clang  8.0.0svn
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines CStringChecker, which is an assortment of checks on calls
11 // to functions in <string.h>.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "InterCheckerAPI.h"
17 #include "clang/Basic/CharInfo.h"
23 #include "llvm/ADT/STLExtras.h"
24 #include "llvm/ADT/SmallString.h"
25 #include "llvm/Support/raw_ostream.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 namespace {
31 class CStringChecker : public Checker< eval::Call,
32  check::PreStmt<DeclStmt>,
33  check::LiveSymbols,
34  check::DeadSymbols,
35  check::RegionChanges
36  > {
37  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
38  BT_NotCString, BT_AdditionOverflow;
39 
40  mutable const char *CurrentFunctionDescription;
41 
42 public:
43  /// The filter is used to filter out the diagnostics which are not enabled by
44  /// the user.
45  struct CStringChecksFilter {
46  DefaultBool CheckCStringNullArg;
47  DefaultBool CheckCStringOutOfBounds;
48  DefaultBool CheckCStringBufferOverlap;
49  DefaultBool CheckCStringNotNullTerm;
50 
51  CheckName CheckNameCStringNullArg;
52  CheckName CheckNameCStringOutOfBounds;
53  CheckName CheckNameCStringBufferOverlap;
54  CheckName CheckNameCStringNotNullTerm;
55  };
56 
57  CStringChecksFilter Filter;
58 
59  static void *getTag() { static int tag; return &tag; }
60 
61  bool evalCall(const CallExpr *CE, CheckerContext &C) const;
62  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
63  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
64  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
65 
67  checkRegionChanges(ProgramStateRef state,
68  const InvalidatedSymbols *,
69  ArrayRef<const MemRegion *> ExplicitRegions,
71  const LocationContext *LCtx,
72  const CallEvent *Call) const;
73 
74  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
75  const CallExpr *) const;
76 
77  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
78  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
79  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
80  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
81  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
83  const Expr *Size,
84  const Expr *Source,
85  const Expr *Dest,
86  bool Restricted = false,
87  bool IsMempcpy = false) const;
88 
89  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
90 
91  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
92  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
93  void evalstrLengthCommon(CheckerContext &C,
94  const CallExpr *CE,
95  bool IsStrnlen = false) const;
96 
97  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
98  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
99  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
100  void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const;
101  void evalStrcpyCommon(CheckerContext &C,
102  const CallExpr *CE,
103  bool returnEnd,
104  bool isBounded,
105  bool isAppending,
106  bool returnPtr = true) const;
107 
108  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
109  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
110  void evalStrlcat(CheckerContext &C, const CallExpr *CE) const;
111 
112  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
113  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
114  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
115  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
116  void evalStrcmpCommon(CheckerContext &C,
117  const CallExpr *CE,
118  bool isBounded = false,
119  bool ignoreCase = false) const;
120 
121  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
122 
123  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
124  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
125  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
126  void evalMemset(CheckerContext &C, const CallExpr *CE) const;
127 
128  // Utility methods
129  std::pair<ProgramStateRef , ProgramStateRef >
130  static assumeZero(CheckerContext &C,
131  ProgramStateRef state, SVal V, QualType Ty);
132 
133  static ProgramStateRef setCStringLength(ProgramStateRef state,
134  const MemRegion *MR,
135  SVal strLength);
136  static SVal getCStringLengthForRegion(CheckerContext &C,
138  const Expr *Ex,
139  const MemRegion *MR,
140  bool hypothetical);
141  SVal getCStringLength(CheckerContext &C,
143  const Expr *Ex,
144  SVal Buf,
145  bool hypothetical = false) const;
146 
147  const StringLiteral *getCStringLiteral(CheckerContext &C,
149  const Expr *expr,
150  SVal val) const;
151 
152  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
154  const Expr *Ex, SVal V,
155  bool IsSourceBuffer,
156  const Expr *Size);
157 
158  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
159  const MemRegion *MR);
160 
161  static bool memsetAux(const Expr *DstBuffer, const Expr *CharE,
162  const Expr *Size, CheckerContext &C,
164 
165  // Re-usable checks
166  ProgramStateRef checkNonNull(CheckerContext &C,
168  const Expr *S,
169  SVal l) const;
170  ProgramStateRef CheckLocation(CheckerContext &C,
172  const Expr *S,
173  SVal l,
174  const char *message = nullptr) const;
175  ProgramStateRef CheckBufferAccess(CheckerContext &C,
177  const Expr *Size,
178  const Expr *FirstBuf,
179  const Expr *SecondBuf,
180  const char *firstMessage = nullptr,
181  const char *secondMessage = nullptr,
182  bool WarnAboutSize = false) const;
183 
184  ProgramStateRef CheckBufferAccess(CheckerContext &C,
186  const Expr *Size,
187  const Expr *Buf,
188  const char *message = nullptr,
189  bool WarnAboutSize = false) const {
190  // This is a convenience override.
191  return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
192  WarnAboutSize);
193  }
194  ProgramStateRef CheckOverlap(CheckerContext &C,
196  const Expr *Size,
197  const Expr *First,
198  const Expr *Second) const;
199  void emitOverlapBug(CheckerContext &C,
201  const Stmt *First,
202  const Stmt *Second) const;
203 
204  void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
205  StringRef WarningMsg) const;
206  void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
207  const Stmt *S, StringRef WarningMsg) const;
208  void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
209  const Stmt *S, StringRef WarningMsg) const;
210  void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
211 
212  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
214  NonLoc left,
215  NonLoc right) const;
216 
217  // Return true if the destination buffer of the copy function may be in bound.
218  // Expects SVal of Size to be positive and unsigned.
219  // Expects SVal of FirstBuf to be a FieldRegion.
220  static bool IsFirstBufInBound(CheckerContext &C,
222  const Expr *FirstBuf,
223  const Expr *Size);
224 };
225 
226 } //end anonymous namespace
227 
228 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
229 
230 //===----------------------------------------------------------------------===//
231 // Individual checks and utility methods.
232 //===----------------------------------------------------------------------===//
233 
234 std::pair<ProgramStateRef , ProgramStateRef >
235 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
236  QualType Ty) {
237  Optional<DefinedSVal> val = V.getAs<DefinedSVal>();
238  if (!val)
239  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
240 
241  SValBuilder &svalBuilder = C.getSValBuilder();
242  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
243  return state->assume(svalBuilder.evalEQ(state, *val, zero));
244 }
245 
246 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
247  ProgramStateRef state,
248  const Expr *S, SVal l) const {
249  // If a previous check has failed, propagate the failure.
250  if (!state)
251  return nullptr;
252 
253  ProgramStateRef stateNull, stateNonNull;
254  std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
255 
256  if (stateNull && !stateNonNull) {
257  if (Filter.CheckCStringNullArg) {
258  SmallString<80> buf;
259  llvm::raw_svector_ostream os(buf);
260  assert(CurrentFunctionDescription);
261  os << "Null pointer argument in call to " << CurrentFunctionDescription;
262 
263  emitNullArgBug(C, stateNull, S, os.str());
264  }
265  return nullptr;
266  }
267 
268  // From here on, assume that the value is non-null.
269  assert(stateNonNull);
270  return stateNonNull;
271 }
272 
273 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
274 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
275  ProgramStateRef state,
276  const Expr *S, SVal l,
277  const char *warningMsg) const {
278  // If a previous check has failed, propagate the failure.
279  if (!state)
280  return nullptr;
281 
282  // Check for out of bound array element access.
283  const MemRegion *R = l.getAsRegion();
284  if (!R)
285  return state;
286 
287  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
288  if (!ER)
289  return state;
290 
291  if (ER->getValueType() != C.getASTContext().CharTy)
292  return state;
293 
294  // Get the size of the array.
295  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
296  SValBuilder &svalBuilder = C.getSValBuilder();
297  SVal Extent =
298  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
299  DefinedOrUnknownSVal Size = Extent.castAs<DefinedOrUnknownSVal>();
300 
301  // Get the index of the accessed element.
302  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
303 
304  ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
305  ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
306  if (StOutBound && !StInBound) {
307  // These checks are either enabled by the CString out-of-bounds checker
308  // explicitly or implicitly by the Malloc checker.
309  // In the latter case we only do modeling but do not emit warning.
310  if (!Filter.CheckCStringOutOfBounds)
311  return nullptr;
312  // Emit a bug report.
313  if (warningMsg) {
314  emitOutOfBoundsBug(C, StOutBound, S, warningMsg);
315  } else {
316  assert(CurrentFunctionDescription);
317  assert(CurrentFunctionDescription[0] != '\0');
318 
319  SmallString<80> buf;
320  llvm::raw_svector_ostream os(buf);
321  os << toUppercase(CurrentFunctionDescription[0])
322  << &CurrentFunctionDescription[1]
323  << " accesses out-of-bound array element";
324  emitOutOfBoundsBug(C, StOutBound, S, os.str());
325  }
326  return nullptr;
327  }
328 
329  // Array bound check succeeded. From this point forward the array bound
330  // should always succeed.
331  return StInBound;
332 }
333 
334 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
335  ProgramStateRef state,
336  const Expr *Size,
337  const Expr *FirstBuf,
338  const Expr *SecondBuf,
339  const char *firstMessage,
340  const char *secondMessage,
341  bool WarnAboutSize) const {
342  // If a previous check has failed, propagate the failure.
343  if (!state)
344  return nullptr;
345 
346  SValBuilder &svalBuilder = C.getSValBuilder();
347  ASTContext &Ctx = svalBuilder.getContext();
348  const LocationContext *LCtx = C.getLocationContext();
349 
350  QualType sizeTy = Size->getType();
351  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
352 
353  // Check that the first buffer is non-null.
354  SVal BufVal = C.getSVal(FirstBuf);
355  state = checkNonNull(C, state, FirstBuf, BufVal);
356  if (!state)
357  return nullptr;
358 
359  // If out-of-bounds checking is turned off, skip the rest.
360  if (!Filter.CheckCStringOutOfBounds)
361  return state;
362 
363  // Get the access length and make sure it is known.
364  // FIXME: This assumes the caller has already checked that the access length
365  // is positive. And that it's unsigned.
