clang  15.0.0git
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This defines CStringChecker, which is an assortment of checks on calls
10 // to functions in <string.h>.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "InterCheckerAPI.h"
15 #include "clang/Basic/CharInfo.h"
25 #include "llvm/ADT/STLExtras.h"
26 #include "llvm/ADT/SmallString.h"
27 #include "llvm/ADT/StringExtras.h"
28 #include "llvm/Support/raw_ostream.h"
29 
30 using namespace clang;
31 using namespace ento;
32 
33 namespace {
34 struct AnyArgExpr {
35  // FIXME: Remove constructor in C++17 to turn it into an aggregate.
36  AnyArgExpr(const Expr *Expression, unsigned ArgumentIndex)
37  : Expression{Expression}, ArgumentIndex{ArgumentIndex} {}
38  const Expr *Expression;
39  unsigned ArgumentIndex;
40 };
41 
42 struct SourceArgExpr : AnyArgExpr {
43  using AnyArgExpr::AnyArgExpr; // FIXME: Remove using in C++17.
44 };
45 
46 struct DestinationArgExpr : AnyArgExpr {
47  using AnyArgExpr::AnyArgExpr; // FIXME: Same.
48 };
49 
50 struct SizeArgExpr : AnyArgExpr {
51  using AnyArgExpr::AnyArgExpr; // FIXME: Same.
52 };
53 
54 using ErrorMessage = SmallString<128>;
55 enum class AccessKind { write, read };
56 
57 static ErrorMessage createOutOfBoundErrorMsg(StringRef FunctionDescription,
58  AccessKind Access) {
59  ErrorMessage Message;
60  llvm::raw_svector_ostream Os(Message);
61 
62  // Function classification like: Memory copy function
63  Os << toUppercase(FunctionDescription.front())
64  << &FunctionDescription.data()[1];
65 
66  if (Access == AccessKind::write) {
67  Os << " overflows the destination buffer";
68  } else { // read access
69  Os << " accesses out-of-bound array element";
70  }
71 
72  return Message;
73 }
74 
75 enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 };
76 class CStringChecker : public Checker< eval::Call,
77  check::PreStmt<DeclStmt>,
78  check::LiveSymbols,
79  check::DeadSymbols,
80  check::RegionChanges
81  > {
82  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
83  BT_NotCString, BT_AdditionOverflow, BT_UninitRead;
84 
85  mutable const char *CurrentFunctionDescription;
86 
87 public:
88  /// The filter is used to filter out the diagnostics which are not enabled by
89  /// the user.
90  struct CStringChecksFilter {
91  bool CheckCStringNullArg = false;
92  bool CheckCStringOutOfBounds = false;
93  bool CheckCStringBufferOverlap = false;
94  bool CheckCStringNotNullTerm = false;
95  bool CheckCStringUninitializedRead = false;
96 
97  CheckerNameRef CheckNameCStringNullArg;
98  CheckerNameRef CheckNameCStringOutOfBounds;
99  CheckerNameRef CheckNameCStringBufferOverlap;
100  CheckerNameRef CheckNameCStringNotNullTerm;
101  CheckerNameRef CheckNameCStringUninitializedRead;
102  };
103 
104  CStringChecksFilter Filter;
105 
106  static void *getTag() { static int tag; return &tag; }
107 
108  bool evalCall(const CallEvent &Call, CheckerContext &C) const;
109  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
110  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
111  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
112 
114  checkRegionChanges(ProgramStateRef state,
115  const InvalidatedSymbols *,
116  ArrayRef<const MemRegion *> ExplicitRegions,
118  const LocationContext *LCtx,
119  const CallEvent *Call) const;
120 
121  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
122  const CallExpr *) const;
123  CallDescriptionMap<FnCheck> Callbacks = {
124  {{CDF_MaybeBuiltin, "memcpy", 3}, &CStringChecker::evalMemcpy},
125  {{CDF_MaybeBuiltin, "mempcpy", 3}, &CStringChecker::evalMempcpy},
126  {{CDF_MaybeBuiltin, "memcmp", 3}, &CStringChecker::evalMemcmp},
127  {{CDF_MaybeBuiltin, "memmove", 3}, &CStringChecker::evalMemmove},
128  {{CDF_MaybeBuiltin, "memset", 3}, &CStringChecker::evalMemset},
129  {{CDF_MaybeBuiltin, "explicit_memset", 3}, &CStringChecker::evalMemset},
130  {{CDF_MaybeBuiltin, "strcpy", 2}, &CStringChecker::evalStrcpy},
131  {{CDF_MaybeBuiltin, "strncpy", 3}, &CStringChecker::evalStrncpy},
132  {{CDF_MaybeBuiltin, "stpcpy", 2}, &CStringChecker::evalStpcpy},
133  {{CDF_MaybeBuiltin, "strlcpy", 3}, &CStringChecker::evalStrlcpy},
134  {{CDF_MaybeBuiltin, "strcat", 2}, &CStringChecker::evalStrcat},
135  {{CDF_MaybeBuiltin, "strncat", 3}, &CStringChecker::evalStrncat},
136  {{CDF_MaybeBuiltin, "strlcat", 3}, &CStringChecker::evalStrlcat},
137  {{CDF_MaybeBuiltin, "strlen", 1}, &CStringChecker::evalstrLength},
138  {{CDF_MaybeBuiltin, "strnlen", 2}, &CStringChecker::evalstrnLength},
139  {{CDF_MaybeBuiltin, "strcmp", 2}, &CStringChecker::evalStrcmp},
140  {{CDF_MaybeBuiltin, "strncmp", 3}, &CStringChecker::evalStrncmp},
141  {{CDF_MaybeBuiltin, "strcasecmp", 2}, &CStringChecker::evalStrcasecmp},
142  {{CDF_MaybeBuiltin, "strncasecmp", 3}, &CStringChecker::evalStrncasecmp},
143  {{CDF_MaybeBuiltin, "strsep", 2}, &CStringChecker::evalStrsep},
144  {{CDF_MaybeBuiltin, "bcopy", 3}, &CStringChecker::evalBcopy},
145  {{CDF_MaybeBuiltin, "bcmp", 3}, &CStringChecker::evalMemcmp},
146  {{CDF_MaybeBuiltin, "bzero", 2}, &CStringChecker::evalBzero},
147  {{CDF_MaybeBuiltin, "explicit_bzero", 2}, &CStringChecker::evalBzero},
148  };
149 
150  // These require a bit of special handling.
151  CallDescription StdCopy{{"std", "copy"}, 3},
152  StdCopyBackward{{"std", "copy_backward"}, 3};
153 
154  FnCheck identifyCall(const CallEvent &Call, CheckerContext &C) const;
155  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
156  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
157  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
158  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
159  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
160  ProgramStateRef state, SizeArgExpr Size,
161  DestinationArgExpr Dest, SourceArgExpr Source,
162  bool Restricted, bool IsMempcpy) const;
163 
164  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
165 
166  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
167  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
168  void evalstrLengthCommon(CheckerContext &C,
169  const CallExpr *CE,
170  bool IsStrnlen = false) const;
171 
172  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
173  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
174  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
175  void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const;
176  void evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, bool ReturnEnd,
177  bool IsBounded, ConcatFnKind appendK,
178  bool returnPtr = true) const;
179 
180  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
181  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
182  void evalStrlcat(CheckerContext &C, const CallExpr *CE) const;
183 
184  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
185  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
186  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
187  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
188  void evalStrcmpCommon(CheckerContext &C,
189  const CallExpr *CE,
190  bool IsBounded = false,
191  bool IgnoreCase = false) const;
192 
193  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
194 
195  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
196  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
197  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
198  void evalMemset(CheckerContext &C, const CallExpr *CE) const;
199  void evalBzero(CheckerContext &C, const CallExpr *CE) const;
200 
201  // Utility methods
202  std::pair<ProgramStateRef , ProgramStateRef >
203  static assumeZero(CheckerContext &C,
204  ProgramStateRef state, SVal V, QualType Ty);
205 
206  static ProgramStateRef setCStringLength(ProgramStateRef state,
207  const MemRegion *MR,
208  SVal strLength);
209  static SVal getCStringLengthForRegion(CheckerContext &C,
211  const Expr *Ex,
212  const MemRegion *MR,
213  bool hypothetical);
214  SVal getCStringLength(CheckerContext &C,
216  const Expr *Ex,
217  SVal Buf,
218  bool hypothetical = false) const;
219 
220  const StringLiteral *getCStringLiteral(CheckerContext &C,
222  const Expr *expr,
223  SVal val) const;
224 
225  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
227  const Expr *Ex, SVal V,
228  bool IsSourceBuffer,
229  const Expr *Size);
230 
231  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
232  const MemRegion *MR);
233 
234  static bool memsetAux(const Expr *DstBuffer, SVal CharE,
235  const Expr *Size, CheckerContext &C,
237 
238  // Re-usable checks
239  ProgramStateRef checkNonNull(CheckerContext &C, ProgramStateRef State,
240  AnyArgExpr Arg, SVal l) const;
241  ProgramStateRef CheckLocation(CheckerContext &C, ProgramStateRef state,
242  AnyArgExpr Buffer, SVal Element,
243  AccessKind Access) const;
244  ProgramStateRef CheckBufferAccess(CheckerContext &C, ProgramStateRef State,
245  AnyArgExpr Buffer, SizeArgExpr Size,
246  AccessKind Access) const;
247  ProgramStateRef CheckOverlap(CheckerContext &C, ProgramStateRef state,
248  SizeArgExpr Size, AnyArgExpr First,
249  AnyArgExpr Second) const;
250  void emitOverlapBug(CheckerContext &C,
252  const Stmt *First,
253  const Stmt *Second) const;
254 
255  void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
256  StringRef WarningMsg) const;
257  void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
258  const Stmt *S, StringRef WarningMsg) const;
259  void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
260  const Stmt *S, StringRef WarningMsg) const;
261  void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
262  void emitUninitializedReadBug(CheckerContext &C, ProgramStateRef State,
263  const Expr *E) const;
264  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
266  NonLoc left,
267  NonLoc right) const;
268 
269  // Return true if the destination buffer of the copy function may be in bound.
270  // Expects SVal of Size to be positive and unsigned.
271  // Expects SVal of FirstBuf to be a FieldRegion.
272  static bool IsFirstBufInBound(CheckerContext &C,
274  const Expr *FirstBuf,
275  const Expr *Size);
276 };
277 
278 } //end anonymous namespace
279 
280 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
281 
282 //===----------------------------------------------------------------------===//
283 // Individual checks and utility methods.
284 //===----------------------------------------------------------------------===//
285 
286 std::pair<ProgramStateRef , ProgramStateRef >
287 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
288  QualType Ty) {
289  Optional<DefinedSVal> val = V.getAs<DefinedSVal>();
290  if (!val)
291  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
292 
293  SValBuilder &svalBuilder = C.getSValBuilder();
294  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
295  return state->assume(svalBuilder.evalEQ(state, *val, zero));
296 }
297 
298 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
300  AnyArgExpr Arg, SVal l) const {
301  // If a previous check has failed, propagate the failure.
302  if (!State)
303  return nullptr;
304 
305  ProgramStateRef stateNull, stateNonNull;
306  std::tie(stateNull, stateNonNull) =
307  assumeZero(C, State, l, Arg.Expression->getType());
308 
309  if (stateNull && !stateNonNull) {
310  if (Filter.CheckCStringNullArg) {
311  SmallString<80> buf;
312  llvm::raw_svector_ostream OS(buf);
313  assert(CurrentFunctionDescription);
314  OS << "Null pointer passed as " << (Arg.ArgumentIndex + 1)
315  << llvm::getOrdinalSuffix(Arg.ArgumentIndex + 1) << " argument to "
316  << CurrentFunctionDescription;
317 
318  emitNullArgBug(C, stateNull, Arg.Expression, OS.str());
319  }
320  return nullptr;
321  }
322 
323  // From here on, assume that the value is non-null.
