clang  8.0.0svn
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines CStringChecker, which is an assortment of checks on calls
11 // to functions in <string.h>.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "InterCheckerAPI.h"
17 #include "clang/Basic/CharInfo.h"
23 #include "llvm/ADT/STLExtras.h"
24 #include "llvm/ADT/SmallString.h"
25 #include "llvm/Support/raw_ostream.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 namespace {
31 class CStringChecker : public Checker< eval::Call,
32  check::PreStmt<DeclStmt>,
33  check::LiveSymbols,
34  check::DeadSymbols,
35  check::RegionChanges
36  > {
37  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
38  BT_NotCString, BT_AdditionOverflow;
39 
40  mutable const char *CurrentFunctionDescription;
41 
42 public:
43  /// The filter is used to filter out the diagnostics which are not enabled by
44  /// the user.
45  struct CStringChecksFilter {
46  DefaultBool CheckCStringNullArg;
47  DefaultBool CheckCStringOutOfBounds;
48  DefaultBool CheckCStringBufferOverlap;
49  DefaultBool CheckCStringNotNullTerm;
50 
51  CheckName CheckNameCStringNullArg;
52  CheckName CheckNameCStringOutOfBounds;
53  CheckName CheckNameCStringBufferOverlap;
54  CheckName CheckNameCStringNotNullTerm;
55  };
56 
57  CStringChecksFilter Filter;
58 
59  static void *getTag() { static int tag; return &tag; }
60 
61  bool evalCall(const CallExpr *CE, CheckerContext &C) const;
62  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
63  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
64  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
65 
67  checkRegionChanges(ProgramStateRef state,
68  const InvalidatedSymbols *,
69  ArrayRef<const MemRegion *> ExplicitRegions,
71  const LocationContext *LCtx,
72  const CallEvent *Call) const;
73 
74  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
75  const CallExpr *) const;
76 
77  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
78  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
79  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
80  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
81  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
83  const Expr *Size,
84  const Expr *Source,
85  const Expr *Dest,
86  bool Restricted = false,
87  bool IsMempcpy = false) const;
88 
89  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
90 
91  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
92  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
93  void evalstrLengthCommon(CheckerContext &C,
94  const CallExpr *CE,
95  bool IsStrnlen = false) const;
96 
97  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
98  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
99  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
100  void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const;
101  void evalStrcpyCommon(CheckerContext &C,
102  const CallExpr *CE,
103  bool returnEnd,
104  bool isBounded,
105  bool isAppending,
106  bool returnPtr = true) const;
107 
108  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
109  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
110  void evalStrlcat(CheckerContext &C, const CallExpr *CE) const;
111 
112  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
113  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
114  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
115  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
116  void evalStrcmpCommon(CheckerContext &C,
117  const CallExpr *CE,
118  bool isBounded = false,
119  bool ignoreCase = false) const;
120 
121  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
122 
123  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
124  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
125  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
126  void evalMemset(CheckerContext &C, const CallExpr *CE) const;
127 
128  // Utility methods
129  std::pair<ProgramStateRef , ProgramStateRef >
130  static assumeZero(CheckerContext &C,
132 
133  static ProgramStateRef setCStringLength(ProgramStateRef state,
134  const MemRegion *MR,
135  SVal strLength);
136  static SVal getCStringLengthForRegion(CheckerContext &C,
138  const Expr *Ex,
139  const MemRegion *MR,
140  bool hypothetical);
141  SVal getCStringLength(CheckerContext &C,
143  const Expr *Ex,
144  SVal Buf,
145  bool hypothetical = false) const;
146 
147  const StringLiteral *getCStringLiteral(CheckerContext &C,
149  const Expr *expr,
150  SVal val) const;
151 
152  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
154  const Expr *Ex, SVal V,
155  bool IsSourceBuffer,
156  const Expr *Size);
157 
158  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
159  const MemRegion *MR);
160 
161  static bool memsetAux(const Expr *DstBuffer, const Expr *CharE,
162  const Expr *Size, CheckerContext &C,
164 
165  // Re-usable checks
166  ProgramStateRef checkNonNull(CheckerContext &C,
168  const Expr *S,
169  SVal l) const;
170  ProgramStateRef CheckLocation(CheckerContext &C,
172  const Expr *S,
173  SVal l,
174  const char *message = nullptr) const;
175  ProgramStateRef CheckBufferAccess(CheckerContext &C,
177  const Expr *Size,
178  const Expr *FirstBuf,
179  const Expr *SecondBuf,
180  const char *firstMessage = nullptr,
181  const char *secondMessage = nullptr,
182  bool WarnAboutSize = false) const;
183 
184  ProgramStateRef CheckBufferAccess(CheckerContext &C,
186  const Expr *Size,
187  const Expr *Buf,
188  const char *message = nullptr,
189  bool WarnAboutSize = false) const {
190  // This is a convenience override.
191  return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
192  WarnAboutSize);
193  }
194  ProgramStateRef CheckOverlap(CheckerContext &C,
196  const Expr *Size,
197  const Expr *First,
198  const Expr *Second) const;
199  void emitOverlapBug(CheckerContext &C,
201  const Stmt *First,
202  const Stmt *Second) const;
203 
204  void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
205  StringRef WarningMsg) const;
206  void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
207  const Stmt *S, StringRef WarningMsg) const;
208  void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
209  const Stmt *S, StringRef WarningMsg) const;
210  void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
211 
212  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
214  NonLoc left,
215  NonLoc right) const;
216 
217  // Return true if the destination buffer of the copy function may be in bound.
218  // Expects SVal of Size to be positive and unsigned.
219  // Expects SVal of FirstBuf to be a FieldRegion.
220  static bool IsFirstBufInBound(CheckerContext &C,
222  const Expr *FirstBuf,
223  const Expr *Size);
224 };
225 
226 } //end anonymous namespace
227 
228 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
229 
230 //===----------------------------------------------------------------------===//
231 // Individual checks and utility methods.
232 //===----------------------------------------------------------------------===//
233 
234 std::pair<ProgramStateRef , ProgramStateRef >
235 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
236  QualType Ty) {
238  if (!val)
239  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
240 
241  SValBuilder &svalBuilder = C.getSValBuilder();
242  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
243  return state->assume(svalBuilder.evalEQ(state, *val, zero));
244 }
245 
246 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
247  ProgramStateRef state,
248  const Expr *S, SVal l) const {
249  // If a previous check has failed, propagate the failure.
250  if (!state)
251  return nullptr;
252 
253  ProgramStateRef stateNull, stateNonNull;
254  std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
255 
256  if (stateNull && !stateNonNull) {
257  if (Filter.CheckCStringNullArg) {
258  SmallString<80> buf;
259  llvm::raw_svector_ostream os(buf);
260  assert(CurrentFunctionDescription);
261  os << "Null pointer argument in call to " << CurrentFunctionDescription;
262 
263  emitNullArgBug(C, stateNull, S, os.str());
264  }
265  return nullptr;
266  }
267 
268  // From here on, assume that the value is non-null.
269  assert(stateNonNull);
270  return stateNonNull;
271 }
272 
273 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
274 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
275  ProgramStateRef state,
276  const Expr *S, SVal l,
277  const char *warningMsg) const {
278  // If a previous check has failed, propagate the failure.
279  if (!state)
280  return nullptr;
281 
282  // Check for out of bound array element access.
283  const MemRegion *R = l.getAsRegion();
284  if (!R)
285  return state;
286 
287  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
288  if (!ER)
289  return state;
290 
291  if (ER->getValueType() != C.getASTContext().CharTy)
292  return state;
293 
294  // Get the size of the array.
295  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
296  SValBuilder &svalBuilder = C.getSValBuilder();
297  SVal Extent =
298  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
300 
301  // Get the index of the accessed element.
303 
304  ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
305  ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
306  if (StOutBound && !StInBound) {
307  // These checks are either enabled by the CString out-of-bounds checker
308  // explicitly or implicitly by the Malloc checker.
309  // In the latter case we only do modeling but do not emit warning.
310  if (!Filter.CheckCStringOutOfBounds)
311  return nullptr;
312  // Emit a bug report.
313  if (warningMsg) {
314  emitOutOfBoundsBug(C, StOutBound, S, warningMsg);
315  } else {
316  assert(CurrentFunctionDescription);
317  assert(CurrentFunctionDescription[0] != '\0');
318 
319  SmallString<80> buf;
320  llvm::raw_svector_ostream os(buf);
321  os << toUppercase(CurrentFunctionDescription[0])
322  << &CurrentFunctionDescription[1]
323  << " accesses out-of-bound array element";
324  emitOutOfBoundsBug(C, StOutBound, S, os.str());
325  }
326  return nullptr;
327  }
328 
329  // Array bound check succeeded. From this point forward the array bound
330  // should always succeed.
331  return StInBound;
332 }
333 
334 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
335  ProgramStateRef state,
336  const Expr *Size,
337  const Expr *FirstBuf,
338  const Expr *SecondBuf,
339  const char *firstMessage,
340  const char *secondMessage,
341  bool WarnAboutSize) const {
342  // If a previous check has failed, propagate the failure.
343  if (!state)
344  return nullptr;
345 
346  SValBuilder &svalBuilder = C.getSValBuilder();
347  ASTContext &Ctx = svalBuilder.getContext();
348  const LocationContext *LCtx = C.getLocationContext();
349 
350  QualType sizeTy = Size->getType();
351  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
352 
353  // Check that the first buffer is non-null.
354  SVal BufVal = C.getSVal(FirstBuf);
355  state = checkNonNull(C, state, FirstBuf, BufVal);
356  if (!state)
357  return nullptr;
358 
359  // If out-of-bounds checking is turned off, skip the rest.
360  if (!Filter.CheckCStringOutOfBounds)
361  return state;
362 
363  // Get the access length and make sure it is known.
364  // FIXME: This assumes the caller has already checked that the access length
365  // is positive. And that it's unsigned.
366  SVal LengthVal = C.getSVal(Size);
367  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
368  if (!Length)
369  return state;
370 
371  // Compute the offset of the last element to be accessed: size-1.
372  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
373  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
374  if (Offset.isUnknown())
375  return nullptr;
376  NonLoc LastOffset = Offset.castAs<NonLoc>();
377 
378  // Check that the first buffer is sufficiently long.
379  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
380  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
381  const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
382 
383  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
384  LastOffset, PtrTy);
385  state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
386 
387  // If the buffer isn't large enough, abort.
388  if (!state)
389  return nullptr;
390  }
391 
392  // If there's a second buffer, check it as well.
393  if (SecondBuf) {
394  BufVal = state->getSVal(SecondBuf, LCtx);
395  state = checkNonNull(C, state, SecondBuf, BufVal);
396  if (!state)
397  return nullptr;
398 
399  BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
400  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
401  const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
402 
403  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
404  LastOffset, PtrTy);
405  state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
406  }
407  }
408 
409  // Large enough or not, return this state!
