CStringChecker.cpp revision 210c05b10317a11971f87e474ffa4c30bb8e4df9
1//= CStringChecker.h - Checks calls to C string functions ----------*- C++ -*-// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This defines CStringChecker, which is an assortment of checks on calls 11// to functions in <string.h>. 12// 13//===----------------------------------------------------------------------===// 14 15#include "ClangSACheckers.h" 16#include "clang/StaticAnalyzer/Core/Checker.h" 17#include "clang/StaticAnalyzer/Core/CheckerManager.h" 18#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 19#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 20#include "clang/StaticAnalyzer/Core/PathSensitive/GRStateTrait.h" 21#include "llvm/ADT/StringSwitch.h" 22 23using namespace clang; 24using namespace ento; 25 26namespace { 27class CStringChecker : public Checker< eval::Call, 28 check::PreStmt<DeclStmt>, 29 check::LiveSymbols, 30 check::DeadSymbols, 31 check::RegionChanges 32 > { 33 mutable llvm::OwningPtr<BugType> BT_Null, BT_Bounds, BT_BoundsWrite, 34 BT_Overlap, BT_NotCString; 35public: 36 static void *getTag() { static int tag; return &tag; } 37 38 bool evalCall(const CallExpr *CE, CheckerContext &C) const; 39 void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; 40 void checkLiveSymbols(const GRState *state, SymbolReaper &SR) const; 41 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; 42 bool wantsRegionChangeUpdate(const GRState *state) const; 43 44 const GRState *checkRegionChanges(const GRState *state, 45 const StoreManager::InvalidatedSymbols *, 46 const MemRegion * const *Begin, 47 const MemRegion * const *End) const; 48 49 typedef void (CStringChecker::*FnCheck)(CheckerContext &, 50 const CallExpr *) const; 51 52 void evalMemcpy(CheckerContext &C, const CallExpr *CE) const; 53 void evalMempcpy(CheckerContext &C, const CallExpr *CE) const; 54 void evalMemmove(CheckerContext &C, const CallExpr *CE) const; 55 void evalBcopy(CheckerContext &C, const CallExpr *CE) const; 56 void evalCopyCommon(CheckerContext &C, const CallExpr *CE, 57 const GRState *state, 58 const Expr *Size, const Expr *Source, const Expr *Dest, 59 bool Restricted = false, 60 bool IsMempcpy = false) const; 61 62 void evalMemcmp(CheckerContext &C, const CallExpr *CE) const; 63 64 void evalstrLength(CheckerContext &C, const CallExpr *CE) const; 65 void evalstrnLength(CheckerContext &C, const CallExpr *CE) const; 66 void evalstrLengthCommon(CheckerContext &C, const CallExpr *CE, 67 bool IsStrnlen = false) const; 68 69 void evalStrcpy(CheckerContext &C, const CallExpr *CE) const; 70 void evalStrncpy(CheckerContext &C, const CallExpr *CE) const; 71 void evalStpcpy(CheckerContext &C, const CallExpr *CE) const; 72 void evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, bool returnEnd, 73 bool isBounded, bool isAppending) const; 74 75 void evalStrcat(CheckerContext &C, const CallExpr *CE) const; 76 void evalStrncat(CheckerContext &C, const CallExpr *CE) const; 77 78 void evalStrcmp(CheckerContext &C, const CallExpr *CE) const; 79 void evalStrncmp(CheckerContext &C, const CallExpr *CE) const; 80 void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const; 81 void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const; 82 void evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, 83 bool isBounded = false, bool ignoreCase = false) const; 84 85 // Utility methods 86 std::pair<const GRState*, const GRState*> 87 static assumeZero(CheckerContext &C, 88 const GRState *state, SVal V, QualType Ty); 89 90 static const GRState *setCStringLength(const GRState *state, 91 const MemRegion *MR, SVal strLength); 92 static SVal getCStringLengthForRegion(CheckerContext &C, 93 const GRState *&state, 94 const Expr *Ex, const MemRegion *MR); 95 SVal getCStringLength(CheckerContext &C, const GRState *&state, 96 const Expr *Ex, SVal Buf) const; 97 98 const StringLiteral *getCStringLiteral(CheckerContext &C, 99 const GRState *&state, 100 const Expr *expr, 101 SVal val) const; 102 103 static const GRState *InvalidateBuffer(CheckerContext &C, 104 const GRState *state, 105 const Expr *Ex, SVal V); 106 107 static bool SummarizeRegion(llvm::raw_ostream& os, ASTContext& Ctx, 108 const MemRegion *MR); 109 110 // Re-usable checks 111 const GRState *checkNonNull(CheckerContext &C, const GRState *state, 112 const Expr *S, SVal l) const; 113 const GRState *CheckLocation(CheckerContext &C, const GRState *state, 114 const Expr *S, SVal l, 115 bool IsDestination = false) const; 116 const GRState *CheckBufferAccess(CheckerContext &C, const GRState *state, 117 const Expr *Size, 118 const Expr *FirstBuf, 119 const Expr *SecondBuf = NULL, 120 bool FirstIsDestination = false) const; 121 const GRState *CheckOverlap(CheckerContext &C, const GRState *state, 122 const Expr *Size, const Expr *First, 123 const Expr *Second) const; 124 void emitOverlapBug(CheckerContext &C, const GRState *state, 125 const Stmt *First, const Stmt *Second) const; 126}; 127 128class CStringLength { 129public: 130 typedef llvm::ImmutableMap<const MemRegion *, SVal> EntryMap; 131}; 132} //end anonymous namespace 133 134namespace clang { 135namespace ento { 136 template <> 137 struct GRStateTrait<CStringLength> 138 : public GRStatePartialTrait<CStringLength::EntryMap> { 139 static void *GDMIndex() { return CStringChecker::getTag(); } 140 }; 141} 142} 143 144//===----------------------------------------------------------------------===// 145// Individual checks and utility methods. 146//===----------------------------------------------------------------------===// 147 148std::pair<const GRState*, const GRState*> 149CStringChecker::assumeZero(CheckerContext &C, const GRState *state, SVal V, 150 QualType Ty) { 151 DefinedSVal *val = dyn_cast<DefinedSVal>(&V); 152 if (!val) 153 return std::pair<const GRState*, const GRState *>(state, state); 154 155 SValBuilder &svalBuilder = C.getSValBuilder(); 156 DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty); 157 return state->assume(svalBuilder.evalEQ(state, *val, zero)); 158} 159 160const GRState *CStringChecker::checkNonNull(CheckerContext &C, 161 const GRState *state, 162 const Expr *S, SVal l) const { 163 // If a previous check has failed, propagate the failure. 