CStringChecker.cpp revision a728e927c6e58f26b2c8615a8baa761d2f157e4b
1//= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This defines CStringChecker, which is an assortment of checks on calls 11// to functions in <string.h>. 12// 13//===----------------------------------------------------------------------===// 14 15#include "ClangSACheckers.h" 16#include "InterCheckerAPI.h" 17#include "clang/Basic/CharInfo.h" 18#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 19#include "clang/StaticAnalyzer/Core/Checker.h" 20#include "clang/StaticAnalyzer/Core/CheckerManager.h" 21#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 22#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 23#include "llvm/ADT/STLExtras.h" 24#include "llvm/ADT/SmallString.h" 25#include "llvm/ADT/StringSwitch.h" 26#include "llvm/Support/raw_ostream.h" 27 28using namespace clang; 29using namespace ento; 30 31namespace { 32class CStringChecker : public Checker< eval::Call, 33 check::PreStmt<DeclStmt>, 34 check::LiveSymbols, 35 check::DeadSymbols, 36 check::RegionChanges 37 > { 38 mutable OwningPtr<BugType> BT_Null, 39 BT_Bounds, 40 BT_Overlap, 41 BT_NotCString, 42 BT_AdditionOverflow; 43 44 mutable const char *CurrentFunctionDescription; 45 46public: 47 /// The filter is used to filter out the diagnostics which are not enabled by 48 /// the user. 49 struct CStringChecksFilter { 50 DefaultBool CheckCStringNullArg; 51 DefaultBool CheckCStringOutOfBounds; 52 DefaultBool CheckCStringBufferOverlap; 53 DefaultBool CheckCStringNotNullTerm; 54 }; 55 56 CStringChecksFilter Filter; 57 58 static void *getTag() { static int tag; return &tag; } 59 60 bool evalCall(const CallExpr *CE, CheckerContext &C) const; 61 void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; 62 void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const; 63 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; 64 bool wantsRegionChangeUpdate(ProgramStateRef state) const; 65 66 ProgramStateRef 67 checkRegionChanges(ProgramStateRef state, 68 const InvalidatedSymbols *, 69 ArrayRef<const MemRegion *> ExplicitRegions, 70 ArrayRef<const MemRegion *> Regions, 71 const CallEvent *Call) const; 72 73 typedef void (CStringChecker::*FnCheck)(CheckerContext &, 74 const CallExpr *) const; 75 76 void evalMemcpy(CheckerContext &C, const CallExpr *CE) const; 77 void evalMempcpy(CheckerContext &C, const CallExpr *CE) const; 78 void evalMemmove(CheckerContext &C, const CallExpr *CE) const; 79 void evalBcopy(CheckerContext &C, const CallExpr *CE) const; 80 void evalCopyCommon(CheckerContext &C, const CallExpr *CE, 81 ProgramStateRef state, 82 const Expr *Size, 83 const Expr *Source, 84 const Expr *Dest, 85 bool Restricted = false, 86 bool IsMempcpy = false) const; 87 88 void evalMemcmp(CheckerContext &C, const CallExpr *CE) const; 89 90 void evalstrLength(CheckerContext &C, const CallExpr *CE) const; 91 void evalstrnLength(CheckerContext &C, const CallExpr *CE) const; 92 void evalstrLengthCommon(CheckerContext &C, 93 const CallExpr *CE, 94 bool IsStrnlen = false) const; 95 96 void evalStrcpy(CheckerContext &C, const CallExpr *CE) const; 97 void evalStrncpy(CheckerContext &C, const CallExpr *CE) const; 98 void evalStpcpy(CheckerContext &C, const CallExpr *CE) const; 99 void evalStrcpyCommon(CheckerContext &C, 100 const CallExpr *CE, 101 bool returnEnd, 102 bool isBounded, 103 bool isAppending) const; 104 105 void evalStrcat(CheckerContext &C, const CallExpr *CE) const; 106 void evalStrncat(CheckerContext &C, const CallExpr *CE) const; 107 108 void evalStrcmp(CheckerContext &C, const CallExpr *CE) const; 109 void evalStrncmp(CheckerContext &C, const CallExpr *CE) const; 110 void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const; 111 void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const; 112 void evalStrcmpCommon(CheckerContext &C, 113 const CallExpr *CE, 114 bool isBounded = false, 115 bool ignoreCase = false) const; 116 117 void evalStrsep(CheckerContext &C, const CallExpr *CE) const; 118 119 // Utility methods 120 std::pair<ProgramStateRef , ProgramStateRef > 121 static assumeZero(CheckerContext &C, 122 ProgramStateRef state, SVal V, QualType Ty); 123 124 static ProgramStateRef setCStringLength(ProgramStateRef state, 125 const MemRegion *MR, 126 SVal strLength); 127 static SVal getCStringLengthForRegion(CheckerContext &C, 128 ProgramStateRef &state, 129 const Expr *Ex, 130 const MemRegion *MR, 131 bool hypothetical); 132 SVal getCStringLength(CheckerContext &C, 133 ProgramStateRef &state, 134 const Expr *Ex, 135 SVal Buf, 136 bool hypothetical = false) const; 137 138 const StringLiteral *getCStringLiteral(CheckerContext &C, 139 ProgramStateRef &state, 140 const Expr *expr, 141 SVal val) const; 142 143 static ProgramStateRef InvalidateBuffer(CheckerContext &C, 144 ProgramStateRef state, 145 const Expr *Ex, SVal V); 146 147 static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx, 148 const MemRegion *MR); 149 150 // Re-usable checks 151 ProgramStateRef checkNonNull(CheckerContext &C, 152 ProgramStateRef state, 153 const Expr *S, 154 SVal l) const; 155 ProgramStateRef CheckLocation(CheckerContext &C, 156 ProgramStateRef state, 157 const Expr *S, 158 SVal l, 159 const char *message = NULL) const; 160 ProgramStateRef CheckBufferAccess(CheckerContext &C, 161 ProgramStateRef state, 162 const Expr *Size, 163 const Expr *FirstBuf, 164 const Expr *SecondBuf, 165 const char *firstMessage = NULL, 166 const char *secondMessage = NULL, 167 bool WarnAboutSize = false) const; 168 169 ProgramStateRef CheckBufferAccess(CheckerContext &C, 170 ProgramStateRef state, 171 const Expr *Size, 172 const Expr *Buf, 173 const char *message = NULL, 174 bool WarnAboutSize = false) const { 175 // This is a convenience override. 176 return CheckBufferAccess(C, state, Size, Buf, NULL, message, NULL, 177 WarnAboutSize); 178 } 179 ProgramStateRef CheckOverlap(CheckerContext &C, 180 ProgramStateRef state, 181 const Expr *Size, 182 const Expr *First, 183 const Expr *Second) const; 184 void emitOverlapBug(CheckerContext &C, 185 ProgramStateRef state, 186 const Stmt *First, 187 const Stmt *Second) const; 188 189 ProgramStateRef checkAdditionOverflow(CheckerContext &C, 190 ProgramStateRef state, 191 NonLoc left, 192 NonLoc right) const; 193}; 194 195} //end anonymous namespace 196 197REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal) 198 199//===----------------------------------------------------------------------===// 200// Individual checks and utility methods. 201//===----------------------------------------------------------------------===// 202 203std::pair<ProgramStateRef , ProgramStateRef > 204CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V, 205 QualType Ty) { 206 Optional<DefinedSVal> val = V.getAs<DefinedSVal>(); 207 if (!val) 208 return std::pair<ProgramStateRef , ProgramStateRef >(state, state); 209 210 SValBuilder &svalBuilder = C.getSValBuilder(); 211 DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty); 212 return state->assume(svalBuilder.evalEQ(state, *val, zero)); 213} 214 215ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C, 216 ProgramStateRef state, 217 const Expr *S, SVal l) const { 218 // If a previous check has failed, propagate the failure. 219 if (!state) 220 return NULL; 221 222 ProgramStateRef stateNull, stateNonNull; 223 llvm::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType()); 224 225 if (stateNull && !stateNonNull) { 226 if (!Filter.CheckCStringNullArg) 227 return NULL; 228 229 ExplodedNode *N = C.generateSink(stateNull); 230 if (!N) 231 return NULL; 232 233 if (!BT_Null) 234 BT_Null.reset(new BuiltinBug("Unix API", 235 "Null pointer argument in call to byte string function")); 236 237 SmallString<80> buf; 238 llvm::raw_svector_ostream os(buf); 239 assert(CurrentFunctionDescription); 240 os << "Null pointer argument in call to " << CurrentFunctionDescription; 241 242 // Generate a report for this bug. 243 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get()); 244 BugReport *report = new BugReport(*BT, os.str(), N); 245 246 report->addRange(S->getSourceRange()); 247 bugreporter::trackNullOrUndefValue(N, S, *report); 248 C.emitReport(report); 249 return NULL; 250 } 251 252 // From here on, assume that the value is non-null. 253 assert(stateNonNull); 254 return stateNonNull; 255} 256 257// FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor? 258ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C, 259 ProgramStateRef state, 260 const Expr *S, SVal l, 261 const char *warningMsg) const { 262 // If a previous check has failed, propagate the failure. 263 if (!state) 264 return NULL; 265 266 // Check for out of bound array element access. 267 const MemRegion *R = l.getAsRegion(); 268 if (!R) 269 return state; 270 271 const ElementRegion *ER = dyn_cast<ElementRegion>(R); 272 if (!ER) 273 return state; 274 275 assert(ER->getValueType() == C.getASTContext().CharTy && 276 "CheckLocation should only be called with char* ElementRegions"); 277 278 // Get the size of the array. 