[analyzer] Bifurcate on getenv() calls

The `getenv()` function might return `NULL` just like any other function. However, in case of `getenv()` a state-split seems justified since the programmer should expect the failure of this function. `secure_getenv(const char *name)` behaves the same way but is not handled right now. Note that `std::getenv()` is also not handled. Reviewed By: martong Differential Revision: https://reviews.llvm.org/D111245
2024-11-27 15:41:46 +00:00 · 2021-10-13 10:50:26 +02:00 · 2021-10-13 10:50:26 +02:00 · 7fc150309d
commit 7fc150309d
parent fc2ba5e53d
2 changed files with 16 additions and 0 deletions
--- a/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
+++ b/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp
@ -1433,6 +1433,14 @@ void StdLibraryFunctionsChecker::initFunctionSummaries(
                RetType{Ssize_tTy}),
      GetLineSummary);

+  // char *getenv(const char *name);
+  addToFunctionSummaryMap(
+      "getenv", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}),
+      Summary(NoEvalCall)
+          .Case({NotNull(Ret)})
+          .Case({NotNull(Ret)->negate()})
+          .ArgConstraint(NotNull(ArgNo(0))));
+
  if (ModelPOSIX) {

    // long a64l(const char *str64);
--- a/clang/test/Analysis/std-c-library-functions.c
+++ b/clang/test/Analysis/std-c-library-functions.c
@ -254,3 +254,11 @@ void test_call_by_pointer() {
  f = ispunct;
  clang_analyzer_eval(f('A')); // expected-warning{{FALSE}}
 }
+
+char *getenv(const char *name);
+void test_getenv() {
+  // getenv() bifurcates here.
+  clang_analyzer_eval(getenv("FOO") == 0);
+  // expected-warning@-1 {{TRUE}}
+  // expected-warning@-2 {{FALSE}}
+}