164 if (!state) 165 return NULL; 166 167 const GRState *stateNull, *stateNonNull; 168 llvm::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType()); 169 170 if (stateNull && !stateNonNull) { 171 ExplodedNode *N = C.generateSink(stateNull); 172 if (!N) 173 return NULL; 174 175 if (!BT_Null) 176 BT_Null.reset(new BuiltinBug("API", 177 "Null pointer argument in call to byte string function")); 178 179 // Generate a report for this bug. 180 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get()); 181 EnhancedBugReport *report = new EnhancedBugReport(*BT, 182 BT->getDescription(), N); 183 184 report->addRange(S->getSourceRange()); 185 report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, S); 186 C.EmitReport(report); 187 return NULL; 188 } 189 190 // From here on, assume that the value is non-null. 191 assert(stateNonNull); 192 return stateNonNull; 193} 194 195// FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor? 196const GRState *CStringChecker::CheckLocation(CheckerContext &C, 197 const GRState *state, 198 const Expr *S, SVal l, 199 bool IsDestination) const { 200 // If a previous check has failed, propagate the failure. 201 if (!state) 202 return NULL; 203 204 // Check for out of bound array element access. 205 const MemRegion *R = l.getAsRegion(); 206 if (!R) 207 return state; 208 209 const ElementRegion *ER = dyn_cast<ElementRegion>(R); 210 if (!ER) 211 return state; 212 213 assert(ER->getValueType() == C.getASTContext().CharTy && 214 "CheckLocation should only be called with char* ElementRegions"); 215 216 // Get the size of the array. 217 const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion()); 218 SValBuilder &svalBuilder = C.getSValBuilder(); 219 SVal Extent = svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder)); 220 DefinedOrUnknownSVal Size = cast<DefinedOrUnknownSVal>(Extent); 221 222 // Get the index of the accessed element. 223 DefinedOrUnknownSVal Idx = cast<DefinedOrUnknownSVal>(ER->getIndex()); 224 225 const GRState *StInBound = state->assumeInBound(Idx, Size, true); 226 const GRState *StOutBound = state->assumeInBound(Idx, Size, false); 227 if (StOutBound && !StInBound) { 228 ExplodedNode *N = C.generateSink(StOutBound); 229 if (!N) 230 return NULL; 231 232 BuiltinBug *BT; 233 if (IsDestination) { 234 if (!BT_BoundsWrite) { 235 BT_BoundsWrite.reset(new BuiltinBug("Out-of-bound array access", 236 "Byte string function overflows destination buffer")); 237 } 238 BT = static_cast<BuiltinBug*>(BT_BoundsWrite.get()); 239 } else { 240 if (!BT_Bounds) { 241 BT_Bounds.reset(new BuiltinBug("Out-of-bound array access", 242 "Byte string function accesses out-of-bound array element")); 243 } 244 BT = static_cast<BuiltinBug*>(BT_Bounds.get()); 245 } 246 247 // FIXME: It would be nice to eventually make this diagnostic more clear, 248 // e.g., by referencing the original declaration or by saying *why* this 249 // reference is outside the range. 250 251 // Generate a report for this bug. 252 RangedBugReport *report = new RangedBugReport(*BT, BT->getDescription(), N); 253 254 report->addRange(S->getSourceRange()); 255 C.EmitReport(report); 256 return NULL; 257 } 258 259 // Array bound check succeeded. From this point forward the array bound 260 // should always succeed. 261 return StInBound; 262} 263 264const GRState *CStringChecker::CheckBufferAccess(CheckerContext &C, 265 const GRState *state, 266 const Expr *Size, 267 const Expr *FirstBuf, 268 const Expr *SecondBuf, 269 bool FirstIsDestination) const { 270 // If a previous check has failed, propagate the failure. 271 if (!state) 272 return NULL; 273 274 SValBuilder &svalBuilder = C.getSValBuilder(); 275 ASTContext &Ctx = C.getASTContext(); 276 277 QualType sizeTy = Size->getType(); 278 QualType PtrTy = Ctx.getPointerType(Ctx.CharTy); 279 280 // Check that the first buffer is non-null. 281 SVal BufVal = state->getSVal(FirstBuf); 282 state = checkNonNull(C, state, FirstBuf, BufVal); 283 if (!state) 284 return NULL; 285 286 // Get the access length and make sure it is known. 287 SVal LengthVal = state->getSVal(Size); 288 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 289 if (!Length) 290 return state; 291 292 // Compute the offset of the last element to be accessed: size-1. 293 NonLoc One = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy)); 294 NonLoc LastOffset = cast<NonLoc>(svalBuilder.evalBinOpNN(state, BO_Sub, 295 *Length, One, sizeTy)); 296 297 // Check that the first buffer is sufficiently long. 298 SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); 299 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 300 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 301 LastOffset, PtrTy); 302 state = CheckLocation(C, state, FirstBuf, BufEnd, FirstIsDestination); 303 304 // If the buffer isn't large enough, abort. 305 if (!state) 306 return NULL; 307 } 308 309 // If there's a second buffer, check it as well. 310 if (SecondBuf) { 311 BufVal = state->getSVal(SecondBuf); 312 state = checkNonNull(C, state, SecondBuf, BufVal); 313 if (!state) 314 return NULL; 315 316 BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType()); 317 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 318 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 319 LastOffset, PtrTy); 320 state = CheckLocation(C, state, SecondBuf, BufEnd); 321 } 322 } 323 324 // Large enough or not, return this state! 325 return state; 326} 327 328const GRState *CStringChecker::CheckOverlap(CheckerContext &C, 329 const GRState *state, 330 const Expr *Size, 331 const Expr *First, 332 const Expr *Second) const { 333 // Do a simple check for overlap: if the two arguments are from the same 334 // buffer, see if the end of the first is greater than the start of the second 335 // or vice versa. 336 337 // If a previous check has failed, propagate the failure. 338 if (!state) 339 return NULL; 340 341 const GRState *stateTrue, *stateFalse; 342 343 // Get the buffer values and make sure they're known locations. 344 SVal firstVal = state->getSVal(First); 345 SVal secondVal = state->getSVal(Second); 346 347 Loc *firstLoc = dyn_cast<Loc>(&firstVal); 348 if (!firstLoc) 349 return state; 350 351 Loc *secondLoc = dyn_cast<Loc>(&secondVal); 352 if (!secondLoc) 353 return state; 354 355 // Are the two values the same? 356 SValBuilder &svalBuilder = C.getSValBuilder(); 357 llvm::tie(stateTrue, stateFalse) = 358 state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc)); 359 360 if (stateTrue && !stateFalse) { 361 // If the values are known to be equal, that's automatically an overlap. 362 emitOverlapBug(C, stateTrue, First, Second); 363 return NULL; 364 } 365 366 // assume the two expressions are not equal. 367 assert(stateFalse); 368 state = stateFalse; 369 370 // Which value comes first? 