clang  8.0.0svn
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines CStringChecker, which is an assortment of checks on calls
11 // to functions in <string.h>.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "InterCheckerAPI.h"
17 #include "clang/Basic/CharInfo.h"
18 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
19 #include "clang/StaticAnalyzer/Core/Checker.h"
20 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
22 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
23 #include "llvm/ADT/STLExtras.h"
24 #include "llvm/ADT/SmallString.h"
25 #include "llvm/Support/raw_ostream.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 namespace {
31 class CStringChecker : public Checker< eval::Call,
32  check::PreStmt<DeclStmt>,
33  check::LiveSymbols,
34  check::DeadSymbols,
35  check::RegionChanges
36  > {
37  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
38  BT_NotCString, BT_AdditionOverflow;
39 
40  mutable const char *CurrentFunctionDescription;
41 
42 public:
43  /// The filter is used to filter out the diagnostics which are not enabled by
44  /// the user.
45  struct CStringChecksFilter {
46  DefaultBool CheckCStringNullArg;
47  DefaultBool CheckCStringOutOfBounds;
48  DefaultBool CheckCStringBufferOverlap;
49  DefaultBool CheckCStringNotNullTerm;
50 
51  CheckName CheckNameCStringNullArg;
52  CheckName CheckNameCStringOutOfBounds;
53  CheckName CheckNameCStringBufferOverlap;
54  CheckName CheckNameCStringNotNullTerm;
55  };
56 
57  CStringChecksFilter Filter;
58 
59  static void *getTag() { static int tag; return &tag; }
60 
61  bool evalCall(const CallExpr *CE, CheckerContext &C) const;
62  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
63  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
64  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
65 
66  ProgramStateRef
67  checkRegionChanges(ProgramStateRef state,
68  const InvalidatedSymbols *,
69  ArrayRef<const MemRegion *> ExplicitRegions,
70  ArrayRef<const MemRegion *> Regions,
71  const LocationContext *LCtx,
72  const CallEvent *Call) const;
73 
74  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
75  const CallExpr *) const;
76 
77  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
78  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
79  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
80  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
81  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
82  ProgramStateRef state,
83  const Expr *Size,
84  const Expr *Source,
85  const Expr *Dest,
86  bool Restricted = false,
87  bool IsMempcpy = false) const;
88 
89  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
90 
91  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
92  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
93  void evalstrLengthCommon(CheckerContext &C,
94  const CallExpr *CE,
95  bool IsStrnlen = false) const;
96 
97  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
98  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
99  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
100  void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const;
101  void evalStrcpyCommon(CheckerContext &C,
102  const CallExpr *CE,
103  bool returnEnd,
104  bool isBounded,
105  bool isAppending,
106  bool returnPtr = true) const;
107 
108  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
109  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
110  void evalStrlcat(CheckerContext &C, const CallExpr *CE) const;
111 
112  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
113  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
114  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
115  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
116  void evalStrcmpCommon(CheckerContext &C,
117  const CallExpr *CE,
118  bool isBounded = false,
119  bool ignoreCase = false) const;
120 
121  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
122 
123  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
124  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
125  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
126  void evalMemset(CheckerContext &C, const CallExpr *CE) const;
127 
128  // Utility methods
129  std::pair<ProgramStateRef , ProgramStateRef >
130  static assumeZero(CheckerContext &C,
131  ProgramStateRef state, SVal V, QualType Ty);
132 
133  static ProgramStateRef setCStringLength(ProgramStateRef state,
134  const MemRegion *MR,
135  SVal strLength);
136  static SVal getCStringLengthForRegion(CheckerContext &C,
137  ProgramStateRef &state,
138  const Expr *Ex,
139  const MemRegion *MR,
140  bool hypothetical);
141  SVal getCStringLength(CheckerContext &C,
142  ProgramStateRef &state,
143  const Expr *Ex,
144  SVal Buf,
145  bool hypothetical = false) const;
146 
147  const StringLiteral *getCStringLiteral(CheckerContext &C,
148  ProgramStateRef &state,
149  const Expr *expr,
150  SVal val) const;
151 
152  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
153  ProgramStateRef state,
154  const Expr *Ex, SVal V,
155  bool IsSourceBuffer,
156  const Expr *Size);
157 
158  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
159  const MemRegion *MR);
160 
161  static bool memsetAux(const Expr *DstBuffer, const Expr *CharE,
162  const Expr *Size, CheckerContext &C,
163  ProgramStateRef &State);
164 
165  // Re-usable checks
166  ProgramStateRef checkNonNull(CheckerContext &C,
167  ProgramStateRef state,
168  const Expr *S,
169  SVal l) const;
170  ProgramStateRef CheckLocation(CheckerContext &C,
171  ProgramStateRef state,
172  const Expr *S,
173  SVal l,
174  const char *message = nullptr) const;
175  ProgramStateRef CheckBufferAccess(CheckerContext &C,
176  ProgramStateRef state,
177  const Expr *Size,
178  const Expr *FirstBuf,
179  const Expr *SecondBuf,
180  const char *firstMessage = nullptr,
181  const char *secondMessage = nullptr,
182  bool WarnAboutSize = false) const;
183 
184  ProgramStateRef CheckBufferAccess(CheckerContext &C,
185  ProgramStateRef state,
186  const Expr *Size,
187  const Expr *Buf,
188  const char *message = nullptr,
189  bool WarnAboutSize = false) const {
190  // This is a convenience override.
191  return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
192  WarnAboutSize);
193  }
194  ProgramStateRef CheckOverlap(CheckerContext &C,
195  ProgramStateRef state,
196  const Expr *Size,
197  const Expr *First,
198  const Expr *Second) const;
199  void emitOverlapBug(CheckerContext &C,
200  ProgramStateRef state,
201  const Stmt *First,
202  const Stmt *Second) const;
203 
204  void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
205  StringRef WarningMsg) const;
206  void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
207  const Stmt *S, StringRef WarningMsg) const;
208  void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
209  const Stmt *S, StringRef WarningMsg) const;
210  void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
211 
212  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
213  ProgramStateRef state,
214  NonLoc left,
215  NonLoc right) const;
216 
217  // Return true if the destination buffer of the copy function may be in bound.
218  // Expects SVal of Size to be positive and unsigned.
219  // Expects SVal of FirstBuf to be a FieldRegion.
220  static bool IsFirstBufInBound(CheckerContext &C,
221  ProgramStateRef state,
222  const Expr *FirstBuf,
223  const Expr *Size);
224 };
225 
226 } //end anonymous namespace
227 
228 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
229 
230 //===----------------------------------------------------------------------===//
231 // Individual checks and utility methods.
232 //===----------------------------------------------------------------------===//
233 
234 std::pair<ProgramStateRef , ProgramStateRef >
235 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
236  QualType Ty) {
237  Optional<DefinedSVal> val = V.getAs<DefinedSVal>();
238  if (!val)
239  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
240 
241  SValBuilder &svalBuilder = C.getSValBuilder();
242  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
243  return state->assume(svalBuilder.evalEQ(state, *val, zero));
244 }
245 
246 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
247  ProgramStateRef state,
248  const Expr *S, SVal l) const {
249  // If a previous check has failed, propagate the failure.
250  if (!state)
251  return nullptr;
252 
253  ProgramStateRef stateNull, stateNonNull;
254  std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
255 
256  if (stateNull && !stateNonNull) {
257  if (Filter.CheckCStringNullArg) {
258  SmallString<80> buf;
259  llvm::raw_svector_ostream os(buf);
260  assert(CurrentFunctionDescription);
261  os << "Null pointer argument in call to " << CurrentFunctionDescription;
262 
263  emitNullArgBug(C, stateNull, S, os.str());
264  }
265  return nullptr;
266  }
267 
268  // From here on, assume that the value is non-null.
269  assert(stateNonNull);
270  return stateNonNull;
271 }
272 
273 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
274 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
275  ProgramStateRef state,
276  const Expr *S, SVal l,
277  const char *warningMsg) const {
278  // If a previous check has failed, propagate the failure.
279  if (!state)
280  return nullptr;
281 
282  // Check for out of bound array element access.
283  const MemRegion *R = l.getAsRegion();
284  if (!R)
285  return state;
286 
287  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
288  if (!ER)
289  return state;
290 
291  if (ER->getValueType() != C.getASTContext().CharTy)
292  return state;
293 
294  // Get the size of the array.
295  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
296  SValBuilder &svalBuilder = C.getSValBuilder();
297  SVal Extent =
298  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
299  DefinedOrUnknownSVal Size = Extent.castAs<DefinedOrUnknownSVal>();
300 
301  // Get the index of the accessed element.
302  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
303 
304  ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
305  ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
306  if (StOutBound && !StInBound) {
307  // These checks are either enabled by the CString out-of-bounds checker
308  // explicitly or implicitly by the Malloc checker.
309  // In the latter case we only do modeling but do not emit warning.
310  if (!Filter.CheckCStringOutOfBounds)
311  return nullptr;
312  // Emit a bug report.
313  if (warningMsg) {
314  emitOutOfBoundsBug(C, StOutBound, S, warningMsg);
315  } else {
316  assert(CurrentFunctionDescription);
317  assert(CurrentFunctionDescription[0] != '\0');
318 
319  SmallString<80> buf;
320  llvm::raw_svector_ostream os(buf);
321  os << toUppercase(CurrentFunctionDescription[0])
322  << &CurrentFunctionDescription[1]
323  << " accesses out-of-bound array element";
324  emitOutOfBoundsBug(C, StOutBound, S, os.str());
325  }
326  return nullptr;
327  }
328 
329  // Array bound check succeeded. From this point forward the array bound
330  // should always succeed.
331  return StInBound;
332 }
333 
334 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
335  ProgramStateRef state,
336  const Expr *Size,
337  const Expr *FirstBuf,
338  const Expr *SecondBuf,
339  const char *firstMessage,
340  const char *secondMessage,
341  bool WarnAboutSize) const {
342  // If a previous check has failed, propagate the failure.
343  if (!state)
344  return nullptr;
345 
346  SValBuilder &svalBuilder = C.getSValBuilder();
347  ASTContext &Ctx = svalBuilder.getContext();
348  const LocationContext *LCtx = C.getLocationContext();
349 
350  QualType sizeTy = Size->getType();
351  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
352 
353  // Check that the first buffer is non-null.
354  SVal BufVal = C.getSVal(FirstBuf);
355  state = checkNonNull(C, state, FirstBuf, BufVal);
356  if (!state)
357  return nullptr;
358 
359  // If out-of-bounds checking is turned off, skip the rest.
