search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libcpp, c, middle-end: Optimize initializers using #embed in C
[official-gcc.git] / gcc / analyzer / sm-file.cc
blob98ca4e4c9eb4069f97e7c9707e86268702acff83
1 /* A state machine for detecting misuses of <stdio.h>'s FILE * API.
2 Copyright (C) 2019-2024 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
4
5 This file is part of GCC.
6
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
10 any later version.
11
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
20
21 #include "config.h"
22 #define INCLUDE_MEMORY
23 #define INCLUDE_VECTOR
24 #include "system.h"
25 #include "coretypes.h"
26 #include "make-unique.h"
27 #include "tree.h"
28 #include "function.h"
29 #include "basic-block.h"
30 #include "gimple.h"
31 #include "options.h"
32 #include "diagnostic-path.h"
33 #include "analyzer/analyzer.h"
34 #include "diagnostic-event-id.h"
35 #include "analyzer/analyzer-logging.h"
36 #include "analyzer/sm.h"
37 #include "analyzer/pending-diagnostic.h"
38 #include "analyzer/function-set.h"
39 #include "analyzer/analyzer-selftests.h"
40 #include "selftest.h"
41 #include "analyzer/call-string.h"
42 #include "analyzer/program-point.h"
43 #include "analyzer/store.h"
44 #include "analyzer/region-model.h"
45 #include "analyzer/call-details.h"
46
47 #if ENABLE_ANALYZER
48
49 namespace ana {
50
51 namespace {
52
53 /* A state machine for detecting misuses of <stdio.h>'s FILE * API. */
54
55 class fileptr_state_machine : public state_machine
56 {
57 public:
58 fileptr_state_machine (logger *logger);
59
60 bool inherited_state_p () const final override { return false; }
61
62 state_machine::state_t
63 get_default_state (const svalue *sval) const final override
64 {
65 if (tree cst = sval->maybe_get_constant ())
66 {
67 if (zerop (cst))
68 return m_null;
69 }
70 return m_start;
71 }
72
73 bool on_stmt (sm_context &sm_ctxt,
74 const supernode *node,
75 const gimple *stmt) const final override;
76
77 void on_condition (sm_context &sm_ctxt,
78 const supernode *node,
79 const gimple *stmt,
80 const svalue *lhs,
81 enum tree_code op,
82 const svalue *rhs) const final override;
83
84 bool can_purge_p (state_t s) const final override;
85 std::unique_ptr<pending_diagnostic> on_leak (tree var) const final override;
86
87 /* State for a FILE * returned from fopen that hasn't been checked for
88 NULL.
89 It could be an open stream, or could be NULL. */
90 state_t m_unchecked;
91
92 /* State for a FILE * that's known to be NULL. */
93 state_t m_null;
94
95 /* State for a FILE * that's known to be a non-NULL open stream. */
96 state_t m_nonnull;
97
98 /* State for a FILE * that's had fclose called on it. */
99 state_t m_closed;
100
101 /* Stop state, for a FILE * we don't want to track any more. */
102 state_t m_stop;
103 };
104
105 /* Base class for diagnostics relative to fileptr_state_machine. */
106
107 class file_diagnostic : public pending_diagnostic
108 {
109 public:
110 file_diagnostic (const fileptr_state_machine &sm, tree arg)
111 : m_sm (sm), m_arg (arg)
112 {}
113
114 bool subclass_equal_p (const pending_diagnostic &base_other) const override
115 {
116 return same_tree_p (m_arg, ((const file_diagnostic &)base_other).m_arg);
117 }
118
119 label_text describe_state_change (const evdesc::state_change &change)
120 override
121 {
122 if (change.m_old_state == m_sm.get_start_state ()
123 && change.m_new_state == m_sm.m_unchecked)
124 // TODO: verify that it's the fopen stmt, not a copy
125 return label_text::borrow ("opened here");
