aboutsummaryrefslogtreecommitdiff
path: root/clang/lib/StaticAnalyzer
diff options
context:
space:
mode:
Diffstat (limited to 'clang/lib/StaticAnalyzer')
-rw-r--r--clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp39
-rw-r--r--clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp80
-rw-r--r--clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp2
3 files changed, 64 insertions, 57 deletions
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
index 30a0497..a7704da 100644
--- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp
@@ -1281,7 +1281,7 @@ SVal MallocChecker::evalMulForBufferSize(CheckerContext &C, const Expr *Blocks,
SVal BlockBytesVal = C.getSVal(BlockBytes);
ProgramStateRef State = C.getState();
SVal TotalSize = SB.evalBinOp(State, BO_Mul, BlocksVal, BlockBytesVal,
- SB.getContext().getSizeType());
+ SB.getContext().getCanonicalSizeType());
return TotalSize;
}
@@ -1311,11 +1311,9 @@ static bool isStandardRealloc(const CallEvent &Call) {
const FunctionDecl *FD = dyn_cast<FunctionDecl>(Call.getDecl());
assert(FD);
ASTContext &AC = FD->getASTContext();
-
- return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy &&
- FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
- FD->getParamDecl(1)->getType().getDesugaredType(AC) ==
- AC.getSizeType();
+ return AC.hasSameType(FD->getDeclaredReturnType(), AC.VoidPtrTy) &&
+ AC.hasSameType(FD->getParamDecl(0)->getType(), AC.VoidPtrTy) &&
+ AC.hasSameType(FD->getParamDecl(1)->getType(), AC.getSizeType());
}
static bool isGRealloc(const CallEvent &Call) {
@@ -1323,10 +1321,9 @@ static bool isGRealloc(const CallEvent &Call) {
assert(FD);
ASTContext &AC = FD->getASTContext();
- return FD->getDeclaredReturnType().getDesugaredType(AC) == AC.VoidPtrTy &&
- FD->getParamDecl(0)->getType().getDesugaredType(AC) == AC.VoidPtrTy &&
- FD->getParamDecl(1)->getType().getDesugaredType(AC) ==
- AC.UnsignedLongTy;
+ return AC.hasSameType(FD->getDeclaredReturnType(), AC.VoidPtrTy) &&
+ AC.hasSameType(FD->getParamDecl(0)->getType(), AC.VoidPtrTy) &&
+ AC.hasSameType(FD->getParamDecl(1)->getType(), AC.UnsignedLongTy);
}
void MallocChecker::checkRealloc(ProgramStateRef State, const CallEvent &Call,
@@ -2830,10 +2827,10 @@ MallocChecker::ReallocMemAux(CheckerContext &C, const CallEvent &Call,
return nullptr;
// Compare the size argument to 0.
- DefinedOrUnknownSVal SizeZero =
- svalBuilder.evalEQ(State, TotalSize.castAs<DefinedOrUnknownSVal>(),
- svalBuilder.makeIntValWithWidth(
- svalBuilder.getContext().getSizeType(), 0));
+ DefinedOrUnknownSVal SizeZero = svalBuilder.evalEQ(
+ State, TotalSize.castAs<DefinedOrUnknownSVal>(),
+ svalBuilder.makeIntValWithWidth(
+ svalBuilder.getContext().getCanonicalSizeType(), 0));
ProgramStateRef StatePtrIsNull, StatePtrNotNull;
std::tie(StatePtrIsNull, StatePtrNotNull) = State->assume(PtrEQ);
@@ -3733,13 +3730,15 @@ PathDiagnosticPieceRef MallocBugVisitor::VisitNode(const ExplodedNode *N,
return nullptr;
}
- // Save the first destructor/function as release point.
- assert(!ReleaseFunctionLC && "There should be only one release point");
+ // Record the stack frame that is _responsible_ for this memory release
+ // event. This will be used by the false positive suppression heuristics
+ // that recognize the release points of reference-counted objects.
