clang  5.0.0
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines CStringChecker, which is an assortment of checks on calls
11 // to functions in <string.h>.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "InterCheckerAPI.h"
17 #include "clang/Basic/CharInfo.h"
23 #include "llvm/ADT/STLExtras.h"
24 #include "llvm/ADT/SmallString.h"
25 #include "llvm/Support/raw_ostream.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 namespace {
31 class CStringChecker : public Checker< eval::Call,
32  check::PreStmt<DeclStmt>,
33  check::LiveSymbols,
34  check::DeadSymbols,
35  check::RegionChanges
36  > {
37  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
38  BT_NotCString, BT_AdditionOverflow;
39 
40  mutable const char *CurrentFunctionDescription;
41 
42 public:
43  /// The filter is used to filter out the diagnostics which are not enabled by
44  /// the user.
45  struct CStringChecksFilter {
46  DefaultBool CheckCStringNullArg;
47  DefaultBool CheckCStringOutOfBounds;
48  DefaultBool CheckCStringBufferOverlap;
49  DefaultBool CheckCStringNotNullTerm;
50 
51  CheckName CheckNameCStringNullArg;
52  CheckName CheckNameCStringOutOfBounds;
53  CheckName CheckNameCStringBufferOverlap;
54  CheckName CheckNameCStringNotNullTerm;
55  };
56 
57  CStringChecksFilter Filter;
58 
59  static void *getTag() { static int tag; return &tag; }
60 
61  bool evalCall(const CallExpr *CE, CheckerContext &C) const;
62  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
63  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
64  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
65 
67  checkRegionChanges(ProgramStateRef state,
68  const InvalidatedSymbols *,
69  ArrayRef<const MemRegion *> ExplicitRegions,
71  const LocationContext *LCtx,
72  const CallEvent *Call) const;
73 
74  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
75  const CallExpr *) const;
76 
77  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
78  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
79  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
80  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
81  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
83  const Expr *Size,
84  const Expr *Source,
85  const Expr *Dest,
86  bool Restricted = false,
87  bool IsMempcpy = false) const;
88 
89  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
90 
91  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
92  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
93  void evalstrLengthCommon(CheckerContext &C,
94  const CallExpr *CE,
95  bool IsStrnlen = false) const;
96 
97  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
98  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
99  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
100  void evalStrcpyCommon(CheckerContext &C,
101  const CallExpr *CE,
102  bool returnEnd,
103  bool isBounded,
104  bool isAppending) const;
105 
106  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
107  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
108 
109  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
110  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
111  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
112  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
113  void evalStrcmpCommon(CheckerContext &C,
114  const CallExpr *CE,
115  bool isBounded = false,
116  bool ignoreCase = false) const;
117 
118  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
119 
120  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
121  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
122  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
123  void evalMemset(CheckerContext &C, const CallExpr *CE) const;
124 
125  // Utility methods
126  std::pair<ProgramStateRef , ProgramStateRef >
127  static assumeZero(CheckerContext &C,
129 
130  static ProgramStateRef setCStringLength(ProgramStateRef state,
131  const MemRegion *MR,
132  SVal strLength);
133  static SVal getCStringLengthForRegion(CheckerContext &C,
135  const Expr *Ex,
136  const MemRegion *MR,
137  bool hypothetical);
138  SVal getCStringLength(CheckerContext &C,
140  const Expr *Ex,
141  SVal Buf,
142  bool hypothetical = false) const;
143 
144  const StringLiteral *getCStringLiteral(CheckerContext &C,
146  const Expr *expr,
147  SVal val) const;
148 
149  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
151  const Expr *Ex, SVal V,
152  bool IsSourceBuffer,
153  const Expr *Size);
154 
155  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
156  const MemRegion *MR);
157 
158  // Re-usable checks
159  ProgramStateRef checkNonNull(CheckerContext &C,
161  const Expr *S,
162  SVal l) const;
163  ProgramStateRef CheckLocation(CheckerContext &C,
165  const Expr *S,
166  SVal l,
167  const char *message = nullptr) const;
168  ProgramStateRef CheckBufferAccess(CheckerContext &C,
170  const Expr *Size,
171  const Expr *FirstBuf,
172  const Expr *SecondBuf,
173  const char *firstMessage = nullptr,
174  const char *secondMessage = nullptr,
175  bool WarnAboutSize = false) const;
176 
177  ProgramStateRef CheckBufferAccess(CheckerContext &C,
179  const Expr *Size,
180  const Expr *Buf,
181  const char *message = nullptr,
182  bool WarnAboutSize = false) const {
183  // This is a convenience override.
184  return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
185  WarnAboutSize);
186  }
187  ProgramStateRef CheckOverlap(CheckerContext &C,
189  const Expr *Size,
190  const Expr *First,
191  const Expr *Second) const;
192  void emitOverlapBug(CheckerContext &C,
194  const Stmt *First,
195  const Stmt *Second) const;
196 
197  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
199  NonLoc left,
200  NonLoc right) const;
201 
202  // Return true if the destination buffer of the copy function may be in bound.
203  // Expects SVal of Size to be positive and unsigned.
204  // Expects SVal of FirstBuf to be a FieldRegion.
205  static bool IsFirstBufInBound(CheckerContext &C,
207  const Expr *FirstBuf,
208  const Expr *Size);
209 };
210 
211 } //end anonymous namespace
212 
213 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
214 
215 //===----------------------------------------------------------------------===//
216 // Individual checks and utility methods.
217 //===----------------------------------------------------------------------===//
218 
219 std::pair<ProgramStateRef , ProgramStateRef >
220 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
221  QualType Ty) {
222  Optional<DefinedSVal> val = V.getAs<DefinedSVal>();
223  if (!val)
224  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
225 
226  SValBuilder &svalBuilder = C.getSValBuilder();
227  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
228  return state->assume(svalBuilder.evalEQ(state, *val, zero));
229 }
230 
231 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
232  ProgramStateRef state,
233  const Expr *S, SVal l) const {
234  // If a previous check has failed, propagate the failure.
235  if (!state)
236  return nullptr;
237 
238  ProgramStateRef stateNull, stateNonNull;
239  std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
240 
241  if (stateNull && !stateNonNull) {
242  if (!Filter.CheckCStringNullArg)
243  return nullptr;
244 
245  ExplodedNode *N = C.generateErrorNode(stateNull);
246  if (!N)
247  return nullptr;
248 
249  if (!BT_Null)
250  BT_Null.reset(new BuiltinBug(
251  Filter.CheckNameCStringNullArg, categories::UnixAPI,
252  "Null pointer argument in call to byte string function"));
253 
254  SmallString<80> buf;
255  llvm::raw_svector_ostream os(buf);
256  assert(CurrentFunctionDescription);
257  os << "Null pointer argument in call to " << CurrentFunctionDescription;
258 
259  // Generate a report for this bug.
260  BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get());
261  auto report = llvm::make_unique<BugReport>(*BT, os.str(), N);
262 
263  report->addRange(S->getSourceRange());
264  bugreporter::trackNullOrUndefValue(N, S, *report);
265  C.emitReport(std::move(report));
266  return nullptr;
267  }
268 
269  // From here on, assume that the value is non-null.
270  assert(stateNonNull);
271  return stateNonNull;
272 }
273 
274 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
275 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
276  ProgramStateRef state,
277  const Expr *S, SVal l,
278  const char *warningMsg) const {
279  // If a previous check has failed, propagate the failure.
280  if (!state)
281  return nullptr;
282 
283  // Check for out of bound array element access.
284  const MemRegion *R = l.getAsRegion();
285  if (!R)
286  return state;
287 
288  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
289  if (!ER)
290  return state;
291 
292  assert(ER->getValueType() == C.getASTContext().CharTy &&
293  "CheckLocation should only be called with char* ElementRegions");
294 
295  // Get the size of the array.
296  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
297  SValBuilder &svalBuilder = C.getSValBuilder();
298  SVal Extent =
299  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
301 
302  // Get the index of the accessed element.
304 
305  ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
306  ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
307  if (StOutBound && !StInBound) {
308  ExplodedNode *N = C.generateErrorNode(StOutBound);
309  if (!N)
310  return nullptr;
311 
312  if (!BT_Bounds) {
313  BT_Bounds.reset(new BuiltinBug(
314  Filter.CheckNameCStringOutOfBounds, "Out-of-bound array access",
315  "Byte string function accesses out-of-bound array element"));
316  }
317  BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get());
318 
319  // Generate a report for this bug.
320  std::unique_ptr<BugReport> report;
321  if (warningMsg) {
322  report = llvm::make_unique<BugReport>(*BT, warningMsg, N);
323  } else {
324  assert(CurrentFunctionDescription);
325  assert(CurrentFunctionDescription[0] != '\0');
326 
327  SmallString<80> buf;
328  llvm::raw_svector_ostream os(buf);
329  os << toUppercase(CurrentFunctionDescription[0])
330  << &CurrentFunctionDescription[1]
331  << " accesses out-of-bound array element";
332  report = llvm::make_unique<BugReport>(*BT, os.str(), N);
333  }
334 
335  // FIXME: It would be nice to eventually make this diagnostic more clear,
336  // e.g., by referencing the original declaration or by saying *why* this
337  // reference is outside the range.
338 
339  report->addRange(S->getSourceRange());
340  C.emitReport(std::move(report));
341  return nullptr;
342  }
343 
344  // Array bound check succeeded. From this point forward the array bound
345  // should always succeed.
346  return StInBound;
347 }
348 
349 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
350  ProgramStateRef state,
351  const Expr *Size,
352  const Expr *FirstBuf,
353  const Expr *SecondBuf,
354  const char *firstMessage,
355  const char *secondMessage,
356  bool WarnAboutSize) const {
357  // If a previous check has failed, propagate the failure.
358  if (!state)
359  return nullptr;
360 
361  SValBuilder &svalBuilder = C.getSValBuilder();
362  ASTContext &Ctx = svalBuilder.getContext();
363  const LocationContext *LCtx = C.getLocationContext();
364 
365  QualType sizeTy = Size->getType();
366  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
367 
368  // Check that the first buffer is non-null.
