clang  7.0.0svn
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines CStringChecker, which is an assortment of checks on calls
11 // to functions in <string.h>.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "InterCheckerAPI.h"
17 #include "clang/Basic/CharInfo.h"
23 #include "llvm/ADT/STLExtras.h"
24 #include "llvm/ADT/SmallString.h"
25 #include "llvm/Support/raw_ostream.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 namespace {
31 class CStringChecker : public Checker< eval::Call,
32  check::PreStmt<DeclStmt>,
33  check::LiveSymbols,
34  check::DeadSymbols,
35  check::RegionChanges
36  > {
37  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
38  BT_NotCString, BT_AdditionOverflow;
39 
40  mutable const char *CurrentFunctionDescription;
41 
42 public:
43  /// The filter is used to filter out the diagnostics which are not enabled by
44  /// the user.
45  struct CStringChecksFilter {
46  DefaultBool CheckCStringNullArg;
47  DefaultBool CheckCStringOutOfBounds;
48  DefaultBool CheckCStringBufferOverlap;
49  DefaultBool CheckCStringNotNullTerm;
50 
51  CheckName CheckNameCStringNullArg;
52  CheckName CheckNameCStringOutOfBounds;
53  CheckName CheckNameCStringBufferOverlap;
54  CheckName CheckNameCStringNotNullTerm;
55  };
56 
57  CStringChecksFilter Filter;
58 
59  static void *getTag() { static int tag; return &tag; }
60 
61  bool evalCall(const CallExpr *CE, CheckerContext &C) const;
62  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
63  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
64  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
65 
67  checkRegionChanges(ProgramStateRef state,
68  const InvalidatedSymbols *,
69  ArrayRef<const MemRegion *> ExplicitRegions,
71  const LocationContext *LCtx,
72  const CallEvent *Call) const;
73 
74  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
75  const CallExpr *) const;
76 
77  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
78  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
79  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
80  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
81  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
83  const Expr *Size,
84  const Expr *Source,
85  const Expr *Dest,
86  bool Restricted = false,
87  bool IsMempcpy = false) const;
88 
89  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
90 
91  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
92  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
93  void evalstrLengthCommon(CheckerContext &C,
94  const CallExpr *CE,
95  bool IsStrnlen = false) const;
96 
97  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
98  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
99  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
100  void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const;
101  void evalStrcpyCommon(CheckerContext &C,
102  const CallExpr *CE,
103  bool returnEnd,
104  bool isBounded,
105  bool isAppending,
106  bool returnPtr = true) const;
107 
108  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
109  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
110  void evalStrlcat(CheckerContext &C, const CallExpr *CE) const;
111 
112  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
113  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
114  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
115  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
116  void evalStrcmpCommon(CheckerContext &C,
117  const CallExpr *CE,
118  bool isBounded = false,
119  bool ignoreCase = false) const;
120 
121  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
122 
123  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
124  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
125  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
126  void evalMemset(CheckerContext &C, const CallExpr *CE) const;
127 
128  // Utility methods
129  std::pair<ProgramStateRef , ProgramStateRef >
130  static assumeZero(CheckerContext &C,
132 
133  static ProgramStateRef setCStringLength(ProgramStateRef state,
134  const MemRegion *MR,
135  SVal strLength);
136  static SVal getCStringLengthForRegion(CheckerContext &C,
138  const Expr *Ex,
139  const MemRegion *MR,
140  bool hypothetical);
141  SVal getCStringLength(CheckerContext &C,
143  const Expr *Ex,
144  SVal Buf,
145  bool hypothetical = false) const;
146 
147  const StringLiteral *getCStringLiteral(CheckerContext &C,
149  const Expr *expr,
150  SVal val) const;
151 
152  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
154  const Expr *Ex, SVal V,
155  bool IsSourceBuffer,
156  const Expr *Size);
157 
158  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
159  const MemRegion *MR);
160 
161  static bool memsetAux(const Expr *DstBuffer, const Expr *CharE,
162  const Expr *Size, CheckerContext &C,
164 
165  // Re-usable checks
166  ProgramStateRef checkNonNull(CheckerContext &C,
168  const Expr *S,
169  SVal l) const;
170  ProgramStateRef CheckLocation(CheckerContext &C,
172  const Expr *S,
173  SVal l,
174  const char *message = nullptr) const;
175  ProgramStateRef CheckBufferAccess(CheckerContext &C,
177  const Expr *Size,
178  const Expr *FirstBuf,
179  const Expr *SecondBuf,
180  const char *firstMessage = nullptr,
181  const char *secondMessage = nullptr,
182  bool WarnAboutSize = false) const;
183 
184  ProgramStateRef CheckBufferAccess(CheckerContext &C,
186  const Expr *Size,
187  const Expr *Buf,
188  const char *message = nullptr,
189  bool WarnAboutSize = false) const {
190  // This is a convenience override.
191  return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
192  WarnAboutSize);
193  }
194  ProgramStateRef CheckOverlap(CheckerContext &C,
196  const Expr *Size,
197  const Expr *First,
198  const Expr *Second) const;
199  void emitOverlapBug(CheckerContext &C,
201  const Stmt *First,
202  const Stmt *Second) const;
203 
204  void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
205  StringRef WarningMsg) const;
206  void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
207  const Stmt *S, StringRef WarningMsg) const;
208  void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
209  const Stmt *S, StringRef WarningMsg) const;
210  void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
211 
212  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
214  NonLoc left,
215  NonLoc right) const;
216 
217  // Return true if the destination buffer of the copy function may be in bound.
218  // Expects SVal of Size to be positive and unsigned.
219  // Expects SVal of FirstBuf to be a FieldRegion.
220  static bool IsFirstBufInBound(CheckerContext &C,
222  const Expr *FirstBuf,
223  const Expr *Size);
224 };
225 
226 } //end anonymous namespace
227 
228 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
229 
230 //===----------------------------------------------------------------------===//
231 // Individual checks and utility methods.
232 //===----------------------------------------------------------------------===//
233 
234 std::pair<ProgramStateRef , ProgramStateRef >
235 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
236  QualType Ty) {
238  if (!val)
239  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
240 
241  SValBuilder &svalBuilder = C.getSValBuilder();
242  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
243  return state->assume(svalBuilder.evalEQ(state, *val, zero));
244 }
245 
246 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
247  ProgramStateRef state,
248  const Expr *S, SVal l) const {
249  // If a previous check has failed, propagate the failure.
250  if (!state)
251  return nullptr;
252 
253  ProgramStateRef stateNull, stateNonNull;
254  std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
255 
256  if (stateNull && !stateNonNull) {
257  if (Filter.CheckCStringNullArg) {
258  SmallString<80> buf;
259  llvm::raw_svector_ostream os(buf);
260  assert(CurrentFunctionDescription);
261  os << "Null pointer argument in call to " << CurrentFunctionDescription;
262 
263  emitNullArgBug(C, stateNull, S, os.str());
264  }
265  return nullptr;
266  }
267 
268  // From here on, assume that the value is non-null.
269  assert(stateNonNull);
270  return stateNonNull;
271 }
272 
273 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
274 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
275  ProgramStateRef state,
276  const Expr *S, SVal l,
277  const char *warningMsg) const {
278  // If a previous check has failed, propagate the failure.
279  if (!state)
280  return nullptr;
281 
282  // Check for out of bound array element access.
283  const MemRegion *R = l.getAsRegion();
284  if (!R)
285  return state;
286 
287  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
288  if (!ER)
289  return state;
290 
291  if (ER->getValueType() != C.getASTContext().CharTy)
292  return state;
293 
294  // Get the size of the array.
295  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
296  SValBuilder &svalBuilder = C.getSValBuilder();
297  SVal Extent =
298  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
300 
301  // Get the index of the accessed element.
303 
304  ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
305  ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
306  if (StOutBound && !StInBound) {
307  // These checks are either enabled by the CString out-of-bounds checker
308  // explicitly or the "basic" CStringNullArg checker support that Malloc
309  // checker enables.
310  assert(Filter.CheckCStringOutOfBounds || Filter.CheckCStringNullArg);
311 
312  // Emit a bug report.
313  if (warningMsg) {
314  emitOutOfBoundsBug(C, StOutBound, S, warningMsg);
315  } else {
316  assert(CurrentFunctionDescription);
317  assert(CurrentFunctionDescription[0] != '\0');
318 
319  SmallString<80> buf;
320  llvm::raw_svector_ostream os(buf);
321  os << toUppercase(CurrentFunctionDescription[0])
322  << &CurrentFunctionDescription[1]
323  << " accesses out-of-bound array element";
324  emitOutOfBoundsBug(C, StOutBound, S, os.str());
325  }
326  return nullptr;
327  }
328 
329  // Array bound check succeeded. From this point forward the array bound
330  // should always succeed.
331  return StInBound;
332 }
333 
334 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
335  ProgramStateRef state,
336  const Expr *Size,
337  const Expr *FirstBuf,
338  const Expr *SecondBuf,
339  const char *firstMessage,
340  const char *secondMessage,
341  bool WarnAboutSize) const {
342  // If a previous check has failed, propagate the failure.
343  if (!state)
344  return nullptr;
345 
346  SValBuilder &svalBuilder = C.getSValBuilder();
347  ASTContext &Ctx = svalBuilder.getContext();
348  const LocationContext *LCtx = C.getLocationContext();
349 
350  QualType sizeTy = Size->getType();
351  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
352 
353  // Check that the first buffer is non-null.
354  SVal BufVal = C.getSVal(FirstBuf);
355  state = checkNonNull(C, state, FirstBuf, BufVal);
356  if (!state)
357  return nullptr;
358 
359  // If out-of-bounds checking is turned off, skip the rest.
360  if (!Filter.CheckCStringOutOfBounds)
361  return state;
362 
363  // Get the access length and make sure it is known.
364  // FIXME: This assumes the caller has already checked that the access length
365  // is positive. And that it's unsigned.
366  SVal LengthVal = C.getSVal(Size);
367  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
368  if (!Length)
369  return state;
370 
371  // Compute the offset of the last element to be accessed: size-1.
372  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
373  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
374  if (Offset.isUnknown())
375  return nullptr;
376  NonLoc LastOffset = Offset.castAs<NonLoc>();
377 
378  // Check that the first buffer is sufficiently long.
379  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
380  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
381  const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
382 
383  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
384  LastOffset, PtrTy);
385  state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
386 
387  // If the buffer isn't large enough, abort.
388  if (!state)
389  return nullptr;
390  }
391 
392  // If there's a second buffer, check it as well.
393  if (SecondBuf) {
394  BufVal = state->getSVal(SecondBuf, LCtx);
395  state = checkNonNull(C, state, SecondBuf, BufVal);
396  if (!state)
397  return nullptr;
398 
399  BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
400  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
401  const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
402 
403  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
404  LastOffset, PtrTy);
405  state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
406  }
407  }
408 
409  // Large enough or not, return this state!
