1*0b57cec5SDimitry Andric //===-- BlockInCriticalSectionChecker.cpp -----------------------*- C++ -*-===// 2*0b57cec5SDimitry Andric // 3*0b57cec5SDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4*0b57cec5SDimitry Andric // See https://llvm.org/LICENSE.txt for license information. 5*0b57cec5SDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6*0b57cec5SDimitry Andric // 7*0b57cec5SDimitry Andric //===----------------------------------------------------------------------===// 8*0b57cec5SDimitry Andric // 9*0b57cec5SDimitry Andric // Defines a checker for blocks in critical sections. This checker should find 10*0b57cec5SDimitry Andric // the calls to blocking functions (for example: sleep, getc, fgets, read, 11*0b57cec5SDimitry Andric // recv etc.) inside a critical section. When sleep(x) is called while a mutex 12*0b57cec5SDimitry Andric // is held, other threades cannot lock the same mutex. This might take some 13*0b57cec5SDimitry Andric // time, leading to bad performance or even deadlock. 14*0b57cec5SDimitry Andric // 15*0b57cec5SDimitry Andric //===----------------------------------------------------------------------===// 16*0b57cec5SDimitry Andric 17*0b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 18*0b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 19*0b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h" 20*0b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 21*0b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 22*0b57cec5SDimitry Andric 23*0b57cec5SDimitry Andric using namespace clang; 24*0b57cec5SDimitry Andric using namespace ento; 25*0b57cec5SDimitry Andric 26*0b57cec5SDimitry Andric namespace { 27*0b57cec5SDimitry Andric 28*0b57cec5SDimitry Andric class BlockInCriticalSectionChecker : public Checker<check::PostCall> { 29*0b57cec5SDimitry Andric 30*0b57cec5SDimitry Andric mutable IdentifierInfo *IILockGuard, *IIUniqueLock; 31*0b57cec5SDimitry Andric 32*0b57cec5SDimitry Andric CallDescription LockFn, UnlockFn, SleepFn, GetcFn, FgetsFn, ReadFn, RecvFn, 33*0b57cec5SDimitry Andric PthreadLockFn, PthreadTryLockFn, PthreadUnlockFn, 34*0b57cec5SDimitry Andric MtxLock, MtxTimedLock, MtxTryLock, MtxUnlock; 35*0b57cec5SDimitry Andric 36*0b57cec5SDimitry Andric StringRef ClassLockGuard, ClassUniqueLock; 37*0b57cec5SDimitry Andric 38*0b57cec5SDimitry Andric mutable bool IdentifierInfoInitialized; 39*0b57cec5SDimitry Andric 40*0b57cec5SDimitry Andric std::unique_ptr<BugType> BlockInCritSectionBugType; 41*0b57cec5SDimitry Andric 42*0b57cec5SDimitry Andric void initIdentifierInfo(ASTContext &Ctx) const; 43*0b57cec5SDimitry Andric 44*0b57cec5SDimitry Andric void reportBlockInCritSection(SymbolRef FileDescSym, 45*0b57cec5SDimitry Andric const CallEvent &call, 46*0b57cec5SDimitry Andric CheckerContext &C) const; 47*0b57cec5SDimitry Andric 48*0b57cec5SDimitry Andric public: 49*0b57cec5SDimitry Andric BlockInCriticalSectionChecker(); 50*0b57cec5SDimitry Andric 51*0b57cec5SDimitry Andric bool isBlockingFunction(const CallEvent &Call) const; 52*0b57cec5SDimitry Andric bool isLockFunction(const CallEvent &Call) const; 53*0b57cec5SDimitry Andric bool isUnlockFunction(const CallEvent &Call) const; 54*0b57cec5SDimitry Andric 55*0b57cec5SDimitry Andric /// Process unlock. 