clang  7.0.0svn
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines CStringChecker, which is an assortment of checks on calls
11 // to functions in <string.h>.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "InterCheckerAPI.h"
17 #include "clang/Basic/CharInfo.h"
23 #include "llvm/ADT/STLExtras.h"
24 #include "llvm/ADT/SmallString.h"
25 #include "llvm/Support/raw_ostream.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 namespace {
31 class CStringChecker : public Checker< eval::Call,
32  check::PreStmt<DeclStmt>,
33  check::LiveSymbols,
34  check::DeadSymbols,
35  check::RegionChanges
36  > {
37  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
38  BT_NotCString, BT_AdditionOverflow;
39 
40  mutable const char *CurrentFunctionDescription;
41 
42 public:
43  /// The filter is used to filter out the diagnostics which are not enabled by
44  /// the user.
45  struct CStringChecksFilter {
46  DefaultBool CheckCStringNullArg;
47  DefaultBool CheckCStringOutOfBounds;
48  DefaultBool CheckCStringBufferOverlap;
49  DefaultBool CheckCStringNotNullTerm;
50 
51  CheckName CheckNameCStringNullArg;
52  CheckName CheckNameCStringOutOfBounds;
53  CheckName CheckNameCStringBufferOverlap;
54  CheckName CheckNameCStringNotNullTerm;
55  };
56 
57  CStringChecksFilter Filter;
58 
59  static void *getTag() { static int tag; return &tag; }
60 
61  bool evalCall(const CallExpr *CE, CheckerContext &C) const;
62  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
63  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
64  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
65 
67  checkRegionChanges(ProgramStateRef state,
68  const InvalidatedSymbols *,
69  ArrayRef<const MemRegion *> ExplicitRegions,
71  const LocationContext *LCtx,
72  const CallEvent *Call) const;
73 
74  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
75  const CallExpr *) const;
76 
77  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
78  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
79  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
80  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
81  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
83  const Expr *Size,
84  const Expr *Source,
85  const Expr *Dest,
86  bool Restricted = false,
87  bool IsMempcpy = false) const;
88 
89  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
90 
91  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
92  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
93  void evalstrLengthCommon(CheckerContext &C,
94  const CallExpr *CE,
95  bool IsStrnlen = false) const;
96 
97  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
98  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
99  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
100  void evalStrcpyCommon(CheckerContext &C,
101  const CallExpr *CE,
102  bool returnEnd,
103  bool isBounded,
104  bool isAppending) const;
105 
106  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
107  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
108 
109  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
110  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
111  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
112  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
113  void evalStrcmpCommon(CheckerContext &C,
114  const CallExpr *CE,
115  bool isBounded = false,
116  bool ignoreCase = false) const;
117 
118  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
119 
120  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
121  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
122  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
123  void evalMemset(CheckerContext &C, const CallExpr *CE) const;
124 
125  // Utility methods
126  std::pair<ProgramStateRef , ProgramStateRef >
127  static assumeZero(CheckerContext &C,
129 
130  static ProgramStateRef setCStringLength(ProgramStateRef state,
131  const MemRegion *MR,
132  SVal strLength);
133  static SVal getCStringLengthForRegion(CheckerContext &C,
135  const Expr *Ex,
136  const MemRegion *MR,
137  bool hypothetical);
138  SVal getCStringLength(CheckerContext &C,
140  const Expr *Ex,
141  SVal Buf,
142  bool hypothetical = false) const;
143 
144  const StringLiteral *getCStringLiteral(CheckerContext &C,
146  const Expr *expr,
147  SVal val) const;
148 
149  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
151  const Expr *Ex, SVal V,
152  bool IsSourceBuffer,
153  const Expr *Size);
154 
155  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
156  const MemRegion *MR);
157 
158  // Re-usable checks
159  ProgramStateRef checkNonNull(CheckerContext &C,
161  const Expr *S,
162  SVal l) const;
163  ProgramStateRef CheckLocation(CheckerContext &C,
165  const Expr *S,
166  SVal l,
167  const char *message = nullptr) const;
168  ProgramStateRef CheckBufferAccess(CheckerContext &C,
170  const Expr *Size,
171  const Expr *FirstBuf,
172  const Expr *SecondBuf,
173  const char *firstMessage = nullptr,
174  const char *secondMessage = nullptr,
175  bool WarnAboutSize = false) const;
176 
177  ProgramStateRef CheckBufferAccess(CheckerContext &C,
179  const Expr *Size,
180  const Expr *Buf,
181  const char *message = nullptr,
182  bool WarnAboutSize = false) const {
183  // This is a convenience override.
184  return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
185  WarnAboutSize);
186  }
187  ProgramStateRef CheckOverlap(CheckerContext &C,
189  const Expr *Size,
190  const Expr *First,
191  const Expr *Second) const;
192  void emitOverlapBug(CheckerContext &C,
194  const Stmt *First,
195  const Stmt *Second) const;
196 
197  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
199  NonLoc left,
200  NonLoc right) const;
201 
202  // Return true if the destination buffer of the copy function may be in bound.
203  // Expects SVal of Size to be positive and unsigned.
204  // Expects SVal of FirstBuf to be a FieldRegion.
205  static bool IsFirstBufInBound(CheckerContext &C,
207  const Expr *FirstBuf,
208  const Expr *Size);
209 };
210 
211 } //end anonymous namespace
212 
213 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
214 
215 //===----------------------------------------------------------------------===//
216 // Individual checks and utility methods.
217 //===----------------------------------------------------------------------===//
218 
219 std::pair<ProgramStateRef , ProgramStateRef >
220 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
221  QualType Ty) {
223  if (!val)
224  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
225 
226  SValBuilder &svalBuilder = C.getSValBuilder();
227  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
228  return state->assume(svalBuilder.evalEQ(state, *val, zero));
229 }
230 
231 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
232  ProgramStateRef state,
233  const Expr *S, SVal l) const {
234  // If a previous check has failed, propagate the failure.
235  if (!state)
236  return nullptr;
237 
238  ProgramStateRef stateNull, stateNonNull;
239  std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
240 
241  if (stateNull && !stateNonNull) {
242  if (!Filter.CheckCStringNullArg)
243  return nullptr;
244 
245  ExplodedNode *N = C.generateErrorNode(stateNull);
246  if (!N)
247  return nullptr;
248 
249  if (!BT_Null)
250  BT_Null.reset(new BuiltinBug(
251  Filter.CheckNameCStringNullArg, categories::UnixAPI,
252  "Null pointer argument in call to byte string function"));
253 
254  SmallString<80> buf;
255  llvm::raw_svector_ostream os(buf);
256  assert(CurrentFunctionDescription);
257  os << "Null pointer argument in call to " << CurrentFunctionDescription;
258 
259  // Generate a report for this bug.
260  BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get());
261  auto report = llvm::make_unique<BugReport>(*BT, os.str(), N);
262 
263  report->addRange(S->getSourceRange());
264  bugreporter::trackNullOrUndefValue(N, S, *report);
265  C.emitReport(std::move(report));
266  return nullptr;
267  }
268 
269  // From here on, assume that the value is non-null.
270  assert(stateNonNull);
271  return stateNonNull;
272 }
273 
274 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
275 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
276  ProgramStateRef state,
277  const Expr *S, SVal l,
278  const char *warningMsg) const {
279  // If a previous check has failed, propagate the failure.
280  if (!state)
281  return nullptr;
282 
283  // Check for out of bound array element access.
284  const MemRegion *R = l.getAsRegion();
285  if (!R)
286  return state;
287 
288  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
289  if (!ER)
290  return state;
291 
292  if (ER->getValueType() != C.getASTContext().CharTy)
293  return state;
294 
295  // Get the size of the array.
296  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
297  SValBuilder &svalBuilder = C.getSValBuilder();
298  SVal Extent =
299  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
301 
302  // Get the index of the accessed element.
304 
305  ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
306  ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
307  if (StOutBound && !StInBound) {
308  ExplodedNode *N = C.generateErrorNode(StOutBound);
309  if (!N)
310  return nullptr;
311 
312  CheckName Name;
313  // These checks are either enabled by the CString out-of-bounds checker
314  // explicitly or the "basic" CStringNullArg checker support that Malloc
315  // checker enables.
316  assert(Filter.CheckCStringOutOfBounds || Filter.CheckCStringNullArg);
317  if (Filter.CheckCStringOutOfBounds)
318  Name = Filter.CheckNameCStringOutOfBounds;
319  else
320  Name = Filter.CheckNameCStringNullArg;
321 
322  if (!BT_Bounds) {
323  BT_Bounds.reset(new BuiltinBug(
324  Name, "Out-of-bound array access",
325  "Byte string function accesses out-of-bound array element"));
326  }
327  BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get());
328 
329  // Generate a report for this bug.
330  std::unique_ptr<BugReport> report;
331  if (warningMsg) {
332  report = llvm::make_unique<BugReport>(*BT, warningMsg, N);
333  } else {
334  assert(CurrentFunctionDescription);
335  assert(CurrentFunctionDescription[0] != '\0');
336 
337  SmallString<80> buf;
338  llvm::raw_svector_ostream os(buf);
339  os << toUppercase(CurrentFunctionDescription[0])
340  << &CurrentFunctionDescription[1]
341  << " accesses out-of-bound array element";
342  report = llvm::make_unique<BugReport>(*BT, os.str(), N);
343  }
344 
345  // FIXME: It would be nice to eventually make this diagnostic more clear,
346  // e.g., by referencing the original declaration or by saying *why* this
347  // reference is outside the range.
348 
349  report->addRange(S->getSourceRange());
350  C.emitReport(std::move(report));
351  return nullptr;
352  }
353 
354  // Array bound check succeeded. From this point forward the array bound
355  // should always succeed.
356  return StInBound;
357 }
358 
359 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
360  ProgramStateRef state,
361  const Expr *Size,
362  const Expr *FirstBuf,
363  const Expr *SecondBuf,
364  const char *firstMessage,
365  const char *secondMessage,
366  bool WarnAboutSize) const {
367  // If a previous check has failed, propagate the failure.