366  SVal LengthVal = C.getSVal(Size);
367  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
368  if (!Length)
369  return state;
370 
371  // Compute the offset of the last element to be accessed: size-1.
372  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
373  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
374  if (Offset.isUnknown())
375  return nullptr;
376  NonLoc LastOffset = Offset.castAs<NonLoc>();
377 
378  // Check that the first buffer is sufficiently long.
379  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
380  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
381  const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
382 
383  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
384  LastOffset, PtrTy);
385  state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
386 
387  // If the buffer isn't large enough, abort.
388  if (!state)
389  return nullptr;
390  }
391 
392  // If there's a second buffer, check it as well.
393  if (SecondBuf) {
394  BufVal = state->getSVal(SecondBuf, LCtx);
395  state = checkNonNull(C, state, SecondBuf, BufVal);
396  if (!state)
397  return nullptr;
398 
399  BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
400  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
401  const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
402 
403  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
404  LastOffset, PtrTy);
405  state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
406  }
407  }
408 
409  // Large enough or not, return this state!
410  return state;
411 }
412 
413 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
414  ProgramStateRef state,
415  const Expr *Size,
416  const Expr *First,
417  const Expr *Second) const {
418  if (!Filter.CheckCStringBufferOverlap)
419  return state;
420 
421  // Do a simple check for overlap: if the two arguments are from the same
422  // buffer, see if the end of the first is greater than the start of the second
423  // or vice versa.
424 
425  // If a previous check has failed, propagate the failure.
426  if (!state)
427  return nullptr;
428 
429  ProgramStateRef stateTrue, stateFalse;
430 
431  // Get the buffer values and make sure they're known locations.
432  const LocationContext *LCtx = C.getLocationContext();
433  SVal firstVal = state->getSVal(First, LCtx);
434  SVal secondVal = state->getSVal(Second, LCtx);
435 
436  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
437  if (!firstLoc)
438  return state;
439 
440  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
441  if (!secondLoc)
442  return state;
443 
444  // Are the two values the same?
445  SValBuilder &svalBuilder = C.getSValBuilder();
446  std::tie(stateTrue, stateFalse) =
447  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
448 
449  if (stateTrue && !stateFalse) {
450  // If the values are known to be equal, that's automatically an overlap.
451  emitOverlapBug(C, stateTrue, First, Second);
452  return nullptr;
453  }
454 
455  // assume the two expressions are not equal.
456  assert(stateFalse);
457  state = stateFalse;
458 
459  // Which value comes first?
460  QualType cmpTy = svalBuilder.getConditionType();
461  SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT,
462  *firstLoc, *secondLoc, cmpTy);
463  Optional<DefinedOrUnknownSVal> reverseTest =
464  reverse.getAs<DefinedOrUnknownSVal>();
465  if (!reverseTest)
466  return state;
467 
468  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
469  if (stateTrue) {
470  if (stateFalse) {
471  // If we don't know which one comes first, we can't perform this test.
472  return state;
473  } else {
474  // Switch the values so that firstVal is before secondVal.
475  std::swap(firstLoc, secondLoc);
476 
477  // Switch the Exprs as well, so that they still correspond.
478  std::swap(First, Second);
479  }
480  }
481 
482  // Get the length, and make sure it too is known.
483  SVal LengthVal = state->getSVal(Size, LCtx);
484  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
485  if (!Length)
486  return state;
487 
488  // Convert the first buffer's start address to char*.
489  // Bail out if the cast fails.
490  ASTContext &Ctx = svalBuilder.getContext();
491  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
492  SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy,
493  First->getType());
494  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
495  if (!FirstStartLoc)
496  return state;
497 
498  // Compute the end of the first buffer. Bail out if THAT fails.
499  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add,
500  *FirstStartLoc, *Length, CharPtrTy);
501  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
502  if (!FirstEndLoc)
503  return state;
504 
505  // Is the end of the first buffer past the start of the second buffer?
506  SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT,
507  *FirstEndLoc, *secondLoc, cmpTy);
508  Optional<DefinedOrUnknownSVal> OverlapTest =
509  Overlap.getAs<DefinedOrUnknownSVal>();
510  if (!OverlapTest)
511  return state;
512 
513  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
514 
515  if (stateTrue && !stateFalse) {
516  // Overlap!
517  emitOverlapBug(C, stateTrue, First, Second);
518  return nullptr;
519  }
520 
521  // assume the two expressions don't overlap.
522  assert(stateFalse);
523  return stateFalse;
524 }
525 
526 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
527  const Stmt *First, const Stmt *Second) const {
528  ExplodedNode *N = C.generateErrorNode(state);
529  if (!N)
530  return;
531 
532  if (!BT_Overlap)
533  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
534  categories::UnixAPI, "Improper arguments"));
535 
536  // Generate a report for this bug.
537  auto report = llvm::make_unique<BugReport>(
538  *BT_Overlap, "Arguments must not be overlapping buffers", N);
539  report->addRange(First->getSourceRange());
540  report->addRange(Second->getSourceRange());
541 
542  C.emitReport(std::move(report));
543 }
544 
545 void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State,
546  const Stmt *S, StringRef WarningMsg) const {
547  if (ExplodedNode *N = C.generateErrorNode(State)) {
548  if (!BT_Null)
549  BT_Null.reset(new BuiltinBug(
550  Filter.CheckNameCStringNullArg, categories::UnixAPI,
551  "Null pointer argument in call to byte string function"));
552 
553  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Null.get());
554  auto Report = llvm::make_unique<BugReport>(*BT, WarningMsg, N);
555  Report->addRange(S->getSourceRange());
556  if (const auto *Ex = dyn_cast<Expr>(S))
557  bugreporter::trackExpressionValue(N, Ex, *Report);
558  C.emitReport(std::move(Report));
559  }
560 }
561 
562 void CStringChecker::emitOutOfBoundsBug(CheckerContext &C,
563  ProgramStateRef State, const Stmt *S,
564  StringRef WarningMsg) const {
565  if (ExplodedNode *N = C.generateErrorNode(State)) {
566  if (!BT_Bounds)
567  BT_Bounds.reset(new BuiltinBug(
568  Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds
569  : Filter.CheckNameCStringNullArg,
570  "Out-of-bound array access",
571  "Byte string function accesses out-of-bound array element"));
572 
573  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Bounds.get());
574 
575  // FIXME: It would be nice to eventually make this diagnostic more clear,
576  // e.g., by referencing the original declaration or by saying *why* this
577  // reference is outside the range.
578  auto Report = llvm::make_unique<BugReport>(*BT, WarningMsg, N);
579  Report->addRange(S->getSourceRange());
580  C.emitReport(std::move(Report));
581  }
582 }
583 
584 void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
585  const Stmt *S,
586  StringRef WarningMsg) const {
587  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
588  if (!BT_NotCString)
589  BT_NotCString.reset(new BuiltinBug(
590  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
591  "Argument is not a null-terminated string."));
592 
593  auto Report = llvm::make_unique<BugReport>(*BT_NotCString, WarningMsg, N);
594 
595  Report->addRange(S->getSourceRange());
596  C.emitReport(std::move(Report));
597  }
598 }
599 
600 void CStringChecker::emitAdditionOverflowBug(CheckerContext &C,
601  ProgramStateRef State) const {
602  if (ExplodedNode *N = C.generateErrorNode(State)) {
603  if (!BT_NotCString)
604  BT_NotCString.reset(
605  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
606  "Sum of expressions causes overflow."));
607 
608  // This isn't a great error message, but this should never occur in real
609  // code anyway -- you'd have to create a buffer longer than a size_t can
610  // represent, which is sort of a contradiction.
611  const char *WarningMsg =
612  "This expression will create a string whose length is too big to "
613  "be represented as a size_t";
614 
615  auto Report = llvm::make_unique<BugReport>(*BT_NotCString, WarningMsg, N);
616  C.emitReport(std::move(Report));
617  }
618 }
619 
620 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
621  ProgramStateRef state,
622  NonLoc left,
623  NonLoc right) const {
624  // If out-of-bounds checking is turned off, skip the rest.
625  if (!Filter.CheckCStringOutOfBounds)
626  return state;
627 
628  // If a previous check has failed, propagate the failure.
629  if (!state)
630  return nullptr;
631 
632  SValBuilder &svalBuilder = C.getSValBuilder();
633  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
634 
635  QualType sizeTy = svalBuilder.getContext().getSizeType();
636  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
637  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
638 
639  SVal maxMinusRight;
640  if (right.getAs<nonloc::ConcreteInt>()) {
641  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
642  sizeTy);
643  } else {
644  // Try switching the operands. (The order of these two assignments is
645  // important!)
646  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
647  sizeTy);
648  left = right;
649  }
650 
651  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
652  QualType cmpTy = svalBuilder.getConditionType();
653  // If left > max - right, we have an overflow.
654  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
655  *maxMinusRightNL, cmpTy);
656 
657  ProgramStateRef stateOverflow, stateOkay;
658  std::tie(stateOverflow, stateOkay) =
659  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
660 
661  if (stateOverflow && !stateOkay) {
662  // We have an overflow. Emit a bug report.
663  emitAdditionOverflowBug(C, stateOverflow);
664  return nullptr;
665  }
666 
667  // From now on, assume an overflow didn't occur.
668  assert(stateOkay);
669  state = stateOkay;
670  }
671 
672  return state;
673 }
674 
675 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
676  const MemRegion *MR,
677  SVal strLength) {
678  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
679 
680  MR = MR->StripCasts();
681 
682  switch (MR->getKind()) {
683  case MemRegion::StringRegionKind:
684  // FIXME: This can happen if we strcpy() into a string region. This is
685  // undefined [C99 6.4.5p6], but we should still warn about it.
686  return state;
687 
688  case MemRegion::SymbolicRegionKind:
689  case MemRegion::AllocaRegionKind:
690  case MemRegion::VarRegionKind:
691  case MemRegion::FieldRegionKind:
692  case MemRegion::ObjCIvarRegionKind:
693  // These are the types we can currently track string lengths for.
694  break;
695 
696  case MemRegion::ElementRegionKind:
697  // FIXME: Handle element regions by upper-bounding the parent region's
698  // string length.
699  return state;
700 
701  default:
702  // Other regions (mostly non-data) can't have a reliable C string length.
703  // For now, just ignore the change.