369  SVal BufVal = state->getSVal(FirstBuf, LCtx);
370  state = checkNonNull(C, state, FirstBuf, BufVal);
371  if (!state)
372  return nullptr;
373 
374  // If out-of-bounds checking is turned off, skip the rest.
375  if (!Filter.CheckCStringOutOfBounds)
376  return state;
377 
378  // Get the access length and make sure it is known.
379  // FIXME: This assumes the caller has already checked that the access length
380  // is positive. And that it's unsigned.
381  SVal LengthVal = state->getSVal(Size, LCtx);
382  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
383  if (!Length)
384  return state;
385 
386  // Compute the offset of the last element to be accessed: size-1.
387  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
388  NonLoc LastOffset = svalBuilder
389  .evalBinOpNN(state, BO_Sub, *Length, One, sizeTy).castAs<NonLoc>();
390 
391  // Check that the first buffer is sufficiently long.
392  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
393  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
394  const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
395 
396  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
397  LastOffset, PtrTy);
398  state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
399 
400  // If the buffer isn't large enough, abort.
401  if (!state)
402  return nullptr;
403  }
404 
405  // If there's a second buffer, check it as well.
406  if (SecondBuf) {
407  BufVal = state->getSVal(SecondBuf, LCtx);
408  state = checkNonNull(C, state, SecondBuf, BufVal);
409  if (!state)
410  return nullptr;
411 
412  BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
413  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
414  const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
415 
416  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
417  LastOffset, PtrTy);
418  state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
419  }
420  }
421 
422  // Large enough or not, return this state!
423  return state;
424 }
425 
426 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
427  ProgramStateRef state,
428  const Expr *Size,
429  const Expr *First,
430  const Expr *Second) const {
431  if (!Filter.CheckCStringBufferOverlap)
432  return state;
433 
434  // Do a simple check for overlap: if the two arguments are from the same
435  // buffer, see if the end of the first is greater than the start of the second
436  // or vice versa.
437 
438  // If a previous check has failed, propagate the failure.
439  if (!state)
440  return nullptr;
441 
442  ProgramStateRef stateTrue, stateFalse;
443 
444  // Get the buffer values and make sure they're known locations.
445  const LocationContext *LCtx = C.getLocationContext();
446  SVal firstVal = state->getSVal(First, LCtx);
447  SVal secondVal = state->getSVal(Second, LCtx);
448 
449  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
450  if (!firstLoc)
451  return state;
452 
453  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
454  if (!secondLoc)
455  return state;
456 
457  // Are the two values the same?
458  SValBuilder &svalBuilder = C.getSValBuilder();
459  std::tie(stateTrue, stateFalse) =
460  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
461 
462  if (stateTrue && !stateFalse) {
463  // If the values are known to be equal, that's automatically an overlap.
464  emitOverlapBug(C, stateTrue, First, Second);
465  return nullptr;
466  }
467 
468  // assume the two expressions are not equal.
469  assert(stateFalse);
470  state = stateFalse;
471 
472  // Which value comes first?
473  QualType cmpTy = svalBuilder.getConditionType();
474  SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT,
475  *firstLoc, *secondLoc, cmpTy);
476  Optional<DefinedOrUnknownSVal> reverseTest =
477  reverse.getAs<DefinedOrUnknownSVal>();
478  if (!reverseTest)
479  return state;
480 
481  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
482  if (stateTrue) {
483  if (stateFalse) {
484  // If we don't know which one comes first, we can't perform this test.
485  return state;
486  } else {
487  // Switch the values so that firstVal is before secondVal.
488  std::swap(firstLoc, secondLoc);
489 
490  // Switch the Exprs as well, so that they still correspond.
491  std::swap(First, Second);
492  }
493  }
494 
495  // Get the length, and make sure it too is known.
496  SVal LengthVal = state->getSVal(Size, LCtx);
497  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
498  if (!Length)
499  return state;
500 
501  // Convert the first buffer's start address to char*.
502  // Bail out if the cast fails.
503  ASTContext &Ctx = svalBuilder.getContext();
504  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
505  SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy,
506  First->getType());
507  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
508  if (!FirstStartLoc)
509  return state;
510 
511  // Compute the end of the first buffer. Bail out if THAT fails.
512  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add,
513  *FirstStartLoc, *Length, CharPtrTy);
514  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
515  if (!FirstEndLoc)
516  return state;
517 
518  // Is the end of the first buffer past the start of the second buffer?
519  SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT,
520  *FirstEndLoc, *secondLoc, cmpTy);
521  Optional<DefinedOrUnknownSVal> OverlapTest =
522  Overlap.getAs<DefinedOrUnknownSVal>();
523  if (!OverlapTest)
524  return state;
525 
526  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
527 
528  if (stateTrue && !stateFalse) {
529  // Overlap!
530  emitOverlapBug(C, stateTrue, First, Second);
531  return nullptr;
532  }
533 
534  // assume the two expressions don't overlap.
535  assert(stateFalse);
536  return stateFalse;
537 }
538 
539 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
540  const Stmt *First, const Stmt *Second) const {
541  ExplodedNode *N = C.generateErrorNode(state);
542  if (!N)
543  return;
544 
545  if (!BT_Overlap)
546  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
547  categories::UnixAPI, "Improper arguments"));
548 
549  // Generate a report for this bug.
550  auto report = llvm::make_unique<BugReport>(
551  *BT_Overlap, "Arguments must not be overlapping buffers", N);
552  report->addRange(First->getSourceRange());
553  report->addRange(Second->getSourceRange());
554 
555  C.emitReport(std::move(report));
556 }
557 
558 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
559  ProgramStateRef state,
560  NonLoc left,
561  NonLoc right) const {
562  // If out-of-bounds checking is turned off, skip the rest.
563  if (!Filter.CheckCStringOutOfBounds)
564  return state;
565 
566  // If a previous check has failed, propagate the failure.
567  if (!state)
568  return nullptr;
569 
570  SValBuilder &svalBuilder = C.getSValBuilder();
571  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
572 
573  QualType sizeTy = svalBuilder.getContext().getSizeType();
574  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
575  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
576 
577  SVal maxMinusRight;
578  if (right.getAs<nonloc::ConcreteInt>()) {
579  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
580  sizeTy);
581  } else {
582  // Try switching the operands. (The order of these two assignments is
583  // important!)
584  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
585  sizeTy);
586  left = right;
587  }
588 
589  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
590  QualType cmpTy = svalBuilder.getConditionType();
591  // If left > max - right, we have an overflow.
592  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
593  *maxMinusRightNL, cmpTy);
594 
595  ProgramStateRef stateOverflow, stateOkay;
596  std::tie(stateOverflow, stateOkay) =
597  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
598 
599  if (stateOverflow && !stateOkay) {
600  // We have an overflow. Emit a bug report.
601  ExplodedNode *N = C.generateErrorNode(stateOverflow);
602  if (!N)
603  return nullptr;
604 
605  if (!BT_AdditionOverflow)
606  BT_AdditionOverflow.reset(
607  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
608  "Sum of expressions causes overflow"));
609 
610  // This isn't a great error message, but this should never occur in real
611  // code anyway -- you'd have to create a buffer longer than a size_t can
612  // represent, which is sort of a contradiction.
613  const char *warning =
614  "This expression will create a string whose length is too big to "
615  "be represented as a size_t";
616 
617  // Generate a report for this bug.
618  C.emitReport(
619  llvm::make_unique<BugReport>(*BT_AdditionOverflow, warning, N));
620 
621  return nullptr;
622  }
623 
624  // From now on, assume an overflow didn't occur.
625  assert(stateOkay);
626  state = stateOkay;
627  }
628 
629  return state;
630 }
631 
632 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
633  const MemRegion *MR,
634  SVal strLength) {
635  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
636 
637  MR = MR->StripCasts();
638 
639  switch (MR->getKind()) {
640  case MemRegion::StringRegionKind:
641  // FIXME: This can happen if we strcpy() into a string region. This is
642  // undefined [C99 6.4.5p6], but we should still warn about it.
643  return state;
644 
645  case MemRegion::SymbolicRegionKind:
646  case MemRegion::AllocaRegionKind:
647  case MemRegion::VarRegionKind:
648  case MemRegion::FieldRegionKind:
649  case MemRegion::ObjCIvarRegionKind:
650  // These are the types we can currently track string lengths for.
651  break;
652 
653  case MemRegion::ElementRegionKind:
654  // FIXME: Handle element regions by upper-bounding the parent region's
655  // string length.
656  return state;
657 
658  default:
659  // Other regions (mostly non-data) can't have a reliable C string length.
660  // For now, just ignore the change.
661  // FIXME: These are rare but not impossible. We should output some kind of
662  // warning for things like strcpy((char[]){'a', 0}, "b");
663  return state;
664  }
665 
666  if (strLength.isUnknown())
667  return state->remove<CStringLength>(MR);
668 
669  return state->set<CStringLength>(MR, strLength);
670 }
671 
672 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
673  ProgramStateRef &state,
674  const Expr *Ex,
675  const MemRegion *MR,
676  bool hypothetical) {
677  if (!hypothetical) {
678  // If there's a recorded length, go ahead and return it.
679  const SVal *Recorded = state->get<CStringLength>(MR);
680  if (Recorded)
681  return *Recorded;
682  }
683 
684  // Otherwise, get a new symbol and update the state.
685  SValBuilder &svalBuilder = C.getSValBuilder();
686  QualType sizeTy = svalBuilder.getContext().getSizeType();
687  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
688  MR, Ex, sizeTy,
689  C.getLocationContext(),
690  C.blockCount());
691 
692  if (!hypothetical) {
693  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
694  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
695  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
696  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
697  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
698  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
699  fourInt);
700  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
701  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
702  maxLength, sizeTy);
703  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
704  }
705  state = state->set<CStringLength>(MR, strLength);
706  }
707 
708  return strLength;
709 }
710 
711 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
712  const Expr *Ex, SVal Buf,
713  bool hypothetical) const {
714  const MemRegion *MR = Buf.getAsRegion();
715  if (!MR) {
716  // If we can't get a region, see if it's something we /know/ isn't a
717  // C string. In the context of locations, the only time we can issue such
718  // a warning is for labels.