126 if (change.m_old_state == m_sm.m_unchecked
127 && change.m_new_state == m_sm.m_nonnull)
128 {
129 if (change.m_expr)
130 return change.formatted_print ("assuming %qE is non-NULL",
131 change.m_expr);
132 else
133 return change.formatted_print ("assuming FILE * is non-NULL");
134 }
135 if (change.m_new_state == m_sm.m_null)
136 {
137 if (change.m_expr)
138 return change.formatted_print ("assuming %qE is NULL",
139 change.m_expr);
140 else
141 return change.formatted_print ("assuming FILE * is NULL");
142 }
143 return label_text ();
144 }
145
146 diagnostic_event::meaning
147 get_meaning_for_state_change (const evdesc::state_change &change)
148 const final override
149 {
150 if (change.m_old_state == m_sm.get_start_state ()
151 && change.m_new_state == m_sm.m_unchecked)
152 return diagnostic_event::meaning (diagnostic_event::VERB_acquire,
153 diagnostic_event::NOUN_resource);
154 if (change.m_new_state == m_sm.m_closed)
155 return diagnostic_event::meaning (diagnostic_event::VERB_release,
156 diagnostic_event::NOUN_resource);
157 return diagnostic_event::meaning ();
158 }
159
160 protected:
161 const fileptr_state_machine &m_sm;
162 tree m_arg;
163 };
164
165 class double_fclose : public file_diagnostic
166 {
167 public:
168 double_fclose (const fileptr_state_machine &sm, tree arg)
169 : file_diagnostic (sm, arg)
170 {}
171
172 const char *get_kind () const final override { return "double_fclose"; }
173
174 int get_controlling_option () const final override
175 {
176 return OPT_Wanalyzer_double_fclose;
177 }
178
179 bool emit (diagnostic_emission_context &ctxt) final override
180 {
181 /* CWE-1341: Multiple Releases of Same Resource or Handle. */
182 ctxt.add_cwe (1341);
183 return ctxt.warn ("double %<fclose%> of FILE %qE",
184 m_arg);
185 }
186
187 label_text describe_state_change (const evdesc::state_change &change)
188 override
189 {
190 if (change.m_new_state == m_sm.m_closed)
191 {
192 m_first_fclose_event = change.m_event_id;
193 return change.formatted_print ("first %qs here", "fclose");
194 }
195 return file_diagnostic::describe_state_change (change);
196 }
197
198 label_text describe_final_event (const evdesc::final_event &ev) final override
199 {
200 if (m_first_fclose_event.known_p ())
201 return ev.formatted_print ("second %qs here; first %qs was at %@",
202 "fclose", "fclose",
203 &m_first_fclose_event);
204 return ev.formatted_print ("second %qs here", "fclose");
205 }
206
207 private:
208 diagnostic_event_id_t m_first_fclose_event;
209 };
210
211 class file_leak : public file_diagnostic
212 {
213 public:
214 file_leak (const fileptr_state_machine &sm, tree arg)
215 : file_diagnostic (sm, arg)
216 {}
217
218 const char *get_kind () const final override { return "file_leak"; }
219
220 int get_controlling_option () const final override
221 {
222 return OPT_Wanalyzer_file_leak;
223 }
224
225 bool emit (diagnostic_emission_context &ctxt) final override
226 {
227 /* CWE-775: "Missing Release of File Descriptor or Handle after
228 Effective Lifetime". */
229 ctxt.add_cwe (775);
230 if (m_arg)
231 return ctxt.warn ("leak of FILE %qE", m_arg);
232 else
233 return ctxt.warn ("leak of FILE");
234 }
235
236 label_text describe_state_change (const evdesc::state_change &change)
237 final override
238 {
239 if (change.m_new_state == m_sm.m_unchecked)
240 {
241 m_fopen_event = change.m_event_id;
242 return label_text::borrow ("opened here");
243 }
244 return file_diagnostic::describe_state_change (change);
245 }
246
247 label_text describe_final_event (const evdesc::final_event &ev) final override
248 {
