CStringChecker.cpp revision 223f0ff6a9a5d0eaf63b98b3aa92888b4c088868
1//= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This defines CStringChecker, which is an assortment of checks on calls 11// to functions in <string.h>. 12// 13//===----------------------------------------------------------------------===// 14 15#include "ClangSACheckers.h" 16#include "InterCheckerAPI.h" 17#include "clang/Basic/CharInfo.h" 18#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 19#include "clang/StaticAnalyzer/Core/Checker.h" 20#include "clang/StaticAnalyzer/Core/CheckerManager.h" 21#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 22#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 23#include "llvm/ADT/STLExtras.h" 24#include "llvm/ADT/SmallString.h" 25#include "llvm/ADT/StringSwitch.h" 26#include "llvm/Support/raw_ostream.h" 27 28using namespace clang; 29using namespace ento; 30 31namespace { 32class CStringChecker : public Checker< eval::Call, 33 check::PreStmt<DeclStmt>, 34 check::LiveSymbols, 35 check::DeadSymbols, 36 check::RegionChanges 37 > { 38 mutable OwningPtr<BugType> BT_Null, 39 BT_Bounds, 40 BT_Overlap, 41 BT_NotCString, 42 BT_AdditionOverflow; 43 44 mutable const char *CurrentFunctionDescription; 45 46public: 47 /// The filter is used to filter out the diagnostics which are not enabled by 48 /// the user. 49 struct CStringChecksFilter { 50 DefaultBool CheckCStringNullArg; 51 DefaultBool CheckCStringOutOfBounds; 52 DefaultBool CheckCStringBufferOverlap; 53 DefaultBool CheckCStringNotNullTerm; 54 }; 55 56 CStringChecksFilter Filter; 57 58 static void *getTag() { static int tag; return &tag; } 59 60 bool evalCall(const CallExpr *CE, CheckerContext &C) const; 61 void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; 62 void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const; 63 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; 64 bool wantsRegionChangeUpdate(ProgramStateRef state) const; 65 66 ProgramStateRef 67 checkRegionChanges(ProgramStateRef state, 68 const InvalidatedSymbols *, 69 ArrayRef<const MemRegion *> ExplicitRegions, 70 ArrayRef<const MemRegion *> Regions, 71 const CallEvent *Call) const; 72 73 typedef void (CStringChecker::*FnCheck)(CheckerContext &, 74 const CallExpr *) const; 75 76 void evalMemcpy(CheckerContext &C, const CallExpr *CE) const; 77 void evalMempcpy(CheckerContext &C, const CallExpr *CE) const; 78 void evalMemmove(CheckerContext &C, const CallExpr *CE) const; 79 void evalBcopy(CheckerContext &C, const CallExpr *CE) const; 80 void evalCopyCommon(CheckerContext &C, const CallExpr *CE, 81 ProgramStateRef state, 82 const Expr *Size, 83 const Expr *Source, 84 const Expr *Dest, 85 bool Restricted = false, 86 bool IsMempcpy = false) const; 87 88 void evalMemcmp(CheckerContext &C, const CallExpr *CE) const; 89 90 void evalstrLength(CheckerContext &C, const CallExpr *CE) const; 91 void evalstrnLength(CheckerContext &C, const CallExpr *CE) const; 92 void evalstrLengthCommon(CheckerContext &C, 93 const CallExpr *CE, 94 bool IsStrnlen = false) const; 95 96 void evalStrcpy(CheckerContext &C, const CallExpr *CE) const; 97 void evalStrncpy(CheckerContext &C, const CallExpr *CE) const; 98 void evalStpcpy(CheckerContext &C, const CallExpr *CE) const; 99 void evalStrcpyCommon(CheckerContext &C, 100 const CallExpr *CE, 101 bool returnEnd, 102 bool isBounded, 103 bool isAppending) const; 104 105 void evalStrcat(CheckerContext &C, const CallExpr *CE) const; 106 void evalStrncat(CheckerContext &C, const CallExpr *CE) const; 107 108 void evalStrcmp(CheckerContext &C, const CallExpr *CE) const; 109 void evalStrncmp(CheckerContext &C, const CallExpr *CE) const; 110 void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const; 111 void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const; 112 void evalStrcmpCommon(CheckerContext &C, 113 const CallExpr *CE, 114 bool isBounded = false, 115 bool ignoreCase = false) const; 116 117 // Utility methods 118 std::pair<ProgramStateRef , ProgramStateRef > 119 static assumeZero(CheckerContext &C, 120 ProgramStateRef state, SVal V, QualType Ty); 121 122 static ProgramStateRef setCStringLength(ProgramStateRef state, 123 const MemRegion *MR, 124 SVal strLength); 125 static SVal getCStringLengthForRegion(CheckerContext &C, 126 ProgramStateRef &state, 127 const Expr *Ex, 128 const MemRegion *MR, 129 bool hypothetical); 130 SVal getCStringLength(CheckerContext &C, 131 ProgramStateRef &state, 132 const Expr *Ex, 133 SVal Buf, 134 bool hypothetical = false) const; 135 136 const StringLiteral *getCStringLiteral(CheckerContext &C, 137 ProgramStateRef &state, 138 const Expr *expr, 139 SVal val) const; 140 141 static ProgramStateRef InvalidateBuffer(CheckerContext &C, 142 ProgramStateRef state, 143 const Expr *Ex, SVal V); 144 145 static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx, 146 const MemRegion *MR); 147 148 // Re-usable checks 149 ProgramStateRef checkNonNull(CheckerContext &C, 150 ProgramStateRef state, 151 const Expr *S, 152 SVal l) const; 153 ProgramStateRef CheckLocation(CheckerContext &C, 154 ProgramStateRef state, 155 const Expr *S, 156 SVal l, 157 const char *message = NULL) const; 158 ProgramStateRef CheckBufferAccess(CheckerContext &C, 159 ProgramStateRef state, 160 const Expr *Size, 161 const Expr *FirstBuf, 162 const Expr *SecondBuf, 163 const char *firstMessage = NULL, 164 const char *secondMessage = NULL, 165 bool WarnAboutSize = false) const; 166 167 ProgramStateRef CheckBufferAccess(CheckerContext &C, 168 ProgramStateRef state, 169 const Expr *Size, 170 const Expr *Buf, 171 const char *message = NULL, 172 bool WarnAboutSize = false) const { 173 // This is a convenience override. 174 return CheckBufferAccess(C, state, Size, Buf, NULL, message, NULL, 175 WarnAboutSize); 176 } 177 ProgramStateRef CheckOverlap(CheckerContext &C, 178 ProgramStateRef state, 179 const Expr *Size, 180 const Expr *First, 181 const Expr *Second) const; 182 void emitOverlapBug(CheckerContext &C, 183 ProgramStateRef state, 184 const Stmt *First, 185 const Stmt *Second) const; 186 187 ProgramStateRef checkAdditionOverflow(CheckerContext &C, 188 ProgramStateRef state, 189 NonLoc left, 190 NonLoc right) const; 191}; 192 193} //end anonymous namespace 194 195REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal) 196 197//===----------------------------------------------------------------------===// 198// Individual checks and utility methods. 199//===----------------------------------------------------------------------===// 200 201std::pair<ProgramStateRef , ProgramStateRef > 202CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V, 203 QualType Ty) { 204 DefinedSVal *val = dyn_cast<DefinedSVal>(&V); 205 if (!val) 206 return std::pair<ProgramStateRef , ProgramStateRef >(state, state); 207 208 SValBuilder &svalBuilder = C.getSValBuilder(); 209 DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty); 210 return state->assume(svalBuilder.evalEQ(state, *val, zero)); 211} 212 213ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C, 214 ProgramStateRef state, 215 const Expr *S, SVal l) const { 216 // If a previous check has failed, propagate the failure. 217 if (!state) 218 return NULL; 219 220 ProgramStateRef stateNull, stateNonNull; 221 llvm::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType()); 222 223 if (stateNull && !stateNonNull) { 224 if (!Filter.CheckCStringNullArg) 225 return NULL; 226 227 ExplodedNode *N = C.generateSink(stateNull); 228 if (!N) 229 return NULL; 230 231 if (!BT_Null) 232 BT_Null.reset(new BuiltinBug("Unix API", 233 "Null pointer argument in call to byte string function")); 234 235 SmallString<80> buf; 236 llvm::raw_svector_ostream os(buf); 237 assert(CurrentFunctionDescription); 238 os << "Null pointer argument in call to " << CurrentFunctionDescription; 239 240 // Generate a report for this bug. 241 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get()); 242 BugReport *report = new BugReport(*BT, os.str(), N); 243 244 report->addRange(S->getSourceRange()); 245 bugreporter::trackNullOrUndefValue(N, S, *report); 246 C.emitReport(report); 247 return NULL; 248 } 249 250 // From here on, assume that the value is non-null. 251 assert(stateNonNull); 252 return stateNonNull; 253} 254 255// FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor? 256ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C, 257 ProgramStateRef state, 258 const Expr *S, SVal l, 259 const char *warningMsg) const { 260 // If a previous check has failed, propagate the failure. 261 if (!state) 262 return NULL; 263 264 // Check for out of bound array element access. 