279 const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion()); 280 SValBuilder &svalBuilder = C.getSValBuilder(); 281 SVal Extent = 282 svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder)); 283 DefinedOrUnknownSVal Size = Extent.castAs<DefinedOrUnknownSVal>(); 284 285 // Get the index of the accessed element. 286 DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>(); 287 288 ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true); 289 ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false); 290 if (StOutBound && !StInBound) { 291 ExplodedNode *N = C.generateSink(StOutBound); 292 if (!N) 293 return NULL; 294 295 if (!BT_Bounds) { 296 BT_Bounds.reset(new BuiltinBug("Out-of-bound array access", 297 "Byte string function accesses out-of-bound array element")); 298 } 299 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get()); 300 301 // Generate a report for this bug. 302 BugReport *report; 303 if (warningMsg) { 304 report = new BugReport(*BT, warningMsg, N); 305 } else { 306 assert(CurrentFunctionDescription); 307 assert(CurrentFunctionDescription[0] != '\0'); 308 309 SmallString<80> buf; 310 llvm::raw_svector_ostream os(buf); 311 os << toUppercase(CurrentFunctionDescription[0]) 312 << &CurrentFunctionDescription[1] 313 << " accesses out-of-bound array element"; 314 report = new BugReport(*BT, os.str(), N); 315 } 316 317 // FIXME: It would be nice to eventually make this diagnostic more clear, 318 // e.g., by referencing the original declaration or by saying *why* this 319 // reference is outside the range. 320 321 report->addRange(S->getSourceRange()); 322 C.emitReport(report); 323 return NULL; 324 } 325 326 // Array bound check succeeded. From this point forward the array bound 327 // should always succeed. 328 return StInBound; 329} 330 331ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C, 332 ProgramStateRef state, 333 const Expr *Size, 334 const Expr *FirstBuf, 335 const Expr *SecondBuf, 336 const char *firstMessage, 337 const char *secondMessage, 338 bool WarnAboutSize) const { 339 // If a previous check has failed, propagate the failure. 340 if (!state) 341 return NULL; 342 343 SValBuilder &svalBuilder = C.getSValBuilder(); 344 ASTContext &Ctx = svalBuilder.getContext(); 345 const LocationContext *LCtx = C.getLocationContext(); 346 347 QualType sizeTy = Size->getType(); 348 QualType PtrTy = Ctx.getPointerType(Ctx.CharTy); 349 350 // Check that the first buffer is non-null. 351 SVal BufVal = state->getSVal(FirstBuf, LCtx); 352 state = checkNonNull(C, state, FirstBuf, BufVal); 353 if (!state) 354 return NULL; 355 356 // If out-of-bounds checking is turned off, skip the rest. 357 if (!Filter.CheckCStringOutOfBounds) 358 return state; 359 360 // Get the access length and make sure it is known. 361 // FIXME: This assumes the caller has already checked that the access length 362 // is positive. And that it's unsigned. 363 SVal LengthVal = state->getSVal(Size, LCtx); 364 Optional<NonLoc> Length = LengthVal.getAs<NonLoc>(); 365 if (!Length) 366 return state; 367 368 // Compute the offset of the last element to be accessed: size-1. 369 NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>(); 370 NonLoc LastOffset = svalBuilder 371 .evalBinOpNN(state, BO_Sub, *Length, One, sizeTy).castAs<NonLoc>(); 372 373 // Check that the first buffer is sufficiently long. 374 SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); 375 if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) { 376 const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf); 377 378 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 379 LastOffset, PtrTy); 380 state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage); 381 382 // If the buffer isn't large enough, abort. 383 if (!state) 384 return NULL; 385 } 386 387 // If there's a second buffer, check it as well. 388 if (SecondBuf) { 389 BufVal = state->getSVal(SecondBuf, LCtx); 390 state = checkNonNull(C, state, SecondBuf, BufVal); 391 if (!state) 392 return NULL; 393 394 BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType()); 395 if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) { 396 const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf); 397 398 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 399 LastOffset, PtrTy); 400 state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage); 401 } 402 } 403 404 // Large enough or not, return this state! 405 return state; 406} 407 408ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C, 409 ProgramStateRef state, 410 const Expr *Size, 411 const Expr *First, 412 const Expr *Second) const { 413 if (!Filter.CheckCStringBufferOverlap) 414 return state; 415 416 // Do a simple check for overlap: if the two arguments are from the same 417 // buffer, see if the end of the first is greater than the start of the second 418 // or vice versa. 419 420 // If a previous check has failed, propagate the failure. 421 if (!state) 422 return NULL; 423 424 ProgramStateRef stateTrue, stateFalse; 425 426 // Get the buffer values and make sure they're known locations. 427 const LocationContext *LCtx = C.getLocationContext(); 428 SVal firstVal = state->getSVal(First, LCtx); 429 SVal secondVal = state->getSVal(Second, LCtx); 430 431 Optional<Loc> firstLoc = firstVal.getAs<Loc>(); 432 if (!firstLoc) 433 return state; 434 435 Optional<Loc> secondLoc = secondVal.getAs<Loc>(); 436 if (!secondLoc) 437 return state; 438 439 // Are the two values the same? 440 SValBuilder &svalBuilder = C.getSValBuilder(); 441 llvm::tie(stateTrue, stateFalse) = 442 state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc)); 443 444 if (stateTrue && !stateFalse) { 445 // If the values are known to be equal, that's automatically an overlap. 446 emitOverlapBug(C, stateTrue, First, Second); 447 return NULL; 448 } 449 450 // assume the two expressions are not equal. 451 assert(stateFalse); 452 state = stateFalse; 453 454 // Which value comes first? 455 QualType cmpTy = svalBuilder.getConditionType(); 456 SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT, 457 *firstLoc, *secondLoc, cmpTy); 458 Optional<DefinedOrUnknownSVal> reverseTest = 459 reverse.getAs<DefinedOrUnknownSVal>(); 460 if (!reverseTest) 461 return state; 462 463 llvm::tie(stateTrue, stateFalse) = state->assume(*reverseTest); 464 if (stateTrue) { 465 if (stateFalse) { 466 // If we don't know which one comes first, we can't perform this test. 467 return state; 468 } else { 469 // Switch the values so that firstVal is before secondVal. 470 std::swap(firstLoc, secondLoc); 471 472 // Switch the Exprs as well, so that they still correspond. 473 std::swap(First, Second); 474 } 475 } 476 477 // Get the length, and make sure it too is known. 478 SVal LengthVal = state->getSVal(Size, LCtx); 479 Optional<NonLoc> Length = LengthVal.getAs<NonLoc>(); 480 if (!Length) 481 return state; 482 483 // Convert the first buffer's start address to char*. 484 // Bail out if the cast fails. 485 ASTContext &Ctx = svalBuilder.getContext(); 486 QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy); 487 SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy, 488 First->getType()); 489 Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>(); 490 if (!FirstStartLoc) 491 return state; 492 493 // Compute the end of the first buffer. Bail out if THAT fails. 494 SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, 495 *FirstStartLoc, *Length, CharPtrTy); 496 Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>(); 497 if (!FirstEndLoc) 498 return state; 499 500 // Is the end of the first buffer past the start of the second buffer? 501 SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT, 502 *FirstEndLoc, *secondLoc, cmpTy); 503 Optional<DefinedOrUnknownSVal> OverlapTest = 504 Overlap.getAs<DefinedOrUnknownSVal>(); 505 if (!OverlapTest) 506 return state; 507 508 llvm::tie(stateTrue, stateFalse) = state->assume(*OverlapTest); 509 510 if (stateTrue && !stateFalse) { 511 // Overlap! 512 emitOverlapBug(C, stateTrue, First, Second); 513 return NULL; 514 } 515 516 // assume the two expressions don't overlap. 517 assert(stateFalse); 518 return stateFalse; 519} 520 521void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state, 522 const Stmt *First, const Stmt *Second) const { 523 ExplodedNode *N = C.generateSink(state); 524 if (!N) 525 return; 526 527 if (!BT_Overlap) 528 BT_Overlap.reset(new BugType("Unix API", "Improper arguments")); 529 530 // Generate a report for this bug. 531 BugReport *report = 532 new BugReport(*BT_Overlap, 533 "Arguments must not be overlapping buffers", N); 534 report->addRange(First->getSourceRange()); 535 report->addRange(Second->getSourceRange()); 536 537 C.emitReport(report); 538} 539 540ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C, 541 ProgramStateRef state, 542 NonLoc left, 543 NonLoc right) const { 544 // If out-of-bounds checking is turned off, skip the rest. 545 if (!Filter.CheckCStringOutOfBounds) 546 return state; 547 548 // If a previous check has failed, propagate the failure. 