249 if (m_fopen_event.known_p ())
250 {
251 if (ev.m_expr)
252 return ev.formatted_print ("%qE leaks here; was opened at %@",
253 ev.m_expr, &m_fopen_event);
254 else
255 return ev.formatted_print ("leaks here; was opened at %@",
256 &m_fopen_event);
257 }
258 else
259 {
260 if (ev.m_expr)
261 return ev.formatted_print ("%qE leaks here", ev.m_expr);
262 else
263 return ev.formatted_print ("leaks here");
264 }
265 }
266
267 private:
268 diagnostic_event_id_t m_fopen_event;
269 };
270
271 /* fileptr_state_machine's ctor. */
272
273 fileptr_state_machine::fileptr_state_machine (logger *logger)
274 : state_machine ("file", logger),
275 m_unchecked (add_state ("unchecked")),
276 m_null (add_state ("null")),
277 m_nonnull (add_state ("nonnull")),
278 m_closed (add_state ("closed")),
279 m_stop (add_state ("stop"))
280 {
281 }
282
283 /* Get a set of functions that are known to take a FILE * that must be open,
284 and are known to not close it. */
285
286 static function_set
287 get_file_using_fns ()
288 {
289 // TODO: populate this list more fully
290 static const char * const funcnames[] = {
291 /* This array must be kept sorted. */
292 "__fbufsize",
293 "__flbf",
294 "__fpending",
295 "__fpurge",
296 "__freadable",
297 "__freading",
298 "__fsetlocking",
299 "__fwritable",
300 "__fwriting",
301 "clearerr",
302 "clearerr_unlocked",
303 "feof",
304 "feof_unlocked",
305 "ferror",
306 "ferror_unlocked",
307 "fflush", // safe to call with NULL
308 "fflush_unlocked", // safe to call with NULL
309 "fgetc",
310 "fgetc_unlocked",
311 "fgetpos",
312 "fgets",
313 "fgets_unlocked",
314 "fgetwc_unlocked",
315 "fgetws_unlocked",
316 "fileno",
317 "fileno_unlocked",
318 "fprintf",
319 "fputc",
320 "fputc_unlocked",
321 "fputs",
322 "fputs_unlocked",
323 "fputwc_unlocked",
324 "fputws_unlocked",
325 "fread_unlocked",
326 "fseek",
327 "fsetpos",
328 "ftell",
329 "fwrite_unlocked",
330 "getc",
331 "getc_unlocked",
332 "getwc_unlocked",
333 "putc",
334 "putc_unlocked",
335 "rewind",
336 "setbuf",
337 "setbuffer",
338 "setlinebuf",
339 "setvbuf",
340 "ungetc",
341 "vfprintf"
342 };
343 const size_t count = ARRAY_SIZE (funcnames);
344 function_set fs (funcnames, count);
345 return fs;
346 }
347
348 /* Return true if FNDECL is known to require an open FILE *, and is known
349 to not close it. */
350
351 static bool
352 is_file_using_fn_p (tree fndecl)
353 {
354 function_set fs = get_file_using_fns ();
355 if (fs.contains_decl_p (fndecl))
356 return true;
357
358 /* Also support variants of these names prefixed with "_IO_". */
359 const char *name = IDENTIFIER_POINTER (DECL_NAME (fndecl));
360 if (startswith (name, "_IO_") && fs.contains_name_p (name + 4))
361 return true;
362
363 return false;
364 }
365
366 /* Implementation of state_machine::on_stmt vfunc for fileptr_state_machine. */
367
368 bool
369 fileptr_state_machine::on_stmt (sm_context &sm_ctxt,
370 const supernode *node,
371 const gimple *stmt) const
372 {
373 if (const gcall *call = dyn_cast <const gcall *> (stmt))
374 if (tree callee_fndecl = sm_ctxt.get_fndecl_for_call (call))
375 {
376 if (is_named_call_p (callee_fndecl, "fopen", call, 2))
377 {
378 tree lhs = gimple_call_lhs (call);
379 if (lhs)
380 sm_ctxt.on_transition (node, stmt, lhs, m_start, m_unchecked);
381 else
382 {
383 /* TODO: report leak. */
384 }
385 return true;
386 }
387
388 if (is_named_call_p (callee_fndecl, "fclose", call, 1))
389 {
390 tree arg = gimple_call_arg (call, 0);
391
392 sm_ctxt.on_transition (node, stmt, arg, m_start, m_closed);
393
394 // TODO: is it safe to call fclose (NULL) ?