324  assert(stateNonNull);
325  return stateNonNull;
326 }
327 
328 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
329 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
331  AnyArgExpr Buffer, SVal Element,
332  AccessKind Access) const {
333 
334  // If a previous check has failed, propagate the failure.
335  if (!state)
336  return nullptr;
337 
338  // Check for out of bound array element access.
339  const MemRegion *R = Element.getAsRegion();
340  if (!R)
341  return state;
342 
343  const auto *ER = dyn_cast<ElementRegion>(R);
344  if (!ER)
345  return state;
346 
347  if (ER->getValueType() != C.getASTContext().CharTy)
348  return state;
349 
350  // Get the size of the array.
351  const auto *superReg = cast<SubRegion>(ER->getSuperRegion());
352  DefinedOrUnknownSVal Size =
353  getDynamicExtent(state, superReg, C.getSValBuilder());
354 
355  // Get the index of the accessed element.
356  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
357 
358  ProgramStateRef StInBound, StOutBound;
359  std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, Size);
360  if (StOutBound && !StInBound) {
361  // These checks are either enabled by the CString out-of-bounds checker
362  // explicitly or implicitly by the Malloc checker.
363  // In the latter case we only do modeling but do not emit warning.
364  if (!Filter.CheckCStringOutOfBounds)
365  return nullptr;
366 
367  // Emit a bug report.
368  ErrorMessage Message =
369  createOutOfBoundErrorMsg(CurrentFunctionDescription, Access);
370  emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message);
371  return nullptr;
372  }
373 
374  // Ensure that we wouldn't read uninitialized value.
375  if (Access == AccessKind::read) {
376  if (Filter.CheckCStringUninitializedRead &&
377  StInBound->getSVal(ER).isUndef()) {
378  emitUninitializedReadBug(C, StInBound, Buffer.Expression);
379  return nullptr;
380  }
381  }
382 
383  // Array bound check succeeded. From this point forward the array bound
384  // should always succeed.
385  return StInBound;
386 }
387 
388 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
390  AnyArgExpr Buffer,
391  SizeArgExpr Size,
392  AccessKind Access) const {
393  // If a previous check has failed, propagate the failure.
394  if (!State)
395  return nullptr;
396 
397  SValBuilder &svalBuilder = C.getSValBuilder();
398  ASTContext &Ctx = svalBuilder.getContext();
399 
400  QualType SizeTy = Size.Expression->getType();
401  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
402 
403  // Check that the first buffer is non-null.
404  SVal BufVal = C.getSVal(Buffer.Expression);
405  State = checkNonNull(C, State, Buffer, BufVal);
406  if (!State)
407  return nullptr;
408 
409  // If out-of-bounds checking is turned off, skip the rest.
410  if (!Filter.CheckCStringOutOfBounds)
411  return State;
412 
413  // Get the access length and make sure it is known.
414  // FIXME: This assumes the caller has already checked that the access length
415  // is positive. And that it's unsigned.
416  SVal LengthVal = C.getSVal(Size.Expression);
417  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
418  if (!Length)
419  return State;
420 
421  // Compute the offset of the last element to be accessed: size-1.
422  NonLoc One = svalBuilder.makeIntVal(1, SizeTy).castAs<NonLoc>();
423  SVal Offset = svalBuilder.evalBinOpNN(State, BO_Sub, *Length, One, SizeTy);
424  if (Offset.isUnknown())
425  return nullptr;
426  NonLoc LastOffset = Offset.castAs<NonLoc>();
427 
428  // Check that the first buffer is sufficiently long.
429  SVal BufStart =
430  svalBuilder.evalCast(BufVal, PtrTy, Buffer.Expression->getType());
431  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
432 
433  SVal BufEnd =
434  svalBuilder.evalBinOpLN(State, BO_Add, *BufLoc, LastOffset, PtrTy);
435  State = CheckLocation(C, State, Buffer, BufEnd, Access);
436 
437  // If the buffer isn't large enough, abort.
438  if (!State)
439  return nullptr;
440  }
441 
442  // Large enough or not, return this state!
443  return State;
444 }
445 
446 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
448  SizeArgExpr Size, AnyArgExpr First,
449  AnyArgExpr Second) const {
450  if (!Filter.CheckCStringBufferOverlap)
451  return state;
452 
453  // Do a simple check for overlap: if the two arguments are from the same
454  // buffer, see if the end of the first is greater than the start of the second
455  // or vice versa.
456 
457  // If a previous check has failed, propagate the failure.
458  if (!state)
459  return nullptr;
460 
461  ProgramStateRef stateTrue, stateFalse;
462 
463  // Assume different address spaces cannot overlap.
464  if (First.Expression->getType()->getPointeeType().getAddressSpace() !=
465  Second.Expression->getType()->getPointeeType().getAddressSpace())
466  return state;
467 
468  // Get the buffer values and make sure they're known locations.
469  const LocationContext *LCtx = C.getLocationContext();
470  SVal firstVal = state->getSVal(First.Expression, LCtx);
471  SVal secondVal = state->getSVal(Second.Expression, LCtx);
472 
473  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
474  if (!firstLoc)
475  return state;
476 
477  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
478  if (!secondLoc)
479  return state;
480 
481  // Are the two values the same?
482  SValBuilder &svalBuilder = C.getSValBuilder();
483  std::tie(stateTrue, stateFalse) =
484  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
485 
486  if (stateTrue && !stateFalse) {
487  // If the values are known to be equal, that's automatically an overlap.
488  emitOverlapBug(C, stateTrue, First.Expression, Second.Expression);
489  return nullptr;
490  }
491 
492  // assume the two expressions are not equal.
493  assert(stateFalse);
494  state = stateFalse;
495 
496  // Which value comes first?
497  QualType cmpTy = svalBuilder.getConditionType();
498  SVal reverse =
499  svalBuilder.evalBinOpLL(state, BO_GT, *firstLoc, *secondLoc, cmpTy);
500  Optional<DefinedOrUnknownSVal> reverseTest =
501  reverse.getAs<DefinedOrUnknownSVal>();
502  if (!reverseTest)
503  return state;
504 
505  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
506  if (stateTrue) {
507  if (stateFalse) {
508  // If we don't know which one comes first, we can't perform this test.
509  return state;
510  } else {
511  // Switch the values so that firstVal is before secondVal.
512  std::swap(firstLoc, secondLoc);
513 
514  // Switch the Exprs as well, so that they still correspond.
515  std::swap(First, Second);
516  }
517  }
518 
519  // Get the length, and make sure it too is known.
520  SVal LengthVal = state->getSVal(Size.Expression, LCtx);
521  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
522  if (!Length)
523  return state;
524 
525  // Convert the first buffer's start address to char*.
526  // Bail out if the cast fails.
527  ASTContext &Ctx = svalBuilder.getContext();
528  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
529  SVal FirstStart =
530  svalBuilder.evalCast(*firstLoc, CharPtrTy, First.Expression->getType());
531  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
532  if (!FirstStartLoc)
533  return state;
534 
535  // Compute the end of the first buffer. Bail out if THAT fails.
536  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, *FirstStartLoc,
537  *Length, CharPtrTy);
538  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
539  if (!FirstEndLoc)
540  return state;
541 
542  // Is the end of the first buffer past the start of the second buffer?
543  SVal Overlap =
544  svalBuilder.evalBinOpLL(state, BO_GT, *FirstEndLoc, *secondLoc, cmpTy);
545  Optional<DefinedOrUnknownSVal> OverlapTest =
546  Overlap.getAs<DefinedOrUnknownSVal>();
547  if (!OverlapTest)
548  return state;
549 
550  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
551 
552  if (stateTrue && !stateFalse) {
553  // Overlap!
554  emitOverlapBug(C, stateTrue, First.Expression, Second.Expression);
555  return nullptr;
556  }
557 
558  // assume the two expressions don't overlap.
559  assert(stateFalse);
560  return stateFalse;
561 }
562 
563 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
564  const Stmt *First, const Stmt *Second) const {
565  ExplodedNode *N = C.generateErrorNode(state);
566  if (!N)
567  return;
568 
569  if (!BT_Overlap)
570  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
571  categories::UnixAPI, "Improper arguments"));
572 
573  // Generate a report for this bug.
574  auto report = std::make_unique<PathSensitiveBugReport>(
575  *BT_Overlap, "Arguments must not be overlapping buffers", N);
576  report->addRange(First->getSourceRange());
577  report->addRange(Second->getSourceRange());
578 
579  C.emitReport(std::move(report));
580 }
581 
582 void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State,
583  const Stmt *S, StringRef WarningMsg) const {
584  if (ExplodedNode *N = C.generateErrorNode(State)) {
585  if (!BT_Null)
586  BT_Null.reset(new BuiltinBug(
587  Filter.CheckNameCStringNullArg, categories::UnixAPI,
588  "Null pointer argument in call to byte string function"));
589 
590  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Null.get());
591  auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N);
592  Report->addRange(S->getSourceRange());
593  if (const auto *Ex = dyn_cast<Expr>(S))
594  bugreporter::trackExpressionValue(N, Ex, *Report);
595  C.emitReport(std::move(Report));
596  }
597 }
598 
599 void CStringChecker::emitUninitializedReadBug(CheckerContext &C,
601  const Expr *E) const {
602  if (ExplodedNode *N = C.generateErrorNode(State)) {
603  const char *Msg =
604  "Bytes string function accesses uninitialized/garbage values";
605  if (!BT_UninitRead)
606  BT_UninitRead.reset(
607  new BuiltinBug(Filter.CheckNameCStringUninitializedRead,
608  "Accessing unitialized/garbage values", Msg));
609 
610  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_UninitRead.get());
611 
612  auto Report = std::make_unique<PathSensitiveBugReport>(*BT, Msg, N);
613  Report->addRange(E->getSourceRange());
614  bugreporter::trackExpressionValue(N, E, *Report);
615  C.emitReport(std::move(Report));
616  }
617 }
618 
619 void CStringChecker::emitOutOfBoundsBug(CheckerContext &C,
620  ProgramStateRef State, const Stmt *S,
621  StringRef WarningMsg) const {
622  if (ExplodedNode *N = C.generateErrorNode(State)) {
623  if (!BT_Bounds)
624  BT_Bounds.reset(new BuiltinBug(
625  Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds
626  : Filter.CheckNameCStringNullArg,
627  "Out-of-bound array access",
628  "Byte string function accesses out-of-bound array element"));
629 
630  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Bounds.get());
631 
632  // FIXME: It would be nice to eventually make this diagnostic more clear,
633  // e.g., by referencing the original declaration or by saying *why* this
634  // reference is outside the range.
635  auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N);
636  Report->addRange(S->getSourceRange());
637  C.emitReport(std::move(Report));
638  }
639 }
640 
641 void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
642  const Stmt *S,
643  StringRef WarningMsg) const {
644  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
645  if (!BT_NotCString)
646  BT_NotCString.reset(new BuiltinBug(
647  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
648  "Argument is not a null-terminated string."));
649 
650  auto Report =
651  std::make_unique<PathSensitiveBugReport>(*BT_NotCString, WarningMsg, N);
652 
653  Report->addRange(S->getSourceRange());
654  C.emitReport(std::move(Report));
655  }
656 }
657 
658 void CStringChecker::emitAdditionOverflowBug(CheckerContext &C,
659  ProgramStateRef State) const {
660  if (ExplodedNode *N = C.generateErrorNode(State)) {
661  if (!BT_AdditionOverflow)
662  BT_AdditionOverflow.reset(
663  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
664  "Sum of expressions causes overflow."));
665 
666  // This isn't a great error message, but this should never occur in real
667  // code anyway -- you'd have to create a buffer longer than a size_t can
668  // represent, which is sort of a contradiction.
