clang  6.0.0svn
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines CStringChecker, which is an assortment of checks on calls
11 // to functions in <string.h>.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "InterCheckerAPI.h"
17 #include "clang/Basic/CharInfo.h"
23 #include "llvm/ADT/STLExtras.h"
24 #include "llvm/ADT/SmallString.h"
25 #include "llvm/Support/raw_ostream.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 namespace {
31 class CStringChecker : public Checker< eval::Call,
32  check::PreStmt<DeclStmt>,
33  check::LiveSymbols,
34  check::DeadSymbols,
35  check::RegionChanges
36  > {
37  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
38  BT_NotCString, BT_AdditionOverflow;
39 
40  mutable const char *CurrentFunctionDescription;
41 
42 public:
43  /// The filter is used to filter out the diagnostics which are not enabled by
44  /// the user.
45  struct CStringChecksFilter {
46  DefaultBool CheckCStringNullArg;
47  DefaultBool CheckCStringOutOfBounds;
48  DefaultBool CheckCStringBufferOverlap;
49  DefaultBool CheckCStringNotNullTerm;
50 
51  CheckName CheckNameCStringNullArg;
52  CheckName CheckNameCStringOutOfBounds;
53  CheckName CheckNameCStringBufferOverlap;
54  CheckName CheckNameCStringNotNullTerm;
55  };
56 
57  CStringChecksFilter Filter;
58 
59  static void *getTag() { static int tag; return &tag; }
60 
61  bool evalCall(const CallExpr *CE, CheckerContext &C) const;
62  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
63  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
64  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
65 
67  checkRegionChanges(ProgramStateRef state,
68  const InvalidatedSymbols *,
69  ArrayRef<const MemRegion *> ExplicitRegions,
71  const LocationContext *LCtx,
72  const CallEvent *Call) const;
73 
74  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
75  const CallExpr *) const;
76 
77  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
78  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
79  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
80  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
81  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
83  const Expr *Size,
84  const Expr *Source,
85  const Expr *Dest,
86  bool Restricted = false,
87  bool IsMempcpy = false) const;
88 
89  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
90 
91  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
92  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
93  void evalstrLengthCommon(CheckerContext &C,
94  const CallExpr *CE,
95  bool IsStrnlen = false) const;
96 
97  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
98  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
99  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
100  void evalStrcpyCommon(CheckerContext &C,
101  const CallExpr *CE,
102  bool returnEnd,
103  bool isBounded,
104  bool isAppending) const;
105 
106  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
107  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
108 
109  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
110  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
111  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
112  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
113  void evalStrcmpCommon(CheckerContext &C,
114  const CallExpr *CE,
115  bool isBounded = false,
116  bool ignoreCase = false) const;
117 
118  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
119 
120  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
121  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
122  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
123  void evalMemset(CheckerContext &C, const CallExpr *CE) const;
124 
125  // Utility methods
126  std::pair<ProgramStateRef , ProgramStateRef >
127  static assumeZero(CheckerContext &C,
129 
130  static ProgramStateRef setCStringLength(ProgramStateRef state,
131  const MemRegion *MR,
132  SVal strLength);
133  static SVal getCStringLengthForRegion(CheckerContext &C,
135  const Expr *Ex,
136  const MemRegion *MR,
137  bool hypothetical);
138  SVal getCStringLength(CheckerContext &C,
140  const Expr *Ex,
141  SVal Buf,
142  bool hypothetical = false) const;
143 
144  const StringLiteral *getCStringLiteral(CheckerContext &C,
146  const Expr *expr,
147  SVal val) const;
148 
149  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
151  const Expr *Ex, SVal V,
152  bool IsSourceBuffer,
153  const Expr *Size);
154 
155  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
156  const MemRegion *MR);
157 
158  // Re-usable checks
159  ProgramStateRef checkNonNull(CheckerContext &C,
161  const Expr *S,
162  SVal l) const;
163  ProgramStateRef CheckLocation(CheckerContext &C,
165  const Expr *S,
166  SVal l,
167  const char *message = nullptr) const;
168  ProgramStateRef CheckBufferAccess(CheckerContext &C,
170  const Expr *Size,
171  const Expr *FirstBuf,
172  const Expr *SecondBuf,
173  const char *firstMessage = nullptr,
174  const char *secondMessage = nullptr,
175  bool WarnAboutSize = false) const;
176 
177  ProgramStateRef CheckBufferAccess(CheckerContext &C,
179  const Expr *Size,
180  const Expr *Buf,
181  const char *message = nullptr,
182  bool WarnAboutSize = false) const {
183  // This is a convenience override.
184  return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
185  WarnAboutSize);
186  }
187  ProgramStateRef CheckOverlap(CheckerContext &C,
189  const Expr *Size,
190  const Expr *First,
191  const Expr *Second) const;
192  void emitOverlapBug(CheckerContext &C,
194  const Stmt *First,
195  const Stmt *Second) const;
196 
197  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
199  NonLoc left,
200  NonLoc right) const;
201 
202  // Return true if the destination buffer of the copy function may be in bound.
203  // Expects SVal of Size to be positive and unsigned.
204  // Expects SVal of FirstBuf to be a FieldRegion.
205  static bool IsFirstBufInBound(CheckerContext &C,
207  const Expr *FirstBuf,
208  const Expr *Size);
209 };
210 
211 } //end anonymous namespace
212 
213 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
214 
215 //===----------------------------------------------------------------------===//
216 // Individual checks and utility methods.
217 //===----------------------------------------------------------------------===//
218 
219 std::pair<ProgramStateRef , ProgramStateRef >
220 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
221  QualType Ty) {
223  if (!val)
224  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
225 
226  SValBuilder &svalBuilder = C.getSValBuilder();
227  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
228  return state->assume(svalBuilder.evalEQ(state, *val, zero));
229 }
230 
231 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
232  ProgramStateRef state,
233  const Expr *S, SVal l) const {
234  // If a previous check has failed, propagate the failure.
235  if (!state)
236  return nullptr;
237 
238  ProgramStateRef stateNull, stateNonNull;
239  std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
240 
241  if (stateNull && !stateNonNull) {
242  if (!Filter.CheckCStringNullArg)
243  return nullptr;
244 
245  ExplodedNode *N = C.generateErrorNode(stateNull);
246  if (!N)
247  return nullptr;
248 
249  if (!BT_Null)
250  BT_Null.reset(new BuiltinBug(
251  Filter.CheckNameCStringNullArg, categories::UnixAPI,
252  "Null pointer argument in call to byte string function"));
253 
254  SmallString<80> buf;
255  llvm::raw_svector_ostream os(buf);
256  assert(CurrentFunctionDescription);
257  os << "Null pointer argument in call to " << CurrentFunctionDescription;
258 
259  // Generate a report for this bug.
260  BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get());
261  auto report = llvm::make_unique<BugReport>(*BT, os.str(), N);
262 
263  report->addRange(S->getSourceRange());
264  bugreporter::trackNullOrUndefValue(N, S, *report);
265  C.emitReport(std::move(report));
266  return nullptr;
267  }
268 
269  // From here on, assume that the value is non-null.
270  assert(stateNonNull);
271  return stateNonNull;
272 }
273 
274 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
275 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
276  ProgramStateRef state,
277  const Expr *S, SVal l,
278  const char *warningMsg) const {
279  // If a previous check has failed, propagate the failure.
280  if (!state)
281  return nullptr;
282 
283  // Check for out of bound array element access.
284  const MemRegion *R = l.getAsRegion();
285  if (!R)
286  return state;
287 
288  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
289  if (!ER)
290  return state;
291 
292  if (ER->getValueType() != C.getASTContext().CharTy)
293  return state;
294 
295  // Get the size of the array.
296  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
297  SValBuilder &svalBuilder = C.getSValBuilder();
298  SVal Extent =
299  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
301 
302  // Get the index of the accessed element.
304 
305  ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
306  ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
307  if (StOutBound && !StInBound) {
308  ExplodedNode *N = C.generateErrorNode(StOutBound);
309  if (!N)
310  return nullptr;
311 
312  if (!BT_Bounds) {
313  BT_Bounds.reset(new BuiltinBug(
314  Filter.CheckNameCStringOutOfBounds, "Out-of-bound array access",
315  "Byte string function accesses out-of-bound array element"));
316  }
317  BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get());
318 
319  // Generate a report for this bug.
320  std::unique_ptr<BugReport> report;
321  if (warningMsg) {
322  report = llvm::make_unique<BugReport>(*BT, warningMsg, N);
323  } else {
324  assert(CurrentFunctionDescription);
325  assert(CurrentFunctionDescription[0] != '\0');
326 
327  SmallString<80> buf;
328  llvm::raw_svector_ostream os(buf);
329  os << toUppercase(CurrentFunctionDescription[0])
330  << &CurrentFunctionDescription[1]
331  << " accesses out-of-bound array element";
332  report = llvm::make_unique<BugReport>(*BT, os.str(), N);
333  }
334 
335  // FIXME: It would be nice to eventually make this diagnostic more clear,
336  // e.g., by referencing the original declaration or by saying *why* this
337  // reference is outside the range.
338 
339  report->addRange(S->getSourceRange());
340  C.emitReport(std::move(report));
341  return nullptr;
342  }
343 
344  // Array bound check succeeded. From this point forward the array bound
345  // should always succeed.
346  return StInBound;
347 }
348 
349 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
350  ProgramStateRef state,
351  const Expr *Size,
352  const Expr *FirstBuf,
353  const Expr *SecondBuf,
354  const char *firstMessage,
355  const char *secondMessage,
356  bool WarnAboutSize) const {
357  // If a previous check has failed, propagate the failure.
358  if (!state)
359  return nullptr;
360 
361  SValBuilder &svalBuilder = C.getSValBuilder();
362  ASTContext &Ctx = svalBuilder.getContext();
363  const LocationContext *LCtx = C.getLocationContext();
364 
365  QualType sizeTy = Size->getType();
366  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
367 
368  // Check that the first buffer is non-null.
