clang  10.0.0git
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This defines CStringChecker, which is an assortment of checks on calls
10 // to functions in <string.h>.
11 //
12 //===----------------------------------------------------------------------===//
13 
15 #include "InterCheckerAPI.h"
16 #include "clang/Basic/CharInfo.h"
23 #include "llvm/ADT/STLExtras.h"
24 #include "llvm/ADT/SmallString.h"
25 #include "llvm/Support/raw_ostream.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 namespace {
31 enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 };
32 class CStringChecker : public Checker< eval::Call,
33  check::PreStmt<DeclStmt>,
34  check::LiveSymbols,
35  check::DeadSymbols,
36  check::RegionChanges
37  > {
38  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
39  BT_NotCString, BT_AdditionOverflow;
40 
41  mutable const char *CurrentFunctionDescription;
42 
43 public:
44  /// The filter is used to filter out the diagnostics which are not enabled by
45  /// the user.
46  struct CStringChecksFilter {
47  DefaultBool CheckCStringNullArg;
48  DefaultBool CheckCStringOutOfBounds;
49  DefaultBool CheckCStringBufferOverlap;
50  DefaultBool CheckCStringNotNullTerm;
51 
52  CheckerNameRef CheckNameCStringNullArg;
53  CheckerNameRef CheckNameCStringOutOfBounds;
54  CheckerNameRef CheckNameCStringBufferOverlap;
55  CheckerNameRef CheckNameCStringNotNullTerm;
56  };
57 
58  CStringChecksFilter Filter;
59 
60  static void *getTag() { static int tag; return &tag; }
61 
62  bool evalCall(const CallEvent &Call, CheckerContext &C) const;
63  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
64  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
65  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
66 
68  checkRegionChanges(ProgramStateRef state,
69  const InvalidatedSymbols *,
70  ArrayRef<const MemRegion *> ExplicitRegions,
72  const LocationContext *LCtx,
73  const CallEvent *Call) const;
74 
75  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
76  const CallExpr *) const;
77  CallDescriptionMap<FnCheck> Callbacks = {
78  {{CDF_MaybeBuiltin, "memcpy", 3}, &CStringChecker::evalMemcpy},
79  {{CDF_MaybeBuiltin, "mempcpy", 3}, &CStringChecker::evalMempcpy},
80  {{CDF_MaybeBuiltin, "memcmp", 3}, &CStringChecker::evalMemcmp},
81  {{CDF_MaybeBuiltin, "memmove", 3}, &CStringChecker::evalMemmove},
82  {{CDF_MaybeBuiltin, "memset", 3}, &CStringChecker::evalMemset},
83  {{CDF_MaybeBuiltin, "explicit_memset", 3}, &CStringChecker::evalMemset},
84  {{CDF_MaybeBuiltin, "strcpy", 2}, &CStringChecker::evalStrcpy},
85  {{CDF_MaybeBuiltin, "strncpy", 3}, &CStringChecker::evalStrncpy},
86  {{CDF_MaybeBuiltin, "stpcpy", 2}, &CStringChecker::evalStpcpy},
87  {{CDF_MaybeBuiltin, "strlcpy", 3}, &CStringChecker::evalStrlcpy},
88  {{CDF_MaybeBuiltin, "strcat", 2}, &CStringChecker::evalStrcat},
89  {{CDF_MaybeBuiltin, "strncat", 3}, &CStringChecker::evalStrncat},
90  {{CDF_MaybeBuiltin, "strlcat", 3}, &CStringChecker::evalStrlcat},
91  {{CDF_MaybeBuiltin, "strlen", 1}, &CStringChecker::evalstrLength},
92  {{CDF_MaybeBuiltin, "strnlen", 2}, &CStringChecker::evalstrnLength},
93  {{CDF_MaybeBuiltin, "strcmp", 2}, &CStringChecker::evalStrcmp},
94  {{CDF_MaybeBuiltin, "strncmp", 3}, &CStringChecker::evalStrncmp},
95  {{CDF_MaybeBuiltin, "strcasecmp", 2}, &CStringChecker::evalStrcasecmp},
96  {{CDF_MaybeBuiltin, "strncasecmp", 3}, &CStringChecker::evalStrncasecmp},
97  {{CDF_MaybeBuiltin, "strsep", 2}, &CStringChecker::evalStrsep},
98  {{CDF_MaybeBuiltin, "bcopy", 3}, &CStringChecker::evalBcopy},
99  {{CDF_MaybeBuiltin, "bcmp", 3}, &CStringChecker::evalMemcmp},
100  {{CDF_MaybeBuiltin, "bzero", 2}, &CStringChecker::evalBzero},
101  {{CDF_MaybeBuiltin, "explicit_bzero", 2}, &CStringChecker::evalBzero},
102  };
103 
104  // These require a bit of special handling.
105  CallDescription StdCopy{{"std", "copy"}, 3},
106  StdCopyBackward{{"std", "copy_backward"}, 3};
107 
108  FnCheck identifyCall(const CallEvent &Call, CheckerContext &C) const;
109  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
110  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
111  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
112  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
113  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
114  ProgramStateRef state,
115  const Expr *Size,
116  const Expr *Source,
117  const Expr *Dest,
118  bool Restricted = false,
119  bool IsMempcpy = false) const;
120 
121  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
122 
123  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
124  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
125  void evalstrLengthCommon(CheckerContext &C,
126  const CallExpr *CE,
127  bool IsStrnlen = false) const;
128 
129  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
130  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
131  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
132  void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const;
133  void evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, bool ReturnEnd,
134  bool IsBounded, ConcatFnKind appendK,
135  bool returnPtr = true) const;
136 
137  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
138  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
139  void evalStrlcat(CheckerContext &C, const CallExpr *CE) const;
140 
141  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
142  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
143  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
144  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
145  void evalStrcmpCommon(CheckerContext &C,
146  const CallExpr *CE,
147  bool IsBounded = false,
148  bool IgnoreCase = false) const;
149 
150  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
151 
152  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
153  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
154  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
155  void evalMemset(CheckerContext &C, const CallExpr *CE) const;
156  void evalBzero(CheckerContext &C, const CallExpr *CE) const;
157 
158  // Utility methods
159  std::pair<ProgramStateRef , ProgramStateRef >
160  static assumeZero(CheckerContext &C,
161  ProgramStateRef state, SVal V, QualType Ty);
162 
163  static ProgramStateRef setCStringLength(ProgramStateRef state,
164  const MemRegion *MR,
165  SVal strLength);
166  static SVal getCStringLengthForRegion(CheckerContext &C,
167  ProgramStateRef &state,
168  const Expr *Ex,
169  const MemRegion *MR,
170  bool hypothetical);
171  SVal getCStringLength(CheckerContext &C,
172  ProgramStateRef &state,
173  const Expr *Ex,
174  SVal Buf,
175  bool hypothetical = false) const;
176 
177  const StringLiteral *getCStringLiteral(CheckerContext &C,
178  ProgramStateRef &state,
179  const Expr *expr,
180  SVal val) const;
181 
182  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
183  ProgramStateRef state,
184  const Expr *Ex, SVal V,
185  bool IsSourceBuffer,
186  const Expr *Size);
187 
188  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
189  const MemRegion *MR);
190 
191  static bool memsetAux(const Expr *DstBuffer, SVal CharE,
192  const Expr *Size, CheckerContext &C,
194 
195  // Re-usable checks
196  ProgramStateRef checkNonNull(CheckerContext &C,
197  ProgramStateRef state,
198  const Expr *S,
199  SVal l,
200  unsigned IdxOfArg) const;
201  ProgramStateRef CheckLocation(CheckerContext &C,
202  ProgramStateRef state,
203  const Expr *S,
204  SVal l,
205  const char *message = nullptr) const;
206  ProgramStateRef CheckBufferAccess(CheckerContext &C,
207  ProgramStateRef state,
208  const Expr *Size,
209  const Expr *FirstBuf,
210  const Expr *SecondBuf,
211  const char *firstMessage = nullptr,
212  const char *secondMessage = nullptr,
213  bool WarnAboutSize = false) const;
214 
215  ProgramStateRef CheckBufferAccess(CheckerContext &C,
216  ProgramStateRef state,
217  const Expr *Size,
218  const Expr *Buf,
219  const char *message = nullptr,
220  bool WarnAboutSize = false) const {
221  // This is a convenience overload.
222  return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
223  WarnAboutSize);
224  }
225  ProgramStateRef CheckOverlap(CheckerContext &C,
226  ProgramStateRef state,
227  const Expr *Size,
228  const Expr *First,
229  const Expr *Second) const;
230  void emitOverlapBug(CheckerContext &C,
231  ProgramStateRef state,
232  const Stmt *First,
233  const Stmt *Second) const;
234 
235  void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
236  StringRef WarningMsg) const;
237  void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
238  const Stmt *S, StringRef WarningMsg) const;
239  void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
240  const Stmt *S, StringRef WarningMsg) const;
241  void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
242 
243  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
244  ProgramStateRef state,
245  NonLoc left,
246  NonLoc right) const;
247 
248  // Return true if the destination buffer of the copy function may be in bound.
249  // Expects SVal of Size to be positive and unsigned.
250  // Expects SVal of FirstBuf to be a FieldRegion.
251  static bool IsFirstBufInBound(CheckerContext &C,
252  ProgramStateRef state,
253  const Expr *FirstBuf,
254  const Expr *Size);
255 };
256 
257 } //end anonymous namespace
258 
259 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
260 
261 //===----------------------------------------------------------------------===//
262 // Individual checks and utility methods.
263 //===----------------------------------------------------------------------===//
264 
265 std::pair<ProgramStateRef , ProgramStateRef >
266 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
267  QualType Ty) {
268  Optional<DefinedSVal> val = V.getAs<DefinedSVal>();
269  if (!val)
270  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
271 
272  SValBuilder &svalBuilder = C.getSValBuilder();
273  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
274  return state->assume(svalBuilder.evalEQ(state, *val, zero));
275 }
276 
277 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
279  const Expr *S, SVal l,
280  unsigned IdxOfArg) const {
281  // If a previous check has failed, propagate the failure.
282  if (!state)
283  return nullptr;
284 
285  ProgramStateRef stateNull, stateNonNull;
286  std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
287 
288  if (stateNull && !stateNonNull) {
289  if (Filter.CheckCStringNullArg) {
290  SmallString<80> buf;
291  llvm::raw_svector_ostream OS(buf);
292  assert(CurrentFunctionDescription);
293  OS << "Null pointer passed as " << IdxOfArg
294  << llvm::getOrdinalSuffix(IdxOfArg) << " argument to "
295  << CurrentFunctionDescription;
296 
297  emitNullArgBug(C, stateNull, S, OS.str());
298  }
299  return nullptr;
300  }
301 
302  // From here on, assume that the value is non-null.