360  if (!Filter.CheckCStringOutOfBounds)
361  return state;
362 
363  // Get the access length and make sure it is known.
364  // FIXME: This assumes the caller has already checked that the access length
365  // is positive. And that it's unsigned.
366  SVal LengthVal = C.getSVal(Size);
367  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
368  if (!Length)
369  return state;
370 
371  // Compute the offset of the last element to be accessed: size-1.
372  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
373  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
374  if (Offset.isUnknown())
375  return nullptr;
376  NonLoc LastOffset = Offset.castAs<NonLoc>();
377 
378  // Check that the first buffer is sufficiently long.
379  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
380  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
381  const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
382 
383  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
384  LastOffset, PtrTy);
385  state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
386 
387  // If the buffer isn't large enough, abort.
388  if (!state)
389  return nullptr;
390  }
391 
392  // If there's a second buffer, check it as well.
393  if (SecondBuf) {
394  BufVal = state->getSVal(SecondBuf, LCtx);
395  state = checkNonNull(C, state, SecondBuf, BufVal);
396  if (!state)
397  return nullptr;
398 
399  BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
400  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
401  const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
402 
403  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
404  LastOffset, PtrTy);
405  state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
406  }
407  }
408 
409  // Large enough or not, return this state!
410  return state;
411 }
412 
413 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
414  ProgramStateRef state,
415  const Expr *Size,
416  const Expr *First,
417  const Expr *Second) const {
418  if (!Filter.CheckCStringBufferOverlap)
419  return state;
420 
421  // Do a simple check for overlap: if the two arguments are from the same
422  // buffer, see if the end of the first is greater than the start of the second
423  // or vice versa.
424 
425  // If a previous check has failed, propagate the failure.
426  if (!state)
427  return nullptr;
428 
429  ProgramStateRef stateTrue, stateFalse;
430 
431  // Get the buffer values and make sure they're known locations.
432  const LocationContext *LCtx = C.getLocationContext();
433  SVal firstVal = state->getSVal(First, LCtx);
434  SVal secondVal = state->getSVal(Second, LCtx);
435 
436  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
437  if (!firstLoc)
438  return state;
439 
440  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
441  if (!secondLoc)
442  return state;
443 
444  // Are the two values the same?
445  SValBuilder &svalBuilder = C.getSValBuilder();
446  std::tie(stateTrue, stateFalse) =
447  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
448 
449  if (stateTrue && !stateFalse) {
450  // If the values are known to be equal, that's automatically an overlap.
451  emitOverlapBug(C, stateTrue, First, Second);
452  return nullptr;
453  }
454 
455  // assume the two expressions are not equal.
456  assert(stateFalse);
457  state = stateFalse;
458 
459  // Which value comes first?
460  QualType cmpTy = svalBuilder.getConditionType();
461  SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT,
462  *firstLoc, *secondLoc, cmpTy);
463  Optional<DefinedOrUnknownSVal> reverseTest =
464  reverse.getAs<DefinedOrUnknownSVal>();
465  if (!reverseTest)
466  return state;
467 
468  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
469  if (stateTrue) {
470  if (stateFalse) {
471  // If we don't know which one comes first, we can't perform this test.
472  return state;
473  } else {
474  // Switch the values so that firstVal is before secondVal.
475  std::swap(firstLoc, secondLoc);
476 
477  // Switch the Exprs as well, so that they still correspond.
478  std::swap(First, Second);
479  }
480  }
481 
482  // Get the length, and make sure it too is known.
483  SVal LengthVal = state->getSVal(Size, LCtx);
484  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
485  if (!Length)
486  return state;
487 
488  // Convert the first buffer's start address to char*.
489  // Bail out if the cast fails.
490  ASTContext &Ctx = svalBuilder.getContext();
491  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
492  SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy,
493  First->getType());
494  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
495  if (!FirstStartLoc)
496  return state;
497 
498  // Compute the end of the first buffer. Bail out if THAT fails.
499  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add,
500  *FirstStartLoc, *Length, CharPtrTy);
501  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
502  if (!FirstEndLoc)
503  return state;
504 
505  // Is the end of the first buffer past the start of the second buffer?
506  SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT,
507  *FirstEndLoc, *secondLoc, cmpTy);
508  Optional<DefinedOrUnknownSVal> OverlapTest =
509  Overlap.getAs<DefinedOrUnknownSVal>();
510  if (!OverlapTest)
511  return state;
512 
513  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
514 
515  if (stateTrue && !stateFalse) {
516  // Overlap!
517  emitOverlapBug(C, stateTrue, First, Second);
518  return nullptr;
519  }
520 
521  // assume the two expressions don't overlap.
522  assert(stateFalse);
523  return stateFalse;
524 }
525 
526 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
527  const Stmt *First, const Stmt *Second) const {
528  ExplodedNode *N = C.generateErrorNode(state);
529  if (!N)
530  return;
531 
532  if (!BT_Overlap)
533  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
534  categories::UnixAPI, "Improper arguments"));
535 
536  // Generate a report for this bug.
537  auto report = llvm::make_unique<BugReport>(
538  *BT_Overlap, "Arguments must not be overlapping buffers", N);
539  report->addRange(First->getSourceRange());
540  report->addRange(Second->getSourceRange());
541 
542  C.emitReport(std::move(report));
543 }
544 
545 void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State,
546  const Stmt *S, StringRef WarningMsg) const {
547  if (ExplodedNode *N = C.generateErrorNode(State)) {
548  if (!BT_Null)
549  BT_Null.reset(new BuiltinBug(
550  Filter.CheckNameCStringNullArg, categories::UnixAPI,
551  "Null pointer argument in call to byte string function"));
552 
553  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Null.get());
554  auto Report = llvm::make_unique<BugReport>(*BT, WarningMsg, N);
555  Report->addRange(S->getSourceRange());
556  bugreporter::trackNullOrUndefValue(N, S, *Report);
557  C.emitReport(std::move(Report));
558  }
559 }
560 
561 void CStringChecker::emitOutOfBoundsBug(CheckerContext &C,
562  ProgramStateRef State, const Stmt *S,
563  StringRef WarningMsg) const {
564  if (ExplodedNode *N = C.generateErrorNode(State)) {
565  if (!BT_Bounds)
566  BT_Bounds.reset(new BuiltinBug(
567  Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds
568  : Filter.CheckNameCStringNullArg,
569  "Out-of-bound array access",
570  "Byte string function accesses out-of-bound array element"));
571 
572  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Bounds.get());
573 
574  // FIXME: It would be nice to eventually make this diagnostic more clear,
575  // e.g., by referencing the original declaration or by saying *why* this
576  // reference is outside the range.
577  auto Report = llvm::make_unique<BugReport>(*BT, WarningMsg, N);
578  Report->addRange(S->getSourceRange());
579  C.emitReport(std::move(Report));
580  }
581 }
582 
583 void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
584  const Stmt *S,
585  StringRef WarningMsg) const {
586  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
587  if (!BT_NotCString)
588  BT_NotCString.reset(new BuiltinBug(
589  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
590  "Argument is not a null-terminated string."));
591 
592  auto Report = llvm::make_unique<BugReport>(*BT_NotCString, WarningMsg, N);
593 
594  Report->addRange(S->getSourceRange());
595  C.emitReport(std::move(Report));
596  }
597 }
598 
599 void CStringChecker::emitAdditionOverflowBug(CheckerContext &C,
600  ProgramStateRef State) const {
601  if (ExplodedNode *N = C.generateErrorNode(State)) {
602  if (!BT_NotCString)
603  BT_NotCString.reset(
604  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
605  "Sum of expressions causes overflow."));
606 
607  // This isn't a great error message, but this should never occur in real
608  // code anyway -- you'd have to create a buffer longer than a size_t can
609  // represent, which is sort of a contradiction.
610  const char *WarningMsg =
611  "This expression will create a string whose length is too big to "
612  "be represented as a size_t";
613 
614  auto Report = llvm::make_unique<BugReport>(*BT_NotCString, WarningMsg, N);
615  C.emitReport(std::move(Report));
616  }
617 }
618 
619 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
620  ProgramStateRef state,
621  NonLoc left,
622  NonLoc right) const {
623  // If out-of-bounds checking is turned off, skip the rest.
624  if (!Filter.CheckCStringOutOfBounds)
625  return state;
626 
627  // If a previous check has failed, propagate the failure.
628  if (!state)
629  return nullptr;
630 
631  SValBuilder &svalBuilder = C.getSValBuilder();
632  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
633 
634  QualType sizeTy = svalBuilder.getContext().getSizeType();
635  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
636  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
637 
638  SVal maxMinusRight;
639  if (right.getAs<nonloc::ConcreteInt>()) {
640  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
641  sizeTy);
642  } else {
643  // Try switching the operands. (The order of these two assignments is
644  // important!)
645  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
646  sizeTy);
647  left = right;
648  }
649 
650  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
651  QualType cmpTy = svalBuilder.getConditionType();
652  // If left > max - right, we have an overflow.
653  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
654  *maxMinusRightNL, cmpTy);
655 
656  ProgramStateRef stateOverflow, stateOkay;
657  std::tie(stateOverflow, stateOkay) =
658  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
659 
660  if (stateOverflow && !stateOkay) {
661  // We have an overflow. Emit a bug report.
662  emitAdditionOverflowBug(C, stateOverflow);
663  return nullptr;
664  }
665 
666  // From now on, assume an overflow didn't occur.
667  assert(stateOkay);
668  state = stateOkay;
669  }
670 
671  return state;
672 }
673 
674 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
675  const MemRegion *MR,
676  SVal strLength) {
677  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
678 
679  MR = MR->StripCasts();
680 
681  switch (MR->getKind()) {
682  case MemRegion::StringRegionKind:
683  // FIXME: This can happen if we strcpy() into a string region. This is
684  // undefined [C99 6.4.5p6], but we should still warn about it.
685  return state;
686 
687  case MemRegion::SymbolicRegionKind:
688  case MemRegion::AllocaRegionKind:
689  case MemRegion::VarRegionKind:
690  case MemRegion::FieldRegionKind:
691  case MemRegion::ObjCIvarRegionKind:
692  // These are the types we can currently track string lengths for.
693  break;
694 
695  case MemRegion::ElementRegionKind:
696  // FIXME: Handle element regions by upper-bounding the parent region's
697  // string length.
698  return state;
699 
700  default:
701  // Other regions (mostly non-data) can't have a reliable C string length.
702  // For now, just ignore the change.
