CStringChecker.cpp revision 3b1df8bb941a18c4a7256d7cfcbccb9de7e39995
1//= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This defines CStringChecker, which is an assortment of checks on calls 11// to functions in <string.h>. 12// 13//===----------------------------------------------------------------------===// 14 15#include "ClangSACheckers.h" 16#include "InterCheckerAPI.h" 17#include "clang/StaticAnalyzer/Core/Checker.h" 18#include "clang/StaticAnalyzer/Core/CheckerManager.h" 19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 20#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 21#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 22#include "llvm/ADT/SmallString.h" 23#include "llvm/ADT/STLExtras.h" 24#include "llvm/ADT/StringSwitch.h" 25 26using namespace clang; 27using namespace ento; 28 29namespace { 30class CStringChecker : public Checker< eval::Call, 31 check::PreStmt<DeclStmt>, 32 check::LiveSymbols, 33 check::DeadSymbols, 34 check::RegionChanges 35 > { 36 mutable OwningPtr<BugType> BT_Null, 37 BT_Bounds, 38 BT_Overlap, 39 BT_NotCString, 40 BT_AdditionOverflow; 41 42 mutable const char *CurrentFunctionDescription; 43 44public: 45 /// The filter is used to filter out the diagnostics which are not enabled by 46 /// the user. 47 struct CStringChecksFilter { 48 DefaultBool CheckCStringNullArg; 49 DefaultBool CheckCStringOutOfBounds; 50 DefaultBool CheckCStringBufferOverlap; 51 DefaultBool CheckCStringNotNullTerm; 52 }; 53 54 CStringChecksFilter Filter; 55 56 static void *getTag() { static int tag; return &tag; } 57 58 bool evalCall(const CallExpr *CE, CheckerContext &C) const; 59 void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; 60 void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const; 61 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; 62 bool wantsRegionChangeUpdate(ProgramStateRef state) const; 63 64 ProgramStateRef 65 checkRegionChanges(ProgramStateRef state, 66 const StoreManager::InvalidatedSymbols *, 67 ArrayRef<const MemRegion *> ExplicitRegions, 68 ArrayRef<const MemRegion *> Regions, 69 const CallEvent *Call) const; 70 71 typedef void (CStringChecker::*FnCheck)(CheckerContext &, 72 const CallExpr *) const; 73 74 void evalMemcpy(CheckerContext &C, const CallExpr *CE) const; 75 void evalMempcpy(CheckerContext &C, const CallExpr *CE) const; 76 void evalMemmove(CheckerContext &C, const CallExpr *CE) const; 77 void evalBcopy(CheckerContext &C, const CallExpr *CE) const; 78 void evalCopyCommon(CheckerContext &C, const CallExpr *CE, 79 ProgramStateRef state, 80 const Expr *Size, 81 const Expr *Source, 82 const Expr *Dest, 83 bool Restricted = false, 84 bool IsMempcpy = false) const; 85 86 void evalMemcmp(CheckerContext &C, const CallExpr *CE) const; 87 88 void evalstrLength(CheckerContext &C, const CallExpr *CE) const; 89 void evalstrnLength(CheckerContext &C, const CallExpr *CE) const; 90 void evalstrLengthCommon(CheckerContext &C, 91 const CallExpr *CE, 92 bool IsStrnlen = false) const; 93 94 void evalStrcpy(CheckerContext &C, const CallExpr *CE) const; 95 void evalStrncpy(CheckerContext &C, const CallExpr *CE) const; 96 void evalStpcpy(CheckerContext &C, const CallExpr *CE) const; 97 void evalStrcpyCommon(CheckerContext &C, 98 const CallExpr *CE, 99 bool returnEnd, 100 bool isBounded, 101 bool isAppending) const; 102 103 void evalStrcat(CheckerContext &C, const CallExpr *CE) const; 104 void evalStrncat(CheckerContext &C, const CallExpr *CE) const; 105 106 void evalStrcmp(CheckerContext &C, const CallExpr *CE) const; 107 void evalStrncmp(CheckerContext &C, const CallExpr *CE) const; 108 void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const; 109 void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const; 110 void evalStrcmpCommon(CheckerContext &C, 111 const CallExpr *CE, 112 bool isBounded = false, 113 bool ignoreCase = false) const; 114 115 // Utility methods 116 std::pair<ProgramStateRef , ProgramStateRef > 117 static assumeZero(CheckerContext &C, 118 ProgramStateRef state, SVal V, QualType Ty); 119 120 static ProgramStateRef setCStringLength(ProgramStateRef state, 121 const MemRegion *MR, 122 SVal strLength); 123 static SVal getCStringLengthForRegion(CheckerContext &C, 124 ProgramStateRef &state, 125 const Expr *Ex, 126 const MemRegion *MR, 127 bool hypothetical); 128 SVal getCStringLength(CheckerContext &C, 129 ProgramStateRef &state, 130 const Expr *Ex, 131 SVal Buf, 132 bool hypothetical = false) const; 133 134 const StringLiteral *getCStringLiteral(CheckerContext &C, 135 ProgramStateRef &state, 136 const Expr *expr, 137 SVal val) const; 138 139 static ProgramStateRef InvalidateBuffer(CheckerContext &C, 140 ProgramStateRef state, 141 const Expr *Ex, SVal V); 142 143 static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx, 144 const MemRegion *MR); 145 146 // Re-usable checks 147 ProgramStateRef checkNonNull(CheckerContext &C, 148 ProgramStateRef state, 149 const Expr *S, 150 SVal l) const; 151 ProgramStateRef CheckLocation(CheckerContext &C, 152 ProgramStateRef state, 153 const Expr *S, 154 SVal l, 155 const char *message = NULL) const; 156 ProgramStateRef CheckBufferAccess(CheckerContext &C, 157 ProgramStateRef state, 158 const Expr *Size, 159 const Expr *FirstBuf, 160 const Expr *SecondBuf, 161 const char *firstMessage = NULL, 162 const char *secondMessage = NULL, 163 bool WarnAboutSize = false) const; 164 165 ProgramStateRef CheckBufferAccess(CheckerContext &C, 166 ProgramStateRef state, 167 const Expr *Size, 168 const Expr *Buf, 169 const char *message = NULL, 170 bool WarnAboutSize = false) const { 171 // This is a convenience override. 172 return CheckBufferAccess(C, state, Size, Buf, NULL, message, NULL, 173 WarnAboutSize); 174 } 175 ProgramStateRef CheckOverlap(CheckerContext &C, 176 ProgramStateRef state, 177 const Expr *Size, 178 const Expr *First, 179 const Expr *Second) const; 180 void emitOverlapBug(CheckerContext &C, 181 ProgramStateRef state, 182 const Stmt *First, 183 const Stmt *Second) const; 184 185 ProgramStateRef checkAdditionOverflow(CheckerContext &C, 186 ProgramStateRef state, 187 NonLoc left, 188 NonLoc right) const; 189}; 190 191class CStringLength { 192public: 193 typedef llvm::ImmutableMap<const MemRegion *, SVal> EntryMap; 194}; 195} //end anonymous namespace 196 197namespace clang { 198namespace ento { 199 template <> 200 struct ProgramStateTrait<CStringLength> 201 : public ProgramStatePartialTrait<CStringLength::EntryMap> { 202 static void *GDMIndex() { return CStringChecker::getTag(); } 203 }; 204} 205} 206 207//===----------------------------------------------------------------------===// 208// Individual checks and utility methods. 209//===----------------------------------------------------------------------===// 210 211std::pair<ProgramStateRef , ProgramStateRef > 212CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V, 213 QualType Ty) { 214 DefinedSVal *val = dyn_cast<DefinedSVal>(&V); 215 if (!val) 216 return std::pair<ProgramStateRef , ProgramStateRef >(state, state); 217 218 SValBuilder &svalBuilder = C.getSValBuilder(); 219 DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty); 220 return state->assume(svalBuilder.evalEQ(state, *val, zero)); 221} 222 223ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C, 224 ProgramStateRef state, 225 const Expr *S, SVal l) const { 226 // If a previous check has failed, propagate the failure. 227 if (!state) 228 return NULL; 229 230 ProgramStateRef stateNull, stateNonNull; 231 llvm::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType()); 232 233 if (stateNull && !stateNonNull) { 234 if (!Filter.CheckCStringNullArg) 235 return NULL; 236 237 ExplodedNode *N = C.generateSink(stateNull); 238 if (!N) 239 return NULL; 240 241 if (!BT_Null) 242 BT_Null.reset(new BuiltinBug("Unix API", 243 "Null pointer argument in call to byte string function")); 244 245 SmallString<80> buf; 246 llvm::raw_svector_ostream os(buf); 247 assert(CurrentFunctionDescription); 248 os << "Null pointer argument in call to " << CurrentFunctionDescription; 249 250 // Generate a report for this bug. 251 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get()); 252 BugReport *report = new BugReport(*BT, os.str(), N); 253 254 report->addRange(S->getSourceRange()); 255 bugreporter::addTrackNullOrUndefValueVisitor(N, S, report); 256 C.EmitReport(report); 257 return NULL; 258 } 259 260 // From here on, assume that the value is non-null. 261 assert(stateNonNull); 262 return stateNonNull; 263} 264 265// FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor? 266ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C, 267 ProgramStateRef state, 268 const Expr *S, SVal l, 269 const char *warningMsg) const { 270 // If a previous check has failed, propagate the failure. 