303  assert(stateNonNull);
304  return stateNonNull;
305 }
306 
307 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
308 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
310  const Expr *S, SVal l,
311  const char *warningMsg) const {
312  // If a previous check has failed, propagate the failure.
313  if (!state)
314  return nullptr;
315 
316  // Check for out of bound array element access.
317  const MemRegion *R = l.getAsRegion();
318  if (!R)
319  return state;
320 
321  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
322  if (!ER)
323  return state;
324 
325  if (ER->getValueType() != C.getASTContext().CharTy)
326  return state;
327 
328  // Get the size of the array.
329  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
330  SValBuilder &svalBuilder = C.getSValBuilder();
331  SVal Extent =
332  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
333  DefinedOrUnknownSVal Size = Extent.castAs<DefinedOrUnknownSVal>();
334 
335  // Get the index of the accessed element.
336  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
337 
338  ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
339  ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
340  if (StOutBound && !StInBound) {
341  // These checks are either enabled by the CString out-of-bounds checker
342  // explicitly or implicitly by the Malloc checker.
343  // In the latter case we only do modeling but do not emit warning.
344  if (!Filter.CheckCStringOutOfBounds)
345  return nullptr;
346  // Emit a bug report.
347  if (warningMsg) {
348  emitOutOfBoundsBug(C, StOutBound, S, warningMsg);
349  } else {
350  assert(CurrentFunctionDescription);
351  assert(CurrentFunctionDescription[0] != '\0');
352 
353  SmallString<80> buf;
354  llvm::raw_svector_ostream os(buf);
355  os << toUppercase(CurrentFunctionDescription[0])
356  << &CurrentFunctionDescription[1]
357  << " accesses out-of-bound array element";
358  emitOutOfBoundsBug(C, StOutBound, S, os.str());
359  }
360  return nullptr;
361  }
362 
363  // Array bound check succeeded. From this point forward the array bound
364  // should always succeed.
365  return StInBound;
366 }
367 
368 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
370  const Expr *Size,
371  const Expr *FirstBuf,
372  const Expr *SecondBuf,
373  const char *firstMessage,
374  const char *secondMessage,
375  bool WarnAboutSize) const {
376  // If a previous check has failed, propagate the failure.
377  if (!state)
378  return nullptr;
379 
380  SValBuilder &svalBuilder = C.getSValBuilder();
381  ASTContext &Ctx = svalBuilder.getContext();
382  const LocationContext *LCtx = C.getLocationContext();
383 
384  QualType sizeTy = Size->getType();
385  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
386 
387  // Check that the first buffer is non-null.
388  SVal BufVal = C.getSVal(FirstBuf);
389  state = checkNonNull(C, state, FirstBuf, BufVal, 1);
390  if (!state)
391  return nullptr;
392 
393  // If out-of-bounds checking is turned off, skip the rest.
394  if (!Filter.CheckCStringOutOfBounds)
395  return state;
396 
397  // Get the access length and make sure it is known.
398  // FIXME: This assumes the caller has already checked that the access length
399  // is positive. And that it's unsigned.
400  SVal LengthVal = C.getSVal(Size);
401  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
402  if (!Length)
403  return state;
404 
405  // Compute the offset of the last element to be accessed: size-1.
406  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
407  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
408  if (Offset.isUnknown())
409  return nullptr;
410  NonLoc LastOffset = Offset.castAs<NonLoc>();
411 
412  // Check that the first buffer is sufficiently long.
413  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
414  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
415  const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
416 
417  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
418  LastOffset, PtrTy);
419  state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
420 
421  // If the buffer isn't large enough, abort.
422  if (!state)
423  return nullptr;
424  }
425 
426  // If there's a second buffer, check it as well.
427  if (SecondBuf) {
428  BufVal = state->getSVal(SecondBuf, LCtx);
429  state = checkNonNull(C, state, SecondBuf, BufVal, 2);
430  if (!state)
431  return nullptr;
432 
433  BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
434  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
435  const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
436 
437  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
438  LastOffset, PtrTy);
439  state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
440  }
441  }
442 
443  // Large enough or not, return this state!
444  return state;
445 }
446 
447 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
449  const Expr *Size,
450  const Expr *First,
451  const Expr *Second) const {
452  if (!Filter.CheckCStringBufferOverlap)
453  return state;
454 
455  // Do a simple check for overlap: if the two arguments are from the same
456  // buffer, see if the end of the first is greater than the start of the second
457  // or vice versa.
458 
459  // If a previous check has failed, propagate the failure.
460  if (!state)
461  return nullptr;
462 
463  ProgramStateRef stateTrue, stateFalse;
464 
465  // Get the buffer values and make sure they're known locations.
466  const LocationContext *LCtx = C.getLocationContext();
467  SVal firstVal = state->getSVal(First, LCtx);
468  SVal secondVal = state->getSVal(Second, LCtx);
469 
470  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
471  if (!firstLoc)
472  return state;
473 
474  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
475  if (!secondLoc)
476  return state;
477 
478  // Are the two values the same?
479  SValBuilder &svalBuilder = C.getSValBuilder();
480  std::tie(stateTrue, stateFalse) =
481  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
482 
483  if (stateTrue && !stateFalse) {
484  // If the values are known to be equal, that's automatically an overlap.
485  emitOverlapBug(C, stateTrue, First, Second);
486  return nullptr;
487  }
488 
489  // assume the two expressions are not equal.
490  assert(stateFalse);
491  state = stateFalse;
492 
493  // Which value comes first?
494  QualType cmpTy = svalBuilder.getConditionType();
495  SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT,
496  *firstLoc, *secondLoc, cmpTy);
497  Optional<DefinedOrUnknownSVal> reverseTest =
498  reverse.getAs<DefinedOrUnknownSVal>();
499  if (!reverseTest)
500  return state;
501 
502  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
503  if (stateTrue) {
504  if (stateFalse) {
505  // If we don't know which one comes first, we can't perform this test.
506  return state;
507  } else {
508  // Switch the values so that firstVal is before secondVal.
509  std::swap(firstLoc, secondLoc);
510 
511  // Switch the Exprs as well, so that they still correspond.
512  std::swap(First, Second);
513  }
514  }
515 
516  // Get the length, and make sure it too is known.
517  SVal LengthVal = state->getSVal(Size, LCtx);
518  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
519  if (!Length)
520  return state;
521 
522  // Convert the first buffer's start address to char*.
523  // Bail out if the cast fails.
524  ASTContext &Ctx = svalBuilder.getContext();
525  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
526  SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy,
527  First->getType());
528  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
529  if (!FirstStartLoc)
530  return state;
531 
532  // Compute the end of the first buffer. Bail out if THAT fails.
533  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add,
534  *FirstStartLoc, *Length, CharPtrTy);
535  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
536  if (!FirstEndLoc)
537  return state;
538 
539  // Is the end of the first buffer past the start of the second buffer?
540  SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT,
541  *FirstEndLoc, *secondLoc, cmpTy);
542  Optional<DefinedOrUnknownSVal> OverlapTest =
543  Overlap.getAs<DefinedOrUnknownSVal>();
544  if (!OverlapTest)
545  return state;
546 
547  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
548 
549  if (stateTrue && !stateFalse) {
550  // Overlap!
551  emitOverlapBug(C, stateTrue, First, Second);
552  return nullptr;
553  }
554 
555  // assume the two expressions don't overlap.
556  assert(stateFalse);
557  return stateFalse;
558 }
559 
560 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
561  const Stmt *First, const Stmt *Second) const {
562  ExplodedNode *N = C.generateErrorNode(state);
563  if (!N)
564  return;
565 
566  if (!BT_Overlap)
567  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
568  categories::UnixAPI, "Improper arguments"));
569 
570  // Generate a report for this bug.
571  auto report = std::make_unique<PathSensitiveBugReport>(
572  *BT_Overlap, "Arguments must not be overlapping buffers", N);
573  report->addRange(First->getSourceRange());
574  report->addRange(Second->getSourceRange());
575 
576  C.emitReport(std::move(report));
577 }
578 
579 void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State,
580  const Stmt *S, StringRef WarningMsg) const {
581  if (ExplodedNode *N = C.generateErrorNode(State)) {
582  if (!BT_Null)
583  BT_Null.reset(new BuiltinBug(
584  Filter.CheckNameCStringNullArg, categories::UnixAPI,
585  "Null pointer argument in call to byte string function"));
586 
587  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Null.get());
588  auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N);
589  Report->addRange(S->getSourceRange());
590  if (const auto *Ex = dyn_cast<Expr>(S))
591  bugreporter::trackExpressionValue(N, Ex, *Report);
592  C.emitReport(std::move(Report));
593  }
594 }
595 
596 void CStringChecker::emitOutOfBoundsBug(CheckerContext &C,
597  ProgramStateRef State, const Stmt *S,
598  StringRef WarningMsg) const {
599  if (ExplodedNode *N = C.generateErrorNode(State)) {
600  if (!BT_Bounds)
601  BT_Bounds.reset(new BuiltinBug(
602  Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds
603  : Filter.CheckNameCStringNullArg,
604  "Out-of-bound array access",
605  "Byte string function accesses out-of-bound array element"));
606 
607  BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Bounds.get());
608 
609  // FIXME: It would be nice to eventually make this diagnostic more clear,
610  // e.g., by referencing the original declaration or by saying *why* this
611  // reference is outside the range.
612  auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N);
613  Report->addRange(S->getSourceRange());
614  C.emitReport(std::move(Report));
615  }
616 }
617 
618 void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
619  const Stmt *S,
620  StringRef WarningMsg) const {
621  if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
622  if (!BT_NotCString)
623  BT_NotCString.reset(new BuiltinBug(
624  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
625  "Argument is not a null-terminated string."));
626 
627  auto Report =
628  std::make_unique<PathSensitiveBugReport>(*BT_NotCString, WarningMsg, N);
629 
630  Report->addRange(S->getSourceRange());
631  C.emitReport(std::move(Report));
632  }
633 }
634 
635 void CStringChecker::emitAdditionOverflowBug(CheckerContext &C,
636  ProgramStateRef State) const {
637  if (ExplodedNode *N = C.generateErrorNode(State)) {
638  if (!BT_NotCString)
639  BT_NotCString.reset(
640  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
641  "Sum of expressions causes overflow."));
642 
643  // This isn't a great error message, but this should never occur in real
644  // code anyway -- you'd have to create a buffer longer than a size_t can
645  // represent, which is sort of a contradiction.
646  const char *WarningMsg =
647  "This expression will create a string whose length is too big to "
648  "be represented as a size_t";
649 
650  auto Report =
651  std::make_unique<PathSensitiveBugReport>(*BT_NotCString, WarningMsg, N);
652  C.emitReport(std::move(Report));
653  }
654 }
655 
656 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
658  NonLoc left,
659  NonLoc right) const {
660  // If out-of-bounds checking is turned off, skip the rest.