56*0b57cec5SDimitry Andric /// Process lock. 57*0b57cec5SDimitry Andric /// Process blocking functions (sleep, getc, fgets, read, recv) 58*0b57cec5SDimitry Andric void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 59*0b57cec5SDimitry Andric }; 60*0b57cec5SDimitry Andric 61*0b57cec5SDimitry Andric } // end anonymous namespace 62*0b57cec5SDimitry Andric 63*0b57cec5SDimitry Andric REGISTER_TRAIT_WITH_PROGRAMSTATE(MutexCounter, unsigned) 64*0b57cec5SDimitry Andric 65*0b57cec5SDimitry Andric BlockInCriticalSectionChecker::BlockInCriticalSectionChecker() 66*0b57cec5SDimitry Andric : IILockGuard(nullptr), IIUniqueLock(nullptr), 67*0b57cec5SDimitry Andric LockFn("lock"), UnlockFn("unlock"), SleepFn("sleep"), GetcFn("getc"), 68*0b57cec5SDimitry Andric FgetsFn("fgets"), ReadFn("read"), RecvFn("recv"), 69*0b57cec5SDimitry Andric PthreadLockFn("pthread_mutex_lock"), 70*0b57cec5SDimitry Andric PthreadTryLockFn("pthread_mutex_trylock"), 71*0b57cec5SDimitry Andric PthreadUnlockFn("pthread_mutex_unlock"), 72*0b57cec5SDimitry Andric MtxLock("mtx_lock"), 73*0b57cec5SDimitry Andric MtxTimedLock("mtx_timedlock"), 74*0b57cec5SDimitry Andric MtxTryLock("mtx_trylock"), 75*0b57cec5SDimitry Andric MtxUnlock("mtx_unlock"), 76*0b57cec5SDimitry Andric ClassLockGuard("lock_guard"), 77*0b57cec5SDimitry Andric ClassUniqueLock("unique_lock"), 78*0b57cec5SDimitry Andric IdentifierInfoInitialized(false) { 79*0b57cec5SDimitry Andric // Initialize the bug type. 80*0b57cec5SDimitry Andric BlockInCritSectionBugType.reset( 81*0b57cec5SDimitry Andric new BugType(this, "Call to blocking function in critical section", 82*0b57cec5SDimitry Andric "Blocking Error")); 83*0b57cec5SDimitry Andric } 84*0b57cec5SDimitry Andric 85*0b57cec5SDimitry Andric void BlockInCriticalSectionChecker::initIdentifierInfo(ASTContext &Ctx) const { 86*0b57cec5SDimitry Andric if (!IdentifierInfoInitialized) { 87*0b57cec5SDimitry Andric /* In case of checking C code, or when the corresponding headers are not 88*0b57cec5SDimitry Andric * included, we might end up query the identifier table every time when this 89*0b57cec5SDimitry Andric * function is called instead of early returning it. To avoid this, a bool 90*0b57cec5SDimitry Andric * variable (IdentifierInfoInitialized) is used and the function will be run 91*0b57cec5SDimitry Andric * only once. */ 92*0b57cec5SDimitry Andric IILockGuard = &Ctx.Idents.get(ClassLockGuard); 93*0b57cec5SDimitry Andric IIUniqueLock = &Ctx.Idents.get(ClassUniqueLock); 94*0b57cec5SDimitry Andric IdentifierInfoInitialized = true; 95*0b57cec5SDimitry Andric } 96*0b57cec5SDimitry Andric } 97*0b57cec5SDimitry Andric 98*0b57cec5SDimitry Andric bool BlockInCriticalSectionChecker::isBlockingFunction(const CallEvent &Call) const { 99*0b57cec5SDimitry Andric if (Call.isCalled(SleepFn) 100*0b57cec5SDimitry Andric || Call.isCalled(GetcFn) 101*0b57cec5SDimitry Andric || Call.isCalled(FgetsFn) 102*0b57cec5SDimitry Andric || Call.isCalled(ReadFn) 103*0b57cec5SDimitry Andric || Call.isCalled(RecvFn)) { 104*0b57cec5SDimitry Andric return true; 105*0b57cec5SDimitry Andric } 106*0b57cec5SDimitry Andric return false; 107*0b57cec5SDimitry Andric } 108*0b57cec5SDimitry Andric 109*0b57cec5SDimitry Andric bool BlockInCriticalSectionChecker::isLockFunction(const CallEvent &Call) const { 110*0b57cec5SDimitry Andric if (const auto *Ctor = dyn_cast<CXXConstructorCall>(&Call)) { 111*0b57cec5SDimitry Andric auto IdentifierInfo = Ctor->getDecl()->getParent()->getIdentifier(); 112*0b57cec5SDimitry Andric if (IdentifierInfo == IILockGuard || IdentifierInfo == IIUniqueLock) 113*0b57cec5SDimitry Andric return true; 114*0b57cec5SDimitry Andric } 115*0b57cec5SDimitry Andric 116*0b57cec5SDimitry Andric if (Call.isCalled(LockFn) 117*0b57cec5SDimitry Andric || Call.isCalled(PthreadLockFn) 118*0b57cec5SDimitry Andric || Call.isCalled(PthreadTryLockFn) 119*0b57cec5SDimitry Andric || Call.isCalled(MtxLock) 120*0b57cec5SDimitry Andric || Call.isCalled(MtxTimedLock) 121*0b57cec5SDimitry Andric || Call.isCalled(MtxTryLock)) { 122*0b57cec5SDimitry Andric return true; 123*0b57cec5SDimitry Andric } 124*0b57cec5SDimitry Andric return false; 125*0b57cec5SDimitry Andric } 