clang  14.0.0git
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This defines CStringChecker, which is an assortment of checks on calls
10 // to functions in <string.h>.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "InterCheckerAPI.h"
15 #include "clang/Basic/CharInfo.h"
24 #include "llvm/ADT/STLExtras.h"
25 #include "llvm/ADT/SmallString.h"
26 #include "llvm/ADT/StringExtras.h"
27 #include "llvm/Support/raw_ostream.h"
28 
29 using namespace clang;
30 using namespace ento;
31 
32 namespace {
33 struct AnyArgExpr {
34  // FIXME: Remove constructor in C++17 to turn it into an aggregate.
35  AnyArgExpr(const Expr *Expression, unsigned ArgumentIndex)
36  : Expression{Expression}, ArgumentIndex{ArgumentIndex} {}
37  const Expr *Expression;
38  unsigned ArgumentIndex;
39 };
40 
41 struct SourceArgExpr : AnyArgExpr {
42  using AnyArgExpr::AnyArgExpr; // FIXME: Remove using in C++17.
43 };
44 
45 struct DestinationArgExpr : AnyArgExpr {
46  using AnyArgExpr::AnyArgExpr; // FIXME: Same.
47 };
48 
49 struct SizeArgExpr : AnyArgExpr {
50  using AnyArgExpr::AnyArgExpr; // FIXME: Same.
51 };
52 
53 using ErrorMessage = SmallString<128>;
54 enum class AccessKind { write, read };
55 
56 static ErrorMessage createOutOfBoundErrorMsg(StringRef FunctionDescription,
57  AccessKind Access) {
58  ErrorMessage Message;
59  llvm::raw_svector_ostream Os(Message);
60 
61  // Function classification like: Memory copy function
62  Os << toUppercase(FunctionDescription.front())
63  << &FunctionDescription.data()[1];
64 
65  if (Access == AccessKind::write) {
66  Os << " overflows the destination buffer";
67  } else { // read access
68  Os << " accesses out-of-bound array element";
69  }
70 
71  return Message;
72 }
73 
74 enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 };
75 class CStringChecker : public Checker< eval::Call,
76  check::PreStmt<DeclStmt>,
77  check::LiveSymbols,
78  check::DeadSymbols,
79  check::RegionChanges
80  > {
81  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
82  BT_NotCString, BT_AdditionOverflow;
83 
84  mutable const char *CurrentFunctionDescription;
85 
86 public:
87  /// The filter is used to filter out the diagnostics which are not enabled by
88  /// the user.
89  struct CStringChecksFilter {
90  DefaultBool CheckCStringNullArg;
91  DefaultBool CheckCStringOutOfBounds;
92  DefaultBool CheckCStringBufferOverlap;
93  DefaultBool CheckCStringNotNullTerm;
94 
95  CheckerNameRef CheckNameCStringNullArg;
96  CheckerNameRef CheckNameCStringOutOfBounds;
97  CheckerNameRef CheckNameCStringBufferOverlap;
98  CheckerNameRef CheckNameCStringNotNullTerm;
99  };
100 
101  CStringChecksFilter Filter;
102 
103  static void *getTag() { static int tag; return &tag; }
104 
105  bool evalCall(const CallEvent &Call, CheckerContext &C) const;
106  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
107  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
108  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
109 
111  checkRegionChanges(ProgramStateRef state,
112  const InvalidatedSymbols *,
113  ArrayRef<const MemRegion *> ExplicitRegions,
115  const LocationContext *LCtx,
116  const CallEvent *Call) const;
117 
118  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
119  const CallExpr *) const;
120  CallDescriptionMap<FnCheck> Callbacks = {
121  {{CDF_MaybeBuiltin, "memcpy", 3}, &CStringChecker::evalMemcpy},
122  {{CDF_MaybeBuiltin, "mempcpy", 3}, &CStringChecker::evalMempcpy},
123  {{CDF_MaybeBuiltin, "memcmp", 3}, &CStringChecker::evalMemcmp},
124  {{CDF_MaybeBuiltin, "memmove", 3}, &CStringChecker::evalMemmove},
125  {{CDF_MaybeBuiltin, "memset", 3}, &CStringChecker::evalMemset},
126  {{CDF_MaybeBuiltin, "explicit_memset", 3}, &CStringChecker::evalMemset},
127  {{CDF_MaybeBuiltin, "strcpy", 2}, &CStringChecker::evalStrcpy},
128  {{CDF_MaybeBuiltin, "strncpy", 3}, &CStringChecker::evalStrncpy},
129  {{CDF_MaybeBuiltin, "stpcpy", 2}, &CStringChecker::evalStpcpy},
130  {{CDF_MaybeBuiltin, "strlcpy", 3}, &CStringChecker::evalStrlcpy},
131  {{CDF_MaybeBuiltin, "strcat", 2}, &CStringChecker::evalStrcat},
132  {{CDF_MaybeBuiltin, "strncat", 3}, &CStringChecker::evalStrncat},
133  {{CDF_MaybeBuiltin, "strlcat", 3}, &CStringChecker::evalStrlcat},
134  {{CDF_MaybeBuiltin, "strlen", 1}, &CStringChecker::evalstrLength},
135  {{CDF_MaybeBuiltin, "strnlen", 2}, &CStringChecker::evalstrnLength},
136  {{CDF_MaybeBuiltin, "strcmp", 2}, &CStringChecker::evalStrcmp},
137  {{CDF_MaybeBuiltin, "strncmp", 3}, &CStringChecker::evalStrncmp},
138  {{CDF_MaybeBuiltin, "strcasecmp", 2}, &CStringChecker::evalStrcasecmp},
139  {{CDF_MaybeBuiltin, "strncasecmp", 3}, &CStringChecker::evalStrncasecmp},
140  {{CDF_MaybeBuiltin, "strsep", 2}, &CStringChecker::evalStrsep},
141  {{CDF_MaybeBuiltin, "bcopy", 3}, &CStringChecker::evalBcopy},
142  {{CDF_MaybeBuiltin, "bcmp", 3}, &CStringChecker::evalMemcmp},
143  {{CDF_MaybeBuiltin, "bzero", 2}, &CStringChecker::evalBzero},
144  {{CDF_MaybeBuiltin, "explicit_bzero", 2}, &CStringChecker::evalBzero},
145  };
146 
147  // These require a bit of special handling.
148  CallDescription StdCopy{{"std", "copy"}, 3},
149  StdCopyBackward{{"std", "copy_backward"}, 3};
150 
151  FnCheck identifyCall(const CallEvent &Call, CheckerContext &C) const;
152  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
153  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
154  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
155  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
156  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
157  ProgramStateRef state, SizeArgExpr Size,
158  DestinationArgExpr Dest, SourceArgExpr Source,
159  bool Restricted, bool IsMempcpy) const;
160 
161  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
162 
163  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
164  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
165  void evalstrLengthCommon(CheckerContext &C,
166  const CallExpr *CE,
167  bool IsStrnlen = false) const;
168 
169  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
170  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
171  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
172  void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const;
173  void evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, bool ReturnEnd,
174  bool IsBounded, ConcatFnKind appendK,
175  bool returnPtr = true) const;
176 
177  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
178  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
179  void evalStrlcat(CheckerContext &C, const CallExpr *CE) const;
180 
181  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
182  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
183  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
184  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
185  void evalStrcmpCommon(CheckerContext &C,
186  const CallExpr *CE,
187  bool IsBounded = false,
188  bool IgnoreCase = false) const;
189 
190  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
191 
192  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
193  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
194  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
195  void evalMemset(CheckerContext &C, const CallExpr *CE) const;
196  void evalBzero(CheckerContext &C, const CallExpr *CE) const;
197 
198  // Utility methods
199  std::pair<ProgramStateRef , ProgramStateRef >
200  static assumeZero(CheckerContext &C,
201  ProgramStateRef state, SVal V, QualType Ty);
202 
203  static ProgramStateRef setCStringLength(ProgramStateRef state,
204  const MemRegion *MR,
205  SVal strLength);
206  static SVal getCStringLengthForRegion(CheckerContext &C,
208  const Expr *Ex,
209  const MemRegion *MR,
210  bool hypothetical);
211  SVal getCStringLength(CheckerContext &C,
213  const Expr *Ex,
214  SVal Buf,
215  bool hypothetical = false) const;
216 
217  const StringLiteral *getCStringLiteral(CheckerContext &C,
219  const Expr *expr,
220  SVal val) const;
221 
222  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
224  const Expr *Ex, SVal V,
225  bool IsSourceBuffer,
226  const Expr *Size);
227 
228  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
229  const MemRegion *MR);
230 
231  static bool memsetAux(const Expr *DstBuffer, SVal CharE,
232  const Expr *Size, CheckerContext &C,
234 
235  // Re-usable checks
236  ProgramStateRef checkNonNull(CheckerContext &C, ProgramStateRef State,
237  AnyArgExpr Arg, SVal l) const;
238  ProgramStateRef CheckLocation(CheckerContext &C, ProgramStateRef state,
239  AnyArgExpr Buffer, SVal Element,
240  AccessKind Access) const;
241  ProgramStateRef CheckBufferAccess(CheckerContext &C, ProgramStateRef State,
242  AnyArgExpr Buffer, SizeArgExpr Size,
243  AccessKind Access) const;
244  ProgramStateRef CheckOverlap(CheckerContext &C, ProgramStateRef state,
245  SizeArgExpr Size, AnyArgExpr First,
246  AnyArgExpr Second) const;
247  void emitOverlapBug(CheckerContext &C,
249  const Stmt *First,
250  const Stmt *Second) const;
251 
252  void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
253  StringRef WarningMsg) const;
254  void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
255  const Stmt *S, StringRef WarningMsg) const;
256  void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
257  const Stmt *S, StringRef WarningMsg) const;
258  void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
259 
260  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
262  NonLoc left,
263  NonLoc right) const;
264 
265  // Return true if the destination buffer of the copy function may be in bound.
266  // Expects SVal of Size to be positive and unsigned.
267  // Expects SVal of FirstBuf to be a FieldRegion.
268  static bool IsFirstBufInBound(CheckerContext &C,
270  const Expr *FirstBuf,
271  const Expr *Size);
272 };
273 
274 } //end anonymous namespace
275 
276 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
277 
278 //===----------------------------------------------------------------------===//
279 // Individual checks and utility methods.
280 //===----------------------------------------------------------------------===//
281 
282 std::pair<ProgramStateRef , ProgramStateRef >
283 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
284  QualType Ty) {
285  Optional<DefinedSVal> val = V.getAs<DefinedSVal>();
286  if (!val)
287  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
288 
289  SValBuilder &svalBuilder = C.getSValBuilder();
290  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
291  return state->assume(svalBuilder.evalEQ(state, *val, zero));
292 }
293 
294 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
296  AnyArgExpr Arg, SVal l) const {
297  // If a previous check has failed, propagate the failure.
298  if (!State)
299  return nullptr;
300 
301  ProgramStateRef stateNull, stateNonNull;
302  std::tie(stateNull, stateNonNull) =
303  assumeZero(C, State, l, Arg.Expression->getType());
304 
305  if (stateNull && !stateNonNull) {
306  if (Filter.CheckCStringNullArg) {
307  SmallString<80> buf;
308  llvm::raw_svector_ostream OS(buf);
309  assert(CurrentFunctionDescription);
310  OS << "Null pointer passed as " << (Arg.ArgumentIndex + 1)
311  << llvm::getOrdinalSuffix(Arg.ArgumentIndex + 1) << " argument to "
312  << CurrentFunctionDescription;
313 
314  emitNullArgBug(C, stateNull, Arg.Expression, OS.str());
315  }
316  return nullptr;
317  }
318 
319  // From here on, assume that the value is non-null.