+ //
+ // Usually (e.g. in C) we say that the _responsible_ stack frame is the
+ // current innermost stack frame:
ReleaseFunctionLC = CurrentLC->getStackFrame();
-
- // See if we're releasing memory while inlining a destructor that
- // decrement reference counters (or one of its callees).
- // This turns on various common false positive suppressions.
+ // ...but if the stack contains a destructor call, then we say that the
+ // outermost destructor stack frame is the _responsible_ one:
for (const LocationContext *LC = CurrentLC; LC; LC = LC->getParent()) {
if (const auto *DD = dyn_cast<CXXDestructorDecl>(LC->getDecl())) {
if (isReferenceCountingPointerDestructor(DD)) {
diff --git a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
index 1c748f9..52b3d1e 100644
--- a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
@@ -1666,7 +1666,7 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
const QualType IntTy = ACtx.IntTy;
const QualType UnsignedIntTy = ACtx.UnsignedIntTy;
const QualType LongTy = ACtx.LongTy;
- const QualType SizeTy = ACtx.getSizeType();
+ const QualType SizeTyCanonTy = ACtx.getCanonicalSizeType();
const QualType VoidPtrTy = getPointerTy(VoidTy); // void *
const QualType IntPtrTy = getPointerTy(IntTy); // int *
@@ -1684,14 +1684,14 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
const QualType ConstWchar_tPtrTy =
getPointerTy(getConstTy(WCharTy)); // const wchar_t *
const QualType ConstVoidPtrRestrictTy = getRestrictTy(ConstVoidPtrTy);
- const QualType SizePtrTy = getPointerTy(SizeTy);
+ const QualType SizePtrTy = getPointerTy(SizeTyCanonTy);
const QualType SizePtrRestrictTy = getRestrictTy(SizePtrTy);
const RangeInt IntMax = BVF.getMaxValue(IntTy)->getLimitedValue();
const RangeInt UnsignedIntMax =
BVF.getMaxValue(UnsignedIntTy)->getLimitedValue();
const RangeInt LongMax = BVF.getMaxValue(LongTy)->getLimitedValue();
- const RangeInt SizeMax = BVF.getMaxValue(SizeTy)->getLimitedValue();
+ const RangeInt SizeMax = BVF.getMaxValue(SizeTyCanonTy)->getLimitedValue();
// Set UCharRangeMax to min of int or uchar maximum value.
// The C standard states that the arguments of functions like isalpha must
@@ -2057,18 +2057,19 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// size_t fread(void *restrict ptr, size_t size, size_t nitems,
// FILE *restrict stream);
- addToFunctionSummaryMap(
- "fread",
- Signature(ArgTypes{VoidPtrRestrictTy, SizeTy, SizeTy, FilePtrRestrictTy},
- RetType{SizeTy}),
- FreadSummary);
+ addToFunctionSummaryMap("fread",
+ Signature(ArgTypes{VoidPtrRestrictTy, SizeTyCanonTy,
+ SizeTyCanonTy, FilePtrRestrictTy},
+ RetType{SizeTyCanonTy}),
+ FreadSummary);
// size_t fwrite(const void *restrict ptr, size_t size, size_t nitems,
// FILE *restrict stream);
- addToFunctionSummaryMap("fwrite",
- Signature(ArgTypes{ConstVoidPtrRestrictTy, SizeTy,
- SizeTy, FilePtrRestrictTy},
- RetType{SizeTy}),
- FreadSummary);
+ addToFunctionSummaryMap(
+ "fwrite",
+ Signature(ArgTypes{ConstVoidPtrRestrictTy, SizeTyCanonTy, SizeTyCanonTy,
+ FilePtrRestrictTy},
+ RetType{SizeTyCanonTy}),
+ FreadSummary);
std::optional<QualType> Ssize_tTy = lookupTy("ssize_t");
std::optional<RangeInt> Ssize_tMax = getMaxValue(Ssize_tTy);
@@ -2083,12 +2084,14 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// should handle them together with the rest of the POSIX functions.