549 if (!state) 550 return NULL; 551 552 SValBuilder &svalBuilder = C.getSValBuilder(); 553 BasicValueFactory &BVF = svalBuilder.getBasicValueFactory(); 554 555 QualType sizeTy = svalBuilder.getContext().getSizeType(); 556 const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy); 557 NonLoc maxVal = svalBuilder.makeIntVal(maxValInt); 558 559 SVal maxMinusRight; 560 if (right.getAs<nonloc::ConcreteInt>()) { 561 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right, 562 sizeTy); 563 } else { 564 // Try switching the operands. (The order of these two assignments is 565 // important!) 566 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left, 567 sizeTy); 568 left = right; 569 } 570 571 if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) { 572 QualType cmpTy = svalBuilder.getConditionType(); 573 // If left > max - right, we have an overflow. 574 SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left, 575 *maxMinusRightNL, cmpTy); 576 577 ProgramStateRef stateOverflow, stateOkay; 578 llvm::tie(stateOverflow, stateOkay) = 579 state->assume(willOverflow.castAs<DefinedOrUnknownSVal>()); 580 581 if (stateOverflow && !stateOkay) { 582 // We have an overflow. Emit a bug report. 583 ExplodedNode *N = C.generateSink(stateOverflow); 584 if (!N) 585 return NULL; 586 587 if (!BT_AdditionOverflow) 588 BT_AdditionOverflow.reset(new BuiltinBug("API", 589 "Sum of expressions causes overflow")); 590 591 // This isn't a great error message, but this should never occur in real 592 // code anyway -- you'd have to create a buffer longer than a size_t can 593 // represent, which is sort of a contradiction. 594 const char *warning = 595 "This expression will create a string whose length is too big to " 596 "be represented as a size_t"; 597 598 // Generate a report for this bug. 599 BugReport *report = new BugReport(*BT_AdditionOverflow, warning, N); 600 C.emitReport(report); 601 602 return NULL; 603 } 604 605 // From now on, assume an overflow didn't occur. 606 assert(stateOkay); 607 state = stateOkay; 608 } 609 610 return state; 611} 612 613ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state, 614 const MemRegion *MR, 615 SVal strLength) { 616 assert(!strLength.isUndef() && "Attempt to set an undefined string length"); 617 618 MR = MR->StripCasts(); 619 620 switch (MR->getKind()) { 621 case MemRegion::StringRegionKind: 622 // FIXME: This can happen if we strcpy() into a string region. This is 623 // undefined [C99 6.4.5p6], but we should still warn about it. 624 return state; 625 626 case MemRegion::SymbolicRegionKind: 627 case MemRegion::AllocaRegionKind: 628 case MemRegion::VarRegionKind: 629 case MemRegion::FieldRegionKind: 630 case MemRegion::ObjCIvarRegionKind: 631 // These are the types we can currently track string lengths for. 632 break; 633 634 case MemRegion::ElementRegionKind: 635 // FIXME: Handle element regions by upper-bounding the parent region's 636 // string length. 637 return state; 638 639 default: 640 // Other regions (mostly non-data) can't have a reliable C string length. 641 // For now, just ignore the change. 642 // FIXME: These are rare but not impossible. We should output some kind of 643 // warning for things like strcpy((char[]){'a', 0}, "b"); 644 return state; 645 } 646 647 if (strLength.isUnknown()) 648 return state->remove<CStringLength>(MR); 649 650 return state->set<CStringLength>(MR, strLength); 651} 652 653SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C, 654 ProgramStateRef &state, 655 const Expr *Ex, 656 const MemRegion *MR, 657 bool hypothetical) { 658 if (!hypothetical) { 659 // If there's a recorded length, go ahead and return it. 660 const SVal *Recorded = state->get<CStringLength>(MR); 661 if (Recorded) 662 return *Recorded; 663 } 664 665 // Otherwise, get a new symbol and update the state. 666 SValBuilder &svalBuilder = C.getSValBuilder(); 667 QualType sizeTy = svalBuilder.getContext().getSizeType(); 668 SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(), 669 MR, Ex, sizeTy, 670 C.blockCount()); 671 672 if (!hypothetical) { 673 if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) { 674 // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4 675 BasicValueFactory &BVF = svalBuilder.getBasicValueFactory(); 676 const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy); 677 llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4); 678 const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt, 679 fourInt); 680 NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt); 681 SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn, 682 maxLength, sizeTy); 683 state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true); 684 } 685 state = state->set<CStringLength>(MR, strLength); 686 } 687 688 return strLength; 689} 690 691SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state, 692 const Expr *Ex, SVal Buf, 693 bool hypothetical) const { 694 const MemRegion *MR = Buf.getAsRegion(); 695 if (!MR) { 696 // If we can't get a region, see if it's something we /know/ isn't a 697 // C string. In the context of locations, the only time we can issue such 698 // a warning is for labels. 699 if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) { 700 if (!Filter.CheckCStringNotNullTerm) 701 return UndefinedVal(); 702 703 if (ExplodedNode *N = C.addTransition(state)) { 704 if (!BT_NotCString) 705 BT_NotCString.reset(new BuiltinBug("Unix API", 706 "Argument is not a null-terminated string.")); 707 708 SmallString<120> buf; 709 llvm::raw_svector_ostream os(buf); 710 assert(CurrentFunctionDescription); 711 os << "Argument to " << CurrentFunctionDescription 712 << " is the address of the label '" << Label->getLabel()->getName() 713 << "', which is not a null-terminated string"; 714 715 // Generate a report for this bug. 716 BugReport *report = new BugReport(*BT_NotCString, 717 os.str(), N); 718 719 report->addRange(Ex->getSourceRange()); 720 C.emitReport(report); 721 } 722 return UndefinedVal(); 723 724 } 725 726 // If it's not a region and not a label, give up. 727 return UnknownVal(); 728 } 729 730 // If we have a region, strip casts from it and see if we can figure out 731 // its length. For anything we can't figure out, just return UnknownVal. 732 MR = MR->StripCasts(); 733 734 switch (MR->getKind()) { 735 case MemRegion::StringRegionKind: { 736 // Modifying the contents of string regions is undefined [C99 6.4.5p6], 737 // so we can assume that the byte length is the correct C string length. 738 SValBuilder &svalBuilder = C.getSValBuilder(); 739 QualType sizeTy = svalBuilder.getContext().getSizeType(); 740 const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral(); 741 return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy); 742 } 743 case MemRegion::SymbolicRegionKind: 744 case MemRegion::AllocaRegionKind: 745 case MemRegion::VarRegionKind: 746 case MemRegion::FieldRegionKind: 747 case MemRegion::ObjCIvarRegionKind: 748 return getCStringLengthForRegion(C, state, Ex, MR, hypothetical); 749 case MemRegion::CompoundLiteralRegionKind: 750 // FIXME: Can we track this? Is it necessary? 751 return UnknownVal(); 752 case MemRegion::ElementRegionKind: 753 // FIXME: How can we handle this? It's not good enough to subtract the 754 // offset from the base string length; consider "123\x00567" and &a[5]. 755 return UnknownVal(); 756 default: 757 // Other regions (mostly non-data) can't have a reliable C string length. 758 // In this case, an error is emitted and UndefinedVal is returned. 759 // The caller should always be prepared to handle this case. 760 if (!Filter.CheckCStringNotNullTerm) 761 return UndefinedVal(); 762 763 if (ExplodedNode *N = C.addTransition(state)) { 764 if (!BT_NotCString) 765 BT_NotCString.reset(new BuiltinBug("Unix API", 766 "Argument is not a null-terminated string.")); 767 768 SmallString<120> buf; 769 llvm::raw_svector_ostream os(buf); 770 771 assert(CurrentFunctionDescription); 772 os << "Argument to " << CurrentFunctionDescription << " is "; 773 774 if (SummarizeRegion(os, C.getASTContext(), MR)) 775 os << ", which is not a null-terminated string"; 776 else 777 os << "not a null-terminated string"; 778 779 // Generate a report for this bug. 780 BugReport *report = new BugReport(*BT_NotCString, 781 os.str(), N); 782 783 report->addRange(Ex->getSourceRange()); 784 C.emitReport(report); 785 } 786 787 return UndefinedVal(); 788 } 789} 790 791const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C, 792 ProgramStateRef &state, const Expr *expr, SVal val) const { 793 794 // Get the memory region pointed to by the val. 795 const MemRegion *bufRegion = val.getAsRegion(); 796 if (!bufRegion) 797 return NULL; 798 799 // Strip casts off the memory region. 