320  assert(stateNonNull);
321  return stateNonNull;
322 }
323 
324 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
325 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
327  AnyArgExpr Buffer, SVal Element,
328  AccessKind Access) const {
329 
330  // If a previous check has failed, propagate the failure.
331  if (!state)
332  return nullptr;
333 
334  // Check for out of bound array element access.
335  const MemRegion *R = Element.getAsRegion();
336  if (!R)
337  return state;
338 
339  const auto *ER = dyn_cast<ElementRegion>(R);
340  if (!ER)
341  return state;
342 
343  if (ER->getValueType() != C.getASTContext().CharTy)
344  return state;
345 
346  // Get the size of the array.
347  const auto *superReg = cast<SubRegion>(ER->getSuperRegion());
348  DefinedOrUnknownSVal Size =
349  getDynamicExtent(state, superReg, C.getSValBuilder());
350 
351  // Get the index of the accessed element.
352  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
353 
354  ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
355  ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
356  if (StOutBound && !StInBound) {
357  // These checks are either enabled by the CString out-of-bounds checker
358  // explicitly or implicitly by the Malloc checker.
359  // In the latter case we only do modeling but do not emit warning.
360  if (!Filter.CheckCStringOutOfBounds)
361  return nullptr;
362 
363  // Emit a bug report.
364  ErrorMessage Message =
365  createOutOfBoundErrorMsg(CurrentFunctionDescription, Access);
366  emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message);
367  return nullptr;
368  }
369 
370  // Array bound check succeeded. From this point forward the array bound
371  // should always succeed.
372  return StInBound;
373 }
374 
375 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
377  AnyArgExpr Buffer,
378  SizeArgExpr Size,
379  AccessKind Access) const {
380  // If a previous check has failed, propagate the failure.
381  if (!State)
382  return nullptr;
383 
384  SValBuilder &svalBuilder = C.getSValBuilder();
385  ASTContext &Ctx = svalBuilder.getContext();
386 
387  QualType SizeTy = Size.Expression->getType();
388  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
389 
390  // Check that the first buffer is non-null.
391  SVal BufVal = C.getSVal(Buffer.Expression);
392  State = checkNonNull(C, State, Buffer, BufVal);
393  if (!State)
394  return nullptr;
395 
396  // If out-of-bounds checking is turned off, skip the rest.
397  if (!Filter.CheckCStringOutOfBounds)
398  return State;
399 
400  // Get the access length and make sure it is known.
401  // FIXME: This assumes the caller has already checked that the access length
402  // is positive. And that it's unsigned.
403  SVal LengthVal = C.getSVal(Size.Expression);
404  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
405  if (!Length)
406  return State;
407 
408  // Compute the offset of the last element to be accessed: size-1.
409  NonLoc One = svalBuilder.makeIntVal(1, SizeTy).castAs<NonLoc>();
410  SVal Offset = svalBuilder.evalBinOpNN(State, BO_Sub, *Length, One, SizeTy);
411  if (Offset.isUnknown())
412  return nullptr;
413  NonLoc LastOffset = Offset.castAs<NonLoc>();
414 
415  // Check that the first buffer is sufficiently long.
416  SVal BufStart =
417  svalBuilder.evalCast(BufVal, PtrTy, Buffer.Expression->getType());
418  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
419 
420  SVal BufEnd =
421  svalBuilder.evalBinOpLN(State, BO_Add, *BufLoc, LastOffset, PtrTy);
422 
423  State = CheckLocation(C, State, Buffer, BufEnd, Access);
424 
425  // If the buffer isn't large enough, abort.
426  if (!State)
427  return nullptr;
428  }
429 
430  // Large enough or not, return this state!
431  return State;
432 }
433 
434 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
436  SizeArgExpr Size, AnyArgExpr First,
437  AnyArgExpr Second) const {
438  if (!Filter.CheckCStringBufferOverlap)
439  return state;
440 
441  // Do a simple check for overlap: if the two arguments are from the same
442  // buffer, see if the end of the first is greater than the start of the second
443  // or vice versa.
444 
445  // If a previous check has failed, propagate the failure.
446  if (!state)
447  return nullptr;
448 
449  ProgramStateRef stateTrue, stateFalse;
450 
451  // Get the buffer values and make sure they're known locations.
452  const LocationContext *LCtx = C.getLocationContext();
453  SVal firstVal = state->getSVal(First.Expression, LCtx);
454  SVal secondVal = state->getSVal(Second.Expression, LCtx);
455 
456  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
457  if (!firstLoc)
458  return state;
459 
460  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
461  if (!secondLoc)
462  return state;
463 
464  // Are the two values the same?
465  SValBuilder &svalBuilder = C.getSValBuilder();
466  std::tie(stateTrue, stateFalse) =
467  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
468 
469  if (stateTrue && !stateFalse) {
470  // If the values are known to be equal, that's automatically an overlap.
471  emitOverlapBug(C, stateTrue, First.Expression, Second.Expression);
472  return nullptr;
473  }
474 
475  // assume the two expressions are not equal.
476  assert(stateFalse);
477  state = stateFalse;
478 
479  // Which value comes first?
480  QualType cmpTy = svalBuilder.getConditionType();
481  SVal reverse =
482  svalBuilder.evalBinOpLL(state, BO_GT, *firstLoc, *secondLoc, cmpTy);
483  Optional<DefinedOrUnknownSVal> reverseTest =
484  reverse.getAs<DefinedOrUnknownSVal>();
485  if (!reverseTest)
486  return state;
487 
488  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
489  if (stateTrue) {
490  if (stateFalse) {
491  // If we don't know which one comes first, we can't perform this test.
492  return state;
493  } else {
494  // Switch the values so that firstVal is before secondVal.
495  std::swap(firstLoc, secondLoc);
496 
497  // Switch the Exprs as well, so that they still correspond.
498  std::swap(First, Second);
499  }
500  }
501 
502  // Get the length, and make sure it too is known.
503  SVal LengthVal = state->getSVal(Size.Expression, LCtx);
504  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
505  if (!Length)
506  return state;
507 
508  // Convert the first buffer's start address to char*.
509  // Bail out if the cast fails.
510  ASTContext &Ctx = svalBuilder.getContext();
511  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
512  SVal FirstStart =
513  svalBuilder.evalCast(*firstLoc, CharPtrTy, First.Expression->getType());
514  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
515  if (!FirstStartLoc)
516  return state;
517 
518  // Compute the end of the first buffer. Bail out if THAT fails.
519  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, *FirstStartLoc,
520  *Length, CharPtrTy);
521  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
522  if (!FirstEndLoc)
523  return state;
524 
525  // Is the end of the first buffer past the start of the second buffer?
526  SVal Overlap =
527  svalBuilder.evalBinOpLL(state, BO_GT, *FirstEndLoc, *secondLoc, cmpTy);
528  Optional<DefinedOrUnknownSVal> OverlapTest =
529  Overlap.getAs<DefinedOrUnknownSVal>();
530  if (!OverlapTest)
531  return state;
532 
533  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
534 
535  if (stateTrue && !stateFalse) {
536  // Overlap!
537  emitOverlapBug(C, stateTrue, First.Expression, Second.Expression);
538  return nullptr;
539  }
540 
541  // assume the two expressions don't overlap.
542  assert(stateFalse);
543  return stateFalse;
544 }
545 
546 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
547  const Stmt *First, const Stmt *Second) const {
548  ExplodedNode *N = C.generateErrorNode(state);
549  if (!N)
550  return;
551 
552  if (!BT_Overlap)
553  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
554  categories::UnixAPI, "Improper arguments"));
555 
556  // Generate a report for this bug.
557  auto report = std::make_unique<PathSensitiveBugReport>(
558  *BT_Overlap, "Arguments must not be overlapping buffers", N);
559  report->addRange(First->getSourceRange());
560  report->addRange(Second->getSourceRange());
561 
562  C.emitReport(std::move(report));
563 }
564 
565 void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State,
566  const Stmt *S, StringRef WarningMsg) const {
567  if (ExplodedNode *N = C.generateErrorNode(State)) {
568  if (!BT_Null)
569  BT_Null.reset(new BuiltinBug(
570  Filter.CheckNameCStringNullArg, categories::UnixAPI,
571  "Null pointer argument in call to byte string function"));
572 
573  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Null.get());
574  auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N);
575  Report->addRange(S->getSourceRange());
576  if (const auto *Ex = dyn_cast<Expr>(S))
577  bugreporter::trackExpressionValue(N, Ex, *Report);
578  C.emitReport(std::move(Report));
579  }
580 }
581 
582 void CStringChecker::emitOutOfBoundsBug(CheckerContext &C,
583  ProgramStateRef State, const Stmt *S,
584  StringRef WarningMsg) const {
585  if (ExplodedNode *N = C.generateErrorNode(State)) {
586  if (!BT_Bounds)
587  BT_Bounds.reset(new BuiltinBug(
588  Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds
589  : Filter.CheckNameCStringNullArg,
590  "Out-of-bound array access",
591  "Byte string function accesses out-of-bound array element"));
592 
593  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Bounds.get());
594 
595  // FIXME: It would be nice to eventually make this diagnostic more clear,
596  // e.g., by referencing the original declaration or by saying *why* this
597  // reference is outside the range.
598  auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N);
599  Report->addRange(S->getSourceRange());
600  C.emitReport(std::move(Report));
601  }
602 }
603 
604 void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
605  const Stmt *S,
606  StringRef WarningMsg) const {
607  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
608  if (!BT_NotCString)
609  BT_NotCString.reset(new BuiltinBug(
610  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
611  "Argument is not a null-terminated string."));
612 
613  auto Report =
614  std::make_unique<PathSensitiveBugReport>(*BT_NotCString, WarningMsg, N);
615 
616  Report->addRange(S->getSourceRange());
617  C.emitReport(std::move(Report));
618  }
619 }
620 
621 void CStringChecker::emitAdditionOverflowBug(CheckerContext &C,
622  ProgramStateRef State) const {
623  if (ExplodedNode *N = C.generateErrorNode(State)) {
624  if (!BT_NotCString)
625  BT_NotCString.reset(
626  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
627  "Sum of expressions causes overflow."));
628 
629  // This isn't a great error message, but this should never occur in real
630  // code anyway -- you'd have to create a buffer longer than a size_t can
631  // represent, which is sort of a contradiction.
632  const char *WarningMsg =
633  "This expression will create a string whose length is too big to "
634  "be represented as a size_t";
635 
636  auto Report =
637  std::make_unique<PathSensitiveBugReport>(*BT_NotCString, WarningMsg, N);
638  C.emitReport(std::move(Report));
639  }
640 }
641 
642 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
644  NonLoc left,
645  NonLoc right) const {
646  // If out-of-bounds checking is turned off, skip the rest.
647  if (!Filter.CheckCStringOutOfBounds)
648  return state;
649 
650  // If a previous check has failed, propagate the failure.
651  if (!state)
652  return nullptr;
653 
654  SValBuilder &svalBuilder = C.getSValBuilder();
655  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
656 
657  QualType sizeTy = svalBuilder.getContext().getSizeType();
658  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
659  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
660 
661  SVal maxMinusRight;
662  if (right.getAs<nonloc::ConcreteInt>()) {
663  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
664  sizeTy);
665  } else {
666  // Try switching the operands. (The order of these two assignments is
667  // important!)
668  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
669  sizeTy);
670  left = right;
671  }
672 
673  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
674  QualType cmpTy = svalBuilder.getConditionType();
675  // If left > max - right, we have an overflow.
