Bug Summary

File:build/source/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
Warning:line 1547, column 17
Called C++ object pointer is null

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name CStringChecker.cpp -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=cplusplus -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -mframe-pointer=none -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -ffunction-sections -fdata-sections -fcoverage-compilation-dir=/build/source/build-llvm/tools/clang/stage2-bins -resource-dir /usr/lib/llvm-17/lib/clang/17 -I tools/clang/lib/StaticAnalyzer/Checkers -I /build/source/clang/lib/StaticAnalyzer/Checkers -I /build/source/clang/include -I tools/clang/include -I include -I /build/source/llvm/include -D CLANG_REPOSITORY_STRING="++20230206101206+d453d73d0d04-1~exp1~20230206221324.1090" -D _DEBUG -D _GNU_SOURCE -D __STDC_CONSTANT_MACROS -D __STDC_FORMAT_MACROS -D __STDC_LIMIT_MACROS -D _FORTIFY_SOURCE=2 -D NDEBUG -U NDEBUG -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/x86_64-linux-gnu/c++/10 -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/backward -internal-isystem /usr/lib/llvm-17/lib/clang/17/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/10/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/build/source/build-llvm/tools/clang/stage2-bins=build-llvm/tools/clang/stage2-bins -fmacro-prefix-map=/build/source/= -fcoverage-prefix-map=/build/source/build-llvm/tools/clang/stage2-bins=build-llvm/tools/clang/stage2-bins -fcoverage-prefix-map=/build/source/= -source-date-epoch 1675721604 -O2 -Wno-unused-command-line-argument -Wno-unused-parameter -Wwrite-strings -Wno-missing-field-initializers -Wno-long-long -Wno-maybe-uninitialized -Wno-class-memaccess -Wno-redundant-move -Wno-pessimizing-move -Wno-noexcept-type -Wno-comment -Wno-misleading-indentation -std=c++17 -fdeprecated-macro -fdebug-compilation-dir=/build/source/build-llvm/tools/clang/stage2-bins -fdebug-prefix-map=/build/source/build-llvm/tools/clang/stage2-bins=build-llvm/tools/clang/stage2-bins -fdebug-prefix-map=/build/source/= -ferror-limit 19 -fvisibility-inlines-hidden -stack-protector 2 -fgnuc-version=4.2.1 -fcolor-diagnostics -vectorize-loops -vectorize-slp -analyzer-output=html -analyzer-config stable-report-filename=true -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2023-02-07-030702-17298-1 -x c++ /build/source/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

/build/source/clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

1//= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines CStringChecker, which is an assortment of checks on calls
10// to functions in <string.h>.
11//
12//===----------------------------------------------------------------------===//
13
14#include "InterCheckerAPI.h"
15#include "clang/Basic/CharInfo.h"
16#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
17#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18#include "clang/StaticAnalyzer/Core/Checker.h"
19#include "clang/StaticAnalyzer/Core/CheckerManager.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
25#include "llvm/ADT/STLExtras.h"
26#include "llvm/ADT/SmallString.h"
27#include "llvm/ADT/StringExtras.h"
28#include "llvm/Support/raw_ostream.h"
29#include <functional>
30#include <optional>
31
32using namespace clang;
33using namespace ento;
34using namespace std::placeholders;
35
36namespace {
37struct AnyArgExpr {
38 // FIXME: Remove constructor in C++17 to turn it into an aggregate.
39 AnyArgExpr(const Expr *Expression, unsigned ArgumentIndex)
40 : Expression{Expression}, ArgumentIndex{ArgumentIndex} {}
41 const Expr *Expression;
42 unsigned ArgumentIndex;
43};
44
45struct SourceArgExpr : AnyArgExpr {
46 using AnyArgExpr::AnyArgExpr; // FIXME: Remove using in C++17.
47};
48
49struct DestinationArgExpr : AnyArgExpr {
50 using AnyArgExpr::AnyArgExpr; // FIXME: Same.
51};
52
53struct SizeArgExpr : AnyArgExpr {
54 using AnyArgExpr::AnyArgExpr; // FIXME: Same.
55};
56
57using ErrorMessage = SmallString<128>;
58enum class AccessKind { write, read };
59
60static ErrorMessage createOutOfBoundErrorMsg(StringRef FunctionDescription,
61 AccessKind Access) {
62 ErrorMessage Message;
63 llvm::raw_svector_ostream Os(Message);
64
65 // Function classification like: Memory copy function
66 Os << toUppercase(FunctionDescription.front())
67 << &FunctionDescription.data()[1];
68
69 if (Access == AccessKind::write) {
70 Os << " overflows the destination buffer";
71 } else { // read access
72 Os << " accesses out-of-bound array element";
73 }
74
75 return Message;
76}
77
78enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 };
79
80enum class CharKind { Regular = 0, Wide };
81constexpr CharKind CK_Regular = CharKind::Regular;
82constexpr CharKind CK_Wide = CharKind::Wide;
83
84static QualType getCharPtrType(ASTContext &Ctx, CharKind CK) {
85 return Ctx.getPointerType(CK == CharKind::Regular ? Ctx.CharTy
86 : Ctx.WideCharTy);
87}
88
89class CStringChecker : public Checker< eval::Call,
90 check::PreStmt<DeclStmt>,
91 check::LiveSymbols,
92 check::DeadSymbols,
93 check::RegionChanges
94 > {
95 mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
96 BT_NotCString, BT_AdditionOverflow, BT_UninitRead;
97
98 mutable const char *CurrentFunctionDescription;
99
100public:
101 /// The filter is used to filter out the diagnostics which are not enabled by
102 /// the user.
103 struct CStringChecksFilter {
104 bool CheckCStringNullArg = false;
105 bool CheckCStringOutOfBounds = false;
106 bool CheckCStringBufferOverlap = false;
107 bool CheckCStringNotNullTerm = false;
108 bool CheckCStringUninitializedRead = false;
109
110 CheckerNameRef CheckNameCStringNullArg;
111 CheckerNameRef CheckNameCStringOutOfBounds;
112 CheckerNameRef CheckNameCStringBufferOverlap;
113 CheckerNameRef CheckNameCStringNotNullTerm;
114 CheckerNameRef CheckNameCStringUninitializedRead;
115 };
116
117 CStringChecksFilter Filter;
118
119 static void *getTag() { static int tag; return &tag; }
120
121 bool evalCall(const CallEvent &Call, CheckerContext &C) const;
122 void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
123 void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
124 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
125
126 ProgramStateRef
127 checkRegionChanges(ProgramStateRef state,
128 const InvalidatedSymbols *,
129 ArrayRef<const MemRegion *> ExplicitRegions,
130 ArrayRef<const MemRegion *> Regions,
131 const LocationContext *LCtx,
132 const CallEvent *Call) const;
133
134 using FnCheck = std::function<void(const CStringChecker *, CheckerContext &,
135 const CallExpr *)>;
136
137 CallDescriptionMap<FnCheck> Callbacks = {
138 {{CDF_MaybeBuiltin, {"memcpy"}, 3},
139 std::bind(&CStringChecker::evalMemcpy, _1, _2, _3, CK_Regular)},
140 {{CDF_MaybeBuiltin, {"wmemcpy"}, 3},
141 std::bind(&CStringChecker::evalMemcpy, _1, _2, _3, CK_Wide)},
142 {{CDF_MaybeBuiltin, {"mempcpy"}, 3},
143 std::bind(&CStringChecker::evalMempcpy, _1, _2, _3, CK_Regular)},
144 {{CDF_None, {"wmempcpy"}, 3},
145 std::bind(&CStringChecker::evalMempcpy, _1, _2, _3, CK_Wide)},
146 {{CDF_MaybeBuiltin, {"memcmp"}, 3},
147 std::bind(&CStringChecker::evalMemcmp, _1, _2, _3, CK_Regular)},
148 {{CDF_MaybeBuiltin, {"wmemcmp"}, 3},
149 std::bind(&CStringChecker::evalMemcmp, _1, _2, _3, CK_Wide)},
150 {{CDF_MaybeBuiltin, {"memmove"}, 3},
151 std::bind(&CStringChecker::evalMemmove, _1, _2, _3, CK_Regular)},
152 {{CDF_MaybeBuiltin, {"wmemmove"}, 3},
153 std::bind(&CStringChecker::evalMemmove, _1, _2, _3, CK_Wide)},
154 {{CDF_MaybeBuiltin, {"memset"}, 3}, &CStringChecker::evalMemset},
155 {{CDF_MaybeBuiltin, {"explicit_memset"}, 3}, &CStringChecker::evalMemset},
156 {{CDF_MaybeBuiltin, {"strcpy"}, 2}, &CStringChecker::evalStrcpy},
157 {{CDF_MaybeBuiltin, {"strncpy"}, 3}, &CStringChecker::evalStrncpy},
158 {{CDF_MaybeBuiltin, {"stpcpy"}, 2}, &CStringChecker::evalStpcpy},
159 {{CDF_MaybeBuiltin, {"strlcpy"}, 3}, &CStringChecker::evalStrlcpy},
160 {{CDF_MaybeBuiltin, {"strcat"}, 2}, &CStringChecker::evalStrcat},
161 {{CDF_MaybeBuiltin, {"strncat"}, 3}, &CStringChecker::evalStrncat},
162 {{CDF_MaybeBuiltin, {"strlcat"}, 3}, &CStringChecker::evalStrlcat},
163 {{CDF_MaybeBuiltin, {"strlen"}, 1}, &CStringChecker::evalstrLength},
164 {{CDF_MaybeBuiltin, {"wcslen"}, 1}, &CStringChecker::evalstrLength},
165 {{CDF_MaybeBuiltin, {"strnlen"}, 2}, &CStringChecker::evalstrnLength},
166 {{CDF_MaybeBuiltin, {"wcsnlen"}, 2}, &CStringChecker::evalstrnLength},
167 {{CDF_MaybeBuiltin, {"strcmp"}, 2}, &CStringChecker::evalStrcmp},
168 {{CDF_MaybeBuiltin, {"strncmp"}, 3}, &CStringChecker::evalStrncmp},
169 {{CDF_MaybeBuiltin, {"strcasecmp"}, 2}, &CStringChecker::evalStrcasecmp},
170 {{CDF_MaybeBuiltin, {"strncasecmp"}, 3},
171 &CStringChecker::evalStrncasecmp},
172 {{CDF_MaybeBuiltin, {"strsep"}, 2}, &CStringChecker::evalStrsep},
173 {{CDF_MaybeBuiltin, {"bcopy"}, 3}, &CStringChecker::evalBcopy},
174 {{CDF_MaybeBuiltin, {"bcmp"}, 3},
175 std::bind(&CStringChecker::evalMemcmp, _1, _2, _3, CK_Regular)},
176 {{CDF_MaybeBuiltin, {"bzero"}, 2}, &CStringChecker::evalBzero},
177 {{CDF_MaybeBuiltin, {"explicit_bzero"}, 2}, &CStringChecker::evalBzero},
178 };
179
180 // These require a bit of special handling.
181 CallDescription StdCopy{{"std", "copy"}, 3},
182 StdCopyBackward{{"std", "copy_backward"}, 3};
183
184 FnCheck identifyCall(const CallEvent &Call, CheckerContext &C) const;
185 void evalMemcpy(CheckerContext &C, const CallExpr *CE, CharKind CK) const;
186 void evalMempcpy(CheckerContext &C, const CallExpr *CE, CharKind CK) const;
187 void evalMemmove(CheckerContext &C, const CallExpr *CE, CharKind CK) const;
188 void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
189 void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
190 ProgramStateRef state, SizeArgExpr Size,
191 DestinationArgExpr Dest, SourceArgExpr Source,
192 bool Restricted, bool IsMempcpy, CharKind CK) const;
193
194 void evalMemcmp(CheckerContext &C, const CallExpr *CE, CharKind CK) const;
195
196 void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
197 void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
198 void evalstrLengthCommon(CheckerContext &C,
199 const CallExpr *CE,
200 bool IsStrnlen = false) const;
201
202 void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
203 void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
204 void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
205 void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const;
206 void evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, bool ReturnEnd,
207 bool IsBounded, ConcatFnKind appendK,
208 bool returnPtr = true) const;
209
210 void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
211 void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
212 void evalStrlcat(CheckerContext &C, const CallExpr *CE) const;
213
214 void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
215 void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
216 void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
217 void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
218 void evalStrcmpCommon(CheckerContext &C,
219 const CallExpr *CE,
220 bool IsBounded = false,
221 bool IgnoreCase = false) const;
222
223 void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
224
225 void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
226 void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
227 void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
228 void evalMemset(CheckerContext &C, const CallExpr *CE) const;
229 void evalBzero(CheckerContext &C, const CallExpr *CE) const;
230
231 // Utility methods
232 std::pair<ProgramStateRef , ProgramStateRef >
233 static assumeZero(CheckerContext &C,
234 ProgramStateRef state, SVal V, QualType Ty);
235
236 static ProgramStateRef setCStringLength(ProgramStateRef state,
237 const MemRegion *MR,
238 SVal strLength);
239 static SVal getCStringLengthForRegion(CheckerContext &C,
240 ProgramStateRef &state,
241 const Expr *Ex,
242 const MemRegion *MR,
243 bool hypothetical);
244 SVal getCStringLength(CheckerContext &C,
245 ProgramStateRef &state,
246 const Expr *Ex,
247 SVal Buf,
248 bool hypothetical = false) const;
249
250 const StringLiteral *getCStringLiteral(CheckerContext &C,
251 ProgramStateRef &state,
252 const Expr *expr,
253 SVal val) const;
254
255 static ProgramStateRef InvalidateBuffer(CheckerContext &C,
256 ProgramStateRef state,
257 const Expr *Ex, SVal V,
258 bool IsSourceBuffer,
259 const Expr *Size);
260
261 static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
262 const MemRegion *MR);
263
264 static bool memsetAux(const Expr *DstBuffer, SVal CharE,
265 const Expr *Size, CheckerContext &C,
266 ProgramStateRef &State);
267
268 // Re-usable checks
269 ProgramStateRef checkNonNull(CheckerContext &C, ProgramStateRef State,
270 AnyArgExpr Arg, SVal l) const;
271 ProgramStateRef CheckLocation(CheckerContext &C, ProgramStateRef state,
272 AnyArgExpr Buffer, SVal Element,
273 AccessKind Access,
274 CharKind CK = CharKind::Regular) const;
275 ProgramStateRef CheckBufferAccess(CheckerContext &C, ProgramStateRef State,
276 AnyArgExpr Buffer, SizeArgExpr Size,
277 AccessKind Access,
278 CharKind CK = CharKind::Regular) const;
279 ProgramStateRef CheckOverlap(CheckerContext &C, ProgramStateRef state,
280 SizeArgExpr Size, AnyArgExpr First,
281 AnyArgExpr Second,
282 CharKind CK = CharKind::Regular) const;
283 void emitOverlapBug(CheckerContext &C,
284 ProgramStateRef state,
285 const Stmt *First,
286 const Stmt *Second) const;
287
288 void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
289 StringRef WarningMsg) const;
290 void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
291 const Stmt *S, StringRef WarningMsg) const;
292 void emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
293 const Stmt *S, StringRef WarningMsg) const;
294 void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const;
295 void emitUninitializedReadBug(CheckerContext &C, ProgramStateRef State,
296 const Expr *E) const;
297 ProgramStateRef checkAdditionOverflow(CheckerContext &C,
298 ProgramStateRef state,
299 NonLoc left,
300 NonLoc right) const;
301
302 // Return true if the destination buffer of the copy function may be in bound.
303 // Expects SVal of Size to be positive and unsigned.
304 // Expects SVal of FirstBuf to be a FieldRegion.
305 static bool IsFirstBufInBound(CheckerContext &C,
306 ProgramStateRef state,
307 const Expr *FirstBuf,
308 const Expr *Size);
309};
310
311} //end anonymous namespace
312
313REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)namespace { class CStringLength {}; using CStringLengthTy = llvm
::ImmutableMap<const MemRegion *, SVal>; } namespace clang
{ namespace ento { template <> struct ProgramStateTrait
<CStringLength> : public ProgramStatePartialTrait<CStringLengthTy
> { static void *GDMIndex() { static int Index; return &
Index; } }; } }
314
315//===----------------------------------------------------------------------===//
316// Individual checks and utility methods.
317//===----------------------------------------------------------------------===//
318
319std::pair<ProgramStateRef , ProgramStateRef >
320CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
321 QualType Ty) {
322 std::optional<DefinedSVal> val = V.getAs<DefinedSVal>();
323 if (!val)
324 return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
325
326 SValBuilder &svalBuilder = C.getSValBuilder();
327 DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
328 return state->assume(svalBuilder.evalEQ(state, *val, zero));
329}
330
331ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
332 ProgramStateRef State,
333 AnyArgExpr Arg, SVal l) const {
334 // If a previous check has failed, propagate the failure.
335 if (!State)
336 return nullptr;
337
338 ProgramStateRef stateNull, stateNonNull;
339 std::tie(stateNull, stateNonNull) =
340 assumeZero(C, State, l, Arg.Expression->getType());
341
342 if (stateNull && !stateNonNull) {
343 if (Filter.CheckCStringNullArg) {
344 SmallString<80> buf;
345 llvm::raw_svector_ostream OS(buf);
346 assert(CurrentFunctionDescription)(static_cast <bool> (CurrentFunctionDescription) ? void
(0) : __assert_fail ("CurrentFunctionDescription", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 346, __extension__ __PRETTY_FUNCTION__));
347 OS << "Null pointer passed as " << (Arg.ArgumentIndex + 1)
348 << llvm::getOrdinalSuffix(Arg.ArgumentIndex + 1) << " argument to "
349 << CurrentFunctionDescription;
350
351 emitNullArgBug(C, stateNull, Arg.Expression, OS.str());
352 }
353 return nullptr;
354 }
355
356 // From here on, assume that the value is non-null.
357 assert(stateNonNull)(static_cast <bool> (stateNonNull) ? void (0) : __assert_fail
("stateNonNull", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 357, __extension__ __PRETTY_FUNCTION__));
358 return stateNonNull;
359}
360
361// FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
362ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
363 ProgramStateRef state,
364 AnyArgExpr Buffer, SVal Element,
365 AccessKind Access,
366 CharKind CK) const {
367
368 // If a previous check has failed, propagate the failure.
369 if (!state)
370 return nullptr;
371
372 // Check for out of bound array element access.
373 const MemRegion *R = Element.getAsRegion();
374 if (!R)
375 return state;
376
377 const auto *ER = dyn_cast<ElementRegion>(R);
378 if (!ER)
379 return state;
380
381 SValBuilder &svalBuilder = C.getSValBuilder();
382 ASTContext &Ctx = svalBuilder.getContext();
383
384 // Get the index of the accessed element.
385 NonLoc Idx = ER->getIndex();
386
387 if (CK == CharKind::Regular) {
388 if (ER->getValueType() != Ctx.CharTy)
389 return state;
390 } else {
391 if (ER->getValueType() != Ctx.WideCharTy)
392 return state;
393
394 QualType SizeTy = Ctx.getSizeType();
395 NonLoc WideSize =
396 svalBuilder
397 .makeIntVal(Ctx.getTypeSizeInChars(Ctx.WideCharTy).getQuantity(),
398 SizeTy)
399 .castAs<NonLoc>();
400 SVal Offset = svalBuilder.evalBinOpNN(state, BO_Mul, Idx, WideSize, SizeTy);
401 if (Offset.isUnknown())
402 return state;
403 Idx = Offset.castAs<NonLoc>();
404 }
405
406 // Get the size of the array.