371 ASTContext &Ctx = svalBuilder.getContext(); 372 QualType cmpTy = Ctx.IntTy; 373 SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT, 374 *firstLoc, *secondLoc, cmpTy); 375 DefinedOrUnknownSVal *reverseTest = dyn_cast<DefinedOrUnknownSVal>(&reverse); 376 if (!reverseTest) 377 return state; 378 379 llvm::tie(stateTrue, stateFalse) = state->assume(*reverseTest); 380 if (stateTrue) { 381 if (stateFalse) { 382 // If we don't know which one comes first, we can't perform this test. 383 return state; 384 } else { 385 // Switch the values so that firstVal is before secondVal. 386 Loc *tmpLoc = firstLoc; 387 firstLoc = secondLoc; 388 secondLoc = tmpLoc; 389 390 // Switch the Exprs as well, so that they still correspond. 391 const Expr *tmpExpr = First; 392 First = Second; 393 Second = tmpExpr; 394 } 395 } 396 397 // Get the length, and make sure it too is known. 398 SVal LengthVal = state->getSVal(Size); 399 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 400 if (!Length) 401 return state; 402 403 // Convert the first buffer's start address to char*. 404 // Bail out if the cast fails. 405 QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy); 406 SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy, First->getType()); 407 Loc *FirstStartLoc = dyn_cast<Loc>(&FirstStart); 408 if (!FirstStartLoc) 409 return state; 410 411 // Compute the end of the first buffer. Bail out if THAT fails. 412 SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, 413 *FirstStartLoc, *Length, CharPtrTy); 414 Loc *FirstEndLoc = dyn_cast<Loc>(&FirstEnd); 415 if (!FirstEndLoc) 416 return state; 417 418 // Is the end of the first buffer past the start of the second buffer? 419 SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT, 420 *FirstEndLoc, *secondLoc, cmpTy); 421 DefinedOrUnknownSVal *OverlapTest = dyn_cast<DefinedOrUnknownSVal>(&Overlap); 422 if (!OverlapTest) 423 return state; 424 425 llvm::tie(stateTrue, stateFalse) = state->assume(*OverlapTest); 426 427 if (stateTrue && !stateFalse) { 428 // Overlap! 429 emitOverlapBug(C, stateTrue, First, Second); 430 return NULL; 431 } 432 433 // assume the two expressions don't overlap. 434 assert(stateFalse); 435 return stateFalse; 436} 437 438void CStringChecker::emitOverlapBug(CheckerContext &C, const GRState *state, 439 const Stmt *First, const Stmt *Second) const { 440 ExplodedNode *N = C.generateSink(state); 441 if (!N) 442 return; 443 444 if (!BT_Overlap) 445 BT_Overlap.reset(new BugType("Unix API", "Improper arguments")); 446 447 // Generate a report for this bug. 448 RangedBugReport *report = 449 new RangedBugReport(*BT_Overlap, 450 "Arguments must not be overlapping buffers", N); 451 report->addRange(First->getSourceRange()); 452 report->addRange(Second->getSourceRange()); 453 454 C.EmitReport(report); 455} 456 457const GRState *CStringChecker::setCStringLength(const GRState *state, 458 const MemRegion *MR, 459 SVal strLength) { 460 assert(!strLength.isUndef() && "Attempt to set an undefined string length"); 461 462 MR = MR->StripCasts(); 463 464 switch (MR->getKind()) { 465 case MemRegion::StringRegionKind: 466 // FIXME: This can happen if we strcpy() into a string region. This is 467 // undefined [C99 6.4.5p6], but we should still warn about it. 468 return state; 469 470 case MemRegion::SymbolicRegionKind: 471 case MemRegion::AllocaRegionKind: 472 case MemRegion::VarRegionKind: 473 case MemRegion::FieldRegionKind: 474 case MemRegion::ObjCIvarRegionKind: 475 // These are the types we can currently track string lengths for. 476 break; 477 478 case MemRegion::ElementRegionKind: 479 // FIXME: Handle element regions by upper-bounding the parent region's 480 // string length. 481 return state; 482 483 default: 484 // Other regions (mostly non-data) can't have a reliable C string length. 485 // For now, just ignore the change. 486 // FIXME: These are rare but not impossible. We should output some kind of 487 // warning for things like strcpy((char[]){'a', 0}, "b"); 488 return state; 489 } 490 491 if (strLength.isUnknown()) 492 return state->remove<CStringLength>(MR); 493 494 return state->set<CStringLength>(MR, strLength); 495} 496 497SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C, 498 const GRState *&state, 499 const Expr *Ex, 500 const MemRegion *MR) { 501 // If there's a recorded length, go ahead and return it. 502 const SVal *Recorded = state->get<CStringLength>(MR); 503 if (Recorded) 504 return *Recorded; 505 506 // Otherwise, get a new symbol and update the state. 507 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 508 SValBuilder &svalBuilder = C.getSValBuilder(); 509 QualType sizeTy = svalBuilder.getContext().getSizeType(); 510 SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(), 511 MR, Ex, sizeTy, Count); 512 state = state->set<CStringLength>(MR, strLength); 513 return strLength; 514} 515 516SVal CStringChecker::getCStringLength(CheckerContext &C, const GRState *&state, 517 const Expr *Ex, SVal Buf) const { 518 const MemRegion *MR = Buf.getAsRegion(); 519 if (!MR) { 520 // If we can't get a region, see if it's something we /know/ isn't a 521 // C string. In the context of locations, the only time we can issue such 522 // a warning is for labels. 523 if (loc::GotoLabel *Label = dyn_cast<loc::GotoLabel>(&Buf)) { 524 if (ExplodedNode *N = C.generateNode(state)) { 525 if (!BT_NotCString) 526 BT_NotCString.reset(new BuiltinBug("API", 527 "Argument is not a null-terminated string.")); 528 529 llvm::SmallString<120> buf; 530 llvm::raw_svector_ostream os(buf); 531 os << "Argument to byte string function is the address of the label '" 532 << Label->getLabel()->getName() 533 << "', which is not a null-terminated string"; 534 535 // Generate a report for this bug. 536 EnhancedBugReport *report = new EnhancedBugReport(*BT_NotCString, 537 os.str(), N); 538 539 report->addRange(Ex->getSourceRange()); 540 C.EmitReport(report); 541 } 542 543 return UndefinedVal(); 544 } 545 546 // If it's not a region and not a label, give up. 547 return UnknownVal(); 548 } 549 550 // If we have a region, strip casts from it and see if we can figure out 551 // its length. For anything we can't figure out, just return UnknownVal. 552 MR = MR->StripCasts(); 553 554 switch (MR->getKind()) { 555 case MemRegion::StringRegionKind: { 556 // Modifying the contents of string regions is undefined [C99 6.4.5p6], 557 // so we can assume that the byte length is the correct C string length. 