703  // FIXME: These are rare but not impossible. We should output some kind of
704  // warning for things like strcpy((char[]){'a', 0}, "b");
705  return state;
706  }
707 
708  if (strLength.isUnknown())
709  return state->remove<CStringLength>(MR);
710 
711  return state->set<CStringLength>(MR, strLength);
712 }
713 
714 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
715  ProgramStateRef &state,
716  const Expr *Ex,
717  const MemRegion *MR,
718  bool hypothetical) {
719  if (!hypothetical) {
720  // If there's a recorded length, go ahead and return it.
721  const SVal *Recorded = state->get<CStringLength>(MR);
722  if (Recorded)
723  return *Recorded;
724  }
725 
726  // Otherwise, get a new symbol and update the state.
727  SValBuilder &svalBuilder = C.getSValBuilder();
728  QualType sizeTy = svalBuilder.getContext().getSizeType();
729  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
730  MR, Ex, sizeTy,
731  C.getLocationContext(),
732  C.blockCount());
733 
734  if (!hypothetical) {
735  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
736  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
737  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
738  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
739  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
740  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
741  fourInt);
742  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
743  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
744  maxLength, sizeTy);
745  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
746  }
747  state = state->set<CStringLength>(MR, strLength);
748  }
749 
750  return strLength;
751 }
752 
753 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
754  const Expr *Ex, SVal Buf,
755  bool hypothetical) const {
756  const MemRegion *MR = Buf.getAsRegion();
757  if (!MR) {
758  // If we can't get a region, see if it's something we /know/ isn't a
759  // C string. In the context of locations, the only time we can issue such
760  // a warning is for labels.
761  if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) {
762  if (Filter.CheckCStringNotNullTerm) {
763  SmallString<120> buf;
764  llvm::raw_svector_ostream os(buf);
765  assert(CurrentFunctionDescription);
766  os << "Argument to " << CurrentFunctionDescription
767  << " is the address of the label '" << Label->getLabel()->getName()
768  << "', which is not a null-terminated string";
769 
770  emitNotCStringBug(C, state, Ex, os.str());
771  }
772  return UndefinedVal();
773  }
774 
775  // If it's not a region and not a label, give up.
776  return UnknownVal();
777  }
778 
779  // If we have a region, strip casts from it and see if we can figure out
780  // its length. For anything we can't figure out, just return UnknownVal.
781  MR = MR->StripCasts();
782 
783  switch (MR->getKind()) {
784  case MemRegion::StringRegionKind: {
785  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
786  // so we can assume that the byte length is the correct C string length.
787  SValBuilder &svalBuilder = C.getSValBuilder();
788  QualType sizeTy = svalBuilder.getContext().getSizeType();
789  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
790  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
791  }
792  case MemRegion::SymbolicRegionKind:
793  case MemRegion::AllocaRegionKind:
794  case MemRegion::VarRegionKind:
795  case MemRegion::FieldRegionKind:
796  case MemRegion::ObjCIvarRegionKind:
797  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
798  case MemRegion::CompoundLiteralRegionKind:
799  // FIXME: Can we track this? Is it necessary?
800  return UnknownVal();
801  case MemRegion::ElementRegionKind:
802  // FIXME: How can we handle this? It's not good enough to subtract the
803  // offset from the base string length; consider "123\x00567" and &a[5].
804  return UnknownVal();
805  default:
806  // Other regions (mostly non-data) can't have a reliable C string length.
807  // In this case, an error is emitted and UndefinedVal is returned.
808  // The caller should always be prepared to handle this case.
809  if (Filter.CheckCStringNotNullTerm) {
810  SmallString<120> buf;
811  llvm::raw_svector_ostream os(buf);
812 
813  assert(CurrentFunctionDescription);
814  os << "Argument to " << CurrentFunctionDescription << " is ";
815 
816  if (SummarizeRegion(os, C.getASTContext(), MR))
817  os << ", which is not a null-terminated string";
818  else
819  os << "not a null-terminated string";
820 
821  emitNotCStringBug(C, state, Ex, os.str());
822  }
823  return UndefinedVal();
824  }
825 }
826 
827 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
828  ProgramStateRef &state, const Expr *expr, SVal val) const {
829 
830  // Get the memory region pointed to by the val.
831  const MemRegion *bufRegion = val.getAsRegion();
832  if (!bufRegion)
833  return nullptr;
834 
835  // Strip casts off the memory region.
836  bufRegion = bufRegion->StripCasts();
837 
838  // Cast the memory region to a string region.
839  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
840  if (!strRegion)
841  return nullptr;
842 
843  // Return the actual string in the string region.
844  return strRegion->getStringLiteral();
845 }
846 
847 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
848  ProgramStateRef state,
849  const Expr *FirstBuf,
850  const Expr *Size) {
851  // If we do not know that the buffer is long enough we return 'true'.
852  // Otherwise the parent region of this field region would also get
853  // invalidated, which would lead to warnings based on an unknown state.
854 
855  // Originally copied from CheckBufferAccess and CheckLocation.
856  SValBuilder &svalBuilder = C.getSValBuilder();
857  ASTContext &Ctx = svalBuilder.getContext();
858  const LocationContext *LCtx = C.getLocationContext();
859 
860  QualType sizeTy = Size->getType();
861  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
862  SVal BufVal = state->getSVal(FirstBuf, LCtx);
863 
864  SVal LengthVal = state->getSVal(Size, LCtx);
865  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
866  if (!Length)
867  return true; // cf top comment.
868 
869  // Compute the offset of the last element to be accessed: size-1.
870  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
871  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
872  if (Offset.isUnknown())
873  return true; // cf top comment
874  NonLoc LastOffset = Offset.castAs<NonLoc>();
875 
876  // Check that the first buffer is sufficiently long.
877  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
878  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
879  if (!BufLoc)
880  return true; // cf top comment.
881 
882  SVal BufEnd =
883  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
884 
885  // Check for out of bound array element access.
886  const MemRegion *R = BufEnd.getAsRegion();
887  if (!R)
888  return true; // cf top comment.
889 
890  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
891  if (!ER)
892  return true; // cf top comment.
893 
894  // FIXME: Does this crash when a non-standard definition
895  // of a library function is encountered?
896  assert(ER->getValueType() == C.getASTContext().CharTy &&
897  "IsFirstBufInBound should only be called with char* ElementRegions");
898 
899  // Get the size of the array.
900  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
901  SVal Extent =
902  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
903  DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
904 
905  // Get the index of the accessed element.
906  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
907 
908  ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true);
909 
910  return static_cast<bool>(StInBound);
911 }
912 
913 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
914  ProgramStateRef state,
915  const Expr *E, SVal V,
916  bool IsSourceBuffer,
917  const Expr *Size) {
918  Optional<Loc> L = V.getAs<Loc>();
919  if (!L)
920  return state;
921 
922  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
923  // some assumptions about the value that CFRefCount can't. Even so, it should
924  // probably be refactored.
925  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
926  const MemRegion *R = MR->getRegion()->StripCasts();
927 
928  // Are we dealing with an ElementRegion? If so, we should be invalidating
929  // the super-region.
930  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
931  R = ER->getSuperRegion();
932  // FIXME: What about layers of ElementRegions?
933  }
934 
935  // Invalidate this region.
936  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
937 
938  bool CausesPointerEscape = false;
939  RegionAndSymbolInvalidationTraits ITraits;
940  // Invalidate and escape only indirect regions accessible through the source
941  // buffer.
942  if (IsSourceBuffer) {
943  ITraits.setTrait(R->getBaseRegion(),
944  RegionAndSymbolInvalidationTraits::TK_PreserveContents);
945  ITraits.setTrait(R, RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
946  CausesPointerEscape = true;
947  } else {
948  const MemRegion::Kind& K = R->getKind();
949  if (K == MemRegion::FieldRegionKind)
950  if (Size && IsFirstBufInBound(C, state, E, Size)) {
951  // If destination buffer is a field region and access is in bound,
952  // do not invalidate its super region.
953  ITraits.setTrait(
954  R,
955  RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
956  }
957  }
958 
959  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
960  CausesPointerEscape, nullptr, nullptr,
961  &ITraits);
962  }
963 
964  // If we have a non-region value by chance, just remove the binding.
965  // FIXME: is this necessary or correct? This handles the non-Region
966  // cases. Is it ever valid to store to these?
967  return state->killBinding(*L);
968 }
969 
970 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
971  const MemRegion *MR) {
972  const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR);
973 
974  switch (MR->getKind()) {
975  case MemRegion::FunctionCodeRegionKind: {
976  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
977  if (FD)
978  os << "the address of the function '" << *FD << '\'';
979  else
980  os << "the address of a function";
981  return true;
982  }
983  case MemRegion::BlockCodeRegionKind:
984  os << "block text";
985  return true;
986  case MemRegion::BlockDataRegionKind:
987  os << "a block";
988  return true;
989  case MemRegion::CXXThisRegionKind:
990  case MemRegion::CXXTempObjectRegionKind:
991  os << "a C++ temp object of type " << TVR->getValueType().getAsString();
992  return true;
993  case MemRegion::VarRegionKind:
994  os << "a variable of type" << TVR->getValueType().getAsString();
995  return true;
996  case MemRegion::FieldRegionKind:
997  os << "a field of type " << TVR->getValueType().getAsString();
998  return true;
999  case MemRegion::ObjCIvarRegionKind:
1000  os << "an instance variable of type " << TVR->getValueType().getAsString();
1001  return true;
1002  default:
1003  return false;
1004  }
1005 }
1006 
1007 bool CStringChecker::memsetAux(const Expr *DstBuffer, const Expr *CharE,
1008  const Expr *Size, CheckerContext &C,
1009  ProgramStateRef &State) {
1010  SVal MemVal = C.getSVal(DstBuffer);
1011  SVal CharVal = C.getSVal(CharE);
1012  SVal SizeVal = C.getSVal(Size);
1013  const MemRegion *MR = MemVal.getAsRegion();
1014  if (!MR)
1015  return false;
1016 
1017  // We're about to model memset by producing a "default binding" in the Store.
1018  // Our current implementation - RegionStore - doesn't support default bindings
1019  // that don't cover the whole base region. So we should first get the offset
1020  // and the base region to figure out whether the offset of buffer is 0.
1021  RegionOffset Offset = MR->getAsOffset();
1022  const MemRegion *BR = Offset.getRegion();
1023 
1024  Optional<NonLoc> SizeNL = SizeVal.getAs<NonLoc>();
1025  if (!SizeNL)
1026  return false;
1027 
1028  SValBuilder &svalBuilder = C.getSValBuilder();
1029  ASTContext &Ctx = C.getASTContext();
1030 
1031  // void *memset(void *dest, int ch, size_t count);
1032  // For now we can only handle the case of offset is 0 and concrete char value.