410  return state;
411 }
412 
413 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
414  ProgramStateRef state,
415  const Expr *Size,
416  const Expr *First,
417  const Expr *Second) const {
418  if (!Filter.CheckCStringBufferOverlap)
419  return state;
420 
421  // Do a simple check for overlap: if the two arguments are from the same
422  // buffer, see if the end of the first is greater than the start of the second
423  // or vice versa.
424 
425  // If a previous check has failed, propagate the failure.
426  if (!state)
427  return nullptr;
428 
429  ProgramStateRef stateTrue, stateFalse;
430 
431  // Get the buffer values and make sure they're known locations.
432  const LocationContext *LCtx = C.getLocationContext();
433  SVal firstVal = state->getSVal(First, LCtx);
434  SVal secondVal = state->getSVal(Second, LCtx);
435 
436  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
437  if (!firstLoc)
438  return state;
439 
440  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
441  if (!secondLoc)
442  return state;
443 
444  // Are the two values the same?
445  SValBuilder &svalBuilder = C.getSValBuilder();
446  std::tie(stateTrue, stateFalse) =
447  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
448 
449  if (stateTrue && !stateFalse) {
450  // If the values are known to be equal, that's automatically an overlap.
451  emitOverlapBug(C, stateTrue, First, Second);
452  return nullptr;
453  }
454 
455  // assume the two expressions are not equal.
456  assert(stateFalse);
457  state = stateFalse;
458 
459  // Which value comes first?
460  QualType cmpTy = svalBuilder.getConditionType();
461  SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT,
462  *firstLoc, *secondLoc, cmpTy);
463  Optional<DefinedOrUnknownSVal> reverseTest =
464  reverse.getAs<DefinedOrUnknownSVal>();
465  if (!reverseTest)
466  return state;
467 
468  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
469  if (stateTrue) {
470  if (stateFalse) {
471  // If we don't know which one comes first, we can't perform this test.
472  return state;
473  } else {
474  // Switch the values so that firstVal is before secondVal.
475  std::swap(firstLoc, secondLoc);
476 
477  // Switch the Exprs as well, so that they still correspond.
478  std::swap(First, Second);
479  }
480  }
481 
482  // Get the length, and make sure it too is known.
483  SVal LengthVal = state->getSVal(Size, LCtx);
484  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
485  if (!Length)
486  return state;
487 
488  // Convert the first buffer's start address to char*.
489  // Bail out if the cast fails.
490  ASTContext &Ctx = svalBuilder.getContext();
491  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
492  SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy,
493  First->getType());
494  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
495  if (!FirstStartLoc)
496  return state;
497 
498  // Compute the end of the first buffer. Bail out if THAT fails.
499  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add,
500  *FirstStartLoc, *Length, CharPtrTy);
501  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
502  if (!FirstEndLoc)
503  return state;
504 
505  // Is the end of the first buffer past the start of the second buffer?
506  SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT,
507  *FirstEndLoc, *secondLoc, cmpTy);
508  Optional<DefinedOrUnknownSVal> OverlapTest =
509  Overlap.getAs<DefinedOrUnknownSVal>();
510  if (!OverlapTest)
511  return state;
512 
513  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
514 
515  if (stateTrue && !stateFalse) {
516  // Overlap!
517  emitOverlapBug(C, stateTrue, First, Second);
518  return nullptr;
519  }
520 
521  // assume the two expressions don't overlap.
522  assert(stateFalse);
523  return stateFalse;
524 }
525 
526 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
527  const Stmt *First, const Stmt *Second) const {
528  ExplodedNode *N = C.generateErrorNode(state);
529  if (!N)
530  return;
531 
532  if (!BT_Overlap)
533  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
534  categories::UnixAPI, "Improper arguments"));
535 
536  // Generate a report for this bug.
537  auto report = llvm::make_unique<BugReport>(
538  *BT_Overlap, "Arguments must not be overlapping buffers", N);
539  report->addRange(First->getSourceRange());
540  report->addRange(Second->getSourceRange());
541 
542  C.emitReport(std::move(report));
543 }
544 
545 void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State,
546  const Stmt *S, StringRef WarningMsg) const {
547  if (ExplodedNode *N = C.generateErrorNode(State)) {
548  if (!BT_Null)
549  BT_Null.reset(new BuiltinBug(
550  Filter.CheckNameCStringNullArg, categories::UnixAPI,
551  "Null pointer argument in call to byte string function"));
552 
553  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Null.get());
554  auto Report = llvm::make_unique<BugReport>(*BT, WarningMsg, N);
555  bugreporter::trackNullOrUndefValue(N, S, *Report);
556  C.emitReport(std::move(Report));
557  }
558 }
559 
560 void CStringChecker::emitOutOfBoundsBug(CheckerContext &C,
561  ProgramStateRef State, const Stmt *S,
562  StringRef WarningMsg) const {
563  if (ExplodedNode *N = C.generateErrorNode(State)) {
564  if (!BT_Bounds)
565  BT_Bounds.reset(new BuiltinBug(
566  Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds
567  : Filter.CheckNameCStringNullArg,
568  "Out-of-bound array access",
569  "Byte string function accesses out-of-bound array element"));
570 
571  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Bounds.get());
572 
573  // FIXME: It would be nice to eventually make this diagnostic more clear,
574  // e.g., by referencing the original declaration or by saying *why* this
575  // reference is outside the range.
576  auto Report = llvm::make_unique<BugReport>(*BT, WarningMsg, N);
577  Report->addRange(S->getSourceRange());
578  C.emitReport(std::move(Report));
579  }
580 }
581 
582 void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
583  const Stmt *S,
584  StringRef WarningMsg) const {
585  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
586  if (!BT_NotCString)
587  BT_NotCString.reset(new BuiltinBug(
588  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
589  "Argument is not a null-terminated string."));
590 
591  auto Report = llvm::make_unique<BugReport>(*BT_NotCString, WarningMsg, N);
592 
593  Report->addRange(S->getSourceRange());
594  C.emitReport(std::move(Report));
595  }
596 }
597 
598 void CStringChecker::emitAdditionOverflowBug(CheckerContext &C,
599  ProgramStateRef State) const {
600  if (ExplodedNode *N = C.generateErrorNode(State)) {
601  if (!BT_NotCString)
602  BT_NotCString.reset(
603  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
604  "Sum of expressions causes overflow."));
605 
606  // This isn't a great error message, but this should never occur in real
607  // code anyway -- you'd have to create a buffer longer than a size_t can
608  // represent, which is sort of a contradiction.
609  const char *WarningMsg =
610  "This expression will create a string whose length is too big to "
611  "be represented as a size_t";
612 
613  auto Report = llvm::make_unique<BugReport>(*BT_NotCString, WarningMsg, N);
614  C.emitReport(std::move(Report));
615  }
616 }
617 
618 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
619  ProgramStateRef state,
620  NonLoc left,
621  NonLoc right) const {
622  // If out-of-bounds checking is turned off, skip the rest.
623  if (!Filter.CheckCStringOutOfBounds)
624  return state;
625 
626  // If a previous check has failed, propagate the failure.
627  if (!state)
628  return nullptr;
629 
630  SValBuilder &svalBuilder = C.getSValBuilder();
631  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
632 
633  QualType sizeTy = svalBuilder.getContext().getSizeType();
634  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
635  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
636 
637  SVal maxMinusRight;
638  if (right.getAs<nonloc::ConcreteInt>()) {
639  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
640  sizeTy);
641  } else {
642  // Try switching the operands. (The order of these two assignments is
643  // important!)
644  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
645  sizeTy);
646  left = right;
647  }
648 
649  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
650  QualType cmpTy = svalBuilder.getConditionType();
651  // If left > max - right, we have an overflow.
652  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
653  *maxMinusRightNL, cmpTy);
654 
655  ProgramStateRef stateOverflow, stateOkay;
656  std::tie(stateOverflow, stateOkay) =
657  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
658 
659  if (stateOverflow && !stateOkay) {
660  // We have an overflow. Emit a bug report.
661  emitAdditionOverflowBug(C, stateOverflow);
662  return nullptr;
663  }
664 
665  // From now on, assume an overflow didn't occur.
666  assert(stateOkay);
667  state = stateOkay;
668  }
669 
670  return state;
671 }
672 
673 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
674  const MemRegion *MR,
675  SVal strLength) {
676  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
677 
678  MR = MR->StripCasts();
679 
680  switch (MR->getKind()) {
681  case MemRegion::StringRegionKind:
682  // FIXME: This can happen if we strcpy() into a string region. This is
683  // undefined [C99 6.4.5p6], but we should still warn about it.
684  return state;
685 
686  case MemRegion::SymbolicRegionKind:
687  case MemRegion::AllocaRegionKind:
688  case MemRegion::VarRegionKind:
689  case MemRegion::FieldRegionKind:
690  case MemRegion::ObjCIvarRegionKind:
691  // These are the types we can currently track string lengths for.
692  break;
693 
694  case MemRegion::ElementRegionKind:
695  // FIXME: Handle element regions by upper-bounding the parent region's
696  // string length.
697  return state;
698 
699  default:
700  // Other regions (mostly non-data) can't have a reliable C string length.
701  // For now, just ignore the change.
702  // FIXME: These are rare but not impossible. We should output some kind of
703  // warning for things like strcpy((char[]){'a', 0}, "b");
704  return state;
705  }
706 
707  if (strLength.isUnknown())
708  return state->remove<CStringLength>(MR);
709 
710  return state->set<CStringLength>(MR, strLength);
711 }
712 
713 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
714  ProgramStateRef &state,
715  const Expr *Ex,
716  const MemRegion *MR,
717  bool hypothetical) {
718  if (!hypothetical) {
719  // If there's a recorded length, go ahead and return it.
720  const SVal *Recorded = state->get<CStringLength>(MR);
721  if (Recorded)
722  return *Recorded;
723  }
724 
725  // Otherwise, get a new symbol and update the state.
726  SValBuilder &svalBuilder = C.getSValBuilder();
727  QualType sizeTy = svalBuilder.getContext().getSizeType();
728  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
729  MR, Ex, sizeTy,
730  C.getLocationContext(),
731  C.blockCount());
732 
733  if (!hypothetical) {
734  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
735  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
736  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
737  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
738  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
739  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
740  fourInt);
741  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
742  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
743  maxLength, sizeTy);
744  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
745  }
746  state = state->set<CStringLength>(MR, strLength);
747  }
748 
749  return strLength;
750 }
751 
752 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
753  const Expr *Ex, SVal Buf,
754  bool hypothetical) const {
755  const MemRegion *MR = Buf.getAsRegion();
756  if (!MR) {
757  // If we can't get a region, see if it's something we /know/ isn't a
758  // C string. In the context of locations, the only time we can issue such
759  // a warning is for labels.