407 const auto *superReg = cast<SubRegion>(ER->getSuperRegion());
408 DefinedOrUnknownSVal Size =
409 getDynamicExtent(state, superReg, C.getSValBuilder());
410
411 ProgramStateRef StInBound, StOutBound;
412 std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, Size);
413 if (StOutBound && !StInBound) {
414 // These checks are either enabled by the CString out-of-bounds checker
415 // explicitly or implicitly by the Malloc checker.
416 // In the latter case we only do modeling but do not emit warning.
417 if (!Filter.CheckCStringOutOfBounds)
418 return nullptr;
419
420 // Emit a bug report.
421 ErrorMessage Message =
422 createOutOfBoundErrorMsg(CurrentFunctionDescription, Access);
423 emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message);
424 return nullptr;
425 }
426
427 // Ensure that we wouldn't read uninitialized value.
428 if (Access == AccessKind::read) {
429 if (Filter.CheckCStringUninitializedRead &&
430 StInBound->getSVal(ER).isUndef()) {
431 emitUninitializedReadBug(C, StInBound, Buffer.Expression);
432 return nullptr;
433 }
434 }
435
436 // Array bound check succeeded. From this point forward the array bound
437 // should always succeed.
438 return StInBound;
439}
440
441ProgramStateRef
442CStringChecker::CheckBufferAccess(CheckerContext &C, ProgramStateRef State,
443 AnyArgExpr Buffer, SizeArgExpr Size,
444 AccessKind Access, CharKind CK) const {
445 // If a previous check has failed, propagate the failure.
446 if (!State)
447 return nullptr;
448
449 SValBuilder &svalBuilder = C.getSValBuilder();
450 ASTContext &Ctx = svalBuilder.getContext();
451
452 QualType SizeTy = Size.Expression->getType();
453 QualType PtrTy = getCharPtrType(Ctx, CK);
454
455 // Check that the first buffer is non-null.
456 SVal BufVal = C.getSVal(Buffer.Expression);
457 State = checkNonNull(C, State, Buffer, BufVal);
458 if (!State)
459 return nullptr;
460
461 // If out-of-bounds checking is turned off, skip the rest.
462 if (!Filter.CheckCStringOutOfBounds)
463 return State;
464
465 // Get the access length and make sure it is known.
466 // FIXME: This assumes the caller has already checked that the access length
467 // is positive. And that it's unsigned.
468 SVal LengthVal = C.getSVal(Size.Expression);
469 std::optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
470 if (!Length)
471 return State;
472
473 // Compute the offset of the last element to be accessed: size-1.
474 NonLoc One = svalBuilder.makeIntVal(1, SizeTy).castAs<NonLoc>();
475 SVal Offset = svalBuilder.evalBinOpNN(State, BO_Sub, *Length, One, SizeTy);
476 if (Offset.isUnknown())
477 return nullptr;
478 NonLoc LastOffset = Offset.castAs<NonLoc>();
479
480 // Check that the first buffer is sufficiently long.
481 SVal BufStart =
482 svalBuilder.evalCast(BufVal, PtrTy, Buffer.Expression->getType());
483 if (std::optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
484
485 SVal BufEnd =
486 svalBuilder.evalBinOpLN(State, BO_Add, *BufLoc, LastOffset, PtrTy);
487 State = CheckLocation(C, State, Buffer, BufEnd, Access, CK);
488
489 // If the buffer isn't large enough, abort.
490 if (!State)
491 return nullptr;
492 }
493
494 // Large enough or not, return this state!
495 return State;
496}
497
498ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
499 ProgramStateRef state,
500 SizeArgExpr Size, AnyArgExpr First,
501 AnyArgExpr Second,
502 CharKind CK) const {
503 if (!Filter.CheckCStringBufferOverlap)
504 return state;
505
506 // Do a simple check for overlap: if the two arguments are from the same
507 // buffer, see if the end of the first is greater than the start of the second
508 // or vice versa.
509
510 // If a previous check has failed, propagate the failure.
511 if (!state)
512 return nullptr;
513
514 ProgramStateRef stateTrue, stateFalse;
515
516 // Assume different address spaces cannot overlap.
517 if (First.Expression->getType()->getPointeeType().getAddressSpace() !=
518 Second.Expression->getType()->getPointeeType().getAddressSpace())
519 return state;
520
521 // Get the buffer values and make sure they're known locations.
522 const LocationContext *LCtx = C.getLocationContext();
523 SVal firstVal = state->getSVal(First.Expression, LCtx);
524 SVal secondVal = state->getSVal(Second.Expression, LCtx);
525
526 std::optional<Loc> firstLoc = firstVal.getAs<Loc>();
527 if (!firstLoc)
528 return state;
529
530 std::optional<Loc> secondLoc = secondVal.getAs<Loc>();
531 if (!secondLoc)
532 return state;
533
534 // Are the two values the same?
535 SValBuilder &svalBuilder = C.getSValBuilder();
536 std::tie(stateTrue, stateFalse) =
537 state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
538
539 if (stateTrue && !stateFalse) {
540 // If the values are known to be equal, that's automatically an overlap.
541 emitOverlapBug(C, stateTrue, First.Expression, Second.Expression);
542 return nullptr;
543 }
544
545 // assume the two expressions are not equal.
546 assert(stateFalse)(static_cast <bool> (stateFalse) ? void (0) : __assert_fail
("stateFalse", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 546, __extension__ __PRETTY_FUNCTION__));
547 state = stateFalse;
548
549 // Which value comes first?
550 QualType cmpTy = svalBuilder.getConditionType();
551 SVal reverse =
552 svalBuilder.evalBinOpLL(state, BO_GT, *firstLoc, *secondLoc, cmpTy);
553 std::optional<DefinedOrUnknownSVal> reverseTest =
554 reverse.getAs<DefinedOrUnknownSVal>();
555 if (!reverseTest)
556 return state;
557
558 std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
559 if (stateTrue) {
560 if (stateFalse) {
561 // If we don't know which one comes first, we can't perform this test.
562 return state;
563 } else {
564 // Switch the values so that firstVal is before secondVal.
565 std::swap(firstLoc, secondLoc);
566
567 // Switch the Exprs as well, so that they still correspond.
568 std::swap(First, Second);
569 }
570 }
571
572 // Get the length, and make sure it too is known.
573 SVal LengthVal = state->getSVal(Size.Expression, LCtx);
574 std::optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
575 if (!Length)
576 return state;
577
578 // Convert the first buffer's start address to char*.
579 // Bail out if the cast fails.
580 ASTContext &Ctx = svalBuilder.getContext();
581 QualType CharPtrTy = getCharPtrType(Ctx, CK);
582 SVal FirstStart =
583 svalBuilder.evalCast(*firstLoc, CharPtrTy, First.Expression->getType());
584 std::optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
585 if (!FirstStartLoc)
586 return state;
587
588 // Compute the end of the first buffer. Bail out if THAT fails.
589 SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, *FirstStartLoc,
590 *Length, CharPtrTy);
591 std::optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
592 if (!FirstEndLoc)
593 return state;
594
595 // Is the end of the first buffer past the start of the second buffer?
596 SVal Overlap =
597 svalBuilder.evalBinOpLL(state, BO_GT, *FirstEndLoc, *secondLoc, cmpTy);
598 std::optional<DefinedOrUnknownSVal> OverlapTest =
599 Overlap.getAs<DefinedOrUnknownSVal>();
600 if (!OverlapTest)
601 return state;
602
603 std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
604
605 if (stateTrue && !stateFalse) {
606 // Overlap!
607 emitOverlapBug(C, stateTrue, First.Expression, Second.Expression);
608 return nullptr;
609 }
610
611 // assume the two expressions don't overlap.
612 assert(stateFalse)(static_cast <bool> (stateFalse) ? void (0) : __assert_fail
("stateFalse", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 612, __extension__ __PRETTY_FUNCTION__));
613 return stateFalse;
614}
615
616void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
617 const Stmt *First, const Stmt *Second) const {
618 ExplodedNode *N = C.generateErrorNode(state);
619 if (!N)
620 return;
621
622 if (!BT_Overlap)
623 BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
624 categories::UnixAPI, "Improper arguments"));
625
626 // Generate a report for this bug.
627 auto report = std::make_unique<PathSensitiveBugReport>(
628 *BT_Overlap, "Arguments must not be overlapping buffers", N);
629 report->addRange(First->getSourceRange());
630 report->addRange(Second->getSourceRange());
631
632 C.emitReport(std::move(report));
633}
634
635void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State,
636 const Stmt *S, StringRef WarningMsg) const {
637 if (ExplodedNode *N = C.generateErrorNode(State)) {
638 if (!BT_Null)
639 BT_Null.reset(new BuiltinBug(
640 Filter.CheckNameCStringNullArg, categories::UnixAPI,
641 "Null pointer argument in call to byte string function"));
642
643 BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Null.get());
644 auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N);
645 Report->addRange(S->getSourceRange());
646 if (const auto *Ex = dyn_cast<Expr>(S))
647 bugreporter::trackExpressionValue(N, Ex, *Report);
648 C.emitReport(std::move(Report));
649 }
650}
651
652void CStringChecker::emitUninitializedReadBug(CheckerContext &C,
653 ProgramStateRef State,
654 const Expr *E) const {
655 if (ExplodedNode *N = C.generateErrorNode(State)) {
656 const char *Msg =
657 "Bytes string function accesses uninitialized/garbage values";
658 if (!BT_UninitRead)
659 BT_UninitRead.reset(
660 new BuiltinBug(Filter.CheckNameCStringUninitializedRead,
661 "Accessing unitialized/garbage values", Msg));
662
663 BuiltinBug *BT = static_cast<BuiltinBug *>(BT_UninitRead.get());
664
665 auto Report = std::make_unique<PathSensitiveBugReport>(*BT, Msg, N);
666 Report->addRange(E->getSourceRange());
667 bugreporter::trackExpressionValue(N, E, *Report);
668 C.emitReport(std::move(Report));
669 }
670}
671
672void CStringChecker::emitOutOfBoundsBug(CheckerContext &C,
673 ProgramStateRef State, const Stmt *S,
674 StringRef WarningMsg) const {
675 if (ExplodedNode *N = C.generateErrorNode(State)) {
676 if (!BT_Bounds)
677 BT_Bounds.reset(new BuiltinBug(
678 Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds
679 : Filter.CheckNameCStringNullArg,
680 "Out-of-bound array access",
681 "Byte string function accesses out-of-bound array element"));
682
683 BuiltinBug *BT = static_cast<BuiltinBug *>(BT_Bounds.get());
684
685 // FIXME: It would be nice to eventually make this diagnostic more clear,
686 // e.g., by referencing the original declaration or by saying *why* this
687 // reference is outside the range.
688 auto Report = std::make_unique<PathSensitiveBugReport>(*BT, WarningMsg, N);
689 Report->addRange(S->getSourceRange());
690 C.emitReport(std::move(Report));
691 }
692}
693
694void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State,
695 const Stmt *S,
696 StringRef WarningMsg) const {
697 if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) {
698 if (!BT_NotCString)
699 BT_NotCString.reset(new BuiltinBug(
700 Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
701 "Argument is not a null-terminated string."));
702
703 auto Report =
704 std::make_unique<PathSensitiveBugReport>(*BT_NotCString, WarningMsg, N);
705
706 Report->addRange(S->getSourceRange());
707 C.emitReport(std::move(Report));
708 }
709}
710
711void CStringChecker::emitAdditionOverflowBug(CheckerContext &C,
712 ProgramStateRef State) const {
713 if (ExplodedNode *N = C.generateErrorNode(State)) {
714 if (!BT_AdditionOverflow)
715 BT_AdditionOverflow.reset(
716 new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
717 "Sum of expressions causes overflow."));
718
719 // This isn't a great error message, but this should never occur in real
720 // code anyway -- you'd have to create a buffer longer than a size_t can
721 // represent, which is sort of a contradiction.
722 const char *WarningMsg =
723 "This expression will create a string whose length is too big to "
724 "be represented as a size_t";
725
726 auto Report = std::make_unique<PathSensitiveBugReport>(*BT_AdditionOverflow,
727 WarningMsg, N);
728 C.emitReport(std::move(Report));
729 }
730}
731
732ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
733 ProgramStateRef state,
734 NonLoc left,
735 NonLoc right) const {
736 // If out-of-bounds checking is turned off, skip the rest.
737 if (!Filter.CheckCStringOutOfBounds)
738 return state;
739
740 // If a previous check has failed, propagate the failure.
741 if (!state)
742 return nullptr;
743
744 SValBuilder &svalBuilder = C.getSValBuilder();
745 BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
746
747 QualType sizeTy = svalBuilder.getContext().getSizeType();
748 const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
749 NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
750
751 SVal maxMinusRight;
752 if (isa<nonloc::ConcreteInt>(right)) {
753 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
754 sizeTy);
755 } else {
756 // Try switching the operands. (The order of these two assignments is
757 // important!)
758 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
759 sizeTy);
760 left = right;
761 }
762
763 if (std::optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
764 QualType cmpTy = svalBuilder.getConditionType();
765 // If left > max - right, we have an overflow.
766 SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
767 *maxMinusRightNL, cmpTy);
768
769 ProgramStateRef stateOverflow, stateOkay;
770 std::tie(stateOverflow, stateOkay) =
771 state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
772
773 if (stateOverflow && !stateOkay) {
774 // We have an overflow. Emit a bug report.
775 emitAdditionOverflowBug(C, stateOverflow);
776 return nullptr;
777 }
778
779 // From now on, assume an overflow didn't occur.
780 assert(stateOkay)(static_cast <bool> (stateOkay) ? void (0) : __assert_fail
("stateOkay", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 780, __extension__ __PRETTY_FUNCTION__));
781 state = stateOkay;
782 }
783
784 return state;
785}
786
787ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
788 const MemRegion *MR,
789 SVal strLength) {
790 assert(!strLength.isUndef() && "Attempt to set an undefined string length")(static_cast <bool> (!strLength.isUndef() && "Attempt to set an undefined string length"
) ? void (0) : __assert_fail ("!strLength.isUndef() && \"Attempt to set an undefined string length\""
, "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp", 790
, __extension__ __PRETTY_FUNCTION__));
791
792 MR = MR->StripCasts();
793
794 switch (MR->getKind()) {
795 case MemRegion::StringRegionKind:
796 // FIXME: This can happen if we strcpy() into a string region. This is
797 // undefined [C99 6.4.5p6], but we should still warn about it.
798 return state;
799
800 case MemRegion::SymbolicRegionKind:
801 case MemRegion::AllocaRegionKind:
802 case MemRegion::NonParamVarRegionKind:
803 case MemRegion::ParamVarRegionKind:
804 case MemRegion::FieldRegionKind:
805 case MemRegion::ObjCIvarRegionKind:
806 // These are the types we can currently track string lengths for.
807 break;
808
809 case MemRegion::ElementRegionKind:
810 // FIXME: Handle element regions by upper-bounding the parent region's
811 // string length.
812 return state;
813
814 default:
815 // Other regions (mostly non-data) can't have a reliable C string length.
816 // For now, just ignore the change.
817 // FIXME: These are rare but not impossible. We should output some kind of
818 // warning for things like strcpy((char[]){'a', 0}, "b");
819 return state;
820 }
821
822 if (strLength.isUnknown())
823 return state->remove<CStringLength>(MR);
824
825 return state->set<CStringLength>(MR, strLength);
826}
827
828SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
829 ProgramStateRef &state,
830 const Expr *Ex,
831 const MemRegion *MR,
832 bool hypothetical) {
833 if (!hypothetical) {
834 // If there's a recorded length, go ahead and return it.
835 const SVal *Recorded = state->get<CStringLength>(MR);
836 if (Recorded)
837 return *Recorded;
838 }
839
840 // Otherwise, get a new symbol and update the state.
841 SValBuilder &svalBuilder = C.getSValBuilder();
842 QualType sizeTy = svalBuilder.getContext().getSizeType();
843 SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
844 MR, Ex, sizeTy,
845 C.getLocationContext(),
846 C.blockCount());
847
848 if (!hypothetical) {
849 if (std::optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
850 // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
851 BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
852 const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
853 llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
854 const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
855 fourInt);
856 NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
857 SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
858 maxLength, sizeTy);
859 state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
860 }
861 state = state->set<CStringLength>(MR, strLength);
862 }
863
864 return strLength;
865}
866
867SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
868 const Expr *Ex, SVal Buf,
869 bool hypothetical) const {
870 const MemRegion *MR = Buf.getAsRegion();
871 if (!MR) {
872 // If we can't get a region, see if it's something we /know/ isn't a
873 // C string. In the context of locations, the only time we can issue such
874 // a warning is for labels.
875 if (std::optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) {
876 if (Filter.CheckCStringNotNullTerm) {
877 SmallString<120> buf;
878 llvm::raw_svector_ostream os(buf);
879 assert(CurrentFunctionDescription)(static_cast <bool> (CurrentFunctionDescription) ? void
(0) : __assert_fail ("CurrentFunctionDescription", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 879, __extension__ __PRETTY_FUNCTION__));
880 os << "Argument to " << CurrentFunctionDescription
881 << " is the address of the label '" << Label->getLabel()->getName()
882 << "', which is not a null-terminated string";
883
884 emitNotCStringBug(C, state, Ex, os.str());
885 }
886 return UndefinedVal();
887 }
888
889 // If it's not a region and not a label, give up.
890 return UnknownVal();
891 }
892
893 // If we have a region, strip casts from it and see if we can figure out
894 // its length. For anything we can't figure out, just return UnknownVal.
895 MR = MR->StripCasts();
896
897 switch (MR->getKind()) {
898 case MemRegion::StringRegionKind: {
899 // Modifying the contents of string regions is undefined [C99 6.4.5p6],
900 // so we can assume that the byte length is the correct C string length.
901 SValBuilder &svalBuilder = C.getSValBuilder();
902 QualType sizeTy = svalBuilder.getContext().getSizeType();
903 const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
904 return svalBuilder.makeIntVal(strLit->getLength(), sizeTy);
905 }
906 case MemRegion::SymbolicRegionKind:
907 case MemRegion::AllocaRegionKind:
908 case MemRegion::NonParamVarRegionKind:
909 case MemRegion::ParamVarRegionKind:
910 case MemRegion::FieldRegionKind:
911 case MemRegion::ObjCIvarRegionKind:
912 return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
913 case MemRegion::CompoundLiteralRegionKind:
914 // FIXME: Can we track this? Is it necessary?
915 return UnknownVal();
916 case MemRegion::ElementRegionKind:
917 // FIXME: How can we handle this? It's not good enough to subtract the
918 // offset from the base string length; consider "123\x00567" and &a[5].
919 return UnknownVal();
920 default:
921 // Other regions (mostly non-data) can't have a reliable C string length.
922 // In this case, an error is emitted and UndefinedVal is returned.
923 // The caller should always be prepared to handle this case.
924 if (Filter.CheckCStringNotNullTerm) {
925 SmallString<120> buf;
926 llvm::raw_svector_ostream os(buf);
927
928 assert(CurrentFunctionDescription)(static_cast <bool> (CurrentFunctionDescription) ? void
(0) : __assert_fail ("CurrentFunctionDescription", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 928, __extension__ __PRETTY_FUNCTION__));
929 os << "Argument to " << CurrentFunctionDescription << " is ";
930
931 if (SummarizeRegion(os, C.getASTContext(), MR))
932 os << ", which is not a null-terminated string";
933 else
934 os << "not a null-terminated string";
935
936 emitNotCStringBug(C, state, Ex, os.str());
937 }
938 return UndefinedVal();
939 }
940}
941
942const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
943 ProgramStateRef &state, const Expr *expr, SVal val) const {
944
945 // Get the memory region pointed to by the val.