704  // FIXME: These are rare but not impossible. We should output some kind of
705  // warning for things like strcpy((char[]){'a', 0}, "b");
706  return state;
707  }
708 
709  if (strLength.isUnknown())
710  return state->remove<CStringLength>(MR);
711 
712  return state->set<CStringLength>(MR, strLength);
713 }
714 
715 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
716  ProgramStateRef &state,
717  const Expr *Ex,
718  const MemRegion *MR,
719  bool hypothetical) {
720  if (!hypothetical) {
721  // If there's a recorded length, go ahead and return it.
722  const SVal *Recorded = state->get<CStringLength>(MR);
723  if (Recorded)
724  return *Recorded;
725  }
726 
727  // Otherwise, get a new symbol and update the state.
728  SValBuilder &svalBuilder = C.getSValBuilder();
729  QualType sizeTy = svalBuilder.getContext().getSizeType();
730  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
731  MR, Ex, sizeTy,
732  C.getLocationContext(),
733  C.blockCount());
734 
735  if (!hypothetical) {
736  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
737  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
738  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
739  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
740  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
741  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
742  fourInt);
743  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
744  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
745  maxLength, sizeTy);
746  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
747  }
748  state = state->set<CStringLength>(MR, strLength);
749  }
750 
751  return strLength;
752 }
753 
754 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
755  const Expr *Ex, SVal Buf,
756  bool hypothetical) const {
757  const MemRegion *MR = Buf.getAsRegion();
758  if (!MR) {
759  // If we can't get a region, see if it's something we /know/ isn't a
760  // C string. In the context of locations, the only time we can issue such
761  // a warning is for labels.
762  if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) {
763  if (Filter.CheckCStringNotNullTerm) {
764  SmallString<120> buf;
765  llvm::raw_svector_ostream os(buf);
766  assert(CurrentFunctionDescription);
767  os << "Argument to " << CurrentFunctionDescription
768  << " is the address of the label '" << Label->getLabel()->getName()
769  << "', which is not a null-terminated string";
770 
771  emitNotCStringBug(C, state, Ex, os.str());
772  }
773  return UndefinedVal();
774  }
775 
776  // If it's not a region and not a label, give up.
777  return UnknownVal();
778  }
779 
780  // If we have a region, strip casts from it and see if we can figure out
781  // its length. For anything we can't figure out, just return UnknownVal.
782  MR = MR->StripCasts();
783 
784  switch (MR->getKind()) {
785  case MemRegion::StringRegionKind: {
786  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
787  // so we can assume that the byte length is the correct C string length.
788  SValBuilder &svalBuilder = C.getSValBuilder();
789  QualType sizeTy = svalBuilder.getContext().getSizeType();
790  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
791  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
792  }
793  case MemRegion::SymbolicRegionKind:
794  case MemRegion::AllocaRegionKind:
795  case MemRegion::VarRegionKind:
796  case MemRegion::FieldRegionKind:
797  case MemRegion::ObjCIvarRegionKind:
798  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
799  case MemRegion::CompoundLiteralRegionKind:
800  // FIXME: Can we track this? Is it necessary?
801  return UnknownVal();
802  case MemRegion::ElementRegionKind:
803  // FIXME: How can we handle this? It's not good enough to subtract the
804  // offset from the base string length; consider "123\x00567" and &a[5].
805  return UnknownVal();
806  default:
807  // Other regions (mostly non-data) can't have a reliable C string length.
808  // In this case, an error is emitted and UndefinedVal is returned.
809  // The caller should always be prepared to handle this case.
810  if (Filter.CheckCStringNotNullTerm) {
811  SmallString<120> buf;
812  llvm::raw_svector_ostream os(buf);
813 
814  assert(CurrentFunctionDescription);
815  os << "Argument to " << CurrentFunctionDescription << " is ";
816 
817  if (SummarizeRegion(os, C.getASTContext(), MR))
818  os << ", which is not a null-terminated string";
819  else
820  os << "not a null-terminated string";
821 
822  emitNotCStringBug(C, state, Ex, os.str());
823  }
824  return UndefinedVal();
825  }
826 }
827 
828 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
829  ProgramStateRef &state, const Expr *expr, SVal val) const {
830 
831  // Get the memory region pointed to by the val.
832  const MemRegion *bufRegion = val.getAsRegion();
833  if (!bufRegion)
834  return nullptr;
835 
836  // Strip casts off the memory region.
837  bufRegion = bufRegion->StripCasts();
838 
839  // Cast the memory region to a string region.
840  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
841  if (!strRegion)
842  return nullptr;
843 
844  // Return the actual string in the string region.
845  return strRegion->getStringLiteral();
846 }
847 
848 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
849  ProgramStateRef state,
850  const Expr *FirstBuf,
851  const Expr *Size) {
852  // If we do not know that the buffer is long enough we return 'true'.
853  // Otherwise the parent region of this field region would also get
854  // invalidated, which would lead to warnings based on an unknown state.
855 
856  // Originally copied from CheckBufferAccess and CheckLocation.
857  SValBuilder &svalBuilder = C.getSValBuilder();
858  ASTContext &Ctx = svalBuilder.getContext();
859  const LocationContext *LCtx = C.getLocationContext();
860 
861  QualType sizeTy = Size->getType();
862  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
863  SVal BufVal = state->getSVal(FirstBuf, LCtx);
864 
865  SVal LengthVal = state->getSVal(Size, LCtx);
866  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
867  if (!Length)
868  return true; // cf top comment.
869 
870  // Compute the offset of the last element to be accessed: size-1.
871  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
872  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
873  if (Offset.isUnknown())
874  return true; // cf top comment
875  NonLoc LastOffset = Offset.castAs<NonLoc>();
876 
877  // Check that the first buffer is sufficiently long.
878  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
879  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
880  if (!BufLoc)
881  return true; // cf top comment.
882 
883  SVal BufEnd =
884  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
885 
886  // Check for out of bound array element access.
887  const MemRegion *R = BufEnd.getAsRegion();
888  if (!R)
889  return true; // cf top comment.
890 
891  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
892  if (!ER)
893  return true; // cf top comment.
894 
895  // FIXME: Does this crash when a non-standard definition
896  // of a library function is encountered?
897  assert(ER->getValueType() == C.getASTContext().CharTy &&
898  "IsFirstBufInBound should only be called with char* ElementRegions");
899 
900  // Get the size of the array.
901  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
902  SVal Extent =
903  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
904  DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
905 
906  // Get the index of the accessed element.
907  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
908 
909  ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true);
910 
911  return static_cast<bool>(StInBound);
912 }
913 
914 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
915  ProgramStateRef state,
916  const Expr *E, SVal V,
917  bool IsSourceBuffer,
918  const Expr *Size) {
919  Optional<Loc> L = V.getAs<Loc>();
920  if (!L)
921  return state;
922 
923  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
924  // some assumptions about the value that CFRefCount can't. Even so, it should
925  // probably be refactored.
926  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
927  const MemRegion *R = MR->getRegion()->StripCasts();
928 
929  // Are we dealing with an ElementRegion? If so, we should be invalidating
930  // the super-region.
931  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
932  R = ER->getSuperRegion();
933  // FIXME: What about layers of ElementRegions?
934  }
935 
936  // Invalidate this region.
937  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
938 
939  bool CausesPointerEscape = false;
940  RegionAndSymbolInvalidationTraits ITraits;
941  // Invalidate and escape only indirect regions accessible through the source
942  // buffer.
943  if (IsSourceBuffer) {
944  ITraits.setTrait(R->getBaseRegion(),
947  CausesPointerEscape = true;
948  } else {
949  const MemRegion::Kind& K = R->getKind();
950  if (K == MemRegion::FieldRegionKind)
951  if (Size && IsFirstBufInBound(C, state, E, Size)) {
952  // If destination buffer is a field region and access is in bound,
953  // do not invalidate its super region.
954  ITraits.setTrait(
955  R,
957  }
958  }
959 
960  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
961  CausesPointerEscape, nullptr, nullptr,
962  &ITraits);
963  }
964 
965  // If we have a non-region value by chance, just remove the binding.
966  // FIXME: is this necessary or correct? This handles the non-Region
967  // cases. Is it ever valid to store to these?
968  return state->killBinding(*L);
969 }
970 
971 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
972  const MemRegion *MR) {
973  const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR);
974 
975  switch (MR->getKind()) {
976  case MemRegion::FunctionCodeRegionKind: {
977  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
978  if (FD)
979  os << "the address of the function '" << *FD << '\'';
980  else
981  os << "the address of a function";
982  return true;
983  }
984  case MemRegion::BlockCodeRegionKind:
985  os << "block text";
986  return true;
987  case MemRegion::BlockDataRegionKind:
988  os << "a block";
989  return true;
990  case MemRegion::CXXThisRegionKind:
991  case MemRegion::CXXTempObjectRegionKind:
992  os << "a C++ temp object of type " << TVR->getValueType().getAsString();
993  return true;
994  case MemRegion::VarRegionKind:
995  os << "a variable of type" << TVR->getValueType().getAsString();
996  return true;
997  case MemRegion::FieldRegionKind:
998  os << "a field of type " << TVR->getValueType().getAsString();
999  return true;
1000  case MemRegion::ObjCIvarRegionKind:
1001  os << "an instance variable of type " << TVR->getValueType().getAsString();
1002  return true;
1003  default:
1004  return false;
1005  }
1006 }
1007 
1008 bool CStringChecker::memsetAux(const Expr *DstBuffer, const Expr *CharE,
1009  const Expr *Size, CheckerContext &C,
1010  ProgramStateRef &State) {
1011  SVal MemVal = C.getSVal(DstBuffer);
1012  SVal CharVal = C.getSVal(CharE);
1013  SVal SizeVal = C.getSVal(Size);
1014  const MemRegion *MR = MemVal.getAsRegion();
1015  if (!MR)
1016  return false;
1017 
1018  // We're about to model memset by producing a "default binding" in the Store.
1019  // Our current implementation - RegionStore - doesn't support default bindings
1020  // that don't cover the whole base region. So we should first get the offset
1021  // and the base region to figure out whether the offset of buffer is 0.