265 const MemRegion *R = l.getAsRegion(); 266 if (!R) 267 return state; 268 269 const ElementRegion *ER = dyn_cast<ElementRegion>(R); 270 if (!ER) 271 return state; 272 273 assert(ER->getValueType() == C.getASTContext().CharTy && 274 "CheckLocation should only be called with char* ElementRegions"); 275 276 // Get the size of the array. 277 const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion()); 278 SValBuilder &svalBuilder = C.getSValBuilder(); 279 SVal Extent = 280 svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder)); 281 DefinedOrUnknownSVal Size = cast<DefinedOrUnknownSVal>(Extent); 282 283 // Get the index of the accessed element. 284 DefinedOrUnknownSVal Idx = cast<DefinedOrUnknownSVal>(ER->getIndex()); 285 286 ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true); 287 ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false); 288 if (StOutBound && !StInBound) { 289 ExplodedNode *N = C.generateSink(StOutBound); 290 if (!N) 291 return NULL; 292 293 if (!BT_Bounds) { 294 BT_Bounds.reset(new BuiltinBug("Out-of-bound array access", 295 "Byte string function accesses out-of-bound array element")); 296 } 297 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get()); 298 299 // Generate a report for this bug. 300 BugReport *report; 301 if (warningMsg) { 302 report = new BugReport(*BT, warningMsg, N); 303 } else { 304 assert(CurrentFunctionDescription); 305 assert(CurrentFunctionDescription[0] != '\0'); 306 307 SmallString<80> buf; 308 llvm::raw_svector_ostream os(buf); 309 os << toUppercase(CurrentFunctionDescription[0]) 310 << &CurrentFunctionDescription[1] 311 << " accesses out-of-bound array element"; 312 report = new BugReport(*BT, os.str(), N); 313 } 314 315 // FIXME: It would be nice to eventually make this diagnostic more clear, 316 // e.g., by referencing the original declaration or by saying *why* this 317 // reference is outside the range. 318 319 report->addRange(S->getSourceRange()); 320 C.emitReport(report); 321 return NULL; 322 } 323 324 // Array bound check succeeded. From this point forward the array bound 325 // should always succeed. 326 return StInBound; 327} 328 329ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C, 330 ProgramStateRef state, 331 const Expr *Size, 332 const Expr *FirstBuf, 333 const Expr *SecondBuf, 334 const char *firstMessage, 335 const char *secondMessage, 336 bool WarnAboutSize) const { 337 // If a previous check has failed, propagate the failure. 338 if (!state) 339 return NULL; 340 341 SValBuilder &svalBuilder = C.getSValBuilder(); 342 ASTContext &Ctx = svalBuilder.getContext(); 343 const LocationContext *LCtx = C.getLocationContext(); 344 345 QualType sizeTy = Size->getType(); 346 QualType PtrTy = Ctx.getPointerType(Ctx.CharTy); 347 348 // Check that the first buffer is non-null. 349 SVal BufVal = state->getSVal(FirstBuf, LCtx); 350 state = checkNonNull(C, state, FirstBuf, BufVal); 351 if (!state) 352 return NULL; 353 354 // If out-of-bounds checking is turned off, skip the rest. 355 if (!Filter.CheckCStringOutOfBounds) 356 return state; 357 358 // Get the access length and make sure it is known. 359 // FIXME: This assumes the caller has already checked that the access length 360 // is positive. And that it's unsigned. 361 SVal LengthVal = state->getSVal(Size, LCtx); 362 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 363 if (!Length) 364 return state; 365 366 // Compute the offset of the last element to be accessed: size-1. 367 NonLoc One = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy)); 368 NonLoc LastOffset = cast<NonLoc>(svalBuilder.evalBinOpNN(state, BO_Sub, 369 *Length, One, sizeTy)); 370 371 // Check that the first buffer is sufficiently long. 372 SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); 373 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 374 const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf); 375 376 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 377 LastOffset, PtrTy); 378 state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage); 379 380 // If the buffer isn't large enough, abort. 381 if (!state) 382 return NULL; 383 } 384 385 // If there's a second buffer, check it as well. 386 if (SecondBuf) { 387 BufVal = state->getSVal(SecondBuf, LCtx); 388 state = checkNonNull(C, state, SecondBuf, BufVal); 389 if (!state) 390 return NULL; 391 392 BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType()); 393 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 394 const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf); 395 396 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 397 LastOffset, PtrTy); 398 state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage); 399 } 400 } 401 402 // Large enough or not, return this state! 403 return state; 404} 405 406ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C, 407 ProgramStateRef state, 408 const Expr *Size, 409 const Expr *First, 410 const Expr *Second) const { 411 if (!Filter.CheckCStringBufferOverlap) 412 return state; 413 414 // Do a simple check for overlap: if the two arguments are from the same 415 // buffer, see if the end of the first is greater than the start of the second 416 // or vice versa. 417 418 // If a previous check has failed, propagate the failure. 419 if (!state) 420 return NULL; 421 422 ProgramStateRef stateTrue, stateFalse; 423 424 // Get the buffer values and make sure they're known locations. 425 const LocationContext *LCtx = C.getLocationContext(); 426 SVal firstVal = state->getSVal(First, LCtx); 427 SVal secondVal = state->getSVal(Second, LCtx); 428 429 Loc *firstLoc = dyn_cast<Loc>(&firstVal); 430 if (!firstLoc) 431 return state; 432 433 Loc *secondLoc = dyn_cast<Loc>(&secondVal); 434 if (!secondLoc) 435 return state; 436 437 // Are the two values the same? 438 SValBuilder &svalBuilder = C.getSValBuilder(); 439 llvm::tie(stateTrue, stateFalse) = 440 state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc)); 441 442 if (stateTrue && !stateFalse) { 443 // If the values are known to be equal, that's automatically an overlap. 444 emitOverlapBug(C, stateTrue, First, Second); 445 return NULL; 446 } 447 448 // assume the two expressions are not equal. 449 assert(stateFalse); 450 state = stateFalse; 451 452 // Which value comes first? 453 QualType cmpTy = svalBuilder.getConditionType(); 454 SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT, 455 *firstLoc, *secondLoc, cmpTy); 456 DefinedOrUnknownSVal *reverseTest = dyn_cast<DefinedOrUnknownSVal>(&reverse); 457 if (!reverseTest) 458 return state; 459 460 llvm::tie(stateTrue, stateFalse) = state->assume(*reverseTest); 461 if (stateTrue) { 462 if (stateFalse) { 463 // If we don't know which one comes first, we can't perform this test. 464 return state; 465 } else { 466 // Switch the values so that firstVal is before secondVal. 467 Loc *tmpLoc = firstLoc; 468 firstLoc = secondLoc; 469 secondLoc = tmpLoc; 470 471 // Switch the Exprs as well, so that they still correspond. 472 const Expr *tmpExpr = First; 473 First = Second; 474 Second = tmpExpr; 475 } 476 } 477 478 // Get the length, and make sure it too is known. 479 SVal LengthVal = state->getSVal(Size, LCtx); 480 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 481 if (!Length) 482 return state; 483 484 // Convert the first buffer's start address to char*. 485 // Bail out if the cast fails. 486 ASTContext &Ctx = svalBuilder.getContext(); 487 QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy); 488 SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy, 489 First->getType()); 490 Loc *FirstStartLoc = dyn_cast<Loc>(&FirstStart); 491 if (!FirstStartLoc) 492 return state; 493 494 // Compute the end of the first buffer. Bail out if THAT fails. 495 SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, 496 *FirstStartLoc, *Length, CharPtrTy); 497 Loc *FirstEndLoc = dyn_cast<Loc>(&FirstEnd); 498 if (!FirstEndLoc) 499 return state; 500 501 // Is the end of the first buffer past the start of the second buffer? 502 SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT, 503 *FirstEndLoc, *secondLoc, cmpTy); 504 DefinedOrUnknownSVal *OverlapTest = dyn_cast<DefinedOrUnknownSVal>(&Overlap); 505 if (!OverlapTest) 506 return state; 507 508 llvm::tie(stateTrue, stateFalse) = state->assume(*OverlapTest); 509 510 if (stateTrue && !stateFalse) { 511 // Overlap! 512 emitOverlapBug(C, stateTrue, First, Second); 513 return NULL; 514 } 515 516 // assume the two expressions don't overlap. 