669  const char *WarningMsg =
670  "This expression will create a string whose length is too big to "
671  "be represented as a size_t";
672 
673  auto Report = std::make_unique<PathSensitiveBugReport>(*BT_AdditionOverflow,
674  WarningMsg, N);
675  C.emitReport(std::move(Report));
676  }
677 }
678 
679 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
681  NonLoc left,
682  NonLoc right) const {
683  // If out-of-bounds checking is turned off, skip the rest.
684  if (!Filter.CheckCStringOutOfBounds)
685  return state;
686 
687  // If a previous check has failed, propagate the failure.
688  if (!state)
689  return nullptr;
690 
691  SValBuilder &svalBuilder = C.getSValBuilder();
692  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
693 
694  QualType sizeTy = svalBuilder.getContext().getSizeType();
695  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
696  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
697 
698  SVal maxMinusRight;
699  if (isa<nonloc::ConcreteInt>(right)) {
700  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
701  sizeTy);
702  } else {
703  // Try switching the operands. (The order of these two assignments is
704  // important!)
705  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
706  sizeTy);
707  left = right;
708  }
709 
710  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
711  QualType cmpTy = svalBuilder.getConditionType();
712  // If left > max - right, we have an overflow.
713  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
714  *maxMinusRightNL, cmpTy);
715 
716  ProgramStateRef stateOverflow, stateOkay;
717  std::tie(stateOverflow, stateOkay) =
718  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
719 
720  if (stateOverflow && !stateOkay) {
721  // We have an overflow. Emit a bug report.
722  emitAdditionOverflowBug(C, stateOverflow);
723  return nullptr;
724  }
725 
726  // From now on, assume an overflow didn't occur.
727  assert(stateOkay);
728  state = stateOkay;
729  }
730 
731  return state;
732 }
733 
734 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
735  const MemRegion *MR,
736  SVal strLength) {
737  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
738 
739  MR = MR->StripCasts();
740 
741  switch (MR->getKind()) {
742  case MemRegion::StringRegionKind:
743  // FIXME: This can happen if we strcpy() into a string region. This is
744  // undefined [C99 6.4.5p6], but we should still warn about it.
745  return state;
746 
747  case MemRegion::SymbolicRegionKind:
748  case MemRegion::AllocaRegionKind:
749  case MemRegion::NonParamVarRegionKind:
750  case MemRegion::ParamVarRegionKind:
751  case MemRegion::FieldRegionKind:
752  case MemRegion::ObjCIvarRegionKind:
753  // These are the types we can currently track string lengths for.
754  break;
755 
756  case MemRegion::ElementRegionKind:
757  // FIXME: Handle element regions by upper-bounding the parent region's
758  // string length.
759  return state;
760 
761  default:
762  // Other regions (mostly non-data) can't have a reliable C string length.
763  // For now, just ignore the change.
764  // FIXME: These are rare but not impossible. We should output some kind of
765  // warning for things like strcpy((char[]){'a', 0}, "b");
766  return state;
767  }
768 
769  if (strLength.isUnknown())
770  return state->remove<CStringLength>(MR);
771 
772  return state->set<CStringLength>(MR, strLength);
773 }
774 
775 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
777  const Expr *Ex,
778  const MemRegion *MR,
779  bool hypothetical) {
780  if (!hypothetical) {
781  // If there's a recorded length, go ahead and return it.
782  const SVal *Recorded = state->get<CStringLength>(MR);
783  if (Recorded)
784  return *Recorded;
785  }
786 
787  // Otherwise, get a new symbol and update the state.
788  SValBuilder &svalBuilder = C.getSValBuilder();
789  QualType sizeTy = svalBuilder.getContext().getSizeType();
790  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
791  MR, Ex, sizeTy,
792  C.getLocationContext(),
793  C.blockCount());
794 
795  if (!hypothetical) {
796  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
797  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
798  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
799  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
800  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
801  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
802  fourInt);
803  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
804  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
805  maxLength, sizeTy);
806  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
807  }
808  state = state->set<CStringLength>(MR, strLength);
809  }
810 
811  return strLength;
812 }
813 
814 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
815  const Expr *Ex, SVal Buf,
816  bool hypothetical) const {
817  const MemRegion *MR = Buf.getAsRegion();
818  if (!MR) {
819  // If we can't get a region, see if it's something we /know/ isn't a
820  // C string. In the context of locations, the only time we can issue such
821  // a warning is for labels.
822  if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) {
823  if (Filter.CheckCStringNotNullTerm) {
824  SmallString<120> buf;
825  llvm::raw_svector_ostream os(buf);
826  assert(CurrentFunctionDescription);
827  os << "Argument to " << CurrentFunctionDescription
828  << " is the address of the label '" << Label->getLabel()->getName()
829  << "', which is not a null-terminated string";
830 
831  emitNotCStringBug(C, state, Ex, os.str());
832  }
833  return UndefinedVal();
834  }
835 
836  // If it's not a region and not a label, give up.
837  return UnknownVal();
838  }
839 
840  // If we have a region, strip casts from it and see if we can figure out
841  // its length. For anything we can't figure out, just return UnknownVal.
842  MR = MR->StripCasts();
843 
844  switch (MR->getKind()) {
845  case MemRegion::StringRegionKind: {
846  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
847  // so we can assume that the byte length is the correct C string length.
848  SValBuilder &svalBuilder = C.getSValBuilder();
849  QualType sizeTy = svalBuilder.getContext().getSizeType();
850  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
851  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
852  }
853  case MemRegion::SymbolicRegionKind:
854  case MemRegion::AllocaRegionKind:
855  case MemRegion::NonParamVarRegionKind:
856  case MemRegion::ParamVarRegionKind:
857  case MemRegion::FieldRegionKind:
858  case MemRegion::ObjCIvarRegionKind:
859  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
860  case MemRegion::CompoundLiteralRegionKind:
861  // FIXME: Can we track this? Is it necessary?
862  return UnknownVal();
863  case MemRegion::ElementRegionKind:
864  // FIXME: How can we handle this? It's not good enough to subtract the
865  // offset from the base string length; consider "123\x00567" and &a[5].
866  return UnknownVal();
867  default:
868  // Other regions (mostly non-data) can't have a reliable C string length.
869  // In this case, an error is emitted and UndefinedVal is returned.
870  // The caller should always be prepared to handle this case.
871  if (Filter.CheckCStringNotNullTerm) {
872  SmallString<120> buf;
873  llvm::raw_svector_ostream os(buf);
874 
875  assert(CurrentFunctionDescription);
876  os << "Argument to " << CurrentFunctionDescription << " is ";
877 
878  if (SummarizeRegion(os, C.getASTContext(), MR))
879  os << ", which is not a null-terminated string";
880  else
881  os << "not a null-terminated string";
882 
883  emitNotCStringBug(C, state, Ex, os.str());
884  }
885  return UndefinedVal();
886  }
887 }
888 
889 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
890  ProgramStateRef &state, const Expr *expr, SVal val) const {
891 
892  // Get the memory region pointed to by the val.
893  const MemRegion *bufRegion = val.getAsRegion();
894  if (!bufRegion)
895  return nullptr;
896 
897  // Strip casts off the memory region.
898  bufRegion = bufRegion->StripCasts();
899 
900  // Cast the memory region to a string region.
901  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
902  if (!strRegion)
903  return nullptr;
904 
905  // Return the actual string in the string region.
906  return strRegion->getStringLiteral();
907 }
908 
909 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
911  const Expr *FirstBuf,
912  const Expr *Size) {
913  // If we do not know that the buffer is long enough we return 'true'.
914  // Otherwise the parent region of this field region would also get
915  // invalidated, which would lead to warnings based on an unknown state.
916 
917  // Originally copied from CheckBufferAccess and CheckLocation.
918  SValBuilder &svalBuilder = C.getSValBuilder();
919  ASTContext &Ctx = svalBuilder.getContext();
920  const LocationContext *LCtx = C.getLocationContext();
921 
922  QualType sizeTy = Size->getType();
923  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
924  SVal BufVal = state->getSVal(FirstBuf, LCtx);
925 
926  SVal LengthVal = state->getSVal(Size, LCtx);
927  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
928  if (!Length)
929  return true; // cf top comment.
930 
931  // Compute the offset of the last element to be accessed: size-1.
932  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
933  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
934  if (Offset.isUnknown())
935  return true; // cf top comment
936  NonLoc LastOffset = Offset.castAs<NonLoc>();
937 
938  // Check that the first buffer is sufficiently long.
939  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
940  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
941  if (!BufLoc)
942  return true; // cf top comment.
943 
944  SVal BufEnd =
945  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
946 
947  // Check for out of bound array element access.
948  const MemRegion *R = BufEnd.getAsRegion();
949  if (!R)
950  return true; // cf top comment.
951 
952  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
953  if (!ER)
954  return true; // cf top comment.
955 
956  // FIXME: Does this crash when a non-standard definition
957  // of a library function is encountered?
958  assert(ER->getValueType() == C.getASTContext().CharTy &&
959  "IsFirstBufInBound should only be called with char* ElementRegions");
960 
961  // Get the size of the array.
962  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
963  DefinedOrUnknownSVal SizeDV = getDynamicExtent(state, superReg, svalBuilder);
964 
965  // Get the index of the accessed element.
966  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
967 
968  ProgramStateRef StInBound = state->assumeInBound(Idx, SizeDV, true);
969 
970  return static_cast<bool>(StInBound);
971 }
972 
973 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
975  const Expr *E, SVal V,
976  bool IsSourceBuffer,
977  const Expr *Size) {
978  Optional<Loc> L = V.getAs<Loc>();
979  if (!L)
980  return state;
981 
982  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
983  // some assumptions about the value that CFRefCount can't. Even so, it should
984  // probably be refactored.
985  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
986  const MemRegion *R = MR->getRegion()->StripCasts();
987 
988  // Are we dealing with an ElementRegion? If so, we should be invalidating
989  // the super-region.
990  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
991  R = ER->getSuperRegion();
992  // FIXME: What about layers of ElementRegions?
993  }
994 
995  // Invalidate this region.
996  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
997 
998  bool CausesPointerEscape = false;
999  RegionAndSymbolInvalidationTraits ITraits;
1000  // Invalidate and escape only indirect regions accessible through the source
1001  // buffer.
1002  if (IsSourceBuffer) {
1003  ITraits.setTrait(R->getBaseRegion(),
1006  CausesPointerEscape = true;
1007  } else {
1008  const MemRegion::Kind& K = R->getKind();
1009  if (K == MemRegion::FieldRegionKind)
1010  if (Size && IsFirstBufInBound(C, state, E, Size)) {
1011  // If destination buffer is a field region and access is in bound,
1012  // do not invalidate its super region.
1013  ITraits.setTrait(
1014  R,
1016  }
1017  }
1018 
1019  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
1020  CausesPointerEscape, nullptr, nullptr,
1021  &ITraits);
1022  }
1023 
1024  // If we have a non-region value by chance, just remove the binding.
1025  // FIXME: is this necessary or correct? This handles the non-Region
1026  // cases. Is it ever valid to store to these?