800 bufRegion = bufRegion->StripCasts(); 801 802 // Cast the memory region to a string region. 803 const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion); 804 if (!strRegion) 805 return NULL; 806 807 // Return the actual string in the string region. 808 return strRegion->getStringLiteral(); 809} 810 811ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C, 812 ProgramStateRef state, 813 const Expr *E, SVal V) { 814 Optional<Loc> L = V.getAs<Loc>(); 815 if (!L) 816 return state; 817 818 // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes 819 // some assumptions about the value that CFRefCount can't. Even so, it should 820 // probably be refactored. 821 if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) { 822 const MemRegion *R = MR->getRegion()->StripCasts(); 823 824 // Are we dealing with an ElementRegion? If so, we should be invalidating 825 // the super-region. 826 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) { 827 R = ER->getSuperRegion(); 828 // FIXME: What about layers of ElementRegions? 829 } 830 831 // Invalidate this region. 832 const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); 833 return state->invalidateRegions(R, E, C.blockCount(), LCtx, 834 /*CausesPointerEscape*/ false); 835 } 836 837 // If we have a non-region value by chance, just remove the binding. 838 // FIXME: is this necessary or correct? This handles the non-Region 839 // cases. Is it ever valid to store to these? 840 return state->killBinding(*L); 841} 842 843bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx, 844 const MemRegion *MR) { 845 const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR); 846 847 switch (MR->getKind()) { 848 case MemRegion::FunctionTextRegionKind: { 849 const NamedDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 850 if (FD) 851 os << "the address of the function '" << *FD << '\''; 852 else 853 os << "the address of a function"; 854 return true; 855 } 856 case MemRegion::BlockTextRegionKind: 857 os << "block text"; 858 return true; 859 case MemRegion::BlockDataRegionKind: 860 os << "a block"; 861 return true; 862 case MemRegion::CXXThisRegionKind: 863 case MemRegion::CXXTempObjectRegionKind: 864 os << "a C++ temp object of type " << TVR->getValueType().getAsString(); 865 return true; 866 case MemRegion::VarRegionKind: 867 os << "a variable of type" << TVR->getValueType().getAsString(); 868 return true; 869 case MemRegion::FieldRegionKind: 870 os << "a field of type " << TVR->getValueType().getAsString(); 871 return true; 872 case MemRegion::ObjCIvarRegionKind: 873 os << "an instance variable of type " << TVR->getValueType().getAsString(); 874 return true; 875 default: 876 return false; 877 } 878} 879 880//===----------------------------------------------------------------------===// 881// evaluation of individual function calls. 882//===----------------------------------------------------------------------===// 883 884void CStringChecker::evalCopyCommon(CheckerContext &C, 885 const CallExpr *CE, 886 ProgramStateRef state, 887 const Expr *Size, const Expr *Dest, 888 const Expr *Source, bool Restricted, 889 bool IsMempcpy) const { 890 CurrentFunctionDescription = "memory copy function"; 891 892 // See if the size argument is zero. 893 const LocationContext *LCtx = C.getLocationContext(); 894 SVal sizeVal = state->getSVal(Size, LCtx); 895 QualType sizeTy = Size->getType(); 896 897 ProgramStateRef stateZeroSize, stateNonZeroSize; 898 llvm::tie(stateZeroSize, stateNonZeroSize) = 899 assumeZero(C, state, sizeVal, sizeTy); 900 901 // Get the value of the Dest. 902 SVal destVal = state->getSVal(Dest, LCtx); 903 904 // If the size is zero, there won't be any actual memory access, so 905 // just bind the return value to the destination buffer and return. 906 if (stateZeroSize && !stateNonZeroSize) { 907 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal); 908 C.addTransition(stateZeroSize); 909 return; 910 } 911 912 // If the size can be nonzero, we have to check the other arguments. 913 if (stateNonZeroSize) { 914 state = stateNonZeroSize; 915 916 // Ensure the destination is not null. If it is NULL there will be a 917 // NULL pointer dereference. 918 state = checkNonNull(C, state, Dest, destVal); 919 if (!state) 920 return; 921 922 // Get the value of the Src. 923 SVal srcVal = state->getSVal(Source, LCtx); 924 925 // Ensure the source is not null. If it is NULL there will be a 926 // NULL pointer dereference. 927 state = checkNonNull(C, state, Source, srcVal); 928 if (!state) 929 return; 930 931 // Ensure the accesses are valid and that the buffers do not overlap. 932 const char * const writeWarning = 933 "Memory copy function overflows destination buffer"; 934 state = CheckBufferAccess(C, state, Size, Dest, Source, 935 writeWarning, /* sourceWarning = */ NULL); 936 if (Restricted) 937 state = CheckOverlap(C, state, Size, Dest, Source); 938 939 if (!state) 940 return; 941 942 // If this is mempcpy, get the byte after the last byte copied and 943 // bind the expr. 944 if (IsMempcpy) { 945 loc::MemRegionVal destRegVal = destVal.castAs<loc::MemRegionVal>(); 946 947 // Get the length to copy. 948 if (Optional<NonLoc> lenValNonLoc = sizeVal.getAs<NonLoc>()) { 949 // Get the byte after the last byte copied. 950 SVal lastElement = C.getSValBuilder().evalBinOpLN(state, BO_Add, 951 destRegVal, 952 *lenValNonLoc, 953 Dest->getType()); 954 955 // The byte after the last byte copied is the return value. 956 state = state->BindExpr(CE, LCtx, lastElement); 957 } else { 958 // If we don't know how much we copied, we can at least 959 // conjure a return value for later. 960 SVal result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx, 961 C.blockCount()); 962 state = state->BindExpr(CE, LCtx, result); 963 } 964 965 } else { 966 // All other copies return the destination buffer. 967 // (Well, bcopy() has a void return type, but this won't hurt.) 968 state = state->BindExpr(CE, LCtx, destVal); 969 } 970 971 // Invalidate the destination. 972 // FIXME: Even if we can't perfectly model the copy, we should see if we 973 // can use LazyCompoundVals to copy the source values into the destination. 974 // This would probably remove any existing bindings past the end of the 975 // copied region, but that's still an improvement over blank invalidation. 976 state = InvalidateBuffer(C, state, Dest, 977 state->getSVal(Dest, C.getLocationContext())); 978 C.addTransition(state); 979 } 980} 981 982 983void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const { 984 if (CE->getNumArgs() < 3) 985 return; 986 987 // void *memcpy(void *restrict dst, const void *restrict src, size_t n); 988 // The return value is the address of the destination buffer. 989 const Expr *Dest = CE->getArg(0); 990 ProgramStateRef state = C.getState(); 991 992 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true); 993} 994 995void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const { 996 if (CE->getNumArgs() < 3) 997 return; 998 999 // void *mempcpy(void *restrict dst, const void *restrict src, size_t n); 1000 // The return value is a pointer to the byte following the last written byte. 1001 const Expr *Dest = CE->getArg(0); 1002 ProgramStateRef state = C.getState(); 1003 1004 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true); 1005} 1006 1007void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const { 1008 if (CE->getNumArgs() < 3) 1009 return; 1010 1011 // void *memmove(void *dst, const void *src, size_t n); 1012 // The return value is the address of the destination buffer. 1013 const Expr *Dest = CE->getArg(0); 1014 ProgramStateRef state = C.getState(); 1015 1016 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1)); 1017} 1018 1019void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const { 1020 if (CE->getNumArgs() < 3) 1021 return; 1022 1023 // void bcopy(const void *src, void *dst, size_t n); 1024 evalCopyCommon(C, CE, C.getState(), 1025 CE->getArg(2), CE->getArg(1), CE->getArg(0)); 1026} 1027 1028void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const { 1029 if (CE->getNumArgs() < 3) 1030 return; 1031 1032 // int memcmp(const void *s1, const void *s2, size_t n); 1033 CurrentFunctionDescription = "memory comparison function"; 1034 1035 const Expr *Left = CE->getArg(0); 1036 const Expr *Right = CE->getArg(1); 1037 const Expr *Size = CE->getArg(2); 1038 1039 ProgramStateRef state = C.getState(); 1040 SValBuilder &svalBuilder = C.getSValBuilder(); 1041 1042 // See if the size argument is zero. 1043 const LocationContext *LCtx = C.getLocationContext(); 1044 SVal sizeVal = state->getSVal(Size, LCtx); 1045 QualType sizeTy = Size->getType(); 1046 1047 ProgramStateRef stateZeroSize, stateNonZeroSize; 1048 llvm::tie(stateZeroSize, stateNonZeroSize) = 1049 assumeZero(C, state, sizeVal, sizeTy); 1050 1051 // If the size can be zero, the result will be 0 in that case, and we don't 1052 // have to check either of the buffers. 