517 assert(stateFalse); 518 return stateFalse; 519} 520 521void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state, 522 const Stmt *First, const Stmt *Second) const { 523 ExplodedNode *N = C.generateSink(state); 524 if (!N) 525 return; 526 527 if (!BT_Overlap) 528 BT_Overlap.reset(new BugType("Unix API", "Improper arguments")); 529 530 // Generate a report for this bug. 531 BugReport *report = 532 new BugReport(*BT_Overlap, 533 "Arguments must not be overlapping buffers", N); 534 report->addRange(First->getSourceRange()); 535 report->addRange(Second->getSourceRange()); 536 537 C.emitReport(report); 538} 539 540ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C, 541 ProgramStateRef state, 542 NonLoc left, 543 NonLoc right) const { 544 // If out-of-bounds checking is turned off, skip the rest. 545 if (!Filter.CheckCStringOutOfBounds) 546 return state; 547 548 // If a previous check has failed, propagate the failure. 549 if (!state) 550 return NULL; 551 552 SValBuilder &svalBuilder = C.getSValBuilder(); 553 BasicValueFactory &BVF = svalBuilder.getBasicValueFactory(); 554 555 QualType sizeTy = svalBuilder.getContext().getSizeType(); 556 const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy); 557 NonLoc maxVal = svalBuilder.makeIntVal(maxValInt); 558 559 SVal maxMinusRight; 560 if (isa<nonloc::ConcreteInt>(right)) { 561 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right, 562 sizeTy); 563 } else { 564 // Try switching the operands. (The order of these two assignments is 565 // important!) 566 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left, 567 sizeTy); 568 left = right; 569 } 570 571 if (NonLoc *maxMinusRightNL = dyn_cast<NonLoc>(&maxMinusRight)) { 572 QualType cmpTy = svalBuilder.getConditionType(); 573 // If left > max - right, we have an overflow. 574 SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left, 575 *maxMinusRightNL, cmpTy); 576 577 ProgramStateRef stateOverflow, stateOkay; 578 llvm::tie(stateOverflow, stateOkay) = 579 state->assume(cast<DefinedOrUnknownSVal>(willOverflow)); 580 581 if (stateOverflow && !stateOkay) { 582 // We have an overflow. Emit a bug report. 583 ExplodedNode *N = C.generateSink(stateOverflow); 584 if (!N) 585 return NULL; 586 587 if (!BT_AdditionOverflow) 588 BT_AdditionOverflow.reset(new BuiltinBug("API", 589 "Sum of expressions causes overflow")); 590 591 // This isn't a great error message, but this should never occur in real 592 // code anyway -- you'd have to create a buffer longer than a size_t can 593 // represent, which is sort of a contradiction. 594 const char *warning = 595 "This expression will create a string whose length is too big to " 596 "be represented as a size_t"; 597 598 // Generate a report for this bug. 599 BugReport *report = new BugReport(*BT_AdditionOverflow, warning, N); 600 C.emitReport(report); 601 602 return NULL; 603 } 604 605 // From now on, assume an overflow didn't occur. 606 assert(stateOkay); 607 state = stateOkay; 608 } 609 610 return state; 611} 612 613ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state, 614 const MemRegion *MR, 615 SVal strLength) { 616 assert(!strLength.isUndef() && "Attempt to set an undefined string length"); 617 618 MR = MR->StripCasts(); 619 620 switch (MR->getKind()) { 621 case MemRegion::StringRegionKind: 622 // FIXME: This can happen if we strcpy() into a string region. This is 623 // undefined [C99 6.4.5p6], but we should still warn about it. 624 return state; 625 626 case MemRegion::SymbolicRegionKind: 627 case MemRegion::AllocaRegionKind: 628 case MemRegion::VarRegionKind: 629 case MemRegion::FieldRegionKind: 630 case MemRegion::ObjCIvarRegionKind: 631 // These are the types we can currently track string lengths for. 632 break; 633 634 case MemRegion::ElementRegionKind: 635 // FIXME: Handle element regions by upper-bounding the parent region's 636 // string length. 637 return state; 638 639 default: 640 // Other regions (mostly non-data) can't have a reliable C string length. 641 // For now, just ignore the change. 642 // FIXME: These are rare but not impossible. We should output some kind of 643 // warning for things like strcpy((char[]){'a', 0}, "b"); 644 return state; 645 } 646 647 if (strLength.isUnknown()) 648 return state->remove<CStringLength>(MR); 649 650 return state->set<CStringLength>(MR, strLength); 651} 652 653SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C, 654 ProgramStateRef &state, 655 const Expr *Ex, 656 const MemRegion *MR, 657 bool hypothetical) { 658 if (!hypothetical) { 659 // If there's a recorded length, go ahead and return it. 660 const SVal *Recorded = state->get<CStringLength>(MR); 661 if (Recorded) 662 return *Recorded; 663 } 664 665 // Otherwise, get a new symbol and update the state. 666 SValBuilder &svalBuilder = C.getSValBuilder(); 667 QualType sizeTy = svalBuilder.getContext().getSizeType(); 668 SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(), 669 MR, Ex, sizeTy, 670 C.blockCount()); 671 672 if (!hypothetical) 673 state = state->set<CStringLength>(MR, strLength); 674 675 return strLength; 676} 677 678SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state, 679 const Expr *Ex, SVal Buf, 680 bool hypothetical) const { 681 const MemRegion *MR = Buf.getAsRegion(); 682 if (!MR) { 683 // If we can't get a region, see if it's something we /know/ isn't a 684 // C string. In the context of locations, the only time we can issue such 685 // a warning is for labels. 686 if (loc::GotoLabel *Label = dyn_cast<loc::GotoLabel>(&Buf)) { 687 if (!Filter.CheckCStringNotNullTerm) 688 return UndefinedVal(); 689 690 if (ExplodedNode *N = C.addTransition(state)) { 691 if (!BT_NotCString) 692 BT_NotCString.reset(new BuiltinBug("Unix API", 693 "Argument is not a null-terminated string.")); 694 695 SmallString<120> buf; 696 llvm::raw_svector_ostream os(buf); 697 assert(CurrentFunctionDescription); 698 os << "Argument to " << CurrentFunctionDescription 699 << " is the address of the label '" << Label->getLabel()->getName() 700 << "', which is not a null-terminated string"; 701 702 // Generate a report for this bug. 703 BugReport *report = new BugReport(*BT_NotCString, 704 os.str(), N); 705 706 report->addRange(Ex->getSourceRange()); 707 C.emitReport(report); 708 } 709 return UndefinedVal(); 710 711 } 712 713 // If it's not a region and not a label, give up. 714 return UnknownVal(); 715 } 716 717 // If we have a region, strip casts from it and see if we can figure out 718 // its length. For anything we can't figure out, just return UnknownVal. 719 MR = MR->StripCasts(); 720 721 switch (MR->getKind()) { 722 case MemRegion::StringRegionKind: { 723 // Modifying the contents of string regions is undefined [C99 6.4.5p6], 724 // so we can assume that the byte length is the correct C string length. 725 SValBuilder &svalBuilder = C.getSValBuilder(); 726 QualType sizeTy = svalBuilder.getContext().getSizeType(); 727 const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral(); 728 return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy); 729 } 730 case MemRegion::SymbolicRegionKind: 731 case MemRegion::AllocaRegionKind: 732 case MemRegion::VarRegionKind: 733 case MemRegion::FieldRegionKind: 734 case MemRegion::ObjCIvarRegionKind: 735 return getCStringLengthForRegion(C, state, Ex, MR, hypothetical); 736 case MemRegion::CompoundLiteralRegionKind: 737 // FIXME: Can we track this? Is it necessary? 738 return UnknownVal(); 739 case MemRegion::ElementRegionKind: 740 // FIXME: How can we handle this? It's not good enough to subtract the 741 // offset from the base string length; consider "123\x00567" and &a[5]. 742 return UnknownVal(); 743 default: 744 // Other regions (mostly non-data) can't have a reliable C string length. 745 // In this case, an error is emitted and UndefinedVal is returned. 746 // The caller should always be prepared to handle this case. 747 if (!Filter.CheckCStringNotNullTerm) 748 return UndefinedVal(); 749 750 if (ExplodedNode *N = C.addTransition(state)) { 751 if (!BT_NotCString) 752 BT_NotCString.reset(new BuiltinBug("Unix API", 753 "Argument is not a null-terminated string.")); 754 755 SmallString<120> buf; 756 llvm::raw_svector_ostream os(buf); 757 758 assert(CurrentFunctionDescription); 759 os << "Argument to " << CurrentFunctionDescription << " is "; 760 761 if (SummarizeRegion(os, C.getASTContext(), MR)) 762 os << ", which is not a null-terminated string"; 763 else 764 os << "not a null-terminated string"; 765 766 // Generate a report for this bug. 767 BugReport *report = new BugReport(*BT_NotCString, 768 os.str(), N); 769 770 report->addRange(Ex->getSourceRange()); 771 C.emitReport(report); 772 } 773 774 return UndefinedVal(); 775 } 776} 777 778const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C, 779 ProgramStateRef &state, const Expr *expr, SVal val) const { 780 781 // Get the memory region pointed to by the val. 782 const MemRegion *bufRegion = val.getAsRegion(); 783 if (!bufRegion) 784 return NULL; 785 786 // Strip casts off the memory region. 