761  if (Filter.CheckCStringNotNullTerm) {
762  SmallString<120> buf;
763  llvm::raw_svector_ostream os(buf);
764  assert(CurrentFunctionDescription);
765  os << "Argument to " << CurrentFunctionDescription
766  << " is the address of the label '" << Label->getLabel()->getName()
767  << "', which is not a null-terminated string";
768 
769  emitNotCStringBug(C, state, Ex, os.str());
770  }
771  return UndefinedVal();
772  }
773 
774  // If it's not a region and not a label, give up.
775  return UnknownVal();
776  }
777 
778  // If we have a region, strip casts from it and see if we can figure out
779  // its length. For anything we can't figure out, just return UnknownVal.
780  MR = MR->StripCasts();
781 
782  switch (MR->getKind()) {
783  case MemRegion::StringRegionKind: {
784  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
785  // so we can assume that the byte length is the correct C string length.
786  SValBuilder &svalBuilder = C.getSValBuilder();
787  QualType sizeTy = svalBuilder.getContext().getSizeType();
788  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
789  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
790  }
791  case MemRegion::SymbolicRegionKind:
792  case MemRegion::AllocaRegionKind:
793  case MemRegion::VarRegionKind:
794  case MemRegion::FieldRegionKind:
795  case MemRegion::ObjCIvarRegionKind:
796  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
797  case MemRegion::CompoundLiteralRegionKind:
798  // FIXME: Can we track this? Is it necessary?
799  return UnknownVal();
800  case MemRegion::ElementRegionKind:
801  // FIXME: How can we handle this? It's not good enough to subtract the
802  // offset from the base string length; consider "123\x00567" and &a[5].
803  return UnknownVal();
804  default:
805  // Other regions (mostly non-data) can't have a reliable C string length.
806  // In this case, an error is emitted and UndefinedVal is returned.
807  // The caller should always be prepared to handle this case.
808  if (Filter.CheckCStringNotNullTerm) {
809  SmallString<120> buf;
810  llvm::raw_svector_ostream os(buf);
811 
812  assert(CurrentFunctionDescription);
813  os << "Argument to " << CurrentFunctionDescription << " is ";
814 
815  if (SummarizeRegion(os, C.getASTContext(), MR))
816  os << ", which is not a null-terminated string";
817  else
818  os << "not a null-terminated string";
819 
820  emitNotCStringBug(C, state, Ex, os.str());
821  }
822  return UndefinedVal();
823  }
824 }
825 
826 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
827  ProgramStateRef &state, const Expr *expr, SVal val) const {
828 
829  // Get the memory region pointed to by the val.
830  const MemRegion *bufRegion = val.getAsRegion();
831  if (!bufRegion)
832  return nullptr;
833 
834  // Strip casts off the memory region.
835  bufRegion = bufRegion->StripCasts();
836 
837  // Cast the memory region to a string region.
838  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
839  if (!strRegion)
840  return nullptr;
841 
842  // Return the actual string in the string region.
843  return strRegion->getStringLiteral();
844 }
845 
846 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
847  ProgramStateRef state,
848  const Expr *FirstBuf,
849  const Expr *Size) {
850  // If we do not know that the buffer is long enough we return 'true'.
851  // Otherwise the parent region of this field region would also get
852  // invalidated, which would lead to warnings based on an unknown state.
853 
854  // Originally copied from CheckBufferAccess and CheckLocation.
855  SValBuilder &svalBuilder = C.getSValBuilder();
856  ASTContext &Ctx = svalBuilder.getContext();
857  const LocationContext *LCtx = C.getLocationContext();
858 
859  QualType sizeTy = Size->getType();
860  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
861  SVal BufVal = state->getSVal(FirstBuf, LCtx);
862 
863  SVal LengthVal = state->getSVal(Size, LCtx);
864  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
865  if (!Length)
866  return true; // cf top comment.
867 
868  // Compute the offset of the last element to be accessed: size-1.
869  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
870  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
871  if (Offset.isUnknown())
872  return true; // cf top comment
873  NonLoc LastOffset = Offset.castAs<NonLoc>();
874 
875  // Check that the first buffer is sufficiently long.
876  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
877  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
878  if (!BufLoc)
879  return true; // cf top comment.
880 
881  SVal BufEnd =
882  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
883 
884  // Check for out of bound array element access.
885  const MemRegion *R = BufEnd.getAsRegion();
886  if (!R)
887  return true; // cf top comment.
888 
889  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
890  if (!ER)
891  return true; // cf top comment.
892 
893  // FIXME: Does this crash when a non-standard definition
894  // of a library function is encountered?
895  assert(ER->getValueType() == C.getASTContext().CharTy &&
896  "IsFirstBufInBound should only be called with char* ElementRegions");
897 
898  // Get the size of the array.
899  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
900  SVal Extent =
901  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
902  DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
903 
904  // Get the index of the accessed element.
906 
907  ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true);
908 
909  return static_cast<bool>(StInBound);
910 }
911 
912 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
913  ProgramStateRef state,
914  const Expr *E, SVal V,
915  bool IsSourceBuffer,
916  const Expr *Size) {
917  Optional<Loc> L = V.getAs<Loc>();
918  if (!L)
919  return state;
920 
921  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
922  // some assumptions about the value that CFRefCount can't. Even so, it should
923  // probably be refactored.
924  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
925  const MemRegion *R = MR->getRegion()->StripCasts();
926 
927  // Are we dealing with an ElementRegion? If so, we should be invalidating
928  // the super-region.
929  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
930  R = ER->getSuperRegion();
931  // FIXME: What about layers of ElementRegions?
932  }
933 
934  // Invalidate this region.
936 
937  bool CausesPointerEscape = false;
939  // Invalidate and escape only indirect regions accessible through the source
940  // buffer.
941  if (IsSourceBuffer) {
942  ITraits.setTrait(R->getBaseRegion(),
945  CausesPointerEscape = true;
946  } else {
947  const MemRegion::Kind& K = R->getKind();
948  if (K == MemRegion::FieldRegionKind)
949  if (Size && IsFirstBufInBound(C, state, E, Size)) {
950  // If destination buffer is a field region and access is in bound,
951  // do not invalidate its super region.
952  ITraits.setTrait(
953  R,
955  }
956  }
957 
958  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
959  CausesPointerEscape, nullptr, nullptr,
960  &ITraits);
961  }
962 
963  // If we have a non-region value by chance, just remove the binding.
964  // FIXME: is this necessary or correct? This handles the non-Region
965  // cases. Is it ever valid to store to these?
966  return state->killBinding(*L);
967 }
968 
969 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
970  const MemRegion *MR) {
971  const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR);
972 
973  switch (MR->getKind()) {
974  case MemRegion::FunctionCodeRegionKind: {
975  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
976  if (FD)
977  os << "the address of the function '" << *FD << '\'';
978  else
979  os << "the address of a function";
980  return true;
981  }
982  case MemRegion::BlockCodeRegionKind:
983  os << "block text";
984  return true;
985  case MemRegion::BlockDataRegionKind:
986  os << "a block";
987  return true;
988  case MemRegion::CXXThisRegionKind:
989  case MemRegion::CXXTempObjectRegionKind:
990  os << "a C++ temp object of type " << TVR->getValueType().getAsString();
991  return true;
992  case MemRegion::VarRegionKind:
993  os << "a variable of type" << TVR->getValueType().getAsString();
994  return true;
995  case MemRegion::FieldRegionKind:
996  os << "a field of type " << TVR->getValueType().getAsString();
997  return true;
998  case MemRegion::ObjCIvarRegionKind:
999  os << "an instance variable of type " << TVR->getValueType().getAsString();
1000  return true;
1001  default:
1002  return false;
1003  }
1004 }
1005 
1006 bool CStringChecker::memsetAux(const Expr *DstBuffer, const Expr *CharE,
1007  const Expr *Size, CheckerContext &C,
1008  ProgramStateRef &State) {
1009  SVal MemVal = C.getSVal(DstBuffer);
1010  SVal CharVal = C.getSVal(CharE);
1011  SVal SizeVal = C.getSVal(Size);
1012  const MemRegion *MR = MemVal.getAsRegion();
1013  if (!MR)
1014  return false;
1015 
1016  // We're about to model memset by producing a "default binding" in the Store.
1017  // Our current implementation - RegionStore - doesn't support default bindings
1018  // that don't cover the whole base region. So we should first get the offset
1019  // and the base region to figure out whether the offset of buffer is 0.
1020  RegionOffset Offset = MR->getAsOffset();
1021  const MemRegion *BR = Offset.getRegion();
1022 
1023  Optional<NonLoc> SizeNL = SizeVal.getAs<NonLoc>();
1024  if (!SizeNL)
1025  return false;
1026 
1027  SValBuilder &svalBuilder = C.getSValBuilder();
1028  ASTContext &Ctx = C.getASTContext();
1029 
1030  // void *memset(void *dest, int ch, size_t count);
1031  // For now we can only handle the case of offset is 0 and concrete char value.
1032  if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
1033  Offset.getOffset() == 0) {
1034  // Get the base region's extent.
1035  auto *SubReg = cast<SubRegion>(BR);
1036  DefinedOrUnknownSVal Extent = SubReg->getExtent(svalBuilder);
1037 
1038  ProgramStateRef StateWholeReg, StateNotWholeReg;
1039  std::tie(StateWholeReg, StateNotWholeReg) =
1040  State->assume(svalBuilder.evalEQ(State, Extent, *SizeNL));
1041 
1042  // With the semantic of 'memset()', we should convert the CharVal to
1043  // unsigned char.
1044  CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);
1045 
1046  ProgramStateRef StateNullChar, StateNonNullChar;
1047  std::tie(StateNullChar, StateNonNullChar) =
1048  assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
1049 
1050  if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
1051  !StateNonNullChar) {
1052  // If the 'memset()' acts on the whole region of destination buffer and
1053  // the value of the second argument of 'memset()' is zero, bind the second
1054  // argument's value to the destination buffer with 'default binding'.
1055  // FIXME: Since there is no perfect way to bind the non-zero character, we
1056  // can only deal with zero value here. In the future, we need to deal with
1057  // the binding of non-zero value in the case of whole region.
1058  State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
1059  C.getLocationContext());
1060  } else {
1061  // If the destination buffer's extent is not equal to the value of
1062  // third argument, just invalidate buffer.
1063  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1064  /*IsSourceBuffer*/ false, Size);
1065  }
1066 
1067  if (StateNullChar && !StateNonNullChar) {
1068  // If the value of the second argument of 'memset()' is zero, set the
1069  // string length of destination buffer to 0 directly.