1027  return state->killBinding(*L);
1028 }
1029 
1030 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
1031  const MemRegion *MR) {
1032  switch (MR->getKind()) {
1033  case MemRegion::FunctionCodeRegionKind: {
1034  if (const auto *FD = cast<FunctionCodeRegion>(MR)->getDecl())
1035  os << "the address of the function '" << *FD << '\'';
1036  else
1037  os << "the address of a function";
1038  return true;
1039  }
1040  case MemRegion::BlockCodeRegionKind:
1041  os << "block text";
1042  return true;
1043  case MemRegion::BlockDataRegionKind:
1044  os << "a block";
1045  return true;
1046  case MemRegion::CXXThisRegionKind:
1047  case MemRegion::CXXTempObjectRegionKind:
1048  os << "a C++ temp object of type "
1049  << cast<TypedValueRegion>(MR)->getValueType();
1050  return true;
1051  case MemRegion::NonParamVarRegionKind:
1052  os << "a variable of type" << cast<TypedValueRegion>(MR)->getValueType();
1053  return true;
1054  case MemRegion::ParamVarRegionKind:
1055  os << "a parameter of type" << cast<TypedValueRegion>(MR)->getValueType();
1056  return true;
1057  case MemRegion::FieldRegionKind:
1058  os << "a field of type " << cast<TypedValueRegion>(MR)->getValueType();
1059  return true;
1060  case MemRegion::ObjCIvarRegionKind:
1061  os << "an instance variable of type "
1062  << cast<TypedValueRegion>(MR)->getValueType();
1063  return true;
1064  default:
1065  return false;
1066  }
1067 }
1068 
1069 bool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal,
1070  const Expr *Size, CheckerContext &C,
1072  SVal MemVal = C.getSVal(DstBuffer);
1073  SVal SizeVal = C.getSVal(Size);
1074  const MemRegion *MR = MemVal.getAsRegion();
1075  if (!MR)
1076  return false;
1077 
1078  // We're about to model memset by producing a "default binding" in the Store.
1079  // Our current implementation - RegionStore - doesn't support default bindings
1080  // that don't cover the whole base region. So we should first get the offset
1081  // and the base region to figure out whether the offset of buffer is 0.
1082  RegionOffset Offset = MR->getAsOffset();
1083  const MemRegion *BR = Offset.getRegion();
1084 
1085  Optional<NonLoc> SizeNL = SizeVal.getAs<NonLoc>();
1086  if (!SizeNL)
1087  return false;
1088 
1089  SValBuilder &svalBuilder = C.getSValBuilder();
1090  ASTContext &Ctx = C.getASTContext();
1091 
1092  // void *memset(void *dest, int ch, size_t count);
1093  // For now we can only handle the case of offset is 0 and concrete char value.
1094  if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
1095  Offset.getOffset() == 0) {
1096  // Get the base region's size.
1097  DefinedOrUnknownSVal SizeDV = getDynamicExtent(State, BR, svalBuilder);
1098 
1099  ProgramStateRef StateWholeReg, StateNotWholeReg;
1100  std::tie(StateWholeReg, StateNotWholeReg) =
1101  State->assume(svalBuilder.evalEQ(State, SizeDV, *SizeNL));
1102 
1103  // With the semantic of 'memset()', we should convert the CharVal to
1104  // unsigned char.
1105  CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);
1106 
1107  ProgramStateRef StateNullChar, StateNonNullChar;
1108  std::tie(StateNullChar, StateNonNullChar) =
1109  assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
1110 
1111  if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
1112  !StateNonNullChar) {
1113  // If the 'memset()' acts on the whole region of destination buffer and
1114  // the value of the second argument of 'memset()' is zero, bind the second
1115  // argument's value to the destination buffer with 'default binding'.
1116  // FIXME: Since there is no perfect way to bind the non-zero character, we
1117  // can only deal with zero value here. In the future, we need to deal with
1118  // the binding of non-zero value in the case of whole region.
1119  State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
1120  C.getLocationContext());
1121  } else {
1122  // If the destination buffer's extent is not equal to the value of
1123  // third argument, just invalidate buffer.
1124  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1125  /*IsSourceBuffer*/ false, Size);
1126  }
1127 
1128  if (StateNullChar && !StateNonNullChar) {
1129  // If the value of the second argument of 'memset()' is zero, set the
1130  // string length of destination buffer to 0 directly.
1131  State = setCStringLength(State, MR,
1132  svalBuilder.makeZeroVal(Ctx.getSizeType()));
1133  } else if (!StateNullChar && StateNonNullChar) {
1134  SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
1135  CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
1136  C.getLocationContext(), C.blockCount());
1137 
1138  // If the value of second argument is not zero, then the string length
1139  // is at least the size argument.
1140  SVal NewStrLenGESize = svalBuilder.evalBinOp(
1141  State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
1142 
1143  State = setCStringLength(
1144  State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
1145  MR, NewStrLen);
1146  }
1147  } else {
1148  // If the offset is not zero and char value is not concrete, we can do
1149  // nothing but invalidate the buffer.
1150  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1151  /*IsSourceBuffer*/ false, Size);
1152  }
1153  return true;
1154 }
1155 
1156 //===----------------------------------------------------------------------===//
1157 // evaluation of individual function calls.
1158 //===----------------------------------------------------------------------===//
1159 
1160 void CStringChecker::evalCopyCommon(CheckerContext &C, const CallExpr *CE,
1161  ProgramStateRef state, SizeArgExpr Size,
1162  DestinationArgExpr Dest,
1163  SourceArgExpr Source, bool Restricted,
1164  bool IsMempcpy) const {
1165  CurrentFunctionDescription = "memory copy function";
1166 
1167  // See if the size argument is zero.
1168  const LocationContext *LCtx = C.getLocationContext();
1169  SVal sizeVal = state->getSVal(Size.Expression, LCtx);
1170  QualType sizeTy = Size.Expression->getType();
1171 
1172  ProgramStateRef stateZeroSize, stateNonZeroSize;
1173  std::tie(stateZeroSize, stateNonZeroSize) =
1174  assumeZero(C, state, sizeVal, sizeTy);
1175 
1176  // Get the value of the Dest.
1177  SVal destVal = state->getSVal(Dest.Expression, LCtx);
1178 
1179  // If the size is zero, there won't be any actual memory access, so
1180  // just bind the return value to the destination buffer and return.
1181  if (stateZeroSize && !stateNonZeroSize) {
1182  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1183  C.addTransition(stateZeroSize);
1184  return;
1185  }
1186 
1187  // If the size can be nonzero, we have to check the other arguments.
1188  if (stateNonZeroSize) {
1189  state = stateNonZeroSize;
1190 
1191  // Ensure the destination is not null. If it is NULL there will be a
1192  // NULL pointer dereference.
1193  state = checkNonNull(C, state, Dest, destVal);
1194  if (!state)
1195  return;
1196 
1197  // Get the value of the Src.
1198  SVal srcVal = state->getSVal(Source.Expression, LCtx);
1199 
1200  // Ensure the source is not null. If it is NULL there will be a
1201  // NULL pointer dereference.
1202  state = checkNonNull(C, state, Source, srcVal);
1203  if (!state)
1204  return;
1205 
1206  // Ensure the accesses are valid and that the buffers do not overlap.
1207  state = CheckBufferAccess(C, state, Dest, Size, AccessKind::write);
1208  state = CheckBufferAccess(C, state, Source, Size, AccessKind::read);
1209 
1210  if (Restricted)
1211  state = CheckOverlap(C, state, Size, Dest, Source);
1212 
1213  if (!state)
1214  return;
1215 
1216  // If this is mempcpy, get the byte after the last byte copied and
1217  // bind the expr.
1218  if (IsMempcpy) {
1219  // Get the byte after the last byte copied.
1220  SValBuilder &SvalBuilder = C.getSValBuilder();
1221  ASTContext &Ctx = SvalBuilder.getContext();
1222  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1223  SVal DestRegCharVal =
1224  SvalBuilder.evalCast(destVal, CharPtrTy, Dest.Expression->getType());
1225  SVal lastElement = C.getSValBuilder().evalBinOp(
1226  state, BO_Add, DestRegCharVal, sizeVal, Dest.Expression->getType());
1227  // If we don't know how much we copied, we can at least
1228  // conjure a return value for later.
1229  if (lastElement.isUnknown())
1230  lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1231  C.blockCount());
1232 
1233  // The byte after the last byte copied is the return value.
1234  state = state->BindExpr(CE, LCtx, lastElement);
1235  } else {
1236  // All other copies return the destination buffer.
1237  // (Well, bcopy() has a void return type, but this won't hurt.)
1238  state = state->BindExpr(CE, LCtx, destVal);
1239  }
1240 
1241  // Invalidate the destination (regular invalidation without pointer-escaping
1242  // the address of the top-level region).
1243  // FIXME: Even if we can't perfectly model the copy, we should see if we
1244  // can use LazyCompoundVals to copy the source values into the destination.
1245  // This would probably remove any existing bindings past the end of the
1246  // copied region, but that's still an improvement over blank invalidation.
1247  state =
1248  InvalidateBuffer(C, state, Dest.Expression, C.getSVal(Dest.Expression),
1249  /*IsSourceBuffer*/ false, Size.Expression);
1250 
1251  // Invalidate the source (const-invalidation without const-pointer-escaping
1252  // the address of the top-level region).
1253  state = InvalidateBuffer(C, state, Source.Expression,
1254  C.getSVal(Source.Expression),
1255  /*IsSourceBuffer*/ true, nullptr);
1256 
1257  C.addTransition(state);
1258  }
1259 }
1260 
1261 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1262  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1263  // The return value is the address of the destination buffer.
1264  DestinationArgExpr Dest = {CE->getArg(0), 0};
1265  SourceArgExpr Src = {CE->getArg(1), 1};
1266  SizeArgExpr Size = {CE->getArg(2), 2};
1267 
1268  ProgramStateRef State = C.getState();
1269 
1270  constexpr bool IsRestricted = true;
1271  constexpr bool IsMempcpy = false;
1272  evalCopyCommon(C, CE, State, Size, Dest, Src, IsRestricted, IsMempcpy);
1273 }
1274 
1275 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1276  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1277  // The return value is a pointer to the byte following the last written byte.
1278  DestinationArgExpr Dest = {CE->getArg(0), 0};
1279  SourceArgExpr Src = {CE->getArg(1), 1};
1280  SizeArgExpr Size = {CE->getArg(2), 2};
1281 
1282  constexpr bool IsRestricted = true;
1283  constexpr bool IsMempcpy = true;
1284  evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
1285 }
1286 
1287 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1288  // void *memmove(void *dst, const void *src, size_t n);
1289  // The return value is the address of the destination buffer.
1290  DestinationArgExpr Dest = {CE->getArg(0), 0};
1291  SourceArgExpr Src = {CE->getArg(1), 1};
1292  SizeArgExpr Size = {CE->getArg(2), 2};
1293 
1294  constexpr bool IsRestricted = false;
1295  constexpr bool IsMempcpy = false;
1296  evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
1297 }
1298 
1299 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1300  // void bcopy(const void *src, void *dst, size_t n);
1301  SourceArgExpr Src(CE->getArg(0), 0);
1302  DestinationArgExpr Dest = {CE->getArg(1), 1};
1303  SizeArgExpr Size = {CE->getArg(2), 2};
1304 
1305  constexpr bool IsRestricted = false;
1306  constexpr bool IsMempcpy = false;
1307  evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
1308 }
1309 
1310 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1311  // int memcmp(const void *s1, const void *s2, size_t n);
1312  CurrentFunctionDescription = "memory comparison function";
1313 
1314  AnyArgExpr Left = {CE->getArg(0), 0};
1315  AnyArgExpr Right = {CE->getArg(1), 1};
1316  SizeArgExpr Size = {CE->getArg(2), 2};
1317 
1318  ProgramStateRef State = C.getState();
1319  SValBuilder &Builder = C.getSValBuilder();
1320  const LocationContext *LCtx = C.getLocationContext();
1321 
1322  // See if the size argument is zero.
1323  SVal sizeVal = State->getSVal(Size.Expression, LCtx);
1324  QualType sizeTy = Size.Expression->getType();
1325 
1326  ProgramStateRef stateZeroSize, stateNonZeroSize;
1327  std::tie(stateZeroSize, stateNonZeroSize) =
1328  assumeZero(C, State, sizeVal, sizeTy);
1329 
1330  // If the size can be zero, the result will be 0 in that case, and we don't
1331  // have to check either of the buffers.