946 const MemRegion *bufRegion = val.getAsRegion();
947 if (!bufRegion)
948 return nullptr;
949
950 // Strip casts off the memory region.
951 bufRegion = bufRegion->StripCasts();
952
953 // Cast the memory region to a string region.
954 const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
955 if (!strRegion)
956 return nullptr;
957
958 // Return the actual string in the string region.
959 return strRegion->getStringLiteral();
960}
961
962bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
963 ProgramStateRef state,
964 const Expr *FirstBuf,
965 const Expr *Size) {
966 // If we do not know that the buffer is long enough we return 'true'.
967 // Otherwise the parent region of this field region would also get
968 // invalidated, which would lead to warnings based on an unknown state.
969
970 // Originally copied from CheckBufferAccess and CheckLocation.
971 SValBuilder &svalBuilder = C.getSValBuilder();
972 ASTContext &Ctx = svalBuilder.getContext();
973 const LocationContext *LCtx = C.getLocationContext();
974
975 QualType sizeTy = Size->getType();
976 QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
977 SVal BufVal = state->getSVal(FirstBuf, LCtx);
978
979 SVal LengthVal = state->getSVal(Size, LCtx);
980 std::optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
981 if (!Length)
982 return true; // cf top comment.
983
984 // Compute the offset of the last element to be accessed: size-1.
985 NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
986 SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
987 if (Offset.isUnknown())
988 return true; // cf top comment
989 NonLoc LastOffset = Offset.castAs<NonLoc>();
990
991 // Check that the first buffer is sufficiently long.
992 SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
993 std::optional<Loc> BufLoc = BufStart.getAs<Loc>();
994 if (!BufLoc)
995 return true; // cf top comment.
996
997 SVal BufEnd =
998 svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
999
1000 // Check for out of bound array element access.
1001 const MemRegion *R = BufEnd.getAsRegion();
1002 if (!R)
1003 return true; // cf top comment.
1004
1005 const ElementRegion *ER = dyn_cast<ElementRegion>(R);
1006 if (!ER)
1007 return true; // cf top comment.
1008
1009 // FIXME: Does this crash when a non-standard definition
1010 // of a library function is encountered?
1011 assert(ER->getValueType() == C.getASTContext().CharTy &&(static_cast <bool> (ER->getValueType() == C.getASTContext
().CharTy && "IsFirstBufInBound should only be called with char* ElementRegions"
) ? void (0) : __assert_fail ("ER->getValueType() == C.getASTContext().CharTy && \"IsFirstBufInBound should only be called with char* ElementRegions\""
, "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp", 1012
, __extension__ __PRETTY_FUNCTION__))
1012 "IsFirstBufInBound should only be called with char* ElementRegions")(static_cast <bool> (ER->getValueType() == C.getASTContext
().CharTy && "IsFirstBufInBound should only be called with char* ElementRegions"
) ? void (0) : __assert_fail ("ER->getValueType() == C.getASTContext().CharTy && \"IsFirstBufInBound should only be called with char* ElementRegions\""
, "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp", 1012
, __extension__ __PRETTY_FUNCTION__));
1013
1014 // Get the size of the array.
1015 const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
1016 DefinedOrUnknownSVal SizeDV = getDynamicExtent(state, superReg, svalBuilder);
1017
1018 // Get the index of the accessed element.
1019 DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
1020
1021 ProgramStateRef StInBound = state->assumeInBound(Idx, SizeDV, true);
1022
1023 return static_cast<bool>(StInBound);
1024}
1025
1026ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
1027 ProgramStateRef state,
1028 const Expr *E, SVal V,
1029 bool IsSourceBuffer,
1030 const Expr *Size) {
1031 std::optional<Loc> L = V.getAs<Loc>();
1032 if (!L)
1033 return state;
1034
1035 // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
1036 // some assumptions about the value that CFRefCount can't. Even so, it should
1037 // probably be refactored.
1038 if (std::optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
1039 const MemRegion *R = MR->getRegion()->StripCasts();
1040
1041 // Are we dealing with an ElementRegion? If so, we should be invalidating
1042 // the super-region.
1043 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
1044 R = ER->getSuperRegion();
1045 // FIXME: What about layers of ElementRegions?
1046 }
1047
1048 // Invalidate this region.
1049 const LocationContext *LCtx = C.getPredecessor()->getLocationContext();
1050
1051 bool CausesPointerEscape = false;
1052 RegionAndSymbolInvalidationTraits ITraits;
1053 // Invalidate and escape only indirect regions accessible through the source
1054 // buffer.
1055 if (IsSourceBuffer) {
1056 ITraits.setTrait(R->getBaseRegion(),
1057 RegionAndSymbolInvalidationTraits::TK_PreserveContents);
1058 ITraits.setTrait(R, RegionAndSymbolInvalidationTraits::TK_SuppressEscape);
1059 CausesPointerEscape = true;
1060 } else {
1061 const MemRegion::Kind& K = R->getKind();
1062 if (K == MemRegion::FieldRegionKind)
1063 if (Size && IsFirstBufInBound(C, state, E, Size)) {
1064 // If destination buffer is a field region and access is in bound,
1065 // do not invalidate its super region.
1066 ITraits.setTrait(
1067 R,
1068 RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion);
1069 }
1070 }
1071
1072 return state->invalidateRegions(R, E, C.blockCount(), LCtx,
1073 CausesPointerEscape, nullptr, nullptr,
1074 &ITraits);
1075 }
1076
1077 // If we have a non-region value by chance, just remove the binding.
1078 // FIXME: is this necessary or correct? This handles the non-Region
1079 // cases. Is it ever valid to store to these?
1080 return state->killBinding(*L);
1081}
1082
1083bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
1084 const MemRegion *MR) {
1085 switch (MR->getKind()) {
1086 case MemRegion::FunctionCodeRegionKind: {
1087 if (const auto *FD = cast<FunctionCodeRegion>(MR)->getDecl())
1088 os << "the address of the function '" << *FD << '\'';
1089 else
1090 os << "the address of a function";
1091 return true;
1092 }
1093 case MemRegion::BlockCodeRegionKind:
1094 os << "block text";
1095 return true;
1096 case MemRegion::BlockDataRegionKind:
1097 os << "a block";
1098 return true;
1099 case MemRegion::CXXThisRegionKind:
1100 case MemRegion::CXXTempObjectRegionKind:
1101 os << "a C++ temp object of type "
1102 << cast<TypedValueRegion>(MR)->getValueType();
1103 return true;
1104 case MemRegion::NonParamVarRegionKind:
1105 os << "a variable of type" << cast<TypedValueRegion>(MR)->getValueType();
1106 return true;
1107 case MemRegion::ParamVarRegionKind:
1108 os << "a parameter of type" << cast<TypedValueRegion>(MR)->getValueType();
1109 return true;
1110 case MemRegion::FieldRegionKind:
1111 os << "a field of type " << cast<TypedValueRegion>(MR)->getValueType();
1112 return true;
1113 case MemRegion::ObjCIvarRegionKind:
1114 os << "an instance variable of type "
1115 << cast<TypedValueRegion>(MR)->getValueType();
1116 return true;
1117 default:
1118 return false;
1119 }
1120}
1121
1122bool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal,
1123 const Expr *Size, CheckerContext &C,
1124 ProgramStateRef &State) {
1125 SVal MemVal = C.getSVal(DstBuffer);
1126 SVal SizeVal = C.getSVal(Size);
1127 const MemRegion *MR = MemVal.getAsRegion();
1128 if (!MR)
1129 return false;
1130
1131 // We're about to model memset by producing a "default binding" in the Store.
1132 // Our current implementation - RegionStore - doesn't support default bindings
1133 // that don't cover the whole base region. So we should first get the offset
1134 // and the base region to figure out whether the offset of buffer is 0.
1135 RegionOffset Offset = MR->getAsOffset();
1136 const MemRegion *BR = Offset.getRegion();
1137
1138 std::optional<NonLoc> SizeNL = SizeVal.getAs<NonLoc>();
1139 if (!SizeNL)
1140 return false;
1141
1142 SValBuilder &svalBuilder = C.getSValBuilder();
1143 ASTContext &Ctx = C.getASTContext();
1144
1145 // void *memset(void *dest, int ch, size_t count);
1146 // For now we can only handle the case of offset is 0 and concrete char value.
1147 if (Offset.isValid() && !Offset.hasSymbolicOffset() &&
1148 Offset.getOffset() == 0) {
1149 // Get the base region's size.
1150 DefinedOrUnknownSVal SizeDV = getDynamicExtent(State, BR, svalBuilder);
1151
1152 ProgramStateRef StateWholeReg, StateNotWholeReg;
1153 std::tie(StateWholeReg, StateNotWholeReg) =
1154 State->assume(svalBuilder.evalEQ(State, SizeDV, *SizeNL));
1155
1156 // With the semantic of 'memset()', we should convert the CharVal to
1157 // unsigned char.
1158 CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy);
1159
1160 ProgramStateRef StateNullChar, StateNonNullChar;
1161 std::tie(StateNullChar, StateNonNullChar) =
1162 assumeZero(C, State, CharVal, Ctx.UnsignedCharTy);
1163
1164 if (StateWholeReg && !StateNotWholeReg && StateNullChar &&
1165 !StateNonNullChar) {
1166 // If the 'memset()' acts on the whole region of destination buffer and
1167 // the value of the second argument of 'memset()' is zero, bind the second
1168 // argument's value to the destination buffer with 'default binding'.
1169 // FIXME: Since there is no perfect way to bind the non-zero character, we
1170 // can only deal with zero value here. In the future, we need to deal with
1171 // the binding of non-zero value in the case of whole region.
1172 State = State->bindDefaultZero(svalBuilder.makeLoc(BR),
1173 C.getLocationContext());
1174 } else {
1175 // If the destination buffer's extent is not equal to the value of
1176 // third argument, just invalidate buffer.
1177 State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1178 /*IsSourceBuffer*/ false, Size);
1179 }
1180
1181 if (StateNullChar && !StateNonNullChar) {
1182 // If the value of the second argument of 'memset()' is zero, set the
1183 // string length of destination buffer to 0 directly.
1184 State = setCStringLength(State, MR,
1185 svalBuilder.makeZeroVal(Ctx.getSizeType()));
1186 } else if (!StateNullChar && StateNonNullChar) {
1187 SVal NewStrLen = svalBuilder.getMetadataSymbolVal(
1188 CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(),
1189 C.getLocationContext(), C.blockCount());
1190
1191 // If the value of second argument is not zero, then the string length
1192 // is at least the size argument.
1193 SVal NewStrLenGESize = svalBuilder.evalBinOp(
1194 State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType());
1195
1196 State = setCStringLength(
1197 State->assume(NewStrLenGESize.castAs<DefinedOrUnknownSVal>(), true),
1198 MR, NewStrLen);
1199 }
1200 } else {
1201 // If the offset is not zero and char value is not concrete, we can do
1202 // nothing but invalidate the buffer.
1203 State = InvalidateBuffer(C, State, DstBuffer, MemVal,
1204 /*IsSourceBuffer*/ false, Size);
1205 }
1206 return true;
1207}
1208
1209//===----------------------------------------------------------------------===//
1210// evaluation of individual function calls.
1211//===----------------------------------------------------------------------===//
1212
1213void CStringChecker::evalCopyCommon(CheckerContext &C, const CallExpr *CE,
1214 ProgramStateRef state, SizeArgExpr Size,
1215 DestinationArgExpr Dest,
1216 SourceArgExpr Source, bool Restricted,
1217 bool IsMempcpy, CharKind CK) const {
1218 CurrentFunctionDescription = "memory copy function";
1219
1220 // See if the size argument is zero.
1221 const LocationContext *LCtx = C.getLocationContext();
1222 SVal sizeVal = state->getSVal(Size.Expression, LCtx);
1223 QualType sizeTy = Size.Expression->getType();
1224
1225 ProgramStateRef stateZeroSize, stateNonZeroSize;
1226 std::tie(stateZeroSize, stateNonZeroSize) =
1227 assumeZero(C, state, sizeVal, sizeTy);
1228
1229 // Get the value of the Dest.
1230 SVal destVal = state->getSVal(Dest.Expression, LCtx);
1231
1232 // If the size is zero, there won't be any actual memory access, so
1233 // just bind the return value to the destination buffer and return.
1234 if (stateZeroSize && !stateNonZeroSize) {
1235 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1236 C.addTransition(stateZeroSize);
1237 return;
1238 }
1239
1240 // If the size can be nonzero, we have to check the other arguments.
1241 if (stateNonZeroSize) {
1242 state = stateNonZeroSize;
1243
1244 // Ensure the destination is not null. If it is NULL there will be a
1245 // NULL pointer dereference.
1246 state = checkNonNull(C, state, Dest, destVal);
1247 if (!state)
1248 return;
1249
1250 // Get the value of the Src.
1251 SVal srcVal = state->getSVal(Source.Expression, LCtx);
1252
1253 // Ensure the source is not null. If it is NULL there will be a
1254 // NULL pointer dereference.
1255 state = checkNonNull(C, state, Source, srcVal);
1256 if (!state)
1257 return;
1258
1259 // Ensure the accesses are valid and that the buffers do not overlap.
1260 state = CheckBufferAccess(C, state, Dest, Size, AccessKind::write, CK);
1261 state = CheckBufferAccess(C, state, Source, Size, AccessKind::read, CK);
1262
1263 if (Restricted)
1264 state = CheckOverlap(C, state, Size, Dest, Source, CK);
1265
1266 if (!state)
1267 return;
1268
1269 // If this is mempcpy, get the byte after the last byte copied and
1270 // bind the expr.
1271 if (IsMempcpy) {
1272 // Get the byte after the last byte copied.
1273 SValBuilder &SvalBuilder = C.getSValBuilder();
1274 ASTContext &Ctx = SvalBuilder.getContext();
1275 QualType CharPtrTy = getCharPtrType(Ctx, CK);
1276 SVal DestRegCharVal =
1277 SvalBuilder.evalCast(destVal, CharPtrTy, Dest.Expression->getType());
1278 SVal lastElement = C.getSValBuilder().evalBinOp(
1279 state, BO_Add, DestRegCharVal, sizeVal, Dest.Expression->getType());
1280 // If we don't know how much we copied, we can at least
1281 // conjure a return value for later.
1282 if (lastElement.isUnknown())
1283 lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1284 C.blockCount());
1285
1286 // The byte after the last byte copied is the return value.
1287 state = state->BindExpr(CE, LCtx, lastElement);
1288 } else {
1289 // All other copies return the destination buffer.
1290 // (Well, bcopy() has a void return type, but this won't hurt.)
1291 state = state->BindExpr(CE, LCtx, destVal);
1292 }
1293
1294 // Invalidate the destination (regular invalidation without pointer-escaping
1295 // the address of the top-level region).
1296 // FIXME: Even if we can't perfectly model the copy, we should see if we
1297 // can use LazyCompoundVals to copy the source values into the destination.
1298 // This would probably remove any existing bindings past the end of the
1299 // copied region, but that's still an improvement over blank invalidation.
1300 state =
1301 InvalidateBuffer(C, state, Dest.Expression, C.getSVal(Dest.Expression),
1302 /*IsSourceBuffer*/ false, Size.Expression);
1303
1304 // Invalidate the source (const-invalidation without const-pointer-escaping
1305 // the address of the top-level region).
1306 state = InvalidateBuffer(C, state, Source.Expression,
1307 C.getSVal(Source.Expression),
1308 /*IsSourceBuffer*/ true, nullptr);
1309
1310 C.addTransition(state);
1311 }
1312}
1313
1314void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE,
1315 CharKind CK) const {
1316 // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1317 // The return value is the address of the destination buffer.
1318 DestinationArgExpr Dest = {CE->getArg(0), 0};
1319 SourceArgExpr Src = {CE->getArg(1), 1};
1320 SizeArgExpr Size = {CE->getArg(2), 2};
1321
1322 ProgramStateRef State = C.getState();
1323
1324 constexpr bool IsRestricted = true;
1325 constexpr bool IsMempcpy = false;
1326 evalCopyCommon(C, CE, State, Size, Dest, Src, IsRestricted, IsMempcpy, CK);
1327}
1328
1329void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE,
1330 CharKind CK) const {
1331 // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1332 // The return value is a pointer to the byte following the last written byte.
1333 DestinationArgExpr Dest = {CE->getArg(0), 0};
1334 SourceArgExpr Src = {CE->getArg(1), 1};
1335 SizeArgExpr Size = {CE->getArg(2), 2};
1336
1337 constexpr bool IsRestricted = true;
1338 constexpr bool IsMempcpy = true;
1339 evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy,
1340 CK);
1341}
1342
1343void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE,
1344 CharKind CK) const {
1345 // void *memmove(void *dst, const void *src, size_t n);
1346 // The return value is the address of the destination buffer.
1347 DestinationArgExpr Dest = {CE->getArg(0), 0};
1348 SourceArgExpr Src = {CE->getArg(1), 1};
1349 SizeArgExpr Size = {CE->getArg(2), 2};
1350
1351 constexpr bool IsRestricted = false;
1352 constexpr bool IsMempcpy = false;
1353 evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy,
1354 CK);
1355}
1356
1357void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1358 // void bcopy(const void *src, void *dst, size_t n);
1359 SourceArgExpr Src(CE->getArg(0), 0);
1360 DestinationArgExpr Dest = {CE->getArg(1), 1};
1361 SizeArgExpr Size = {CE->getArg(2), 2};
1362
1363 constexpr bool IsRestricted = false;
1364 constexpr bool IsMempcpy = false;
1365 evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy,
1366 CharKind::Regular);
1367}
1368
1369void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE,
1370 CharKind CK) const {
1371 // int memcmp(const void *s1, const void *s2, size_t n);
1372 CurrentFunctionDescription = "memory comparison function";
1373
1374 AnyArgExpr Left = {CE->getArg(0), 0};
1375 AnyArgExpr Right = {CE->getArg(1), 1};
1376 SizeArgExpr Size = {CE->getArg(2), 2};
1377
1378 ProgramStateRef State = C.getState();
1379 SValBuilder &Builder = C.getSValBuilder();
1380 const LocationContext *LCtx = C.getLocationContext();
1381
1382 // See if the size argument is zero.
1383 SVal sizeVal = State->getSVal(Size.Expression, LCtx);
1384 QualType sizeTy = Size.Expression->getType();
1385
1386 ProgramStateRef stateZeroSize, stateNonZeroSize;
1387 std::tie(stateZeroSize, stateNonZeroSize) =
1388 assumeZero(C, State, sizeVal, sizeTy);
1389
1390 // If the size can be zero, the result will be 0 in that case, and we don't
1391 // have to check either of the buffers.
1392 if (stateZeroSize) {
1393 State = stateZeroSize;
1394 State = State->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType()));
1395 C.addTransition(State);
1396 }
1397
1398 // If the size can be nonzero, we have to check the other arguments.
1399 if (stateNonZeroSize) {
1400 State = stateNonZeroSize;
1401 // If we know the two buffers are the same, we know the result is 0.
1402 // First, get the two buffers' addresses. Another checker will have already
1403 // made sure they're not undefined.
1404 DefinedOrUnknownSVal LV =
1405 State->getSVal(Left.Expression, LCtx).castAs<DefinedOrUnknownSVal>();
1406 DefinedOrUnknownSVal RV =
1407 State->getSVal(Right.Expression, LCtx).castAs<DefinedOrUnknownSVal>();
1408
1409 // See if they are the same.
