CStringChecker.cpp revision 740d490593e0de8732a697c9f77b90ddd463863b
1//= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This defines CStringChecker, which is an assortment of checks on calls 11// to functions in <string.h>. 12// 13//===----------------------------------------------------------------------===// 14 15#include "ClangSACheckers.h" 16#include "InterCheckerAPI.h" 17#include "clang/StaticAnalyzer/Core/Checker.h" 18#include "clang/StaticAnalyzer/Core/CheckerManager.h" 19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 20#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 21#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 22#include "llvm/ADT/SmallString.h" 23#include "llvm/ADT/STLExtras.h" 24#include "llvm/ADT/StringSwitch.h" 25 26using namespace clang; 27using namespace ento; 28 29namespace { 30class CStringChecker : public Checker< eval::Call, 31 check::PreStmt<DeclStmt>, 32 check::LiveSymbols, 33 check::DeadSymbols, 34 check::RegionChanges 35 > { 36 mutable OwningPtr<BugType> BT_Null, 37 BT_Bounds, 38 BT_Overlap, 39 BT_NotCString, 40 BT_AdditionOverflow; 41 42 mutable const char *CurrentFunctionDescription; 43 44public: 45 /// The filter is used to filter out the diagnostics which are not enabled by 46 /// the user. 47 struct CStringChecksFilter { 48 DefaultBool CheckCStringNullArg; 49 DefaultBool CheckCStringOutOfBounds; 50 DefaultBool CheckCStringBufferOverlap; 51 DefaultBool CheckCStringNotNullTerm; 52 }; 53 54 CStringChecksFilter Filter; 55 56 static void *getTag() { static int tag; return &tag; } 57 58 bool evalCall(const CallExpr *CE, CheckerContext &C) const; 59 void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; 60 void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const; 61 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; 62 bool wantsRegionChangeUpdate(ProgramStateRef state) const; 63 64 ProgramStateRef 65 checkRegionChanges(ProgramStateRef state, 66 const StoreManager::InvalidatedSymbols *, 67 ArrayRef<const MemRegion *> ExplicitRegions, 68 ArrayRef<const MemRegion *> Regions, 69 const CallEvent *Call) const; 70 71 typedef void (CStringChecker::*FnCheck)(CheckerContext &, 72 const CallExpr *) const; 73 74 void evalMemcpy(CheckerContext &C, const CallExpr *CE) const; 75 void evalMempcpy(CheckerContext &C, const CallExpr *CE) const; 76 void evalMemmove(CheckerContext &C, const CallExpr *CE) const; 77 void evalBcopy(CheckerContext &C, const CallExpr *CE) const; 78 void evalCopyCommon(CheckerContext &C, const CallExpr *CE, 79 ProgramStateRef state, 80 const Expr *Size, 81 const Expr *Source, 82 const Expr *Dest, 83 bool Restricted = false, 84 bool IsMempcpy = false) const; 85 86 void evalMemcmp(CheckerContext &C, const CallExpr *CE) const; 87 88 void evalstrLength(CheckerContext &C, const CallExpr *CE) const; 89 void evalstrnLength(CheckerContext &C, const CallExpr *CE) const; 90 void evalstrLengthCommon(CheckerContext &C, 91 const CallExpr *CE, 92 bool IsStrnlen = false) const; 93 94 void evalStrcpy(CheckerContext &C, const CallExpr *CE) const; 95 void evalStrncpy(CheckerContext &C, const CallExpr *CE) const; 96 void evalStpcpy(CheckerContext &C, const CallExpr *CE) const; 97 void evalStrcpyCommon(CheckerContext &C, 98 const CallExpr *CE, 99 bool returnEnd, 100 bool isBounded, 101 bool isAppending) const; 102 103 void evalStrcat(CheckerContext &C, const CallExpr *CE) const; 104 void evalStrncat(CheckerContext &C, const CallExpr *CE) const; 105 106 void evalStrcmp(CheckerContext &C, const CallExpr *CE) const; 107 void evalStrncmp(CheckerContext &C, const CallExpr *CE) const; 108 void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const; 109 void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const; 110 void evalStrcmpCommon(CheckerContext &C, 111 const CallExpr *CE, 112 bool isBounded = false, 113 bool ignoreCase = false) const; 114 115 // Utility methods 116 std::pair<ProgramStateRef , ProgramStateRef > 117 static assumeZero(CheckerContext &C, 118 ProgramStateRef state, SVal V, QualType Ty); 119 120 static ProgramStateRef setCStringLength(ProgramStateRef state, 121 const MemRegion *MR, 122 SVal strLength); 123 static SVal getCStringLengthForRegion(CheckerContext &C, 124 ProgramStateRef &state, 125 const Expr *Ex, 126 const MemRegion *MR, 127 bool hypothetical); 128 SVal getCStringLength(CheckerContext &C, 129 ProgramStateRef &state, 130 const Expr *Ex, 131 SVal Buf, 132 bool hypothetical = false) const; 133 134 const StringLiteral *getCStringLiteral(CheckerContext &C, 135 ProgramStateRef &state, 136 const Expr *expr, 137 SVal val) const; 138 139 static ProgramStateRef InvalidateBuffer(CheckerContext &C, 140 ProgramStateRef state, 141 const Expr *Ex, SVal V); 142 143 static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx, 144 const MemRegion *MR); 145 146 // Re-usable checks 147 ProgramStateRef checkNonNull(CheckerContext &C, 148 ProgramStateRef state, 149 const Expr *S, 150 SVal l) const; 151 ProgramStateRef CheckLocation(CheckerContext &C, 152 ProgramStateRef state, 153 const Expr *S, 154 SVal l, 155 const char *message = NULL) const; 156 ProgramStateRef CheckBufferAccess(CheckerContext &C, 157 ProgramStateRef state, 158 const Expr *Size, 159 const Expr *FirstBuf, 160 const Expr *SecondBuf, 161 const char *firstMessage = NULL, 162 const char *secondMessage = NULL, 163 bool WarnAboutSize = false) const; 164 165 ProgramStateRef CheckBufferAccess(CheckerContext &C, 166 ProgramStateRef state, 167 const Expr *Size, 168 const Expr *Buf, 169 const char *message = NULL, 170 bool WarnAboutSize = false) const { 171 // This is a convenience override. 172 return CheckBufferAccess(C, state, Size, Buf, NULL, message, NULL, 173 WarnAboutSize); 174 } 175 ProgramStateRef CheckOverlap(CheckerContext &C, 176 ProgramStateRef state, 177 const Expr *Size, 178 const Expr *First, 179 const Expr *Second) const; 180 void emitOverlapBug(CheckerContext &C, 181 ProgramStateRef state, 182 const Stmt *First, 183 const Stmt *Second) const; 184 185 ProgramStateRef checkAdditionOverflow(CheckerContext &C, 186 ProgramStateRef state, 187 NonLoc left, 188 NonLoc right) const; 189}; 190 191class CStringLength { 192public: 193 typedef llvm::ImmutableMap<const MemRegion *, SVal> EntryMap; 194}; 195} //end anonymous namespace 196 197namespace clang { 198namespace ento { 199 template <> 200 struct ProgramStateTrait<CStringLength> 201 : public ProgramStatePartialTrait<CStringLength::EntryMap> { 202 static void *GDMIndex() { return CStringChecker::getTag(); } 203 }; 204} 205} 206 207//===----------------------------------------------------------------------===// 208// Individual checks and utility methods. 209//===----------------------------------------------------------------------===// 210 211std::pair<ProgramStateRef , ProgramStateRef > 212CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V, 213 QualType Ty) { 214 DefinedSVal *val = dyn_cast<DefinedSVal>(&V); 215 if (!val) 216 return std::pair<ProgramStateRef , ProgramStateRef >(state, state); 217 218 SValBuilder &svalBuilder = C.getSValBuilder(); 219 DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty); 220 return state->assume(svalBuilder.evalEQ(state, *val, zero)); 221} 222 223ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C, 224 ProgramStateRef state, 225 const Expr *S, SVal l) const { 226 // If a previous check has failed, propagate the failure. 227 if (!state) 228 return NULL; 229 230 ProgramStateRef stateNull, stateNonNull; 231 llvm::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType()); 232 233 if (stateNull && !stateNonNull) { 234 if (!Filter.CheckCStringNullArg) 235 return NULL; 236 237 ExplodedNode *N = C.generateSink(stateNull); 238 if (!N) 239 return NULL; 240 241 if (!BT_Null) 242 BT_Null.reset(new BuiltinBug("Unix API", 243 "Null pointer argument in call to byte string function")); 244 245 SmallString<80> buf; 246 llvm::raw_svector_ostream os(buf); 247 assert(CurrentFunctionDescription); 248 os << "Null pointer argument in call to " << CurrentFunctionDescription; 249 250 // Generate a report for this bug. 251 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get()); 252 BugReport *report = new BugReport(*BT, os.str(), N); 253 254 report->addRange(S->getSourceRange()); 255 report->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N, S, 256 report)); 257 C.EmitReport(report); 258 return NULL; 259 } 260 261 // From here on, assume that the value is non-null. 262 assert(stateNonNull); 263 return stateNonNull; 264} 265 266// FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor? 267ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C, 268 ProgramStateRef state, 269 const Expr *S, SVal l, 270 const char *warningMsg) const { 271 // If a previous check has failed, propagate the failure. 