1332  if (stateZeroSize) {
1333  State = stateZeroSize;
1334  State = State->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType()));
1335  C.addTransition(State);
1336  }
1337 
1338  // If the size can be nonzero, we have to check the other arguments.
1339  if (stateNonZeroSize) {
1340  State = stateNonZeroSize;
1341  // If we know the two buffers are the same, we know the result is 0.
1342  // First, get the two buffers' addresses. Another checker will have already
1343  // made sure they're not undefined.
1344  DefinedOrUnknownSVal LV =
1345  State->getSVal(Left.Expression, LCtx).castAs<DefinedOrUnknownSVal>();
1346  DefinedOrUnknownSVal RV =
1347  State->getSVal(Right.Expression, LCtx).castAs<DefinedOrUnknownSVal>();
1348 
1349  // See if they are the same.
1350  ProgramStateRef SameBuffer, NotSameBuffer;
1351  std::tie(SameBuffer, NotSameBuffer) =
1352  State->assume(Builder.evalEQ(State, LV, RV));
1353 
1354  // If the two arguments are the same buffer, we know the result is 0,
1355  // and we only need to check one size.
1356  if (SameBuffer && !NotSameBuffer) {
1357  State = SameBuffer;
1358  State = CheckBufferAccess(C, State, Left, Size, AccessKind::read);
1359  if (State) {
1360  State =
1361  SameBuffer->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType()));
1362  C.addTransition(State);
1363  }
1364  return;
1365  }
1366 
1367  // If the two arguments might be different buffers, we have to check
1368  // the size of both of them.
1369  assert(NotSameBuffer);
1370  State = CheckBufferAccess(C, State, Right, Size, AccessKind::read);
1371  State = CheckBufferAccess(C, State, Left, Size, AccessKind::read);
1372  if (State) {
1373  // The return value is the comparison result, which we don't know.
1374  SVal CmpV = Builder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1375  State = State->BindExpr(CE, LCtx, CmpV);
1376  C.addTransition(State);
1377  }
1378  }
1379 }
1380 
1381 void CStringChecker::evalstrLength(CheckerContext &C,
1382  const CallExpr *CE) const {
1383  // size_t strlen(const char *s);
1384  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1385 }
1386 
1387 void CStringChecker::evalstrnLength(CheckerContext &C,
1388  const CallExpr *CE) const {
1389  // size_t strnlen(const char *s, size_t maxlen);
1390  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1391 }
1392 
1393 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1394  bool IsStrnlen) const {
1395  CurrentFunctionDescription = "string length function";
1396  ProgramStateRef state = C.getState();
1397  const LocationContext *LCtx = C.getLocationContext();
1398 
1399  if (IsStrnlen) {
1400  const Expr *maxlenExpr = CE->getArg(1);
1401  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1402 
1403  ProgramStateRef stateZeroSize, stateNonZeroSize;
1404  std::tie(stateZeroSize, stateNonZeroSize) =
1405  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1406 
1407  // If the size can be zero, the result will be 0 in that case, and we don't
1408  // have to check the string itself.
1409  if (stateZeroSize) {
1410  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1411  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1412  C.addTransition(stateZeroSize);
1413  }
1414 
1415  // If the size is GUARANTEED to be zero, we're done!
1416  if (!stateNonZeroSize)
1417  return;
1418 
1419  // Otherwise, record the assumption that the size is nonzero.
1420  state = stateNonZeroSize;
1421  }
1422 
1423  // Check that the string argument is non-null.
1424  AnyArgExpr Arg = {CE->getArg(0), 0};
1425  SVal ArgVal = state->getSVal(Arg.Expression, LCtx);
1426  state = checkNonNull(C, state, Arg, ArgVal);
1427 
1428  if (!state)
1429  return;
1430 
1431  SVal strLength = getCStringLength(C, state, Arg.Expression, ArgVal);
1432 
1433  // If the argument isn't a valid C string, there's no valid state to
1434  // transition to.
1435  if (strLength.isUndef())
1436  return;
1437 
1438  DefinedOrUnknownSVal result = UnknownVal();
1439 
1440  // If the check is for strnlen() then bind the return value to no more than
1441  // the maxlen value.
1442  if (IsStrnlen) {
1443  QualType cmpTy = C.getSValBuilder().getConditionType();
1444 
1445  // It's a little unfortunate to be getting this again,
1446  // but it's not that expensive...
1447  const Expr *maxlenExpr = CE->getArg(1);
1448  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1449 
1450  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1451  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1452 
1453  if (strLengthNL && maxlenValNL) {
1454  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1455 
1456  // Check if the strLength is greater than the maxlen.
1457  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1458  C.getSValBuilder()
1459  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1460  .castAs<DefinedOrUnknownSVal>());
1461 
1462  if (stateStringTooLong && !stateStringNotTooLong) {
1463  // If the string is longer than maxlen, return maxlen.
1464  result = *maxlenValNL;
1465  } else if (stateStringNotTooLong && !stateStringTooLong) {
1466  // If the string is shorter than maxlen, return its length.
1467  result = *strLengthNL;
1468  }
1469  }
1470 
1471  if (result.isUnknown()) {
1472  // If we don't have enough information for a comparison, there's
1473  // no guarantee the full string length will actually be returned.
1474  // All we know is the return value is the min of the string length
1475  // and the limit. This is better than nothing.
1476  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1477  C.blockCount());
1478  NonLoc resultNL = result.castAs<NonLoc>();
1479 
1480  if (strLengthNL) {
1481  state = state->assume(C.getSValBuilder().evalBinOpNN(
1482  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1483  .castAs<DefinedOrUnknownSVal>(), true);
1484  }
1485 
1486  if (maxlenValNL) {
1487  state = state->assume(C.getSValBuilder().evalBinOpNN(
1488  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1489  .castAs<DefinedOrUnknownSVal>(), true);
1490  }
1491  }
1492 
1493  } else {
1494  // This is a plain strlen(), not strnlen().
1495  result = strLength.castAs<DefinedOrUnknownSVal>();
1496 
1497  // If we don't know the length of the string, conjure a return
1498  // value, so it can be used in constraints, at least.
1499  if (result.isUnknown()) {
1500  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1501  C.blockCount());
1502  }
1503  }
1504 
1505  // Bind the return value.
1506  assert(!result.isUnknown() && "Should have conjured a value by now");
1507  state = state->BindExpr(CE, LCtx, result);
1508  C.addTransition(state);
1509 }
1510 
1511 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1512  // char *strcpy(char *restrict dst, const char *restrict src);
1513  evalStrcpyCommon(C, CE,
1514  /* ReturnEnd = */ false,
1515  /* IsBounded = */ false,
1516  /* appendK = */ ConcatFnKind::none);
1517 }
1518 
1519 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1520  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1521  evalStrcpyCommon(C, CE,
1522  /* ReturnEnd = */ false,
1523  /* IsBounded = */ true,
1524  /* appendK = */ ConcatFnKind::none);
1525 }
1526 
1527 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1528  // char *stpcpy(char *restrict dst, const char *restrict src);
1529  evalStrcpyCommon(C, CE,
1530  /* ReturnEnd = */ true,
1531  /* IsBounded = */ false,
1532  /* appendK = */ ConcatFnKind::none);
1533 }
1534 
1535 void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const {
1536  // size_t strlcpy(char *dest, const char *src, size_t size);
1537  evalStrcpyCommon(C, CE,
1538  /* ReturnEnd = */ true,
1539  /* IsBounded = */ true,
1540  /* appendK = */ ConcatFnKind::none,
1541  /* returnPtr = */ false);
1542 }
1543 
1544 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1545  // char *strcat(char *restrict s1, const char *restrict s2);
1546  evalStrcpyCommon(C, CE,
1547  /* ReturnEnd = */ false,
1548  /* IsBounded = */ false,
1549  /* appendK = */ ConcatFnKind::strcat);
1550 }
1551 
1552 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1553  // char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1554  evalStrcpyCommon(C, CE,
1555  /* ReturnEnd = */ false,
1556  /* IsBounded = */ true,
1557  /* appendK = */ ConcatFnKind::strcat);
1558 }
1559 
1560 void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const {
1561  // size_t strlcat(char *dst, const char *src, size_t size);
1562  // It will append at most size - strlen(dst) - 1 bytes,
1563  // NULL-terminating the result.
1564  evalStrcpyCommon(C, CE,
1565  /* ReturnEnd = */ false,
1566  /* IsBounded = */ true,
1567  /* appendK = */ ConcatFnKind::strlcat,
1568  /* returnPtr = */ false);
1569 }
1570 
1571 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1572  bool ReturnEnd, bool IsBounded,
1573  ConcatFnKind appendK,
1574  bool returnPtr) const {
1575  if (appendK == ConcatFnKind::none)
1576  CurrentFunctionDescription = "string copy function";
1577  else
1578  CurrentFunctionDescription = "string concatenation function";
1579 
1580  ProgramStateRef state = C.getState();
1581  const LocationContext *LCtx = C.getLocationContext();
1582 
1583  // Check that the destination is non-null.
1584  DestinationArgExpr Dst = {CE->getArg(0), 0};
1585  SVal DstVal = state->getSVal(Dst.Expression, LCtx);
1586  state = checkNonNull(C, state, Dst, DstVal);
1587  if (!state)
1588  return;
1589 
1590  // Check that the source is non-null.
1591  SourceArgExpr srcExpr = {CE->getArg(1), 1};
1592  SVal srcVal = state->getSVal(srcExpr.Expression, LCtx);
1593  state = checkNonNull(C, state, srcExpr, srcVal);
1594  if (!state)
1595  return;
1596 
1597  // Get the string length of the source.
1598  SVal strLength = getCStringLength(C, state, srcExpr.Expression, srcVal);
1599  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1600 
1601  // Get the string length of the destination buffer.
1602  SVal dstStrLength = getCStringLength(C, state, Dst.Expression, DstVal);
1603  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1604 
1605  // If the source isn't a valid C string, give up.
1606  if (strLength.isUndef())
1607  return;
1608 
1609  SValBuilder &svalBuilder = C.getSValBuilder();
1610  QualType cmpTy = svalBuilder.getConditionType();
1611  QualType sizeTy = svalBuilder.getContext().getSizeType();
1612 
1613  // These two values allow checking two kinds of errors:
1614  // - actual overflows caused by a source that doesn't fit in the destination
1615  // - potential overflows caused by a bound that could exceed the destination
1616  SVal amountCopied = UnknownVal();
1617  SVal maxLastElementIndex = UnknownVal();
1618  const char *boundWarning = nullptr;
1619 
1620  // FIXME: Why do we choose the srcExpr if the access has no size?
1621  // Note that the 3rd argument of the call would be the size parameter.
1622  SizeArgExpr SrcExprAsSizeDummy = {srcExpr.Expression, srcExpr.ArgumentIndex};
1623  state = CheckOverlap(
1624  C, state,
1625  (IsBounded ? SizeArgExpr{CE->getArg(2), 2} : SrcExprAsSizeDummy), Dst,
1626  srcExpr);
1627 
1628  if (!state)
1629  return;
1630 
1631  // If the function is strncpy, strncat, etc... it is bounded.
1632  if (IsBounded) {
1633  // Get the max number of characters to copy.
1634  SizeArgExpr lenExpr = {CE->getArg(2), 2};
1635  SVal lenVal = state->getSVal(lenExpr.Expression, LCtx);
1636 
1637  // Protect against misdeclared strncpy().
1638  lenVal =
1639  svalBuilder.evalCast(lenVal, sizeTy, lenExpr.Expression->getType());
1640 
1641  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1642 
1643  // If we know both values, we might be able to figure out how much
1644  // we're copying.
1645  if (strLengthNL && lenValNL) {
1646  switch (appendK) {
1647  case ConcatFnKind::none:
1648  case ConcatFnKind::strcat: {
1649  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1650  // Check if the max number to copy is less than the length of the src.