661  if (!Filter.CheckCStringOutOfBounds)
662  return state;
663 
664  // If a previous check has failed, propagate the failure.
665  if (!state)
666  return nullptr;
667 
668  SValBuilder &svalBuilder = C.getSValBuilder();
669  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
670 
671  QualType sizeTy = svalBuilder.getContext().getSizeType();
672  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
673  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
674 
675  SVal maxMinusRight;
676  if (right.getAs<nonloc::ConcreteInt>()) {
677  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
678  sizeTy);
679  } else {
680  // Try switching the operands. (The order of these two assignments is
681  // important!)
682  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
683  sizeTy);
684  left = right;
685  }
686 
687  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
688  QualType cmpTy = svalBuilder.getConditionType();
689  // If left > max - right, we have an overflow.
690  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
691  *maxMinusRightNL, cmpTy);
692 
693  ProgramStateRef stateOverflow, stateOkay;
694  std::tie(stateOverflow, stateOkay) =
695  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
696 
697  if (stateOverflow && !stateOkay) {
698  // We have an overflow. Emit a bug report.
699  emitAdditionOverflowBug(C, stateOverflow);
700  return nullptr;
701  }
702 
703  // From now on, assume an overflow didn't occur.
704  assert(stateOkay);
705  state = stateOkay;
706  }
707 
708  return state;
709 }
710 
711 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
712  const MemRegion *MR,
713  SVal strLength) {
714  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
715 
716  MR = MR->StripCasts();
717 
718  switch (MR->getKind()) {
719  case MemRegion::StringRegionKind:
720  // FIXME: This can happen if we strcpy() into a string region. This is
721  // undefined [C99 6.4.5p6], but we should still warn about it.
722  return state;
723 
724  case MemRegion::SymbolicRegionKind:
725  case MemRegion::AllocaRegionKind:
726  case MemRegion::VarRegionKind:
727  case MemRegion::FieldRegionKind:
728  case MemRegion::ObjCIvarRegionKind:
729  // These are the types we can currently track string lengths for.
730  break;
731 
732  case MemRegion::ElementRegionKind:
733  // FIXME: Handle element regions by upper-bounding the parent region's
734  // string length.
735  return state;
736 
737  default:
738  // Other regions (mostly non-data) can't have a reliable C string length.
739  // For now, just ignore the change.
740  // FIXME: These are rare but not impossible. We should output some kind of
741  // warning for things like strcpy((char[]){'a', 0}, "b");
742  return state;
743  }
744 
745  if (strLength.isUnknown())
746  return state->remove<CStringLength>(MR);
747 
748  return state->set<CStringLength>(MR, strLength);
749 }
750 
751 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
753  const Expr *Ex,
754  const MemRegion *MR,
755  bool hypothetical) {
756  if (!hypothetical) {
757  // If there's a recorded length, go ahead and return it.
758  const SVal *Recorded = state->get<CStringLength>(MR);
759  if (Recorded)
760  return *Recorded;
761  }
762 
763  // Otherwise, get a new symbol and update the state.
764  SValBuilder &svalBuilder = C.getSValBuilder();
765  QualType sizeTy = svalBuilder.getContext().getSizeType();
766  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
767  MR, Ex, sizeTy,
768  C.getLocationContext(),
769  C.blockCount());
770 
771  if (!hypothetical) {
772  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
773  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
774  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
775  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
776  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
777  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
778  fourInt);
779  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
780  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
781  maxLength, sizeTy);
782  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
783  }
784  state = state->set<CStringLength>(MR, strLength);
785  }
786 
787  return strLength;
788 }
789 
790 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
791  const Expr *Ex, SVal Buf,
792  bool hypothetical) const {
793  const MemRegion *MR = Buf.getAsRegion();
794  if (!MR) {
795  // If we can't get a region, see if it's something we /know/ isn't a
796  // C string. In the context of locations, the only time we can issue such
797  // a warning is for labels.
798  if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) {
799  if (Filter.CheckCStringNotNullTerm) {
800  SmallString<120> buf;
801  llvm::raw_svector_ostream os(buf);
802  assert(CurrentFunctionDescription);
803  os << "Argument to " << CurrentFunctionDescription
804  << " is the address of the label '" << Label->getLabel()->getName()
805  << "', which is not a null-terminated string";
806 
807  emitNotCStringBug(C, state, Ex, os.str());
808  }
809  return UndefinedVal();
810  }
811 
812  // If it's not a region and not a label, give up.
813  return UnknownVal();
814  }
815 
816  // If we have a region, strip casts from it and see if we can figure out
817  // its length. For anything we can't figure out, just return UnknownVal.
818  MR = MR->StripCasts();
819 
820  switch (MR->getKind()) {
821  case MemRegion::StringRegionKind: {
822  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
823  // so we can assume that the byte length is the correct C string length.
824  SValBuilder &svalBuilder = C.getSValBuilder();
825  QualType sizeTy = svalBuilder.getContext().getSizeType();
826  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
827  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
828  }
829  case MemRegion::SymbolicRegionKind:
830  case MemRegion::AllocaRegionKind:
831  case MemRegion::VarRegionKind:
832  case MemRegion::FieldRegionKind:
833  case MemRegion::ObjCIvarRegionKind:
834  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
835  case MemRegion::CompoundLiteralRegionKind:
836  // FIXME: Can we track this? Is it necessary?
837  return UnknownVal();
838  case MemRegion::ElementRegionKind:
839  // FIXME: How can we handle this? It's not good enough to subtract the
840  // offset from the base string length; consider "123\x00567" and &a[5].
841  return UnknownVal();
842  default:
843  // Other regions (mostly non-data) can't have a reliable C string length.
844  // In this case, an error is emitted and UndefinedVal is returned.
845  // The caller should always be prepared to handle this case.
846  if (Filter.CheckCStringNotNullTerm) {
847  SmallString<120> buf;
848  llvm::raw_svector_ostream os(buf);
849 
850  assert(CurrentFunctionDescription);
851  os << "Argument to " << CurrentFunctionDescription << " is ";
852 
853  if (SummarizeRegion(os, C.getASTContext(), MR))
854  os << ", which is not a null-terminated string";
855  else
856  os << "not a null-terminated string";
857 
858  emitNotCStringBug(C, state, Ex, os.str());
859  }
860  return UndefinedVal();
861  }
862 }
863 
864 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
865  ProgramStateRef &state, const Expr *expr, SVal val) const {
866 
867  // Get the memory region pointed to by the val.
868  const MemRegion *bufRegion = val.getAsRegion();
869  if (!bufRegion)
870  return nullptr;
871 
872  // Strip casts off the memory region.
873  bufRegion = bufRegion->StripCasts();
874 
875  // Cast the memory region to a string region.
876  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
877  if (!strRegion)
878  return nullptr;
879 
880  // Return the actual string in the string region.
881  return strRegion->getStringLiteral();
882 }
883 
884 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
886  const Expr *FirstBuf,
887  const Expr *Size) {
888  // If we do not know that the buffer is long enough we return 'true'.
889  // Otherwise the parent region of this field region would also get
890  // invalidated, which would lead to warnings based on an unknown state.
891 
892  // Originally copied from CheckBufferAccess and CheckLocation.
893  SValBuilder &svalBuilder = C.getSValBuilder();
894  ASTContext &Ctx = svalBuilder.getContext();
895  const LocationContext *LCtx = C.getLocationContext();
896 
897  QualType sizeTy = Size->getType();
898  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
899  SVal BufVal = state->getSVal(FirstBuf, LCtx);
900 
901  SVal LengthVal = state->getSVal(Size, LCtx);
902  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
903  if (!Length)
904  return true; // cf top comment.
905 
906  // Compute the offset of the last element to be accessed: size-1.
907  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
908  SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
909  if (Offset.isUnknown())
910  return true; // cf top comment
911  NonLoc LastOffset = Offset.castAs<NonLoc>();
912 
913  // Check that the first buffer is sufficiently long.
914  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
915  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
916  if (!BufLoc)
917  return true; // cf top comment.
918 
919  SVal BufEnd =
920  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
921 
922  // Check for out of bound array element access.
923  const MemRegion *R = BufEnd.getAsRegion();
924  if (!R)
925  return true; // cf top comment.
926 
927  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
928  if (!ER)
929  return true; // cf top comment.
930 
931  // FIXME: Does this crash when a non-standard definition
932  // of a library function is encountered?
933  assert(ER->getValueType() == C.getASTContext().CharTy &&
934  "IsFirstBufInBound should only be called with char* ElementRegions");
935 
936  // Get the size of the array.
937  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
938  SVal Extent =
939  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
940  DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
941 
942  // Get the index of the accessed element.
943  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
944 
945  ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true);
946 
947  return static_cast<bool>(StInBound);
948 }
949 
950 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
952  const Expr *E, SVal V,
953  bool IsSourceBuffer,
954  const Expr *Size) {
955  Optional<Loc> L = V.getAs<Loc>();
956  if (!L)
957  return state;
958 
959  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
960  // some assumptions about the value that CFRefCount can't. Even so, it should
961  // probably be refactored.
962  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
963  const MemRegion *R = MR->getRegion()->StripCasts();
964 
965  // Are we dealing with an ElementRegion? If so, we should be invalidating
966  // the super-region.
967  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
968  R = ER->getSuperRegion();
969  // FIXME: What about layers of ElementRegions?
970  }
971 
972  // Invalidate this region.
973  const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
974 
975  bool CausesPointerEscape = false;
976  RegionAndSymbolInvalidationTraits ITraits;
977  // Invalidate and escape only indirect regions accessible through the source
978  // buffer.
979  if (IsSourceBuffer) {
980  ITraits.setTrait(R->getBaseRegion(),
983  CausesPointerEscape = true;
984  } else {
985  const MemRegion::Kind& K = R->getKind();
986  if (K == MemRegion::FieldRegionKind)
987  if (Size && IsFirstBufInBound(C, state, E, Size)) {
988  // If destination buffer is a field region and access is in bound,
989  // do not invalidate its super region.
990  ITraits.setTrait(
991  R,
993  }
994  }
995 
996  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
997  CausesPointerEscape, nullptr, nullptr,
998  &ITraits);
999  }
1000 
1001  // If we have a non-region value by chance, just remove the binding.
1002  // FIXME: is this necessary or correct? This handles the non-Region
1003  // cases. Is it ever valid to store to these?