1022  RegionOffset Offset = MR->getAsOffset();
1023  const MemRegion *BR = Offset.getRegion();
1024 
1025  Optional<NonLoc> SizeNL = SizeVal.getAs<NonLoc>();
1026  if (!SizeNL)
1027  return false;
1028 
1029  SValBuilder &svalBuilder = C.getSValBuilder();
1030  ASTContext &Ctx = C.getASTContext();
1031 
1032  // void *memset(void *dest, int ch, size_t count);
1033  // For now we can only handle the case of offset is 0 and concrete char value.
1034  if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
1035  Offset.getOffset() == 0) {
1036  // Get the base region's extent.
1037  auto *SubReg = cast<SubRegion>(BR);
1038  DefinedOrUnknownSVal Extent = SubReg->getExtent(svalBuilder);
1039 
1040  ProgramStateRef StateWholeReg, StateNotWholeReg;
1041  std::tie(StateWholeReg, StateNotWholeReg) =
1042  State->assume(svalBuilder.evalEQ(State, Extent, *SizeNL));
1043 
1044  // With the semantic of 'memset()', we should convert the CharVal to
1045  // unsigned char.
1046  CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);
1047 
1048  ProgramStateRef StateNullChar, StateNonNullChar;
1049  std::tie(StateNullChar, StateNonNullChar) =
1050  assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
1051 
1052  if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
1053  !StateNonNullChar) {
1054  // If the 'memset()' acts on the whole region of destination buffer and
1055  // the value of the second argument of 'memset()' is zero, bind the second
1056  // argument's value to the destination buffer with 'default binding'.
1057  // FIXME: Since there is no perfect way to bind the non-zero character, we
1058  // can only deal with zero value here. In the future, we need to deal with
1059  // the binding of non-zero value in the case of whole region.
1060  State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
1061  C.getLocationContext());
1062  } else {
1063  // If the destination buffer's extent is not equal to the value of
1064  // third argument, just invalidate buffer.
1065  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1066  /*IsSourceBuffer*/ false, Size);
1067  }
1068 
1069  if (StateNullChar && !StateNonNullChar) {
1070  // If the value of the second argument of 'memset()' is zero, set the
1071  // string length of destination buffer to 0 directly.
1072  State = setCStringLength(State, MR,
1073  svalBuilder.makeZeroVal(Ctx.getSizeType()));
1074  } else if (!StateNullChar && StateNonNullChar) {
1075  SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
1076  CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
1077  C.getLocationContext(), C.blockCount());
1078 
1079  // If the value of second argument is not zero, then the string length
1080  // is at least the size argument.
1081  SVal NewStrLenGESize = svalBuilder.evalBinOp(
1082  State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
1083 
1084  State = setCStringLength(
1085  State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
1086  MR, NewStrLen);
1087  }
1088  } else {
1089  // If the offset is not zero and char value is not concrete, we can do
1090  // nothing but invalidate the buffer.
1091  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1092  /*IsSourceBuffer*/ false, Size);
1093  }
1094  return true;
1095 }
1096 
1097 //===----------------------------------------------------------------------===//
1098 // evaluation of individual function calls.
1099 //===----------------------------------------------------------------------===//
1100 
1101 void CStringChecker::evalCopyCommon(CheckerContext &C,
1102  const CallExpr *CE,
1103  ProgramStateRef state,
1104  const Expr *Size, const Expr *Dest,
1105  const Expr *Source, bool Restricted,
1106  bool IsMempcpy) const {
1107  CurrentFunctionDescription = "memory copy function";
1108 
1109  // See if the size argument is zero.
1110  const LocationContext *LCtx = C.getLocationContext();
1111  SVal sizeVal = state->getSVal(Size, LCtx);
1112  QualType sizeTy = Size->getType();
1113 
1114  ProgramStateRef stateZeroSize, stateNonZeroSize;
1115  std::tie(stateZeroSize, stateNonZeroSize) =
1116  assumeZero(C, state, sizeVal, sizeTy);
1117 
1118  // Get the value of the Dest.
1119  SVal destVal = state->getSVal(Dest, LCtx);
1120 
1121  // If the size is zero, there won't be any actual memory access, so
1122  // just bind the return value to the destination buffer and return.
1123  if (stateZeroSize && !stateNonZeroSize) {
1124  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1125  C.addTransition(stateZeroSize);
1126  return;
1127  }
1128 
1129  // If the size can be nonzero, we have to check the other arguments.
1130  if (stateNonZeroSize) {
1131  state = stateNonZeroSize;
1132 
1133  // Ensure the destination is not null. If it is NULL there will be a
1134  // NULL pointer dereference.
1135  state = checkNonNull(C, state, Dest, destVal);
1136  if (!state)
1137  return;
1138 
1139  // Get the value of the Src.
1140  SVal srcVal = state->getSVal(Source, LCtx);
1141 
1142  // Ensure the source is not null. If it is NULL there will be a
1143  // NULL pointer dereference.
1144  state = checkNonNull(C, state, Source, srcVal);
1145  if (!state)
1146  return;
1147 
1148  // Ensure the accesses are valid and that the buffers do not overlap.
1149  const char * const writeWarning =
1150  "Memory copy function overflows destination buffer";
1151  state = CheckBufferAccess(C, state, Size, Dest, Source,
1152  writeWarning, /* sourceWarning = */ nullptr);
1153  if (Restricted)
1154  state = CheckOverlap(C, state, Size, Dest, Source);
1155 
1156  if (!state)
1157  return;
1158 
1159  // If this is mempcpy, get the byte after the last byte copied and
1160  // bind the expr.
1161  if (IsMempcpy) {
1162  // Get the byte after the last byte copied.
1163  SValBuilder &SvalBuilder = C.getSValBuilder();
1164  ASTContext &Ctx = SvalBuilder.getContext();
1165  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1166  SVal DestRegCharVal =
1167  SvalBuilder.evalCast(destVal, CharPtrTy, Dest->getType());
1168  SVal lastElement = C.getSValBuilder().evalBinOp(
1169  state, BO_Add, DestRegCharVal, sizeVal, Dest->getType());
1170  // If we don't know how much we copied, we can at least
1171  // conjure a return value for later.
1172  if (lastElement.isUnknown())
1173  lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1174  C.blockCount());
1175 
1176  // The byte after the last byte copied is the return value.
1177  state = state->BindExpr(CE, LCtx, lastElement);
1178  } else {
1179  // All other copies return the destination buffer.
1180  // (Well, bcopy() has a void return type, but this won't hurt.)
1181  state = state->BindExpr(CE, LCtx, destVal);
1182  }
1183 
1184  // Invalidate the destination (regular invalidation without pointer-escaping
1185  // the address of the top-level region).
1186  // FIXME: Even if we can't perfectly model the copy, we should see if we
1187  // can use LazyCompoundVals to copy the source values into the destination.
1188  // This would probably remove any existing bindings past the end of the
1189  // copied region, but that's still an improvement over blank invalidation.
1190  state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest),
1191  /*IsSourceBuffer*/false, Size);
1192 
1193  // Invalidate the source (const-invalidation without const-pointer-escaping
1194  // the address of the top-level region).
1195  state = InvalidateBuffer(C, state, Source, C.getSVal(Source),
1196  /*IsSourceBuffer*/true, nullptr);
1197 
1198  C.addTransition(state);
1199  }
1200 }
1201 
1202 
1203 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1204  if (CE->getNumArgs() < 3)
1205  return;
1206 
1207  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1208  // The return value is the address of the destination buffer.
1209  const Expr *Dest = CE->getArg(0);
1210  ProgramStateRef state = C.getState();
1211 
1212  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true);
1213 }
1214 
1215 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1216  if (CE->getNumArgs() < 3)
1217  return;
1218 
1219  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1220  // The return value is a pointer to the byte following the last written byte.
1221  const Expr *Dest = CE->getArg(0);
1222  ProgramStateRef state = C.getState();
1223 
1224  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
1225 }
1226 
1227 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1228  if (CE->getNumArgs() < 3)
1229  return;
1230 
1231  // void *memmove(void *dst, const void *src, size_t n);
1232  // The return value is the address of the destination buffer.
1233  const Expr *Dest = CE->getArg(0);
1234  ProgramStateRef state = C.getState();
1235 
1236  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
1237 }
1238 
1239 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1240  if (CE->getNumArgs() < 3)
1241  return;
1242 
1243  // void bcopy(const void *src, void *dst, size_t n);
1244  evalCopyCommon(C, CE, C.getState(),
1245  CE->getArg(2), CE->getArg(1), CE->getArg(0));
1246 }
1247 
1248 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1249  if (CE->getNumArgs() < 3)
1250  return;
1251 
1252  // int memcmp(const void *s1, const void *s2, size_t n);
1253  CurrentFunctionDescription = "memory comparison function";
1254 
1255  const Expr *Left = CE->getArg(0);
1256  const Expr *Right = CE->getArg(1);
1257  const Expr *Size = CE->getArg(2);
1258 
1259  ProgramStateRef state = C.getState();
1260  SValBuilder &svalBuilder = C.getSValBuilder();
1261 
1262  // See if the size argument is zero.
1263  const LocationContext *LCtx = C.getLocationContext();
1264  SVal sizeVal = state->getSVal(Size, LCtx);
1265  QualType sizeTy = Size->getType();
1266 
1267  ProgramStateRef stateZeroSize, stateNonZeroSize;
1268  std::tie(stateZeroSize, stateNonZeroSize) =
1269  assumeZero(C, state, sizeVal, sizeTy);
1270 
1271  // If the size can be zero, the result will be 0 in that case, and we don't
1272  // have to check either of the buffers.
1273  if (stateZeroSize) {
1274  state = stateZeroSize;
1275  state = state->BindExpr(CE, LCtx,
1276  svalBuilder.makeZeroVal(CE->getType()));
1277  C.addTransition(state);
1278  }
1279 
1280  // If the size can be nonzero, we have to check the other arguments.
1281  if (stateNonZeroSize) {
1282  state = stateNonZeroSize;
1283  // If we know the two buffers are the same, we know the result is 0.
1284  // First, get the two buffers' addresses. Another checker will have already
1285  // made sure they're not undefined.
1286  DefinedOrUnknownSVal LV =
1287  state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>();
1288  DefinedOrUnknownSVal RV =
1289  state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>();
1290 
1291  // See if they are the same.
