[analyzer][docs] Update the release notes for llvm-18

[steakhal]

This PR prepares the release notes of the Clang Static Analyzer for the llvm-18 release branch, due in about a week.
See the regular release schedule.

This patch was written after examining the relevant Static Analyzer commits since the last release.
Have a look at the commits, and provide feedback if I missed anything interesting.
Note that the release notes is not meant to be an exhaustive list of the changes, but rather a curated list of the relevant changes that might interest our stakeholders, such as tool vendors based on top of CSA or users with custom checkers.

See the relevant commits by using this command:

git log --oneline llvmorg-18-init..llvm/main   clang/{lib/StaticAnalyzer,include/clang/StaticAnalyzer} | grep -v NFC | grep -v -i revert

Tasks to do before llvm-18 branches off:

We need to adjust/add documentation after the following PRs, to the clang/docs/analyzer/checkers.rst:

• [clang][analyzer] Support fprintf in the SecuritySyntaxChecker #73247: The list in the docs is incomplete. We need to check and update it.
• [analyzer] Add std::variant checker #66481: The StdVariant alpha checker experimental, but we should still have some documentation for it. Now its completely absent.

[llvmbot]

@llvm/pr-subscribers-clang

@llvm/pr-subscribers-clang-static-analyzer-1

Author: Balazs Benics (steakhal)

Changes

This PR prepares the release notes of the Clang Static Analyzer for the llvm-18 release branch, due in about a week.
See the regular release schedule.

This patch was written after examining the relevant Static Analyzer commits since the last release.
Have a look at the commits, and provide feedback if I missed anything interesting.
Note that the release notes is not meant to be an exhaustive list of the changes, but rather a curated list of the relevant changes that might interest our stakeholders, such as tool vendors based on top of CSA or users with custom checkers.

See the relevant commits by using this command:

git log --oneline llvmorg-18-init..llvm/main   clang/{lib/StaticAnalyzer,include/clang/StaticAnalyzer} | grep -v NFC | grep -v -i revert

Tasks to do before llvm-18 branches off:

We need to adjust/add documentation after the following PRs, to the clang/docs/analyzer/checkers.rst:

• #73247: The list in the docs is incomplete. We need to check and update it.
• #66481: The StdVariant alpha checker experimental, but we should still have some documentation for it. Now its completely absent.

---

Full diff: https://github.com/llvm/llvm-project/pull/76446.diff

1 Files Affected:

• (modified) clang/docs/ReleaseNotes.rst (+101-7)

diff --git a/clang/docs/ReleaseNotes.rst b/clang/docs/ReleaseNotes.rst
index ee211c16a48ac8..17b6e285a89ca2 100644
--- a/clang/docs/ReleaseNotes.rst
+++ b/clang/docs/ReleaseNotes.rst
@@ -1052,18 +1052,92 @@ libclang
 Static Analyzer
 ---------------
 
+- Implemented the ``[[clang::suppress]]`` attribute for suppressing diagnostics
+  of static analysis tools, such as the Clang Static Analyzer.
+  `Documentation <https://clang.llvm.org/docs/analyzer/checkers.html#security-cert-env-invalidptr>`__.
+
+- Added a new experimental checker ``alpha.core.StdVariant`` to detect variant
+  accesses via wrong alternatives.
+  (`#66481 <https://github.com/llvm/llvm-project/pull/66481>`_)
+
+- Added a new experimental checker ``alpha.cplusplus.ArrayDelete`` to detect
+  destructions of arrays of polymorphic objects that are destructed as their
+  base class (`CERT EXP51-CPP <https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP51-CPP.+Do+not+delete+an+array+through+a+pointer+of+the+incorrect+type>`_).
+  `Documentation <https://clang.llvm.org/docs/analyzer/checkers.html#alpha-cplusplus-arraydelete-c>`__.
+  (`0e246bb67573 <https://github.com/llvm/llvm-project/commit/0e246bb67573799409d0085b89902a330998ddcc>`_)
+
 - Added a new checker ``core.BitwiseShift`` which reports situations where
   bitwise shift operators produce undefined behavior (because some operand is
   negative or too large).
+  `Documentation <https://clang.llvm.org/docs/analyzer/checkers.html#core-bitwiseshift-c-c>`__.
+
+- Support "Deducing this" (P0847R7). (Worked out of the box)
+  (`af4751738db8 <https://github.com/llvm/llvm-project/commit/af4751738db89a142a8880c782d12d4201b222a8>`__)
 
 - Move checker ``alpha.unix.Errno`` out of the ``alpha`` package
   to ``unix.Errno``.
+  `Documentation <https://clang.llvm.org/docs/analyzer/checkers.html#unix-errno-c>`__.
 