1033  if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
1034  Offset.getOffset() == 0) {
1035  // Get the base region's extent.
1036  auto *SubReg = cast<SubRegion>(BR);
1037  DefinedOrUnknownSVal Extent = SubReg->getExtent(svalBuilder);
1038 
1039  ProgramStateRef StateWholeReg, StateNotWholeReg;
1040  std::tie(StateWholeReg, StateNotWholeReg) =
1041  State->assume(svalBuilder.evalEQ(State, Extent, *SizeNL));
1042 
1043  // With the semantic of 'memset()', we should convert the CharVal to
1044  // unsigned char.
1045  CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);
1046 
1047  ProgramStateRef StateNullChar, StateNonNullChar;
1048  std::tie(StateNullChar, StateNonNullChar) =
1049  assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
1050 
1051  if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
1052  !StateNonNullChar) {
1053  // If the 'memset()' acts on the whole region of destination buffer and
1054  // the value of the second argument of 'memset()' is zero, bind the second
1055  // argument's value to the destination buffer with 'default binding'.
1056  // FIXME: Since there is no perfect way to bind the non-zero character, we
1057  // can only deal with zero value here. In the future, we need to deal with
1058  // the binding of non-zero value in the case of whole region.
1059  State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
1060  C.getLocationContext());
1061  } else {
1062  // If the destination buffer's extent is not equal to the value of
1063  // third argument, just invalidate buffer.
1064  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1065  /*IsSourceBuffer*/ false, Size);
1066  }
1067 
1068  if (StateNullChar && !StateNonNullChar) {
1069  // If the value of the second argument of 'memset()' is zero, set the
1070  // string length of destination buffer to 0 directly.
1071  State = setCStringLength(State, MR,
1072  svalBuilder.makeZeroVal(Ctx.getSizeType()));
1073  } else if (!StateNullChar && StateNonNullChar) {
1074  SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
1075  CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
1076  C.getLocationContext(), C.blockCount());
1077 
1078  // If the value of second argument is not zero, then the string length
1079  // is at least the size argument.
1080  SVal NewStrLenGESize = svalBuilder.evalBinOp(
1081  State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
1082 
1083  State = setCStringLength(
1084  State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
1085  MR, NewStrLen);
1086  }
1087  } else {
1088  // If the offset is not zero and char value is not concrete, we can do
1089  // nothing but invalidate the buffer.
1090  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1091  /*IsSourceBuffer*/ false, Size);
1092  }
1093  return true;
1094 }
1095 
1096 //===----------------------------------------------------------------------===//
1097 // evaluation of individual function calls.
1098 //===----------------------------------------------------------------------===//
1099 
1100 void CStringChecker::evalCopyCommon(CheckerContext &C,
1101  const CallExpr *CE,
1102  ProgramStateRef state,
1103  const Expr *Size, const Expr *Dest,
1104  const Expr *Source, bool Restricted,
1105  bool IsMempcpy) const {
1106  CurrentFunctionDescription = "memory copy function";
1107 
1108  // See if the size argument is zero.
1109  const LocationContext *LCtx = C.getLocationContext();
1110  SVal sizeVal = state->getSVal(Size, LCtx);
1111  QualType sizeTy = Size->getType();
1112 
1113  ProgramStateRef stateZeroSize, stateNonZeroSize;
1114  std::tie(stateZeroSize, stateNonZeroSize) =
1115  assumeZero(C, state, sizeVal, sizeTy);
1116 
1117  // Get the value of the Dest.
1118  SVal destVal = state->getSVal(Dest, LCtx);
1119 
1120  // If the size is zero, there won't be any actual memory access, so
1121  // just bind the return value to the destination buffer and return.
1122  if (stateZeroSize && !stateNonZeroSize) {
1123  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1124  C.addTransition(stateZeroSize);
1125  return;
1126  }
1127 
1128  // If the size can be nonzero, we have to check the other arguments.
1129  if (stateNonZeroSize) {
1130  state = stateNonZeroSize;
1131 
1132  // Ensure the destination is not null. If it is NULL there will be a
1133  // NULL pointer dereference.
1134  state = checkNonNull(C, state, Dest, destVal);
1135  if (!state)
1136  return;
1137 
1138  // Get the value of the Src.
1139  SVal srcVal = state->getSVal(Source, LCtx);
1140 
1141  // Ensure the source is not null. If it is NULL there will be a
1142  // NULL pointer dereference.
1143  state = checkNonNull(C, state, Source, srcVal);
1144  if (!state)
1145  return;
1146 
1147  // Ensure the accesses are valid and that the buffers do not overlap.
1148  const char * const writeWarning =
1149  "Memory copy function overflows destination buffer";
1150  state = CheckBufferAccess(C, state, Size, Dest, Source,
1151  writeWarning, /* sourceWarning = */ nullptr);
1152  if (Restricted)
1153  state = CheckOverlap(C, state, Size, Dest, Source);
1154 
1155  if (!state)
1156  return;
1157 
1158  // If this is mempcpy, get the byte after the last byte copied and
1159  // bind the expr.
1160  if (IsMempcpy) {
1161  // Get the byte after the last byte copied.
1162  SValBuilder &SvalBuilder = C.getSValBuilder();
1163  ASTContext &Ctx = SvalBuilder.getContext();
1164  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1165  SVal DestRegCharVal =
1166  SvalBuilder.evalCast(destVal, CharPtrTy, Dest->getType());
1167  SVal lastElement = C.getSValBuilder().evalBinOp(
1168  state, BO_Add, DestRegCharVal, sizeVal, Dest->getType());
1169  // If we don't know how much we copied, we can at least
1170  // conjure a return value for later.
1171  if (lastElement.isUnknown())
1172  lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1173  C.blockCount());
1174 
1175  // The byte after the last byte copied is the return value.
1176  state = state->BindExpr(CE, LCtx, lastElement);
1177  } else {
1178  // All other copies return the destination buffer.
1179  // (Well, bcopy() has a void return type, but this won't hurt.)
1180  state = state->BindExpr(CE, LCtx, destVal);
1181  }
1182 
1183  // Invalidate the destination (regular invalidation without pointer-escaping
1184  // the address of the top-level region).
1185  // FIXME: Even if we can't perfectly model the copy, we should see if we
1186  // can use LazyCompoundVals to copy the source values into the destination.
1187  // This would probably remove any existing bindings past the end of the
1188  // copied region, but that's still an improvement over blank invalidation.
1189  state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest),
1190  /*IsSourceBuffer*/false, Size);
1191 
1192  // Invalidate the source (const-invalidation without const-pointer-escaping
1193  // the address of the top-level region).
1194  state = InvalidateBuffer(C, state, Source, C.getSVal(Source),
1195  /*IsSourceBuffer*/true, nullptr);
1196 
1197  C.addTransition(state);
1198  }
1199 }
1200 
1201 
1202 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1203  if (CE->getNumArgs() < 3)
1204  return;
1205 
1206  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1207  // The return value is the address of the destination buffer.
1208  const Expr *Dest = CE->getArg(0);
1209  ProgramStateRef state = C.getState();
1210 
1211  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true);
1212 }
1213 
1214 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1215  if (CE->getNumArgs() < 3)
1216  return;
1217 
1218  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1219  // The return value is a pointer to the byte following the last written byte.
1220  const Expr *Dest = CE->getArg(0);
1221  ProgramStateRef state = C.getState();
1222 
1223  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
1224 }
1225 
1226 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1227  if (CE->getNumArgs() < 3)
1228  return;
1229 
1230  // void *memmove(void *dst, const void *src, size_t n);
1231  // The return value is the address of the destination buffer.
1232  const Expr *Dest = CE->getArg(0);
1233  ProgramStateRef state = C.getState();
1234 
1235  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
1236 }
1237 
1238 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1239  if (CE->getNumArgs() < 3)
1240  return;
1241 
1242  // void bcopy(const void *src, void *dst, size_t n);
1243  evalCopyCommon(C, CE, C.getState(),
1244  CE->getArg(2), CE->getArg(1), CE->getArg(0));
1245 }
1246 
1247 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1248  if (CE->getNumArgs() < 3)
1249  return;
1250 
1251  // int memcmp(const void *s1, const void *s2, size_t n);
1252  CurrentFunctionDescription = "memory comparison function";
1253 
1254  const Expr *Left = CE->getArg(0);
1255  const Expr *Right = CE->getArg(1);
1256  const Expr *Size = CE->getArg(2);
1257 
1258  ProgramStateRef state = C.getState();
1259  SValBuilder &svalBuilder = C.getSValBuilder();
1260 
1261  // See if the size argument is zero.
1262  const LocationContext *LCtx = C.getLocationContext();
1263  SVal sizeVal = state->getSVal(Size, LCtx);
1264  QualType sizeTy = Size->getType();
1265 
1266  ProgramStateRef stateZeroSize, stateNonZeroSize;
1267  std::tie(stateZeroSize, stateNonZeroSize) =
1268  assumeZero(C, state, sizeVal, sizeTy);
1269 
1270  // If the size can be zero, the result will be 0 in that case, and we don't
1271  // have to check either of the buffers.
1272  if (stateZeroSize) {
1273  state = stateZeroSize;
1274  state = state->BindExpr(CE, LCtx,
1275  svalBuilder.makeZeroVal(CE->getType()));
1276  C.addTransition(state);
1277  }
1278 
1279  // If the size can be nonzero, we have to check the other arguments.
1280  if (stateNonZeroSize) {
1281  state = stateNonZeroSize;
1282  // If we know the two buffers are the same, we know the result is 0.
1283  // First, get the two buffers' addresses. Another checker will have already
1284  // made sure they're not undefined.
1285  DefinedOrUnknownSVal LV =
1286  state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>();
1287  DefinedOrUnknownSVal RV =
1288  state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>();
1289 
1290  // See if they are the same.
1291  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1292  ProgramStateRef StSameBuf, StNotSameBuf;
1293  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1294 
1295  // If the two arguments might be the same buffer, we know the result is 0,
1296  // and we only need to check one size.
1297  if (StSameBuf) {
1298  state = StSameBuf;
1299  state = CheckBufferAccess(C, state, Size, Left);
1300  if (state) {
1301  state = StSameBuf->BindExpr(CE, LCtx,
1302  svalBuilder.makeZeroVal(CE->getType()));
1303  C.addTransition(state);
1304  }
1305  }
1306 
1307  // If the two arguments might be different buffers, we have to check the
1308  // size of both of them.
