clang  8.0.0svn
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines CStringChecker, which is an assortment of checks on calls
11 // to functions in <string.h>.
12 //
13 //===----------------------------------------------------------------------===//
14 
16 #include "InterCheckerAPI.h"
17 #include "clang/Basic/CharInfo.h"
23 #include "llvm/ADT/STLExtras.h"
24 #include "llvm/ADT/SmallString.h"
25 #include "llvm/Support/raw_ostream.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 namespace {
31 class CStringChecker : public Checker< eval::Call,
32  check::PreStmt<DeclStmt>,
33  check::LiveSymbols,
34  check::DeadSymbols,
35  check::RegionChanges
36  > {
37  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
38  BT_NotCString, BT_AdditionOverflow;
39 
40  mutable const char *CurrentFunctionDescription;
41 
42 public:
43  /// The filter is used to filter out the diagnostics which are not enabled by
44  /// the user.
45  struct CStringChecksFilter {
46  DefaultBool CheckCStringNullArg;
47  DefaultBool CheckCStringOutOfBounds;
48  DefaultBool CheckCStringBufferOverlap;
49  DefaultBool CheckCStringNotNullTerm;
50 
51  CheckName CheckNameCStringNullArg;
52  CheckName CheckNameCStringOutOfBounds;
53  CheckName CheckNameCStringBufferOverlap;
54  CheckName CheckNameCStringNotNullTerm;
55  };
56 
57  CStringChecksFilter Filter;
58 
59  static void *getTag() { static int tag; return &tag; }
60 
61  bool evalCall(const CallExpr *CE, CheckerContext &C) const;
62  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
63  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
64  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
65 
67  checkRegionChanges(ProgramStateRef state,
68  const InvalidatedSymbols *,
69  ArrayRef<const MemRegion *> ExplicitRegions,
71  const LocationContext *LCtx,
72  const CallEvent *Call) const;
73 
74  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
75  const CallExpr *) const;
76 
77  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
78  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
79  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
80  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
81  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
83  const Expr *Size,
84  const Expr *Source,
85  const Expr *Dest,
86  bool Restricted = false,
87  bool IsMempcpy = false) const;
88 
89  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
90 
91  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
92  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
93  void evalstrLengthCommon(CheckerContext &C,
94  const CallExpr *CE,
95  bool IsStrnlen = false) const;
96 
97  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
98  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
99  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
100  void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const;
101  void evalStrcpyCommon(CheckerContext &C,
102  const CallExpr *CE,
103  bool returnEnd,
104  bool isBounded,
105  bool isAppending,
106  bool returnPtr = true) const;
107 
108  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
109  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
110  void evalStrlcat(CheckerContext &C, const CallExpr *CE) const;
111 
112  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
113  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
114  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
115  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
116  void evalStrcmpCommon(CheckerContext &C,
117  const CallExpr *CE,
118  bool isBounded = false,
119  bool ignoreCase = false) const;
120 
121  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
122 
123  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
124  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
125  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
126  void evalMemset(CheckerContext &C, const CallExpr *CE) const;
127  void evalBzero(CheckerContext &C, const CallExpr *CE) const;
128 
129  // Utility methods
130  std::pair<ProgramStateRef , ProgramStateRef >
131  static assumeZero(CheckerContext &C,
132  ProgramStateRef state, SVal V, QualType Ty);
133 
134  static ProgramStateRef setCStringLength(ProgramStateRef state,
135  const MemRegion *MR,
136  SVal strLength);
137  static SVal getCStringLengthForRegion(CheckerContext &C,
139  const Expr *Ex,
140  const MemRegion *MR,
141  bool hypothetical);
142  SVal getCStringLength(CheckerContext &C,
144  const Expr *Ex,
145  SVal Buf,
146  bool hypothetical = false) const;
147 
148  const StringLiteral *getCStringLiteral(CheckerContext &C,
150  const Expr *expr,
151  SVal val) const;
152 
153  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
155  const Expr *Ex, SVal V,
156  bool IsSourceBuffer,
157  const Expr *Size);
158 
159  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
160  const MemRegion *MR);
161 
162  static bool memsetAux(const Expr *DstBuffer, SVal CharE,
163  const Expr *Size, CheckerContext &C,
165 
166  // Re-usable checks
167  ProgramStateRef checkNonNull(CheckerContext &C,
169  const Expr *S,
170  SVal l) const;
171  ProgramStateRef CheckLocation(CheckerContext &C,
173  const Expr *S,
174  SVal l,
175  const char *message = nullptr) const;
176  ProgramStateRef CheckBufferAccess(CheckerContext &C,
178  const Expr *Size,
179  const Expr *FirstBuf,
180  const Expr *SecondBuf,
181  const char *firstMessage = nullptr,
182  const char *secondMessage = nullptr,
183  bool WarnAboutSize = false) const;
184 
185  ProgramStateRef CheckBufferAccess(CheckerContext &C,
187  const Expr *Size,
188  const Expr *Buf,
189  const char *message = nullptr,
190  bool WarnAboutSize = false) const {
191  // This is a convenience override.
192  return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
193  WarnAboutSize);
194  }
195  ProgramStateRef CheckOverlap(CheckerContext &C,
197  const Expr *Size,
198  const Expr *First,
199  const Expr *Second) const;
200  void emitOverlapBug(CheckerContext &C,
202  const Stmt *First,
203  const Stmt *Second) const;
204 
205  void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
206  StringRef WarningMsg) const;
207  void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
208  const Stmt *S, StringRef WarningMsg) const;
209  void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
210  const Stmt *S, StringRef WarningMsg) const;
211  void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
212 
213  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
215  NonLoc left,
216  NonLoc right) const;
217 
218  // Return true if the destination buffer of the copy function may be in bound.
219  // Expects SVal of Size to be positive and unsigned.
220  // Expects SVal of FirstBuf to be a FieldRegion.
221  static bool IsFirstBufInBound(CheckerContext &C,
223  const Expr *FirstBuf,
224  const Expr *Size);
225 };
226 
227 } //end anonymous namespace
228 
229 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
230 
231 //===----------------------------------------------------------------------===//
232 // Individual checks and utility methods.
233 //===----------------------------------------------------------------------===//
234 
235 std::pair<ProgramStateRef , ProgramStateRef >
236 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
237  QualType Ty) {
238  Optional<DefinedSVal> val = V.getAs<DefinedSVal>();
239  if (!val)
240  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
241 
242  SValBuilder &svalBuilder = C.getSValBuilder();
243  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
244  return state->assume(svalBuilder.evalEQ(state, *val, zero));
245 }
246 
247 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
248  ProgramStateRef state,
249  const Expr *S, SVal l) const {
250  // If a previous check has failed, propagate the failure.
251  if (!state)
252  return nullptr;
253 
254  ProgramStateRef stateNull, stateNonNull;
255  std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
256 
257  if (stateNull && !stateNonNull) {
258  if (Filter.CheckCStringNullArg) {
259  SmallString<80> buf;
260  llvm::raw_svector_ostream os(buf);
261  assert(CurrentFunctionDescription);
262  os << "Null pointer argument in call to " << CurrentFunctionDescription;
263 
264  emitNullArgBug(C, stateNull, S, os.str());
265  }
266  return nullptr;
267  }
268 
269  // From here on, assume that the value is non-null.
270  assert(stateNonNull);
271  return stateNonNull;
272 }
273 
274 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
275 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
276  ProgramStateRef state,
277  const Expr *S, SVal l,
278  const char *warningMsg) const {
279  // If a previous check has failed, propagate the failure.
280  if (!state)
281  return nullptr;
282 
283  // Check for out of bound array element access.
284  const MemRegion *R = l.getAsRegion();
285  if (!R)
286  return state;
287 
288  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
289  if (!ER)
290  return state;
291 
292  if (ER->getValueType() != C.getASTContext().CharTy)
293  return state;
294 
295  // Get the size of the array.
296  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
297  SValBuilder &svalBuilder = C.getSValBuilder();
298  SVal Extent =
299  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
300  DefinedOrUnknownSVal Size = Extent.castAs<DefinedOrUnknownSVal>();
301 
302  // Get the index of the accessed element.
303  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
304 
305  ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
306  ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
307  if (StOutBound && !StInBound) {
308  // These checks are either enabled by the CString out-of-bounds checker
309  // explicitly or implicitly by the Malloc checker.
310  // In the latter case we only do modeling but do not emit warning.
311  if (!Filter.CheckCStringOutOfBounds)
312  return nullptr;
313  // Emit a bug report.
314  if (warningMsg) {
315  emitOutOfBoundsBug(C, StOutBound, S, warningMsg);
316  } else {
317  assert(CurrentFunctionDescription);
318  assert(CurrentFunctionDescription[0] != '\0');
319 
320  SmallString<80> buf;
321  llvm::raw_svector_ostream os(buf);
322  os << toUppercase(CurrentFunctionDescription[0])
323  << &CurrentFunctionDescription[1]
324  << " accesses out-of-bound array element";
325  emitOutOfBoundsBug(C, StOutBound, S, os.str());
326  }
327  return nullptr;
328  }
329 
330  // Array bound check succeeded. From this point forward the array bound
331  // should always succeed.
332  return StInBound;
333 }
334 
335 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
336  ProgramStateRef state,
337  const Expr *Size,
338  const Expr *FirstBuf,
339  const Expr *SecondBuf,
340  const char *firstMessage,
341  const char *secondMessage,
342  bool WarnAboutSize) const {
343  // If a previous check has failed, propagate the failure.
344  if (!state)
345  return nullptr;
346 
347  SValBuilder &svalBuilder = C.getSValBuilder();
348  ASTContext &Ctx = svalBuilder.getContext();
349  const LocationContext *LCtx = C.getLocationContext();
350 
351  QualType sizeTy = Size->getType();
352  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
353 
354  // Check that the first buffer is non-null.
355  SVal BufVal = C.getSVal(FirstBuf);
356  state = checkNonNull(C, state, FirstBuf, BufVal);
357  if (!state)
358  return nullptr;
359 
360  // If out-of-bounds checking is turned off, skip the rest.
361  if (!Filter.CheckCStringOutOfBounds)
362  return state;
363 
364  // Get the access length and make sure it is known.
365  // FIXME: This assumes the caller has already checked that the access length
366  // is positive. And that it's unsigned.
367  SVal LengthVal = C.getSVal(Size);
368  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
369  if (!Length)
370  return state;
371 
372  // Compute the offset of the last element to be accessed: size-1.