395 sm_ctxt.on_transition (node, stmt, arg, m_unchecked, m_closed);
396 sm_ctxt.on_transition (node, stmt, arg, m_null, m_closed);
397
398 sm_ctxt.on_transition (node, stmt , arg, m_nonnull, m_closed);
399
400 if (sm_ctxt.get_state (stmt, arg) == m_closed)
401 {
402 tree diag_arg = sm_ctxt.get_diagnostic_tree (arg);
403 sm_ctxt.warn (node, stmt, arg,
404 make_unique<double_fclose> (*this, diag_arg));
405 sm_ctxt.set_next_state (stmt, arg, m_stop);
406 }
407 return true;
408 }
409
410 if (is_file_using_fn_p (callee_fndecl))
411 {
412 // TODO: operations on unchecked file
413 return true;
414 }
415 // etc
416 }
417
418 return false;
419 }
420
421 /* Implementation of state_machine::on_condition vfunc for
422 fileptr_state_machine.
423 Potentially transition state 'unchecked' to 'nonnull' or to 'null'. */
424
425 void
426 fileptr_state_machine::on_condition (sm_context &sm_ctxt,
427 const supernode *node,
428 const gimple *stmt,
429 const svalue *lhs,
430 enum tree_code op,
431 const svalue *rhs) const
432 {
433 if (!rhs->all_zeroes_p ())
434 return;
435
436 // TODO: has to be a FILE *, specifically
437 if (!any_pointer_p (lhs))
438 return;
439 // TODO: has to be a FILE *, specifically
440 if (!any_pointer_p (rhs))
441 return;
442
443 if (op == NE_EXPR)
444 {
445 log ("got 'ARG != 0' match");
446 sm_ctxt.on_transition (node, stmt,
447 lhs, m_unchecked, m_nonnull);
448 }
449 else if (op == EQ_EXPR)
450 {
451 log ("got 'ARG == 0' match");
452 sm_ctxt.on_transition (node, stmt,
453 lhs, m_unchecked, m_null);
454 }
455 }
456
457 /* Implementation of state_machine::can_purge_p vfunc for fileptr_state_machine.