368  if (!state)
369  return nullptr;
370 
371  SValBuilder &svalBuilder = C.getSValBuilder();
372  ASTContext &Ctx = svalBuilder.getContext();
373  const LocationContext *LCtx = C.getLocationContext();
374 
375  QualType sizeTy = Size->getType();
376  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
377 
378  // Check that the first buffer is non-null.
379  SVal BufVal = C.getSVal(FirstBuf);
380  state = checkNonNull(C, state, FirstBuf, BufVal);
381  if (!state)
382  return nullptr;
383 
384  // If out-of-bounds checking is turned off, skip the rest.
385  if (!Filter.CheckCStringOutOfBounds)
386  return state;
387 
388  // Get the access length and make sure it is known.
389  // FIXME: This assumes the caller has already checked that the access length
390  // is positive. And that it's unsigned.
391  SVal LengthVal = C.getSVal(Size);
392  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
393  if (!Length)
394  return state;
395 
396  // Compute the offset of the last element to be accessed: size-1.
397  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
398  NonLoc LastOffset = svalBuilder
399  .evalBinOpNN(state, BO_Sub, *Length, One, sizeTy).castAs<NonLoc>();
400 
401  // Check that the first buffer is sufficiently long.
402  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
403  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
404  const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
405 
406  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
407  LastOffset, PtrTy);
408  state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
409 
410  // If the buffer isn't large enough, abort.
411  if (!state)
412  return nullptr;
413  }
414 
415  // If there's a second buffer, check it as well.
416  if (SecondBuf) {
417  BufVal = state->getSVal(SecondBuf, LCtx);
418  state = checkNonNull(C, state, SecondBuf, BufVal);
419  if (!state)
420  return nullptr;
421 
422  BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
423  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
424  const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
425 
426  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
427  LastOffset, PtrTy);
428  state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
429  }
430  }
431 
432  // Large enough or not, return this state!
433  return state;
434 }
435 
436 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
437  ProgramStateRef state,
438  const Expr *Size,
439  const Expr *First,
440  const Expr *Second) const {
441  if (!Filter.CheckCStringBufferOverlap)
442  return state;
443 
444  // Do a simple check for overlap: if the two arguments are from the same
445  // buffer, see if the end of the first is greater than the start of the second
446  // or vice versa.
447 
448  // If a previous check has failed, propagate the failure.
449  if (!state)
450  return nullptr;
451 
452  ProgramStateRef stateTrue, stateFalse;
453 
454  // Get the buffer values and make sure they're known locations.
455  const LocationContext *LCtx = C.getLocationContext();
456  SVal firstVal = state->getSVal(First, LCtx);
457  SVal secondVal = state->getSVal(Second, LCtx);
458 
459  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
460  if (!firstLoc)
461  return state;
462 
463  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
464  if (!secondLoc)
465  return state;
466 
467  // Are the two values the same?
468  SValBuilder &svalBuilder = C.getSValBuilder();
469  std::tie(stateTrue, stateFalse) =
470  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
471 
472  if (stateTrue && !stateFalse) {
473  // If the values are known to be equal, that's automatically an overlap.
474  emitOverlapBug(C, stateTrue, First, Second);
475  return nullptr;
476  }
477 
478  // assume the two expressions are not equal.
479  assert(stateFalse);
480  state = stateFalse;
481 
482  // Which value comes first?
483  QualType cmpTy = svalBuilder.getConditionType();
484  SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT,
485  *firstLoc, *secondLoc, cmpTy);
486  Optional<DefinedOrUnknownSVal> reverseTest =
487  reverse.getAs<DefinedOrUnknownSVal>();
488  if (!reverseTest)
489  return state;
490 
491  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
492  if (stateTrue) {
493  if (stateFalse) {
494  // If we don't know which one comes first, we can't perform this test.
495  return state;
496  } else {
497  // Switch the values so that firstVal is before secondVal.
498  std::swap(firstLoc, secondLoc);
499 
500  // Switch the Exprs as well, so that they still correspond.
501  std::swap(First, Second);
502  }
503  }
504 
505  // Get the length, and make sure it too is known.
506  SVal LengthVal = state->getSVal(Size, LCtx);
507  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
508  if (!Length)
509  return state;
510 
511  // Convert the first buffer's start address to char*.
512  // Bail out if the cast fails.
513  ASTContext &Ctx = svalBuilder.getContext();
514  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
515  SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy,
516  First->getType());
517  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
518  if (!FirstStartLoc)
519  return state;
520 
521  // Compute the end of the first buffer. Bail out if THAT fails.
522  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add,
523  *FirstStartLoc, *Length, CharPtrTy);
524  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
525  if (!FirstEndLoc)
526  return state;
527 
528  // Is the end of the first buffer past the start of the second buffer?
529  SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT,
530  *FirstEndLoc, *secondLoc, cmpTy);
531  Optional<DefinedOrUnknownSVal> OverlapTest =
532  Overlap.getAs<DefinedOrUnknownSVal>();
533  if (!OverlapTest)
534  return state;
535 
536  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
537 
538  if (stateTrue && !stateFalse) {
539  // Overlap!
540  emitOverlapBug(C, stateTrue, First, Second);
541  return nullptr;
542  }
543 
544  // assume the two expressions don't overlap.
545  assert(stateFalse);
546  return stateFalse;
547 }
548 
549 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
550  const Stmt *First, const Stmt *Second) const {
551  ExplodedNode *N = C.generateErrorNode(state);
552  if (!N)
553  return;
554 
555  if (!BT_Overlap)
556  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
557  categories::UnixAPI, "Improper arguments"));
558 
559  // Generate a report for this bug.
560  auto report = llvm::make_unique<BugReport>(
561  *BT_Overlap, "Arguments must not be overlapping buffers", N);
562  report->addRange(First->getSourceRange());
563  report->addRange(Second->getSourceRange());
564 
565  C.emitReport(std::move(report));
566 }
567 
568 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
569  ProgramStateRef state,
570  NonLoc left,
571  NonLoc right) const {
572  // If out-of-bounds checking is turned off, skip the rest.
573  if (!Filter.CheckCStringOutOfBounds)
574  return state;
575 
576  // If a previous check has failed, propagate the failure.
577  if (!state)
578  return nullptr;
579 
580  SValBuilder &svalBuilder = C.getSValBuilder();
581  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
582 
583  QualType sizeTy = svalBuilder.getContext().getSizeType();
584  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
585  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
586 
587  SVal maxMinusRight;
588  if (right.getAs<nonloc::ConcreteInt>()) {
589  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
590  sizeTy);
591  } else {
592  // Try switching the operands. (The order of these two assignments is
593  // important!)
594  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
595  sizeTy);
596  left = right;
597  }
598 
599  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
600  QualType cmpTy = svalBuilder.getConditionType();
601  // If left > max - right, we have an overflow.
602  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
603  *maxMinusRightNL, cmpTy);
604 
605  ProgramStateRef stateOverflow, stateOkay;
606  std::tie(stateOverflow, stateOkay) =
607  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
608 
609  if (stateOverflow && !stateOkay) {
610  // We have an overflow. Emit a bug report.
611  ExplodedNode *N = C.generateErrorNode(stateOverflow);
612  if (!N)
613  return nullptr;
614 
615  if (!BT_AdditionOverflow)
616  BT_AdditionOverflow.reset(
617  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
618  "Sum of expressions causes overflow"));
619 
620  // This isn't a great error message, but this should never occur in real
621  // code anyway -- you'd have to create a buffer longer than a size_t can
622  // represent, which is sort of a contradiction.
623  const char *warning =
624  "This expression will create a string whose length is too big to "
625  "be represented as a size_t";
626 
627  // Generate a report for this bug.
628  C.emitReport(
629  llvm::make_unique<BugReport>(*BT_AdditionOverflow, warning, N));
630 
631  return nullptr;
632  }
633 
634  // From now on, assume an overflow didn't occur.
635  assert(stateOkay);
636  state = stateOkay;
637  }
638 
639  return state;
640 }
641 
642 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
643  const MemRegion *MR,
644  SVal strLength) {
645  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
646 
647  MR = MR->StripCasts();
648 
649  switch (MR->getKind()) {
650  case MemRegion::StringRegionKind:
651  // FIXME: This can happen if we strcpy() into a string region. This is
652  // undefined [C99 6.4.5p6], but we should still warn about it.
653  return state;
654 
655  case MemRegion::SymbolicRegionKind:
656  case MemRegion::AllocaRegionKind:
657  case MemRegion::VarRegionKind:
658  case MemRegion::FieldRegionKind:
659  case MemRegion::ObjCIvarRegionKind:
660  // These are the types we can currently track string lengths for.
661  break;
662 
663  case MemRegion::ElementRegionKind:
664  // FIXME: Handle element regions by upper-bounding the parent region's
665  // string length.
666  return state;
667 
668  default:
669  // Other regions (mostly non-data) can't have a reliable C string length.
670  // For now, just ignore the change.
671  // FIXME: These are rare but not impossible. We should output some kind of
672  // warning for things like strcpy((char[]){'a', 0}, "b");
673  return state;
674  }
675 
676  if (strLength.isUnknown())
677  return state->remove<CStringLength>(MR);
678 
679  return state->set<CStringLength>(MR, strLength);
680 }
681 
682 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
683  ProgramStateRef &state,
684  const Expr *Ex,
685  const MemRegion *MR,
686  bool hypothetical) {
687  if (!hypothetical) {
688  // If there's a recorded length, go ahead and return it.
689  const SVal *Recorded = state->get<CStringLength>(MR);
690  if (Recorded)
691  return *Recorded;
692  }
693 
694  // Otherwise, get a new symbol and update the state.