1410 ProgramStateRef SameBuffer, NotSameBuffer;
1411 std::tie(SameBuffer, NotSameBuffer) =
1412 State->assume(Builder.evalEQ(State, LV, RV));
1413
1414 // If the two arguments are the same buffer, we know the result is 0,
1415 // and we only need to check one size.
1416 if (SameBuffer && !NotSameBuffer) {
1417 State = SameBuffer;
1418 State = CheckBufferAccess(C, State, Left, Size, AccessKind::read);
1419 if (State) {
1420 State =
1421 SameBuffer->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType()));
1422 C.addTransition(State);
1423 }
1424 return;
1425 }
1426
1427 // If the two arguments might be different buffers, we have to check
1428 // the size of both of them.
1429 assert(NotSameBuffer)(static_cast <bool> (NotSameBuffer) ? void (0) : __assert_fail
("NotSameBuffer", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 1429, __extension__ __PRETTY_FUNCTION__));
1430 State = CheckBufferAccess(C, State, Right, Size, AccessKind::read, CK);
1431 State = CheckBufferAccess(C, State, Left, Size, AccessKind::read, CK);
1432 if (State) {
1433 // The return value is the comparison result, which we don't know.
1434 SVal CmpV = Builder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1435 State = State->BindExpr(CE, LCtx, CmpV);
1436 C.addTransition(State);
1437 }
1438 }
1439}
1440
1441void CStringChecker::evalstrLength(CheckerContext &C,
1442 const CallExpr *CE) const {
1443 // size_t strlen(const char *s);
1444 evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1445}
1446
1447void CStringChecker::evalstrnLength(CheckerContext &C,
1448 const CallExpr *CE) const {
1449 // size_t strnlen(const char *s, size_t maxlen);
1450 evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1
Calling 'CStringChecker::evalstrLengthCommon'
1451}
1452
1453void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1454 bool IsStrnlen) const {
1455 CurrentFunctionDescription = "string length function";
1456 ProgramStateRef state = C.getState();
1457 const LocationContext *LCtx = C.getLocationContext();
1458
1459 if (IsStrnlen
1.1
'IsStrnlen' is true
1.1
'IsStrnlen' is true
1.1
'IsStrnlen' is true
) {
2
Taking true branch
1460 const Expr *maxlenExpr = CE->getArg(1);
1461 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1462
1463 ProgramStateRef stateZeroSize, stateNonZeroSize;
1464 std::tie(stateZeroSize, stateNonZeroSize) =
1465 assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1466
1467 // If the size can be zero, the result will be 0 in that case, and we don't
1468 // have to check the string itself.
1469 if (stateZeroSize) {
3
Assuming the condition is false
4
Taking false branch
1470 SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1471 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1472 C.addTransition(stateZeroSize);
1473 }
1474
1475 // If the size is GUARANTEED to be zero, we're done!
1476 if (!stateNonZeroSize)
5
Assuming the condition is false
6
Taking false branch
1477 return;
1478
1479 // Otherwise, record the assumption that the size is nonzero.
1480 state = stateNonZeroSize;
1481 }
1482
1483 // Check that the string argument is non-null.
1484 AnyArgExpr Arg = {CE->getArg(0), 0};
1485 SVal ArgVal = state->getSVal(Arg.Expression, LCtx);
1486 state = checkNonNull(C, state, Arg, ArgVal);
1487
1488 if (!state)
7
Assuming the condition is false
8
Taking false branch
1489 return;
1490
1491 SVal strLength = getCStringLength(C, state, Arg.Expression, ArgVal);
1492
1493 // If the argument isn't a valid C string, there's no valid state to
1494 // transition to.
1495 if (strLength.isUndef())
9
Taking false branch
1496 return;
1497
1498 DefinedOrUnknownSVal result = UnknownVal();
1499
1500 // If the check is for strnlen() then bind the return value to no more than
1501 // the maxlen value.
1502 if (IsStrnlen
9.1
'IsStrnlen' is true
9.1
'IsStrnlen' is true
9.1
'IsStrnlen' is true
) {
10
Taking true branch
1503 QualType cmpTy = C.getSValBuilder().getConditionType();
1504
1505 // It's a little unfortunate to be getting this again,
1506 // but it's not that expensive...
1507 const Expr *maxlenExpr = CE->getArg(1);
1508 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1509
1510 std::optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1511 std::optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1512
1513 if (strLengthNL && maxlenValNL) {
11
Assuming the condition is true
12
Assuming the condition is true
13
Taking true branch
1514 ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1515
1516 // Check if the strLength is greater than the maxlen.
1517 std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1518 C.getSValBuilder()
1519 .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1520 .castAs<DefinedOrUnknownSVal>());
1521
1522 if (stateStringTooLong && !stateStringNotTooLong) {
14
Assuming the condition is false
1523 // If the string is longer than maxlen, return maxlen.
1524 result = *maxlenValNL;
1525 } else if (stateStringNotTooLong && !stateStringTooLong) {
15
Assuming the condition is false
1526 // If the string is shorter than maxlen, return its length.
1527 result = *strLengthNL;
1528 }
1529 }
1530
1531 if (result.isUnknown()) {
16
Taking true branch
1532 // If we don't have enough information for a comparison, there's
1533 // no guarantee the full string length will actually be returned.
1534 // All we know is the return value is the min of the string length
1535 // and the limit. This is better than nothing.
1536 result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1537 C.blockCount());
1538 NonLoc resultNL = result.castAs<NonLoc>();
1539
1540 if (strLengthNL) {
17
Taking true branch
1541 state = state->assume(C.getSValBuilder().evalBinOpNN(
18
Calling 'ProgramState::assume'
21
Returning from 'ProgramState::assume'
22
Calling copy assignment operator for 'IntrusiveRefCntPtr<const clang::ento::ProgramState>'
27
Returning from copy assignment operator for 'IntrusiveRefCntPtr<const clang::ento::ProgramState>'
1542 state, BO_LE, resultNL, *strLengthNL, cmpTy)
1543 .castAs<DefinedOrUnknownSVal>(), true);
1544 }
1545
1546 if (maxlenValNL) {
28
Taking true branch
1547 state = state->assume(C.getSValBuilder().evalBinOpNN(
29
Called C++ object pointer is null
1548 state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1549 .castAs<DefinedOrUnknownSVal>(), true);
1550 }
1551 }
1552
1553 } else {
1554 // This is a plain strlen(), not strnlen().
1555 result = strLength.castAs<DefinedOrUnknownSVal>();
1556
1557 // If we don't know the length of the string, conjure a return
1558 // value, so it can be used in constraints, at least.
1559 if (result.isUnknown()) {
1560 result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1561 C.blockCount());
1562 }
1563 }
1564
1565 // Bind the return value.
1566 assert(!result.isUnknown() && "Should have conjured a value by now")(static_cast <bool> (!result.isUnknown() && "Should have conjured a value by now"
) ? void (0) : __assert_fail ("!result.isUnknown() && \"Should have conjured a value by now\""
, "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp", 1566
, __extension__ __PRETTY_FUNCTION__));
1567 state = state->BindExpr(CE, LCtx, result);
1568 C.addTransition(state);
1569}
1570
1571void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1572 // char *strcpy(char *restrict dst, const char *restrict src);
1573 evalStrcpyCommon(C, CE,
1574 /* ReturnEnd = */ false,
1575 /* IsBounded = */ false,
1576 /* appendK = */ ConcatFnKind::none);
1577}
1578
1579void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1580 // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1581 evalStrcpyCommon(C, CE,
1582 /* ReturnEnd = */ false,
1583 /* IsBounded = */ true,
1584 /* appendK = */ ConcatFnKind::none);
1585}
1586
1587void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1588 // char *stpcpy(char *restrict dst, const char *restrict src);
1589 evalStrcpyCommon(C, CE,
1590 /* ReturnEnd = */ true,
1591 /* IsBounded = */ false,
1592 /* appendK = */ ConcatFnKind::none);
1593}
1594
1595void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const {
1596 // size_t strlcpy(char *dest, const char *src, size_t size);
1597 evalStrcpyCommon(C, CE,
1598 /* ReturnEnd = */ true,
1599 /* IsBounded = */ true,
1600 /* appendK = */ ConcatFnKind::none,
1601 /* returnPtr = */ false);
1602}
1603
1604void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1605 // char *strcat(char *restrict s1, const char *restrict s2);
1606 evalStrcpyCommon(C, CE,
1607 /* ReturnEnd = */ false,
1608 /* IsBounded = */ false,
1609 /* appendK = */ ConcatFnKind::strcat);
1610}
1611
1612void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1613 // char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1614 evalStrcpyCommon(C, CE,
1615 /* ReturnEnd = */ false,
1616 /* IsBounded = */ true,
1617 /* appendK = */ ConcatFnKind::strcat);
1618}
1619
1620void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const {
1621 // size_t strlcat(char *dst, const char *src, size_t size);
1622 // It will append at most size - strlen(dst) - 1 bytes,
1623 // NULL-terminating the result.
1624 evalStrcpyCommon(C, CE,
1625 /* ReturnEnd = */ false,
1626 /* IsBounded = */ true,
1627 /* appendK = */ ConcatFnKind::strlcat,
1628 /* returnPtr = */ false);
1629}
1630
1631void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1632 bool ReturnEnd, bool IsBounded,
1633 ConcatFnKind appendK,
1634 bool returnPtr) const {
1635 if (appendK == ConcatFnKind::none)
1636 CurrentFunctionDescription = "string copy function";
1637 else
1638 CurrentFunctionDescription = "string concatenation function";
1639
1640 ProgramStateRef state = C.getState();
1641 const LocationContext *LCtx = C.getLocationContext();
1642
1643 // Check that the destination is non-null.
1644 DestinationArgExpr Dst = {CE->getArg(0), 0};
1645 SVal DstVal = state->getSVal(Dst.Expression, LCtx);
1646 state = checkNonNull(C, state, Dst, DstVal);
1647 if (!state)
1648 return;
1649
1650 // Check that the source is non-null.
1651 SourceArgExpr srcExpr = {CE->getArg(1), 1};
1652 SVal srcVal = state->getSVal(srcExpr.Expression, LCtx);
1653 state = checkNonNull(C, state, srcExpr, srcVal);
1654 if (!state)
1655 return;
1656
1657 // Get the string length of the source.
1658 SVal strLength = getCStringLength(C, state, srcExpr.Expression, srcVal);
1659 std::optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1660
1661 // Get the string length of the destination buffer.
1662 SVal dstStrLength = getCStringLength(C, state, Dst.Expression, DstVal);
1663 std::optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1664
1665 // If the source isn't a valid C string, give up.
1666 if (strLength.isUndef())
1667 return;
1668
1669 SValBuilder &svalBuilder = C.getSValBuilder();
1670 QualType cmpTy = svalBuilder.getConditionType();
1671 QualType sizeTy = svalBuilder.getContext().getSizeType();
1672
1673 // These two values allow checking two kinds of errors:
1674 // - actual overflows caused by a source that doesn't fit in the destination
1675 // - potential overflows caused by a bound that could exceed the destination
1676 SVal amountCopied = UnknownVal();
1677 SVal maxLastElementIndex = UnknownVal();
1678 const char *boundWarning = nullptr;
1679
1680 // FIXME: Why do we choose the srcExpr if the access has no size?
1681 // Note that the 3rd argument of the call would be the size parameter.
1682 SizeArgExpr SrcExprAsSizeDummy = {srcExpr.Expression, srcExpr.ArgumentIndex};
1683 state = CheckOverlap(
1684 C, state,
1685 (IsBounded ? SizeArgExpr{CE->getArg(2), 2} : SrcExprAsSizeDummy), Dst,
1686 srcExpr);
1687
1688 if (!state)
1689 return;
1690
1691 // If the function is strncpy, strncat, etc... it is bounded.
1692 if (IsBounded) {
1693 // Get the max number of characters to copy.
1694 SizeArgExpr lenExpr = {CE->getArg(2), 2};
1695 SVal lenVal = state->getSVal(lenExpr.Expression, LCtx);
1696
1697 // Protect against misdeclared strncpy().
1698 lenVal =
1699 svalBuilder.evalCast(lenVal, sizeTy, lenExpr.Expression->getType());
1700
1701 std::optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1702
1703 // If we know both values, we might be able to figure out how much
1704 // we're copying.
1705 if (strLengthNL && lenValNL) {
1706 switch (appendK) {
1707 case ConcatFnKind::none:
1708 case ConcatFnKind::strcat: {
1709 ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1710 // Check if the max number to copy is less than the length of the src.
1711 // If the bound is equal to the source length, strncpy won't null-
1712 // terminate the result!
1713 std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1714 svalBuilder
1715 .evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1716 .castAs<DefinedOrUnknownSVal>());
1717
1718 if (stateSourceTooLong && !stateSourceNotTooLong) {
1719 // Max number to copy is less than the length of the src, so the
1720 // actual strLength copied is the max number arg.
1721 state = stateSourceTooLong;
1722 amountCopied = lenVal;
1723
1724 } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1725 // The source buffer entirely fits in the bound.
1726 state = stateSourceNotTooLong;
1727 amountCopied = strLength;
1728 }
1729 break;
1730 }
1731 case ConcatFnKind::strlcat:
1732 if (!dstStrLengthNL)
1733 return;
1734
1735 // amountCopied = min (size - dstLen - 1 , srcLen)
1736 SVal freeSpace = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1737 *dstStrLengthNL, sizeTy);
1738 if (!isa<NonLoc>(freeSpace))
1739 return;
1740 freeSpace =
1741 svalBuilder.evalBinOp(state, BO_Sub, freeSpace,
1742 svalBuilder.makeIntVal(1, sizeTy), sizeTy);
1743 std::optional<NonLoc> freeSpaceNL = freeSpace.getAs<NonLoc>();
1744
1745 // While unlikely, it is possible that the subtraction is
1746 // too complex to compute, let's check whether it succeeded.
1747 if (!freeSpaceNL)
1748 return;
1749 SVal hasEnoughSpace = svalBuilder.evalBinOpNN(
1750 state, BO_LE, *strLengthNL, *freeSpaceNL, cmpTy);
1751
1752 ProgramStateRef TrueState, FalseState;
1753 std::tie(TrueState, FalseState) =
1754 state->assume(hasEnoughSpace.castAs<DefinedOrUnknownSVal>());
1755
1756 // srcStrLength <= size - dstStrLength -1
1757 if (TrueState && !FalseState) {
1758 amountCopied = strLength;
1759 }
1760
1761 // srcStrLength > size - dstStrLength -1
1762 if (!TrueState && FalseState) {
1763 amountCopied = freeSpace;
1764 }
1765
1766 if (TrueState && FalseState)
1767 amountCopied = UnknownVal();
1768 break;
1769 }
1770 }
1771 // We still want to know if the bound is known to be too large.
1772 if (lenValNL) {
1773 switch (appendK) {
1774 case ConcatFnKind::strcat:
1775 // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1776
1777 // Get the string length of the destination. If the destination is
1778 // memory that can't have a string length, we shouldn't be copying
1779 // into it anyway.
1780 if (dstStrLength.isUndef())
1781 return;
1782
1783 if (dstStrLengthNL) {
1784 maxLastElementIndex = svalBuilder.evalBinOpNN(
1785 state, BO_Add, *lenValNL, *dstStrLengthNL, sizeTy);
1786
1787 boundWarning = "Size argument is greater than the free space in the "
1788 "destination buffer";
1789 }
1790 break;
1791 case ConcatFnKind::none:
1792 case ConcatFnKind::strlcat:
1793 // For strncpy and strlcat, this is just checking
1794 // that lenVal <= sizeof(dst).
1795 // (Yes, strncpy and strncat differ in how they treat termination.
1796 // strncat ALWAYS terminates, but strncpy doesn't.)
1797
1798 // We need a special case for when the copy size is zero, in which
1799 // case strncpy will do no work at all. Our bounds check uses n-1
1800 // as the last element accessed, so n == 0 is problematic.
1801 ProgramStateRef StateZeroSize, StateNonZeroSize;
1802 std::tie(StateZeroSize, StateNonZeroSize) =
1803 assumeZero(C, state, *lenValNL, sizeTy);
1804
1805 // If the size is known to be zero, we're done.
1806 if (StateZeroSize && !StateNonZeroSize) {
1807 if (returnPtr) {
1808 StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1809 } else {
1810 if (appendK == ConcatFnKind::none) {
1811 // strlcpy returns strlen(src)
1812 StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, strLength);
1813 } else {
1814 // strlcat returns strlen(src) + strlen(dst)
1815 SVal retSize = svalBuilder.evalBinOp(
1816 state, BO_Add, strLength, dstStrLength, sizeTy);
1817 StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, retSize);
1818 }
1819 }
1820 C.addTransition(StateZeroSize);
1821 return;
1822 }
1823
1824 // Otherwise, go ahead and figure out the last element we'll touch.
1825 // We don't record the non-zero assumption here because we can't
1826 // be sure. We won't warn on a possible zero.
1827 NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1828 maxLastElementIndex =
1829 svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, one, sizeTy);
1830 boundWarning = "Size argument is greater than the length of the "
1831 "destination buffer";
1832 break;
1833 }
1834 }
1835 } else {
1836 // The function isn't bounded. The amount copied should match the length
1837 // of the source buffer.
1838 amountCopied = strLength;
1839 }
1840
1841 assert(state)(static_cast <bool> (state) ? void (0) : __assert_fail (
"state", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 1841, __extension__ __PRETTY_FUNCTION__));
1842
1843 // This represents the number of characters copied into the destination
1844 // buffer. (It may not actually be the strlen if the destination buffer
1845 // is not terminated.)
1846 SVal finalStrLength = UnknownVal();
1847 SVal strlRetVal = UnknownVal();
1848
1849 if (appendK == ConcatFnKind::none && !returnPtr) {
1850 // strlcpy returns the sizeof(src)
1851 strlRetVal = strLength;
1852 }
1853
1854 // If this is an appending function (strcat, strncat...) then set the
1855 // string length to strlen(src) + strlen(dst) since the buffer will
1856 // ultimately contain both.
1857 if (appendK != ConcatFnKind::none) {
1858 // Get the string length of the destination. If the destination is memory
1859 // that can't have a string length, we shouldn't be copying into it anyway.
1860 if (dstStrLength.isUndef())
1861 return;
1862
1863 if (appendK == ConcatFnKind::strlcat && dstStrLengthNL && strLengthNL) {
1864 strlRetVal = svalBuilder.evalBinOpNN(state, BO_Add, *strLengthNL,
1865 *dstStrLengthNL, sizeTy);
1866 }
1867
1868 std::optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>();
1869
1870 // If we know both string lengths, we might know the final string length.
1871 if (amountCopiedNL && dstStrLengthNL) {
1872 // Make sure the two lengths together don't overflow a size_t.
1873 state = checkAdditionOverflow(C, state, *amountCopiedNL, *dstStrLengthNL);
1874 if (!state)
1875 return;
1876
1877 finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *amountCopiedNL,
1878 *dstStrLengthNL, sizeTy);
1879 }
1880
1881 // If we couldn't get a single value for the final string length,
1882 // we can at least bound it by the individual lengths.
1883 if (finalStrLength.isUnknown()) {
1884 // Try to get a "hypothetical" string length symbol, which we can later
1885 // set as a real value if that turns out to be the case.