373  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
374  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
375  if (Offset.isUnknown())
376  return nullptr;
377  NonLoc LastOffset = Offset.castAs<NonLoc>();
378 
379  // Check that the first buffer is sufficiently long.
380  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
381  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
382  const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
383 
384  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
385  LastOffset, PtrTy);
386  state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
387 
388  // If the buffer isn't large enough, abort.
389  if (!state)
390  return nullptr;
391  }
392 
393  // If there's a second buffer, check it as well.
394  if (SecondBuf) {
395  BufVal = state->getSVal(SecondBuf, LCtx);
396  state = checkNonNull(C, state, SecondBuf, BufVal);
397  if (!state)
398  return nullptr;
399 
400  BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
401  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
402  const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
403 
404  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
405  LastOffset, PtrTy);
406  state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
407  }
408  }
409 
410  // Large enough or not, return this state!
411  return state;
412 }
413 
414 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
415  ProgramStateRef state,
416  const Expr *Size,
417  const Expr *First,
418  const Expr *Second) const {
419  if (!Filter.CheckCStringBufferOverlap)
420  return state;
421 
422  // Do a simple check for overlap: if the two arguments are from the same
423  // buffer, see if the end of the first is greater than the start of the second
424  // or vice versa.
425 
426  // If a previous check has failed, propagate the failure.
427  if (!state)
428  return nullptr;
429 
430  ProgramStateRef stateTrue, stateFalse;
431 
432  // Get the buffer values and make sure they're known locations.
433  const LocationContext *LCtx = C.getLocationContext();
434  SVal firstVal = state->getSVal(First, LCtx);
435  SVal secondVal = state->getSVal(Second, LCtx);
436 
437  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
438  if (!firstLoc)
439  return state;
440 
441  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
442  if (!secondLoc)
443  return state;
444 
445  // Are the two values the same?
446  SValBuilder &svalBuilder = C.getSValBuilder();
447  std::tie(stateTrue, stateFalse) =
448  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
449 
450  if (stateTrue && !stateFalse) {
451  // If the values are known to be equal, that's automatically an overlap.
452  emitOverlapBug(C, stateTrue, First, Second);
453  return nullptr;
454  }
455 
456  // assume the two expressions are not equal.
457  assert(stateFalse);
458  state = stateFalse;
459 
460  // Which value comes first?
461  QualType cmpTy = svalBuilder.getConditionType();
462  SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT,
463  *firstLoc, *secondLoc, cmpTy);
464  Optional<DefinedOrUnknownSVal> reverseTest =
465  reverse.getAs<DefinedOrUnknownSVal>();
466  if (!reverseTest)
467  return state;
468 
469  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
470  if (stateTrue) {
471  if (stateFalse) {
472  // If we don't know which one comes first, we can't perform this test.
473  return state;
474  } else {
475  // Switch the values so that firstVal is before secondVal.
476  std::swap(firstLoc, secondLoc);
477 
478  // Switch the Exprs as well, so that they still correspond.
479  std::swap(First, Second);
480  }
481  }
482 
483  // Get the length, and make sure it too is known.
484  SVal LengthVal = state->getSVal(Size, LCtx);
485  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
486  if (!Length)
487  return state;
488 
489  // Convert the first buffer's start address to char*.
490  // Bail out if the cast fails.
491  ASTContext &Ctx = svalBuilder.getContext();
492  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
493  SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy,
494  First->getType());
495  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
496  if (!FirstStartLoc)
497  return state;
498 
499  // Compute the end of the first buffer. Bail out if THAT fails.
500  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add,
501  *FirstStartLoc, *Length, CharPtrTy);
502  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
503  if (!FirstEndLoc)
504  return state;
505 
506  // Is the end of the first buffer past the start of the second buffer?
507  SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT,
508  *FirstEndLoc, *secondLoc, cmpTy);
509  Optional<DefinedOrUnknownSVal> OverlapTest =
510  Overlap.getAs<DefinedOrUnknownSVal>();
511  if (!OverlapTest)
512  return state;
513 
514  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
515 
516  if (stateTrue && !stateFalse) {
517  // Overlap!
518  emitOverlapBug(C, stateTrue, First, Second);
519  return nullptr;
520  }
521 
522  // assume the two expressions don't overlap.
523  assert(stateFalse);
524  return stateFalse;
525 }
526 
527 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
528  const Stmt *First, const Stmt *Second) const {
529  ExplodedNode *N = C.generateErrorNode(state);
530  if (!N)
531  return;
532 
533  if (!BT_Overlap)
534  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
535  categories::UnixAPI, "Improper arguments"));
536 
537  // Generate a report for this bug.
538  auto report = llvm::make_unique<BugReport>(
539  *BT_Overlap, "Arguments must not be overlapping buffers", N);
540  report->addRange(First->getSourceRange());
541  report->addRange(Second->getSourceRange());
542 
543  C.emitReport(std::move(report));
544 }
545 
546 void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State,
547  const Stmt *S, StringRef WarningMsg) const {
548  if (ExplodedNode *N = C.generateErrorNode(State)) {
549  if (!BT_Null)
550  BT_Null.reset(new BuiltinBug(
551  Filter.CheckNameCStringNullArg, categories::UnixAPI,
552  "Null pointer argument in call to byte string function"));
553 
554  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Null.get());
555  auto Report = llvm::make_unique<BugReport>(*BT, WarningMsg, N);
556  Report->addRange(S->getSourceRange());
557  if (const auto *Ex = dyn_cast<Expr>(S))
558  bugreporter::trackExpressionValue(N, Ex, *Report);
559  C.emitReport(std::move(Report));
560  }
561 }
562 
563 void CStringChecker::emitOutOfBoundsBug(CheckerContext &C,
564  ProgramStateRef State, const Stmt *S,
565  StringRef WarningMsg) const {
566  if (ExplodedNode *N = C.generateErrorNode(State)) {
567  if (!BT_Bounds)
568  BT_Bounds.reset(new BuiltinBug(
569  Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds
570  : Filter.CheckNameCStringNullArg,
571  "Out-of-bound array access",
572  "Byte string function accesses out-of-bound array element"));
573 
574  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Bounds.get());
575 
576  // FIXME: It would be nice to eventually make this diagnostic more clear,
577  // e.g., by referencing the original declaration or by saying *why* this
578  // reference is outside the range.
579  auto Report = llvm::make_unique<BugReport>(*BT, WarningMsg, N);
580  Report->addRange(S->getSourceRange());
581  C.emitReport(std::move(Report));
582  }
583 }
584 
585 void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
586  const Stmt *S,
587  StringRef WarningMsg) const {
588  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
589  if (!BT_NotCString)
590  BT_NotCString.reset(new BuiltinBug(
591  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
592  "Argument is not a null-terminated string."));
593 
594  auto Report = llvm::make_unique<BugReport>(*BT_NotCString, WarningMsg, N);
595 
596  Report->addRange(S->getSourceRange());
597  C.emitReport(std::move(Report));
598  }
599 }
600 
601 void CStringChecker::emitAdditionOverflowBug(CheckerContext &C,
602  ProgramStateRef State) const {
603  if (ExplodedNode *N = C.generateErrorNode(State)) {
604  if (!BT_NotCString)
605  BT_NotCString.reset(
606  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
607  "Sum of expressions causes overflow."));
608 
609  // This isn't a great error message, but this should never occur in real
610  // code anyway -- you'd have to create a buffer longer than a size_t can
611  // represent, which is sort of a contradiction.
612  const char *WarningMsg =
613  "This expression will create a string whose length is too big to "
614  "be represented as a size_t";
615 
616  auto Report = llvm::make_unique<BugReport>(*BT_NotCString, WarningMsg, N);
617  C.emitReport(std::move(Report));
618  }
619 }
620 
621 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
622  ProgramStateRef state,
623  NonLoc left,
624  NonLoc right) const {
625  // If out-of-bounds checking is turned off, skip the rest.
626  if (!Filter.CheckCStringOutOfBounds)
627  return state;
628 
629  // If a previous check has failed, propagate the failure.
630  if (!state)
631  return nullptr;
632 
633  SValBuilder &svalBuilder = C.getSValBuilder();
634  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
635 
636  QualType sizeTy = svalBuilder.getContext().getSizeType();
637  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
638  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
639 
640  SVal maxMinusRight;
641  if (right.getAs<nonloc::ConcreteInt>()) {
642  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
643  sizeTy);
644  } else {
645  // Try switching the operands. (The order of these two assignments is
646  // important!)
647  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
648  sizeTy);
649  left = right;
650  }
651 
652  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
653  QualType cmpTy = svalBuilder.getConditionType();
654  // If left > max - right, we have an overflow.
655  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
656  *maxMinusRightNL, cmpTy);
657 
658  ProgramStateRef stateOverflow, stateOkay;
659  std::tie(stateOverflow, stateOkay) =
660  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
661 
662  if (stateOverflow && !stateOkay) {
663  // We have an overflow. Emit a bug report.
664  emitAdditionOverflowBug(C, stateOverflow);
665  return nullptr;
666  }
667 
668  // From now on, assume an overflow didn't occur.
669  assert(stateOkay);
670  state = stateOkay;
671  }
672 
673  return state;
674 }
675 
676 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
677  const MemRegion *MR,
678  SVal strLength) {
679  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
680 
681  MR = MR->StripCasts();
682 
683  switch (MR->getKind()) {
684  case MemRegion::StringRegionKind:
685  // FIXME: This can happen if we strcpy() into a string region. This is
686  // undefined [C99 6.4.5p6], but we should still warn about it.
687  return state;
688 
689  case MemRegion::SymbolicRegionKind:
690  case MemRegion::AllocaRegionKind:
691  case MemRegion::VarRegionKind:
692  case MemRegion::FieldRegionKind:
693  case MemRegion::ObjCIvarRegionKind:
694  // These are the types we can currently track string lengths for.
695  break;
696 
697  case MemRegion::ElementRegionKind:
698  // FIXME: Handle element regions by upper-bounding the parent region's
699  // string length.
700  return state;
701 
702  default:
703  // Other regions (mostly non-data) can't have a reliable C string length.
704  // For now, just ignore the change.
705  // FIXME: These are rare but not impossible. We should output some kind of
706  // warning for things like strcpy((char[]){'a', 0}, "b");
707  return state;
708  }
709 
710  if (strLength.isUnknown())
711  return state->remove<CStringLength>(MR);
712 
713  return state->set<CStringLength>(MR, strLength);
714 }
715 
716 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
717  ProgramStateRef &state,
718  const Expr *Ex,
719  const MemRegion *MR,
720  bool hypothetical) {
721  if (!hypothetical) {
722  // If there's a recorded length, go ahead and return it.