369  SVal BufVal = state->getSVal(FirstBuf, LCtx);
370  state = checkNonNull(C, state, FirstBuf, BufVal);
371  if (!state)
372  return nullptr;
373 
374  // If out-of-bounds checking is turned off, skip the rest.
375  if (!Filter.CheckCStringOutOfBounds)
376  return state;
377 
378  // Get the access length and make sure it is known.
379  // FIXME: This assumes the caller has already checked that the access length
380  // is positive. And that it's unsigned.
381  SVal LengthVal = state->getSVal(Size, LCtx);
382  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
383  if (!Length)
384  return state;
385 
386  // Compute the offset of the last element to be accessed: size-1.
387  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
388  NonLoc LastOffset = svalBuilder
389  .evalBinOpNN(state, BO_Sub, *Length, One, sizeTy).castAs<NonLoc>();
390 
391  // Check that the first buffer is sufficiently long.
392  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
393  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
394  const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
395 
396  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
397  LastOffset, PtrTy);
398  state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
399 
400  // If the buffer isn't large enough, abort.
401  if (!state)
402  return nullptr;
403  }
404 
405  // If there's a second buffer, check it as well.
406  if (SecondBuf) {
407  BufVal = state->getSVal(SecondBuf, LCtx);
408  state = checkNonNull(C, state, SecondBuf, BufVal);
409  if (!state)
410  return nullptr;
411 
412  BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
413  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
414  const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
415 
416  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
417  LastOffset, PtrTy);
418  state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
419  }
420  }
421 
422  // Large enough or not, return this state!
423  return state;
424 }
425 
426 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
427  ProgramStateRef state,
428  const Expr *Size,
429  const Expr *First,
430  const Expr *Second) const {
431  if (!Filter.CheckCStringBufferOverlap)
432  return state;
433 
434  // Do a simple check for overlap: if the two arguments are from the same
435  // buffer, see if the end of the first is greater than the start of the second
436  // or vice versa.
437 
438  // If a previous check has failed, propagate the failure.
439  if (!state)
440  return nullptr;
441 
442  ProgramStateRef stateTrue, stateFalse;
443 
444  // Get the buffer values and make sure they're known locations.
445  const LocationContext *LCtx = C.getLocationContext();
446  SVal firstVal = state->getSVal(First, LCtx);
447  SVal secondVal = state->getSVal(Second, LCtx);
448 
449  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
450  if (!firstLoc)
451  return state;
452 
453  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
454  if (!secondLoc)
455  return state;
456 
457  // Are the two values the same?
458  SValBuilder &svalBuilder = C.getSValBuilder();
459  std::tie(stateTrue, stateFalse) =
460  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
461 
462  if (stateTrue && !stateFalse) {
463  // If the values are known to be equal, that's automatically an overlap.
464  emitOverlapBug(C, stateTrue, First, Second);
465  return nullptr;
466  }
467 
468  // assume the two expressions are not equal.
469  assert(stateFalse);
470  state = stateFalse;
471 
472  // Which value comes first?
473  QualType cmpTy = svalBuilder.getConditionType();
474  SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT,
475  *firstLoc, *secondLoc, cmpTy);
476  Optional<DefinedOrUnknownSVal> reverseTest =
477  reverse.getAs<DefinedOrUnknownSVal>();
478  if (!reverseTest)
479  return state;
480 
481  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
482  if (stateTrue) {
483  if (stateFalse) {
484  // If we don't know which one comes first, we can't perform this test.
485  return state;
486  } else {
487  // Switch the values so that firstVal is before secondVal.
488  std::swap(firstLoc, secondLoc);
489 
490  // Switch the Exprs as well, so that they still correspond.
491  std::swap(First, Second);
492  }
493  }
494 
495  // Get the length, and make sure it too is known.
496  SVal LengthVal = state->getSVal(Size, LCtx);
497  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
498  if (!Length)
499  return state;
500 
501  // Convert the first buffer's start address to char*.
502  // Bail out if the cast fails.
503  ASTContext &Ctx = svalBuilder.getContext();
504  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
505  SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy,
506  First->getType());
507  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
508  if (!FirstStartLoc)
509  return state;
510 
511  // Compute the end of the first buffer. Bail out if THAT fails.
512  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add,
513  *FirstStartLoc, *Length, CharPtrTy);
514  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
515  if (!FirstEndLoc)
516  return state;
517 
518  // Is the end of the first buffer past the start of the second buffer?
519  SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT,
520  *FirstEndLoc, *secondLoc, cmpTy);
521  Optional<DefinedOrUnknownSVal> OverlapTest =
522  Overlap.getAs<DefinedOrUnknownSVal>();
523  if (!OverlapTest)
524  return state;
525 
526  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
527 
528  if (stateTrue && !stateFalse) {
529  // Overlap!
530  emitOverlapBug(C, stateTrue, First, Second);
531  return nullptr;
532  }
533 
534  // assume the two expressions don't overlap.
535  assert(stateFalse);
536  return stateFalse;
537 }
538 
539 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
540  const Stmt *First, const Stmt *Second) const {
541  ExplodedNode *N = C.generateErrorNode(state);
542  if (!N)
543  return;
544 
545  if (!BT_Overlap)
546  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
547  categories::UnixAPI, "Improper arguments"));
548 
549  // Generate a report for this bug.
550  auto report = llvm::make_unique<BugReport>(
551  *BT_Overlap, "Arguments must not be overlapping buffers", N);
552  report->addRange(First->getSourceRange());
553  report->addRange(Second->getSourceRange());
554 
555  C.emitReport(std::move(report));
556 }
557 
558 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
559  ProgramStateRef state,
560  NonLoc left,
561  NonLoc right) const {
562  // If out-of-bounds checking is turned off, skip the rest.
563  if (!Filter.CheckCStringOutOfBounds)
564  return state;
565 
566  // If a previous check has failed, propagate the failure.
567  if (!state)
568  return nullptr;
569 
570  SValBuilder &svalBuilder = C.getSValBuilder();
571  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
572 
573  QualType sizeTy = svalBuilder.getContext().getSizeType();
574  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
575  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
576 
577  SVal maxMinusRight;
578  if (right.getAs<nonloc::ConcreteInt>()) {
579  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
580  sizeTy);
581  } else {
582  // Try switching the operands. (The order of these two assignments is
583  // important!)
584  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
585  sizeTy);
586  left = right;
587  }
588 
589  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
590  QualType cmpTy = svalBuilder.getConditionType();
591  // If left > max - right, we have an overflow.
592  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
593  *maxMinusRightNL, cmpTy);
594 
595  ProgramStateRef stateOverflow, stateOkay;
596  std::tie(stateOverflow, stateOkay) =
597  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
598 
599  if (stateOverflow && !stateOkay) {
600  // We have an overflow. Emit a bug report.
601  ExplodedNode *N = C.generateErrorNode(stateOverflow);
602  if (!N)
603  return nullptr;
604 
605  if (!BT_AdditionOverflow)
606  BT_AdditionOverflow.reset(
607  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
608  "Sum of expressions causes overflow"));
609 
610  // This isn't a great error message, but this should never occur in real
611  // code anyway -- you'd have to create a buffer longer than a size_t can
612  // represent, which is sort of a contradiction.
613  const char *warning =
614  "This expression will create a string whose length is too big to "
615  "be represented as a size_t";
616 
617  // Generate a report for this bug.
618  C.emitReport(
619  llvm::make_unique<BugReport>(*BT_AdditionOverflow, warning, N));
620 
621  return nullptr;
622  }
623 
624  // From now on, assume an overflow didn't occur.
625  assert(stateOkay);
626  state = stateOkay;
627  }
628 
629  return state;
630 }
631 
632 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
633  const MemRegion *MR,
634  SVal strLength) {
635  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
636 
637  MR = MR->StripCasts();
638 
639  switch (MR->getKind()) {
640  case MemRegion::StringRegionKind:
641  // FIXME: This can happen if we strcpy() into a string region. This is
642  // undefined [C99 6.4.5p6], but we should still warn about it.
643  return state;
644 
645  case MemRegion::SymbolicRegionKind:
646  case MemRegion::AllocaRegionKind:
647  case MemRegion::VarRegionKind:
648  case MemRegion::FieldRegionKind:
649  case MemRegion::ObjCIvarRegionKind:
650  // These are the types we can currently track string lengths for.
651  break;
652 
653  case MemRegion::ElementRegionKind:
654  // FIXME: Handle element regions by upper-bounding the parent region's
655  // string length.
656  return state;
657 
658  default:
659  // Other regions (mostly non-data) can't have a reliable C string length.
660  // For now, just ignore the change.
661  // FIXME: These are rare but not impossible. We should output some kind of
662  // warning for things like strcpy((char[]){'a', 0}, "b");
663  return state;
664  }
665 
666  if (strLength.isUnknown())
667  return state->remove<CStringLength>(MR);
668 
669  return state->set<CStringLength>(MR, strLength);
670 }
671 
672 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
673  ProgramStateRef &state,
674  const Expr *Ex,
675  const MemRegion *MR,
676  bool hypothetical) {
677  if (!hypothetical) {
678  // If there's a recorded length, go ahead and return it.
679  const SVal *Recorded = state->get<CStringLength>(MR);
680  if (Recorded)
681  return *Recorded;
682  }
683 
684  // Otherwise, get a new symbol and update the state.
685  SValBuilder &svalBuilder = C.getSValBuilder();
686  QualType sizeTy = svalBuilder.getContext().getSizeType();
687  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
688  MR, Ex, sizeTy,
689  C.getLocationContext(),
690  C.blockCount());
691 
692  if (!hypothetical) {
693  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
694  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
695  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
696  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
697  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
698  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
699  fourInt);
700  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
701  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
702  maxLength, sizeTy);
703  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
704  }
705  state = state->set<CStringLength>(MR, strLength);
706  }
707 
708  return strLength;
709 }
710 
711 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
712  const Expr *Ex, SVal Buf,
713  bool hypothetical) const {
714  const MemRegion *MR = Buf.getAsRegion();
715  if (!MR) {
716  // If we can't get a region, see if it's something we /know/ isn't a
717  // C string. In the context of locations, the only time we can issue such
718  // a warning is for labels.
