[clang][analyzer] fix crash when modelling 'getline'

Author: vbvictor

clang/docs/ReleaseNotes.rst

@@ -1060,6 +1060,9 @@ impact the linker behaviour like the other `-static-*` flags.
 Crash and bug fixes
 ^^^^^^^^^^^^^^^^^^^
 
+- Fixed a crash in ``UnixAPIMisuseChecker`` and ``MallocChecker`` when analyzing
+  code with non-standard ``getline`` or ``getdelim`` function signatures.
+
 Improvements
 ^^^^^^^^^^^^
 

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

@@ -1482,11 +1482,63 @@ static bool isFromStdNamespace(const CallEvent &Call) {
   return FD->isInStdNamespace();
 }
 
+static bool IsGetDelim(const CallEvent &Call, CheckerContext &C) {
+  const FunctionDecl *FD = dyn_cast_if_present<FunctionDecl>(Call.getDecl());
+  if (!FD || FD->getKind() != Decl::Function)
+    return false;
+
+  const StringRef FName = C.getCalleeName(FD);
+  const bool IsDelim = FName == "getdelim";
+  const bool IsLine = FName == "getline";
+
+  unsigned ExpectedNumArgs = 0;
+  if (IsDelim)
+    ExpectedNumArgs = 4;
+  else if (IsLine)
+    ExpectedNumArgs = 3;
+  else
+    return false;
+
+  if (FD->getNumParams() != ExpectedNumArgs)
+    return false;
+
+  // Should be char**
+  const QualType CharPtrType = FD->getParamDecl(0)->getType()->getPointeeType();
+  if (CharPtrType.isNull())
+    return false;
+  const QualType CharType = CharPtrType->getPointeeType();
+  if (CharType.isNull() || !CharType->isCharType())
+    return false;
+
+  // Should be size_t*
+  const QualType SizePtrType = FD->getParamDecl(1)->getType();
+  if (!SizePtrType->isPointerType())
+    return false;
+  const QualType SizeArgType = SizePtrType->getPointeeType();
+  const ASTContext &Ctx = C.getASTContext();
+  if (SizeArgType.isNull() ||
+      !Ctx.hasSameUnqualifiedType(SizeArgType, Ctx.getSizeType()))
+    return false;
+
+  // For getdelim, should be int
+  if (IsDelim)
+    if (!FD->getParamDecl(2)->getType()->isIntegerType())
+      return false;
+
+  // Last parameter should be FILE*
+  const QualType Pointee =
+      FD->getParamDecl(IsDelim ? 3 : 2)->getType()->getPointeeType();
+  if (Pointee.isNull() || Pointee.getAsString() != "FILE")
+    return false;
+
+  return true;
+}
+
 void MallocChecker::preGetdelim(ProgramStateRef State, const CallEvent &Call,
                                 CheckerContext &C) const {
   // Discard calls to the C++ standard library function std::getline(), which
   // is completely unrelated to the POSIX getline() that we're checking.
-  if (isFromStdNamespace(Call))
+  if (isFromStdNamespace(Call) || !IsGetDelim(Call, C))
     return;
 
   const auto LinePtr = getPointeeVal(Call.getArgSVal(0), State);
@@ -1509,7 +1561,7 @@ void MallocChecker::checkGetdelim(ProgramStateRef State, const CallEvent &Call,
                                   CheckerContext &C) const {
   // Discard calls to the C++ standard library function std::getline(), which
   // is completely unrelated to the POSIX getline() that we're checking.
-  if (isFromStdNamespace(Call))
+  if (isFromStdNamespace(Call) || !IsGetDelim(Call, C))
     return;
 
   // Handle the post-conditions of getline and getdelim:

clang/lib/StaticAnalyzer/Checkers/UnixAPIChecker.cpp

@@ -147,6 +147,55 @@ ProgramStateRef UnixAPIMisuseChecker::EnsurePtrNotNull(
   return PtrNotNull;
 }
 
+static bool IsGetDelim(const CallEvent &Call, const FunctionDecl *FD,
+                       CheckerContext &C) {
+  const StringRef FName = C.getCalleeName(FD);
+  const bool IsDelim = FName == "getdelim";
+  const bool IsLine = FName == "getline";
+
+  unsigned ExpectedNumArgs = 0;
+  if (IsDelim)
+    ExpectedNumArgs = 4;
+  else if (IsLine)
+    ExpectedNumArgs = 3;
+  else
+    return false;
+
+  if (FD->getNumParams() != ExpectedNumArgs)
+    return false;
+
+  // Should be char**
+  const QualType CharPtrType = FD->getParamDecl(0)->getType()->getPointeeType();
+  if (CharPtrType.isNull())
+    return false;
+  const QualType CharType = CharPtrType->getPointeeType();
+  if (CharType.isNull() || !CharType->isCharType())
+    return false;
+
+  // Should be size_t*
+  const QualType SizePtrType = FD->getParamDecl(1)->getType();
+  if (!SizePtrType->isPointerType())
+    return false;
+  const QualType SizeArgType = SizePtrType->getPointeeType();
+  const ASTContext &Ctx = C.getASTContext();
+  if (SizeArgType.isNull() ||
+      !Ctx.hasSameUnqualifiedType(SizeArgType, Ctx.getSizeType()))
+    return false;
+
+  // For getdelim, should be int
+  if (IsDelim)
+    if (!FD->getParamDecl(2)->getType()->isIntegerType())
+      return false;
+
+  // Last parameter should be FILE*
+  const QualType Pointee =
+      FD->getParamDecl(IsDelim ? 3 : 2)->getType()->getPointeeType();
+  if (Pointee.isNull() || Pointee.getAsString() != "FILE")
+    return false;
+
+  return true;
+}
+
 //===----------------------------------------------------------------------===//
 // "open" (man 2 open)
 //===----------------------------------------------------------------------===/
@@ -176,7 +225,7 @@ void UnixAPIMisuseChecker::checkPreCall(const CallEvent &Call,
   else if (FName == "pthread_once")
     CheckPthreadOnce(C, Call);
 