723  const SVal *Recorded = state->get<CStringLength>(MR);
724  if (Recorded)
725  return *Recorded;
726  }
727 
728  // Otherwise, get a new symbol and update the state.
729  SValBuilder &svalBuilder = C.getSValBuilder();
730  QualType sizeTy = svalBuilder.getContext().getSizeType();
731  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
732  MR, Ex, sizeTy,
733  C.getLocationContext(),
734  C.blockCount());
735 
736  if (!hypothetical) {
737  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
738  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
739  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
740  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
741  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
742  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
743  fourInt);
744  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
745  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
746  maxLength, sizeTy);
747  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
748  }
749  state = state->set<CStringLength>(MR, strLength);
750  }
751 
752  return strLength;
753 }
754 
755 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
756  const Expr *Ex, SVal Buf,
757  bool hypothetical) const {
758  const MemRegion *MR = Buf.getAsRegion();
759  if (!MR) {
760  // If we can't get a region, see if it's something we /know/ isn't a
761  // C string. In the context of locations, the only time we can issue such
762  // a warning is for labels.
763  if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) {
764  if (Filter.CheckCStringNotNullTerm) {
765  SmallString<120> buf;
766  llvm::raw_svector_ostream os(buf);
767  assert(CurrentFunctionDescription);
768  os << "Argument to " << CurrentFunctionDescription
769  << " is the address of the label '" << Label->getLabel()->getName()
770  << "', which is not a null-terminated string";
771 
772  emitNotCStringBug(C, state, Ex, os.str());
773  }
774  return UndefinedVal();
775  }
776 
777  // If it's not a region and not a label, give up.
778  return UnknownVal();
779  }
780 
781  // If we have a region, strip casts from it and see if we can figure out
782  // its length. For anything we can't figure out, just return UnknownVal.
783  MR = MR->StripCasts();
784 
785  switch (MR->getKind()) {
786  case MemRegion::StringRegionKind: {
787  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
788  // so we can assume that the byte length is the correct C string length.
789  SValBuilder &svalBuilder = C.getSValBuilder();
790  QualType sizeTy = svalBuilder.getContext().getSizeType();
791  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
792  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
793  }
794  case MemRegion::SymbolicRegionKind:
795  case MemRegion::AllocaRegionKind:
796  case MemRegion::VarRegionKind:
797  case MemRegion::FieldRegionKind:
798  case MemRegion::ObjCIvarRegionKind:
799  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
800  case MemRegion::CompoundLiteralRegionKind:
801  // FIXME: Can we track this? Is it necessary?
802  return UnknownVal();
803  case MemRegion::ElementRegionKind:
804  // FIXME: How can we handle this? It's not good enough to subtract the
805  // offset from the base string length; consider "123\x00567" and &a[5].
806  return UnknownVal();
807  default:
808  // Other regions (mostly non-data) can't have a reliable C string length.
809  // In this case, an error is emitted and UndefinedVal is returned.
810  // The caller should always be prepared to handle this case.
811  if (Filter.CheckCStringNotNullTerm) {
812  SmallString<120> buf;
813  llvm::raw_svector_ostream os(buf);
814 
815  assert(CurrentFunctionDescription);
816  os << "Argument to " << CurrentFunctionDescription << " is ";
817 
818  if (SummarizeRegion(os, C.getASTContext(), MR))
819  os << ", which is not a null-terminated string";
820  else
821  os << "not a null-terminated string";
822 
823  emitNotCStringBug(C, state, Ex, os.str());
824  }
825  return UndefinedVal();
826  }
827 }
828 
829 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
830  ProgramStateRef &state, const Expr *expr, SVal val) const {
831 
832  // Get the memory region pointed to by the val.
833  const MemRegion *bufRegion = val.getAsRegion();
834  if (!bufRegion)
835  return nullptr;
836 
837  // Strip casts off the memory region.
838  bufRegion = bufRegion->StripCasts();
839 
840  // Cast the memory region to a string region.
841  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
842  if (!strRegion)
843  return nullptr;
844 
845  // Return the actual string in the string region.
846  return strRegion->getStringLiteral();
847 }
848 
849 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
850  ProgramStateRef state,
851  const Expr *FirstBuf,
852  const Expr *Size) {
853  // If we do not know that the buffer is long enough we return 'true'.
854  // Otherwise the parent region of this field region would also get
855  // invalidated, which would lead to warnings based on an unknown state.
856 
857  // Originally copied from CheckBufferAccess and CheckLocation.
858  SValBuilder &svalBuilder = C.getSValBuilder();
859  ASTContext &Ctx = svalBuilder.getContext();
860  const LocationContext *LCtx = C.getLocationContext();
861 
862  QualType sizeTy = Size->getType();
863  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
864  SVal BufVal = state->getSVal(FirstBuf, LCtx);
865 
866  SVal LengthVal = state->getSVal(Size, LCtx);
867  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
868  if (!Length)
869  return true; // cf top comment.
870 
871  // Compute the offset of the last element to be accessed: size-1.
872  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
873  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
874  if (Offset.isUnknown())
875  return true; // cf top comment
876  NonLoc LastOffset = Offset.castAs<NonLoc>();
877 
878  // Check that the first buffer is sufficiently long.
879  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
880  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
881  if (!BufLoc)
882  return true; // cf top comment.
883 
884  SVal BufEnd =
885  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
886 
887  // Check for out of bound array element access.
888  const MemRegion *R = BufEnd.getAsRegion();
889  if (!R)
890  return true; // cf top comment.
891 
892  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
893  if (!ER)
894  return true; // cf top comment.
895 
896  // FIXME: Does this crash when a non-standard definition
897  // of a library function is encountered?
898  assert(ER->getValueType() == C.getASTContext().CharTy &&
899  "IsFirstBufInBound should only be called with char* ElementRegions");
900 
901  // Get the size of the array.
902  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
903  SVal Extent =
904  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
905  DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
906 
907  // Get the index of the accessed element.
908  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
909 
910  ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true);
911 
912  return static_cast<bool>(StInBound);
913 }
914 
915 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
916  ProgramStateRef state,
917  const Expr *E, SVal V,
918  bool IsSourceBuffer,
919  const Expr *Size) {
920  Optional<Loc> L = V.getAs<Loc>();
921  if (!L)
922  return state;
923 
924  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
925  // some assumptions about the value that CFRefCount can't. Even so, it should
926  // probably be refactored.
927  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
928  const MemRegion *R = MR->getRegion()->StripCasts();
929 
930  // Are we dealing with an ElementRegion? If so, we should be invalidating
931  // the super-region.
932  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
933  R = ER->getSuperRegion();
934  // FIXME: What about layers of ElementRegions?
935  }
936 
937  // Invalidate this region.
938  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
939 
940  bool CausesPointerEscape = false;
941  RegionAndSymbolInvalidationTraits ITraits;
942  // Invalidate and escape only indirect regions accessible through the source
943  // buffer.
944  if (IsSourceBuffer) {
945  ITraits.setTrait(R->getBaseRegion(),
948  CausesPointerEscape = true;
949  } else {
950  const MemRegion::Kind& K = R->getKind();
951  if (K == MemRegion::FieldRegionKind)
952  if (Size && IsFirstBufInBound(C, state, E, Size)) {
953  // If destination buffer is a field region and access is in bound,
954  // do not invalidate its super region.
955  ITraits.setTrait(
956  R,
958  }
959  }
960 
961  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
962  CausesPointerEscape, nullptr, nullptr,
963  &ITraits);
964  }
965 
966  // If we have a non-region value by chance, just remove the binding.
967  // FIXME: is this necessary or correct? This handles the non-Region
968  // cases. Is it ever valid to store to these?
969  return state->killBinding(*L);
970 }
971 
972 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
973  const MemRegion *MR) {
974  const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR);
975 
976  switch (MR->getKind()) {
977  case MemRegion::FunctionCodeRegionKind: {
978  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
979  if (FD)
980  os << "the address of the function '" << *FD << '\'';
981  else
982  os << "the address of a function";
983  return true;
984  }
985  case MemRegion::BlockCodeRegionKind:
986  os << "block text";
987  return true;
988  case MemRegion::BlockDataRegionKind:
989  os << "a block";
990  return true;
991  case MemRegion::CXXThisRegionKind:
992  case MemRegion::CXXTempObjectRegionKind:
993  os << "a C++ temp object of type " << TVR->getValueType().getAsString();
994  return true;
995  case MemRegion::VarRegionKind:
996  os << "a variable of type" << TVR->getValueType().getAsString();
997  return true;
998  case MemRegion::FieldRegionKind:
999  os << "a field of type " << TVR->getValueType().getAsString();
1000  return true;
1001  case MemRegion::ObjCIvarRegionKind:
1002  os << "an instance variable of type " << TVR->getValueType().getAsString();
1003  return true;
1004  default:
1005  return false;
1006  }
1007 }
1008 
1009 bool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal,
1010  const Expr *Size, CheckerContext &C,
1011  ProgramStateRef &State) {
1012  SVal MemVal = C.getSVal(DstBuffer);
1013  SVal SizeVal = C.getSVal(Size);
1014  const MemRegion *MR = MemVal.getAsRegion();
1015  if (!MR)
1016  return false;
1017 
1018  // We're about to model memset by producing a "default binding" in the Store.
1019  // Our current implementation - RegionStore - doesn't support default bindings
1020  // that don't cover the whole base region. So we should first get the offset
1021  // and the base region to figure out whether the offset of buffer is 0.
1022  RegionOffset Offset = MR->getAsOffset();
1023  const MemRegion *BR = Offset.getRegion();
1024 
1025  Optional<NonLoc> SizeNL = SizeVal.getAs<NonLoc>();
1026  if (!SizeNL)
1027  return false;
1028 
1029  SValBuilder &svalBuilder = C.getSValBuilder();
1030  ASTContext &Ctx = C.getASTContext();
1031 
1032  // void *memset(void *dest, int ch, size_t count);
1033  // For now we can only handle the case of offset is 0 and concrete char value.
1034  if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
1035  Offset.getOffset() == 0) {
1036  // Get the base region's extent.