720  if (!Filter.CheckCStringNotNullTerm)
721  return UndefinedVal();
722 
723  if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
724  if (!BT_NotCString)
725  BT_NotCString.reset(new BuiltinBug(
726  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
727  "Argument is not a null-terminated string."));
728 
729  SmallString<120> buf;
730  llvm::raw_svector_ostream os(buf);
731  assert(CurrentFunctionDescription);
732  os << "Argument to " << CurrentFunctionDescription
733  << " is the address of the label '" << Label->getLabel()->getName()
734  << "', which is not a null-terminated string";
735 
736  // Generate a report for this bug.
737  auto report = llvm::make_unique<BugReport>(*BT_NotCString, os.str(), N);
738 
739  report->addRange(Ex->getSourceRange());
740  C.emitReport(std::move(report));
741  }
742  return UndefinedVal();
743 
744  }
745 
746  // If it's not a region and not a label, give up.
747  return UnknownVal();
748  }
749 
750  // If we have a region, strip casts from it and see if we can figure out
751  // its length. For anything we can't figure out, just return UnknownVal.
752  MR = MR->StripCasts();
753 
754  switch (MR->getKind()) {
755  case MemRegion::StringRegionKind: {
756  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
757  // so we can assume that the byte length is the correct C string length.
758  SValBuilder &svalBuilder = C.getSValBuilder();
759  QualType sizeTy = svalBuilder.getContext().getSizeType();
760  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
761  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
762  }
763  case MemRegion::SymbolicRegionKind:
764  case MemRegion::AllocaRegionKind:
765  case MemRegion::VarRegionKind:
766  case MemRegion::FieldRegionKind:
767  case MemRegion::ObjCIvarRegionKind:
768  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
769  case MemRegion::CompoundLiteralRegionKind:
770  // FIXME: Can we track this? Is it necessary?
771  return UnknownVal();
772  case MemRegion::ElementRegionKind:
773  // FIXME: How can we handle this? It's not good enough to subtract the
774  // offset from the base string length; consider "123\x00567" and &a[5].
775  return UnknownVal();
776  default:
777  // Other regions (mostly non-data) can't have a reliable C string length.
778  // In this case, an error is emitted and UndefinedVal is returned.
779  // The caller should always be prepared to handle this case.
780  if (!Filter.CheckCStringNotNullTerm)
781  return UndefinedVal();
782 
783  if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
784  if (!BT_NotCString)
785  BT_NotCString.reset(new BuiltinBug(
786  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
787  "Argument is not a null-terminated string."));
788 
789  SmallString<120> buf;
790  llvm::raw_svector_ostream os(buf);
791 
792  assert(CurrentFunctionDescription);
793  os << "Argument to " << CurrentFunctionDescription << " is ";
794 
795  if (SummarizeRegion(os, C.getASTContext(), MR))
796  os << ", which is not a null-terminated string";
797  else
798  os << "not a null-terminated string";
799 
800  // Generate a report for this bug.
801  auto report = llvm::make_unique<BugReport>(*BT_NotCString, os.str(), N);
802 
803  report->addRange(Ex->getSourceRange());
804  C.emitReport(std::move(report));
805  }
806 
807  return UndefinedVal();
808  }
809 }
810 
811 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
812  ProgramStateRef &state, const Expr *expr, SVal val) const {
813 
814  // Get the memory region pointed to by the val.
815  const MemRegion *bufRegion = val.getAsRegion();
816  if (!bufRegion)
817  return nullptr;
818 
819  // Strip casts off the memory region.
820  bufRegion = bufRegion->StripCasts();
821 
822  // Cast the memory region to a string region.
823  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
824  if (!strRegion)
825  return nullptr;
826 
827  // Return the actual string in the string region.
828  return strRegion->getStringLiteral();
829 }
830 
831 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
832  ProgramStateRef state,
833  const Expr *FirstBuf,
834  const Expr *Size) {
835  // If we do not know that the buffer is long enough we return 'true'.
836  // Otherwise the parent region of this field region would also get
837  // invalidated, which would lead to warnings based on an unknown state.
838 
839  // Originally copied from CheckBufferAccess and CheckLocation.
840  SValBuilder &svalBuilder = C.getSValBuilder();
841  ASTContext &Ctx = svalBuilder.getContext();
842  const LocationContext *LCtx = C.getLocationContext();
843 
844  QualType sizeTy = Size->getType();
845  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
846  SVal BufVal = state->getSVal(FirstBuf, LCtx);
847 
848  SVal LengthVal = state->getSVal(Size, LCtx);
849  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
850  if (!Length)
851  return true; // cf top comment.
852 
853  // Compute the offset of the last element to be accessed: size-1.
854  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
855  NonLoc LastOffset =
856  svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy)
857  .castAs<NonLoc>();
858 
859  // Check that the first buffer is sufficiently long.
860  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
861  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
862  if (!BufLoc)
863  return true; // cf top comment.
864 
865  SVal BufEnd =
866  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
867 
868  // Check for out of bound array element access.
869  const MemRegion *R = BufEnd.getAsRegion();
870  if (!R)
871  return true; // cf top comment.
872 
873  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
874  if (!ER)
875  return true; // cf top comment.
876 
877  // FIXME: Does this crash when a non-standard definition
878  // of a library function is encountered?
879  assert(ER->getValueType() == C.getASTContext().CharTy &&
880  "IsFirstBufInBound should only be called with char* ElementRegions");
881 
882  // Get the size of the array.
883  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
884  SVal Extent =
885  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
886  DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
887 
888  // Get the index of the accessed element.
890 
891  ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true);
892 
893  return static_cast<bool>(StInBound);
894 }
895 
896 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
897  ProgramStateRef state,
898  const Expr *E, SVal V,
899  bool IsSourceBuffer,
900  const Expr *Size) {
901  Optional<Loc> L = V.getAs<Loc>();
902  if (!L)
903  return state;
904 
905  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
906  // some assumptions about the value that CFRefCount can't. Even so, it should
907  // probably be refactored.
908  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
909  const MemRegion *R = MR->getRegion()->StripCasts();
910 
911  // Are we dealing with an ElementRegion? If so, we should be invalidating
912  // the super-region.
913  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
914  R = ER->getSuperRegion();
915  // FIXME: What about layers of ElementRegions?
916  }
917 
918  // Invalidate this region.
920 
921  bool CausesPointerEscape = false;
923  // Invalidate and escape only indirect regions accessible through the source
924  // buffer.
925  if (IsSourceBuffer) {
926  ITraits.setTrait(R->getBaseRegion(),
929  CausesPointerEscape = true;
930  } else {
931  const MemRegion::Kind& K = R->getKind();
932  if (K == MemRegion::FieldRegionKind)
933  if (Size && IsFirstBufInBound(C, state, E, Size)) {
934  // If destination buffer is a field region and access is in bound,
935  // do not invalidate its super region.
936  ITraits.setTrait(
937  R,
939  }
940  }
941 
942  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
943  CausesPointerEscape, nullptr, nullptr,
944  &ITraits);
945  }
946 
947  // If we have a non-region value by chance, just remove the binding.
948  // FIXME: is this necessary or correct? This handles the non-Region
949  // cases. Is it ever valid to store to these?
950  return state->killBinding(*L);
951 }
952 
953 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
954  const MemRegion *MR) {
955  const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR);
956 
957  switch (MR->getKind()) {
958  case MemRegion::FunctionCodeRegionKind: {
959  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
960  if (FD)
961  os << "the address of the function '" << *FD << '\'';
962  else
963  os << "the address of a function";
964  return true;
965  }
966  case MemRegion::BlockCodeRegionKind:
967  os << "block text";
968  return true;
969  case MemRegion::BlockDataRegionKind:
970  os << "a block";
971  return true;
972  case MemRegion::CXXThisRegionKind:
973  case MemRegion::CXXTempObjectRegionKind:
974  os << "a C++ temp object of type " << TVR->getValueType().getAsString();
975  return true;
976  case MemRegion::VarRegionKind:
977  os << "a variable of type" << TVR->getValueType().getAsString();
978  return true;
979  case MemRegion::FieldRegionKind:
980  os << "a field of type " << TVR->getValueType().getAsString();
981  return true;
982  case MemRegion::ObjCIvarRegionKind:
983  os << "an instance variable of type " << TVR->getValueType().getAsString();
984  return true;
985  default:
986  return false;
987  }
988 }
989 
990 //===----------------------------------------------------------------------===//
991 // evaluation of individual function calls.
992 //===----------------------------------------------------------------------===//
993 
994 void CStringChecker::evalCopyCommon(CheckerContext &C,
995  const CallExpr *CE,
996  ProgramStateRef state,
997  const Expr *Size, const Expr *Dest,
998  const Expr *Source, bool Restricted,
999  bool IsMempcpy) const {
1000  CurrentFunctionDescription = "memory copy function";
1001 
1002  // See if the size argument is zero.
1003  const LocationContext *LCtx = C.getLocationContext();
1004  SVal sizeVal = state->getSVal(Size, LCtx);
1005  QualType sizeTy = Size->getType();
1006 
1007  ProgramStateRef stateZeroSize, stateNonZeroSize;
1008  std::tie(stateZeroSize, stateNonZeroSize) =
1009  assumeZero(C, state, sizeVal, sizeTy);
1010 
1011  // Get the value of the Dest.
1012  SVal destVal = state->getSVal(Dest, LCtx);
1013 
1014  // If the size is zero, there won't be any actual memory access, so
1015  // just bind the return value to the destination buffer and return.
1016  if (stateZeroSize && !stateNonZeroSize) {
1017  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1018  C.addTransition(stateZeroSize);
1019  return;
1020  }
1021 
1022  // If the size can be nonzero, we have to check the other arguments.