558 SValBuilder &svalBuilder = C.getSValBuilder(); 559 QualType sizeTy = svalBuilder.getContext().getSizeType(); 560 const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral(); 561 return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy); 562 } 563 case MemRegion::SymbolicRegionKind: 564 case MemRegion::AllocaRegionKind: 565 case MemRegion::VarRegionKind: 566 case MemRegion::FieldRegionKind: 567 case MemRegion::ObjCIvarRegionKind: 568 return getCStringLengthForRegion(C, state, Ex, MR); 569 case MemRegion::CompoundLiteralRegionKind: 570 // FIXME: Can we track this? Is it necessary? 571 return UnknownVal(); 572 case MemRegion::ElementRegionKind: 573 // FIXME: How can we handle this? It's not good enough to subtract the 574 // offset from the base string length; consider "123\x00567" and &a[5]. 575 return UnknownVal(); 576 default: 577 // Other regions (mostly non-data) can't have a reliable C string length. 578 // In this case, an error is emitted and UndefinedVal is returned. 579 // The caller should always be prepared to handle this case. 580 if (ExplodedNode *N = C.generateNode(state)) { 581 if (!BT_NotCString) 582 BT_NotCString.reset(new BuiltinBug("API", 583 "Argument is not a null-terminated string.")); 584 585 llvm::SmallString<120> buf; 586 llvm::raw_svector_ostream os(buf); 587 588 os << "Argument to byte string function is "; 589 590 if (SummarizeRegion(os, C.getASTContext(), MR)) 591 os << ", which is not a null-terminated string"; 592 else 593 os << "not a null-terminated string"; 594 595 // Generate a report for this bug. 596 EnhancedBugReport *report = new EnhancedBugReport(*BT_NotCString, 597 os.str(), N); 598 599 report->addRange(Ex->getSourceRange()); 600 C.EmitReport(report); 601 } 602 603 return UndefinedVal(); 604 } 605} 606 607const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C, 608 const GRState *&state, const Expr *expr, SVal val) const { 609 610 // Get the memory region pointed to by the val. 611 const MemRegion *bufRegion = val.getAsRegion(); 612 if (!bufRegion) 613 return NULL; 614 615 // Strip casts off the memory region. 616 bufRegion = bufRegion->StripCasts(); 617 618 // Cast the memory region to a string region. 619 const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion); 620 if (!strRegion) 621 return NULL; 622 623 // Return the actual string in the string region. 624 return strRegion->getStringLiteral(); 625} 626 627const GRState *CStringChecker::InvalidateBuffer(CheckerContext &C, 628 const GRState *state, 629 const Expr *E, SVal V) { 630 Loc *L = dyn_cast<Loc>(&V); 631 if (!L) 632 return state; 633 634 // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes 635 // some assumptions about the value that CFRefCount can't. Even so, it should 636 // probably be refactored. 637 if (loc::MemRegionVal* MR = dyn_cast<loc::MemRegionVal>(L)) { 638 const MemRegion *R = MR->getRegion()->StripCasts(); 639 640 // Are we dealing with an ElementRegion? If so, we should be invalidating 641 // the super-region. 642 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) { 643 R = ER->getSuperRegion(); 644 // FIXME: What about layers of ElementRegions? 645 } 646 647 // Invalidate this region. 648 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 649 return state->invalidateRegion(R, E, Count, NULL); 650 } 651 652 // If we have a non-region value by chance, just remove the binding. 653 // FIXME: is this necessary or correct? This handles the non-Region 654 // cases. Is it ever valid to store to these? 655 return state->unbindLoc(*L); 656} 657 658bool CStringChecker::SummarizeRegion(llvm::raw_ostream& os, ASTContext& Ctx, 659 const MemRegion *MR) { 660 const TypedRegion *TR = dyn_cast<TypedRegion>(MR); 661 if (!TR) 662 return false; 663 664 switch (TR->getKind()) { 665 case MemRegion::FunctionTextRegionKind: { 666 const FunctionDecl *FD = cast<FunctionTextRegion>(TR)->getDecl(); 667 if (FD) 668 os << "the address of the function '" << FD << "'"; 669 else 670 os << "the address of a function"; 671 return true; 672 } 673 case MemRegion::BlockTextRegionKind: 674 os << "block text"; 675 return true; 676 case MemRegion::BlockDataRegionKind: 677 os << "a block"; 678 return true; 679 case MemRegion::CXXThisRegionKind: 680 case MemRegion::CXXTempObjectRegionKind: 681 os << "a C++ temp object of type " << TR->getValueType().getAsString(); 682 return true; 683 case MemRegion::VarRegionKind: 684 os << "a variable of type" << TR->getValueType().getAsString(); 685 return true; 686 case MemRegion::FieldRegionKind: 687 os << "a field of type " << TR->getValueType().getAsString(); 688 return true; 689 case MemRegion::ObjCIvarRegionKind: 690 os << "an instance variable of type " << TR->getValueType().getAsString(); 691 return true; 692 default: 693 return false; 694 } 695} 696 697//===----------------------------------------------------------------------===// 698// evaluation of individual function calls. 699//===----------------------------------------------------------------------===// 700 701void CStringChecker::evalCopyCommon(CheckerContext &C, 702 const CallExpr *CE, 703 const GRState *state, 704 const Expr *Size, const Expr *Dest, 705 const Expr *Source, bool Restricted, 706 bool IsMempcpy) const { 707 // See if the size argument is zero. 708 SVal sizeVal = state->getSVal(Size); 709 QualType sizeTy = Size->getType(); 710 711 const GRState *stateZeroSize, *stateNonZeroSize; 712 llvm::tie(stateZeroSize, stateNonZeroSize) = assumeZero(C, state, sizeVal, sizeTy); 713 714 // Get the value of the Dest. 715 SVal destVal = state->getSVal(Dest); 716 717 // If the size is zero, there won't be any actual memory access, so 718 // just bind the return value to the destination buffer and return. 719 if (stateZeroSize) { 720 stateZeroSize = stateZeroSize->BindExpr(CE, destVal); 721 C.addTransition(stateZeroSize); 722 } 723 724 // If the size can be nonzero, we have to check the other arguments. 725 if (stateNonZeroSize) { 726 state = stateNonZeroSize; 727 728 // Ensure the destination is not null. If it is NULL there will be a 729 // NULL pointer dereference. 730 state = checkNonNull(C, state, Dest, destVal); 731 if (!state) 732 return; 733 734 // Get the value of the Src. 735 SVal srcVal = state->getSVal(Source); 736 737 // Ensure the source is not null. If it is NULL there will be a 738 // NULL pointer dereference. 739 state = checkNonNull(C, state, Source, srcVal); 740 if (!state) 741 return; 742 743 // Ensure the accesses are valid and that the buffers do not overlap. 