1309  if (StNotSameBuf) {
1310  state = StNotSameBuf;
1311  state = CheckBufferAccess(C, state, Size, Left, Right);
1312  if (state) {
1313  // The return value is the comparison result, which we don't know.
1314  SVal CmpV = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1315  C.blockCount());
1316  state = state->BindExpr(CE, LCtx, CmpV);
1317  C.addTransition(state);
1318  }
1319  }
1320  }
1321 }
1322 
1323 void CStringChecker::evalstrLength(CheckerContext &C,
1324  const CallExpr *CE) const {
1325  if (CE->getNumArgs() < 1)
1326  return;
1327 
1328  // size_t strlen(const char *s);
1329  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1330 }
1331 
1332 void CStringChecker::evalstrnLength(CheckerContext &C,
1333  const CallExpr *CE) const {
1334  if (CE->getNumArgs() < 2)
1335  return;
1336 
1337  // size_t strnlen(const char *s, size_t maxlen);
1338  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1339 }
1340 
1341 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1342  bool IsStrnlen) const {
1343  CurrentFunctionDescription = "string length function";
1344  ProgramStateRef state = C.getState();
1345  const LocationContext *LCtx = C.getLocationContext();
1346 
1347  if (IsStrnlen) {
1348  const Expr *maxlenExpr = CE->getArg(1);
1349  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1350 
1351  ProgramStateRef stateZeroSize, stateNonZeroSize;
1352  std::tie(stateZeroSize, stateNonZeroSize) =
1353  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1354 
1355  // If the size can be zero, the result will be 0 in that case, and we don't
1356  // have to check the string itself.
1357  if (stateZeroSize) {
1358  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1359  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1360  C.addTransition(stateZeroSize);
1361  }
1362 
1363  // If the size is GUARANTEED to be zero, we're done!
1364  if (!stateNonZeroSize)
1365  return;
1366 
1367  // Otherwise, record the assumption that the size is nonzero.
1368  state = stateNonZeroSize;
1369  }
1370 
1371  // Check that the string argument is non-null.
1372  const Expr *Arg = CE->getArg(0);
1373  SVal ArgVal = state->getSVal(Arg, LCtx);
1374 
1375  state = checkNonNull(C, state, Arg, ArgVal);
1376 
1377  if (!state)
1378  return;
1379 
1380  SVal strLength = getCStringLength(C, state, Arg, ArgVal);
1381 
1382  // If the argument isn't a valid C string, there's no valid state to
1383  // transition to.
1384  if (strLength.isUndef())
1385  return;
1386 
1387  DefinedOrUnknownSVal result = UnknownVal();
1388 
1389  // If the check is for strnlen() then bind the return value to no more than
1390  // the maxlen value.
1391  if (IsStrnlen) {
1392  QualType cmpTy = C.getSValBuilder().getConditionType();
1393 
1394  // It's a little unfortunate to be getting this again,
1395  // but it's not that expensive...
1396  const Expr *maxlenExpr = CE->getArg(1);
1397  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1398 
1399  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1400  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1401 
1402  if (strLengthNL && maxlenValNL) {
1403  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1404 
1405  // Check if the strLength is greater than the maxlen.
1406  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1407  C.getSValBuilder()
1408  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1409  .castAs<DefinedOrUnknownSVal>());
1410 
1411  if (stateStringTooLong && !stateStringNotTooLong) {
1412  // If the string is longer than maxlen, return maxlen.
1413  result = *maxlenValNL;
1414  } else if (stateStringNotTooLong && !stateStringTooLong) {
1415  // If the string is shorter than maxlen, return its length.
1416  result = *strLengthNL;
1417  }
1418  }
1419 
1420  if (result.isUnknown()) {
1421  // If we don't have enough information for a comparison, there's
1422  // no guarantee the full string length will actually be returned.
1423  // All we know is the return value is the min of the string length
1424  // and the limit. This is better than nothing.
1425  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1426  C.blockCount());
1427  NonLoc resultNL = result.castAs<NonLoc>();
1428 
1429  if (strLengthNL) {
1430  state = state->assume(C.getSValBuilder().evalBinOpNN(
1431  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1432  .castAs<DefinedOrUnknownSVal>(), true);
1433  }
1434 
1435  if (maxlenValNL) {
1436  state = state->assume(C.getSValBuilder().evalBinOpNN(
1437  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1438  .castAs<DefinedOrUnknownSVal>(), true);
1439  }
1440  }
1441 
1442  } else {
1443  // This is a plain strlen(), not strnlen().
1444  result = strLength.castAs<DefinedOrUnknownSVal>();
1445 
1446  // If we don't know the length of the string, conjure a return
1447  // value, so it can be used in constraints, at least.
1448  if (result.isUnknown()) {
1449  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1450  C.blockCount());
1451  }
1452  }
1453 
1454  // Bind the return value.
1455  assert(!result.isUnknown() && "Should have conjured a value by now");
1456  state = state->BindExpr(CE, LCtx, result);
1457  C.addTransition(state);
1458 }
1459 
1460 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1461  if (CE->getNumArgs() < 2)
1462  return;
1463 
1464  // char *strcpy(char *restrict dst, const char *restrict src);
1465  evalStrcpyCommon(C, CE,
1466  /* returnEnd = */ false,
1467  /* isBounded = */ false,
1468  /* isAppending = */ false);
1469 }
1470 
1471 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1472  if (CE->getNumArgs() < 3)
1473  return;
1474 
1475  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1476  evalStrcpyCommon(C, CE,
1477  /* returnEnd = */ false,
1478  /* isBounded = */ true,
1479  /* isAppending = */ false);
1480 }
1481 
1482 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1483  if (CE->getNumArgs() < 2)
1484  return;
1485 
1486  // char *stpcpy(char *restrict dst, const char *restrict src);
1487  evalStrcpyCommon(C, CE,
1488  /* returnEnd = */ true,
1489  /* isBounded = */ false,
1490  /* isAppending = */ false);
1491 }
1492 
1493 void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const {
1494  if (CE->getNumArgs() < 3)
1495  return;
1496 
1497  // char *strlcpy(char *dst, const char *src, size_t n);
1498  evalStrcpyCommon(C, CE,
1499  /* returnEnd = */ true,
1500  /* isBounded = */ true,
1501  /* isAppending = */ false,
1502  /* returnPtr = */ false);
1503 }
1504 
1505 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1506  if (CE->getNumArgs() < 2)
1507  return;
1508 
1509  //char *strcat(char *restrict s1, const char *restrict s2);
1510  evalStrcpyCommon(C, CE,
1511  /* returnEnd = */ false,
1512  /* isBounded = */ false,
1513  /* isAppending = */ true);
1514 }
1515 
1516 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1517  if (CE->getNumArgs() < 3)
1518  return;
1519 
1520  //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1521  evalStrcpyCommon(C, CE,
1522  /* returnEnd = */ false,
1523  /* isBounded = */ true,
1524  /* isAppending = */ true);
1525 }
1526 
1527 void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const {
1528  if (CE->getNumArgs() < 3)
1529  return;
1530 
1531  //char *strlcat(char *s1, const char *s2, size_t n);
1532  evalStrcpyCommon(C, CE,
1533  /* returnEnd = */ false,
1534  /* isBounded = */ true,
1535  /* isAppending = */ true,
1536  /* returnPtr = */ false);
1537 }
1538 
1539 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1540  bool returnEnd, bool isBounded,
1541  bool isAppending, bool returnPtr) const {
1542  CurrentFunctionDescription = "string copy function";
1543  ProgramStateRef state = C.getState();
1544  const LocationContext *LCtx = C.getLocationContext();
1545 
1546  // Check that the destination is non-null.
1547  const Expr *Dst = CE->getArg(0);
1548  SVal DstVal = state->getSVal(Dst, LCtx);
1549 
1550  state = checkNonNull(C, state, Dst, DstVal);
1551  if (!state)
1552  return;
1553 
1554  // Check that the source is non-null.
1555  const Expr *srcExpr = CE->getArg(1);
1556  SVal srcVal = state->getSVal(srcExpr, LCtx);
1557  state = checkNonNull(C, state, srcExpr, srcVal);
1558  if (!state)
1559  return;
1560 
1561  // Get the string length of the source.
1562  SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
1563 
1564  // If the source isn't a valid C string, give up.
1565  if (strLength.isUndef())
1566  return;
1567 
1568  SValBuilder &svalBuilder = C.getSValBuilder();
1569  QualType cmpTy = svalBuilder.getConditionType();
1570  QualType sizeTy = svalBuilder.getContext().getSizeType();
1571 
1572  // These two values allow checking two kinds of errors:
1573  // - actual overflows caused by a source that doesn't fit in the destination
1574  // - potential overflows caused by a bound that could exceed the destination
1575  SVal amountCopied = UnknownVal();
1576  SVal maxLastElementIndex = UnknownVal();
1577  const char *boundWarning = nullptr;
1578 
1579  state = CheckOverlap(C, state, isBounded ? CE->getArg(2) : CE->getArg(1), Dst, srcExpr);
1580 
1581  if (!state)
1582  return;
1583 
1584  // If the function is strncpy, strncat, etc... it is bounded.
1585  if (isBounded) {
1586  // Get the max number of characters to copy.
1587  const Expr *lenExpr = CE->getArg(2);
1588  SVal lenVal = state->getSVal(lenExpr, LCtx);
1589 
1590  // Protect against misdeclared strncpy().
1591  lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
1592 
1593  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1594  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1595 
1596  // If we know both values, we might be able to figure out how much
1597  // we're copying.
1598  if (strLengthNL && lenValNL) {
1599  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1600 
1601  // Check if the max number to copy is less than the length of the src.
1602  // If the bound is equal to the source length, strncpy won't null-
1603  // terminate the result!
1604  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1605  svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1606  .castAs<DefinedOrUnknownSVal>());
1607 
1608  if (stateSourceTooLong && !stateSourceNotTooLong) {
1609  // Max number to copy is less than the length of the src, so the actual
1610  // strLength copied is the max number arg.
1611  state = stateSourceTooLong;
1612  amountCopied = lenVal;
1613 
1614  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1615  // The source buffer entirely fits in the bound.
1616  state = stateSourceNotTooLong;
1617  amountCopied = strLength;
1618  }
1619  }
1620 
1621  // We still want to know if the bound is known to be too large.
1622  if (lenValNL) {
1623  if (isAppending) {
1624  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1625 
1626  // Get the string length of the destination. If the destination is
1627  // memory that can't have a string length, we shouldn't be copying
1628  // into it anyway.