695  SValBuilder &svalBuilder = C.getSValBuilder();
696  QualType sizeTy = svalBuilder.getContext().getSizeType();
697  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
698  MR, Ex, sizeTy,
699  C.getLocationContext(),
700  C.blockCount());
701 
702  if (!hypothetical) {
703  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
704  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
705  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
706  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
707  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
708  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
709  fourInt);
710  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
711  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
712  maxLength, sizeTy);
713  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
714  }
715  state = state->set<CStringLength>(MR, strLength);
716  }
717 
718  return strLength;
719 }
720 
721 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
722  const Expr *Ex, SVal Buf,
723  bool hypothetical) const {
724  const MemRegion *MR = Buf.getAsRegion();
725  if (!MR) {
726  // If we can't get a region, see if it's something we /know/ isn't a
727  // C string. In the context of locations, the only time we can issue such
728  // a warning is for labels.
730  if (!Filter.CheckCStringNotNullTerm)
731  return UndefinedVal();
732 
733  if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
734  if (!BT_NotCString)
735  BT_NotCString.reset(new BuiltinBug(
736  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
737  "Argument is not a null-terminated string."));
738 
739  SmallString<120> buf;
740  llvm::raw_svector_ostream os(buf);
741  assert(CurrentFunctionDescription);
742  os << "Argument to " << CurrentFunctionDescription
743  << " is the address of the label '" << Label->getLabel()->getName()
744  << "', which is not a null-terminated string";
745 
746  // Generate a report for this bug.
747  auto report = llvm::make_unique<BugReport>(*BT_NotCString, os.str(), N);
748 
749  report->addRange(Ex->getSourceRange());
750  C.emitReport(std::move(report));
751  }
752  return UndefinedVal();
753 
754  }
755 
756  // If it's not a region and not a label, give up.
757  return UnknownVal();
758  }
759 
760  // If we have a region, strip casts from it and see if we can figure out
761  // its length. For anything we can't figure out, just return UnknownVal.
762  MR = MR->StripCasts();
763 
764  switch (MR->getKind()) {
765  case MemRegion::StringRegionKind: {
766  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
767  // so we can assume that the byte length is the correct C string length.
768  SValBuilder &svalBuilder = C.getSValBuilder();
769  QualType sizeTy = svalBuilder.getContext().getSizeType();
770  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
771  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
772  }
773  case MemRegion::SymbolicRegionKind:
774  case MemRegion::AllocaRegionKind:
775  case MemRegion::VarRegionKind:
776  case MemRegion::FieldRegionKind:
777  case MemRegion::ObjCIvarRegionKind:
778  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
779  case MemRegion::CompoundLiteralRegionKind:
780  // FIXME: Can we track this? Is it necessary?
781  return UnknownVal();
782  case MemRegion::ElementRegionKind:
783  // FIXME: How can we handle this? It's not good enough to subtract the
784  // offset from the base string length; consider "123\x00567" and &a[5].
785  return UnknownVal();
786  default:
787  // Other regions (mostly non-data) can't have a reliable C string length.
788  // In this case, an error is emitted and UndefinedVal is returned.
789  // The caller should always be prepared to handle this case.
790  if (!Filter.CheckCStringNotNullTerm)
791  return UndefinedVal();
792 
793  if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
794  if (!BT_NotCString)
795  BT_NotCString.reset(new BuiltinBug(
796  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
797  "Argument is not a null-terminated string."));
798 
799  SmallString<120> buf;
800  llvm::raw_svector_ostream os(buf);
801 
802  assert(CurrentFunctionDescription);
803  os << "Argument to " << CurrentFunctionDescription << " is ";
804 
805  if (SummarizeRegion(os, C.getASTContext(), MR))
806  os << ", which is not a null-terminated string";
807  else
808  os << "not a null-terminated string";
809 
810  // Generate a report for this bug.
811  auto report = llvm::make_unique<BugReport>(*BT_NotCString, os.str(), N);
812 
813  report->addRange(Ex->getSourceRange());
814  C.emitReport(std::move(report));
815  }
816 
817  return UndefinedVal();
818  }
819 }
820 
821 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
822  ProgramStateRef &state, const Expr *expr, SVal val) const {
823 
824  // Get the memory region pointed to by the val.
825  const MemRegion *bufRegion = val.getAsRegion();
826  if (!bufRegion)
827  return nullptr;
828 
829  // Strip casts off the memory region.
830  bufRegion = bufRegion->StripCasts();
831 
832  // Cast the memory region to a string region.
833  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
834  if (!strRegion)
835  return nullptr;
836 
837  // Return the actual string in the string region.
838  return strRegion->getStringLiteral();
839 }
840 
841 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
842  ProgramStateRef state,
843  const Expr *FirstBuf,
844  const Expr *Size) {
845  // If we do not know that the buffer is long enough we return 'true'.
846  // Otherwise the parent region of this field region would also get
847  // invalidated, which would lead to warnings based on an unknown state.
848 
849  // Originally copied from CheckBufferAccess and CheckLocation.
850  SValBuilder &svalBuilder = C.getSValBuilder();
851  ASTContext &Ctx = svalBuilder.getContext();
852  const LocationContext *LCtx = C.getLocationContext();
853 
854  QualType sizeTy = Size->getType();
855  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
856  SVal BufVal = state->getSVal(FirstBuf, LCtx);
857 
858  SVal LengthVal = state->getSVal(Size, LCtx);
859  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
860  if (!Length)
861  return true; // cf top comment.
862 
863  // Compute the offset of the last element to be accessed: size-1.
864  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
865  NonLoc LastOffset =
866  svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy)
867  .castAs<NonLoc>();
868 
869  // Check that the first buffer is sufficiently long.
870  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
871  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
872  if (!BufLoc)
873  return true; // cf top comment.
874 
875  SVal BufEnd =
876  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
877 
878  // Check for out of bound array element access.
879  const MemRegion *R = BufEnd.getAsRegion();
880  if (!R)
881  return true; // cf top comment.
882 
883  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
884  if (!ER)
885  return true; // cf top comment.
886 
887  // FIXME: Does this crash when a non-standard definition
888  // of a library function is encountered?
889  assert(ER->getValueType() == C.getASTContext().CharTy &&
890  "IsFirstBufInBound should only be called with char* ElementRegions");
891 
892  // Get the size of the array.
893  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
894  SVal Extent =
895  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
896  DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
897 
898  // Get the index of the accessed element.
900 
901  ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true);
902 
903  return static_cast<bool>(StInBound);
904 }
905 
906 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
907  ProgramStateRef state,
908  const Expr *E, SVal V,
909  bool IsSourceBuffer,
910  const Expr *Size) {
911  Optional<Loc> L = V.getAs<Loc>();
912  if (!L)
913  return state;
914 
915  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
916  // some assumptions about the value that CFRefCount can't. Even so, it should
917  // probably be refactored.
918  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
919  const MemRegion *R = MR->getRegion()->StripCasts();
920 
921  // Are we dealing with an ElementRegion? If so, we should be invalidating
922  // the super-region.
923  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
924  R = ER->getSuperRegion();
925  // FIXME: What about layers of ElementRegions?
926  }
927 
928  // Invalidate this region.
930 
931  bool CausesPointerEscape = false;
933  // Invalidate and escape only indirect regions accessible through the source
934  // buffer.
935  if (IsSourceBuffer) {
936  ITraits.setTrait(R->getBaseRegion(),
939  CausesPointerEscape = true;
940  } else {
941  const MemRegion::Kind& K = R->getKind();
942  if (K == MemRegion::FieldRegionKind)
943  if (Size && IsFirstBufInBound(C, state, E, Size)) {
944  // If destination buffer is a field region and access is in bound,
945  // do not invalidate its super region.
946  ITraits.setTrait(
947  R,
949  }
950  }
951 
952  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
953  CausesPointerEscape, nullptr, nullptr,
954  &ITraits);
955  }
956 
957  // If we have a non-region value by chance, just remove the binding.
958  // FIXME: is this necessary or correct? This handles the non-Region
959  // cases. Is it ever valid to store to these?
960  return state->killBinding(*L);
961 }
962 
963 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
964  const MemRegion *MR) {
965  const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR);
966 
967  switch (MR->getKind()) {
968  case MemRegion::FunctionCodeRegionKind: {
969  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
970  if (FD)
971  os << "the address of the function '" << *FD << '\'';
972  else
973  os << "the address of a function";
974  return true;
975  }
976  case MemRegion::BlockCodeRegionKind:
977  os << "block text";
978  return true;
979  case MemRegion::BlockDataRegionKind:
980  os << "a block";
981  return true;
982  case MemRegion::CXXThisRegionKind:
983  case MemRegion::CXXTempObjectRegionKind:
984  os << "a C++ temp object of type " << TVR->getValueType().getAsString();
985  return true;
986  case MemRegion::VarRegionKind:
987  os << "a variable of type" << TVR->getValueType().getAsString();
988  return true;
989  case MemRegion::FieldRegionKind:
990  os << "a field of type " << TVR->getValueType().getAsString();
991  return true;
992  case MemRegion::ObjCIvarRegionKind:
993  os << "an instance variable of type " << TVR->getValueType().getAsString();
994  return true;
995  default:
996  return false;
997  }
998 }
999 
1000 //===----------------------------------------------------------------------===//
1001 // evaluation of individual function calls.
1002 //===----------------------------------------------------------------------===//
1003 
1004 void CStringChecker::evalCopyCommon(CheckerContext &C,
1005  const CallExpr *CE,
1006  ProgramStateRef state,
1007  const Expr *Size, const Expr *Dest,
1008  const Expr *Source, bool Restricted,
1009  bool IsMempcpy) const {
1010  CurrentFunctionDescription = "memory copy function";
1011 
1012  // See if the size argument is zero.
1013  const LocationContext *LCtx = C.getLocationContext();
1014  SVal sizeVal = state->getSVal(Size, LCtx);
1015  QualType sizeTy = Size->getType();
1016 
1017  ProgramStateRef stateZeroSize, stateNonZeroSize;
1018  std::tie(stateZeroSize, stateNonZeroSize) =
1019  assumeZero(C, state, sizeVal, sizeTy);
1020 
1021  // Get the value of the Dest.