676  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
677  *maxMinusRightNL, cmpTy);
678 
679  ProgramStateRef stateOverflow, stateOkay;
680  std::tie(stateOverflow, stateOkay) =
681  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
682 
683  if (stateOverflow && !stateOkay) {
684  // We have an overflow. Emit a bug report.
685  emitAdditionOverflowBug(C, stateOverflow);
686  return nullptr;
687  }
688 
689  // From now on, assume an overflow didn't occur.
690  assert(stateOkay);
691  state = stateOkay;
692  }
693 
694  return state;
695 }
696 
697 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
698  const MemRegion *MR,
699  SVal strLength) {
700  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
701 
702  MR = MR->StripCasts();
703 
704  switch (MR->getKind()) {
705  case MemRegion::StringRegionKind:
706  // FIXME: This can happen if we strcpy() into a string region. This is
707  // undefined [C99 6.4.5p6], but we should still warn about it.
708  return state;
709 
710  case MemRegion::SymbolicRegionKind:
711  case MemRegion::AllocaRegionKind:
712  case MemRegion::NonParamVarRegionKind:
713  case MemRegion::ParamVarRegionKind:
714  case MemRegion::FieldRegionKind:
715  case MemRegion::ObjCIvarRegionKind:
716  // These are the types we can currently track string lengths for.
717  break;
718 
719  case MemRegion::ElementRegionKind:
720  // FIXME: Handle element regions by upper-bounding the parent region's
721  // string length.
722  return state;
723 
724  default:
725  // Other regions (mostly non-data) can't have a reliable C string length.
726  // For now, just ignore the change.
727  // FIXME: These are rare but not impossible. We should output some kind of
728  // warning for things like strcpy((char[]){'a', 0}, "b");
729  return state;
730  }
731 
732  if (strLength.isUnknown())
733  return state->remove<CStringLength>(MR);
734 
735  return state->set<CStringLength>(MR, strLength);
736 }
737 
738 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
740  const Expr *Ex,
741  const MemRegion *MR,
742  bool hypothetical) {
743  if (!hypothetical) {
744  // If there's a recorded length, go ahead and return it.
745  const SVal *Recorded = state->get<CStringLength>(MR);
746  if (Recorded)
747  return *Recorded;
748  }
749 
750  // Otherwise, get a new symbol and update the state.
751  SValBuilder &svalBuilder = C.getSValBuilder();
752  QualType sizeTy = svalBuilder.getContext().getSizeType();
753  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
754  MR, Ex, sizeTy,
755  C.getLocationContext(),
756  C.blockCount());
757 
758  if (!hypothetical) {
759  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
760  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
761  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
762  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
763  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
764  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
765  fourInt);
766  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
767  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
768  maxLength, sizeTy);
769  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
770  }
771  state = state->set<CStringLength>(MR, strLength);
772  }
773 
774  return strLength;
775 }
776 
777 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
778  const Expr *Ex, SVal Buf,
779  bool hypothetical) const {
780  const MemRegion *MR = Buf.getAsRegion();
781  if (!MR) {
782  // If we can't get a region, see if it's something we /know/ isn't a
783  // C string. In the context of locations, the only time we can issue such
784  // a warning is for labels.
785  if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) {
786  if (Filter.CheckCStringNotNullTerm) {
787  SmallString<120> buf;
788  llvm::raw_svector_ostream os(buf);
789  assert(CurrentFunctionDescription);
790  os << "Argument to " << CurrentFunctionDescription
791  << " is the address of the label '" << Label->getLabel()->getName()
792  << "', which is not a null-terminated string";
793 
794  emitNotCStringBug(C, state, Ex, os.str());
795  }
796  return UndefinedVal();
797  }
798 
799  // If it's not a region and not a label, give up.
800  return UnknownVal();
801  }
802 
803  // If we have a region, strip casts from it and see if we can figure out
804  // its length. For anything we can't figure out, just return UnknownVal.
805  MR = MR->StripCasts();
806 
807  switch (MR->getKind()) {
808  case MemRegion::StringRegionKind: {
809  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
810  // so we can assume that the byte length is the correct C string length.
811  SValBuilder &svalBuilder = C.getSValBuilder();
812  QualType sizeTy = svalBuilder.getContext().getSizeType();
813  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
814  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
815  }
816  case MemRegion::SymbolicRegionKind:
817  case MemRegion::AllocaRegionKind:
818  case MemRegion::NonParamVarRegionKind:
819  case MemRegion::ParamVarRegionKind:
820  case MemRegion::FieldRegionKind:
821  case MemRegion::ObjCIvarRegionKind:
822  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
823  case MemRegion::CompoundLiteralRegionKind:
824  // FIXME: Can we track this? Is it necessary?
825  return UnknownVal();
826  case MemRegion::ElementRegionKind:
827  // FIXME: How can we handle this? It's not good enough to subtract the
828  // offset from the base string length; consider "123\x00567" and &a[5].
829  return UnknownVal();
830  default:
831  // Other regions (mostly non-data) can't have a reliable C string length.
832  // In this case, an error is emitted and UndefinedVal is returned.
833  // The caller should always be prepared to handle this case.
834  if (Filter.CheckCStringNotNullTerm) {
835  SmallString<120> buf;
836  llvm::raw_svector_ostream os(buf);
837 
838  assert(CurrentFunctionDescription);
839  os << "Argument to " << CurrentFunctionDescription << " is ";
840 
841  if (SummarizeRegion(os, C.getASTContext(), MR))
842  os << ", which is not a null-terminated string";
843  else
844  os << "not a null-terminated string";
845 
846  emitNotCStringBug(C, state, Ex, os.str());
847  }
848  return UndefinedVal();
849  }
850 }
851 
852 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
853  ProgramStateRef &state, const Expr *expr, SVal val) const {
854 
855  // Get the memory region pointed to by the val.
856  const MemRegion *bufRegion = val.getAsRegion();
857  if (!bufRegion)
858  return nullptr;
859 
860  // Strip casts off the memory region.
861  bufRegion = bufRegion->StripCasts();
862 
863  // Cast the memory region to a string region.
864  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
865  if (!strRegion)
866  return nullptr;
867 
868  // Return the actual string in the string region.
869  return strRegion->getStringLiteral();
870 }
871 
872 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
874  const Expr *FirstBuf,
875  const Expr *Size) {
876  // If we do not know that the buffer is long enough we return 'true'.
877  // Otherwise the parent region of this field region would also get
878  // invalidated, which would lead to warnings based on an unknown state.
879 
880  // Originally copied from CheckBufferAccess and CheckLocation.
881  SValBuilder &svalBuilder = C.getSValBuilder();
882  ASTContext &Ctx = svalBuilder.getContext();
883  const LocationContext *LCtx = C.getLocationContext();
884 
885  QualType sizeTy = Size->getType();
886  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
887  SVal BufVal = state->getSVal(FirstBuf, LCtx);
888 
889  SVal LengthVal = state->getSVal(Size, LCtx);
890  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
891  if (!Length)
892  return true; // cf top comment.
893 
894  // Compute the offset of the last element to be accessed: size-1.
895  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
896  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
897  if (Offset.isUnknown())
898  return true; // cf top comment
899  NonLoc LastOffset = Offset.castAs<NonLoc>();
900 
901  // Check that the first buffer is sufficiently long.
902  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
903  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
904  if (!BufLoc)
905  return true; // cf top comment.
906 
907  SVal BufEnd =
908  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
909 
910  // Check for out of bound array element access.
911  const MemRegion *R = BufEnd.getAsRegion();
912  if (!R)
913  return true; // cf top comment.
914 
915  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
916  if (!ER)
917  return true; // cf top comment.
918 
919  // FIXME: Does this crash when a non-standard definition
920  // of a library function is encountered?
921  assert(ER->getValueType() == C.getASTContext().CharTy &&
922  "IsFirstBufInBound should only be called with char* ElementRegions");
923 
924  // Get the size of the array.
925  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
926  DefinedOrUnknownSVal SizeDV = getDynamicExtent(state, superReg, svalBuilder);
927 
928  // Get the index of the accessed element.
929  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
930 
931  ProgramStateRef StInBound = state->assumeInBound(Idx, SizeDV, true);
932 
933  return static_cast<bool>(StInBound);
934 }
935 
936 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
938  const Expr *E, SVal V,
939  bool IsSourceBuffer,
940  const Expr *Size) {
941  Optional<Loc> L = V.getAs<Loc>();
942  if (!L)
943  return state;
944 
945  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
946  // some assumptions about the value that CFRefCount can't. Even so, it should
947  // probably be refactored.
948  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
949  const MemRegion *R = MR->getRegion()->StripCasts();
950 
951  // Are we dealing with an ElementRegion? If so, we should be invalidating
952  // the super-region.
953  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
954  R = ER->getSuperRegion();
955  // FIXME: What about layers of ElementRegions?
956  }
957 
958  // Invalidate this region.
959  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
960 
961  bool CausesPointerEscape = false;
962  RegionAndSymbolInvalidationTraits ITraits;
963  // Invalidate and escape only indirect regions accessible through the source
964  // buffer.
965  if (IsSourceBuffer) {
966  ITraits.setTrait(R->getBaseRegion(),
969  CausesPointerEscape = true;
970  } else {
971  const MemRegion::Kind& K = R->getKind();
972  if (K == MemRegion::FieldRegionKind)
973  if (Size && IsFirstBufInBound(C, state, E, Size)) {
974  // If destination buffer is a field region and access is in bound,
975  // do not invalidate its super region.
976  ITraits.setTrait(
977  R,
979  }
980  }
981 
982  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
983  CausesPointerEscape, nullptr, nullptr,
984  &ITraits);
985  }
986 
987  // If we have a non-region value by chance, just remove the binding.
988  // FIXME: is this necessary or correct? This handles the non-Region
989  // cases. Is it ever valid to store to these?
990  return state->killBinding(*L);
991 }
992 
993 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
994  const MemRegion *MR) {
995  switch (MR->getKind()) {
996  case MemRegion::FunctionCodeRegionKind: {
997  if (const auto *FD = cast<FunctionCodeRegion>(MR)->getDecl())
998  os << "the address of the function '" << *FD << '\'';
999  else
1000  os << "the address of a function";
1001  return true;
1002  }
1003  case MemRegion::BlockCodeRegionKind:
1004  os << "block text";
1005  return true;
1006  case MemRegion::BlockDataRegionKind:
1007  os << "a block";
1008  return true;
1009  case MemRegion::CXXThisRegionKind:
1010  case MemRegion::CXXTempObjectRegionKind:
1011  os << "a C++ temp object of type "
1012  << cast<TypedValueRegion>(MR)->getValueType().getAsString();
1013  return true;
1014  case MemRegion::NonParamVarRegionKind:
1015  os << "a variable of type"
1016  << cast<TypedValueRegion>(MR)->getValueType().getAsString();
1017  return true;
1018  case MemRegion::ParamVarRegionKind:
1019  os << "a parameter of type"
1020  << cast<TypedValueRegion>(MR)->getValueType().getAsString();
1021  return true;
1022  case MemRegion::FieldRegionKind:
1023  os << "a field of type "
1024  << cast<TypedValueRegion>(MR)->getValueType().getAsString();
1025  return true;
1026  case MemRegion::ObjCIvarRegionKind:
1027  os << "an instance variable of type "
1028  << cast<TypedValueRegion>(MR)->getValueType().getAsString();
1029  return true;
1030  default:
1031  return false;
1032  }
1033 }
1034 
1035 bool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal,
1036  const Expr *Size, CheckerContext &C,
1038  SVal MemVal = C.getSVal(DstBuffer);
1039  SVal SizeVal = C.getSVal(Size);
1040  const MemRegion *MR = MemVal.getAsRegion();
1041  if (!MR)
1042  return false;
1043 
1044  // We're about to model memset by producing a "default binding" in the Store.