744 state = CheckBufferAccess(C, state, Size, Dest, Source, 745 /* FirstIsDst = */ true); 746 if (Restricted) 747 state = CheckOverlap(C, state, Size, Dest, Source); 748 749 if (!state) 750 return; 751 752 // If this is mempcpy, get the byte after the last byte copied and 753 // bind the expr. 754 if (IsMempcpy) { 755 loc::MemRegionVal *destRegVal = dyn_cast<loc::MemRegionVal>(&destVal); 756 assert(destRegVal && "Destination should be a known MemRegionVal here"); 757 758 // Get the length to copy. 759 NonLoc *lenValNonLoc = dyn_cast<NonLoc>(&sizeVal); 760 761 if (lenValNonLoc) { 762 // Get the byte after the last byte copied. 763 SVal lastElement = C.getSValBuilder().evalBinOpLN(state, BO_Add, 764 *destRegVal, 765 *lenValNonLoc, 766 Dest->getType()); 767 768 // The byte after the last byte copied is the return value. 769 state = state->BindExpr(CE, lastElement); 770 } else { 771 // If we don't know how much we copied, we can at least 772 // conjure a return value for later. 773 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 774 SVal result = 775 C.getSValBuilder().getConjuredSymbolVal(NULL, CE, Count); 776 state = state->BindExpr(CE, result); 777 } 778 779 } else { 780 // All other copies return the destination buffer. 781 // (Well, bcopy() has a void return type, but this won't hurt.) 782 state = state->BindExpr(CE, destVal); 783 } 784 785 // Invalidate the destination. 786 // FIXME: Even if we can't perfectly model the copy, we should see if we 787 // can use LazyCompoundVals to copy the source values into the destination. 788 // This would probably remove any existing bindings past the end of the 789 // copied region, but that's still an improvement over blank invalidation. 790 state = InvalidateBuffer(C, state, Dest, state->getSVal(Dest)); 791 C.addTransition(state); 792 } 793} 794 795 796void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const { 797 // void *memcpy(void *restrict dst, const void *restrict src, size_t n); 798 // The return value is the address of the destination buffer. 799 const Expr *Dest = CE->getArg(0); 800 const GRState *state = C.getState(); 801 802 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true); 803} 804 805void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const { 806 // void *mempcpy(void *restrict dst, const void *restrict src, size_t n); 807 // The return value is a pointer to the byte following the last written byte. 808 const Expr *Dest = CE->getArg(0); 809 const GRState *state = C.getState(); 810 811 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true); 812} 813 814void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const { 815 // void *memmove(void *dst, const void *src, size_t n); 816 // The return value is the address of the destination buffer. 817 const Expr *Dest = CE->getArg(0); 818 const GRState *state = C.getState(); 819 820 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1)); 821} 822 823void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const { 824 // void bcopy(const void *src, void *dst, size_t n); 825 evalCopyCommon(C, CE, C.getState(), 826 CE->getArg(2), CE->getArg(1), CE->getArg(0)); 827} 828 829void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const { 830 // int memcmp(const void *s1, const void *s2, size_t n); 831 const Expr *Left = CE->getArg(0); 832 const Expr *Right = CE->getArg(1); 833 const Expr *Size = CE->getArg(2); 834 835 const GRState *state = C.getState(); 836 SValBuilder &svalBuilder = C.getSValBuilder(); 837 838 // See if the size argument is zero. 839 SVal sizeVal = state->getSVal(Size); 840 QualType sizeTy = Size->getType(); 841 842 const GRState *stateZeroSize, *stateNonZeroSize; 843 llvm::tie(stateZeroSize, stateNonZeroSize) = 844 assumeZero(C, state, sizeVal, sizeTy); 845 846 // If the size can be zero, the result will be 0 in that case, and we don't 847 // have to check either of the buffers. 848 if (stateZeroSize) { 849 state = stateZeroSize; 850 state = state->BindExpr(CE, svalBuilder.makeZeroVal(CE->getType())); 851 C.addTransition(state); 852 } 853 854 // If the size can be nonzero, we have to check the other arguments. 855 if (stateNonZeroSize) { 856 state = stateNonZeroSize; 857 // If we know the two buffers are the same, we know the result is 0. 858 // First, get the two buffers' addresses. Another checker will have already 859 // made sure they're not undefined. 860 DefinedOrUnknownSVal LV = cast<DefinedOrUnknownSVal>(state->getSVal(Left)); 861 DefinedOrUnknownSVal RV = cast<DefinedOrUnknownSVal>(state->getSVal(Right)); 862 863 // See if they are the same. 864 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 865 const GRState *StSameBuf, *StNotSameBuf; 866 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 867 868 // If the two arguments might be the same buffer, we know the result is zero, 869 // and we only need to check one size. 870 if (StSameBuf) { 871 state = StSameBuf; 872 state = CheckBufferAccess(C, state, Size, Left); 873 if (state) { 874 state = StSameBuf->BindExpr(CE, svalBuilder.makeZeroVal(CE->getType())); 875 C.addTransition(state); 876 } 877 } 878 879 // If the two arguments might be different buffers, we have to check the 880 // size of both of them. 881 if (StNotSameBuf) { 882 state = StNotSameBuf; 883 state = CheckBufferAccess(C, state, Size, Left, Right); 884 if (state) { 885 // The return value is the comparison result, which we don't know. 886 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 887 SVal CmpV = svalBuilder.getConjuredSymbolVal(NULL, CE, Count); 888 state = state->BindExpr(CE, CmpV); 889 C.addTransition(state); 890 } 891 } 892 } 893} 894 895void CStringChecker::evalstrLength(CheckerContext &C, 896 const CallExpr *CE) const { 897 // size_t strlen(const char *s); 898 evalstrLengthCommon(C, CE, /* IsStrnlen = */ false); 899} 900 901void CStringChecker::evalstrnLength(CheckerContext &C, 902 const CallExpr *CE) const { 903 // size_t strnlen(const char *s, size_t maxlen); 904 evalstrLengthCommon(C, CE, /* IsStrnlen = */ true); 905} 906 907void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE, 908 bool IsStrnlen) const { 909 const GRState *state = C.getState(); 910 911 if (IsStrnlen) { 912 const Expr *maxlenExpr = CE->getArg(1); 913 SVal maxlenVal = state->getSVal(maxlenExpr); 914 915 const GRState *stateZeroSize, *stateNonZeroSize; 916 llvm::tie(stateZeroSize, stateNonZeroSize) = 917 assumeZero(C, state, maxlenVal, maxlenExpr->getType()); 918 919 // If the size can be zero, the result will be 0 in that case, and we don't 920 // have to check the string itself. 