1022  SVal destVal = state->getSVal(Dest, LCtx);
1023 
1024  // If the size is zero, there won't be any actual memory access, so
1025  // just bind the return value to the destination buffer and return.
1026  if (stateZeroSize && !stateNonZeroSize) {
1027  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1028  C.addTransition(stateZeroSize);
1029  return;
1030  }
1031 
1032  // If the size can be nonzero, we have to check the other arguments.
1033  if (stateNonZeroSize) {
1034  state = stateNonZeroSize;
1035 
1036  // Ensure the destination is not null. If it is NULL there will be a
1037  // NULL pointer dereference.
1038  state = checkNonNull(C, state, Dest, destVal);
1039  if (!state)
1040  return;
1041 
1042  // Get the value of the Src.
1043  SVal srcVal = state->getSVal(Source, LCtx);
1044 
1045  // Ensure the source is not null. If it is NULL there will be a
1046  // NULL pointer dereference.
1047  state = checkNonNull(C, state, Source, srcVal);
1048  if (!state)
1049  return;
1050 
1051  // Ensure the accesses are valid and that the buffers do not overlap.
1052  const char * const writeWarning =
1053  "Memory copy function overflows destination buffer";
1054  state = CheckBufferAccess(C, state, Size, Dest, Source,
1055  writeWarning, /* sourceWarning = */ nullptr);
1056  if (Restricted)
1057  state = CheckOverlap(C, state, Size, Dest, Source);
1058 
1059  if (!state)
1060  return;
1061 
1062  // If this is mempcpy, get the byte after the last byte copied and
1063  // bind the expr.
1064  if (IsMempcpy) {
1065  // Get the byte after the last byte copied.
1066  SValBuilder &SvalBuilder = C.getSValBuilder();
1067  ASTContext &Ctx = SvalBuilder.getContext();
1068  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1069  SVal DestRegCharVal =
1070  SvalBuilder.evalCast(destVal, CharPtrTy, Dest->getType());
1071  SVal lastElement = C.getSValBuilder().evalBinOp(
1072  state, BO_Add, DestRegCharVal, sizeVal, Dest->getType());
1073  // If we don't know how much we copied, we can at least
1074  // conjure a return value for later.
1075  if (lastElement.isUnknown())
1076  lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1077  C.blockCount());
1078 
1079  // The byte after the last byte copied is the return value.
1080  state = state->BindExpr(CE, LCtx, lastElement);
1081  } else {
1082  // All other copies return the destination buffer.
1083  // (Well, bcopy() has a void return type, but this won't hurt.)
1084  state = state->BindExpr(CE, LCtx, destVal);
1085  }
1086 
1087  // Invalidate the destination (regular invalidation without pointer-escaping
1088  // the address of the top-level region).
1089  // FIXME: Even if we can't perfectly model the copy, we should see if we
1090  // can use LazyCompoundVals to copy the source values into the destination.
1091  // This would probably remove any existing bindings past the end of the
1092  // copied region, but that's still an improvement over blank invalidation.
1093  state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest),
1094  /*IsSourceBuffer*/false, Size);
1095 
1096  // Invalidate the source (const-invalidation without const-pointer-escaping
1097  // the address of the top-level region).
1098  state = InvalidateBuffer(C, state, Source, C.getSVal(Source),
1099  /*IsSourceBuffer*/true, nullptr);
1100 
1101  C.addTransition(state);
1102  }
1103 }
1104 
1105 
1106 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1107  if (CE->getNumArgs() < 3)
1108  return;
1109 
1110  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1111  // The return value is the address of the destination buffer.
1112  const Expr *Dest = CE->getArg(0);
1113  ProgramStateRef state = C.getState();
1114 
1115  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true);
1116 }
1117 
1118 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1119  if (CE->getNumArgs() < 3)
1120  return;
1121 
1122  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1123  // The return value is a pointer to the byte following the last written byte.
1124  const Expr *Dest = CE->getArg(0);
1125  ProgramStateRef state = C.getState();
1126 
1127  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
1128 }
1129 
1130 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1131  if (CE->getNumArgs() < 3)
1132  return;
1133 
1134  // void *memmove(void *dst, const void *src, size_t n);
1135  // The return value is the address of the destination buffer.
1136  const Expr *Dest = CE->getArg(0);
1137  ProgramStateRef state = C.getState();
1138 
1139  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
1140 }
1141 
1142 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1143  if (CE->getNumArgs() < 3)
1144  return;
1145 
1146  // void bcopy(const void *src, void *dst, size_t n);
1147  evalCopyCommon(C, CE, C.getState(),
1148  CE->getArg(2), CE->getArg(1), CE->getArg(0));
1149 }
1150 
1151 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1152  if (CE->getNumArgs() < 3)
1153  return;
1154 
1155  // int memcmp(const void *s1, const void *s2, size_t n);
1156  CurrentFunctionDescription = "memory comparison function";
1157 
1158  const Expr *Left = CE->getArg(0);
1159  const Expr *Right = CE->getArg(1);
1160  const Expr *Size = CE->getArg(2);
1161 
1162  ProgramStateRef state = C.getState();
1163  SValBuilder &svalBuilder = C.getSValBuilder();
1164 
1165  // See if the size argument is zero.
1166  const LocationContext *LCtx = C.getLocationContext();
1167  SVal sizeVal = state->getSVal(Size, LCtx);
1168  QualType sizeTy = Size->getType();
1169 
1170  ProgramStateRef stateZeroSize, stateNonZeroSize;
1171  std::tie(stateZeroSize, stateNonZeroSize) =
1172  assumeZero(C, state, sizeVal, sizeTy);
1173 
1174  // If the size can be zero, the result will be 0 in that case, and we don't
1175  // have to check either of the buffers.
1176  if (stateZeroSize) {
1177  state = stateZeroSize;
1178  state = state->BindExpr(CE, LCtx,
1179  svalBuilder.makeZeroVal(CE->getType()));
1180  C.addTransition(state);
1181  }
1182 
1183  // If the size can be nonzero, we have to check the other arguments.
1184  if (stateNonZeroSize) {
1185  state = stateNonZeroSize;
1186  // If we know the two buffers are the same, we know the result is 0.
1187  // First, get the two buffers' addresses. Another checker will have already
1188  // made sure they're not undefined.
1190  state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>();
1192  state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>();
1193 
1194  // See if they are the same.
1195  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1196  ProgramStateRef StSameBuf, StNotSameBuf;
1197  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1198 
1199  // If the two arguments might be the same buffer, we know the result is 0,
1200  // and we only need to check one size.
1201  if (StSameBuf) {
1202  state = StSameBuf;
1203  state = CheckBufferAccess(C, state, Size, Left);
1204  if (state) {
1205  state = StSameBuf->BindExpr(CE, LCtx,
1206  svalBuilder.makeZeroVal(CE->getType()));
1207  C.addTransition(state);
1208  }
1209  }
1210 
1211  // If the two arguments might be different buffers, we have to check the
1212  // size of both of them.
1213  if (StNotSameBuf) {
1214  state = StNotSameBuf;
1215  state = CheckBufferAccess(C, state, Size, Left, Right);
1216  if (state) {
1217  // The return value is the comparison result, which we don't know.
1218  SVal CmpV = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1219  C.blockCount());
1220  state = state->BindExpr(CE, LCtx, CmpV);
1221  C.addTransition(state);
1222  }
1223  }
1224  }
1225 }
1226 
1227 void CStringChecker::evalstrLength(CheckerContext &C,
1228  const CallExpr *CE) const {
1229  if (CE->getNumArgs() < 1)
1230  return;
1231 
1232  // size_t strlen(const char *s);
1233  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1234 }
1235 
1236 void CStringChecker::evalstrnLength(CheckerContext &C,
1237  const CallExpr *CE) const {
1238  if (CE->getNumArgs() < 2)
1239  return;
1240 
1241  // size_t strnlen(const char *s, size_t maxlen);
1242  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1243 }
1244 
1245 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1246  bool IsStrnlen) const {
1247  CurrentFunctionDescription = "string length function";
1248  ProgramStateRef state = C.getState();
1249  const LocationContext *LCtx = C.getLocationContext();
1250 
1251  if (IsStrnlen) {
1252  const Expr *maxlenExpr = CE->getArg(1);
1253  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1254 
1255  ProgramStateRef stateZeroSize, stateNonZeroSize;
1256  std::tie(stateZeroSize, stateNonZeroSize) =
1257  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1258 
1259  // If the size can be zero, the result will be 0 in that case, and we don't
1260  // have to check the string itself.
1261  if (stateZeroSize) {
1262  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1263  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1264  C.addTransition(stateZeroSize);
1265  }
1266 
1267  // If the size is GUARANTEED to be zero, we're done!
1268  if (!stateNonZeroSize)
1269  return;
1270 
1271  // Otherwise, record the assumption that the size is nonzero.
1272  state = stateNonZeroSize;
1273  }
1274 
1275  // Check that the string argument is non-null.
1276  const Expr *Arg = CE->getArg(0);
1277  SVal ArgVal = state->getSVal(Arg, LCtx);
1278 
1279  state = checkNonNull(C, state, Arg, ArgVal);
1280 
1281  if (!state)
1282  return;
1283 
1284  SVal strLength = getCStringLength(C, state, Arg, ArgVal);
1285 
1286  // If the argument isn't a valid C string, there's no valid state to
1287  // transition to.
1288  if (strLength.isUndef())
1289  return;
1290 
1291  DefinedOrUnknownSVal result = UnknownVal();
1292 
1293  // If the check is for strnlen() then bind the return value to no more than
1294  // the maxlen value.
1295  if (IsStrnlen) {
1297 
1298  // It's a little unfortunate to be getting this again,
1299  // but it's not that expensive...
1300  const Expr *maxlenExpr = CE->getArg(1);
1301  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1302 
1303  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1304  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1305 
1306  if (strLengthNL && maxlenValNL) {
1307  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1308 
1309  // Check if the strLength is greater than the maxlen.