1629  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1630  if (dstStrLength.isUndef())
1631  return;
1632 
1633  if (Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>()) {
1634  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add,
1635  *lenValNL,
1636  *dstStrLengthNL,
1637  sizeTy);
1638  boundWarning = "Size argument is greater than the free space in the "
1639  "destination buffer";
1640  }
1641 
1642  } else {
1643  // For strncpy, this is just checking that lenVal <= sizeof(dst)
1644  // (Yes, strncpy and strncat differ in how they treat termination.
1645  // strncat ALWAYS terminates, but strncpy doesn't.)
1646 
1647  // We need a special case for when the copy size is zero, in which
1648  // case strncpy will do no work at all. Our bounds check uses n-1
1649  // as the last element accessed, so n == 0 is problematic.
1650  ProgramStateRef StateZeroSize, StateNonZeroSize;
1651  std::tie(StateZeroSize, StateNonZeroSize) =
1652  assumeZero(C, state, *lenValNL, sizeTy);
1653 
1654  // If the size is known to be zero, we're done.
1655  if (StateZeroSize && !StateNonZeroSize) {
1656  if (returnPtr) {
1657  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1658  } else {
1659  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, *lenValNL);
1660  }
1661  C.addTransition(StateZeroSize);
1662  return;
1663  }
1664 
1665  // Otherwise, go ahead and figure out the last element we'll touch.
1666  // We don't record the non-zero assumption here because we can't
1667  // be sure. We won't warn on a possible zero.
1668  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1669  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1670  one, sizeTy);
1671  boundWarning = "Size argument is greater than the length of the "
1672  "destination buffer";
1673  }
1674  }
1675 
1676  // If we couldn't pin down the copy length, at least bound it.
1677  // FIXME: We should actually run this code path for append as well, but
1678  // right now it creates problems with constraints (since we can end up
1679  // trying to pass constraints from symbol to symbol).
1680  if (amountCopied.isUnknown() && !isAppending) {
1681  // Try to get a "hypothetical" string length symbol, which we can later
1682  // set as a real value if that turns out to be the case.
1683  amountCopied = getCStringLength(C, state, lenExpr, srcVal, true);
1684  assert(!amountCopied.isUndef());
1685 
1686  if (Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>()) {
1687  if (lenValNL) {
1688  // amountCopied <= lenVal
1689  SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE,
1690  *amountCopiedNL,
1691  *lenValNL,
1692  cmpTy);
1693  state = state->assume(
1694  copiedLessThanBound.castAs<DefinedOrUnknownSVal>(), true);
1695  if (!state)
1696  return;
1697  }
1698 
1699  if (strLengthNL) {
1700  // amountCopied <= strlen(source)
1701  SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE,
1702  *amountCopiedNL,
1703  *strLengthNL,
1704  cmpTy);
1705  state = state->assume(
1706  copiedLessThanSrc.castAs<DefinedOrUnknownSVal>(), true);
1707  if (!state)
1708  return;
1709  }
1710  }
1711  }
1712 
1713  } else {
1714  // The function isn't bounded. The amount copied should match the length
1715  // of the source buffer.
1716  amountCopied = strLength;
1717  }
1718 
1719  assert(state);
1720 
1721  // This represents the number of characters copied into the destination
1722  // buffer. (It may not actually be the strlen if the destination buffer
1723  // is not terminated.)
1724  SVal finalStrLength = UnknownVal();
1725 
1726  // If this is an appending function (strcat, strncat...) then set the
1727  // string length to strlen(src) + strlen(dst) since the buffer will
1728  // ultimately contain both.
1729  if (isAppending) {
1730  // Get the string length of the destination. If the destination is memory
1731  // that can't have a string length, we shouldn't be copying into it anyway.
1732  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1733  if (dstStrLength.isUndef())
1734  return;
1735 
1736  Optional<NonLoc> srcStrLengthNL = amountCopied.getAs<NonLoc>();
1737  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1738 
1739  // If we know both string lengths, we might know the final string length.
1740  if (srcStrLengthNL && dstStrLengthNL) {
1741  // Make sure the two lengths together don't overflow a size_t.
1742  state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL);
1743  if (!state)
1744  return;
1745 
1746  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL,
1747  *dstStrLengthNL, sizeTy);
1748  }
1749 
1750  // If we couldn't get a single value for the final string length,
1751  // we can at least bound it by the individual lengths.
1752  if (finalStrLength.isUnknown()) {
1753  // Try to get a "hypothetical" string length symbol, which we can later
1754  // set as a real value if that turns out to be the case.
1755  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1756  assert(!finalStrLength.isUndef());
1757 
1758  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1759  if (srcStrLengthNL) {
1760  // finalStrLength >= srcStrLength
1761  SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1762  *finalStrLengthNL,
1763  *srcStrLengthNL,
1764  cmpTy);
1765  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1766  true);
1767  if (!state)
1768  return;
1769  }
1770 
1771  if (dstStrLengthNL) {
1772  // finalStrLength >= dstStrLength
1773  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1774  *finalStrLengthNL,
1775  *dstStrLengthNL,
1776  cmpTy);
1777  state =
1778  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1779  if (!state)
1780  return;
1781  }
1782  }
1783  }
1784 
1785  } else {
1786  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1787  // the final string length will match the input string length.
1788  finalStrLength = amountCopied;
1789  }
1790 
1791  SVal Result;
1792 
1793  if (returnPtr) {
1794  // The final result of the function will either be a pointer past the last
1795  // copied element, or a pointer to the start of the destination buffer.
1796  Result = (returnEnd ? UnknownVal() : DstVal);
1797  } else {
1798  Result = finalStrLength;
1799  }
1800 
1801  assert(state);
1802 
1803  // If the destination is a MemRegion, try to check for a buffer overflow and
1804  // record the new string length.
1805  if (Optional<loc::MemRegionVal> dstRegVal =
1806  DstVal.getAs<loc::MemRegionVal>()) {
1807  QualType ptrTy = Dst->getType();
1808 
1809  // If we have an exact value on a bounded copy, use that to check for
1810  // overflows, rather than our estimate about how much is actually copied.
1811  if (boundWarning) {
1812  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1813  SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1814  *maxLastNL, ptrTy);
1815  state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
1816  boundWarning);
1817  if (!state)
1818  return;
1819  }
1820  }
1821 
1822  // Then, if the final length is known...
1823  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1824  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1825  *knownStrLength, ptrTy);
1826 
1827  // ...and we haven't checked the bound, we'll check the actual copy.
1828  if (!boundWarning) {
1829  const char * const warningMsg =
1830  "String copy function overflows destination buffer";
1831  state = CheckLocation(C, state, Dst, lastElement, warningMsg);
1832  if (!state)
1833  return;
1834  }
1835 
1836  // If this is a stpcpy-style copy, the last element is the return value.
1837  if (returnPtr && returnEnd)
1838  Result = lastElement;
1839  }
1840 
1841  // Invalidate the destination (regular invalidation without pointer-escaping
1842  // the address of the top-level region). This must happen before we set the
1843  // C string length because invalidation will clear the length.
1844  // FIXME: Even if we can't perfectly model the copy, we should see if we
1845  // can use LazyCompoundVals to copy the source values into the destination.
1846  // This would probably remove any existing bindings past the end of the
1847  // string, but that's still an improvement over blank invalidation.
1848  state = InvalidateBuffer(C, state, Dst, *dstRegVal,
1849  /*IsSourceBuffer*/false, nullptr);
1850 
1851  // Invalidate the source (const-invalidation without const-pointer-escaping
1852  // the address of the top-level region).
1853  state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
1854  nullptr);
1855 
1856  // Set the C string length of the destination, if we know it.
1857  if (isBounded && !isAppending) {
1858  // strncpy is annoying in that it doesn't guarantee to null-terminate
1859  // the result string. If the original string didn't fit entirely inside
1860  // the bound (including the null-terminator), we don't know how long the
1861  // result is.
1862  if (amountCopied != strLength)
1863  finalStrLength = UnknownVal();
1864  }
1865  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1866  }
1867 
1868  assert(state);
1869 
1870  if (returnPtr) {
1871  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1872  // overflow, we still need a result. Conjure a return value.
1873  if (returnEnd && Result.isUnknown()) {
1874  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1875  }
1876  }
1877  // Set the return value.
1878  state = state->BindExpr(CE, LCtx, Result);
1879  C.addTransition(state);
1880 }
1881 
1882 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1883  if (CE->getNumArgs() < 2)
1884  return;
1885 
1886  //int strcmp(const char *s1, const char *s2);
1887  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false);
1888 }
1889 
1890 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1891  if (CE->getNumArgs() < 3)
1892  return;
1893 
1894  //int strncmp(const char *s1, const char *s2, size_t n);
1895  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false);
1896 }
1897 
1898 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1899  const CallExpr *CE) const {
1900  if (CE->getNumArgs() < 2)
1901  return;
1902 
1903  //int strcasecmp(const char *s1, const char *s2);
1904  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true);
1905 }
1906 
1907 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1908  const CallExpr *CE) const {
1909  if (CE->getNumArgs() < 3)
1910  return;
1911 
1912  //int strncasecmp(const char *s1, const char *s2, size_t n);
1913  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true);
1914 }
1915 
1916 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1917  bool isBounded, bool ignoreCase) const {
1918  CurrentFunctionDescription = "string comparison function";
1919  ProgramStateRef state = C.getState();
1920  const LocationContext *LCtx = C.getLocationContext();
1921 
1922  // Check that the first string is non-null
1923  const Expr *s1 = CE->getArg(0);
1924  SVal s1Val = state->getSVal(s1, LCtx);
1925  state = checkNonNull(C, state, s1, s1Val);
1926  if (!state)
1927  return;
1928 
1929  // Check that the second string is non-null.
1930  const Expr *s2 = CE->getArg(1);
1931  SVal s2Val = state->getSVal(s2, LCtx);
1932  state = checkNonNull(C, state, s2, s2Val);
1933  if (!state)
1934  return;
1935 
1936  // Get the string length of the first string or give up.
1937  SVal s1Length = getCStringLength(C, state, s1, s1Val);
1938  if (s1Length.isUndef())
1939  return;
1940 
1941  // Get the string length of the second string or give up.
1942  SVal s2Length = getCStringLength(C, state, s2, s2Val);
1943  if (s2Length.isUndef())
1944  return;
1945 
1946  // If we know the two buffers are the same, we know the result is 0.
1947  // First, get the two buffers' addresses. Another checker will have already
1948  // made sure they're not undefined.