720  if (!Filter.CheckCStringNotNullTerm)
721  return UndefinedVal();
722 
723  if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
724  if (!BT_NotCString)
725  BT_NotCString.reset(new BuiltinBug(
726  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
727  "Argument is not a null-terminated string."));
728 
729  SmallString<120> buf;
730  llvm::raw_svector_ostream os(buf);
731  assert(CurrentFunctionDescription);
732  os << "Argument to " << CurrentFunctionDescription
733  << " is the address of the label '" << Label->getLabel()->getName()
734  << "', which is not a null-terminated string";
735 
736  // Generate a report for this bug.
737  auto report = llvm::make_unique<BugReport>(*BT_NotCString, os.str(), N);
738 
739  report->addRange(Ex->getSourceRange());
740  C.emitReport(std::move(report));
741  }
742  return UndefinedVal();
743 
744  }
745 
746  // If it's not a region and not a label, give up.
747  return UnknownVal();
748  }
749 
750  // If we have a region, strip casts from it and see if we can figure out
751  // its length. For anything we can't figure out, just return UnknownVal.
752  MR = MR->StripCasts();
753 
754  switch (MR->getKind()) {
755  case MemRegion::StringRegionKind: {
756  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
757  // so we can assume that the byte length is the correct C string length.
758  SValBuilder &svalBuilder = C.getSValBuilder();
759  QualType sizeTy = svalBuilder.getContext().getSizeType();
760  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
761  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
762  }
763  case MemRegion::SymbolicRegionKind:
764  case MemRegion::AllocaRegionKind:
765  case MemRegion::VarRegionKind:
766  case MemRegion::FieldRegionKind:
767  case MemRegion::ObjCIvarRegionKind:
768  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
769  case MemRegion::CompoundLiteralRegionKind:
770  // FIXME: Can we track this? Is it necessary?
771  return UnknownVal();
772  case MemRegion::ElementRegionKind:
773  // FIXME: How can we handle this? It's not good enough to subtract the
774  // offset from the base string length; consider "123\x00567" and &a[5].
775  return UnknownVal();
776  default:
777  // Other regions (mostly non-data) can't have a reliable C string length.
778  // In this case, an error is emitted and UndefinedVal is returned.
779  // The caller should always be prepared to handle this case.
780  if (!Filter.CheckCStringNotNullTerm)
781  return UndefinedVal();
782 
783  if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
784  if (!BT_NotCString)
785  BT_NotCString.reset(new BuiltinBug(
786  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
787  "Argument is not a null-terminated string."));
788 
789  SmallString<120> buf;
790  llvm::raw_svector_ostream os(buf);
791 
792  assert(CurrentFunctionDescription);
793  os << "Argument to " << CurrentFunctionDescription << " is ";
794 
795  if (SummarizeRegion(os, C.getASTContext(), MR))
796  os << ", which is not a null-terminated string";
797  else
798  os << "not a null-terminated string";
799 
800  // Generate a report for this bug.
801  auto report = llvm::make_unique<BugReport>(*BT_NotCString, os.str(), N);
802 
803  report->addRange(Ex->getSourceRange());
804  C.emitReport(std::move(report));
805  }
806 
807  return UndefinedVal();
808  }
809 }
810 
811 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
812  ProgramStateRef &state, const Expr *expr, SVal val) const {
813 
814  // Get the memory region pointed to by the val.
815  const MemRegion *bufRegion = val.getAsRegion();
816  if (!bufRegion)
817  return nullptr;
818 
819  // Strip casts off the memory region.
820  bufRegion = bufRegion->StripCasts();
821 
822  // Cast the memory region to a string region.
823  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
824  if (!strRegion)
825  return nullptr;
826 
827  // Return the actual string in the string region.
828  return strRegion->getStringLiteral();
829 }
830 
831 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
832  ProgramStateRef state,
833  const Expr *FirstBuf,
834  const Expr *Size) {
835  // If we do not know that the buffer is long enough we return 'true'.
836  // Otherwise the parent region of this field region would also get
837  // invalidated, which would lead to warnings based on an unknown state.
838 
839  // Originally copied from CheckBufferAccess and CheckLocation.
840  SValBuilder &svalBuilder = C.getSValBuilder();
841  ASTContext &Ctx = svalBuilder.getContext();
842  const LocationContext *LCtx = C.getLocationContext();
843 
844  QualType sizeTy = Size->getType();
845  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
846  SVal BufVal = state->getSVal(FirstBuf, LCtx);
847 
848  SVal LengthVal = state->getSVal(Size, LCtx);
849  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
850  if (!Length)
851  return true; // cf top comment.
852 
853  // Compute the offset of the last element to be accessed: size-1.
854  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
855  NonLoc LastOffset =
856  svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy)
857  .castAs<NonLoc>();
858 
859  // Check that the first buffer is sufficiently long.
860  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
861  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
862  if (!BufLoc)
863  return true; // cf top comment.
864 
865  SVal BufEnd =
866  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
867 
868  // Check for out of bound array element access.
869  const MemRegion *R = BufEnd.getAsRegion();
870  if (!R)
871  return true; // cf top comment.
872 
873  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
874  if (!ER)
875  return true; // cf top comment.
876 
877  assert(ER->getValueType() == C.getASTContext().CharTy &&
878  "IsFirstBufInBound should only be called with char* ElementRegions");
879 
880  // Get the size of the array.
881  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
882  SVal Extent =
883  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
884  DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
885 
886  // Get the index of the accessed element.
888 
889  ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true);
890 
891  return static_cast<bool>(StInBound);
892 }
893 
894 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
895  ProgramStateRef state,
896  const Expr *E, SVal V,
897  bool IsSourceBuffer,
898  const Expr *Size) {
899  Optional<Loc> L = V.getAs<Loc>();
900  if (!L)
901  return state;
902 
903  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
904  // some assumptions about the value that CFRefCount can't. Even so, it should
905  // probably be refactored.
906  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
907  const MemRegion *R = MR->getRegion()->StripCasts();
908 
909  // Are we dealing with an ElementRegion? If so, we should be invalidating
910  // the super-region.
911  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
912  R = ER->getSuperRegion();
913  // FIXME: What about layers of ElementRegions?
914  }
915 
916  // Invalidate this region.
918 
919  bool CausesPointerEscape = false;
921  // Invalidate and escape only indirect regions accessible through the source
922  // buffer.
923  if (IsSourceBuffer) {
924  ITraits.setTrait(R->getBaseRegion(),
927  CausesPointerEscape = true;
928  } else {
929  const MemRegion::Kind& K = R->getKind();
930  if (K == MemRegion::FieldRegionKind)
931  if (Size && IsFirstBufInBound(C, state, E, Size)) {
932  // If destination buffer is a field region and access is in bound,
933  // do not invalidate its super region.
934  ITraits.setTrait(
935  R,
937  }
938  }
939 
940  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
941  CausesPointerEscape, nullptr, nullptr,
942  &ITraits);
943  }
944 
945  // If we have a non-region value by chance, just remove the binding.
946  // FIXME: is this necessary or correct? This handles the non-Region
947  // cases. Is it ever valid to store to these?
948  return state->killBinding(*L);
949 }
950 
951 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
952  const MemRegion *MR) {
953  const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR);
954 
955  switch (MR->getKind()) {
956  case MemRegion::FunctionCodeRegionKind: {
957  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
958  if (FD)
959  os << "the address of the function '" << *FD << '\'';
960  else
961  os << "the address of a function";
962  return true;
963  }
964  case MemRegion::BlockCodeRegionKind:
965  os << "block text";
966  return true;
967  case MemRegion::BlockDataRegionKind:
968  os << "a block";
969  return true;
970  case MemRegion::CXXThisRegionKind:
971  case MemRegion::CXXTempObjectRegionKind:
972  os << "a C++ temp object of type " << TVR->getValueType().getAsString();
973  return true;
974  case MemRegion::VarRegionKind:
975  os << "a variable of type" << TVR->getValueType().getAsString();
976  return true;
977  case MemRegion::FieldRegionKind:
978  os << "a field of type " << TVR->getValueType().getAsString();
979  return true;
980  case MemRegion::ObjCIvarRegionKind:
981  os << "an instance variable of type " << TVR->getValueType().getAsString();
982  return true;
983  default:
984  return false;
985  }
986 }
987 
988 //===----------------------------------------------------------------------===//
989 // evaluation of individual function calls.
990 //===----------------------------------------------------------------------===//
991 
992 void CStringChecker::evalCopyCommon(CheckerContext &C,
993  const CallExpr *CE,
994  ProgramStateRef state,
995  const Expr *Size, const Expr *Dest,
996  const Expr *Source, bool Restricted,
997  bool IsMempcpy) const {
998  CurrentFunctionDescription = "memory copy function";
999 
1000  // See if the size argument is zero.
1001  const LocationContext *LCtx = C.getLocationContext();
1002  SVal sizeVal = state->getSVal(Size, LCtx);
1003  QualType sizeTy = Size->getType();
1004 
1005  ProgramStateRef stateZeroSize, stateNonZeroSize;
1006  std::tie(stateZeroSize, stateNonZeroSize) =
1007  assumeZero(C, state, sizeVal, sizeTy);
1008 
1009  // Get the value of the Dest.
1010  SVal destVal = state->getSVal(Dest, LCtx);
1011 
1012  // If the size is zero, there won't be any actual memory access, so
1013  // just bind the return value to the destination buffer and return.
1014  if (stateZeroSize && !stateNonZeroSize) {
1015  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1016  C.addTransition(stateZeroSize);
1017  return;
1018  }
1019 
1020  // If the size can be nonzero, we have to check the other arguments.
1021  if (stateNonZeroSize) {
1022  state = stateNonZeroSize;
1023 
1024  // Ensure the destination is not null. If it is NULL there will be a
1025  // NULL pointer dereference.
