|
PR analyzer/107711 seems to be a bug in how named constants are looked up
by the analyzer in the C frontend.
To help debug this, this patch extends -fdump-analyzer and
-fdump-analyzer-stderr so that they dump this part of the analyzer's
startup.
gcc/analyzer/ChangeLog:
PR analyzer/107711
* analyzer-language.cc: Include "diagnostic.h".
(maybe_stash_named_constant): Add logger param and use it to log
the name being looked up, and the result.
(stash_named_constants): New, splitting out from...
(on_finish_translation_unit): ...this function. Call
get_or_create_logfile and use the result to create a logger
instance, passing it to stash_named_constants.
* analyzer.h (get_or_create_any_logfile): New decl.
* engine.cc (dump_fout, owns_dump_fout): New globals, split out
from run_checkers.
(get_or_create_any_logfile): New function, split out from...
(run_checkers): ...here, so that the logfile can be opened by
on_finish_translation_unit. Clear the globals when closing the
dump file.
gcc/testsuite/ChangeLog:
PR analyzer/107711
* gcc.dg/analyzer/fdump-analyzer-1.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
This patch generalizes the analyzer's file descriptor state machine
so that it tracks the states of sockets.
It adds two new warnings relating to misuses of socket APIs:
* -Wanalyzer-fd-phase-mismatch (e.g. calling 'accept' on a socket
before calling 'listen' on it)
* -Wanalyzer-fd-type-mismatch (e.g. using a stream socket operation
on a datagram socket)
gcc/analyzer/ChangeLog:
PR analyzer/106140
* analyzer-language.cc (on_finish_translation_unit): Stash named
constants "SOCK_STREAM" and "SOCK_DGRAM".
* analyzer.opt (Wanalyzer-fd-phase-mismatch): New.
(Wanalyzer-fd-type-mismatch): New.
* engine.cc (impl_region_model_context::get_state_map_by_name):
Add "out_sm_context" param. Allow out_sm_idx to be NULL.
* exploded-graph.h
(impl_region_model_context::get_state_map_by_name):
Add "out_sm_context" param.
* region-model-impl-calls.cc (region_model::impl_call_accept): New.
(region_model::impl_call_bind): New.
(region_model::impl_call_connect): New.
(region_model::impl_call_listen): New.
(region_model::impl_call_socket): New.
* region-model.cc (region_model::on_call_pre): Special-case
"bind".
(region_model::on_call_post): Special-case "accept", "bind",
"connect", "listen", and "socket".
* region-model.h (region_model::impl_call_accept): New decl.
(region_model::impl_call_bind): New decl.
(region_model::impl_call_connect): New decl.
(region_model::impl_call_listen): New decl.
(region_model::impl_call_socket): New decl.
(region_model::on_socket): New decl.
(region_model::on_bind): New decl.
(region_model::on_listen): New decl.
(region_model::on_accept): New decl.
(region_model::on_connect): New decl.
(region_model::add_constraint): Make public.
(region_model::check_for_poison): Make public.
(region_model_context::get_state_map_by_name): Add out_sm_context param.
(region_model_context::get_fd_map): Likewise.
(region_model_context::get_malloc_map): Likewise.
(region_model_context::get_taint_map): Likewise.
(noop_region_model_context::get_state_map_by_name): Likewise.
(region_model_context_decorator::get_state_map_by_name): Likewise.
* sm-fd.cc: Include "analyzer/supergraph.h" and
"analyzer/analyzer-language.h".
(enum expected_phase): New enum.
(fd_state_machine::m_new_datagram_socket): New.
(fd_state_machine::m_new_stream_socket): New.
(fd_state_machine::m_new_unknown_socket): New.
(fd_state_machine::m_bound_datagram_socket): New.
(fd_state_machine::m_bound_stream_socket): New.
(fd_state_machine::m_bound_unknown_socket): New.
(fd_state_machine::m_listening_stream_socket): New.
(fd_state_machine::m_m_connected_stream_socket): New.
(fd_state_machine::m_SOCK_STREAM): New.
(fd_state_machine::m_SOCK_DGRAM): New.
(fd_diagnostic::describe_state_change): Handle socket states.
(fd_diagnostic::get_meaning_for_state_change): Likewise.