1004  return state->killBinding(*L);
1005 }
1006 
1007 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
1008  const MemRegion *MR) {
1009  switch (MR->getKind()) {
1010  case MemRegion::FunctionCodeRegionKind: {
1011  if (const auto *FD = cast<FunctionCodeRegion>(MR)->getDecl())
1012  os << "the address of the function '" << *FD << '\'';
1013  else
1014  os << "the address of a function";
1015  return true;
1016  }
1017  case MemRegion::BlockCodeRegionKind:
1018  os << "block text";
1019  return true;
1020  case MemRegion::BlockDataRegionKind:
1021  os << "a block";
1022  return true;
1023  case MemRegion::CXXThisRegionKind:
1024  case MemRegion::CXXTempObjectRegionKind:
1025  os << "a C++ temp object of type "
1026  << cast<TypedValueRegion>(MR)->getValueType().getAsString();
1027  return true;
1028  case MemRegion::VarRegionKind:
1029  os << "a variable of type"
1030  << cast<TypedValueRegion>(MR)->getValueType().getAsString();
1031  return true;
1032  case MemRegion::FieldRegionKind:
1033  os << "a field of type "
1034  << cast<TypedValueRegion>(MR)->getValueType().getAsString();
1035  return true;
1036  case MemRegion::ObjCIvarRegionKind:
1037  os << "an instance variable of type "
1038  << cast<TypedValueRegion>(MR)->getValueType().getAsString();
1039  return true;
1040  default:
1041  return false;
1042  }
1043 }
1044 
1045 bool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal,
1046  const Expr *Size, CheckerContext &C,
1048  SVal MemVal = C.getSVal(DstBuffer);
1049  SVal SizeVal = C.getSVal(Size);
1050  const MemRegion *MR = MemVal.getAsRegion();
1051  if (!MR)
1052  return false;
1053 
1054  // We're about to model memset by producing a "default binding" in the Store.
1055  // Our current implementation - RegionStore - doesn't support default bindings
1056  // that don't cover the whole base region. So we should first get the offset
1057  // and the base region to figure out whether the offset of buffer is 0.
1058  RegionOffset Offset = MR->getAsOffset();
1059  const MemRegion *BR = Offset.getRegion();
1060 
1061  Optional<NonLoc> SizeNL = SizeVal.getAs<NonLoc>();
1062  if (!SizeNL)
1063  return false;
1064 
1065  SValBuilder &svalBuilder = C.getSValBuilder();
1066  ASTContext &Ctx = C.getASTContext();
1067 
1068  // void *memset(void *dest, int ch, size_t count);
1069  // For now we can only handle the case of offset is 0 and concrete char value.
1070  if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
1071  Offset.getOffset() == 0) {
1072  // Get the base region's extent.
1073  auto *SubReg = cast<SubRegion>(BR);
1074  DefinedOrUnknownSVal Extent = SubReg->getExtent(svalBuilder);
1075 
1076  ProgramStateRef StateWholeReg, StateNotWholeReg;
1077  std::tie(StateWholeReg, StateNotWholeReg) =
1078  State->assume(svalBuilder.evalEQ(State, Extent, *SizeNL));
1079 
1080  // With the semantic of 'memset()', we should convert the CharVal to
1081  // unsigned char.
1082  CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);
1083 
1084  ProgramStateRef StateNullChar, StateNonNullChar;
1085  std::tie(StateNullChar, StateNonNullChar) =
1086  assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
1087 
1088  if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
1089  !StateNonNullChar) {
1090  // If the 'memset()' acts on the whole region of destination buffer and
1091  // the value of the second argument of 'memset()' is zero, bind the second
1092  // argument's value to the destination buffer with 'default binding'.
1093  // FIXME: Since there is no perfect way to bind the non-zero character, we
1094  // can only deal with zero value here. In the future, we need to deal with
1095  // the binding of non-zero value in the case of whole region.
1096  State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
1097  C.getLocationContext());
1098  } else {
1099  // If the destination buffer's extent is not equal to the value of
1100  // third argument, just invalidate buffer.
1101  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1102  /*IsSourceBuffer*/ false, Size);
1103  }
1104 
1105  if (StateNullChar && !StateNonNullChar) {
1106  // If the value of the second argument of 'memset()' is zero, set the
1107  // string length of destination buffer to 0 directly.
1108  State = setCStringLength(State, MR,
1109  svalBuilder.makeZeroVal(Ctx.getSizeType()));
1110  } else if (!StateNullChar && StateNonNullChar) {
1111  SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
1112  CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
1113  C.getLocationContext(), C.blockCount());
1114 
1115  // If the value of second argument is not zero, then the string length
1116  // is at least the size argument.
1117  SVal NewStrLenGESize = svalBuilder.evalBinOp(
1118  State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
1119 
1120  State = setCStringLength(
1121  State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
1122  MR, NewStrLen);
1123  }
1124  } else {
1125  // If the offset is not zero and char value is not concrete, we can do
1126  // nothing but invalidate the buffer.
1127  State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1128  /*IsSourceBuffer*/ false, Size);
1129  }
1130  return true;
1131 }
1132 
1133 //===----------------------------------------------------------------------===//
1134 // evaluation of individual function calls.
1135 //===----------------------------------------------------------------------===//
1136 
1137 void CStringChecker::evalCopyCommon(CheckerContext &C,
1138  const CallExpr *CE,
1140  const Expr *Size, const Expr *Dest,
1141  const Expr *Source, bool Restricted,
1142  bool IsMempcpy) const {
1143  CurrentFunctionDescription = "memory copy function";
1144 
1145  // See if the size argument is zero.
1146  const LocationContext *LCtx = C.getLocationContext();
1147  SVal sizeVal = state->getSVal(Size, LCtx);
1148  QualType sizeTy = Size->getType();
1149 
1150  ProgramStateRef stateZeroSize, stateNonZeroSize;
1151  std::tie(stateZeroSize, stateNonZeroSize) =
1152  assumeZero(C, state, sizeVal, sizeTy);
1153 
1154  // Get the value of the Dest.
1155  SVal destVal = state->getSVal(Dest, LCtx);
1156 
1157  // If the size is zero, there won't be any actual memory access, so
1158  // just bind the return value to the destination buffer and return.
1159  if (stateZeroSize && !stateNonZeroSize) {
1160  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1161  C.addTransition(stateZeroSize);
1162  return;
1163  }
1164 
1165  // If the size can be nonzero, we have to check the other arguments.
1166  if (stateNonZeroSize) {
1167  state = stateNonZeroSize;
1168 
1169  // Ensure the destination is not null. If it is NULL there will be a
1170  // NULL pointer dereference.
1171  state = checkNonNull(C, state, Dest, destVal, 1);
1172  if (!state)
1173  return;
1174 
1175  // Get the value of the Src.
1176  SVal srcVal = state->getSVal(Source, LCtx);
1177 
1178  // Ensure the source is not null. If it is NULL there will be a
1179  // NULL pointer dereference.
1180  state = checkNonNull(C, state, Source, srcVal, 2);
1181  if (!state)
1182  return;
1183 
1184  // Ensure the accesses are valid and that the buffers do not overlap.
1185  const char * const writeWarning =
1186  "Memory copy function overflows destination buffer";
1187  state = CheckBufferAccess(C, state, Size, Dest, Source,
1188  writeWarning, /* sourceWarning = */ nullptr);
1189  if (Restricted)
1190  state = CheckOverlap(C, state, Size, Dest, Source);
1191 
1192  if (!state)
1193  return;
1194 
1195  // If this is mempcpy, get the byte after the last byte copied and
1196  // bind the expr.
1197  if (IsMempcpy) {
1198  // Get the byte after the last byte copied.
1199  SValBuilder &SvalBuilder = C.getSValBuilder();
1200  ASTContext &Ctx = SvalBuilder.getContext();
1201  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1202  SVal DestRegCharVal =
1203  SvalBuilder.evalCast(destVal, CharPtrTy, Dest->getType());
1204  SVal lastElement = C.getSValBuilder().evalBinOp(
1205  state, BO_Add, DestRegCharVal, sizeVal, Dest->getType());
1206  // If we don't know how much we copied, we can at least
1207  // conjure a return value for later.
1208  if (lastElement.isUnknown())
1209  lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1210  C.blockCount());
1211 
1212  // The byte after the last byte copied is the return value.
1213  state = state->BindExpr(CE, LCtx, lastElement);
1214  } else {
1215  // All other copies return the destination buffer.
1216  // (Well, bcopy() has a void return type, but this won't hurt.)
1217  state = state->BindExpr(CE, LCtx, destVal);
1218  }
1219 
1220  // Invalidate the destination (regular invalidation without pointer-escaping
1221  // the address of the top-level region).
1222  // FIXME: Even if we can't perfectly model the copy, we should see if we
1223  // can use LazyCompoundVals to copy the source values into the destination.
1224  // This would probably remove any existing bindings past the end of the
1225  // copied region, but that's still an improvement over blank invalidation.
1226  state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest),
1227  /*IsSourceBuffer*/false, Size);
1228 
1229  // Invalidate the source (const-invalidation without const-pointer-escaping
1230  // the address of the top-level region).
1231  state = InvalidateBuffer(C, state, Source, C.getSVal(Source),
1232  /*IsSourceBuffer*/true, nullptr);
1233 
1234  C.addTransition(state);
1235  }
1236 }
1237 
1238 
1239 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1240  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1241  // The return value is the address of the destination buffer.
1242  const Expr *Dest = CE->getArg(0);
1243  ProgramStateRef state = C.getState();
1244 
1245  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true);
1246 }
1247 
1248 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1249  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1250  // The return value is a pointer to the byte following the last written byte.
1251  const Expr *Dest = CE->getArg(0);
1252  ProgramStateRef state = C.getState();
1253 
1254  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
1255 }
1256 
1257 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1258  // void *memmove(void *dst, const void *src, size_t n);
1259  // The return value is the address of the destination buffer.
1260  const Expr *Dest = CE->getArg(0);
1261  ProgramStateRef state = C.getState();
1262 
1263  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
1264 }
1265 
1266 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1267  // void bcopy(const void *src, void *dst, size_t n);
1268  evalCopyCommon(C, CE, C.getState(),
1269  CE->getArg(2), CE->getArg(1), CE->getArg(0));
1270 }
1271 
1272 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1273  // int memcmp(const void *s1, const void *s2, size_t n);
1274  CurrentFunctionDescription = "memory comparison function";
1275 
1276  const Expr *Left = CE->getArg(0);
1277  const Expr *Right = CE->getArg(1);
1278  const Expr *Size = CE->getArg(2);
1279 
1280  ProgramStateRef state = C.getState();
1281  SValBuilder &svalBuilder = C.getSValBuilder();
1282 
1283  // See if the size argument is zero.
1284  const LocationContext *LCtx = C.getLocationContext();
1285  SVal sizeVal = state->getSVal(Size, LCtx);
1286  QualType sizeTy = Size->getType();
1287 
1288  ProgramStateRef stateZeroSize, stateNonZeroSize;
1289  std::tie(stateZeroSize, stateNonZeroSize) =
1290  assumeZero(C, state, sizeVal, sizeTy);
1291 
1292  // If the size can be zero, the result will be 0 in that case, and we don't
1293  // have to check either of the buffers.