1023  if (stateNonZeroSize) {
1024  state = stateNonZeroSize;
1025 
1026  // Ensure the destination is not null. If it is NULL there will be a
1027  // NULL pointer dereference.
1028  state = checkNonNull(C, state, Dest, destVal);
1029  if (!state)
1030  return;
1031 
1032  // Get the value of the Src.
1033  SVal srcVal = state->getSVal(Source, LCtx);
1034 
1035  // Ensure the source is not null. If it is NULL there will be a
1036  // NULL pointer dereference.
1037  state = checkNonNull(C, state, Source, srcVal);
1038  if (!state)
1039  return;
1040 
1041  // Ensure the accesses are valid and that the buffers do not overlap.
1042  const char * const writeWarning =
1043  "Memory copy function overflows destination buffer";
1044  state = CheckBufferAccess(C, state, Size, Dest, Source,
1045  writeWarning, /* sourceWarning = */ nullptr);
1046  if (Restricted)
1047  state = CheckOverlap(C, state, Size, Dest, Source);
1048 
1049  if (!state)
1050  return;
1051 
1052  // If this is mempcpy, get the byte after the last byte copied and
1053  // bind the expr.
1054  if (IsMempcpy) {
1055  // Get the byte after the last byte copied.
1056  SValBuilder &SvalBuilder = C.getSValBuilder();
1057  ASTContext &Ctx = SvalBuilder.getContext();
1058  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1059  SVal DestRegCharVal =
1060  SvalBuilder.evalCast(destVal, CharPtrTy, Dest->getType());
1061  SVal lastElement = C.getSValBuilder().evalBinOp(
1062  state, BO_Add, DestRegCharVal, sizeVal, Dest->getType());
1063  // If we don't know how much we copied, we can at least
1064  // conjure a return value for later.
1065  if (lastElement.isUnknown())
1066  lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1067  C.blockCount());
1068 
1069  // The byte after the last byte copied is the return value.
1070  state = state->BindExpr(CE, LCtx, lastElement);
1071  } else {
1072  // All other copies return the destination buffer.
1073  // (Well, bcopy() has a void return type, but this won't hurt.)
1074  state = state->BindExpr(CE, LCtx, destVal);
1075  }
1076 
1077  // Invalidate the destination (regular invalidation without pointer-escaping
1078  // the address of the top-level region).
1079  // FIXME: Even if we can't perfectly model the copy, we should see if we
1080  // can use LazyCompoundVals to copy the source values into the destination.
1081  // This would probably remove any existing bindings past the end of the
1082  // copied region, but that's still an improvement over blank invalidation.
1083  state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest),
1084  /*IsSourceBuffer*/false, Size);
1085 
1086  // Invalidate the source (const-invalidation without const-pointer-escaping
1087  // the address of the top-level region).
1088  state = InvalidateBuffer(C, state, Source, C.getSVal(Source),
1089  /*IsSourceBuffer*/true, nullptr);
1090 
1091  C.addTransition(state);
1092  }
1093 }
1094 
1095 
1096 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1097  if (CE->getNumArgs() < 3)
1098  return;
1099 
1100  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1101  // The return value is the address of the destination buffer.
1102  const Expr *Dest = CE->getArg(0);
1103  ProgramStateRef state = C.getState();
1104 
1105  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true);
1106 }
1107 
1108 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1109  if (CE->getNumArgs() < 3)
1110  return;
1111 
1112  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1113  // The return value is a pointer to the byte following the last written byte.
1114  const Expr *Dest = CE->getArg(0);
1115  ProgramStateRef state = C.getState();
1116 
1117  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
1118 }
1119 
1120 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1121  if (CE->getNumArgs() < 3)
1122  return;
1123 
1124  // void *memmove(void *dst, const void *src, size_t n);
1125  // The return value is the address of the destination buffer.
1126  const Expr *Dest = CE->getArg(0);
1127  ProgramStateRef state = C.getState();
1128 
1129  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
1130 }
1131 
1132 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1133  if (CE->getNumArgs() < 3)
1134  return;
1135 
1136  // void bcopy(const void *src, void *dst, size_t n);
1137  evalCopyCommon(C, CE, C.getState(),
1138  CE->getArg(2), CE->getArg(1), CE->getArg(0));
1139 }
1140 
1141 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1142  if (CE->getNumArgs() < 3)
1143  return;
1144 
1145  // int memcmp(const void *s1, const void *s2, size_t n);
1146  CurrentFunctionDescription = "memory comparison function";
1147 
1148  const Expr *Left = CE->getArg(0);
1149  const Expr *Right = CE->getArg(1);
1150  const Expr *Size = CE->getArg(2);
1151 
1152  ProgramStateRef state = C.getState();
1153  SValBuilder &svalBuilder = C.getSValBuilder();
1154 
1155  // See if the size argument is zero.
1156  const LocationContext *LCtx = C.getLocationContext();
1157  SVal sizeVal = state->getSVal(Size, LCtx);
1158  QualType sizeTy = Size->getType();
1159 
1160  ProgramStateRef stateZeroSize, stateNonZeroSize;
1161  std::tie(stateZeroSize, stateNonZeroSize) =
1162  assumeZero(C, state, sizeVal, sizeTy);
1163 
1164  // If the size can be zero, the result will be 0 in that case, and we don't
1165  // have to check either of the buffers.
1166  if (stateZeroSize) {
1167  state = stateZeroSize;
1168  state = state->BindExpr(CE, LCtx,
1169  svalBuilder.makeZeroVal(CE->getType()));
1170  C.addTransition(state);
1171  }
1172 
1173  // If the size can be nonzero, we have to check the other arguments.
1174  if (stateNonZeroSize) {
1175  state = stateNonZeroSize;
1176  // If we know the two buffers are the same, we know the result is 0.
1177  // First, get the two buffers' addresses. Another checker will have already
1178  // made sure they're not undefined.
1180  state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>();
1182  state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>();
1183 
1184  // See if they are the same.
1185  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1186  ProgramStateRef StSameBuf, StNotSameBuf;
1187  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1188 
1189  // If the two arguments might be the same buffer, we know the result is 0,
1190  // and we only need to check one size.
1191  if (StSameBuf) {
1192  state = StSameBuf;
1193  state = CheckBufferAccess(C, state, Size, Left);
1194  if (state) {
1195  state = StSameBuf->BindExpr(CE, LCtx,
1196  svalBuilder.makeZeroVal(CE->getType()));
1197  C.addTransition(state);
1198  }
1199  }
1200 
1201  // If the two arguments might be different buffers, we have to check the
1202  // size of both of them.
1203  if (StNotSameBuf) {
1204  state = StNotSameBuf;
1205  state = CheckBufferAccess(C, state, Size, Left, Right);
1206  if (state) {
1207  // The return value is the comparison result, which we don't know.
1208  SVal CmpV = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1209  C.blockCount());
1210  state = state->BindExpr(CE, LCtx, CmpV);
1211  C.addTransition(state);
1212  }
1213  }
1214  }
1215 }
1216 
1217 void CStringChecker::evalstrLength(CheckerContext &C,
1218  const CallExpr *CE) const {
1219  if (CE->getNumArgs() < 1)
1220  return;
1221 
1222  // size_t strlen(const char *s);
1223  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1224 }
1225 
1226 void CStringChecker::evalstrnLength(CheckerContext &C,
1227  const CallExpr *CE) const {
1228  if (CE->getNumArgs() < 2)
1229  return;
1230 
1231  // size_t strnlen(const char *s, size_t maxlen);
1232  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1233 }
1234 
1235 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1236  bool IsStrnlen) const {
1237  CurrentFunctionDescription = "string length function";
1238  ProgramStateRef state = C.getState();
1239  const LocationContext *LCtx = C.getLocationContext();
1240 
1241  if (IsStrnlen) {
1242  const Expr *maxlenExpr = CE->getArg(1);
1243  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1244 
1245  ProgramStateRef stateZeroSize, stateNonZeroSize;
1246  std::tie(stateZeroSize, stateNonZeroSize) =
1247  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1248 
1249  // If the size can be zero, the result will be 0 in that case, and we don't
1250  // have to check the string itself.
1251  if (stateZeroSize) {
1252  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1253  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1254  C.addTransition(stateZeroSize);
1255  }
1256 
1257  // If the size is GUARANTEED to be zero, we're done!
1258  if (!stateNonZeroSize)
1259  return;
1260 
1261  // Otherwise, record the assumption that the size is nonzero.
1262  state = stateNonZeroSize;
1263  }
1264 
1265  // Check that the string argument is non-null.
1266  const Expr *Arg = CE->getArg(0);
1267  SVal ArgVal = state->getSVal(Arg, LCtx);
1268 
1269  state = checkNonNull(C, state, Arg, ArgVal);
1270 
1271  if (!state)
1272  return;
1273 
1274  SVal strLength = getCStringLength(C, state, Arg, ArgVal);
1275 
1276  // If the argument isn't a valid C string, there's no valid state to
1277  // transition to.
1278  if (strLength.isUndef())
1279  return;
1280 
1281  DefinedOrUnknownSVal result = UnknownVal();
1282 
1283  // If the check is for strnlen() then bind the return value to no more than
1284  // the maxlen value.
1285  if (IsStrnlen) {
1287 
1288  // It's a little unfortunate to be getting this again,
1289  // but it's not that expensive...
1290  const Expr *maxlenExpr = CE->getArg(1);
1291  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1292 
1293  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1294  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1295 
1296  if (strLengthNL && maxlenValNL) {
1297  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1298 
1299  // Check if the strLength is greater than the maxlen.
1300  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1301  C.getSValBuilder()
1302  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1304 
1305  if (stateStringTooLong && !stateStringNotTooLong) {
1306  // If the string is longer than maxlen, return maxlen.
1307  result = *maxlenValNL;
1308  } else if (stateStringNotTooLong && !stateStringTooLong) {
1309  // If the string is shorter than maxlen, return its length.