271 if (!state) 272 return NULL; 273 274 // Check for out of bound array element access. 275 const MemRegion *R = l.getAsRegion(); 276 if (!R) 277 return state; 278 279 const ElementRegion *ER = dyn_cast<ElementRegion>(R); 280 if (!ER) 281 return state; 282 283 assert(ER->getValueType() == C.getASTContext().CharTy && 284 "CheckLocation should only be called with char* ElementRegions"); 285 286 // Get the size of the array. 287 const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion()); 288 SValBuilder &svalBuilder = C.getSValBuilder(); 289 SVal Extent = 290 svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder)); 291 DefinedOrUnknownSVal Size = cast<DefinedOrUnknownSVal>(Extent); 292 293 // Get the index of the accessed element. 294 DefinedOrUnknownSVal Idx = cast<DefinedOrUnknownSVal>(ER->getIndex()); 295 296 ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true); 297 ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false); 298 if (StOutBound && !StInBound) { 299 ExplodedNode *N = C.generateSink(StOutBound); 300 if (!N) 301 return NULL; 302 303 if (!BT_Bounds) { 304 BT_Bounds.reset(new BuiltinBug("Out-of-bound array access", 305 "Byte string function accesses out-of-bound array element")); 306 } 307 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get()); 308 309 // Generate a report for this bug. 310 BugReport *report; 311 if (warningMsg) { 312 report = new BugReport(*BT, warningMsg, N); 313 } else { 314 assert(CurrentFunctionDescription); 315 assert(CurrentFunctionDescription[0] != '\0'); 316 317 SmallString<80> buf; 318 llvm::raw_svector_ostream os(buf); 319 os << (char)toupper(CurrentFunctionDescription[0]) 320 << &CurrentFunctionDescription[1] 321 << " accesses out-of-bound array element"; 322 report = new BugReport(*BT, os.str(), N); 323 } 324 325 // FIXME: It would be nice to eventually make this diagnostic more clear, 326 // e.g., by referencing the original declaration or by saying *why* this 327 // reference is outside the range. 328 329 report->addRange(S->getSourceRange()); 330 C.EmitReport(report); 331 return NULL; 332 } 333 334 // Array bound check succeeded. From this point forward the array bound 335 // should always succeed. 336 return StInBound; 337} 338 339ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C, 340 ProgramStateRef state, 341 const Expr *Size, 342 const Expr *FirstBuf, 343 const Expr *SecondBuf, 344 const char *firstMessage, 345 const char *secondMessage, 346 bool WarnAboutSize) const { 347 // If a previous check has failed, propagate the failure. 348 if (!state) 349 return NULL; 350 351 SValBuilder &svalBuilder = C.getSValBuilder(); 352 ASTContext &Ctx = svalBuilder.getContext(); 353 const LocationContext *LCtx = C.getLocationContext(); 354 355 QualType sizeTy = Size->getType(); 356 QualType PtrTy = Ctx.getPointerType(Ctx.CharTy); 357 358 // Check that the first buffer is non-null. 359 SVal BufVal = state->getSVal(FirstBuf, LCtx); 360 state = checkNonNull(C, state, FirstBuf, BufVal); 361 if (!state) 362 return NULL; 363 364 // If out-of-bounds checking is turned off, skip the rest. 365 if (!Filter.CheckCStringOutOfBounds) 366 return state; 367 368 // Get the access length and make sure it is known. 369 // FIXME: This assumes the caller has already checked that the access length 370 // is positive. And that it's unsigned. 371 SVal LengthVal = state->getSVal(Size, LCtx); 372 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 373 if (!Length) 374 return state; 375 376 // Compute the offset of the last element to be accessed: size-1. 377 NonLoc One = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy)); 378 NonLoc LastOffset = cast<NonLoc>(svalBuilder.evalBinOpNN(state, BO_Sub, 379 *Length, One, sizeTy)); 380 381 // Check that the first buffer is sufficiently long. 382 SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); 383 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 384 const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf); 385 386 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 387 LastOffset, PtrTy); 388 state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage); 389 390 // If the buffer isn't large enough, abort. 391 if (!state) 392 return NULL; 393 } 394 395 // If there's a second buffer, check it as well. 396 if (SecondBuf) { 397 BufVal = state->getSVal(SecondBuf, LCtx); 398 state = checkNonNull(C, state, SecondBuf, BufVal); 399 if (!state) 400 return NULL; 401 402 BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType()); 403 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 404 const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf); 405 406 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 407 LastOffset, PtrTy); 408 state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage); 409 } 410 } 411 412 // Large enough or not, return this state! 413 return state; 414} 415 416ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C, 417 ProgramStateRef state, 418 const Expr *Size, 419 const Expr *First, 420 const Expr *Second) const { 421 if (!Filter.CheckCStringBufferOverlap) 422 return state; 423 424 // Do a simple check for overlap: if the two arguments are from the same 425 // buffer, see if the end of the first is greater than the start of the second 426 // or vice versa. 427 428 // If a previous check has failed, propagate the failure. 429 if (!state) 430 return NULL; 431 432 ProgramStateRef stateTrue, stateFalse; 433 434 // Get the buffer values and make sure they're known locations. 435 const LocationContext *LCtx = C.getLocationContext(); 436 SVal firstVal = state->getSVal(First, LCtx); 437 SVal secondVal = state->getSVal(Second, LCtx); 438 439 Loc *firstLoc = dyn_cast<Loc>(&firstVal); 440 if (!firstLoc) 441 return state; 442 443 Loc *secondLoc = dyn_cast<Loc>(&secondVal); 444 if (!secondLoc) 445 return state; 446 447 // Are the two values the same? 448 SValBuilder &svalBuilder = C.getSValBuilder(); 449 llvm::tie(stateTrue, stateFalse) = 450 state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc)); 451 452 if (stateTrue && !stateFalse) { 453 // If the values are known to be equal, that's automatically an overlap. 454 emitOverlapBug(C, stateTrue, First, Second); 455 return NULL; 456 } 457 458 // assume the two expressions are not equal. 459 assert(stateFalse); 460 state = stateFalse; 461 462 // Which value comes first? 463 QualType cmpTy = svalBuilder.getConditionType(); 464 SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT, 465 *firstLoc, *secondLoc, cmpTy); 466 DefinedOrUnknownSVal *reverseTest = dyn_cast<DefinedOrUnknownSVal>(&reverse); 467 if (!reverseTest) 468 return state; 469 470 llvm::tie(stateTrue, stateFalse) = state->assume(*reverseTest); 471 if (stateTrue) { 472 if (stateFalse) { 473 // If we don't know which one comes first, we can't perform this test. 474 return state; 475 } else { 476 // Switch the values so that firstVal is before secondVal. 477 Loc *tmpLoc = firstLoc; 478 firstLoc = secondLoc; 479 secondLoc = tmpLoc; 480 481 // Switch the Exprs as well, so that they still correspond. 482 const Expr *tmpExpr = First; 483 First = Second; 484 Second = tmpExpr; 485 } 486 } 487 488 // Get the length, and make sure it too is known. 489 SVal LengthVal = state->getSVal(Size, LCtx); 490 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 491 if (!Length) 492 return state; 493 494 // Convert the first buffer's start address to char*. 495 // Bail out if the cast fails. 496 ASTContext &Ctx = svalBuilder.getContext(); 497 QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy); 498 SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy, 499 First->getType()); 500 Loc *FirstStartLoc = dyn_cast<Loc>(&FirstStart); 501 if (!FirstStartLoc) 502 return state; 503 504 // Compute the end of the first buffer. Bail out if THAT fails. 505 SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, 506 *FirstStartLoc, *Length, CharPtrTy); 507 Loc *FirstEndLoc = dyn_cast<Loc>(&FirstEnd); 508 if (!FirstEndLoc) 509 return state; 510 511 // Is the end of the first buffer past the start of the second buffer? 512 SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT, 513 *FirstEndLoc, *secondLoc, cmpTy); 514 DefinedOrUnknownSVal *OverlapTest = dyn_cast<DefinedOrUnknownSVal>(&Overlap); 515 if (!OverlapTest) 516 return state; 517 518 llvm::tie(stateTrue, stateFalse) = state->assume(*OverlapTest); 519 520 if (stateTrue && !stateFalse) { 521 // Overlap! 522 emitOverlapBug(C, stateTrue, First, Second); 523 return NULL; 524 } 525 526 // assume the two expressions don't overlap. 