410  return state;
411 }
412 
413 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
414  ProgramStateRef state,
415  const Expr *Size,
416  const Expr *First,
417  const Expr *Second) const {
418  if (!Filter.CheckCStringBufferOverlap)
419  return state;
420 
421  // Do a simple check for overlap: if the two arguments are from the same
422  // buffer, see if the end of the first is greater than the start of the second
423  // or vice versa.
424 
425  // If a previous check has failed, propagate the failure.
426  if (!state)
427  return nullptr;
428 
429  ProgramStateRef stateTrue, stateFalse;
430 
431  // Get the buffer values and make sure they're known locations.
432  const LocationContext *LCtx = C.getLocationContext();
433  SVal firstVal = state->getSVal(First, LCtx);
434  SVal secondVal = state->getSVal(Second, LCtx);
435 
436  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
437  if (!firstLoc)
438  return state;
439 
440  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
441  if (!secondLoc)
442  return state;
443 
444  // Are the two values the same?
445  SValBuilder &svalBuilder = C.getSValBuilder();
446  std::tie(stateTrue, stateFalse) =
447  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
448 
449  if (stateTrue && !stateFalse) {
450  // If the values are known to be equal, that's automatically an overlap.
451  emitOverlapBug(C, stateTrue, First, Second);
452  return nullptr;
453  }
454 
455  // assume the two expressions are not equal.
456  assert(stateFalse);
457  state = stateFalse;
458 
459  // Which value comes first?
460  QualType cmpTy = svalBuilder.getConditionType();
461  SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT,
462  *firstLoc, *secondLoc, cmpTy);
463  Optional<DefinedOrUnknownSVal> reverseTest =
464  reverse.getAs<DefinedOrUnknownSVal>();
465  if (!reverseTest)
466  return state;
467 
468  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
469  if (stateTrue) {
470  if (stateFalse) {
471  // If we don't know which one comes first, we can't perform this test.
472  return state;
473  } else {
474  // Switch the values so that firstVal is before secondVal.
475  std::swap(firstLoc, secondLoc);
476 
477  // Switch the Exprs as well, so that they still correspond.
478  std::swap(First, Second);
479  }
480  }
481 
482  // Get the length, and make sure it too is known.
483  SVal LengthVal = state->getSVal(Size, LCtx);
484  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
485  if (!Length)
486  return state;
487 
488  // Convert the first buffer's start address to char*.
489  // Bail out if the cast fails.
490  ASTContext &Ctx = svalBuilder.getContext();
491  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
492  SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy,
493  First->getType());
494  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
495  if (!FirstStartLoc)
496  return state;
497 
498  // Compute the end of the first buffer. Bail out if THAT fails.
499  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add,
500  *FirstStartLoc, *Length, CharPtrTy);
501  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
502  if (!FirstEndLoc)
503  return state;
504 
505  // Is the end of the first buffer past the start of the second buffer?
506  SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT,
507  *FirstEndLoc, *secondLoc, cmpTy);
508  Optional<DefinedOrUnknownSVal> OverlapTest =
509  Overlap.getAs<DefinedOrUnknownSVal>();
510  if (!OverlapTest)
511  return state;
512 
513  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
514 
515  if (stateTrue && !stateFalse) {
516  // Overlap!
517  emitOverlapBug(C, stateTrue, First, Second);
518  return nullptr;
519  }
520 
521  // assume the two expressions don't overlap.
522  assert(stateFalse);
523  return stateFalse;
524 }
525 
526 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
527  const Stmt *First, const Stmt *Second) const {
528  ExplodedNode *N = C.generateErrorNode(state);
529  if (!N)
530  return;
531 
532  if (!BT_Overlap)
533  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
534  categories::UnixAPI, "Improper arguments"));
535 
536  // Generate a report for this bug.
537  auto report = llvm::make_unique<BugReport>(
538  *BT_Overlap, "Arguments must not be overlapping buffers", N);
539  report->addRange(First->getSourceRange());
540  report->addRange(Second->getSourceRange());
541 
542  C.emitReport(std::move(report));
543 }
544 
545 void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State,
546  const Stmt *S, StringRef WarningMsg) const {
547  if (ExplodedNode *N = C.generateErrorNode(State)) {
548  if (!BT_Null)
549  BT_Null.reset(new BuiltinBug(
550  Filter.CheckNameCStringNullArg, categories::UnixAPI,
551  "Null pointer argument in call to byte string function"));
552 
553  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Null.get());
554  auto Report = llvm::make_unique<BugReport>(*BT, WarningMsg, N);
555  Report->addRange(S->getSourceRange());
556  bugreporter::trackNullOrUndefValue(N, S, *Report);
557  C.emitReport(std::move(Report));
558  }
559 }
560 
561 void CStringChecker::emitOutOfBoundsBug(CheckerContext &C,
562  ProgramStateRef State, const Stmt *S,
563  StringRef WarningMsg) const {
564  if (ExplodedNode *N = C.generateErrorNode(State)) {
565  if (!BT_Bounds)
566  BT_Bounds.reset(new BuiltinBug(
567  Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds
568  : Filter.CheckNameCStringNullArg,
569  "Out-of-bound array access",
570  "Byte string function accesses out-of-bound array element"));
571 
572  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Bounds.get());
573 
574  // FIXME: It would be nice to eventually make this diagnostic more clear,
575  // e.g., by referencing the original declaration or by saying *why* this
576  // reference is outside the range.
577  auto Report = llvm::make_unique<BugReport>(*BT, WarningMsg, N);
578  Report->addRange(S->getSourceRange());
579  C.emitReport(std::move(Report));
580  }
581 }
582 
583 void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
584  const Stmt *S,
585  StringRef WarningMsg) const {
586  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
587  if (!BT_NotCString)
588  BT_NotCString.reset(new BuiltinBug(
589  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
590  "Argument is not a null-terminated string."));
591 
592  auto Report = llvm::make_unique<BugReport>(*BT_NotCString, WarningMsg, N);
593 
594  Report->addRange(S->getSourceRange());
595  C.emitReport(std::move(Report));
596  }
597 }
598 
599 void CStringChecker::emitAdditionOverflowBug(CheckerContext &C,
600  ProgramStateRef State) const {
601  if (ExplodedNode *N = C.generateErrorNode(State)) {
602  if (!BT_NotCString)
603  BT_NotCString.reset(
604  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
605  "Sum of expressions causes overflow."));
606 
607  // This isn't a great error message, but this should never occur in real
608  // code anyway -- you'd have to create a buffer longer than a size_t can
609  // represent, which is sort of a contradiction.
610  const char *WarningMsg =
611  "This expression will create a string whose length is too big to "
612  "be represented as a size_t";
613 
614  auto Report = llvm::make_unique<BugReport>(*BT_NotCString, WarningMsg, N);
615  C.emitReport(std::move(Report));
616  }
617 }
618 
619 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
620  ProgramStateRef state,
621  NonLoc left,
622  NonLoc right) const {
623  // If out-of-bounds checking is turned off, skip the rest.
624  if (!Filter.CheckCStringOutOfBounds)
625  return state;
626 
627  // If a previous check has failed, propagate the failure.
628  if (!state)
629  return nullptr;
630 
631  SValBuilder &svalBuilder = C.getSValBuilder();
632  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
633 
634  QualType sizeTy = svalBuilder.getContext().getSizeType();
635  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
636  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
637 
638  SVal maxMinusRight;
639  if (right.getAs<nonloc::ConcreteInt>()) {
640  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
641  sizeTy);
642  } else {
643  // Try switching the operands. (The order of these two assignments is
644  // important!)
645  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
646  sizeTy);
647  left = right;
648  }
649 
650  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
651  QualType cmpTy = svalBuilder.getConditionType();
652  // If left > max - right, we have an overflow.
653  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
654  *maxMinusRightNL, cmpTy);
655 
656  ProgramStateRef stateOverflow, stateOkay;
657  std::tie(stateOverflow, stateOkay) =
658  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
659 
660  if (stateOverflow && !stateOkay) {
661  // We have an overflow. Emit a bug report.
662  emitAdditionOverflowBug(C, stateOverflow);
663  return nullptr;
664  }
665 
666  // From now on, assume an overflow didn't occur.
667  assert(stateOkay);
668  state = stateOkay;
669  }
670 
671  return state;
672 }
673 
674 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
675  const MemRegion *MR,
676  SVal strLength) {
677  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
678 
679  MR = MR->StripCasts();
680 
681  switch (MR->getKind()) {
682  case MemRegion::StringRegionKind:
683  // FIXME: This can happen if we strcpy() into a string region. This is
684  // undefined [C99 6.4.5p6], but we should still warn about it.
685  return state;
686 
687  case MemRegion::SymbolicRegionKind:
688  case MemRegion::AllocaRegionKind:
689  case MemRegion::VarRegionKind:
690  case MemRegion::FieldRegionKind:
691  case MemRegion::ObjCIvarRegionKind:
692  // These are the types we can currently track string lengths for.
693  break;
694 
695  case MemRegion::ElementRegionKind:
696  // FIXME: Handle element regions by upper-bounding the parent region's
697  // string length.
698  return state;
699 
700  default:
701  // Other regions (mostly non-data) can't have a reliable C string length.
702  // For now, just ignore the change.
703  // FIXME: These are rare but not impossible. We should output some kind of
704  // warning for things like strcpy((char[]){'a', 0}, "b");
705  return state;
706  }
707 
708  if (strLength.isUnknown())
709  return state->remove<CStringLength>(MR);
710 
711  return state->set<CStringLength>(MR, strLength);
712 }
713 
714 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
715  ProgramStateRef &state,
716  const Expr *Ex,
717  const MemRegion *MR,
718  bool hypothetical) {
719  if (!hypothetical) {
720  // If there's a recorded length, go ahead and return it.
721  const SVal *Recorded = state->get<CStringLength>(MR);
722  if (Recorded)
723  return *Recorded;
724  }
725 
726  // Otherwise, get a new symbol and update the state.
727  SValBuilder &svalBuilder = C.getSValBuilder();
728  QualType sizeTy = svalBuilder.getContext().getSizeType();
729  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
730  MR, Ex, sizeTy,
731  C.getLocationContext(),
732  C.blockCount());
733 
734  if (!hypothetical) {
735  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
736  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
737  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
738  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
739  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
740  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
741  fourInt);
742  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
743  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
744  maxLength, sizeTy);
745  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
746  }
747  state = state->set<CStringLength>(MR, strLength);
748  }
749 
750  return strLength;
751 }
752 
753 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
754  const Expr *Ex, SVal Buf,
755  bool hypothetical) const {
756  const MemRegion *MR = Buf.getAsRegion();
757  if (!MR) {
758  // If we can't get a region, see if it's something we /know/ isn't a
759  // C string. In the context of locations, the only time we can issue such
760  // a warning is for labels.