1292  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1293  ProgramStateRef StSameBuf, StNotSameBuf;
1294  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1295 
1296  // If the two arguments might be the same buffer, we know the result is 0,
1297  // and we only need to check one size.
1298  if (StSameBuf) {
1299  state = StSameBuf;
1300  state = CheckBufferAccess(C, state, Size, Left);
1301  if (state) {
1302  state = StSameBuf->BindExpr(CE, LCtx,
1303  svalBuilder.makeZeroVal(CE->getType()));
1304  C.addTransition(state);
1305  }
1306  }
1307 
1308  // If the two arguments might be different buffers, we have to check the
1309  // size of both of them.
1310  if (StNotSameBuf) {
1311  state = StNotSameBuf;
1312  state = CheckBufferAccess(C, state, Size, Left, Right);
1313  if (state) {
1314  // The return value is the comparison result, which we don't know.
1315  SVal CmpV = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1316  C.blockCount());
1317  state = state->BindExpr(CE, LCtx, CmpV);
1318  C.addTransition(state);
1319  }
1320  }
1321  }
1322 }
1323 
1324 void CStringChecker::evalstrLength(CheckerContext &C,
1325  const CallExpr *CE) const {
1326  if (CE->getNumArgs() < 1)
1327  return;
1328 
1329  // size_t strlen(const char *s);
1330  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1331 }
1332 
1333 void CStringChecker::evalstrnLength(CheckerContext &C,
1334  const CallExpr *CE) const {
1335  if (CE->getNumArgs() < 2)
1336  return;
1337 
1338  // size_t strnlen(const char *s, size_t maxlen);
1339  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1340 }
1341 
1342 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1343  bool IsStrnlen) const {
1344  CurrentFunctionDescription = "string length function";
1345  ProgramStateRef state = C.getState();
1346  const LocationContext *LCtx = C.getLocationContext();
1347 
1348  if (IsStrnlen) {
1349  const Expr *maxlenExpr = CE->getArg(1);
1350  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1351 
1352  ProgramStateRef stateZeroSize, stateNonZeroSize;
1353  std::tie(stateZeroSize, stateNonZeroSize) =
1354  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1355 
1356  // If the size can be zero, the result will be 0 in that case, and we don't
1357  // have to check the string itself.
1358  if (stateZeroSize) {
1359  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1360  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1361  C.addTransition(stateZeroSize);
1362  }
1363 
1364  // If the size is GUARANTEED to be zero, we're done!
1365  if (!stateNonZeroSize)
1366  return;
1367 
1368  // Otherwise, record the assumption that the size is nonzero.
1369  state = stateNonZeroSize;
1370  }
1371 
1372  // Check that the string argument is non-null.
1373  const Expr *Arg = CE->getArg(0);
1374  SVal ArgVal = state->getSVal(Arg, LCtx);
1375 
1376  state = checkNonNull(C, state, Arg, ArgVal);
1377 
1378  if (!state)
1379  return;
1380 
1381  SVal strLength = getCStringLength(C, state, Arg, ArgVal);
1382 
1383  // If the argument isn't a valid C string, there's no valid state to
1384  // transition to.
1385  if (strLength.isUndef())
1386  return;
1387 
1388  DefinedOrUnknownSVal result = UnknownVal();
1389 
1390  // If the check is for strnlen() then bind the return value to no more than
1391  // the maxlen value.
1392  if (IsStrnlen) {
1393  QualType cmpTy = C.getSValBuilder().getConditionType();
1394 
1395  // It's a little unfortunate to be getting this again,
1396  // but it's not that expensive...
1397  const Expr *maxlenExpr = CE->getArg(1);
1398  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1399 
1400  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1401  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1402 
1403  if (strLengthNL && maxlenValNL) {
1404  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1405 
1406  // Check if the strLength is greater than the maxlen.
1407  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1408  C.getSValBuilder()
1409  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1410  .castAs<DefinedOrUnknownSVal>());
1411 
1412  if (stateStringTooLong && !stateStringNotTooLong) {
1413  // If the string is longer than maxlen, return maxlen.
1414  result = *maxlenValNL;
1415  } else if (stateStringNotTooLong && !stateStringTooLong) {
1416  // If the string is shorter than maxlen, return its length.
1417  result = *strLengthNL;
1418  }
1419  }
1420 
1421  if (result.isUnknown()) {
1422  // If we don't have enough information for a comparison, there's
1423  // no guarantee the full string length will actually be returned.
1424  // All we know is the return value is the min of the string length
1425  // and the limit. This is better than nothing.
1426  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1427  C.blockCount());
1428  NonLoc resultNL = result.castAs<NonLoc>();
1429 
1430  if (strLengthNL) {
1431  state = state->assume(C.getSValBuilder().evalBinOpNN(
1432  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1433  .castAs<DefinedOrUnknownSVal>(), true);
1434  }
1435 
1436  if (maxlenValNL) {
1437  state = state->assume(C.getSValBuilder().evalBinOpNN(
1438  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1439  .castAs<DefinedOrUnknownSVal>(), true);
1440  }
1441  }
1442 
1443  } else {
1444  // This is a plain strlen(), not strnlen().
1445  result = strLength.castAs<DefinedOrUnknownSVal>();
1446 
1447  // If we don't know the length of the string, conjure a return
1448  // value, so it can be used in constraints, at least.
1449  if (result.isUnknown()) {
1450  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1451  C.blockCount());
1452  }
1453  }
1454 
1455  // Bind the return value.
1456  assert(!result.isUnknown() && "Should have conjured a value by now");
1457  state = state->BindExpr(CE, LCtx, result);
1458  C.addTransition(state);
1459 }
1460 
1461 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1462  if (CE->getNumArgs() < 2)
1463  return;
1464 
1465  // char *strcpy(char *restrict dst, const char *restrict src);
1466  evalStrcpyCommon(C, CE,
1467  /* returnEnd = */ false,
1468  /* isBounded = */ false,
1469  /* isAppending = */ false);
1470 }
1471 
1472 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1473  if (CE->getNumArgs() < 3)
1474  return;
1475 
1476  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1477  evalStrcpyCommon(C, CE,
1478  /* returnEnd = */ false,
1479  /* isBounded = */ true,
1480  /* isAppending = */ false);
1481 }
1482 
1483 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1484  if (CE->getNumArgs() < 2)
1485  return;
1486 
1487  // char *stpcpy(char *restrict dst, const char *restrict src);
1488  evalStrcpyCommon(C, CE,
1489  /* returnEnd = */ true,
1490  /* isBounded = */ false,
1491  /* isAppending = */ false);
1492 }
1493 
1494 void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const {
1495  if (CE->getNumArgs() < 3)
1496  return;
1497 
1498  // char *strlcpy(char *dst, const char *src, size_t n);
1499  evalStrcpyCommon(C, CE,
1500  /* returnEnd = */ true,
1501  /* isBounded = */ true,
1502  /* isAppending = */ false,
1503  /* returnPtr = */ false);
1504 }
1505 
1506 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1507  if (CE->getNumArgs() < 2)
1508  return;
1509 
1510  //char *strcat(char *restrict s1, const char *restrict s2);
1511  evalStrcpyCommon(C, CE,
1512  /* returnEnd = */ false,
1513  /* isBounded = */ false,
1514  /* isAppending = */ true);
1515 }
1516 
1517 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1518  if (CE->getNumArgs() < 3)
1519  return;
1520 
1521  //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1522  evalStrcpyCommon(C, CE,
1523  /* returnEnd = */ false,
1524  /* isBounded = */ true,
1525  /* isAppending = */ true);
1526 }
1527 
1528 void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const {
1529  if (CE->getNumArgs() < 3)
1530  return;
1531 
1532  //char *strlcat(char *s1, const char *s2, size_t n);
1533  evalStrcpyCommon(C, CE,
1534  /* returnEnd = */ false,
1535  /* isBounded = */ true,
1536  /* isAppending = */ true,
1537  /* returnPtr = */ false);
1538 }
1539 
1540 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1541  bool returnEnd, bool isBounded,
1542  bool isAppending, bool returnPtr) const {
1543  CurrentFunctionDescription = "string copy function";
1544  ProgramStateRef state = C.getState();
1545  const LocationContext *LCtx = C.getLocationContext();
1546 
1547  // Check that the destination is non-null.
1548  const Expr *Dst = CE->getArg(0);
1549  SVal DstVal = state->getSVal(Dst, LCtx);
1550 
1551  state = checkNonNull(C, state, Dst, DstVal);
1552  if (!state)
1553  return;
1554 
1555  // Check that the source is non-null.
1556  const Expr *srcExpr = CE->getArg(1);
1557  SVal srcVal = state->getSVal(srcExpr, LCtx);
1558  state = checkNonNull(C, state, srcExpr, srcVal);
1559  if (!state)
1560  return;
1561 
1562  // Get the string length of the source.
1563  SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
1564 
1565  // If the source isn't a valid C string, give up.
1566  if (strLength.isUndef())
1567  return;
1568 
1569  SValBuilder &svalBuilder = C.getSValBuilder();
1570  QualType cmpTy = svalBuilder.getConditionType();
1571  QualType sizeTy = svalBuilder.getContext().getSizeType();
1572 
1573  // These two values allow checking two kinds of errors:
1574  // - actual overflows caused by a source that doesn't fit in the destination
1575  // - potential overflows caused by a bound that could exceed the destination
1576  SVal amountCopied = UnknownVal();
1577  SVal maxLastElementIndex = UnknownVal();
1578  const char *boundWarning = nullptr;
1579 
1580  state = CheckOverlap(C, state, isBounded ? CE->getArg(2) : CE->getArg(1), Dst, srcExpr);
1581 
1582  if (!state)
1583  return;
1584 
1585  // If the function is strncpy, strncat, etc... it is bounded.
1586  if (isBounded) {
1587  // Get the max number of characters to copy.
1588  const Expr *lenExpr = CE->getArg(2);
1589  SVal lenVal = state->getSVal(lenExpr, LCtx);
1590 
1591  // Protect against misdeclared strncpy().
1592  lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
1593 
1594  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1595  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1596 
1597  // If we know both values, we might be able to figure out how much
1598  // we're copying.