527 assert(stateFalse); 528 return stateFalse; 529} 530 531void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state, 532 const Stmt *First, const Stmt *Second) const { 533 ExplodedNode *N = C.generateSink(state); 534 if (!N) 535 return; 536 537 if (!BT_Overlap) 538 BT_Overlap.reset(new BugType("Unix API", "Improper arguments")); 539 540 // Generate a report for this bug. 541 BugReport *report = 542 new BugReport(*BT_Overlap, 543 "Arguments must not be overlapping buffers", N); 544 report->addRange(First->getSourceRange()); 545 report->addRange(Second->getSourceRange()); 546 547 C.EmitReport(report); 548} 549 550ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C, 551 ProgramStateRef state, 552 NonLoc left, 553 NonLoc right) const { 554 // If out-of-bounds checking is turned off, skip the rest. 555 if (!Filter.CheckCStringOutOfBounds) 556 return state; 557 558 // If a previous check has failed, propagate the failure. 559 if (!state) 560 return NULL; 561 562 SValBuilder &svalBuilder = C.getSValBuilder(); 563 BasicValueFactory &BVF = svalBuilder.getBasicValueFactory(); 564 565 QualType sizeTy = svalBuilder.getContext().getSizeType(); 566 const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy); 567 NonLoc maxVal = svalBuilder.makeIntVal(maxValInt); 568 569 SVal maxMinusRight; 570 if (isa<nonloc::ConcreteInt>(right)) { 571 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right, 572 sizeTy); 573 } else { 574 // Try switching the operands. (The order of these two assignments is 575 // important!) 576 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left, 577 sizeTy); 578 left = right; 579 } 580 581 if (NonLoc *maxMinusRightNL = dyn_cast<NonLoc>(&maxMinusRight)) { 582 QualType cmpTy = svalBuilder.getConditionType(); 583 // If left > max - right, we have an overflow. 584 SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left, 585 *maxMinusRightNL, cmpTy); 586 587 ProgramStateRef stateOverflow, stateOkay; 588 llvm::tie(stateOverflow, stateOkay) = 589 state->assume(cast<DefinedOrUnknownSVal>(willOverflow)); 590 591 if (stateOverflow && !stateOkay) { 592 // We have an overflow. Emit a bug report. 593 ExplodedNode *N = C.generateSink(stateOverflow); 594 if (!N) 595 return NULL; 596 597 if (!BT_AdditionOverflow) 598 BT_AdditionOverflow.reset(new BuiltinBug("API", 599 "Sum of expressions causes overflow")); 600 601 // This isn't a great error message, but this should never occur in real 602 // code anyway -- you'd have to create a buffer longer than a size_t can 603 // represent, which is sort of a contradiction. 604 const char *warning = 605 "This expression will create a string whose length is too big to " 606 "be represented as a size_t"; 607 608 // Generate a report for this bug. 609 BugReport *report = new BugReport(*BT_AdditionOverflow, warning, N); 610 C.EmitReport(report); 611 612 return NULL; 613 } 614 615 // From now on, assume an overflow didn't occur. 616 assert(stateOkay); 617 state = stateOkay; 618 } 619 620 return state; 621} 622 623ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state, 624 const MemRegion *MR, 625 SVal strLength) { 626 assert(!strLength.isUndef() && "Attempt to set an undefined string length"); 627 628 MR = MR->StripCasts(); 629 630 switch (MR->getKind()) { 631 case MemRegion::StringRegionKind: 632 // FIXME: This can happen if we strcpy() into a string region. This is 633 // undefined [C99 6.4.5p6], but we should still warn about it. 634 return state; 635 636 case MemRegion::SymbolicRegionKind: 637 case MemRegion::AllocaRegionKind: 638 case MemRegion::VarRegionKind: 639 case MemRegion::FieldRegionKind: 640 case MemRegion::ObjCIvarRegionKind: 641 // These are the types we can currently track string lengths for. 642 break; 643 644 case MemRegion::ElementRegionKind: 645 // FIXME: Handle element regions by upper-bounding the parent region's 646 // string length. 647 return state; 648 649 default: 650 // Other regions (mostly non-data) can't have a reliable C string length. 651 // For now, just ignore the change. 652 // FIXME: These are rare but not impossible. We should output some kind of 653 // warning for things like strcpy((char[]){'a', 0}, "b"); 654 return state; 655 } 656 657 if (strLength.isUnknown()) 658 return state->remove<CStringLength>(MR); 659 660 return state->set<CStringLength>(MR, strLength); 661} 662 663SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C, 664 ProgramStateRef &state, 665 const Expr *Ex, 666 const MemRegion *MR, 667 bool hypothetical) { 668 if (!hypothetical) { 669 // If there's a recorded length, go ahead and return it. 670 const SVal *Recorded = state->get<CStringLength>(MR); 671 if (Recorded) 672 return *Recorded; 673 } 674 675 // Otherwise, get a new symbol and update the state. 676 unsigned Count = C.getCurrentBlockCount(); 677 SValBuilder &svalBuilder = C.getSValBuilder(); 678 QualType sizeTy = svalBuilder.getContext().getSizeType(); 679 SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(), 680 MR, Ex, sizeTy, Count); 681 682 if (!hypothetical) 683 state = state->set<CStringLength>(MR, strLength); 684 685 return strLength; 686} 687 688SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state, 689 const Expr *Ex, SVal Buf, 690 bool hypothetical) const { 691 const MemRegion *MR = Buf.getAsRegion(); 692 if (!MR) { 693 // If we can't get a region, see if it's something we /know/ isn't a 694 // C string. In the context of locations, the only time we can issue such 695 // a warning is for labels. 696 if (loc::GotoLabel *Label = dyn_cast<loc::GotoLabel>(&Buf)) { 697 if (!Filter.CheckCStringNotNullTerm) 698 return UndefinedVal(); 699 700 if (ExplodedNode *N = C.addTransition(state)) { 701 if (!BT_NotCString) 702 BT_NotCString.reset(new BuiltinBug("Unix API", 703 "Argument is not a null-terminated string.")); 704 705 SmallString<120> buf; 706 llvm::raw_svector_ostream os(buf); 707 assert(CurrentFunctionDescription); 708 os << "Argument to " << CurrentFunctionDescription 709 << " is the address of the label '" << Label->getLabel()->getName() 710 << "', which is not a null-terminated string"; 711 712 // Generate a report for this bug. 713 BugReport *report = new BugReport(*BT_NotCString, 714 os.str(), N); 715 716 report->addRange(Ex->getSourceRange()); 717 C.EmitReport(report); 718 } 719 return UndefinedVal(); 720 721 } 722 723 // If it's not a region and not a label, give up. 724 return UnknownVal(); 725 } 726 727 // If we have a region, strip casts from it and see if we can figure out 728 // its length. For anything we can't figure out, just return UnknownVal. 729 MR = MR->StripCasts(); 730 731 switch (MR->getKind()) { 732 case MemRegion::StringRegionKind: { 733 // Modifying the contents of string regions is undefined [C99 6.4.5p6], 734 // so we can assume that the byte length is the correct C string length. 735 SValBuilder &svalBuilder = C.getSValBuilder(); 736 QualType sizeTy = svalBuilder.getContext().getSizeType(); 737 const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral(); 738 return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy); 739 } 740 case MemRegion::SymbolicRegionKind: 741 case MemRegion::AllocaRegionKind: 742 case MemRegion::VarRegionKind: 743 case MemRegion::FieldRegionKind: 744 case MemRegion::ObjCIvarRegionKind: 745 return getCStringLengthForRegion(C, state, Ex, MR, hypothetical); 746 case MemRegion::CompoundLiteralRegionKind: 747 // FIXME: Can we track this? Is it necessary? 748 return UnknownVal(); 749 case MemRegion::ElementRegionKind: 750 // FIXME: How can we handle this? It's not good enough to subtract the 751 // offset from the base string length; consider "123\x00567" and &a[5]. 752 return UnknownVal(); 753 default: 754 // Other regions (mostly non-data) can't have a reliable C string length. 755 // In this case, an error is emitted and UndefinedVal is returned. 756 // The caller should always be prepared to handle this case. 757 if (!Filter.CheckCStringNotNullTerm) 758 return UndefinedVal(); 759 760 if (ExplodedNode *N = C.addTransition(state)) { 761 if (!BT_NotCString) 762 BT_NotCString.reset(new BuiltinBug("Unix API", 763 "Argument is not a null-terminated string.")); 764 765 SmallString<120> buf; 766 llvm::raw_svector_ostream os(buf); 767 768 assert(CurrentFunctionDescription); 769 os << "Argument to " << CurrentFunctionDescription << " is "; 770 771 if (SummarizeRegion(os, C.getASTContext(), MR)) 772 os << ", which is not a null-terminated string"; 773 else 774 os << "not a null-terminated string"; 775 776 // Generate a report for this bug. 777 BugReport *report = new BugReport(*BT_NotCString, 778 os.str(), N); 779 780 report->addRange(Ex->getSourceRange()); 781 C.EmitReport(report); 782 } 783 784 return UndefinedVal(); 785 } 786} 787 788const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C, 789 ProgramStateRef &state, const Expr *expr, SVal val) const { 790 791 // Get the memory region pointed to by the val. 792 const MemRegion *bufRegion = val.getAsRegion(); 793 if (!bufRegion) 794 return NULL; 795 796 // Strip casts off the memory region. 