 - Move checker ``alpha.unix.StdCLibraryFunctions`` out of the ``alpha`` package
   to ``unix.StdCLibraryFunctions``.
 
+- Added a new checker configuration option to
+  ``alpha.security.cert.InvalidPtrChecker``.
+  `Documentation <https://clang.llvm.org/docs/analyzer/checkers.html#security-cert-env-invalidptr>`__.
+  (`#67663 <https://github.com/llvm/llvm-project/pull/67663>`_)
+
+- Move checker ``alpha.security.cert.env.InvalidPtr`` out of the ``alpha``
+  package to ``security.cert.env.InvalidPtr``.
+  `Documentation <https://clang.llvm.org/docs/analyzer/checkers.html#security-cert-env-invalidptr>`__.
+
+- Move checker ``alpha.cplusplus.EnumCastOutOfRange`` out of the ``alpha``
+  package to ``optin.core.EnumCastOutOfRange``.
+  `Documentation <https://clang.llvm.org/docs/analyzer/checkers.html#optin-core-enumcastoutofrange-c-c>`__.
+
+- Improved the diagnostics of the ``optin.core.EnumCastOutOfRange`` checker.
+  It will display the name and the declaration of the enumeration along with
+  the concrete value being cast to the enum.
+  (`#74503 <https://github.com/llvm/llvm-project/pull/74503>`_)
+
+- Improved the ``ArrayBoundV2`` checker for detecting buffer accesses prior
+  the buffer; and also reworked the diagnostic messages.
+  (`3e014038b373 <https://github.com/llvm/llvm-project/commit/3e014038b373e5a4a96d89d46cea17e4d2456a04>`_,
+  `#70056 <https://github.com/llvm/llvm-project/pull/70056>`_,
+  `#72107 <https://github.com/llvm/llvm-project/pull/72107>`_)
+
+- Improved the ``CStringChecker`` checking both ends of the buffers in more cases.
+  (`c3a87ddad62a <https://github.com/llvm/llvm-project/commit/c3a87ddad62a6cc01acaccc76592bc6730c8ac3c>`_,
+  `0954dc3fb921 <https://github.com/llvm/llvm-project/commit/0954dc3fb9214b994623f5306473de075f8e3593>`_)
+
+- Improved the ``StreamChecker`` by modeling more functions like,
+  ``fflush``, ``fputs``, ``fgetc``, ``fputc``, ``fopen``, ``fopen``, ``fgets``.
+  (`#74296 <https://github.com/llvm/llvm-project/pull/74296>`_,
+  `#73335 <https://github.com/llvm/llvm-project/pull/73335>`_,
+  `#72627 <https://github.com/llvm/llvm-project/pull/72627>`_,
+  `#71518 <https://github.com/llvm/llvm-project/pull/71518>`_,
+  `#72016 <https://github.com/llvm/llvm-project/pull/72016>`_,
+  `#70540 <https://github.com/llvm/llvm-project/pull/70540>`_,
+  `#73638 <https://github.com/llvm/llvm-project/pull/73638>`_)
+
+- Improved the ``unix.StdCLibraryFunctions`` checker by modeling more functions like ``send``, ``recv``, ``readlink`` and ``errno`` behavior.
+  (`52ac71f92d38 <https://github.com/llvm/llvm-project/commit/52ac71f92d38f75df5cb88e9c090ac5fd5a71548>`_,
+  `#71373 <https://github.com/llvm/llvm-project/pull/71373>`_,
+  `#71392 <https://github.com/llvm/llvm-project/pull/71392>`_)
+
+- Fixed a false negative for when accessing a nonnull property (ObjC).
+  (`1dceba3a3684 <https://github.com/llvm/llvm-project/commit/1dceba3a3684d12394731e09a6cf3efcebf07a3a>`_)
+
+- ``DeprecatedOrUnsafeBufferHandling`` now considers ``fprintf`` calls unsafe.
+  `Documentation <https://clang.llvm.org/docs/analyzer/checkers.html#security-insecureapi-deprecatedorunsafebufferhandling-c>`__.
+
 - Fix false positive in mutation check when using pointer to member function.
-  (`#66204: <https://github.com/llvm/llvm-project/issues/66204>`_).
+  (`#66204 <https://github.com/llvm/llvm-project/issues/66204>`_)
+
+- Fixed a crash caused by ``builtin_bit_cast``.
+  (`#69922 <https://github.com/llvm/llvm-project/issues/69922>`_)
+
+- Fix ``StackAddrEscapeChecker`` crash on temporary object fields.
+  (`#66221 <https://github.com/llvm/llvm-project/issues/66221>`_)
 