1070  State = setCStringLength(State, MR,
1071  svalBuilder.makeZeroVal(Ctx.getSizeType()));
1072  } else if (!StateNullChar && StateNonNullChar) {
1073  SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
1074  CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
1075  C.getLocationContext(), C.blockCount());
1076 
1077  // If the value of second argument is not zero, then the string length
1078  // is at least the size argument.
1079  SVal NewStrLenGESize = svalBuilder.evalBinOp(
1080  State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
1081 
1082  State = setCStringLength(
1083  State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
1084  MR, NewStrLen);
1085  }
1086  } else {
1087  // If the offset is not zero and char value is not concrete, we can do
1088  // nothing but invalidate the buffer.
1089  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1090  /*IsSourceBuffer*/ false, Size);
1091  }
1092  return true;
1093 }
1094 
1095 //===----------------------------------------------------------------------===//
1096 // evaluation of individual function calls.
1097 //===----------------------------------------------------------------------===//
1098 
1099 void CStringChecker::evalCopyCommon(CheckerContext &C,
1100  const CallExpr *CE,
1101  ProgramStateRef state,
1102  const Expr *Size, const Expr *Dest,
1103  const Expr *Source, bool Restricted,
1104  bool IsMempcpy) const {
1105  CurrentFunctionDescription = "memory copy function";
1106 
1107  // See if the size argument is zero.
1108  const LocationContext *LCtx = C.getLocationContext();
1109  SVal sizeVal = state->getSVal(Size, LCtx);
1110  QualType sizeTy = Size->getType();
1111 
1112  ProgramStateRef stateZeroSize, stateNonZeroSize;
1113  std::tie(stateZeroSize, stateNonZeroSize) =
1114  assumeZero(C, state, sizeVal, sizeTy);
1115 
1116  // Get the value of the Dest.
1117  SVal destVal = state->getSVal(Dest, LCtx);
1118 
1119  // If the size is zero, there won't be any actual memory access, so
1120  // just bind the return value to the destination buffer and return.
1121  if (stateZeroSize && !stateNonZeroSize) {
1122  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1123  C.addTransition(stateZeroSize);
1124  return;
1125  }
1126 
1127  // If the size can be nonzero, we have to check the other arguments.
1128  if (stateNonZeroSize) {
1129  state = stateNonZeroSize;
1130 
1131  // Ensure the destination is not null. If it is NULL there will be a
1132  // NULL pointer dereference.
1133  state = checkNonNull(C, state, Dest, destVal);
1134  if (!state)
1135  return;
1136 
1137  // Get the value of the Src.
1138  SVal srcVal = state->getSVal(Source, LCtx);
1139 
1140  // Ensure the source is not null. If it is NULL there will be a
1141  // NULL pointer dereference.
1142  state = checkNonNull(C, state, Source, srcVal);
1143  if (!state)
1144  return;
1145 
1146  // Ensure the accesses are valid and that the buffers do not overlap.
1147  const char * const writeWarning =
1148  "Memory copy function overflows destination buffer";
1149  state = CheckBufferAccess(C, state, Size, Dest, Source,
1150  writeWarning, /* sourceWarning = */ nullptr);
1151  if (Restricted)
1152  state = CheckOverlap(C, state, Size, Dest, Source);
1153 
1154  if (!state)
1155  return;
1156 
1157  // If this is mempcpy, get the byte after the last byte copied and
1158  // bind the expr.
1159  if (IsMempcpy) {
1160  // Get the byte after the last byte copied.
1161  SValBuilder &SvalBuilder = C.getSValBuilder();
1162  ASTContext &Ctx = SvalBuilder.getContext();
1163  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1164  SVal DestRegCharVal =
1165  SvalBuilder.evalCast(destVal, CharPtrTy, Dest->getType());
1166  SVal lastElement = C.getSValBuilder().evalBinOp(
1167  state, BO_Add, DestRegCharVal, sizeVal, Dest->getType());
1168  // If we don't know how much we copied, we can at least
1169  // conjure a return value for later.
1170  if (lastElement.isUnknown())
1171  lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1172  C.blockCount());
1173 
1174  // The byte after the last byte copied is the return value.
1175  state = state->BindExpr(CE, LCtx, lastElement);
1176  } else {
1177  // All other copies return the destination buffer.
1178  // (Well, bcopy() has a void return type, but this won't hurt.)
1179  state = state->BindExpr(CE, LCtx, destVal);
1180  }
1181 
1182  // Invalidate the destination (regular invalidation without pointer-escaping
1183  // the address of the top-level region).
1184  // FIXME: Even if we can't perfectly model the copy, we should see if we
1185  // can use LazyCompoundVals to copy the source values into the destination.
1186  // This would probably remove any existing bindings past the end of the
1187  // copied region, but that's still an improvement over blank invalidation.
1188  state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest),
1189  /*IsSourceBuffer*/false, Size);
1190 
1191  // Invalidate the source (const-invalidation without const-pointer-escaping
1192  // the address of the top-level region).
1193  state = InvalidateBuffer(C, state, Source, C.getSVal(Source),
1194  /*IsSourceBuffer*/true, nullptr);
1195 
1196  C.addTransition(state);
1197  }
1198 }
1199 
1200 
1201 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1202  if (CE->getNumArgs() < 3)
1203  return;
1204 
1205  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1206  // The return value is the address of the destination buffer.
1207  const Expr *Dest = CE->getArg(0);
1208  ProgramStateRef state = C.getState();
1209 
1210  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true);
1211 }
1212 
1213 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1214  if (CE->getNumArgs() < 3)
1215  return;
1216 
1217  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1218  // The return value is a pointer to the byte following the last written byte.
1219  const Expr *Dest = CE->getArg(0);
1220  ProgramStateRef state = C.getState();
1221 
1222  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
1223 }
1224 
1225 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1226  if (CE->getNumArgs() < 3)
1227  return;
1228 
1229  // void *memmove(void *dst, const void *src, size_t n);
1230  // The return value is the address of the destination buffer.
1231  const Expr *Dest = CE->getArg(0);
1232  ProgramStateRef state = C.getState();
1233 
1234  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
1235 }
1236 
1237 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1238  if (CE->getNumArgs() < 3)
1239  return;
1240 
1241  // void bcopy(const void *src, void *dst, size_t n);
1242  evalCopyCommon(C, CE, C.getState(),
1243  CE->getArg(2), CE->getArg(1), CE->getArg(0));
1244 }
1245 
1246 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1247  if (CE->getNumArgs() < 3)
1248  return;
1249 
1250  // int memcmp(const void *s1, const void *s2, size_t n);
1251  CurrentFunctionDescription = "memory comparison function";
1252 
1253  const Expr *Left = CE->getArg(0);
1254  const Expr *Right = CE->getArg(1);
1255  const Expr *Size = CE->getArg(2);
1256 
1257  ProgramStateRef state = C.getState();
1258  SValBuilder &svalBuilder = C.getSValBuilder();
1259 
1260  // See if the size argument is zero.
1261  const LocationContext *LCtx = C.getLocationContext();
1262  SVal sizeVal = state->getSVal(Size, LCtx);
1263  QualType sizeTy = Size->getType();
1264 
1265  ProgramStateRef stateZeroSize, stateNonZeroSize;
1266  std::tie(stateZeroSize, stateNonZeroSize) =
1267  assumeZero(C, state, sizeVal, sizeTy);
1268 
1269  // If the size can be zero, the result will be 0 in that case, and we don't
1270  // have to check either of the buffers.
1271  if (stateZeroSize) {
1272  state = stateZeroSize;
1273  state = state->BindExpr(CE, LCtx,
1274  svalBuilder.makeZeroVal(CE->getType()));
1275  C.addTransition(state);
1276  }
1277 
1278  // If the size can be nonzero, we have to check the other arguments.
1279  if (stateNonZeroSize) {
1280  state = stateNonZeroSize;
1281  // If we know the two buffers are the same, we know the result is 0.
1282  // First, get the two buffers' addresses. Another checker will have already
1283  // made sure they're not undefined.
1285  state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>();
1287  state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>();
1288 
1289  // See if they are the same.
1290  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1291  ProgramStateRef StSameBuf, StNotSameBuf;
1292  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1293 
1294  // If the two arguments might be the same buffer, we know the result is 0,
1295  // and we only need to check one size.
1296  if (StSameBuf) {
1297  state = StSameBuf;
1298  state = CheckBufferAccess(C, state, Size, Left);
1299  if (state) {
1300  state = StSameBuf->BindExpr(CE, LCtx,
1301  svalBuilder.makeZeroVal(CE->getType()));
1302  C.addTransition(state);
1303  }
1304  }
1305 
1306  // If the two arguments might be different buffers, we have to check the
1307  // size of both of them.
1308  if (StNotSameBuf) {
1309  state = StNotSameBuf;
1310  state = CheckBufferAccess(C, state, Size, Left, Right);
1311  if (state) {
1312  // The return value is the comparison result, which we don't know.
1313  SVal CmpV = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1314  C.blockCount());
1315  state = state->BindExpr(CE, LCtx, CmpV);
1316  C.addTransition(state);
1317  }
1318  }
1319  }
1320 }
1321 
1322 void CStringChecker::evalstrLength(CheckerContext &C,
1323  const CallExpr *CE) const {
1324  if (CE->getNumArgs() < 1)
1325  return;
1326 
1327  // size_t strlen(const char *s);
1328  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1329 }
1330 
1331 void CStringChecker::evalstrnLength(CheckerContext &C,
1332  const CallExpr *CE) const {
1333  if (CE->getNumArgs() < 2)
1334  return;
1335 
1336  // size_t strnlen(const char *s, size_t maxlen);
1337  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1338 }
1339 
1340 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1341  bool IsStrnlen) const {
1342  CurrentFunctionDescription = "string length function";
1343  ProgramStateRef state = C.getState();
1344  const LocationContext *LCtx = C.getLocationContext();
1345 
1346  if (IsStrnlen) {
1347  const Expr *maxlenExpr = CE->getArg(1);
1348  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1349 
1350  ProgramStateRef stateZeroSize, stateNonZeroSize;
1351  std::tie(stateZeroSize, stateNonZeroSize) =
1352  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1353 
1354  // If the size can be zero, the result will be 0 in that case, and we don't
1355  // have to check the string itself.
1356  if (stateZeroSize) {
1357  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1358  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1359  C.addTransition(stateZeroSize);
1360  }
1361 
1362  // If the size is GUARANTEED to be zero, we're done!
1363  if (!stateNonZeroSize)
1364  return;
1365 
1366  // Otherwise, record the assumption that the size is nonzero.
1367  state = stateNonZeroSize;
1368  }
1369 
1370  // Check that the string argument is non-null.