1310  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1311  C.getSValBuilder()
1312  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1314 
1315  if (stateStringTooLong && !stateStringNotTooLong) {
1316  // If the string is longer than maxlen, return maxlen.
1317  result = *maxlenValNL;
1318  } else if (stateStringNotTooLong && !stateStringTooLong) {
1319  // If the string is shorter than maxlen, return its length.
1320  result = *strLengthNL;
1321  }
1322  }
1323 
1324  if (result.isUnknown()) {
1325  // If we don't have enough information for a comparison, there's
1326  // no guarantee the full string length will actually be returned.
1327  // All we know is the return value is the min of the string length
1328  // and the limit. This is better than nothing.
1329  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1330  C.blockCount());
1331  NonLoc resultNL = result.castAs<NonLoc>();
1332 
1333  if (strLengthNL) {
1334  state = state->assume(C.getSValBuilder().evalBinOpNN(
1335  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1336  .castAs<DefinedOrUnknownSVal>(), true);
1337  }
1338 
1339  if (maxlenValNL) {
1340  state = state->assume(C.getSValBuilder().evalBinOpNN(
1341  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1342  .castAs<DefinedOrUnknownSVal>(), true);
1343  }
1344  }
1345 
1346  } else {
1347  // This is a plain strlen(), not strnlen().
1348  result = strLength.castAs<DefinedOrUnknownSVal>();
1349 
1350  // If we don't know the length of the string, conjure a return
1351  // value, so it can be used in constraints, at least.
1352  if (result.isUnknown()) {
1353  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1354  C.blockCount());
1355  }
1356  }
1357 
1358  // Bind the return value.
1359  assert(!result.isUnknown() && "Should have conjured a value by now");
1360  state = state->BindExpr(CE, LCtx, result);
1361  C.addTransition(state);
1362 }
1363 
1364 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1365  if (CE->getNumArgs() < 2)
1366  return;
1367 
1368  // char *strcpy(char *restrict dst, const char *restrict src);
1369  evalStrcpyCommon(C, CE,
1370  /* returnEnd = */ false,
1371  /* isBounded = */ false,
1372  /* isAppending = */ false);
1373 }
1374 
1375 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1376  if (CE->getNumArgs() < 3)
1377  return;
1378 
1379  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1380  evalStrcpyCommon(C, CE,
1381  /* returnEnd = */ false,
1382  /* isBounded = */ true,
1383  /* isAppending = */ false);
1384 }
1385 
1386 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1387  if (CE->getNumArgs() < 2)
1388  return;
1389 
1390  // char *stpcpy(char *restrict dst, const char *restrict src);
1391  evalStrcpyCommon(C, CE,
1392  /* returnEnd = */ true,
1393  /* isBounded = */ false,
1394  /* isAppending = */ false);
1395 }
1396 
1397 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1398  if (CE->getNumArgs() < 2)
1399  return;
1400 
1401  //char *strcat(char *restrict s1, const char *restrict s2);
1402  evalStrcpyCommon(C, CE,
1403  /* returnEnd = */ false,
1404  /* isBounded = */ false,
1405  /* isAppending = */ true);
1406 }
1407 
1408 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1409  if (CE->getNumArgs() < 3)
1410  return;
1411 
1412  //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1413  evalStrcpyCommon(C, CE,
1414  /* returnEnd = */ false,
1415  /* isBounded = */ true,
1416  /* isAppending = */ true);
1417 }
1418 
1419 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1420  bool returnEnd, bool isBounded,
1421  bool isAppending) const {
1422  CurrentFunctionDescription = "string copy function";
1423  ProgramStateRef state = C.getState();
1424  const LocationContext *LCtx = C.getLocationContext();
1425 
1426  // Check that the destination is non-null.
1427  const Expr *Dst = CE->getArg(0);
1428  SVal DstVal = state->getSVal(Dst, LCtx);
1429 
1430  state = checkNonNull(C, state, Dst, DstVal);
1431  if (!state)
1432  return;
1433 
1434  // Check that the source is non-null.
1435  const Expr *srcExpr = CE->getArg(1);
1436  SVal srcVal = state->getSVal(srcExpr, LCtx);
1437  state = checkNonNull(C, state, srcExpr, srcVal);
1438  if (!state)
1439  return;
1440 
1441  // Get the string length of the source.
1442  SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
1443 
1444  // If the source isn't a valid C string, give up.
1445  if (strLength.isUndef())
1446  return;
1447 
1448  SValBuilder &svalBuilder = C.getSValBuilder();
1449  QualType cmpTy = svalBuilder.getConditionType();
1450  QualType sizeTy = svalBuilder.getContext().getSizeType();
1451 
1452  // These two values allow checking two kinds of errors:
1453  // - actual overflows caused by a source that doesn't fit in the destination
1454  // - potential overflows caused by a bound that could exceed the destination
1455  SVal amountCopied = UnknownVal();
1456  SVal maxLastElementIndex = UnknownVal();
1457  const char *boundWarning = nullptr;
1458 
1459  // If the function is strncpy, strncat, etc... it is bounded.
1460  if (isBounded) {
1461  // Get the max number of characters to copy.
1462  const Expr *lenExpr = CE->getArg(2);
1463  SVal lenVal = state->getSVal(lenExpr, LCtx);
1464 
1465  // Protect against misdeclared strncpy().
1466  lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
1467 
1468  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1469  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1470 
1471  // If we know both values, we might be able to figure out how much
1472  // we're copying.
1473  if (strLengthNL && lenValNL) {
1474  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1475 
1476  // Check if the max number to copy is less than the length of the src.
1477  // If the bound is equal to the source length, strncpy won't null-
1478  // terminate the result!
1479  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1480  svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1482 
1483  if (stateSourceTooLong && !stateSourceNotTooLong) {
1484  // Max number to copy is less than the length of the src, so the actual
1485  // strLength copied is the max number arg.
1486  state = stateSourceTooLong;
1487  amountCopied = lenVal;
1488 
1489  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1490  // The source buffer entirely fits in the bound.
1491  state = stateSourceNotTooLong;
1492  amountCopied = strLength;
1493  }
1494  }
1495 
1496  // We still want to know if the bound is known to be too large.
1497  if (lenValNL) {
1498  if (isAppending) {
1499  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1500 
1501  // Get the string length of the destination. If the destination is
1502  // memory that can't have a string length, we shouldn't be copying
1503  // into it anyway.
1504  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1505  if (dstStrLength.isUndef())
1506  return;
1507 
1508  if (Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>()) {
1509  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add,
1510  *lenValNL,
1511  *dstStrLengthNL,
1512  sizeTy);
1513  boundWarning = "Size argument is greater than the free space in the "
1514  "destination buffer";
1515  }
1516 
1517  } else {
1518  // For strncpy, this is just checking that lenVal <= sizeof(dst)
1519  // (Yes, strncpy and strncat differ in how they treat termination.
1520  // strncat ALWAYS terminates, but strncpy doesn't.)
1521 
1522  // We need a special case for when the copy size is zero, in which
1523  // case strncpy will do no work at all. Our bounds check uses n-1
1524  // as the last element accessed, so n == 0 is problematic.
1525  ProgramStateRef StateZeroSize, StateNonZeroSize;
1526  std::tie(StateZeroSize, StateNonZeroSize) =
1527  assumeZero(C, state, *lenValNL, sizeTy);
1528 
1529  // If the size is known to be zero, we're done.
1530  if (StateZeroSize && !StateNonZeroSize) {
1531  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1532  C.addTransition(StateZeroSize);
1533  return;
1534  }
1535 
1536  // Otherwise, go ahead and figure out the last element we'll touch.
1537  // We don't record the non-zero assumption here because we can't
1538  // be sure. We won't warn on a possible zero.
1539  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1540  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1541  one, sizeTy);
1542  boundWarning = "Size argument is greater than the length of the "
1543  "destination buffer";
1544  }
1545  }
1546 
1547  // If we couldn't pin down the copy length, at least bound it.
1548  // FIXME: We should actually run this code path for append as well, but
1549  // right now it creates problems with constraints (since we can end up
1550  // trying to pass constraints from symbol to symbol).
1551  if (amountCopied.isUnknown() && !isAppending) {
1552  // Try to get a "hypothetical" string length symbol, which we can later
1553  // set as a real value if that turns out to be the case.
1554  amountCopied = getCStringLength(C, state, lenExpr, srcVal, true);
1555  assert(!amountCopied.isUndef());
1556 
1557  if (Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>()) {
1558  if (lenValNL) {
1559  // amountCopied <= lenVal
1560  SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE,
1561  *amountCopiedNL,
1562  *lenValNL,
1563  cmpTy);
1564  state = state->assume(
1565  copiedLessThanBound.castAs<DefinedOrUnknownSVal>(), true);
1566  if (!state)
1567  return;
1568  }
1569 
1570  if (strLengthNL) {
1571  // amountCopied <= strlen(source)
1572  SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE,
1573  *amountCopiedNL,
1574  *strLengthNL,
1575  cmpTy);
1576  state = state->assume(
1577  copiedLessThanSrc.castAs<DefinedOrUnknownSVal>(), true);
1578  if (!state)
1579  return;
1580  }
1581  }
1582  }
1583 
1584  } else {
1585  // The function isn't bounded. The amount copied should match the length
1586  // of the source buffer.
1587  amountCopied = strLength;
1588  }
1589 
1590  assert(state);
1591 
1592  // This represents the number of characters copied into the destination
1593  // buffer. (It may not actually be the strlen if the destination buffer
1594  // is not terminated.)
1595  SVal finalStrLength = UnknownVal();
1596 
1597  // If this is an appending function (strcat, strncat...) then set the
1598  // string length to strlen(src) + strlen(dst) since the buffer will
1599  // ultimately contain both.
1600  if (isAppending) {
1601  // Get the string length of the destination. If the destination is memory
1602  // that can't have a string length, we shouldn't be copying into it anyway.
1603  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1604  if (dstStrLength.isUndef())
1605  return;
1606 
1607  Optional<NonLoc> srcStrLengthNL = amountCopied.getAs<NonLoc>();
1608  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1609 
1610  // If we know both string lengths, we might know the final string length.