272 if (!state) 273 return NULL; 274 275 // Check for out of bound array element access. 276 const MemRegion *R = l.getAsRegion(); 277 if (!R) 278 return state; 279 280 const ElementRegion *ER = dyn_cast<ElementRegion>(R); 281 if (!ER) 282 return state; 283 284 assert(ER->getValueType() == C.getASTContext().CharTy && 285 "CheckLocation should only be called with char* ElementRegions"); 286 287 // Get the size of the array. 288 const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion()); 289 SValBuilder &svalBuilder = C.getSValBuilder(); 290 SVal Extent = 291 svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder)); 292 DefinedOrUnknownSVal Size = cast<DefinedOrUnknownSVal>(Extent); 293 294 // Get the index of the accessed element. 295 DefinedOrUnknownSVal Idx = cast<DefinedOrUnknownSVal>(ER->getIndex()); 296 297 ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true); 298 ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false); 299 if (StOutBound && !StInBound) { 300 ExplodedNode *N = C.generateSink(StOutBound); 301 if (!N) 302 return NULL; 303 304 if (!BT_Bounds) { 305 BT_Bounds.reset(new BuiltinBug("Out-of-bound array access", 306 "Byte string function accesses out-of-bound array element")); 307 } 308 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get()); 309 310 // Generate a report for this bug. 311 BugReport *report; 312 if (warningMsg) { 313 report = new BugReport(*BT, warningMsg, N); 314 } else { 315 assert(CurrentFunctionDescription); 316 assert(CurrentFunctionDescription[0] != '\0'); 317 318 SmallString<80> buf; 319 llvm::raw_svector_ostream os(buf); 320 os << (char)toupper(CurrentFunctionDescription[0]) 321 << &CurrentFunctionDescription[1] 322 << " accesses out-of-bound array element"; 323 report = new BugReport(*BT, os.str(), N); 324 } 325 326 // FIXME: It would be nice to eventually make this diagnostic more clear, 327 // e.g., by referencing the original declaration or by saying *why* this 328 // reference is outside the range. 329 330 report->addRange(S->getSourceRange()); 331 C.EmitReport(report); 332 return NULL; 333 } 334 335 // Array bound check succeeded. From this point forward the array bound 336 // should always succeed. 337 return StInBound; 338} 339 340ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C, 341 ProgramStateRef state, 342 const Expr *Size, 343 const Expr *FirstBuf, 344 const Expr *SecondBuf, 345 const char *firstMessage, 346 const char *secondMessage, 347 bool WarnAboutSize) const { 348 // If a previous check has failed, propagate the failure. 349 if (!state) 350 return NULL; 351 352 SValBuilder &svalBuilder = C.getSValBuilder(); 353 ASTContext &Ctx = svalBuilder.getContext(); 354 const LocationContext *LCtx = C.getLocationContext(); 355 356 QualType sizeTy = Size->getType(); 357 QualType PtrTy = Ctx.getPointerType(Ctx.CharTy); 358 359 // Check that the first buffer is non-null. 360 SVal BufVal = state->getSVal(FirstBuf, LCtx); 361 state = checkNonNull(C, state, FirstBuf, BufVal); 362 if (!state) 363 return NULL; 364 365 // If out-of-bounds checking is turned off, skip the rest. 366 if (!Filter.CheckCStringOutOfBounds) 367 return state; 368 369 // Get the access length and make sure it is known. 370 // FIXME: This assumes the caller has already checked that the access length 371 // is positive. And that it's unsigned. 372 SVal LengthVal = state->getSVal(Size, LCtx); 373 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 374 if (!Length) 375 return state; 376 377 // Compute the offset of the last element to be accessed: size-1. 378 NonLoc One = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy)); 379 NonLoc LastOffset = cast<NonLoc>(svalBuilder.evalBinOpNN(state, BO_Sub, 380 *Length, One, sizeTy)); 381 382 // Check that the first buffer is sufficiently long. 383 SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); 384 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 385 const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf); 386 387 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 388 LastOffset, PtrTy); 389 state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage); 390 391 // If the buffer isn't large enough, abort. 392 if (!state) 393 return NULL; 394 } 395 396 // If there's a second buffer, check it as well. 397 if (SecondBuf) { 398 BufVal = state->getSVal(SecondBuf, LCtx); 399 state = checkNonNull(C, state, SecondBuf, BufVal); 400 if (!state) 401 return NULL; 402 403 BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType()); 404 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 405 const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf); 406 407 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 408 LastOffset, PtrTy); 409 state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage); 410 } 411 } 412 413 // Large enough or not, return this state! 414 return state; 415} 416 417ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C, 418 ProgramStateRef state, 419 const Expr *Size, 420 const Expr *First, 421 const Expr *Second) const { 422 if (!Filter.CheckCStringBufferOverlap) 423 return state; 424 425 // Do a simple check for overlap: if the two arguments are from the same 426 // buffer, see if the end of the first is greater than the start of the second 427 // or vice versa. 428 429 // If a previous check has failed, propagate the failure. 430 if (!state) 431 return NULL; 432 433 ProgramStateRef stateTrue, stateFalse; 434 435 // Get the buffer values and make sure they're known locations. 436 const LocationContext *LCtx = C.getLocationContext(); 437 SVal firstVal = state->getSVal(First, LCtx); 438 SVal secondVal = state->getSVal(Second, LCtx); 439 440 Loc *firstLoc = dyn_cast<Loc>(&firstVal); 441 if (!firstLoc) 442 return state; 443 444 Loc *secondLoc = dyn_cast<Loc>(&secondVal); 445 if (!secondLoc) 446 return state; 447 448 // Are the two values the same? 449 SValBuilder &svalBuilder = C.getSValBuilder(); 450 llvm::tie(stateTrue, stateFalse) = 451 state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc)); 452 453 if (stateTrue && !stateFalse) { 454 // If the values are known to be equal, that's automatically an overlap. 455 emitOverlapBug(C, stateTrue, First, Second); 456 return NULL; 457 } 458 459 // assume the two expressions are not equal. 460 assert(stateFalse); 461 state = stateFalse; 462 463 // Which value comes first? 464 QualType cmpTy = svalBuilder.getConditionType(); 465 SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT, 466 *firstLoc, *secondLoc, cmpTy); 467 DefinedOrUnknownSVal *reverseTest = dyn_cast<DefinedOrUnknownSVal>(&reverse); 468 if (!reverseTest) 469 return state; 470 471 llvm::tie(stateTrue, stateFalse) = state->assume(*reverseTest); 472 if (stateTrue) { 473 if (stateFalse) { 474 // If we don't know which one comes first, we can't perform this test. 475 return state; 476 } else { 477 // Switch the values so that firstVal is before secondVal. 478 Loc *tmpLoc = firstLoc; 479 firstLoc = secondLoc; 480 secondLoc = tmpLoc; 481 482 // Switch the Exprs as well, so that they still correspond. 483 const Expr *tmpExpr = First; 484 First = Second; 485 Second = tmpExpr; 486 } 487 } 488 489 // Get the length, and make sure it too is known. 490 SVal LengthVal = state->getSVal(Size, LCtx); 491 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 492 if (!Length) 493 return state; 494 495 // Convert the first buffer's start address to char*. 496 // Bail out if the cast fails. 497 ASTContext &Ctx = svalBuilder.getContext(); 498 QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy); 499 SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy, 500 First->getType()); 501 Loc *FirstStartLoc = dyn_cast<Loc>(&FirstStart); 502 if (!FirstStartLoc) 503 return state; 504 505 // Compute the end of the first buffer. Bail out if THAT fails. 506 SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, 507 *FirstStartLoc, *Length, CharPtrTy); 508 Loc *FirstEndLoc = dyn_cast<Loc>(&FirstEnd); 509 if (!FirstEndLoc) 510 return state; 511 512 // Is the end of the first buffer past the start of the second buffer? 513 SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT, 514 *FirstEndLoc, *secondLoc, cmpTy); 515 DefinedOrUnknownSVal *OverlapTest = dyn_cast<DefinedOrUnknownSVal>(&Overlap); 516 if (!OverlapTest) 517 return state; 518 519 llvm::tie(stateTrue, stateFalse) = state->assume(*OverlapTest); 520 521 if (stateTrue && !stateFalse) { 522 // Overlap! 523 emitOverlapBug(C, stateTrue, First, Second); 524 return NULL; 525 } 526 527 // assume the two expressions don't overlap. 