1371  const Expr *Arg = CE->getArg(0);
1372  SVal ArgVal = state->getSVal(Arg, LCtx);
1373 
1374  state = checkNonNull(C, state, Arg, ArgVal);
1375 
1376  if (!state)
1377  return;
1378 
1379  SVal strLength = getCStringLength(C, state, Arg, ArgVal);
1380 
1381  // If the argument isn't a valid C string, there's no valid state to
1382  // transition to.
1383  if (strLength.isUndef())
1384  return;
1385 
1386  DefinedOrUnknownSVal result = UnknownVal();
1387 
1388  // If the check is for strnlen() then bind the return value to no more than
1389  // the maxlen value.
1390  if (IsStrnlen) {
1392 
1393  // It's a little unfortunate to be getting this again,
1394  // but it's not that expensive...
1395  const Expr *maxlenExpr = CE->getArg(1);
1396  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1397 
1398  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1399  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1400 
1401  if (strLengthNL && maxlenValNL) {
1402  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1403 
1404  // Check if the strLength is greater than the maxlen.
1405  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1406  C.getSValBuilder()
1407  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1409 
1410  if (stateStringTooLong && !stateStringNotTooLong) {
1411  // If the string is longer than maxlen, return maxlen.
1412  result = *maxlenValNL;
1413  } else if (stateStringNotTooLong && !stateStringTooLong) {
1414  // If the string is shorter than maxlen, return its length.
1415  result = *strLengthNL;
1416  }
1417  }
1418 
1419  if (result.isUnknown()) {
1420  // If we don't have enough information for a comparison, there's
1421  // no guarantee the full string length will actually be returned.
1422  // All we know is the return value is the min of the string length
1423  // and the limit. This is better than nothing.
1424  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1425  C.blockCount());
1426  NonLoc resultNL = result.castAs<NonLoc>();
1427 
1428  if (strLengthNL) {
1429  state = state->assume(C.getSValBuilder().evalBinOpNN(
1430  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1431  .castAs<DefinedOrUnknownSVal>(), true);
1432  }
1433 
1434  if (maxlenValNL) {
1435  state = state->assume(C.getSValBuilder().evalBinOpNN(
1436  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1437  .castAs<DefinedOrUnknownSVal>(), true);
1438  }
1439  }
1440 
1441  } else {
1442  // This is a plain strlen(), not strnlen().
1443  result = strLength.castAs<DefinedOrUnknownSVal>();
1444 
1445  // If we don't know the length of the string, conjure a return
1446  // value, so it can be used in constraints, at least.
1447  if (result.isUnknown()) {
1448  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1449  C.blockCount());
1450  }
1451  }
1452 
1453  // Bind the return value.
1454  assert(!result.isUnknown() && "Should have conjured a value by now");
1455  state = state->BindExpr(CE, LCtx, result);
1456  C.addTransition(state);
1457 }
1458 
1459 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1460  if (CE->getNumArgs() < 2)
1461  return;
1462 
1463  // char *strcpy(char *restrict dst, const char *restrict src);
1464  evalStrcpyCommon(C, CE,
1465  /* returnEnd = */ false,
1466  /* isBounded = */ false,
1467  /* isAppending = */ false);
1468 }
1469 
1470 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1471  if (CE->getNumArgs() < 3)
1472  return;
1473 
1474  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1475  evalStrcpyCommon(C, CE,
1476  /* returnEnd = */ false,
1477  /* isBounded = */ true,
1478  /* isAppending = */ false);
1479 }
1480 
1481 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1482  if (CE->getNumArgs() < 2)
1483  return;
1484 
1485  // char *stpcpy(char *restrict dst, const char *restrict src);
1486  evalStrcpyCommon(C, CE,
1487  /* returnEnd = */ true,
1488  /* isBounded = */ false,
1489  /* isAppending = */ false);
1490 }
1491 
1492 void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const {
1493  if (CE->getNumArgs() < 3)
1494  return;
1495 
1496  // char *strlcpy(char *dst, const char *src, size_t n);
1497  evalStrcpyCommon(C, CE,
1498  /* returnEnd = */ true,
1499  /* isBounded = */ true,
1500  /* isAppending = */ false,
1501  /* returnPtr = */ false);
1502 }
1503 
1504 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1505  if (CE->getNumArgs() < 2)
1506  return;
1507 
1508  //char *strcat(char *restrict s1, const char *restrict s2);
1509  evalStrcpyCommon(C, CE,
1510  /* returnEnd = */ false,
1511  /* isBounded = */ false,
1512  /* isAppending = */ true);
1513 }
1514 
1515 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1516  if (CE->getNumArgs() < 3)
1517  return;
1518 
1519  //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1520  evalStrcpyCommon(C, CE,
1521  /* returnEnd = */ false,
1522  /* isBounded = */ true,
1523  /* isAppending = */ true);
1524 }
1525 
1526 void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const {
1527  if (CE->getNumArgs() < 3)
1528  return;
1529 
1530  //char *strlcat(char *s1, const char *s2, size_t n);
1531  evalStrcpyCommon(C, CE,
1532  /* returnEnd = */ false,
1533  /* isBounded = */ true,
1534  /* isAppending = */ true,
1535  /* returnPtr = */ false);
1536 }
1537 
1538 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1539  bool returnEnd, bool isBounded,
1540  bool isAppending, bool returnPtr) const {
1541  CurrentFunctionDescription = "string copy function";
1542  ProgramStateRef state = C.getState();
1543  const LocationContext *LCtx = C.getLocationContext();
1544 
1545  // Check that the destination is non-null.
1546  const Expr *Dst = CE->getArg(0);
1547  SVal DstVal = state->getSVal(Dst, LCtx);
1548 
1549  state = checkNonNull(C, state, Dst, DstVal);
1550  if (!state)
1551  return;
1552 
1553  // Check that the source is non-null.
1554  const Expr *srcExpr = CE->getArg(1);
1555  SVal srcVal = state->getSVal(srcExpr, LCtx);
1556  state = checkNonNull(C, state, srcExpr, srcVal);
1557  if (!state)
1558  return;
1559 
1560  // Get the string length of the source.
1561  SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
1562 
1563  // If the source isn't a valid C string, give up.
1564  if (strLength.isUndef())
1565  return;
1566 
1567  SValBuilder &svalBuilder = C.getSValBuilder();
1568  QualType cmpTy = svalBuilder.getConditionType();
1569  QualType sizeTy = svalBuilder.getContext().getSizeType();
1570 
1571  // These two values allow checking two kinds of errors:
1572  // - actual overflows caused by a source that doesn't fit in the destination
1573  // - potential overflows caused by a bound that could exceed the destination
1574  SVal amountCopied = UnknownVal();
1575  SVal maxLastElementIndex = UnknownVal();
1576  const char *boundWarning = nullptr;
1577 
1578  state = CheckOverlap(C, state, isBounded ? CE->getArg(2) : CE->getArg(1), Dst, srcExpr);
1579 
1580  if (!state)
1581  return;
1582 
1583  // If the function is strncpy, strncat, etc... it is bounded.
1584  if (isBounded) {
1585  // Get the max number of characters to copy.
1586  const Expr *lenExpr = CE->getArg(2);
1587  SVal lenVal = state->getSVal(lenExpr, LCtx);
1588 
1589  // Protect against misdeclared strncpy().
1590  lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
1591 
1592  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1593  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1594 
1595  // If we know both values, we might be able to figure out how much
1596  // we're copying.
1597  if (strLengthNL && lenValNL) {
1598  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1599 
1600  // Check if the max number to copy is less than the length of the src.
1601  // If the bound is equal to the source length, strncpy won't null-
1602  // terminate the result!
1603  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1604  svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1606 
1607  if (stateSourceTooLong && !stateSourceNotTooLong) {
1608  // Max number to copy is less than the length of the src, so the actual
1609  // strLength copied is the max number arg.
1610  state = stateSourceTooLong;
1611  amountCopied = lenVal;
1612 
1613  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1614  // The source buffer entirely fits in the bound.
1615  state = stateSourceNotTooLong;
1616  amountCopied = strLength;
1617  }
1618  }
1619 
1620  // We still want to know if the bound is known to be too large.
1621  if (lenValNL) {
1622  if (isAppending) {
1623  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1624 
1625  // Get the string length of the destination. If the destination is
1626  // memory that can't have a string length, we shouldn't be copying
1627  // into it anyway.
1628  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1629  if (dstStrLength.isUndef())
1630  return;
1631 
1632  if (Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>()) {
1633  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add,
1634  *lenValNL,
1635  *dstStrLengthNL,
1636  sizeTy);
1637  boundWarning = "Size argument is greater than the free space in the "
1638  "destination buffer";
1639  }
1640 
1641  } else {
1642  // For strncpy, this is just checking that lenVal <= sizeof(dst)
1643  // (Yes, strncpy and strncat differ in how they treat termination.
1644  // strncat ALWAYS terminates, but strncpy doesn't.)
1645 
1646  // We need a special case for when the copy size is zero, in which
1647  // case strncpy will do no work at all. Our bounds check uses n-1
1648  // as the last element accessed, so n == 0 is problematic.
1649  ProgramStateRef StateZeroSize, StateNonZeroSize;
1650  std::tie(StateZeroSize, StateNonZeroSize) =
1651  assumeZero(C, state, *lenValNL, sizeTy);
1652 
1653  // If the size is known to be zero, we're done.
1654  if (StateZeroSize && !StateNonZeroSize) {
1655  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1656  C.addTransition(StateZeroSize);
1657  return;
1658  }
1659 
1660  // Otherwise, go ahead and figure out the last element we'll touch.
1661  // We don't record the non-zero assumption here because we can't
1662  // be sure. We won't warn on a possible zero.
1663  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1664  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1665  one, sizeTy);
1666  boundWarning = "Size argument is greater than the length of the "
1667  "destination buffer";
1668  }
1669  }
1670 
1671  // If we couldn't pin down the copy length, at least bound it.
1672  // FIXME: We should actually run this code path for append as well, but
1673  // right now it creates problems with constraints (since we can end up
1674  // trying to pass constraints from symbol to symbol).
1675  if (amountCopied.isUnknown() && !isAppending) {
1676  // Try to get a "hypothetical" string length symbol, which we can later
1677  // set as a real value if that turns out to be the case.
1678  amountCopied = getCStringLength(C, state, lenExpr, srcVal, true);
1679  assert(!amountCopied.isUndef());
1680 
1681  if (Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>()) {
1682  if (lenValNL) {
1683  // amountCopied <= lenVal
1684  SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE,
1685  *amountCopiedNL,
1686  *lenValNL,
1687  cmpTy);
1688  state = state->assume(
1689  copiedLessThanBound.castAs<DefinedOrUnknownSVal>(), true);
1690  if (!state)
1691  return;
1692  }
1693 
1694  if (strLengthNL) {
1695  // amountCopied <= strlen(source)
1696  SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE,
1697  *amountCopiedNL,
1698  *strLengthNL,
1699  cmpTy);
1700  state = state->assume(
1701  copiedLessThanSrc.castAs<DefinedOrUnknownSVal>(), true);
1702  if (!state)
1703  return;
1704  }
1705  }
1706  }
1707 
1708  } else {
1709  // The function isn't bounded. The amount copied should match the length
1710  // of the source buffer.