797 bufRegion = bufRegion->StripCasts(); 798 799 // Cast the memory region to a string region. 800 const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion); 801 if (!strRegion) 802 return NULL; 803 804 // Return the actual string in the string region. 805 return strRegion->getStringLiteral(); 806} 807 808ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C, 809 ProgramStateRef state, 810 const Expr *E, SVal V) { 811 Loc *L = dyn_cast<Loc>(&V); 812 if (!L) 813 return state; 814 815 // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes 816 // some assumptions about the value that CFRefCount can't. Even so, it should 817 // probably be refactored. 818 if (loc::MemRegionVal* MR = dyn_cast<loc::MemRegionVal>(L)) { 819 const MemRegion *R = MR->getRegion()->StripCasts(); 820 821 // Are we dealing with an ElementRegion? If so, we should be invalidating 822 // the super-region. 823 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) { 824 R = ER->getSuperRegion(); 825 // FIXME: What about layers of ElementRegions? 826 } 827 828 // Invalidate this region. 829 unsigned Count = C.getCurrentBlockCount(); 830 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 831 return state->invalidateRegions(R, E, Count, LCtx); 832 } 833 834 // If we have a non-region value by chance, just remove the binding. 835 // FIXME: is this necessary or correct? This handles the non-Region 836 // cases. Is it ever valid to store to these? 837 return state->unbindLoc(*L); 838} 839 840bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx, 841 const MemRegion *MR) { 842 const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR); 843 844 switch (MR->getKind()) { 845 case MemRegion::FunctionTextRegionKind: { 846 const FunctionDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 847 if (FD) 848 os << "the address of the function '" << *FD << '\''; 849 else 850 os << "the address of a function"; 851 return true; 852 } 853 case MemRegion::BlockTextRegionKind: 854 os << "block text"; 855 return true; 856 case MemRegion::BlockDataRegionKind: 857 os << "a block"; 858 return true; 859 case MemRegion::CXXThisRegionKind: 860 case MemRegion::CXXTempObjectRegionKind: 861 os << "a C++ temp object of type " << TVR->getValueType().getAsString(); 862 return true; 863 case MemRegion::VarRegionKind: 864 os << "a variable of type" << TVR->getValueType().getAsString(); 865 return true; 866 case MemRegion::FieldRegionKind: 867 os << "a field of type " << TVR->getValueType().getAsString(); 868 return true; 869 case MemRegion::ObjCIvarRegionKind: 870 os << "an instance variable of type " << TVR->getValueType().getAsString(); 871 return true; 872 default: 873 return false; 874 } 875} 876 877//===----------------------------------------------------------------------===// 878// evaluation of individual function calls. 879//===----------------------------------------------------------------------===// 880 881void CStringChecker::evalCopyCommon(CheckerContext &C, 882 const CallExpr *CE, 883 ProgramStateRef state, 884 const Expr *Size, const Expr *Dest, 885 const Expr *Source, bool Restricted, 886 bool IsMempcpy) const { 887 CurrentFunctionDescription = "memory copy function"; 888 889 // See if the size argument is zero. 890 const LocationContext *LCtx = C.getLocationContext(); 891 SVal sizeVal = state->getSVal(Size, LCtx); 892 QualType sizeTy = Size->getType(); 893 894 ProgramStateRef stateZeroSize, stateNonZeroSize; 895 llvm::tie(stateZeroSize, stateNonZeroSize) = 896 assumeZero(C, state, sizeVal, sizeTy); 897 898 // Get the value of the Dest. 899 SVal destVal = state->getSVal(Dest, LCtx); 900 901 // If the size is zero, there won't be any actual memory access, so 902 // just bind the return value to the destination buffer and return. 903 if (stateZeroSize && !stateNonZeroSize) { 904 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal); 905 C.addTransition(stateZeroSize); 906 return; 907 } 908 909 // If the size can be nonzero, we have to check the other arguments. 910 if (stateNonZeroSize) { 911 state = stateNonZeroSize; 912 913 // Ensure the destination is not null. If it is NULL there will be a 914 // NULL pointer dereference. 915 state = checkNonNull(C, state, Dest, destVal); 916 if (!state) 917 return; 918 919 // Get the value of the Src. 920 SVal srcVal = state->getSVal(Source, LCtx); 921 922 // Ensure the source is not null. If it is NULL there will be a 923 // NULL pointer dereference. 924 state = checkNonNull(C, state, Source, srcVal); 925 if (!state) 926 return; 927 928 // Ensure the accesses are valid and that the buffers do not overlap. 929 const char * const writeWarning = 930 "Memory copy function overflows destination buffer"; 931 state = CheckBufferAccess(C, state, Size, Dest, Source, 932 writeWarning, /* sourceWarning = */ NULL); 933 if (Restricted) 934 state = CheckOverlap(C, state, Size, Dest, Source); 935 936 if (!state) 937 return; 938 939 // If this is mempcpy, get the byte after the last byte copied and 940 // bind the expr. 941 if (IsMempcpy) { 942 loc::MemRegionVal *destRegVal = dyn_cast<loc::MemRegionVal>(&destVal); 943 assert(destRegVal && "Destination should be a known MemRegionVal here"); 944 945 // Get the length to copy. 946 NonLoc *lenValNonLoc = dyn_cast<NonLoc>(&sizeVal); 947 948 if (lenValNonLoc) { 949 // Get the byte after the last byte copied. 950 SVal lastElement = C.getSValBuilder().evalBinOpLN(state, BO_Add, 951 *destRegVal, 952 *lenValNonLoc, 953 Dest->getType()); 954 955 // The byte after the last byte copied is the return value. 956 state = state->BindExpr(CE, LCtx, lastElement); 957 } else { 958 // If we don't know how much we copied, we can at least 959 // conjure a return value for later. 960 unsigned Count = C.getCurrentBlockCount(); 961 SVal result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx, Count); 962 state = state->BindExpr(CE, LCtx, result); 963 } 964 965 } else { 966 // All other copies return the destination buffer. 967 // (Well, bcopy() has a void return type, but this won't hurt.) 968 state = state->BindExpr(CE, LCtx, destVal); 969 } 970 971 // Invalidate the destination. 972 // FIXME: Even if we can't perfectly model the copy, we should see if we 973 // can use LazyCompoundVals to copy the source values into the destination. 974 // This would probably remove any existing bindings past the end of the 975 // copied region, but that's still an improvement over blank invalidation. 976 state = InvalidateBuffer(C, state, Dest, 977 state->getSVal(Dest, C.getLocationContext())); 978 C.addTransition(state); 979 } 980} 981 982 983void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const { 984 if (CE->getNumArgs() < 3) 985 return; 986 987 // void *memcpy(void *restrict dst, const void *restrict src, size_t n); 988 // The return value is the address of the destination buffer. 989 const Expr *Dest = CE->getArg(0); 990 ProgramStateRef state = C.getState(); 991 992 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true); 993} 994 995void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const { 996 if (CE->getNumArgs() < 3) 997 return; 998 999 // void *mempcpy(void *restrict dst, const void *restrict src, size_t n); 1000 // The return value is a pointer to the byte following the last written byte. 1001 const Expr *Dest = CE->getArg(0); 1002 ProgramStateRef state = C.getState(); 1003 1004 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true); 1005} 1006 1007void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const { 1008 if (CE->getNumArgs() < 3) 1009 return; 1010 1011 // void *memmove(void *dst, const void *src, size_t n); 1012 // The return value is the address of the destination buffer. 