458 Don't allow purging of pointers in state 'unchecked' or 'nonnull'
459 (to avoid false leak reports). */
460
461 bool
462 fileptr_state_machine::can_purge_p (state_t s) const
463 {
464 return s != m_unchecked && s != m_nonnull;
465 }
466
467 /* Implementation of state_machine::on_leak vfunc for
468 fileptr_state_machine, for complaining about leaks of FILE * in
469 state 'unchecked' and 'nonnull'. */
470
471 std::unique_ptr<pending_diagnostic>
472 fileptr_state_machine::on_leak (tree var) const
473 {
474 return make_unique<file_leak> (*this, var);
475 }
476
477 } // anonymous namespace
478
479 /* Internal interface to this file. */
480
481 state_machine *
482 make_fileptr_state_machine (logger *logger)
483 {
484 return new fileptr_state_machine (logger);
485 }
486
487 /* Handler for various stdio-related builtins that merely have external
488 effects that are out of scope for the analyzer: we only want to model
489 the effects on the return value. */
490
491 class kf_stdio_output_fn : public pure_known_function_with_default_return
492 {
493 public:
494 bool matches_call_types_p (const call_details &) const final override
495 {
496 return true;
497 }
498
499 /* A no-op; we just want the conjured return value. */
500 };
501
502 /* Handler for "ferror"". */
503
504 class kf_ferror : public pure_known_function_with_default_return
505 {
506 public:
507 bool matches_call_types_p (const call_details &cd) const final override
508 {
509 return (cd.num_args () == 1
510 && cd.arg_is_pointer_p (0));
511 }
512
513 /* No side effects. */
514 };
515
516 /* Handler for "fileno"". */
517
518 class kf_fileno : public pure_known_function_with_default_return
519 {
520 public:
521 bool matches_call_types_p (const call_details &cd) const final override
522 {
523 return (cd.num_args () == 1
524 && cd.arg_is_pointer_p (0));
525 }
526
527 /* No side effects. */
528 };
529
530 /* Handler for "fgets" and "fgets_unlocked". */
531
532 class kf_fgets : public known_function
533 {
534 public:
535 bool matches_call_types_p (const call_details &cd) const final override
536 {
537 return (cd.num_args () == 3
538 && cd.arg_is_pointer_p (0)
539 && cd.arg_is_pointer_p (2));
540 }
541
542 void impl_call_pre (const call_details &cd) const final override
543 {
544 /* Ideally we would bifurcate state here between the
545 error vs no error cases. */
546 region_model *model = cd.get_model ();
547 const svalue *ptr_sval = cd.get_arg_svalue (0);
548 if (const region *reg = ptr_sval->maybe_get_region ())
549 {
550 const region *base_reg = reg->get_base_region ();
551 const svalue *new_sval = cd.get_or_create_conjured_svalue (base_reg);
552 model->set_value (base_reg, new_sval, cd.get_ctxt ());
553 }
554 cd.set_any_lhs_with_defaults ();
555 }
556 };
557
558 /* Handler for "fread".
559 size_t fread(void *restrict buffer, size_t size, size_t count,
560 FILE *restrict stream);
561 See e.g. https://en.cppreference.com/w/c/io/fread
562 and https://www.man7.org/linux/man-pages/man3/fread.3.html */
563
564 class kf_fread : public known_function
565 {
566 public:
567 bool matches_call_types_p (const call_details &cd) const final override
568 {
569 return (cd.num_args () == 4
570 && cd.arg_is_pointer_p (0)
571 && cd.arg_is_size_p (1)
572 && cd.arg_is_size_p (2)
573 && cd.arg_is_pointer_p (3));
574 }
575
576 /* For now, assume that any call to "fread" fully clobbers the buffer
577 passed in. This isn't quite correct (e.g. errors, partial reads;
578 see PR analyzer/108689), but at least stops us falsely complaining
579 about the buffer being uninitialized. */
580 void impl_call_pre (const call_details &cd) const final override
581 {
582 region_model *model = cd.get_model ();