1026  state = checkNonNull(C, state, Dest, destVal);
1027  if (!state)
1028  return;
1029 
1030  // Get the value of the Src.
1031  SVal srcVal = state->getSVal(Source, LCtx);
1032 
1033  // Ensure the source is not null. If it is NULL there will be a
1034  // NULL pointer dereference.
1035  state = checkNonNull(C, state, Source, srcVal);
1036  if (!state)
1037  return;
1038 
1039  // Ensure the accesses are valid and that the buffers do not overlap.
1040  const char * const writeWarning =
1041  "Memory copy function overflows destination buffer";
1042  state = CheckBufferAccess(C, state, Size, Dest, Source,
1043  writeWarning, /* sourceWarning = */ nullptr);
1044  if (Restricted)
1045  state = CheckOverlap(C, state, Size, Dest, Source);
1046 
1047  if (!state)
1048  return;
1049 
1050  // If this is mempcpy, get the byte after the last byte copied and
1051  // bind the expr.
1052  if (IsMempcpy) {
1053  loc::MemRegionVal destRegVal = destVal.castAs<loc::MemRegionVal>();
1054 
1055  // Get the length to copy.
1056  if (Optional<NonLoc> lenValNonLoc = sizeVal.getAs<NonLoc>()) {
1057  // Get the byte after the last byte copied.
1058  SValBuilder &SvalBuilder = C.getSValBuilder();
1059  ASTContext &Ctx = SvalBuilder.getContext();
1060  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1061  loc::MemRegionVal DestRegCharVal = SvalBuilder.evalCast(destRegVal,
1062  CharPtrTy, Dest->getType()).castAs<loc::MemRegionVal>();
1063  SVal lastElement = C.getSValBuilder().evalBinOpLN(state, BO_Add,
1064  DestRegCharVal,
1065  *lenValNonLoc,
1066  Dest->getType());
1067 
1068  // The byte after the last byte copied is the return value.
1069  state = state->BindExpr(CE, LCtx, lastElement);
1070  } else {
1071  // If we don't know how much we copied, we can at least
1072  // conjure a return value for later.
1073  SVal result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1074  C.blockCount());
1075  state = state->BindExpr(CE, LCtx, result);
1076  }
1077 
1078  } else {
1079  // All other copies return the destination buffer.
1080  // (Well, bcopy() has a void return type, but this won't hurt.)
1081  state = state->BindExpr(CE, LCtx, destVal);
1082  }
1083 
1084  // Invalidate the destination (regular invalidation without pointer-escaping
1085  // the address of the top-level region).
1086  // FIXME: Even if we can't perfectly model the copy, we should see if we
1087  // can use LazyCompoundVals to copy the source values into the destination.
1088  // This would probably remove any existing bindings past the end of the
1089  // copied region, but that's still an improvement over blank invalidation.
1090  state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest),
1091  /*IsSourceBuffer*/false, Size);
1092 
1093  // Invalidate the source (const-invalidation without const-pointer-escaping
1094  // the address of the top-level region).
1095  state = InvalidateBuffer(C, state, Source, C.getSVal(Source),
1096  /*IsSourceBuffer*/true, nullptr);
1097 
1098  C.addTransition(state);
1099  }
1100 }
1101 
1102 
1103 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1104  if (CE->getNumArgs() < 3)
1105  return;
1106 
1107  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1108  // The return value is the address of the destination buffer.
1109  const Expr *Dest = CE->getArg(0);
1110  ProgramStateRef state = C.getState();
1111 
1112  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true);
1113 }
1114 
1115 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1116  if (CE->getNumArgs() < 3)
1117  return;
1118 
1119  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1120  // The return value is a pointer to the byte following the last written byte.
1121  const Expr *Dest = CE->getArg(0);
1122  ProgramStateRef state = C.getState();
1123 
1124  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
1125 }
1126 
1127 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1128  if (CE->getNumArgs() < 3)
1129  return;
1130 
1131  // void *memmove(void *dst, const void *src, size_t n);
1132  // The return value is the address of the destination buffer.
1133  const Expr *Dest = CE->getArg(0);
1134  ProgramStateRef state = C.getState();
1135 
1136  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
1137 }
1138 
1139 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1140  if (CE->getNumArgs() < 3)
1141  return;
1142 
1143  // void bcopy(const void *src, void *dst, size_t n);
1144  evalCopyCommon(C, CE, C.getState(),
1145  CE->getArg(2), CE->getArg(1), CE->getArg(0));
1146 }
1147 
1148 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1149  if (CE->getNumArgs() < 3)
1150  return;
1151 
1152  // int memcmp(const void *s1, const void *s2, size_t n);
1153  CurrentFunctionDescription = "memory comparison function";
1154 
1155  const Expr *Left = CE->getArg(0);
1156  const Expr *Right = CE->getArg(1);
1157  const Expr *Size = CE->getArg(2);
1158 
1159  ProgramStateRef state = C.getState();
1160  SValBuilder &svalBuilder = C.getSValBuilder();
1161 
1162  // See if the size argument is zero.
1163  const LocationContext *LCtx = C.getLocationContext();
1164  SVal sizeVal = state->getSVal(Size, LCtx);
1165  QualType sizeTy = Size->getType();
1166 
1167  ProgramStateRef stateZeroSize, stateNonZeroSize;
1168  std::tie(stateZeroSize, stateNonZeroSize) =
1169  assumeZero(C, state, sizeVal, sizeTy);
1170 
1171  // If the size can be zero, the result will be 0 in that case, and we don't
1172  // have to check either of the buffers.
1173  if (stateZeroSize) {
1174  state = stateZeroSize;
1175  state = state->BindExpr(CE, LCtx,
1176  svalBuilder.makeZeroVal(CE->getType()));
1177  C.addTransition(state);
1178  }
1179 
1180  // If the size can be nonzero, we have to check the other arguments.
1181  if (stateNonZeroSize) {
1182  state = stateNonZeroSize;
1183  // If we know the two buffers are the same, we know the result is 0.
1184  // First, get the two buffers' addresses. Another checker will have already
1185  // made sure they're not undefined.
1187  state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>();
1189  state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>();
1190 
1191  // See if they are the same.
1192  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1193  ProgramStateRef StSameBuf, StNotSameBuf;
1194  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1195 
1196  // If the two arguments might be the same buffer, we know the result is 0,
1197  // and we only need to check one size.
1198  if (StSameBuf) {
1199  state = StSameBuf;
1200  state = CheckBufferAccess(C, state, Size, Left);
1201  if (state) {
1202  state = StSameBuf->BindExpr(CE, LCtx,
1203  svalBuilder.makeZeroVal(CE->getType()));
1204  C.addTransition(state);
1205  }
1206  }
1207 
1208  // If the two arguments might be different buffers, we have to check the
1209  // size of both of them.
1210  if (StNotSameBuf) {
1211  state = StNotSameBuf;
1212  state = CheckBufferAccess(C, state, Size, Left, Right);
1213  if (state) {
1214  // The return value is the comparison result, which we don't know.
1215  SVal CmpV = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1216  C.blockCount());
1217  state = state->BindExpr(CE, LCtx, CmpV);
1218  C.addTransition(state);
1219  }
1220  }
1221  }
1222 }
1223 
1224 void CStringChecker::evalstrLength(CheckerContext &C,
1225  const CallExpr *CE) const {
1226  if (CE->getNumArgs() < 1)
1227  return;
1228 
1229  // size_t strlen(const char *s);
1230  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1231 }
1232 
1233 void CStringChecker::evalstrnLength(CheckerContext &C,
1234  const CallExpr *CE) const {
1235  if (CE->getNumArgs() < 2)
1236  return;
1237 
1238  // size_t strnlen(const char *s, size_t maxlen);
1239  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1240 }
1241 
1242 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1243  bool IsStrnlen) const {
1244  CurrentFunctionDescription = "string length function";
1245  ProgramStateRef state = C.getState();
1246  const LocationContext *LCtx = C.getLocationContext();
1247 
1248  if (IsStrnlen) {
1249  const Expr *maxlenExpr = CE->getArg(1);
1250  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1251 
1252  ProgramStateRef stateZeroSize, stateNonZeroSize;
1253  std::tie(stateZeroSize, stateNonZeroSize) =
1254  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1255 
1256  // If the size can be zero, the result will be 0 in that case, and we don't
1257  // have to check the string itself.
1258  if (stateZeroSize) {
1259  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1260  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1261  C.addTransition(stateZeroSize);
1262  }
1263 
1264  // If the size is GUARANTEED to be zero, we're done!
1265  if (!stateNonZeroSize)
1266  return;
1267 
1268  // Otherwise, record the assumption that the size is nonzero.
1269  state = stateNonZeroSize;
1270  }
1271 
1272  // Check that the string argument is non-null.
1273  const Expr *Arg = CE->getArg(0);
1274  SVal ArgVal = state->getSVal(Arg, LCtx);
1275 
1276  state = checkNonNull(C, state, Arg, ArgVal);
1277 
1278  if (!state)
1279  return;
1280 
1281  SVal strLength = getCStringLength(C, state, Arg, ArgVal);
1282 
1283  // If the argument isn't a valid C string, there's no valid state to
1284  // transition to.
1285  if (strLength.isUndef())
1286  return;
1287 
1288  DefinedOrUnknownSVal result = UnknownVal();
1289 
1290  // If the check is for strnlen() then bind the return value to no more than
1291  // the maxlen value.
1292  if (IsStrnlen) {
1294 
1295  // It's a little unfortunate to be getting this again,
1296  // but it's not that expensive...
1297  const Expr *maxlenExpr = CE->getArg(1);
1298  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1299 
1300  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1301  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1302 
1303  if (strLengthNL && maxlenValNL) {
1304  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1305 
1306  // Check if the strLength is greater than the maxlen.
1307  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1308  C.getSValBuilder()
1309  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1311 
1312  if (stateStringTooLong && !stateStringNotTooLong) {
1313  // If the string is longer than maxlen, return maxlen.
1314  result = *maxlenValNL;
1315  } else if (stateStringNotTooLong && !stateStringTooLong) {
1316  // If the string is shorter than maxlen, return its length.