528 assert(stateFalse); 529 return stateFalse; 530} 531 532void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state, 533 const Stmt *First, const Stmt *Second) const { 534 ExplodedNode *N = C.generateSink(state); 535 if (!N) 536 return; 537 538 if (!BT_Overlap) 539 BT_Overlap.reset(new BugType("Unix API", "Improper arguments")); 540 541 // Generate a report for this bug. 542 BugReport *report = 543 new BugReport(*BT_Overlap, 544 "Arguments must not be overlapping buffers", N); 545 report->addRange(First->getSourceRange()); 546 report->addRange(Second->getSourceRange()); 547 548 C.EmitReport(report); 549} 550 551ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C, 552 ProgramStateRef state, 553 NonLoc left, 554 NonLoc right) const { 555 // If out-of-bounds checking is turned off, skip the rest. 556 if (!Filter.CheckCStringOutOfBounds) 557 return state; 558 559 // If a previous check has failed, propagate the failure. 560 if (!state) 561 return NULL; 562 563 SValBuilder &svalBuilder = C.getSValBuilder(); 564 BasicValueFactory &BVF = svalBuilder.getBasicValueFactory(); 565 566 QualType sizeTy = svalBuilder.getContext().getSizeType(); 567 const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy); 568 NonLoc maxVal = svalBuilder.makeIntVal(maxValInt); 569 570 SVal maxMinusRight; 571 if (isa<nonloc::ConcreteInt>(right)) { 572 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right, 573 sizeTy); 574 } else { 575 // Try switching the operands. (The order of these two assignments is 576 // important!) 577 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left, 578 sizeTy); 579 left = right; 580 } 581 582 if (NonLoc *maxMinusRightNL = dyn_cast<NonLoc>(&maxMinusRight)) { 583 QualType cmpTy = svalBuilder.getConditionType(); 584 // If left > max - right, we have an overflow. 585 SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left, 586 *maxMinusRightNL, cmpTy); 587 588 ProgramStateRef stateOverflow, stateOkay; 589 llvm::tie(stateOverflow, stateOkay) = 590 state->assume(cast<DefinedOrUnknownSVal>(willOverflow)); 591 592 if (stateOverflow && !stateOkay) { 593 // We have an overflow. Emit a bug report. 594 ExplodedNode *N = C.generateSink(stateOverflow); 595 if (!N) 596 return NULL; 597 598 if (!BT_AdditionOverflow) 599 BT_AdditionOverflow.reset(new BuiltinBug("API", 600 "Sum of expressions causes overflow")); 601 602 // This isn't a great error message, but this should never occur in real 603 // code anyway -- you'd have to create a buffer longer than a size_t can 604 // represent, which is sort of a contradiction. 605 const char *warning = 606 "This expression will create a string whose length is too big to " 607 "be represented as a size_t"; 608 609 // Generate a report for this bug. 610 BugReport *report = new BugReport(*BT_AdditionOverflow, warning, N); 611 C.EmitReport(report); 612 613 return NULL; 614 } 615 616 // From now on, assume an overflow didn't occur. 617 assert(stateOkay); 618 state = stateOkay; 619 } 620 621 return state; 622} 623 624ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state, 625 const MemRegion *MR, 626 SVal strLength) { 627 assert(!strLength.isUndef() && "Attempt to set an undefined string length"); 628 629 MR = MR->StripCasts(); 630 631 switch (MR->getKind()) { 632 case MemRegion::StringRegionKind: 633 // FIXME: This can happen if we strcpy() into a string region. This is 634 // undefined [C99 6.4.5p6], but we should still warn about it. 635 return state; 636 637 case MemRegion::SymbolicRegionKind: 638 case MemRegion::AllocaRegionKind: 639 case MemRegion::VarRegionKind: 640 case MemRegion::FieldRegionKind: 641 case MemRegion::ObjCIvarRegionKind: 642 // These are the types we can currently track string lengths for. 643 break; 644 645 case MemRegion::ElementRegionKind: 646 // FIXME: Handle element regions by upper-bounding the parent region's 647 // string length. 648 return state; 649 650 default: 651 // Other regions (mostly non-data) can't have a reliable C string length. 652 // For now, just ignore the change. 653 // FIXME: These are rare but not impossible. We should output some kind of 654 // warning for things like strcpy((char[]){'a', 0}, "b"); 655 return state; 656 } 657 658 if (strLength.isUnknown()) 659 return state->remove<CStringLength>(MR); 660 661 return state->set<CStringLength>(MR, strLength); 662} 663 664SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C, 665 ProgramStateRef &state, 666 const Expr *Ex, 667 const MemRegion *MR, 668 bool hypothetical) { 669 if (!hypothetical) { 670 // If there's a recorded length, go ahead and return it. 671 const SVal *Recorded = state->get<CStringLength>(MR); 672 if (Recorded) 673 return *Recorded; 674 } 675 676 // Otherwise, get a new symbol and update the state. 677 unsigned Count = C.getCurrentBlockCount(); 678 SValBuilder &svalBuilder = C.getSValBuilder(); 679 QualType sizeTy = svalBuilder.getContext().getSizeType(); 680 SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(), 681 MR, Ex, sizeTy, Count); 682 683 if (!hypothetical) 684 state = state->set<CStringLength>(MR, strLength); 685 686 return strLength; 687} 688 689SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state, 690 const Expr *Ex, SVal Buf, 691 bool hypothetical) const { 692 const MemRegion *MR = Buf.getAsRegion(); 693 if (!MR) { 694 // If we can't get a region, see if it's something we /know/ isn't a 695 // C string. In the context of locations, the only time we can issue such 696 // a warning is for labels. 697 if (loc::GotoLabel *Label = dyn_cast<loc::GotoLabel>(&Buf)) { 698 if (!Filter.CheckCStringNotNullTerm) 699 return UndefinedVal(); 700 701 if (ExplodedNode *N = C.addTransition(state)) { 702 if (!BT_NotCString) 703 BT_NotCString.reset(new BuiltinBug("Unix API", 704 "Argument is not a null-terminated string.")); 705 706 SmallString<120> buf; 707 llvm::raw_svector_ostream os(buf); 708 assert(CurrentFunctionDescription); 709 os << "Argument to " << CurrentFunctionDescription 710 << " is the address of the label '" << Label->getLabel()->getName() 711 << "', which is not a null-terminated string"; 712 713 // Generate a report for this bug. 714 BugReport *report = new BugReport(*BT_NotCString, 715 os.str(), N); 716 717 report->addRange(Ex->getSourceRange()); 718 C.EmitReport(report); 719 } 720 return UndefinedVal(); 721 722 } 723 724 // If it's not a region and not a label, give up. 725 return UnknownVal(); 726 } 727 728 // If we have a region, strip casts from it and see if we can figure out 729 // its length. For anything we can't figure out, just return UnknownVal. 730 MR = MR->StripCasts(); 731 732 switch (MR->getKind()) { 733 case MemRegion::StringRegionKind: { 734 // Modifying the contents of string regions is undefined [C99 6.4.5p6], 735 // so we can assume that the byte length is the correct C string length. 736 SValBuilder &svalBuilder = C.getSValBuilder(); 737 QualType sizeTy = svalBuilder.getContext().getSizeType(); 738 const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral(); 739 return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy); 740 } 741 case MemRegion::SymbolicRegionKind: 742 case MemRegion::AllocaRegionKind: 743 case MemRegion::VarRegionKind: 744 case MemRegion::FieldRegionKind: 745 case MemRegion::ObjCIvarRegionKind: 746 return getCStringLengthForRegion(C, state, Ex, MR, hypothetical); 747 case MemRegion::CompoundLiteralRegionKind: 748 // FIXME: Can we track this? Is it necessary? 749 return UnknownVal(); 750 case MemRegion::ElementRegionKind: 751 // FIXME: How can we handle this? It's not good enough to subtract the 752 // offset from the base string length; consider "123\x00567" and &a[5]. 753 return UnknownVal(); 754 default: 755 // Other regions (mostly non-data) can't have a reliable C string length. 756 // In this case, an error is emitted and UndefinedVal is returned. 757 // The caller should always be prepared to handle this case. 758 if (!Filter.CheckCStringNotNullTerm) 759 return UndefinedVal(); 760 761 if (ExplodedNode *N = C.addTransition(state)) { 762 if (!BT_NotCString) 763 BT_NotCString.reset(new BuiltinBug("Unix API", 764 "Argument is not a null-terminated string.")); 765 766 SmallString<120> buf; 767 llvm::raw_svector_ostream os(buf); 768 769 assert(CurrentFunctionDescription); 770 os << "Argument to " << CurrentFunctionDescription << " is "; 771 772 if (SummarizeRegion(os, C.getASTContext(), MR)) 773 os << ", which is not a null-terminated string"; 774 else 775 os << "not a null-terminated string"; 776 777 // Generate a report for this bug. 778 BugReport *report = new BugReport(*BT_NotCString, 779 os.str(), N); 780 781 report->addRange(Ex->getSourceRange()); 782 C.EmitReport(report); 783 } 784 785 return UndefinedVal(); 786 } 787} 788 789const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C, 790 ProgramStateRef &state, const Expr *expr, SVal val) const { 791 792 // Get the memory region pointed to by the val. 793 const MemRegion *bufRegion = val.getAsRegion(); 794 if (!bufRegion) 795 return NULL; 796 797 // Strip casts off the memory region. 