// ssize_t read(int fildes, void *buf, size_t nbyte);
addToFunctionSummaryMap(
- "read", Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy}, RetType{Ssize_tTy}),
+ "read",
+ Signature(ArgTypes{IntTy, VoidPtrTy, SizeTyCanonTy}, RetType{Ssize_tTy}),
ReadSummary);
// ssize_t write(int fildes, const void *buf, size_t nbyte);
addToFunctionSummaryMap(
"write",
- Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy}, RetType{Ssize_tTy}),
+ Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTyCanonTy},
+ RetType{Ssize_tTy}),
ReadSummary);
auto GetLineSummary =
@@ -2618,7 +2621,7 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// char *strndup(const char *s, size_t n);
addToFunctionSummaryMap(
"strndup",
- Signature(ArgTypes{ConstCharPtrTy, SizeTy}, RetType{CharPtrTy}),
+ Signature(ArgTypes{ConstCharPtrTy, SizeTyCanonTy}, RetType{CharPtrTy}),
Summary(NoEvalCall)
.ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(
@@ -2649,7 +2652,8 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// char *getcwd(char *buf, size_t size);
addToFunctionSummaryMap(
- "getcwd", Signature(ArgTypes{CharPtrTy, SizeTy}, RetType{CharPtrTy}),
+ "getcwd",
+ Signature(ArgTypes{CharPtrTy, SizeTyCanonTy}, RetType{CharPtrTy}),
Summary(NoEvalCall)
.Case({NotNull(0),
ArgumentCondition(1, WithinRange, Range(1, SizeMax)),
@@ -2957,8 +2961,9 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// FIXME: Improve for errno modeling.
addToFunctionSummaryMap(
"mmap",
- Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off_tTy},
- RetType{VoidPtrTy}),
+ Signature(
+ ArgTypes{VoidPtrTy, SizeTyCanonTy, IntTy, IntTy, IntTy, Off_tTy},
+ RetType{VoidPtrTy}),
Summary(NoEvalCall)
.ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax)))
.ArgConstraint(
@@ -2970,8 +2975,9 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// FIXME: Improve for errno modeling.
addToFunctionSummaryMap(
"mmap64",
- Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off64_tTy},
- RetType{VoidPtrTy}),
+ Signature(
+ ArgTypes{VoidPtrTy, SizeTyCanonTy, IntTy, IntTy, IntTy, Off64_tTy},
+ RetType{VoidPtrTy}),
Summary(NoEvalCall)
.ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax)))
.ArgConstraint(
@@ -3002,8 +3008,9 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// size_t bufsize);
addToFunctionSummaryMap(
"readlink",
- Signature(ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy},
- RetType{Ssize_tTy}),
+ Signature(
+ ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTyCanonTy},
+ RetType{Ssize_tTy}),
Summary(NoEvalCall)
.Case({ArgumentCondition(2, WithinRange, Range(1, IntMax)),
ReturnValueCondition(LessThanOrEq, ArgNo(2)),
@@ -3025,9 +3032,9 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// char *restrict buf, size_t bufsize);
addToFunctionSummaryMap(
"readlinkat",
- Signature(
- ArgTypes{IntTy, ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy},
- RetType{Ssize_tTy}),
+ Signature(ArgTypes{IntTy, ConstCharPtrRestrictTy, CharPtrRestrictTy,
+ SizeTyCanonTy},
+ RetType{Ssize_tTy}),
Summary(NoEvalCall)
.Case({ArgumentCondition(3, WithinRange, Range(1, IntMax)),
ReturnValueCondition(LessThanOrEq, ArgNo(3)),
@@ -3268,14 +3275,14 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// size_t length,
// int flags, struct sockaddr *restrict address,
// socklen_t *restrict address_len);
- Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy,
+ Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTyCanonTy, IntTy,
StructSockaddrPtrRestrictTy,