1294  if (stateZeroSize) {
1295  state = stateZeroSize;
1296  state = state->BindExpr(CE, LCtx,
1297  svalBuilder.makeZeroVal(CE->getType()));
1298  C.addTransition(state);
1299  }
1300 
1301  // If the size can be nonzero, we have to check the other arguments.
1302  if (stateNonZeroSize) {
1303  state = stateNonZeroSize;
1304  // If we know the two buffers are the same, we know the result is 0.
1305  // First, get the two buffers' addresses. Another checker will have already
1306  // made sure they're not undefined.
1307  DefinedOrUnknownSVal LV =
1308  state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>();
1309  DefinedOrUnknownSVal RV =
1310  state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>();
1311 
1312  // See if they are the same.
1313  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1314  ProgramStateRef StSameBuf, StNotSameBuf;
1315  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1316 
1317  // If the two arguments are the same buffer, we know the result is 0,
1318  // and we only need to check one size.
1319  if (StSameBuf && !StNotSameBuf) {
1320  state = StSameBuf;
1321  state = CheckBufferAccess(C, state, Size, Left);
1322  if (state) {
1323  state = StSameBuf->BindExpr(CE, LCtx,
1324  svalBuilder.makeZeroVal(CE->getType()));
1325  C.addTransition(state);
1326  }
1327  return;
1328  }
1329 
1330  // If the two arguments might be different buffers, we have to check
1331  // the size of both of them.
1332  assert(StNotSameBuf);
1333  state = CheckBufferAccess(C, state, Size, Left, Right);
1334  if (state) {
1335  // The return value is the comparison result, which we don't know.
1336  SVal CmpV =
1337  svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1338  state = state->BindExpr(CE, LCtx, CmpV);
1339  C.addTransition(state);
1340  }
1341  }
1342 }
1343 
1344 void CStringChecker::evalstrLength(CheckerContext &C,
1345  const CallExpr *CE) const {
1346  // size_t strlen(const char *s);
1347  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1348 }
1349 
1350 void CStringChecker::evalstrnLength(CheckerContext &C,
1351  const CallExpr *CE) const {
1352  // size_t strnlen(const char *s, size_t maxlen);
1353  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1354 }
1355 
1356 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1357  bool IsStrnlen) const {
1358  CurrentFunctionDescription = "string length function";
1359  ProgramStateRef state = C.getState();
1360  const LocationContext *LCtx = C.getLocationContext();
1361 
1362  if (IsStrnlen) {
1363  const Expr *maxlenExpr = CE->getArg(1);
1364  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1365 
1366  ProgramStateRef stateZeroSize, stateNonZeroSize;
1367  std::tie(stateZeroSize, stateNonZeroSize) =
1368  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1369 
1370  // If the size can be zero, the result will be 0 in that case, and we don't
1371  // have to check the string itself.
1372  if (stateZeroSize) {
1373  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1374  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1375  C.addTransition(stateZeroSize);
1376  }
1377 
1378  // If the size is GUARANTEED to be zero, we're done!
1379  if (!stateNonZeroSize)
1380  return;
1381 
1382  // Otherwise, record the assumption that the size is nonzero.
1383  state = stateNonZeroSize;
1384  }
1385 
1386  // Check that the string argument is non-null.
1387  const Expr *Arg = CE->getArg(0);
1388  SVal ArgVal = state->getSVal(Arg, LCtx);
1389 
1390  state = checkNonNull(C, state, Arg, ArgVal, 1);
1391 
1392  if (!state)
1393  return;
1394 
1395  SVal strLength = getCStringLength(C, state, Arg, ArgVal);
1396 
1397  // If the argument isn't a valid C string, there's no valid state to
1398  // transition to.
1399  if (strLength.isUndef())
1400  return;
1401 
1402  DefinedOrUnknownSVal result = UnknownVal();
1403 
1404  // If the check is for strnlen() then bind the return value to no more than
1405  // the maxlen value.
1406  if (IsStrnlen) {
1407  QualType cmpTy = C.getSValBuilder().getConditionType();
1408 
1409  // It's a little unfortunate to be getting this again,
1410  // but it's not that expensive...
1411  const Expr *maxlenExpr = CE->getArg(1);
1412  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1413 
1414  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1415  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1416 
1417  if (strLengthNL && maxlenValNL) {
1418  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1419 
1420  // Check if the strLength is greater than the maxlen.
1421  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1422  C.getSValBuilder()
1423  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1424  .castAs<DefinedOrUnknownSVal>());
1425 
1426  if (stateStringTooLong && !stateStringNotTooLong) {
1427  // If the string is longer than maxlen, return maxlen.
1428  result = *maxlenValNL;
1429  } else if (stateStringNotTooLong && !stateStringTooLong) {
1430  // If the string is shorter than maxlen, return its length.
1431  result = *strLengthNL;
1432  }
1433  }
1434 
1435  if (result.isUnknown()) {
1436  // If we don't have enough information for a comparison, there's
1437  // no guarantee the full string length will actually be returned.
1438  // All we know is the return value is the min of the string length
1439  // and the limit. This is better than nothing.
1440  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1441  C.blockCount());
1442  NonLoc resultNL = result.castAs<NonLoc>();
1443 
1444  if (strLengthNL) {
1445  state = state->assume(C.getSValBuilder().evalBinOpNN(
1446  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1447  .castAs<DefinedOrUnknownSVal>(), true);
1448  }
1449 
1450  if (maxlenValNL) {
1451  state = state->assume(C.getSValBuilder().evalBinOpNN(
1452  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1453  .castAs<DefinedOrUnknownSVal>(), true);
1454  }
1455  }
1456 
1457  } else {
1458  // This is a plain strlen(), not strnlen().
1459  result = strLength.castAs<DefinedOrUnknownSVal>();
1460 
1461  // If we don't know the length of the string, conjure a return
1462  // value, so it can be used in constraints, at least.
1463  if (result.isUnknown()) {
1464  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1465  C.blockCount());
1466  }
1467  }
1468 
1469  // Bind the return value.
1470  assert(!result.isUnknown() && "Should have conjured a value by now");
1471  state = state->BindExpr(CE, LCtx, result);
1472  C.addTransition(state);
1473 }
1474 
1475 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1476  // char *strcpy(char *restrict dst, const char *restrict src);
1477  evalStrcpyCommon(C, CE,
1478  /* ReturnEnd = */ false,
1479  /* IsBounded = */ false,
1480  /* appendK = */ ConcatFnKind::none);
1481 }
1482 
1483 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1484  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1485  evalStrcpyCommon(C, CE,
1486  /* ReturnEnd = */ false,
1487  /* IsBounded = */ true,
1488  /* appendK = */ ConcatFnKind::none);
1489 }
1490 
1491 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1492  // char *stpcpy(char *restrict dst, const char *restrict src);
1493  evalStrcpyCommon(C, CE,
1494  /* ReturnEnd = */ true,
1495  /* IsBounded = */ false,
1496  /* appendK = */ ConcatFnKind::none);
1497 }
1498 
1499 void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const {
1500  // size_t strlcpy(char *dest, const char *src, size_t size);
1501  evalStrcpyCommon(C, CE,
1502  /* ReturnEnd = */ true,
1503  /* IsBounded = */ true,
1504  /* appendK = */ ConcatFnKind::none,
1505  /* returnPtr = */ false);
1506 }
1507 
1508 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1509  // char *strcat(char *restrict s1, const char *restrict s2);
1510  evalStrcpyCommon(C, CE,
1511  /* ReturnEnd = */ false,
1512  /* IsBounded = */ false,
1513  /* appendK = */ ConcatFnKind::strcat);
1514 }
1515 
1516 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1517  //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1518  evalStrcpyCommon(C, CE,
1519  /* ReturnEnd = */ false,
1520  /* IsBounded = */ true,
1521  /* appendK = */ ConcatFnKind::strcat);
1522 }
1523 
1524 void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const {
1525  // size_t strlcat(char *dst, const char *src, size_t size);
1526  // It will append at most size - strlen(dst) - 1 bytes,
1527  // NULL-terminating the result.
1528  evalStrcpyCommon(C, CE,
1529  /* ReturnEnd = */ false,
1530  /* IsBounded = */ true,
1531  /* appendK = */ ConcatFnKind::strlcat,
1532  /* returnPtr = */ false);
1533 }
1534 
1535 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1536  bool ReturnEnd, bool IsBounded,
1537  ConcatFnKind appendK,
1538  bool returnPtr) const {
1539  if (appendK == ConcatFnKind::none)
1540  CurrentFunctionDescription = "string copy function";
1541  else
1542  CurrentFunctionDescription = "string concatenation function";
1543  ProgramStateRef state = C.getState();
1544  const LocationContext *LCtx = C.getLocationContext();
1545 
1546  // Check that the destination is non-null.
1547  const Expr *Dst = CE->getArg(0);
1548  SVal DstVal = state->getSVal(Dst, LCtx);
1549 
1550  state = checkNonNull(C, state, Dst, DstVal, 1);
1551  if (!state)
1552  return;
1553 
1554  // Check that the source is non-null.
1555  const Expr *srcExpr = CE->getArg(1);
1556  SVal srcVal = state->getSVal(srcExpr, LCtx);
1557  state = checkNonNull(C, state, srcExpr, srcVal, 2);
1558  if (!state)
1559  return;
1560 
1561  // Get the string length of the source.
1562  SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
1563  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1564 
1565  // Get the string length of the destination buffer.
1566  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1567  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1568 
1569  // If the source isn't a valid C string, give up.
1570  if (strLength.isUndef())
1571  return;
1572 
1573  SValBuilder &svalBuilder = C.getSValBuilder();
1574  QualType cmpTy = svalBuilder.getConditionType();
1575  QualType sizeTy = svalBuilder.getContext().getSizeType();
1576 
1577  // These two values allow checking two kinds of errors:
1578  // - actual overflows caused by a source that doesn't fit in the destination
1579  // - potential overflows caused by a bound that could exceed the destination
1580  SVal amountCopied = UnknownVal();
1581  SVal maxLastElementIndex = UnknownVal();
1582  const char *boundWarning = nullptr;
1583 
1584  state = CheckOverlap(C, state, IsBounded ? CE->getArg(2) : CE->getArg(1), Dst,
1585  srcExpr);
1586 
1587  if (!state)
1588  return;
1589 
1590  // If the function is strncpy, strncat, etc... it is bounded.
1591  if (IsBounded) {
1592  // Get the max number of characters to copy.
1593  const Expr *lenExpr = CE->getArg(2);
1594  SVal lenVal = state->getSVal(lenExpr, LCtx);
1595 
1596  // Protect against misdeclared strncpy().