798 bufRegion = bufRegion->StripCasts(); 799 800 // Cast the memory region to a string region. 801 const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion); 802 if (!strRegion) 803 return NULL; 804 805 // Return the actual string in the string region. 806 return strRegion->getStringLiteral(); 807} 808 809ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C, 810 ProgramStateRef state, 811 const Expr *E, SVal V) { 812 Loc *L = dyn_cast<Loc>(&V); 813 if (!L) 814 return state; 815 816 // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes 817 // some assumptions about the value that CFRefCount can't. Even so, it should 818 // probably be refactored. 819 if (loc::MemRegionVal* MR = dyn_cast<loc::MemRegionVal>(L)) { 820 const MemRegion *R = MR->getRegion()->StripCasts(); 821 822 // Are we dealing with an ElementRegion? If so, we should be invalidating 823 // the super-region. 824 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) { 825 R = ER->getSuperRegion(); 826 // FIXME: What about layers of ElementRegions? 827 } 828 829 // Invalidate this region. 830 unsigned Count = C.getCurrentBlockCount(); 831 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 832 return state->invalidateRegions(R, E, Count, LCtx); 833 } 834 835 // If we have a non-region value by chance, just remove the binding. 836 // FIXME: is this necessary or correct? This handles the non-Region 837 // cases. Is it ever valid to store to these? 838 return state->unbindLoc(*L); 839} 840 841bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx, 842 const MemRegion *MR) { 843 const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR); 844 845 switch (MR->getKind()) { 846 case MemRegion::FunctionTextRegionKind: { 847 const FunctionDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 848 if (FD) 849 os << "the address of the function '" << *FD << '\''; 850 else 851 os << "the address of a function"; 852 return true; 853 } 854 case MemRegion::BlockTextRegionKind: 855 os << "block text"; 856 return true; 857 case MemRegion::BlockDataRegionKind: 858 os << "a block"; 859 return true; 860 case MemRegion::CXXThisRegionKind: 861 case MemRegion::CXXTempObjectRegionKind: 862 os << "a C++ temp object of type " << TVR->getValueType().getAsString(); 863 return true; 864 case MemRegion::VarRegionKind: 865 os << "a variable of type" << TVR->getValueType().getAsString(); 866 return true; 867 case MemRegion::FieldRegionKind: 868 os << "a field of type " << TVR->getValueType().getAsString(); 869 return true; 870 case MemRegion::ObjCIvarRegionKind: 871 os << "an instance variable of type " << TVR->getValueType().getAsString(); 872 return true; 873 default: 874 return false; 875 } 876} 877 878//===----------------------------------------------------------------------===// 879// evaluation of individual function calls. 880//===----------------------------------------------------------------------===// 881 882void CStringChecker::evalCopyCommon(CheckerContext &C, 883 const CallExpr *CE, 884 ProgramStateRef state, 885 const Expr *Size, const Expr *Dest, 886 const Expr *Source, bool Restricted, 887 bool IsMempcpy) const { 888 CurrentFunctionDescription = "memory copy function"; 889 890 // See if the size argument is zero. 891 const LocationContext *LCtx = C.getLocationContext(); 892 SVal sizeVal = state->getSVal(Size, LCtx); 893 QualType sizeTy = Size->getType(); 894 895 ProgramStateRef stateZeroSize, stateNonZeroSize; 896 llvm::tie(stateZeroSize, stateNonZeroSize) = 897 assumeZero(C, state, sizeVal, sizeTy); 898 899 // Get the value of the Dest. 900 SVal destVal = state->getSVal(Dest, LCtx); 901 902 // If the size is zero, there won't be any actual memory access, so 903 // just bind the return value to the destination buffer and return. 904 if (stateZeroSize && !stateNonZeroSize) { 905 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal); 906 C.addTransition(stateZeroSize); 907 return; 908 } 909 910 // If the size can be nonzero, we have to check the other arguments. 911 if (stateNonZeroSize) { 912 state = stateNonZeroSize; 913 914 // Ensure the destination is not null. If it is NULL there will be a 915 // NULL pointer dereference. 916 state = checkNonNull(C, state, Dest, destVal); 917 if (!state) 918 return; 919 920 // Get the value of the Src. 921 SVal srcVal = state->getSVal(Source, LCtx); 922 923 // Ensure the source is not null. If it is NULL there will be a 924 // NULL pointer dereference. 925 state = checkNonNull(C, state, Source, srcVal); 926 if (!state) 927 return; 928 929 // Ensure the accesses are valid and that the buffers do not overlap. 930 const char * const writeWarning = 931 "Memory copy function overflows destination buffer"; 932 state = CheckBufferAccess(C, state, Size, Dest, Source, 933 writeWarning, /* sourceWarning = */ NULL); 934 if (Restricted) 935 state = CheckOverlap(C, state, Size, Dest, Source); 936 937 if (!state) 938 return; 939 940 // If this is mempcpy, get the byte after the last byte copied and 941 // bind the expr. 942 if (IsMempcpy) { 943 loc::MemRegionVal *destRegVal = dyn_cast<loc::MemRegionVal>(&destVal); 944 assert(destRegVal && "Destination should be a known MemRegionVal here"); 945 946 // Get the length to copy. 947 NonLoc *lenValNonLoc = dyn_cast<NonLoc>(&sizeVal); 948 949 if (lenValNonLoc) { 950 // Get the byte after the last byte copied. 951 SVal lastElement = C.getSValBuilder().evalBinOpLN(state, BO_Add, 952 *destRegVal, 953 *lenValNonLoc, 954 Dest->getType()); 955 956 // The byte after the last byte copied is the return value. 957 state = state->BindExpr(CE, LCtx, lastElement); 958 } else { 959 // If we don't know how much we copied, we can at least 960 // conjure a return value for later. 961 unsigned Count = C.getCurrentBlockCount(); 962 SVal result = 963 C.getSValBuilder().getConjuredSymbolVal(NULL, CE, LCtx, Count); 964 state = state->BindExpr(CE, LCtx, result); 965 } 966 967 } else { 968 // All other copies return the destination buffer. 969 // (Well, bcopy() has a void return type, but this won't hurt.) 970 state = state->BindExpr(CE, LCtx, destVal); 971 } 972 973 // Invalidate the destination. 974 // FIXME: Even if we can't perfectly model the copy, we should see if we 975 // can use LazyCompoundVals to copy the source values into the destination. 976 // This would probably remove any existing bindings past the end of the 977 // copied region, but that's still an improvement over blank invalidation. 978 state = InvalidateBuffer(C, state, Dest, 979 state->getSVal(Dest, C.getLocationContext())); 980 C.addTransition(state); 981 } 982} 983 984 985void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const { 986 if (CE->getNumArgs() < 3) 987 return; 988 989 // void *memcpy(void *restrict dst, const void *restrict src, size_t n); 990 // The return value is the address of the destination buffer. 991 const Expr *Dest = CE->getArg(0); 992 ProgramStateRef state = C.getState(); 993 994 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true); 995} 996 997void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const { 998 if (CE->getNumArgs() < 3) 999 return; 1000 1001 // void *mempcpy(void *restrict dst, const void *restrict src, size_t n); 1002 // The return value is a pointer to the byte following the last written byte. 1003 const Expr *Dest = CE->getArg(0); 1004 ProgramStateRef state = C.getState(); 1005 1006 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true); 1007} 1008 1009void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const { 1010 if (CE->getNumArgs() < 3) 1011 return; 1012 1013 // void *memmove(void *dst, const void *src, size_t n); 1014 // The return value is the address of the destination buffer. 