787 bufRegion = bufRegion->StripCasts(); 788 789 // Cast the memory region to a string region. 790 const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion); 791 if (!strRegion) 792 return NULL; 793 794 // Return the actual string in the string region. 795 return strRegion->getStringLiteral(); 796} 797 798ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C, 799 ProgramStateRef state, 800 const Expr *E, SVal V) { 801 Loc *L = dyn_cast<Loc>(&V); 802 if (!L) 803 return state; 804 805 // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes 806 // some assumptions about the value that CFRefCount can't. Even so, it should 807 // probably be refactored. 808 if (loc::MemRegionVal* MR = dyn_cast<loc::MemRegionVal>(L)) { 809 const MemRegion *R = MR->getRegion()->StripCasts(); 810 811 // Are we dealing with an ElementRegion? If so, we should be invalidating 812 // the super-region. 813 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) { 814 R = ER->getSuperRegion(); 815 // FIXME: What about layers of ElementRegions? 816 } 817 818 // Invalidate this region. 819 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 820 return state->invalidateRegions(R, E, C.blockCount(), LCtx, 821 /*CausesPointerEscape*/ false); 822 } 823 824 // If we have a non-region value by chance, just remove the binding. 825 // FIXME: is this necessary or correct? This handles the non-Region 826 // cases. Is it ever valid to store to these? 827 return state->killBinding(*L); 828} 829 830bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx, 831 const MemRegion *MR) { 832 const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR); 833 834 switch (MR->getKind()) { 835 case MemRegion::FunctionTextRegionKind: { 836 const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 837 if (FD) 838 os << "the address of the function '" << *FD << '\''; 839 else 840 os << "the address of a function"; 841 return true; 842 } 843 case MemRegion::BlockTextRegionKind: 844 os << "block text"; 845 return true; 846 case MemRegion::BlockDataRegionKind: 847 os << "a block"; 848 return true; 849 case MemRegion::CXXThisRegionKind: 850 case MemRegion::CXXTempObjectRegionKind: 851 os << "a C++ temp object of type " << TVR->getValueType().getAsString(); 852 return true; 853 case MemRegion::VarRegionKind: 854 os << "a variable of type" << TVR->getValueType().getAsString(); 855 return true; 856 case MemRegion::FieldRegionKind: 857 os << "a field of type " << TVR->getValueType().getAsString(); 858 return true; 859 case MemRegion::ObjCIvarRegionKind: 860 os << "an instance variable of type " << TVR->getValueType().getAsString(); 861 return true; 862 default: 863 return false; 864 } 865} 866 867//===----------------------------------------------------------------------===// 868// evaluation of individual function calls. 869//===----------------------------------------------------------------------===// 870 871void CStringChecker::evalCopyCommon(CheckerContext &C, 872 const CallExpr *CE, 873 ProgramStateRef state, 874 const Expr *Size, const Expr *Dest, 875 const Expr *Source, bool Restricted, 876 bool IsMempcpy) const { 877 CurrentFunctionDescription = "memory copy function"; 878 879 // See if the size argument is zero. 880 const LocationContext *LCtx = C.getLocationContext(); 881 SVal sizeVal = state->getSVal(Size, LCtx); 882 QualType sizeTy = Size->getType(); 883 884 ProgramStateRef stateZeroSize, stateNonZeroSize; 885 llvm::tie(stateZeroSize, stateNonZeroSize) = 886 assumeZero(C, state, sizeVal, sizeTy); 887 888 // Get the value of the Dest. 889 SVal destVal = state->getSVal(Dest, LCtx); 890 891 // If the size is zero, there won't be any actual memory access, so 892 // just bind the return value to the destination buffer and return. 893 if (stateZeroSize && !stateNonZeroSize) { 894 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal); 895 C.addTransition(stateZeroSize); 896 return; 897 } 898 899 // If the size can be nonzero, we have to check the other arguments. 900 if (stateNonZeroSize) { 901 state = stateNonZeroSize; 902 903 // Ensure the destination is not null. If it is NULL there will be a 904 // NULL pointer dereference. 905 state = checkNonNull(C, state, Dest, destVal); 906 if (!state) 907 return; 908 909 // Get the value of the Src. 910 SVal srcVal = state->getSVal(Source, LCtx); 911 912 // Ensure the source is not null. If it is NULL there will be a 913 // NULL pointer dereference. 914 state = checkNonNull(C, state, Source, srcVal); 915 if (!state) 916 return; 917 918 // Ensure the accesses are valid and that the buffers do not overlap. 919 const char * const writeWarning = 920 "Memory copy function overflows destination buffer"; 921 state = CheckBufferAccess(C, state, Size, Dest, Source, 922 writeWarning, /* sourceWarning = */ NULL); 923 if (Restricted) 924 state = CheckOverlap(C, state, Size, Dest, Source); 925 926 if (!state) 927 return; 928 929 // If this is mempcpy, get the byte after the last byte copied and 930 // bind the expr. 931 if (IsMempcpy) { 932 loc::MemRegionVal *destRegVal = dyn_cast<loc::MemRegionVal>(&destVal); 933 assert(destRegVal && "Destination should be a known MemRegionVal here"); 934 935 // Get the length to copy. 936 NonLoc *lenValNonLoc = dyn_cast<NonLoc>(&sizeVal); 937 938 if (lenValNonLoc) { 939 // Get the byte after the last byte copied. 940 SVal lastElement = C.getSValBuilder().evalBinOpLN(state, BO_Add, 941 *destRegVal, 942 *lenValNonLoc, 943 Dest->getType()); 944 945 // The byte after the last byte copied is the return value. 946 state = state->BindExpr(CE, LCtx, lastElement); 947 } else { 948 // If we don't know how much we copied, we can at least 949 // conjure a return value for later. 950 SVal result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx, 951 C.blockCount()); 952 state = state->BindExpr(CE, LCtx, result); 953 } 954 955 } else { 956 // All other copies return the destination buffer. 957 // (Well, bcopy() has a void return type, but this won't hurt.) 958 state = state->BindExpr(CE, LCtx, destVal); 959 } 960 961 // Invalidate the destination. 962 // FIXME: Even if we can't perfectly model the copy, we should see if we 963 // can use LazyCompoundVals to copy the source values into the destination. 964 // This would probably remove any existing bindings past the end of the 965 // copied region, but that's still an improvement over blank invalidation. 966 state = InvalidateBuffer(C, state, Dest, 967 state->getSVal(Dest, C.getLocationContext())); 968 C.addTransition(state); 969 } 970} 971 972 973void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const { 974 if (CE->getNumArgs() < 3) 975 return; 976 977 // void *memcpy(void *restrict dst, const void *restrict src, size_t n); 978 // The return value is the address of the destination buffer. 979 const Expr *Dest = CE->getArg(0); 980 ProgramStateRef state = C.getState(); 981 982 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true); 983} 984 985void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const { 986 if (CE->getNumArgs() < 3) 987 return; 988 989 // void *mempcpy(void *restrict dst, const void *restrict src, size_t n); 990 // The return value is a pointer to the byte following the last written byte. 991 const Expr *Dest = CE->getArg(0); 992 ProgramStateRef state = C.getState(); 993 994 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true); 995} 996 997void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const { 998 if (CE->getNumArgs() < 3) 999 return; 1000 1001 // void *memmove(void *dst, const void *src, size_t n); 1002 // The return value is the address of the destination buffer. 