1886 finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1887 assert(!finalStrLength.isUndef())(static_cast <bool> (!finalStrLength.isUndef()) ? void (
0) : __assert_fail ("!finalStrLength.isUndef()", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 1887, __extension__ __PRETTY_FUNCTION__));
1888
1889 if (std::optional<NonLoc> finalStrLengthNL =
1890 finalStrLength.getAs<NonLoc>()) {
1891 if (amountCopiedNL && appendK == ConcatFnKind::none) {
1892 // we overwrite dst string with the src
1893 // finalStrLength >= srcStrLength
1894 SVal sourceInResult = svalBuilder.evalBinOpNN(
1895 state, BO_GE, *finalStrLengthNL, *amountCopiedNL, cmpTy);
1896 state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1897 true);
1898 if (!state)
1899 return;
1900 }
1901
1902 if (dstStrLengthNL && appendK != ConcatFnKind::none) {
1903 // we extend the dst string with the src
1904 // finalStrLength >= dstStrLength
1905 SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1906 *finalStrLengthNL,
1907 *dstStrLengthNL,
1908 cmpTy);
1909 state =
1910 state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1911 if (!state)
1912 return;
1913 }
1914 }
1915 }
1916
1917 } else {
1918 // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1919 // the final string length will match the input string length.
1920 finalStrLength = amountCopied;
1921 }
1922
1923 SVal Result;
1924
1925 if (returnPtr) {
1926 // The final result of the function will either be a pointer past the last
1927 // copied element, or a pointer to the start of the destination buffer.
1928 Result = (ReturnEnd ? UnknownVal() : DstVal);
1929 } else {
1930 if (appendK == ConcatFnKind::strlcat || appendK == ConcatFnKind::none)
1931 //strlcpy, strlcat
1932 Result = strlRetVal;
1933 else
1934 Result = finalStrLength;
1935 }
1936
1937 assert(state)(static_cast <bool> (state) ? void (0) : __assert_fail (
"state", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 1937, __extension__ __PRETTY_FUNCTION__));
1938
1939 // If the destination is a MemRegion, try to check for a buffer overflow and
1940 // record the new string length.
1941 if (std::optional<loc::MemRegionVal> dstRegVal =
1942 DstVal.getAs<loc::MemRegionVal>()) {
1943 QualType ptrTy = Dst.Expression->getType();
1944
1945 // If we have an exact value on a bounded copy, use that to check for
1946 // overflows, rather than our estimate about how much is actually copied.
1947 if (std::optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1948 SVal maxLastElement =
1949 svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, *maxLastNL, ptrTy);
1950
1951 state = CheckLocation(C, state, Dst, maxLastElement, AccessKind::write);
1952 if (!state)
1953 return;
1954 }
1955
1956 // Then, if the final length is known...
1957 if (std::optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1958 SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1959 *knownStrLength, ptrTy);
1960
1961 // ...and we haven't checked the bound, we'll check the actual copy.
1962 if (!boundWarning) {
1963 state = CheckLocation(C, state, Dst, lastElement, AccessKind::write);
1964 if (!state)
1965 return;
1966 }
1967
1968 // If this is a stpcpy-style copy, the last element is the return value.
1969 if (returnPtr && ReturnEnd)
1970 Result = lastElement;
1971 }
1972
1973 // Invalidate the destination (regular invalidation without pointer-escaping
1974 // the address of the top-level region). This must happen before we set the
1975 // C string length because invalidation will clear the length.
1976 // FIXME: Even if we can't perfectly model the copy, we should see if we
1977 // can use LazyCompoundVals to copy the source values into the destination.
1978 // This would probably remove any existing bindings past the end of the
1979 // string, but that's still an improvement over blank invalidation.
1980 state = InvalidateBuffer(C, state, Dst.Expression, *dstRegVal,
1981 /*IsSourceBuffer*/ false, nullptr);
1982
1983 // Invalidate the source (const-invalidation without const-pointer-escaping
1984 // the address of the top-level region).
1985 state = InvalidateBuffer(C, state, srcExpr.Expression, srcVal,
1986 /*IsSourceBuffer*/ true, nullptr);
1987
1988 // Set the C string length of the destination, if we know it.
1989 if (IsBounded && (appendK == ConcatFnKind::none)) {
1990 // strncpy is annoying in that it doesn't guarantee to null-terminate
1991 // the result string. If the original string didn't fit entirely inside
1992 // the bound (including the null-terminator), we don't know how long the
1993 // result is.
1994 if (amountCopied != strLength)
1995 finalStrLength = UnknownVal();
1996 }
1997 state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1998 }
1999
2000 assert(state)(static_cast <bool> (state) ? void (0) : __assert_fail (
"state", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 2000, __extension__ __PRETTY_FUNCTION__));
2001
2002 if (returnPtr) {
2003 // If this is a stpcpy-style copy, but we were unable to check for a buffer
2004 // overflow, we still need a result. Conjure a return value.
2005 if (ReturnEnd && Result.isUnknown()) {
2006 Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2007 }
2008 }
2009 // Set the return value.
2010 state = state->BindExpr(CE, LCtx, Result);
2011 C.addTransition(state);
2012}
2013
2014void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
2015 //int strcmp(const char *s1, const char *s2);
2016 evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ false);
2017}
2018
2019void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
2020 //int strncmp(const char *s1, const char *s2, size_t n);
2021 evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ false);
2022}
2023
2024void CStringChecker::evalStrcasecmp(CheckerContext &C,
2025 const CallExpr *CE) const {
2026 //int strcasecmp(const char *s1, const char *s2);
2027 evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ true);
2028}
2029
2030void CStringChecker::evalStrncasecmp(CheckerContext &C,
2031 const CallExpr *CE) const {
2032 //int strncasecmp(const char *s1, const char *s2, size_t n);
2033 evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ true);
2034}
2035
2036void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
2037 bool IsBounded, bool IgnoreCase) const {
2038 CurrentFunctionDescription = "string comparison function";
2039 ProgramStateRef state = C.getState();
2040 const LocationContext *LCtx = C.getLocationContext();
2041
2042 // Check that the first string is non-null
2043 AnyArgExpr Left = {CE->getArg(0), 0};
2044 SVal LeftVal = state->getSVal(Left.Expression, LCtx);
2045 state = checkNonNull(C, state, Left, LeftVal);
2046 if (!state)
2047 return;
2048
2049 // Check that the second string is non-null.
2050 AnyArgExpr Right = {CE->getArg(1), 1};
2051 SVal RightVal = state->getSVal(Right.Expression, LCtx);
2052 state = checkNonNull(C, state, Right, RightVal);
2053 if (!state)
2054 return;
2055
2056 // Get the string length of the first string or give up.
2057 SVal LeftLength = getCStringLength(C, state, Left.Expression, LeftVal);
2058 if (LeftLength.isUndef())
2059 return;
2060
2061 // Get the string length of the second string or give up.
2062 SVal RightLength = getCStringLength(C, state, Right.Expression, RightVal);
2063 if (RightLength.isUndef())
2064 return;
2065
2066 // If we know the two buffers are the same, we know the result is 0.
2067 // First, get the two buffers' addresses. Another checker will have already
2068 // made sure they're not undefined.
2069 DefinedOrUnknownSVal LV = LeftVal.castAs<DefinedOrUnknownSVal>();
2070 DefinedOrUnknownSVal RV = RightVal.castAs<DefinedOrUnknownSVal>();
2071
2072 // See if they are the same.
2073 SValBuilder &svalBuilder = C.getSValBuilder();
2074 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
2075 ProgramStateRef StSameBuf, StNotSameBuf;
2076 std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
2077
2078 // If the two arguments might be the same buffer, we know the result is 0,
2079 // and we only need to check one size.
2080 if (StSameBuf) {
2081 StSameBuf = StSameBuf->BindExpr(CE, LCtx,
2082 svalBuilder.makeZeroVal(CE->getType()));
2083 C.addTransition(StSameBuf);
2084
2085 // If the two arguments are GUARANTEED to be the same, we're done!
2086 if (!StNotSameBuf)
2087 return;
2088 }
2089
2090 assert(StNotSameBuf)(static_cast <bool> (StNotSameBuf) ? void (0) : __assert_fail
("StNotSameBuf", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 2090, __extension__ __PRETTY_FUNCTION__));
2091 state = StNotSameBuf;
2092
2093 // At this point we can go about comparing the two buffers.
2094 // For now, we only do this if they're both known string literals.
2095
2096 // Attempt to extract string literals from both expressions.
2097 const StringLiteral *LeftStrLiteral =
2098 getCStringLiteral(C, state, Left.Expression, LeftVal);
2099 const StringLiteral *RightStrLiteral =
2100 getCStringLiteral(C, state, Right.Expression, RightVal);
2101 bool canComputeResult = false;
2102 SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
2103 C.blockCount());
2104
2105 if (LeftStrLiteral && RightStrLiteral) {
2106 StringRef LeftStrRef = LeftStrLiteral->getString();
2107 StringRef RightStrRef = RightStrLiteral->getString();
2108
2109 if (IsBounded) {
2110 // Get the max number of characters to compare.
2111 const Expr *lenExpr = CE->getArg(2);
2112 SVal lenVal = state->getSVal(lenExpr, LCtx);
2113
2114 // If the length is known, we can get the right substrings.
2115 if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
2116 // Create substrings of each to compare the prefix.
2117 LeftStrRef = LeftStrRef.substr(0, (size_t)len->getZExtValue());
2118 RightStrRef = RightStrRef.substr(0, (size_t)len->getZExtValue());
2119 canComputeResult = true;
2120 }
2121 } else {
2122 // This is a normal, unbounded strcmp.
2123 canComputeResult = true;
2124 }
2125
2126 if (canComputeResult) {
2127 // Real strcmp stops at null characters.
2128 size_t s1Term = LeftStrRef.find('\0');
2129 if (s1Term != StringRef::npos)
2130 LeftStrRef = LeftStrRef.substr(0, s1Term);
2131
2132 size_t s2Term = RightStrRef.find('\0');
2133 if (s2Term != StringRef::npos)
2134 RightStrRef = RightStrRef.substr(0, s2Term);
2135
2136 // Use StringRef's comparison methods to compute the actual result.
2137 int compareRes = IgnoreCase ? LeftStrRef.compare_insensitive(RightStrRef)
2138 : LeftStrRef.compare(RightStrRef);
2139
2140 // The strcmp function returns an integer greater than, equal to, or less
2141 // than zero, [c11, p7.24.4.2].
2142 if (compareRes == 0) {
2143 resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
2144 }
2145 else {
2146 DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
2147 // Constrain strcmp's result range based on the result of StringRef's
2148 // comparison methods.
2149 BinaryOperatorKind op = (compareRes > 0) ? BO_GT : BO_LT;
2150 SVal compareWithZero =
2151 svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
2152 svalBuilder.getConditionType());
2153 DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
2154 state = state->assume(compareWithZeroVal, true);
2155 }
2156 }
2157 }
2158
2159 state = state->BindExpr(CE, LCtx, resultVal);
2160
2161 // Record this as a possible path.
2162 C.addTransition(state);
2163}
2164
2165void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
2166 // char *strsep(char **stringp, const char *delim);
2167 // Verify whether the search string parameter matches the return type.
2168 SourceArgExpr SearchStrPtr = {CE->getArg(0), 0};
2169
2170 QualType CharPtrTy = SearchStrPtr.Expression->getType()->getPointeeType();
2171 if (CharPtrTy.isNull() ||
2172 CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
2173 return;
2174
2175 CurrentFunctionDescription = "strsep()";
2176 ProgramStateRef State = C.getState();
2177 const LocationContext *LCtx = C.getLocationContext();
2178
2179 // Check that the search string pointer is non-null (though it may point to
2180 // a null string).
2181 SVal SearchStrVal = State->getSVal(SearchStrPtr.Expression, LCtx);
2182 State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
2183 if (!State)
2184 return;
2185
2186 // Check that the delimiter string is non-null.
2187 AnyArgExpr DelimStr = {CE->getArg(1), 1};
2188 SVal DelimStrVal = State->getSVal(DelimStr.Expression, LCtx);
2189 State = checkNonNull(C, State, DelimStr, DelimStrVal);
2190 if (!State)
2191 return;
2192
2193 SValBuilder &SVB = C.getSValBuilder();
2194 SVal Result;
2195 if (std::optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
2196 // Get the current value of the search string pointer, as a char*.
2197 Result = State->getSVal(*SearchStrLoc, CharPtrTy);
2198
2199 // Invalidate the search string, representing the change of one delimiter
2200 // character to NUL.
2201 State = InvalidateBuffer(C, State, SearchStrPtr.Expression, Result,
2202 /*IsSourceBuffer*/ false, nullptr);
2203
2204 // Overwrite the search string pointer. The new value is either an address
2205 // further along in the same string, or NULL if there are no more tokens.
2206 State = State->bindLoc(*SearchStrLoc,
2207 SVB.conjureSymbolVal(getTag(),
2208 CE,
2209 LCtx,
2210 CharPtrTy,
2211 C.blockCount()),
2212 LCtx);
2213 } else {
2214 assert(SearchStrVal.isUnknown())(static_cast <bool> (SearchStrVal.isUnknown()) ? void (
0) : __assert_fail ("SearchStrVal.isUnknown()", "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp"
, 2214, __extension__ __PRETTY_FUNCTION__));
2215 // Conjure a symbolic value. It's the best we can do.
2216 Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2217 }
2218
2219 // Set the return value, and finish.
2220 State = State->BindExpr(CE, LCtx, Result);
2221 C.addTransition(State);
2222}
2223
2224// These should probably be moved into a C++ standard library checker.
2225void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
2226 evalStdCopyCommon(C, CE);
2227}
2228
2229void CStringChecker::evalStdCopyBackward(CheckerContext &C,
2230 const CallExpr *CE) const {
2231 evalStdCopyCommon(C, CE);
2232}
2233
2234void CStringChecker::evalStdCopyCommon(CheckerContext &C,
2235 const CallExpr *CE) const {
2236 if (!CE->getArg(2)->getType()->isPointerType())
2237 return;
2238
2239 ProgramStateRef State = C.getState();
2240
2241 const LocationContext *LCtx = C.getLocationContext();
2242
2243 // template <class _InputIterator, class _OutputIterator>
2244 // _OutputIterator
2245 // copy(_InputIterator __first, _InputIterator __last,
2246 // _OutputIterator __result)
2247
2248 // Invalidate the destination buffer
2249 const Expr *Dst = CE->getArg(2);
2250 SVal DstVal = State->getSVal(Dst, LCtx);
2251 State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
2252 /*Size=*/nullptr);
2253
2254 SValBuilder &SVB = C.getSValBuilder();
2255
2256 SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
2257 State = State->BindExpr(CE, LCtx, ResultVal);
2258
2259 C.addTransition(State);
2260}
2261
2262void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
2263 // void *memset(void *s, int c, size_t n);
2264 CurrentFunctionDescription = "memory set function";
2265
2266 DestinationArgExpr Buffer = {CE->getArg(0), 0};
2267 AnyArgExpr CharE = {CE->getArg(1), 1};
2268 SizeArgExpr Size = {CE->getArg(2), 2};
2269
2270 ProgramStateRef State = C.getState();
2271
2272 // See if the size argument is zero.
2273 const LocationContext *LCtx = C.getLocationContext();
2274 SVal SizeVal = C.getSVal(Size.Expression);
2275 QualType SizeTy = Size.Expression->getType();
2276
2277 ProgramStateRef ZeroSize, NonZeroSize;
2278 std::tie(ZeroSize, NonZeroSize) = assumeZero(C, State, SizeVal, SizeTy);
2279
2280 // Get the value of the memory area.
2281 SVal BufferPtrVal = C.getSVal(Buffer.Expression);
2282
2283 // If the size is zero, there won't be any actual memory access, so
2284 // just bind the return value to the buffer and return.
2285 if (ZeroSize && !NonZeroSize) {
2286 ZeroSize = ZeroSize->BindExpr(CE, LCtx, BufferPtrVal);
2287 C.addTransition(ZeroSize);
2288 return;
2289 }
2290
2291 // Ensure the memory area is not null.
2292 // If it is NULL there will be a NULL pointer dereference.
2293 State = checkNonNull(C, NonZeroSize, Buffer, BufferPtrVal);
2294 if (!State)
2295 return;
2296
2297 State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
2298 if (!State)
2299 return;
2300
2301 // According to the values of the arguments, bind the value of the second
2302 // argument to the destination buffer and set string length, or just
2303 // invalidate the destination buffer.
2304 if (!memsetAux(Buffer.Expression, C.getSVal(CharE.Expression),
2305 Size.Expression, C, State))
2306 return;
2307
2308 State = State->BindExpr(CE, LCtx, BufferPtrVal);
2309 C.addTransition(State);
2310}
2311
2312void CStringChecker::evalBzero(CheckerContext &C, const CallExpr *CE) const {
2313 CurrentFunctionDescription = "memory clearance function";
2314
2315 DestinationArgExpr Buffer = {CE->getArg(0), 0};
2316 SizeArgExpr Size = {CE->getArg(1), 1};
2317 SVal Zero = C.getSValBuilder().makeZeroVal(C.getASTContext().IntTy);
2318
2319 ProgramStateRef State = C.getState();
2320
2321 // See if the size argument is zero.
2322 SVal SizeVal = C.getSVal(Size.Expression);
2323 QualType SizeTy = Size.Expression->getType();
2324
2325 ProgramStateRef StateZeroSize, StateNonZeroSize;
2326 std::tie(StateZeroSize, StateNonZeroSize) =
2327 assumeZero(C, State, SizeVal, SizeTy);
2328
2329 // If the size is zero, there won't be any actual memory access,
2330 // In this case we just return.
2331 if (StateZeroSize && !StateNonZeroSize) {
2332 C.addTransition(StateZeroSize);
2333 return;
2334 }
2335
2336 // Get the value of the memory area.
2337 SVal MemVal = C.getSVal(Buffer.Expression);
2338
2339 // Ensure the memory area is not null.
2340 // If it is NULL there will be a NULL pointer dereference.
2341 State = checkNonNull(C, StateNonZeroSize, Buffer, MemVal);
2342 if (!State)
2343 return;
2344
2345 State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
2346 if (!State)
2347 return;
2348
2349 if (!memsetAux(Buffer.Expression, Zero, Size.Expression, C, State))
2350 return;
2351
2352 C.addTransition(State);
2353}
2354
2355//===----------------------------------------------------------------------===//
2356// The driver method, and other Checker callbacks.
2357//===----------------------------------------------------------------------===//
2358
2359CStringChecker::FnCheck CStringChecker::identifyCall(const CallEvent &Call,
2360 CheckerContext &C) const {
2361 const auto *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr());
2362 if (!CE)
2363 return nullptr;
2364
2365 const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
2366 if (!FD)
2367 return nullptr;
2368
2369 if (StdCopy.matches(Call))
2370 return &CStringChecker::evalStdCopy;
2371 if (StdCopyBackward.matches(Call))
2372 return &CStringChecker::evalStdCopyBackward;
2373
2374 // Pro-actively check that argument types are safe to do arithmetic upon.
2375 // We do not want to crash if someone accidentally passes a structure
2376 // into, say, a C++ overload of any of these functions. We could not check
2377 // that for std::copy because they may have arguments of other types.
2378 for (auto I : CE->arguments()) {
2379 QualType T = I->getType();
2380 if (!T->isIntegralOrEnumerationType() && !T->isPointerType())
2381 return nullptr;
2382 }
2383
2384 const FnCheck *Callback = Callbacks.lookup(Call);
2385 if (Callback)
2386 return *Callback;
2387
2388 return nullptr;
2389}
2390
2391bool CStringChecker::evalCall(const CallEvent &Call, CheckerContext &C) const {
2392 FnCheck Callback = identifyCall(Call, C);
2393
2394 // If the callee isn't a string function, let another checker handle it.
2395 if (!Callback)
2396 return false;
2397
2398 // Check and evaluate the call.