1015 const Expr *Dest = CE->getArg(0); 1016 ProgramStateRef state = C.getState(); 1017 1018 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1)); 1019} 1020 1021void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const { 1022 if (CE->getNumArgs() < 3) 1023 return; 1024 1025 // void bcopy(const void *src, void *dst, size_t n); 1026 evalCopyCommon(C, CE, C.getState(), 1027 CE->getArg(2), CE->getArg(1), CE->getArg(0)); 1028} 1029 1030void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const { 1031 if (CE->getNumArgs() < 3) 1032 return; 1033 1034 // int memcmp(const void *s1, const void *s2, size_t n); 1035 CurrentFunctionDescription = "memory comparison function"; 1036 1037 const Expr *Left = CE->getArg(0); 1038 const Expr *Right = CE->getArg(1); 1039 const Expr *Size = CE->getArg(2); 1040 1041 ProgramStateRef state = C.getState(); 1042 SValBuilder &svalBuilder = C.getSValBuilder(); 1043 1044 // See if the size argument is zero. 1045 const LocationContext *LCtx = C.getLocationContext(); 1046 SVal sizeVal = state->getSVal(Size, LCtx); 1047 QualType sizeTy = Size->getType(); 1048 1049 ProgramStateRef stateZeroSize, stateNonZeroSize; 1050 llvm::tie(stateZeroSize, stateNonZeroSize) = 1051 assumeZero(C, state, sizeVal, sizeTy); 1052 1053 // If the size can be zero, the result will be 0 in that case, and we don't 1054 // have to check either of the buffers. 1055 if (stateZeroSize) { 1056 state = stateZeroSize; 1057 state = state->BindExpr(CE, LCtx, 1058 svalBuilder.makeZeroVal(CE->getType())); 1059 C.addTransition(state); 1060 } 1061 1062 // If the size can be nonzero, we have to check the other arguments. 1063 if (stateNonZeroSize) { 1064 state = stateNonZeroSize; 1065 // If we know the two buffers are the same, we know the result is 0. 1066 // First, get the two buffers' addresses. Another checker will have already 1067 // made sure they're not undefined. 1068 DefinedOrUnknownSVal LV = 1069 cast<DefinedOrUnknownSVal>(state->getSVal(Left, LCtx)); 1070 DefinedOrUnknownSVal RV = 1071 cast<DefinedOrUnknownSVal>(state->getSVal(Right, LCtx)); 1072 1073 // See if they are the same. 1074 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 1075 ProgramStateRef StSameBuf, StNotSameBuf; 1076 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 1077 1078 // If the two arguments might be the same buffer, we know the result is 0, 1079 // and we only need to check one size. 1080 if (StSameBuf) { 1081 state = StSameBuf; 1082 state = CheckBufferAccess(C, state, Size, Left); 1083 if (state) { 1084 state = StSameBuf->BindExpr(CE, LCtx, 1085 svalBuilder.makeZeroVal(CE->getType())); 1086 C.addTransition(state); 1087 } 1088 } 1089 1090 // If the two arguments might be different buffers, we have to check the 1091 // size of both of them. 1092 if (StNotSameBuf) { 1093 state = StNotSameBuf; 1094 state = CheckBufferAccess(C, state, Size, Left, Right); 1095 if (state) { 1096 // The return value is the comparison result, which we don't know. 1097 unsigned Count = C.getCurrentBlockCount(); 1098 SVal CmpV = svalBuilder.getConjuredSymbolVal(NULL, CE, LCtx, Count); 1099 state = state->BindExpr(CE, LCtx, CmpV); 1100 C.addTransition(state); 1101 } 1102 } 1103 } 1104} 1105 1106void CStringChecker::evalstrLength(CheckerContext &C, 1107 const CallExpr *CE) const { 1108 if (CE->getNumArgs() < 1) 1109 return; 1110 1111 // size_t strlen(const char *s); 1112 evalstrLengthCommon(C, CE, /* IsStrnlen = */ false); 1113} 1114 1115void CStringChecker::evalstrnLength(CheckerContext &C, 1116 const CallExpr *CE) const { 1117 if (CE->getNumArgs() < 2) 1118 return; 1119 1120 // size_t strnlen(const char *s, size_t maxlen); 1121 evalstrLengthCommon(C, CE, /* IsStrnlen = */ true); 1122} 1123 1124void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE, 1125 bool IsStrnlen) const { 1126 CurrentFunctionDescription = "string length function"; 1127 ProgramStateRef state = C.getState(); 1128 const LocationContext *LCtx = C.getLocationContext(); 1129 1130 if (IsStrnlen) { 1131 const Expr *maxlenExpr = CE->getArg(1); 1132 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); 1133 1134 ProgramStateRef stateZeroSize, stateNonZeroSize; 1135 llvm::tie(stateZeroSize, stateNonZeroSize) = 1136 assumeZero(C, state, maxlenVal, maxlenExpr->getType()); 1137 1138 // If the size can be zero, the result will be 0 in that case, and we don't 1139 // have to check the string itself. 1140 if (stateZeroSize) { 1141 SVal zero = C.getSValBuilder().makeZeroVal(CE->getType()); 1142 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero); 1143 C.addTransition(stateZeroSize); 1144 } 1145 1146 // If the size is GUARANTEED to be zero, we're done! 1147 if (!stateNonZeroSize) 1148 return; 1149 1150 // Otherwise, record the assumption that the size is nonzero. 1151 state = stateNonZeroSize; 1152 } 1153 1154 // Check that the string argument is non-null. 1155 const Expr *Arg = CE->getArg(0); 1156 SVal ArgVal = state->getSVal(Arg, LCtx); 1157 1158 state = checkNonNull(C, state, Arg, ArgVal); 1159 1160 if (!state) 1161 return; 1162 1163 SVal strLength = getCStringLength(C, state, Arg, ArgVal); 1164 1165 // If the argument isn't a valid C string, there's no valid state to 1166 // transition to. 1167 if (strLength.isUndef()) 1168 return; 1169 1170 DefinedOrUnknownSVal result = UnknownVal(); 1171 1172 // If the check is for strnlen() then bind the return value to no more than 1173 // the maxlen value. 1174 if (IsStrnlen) { 1175 QualType cmpTy = C.getSValBuilder().getConditionType(); 1176 1177 // It's a little unfortunate to be getting this again, 1178 // but it's not that expensive... 1179 const Expr *maxlenExpr = CE->getArg(1); 1180 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); 1181 1182 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 1183 NonLoc *maxlenValNL = dyn_cast<NonLoc>(&maxlenVal); 1184 1185 if (strLengthNL && maxlenValNL) { 1186 ProgramStateRef stateStringTooLong, stateStringNotTooLong; 1187 1188 // Check if the strLength is greater than the maxlen. 1189 llvm::tie(stateStringTooLong, stateStringNotTooLong) = 1190 state->assume(cast<DefinedOrUnknownSVal> 1191 (C.getSValBuilder().evalBinOpNN(state, BO_GT, 1192 *strLengthNL, 1193 *maxlenValNL, 1194 cmpTy))); 1195 1196 if (stateStringTooLong && !stateStringNotTooLong) { 1197 // If the string is longer than maxlen, return maxlen. 1198 result = *maxlenValNL; 1199 } else if (stateStringNotTooLong && !stateStringTooLong) { 1200 // If the string is shorter than maxlen, return its length. 1201 result = *strLengthNL; 1202 } 1203 } 1204 1205 if (result.isUnknown()) { 1206 // If we don't have enough information for a comparison, there's 1207 // no guarantee the full string length will actually be returned. 1208 // All we know is the return value is the min of the string length 1209 // and the limit. This is better than nothing. 1210 unsigned Count = C.getCurrentBlockCount(); 1211 result = C.getSValBuilder().getConjuredSymbolVal(NULL, CE, LCtx, Count); 1212 NonLoc *resultNL = cast<NonLoc>(&result); 1213 1214 if (strLengthNL) { 1215 state = state->assume(cast<DefinedOrUnknownSVal> 1216 (C.getSValBuilder().evalBinOpNN(state, BO_LE, 1217 *resultNL, 1218 *strLengthNL, 1219 cmpTy)), true); 1220 } 1221 1222 if (maxlenValNL) { 1223 state = state->assume(cast<DefinedOrUnknownSVal> 1224 (C.getSValBuilder().evalBinOpNN(state, BO_LE, 1225 *resultNL, 1226 *maxlenValNL, 1227 cmpTy)), true); 1228 } 1229 } 1230 1231 } else { 1232 // This is a plain strlen(), not strnlen(). 1233 result = cast<DefinedOrUnknownSVal>(strLength); 1234 1235 // If we don't know the length of the string, conjure a return 1236 // value, so it can be used in constraints, at least. 1237 if (result.isUnknown()) { 1238 unsigned Count = C.getCurrentBlockCount(); 1239 result = C.getSValBuilder().getConjuredSymbolVal(NULL, CE, LCtx, Count); 1240 } 1241 } 1242 1243 // Bind the return value. 1244 assert(!result.isUnknown() && "Should have conjured a value by now"); 1245 state = state->BindExpr(CE, LCtx, result); 1246 C.addTransition(state); 1247} 1248 1249void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const { 1250 if (CE->getNumArgs() < 2) 1251 return; 1252 1253 // char *strcpy(char *restrict dst, const char *restrict src); 1254 evalStrcpyCommon(C, CE, 1255 /* returnEnd = */ false, 1256 /* isBounded = */ false, 1257 /* isAppending = */ false); 1258} 1259 1260void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const { 1261 if (CE->getNumArgs() < 3) 1262 return; 1263 1264 // char *strncpy(char *restrict dst, const char *restrict src, size_t n); 1265 evalStrcpyCommon(C, CE, 1266 /* returnEnd = */ false, 1267 /* isBounded = */ true, 1268 /* isAppending = */ false); 1269} 1270 1271void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const { 1272 if (CE->getNumArgs() < 2) 1273 return; 1274 1275 // char *stpcpy(char *restrict dst, const char *restrict src); 1276 evalStrcpyCommon(C, CE, 1277 /* returnEnd = */ true, 1278 /* isBounded = */ false, 1279 /* isAppending = */ false); 1280} 1281 1282void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const { 1283 if (CE->getNumArgs() < 2) 1284 return; 1285 1286 //char *strcat(char *restrict s1, const char *restrict s2); 1287 evalStrcpyCommon(C, CE, 1288 /* returnEnd = */ false, 1289 /* isBounded = */ false, 1290 /* isAppending = */ true); 1291} 1292 1293void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const { 1294 if (CE->getNumArgs() < 3) 1295 return; 1296 1297 //char *strncat(char *restrict s1, const char *restrict s2, size_t n); 1298 evalStrcpyCommon(C, CE, 1299 /* returnEnd = */ false, 1300 /* isBounded = */ true, 1301 /* isAppending = */ true); 1302} 1303 1304void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, 1305 bool returnEnd, bool isBounded, 1306 bool isAppending) const { 1307 CurrentFunctionDescription = "string copy function"; 1308 ProgramStateRef state = C.getState(); 1309 const LocationContext *LCtx = C.getLocationContext(); 1310 1311 // Check that the destination is non-null. 1312 const Expr *Dst = CE->getArg(0); 1313 SVal DstVal = state->getSVal(Dst, LCtx); 1314 1315 state = checkNonNull(C, state, Dst, DstVal); 1316 if (!state) 1317 return; 1318 1319 // Check that the source is non-null. 1320 const Expr *srcExpr = CE->getArg(1); 1321 SVal srcVal = state->getSVal(srcExpr, LCtx); 1322 state = checkNonNull(C, state, srcExpr, srcVal); 1323 if (!state) 1324 return; 1325 1326 // Get the string length of the source. 