1037  auto *SubReg = cast<SubRegion>(BR);
1038  DefinedOrUnknownSVal Extent = SubReg->getExtent(svalBuilder);
1039 
1040  ProgramStateRef StateWholeReg, StateNotWholeReg;
1041  std::tie(StateWholeReg, StateNotWholeReg) =
1042  State->assume(svalBuilder.evalEQ(State, Extent, *SizeNL));
1043 
1044  // With the semantic of 'memset()', we should convert the CharVal to
1045  // unsigned char.
1046  CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);
1047 
1048  ProgramStateRef StateNullChar, StateNonNullChar;
1049  std::tie(StateNullChar, StateNonNullChar) =
1050  assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
1051 
1052  if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
1053  !StateNonNullChar) {
1054  // If the 'memset()' acts on the whole region of destination buffer and
1055  // the value of the second argument of 'memset()' is zero, bind the second
1056  // argument's value to the destination buffer with 'default binding'.
1057  // FIXME: Since there is no perfect way to bind the non-zero character, we
1058  // can only deal with zero value here. In the future, we need to deal with
1059  // the binding of non-zero value in the case of whole region.
1060  State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
1061  C.getLocationContext());
1062  } else {
1063  // If the destination buffer's extent is not equal to the value of
1064  // third argument, just invalidate buffer.
1065  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1066  /*IsSourceBuffer*/ false, Size);
1067  }
1068 
1069  if (StateNullChar && !StateNonNullChar) {
1070  // If the value of the second argument of 'memset()' is zero, set the
1071  // string length of destination buffer to 0 directly.
1072  State = setCStringLength(State, MR,
1073  svalBuilder.makeZeroVal(Ctx.getSizeType()));
1074  } else if (!StateNullChar && StateNonNullChar) {
1075  SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
1076  CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
1077  C.getLocationContext(), C.blockCount());
1078 
1079  // If the value of second argument is not zero, then the string length
1080  // is at least the size argument.
1081  SVal NewStrLenGESize = svalBuilder.evalBinOp(
1082  State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
1083 
1084  State = setCStringLength(
1085  State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
1086  MR, NewStrLen);
1087  }
1088  } else {
1089  // If the offset is not zero and char value is not concrete, we can do
1090  // nothing but invalidate the buffer.
1091  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1092  /*IsSourceBuffer*/ false, Size);
1093  }
1094  return true;
1095 }
1096 
1097 //===----------------------------------------------------------------------===//
1098 // evaluation of individual function calls.
1099 //===----------------------------------------------------------------------===//
1100 
1101 void CStringChecker::evalCopyCommon(CheckerContext &C,
1102  const CallExpr *CE,
1103  ProgramStateRef state,
1104  const Expr *Size, const Expr *Dest,
1105  const Expr *Source, bool Restricted,
1106  bool IsMempcpy) const {
1107  CurrentFunctionDescription = "memory copy function";
1108 
1109  // See if the size argument is zero.
1110  const LocationContext *LCtx = C.getLocationContext();
1111  SVal sizeVal = state->getSVal(Size, LCtx);
1112  QualType sizeTy = Size->getType();
1113 
1114  ProgramStateRef stateZeroSize, stateNonZeroSize;
1115  std::tie(stateZeroSize, stateNonZeroSize) =
1116  assumeZero(C, state, sizeVal, sizeTy);
1117 
1118  // Get the value of the Dest.
1119  SVal destVal = state->getSVal(Dest, LCtx);
1120 
1121  // If the size is zero, there won't be any actual memory access, so
1122  // just bind the return value to the destination buffer and return.
1123  if (stateZeroSize && !stateNonZeroSize) {
1124  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1125  C.addTransition(stateZeroSize);
1126  return;
1127  }
1128 
1129  // If the size can be nonzero, we have to check the other arguments.
1130  if (stateNonZeroSize) {
1131  state = stateNonZeroSize;
1132 
1133  // Ensure the destination is not null. If it is NULL there will be a
1134  // NULL pointer dereference.
1135  state = checkNonNull(C, state, Dest, destVal);
1136  if (!state)
1137  return;
1138 
1139  // Get the value of the Src.
1140  SVal srcVal = state->getSVal(Source, LCtx);
1141 
1142  // Ensure the source is not null. If it is NULL there will be a
1143  // NULL pointer dereference.
1144  state = checkNonNull(C, state, Source, srcVal);
1145  if (!state)
1146  return;
1147 
1148  // Ensure the accesses are valid and that the buffers do not overlap.
1149  const char * const writeWarning =
1150  "Memory copy function overflows destination buffer";
1151  state = CheckBufferAccess(C, state, Size, Dest, Source,
1152  writeWarning, /* sourceWarning = */ nullptr);
1153  if (Restricted)
1154  state = CheckOverlap(C, state, Size, Dest, Source);
1155 
1156  if (!state)
1157  return;
1158 
1159  // If this is mempcpy, get the byte after the last byte copied and
1160  // bind the expr.
1161  if (IsMempcpy) {
1162  // Get the byte after the last byte copied.
1163  SValBuilder &SvalBuilder = C.getSValBuilder();
1164  ASTContext &Ctx = SvalBuilder.getContext();
1165  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1166  SVal DestRegCharVal =
1167  SvalBuilder.evalCast(destVal, CharPtrTy, Dest->getType());
1168  SVal lastElement = C.getSValBuilder().evalBinOp(
1169  state, BO_Add, DestRegCharVal, sizeVal, Dest->getType());
1170  // If we don't know how much we copied, we can at least
1171  // conjure a return value for later.
1172  if (lastElement.isUnknown())
1173  lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1174  C.blockCount());
1175 
1176  // The byte after the last byte copied is the return value.
1177  state = state->BindExpr(CE, LCtx, lastElement);
1178  } else {
1179  // All other copies return the destination buffer.
1180  // (Well, bcopy() has a void return type, but this won't hurt.)
1181  state = state->BindExpr(CE, LCtx, destVal);
1182  }
1183 
1184  // Invalidate the destination (regular invalidation without pointer-escaping
1185  // the address of the top-level region).
1186  // FIXME: Even if we can't perfectly model the copy, we should see if we
1187  // can use LazyCompoundVals to copy the source values into the destination.
1188  // This would probably remove any existing bindings past the end of the
1189  // copied region, but that's still an improvement over blank invalidation.
1190  state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest),
1191  /*IsSourceBuffer*/false, Size);
1192 
1193  // Invalidate the source (const-invalidation without const-pointer-escaping
1194  // the address of the top-level region).
1195  state = InvalidateBuffer(C, state, Source, C.getSVal(Source),
1196  /*IsSourceBuffer*/true, nullptr);
1197 
1198  C.addTransition(state);
1199  }
1200 }
1201 
1202 
1203 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1204  if (CE->getNumArgs() < 3)
1205  return;
1206 
1207  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1208  // The return value is the address of the destination buffer.
1209  const Expr *Dest = CE->getArg(0);
1210  ProgramStateRef state = C.getState();
1211 
1212  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true);
1213 }
1214 
1215 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1216  if (CE->getNumArgs() < 3)
1217  return;
1218 
1219  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1220  // The return value is a pointer to the byte following the last written byte.
1221  const Expr *Dest = CE->getArg(0);
1222  ProgramStateRef state = C.getState();
1223 
1224  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
1225 }
1226 
1227 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1228  if (CE->getNumArgs() < 3)
1229  return;
1230 
1231  // void *memmove(void *dst, const void *src, size_t n);
1232  // The return value is the address of the destination buffer.
1233  const Expr *Dest = CE->getArg(0);
1234  ProgramStateRef state = C.getState();
1235 
1236  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
1237 }
1238 
1239 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1240  if (CE->getNumArgs() < 3)
1241  return;
1242 
1243  // void bcopy(const void *src, void *dst, size_t n);
1244  evalCopyCommon(C, CE, C.getState(),
1245  CE->getArg(2), CE->getArg(1), CE->getArg(0));
1246 }
1247 
1248 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1249  if (CE->getNumArgs() < 3)
1250  return;
1251 
1252  // int memcmp(const void *s1, const void *s2, size_t n);
1253  CurrentFunctionDescription = "memory comparison function";
1254 
1255  const Expr *Left = CE->getArg(0);
1256  const Expr *Right = CE->getArg(1);
1257  const Expr *Size = CE->getArg(2);
1258 
1259  ProgramStateRef state = C.getState();
1260  SValBuilder &svalBuilder = C.getSValBuilder();
1261 
1262  // See if the size argument is zero.
1263  const LocationContext *LCtx = C.getLocationContext();
1264  SVal sizeVal = state->getSVal(Size, LCtx);
1265  QualType sizeTy = Size->getType();
1266 
1267  ProgramStateRef stateZeroSize, stateNonZeroSize;
1268  std::tie(stateZeroSize, stateNonZeroSize) =
1269  assumeZero(C, state, sizeVal, sizeTy);
1270 
1271  // If the size can be zero, the result will be 0 in that case, and we don't
1272  // have to check either of the buffers.
1273  if (stateZeroSize) {
1274  state = stateZeroSize;
1275  state = state->BindExpr(CE, LCtx,
1276  svalBuilder.makeZeroVal(CE->getType()));
1277  C.addTransition(state);
1278  }
1279 
1280  // If the size can be nonzero, we have to check the other arguments.
1281  if (stateNonZeroSize) {
1282  state = stateNonZeroSize;
1283  // If we know the two buffers are the same, we know the result is 0.
1284  // First, get the two buffers' addresses. Another checker will have already
1285  // made sure they're not undefined.
1286  DefinedOrUnknownSVal LV =
1287  state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>();
1288  DefinedOrUnknownSVal RV =
1289  state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>();
1290 
1291  // See if they are the same.
1292  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1293  ProgramStateRef StSameBuf, StNotSameBuf;
1294  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1295 
1296  // If the two arguments might be the same buffer, we know the result is 0,
1297  // and we only need to check one size.
1298  if (StSameBuf) {
1299  state = StSameBuf;
1300  state = CheckBufferAccess(C, state, Size, Left);
1301  if (state) {
1302  state = StSameBuf->BindExpr(CE, LCtx,
1303  svalBuilder.makeZeroVal(CE->getType()));
1304  C.addTransition(state);
1305  }
1306  }
1307 
1308  // If the two arguments might be different buffers, we have to check the
1309  // size of both of them.
1310  if (StNotSameBuf) {
1311  state = StNotSameBuf;
1312  state = CheckBufferAccess(C, state, Size, Left, Right);
1313  if (state) {
1314  // The return value is the comparison result, which we don't know.