1599  if (strLengthNL && lenValNL) {
1600  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1601 
1602  // Check if the max number to copy is less than the length of the src.
1603  // If the bound is equal to the source length, strncpy won't null-
1604  // terminate the result!
1605  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1606  svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1607  .castAs<DefinedOrUnknownSVal>());
1608 
1609  if (stateSourceTooLong && !stateSourceNotTooLong) {
1610  // Max number to copy is less than the length of the src, so the actual
1611  // strLength copied is the max number arg.
1612  state = stateSourceTooLong;
1613  amountCopied = lenVal;
1614 
1615  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1616  // The source buffer entirely fits in the bound.
1617  state = stateSourceNotTooLong;
1618  amountCopied = strLength;
1619  }
1620  }
1621 
1622  // We still want to know if the bound is known to be too large.
1623  if (lenValNL) {
1624  if (isAppending) {
1625  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1626 
1627  // Get the string length of the destination. If the destination is
1628  // memory that can't have a string length, we shouldn't be copying
1629  // into it anyway.
1630  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1631  if (dstStrLength.isUndef())
1632  return;
1633 
1634  if (Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>()) {
1635  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add,
1636  *lenValNL,
1637  *dstStrLengthNL,
1638  sizeTy);
1639  boundWarning = "Size argument is greater than the free space in the "
1640  "destination buffer";
1641  }
1642 
1643  } else {
1644  // For strncpy, this is just checking that lenVal <= sizeof(dst)
1645  // (Yes, strncpy and strncat differ in how they treat termination.
1646  // strncat ALWAYS terminates, but strncpy doesn't.)
1647 
1648  // We need a special case for when the copy size is zero, in which
1649  // case strncpy will do no work at all. Our bounds check uses n-1
1650  // as the last element accessed, so n == 0 is problematic.
1651  ProgramStateRef StateZeroSize, StateNonZeroSize;
1652  std::tie(StateZeroSize, StateNonZeroSize) =
1653  assumeZero(C, state, *lenValNL, sizeTy);
1654 
1655  // If the size is known to be zero, we're done.
1656  if (StateZeroSize && !StateNonZeroSize) {
1657  if (returnPtr) {
1658  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1659  } else {
1660  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, *lenValNL);
1661  }
1662  C.addTransition(StateZeroSize);
1663  return;
1664  }
1665 
1666  // Otherwise, go ahead and figure out the last element we'll touch.
1667  // We don't record the non-zero assumption here because we can't
1668  // be sure. We won't warn on a possible zero.
1669  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1670  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1671  one, sizeTy);
1672  boundWarning = "Size argument is greater than the length of the "
1673  "destination buffer";
1674  }
1675  }
1676 
1677  // If we couldn't pin down the copy length, at least bound it.
1678  // FIXME: We should actually run this code path for append as well, but
1679  // right now it creates problems with constraints (since we can end up
1680  // trying to pass constraints from symbol to symbol).
1681  if (amountCopied.isUnknown() && !isAppending) {
1682  // Try to get a "hypothetical" string length symbol, which we can later
1683  // set as a real value if that turns out to be the case.
1684  amountCopied = getCStringLength(C, state, lenExpr, srcVal, true);
1685  assert(!amountCopied.isUndef());
1686 
1687  if (Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>()) {
1688  if (lenValNL) {
1689  // amountCopied <= lenVal
1690  SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE,
1691  *amountCopiedNL,
1692  *lenValNL,
1693  cmpTy);
1694  state = state->assume(
1695  copiedLessThanBound.castAs<DefinedOrUnknownSVal>(), true);
1696  if (!state)
1697  return;
1698  }
1699 
1700  if (strLengthNL) {
1701  // amountCopied <= strlen(source)
1702  SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE,
1703  *amountCopiedNL,
1704  *strLengthNL,
1705  cmpTy);
1706  state = state->assume(
1707  copiedLessThanSrc.castAs<DefinedOrUnknownSVal>(), true);
1708  if (!state)
1709  return;
1710  }
1711  }
1712  }
1713 
1714  } else {
1715  // The function isn't bounded. The amount copied should match the length
1716  // of the source buffer.
1717  amountCopied = strLength;
1718  }
1719 
1720  assert(state);
1721 
1722  // This represents the number of characters copied into the destination
1723  // buffer. (It may not actually be the strlen if the destination buffer
1724  // is not terminated.)
1725  SVal finalStrLength = UnknownVal();
1726 
1727  // If this is an appending function (strcat, strncat...) then set the
1728  // string length to strlen(src) + strlen(dst) since the buffer will
1729  // ultimately contain both.
1730  if (isAppending) {
1731  // Get the string length of the destination. If the destination is memory
1732  // that can't have a string length, we shouldn't be copying into it anyway.
1733  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1734  if (dstStrLength.isUndef())
1735  return;
1736 
1737  Optional<NonLoc> srcStrLengthNL = amountCopied.getAs<NonLoc>();
1738  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1739 
1740  // If we know both string lengths, we might know the final string length.
1741  if (srcStrLengthNL && dstStrLengthNL) {
1742  // Make sure the two lengths together don't overflow a size_t.
1743  state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL);
1744  if (!state)
1745  return;
1746 
1747  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL,
1748  *dstStrLengthNL, sizeTy);
1749  }
1750 
1751  // If we couldn't get a single value for the final string length,
1752  // we can at least bound it by the individual lengths.
1753  if (finalStrLength.isUnknown()) {
1754  // Try to get a "hypothetical" string length symbol, which we can later
1755  // set as a real value if that turns out to be the case.
1756  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1757  assert(!finalStrLength.isUndef());
1758 
1759  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1760  if (srcStrLengthNL) {
1761  // finalStrLength >= srcStrLength
1762  SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1763  *finalStrLengthNL,
1764  *srcStrLengthNL,
1765  cmpTy);
1766  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1767  true);
1768  if (!state)
1769  return;
1770  }
1771 
1772  if (dstStrLengthNL) {
1773  // finalStrLength >= dstStrLength
1774  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1775  *finalStrLengthNL,
1776  *dstStrLengthNL,
1777  cmpTy);
1778  state =
1779  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1780  if (!state)
1781  return;
1782  }
1783  }
1784  }
1785 
1786  } else {
1787  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1788  // the final string length will match the input string length.
1789  finalStrLength = amountCopied;
1790  }
1791 
1792  SVal Result;
1793 
1794  if (returnPtr) {
1795  // The final result of the function will either be a pointer past the last
1796  // copied element, or a pointer to the start of the destination buffer.
1797  Result = (returnEnd ? UnknownVal() : DstVal);
1798  } else {
1799  Result = finalStrLength;
1800  }
1801 
1802  assert(state);
1803 
1804  // If the destination is a MemRegion, try to check for a buffer overflow and
1805  // record the new string length.
1806  if (Optional<loc::MemRegionVal> dstRegVal =
1807  DstVal.getAs<loc::MemRegionVal>()) {
1808  QualType ptrTy = Dst->getType();
1809 
1810  // If we have an exact value on a bounded copy, use that to check for
1811  // overflows, rather than our estimate about how much is actually copied.
1812  if (boundWarning) {
1813  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1814  SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1815  *maxLastNL, ptrTy);
1816  state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
1817  boundWarning);
1818  if (!state)
1819  return;
1820  }
1821  }
1822 
1823  // Then, if the final length is known...
1824  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1825  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1826  *knownStrLength, ptrTy);
1827 
1828  // ...and we haven't checked the bound, we'll check the actual copy.
1829  if (!boundWarning) {
1830  const char * const warningMsg =
1831  "String copy function overflows destination buffer";
1832  state = CheckLocation(C, state, Dst, lastElement, warningMsg);
1833  if (!state)
1834  return;
1835  }
1836 
1837  // If this is a stpcpy-style copy, the last element is the return value.
1838  if (returnPtr && returnEnd)
1839  Result = lastElement;
1840  }
1841 
1842  // Invalidate the destination (regular invalidation without pointer-escaping
1843  // the address of the top-level region). This must happen before we set the
1844  // C string length because invalidation will clear the length.
1845  // FIXME: Even if we can't perfectly model the copy, we should see if we
1846  // can use LazyCompoundVals to copy the source values into the destination.
1847  // This would probably remove any existing bindings past the end of the
1848  // string, but that's still an improvement over blank invalidation.
1849  state = InvalidateBuffer(C, state, Dst, *dstRegVal,
1850  /*IsSourceBuffer*/false, nullptr);
1851 
1852  // Invalidate the source (const-invalidation without const-pointer-escaping
1853  // the address of the top-level region).
1854  state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
1855  nullptr);
1856 
1857  // Set the C string length of the destination, if we know it.
1858  if (isBounded && !isAppending) {
1859  // strncpy is annoying in that it doesn't guarantee to null-terminate
1860  // the result string. If the original string didn't fit entirely inside
1861  // the bound (including the null-terminator), we don't know how long the
1862  // result is.
1863  if (amountCopied != strLength)
1864  finalStrLength = UnknownVal();
1865  }
1866  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1867  }
1868 
1869  assert(state);
1870 
1871  if (returnPtr) {
1872  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1873  // overflow, we still need a result. Conjure a return value.
1874  if (returnEnd && Result.isUnknown()) {
1875  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1876  }
1877  }
1878  // Set the return value.
1879  state = state->BindExpr(CE, LCtx, Result);
1880  C.addTransition(state);
1881 }
1882 
1883 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1884  if (CE->getNumArgs() < 2)
1885  return;
1886 
1887  //int strcmp(const char *s1, const char *s2);
1888  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false);
1889 }
1890 
1891 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1892  if (CE->getNumArgs() < 3)
1893  return;
1894 
1895  //int strncmp(const char *s1, const char *s2, size_t n);
1896  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false);
1897 }
1898 
1899 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1900  const CallExpr *CE) const {
1901  if (CE->getNumArgs() < 2)
1902  return;
1903 
1904  //int strcasecmp(const char *s1, const char *s2);
1905  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true);
1906 }
1907 
1908 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1909  const CallExpr *CE) const {
1910  if (CE->getNumArgs() < 3)
1911  return;
1912 
1913  //int strncasecmp(const char *s1, const char *s2, size_t n);
1914  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true);
1915 }
1916 
1917 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1918  bool isBounded, bool ignoreCase) const {
1919  CurrentFunctionDescription = "string comparison function";
1920  ProgramStateRef state = C.getState();
1921  const LocationContext *LCtx = C.getLocationContext();
1922 
1923  // Check that the first string is non-null
1924  const Expr *s1 = CE->getArg(0);
1925  SVal s1Val = state->getSVal(s1, LCtx);
1926  state = checkNonNull(C, state, s1, s1Val);
1927  if (!state)
1928  return;
1929 
1930  // Check that the second string is non-null.