1597  lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
1598 
1599  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1600 
1601  // If we know both values, we might be able to figure out how much
1602  // we're copying.
1603  if (strLengthNL && lenValNL) {
1604  switch (appendK) {
1605  case ConcatFnKind::none:
1606  case ConcatFnKind::strcat: {
1607  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1608  // Check if the max number to copy is less than the length of the src.
1609  // If the bound is equal to the source length, strncpy won't null-
1610  // terminate the result!
1611  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1612  svalBuilder
1613  .evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1614  .castAs<DefinedOrUnknownSVal>());
1615 
1616  if (stateSourceTooLong && !stateSourceNotTooLong) {
1617  // Max number to copy is less than the length of the src, so the
1618  // actual strLength copied is the max number arg.
1619  state = stateSourceTooLong;
1620  amountCopied = lenVal;
1621 
1622  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1623  // The source buffer entirely fits in the bound.
1624  state = stateSourceNotTooLong;
1625  amountCopied = strLength;
1626  }
1627  break;
1628  }
1629  case ConcatFnKind::strlcat:
1630  if (!dstStrLengthNL)
1631  return;
1632 
1633  // amountCopied = min (size - dstLen - 1 , srcLen)
1634  SVal freeSpace = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1635  *dstStrLengthNL, sizeTy);
1636  if (!freeSpace.getAs<NonLoc>())
1637  return;
1638  freeSpace =
1639  svalBuilder.evalBinOp(state, BO_Sub, freeSpace,
1640  svalBuilder.makeIntVal(1, sizeTy), sizeTy);
1641  Optional<NonLoc> freeSpaceNL = freeSpace.getAs<NonLoc>();
1642 
1643  // While unlikely, it is possible that the subtraction is
1644  // too complex to compute, let's check whether it succeeded.
1645  if (!freeSpaceNL)
1646  return;
1647  SVal hasEnoughSpace = svalBuilder.evalBinOpNN(
1648  state, BO_LE, *strLengthNL, *freeSpaceNL, cmpTy);
1649 
1650  ProgramStateRef TrueState, FalseState;
1651  std::tie(TrueState, FalseState) =
1652  state->assume(hasEnoughSpace.castAs<DefinedOrUnknownSVal>());
1653 
1654  // srcStrLength <= size - dstStrLength -1
1655  if (TrueState && !FalseState) {
1656  amountCopied = strLength;
1657  }
1658 
1659  // srcStrLength > size - dstStrLength -1
1660  if (!TrueState && FalseState) {
1661  amountCopied = freeSpace;
1662  }
1663 
1664  if (TrueState && FalseState)
1665  amountCopied = UnknownVal();
1666  break;
1667  }
1668  }
1669  // We still want to know if the bound is known to be too large.
1670  if (lenValNL) {
1671  switch (appendK) {
1672  case ConcatFnKind::strcat:
1673  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1674 
1675  // Get the string length of the destination. If the destination is
1676  // memory that can't have a string length, we shouldn't be copying
1677  // into it anyway.
1678  if (dstStrLength.isUndef())
1679  return;
1680 
1681  if (dstStrLengthNL) {
1682  maxLastElementIndex = svalBuilder.evalBinOpNN(
1683  state, BO_Add, *lenValNL, *dstStrLengthNL, sizeTy);
1684 
1685  boundWarning = "Size argument is greater than the free space in the "
1686  "destination buffer";
1687  }
1688  break;
1689  case ConcatFnKind::none:
1690  case ConcatFnKind::strlcat:
1691  // For strncpy and strlcat, this is just checking
1692  // that lenVal <= sizeof(dst).
1693  // (Yes, strncpy and strncat differ in how they treat termination.
1694  // strncat ALWAYS terminates, but strncpy doesn't.)
1695 
1696  // We need a special case for when the copy size is zero, in which
1697  // case strncpy will do no work at all. Our bounds check uses n-1
1698  // as the last element accessed, so n == 0 is problematic.
1699  ProgramStateRef StateZeroSize, StateNonZeroSize;
1700  std::tie(StateZeroSize, StateNonZeroSize) =
1701  assumeZero(C, state, *lenValNL, sizeTy);
1702 
1703  // If the size is known to be zero, we're done.
1704  if (StateZeroSize && !StateNonZeroSize) {
1705  if (returnPtr) {
1706  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1707  } else {
1708  if (appendK == ConcatFnKind::none) {
1709  // strlcpy returns strlen(src)
1710  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, strLength);
1711  } else {
1712  // strlcat returns strlen(src) + strlen(dst)
1713  SVal retSize = svalBuilder.evalBinOp(
1714  state, BO_Add, strLength, dstStrLength, sizeTy);
1715  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, retSize);
1716  }
1717  }
1718  C.addTransition(StateZeroSize);
1719  return;
1720  }
1721 
1722  // Otherwise, go ahead and figure out the last element we'll touch.
1723  // We don't record the non-zero assumption here because we can't
1724  // be sure. We won't warn on a possible zero.
1725  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1726  maxLastElementIndex =
1727  svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, one, sizeTy);
1728  boundWarning = "Size argument is greater than the length of the "
1729  "destination buffer";
1730  break;
1731  }
1732  }
1733  } else {
1734  // The function isn't bounded. The amount copied should match the length
1735  // of the source buffer.
1736  amountCopied = strLength;
1737  }
1738 
1739  assert(state);
1740 
1741  // This represents the number of characters copied into the destination
1742  // buffer. (It may not actually be the strlen if the destination buffer
1743  // is not terminated.)
1744  SVal finalStrLength = UnknownVal();
1745  SVal strlRetVal = UnknownVal();
1746 
1747  if (appendK == ConcatFnKind::none && !returnPtr) {
1748  // strlcpy returns the sizeof(src)
1749  strlRetVal = strLength;
1750  }
1751 
1752  // If this is an appending function (strcat, strncat...) then set the
1753  // string length to strlen(src) + strlen(dst) since the buffer will
1754  // ultimately contain both.
1755  if (appendK != ConcatFnKind::none) {
1756  // Get the string length of the destination. If the destination is memory
1757  // that can't have a string length, we shouldn't be copying into it anyway.
1758  if (dstStrLength.isUndef())
1759  return;
1760 
1761  if (appendK == ConcatFnKind::strlcat && dstStrLengthNL && strLengthNL) {
1762  strlRetVal = svalBuilder.evalBinOpNN(state, BO_Add, *strLengthNL,
1763  *dstStrLengthNL, sizeTy);
1764  }
1765 
1766  Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>();
1767 
1768  // If we know both string lengths, we might know the final string length.
1769  if (amountCopiedNL && dstStrLengthNL) {
1770  // Make sure the two lengths together don't overflow a size_t.
1771  state = checkAdditionOverflow(C, state, *amountCopiedNL, *dstStrLengthNL);
1772  if (!state)
1773  return;
1774 
1775  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *amountCopiedNL,
1776  *dstStrLengthNL, sizeTy);
1777  }
1778 
1779  // If we couldn't get a single value for the final string length,
1780  // we can at least bound it by the individual lengths.
1781  if (finalStrLength.isUnknown()) {
1782  // Try to get a "hypothetical" string length symbol, which we can later
1783  // set as a real value if that turns out to be the case.
1784  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1785  assert(!finalStrLength.isUndef());
1786 
1787  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1788  if (amountCopiedNL && appendK == ConcatFnKind::none) {
1789  // we overwrite dst string with the src
1790  // finalStrLength >= srcStrLength
1791  SVal sourceInResult = svalBuilder.evalBinOpNN(
1792  state, BO_GE, *finalStrLengthNL, *amountCopiedNL, cmpTy);
1793  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1794  true);
1795  if (!state)
1796  return;
1797  }
1798 
1799  if (dstStrLengthNL && appendK != ConcatFnKind::none) {
1800  // we extend the dst string with the src
1801  // finalStrLength >= dstStrLength
1802  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1803  *finalStrLengthNL,
1804  *dstStrLengthNL,
1805  cmpTy);
1806  state =
1807  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1808  if (!state)
1809  return;
1810  }
1811  }
1812  }
1813 
1814  } else {
1815  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1816  // the final string length will match the input string length.
1817  finalStrLength = amountCopied;
1818  }
1819 
1820  SVal Result;
1821 
1822  if (returnPtr) {
1823  // The final result of the function will either be a pointer past the last
1824  // copied element, or a pointer to the start of the destination buffer.
1825  Result = (ReturnEnd ? UnknownVal() : DstVal);
1826  } else {
1827  if (appendK == ConcatFnKind::strlcat || appendK == ConcatFnKind::none)
1828  //strlcpy, strlcat
1829  Result = strlRetVal;
1830  else
1831  Result = finalStrLength;
1832  }
1833 
1834  assert(state);
1835 
1836  // If the destination is a MemRegion, try to check for a buffer overflow and
1837  // record the new string length.
1838  if (Optional<loc::MemRegionVal> dstRegVal =
1839  DstVal.getAs<loc::MemRegionVal>()) {
1840  QualType ptrTy = Dst->getType();
1841 
1842  // If we have an exact value on a bounded copy, use that to check for
1843  // overflows, rather than our estimate about how much is actually copied.
1844  if (boundWarning) {
1845  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1846  SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1847  *maxLastNL, ptrTy);
1848  state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
1849  boundWarning);
1850  if (!state)
1851  return;
1852  }
1853  }
1854 
1855  // Then, if the final length is known...
1856  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1857  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1858  *knownStrLength, ptrTy);
1859 
1860  // ...and we haven't checked the bound, we'll check the actual copy.
1861  if (!boundWarning) {
1862  const char * const warningMsg =
1863  "String copy function overflows destination buffer";
1864  state = CheckLocation(C, state, Dst, lastElement, warningMsg);
1865  if (!state)
1866  return;
1867  }
1868 
1869  // If this is a stpcpy-style copy, the last element is the return value.
1870  if (returnPtr && ReturnEnd)
1871  Result = lastElement;
1872  }
1873 
1874  // Invalidate the destination (regular invalidation without pointer-escaping
1875  // the address of the top-level region). This must happen before we set the
1876  // C string length because invalidation will clear the length.
1877  // FIXME: Even if we can't perfectly model the copy, we should see if we
1878  // can use LazyCompoundVals to copy the source values into the destination.
1879  // This would probably remove any existing bindings past the end of the
1880  // string, but that's still an improvement over blank invalidation.
1881  state = InvalidateBuffer(C, state, Dst, *dstRegVal,
1882  /*IsSourceBuffer*/false, nullptr);
1883 
1884  // Invalidate the source (const-invalidation without const-pointer-escaping
1885  // the address of the top-level region).
1886  state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
1887  nullptr);
1888 
1889  // Set the C string length of the destination, if we know it.