1310  result = *strLengthNL;
1311  }
1312  }
1313 
1314  if (result.isUnknown()) {
1315  // If we don't have enough information for a comparison, there's
1316  // no guarantee the full string length will actually be returned.
1317  // All we know is the return value is the min of the string length
1318  // and the limit. This is better than nothing.
1319  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1320  C.blockCount());
1321  NonLoc resultNL = result.castAs<NonLoc>();
1322 
1323  if (strLengthNL) {
1324  state = state->assume(C.getSValBuilder().evalBinOpNN(
1325  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1326  .castAs<DefinedOrUnknownSVal>(), true);
1327  }
1328 
1329  if (maxlenValNL) {
1330  state = state->assume(C.getSValBuilder().evalBinOpNN(
1331  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1332  .castAs<DefinedOrUnknownSVal>(), true);
1333  }
1334  }
1335 
1336  } else {
1337  // This is a plain strlen(), not strnlen().
1338  result = strLength.castAs<DefinedOrUnknownSVal>();
1339 
1340  // If we don't know the length of the string, conjure a return
1341  // value, so it can be used in constraints, at least.
1342  if (result.isUnknown()) {
1343  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1344  C.blockCount());
1345  }
1346  }
1347 
1348  // Bind the return value.
1349  assert(!result.isUnknown() && "Should have conjured a value by now");
1350  state = state->BindExpr(CE, LCtx, result);
1351  C.addTransition(state);
1352 }
1353 
1354 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1355  if (CE->getNumArgs() < 2)
1356  return;
1357 
1358  // char *strcpy(char *restrict dst, const char *restrict src);
1359  evalStrcpyCommon(C, CE,
1360  /* returnEnd = */ false,
1361  /* isBounded = */ false,
1362  /* isAppending = */ false);
1363 }
1364 
1365 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1366  if (CE->getNumArgs() < 3)
1367  return;
1368 
1369  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1370  evalStrcpyCommon(C, CE,
1371  /* returnEnd = */ false,
1372  /* isBounded = */ true,
1373  /* isAppending = */ false);
1374 }
1375 
1376 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1377  if (CE->getNumArgs() < 2)
1378  return;
1379 
1380  // char *stpcpy(char *restrict dst, const char *restrict src);
1381  evalStrcpyCommon(C, CE,
1382  /* returnEnd = */ true,
1383  /* isBounded = */ false,
1384  /* isAppending = */ false);
1385 }
1386 
1387 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1388  if (CE->getNumArgs() < 2)
1389  return;
1390 
1391  //char *strcat(char *restrict s1, const char *restrict s2);
1392  evalStrcpyCommon(C, CE,
1393  /* returnEnd = */ false,
1394  /* isBounded = */ false,
1395  /* isAppending = */ true);
1396 }
1397 
1398 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1399  if (CE->getNumArgs() < 3)
1400  return;
1401 
1402  //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1403  evalStrcpyCommon(C, CE,
1404  /* returnEnd = */ false,
1405  /* isBounded = */ true,
1406  /* isAppending = */ true);
1407 }
1408 
1409 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1410  bool returnEnd, bool isBounded,
1411  bool isAppending) const {
1412  CurrentFunctionDescription = "string copy function";
1413  ProgramStateRef state = C.getState();
1414  const LocationContext *LCtx = C.getLocationContext();
1415 
1416  // Check that the destination is non-null.
1417  const Expr *Dst = CE->getArg(0);
1418  SVal DstVal = state->getSVal(Dst, LCtx);
1419 
1420  state = checkNonNull(C, state, Dst, DstVal);
1421  if (!state)
1422  return;
1423 
1424  // Check that the source is non-null.
1425  const Expr *srcExpr = CE->getArg(1);
1426  SVal srcVal = state->getSVal(srcExpr, LCtx);
1427  state = checkNonNull(C, state, srcExpr, srcVal);
1428  if (!state)
1429  return;
1430 
1431  // Get the string length of the source.
1432  SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
1433 
1434  // If the source isn't a valid C string, give up.
1435  if (strLength.isUndef())
1436  return;
1437 
1438  SValBuilder &svalBuilder = C.getSValBuilder();
1439  QualType cmpTy = svalBuilder.getConditionType();
1440  QualType sizeTy = svalBuilder.getContext().getSizeType();
1441 
1442  // These two values allow checking two kinds of errors:
1443  // - actual overflows caused by a source that doesn't fit in the destination
1444  // - potential overflows caused by a bound that could exceed the destination
1445  SVal amountCopied = UnknownVal();
1446  SVal maxLastElementIndex = UnknownVal();
1447  const char *boundWarning = nullptr;
1448 
1449  // If the function is strncpy, strncat, etc... it is bounded.
1450  if (isBounded) {
1451  // Get the max number of characters to copy.
1452  const Expr *lenExpr = CE->getArg(2);
1453  SVal lenVal = state->getSVal(lenExpr, LCtx);
1454 
1455  // Protect against misdeclared strncpy().
1456  lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
1457 
1458  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1459  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1460 
1461  // If we know both values, we might be able to figure out how much
1462  // we're copying.
1463  if (strLengthNL && lenValNL) {
1464  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1465 
1466  // Check if the max number to copy is less than the length of the src.
1467  // If the bound is equal to the source length, strncpy won't null-
1468  // terminate the result!
1469  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1470  svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1472 
1473  if (stateSourceTooLong && !stateSourceNotTooLong) {
1474  // Max number to copy is less than the length of the src, so the actual
1475  // strLength copied is the max number arg.
1476  state = stateSourceTooLong;
1477  amountCopied = lenVal;
1478 
1479  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1480  // The source buffer entirely fits in the bound.
1481  state = stateSourceNotTooLong;
1482  amountCopied = strLength;
1483  }
1484  }
1485 
1486  // We still want to know if the bound is known to be too large.
1487  if (lenValNL) {
1488  if (isAppending) {
1489  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1490 
1491  // Get the string length of the destination. If the destination is
1492  // memory that can't have a string length, we shouldn't be copying
1493  // into it anyway.
1494  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1495  if (dstStrLength.isUndef())
1496  return;
1497 
1498  if (Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>()) {
1499  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add,
1500  *lenValNL,
1501  *dstStrLengthNL,
1502  sizeTy);
1503  boundWarning = "Size argument is greater than the free space in the "
1504  "destination buffer";
1505  }
1506 
1507  } else {
1508  // For strncpy, this is just checking that lenVal <= sizeof(dst)
1509  // (Yes, strncpy and strncat differ in how they treat termination.
1510  // strncat ALWAYS terminates, but strncpy doesn't.)
1511 
1512  // We need a special case for when the copy size is zero, in which
1513  // case strncpy will do no work at all. Our bounds check uses n-1
1514  // as the last element accessed, so n == 0 is problematic.
1515  ProgramStateRef StateZeroSize, StateNonZeroSize;
1516  std::tie(StateZeroSize, StateNonZeroSize) =
1517  assumeZero(C, state, *lenValNL, sizeTy);
1518 
1519  // If the size is known to be zero, we're done.
1520  if (StateZeroSize && !StateNonZeroSize) {
1521  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1522  C.addTransition(StateZeroSize);
1523  return;
1524  }
1525 
1526  // Otherwise, go ahead and figure out the last element we'll touch.
1527  // We don't record the non-zero assumption here because we can't
1528  // be sure. We won't warn on a possible zero.
1529  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1530  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1531  one, sizeTy);
1532  boundWarning = "Size argument is greater than the length of the "
1533  "destination buffer";
1534  }
1535  }
1536 
1537  // If we couldn't pin down the copy length, at least bound it.
1538  // FIXME: We should actually run this code path for append as well, but
1539  // right now it creates problems with constraints (since we can end up
1540  // trying to pass constraints from symbol to symbol).
1541  if (amountCopied.isUnknown() && !isAppending) {
1542  // Try to get a "hypothetical" string length symbol, which we can later
1543  // set as a real value if that turns out to be the case.
1544  amountCopied = getCStringLength(C, state, lenExpr, srcVal, true);
1545  assert(!amountCopied.isUndef());
1546 
1547  if (Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>()) {
1548  if (lenValNL) {
1549  // amountCopied <= lenVal
1550  SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE,
1551  *amountCopiedNL,
1552  *lenValNL,
1553  cmpTy);
1554  state = state->assume(
1555  copiedLessThanBound.castAs<DefinedOrUnknownSVal>(), true);
1556  if (!state)
1557  return;
1558  }
1559 
1560  if (strLengthNL) {
1561  // amountCopied <= strlen(source)
1562  SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE,
1563  *amountCopiedNL,
1564  *strLengthNL,
1565  cmpTy);
1566  state = state->assume(
1567  copiedLessThanSrc.castAs<DefinedOrUnknownSVal>(), true);
1568  if (!state)
1569  return;
1570  }
1571  }
1572  }
1573 
1574  } else {
1575  // The function isn't bounded. The amount copied should match the length
1576  // of the source buffer.
1577  amountCopied = strLength;
1578  }
1579 
1580  assert(state);
1581 
1582  // This represents the number of characters copied into the destination
1583  // buffer. (It may not actually be the strlen if the destination buffer
1584  // is not terminated.)
1585  SVal finalStrLength = UnknownVal();
1586 
1587  // If this is an appending function (strcat, strncat...) then set the
1588  // string length to strlen(src) + strlen(dst) since the buffer will
1589  // ultimately contain both.
1590  if (isAppending) {
1591  // Get the string length of the destination. If the destination is memory
1592  // that can't have a string length, we shouldn't be copying into it anyway.
1593  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1594  if (dstStrLength.isUndef())
1595  return;
1596 
1597  Optional<NonLoc> srcStrLengthNL = amountCopied.getAs<NonLoc>();
1598  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1599 
1600  // If we know both string lengths, we might know the final string length.
1601  if (srcStrLengthNL && dstStrLengthNL) {
1602  // Make sure the two lengths together don't overflow a size_t.