762  if (Filter.CheckCStringNotNullTerm) {
763  SmallString<120> buf;
764  llvm::raw_svector_ostream os(buf);
765  assert(CurrentFunctionDescription);
766  os << "Argument to " << CurrentFunctionDescription
767  << " is the address of the label '" << Label->getLabel()->getName()
768  << "', which is not a null-terminated string";
769 
770  emitNotCStringBug(C, state, Ex, os.str());
771  }
772  return UndefinedVal();
773  }
774 
775  // If it's not a region and not a label, give up.
776  return UnknownVal();
777  }
778 
779  // If we have a region, strip casts from it and see if we can figure out
780  // its length. For anything we can't figure out, just return UnknownVal.
781  MR = MR->StripCasts();
782 
783  switch (MR->getKind()) {
784  case MemRegion::StringRegionKind: {
785  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
786  // so we can assume that the byte length is the correct C string length.
787  SValBuilder &svalBuilder = C.getSValBuilder();
788  QualType sizeTy = svalBuilder.getContext().getSizeType();
789  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
790  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
791  }
792  case MemRegion::SymbolicRegionKind:
793  case MemRegion::AllocaRegionKind:
794  case MemRegion::VarRegionKind:
795  case MemRegion::FieldRegionKind:
796  case MemRegion::ObjCIvarRegionKind:
797  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
798  case MemRegion::CompoundLiteralRegionKind:
799  // FIXME: Can we track this? Is it necessary?
800  return UnknownVal();
801  case MemRegion::ElementRegionKind:
802  // FIXME: How can we handle this? It's not good enough to subtract the
803  // offset from the base string length; consider "123\x00567" and &a[5].
804  return UnknownVal();
805  default:
806  // Other regions (mostly non-data) can't have a reliable C string length.
807  // In this case, an error is emitted and UndefinedVal is returned.
808  // The caller should always be prepared to handle this case.
809  if (Filter.CheckCStringNotNullTerm) {
810  SmallString<120> buf;
811  llvm::raw_svector_ostream os(buf);
812 
813  assert(CurrentFunctionDescription);
814  os << "Argument to " << CurrentFunctionDescription << " is ";
815 
816  if (SummarizeRegion(os, C.getASTContext(), MR))
817  os << ", which is not a null-terminated string";
818  else
819  os << "not a null-terminated string";
820 
821  emitNotCStringBug(C, state, Ex, os.str());
822  }
823  return UndefinedVal();
824  }
825 }
826 
827 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
828  ProgramStateRef &state, const Expr *expr, SVal val) const {
829 
830  // Get the memory region pointed to by the val.
831  const MemRegion *bufRegion = val.getAsRegion();
832  if (!bufRegion)
833  return nullptr;
834 
835  // Strip casts off the memory region.
836  bufRegion = bufRegion->StripCasts();
837 
838  // Cast the memory region to a string region.
839  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
840  if (!strRegion)
841  return nullptr;
842 
843  // Return the actual string in the string region.
844  return strRegion->getStringLiteral();
845 }
846 
847 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
848  ProgramStateRef state,
849  const Expr *FirstBuf,
850  const Expr *Size) {
851  // If we do not know that the buffer is long enough we return 'true'.
852  // Otherwise the parent region of this field region would also get
853  // invalidated, which would lead to warnings based on an unknown state.
854 
855  // Originally copied from CheckBufferAccess and CheckLocation.
856  SValBuilder &svalBuilder = C.getSValBuilder();
857  ASTContext &Ctx = svalBuilder.getContext();
858  const LocationContext *LCtx = C.getLocationContext();
859 
860  QualType sizeTy = Size->getType();
861  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
862  SVal BufVal = state->getSVal(FirstBuf, LCtx);
863 
864  SVal LengthVal = state->getSVal(Size, LCtx);
865  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
866  if (!Length)
867  return true; // cf top comment.
868 
869  // Compute the offset of the last element to be accessed: size-1.
870  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
871  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
872  if (Offset.isUnknown())
873  return true; // cf top comment
874  NonLoc LastOffset = Offset.castAs<NonLoc>();
875 
876  // Check that the first buffer is sufficiently long.
877  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
878  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
879  if (!BufLoc)
880  return true; // cf top comment.
881 
882  SVal BufEnd =
883  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
884 
885  // Check for out of bound array element access.
886  const MemRegion *R = BufEnd.getAsRegion();
887  if (!R)
888  return true; // cf top comment.
889 
890  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
891  if (!ER)
892  return true; // cf top comment.
893 
894  // FIXME: Does this crash when a non-standard definition
895  // of a library function is encountered?
896  assert(ER->getValueType() == C.getASTContext().CharTy &&
897  "IsFirstBufInBound should only be called with char* ElementRegions");
898 
899  // Get the size of the array.
900  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
901  SVal Extent =
902  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
903  DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
904 
905  // Get the index of the accessed element.
907 
908  ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true);
909 
910  return static_cast<bool>(StInBound);
911 }
912 
913 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
914  ProgramStateRef state,
915  const Expr *E, SVal V,
916  bool IsSourceBuffer,
917  const Expr *Size) {
918  Optional<Loc> L = V.getAs<Loc>();
919  if (!L)
920  return state;
921 
922  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
923  // some assumptions about the value that CFRefCount can't. Even so, it should
924  // probably be refactored.
925  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
926  const MemRegion *R = MR->getRegion()->StripCasts();
927 
928  // Are we dealing with an ElementRegion? If so, we should be invalidating
929  // the super-region.
930  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
931  R = ER->getSuperRegion();
932  // FIXME: What about layers of ElementRegions?
933  }
934 
935  // Invalidate this region.
937 
938  bool CausesPointerEscape = false;
940  // Invalidate and escape only indirect regions accessible through the source
941  // buffer.
942  if (IsSourceBuffer) {
943  ITraits.setTrait(R->getBaseRegion(),
946  CausesPointerEscape = true;
947  } else {
948  const MemRegion::Kind& K = R->getKind();
949  if (K == MemRegion::FieldRegionKind)
950  if (Size && IsFirstBufInBound(C, state, E, Size)) {
951  // If destination buffer is a field region and access is in bound,
952  // do not invalidate its super region.
953  ITraits.setTrait(
954  R,
956  }
957  }
958 
959  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
960  CausesPointerEscape, nullptr, nullptr,
961  &ITraits);
962  }
963 
964  // If we have a non-region value by chance, just remove the binding.
965  // FIXME: is this necessary or correct? This handles the non-Region
966  // cases. Is it ever valid to store to these?
967  return state->killBinding(*L);
968 }
969 
970 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
971  const MemRegion *MR) {
972  const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR);
973 
974  switch (MR->getKind()) {
975  case MemRegion::FunctionCodeRegionKind: {
976  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
977  if (FD)
978  os << "the address of the function '" << *FD << '\'';
979  else
980  os << "the address of a function";
981  return true;
982  }
983  case MemRegion::BlockCodeRegionKind:
984  os << "block text";
985  return true;
986  case MemRegion::BlockDataRegionKind:
987  os << "a block";
988  return true;
989  case MemRegion::CXXThisRegionKind:
990  case MemRegion::CXXTempObjectRegionKind:
991  os << "a C++ temp object of type " << TVR->getValueType().getAsString();
992  return true;
993  case MemRegion::VarRegionKind:
994  os << "a variable of type" << TVR->getValueType().getAsString();
995  return true;
996  case MemRegion::FieldRegionKind:
997  os << "a field of type " << TVR->getValueType().getAsString();
998  return true;
999  case MemRegion::ObjCIvarRegionKind:
1000  os << "an instance variable of type " << TVR->getValueType().getAsString();
1001  return true;
1002  default:
1003  return false;
1004  }
1005 }
1006 
1007 bool CStringChecker::memsetAux(const Expr *DstBuffer, const Expr *CharE,
1008  const Expr *Size, CheckerContext &C,
1009  ProgramStateRef &State) {
1010  SVal MemVal = C.getSVal(DstBuffer);
1011  SVal CharVal = C.getSVal(CharE);
1012  SVal SizeVal = C.getSVal(Size);
1013  const MemRegion *MR = MemVal.getAsRegion();
1014  if (!MR)
1015  return false;
1016 
1017  // We're about to model memset by producing a "default binding" in the Store.
1018  // Our current implementation - RegionStore - doesn't support default bindings
1019  // that don't cover the whole base region. So we should first get the offset
1020  // and the base region to figure out whether the offset of buffer is 0.
1021  RegionOffset Offset = MR->getAsOffset();
1022  const MemRegion *BR = Offset.getRegion();
1023 
1024  Optional<NonLoc> SizeNL = SizeVal.getAs<NonLoc>();
1025  if (!SizeNL)
1026  return false;
1027 
1028  SValBuilder &svalBuilder = C.getSValBuilder();
1029  ASTContext &Ctx = C.getASTContext();
1030 
1031  // void *memset(void *dest, int ch, size_t count);
1032  // For now we can only handle the case of offset is 0 and concrete char value.
1033  if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
1034  Offset.getOffset() == 0) {
1035  // Get the base region's extent.
1036  auto *SubReg = cast<SubRegion>(BR);
1037  DefinedOrUnknownSVal Extent = SubReg->getExtent(svalBuilder);
1038 
1039  ProgramStateRef StateWholeReg, StateNotWholeReg;
1040  std::tie(StateWholeReg, StateNotWholeReg) =
1041  State->assume(svalBuilder.evalEQ(State, Extent, *SizeNL));
1042 
1043  // With the semantic of 'memset()', we should convert the CharVal to
1044  // unsigned char.
1045  CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);
1046 
1047  ProgramStateRef StateNullChar, StateNonNullChar;
1048  std::tie(StateNullChar, StateNonNullChar) =
1049  assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
1050 
1051  if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
1052  !StateNonNullChar) {
1053  // If the 'memset()' acts on the whole region of destination buffer and
1054  // the value of the second argument of 'memset()' is zero, bind the second
1055  // argument's value to the destination buffer with 'default binding'.
1056  // FIXME: Since there is no perfect way to bind the non-zero character, we
1057  // can only deal with zero value here. In the future, we need to deal with
1058  // the binding of non-zero value in the case of whole region.
1059  State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
1060  C.getLocationContext());
1061  } else {
1062  // If the destination buffer's extent is not equal to the value of
1063  // third argument, just invalidate buffer.
1064  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1065  /*IsSourceBuffer*/ false, Size);
1066  }
1067 
1068  if (StateNullChar && !StateNonNullChar) {
1069  // If the value of the second argument of 'memset()' is zero, set the
1070  // string length of destination buffer to 0 directly.