1890  if (IsBounded && (appendK == ConcatFnKind::none)) {
1891  // strncpy is annoying in that it doesn't guarantee to null-terminate
1892  // the result string. If the original string didn't fit entirely inside
1893  // the bound (including the null-terminator), we don't know how long the
1894  // result is.
1895  if (amountCopied != strLength)
1896  finalStrLength = UnknownVal();
1897  }
1898  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1899  }
1900 
1901  assert(state);
1902 
1903  if (returnPtr) {
1904  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1905  // overflow, we still need a result. Conjure a return value.
1906  if (ReturnEnd && Result.isUnknown()) {
1907  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1908  }
1909  }
1910  // Set the return value.
1911  state = state->BindExpr(CE, LCtx, Result);
1912  C.addTransition(state);
1913 }
1914 
1915 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1916  //int strcmp(const char *s1, const char *s2);
1917  evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ false);
1918 }
1919 
1920 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1921  //int strncmp(const char *s1, const char *s2, size_t n);
1922  evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ false);
1923 }
1924 
1925 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1926  const CallExpr *CE) const {
1927  //int strcasecmp(const char *s1, const char *s2);
1928  evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ true);
1929 }
1930 
1931 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1932  const CallExpr *CE) const {
1933  //int strncasecmp(const char *s1, const char *s2, size_t n);
1934  evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ true);
1935 }
1936 
1937 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1938  bool IsBounded, bool IgnoreCase) const {
1939  CurrentFunctionDescription = "string comparison function";
1940  ProgramStateRef state = C.getState();
1941  const LocationContext *LCtx = C.getLocationContext();
1942 
1943  // Check that the first string is non-null
1944  const Expr *s1 = CE->getArg(0);
1945  SVal s1Val = state->getSVal(s1, LCtx);
1946  state = checkNonNull(C, state, s1, s1Val, 1);
1947  if (!state)
1948  return;
1949 
1950  // Check that the second string is non-null.
1951  const Expr *s2 = CE->getArg(1);
1952  SVal s2Val = state->getSVal(s2, LCtx);
1953  state = checkNonNull(C, state, s2, s2Val, 2);
1954  if (!state)
1955  return;
1956 
1957  // Get the string length of the first string or give up.
1958  SVal s1Length = getCStringLength(C, state, s1, s1Val);
1959  if (s1Length.isUndef())
1960  return;
1961 
1962  // Get the string length of the second string or give up.
1963  SVal s2Length = getCStringLength(C, state, s2, s2Val);
1964  if (s2Length.isUndef())
1965  return;
1966 
1967  // If we know the two buffers are the same, we know the result is 0.
1968  // First, get the two buffers' addresses. Another checker will have already
1969  // made sure they're not undefined.
1970  DefinedOrUnknownSVal LV = s1Val.castAs<DefinedOrUnknownSVal>();
1971  DefinedOrUnknownSVal RV = s2Val.castAs<DefinedOrUnknownSVal>();
1972 
1973  // See if they are the same.
1974  SValBuilder &svalBuilder = C.getSValBuilder();
1975  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1976  ProgramStateRef StSameBuf, StNotSameBuf;
1977  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1978 
1979  // If the two arguments might be the same buffer, we know the result is 0,
1980  // and we only need to check one size.
1981  if (StSameBuf) {
1982  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
1983  svalBuilder.makeZeroVal(CE->getType()));
1984  C.addTransition(StSameBuf);
1985 
1986  // If the two arguments are GUARANTEED to be the same, we're done!
1987  if (!StNotSameBuf)
1988  return;
1989  }
1990 
1991  assert(StNotSameBuf);
1992  state = StNotSameBuf;
1993 
1994  // At this point we can go about comparing the two buffers.
1995  // For now, we only do this if they're both known string literals.
1996 
1997  // Attempt to extract string literals from both expressions.
1998  const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val);
1999  const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val);
2000  bool canComputeResult = false;
2001  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
2002  C.blockCount());
2003 
2004  if (s1StrLiteral && s2StrLiteral) {
2005  StringRef s1StrRef = s1StrLiteral->getString();
2006  StringRef s2StrRef = s2StrLiteral->getString();
2007 
2008  if (IsBounded) {
2009  // Get the max number of characters to compare.
2010  const Expr *lenExpr = CE->getArg(2);
2011  SVal lenVal = state->getSVal(lenExpr, LCtx);
2012 
2013  // If the length is known, we can get the right substrings.
2014  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
2015  // Create substrings of each to compare the prefix.
2016  s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
2017  s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue());
2018  canComputeResult = true;
2019  }
2020  } else {
2021  // This is a normal, unbounded strcmp.
2022  canComputeResult = true;
2023  }
2024 
2025  if (canComputeResult) {
2026  // Real strcmp stops at null characters.
2027  size_t s1Term = s1StrRef.find('\0');
2028  if (s1Term != StringRef::npos)
2029  s1StrRef = s1StrRef.substr(0, s1Term);
2030 
2031  size_t s2Term = s2StrRef.find('\0');
2032  if (s2Term != StringRef::npos)
2033  s2StrRef = s2StrRef.substr(0, s2Term);
2034 
2035  // Use StringRef's comparison methods to compute the actual result.
2036  int compareRes = IgnoreCase ? s1StrRef.compare_lower(s2StrRef)
2037  : s1StrRef.compare(s2StrRef);
2038 
2039  // The strcmp function returns an integer greater than, equal to, or less
2040  // than zero, [c11, p7.24.4.2].
2041  if (compareRes == 0) {
2042  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
2043  }
2044  else {
2045  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
2046  // Constrain strcmp's result range based on the result of StringRef's
2047  // comparison methods.
2048  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
2049  SVal compareWithZero =
2050  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
2051  svalBuilder.getConditionType());
2052  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
2053  state = state->assume(compareWithZeroVal, true);
2054  }
2055  }
2056  }
2057 
2058  state = state->BindExpr(CE, LCtx, resultVal);
2059 
2060  // Record this as a possible path.
2061  C.addTransition(state);
2062 }
2063 
2064 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
2065  //char *strsep(char **stringp, const char *delim);
2066  // Sanity: does the search string parameter match the return type?
2067  const Expr *SearchStrPtr = CE->getArg(0);
2068  QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType();
2069  if (CharPtrTy.isNull() ||
2070  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
2071  return;
2072 
2073  CurrentFunctionDescription = "strsep()";
2074  ProgramStateRef State = C.getState();
2075  const LocationContext *LCtx = C.getLocationContext();
2076 
2077  // Check that the search string pointer is non-null (though it may point to
2078  // a null string).
2079  SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx);
2080  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal, 1);
2081  if (!State)
2082  return;
2083 
2084  // Check that the delimiter string is non-null.
2085  const Expr *DelimStr = CE->getArg(1);
2086  SVal DelimStrVal = State->getSVal(DelimStr, LCtx);
2087  State = checkNonNull(C, State, DelimStr, DelimStrVal, 2);
2088  if (!State)
2089  return;
2090 
2091  SValBuilder &SVB = C.getSValBuilder();
2092  SVal Result;
2093  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
2094  // Get the current value of the search string pointer, as a char*.
2095  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
2096 
2097  // Invalidate the search string, representing the change of one delimiter
2098  // character to NUL.
2099  State = InvalidateBuffer(C, State, SearchStrPtr, Result,
2100  /*IsSourceBuffer*/false, nullptr);
2101 
2102  // Overwrite the search string pointer. The new value is either an address
2103  // further along in the same string, or NULL if there are no more tokens.
2104  State = State->bindLoc(*SearchStrLoc,
2105  SVB.conjureSymbolVal(getTag(),
2106  CE,
2107  LCtx,
2108  CharPtrTy,
2109  C.blockCount()),
2110  LCtx);
2111  } else {
2112  assert(SearchStrVal.isUnknown());
2113  // Conjure a symbolic value. It's the best we can do.
2114  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2115  }
2116 
2117  // Set the return value, and finish.
2118  State = State->BindExpr(CE, LCtx, Result);
2119  C.addTransition(State);
2120 }
2121 
2122 // These should probably be moved into a C++ standard library checker.
2123 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
2124  evalStdCopyCommon(C, CE);
2125 }
2126 
2127 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
2128  const CallExpr *CE) const {
2129  evalStdCopyCommon(C, CE);
2130 }
2131 
2132 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
2133  const CallExpr *CE) const {
2134  if (!CE->getArg(2)->getType()->isPointerType())
2135  return;
2136 
2137  ProgramStateRef State = C.getState();
2138 
2139  const LocationContext *LCtx = C.getLocationContext();
2140 
2141  // template <class _InputIterator, class _OutputIterator>
2142  // _OutputIterator
2143  // copy(_InputIterator __first, _InputIterator __last,
2144  // _OutputIterator __result)
2145 
2146  // Invalidate the destination buffer
2147  const Expr *Dst = CE->getArg(2);
2148  SVal DstVal = State->getSVal(Dst, LCtx);
2149  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
2150  /*Size=*/nullptr);
2151 
2152  SValBuilder &SVB = C.getSValBuilder();
2153 
2154  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2155  State = State->BindExpr(CE, LCtx, ResultVal);
2156 
2157  C.addTransition(State);
2158 }
2159 
2160 void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
2161  CurrentFunctionDescription = "memory set function";
2162 
2163  const Expr *Mem = CE->getArg(0);
2164  const Expr *CharE = CE->getArg(1);
2165  const Expr *Size = CE->getArg(2);
2166  ProgramStateRef State = C.getState();
2167 
2168  // See if the size argument is zero.
2169  const LocationContext *LCtx = C.getLocationContext();
2170  SVal SizeVal = State->getSVal(Size, LCtx);
2171  QualType SizeTy = Size->getType();
2172 
2173  ProgramStateRef StateZeroSize, StateNonZeroSize;
2174  std::tie(StateZeroSize, StateNonZeroSize) =
2175  assumeZero(C, State, SizeVal, SizeTy);
2176 
2177  // Get the value of the memory area.
2178  SVal MemVal = State->getSVal(Mem, LCtx);
2179 
2180  // If the size is zero, there won't be any actual memory access, so
2181  // just bind the return value to the Mem buffer and return.
2182  if (StateZeroSize && !StateNonZeroSize) {
2183  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, MemVal);
2184  C.addTransition(StateZeroSize);
2185  return;
2186  }
2187 
2188  // Ensure the memory area is not null.
2189  // If it is NULL there will be a NULL pointer dereference.
2190  State = checkNonNull(C, StateNonZeroSize, Mem, MemVal, 1);
2191  if (!State)
2192  return;
2193 
2194  State = CheckBufferAccess(C, State, Size, Mem);
2195  if (!State)
2196  return;
2197 
2198  // According to the values of the arguments, bind the value of the second
2199  // argument to the destination buffer and set string length, or just
2200  // invalidate the destination buffer.