2399 const auto *CE = cast<CallExpr>(Call.getOriginExpr());
2400 Callback(this, C, CE);
2401
2402 // If the evaluate call resulted in no change, chain to the next eval call
2403 // handler.
2404 // Note, the custom CString evaluation calls assume that basic safety
2405 // properties are held. However, if the user chooses to turn off some of these
2406 // checks, we ignore the issues and leave the call evaluation to a generic
2407 // handler.
2408 return C.isDifferent();
2409}
2410
2411void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2412 // Record string length for char a[] = "abc";
2413 ProgramStateRef state = C.getState();
2414
2415 for (const auto *I : DS->decls()) {
2416 const VarDecl *D = dyn_cast<VarDecl>(I);
2417 if (!D)
2418 continue;
2419
2420 // FIXME: Handle array fields of structs.
2421 if (!D->getType()->isArrayType())
2422 continue;
2423
2424 const Expr *Init = D->getInit();
2425 if (!Init)
2426 continue;
2427 if (!isa<StringLiteral>(Init))
2428 continue;
2429
2430 Loc VarLoc = state->getLValue(D, C.getLocationContext());
2431 const MemRegion *MR = VarLoc.getAsRegion();
2432 if (!MR)
2433 continue;
2434
2435 SVal StrVal = C.getSVal(Init);
2436 assert(StrVal.isValid() && "Initializer string is unknown or undefined")(static_cast <bool> (StrVal.isValid() && "Initializer string is unknown or undefined"
) ? void (0) : __assert_fail ("StrVal.isValid() && \"Initializer string is unknown or undefined\""
, "clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp", 2436
, __extension__ __PRETTY_FUNCTION__));
2437 DefinedOrUnknownSVal strLength =
2438 getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2439
2440 state = state->set<CStringLength>(MR, strLength);
2441 }
2442
2443 C.addTransition(state);
2444}
2445
2446ProgramStateRef
2447CStringChecker::checkRegionChanges(ProgramStateRef state,
2448 const InvalidatedSymbols *,
2449 ArrayRef<const MemRegion *> ExplicitRegions,
2450 ArrayRef<const MemRegion *> Regions,
2451 const LocationContext *LCtx,
2452 const CallEvent *Call) const {
2453 CStringLengthTy Entries = state->get<CStringLength>();
2454 if (Entries.isEmpty())
2455 return state;
2456
2457 llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
2458 llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
2459
2460 // First build sets for the changed regions and their super-regions.
2461 for (ArrayRef<const MemRegion *>::iterator
2462 I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2463 const MemRegion *MR = *I;
2464 Invalidated.insert(MR);
2465
2466 SuperRegions.insert(MR);
2467 while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2468 MR = SR->getSuperRegion();
2469 SuperRegions.insert(MR);
2470 }
2471 }
2472
2473 CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2474
2475 // Then loop over the entries in the current state.
2476 for (CStringLengthTy::iterator I = Entries.begin(),
2477 E = Entries.end(); I != E; ++I) {
2478 const MemRegion *MR = I.getKey();
2479
2480 // Is this entry for a super-region of a changed region?
2481 if (SuperRegions.count(MR)) {
2482 Entries = F.remove(Entries, MR);
2483 continue;
2484 }
2485
2486 // Is this entry for a sub-region of a changed region?
2487 const MemRegion *Super = MR;
2488 while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2489 Super = SR->getSuperRegion();
2490 if (Invalidated.count(Super)) {
2491 Entries = F.remove(Entries, MR);
2492 break;
2493 }
2494 }
2495 }
2496
2497 return state->set<CStringLength>(Entries);
2498}
2499
2500void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2501 SymbolReaper &SR) const {
2502 // Mark all symbols in our string length map as valid.
2503 CStringLengthTy Entries = state->get<CStringLength>();
2504
2505 for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2506 I != E; ++I) {
2507 SVal Len = I.getData();
2508
2509 for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2510 se = Len.symbol_end(); si != se; ++si)
2511 SR.markInUse(*si);
2512 }
2513}
2514
2515void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2516 CheckerContext &C) const {
2517 ProgramStateRef state = C.getState();
2518 CStringLengthTy Entries = state->get<CStringLength>();
2519 if (Entries.isEmpty())
2520 return;
2521
2522 CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2523 for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2524 I != E; ++I) {
2525 SVal Len = I.getData();
2526 if (SymbolRef Sym = Len.getAsSymbol()) {
2527 if (SR.isDead(Sym))
2528 Entries = F.remove(Entries, I.getKey());
2529 }
2530 }
2531
2532 state = state->set<CStringLength>(Entries);
2533 C.addTransition(state);
2534}
2535
2536void ento::registerCStringModeling(CheckerManager &Mgr) {
2537 Mgr.registerChecker<CStringChecker>();
2538}
2539
2540bool ento::shouldRegisterCStringModeling(const CheckerManager &mgr) {
2541 return true;
2542}
2543
2544#define REGISTER_CHECKER(name)void ento::registername(CheckerManager &mgr) { CStringChecker
*checker = mgr.getChecker<CStringChecker>(); checker->
Filter.Checkname = true; checker->Filter.CheckNamename = mgr
.getCurrentCheckerName(); } bool ento::shouldRegistername(const
CheckerManager &mgr) { return true; } \
2545 void ento::register##name(CheckerManager &mgr) { \
2546 CStringChecker *checker = mgr.getChecker<CStringChecker>(); \
2547 checker->Filter.Check##name = true; \
2548 checker->Filter.CheckName##name = mgr.getCurrentCheckerName(); \
2549 } \
2550 \
2551 bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
2552
2553REGISTER_CHECKER(CStringNullArg)void ento::registerCStringNullArg(CheckerManager &mgr) { CStringChecker
*checker = mgr.getChecker<CStringChecker>(); checker->
Filter.CheckCStringNullArg = true; checker->Filter.CheckNameCStringNullArg
= mgr.getCurrentCheckerName(); } bool ento::shouldRegisterCStringNullArg
(const CheckerManager &mgr) { return true; }
2554REGISTER_CHECKER(CStringOutOfBounds)void ento::registerCStringOutOfBounds(CheckerManager &mgr
) { CStringChecker *checker = mgr.getChecker<CStringChecker
>(); checker->Filter.CheckCStringOutOfBounds = true; checker
->Filter.CheckNameCStringOutOfBounds = mgr.getCurrentCheckerName
(); } bool ento::shouldRegisterCStringOutOfBounds(const CheckerManager
&mgr) { return true; }
2555REGISTER_CHECKER(CStringBufferOverlap)void ento::registerCStringBufferOverlap(CheckerManager &mgr
) { CStringChecker *checker = mgr.getChecker<CStringChecker
>(); checker->Filter.CheckCStringBufferOverlap = true; checker
->Filter.CheckNameCStringBufferOverlap = mgr.getCurrentCheckerName
(); } bool ento::shouldRegisterCStringBufferOverlap(const CheckerManager
&mgr) { return true; }
2556REGISTER_CHECKER(CStringNotNullTerm)void ento::registerCStringNotNullTerm(CheckerManager &mgr
) { CStringChecker *checker = mgr.getChecker<CStringChecker
>(); checker->Filter.CheckCStringNotNullTerm = true; checker
->Filter.CheckNameCStringNotNullTerm = mgr.getCurrentCheckerName
(); } bool ento::shouldRegisterCStringNotNullTerm(const CheckerManager
&mgr) { return true; }
2557REGISTER_CHECKER(CStringUninitializedRead)void ento::registerCStringUninitializedRead(CheckerManager &
mgr) { CStringChecker *checker = mgr.getChecker<CStringChecker
>(); checker->Filter.CheckCStringUninitializedRead = true
; checker->Filter.CheckNameCStringUninitializedRead = mgr.
getCurrentCheckerName(); } bool ento::shouldRegisterCStringUninitializedRead
(const CheckerManager &mgr) { return true; }

/build/source/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

1//== ProgramState.h - Path-sensitive "State" for tracking values -*- C++ -*--=//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines the state of the program along the analysisa path.
10//
11//===----------------------------------------------------------------------===//
12
13#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_PROGRAMSTATE_H
14#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_PROGRAMSTATE_H
15
16#include "clang/Basic/LLVM.h"
17#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeInfo.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/Environment.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/Store.h"
23#include "llvm/ADT/FoldingSet.h"
24#include "llvm/ADT/ImmutableMap.h"
25#include "llvm/Support/Allocator.h"
26#include <optional>
27#include <utility>
28
29namespace llvm {
30class APSInt;
31}
32
33namespace clang {
34class ASTContext;
35
36namespace ento {
37
38class AnalysisManager;
39class CallEvent;
40class CallEventManager;
41
42typedef std::unique_ptr<ConstraintManager>(*ConstraintManagerCreator)(
43 ProgramStateManager &, ExprEngine *);
44typedef std::unique_ptr<StoreManager>(*StoreManagerCreator)(
45 ProgramStateManager &);
46
47//===----------------------------------------------------------------------===//
48// ProgramStateTrait - Traits used by the Generic Data Map of a ProgramState.
49//===----------------------------------------------------------------------===//
50
51template <typename T> struct ProgramStateTrait {
52 typedef typename T::data_type data_type;
53 static inline void *MakeVoidPtr(data_type D) { return (void*) D; }
54 static inline data_type MakeData(void *const* P) {
55 return P ? (data_type) *P : (data_type) 0;
56 }
57};
58
59/// \class ProgramState
60/// ProgramState - This class encapsulates:
61///
62/// 1. A mapping from expressions to values (Environment)
63/// 2. A mapping from locations to values (Store)
64/// 3. Constraints on symbolic values (GenericDataMap)
65///
66/// Together these represent the "abstract state" of a program.
67///
68/// ProgramState is intended to be used as a functional object; that is,
69/// once it is created and made "persistent" in a FoldingSet, its
70/// values will never change.
71class ProgramState : public llvm::FoldingSetNode {
72public:
73 typedef llvm::ImmutableSet<llvm::APSInt*> IntSetTy;
74 typedef llvm::ImmutableMap<void*, void*> GenericDataMap;
75
76private:
77 void operator=(const ProgramState& R) = delete;
78
79 friend class ProgramStateManager;
80 friend class ExplodedGraph;
81 friend class ExplodedNode;
82 friend class NodeBuilder;
83
84 ProgramStateManager *stateMgr;
85 Environment Env; // Maps a Stmt to its current SVal.
86 Store store; // Maps a location to its current value.
87 GenericDataMap GDM; // Custom data stored by a client of this class.
88
89 // A state is infeasible if there is a contradiction among the constraints.
90 // An infeasible state is represented by a `nullptr`.
91 // In the sense of `assumeDual`, a state can have two children by adding a
92 // new constraint and the negation of that new constraint. A parent state is
93 // over-constrained if both of its children are infeasible. In the
94 // mathematical sense, it means that the parent is infeasible and we should
95 // have realized that at the moment when we have created it. However, we
96 // could not recognize that because of the imperfection of the underlying
97 // constraint solver. We say it is posteriorly over-constrained because we
98 // recognize that a parent is infeasible only *after* a new and more specific
99 // constraint and its negation are evaluated.
100 //
101 // Example:
102 //
103 // x * x = 4 and x is in the range [0, 1]
104 // This is an already infeasible state, but the constraint solver is not
105 // capable of handling sqrt, thus we don't know it yet.
106 //
107 // Then a new constraint `x = 0` is added. At this moment the constraint
108 // solver re-evaluates the existing constraints and realizes the
109 // contradiction `0 * 0 = 4`.
110 // We also evaluate the negated constraint `x != 0`; the constraint solver
111 // deduces `x = 1` and then realizes the contradiction `1 * 1 = 4`.
112 // Both children are infeasible, thus the parent state is marked as
113 // posteriorly over-constrained. These parents are handled with special care:
114 // we do not allow transitions to exploded nodes with such states.
115 bool PosteriorlyOverconstrained = false;
116 // Make internal constraint solver entities friends so they can access the
117 // overconstrained-related functions. We want to keep this API inaccessible
118 // for Checkers.
119 friend class ConstraintManager;
120 bool isPosteriorlyOverconstrained() const {
121 return PosteriorlyOverconstrained;
122 }
123 ProgramStateRef cloneAsPosteriorlyOverconstrained() const;
124
125 unsigned refCount;
126
127 /// makeWithStore - Return a ProgramState with the same values as the current
128 /// state with the exception of using the specified Store.
129 ProgramStateRef makeWithStore(const StoreRef &store) const;
130
131 void setStore(const StoreRef &storeRef);
132
133public:
134 /// This ctor is used when creating the first ProgramState object.
135 ProgramState(ProgramStateManager *mgr, const Environment& env,
136 StoreRef st, GenericDataMap gdm);
137
138 /// Copy ctor - We must explicitly define this or else the "Next" ptr
139 /// in FoldingSetNode will also get copied.
140 ProgramState(const ProgramState &RHS);
141
142 ~ProgramState();
143
144 int64_t getID() const;
145
146 /// Return the ProgramStateManager associated with this state.
147 ProgramStateManager &getStateManager() const {
148 return *stateMgr;
149 }
150
151 AnalysisManager &getAnalysisManager() const;
152
153 /// Return the ConstraintManager.
154 ConstraintManager &getConstraintManager() const;
155
156 /// getEnvironment - Return the environment associated with this state.
157 /// The environment is the mapping from expressions to values.
158 const Environment& getEnvironment() const { return Env; }
159
160 /// Return the store associated with this state. The store
161 /// is a mapping from locations to values.
162 Store getStore() const { return store; }
163
164
165 /// getGDM - Return the generic data map associated with this state.
166 GenericDataMap getGDM() const { return GDM; }
167
168 void setGDM(GenericDataMap gdm) { GDM = gdm; }
169
170 /// Profile - Profile the contents of a ProgramState object for use in a
171 /// FoldingSet. Two ProgramState objects are considered equal if they
172 /// have the same Environment, Store, and GenericDataMap.
173 static void Profile(llvm::FoldingSetNodeID& ID, const ProgramState *V) {
174 V->Env.Profile(ID);
175 ID.AddPointer(V->store);
176 V->GDM.Profile(ID);
177 ID.AddBoolean(V->PosteriorlyOverconstrained);
178 }
179
180 /// Profile - Used to profile the contents of this object for inclusion
181 /// in a FoldingSet.
182 void Profile(llvm::FoldingSetNodeID& ID) const {
183 Profile(ID, this);
184 }
185
186 BasicValueFactory &getBasicVals() const;
187 SymbolManager &getSymbolManager() const;
188
189 //==---------------------------------------------------------------------==//
190 // Constraints on values.
191 //==---------------------------------------------------------------------==//
192 //
193 // Each ProgramState records constraints on symbolic values. These constraints
194 // are managed using the ConstraintManager associated with a ProgramStateManager.
195 // As constraints gradually accrue on symbolic values, added constraints
196 // may conflict and indicate that a state is infeasible (as no real values
197 // could satisfy all the constraints). This is the principal mechanism
198 // for modeling path-sensitivity in ExprEngine/ProgramState.
199 //
200 // Various "assume" methods form the interface for adding constraints to
201 // symbolic values. A call to 'assume' indicates an assumption being placed
202 // on one or symbolic values. 'assume' methods take the following inputs:
203 //
204 // (1) A ProgramState object representing the current state.
205 //
206 // (2) The assumed constraint (which is specific to a given "assume" method).
207 //
208 // (3) A binary value "Assumption" that indicates whether the constraint is
209 // assumed to be true or false.
210 //
211 // The output of "assume*" is a new ProgramState object with the added constraints.
212 // If no new state is feasible, NULL is returned.
213 //
214
215 /// Assumes that the value of \p cond is zero (if \p assumption is "false")
216 /// or non-zero (if \p assumption is "true").
217 ///
218 /// This returns a new state with the added constraint on \p cond.
219 /// If no new state is feasible, NULL is returned.
220 [[nodiscard]] ProgramStateRef assume(DefinedOrUnknownSVal cond,
221 bool assumption) const;
222
223 /// Assumes both "true" and "false" for \p cond, and returns both
224 /// corresponding states (respectively).
225 ///
226 /// This is more efficient than calling assume() twice. Note that one (but not
227 /// both) of the returned states may be NULL.
228 [[nodiscard]] std::pair<ProgramStateRef, ProgramStateRef>
229 assume(DefinedOrUnknownSVal cond) const;
230
231 [[nodiscard]] std::pair<ProgramStateRef, ProgramStateRef>
232 assumeInBoundDual(DefinedOrUnknownSVal idx, DefinedOrUnknownSVal upperBound,
233 QualType IndexType = QualType()) const;
234
235 [[nodiscard]] ProgramStateRef
236 assumeInBound(DefinedOrUnknownSVal idx, DefinedOrUnknownSVal upperBound,
237 bool assumption, QualType IndexType = QualType()) const;
238
239 /// Assumes that the value of \p Val is bounded with [\p From; \p To]
240 /// (if \p assumption is "true") or it is fully out of this range
241 /// (if \p assumption is "false").
242 ///
243 /// This returns a new state with the added constraint on \p cond.
244 /// If no new state is feasible, NULL is returned.
245 [[nodiscard]] ProgramStateRef assumeInclusiveRange(DefinedOrUnknownSVal Val,
246 const llvm::APSInt &From,
247 const llvm::APSInt &To,
248 bool assumption) const;
249
250 /// Assumes given range both "true" and "false" for \p Val, and returns both
251 /// corresponding states (respectively).
252 ///
253 /// This is more efficient than calling assume() twice. Note that one (but not
254 /// both) of the returned states may be NULL.
255 [[nodiscard]] std::pair<ProgramStateRef, ProgramStateRef>
256 assumeInclusiveRange(DefinedOrUnknownSVal Val, const llvm::APSInt &From,
257 const llvm::APSInt &To) const;
258
259 /// Check if the given SVal is not constrained to zero and is not
260 /// a zero constant.
261 ConditionTruthVal isNonNull(SVal V) const;
262
263 /// Check if the given SVal is constrained to zero or is a zero
264 /// constant.
265 ConditionTruthVal isNull(SVal V) const;
266
267 /// \return Whether values \p Lhs and \p Rhs are equal.
268 ConditionTruthVal areEqual(SVal Lhs, SVal Rhs) const;
269
270 /// Utility method for getting regions.
271 LLVM_ATTRIBUTE_RETURNS_NONNULL__attribute__((returns_nonnull))
272 const VarRegion* getRegion(const VarDecl *D, const LocationContext *LC) const;
273
274 //==---------------------------------------------------------------------==//
275 // Binding and retrieving values to/from the environment and symbolic store.
276 //==---------------------------------------------------------------------==//
277
278 /// Create a new state by binding the value 'V' to the statement 'S' in the
279 /// state's environment.
280 [[nodiscard]] ProgramStateRef BindExpr(const Stmt *S,
281 const LocationContext *LCtx, SVal V,
282 bool Invalidate = true) const;
283
284 [[nodiscard]] ProgramStateRef bindLoc(Loc location, SVal V,
285 const LocationContext *LCtx,
286 bool notifyChanges = true) const;
287
288 [[nodiscard]] ProgramStateRef bindLoc(SVal location, SVal V,
289 const LocationContext *LCtx) const;
290
291 /// Initializes the region of memory represented by \p loc with an initial
292 /// value. Once initialized, all values loaded from any sub-regions of that
293 /// region will be equal to \p V, unless overwritten later by the program.
294 /// This method should not be used on regions that are already initialized.
295 /// If you need to indicate that memory contents have suddenly become unknown
296 /// within a certain region of memory, consider invalidateRegions().
297 [[nodiscard]] ProgramStateRef
298 bindDefaultInitial(SVal loc, SVal V, const LocationContext *LCtx) const;
299
300 /// Performs C++ zero-initialization procedure on the region of memory
301 /// represented by \p loc.