Socklen_tPtrRestrictTy},
RetType{Ssize_tTy}),
Recvfrom))
addToFunctionSummaryMap(
"recvfrom",
- Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy,
+ Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTyCanonTy, IntTy,
Irrelevant, Socklen_tPtrRestrictTy},
RetType{Ssize_tTy}),
Recvfrom);
@@ -3297,14 +3304,14 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// ssize_t sendto(int socket, const void *message, size_t length,
// int flags, const struct sockaddr *dest_addr,
// socklen_t dest_len);
- Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy,
+ Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTyCanonTy, IntTy,
ConstStructSockaddrPtrTy, Socklen_tTy},
RetType{Ssize_tTy}),
Sendto))
addToFunctionSummaryMap(
"sendto",
- Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy, Irrelevant,
- Socklen_tTy},
+ Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTyCanonTy, IntTy,
+ Irrelevant, Socklen_tTy},
RetType{Ssize_tTy}),
Sendto);
@@ -3320,7 +3327,7 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// ssize_t recv(int sockfd, void *buf, size_t len, int flags);
addToFunctionSummaryMap(
"recv",
- Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy, IntTy},
+ Signature(ArgTypes{IntTy, VoidPtrTy, SizeTyCanonTy, IntTy},
RetType{Ssize_tTy}),
Summary(NoEvalCall)
.Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
@@ -3395,7 +3402,7 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// ssize_t send(int sockfd, const void *buf, size_t len, int flags);
addToFunctionSummaryMap(
"send",
- Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy},
+ Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTyCanonTy, IntTy},
RetType{Ssize_tTy}),
Summary(NoEvalCall)
.Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
@@ -3683,7 +3690,7 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
// int pthread_attr_setguardsize(pthread_attr_t *attr, size_t guardsize);
addToFunctionSummaryMap(
{"pthread_attr_setstacksize", "pthread_attr_setguardsize"},
- Signature(ArgTypes{Pthread_attr_tPtrTy, SizeTy}, RetType{IntTy}),
+ Signature(ArgTypes{Pthread_attr_tPtrTy, SizeTyCanonTy}, RetType{IntTy}),
Summary(NoEvalCall)
.ArgConstraint(NotNull(ArgNo(0)))
.ArgConstraint(
@@ -3888,13 +3895,14 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
.ArgConstraint(NotNull(ArgNo(1))));
addToFunctionSummaryMap(
"__buf_size_arg_constraint",
- Signature(ArgTypes{ConstVoidPtrTy, SizeTy}, RetType{IntTy}),
+ Signature(ArgTypes{ConstVoidPtrTy, SizeTyCanonTy}, RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(
BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1))));
addToFunctionSummaryMap(
"__buf_size_arg_constraint_mul",
- Signature(ArgTypes{ConstVoidPtrTy, SizeTy, SizeTy}, RetType{IntTy}),
+ Signature(ArgTypes{ConstVoidPtrTy, SizeTyCanonTy, SizeTyCanonTy},
+ RetType{IntTy}),
Summary(EvalCallAsPure)
.ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1),
/*BufSizeMultiplier=*/ArgNo(2))));
diff --git a/clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
index 1042b43..c97341f 100644
--- a/clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp
@@ -92,7 +92,7 @@ ProgramStateRef VLASizeChecker::checkVLA(CheckerContext &C,
ASTContext &Ctx = C.getASTContext();
SValBuilder &SVB = C.getSValBuilder();
- CanQualType SizeTy = Ctx.getSizeType();
+ QualType SizeTy = Ctx.getSizeType();
uint64_t SizeMax =
SVB.getBasicValueFactory().getMaxValue(SizeTy)->getZExtValue();
generated by cgit v1.1 at 2025-07-25 16:49:20 +0000