1317  result = *strLengthNL;
1318  }
1319  }
1320 
1321  if (result.isUnknown()) {
1322  // If we don't have enough information for a comparison, there's
1323  // no guarantee the full string length will actually be returned.
1324  // All we know is the return value is the min of the string length
1325  // and the limit. This is better than nothing.
1326  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1327  C.blockCount());
1328  NonLoc resultNL = result.castAs<NonLoc>();
1329 
1330  if (strLengthNL) {
1331  state = state->assume(C.getSValBuilder().evalBinOpNN(
1332  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1333  .castAs<DefinedOrUnknownSVal>(), true);
1334  }
1335 
1336  if (maxlenValNL) {
1337  state = state->assume(C.getSValBuilder().evalBinOpNN(
1338  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1339  .castAs<DefinedOrUnknownSVal>(), true);
1340  }
1341  }
1342 
1343  } else {
1344  // This is a plain strlen(), not strnlen().
1345  result = strLength.castAs<DefinedOrUnknownSVal>();
1346 
1347  // If we don't know the length of the string, conjure a return
1348  // value, so it can be used in constraints, at least.
1349  if (result.isUnknown()) {
1350  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1351  C.blockCount());
1352  }
1353  }
1354 
1355  // Bind the return value.
1356  assert(!result.isUnknown() && "Should have conjured a value by now");
1357  state = state->BindExpr(CE, LCtx, result);
1358  C.addTransition(state);
1359 }
1360 
1361 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1362  if (CE->getNumArgs() < 2)
1363  return;
1364 
1365  // char *strcpy(char *restrict dst, const char *restrict src);
1366  evalStrcpyCommon(C, CE,
1367  /* returnEnd = */ false,
1368  /* isBounded = */ false,
1369  /* isAppending = */ false);
1370 }
1371 
1372 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1373  if (CE->getNumArgs() < 3)
1374  return;
1375 
1376  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1377  evalStrcpyCommon(C, CE,
1378  /* returnEnd = */ false,
1379  /* isBounded = */ true,
1380  /* isAppending = */ false);
1381 }
1382 
1383 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1384  if (CE->getNumArgs() < 2)
1385  return;
1386 
1387  // char *stpcpy(char *restrict dst, const char *restrict src);
1388  evalStrcpyCommon(C, CE,
1389  /* returnEnd = */ true,
1390  /* isBounded = */ false,
1391  /* isAppending = */ false);
1392 }
1393 
1394 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1395  if (CE->getNumArgs() < 2)
1396  return;
1397 
1398  //char *strcat(char *restrict s1, const char *restrict s2);
1399  evalStrcpyCommon(C, CE,
1400  /* returnEnd = */ false,
1401  /* isBounded = */ false,
1402  /* isAppending = */ true);
1403 }
1404 
1405 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1406  if (CE->getNumArgs() < 3)
1407  return;
1408 
1409  //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1410  evalStrcpyCommon(C, CE,
1411  /* returnEnd = */ false,
1412  /* isBounded = */ true,
1413  /* isAppending = */ true);
1414 }
1415 
1416 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1417  bool returnEnd, bool isBounded,
1418  bool isAppending) const {
1419  CurrentFunctionDescription = "string copy function";
1420  ProgramStateRef state = C.getState();
1421  const LocationContext *LCtx = C.getLocationContext();
1422 
1423  // Check that the destination is non-null.
1424  const Expr *Dst = CE->getArg(0);
1425  SVal DstVal = state->getSVal(Dst, LCtx);
1426 
1427  state = checkNonNull(C, state, Dst, DstVal);
1428  if (!state)
1429  return;
1430 
1431  // Check that the source is non-null.
1432  const Expr *srcExpr = CE->getArg(1);
1433  SVal srcVal = state->getSVal(srcExpr, LCtx);
1434  state = checkNonNull(C, state, srcExpr, srcVal);
1435  if (!state)
1436  return;
1437 
1438  // Get the string length of the source.
1439  SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
1440 
1441  // If the source isn't a valid C string, give up.
1442  if (strLength.isUndef())
1443  return;
1444 
1445  SValBuilder &svalBuilder = C.getSValBuilder();
1446  QualType cmpTy = svalBuilder.getConditionType();
1447  QualType sizeTy = svalBuilder.getContext().getSizeType();
1448 
1449  // These two values allow checking two kinds of errors:
1450  // - actual overflows caused by a source that doesn't fit in the destination
1451  // - potential overflows caused by a bound that could exceed the destination
1452  SVal amountCopied = UnknownVal();
1453  SVal maxLastElementIndex = UnknownVal();
1454  const char *boundWarning = nullptr;
1455 
1456  // If the function is strncpy, strncat, etc... it is bounded.
1457  if (isBounded) {
1458  // Get the max number of characters to copy.
1459  const Expr *lenExpr = CE->getArg(2);
1460  SVal lenVal = state->getSVal(lenExpr, LCtx);
1461 
1462  // Protect against misdeclared strncpy().
1463  lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
1464 
1465  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1466  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1467 
1468  // If we know both values, we might be able to figure out how much
1469  // we're copying.
1470  if (strLengthNL && lenValNL) {
1471  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1472 
1473  // Check if the max number to copy is less than the length of the src.
1474  // If the bound is equal to the source length, strncpy won't null-
1475  // terminate the result!
1476  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1477  svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1479 
1480  if (stateSourceTooLong && !stateSourceNotTooLong) {
1481  // Max number to copy is less than the length of the src, so the actual
1482  // strLength copied is the max number arg.
1483  state = stateSourceTooLong;
1484  amountCopied = lenVal;
1485 
1486  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1487  // The source buffer entirely fits in the bound.
1488  state = stateSourceNotTooLong;
1489  amountCopied = strLength;
1490  }
1491  }
1492 
1493  // We still want to know if the bound is known to be too large.
1494  if (lenValNL) {
1495  if (isAppending) {
1496  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1497 
1498  // Get the string length of the destination. If the destination is
1499  // memory that can't have a string length, we shouldn't be copying
1500  // into it anyway.
1501  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1502  if (dstStrLength.isUndef())
1503  return;
1504 
1505  if (Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>()) {
1506  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add,
1507  *lenValNL,
1508  *dstStrLengthNL,
1509  sizeTy);
1510  boundWarning = "Size argument is greater than the free space in the "
1511  "destination buffer";
1512  }
1513 
1514  } else {
1515  // For strncpy, this is just checking that lenVal <= sizeof(dst)
1516  // (Yes, strncpy and strncat differ in how they treat termination.
1517  // strncat ALWAYS terminates, but strncpy doesn't.)
1518 
1519  // We need a special case for when the copy size is zero, in which
1520  // case strncpy will do no work at all. Our bounds check uses n-1
1521  // as the last element accessed, so n == 0 is problematic.
1522  ProgramStateRef StateZeroSize, StateNonZeroSize;
1523  std::tie(StateZeroSize, StateNonZeroSize) =
1524  assumeZero(C, state, *lenValNL, sizeTy);
1525 
1526  // If the size is known to be zero, we're done.
1527  if (StateZeroSize && !StateNonZeroSize) {
1528  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1529  C.addTransition(StateZeroSize);
1530  return;
1531  }
1532 
1533  // Otherwise, go ahead and figure out the last element we'll touch.
1534  // We don't record the non-zero assumption here because we can't
1535  // be sure. We won't warn on a possible zero.
1536  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1537  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1538  one, sizeTy);
1539  boundWarning = "Size argument is greater than the length of the "
1540  "destination buffer";
1541  }
1542  }
1543 
1544  // If we couldn't pin down the copy length, at least bound it.
1545  // FIXME: We should actually run this code path for append as well, but
1546  // right now it creates problems with constraints (since we can end up
1547  // trying to pass constraints from symbol to symbol).
1548  if (amountCopied.isUnknown() && !isAppending) {
1549  // Try to get a "hypothetical" string length symbol, which we can later
1550  // set as a real value if that turns out to be the case.
1551  amountCopied = getCStringLength(C, state, lenExpr, srcVal, true);
1552  assert(!amountCopied.isUndef());
1553 
1554  if (Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>()) {
1555  if (lenValNL) {
1556  // amountCopied <= lenVal
1557  SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE,
1558  *amountCopiedNL,
1559  *lenValNL,
1560  cmpTy);
1561  state = state->assume(
1562  copiedLessThanBound.castAs<DefinedOrUnknownSVal>(), true);
1563  if (!state)
1564  return;
1565  }
1566 
1567  if (strLengthNL) {
1568  // amountCopied <= strlen(source)
1569  SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE,
1570  *amountCopiedNL,
1571  *strLengthNL,
1572  cmpTy);
1573  state = state->assume(
1574  copiedLessThanSrc.castAs<DefinedOrUnknownSVal>(), true);
1575  if (!state)
1576  return;
1577  }
1578  }
1579  }
1580 
1581  } else {
1582  // The function isn't bounded. The amount copied should match the length
1583  // of the source buffer.
1584  amountCopied = strLength;
1585  }
1586 
1587  assert(state);
1588 
1589  // This represents the number of characters copied into the destination
1590  // buffer. (It may not actually be the strlen if the destination buffer
1591  // is not terminated.)
1592  SVal finalStrLength = UnknownVal();
1593 
1594  // If this is an appending function (strcat, strncat...) then set the
1595  // string length to strlen(src) + strlen(dst) since the buffer will
1596  // ultimately contain both.
1597  if (isAppending) {
1598  // Get the string length of the destination. If the destination is memory
1599  // that can't have a string length, we shouldn't be copying into it anyway.
1600  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1601  if (dstStrLength.isUndef())
1602  return;
1603 
1604  Optional<NonLoc> srcStrLengthNL = amountCopied.getAs<NonLoc>();
1605  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1606 
1607  // If we know both string lengths, we might know the final string length.
1608  if (srcStrLengthNL && dstStrLengthNL) {
1609  // Make sure the two lengths together don't overflow a size_t.
