[clang][analyzer] Change default value of checker option in unix.StdCLibraryFunctions. #80457
…LibraryFunctions. Default value of checker option `ModelPOSIX` is changed to `true`. Documentation is updated.
@llvm/pr-subscribers-clang @llvm/pr-subscribers-clang-static-analyzer-1

Author: Balázs Kéri (balazske)

Changes

Default value of checker option

Full diff: https://github.com/llvm/llvm-project/pull/80457.diff

3 Files Affected:
diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
index bb637cf1b8007..24522e56501e5 100644
--- a/clang/docs/analyzer/checkers.rst
+++ b/clang/docs/analyzer/checkers.rst
@@ -1299,10 +1299,21 @@ range of the argument.
**Parameters**
-The checker models functions (and emits diagnostics) from the C standard by
-default. The ``ModelPOSIX`` option enables modeling (and emit diagnostics) of
-additional functions that are defined in the POSIX standard. This option is
-disabled by default.
+The ``ModelPOSIX`` option controls if functions from the POSIX standard are
+recognized by the checker. If ``true``, a big amount of POSIX functions is
+modeled according to the
+`POSIX standard`_. This
+includes ranges of parameters and possible return values. Furthermore the
+behavior related to ``errno`` in the POSIX case is often that ``errno`` is set
+only if a function call fails, and it becomes undefined after a successful
+function call.
+If ``false``, functions are modeled according to the C99 language standard.
+This includes far less functions than the POSIX case. It is possible that the
+same functions are modeled differently in the two cases because differences in
+the standards. The C standard specifies less aspects of the functions, for
+example exact ``errno`` behavior is often unspecified (and not modeled by the
+checker).
+Default value of the option is ``true``.
.. _osx-checkers:
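Review bot: the new ``ModelPOSIX`` paragraph has several grammar slips that should be fixed before landing: "a big amount of POSIX functions is modeled" reads better as "many POSIX functions are modeled", "far less functions" should be "far fewer functions", "because differences in the standards" is missing "of", and "specifies less aspects" should be "specifies fewer aspects". Since the default flips to ``true``, it is also worth stating in this paragraph how to restore the previous behavior, using the option key the test hunk shows (``-analyzer-config unix.StdCLibraryFunctions:ModelPOSIX=false``), so that users who see new reports know which knob to turn.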
diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
index e7774e5a9392d..a224b81c33a62 100644
--- a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
+++ b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -578,7 +578,7 @@ def StdCLibraryFunctionsChecker : Checker<"StdCLibraryFunctions">,
"ModelPOSIX",
"If set to true, the checker models additional functions "
"from the POSIX standard.",
- "false",
+ "true",
InAlpha>
]>,
WeakDependencies<[CallAndMessageChecker, NonNullParamChecker]>,
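Review bot: the option description string still reads "If set to true, the checker models additional functions from the POSIX standard.", which describes the old opt-in behavior; with the default now ``"true"`` it should say what ``false`` does (restrict modeling to the functions of the C standard), otherwise the checker option help describes a default that no longer applies. The option also stays marked ``InAlpha`` while its default changes, which is worth confirming as intended, since alpha options are not shown in the regular option help.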
diff --git a/clang/test/Analysis/analyzer-config.c b/clang/test/Analysis/analyzer-config.c
index 373017f4b18bf..2167a2b32f596 100644
--- a/clang/test/Analysis/analyzer-config.c
+++ b/clang/test/Analysis/analyzer-config.c
@@ -129,7 +129,7 @@
// CHECK-NEXT: unix.DynamicMemoryModeling:Optimistic = false
// CHECK-NEXT: unix.Errno:AllowErrnoReadOutsideConditionExpressions = true
// CHECK-NEXT: unix.StdCLibraryFunctions:DisplayLoadedSummaries = false
-// CHECK-NEXT: unix.StdCLibraryFunctions:ModelPOSIX = false
+// CHECK-NEXT: unix.StdCLibraryFunctions:ModelPOSIX = true
// CHECK-NEXT: unroll-loops = false
// CHECK-NEXT: verbose-report-filename = false
// CHECK-NEXT: widen-loops = false
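Review bot: only the expected value in the config dump changes here, so nothing exercises the new default; a regression that silently dropped the POSIX summaries when the option is omitted would still pass this test. Add (or adjust) a lit test that runs the checker without ``-analyzer-config unix.StdCLibraryFunctions:ModelPOSIX=...`` and expects a POSIX-only function to be modeled, for example the ``close()`` errno behavior discussed in this thread.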
I'm excited to see this change.

The change was evaluated on the following projects. "Lost reports" shows results that disappear if the
I analyzed the results uploaded by @balazske and found the following:

memcached
The new ModelPosix=true produces two new bug reports (1) assuming that fileno() can fail and (2) errno is undefined after close(). These are arguably true positives, although it's unclear whether fileno() can fail or not (e.g. the manpage on my linux claims both that it should not fail and that it can fail: "These functions should not fail and do not set the external variable errno. (However, in case fileno() detects that its argument is not a valid stream, it must return -1 and set errno to EBADF.)").

tmux
The new ModelPosix=true produces yet another errno undefined after close() and a case where the checker assumes that opening "/dev/null" can fail. The first is a TP, the second is FP in practice but is a reasonable report.

curl
There are 9 new reports with ModelPosix=true:

twin
Two new reports with ModelPosix=true, one tricky mmap issue that appears to be TP if we consider the function in isolation and assume that its

vim
7 new reports with ModelPosix=true:

openssl
3 new reports with ModelPosix=true:

sqlite
One new report with ModelPosix=true where the checker assumes that

ffmpeg

postgres
Two lost reports (that no longer appear with ModelPosix=true) and 33 (!!) new reports:

xerces
ModelPosix=true introduces two new reports: one unhandled failure of

bitcoin
We have three new reports: a good old

Conclusion
Apparently there are many projects that use

Apart from this question, the change seems to be reasonable and there are several situations where it produces valuable reports.
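The report the evaluation above keeps running into, errno read after close() without checking the return value, comes from the pattern below. This is an added example, not code from the PR or from any of the evaluated projects; the function names are chosen here, and the pipe-based scenario is constructed for illustration.

```c
#include <errno.h>
#include <unistd.h>

/* Flagged form: errno is read after close() whether or not the call failed.
 * POSIX defines errno only on the failure path; after a successful close()
 * its value is unspecified, which is what the checker reports with
 * ModelPOSIX=true as errno being undefined after close(). On the failure
 * path the code happens to work, which is why the bug tends to hide. */
int close_errno_unchecked(int fd) {
    close(fd);
    return errno; /* meaningless if close() succeeded */
}

/* Corrected form: test the return value first and read errno only when the
 * call reported failure. The caller gets a well-defined status either way. */
int close_checked(int fd, int *saved_errno) {
    *saved_errno = 0;
    if (close(fd) == -1) {
        *saved_errno = errno; /* errno is defined here, and only here */
        return -1;
    }
    return 0;
}

/* Constructed scenario: a pipe yields two valid descriptors; closing one of
 * them succeeds, closing an invalid descriptor fails with EBADF. Returns 1
 * when close_checked() reports both outcomes correctly. */
int demo_close_checked(void) {
    int fds[2];
    int err = 0;
    if (pipe(fds) == -1)
        return 0;
    int ok_success = (close_checked(fds[0], &err) == 0 && err == 0);
    int ok_failure = (close_checked(-1, &err) == -1 && err == EBADF);
    close(fds[1]);
    return ok_success && ok_failure;
}
```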
The newly appeared bug reports should be similar to the ones that were observed when

This may happen because the "controlled environment" analyzer option may be set to

Because the many cases with

You're right that the string passed to

Thanks, that would be a good way forward. Ping me if you have a commit for changing the summary, I'll review it quickly.

Good idea, that would be very nice as a separate longer-term solution :)

Behavior of

in last comment that it is already existing functionality (in StreamChecker and other invalid pointer checkers).
LGTM, I think that it isn't necessary to re-evaluate the change, because it's clear that the fileno issue is handled and the other reports are good.
I have one very minor suggestion to slightly improve the documentation, but the change is also acceptable without that.
clang/docs/analyzer/checkers.rst
The ``ModelPOSIX`` option controls if functions from the POSIX standard are
recognized by the checker. If ``true``, a big amount of POSIX functions is
modeled according to the
`POSIX standard`_. This
includes ranges of parameters and possible return values. Furthermore the
behavior related to ``errno`` in the POSIX case is often that ``errno`` is set
only if a function call fails, and it becomes undefined after a successful
function call.
If ``false``, functions are modeled according to the C99 language standard.
This includes far less functions than the POSIX case. It is possible that the
same functions are modeled differently in the two cases because differences in
the standards. The C standard specifies less aspects of the functions, for
example exact ``errno`` behavior is often unspecified (and not modeled by the
checker).
Default value of the option is ``true``.
Suggested change:

The ``ModelPOSIX`` option controls if functions from the POSIX standard are
recognized by the checker.
With ``ModelPOSIX=true``, lots of POSIX functions are modeled according to the
`POSIX standard`_. This includes ranges of parameters and possible return
values. Furthermore the behavior related to ``errno`` in the POSIX case is
often that ``errno`` is set only if a function call fails, and it becomes
undefined after a successful function call.
With ``ModelPOSIX=false``, this checker follows the C99 language standard and
only models the functions that are described there. It is possible that the
same functions are modeled differently in the two cases because differences in
the standards. The C standard specifies less aspects of the functions, for
example exact ``errno`` behavior is often unspecified (and not modeled by the
checker).
Default value of the option is ``true``.