1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This defines CStringChecker, which is an assortment of checks on calls 11 // to functions in <string.h>. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "clang/StaticAnalyzer/Core/Checker.h" 17 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 18 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 20 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 21 #include "llvm/ADT/SmallString.h" 22 #include "llvm/ADT/STLExtras.h" 23 #include "llvm/ADT/StringSwitch.h" 24 25 using namespace clang; 26 using namespace ento; 27 28 namespace { 29 class CStringChecker : public Checker< eval::Call, 30 check::PreStmt<DeclStmt>, 31 check::LiveSymbols, 32 check::DeadSymbols, 33 check::RegionChanges 34 > { 35 mutable OwningPtr<BugType> BT_Null, 36 BT_Bounds, 37 BT_Overlap, 38 BT_NotCString, 39 BT_AdditionOverflow; 40 41 mutable const char *CurrentFunctionDescription; 42 43 public: 44 /// The filter is used to filter out the diagnostics which are not enabled by 45 /// the user. 46 struct CStringChecksFilter { 47 DefaultBool CheckCStringNullArg; 48 DefaultBool CheckCStringOutOfBounds; 49 DefaultBool CheckCStringBufferOverlap; 50 DefaultBool CheckCStringNotNullTerm; 51 }; 52 53 CStringChecksFilter Filter; 54 55 static void *getTag() { static int tag; return &tag; } 56 57 bool evalCall(const CallExpr *CE, CheckerContext &C) const; 58 void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; 59 void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const; 60 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; 61 bool wantsRegionChangeUpdate(ProgramStateRef state) const; 62 63 ProgramStateRef 64 checkRegionChanges(ProgramStateRef state, 65 const StoreManager::InvalidatedSymbols *, 66 ArrayRef<const MemRegion *> ExplicitRegions, 67 ArrayRef<const MemRegion *> Regions) const; 68 69 typedef void (CStringChecker::*FnCheck)(CheckerContext &, 70 const CallExpr *) const; 71 72 void evalMemcpy(CheckerContext &C, const CallExpr *CE) const; 73 void evalMempcpy(CheckerContext &C, const CallExpr *CE) const; 74 void evalMemmove(CheckerContext &C, const CallExpr *CE) const; 75 void evalBcopy(CheckerContext &C, const CallExpr *CE) const; 76 void evalCopyCommon(CheckerContext &C, const CallExpr *CE, 77 ProgramStateRef state, 78 const Expr *Size, 79 const Expr *Source, 80 const Expr *Dest, 81 bool Restricted = false, 82 bool IsMempcpy = false) const; 83 84 void evalMemcmp(CheckerContext &C, const CallExpr *CE) const; 85 86 void evalstrLength(CheckerContext &C, const CallExpr *CE) const; 87 void evalstrnLength(CheckerContext &C, const CallExpr *CE) const; 88 void evalstrLengthCommon(CheckerContext &C, 89 const CallExpr *CE, 90 bool IsStrnlen = false) const; 91 92 void evalStrcpy(CheckerContext &C, const CallExpr *CE) const; 93 void evalStrncpy(CheckerContext &C, const CallExpr *CE) const; 94 void evalStpcpy(CheckerContext &C, const CallExpr *CE) const; 95 void evalStrcpyCommon(CheckerContext &C, 96 const CallExpr *CE, 97 bool returnEnd, 98 bool isBounded, 99 bool isAppending) const; 100 101 void evalStrcat(CheckerContext &C, const CallExpr *CE) const; 102 void evalStrncat(CheckerContext &C, const CallExpr *CE) const; 103 104 void evalStrcmp(CheckerContext &C, const CallExpr *CE) const; 105 void evalStrncmp(CheckerContext &C, const CallExpr *CE) const; 106 void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const; 107 void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const; 108 void evalStrcmpCommon(CheckerContext &C, 109 const CallExpr *CE, 110 bool isBounded = false, 111 bool ignoreCase = false) const; 112 113 // Utility methods 114 std::pair<ProgramStateRef , ProgramStateRef > 115 static assumeZero(CheckerContext &C, 116 ProgramStateRef state, SVal V, QualType Ty); 117 118 static ProgramStateRef setCStringLength(ProgramStateRef state, 119 const MemRegion *MR, 120 SVal strLength); 121 static SVal getCStringLengthForRegion(CheckerContext &C, 122 ProgramStateRef &state, 123 const Expr *Ex, 124 const MemRegion *MR, 125 bool hypothetical); 126 SVal getCStringLength(CheckerContext &C, 127 ProgramStateRef &state, 128 const Expr *Ex, 129 SVal Buf, 130 bool hypothetical = false) const; 131 132 const StringLiteral *getCStringLiteral(CheckerContext &C, 133 ProgramStateRef &state, 134 const Expr *expr, 135 SVal val) const; 136 137 static ProgramStateRef InvalidateBuffer(CheckerContext &C, 138 ProgramStateRef state, 139 const Expr *Ex, SVal V); 140 141 static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx, 142 const MemRegion *MR); 143 144 // Re-usable checks 145 ProgramStateRef checkNonNull(CheckerContext &C, 146 ProgramStateRef state, 147 const Expr *S, 148 SVal l) const; 149 ProgramStateRef CheckLocation(CheckerContext &C, 150 ProgramStateRef state, 151 const Expr *S, 152 SVal l, 153 const char *message = NULL) const; 154 ProgramStateRef CheckBufferAccess(CheckerContext &C, 155 ProgramStateRef state, 156 const Expr *Size, 157 const Expr *FirstBuf, 158 const Expr *SecondBuf, 159 const char *firstMessage = NULL, 160 const char *secondMessage = NULL, 161 bool WarnAboutSize = false) const; 162 163 ProgramStateRef CheckBufferAccess(CheckerContext &C, 164 ProgramStateRef state, 165 const Expr *Size, 166 const Expr *Buf, 167 const char *message = NULL, 168 bool WarnAboutSize = false) const { 169 // This is a convenience override. 170 return CheckBufferAccess(C, state, Size, Buf, NULL, message, NULL, 171 WarnAboutSize); 172 } 173 ProgramStateRef CheckOverlap(CheckerContext &C, 174 ProgramStateRef state, 175 const Expr *Size, 176 const Expr *First, 177 const Expr *Second) const; 178 void emitOverlapBug(CheckerContext &C, 179 ProgramStateRef state, 180 const Stmt *First, 181 const Stmt *Second) const; 182 183 ProgramStateRef checkAdditionOverflow(CheckerContext &C, 184 ProgramStateRef state, 185 NonLoc left, 186 NonLoc right) const; 187 }; 188 189 class CStringLength { 190 public: 191 typedef llvm::ImmutableMap<const MemRegion *, SVal> EntryMap; 192 }; 193 } //end anonymous namespace 194 195 namespace clang { 196 namespace ento { 197 template <> 198 struct ProgramStateTrait<CStringLength> 199 : public ProgramStatePartialTrait<CStringLength::EntryMap> { 200 static void *GDMIndex() { return CStringChecker::getTag(); } 201 }; 202 } 203 } 204 205 //===----------------------------------------------------------------------===// 206 // Individual checks and utility methods. 207 //===----------------------------------------------------------------------===// 208 209 std::pair<ProgramStateRef , ProgramStateRef > 210 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V, 211 QualType Ty) { 212 DefinedSVal *val = dyn_cast<DefinedSVal>(&V); 213 if (!val) 214 return std::pair<ProgramStateRef , ProgramStateRef >(state, state); 215 216 SValBuilder &svalBuilder = C.getSValBuilder(); 217 DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty); 218 return state->assume(svalBuilder.evalEQ(state, *val, zero)); 219 } 220 221 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C, 222 ProgramStateRef state, 223 const Expr *S, SVal l) const { 224 // If a previous check has failed, propagate the failure. 