583 const svalue *ptr_sval = cd.get_arg_svalue (0);
584 if (const region *reg = ptr_sval->maybe_get_region ())
585 {
586 const region *base_reg = reg->get_base_region ();
587 const svalue *new_sval = cd.get_or_create_conjured_svalue (base_reg);
588 model->set_value (base_reg, new_sval, cd.get_ctxt ());
589 }
590 cd.set_any_lhs_with_defaults ();
591 }
592 };
593
594 /* Handler for "getc"". */
595
596 class kf_getc : public pure_known_function_with_default_return
597 {
598 public:
599 bool matches_call_types_p (const call_details &cd) const final override
600 {
601 return (cd.num_args () == 1
602 && cd.arg_is_pointer_p (0));
603 }
604 };
605
606 /* Handler for "getchar"". */
607
608 class kf_getchar : public pure_known_function_with_default_return
609 {
610 public:
611 bool matches_call_types_p (const call_details &cd) const final override
612 {
613 return cd.num_args () == 0;
614 }
615
616 /* Empty. No side-effects (tracking stream state is out-of-scope
617 for the analyzer). */
618 };
619
620 /* Populate KFM with instances of known functions relating to
621 stdio streams. */
622
623 void
624 register_known_file_functions (known_function_manager &kfm)
625 {
626 kfm.add (BUILT_IN_FPRINTF, make_unique<kf_stdio_output_fn> ());
627 kfm.add (BUILT_IN_FPRINTF_UNLOCKED, make_unique<kf_stdio_output_fn> ());
628 kfm.add (BUILT_IN_FPUTC, make_unique<kf_stdio_output_fn> ());
629 kfm.add (BUILT_IN_FPUTC_UNLOCKED, make_unique<kf_stdio_output_fn> ());
630 kfm.add (BUILT_IN_FPUTS, make_unique<kf_stdio_output_fn> ());
631 kfm.add (BUILT_IN_FPUTS_UNLOCKED, make_unique<kf_stdio_output_fn> ());
632 kfm.add (BUILT_IN_FWRITE, make_unique<kf_stdio_output_fn> ());
633 kfm.add (BUILT_IN_FWRITE_UNLOCKED, make_unique<kf_stdio_output_fn> ());
634 kfm.add (BUILT_IN_PRINTF, make_unique<kf_stdio_output_fn> ());
635 kfm.add (BUILT_IN_PRINTF_UNLOCKED, make_unique<kf_stdio_output_fn> ());
636 kfm.add (BUILT_IN_PUTC, make_unique<kf_stdio_output_fn> ());
637 kfm.add (BUILT_IN_PUTCHAR, make_unique<kf_stdio_output_fn> ());
638 kfm.add (BUILT_IN_PUTCHAR_UNLOCKED, make_unique<kf_stdio_output_fn> ());
639 kfm.add (BUILT_IN_PUTC_UNLOCKED, make_unique<kf_stdio_output_fn> ());
640 kfm.add (BUILT_IN_PUTS, make_unique<kf_stdio_output_fn> ());
641 kfm.add (BUILT_IN_PUTS_UNLOCKED, make_unique<kf_stdio_output_fn> ());
642 kfm.add (BUILT_IN_VFPRINTF, make_unique<kf_stdio_output_fn> ());
643 kfm.add (BUILT_IN_VPRINTF, make_unique<kf_stdio_output_fn> ());
644
645 kfm.add ("ferror", make_unique<kf_ferror> ());
646 kfm.add ("fgets", make_unique<kf_fgets> ());
647 kfm.add ("fgets_unlocked", make_unique<kf_fgets> ()); // non-standard
648 kfm.add ("fileno", make_unique<kf_fileno> ());
649 kfm.add ("fread", make_unique<kf_fread> ());
650 kfm.add ("getc", make_unique<kf_getc> ());
651 kfm.add ("getchar", make_unique<kf_getchar> ());
652
653 /* Some C++ implementations use the std:: copies of these functions
654 from <cstdio> for <stdio.h>, so we must match against these too. */
655 kfm.add_std_ns ("ferror", make_unique<kf_ferror> ());
656 kfm.add_std_ns ("fgets", make_unique<kf_fgets> ());
657 kfm.add_std_ns ("fread", make_unique<kf_fread> ());
658 kfm.add_std_ns ("getc", make_unique<kf_getc> ());
659 kfm.add_std_ns ("getchar", make_unique<kf_getchar> ());
660 }
661
662 #if CHECKING_P
663
664 namespace selftest {
665
666 /* Run all of the selftests within this file. */
667
668 void
669 analyzer_sm_file_cc_tests ()
670 {
671 function_set fs = get_file_using_fns ();
672 fs.assert_sorted ();
673 fs.assert_sane ();
674 }
675
676 } // namespace selftest
677
678 #endif /* CHECKING_P */
679
680 } // namespace ana
681
682 #endif /* #if ENABLE_ANALYZER */
Mirror of the offical gcc git repository hosted at gcc.gnu.org