1327 SVal strLength = getCStringLength(C, state, srcExpr, srcVal); 1328 1329 // If the source isn't a valid C string, give up. 1330 if (strLength.isUndef()) 1331 return; 1332 1333 SValBuilder &svalBuilder = C.getSValBuilder(); 1334 QualType cmpTy = svalBuilder.getConditionType(); 1335 QualType sizeTy = svalBuilder.getContext().getSizeType(); 1336 1337 // These two values allow checking two kinds of errors: 1338 // - actual overflows caused by a source that doesn't fit in the destination 1339 // - potential overflows caused by a bound that could exceed the destination 1340 SVal amountCopied = UnknownVal(); 1341 SVal maxLastElementIndex = UnknownVal(); 1342 const char *boundWarning = NULL; 1343 1344 // If the function is strncpy, strncat, etc... it is bounded. 1345 if (isBounded) { 1346 // Get the max number of characters to copy. 1347 const Expr *lenExpr = CE->getArg(2); 1348 SVal lenVal = state->getSVal(lenExpr, LCtx); 1349 1350 // Protect against misdeclared strncpy(). 1351 lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType()); 1352 1353 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 1354 NonLoc *lenValNL = dyn_cast<NonLoc>(&lenVal); 1355 1356 // If we know both values, we might be able to figure out how much 1357 // we're copying. 1358 if (strLengthNL && lenValNL) { 1359 ProgramStateRef stateSourceTooLong, stateSourceNotTooLong; 1360 1361 // Check if the max number to copy is less than the length of the src. 1362 // If the bound is equal to the source length, strncpy won't null- 1363 // terminate the result! 1364 llvm::tie(stateSourceTooLong, stateSourceNotTooLong) = 1365 state->assume(cast<DefinedOrUnknownSVal> 1366 (svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, 1367 *lenValNL, cmpTy))); 1368 1369 if (stateSourceTooLong && !stateSourceNotTooLong) { 1370 // Max number to copy is less than the length of the src, so the actual 1371 // strLength copied is the max number arg. 1372 state = stateSourceTooLong; 1373 amountCopied = lenVal; 1374 1375 } else if (!stateSourceTooLong && stateSourceNotTooLong) { 1376 // The source buffer entirely fits in the bound. 1377 state = stateSourceNotTooLong; 1378 amountCopied = strLength; 1379 } 1380 } 1381 1382 // We still want to know if the bound is known to be too large. 1383 if (lenValNL) { 1384 if (isAppending) { 1385 // For strncat, the check is strlen(dst) + lenVal < sizeof(dst) 1386 1387 // Get the string length of the destination. If the destination is 1388 // memory that can't have a string length, we shouldn't be copying 1389 // into it anyway. 1390 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1391 if (dstStrLength.isUndef()) 1392 return; 1393 1394 if (NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength)) { 1395 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add, 1396 *lenValNL, 1397 *dstStrLengthNL, 1398 sizeTy); 1399 boundWarning = "Size argument is greater than the free space in the " 1400 "destination buffer"; 1401 } 1402 1403 } else { 1404 // For strncpy, this is just checking that lenVal <= sizeof(dst) 1405 // (Yes, strncpy and strncat differ in how they treat termination. 1406 // strncat ALWAYS terminates, but strncpy doesn't.) 1407 1408 // We need a special case for when the copy size is zero, in which 1409 // case strncpy will do no work at all. Our bounds check uses n-1 1410 // as the last element accessed, so n == 0 is problematic. 1411 ProgramStateRef StateZeroSize, StateNonZeroSize; 1412 llvm::tie(StateZeroSize, StateNonZeroSize) = 1413 assumeZero(C, state, *lenValNL, sizeTy); 1414 1415 // If the size is known to be zero, we're done. 1416 if (StateZeroSize && !StateNonZeroSize) { 1417 StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal); 1418 C.addTransition(StateZeroSize); 1419 return; 1420 } 1421 1422 // Otherwise, go ahead and figure out the last element we'll touch. 1423 // We don't record the non-zero assumption here because we can't 1424 // be sure. We won't warn on a possible zero. 1425 NonLoc one = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy)); 1426 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, 1427 one, sizeTy); 1428 boundWarning = "Size argument is greater than the length of the " 1429 "destination buffer"; 1430 } 1431 } 1432 1433 // If we couldn't pin down the copy length, at least bound it. 1434 // FIXME: We should actually run this code path for append as well, but 1435 // right now it creates problems with constraints (since we can end up 1436 // trying to pass constraints from symbol to symbol). 1437 if (amountCopied.isUnknown() && !isAppending) { 1438 // Try to get a "hypothetical" string length symbol, which we can later 1439 // set as a real value if that turns out to be the case. 1440 amountCopied = getCStringLength(C, state, lenExpr, srcVal, true); 1441 assert(!amountCopied.isUndef()); 1442 1443 if (NonLoc *amountCopiedNL = dyn_cast<NonLoc>(&amountCopied)) { 1444 if (lenValNL) { 1445 // amountCopied <= lenVal 1446 SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE, 1447 *amountCopiedNL, 1448 *lenValNL, 1449 cmpTy); 1450 state = state->assume(cast<DefinedOrUnknownSVal>(copiedLessThanBound), 1451 true); 1452 if (!state) 1453 return; 1454 } 1455 1456 if (strLengthNL) { 1457 // amountCopied <= strlen(source) 1458 SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE, 1459 *amountCopiedNL, 1460 *strLengthNL, 1461 cmpTy); 1462 state = state->assume(cast<DefinedOrUnknownSVal>(copiedLessThanSrc), 1463 true); 1464 if (!state) 1465 return; 1466 } 1467 } 1468 } 1469 1470 } else { 1471 // The function isn't bounded. The amount copied should match the length 1472 // of the source buffer. 1473 amountCopied = strLength; 1474 } 1475 1476 assert(state); 1477 1478 // This represents the number of characters copied into the destination 1479 // buffer. (It may not actually be the strlen if the destination buffer 1480 // is not terminated.) 1481 SVal finalStrLength = UnknownVal(); 1482 1483 // If this is an appending function (strcat, strncat...) then set the 1484 // string length to strlen(src) + strlen(dst) since the buffer will 1485 // ultimately contain both. 1486 if (isAppending) { 1487 // Get the string length of the destination. If the destination is memory 1488 // that can't have a string length, we shouldn't be copying into it anyway. 1489 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1490 if (dstStrLength.isUndef()) 1491 return; 1492 1493 NonLoc *srcStrLengthNL = dyn_cast<NonLoc>(&amountCopied); 1494 NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength); 1495 1496 // If we know both string lengths, we might know the final string length. 1497 if (srcStrLengthNL && dstStrLengthNL) { 1498 // Make sure the two lengths together don't overflow a size_t. 1499 state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL); 1500 if (!state) 1501 return; 1502 1503 finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL, 1504 *dstStrLengthNL, sizeTy); 1505 } 1506 1507 // If we couldn't get a single value for the final string length, 1508 // we can at least bound it by the individual lengths. 