1013 const Expr *Dest = CE->getArg(0); 1014 ProgramStateRef state = C.getState(); 1015 1016 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1)); 1017} 1018 1019void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const { 1020 if (CE->getNumArgs() < 3) 1021 return; 1022 1023 // void bcopy(const void *src, void *dst, size_t n); 1024 evalCopyCommon(C, CE, C.getState(), 1025 CE->getArg(2), CE->getArg(1), CE->getArg(0)); 1026} 1027 1028void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const { 1029 if (CE->getNumArgs() < 3) 1030 return; 1031 1032 // int memcmp(const void *s1, const void *s2, size_t n); 1033 CurrentFunctionDescription = "memory comparison function"; 1034 1035 const Expr *Left = CE->getArg(0); 1036 const Expr *Right = CE->getArg(1); 1037 const Expr *Size = CE->getArg(2); 1038 1039 ProgramStateRef state = C.getState(); 1040 SValBuilder &svalBuilder = C.getSValBuilder(); 1041 1042 // See if the size argument is zero. 1043 const LocationContext *LCtx = C.getLocationContext(); 1044 SVal sizeVal = state->getSVal(Size, LCtx); 1045 QualType sizeTy = Size->getType(); 1046 1047 ProgramStateRef stateZeroSize, stateNonZeroSize; 1048 llvm::tie(stateZeroSize, stateNonZeroSize) = 1049 assumeZero(C, state, sizeVal, sizeTy); 1050 1051 // If the size can be zero, the result will be 0 in that case, and we don't 1052 // have to check either of the buffers. 1053 if (stateZeroSize) { 1054 state = stateZeroSize; 1055 state = state->BindExpr(CE, LCtx, 1056 svalBuilder.makeZeroVal(CE->getType())); 1057 C.addTransition(state); 1058 } 1059 1060 // If the size can be nonzero, we have to check the other arguments. 1061 if (stateNonZeroSize) { 1062 state = stateNonZeroSize; 1063 // If we know the two buffers are the same, we know the result is 0. 1064 // First, get the two buffers' addresses. Another checker will have already 1065 // made sure they're not undefined. 1066 DefinedOrUnknownSVal LV = 1067 cast<DefinedOrUnknownSVal>(state->getSVal(Left, LCtx)); 1068 DefinedOrUnknownSVal RV = 1069 cast<DefinedOrUnknownSVal>(state->getSVal(Right, LCtx)); 1070 1071 // See if they are the same. 1072 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 1073 ProgramStateRef StSameBuf, StNotSameBuf; 1074 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 1075 1076 // If the two arguments might be the same buffer, we know the result is 0, 1077 // and we only need to check one size. 1078 if (StSameBuf) { 1079 state = StSameBuf; 1080 state = CheckBufferAccess(C, state, Size, Left); 1081 if (state) { 1082 state = StSameBuf->BindExpr(CE, LCtx, 1083 svalBuilder.makeZeroVal(CE->getType())); 1084 C.addTransition(state); 1085 } 1086 } 1087 1088 // If the two arguments might be different buffers, we have to check the 1089 // size of both of them. 1090 if (StNotSameBuf) { 1091 state = StNotSameBuf; 1092 state = CheckBufferAccess(C, state, Size, Left, Right); 1093 if (state) { 1094 // The return value is the comparison result, which we don't know. 1095 unsigned Count = C.getCurrentBlockCount(); 1096 SVal CmpV = svalBuilder.conjureSymbolVal(0, CE, LCtx, Count); 1097 state = state->BindExpr(CE, LCtx, CmpV); 1098 C.addTransition(state); 1099 } 1100 } 1101 } 1102} 1103 1104void CStringChecker::evalstrLength(CheckerContext &C, 1105 const CallExpr *CE) const { 1106 if (CE->getNumArgs() < 1) 1107 return; 1108 1109 // size_t strlen(const char *s); 1110 evalstrLengthCommon(C, CE, /* IsStrnlen = */ false); 1111} 1112 1113void CStringChecker::evalstrnLength(CheckerContext &C, 1114 const CallExpr *CE) const { 1115 if (CE->getNumArgs() < 2) 1116 return; 1117 1118 // size_t strnlen(const char *s, size_t maxlen); 1119 evalstrLengthCommon(C, CE, /* IsStrnlen = */ true); 1120} 1121 1122void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE, 1123 bool IsStrnlen) const { 1124 CurrentFunctionDescription = "string length function"; 1125 ProgramStateRef state = C.getState(); 1126 const LocationContext *LCtx = C.getLocationContext(); 1127 1128 if (IsStrnlen) { 1129 const Expr *maxlenExpr = CE->getArg(1); 1130 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); 1131 1132 ProgramStateRef stateZeroSize, stateNonZeroSize; 1133 llvm::tie(stateZeroSize, stateNonZeroSize) = 1134 assumeZero(C, state, maxlenVal, maxlenExpr->getType()); 1135 1136 // If the size can be zero, the result will be 0 in that case, and we don't 1137 // have to check the string itself. 1138 if (stateZeroSize) { 1139 SVal zero = C.getSValBuilder().makeZeroVal(CE->getType()); 1140 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero); 1141 C.addTransition(stateZeroSize); 1142 } 1143 1144 // If the size is GUARANTEED to be zero, we're done! 1145 if (!stateNonZeroSize) 1146 return; 1147 1148 // Otherwise, record the assumption that the size is nonzero. 1149 state = stateNonZeroSize; 1150 } 1151 1152 // Check that the string argument is non-null. 1153 const Expr *Arg = CE->getArg(0); 1154 SVal ArgVal = state->getSVal(Arg, LCtx); 1155 1156 state = checkNonNull(C, state, Arg, ArgVal); 1157 1158 if (!state) 1159 return; 1160 1161 SVal strLength = getCStringLength(C, state, Arg, ArgVal); 1162 1163 // If the argument isn't a valid C string, there's no valid state to 1164 // transition to. 1165 if (strLength.isUndef()) 1166 return; 1167 1168 DefinedOrUnknownSVal result = UnknownVal(); 1169 1170 // If the check is for strnlen() then bind the return value to no more than 1171 // the maxlen value. 1172 if (IsStrnlen) { 1173 QualType cmpTy = C.getSValBuilder().getConditionType(); 1174 1175 // It's a little unfortunate to be getting this again, 1176 // but it's not that expensive... 1177 const Expr *maxlenExpr = CE->getArg(1); 1178 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); 1179 1180 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 1181 NonLoc *maxlenValNL = dyn_cast<NonLoc>(&maxlenVal); 1182 1183 if (strLengthNL && maxlenValNL) { 1184 ProgramStateRef stateStringTooLong, stateStringNotTooLong; 1185 1186 // Check if the strLength is greater than the maxlen. 1187 llvm::tie(stateStringTooLong, stateStringNotTooLong) = 1188 state->assume(cast<DefinedOrUnknownSVal> 1189 (C.getSValBuilder().evalBinOpNN(state, BO_GT, 1190 *strLengthNL, 1191 *maxlenValNL, 1192 cmpTy))); 1193 1194 if (stateStringTooLong && !stateStringNotTooLong) { 1195 // If the string is longer than maxlen, return maxlen. 1196 result = *maxlenValNL; 1197 } else if (stateStringNotTooLong && !stateStringTooLong) { 1198 // If the string is shorter than maxlen, return its length. 1199 result = *strLengthNL; 1200 } 1201 } 1202 1203 if (result.isUnknown()) { 1204 // If we don't have enough information for a comparison, there's 1205 // no guarantee the full string length will actually be returned. 1206 // All we know is the return value is the min of the string length 1207 // and the limit. This is better than nothing. 1208 unsigned Count = C.getCurrentBlockCount(); 1209 result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx, Count); 1210 NonLoc *resultNL = cast<NonLoc>(&result); 1211 1212 if (strLengthNL) { 1213 state = state->assume(cast<DefinedOrUnknownSVal> 1214 (C.getSValBuilder().evalBinOpNN(state, BO_LE, 1215 *resultNL, 1216 *strLengthNL, 1217 cmpTy)), true); 1218 } 1219 1220 if (maxlenValNL) { 1221 state = state->assume(cast<DefinedOrUnknownSVal> 1222 (C.getSValBuilder().evalBinOpNN(state, BO_LE, 1223 *resultNL, 1224 *maxlenValNL, 1225 cmpTy)), true); 1226 } 1227 } 1228 1229 } else { 1230 // This is a plain strlen(), not strnlen(). 1231 result = cast<DefinedOrUnknownSVal>(strLength); 1232 1233 // If we don't know the length of the string, conjure a return 1234 // value, so it can be used in constraints, at least. 1235 if (result.isUnknown()) { 1236 unsigned Count = C.getCurrentBlockCount(); 1237 result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx, Count); 1238 } 1239 } 1240 1241 // Bind the return value. 1242 assert(!result.isUnknown() && "Should have conjured a value by now"); 1243 state = state->BindExpr(CE, LCtx, result); 1244 C.addTransition(state); 1245} 1246 1247void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const { 1248 if (CE->getNumArgs() < 2) 1249 return; 1250 1251 // char *strcpy(char *restrict dst, const char *restrict src); 1252 evalStrcpyCommon(C, CE, 1253 /* returnEnd = */ false, 1254 /* isBounded = */ false, 1255 /* isAppending = */ false); 1256} 1257 1258void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const { 1259 if (CE->getNumArgs() < 3) 1260 return; 1261 1262 // char *strncpy(char *restrict dst, const char *restrict src, size_t n); 1263 evalStrcpyCommon(C, CE, 1264 /* returnEnd = */ false, 1265 /* isBounded = */ true, 1266 /* isAppending = */ false); 1267} 1268 1269void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const { 1270 if (CE->getNumArgs() < 2) 1271 return; 1272 1273 // char *stpcpy(char *restrict dst, const char *restrict src); 1274 evalStrcpyCommon(C, CE, 1275 /* returnEnd = */ true, 1276 /* isBounded = */ false, 1277 /* isAppending = */ false); 1278} 1279 1280void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const { 1281 if (CE->getNumArgs() < 2) 1282 return; 1283 1284 //char *strcat(char *restrict s1, const char *restrict s2); 1285 evalStrcpyCommon(C, CE, 1286 /* returnEnd = */ false, 1287 /* isBounded = */ false, 1288 /* isAppending = */ true); 1289} 1290 1291void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const { 1292 if (CE->getNumArgs() < 3) 1293 return; 1294 1295 //char *strncat(char *restrict s1, const char *restrict s2, size_t n); 1296 evalStrcpyCommon(C, CE, 1297 /* returnEnd = */ false, 1298 /* isBounded = */ true, 1299 /* isAppending = */ true); 1300} 1301 1302void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, 1303 bool returnEnd, bool isBounded, 1304 bool isAppending) const { 1305 CurrentFunctionDescription = "string copy function"; 1306 ProgramStateRef state = C.getState(); 1307 const LocationContext *LCtx = C.getLocationContext(); 1308 1309 // Check that the destination is non-null. 1310 const Expr *Dst = CE->getArg(0); 1311 SVal DstVal = state->getSVal(Dst, LCtx); 1312 1313 state = checkNonNull(C, state, Dst, DstVal); 1314 if (!state) 1315 return; 1316 1317 // Check that the source is non-null. 1318 const Expr *srcExpr = CE->getArg(1); 1319 SVal srcVal = state->getSVal(srcExpr, LCtx); 1320 state = checkNonNull(C, state, srcExpr, srcVal); 1321 if (!state) 1322 return; 1323 1324 // Get the string length of the source. 