1931  const Expr *s2 = CE->getArg(1);
1932  SVal s2Val = state->getSVal(s2, LCtx);
1933  state = checkNonNull(C, state, s2, s2Val);
1934  if (!state)
1935  return;
1936 
1937  // Get the string length of the first string or give up.
1938  SVal s1Length = getCStringLength(C, state, s1, s1Val);
1939  if (s1Length.isUndef())
1940  return;
1941 
1942  // Get the string length of the second string or give up.
1943  SVal s2Length = getCStringLength(C, state, s2, s2Val);
1944  if (s2Length.isUndef())
1945  return;
1946 
1947  // If we know the two buffers are the same, we know the result is 0.
1948  // First, get the two buffers' addresses. Another checker will have already
1949  // made sure they're not undefined.
1950  DefinedOrUnknownSVal LV = s1Val.castAs<DefinedOrUnknownSVal>();
1951  DefinedOrUnknownSVal RV = s2Val.castAs<DefinedOrUnknownSVal>();
1952 
1953  // See if they are the same.
1954  SValBuilder &svalBuilder = C.getSValBuilder();
1955  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1956  ProgramStateRef StSameBuf, StNotSameBuf;
1957  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1958 
1959  // If the two arguments might be the same buffer, we know the result is 0,
1960  // and we only need to check one size.
1961  if (StSameBuf) {
1962  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
1963  svalBuilder.makeZeroVal(CE->getType()));
1964  C.addTransition(StSameBuf);
1965 
1966  // If the two arguments are GUARANTEED to be the same, we're done!
1967  if (!StNotSameBuf)
1968  return;
1969  }
1970 
1971  assert(StNotSameBuf);
1972  state = StNotSameBuf;
1973 
1974  // At this point we can go about comparing the two buffers.
1975  // For now, we only do this if they're both known string literals.
1976 
1977  // Attempt to extract string literals from both expressions.
1978  const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val);
1979  const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val);
1980  bool canComputeResult = false;
1981  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1982  C.blockCount());
1983 
1984  if (s1StrLiteral && s2StrLiteral) {
1985  StringRef s1StrRef = s1StrLiteral->getString();
1986  StringRef s2StrRef = s2StrLiteral->getString();
1987 
1988  if (isBounded) {
1989  // Get the max number of characters to compare.
1990  const Expr *lenExpr = CE->getArg(2);
1991  SVal lenVal = state->getSVal(lenExpr, LCtx);
1992 
1993  // If the length is known, we can get the right substrings.
1994  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
1995  // Create substrings of each to compare the prefix.
1996  s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
1997  s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue());
1998  canComputeResult = true;
1999  }
2000  } else {
2001  // This is a normal, unbounded strcmp.
2002  canComputeResult = true;
2003  }
2004 
2005  if (canComputeResult) {
2006  // Real strcmp stops at null characters.
2007  size_t s1Term = s1StrRef.find('\0');
2008  if (s1Term != StringRef::npos)
2009  s1StrRef = s1StrRef.substr(0, s1Term);
2010 
2011  size_t s2Term = s2StrRef.find('\0');
2012  if (s2Term != StringRef::npos)
2013  s2StrRef = s2StrRef.substr(0, s2Term);
2014 
2015  // Use StringRef's comparison methods to compute the actual result.
2016  int compareRes = ignoreCase ? s1StrRef.compare_lower(s2StrRef)
2017  : s1StrRef.compare(s2StrRef);
2018 
2019  // The strcmp function returns an integer greater than, equal to, or less
2020  // than zero, [c11, p7.24.4.2].
2021  if (compareRes == 0) {
2022  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
2023  }
2024  else {
2025  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
2026  // Constrain strcmp's result range based on the result of StringRef's
2027  // comparison methods.
2028  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
2029  SVal compareWithZero =
2030  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
2031  svalBuilder.getConditionType());
2032  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
2033  state = state->assume(compareWithZeroVal, true);
2034  }
2035  }
2036  }
2037 
2038  state = state->BindExpr(CE, LCtx, resultVal);
2039 
2040  // Record this as a possible path.
2041  C.addTransition(state);
2042 }
2043 
2044 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
2045  //char *strsep(char **stringp, const char *delim);
2046  if (CE->getNumArgs() < 2)
2047  return;
2048 
2049  // Sanity: does the search string parameter match the return type?
2050  const Expr *SearchStrPtr = CE->getArg(0);
2051  QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType();
2052  if (CharPtrTy.isNull() ||
2053  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
2054  return;
2055 
2056  CurrentFunctionDescription = "strsep()";
2057  ProgramStateRef State = C.getState();
2058  const LocationContext *LCtx = C.getLocationContext();
2059 
2060  // Check that the search string pointer is non-null (though it may point to
2061  // a null string).
2062  SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx);
2063  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
2064  if (!State)
2065  return;
2066 
2067  // Check that the delimiter string is non-null.
2068  const Expr *DelimStr = CE->getArg(1);
2069  SVal DelimStrVal = State->getSVal(DelimStr, LCtx);
2070  State = checkNonNull(C, State, DelimStr, DelimStrVal);
2071  if (!State)
2072  return;
2073 
2074  SValBuilder &SVB = C.getSValBuilder();
2075  SVal Result;
2076  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
2077  // Get the current value of the search string pointer, as a char*.
2078  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
2079 
2080  // Invalidate the search string, representing the change of one delimiter
2081  // character to NUL.
2082  State = InvalidateBuffer(C, State, SearchStrPtr, Result,
2083  /*IsSourceBuffer*/false, nullptr);
2084 
2085  // Overwrite the search string pointer. The new value is either an address
2086  // further along in the same string, or NULL if there are no more tokens.
2087  State = State->bindLoc(*SearchStrLoc,
2088  SVB.conjureSymbolVal(getTag(),
2089  CE,
2090  LCtx,
2091  CharPtrTy,
2092  C.blockCount()),
2093  LCtx);
2094  } else {
2095  assert(SearchStrVal.isUnknown());
2096  // Conjure a symbolic value. It's the best we can do.
2097  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2098  }
2099 
2100  // Set the return value, and finish.
2101  State = State->BindExpr(CE, LCtx, Result);
2102  C.addTransition(State);
2103 }
2104 
2105 // These should probably be moved into a C++ standard library checker.
2106 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
2107  evalStdCopyCommon(C, CE);
2108 }
2109 
2110 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
2111  const CallExpr *CE) const {
2112  evalStdCopyCommon(C, CE);
2113 }
2114 
2115 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
2116  const CallExpr *CE) const {
2117  if (CE->getNumArgs() < 3)
2118  return;
2119 
2120  ProgramStateRef State = C.getState();
2121 
2122  const LocationContext *LCtx = C.getLocationContext();
2123 
2124  // template <class _InputIterator, class _OutputIterator>
2125  // _OutputIterator
2126  // copy(_InputIterator __first, _InputIterator __last,
2127  // _OutputIterator __result)
2128 
2129  // Invalidate the destination buffer
2130  const Expr *Dst = CE->getArg(2);
2131  SVal DstVal = State->getSVal(Dst, LCtx);
2132  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
2133  /*Size=*/nullptr);
2134 
2135  SValBuilder &SVB = C.getSValBuilder();
2136 
2137  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2138  State = State->BindExpr(CE, LCtx, ResultVal);
2139 
2140  C.addTransition(State);
2141 }
2142 
2143 void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
2144  if (CE->getNumArgs() != 3)
2145  return;
2146 
2147  CurrentFunctionDescription = "memory set function";
2148 
2149  const Expr *Mem = CE->getArg(0);
2150  const Expr *CharE = CE->getArg(1);
2151  const Expr *Size = CE->getArg(2);
2152  ProgramStateRef State = C.getState();
2153 
2154  // See if the size argument is zero.
2155  const LocationContext *LCtx = C.getLocationContext();
2156  SVal SizeVal = State->getSVal(Size, LCtx);
2157  QualType SizeTy = Size->getType();
2158 
2159  ProgramStateRef StateZeroSize, StateNonZeroSize;
2160  std::tie(StateZeroSize, StateNonZeroSize) =
2161  assumeZero(C, State, SizeVal, SizeTy);
2162 
2163  // Get the value of the memory area.
2164  SVal MemVal = State->getSVal(Mem, LCtx);
2165 
2166  // If the size is zero, there won't be any actual memory access, so
2167  // just bind the return value to the Mem buffer and return.
2168  if (StateZeroSize && !StateNonZeroSize) {
2169  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, MemVal);
2170  C.addTransition(StateZeroSize);
2171  return;
2172  }
2173 
2174  // Ensure the memory area is not null.
2175  // If it is NULL there will be a NULL pointer dereference.
2176  State = checkNonNull(C, StateNonZeroSize, Mem, MemVal);
2177  if (!State)
2178  return;
2179 
2180  State = CheckBufferAccess(C, State, Size, Mem);
2181  if (!State)
2182  return;
2183 
2184  // According to the values of the arguments, bind the value of the second
2185  // argument to the destination buffer and set string length, or just
2186  // invalidate the destination buffer.
2187  if (!memsetAux(Mem, CharE, Size, C, State))
2188  return;
2189 
2190  State = State->BindExpr(CE, LCtx, MemVal);
2191  C.addTransition(State);
2192 }
2193 
2194 static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name) {
2195  IdentifierInfo *II = FD->getIdentifier();
2196  if (!II)
2197  return false;
2198 
2200  return false;
2201 
2202  if (II->getName().equals(Name))
2203  return true;
2204 
2205  return false;
2206 }
2207 //===----------------------------------------------------------------------===//
2208 // The driver method, and other Checker callbacks.