1949  DefinedOrUnknownSVal LV = s1Val.castAs<DefinedOrUnknownSVal>();
1950  DefinedOrUnknownSVal RV = s2Val.castAs<DefinedOrUnknownSVal>();
1951 
1952  // See if they are the same.
1953  SValBuilder &svalBuilder = C.getSValBuilder();
1954  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1955  ProgramStateRef StSameBuf, StNotSameBuf;
1956  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1957 
1958  // If the two arguments might be the same buffer, we know the result is 0,
1959  // and we only need to check one size.
1960  if (StSameBuf) {
1961  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
1962  svalBuilder.makeZeroVal(CE->getType()));
1963  C.addTransition(StSameBuf);
1964 
1965  // If the two arguments are GUARANTEED to be the same, we're done!
1966  if (!StNotSameBuf)
1967  return;
1968  }
1969 
1970  assert(StNotSameBuf);
1971  state = StNotSameBuf;
1972 
1973  // At this point we can go about comparing the two buffers.
1974  // For now, we only do this if they're both known string literals.
1975 
1976  // Attempt to extract string literals from both expressions.
1977  const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val);
1978  const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val);
1979  bool canComputeResult = false;
1980  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1981  C.blockCount());
1982 
1983  if (s1StrLiteral && s2StrLiteral) {
1984  StringRef s1StrRef = s1StrLiteral->getString();
1985  StringRef s2StrRef = s2StrLiteral->getString();
1986 
1987  if (isBounded) {
1988  // Get the max number of characters to compare.
1989  const Expr *lenExpr = CE->getArg(2);
1990  SVal lenVal = state->getSVal(lenExpr, LCtx);
1991 
1992  // If the length is known, we can get the right substrings.
1993  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
1994  // Create substrings of each to compare the prefix.
1995  s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
1996  s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue());
1997  canComputeResult = true;
1998  }
1999  } else {
2000  // This is a normal, unbounded strcmp.
2001  canComputeResult = true;
2002  }
2003 
2004  if (canComputeResult) {
2005  // Real strcmp stops at null characters.
2006  size_t s1Term = s1StrRef.find('\0');
2007  if (s1Term != StringRef::npos)
2008  s1StrRef = s1StrRef.substr(0, s1Term);
2009 
2010  size_t s2Term = s2StrRef.find('\0');
2011  if (s2Term != StringRef::npos)
2012  s2StrRef = s2StrRef.substr(0, s2Term);
2013 
2014  // Use StringRef's comparison methods to compute the actual result.
2015  int compareRes = ignoreCase ? s1StrRef.compare_lower(s2StrRef)
2016  : s1StrRef.compare(s2StrRef);
2017 
2018  // The strcmp function returns an integer greater than, equal to, or less
2019  // than zero, [c11, p7.24.4.2].
2020  if (compareRes == 0) {
2021  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
2022  }
2023  else {
2024  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
2025  // Constrain strcmp's result range based on the result of StringRef's
2026  // comparison methods.
2027  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
2028  SVal compareWithZero =
2029  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
2030  svalBuilder.getConditionType());
2031  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
2032  state = state->assume(compareWithZeroVal, true);
2033  }
2034  }
2035  }
2036 
2037  state = state->BindExpr(CE, LCtx, resultVal);
2038 
2039  // Record this as a possible path.
2040  C.addTransition(state);
2041 }
2042 
2043 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
2044  //char *strsep(char **stringp, const char *delim);
2045  if (CE->getNumArgs() < 2)
2046  return;
2047 
2048  // Sanity: does the search string parameter match the return type?
2049  const Expr *SearchStrPtr = CE->getArg(0);
2050  QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType();
2051  if (CharPtrTy.isNull() ||
2052  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
2053  return;
2054 
2055  CurrentFunctionDescription = "strsep()";
2056  ProgramStateRef State = C.getState();
2057  const LocationContext *LCtx = C.getLocationContext();
2058 
2059  // Check that the search string pointer is non-null (though it may point to
2060  // a null string).
2061  SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx);
2062  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
2063  if (!State)
2064  return;
2065 
2066  // Check that the delimiter string is non-null.
2067  const Expr *DelimStr = CE->getArg(1);
2068  SVal DelimStrVal = State->getSVal(DelimStr, LCtx);
2069  State = checkNonNull(C, State, DelimStr, DelimStrVal);
2070  if (!State)
2071  return;
2072 
2073  SValBuilder &SVB = C.getSValBuilder();
2074  SVal Result;
2075  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
2076  // Get the current value of the search string pointer, as a char*.
2077  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
2078 
2079  // Invalidate the search string, representing the change of one delimiter
2080  // character to NUL.
2081  State = InvalidateBuffer(C, State, SearchStrPtr, Result,
2082  /*IsSourceBuffer*/false, nullptr);
2083 
2084  // Overwrite the search string pointer. The new value is either an address
2085  // further along in the same string, or NULL if there are no more tokens.
2086  State = State->bindLoc(*SearchStrLoc,
2087  SVB.conjureSymbolVal(getTag(),
2088  CE,
2089  LCtx,
2090  CharPtrTy,
2091  C.blockCount()),
2092  LCtx);
2093  } else {
2094  assert(SearchStrVal.isUnknown());
2095  // Conjure a symbolic value. It's the best we can do.
2096  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2097  }
2098 
2099  // Set the return value, and finish.
2100  State = State->BindExpr(CE, LCtx, Result);
2101  C.addTransition(State);
2102 }
2103 
2104 // These should probably be moved into a C++ standard library checker.
2105 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
2106  evalStdCopyCommon(C, CE);
2107 }
2108 
2109 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
2110  const CallExpr *CE) const {
2111  evalStdCopyCommon(C, CE);
2112 }
2113 
2114 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
2115  const CallExpr *CE) const {
2116  if (CE->getNumArgs() < 3)
2117  return;
2118 
2119  ProgramStateRef State = C.getState();
2120 
2121  const LocationContext *LCtx = C.getLocationContext();
2122 
2123  // template <class _InputIterator, class _OutputIterator>
2124  // _OutputIterator
2125  // copy(_InputIterator __first, _InputIterator __last,
2126  // _OutputIterator __result)
2127 
2128  // Invalidate the destination buffer
2129  const Expr *Dst = CE->getArg(2);
2130  SVal DstVal = State->getSVal(Dst, LCtx);
2131  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
2132  /*Size=*/nullptr);
2133 
2134  SValBuilder &SVB = C.getSValBuilder();
2135 
2136  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2137  State = State->BindExpr(CE, LCtx, ResultVal);
2138 
2139  C.addTransition(State);
2140 }
2141 
2142 void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
2143  if (CE->getNumArgs() != 3)
2144  return;
2145 
2146  CurrentFunctionDescription = "memory set function";
2147 
2148  const Expr *Mem = CE->getArg(0);
2149  const Expr *CharE = CE->getArg(1);
2150  const Expr *Size = CE->getArg(2);
2151  ProgramStateRef State = C.getState();
2152 
2153  // See if the size argument is zero.
2154  const LocationContext *LCtx = C.getLocationContext();
2155  SVal SizeVal = State->getSVal(Size, LCtx);
2156  QualType SizeTy = Size->getType();
2157 
2158  ProgramStateRef StateZeroSize, StateNonZeroSize;
2159  std::tie(StateZeroSize, StateNonZeroSize) =
2160  assumeZero(C, State, SizeVal, SizeTy);
2161 
2162  // Get the value of the memory area.
2163  SVal MemVal = State->getSVal(Mem, LCtx);
2164 
2165  // If the size is zero, there won't be any actual memory access, so
2166  // just bind the return value to the Mem buffer and return.
2167  if (StateZeroSize && !StateNonZeroSize) {
2168  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, MemVal);
2169  C.addTransition(StateZeroSize);
2170  return;
2171  }
2172 
2173  // Ensure the memory area is not null.
2174  // If it is NULL there will be a NULL pointer dereference.
2175  State = checkNonNull(C, StateNonZeroSize, Mem, MemVal);
2176  if (!State)
2177  return;
2178 
2179  State = CheckBufferAccess(C, State, Size, Mem);
2180  if (!State)
2181  return;
2182 
2183  // According to the values of the arguments, bind the value of the second
2184  // argument to the destination buffer and set string length, or just
2185  // invalidate the destination buffer.
2186  if (!memsetAux(Mem, CharE, Size, C, State))
2187  return;
2188 
2189  State = State->BindExpr(CE, LCtx, MemVal);
2190  C.addTransition(State);
2191 }
2192 
2193 static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name) {
2194  IdentifierInfo *II = FD->getIdentifier();
2195  if (!II)
2196  return false;
2197 
2198  if (!AnalysisDeclContext::isInStdNamespace(FD))
2199  return false;
2200 
2201  if (II->getName().equals(Name))
2202  return true;
2203 
2204  return false;
2205 }
2206 //===----------------------------------------------------------------------===//
2207 // The driver method, and other Checker callbacks.
2208 //===----------------------------------------------------------------------===//
2209 
2210 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
2211  const FunctionDecl *FDecl = C.getCalleeDecl(CE);
2212 
2213  if (!FDecl)
2214  return false;
2215 
2216  // FIXME: Poorly-factored string switches are slow.