1325 SVal strLength = getCStringLength(C, state, srcExpr, srcVal); 1326 1327 // If the source isn't a valid C string, give up. 1328 if (strLength.isUndef()) 1329 return; 1330 1331 SValBuilder &svalBuilder = C.getSValBuilder(); 1332 QualType cmpTy = svalBuilder.getConditionType(); 1333 QualType sizeTy = svalBuilder.getContext().getSizeType(); 1334 1335 // These two values allow checking two kinds of errors: 1336 // - actual overflows caused by a source that doesn't fit in the destination 1337 // - potential overflows caused by a bound that could exceed the destination 1338 SVal amountCopied = UnknownVal(); 1339 SVal maxLastElementIndex = UnknownVal(); 1340 const char *boundWarning = NULL; 1341 1342 // If the function is strncpy, strncat, etc... it is bounded. 1343 if (isBounded) { 1344 // Get the max number of characters to copy. 1345 const Expr *lenExpr = CE->getArg(2); 1346 SVal lenVal = state->getSVal(lenExpr, LCtx); 1347 1348 // Protect against misdeclared strncpy(). 1349 lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType()); 1350 1351 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 1352 NonLoc *lenValNL = dyn_cast<NonLoc>(&lenVal); 1353 1354 // If we know both values, we might be able to figure out how much 1355 // we're copying. 1356 if (strLengthNL && lenValNL) { 1357 ProgramStateRef stateSourceTooLong, stateSourceNotTooLong; 1358 1359 // Check if the max number to copy is less than the length of the src. 1360 // If the bound is equal to the source length, strncpy won't null- 1361 // terminate the result! 1362 llvm::tie(stateSourceTooLong, stateSourceNotTooLong) = 1363 state->assume(cast<DefinedOrUnknownSVal> 1364 (svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, 1365 *lenValNL, cmpTy))); 1366 1367 if (stateSourceTooLong && !stateSourceNotTooLong) { 1368 // Max number to copy is less than the length of the src, so the actual 1369 // strLength copied is the max number arg. 1370 state = stateSourceTooLong; 1371 amountCopied = lenVal; 1372 1373 } else if (!stateSourceTooLong && stateSourceNotTooLong) { 1374 // The source buffer entirely fits in the bound. 1375 state = stateSourceNotTooLong; 1376 amountCopied = strLength; 1377 } 1378 } 1379 1380 // We still want to know if the bound is known to be too large. 1381 if (lenValNL) { 1382 if (isAppending) { 1383 // For strncat, the check is strlen(dst) + lenVal < sizeof(dst) 1384 1385 // Get the string length of the destination. If the destination is 1386 // memory that can't have a string length, we shouldn't be copying 1387 // into it anyway. 1388 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1389 if (dstStrLength.isUndef()) 1390 return; 1391 1392 if (NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength)) { 1393 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add, 1394 *lenValNL, 1395 *dstStrLengthNL, 1396 sizeTy); 1397 boundWarning = "Size argument is greater than the free space in the " 1398 "destination buffer"; 1399 } 1400 1401 } else { 1402 // For strncpy, this is just checking that lenVal <= sizeof(dst) 1403 // (Yes, strncpy and strncat differ in how they treat termination. 1404 // strncat ALWAYS terminates, but strncpy doesn't.) 1405 1406 // We need a special case for when the copy size is zero, in which 1407 // case strncpy will do no work at all. Our bounds check uses n-1 1408 // as the last element accessed, so n == 0 is problematic. 1409 ProgramStateRef StateZeroSize, StateNonZeroSize; 1410 llvm::tie(StateZeroSize, StateNonZeroSize) = 1411 assumeZero(C, state, *lenValNL, sizeTy); 1412 1413 // If the size is known to be zero, we're done. 1414 if (StateZeroSize && !StateNonZeroSize) { 1415 StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal); 1416 C.addTransition(StateZeroSize); 1417 return; 1418 } 1419 1420 // Otherwise, go ahead and figure out the last element we'll touch. 1421 // We don't record the non-zero assumption here because we can't 1422 // be sure. We won't warn on a possible zero. 1423 NonLoc one = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy)); 1424 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, 1425 one, sizeTy); 1426 boundWarning = "Size argument is greater than the length of the " 1427 "destination buffer"; 1428 } 1429 } 1430 1431 // If we couldn't pin down the copy length, at least bound it. 1432 // FIXME: We should actually run this code path for append as well, but 1433 // right now it creates problems with constraints (since we can end up 1434 // trying to pass constraints from symbol to symbol). 1435 if (amountCopied.isUnknown() && !isAppending) { 1436 // Try to get a "hypothetical" string length symbol, which we can later 1437 // set as a real value if that turns out to be the case. 1438 amountCopied = getCStringLength(C, state, lenExpr, srcVal, true); 1439 assert(!amountCopied.isUndef()); 1440 1441 if (NonLoc *amountCopiedNL = dyn_cast<NonLoc>(&amountCopied)) { 1442 if (lenValNL) { 1443 // amountCopied <= lenVal 1444 SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE, 1445 *amountCopiedNL, 1446 *lenValNL, 1447 cmpTy); 1448 state = state->assume(cast<DefinedOrUnknownSVal>(copiedLessThanBound), 1449 true); 1450 if (!state) 1451 return; 1452 } 1453 1454 if (strLengthNL) { 1455 // amountCopied <= strlen(source) 1456 SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE, 1457 *amountCopiedNL, 1458 *strLengthNL, 1459 cmpTy); 1460 state = state->assume(cast<DefinedOrUnknownSVal>(copiedLessThanSrc), 1461 true); 1462 if (!state) 1463 return; 1464 } 1465 } 1466 } 1467 1468 } else { 1469 // The function isn't bounded. The amount copied should match the length 1470 // of the source buffer. 1471 amountCopied = strLength; 1472 } 1473 1474 assert(state); 1475 1476 // This represents the number of characters copied into the destination 1477 // buffer. (It may not actually be the strlen if the destination buffer 1478 // is not terminated.) 1479 SVal finalStrLength = UnknownVal(); 1480 1481 // If this is an appending function (strcat, strncat...) then set the 1482 // string length to strlen(src) + strlen(dst) since the buffer will 1483 // ultimately contain both. 1484 if (isAppending) { 1485 // Get the string length of the destination. If the destination is memory 1486 // that can't have a string length, we shouldn't be copying into it anyway. 1487 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1488 if (dstStrLength.isUndef()) 1489 return; 1490 1491 NonLoc *srcStrLengthNL = dyn_cast<NonLoc>(&amountCopied); 1492 NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength); 1493 1494 // If we know both string lengths, we might know the final string length. 1495 if (srcStrLengthNL && dstStrLengthNL) { 1496 // Make sure the two lengths together don't overflow a size_t. 1497 state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL); 1498 if (!state) 1499 return; 1500 1501 finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL, 1502 *dstStrLengthNL, sizeTy); 1503 } 1504 1505 // If we couldn't get a single value for the final string length, 1506 // we can at least bound it by the individual lengths. 