302 [[nodiscard]] ProgramStateRef
303 bindDefaultZero(SVal loc, const LocationContext *LCtx) const;
304
305 [[nodiscard]] ProgramStateRef killBinding(Loc LV) const;
306
307 /// Returns the state with bindings for the given regions
308 /// cleared from the store.
309 ///
310 /// Optionally invalidates global regions as well.
311 ///
312 /// \param Regions the set of regions to be invalidated.
313 /// \param E the expression that caused the invalidation.
314 /// \param BlockCount The number of times the current basic block has been
315 // visited.
316 /// \param CausesPointerEscape the flag is set to true when
317 /// the invalidation entails escape of a symbol (representing a
318 /// pointer). For example, due to it being passed as an argument in a
319 /// call.
320 /// \param IS the set of invalidated symbols.
321 /// \param Call if non-null, the invalidated regions represent parameters to
322 /// the call and should be considered directly invalidated.
323 /// \param ITraits information about special handling for a particular
324 /// region/symbol.
325 [[nodiscard]] ProgramStateRef
326 invalidateRegions(ArrayRef<const MemRegion *> Regions, const Expr *E,
327 unsigned BlockCount, const LocationContext *LCtx,
328 bool CausesPointerEscape, InvalidatedSymbols *IS = nullptr,
329 const CallEvent *Call = nullptr,
330 RegionAndSymbolInvalidationTraits *ITraits = nullptr) const;
331
332 [[nodiscard]] ProgramStateRef
333 invalidateRegions(ArrayRef<SVal> Regions, const Expr *E, unsigned BlockCount,
334 const LocationContext *LCtx, bool CausesPointerEscape,
335 InvalidatedSymbols *IS = nullptr,
336 const CallEvent *Call = nullptr,
337 RegionAndSymbolInvalidationTraits *ITraits = nullptr) const;
338
339 /// enterStackFrame - Returns the state for entry to the given stack frame,
340 /// preserving the current state.
341 [[nodiscard]] ProgramStateRef
342 enterStackFrame(const CallEvent &Call,
343 const StackFrameContext *CalleeCtx) const;
344
345 /// Return the value of 'self' if available in the given context.
346 SVal getSelfSVal(const LocationContext *LC) const;
347
348 /// Get the lvalue for a base class object reference.
349 Loc getLValue(const CXXBaseSpecifier &BaseSpec, const SubRegion *Super) const;
350
351 /// Get the lvalue for a base class object reference.
352 Loc getLValue(const CXXRecordDecl *BaseClass, const SubRegion *Super,
353 bool IsVirtual) const;
354
355 /// Get the lvalue for a variable reference.
356 Loc getLValue(const VarDecl *D, const LocationContext *LC) const;
357
358 Loc getLValue(const CompoundLiteralExpr *literal,
359 const LocationContext *LC) const;
360
361 /// Get the lvalue for an ivar reference.
362 SVal getLValue(const ObjCIvarDecl *decl, SVal base) const;
363
364 /// Get the lvalue for a field reference.
365 SVal getLValue(const FieldDecl *decl, SVal Base) const;
366
367 /// Get the lvalue for an indirect field reference.
368 SVal getLValue(const IndirectFieldDecl *decl, SVal Base) const;
369
370 /// Get the lvalue for an array index.
371 SVal getLValue(QualType ElementType, SVal Idx, SVal Base) const;
372
373 /// Returns the SVal bound to the statement 'S' in the state's environment.
374 SVal getSVal(const Stmt *S, const LocationContext *LCtx) const;
375
376 SVal getSValAsScalarOrLoc(const Stmt *Ex, const LocationContext *LCtx) const;
377
378 /// Return the value bound to the specified location.
379 /// Returns UnknownVal() if none found.
380 SVal getSVal(Loc LV, QualType T = QualType()) const;
381
382 /// Returns the "raw" SVal bound to LV before any value simplfication.
383 SVal getRawSVal(Loc LV, QualType T= QualType()) const;
384
385 /// Return the value bound to the specified location.
386 /// Returns UnknownVal() if none found.
387 SVal getSVal(const MemRegion* R, QualType T = QualType()) const;
388
389 /// Return the value bound to the specified location, assuming
390 /// that the value is a scalar integer or an enumeration or a pointer.
391 /// Returns UnknownVal() if none found or the region is not known to hold
392 /// a value of such type.
393 SVal getSValAsScalarOrLoc(const MemRegion *R) const;
394
395 using region_iterator = const MemRegion **;
396
397 /// Visits the symbols reachable from the given SVal using the provided
398 /// SymbolVisitor.
399 ///
400 /// This is a convenience API. Consider using ScanReachableSymbols class
401 /// directly when making multiple scans on the same state with the same
402 /// visitor to avoid repeated initialization cost.
403 /// \sa ScanReachableSymbols
404 bool scanReachableSymbols(SVal val, SymbolVisitor& visitor) const;
405
406 /// Visits the symbols reachable from the regions in the given
407 /// MemRegions range using the provided SymbolVisitor.
408 bool scanReachableSymbols(llvm::iterator_range<region_iterator> Reachable,
409 SymbolVisitor &visitor) const;
410
411 template <typename CB> CB scanReachableSymbols(SVal val) const;
412 template <typename CB> CB
413 scanReachableSymbols(llvm::iterator_range<region_iterator> Reachable) const;
414
415 //==---------------------------------------------------------------------==//
416 // Accessing the Generic Data Map (GDM).
417 //==---------------------------------------------------------------------==//
418
419 void *const* FindGDM(void *K) const;
420
421 template <typename T>
422 [[nodiscard]] ProgramStateRef
423 add(typename ProgramStateTrait<T>::key_type K) const;
424
425 template <typename T>
426 typename ProgramStateTrait<T>::data_type
427 get() const {
428 return ProgramStateTrait<T>::MakeData(FindGDM(ProgramStateTrait<T>::GDMIndex()));
429 }
430
431 template<typename T>
432 typename ProgramStateTrait<T>::lookup_type
433 get(typename ProgramStateTrait<T>::key_type key) const {
434 void *const* d = FindGDM(ProgramStateTrait<T>::GDMIndex());
435 return ProgramStateTrait<T>::Lookup(ProgramStateTrait<T>::MakeData(d), key);
436 }
437
438 template <typename T>
439 typename ProgramStateTrait<T>::context_type get_context() const;
440
441 template <typename T>
442 [[nodiscard]] ProgramStateRef
443 remove(typename ProgramStateTrait<T>::key_type K) const;
444
445 template <typename T>
446 [[nodiscard]] ProgramStateRef
447 remove(typename ProgramStateTrait<T>::key_type K,
448 typename ProgramStateTrait<T>::context_type C) const;
449
450 template <typename T> [[nodiscard]] ProgramStateRef remove() const;
451
452 template <typename T>
453 [[nodiscard]] ProgramStateRef
454 set(typename ProgramStateTrait<T>::data_type D) const;
455
456 template <typename T>
457 [[nodiscard]] ProgramStateRef
458 set(typename ProgramStateTrait<T>::key_type K,
459 typename ProgramStateTrait<T>::value_type E) const;
460
461 template <typename T>
462 [[nodiscard]] ProgramStateRef
463 set(typename ProgramStateTrait<T>::key_type K,
464 typename ProgramStateTrait<T>::value_type E,
465 typename ProgramStateTrait<T>::context_type C) const;
466
467 template<typename T>
468 bool contains(typename ProgramStateTrait<T>::key_type key) const {
469 void *const* d = FindGDM(ProgramStateTrait<T>::GDMIndex());
470 return ProgramStateTrait<T>::Contains(ProgramStateTrait<T>::MakeData(d), key);
471 }
472
473 // Pretty-printing.
474 void printJson(raw_ostream &Out, const LocationContext *LCtx = nullptr,
475 const char *NL = "\n", unsigned int Space = 0,
476 bool IsDot = false) const;
477
478 void printDOT(raw_ostream &Out, const LocationContext *LCtx = nullptr,
479 unsigned int Space = 0) const;
480
481 void dump() const;
482
483private:
484 friend void ProgramStateRetain(const ProgramState *state);
485 friend void ProgramStateRelease(const ProgramState *state);
486
487 /// \sa invalidateValues()
488 /// \sa invalidateRegions()
489 ProgramStateRef
490 invalidateRegionsImpl(ArrayRef<SVal> Values,
491 const Expr *E, unsigned BlockCount,
492 const LocationContext *LCtx,
493 bool ResultsInSymbolEscape,
494 InvalidatedSymbols *IS,
495 RegionAndSymbolInvalidationTraits *HTraits,
496 const CallEvent *Call) const;
497};
498
499//===----------------------------------------------------------------------===//
500// ProgramStateManager - Factory object for ProgramStates.
501//===----------------------------------------------------------------------===//
502
503class ProgramStateManager {
504 friend class ProgramState;
505 friend void ProgramStateRelease(const ProgramState *state);
506private:
507 /// Eng - The ExprEngine that owns this state manager.
508 ExprEngine *Eng; /* Can be null. */
509
510 EnvironmentManager EnvMgr;
511 std::unique_ptr<StoreManager> StoreMgr;
512 std::unique_ptr<ConstraintManager> ConstraintMgr;
513
514 ProgramState::GenericDataMap::Factory GDMFactory;
515
516 typedef llvm::DenseMap<void*,std::pair<void*,void (*)(void*)> > GDMContextsTy;
517 GDMContextsTy GDMContexts;
518
519 /// StateSet - FoldingSet containing all the states created for analyzing
520 /// a particular function. This is used to unique states.
521 llvm::FoldingSet<ProgramState> StateSet;
522
523 /// Object that manages the data for all created SVals.
524 std::unique_ptr<SValBuilder> svalBuilder;
525
526 /// Manages memory for created CallEvents.
527 std::unique_ptr<CallEventManager> CallEventMgr;
528
529 /// A BumpPtrAllocator to allocate states.
530 llvm::BumpPtrAllocator &Alloc;
531
532 /// A vector of ProgramStates that we can reuse.
533 std::vector<ProgramState *> freeStates;
534
535public:
536 ProgramStateManager(ASTContext &Ctx,
537 StoreManagerCreator CreateStoreManager,
538 ConstraintManagerCreator CreateConstraintManager,
539 llvm::BumpPtrAllocator& alloc,
540 ExprEngine *expreng);
541
542 ~ProgramStateManager();
543
544 ProgramStateRef getInitialState(const LocationContext *InitLoc);
545
546 ASTContext &getContext() { return svalBuilder->getContext(); }
547 const ASTContext &getContext() const { return svalBuilder->getContext(); }
548
549 BasicValueFactory &getBasicVals() {
550 return svalBuilder->getBasicValueFactory();
551 }
552
553 SValBuilder &getSValBuilder() {
554 return *svalBuilder;
555 }
556
557 const SValBuilder &getSValBuilder() const {
558 return *svalBuilder;
559 }
560
561 SymbolManager &getSymbolManager() {
562 return svalBuilder->getSymbolManager();
563 }
564 const SymbolManager &getSymbolManager() const {
565 return svalBuilder->getSymbolManager();
566 }
567
568 llvm::BumpPtrAllocator& getAllocator() { return Alloc; }
569
570 MemRegionManager& getRegionManager() {
571 return svalBuilder->getRegionManager();
572 }
573 const MemRegionManager &getRegionManager() const {
574 return svalBuilder->getRegionManager();
575 }
576
577 CallEventManager &getCallEventManager() { return *CallEventMgr; }
578
579 StoreManager &getStoreManager() { return *StoreMgr; }
580 ConstraintManager &getConstraintManager() { return *ConstraintMgr; }
581 ExprEngine &getOwningEngine() { return *Eng; }
582
583 ProgramStateRef
584 removeDeadBindingsFromEnvironmentAndStore(ProgramStateRef St,
585 const StackFrameContext *LCtx,
586 SymbolReaper &SymReaper);
587
588public:
589
590 SVal ArrayToPointer(Loc Array, QualType ElementTy) {
591 return StoreMgr->ArrayToPointer(Array, ElementTy);
592 }
593
594 // Methods that manipulate the GDM.
595 ProgramStateRef addGDM(ProgramStateRef St, void *Key, void *Data);
596 ProgramStateRef removeGDM(ProgramStateRef state, void *Key);
597
598 // Methods that query & manipulate the Store.
599
600 void iterBindings(ProgramStateRef state, StoreManager::BindingsHandler& F) {
601 StoreMgr->iterBindings(state->getStore(), F);
602 }
603
604 ProgramStateRef getPersistentState(ProgramState &Impl);
605 ProgramStateRef getPersistentStateWithGDM(ProgramStateRef FromState,
606 ProgramStateRef GDMState);
607
608 bool haveEqualConstraints(ProgramStateRef S1, ProgramStateRef S2) const {
609 return ConstraintMgr->haveEqualConstraints(S1, S2);
610 }
611
612 bool haveEqualEnvironments(ProgramStateRef S1, ProgramStateRef S2) const {
613 return S1->Env == S2->Env;
614 }
615
616 bool haveEqualStores(ProgramStateRef S1, ProgramStateRef S2) const {
617 return S1->store == S2->store;
618 }
619
620 //==---------------------------------------------------------------------==//
621 // Generic Data Map methods.
622 //==---------------------------------------------------------------------==//
623 //
624 // ProgramStateManager and ProgramState support a "generic data map" that allows
625 // different clients of ProgramState objects to embed arbitrary data within a
626 // ProgramState object. The generic data map is essentially an immutable map
627 // from a "tag" (that acts as the "key" for a client) and opaque values.
628 // Tags/keys and values are simply void* values. The typical way that clients
629 // generate unique tags are by taking the address of a static variable.
630 // Clients are responsible for ensuring that data values referred to by a
631 // the data pointer are immutable (and thus are essentially purely functional
632 // data).
633 //
634 // The templated methods below use the ProgramStateTrait<T> class
635 // to resolve keys into the GDM and to return data values to clients.
636 //
637
638 // Trait based GDM dispatch.
639 template <typename T>
640 ProgramStateRef set(ProgramStateRef st, typename ProgramStateTrait<T>::data_type D) {
641 return addGDM(st, ProgramStateTrait<T>::GDMIndex(),
642 ProgramStateTrait<T>::MakeVoidPtr(D));
643 }
644
645 template<typename T>
646 ProgramStateRef set(ProgramStateRef st,
647 typename ProgramStateTrait<T>::key_type K,
648 typename ProgramStateTrait<T>::value_type V,
649 typename ProgramStateTrait<T>::context_type C) {
650
651 return addGDM(st, ProgramStateTrait<T>::GDMIndex(),
652 ProgramStateTrait<T>::MakeVoidPtr(ProgramStateTrait<T>::Set(st->get<T>(), K, V, C)));
653 }
654
655 template <typename T>
656 ProgramStateRef add(ProgramStateRef st,
657 typename ProgramStateTrait<T>::key_type K,
658 typename ProgramStateTrait<T>::context_type C) {
659 return addGDM(st, ProgramStateTrait<T>::GDMIndex(),
660 ProgramStateTrait<T>::MakeVoidPtr(ProgramStateTrait<T>::Add(st->get<T>(), K, C)));
661 }
662
663 template <typename T>
664 ProgramStateRef remove(ProgramStateRef st,
665 typename ProgramStateTrait<T>::key_type K,
666 typename ProgramStateTrait<T>::context_type C) {
667
668 return addGDM(st, ProgramStateTrait<T>::GDMIndex(),
669 ProgramStateTrait<T>::MakeVoidPtr(ProgramStateTrait<T>::Remove(st->get<T>(), K, C)));
670 }
671
672 template <typename T>
673 ProgramStateRef remove(ProgramStateRef st) {
674 return removeGDM(st, ProgramStateTrait<T>::GDMIndex());
675 }
676
677 void *FindGDMContext(void *index,
678 void *(*CreateContext)(llvm::BumpPtrAllocator&),
679 void (*DeleteContext)(void*));
680
681 template <typename T>
682 typename ProgramStateTrait<T>::context_type get_context() {
683 void *p = FindGDMContext(ProgramStateTrait<T>::GDMIndex(),
684 ProgramStateTrait<T>::CreateContext,
685 ProgramStateTrait<T>::DeleteContext);
686
687 return ProgramStateTrait<T>::MakeContext(p);
688 }
689};
690
691
692//===----------------------------------------------------------------------===//
693// Out-of-line method definitions for ProgramState.
694//===----------------------------------------------------------------------===//
695
696inline ConstraintManager &ProgramState::getConstraintManager() const {
697 return stateMgr->getConstraintManager();
698}
699
700inline const VarRegion* ProgramState::getRegion(const VarDecl *D,
701 const LocationContext *LC) const
702{
703 return getStateManager().getRegionManager().getVarRegion(D, LC);
704}
705
706inline ProgramStateRef ProgramState::assume(DefinedOrUnknownSVal Cond,
707 bool Assumption) const {
708 if (Cond.isUnknown())
19
Taking false branch
709 return this;
710
711 return getStateManager().ConstraintMgr
20
Value assigned to 'S.Obj'
712 ->assume(this, Cond.castAs<DefinedSVal>(), Assumption);
713}
714
715inline std::pair<ProgramStateRef , ProgramStateRef >
716ProgramState::assume(DefinedOrUnknownSVal Cond) const {
717 if (Cond.isUnknown())
718 return std::make_pair(this, this);
719
720 return getStateManager().ConstraintMgr
721 ->assumeDual(this, Cond.castAs<DefinedSVal>());
722}
723
724inline ProgramStateRef ProgramState::assumeInclusiveRange(
725 DefinedOrUnknownSVal Val, const llvm::APSInt &From, const llvm::APSInt &To,
726 bool Assumption) const {
727 if (Val.isUnknown())
728 return this;
729
730 assert(isa<NonLoc>(Val) && "Only NonLocs are supported!")(static_cast <bool> (isa<NonLoc>(Val) && "Only NonLocs are supported!"
) ? void (0) : __assert_fail ("isa<NonLoc>(Val) && \"Only NonLocs are supported!\""
, "clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
, 730, __extension__ __PRETTY_FUNCTION__));
731
732 return getStateManager().ConstraintMgr->assumeInclusiveRange(
733 this, Val.castAs<NonLoc>(), From, To, Assumption);
734}
735
736inline std::pair<ProgramStateRef, ProgramStateRef>
737ProgramState::assumeInclusiveRange(DefinedOrUnknownSVal Val,
738 const llvm::APSInt &From,
739 const llvm::APSInt &To) const {
740 if (Val.isUnknown())
741 return std::make_pair(this, this);
742
743 assert(isa<NonLoc>(Val) && "Only NonLocs are supported!")(static_cast <bool> (isa<NonLoc>(Val) && "Only NonLocs are supported!"