1045  // Our current implementation - RegionStore - doesn't support default bindings
1046  // that don't cover the whole base region. So we should first get the offset
1047  // and the base region to figure out whether the offset of buffer is 0.
1048  RegionOffset Offset = MR->getAsOffset();
1049  const MemRegion *BR = Offset.getRegion();
1050 
1051  Optional<NonLoc> SizeNL = SizeVal.getAs<NonLoc>();
1052  if (!SizeNL)
1053  return false;
1054 
1055  SValBuilder &svalBuilder = C.getSValBuilder();
1056  ASTContext &Ctx = C.getASTContext();
1057 
1058  // void *memset(void *dest, int ch, size_t count);
1059  // For now we can only handle the case of offset is 0 and concrete char value.
1060  if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
1061  Offset.getOffset() == 0) {
1062  // Get the base region's size.
1063  DefinedOrUnknownSVal SizeDV = getDynamicExtent(State, BR, svalBuilder);
1064 
1065  ProgramStateRef StateWholeReg, StateNotWholeReg;
1066  std::tie(StateWholeReg, StateNotWholeReg) =
1067  State->assume(svalBuilder.evalEQ(State, SizeDV, *SizeNL));
1068 
1069  // With the semantic of 'memset()', we should convert the CharVal to
1070  // unsigned char.
1071  CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);
1072 
1073  ProgramStateRef StateNullChar, StateNonNullChar;
1074  std::tie(StateNullChar, StateNonNullChar) =
1075  assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
1076 
1077  if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
1078  !StateNonNullChar) {
1079  // If the 'memset()' acts on the whole region of destination buffer and
1080  // the value of the second argument of 'memset()' is zero, bind the second
1081  // argument's value to the destination buffer with 'default binding'.
1082  // FIXME: Since there is no perfect way to bind the non-zero character, we
1083  // can only deal with zero value here. In the future, we need to deal with
1084  // the binding of non-zero value in the case of whole region.
1085  State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
1086  C.getLocationContext());
1087  } else {
1088  // If the destination buffer's extent is not equal to the value of
1089  // third argument, just invalidate buffer.
1090  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1091  /*IsSourceBuffer*/ false, Size);
1092  }
1093 
1094  if (StateNullChar && !StateNonNullChar) {
1095  // If the value of the second argument of 'memset()' is zero, set the
1096  // string length of destination buffer to 0 directly.
1097  State = setCStringLength(State, MR,
1098  svalBuilder.makeZeroVal(Ctx.getSizeType()));
1099  } else if (!StateNullChar && StateNonNullChar) {
1100  SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
1101  CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
1102  C.getLocationContext(), C.blockCount());
1103 
1104  // If the value of second argument is not zero, then the string length
1105  // is at least the size argument.
1106  SVal NewStrLenGESize = svalBuilder.evalBinOp(
1107  State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
1108 
1109  State = setCStringLength(
1110  State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
1111  MR, NewStrLen);
1112  }
1113  } else {
1114  // If the offset is not zero and char value is not concrete, we can do
1115  // nothing but invalidate the buffer.
1116  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1117  /*IsSourceBuffer*/ false, Size);
1118  }
1119  return true;
1120 }
1121 
1122 //===----------------------------------------------------------------------===//
1123 // evaluation of individual function calls.
1124 //===----------------------------------------------------------------------===//
1125 
1126 void CStringChecker::evalCopyCommon(CheckerContext &C, const CallExpr *CE,
1127  ProgramStateRef state, SizeArgExpr Size,
1128  DestinationArgExpr Dest,
1129  SourceArgExpr Source, bool Restricted,
1130  bool IsMempcpy) const {
1131  CurrentFunctionDescription = "memory copy function";
1132 
1133  // See if the size argument is zero.
1134  const LocationContext *LCtx = C.getLocationContext();
1135  SVal sizeVal = state->getSVal(Size.Expression, LCtx);
1136  QualType sizeTy = Size.Expression->getType();
1137 
1138  ProgramStateRef stateZeroSize, stateNonZeroSize;
1139  std::tie(stateZeroSize, stateNonZeroSize) =
1140  assumeZero(C, state, sizeVal, sizeTy);
1141 
1142  // Get the value of the Dest.
1143  SVal destVal = state->getSVal(Dest.Expression, LCtx);
1144 
1145  // If the size is zero, there won't be any actual memory access, so
1146  // just bind the return value to the destination buffer and return.
1147  if (stateZeroSize && !stateNonZeroSize) {
1148  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1149  C.addTransition(stateZeroSize);
1150  return;
1151  }
1152 
1153  // If the size can be nonzero, we have to check the other arguments.
1154  if (stateNonZeroSize) {
1155  state = stateNonZeroSize;
1156 
1157  // Ensure the destination is not null. If it is NULL there will be a
1158  // NULL pointer dereference.
1159  state = checkNonNull(C, state, Dest, destVal);
1160  if (!state)
1161  return;
1162 
1163  // Get the value of the Src.
1164  SVal srcVal = state->getSVal(Source.Expression, LCtx);
1165 
1166  // Ensure the source is not null. If it is NULL there will be a
1167  // NULL pointer dereference.
1168  state = checkNonNull(C, state, Source, srcVal);
1169  if (!state)
1170  return;
1171 
1172  // Ensure the accesses are valid and that the buffers do not overlap.
1173  state = CheckBufferAccess(C, state, Dest, Size, AccessKind::write);
1174  state = CheckBufferAccess(C, state, Source, Size, AccessKind::read);
1175 
1176  if (Restricted)
1177  state = CheckOverlap(C, state, Size, Dest, Source);
1178 
1179  if (!state)
1180  return;
1181 
1182  // If this is mempcpy, get the byte after the last byte copied and
1183  // bind the expr.
1184  if (IsMempcpy) {
1185  // Get the byte after the last byte copied.
1186  SValBuilder &SvalBuilder = C.getSValBuilder();
1187  ASTContext &Ctx = SvalBuilder.getContext();
1188  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1189  SVal DestRegCharVal =
1190  SvalBuilder.evalCast(destVal, CharPtrTy, Dest.Expression->getType());
1191  SVal lastElement = C.getSValBuilder().evalBinOp(
1192  state, BO_Add, DestRegCharVal, sizeVal, Dest.Expression->getType());
1193  // If we don't know how much we copied, we can at least
1194  // conjure a return value for later.
1195  if (lastElement.isUnknown())
1196  lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1197  C.blockCount());
1198 
1199  // The byte after the last byte copied is the return value.
1200  state = state->BindExpr(CE, LCtx, lastElement);
1201  } else {
1202  // All other copies return the destination buffer.
1203  // (Well, bcopy() has a void return type, but this won't hurt.)
1204  state = state->BindExpr(CE, LCtx, destVal);
1205  }
1206 
1207  // Invalidate the destination (regular invalidation without pointer-escaping
1208  // the address of the top-level region).
1209  // FIXME: Even if we can't perfectly model the copy, we should see if we
1210  // can use LazyCompoundVals to copy the source values into the destination.
1211  // This would probably remove any existing bindings past the end of the
1212  // copied region, but that's still an improvement over blank invalidation.
1213  state =
1214  InvalidateBuffer(C, state, Dest.Expression, C.getSVal(Dest.Expression),
1215  /*IsSourceBuffer*/ false, Size.Expression);
1216 
1217  // Invalidate the source (const-invalidation without const-pointer-escaping
1218  // the address of the top-level region).
1219  state = InvalidateBuffer(C, state, Source.Expression,
1220  C.getSVal(Source.Expression),
1221  /*IsSourceBuffer*/ true, nullptr);
1222 
1223  C.addTransition(state);
1224  }
1225 }
1226 
1227 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1228  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1229  // The return value is the address of the destination buffer.
1230  DestinationArgExpr Dest = {CE->getArg(0), 0};
1231  SourceArgExpr Src = {CE->getArg(1), 1};
1232  SizeArgExpr Size = {CE->getArg(2), 2};
1233 
1234  ProgramStateRef State = C.getState();
1235 
1236  constexpr bool IsRestricted = true;
1237  constexpr bool IsMempcpy = false;
1238  evalCopyCommon(C, CE, State, Size, Dest, Src, IsRestricted, IsMempcpy);
1239 }
1240 
1241 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1242  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1243  // The return value is a pointer to the byte following the last written byte.
1244  DestinationArgExpr Dest = {CE->getArg(0), 0};
1245  SourceArgExpr Src = {CE->getArg(1), 1};
1246  SizeArgExpr Size = {CE->getArg(2), 2};
1247 
1248  constexpr bool IsRestricted = true;
1249  constexpr bool IsMempcpy = true;
1250  evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
1251 }
1252 
1253 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1254  // void *memmove(void *dst, const void *src, size_t n);
1255  // The return value is the address of the destination buffer.
1256  DestinationArgExpr Dest = {CE->getArg(0), 0};
1257  SourceArgExpr Src = {CE->getArg(1), 1};
1258  SizeArgExpr Size = {CE->getArg(2), 2};
1259 
1260  constexpr bool IsRestricted = false;
1261  constexpr bool IsMempcpy = false;
1262  evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
1263 }
1264 
1265 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1266  // void bcopy(const void *src, void *dst, size_t n);
1267  SourceArgExpr Src(CE->getArg(0), 0);
1268  DestinationArgExpr Dest = {CE->getArg(1), 1};
1269  SizeArgExpr Size = {CE->getArg(2), 2};
1270 
1271  constexpr bool IsRestricted = false;
1272  constexpr bool IsMempcpy = false;
1273  evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
1274 }
1275 
1276 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1277  // int memcmp(const void *s1, const void *s2, size_t n);
1278  CurrentFunctionDescription = "memory comparison function";
1279 
1280  AnyArgExpr Left = {CE->getArg(0), 0};
1281  AnyArgExpr Right = {CE->getArg(1), 1};
1282  SizeArgExpr Size = {CE->getArg(2), 2};
1283 
1284  ProgramStateRef State = C.getState();
1285  SValBuilder &Builder = C.getSValBuilder();
1286  const LocationContext *LCtx = C.getLocationContext();
1287 
1288  // See if the size argument is zero.
1289  SVal sizeVal = State->getSVal(Size.Expression, LCtx);
1290  QualType sizeTy = Size.Expression->getType();
1291 
1292  ProgramStateRef stateZeroSize, stateNonZeroSize;
1293  std::tie(stateZeroSize, stateNonZeroSize) =
1294  assumeZero(C, State, sizeVal, sizeTy);
1295 
1296  // If the size can be zero, the result will be 0 in that case, and we don't
1297  // have to check either of the buffers.
1298  if (stateZeroSize) {
1299  State = stateZeroSize;
1300  State = State->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType()));
1301  C.addTransition(State);
1302  }
1303 
1304  // If the size can be nonzero, we have to check the other arguments.
1305  if (stateNonZeroSize) {
1306  State = stateNonZeroSize;
1307  // If we know the two buffers are the same, we know the result is 0.
1308  // First, get the two buffers' addresses. Another checker will have already
1309  // made sure they're not undefined.
1310  DefinedOrUnknownSVal LV =
1311  State->getSVal(Left.Expression, LCtx).castAs<DefinedOrUnknownSVal>();
1312  DefinedOrUnknownSVal RV =
1313  State->getSVal(Right.Expression, LCtx).castAs<DefinedOrUnknownSVal>();
1314 
1315  // See if they are the same.