1507 if (finalStrLength.isUnknown()) { 1508 // Try to get a "hypothetical" string length symbol, which we can later 1509 // set as a real value if that turns out to be the case. 1510 finalStrLength = getCStringLength(C, state, CE, DstVal, true); 1511 assert(!finalStrLength.isUndef()); 1512 1513 if (NonLoc *finalStrLengthNL = dyn_cast<NonLoc>(&finalStrLength)) { 1514 if (srcStrLengthNL) { 1515 // finalStrLength >= srcStrLength 1516 SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE, 1517 *finalStrLengthNL, 1518 *srcStrLengthNL, 1519 cmpTy); 1520 state = state->assume(cast<DefinedOrUnknownSVal>(sourceInResult), 1521 true); 1522 if (!state) 1523 return; 1524 } 1525 1526 if (dstStrLengthNL) { 1527 // finalStrLength >= dstStrLength 1528 SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE, 1529 *finalStrLengthNL, 1530 *dstStrLengthNL, 1531 cmpTy); 1532 state = state->assume(cast<DefinedOrUnknownSVal>(destInResult), 1533 true); 1534 if (!state) 1535 return; 1536 } 1537 } 1538 } 1539 1540 } else { 1541 // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and 1542 // the final string length will match the input string length. 1543 finalStrLength = amountCopied; 1544 } 1545 1546 // The final result of the function will either be a pointer past the last 1547 // copied element, or a pointer to the start of the destination buffer. 1548 SVal Result = (returnEnd ? UnknownVal() : DstVal); 1549 1550 assert(state); 1551 1552 // If the destination is a MemRegion, try to check for a buffer overflow and 1553 // record the new string length. 1554 if (loc::MemRegionVal *dstRegVal = dyn_cast<loc::MemRegionVal>(&DstVal)) { 1555 QualType ptrTy = Dst->getType(); 1556 1557 // If we have an exact value on a bounded copy, use that to check for 1558 // overflows, rather than our estimate about how much is actually copied. 1559 if (boundWarning) { 1560 if (NonLoc *maxLastNL = dyn_cast<NonLoc>(&maxLastElementIndex)) { 1561 SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, 1562 *maxLastNL, ptrTy); 1563 state = CheckLocation(C, state, CE->getArg(2), maxLastElement, 1564 boundWarning); 1565 if (!state) 1566 return; 1567 } 1568 } 1569 1570 // Then, if the final length is known... 1571 if (NonLoc *knownStrLength = dyn_cast<NonLoc>(&finalStrLength)) { 1572 SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, 1573 *knownStrLength, ptrTy); 1574 1575 // ...and we haven't checked the bound, we'll check the actual copy. 1576 if (!boundWarning) { 1577 const char * const warningMsg = 1578 "String copy function overflows destination buffer"; 1579 state = CheckLocation(C, state, Dst, lastElement, warningMsg); 1580 if (!state) 1581 return; 1582 } 1583 1584 // If this is a stpcpy-style copy, the last element is the return value. 1585 if (returnEnd) 1586 Result = lastElement; 1587 } 1588 1589 // Invalidate the destination. This must happen before we set the C string 1590 // length because invalidation will clear the length. 1591 // FIXME: Even if we can't perfectly model the copy, we should see if we 1592 // can use LazyCompoundVals to copy the source values into the destination. 1593 // This would probably remove any existing bindings past the end of the 1594 // string, but that's still an improvement over blank invalidation. 1595 state = InvalidateBuffer(C, state, Dst, *dstRegVal); 1596 1597 // Set the C string length of the destination, if we know it. 1598 if (isBounded && !isAppending) { 1599 // strncpy is annoying in that it doesn't guarantee to null-terminate 1600 // the result string. If the original string didn't fit entirely inside 1601 // the bound (including the null-terminator), we don't know how long the 1602 // result is. 1603 if (amountCopied != strLength) 1604 finalStrLength = UnknownVal(); 1605 } 1606 state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength); 1607 } 1608 1609 assert(state); 1610 1611 // If this is a stpcpy-style copy, but we were unable to check for a buffer 1612 // overflow, we still need a result. Conjure a return value. 1613 if (returnEnd && Result.isUnknown()) { 1614 unsigned Count = C.getCurrentBlockCount(); 1615 Result = svalBuilder.conjureSymbolVal(0, CE, LCtx, Count); 1616 } 1617 1618 // Set the return value. 1619 state = state->BindExpr(CE, LCtx, Result); 1620 C.addTransition(state); 1621} 1622 1623void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const { 1624 if (CE->getNumArgs() < 2) 1625 return; 1626 1627 //int strcmp(const char *s1, const char *s2); 1628 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false); 1629} 1630 1631void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const { 1632 if (CE->getNumArgs() < 3) 1633 return; 1634 1635 //int strncmp(const char *s1, const char *s2, size_t n); 1636 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false); 1637} 1638 1639void CStringChecker::evalStrcasecmp(CheckerContext &C, 1640 const CallExpr *CE) const { 1641 if (CE->getNumArgs() < 2) 1642 return; 1643 1644 //int strcasecmp(const char *s1, const char *s2); 1645 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true); 1646} 1647 1648void CStringChecker::evalStrncasecmp(CheckerContext &C, 1649 const CallExpr *CE) const { 1650 if (CE->getNumArgs() < 3) 1651 return; 1652 1653 //int strncasecmp(const char *s1, const char *s2, size_t n); 1654 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true); 1655} 1656 1657void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, 1658 bool isBounded, bool ignoreCase) const { 1659 CurrentFunctionDescription = "string comparison function"; 1660 ProgramStateRef state = C.getState(); 1661 const LocationContext *LCtx = C.getLocationContext(); 1662 1663 // Check that the first string is non-null 1664 const Expr *s1 = CE->getArg(0); 1665 SVal s1Val = state->getSVal(s1, LCtx); 1666 state = checkNonNull(C, state, s1, s1Val); 1667 if (!state) 1668 return; 1669 1670 // Check that the second string is non-null. 1671 const Expr *s2 = CE->getArg(1); 1672 SVal s2Val = state->getSVal(s2, LCtx); 1673 state = checkNonNull(C, state, s2, s2Val); 1674 if (!state) 1675 return; 1676 1677 // Get the string length of the first string or give up. 1678 SVal s1Length = getCStringLength(C, state, s1, s1Val); 1679 if (s1Length.isUndef()) 1680 return; 1681 1682 // Get the string length of the second string or give up. 1683 SVal s2Length = getCStringLength(C, state, s2, s2Val); 1684 if (s2Length.isUndef()) 1685 return; 1686 1687 // If we know the two buffers are the same, we know the result is 0. 1688 // First, get the two buffers' addresses. Another checker will have already 1689 // made sure they're not undefined. 1690 DefinedOrUnknownSVal LV = cast<DefinedOrUnknownSVal>(s1Val); 1691 DefinedOrUnknownSVal RV = cast<DefinedOrUnknownSVal>(s2Val); 1692 1693 // See if they are the same. 1694 SValBuilder &svalBuilder = C.getSValBuilder(); 1695 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 1696 ProgramStateRef StSameBuf, StNotSameBuf; 1697 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 1698 1699 // If the two arguments might be the same buffer, we know the result is 0, 1700 // and we only need to check one size. 1701 if (StSameBuf) { 1702 StSameBuf = StSameBuf->BindExpr(CE, LCtx, 1703 svalBuilder.makeZeroVal(CE->getType())); 1704 C.addTransition(StSameBuf); 1705 1706 // If the two arguments are GUARANTEED to be the same, we're done! 1707 if (!StNotSameBuf) 1708 return; 1709 } 1710 1711 assert(StNotSameBuf); 1712 state = StNotSameBuf; 1713 1714 // At this point we can go about comparing the two buffers. 1715 // For now, we only do this if they're both known string literals. 1716 1717 // Attempt to extract string literals from both expressions. 1718 const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val); 1719 const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val); 1720 bool canComputeResult = false; 1721 1722 if (s1StrLiteral && s2StrLiteral) { 1723 StringRef s1StrRef = s1StrLiteral->getString(); 1724 StringRef s2StrRef = s2StrLiteral->getString(); 1725 1726 if (isBounded) { 1727 // Get the max number of characters to compare. 1728 const Expr *lenExpr = CE->getArg(2); 1729 SVal lenVal = state->getSVal(lenExpr, LCtx); 1730 1731 // If the length is known, we can get the right substrings. 1732 if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) { 1733 // Create substrings of each to compare the prefix. 1734 s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue()); 1735 s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue()); 1736 canComputeResult = true; 1737 } 1738 } else { 1739 // This is a normal, unbounded strcmp. 1740 canComputeResult = true; 1741 } 1742 1743 if (canComputeResult) { 1744 // Real strcmp stops at null characters. 1745 size_t s1Term = s1StrRef.find('\0'); 1746 if (s1Term != StringRef::npos) 1747 s1StrRef = s1StrRef.substr(0, s1Term); 1748 1749 size_t s2Term = s2StrRef.find('\0'); 1750 if (s2Term != StringRef::npos) 1751 s2StrRef = s2StrRef.substr(0, s2Term); 1752 1753 // Use StringRef's comparison methods to compute the actual result. 