1603  state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL);
1604  if (!state)
1605  return;
1606 
1607  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL,
1608  *dstStrLengthNL, sizeTy);
1609  }
1610 
1611  // If we couldn't get a single value for the final string length,
1612  // we can at least bound it by the individual lengths.
1613  if (finalStrLength.isUnknown()) {
1614  // Try to get a "hypothetical" string length symbol, which we can later
1615  // set as a real value if that turns out to be the case.
1616  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1617  assert(!finalStrLength.isUndef());
1618 
1619  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1620  if (srcStrLengthNL) {
1621  // finalStrLength >= srcStrLength
1622  SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1623  *finalStrLengthNL,
1624  *srcStrLengthNL,
1625  cmpTy);
1626  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1627  true);
1628  if (!state)
1629  return;
1630  }
1631 
1632  if (dstStrLengthNL) {
1633  // finalStrLength >= dstStrLength
1634  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1635  *finalStrLengthNL,
1636  *dstStrLengthNL,
1637  cmpTy);
1638  state =
1639  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1640  if (!state)
1641  return;
1642  }
1643  }
1644  }
1645 
1646  } else {
1647  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1648  // the final string length will match the input string length.
1649  finalStrLength = amountCopied;
1650  }
1651 
1652  // The final result of the function will either be a pointer past the last
1653  // copied element, or a pointer to the start of the destination buffer.
1654  SVal Result = (returnEnd ? UnknownVal() : DstVal);
1655 
1656  assert(state);
1657 
1658  // If the destination is a MemRegion, try to check for a buffer overflow and
1659  // record the new string length.
1660  if (Optional<loc::MemRegionVal> dstRegVal =
1661  DstVal.getAs<loc::MemRegionVal>()) {
1662  QualType ptrTy = Dst->getType();
1663 
1664  // If we have an exact value on a bounded copy, use that to check for
1665  // overflows, rather than our estimate about how much is actually copied.
1666  if (boundWarning) {
1667  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1668  SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1669  *maxLastNL, ptrTy);
1670  state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
1671  boundWarning);
1672  if (!state)
1673  return;
1674  }
1675  }
1676 
1677  // Then, if the final length is known...
1678  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1679  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1680  *knownStrLength, ptrTy);
1681 
1682  // ...and we haven't checked the bound, we'll check the actual copy.
1683  if (!boundWarning) {
1684  const char * const warningMsg =
1685  "String copy function overflows destination buffer";
1686  state = CheckLocation(C, state, Dst, lastElement, warningMsg);
1687  if (!state)
1688  return;
1689  }
1690 
1691  // If this is a stpcpy-style copy, the last element is the return value.
1692  if (returnEnd)
1693  Result = lastElement;
1694  }
1695 
1696  // Invalidate the destination (regular invalidation without pointer-escaping
1697  // the address of the top-level region). This must happen before we set the
1698  // C string length because invalidation will clear the length.
1699  // FIXME: Even if we can't perfectly model the copy, we should see if we
1700  // can use LazyCompoundVals to copy the source values into the destination.
1701  // This would probably remove any existing bindings past the end of the
1702  // string, but that's still an improvement over blank invalidation.
1703  state = InvalidateBuffer(C, state, Dst, *dstRegVal,
1704  /*IsSourceBuffer*/false, nullptr);
1705 
1706  // Invalidate the source (const-invalidation without const-pointer-escaping
1707  // the address of the top-level region).
1708  state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
1709  nullptr);
1710 
1711  // Set the C string length of the destination, if we know it.
1712  if (isBounded && !isAppending) {
1713  // strncpy is annoying in that it doesn't guarantee to null-terminate
1714  // the result string. If the original string didn't fit entirely inside
1715  // the bound (including the null-terminator), we don't know how long the
1716  // result is.
1717  if (amountCopied != strLength)
1718  finalStrLength = UnknownVal();
1719  }
1720  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1721  }
1722 
1723  assert(state);
1724 
1725  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1726  // overflow, we still need a result. Conjure a return value.
1727  if (returnEnd && Result.isUnknown()) {
1728  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1729  }
1730 
1731  // Set the return value.
1732  state = state->BindExpr(CE, LCtx, Result);
1733  C.addTransition(state);
1734 }
1735 
1736 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1737  if (CE->getNumArgs() < 2)
1738  return;
1739 
1740  //int strcmp(const char *s1, const char *s2);
1741  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false);
1742 }
1743 
1744 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1745  if (CE->getNumArgs() < 3)
1746  return;
1747 
1748  //int strncmp(const char *s1, const char *s2, size_t n);
1749  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false);
1750 }
1751 
1752 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1753  const CallExpr *CE) const {
1754  if (CE->getNumArgs() < 2)
1755  return;
1756 
1757  //int strcasecmp(const char *s1, const char *s2);
1758  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true);
1759 }
1760 
1761 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1762  const CallExpr *CE) const {
1763  if (CE->getNumArgs() < 3)
1764  return;
1765 
1766  //int strncasecmp(const char *s1, const char *s2, size_t n);
1767  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true);
1768 }
1769 
1770 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1771  bool isBounded, bool ignoreCase) const {
1772  CurrentFunctionDescription = "string comparison function";
1773  ProgramStateRef state = C.getState();
1774  const LocationContext *LCtx = C.getLocationContext();
1775 
1776  // Check that the first string is non-null
1777  const Expr *s1 = CE->getArg(0);
1778  SVal s1Val = state->getSVal(s1, LCtx);
1779  state = checkNonNull(C, state, s1, s1Val);
1780  if (!state)
1781  return;
1782 
1783  // Check that the second string is non-null.
1784  const Expr *s2 = CE->getArg(1);
1785  SVal s2Val = state->getSVal(s2, LCtx);
1786  state = checkNonNull(C, state, s2, s2Val);
1787  if (!state)
1788  return;
1789 
1790  // Get the string length of the first string or give up.
1791  SVal s1Length = getCStringLength(C, state, s1, s1Val);
1792  if (s1Length.isUndef())
1793  return;
1794 
1795  // Get the string length of the second string or give up.
1796  SVal s2Length = getCStringLength(C, state, s2, s2Val);
1797  if (s2Length.isUndef())
1798  return;
1799 
1800  // If we know the two buffers are the same, we know the result is 0.
1801  // First, get the two buffers' addresses. Another checker will have already
1802  // made sure they're not undefined.
1805 
1806  // See if they are the same.
1807  SValBuilder &svalBuilder = C.getSValBuilder();
1808  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1809  ProgramStateRef StSameBuf, StNotSameBuf;
1810  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1811 
1812  // If the two arguments might be the same buffer, we know the result is 0,
1813  // and we only need to check one size.
1814  if (StSameBuf) {
1815  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
1816  svalBuilder.makeZeroVal(CE->getType()));
1817  C.addTransition(StSameBuf);
1818 
1819  // If the two arguments are GUARANTEED to be the same, we're done!
1820  if (!StNotSameBuf)
1821  return;
1822  }
1823 
1824  assert(StNotSameBuf);
1825  state = StNotSameBuf;
1826 
1827  // At this point we can go about comparing the two buffers.
1828  // For now, we only do this if they're both known string literals.
1829 
1830  // Attempt to extract string literals from both expressions.
1831  const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val);
1832  const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val);
1833  bool canComputeResult = false;
1834  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1835  C.blockCount());
1836 
1837  if (s1StrLiteral && s2StrLiteral) {
1838  StringRef s1StrRef = s1StrLiteral->getString();
1839  StringRef s2StrRef = s2StrLiteral->getString();
1840 
1841  if (isBounded) {
1842  // Get the max number of characters to compare.
1843  const Expr *lenExpr = CE->getArg(2);
1844  SVal lenVal = state->getSVal(lenExpr, LCtx);
1845 
1846  // If the length is known, we can get the right substrings.
1847  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
1848  // Create substrings of each to compare the prefix.
1849  s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
1850  s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue());
1851  canComputeResult = true;
1852  }
1853  } else {
1854  // This is a normal, unbounded strcmp.
1855  canComputeResult = true;
1856  }
1857 
1858  if (canComputeResult) {
1859  // Real strcmp stops at null characters.
1860  size_t s1Term = s1StrRef.find('\0');
1861  if (s1Term != StringRef::npos)
1862  s1StrRef = s1StrRef.substr(0, s1Term);
1863 
1864  size_t s2Term = s2StrRef.find('\0');
1865  if (s2Term != StringRef::npos)
1866  s2StrRef = s2StrRef.substr(0, s2Term);
1867 
1868  // Use StringRef's comparison methods to compute the actual result.
1869  int compareRes = ignoreCase ? s1StrRef.compare_lower(s2StrRef)
1870  : s1StrRef.compare(s2StrRef);
1871 
1872  // The strcmp function returns an integer greater than, equal to, or less
1873  // than zero, [c11, p7.24.4.2].
1874  if (compareRes == 0) {
1875  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
1876  }
1877  else {
1878  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
1879  // Constrain strcmp's result range based on the result of StringRef's
1880  // comparison methods.
1881  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
1882  SVal compareWithZero =
1883  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
1884  svalBuilder.getConditionType());
1885  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
1886  state = state->assume(compareWithZeroVal, true);
1887  }
1888  }
1889  }
1890 
1891  state = state->BindExpr(CE, LCtx, resultVal);
1892 
1893  // Record this as a possible path.
1894  C.addTransition(state);
1895 }
1896 
1897 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
1898  //char *strsep(char **stringp, const char *delim);
1899  if (CE->getNumArgs() < 2)
1900  return;
1901 
1902  // Sanity: does the search string parameter match the return type?
1903  const Expr *SearchStrPtr = CE->getArg(0);
1904  QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType();
1905  if (CharPtrTy.isNull() ||
1906  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
1907  return;
1908 
1909  CurrentFunctionDescription = "strsep()";
1911  const LocationContext *LCtx = C.getLocationContext();
1912 
1913  // Check that the search string pointer is non-null (though it may point to
1914  // a null string).
1915  SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx);
1916  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
1917  if (!State)
1918  return;
1919 
1920  // Check that the delimiter string is non-null.
