clang  3.7.0
SimpleStreamChecker.cpp
Go to the documentation of this file.
1 //===-- SimpleStreamChecker.cpp -----------------------------------------*- C++ -*--//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // Defines a checker for proper use of fopen/fclose APIs.
11 // - If a file has been closed with fclose, it should not be accessed again.
12 // Accessing a closed file results in undefined behavior.
13 // - If a file was opened with fopen, it must be closed with fclose before
14 // the execution ends. Failing to do so results in a resource leak.
15 //
16 //===----------------------------------------------------------------------===//
17 
18 #include "ClangSACheckers.h"
23 
24 using namespace clang;
25 using namespace ento;
26 
27 namespace {
28 typedef SmallVector<SymbolRef, 2> SymbolVector;
29 
30 struct StreamState {
31 private:
32  enum Kind { Opened, Closed } K;
33  StreamState(Kind InK) : K(InK) { }
34 
35 public:
36  bool isOpened() const { return K == Opened; }
37  bool isClosed() const { return K == Closed; }
38 
39  static StreamState getOpened() { return StreamState(Opened); }
40  static StreamState getClosed() { return StreamState(Closed); }
41 
42  bool operator==(const StreamState &X) const {
43  return K == X.K;
44  }
45  void Profile(llvm::FoldingSetNodeID &ID) const {
46  ID.AddInteger(K);
47  }
48 };
49 
50 class SimpleStreamChecker : public Checker<check::PostCall,
51  check::PreCall,
52  check::DeadSymbols,
53  check::PointerEscape> {
54 
55  mutable IdentifierInfo *IIfopen, *IIfclose;
56 
57  std::unique_ptr<BugType> DoubleCloseBugType;
58  std::unique_ptr<BugType> LeakBugType;
59 
60  void initIdentifierInfo(ASTContext &Ctx) const;
61 
62  void reportDoubleClose(SymbolRef FileDescSym,
63  const CallEvent &Call,
64  CheckerContext &C) const;
65 
66  void reportLeaks(ArrayRef<SymbolRef> LeakedStreams, CheckerContext &C,
67  ExplodedNode *ErrNode) const;
68 
69  bool guaranteedNotToCloseFile(const CallEvent &Call) const;
70 
71 public:
72  SimpleStreamChecker();
73 
74  /// Process fopen.
75  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
76  /// Process fclose.
77  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
78 
79  void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
80 
81  /// Stop tracking addresses which escape.
82  ProgramStateRef checkPointerEscape(ProgramStateRef State,
83  const InvalidatedSymbols &Escaped,
84  const CallEvent *Call,
85  PointerEscapeKind Kind) const;
86 };
87 
88 } // end anonymous namespace
89 
90 /// The state of the checker is a map from tracked stream symbols to their
91 /// state. Let's store it in the ProgramState.
92 REGISTER_MAP_WITH_PROGRAMSTATE(StreamMap, SymbolRef, StreamState)
93 
94 namespace {
95 class StopTrackingCallback : public SymbolVisitor {
96  ProgramStateRef state;
97 public:
98  StopTrackingCallback(ProgramStateRef st) : state(st) {}
99  ProgramStateRef getState() const { return state; }
100 
101  bool VisitSymbol(SymbolRef sym) override {
102  state = state->remove<StreamMap>(sym);
103  return true;
104  }
105 };
106 } // end anonymous namespace
107 
108 SimpleStreamChecker::SimpleStreamChecker()
109  : IIfopen(nullptr), IIfclose(nullptr) {
110  // Initialize the bug types.
111  DoubleCloseBugType.reset(
112  new BugType(this, "Double fclose", "Unix Stream API Error"));
113 
114  LeakBugType.reset(
115  new BugType(this, "Resource Leak", "Unix Stream API Error"));
116  // Sinks are higher importance bugs as well as calls to assert() or exit(0).
117  LeakBugType->setSuppressOnSink(true);
118 }
119 
120 void SimpleStreamChecker::checkPostCall(const CallEvent &Call,
121  CheckerContext &C) const {
122  initIdentifierInfo(C.getASTContext());
123 
124  if (!Call.isGlobalCFunction())
125  return;
126 
127  if (Call.getCalleeIdentifier() != IIfopen)
128  return;
129 
130  // Get the symbolic value corresponding to the file handle.