1509 if (finalStrLength.isUnknown()) { 1510 // Try to get a "hypothetical" string length symbol, which we can later 1511 // set as a real value if that turns out to be the case. 1512 finalStrLength = getCStringLength(C, state, CE, DstVal, true); 1513 assert(!finalStrLength.isUndef()); 1514 1515 if (NonLoc *finalStrLengthNL = dyn_cast<NonLoc>(&finalStrLength)) { 1516 if (srcStrLengthNL) { 1517 // finalStrLength >= srcStrLength 1518 SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE, 1519 *finalStrLengthNL, 1520 *srcStrLengthNL, 1521 cmpTy); 1522 state = state->assume(cast<DefinedOrUnknownSVal>(sourceInResult), 1523 true); 1524 if (!state) 1525 return; 1526 } 1527 1528 if (dstStrLengthNL) { 1529 // finalStrLength >= dstStrLength 1530 SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE, 1531 *finalStrLengthNL, 1532 *dstStrLengthNL, 1533 cmpTy); 1534 state = state->assume(cast<DefinedOrUnknownSVal>(destInResult), 1535 true); 1536 if (!state) 1537 return; 1538 } 1539 } 1540 } 1541 1542 } else { 1543 // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and 1544 // the final string length will match the input string length. 1545 finalStrLength = amountCopied; 1546 } 1547 1548 // The final result of the function will either be a pointer past the last 1549 // copied element, or a pointer to the start of the destination buffer. 1550 SVal Result = (returnEnd ? UnknownVal() : DstVal); 1551 1552 assert(state); 1553 1554 // If the destination is a MemRegion, try to check for a buffer overflow and 1555 // record the new string length. 1556 if (loc::MemRegionVal *dstRegVal = dyn_cast<loc::MemRegionVal>(&DstVal)) { 1557 QualType ptrTy = Dst->getType(); 1558 1559 // If we have an exact value on a bounded copy, use that to check for 1560 // overflows, rather than our estimate about how much is actually copied. 1561 if (boundWarning) { 1562 if (NonLoc *maxLastNL = dyn_cast<NonLoc>(&maxLastElementIndex)) { 1563 SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, 1564 *maxLastNL, ptrTy); 1565 state = CheckLocation(C, state, CE->getArg(2), maxLastElement, 1566 boundWarning); 1567 if (!state) 1568 return; 1569 } 1570 } 1571 1572 // Then, if the final length is known... 1573 if (NonLoc *knownStrLength = dyn_cast<NonLoc>(&finalStrLength)) { 1574 SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, 1575 *knownStrLength, ptrTy); 1576 1577 // ...and we haven't checked the bound, we'll check the actual copy. 1578 if (!boundWarning) { 1579 const char * const warningMsg = 1580 "String copy function overflows destination buffer"; 1581 state = CheckLocation(C, state, Dst, lastElement, warningMsg); 1582 if (!state) 1583 return; 1584 } 1585 1586 // If this is a stpcpy-style copy, the last element is the return value. 1587 if (returnEnd) 1588 Result = lastElement; 1589 } 1590 1591 // Invalidate the destination. This must happen before we set the C string 1592 // length because invalidation will clear the length. 1593 // FIXME: Even if we can't perfectly model the copy, we should see if we 1594 // can use LazyCompoundVals to copy the source values into the destination. 1595 // This would probably remove any existing bindings past the end of the 1596 // string, but that's still an improvement over blank invalidation. 1597 state = InvalidateBuffer(C, state, Dst, *dstRegVal); 1598 1599 // Set the C string length of the destination, if we know it. 1600 if (isBounded && !isAppending) { 1601 // strncpy is annoying in that it doesn't guarantee to null-terminate 1602 // the result string. If the original string didn't fit entirely inside 1603 // the bound (including the null-terminator), we don't know how long the 1604 // result is. 1605 if (amountCopied != strLength) 1606 finalStrLength = UnknownVal(); 1607 } 1608 state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength); 1609 } 1610 1611 assert(state); 1612 1613 // If this is a stpcpy-style copy, but we were unable to check for a buffer 1614 // overflow, we still need a result. Conjure a return value. 1615 if (returnEnd && Result.isUnknown()) { 1616 unsigned Count = C.getCurrentBlockCount(); 1617 Result = svalBuilder.getConjuredSymbolVal(NULL, CE, LCtx, Count); 1618 } 1619 1620 // Set the return value. 1621 state = state->BindExpr(CE, LCtx, Result); 1622 C.addTransition(state); 1623} 1624 1625void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const { 1626 if (CE->getNumArgs() < 2) 1627 return; 1628 1629 //int strcmp(const char *s1, const char *s2); 1630 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false); 1631} 1632 1633void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const { 1634 if (CE->getNumArgs() < 3) 1635 return; 1636 1637 //int strncmp(const char *s1, const char *s2, size_t n); 1638 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false); 1639} 1640 1641void CStringChecker::evalStrcasecmp(CheckerContext &C, 1642 const CallExpr *CE) const { 1643 if (CE->getNumArgs() < 2) 1644 return; 1645 1646 //int strcasecmp(const char *s1, const char *s2); 1647 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true); 1648} 1649 1650void CStringChecker::evalStrncasecmp(CheckerContext &C, 1651 const CallExpr *CE) const { 1652 if (CE->getNumArgs() < 3) 1653 return; 1654 1655 //int strncasecmp(const char *s1, const char *s2, size_t n); 1656 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true); 1657} 1658 1659void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, 1660 bool isBounded, bool ignoreCase) const { 1661 CurrentFunctionDescription = "string comparison function"; 1662 ProgramStateRef state = C.getState(); 1663 const LocationContext *LCtx = C.getLocationContext(); 1664 1665 // Check that the first string is non-null 1666 const Expr *s1 = CE->getArg(0); 1667 SVal s1Val = state->getSVal(s1, LCtx); 1668 state = checkNonNull(C, state, s1, s1Val); 1669 if (!state) 1670 return; 1671 1672 // Check that the second string is non-null. 1673 const Expr *s2 = CE->getArg(1); 1674 SVal s2Val = state->getSVal(s2, LCtx); 1675 state = checkNonNull(C, state, s2, s2Val); 1676 if (!state) 1677 return; 1678 1679 // Get the string length of the first string or give up. 1680 SVal s1Length = getCStringLength(C, state, s1, s1Val); 1681 if (s1Length.isUndef()) 1682 return; 1683 1684 // Get the string length of the second string or give up. 1685 SVal s2Length = getCStringLength(C, state, s2, s2Val); 1686 if (s2Length.isUndef()) 1687 return; 1688 1689 // If we know the two buffers are the same, we know the result is 0. 1690 // First, get the two buffers' addresses. Another checker will have already 1691 // made sure they're not undefined. 1692 DefinedOrUnknownSVal LV = cast<DefinedOrUnknownSVal>(s1Val); 1693 DefinedOrUnknownSVal RV = cast<DefinedOrUnknownSVal>(s2Val); 1694 1695 // See if they are the same. 1696 SValBuilder &svalBuilder = C.getSValBuilder(); 1697 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 1698 ProgramStateRef StSameBuf, StNotSameBuf; 1699 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 1700 1701 // If the two arguments might be the same buffer, we know the result is 0, 1702 // and we only need to check one size. 1703 if (StSameBuf) { 1704 StSameBuf = StSameBuf->BindExpr(CE, LCtx, 1705 svalBuilder.makeZeroVal(CE->getType())); 1706 C.addTransition(StSameBuf); 1707 1708 // If the two arguments are GUARANTEED to be the same, we're done! 1709 if (!StNotSameBuf) 1710 return; 1711 } 1712 1713 assert(StNotSameBuf); 1714 state = StNotSameBuf; 1715 1716 // At this point we can go about comparing the two buffers. 1717 // For now, we only do this if they're both known string literals. 1718 1719 // Attempt to extract string literals from both expressions. 1720 const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val); 1721 const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val); 1722 bool canComputeResult = false; 1723 1724 if (s1StrLiteral && s2StrLiteral) { 1725 StringRef s1StrRef = s1StrLiteral->getString(); 1726 StringRef s2StrRef = s2StrLiteral->getString(); 1727 1728 if (isBounded) { 1729 // Get the max number of characters to compare. 1730 const Expr *lenExpr = CE->getArg(2); 1731 SVal lenVal = state->getSVal(lenExpr, LCtx); 1732 1733 // If the length is known, we can get the right substrings. 1734 if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) { 1735 // Create substrings of each to compare the prefix. 1736 s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue()); 1737 s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue()); 1738 canComputeResult = true; 1739 } 1740 } else { 1741 // This is a normal, unbounded strcmp. 1742 canComputeResult = true; 1743 } 1744 1745 if (canComputeResult) { 1746 // Real strcmp stops at null characters. 1747 size_t s1Term = s1StrRef.find('\0'); 1748 if (s1Term != StringRef::npos) 1749 s1StrRef = s1StrRef.substr(0, s1Term); 1750 1751 size_t s2Term = s2StrRef.find('\0'); 1752 if (s2Term != StringRef::npos) 1753 s2StrRef = s2StrRef.substr(0, s2Term); 1754 1755 // Use StringRef's comparison methods to compute the actual result. 