1611  if (srcStrLengthNL && dstStrLengthNL) {
1612  // Make sure the two lengths together don't overflow a size_t.
1613  state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL);
1614  if (!state)
1615  return;
1616 
1617  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL,
1618  *dstStrLengthNL, sizeTy);
1619  }
1620 
1621  // If we couldn't get a single value for the final string length,
1622  // we can at least bound it by the individual lengths.
1623  if (finalStrLength.isUnknown()) {
1624  // Try to get a "hypothetical" string length symbol, which we can later
1625  // set as a real value if that turns out to be the case.
1626  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1627  assert(!finalStrLength.isUndef());
1628 
1629  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1630  if (srcStrLengthNL) {
1631  // finalStrLength >= srcStrLength
1632  SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1633  *finalStrLengthNL,
1634  *srcStrLengthNL,
1635  cmpTy);
1636  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1637  true);
1638  if (!state)
1639  return;
1640  }
1641 
1642  if (dstStrLengthNL) {
1643  // finalStrLength >= dstStrLength
1644  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1645  *finalStrLengthNL,
1646  *dstStrLengthNL,
1647  cmpTy);
1648  state =
1649  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1650  if (!state)
1651  return;
1652  }
1653  }
1654  }
1655 
1656  } else {
1657  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1658  // the final string length will match the input string length.
1659  finalStrLength = amountCopied;
1660  }
1661 
1662  // The final result of the function will either be a pointer past the last
1663  // copied element, or a pointer to the start of the destination buffer.
1664  SVal Result = (returnEnd ? UnknownVal() : DstVal);
1665 
1666  assert(state);
1667 
1668  // If the destination is a MemRegion, try to check for a buffer overflow and
1669  // record the new string length.
1670  if (Optional<loc::MemRegionVal> dstRegVal =
1671  DstVal.getAs<loc::MemRegionVal>()) {
1672  QualType ptrTy = Dst->getType();
1673 
1674  // If we have an exact value on a bounded copy, use that to check for
1675  // overflows, rather than our estimate about how much is actually copied.
1676  if (boundWarning) {
1677  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1678  SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1679  *maxLastNL, ptrTy);
1680  state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
1681  boundWarning);
1682  if (!state)
1683  return;
1684  }
1685  }
1686 
1687  // Then, if the final length is known...
1688  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1689  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1690  *knownStrLength, ptrTy);
1691 
1692  // ...and we haven't checked the bound, we'll check the actual copy.
1693  if (!boundWarning) {
1694  const char * const warningMsg =
1695  "String copy function overflows destination buffer";
1696  state = CheckLocation(C, state, Dst, lastElement, warningMsg);
1697  if (!state)
1698  return;
1699  }
1700 
1701  // If this is a stpcpy-style copy, the last element is the return value.
1702  if (returnEnd)
1703  Result = lastElement;
1704  }
1705 
1706  // Invalidate the destination (regular invalidation without pointer-escaping
1707  // the address of the top-level region). This must happen before we set the
1708  // C string length because invalidation will clear the length.
1709  // FIXME: Even if we can't perfectly model the copy, we should see if we
1710  // can use LazyCompoundVals to copy the source values into the destination.
1711  // This would probably remove any existing bindings past the end of the
1712  // string, but that's still an improvement over blank invalidation.
1713  state = InvalidateBuffer(C, state, Dst, *dstRegVal,
1714  /*IsSourceBuffer*/false, nullptr);
1715 
1716  // Invalidate the source (const-invalidation without const-pointer-escaping
1717  // the address of the top-level region).
1718  state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
1719  nullptr);
1720 
1721  // Set the C string length of the destination, if we know it.
1722  if (isBounded && !isAppending) {
1723  // strncpy is annoying in that it doesn't guarantee to null-terminate
1724  // the result string. If the original string didn't fit entirely inside
1725  // the bound (including the null-terminator), we don't know how long the
1726  // result is.
1727  if (amountCopied != strLength)
1728  finalStrLength = UnknownVal();
1729  }
1730  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1731  }
1732 
1733  assert(state);
1734 
1735  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1736  // overflow, we still need a result. Conjure a return value.
1737  if (returnEnd && Result.isUnknown()) {
1738  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1739  }
1740 
1741  // Set the return value.
1742  state = state->BindExpr(CE, LCtx, Result);
1743  C.addTransition(state);
1744 }
1745 
1746 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1747  if (CE->getNumArgs() < 2)
1748  return;
1749 
1750  //int strcmp(const char *s1, const char *s2);
1751  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false);
1752 }
1753 
1754 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1755  if (CE->getNumArgs() < 3)
1756  return;
1757 
1758  //int strncmp(const char *s1, const char *s2, size_t n);
1759  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false);
1760 }
1761 
1762 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1763  const CallExpr *CE) const {
1764  if (CE->getNumArgs() < 2)
1765  return;
1766 
1767  //int strcasecmp(const char *s1, const char *s2);
1768  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true);
1769 }
1770 
1771 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1772  const CallExpr *CE) const {
1773  if (CE->getNumArgs() < 3)
1774  return;
1775 
1776  //int strncasecmp(const char *s1, const char *s2, size_t n);
1777  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true);
1778 }
1779 
1780 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1781  bool isBounded, bool ignoreCase) const {
1782  CurrentFunctionDescription = "string comparison function";
1783  ProgramStateRef state = C.getState();
1784  const LocationContext *LCtx = C.getLocationContext();
1785 
1786  // Check that the first string is non-null
1787  const Expr *s1 = CE->getArg(0);
1788  SVal s1Val = state->getSVal(s1, LCtx);
1789  state = checkNonNull(C, state, s1, s1Val);
1790  if (!state)
1791  return;
1792 
1793  // Check that the second string is non-null.
1794  const Expr *s2 = CE->getArg(1);
1795  SVal s2Val = state->getSVal(s2, LCtx);
1796  state = checkNonNull(C, state, s2, s2Val);
1797  if (!state)
1798  return;
1799 
1800  // Get the string length of the first string or give up.
1801  SVal s1Length = getCStringLength(C, state, s1, s1Val);
1802  if (s1Length.isUndef())
1803  return;
1804 
1805  // Get the string length of the second string or give up.
1806  SVal s2Length = getCStringLength(C, state, s2, s2Val);
1807  if (s2Length.isUndef())
1808  return;
1809 
1810  // If we know the two buffers are the same, we know the result is 0.
1811  // First, get the two buffers' addresses. Another checker will have already
1812  // made sure they're not undefined.
1815 
1816  // See if they are the same.
1817  SValBuilder &svalBuilder = C.getSValBuilder();
1818  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1819  ProgramStateRef StSameBuf, StNotSameBuf;
1820  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1821 
1822  // If the two arguments might be the same buffer, we know the result is 0,
1823  // and we only need to check one size.
1824  if (StSameBuf) {
1825  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
1826  svalBuilder.makeZeroVal(CE->getType()));
1827  C.addTransition(StSameBuf);
1828 
1829  // If the two arguments are GUARANTEED to be the same, we're done!
1830  if (!StNotSameBuf)
1831  return;
1832  }
1833 
1834  assert(StNotSameBuf);
1835  state = StNotSameBuf;
1836 
1837  // At this point we can go about comparing the two buffers.
1838  // For now, we only do this if they're both known string literals.
1839 
1840  // Attempt to extract string literals from both expressions.
1841  const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val);
1842  const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val);
1843  bool canComputeResult = false;
1844  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1845  C.blockCount());
1846 
1847  if (s1StrLiteral && s2StrLiteral) {
1848  StringRef s1StrRef = s1StrLiteral->getString();
1849  StringRef s2StrRef = s2StrLiteral->getString();
1850 
1851  if (isBounded) {
1852  // Get the max number of characters to compare.
1853  const Expr *lenExpr = CE->getArg(2);
1854  SVal lenVal = state->getSVal(lenExpr, LCtx);
1855 
1856  // If the length is known, we can get the right substrings.
1857  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
1858  // Create substrings of each to compare the prefix.
1859  s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
1860  s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue());
1861  canComputeResult = true;
1862  }
1863  } else {
1864  // This is a normal, unbounded strcmp.
1865  canComputeResult = true;
1866  }
1867 
1868  if (canComputeResult) {
1869  // Real strcmp stops at null characters.
1870  size_t s1Term = s1StrRef.find('\0');
1871  if (s1Term != StringRef::npos)
1872  s1StrRef = s1StrRef.substr(0, s1Term);
1873 
1874  size_t s2Term = s2StrRef.find('\0');
1875  if (s2Term != StringRef::npos)
1876  s2StrRef = s2StrRef.substr(0, s2Term);
1877 
1878  // Use StringRef's comparison methods to compute the actual result.
1879  int compareRes = ignoreCase ? s1StrRef.compare_lower(s2StrRef)
1880  : s1StrRef.compare(s2StrRef);
1881 
1882  // The strcmp function returns an integer greater than, equal to, or less
1883  // than zero, [c11, p7.24.4.2].
1884  if (compareRes == 0) {
1885  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
1886  }
1887  else {
1888  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
1889  // Constrain strcmp's result range based on the result of StringRef's
1890  // comparison methods.
1891  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
1892  SVal compareWithZero =
1893  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
1894  svalBuilder.getConditionType());
1895  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
1896  state = state->assume(compareWithZeroVal, true);
1897  }
1898  }
1899  }
1900 
1901  state = state->BindExpr(CE, LCtx, resultVal);
1902 
1903  // Record this as a possible path.
1904  C.addTransition(state);
1905 }
1906 
1907 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
1908  //char *strsep(char **stringp, const char *delim);
1909  if (CE->getNumArgs() < 2)
1910  return;
1911 
1912  // Sanity: does the search string parameter match the return type?