131  SymbolRef FileDesc = Call.getReturnValue().getAsSymbol();
132  if (!FileDesc)
133  return;
134 
135  // Generate the next transition (an edge in the exploded graph).
137  State = State->set<StreamMap>(FileDesc, StreamState::getOpened());
138  C.addTransition(State);
139 }
140 
141 void SimpleStreamChecker::checkPreCall(const CallEvent &Call,
142  CheckerContext &C) const {
143  initIdentifierInfo(C.getASTContext());
144 
145  if (!Call.isGlobalCFunction())
146  return;
147 
148  if (Call.getCalleeIdentifier() != IIfclose)
149  return;
150 
151  if (Call.getNumArgs() != 1)
152  return;
153 
154  // Get the symbolic value corresponding to the file handle.
155  SymbolRef FileDesc = Call.getArgSVal(0).getAsSymbol();
156  if (!FileDesc)
157  return;
158 
159  // Check if the stream has already been closed.
160  ProgramStateRef State = C.getState();
161  const StreamState *SS = State->get<StreamMap>(FileDesc);
162  if (SS && SS->isClosed()) {
163  reportDoubleClose(FileDesc, Call, C);
164  return;
165  }
166 
167  // Generate the next transition, in which the stream is closed.
168  State = State->set<StreamMap>(FileDesc, StreamState::getClosed());
169  C.addTransition(State);
170 }
171 
172 static bool isLeaked(SymbolRef Sym, const StreamState &SS,
173  bool IsSymDead, ProgramStateRef State) {
174  if (IsSymDead && SS.isOpened()) {
175  // If a symbol is NULL, assume that fopen failed on this path.
176  // A symbol should only be considered leaked if it is non-null.
177  ConstraintManager &CMgr = State->getConstraintManager();
178  ConditionTruthVal OpenFailed = CMgr.isNull(State, Sym);
179  return !OpenFailed.isConstrainedTrue();
180  }
181  return false;
182 }
183 
184 void SimpleStreamChecker::checkDeadSymbols(SymbolReaper &SymReaper,
185  CheckerContext &C) const {
186  ProgramStateRef State = C.getState();
187  SymbolVector LeakedStreams;
188  StreamMapTy TrackedStreams = State->get<StreamMap>();
189  for (StreamMapTy::iterator I = TrackedStreams.begin(),
190  E = TrackedStreams.end(); I != E; ++I) {
191  SymbolRef Sym = I->first;
192  bool IsSymDead = SymReaper.isDead(Sym);
193 
194  // Collect leaked symbols.
195  if (isLeaked(Sym, I->second, IsSymDead, State))
196  LeakedStreams.push_back(Sym);
197 
198  // Remove the dead symbol from the streams map.
199  if (IsSymDead)
200  State = State->remove<StreamMap>(Sym);
201  }
202 
203  ExplodedNode *N = C.addTransition(State);
204  reportLeaks(LeakedStreams, C, N);
205 }
206 
207 void SimpleStreamChecker::reportDoubleClose(SymbolRef FileDescSym,
208  const CallEvent &Call,
209  CheckerContext &C) const {
210  // We reached a bug, stop exploring the path here by generating a sink.
211  ExplodedNode *ErrNode = C.generateSink();
212  // If we've already reached this node on another path, return.
213  if (!ErrNode)
214  return;
215 
216  // Generate the report.
217  auto R = llvm::make_unique<BugReport>(*DoubleCloseBugType,
218  "Closing a previously closed file stream", ErrNode);
219  R->addRange(Call.getSourceRange());
220  R->markInteresting(FileDescSym);
221  C.emitReport(std::move(R));
222 }
223 
224 void SimpleStreamChecker::reportLeaks(ArrayRef<SymbolRef> LeakedStreams,
225  CheckerContext &C,
226  ExplodedNode *ErrNode) const {
227  // Attach bug reports to the leak node.
228  // TODO: Identify the leaked file descriptor.
229  for (SymbolRef LeakedStream : LeakedStreams) {
230  auto R = llvm::make_unique<BugReport>(*LeakBugType,
231  "Opened file is never closed; potential resource leak", ErrNode);
232  R->markInteresting(LeakedStream);
233  C.emitReport(std::move(R));
234  }
235 }
236 
237 bool SimpleStreamChecker::guaranteedNotToCloseFile(const CallEvent &Call) const{
238  // If it's not in a system header, assume it might close a file.