1053 if (stateZeroSize) { 1054 state = stateZeroSize; 1055 state = state->BindExpr(CE, LCtx, 1056 svalBuilder.makeZeroVal(CE->getType())); 1057 C.addTransition(state); 1058 } 1059 1060 // If the size can be nonzero, we have to check the other arguments. 1061 if (stateNonZeroSize) { 1062 state = stateNonZeroSize; 1063 // If we know the two buffers are the same, we know the result is 0. 1064 // First, get the two buffers' addresses. Another checker will have already 1065 // made sure they're not undefined. 1066 DefinedOrUnknownSVal LV = 1067 state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>(); 1068 DefinedOrUnknownSVal RV = 1069 state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>(); 1070 1071 // See if they are the same. 1072 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 1073 ProgramStateRef StSameBuf, StNotSameBuf; 1074 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 1075 1076 // If the two arguments might be the same buffer, we know the result is 0, 1077 // and we only need to check one size. 1078 if (StSameBuf) { 1079 state = StSameBuf; 1080 state = CheckBufferAccess(C, state, Size, Left); 1081 if (state) { 1082 state = StSameBuf->BindExpr(CE, LCtx, 1083 svalBuilder.makeZeroVal(CE->getType())); 1084 C.addTransition(state); 1085 } 1086 } 1087 1088 // If the two arguments might be different buffers, we have to check the 1089 // size of both of them. 1090 if (StNotSameBuf) { 1091 state = StNotSameBuf; 1092 state = CheckBufferAccess(C, state, Size, Left, Right); 1093 if (state) { 1094 // The return value is the comparison result, which we don't know. 1095 SVal CmpV = svalBuilder.conjureSymbolVal(0, CE, LCtx, C.blockCount()); 1096 state = state->BindExpr(CE, LCtx, CmpV); 1097 C.addTransition(state); 1098 } 1099 } 1100 } 1101} 1102 1103void CStringChecker::evalstrLength(CheckerContext &C, 1104 const CallExpr *CE) const { 1105 if (CE->getNumArgs() < 1) 1106 return; 1107 1108 // size_t strlen(const char *s); 1109 evalstrLengthCommon(C, CE, /* IsStrnlen = */ false); 1110} 1111 1112void CStringChecker::evalstrnLength(CheckerContext &C, 1113 const CallExpr *CE) const { 1114 if (CE->getNumArgs() < 2) 1115 return; 1116 1117 // size_t strnlen(const char *s, size_t maxlen); 1118 evalstrLengthCommon(C, CE, /* IsStrnlen = */ true); 1119} 1120 1121void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE, 1122 bool IsStrnlen) const { 1123 CurrentFunctionDescription = "string length function"; 1124 ProgramStateRef state = C.getState(); 1125 const LocationContext *LCtx = C.getLocationContext(); 1126 1127 if (IsStrnlen) { 1128 const Expr *maxlenExpr = CE->getArg(1); 1129 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); 1130 1131 ProgramStateRef stateZeroSize, stateNonZeroSize; 1132 llvm::tie(stateZeroSize, stateNonZeroSize) = 1133 assumeZero(C, state, maxlenVal, maxlenExpr->getType()); 1134 1135 // If the size can be zero, the result will be 0 in that case, and we don't 1136 // have to check the string itself. 1137 if (stateZeroSize) { 1138 SVal zero = C.getSValBuilder().makeZeroVal(CE->getType()); 1139 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero); 1140 C.addTransition(stateZeroSize); 1141 } 1142 1143 // If the size is GUARANTEED to be zero, we're done! 1144 if (!stateNonZeroSize) 1145 return; 1146 1147 // Otherwise, record the assumption that the size is nonzero. 1148 state = stateNonZeroSize; 1149 } 1150 1151 // Check that the string argument is non-null. 1152 const Expr *Arg = CE->getArg(0); 1153 SVal ArgVal = state->getSVal(Arg, LCtx); 1154 1155 state = checkNonNull(C, state, Arg, ArgVal); 1156 1157 if (!state) 1158 return; 1159 1160 SVal strLength = getCStringLength(C, state, Arg, ArgVal); 1161 1162 // If the argument isn't a valid C string, there's no valid state to 1163 // transition to. 1164 if (strLength.isUndef()) 1165 return; 1166 1167 DefinedOrUnknownSVal result = UnknownVal(); 1168 1169 // If the check is for strnlen() then bind the return value to no more than 1170 // the maxlen value. 1171 if (IsStrnlen) { 1172 QualType cmpTy = C.getSValBuilder().getConditionType(); 1173 1174 // It's a little unfortunate to be getting this again, 1175 // but it's not that expensive... 1176 const Expr *maxlenExpr = CE->getArg(1); 1177 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); 1178 1179 Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>(); 1180 Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>(); 1181 1182 if (strLengthNL && maxlenValNL) { 1183 ProgramStateRef stateStringTooLong, stateStringNotTooLong; 1184 1185 // Check if the strLength is greater than the maxlen. 1186 llvm::tie(stateStringTooLong, stateStringNotTooLong) = 1187 state->assume(C.getSValBuilder().evalBinOpNN( 1188 state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy) 1189 .castAs<DefinedOrUnknownSVal>()); 1190 1191 if (stateStringTooLong && !stateStringNotTooLong) { 1192 // If the string is longer than maxlen, return maxlen. 1193 result = *maxlenValNL; 1194 } else if (stateStringNotTooLong && !stateStringTooLong) { 1195 // If the string is shorter than maxlen, return its length. 1196 result = *strLengthNL; 1197 } 1198 } 1199 1200 if (result.isUnknown()) { 1201 // If we don't have enough information for a comparison, there's 1202 // no guarantee the full string length will actually be returned. 1203 // All we know is the return value is the min of the string length 1204 // and the limit. This is better than nothing. 1205 result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx, C.blockCount()); 1206 NonLoc resultNL = result.castAs<NonLoc>(); 1207 1208 if (strLengthNL) { 1209 state = state->assume(C.getSValBuilder().evalBinOpNN( 1210 state, BO_LE, resultNL, *strLengthNL, cmpTy) 1211 .castAs<DefinedOrUnknownSVal>(), true); 1212 } 1213 1214 if (maxlenValNL) { 1215 state = state->assume(C.getSValBuilder().evalBinOpNN( 1216 state, BO_LE, resultNL, *maxlenValNL, cmpTy) 1217 .castAs<DefinedOrUnknownSVal>(), true); 1218 } 1219 } 1220 1221 } else { 1222 // This is a plain strlen(), not strnlen(). 1223 result = strLength.castAs<DefinedOrUnknownSVal>(); 1224 1225 // If we don't know the length of the string, conjure a return 1226 // value, so it can be used in constraints, at least. 1227 if (result.isUnknown()) { 1228 result = C.getSValBuilder().conjureSymbolVal(0, CE, LCtx, C.blockCount()); 1229 } 1230 } 1231 1232 // Bind the return value. 1233 assert(!result.isUnknown() && "Should have conjured a value by now"); 1234 state = state->BindExpr(CE, LCtx, result); 1235 C.addTransition(state); 1236} 1237 1238void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const { 1239 if (CE->getNumArgs() < 2) 1240 return; 1241 1242 // char *strcpy(char *restrict dst, const char *restrict src); 1243 evalStrcpyCommon(C, CE, 1244 /* returnEnd = */ false, 1245 /* isBounded = */ false, 1246 /* isAppending = */ false); 1247} 1248 1249void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const { 1250 if (CE->getNumArgs() < 3) 1251 return; 1252 1253 // char *strncpy(char *restrict dst, const char *restrict src, size_t n); 1254 evalStrcpyCommon(C, CE, 1255 /* returnEnd = */ false, 1256 /* isBounded = */ true, 1257 /* isAppending = */ false); 1258} 1259 1260void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const { 1261 if (CE->getNumArgs() < 2) 1262 return; 1263 1264 // char *stpcpy(char *restrict dst, const char *restrict src); 1265 evalStrcpyCommon(C, CE, 1266 /* returnEnd = */ true, 1267 /* isBounded = */ false, 1268 /* isAppending = */ false); 1269} 1270 1271void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const { 1272 if (CE->getNumArgs() < 2) 1273 return; 1274 1275 //char *strcat(char *restrict s1, const char *restrict s2); 1276 evalStrcpyCommon(C, CE, 1277 /* returnEnd = */ false, 1278 /* isBounded = */ false, 1279 /* isAppending = */ true); 1280} 1281 1282void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const { 1283 if (CE->getNumArgs() < 3) 1284 return; 1285 1286 //char *strncat(char *restrict s1, const char *restrict s2, size_t n); 1287 evalStrcpyCommon(C, CE, 1288 /* returnEnd = */ false, 1289 /* isBounded = */ true, 1290 /* isAppending = */ true); 1291} 1292 1293void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, 1294 bool returnEnd, bool isBounded, 1295 bool isAppending) const { 1296 CurrentFunctionDescription = "string copy function"; 1297 ProgramStateRef state = C.getState(); 1298 const LocationContext *LCtx = C.getLocationContext(); 1299 1300 // Check that the destination is non-null. 1301 const Expr *Dst = CE->getArg(0); 1302 SVal DstVal = state->getSVal(Dst, LCtx); 1303 1304 state = checkNonNull(C, state, Dst, DstVal); 1305 if (!state) 1306 return; 1307 1308 // Check that the source is non-null. 1309 const Expr *srcExpr = CE->getArg(1); 1310 SVal srcVal = state->getSVal(srcExpr, LCtx); 1311 state = checkNonNull(C, state, srcExpr, srcVal); 1312 if (!state) 1313 return; 1314 1315 // Get the string length of the source. 