1610  state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL);
1611  if (!state)
1612  return;
1613 
1614  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL,
1615  *dstStrLengthNL, sizeTy);
1616  }
1617 
1618  // If we couldn't get a single value for the final string length,
1619  // we can at least bound it by the individual lengths.
1620  if (finalStrLength.isUnknown()) {
1621  // Try to get a "hypothetical" string length symbol, which we can later
1622  // set as a real value if that turns out to be the case.
1623  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1624  assert(!finalStrLength.isUndef());
1625 
1626  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1627  if (srcStrLengthNL) {
1628  // finalStrLength >= srcStrLength
1629  SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1630  *finalStrLengthNL,
1631  *srcStrLengthNL,
1632  cmpTy);
1633  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1634  true);
1635  if (!state)
1636  return;
1637  }
1638 
1639  if (dstStrLengthNL) {
1640  // finalStrLength >= dstStrLength
1641  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1642  *finalStrLengthNL,
1643  *dstStrLengthNL,
1644  cmpTy);
1645  state =
1646  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1647  if (!state)
1648  return;
1649  }
1650  }
1651  }
1652 
1653  } else {
1654  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1655  // the final string length will match the input string length.
1656  finalStrLength = amountCopied;
1657  }
1658 
1659  // The final result of the function will either be a pointer past the last
1660  // copied element, or a pointer to the start of the destination buffer.
1661  SVal Result = (returnEnd ? UnknownVal() : DstVal);
1662 
1663  assert(state);
1664 
1665  // If the destination is a MemRegion, try to check for a buffer overflow and
1666  // record the new string length.
1667  if (Optional<loc::MemRegionVal> dstRegVal =
1668  DstVal.getAs<loc::MemRegionVal>()) {
1669  QualType ptrTy = Dst->getType();
1670 
1671  // If we have an exact value on a bounded copy, use that to check for
1672  // overflows, rather than our estimate about how much is actually copied.
1673  if (boundWarning) {
1674  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1675  SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1676  *maxLastNL, ptrTy);
1677  state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
1678  boundWarning);
1679  if (!state)
1680  return;
1681  }
1682  }
1683 
1684  // Then, if the final length is known...
1685  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1686  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1687  *knownStrLength, ptrTy);
1688 
1689  // ...and we haven't checked the bound, we'll check the actual copy.
1690  if (!boundWarning) {
1691  const char * const warningMsg =
1692  "String copy function overflows destination buffer";
1693  state = CheckLocation(C, state, Dst, lastElement, warningMsg);
1694  if (!state)
1695  return;
1696  }
1697 
1698  // If this is a stpcpy-style copy, the last element is the return value.
1699  if (returnEnd)
1700  Result = lastElement;
1701  }
1702 
1703  // Invalidate the destination (regular invalidation without pointer-escaping
1704  // the address of the top-level region). This must happen before we set the
1705  // C string length because invalidation will clear the length.
1706  // FIXME: Even if we can't perfectly model the copy, we should see if we
1707  // can use LazyCompoundVals to copy the source values into the destination.
1708  // This would probably remove any existing bindings past the end of the
1709  // string, but that's still an improvement over blank invalidation.
1710  state = InvalidateBuffer(C, state, Dst, *dstRegVal,
1711  /*IsSourceBuffer*/false, nullptr);
1712 
1713  // Invalidate the source (const-invalidation without const-pointer-escaping
1714  // the address of the top-level region).
1715  state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
1716  nullptr);
1717 
1718  // Set the C string length of the destination, if we know it.
1719  if (isBounded && !isAppending) {
1720  // strncpy is annoying in that it doesn't guarantee to null-terminate
1721  // the result string. If the original string didn't fit entirely inside
1722  // the bound (including the null-terminator), we don't know how long the
1723  // result is.
1724  if (amountCopied != strLength)
1725  finalStrLength = UnknownVal();
1726  }
1727  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1728  }
1729 
1730  assert(state);
1731 
1732  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1733  // overflow, we still need a result. Conjure a return value.
1734  if (returnEnd && Result.isUnknown()) {
1735  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1736  }
1737 
1738  // Set the return value.
1739  state = state->BindExpr(CE, LCtx, Result);
1740  C.addTransition(state);
1741 }
1742 
1743 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1744  if (CE->getNumArgs() < 2)
1745  return;
1746 
1747  //int strcmp(const char *s1, const char *s2);
1748  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false);
1749 }
1750 
1751 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1752  if (CE->getNumArgs() < 3)
1753  return;
1754 
1755  //int strncmp(const char *s1, const char *s2, size_t n);
1756  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false);
1757 }
1758 
1759 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1760  const CallExpr *CE) const {
1761  if (CE->getNumArgs() < 2)
1762  return;
1763 
1764  //int strcasecmp(const char *s1, const char *s2);
1765  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true);
1766 }
1767 
1768 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1769  const CallExpr *CE) const {
1770  if (CE->getNumArgs() < 3)
1771  return;
1772 
1773  //int strncasecmp(const char *s1, const char *s2, size_t n);
1774  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true);
1775 }
1776 
1777 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1778  bool isBounded, bool ignoreCase) const {
1779  CurrentFunctionDescription = "string comparison function";
1780  ProgramStateRef state = C.getState();
1781  const LocationContext *LCtx = C.getLocationContext();
1782 
1783  // Check that the first string is non-null
1784  const Expr *s1 = CE->getArg(0);
1785  SVal s1Val = state->getSVal(s1, LCtx);
1786  state = checkNonNull(C, state, s1, s1Val);
1787  if (!state)
1788  return;
1789 
1790  // Check that the second string is non-null.
1791  const Expr *s2 = CE->getArg(1);
1792  SVal s2Val = state->getSVal(s2, LCtx);
1793  state = checkNonNull(C, state, s2, s2Val);
1794  if (!state)
1795  return;
1796 
1797  // Get the string length of the first string or give up.
1798  SVal s1Length = getCStringLength(C, state, s1, s1Val);
1799  if (s1Length.isUndef())
1800  return;
1801 
1802  // Get the string length of the second string or give up.
1803  SVal s2Length = getCStringLength(C, state, s2, s2Val);
1804  if (s2Length.isUndef())
1805  return;
1806 
1807  // If we know the two buffers are the same, we know the result is 0.
1808  // First, get the two buffers' addresses. Another checker will have already
1809  // made sure they're not undefined.
1812 
1813  // See if they are the same.
1814  SValBuilder &svalBuilder = C.getSValBuilder();
1815  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1816  ProgramStateRef StSameBuf, StNotSameBuf;
1817  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1818 
1819  // If the two arguments might be the same buffer, we know the result is 0,
1820  // and we only need to check one size.
1821  if (StSameBuf) {
1822  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
1823  svalBuilder.makeZeroVal(CE->getType()));
1824  C.addTransition(StSameBuf);
1825 
1826  // If the two arguments are GUARANTEED to be the same, we're done!
1827  if (!StNotSameBuf)
1828  return;
1829  }
1830 
1831  assert(StNotSameBuf);
1832  state = StNotSameBuf;
1833 
1834  // At this point we can go about comparing the two buffers.
1835  // For now, we only do this if they're both known string literals.
1836 
1837  // Attempt to extract string literals from both expressions.
1838  const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val);
1839  const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val);
1840  bool canComputeResult = false;
1841  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1842  C.blockCount());
1843 
1844  if (s1StrLiteral && s2StrLiteral) {
1845  StringRef s1StrRef = s1StrLiteral->getString();
1846  StringRef s2StrRef = s2StrLiteral->getString();
1847 
1848  if (isBounded) {
1849  // Get the max number of characters to compare.
1850  const Expr *lenExpr = CE->getArg(2);
1851  SVal lenVal = state->getSVal(lenExpr, LCtx);
1852 
1853  // If the length is known, we can get the right substrings.
1854  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
1855  // Create substrings of each to compare the prefix.
1856  s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
1857  s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue());
1858  canComputeResult = true;
1859  }
1860  } else {
1861  // This is a normal, unbounded strcmp.
1862  canComputeResult = true;
1863  }
1864 
1865  if (canComputeResult) {
1866  // Real strcmp stops at null characters.
1867  size_t s1Term = s1StrRef.find('\0');
1868  if (s1Term != StringRef::npos)
1869  s1StrRef = s1StrRef.substr(0, s1Term);
1870 
1871  size_t s2Term = s2StrRef.find('\0');
1872  if (s2Term != StringRef::npos)
1873  s2StrRef = s2StrRef.substr(0, s2Term);
1874 
1875  // Use StringRef's comparison methods to compute the actual result.
1876  int compareRes = ignoreCase ? s1StrRef.compare_lower(s2StrRef)
1877  : s1StrRef.compare(s2StrRef);
1878 
1879  // The strcmp function returns an integer greater than, equal to, or less
1880  // than zero, [c11, p7.24.4.2].
1881  if (compareRes == 0) {
1882  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
1883  }
1884  else {
1885  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
1886  // Constrain strcmp's result range based on the result of StringRef's
1887  // comparison methods.
1888  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
1889  SVal compareWithZero =
1890  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
1891  svalBuilder.getConditionType());
1892  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
1893  state = state->assume(compareWithZeroVal, true);
1894  }
1895  }
1896  }
1897 
1898  state = state->BindExpr(CE, LCtx, resultVal);
1899 
1900  // Record this as a possible path.
1901  C.addTransition(state);
1902 }
1903 
1904 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
1905  //char *strsep(char **stringp, const char *delim);
1906  if (CE->getNumArgs() < 2)
1907  return;
1908 
1909  // Sanity: does the search string parameter match the return type?
1910  const Expr *SearchStrPtr = CE->getArg(0);
1911  QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType();
1912  if (CharPtrTy.isNull() ||
1913  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
1914  return;
1915 
1916  CurrentFunctionDescription = "strsep()";
1917  ProgramStateRef State = C.getState();
1918  const LocationContext *LCtx = C.getLocationContext();
1919 
1920  // Check that the search string pointer is non-null (though it may point to
1921  // a null string).
1922  SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx);
1923  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
1924  if (!State)
1925  return;
1926 
1927  // Check that the delimiter string is non-null.