1071  State = setCStringLength(State, MR,
1072  svalBuilder.makeZeroVal(Ctx.getSizeType()));
1073  } else if (!StateNullChar && StateNonNullChar) {
1074  SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
1075  CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
1076  C.getLocationContext(), C.blockCount());
1077 
1078  // If the value of second argument is not zero, then the string length
1079  // is at least the size argument.
1080  SVal NewStrLenGESize = svalBuilder.evalBinOp(
1081  State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
1082 
1083  State = setCStringLength(
1084  State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
1085  MR, NewStrLen);
1086  }
1087  } else {
1088  // If the offset is not zero and char value is not concrete, we can do
1089  // nothing but invalidate the buffer.
1090  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1091  /*IsSourceBuffer*/ false, Size);
1092  }
1093  return true;
1094 }
1095 
1096 //===----------------------------------------------------------------------===//
1097 // evaluation of individual function calls.
1098 //===----------------------------------------------------------------------===//
1099 
1100 void CStringChecker::evalCopyCommon(CheckerContext &C,
1101  const CallExpr *CE,
1102  ProgramStateRef state,
1103  const Expr *Size, const Expr *Dest,
1104  const Expr *Source, bool Restricted,
1105  bool IsMempcpy) const {
1106  CurrentFunctionDescription = "memory copy function";
1107 
1108  // See if the size argument is zero.
1109  const LocationContext *LCtx = C.getLocationContext();
1110  SVal sizeVal = state->getSVal(Size, LCtx);
1111  QualType sizeTy = Size->getType();
1112 
1113  ProgramStateRef stateZeroSize, stateNonZeroSize;
1114  std::tie(stateZeroSize, stateNonZeroSize) =
1115  assumeZero(C, state, sizeVal, sizeTy);
1116 
1117  // Get the value of the Dest.
1118  SVal destVal = state->getSVal(Dest, LCtx);
1119 
1120  // If the size is zero, there won't be any actual memory access, so
1121  // just bind the return value to the destination buffer and return.
1122  if (stateZeroSize && !stateNonZeroSize) {
1123  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1124  C.addTransition(stateZeroSize);
1125  return;
1126  }
1127 
1128  // If the size can be nonzero, we have to check the other arguments.
1129  if (stateNonZeroSize) {
1130  state = stateNonZeroSize;
1131 
1132  // Ensure the destination is not null. If it is NULL there will be a
1133  // NULL pointer dereference.
1134  state = checkNonNull(C, state, Dest, destVal);
1135  if (!state)
1136  return;
1137 
1138  // Get the value of the Src.
1139  SVal srcVal = state->getSVal(Source, LCtx);
1140 
1141  // Ensure the source is not null. If it is NULL there will be a
1142  // NULL pointer dereference.
1143  state = checkNonNull(C, state, Source, srcVal);
1144  if (!state)
1145  return;
1146 
1147  // Ensure the accesses are valid and that the buffers do not overlap.
1148  const char * const writeWarning =
1149  "Memory copy function overflows destination buffer";
1150  state = CheckBufferAccess(C, state, Size, Dest, Source,
1151  writeWarning, /* sourceWarning = */ nullptr);
1152  if (Restricted)
1153  state = CheckOverlap(C, state, Size, Dest, Source);
1154 
1155  if (!state)
1156  return;
1157 
1158  // If this is mempcpy, get the byte after the last byte copied and
1159  // bind the expr.
1160  if (IsMempcpy) {
1161  // Get the byte after the last byte copied.
1162  SValBuilder &SvalBuilder = C.getSValBuilder();
1163  ASTContext &Ctx = SvalBuilder.getContext();
1164  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1165  SVal DestRegCharVal =
1166  SvalBuilder.evalCast(destVal, CharPtrTy, Dest->getType());
1167  SVal lastElement = C.getSValBuilder().evalBinOp(
1168  state, BO_Add, DestRegCharVal, sizeVal, Dest->getType());
1169  // If we don't know how much we copied, we can at least
1170  // conjure a return value for later.
1171  if (lastElement.isUnknown())
1172  lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1173  C.blockCount());
1174 
1175  // The byte after the last byte copied is the return value.
1176  state = state->BindExpr(CE, LCtx, lastElement);
1177  } else {
1178  // All other copies return the destination buffer.
1179  // (Well, bcopy() has a void return type, but this won't hurt.)
1180  state = state->BindExpr(CE, LCtx, destVal);
1181  }
1182 
1183  // Invalidate the destination (regular invalidation without pointer-escaping
1184  // the address of the top-level region).
1185  // FIXME: Even if we can't perfectly model the copy, we should see if we
1186  // can use LazyCompoundVals to copy the source values into the destination.
1187  // This would probably remove any existing bindings past the end of the
1188  // copied region, but that's still an improvement over blank invalidation.
1189  state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest),
1190  /*IsSourceBuffer*/false, Size);
1191 
1192  // Invalidate the source (const-invalidation without const-pointer-escaping
1193  // the address of the top-level region).
1194  state = InvalidateBuffer(C, state, Source, C.getSVal(Source),
1195  /*IsSourceBuffer*/true, nullptr);
1196 
1197  C.addTransition(state);
1198  }
1199 }
1200 
1201 
1202 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1203  if (CE->getNumArgs() < 3)
1204  return;
1205 
1206  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1207  // The return value is the address of the destination buffer.
1208  const Expr *Dest = CE->getArg(0);
1209  ProgramStateRef state = C.getState();
1210 
1211  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true);
1212 }
1213 
1214 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1215  if (CE->getNumArgs() < 3)
1216  return;
1217 
1218  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1219  // The return value is a pointer to the byte following the last written byte.
1220  const Expr *Dest = CE->getArg(0);
1221  ProgramStateRef state = C.getState();
1222 
1223  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
1224 }
1225 
1226 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1227  if (CE->getNumArgs() < 3)
1228  return;
1229 
1230  // void *memmove(void *dst, const void *src, size_t n);
1231  // The return value is the address of the destination buffer.
1232  const Expr *Dest = CE->getArg(0);
1233  ProgramStateRef state = C.getState();
1234 
1235  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
1236 }
1237 
1238 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1239  if (CE->getNumArgs() < 3)
1240  return;
1241 
1242  // void bcopy(const void *src, void *dst, size_t n);
1243  evalCopyCommon(C, CE, C.getState(),
1244  CE->getArg(2), CE->getArg(1), CE->getArg(0));
1245 }
1246 
1247 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1248  if (CE->getNumArgs() < 3)
1249  return;
1250 
1251  // int memcmp(const void *s1, const void *s2, size_t n);
1252  CurrentFunctionDescription = "memory comparison function";
1253 
1254  const Expr *Left = CE->getArg(0);
1255  const Expr *Right = CE->getArg(1);
1256  const Expr *Size = CE->getArg(2);
1257 
1258  ProgramStateRef state = C.getState();
1259  SValBuilder &svalBuilder = C.getSValBuilder();
1260 
1261  // See if the size argument is zero.
1262  const LocationContext *LCtx = C.getLocationContext();
1263  SVal sizeVal = state->getSVal(Size, LCtx);
1264  QualType sizeTy = Size->getType();
1265 
1266  ProgramStateRef stateZeroSize, stateNonZeroSize;
1267  std::tie(stateZeroSize, stateNonZeroSize) =
1268  assumeZero(C, state, sizeVal, sizeTy);
1269 
1270  // If the size can be zero, the result will be 0 in that case, and we don't
1271  // have to check either of the buffers.
1272  if (stateZeroSize) {
1273  state = stateZeroSize;
1274  state = state->BindExpr(CE, LCtx,
1275  svalBuilder.makeZeroVal(CE->getType()));
1276  C.addTransition(state);
1277  }
1278 
1279  // If the size can be nonzero, we have to check the other arguments.
1280  if (stateNonZeroSize) {
1281  state = stateNonZeroSize;
1282  // If we know the two buffers are the same, we know the result is 0.
1283  // First, get the two buffers' addresses. Another checker will have already
1284  // made sure they're not undefined.
1286  state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>();
1288  state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>();
1289 
1290  // See if they are the same.
1291  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1292  ProgramStateRef StSameBuf, StNotSameBuf;
1293  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1294 
1295  // If the two arguments might be the same buffer, we know the result is 0,
1296  // and we only need to check one size.
1297  if (StSameBuf) {
1298  state = StSameBuf;
1299  state = CheckBufferAccess(C, state, Size, Left);
1300  if (state) {
1301  state = StSameBuf->BindExpr(CE, LCtx,
1302  svalBuilder.makeZeroVal(CE->getType()));
1303  C.addTransition(state);
1304  }
1305  }
1306 
1307  // If the two arguments might be different buffers, we have to check the
1308  // size of both of them.
1309  if (StNotSameBuf) {
1310  state = StNotSameBuf;
1311  state = CheckBufferAccess(C, state, Size, Left, Right);
1312  if (state) {
1313  // The return value is the comparison result, which we don't know.
1314  SVal CmpV = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1315  C.blockCount());
1316  state = state->BindExpr(CE, LCtx, CmpV);
1317  C.addTransition(state);
1318  }
1319  }
1320  }
1321 }
1322 
1323 void CStringChecker::evalstrLength(CheckerContext &C,
1324  const CallExpr *CE) const {
1325  if (CE->getNumArgs() < 1)
1326  return;
1327 
1328  // size_t strlen(const char *s);
1329  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1330 }
1331 
1332 void CStringChecker::evalstrnLength(CheckerContext &C,
1333  const CallExpr *CE) const {
1334  if (CE->getNumArgs() < 2)
1335  return;
1336 
1337  // size_t strnlen(const char *s, size_t maxlen);
1338  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1339 }
1340 
1341 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1342  bool IsStrnlen) const {
1343  CurrentFunctionDescription = "string length function";
1344  ProgramStateRef state = C.getState();
1345  const LocationContext *LCtx = C.getLocationContext();
1346 
1347  if (IsStrnlen) {
1348  const Expr *maxlenExpr = CE->getArg(1);
1349  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1350 
1351  ProgramStateRef stateZeroSize, stateNonZeroSize;
1352  std::tie(stateZeroSize, stateNonZeroSize) =
1353  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1354 
1355  // If the size can be zero, the result will be 0 in that case, and we don't
1356  // have to check the string itself.
1357  if (stateZeroSize) {
1358  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1359  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1360  C.addTransition(stateZeroSize);
1361  }
1362 
1363  // If the size is GUARANTEED to be zero, we're done!
1364  if (!stateNonZeroSize)
1365  return;
1366 
1367  // Otherwise, record the assumption that the size is nonzero.
1368  state = stateNonZeroSize;
1369  }
1370 
1371  // Check that the string argument is non-null.