(class fd_phase_mismatch): New.
(enum expected_type): New enum.
(class fd_type_mismatch): New.
(fd_state_machine::fd_state_machine): Initialize new states and
stashed named constants.
(fd_state_machine::is_socket_fd_p): New.
(fd_state_machine::is_datagram_socket_fd_p): New.
(fd_state_machine::is_stream_socket_fd_p): New.
(fd_state_machine::on_close): Handle the socket states.
(fd_state_machine::check_for_open_fd): Complain about fncalls on
sockets in the wrong phase. Support socket FDs.
(add_constraint_ge_zero): New.
(fd_state_machine::get_state_for_socket_type): New.
(fd_state_machine::on_socket): New.
(fd_state_machine::check_for_socket_fd): New.
(fd_state_machine::check_for_new_socket_fd): New.
(fd_state_machine::on_bind): New.
(fd_state_machine::on_listen): New.
(fd_state_machine::on_accept): New.
(fd_state_machine::on_connect): New.
(fd_state_machine::can_purge_p): Don't purge socket values.
(get_fd_state): New.
(region_model::mark_as_valid_fd): Use get_fd_state.
(region_model::on_socket): New.
(region_model::on_bind): New.
(region_model::on_listen): New.
(region_model::on_accept): New.
(region_model::on_connect): New.
* sm-fd.dot: Update to reflect sm-fd.cc changes.
gcc/ChangeLog:
PR analyzer/106140
* doc/invoke.texi (Static Analyzer Options): Add
-Wanalyzer-fd-phase-mismatch and -Wanalyzer-fd-type-mismatch. Add
"socket", "bind", "listen", "accept", and "connect" to the list of
functions known to the analyzer.
gcc/testsuite/ChangeLog:
PR analyzer/106140
* gcc.dg/analyzer/fd-accept.c: New test.
* gcc.dg/analyzer/fd-bind.c: New test.
* gcc.dg/analyzer/fd-connect.c: New test.
* gcc.dg/analyzer/fd-datagram-socket.c: New test.
* gcc.dg/analyzer/fd-glibc-byte-stream-connection-server.c: New test.
* gcc.dg/analyzer/fd-glibc-byte-stream-socket.c: New test.
* gcc.dg/analyzer/fd-glibc-datagram-client.c: New test.
* gcc.dg/analyzer/fd-glibc-datagram-socket.c: New test.
* gcc.dg/analyzer/fd-glibc-make_named_socket.h: New test.
* gcc.dg/analyzer/fd-listen.c: New test.
* gcc.dg/analyzer/fd-manpage-getaddrinfo-client.c: New test.
* gcc.dg/analyzer/fd-mappage-getaddrinfo-server.c: New test.
* gcc.dg/analyzer/fd-socket-meaning.c: New test.
* gcc.dg/analyzer/fd-socket-misuse.c: New test.
* gcc.dg/analyzer/fd-stream-socket-active-open.c: New test.
* gcc.dg/analyzer/fd-stream-socket-passive-open.c: New test.
* gcc.dg/analyzer/fd-stream-socket.c: New test.
* gcc.dg/analyzer/fd-symbolic-socket.c: New test.
* gcc.dg/analyzer/pr104369-1.c: Add -Wno-analyzer-too-complex and
-Wno-analyzer-fd-leak to options.
* gcc.dg/analyzer/pr104369-2.c: Add -Wno-analyzer-fd-leak to
options.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
|
The analyzer's file-descriptor state machine tracks the access mode of
opened files, so that it can emit -Wanalyzer-fd-access-mode-mismatch.
To do this, its symbolic execution needs to "know" the values of the
constants "O_RDONLY", "O_WRONLY", and "O_ACCMODE". Currently
analyzer/sm-fd.cc simply uses these values directly from the build-time
header files, but these are the values on the host, not those from the
target, which could be different (PR analyzer/106302).
In an earlier discussion of this issue:
https://gcc.gnu.org/pipermail/gcc/2022-June/238954.html
we talked about adding a target hook for this.
However, I've also been experimenting with extending the fd state
machine to track sockets (PR analyzer/106140). For this, it's useful to
"know" the values of the constants "SOCK_STREAM" and "SOCK_DGRAM".
Unfortunately, these seem to have many arbitrary differences from target
to target.
