1 /* A state machine for detecting misuses of <stdio.h>'s FILE * API.
2 Copyright (C) 2019-2023 Free Software Foundation, Inc.
3 Contributed by David Malcolm <dmalcolm@redhat.com>.
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify it
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3, or (at your option)
12 GCC is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
22 #define INCLUDE_MEMORY
24 #include "coretypes.h"
25 #include "make-unique.h"
28 #include "basic-block.h"
31 #include "diagnostic-path.h"
32 #include "analyzer/analyzer.h"
33 #include "diagnostic-event-id.h"
34 #include "analyzer/analyzer-logging.h"
35 #include "analyzer/sm.h"
36 #include "analyzer/pending-diagnostic.h"
37 #include "analyzer/function-set.h"
38 #include "analyzer/analyzer-selftests.h"
40 #include "analyzer/call-string.h"
41 #include "analyzer/program-point.h"
42 #include "analyzer/store.h"
43 #include "analyzer/region-model.h"
44 #include "analyzer/call-details.h"
52 /* A state machine for detecting misuses of <stdio.h>'s FILE * API. */
54 class fileptr_state_machine
: public state_machine
57 fileptr_state_machine (logger
*logger
);
/* Overrides state_machine::inherited_state_p and always answers false
   (presumably: a FILE *'s state is never inherited from an enclosing
   value -- confirm against the vfunc's description in analyzer/sm.h).  */
59 bool inherited_state_p () const final override
{ return false; }
61 state_machine::state_t
62 get_default_state (const svalue
*sval
) const final override
64 if (tree cst
= sval
->maybe_get_constant ())
72 bool on_stmt (sm_context
*sm_ctxt
,
73 const supernode
*node
,
74 const gimple
*stmt
) const final override
;
76 void on_condition (sm_context
*sm_ctxt
,
77 const supernode
*node
,
81 const svalue
*rhs
) const final override
;
83 bool can_purge_p (state_t s
) const final override
;
84 std::unique_ptr
<pending_diagnostic
> on_leak (tree var
) const final override
;
86 /* State for a FILE * returned from fopen that hasn't been checked for NULL.
88 It could be an open stream, or could be NULL. */
91 /* State for a FILE * that's known to be NULL. */
94 /* State for a FILE * that's known to be a non-NULL open stream. */
97 /* State for a FILE * that's had fclose called on it. */
100 /* Stop state, for a FILE * we don't want to track any more. */
104 /* Base class for diagnostics relative to fileptr_state_machine. */
106 class file_diagnostic
: public pending_diagnostic
/* SM: the state machine this diagnostic belongs to.  It is held by
   reference (see m_sm), so it must outlive the diagnostic.
   ARG: the tree for the FILE * being reported; subclasses such as
   file_leak::emit also handle the case where no usable tree is
   available.  */
109 file_diagnostic (const fileptr_state_machine
&sm
, tree arg
)
110 : m_sm (sm
), m_arg (arg
)
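/* Two file diagnostics are equal when they refer to the same tree.
   BASE_OTHER is presumably always of this subclass when the framework
   calls this (the original unchecked cast relied on that); a named
   static_cast keeps the downcast visible and compiler-checked instead
   of a C-style cast that could silently degrade to reinterpret_cast.  */
bool subclass_equal_p (const pending_diagnostic &base_other) const override
{
  const file_diagnostic &other
    = static_cast<const file_diagnostic &> (base_other);
  return same_tree_p (m_arg, other.m_arg);
}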
118 label_text
describe_state_change (const evdesc::state_change
&change
)
121 if (change
.m_old_state
== m_sm
.get_start_state ()
122 && change
.m_new_state
== m_sm
.m_unchecked
)
123 // TODO: verify that it's the fopen stmt, not a copy
124 return label_text::borrow ("opened here");
125 if (change
.m_old_state
== m_sm
.m_unchecked
126 && change
.m_new_state
== m_sm
.m_nonnull
)
129 return change
.formatted_print ("assuming %qE is non-NULL",
132 return change
.formatted_print ("assuming FILE * is non-NULL");
134 if (change
.m_new_state
== m_sm
.m_null
)
137 return change
.formatted_print ("assuming %qE is NULL",
140 return change
.formatted_print ("assuming FILE * is NULL");
142 return label_text ();
/* Classify a state change for the diagnostic path: the transition from
   the start state into 'unchecked' (the fopen) is the acquisition of a
   resource, and any transition into 'closed' (the fclose) is its
   release.  Every other transition carries no particular meaning.  */
145 diagnostic_event::meaning
146 get_meaning_for_state_change (const evdesc::state_change
&change
)
149 if (change
.m_old_state
== m_sm
.get_start_state ()
150 && change
.m_new_state
== m_sm
.m_unchecked
)
151 return diagnostic_event::meaning (diagnostic_event::VERB_acquire
,
152 diagnostic_event::NOUN_resource
);
153 if (change
.m_new_state
== m_sm
.m_closed
)
154 return diagnostic_event::meaning (diagnostic_event::VERB_release
,
155 diagnostic_event::NOUN_resource
);
156 return diagnostic_event::meaning ();
/* The state machine this diagnostic was created by, held by reference
   so that its states (m_unchecked, m_null, m_nonnull, m_closed) can be
   compared against; the diagnostic must not outlive it.  */
160 const fileptr_state_machine
&m_sm
;
164 class double_fclose
: public file_diagnostic
/* SM and ARG are forwarded unchanged to file_diagnostic's ctor.  */
167 double_fclose (const fileptr_state_machine
&sm
, tree arg
)
168 : file_diagnostic (sm
, arg
)
/* Short name identifying this kind of diagnostic.  */
171 const char *get_kind () const final override
{ return "double_fclose"; }
/* The warning option that controls this diagnostic
   (-Wanalyzer-double-fclose).  */
173 int get_controlling_option () const final override
175 return OPT_Wanalyzer_double_fclose
;
178 bool emit (diagnostic_emission_context
&ctxt
) final override
180 /* CWE-1341: Multiple Releases of Same Resource or Handle. */
182 return ctxt
.warn ("double %<fclose%> of FILE %qE",
/* Describe one state change on the path.  A transition into 'closed'
   is the first fclose: remember its event id (so describe_final_event
   can cross-reference it) and label it.  Anything else is described by
   the base class.  */
186 label_text
describe_state_change (const evdesc::state_change
&change
)
189 if (change
.m_new_state
== m_sm
.m_closed
)
191 m_first_fclose_event
= change
.m_event_id
;
192 return change
.formatted_print ("first %qs here", "fclose");
194 return file_diagnostic::describe_state_change (change
);
197 label_text
describe_final_event (const evdesc::final_event
&ev
) final override
199 if (m_first_fclose_event
.known_p ())
200 return ev
.formatted_print ("second %qs here; first %qs was at %@",
202 &m_first_fclose_event
);
203 return ev
.formatted_print ("second %qs here", "fclose");
/* Event id of the first fclose, recorded by describe_state_change;
   known_p () is false until that transition has been described.  */
207 diagnostic_event_id_t m_first_fclose_event
;
210 class file_leak
: public file_diagnostic
/* SM and ARG are forwarded unchanged to file_diagnostic's ctor.  */
213 file_leak (const fileptr_state_machine
&sm
, tree arg
)
214 : file_diagnostic (sm
, arg
)
/* Short name identifying this kind of diagnostic.  */
217 const char *get_kind () const final override
{ return "file_leak"; }
/* The warning option that controls this diagnostic
   (-Wanalyzer-file-leak).  */
219 int get_controlling_option () const final override
221 return OPT_Wanalyzer_file_leak
;
224 bool emit (diagnostic_emission_context
&ctxt
) final override
226 /* CWE-775: "Missing Release of File Descriptor or Handle after
227 Effective Lifetime". */
230 return ctxt
.warn ("leak of FILE %qE", m_arg
);
232 return ctxt
.warn ("leak of FILE");
/* Describe one state change on the path.  A transition into 'unchecked'
   is where the stream was opened: remember its event id so
   describe_final_event can point back to it.  Note that only the new
   state is tested here (the base class additionally requires the old
   state to be the start state).  Anything else is described by the
   base class.  */
235 label_text
describe_state_change (const evdesc::state_change
&change
)
238 if (change
.m_new_state
== m_sm
.m_unchecked
)
240 m_fopen_event
= change
.m_event_id
;
241 return label_text::borrow ("opened here");
243 return file_diagnostic::describe_state_change (change
);
246 label_text
describe_final_event (const evdesc::final_event
&ev
) final override
248 if (m_fopen_event
.known_p ())
251 return ev
.formatted_print ("%qE leaks here; was opened at %@",
252 ev
.m_expr
, &m_fopen_event
);
254 return ev
.formatted_print ("leaks here; was opened at %@",
260 return ev
.formatted_print ("%qE leaks here", ev
.m_expr
);
262 return ev
.formatted_print ("leaks here");
/* Event id of the fopen, recorded by describe_state_change;
   known_p () is false until that transition has been described.  */
267 diagnostic_event_id_t m_fopen_event
;
270 /* fileptr_state_machine's ctor. */
/* Register the machine under the name "file" and create its states.
   Besides the inherited start state these are:
     unchecked: fopen's result, not yet compared against NULL;
     null:      known to be NULL;
     nonnull:   known to be a non-NULL open stream;
     closed:    fclose has been called on it;
     stop:      no longer tracked.  */
272 fileptr_state_machine::fileptr_state_machine (logger
*logger
)
273 : state_machine ("file", logger
),
274 m_unchecked (add_state ("unchecked")),
275 m_null (add_state ("null")),
276 m_nonnull (add_state ("nonnull")),
277 m_closed (add_state ("closed")),
278 m_stop (add_state ("stop"))
282 /* Get a set of functions that are known to take a FILE * that must be open,
283 and are known to not close it. */
286 get_file_using_fns ()
288 // TODO: populate this list more fully
289 static const char * const funcnames
[] = {
290 /* This array must be kept sorted. */
306 "fflush", // safe to call with NULL
307 "fflush_unlocked", // safe to call with NULL
342 const size_t count
= ARRAY_SIZE (funcnames
);
343 function_set
fs (funcnames
, count
);
347 /* Return true if FNDECL is known to require an open FILE *, and is known to not close it. */
351 is_file_using_fn_p (tree fndecl
)
353 function_set fs
= get_file_using_fns ();
354 if (fs
.contains_decl_p (fndecl
))
357 /* Also support variants of these names prefixed with "_IO_". */
358 const char *name
= IDENTIFIER_POINTER (DECL_NAME (fndecl
));
359 if (startswith (name
, "_IO_") && fs
.contains_name_p (name
+ 4))
365 /* Implementation of state_machine::on_stmt vfunc for fileptr_state_machine. */
/* Track FILE * values across calls to fopen and fclose.
   SM_CTXT: the state-machine context used to read and transition
   per-value state and to report diagnostics.
   NODE, STMT: the supernode and gimple statement being processed.
   Only call statements whose callee can be resolved are of interest.  */
368 fileptr_state_machine::on_stmt (sm_context
*sm_ctxt
,
369 const supernode
*node
,
370 const gimple
*stmt
) const
372 if (const gcall
*call
= dyn_cast
<const gcall
*> (stmt
))
373 if (tree callee_fndecl
= sm_ctxt
->get_fndecl_for_call (call
))
/* fopen (path, mode): the returned FILE * starts out 'unchecked', i.e.
   it may be an open stream or NULL until a comparison against NULL
   (see on_condition) resolves it.  */
375 if (is_named_call_p (callee_fndecl
, "fopen", call
, 2))
377 tree lhs
= gimple_call_lhs (call
);
379 sm_ctxt
->on_transition (node
, stmt
, lhs
, m_start
, m_unchecked
);
382 /* TODO: report leak. */
/* fclose (stream): every tracked state moves to 'closed'.  */
387 if (is_named_call_p (callee_fndecl
, "fclose", call
, 1))
389 tree arg
= gimple_call_arg (call
, 0);
391 sm_ctxt
->on_transition (node
, stmt
, arg
, m_start
, m_closed
);
393 // TODO: is it safe to call fclose (NULL) ?
/* NOTE(review): a FILE * that is known to be NULL is also moved to
   'closed' without any diagnostic, so a first fclose (NULL) is not
   itself reported here; only a later second fclose of the same value
   is (as a double_fclose).  */
394 sm_ctxt
->on_transition (node
, stmt
, arg
, m_unchecked
, m_closed
);
395 sm_ctxt
->on_transition (node
, stmt
, arg
, m_null
, m_closed
);
397 sm_ctxt
->on_transition (node
, stmt
, arg
, m_nonnull
, m_closed
);
/* If the stream is already 'closed' (get_state presumably reflects the
   state before this statement's transitions take effect -- otherwise
   every fclose would warn), this is a double fclose (CWE-1341, see
   double_fclose): report it and move the value to 'stop' so it is no
   longer tracked.  */
399 if (sm_ctxt
->get_state (stmt
, arg
) == m_closed
)
401 tree diag_arg
= sm_ctxt
->get_diagnostic_tree (arg
);
402 sm_ctxt
->warn (node
, stmt
, arg
,
403 make_unique
<double_fclose
> (*this, diag_arg
));
404 sm_ctxt
->set_next_state (stmt
, arg
, m_stop
);
/* Other functions that take an open FILE * without closing it (see
   get_file_using_fns) are recognized but, per the TODO below, not yet
   acted upon.  */
409 if (is_file_using_fn_p (callee_fndecl
))
411 // TODO: operations on unchecked file
420 /* Implementation of state_machine::on_condition vfunc for
421 fileptr_state_machine.
422 Potentially transition state 'unchecked' to 'nonnull' or to 'null'. */
425 fileptr_state_machine::on_condition (sm_context
*sm_ctxt
,
426 const supernode
*node
,
430 const svalue
*rhs
) const
432 if (!rhs
->all_zeroes_p ())
435 // TODO: has to be a FILE *, specifically
436 if (!any_pointer_p (lhs
))
438 // TODO: has to be a FILE *, specifically
439 if (!any_pointer_p (rhs
))
444 log ("got 'ARG != 0' match");
445 sm_ctxt
->on_transition (node
, stmt
,
446 lhs
, m_unchecked
, m_nonnull
);
448 else if (op
== EQ_EXPR
)
450 log ("got 'ARG == 0' match");
451 sm_ctxt
->on_transition (node
, stmt
,
452 lhs
, m_unchecked
, m_null
);
456 /* Implementation of state_machine::can_purge_p vfunc for fileptr_state_machine.
457 Don't allow purging of pointers in state 'unchecked' or 'nonnull'
458 (to avoid false leak reports). */
461 fileptr_state_machine::can_purge_p (state_t s
) const
/* 'unchecked' and 'nonnull' may still be open streams, so purging them
   would lose the leak report; every other state (start, 'null',
   'closed', 'stop') is safe to drop.  */
463 return s
!= m_unchecked
&& s
!= m_nonnull
;
466 /* Implementation of state_machine::on_leak vfunc for
467 fileptr_state_machine, for complaining about leaks of FILE * in
468 state 'unchecked' and 'nonnull'. */
/* Called when VAR, a FILE * in 'unchecked' or 'nonnull' (the states
   can_purge_p refuses to purge), goes out of reach without an fclose:
   build the file_leak diagnostic (CWE-775) for it.  */
470 std::unique_ptr
<pending_diagnostic
>
471 fileptr_state_machine::on_leak (tree var
) const
473 return make_unique
<file_leak
> (*this, var
);
476 } // anonymous namespace
478 /* Internal interface to this file. */
/* Factory for the FILE * state machine, logging through LOGGER.
   NOTE(review): returns a raw pointer allocated with `new'; nothing here
   releases it, so presumably the caller's registry takes ownership --
   confirm.  */
481 make_fileptr_state_machine (logger
*logger
)
483 return new fileptr_state_machine (logger
);
486 /* Handler for various stdio-related builtins that merely have external
487 effects that are out of scope for the analyzer: we only want to model
488 the effects on the return value. */
490 class kf_stdio_output_fn
: public pure_known_function_with_default_return
493 bool matches_call_types_p (const call_details
&) const final override
498 /* A no-op; we just want the conjured return value. */
501 /* Handler for "ferror". */
503 class kf_ferror
: public pure_known_function_with_default_return
/* ferror (FILE *stream): exactly one argument, which must be a pointer.  */
bool matches_call_types_p (const call_details &cd) const final override
{
  if (cd.num_args () != 1)
    return false;
  return cd.arg_is_pointer_p (0);
}
512 /* No side effects. */
515 /* Handler for "fileno". */
517 class kf_fileno
: public pure_known_function_with_default_return
/* fileno (FILE *stream): exactly one argument, which must be a pointer.  */
bool matches_call_types_p (const call_details &cd) const final override
{
  if (cd.num_args () != 1)
    return false;
  return cd.arg_is_pointer_p (0);
}
526 /* No side effects. */
529 /* Handler for "fgets" and "fgets_unlocked". */
531 class kf_fgets
: public known_function
/* fgets (char *s, int size, FILE *stream): three arguments, with the
   buffer (0) and the stream (2) both pointers.  The size argument (1)
   is not type-checked here.  */
bool matches_call_types_p (const call_details &cd) const final override
{
  if (cd.num_args () != 3)
    return false;
  if (!cd.arg_is_pointer_p (0))
    return false;
  return cd.arg_is_pointer_p (2);
}
/* Model a call to fgets before it happens: the destination buffer is
   treated as fully overwritten and the call's lhs gets its default.  */
void impl_call_pre (const call_details &cd) const final override
{
  /* Ideally we would bifurcate state here between the
     error vs no error cases.  */
  region_model *model = cd.get_model ();
  const region *dest_reg = cd.get_arg_svalue (0)->maybe_get_region ();
  if (dest_reg)
    {
      /* Overwrite the whole base region of the destination buffer with
	 a fresh conjured value.  NOTE: the size argument (index 1) is
	 not consulted, so the write is not bounded to at most that many
	 bytes here.  */
      const region *dest_base = dest_reg->get_base_region ();
      const svalue *fresh = cd.get_or_create_conjured_svalue (dest_base);
      model->set_value (dest_base, fresh, cd.get_ctxt ());
    }
  /* Give the call's lhs, if any, its default value.  */
  cd.set_any_lhs_with_defaults ();
}
557 /* Handler for "fread".
558 size_t fread(void *restrict buffer, size_t size, size_t count,
559 FILE *restrict stream);
560 See e.g. https://en.cppreference.com/w/c/io/fread
561 and https://www.man7.org/linux/man-pages/man3/fread.3.html */
563 class kf_fread
: public known_function
/* fread (void *buffer, size_t size, size_t count, FILE *stream):
   exactly four arguments, pointers at 0 and 3, sizes at 1 and 2.  */
bool matches_call_types_p (const call_details &cd) const final override
{
  if (cd.num_args () != 4)
    return false;
  if (!cd.arg_is_pointer_p (0) || !cd.arg_is_size_p (1))
    return false;
  return cd.arg_is_size_p (2) && cd.arg_is_pointer_p (3);
}
575 /* For now, assume that any call to "fread" fully clobbers the buffer
576 passed in. This isn't quite correct (e.g. errors, partial reads;
577 see PR analyzer/108689), but at least stops us falsely complaining
578 about the buffer being uninitialized. */
void impl_call_pre (const call_details &cd) const final override
{
  region_model *model = cd.get_model ();
  const region *dest_reg = cd.get_arg_svalue (0)->maybe_get_region ();
  if (dest_reg)
    {
      /* Overwrite the whole base region of the destination buffer with
	 a fresh conjured value.  NOTE: neither the element size (1) nor
	 the count (2) is consulted, so the write is not bounded to
	 size * count bytes here.  */
      const region *dest_base = dest_reg->get_base_region ();
      const svalue *fresh = cd.get_or_create_conjured_svalue (dest_base);
      model->set_value (dest_base, fresh, cd.get_ctxt ());
    }
  /* Give the call's lhs, if any, its default value.  */
  cd.set_any_lhs_with_defaults ();
}
593 /* Handler for "getc". */
595 class kf_getc
: public pure_known_function_with_default_return
/* getc (FILE *stream): exactly one argument, which must be a pointer.  */
bool matches_call_types_p (const call_details &cd) const final override
{
  if (cd.num_args () != 1)
    return false;
  return cd.arg_is_pointer_p (0);
}
605 /* Handler for "getchar". */
607 class kf_getchar
: public pure_known_function_with_default_return
/* getchar (void): matches only a call with no arguments at all.  */
bool matches_call_types_p (const call_details &cd) const final override
{
  const auto nargs = cd.num_args ();
  return nargs == 0;
}
615 /* Empty. No side-effects (tracking stream state is out-of-scope
616 for the analyzer). */
619 /* Populate KFM with instances of known functions relating to <stdio.h>'s FILE * API. */
register_known_file_functions (known_function_manager &kfm)
{
  /* Output-only stdio builtins.  Their external effects are out of
     scope for the analyzer, so each one shares the kf_stdio_output_fn
     handler, which only models the return value.  */
  for (auto builtin : { BUILT_IN_FPRINTF,
			BUILT_IN_FPRINTF_UNLOCKED,
			BUILT_IN_FPUTC,
			BUILT_IN_FPUTC_UNLOCKED,
			BUILT_IN_FPUTS,
			BUILT_IN_FPUTS_UNLOCKED,
			BUILT_IN_FWRITE,
			BUILT_IN_FWRITE_UNLOCKED,
			BUILT_IN_PRINTF,
			BUILT_IN_PRINTF_UNLOCKED,
			BUILT_IN_PUTC,
			BUILT_IN_PUTCHAR,
			BUILT_IN_PUTCHAR_UNLOCKED,
			BUILT_IN_PUTC_UNLOCKED,
			BUILT_IN_PUTS,
			BUILT_IN_PUTS_UNLOCKED,
			BUILT_IN_VFPRINTF,
			BUILT_IN_VPRINTF })
    kfm.add (builtin, make_unique<kf_stdio_output_fn> ());

  /* Functions matched by name, each with a dedicated handler.  */
  kfm.add ("ferror", make_unique<kf_ferror> ());
  kfm.add ("fgets", make_unique<kf_fgets> ());
  kfm.add ("fgets_unlocked", make_unique<kf_fgets> ()); // non-standard
  kfm.add ("fileno", make_unique<kf_fileno> ());
  kfm.add ("fread", make_unique<kf_fread> ());
  kfm.add ("getc", make_unique<kf_getc> ());
  kfm.add ("getchar", make_unique<kf_getchar> ());
}
657 /* Run all of the selftests within this file. */
660 analyzer_sm_file_cc_tests ()
662 function_set fs
= get_file_using_fns ();
667 } // namespace selftest
669 #endif /* CHECKING_P */
673 #endif /* #if ENABLE_ANALYZER */