1372  const Expr *Arg = CE->getArg(0);
1373  SVal ArgVal = state->getSVal(Arg, LCtx);
1374 
1375  state = checkNonNull(C, state, Arg, ArgVal);
1376 
1377  if (!state)
1378  return;
1379 
1380  SVal strLength = getCStringLength(C, state, Arg, ArgVal);
1381 
1382  // If the argument isn't a valid C string, there's no valid state to
1383  // transition to.
1384  if (strLength.isUndef())
1385  return;
1386 
1387  DefinedOrUnknownSVal result = UnknownVal();
1388 
1389  // If the check is for strnlen() then bind the return value to no more than
1390  // the maxlen value.
1391  if (IsStrnlen) {
1393 
1394  // It's a little unfortunate to be getting this again,
1395  // but it's not that expensive...
1396  const Expr *maxlenExpr = CE->getArg(1);
1397  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1398 
1399  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1400  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1401 
1402  if (strLengthNL && maxlenValNL) {
1403  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1404 
1405  // Check if the strLength is greater than the maxlen.
1406  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1407  C.getSValBuilder()
1408  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1410 
1411  if (stateStringTooLong && !stateStringNotTooLong) {
1412  // If the string is longer than maxlen, return maxlen.
1413  result = *maxlenValNL;
1414  } else if (stateStringNotTooLong && !stateStringTooLong) {
1415  // If the string is shorter than maxlen, return its length.
1416  result = *strLengthNL;
1417  }
1418  }
1419 
1420  if (result.isUnknown()) {
1421  // If we don't have enough information for a comparison, there's
1422  // no guarantee the full string length will actually be returned.
1423  // All we know is the return value is the min of the string length
1424  // and the limit. This is better than nothing.
1425  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1426  C.blockCount());
1427  NonLoc resultNL = result.castAs<NonLoc>();
1428 
1429  if (strLengthNL) {
1430  state = state->assume(C.getSValBuilder().evalBinOpNN(
1431  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1432  .castAs<DefinedOrUnknownSVal>(), true);
1433  }
1434 
1435  if (maxlenValNL) {
1436  state = state->assume(C.getSValBuilder().evalBinOpNN(
1437  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1438  .castAs<DefinedOrUnknownSVal>(), true);
1439  }
1440  }
1441 
1442  } else {
1443  // This is a plain strlen(), not strnlen().
1444  result = strLength.castAs<DefinedOrUnknownSVal>();
1445 
1446  // If we don't know the length of the string, conjure a return
1447  // value, so it can be used in constraints, at least.
1448  if (result.isUnknown()) {
1449  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1450  C.blockCount());
1451  }
1452  }
1453 
1454  // Bind the return value.
1455  assert(!result.isUnknown() && "Should have conjured a value by now");
1456  state = state->BindExpr(CE, LCtx, result);
1457  C.addTransition(state);
1458 }
1459 
1460 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1461  if (CE->getNumArgs() < 2)
1462  return;
1463 
1464  // char *strcpy(char *restrict dst, const char *restrict src);
1465  evalStrcpyCommon(C, CE,
1466  /* returnEnd = */ false,
1467  /* isBounded = */ false,
1468  /* isAppending = */ false);
1469 }
1470 
1471 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1472  if (CE->getNumArgs() < 3)
1473  return;
1474 
1475  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1476  evalStrcpyCommon(C, CE,
1477  /* returnEnd = */ false,
1478  /* isBounded = */ true,
1479  /* isAppending = */ false);
1480 }
1481 
1482 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1483  if (CE->getNumArgs() < 2)
1484  return;
1485 
1486  // char *stpcpy(char *restrict dst, const char *restrict src);
1487  evalStrcpyCommon(C, CE,
1488  /* returnEnd = */ true,
1489  /* isBounded = */ false,
1490  /* isAppending = */ false);
1491 }
1492 
1493 void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const {
1494  if (CE->getNumArgs() < 3)
1495  return;
1496 
1497  // char *strlcpy(char *dst, const char *src, size_t n);
1498  evalStrcpyCommon(C, CE,
1499  /* returnEnd = */ true,
1500  /* isBounded = */ true,
1501  /* isAppending = */ false,
1502  /* returnPtr = */ false);
1503 }
1504 
1505 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1506  if (CE->getNumArgs() < 2)
1507  return;
1508 
1509  //char *strcat(char *restrict s1, const char *restrict s2);
1510  evalStrcpyCommon(C, CE,
1511  /* returnEnd = */ false,
1512  /* isBounded = */ false,
1513  /* isAppending = */ true);
1514 }
1515 
1516 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1517  if (CE->getNumArgs() < 3)
1518  return;
1519 
1520  //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1521  evalStrcpyCommon(C, CE,
1522  /* returnEnd = */ false,
1523  /* isBounded = */ true,
1524  /* isAppending = */ true);
1525 }
1526 
1527 void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const {
1528  if (CE->getNumArgs() < 3)
1529  return;
1530 
1531  //char *strlcat(char *s1, const char *s2, size_t n);
1532  evalStrcpyCommon(C, CE,
1533  /* returnEnd = */ false,
1534  /* isBounded = */ true,
1535  /* isAppending = */ true,
1536  /* returnPtr = */ false);
1537 }
1538 
1539 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1540  bool returnEnd, bool isBounded,
1541  bool isAppending, bool returnPtr) const {
1542  CurrentFunctionDescription = "string copy function";
1543  ProgramStateRef state = C.getState();
1544  const LocationContext *LCtx = C.getLocationContext();
1545 
1546  // Check that the destination is non-null.
1547  const Expr *Dst = CE->getArg(0);
1548  SVal DstVal = state->getSVal(Dst, LCtx);
1549 
1550  state = checkNonNull(C, state, Dst, DstVal);
1551  if (!state)
1552  return;
1553 
1554  // Check that the source is non-null.
1555  const Expr *srcExpr = CE->getArg(1);
1556  SVal srcVal = state->getSVal(srcExpr, LCtx);
1557  state = checkNonNull(C, state, srcExpr, srcVal);
1558  if (!state)
1559  return;
1560 
1561  // Get the string length of the source.
1562  SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
1563 
1564  // If the source isn't a valid C string, give up.
1565  if (strLength.isUndef())
1566  return;
1567 
1568  SValBuilder &svalBuilder = C.getSValBuilder();
1569  QualType cmpTy = svalBuilder.getConditionType();
1570  QualType sizeTy = svalBuilder.getContext().getSizeType();
1571 
1572  // These two values allow checking two kinds of errors:
1573  // - actual overflows caused by a source that doesn't fit in the destination
1574  // - potential overflows caused by a bound that could exceed the destination
1575  SVal amountCopied = UnknownVal();
1576  SVal maxLastElementIndex = UnknownVal();
1577  const char *boundWarning = nullptr;
1578 
1579  state = CheckOverlap(C, state, isBounded ? CE->getArg(2) : CE->getArg(1), Dst, srcExpr);
1580 
1581  if (!state)
1582  return;
1583 
1584  // If the function is strncpy, strncat, etc... it is bounded.
1585  if (isBounded) {
1586  // Get the max number of characters to copy.
1587  const Expr *lenExpr = CE->getArg(2);
1588  SVal lenVal = state->getSVal(lenExpr, LCtx);
1589 
1590  // Protect against misdeclared strncpy().
1591  lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
1592 
1593  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1594  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1595 
1596  // If we know both values, we might be able to figure out how much
1597  // we're copying.
1598  if (strLengthNL && lenValNL) {
1599  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1600 
1601  // Check if the max number to copy is less than the length of the src.
1602  // If the bound is equal to the source length, strncpy won't null-
1603  // terminate the result!
1604  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1605  svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1607 
1608  if (stateSourceTooLong && !stateSourceNotTooLong) {
1609  // Max number to copy is less than the length of the src, so the actual
1610  // strLength copied is the max number arg.
1611  state = stateSourceTooLong;
1612  amountCopied = lenVal;
1613 
1614  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1615  // The source buffer entirely fits in the bound.
1616  state = stateSourceNotTooLong;
1617  amountCopied = strLength;
1618  }
1619  }
1620 
1621  // We still want to know if the bound is known to be too large.
1622  if (lenValNL) {
1623  if (isAppending) {
1624  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1625 
1626  // Get the string length of the destination. If the destination is
1627  // memory that can't have a string length, we shouldn't be copying
1628  // into it anyway.
1629  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1630  if (dstStrLength.isUndef())
1631  return;
1632 
1633  if (Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>()) {
1634  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add,
1635  *lenValNL,
1636  *dstStrLengthNL,
1637  sizeTy);
1638  boundWarning = "Size argument is greater than the free space in the "
1639  "destination buffer";
1640  }
1641 
1642  } else {
1643  // For strncpy, this is just checking that lenVal <= sizeof(dst)
1644  // (Yes, strncpy and strncat differ in how they treat termination.
1645  // strncat ALWAYS terminates, but strncpy doesn't.)
1646 
1647  // We need a special case for when the copy size is zero, in which
1648  // case strncpy will do no work at all. Our bounds check uses n-1
1649  // as the last element accessed, so n == 0 is problematic.
1650  ProgramStateRef StateZeroSize, StateNonZeroSize;
1651  std::tie(StateZeroSize, StateNonZeroSize) =
1652  assumeZero(C, state, *lenValNL, sizeTy);
1653 
1654  // If the size is known to be zero, we're done.
1655  if (StateZeroSize && !StateNonZeroSize) {
1656  if (returnPtr) {
1657  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1658  } else {
1659  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, *lenValNL);
1660  }
1661  C.addTransition(StateZeroSize);
1662  return;
1663  }
1664 
1665  // Otherwise, go ahead and figure out the last element we'll touch.
1666  // We don't record the non-zero assumption here because we can't
1667  // be sure. We won't warn on a possible zero.
1668  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1669  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1670  one, sizeTy);
1671  boundWarning = "Size argument is greater than the length of the "
1672  "destination buffer";
1673  }
1674  }
1675 
1676  // If we couldn't pin down the copy length, at least bound it.
1677  // FIXME: We should actually run this code path for append as well, but
1678  // right now it creates problems with constraints (since we can end up
1679  // trying to pass constraints from symbol to symbol).
1680  if (amountCopied.isUnknown() && !isAppending) {
1681  // Try to get a "hypothetical" string length symbol, which we can later
1682  // set as a real value if that turns out to be the case.