1928  const Expr *DelimStr = CE->getArg(1);
1929  SVal DelimStrVal = State->getSVal(DelimStr, LCtx);
1930  State = checkNonNull(C, State, DelimStr, DelimStrVal);
1931  if (!State)
1932  return;
1933 
1934  SValBuilder &SVB = C.getSValBuilder();
1935  SVal Result;
1936  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
1937  // Get the current value of the search string pointer, as a char*.
1938  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
1939 
1940  // Invalidate the search string, representing the change of one delimiter
1941  // character to NUL.
1942  State = InvalidateBuffer(C, State, SearchStrPtr, Result,
1943  /*IsSourceBuffer*/false, nullptr);
1944 
1945  // Overwrite the search string pointer. The new value is either an address
1946  // further along in the same string, or NULL if there are no more tokens.
1947  State = State->bindLoc(*SearchStrLoc,
1948  SVB.conjureSymbolVal(getTag(),
1949  CE,
1950  LCtx,
1951  CharPtrTy,
1952  C.blockCount()),
1953  LCtx);
1954  } else {
1955  assert(SearchStrVal.isUnknown());
1956  // Conjure a symbolic value. It's the best we can do.
1957  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1958  }
1959 
1960  // Set the return value, and finish.
1961  State = State->BindExpr(CE, LCtx, Result);
1962  C.addTransition(State);
1963 }
1964 
1965 // These should probably be moved into a C++ standard library checker.
1966 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
1967  evalStdCopyCommon(C, CE);
1968 }
1969 
1970 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
1971  const CallExpr *CE) const {
1972  evalStdCopyCommon(C, CE);
1973 }
1974 
1975 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
1976  const CallExpr *CE) const {
1977  if (CE->getNumArgs() < 3)
1978  return;
1979 
1980  ProgramStateRef State = C.getState();
1981 
1982  const LocationContext *LCtx = C.getLocationContext();
1983 
1984  // template <class _InputIterator, class _OutputIterator>
1985  // _OutputIterator
1986  // copy(_InputIterator __first, _InputIterator __last,
1987  // _OutputIterator __result)
1988 
1989  // Invalidate the destination buffer
1990  const Expr *Dst = CE->getArg(2);
1991  SVal DstVal = State->getSVal(Dst, LCtx);
1992  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
1993  /*Size=*/nullptr);
1994 
1995  SValBuilder &SVB = C.getSValBuilder();
1996 
1997  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1998  State = State->BindExpr(CE, LCtx, ResultVal);
1999 
2000  C.addTransition(State);
2001 }
2002 
2003 void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
2004  if (CE->getNumArgs() != 3)
2005  return;
2006 
2007  CurrentFunctionDescription = "memory set function";
2008 
2009  const Expr *Mem = CE->getArg(0);
2010  const Expr *Size = CE->getArg(2);
2011  ProgramStateRef State = C.getState();
2012 
2013  // See if the size argument is zero.
2014  const LocationContext *LCtx = C.getLocationContext();
2015  SVal SizeVal = State->getSVal(Size, LCtx);
2016  QualType SizeTy = Size->getType();
2017 
2018  ProgramStateRef StateZeroSize, StateNonZeroSize;
2019  std::tie(StateZeroSize, StateNonZeroSize) =
2020  assumeZero(C, State, SizeVal, SizeTy);
2021 
2022  // Get the value of the memory area.
2023  SVal MemVal = State->getSVal(Mem, LCtx);
2024 
2025  // If the size is zero, there won't be any actual memory access, so
2026  // just bind the return value to the Mem buffer and return.
2027  if (StateZeroSize && !StateNonZeroSize) {
2028  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, MemVal);
2029  C.addTransition(StateZeroSize);
2030  return;
2031  }
2032 
2033  // Ensure the memory area is not null.
2034  // If it is NULL there will be a NULL pointer dereference.
2035  State = checkNonNull(C, StateNonZeroSize, Mem, MemVal);
2036  if (!State)
2037  return;
2038 
2039  State = CheckBufferAccess(C, State, Size, Mem);
2040  if (!State)
2041  return;
2042  State = InvalidateBuffer(C, State, Mem, C.getSVal(Mem),
2043  /*IsSourceBuffer*/false, Size);
2044  if (!State)
2045  return;
2046 
2047  State = State->BindExpr(CE, LCtx, MemVal);
2048  C.addTransition(State);
2049 }
2050 
2051 static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name) {
2052  IdentifierInfo *II = FD->getIdentifier();
2053  if (!II)
2054  return false;
2055 
2057  return false;
2058 
2059  if (II->getName().equals(Name))
2060  return true;
2061 
2062  return false;
2063 }
2064 //===----------------------------------------------------------------------===//
2065 // The driver method, and other Checker callbacks.
2066 //===----------------------------------------------------------------------===//
2067 
2068 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
2069  const FunctionDecl *FDecl = C.getCalleeDecl(CE);
2070 
2071  if (!FDecl)
2072  return false;
2073 
2074  // FIXME: Poorly-factored string switches are slow.
2075  FnCheck evalFunction = nullptr;
2076  if (C.isCLibraryFunction(FDecl, "memcpy"))
2077  evalFunction = &CStringChecker::evalMemcpy;
2078  else if (C.isCLibraryFunction(FDecl, "mempcpy"))
2079  evalFunction = &CStringChecker::evalMempcpy;
2080  else if (C.isCLibraryFunction(FDecl, "memcmp"))
2081  evalFunction = &CStringChecker::evalMemcmp;
2082  else if (C.isCLibraryFunction(FDecl, "memmove"))
2083  evalFunction = &CStringChecker::evalMemmove;
2084  else if (C.isCLibraryFunction(FDecl, "memset"))
2085  evalFunction = &CStringChecker::evalMemset;
2086  else if (C.isCLibraryFunction(FDecl, "strcpy"))
2087  evalFunction = &CStringChecker::evalStrcpy;
2088  else if (C.isCLibraryFunction(FDecl, "strncpy"))
2089  evalFunction = &CStringChecker::evalStrncpy;
2090  else if (C.isCLibraryFunction(FDecl, "stpcpy"))
2091  evalFunction = &CStringChecker::evalStpcpy;
2092  else if (C.isCLibraryFunction(FDecl, "strcat"))
2093  evalFunction = &CStringChecker::evalStrcat;
2094  else if (C.isCLibraryFunction(FDecl, "strncat"))
2095  evalFunction = &CStringChecker::evalStrncat;
2096  else if (C.isCLibraryFunction(FDecl, "strlen"))
2097  evalFunction = &CStringChecker::evalstrLength;
2098  else if (C.isCLibraryFunction(FDecl, "strnlen"))
2099  evalFunction = &CStringChecker::evalstrnLength;
2100  else if (C.isCLibraryFunction(FDecl, "strcmp"))
2101  evalFunction = &CStringChecker::evalStrcmp;
2102  else if (C.isCLibraryFunction(FDecl, "strncmp"))
2103  evalFunction = &CStringChecker::evalStrncmp;
2104  else if (C.isCLibraryFunction(FDecl, "strcasecmp"))
2105  evalFunction = &CStringChecker::evalStrcasecmp;
2106  else if (C.isCLibraryFunction(FDecl, "strncasecmp"))
2107  evalFunction = &CStringChecker::evalStrncasecmp;
2108  else if (C.isCLibraryFunction(FDecl, "strsep"))
2109  evalFunction = &CStringChecker::evalStrsep;
2110  else if (C.isCLibraryFunction(FDecl, "bcopy"))
2111  evalFunction = &CStringChecker::evalBcopy;
2112  else if (C.isCLibraryFunction(FDecl, "bcmp"))
2113  evalFunction = &CStringChecker::evalMemcmp;
2114  else if (isCPPStdLibraryFunction(FDecl, "copy"))
2115  evalFunction = &CStringChecker::evalStdCopy;
2116  else if (isCPPStdLibraryFunction(FDecl, "copy_backward"))
2117  evalFunction = &CStringChecker::evalStdCopyBackward;
2118 
2119  // If the callee isn't a string function, let another checker handle it.
2120  if (!evalFunction)
2121  return false;
2122 
2123  // Check and evaluate the call.
2124  (this->*evalFunction)(C, CE);
2125 
2126  // If the evaluate call resulted in no change, chain to the next eval call
2127  // handler.
2128  // Note, the custom CString evaluation calls assume that basic safety
2129  // properties are held. However, if the user chooses to turn off some of these
2130  // checks, we ignore the issues and leave the call evaluation to a generic
2131  // handler.
2132  return C.isDifferent();
2133 }
2134 
2135 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2136  // Record string length for char a[] = "abc";
2137  ProgramStateRef state = C.getState();
2138 
2139  for (const auto *I : DS->decls()) {
2140  const VarDecl *D = dyn_cast<VarDecl>(I);
2141  if (!D)
2142  continue;
2143 
2144  // FIXME: Handle array fields of structs.
2145  if (!D->getType()->isArrayType())
2146  continue;
2147 
2148  const Expr *Init = D->getInit();
2149  if (!Init)
2150  continue;
2151  if (!isa<StringLiteral>(Init))
2152  continue;
2153 
2154  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2155  const MemRegion *MR = VarLoc.getAsRegion();
2156  if (!MR)
2157  continue;
2158 
2159  SVal StrVal = state->getSVal(Init, C.getLocationContext());
2160  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2161  DefinedOrUnknownSVal strLength =
2162  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2163 
2164  state = state->set<CStringLength>(MR, strLength);
2165  }
2166 
2167  C.addTransition(state);
2168 }
2169 
2170 ProgramStateRef
2171 CStringChecker::checkRegionChanges(ProgramStateRef state,
2172  const InvalidatedSymbols *,
2173  ArrayRef<const MemRegion *> ExplicitRegions,
2175  const LocationContext *LCtx,
2176  const CallEvent *Call) const {
2177  CStringLengthTy Entries = state->get<CStringLength>();
2178  if (Entries.isEmpty())
2179  return state;
2180 
2181  llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
2182  llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
2183 
2184  // First build sets for the changed regions and their super-regions.