1754 int result; 1755 1756 if (ignoreCase) { 1757 // Compare string 1 to string 2 the same way strcasecmp() does. 1758 result = s1StrRef.compare_lower(s2StrRef); 1759 } else { 1760 // Compare string 1 to string 2 the same way strcmp() does. 1761 result = s1StrRef.compare(s2StrRef); 1762 } 1763 1764 // Build the SVal of the comparison and bind the return value. 1765 SVal resultVal = svalBuilder.makeIntVal(result, CE->getType()); 1766 state = state->BindExpr(CE, LCtx, resultVal); 1767 } 1768 } 1769 1770 if (!canComputeResult) { 1771 // Conjure a symbolic value. It's the best we can do. 1772 unsigned Count = C.getCurrentBlockCount(); 1773 SVal resultVal = svalBuilder.conjureSymbolVal(0, CE, LCtx, Count); 1774 state = state->BindExpr(CE, LCtx, resultVal); 1775 } 1776 1777 // Record this as a possible path. 1778 C.addTransition(state); 1779} 1780 1781//===----------------------------------------------------------------------===// 1782// The driver method, and other Checker callbacks. 1783//===----------------------------------------------------------------------===// 1784 1785bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { 1786 const FunctionDecl *FDecl = C.getCalleeDecl(CE); 1787 1788 if (!FDecl) 1789 return false; 1790 1791 FnCheck evalFunction = 0; 1792 if (C.isCLibraryFunction(FDecl, "memcpy")) 1793 evalFunction = &CStringChecker::evalMemcpy; 1794 else if (C.isCLibraryFunction(FDecl, "mempcpy")) 1795 evalFunction = &CStringChecker::evalMempcpy; 1796 else if (C.isCLibraryFunction(FDecl, "memcmp")) 1797 evalFunction = &CStringChecker::evalMemcmp; 1798 else if (C.isCLibraryFunction(FDecl, "memmove")) 1799 evalFunction = &CStringChecker::evalMemmove; 1800 else if (C.isCLibraryFunction(FDecl, "strcpy")) 1801 evalFunction = &CStringChecker::evalStrcpy; 1802 else if (C.isCLibraryFunction(FDecl, "strncpy")) 1803 evalFunction = &CStringChecker::evalStrncpy; 1804 else if (C.isCLibraryFunction(FDecl, "stpcpy")) 1805 evalFunction = &CStringChecker::evalStpcpy; 1806 else if (C.isCLibraryFunction(FDecl, "strcat")) 1807 evalFunction = &CStringChecker::evalStrcat; 1808 else if (C.isCLibraryFunction(FDecl, "strncat")) 1809 evalFunction = &CStringChecker::evalStrncat; 1810 else if (C.isCLibraryFunction(FDecl, "strlen")) 1811 evalFunction = &CStringChecker::evalstrLength; 1812 else if (C.isCLibraryFunction(FDecl, "strnlen")) 1813 evalFunction = &CStringChecker::evalstrnLength; 1814 else if (C.isCLibraryFunction(FDecl, "strcmp")) 1815 evalFunction = &CStringChecker::evalStrcmp; 1816 else if (C.isCLibraryFunction(FDecl, "strncmp")) 1817 evalFunction = &CStringChecker::evalStrncmp; 1818 else if (C.isCLibraryFunction(FDecl, "strcasecmp")) 1819 evalFunction = &CStringChecker::evalStrcasecmp; 1820 else if (C.isCLibraryFunction(FDecl, "strncasecmp")) 1821 evalFunction = &CStringChecker::evalStrncasecmp; 1822 else if (C.isCLibraryFunction(FDecl, "bcopy")) 1823 evalFunction = &CStringChecker::evalBcopy; 1824 else if (C.isCLibraryFunction(FDecl, "bcmp")) 1825 evalFunction = &CStringChecker::evalMemcmp; 1826 1827 // If the callee isn't a string function, let another checker handle it. 1828 if (!evalFunction) 1829 return false; 1830 1831 // Make sure each function sets its own description. 1832 // (But don't bother in a release build.) 1833 assert(!(CurrentFunctionDescription = NULL)); 1834 1835 // Check and evaluate the call. 1836 (this->*evalFunction)(C, CE); 1837 1838 // If the evaluate call resulted in no change, chain to the next eval call 1839 // handler. 1840 // Note, the custom CString evaluation calls assume that basic safety 1841 // properties are held. However, if the user chooses to turn off some of these 1842 // checks, we ignore the issues and leave the call evaluation to a generic 1843 // handler. 1844 if (!C.isDifferent()) 1845 return false; 1846 1847 return true; 1848} 1849 1850void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const { 1851 // Record string length for char a[] = "abc"; 1852 ProgramStateRef state = C.getState(); 1853 1854 for (DeclStmt::const_decl_iterator I = DS->decl_begin(), E = DS->decl_end(); 1855 I != E; ++I) { 1856 const VarDecl *D = dyn_cast<VarDecl>(*I); 1857 if (!D) 1858 continue; 1859 1860 // FIXME: Handle array fields of structs. 1861 if (!D->getType()->isArrayType()) 1862 continue; 1863 1864 const Expr *Init = D->getInit(); 1865 if (!Init) 1866 continue; 1867 if (!isa<StringLiteral>(Init)) 1868 continue; 1869 1870 Loc VarLoc = state->getLValue(D, C.getLocationContext()); 1871 const MemRegion *MR = VarLoc.getAsRegion(); 1872 if (!MR) 1873 continue; 1874 1875 SVal StrVal = state->getSVal(Init, C.getLocationContext()); 1876 assert(StrVal.isValid() && "Initializer string is unknown or undefined"); 1877 DefinedOrUnknownSVal strLength 1878 = cast<DefinedOrUnknownSVal>(getCStringLength(C, state, Init, StrVal)); 1879 1880 state = state->set<CStringLength>(MR, strLength); 1881 } 1882 1883 C.addTransition(state); 1884} 1885 1886bool CStringChecker::wantsRegionChangeUpdate(ProgramStateRef state) const { 1887 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1888 return !Entries.isEmpty(); 1889} 1890 1891ProgramStateRef 1892CStringChecker::checkRegionChanges(ProgramStateRef state, 1893 const StoreManager::InvalidatedSymbols *, 1894 ArrayRef<const MemRegion *> ExplicitRegions, 1895 ArrayRef<const MemRegion *> Regions, 1896 const CallEvent *Call) const { 1897 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1898 if (Entries.isEmpty()) 1899 return state; 1900 1901 llvm::SmallPtrSet<const MemRegion *, 8> Invalidated; 1902 llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions; 1903 1904 // First build sets for the changed regions and their super-regions. 1905 for (ArrayRef<const MemRegion *>::iterator 1906 I = Regions.begin(), E = Regions.end(); I != E; ++I) { 1907 const MemRegion *MR = *I; 1908 Invalidated.insert(MR); 1909 1910 SuperRegions.insert(MR); 1911 while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) { 1912 MR = SR->getSuperRegion(); 1913 SuperRegions.insert(MR); 1914 } 1915 } 1916 1917 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>(); 1918 1919 // Then loop over the entries in the current state. 1920 for (CStringLength::EntryMap::iterator I = Entries.begin(), 1921 E = Entries.end(); I != E; ++I) { 1922 const MemRegion *MR = I.getKey(); 1923 1924 // Is this entry for a super-region of a changed region? 1925 if (SuperRegions.count(MR)) { 1926 Entries = F.remove(Entries, MR); 1927 continue; 1928 } 1929 1930 // Is this entry for a sub-region of a changed region? 1931 const MemRegion *Super = MR; 1932 while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) { 1933 Super = SR->getSuperRegion(); 1934 if (Invalidated.count(Super)) { 1935 Entries = F.remove(Entries, MR); 1936 break; 1937 } 1938 } 1939 } 1940 1941 return state->set<CStringLength>(Entries); 1942} 1943 1944void CStringChecker::checkLiveSymbols(ProgramStateRef state, 1945 SymbolReaper &SR) const { 1946 // Mark all symbols in our string length map as valid. 1947 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1948 1949 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end(); 1950 I != E; ++I) { 1951 SVal Len = I.getData(); 1952 1953 for (SymExpr::symbol_iterator si = Len.symbol_begin(), 1954 se = Len.symbol_end(); si != se; ++si) 1955 SR.markInUse(*si); 1956 } 1957} 1958 1959void CStringChecker::checkDeadSymbols(SymbolReaper &SR, 1960 CheckerContext &C) const { 1961 if (!SR.hasDeadSymbols()) 1962 return; 1963 1964 ProgramStateRef state = C.getState(); 1965 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1966 if (Entries.isEmpty()) 1967 return; 1968 1969 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>(); 1970 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end(); 1971 I != E; ++I) { 1972 SVal Len = I.getData(); 1973 if (SymbolRef Sym = Len.getAsSymbol()) { 1974 if (SR.isDead(Sym)) 1975 Entries = F.remove(Entries, I.getKey()); 1976 } 1977 } 1978 1979 state = state->set<CStringLength>(Entries); 1980 C.addTransition(state); 1981} 1982 1983#define REGISTER_CHECKER(name) \ 1984void ento::register##name(CheckerManager &mgr) {\ 1985 static CStringChecker *TheChecker = 0; \ 1986 if (TheChecker == 0) \ 1987 TheChecker = mgr.registerChecker<CStringChecker>(); \ 1988 TheChecker->Filter.Check##name = true; \ 1989} 1990 1991REGISTER_CHECKER(CStringNullArg) 1992REGISTER_CHECKER(CStringOutOfBounds) 1993REGISTER_CHECKER(CStringBufferOverlap) 1994REGISTER_CHECKER(CStringNotNullTerm) 1995 1996void ento::registerCStringCheckerBasic(CheckerManager &Mgr) { 1997 registerCStringNullArg(Mgr); 1998} 1999