1003 const Expr *Dest = CE->getArg(0); 1004 ProgramStateRef state = C.getState(); 1005 1006 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1)); 1007} 1008 1009void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const { 1010 if (CE->getNumArgs() < 3) 1011 return; 1012 1013 // void bcopy(const void *src, void *dst, size_t n); 1014 evalCopyCommon(C, CE, C.getState(), 1015 CE->getArg(2), CE->getArg(1), CE->getArg(0)); 1016} 1017 1018void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const { 1019 if (CE->getNumArgs() < 3) 1020 return; 1021 1022 // int memcmp(const void *s1, const void *s2, size_t n); 1023 CurrentFunctionDescription = "memory comparison function"; 1024 1025 const Expr *Left = CE->getArg(0); 1026 const Expr *Right = CE->getArg(1); 1027 const Expr *Size = CE->getArg(2); 1028 1029 ProgramStateRef state = C.getState(); 1030 SValBuilder &svalBuilder = C.getSValBuilder(); 1031 1032 // See if the size argument is zero. 1033 const LocationContext *LCtx = C.getLocationContext(); 1034 SVal sizeVal = state->getSVal(Size, LCtx); 1035 QualType sizeTy = Size->getType(); 1036 1037 ProgramStateRef stateZeroSize, stateNonZeroSize; 1038 llvm::tie(stateZeroSize, stateNonZeroSize) = 1039 assumeZero(C, state, sizeVal, sizeTy); 1040 1041 // If the size can be zero, the result will be 0 in that case, and we don't 1042 // have to check either of the buffers. 1043 if (stateZeroSize) { 1044 state = stateZeroSize; 1045 state = state->BindExpr(CE, LCtx, 1046 svalBuilder.makeZeroVal(CE->getType())); 1047 C.addTransition(state); 1048 } 1049 1050 // If the size can be nonzero, we have to check the other arguments. 1051 if (stateNonZeroSize) { 1052 state = stateNonZeroSize; 1053 // If we know the two buffers are the same, we know the result is 0. 1054 // First, get the two buffers' addresses. Another checker will have already 1055 // made sure they're not undefined. 1056 DefinedOrUnknownSVal LV = 1057 cast<DefinedOrUnknownSVal>(state->getSVal(Left, LCtx)); 1058 DefinedOrUnknownSVal RV = 1059 cast<DefinedOrUnknownSVal>(state->getSVal(Right, LCtx)); 1060 1061 // See if they are the same. 1062 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 1063 ProgramStateRef StSameBuf, StNotSameBuf; 1064 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 1065 1066 // If the two arguments might be the same buffer, we know the result is 0, 1067 // and we only need to check one size. 1068 if (StSameBuf) { 1069 state = StSameBuf; 1070 state = CheckBufferAccess(C, state, Size, Left); 1071 if (state) { 1072 state = StSameBuf->BindExpr(CE, LCtx, 1073 svalBuilder.makeZeroVal(CE->getType())); 1074 C.addTransition(state); 1075 } 1076 } 1077 1078 // If the two arguments might be different buffers, we have to check the 1079 // size of both of them. 1080 if (StNotSameBuf) { 1081 state = StNotSameBuf; 1082 state = CheckBufferAccess(C, state, Size, Left, Right); 1083 if (state) { 1084 // The return value is the comparison result, which we don't know. 1085 SVal CmpV = svalBuilder.conjureSymbolVal(0, CE, LCtx, C.blockCount()); 1086 state = state->BindExpr(CE, LCtx, CmpV); 1087 C.addTransition(state); 1088 } 1089 } 1090 } 1091} 1092 1093void CStringChecker::evalstrLength(CheckerContext &C, 1094 const CallExpr *CE) const { 1095 if (CE->getNumArgs() < 1) 1096 return; 1097 1098 // size_t strlen(const char *s); 1099 evalstrLengthCommon(C, CE, /* IsStrnlen = */ false); 1100} 1101 1102void CStringChecker::evalstrnLength(CheckerContext &C, 1103 const CallExpr *CE) const { 1104 if (CE->getNumArgs() < 2) 1105 return; 1106 1107 // size_t strnlen(const char *s, size_t maxlen); 1108 evalstrLengthCommon(C, CE, /* IsStrnlen = */ true); 1109} 1110 1111void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE, 1112 bool IsStrnlen) const { 1113 CurrentFunctionDescription = "string length function"; 1114 ProgramStateRef state = C.getState(); 1115 const LocationContext *LCtx = C.getLocationContext(); 1116 1117 if (IsStrnlen) { 1118 const Expr *maxlenExpr = CE->getArg(1); 1119 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); 1120 1121 ProgramStateRef stateZeroSize, stateNonZeroSize; 1122 llvm::tie(stateZeroSize, stateNonZeroSize) = 1123 assumeZero(C, state, maxlenVal, maxlenExpr->getType()); 1124 1125 // If the size can be zero, the result will be 0 in that case, and we don't 1126 // have to check the string itself. 1127 if (stateZeroSize) { 1128 SVal zero = C.getSValBuilder().makeZeroVal(CE->getType()); 1129 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero); 1130 C.addTransition(stateZeroSize); 1131 } 1132 1133 // If the size is GUARANTEED to be zero, we're done! 1134 if (!stateNonZeroSize) 1135 return; 1136 1137 // Otherwise, record the assumption that the size is nonzero. 1138 state = stateNonZeroSize; 1139 } 1140 1141 // Check that the string argument is non-null. 1142 const Expr *Arg = CE->getArg(0); 1143 SVal ArgVal = state->getSVal(Arg, LCtx); 1144 1145 state = checkNonNull(C, state, Arg, ArgVal); 1146 1147 if (!state) 1148 return; 1149 1150 SVal strLength = getCStringLength(C, state, Arg, ArgVal); 1151 1152 // If the argument isn't a valid C string, there's no valid state to 1153 // transition to. 1154 if (strLength.isUndef()) 1155 return; 1156 1157 DefinedOrUnknownSVal result = UnknownVal(); 1158 1159 // If the check is for strnlen() then bind the return value to no more than 1160 // the maxlen value. 1161 if (IsStrnlen) { 1162 QualType cmpTy = C.getSValBuilder().getConditionType(); 1163 1164 // It's a little unfortunate to be getting this again, 1165 // but it's not that expensive... 1166 const Expr *maxlenExpr = CE->getArg(1); 1167 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); 1168 1169 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 1170 NonLoc *maxlenValNL = dyn_cast<NonLoc>(&maxlenVal); 1171 1172 if (strLengthNL && maxlenValNL) { 1173 ProgramStateRef stateStringTooLong, stateStringNotTooLong; 1174 1175 // Check if the strLength is greater than the maxlen. 1176 llvm::tie(stateStringTooLong, stateStringNotTooLong) = 1177 state->assume(cast<DefinedOrUnknownSVal> 1178 (C.getSValBuilder().evalBinOpNN(state, BO_GT, 1179 *strLengthNL, 1180 *maxlenValNL, 1181 cmpTy))); 1182 1183 if (stateStringTooLong && !stateStringNotTooLong) { 1184 // If the string is longer than maxlen, return maxlen. 1185 result = *maxlenValNL; 1186 } else if (stateStringNotTooLong && !stateStringTooLong) { 1187 // If the string is shorter than maxlen, return its length. 1188 result = *strLengthNL; 1189 } 1190 } 1191 1192 if (result.isUnknown()) { 1193 // If we don't have enough information for a comparison, there's 1194 // no guarantee the full string length will actually be returned. 1195 // All we know is the return value is the min of the string length 1196 // and the limit. This is better than nothing. 1197 result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx, C.blockCount()); 1198 NonLoc *resultNL = cast<NonLoc>(&result); 1199 1200 if (strLengthNL) { 1201 state = state->assume(cast<DefinedOrUnknownSVal> 1202 (C.getSValBuilder().evalBinOpNN(state, BO_LE, 1203 *resultNL, 1204 *strLengthNL, 1205 cmpTy)), true); 1206 } 1207 1208 if (maxlenValNL) { 1209 state = state->assume(cast<DefinedOrUnknownSVal> 1210 (C.getSValBuilder().evalBinOpNN(state, BO_LE, 1211 *resultNL, 1212 *maxlenValNL, 1213 cmpTy)), true); 1214 } 1215 } 1216 1217 } else { 1218 // This is a plain strlen(), not strnlen(). 1219 result = cast<DefinedOrUnknownSVal>(strLength); 1220 1221 // If we don't know the length of the string, conjure a return 1222 // value, so it can be used in constraints, at least. 1223 if (result.isUnknown()) { 1224 result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx, C.blockCount()); 1225 } 1226 } 1227 1228 // Bind the return value. 1229 assert(!result.isUnknown() && "Should have conjured a value by now"); 1230 state = state->BindExpr(CE, LCtx, result); 1231 C.addTransition(state); 1232} 1233 1234void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const { 1235 if (CE->getNumArgs() < 2) 1236 return; 1237 1238 // char *strcpy(char *restrict dst, const char *restrict src); 1239 evalStrcpyCommon(C, CE, 1240 /* returnEnd = */ false, 1241 /* isBounded = */ false, 1242 /* isAppending = */ false); 1243} 1244 1245void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const { 1246 if (CE->getNumArgs() < 3) 1247 return; 1248 1249 // char *strncpy(char *restrict dst, const char *restrict src, size_t n); 1250 evalStrcpyCommon(C, CE, 1251 /* returnEnd = */ false, 1252 /* isBounded = */ true, 1253 /* isAppending = */ false); 1254} 1255 1256void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const { 1257 if (CE->getNumArgs() < 2) 1258 return; 1259 1260 // char *stpcpy(char *restrict dst, const char *restrict src); 1261 evalStrcpyCommon(C, CE, 1262 /* returnEnd = */ true, 1263 /* isBounded = */ false, 1264 /* isAppending = */ false); 1265} 1266 1267void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const { 1268 if (CE->getNumArgs() < 2) 1269 return; 1270 1271 //char *strcat(char *restrict s1, const char *restrict s2); 1272 evalStrcpyCommon(C, CE, 1273 /* returnEnd = */ false, 1274 /* isBounded = */ false, 1275 /* isAppending = */ true); 1276} 1277 1278void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const { 1279 if (CE->getNumArgs() < 3) 1280 return; 1281 1282 //char *strncat(char *restrict s1, const char *restrict s2, size_t n); 1283 evalStrcpyCommon(C, CE, 1284 /* returnEnd = */ false, 1285 /* isBounded = */ true, 1286 /* isAppending = */ true); 1287} 1288 1289void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, 1290 bool returnEnd, bool isBounded, 1291 bool isAppending) const { 1292 CurrentFunctionDescription = "string copy function"; 1293 ProgramStateRef state = C.getState(); 1294 const LocationContext *LCtx = C.getLocationContext(); 1295 1296 // Check that the destination is non-null. 1297 const Expr *Dst = CE->getArg(0); 1298 SVal DstVal = state->getSVal(Dst, LCtx); 1299 1300 state = checkNonNull(C, state, Dst, DstVal); 1301 if (!state) 1302 return; 1303 1304 // Check that the source is non-null. 1305 const Expr *srcExpr = CE->getArg(1); 1306 SVal srcVal = state->getSVal(srcExpr, LCtx); 1307 state = checkNonNull(C, state, srcExpr, srcVal); 1308 if (!state) 1309 return; 1310 1311 // Get the string length of the source. 