225 if (!state) 226 return NULL; 227 228 ProgramStateRef stateNull, stateNonNull; 229 llvm::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType()); 230 231 if (stateNull && !stateNonNull) { 232 if (!Filter.CheckCStringNullArg) 233 return NULL; 234 235 ExplodedNode *N = C.generateSink(stateNull); 236 if (!N) 237 return NULL; 238 239 if (!BT_Null) 240 BT_Null.reset(new BuiltinBug("Unix API", 241 "Null pointer argument in call to byte string function")); 242 243 SmallString<80> buf; 244 llvm::raw_svector_ostream os(buf); 245 assert(CurrentFunctionDescription); 246 os << "Null pointer argument in call to " << CurrentFunctionDescription; 247 248 // Generate a report for this bug. 249 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get()); 250 BugReport *report = new BugReport(*BT, os.str(), N); 251 252 report->addRange(S->getSourceRange()); 253 report->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(N, S)); 254 C.EmitReport(report); 255 return NULL; 256 } 257 258 // From here on, assume that the value is non-null. 259 assert(stateNonNull); 260 return stateNonNull; 261 } 262 263 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor? 264 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C, 265 ProgramStateRef state, 266 const Expr *S, SVal l, 267 const char *warningMsg) const { 268 // If a previous check has failed, propagate the failure. 269 if (!state) 270 return NULL; 271 272 // Check for out of bound array element access. 273 const MemRegion *R = l.getAsRegion(); 274 if (!R) 275 return state; 276 277 const ElementRegion *ER = dyn_cast<ElementRegion>(R); 278 if (!ER) 279 return state; 280 281 assert(ER->getValueType() == C.getASTContext().CharTy && 282 "CheckLocation should only be called with char* ElementRegions"); 283 284 // Get the size of the array. 285 const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion()); 286 SValBuilder &svalBuilder = C.getSValBuilder(); 287 SVal Extent = 288 svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder)); 289 DefinedOrUnknownSVal Size = cast<DefinedOrUnknownSVal>(Extent); 290 291 // Get the index of the accessed element. 292 DefinedOrUnknownSVal Idx = cast<DefinedOrUnknownSVal>(ER->getIndex()); 293 294 ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true); 295 ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false); 296 if (StOutBound && !StInBound) { 297 ExplodedNode *N = C.generateSink(StOutBound); 298 if (!N) 299 return NULL; 300 301 if (!BT_Bounds) { 302 BT_Bounds.reset(new BuiltinBug("Out-of-bound array access", 303 "Byte string function accesses out-of-bound array element")); 304 } 305 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get()); 306 307 // Generate a report for this bug. 308 BugReport *report; 309 if (warningMsg) { 310 report = new BugReport(*BT, warningMsg, N); 311 } else { 312 assert(CurrentFunctionDescription); 313 assert(CurrentFunctionDescription[0] != '\0'); 314 315 SmallString<80> buf; 316 llvm::raw_svector_ostream os(buf); 317 os << (char)toupper(CurrentFunctionDescription[0]) 318 << &CurrentFunctionDescription[1] 319 << " accesses out-of-bound array element"; 320 report = new BugReport(*BT, os.str(), N); 321 } 322 323 // FIXME: It would be nice to eventually make this diagnostic more clear, 324 // e.g., by referencing the original declaration or by saying *why* this 325 // reference is outside the range. 326 327 report->addRange(S->getSourceRange()); 328 C.EmitReport(report); 329 return NULL; 330 } 331 332 // Array bound check succeeded. From this point forward the array bound 333 // should always succeed. 334 return StInBound; 335 } 336 337 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C, 338 ProgramStateRef state, 339 const Expr *Size, 340 const Expr *FirstBuf, 341 const Expr *SecondBuf, 342 const char *firstMessage, 343 const char *secondMessage, 344 bool WarnAboutSize) const { 345 // If a previous check has failed, propagate the failure. 346 if (!state) 347 return NULL; 348 349 SValBuilder &svalBuilder = C.getSValBuilder(); 350 ASTContext &Ctx = svalBuilder.getContext(); 351 const LocationContext *LCtx = C.getLocationContext(); 352 353 QualType sizeTy = Size->getType(); 354 QualType PtrTy = Ctx.getPointerType(Ctx.CharTy); 355 356 // Check that the first buffer is non-null. 357 SVal BufVal = state->getSVal(FirstBuf, LCtx); 358 state = checkNonNull(C, state, FirstBuf, BufVal); 359 if (!state) 360 return NULL; 361 362 // If out-of-bounds checking is turned off, skip the rest. 363 if (!Filter.CheckCStringOutOfBounds) 364 return state; 365 366 // Get the access length and make sure it is known. 