1316 SVal strLength = getCStringLength(C, state, srcExpr, srcVal); 1317 1318 // If the source isn't a valid C string, give up. 1319 if (strLength.isUndef()) 1320 return; 1321 1322 SValBuilder &svalBuilder = C.getSValBuilder(); 1323 QualType cmpTy = svalBuilder.getConditionType(); 1324 QualType sizeTy = svalBuilder.getContext().getSizeType(); 1325 1326 // These two values allow checking two kinds of errors: 1327 // - actual overflows caused by a source that doesn't fit in the destination 1328 // - potential overflows caused by a bound that could exceed the destination 1329 SVal amountCopied = UnknownVal(); 1330 SVal maxLastElementIndex = UnknownVal(); 1331 const char *boundWarning = NULL; 1332 1333 // If the function is strncpy, strncat, etc... it is bounded. 1334 if (isBounded) { 1335 // Get the max number of characters to copy. 1336 const Expr *lenExpr = CE->getArg(2); 1337 SVal lenVal = state->getSVal(lenExpr, LCtx); 1338 1339 // Protect against misdeclared strncpy(). 1340 lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType()); 1341 1342 Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>(); 1343 Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>(); 1344 1345 // If we know both values, we might be able to figure out how much 1346 // we're copying. 1347 if (strLengthNL && lenValNL) { 1348 ProgramStateRef stateSourceTooLong, stateSourceNotTooLong; 1349 1350 // Check if the max number to copy is less than the length of the src. 1351 // If the bound is equal to the source length, strncpy won't null- 1352 // terminate the result! 1353 llvm::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume( 1354 svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy) 1355 .castAs<DefinedOrUnknownSVal>()); 1356 1357 if (stateSourceTooLong && !stateSourceNotTooLong) { 1358 // Max number to copy is less than the length of the src, so the actual 1359 // strLength copied is the max number arg. 1360 state = stateSourceTooLong; 1361 amountCopied = lenVal; 1362 1363 } else if (!stateSourceTooLong && stateSourceNotTooLong) { 1364 // The source buffer entirely fits in the bound. 1365 state = stateSourceNotTooLong; 1366 amountCopied = strLength; 1367 } 1368 } 1369 1370 // We still want to know if the bound is known to be too large. 1371 if (lenValNL) { 1372 if (isAppending) { 1373 // For strncat, the check is strlen(dst) + lenVal < sizeof(dst) 1374 1375 // Get the string length of the destination. If the destination is 1376 // memory that can't have a string length, we shouldn't be copying 1377 // into it anyway. 1378 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1379 if (dstStrLength.isUndef()) 1380 return; 1381 1382 if (Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>()) { 1383 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add, 1384 *lenValNL, 1385 *dstStrLengthNL, 1386 sizeTy); 1387 boundWarning = "Size argument is greater than the free space in the " 1388 "destination buffer"; 1389 } 1390 1391 } else { 1392 // For strncpy, this is just checking that lenVal <= sizeof(dst) 1393 // (Yes, strncpy and strncat differ in how they treat termination. 1394 // strncat ALWAYS terminates, but strncpy doesn't.) 1395 1396 // We need a special case for when the copy size is zero, in which 1397 // case strncpy will do no work at all. Our bounds check uses n-1 1398 // as the last element accessed, so n == 0 is problematic. 1399 ProgramStateRef StateZeroSize, StateNonZeroSize; 1400 llvm::tie(StateZeroSize, StateNonZeroSize) = 1401 assumeZero(C, state, *lenValNL, sizeTy); 1402 1403 // If the size is known to be zero, we're done. 1404 if (StateZeroSize && !StateNonZeroSize) { 1405 StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal); 1406 C.addTransition(StateZeroSize); 1407 return; 1408 } 1409 1410 // Otherwise, go ahead and figure out the last element we'll touch. 1411 // We don't record the non-zero assumption here because we can't 1412 // be sure. We won't warn on a possible zero. 1413 NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>(); 1414 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, 1415 one, sizeTy); 1416 boundWarning = "Size argument is greater than the length of the " 1417 "destination buffer"; 1418 } 1419 } 1420 1421 // If we couldn't pin down the copy length, at least bound it. 1422 // FIXME: We should actually run this code path for append as well, but 1423 // right now it creates problems with constraints (since we can end up 1424 // trying to pass constraints from symbol to symbol). 1425 if (amountCopied.isUnknown() && !isAppending) { 1426 // Try to get a "hypothetical" string length symbol, which we can later 1427 // set as a real value if that turns out to be the case. 1428 amountCopied = getCStringLength(C, state, lenExpr, srcVal, true); 1429 assert(!amountCopied.isUndef()); 1430 1431 if (Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>()) { 1432 if (lenValNL) { 1433 // amountCopied <= lenVal 1434 SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE, 1435 *amountCopiedNL, 1436 *lenValNL, 1437 cmpTy); 1438 state = state->assume( 1439 copiedLessThanBound.castAs<DefinedOrUnknownSVal>(), true); 1440 if (!state) 1441 return; 1442 } 1443 1444 if (strLengthNL) { 1445 // amountCopied <= strlen(source) 1446 SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE, 1447 *amountCopiedNL, 1448 *strLengthNL, 1449 cmpTy); 1450 state = state->assume( 1451 copiedLessThanSrc.castAs<DefinedOrUnknownSVal>(), true); 1452 if (!state) 1453 return; 1454 } 1455 } 1456 } 1457 1458 } else { 1459 // The function isn't bounded. The amount copied should match the length 1460 // of the source buffer. 1461 amountCopied = strLength; 1462 } 1463 1464 assert(state); 1465 1466 // This represents the number of characters copied into the destination 1467 // buffer. (It may not actually be the strlen if the destination buffer 1468 // is not terminated.) 1469 SVal finalStrLength = UnknownVal(); 1470 1471 // If this is an appending function (strcat, strncat...) then set the 1472 // string length to strlen(src) + strlen(dst) since the buffer will 1473 // ultimately contain both. 1474 if (isAppending) { 1475 // Get the string length of the destination. If the destination is memory 1476 // that can't have a string length, we shouldn't be copying into it anyway. 1477 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1478 if (dstStrLength.isUndef()) 1479 return; 1480 1481 Optional<NonLoc> srcStrLengthNL = amountCopied.getAs<NonLoc>(); 1482 Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>(); 1483 1484 // If we know both string lengths, we might know the final string length. 1485 if (srcStrLengthNL && dstStrLengthNL) { 1486 // Make sure the two lengths together don't overflow a size_t. 1487 state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL); 1488 if (!state) 1489 return; 1490 1491 finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL, 1492 *dstStrLengthNL, sizeTy); 1493 } 1494 1495 // If we couldn't get a single value for the final string length, 1496 // we can at least bound it by the individual lengths. 1497 if (finalStrLength.isUnknown()) { 1498 // Try to get a "hypothetical" string length symbol, which we can later 1499 // set as a real value if that turns out to be the case. 1500 finalStrLength = getCStringLength(C, state, CE, DstVal, true); 1501 assert(!finalStrLength.isUndef()); 1502 1503 if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) { 1504 if (srcStrLengthNL) { 1505 // finalStrLength >= srcStrLength 1506 SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE, 1507 *finalStrLengthNL, 1508 *srcStrLengthNL, 1509 cmpTy); 1510 state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(), 1511 true); 1512 if (!state) 1513 return; 1514 } 1515 1516 if (dstStrLengthNL) { 1517 // finalStrLength >= dstStrLength 1518 SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE, 1519 *finalStrLengthNL, 1520 *dstStrLengthNL, 1521 cmpTy); 1522 state = 1523 state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true); 1524 if (!state) 1525 return; 1526 } 1527 } 1528 } 1529 1530 } else { 1531 // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and 1532 // the final string length will match the input string length. 1533 finalStrLength = amountCopied; 1534 } 1535 1536 // The final result of the function will either be a pointer past the last 1537 // copied element, or a pointer to the start of the destination buffer. 1538 SVal Result = (returnEnd ? UnknownVal() : DstVal); 1539 1540 assert(state); 1541 1542 // If the destination is a MemRegion, try to check for a buffer overflow and 1543 // record the new string length. 1544 if (Optional<loc::MemRegionVal> dstRegVal = 1545 DstVal.getAs<loc::MemRegionVal>()) { 1546 QualType ptrTy = Dst->getType(); 1547 1548 // If we have an exact value on a bounded copy, use that to check for 1549 // overflows, rather than our estimate about how much is actually copied. 