1921  const Expr *DelimStr = CE->getArg(1);
1922  SVal DelimStrVal = State->getSVal(DelimStr, LCtx);
1923  State = checkNonNull(C, State, DelimStr, DelimStrVal);
1924  if (!State)
1925  return;
1926 
1927  SValBuilder &SVB = C.getSValBuilder();
1928  SVal Result;
1929  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
1930  // Get the current value of the search string pointer, as a char*.
1931  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
1932 
1933  // Invalidate the search string, representing the change of one delimiter
1934  // character to NUL.
1935  State = InvalidateBuffer(C, State, SearchStrPtr, Result,
1936  /*IsSourceBuffer*/false, nullptr);
1937 
1938  // Overwrite the search string pointer. The new value is either an address
1939  // further along in the same string, or NULL if there are no more tokens.
1940  State = State->bindLoc(*SearchStrLoc,
1941  SVB.conjureSymbolVal(getTag(),
1942  CE,
1943  LCtx,
1944  CharPtrTy,
1945  C.blockCount()),
1946  LCtx);
1947  } else {
1948  assert(SearchStrVal.isUnknown());
1949  // Conjure a symbolic value. It's the best we can do.
1950  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1951  }
1952 
1953  // Set the return value, and finish.
1954  State = State->BindExpr(CE, LCtx, Result);
1955  C.addTransition(State);
1956 }
1957 
1958 // These should probably be moved into a C++ standard library checker.
1959 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
1960  evalStdCopyCommon(C, CE);
1961 }
1962 
1963 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
1964  const CallExpr *CE) const {
1965  evalStdCopyCommon(C, CE);
1966 }
1967 
1968 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
1969  const CallExpr *CE) const {
1970  if (CE->getNumArgs() < 3)
1971  return;
1972 
1973  ProgramStateRef State = C.getState();
1974 
1975  const LocationContext *LCtx = C.getLocationContext();
1976 
1977  // template <class _InputIterator, class _OutputIterator>
1978  // _OutputIterator
1979  // copy(_InputIterator __first, _InputIterator __last,
1980  // _OutputIterator __result)
1981 
1982  // Invalidate the destination buffer
1983  const Expr *Dst = CE->getArg(2);
1984  SVal DstVal = State->getSVal(Dst, LCtx);
1985  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
1986  /*Size=*/nullptr);
1987 
1988  SValBuilder &SVB = C.getSValBuilder();
1989 
1990  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1991  State = State->BindExpr(CE, LCtx, ResultVal);
1992 
1993  C.addTransition(State);
1994 }
1995 
1996 void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
1997  if (CE->getNumArgs() != 3)
1998  return;
1999 
2000  CurrentFunctionDescription = "memory set function";
2001 
2002  const Expr *Mem = CE->getArg(0);
2003  const Expr *Size = CE->getArg(2);
2004  ProgramStateRef State = C.getState();
2005 
2006  // See if the size argument is zero.
2007  const LocationContext *LCtx = C.getLocationContext();
2008  SVal SizeVal = State->getSVal(Size, LCtx);
2009  QualType SizeTy = Size->getType();
2010 
2011  ProgramStateRef StateZeroSize, StateNonZeroSize;
2012  std::tie(StateZeroSize, StateNonZeroSize) =
2013  assumeZero(C, State, SizeVal, SizeTy);
2014 
2015  // Get the value of the memory area.
2016  SVal MemVal = State->getSVal(Mem, LCtx);
2017 
2018  // If the size is zero, there won't be any actual memory access, so
2019  // just bind the return value to the Mem buffer and return.
2020  if (StateZeroSize && !StateNonZeroSize) {
2021  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, MemVal);
2022  C.addTransition(StateZeroSize);
2023  return;
2024  }
2025 
2026  // Ensure the memory area is not null.
2027  // If it is NULL there will be a NULL pointer dereference.
2028  State = checkNonNull(C, StateNonZeroSize, Mem, MemVal);
2029  if (!State)
2030  return;
2031 
2032  State = CheckBufferAccess(C, State, Size, Mem);
2033  if (!State)
2034  return;
2035  State = InvalidateBuffer(C, State, Mem, C.getSVal(Mem),
2036  /*IsSourceBuffer*/false, Size);
2037  if (!State)
2038  return;
2039 
2040  State = State->BindExpr(CE, LCtx, MemVal);
2041  C.addTransition(State);
2042 }
2043 
2044 static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name) {
2045  IdentifierInfo *II = FD->getIdentifier();
2046  if (!II)
2047  return false;
2048 
2050  return false;
2051 
2052  if (II->getName().equals(Name))
2053  return true;
2054 
2055  return false;
2056 }
2057 //===----------------------------------------------------------------------===//
2058 // The driver method, and other Checker callbacks.
2059 //===----------------------------------------------------------------------===//
2060 
2061 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
2062  const FunctionDecl *FDecl = C.getCalleeDecl(CE);
2063 
2064  if (!FDecl)
2065  return false;
2066 
2067  // FIXME: Poorly-factored string switches are slow.
2068  FnCheck evalFunction = nullptr;
2069  if (C.isCLibraryFunction(FDecl, "memcpy"))
2070  evalFunction = &CStringChecker::evalMemcpy;
2071  else if (C.isCLibraryFunction(FDecl, "mempcpy"))
2072  evalFunction = &CStringChecker::evalMempcpy;
2073  else if (C.isCLibraryFunction(FDecl, "memcmp"))
2074  evalFunction = &CStringChecker::evalMemcmp;
2075  else if (C.isCLibraryFunction(FDecl, "memmove"))
2076  evalFunction = &CStringChecker::evalMemmove;
2077  else if (C.isCLibraryFunction(FDecl, "memset"))
2078  evalFunction = &CStringChecker::evalMemset;
2079  else if (C.isCLibraryFunction(FDecl, "strcpy"))
2080  evalFunction = &CStringChecker::evalStrcpy;
2081  else if (C.isCLibraryFunction(FDecl, "strncpy"))
2082  evalFunction = &CStringChecker::evalStrncpy;
2083  else if (C.isCLibraryFunction(FDecl, "stpcpy"))
2084  evalFunction = &CStringChecker::evalStpcpy;
2085  else if (C.isCLibraryFunction(FDecl, "strcat"))
2086  evalFunction = &CStringChecker::evalStrcat;
2087  else if (C.isCLibraryFunction(FDecl, "strncat"))
2088  evalFunction = &CStringChecker::evalStrncat;
2089  else if (C.isCLibraryFunction(FDecl, "strlen"))
2090  evalFunction = &CStringChecker::evalstrLength;
2091  else if (C.isCLibraryFunction(FDecl, "strnlen"))
2092  evalFunction = &CStringChecker::evalstrnLength;
2093  else if (C.isCLibraryFunction(FDecl, "strcmp"))
2094  evalFunction = &CStringChecker::evalStrcmp;
2095  else if (C.isCLibraryFunction(FDecl, "strncmp"))
2096  evalFunction = &CStringChecker::evalStrncmp;
2097  else if (C.isCLibraryFunction(FDecl, "strcasecmp"))
2098  evalFunction = &CStringChecker::evalStrcasecmp;
2099  else if (C.isCLibraryFunction(FDecl, "strncasecmp"))
2100  evalFunction = &CStringChecker::evalStrncasecmp;
2101  else if (C.isCLibraryFunction(FDecl, "strsep"))
2102  evalFunction = &CStringChecker::evalStrsep;
2103  else if (C.isCLibraryFunction(FDecl, "bcopy"))
2104  evalFunction = &CStringChecker::evalBcopy;
2105  else if (C.isCLibraryFunction(FDecl, "bcmp"))
2106  evalFunction = &CStringChecker::evalMemcmp;
2107  else if (isCPPStdLibraryFunction(FDecl, "copy"))
2108  evalFunction = &CStringChecker::evalStdCopy;
2109  else if (isCPPStdLibraryFunction(FDecl, "copy_backward"))
2110  evalFunction = &CStringChecker::evalStdCopyBackward;
2111 
2112  // If the callee isn't a string function, let another checker handle it.
2113  if (!evalFunction)
2114  return false;
2115 
2116  // Check and evaluate the call.
2117  (this->*evalFunction)(C, CE);
2118 
2119  // If the evaluate call resulted in no change, chain to the next eval call
2120  // handler.
2121  // Note, the custom CString evaluation calls assume that basic safety
2122  // properties are held. However, if the user chooses to turn off some of these
2123  // checks, we ignore the issues and leave the call evaluation to a generic
2124  // handler.
2125  return C.isDifferent();
2126 }
2127 
2128 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2129  // Record string length for char a[] = "abc";
2130  ProgramStateRef state = C.getState();
2131 
2132  for (const auto *I : DS->decls()) {
2133  const VarDecl *D = dyn_cast<VarDecl>(I);
2134  if (!D)
2135  continue;
2136 
2137  // FIXME: Handle array fields of structs.
2138  if (!D->getType()->isArrayType())
2139  continue;
2140 
2141  const Expr *Init = D->getInit();
2142  if (!Init)
2143  continue;
2144  if (!isa<StringLiteral>(Init))
2145  continue;
2146 
2147  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2148  const MemRegion *MR = VarLoc.getAsRegion();
2149  if (!MR)
2150  continue;
2151 
2152  SVal StrVal = state->getSVal(Init, C.getLocationContext());
2153  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2154  DefinedOrUnknownSVal strLength =
2155  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2156 
2157  state = state->set<CStringLength>(MR, strLength);
2158  }
2159 
2160  C.addTransition(state);
2161 }
2162 
2164 CStringChecker::checkRegionChanges(ProgramStateRef state,
2165  const InvalidatedSymbols *,
2166  ArrayRef<const MemRegion *> ExplicitRegions,
2168  const LocationContext *LCtx,
2169  const CallEvent *Call) const {
2170  CStringLengthTy Entries = state->get<CStringLength>();
2171  if (Entries.isEmpty())
2172  return state;
2173 
2174  llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
2175  llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
2176 
2177  // First build sets for the changed regions and their super-regions.