367 // FIXME: This assumes the caller has already checked that the access length 368 // is positive. And that it's unsigned. 369 SVal LengthVal = state->getSVal(Size, LCtx); 370 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 371 if (!Length) 372 return state; 373 374 // Compute the offset of the last element to be accessed: size-1. 375 NonLoc One = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy)); 376 NonLoc LastOffset = cast<NonLoc>(svalBuilder.evalBinOpNN(state, BO_Sub, 377 *Length, One, sizeTy)); 378 379 // Check that the first buffer is sufficiently long. 380 SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); 381 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 382 const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf); 383 384 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 385 LastOffset, PtrTy); 386 state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage); 387 388 // If the buffer isn't large enough, abort. 389 if (!state) 390 return NULL; 391 } 392 393 // If there's a second buffer, check it as well. 394 if (SecondBuf) { 395 BufVal = state->getSVal(SecondBuf, LCtx); 396 state = checkNonNull(C, state, SecondBuf, BufVal); 397 if (!state) 398 return NULL; 399 400 BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType()); 401 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 402 const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf); 403 404 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 405 LastOffset, PtrTy); 406 state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage); 407 } 408 } 409 410 // Large enough or not, return this state! 411 return state; 412 } 413 414 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C, 415 ProgramStateRef state, 416 const Expr *Size, 417 const Expr *First, 418 const Expr *Second) const { 419 if (!Filter.CheckCStringBufferOverlap) 420 return state; 421 422 // Do a simple check for overlap: if the two arguments are from the same 423 // buffer, see if the end of the first is greater than the start of the second 424 // or vice versa. 425 426 // If a previous check has failed, propagate the failure. 427 if (!state) 428 return NULL; 429 430 ProgramStateRef stateTrue, stateFalse; 431 432 // Get the buffer values and make sure they're known locations. 433 const LocationContext *LCtx = C.getLocationContext(); 434 SVal firstVal = state->getSVal(First, LCtx); 435 SVal secondVal = state->getSVal(Second, LCtx); 436 437 Loc *firstLoc = dyn_cast<Loc>(&firstVal); 438 if (!firstLoc) 439 return state; 440 441 Loc *secondLoc = dyn_cast<Loc>(&secondVal); 442 if (!secondLoc) 443 return state; 444 445 // Are the two values the same? 446 SValBuilder &svalBuilder = C.getSValBuilder(); 447 llvm::tie(stateTrue, stateFalse) = 448 state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc)); 449 450 if (stateTrue && !stateFalse) { 451 // If the values are known to be equal, that's automatically an overlap. 452 emitOverlapBug(C, stateTrue, First, Second); 453 return NULL; 454 } 455 456 // assume the two expressions are not equal. 457 assert(stateFalse); 458 state = stateFalse; 459 460 // Which value comes first? 461 QualType cmpTy = svalBuilder.getConditionType(); 462 SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT, 463 *firstLoc, *secondLoc, cmpTy); 464 DefinedOrUnknownSVal *reverseTest = dyn_cast<DefinedOrUnknownSVal>(&reverse); 465 if (!reverseTest) 466 return state; 467 468 llvm::tie(stateTrue, stateFalse) = state->assume(*reverseTest); 469 if (stateTrue) { 470 if (stateFalse) { 471 // If we don't know which one comes first, we can't perform this test. 472 return state; 473 } else { 474 // Switch the values so that firstVal is before secondVal. 