921 if (stateZeroSize) { 922 SVal zero = C.getSValBuilder().makeZeroVal(CE->getType()); 923 stateZeroSize = stateZeroSize->BindExpr(CE, zero); 924 C.addTransition(stateZeroSize); 925 } 926 927 // If the size is GUARANTEED to be zero, we're done! 928 if (!stateNonZeroSize) 929 return; 930 931 // Otherwise, record the assumption that the size is nonzero. 932 state = stateNonZeroSize; 933 } 934 935 // Check that the string argument is non-null. 936 const Expr *Arg = CE->getArg(0); 937 SVal ArgVal = state->getSVal(Arg); 938 939 state = checkNonNull(C, state, Arg, ArgVal); 940 941 if (!state) 942 return; 943 944 SVal strLength = getCStringLength(C, state, Arg, ArgVal); 945 946 // If the argument isn't a valid C string, there's no valid state to 947 // transition to. 948 if (strLength.isUndef()) 949 return; 950 951 DefinedOrUnknownSVal result = UnknownVal(); 952 953 // If the check is for strnlen() then bind the return value to no more than 954 // the maxlen value. 955 if (IsStrnlen) { 956 QualType cmpTy = C.getSValBuilder().getContext().IntTy; 957 958 // It's a little unfortunate to be getting this again, 959 // but it's not that expensive... 960 const Expr *maxlenExpr = CE->getArg(1); 961 SVal maxlenVal = state->getSVal(maxlenExpr); 962 963 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 964 NonLoc *maxlenValNL = dyn_cast<NonLoc>(&maxlenVal); 965 966 if (strLengthNL && maxlenValNL) { 967 const GRState *stateStringTooLong, *stateStringNotTooLong; 968 969 // Check if the strLength is greater than the maxlen. 970 llvm::tie(stateStringTooLong, stateStringNotTooLong) = 971 state->assume(cast<DefinedOrUnknownSVal> 972 (C.getSValBuilder().evalBinOpNN(state, BO_GT, 973 *strLengthNL, 974 *maxlenValNL, 975 cmpTy))); 976 977 if (stateStringTooLong && !stateStringNotTooLong) { 978 // If the string is longer than maxlen, return maxlen. 979 result = *maxlenValNL; 980 } else if (stateStringNotTooLong && !stateStringTooLong) { 981 // If the string is shorter than maxlen, return its length. 982 result = *strLengthNL; 983 } 984 } 985 986 if (result.isUnknown()) { 987 // If we don't have enough information for a comparison, there's 988 // no guarantee the full string length will actually be returned. 989 // All we know is the return value is the min of the string length 990 // and the limit. This is better than nothing. 991 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 992 result = C.getSValBuilder().getConjuredSymbolVal(NULL, CE, Count); 993 NonLoc *resultNL = cast<NonLoc>(&result); 994 995 if (strLengthNL) { 996 state = state->assume(cast<DefinedOrUnknownSVal> 997 (C.getSValBuilder().evalBinOpNN(state, BO_LE, 998 *resultNL, 999 *strLengthNL, 1000 cmpTy)), true); 1001 } 1002 1003 if (maxlenValNL) { 1004 state = state->assume(cast<DefinedOrUnknownSVal> 1005 (C.getSValBuilder().evalBinOpNN(state, BO_LE, 1006 *resultNL, 1007 *maxlenValNL, 1008 cmpTy)), true); 1009 } 1010 } 1011 1012 } else { 1013 // This is a plain strlen(), not strnlen(). 1014 result = cast<DefinedOrUnknownSVal>(strLength); 1015 1016 // If we don't know the length of the string, conjure a return 1017 // value, so it can be used in constraints, at least. 1018 if (result.isUnknown()) { 1019 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 1020 result = C.getSValBuilder().getConjuredSymbolVal(NULL, CE, Count); 1021 } 1022 } 1023 1024 // Bind the return value. 1025 assert(!result.isUnknown() && "Should have conjured a value by now"); 1026 state = state->BindExpr(CE, result); 1027 C.addTransition(state); 1028} 1029 1030void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const { 1031 // char *strcpy(char *restrict dst, const char *restrict src); 1032 evalStrcpyCommon(C, CE, 1033 /* returnEnd = */ false, 1034 /* isBounded = */ false, 1035 /* isAppending = */ false); 1036} 1037 1038void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const { 1039 // char *strncpy(char *restrict dst, const char *restrict src, size_t n); 1040 evalStrcpyCommon(C, CE, 1041 /* returnEnd = */ false, 1042 /* isBounded = */ true, 1043 /* isAppending = */ false); 1044} 1045 1046void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const { 1047 // char *stpcpy(char *restrict dst, const char *restrict src); 1048 evalStrcpyCommon(C, CE, 1049 /* returnEnd = */ true, 1050 /* isBounded = */ false, 1051 /* isAppending = */ false); 1052} 1053 1054void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const { 1055 //char *strcat(char *restrict s1, const char *restrict s2); 1056 evalStrcpyCommon(C, CE, 1057 /* returnEnd = */ false, 1058 /* isBounded = */ false, 1059 /* isAppending = */ true); 1060} 1061 1062void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const { 1063 //char *strncat(char *restrict s1, const char *restrict s2, size_t n); 1064 evalStrcpyCommon(C, CE, 1065 /* returnEnd = */ false, 1066 /* isBounded = */ true, 1067 /* isAppending = */ true); 1068} 1069 1070void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, 1071 bool returnEnd, bool isBounded, 1072 bool isAppending) const { 1073 const GRState *state = C.getState(); 1074 1075 // Check that the destination is non-null. 1076 const Expr *Dst = CE->getArg(0); 1077 SVal DstVal = state->getSVal(Dst); 1078 1079 state = checkNonNull(C, state, Dst, DstVal); 1080 if (!state) 1081 return; 1082 1083 // Check that the source is non-null. 1084 const Expr *srcExpr = CE->getArg(1); 1085 SVal srcVal = state->getSVal(srcExpr); 1086 state = checkNonNull(C, state, srcExpr, srcVal); 1087 if (!state) 1088 return; 1089 1090 // Get the string length of the source. 1091 SVal strLength = getCStringLength(C, state, srcExpr, srcVal); 1092 1093 // If the source isn't a valid C string, give up. 1094 if (strLength.isUndef()) 1095 return; 1096 1097 // If the function is strncpy, strncat, etc... it is bounded. 