1316  ProgramStateRef SameBuffer, NotSameBuffer;
1317  std::tie(SameBuffer, NotSameBuffer) =
1318  State->assume(Builder.evalEQ(State, LV, RV));
1319 
1320  // If the two arguments are the same buffer, we know the result is 0,
1321  // and we only need to check one size.
1322  if (SameBuffer && !NotSameBuffer) {
1323  State = SameBuffer;
1324  State = CheckBufferAccess(C, State, Left, Size, AccessKind::read);
1325  if (State) {
1326  State =
1327  SameBuffer->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType()));
1328  C.addTransition(State);
1329  }
1330  return;
1331  }
1332 
1333  // If the two arguments might be different buffers, we have to check
1334  // the size of both of them.
1335  assert(NotSameBuffer);
1336  State = CheckBufferAccess(C, State, Right, Size, AccessKind::read);
1337  State = CheckBufferAccess(C, State, Left, Size, AccessKind::read);
1338  if (State) {
1339  // The return value is the comparison result, which we don't know.
1340  SVal CmpV = Builder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1341  State = State->BindExpr(CE, LCtx, CmpV);
1342  C.addTransition(State);
1343  }
1344  }
1345 }
1346 
1347 void CStringChecker::evalstrLength(CheckerContext &C,
1348  const CallExpr *CE) const {
1349  // size_t strlen(const char *s);
1350  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1351 }
1352 
1353 void CStringChecker::evalstrnLength(CheckerContext &C,
1354  const CallExpr *CE) const {
1355  // size_t strnlen(const char *s, size_t maxlen);
1356  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1357 }
1358 
1359 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1360  bool IsStrnlen) const {
1361  CurrentFunctionDescription = "string length function";
1362  ProgramStateRef state = C.getState();
1363  const LocationContext *LCtx = C.getLocationContext();
1364 
1365  if (IsStrnlen) {
1366  const Expr *maxlenExpr = CE->getArg(1);
1367  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1368 
1369  ProgramStateRef stateZeroSize, stateNonZeroSize;
1370  std::tie(stateZeroSize, stateNonZeroSize) =
1371  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1372 
1373  // If the size can be zero, the result will be 0 in that case, and we don't
1374  // have to check the string itself.
1375  if (stateZeroSize) {
1376  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1377  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1378  C.addTransition(stateZeroSize);
1379  }
1380 
1381  // If the size is GUARANTEED to be zero, we're done!
1382  if (!stateNonZeroSize)
1383  return;
1384 
1385  // Otherwise, record the assumption that the size is nonzero.
1386  state = stateNonZeroSize;
1387  }
1388 
1389  // Check that the string argument is non-null.
1390  AnyArgExpr Arg = {CE->getArg(0), 0};
1391  SVal ArgVal = state->getSVal(Arg.Expression, LCtx);
1392  state = checkNonNull(C, state, Arg, ArgVal);
1393 
1394  if (!state)
1395  return;
1396 
1397  SVal strLength = getCStringLength(C, state, Arg.Expression, ArgVal);
1398 
1399  // If the argument isn't a valid C string, there's no valid state to
1400  // transition to.
1401  if (strLength.isUndef())
1402  return;
1403 
1404  DefinedOrUnknownSVal result = UnknownVal();
1405 
1406  // If the check is for strnlen() then bind the return value to no more than
1407  // the maxlen value.
1408  if (IsStrnlen) {
1409  QualType cmpTy = C.getSValBuilder().getConditionType();
1410 
1411  // It's a little unfortunate to be getting this again,
1412  // but it's not that expensive...
1413  const Expr *maxlenExpr = CE->getArg(1);
1414  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1415 
1416  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1417  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1418 
1419  if (strLengthNL && maxlenValNL) {
1420  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1421 
1422  // Check if the strLength is greater than the maxlen.
1423  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1424  C.getSValBuilder()
1425  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1426  .castAs<DefinedOrUnknownSVal>());
1427 
1428  if (stateStringTooLong && !stateStringNotTooLong) {
1429  // If the string is longer than maxlen, return maxlen.
1430  result = *maxlenValNL;
1431  } else if (stateStringNotTooLong && !stateStringTooLong) {
1432  // If the string is shorter than maxlen, return its length.
1433  result = *strLengthNL;
1434  }
1435  }
1436 
1437  if (result.isUnknown()) {
1438  // If we don't have enough information for a comparison, there's
1439  // no guarantee the full string length will actually be returned.
1440  // All we know is the return value is the min of the string length
1441  // and the limit. This is better than nothing.
1442  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1443  C.blockCount());
1444  NonLoc resultNL = result.castAs<NonLoc>();
1445 
1446  if (strLengthNL) {
1447  state = state->assume(C.getSValBuilder().evalBinOpNN(
1448  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1449  .castAs<DefinedOrUnknownSVal>(), true);
1450  }
1451 
1452  if (maxlenValNL) {
1453  state = state->assume(C.getSValBuilder().evalBinOpNN(
1454  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1455  .castAs<DefinedOrUnknownSVal>(), true);
1456  }
1457  }
1458 
1459  } else {
1460  // This is a plain strlen(), not strnlen().
1461  result = strLength.castAs<DefinedOrUnknownSVal>();
1462 
1463  // If we don't know the length of the string, conjure a return
1464  // value, so it can be used in constraints, at least.
1465  if (result.isUnknown()) {
1466  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1467  C.blockCount());
1468  }
1469  }
1470 
1471  // Bind the return value.
1472  assert(!result.isUnknown() && "Should have conjured a value by now");
1473  state = state->BindExpr(CE, LCtx, result);
1474  C.addTransition(state);
1475 }
1476 
1477 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1478  // char *strcpy(char *restrict dst, const char *restrict src);
1479  evalStrcpyCommon(C, CE,
1480  /* ReturnEnd = */ false,
1481  /* IsBounded = */ false,
1482  /* appendK = */ ConcatFnKind::none);
1483 }
1484 
1485 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1486  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1487  evalStrcpyCommon(C, CE,
1488  /* ReturnEnd = */ false,
1489  /* IsBounded = */ true,
1490  /* appendK = */ ConcatFnKind::none);
1491 }
1492 
1493 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1494  // char *stpcpy(char *restrict dst, const char *restrict src);
1495  evalStrcpyCommon(C, CE,
1496  /* ReturnEnd = */ true,
1497  /* IsBounded = */ false,
1498  /* appendK = */ ConcatFnKind::none);
1499 }
1500 
1501 void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const {
1502  // size_t strlcpy(char *dest, const char *src, size_t size);
1503  evalStrcpyCommon(C, CE,
1504  /* ReturnEnd = */ true,
1505  /* IsBounded = */ true,
1506  /* appendK = */ ConcatFnKind::none,
1507  /* returnPtr = */ false);
1508 }
1509 
1510 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1511  // char *strcat(char *restrict s1, const char *restrict s2);
1512  evalStrcpyCommon(C, CE,
1513  /* ReturnEnd = */ false,
1514  /* IsBounded = */ false,
1515  /* appendK = */ ConcatFnKind::strcat);
1516 }
1517 
1518 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1519  //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1520  evalStrcpyCommon(C, CE,
1521  /* ReturnEnd = */ false,
1522  /* IsBounded = */ true,
1523  /* appendK = */ ConcatFnKind::strcat);
1524 }
1525 
1526 void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const {
1527  // size_t strlcat(char *dst, const char *src, size_t size);
1528  // It will append at most size - strlen(dst) - 1 bytes,
1529  // NULL-terminating the result.
1530  evalStrcpyCommon(C, CE,
1531  /* ReturnEnd = */ false,
1532  /* IsBounded = */ true,
1533  /* appendK = */ ConcatFnKind::strlcat,
1534  /* returnPtr = */ false);
1535 }
1536 
1537 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1538  bool ReturnEnd, bool IsBounded,
1539  ConcatFnKind appendK,
1540  bool returnPtr) const {
1541  if (appendK == ConcatFnKind::none)
1542  CurrentFunctionDescription = "string copy function";
1543  else
1544  CurrentFunctionDescription = "string concatenation function";
1545 
1546  ProgramStateRef state = C.getState();
1547  const LocationContext *LCtx = C.getLocationContext();
1548 
1549  // Check that the destination is non-null.
1550  DestinationArgExpr Dst = {CE->getArg(0), 0};
1551  SVal DstVal = state->getSVal(Dst.Expression, LCtx);
1552  state = checkNonNull(C, state, Dst, DstVal);
1553  if (!state)
1554  return;
1555 
1556  // Check that the source is non-null.
1557  SourceArgExpr srcExpr = {CE->getArg(1), 1};
1558  SVal srcVal = state->getSVal(srcExpr.Expression, LCtx);
1559  state = checkNonNull(C, state, srcExpr, srcVal);
1560  if (!state)
1561  return;
1562 
1563  // Get the string length of the source.
1564  SVal strLength = getCStringLength(C, state, srcExpr.Expression, srcVal);
1565  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1566 
1567  // Get the string length of the destination buffer.
1568  SVal dstStrLength = getCStringLength(C, state, Dst.Expression, DstVal);
1569  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1570 
1571  // If the source isn't a valid C string, give up.
1572  if (strLength.isUndef())
1573  return;
1574 
1575  SValBuilder &svalBuilder = C.getSValBuilder();
1576  QualType cmpTy = svalBuilder.getConditionType();
1577  QualType sizeTy = svalBuilder.getContext().getSizeType();
1578 
1579  // These two values allow checking two kinds of errors:
1580  // - actual overflows caused by a source that doesn't fit in the destination
1581  // - potential overflows caused by a bound that could exceed the destination
1582  SVal amountCopied = UnknownVal();
1583  SVal maxLastElementIndex = UnknownVal();
1584  const char *boundWarning = nullptr;
1585 
1586  // FIXME: Why do we choose the srcExpr if the access has no size?
1587  // Note that the 3rd argument of the call would be the size parameter.
1588  SizeArgExpr SrcExprAsSizeDummy = {srcExpr.Expression, srcExpr.ArgumentIndex};
1589  state = CheckOverlap(
1590  C, state,
1591  (IsBounded ? SizeArgExpr{CE->getArg(2), 2} : SrcExprAsSizeDummy), Dst,
1592  srcExpr);
1593 
1594  if (!state)
1595  return;
1596 
1597  // If the function is strncpy, strncat, etc... it is bounded.
1598  if (IsBounded) {
1599  // Get the max number of characters to copy.
1600  SizeArgExpr lenExpr = {CE->getArg(2), 2};
1601  SVal lenVal = state->getSVal(lenExpr.Expression, LCtx);
1602 
1603  // Protect against misdeclared strncpy().
1604  lenVal =
1605  svalBuilder.evalCast(lenVal, sizeTy, lenExpr.Expression->getType());
1606 
1607  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1608 
1609  // If we know both values, we might be able to figure out how much
1610  // we're copying.
1611  if (strLengthNL && lenValNL) {
1612  switch (appendK) {
1613  case ConcatFnKind::none:
1614  case ConcatFnKind::strcat: {
1615  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1616  // Check if the max number to copy is less than the length of the src.
1617  // If the bound is equal to the source length, strncpy won't null-
1618  // terminate the result!
1619  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1620  svalBuilder
1621  .evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1622  .castAs<DefinedOrUnknownSVal>());
1623 
1624  if (stateSourceTooLong && !stateSourceNotTooLong) {
1625  // Max number to copy is less than the length of the src, so the
1626  // actual strLength copied is the max number arg.
1627  state = stateSourceTooLong;
1628  amountCopied = lenVal;
1629 
1630  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1631  // The source buffer entirely fits in the bound.