1550 if (boundWarning) { 1551 if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) { 1552 SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, 1553 *maxLastNL, ptrTy); 1554 state = CheckLocation(C, state, CE->getArg(2), maxLastElement, 1555 boundWarning); 1556 if (!state) 1557 return; 1558 } 1559 } 1560 1561 // Then, if the final length is known... 1562 if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) { 1563 SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, 1564 *knownStrLength, ptrTy); 1565 1566 // ...and we haven't checked the bound, we'll check the actual copy. 1567 if (!boundWarning) { 1568 const char * const warningMsg = 1569 "String copy function overflows destination buffer"; 1570 state = CheckLocation(C, state, Dst, lastElement, warningMsg); 1571 if (!state) 1572 return; 1573 } 1574 1575 // If this is a stpcpy-style copy, the last element is the return value. 1576 if (returnEnd) 1577 Result = lastElement; 1578 } 1579 1580 // Invalidate the destination. This must happen before we set the C string 1581 // length because invalidation will clear the length. 1582 // FIXME: Even if we can't perfectly model the copy, we should see if we 1583 // can use LazyCompoundVals to copy the source values into the destination. 1584 // This would probably remove any existing bindings past the end of the 1585 // string, but that's still an improvement over blank invalidation. 1586 state = InvalidateBuffer(C, state, Dst, *dstRegVal); 1587 1588 // Set the C string length of the destination, if we know it. 1589 if (isBounded && !isAppending) { 1590 // strncpy is annoying in that it doesn't guarantee to null-terminate 1591 // the result string. If the original string didn't fit entirely inside 1592 // the bound (including the null-terminator), we don't know how long the 1593 // result is. 1594 if (amountCopied != strLength) 1595 finalStrLength = UnknownVal(); 1596 } 1597 state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength); 1598 } 1599 1600 assert(state); 1601 1602 // If this is a stpcpy-style copy, but we were unable to check for a buffer 1603 // overflow, we still need a result. Conjure a return value. 1604 if (returnEnd && Result.isUnknown()) { 1605 Result = svalBuilder.conjureSymbolVal(0, CE, LCtx, C.blockCount()); 1606 } 1607 1608 // Set the return value. 1609 state = state->BindExpr(CE, LCtx, Result); 1610 C.addTransition(state); 1611} 1612 1613void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const { 1614 if (CE->getNumArgs() < 2) 1615 return; 1616 1617 //int strcmp(const char *s1, const char *s2); 1618 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false); 1619} 1620 1621void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const { 1622 if (CE->getNumArgs() < 3) 1623 return; 1624 1625 //int strncmp(const char *s1, const char *s2, size_t n); 1626 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false); 1627} 1628 1629void CStringChecker::evalStrcasecmp(CheckerContext &C, 1630 const CallExpr *CE) const { 1631 if (CE->getNumArgs() < 2) 1632 return; 1633 1634 //int strcasecmp(const char *s1, const char *s2); 1635 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true); 1636} 1637 1638void CStringChecker::evalStrncasecmp(CheckerContext &C, 1639 const CallExpr *CE) const { 1640 if (CE->getNumArgs() < 3) 1641 return; 1642 1643 //int strncasecmp(const char *s1, const char *s2, size_t n); 1644 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true); 1645} 1646 1647void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, 1648 bool isBounded, bool ignoreCase) const { 1649 CurrentFunctionDescription = "string comparison function"; 1650 ProgramStateRef state = C.getState(); 1651 const LocationContext *LCtx = C.getLocationContext(); 1652 1653 // Check that the first string is non-null 1654 const Expr *s1 = CE->getArg(0); 1655 SVal s1Val = state->getSVal(s1, LCtx); 1656 state = checkNonNull(C, state, s1, s1Val); 1657 if (!state) 1658 return; 1659 1660 // Check that the second string is non-null. 1661 const Expr *s2 = CE->getArg(1); 1662 SVal s2Val = state->getSVal(s2, LCtx); 1663 state = checkNonNull(C, state, s2, s2Val); 1664 if (!state) 1665 return; 1666 1667 // Get the string length of the first string or give up. 1668 SVal s1Length = getCStringLength(C, state, s1, s1Val); 1669 if (s1Length.isUndef()) 1670 return; 1671 1672 // Get the string length of the second string or give up. 1673 SVal s2Length = getCStringLength(C, state, s2, s2Val); 1674 if (s2Length.isUndef()) 1675 return; 1676 1677 // If we know the two buffers are the same, we know the result is 0. 1678 // First, get the two buffers' addresses. Another checker will have already 1679 // made sure they're not undefined. 1680 DefinedOrUnknownSVal LV = s1Val.castAs<DefinedOrUnknownSVal>(); 1681 DefinedOrUnknownSVal RV = s2Val.castAs<DefinedOrUnknownSVal>(); 1682 1683 // See if they are the same. 1684 SValBuilder &svalBuilder = C.getSValBuilder(); 1685 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 1686 ProgramStateRef StSameBuf, StNotSameBuf; 1687 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 1688 1689 // If the two arguments might be the same buffer, we know the result is 0, 1690 // and we only need to check one size. 1691 if (StSameBuf) { 1692 StSameBuf = StSameBuf->BindExpr(CE, LCtx, 1693 svalBuilder.makeZeroVal(CE->getType())); 1694 C.addTransition(StSameBuf); 1695 1696 // If the two arguments are GUARANTEED to be the same, we're done! 1697 if (!StNotSameBuf) 1698 return; 1699 } 1700 1701 assert(StNotSameBuf); 1702 state = StNotSameBuf; 1703 1704 // At this point we can go about comparing the two buffers. 1705 // For now, we only do this if they're both known string literals. 1706 1707 // Attempt to extract string literals from both expressions. 1708 const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val); 1709 const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val); 1710 bool canComputeResult = false; 1711 1712 if (s1StrLiteral && s2StrLiteral) { 1713 StringRef s1StrRef = s1StrLiteral->getString(); 1714 StringRef s2StrRef = s2StrLiteral->getString(); 1715 1716 if (isBounded) { 1717 // Get the max number of characters to compare. 1718 const Expr *lenExpr = CE->getArg(2); 1719 SVal lenVal = state->getSVal(lenExpr, LCtx); 1720 1721 // If the length is known, we can get the right substrings. 1722 if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) { 1723 // Create substrings of each to compare the prefix. 1724 s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue()); 1725 s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue()); 1726 canComputeResult = true; 1727 } 1728 } else { 1729 // This is a normal, unbounded strcmp. 1730 canComputeResult = true; 1731 } 1732 1733 if (canComputeResult) { 1734 // Real strcmp stops at null characters. 1735 size_t s1Term = s1StrRef.find('\0'); 1736 if (s1Term != StringRef::npos) 1737 s1StrRef = s1StrRef.substr(0, s1Term); 1738 1739 size_t s2Term = s2StrRef.find('\0'); 1740 if (s2Term != StringRef::npos) 1741 s2StrRef = s2StrRef.substr(0, s2Term); 1742 1743 // Use StringRef's comparison methods to compute the actual result. 1744 int result; 1745 1746 if (ignoreCase) { 1747 // Compare string 1 to string 2 the same way strcasecmp() does. 1748 result = s1StrRef.compare_lower(s2StrRef); 1749 } else { 1750 // Compare string 1 to string 2 the same way strcmp() does. 1751 result = s1StrRef.compare(s2StrRef); 1752 } 1753 1754 // Build the SVal of the comparison and bind the return value. 1755 SVal resultVal = svalBuilder.makeIntVal(result, CE->getType()); 1756 state = state->BindExpr(CE, LCtx, resultVal); 1757 } 1758 } 1759 1760 if (!canComputeResult) { 1761 // Conjure a symbolic value. It's the best we can do. 1762 SVal resultVal = svalBuilder.conjureSymbolVal(0, CE, LCtx, C.blockCount()); 1763 state = state->BindExpr(CE, LCtx, resultVal); 1764 } 1765 1766 // Record this as a possible path. 1767 C.addTransition(state); 1768} 1769 1770void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const { 1771 //char *strsep(char **stringp, const char *delim); 1772 if (CE->getNumArgs() < 2) 1773 return; 1774 1775 // Sanity: does the search string parameter match the return type? 1776 const Expr *SearchStrPtr = CE->getArg(0); 1777 QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType(); 1778 if (CharPtrTy.isNull() || 1779 CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType()) 1780 return; 1781 1782 CurrentFunctionDescription = "strsep()"; 1783 ProgramStateRef State = C.getState(); 1784 const LocationContext *LCtx = C.getLocationContext(); 1785 1786 // Check that the search string pointer is non-null (though it may point to 1787 // a null string). 