1315  SVal CmpV = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1316  C.blockCount());
1317  state = state->BindExpr(CE, LCtx, CmpV);
1318  C.addTransition(state);
1319  }
1320  }
1321  }
1322 }
1323 
1324 void CStringChecker::evalstrLength(CheckerContext &C,
1325  const CallExpr *CE) const {
1326  if (CE->getNumArgs() < 1)
1327  return;
1328 
1329  // size_t strlen(const char *s);
1330  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1331 }
1332 
1333 void CStringChecker::evalstrnLength(CheckerContext &C,
1334  const CallExpr *CE) const {
1335  if (CE->getNumArgs() < 2)
1336  return;
1337 
1338  // size_t strnlen(const char *s, size_t maxlen);
1339  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1340 }
1341 
1342 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1343  bool IsStrnlen) const {
1344  CurrentFunctionDescription = "string length function";
1345  ProgramStateRef state = C.getState();
1346  const LocationContext *LCtx = C.getLocationContext();
1347 
1348  if (IsStrnlen) {
1349  const Expr *maxlenExpr = CE->getArg(1);
1350  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1351 
1352  ProgramStateRef stateZeroSize, stateNonZeroSize;
1353  std::tie(stateZeroSize, stateNonZeroSize) =
1354  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1355 
1356  // If the size can be zero, the result will be 0 in that case, and we don't
1357  // have to check the string itself.
1358  if (stateZeroSize) {
1359  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1360  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1361  C.addTransition(stateZeroSize);
1362  }
1363 
1364  // If the size is GUARANTEED to be zero, we're done!
1365  if (!stateNonZeroSize)
1366  return;
1367 
1368  // Otherwise, record the assumption that the size is nonzero.
1369  state = stateNonZeroSize;
1370  }
1371 
1372  // Check that the string argument is non-null.
1373  const Expr *Arg = CE->getArg(0);
1374  SVal ArgVal = state->getSVal(Arg, LCtx);
1375 
1376  state = checkNonNull(C, state, Arg, ArgVal);
1377 
1378  if (!state)
1379  return;
1380 
1381  SVal strLength = getCStringLength(C, state, Arg, ArgVal);
1382 
1383  // If the argument isn't a valid C string, there's no valid state to
1384  // transition to.
1385  if (strLength.isUndef())
1386  return;
1387 
1388  DefinedOrUnknownSVal result = UnknownVal();
1389 
1390  // If the check is for strnlen() then bind the return value to no more than
1391  // the maxlen value.
1392  if (IsStrnlen) {
1393  QualType cmpTy = C.getSValBuilder().getConditionType();
1394 
1395  // It's a little unfortunate to be getting this again,
1396  // but it's not that expensive...
1397  const Expr *maxlenExpr = CE->getArg(1);
1398  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1399 
1400  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1401  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1402 
1403  if (strLengthNL && maxlenValNL) {
1404  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1405 
1406  // Check if the strLength is greater than the maxlen.
1407  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1408  C.getSValBuilder()
1409  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1410  .castAs<DefinedOrUnknownSVal>());
1411 
1412  if (stateStringTooLong && !stateStringNotTooLong) {
1413  // If the string is longer than maxlen, return maxlen.
1414  result = *maxlenValNL;
1415  } else if (stateStringNotTooLong && !stateStringTooLong) {
1416  // If the string is shorter than maxlen, return its length.
1417  result = *strLengthNL;
1418  }
1419  }
1420 
1421  if (result.isUnknown()) {
1422  // If we don't have enough information for a comparison, there's
1423  // no guarantee the full string length will actually be returned.
1424  // All we know is the return value is the min of the string length
1425  // and the limit. This is better than nothing.
1426  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1427  C.blockCount());
1428  NonLoc resultNL = result.castAs<NonLoc>();
1429 
1430  if (strLengthNL) {
1431  state = state->assume(C.getSValBuilder().evalBinOpNN(
1432  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1433  .castAs<DefinedOrUnknownSVal>(), true);
1434  }
1435 
1436  if (maxlenValNL) {
1437  state = state->assume(C.getSValBuilder().evalBinOpNN(
1438  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1439  .castAs<DefinedOrUnknownSVal>(), true);
1440  }
1441  }
1442 
1443  } else {
1444  // This is a plain strlen(), not strnlen().
1445  result = strLength.castAs<DefinedOrUnknownSVal>();
1446 
1447  // If we don't know the length of the string, conjure a return
1448  // value, so it can be used in constraints, at least.
1449  if (result.isUnknown()) {
1450  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1451  C.blockCount());
1452  }
1453  }
1454 
1455  // Bind the return value.
1456  assert(!result.isUnknown() && "Should have conjured a value by now");
1457  state = state->BindExpr(CE, LCtx, result);
1458  C.addTransition(state);
1459 }
1460 
1461 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1462  if (CE->getNumArgs() < 2)
1463  return;
1464 
1465  // char *strcpy(char *restrict dst, const char *restrict src);
1466  evalStrcpyCommon(C, CE,
1467  /* returnEnd = */ false,
1468  /* isBounded = */ false,
1469  /* isAppending = */ false);
1470 }
1471 
1472 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1473  if (CE->getNumArgs() < 3)
1474  return;
1475 
1476  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1477  evalStrcpyCommon(C, CE,
1478  /* returnEnd = */ false,
1479  /* isBounded = */ true,
1480  /* isAppending = */ false);
1481 }
1482 
1483 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1484  if (CE->getNumArgs() < 2)
1485  return;
1486 
1487  // char *stpcpy(char *restrict dst, const char *restrict src);
1488  evalStrcpyCommon(C, CE,
1489  /* returnEnd = */ true,
1490  /* isBounded = */ false,
1491  /* isAppending = */ false);
1492 }
1493 
1494 void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const {
1495  if (CE->getNumArgs() < 3)
1496  return;
1497 
1498  // char *strlcpy(char *dst, const char *src, size_t n);
1499  evalStrcpyCommon(C, CE,
1500  /* returnEnd = */ true,
1501  /* isBounded = */ true,
1502  /* isAppending = */ false,
1503  /* returnPtr = */ false);
1504 }
1505 
1506 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1507  if (CE->getNumArgs() < 2)
1508  return;
1509 
1510  //char *strcat(char *restrict s1, const char *restrict s2);
1511  evalStrcpyCommon(C, CE,
1512  /* returnEnd = */ false,
1513  /* isBounded = */ false,
1514  /* isAppending = */ true);
1515 }
1516 
1517 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1518  if (CE->getNumArgs() < 3)
1519  return;
1520 
1521  //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1522  evalStrcpyCommon(C, CE,
1523  /* returnEnd = */ false,
1524  /* isBounded = */ true,
1525  /* isAppending = */ true);
1526 }
1527 
1528 void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const {
1529  if (CE->getNumArgs() < 3)
1530  return;
1531 
1532  //char *strlcat(char *s1, const char *s2, size_t n);
1533  evalStrcpyCommon(C, CE,
1534  /* returnEnd = */ false,
1535  /* isBounded = */ true,
1536  /* isAppending = */ true,
1537  /* returnPtr = */ false);
1538 }
1539 
1540 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1541  bool returnEnd, bool isBounded,
1542  bool isAppending, bool returnPtr) const {
1543  CurrentFunctionDescription = "string copy function";
1544  ProgramStateRef state = C.getState();
1545  const LocationContext *LCtx = C.getLocationContext();
1546 
1547  // Check that the destination is non-null.
1548  const Expr *Dst = CE->getArg(0);
1549  SVal DstVal = state->getSVal(Dst, LCtx);
1550 
1551  state = checkNonNull(C, state, Dst, DstVal);
1552  if (!state)
1553  return;
1554 
1555  // Check that the source is non-null.
1556  const Expr *srcExpr = CE->getArg(1);
1557  SVal srcVal = state->getSVal(srcExpr, LCtx);
1558  state = checkNonNull(C, state, srcExpr, srcVal);
1559  if (!state)
1560  return;
1561 
1562  // Get the string length of the source.
1563  SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
1564 
1565  // If the source isn't a valid C string, give up.
1566  if (strLength.isUndef())
1567  return;
1568 
1569  SValBuilder &svalBuilder = C.getSValBuilder();
1570  QualType cmpTy = svalBuilder.getConditionType();
1571  QualType sizeTy = svalBuilder.getContext().getSizeType();
1572 
1573  // These two values allow checking two kinds of errors:
1574  // - actual overflows caused by a source that doesn't fit in the destination
1575  // - potential overflows caused by a bound that could exceed the destination
1576  SVal amountCopied = UnknownVal();
1577  SVal maxLastElementIndex = UnknownVal();
1578  const char *boundWarning = nullptr;
1579 
1580  state = CheckOverlap(C, state, isBounded ? CE->getArg(2) : CE->getArg(1), Dst, srcExpr);
1581 
1582  if (!state)
1583  return;
1584 
1585  // If the function is strncpy, strncat, etc... it is bounded.
1586  if (isBounded) {
1587  // Get the max number of characters to copy.
1588  const Expr *lenExpr = CE->getArg(2);
1589  SVal lenVal = state->getSVal(lenExpr, LCtx);
1590 
1591  // Protect against misdeclared strncpy().
1592  lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
1593 
1594  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1595  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1596 
1597  // If we know both values, we might be able to figure out how much
1598  // we're copying.
1599  if (strLengthNL && lenValNL) {
1600  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1601 
1602  // Check if the max number to copy is less than the length of the src.
1603  // If the bound is equal to the source length, strncpy won't null-
1604  // terminate the result!
1605  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1606  svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1607  .castAs<DefinedOrUnknownSVal>());
1608 
1609  if (stateSourceTooLong && !stateSourceNotTooLong) {
1610  // Max number to copy is less than the length of the src, so the actual
1611  // strLength copied is the max number arg.
1612  state = stateSourceTooLong;
1613  amountCopied = lenVal;
1614 
1615  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1616  // The source buffer entirely fits in the bound.
1617  state = stateSourceNotTooLong;
1618  amountCopied = strLength;
1619  }
1620  }
1621 
1622  // We still want to know if the bound is known to be too large.
1623  if (lenValNL) {
1624  if (isAppending) {
1625  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1626 
1627  // Get the string length of the destination. If the destination is
1628  // memory that can't have a string length, we shouldn't be copying
1629  // into it anyway.
1630  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1631  if (dstStrLength.isUndef())
1632  return;
1633 
1634  if (Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>()) {
1635  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add,
1636  *lenValNL,
1637  *dstStrLengthNL,
1638  sizeTy);
1639  boundWarning = "Size argument is greater than the free space in the "
1640  "destination buffer";
1641  }
1642 
1643  } else {
1644  // For strncpy, this is just checking that lenVal <= sizeof(dst)
1645  // (Yes, strncpy and strncat differ in how they treat termination.