2209 //===----------------------------------------------------------------------===//
2210 
2211 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
2212  const FunctionDecl *FDecl = C.getCalleeDecl(CE);
2213 
2214  if (!FDecl)
2215  return false;
2216 
2217  // FIXME: Poorly-factored string switches are slow.
2218  FnCheck evalFunction = nullptr;
2219  if (C.isCLibraryFunction(FDecl, "memcpy"))
2220  evalFunction = &CStringChecker::evalMemcpy;
2221  else if (C.isCLibraryFunction(FDecl, "mempcpy"))
2222  evalFunction = &CStringChecker::evalMempcpy;
2223  else if (C.isCLibraryFunction(FDecl, "memcmp"))
2224  evalFunction = &CStringChecker::evalMemcmp;
2225  else if (C.isCLibraryFunction(FDecl, "memmove"))
2226  evalFunction = &CStringChecker::evalMemmove;
2227  else if (C.isCLibraryFunction(FDecl, "memset"))
2228  evalFunction = &CStringChecker::evalMemset;
2229  else if (C.isCLibraryFunction(FDecl, "strcpy"))
2230  evalFunction = &CStringChecker::evalStrcpy;
2231  else if (C.isCLibraryFunction(FDecl, "strncpy"))
2232  evalFunction = &CStringChecker::evalStrncpy;
2233  else if (C.isCLibraryFunction(FDecl, "stpcpy"))
2234  evalFunction = &CStringChecker::evalStpcpy;
2235  else if (C.isCLibraryFunction(FDecl, "strlcpy"))
2236  evalFunction = &CStringChecker::evalStrlcpy;
2237  else if (C.isCLibraryFunction(FDecl, "strcat"))
2238  evalFunction = &CStringChecker::evalStrcat;
2239  else if (C.isCLibraryFunction(FDecl, "strncat"))
2240  evalFunction = &CStringChecker::evalStrncat;
2241  else if (C.isCLibraryFunction(FDecl, "strlcat"))
2242  evalFunction = &CStringChecker::evalStrlcat;
2243  else if (C.isCLibraryFunction(FDecl, "strlen"))
2244  evalFunction = &CStringChecker::evalstrLength;
2245  else if (C.isCLibraryFunction(FDecl, "strnlen"))
2246  evalFunction = &CStringChecker::evalstrnLength;
2247  else if (C.isCLibraryFunction(FDecl, "strcmp"))
2248  evalFunction = &CStringChecker::evalStrcmp;
2249  else if (C.isCLibraryFunction(FDecl, "strncmp"))
2250  evalFunction = &CStringChecker::evalStrncmp;
2251  else if (C.isCLibraryFunction(FDecl, "strcasecmp"))
2252  evalFunction = &CStringChecker::evalStrcasecmp;
2253  else if (C.isCLibraryFunction(FDecl, "strncasecmp"))
2254  evalFunction = &CStringChecker::evalStrncasecmp;
2255  else if (C.isCLibraryFunction(FDecl, "strsep"))
2256  evalFunction = &CStringChecker::evalStrsep;
2257  else if (C.isCLibraryFunction(FDecl, "bcopy"))
2258  evalFunction = &CStringChecker::evalBcopy;
2259  else if (C.isCLibraryFunction(FDecl, "bcmp"))
2260  evalFunction = &CStringChecker::evalMemcmp;
2261  else if (isCPPStdLibraryFunction(FDecl, "copy"))
2262  evalFunction = &CStringChecker::evalStdCopy;
2263  else if (isCPPStdLibraryFunction(FDecl, "copy_backward"))
2264  evalFunction = &CStringChecker::evalStdCopyBackward;
2265 
2266  // If the callee isn't a string function, let another checker handle it.
2267  if (!evalFunction)
2268  return false;
2269 
2270  // Check and evaluate the call.
2271  (this->*evalFunction)(C, CE);
2272 
2273  // If the evaluate call resulted in no change, chain to the next eval call
2274  // handler.
2275  // Note, the custom CString evaluation calls assume that basic safety
2276  // properties are held. However, if the user chooses to turn off some of these
2277  // checks, we ignore the issues and leave the call evaluation to a generic
2278  // handler.
2279  return C.isDifferent();
2280 }
2281 
2282 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2283  // Record string length for char a[] = "abc";
2284  ProgramStateRef state = C.getState();
2285 
2286  for (const auto *I : DS->decls()) {
2287  const VarDecl *D = dyn_cast<VarDecl>(I);
2288  if (!D)
2289  continue;
2290 
2291  // FIXME: Handle array fields of structs.
2292  if (!D->getType()->isArrayType())
2293  continue;
2294 
2295  const Expr *Init = D->getInit();
2296  if (!Init)
2297  continue;
2298  if (!isa<StringLiteral>(Init))
2299  continue;
2300 
2301  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2302  const MemRegion *MR = VarLoc.getAsRegion();
2303  if (!MR)
2304  continue;
2305 
2306  SVal StrVal = C.getSVal(Init);
2307  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2308  DefinedOrUnknownSVal strLength =
2309  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2310 
2311  state = state->set<CStringLength>(MR, strLength);
2312  }
2313 
2314  C.addTransition(state);
2315 }
2316 
2318 CStringChecker::checkRegionChanges(ProgramStateRef state,
2319  const InvalidatedSymbols *,
2320  ArrayRef<const MemRegion *> ExplicitRegions,
2322  const LocationContext *LCtx,
2323  const CallEvent *Call) const {
2324  CStringLengthTy Entries = state->get<CStringLength>();
2325  if (Entries.isEmpty())
2326  return state;
2327 
2328  llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
2329  llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
2330 
2331  // First build sets for the changed regions and their super-regions.
2333  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2334  const MemRegion *MR = *I;
2335  Invalidated.insert(MR);
2336 
2337  SuperRegions.insert(MR);
2338  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2339  MR = SR->getSuperRegion();
2340  SuperRegions.insert(MR);
2341  }
2342  }
2343 
2344  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2345 
2346  // Then loop over the entries in the current state.
2347  for (CStringLengthTy::iterator I = Entries.begin(),
2348  E = Entries.end(); I != E; ++I) {
2349  const MemRegion *MR = I.getKey();
2350 
2351  // Is this entry for a super-region of a changed region?
2352  if (SuperRegions.count(MR)) {
2353  Entries = F.remove(Entries, MR);
2354  continue;
2355  }
2356 
2357  // Is this entry for a sub-region of a changed region?
2358  const MemRegion *Super = MR;
2359  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2360  Super = SR->getSuperRegion();
2361  if (Invalidated.count(Super)) {
2362  Entries = F.remove(Entries, MR);
2363  break;
2364  }
2365  }
2366  }
2367 
2368  return state->set<CStringLength>(Entries);
2369 }
2370 
2371 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2372  SymbolReaper &SR) const {
2373  // Mark all symbols in our string length map as valid.
2374  CStringLengthTy Entries = state->get<CStringLength>();
2375 
2376  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2377  I != E; ++I) {
2378  SVal Len = I.getData();
2379 
2380  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2381  se = Len.symbol_end(); si != se; ++si)
2382  SR.markInUse(*si);
2383  }
2384 }
2385 
2386 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2387  CheckerContext &C) const {
2388  ProgramStateRef state = C.getState();
2389  CStringLengthTy Entries = state->get<CStringLength>();
2390  if (Entries.isEmpty())
2391  return;
2392 
2393  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2394  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2395  I != E; ++I) {
2396  SVal Len = I.getData();
2397  if (SymbolRef Sym = Len.getAsSymbol()) {
2398  if (SR.isDead(Sym))
2399  Entries = F.remove(Entries, I.getKey());
2400  }
2401  }
2402 
2403  state = state->set<CStringLength>(Entries);
2404  C.addTransition(state);
2405 }
2406 
2407 #define REGISTER_CHECKER(name) \
2408  void ento::register##name(CheckerManager &mgr) { \
2409  CStringChecker *checker = mgr.registerChecker<CStringChecker>(); \
2410  checker->Filter.Check##name = true; \
2411  checker->Filter.CheckName##name = mgr.getCurrentCheckName(); \
2412  }
2413 
2414  REGISTER_CHECKER(CStringNullArg)
2415  REGISTER_CHECKER(CStringOutOfBounds)
2416  REGISTER_CHECKER(CStringBufferOverlap)
2417 REGISTER_CHECKER(CStringNotNullTerm)
2418 
2420  Mgr.registerChecker<CStringChecker>();
2421  }
Represents a function declaration or definition.
Definition: Decl.h:1739
A (possibly-)qualified type.
Definition: Type.h:642
bool isArrayType() const
Definition: Type.h:6331
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2480
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:52
const SymExpr * SymbolRef
Stmt - This represents one statement.
Definition: Stmt.h:66
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2468
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:505
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Represents a variable declaration or definition.
Definition: Decl.h:812
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:269
One of these records is kept for each identifier that is lexed.
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:154
LineState State
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
void registerCStringCheckerBasic(CheckerManager &Mgr)
Register the checker which evaluates CString API calls.
BinaryOperatorKind
static bool isInStdNamespace(const Decl *D)
Returns true if the root namespace of the given declaration is the &#39;std&#39; C++ namespace.
static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name)
CanQualType UnsignedCharTy
Definition: ASTContext.h:1025
StringRef getString() const
Definition: Expr.h:1660
#define REGISTER_CHECKER(name)
unsigned Offset
Definition: Format.cpp:1631
This represents one expression.
Definition: Expr.h:106
std::string Label
QualType getType() const
Definition: Expr.h:128
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:707
llvm::cl::opt< std::string > Filter
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
DeclStmt - Adaptor class for mixing declarations with statements and expressions. ...
Definition: Stmt.h:923
Tells that a region&#39;s contents is not changed.
Definition: MemRegion.h:1457
StringRef getName() const
Return the actual identifier string.
CanQualType CharTy
Definition: ASTContext.h:1017
Dataflow Directional Tag Classes.
const Expr * getInit() const
Definition: Decl.h:1219
unsigned getByteLength() const
Definition: Expr.h:1688
decl_range decls()
Definition: Stmt.h:966
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:6138
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:276
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1577
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2407
LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:174
CanQualType IntTy
Definition: ASTContext.h:1024
QualType getType() const
Definition: Decl.h:647
This represents a decl that may have a name.
Definition: Decl.h:248
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.