126*0b57cec5SDimitry Andric 127*0b57cec5SDimitry Andric bool BlockInCriticalSectionChecker::isUnlockFunction(const CallEvent &Call) const { 128*0b57cec5SDimitry Andric if (const auto *Dtor = dyn_cast<CXXDestructorCall>(&Call)) { 129*0b57cec5SDimitry Andric const auto *DRecordDecl = dyn_cast<CXXRecordDecl>(Dtor->getDecl()->getParent()); 130*0b57cec5SDimitry Andric auto IdentifierInfo = DRecordDecl->getIdentifier(); 131*0b57cec5SDimitry Andric if (IdentifierInfo == IILockGuard || IdentifierInfo == IIUniqueLock) 132*0b57cec5SDimitry Andric return true; 133*0b57cec5SDimitry Andric } 134*0b57cec5SDimitry Andric 135*0b57cec5SDimitry Andric if (Call.isCalled(UnlockFn) 136*0b57cec5SDimitry Andric || Call.isCalled(PthreadUnlockFn) 137*0b57cec5SDimitry Andric || Call.isCalled(MtxUnlock)) { 138*0b57cec5SDimitry Andric return true; 139*0b57cec5SDimitry Andric } 140*0b57cec5SDimitry Andric return false; 141*0b57cec5SDimitry Andric } 142*0b57cec5SDimitry Andric 143*0b57cec5SDimitry Andric void BlockInCriticalSectionChecker::checkPostCall(const CallEvent &Call, 144*0b57cec5SDimitry Andric CheckerContext &C) const { 145*0b57cec5SDimitry Andric initIdentifierInfo(C.getASTContext()); 146*0b57cec5SDimitry Andric 147*0b57cec5SDimitry Andric if (!isBlockingFunction(Call) 148*0b57cec5SDimitry Andric && !isLockFunction(Call) 149*0b57cec5SDimitry Andric && !isUnlockFunction(Call)) 150*0b57cec5SDimitry Andric return; 151*0b57cec5SDimitry Andric 152*0b57cec5SDimitry Andric ProgramStateRef State = C.getState(); 153*0b57cec5SDimitry Andric unsigned mutexCount = State->get<MutexCounter>(); 154*0b57cec5SDimitry Andric if (isUnlockFunction(Call) && mutexCount > 0) { 155*0b57cec5SDimitry Andric State = State->set<MutexCounter>(--mutexCount); 156*0b57cec5SDimitry Andric C.addTransition(State); 157*0b57cec5SDimitry Andric } else if (isLockFunction(Call)) { 158*0b57cec5SDimitry Andric State = State->set<MutexCounter>(++mutexCount); 159*0b57cec5SDimitry Andric C.addTransition(State); 160*0b57cec5SDimitry Andric } else if (mutexCount > 0) { 161*0b57cec5SDimitry Andric SymbolRef BlockDesc = Call.getReturnValue().getAsSymbol(); 162*0b57cec5SDimitry Andric reportBlockInCritSection(BlockDesc, Call, C); 163*0b57cec5SDimitry Andric } 164*0b57cec5SDimitry Andric } 165*0b57cec5SDimitry Andric 166*0b57cec5SDimitry Andric void BlockInCriticalSectionChecker::reportBlockInCritSection( 167*0b57cec5SDimitry Andric SymbolRef BlockDescSym, const CallEvent &Call, CheckerContext &C) const { 168*0b57cec5SDimitry Andric ExplodedNode *ErrNode = C.generateNonFatalErrorNode(); 169*0b57cec5SDimitry Andric if (!ErrNode) 170*0b57cec5SDimitry Andric return; 171*0b57cec5SDimitry Andric 172*0b57cec5SDimitry Andric std::string msg; 173*0b57cec5SDimitry Andric llvm::raw_string_ostream os(msg); 174*0b57cec5SDimitry Andric os << "Call to blocking function '" << Call.getCalleeIdentifier()->getName() 175*0b57cec5SDimitry Andric << "' inside of critical section"; 176*0b57cec5SDimitry Andric auto R = llvm::make_unique<BugReport>(*BlockInCritSectionBugType, os.str(), ErrNode); 177*0b57cec5SDimitry Andric R->addRange(Call.getSourceRange()); 178*0b57cec5SDimitry Andric R->markInteresting(BlockDescSym); 179*0b57cec5SDimitry Andric C.emitReport(std::move(R)); 180*0b57cec5SDimitry Andric } 181*0b57cec5SDimitry Andric 182*0b57cec5SDimitry Andric void ento::registerBlockInCriticalSectionChecker(CheckerManager &mgr) { 183*0b57cec5SDimitry Andric mgr.registerChecker<BlockInCriticalSectionChecker>(); 184*0b57cec5SDimitry Andric } 185*0b57cec5SDimitry Andric 186*0b57cec5SDimitry Andric bool ento::shouldRegisterBlockInCriticalSectionChecker(const LangOptions &LO) { 187*0b57cec5SDimitry Andric return true; 188*0b57cec5SDimitry Andric } 189