1646  // strncat ALWAYS terminates, but strncpy doesn't.)
1647 
1648  // We need a special case for when the copy size is zero, in which
1649  // case strncpy will do no work at all. Our bounds check uses n-1
1650  // as the last element accessed, so n == 0 is problematic.
1651  ProgramStateRef StateZeroSize, StateNonZeroSize;
1652  std::tie(StateZeroSize, StateNonZeroSize) =
1653  assumeZero(C, state, *lenValNL, sizeTy);
1654 
1655  // If the size is known to be zero, we're done.
1656  if (StateZeroSize && !StateNonZeroSize) {
1657  if (returnPtr) {
1658  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1659  } else {
1660  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, *lenValNL);
1661  }
1662  C.addTransition(StateZeroSize);
1663  return;
1664  }
1665 
1666  // Otherwise, go ahead and figure out the last element we'll touch.
1667  // We don't record the non-zero assumption here because we can't
1668  // be sure. We won't warn on a possible zero.
1669  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1670  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1671  one, sizeTy);
1672  boundWarning = "Size argument is greater than the length of the "
1673  "destination buffer";
1674  }
1675  }
1676 
1677  // If we couldn't pin down the copy length, at least bound it.
1678  // FIXME: We should actually run this code path for append as well, but
1679  // right now it creates problems with constraints (since we can end up
1680  // trying to pass constraints from symbol to symbol).
1681  if (amountCopied.isUnknown() && !isAppending) {
1682  // Try to get a "hypothetical" string length symbol, which we can later
1683  // set as a real value if that turns out to be the case.
1684  amountCopied = getCStringLength(C, state, lenExpr, srcVal, true);
1685  assert(!amountCopied.isUndef());
1686 
1687  if (Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>()) {
1688  if (lenValNL) {
1689  // amountCopied <= lenVal
1690  SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE,
1691  *amountCopiedNL,
1692  *lenValNL,
1693  cmpTy);
1694  state = state->assume(
1695  copiedLessThanBound.castAs<DefinedOrUnknownSVal>(), true);
1696  if (!state)
1697  return;
1698  }
1699 
1700  if (strLengthNL) {
1701  // amountCopied <= strlen(source)
1702  SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE,
1703  *amountCopiedNL,
1704  *strLengthNL,
1705  cmpTy);
1706  state = state->assume(
1707  copiedLessThanSrc.castAs<DefinedOrUnknownSVal>(), true);
1708  if (!state)
1709  return;
1710  }
1711  }
1712  }
1713 
1714  } else {
1715  // The function isn't bounded. The amount copied should match the length
1716  // of the source buffer.
1717  amountCopied = strLength;
1718  }
1719 
1720  assert(state);
1721 
1722  // This represents the number of characters copied into the destination
1723  // buffer. (It may not actually be the strlen if the destination buffer
1724  // is not terminated.)
1725  SVal finalStrLength = UnknownVal();
1726 
1727  // If this is an appending function (strcat, strncat...) then set the
1728  // string length to strlen(src) + strlen(dst) since the buffer will
1729  // ultimately contain both.
1730  if (isAppending) {
1731  // Get the string length of the destination. If the destination is memory
1732  // that can't have a string length, we shouldn't be copying into it anyway.
1733  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1734  if (dstStrLength.isUndef())
1735  return;
1736 
1737  Optional<NonLoc> srcStrLengthNL = amountCopied.getAs<NonLoc>();
1738  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1739 
1740  // If we know both string lengths, we might know the final string length.
1741  if (srcStrLengthNL && dstStrLengthNL) {
1742  // Make sure the two lengths together don't overflow a size_t.
1743  state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL);
1744  if (!state)
1745  return;
1746 
1747  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL,
1748  *dstStrLengthNL, sizeTy);
1749  }
1750 
1751  // If we couldn't get a single value for the final string length,
1752  // we can at least bound it by the individual lengths.
1753  if (finalStrLength.isUnknown()) {
1754  // Try to get a "hypothetical" string length symbol, which we can later
1755  // set as a real value if that turns out to be the case.
1756  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1757  assert(!finalStrLength.isUndef());
1758 
1759  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1760  if (srcStrLengthNL) {
1761  // finalStrLength >= srcStrLength
1762  SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1763  *finalStrLengthNL,
1764  *srcStrLengthNL,
1765  cmpTy);
1766  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1767  true);
1768  if (!state)
1769  return;
1770  }
1771 
1772  if (dstStrLengthNL) {
1773  // finalStrLength >= dstStrLength
1774  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1775  *finalStrLengthNL,
1776  *dstStrLengthNL,
1777  cmpTy);
1778  state =
1779  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1780  if (!state)
1781  return;
1782  }
1783  }
1784  }
1785 
1786  } else {
1787  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1788  // the final string length will match the input string length.
1789  finalStrLength = amountCopied;
1790  }
1791 
1792  SVal Result;
1793 
1794  if (returnPtr) {
1795  // The final result of the function will either be a pointer past the last
1796  // copied element, or a pointer to the start of the destination buffer.
1797  Result = (returnEnd ? UnknownVal() : DstVal);
1798  } else {
1799  Result = finalStrLength;
1800  }
1801 
1802  assert(state);
1803 
1804  // If the destination is a MemRegion, try to check for a buffer overflow and
1805  // record the new string length.
1806  if (Optional<loc::MemRegionVal> dstRegVal =
1807  DstVal.getAs<loc::MemRegionVal>()) {
1808  QualType ptrTy = Dst->getType();
1809 
1810  // If we have an exact value on a bounded copy, use that to check for
1811  // overflows, rather than our estimate about how much is actually copied.
1812  if (boundWarning) {
1813  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1814  SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1815  *maxLastNL, ptrTy);
1816  state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
1817  boundWarning);
1818  if (!state)
1819  return;
1820  }
1821  }
1822 
1823  // Then, if the final length is known...
1824  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1825  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1826  *knownStrLength, ptrTy);
1827 
1828  // ...and we haven't checked the bound, we'll check the actual copy.
1829  if (!boundWarning) {
1830  const char * const warningMsg =
1831  "String copy function overflows destination buffer";
1832  state = CheckLocation(C, state, Dst, lastElement, warningMsg);
1833  if (!state)
1834  return;
1835  }
1836 
1837  // If this is a stpcpy-style copy, the last element is the return value.
1838  if (returnPtr && returnEnd)
1839  Result = lastElement;
1840  }
1841 
1842  // Invalidate the destination (regular invalidation without pointer-escaping
1843  // the address of the top-level region). This must happen before we set the
1844  // C string length because invalidation will clear the length.
1845  // FIXME: Even if we can't perfectly model the copy, we should see if we
1846  // can use LazyCompoundVals to copy the source values into the destination.
1847  // This would probably remove any existing bindings past the end of the
1848  // string, but that's still an improvement over blank invalidation.
1849  state = InvalidateBuffer(C, state, Dst, *dstRegVal,
1850  /*IsSourceBuffer*/false, nullptr);
1851 
1852  // Invalidate the source (const-invalidation without const-pointer-escaping
1853  // the address of the top-level region).
1854  state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
1855  nullptr);
1856 
1857  // Set the C string length of the destination, if we know it.
1858  if (isBounded && !isAppending) {
1859  // strncpy is annoying in that it doesn't guarantee to null-terminate
1860  // the result string. If the original string didn't fit entirely inside
1861  // the bound (including the null-terminator), we don't know how long the
1862  // result is.
1863  if (amountCopied != strLength)
1864  finalStrLength = UnknownVal();
1865  }
1866  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1867  }
1868 
1869  assert(state);
1870 
1871  if (returnPtr) {
1872  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1873  // overflow, we still need a result. Conjure a return value.
1874  if (returnEnd && Result.isUnknown()) {
1875  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1876  }
1877  }
1878  // Set the return value.
1879  state = state->BindExpr(CE, LCtx, Result);
1880  C.addTransition(state);
1881 }
1882 
1883 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1884  if (CE->getNumArgs() < 2)
1885  return;
1886 
1887  //int strcmp(const char *s1, const char *s2);
1888  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false);
1889 }
1890 
1891 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1892  if (CE->getNumArgs() < 3)
1893  return;
1894 
1895  //int strncmp(const char *s1, const char *s2, size_t n);
1896  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false);
1897 }
1898 
1899 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1900  const CallExpr *CE) const {
1901  if (CE->getNumArgs() < 2)
1902  return;
1903 
1904  //int strcasecmp(const char *s1, const char *s2);
1905  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true);
1906 }
1907 
1908 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1909  const CallExpr *CE) const {
1910  if (CE->getNumArgs() < 3)
1911  return;
1912 
1913  //int strncasecmp(const char *s1, const char *s2, size_t n);
1914  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true);
1915 }
1916 
1917 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1918  bool isBounded, bool ignoreCase) const {
1919  CurrentFunctionDescription = "string comparison function";
1920  ProgramStateRef state = C.getState();
1921  const LocationContext *LCtx = C.getLocationContext();
1922 
1923  // Check that the first string is non-null
1924  const Expr *s1 = CE->getArg(0);
1925  SVal s1Val = state->getSVal(s1, LCtx);
1926  state = checkNonNull(C, state, s1, s1Val);
1927  if (!state)
1928  return;
1929 
1930  // Check that the second string is non-null.
1931  const Expr *s2 = CE->getArg(1);
1932  SVal s2Val = state->getSVal(s2, LCtx);
1933  state = checkNonNull(C, state, s2, s2Val);
1934  if (!state)
1935  return;
1936 
1937  // Get the string length of the first string or give up.
1938  SVal s1Length = getCStringLength(C, state, s1, s1Val);
1939  if (s1Length.isUndef())
1940  return;
1941 
1942  // Get the string length of the second string or give up.
1943  SVal s2Length = getCStringLength(C, state, s2, s2Val);
1944  if (s2Length.isUndef())
1945  return;
1946 
1947  // If we know the two buffers are the same, we know the result is 0.
1948  // First, get the two buffers' addresses. Another checker will have already
1949  // made sure they're not undefined.
1950  DefinedOrUnknownSVal LV = s1Val.castAs<DefinedOrUnknownSVal>();
1951  DefinedOrUnknownSVal RV = s2Val.castAs<DefinedOrUnknownSVal>();
1952 
1953  // See if they are the same.