1312 SVal strLength = getCStringLength(C, state, srcExpr, srcVal); 1313 1314 // If the source isn't a valid C string, give up. 1315 if (strLength.isUndef()) 1316 return; 1317 1318 SValBuilder &svalBuilder = C.getSValBuilder(); 1319 QualType cmpTy = svalBuilder.getConditionType(); 1320 QualType sizeTy = svalBuilder.getContext().getSizeType(); 1321 1322 // These two values allow checking two kinds of errors: 1323 // - actual overflows caused by a source that doesn't fit in the destination 1324 // - potential overflows caused by a bound that could exceed the destination 1325 SVal amountCopied = UnknownVal(); 1326 SVal maxLastElementIndex = UnknownVal(); 1327 const char *boundWarning = NULL; 1328 1329 // If the function is strncpy, strncat, etc... it is bounded. 1330 if (isBounded) { 1331 // Get the max number of characters to copy. 1332 const Expr *lenExpr = CE->getArg(2); 1333 SVal lenVal = state->getSVal(lenExpr, LCtx); 1334 1335 // Protect against misdeclared strncpy(). 1336 lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType()); 1337 1338 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 1339 NonLoc *lenValNL = dyn_cast<NonLoc>(&lenVal); 1340 1341 // If we know both values, we might be able to figure out how much 1342 // we're copying. 1343 if (strLengthNL && lenValNL) { 1344 ProgramStateRef stateSourceTooLong, stateSourceNotTooLong; 1345 1346 // Check if the max number to copy is less than the length of the src. 1347 // If the bound is equal to the source length, strncpy won't null- 1348 // terminate the result! 1349 llvm::tie(stateSourceTooLong, stateSourceNotTooLong) = 1350 state->assume(cast<DefinedOrUnknownSVal> 1351 (svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, 1352 *lenValNL, cmpTy))); 1353 1354 if (stateSourceTooLong && !stateSourceNotTooLong) { 1355 // Max number to copy is less than the length of the src, so the actual 1356 // strLength copied is the max number arg. 1357 state = stateSourceTooLong; 1358 amountCopied = lenVal; 1359 1360 } else if (!stateSourceTooLong && stateSourceNotTooLong) { 1361 // The source buffer entirely fits in the bound. 1362 state = stateSourceNotTooLong; 1363 amountCopied = strLength; 1364 } 1365 } 1366 1367 // We still want to know if the bound is known to be too large. 1368 if (lenValNL) { 1369 if (isAppending) { 1370 // For strncat, the check is strlen(dst) + lenVal < sizeof(dst) 1371 1372 // Get the string length of the destination. If the destination is 1373 // memory that can't have a string length, we shouldn't be copying 1374 // into it anyway. 1375 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1376 if (dstStrLength.isUndef()) 1377 return; 1378 1379 if (NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength)) { 1380 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add, 1381 *lenValNL, 1382 *dstStrLengthNL, 1383 sizeTy); 1384 boundWarning = "Size argument is greater than the free space in the " 1385 "destination buffer"; 1386 } 1387 1388 } else { 1389 // For strncpy, this is just checking that lenVal <= sizeof(dst) 1390 // (Yes, strncpy and strncat differ in how they treat termination. 1391 // strncat ALWAYS terminates, but strncpy doesn't.) 1392 1393 // We need a special case for when the copy size is zero, in which 1394 // case strncpy will do no work at all. Our bounds check uses n-1 1395 // as the last element accessed, so n == 0 is problematic. 1396 ProgramStateRef StateZeroSize, StateNonZeroSize; 1397 llvm::tie(StateZeroSize, StateNonZeroSize) = 1398 assumeZero(C, state, *lenValNL, sizeTy); 1399 1400 // If the size is known to be zero, we're done. 1401 if (StateZeroSize && !StateNonZeroSize) { 1402 StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal); 1403 C.addTransition(StateZeroSize); 1404 return; 1405 } 1406 1407 // Otherwise, go ahead and figure out the last element we'll touch. 1408 // We don't record the non-zero assumption here because we can't 1409 // be sure. We won't warn on a possible zero. 1410 NonLoc one = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy)); 1411 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, 1412 one, sizeTy); 1413 boundWarning = "Size argument is greater than the length of the " 1414 "destination buffer"; 1415 } 1416 } 1417 1418 // If we couldn't pin down the copy length, at least bound it. 1419 // FIXME: We should actually run this code path for append as well, but 1420 // right now it creates problems with constraints (since we can end up 1421 // trying to pass constraints from symbol to symbol). 1422 if (amountCopied.isUnknown() && !isAppending) { 1423 // Try to get a "hypothetical" string length symbol, which we can later 1424 // set as a real value if that turns out to be the case. 1425 amountCopied = getCStringLength(C, state, lenExpr, srcVal, true); 1426 assert(!amountCopied.isUndef()); 1427 1428 if (NonLoc *amountCopiedNL = dyn_cast<NonLoc>(&amountCopied)) { 1429 if (lenValNL) { 1430 // amountCopied <= lenVal 1431 SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE, 1432 *amountCopiedNL, 1433 *lenValNL, 1434 cmpTy); 1435 state = state->assume(cast<DefinedOrUnknownSVal>(copiedLessThanBound), 1436 true); 1437 if (!state) 1438 return; 1439 } 1440 1441 if (strLengthNL) { 1442 // amountCopied <= strlen(source) 1443 SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE, 1444 *amountCopiedNL, 1445 *strLengthNL, 1446 cmpTy); 1447 state = state->assume(cast<DefinedOrUnknownSVal>(copiedLessThanSrc), 1448 true); 1449 if (!state) 1450 return; 1451 } 1452 } 1453 } 1454 1455 } else { 1456 // The function isn't bounded. The amount copied should match the length 1457 // of the source buffer. 1458 amountCopied = strLength; 1459 } 1460 1461 assert(state); 1462 1463 // This represents the number of characters copied into the destination 1464 // buffer. (It may not actually be the strlen if the destination buffer 1465 // is not terminated.) 1466 SVal finalStrLength = UnknownVal(); 1467 1468 // If this is an appending function (strcat, strncat...) then set the 1469 // string length to strlen(src) + strlen(dst) since the buffer will 1470 // ultimately contain both. 1471 if (isAppending) { 1472 // Get the string length of the destination. If the destination is memory 1473 // that can't have a string length, we shouldn't be copying into it anyway. 1474 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1475 if (dstStrLength.isUndef()) 1476 return; 1477 1478 NonLoc *srcStrLengthNL = dyn_cast<NonLoc>(&amountCopied); 1479 NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength); 1480 1481 // If we know both string lengths, we might know the final string length. 1482 if (srcStrLengthNL && dstStrLengthNL) { 1483 // Make sure the two lengths together don't overflow a size_t. 1484 state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL); 1485 if (!state) 1486 return; 1487 1488 finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL, 1489 *dstStrLengthNL, sizeTy); 1490 } 1491 1492 // If we couldn't get a single value for the final string length, 1493 // we can at least bound it by the individual lengths. 