1683  amountCopied = getCStringLength(C, state, lenExpr, srcVal, true);
1684  assert(!amountCopied.isUndef());
1685 
1686  if (Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>()) {
1687  if (lenValNL) {
1688  // amountCopied <= lenVal
1689  SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE,
1690  *amountCopiedNL,
1691  *lenValNL,
1692  cmpTy);
1693  state = state->assume(
1694  copiedLessThanBound.castAs<DefinedOrUnknownSVal>(), true);
1695  if (!state)
1696  return;
1697  }
1698 
1699  if (strLengthNL) {
1700  // amountCopied <= strlen(source)
1701  SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE,
1702  *amountCopiedNL,
1703  *strLengthNL,
1704  cmpTy);
1705  state = state->assume(
1706  copiedLessThanSrc.castAs<DefinedOrUnknownSVal>(), true);
1707  if (!state)
1708  return;
1709  }
1710  }
1711  }
1712 
1713  } else {
1714  // The function isn't bounded. The amount copied should match the length
1715  // of the source buffer.
1716  amountCopied = strLength;
1717  }
1718 
1719  assert(state);
1720 
1721  // This represents the number of characters copied into the destination
1722  // buffer. (It may not actually be the strlen if the destination buffer
1723  // is not terminated.)
1724  SVal finalStrLength = UnknownVal();
1725 
1726  // If this is an appending function (strcat, strncat...) then set the
1727  // string length to strlen(src) + strlen(dst) since the buffer will
1728  // ultimately contain both.
1729  if (isAppending) {
1730  // Get the string length of the destination. If the destination is memory
1731  // that can't have a string length, we shouldn't be copying into it anyway.
1732  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1733  if (dstStrLength.isUndef())
1734  return;
1735 
1736  Optional<NonLoc> srcStrLengthNL = amountCopied.getAs<NonLoc>();
1737  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1738 
1739  // If we know both string lengths, we might know the final string length.
1740  if (srcStrLengthNL && dstStrLengthNL) {
1741  // Make sure the two lengths together don't overflow a size_t.
1742  state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL);
1743  if (!state)
1744  return;
1745 
1746  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL,
1747  *dstStrLengthNL, sizeTy);
1748  }
1749 
1750  // If we couldn't get a single value for the final string length,
1751  // we can at least bound it by the individual lengths.
1752  if (finalStrLength.isUnknown()) {
1753  // Try to get a "hypothetical" string length symbol, which we can later
1754  // set as a real value if that turns out to be the case.
1755  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1756  assert(!finalStrLength.isUndef());
1757 
1758  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1759  if (srcStrLengthNL) {
1760  // finalStrLength >= srcStrLength
1761  SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1762  *finalStrLengthNL,
1763  *srcStrLengthNL,
1764  cmpTy);
1765  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1766  true);
1767  if (!state)
1768  return;
1769  }
1770 
1771  if (dstStrLengthNL) {
1772  // finalStrLength >= dstStrLength
1773  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1774  *finalStrLengthNL,
1775  *dstStrLengthNL,
1776  cmpTy);
1777  state =
1778  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1779  if (!state)
1780  return;
1781  }
1782  }
1783  }
1784 
1785  } else {
1786  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1787  // the final string length will match the input string length.
1788  finalStrLength = amountCopied;
1789  }
1790 
1791  SVal Result;
1792 
1793  if (returnPtr) {
1794  // The final result of the function will either be a pointer past the last
1795  // copied element, or a pointer to the start of the destination buffer.
1796  Result = (returnEnd ? UnknownVal() : DstVal);
1797  } else {
1798  Result = finalStrLength;
1799  }
1800 
1801  assert(state);
1802 
1803  // If the destination is a MemRegion, try to check for a buffer overflow and
1804  // record the new string length.
1805  if (Optional<loc::MemRegionVal> dstRegVal =
1806  DstVal.getAs<loc::MemRegionVal>()) {
1807  QualType ptrTy = Dst->getType();
1808 
1809  // If we have an exact value on a bounded copy, use that to check for
1810  // overflows, rather than our estimate about how much is actually copied.
1811  if (boundWarning) {
1812  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1813  SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1814  *maxLastNL, ptrTy);
1815  state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
1816  boundWarning);
1817  if (!state)
1818  return;
1819  }
1820  }
1821 
1822  // Then, if the final length is known...
1823  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1824  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1825  *knownStrLength, ptrTy);
1826 
1827  // ...and we haven't checked the bound, we'll check the actual copy.
1828  if (!boundWarning) {
1829  const char * const warningMsg =
1830  "String copy function overflows destination buffer";
1831  state = CheckLocation(C, state, Dst, lastElement, warningMsg);
1832  if (!state)
1833  return;
1834  }
1835 
1836  // If this is a stpcpy-style copy, the last element is the return value.
1837  if (returnPtr && returnEnd)
1838  Result = lastElement;
1839  }
1840 
1841  // Invalidate the destination (regular invalidation without pointer-escaping
1842  // the address of the top-level region). This must happen before we set the
1843  // C string length because invalidation will clear the length.
1844  // FIXME: Even if we can't perfectly model the copy, we should see if we
1845  // can use LazyCompoundVals to copy the source values into the destination.
1846  // This would probably remove any existing bindings past the end of the
1847  // string, but that's still an improvement over blank invalidation.
1848  state = InvalidateBuffer(C, state, Dst, *dstRegVal,
1849  /*IsSourceBuffer*/false, nullptr);
1850 
1851  // Invalidate the source (const-invalidation without const-pointer-escaping
1852  // the address of the top-level region).
1853  state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
1854  nullptr);
1855 
1856  // Set the C string length of the destination, if we know it.
1857  if (isBounded && !isAppending) {
1858  // strncpy is annoying in that it doesn't guarantee to null-terminate
1859  // the result string. If the original string didn't fit entirely inside
1860  // the bound (including the null-terminator), we don't know how long the
1861  // result is.
1862  if (amountCopied != strLength)
1863  finalStrLength = UnknownVal();
1864  }
1865  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1866  }
1867 
1868  assert(state);
1869 
1870  if (returnPtr) {
1871  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1872  // overflow, we still need a result. Conjure a return value.
1873  if (returnEnd && Result.isUnknown()) {
1874  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1875  }
1876  }
1877  // Set the return value.
1878  state = state->BindExpr(CE, LCtx, Result);
1879  C.addTransition(state);
1880 }
1881 
1882 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1883  if (CE->getNumArgs() < 2)
1884  return;
1885 
1886  //int strcmp(const char *s1, const char *s2);
1887  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false);
1888 }
1889 
1890 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1891  if (CE->getNumArgs() < 3)
1892  return;
1893 
1894  //int strncmp(const char *s1, const char *s2, size_t n);
1895  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false);
1896 }
1897 
1898 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1899  const CallExpr *CE) const {
1900  if (CE->getNumArgs() < 2)
1901  return;
1902 
1903  //int strcasecmp(const char *s1, const char *s2);
1904  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true);
1905 }
1906 
1907 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1908  const CallExpr *CE) const {
1909  if (CE->getNumArgs() < 3)
1910  return;
1911 
1912  //int strncasecmp(const char *s1, const char *s2, size_t n);
1913  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true);
1914 }
1915 
1916 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1917  bool isBounded, bool ignoreCase) const {
1918  CurrentFunctionDescription = "string comparison function";
1919  ProgramStateRef state = C.getState();
1920  const LocationContext *LCtx = C.getLocationContext();
1921 
1922  // Check that the first string is non-null
1923  const Expr *s1 = CE->getArg(0);
1924  SVal s1Val = state->getSVal(s1, LCtx);
1925  state = checkNonNull(C, state, s1, s1Val);
1926  if (!state)
1927  return;
1928 
1929  // Check that the second string is non-null.
1930  const Expr *s2 = CE->getArg(1);
1931  SVal s2Val = state->getSVal(s2, LCtx);
1932  state = checkNonNull(C, state, s2, s2Val);
1933  if (!state)
1934  return;
1935 
1936  // Get the string length of the first string or give up.
1937  SVal s1Length = getCStringLength(C, state, s1, s1Val);
1938  if (s1Length.isUndef())
1939  return;
1940 
1941  // Get the string length of the second string or give up.
1942  SVal s2Length = getCStringLength(C, state, s2, s2Val);
1943  if (s2Length.isUndef())
1944  return;
1945 
1946  // If we know the two buffers are the same, we know the result is 0.
1947  // First, get the two buffers' addresses. Another checker will have already
1948  // made sure they're not undefined.
1951 
1952  // See if they are the same.
1953  SValBuilder &svalBuilder = C.getSValBuilder();
1954  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1955  ProgramStateRef StSameBuf, StNotSameBuf;
1956  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1957 
1958  // If the two arguments might be the same buffer, we know the result is 0,
1959  // and we only need to check one size.
1960  if (StSameBuf) {
1961  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
1962  svalBuilder.makeZeroVal(CE->getType()));
1963  C.addTransition(StSameBuf);
1964 
1965  // If the two arguments are GUARANTEED to be the same, we're done!
1966  if (!StNotSameBuf)
1967  return;
1968  }
1969 
1970  assert(StNotSameBuf);
1971  state = StNotSameBuf;
1972 
1973  // At this point we can go about comparing the two buffers.
1974  // For now, we only do this if they're both known string literals.
1975 
1976  // Attempt to extract string literals from both expressions.
1977  const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val);
1978  const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val);
1979  bool canComputeResult = false;
1980  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1981  C.blockCount());
1982 
1983  if (s1StrLiteral && s2StrLiteral) {
1984  StringRef s1StrRef = s1StrLiteral->getString();
1985  StringRef s2StrRef = s2StrLiteral->getString();
1986 
1987  if (isBounded) {
1988  // Get the max number of characters to compare.
1989  const Expr *lenExpr = CE->getArg(2);
1990  SVal lenVal = state->getSVal(lenExpr, LCtx);
1991 
1992  // If the length is known, we can get the right substrings.
1993  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
1994  // Create substrings of each to compare the prefix.
1995  s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
1996  s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue());
1997  canComputeResult = true;
1998  }
1999  } else {
2000  // This is a normal, unbounded strcmp.
2001  canComputeResult = true;
2002  }
2003 
2004  if (canComputeResult) {
2005  // Real strcmp stops at null characters.
2006  size_t s1Term = s1StrRef.find('\0');
2007  if (s1Term != StringRef::npos)
2008  s1StrRef = s1StrRef.substr(0, s1Term);
2009 
2010  size_t s2Term = s2StrRef.find('\0');
2011  if (s2Term != StringRef::npos)
2012  s2StrRef = s2StrRef.substr(0, s2Term);
2013 
2014  // Use StringRef's comparison methods to compute the actual result.
2015  int compareRes = ignoreCase ? s1StrRef.compare_lower(s2StrRef)
2016  : s1StrRef.compare(s2StrRef);
2017 
2018  // The strcmp function returns an integer greater than, equal to, or less
2019  // than zero, [c11, p7.24.4.2].
2020  if (compareRes == 0) {
2021  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
2022  }
2023  else {
2024  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
2025  // Constrain strcmp's result range based on the result of StringRef's
2026  // comparison methods.