1098 if (isBounded) { 1099 // Get the max number of characters to copy. 1100 const Expr *lenExpr = CE->getArg(2); 1101 SVal lenVal = state->getSVal(lenExpr); 1102 1103 // Cast the length to a NonLoc SVal. If it is not a NonLoc then give up. 1104 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 1105 if (!strLengthNL) 1106 return; 1107 1108 // Cast the max length to a NonLoc SVal. If it is not a NonLoc then give up. 1109 NonLoc *lenValNL = dyn_cast<NonLoc>(&lenVal); 1110 if (!lenValNL) 1111 return; 1112 1113 QualType cmpTy = C.getSValBuilder().getContext().IntTy; 1114 const GRState *stateTrue, *stateFalse; 1115 1116 // Check if the max number to copy is less than the length of the src. 1117 llvm::tie(stateTrue, stateFalse) = 1118 state->assume(cast<DefinedOrUnknownSVal> 1119 (C.getSValBuilder().evalBinOpNN(state, BO_GT, 1120 *strLengthNL, *lenValNL, 1121 cmpTy))); 1122 1123 if (stateTrue) { 1124 // Max number to copy is less than the length of the src, so the actual 1125 // strLength copied is the max number arg. 1126 strLength = lenVal; 1127 } 1128 } 1129 1130 // If this is an appending function (strcat, strncat...) then set the 1131 // string length to strlen(src) + strlen(dst) since the buffer will 1132 // ultimately contain both. 1133 if (isAppending) { 1134 // Get the string length of the destination, or give up. 1135 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1136 if (dstStrLength.isUndef()) 1137 return; 1138 1139 NonLoc *srcStrLengthNL = dyn_cast<NonLoc>(&strLength); 1140 NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength); 1141 1142 // If src or dst cast to NonLoc is NULL, give up. 1143 if ((!srcStrLengthNL) || (!dstStrLengthNL)) 1144 return; 1145 1146 QualType addTy = C.getSValBuilder().getContext().getSizeType(); 1147 1148 strLength = C.getSValBuilder().evalBinOpNN(state, BO_Add, 1149 *srcStrLengthNL, *dstStrLengthNL, 1150 addTy); 1151 } 1152 1153 SVal Result = (returnEnd ? UnknownVal() : DstVal); 1154 1155 // If the destination is a MemRegion, try to check for a buffer overflow and 1156 // record the new string length. 1157 if (loc::MemRegionVal *dstRegVal = dyn_cast<loc::MemRegionVal>(&DstVal)) { 1158 // If the length is known, we can check for an overflow. 1159 if (NonLoc *knownStrLength = dyn_cast<NonLoc>(&strLength)) { 1160 SVal lastElement = 1161 C.getSValBuilder().evalBinOpLN(state, BO_Add, *dstRegVal, 1162 *knownStrLength, Dst->getType()); 1163 1164 state = CheckLocation(C, state, Dst, lastElement, /* IsDst = */ true); 1165 if (!state) 1166 return; 1167 1168 // If this is a stpcpy-style copy, the last element is the return value. 1169 if (returnEnd) 1170 Result = lastElement; 1171 } 1172 1173 // Invalidate the destination. This must happen before we set the C string 1174 // length because invalidation will clear the length. 1175 // FIXME: Even if we can't perfectly model the copy, we should see if we 1176 // can use LazyCompoundVals to copy the source values into the destination. 1177 // This would probably remove any existing bindings past the end of the 1178 // string, but that's still an improvement over blank invalidation. 1179 state = InvalidateBuffer(C, state, Dst, *dstRegVal); 1180 1181 // Set the C string length of the destination. 1182 state = setCStringLength(state, dstRegVal->getRegion(), strLength); 1183 } 1184 1185 // If this is a stpcpy-style copy, but we were unable to check for a buffer 1186 // overflow, we still need a result. Conjure a return value. 1187 if (returnEnd && Result.isUnknown()) { 1188 SValBuilder &svalBuilder = C.getSValBuilder(); 1189 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 1190 strLength = svalBuilder.getConjuredSymbolVal(NULL, CE, Count); 1191 } 1192 1193 // Set the return value. 1194 state = state->BindExpr(CE, Result); 1195 C.addTransition(state); 1196} 1197 1198void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const { 1199 //int strcmp(const char *restrict s1, const char *restrict s2); 1200 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false); 1201} 1202 1203void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const { 1204 //int strncmp(const char *restrict s1, const char *restrict s2, size_t n); 1205 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false); 1206} 1207 1208void CStringChecker::evalStrcasecmp(CheckerContext &C, 1209 const CallExpr *CE) const { 1210 //int strcasecmp(const char *restrict s1, const char *restrict s2); 1211 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true); 1212} 1213 1214void CStringChecker::evalStrncasecmp(CheckerContext &C, 1215 const CallExpr *CE) const { 1216 //int strncasecmp(const char *restrict s1, const char *restrict s2, size_t n); 1217 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true); 1218} 1219 1220void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, 1221 bool isBounded, bool ignoreCase) const { 1222 const GRState *state = C.getState(); 1223 1224 // Check that the first string is non-null 1225 const Expr *s1 = CE->getArg(0); 1226 SVal s1Val = state->getSVal(s1); 1227 state = checkNonNull(C, state, s1, s1Val); 1228 if (!state) 1229 return; 1230 1231 // Check that the second string is non-null. 1232 const Expr *s2 = CE->getArg(1); 1233 SVal s2Val = state->getSVal(s2); 1234 state = checkNonNull(C, state, s2, s2Val); 1235 if (!state) 1236 return; 1237 1238 // Get the string length of the first string or give up. 1239 SVal s1Length = getCStringLength(C, state, s1, s1Val); 1240 if (s1Length.isUndef()) 1241 return; 1242 1243 // Get the string length of the second string or give up. 1244 SVal s2Length = getCStringLength(C, state, s2, s2Val); 1245 if (s2Length.isUndef()) 1246 return; 1247 1248 // Get the string literal of the first string. 1249 const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val); 1250 if (!s1StrLiteral) 1251 return; 1252 llvm::StringRef s1StrRef = s1StrLiteral->getString(); 1253 1254 // Get the string literal of the second string. 1255 const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val); 1256 if (!s2StrLiteral) 1257 return; 1258 llvm::StringRef s2StrRef = s2StrLiteral->getString(); 1259 1260 int result; 1261 if (isBounded) { 1262 // Get the max number of characters to compare. 1263 const Expr *lenExpr = CE->getArg(2); 1264 SVal lenVal = state->getSVal(lenExpr); 1265 1266 // Dynamically cast the length to a ConcreteInt. If it is not a ConcreteInt 1267 // then give up, otherwise get the value and use it as the bounds. 1268 nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&lenVal); 1269 if (!CI) 1270 return; 1271 llvm::APSInt lenInt(CI->getValue()); 1272 1273 // Create substrings of each to compare the prefix. 1274 s1StrRef = s1StrRef.substr(0, (size_t)lenInt.getLimitedValue()); 1275 s2StrRef = s2StrRef.substr(0, (size_t)lenInt.getLimitedValue()); 1276 } 1277 1278 if (ignoreCase) { 1279 // Compare string 1 to string 2 the same way strcasecmp() does. 1280 result = s1StrRef.compare_lower(s2StrRef); 1281 } else { 1282 // Compare string 1 to string 2 the same way strcmp() does. 1283 result = s1StrRef.compare(s2StrRef); 1284 } 1285 1286 // Build the SVal of the comparison to bind the return value. 1287 SValBuilder &svalBuilder = C.getSValBuilder(); 1288 QualType intTy = svalBuilder.getContext().IntTy; 1289 SVal resultVal = svalBuilder.makeIntVal(result, intTy); 1290 1291 // Bind the return value of the expression. 