability in general.
+
+Comparison of CodeChecker and scan-build
+
+
+Static Analyzer is by design a GUI tool originally intended to be consumed by 
the XCode IDE.
+Its purpose is to find buggy execution paths in the program, and such paths 
are very hard to comprehend by looking at a non-interactive standard output.
+It is possible, however, to invoke the Static Analyzer from the command line 
in order to obtain analysis results, and then later view them interactively in 
a graphical interface.
+The following tools are used commonly to run the analyzer from the commandline.
+Both tools are wrapper scripts to drive the analysis and the underlying 
invocations of the Clang compiler:
+
+1. CodeChecker_ is a driver and web server that runs the Static Analyzer on 
your projects on demand and maintains a database of issues.

gamesh411 wrote:

As above, this is not the case for the actual HTML generated.

https://github.com/llvm/llvm-project/pull/97034


[clang] [clang][analyzer][doc] Migrate user-related docs from HTML to RST (PR #97034)

2024-07-02 Thread Endre Fülöp via cfe-commits


@@ -0,0 +1,238 @@
+Command-Line Usage: CodeChecker and scan-build
+===
+
+This document provides guidelines for running Clang Static Analyzer from the 
command line on whole projects.
+CodeChecker and scan-build are two CLI tools for using CSA on multiple files 
(tranlation units).
+Both provide a way of driving the analyzer, detecting compilation flags, and 
generating reports.
+CodeChecker is more actively maintained, provides heuristics for working with 
multiple versions of popular compilers and it also comes with a web-based GUI 
for viewing, filtering, categorizing and suppressing the results.
+Therefore CodeChecker is recommended in case you need any of the above 
features or just more customizability in general.
+
+Comparison of CodeChecker and scan-build
+
+
+Static Analyzer is by design a GUI tool originally intended to be consumed by 
the XCode IDE.
+Its purpose is to find buggy execution paths in the program, and such paths 
are very hard to comprehend by looking at a non-interactive standard output.
+It is possible, however, to invoke the Static Analyzer from the command line 
in order to obtain analysis results, and then later view them interactively in 
a graphical interface.
+The following tools are used commonly to run the analyzer from the commandline.
+Both tools are wrapper scripts to drive the analysis and the underlying 
invocations of the Clang compiler:
+
+1. CodeChecker_ is a driver and web server that runs the Static Analyzer on 
your projects on demand and maintains a database of issues.

gamesh411 wrote:

The intent was to create a link to the subheading lower down in the document, 
not to italicize it.

https://github.com/llvm/llvm-project/pull/97034


[clang] [clang][analyzer][doc] Migrate checkers-related docs from HTML to RST (PR #97032)

2024-07-04 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/97032

From b11a113682a1b998395139e5e4736689c0f9be84 Mon Sep 17 00:00:00 2001
From: Endre Fülöp
Date: Wed, 26 Jun 2024 11:09:33 +0200
Subject: [PATCH 1/2] [clang][analyzer][doc] Migrate checkers-related docs from
 HTML to RST

Documentation for the checkers is kept up to date in RST files.
This patch removes duplication by replacing the HTML docs with links to
docs generated from the RST.
---
 clang/www/analyzer/alpha_checks.html |  932 +---
 clang/www/analyzer/available_checks.html | 1736 +-
 2 files changed, 2 insertions(+), 2666 deletions(-)

diff --git a/clang/www/analyzer/alpha_checks.html 
b/clang/www/analyzer/alpha_checks.html
index 501a9bcbc82a9..80a3ebe4c6166 100644
--- a/clang/www/analyzer/alpha_checks.html
+++ b/clang/www/analyzer/alpha_checks.html
@@ -17,938 +17,8 @@
 
 
 
-Alpha Checkers
-Experimental checkers in addition to the 
-Default Checkers. These are checkers with known issues or limitations that
-keep them from being on by default. They are likely to have false positives.
-Bug reports are welcome but will likely not be investigated for some time.
-Patches welcome!
-
-Clone Alpha Checkers
-Core Alpha Checkers
-C++ Alpha Checkers
-LLVM Checkers
-Variable Argument Alpha Checkers
-Dead Code Alpha Checkers
-OS X Alpha Checkers
-Security Alpha Checkers
-Unix Alpha Checkers
-Non-determinism Alpha 
Checkers
-
 
-
-
-Clone Alpha Checkers
-
-
-Name, DescriptionExample
-
-
-
-alpha.clone.CloneChecker
-(C, C++, ObjC)
-Reports similar pieces of code.
-
-
-void log();
-
-int max(int a, int b) { // warn
-  log();
-  if (a > b)
-return a;
-  return b;
-}
-
-int maxClone(int x, int y) { // similar code here
-  log();
-  if (x > y)
-return x;
-  return y;
-}
-
-
-
-
-Core Alpha Checkers
-
-
-Name, DescriptionExample
-
-
-
-alpha.core.BoolAssignment
-(ObjC)
-Warn about assigning non-{0,1} values to boolean 
variables.
-
-
-void test() {
-  BOOL b = -1; // warn
-}
-
-
-
-
-alpha.core.CastSize
-(C)
-Check when casting a malloc'ed type T, whether the size is a multiple of the
-size of T (Works only with unix.Malloc
-or alpha.unix.MallocWithAnnotations
-checks enabled).
-
-
-void test() {
-  int *x = (int *)malloc(11); // warn
-}
-
-
-
-
-alpha.core.CastToStruct
-(C, C++)
-Check for cast from non-struct pointer to struct pointer.
-
-
-// C
-struct s {};
-
-void test(int *p) {
-  struct s *ps = (struct s *) p; // warn
-}
-
-
-// C++
-class c {};
-
-void test(int *p) {
-  c *pc = (c *) p; // warn
-}
-
-
-
-
-alpha.core.Conversion
-(C, C++, ObjC)
-Loss of sign or precision in implicit conversions
-
-
-void test(unsigned U, signed S) {
-  if (S > 10) {
-if (U < S) {
-}
-  }
-  if (S < -10) {
-if (U < S) { // warn (loss of sign)
-}
-  }
-}
-
-
-void test() {
-  long long A = 1LL << 60;
-  short X = A; // warn (loss of precision)
-}
-
-
-
-
-alpha.core.DynamicTypeChecker
-(ObjC)
-Check for cases where the dynamic and the static type of an
-object are unrelated.
-
-
-id date = [NSDate date];
-
-// Warning: Object has a dynamic type 'NSDate *' which is
-// incompatible with static type 'NSNumber *'"
-NSNumber *number = date;
-[number doubleValue];
-
-
-
-
-alpha.core.FixedAddr
-(C)
-Check for assignment of a fixed address to a pointer.
-
-
-void test() {
-  int *p;
-  p = (int *) 0x1; // warn
-}
-
-
-
-
-alpha.core.IdenticalExpr
-(C, C++)
-Warn about suspicious uses of identical expressions.
-
-
-// C
-void test() {
-  int a = 5;
-  int b = a | 4 | a; // warn: identical expr on both sides
-}
-
-
-// C++
-bool f(void);
-
-void test(bool b) {
-  int i = 10;
-  if (f()) { // warn: true and false branches are identical
-do {
-  i--;
-} while (f());
-  } else {
-do {
-  i--;
-} while (f());
-  }
-}
-
-
-
-
-alpha.core.PointerArithm
-(C)
-Check for pointer arithmetic on locations other than array
-elements.
-
-
-void test() {
-  int x;
-  int *p;
-  p = &x + 1; // warn
-}
-
-
-
-
-alpha.core.PointerSub
-(C)
-Check for pointer subtractions on two pointers pointing to different memory
-chunks.
-
-
-void test() {
-  int x, y;
-  int d = &y - &x; // warn
-}
-
-
-
-
-alpha.core.StackAddressAsyncEscape
-(C)
-Check that addresses to stack memory do not escape the function that involves
-dispatch_after or dispatch_async. This checker is
-a part of core.StackAddressEscape, but is
-https://reviews.llvm.org/D41042>temporarily disabled until some
-false positives are fixed.
-
-
-dispatch_block_t test_block_inside_block_async_leak() {
-  int x = 123;
-  void (^inner)(void) = ^void(void) {
-int y = x;
-++y;
-  };
-  void (^outer)(void) = ^void(void) {
-int z = x;
-++z;
-inner();
-  };
-  return outer; // warn: address of stack-allocated block is captured by a
-//   returned block
-}
-
-
-
-
-alpha.core.TestAfterDivZero
-(C, C++, ObjC)
-Check for division by variable that is later compared against 0.
-Either t
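Review bot: the diffstat (`2 insertions(+), 2666 deletions(-)`) shows each HTML page shrinks to a single added line, so the per-section anchors the old page exposed (Clone, Core, C++, LLVM, Variable Argument, Dead Code, OS X, Security, Unix, Non-determinism) disappear and external links into them will land on a page that holds only a forward link. Consider pointing the replacement at the matching section of the RST-generated page, or leaving stub anchors that redirect there.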

[clang] [clang][analyzer][doc] Migrate checkers-related docs from HTML to RST (PR #97032)

2024-07-04 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/97032

From b11a113682a1b998395139e5e4736689c0f9be84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Wed, 26 Jun 2024 11:09:33 +0200
Subject: [PATCH 1/2] [clang][analyzer][doc] Migrate checkers-related docs from
 HTML to RST

Documentation for the checkers is kept up to date in RST files.
This patch removes duplication by replacing the HTML docs with links to
docs generated from the RST.
---
 clang/www/analyzer/alpha_checks.html |  932 +---
 clang/www/analyzer/available_checks.html | 1736 +-
 2 files changed, 2 insertions(+), 2666 deletions(-)

diff --git a/clang/www/analyzer/alpha_checks.html 
b/clang/www/analyzer/alpha_checks.html
index 501a9bcbc82a9..80a3ebe4c6166 100644
--- a/clang/www/analyzer/alpha_checks.html
+++ b/clang/www/analyzer/alpha_checks.html
@@ -17,938 +17,8 @@
 
 
 
-Alpha Checkers
-Experimental checkers in addition to the 
-Default Checkers. These are checkers with known issues or limitations that
-keep them from being on by default. They are likely to have false positives.
-Bug reports are welcome but will likely not be investigated for some time.
-Patches welcome!
-
-Clone Alpha Checkers
-Core Alpha Checkers
-C++ Alpha Checkers
-LLVM Checkers
-Variable Argument Alpha Checkers
-Dead Code Alpha Checkers
-OS X Alpha Checkers
-Security Alpha Checkers
-Unix Alpha Checkers
-Non-determinism Alpha 
Checkers
-
 
-
-
-Clone Alpha Checkers
-
-
-Name, DescriptionExample
-
-
-
-alpha.clone.CloneChecker
-(C, C++, ObjC)
-Reports similar pieces of code.
-
-
-void log();
-
-int max(int a, int b) { // warn
-  log();
-  if (a > b)
-return a;
-  return b;
-}
-
-int maxClone(int x, int y) { // similar code here
-  log();
-  if (x > y)
-return x;
-  return y;
-}
-
-
-
-
-Core Alpha Checkers
-
-
-Name, DescriptionExample
-
-
-
-alpha.core.BoolAssignment
-(ObjC)
-Warn about assigning non-{0,1} values to boolean 
variables.
-
-
-void test() {
-  BOOL b = -1; // warn
-}
-
-
-
-
-alpha.core.CastSize
-(C)
-Check when casting a malloc'ed type T, whether the size is a multiple of the
-size of T (Works only with unix.Malloc
-or alpha.unix.MallocWithAnnotations
-checks enabled).
-
-
-void test() {
-  int *x = (int *)malloc(11); // warn
-}
-
-
-
-
-alpha.core.CastToStruct
-(C, C++)
-Check for cast from non-struct pointer to struct pointer.
-
-
-// C
-struct s {};
-
-void test(int *p) {
-  struct s *ps = (struct s *) p; // warn
-}
-
-
-// C++
-class c {};
-
-void test(int *p) {
-  c *pc = (c *) p; // warn
-}
-
-
-
-
-alpha.core.Conversion
-(C, C++, ObjC)
-Loss of sign or precision in implicit conversions
-
-
-void test(unsigned U, signed S) {
-  if (S > 10) {
-if (U < S) {
-}
-  }
-  if (S < -10) {
-if (U < S) { // warn (loss of sign)
-}
-  }
-}
-
-
-void test() {
-  long long A = 1LL << 60;
-  short X = A; // warn (loss of precision)
-}
-
-
-
-
-alpha.core.DynamicTypeChecker
-(ObjC)
-Check for cases where the dynamic and the static type of an
-object are unrelated.
-
-
-id date = [NSDate date];
-
-// Warning: Object has a dynamic type 'NSDate *' which is
-// incompatible with static type 'NSNumber *'"
-NSNumber *number = date;
-[number doubleValue];
-
-
-
-
-alpha.core.FixedAddr
-(C)
-Check for assignment of a fixed address to a pointer.
-
-
-void test() {
-  int *p;
-  p = (int *) 0x1; // warn
-}
-
-
-
-
-alpha.core.IdenticalExpr
-(C, C++)
-Warn about suspicious uses of identical expressions.
-
-
-// C
-void test() {
-  int a = 5;
-  int b = a | 4 | a; // warn: identical expr on both sides
-}
-
-
-// C++
-bool f(void);
-
-void test(bool b) {
-  int i = 10;
-  if (f()) { // warn: true and false branches are identical
-do {
-  i--;
-} while (f());
-  } else {
-do {
-  i--;
-} while (f());
-  }
-}
-
-
-
-
-alpha.core.PointerArithm
-(C)
-Check for pointer arithmetic on locations other than array
-elements.
-
-
-void test() {
-  int x;
-  int *p;
-  p = &x + 1; // warn
-}
-
-
-
-
-alpha.core.PointerSub
-(C)
-Check for pointer subtractions on two pointers pointing to different memory
-chunks.
-
-
-void test() {
-  int x, y;
-  int d = &y - &x; // warn
-}
-
-
-
-
-alpha.core.StackAddressAsyncEscape
-(C)
-Check that addresses to stack memory do not escape the function that involves
-dispatch_after or dispatch_async. This checker is
-a part of core.StackAddressEscape, but is
-https://reviews.llvm.org/D41042>temporarily disabled until some
-false positives are fixed.
-
-
-dispatch_block_t test_block_inside_block_async_leak() {
-  int x = 123;
-  void (^inner)(void) = ^void(void) {
-int y = x;
-++y;
-  };
-  void (^outer)(void) = ^void(void) {
-int z = x;
-++z;
-inner();
-  };
-  return outer; // warn: address of stack-allocated block is captured by a
-//   returned block
-}
-
-
-
-
-alpha.core.TestAfterDivZero
-(C, C++, ObjC)
-Check for division by variable that is later compared against 0.
-Either t

[clang] [clang][analyzer][doc] Migrate checkers-related docs from HTML to RST (PR #97032)

2024-07-04 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/97032

From b11a113682a1b998395139e5e4736689c0f9be84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Wed, 26 Jun 2024 11:09:33 +0200
Subject: [PATCH 1/2] [clang][analyzer][doc] Migrate checkers-related docs from
 HTML to RST

Documentation for the checkers is kept up to date in RST files.
This patch removes duplication by replacing the HTML docs with links to
docs generated from the RST.
---
 clang/www/analyzer/alpha_checks.html |  932 +---
 clang/www/analyzer/available_checks.html | 1736 +-
 2 files changed, 2 insertions(+), 2666 deletions(-)

diff --git a/clang/www/analyzer/alpha_checks.html 
b/clang/www/analyzer/alpha_checks.html
index 501a9bcbc82a9..80a3ebe4c6166 100644
--- a/clang/www/analyzer/alpha_checks.html
+++ b/clang/www/analyzer/alpha_checks.html
@@ -17,938 +17,8 @@
 
 
 
-Alpha Checkers
-Experimental checkers in addition to the 
-Default Checkers. These are checkers with known issues or limitations that
-keep them from being on by default. They are likely to have false positives.
-Bug reports are welcome but will likely not be investigated for some time.
-Patches welcome!
-
-Clone Alpha Checkers
-Core Alpha Checkers
-C++ Alpha Checkers
-LLVM Checkers
-Variable Argument Alpha Checkers
-Dead Code Alpha Checkers
-OS X Alpha Checkers
-Security Alpha Checkers
-Unix Alpha Checkers
-Non-determinism Alpha 
Checkers
-
 
-
-
-Clone Alpha Checkers
-
-
-Name, DescriptionExample
-
-
-
-alpha.clone.CloneChecker
-(C, C++, ObjC)
-Reports similar pieces of code.
-
-
-void log();
-
-int max(int a, int b) { // warn
-  log();
-  if (a > b)
-return a;
-  return b;
-}
-
-int maxClone(int x, int y) { // similar code here
-  log();
-  if (x > y)
-return x;
-  return y;
-}
-
-
-
-
-Core Alpha Checkers
-
-
-Name, DescriptionExample
-
-
-
-alpha.core.BoolAssignment
-(ObjC)
-Warn about assigning non-{0,1} values to boolean 
variables.
-
-
-void test() {
-  BOOL b = -1; // warn
-}
-
-
-
-
-alpha.core.CastSize
-(C)
-Check when casting a malloc'ed type T, whether the size is a multiple of the
-size of T (Works only with unix.Malloc
-or alpha.unix.MallocWithAnnotations
-checks enabled).
-
-
-void test() {
-  int *x = (int *)malloc(11); // warn
-}
-
-
-
-
-alpha.core.CastToStruct
-(C, C++)
-Check for cast from non-struct pointer to struct pointer.
-
-
-// C
-struct s {};
-
-void test(int *p) {
-  struct s *ps = (struct s *) p; // warn
-}
-
-
-// C++
-class c {};
-
-void test(int *p) {
-  c *pc = (c *) p; // warn
-}
-
-
-
-
-alpha.core.Conversion
-(C, C++, ObjC)
-Loss of sign or precision in implicit conversions
-
-
-void test(unsigned U, signed S) {
-  if (S > 10) {
-if (U < S) {
-}
-  }
-  if (S < -10) {
-if (U < S) { // warn (loss of sign)
-}
-  }
-}
-
-
-void test() {
-  long long A = 1LL << 60;
-  short X = A; // warn (loss of precision)
-}
-
-
-
-
-alpha.core.DynamicTypeChecker
-(ObjC)
-Check for cases where the dynamic and the static type of an
-object are unrelated.
-
-
-id date = [NSDate date];
-
-// Warning: Object has a dynamic type 'NSDate *' which is
-// incompatible with static type 'NSNumber *'"
-NSNumber *number = date;
-[number doubleValue];
-
-
-
-
-alpha.core.FixedAddr
-(C)
-Check for assignment of a fixed address to a pointer.
-
-
-void test() {
-  int *p;
-  p = (int *) 0x1; // warn
-}
-
-
-
-
-alpha.core.IdenticalExpr
-(C, C++)
-Warn about suspicious uses of identical expressions.
-
-
-// C
-void test() {
-  int a = 5;
-  int b = a | 4 | a; // warn: identical expr on both sides
-}
-
-
-// C++
-bool f(void);
-
-void test(bool b) {
-  int i = 10;
-  if (f()) { // warn: true and false branches are identical
-do {
-  i--;
-} while (f());
-  } else {
-do {
-  i--;
-} while (f());
-  }
-}
-
-
-
-
-alpha.core.PointerArithm
-(C)
-Check for pointer arithmetic on locations other than array
-elements.
-
-
-void test() {
-  int x;
-  int *p;
-  p = &x + 1; // warn
-}
-
-
-
-
-alpha.core.PointerSub
-(C)
-Check for pointer subtractions on two pointers pointing to different memory
-chunks.
-
-
-void test() {
-  int x, y;
-  int d = &y - &x; // warn
-}
-
-
-
-
-alpha.core.StackAddressAsyncEscape
-(C)
-Check that addresses to stack memory do not escape the function that involves
-dispatch_after or dispatch_async. This checker is
-a part of core.StackAddressEscape, but is
-https://reviews.llvm.org/D41042>temporarily disabled until some
-false positives are fixed.
-
-
-dispatch_block_t test_block_inside_block_async_leak() {
-  int x = 123;
-  void (^inner)(void) = ^void(void) {
-int y = x;
-++y;
-  };
-  void (^outer)(void) = ^void(void) {
-int z = x;
-++z;
-inner();
-  };
-  return outer; // warn: address of stack-allocated block is captured by a
-//   returned block
-}
-
-
-
-
-alpha.core.TestAfterDivZero
-(C, C++, ObjC)
-Check for division by variable that is later compared against 0.
-Either t
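Review bot: the removed `alpha.core.StackAddressAsyncEscape` entry carries a link to https://reviews.llvm.org/D41042 on the words "temporarily disabled until some false positives are fixed"; that link is the only pointer to why the checker is off by default, so make sure the RST version of this entry keeps it rather than just the plain sentence. The same applies to the cross-reference to `core.StackAddressEscape` in the sentence before it.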

[clang] [clang][analyzer][doc] Migrate checkers-related docs from HTML to RST (PR #97032)

2024-07-04 Thread Endre Fülöp via cfe-commits


@@ -126,7 +126,7 @@ Cocoa & Core Foundation Memory 
Management
 Annotations
 
 

gamesh411 wrote:

I am unsure which one to link to, so I opted for less but not misleading 
information with this edit.

https://github.com/llvm/llvm-project/pull/97032
___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits


[clang] [clang][analyzer][doc] Migrate checkers-related docs from HTML to RST (PR #97032)

2024-07-04 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 closed 
https://github.com/llvm/llvm-project/pull/97032


[clang] [clang][analyzer][doc] Migrate user-related docs from HTML to RST (PR #97034)

2024-07-04 Thread Endre Fülöp via cfe-commits


@@ -96,11 +96,11 @@ Download
Mac OS X

 Latest build (10.8+):
- 
+ checker-279.tar.bz2 
(built November 14, 2016)

gamesh411 wrote:

@haoNoQ Thanks for the insights!
I'll also create another PR to clean up the index.html and finish the developer 
section.
There will be questions about what to do with open projects and checker ideas, 
but let's discuss it later in that PR.

https://github.com/llvm/llvm-project/pull/97034


[clang] [clang][analyzer][doc] Migrate user-related docs from HTML to RST (PR #97034)

2024-07-04 Thread Endre Fülöp via cfe-commits

gamesh411 wrote:

* Updated the HTML pages to use the redirect logic in available_checks.html 
(instead of deleting them).
* Updated the usages of 'the static analyzer' in the files touched by this 
patch.
@steakhal, @NagyDonat, @haoNoQ Thanks for the snappy review!

https://github.com/llvm/llvm-project/pull/97034


[clang] [clang][analyzer][doc] Migrate user-related docs from HTML to RST (PR #97034)

2024-07-04 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 closed 
https://github.com/llvm/llvm-project/pull/97034


[clang] [clang][analyzer][tests] Add test for a limitation of alpha.unix.Bloc… (PR #93799)

2024-05-30 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 created 
https://github.com/llvm/llvm-project/pull/93799

…kInCriticalSection checker

Updated the documentation in `checkers.rst` to include an example of how 
`trylock` function is handled.
Added a new test for a scenario where `pthread_mutex_trylock` is used, 
demonstrating the current limitation.

From e284ad9e4a0f00825d077a00d9b628ffb926315f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Thu, 30 May 2024 11:12:59 +0200
Subject: [PATCH] [clang][analyzer][tests] Add test for a limitation of
 alpha.unix.BlockInCriticalSection checker

Updated the documentation in `checkers.rst` to include an example of how
`trylock` function is handled.
Added a new test for a scenario where `pthread_mutex_trylock` is used,
demonstrating the current limitation.
---
 clang/docs/analyzer/checkers.rst  | 15 +
 .../Analysis/block-in-critical-section.cpp| 31 ++-
 2 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 3a31708a1e9de..b677c5f3efa04 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -3148,6 +3148,21 @@ Applies to: ``lock, unlock, sleep, getc, fgets, read, 
recv, pthread_mutex_lock,`
m.unlock();
  }
 
+**Limitations**
+* The ``trylock`` and ``timedlock`` versions of acquiring locks are currently 
assumed to always succeed.
+  This can lead to false positives.
+
+.. code-block:: c
+
+void trylock_example(pthread_mutex_t *m) {
+  if (pthread_mutex_trylock(m) == 0) { // assume trylock always succeeds
+sleep(10); // warn: Call to blocking function 'sleep' inside of critical 
section
+pthread_mutex_unlock(m);
+  } else {
+sleep(10); // false positive: Incorrect warning about blocking function 
inside critical section.
+  }
+}
+
 .. _alpha-unix-Chroot:
 
 alpha.unix.Chroot (C)
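Review bot: the new `.. code-block:: c` directive in this hunk has no indented body: `+void trylock_example(pthread_mutex_t *m) {` and every line after it start in column 0, so Sphinx treats the directive as empty and renders the example as ordinary paragraphs (the `// warn:` and `// false positive:` comments get reflowed as prose). Indent the whole example by at least one space, as the existing example just above does with ` m.unlock();` and ` }`. Likewise, `+**Limitations**` is followed directly by `+* The ``trylock`` and ``timedlock`` ...`; without a blank line in between the `*` is not recognised as a bullet and is emitted literally, so insert a blank line after `**Limitations**`.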
diff --git a/clang/test/Analysis/block-in-critical-section.cpp 
b/clang/test/Analysis/block-in-critical-section.cpp
index 87c26b9f1b520..403b7a16726a2 100644
--- a/clang/test/Analysis/block-in-critical-section.cpp
+++ b/clang/test/Analysis/block-in-critical-section.cpp
@@ -36,15 +36,15 @@ ssize_t read(int fd, void *buf, size_t count);
 ssize_t recv(int sockfd, void *buf, size_t len, int flags);
 
 struct pthread_mutex_t;
-void pthread_mutex_lock(pthread_mutex_t *mutex);
-void pthread_mutex_trylock(pthread_mutex_t *mutex);
-void pthread_mutex_unlock(pthread_mutex_t *mutex);
+int pthread_mutex_lock(pthread_mutex_t *mutex);
+int pthread_mutex_trylock(pthread_mutex_t *mutex);
+int pthread_mutex_unlock(pthread_mutex_t *mutex);
 
 struct mtx_t;
-void mtx_lock(mtx_t *mutex);
-void mtx_timedlock(mtx_t *mutex);
-void mtx_trylock(mtx_t *mutex);
-void mtx_unlock(mtx_t *mutex);
+int mtx_lock(mtx_t *mutex);
+int mtx_timedlock(mtx_t *mutex);
+int mtx_trylock(mtx_t *mutex);
+int mtx_unlock(mtx_t *mutex);
 
 // global params for dummy function calls
 FILE *stream;
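Review bot: only `pthread_mutex_trylock` is exercised by the new test below, so the `int` return types given to `mtx_trylock` and `mtx_timedlock` here are currently unused; since the documentation bullet in the first hunk names the `timedlock` variant as equally affected, a second test case built on `mtx_timedlock(m) == thrd_success`-style checking would make the limitation visible for the C11 API as well.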
@@ -292,3 +292,20 @@ void testBlockInCriticalSectionUniqueLockNested() {
   testBlockInCriticalSectionUniqueLock(); // expected-note {{Calling 
'testBlockInCriticalSectionUniqueLock'}}
   sleep(1); // no-warning
 }
+
+void testTrylockCurrentlyFalsePositive(pthread_mutex_t *m) {
+   // expected-note@+4 {{Assuming the 
condition is true}}
+   // expected-note@+3 {{Taking true 
branch}}
+   // expected-note@+2 {{Assuming the 
condition is false}}
+   // expected-note@+1 {{Taking false 
branch}}
+  if (pthread_mutex_trylock(m) == 0) { // expected-note 2 {{Entering critical 
section here}}
+   // FIXME: we are entering the critical 
section only in the true branch
+sleep(10); // expected-warning {{Call to blocking function 'sleep' inside 
of critical section}}
+   // expected-note@-1 {{Call to blocking function 'sleep' inside 
of critical section}}
+pthread_mutex_unlock(m);
+  } else {
+sleep(10); // expected-warning {{Call to blocking function 'sleep' inside 
of critical section}}
+   // expected-note@-1 {{Call to blocking function 'sleep' inside 
of critical section}}
+   // FIXME: this is a false positive, the lock was not acquired
+  }
+}
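Review bot: the `expected-note 2 {{Entering critical section here}}` on the `if` line is the real assertion of the limitation: two notes means the lock is recorded as acquired on both the `== 0` path and the failure path. It is worth saying so in the `FIXME` so the next person knows what to flip: when the checker starts modelling the return value of `pthread_mutex_trylock`, change `expected-note 2` to `expected-note`, drop the `{{Assuming the condition is false}}` and `{{Taking false branch}}` notes, and replace the `expected-warning` on the `sleep(10)` in the `else` branch with `// no-warning`. Also, the four `expected-note@+N` lines are indented with a run of spaces rather than aligned with the `if`; aligning them with the code they describe keeps the `@+N` offsets readable.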



[clang] [clang][analyzer][tests] Add test for a limitation of alpha.unix.Bloc… (PR #93799)

2024-05-30 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/93799

From 6cc7b93783993e0e7f21124f2d640cb92484faff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Thu, 30 May 2024 11:12:59 +0200
Subject: [PATCH] [clang][analyzer][NFC] Add test for a limitation of
 alpha.unix.BlockInCriticalSection checker

Updated the documentation in `checkers.rst` to include an example of how
`trylock` function is handled.
Added a new test for a scenario where `pthread_mutex_trylock` is used,
demonstrating the current limitation.
---
 clang/docs/analyzer/checkers.rst  | 15 +
 .../Analysis/block-in-critical-section.cpp| 31 ++-
 2 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 3a31708a1e9de..b677c5f3efa04 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -3148,6 +3148,21 @@ Applies to: ``lock, unlock, sleep, getc, fgets, read, 
recv, pthread_mutex_lock,`
m.unlock();
  }
 
+**Limitations**
+* The ``trylock`` and ``timedlock`` versions of acquiring locks are currently 
assumed to always succeed.
+  This can lead to false positives.
+
+.. code-block:: c
+
+void trylock_example(pthread_mutex_t *m) {
+  if (pthread_mutex_trylock(m) == 0) { // assume trylock always succeeds
+sleep(10); // warn: Call to blocking function 'sleep' inside of critical 
section
+pthread_mutex_unlock(m);
+  } else {
+sleep(10); // false positive: Incorrect warning about blocking function 
inside critical section.
+  }
+}
+
 .. _alpha-unix-Chroot:
 
 alpha.unix.Chroot (C)
diff --git a/clang/test/Analysis/block-in-critical-section.cpp 
b/clang/test/Analysis/block-in-critical-section.cpp
index 87c26b9f1b520..403b7a16726a2 100644
--- a/clang/test/Analysis/block-in-critical-section.cpp
+++ b/clang/test/Analysis/block-in-critical-section.cpp
@@ -36,15 +36,15 @@ ssize_t read(int fd, void *buf, size_t count);
 ssize_t recv(int sockfd, void *buf, size_t len, int flags);
 
 struct pthread_mutex_t;
-void pthread_mutex_lock(pthread_mutex_t *mutex);
-void pthread_mutex_trylock(pthread_mutex_t *mutex);
-void pthread_mutex_unlock(pthread_mutex_t *mutex);
+int pthread_mutex_lock(pthread_mutex_t *mutex);
+int pthread_mutex_trylock(pthread_mutex_t *mutex);
+int pthread_mutex_unlock(pthread_mutex_t *mutex);
 
 struct mtx_t;
-void mtx_lock(mtx_t *mutex);
-void mtx_timedlock(mtx_t *mutex);
-void mtx_trylock(mtx_t *mutex);
-void mtx_unlock(mtx_t *mutex);
+int mtx_lock(mtx_t *mutex);
+int mtx_timedlock(mtx_t *mutex);
+int mtx_trylock(mtx_t *mutex);
+int mtx_unlock(mtx_t *mutex);
 
 // global params for dummy function calls
 FILE *stream;
@@ -292,3 +292,20 @@ void testBlockInCriticalSectionUniqueLockNested() {
   testBlockInCriticalSectionUniqueLock(); // expected-note {{Calling 
'testBlockInCriticalSectionUniqueLock'}}
   sleep(1); // no-warning
 }
+
+void testTrylockCurrentlyFalsePositive(pthread_mutex_t *m) {
+   // expected-note@+4 {{Assuming the 
condition is true}}
+   // expected-note@+3 {{Taking true 
branch}}
+   // expected-note@+2 {{Assuming the 
condition is false}}
+   // expected-note@+1 {{Taking false 
branch}}
+  if (pthread_mutex_trylock(m) == 0) { // expected-note 2 {{Entering critical 
section here}}
+   // FIXME: we are entering the critical 
section only in the true branch
+sleep(10); // expected-warning {{Call to blocking function 'sleep' inside 
of critical section}}
+   // expected-note@-1 {{Call to blocking function 'sleep' inside 
of critical section}}
+pthread_mutex_unlock(m);
+  } else {
+sleep(10); // expected-warning {{Call to blocking function 'sleep' inside 
of critical section}}
+   // expected-note@-1 {{Call to blocking function 'sleep' inside 
of critical section}}
+   // FIXME: this is a false positive, the lock was not acquired
+  }
+}



[clang] [clang][analyzer][tests] Add test for a limitation of alpha.unix.Bloc… (PR #93799)

2024-05-30 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 updated 
https://github.com/llvm/llvm-project/pull/93799

From 6cc7b93783993e0e7f21124f2d640cb92484faff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Thu, 30 May 2024 11:12:59 +0200
Subject: [PATCH 1/2] [clang][analyzer][NFC] Add test for a limitation of
 alpha.unix.BlockInCriticalSection checker

Updated the documentation in `checkers.rst` to include an example of how
`trylock` function is handled.
Added a new test for a scenario where `pthread_mutex_trylock` is used,
demonstrating the current limitation.
---
 clang/docs/analyzer/checkers.rst  | 15 +
 .../Analysis/block-in-critical-section.cpp| 31 ++-
 2 files changed, 39 insertions(+), 7 deletions(-)

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 3a31708a1e9de..b677c5f3efa04 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -3148,6 +3148,21 @@ Applies to: ``lock, unlock, sleep, getc, fgets, read, 
recv, pthread_mutex_lock,`
m.unlock();
  }
 
+**Limitations**
+* The ``trylock`` and ``timedlock`` versions of acquiring locks are currently 
assumed to always succeed.
+  This can lead to false positives.
+
+.. code-block:: c
+
+void trylock_example(pthread_mutex_t *m) {
+  if (pthread_mutex_trylock(m) == 0) { // assume trylock always succeeds
+sleep(10); // warn: Call to blocking function 'sleep' inside of critical 
section
+pthread_mutex_unlock(m);
+  } else {
+sleep(10); // false positive: Incorrect warning about blocking function 
inside critical section.
+  }
+}
+
 .. _alpha-unix-Chroot:
 
 alpha.unix.Chroot (C)
diff --git a/clang/test/Analysis/block-in-critical-section.cpp 
b/clang/test/Analysis/block-in-critical-section.cpp
index 87c26b9f1b520..403b7a16726a2 100644
--- a/clang/test/Analysis/block-in-critical-section.cpp
+++ b/clang/test/Analysis/block-in-critical-section.cpp
@@ -36,15 +36,15 @@ ssize_t read(int fd, void *buf, size_t count);
 ssize_t recv(int sockfd, void *buf, size_t len, int flags);
 
 struct pthread_mutex_t;
-void pthread_mutex_lock(pthread_mutex_t *mutex);
-void pthread_mutex_trylock(pthread_mutex_t *mutex);
-void pthread_mutex_unlock(pthread_mutex_t *mutex);
+int pthread_mutex_lock(pthread_mutex_t *mutex);
+int pthread_mutex_trylock(pthread_mutex_t *mutex);
+int pthread_mutex_unlock(pthread_mutex_t *mutex);
 
 struct mtx_t;
-void mtx_lock(mtx_t *mutex);
-void mtx_timedlock(mtx_t *mutex);
-void mtx_trylock(mtx_t *mutex);
-void mtx_unlock(mtx_t *mutex);
+int mtx_lock(mtx_t *mutex);
+int mtx_timedlock(mtx_t *mutex);
+int mtx_trylock(mtx_t *mutex);
+int mtx_unlock(mtx_t *mutex);
 
 // global params for dummy function calls
 FILE *stream;
@@ -292,3 +292,20 @@ void testBlockInCriticalSectionUniqueLockNested() {
   testBlockInCriticalSectionUniqueLock(); // expected-note {{Calling 
'testBlockInCriticalSectionUniqueLock'}}
   sleep(1); // no-warning
 }
+
+void testTrylockCurrentlyFalsePositive(pthread_mutex_t *m) {
+   // expected-note@+4 {{Assuming the 
condition is true}}
+   // expected-note@+3 {{Taking true 
branch}}
+   // expected-note@+2 {{Assuming the 
condition is false}}
+   // expected-note@+1 {{Taking false 
branch}}
+  if (pthread_mutex_trylock(m) == 0) { // expected-note 2 {{Entering critical 
section here}}
+   // FIXME: we are entering the critical 
section only in the true branch
+sleep(10); // expected-warning {{Call to blocking function 'sleep' inside 
of critical section}}
+   // expected-note@-1 {{Call to blocking function 'sleep' inside 
of critical section}}
+pthread_mutex_unlock(m);
+  } else {
+sleep(10); // expected-warning {{Call to blocking function 'sleep' inside 
of critical section}}
+   // expected-note@-1 {{Call to blocking function 'sleep' inside 
of critical section}}
+   // FIXME: this is a false positive, the lock was not acquired
+  }
+}

From 71509c4f16915483a34ad6745e555481e4a872e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Thu, 30 May 2024 14:16:12 +0200
Subject: [PATCH 2/2] fix indentation

---
 clang/docs/analyzer/checkers.rst | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index b677c5f3efa04..5416a4d7d7f78 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -3154,14 +3154,14 @@ Applies to: ``lock, unlock, sleep, getc, fgets, read, 
recv, pthread_mutex_lock,`
 
 .. code-block:: c
 
-void trylock_example(pthread_mutex_t *m) {
-  if (pthread_mutex_trylock(m) == 0) { // assume trylock always succeeds
-sleep(10); // warn: Call to blocking function 'sleep' inside of critical 
section
-pthread_mutex_unlock(m);
-  

[clang] [clang][analyzer][NFC] Improve docs of alpha.unix.BlockInCriticalSection (PR #93812)

2024-05-30 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 created 
https://github.com/llvm/llvm-project/pull/93812

- Enhanced descriptions for blocking and critical section functions
- Added an additional code sample highlighting interleaved C and C++
style mutexes
- Introduced a new section on limitations


From 8cb24070e2c0770d7d5a8e51aa364c6712ac5d1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Tue, 28 May 2024 23:13:07 +0200
Subject: [PATCH] [clang][analyzer][NFC] Improve docs of
 alpha.unix.BlockInCriticalSection

- Enhanced descriptions for blocking and critical section functions
- Added an additional code sample highlighting interleaved C and C++
style mutexes
- Introduced a new section on limitations
---
 clang/docs/analyzer/checkers.rst | 30 ++
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 3a31708a1e9de..58adc0e62173a 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -3135,19 +3135,33 @@ alpha.unix
 alpha.unix.BlockInCriticalSection (C)
 "
 Check for calls to blocking functions inside a critical section.
-Applies to: ``lock, unlock, sleep, getc, fgets, read, recv, 
pthread_mutex_lock,``
-`` pthread_mutex_unlock, mtx_lock, mtx_timedlock, mtx_trylock, mtx_unlock, 
lock_guard, unique_lock``
+Blocking functions detected by this checker: ``sleep, getc, fgets, read, 
recv``.
+Critical section handling functions modelled by this checker: ``lock, unlock, 
pthread_mutex_lock, pthread_mutex_trylock, pthread_mutex_unlock, mtx_lock, 
mtx_timedlock, mtx_trylock, mtx_unlock, lock_guard, unique_lock``.
 
 .. code-block:: c
 
- void test() {
-   std::mutex m;
-   m.lock();
-   sleep(3); // warn: a blocking function sleep is called inside a critical
- //   section
-   m.unlock();
+ void pthread_lock_example(pthread_mutex_t *m) {
+   pthread_mutex_lock(m); // note: entering critical section here
+   sleep(10); // warn: Call to blocking function 'sleep' inside of critical 
section
+   pthread_mutex_unlock(m);
+ }
+
+.. code-block:: cpp
+
+ void overlapping_critical_sections(mtx_t *m1, std::mutex &m2) {
+   std::lock_guard lg{m2}; // note: entering critical section here
+   mtx_lock(m1); // note: entering critical section here
+   sleep(10); // warn: Call to blocking function 'sleep' inside of critical 
section
+   mtx_unlock(m1);
+   sleep(10); // warn: Call to blocking function 'sleep' inside of critical 
section
+ // still inside of the critical section of the std::lock_guard
  }
 
+**Limitations**
+
+* The ``trylock`` and ``timedlock`` versions of acquiring locks are currently 
handled as if they always succeeded.
+  This can lead to false positives.
+
 .. _alpha-unix-Chroot:
 
 alpha.unix.Chroot (C)
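Review bot: `std::lock_guard lg{m2};` in the `cpp` example relies on C++17 class template argument deduction; writing `std::lock_guard<std::mutex> lg{m2};` keeps the example valid for readers on older standards and makes the guarded mutex explicit, which is the point of the interleaved C/C++ demonstration. Two smaller points: the `// note:` and `// warn:` comments match the checker's actual diagnostic text ("Call to blocking function 'sleep' inside of critical section"), which is good, but the `// warn:` lines wrap in the diff, so check they fit on one line in the source. And this hunk adds a `**Limitations**` block at the same spot as #93799 earlier in this thread, with different wording ("handled as if they always succeeded" vs "assumed to always succeed"); whichever lands second will conflict, so pick one wording and rebase.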



[clang] [clang][analyzer] Move unix.BlockInCriticalSection out of alpha (PR #93815)

2024-05-30 Thread Endre Fülöp via cfe-commits

https://github.com/gamesh411 created 
https://github.com/llvm/llvm-project/pull/93815

After recent improvements, and testing on open source projects, the
checker is ready to move out of the alpha package.

I would like to land #93799 and #93799 first, then this modification.

I have run this checker on multiple OS projects, and found no false positives, 
and only 10 true ones.
The complete set of tested projects:
codechecker, memcached, tmux, curl, twin, vim, openssl, sqlite, ffmpeg, 
postgres, tinyxml2, libwebm, xerces, bitcoin, protobuf, qtbase, openrct2, 
llvm-project.

The results for this checker:

https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=bitcoin_v0.20.1_alpha.unix.BlockInCriticalSection-evaluation&is-unique=on&diff-type=New&checker-name=alpha.unix.BlockInCriticalSection

https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=qtbase_v6.2.0_alpha.unix.BlockInCriticalSection-evaluation&is-unique=on&diff-type=New&checker-name=alpha.unix.BlockInCriticalSection

https://codechecker-demo.eastus.cloudapp.azure.com/Default/reports?run=openrct2_v0.4.8_alpha.unix.BlockInCriticalSection-evaluation&is-unique=on&diff-type=New&checker-name=alpha.unix.BlockInCriticalSection


From 895ff8779b11294f132604e40572ebec8b6bc4c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Endre=20F=C3=BCl=C3=B6p?= 
Date: Wed, 29 May 2024 00:38:07 +0200
Subject: [PATCH] [clang][analyzer] Move unix.BlockInCriticalSection out of
 alpha

After recent improvements, and testing on open source projects, the
checker is ready to move out of the alpha package.
---
 clang/docs/analyzer/checkers.rst  | 37 ++-
 .../clang/StaticAnalyzer/Checkers/Checkers.td |  8 ++--
 .../test/Analysis/block-in-critical-section.c |  2 +-
 .../Analysis/block-in-critical-section.cpp|  2 +-
 .../test/Analysis/block-in-critical-section.m |  2 +-
 clang/www/analyzer/alpha_checks.html  | 33 -
 6 files changed, 26 insertions(+), 58 deletions(-)

diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index 3a31708a1e9de..86412bd3b9294 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -1235,6 +1235,25 @@ Check calls to various UNIX/Posix functions: ``open, 
pthread_once, calloc, mallo
 .. literalinclude:: checkers/unix_api_example.c
 :language: c
 
+.. _unix-BlockInCriticalSection:
+
+unix.BlockInCriticalSection (C)
+"
+
+Check for calls to blocking functions inside a critical section.
+Applies to: ``lock, unlock, sleep, getc, fgets, read, recv, 
pthread_mutex_lock,``
+`` pthread_mutex_unlock, mtx_lock, mtx_timedlock, mtx_trylock, mtx_unlock, 
lock_guard, unique_lock``
+
+.. code-block:: c
+
+ void test() {
+   std::mutex m;
+   m.lock();
+   sleep(3); // warn: a blocking function sleep is called inside a critical
+ //   section
+   m.unlock();
+ }
+
 .. _unix-Errno:
 
 unix.Errno (C)
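Review bot: the section text moved into the `unix` package here is the old one: it still has the `Applies to:` list that mixes blocking and locking functions, and a `.. code-block:: c` whose body uses `std::mutex`, which is C++ in a C-labelled block. The PR description says the doc and test PRs should land first; once they do, this hunk has to be rebased so that the rewritten section (separate blocking/critical-section lists, the `cpp` example, the Limitations bullet) is what moves, otherwise the move silently reverts those improvements.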
@@ -3130,24 +3149,6 @@ For a more detailed description of configuration 
options, please see the
 alpha.unix
 ^^
 
-.. _alpha-unix-BlockInCriticalSection:
-
-alpha.unix.BlockInCriticalSection (C)
-"
-Check for calls to blocking functions inside a critical section.
-Applies to: ``lock, unlock, sleep, getc, fgets, read, recv, 
pthread_mutex_lock,``
-`` pthread_mutex_unlock, mtx_lock, mtx_timedlock, mtx_trylock, mtx_unlock, 
lock_guard, unique_lock``
-
-.. code-block:: c
-
- void test() {
-   std::mutex m;
-   m.lock();
-   sleep(3); // warn: a blocking function sleep is called inside a critical
- //   section
-   m.unlock();
- }
-
 .. _alpha-unix-Chroot:
 
 alpha.unix.Chroot (C)
diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td 
b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
index 40f443047bd4b..668e9f6cf0716 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -509,6 +509,10 @@ def UnixAPIMisuseChecker : Checker<"API">,
   HelpText<"Check calls to various UNIX/Posix functions">,
   Documentation;
 
+def BlockInCriticalSectionChecker : Checker<"BlockInCriticalSection">,
+  HelpText<"Check for calls to blocking functions inside a critical section">,
+  Documentation;
+
 def DynamicMemoryModeling: Checker<"DynamicMemoryModeling">,
   HelpText<"The base of several malloc() related checkers. On it's own it "
"emits no reports, but adds valuable information to the analysis "
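Review bot: moving the `def` into the `unix` package renames the user-facing checker from `alpha.unix.BlockInCriticalSection` to `unix.BlockInCriticalSection`, so existing `-analyzer-checker=alpha.unix.BlockInCriticalSection` invocations will fail with an unknown-checker error. The diffstat above shows no `ReleaseNotes.rst` entry; a release note announcing the rename (and that the checker is now on by default in the `unix` package) would save users that surprise. Drive-by: the context line `On it's own it` has a typo (`its`) that could be fixed while touching this block.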
@@ -619,10 +623,6 @@ def SimpleStreamChecker : Checker<"SimpleStream">,
   HelpText<"Check for misuses of stream APIs">,
   Documentation;
 
-def BlockInCriticalSectionChecker : Checker<"BlockInCriticalSection">,
-  HelpText<"Check for calls to blocking functions inside a critical section">,
-  Documentation;
-
 } // end "alpha.unix"
 
 
//===--===//
diff --git a/clang/tes