1913  const Expr *SearchStrPtr = CE->getArg(0);
1914  QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType();
1915  if (CharPtrTy.isNull() ||
1916  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
1917  return;
1918 
1919  CurrentFunctionDescription = "strsep()";
1921  const LocationContext *LCtx = C.getLocationContext();
1922 
1923  // Check that the search string pointer is non-null (though it may point to
1924  // a null string).
1925  SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx);
1926  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
1927  if (!State)
1928  return;
1929 
1930  // Check that the delimiter string is non-null.
1931  const Expr *DelimStr = CE->getArg(1);
1932  SVal DelimStrVal = State->getSVal(DelimStr, LCtx);
1933  State = checkNonNull(C, State, DelimStr, DelimStrVal);
1934  if (!State)
1935  return;
1936 
1937  SValBuilder &SVB = C.getSValBuilder();
1938  SVal Result;
1939  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
1940  // Get the current value of the search string pointer, as a char*.
1941  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
1942 
1943  // Invalidate the search string, representing the change of one delimiter
1944  // character to NUL.
1945  State = InvalidateBuffer(C, State, SearchStrPtr, Result,
1946  /*IsSourceBuffer*/false, nullptr);
1947 
1948  // Overwrite the search string pointer. The new value is either an address
1949  // further along in the same string, or NULL if there are no more tokens.
1950  State = State->bindLoc(*SearchStrLoc,
1951  SVB.conjureSymbolVal(getTag(),
1952  CE,
1953  LCtx,
1954  CharPtrTy,
1955  C.blockCount()),
1956  LCtx);
1957  } else {
1958  assert(SearchStrVal.isUnknown());
1959  // Conjure a symbolic value. It's the best we can do.
1960  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1961  }
1962 
1963  // Set the return value, and finish.
1964  State = State->BindExpr(CE, LCtx, Result);
1965  C.addTransition(State);
1966 }
1967 
1968 // These should probably be moved into a C++ standard library checker.
1969 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
1970  evalStdCopyCommon(C, CE);
1971 }
1972 
1973 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
1974  const CallExpr *CE) const {
1975  evalStdCopyCommon(C, CE);
1976 }
1977 
1978 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
1979  const CallExpr *CE) const {
1980  if (CE->getNumArgs() < 3)
1981  return;
1982 
1983  ProgramStateRef State = C.getState();
1984 
1985  const LocationContext *LCtx = C.getLocationContext();
1986 
1987  // template <class _InputIterator, class _OutputIterator>
1988  // _OutputIterator
1989  // copy(_InputIterator __first, _InputIterator __last,
1990  // _OutputIterator __result)
1991 
1992  // Invalidate the destination buffer
1993  const Expr *Dst = CE->getArg(2);
1994  SVal DstVal = State->getSVal(Dst, LCtx);
1995  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
1996  /*Size=*/nullptr);
1997 
1998  SValBuilder &SVB = C.getSValBuilder();
1999 
2000  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2001  State = State->BindExpr(CE, LCtx, ResultVal);
2002 
2003  C.addTransition(State);
2004 }
2005 
2006 void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
2007  if (CE->getNumArgs() != 3)
2008  return;
2009 
2010  CurrentFunctionDescription = "memory set function";
2011 
2012  const Expr *Mem = CE->getArg(0);
2013  const Expr *Size = CE->getArg(2);
2014  ProgramStateRef State = C.getState();
2015 
2016  // See if the size argument is zero.
2017  const LocationContext *LCtx = C.getLocationContext();
2018  SVal SizeVal = State->getSVal(Size, LCtx);
2019  QualType SizeTy = Size->getType();
2020 
2021  ProgramStateRef StateZeroSize, StateNonZeroSize;
2022  std::tie(StateZeroSize, StateNonZeroSize) =
2023  assumeZero(C, State, SizeVal, SizeTy);
2024 
2025  // Get the value of the memory area.
2026  SVal MemVal = State->getSVal(Mem, LCtx);
2027 
2028  // If the size is zero, there won't be any actual memory access, so
2029  // just bind the return value to the Mem buffer and return.
2030  if (StateZeroSize && !StateNonZeroSize) {
2031  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, MemVal);
2032  C.addTransition(StateZeroSize);
2033  return;
2034  }
2035 
2036  // Ensure the memory area is not null.
2037  // If it is NULL there will be a NULL pointer dereference.
2038  State = checkNonNull(C, StateNonZeroSize, Mem, MemVal);
2039  if (!State)
2040  return;
2041 
2042  State = CheckBufferAccess(C, State, Size, Mem);
2043  if (!State)
2044  return;
2045  State = InvalidateBuffer(C, State, Mem, C.getSVal(Mem),
2046  /*IsSourceBuffer*/false, Size);
2047  if (!State)
2048  return;
2049 
2050  State = State->BindExpr(CE, LCtx, MemVal);
2051  C.addTransition(State);
2052 }
2053 
2054 static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name) {
2055  IdentifierInfo *II = FD->getIdentifier();
2056  if (!II)
2057  return false;
2058 
2060  return false;
2061 
2062  if (II->getName().equals(Name))
2063  return true;
2064 
2065  return false;
2066 }
2067 //===----------------------------------------------------------------------===//
2068 // The driver method, and other Checker callbacks.
2069 //===----------------------------------------------------------------------===//
2070 
2071 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
2072  const FunctionDecl *FDecl = C.getCalleeDecl(CE);
2073 
2074  if (!FDecl)
2075  return false;
2076 
2077  // FIXME: Poorly-factored string switches are slow.
2078  FnCheck evalFunction = nullptr;
2079  if (C.isCLibraryFunction(FDecl, "memcpy"))
2080  evalFunction = &CStringChecker::evalMemcpy;
2081  else if (C.isCLibraryFunction(FDecl, "mempcpy"))
2082  evalFunction = &CStringChecker::evalMempcpy;
2083  else if (C.isCLibraryFunction(FDecl, "memcmp"))
2084  evalFunction = &CStringChecker::evalMemcmp;
2085  else if (C.isCLibraryFunction(FDecl, "memmove"))
2086  evalFunction = &CStringChecker::evalMemmove;
2087  else if (C.isCLibraryFunction(FDecl, "memset"))
2088  evalFunction = &CStringChecker::evalMemset;
2089  else if (C.isCLibraryFunction(FDecl, "strcpy"))
2090  evalFunction = &CStringChecker::evalStrcpy;
2091  else if (C.isCLibraryFunction(FDecl, "strncpy"))
2092  evalFunction = &CStringChecker::evalStrncpy;
2093  else if (C.isCLibraryFunction(FDecl, "stpcpy"))
2094  evalFunction = &CStringChecker::evalStpcpy;
2095  else if (C.isCLibraryFunction(FDecl, "strcat"))
2096  evalFunction = &CStringChecker::evalStrcat;
2097  else if (C.isCLibraryFunction(FDecl, "strncat"))
2098  evalFunction = &CStringChecker::evalStrncat;
2099  else if (C.isCLibraryFunction(FDecl, "strlen"))
2100  evalFunction = &CStringChecker::evalstrLength;
2101  else if (C.isCLibraryFunction(FDecl, "strnlen"))
2102  evalFunction = &CStringChecker::evalstrnLength;
2103  else if (C.isCLibraryFunction(FDecl, "strcmp"))
2104  evalFunction = &CStringChecker::evalStrcmp;
2105  else if (C.isCLibraryFunction(FDecl, "strncmp"))
2106  evalFunction = &CStringChecker::evalStrncmp;
2107  else if (C.isCLibraryFunction(FDecl, "strcasecmp"))
2108  evalFunction = &CStringChecker::evalStrcasecmp;
2109  else if (C.isCLibraryFunction(FDecl, "strncasecmp"))
2110  evalFunction = &CStringChecker::evalStrncasecmp;
2111  else if (C.isCLibraryFunction(FDecl, "strsep"))
2112  evalFunction = &CStringChecker::evalStrsep;
2113  else if (C.isCLibraryFunction(FDecl, "bcopy"))
2114  evalFunction = &CStringChecker::evalBcopy;
2115  else if (C.isCLibraryFunction(FDecl, "bcmp"))
2116  evalFunction = &CStringChecker::evalMemcmp;
2117  else if (isCPPStdLibraryFunction(FDecl, "copy"))
2118  evalFunction = &CStringChecker::evalStdCopy;
2119  else if (isCPPStdLibraryFunction(FDecl, "copy_backward"))
2120  evalFunction = &CStringChecker::evalStdCopyBackward;
2121 
2122  // If the callee isn't a string function, let another checker handle it.
2123  if (!evalFunction)
2124  return false;
2125 
2126  // Check and evaluate the call.
2127  (this->*evalFunction)(C, CE);
2128 
2129  // If the evaluate call resulted in no change, chain to the next eval call
2130  // handler.
2131  // Note, the custom CString evaluation calls assume that basic safety
2132  // properties are held. However, if the user chooses to turn off some of these
2133  // checks, we ignore the issues and leave the call evaluation to a generic
2134  // handler.
2135  return C.isDifferent();
2136 }
2137 
2138 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2139  // Record string length for char a[] = "abc";
2140  ProgramStateRef state = C.getState();
2141 
2142  for (const auto *I : DS->decls()) {
2143  const VarDecl *D = dyn_cast<VarDecl>(I);
2144  if (!D)
2145  continue;
2146 
2147  // FIXME: Handle array fields of structs.
2148  if (!D->getType()->isArrayType())
2149  continue;
2150 
2151  const Expr *Init = D->getInit();
2152  if (!Init)
2153  continue;
2154  if (!isa<StringLiteral>(Init))
2155  continue;
2156 
2157  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2158  const MemRegion *MR = VarLoc.getAsRegion();
2159  if (!MR)
2160  continue;
2161 
2162  SVal StrVal = C.getSVal(Init);
2163  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2164  DefinedOrUnknownSVal strLength =
2165  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2166 
2167  state = state->set<CStringLength>(MR, strLength);
2168  }
2169 
2170  C.addTransition(state);
2171 }
2172 
2174 CStringChecker::checkRegionChanges(ProgramStateRef state,
2175  const InvalidatedSymbols *,
2176  ArrayRef<const MemRegion *> ExplicitRegions,
2178  const LocationContext *LCtx,
2179  const CallEvent *Call) const {
2180  CStringLengthTy Entries = state->get<CStringLength>();
2181  if (Entries.isEmpty())
2182  return state;
2183 
2184  llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
2185  llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
2186 
2187  // First build sets for the changed regions and their super-regions.