-  else if (is_contained({"getdelim", "getline"}, FName))
+  else if (IsGetDelim(Call, FD, C))
     CheckGetDelim(C, Call);
 }
 void UnixAPIMisuseChecker::ReportOpenBug(CheckerContext &C,

clang/test/Analysis/getline-unixapi-invalid-signatures.c

@@ -0,0 +1,130 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix -verify %s -DTEST_CORRECT
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix -verify %s -DTEST_GETLINE_1
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix -verify %s -DTEST_GETLINE_2
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix -verify %s -DTEST_GETLINE_3
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix -verify %s -DTEST_GETLINE_4
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix -verify %s -DTEST_GETLINE_5
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,unix -verify %s -DTEST_GETLINE_GH144884
+
+// emulator of "system-header-simulator.h" because of redefinition of 'getline' function
+typedef struct _FILE FILE;
+typedef __typeof(sizeof(int)) size_t;
+typedef long ssize_t;
+#define NULL 0
+
+int fclose(FILE *fp);
+FILE *tmpfile(void);
+
+#ifdef TEST_CORRECT
+ssize_t getline(char **lineptr, size_t *n, FILE *stream);
+ssize_t getdelim(char **lineptr, size_t *n, int delimiter, FILE *stream);
+
+void test_correct() {
+  FILE *F1 = tmpfile();
+  if (!F1)
+    return;
+  char *buffer = NULL;
+  getline(&buffer, NULL, F1); // expected-warning {{Size pointer might be NULL}}
+  fclose(F1);
+}
+
+void test_delim_correct() {
+  FILE *F1 = tmpfile();
+  if (!F1)
+    return;
+  char *buffer = NULL;
+  getdelim(&buffer, NULL, ',', F1); // expected-warning {{Size pointer might be NULL}}
+  fclose(F1);
+}
+#endif
+
+#ifdef TEST_GETLINE_1
+// expected-no-diagnostics
+ssize_t getline(int lineptr);
+
+void test() {
+  FILE *F1 = tmpfile();
+  if (!F1)
+    return;
+  int buffer = 0;
+  getline(buffer);
+  fclose(F1);
+}
+#endif
+
+#ifdef TEST_GETLINE_2
+// expected-no-diagnostics
+ssize_t getline(char **lineptr, size_t *n);
+
+void test() {
+  FILE *F1 = tmpfile();
+  if (!F1)
+    return;
+  char *buffer = NULL;
+  getline(&buffer, NULL);
+  fclose(F1);
+}
+#endif
+
+#ifdef TEST_GETLINE_3
+// expected-no-diagnostics
+ssize_t getline(char **lineptr, size_t n, FILE *stream);
+
+void test() {
+  FILE *F1 = tmpfile();
+  if (!F1)
+    return;
+  char *buffer = NULL;
+  getline(&buffer, 0, F1);
+  fclose(F1);
+}
+#endif
+
+#ifdef TEST_GETLINE_4
+// expected-no-diagnostics
+ssize_t getline(char **lineptr, size_t *n, int stream);
+ssize_t getdelim(char **lineptr, size_t *n, int delimiter, int stream);
+
+void test() {
+  FILE *F1 = tmpfile();
+  if (!F1)
+    return;
+  char *buffer = NULL;
+  getline(&buffer, NULL, 1);
+  fclose(F1);
+}
+
+void test_delim() {
+  FILE *F1 = tmpfile();
+  if (!F1)
+    return;
+  char *buffer = NULL;
+  getdelim(&buffer, NULL, ',', 1);
+  fclose(F1);
+}
+#endif
+
+#ifdef TEST_GETLINE_5
+// expected-no-diagnostics
+ssize_t getdelim(char **lineptr, size_t *n, const char* delimiter, FILE *stream);
+
+void test_delim() {
+  FILE *F1 = tmpfile();
+  if (!F1)
+    return;
+  char *buffer = NULL;
+  getdelim(&buffer, NULL, ",", F1);
+  fclose(F1);
+}
+#endif
+
+#ifdef TEST_GETLINE_GH144884
+// expected-no-diagnostics
+struct AW_string {};
+void getline(int *, struct AW_string);
+void top() {
+  struct AW_string line;
+  int getline_file_info;
+  getline(&getline_file_info, line);
+}
+#endif