1632  state = stateSourceNotTooLong;
1633  amountCopied = strLength;
1634  }
1635  break;
1636  }
1637  case ConcatFnKind::strlcat:
1638  if (!dstStrLengthNL)
1639  return;
1640 
1641  // amountCopied = min (size - dstLen - 1 , srcLen)
1642  SVal freeSpace = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1643  *dstStrLengthNL, sizeTy);
1644  if (!freeSpace.getAs<NonLoc>())
1645  return;
1646  freeSpace =
1647  svalBuilder.evalBinOp(state, BO_Sub, freeSpace,
1648  svalBuilder.makeIntVal(1, sizeTy), sizeTy);
1649  Optional<NonLoc> freeSpaceNL = freeSpace.getAs<NonLoc>();
1650 
1651  // While unlikely, it is possible that the subtraction is
1652  // too complex to compute, let's check whether it succeeded.
1653  if (!freeSpaceNL)
1654  return;
1655  SVal hasEnoughSpace = svalBuilder.evalBinOpNN(
1656  state, BO_LE, *strLengthNL, *freeSpaceNL, cmpTy);
1657 
1658  ProgramStateRef TrueState, FalseState;
1659  std::tie(TrueState, FalseState) =
1660  state->assume(hasEnoughSpace.castAs<DefinedOrUnknownSVal>());
1661 
1662  // srcStrLength <= size - dstStrLength -1
1663  if (TrueState && !FalseState) {
1664  amountCopied = strLength;
1665  }
1666 
1667  // srcStrLength > size - dstStrLength -1
1668  if (!TrueState && FalseState) {
1669  amountCopied = freeSpace;
1670  }
1671 
1672  if (TrueState && FalseState)
1673  amountCopied = UnknownVal();
1674  break;
1675  }
1676  }
1677  // We still want to know if the bound is known to be too large.
1678  if (lenValNL) {
1679  switch (appendK) {
1680  case ConcatFnKind::strcat:
1681  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1682 
1683  // Get the string length of the destination. If the destination is
1684  // memory that can't have a string length, we shouldn't be copying
1685  // into it anyway.
1686  if (dstStrLength.isUndef())
1687  return;
1688 
1689  if (dstStrLengthNL) {
1690  maxLastElementIndex = svalBuilder.evalBinOpNN(
1691  state, BO_Add, *lenValNL, *dstStrLengthNL, sizeTy);
1692 
1693  boundWarning = "Size argument is greater than the free space in the "
1694  "destination buffer";
1695  }
1696  break;
1697  case ConcatFnKind::none:
1698  case ConcatFnKind::strlcat:
1699  // For strncpy and strlcat, this is just checking
1700  // that lenVal <= sizeof(dst).
1701  // (Yes, strncpy and strncat differ in how they treat termination.
1702  // strncat ALWAYS terminates, but strncpy doesn't.)
1703 
1704  // We need a special case for when the copy size is zero, in which
1705  // case strncpy will do no work at all. Our bounds check uses n-1
1706  // as the last element accessed, so n == 0 is problematic.
1707  ProgramStateRef StateZeroSize, StateNonZeroSize;
1708  std::tie(StateZeroSize, StateNonZeroSize) =
1709  assumeZero(C, state, *lenValNL, sizeTy);
1710 
1711  // If the size is known to be zero, we're done.
1712  if (StateZeroSize && !StateNonZeroSize) {
1713  if (returnPtr) {
1714  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1715  } else {
1716  if (appendK == ConcatFnKind::none) {
1717  // strlcpy returns strlen(src)
1718  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, strLength);
1719  } else {
1720  // strlcat returns strlen(src) + strlen(dst)
1721  SVal retSize = svalBuilder.evalBinOp(
1722  state, BO_Add, strLength, dstStrLength, sizeTy);
1723  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, retSize);
1724  }
1725  }
1726  C.addTransition(StateZeroSize);
1727  return;
1728  }
1729 
1730  // Otherwise, go ahead and figure out the last element we'll touch.
1731  // We don't record the non-zero assumption here because we can't
1732  // be sure. We won't warn on a possible zero.
1733  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1734  maxLastElementIndex =
1735  svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, one, sizeTy);
1736  boundWarning = "Size argument is greater than the length of the "
1737  "destination buffer";
1738  break;
1739  }
1740  }
1741  } else {
1742  // The function isn't bounded. The amount copied should match the length
1743  // of the source buffer.
1744  amountCopied = strLength;
1745  }
1746 
1747  assert(state);
1748 
1749  // This represents the number of characters copied into the destination
1750  // buffer. (It may not actually be the strlen if the destination buffer
1751  // is not terminated.)
1752  SVal finalStrLength = UnknownVal();
1753  SVal strlRetVal = UnknownVal();
1754 
1755  if (appendK == ConcatFnKind::none && !returnPtr) {
1756  // strlcpy returns the sizeof(src)
1757  strlRetVal = strLength;
1758  }
1759 
1760  // If this is an appending function (strcat, strncat...) then set the
1761  // string length to strlen(src) + strlen(dst) since the buffer will
1762  // ultimately contain both.
1763  if (appendK != ConcatFnKind::none) {
1764  // Get the string length of the destination. If the destination is memory
1765  // that can't have a string length, we shouldn't be copying into it anyway.
1766  if (dstStrLength.isUndef())
1767  return;
1768 
1769  if (appendK == ConcatFnKind::strlcat && dstStrLengthNL && strLengthNL) {
1770  strlRetVal = svalBuilder.evalBinOpNN(state, BO_Add, *strLengthNL,
1771  *dstStrLengthNL, sizeTy);
1772  }
1773 
1774  Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>();
1775 
1776  // If we know both string lengths, we might know the final string length.
1777  if (amountCopiedNL && dstStrLengthNL) {
1778  // Make sure the two lengths together don't overflow a size_t.
1779  state = checkAdditionOverflow(C, state, *amountCopiedNL, *dstStrLengthNL);
1780  if (!state)
1781  return;
1782 
1783  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *amountCopiedNL,
1784  *dstStrLengthNL, sizeTy);
1785  }
1786 
1787  // If we couldn't get a single value for the final string length,
1788  // we can at least bound it by the individual lengths.
1789  if (finalStrLength.isUnknown()) {
1790  // Try to get a "hypothetical" string length symbol, which we can later
1791  // set as a real value if that turns out to be the case.
1792  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1793  assert(!finalStrLength.isUndef());
1794 
1795  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1796  if (amountCopiedNL && appendK == ConcatFnKind::none) {
1797  // we overwrite dst string with the src
1798  // finalStrLength >= srcStrLength
1799  SVal sourceInResult = svalBuilder.evalBinOpNN(
1800  state, BO_GE, *finalStrLengthNL, *amountCopiedNL, cmpTy);
1801  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1802  true);
1803  if (!state)
1804  return;
1805  }
1806 
1807  if (dstStrLengthNL && appendK != ConcatFnKind::none) {
1808  // we extend the dst string with the src
1809  // finalStrLength >= dstStrLength
1810  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1811  *finalStrLengthNL,
1812  *dstStrLengthNL,
1813  cmpTy);
1814  state =
1815  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1816  if (!state)
1817  return;
1818  }
1819  }
1820  }
1821 
1822  } else {
1823  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1824  // the final string length will match the input string length.
1825  finalStrLength = amountCopied;
1826  }
1827 
1828  SVal Result;
1829 
1830  if (returnPtr) {
1831  // The final result of the function will either be a pointer past the last
1832  // copied element, or a pointer to the start of the destination buffer.
1833  Result = (ReturnEnd ? UnknownVal() : DstVal);
1834  } else {
1835  if (appendK == ConcatFnKind::strlcat || appendK == ConcatFnKind::none)
1836  //strlcpy, strlcat
1837  Result = strlRetVal;
1838  else
1839  Result = finalStrLength;
1840  }
1841 
1842  assert(state);
1843 
1844  // If the destination is a MemRegion, try to check for a buffer overflow and
1845  // record the new string length.
1846  if (Optional<loc::MemRegionVal> dstRegVal =
1847  DstVal.getAs<loc::MemRegionVal>()) {
1848  QualType ptrTy = Dst.Expression->getType();
1849 
1850  // If we have an exact value on a bounded copy, use that to check for
1851  // overflows, rather than our estimate about how much is actually copied.
1852  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1853  SVal maxLastElement =
1854  svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, *maxLastNL, ptrTy);
1855 
1856  state = CheckLocation(C, state, Dst, maxLastElement, AccessKind::write);
1857  if (!state)
1858  return;
1859  }
1860 
1861  // Then, if the final length is known...
1862  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1863  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1864  *knownStrLength, ptrTy);
1865 
1866  // ...and we haven't checked the bound, we'll check the actual copy.
1867  if (!boundWarning) {
1868  state = CheckLocation(C, state, Dst, lastElement, AccessKind::write);
1869  if (!state)
1870  return;
1871  }
1872 
1873  // If this is a stpcpy-style copy, the last element is the return value.
1874  if (returnPtr && ReturnEnd)
1875  Result = lastElement;
1876  }
1877 
1878  // Invalidate the destination (regular invalidation without pointer-escaping
1879  // the address of the top-level region). This must happen before we set the
1880  // C string length because invalidation will clear the length.
1881  // FIXME: Even if we can't perfectly model the copy, we should see if we
1882  // can use LazyCompoundVals to copy the source values into the destination.
1883  // This would probably remove any existing bindings past the end of the
1884  // string, but that's still an improvement over blank invalidation.
1885  state = InvalidateBuffer(C, state, Dst.Expression, *dstRegVal,
1886  /*IsSourceBuffer*/ false, nullptr);
1887 
1888  // Invalidate the source (const-invalidation without const-pointer-escaping
1889  // the address of the top-level region).
1890  state = InvalidateBuffer(C, state, srcExpr.Expression, srcVal,
1891  /*IsSourceBuffer*/ true, nullptr);
1892 
1893  // Set the C string length of the destination, if we know it.
1894  if (IsBounded && (appendK == ConcatFnKind::none)) {
1895  // strncpy is annoying in that it doesn't guarantee to null-terminate
1896  // the result string. If the original string didn't fit entirely inside
1897  // the bound (including the null-terminator), we don't know how long the
1898  // result is.
1899  if (amountCopied != strLength)
1900  finalStrLength = UnknownVal();
1901  }
1902  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1903  }
1904 
1905  assert(state);
1906 
1907  if (returnPtr) {
1908  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1909  // overflow, we still need a result. Conjure a return value.
1910  if (ReturnEnd && Result.isUnknown()) {
1911  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1912  }
1913  }
1914  // Set the return value.
1915  state = state->BindExpr(CE, LCtx, Result);
1916  C.addTransition(state);
1917 }
1918 
1919 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1920  //int strcmp(const char *s1, const char *s2);
1921  evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ false);
1922 }
1923 
1924 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1925  //int strncmp(const char *s1, const char *s2, size_t n);
1926  evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ false);
1927 }
1928 
1929 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1930  const CallExpr *CE) const {
1931  //int strcasecmp(const char *s1, const char *s2);
1932  evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ true);
1933 }
1934 
1935 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1936  const CallExpr *CE) const {
1937  //int strncasecmp(const char *s1, const char *s2, size_t n);
1938  evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ true);
1939 }
1940 
1941 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1942  bool IsBounded, bool IgnoreCase) const {
1943  CurrentFunctionDescription = "string comparison function";
1944  ProgramStateRef state = C.getState();
1945  const LocationContext *LCtx = C.getLocationContext();
1946 
1947  // Check that the first string is non-null
1948  AnyArgExpr Left = {CE->getArg(0), 0};
1949  SVal LeftVal = state->getSVal(Left.Expression, LCtx);
1950  state = checkNonNull(C, state, Left, LeftVal);
1951  if (!state)
1952  return;
1953 
1954  // Check that the second string is non-null.