1711  amountCopied = strLength;
1712  }
1713 
1714  assert(state);
1715 
1716  // This represents the number of characters copied into the destination
1717  // buffer. (It may not actually be the strlen if the destination buffer
1718  // is not terminated.)
1719  SVal finalStrLength = UnknownVal();
1720 
1721  // If this is an appending function (strcat, strncat...) then set the
1722  // string length to strlen(src) + strlen(dst) since the buffer will
1723  // ultimately contain both.
1724  if (isAppending) {
1725  // Get the string length of the destination. If the destination is memory
1726  // that can't have a string length, we shouldn't be copying into it anyway.
1727  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1728  if (dstStrLength.isUndef())
1729  return;
1730 
1731  Optional<NonLoc> srcStrLengthNL = amountCopied.getAs<NonLoc>();
1732  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1733 
1734  // If we know both string lengths, we might know the final string length.
1735  if (srcStrLengthNL && dstStrLengthNL) {
1736  // Make sure the two lengths together don't overflow a size_t.
1737  state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL);
1738  if (!state)
1739  return;
1740 
1741  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL,
1742  *dstStrLengthNL, sizeTy);
1743  }
1744 
1745  // If we couldn't get a single value for the final string length,
1746  // we can at least bound it by the individual lengths.
1747  if (finalStrLength.isUnknown()) {
1748  // Try to get a "hypothetical" string length symbol, which we can later
1749  // set as a real value if that turns out to be the case.
1750  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1751  assert(!finalStrLength.isUndef());
1752 
1753  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1754  if (srcStrLengthNL) {
1755  // finalStrLength >= srcStrLength
1756  SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1757  *finalStrLengthNL,
1758  *srcStrLengthNL,
1759  cmpTy);
1760  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1761  true);
1762  if (!state)
1763  return;
1764  }
1765 
1766  if (dstStrLengthNL) {
1767  // finalStrLength >= dstStrLength
1768  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1769  *finalStrLengthNL,
1770  *dstStrLengthNL,
1771  cmpTy);
1772  state =
1773  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1774  if (!state)
1775  return;
1776  }
1777  }
1778  }
1779 
1780  } else {
1781  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1782  // the final string length will match the input string length.
1783  finalStrLength = amountCopied;
1784  }
1785 
1786  SVal Result;
1787 
1788  if (returnPtr) {
1789  // The final result of the function will either be a pointer past the last
1790  // copied element, or a pointer to the start of the destination buffer.
1791  Result = (returnEnd ? UnknownVal() : DstVal);
1792  } else {
1793  Result = finalStrLength;
1794  }
1795 
1796  assert(state);
1797 
1798  // If the destination is a MemRegion, try to check for a buffer overflow and
1799  // record the new string length.
1800  if (Optional<loc::MemRegionVal> dstRegVal =
1801  DstVal.getAs<loc::MemRegionVal>()) {
1802  QualType ptrTy = Dst->getType();
1803 
1804  // If we have an exact value on a bounded copy, use that to check for
1805  // overflows, rather than our estimate about how much is actually copied.
1806  if (boundWarning) {
1807  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1808  SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1809  *maxLastNL, ptrTy);
1810  state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
1811  boundWarning);
1812  if (!state)
1813  return;
1814  }
1815  }
1816 
1817  // Then, if the final length is known...
1818  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1819  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1820  *knownStrLength, ptrTy);
1821 
1822  // ...and we haven't checked the bound, we'll check the actual copy.
1823  if (!boundWarning) {
1824  const char * const warningMsg =
1825  "String copy function overflows destination buffer";
1826  state = CheckLocation(C, state, Dst, lastElement, warningMsg);
1827  if (!state)
1828  return;
1829  }
1830 
1831  // If this is a stpcpy-style copy, the last element is the return value.
1832  if (returnPtr && returnEnd)
1833  Result = lastElement;
1834  }
1835 
1836  // Invalidate the destination (regular invalidation without pointer-escaping
1837  // the address of the top-level region). This must happen before we set the
1838  // C string length because invalidation will clear the length.
1839  // FIXME: Even if we can't perfectly model the copy, we should see if we
1840  // can use LazyCompoundVals to copy the source values into the destination.
1841  // This would probably remove any existing bindings past the end of the
1842  // string, but that's still an improvement over blank invalidation.
1843  state = InvalidateBuffer(C, state, Dst, *dstRegVal,
1844  /*IsSourceBuffer*/false, nullptr);
1845 
1846  // Invalidate the source (const-invalidation without const-pointer-escaping
1847  // the address of the top-level region).
1848  state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
1849  nullptr);
1850 
1851  // Set the C string length of the destination, if we know it.
1852  if (isBounded && !isAppending) {
1853  // strncpy is annoying in that it doesn't guarantee to null-terminate
1854  // the result string. If the original string didn't fit entirely inside
1855  // the bound (including the null-terminator), we don't know how long the
1856  // result is.
1857  if (amountCopied != strLength)
1858  finalStrLength = UnknownVal();
1859  }
1860  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1861  }
1862 
1863  assert(state);
1864 
1865  if (returnPtr) {
1866  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1867  // overflow, we still need a result. Conjure a return value.
1868  if (returnEnd && Result.isUnknown()) {
1869  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1870  }
1871  }
1872  // Set the return value.
1873  state = state->BindExpr(CE, LCtx, Result);
1874  C.addTransition(state);
1875 }
1876 
1877 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1878  if (CE->getNumArgs() < 2)
1879  return;
1880 
1881  //int strcmp(const char *s1, const char *s2);
1882  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false);
1883 }
1884 
1885 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1886  if (CE->getNumArgs() < 3)
1887  return;
1888 
1889  //int strncmp(const char *s1, const char *s2, size_t n);
1890  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false);
1891 }
1892 
1893 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1894  const CallExpr *CE) const {
1895  if (CE->getNumArgs() < 2)
1896  return;
1897 
1898  //int strcasecmp(const char *s1, const char *s2);
1899  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true);
1900 }
1901 
1902 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1903  const CallExpr *CE) const {
1904  if (CE->getNumArgs() < 3)
1905  return;
1906 
1907  //int strncasecmp(const char *s1, const char *s2, size_t n);
1908  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true);
1909 }
1910 
1911 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1912  bool isBounded, bool ignoreCase) const {
1913  CurrentFunctionDescription = "string comparison function";
1914  ProgramStateRef state = C.getState();
1915  const LocationContext *LCtx = C.getLocationContext();
1916 
1917  // Check that the first string is non-null
1918  const Expr *s1 = CE->getArg(0);
1919  SVal s1Val = state->getSVal(s1, LCtx);
1920  state = checkNonNull(C, state, s1, s1Val);
1921  if (!state)
1922  return;
1923 
1924  // Check that the second string is non-null.
1925  const Expr *s2 = CE->getArg(1);
1926  SVal s2Val = state->getSVal(s2, LCtx);
1927  state = checkNonNull(C, state, s2, s2Val);
1928  if (!state)
1929  return;
1930 
1931  // Get the string length of the first string or give up.
1932  SVal s1Length = getCStringLength(C, state, s1, s1Val);
1933  if (s1Length.isUndef())
1934  return;
1935 
1936  // Get the string length of the second string or give up.
1937  SVal s2Length = getCStringLength(C, state, s2, s2Val);
1938  if (s2Length.isUndef())
1939  return;
1940 
1941  // If we know the two buffers are the same, we know the result is 0.
1942  // First, get the two buffers' addresses. Another checker will have already
1943  // made sure they're not undefined.
1946 
1947  // See if they are the same.
1948  SValBuilder &svalBuilder = C.getSValBuilder();
1949  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1950  ProgramStateRef StSameBuf, StNotSameBuf;
1951  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1952 
1953  // If the two arguments might be the same buffer, we know the result is 0,
1954  // and we only need to check one size.
1955  if (StSameBuf) {
1956  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
1957  svalBuilder.makeZeroVal(CE->getType()));
1958  C.addTransition(StSameBuf);
1959 
1960  // If the two arguments are GUARANTEED to be the same, we're done!
1961  if (!StNotSameBuf)
1962  return;
1963  }
1964 
1965  assert(StNotSameBuf);
1966  state = StNotSameBuf;
1967 
1968  // At this point we can go about comparing the two buffers.
1969  // For now, we only do this if they're both known string literals.
1970 
1971  // Attempt to extract string literals from both expressions.
1972  const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val);
1973  const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val);
1974  bool canComputeResult = false;
1975  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1976  C.blockCount());
1977 
1978  if (s1StrLiteral && s2StrLiteral) {
1979  StringRef s1StrRef = s1StrLiteral->getString();
1980  StringRef s2StrRef = s2StrLiteral->getString();
1981 
1982  if (isBounded) {
1983  // Get the max number of characters to compare.
1984  const Expr *lenExpr = CE->getArg(2);
1985  SVal lenVal = state->getSVal(lenExpr, LCtx);
1986 
1987  // If the length is known, we can get the right substrings.
1988  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
1989  // Create substrings of each to compare the prefix.
1990  s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
1991  s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue());
1992  canComputeResult = true;
1993  }
1994  } else {
1995  // This is a normal, unbounded strcmp.
1996  canComputeResult = true;
1997  }
1998 
1999  if (canComputeResult) {
2000  // Real strcmp stops at null characters.
2001  size_t s1Term = s1StrRef.find('\0');
2002  if (s1Term != StringRef::npos)
2003  s1StrRef = s1StrRef.substr(0, s1Term);
2004 
2005  size_t s2Term = s2StrRef.find('\0');
2006  if (s2Term != StringRef::npos)
2007  s2StrRef = s2StrRef.substr(0, s2Term);
2008 
2009  // Use StringRef's comparison methods to compute the actual result.
2010  int compareRes = ignoreCase ? s1StrRef.compare_lower(s2StrRef)
2011  : s1StrRef.compare(s2StrRef);
2012 
2013  // The strcmp function returns an integer greater than, equal to, or less
2014  // than zero, [c11, p7.24.4.2].
2015  if (compareRes == 0) {
2016  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
2017  }
2018  else {
2019  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
2020  // Constrain strcmp's result range based on the result of StringRef's
2021  // comparison methods.
2022  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
2023  SVal compareWithZero =
2024  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
2025  svalBuilder.getConditionType());
2026  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
2027  state = state->assume(compareWithZeroVal, true);
2028  }
2029  }
2030  }
2031 
2032  state = state->BindExpr(CE, LCtx, resultVal);
2033 
2034  // Record this as a possible path.