2217  FnCheck evalFunction = nullptr;
2218  if (C.isCLibraryFunction(FDecl, "memcpy"))
2219  evalFunction = &CStringChecker::evalMemcpy;
2220  else if (C.isCLibraryFunction(FDecl, "mempcpy"))
2221  evalFunction = &CStringChecker::evalMempcpy;
2222  else if (C.isCLibraryFunction(FDecl, "memcmp"))
2223  evalFunction = &CStringChecker::evalMemcmp;
2224  else if (C.isCLibraryFunction(FDecl, "memmove"))
2225  evalFunction = &CStringChecker::evalMemmove;
2226  else if (C.isCLibraryFunction(FDecl, "memset"))
2227  evalFunction = &CStringChecker::evalMemset;
2228  else if (C.isCLibraryFunction(FDecl, "strcpy"))
2229  evalFunction = &CStringChecker::evalStrcpy;
2230  else if (C.isCLibraryFunction(FDecl, "strncpy"))
2231  evalFunction = &CStringChecker::evalStrncpy;
2232  else if (C.isCLibraryFunction(FDecl, "stpcpy"))
2233  evalFunction = &CStringChecker::evalStpcpy;
2234  else if (C.isCLibraryFunction(FDecl, "strlcpy"))
2235  evalFunction = &CStringChecker::evalStrlcpy;
2236  else if (C.isCLibraryFunction(FDecl, "strcat"))
2237  evalFunction = &CStringChecker::evalStrcat;
2238  else if (C.isCLibraryFunction(FDecl, "strncat"))
2239  evalFunction = &CStringChecker::evalStrncat;
2240  else if (C.isCLibraryFunction(FDecl, "strlcat"))
2241  evalFunction = &CStringChecker::evalStrlcat;
2242  else if (C.isCLibraryFunction(FDecl, "strlen"))
2243  evalFunction = &CStringChecker::evalstrLength;
2244  else if (C.isCLibraryFunction(FDecl, "strnlen"))
2245  evalFunction = &CStringChecker::evalstrnLength;
2246  else if (C.isCLibraryFunction(FDecl, "strcmp"))
2247  evalFunction = &CStringChecker::evalStrcmp;
2248  else if (C.isCLibraryFunction(FDecl, "strncmp"))
2249  evalFunction = &CStringChecker::evalStrncmp;
2250  else if (C.isCLibraryFunction(FDecl, "strcasecmp"))
2251  evalFunction = &CStringChecker::evalStrcasecmp;
2252  else if (C.isCLibraryFunction(FDecl, "strncasecmp"))
2253  evalFunction = &CStringChecker::evalStrncasecmp;
2254  else if (C.isCLibraryFunction(FDecl, "strsep"))
2255  evalFunction = &CStringChecker::evalStrsep;
2256  else if (C.isCLibraryFunction(FDecl, "bcopy"))
2257  evalFunction = &CStringChecker::evalBcopy;
2258  else if (C.isCLibraryFunction(FDecl, "bcmp"))
2259  evalFunction = &CStringChecker::evalMemcmp;
2260  else if (isCPPStdLibraryFunction(FDecl, "copy"))
2261  evalFunction = &CStringChecker::evalStdCopy;
2262  else if (isCPPStdLibraryFunction(FDecl, "copy_backward"))
2263  evalFunction = &CStringChecker::evalStdCopyBackward;
2264 
2265  // If the callee isn't a string function, let another checker handle it.
2266  if (!evalFunction)
2267  return false;
2268 
2269  // Check and evaluate the call.
2270  (this->*evalFunction)(C, CE);
2271 
2272  // If the evaluate call resulted in no change, chain to the next eval call
2273  // handler.
2274  // Note, the custom CString evaluation calls assume that basic safety
2275  // properties are held. However, if the user chooses to turn off some of these
2276  // checks, we ignore the issues and leave the call evaluation to a generic
2277  // handler.
2278  return C.isDifferent();
2279 }
2280 
2281 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2282  // Record string length for char a[] = "abc";
2283  ProgramStateRef state = C.getState();
2284 
2285  for (const auto *I : DS->decls()) {
2286  const VarDecl *D = dyn_cast<VarDecl>(I);
2287  if (!D)
2288  continue;
2289 
2290  // FIXME: Handle array fields of structs.
2291  if (!D->getType()->isArrayType())
2292  continue;
2293 
2294  const Expr *Init = D->getInit();
2295  if (!Init)
2296  continue;
2297  if (!isa<StringLiteral>(Init))
2298  continue;
2299 
2300  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2301  const MemRegion *MR = VarLoc.getAsRegion();
2302  if (!MR)
2303  continue;
2304 
2305  SVal StrVal = C.getSVal(Init);
2306  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2307  DefinedOrUnknownSVal strLength =
2308  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2309 
2310  state = state->set<CStringLength>(MR, strLength);
2311  }
2312 
2313  C.addTransition(state);
2314 }
2315 
2316 ProgramStateRef
2317 CStringChecker::checkRegionChanges(ProgramStateRef state,
2318  const InvalidatedSymbols *,
2319  ArrayRef<const MemRegion *> ExplicitRegions,
2320  ArrayRef<const MemRegion *> Regions,
2321  const LocationContext *LCtx,
2322  const CallEvent *Call) const {
2323  CStringLengthTy Entries = state->get<CStringLength>();
2324  if (Entries.isEmpty())
2325  return state;
2326 
2327  llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
2328  llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
2329 
2330  // First build sets for the changed regions and their super-regions.
2331  for (ArrayRef<const MemRegion *>::iterator
2332  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2333  const MemRegion *MR = *I;
2334  Invalidated.insert(MR);
2335 
2336  SuperRegions.insert(MR);
2337  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2338  MR = SR->getSuperRegion();
2339  SuperRegions.insert(MR);
2340  }
2341  }
2342 
2343  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2344 
2345  // Then loop over the entries in the current state.
2346  for (CStringLengthTy::iterator I = Entries.begin(),
2347  E = Entries.end(); I != E; ++I) {
2348  const MemRegion *MR = I.getKey();
2349 
2350  // Is this entry for a super-region of a changed region?
2351  if (SuperRegions.count(MR)) {
2352  Entries = F.remove(Entries, MR);
2353  continue;
2354  }
2355 
2356  // Is this entry for a sub-region of a changed region?
2357  const MemRegion *Super = MR;
2358  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2359  Super = SR->getSuperRegion();
2360  if (Invalidated.count(Super)) {
2361  Entries = F.remove(Entries, MR);
2362  break;
2363  }
2364  }
2365  }
2366 
2367  return state->set<CStringLength>(Entries);
2368 }
2369 
2370 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2371  SymbolReaper &SR) const {
2372  // Mark all symbols in our string length map as valid.
2373  CStringLengthTy Entries = state->get<CStringLength>();
2374 
2375  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2376  I != E; ++I) {
2377  SVal Len = I.getData();
2378 
2379  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2380  se = Len.symbol_end(); si != se; ++si)
2381  SR.markInUse(*si);
2382  }
2383 }
2384 
2385 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2386  CheckerContext &C) const {
2387  if (!SR.hasDeadSymbols())
2388  return;
2389 
2390  ProgramStateRef state = C.getState();
2391  CStringLengthTy Entries = state->get<CStringLength>();
2392  if (Entries.isEmpty())
2393  return;
2394 
2395  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2396  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2397  I != E; ++I) {
2398  SVal Len = I.getData();
2399  if (SymbolRef Sym = Len.getAsSymbol()) {
2400  if (SR.isDead(Sym))
2401  Entries = F.remove(Entries, I.getKey());
2402  }
2403  }
2404 
2405  state = state->set<CStringLength>(Entries);
2406  C.addTransition(state);
2407 }
2408 
2409 #define REGISTER_CHECKER(name) \
2410  void ento::register##name(CheckerManager &mgr) { \
2411  CStringChecker *checker = mgr.registerChecker<CStringChecker>(); \
2412  checker->Filter.Check##name = true; \
2413  checker->Filter.CheckName##name = mgr.getCurrentCheckName(); \
2414  }
2415 
2416  REGISTER_CHECKER(CStringNullArg)
2417  REGISTER_CHECKER(CStringOutOfBounds)
2418  REGISTER_CHECKER(CStringBufferOverlap)
2419 REGISTER_CHECKER(CStringNotNullTerm)
2420 
2421  void ento::registerCStringCheckerBasic(CheckerManager &Mgr) {
2422  Mgr.registerChecker<CStringChecker>();
2423  }
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1717
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:642
clang::Type::isArrayType
bool isArrayType() const
Definition: Type.h:6226
clang::CallExpr::getArg
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2354
clang::ento::InvalidatedSymbols
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:52
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition: PathDiagnostic.h:59
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:66
clang::CallExpr::getNumArgs
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2342
clang::Type::getPointeeType
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:497
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:38
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:812
clang::ast_matchers::expr
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
Definition: ASTMatchersInternal.cpp:687
clang::NamedDecl::getIdentifier
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:269
clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:50
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:154
State
LineState State
Definition: UnwrappedLineFormatter.cpp:875
clang::CodeGen::state
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
Definition: CGOpenMPRuntime.h:721
clang::ento::registerCStringCheckerBasic
void registerCStringCheckerBasic(CheckerManager &Mgr)
Register the checker which evaluates CString API calls.
Definition: CStringChecker.cpp:2421
clang::BinaryOperatorKind
BinaryOperatorKind
Definition: OperationKinds.h:26
clang::AnalysisDeclContext::isInStdNamespace
static bool isInStdNamespace(const Decl *D)
Returns true if the root namespace of the given declaration is the &#39;std&#39; C++ namespace.
Definition: AnalysisDeclContext.cpp:324
Offset
uint32_t Offset
Definition: CacheTokens.cpp:43
isCPPStdLibraryFunction
static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name)
Definition: CStringChecker.cpp:2193
clang::ASTContext::UnsignedCharTy
CanQualType UnsignedCharTy
Definition: ASTContext.h:1035
clang::StringLiteral::getString
StringRef getString() const
Definition: Expr.h:1616
REGISTER_CHECKER
#define REGISTER_CHECKER(name)
Definition: CStringChecker.cpp:2409
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: CheckerContext.h:36
clang::Expr
This represents one expression.
Definition: Expr.h:105
Label
std::string Label
Definition: UsingDeclarationsSorter.cpp:70
clang::Expr::getType
QualType getType() const
Definition: Expr.h:127
clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:707
clang::DeclStmt
DeclStmt - Adaptor class for mixing declarations with statements and expressions. ...
Definition: Stmt.h:505
clang::ento::RegionAndSymbolInvalidationTraits::TK_PreserveContents
Tells that a region&#39;s contents is not changed.
Definition: MemRegion.h:1453
clang::IdentifierInfo::getName
StringRef getName() const
Return the actual identifier string.
Definition: IdentifierTable.h:160
clang::ASTContext::CharTy
CanQualType CharTy
Definition: ASTContext.h:1027
clang
Dataflow Directional Tag Classes.
Definition: CFGReachabilityAnalysis.h:22
clang::VarDecl::getInit
const Expr * getInit() const
Definition: Decl.h:1217
clang::StringLiteral::getByteLength
unsigned getByteLength() const
Definition: Expr.h:1648
clang::DeclStmt::decls
decl_range decls()
Definition: Stmt.h:550
clang::QualType::getUnqualifiedType
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:6033
clang::ASTContext::getPointerType
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
Definition: ASTContext.cpp:2784
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:268
clang::StringLiteral
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1568
clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2285
clang::toUppercase
LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:174
clang::ASTContext::IntTy
CanQualType IntTy
Definition: ASTContext.h:1034
clang::ValueDecl::getType
QualType getType() const
Definition: Decl.h:647
clang::NamedDecl
This represents a decl that may have a name.
Definition: Decl.h:248
clang::ASTContext::getSizeType
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
Definition: ASTContext.cpp:4905
Generated on Thu Sep 20 2018 00:54:11 for clang by   doxygen 1.8.13