1955  AnyArgExpr Right = {CE->getArg(1), 1};
1956  SVal RightVal = state->getSVal(Right.Expression, LCtx);
1957  state = checkNonNull(C, state, Right, RightVal);
1958  if (!state)
1959  return;
1960 
1961  // Get the string length of the first string or give up.
1962  SVal LeftLength = getCStringLength(C, state, Left.Expression, LeftVal);
1963  if (LeftLength.isUndef())
1964  return;
1965 
1966  // Get the string length of the second string or give up.
1967  SVal RightLength = getCStringLength(C, state, Right.Expression, RightVal);
1968  if (RightLength.isUndef())
1969  return;
1970 
1971  // If we know the two buffers are the same, we know the result is 0.
1972  // First, get the two buffers' addresses. Another checker will have already
1973  // made sure they're not undefined.
1974  DefinedOrUnknownSVal LV = LeftVal.castAs<DefinedOrUnknownSVal>();
1975  DefinedOrUnknownSVal RV = RightVal.castAs<DefinedOrUnknownSVal>();
1976 
1977  // See if they are the same.
1978  SValBuilder &svalBuilder = C.getSValBuilder();
1979  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1980  ProgramStateRef StSameBuf, StNotSameBuf;
1981  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1982 
1983  // If the two arguments might be the same buffer, we know the result is 0,
1984  // and we only need to check one size.
1985  if (StSameBuf) {
1986  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
1987  svalBuilder.makeZeroVal(CE->getType()));
1988  C.addTransition(StSameBuf);
1989 
1990  // If the two arguments are GUARANTEED to be the same, we're done!
1991  if (!StNotSameBuf)
1992  return;
1993  }
1994 
1995  assert(StNotSameBuf);
1996  state = StNotSameBuf;
1997 
1998  // At this point we can go about comparing the two buffers.
1999  // For now, we only do this if they're both known string literals.
2000 
2001  // Attempt to extract string literals from both expressions.
2002  const StringLiteral *LeftStrLiteral =
2003  getCStringLiteral(C, state, Left.Expression, LeftVal);
2004  const StringLiteral *RightStrLiteral =
2005  getCStringLiteral(C, state, Right.Expression, RightVal);
2006  bool canComputeResult = false;
2007  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
2008  C.blockCount());
2009 
2010  if (LeftStrLiteral && RightStrLiteral) {
2011  StringRef LeftStrRef = LeftStrLiteral->getString();
2012  StringRef RightStrRef = RightStrLiteral->getString();
2013 
2014  if (IsBounded) {
2015  // Get the max number of characters to compare.
2016  const Expr *lenExpr = CE->getArg(2);
2017  SVal lenVal = state->getSVal(lenExpr, LCtx);
2018 
2019  // If the length is known, we can get the right substrings.
2020  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
2021  // Create substrings of each to compare the prefix.
2022  LeftStrRef = LeftStrRef.substr(0, (size_t)len->getZExtValue());
2023  RightStrRef = RightStrRef.substr(0, (size_t)len->getZExtValue());
2024  canComputeResult = true;
2025  }
2026  } else {
2027  // This is a normal, unbounded strcmp.
2028  canComputeResult = true;
2029  }
2030 
2031  if (canComputeResult) {
2032  // Real strcmp stops at null characters.
2033  size_t s1Term = LeftStrRef.find('\0');
2034  if (s1Term != StringRef::npos)
2035  LeftStrRef = LeftStrRef.substr(0, s1Term);
2036 
2037  size_t s2Term = RightStrRef.find('\0');
2038  if (s2Term != StringRef::npos)
2039  RightStrRef = RightStrRef.substr(0, s2Term);
2040 
2041  // Use StringRef's comparison methods to compute the actual result.
2042  int compareRes = IgnoreCase ? LeftStrRef.compare_insensitive(RightStrRef)
2043  : LeftStrRef.compare(RightStrRef);
2044 
2045  // The strcmp function returns an integer greater than, equal to, or less
2046  // than zero, [c11, p7.24.4.2].
2047  if (compareRes == 0) {
2048  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
2049  }
2050  else {
2051  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
2052  // Constrain strcmp's result range based on the result of StringRef's
2053  // comparison methods.
2054  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
2055  SVal compareWithZero =
2056  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
2057  svalBuilder.getConditionType());
2058  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
2059  state = state->assume(compareWithZeroVal, true);
2060  }
2061  }
2062  }
2063 
2064  state = state->BindExpr(CE, LCtx, resultVal);
2065 
2066  // Record this as a possible path.
2067  C.addTransition(state);
2068 }
2069 
2070 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
2071  //char *strsep(char **stringp, const char *delim);
2072  // Sanity: does the search string parameter match the return type?
2073  SourceArgExpr SearchStrPtr = {CE->getArg(0), 0};
2074 
2075  QualType CharPtrTy = SearchStrPtr.Expression->getType()->getPointeeType();
2076  if (CharPtrTy.isNull() ||
2077  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
2078  return;
2079 
2080  CurrentFunctionDescription = "strsep()";
2081  ProgramStateRef State = C.getState();
2082  const LocationContext *LCtx = C.getLocationContext();
2083 
2084  // Check that the search string pointer is non-null (though it may point to
2085  // a null string).
2086  SVal SearchStrVal = State->getSVal(SearchStrPtr.Expression, LCtx);
2087  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
2088  if (!State)
2089  return;
2090 
2091  // Check that the delimiter string is non-null.
2092  AnyArgExpr DelimStr = {CE->getArg(1), 1};
2093  SVal DelimStrVal = State->getSVal(DelimStr.Expression, LCtx);
2094  State = checkNonNull(C, State, DelimStr, DelimStrVal);
2095  if (!State)
2096  return;
2097 
2098  SValBuilder &SVB = C.getSValBuilder();
2099  SVal Result;
2100  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
2101  // Get the current value of the search string pointer, as a char*.
2102  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
2103 
2104  // Invalidate the search string, representing the change of one delimiter
2105  // character to NUL.
2106  State = InvalidateBuffer(C, State, SearchStrPtr.Expression, Result,
2107  /*IsSourceBuffer*/ false, nullptr);
2108 
2109  // Overwrite the search string pointer. The new value is either an address
2110  // further along in the same string, or NULL if there are no more tokens.
2111  State = State->bindLoc(*SearchStrLoc,
2112  SVB.conjureSymbolVal(getTag(),
2113  CE,
2114  LCtx,
2115  CharPtrTy,
2116  C.blockCount()),
2117  LCtx);
2118  } else {
2119  assert(SearchStrVal.isUnknown());
2120  // Conjure a symbolic value. It's the best we can do.
2121  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2122  }
2123 
2124  // Set the return value, and finish.
2125  State = State->BindExpr(CE, LCtx, Result);
2126  C.addTransition(State);
2127 }
2128 
2129 // These should probably be moved into a C++ standard library checker.
2130 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
2131  evalStdCopyCommon(C, CE);
2132 }
2133 
2134 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
2135  const CallExpr *CE) const {
2136  evalStdCopyCommon(C, CE);
2137 }
2138 
2139 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
2140  const CallExpr *CE) const {
2141  if (!CE->getArg(2)->getType()->isPointerType())
2142  return;
2143 
2144  ProgramStateRef State = C.getState();
2145 
2146  const LocationContext *LCtx = C.getLocationContext();
2147 
2148  // template <class _InputIterator, class _OutputIterator>
2149  // _OutputIterator
2150  // copy(_InputIterator __first, _InputIterator __last,
2151  // _OutputIterator __result)
2152 
2153  // Invalidate the destination buffer
2154  const Expr *Dst = CE->getArg(2);
2155  SVal DstVal = State->getSVal(Dst, LCtx);
2156  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
2157  /*Size=*/nullptr);
2158 
2159  SValBuilder &SVB = C.getSValBuilder();
2160 
2161  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2162  State = State->BindExpr(CE, LCtx, ResultVal);
2163 
2164  C.addTransition(State);
2165 }
2166 
2167 void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
2168  // void *memset(void *s, int c, size_t n);
2169  CurrentFunctionDescription = "memory set function";
2170 
2171  DestinationArgExpr Buffer = {CE->getArg(0), 0};
2172  AnyArgExpr CharE = {CE->getArg(1), 1};
2173  SizeArgExpr Size = {CE->getArg(2), 2};
2174 
2175  ProgramStateRef State = C.getState();
2176 
2177  // See if the size argument is zero.
2178  const LocationContext *LCtx = C.getLocationContext();
2179  SVal SizeVal = C.getSVal(Size.Expression);
2180  QualType SizeTy = Size.Expression->getType();
2181 
2182  ProgramStateRef ZeroSize, NonZeroSize;
2183  std::tie(ZeroSize, NonZeroSize) = assumeZero(C, State, SizeVal, SizeTy);
2184 
2185  // Get the value of the memory area.
2186  SVal BufferPtrVal = C.getSVal(Buffer.Expression);
2187 
2188  // If the size is zero, there won't be any actual memory access, so
2189  // just bind the return value to the buffer and return.
2190  if (ZeroSize && !NonZeroSize) {
2191  ZeroSize = ZeroSize->BindExpr(CE, LCtx, BufferPtrVal);
2192  C.addTransition(ZeroSize);
2193  return;
2194  }
2195 
2196  // Ensure the memory area is not null.
2197  // If it is NULL there will be a NULL pointer dereference.
2198  State = checkNonNull(C, NonZeroSize, Buffer, BufferPtrVal);
2199  if (!State)
2200  return;
2201 
2202  State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
2203  if (!State)
2204  return;
2205 
2206  // According to the values of the arguments, bind the value of the second
2207  // argument to the destination buffer and set string length, or just
2208  // invalidate the destination buffer.
2209  if (!memsetAux(Buffer.Expression, C.getSVal(CharE.Expression),
2210  Size.Expression, C, State))
2211  return;
2212 
2213  State = State->BindExpr(CE, LCtx, BufferPtrVal);
2214  C.addTransition(State);
2215 }
2216 
2217 void CStringChecker::evalBzero(CheckerContext &C, const CallExpr *CE) const {
2218  CurrentFunctionDescription = "memory clearance function";
2219 
2220  DestinationArgExpr Buffer = {CE->getArg(0), 0};
2221  SizeArgExpr Size = {CE->getArg(1), 1};
2222  SVal Zero = C.getSValBuilder().makeZeroVal(C.getASTContext().IntTy);
2223 
2224  ProgramStateRef State = C.getState();
2225 
2226  // See if the size argument is zero.
2227  SVal SizeVal = C.getSVal(Size.Expression);
2228  QualType SizeTy = Size.Expression->getType();
2229 
2230  ProgramStateRef StateZeroSize, StateNonZeroSize;
2231  std::tie(StateZeroSize, StateNonZeroSize) =
2232  assumeZero(C, State, SizeVal, SizeTy);
2233 
2234  // If the size is zero, there won't be any actual memory access,
2235  // In this case we just return.
2236  if (StateZeroSize && !StateNonZeroSize) {
2237  C.addTransition(StateZeroSize);
2238  return;
2239  }
2240 
2241  // Get the value of the memory area.
2242  SVal MemVal = C.getSVal(Buffer.Expression);
2243 
2244  // Ensure the memory area is not null.
2245  // If it is NULL there will be a NULL pointer dereference.