2179  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2180  const MemRegion *MR = *I;
2181  Invalidated.insert(MR);
2182 
2183  SuperRegions.insert(MR);
2184  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2185  MR = SR->getSuperRegion();
2186  SuperRegions.insert(MR);
2187  }
2188  }
2189 
2190  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2191 
2192  // Then loop over the entries in the current state.
2193  for (CStringLengthTy::iterator I = Entries.begin(),
2194  E = Entries.end(); I != E; ++I) {
2195  const MemRegion *MR = I.getKey();
2196 
2197  // Is this entry for a super-region of a changed region?
2198  if (SuperRegions.count(MR)) {
2199  Entries = F.remove(Entries, MR);
2200  continue;
2201  }
2202 
2203  // Is this entry for a sub-region of a changed region?
2204  const MemRegion *Super = MR;
2205  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2206  Super = SR->getSuperRegion();
2207  if (Invalidated.count(Super)) {
2208  Entries = F.remove(Entries, MR);
2209  break;
2210  }
2211  }
2212  }
2213 
2214  return state->set<CStringLength>(Entries);
2215 }
2216 
2217 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2218  SymbolReaper &SR) const {
2219  // Mark all symbols in our string length map as valid.
2220  CStringLengthTy Entries = state->get<CStringLength>();
2221 
2222  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2223  I != E; ++I) {
2224  SVal Len = I.getData();
2225 
2226  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2227  se = Len.symbol_end(); si != se; ++si)
2228  SR.markInUse(*si);
2229  }
2230 }
2231 
2232 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2233  CheckerContext &C) const {
2234  if (!SR.hasDeadSymbols())
2235  return;
2236 
2237  ProgramStateRef state = C.getState();
2238  CStringLengthTy Entries = state->get<CStringLength>();
2239  if (Entries.isEmpty())
2240  return;
2241 
2242  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2243  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2244  I != E; ++I) {
2245  SVal Len = I.getData();
2246  if (SymbolRef Sym = Len.getAsSymbol()) {
2247  if (SR.isDead(Sym))
2248  Entries = F.remove(Entries, I.getKey());
2249  }
2250  }
2251 
2252  state = state->set<CStringLength>(Entries);
2253  C.addTransition(state);
2254 }
2255 
2256 #define REGISTER_CHECKER(name) \
2257  void ento::register##name(CheckerManager &mgr) { \
2258  CStringChecker *checker = mgr.registerChecker<CStringChecker>(); \
2259  checker->Filter.Check##name = true; \
2260  checker->Filter.CheckName##name = mgr.getCurrentCheckName(); \
2261  }
2262 
2263 REGISTER_CHECKER(CStringNullArg)
2264 REGISTER_CHECKER(CStringOutOfBounds)
2265 REGISTER_CHECKER(CStringBufferOverlap)
2266 REGISTER_CHECKER(CStringNotNullTerm)
2267 
2269  registerCStringNullArg(Mgr);
2270 }
FunctionDecl - An instance of this class is created to represent a function declaration or definition...
Definition: Decl.h:1698
TypedValueRegion - An abstract class representing regions having a typed value.
Definition: MemRegion.h:511
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:254
A (possibly-)qualified type.
Definition: Type.h:653
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:79
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
bool isArrayType() const
Definition: Type.h:5993
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2278
Stmt - This represents one statement.
Definition: Stmt.h:66
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2266
Information about invalidation for a particular region/symbol.
Definition: MemRegion.h:1383
NonLoc getIndex() const
Definition: MemRegion.h:1085
A helper class which wraps a boolean value set to false by default.
Definition: Checker.h:551
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:456
ExplodedNode * addTransition(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generates a new transition in the program state graph (ExplodedGraph).
virtual QualType getValueType() const =0
SVal evalCast(SVal val, QualType castTy, QualType originalType)
Value representing integer constant.
Definition: SVals.h:353
VarDecl - An instance of this class is created to represent a variable declaration or definition...
Definition: Decl.h:807
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
void setTrait(SymbolRef Sym, InvalidationKinds IK)
Definition: MemRegion.cpp:1490
const FunctionDecl * getCalleeDecl(const CallExpr *CE) const
Get the declaration of the called function (path-sensitive).
bool isDead(SymbolRef sym) const
Returns whether or not a symbol has been confirmed dead.
ExplodedNode * getPredecessor()
Returns the previous node in the exploded graph, which includes the state of the program before the c...
SVal getSVal(const Stmt *S) const
Get the value of arbitrary expressions at this point in the path.
Symbolic value.
Definition: SymExpr.h:29
IdentifierInfo * getIdentifier() const
getIdentifier - Get the identifier that names this declaration, if there is one.
Definition: Decl.h:265
const MemRegion * getSuperRegion() const
Definition: MemRegion.h:430
void markInUse(SymbolRef sym)
Marks a symbol as important to a checker.
One of these records is kept for each identifier that is lexed.
virtual SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with a memory location and non-location opera...
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:149
LineState State
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
virtual DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const
getExtent - Returns the size of the region in bytes.
Definition: MemRegion.h:435
void registerCStringCheckerBasic(CheckerManager &Mgr)
Register the checker which evaluates CString API calls.
BinaryOperatorKind
static bool isInStdNamespace(const Decl *D)
Returns true if the root namespace of the given declaration is the &#39;std&#39; C++ namespace.
const LocationContext * getLocationContext() const
static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name)
bool isUnknown() const
Definition: SVals.h:125
std::string getAsString() const
Definition: Type.h:979
A record of the "type" of an APSInt, used for conversions.
Definition: APSIntType.h:20
const StringLiteral * getStringLiteral() const
Definition: MemRegion.h:795
SymExpr::symbol_iterator symbol_end() const
Definition: SVals.h:193
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:116
StringRef getString() const
Definition: Expr.h:1557
#define REGISTER_CHECKER(name)
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
DefinedOrUnknownSVal makeZeroVal(QualType type)
Construct an SVal representing &#39;0&#39; for the specified type.
Definition: SValBuilder.cpp:32
Expr - This represents one expression.
Definition: Expr.h:106
std::string Label
static bool isCLibraryFunction(const FunctionDecl *FD, StringRef Name=StringRef())
Returns true if the callee is an externally-visible function in the top-level namespace, such as malloc.
QualType getConditionType() const
Definition: SValBuilder.h:136
bool isValid() const
Definition: SVals.h:137
QualType getType() const
Definition: Expr.h:128
virtual SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, Loc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two memory location operands.
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
ExplodedNode * generateNonFatalErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:719
Optional< T > getAs() const
Convert to the specified SVal type, returning None if this SVal is not of the desired type...
Definition: SVals.h:100
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
const MemRegion * StripCasts(bool StripBaseCasts=true) const
Definition: MemRegion.cpp:1119
Kind getKind() const
Definition: MemRegion.h:148
DefinedOrUnknownSVal conjureSymbolVal(const void *symbolTag, const Expr *expr, const LocationContext *LCtx, unsigned count)
Create a new symbol with a unique &#39;name&#39;.
const MemRegion * getAsRegion() const
Definition: SVals.cpp:140
DeclStmt - Adaptor class for mixing declarations with statements and expressions. ...
Definition: Stmt.h:487
ASTContext & getContext()
Definition: SValBuilder.h:131
SVal - This represents a symbolic expression, which can be either an L-value or an R-value...
Definition: SVals.h:63
A class responsible for cleaning up unused symbols.
const llvm::APSInt * evalAPSInt(BinaryOperator::Opcode Op, const llvm::APSInt &V1, const llvm::APSInt &V2)
Tells that a region&#39;s contents is not changed.
Definition: MemRegion.h:1397
virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, NonLoc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two non- location operands.
unsigned blockCount() const
Returns the number of times the current block has been visited along the analyzed path...
StringRef getName() const
Return the actual identifier string.
CanQualType CharTy
Definition: ASTContext.h:998
llvm::APSInt getValue(uint64_t RawValue) const LLVM_READONLY
Definition: APSIntType.h:70
Dataflow Directional Tag Classes.
const Expr * getInit() const
Definition: Decl.h:1213
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:140
SVal convertToArrayIndex(SVal val)
Definition: SValBuilder.cpp:79
DefinedSVal getMetadataSymbolVal(const void *symbolTag, const MemRegion *region, const Expr *expr, QualType type, const LocationContext *LCtx, unsigned count)
unsigned getByteLength() const
Definition: Expr.h:1589
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:92
BasicValueFactory & getBasicValueFactory()
Definition: SValBuilder.h:144
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:419
const ProgramStateRef & getState() const
decl_range decls()
Definition: Stmt.h:534
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:5800
DefinedOrUnknownSVal evalEQ(ProgramStateRef state, DefinedOrUnknownSVal lhs, DefinedOrUnknownSVal rhs)
bool trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S, BugReport &R, bool IsArg=false, bool EnableNullFPSuppression=true)
Attempts to add visitors to trace a null or undefined value back to its point of origin, whether it is a symbol constrained to null or an explicit assignment.
QualType getValueType() const override
Definition: MemRegion.h:1087
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1093
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:265
SValBuilder & getSValBuilder()
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1509
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2209
const llvm::APSInt & getMaxValue(const llvm::APSInt &v)
bool isUndef() const
Definition: SVals.h:129
StringRegion - Region associated with a StringLiteral.
Definition: MemRegion.h:779
LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:174
ElementRegin is used to represent both array elements and casts.
Definition: MemRegion.h:1066
SymExpr::symbol_iterator symbol_begin() const
Definition: SVals.h:185
QualType getType() const
Definition: Decl.h:639
NamedDecl - This represents a decl with a name.
Definition: Decl.h:245
const LocationContext * getLocationContext() const
bool isDifferent()
Check if the checker changed the state of the execution; ex: added a new transition or a bug report...
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
Iterator over symbols that the current symbol depends on.
Definition: SymExpr.h:68