 - The ``alpha.security.taint.TaintPropagation`` checker no longer propagates
   taint on ``strlen`` and ``strnlen`` calls, unless these are marked
@@ -1072,16 +1146,36 @@ Static Analyzer
   Read the PR for the details.
   (`#66086 <https://github.com/llvm/llvm-project/pull/66086>`_)
 
+- Other taint-related improvements.
+  (`#66358 <https://github.com/llvm/llvm-project/pull/66358>`_,
+  `#66074 <https://github.com/llvm/llvm-project/pull/66074>`_,
+  `#66358 <https://github.com/llvm/llvm-project/pull/66358>`_)
+
 - A few crashes have been found and fixed using randomized testing related
-  to the use of ``_BitInt()`` in tidy checks and in clang analysis. See
-  `#67212 <https://github.com/llvm/llvm-project/pull/67212>`_,
+  to the use of ``_BitInt()`` in tidy checks and in clang analysis.
+  (`#67212 <https://github.com/llvm/llvm-project/pull/67212>`_,
   `#66782 <https://github.com/llvm/llvm-project/pull/66782>`_,
   `#65889 <https://github.com/llvm/llvm-project/pull/65889>`_,
-  `#65888 <https://github.com/llvm/llvm-project/pull/65888>`_, and
-  `#65887 <https://github.com/llvm/llvm-project/pull/65887>`_
+  `#65888 <https://github.com/llvm/llvm-project/pull/65888>`_,
+  `#65887 <https://github.com/llvm/llvm-project/pull/65887>`_)
 
-- Move checker ``alpha.cplusplus.EnumCastOutOfRange`` out of the ``alpha``
-  package to ``optin.core.EnumCastOutOfRange``.
+- Fixed note links of the HTML output.
+  (`#64054 <https://github.com/llvm/llvm-project/issues/64054>`_)
+
+- Allow widening rage-based for loops.
+  (`#70190 <https://github.com/llvm/llvm-project/pull/70190>`_)
+
+- Fixed uninitialized base class with initializer list when ctor is not
+  declared in the base class.
+  (`#70464 <https://github.com/llvm/llvm-project/issues/70464>`_,
+  `#59493 <https://github.com/llvm/llvm-project/issues/59493>`_,
+  `#54533 <https://github.com/llvm/llvm-project/issues/54533>`_)
+
+- Added support for the ``cleanup`` attribute.
+  `Documentation <https://clang.llvm.org/docs/AttributeReference.html#cleanup>`__.
+
+- Checkers can query constraint bounds to improve diagnostic messages.
+  (`#74141 <https://github.com/llvm/llvm-project/pull/74141>`_)
 
 .. _release-notes-sanitizers:
 

[steakhal]

The docs-clang-html build target produces the following html document at tools/clang/docs/html/ReleaseNotes.html#static-analyzer, without any warnings:

[Xazax-hun]

In some cases, we link to the PR/commit, in other cases only to the documentation. I am OK with this, I was only wondering whether we want to add links to the commits everywhere. Feel free to ignore.

[steakhal]

My reasoning was to always leave a ref to the relevant change. Possibly, including the PR if present to be able to read the discussions.
Given that this release is the only one which is "in transit" from Phabricator to the GH PR workflow, PRs are not always present, hence I opted for linking the commit.
I wanted to avoid referencing Phabricator revisions, as its being phased out AFAIK.

The PR/change is helpful for the users to see concrete diffs/examples how test code was changed, or how certain flags were used. I figured, its not too intrusive, so I opted-in for those.

[steakhal]

[steakhal]

@spaits Could you craft some docs for the experimental std::variant checker?

[steakhal]

I've decided to fix the checker docs for the security.insecureAPI.DeprecatedOrUnsafeBufferHandling.
It turned out to be an easy one as the only missing function was fprintf, so it was already well in sync. I bundled that single word change with this PR for simplicity.

[NagyDonat]

There are several changes that are only relevant for the users who use alpha checkers. Perhaps it would be a good idea to put those into a separate list (or to the end of the list?).

Either way, the update looks good to me, thanks for composing it!

[NagyDonat]

(I didn't check all the links, but overall LGTM.)

[steakhal]

Introduced subsub-sections and ordered them and their content by expected relevance.
The rule of thumb was:

• released stuff comes first, then alpha. etc.
  Also, checkers are always fully named, and named by their user-facing names.

Now the html looks like this:

I'm pretty happy with the result.

[NagyDonat]

Late review: nice reorganization :)