2189  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2190  const MemRegion *MR = *I;
2191  Invalidated.insert(MR);
2192 
2193  SuperRegions.insert(MR);
2194  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2195  MR = SR->getSuperRegion();
2196  SuperRegions.insert(MR);
2197  }
2198  }
2199 
2200  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2201 
2202  // Then loop over the entries in the current state.
2203  for (CStringLengthTy::iterator I = Entries.begin(),
2204  E = Entries.end(); I != E; ++I) {
2205  const MemRegion *MR = I.getKey();
2206 
2207  // Is this entry for a super-region of a changed region?
2208  if (SuperRegions.count(MR)) {
2209  Entries = F.remove(Entries, MR);
2210  continue;
2211  }
2212 
2213  // Is this entry for a sub-region of a changed region?
2214  const MemRegion *Super = MR;
2215  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2216  Super = SR->getSuperRegion();
2217  if (Invalidated.count(Super)) {
2218  Entries = F.remove(Entries, MR);
2219  break;
2220  }
2221  }
2222  }
2223 
2224  return state->set<CStringLength>(Entries);
2225 }
2226 
2227 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2228  SymbolReaper &SR) const {
2229  // Mark all symbols in our string length map as valid.
2230  CStringLengthTy Entries = state->get<CStringLength>();
2231 
2232  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2233  I != E; ++I) {
2234  SVal Len = I.getData();
2235 
2236  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2237  se = Len.symbol_end(); si != se; ++si)
2238  SR.markInUse(*si);
2239  }
2240 }
2241 
2242 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2243  CheckerContext &C) const {
2244  if (!SR.hasDeadSymbols())
2245  return;
2246 
2247  ProgramStateRef state = C.getState();
2248  CStringLengthTy Entries = state->get<CStringLength>();
2249  if (Entries.isEmpty())
2250  return;
2251 
2252  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2253  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2254  I != E; ++I) {
2255  SVal Len = I.getData();
2256  if (SymbolRef Sym = Len.getAsSymbol()) {
2257  if (SR.isDead(Sym))
2258  Entries = F.remove(Entries, I.getKey());
2259  }
2260  }
2261 
2262  state = state->set<CStringLength>(Entries);
2263  C.addTransition(state);
2264 }
2265 
2266 #define REGISTER_CHECKER(name) \
2267  void ento::register##name(CheckerManager &mgr) { \
2268  CStringChecker *checker = mgr.registerChecker<CStringChecker>(); \
2269  checker->Filter.Check##name = true; \
2270  checker->Filter.CheckName##name = mgr.getCurrentCheckName(); \
2271  }
2272 
2273 REGISTER_CHECKER(CStringNullArg)
2274 REGISTER_CHECKER(CStringOutOfBounds)
2275 REGISTER_CHECKER(CStringBufferOverlap)
2276 REGISTER_CHECKER(CStringNotNullTerm)
2277 
2279  registerCStringNullArg(Mgr);
2280 }
Represents a function declaration or definition.
Definition: Decl.h:1696
TypedValueRegion - An abstract class representing regions having a typed value.
Definition: MemRegion.h:512
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:261
A (possibly-)qualified type.
Definition: Type.h:653
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:79
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
bool isArrayType() const
Definition: Type.h:5997
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2287
Stmt - This represents one statement.
Definition: Stmt.h:66
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2275
Information about invalidation for a particular region/symbol.
Definition: MemRegion.h:1389
NonLoc getIndex() const
Definition: MemRegion.h:1091
A helper class which wraps a boolean value set to false by default.
Definition: Checker.h:567
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:456
ExplodedNode * addTransition(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generates a new transition in the program state graph (ExplodedGraph).
virtual QualType getValueType() const =0
SVal evalCast(SVal val, QualType castTy, QualType originalType)
Value representing integer constant.
Definition: SVals.h:353
Represents a variable declaration or definition.
Definition: Decl.h:812
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
void setTrait(SymbolRef Sym, InvalidationKinds IK)
Definition: MemRegion.cpp:1490
const FunctionDecl * getCalleeDecl(const CallExpr *CE) const
Get the declaration of the called function (path-sensitive).
bool isDead(SymbolRef sym) const
Returns whether or not a symbol has been confirmed dead.
ExplodedNode * getPredecessor()
Returns the previous node in the exploded graph, which includes the state of the program before the c...
SVal getSVal(const Stmt *S) const
Get the value of arbitrary expressions at this point in the path.
Symbolic value.
Definition: SymExpr.h:29
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:269
const MemRegion * getSuperRegion() const
Definition: MemRegion.h:431
void markInUse(SymbolRef sym)
Marks a symbol as important to a checker.
One of these records is kept for each identifier that is lexed.
virtual SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with a memory location and non-location opera...
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:149
LineState State
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
virtual DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const
getExtent - Returns the size of the region in bytes.
Definition: MemRegion.h:436
void registerCStringCheckerBasic(CheckerManager &Mgr)
Register the checker which evaluates CString API calls.
BinaryOperatorKind
static bool isInStdNamespace(const Decl *D)
Returns true if the root namespace of the given declaration is the &#39;std&#39; C++ namespace.
const LocationContext * getLocationContext() const
static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name)
bool isUnknown() const
Definition: SVals.h:125
A record of the "type" of an APSInt, used for conversions.
Definition: APSIntType.h:20
const StringLiteral * getStringLiteral() const
Definition: MemRegion.h:796
SymExpr::symbol_iterator symbol_end() const
Definition: SVals.h:193
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:116
StringRef getString() const
Definition: Expr.h:1557
#define REGISTER_CHECKER(name)
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
DefinedOrUnknownSVal makeZeroVal(QualType type)
Construct an SVal representing &#39;0&#39; for the specified type.
Definition: SValBuilder.cpp:32
Expr - This represents one expression.
Definition: Expr.h:106
std::string Label
static bool isCLibraryFunction(const FunctionDecl *FD, StringRef Name=StringRef())
Returns true if the callee is an externally-visible function in the top-level namespace, such as malloc.
QualType getConditionType() const
Definition: SValBuilder.h:143
bool isValid() const
Definition: SVals.h:137
QualType getType() const
Definition: Expr.h:128
virtual SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, Loc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two memory location operands.
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
ExplodedNode * generateNonFatalErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:719
Optional< T > getAs() const
Convert to the specified SVal type, returning None if this SVal is not of the desired type...
Definition: SVals.h:100
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
const MemRegion * StripCasts(bool StripBaseCasts=true) const
Definition: MemRegion.cpp:1119
Kind getKind() const
Definition: MemRegion.h:149
DefinedOrUnknownSVal conjureSymbolVal(const void *symbolTag, const Expr *expr, const LocationContext *LCtx, unsigned count)
Create a new symbol with a unique &#39;name&#39;.
const MemRegion * getAsRegion() const
Definition: SVals.cpp:140
DeclStmt - Adaptor class for mixing declarations with statements and expressions. ...
Definition: Stmt.h:487
ASTContext & getContext()
Definition: SValBuilder.h:138
SVal - This represents a symbolic expression, which can be either an L-value or an R-value...
Definition: SVals.h:63
A class responsible for cleaning up unused symbols.
const llvm::APSInt * evalAPSInt(BinaryOperator::Opcode Op, const llvm::APSInt &V1, const llvm::APSInt &V2)
Tells that a region&#39;s contents is not changed.
Definition: MemRegion.h:1403
virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, NonLoc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two non- location operands.
unsigned blockCount() const
Returns the number of times the current block has been visited along the analyzed path...
StringRef getName() const
Return the actual identifier string.
CanQualType CharTy
Definition: ASTContext.h:998
llvm::APSInt getValue(uint64_t RawValue) const LLVM_READONLY
Definition: APSIntType.h:70
Dataflow Directional Tag Classes.
const Expr * getInit() const
Definition: Decl.h:1214
static std::string getAsString(SplitQualType split, const PrintingPolicy &Policy)
Definition: Type.h:984
SVal evalEQ(ProgramStateRef state, SVal lhs, SVal rhs)
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:140
SVal convertToArrayIndex(SVal val)
Definition: SValBuilder.cpp:79
DefinedSVal getMetadataSymbolVal(const void *symbolTag, const MemRegion *region, const Expr *expr, QualType type, const LocationContext *LCtx, unsigned count)
unsigned getByteLength() const
Definition: Expr.h:1589
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:92
BasicValueFactory & getBasicValueFactory()
Definition: SValBuilder.h:151
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:420
const ProgramStateRef & getState() const
decl_range decls()
Definition: Stmt.h:534
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:5804
bool trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S, BugReport &R, bool IsArg=false, bool EnableNullFPSuppression=true)
Attempts to add visitors to trace a null or undefined value back to its point of origin, whether it is a symbol constrained to null or an explicit assignment.
QualType getValueType() const override
Definition: MemRegion.h:1093
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1093
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:265
SValBuilder & getSValBuilder()
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1509
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2218
const llvm::APSInt & getMaxValue(const llvm::APSInt &v)
bool isUndef() const
Definition: SVals.h:129
StringRegion - Region associated with a StringLiteral.
Definition: MemRegion.h:780
LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:174
ElementRegin is used to represent both array elements and casts.
Definition: MemRegion.h:1070
SymExpr::symbol_iterator symbol_begin() const
Definition: SVals.h:185
QualType getType() const
Definition: Decl.h:647
This represents a decl that may have a name.
Definition: Decl.h:248
const LocationContext * getLocationContext() const
bool isDifferent()
Check if the checker changed the state of the execution; ex: added a new transition or a bug report...
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
Iterator over symbols that the current symbol depends on.
Definition: SymExpr.h:68