1954  SValBuilder &svalBuilder = C.getSValBuilder();
1955  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1956  ProgramStateRef StSameBuf, StNotSameBuf;
1957  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1958 
1959  // If the two arguments might be the same buffer, we know the result is 0,
1960  // and we only need to check one size.
1961  if (StSameBuf) {
1962  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
1963  svalBuilder.makeZeroVal(CE->getType()));
1964  C.addTransition(StSameBuf);
1965 
1966  // If the two arguments are GUARANTEED to be the same, we're done!
1967  if (!StNotSameBuf)
1968  return;
1969  }
1970 
1971  assert(StNotSameBuf);
1972  state = StNotSameBuf;
1973 
1974  // At this point we can go about comparing the two buffers.
1975  // For now, we only do this if they're both known string literals.
1976 
1977  // Attempt to extract string literals from both expressions.
1978  const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val);
1979  const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val);
1980  bool canComputeResult = false;
1981  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1982  C.blockCount());
1983 
1984  if (s1StrLiteral && s2StrLiteral) {
1985  StringRef s1StrRef = s1StrLiteral->getString();
1986  StringRef s2StrRef = s2StrLiteral->getString();
1987 
1988  if (isBounded) {
1989  // Get the max number of characters to compare.
1990  const Expr *lenExpr = CE->getArg(2);
1991  SVal lenVal = state->getSVal(lenExpr, LCtx);
1992 
1993  // If the length is known, we can get the right substrings.
1994  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
1995  // Create substrings of each to compare the prefix.
1996  s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
1997  s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue());
1998  canComputeResult = true;
1999  }
2000  } else {
2001  // This is a normal, unbounded strcmp.
2002  canComputeResult = true;
2003  }
2004 
2005  if (canComputeResult) {
2006  // Real strcmp stops at null characters.
2007  size_t s1Term = s1StrRef.find('\0');
2008  if (s1Term != StringRef::npos)
2009  s1StrRef = s1StrRef.substr(0, s1Term);
2010 
2011  size_t s2Term = s2StrRef.find('\0');
2012  if (s2Term != StringRef::npos)
2013  s2StrRef = s2StrRef.substr(0, s2Term);
2014 
2015  // Use StringRef's comparison methods to compute the actual result.
2016  int compareRes = ignoreCase ? s1StrRef.compare_lower(s2StrRef)
2017  : s1StrRef.compare(s2StrRef);
2018 
2019  // The strcmp function returns an integer greater than, equal to, or less
2020  // than zero, [c11, p7.24.4.2].
2021  if (compareRes == 0) {
2022  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
2023  }
2024  else {
2025  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
2026  // Constrain strcmp's result range based on the result of StringRef's
2027  // comparison methods.
2028  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
2029  SVal compareWithZero =
2030  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
2031  svalBuilder.getConditionType());
2032  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
2033  state = state->assume(compareWithZeroVal, true);
2034  }
2035  }
2036  }
2037 
2038  state = state->BindExpr(CE, LCtx, resultVal);
2039 
2040  // Record this as a possible path.
2041  C.addTransition(state);
2042 }
2043 
2044 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
2045  //char *strsep(char **stringp, const char *delim);
2046  if (CE->getNumArgs() < 2)
2047  return;
2048 
2049  // Sanity: does the search string parameter match the return type?
2050  const Expr *SearchStrPtr = CE->getArg(0);
2051  QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType();
2052  if (CharPtrTy.isNull() ||
2053  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
2054  return;
2055 
2056  CurrentFunctionDescription = "strsep()";
2057  ProgramStateRef State = C.getState();
2058  const LocationContext *LCtx = C.getLocationContext();
2059 
2060  // Check that the search string pointer is non-null (though it may point to
2061  // a null string).
2062  SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx);
2063  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
2064  if (!State)
2065  return;
2066 
2067  // Check that the delimiter string is non-null.
2068  const Expr *DelimStr = CE->getArg(1);
2069  SVal DelimStrVal = State->getSVal(DelimStr, LCtx);
2070  State = checkNonNull(C, State, DelimStr, DelimStrVal);
2071  if (!State)
2072  return;
2073 
2074  SValBuilder &SVB = C.getSValBuilder();
2075  SVal Result;
2076  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
2077  // Get the current value of the search string pointer, as a char*.
2078  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
2079 
2080  // Invalidate the search string, representing the change of one delimiter
2081  // character to NUL.
2082  State = InvalidateBuffer(C, State, SearchStrPtr, Result,
2083  /*IsSourceBuffer*/false, nullptr);
2084 
2085  // Overwrite the search string pointer. The new value is either an address
2086  // further along in the same string, or NULL if there are no more tokens.
2087  State = State->bindLoc(*SearchStrLoc,
2088  SVB.conjureSymbolVal(getTag(),
2089  CE,
2090  LCtx,
2091  CharPtrTy,
2092  C.blockCount()),
2093  LCtx);
2094  } else {
2095  assert(SearchStrVal.isUnknown());
2096  // Conjure a symbolic value. It's the best we can do.
2097  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2098  }
2099 
2100  // Set the return value, and finish.
2101  State = State->BindExpr(CE, LCtx, Result);
2102  C.addTransition(State);
2103 }
2104 
2105 // These should probably be moved into a C++ standard library checker.
2106 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
2107  evalStdCopyCommon(C, CE);
2108 }
2109 
2110 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
2111  const CallExpr *CE) const {
2112  evalStdCopyCommon(C, CE);
2113 }
2114 
2115 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
2116  const CallExpr *CE) const {
2117  if (CE->getNumArgs() < 3)
2118  return;
2119 
2120  ProgramStateRef State = C.getState();
2121 
2122  const LocationContext *LCtx = C.getLocationContext();
2123 
2124  // template <class _InputIterator, class _OutputIterator>
2125  // _OutputIterator
2126  // copy(_InputIterator __first, _InputIterator __last,
2127  // _OutputIterator __result)
2128 
2129  // Invalidate the destination buffer
2130  const Expr *Dst = CE->getArg(2);
2131  SVal DstVal = State->getSVal(Dst, LCtx);
2132  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
2133  /*Size=*/nullptr);
2134 
2135  SValBuilder &SVB = C.getSValBuilder();
2136 
2137  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2138  State = State->BindExpr(CE, LCtx, ResultVal);
2139 
2140  C.addTransition(State);
2141 }
2142 
2143 void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
2144  if (CE->getNumArgs() != 3)
2145  return;
2146 
2147  CurrentFunctionDescription = "memory set function";
2148 
2149  const Expr *Mem = CE->getArg(0);
2150  const Expr *CharE = CE->getArg(1);
2151  const Expr *Size = CE->getArg(2);
2152  ProgramStateRef State = C.getState();
2153 
2154  // See if the size argument is zero.
2155  const LocationContext *LCtx = C.getLocationContext();
2156  SVal SizeVal = State->getSVal(Size, LCtx);
2157  QualType SizeTy = Size->getType();
2158 
2159  ProgramStateRef StateZeroSize, StateNonZeroSize;
2160  std::tie(StateZeroSize, StateNonZeroSize) =
2161  assumeZero(C, State, SizeVal, SizeTy);
2162 
2163  // Get the value of the memory area.
2164  SVal MemVal = State->getSVal(Mem, LCtx);
2165 
2166  // If the size is zero, there won't be any actual memory access, so
2167  // just bind the return value to the Mem buffer and return.
2168  if (StateZeroSize && !StateNonZeroSize) {
2169  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, MemVal);
2170  C.addTransition(StateZeroSize);
2171  return;
2172  }
2173 
2174  // Ensure the memory area is not null.
2175  // If it is NULL there will be a NULL pointer dereference.
2176  State = checkNonNull(C, StateNonZeroSize, Mem, MemVal);
2177  if (!State)
2178  return;
2179 
2180  State = CheckBufferAccess(C, State, Size, Mem);
2181  if (!State)
2182  return;
2183 
2184  // According to the values of the arguments, bind the value of the second
2185  // argument to the destination buffer and set string length, or just
2186  // invalidate the destination buffer.
2187  if (!memsetAux(Mem, C.getSVal(CharE), Size, C, State))
2188  return;
2189 
2190  State = State->BindExpr(CE, LCtx, MemVal);
2191  C.addTransition(State);
2192 }
2193 
2194 void CStringChecker::evalBzero(CheckerContext &C, const CallExpr *CE) const {
2195  if (CE->getNumArgs() != 2)
2196  return;
2197 
2198  CurrentFunctionDescription = "memory clearance function";
2199 
2200  const Expr *Mem = CE->getArg(0);
2201  const Expr *Size = CE->getArg(1);
2202  SVal Zero = C.getSValBuilder().makeZeroVal(C.getASTContext().IntTy);
2203 
2204  ProgramStateRef State = C.getState();
2205 
2206  // See if the size argument is zero.
2207  SVal SizeVal = C.getSVal(Size);
2208  QualType SizeTy = Size->getType();
2209 
2210  ProgramStateRef StateZeroSize, StateNonZeroSize;
2211  std::tie(StateZeroSize, StateNonZeroSize) =
2212  assumeZero(C, State, SizeVal, SizeTy);
2213 
2214  // If the size is zero, there won't be any actual memory access,
2215  // In this case we just return.
2216  if (StateZeroSize && !StateNonZeroSize) {
2217  C.addTransition(StateZeroSize);
2218  return;
2219  }
2220 
2221  // Get the value of the memory area.
2222  SVal MemVal = C.getSVal(Mem);
2223 
2224  // Ensure the memory area is not null.
2225  // If it is NULL there will be a NULL pointer dereference.
2226  State = checkNonNull(C, StateNonZeroSize, Mem, MemVal);
2227  if (!State)
2228  return;
2229 
2230  State = CheckBufferAccess(C, State, Size, Mem);
2231  if (!State)
2232  return;
2233 
2234  if (!memsetAux(Mem, Zero, Size, C, State))
2235  return;
2236 
2237  C.addTransition(State);
2238 }
2239 
2240 static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name) {
2241  IdentifierInfo *II = FD->getIdentifier();
2242  if (!II)
2243  return false;
2244 
2246  return false;
2247 
2248  if (II->getName().equals(Name))
2249  return true;
2250 
2251  return false;
2252 }
2253 //===----------------------------------------------------------------------===//
2254 // The driver method, and other Checker callbacks.
2255 //===----------------------------------------------------------------------===//
2256 
2257 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
2258  const FunctionDecl *FDecl = C.getCalleeDecl(CE);
2259 
2260  if (!FDecl)
2261  return false;
2262 
2263  // FIXME: Poorly-factored string switches are slow.