1756 int result; 1757 1758 if (ignoreCase) { 1759 // Compare string 1 to string 2 the same way strcasecmp() does. 1760 result = s1StrRef.compare_lower(s2StrRef); 1761 } else { 1762 // Compare string 1 to string 2 the same way strcmp() does. 1763 result = s1StrRef.compare(s2StrRef); 1764 } 1765 1766 // Build the SVal of the comparison and bind the return value. 1767 SVal resultVal = svalBuilder.makeIntVal(result, CE->getType()); 1768 state = state->BindExpr(CE, LCtx, resultVal); 1769 } 1770 } 1771 1772 if (!canComputeResult) { 1773 // Conjure a symbolic value. It's the best we can do. 1774 unsigned Count = C.getCurrentBlockCount(); 1775 SVal resultVal = svalBuilder.getConjuredSymbolVal(NULL, CE, LCtx, Count); 1776 state = state->BindExpr(CE, LCtx, resultVal); 1777 } 1778 1779 // Record this as a possible path. 1780 C.addTransition(state); 1781} 1782 1783//===----------------------------------------------------------------------===// 1784// The driver method, and other Checker callbacks. 1785//===----------------------------------------------------------------------===// 1786 1787bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { 1788 const FunctionDecl *FDecl = C.getCalleeDecl(CE); 1789 1790 if (!FDecl) 1791 return false; 1792 1793 FnCheck evalFunction = 0; 1794 if (C.isCLibraryFunction(FDecl, "memcpy")) 1795 evalFunction = &CStringChecker::evalMemcpy; 1796 else if (C.isCLibraryFunction(FDecl, "mempcpy")) 1797 evalFunction = &CStringChecker::evalMempcpy; 1798 else if (C.isCLibraryFunction(FDecl, "memcmp")) 1799 evalFunction = &CStringChecker::evalMemcmp; 1800 else if (C.isCLibraryFunction(FDecl, "memmove")) 1801 evalFunction = &CStringChecker::evalMemmove; 1802 else if (C.isCLibraryFunction(FDecl, "strcpy")) 1803 evalFunction = &CStringChecker::evalStrcpy; 1804 else if (C.isCLibraryFunction(FDecl, "strncpy")) 1805 evalFunction = &CStringChecker::evalStrncpy; 1806 else if (C.isCLibraryFunction(FDecl, "stpcpy")) 1807 evalFunction = &CStringChecker::evalStpcpy; 1808 else if (C.isCLibraryFunction(FDecl, "strcat")) 1809 evalFunction = &CStringChecker::evalStrcat; 1810 else if (C.isCLibraryFunction(FDecl, "strncat")) 1811 evalFunction = &CStringChecker::evalStrncat; 1812 else if (C.isCLibraryFunction(FDecl, "strlen")) 1813 evalFunction = &CStringChecker::evalstrLength; 1814 else if (C.isCLibraryFunction(FDecl, "strnlen")) 1815 evalFunction = &CStringChecker::evalstrnLength; 1816 else if (C.isCLibraryFunction(FDecl, "strcmp")) 1817 evalFunction = &CStringChecker::evalStrcmp; 1818 else if (C.isCLibraryFunction(FDecl, "strncmp")) 1819 evalFunction = &CStringChecker::evalStrncmp; 1820 else if (C.isCLibraryFunction(FDecl, "strcasecmp")) 1821 evalFunction = &CStringChecker::evalStrcasecmp; 1822 else if (C.isCLibraryFunction(FDecl, "strncasecmp")) 1823 evalFunction = &CStringChecker::evalStrncasecmp; 1824 else if (C.isCLibraryFunction(FDecl, "bcopy")) 1825 evalFunction = &CStringChecker::evalBcopy; 1826 else if (C.isCLibraryFunction(FDecl, "bcmp")) 1827 evalFunction = &CStringChecker::evalMemcmp; 1828 1829 // If the callee isn't a string function, let another checker handle it. 1830 if (!evalFunction) 1831 return false; 1832 1833 // Make sure each function sets its own description. 1834 // (But don't bother in a release build.) 1835 assert(!(CurrentFunctionDescription = NULL)); 1836 1837 // Check and evaluate the call. 1838 (this->*evalFunction)(C, CE); 1839 1840 // If the evaluate call resulted in no change, chain to the next eval call 1841 // handler. 1842 // Note, the custom CString evaluation calls assume that basic safety 1843 // properties are held. However, if the user chooses to turn off some of these 1844 // checks, we ignore the issues and leave the call evaluation to a generic 1845 // handler. 1846 if (!C.isDifferent()) 1847 return false; 1848 1849 return true; 1850} 1851 1852void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const { 1853 // Record string length for char a[] = "abc"; 1854 ProgramStateRef state = C.getState(); 1855 1856 for (DeclStmt::const_decl_iterator I = DS->decl_begin(), E = DS->decl_end(); 1857 I != E; ++I) { 1858 const VarDecl *D = dyn_cast<VarDecl>(*I); 1859 if (!D) 1860 continue; 1861 1862 // FIXME: Handle array fields of structs. 1863 if (!D->getType()->isArrayType()) 1864 continue; 1865 1866 const Expr *Init = D->getInit(); 1867 if (!Init) 1868 continue; 1869 if (!isa<StringLiteral>(Init)) 1870 continue; 1871 1872 Loc VarLoc = state->getLValue(D, C.getLocationContext()); 1873 const MemRegion *MR = VarLoc.getAsRegion(); 1874 if (!MR) 1875 continue; 1876 1877 SVal StrVal = state->getSVal(Init, C.getLocationContext()); 1878 assert(StrVal.isValid() && "Initializer string is unknown or undefined"); 1879 DefinedOrUnknownSVal strLength 1880 = cast<DefinedOrUnknownSVal>(getCStringLength(C, state, Init, StrVal)); 1881 1882 state = state->set<CStringLength>(MR, strLength); 1883 } 1884 1885 C.addTransition(state); 1886} 1887 1888bool CStringChecker::wantsRegionChangeUpdate(ProgramStateRef state) const { 1889 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1890 return !Entries.isEmpty(); 1891} 1892 1893ProgramStateRef 1894CStringChecker::checkRegionChanges(ProgramStateRef state, 1895 const StoreManager::InvalidatedSymbols *, 1896 ArrayRef<const MemRegion *> ExplicitRegions, 1897 ArrayRef<const MemRegion *> Regions, 1898 const CallEvent *Call) const { 1899 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1900 if (Entries.isEmpty()) 1901 return state; 1902 1903 llvm::SmallPtrSet<const MemRegion *, 8> Invalidated; 1904 llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions; 1905 1906 // First build sets for the changed regions and their super-regions. 1907 for (ArrayRef<const MemRegion *>::iterator 1908 I = Regions.begin(), E = Regions.end(); I != E; ++I) { 1909 const MemRegion *MR = *I; 1910 Invalidated.insert(MR); 1911 1912 SuperRegions.insert(MR); 1913 while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) { 1914 MR = SR->getSuperRegion(); 1915 SuperRegions.insert(MR); 1916 } 1917 } 1918 1919 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>(); 1920 1921 // Then loop over the entries in the current state. 1922 for (CStringLength::EntryMap::iterator I = Entries.begin(), 1923 E = Entries.end(); I != E; ++I) { 1924 const MemRegion *MR = I.getKey(); 1925 1926 // Is this entry for a super-region of a changed region? 1927 if (SuperRegions.count(MR)) { 1928 Entries = F.remove(Entries, MR); 1929 continue; 1930 } 1931 1932 // Is this entry for a sub-region of a changed region? 1933 const MemRegion *Super = MR; 1934 while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) { 1935 Super = SR->getSuperRegion(); 1936 if (Invalidated.count(Super)) { 1937 Entries = F.remove(Entries, MR); 1938 break; 1939 } 1940 } 1941 } 1942 1943 return state->set<CStringLength>(Entries); 1944} 1945 1946void CStringChecker::checkLiveSymbols(ProgramStateRef state, 1947 SymbolReaper &SR) const { 1948 // Mark all symbols in our string length map as valid. 1949 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1950 1951 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end(); 1952 I != E; ++I) { 1953 SVal Len = I.getData(); 1954 1955 for (SymExpr::symbol_iterator si = Len.symbol_begin(), 1956 se = Len.symbol_end(); si != se; ++si) 1957 SR.markInUse(*si); 1958 } 1959} 1960 1961void CStringChecker::checkDeadSymbols(SymbolReaper &SR, 1962 CheckerContext &C) const { 1963 if (!SR.hasDeadSymbols()) 1964 return; 1965 1966 ProgramStateRef state = C.getState(); 1967 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1968 if (Entries.isEmpty()) 1969 return; 1970 1971 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>(); 1972 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end(); 1973 I != E; ++I) { 1974 SVal Len = I.getData(); 1975 if (SymbolRef Sym = Len.getAsSymbol()) { 1976 if (SR.isDead(Sym)) 1977 Entries = F.remove(Entries, I.getKey()); 1978 } 1979 } 1980 1981 state = state->set<CStringLength>(Entries); 1982 C.addTransition(state); 1983} 1984 1985#define REGISTER_CHECKER(name) \ 1986void ento::register##name(CheckerManager &mgr) {\ 1987 static CStringChecker *TheChecker = 0; \ 1988 if (TheChecker == 0) \ 1989 TheChecker = mgr.registerChecker<CStringChecker>(); \ 1990 TheChecker->Filter.Check##name = true; \ 1991} 1992 1993REGISTER_CHECKER(CStringNullArg) 1994REGISTER_CHECKER(CStringOutOfBounds) 1995REGISTER_CHECKER(CStringBufferOverlap) 1996REGISTER_CHECKER(CStringNotNullTerm) 1997 1998void ento::registerCStringCheckerBasic(CheckerManager &Mgr) { 1999 registerCStringNullArg(Mgr); 2000} 2001