For example: Linux/glibc general has SOCK_STREAM == 1, SOCK_DGRAM == 2,
as does AIX, but annoyingly, e.g. Linux on MIPS has them the other way
around.
It seems to me that as the analyzer grows more ambitious modeling of the
behavior of APIs (perhaps via plugins) it's more likely that the
analyzer will need to know the values of named constants, which might
not even exist on the host.
For example, at LPC it was suggested to me that -fanalyzer could check
rules about memory management inside the Linux kernel (probably via a
plugin), but doing so involves a bunch of GFP_* flags (see PR 107472).
So rather than trying to capture all this knowledge in a target hook,
this patch attempts to get at named constant values from the user's
source code.
The patch adds an interface for frontends to call into the analyzer as
the translation unit finishes. The analyzer can then call back into the
frontend to ask about the values of the named constants it cares about
whilst the frontend's data structures are still around.
The patch implements this for the C frontend, which looks up the names
by looking for named CONST_DECLs (which handles enum values). Failing
that, it attempts to look up the values of macros but only the simplest
cases are supported (a non-traditional macro with a single CPP_NUMBER
token). It does this by building a buffer containing the macro
definition and rerunning a lexer on it.
The analyzer gracefully handles the cases where named values aren't
found (such as anything more complicated than described above).
The patch ports the analyzer to use this mechanism for "O_RDONLY",
"O_WRONLY", and "O_ACCMODE". I have successfully tested my socket patch
to also use this for "SOCK_STREAM" and "SOCK_DGRAM", so the technique
seems to work.
gcc/ChangeLog:
PR analyzer/106302
* Makefile.in (ANALYZER_OBJS): Add analyzer/analyzer-language.o.
(GTFILES): Add analyzer/analyzer-language.cc.
* doc/analyzer.texi: Document __analyzer_dump_named_constant.
gcc/analyzer/ChangeLog:
PR analyzer/106302
* analyzer-language.cc: New file.
* analyzer-language.h: New file.
* analyzer.h (get_stashed_constant_by_name): New decl.
(log_stashed_constants): New decl.
* engine.cc (impl_run_checkers): Call log_stashed_constants.
* region-model-impl-calls.cc
(region_model::impl_call_analyzer_dump_named_constant): New.
* region-model.cc (region_model::on_stmt_pre): Handle
__analyzer_dump_named_constant.
* region-model.h
(region_model::impl_call_analyzer_dump_named_constant): New decl.
* sm-fd.cc (fd_state_machine::m_O_ACCMODE): New.
(fd_state_machine::m_O_RDONLY): New.
(fd_state_machine::m_O_WRONLY): New.
(fd_state_machine::fd_state_machine): Initialize the new fields.
(fd_state_machine::get_access_mode_from_flag): Use the new fields,
rather than using the host values.
gcc/c/ChangeLog:
PR analyzer/106302
* c-parser.cc: Include "analyzer/analyzer-language.h" and "toplev.h".
(class ana::c_translation_unit): New.
(c_parser_translation_unit): Call ana::on_finish_translation_unit.
gcc/testsuite/ChangeLog:
* gcc.dg/analyzer/analyzer-decls.h
(__analyzer_dump_named_constant): New decl.
* gcc.dg/analyzer/fd-4.c (void): Likewise.
(O_ACCMODE): Define.
* gcc.dg/analyzer/fd-access-mode-enum.c: New test, based on .
* gcc.dg/analyzer/fd-5.c: ...this. Rename to...
* gcc.dg/analyzer/fd-access-mode-macros.c: ...this.
(O_ACCMODE): Define.
* gcc.dg/analyzer/fd-access-mode-target-headers.c: New test, also
based on fd-5.c.
(test_sm_fd_constants): New.
* gcc.dg/analyzer/fd-dup-1.c (O_ACCMODE): Define.
* gcc.dg/analyzer/named-constants-via-enum.c: New test.
* gcc.dg/analyzer/named-constants-via-enum-and-macro.c: New test.
* gcc.dg/analyzer/named-constants-via-macros-2.c: New test.
* gcc.dg/analyzer/named-constants-via-macros.c: New test.
Signed-off-by: David Malcolm <dmalcolm@redhat.com>
|