1651  // If the bound is equal to the source length, strncpy won't null-
1652  // terminate the result!
1653  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1654  svalBuilder
1655  .evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1656  .castAs<DefinedOrUnknownSVal>());
1657 
1658  if (stateSourceTooLong && !stateSourceNotTooLong) {
1659  // Max number to copy is less than the length of the src, so the
1660  // actual strLength copied is the max number arg.
1661  state = stateSourceTooLong;
1662  amountCopied = lenVal;
1663 
1664  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1665  // The source buffer entirely fits in the bound.
1666  state = stateSourceNotTooLong;
1667  amountCopied = strLength;
1668  }
1669  break;
1670  }
1671  case ConcatFnKind::strlcat:
1672  if (!dstStrLengthNL)
1673  return;
1674 
1675  // amountCopied = min (size - dstLen - 1 , srcLen)
1676  SVal freeSpace = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1677  *dstStrLengthNL, sizeTy);
1678  if (!isa<NonLoc>(freeSpace))
1679  return;
1680  freeSpace =
1681  svalBuilder.evalBinOp(state, BO_Sub, freeSpace,
1682  svalBuilder.makeIntVal(1, sizeTy), sizeTy);
1683  Optional<NonLoc> freeSpaceNL = freeSpace.getAs<NonLoc>();
1684 
1685  // While unlikely, it is possible that the subtraction is
1686  // too complex to compute, let's check whether it succeeded.
1687  if (!freeSpaceNL)
1688  return;
1689  SVal hasEnoughSpace = svalBuilder.evalBinOpNN(
1690  state, BO_LE, *strLengthNL, *freeSpaceNL, cmpTy);
1691 
1692  ProgramStateRef TrueState, FalseState;
1693  std::tie(TrueState, FalseState) =
1694  state->assume(hasEnoughSpace.castAs<DefinedOrUnknownSVal>());
1695 
1696  // srcStrLength <= size - dstStrLength -1
1697  if (TrueState && !FalseState) {
1698  amountCopied = strLength;
1699  }
1700 
1701  // srcStrLength > size - dstStrLength -1
1702  if (!TrueState && FalseState) {
1703  amountCopied = freeSpace;
1704  }
1705 
1706  if (TrueState && FalseState)
1707  amountCopied = UnknownVal();
1708  break;
1709  }
1710  }
1711  // We still want to know if the bound is known to be too large.
1712  if (lenValNL) {
1713  switch (appendK) {
1714  case ConcatFnKind::strcat:
1715  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1716 
1717  // Get the string length of the destination. If the destination is
1718  // memory that can't have a string length, we shouldn't be copying
1719  // into it anyway.
1720  if (dstStrLength.isUndef())
1721  return;
1722 
1723  if (dstStrLengthNL) {
1724  maxLastElementIndex = svalBuilder.evalBinOpNN(
1725  state, BO_Add, *lenValNL, *dstStrLengthNL, sizeTy);
1726 
1727  boundWarning = "Size argument is greater than the free space in the "
1728  "destination buffer";
1729  }
1730  break;
1731  case ConcatFnKind::none:
1732  case ConcatFnKind::strlcat:
1733  // For strncpy and strlcat, this is just checking
1734  // that lenVal <= sizeof(dst).
1735  // (Yes, strncpy and strncat differ in how they treat termination.
1736  // strncat ALWAYS terminates, but strncpy doesn't.)
1737 
1738  // We need a special case for when the copy size is zero, in which
1739  // case strncpy will do no work at all. Our bounds check uses n-1
1740  // as the last element accessed, so n == 0 is problematic.
1741  ProgramStateRef StateZeroSize, StateNonZeroSize;
1742  std::tie(StateZeroSize, StateNonZeroSize) =
1743  assumeZero(C, state, *lenValNL, sizeTy);
1744 
1745  // If the size is known to be zero, we're done.
1746  if (StateZeroSize && !StateNonZeroSize) {
1747  if (returnPtr) {
1748  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1749  } else {
1750  if (appendK == ConcatFnKind::none) {
1751  // strlcpy returns strlen(src)
1752  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, strLength);
1753  } else {
1754  // strlcat returns strlen(src) + strlen(dst)
1755  SVal retSize = svalBuilder.evalBinOp(
1756  state, BO_Add, strLength, dstStrLength, sizeTy);
1757  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, retSize);
1758  }
1759  }
1760  C.addTransition(StateZeroSize);
1761  return;
1762  }
1763 
1764  // Otherwise, go ahead and figure out the last element we'll touch.
1765  // We don't record the non-zero assumption here because we can't
1766  // be sure. We won't warn on a possible zero.
1767  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1768  maxLastElementIndex =
1769  svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, one, sizeTy);
1770  boundWarning = "Size argument is greater than the length of the "
1771  "destination buffer";
1772  break;
1773  }
1774  }
1775  } else {
1776  // The function isn't bounded. The amount copied should match the length
1777  // of the source buffer.
1778  amountCopied = strLength;
1779  }
1780 
1781  assert(state);
1782 
1783  // This represents the number of characters copied into the destination
1784  // buffer. (It may not actually be the strlen if the destination buffer
1785  // is not terminated.)
1786  SVal finalStrLength = UnknownVal();
1787  SVal strlRetVal = UnknownVal();
1788 
1789  if (appendK == ConcatFnKind::none && !returnPtr) {
1790  // strlcpy returns the sizeof(src)
1791  strlRetVal = strLength;
1792  }
1793 
1794  // If this is an appending function (strcat, strncat...) then set the
1795  // string length to strlen(src) + strlen(dst) since the buffer will
1796  // ultimately contain both.
1797  if (appendK != ConcatFnKind::none) {
1798  // Get the string length of the destination. If the destination is memory
1799  // that can't have a string length, we shouldn't be copying into it anyway.
1800  if (dstStrLength.isUndef())
1801  return;
1802 
1803  if (appendK == ConcatFnKind::strlcat && dstStrLengthNL && strLengthNL) {
1804  strlRetVal = svalBuilder.evalBinOpNN(state, BO_Add, *strLengthNL,
1805  *dstStrLengthNL, sizeTy);
1806  }
1807 
1808  Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>();
1809 
1810  // If we know both string lengths, we might know the final string length.
1811  if (amountCopiedNL && dstStrLengthNL) {
1812  // Make sure the two lengths together don't overflow a size_t.
1813  state = checkAdditionOverflow(C, state, *amountCopiedNL, *dstStrLengthNL);
1814  if (!state)
1815  return;
1816 
1817  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *amountCopiedNL,
1818  *dstStrLengthNL, sizeTy);
1819  }
1820 
1821  // If we couldn't get a single value for the final string length,
1822  // we can at least bound it by the individual lengths.
1823  if (finalStrLength.isUnknown()) {
1824  // Try to get a "hypothetical" string length symbol, which we can later
1825  // set as a real value if that turns out to be the case.
1826  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1827  assert(!finalStrLength.isUndef());
1828 
1829  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1830  if (amountCopiedNL && appendK == ConcatFnKind::none) {
1831  // we overwrite dst string with the src
1832  // finalStrLength >= srcStrLength
1833  SVal sourceInResult = svalBuilder.evalBinOpNN(
1834  state, BO_GE, *finalStrLengthNL, *amountCopiedNL, cmpTy);
1835  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1836  true);
1837  if (!state)
1838  return;
1839  }
1840 
1841  if (dstStrLengthNL && appendK != ConcatFnKind::none) {
1842  // we extend the dst string with the src
1843  // finalStrLength >= dstStrLength
1844  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1845  *finalStrLengthNL,
1846  *dstStrLengthNL,
1847  cmpTy);
1848  state =
1849  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1850  if (!state)
1851  return;
1852  }
1853  }
1854  }
1855 
1856  } else {
1857  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1858  // the final string length will match the input string length.
1859  finalStrLength = amountCopied;
1860  }
1861 
1862  SVal Result;
1863 
1864  if (returnPtr) {
1865  // The final result of the function will either be a pointer past the last
1866  // copied element, or a pointer to the start of the destination buffer.
1867  Result = (ReturnEnd ? UnknownVal() : DstVal);
1868  } else {
1869  if (appendK == ConcatFnKind::strlcat || appendK == ConcatFnKind::none)
1870  //strlcpy, strlcat
1871  Result = strlRetVal;
1872  else
1873  Result = finalStrLength;
1874  }
1875 
1876  assert(state);
1877 
1878  // If the destination is a MemRegion, try to check for a buffer overflow and
1879  // record the new string length.
1880  if (Optional<loc::MemRegionVal> dstRegVal =
1881  DstVal.getAs<loc::MemRegionVal>()) {
1882  QualType ptrTy = Dst.Expression->getType();
1883 
1884  // If we have an exact value on a bounded copy, use that to check for
1885  // overflows, rather than our estimate about how much is actually copied.
1886  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1887  SVal maxLastElement =
1888  svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, *maxLastNL, ptrTy);
1889 
1890  state = CheckLocation(C, state, Dst, maxLastElement, AccessKind::write);
1891  if (!state)
1892  return;
1893  }
1894 
1895  // Then, if the final length is known...
1896  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1897  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1898  *knownStrLength, ptrTy);
1899 
1900  // ...and we haven't checked the bound, we'll check the actual copy.
1901  if (!boundWarning) {
1902  state = CheckLocation(C, state, Dst, lastElement, AccessKind::write);
1903  if (!state)
1904  return;
1905  }
1906 
1907  // If this is a stpcpy-style copy, the last element is the return value.
1908  if (returnPtr && ReturnEnd)
1909  Result = lastElement;
1910  }
1911 
1912  // Invalidate the destination (regular invalidation without pointer-escaping
1913  // the address of the top-level region). This must happen before we set the
1914  // C string length because invalidation will clear the length.
1915  // FIXME: Even if we can't perfectly model the copy, we should see if we
1916  // can use LazyCompoundVals to copy the source values into the destination.
1917  // This would probably remove any existing bindings past the end of the
1918  // string, but that's still an improvement over blank invalidation.
1919  state = InvalidateBuffer(C, state, Dst.Expression, *dstRegVal,
1920  /*IsSourceBuffer*/ false, nullptr);
1921 
1922  // Invalidate the source (const-invalidation without const-pointer-escaping
1923  // the address of the top-level region).
1924  state = InvalidateBuffer(C, state, srcExpr.Expression, srcVal,
1925  /*IsSourceBuffer*/ true, nullptr);
1926 
1927  // Set the C string length of the destination, if we know it.
1928  if (IsBounded && (appendK == ConcatFnKind::none)) {
1929  // strncpy is annoying in that it doesn't guarantee to null-terminate
1930  // the result string. If the original string didn't fit entirely inside
1931  // the bound (including the null-terminator), we don't know how long the
1932  // result is.
1933  if (amountCopied != strLength)
1934  finalStrLength = UnknownVal();
1935  }
1936  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1937  }
1938 
1939  assert(state);
1940 
1941  if (returnPtr) {
1942  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1943  // overflow, we still need a result. Conjure a return value.
1944  if (ReturnEnd && Result.isUnknown()) {
1945  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1946  }
1947  }
1948  // Set the return value.
1949  state = state->BindExpr(CE, LCtx, Result);
1950  C.addTransition(state);
1951 }
1952 
1953 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1954  //int strcmp(const char *s1, const char *s2);
1955  evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ false);
1956 }
1957 
1958 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1959  //int strncmp(const char *s1, const char *s2, size_t n);
1960  evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ false);
1961 }
1962 
1963 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1964  const CallExpr *CE) const {
1965  //int strcasecmp(const char *s1, const char *s2);
1966  evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ true);
1967 }
1968 
1969 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1970  const CallExpr *CE) const {
1971  //int strncasecmp(const char *s1, const char *s2, size_t n);
1972  evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ true);
1973 }
1974 
1975 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1976  bool IsBounded, bool IgnoreCase) const {
1977  CurrentFunctionDescription = "string comparison function";
1978  ProgramStateRef state = C.getState();
1979  const LocationContext *LCtx = C.getLocationContext();
1980 
1981  // Check that the first string is non-null
1982  AnyArgExpr Left = {CE->getArg(0), 0};
1983  SVal LeftVal = state->getSVal(Left.Expression, LCtx);
1984  state = checkNonNull(C, state, Left, LeftVal);
1985  if (!state)
1986  return;
1987 
1988  // Check that the second string is non-null.