239  if (!Call.isInSystemHeader())
240  return false;
241 
242  // Handle cases where we know a buffer's /address/ can escape.
243  if (Call.argumentsMayEscape())
244  return false;
245 
246  // Note, even though fclose closes the file, we do not list it here
247  // since the checker is modeling the call.
248 
249  return true;
250 }
251 
252 // If the pointer we are tracking escaped, do not track the symbol as
253 // we cannot reason about it anymore.
255 SimpleStreamChecker::checkPointerEscape(ProgramStateRef State,
256  const InvalidatedSymbols &Escaped,
257  const CallEvent *Call,
258  PointerEscapeKind Kind) const {
259  // If we know that the call cannot close a file, there is nothing to do.
260  if (Kind == PSK_DirectEscapeOnCall && guaranteedNotToCloseFile(*Call)) {
261  return State;
262  }
263 
264  for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
265  E = Escaped.end();
266  I != E; ++I) {
267  SymbolRef Sym = *I;
268 
269  // The symbol escaped. Optimistically, assume that the corresponding file
270  // handle will be closed somewhere else.
271  State = State->remove<StreamMap>(Sym);
272  }
273  return State;
274 }
275 
276 void SimpleStreamChecker::initIdentifierInfo(ASTContext &Ctx) const {
277  if (IIfopen)
278  return;
279  IIfopen = &Ctx.Idents.get("fopen");
280  IIfclose = &Ctx.Idents.get("fclose");
281 }
282 
283 void ento::registerSimpleStreamChecker(CheckerManager &mgr) {
284  mgr.registerChecker<SimpleStreamChecker>();
285 }
virtual SVal getArgSVal(unsigned Index) const
Returns the value of a given argument at the time of the call.
Definition: CallEvent.cpp:195
bool isInSystemHeader() const
Returns true if the callee is known to be from a system header.
Definition: CallEvent.h:209
bool operator==(CanQual< T > x, CanQual< U > y)
virtual bool argumentsMayEscape() const
Returns true if any of the arguments are known to escape to long- term storage, even if this method w...
Definition: CallEvent.h:264
ExplodedNode * addTransition(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generates a new transition in the program state graph (ExplodedGraph). Uses the default CheckerContex...
Symbolic value. These values used to capture symbolic execution of the program.
Definition: SymbolManager.h:42
ConditionTruthVal isNull(ProgramStateRef State, SymbolRef Sym)
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:89
LineState State
static bool isLeaked(SymbolRef Sym, const StreamState &SS, bool IsSymDead, ProgramStateRef State)
IdentifierTable & Idents
Definition: ASTContext.h:439
ExplodedNode * generateSink(ProgramStateRef State=nullptr, ExplodedNode *Pred=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a sink node. Generating a sink stops exploration of the given path.
bool isGlobalCFunction(StringRef SpecificName=StringRef()) const
Returns true if the callee is an externally-visible function in the top-level namespace, such as malloc.
Definition: CallEvent.cpp:103
ID
Defines the set of possible language-specific address spaces.
Definition: AddressSpaces.h:27
bool isDead(SymbolRef sym) const
Returns whether or not a symbol has been confirmed dead.
const ProgramStateRef & getState() const
The pointer has been passed to a function call directly.
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
Kind
CHECKER * registerChecker()
Used to register checkers.
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
A class responsible for cleaning up unused symbols.
virtual SourceRange getSourceRange() const
Returns a source range for the entire call, suitable for outputting in diagnostics.
Definition: CallEvent.h:231
REGISTER_MAP_WITH_PROGRAMSTATE(AllocatedData, SymbolRef, MacOSKeychainAPIChecker::AllocationState) static bool isEnclosingFunctionParam(const Expr *E)
const IdentifierInfo * getCalleeIdentifier() const
Returns the name of the callee, if its name is a simple identifier.
Definition: CallEvent.h:293
bool isConstrainedTrue() const
Return true if the constraint is perfectly constrained to 'true'.
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:113
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
X
Definition: SemaDecl.cpp:11429
virtual unsigned getNumArgs() const =0
Returns the number of arguments (explicit and implicit).
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef. Otherwise, return 0.
Definition: SVals.cpp:111
SVal getReturnValue() const
Returns the return value of the call.
Definition: CallEvent.cpp:209