1292 // Set the return value. 1293 state = state->BindExpr(CE, resultVal); 1294 C.addTransition(state); 1295} 1296 1297//===----------------------------------------------------------------------===// 1298// The driver method, and other Checker callbacks. 1299//===----------------------------------------------------------------------===// 1300 1301bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { 1302 // Get the callee. All the functions we care about are C functions 1303 // with simple identifiers. 1304 const GRState *state = C.getState(); 1305 const Expr *Callee = CE->getCallee(); 1306 const FunctionDecl *FD = state->getSVal(Callee).getAsFunctionDecl(); 1307 1308 if (!FD) 1309 return false; 1310 1311 // Get the name of the callee. If it's a builtin, strip off the prefix. 1312 IdentifierInfo *II = FD->getIdentifier(); 1313 if (!II) // if no identifier, not a simple C function 1314 return false; 1315 llvm::StringRef Name = II->getName(); 1316 if (Name.startswith("__builtin_")) 1317 Name = Name.substr(10); 1318 1319 FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name) 1320 .Cases("memcpy", "__memcpy_chk", &CStringChecker::evalMemcpy) 1321 .Cases("mempcpy", "__mempcpy_chk", &CStringChecker::evalMempcpy) 1322 .Cases("memcmp", "bcmp", &CStringChecker::evalMemcmp) 1323 .Cases("memmove", "__memmove_chk", &CStringChecker::evalMemmove) 1324 .Cases("strcpy", "__strcpy_chk", &CStringChecker::evalStrcpy) 1325 //.Cases("strncpy", "__strncpy_chk", &CStringChecker::evalStrncpy) 1326 .Cases("stpcpy", "__stpcpy_chk", &CStringChecker::evalStpcpy) 1327 .Cases("strcat", "__strcat_chk", &CStringChecker::evalStrcat) 1328 .Cases("strncat", "__strncat_chk", &CStringChecker::evalStrncat) 1329 .Case("strlen", &CStringChecker::evalstrLength) 1330 .Case("strnlen", &CStringChecker::evalstrnLength) 1331 .Case("strcmp", &CStringChecker::evalStrcmp) 1332 .Case("strncmp", &CStringChecker::evalStrncmp) 1333 .Case("strcasecmp", &CStringChecker::evalStrcasecmp) 1334 .Case("strncasecmp", &CStringChecker::evalStrncasecmp) 1335 .Case("bcopy", &CStringChecker::evalBcopy) 1336 .Default(NULL); 1337 1338 // If the callee isn't a string function, let another checker handle it. 1339 if (!evalFunction) 1340 return false; 1341 1342 // Check and evaluate the call. 1343 (this->*evalFunction)(C, CE); 1344 return true; 1345} 1346 1347void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const { 1348 // Record string length for char a[] = "abc"; 1349 const GRState *state = C.getState(); 1350 1351 for (DeclStmt::const_decl_iterator I = DS->decl_begin(), E = DS->decl_end(); 1352 I != E; ++I) { 1353 const VarDecl *D = dyn_cast<VarDecl>(*I); 1354 if (!D) 1355 continue; 1356 1357 // FIXME: Handle array fields of structs. 1358 if (!D->getType()->isArrayType()) 1359 continue; 1360 1361 const Expr *Init = D->getInit(); 1362 if (!Init) 1363 continue; 1364 if (!isa<StringLiteral>(Init)) 1365 continue; 1366 1367 Loc VarLoc = state->getLValue(D, C.getPredecessor()->getLocationContext()); 1368 const MemRegion *MR = VarLoc.getAsRegion(); 1369 if (!MR) 1370 continue; 1371 1372 SVal StrVal = state->getSVal(Init); 1373 assert(StrVal.isValid() && "Initializer string is unknown or undefined"); 1374 DefinedOrUnknownSVal strLength 1375 = cast<DefinedOrUnknownSVal>(getCStringLength(C, state, Init, StrVal)); 1376 1377 state = state->set<CStringLength>(MR, strLength); 1378 } 1379 1380 C.addTransition(state); 1381} 1382 1383bool CStringChecker::wantsRegionChangeUpdate(const GRState *state) const { 1384 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1385 return !Entries.isEmpty(); 1386} 1387 1388const GRState * 1389CStringChecker::checkRegionChanges(const GRState *state, 1390 const StoreManager::InvalidatedSymbols *, 1391 const MemRegion * const *Begin, 1392 const MemRegion * const *End) const { 1393 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1394 if (Entries.isEmpty()) 1395 return state; 1396 1397 llvm::SmallPtrSet<const MemRegion *, 8> Invalidated; 1398 llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions; 1399 1400 // First build sets for the changed regions and their super-regions. 1401 for ( ; Begin != End; ++Begin) { 1402 const MemRegion *MR = *Begin; 1403 Invalidated.insert(MR); 1404 1405 SuperRegions.insert(MR); 1406 while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) { 1407 MR = SR->getSuperRegion(); 1408 SuperRegions.insert(MR); 1409 } 1410 } 1411 1412 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>(); 1413 1414 // Then loop over the entries in the current state. 1415 for (CStringLength::EntryMap::iterator I = Entries.begin(), 1416 E = Entries.end(); I != E; ++I) { 1417 const MemRegion *MR = I.getKey(); 1418 1419 // Is this entry for a super-region of a changed region? 1420 if (SuperRegions.count(MR)) { 1421 Entries = F.remove(Entries, MR); 1422 continue; 1423 } 1424 1425 // Is this entry for a sub-region of a changed region? 1426 const MemRegion *Super = MR; 1427 while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) { 1428 Super = SR->getSuperRegion(); 1429 if (Invalidated.count(Super)) { 1430 Entries = F.remove(Entries, MR); 1431 break; 1432 } 1433 } 1434 } 1435 1436 return state->set<CStringLength>(Entries); 1437} 1438 1439void CStringChecker::checkLiveSymbols(const GRState *state, 1440 SymbolReaper &SR) const { 1441 // Mark all symbols in our string length map as valid. 1442 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1443 1444 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end(); 1445 I != E; ++I) { 1446 SVal Len = I.getData(); 1447 if (SymbolRef Sym = Len.getAsSymbol()) 1448 SR.markInUse(Sym); 1449 } 1450} 1451 1452void CStringChecker::checkDeadSymbols(SymbolReaper &SR, 1453 CheckerContext &C) const { 1454 if (!SR.hasDeadSymbols()) 1455 return; 1456 1457 const GRState *state = C.getState(); 1458 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1459 if (Entries.isEmpty()) 1460 return; 1461 1462 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>(); 1463 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end(); 1464 I != E; ++I) { 1465 SVal Len = I.getData(); 1466 if (SymbolRef Sym = Len.getAsSymbol()) { 1467 if (SR.isDead(Sym)) 1468 Entries = F.remove(Entries, I.getKey()); 1469 } 1470 } 1471 1472 state = state->set<CStringLength>(Entries); 1473 C.generateNode(state); 1474} 1475 1476void ento::registerCStringChecker(CheckerManager &mgr) { 1477 mgr.registerChecker<CStringChecker>(); 1478} 1479