1989  AnyArgExpr Right = {CE->getArg(1), 1};
1990  SVal RightVal = state->getSVal(Right.Expression, LCtx);
1991  state = checkNonNull(C, state, Right, RightVal);
1992  if (!state)
1993  return;
1994 
1995  // Get the string length of the first string or give up.
1996  SVal LeftLength = getCStringLength(C, state, Left.Expression, LeftVal);
1997  if (LeftLength.isUndef())
1998  return;
1999 
2000  // Get the string length of the second string or give up.
2001  SVal RightLength = getCStringLength(C, state, Right.Expression, RightVal);
2002  if (RightLength.isUndef())
2003  return;
2004 
2005  // If we know the two buffers are the same, we know the result is 0.
2006  // First, get the two buffers' addresses. Another checker will have already
2007  // made sure they're not undefined.
2008  DefinedOrUnknownSVal LV = LeftVal.castAs<DefinedOrUnknownSVal>();
2009  DefinedOrUnknownSVal RV = RightVal.castAs<DefinedOrUnknownSVal>();
2010 
2011  // See if they are the same.
2012  SValBuilder &svalBuilder = C.getSValBuilder();
2013  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
2014  ProgramStateRef StSameBuf, StNotSameBuf;
2015  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
2016 
2017  // If the two arguments might be the same buffer, we know the result is 0,
2018  // and we only need to check one size.
2019  if (StSameBuf) {
2020  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
2021  svalBuilder.makeZeroVal(CE->getType()));
2022  C.addTransition(StSameBuf);
2023 
2024  // If the two arguments are GUARANTEED to be the same, we're done!
2025  if (!StNotSameBuf)
2026  return;
2027  }
2028 
2029  assert(StNotSameBuf);
2030  state = StNotSameBuf;
2031 
2032  // At this point we can go about comparing the two buffers.
2033  // For now, we only do this if they're both known string literals.
2034 
2035  // Attempt to extract string literals from both expressions.
2036  const StringLiteral *LeftStrLiteral =
2037  getCStringLiteral(C, state, Left.Expression, LeftVal);
2038  const StringLiteral *RightStrLiteral =
2039  getCStringLiteral(C, state, Right.Expression, RightVal);
2040  bool canComputeResult = false;
2041  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
2042  C.blockCount());
2043 
2044  if (LeftStrLiteral && RightStrLiteral) {
2045  StringRef LeftStrRef = LeftStrLiteral->getString();
2046  StringRef RightStrRef = RightStrLiteral->getString();
2047 
2048  if (IsBounded) {
2049  // Get the max number of characters to compare.
2050  const Expr *lenExpr = CE->getArg(2);
2051  SVal lenVal = state->getSVal(lenExpr, LCtx);
2052 
2053  // If the length is known, we can get the right substrings.
2054  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
2055  // Create substrings of each to compare the prefix.
2056  LeftStrRef = LeftStrRef.substr(0, (size_t)len->getZExtValue());
2057  RightStrRef = RightStrRef.substr(0, (size_t)len->getZExtValue());
2058  canComputeResult = true;
2059  }
2060  } else {
2061  // This is a normal, unbounded strcmp.
2062  canComputeResult = true;
2063  }
2064 
2065  if (canComputeResult) {
2066  // Real strcmp stops at null characters.
2067  size_t s1Term = LeftStrRef.find('\0');
2068  if (s1Term != StringRef::npos)
2069  LeftStrRef = LeftStrRef.substr(0, s1Term);
2070 
2071  size_t s2Term = RightStrRef.find('\0');
2072  if (s2Term != StringRef::npos)
2073  RightStrRef = RightStrRef.substr(0, s2Term);
2074 
2075  // Use StringRef's comparison methods to compute the actual result.
2076  int compareRes = IgnoreCase ? LeftStrRef.compare_insensitive(RightStrRef)
2077  : LeftStrRef.compare(RightStrRef);
2078 
2079  // The strcmp function returns an integer greater than, equal to, or less
2080  // than zero, [c11, p7.24.4.2].
2081  if (compareRes == 0) {
2082  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
2083  }
2084  else {
2085  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
2086  // Constrain strcmp's result range based on the result of StringRef's
2087  // comparison methods.
2088  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
2089  SVal compareWithZero =
2090  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
2091  svalBuilder.getConditionType());
2092  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
2093  state = state->assume(compareWithZeroVal, true);
2094  }
2095  }
2096  }
2097 
2098  state = state->BindExpr(CE, LCtx, resultVal);
2099 
2100  // Record this as a possible path.
2101  C.addTransition(state);
2102 }
2103 
2104 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
2105  // char *strsep(char **stringp, const char *delim);
2106  // Verify whether the search string parameter matches the return type.
2107  SourceArgExpr SearchStrPtr = {CE->getArg(0), 0};
2108 
2109  QualType CharPtrTy = SearchStrPtr.Expression->getType()->getPointeeType();
2110  if (CharPtrTy.isNull() ||
2111  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
2112  return;
2113 
2114  CurrentFunctionDescription = "strsep()";
2115  ProgramStateRef State = C.getState();
2116  const LocationContext *LCtx = C.getLocationContext();
2117 
2118  // Check that the search string pointer is non-null (though it may point to
2119  // a null string).
2120  SVal SearchStrVal = State->getSVal(SearchStrPtr.Expression, LCtx);
2121  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
2122  if (!State)
2123  return;
2124 
2125  // Check that the delimiter string is non-null.
2126  AnyArgExpr DelimStr = {CE->getArg(1), 1};
2127  SVal DelimStrVal = State->getSVal(DelimStr.Expression, LCtx);
2128  State = checkNonNull(C, State, DelimStr, DelimStrVal);
2129  if (!State)
2130  return;
2131 
2132  SValBuilder &SVB = C.getSValBuilder();
2133  SVal Result;
2134  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
2135  // Get the current value of the search string pointer, as a char*.
2136  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
2137 
2138  // Invalidate the search string, representing the change of one delimiter
2139  // character to NUL.
2140  State = InvalidateBuffer(C, State, SearchStrPtr.Expression, Result,
2141  /*IsSourceBuffer*/ false, nullptr);
2142 
2143  // Overwrite the search string pointer. The new value is either an address
2144  // further along in the same string, or NULL if there are no more tokens.
2145  State = State->bindLoc(*SearchStrLoc,
2146  SVB.conjureSymbolVal(getTag(),
2147  CE,
2148  LCtx,
2149  CharPtrTy,
2150  C.blockCount()),
2151  LCtx);
2152  } else {
2153  assert(SearchStrVal.isUnknown());
2154  // Conjure a symbolic value. It's the best we can do.
2155  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2156  }
2157 
2158  // Set the return value, and finish.
2159  State = State->BindExpr(CE, LCtx, Result);
2160  C.addTransition(State);
2161 }
2162 
2163 // These should probably be moved into a C++ standard library checker.
2164 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
2165  evalStdCopyCommon(C, CE);
2166 }
2167 
2168 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
2169  const CallExpr *CE) const {
2170  evalStdCopyCommon(C, CE);
2171 }
2172 
2173 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
2174  const CallExpr *CE) const {
2175  if (!CE->getArg(2)->getType()->isPointerType())
2176  return;
2177 
2178  ProgramStateRef State = C.getState();
2179 
2180  const LocationContext *LCtx = C.getLocationContext();
2181 
2182  // template <class _InputIterator, class _OutputIterator>
2183  // _OutputIterator
2184  // copy(_InputIterator __first, _InputIterator __last,
2185  // _OutputIterator __result)
2186 
2187  // Invalidate the destination buffer
2188  const Expr *Dst = CE->getArg(2);
2189  SVal DstVal = State->getSVal(Dst, LCtx);
2190  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
2191  /*Size=*/nullptr);
2192 
2193  SValBuilder &SVB = C.getSValBuilder();
2194 
2195  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2196  State = State->BindExpr(CE, LCtx, ResultVal);
2197 
2198  C.addTransition(State);
2199 }
2200 
2201 void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
2202  // void *memset(void *s, int c, size_t n);
2203  CurrentFunctionDescription = "memory set function";
2204 
2205  DestinationArgExpr Buffer = {CE->getArg(0), 0};
2206  AnyArgExpr CharE = {CE->getArg(1), 1};
2207  SizeArgExpr Size = {CE->getArg(2), 2};
2208 
2209  ProgramStateRef State = C.getState();
2210 
2211  // See if the size argument is zero.
2212  const LocationContext *LCtx = C.getLocationContext();
2213  SVal SizeVal = C.getSVal(Size.Expression);
2214  QualType SizeTy = Size.Expression->getType();
2215 
2216  ProgramStateRef ZeroSize, NonZeroSize;
2217  std::tie(ZeroSize, NonZeroSize) = assumeZero(C, State, SizeVal, SizeTy);
2218 
2219  // Get the value of the memory area.
2220  SVal BufferPtrVal = C.getSVal(Buffer.Expression);
2221 
2222  // If the size is zero, there won't be any actual memory access, so
2223  // just bind the return value to the buffer and return.
2224  if (ZeroSize && !NonZeroSize) {
2225  ZeroSize = ZeroSize->BindExpr(CE, LCtx, BufferPtrVal);
2226  C.addTransition(ZeroSize);
2227  return;
2228  }
2229 
2230  // Ensure the memory area is not null.
2231  // If it is NULL there will be a NULL pointer dereference.
2232  State = checkNonNull(C, NonZeroSize, Buffer, BufferPtrVal);
2233  if (!State)
2234  return;
2235 
2236  State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
2237  if (!State)
2238  return;
2239 
2240  // According to the values of the arguments, bind the value of the second
2241  // argument to the destination buffer and set string length, or just
2242  // invalidate the destination buffer.
2243  if (!memsetAux(Buffer.Expression, C.getSVal(CharE.Expression),
2244  Size.Expression, C, State))
2245  return;
2246 
2247  State = State->BindExpr(CE, LCtx, BufferPtrVal);
2248  C.addTransition(State);
2249 }
2250 
2251 void CStringChecker::evalBzero(CheckerContext &C, const CallExpr *CE) const {
2252  CurrentFunctionDescription = "memory clearance function";
2253 
2254  DestinationArgExpr Buffer = {CE->getArg(0), 0};
2255  SizeArgExpr Size = {CE->getArg(1), 1};
2256  SVal Zero = C.getSValBuilder().makeZeroVal(C.getASTContext().IntTy);
2257 
2258  ProgramStateRef State = C.getState();
2259 
2260  // See if the size argument is zero.
2261  SVal SizeVal = C.getSVal(Size.Expression);
2262  QualType SizeTy = Size.Expression->getType();
2263 
2264  ProgramStateRef StateZeroSize, StateNonZeroSize;
2265  std::tie(StateZeroSize, StateNonZeroSize) =
2266  assumeZero(C, State, SizeVal, SizeTy);
2267 
2268  // If the size is zero, there won't be any actual memory access,
2269  // In this case we just return.
2270  if (StateZeroSize && !StateNonZeroSize) {
2271  C.addTransition(StateZeroSize);
2272  return;
2273  }
2274 
2275  // Get the value of the memory area.
2276  SVal MemVal = C.getSVal(Buffer.Expression);
2277 
2278  // Ensure the memory area is not null.
2279  // If it is NULL there will be a NULL pointer dereference.