2035  C.addTransition(state);
2036 }
2037 
2038 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
2039  //char *strsep(char **stringp, const char *delim);
2040  if (CE->getNumArgs() < 2)
2041  return;
2042 
2043  // Sanity: does the search string parameter match the return type?
2044  const Expr *SearchStrPtr = CE->getArg(0);
2045  QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType();
2046  if (CharPtrTy.isNull() ||
2047  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
2048  return;
2049 
2050  CurrentFunctionDescription = "strsep()";
2051  ProgramStateRef State = C.getState();
2052  const LocationContext *LCtx = C.getLocationContext();
2053 
2054  // Check that the search string pointer is non-null (though it may point to
2055  // a null string).
2056  SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx);
2057  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
2058  if (!State)
2059  return;
2060 
2061  // Check that the delimiter string is non-null.
2062  const Expr *DelimStr = CE->getArg(1);
2063  SVal DelimStrVal = State->getSVal(DelimStr, LCtx);
2064  State = checkNonNull(C, State, DelimStr, DelimStrVal);
2065  if (!State)
2066  return;
2067 
2068  SValBuilder &SVB = C.getSValBuilder();
2069  SVal Result;
2070  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
2071  // Get the current value of the search string pointer, as a char*.
2072  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
2073 
2074  // Invalidate the search string, representing the change of one delimiter
2075  // character to NUL.
2076  State = InvalidateBuffer(C, State, SearchStrPtr, Result,
2077  /*IsSourceBuffer*/false, nullptr);
2078 
2079  // Overwrite the search string pointer. The new value is either an address
2080  // further along in the same string, or NULL if there are no more tokens.
2081  State = State->bindLoc(*SearchStrLoc,
2082  SVB.conjureSymbolVal(getTag(),
2083  CE,
2084  LCtx,
2085  CharPtrTy,
2086  C.blockCount()),
2087  LCtx);
2088  } else {
2089  assert(SearchStrVal.isUnknown());
2090  // Conjure a symbolic value. It's the best we can do.
2091  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2092  }
2093 
2094  // Set the return value, and finish.
2095  State = State->BindExpr(CE, LCtx, Result);
2096  C.addTransition(State);
2097 }
2098 
2099 // These should probably be moved into a C++ standard library checker.
2100 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
2101  evalStdCopyCommon(C, CE);
2102 }
2103 
2104 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
2105  const CallExpr *CE) const {
2106  evalStdCopyCommon(C, CE);
2107 }
2108 
2109 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
2110  const CallExpr *CE) const {
2111  if (CE->getNumArgs() < 3)
2112  return;
2113 
2114  ProgramStateRef State = C.getState();
2115 
2116  const LocationContext *LCtx = C.getLocationContext();
2117 
2118  // template <class _InputIterator, class _OutputIterator>
2119  // _OutputIterator
2120  // copy(_InputIterator __first, _InputIterator __last,
2121  // _OutputIterator __result)
2122 
2123  // Invalidate the destination buffer
2124  const Expr *Dst = CE->getArg(2);
2125  SVal DstVal = State->getSVal(Dst, LCtx);
2126  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
2127  /*Size=*/nullptr);
2128 
2129  SValBuilder &SVB = C.getSValBuilder();
2130 
2131  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2132  State = State->BindExpr(CE, LCtx, ResultVal);
2133 
2134  C.addTransition(State);
2135 }
2136 
2137 void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
2138  if (CE->getNumArgs() != 3)
2139  return;
2140 
2141  CurrentFunctionDescription = "memory set function";
2142 
2143  const Expr *Mem = CE->getArg(0);
2144  const Expr *CharE = CE->getArg(1);
2145  const Expr *Size = CE->getArg(2);
2146  ProgramStateRef State = C.getState();
2147 
2148  // See if the size argument is zero.
2149  const LocationContext *LCtx = C.getLocationContext();
2150  SVal SizeVal = State->getSVal(Size, LCtx);
2151  QualType SizeTy = Size->getType();
2152 
2153  ProgramStateRef StateZeroSize, StateNonZeroSize;
2154  std::tie(StateZeroSize, StateNonZeroSize) =
2155  assumeZero(C, State, SizeVal, SizeTy);
2156 
2157  // Get the value of the memory area.
2158  SVal MemVal = State->getSVal(Mem, LCtx);
2159 
2160  // If the size is zero, there won't be any actual memory access, so
2161  // just bind the return value to the Mem buffer and return.
2162  if (StateZeroSize && !StateNonZeroSize) {
2163  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, MemVal);
2164  C.addTransition(StateZeroSize);
2165  return;
2166  }
2167 
2168  // Ensure the memory area is not null.
2169  // If it is NULL there will be a NULL pointer dereference.
2170  State = checkNonNull(C, StateNonZeroSize, Mem, MemVal);
2171  if (!State)
2172  return;
2173 
2174  State = CheckBufferAccess(C, State, Size, Mem);
2175  if (!State)
2176  return;
2177 
2178  // According to the values of the arguments, bind the value of the second
2179  // argument to the destination buffer and set string length, or just
2180  // invalidate the destination buffer.
2181  if (!memsetAux(Mem, CharE, Size, C, State))
2182  return;
2183 
2184  State = State->BindExpr(CE, LCtx, MemVal);
2185  C.addTransition(State);
2186 }
2187 
2188 static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name) {
2189  IdentifierInfo *II = FD->getIdentifier();
2190  if (!II)
2191  return false;
2192 
2194  return false;
2195 
2196  if (II->getName().equals(Name))
2197  return true;
2198 
2199  return false;
2200 }
2201 //===----------------------------------------------------------------------===//
2202 // The driver method, and other Checker callbacks.
2203 //===----------------------------------------------------------------------===//
2204 
2205 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
2206  const FunctionDecl *FDecl = C.getCalleeDecl(CE);
2207 
2208  if (!FDecl)
2209  return false;
2210 
2211  // FIXME: Poorly-factored string switches are slow.
2212  FnCheck evalFunction = nullptr;
2213  if (C.isCLibraryFunction(FDecl, "memcpy"))
2214  evalFunction = &CStringChecker::evalMemcpy;
2215  else if (C.isCLibraryFunction(FDecl, "mempcpy"))
2216  evalFunction = &CStringChecker::evalMempcpy;
2217  else if (C.isCLibraryFunction(FDecl, "memcmp"))
2218  evalFunction = &CStringChecker::evalMemcmp;
2219  else if (C.isCLibraryFunction(FDecl, "memmove"))
2220  evalFunction = &CStringChecker::evalMemmove;
2221  else if (C.isCLibraryFunction(FDecl, "memset"))
2222  evalFunction = &CStringChecker::evalMemset;
2223  else if (C.isCLibraryFunction(FDecl, "strcpy"))
2224  evalFunction = &CStringChecker::evalStrcpy;
2225  else if (C.isCLibraryFunction(FDecl, "strncpy"))
2226  evalFunction = &CStringChecker::evalStrncpy;
2227  else if (C.isCLibraryFunction(FDecl, "stpcpy"))
2228  evalFunction = &CStringChecker::evalStpcpy;
2229  else if (C.isCLibraryFunction(FDecl, "strlcpy"))
2230  evalFunction = &CStringChecker::evalStrlcpy;
2231  else if (C.isCLibraryFunction(FDecl, "strcat"))
2232  evalFunction = &CStringChecker::evalStrcat;
2233  else if (C.isCLibraryFunction(FDecl, "strncat"))
2234  evalFunction = &CStringChecker::evalStrncat;
2235  else if (C.isCLibraryFunction(FDecl, "strlcat"))
2236  evalFunction = &CStringChecker::evalStrlcat;
2237  else if (C.isCLibraryFunction(FDecl, "strlen"))
2238  evalFunction = &CStringChecker::evalstrLength;
2239  else if (C.isCLibraryFunction(FDecl, "strnlen"))
2240  evalFunction = &CStringChecker::evalstrnLength;
2241  else if (C.isCLibraryFunction(FDecl, "strcmp"))
2242  evalFunction = &CStringChecker::evalStrcmp;
2243  else if (C.isCLibraryFunction(FDecl, "strncmp"))
2244  evalFunction = &CStringChecker::evalStrncmp;
2245  else if (C.isCLibraryFunction(FDecl, "strcasecmp"))
2246  evalFunction = &CStringChecker::evalStrcasecmp;
2247  else if (C.isCLibraryFunction(FDecl, "strncasecmp"))
2248  evalFunction = &CStringChecker::evalStrncasecmp;
2249  else if (C.isCLibraryFunction(FDecl, "strsep"))
2250  evalFunction = &CStringChecker::evalStrsep;
2251  else if (C.isCLibraryFunction(FDecl, "bcopy"))
2252  evalFunction = &CStringChecker::evalBcopy;
2253  else if (C.isCLibraryFunction(FDecl, "bcmp"))
2254  evalFunction = &CStringChecker::evalMemcmp;
2255  else if (isCPPStdLibraryFunction(FDecl, "copy"))
2256  evalFunction = &CStringChecker::evalStdCopy;
2257  else if (isCPPStdLibraryFunction(FDecl, "copy_backward"))
2258  evalFunction = &CStringChecker::evalStdCopyBackward;
2259 
2260  // If the callee isn't a string function, let another checker handle it.
2261  if (!evalFunction)
2262  return false;
2263 
2264  // Check and evaluate the call.
2265  (this->*evalFunction)(C, CE);
2266 
2267  // If the evaluate call resulted in no change, chain to the next eval call
2268  // handler.
2269  // Note, the custom CString evaluation calls assume that basic safety
2270  // properties are held. However, if the user chooses to turn off some of these
2271  // checks, we ignore the issues and leave the call evaluation to a generic
2272  // handler.
2273  return C.isDifferent();
2274 }
2275 
2276 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2277  // Record string length for char a[] = "abc";
2278  ProgramStateRef state = C.getState();
2279 
2280  for (const auto *I : DS->decls()) {
2281  const VarDecl *D = dyn_cast<VarDecl>(I);
2282  if (!D)
2283  continue;
2284 
2285  // FIXME: Handle array fields of structs.
2286  if (!D->getType()->isArrayType())
2287  continue;
2288 
2289  const Expr *Init = D->getInit();
2290  if (!Init)
2291  continue;
2292  if (!isa<StringLiteral>(Init))
2293  continue;
2294 
2295  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2296  const MemRegion *MR = VarLoc.getAsRegion();
2297  if (!MR)
2298  continue;
2299 
2300  SVal StrVal = C.getSVal(Init);
2301  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2302  DefinedOrUnknownSVal strLength =
2303  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2304 
2305  state = state->set<CStringLength>(MR, strLength);
2306  }
2307 
2308  C.addTransition(state);
2309 }
2310 
2312 CStringChecker::checkRegionChanges(ProgramStateRef state,
2313  const InvalidatedSymbols *,
2314  ArrayRef<const MemRegion *> ExplicitRegions,
2316  const LocationContext *LCtx,
2317  const CallEvent *Call) const {
2318  CStringLengthTy Entries = state->get<CStringLength>();
2319  if (Entries.isEmpty())
2320  return state;
2321 
2322  llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
2323  llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
2324 
2325  // First build sets for the changed regions and their super-regions.