1494 if (finalStrLength.isUnknown()) { 1495 // Try to get a "hypothetical" string length symbol, which we can later 1496 // set as a real value if that turns out to be the case. 1497 finalStrLength = getCStringLength(C, state, CE, DstVal, true); 1498 assert(!finalStrLength.isUndef()); 1499 1500 if (NonLoc *finalStrLengthNL = dyn_cast<NonLoc>(&finalStrLength)) { 1501 if (srcStrLengthNL) { 1502 // finalStrLength >= srcStrLength 1503 SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE, 1504 *finalStrLengthNL, 1505 *srcStrLengthNL, 1506 cmpTy); 1507 state = state->assume(cast<DefinedOrUnknownSVal>(sourceInResult), 1508 true); 1509 if (!state) 1510 return; 1511 } 1512 1513 if (dstStrLengthNL) { 1514 // finalStrLength >= dstStrLength 1515 SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE, 1516 *finalStrLengthNL, 1517 *dstStrLengthNL, 1518 cmpTy); 1519 state = state->assume(cast<DefinedOrUnknownSVal>(destInResult), 1520 true); 1521 if (!state) 1522 return; 1523 } 1524 } 1525 } 1526 1527 } else { 1528 // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and 1529 // the final string length will match the input string length. 1530 finalStrLength = amountCopied; 1531 } 1532 1533 // The final result of the function will either be a pointer past the last 1534 // copied element, or a pointer to the start of the destination buffer. 1535 SVal Result = (returnEnd ? UnknownVal() : DstVal); 1536 1537 assert(state); 1538 1539 // If the destination is a MemRegion, try to check for a buffer overflow and 1540 // record the new string length. 1541 if (loc::MemRegionVal *dstRegVal = dyn_cast<loc::MemRegionVal>(&DstVal)) { 1542 QualType ptrTy = Dst->getType(); 1543 1544 // If we have an exact value on a bounded copy, use that to check for 1545 // overflows, rather than our estimate about how much is actually copied. 1546 if (boundWarning) { 1547 if (NonLoc *maxLastNL = dyn_cast<NonLoc>(&maxLastElementIndex)) { 1548 SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, 1549 *maxLastNL, ptrTy); 1550 state = CheckLocation(C, state, CE->getArg(2), maxLastElement, 1551 boundWarning); 1552 if (!state) 1553 return; 1554 } 1555 } 1556 1557 // Then, if the final length is known... 1558 if (NonLoc *knownStrLength = dyn_cast<NonLoc>(&finalStrLength)) { 1559 SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, 1560 *knownStrLength, ptrTy); 1561 1562 // ...and we haven't checked the bound, we'll check the actual copy. 1563 if (!boundWarning) { 1564 const char * const warningMsg = 1565 "String copy function overflows destination buffer"; 1566 state = CheckLocation(C, state, Dst, lastElement, warningMsg); 1567 if (!state) 1568 return; 1569 } 1570 1571 // If this is a stpcpy-style copy, the last element is the return value. 1572 if (returnEnd) 1573 Result = lastElement; 1574 } 1575 1576 // Invalidate the destination. This must happen before we set the C string 1577 // length because invalidation will clear the length. 1578 // FIXME: Even if we can't perfectly model the copy, we should see if we 1579 // can use LazyCompoundVals to copy the source values into the destination. 1580 // This would probably remove any existing bindings past the end of the 1581 // string, but that's still an improvement over blank invalidation. 1582 state = InvalidateBuffer(C, state, Dst, *dstRegVal); 1583 1584 // Set the C string length of the destination, if we know it. 1585 if (isBounded && !isAppending) { 1586 // strncpy is annoying in that it doesn't guarantee to null-terminate 1587 // the result string. If the original string didn't fit entirely inside 1588 // the bound (including the null-terminator), we don't know how long the 1589 // result is. 1590 if (amountCopied != strLength) 1591 finalStrLength = UnknownVal(); 1592 } 1593 state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength); 1594 } 1595 1596 assert(state); 1597 1598 // If this is a stpcpy-style copy, but we were unable to check for a buffer 1599 // overflow, we still need a result. Conjure a return value. 1600 if (returnEnd && Result.isUnknown()) { 1601 Result = svalBuilder.conjureSymbolVal(0, CE, LCtx, C.blockCount()); 1602 } 1603 1604 // Set the return value. 1605 state = state->BindExpr(CE, LCtx, Result); 1606 C.addTransition(state); 1607} 1608 1609void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const { 1610 if (CE->getNumArgs() < 2) 1611 return; 1612 1613 //int strcmp(const char *s1, const char *s2); 1614 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false); 1615} 1616 1617void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const { 1618 if (CE->getNumArgs() < 3) 1619 return; 1620 1621 //int strncmp(const char *s1, const char *s2, size_t n); 1622 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false); 1623} 1624 1625void CStringChecker::evalStrcasecmp(CheckerContext &C, 1626 const CallExpr *CE) const { 1627 if (CE->getNumArgs() < 2) 1628 return; 1629 1630 //int strcasecmp(const char *s1, const char *s2); 1631 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true); 1632} 1633 1634void CStringChecker::evalStrncasecmp(CheckerContext &C, 1635 const CallExpr *CE) const { 1636 if (CE->getNumArgs() < 3) 1637 return; 1638 1639 //int strncasecmp(const char *s1, const char *s2, size_t n); 1640 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true); 1641} 1642 1643void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, 1644 bool isBounded, bool ignoreCase) const { 1645 CurrentFunctionDescription = "string comparison function"; 1646 ProgramStateRef state = C.getState(); 1647 const LocationContext *LCtx = C.getLocationContext(); 1648 1649 // Check that the first string is non-null 1650 const Expr *s1 = CE->getArg(0); 1651 SVal s1Val = state->getSVal(s1, LCtx); 1652 state = checkNonNull(C, state, s1, s1Val); 1653 if (!state) 1654 return; 1655 1656 // Check that the second string is non-null. 1657 const Expr *s2 = CE->getArg(1); 1658 SVal s2Val = state->getSVal(s2, LCtx); 1659 state = checkNonNull(C, state, s2, s2Val); 1660 if (!state) 1661 return; 1662 1663 // Get the string length of the first string or give up. 1664 SVal s1Length = getCStringLength(C, state, s1, s1Val); 1665 if (s1Length.isUndef()) 1666 return; 1667 1668 // Get the string length of the second string or give up. 1669 SVal s2Length = getCStringLength(C, state, s2, s2Val); 1670 if (s2Length.isUndef()) 1671 return; 1672 1673 // If we know the two buffers are the same, we know the result is 0. 1674 // First, get the two buffers' addresses. Another checker will have already 1675 // made sure they're not undefined. 1676 DefinedOrUnknownSVal LV = cast<DefinedOrUnknownSVal>(s1Val); 1677 DefinedOrUnknownSVal RV = cast<DefinedOrUnknownSVal>(s2Val); 1678 1679 // See if they are the same. 1680 SValBuilder &svalBuilder = C.getSValBuilder(); 1681 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 1682 ProgramStateRef StSameBuf, StNotSameBuf; 1683 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 1684 1685 // If the two arguments might be the same buffer, we know the result is 0, 1686 // and we only need to check one size. 1687 if (StSameBuf) { 1688 StSameBuf = StSameBuf->BindExpr(CE, LCtx, 1689 svalBuilder.makeZeroVal(CE->getType())); 1690 C.addTransition(StSameBuf); 1691 1692 // If the two arguments are GUARANTEED to be the same, we're done! 1693 if (!StNotSameBuf) 1694 return; 1695 } 1696 1697 assert(StNotSameBuf); 1698 state = StNotSameBuf; 1699 1700 // At this point we can go about comparing the two buffers. 1701 // For now, we only do this if they're both known string literals. 1702 1703 // Attempt to extract string literals from both expressions. 1704 const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val); 1705 const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val); 1706 bool canComputeResult = false; 1707 1708 if (s1StrLiteral && s2StrLiteral) { 1709 StringRef s1StrRef = s1StrLiteral->getString(); 1710 StringRef s2StrRef = s2StrLiteral->getString(); 1711 1712 if (isBounded) { 1713 // Get the max number of characters to compare. 1714 const Expr *lenExpr = CE->getArg(2); 1715 SVal lenVal = state->getSVal(lenExpr, LCtx); 1716 1717 // If the length is known, we can get the right substrings. 1718 if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) { 1719 // Create substrings of each to compare the prefix. 1720 s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue()); 1721 s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue()); 1722 canComputeResult = true; 1723 } 1724 } else { 1725 // This is a normal, unbounded strcmp. 1726 canComputeResult = true; 1727 } 1728 1729 if (canComputeResult) { 1730 // Real strcmp stops at null characters. 1731 size_t s1Term = s1StrRef.find('\0'); 1732 if (s1Term != StringRef::npos) 1733 s1StrRef = s1StrRef.substr(0, s1Term); 1734 1735 size_t s2Term = s2StrRef.find('\0'); 1736 if (s2Term != StringRef::npos) 1737 s2StrRef = s2StrRef.substr(0, s2Term); 1738 1739 // Use StringRef's comparison methods to compute the actual result. 