2246  State = checkNonNull(C, StateNonZeroSize, Buffer, MemVal);
2247  if (!State)
2248  return;
2249 
2250  State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
2251  if (!State)
2252  return;
2253 
2254  if (!memsetAux(Buffer.Expression, Zero, Size.Expression, C, State))
2255  return;
2256 
2257  C.addTransition(State);
2258 }
2259 
2260 //===----------------------------------------------------------------------===//
2261 // The driver method, and other Checker callbacks.
2262 //===----------------------------------------------------------------------===//
2263 
2264 CStringChecker::FnCheck CStringChecker::identifyCall(const CallEvent &Call,
2265  CheckerContext &C) const {
2266  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
2267  if (!CE)
2268  return nullptr;
2269 
2270  const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
2271  if (!FD)
2272  return nullptr;
2273 
2274  if (Call.isCalled(StdCopy)) {
2275  return &CStringChecker::evalStdCopy;
2276  } else if (Call.isCalled(StdCopyBackward)) {
2277  return &CStringChecker::evalStdCopyBackward;
2278  }
2279 
2280  // Pro-actively check that argument types are safe to do arithmetic upon.
2281  // We do not want to crash if someone accidentally passes a structure
2282  // into, say, a C++ overload of any of these functions. We could not check
2283  // that for std::copy because they may have arguments of other types.
2284  for (auto I : CE->arguments()) {
2285  QualType T = I->getType();
2286  if (!T->isIntegralOrEnumerationType() && !T->isPointerType())
2287  return nullptr;
2288  }
2289 
2290  const FnCheck *Callback = Callbacks.lookup(Call);
2291  if (Callback)
2292  return *Callback;
2293 
2294  return nullptr;
2295 }
2296 
2297 bool CStringChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
2298  FnCheck Callback = identifyCall(Call, C);
2299 
2300  // If the callee isn't a string function, let another checker handle it.
2301  if (!Callback)
2302  return false;
2303 
2304  // Check and evaluate the call.
2305  const auto *CE = cast<CallExpr>(Call.getOriginExpr());
2306  (this->*Callback)(C, CE);
2307 
2308  // If the evaluate call resulted in no change, chain to the next eval call
2309  // handler.
2310  // Note, the custom CString evaluation calls assume that basic safety
2311  // properties are held. However, if the user chooses to turn off some of these
2312  // checks, we ignore the issues and leave the call evaluation to a generic
2313  // handler.
2314  return C.isDifferent();
2315 }
2316 
2317 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2318  // Record string length for char a[] = "abc";
2319  ProgramStateRef state = C.getState();
2320 
2321  for (const auto *I : DS->decls()) {
2322  const VarDecl *D = dyn_cast<VarDecl>(I);
2323  if (!D)
2324  continue;
2325 
2326  // FIXME: Handle array fields of structs.
2327  if (!D->getType()->isArrayType())
2328  continue;
2329 
2330  const Expr *Init = D->getInit();
2331  if (!Init)
2332  continue;
2333  if (!isa<StringLiteral>(Init))
2334  continue;
2335 
2336  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2337  const MemRegion *MR = VarLoc.getAsRegion();
2338  if (!MR)
2339  continue;
2340 
2341  SVal StrVal = C.getSVal(Init);
2342  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2343  DefinedOrUnknownSVal strLength =
2344  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2345 
2346  state = state->set<CStringLength>(MR, strLength);
2347  }
2348 
2349  C.addTransition(state);
2350 }
2351 
2353 CStringChecker::checkRegionChanges(ProgramStateRef state,
2354  const InvalidatedSymbols *,
2355  ArrayRef<const MemRegion *> ExplicitRegions,
2357  const LocationContext *LCtx,
2358  const CallEvent *Call) const {
2359  CStringLengthTy Entries = state->get<CStringLength>();
2360  if (Entries.isEmpty())
2361  return state;
2362 
2365 
2366  // First build sets for the changed regions and their super-regions.
2368  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2369  const MemRegion *MR = *I;
2370  Invalidated.insert(MR);
2371 
2372  SuperRegions.insert(MR);
2373  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2374  MR = SR->getSuperRegion();
2375  SuperRegions.insert(MR);
2376  }
2377  }
2378 
2379  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2380 
2381  // Then loop over the entries in the current state.
2382  for (CStringLengthTy::iterator I = Entries.begin(),
2383  E = Entries.end(); I != E; ++I) {
2384  const MemRegion *MR = I.getKey();
2385 
2386  // Is this entry for a super-region of a changed region?
2387  if (SuperRegions.count(MR)) {
2388  Entries = F.remove(Entries, MR);
2389  continue;
2390  }
2391 
2392  // Is this entry for a sub-region of a changed region?
2393  const MemRegion *Super = MR;
2394  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2395  Super = SR->getSuperRegion();
2396  if (Invalidated.count(Super)) {
2397  Entries = F.remove(Entries, MR);
2398  break;
2399  }
2400  }
2401  }
2402 
2403  return state->set<CStringLength>(Entries);
2404 }
2405 
2406 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2407  SymbolReaper &SR) const {
2408  // Mark all symbols in our string length map as valid.
2409  CStringLengthTy Entries = state->get<CStringLength>();
2410 
2411  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2412  I != E; ++I) {
2413  SVal Len = I.getData();
2414 
2415  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2416  se = Len.symbol_end(); si != se; ++si)
2417  SR.markInUse(*si);
2418  }
2419 }
2420 
2421 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2422  CheckerContext &C) const {
2423  ProgramStateRef state = C.getState();
2424  CStringLengthTy Entries = state->get<CStringLength>();
2425  if (Entries.isEmpty())
2426  return;
2427 
2428  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2429  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2430  I != E; ++I) {
2431  SVal Len = I.getData();
2432  if (SymbolRef Sym = Len.getAsSymbol()) {
2433  if (SR.isDead(Sym))
2434  Entries = F.remove(Entries, I.getKey());
2435  }
2436  }
2437 
2438  state = state->set<CStringLength>(Entries);
2439  C.addTransition(state);
2440 }
2441 
2442 void ento::registerCStringModeling(CheckerManager &Mgr) {
2443  Mgr.registerChecker<CStringChecker>();
2444 }
2445 
2446 bool ento::shouldRegisterCStringModeling(const CheckerManager &mgr) {
2447  return true;
2448 }
2449 
2450 #define REGISTER_CHECKER(name) \
2451  void ento::register##name(CheckerManager &mgr) { \
2452  CStringChecker *checker = mgr.getChecker<CStringChecker>(); \
2453  checker->Filter.Check##name = true; \
2454  checker->Filter.CheckName##name = mgr.getCurrentCheckerName(); \
2455  } \
2456  \
2457  bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
2458 
2459 REGISTER_CHECKER(CStringNullArg)
2460 REGISTER_CHECKER(CStringOutOfBounds)
2461 REGISTER_CHECKER(CStringBufferOverlap)
2462 REGISTER_CHECKER(CStringNotNullTerm)
clang::ento::CDF_MaybeBuiltin
@ CDF_MaybeBuiltin
Describes a C standard function that is sometimes implemented as a macro that expands to a compiler b...
Definition: CallEvent.h:1233
DynamicExtent.h
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::threadSafety::AccessKind
AccessKind
This enum distinguishes between different ways to access (read or write) a variable.
Definition: ThreadSafety.h:69
clang::ento::RegionAndSymbolInvalidationTraits::TK_SuppressEscape
@ TK_SuppressEscape
Suppress pointer-escaping of a region.
Definition: MemRegion.h:1534
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:324
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:673
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:54
clang::tooling::Filter
llvm::cl::opt< std::string > Filter
clang::ento::SymbolRef
const SymExpr * SymbolRef
Definition: SymExpr.h:110
llvm::Optional
Definition: LLVM.h:40
clang::ComparisonCategoryType::First
@ First
llvm::SmallPtrSet
Definition: ASTContext.h:82
Expression
clang::index::SymbolRole::Call
@ Call
REGISTER_CHECKER
#define REGISTER_CHECKER(name)
Definition: CStringChecker.cpp:2450
clang::StringLiteral::getByteLength
unsigned getByteLength() const
Definition: Expr.h:1872
InterCheckerAPI.h
CallEvent.h
Offset
unsigned Offset
Definition: Format.cpp:2335
REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:84
APSInt
llvm::APSInt APSInt
Definition: ByteCodeEmitter.cpp:19
V
#define V(N, I)
Definition: ASTContext.h:3121
clang::ast_matchers::expr
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
Definition: ASTMatchersInternal.cpp:889
BuiltinCheckerRegistration.h
CheckerManager.h
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:212
clang::ASTContext::getSizeType
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
Definition: ASTContext.cpp:5712
clang::CallExpr::getArg
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2986
llvm::SmallString< 128 >
clang::interp::Zero
bool Zero(InterpState &S, CodePtr OpPC)
Definition: Interp.h:814
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:876
clang::StringLiteral
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1761
Label
std::string Label
Definition: UsingDeclarationsSorter.cpp:69
clang::ento::MemRegion::Kind
Kind
Definition: MemRegion.h:96
state
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial state
Definition: README.txt:30
clang::QualType::getUnqualifiedType
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:6505
clang::toUppercase
LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:178
clang::ASTContext::UnsignedCharTy
CanQualType UnsignedCharTy
Definition: ASTContext.h:1085
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
CharInfo.h
clang::Type::isPointerType
bool isPointerType() const
Definition: Type.h:6673
clang::syntax::NodeRole::Size
@ Size
BugType.h
clang::ASTContext::IntTy
CanQualType IntTy
Definition: ASTContext.h:1084
clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:738
llvm::ArrayRef
Definition: LLVM.h:34
clang::syntax::NodeRole::Message
@ Message
clang::ASTContext::CharTy
CanQualType CharTy
Definition: ASTContext.h:1077
State
LineState State
Definition: UnwrappedLineFormatter.cpp:986
clang::BinaryOperatorKind
BinaryOperatorKind
Definition: OperationKinds.h:25
clang::VarDecl::getInit
const Expr * getInit() const
Definition: Decl.h:1285
CheckerContext.h
clang::DeclStmt
DeclStmt - Adaptor class for mixing declarations with statements and expressions.
Definition: Stmt.h:1292
clang::ento::getDynamicExtent
DefinedOrUnknownSVal getDynamicExtent(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB)
Checker.h
clang::ento::RegionAndSymbolInvalidationTraits::TK_PreserveContents
@ TK_PreserveContents
Tells that a region's contents is not changed.
Definition: MemRegion.h:1531
clang
Definition: CalledOnceCheck.h:17
clang::Type::isArrayType
bool isArrayType() const
Definition: Type.h:6739
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:69
clang::ento::RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion
@ TK_DoNotInvalidateSuperRegion
Definition: MemRegion.h:1537
clang::Expr::getType
QualType getType() const
Definition: Expr.h:141
clang::DeclStmt::decls
decl_range decls()
Definition: Stmt.h:1340
clang::ASTContext::getPointerType
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
Definition: ASTContext.cpp:3249
clang::CallExpr::arguments
arg_range arguments()
Definition: Expr.h:3034
clang::ValueDecl::getType
QualType getType() const
Definition: Decl.h:687
ProgramStateTrait.h
clang::Expr
This represents one expression.
Definition: Expr.h:109
clang::ento::InvalidatedSymbols
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
clang::ento::categories::UnixAPI
const char *const UnixAPI
Definition: CommonBugCategories.cpp:21
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1856
clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2795
clang::StringLiteral::getString
StringRef getString() const
Definition: Expr.h:1844
clang::Type::isIntegralOrEnumerationType
bool isIntegralOrEnumerationType() const
Determine whether this type is an integral or enumeration type.
Definition: Type.h:7059
clang::ento::ObjKind::OS
@ OS
Indicates that the tracking object is a descendant of a referenced-counted OSObject,...