2186  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2187  const MemRegion *MR = *I;
2188  Invalidated.insert(MR);
2189 
2190  SuperRegions.insert(MR);
2191  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2192  MR = SR->getSuperRegion();
2193  SuperRegions.insert(MR);
2194  }
2195  }
2196 
2197  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2198 
2199  // Then loop over the entries in the current state.
2200  for (CStringLengthTy::iterator I = Entries.begin(),
2201  E = Entries.end(); I != E; ++I) {
2202  const MemRegion *MR = I.getKey();
2203 
2204  // Is this entry for a super-region of a changed region?
2205  if (SuperRegions.count(MR)) {
2206  Entries = F.remove(Entries, MR);
2207  continue;
2208  }
2209 
2210  // Is this entry for a sub-region of a changed region?
2211  const MemRegion *Super = MR;
2212  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2213  Super = SR->getSuperRegion();
2214  if (Invalidated.count(Super)) {
2215  Entries = F.remove(Entries, MR);
2216  break;
2217  }
2218  }
2219  }
2220 
2221  return state->set<CStringLength>(Entries);
2222 }
2223 
2224 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2225  SymbolReaper &SR) const {
2226  // Mark all symbols in our string length map as valid.
2227  CStringLengthTy Entries = state->get<CStringLength>();
2228 
2229  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2230  I != E; ++I) {
2231  SVal Len = I.getData();
2232 
2233  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2234  se = Len.symbol_end(); si != se; ++si)
2235  SR.markInUse(*si);
2236  }
2237 }
2238 
2239 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2240  CheckerContext &C) const {
2241  if (!SR.hasDeadSymbols())
2242  return;
2243 
2244  ProgramStateRef state = C.getState();
2245  CStringLengthTy Entries = state->get<CStringLength>();
2246  if (Entries.isEmpty())
2247  return;
2248 
2249  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2250  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2251  I != E; ++I) {
2252  SVal Len = I.getData();
2253  if (SymbolRef Sym = Len.getAsSymbol()) {
2254  if (SR.isDead(Sym))
2255  Entries = F.remove(Entries, I.getKey());
2256  }
2257  }
2258 
2259  state = state->set<CStringLength>(Entries);
2260  C.addTransition(state);
2261 }
2262 
2263 #define REGISTER_CHECKER(name) \
2264  void ento::register##name(CheckerManager &mgr) { \
2265  CStringChecker *checker = mgr.registerChecker<CStringChecker>(); \
2266  checker->Filter.Check##name = true; \
2267  checker->Filter.CheckName##name = mgr.getCurrentCheckName(); \
2268  }
2269 
2270 REGISTER_CHECKER(CStringNullArg)
2271 REGISTER_CHECKER(CStringOutOfBounds)
2272 REGISTER_CHECKER(CStringBufferOverlap)
2273 REGISTER_CHECKER(CStringNotNullTerm)
2274 
2276  registerCStringNullArg(Mgr);
2277 }
FunctionDecl - An instance of this class is created to represent a function declaration or definition...
Definition: Decl.h:1618
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
Definition: ASTMatchers.h:1510
TypedValueRegion - An abstract class representing regions having a typed value.
Definition: MemRegion.h:511
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:254
unsigned Length
A (possibly-)qualified type.
Definition: Type.h:616
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:79
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2275
bool hasDeadSymbols() const
IdentifierInfo * getIdentifier() const
getIdentifier - Get the identifier that names this declaration, if there is one.
Definition: Decl.h:232
Stmt - This represents one statement.
Definition: Stmt.h:60
Information about invalidation for a particular region/symbol.
Definition: MemRegion.h:1383
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
A helper class which wraps a boolean value set to false by default.
Definition: Checker.h:551
ExplodedNode * addTransition(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generates a new transition in the program state graph (ExplodedGraph).
virtual QualType getValueType() const =0
std::string getAsString() const
Definition: Type.h:942
const Expr * getInit() const
Definition: Decl.h:1146
SVal evalCast(SVal val, QualType castTy, QualType originalType)
Value representing integer constant.
Definition: SVals.h:352
VarDecl - An instance of this class is created to represent a variable declaration or definition...
Definition: Decl.h:758
void setTrait(SymbolRef Sym, InvalidationKinds IK)
Definition: MemRegion.cpp:1488
ExplodedNode * getPredecessor()
Returns the previous node in the exploded graph, which includes the state of the program before the c...
const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1091
Symbolic value.
Definition: SymExpr.h:29
void markInUse(SymbolRef sym)
Marks a symbol as important to a checker.
One of these records is kept for each identifier that is lexed.
virtual SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with a memory location and non-location opera...
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:128
const FunctionDecl * getCalleeDecl(const CallExpr *CE) const
Get the declaration of the called function (path-sensitive).
LineState State
Kind getKind() const
Definition: MemRegion.h:148
unsigned blockCount() const
Returns the number of times the current block has been visited along the analyzed path...
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
void registerCStringCheckerBasic(CheckerManager &Mgr)
Register the checker which evaluates CString API calls.
BinaryOperatorKind
static bool isInStdNamespace(const Decl *D)
Returns true if the root namespace of the given declaration is the 'std' C++ namespace.
const StringLiteral * getStringLiteral() const
Definition: MemRegion.h:795
static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name)
A record of the "type" of an APSInt, used for conversions.
Definition: APSIntType.h:20
SymExpr::symbol_iterator symbol_begin() const
Definition: SVals.h:188
bool isValid() const
Definition: SVals.h:140
detail::InMemoryDirectory::const_iterator I
QualType getType() const
Definition: Decl.h:589
const MemRegion * getSuperRegion() const
Definition: MemRegion.h:430
const LocationContext * getLocationContext() const
#define REGISTER_CHECKER(name)
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
const MemRegion * StripCasts(bool StripBaseCasts=true) const
Definition: MemRegion.cpp:1117
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:414
bool isDead(SymbolRef sym) const
Returns whether or not a symbol has been confirmed dead.
DefinedOrUnknownSVal makeZeroVal(QualType type)
Construct an SVal representing '0' for the specified type.
Definition: SValBuilder.cpp:32
Expr - This represents one expression.
Definition: Expr.h:105
StringRef getName() const
Return the actual identifier string.
const ProgramStateRef & getState() const
std::string Label
static bool isCLibraryFunction(const FunctionDecl *FD, StringRef Name=StringRef())
Returns true if the callee is an externally-visible function in the top-level namespace, such as malloc.
Optional< T > getAs() const
Convert to the specified SVal type, returning None if this SVal is not of the desired type...
Definition: SVals.h:100
virtual SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, Loc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two memory location operands.
ExplodedNode * generateNonFatalErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
QualType getConditionType() const
Definition: SValBuilder.h:136
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
DefinedOrUnknownSVal conjureSymbolVal(const void *symbolTag, const Expr *expr, const LocationContext *LCtx, unsigned count)
Create a new symbol with a unique 'name'.
DeclStmt - Adaptor class for mixing declarations with statements and expressions. ...
Definition: Stmt.h:467
ASTContext & getContext()
Definition: SValBuilder.h:131
SymExpr::symbol_iterator symbol_end() const
Definition: SVals.h:196
SVal - This represents a symbolic expression, which can be either an L-value or an R-value...
Definition: SVals.h:63
A class responsible for cleaning up unused symbols.
bool isUndef() const
Definition: SVals.h:132
const llvm::APSInt * evalAPSInt(BinaryOperator::Opcode Op, const llvm::APSInt &V1, const llvm::APSInt &V2)
Tells that a region's contents is not changed.
Definition: MemRegion.h:1397
NonLoc getIndex() const
Definition: MemRegion.h:1085
virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, NonLoc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two non- location operands.
QualType getType() const
Definition: Expr.h:127
CanQualType CharTy
Definition: ASTContext.h:965
llvm::APSInt getValue(uint64_t RawValue) const LLVM_READONLY
Definition: APSIntType.h:70
unsigned getByteLength() const
Definition: Expr.h:1586
StringRef Name
Definition: USRFinder.cpp:123
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
StringRef getString() const
Definition: Expr.h:1554
detail::InMemoryDirectory::const_iterator E
const MemRegion * getAsRegion() const
Definition: SVals.cpp:140
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2263
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:140
SVal convertToArrayIndex(SVal val)
Definition: SValBuilder.cpp:79
DefinedSVal getMetadataSymbolVal(const void *symbolTag, const MemRegion *region, const Expr *expr, QualType type, const LocationContext *LCtx, unsigned count)
BasicValueFactory & getBasicValueFactory()
Definition: SValBuilder.h:144
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:419
bool isUnknown() const
Definition: SVals.h:128
decl_range decls()
Definition: Stmt.h:515
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:5569
DefinedOrUnknownSVal evalEQ(ProgramStateRef state, DefinedOrUnknownSVal lhs, DefinedOrUnknownSVal rhs)
bool trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S, BugReport &R, bool IsArg=false, bool EnableNullFPSuppression=true)
Attempts to add visitors to trace a null or undefined value back to its point of origin, whether it is a symbol constrained to null or an explicit assignment.
QualType getValueType() const override
Definition: MemRegion.h:1087
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:116
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:245
bool isArrayType() const
Definition: Type.h:5751
SValBuilder & getSValBuilder()
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1506
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2206
const llvm::APSInt & getMaxValue(const llvm::APSInt &v)
StringRegion - Region associated with a StringLiteral.
Definition: MemRegion.h:779
ElementRegin is used to represent both array elements and casts.
Definition: MemRegion.h:1066
static LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:174
NamedDecl - This represents a decl with a name.
Definition: Decl.h:213
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:683
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:92
bool isDifferent()
Check if the checker changed the state of the execution; ex: added a new transition or a bug report...
const NamedDecl * Result
Definition: USRFinder.cpp:70
const LocationContext * getLocationContext() const
SVal getSVal(const Stmt *S) const
Get the value of arbitrary expressions at this point in the path.
Iterator over symbols that the current symbol depends on.
Definition: SymExpr.h:68