2201  if (!memsetAux(Mem, C.getSVal(CharE), Size, C, State))
2202  return;
2203 
2204  State = State->BindExpr(CE, LCtx, MemVal);
2205  C.addTransition(State);
2206 }
2207 
2208 void CStringChecker::evalBzero(CheckerContext &C, const CallExpr *CE) const {
2209  CurrentFunctionDescription = "memory clearance function";
2210 
2211  const Expr *Mem = CE->getArg(0);
2212  const Expr *Size = CE->getArg(1);
2213  SVal Zero = C.getSValBuilder().makeZeroVal(C.getASTContext().IntTy);
2214 
2215  ProgramStateRef State = C.getState();
2216 
2217  // See if the size argument is zero.
2218  SVal SizeVal = C.getSVal(Size);
2219  QualType SizeTy = Size->getType();
2220 
2221  ProgramStateRef StateZeroSize, StateNonZeroSize;
2222  std::tie(StateZeroSize, StateNonZeroSize) =
2223  assumeZero(C, State, SizeVal, SizeTy);
2224 
2225  // If the size is zero, there won't be any actual memory access,
2226  // In this case we just return.
2227  if (StateZeroSize && !StateNonZeroSize) {
2228  C.addTransition(StateZeroSize);
2229  return;
2230  }
2231 
2232  // Get the value of the memory area.
2233  SVal MemVal = C.getSVal(Mem);
2234 
2235  // Ensure the memory area is not null.
2236  // If it is NULL there will be a NULL pointer dereference.
2237  State = checkNonNull(C, StateNonZeroSize, Mem, MemVal, 1);
2238  if (!State)
2239  return;
2240 
2241  State = CheckBufferAccess(C, State, Size, Mem);
2242  if (!State)
2243  return;
2244 
2245  if (!memsetAux(Mem, Zero, Size, C, State))
2246  return;
2247 
2248  C.addTransition(State);
2249 }
2250 
2251 //===----------------------------------------------------------------------===//
2252 // The driver method, and other Checker callbacks.
2253 //===----------------------------------------------------------------------===//
2254 
2255 CStringChecker::FnCheck CStringChecker::identifyCall(const CallEvent &Call,
2256  CheckerContext &C) const {
2257  const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
2258  if (!CE)
2259  return nullptr;
2260 
2261  const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
2262  if (!FD)
2263  return nullptr;
2264 
2265  if (Call.isCalled(StdCopy)) {
2266  return &CStringChecker::evalStdCopy;
2267  } else if (Call.isCalled(StdCopyBackward)) {
2268  return &CStringChecker::evalStdCopyBackward;
2269  }
2270 
2271  // Pro-actively check that argument types are safe to do arithmetic upon.
2272  // We do not want to crash if someone accidentally passes a structure
2273  // into, say, a C++ overload of any of these functions. We could not check
2274  // that for std::copy because they may have arguments of other types.
2275  for (auto I : CE->arguments()) {
2276  QualType T = I->getType();
2277  if (!T->isIntegralOrEnumerationType() && !T->isPointerType())
2278  return nullptr;
2279  }
2280 
2281  const FnCheck *Callback = Callbacks.lookup(Call);
2282  if (Callback)
2283  return *Callback;
2284 
2285  return nullptr;
2286 }
2287 
2288 bool CStringChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
2289  FnCheck Callback = identifyCall(Call, C);
2290 
2291  // If the callee isn't a string function, let another checker handle it.
2292  if (!Callback)
2293  return false;
2294 
2295  // Check and evaluate the call.
2296  const auto *CE = cast<CallExpr>(Call.getOriginExpr());
2297  (this->*Callback)(C, CE);
2298 
2299  // If the evaluate call resulted in no change, chain to the next eval call
2300  // handler.
2301  // Note, the custom CString evaluation calls assume that basic safety
2302  // properties are held. However, if the user chooses to turn off some of these
2303  // checks, we ignore the issues and leave the call evaluation to a generic
2304  // handler.
2305  return C.isDifferent();
2306 }
2307 
2308 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2309  // Record string length for char a[] = "abc";
2310  ProgramStateRef state = C.getState();
2311 
2312  for (const auto *I : DS->decls()) {
2313  const VarDecl *D = dyn_cast<VarDecl>(I);
2314  if (!D)
2315  continue;
2316 
2317  // FIXME: Handle array fields of structs.
2318  if (!D->getType()->isArrayType())
2319  continue;
2320 
2321  const Expr *Init = D->getInit();
2322  if (!Init)
2323  continue;
2324  if (!isa<StringLiteral>(Init))
2325  continue;
2326 
2327  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2328  const MemRegion *MR = VarLoc.getAsRegion();
2329  if (!MR)
2330  continue;
2331 
2332  SVal StrVal = C.getSVal(Init);
2333  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2334  DefinedOrUnknownSVal strLength =
2335  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2336 
2337  state = state->set<CStringLength>(MR, strLength);
2338  }
2339 
2340  C.addTransition(state);
2341 }
2342 
2344 CStringChecker::checkRegionChanges(ProgramStateRef state,
2345  const InvalidatedSymbols *,
2346  ArrayRef<const MemRegion *> ExplicitRegions,
2348  const LocationContext *LCtx,
2349  const CallEvent *Call) const {
2350  CStringLengthTy Entries = state->get<CStringLength>();
2351  if (Entries.isEmpty())
2352  return state;
2353 
2354  llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
2355  llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
2356 
2357  // First build sets for the changed regions and their super-regions.
2359  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2360  const MemRegion *MR = *I;
2361  Invalidated.insert(MR);
2362 
2363  SuperRegions.insert(MR);
2364  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2365  MR = SR->getSuperRegion();
2366  SuperRegions.insert(MR);
2367  }
2368  }
2369 
2370  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2371 
2372  // Then loop over the entries in the current state.
2373  for (CStringLengthTy::iterator I = Entries.begin(),
2374  E = Entries.end(); I != E; ++I) {
2375  const MemRegion *MR = I.getKey();
2376 
2377  // Is this entry for a super-region of a changed region?
2378  if (SuperRegions.count(MR)) {
2379  Entries = F.remove(Entries, MR);
2380  continue;
2381  }
2382 
2383  // Is this entry for a sub-region of a changed region?
2384  const MemRegion *Super = MR;
2385  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2386  Super = SR->getSuperRegion();
2387  if (Invalidated.count(Super)) {
2388  Entries = F.remove(Entries, MR);
2389  break;
2390  }
2391  }
2392  }
2393 
2394  return state->set<CStringLength>(Entries);
2395 }
2396 
2397 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2398  SymbolReaper &SR) const {
2399  // Mark all symbols in our string length map as valid.
2400  CStringLengthTy Entries = state->get<CStringLength>();
2401 
2402  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2403  I != E; ++I) {
2404  SVal Len = I.getData();
2405 
2406  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2407  se = Len.symbol_end(); si != se; ++si)
2408  SR.markInUse(*si);
2409  }
2410 }
2411 
2412 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2413  CheckerContext &C) const {
2414  ProgramStateRef state = C.getState();
2415  CStringLengthTy Entries = state->get<CStringLength>();
2416  if (Entries.isEmpty())
2417  return;
2418 
2419  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2420  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2421  I != E; ++I) {
2422  SVal Len = I.getData();
2423  if (SymbolRef Sym = Len.getAsSymbol()) {
2424  if (SR.isDead(Sym))
2425  Entries = F.remove(Entries, I.getKey());
2426  }
2427  }
2428 
2429  state = state->set<CStringLength>(Entries);
2430  C.addTransition(state);
2431 }
2432 
2433 void ento::registerCStringModeling(CheckerManager &Mgr) {
2434  Mgr.registerChecker<CStringChecker>();
2435 }
2436 
2437 bool ento::shouldRegisterCStringModeling(const LangOptions &LO) {
2438  return true;
2439 }
2440 
2441 #define REGISTER_CHECKER(name) \
2442  void ento::register##name(CheckerManager &mgr) { \
2443  CStringChecker *checker = mgr.getChecker<CStringChecker>(); \
2444  checker->Filter.Check##name = true; \
2445  checker->Filter.CheckName##name = mgr.getCurrentCheckerName(); \
2446  } \
2447  \
2448  bool ento::shouldRegister##name(const LangOptions &LO) { return true; }
2449 
2450 REGISTER_CHECKER(CStringNullArg)
2451 REGISTER_CHECKER(CStringOutOfBounds)
2452 REGISTER_CHECKER(CStringBufferOverlap)
2453 REGISTER_CHECKER(CStringNotNullTerm)
Represents a function declaration or definition.
Definition: Decl.h:1783
A (possibly-)qualified type.
Definition: Type.h:654
bool isArrayType() const
Definition: Type.h:6570
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2702
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
Stmt - This represents one statement.
Definition: Stmt.h:66
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:557
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Represents a variable declaration or definition.
Definition: Decl.h:820
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
const SymExpr * SymbolRef
Definition: SymExpr.h:110
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:168
LineState State
bool Zero(InterpState &S, CodePtr OpPC)
Definition: Interp.h:812
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:53
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
bool isIntegralOrEnumerationType() const
Determine whether this type is an integral or enumeration type.
Definition: Type.h:6881
This class represents a description of a function call using the number of arguments and the name of ...
Definition: CallEvent.h:1058
BinaryOperatorKind
CanQualType UnsignedCharTy
Definition: ASTContext.h:1026
StringRef getString() const
Definition: Expr.h:1794
#define REGISTER_CHECKER(name)
unsigned Offset
Definition: Format.cpp:1827
This represents one expression.
Definition: Expr.h:108
std::string Label
#define V(N, I)
Definition: ASTContext.h:2941
QualType getType() const
Definition: Expr.h:137
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:719
llvm::cl::opt< std::string > Filter
llvm::APSInt APSInt
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
DeclStmt - Adaptor class for mixing declarations with statements and expressions. ...
Definition: Stmt.h:1225
arg_range arguments()
Definition: Expr.h:2739
Tells that a region&#39;s contents is not changed.
Definition: MemRegion.h:1460
CanQualType CharTy
Definition: ASTContext.h:1018
Dataflow Directional Tag Classes.
const Expr * getInit() const
Definition: Decl.h:1229
Describes a C standard function that is sometimes implemented as a macro that expands to a compiler b...
Definition: CallEvent.h:1053
unsigned getByteLength() const
Definition: Expr.h:1822
Indicates that the tracking object is a descendant of a referenced-counted OSObject, used in the Darwin kernel.
decl_range decls()
Definition: Stmt.h:1273
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:6336
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:263
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1711
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2546
LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:173
CanQualType IntTy
Definition: ASTContext.h:1025
An immutable map from CallDescriptions to arbitrary data.
Definition: CallEvent.h:1110
bool isPointerType() const
Definition: Type.h:6504
QualType getType() const
Definition: Decl.h:630
ConcatFnKind
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.