2280  State = checkNonNull(C, StateNonZeroSize, Buffer, MemVal);
2281  if (!State)
2282  return;
2283 
2284  State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
2285  if (!State)
2286  return;
2287 
2288  if (!memsetAux(Buffer.Expression, Zero, Size.Expression, C, State))
2289  return;
2290 
2291  C.addTransition(State);
2292 }
2293 
2294 //===----------------------------------------------------------------------===//
2295 // The driver method, and other Checker callbacks.
2296 //===----------------------------------------------------------------------===//
2297 
2298 CStringChecker::FnCheck CStringChecker::identifyCall(const CallEvent &Call,
2299  CheckerContext &C) const {
2300  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
2301  if (!CE)
2302  return nullptr;
2303 
2304  const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
2305  if (!FD)
2306  return nullptr;
2307 
2308  if (StdCopy.matches(Call))
2309  return &CStringChecker::evalStdCopy;
2310  if (StdCopyBackward.matches(Call))
2311  return &CStringChecker::evalStdCopyBackward;
2312 
2313  // Pro-actively check that argument types are safe to do arithmetic upon.
2314  // We do not want to crash if someone accidentally passes a structure
2315  // into, say, a C++ overload of any of these functions. We could not check
2316  // that for std::copy because they may have arguments of other types.
2317  for (auto I : CE->arguments()) {
2318  QualType T = I->getType();
2319  if (!T->isIntegralOrEnumerationType() && !T->isPointerType())
2320  return nullptr;
2321  }
2322 
2323  const FnCheck *Callback = Callbacks.lookup(Call);
2324  if (Callback)
2325  return *Callback;
2326 
2327  return nullptr;
2328 }
2329 
2330 bool CStringChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
2331  FnCheck Callback = identifyCall(Call, C);
2332 
2333  // If the callee isn't a string function, let another checker handle it.
2334  if (!Callback)
2335  return false;
2336 
2337  // Check and evaluate the call.
2338  const auto *CE = cast<CallExpr>(Call.getOriginExpr());
2339  (this->*Callback)(C, CE);
2340 
2341  // If the evaluate call resulted in no change, chain to the next eval call
2342  // handler.
2343  // Note, the custom CString evaluation calls assume that basic safety
2344  // properties are held. However, if the user chooses to turn off some of these
2345  // checks, we ignore the issues and leave the call evaluation to a generic
2346  // handler.
2347  return C.isDifferent();
2348 }
2349 
2350 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2351  // Record string length for char a[] = "abc";
2352  ProgramStateRef state = C.getState();
2353 
2354  for (const auto *I : DS->decls()) {
2355  const VarDecl *D = dyn_cast<VarDecl>(I);
2356  if (!D)
2357  continue;
2358 
2359  // FIXME: Handle array fields of structs.
2360  if (!D->getType()->isArrayType())
2361  continue;
2362 
2363  const Expr *Init = D->getInit();
2364  if (!Init)
2365  continue;
2366  if (!isa<StringLiteral>(Init))
2367  continue;
2368 
2369  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2370  const MemRegion *MR = VarLoc.getAsRegion();
2371  if (!MR)
2372  continue;
2373 
2374  SVal StrVal = C.getSVal(Init);
2375  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2376  DefinedOrUnknownSVal strLength =
2377  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2378 
2379  state = state->set<CStringLength>(MR, strLength);
2380  }
2381 
2382  C.addTransition(state);
2383 }
2384 
2386 CStringChecker::checkRegionChanges(ProgramStateRef state,
2387  const InvalidatedSymbols *,
2388  ArrayRef<const MemRegion *> ExplicitRegions,
2390  const LocationContext *LCtx,
2391  const CallEvent *Call) const {
2392  CStringLengthTy Entries = state->get<CStringLength>();
2393  if (Entries.isEmpty())
2394  return state;
2395 
2398 
2399  // First build sets for the changed regions and their super-regions.
2401  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2402  const MemRegion *MR = *I;
2403  Invalidated.insert(MR);
2404 
2405  SuperRegions.insert(MR);
2406  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2407  MR = SR->getSuperRegion();
2408  SuperRegions.insert(MR);
2409  }
2410  }
2411 
2412  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2413 
2414  // Then loop over the entries in the current state.
2415  for (CStringLengthTy::iterator I = Entries.begin(),
2416  E = Entries.end(); I != E; ++I) {
2417  const MemRegion *MR = I.getKey();
2418 
2419  // Is this entry for a super-region of a changed region?
2420  if (SuperRegions.count(MR)) {
2421  Entries = F.remove(Entries, MR);
2422  continue;
2423  }
2424 
2425  // Is this entry for a sub-region of a changed region?
2426  const MemRegion *Super = MR;
2427  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2428  Super = SR->getSuperRegion();
2429  if (Invalidated.count(Super)) {
2430  Entries = F.remove(Entries, MR);
2431  break;
2432  }
2433  }
2434  }
2435 
2436  return state->set<CStringLength>(Entries);
2437 }
2438 
2439 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2440  SymbolReaper &SR) const {
2441  // Mark all symbols in our string length map as valid.
2442  CStringLengthTy Entries = state->get<CStringLength>();
2443 
2444  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2445  I != E; ++I) {
2446  SVal Len = I.getData();
2447 
2448  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2449  se = Len.symbol_end(); si != se; ++si)
2450  SR.markInUse(*si);
2451  }
2452 }
2453 
2454 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2455  CheckerContext &C) const {
2456  ProgramStateRef state = C.getState();
2457  CStringLengthTy Entries = state->get<CStringLength>();
2458  if (Entries.isEmpty())
2459  return;
2460 
2461  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2462  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2463  I != E; ++I) {
2464  SVal Len = I.getData();
2465  if (SymbolRef Sym = Len.getAsSymbol()) {
2466  if (SR.isDead(Sym))
2467  Entries = F.remove(Entries, I.getKey());
2468  }
2469  }
2470 
2471  state = state->set<CStringLength>(Entries);
2472  C.addTransition(state);
2473 }
2474 
2475 void ento::registerCStringModeling(CheckerManager &Mgr) {
2476  Mgr.registerChecker<CStringChecker>();
2477 }
2478 
2479 bool ento::shouldRegisterCStringModeling(const CheckerManager &mgr) {
2480  return true;
2481 }
2482 
2483 #define REGISTER_CHECKER(name) \
2484  void ento::register##name(CheckerManager &mgr) { \
2485  CStringChecker *checker = mgr.getChecker<CStringChecker>(); \
2486  checker->Filter.Check##name = true; \
2487  checker->Filter.CheckName##name = mgr.getCurrentCheckerName(); \
2488  } \
2489  \
2490  bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
2491 
2492 REGISTER_CHECKER(CStringNullArg)
2493 REGISTER_CHECKER(CStringOutOfBounds)
2494 REGISTER_CHECKER(CStringBufferOverlap)
2495 REGISTER_CHECKER(CStringNotNullTerm)
2496 REGISTER_CHECKER(CStringUninitializedRead)
DynamicExtent.h
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
CallDescription.h
clang::threadSafety::AccessKind
AccessKind
This enum distinguishes between different ways to access (read or write) a variable.
Definition: ThreadSafety.h:69
clang::ento::RegionAndSymbolInvalidationTraits::TK_SuppressEscape
@ TK_SuppressEscape
Suppress pointer-escaping of a region.
Definition: MemRegion.h:1575
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:324
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:731
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:55
clang::tooling::Filter
llvm::cl::opt< std::string > Filter
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition: SymExpr.h:111
llvm::Optional
Definition: LLVM.h:40
clang::ComparisonCategoryType::First
@ First
llvm::SmallPtrSet
Definition: ASTContext.h:82
Expression
clang::index::SymbolRole::Call
@ Call
REGISTER_CHECKER
#define REGISTER_CHECKER(name)
Definition: CStringChecker.cpp:2483
clang::StringLiteral::getByteLength
unsigned getByteLength() const
Definition: Expr.h:1878
InterCheckerAPI.h
CallEvent.h
Offset
unsigned Offset
Definition: Format.cpp:2574
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:87
APSInt
llvm::APSInt APSInt
Definition: ByteCodeEmitter.cpp:19
V
#define V(N, I)
Definition: ASTContext.h:3176
clang::ast_matchers::expr
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
Definition: ASTMatchersInternal.cpp:890
BuiltinCheckerRegistration.h
CheckerManager.h
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:208
clang::ASTContext::getSizeType
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
Definition: ASTContext.cpp:5850
clang::CallExpr::getArg
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2992
llvm::SmallString< 128 >
clang::interp::Zero
bool Zero(InterpState &S, CodePtr OpPC)
Definition: Interp.h:814
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:874
clang::StringLiteral
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1767
Label
std::string Label
Definition: UsingDeclarationsSorter.cpp:69
clang::ento::MemRegion::Kind
Kind
Definition: MemRegion.h:97
state
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial state
Definition: README.txt:30
clang::QualType::getUnqualifiedType
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:6639
clang::toUppercase
LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:217
clang::ASTContext::UnsignedCharTy
CanQualType UnsignedCharTy
Definition: ASTContext.h:1106
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
CharInfo.h
clang::Type::isPointerType
bool isPointerType() const
Definition: Type.h:6807
clang::syntax::NodeRole::Size
@ Size
BugType.h
clang::ASTContext::IntTy
CanQualType IntTy
Definition: ASTContext.h:1105
clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:796
llvm::ArrayRef
Definition: LLVM.h:34
clang::ento::CDF_MaybeBuiltin
@ CDF_MaybeBuiltin
Describes a C standard function that is sometimes implemented as a macro that expands to a compiler b...
Definition: CallDescription.h:38
clang::syntax::NodeRole::Message
@ Message
clang::ASTContext::CharTy
CanQualType CharTy
Definition: ASTContext.h:1098
State
LineState State
Definition: UnwrappedLineFormatter.cpp:1126
clang::BinaryOperatorKind
BinaryOperatorKind
Definition: OperationKinds.h:25
clang::VarDecl::getInit
const Expr * getInit() const
Definition: Decl.h:1283
CheckerContext.h
clang::DeclStmt
DeclStmt - Adaptor class for mixing declarations with statements and expressions.
Definition: Stmt.h:1299
clang::ento::getDynamicExtent
DefinedOrUnknownSVal getDynamicExtent(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB)
Checker.h
clang::ento::RegionAndSymbolInvalidationTraits::TK_PreserveContents
@ TK_PreserveContents
Tells that a region's contents is not changed.
Definition: MemRegion.h:1572
clang
Definition: CalledOnceCheck.h:17
clang::Type::isArrayType
bool isArrayType() const
Definition: Type.h:6873
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:70
clang::ento::RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion
@ TK_DoNotInvalidateSuperRegion
Definition: MemRegion.h:1578
clang::Expr::getType
QualType getType() const
Definition: Expr.h:141
clang::DeclStmt::decls
decl_range decls()
Definition: Stmt.h:1347
clang::ASTContext::getPointerType
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
Definition: ASTContext.cpp:3285
clang::CallExpr::arguments
arg_range arguments()
Definition: Expr.h:3040
clang::ValueDecl::getType
QualType getType() const
Definition: Decl.h:685
ProgramStateTrait.h
clang::Expr
This represents one expression.
Definition: Expr.h:109
clang::ento::InvalidatedSymbols
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
clang::ento::categories::UnixAPI
const char *const UnixAPI
Definition: CommonBugCategories.cpp:21
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1872
clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2801
clang::StringLiteral::getString
StringRef getString() const
Definition: Expr.h:1850
clang::Type::isIntegralOrEnumerationType
bool isIntegralOrEnumerationType() const
Determine whether this type is an integral or enumeration type.
Definition: Type.h:7199
clang::ento::ObjKind::OS
@ OS
Indicates that the tracking object is a descendant of a referenced-counted OSObject,...