1788 SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx); 1789 State = checkNonNull(C, State, SearchStrPtr, SearchStrVal); 1790 if (!State) 1791 return; 1792 1793 // Check that the delimiter string is non-null. 1794 const Expr *DelimStr = CE->getArg(1); 1795 SVal DelimStrVal = State->getSVal(DelimStr, LCtx); 1796 State = checkNonNull(C, State, DelimStr, DelimStrVal); 1797 if (!State) 1798 return; 1799 1800 SValBuilder &SVB = C.getSValBuilder(); 1801 SVal Result; 1802 if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) { 1803 // Get the current value of the search string pointer, as a char*. 1804 Result = State->getSVal(*SearchStrLoc, CharPtrTy); 1805 1806 // Invalidate the search string, representing the change of one delimiter 1807 // character to NUL. 1808 State = InvalidateBuffer(C, State, SearchStrPtr, Result); 1809 1810 // Overwrite the search string pointer. The new value is either an address 1811 // further along in the same string, or NULL if there are no more tokens. 1812 State = State->bindLoc(*SearchStrLoc, 1813 SVB.conjureSymbolVal(getTag(), CE, LCtx, CharPtrTy, 1814 C.blockCount())); 1815 } else { 1816 assert(SearchStrVal.isUnknown()); 1817 // Conjure a symbolic value. It's the best we can do. 1818 Result = SVB.conjureSymbolVal(0, CE, LCtx, C.blockCount()); 1819 } 1820 1821 // Set the return value, and finish. 1822 State = State->BindExpr(CE, LCtx, Result); 1823 C.addTransition(State); 1824} 1825 1826 1827//===----------------------------------------------------------------------===// 1828// The driver method, and other Checker callbacks. 1829//===----------------------------------------------------------------------===// 1830 1831bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { 1832 const FunctionDecl *FDecl = C.getCalleeDecl(CE); 1833 1834 if (!FDecl) 1835 return false; 1836 1837 // FIXME: Poorly-factored string switches are slow. 1838 FnCheck evalFunction = 0; 1839 if (C.isCLibraryFunction(FDecl, "memcpy")) 1840 evalFunction = &CStringChecker::evalMemcpy; 1841 else if (C.isCLibraryFunction(FDecl, "mempcpy")) 1842 evalFunction = &CStringChecker::evalMempcpy; 1843 else if (C.isCLibraryFunction(FDecl, "memcmp")) 1844 evalFunction = &CStringChecker::evalMemcmp; 1845 else if (C.isCLibraryFunction(FDecl, "memmove")) 1846 evalFunction = &CStringChecker::evalMemmove; 1847 else if (C.isCLibraryFunction(FDecl, "strcpy")) 1848 evalFunction = &CStringChecker::evalStrcpy; 1849 else if (C.isCLibraryFunction(FDecl, "strncpy")) 1850 evalFunction = &CStringChecker::evalStrncpy; 1851 else if (C.isCLibraryFunction(FDecl, "stpcpy")) 1852 evalFunction = &CStringChecker::evalStpcpy; 1853 else if (C.isCLibraryFunction(FDecl, "strcat")) 1854 evalFunction = &CStringChecker::evalStrcat; 1855 else if (C.isCLibraryFunction(FDecl, "strncat")) 1856 evalFunction = &CStringChecker::evalStrncat; 1857 else if (C.isCLibraryFunction(FDecl, "strlen")) 1858 evalFunction = &CStringChecker::evalstrLength; 1859 else if (C.isCLibraryFunction(FDecl, "strnlen")) 1860 evalFunction = &CStringChecker::evalstrnLength; 1861 else if (C.isCLibraryFunction(FDecl, "strcmp")) 1862 evalFunction = &CStringChecker::evalStrcmp; 1863 else if (C.isCLibraryFunction(FDecl, "strncmp")) 1864 evalFunction = &CStringChecker::evalStrncmp; 1865 else if (C.isCLibraryFunction(FDecl, "strcasecmp")) 1866 evalFunction = &CStringChecker::evalStrcasecmp; 1867 else if (C.isCLibraryFunction(FDecl, "strncasecmp")) 1868 evalFunction = &CStringChecker::evalStrncasecmp; 1869 else if (C.isCLibraryFunction(FDecl, "strsep")) 1870 evalFunction = &CStringChecker::evalStrsep; 1871 else if (C.isCLibraryFunction(FDecl, "bcopy")) 1872 evalFunction = &CStringChecker::evalBcopy; 1873 else if (C.isCLibraryFunction(FDecl, "bcmp")) 1874 evalFunction = &CStringChecker::evalMemcmp; 1875 1876 // If the callee isn't a string function, let another checker handle it. 1877 if (!evalFunction) 1878 return false; 1879 1880 // Make sure each function sets its own description. 1881 // (But don't bother in a release build.) 1882 assert(!(CurrentFunctionDescription = NULL)); 1883 1884 // Check and evaluate the call. 1885 (this->*evalFunction)(C, CE); 1886 1887 // If the evaluate call resulted in no change, chain to the next eval call 1888 // handler. 1889 // Note, the custom CString evaluation calls assume that basic safety 1890 // properties are held. However, if the user chooses to turn off some of these 1891 // checks, we ignore the issues and leave the call evaluation to a generic 1892 // handler. 1893 if (!C.isDifferent()) 1894 return false; 1895 1896 return true; 1897} 1898 1899void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const { 1900 // Record string length for char a[] = "abc"; 1901 ProgramStateRef state = C.getState(); 1902 1903 for (DeclStmt::const_decl_iterator I = DS->decl_begin(), E = DS->decl_end(); 1904 I != E; ++I) { 1905 const VarDecl *D = dyn_cast<VarDecl>(*I); 1906 if (!D) 1907 continue; 1908 1909 // FIXME: Handle array fields of structs. 1910 if (!D->getType()->isArrayType()) 1911 continue; 1912 1913 const Expr *Init = D->getInit(); 1914 if (!Init) 1915 continue; 1916 if (!isa<StringLiteral>(Init)) 1917 continue; 1918 1919 Loc VarLoc = state->getLValue(D, C.getLocationContext()); 1920 const MemRegion *MR = VarLoc.getAsRegion(); 1921 if (!MR) 1922 continue; 1923 1924 SVal StrVal = state->getSVal(Init, C.getLocationContext()); 1925 assert(StrVal.isValid() && "Initializer string is unknown or undefined"); 1926 DefinedOrUnknownSVal strLength = 1927 getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>(); 1928 1929 state = state->set<CStringLength>(MR, strLength); 1930 } 1931 1932 C.addTransition(state); 1933} 1934 1935bool CStringChecker::wantsRegionChangeUpdate(ProgramStateRef state) const { 1936 CStringLengthTy Entries = state->get<CStringLength>(); 1937 return !Entries.isEmpty(); 1938} 1939 1940ProgramStateRef 1941CStringChecker::checkRegionChanges(ProgramStateRef state, 1942 const InvalidatedSymbols *, 1943 ArrayRef<const MemRegion *> ExplicitRegions, 1944 ArrayRef<const MemRegion *> Regions, 1945 const CallEvent *Call) const { 1946 CStringLengthTy Entries = state->get<CStringLength>(); 1947 if (Entries.isEmpty()) 1948 return state; 1949 1950 llvm::SmallPtrSet<const MemRegion *, 8> Invalidated; 1951 llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions; 1952 1953 // First build sets for the changed regions and their super-regions. 1954 for (ArrayRef<const MemRegion *>::iterator 1955 I = Regions.begin(), E = Regions.end(); I != E; ++I) { 1956 const MemRegion *MR = *I; 1957 Invalidated.insert(MR); 1958 1959 SuperRegions.insert(MR); 1960 while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) { 1961 MR = SR->getSuperRegion(); 1962 SuperRegions.insert(MR); 1963 } 1964 } 1965 1966 CStringLengthTy::Factory &F = state->get_context<CStringLength>(); 1967 1968 // Then loop over the entries in the current state. 1969 for (CStringLengthTy::iterator I = Entries.begin(), 1970 E = Entries.end(); I != E; ++I) { 1971 const MemRegion *MR = I.getKey(); 1972 1973 // Is this entry for a super-region of a changed region? 1974 if (SuperRegions.count(MR)) { 1975 Entries = F.remove(Entries, MR); 1976 continue; 1977 } 1978 1979 // Is this entry for a sub-region of a changed region? 1980 const MemRegion *Super = MR; 1981 while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) { 1982 Super = SR->getSuperRegion(); 1983 if (Invalidated.count(Super)) { 1984 Entries = F.remove(Entries, MR); 1985 break; 1986 } 1987 } 1988 } 1989 1990 return state->set<CStringLength>(Entries); 1991} 1992 1993void CStringChecker::checkLiveSymbols(ProgramStateRef state, 1994 SymbolReaper &SR) const { 1995 // Mark all symbols in our string length map as valid. 1996 CStringLengthTy Entries = state->get<CStringLength>(); 1997 1998 for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end(); 1999 I != E; ++I) { 2000 SVal Len = I.getData(); 2001 2002 for (SymExpr::symbol_iterator si = Len.symbol_begin(), 2003 se = Len.symbol_end(); si != se; ++si) 2004 SR.markInUse(*si); 2005 } 2006} 2007 2008void CStringChecker::checkDeadSymbols(SymbolReaper &SR, 2009 CheckerContext &C) const { 2010 if (!SR.hasDeadSymbols()) 2011 return; 2012 2013 ProgramStateRef state = C.getState(); 2014 CStringLengthTy Entries = state->get<CStringLength>(); 2015 if (Entries.isEmpty()) 2016 return; 2017 2018 CStringLengthTy::Factory &F = state->get_context<CStringLength>(); 2019 for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end(); 2020 I != E; ++I) { 2021 SVal Len = I.getData(); 2022 if (SymbolRef Sym = Len.getAsSymbol()) { 2023 if (SR.isDead(Sym)) 2024 Entries = F.remove(Entries, I.getKey()); 2025 } 2026 } 2027 2028 state = state->set<CStringLength>(Entries); 2029 C.addTransition(state); 2030} 2031 2032#define REGISTER_CHECKER(name) \ 2033void ento::register##name(CheckerManager &mgr) {\ 2034 mgr.registerChecker<CStringChecker>()->Filter.Check##name = true; \ 2035} 2036 2037REGISTER_CHECKER(CStringNullArg) 2038REGISTER_CHECKER(CStringOutOfBounds) 2039REGISTER_CHECKER(CStringBufferOverlap) 2040REGISTER_CHECKER(CStringNotNullTerm) 2041 2042void ento::registerCStringCheckerBasic(CheckerManager &Mgr) { 2043 registerCStringNullArg(Mgr); 2044} 2045