2264  FnCheck evalFunction = nullptr;
2265  if (C.isCLibraryFunction(FDecl, "memcpy"))
2266  evalFunction = &CStringChecker::evalMemcpy;
2267  else if (C.isCLibraryFunction(FDecl, "mempcpy"))
2268  evalFunction = &CStringChecker::evalMempcpy;
2269  else if (C.isCLibraryFunction(FDecl, "memcmp"))
2270  evalFunction = &CStringChecker::evalMemcmp;
2271  else if (C.isCLibraryFunction(FDecl, "memmove"))
2272  evalFunction = &CStringChecker::evalMemmove;
2273  else if (C.isCLibraryFunction(FDecl, "memset") ||
2274  C.isCLibraryFunction(FDecl, "explicit_memset"))
2275  evalFunction = &CStringChecker::evalMemset;
2276  else if (C.isCLibraryFunction(FDecl, "strcpy"))
2277  evalFunction = &CStringChecker::evalStrcpy;
2278  else if (C.isCLibraryFunction(FDecl, "strncpy"))
2279  evalFunction = &CStringChecker::evalStrncpy;
2280  else if (C.isCLibraryFunction(FDecl, "stpcpy"))
2281  evalFunction = &CStringChecker::evalStpcpy;
2282  else if (C.isCLibraryFunction(FDecl, "strlcpy"))
2283  evalFunction = &CStringChecker::evalStrlcpy;
2284  else if (C.isCLibraryFunction(FDecl, "strcat"))
2285  evalFunction = &CStringChecker::evalStrcat;
2286  else if (C.isCLibraryFunction(FDecl, "strncat"))
2287  evalFunction = &CStringChecker::evalStrncat;
2288  else if (C.isCLibraryFunction(FDecl, "strlcat"))
2289  evalFunction = &CStringChecker::evalStrlcat;
2290  else if (C.isCLibraryFunction(FDecl, "strlen"))
2291  evalFunction = &CStringChecker::evalstrLength;
2292  else if (C.isCLibraryFunction(FDecl, "strnlen"))
2293  evalFunction = &CStringChecker::evalstrnLength;
2294  else if (C.isCLibraryFunction(FDecl, "strcmp"))
2295  evalFunction = &CStringChecker::evalStrcmp;
2296  else if (C.isCLibraryFunction(FDecl, "strncmp"))
2297  evalFunction = &CStringChecker::evalStrncmp;
2298  else if (C.isCLibraryFunction(FDecl, "strcasecmp"))
2299  evalFunction = &CStringChecker::evalStrcasecmp;
2300  else if (C.isCLibraryFunction(FDecl, "strncasecmp"))
2301  evalFunction = &CStringChecker::evalStrncasecmp;
2302  else if (C.isCLibraryFunction(FDecl, "strsep"))
2303  evalFunction = &CStringChecker::evalStrsep;
2304  else if (C.isCLibraryFunction(FDecl, "bcopy"))
2305  evalFunction = &CStringChecker::evalBcopy;
2306  else if (C.isCLibraryFunction(FDecl, "bcmp"))
2307  evalFunction = &CStringChecker::evalMemcmp;
2308  else if (isCPPStdLibraryFunction(FDecl, "copy"))
2309  evalFunction = &CStringChecker::evalStdCopy;
2310  else if (isCPPStdLibraryFunction(FDecl, "copy_backward"))
2311  evalFunction = &CStringChecker::evalStdCopyBackward;
2312  else if (C.isCLibraryFunction(FDecl, "bzero") ||
2313  C.isCLibraryFunction(FDecl, "explicit_bzero"))
2314  evalFunction = &CStringChecker::evalBzero;
2315 
2316  // If the callee isn't a string function, let another checker handle it.
2317  if (!evalFunction)
2318  return false;
2319 
2320  // Check and evaluate the call.
2321  (this->*evalFunction)(C, CE);
2322 
2323  // If the evaluate call resulted in no change, chain to the next eval call
2324  // handler.
2325  // Note, the custom CString evaluation calls assume that basic safety
2326  // properties are held. However, if the user chooses to turn off some of these
2327  // checks, we ignore the issues and leave the call evaluation to a generic
2328  // handler.
2329  return C.isDifferent();
2330 }
2331 
2332 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2333  // Record string length for char a[] = "abc";
2334  ProgramStateRef state = C.getState();
2335 
2336  for (const auto *I : DS->decls()) {
2337  const VarDecl *D = dyn_cast<VarDecl>(I);
2338  if (!D)
2339  continue;
2340 
2341  // FIXME: Handle array fields of structs.
2342  if (!D->getType()->isArrayType())
2343  continue;
2344 
2345  const Expr *Init = D->getInit();
2346  if (!Init)
2347  continue;
2348  if (!isa<StringLiteral>(Init))
2349  continue;
2350 
2351  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2352  const MemRegion *MR = VarLoc.getAsRegion();
2353  if (!MR)
2354  continue;
2355 
2356  SVal StrVal = C.getSVal(Init);
2357  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2358  DefinedOrUnknownSVal strLength =
2359  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2360 
2361  state = state->set<CStringLength>(MR, strLength);
2362  }
2363 
2364  C.addTransition(state);
2365 }
2366 
2368 CStringChecker::checkRegionChanges(ProgramStateRef state,
2369  const InvalidatedSymbols *,
2370  ArrayRef<const MemRegion *> ExplicitRegions,
2372  const LocationContext *LCtx,
2373  const CallEvent *Call) const {
2374  CStringLengthTy Entries = state->get<CStringLength>();
2375  if (Entries.isEmpty())
2376  return state;
2377 
2378  llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
2379  llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
2380 
2381  // First build sets for the changed regions and their super-regions.
2383  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2384  const MemRegion *MR = *I;
2385  Invalidated.insert(MR);
2386 
2387  SuperRegions.insert(MR);
2388  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2389  MR = SR->getSuperRegion();
2390  SuperRegions.insert(MR);
2391  }
2392  }
2393 
2394  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2395 
2396  // Then loop over the entries in the current state.
2397  for (CStringLengthTy::iterator I = Entries.begin(),
2398  E = Entries.end(); I != E; ++I) {
2399  const MemRegion *MR = I.getKey();
2400 
2401  // Is this entry for a super-region of a changed region?
2402  if (SuperRegions.count(MR)) {
2403  Entries = F.remove(Entries, MR);
2404  continue;
2405  }
2406 
2407  // Is this entry for a sub-region of a changed region?
2408  const MemRegion *Super = MR;
2409  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2410  Super = SR->getSuperRegion();
2411  if (Invalidated.count(Super)) {
2412  Entries = F.remove(Entries, MR);
2413  break;
2414  }
2415  }
2416  }
2417 
2418  return state->set<CStringLength>(Entries);
2419 }
2420 
2421 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2422  SymbolReaper &SR) const {
2423  // Mark all symbols in our string length map as valid.
2424  CStringLengthTy Entries = state->get<CStringLength>();
2425 
2426  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2427  I != E; ++I) {
2428  SVal Len = I.getData();
2429 
2430  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2431  se = Len.symbol_end(); si != se; ++si)
2432  SR.markInUse(*si);
2433  }
2434 }
2435 
2436 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2437  CheckerContext &C) const {
2438  ProgramStateRef state = C.getState();
2439  CStringLengthTy Entries = state->get<CStringLength>();
2440  if (Entries.isEmpty())
2441  return;
2442 
2443  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2444  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2445  I != E; ++I) {
2446  SVal Len = I.getData();
2447  if (SymbolRef Sym = Len.getAsSymbol()) {
2448  if (SR.isDead(Sym))
2449  Entries = F.remove(Entries, I.getKey());
2450  }
2451  }
2452 
2453  state = state->set<CStringLength>(Entries);
2454  C.addTransition(state);
2455 }
2456 
2457 #define REGISTER_CHECKER(name) \
2458  void ento::register##name(CheckerManager &mgr) { \
2459  CStringChecker *checker = mgr.registerChecker<CStringChecker>(); \
2460  checker->Filter.Check##name = true; \
2461  checker->Filter.CheckName##name = mgr.getCurrentCheckName(); \
2462  }
2463 
2464  REGISTER_CHECKER(CStringNullArg)
2465  REGISTER_CHECKER(CStringOutOfBounds)
2466  REGISTER_CHECKER(CStringBufferOverlap)
2467 REGISTER_CHECKER(CStringNotNullTerm)
2468 
2470  Mgr.registerChecker<CStringChecker>();
2471  }
Represents a function declaration or definition.
Definition: Decl.h:1739
A (possibly-)qualified type.
Definition: Type.h:638
bool isArrayType() const
Definition: Type.h:6349
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2495
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:52
const SymExpr * SymbolRef
Stmt - This represents one statement.
Definition: Stmt.h:66
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2483
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:505
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Represents a variable declaration or definition.
Definition: Decl.h:812
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:269
One of these records is kept for each identifier that is lexed.
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:154
LineState State
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
void registerCStringCheckerBasic(CheckerManager &Mgr)
Register the checker which evaluates CString API calls.
BinaryOperatorKind
static bool isInStdNamespace(const Decl *D)
Returns true if the root namespace of the given declaration is the &#39;std&#39; C++ namespace.
static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name)
CanQualType UnsignedCharTy
Definition: ASTContext.h:1025
StringRef getString() const
Definition: Expr.h:1660
#define REGISTER_CHECKER(name)
unsigned Offset
Definition: Format.cpp:1631
This represents one expression.
Definition: Expr.h:106
std::string Label
QualType getType() const
Definition: Expr.h:128
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:703
llvm::cl::opt< std::string > Filter
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
DeclStmt - Adaptor class for mixing declarations with statements and expressions. ...
Definition: Stmt.h:926
Tells that a region&#39;s contents is not changed.
Definition: MemRegion.h:1457
StringRef getName() const
Return the actual identifier string.
CanQualType CharTy
Definition: ASTContext.h:1017
Dataflow Directional Tag Classes.
const Expr * getInit() const
Definition: Decl.h:1219
unsigned getByteLength() const
Definition: Expr.h:1688
decl_range decls()
Definition: Stmt.h:969
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:6156
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:276
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1577
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2407
LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:174
CanQualType IntTy
Definition: ASTContext.h:1024
QualType getType() const
Definition: Decl.h:647
This represents a decl that may have a name.
Definition: Decl.h:248
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.