2027  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
2028  SVal compareWithZero =
2029  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
2030  svalBuilder.getConditionType());
2031  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
2032  state = state->assume(compareWithZeroVal, true);
2033  }
2034  }
2035  }
2036 
2037  state = state->BindExpr(CE, LCtx, resultVal);
2038 
2039  // Record this as a possible path.
2040  C.addTransition(state);
2041 }
2042 
2043 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
2044  //char *strsep(char **stringp, const char *delim);
2045  if (CE->getNumArgs() < 2)
2046  return;
2047 
2048  // Sanity: does the search string parameter match the return type?
2049  const Expr *SearchStrPtr = CE->getArg(0);
2050  QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType();
2051  if (CharPtrTy.isNull() ||
2052  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
2053  return;
2054 
2055  CurrentFunctionDescription = "strsep()";
2056  ProgramStateRef State = C.getState();
2057  const LocationContext *LCtx = C.getLocationContext();
2058 
2059  // Check that the search string pointer is non-null (though it may point to
2060  // a null string).
2061  SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx);
2062  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
2063  if (!State)
2064  return;
2065 
2066  // Check that the delimiter string is non-null.
2067  const Expr *DelimStr = CE->getArg(1);
2068  SVal DelimStrVal = State->getSVal(DelimStr, LCtx);
2069  State = checkNonNull(C, State, DelimStr, DelimStrVal);
2070  if (!State)
2071  return;
2072 
2073  SValBuilder &SVB = C.getSValBuilder();
2074  SVal Result;
2075  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
2076  // Get the current value of the search string pointer, as a char*.
2077  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
2078 
2079  // Invalidate the search string, representing the change of one delimiter
2080  // character to NUL.
2081  State = InvalidateBuffer(C, State, SearchStrPtr, Result,
2082  /*IsSourceBuffer*/false, nullptr);
2083 
2084  // Overwrite the search string pointer. The new value is either an address
2085  // further along in the same string, or NULL if there are no more tokens.
2086  State = State->bindLoc(*SearchStrLoc,
2087  SVB.conjureSymbolVal(getTag(),
2088  CE,
2089  LCtx,
2090  CharPtrTy,
2091  C.blockCount()),
2092  LCtx);
2093  } else {
2094  assert(SearchStrVal.isUnknown());
2095  // Conjure a symbolic value. It's the best we can do.
2096  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2097  }
2098 
2099  // Set the return value, and finish.
2100  State = State->BindExpr(CE, LCtx, Result);
2101  C.addTransition(State);
2102 }
2103 
2104 // These should probably be moved into a C++ standard library checker.
2105 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
2106  evalStdCopyCommon(C, CE);
2107 }
2108 
2109 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
2110  const CallExpr *CE) const {
2111  evalStdCopyCommon(C, CE);
2112 }
2113 
2114 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
2115  const CallExpr *CE) const {
2116  if (CE->getNumArgs() < 3)
2117  return;
2118 
2119  ProgramStateRef State = C.getState();
2120 
2121  const LocationContext *LCtx = C.getLocationContext();
2122 
2123  // template <class _InputIterator, class _OutputIterator>
2124  // _OutputIterator
2125  // copy(_InputIterator __first, _InputIterator __last,
2126  // _OutputIterator __result)
2127 
2128  // Invalidate the destination buffer
2129  const Expr *Dst = CE->getArg(2);
2130  SVal DstVal = State->getSVal(Dst, LCtx);
2131  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
2132  /*Size=*/nullptr);
2133 
2134  SValBuilder &SVB = C.getSValBuilder();
2135 
2136  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2137  State = State->BindExpr(CE, LCtx, ResultVal);
2138 
2139  C.addTransition(State);
2140 }
2141 
2142 void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
2143  if (CE->getNumArgs() != 3)
2144  return;
2145 
2146  CurrentFunctionDescription = "memory set function";
2147 
2148  const Expr *Mem = CE->getArg(0);
2149  const Expr *CharE = CE->getArg(1);
2150  const Expr *Size = CE->getArg(2);
2151  ProgramStateRef State = C.getState();
2152 
2153  // See if the size argument is zero.
2154  const LocationContext *LCtx = C.getLocationContext();
2155  SVal SizeVal = State->getSVal(Size, LCtx);
2156  QualType SizeTy = Size->getType();
2157 
2158  ProgramStateRef StateZeroSize, StateNonZeroSize;
2159  std::tie(StateZeroSize, StateNonZeroSize) =
2160  assumeZero(C, State, SizeVal, SizeTy);
2161 
2162  // Get the value of the memory area.
2163  SVal MemVal = State->getSVal(Mem, LCtx);
2164 
2165  // If the size is zero, there won't be any actual memory access, so
2166  // just bind the return value to the Mem buffer and return.
2167  if (StateZeroSize && !StateNonZeroSize) {
2168  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, MemVal);
2169  C.addTransition(StateZeroSize);
2170  return;
2171  }
2172 
2173  // Ensure the memory area is not null.
2174  // If it is NULL there will be a NULL pointer dereference.
2175  State = checkNonNull(C, StateNonZeroSize, Mem, MemVal);
2176  if (!State)
2177  return;
2178 
2179  State = CheckBufferAccess(C, State, Size, Mem);
2180  if (!State)
2181  return;
2182 
2183  // According to the values of the arguments, bind the value of the second
2184  // argument to the destination buffer and set string length, or just
2185  // invalidate the destination buffer.
2186  if (!memsetAux(Mem, CharE, Size, C, State))
2187  return;
2188 
2189  State = State->BindExpr(CE, LCtx, MemVal);
2190  C.addTransition(State);
2191 }
2192 
2193 static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name) {
2194  IdentifierInfo *II = FD->getIdentifier();
2195  if (!II)
2196  return false;
2197 
2199  return false;
2200 
2201  if (II->getName().equals(Name))
2202  return true;
2203 
2204  return false;
2205 }
2206 //===----------------------------------------------------------------------===//
2207 // The driver method, and other Checker callbacks.
2208 //===----------------------------------------------------------------------===//
2209 
2210 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
2211  const FunctionDecl *FDecl = C.getCalleeDecl(CE);
2212 
2213  if (!FDecl)
2214  return false;
2215 
2216  // FIXME: Poorly-factored string switches are slow.
2217  FnCheck evalFunction = nullptr;
2218  if (C.isCLibraryFunction(FDecl, "memcpy"))
2219  evalFunction = &CStringChecker::evalMemcpy;
2220  else if (C.isCLibraryFunction(FDecl, "mempcpy"))
2221  evalFunction = &CStringChecker::evalMempcpy;
2222  else if (C.isCLibraryFunction(FDecl, "memcmp"))
2223  evalFunction = &CStringChecker::evalMemcmp;
2224  else if (C.isCLibraryFunction(FDecl, "memmove"))
2225  evalFunction = &CStringChecker::evalMemmove;
2226  else if (C.isCLibraryFunction(FDecl, "memset"))
2227  evalFunction = &CStringChecker::evalMemset;
2228  else if (C.isCLibraryFunction(FDecl, "strcpy"))
2229  evalFunction = &CStringChecker::evalStrcpy;
2230  else if (C.isCLibraryFunction(FDecl, "strncpy"))
2231  evalFunction = &CStringChecker::evalStrncpy;
2232  else if (C.isCLibraryFunction(FDecl, "stpcpy"))
2233  evalFunction = &CStringChecker::evalStpcpy;
2234  else if (C.isCLibraryFunction(FDecl, "strlcpy"))
2235  evalFunction = &CStringChecker::evalStrlcpy;
2236  else if (C.isCLibraryFunction(FDecl, "strcat"))
2237  evalFunction = &CStringChecker::evalStrcat;
2238  else if (C.isCLibraryFunction(FDecl, "strncat"))
2239  evalFunction = &CStringChecker::evalStrncat;
2240  else if (C.isCLibraryFunction(FDecl, "strlcat"))
2241  evalFunction = &CStringChecker::evalStrlcat;
2242  else if (C.isCLibraryFunction(FDecl, "strlen"))
2243  evalFunction = &CStringChecker::evalstrLength;
2244  else if (C.isCLibraryFunction(FDecl, "strnlen"))
2245  evalFunction = &CStringChecker::evalstrnLength;
2246  else if (C.isCLibraryFunction(FDecl, "strcmp"))
2247  evalFunction = &CStringChecker::evalStrcmp;
2248  else if (C.isCLibraryFunction(FDecl, "strncmp"))
2249  evalFunction = &CStringChecker::evalStrncmp;
2250  else if (C.isCLibraryFunction(FDecl, "strcasecmp"))
2251  evalFunction = &CStringChecker::evalStrcasecmp;
2252  else if (C.isCLibraryFunction(FDecl, "strncasecmp"))
2253  evalFunction = &CStringChecker::evalStrncasecmp;
2254  else if (C.isCLibraryFunction(FDecl, "strsep"))
2255  evalFunction = &CStringChecker::evalStrsep;
2256  else if (C.isCLibraryFunction(FDecl, "bcopy"))
2257  evalFunction = &CStringChecker::evalBcopy;
2258  else if (C.isCLibraryFunction(FDecl, "bcmp"))
2259  evalFunction = &CStringChecker::evalMemcmp;
2260  else if (isCPPStdLibraryFunction(FDecl, "copy"))
2261  evalFunction = &CStringChecker::evalStdCopy;
2262  else if (isCPPStdLibraryFunction(FDecl, "copy_backward"))
2263  evalFunction = &CStringChecker::evalStdCopyBackward;
2264 
2265  // If the callee isn't a string function, let another checker handle it.
2266  if (!evalFunction)
2267  return false;
2268 
2269  // Check and evaluate the call.
2270  (this->*evalFunction)(C, CE);
2271 
2272  // If the evaluate call resulted in no change, chain to the next eval call
2273  // handler.
2274  // Note, the custom CString evaluation calls assume that basic safety
2275  // properties are held. However, if the user chooses to turn off some of these
2276  // checks, we ignore the issues and leave the call evaluation to a generic
2277  // handler.
2278  return C.isDifferent();
2279 }
2280 
2281 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2282  // Record string length for char a[] = "abc";
2283  ProgramStateRef state = C.getState();
2284 
2285  for (const auto *I : DS->decls()) {
2286  const VarDecl *D = dyn_cast<VarDecl>(I);
2287  if (!D)
2288  continue;
2289 
2290  // FIXME: Handle array fields of structs.