2327  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2328  const MemRegion *MR = *I;
2329  Invalidated.insert(MR);
2330 
2331  SuperRegions.insert(MR);
2332  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2333  MR = SR->getSuperRegion();
2334  SuperRegions.insert(MR);
2335  }
2336  }
2337 
2338  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2339 
2340  // Then loop over the entries in the current state.
2341  for (CStringLengthTy::iterator I = Entries.begin(),
2342  E = Entries.end(); I != E; ++I) {
2343  const MemRegion *MR = I.getKey();
2344 
2345  // Is this entry for a super-region of a changed region?
2346  if (SuperRegions.count(MR)) {
2347  Entries = F.remove(Entries, MR);
2348  continue;
2349  }
2350 
2351  // Is this entry for a sub-region of a changed region?
2352  const MemRegion *Super = MR;
2353  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2354  Super = SR->getSuperRegion();
2355  if (Invalidated.count(Super)) {
2356  Entries = F.remove(Entries, MR);
2357  break;
2358  }
2359  }
2360  }
2361 
2362  return state->set<CStringLength>(Entries);
2363 }
2364 
2365 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2366  SymbolReaper &SR) const {
2367  // Mark all symbols in our string length map as valid.
2368  CStringLengthTy Entries = state->get<CStringLength>();
2369 
2370  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2371  I != E; ++I) {
2372  SVal Len = I.getData();
2373 
2374  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2375  se = Len.symbol_end(); si != se; ++si)
2376  SR.markInUse(*si);
2377  }
2378 }
2379 
2380 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2381  CheckerContext &C) const {
2382  if (!SR.hasDeadSymbols())
2383  return;
2384 
2385  ProgramStateRef state = C.getState();
2386  CStringLengthTy Entries = state->get<CStringLength>();
2387  if (Entries.isEmpty())
2388  return;
2389 
2390  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2391  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2392  I != E; ++I) {
2393  SVal Len = I.getData();
2394  if (SymbolRef Sym = Len.getAsSymbol()) {
2395  if (SR.isDead(Sym))
2396  Entries = F.remove(Entries, I.getKey());
2397  }
2398  }
2399 
2400  state = state->set<CStringLength>(Entries);
2401  C.addTransition(state);
2402 }
2403 
2404 #define REGISTER_CHECKER(name) \
2405  void ento::register##name(CheckerManager &mgr) { \
2406  CStringChecker *checker = mgr.registerChecker<CStringChecker>(); \
2407  checker->Filter.Check##name = true; \
2408  checker->Filter.CheckName##name = mgr.getCurrentCheckName(); \
2409  }
2410 
2411  REGISTER_CHECKER(CStringNullArg)
2412  REGISTER_CHECKER(CStringOutOfBounds)
2413  REGISTER_CHECKER(CStringBufferOverlap)
2414 REGISTER_CHECKER(CStringNotNullTerm)
2415 
2417  registerCStringNullArg(Mgr);
2418  }
Represents a function declaration or definition.
Definition: Decl.h:1714
TypedValueRegion - An abstract class representing regions having a typed value.
Definition: MemRegion.h:525
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:279
A (possibly-)qualified type.
Definition: Type.h:654
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:94
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
bool isArrayType() const
Definition: Type.h:6077
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2303
Stmt - This represents one statement.
Definition: Stmt.h:66
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2291
Information about invalidation for a particular region/symbol.
Definition: MemRegion.h:1384
NonLoc getIndex() const
Definition: MemRegion.h:1096
A helper class which wraps a boolean value set to false by default.
Definition: Checker.h:567
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:460
ExplodedNode * addTransition(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generates a new transition in the program state graph (ExplodedGraph).
virtual QualType getValueType() const =0
const MemRegion * getRegion() const
Definition: MemRegion.h:77
SVal evalCast(SVal val, QualType castTy, QualType originalType)
Value representing integer constant.
Definition: SVals.h:374
Represents a variable declaration or definition.
Definition: Decl.h:812
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
void setTrait(SymbolRef Sym, InvalidationKinds IK)
Definition: MemRegion.cpp:1567
const FunctionDecl * getCalleeDecl(const CallExpr *CE) const
Get the declaration of the called function (path-sensitive).
bool isDead(SymbolRef sym) const
Returns whether or not a symbol has been confirmed dead.
ExplodedNode * getPredecessor()
Returns the previous node in the exploded graph, which includes the state of the program before the c...
SVal getSVal(const Stmt *S) const
Get the value of arbitrary expressions at this point in the path.
Symbolic value.
Definition: SymExpr.h:30
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:269
const MemRegion * getSuperRegion() const
Definition: MemRegion.h:443
void markInUse(SymbolRef sym)
Marks a symbol as important to a checker.
One of these records is kept for each identifier that is lexed.
virtual SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with a memory location and non-location opera...
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:150
LineState State
bool isValid() const
Definition: MemRegion.h:86
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
virtual DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const
getExtent - Returns the size of the region in bytes.
Definition: MemRegion.h:448
void registerCStringCheckerBasic(CheckerManager &Mgr)
Register the checker which evaluates CString API calls.
BinaryOperatorKind
static bool isInStdNamespace(const Decl *D)
Returns true if the root namespace of the given declaration is the &#39;std&#39; C++ namespace.
uint32_t Offset
Definition: CacheTokens.cpp:43
const LocationContext * getLocationContext() const
static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name)
bool isUnknown() const
Definition: SVals.h:137
A record of the "type" of an APSInt, used for conversions.
Definition: APSIntType.h:20
const StringLiteral * getStringLiteral() const
Definition: MemRegion.h:809
SymExpr::symbol_iterator symbol_end() const
Definition: SVals.h:205
Represent a region&#39;s offset within the top level base region.
Definition: MemRegion.h:62
CanQualType UnsignedCharTy
Definition: ASTContext.h:1007
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:127
StringRef getString() const
Definition: Expr.h:1573
#define REGISTER_CHECKER(name)
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Loc makeLoc(SymbolRef sym)
Definition: SValBuilder.h:354
DefinedOrUnknownSVal makeZeroVal(QualType type)
Construct an SVal representing &#39;0&#39; for the specified type.
Definition: SValBuilder.cpp:51
Expr - This represents one expression.
Definition: Expr.h:106
std::string Label
static bool isCLibraryFunction(const FunctionDecl *FD, StringRef Name=StringRef())
Returns true if the callee is an externally-visible function in the top-level namespace, such as malloc.
QualType getConditionType() const
Definition: SValBuilder.h:161
bool isValid() const
Definition: SVals.h:149
QualType getType() const
Definition: Expr.h:128
virtual SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, Loc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two memory location operands.
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
ExplodedNode * generateNonFatalErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:719
Optional< T > getAs() const
Convert to the specified SVal type, returning None if this SVal is not of the desired type...
Definition: SVals.h:112
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
const MemRegion * StripCasts(bool StripBaseCasts=true) const
Definition: MemRegion.cpp:1151
Kind getKind() const
Definition: MemRegion.h:165
DefinedOrUnknownSVal conjureSymbolVal(const void *symbolTag, const Expr *expr, const LocationContext *LCtx, unsigned count)
Create a new symbol with a unique &#39;name&#39;.
const MemRegion * getAsRegion() const
Definition: SVals.cpp:151
DeclStmt - Adaptor class for mixing declarations with statements and expressions. ...
Definition: Stmt.h:499
ASTContext & getContext()
Definition: SValBuilder.h:156
SVal - This represents a symbolic expression, which can be either an L-value or an R-value...
Definition: SVals.h:76
A class responsible for cleaning up unused symbols.
const llvm::APSInt * evalAPSInt(BinaryOperator::Opcode Op, const llvm::APSInt &V1, const llvm::APSInt &V2)
Tells that a region&#39;s contents is not changed.
Definition: MemRegion.h:1399
virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, NonLoc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two non- location operands.
unsigned blockCount() const
Returns the number of times the current block has been visited along the analyzed path...
StringRef getName() const
Return the actual identifier string.
CanQualType CharTy
Definition: ASTContext.h:999
llvm::APSInt getValue(uint64_t RawValue) const LLVM_READONLY
Definition: APSIntType.h:70
Dataflow Directional Tag Classes.
const Expr * getInit() const
Definition: Decl.h:1217
static std::string getAsString(SplitQualType split, const PrintingPolicy &Policy)
Definition: Type.h:980
SVal evalEQ(ProgramStateRef state, SVal lhs, SVal rhs)
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:164
SVal convertToArrayIndex(SVal val)
Definition: SValBuilder.cpp:98
DefinedSVal getMetadataSymbolVal(const void *symbolTag, const MemRegion *region, const Expr *expr, QualType type, const LocationContext *LCtx, unsigned count)
unsigned getByteLength() const
Definition: Expr.h:1605
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:104
BasicValueFactory & getBasicValueFactory()
Definition: SValBuilder.h:169
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:431
const ProgramStateRef & getState() const
RegionOffset getAsOffset() const
Compute the offset within the top level memory object.
Definition: MemRegion.cpp:1449
decl_range decls()
Definition: Stmt.h:546
int64_t getOffset() const
Definition: MemRegion.h:81
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:5884
bool trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S, BugReport &R, bool IsArg=false, bool EnableNullFPSuppression=true)
Attempts to add visitors to trace a null or undefined value back to its point of origin, whether it is a symbol constrained to null or an explicit assignment.
QualType getValueType() const override
Definition: MemRegion.h:1098
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1125
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:266
SValBuilder & getSValBuilder()
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1525
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2234
const llvm::APSInt & getMaxValue(const llvm::APSInt &v)
bool isUndef() const
Definition: SVals.h:141
StringRegion - Region associated with a StringLiteral.
Definition: MemRegion.h:794
LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:174
ElementRegin is used to represent both array elements and casts.
Definition: MemRegion.h:1076
CanQualType IntTy
Definition: ASTContext.h:1006
SymExpr::symbol_iterator symbol_begin() const
Definition: SVals.h:197
QualType getType() const
Definition: Decl.h:647
This represents a decl that may have a name.
Definition: Decl.h:248
const LocationContext * getLocationContext() const
bool isDifferent()
Check if the checker changed the state of the execution; ex: added a new transition or a bug report...
bool hasSymbolicOffset() const
Definition: MemRegion.h:79
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
Iterator over symbols that the current symbol depends on.
Definition: SymExpr.h:69