) ? void (0) : __assert_fail ("isa<NonLoc>(Val) && \"Only NonLocs are supported!\""
, "clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
, 743, __extension__ __PRETTY_FUNCTION__));
744
745 return getStateManager().ConstraintMgr->assumeInclusiveRangeDual(
746 this, Val.castAs<NonLoc>(), From, To);
747}
748
749inline ProgramStateRef ProgramState::bindLoc(SVal LV, SVal V, const LocationContext *LCtx) const {
750 if (std::optional<Loc> L = LV.getAs<Loc>())
751 return bindLoc(*L, V, LCtx);
752 return this;
753}
754
755inline Loc ProgramState::getLValue(const CXXBaseSpecifier &BaseSpec,
756 const SubRegion *Super) const {
757 const auto *Base = BaseSpec.getType()->getAsCXXRecordDecl();
758 return loc::MemRegionVal(
759 getStateManager().getRegionManager().getCXXBaseObjectRegion(
760 Base, Super, BaseSpec.isVirtual()));
761}
762
763inline Loc ProgramState::getLValue(const CXXRecordDecl *BaseClass,
764 const SubRegion *Super,
765 bool IsVirtual) const {
766 return loc::MemRegionVal(
767 getStateManager().getRegionManager().getCXXBaseObjectRegion(
768 BaseClass, Super, IsVirtual));
769}
770
771inline Loc ProgramState::getLValue(const VarDecl *VD,
772 const LocationContext *LC) const {
773 return getStateManager().StoreMgr->getLValueVar(VD, LC);
774}
775
776inline Loc ProgramState::getLValue(const CompoundLiteralExpr *literal,
777 const LocationContext *LC) const {
778 return getStateManager().StoreMgr->getLValueCompoundLiteral(literal, LC);
779}
780
781inline SVal ProgramState::getLValue(const ObjCIvarDecl *D, SVal Base) const {
782 return getStateManager().StoreMgr->getLValueIvar(D, Base);
783}
784
785inline SVal ProgramState::getLValue(const FieldDecl *D, SVal Base) const {
786 return getStateManager().StoreMgr->getLValueField(D, Base);
787}
788
789inline SVal ProgramState::getLValue(const IndirectFieldDecl *D,
790 SVal Base) const {
791 StoreManager &SM = *getStateManager().StoreMgr;
792 for (const auto *I : D->chain()) {
793 Base = SM.getLValueField(cast<FieldDecl>(I), Base);
794 }
795
796 return Base;
797}
798
799inline SVal ProgramState::getLValue(QualType ElementType, SVal Idx, SVal Base) const{
800 if (std::optional<NonLoc> N = Idx.getAs<NonLoc>())
801 return getStateManager().StoreMgr->getLValueElement(ElementType, *N, Base);
802 return UnknownVal();
803}
804
805inline SVal ProgramState::getSVal(const Stmt *Ex,
806 const LocationContext *LCtx) const{
807 return Env.getSVal(EnvironmentEntry(Ex, LCtx),
808 *getStateManager().svalBuilder);
809}
810
811inline SVal
812ProgramState::getSValAsScalarOrLoc(const Stmt *S,
813 const LocationContext *LCtx) const {
814 if (const Expr *Ex = dyn_cast<Expr>(S)) {
815 QualType T = Ex->getType();
816 if (Ex->isGLValue() || Loc::isLocType(T) ||
817 T->isIntegralOrEnumerationType())
818 return getSVal(S, LCtx);
819 }
820
821 return UnknownVal();
822}
823
824inline SVal ProgramState::getRawSVal(Loc LV, QualType T) const {
825 return getStateManager().StoreMgr->getBinding(getStore(), LV, T);
826}
827
828inline SVal ProgramState::getSVal(const MemRegion* R, QualType T) const {
829 return getStateManager().StoreMgr->getBinding(getStore(),
830 loc::MemRegionVal(R),
831 T);
832}
833
834inline BasicValueFactory &ProgramState::getBasicVals() const {
835 return getStateManager().getBasicVals();
836}
837
838inline SymbolManager &ProgramState::getSymbolManager() const {
839 return getStateManager().getSymbolManager();
840}
841
842template<typename T>
843ProgramStateRef ProgramState::add(typename ProgramStateTrait<T>::key_type K) const {
844 return getStateManager().add<T>(this, K, get_context<T>());
845}
846
847template <typename T>
848typename ProgramStateTrait<T>::context_type ProgramState::get_context() const {
849 return getStateManager().get_context<T>();
850}
851
852template<typename T>
853ProgramStateRef ProgramState::remove(typename ProgramStateTrait<T>::key_type K) const {
854 return getStateManager().remove<T>(this, K, get_context<T>());
855}
856
857template<typename T>
858ProgramStateRef ProgramState::remove(typename ProgramStateTrait<T>::key_type K,
859 typename ProgramStateTrait<T>::context_type C) const {
860 return getStateManager().remove<T>(this, K, C);
861}
862
863template <typename T>
864ProgramStateRef ProgramState::remove() const {
865 return getStateManager().remove<T>(this);
866}
867
868template<typename T>
869ProgramStateRef ProgramState::set(typename ProgramStateTrait<T>::data_type D) const {
870 return getStateManager().set<T>(this, D);
871}
872
873template<typename T>
874ProgramStateRef ProgramState::set(typename ProgramStateTrait<T>::key_type K,
875 typename ProgramStateTrait<T>::value_type E) const {
876 return getStateManager().set<T>(this, K, E, get_context<T>());
877}
878
879template<typename T>
880ProgramStateRef ProgramState::set(typename ProgramStateTrait<T>::key_type K,
881 typename ProgramStateTrait<T>::value_type E,
882 typename ProgramStateTrait<T>::context_type C) const {
883 return getStateManager().set<T>(this, K, E, C);
884}
885
886template <typename CB>
887CB ProgramState::scanReachableSymbols(SVal val) const {
888 CB cb(this);
889 scanReachableSymbols(val, cb);
890 return cb;
891}
892
893template <typename CB>
894CB ProgramState::scanReachableSymbols(
895 llvm::iterator_range<region_iterator> Reachable) const {
896 CB cb(this);
897 scanReachableSymbols(Reachable, cb);
898 return cb;
899}
900
901/// \class ScanReachableSymbols
902/// A utility class that visits the reachable symbols using a custom
903/// SymbolVisitor. Terminates recursive traversal when the visitor function
904/// returns false.
905class ScanReachableSymbols {
906 typedef llvm::DenseSet<const void*> VisitedItems;
907
908 VisitedItems visited;
909 ProgramStateRef state;
910 SymbolVisitor &visitor;
911public:
912 ScanReachableSymbols(ProgramStateRef st, SymbolVisitor &v)
913 : state(std::move(st)), visitor(v) {}
914
915 bool scan(nonloc::LazyCompoundVal val);
916 bool scan(nonloc::CompoundVal val);
917 bool scan(SVal val);
918 bool scan(const MemRegion *R);
919 bool scan(const SymExpr *sym);
920};
921
922} // end ento namespace
923
924} // end clang namespace
925
926#endif

/build/source/llvm/include/llvm/ADT/IntrusiveRefCntPtr.h

1//==- llvm/ADT/IntrusiveRefCntPtr.h - Smart Refcounting Pointer --*- C++ -*-==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8///
9/// \file
10/// This file defines the RefCountedBase, ThreadSafeRefCountedBase, and
11/// IntrusiveRefCntPtr classes.
12///
13/// IntrusiveRefCntPtr is a smart pointer to an object which maintains a
14/// reference count. (ThreadSafe)RefCountedBase is a mixin class that adds a
15/// refcount member variable and methods for updating the refcount. An object
16/// that inherits from (ThreadSafe)RefCountedBase deletes itself when its
17/// refcount hits zero.
18///
19/// For example:
20///
21/// ```
22/// class MyClass : public RefCountedBase<MyClass> {};
23///
24/// void foo() {
25/// // Constructing an IntrusiveRefCntPtr increases the pointee's refcount
26/// // by 1 (from 0 in this case).
27/// IntrusiveRefCntPtr<MyClass> Ptr1(new MyClass());
28///
29/// // Copying an IntrusiveRefCntPtr increases the pointee's refcount by 1.
30/// IntrusiveRefCntPtr<MyClass> Ptr2(Ptr1);
31///
32/// // Constructing an IntrusiveRefCntPtr has no effect on the object's
33/// // refcount. After a move, the moved-from pointer is null.
34/// IntrusiveRefCntPtr<MyClass> Ptr3(std::move(Ptr1));
35/// assert(Ptr1 == nullptr);
36///
37/// // Clearing an IntrusiveRefCntPtr decreases the pointee's refcount by 1.
38/// Ptr2.reset();
39///
40/// // The object deletes itself when we return from the function, because
41/// // Ptr3's destructor decrements its refcount to 0.
42/// }
43/// ```
44///
45/// You can use IntrusiveRefCntPtr with isa<T>(), dyn_cast<T>(), etc.:
46///
47/// ```
48/// IntrusiveRefCntPtr<MyClass> Ptr(new MyClass());
49/// OtherClass *Other = dyn_cast<OtherClass>(Ptr); // Ptr.get() not required
50/// ```
51///
52/// IntrusiveRefCntPtr works with any class that
53///
54/// - inherits from (ThreadSafe)RefCountedBase,
55/// - has Retain() and Release() methods, or
56/// - specializes IntrusiveRefCntPtrInfo.
57///
58//===----------------------------------------------------------------------===//
59
60#ifndef LLVM_ADT_INTRUSIVEREFCNTPTR_H
61#define LLVM_ADT_INTRUSIVEREFCNTPTR_H
62
63#include <atomic>
64#include <cassert>
65#include <cstddef>
66#include <memory>
67
68namespace llvm {
69
70/// A CRTP mixin class that adds reference counting to a type.
71///
72/// The lifetime of an object which inherits from RefCountedBase is managed by
73/// calls to Release() and Retain(), which increment and decrement the object's
74/// refcount, respectively. When a Release() call decrements the refcount to 0,
75/// the object deletes itself.
76template <class Derived> class RefCountedBase {
77 mutable unsigned RefCount = 0;
78
79protected:
80 RefCountedBase() = default;
81 RefCountedBase(const RefCountedBase &) {}
82 RefCountedBase &operator=(const RefCountedBase &) = delete;
83
84#ifndef NDEBUG
85 ~RefCountedBase() {
86 assert(RefCount == 0 &&(static_cast <bool> (RefCount == 0 && "Destruction occurred when there are still references to this."
) ? void (0) : __assert_fail ("RefCount == 0 && \"Destruction occurred when there are still references to this.\""
, "llvm/include/llvm/ADT/IntrusiveRefCntPtr.h", 87, __extension__
__PRETTY_FUNCTION__))
87 "Destruction occurred when there are still references to this.")(static_cast <bool> (RefCount == 0 && "Destruction occurred when there are still references to this."
) ? void (0) : __assert_fail ("RefCount == 0 && \"Destruction occurred when there are still references to this.\""
, "llvm/include/llvm/ADT/IntrusiveRefCntPtr.h", 87, __extension__
__PRETTY_FUNCTION__));
88 }
89#else
90 // Default the destructor in release builds, A trivial destructor may enable
91 // better codegen.
92 ~RefCountedBase() = default;
93#endif
94
95public:
96 void Retain() const { ++RefCount; }
97
98 void Release() const {
99 assert(RefCount > 0 && "Reference count is already zero.")(static_cast <bool> (RefCount > 0 && "Reference count is already zero."
) ? void (0) : __assert_fail ("RefCount > 0 && \"Reference count is already zero.\""
, "llvm/include/llvm/ADT/IntrusiveRefCntPtr.h", 99, __extension__
__PRETTY_FUNCTION__));
100 if (--RefCount == 0)
101 delete static_cast<const Derived *>(this);
102 }
103};
104
105/// A thread-safe version of \c RefCountedBase.
106template <class Derived> class ThreadSafeRefCountedBase {
107 mutable std::atomic<int> RefCount{0};
108
109protected:
110 ThreadSafeRefCountedBase() = default;
111 ThreadSafeRefCountedBase(const ThreadSafeRefCountedBase &) {}
112 ThreadSafeRefCountedBase &
113 operator=(const ThreadSafeRefCountedBase &) = delete;
114
115#ifndef NDEBUG
116 ~ThreadSafeRefCountedBase() {
117 assert(RefCount == 0 &&(static_cast <bool> (RefCount == 0 && "Destruction occurred when there are still references to this."
) ? void (0) : __assert_fail ("RefCount == 0 && \"Destruction occurred when there are still references to this.\""
, "llvm/include/llvm/ADT/IntrusiveRefCntPtr.h", 118, __extension__
__PRETTY_FUNCTION__))
118 "Destruction occurred when there are still references to this.")(static_cast <bool> (RefCount == 0 && "Destruction occurred when there are still references to this."
) ? void (0) : __assert_fail ("RefCount == 0 && \"Destruction occurred when there are still references to this.\""
, "llvm/include/llvm/ADT/IntrusiveRefCntPtr.h", 118, __extension__
__PRETTY_FUNCTION__));
119 }
120#else
121 // Default the destructor in release builds, A trivial destructor may enable
122 // better codegen.
123 ~ThreadSafeRefCountedBase() = default;
124#endif
125
126public:
127 void Retain() const { RefCount.fetch_add(1, std::memory_order_relaxed); }
128
129 void Release() const {
130 int NewRefCount = RefCount.fetch_sub(1, std::memory_order_acq_rel) - 1;
131 assert(NewRefCount >= 0 && "Reference count was already zero.")(static_cast <bool> (NewRefCount >= 0 && "Reference count was already zero."
) ? void (0) : __assert_fail ("NewRefCount >= 0 && \"Reference count was already zero.\""
, "llvm/include/llvm/ADT/IntrusiveRefCntPtr.h", 131, __extension__
__PRETTY_FUNCTION__));
132 if (NewRefCount == 0)
133 delete static_cast<const Derived *>(this);
134 }
135};
136
137/// Class you can specialize to provide custom retain/release functionality for
138/// a type.
139///
140/// Usually specializing this class is not necessary, as IntrusiveRefCntPtr
141/// works with any type which defines Retain() and Release() functions -- you
142/// can define those functions yourself if RefCountedBase doesn't work for you.
143///
144/// One case when you might want to specialize this type is if you have
145/// - Foo.h defines type Foo and includes Bar.h, and
146/// - Bar.h uses IntrusiveRefCntPtr<Foo> in inline functions.
147///
148/// Because Foo.h includes Bar.h, Bar.h can't include Foo.h in order to pull in
149/// the declaration of Foo. Without the declaration of Foo, normally Bar.h
150/// wouldn't be able to use IntrusiveRefCntPtr<Foo>, which wants to call
151/// T::Retain and T::Release.
152///
153/// To resolve this, Bar.h could include a third header, FooFwd.h, which
154/// forward-declares Foo and specializes IntrusiveRefCntPtrInfo<Foo>. Then
155/// Bar.h could use IntrusiveRefCntPtr<Foo>, although it still couldn't call any
156/// functions on Foo itself, because Foo would be an incomplete type.
157template <typename T> struct IntrusiveRefCntPtrInfo {
158 static void retain(T *obj) { obj->Retain(); }
159 static void release(T *obj) { obj->Release(); }
160};
161
162/// A smart pointer to a reference-counted object that inherits from
163/// RefCountedBase or ThreadSafeRefCountedBase.
164///
165/// This class increments its pointee's reference count when it is created, and
166/// decrements its refcount when it's destroyed (or is changed to point to a
167/// different object).
168template <typename T> class IntrusiveRefCntPtr {
169 T *Obj = nullptr;
170
171public:
172 using element_type = T;
173
174 explicit IntrusiveRefCntPtr() = default;
175 IntrusiveRefCntPtr(T *obj) : Obj(obj) { retain(); }
176 IntrusiveRefCntPtr(const IntrusiveRefCntPtr &S) : Obj(S.Obj) { retain(); }
177 IntrusiveRefCntPtr(IntrusiveRefCntPtr &&S) : Obj(S.Obj) { S.Obj = nullptr; }
178
179 template <class X,
180 std::enable_if_t<std::is_convertible<X *, T *>::value, bool> = true>
181 IntrusiveRefCntPtr(IntrusiveRefCntPtr<X> S) : Obj(S.get()) {
182 S.Obj = nullptr;
183 }
184
185 template <class X,
186 std::enable_if_t<std::is_convertible<X *, T *>::value, bool> = true>
187 IntrusiveRefCntPtr(std::unique_ptr<X> S) : Obj(S.release()) {
188 retain();
189 }
190
191 ~IntrusiveRefCntPtr() { release(); }
192
193 IntrusiveRefCntPtr &operator=(IntrusiveRefCntPtr S) {
194 swap(S);
23
Calling 'IntrusiveRefCntPtr::swap'
26
Returning from 'IntrusiveRefCntPtr::swap'
195 return *this;
196 }
197
198 T &operator*() const { return *Obj; }
199 T *operator->() const { return Obj; }
200 T *get() const { return Obj; }
201 explicit operator bool() const { return Obj; }
202
203 void swap(IntrusiveRefCntPtr &other) {
204 T *tmp = other.Obj;
24
'tmp' initialized here
205 other.Obj = Obj;
206 Obj = tmp;
25
The value of 'tmp' is assigned to 'state.Obj'
207 }
208
209 void reset() {
210 release();
211 Obj = nullptr;
212 }
213
214 void resetWithoutRelease() { Obj = nullptr; }
215
216private:
217 void retain() {
218 if (Obj)
219 IntrusiveRefCntPtrInfo<T>::retain(Obj);
220 }
221
222 void release() {
223 if (Obj)
224 IntrusiveRefCntPtrInfo<T>::release(Obj);
225 }
226
227 template <typename X> friend class IntrusiveRefCntPtr;
228};
229
230template <class T, class U>
231inline bool operator==(const IntrusiveRefCntPtr<T> &A,
232 const IntrusiveRefCntPtr<U> &B) {
233 return A.get() == B.get();
234}
235
236template <class T, class U>
237inline bool operator!=(const IntrusiveRefCntPtr<T> &A,
238 const IntrusiveRefCntPtr<U> &B) {
239 return A.get() != B.get();
240}
241
242template <class T, class U>
243inline bool operator==(const IntrusiveRefCntPtr<T> &A, U *B) {
244 return A.get() == B;
245}
246
247template <class T, class U>
248inline bool operator!=(const IntrusiveRefCntPtr<T> &A, U *B) {
249 return A.get() != B;
250}
251
252template <class T, class U>
253inline bool operator==(T *A, const IntrusiveRefCntPtr<U> &B) {
254 return A == B.get();
255}
256
257template <class T, class U>
258inline bool operator!=(T *A, const IntrusiveRefCntPtr<U> &B) {
259 return A != B.get();
260}
261
262template <class T>
263bool operator==(std::nullptr_t, const IntrusiveRefCntPtr<T> &B) {
264 return !B;
265}
266
267template <class T>
268bool operator==(const IntrusiveRefCntPtr<T> &A, std::nullptr_t B) {
269 return B == A;
270}
271
272template <class T>
273bool operator!=(std::nullptr_t A, const IntrusiveRefCntPtr<T> &B) {
274 return !(A == B);
275}
276
277template <class T>
278bool operator!=(const IntrusiveRefCntPtr<T> &A, std::nullptr_t B) {
279 return !(A == B);
280}
281
282// Make IntrusiveRefCntPtr work with dyn_cast, isa, and the other idioms from
283// Casting.h.
284template <typename From> struct simplify_type;
285
286template <class T> struct simplify_type<IntrusiveRefCntPtr<T>> {
287 using SimpleType = T *;
288
289 static SimpleType getSimplifiedValue(IntrusiveRefCntPtr<T> &Val) {
290 return Val.get();
291 }
292};
293
294template <class T> struct simplify_type<const IntrusiveRefCntPtr<T>> {
295 using SimpleType = /*const*/ T *;
296
297 static SimpleType getSimplifiedValue(const IntrusiveRefCntPtr<T> &Val) {
298 return Val.get();
299 }
300};
301
302/// Factory function for creating intrusive ref counted pointers.
303template <typename T, typename... Args>
304IntrusiveRefCntPtr<T> makeIntrusiveRefCnt(Args &&...A) {
305 return IntrusiveRefCntPtr<T>(new T(std::forward<Args>(A)...));
306}
307
308} // end namespace llvm
309
310#endif // LLVM_ADT_INTRUSIVEREFCNTPTR_H