2291  if (!D->getType()->isArrayType())
2292  continue;
2293 
2294  const Expr *Init = D->getInit();
2295  if (!Init)
2296  continue;
2297  if (!isa<StringLiteral>(Init))
2298  continue;
2299 
2300  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2301  const MemRegion *MR = VarLoc.getAsRegion();
2302  if (!MR)
2303  continue;
2304 
2305  SVal StrVal = C.getSVal(Init);
2306  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2307  DefinedOrUnknownSVal strLength =
2308  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2309 
2310  state = state->set<CStringLength>(MR, strLength);
2311  }
2312 
2313  C.addTransition(state);
2314 }
2315 
2317 CStringChecker::checkRegionChanges(ProgramStateRef state,
2318  const InvalidatedSymbols *,
2319  ArrayRef<const MemRegion *> ExplicitRegions,
2321  const LocationContext *LCtx,
2322  const CallEvent *Call) const {
2323  CStringLengthTy Entries = state->get<CStringLength>();
2324  if (Entries.isEmpty())
2325  return state;
2326 
2327  llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
2328  llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
2329 
2330  // First build sets for the changed regions and their super-regions.
2332  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2333  const MemRegion *MR = *I;
2334  Invalidated.insert(MR);
2335 
2336  SuperRegions.insert(MR);
2337  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2338  MR = SR->getSuperRegion();
2339  SuperRegions.insert(MR);
2340  }
2341  }
2342 
2343  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2344 
2345  // Then loop over the entries in the current state.
2346  for (CStringLengthTy::iterator I = Entries.begin(),
2347  E = Entries.end(); I != E; ++I) {
2348  const MemRegion *MR = I.getKey();
2349 
2350  // Is this entry for a super-region of a changed region?
2351  if (SuperRegions.count(MR)) {
2352  Entries = F.remove(Entries, MR);
2353  continue;
2354  }
2355 
2356  // Is this entry for a sub-region of a changed region?
2357  const MemRegion *Super = MR;
2358  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2359  Super = SR->getSuperRegion();
2360  if (Invalidated.count(Super)) {
2361  Entries = F.remove(Entries, MR);
2362  break;
2363  }
2364  }
2365  }
2366 
2367  return state->set<CStringLength>(Entries);
2368 }
2369 
2370 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2371  SymbolReaper &SR) const {
2372  // Mark all symbols in our string length map as valid.
2373  CStringLengthTy Entries = state->get<CStringLength>();
2374 
2375  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2376  I != E; ++I) {
2377  SVal Len = I.getData();
2378 
2379  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2380  se = Len.symbol_end(); si != se; ++si)
2381  SR.markInUse(*si);
2382  }
2383 }
2384 
2385 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2386  CheckerContext &C) const {
2387  if (!SR.hasDeadSymbols())
2388  return;
2389 
2390  ProgramStateRef state = C.getState();
2391  CStringLengthTy Entries = state->get<CStringLength>();
2392  if (Entries.isEmpty())
2393  return;
2394 
2395  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2396  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2397  I != E; ++I) {
2398  SVal Len = I.getData();
2399  if (SymbolRef Sym = Len.getAsSymbol()) {
2400  if (SR.isDead(Sym))
2401  Entries = F.remove(Entries, I.getKey());
2402  }
2403  }
2404 
2405  state = state->set<CStringLength>(Entries);
2406  C.addTransition(state);
2407 }
2408 
2409 #define REGISTER_CHECKER(name) \
2410  void ento::register##name(CheckerManager &mgr) { \
2411  CStringChecker *checker = mgr.registerChecker<CStringChecker>(); \
2412  checker->Filter.Check##name = true; \
2413  checker->Filter.CheckName##name = mgr.getCurrentCheckName(); \
2414  }
2415 
2416  REGISTER_CHECKER(CStringNullArg)
2417  REGISTER_CHECKER(CStringOutOfBounds)
2418  REGISTER_CHECKER(CStringBufferOverlap)
2419 REGISTER_CHECKER(CStringNotNullTerm)
2420 
2422  Mgr.registerChecker<CStringChecker>();
2423  }
Represents a function declaration or definition.
Definition: Decl.h:1722
TypedValueRegion - An abstract class representing regions having a typed value.
Definition: MemRegion.h:525
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:279
A (possibly-)qualified type.
Definition: Type.h:640
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:94
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
bool isArrayType() const
Definition: Type.h:6166
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2475
Stmt - This represents one statement.
Definition: Stmt.h:66
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2463
Information about invalidation for a particular region/symbol.
Definition: MemRegion.h:1384
NonLoc getIndex() const
Definition: MemRegion.h:1096
A helper class which wraps a boolean value set to false by default.
Definition: Checker.h:567
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:497
ExplodedNode * addTransition(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generates a new transition in the program state graph (ExplodedGraph).
virtual QualType getValueType() const =0
const MemRegion * getRegion() const
Definition: MemRegion.h:77
SVal evalCast(SVal val, QualType castTy, QualType originalType)
Value representing integer constant.
Definition: SVals.h:377
Represents a variable declaration or definition.
Definition: Decl.h:820
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
void setTrait(SymbolRef Sym, InvalidationKinds IK)
Definition: MemRegion.cpp:1533
const FunctionDecl * getCalleeDecl(const CallExpr *CE) const
Get the declaration of the called function (path-sensitive).
bool isDead(SymbolRef sym) const
Returns whether or not a symbol has been confirmed dead.
ExplodedNode * getPredecessor()
Returns the previous node in the exploded graph, which includes the state of the program before the c...
SVal getSVal(const Stmt *S) const
Get the value of arbitrary expressions at this point in the path.
Symbolic value.
Definition: SymExpr.h:30
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:269
const MemRegion * getSuperRegion() const
Definition: MemRegion.h:443
void markInUse(SymbolRef sym)
Marks a symbol as important to a checker.
One of these records is kept for each identifier that is lexed.
virtual SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with a memory location and non-location opera...
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:153
LineState State
bool isValid() const
Definition: MemRegion.h:86
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
virtual DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const
getExtent - Returns the size of the region in bytes.
Definition: MemRegion.h:448
void registerCStringCheckerBasic(CheckerManager &Mgr)
Register the checker which evaluates CString API calls.
BinaryOperatorKind
static bool isInStdNamespace(const Decl *D)
Returns true if the root namespace of the given declaration is the &#39;std&#39; C++ namespace.
uint32_t Offset
Definition: CacheTokens.cpp:43
const LocationContext * getLocationContext() const
static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name)
bool isUnknown() const
Definition: SVals.h:137
A record of the "type" of an APSInt, used for conversions.
Definition: APSIntType.h:20
const StringLiteral * getStringLiteral() const
Definition: MemRegion.h:809
SymExpr::symbol_iterator symbol_end() const
Definition: SVals.h:205
Represent a region&#39;s offset within the top level base region.
Definition: MemRegion.h:62
CanQualType UnsignedCharTy
Definition: ASTContext.h:1033
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:127
StringRef getString() const
Definition: Expr.h:1681
#define REGISTER_CHECKER(name)
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Loc makeLoc(SymbolRef sym)
Definition: SValBuilder.h:354
DefinedOrUnknownSVal makeZeroVal(QualType type)
Construct an SVal representing &#39;0&#39; for the specified type.
Definition: SValBuilder.cpp:53
Expr - This represents one expression.
Definition: Expr.h:106
std::string Label
static bool isCLibraryFunction(const FunctionDecl *FD, StringRef Name=StringRef())
Returns true if the callee is an externally-visible function in the top-level namespace, such as malloc.
QualType getConditionType() const
Definition: SValBuilder.h:161
bool isValid() const
Definition: SVals.h:149
QualType getType() const
Definition: Expr.h:128
virtual SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, Loc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two memory location operands.
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
ExplodedNode * generateNonFatalErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:705
Optional< T > getAs() const
Convert to the specified SVal type, returning None if this SVal is not of the desired type...
Definition: SVals.h:112
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
const MemRegion * StripCasts(bool StripBaseCasts=true) const
Definition: MemRegion.cpp:1152
Kind getKind() const
Definition: MemRegion.h:165
DefinedOrUnknownSVal conjureSymbolVal(const void *symbolTag, const Expr *expr, const LocationContext *LCtx, unsigned count)
Create a new symbol with a unique &#39;name&#39;.
const MemRegion * getAsRegion() const
Definition: SVals.cpp:151
DeclStmt - Adaptor class for mixing declarations with statements and expressions. ...
Definition: Stmt.h:509
ASTContext & getContext()
Definition: SValBuilder.h:156
SVal - This represents a symbolic expression, which can be either an L-value or an R-value...
Definition: SVals.h:76
A class responsible for cleaning up unused symbols.
const llvm::APSInt * evalAPSInt(BinaryOperator::Opcode Op, const llvm::APSInt &V1, const llvm::APSInt &V2)
Tells that a region&#39;s contents is not changed.
Definition: MemRegion.h:1399
virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, NonLoc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two non- location operands.
unsigned blockCount() const
Returns the number of times the current block has been visited along the analyzed path...
StringRef getName() const
Return the actual identifier string.
CanQualType CharTy
Definition: ASTContext.h:1025
llvm::APSInt getValue(uint64_t RawValue) const LLVM_READONLY
Definition: APSIntType.h:70
Dataflow Directional Tag Classes.
const Expr * getInit() const
Definition: Decl.h:1225
static std::string getAsString(SplitQualType split, const PrintingPolicy &Policy)
Definition: Type.h:973
SVal evalEQ(ProgramStateRef state, SVal lhs, SVal rhs)
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:165
SVal convertToArrayIndex(SVal val)
DefinedSVal getMetadataSymbolVal(const void *symbolTag, const MemRegion *region, const Expr *expr, QualType type, const LocationContext *LCtx, unsigned count)
unsigned getByteLength() const
Definition: Expr.h:1713
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:104
BasicValueFactory & getBasicValueFactory()
Definition: SValBuilder.h:169
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:431
const ProgramStateRef & getState() const
RegionOffset getAsOffset() const
Compute the offset within the top level memory object.
Definition: MemRegion.cpp:1415
decl_range decls()
Definition: Stmt.h:566
int64_t getOffset() const
Definition: MemRegion.h:81
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:5973
QualType getValueType() const override
Definition: MemRegion.h:1098
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1126
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:262
SValBuilder & getSValBuilder()
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1633
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2406
const llvm::APSInt & getMaxValue(const llvm::APSInt &v)
bool isUndef() const
Definition: SVals.h:141
StringRegion - Region associated with a StringLiteral.
Definition: MemRegion.h:794
LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:174
ElementRegin is used to represent both array elements and casts.
Definition: MemRegion.h:1076
CanQualType IntTy
Definition: ASTContext.h:1032
SymExpr::symbol_iterator symbol_begin() const
Definition: SVals.h:197
QualType getType() const
Definition: Decl.h:651
This represents a decl that may have a name.
Definition: Decl.h:248
const LocationContext * getLocationContext() const
bool isDifferent()
Check if the checker changed the state of the execution; ex: added a new transition or a bug report...
bool hasSymbolicOffset() const
Definition: MemRegion.h:79
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
Iterator over symbols that the current symbol depends on.
Definition: SymExpr.h:71