1740 int result; 1741 1742 if (ignoreCase) { 1743 // Compare string 1 to string 2 the same way strcasecmp() does. 1744 result = s1StrRef.compare_lower(s2StrRef); 1745 } else { 1746 // Compare string 1 to string 2 the same way strcmp() does. 1747 result = s1StrRef.compare(s2StrRef); 1748 } 1749 1750 // Build the SVal of the comparison and bind the return value. 1751 SVal resultVal = svalBuilder.makeIntVal(result, CE->getType()); 1752 state = state->BindExpr(CE, LCtx, resultVal); 1753 } 1754 } 1755 1756 if (!canComputeResult) { 1757 // Conjure a symbolic value. It's the best we can do. 1758 SVal resultVal = svalBuilder.conjureSymbolVal(0, CE, LCtx, C.blockCount()); 1759 state = state->BindExpr(CE, LCtx, resultVal); 1760 } 1761 1762 // Record this as a possible path. 1763 C.addTransition(state); 1764} 1765 1766//===----------------------------------------------------------------------===// 1767// The driver method, and other Checker callbacks. 1768//===----------------------------------------------------------------------===// 1769 1770bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { 1771 const FunctionDecl *FDecl = C.getCalleeDecl(CE); 1772 1773 if (!FDecl) 1774 return false; 1775 1776 FnCheck evalFunction = 0; 1777 if (C.isCLibraryFunction(FDecl, "memcpy")) 1778 evalFunction = &CStringChecker::evalMemcpy; 1779 else if (C.isCLibraryFunction(FDecl, "mempcpy")) 1780 evalFunction = &CStringChecker::evalMempcpy; 1781 else if (C.isCLibraryFunction(FDecl, "memcmp")) 1782 evalFunction = &CStringChecker::evalMemcmp; 1783 else if (C.isCLibraryFunction(FDecl, "memmove")) 1784 evalFunction = &CStringChecker::evalMemmove; 1785 else if (C.isCLibraryFunction(FDecl, "strcpy")) 1786 evalFunction = &CStringChecker::evalStrcpy; 1787 else if (C.isCLibraryFunction(FDecl, "strncpy")) 1788 evalFunction = &CStringChecker::evalStrncpy; 1789 else if (C.isCLibraryFunction(FDecl, "stpcpy")) 1790 evalFunction = &CStringChecker::evalStpcpy; 1791 else if (C.isCLibraryFunction(FDecl, "strcat")) 1792 evalFunction = &CStringChecker::evalStrcat; 1793 else if (C.isCLibraryFunction(FDecl, "strncat")) 1794 evalFunction = &CStringChecker::evalStrncat; 1795 else if (C.isCLibraryFunction(FDecl, "strlen")) 1796 evalFunction = &CStringChecker::evalstrLength; 1797 else if (C.isCLibraryFunction(FDecl, "strnlen")) 1798 evalFunction = &CStringChecker::evalstrnLength; 1799 else if (C.isCLibraryFunction(FDecl, "strcmp")) 1800 evalFunction = &CStringChecker::evalStrcmp; 1801 else if (C.isCLibraryFunction(FDecl, "strncmp")) 1802 evalFunction = &CStringChecker::evalStrncmp; 1803 else if (C.isCLibraryFunction(FDecl, "strcasecmp")) 1804 evalFunction = &CStringChecker::evalStrcasecmp; 1805 else if (C.isCLibraryFunction(FDecl, "strncasecmp")) 1806 evalFunction = &CStringChecker::evalStrncasecmp; 1807 else if (C.isCLibraryFunction(FDecl, "bcopy")) 1808 evalFunction = &CStringChecker::evalBcopy; 1809 else if (C.isCLibraryFunction(FDecl, "bcmp")) 1810 evalFunction = &CStringChecker::evalMemcmp; 1811 1812 // If the callee isn't a string function, let another checker handle it. 1813 if (!evalFunction) 1814 return false; 1815 1816 // Make sure each function sets its own description. 1817 // (But don't bother in a release build.) 1818 assert(!(CurrentFunctionDescription = NULL)); 1819 1820 // Check and evaluate the call. 1821 (this->*evalFunction)(C, CE); 1822 1823 // If the evaluate call resulted in no change, chain to the next eval call 1824 // handler. 1825 // Note, the custom CString evaluation calls assume that basic safety 1826 // properties are held. However, if the user chooses to turn off some of these 1827 // checks, we ignore the issues and leave the call evaluation to a generic 1828 // handler. 1829 if (!C.isDifferent()) 1830 return false; 1831 1832 return true; 1833} 1834 1835void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const { 1836 // Record string length for char a[] = "abc"; 1837 ProgramStateRef state = C.getState(); 1838 1839 for (DeclStmt::const_decl_iterator I = DS->decl_begin(), E = DS->decl_end(); 1840 I != E; ++I) { 1841 const VarDecl *D = dyn_cast<VarDecl>(*I); 1842 if (!D) 1843 continue; 1844 1845 // FIXME: Handle array fields of structs. 1846 if (!D->getType()->isArrayType()) 1847 continue; 1848 1849 const Expr *Init = D->getInit(); 1850 if (!Init) 1851 continue; 1852 if (!isa<StringLiteral>(Init)) 1853 continue; 1854 1855 Loc VarLoc = state->getLValue(D, C.getLocationContext()); 1856 const MemRegion *MR = VarLoc.getAsRegion(); 1857 if (!MR) 1858 continue; 1859 1860 SVal StrVal = state->getSVal(Init, C.getLocationContext()); 1861 assert(StrVal.isValid() && "Initializer string is unknown or undefined"); 1862 DefinedOrUnknownSVal strLength 1863 = cast<DefinedOrUnknownSVal>(getCStringLength(C, state, Init, StrVal)); 1864 1865 state = state->set<CStringLength>(MR, strLength); 1866 } 1867 1868 C.addTransition(state); 1869} 1870 1871bool CStringChecker::wantsRegionChangeUpdate(ProgramStateRef state) const { 1872 CStringLengthTy Entries = state->get<CStringLength>(); 1873 return !Entries.isEmpty(); 1874} 1875 1876ProgramStateRef 1877CStringChecker::checkRegionChanges(ProgramStateRef state, 1878 const InvalidatedSymbols *, 1879 ArrayRef<const MemRegion *> ExplicitRegions, 1880 ArrayRef<const MemRegion *> Regions, 1881 const CallEvent *Call) const { 1882 CStringLengthTy Entries = state->get<CStringLength>(); 1883 if (Entries.isEmpty()) 1884 return state; 1885 1886 llvm::SmallPtrSet<const MemRegion *, 8> Invalidated; 1887 llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions; 1888 1889 // First build sets for the changed regions and their super-regions. 1890 for (ArrayRef<const MemRegion *>::iterator 1891 I = Regions.begin(), E = Regions.end(); I != E; ++I) { 1892 const MemRegion *MR = *I; 1893 Invalidated.insert(MR); 1894 1895 SuperRegions.insert(MR); 1896 while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) { 1897 MR = SR->getSuperRegion(); 1898 SuperRegions.insert(MR); 1899 } 1900 } 1901 1902 CStringLengthTy::Factory &F = state->get_context<CStringLength>(); 1903 1904 // Then loop over the entries in the current state. 1905 for (CStringLengthTy::iterator I = Entries.begin(), 1906 E = Entries.end(); I != E; ++I) { 1907 const MemRegion *MR = I.getKey(); 1908 1909 // Is this entry for a super-region of a changed region? 1910 if (SuperRegions.count(MR)) { 1911 Entries = F.remove(Entries, MR); 1912 continue; 1913 } 1914 1915 // Is this entry for a sub-region of a changed region? 1916 const MemRegion *Super = MR; 1917 while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) { 1918 Super = SR->getSuperRegion(); 1919 if (Invalidated.count(Super)) { 1920 Entries = F.remove(Entries, MR); 1921 break; 1922 } 1923 } 1924 } 1925 1926 return state->set<CStringLength>(Entries); 1927} 1928 1929void CStringChecker::checkLiveSymbols(ProgramStateRef state, 1930 SymbolReaper &SR) const { 1931 // Mark all symbols in our string length map as valid. 1932 CStringLengthTy Entries = state->get<CStringLength>(); 1933 1934 for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end(); 1935 I != E; ++I) { 1936 SVal Len = I.getData(); 1937 1938 for (SymExpr::symbol_iterator si = Len.symbol_begin(), 1939 se = Len.symbol_end(); si != se; ++si) 1940 SR.markInUse(*si); 1941 } 1942} 1943 1944void CStringChecker::checkDeadSymbols(SymbolReaper &SR, 1945 CheckerContext &C) const { 1946 if (!SR.hasDeadSymbols()) 1947 return; 1948 1949 ProgramStateRef state = C.getState(); 1950 CStringLengthTy Entries = state->get<CStringLength>(); 1951 if (Entries.isEmpty()) 1952 return; 1953 1954 CStringLengthTy::Factory &F = state->get_context<CStringLength>(); 1955 for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end(); 1956 I != E; ++I) { 1957 SVal Len = I.getData(); 1958 if (SymbolRef Sym = Len.getAsSymbol()) { 1959 if (SR.isDead(Sym)) 1960 Entries = F.remove(Entries, I.getKey()); 1961 } 1962 } 1963 1964 state = state->set<CStringLength>(Entries); 1965 C.addTransition(state); 1966} 1967 1968#define REGISTER_CHECKER(name) \ 1969void ento::register##name(CheckerManager &mgr) {\ 1970 static CStringChecker *TheChecker = 0; \ 1971 if (TheChecker == 0) \ 1972 TheChecker = mgr.registerChecker<CStringChecker>(); \ 1973 TheChecker->Filter.Check##name = true; \ 1974} 1975 1976REGISTER_CHECKER(CStringNullArg) 1977REGISTER_CHECKER(CStringOutOfBounds) 1978REGISTER_CHECKER(CStringBufferOverlap) 1979REGISTER_CHECKER(CStringNotNullTerm) 1980 1981void ento::registerCStringCheckerBasic(CheckerManager &Mgr) { 1982 registerCStringNullArg(Mgr); 1983} 1984