475 Loc *tmpLoc = firstLoc; 476 firstLoc = secondLoc; 477 secondLoc = tmpLoc; 478 479 // Switch the Exprs as well, so that they still correspond. 480 const Expr *tmpExpr = First; 481 First = Second; 482 Second = tmpExpr; 483 } 484 } 485 486 // Get the length, and make sure it too is known. 487 SVal LengthVal = state->getSVal(Size, LCtx); 488 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 489 if (!Length) 490 return state; 491 492 // Convert the first buffer's start address to char*. 493 // Bail out if the cast fails. 494 ASTContext &Ctx = svalBuilder.getContext(); 495 QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy); 496 SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy, 497 First->getType()); 498 Loc *FirstStartLoc = dyn_cast<Loc>(&FirstStart); 499 if (!FirstStartLoc) 500 return state; 501 502 // Compute the end of the first buffer. Bail out if THAT fails. 503 SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, 504 *FirstStartLoc, *Length, CharPtrTy); 505 Loc *FirstEndLoc = dyn_cast<Loc>(&FirstEnd); 506 if (!FirstEndLoc) 507 return state; 508 509 // Is the end of the first buffer past the start of the second buffer? 510 SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT, 511 *FirstEndLoc, *secondLoc, cmpTy); 512 DefinedOrUnknownSVal *OverlapTest = dyn_cast<DefinedOrUnknownSVal>(&Overlap); 513 if (!OverlapTest) 514 return state; 515 516 llvm::tie(stateTrue, stateFalse) = state->assume(*OverlapTest); 517 518 if (stateTrue && !stateFalse) { 519 // Overlap! 520 emitOverlapBug(C, stateTrue, First, Second); 521 return NULL; 522 } 523 524 // assume the two expressions don't overlap. 525 assert(stateFalse); 526 return stateFalse; 527 } 528 529 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state, 530 const Stmt *First, const Stmt *Second) const { 531 ExplodedNode *N = C.generateSink(state); 532 if (!N) 533 return; 534 535 if (!BT_Overlap) 536 BT_Overlap.reset(new BugType("Unix API", "Improper arguments")); 537 538 // Generate a report for this bug. 539 BugReport *report = 540 new BugReport(*BT_Overlap, 541 "Arguments must not be overlapping buffers", N); 542 report->addRange(First->getSourceRange()); 543 report->addRange(Second->getSourceRange()); 544 545 C.EmitReport(report); 546 } 547 548 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C, 549 ProgramStateRef state, 550 NonLoc left, 551 NonLoc right) const { 552 // If out-of-bounds checking is turned off, skip the rest. 553 if (!Filter.CheckCStringOutOfBounds) 554 return state; 555 556 // If a previous check has failed, propagate the failure. 557 if (!state) 558 return NULL; 559 560 SValBuilder &svalBuilder = C.getSValBuilder(); 561 BasicValueFactory &BVF = svalBuilder.getBasicValueFactory(); 562 563 QualType sizeTy = svalBuilder.getContext().getSizeType(); 564 const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy); 565 NonLoc maxVal = svalBuilder.makeIntVal(maxValInt); 566 567 SVal maxMinusRight; 568 if (isa<nonloc::ConcreteInt>(right)) { 569 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right, 570 sizeTy); 571 } else { 572 // Try switching the operands. (The order of these two assignments is 573 // important!) 574 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left, 575 sizeTy); 576 left = right; 577 } 578 579 if (NonLoc *maxMinusRightNL = dyn_cast<NonLoc>(&maxMinusRight)) { 580 QualType cmpTy = svalBuilder.getConditionType(); 581 // If left > max - right, we have an overflow. 582 SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left, 583 *maxMinusRightNL, cmpTy); 584 585 ProgramStateRef stateOverflow, stateOkay; 586 llvm::tie(stateOverflow, stateOkay) = 587 state->assume(cast<DefinedOrUnknownSVal>(willOverflow)); 588 589 if (stateOverflow && !stateOkay) { 590 // We have an overflow. Emit a bug report. 591 ExplodedNode *N = C.generateSink(stateOverflow); 592 if (!N) 593 return NULL; 594 595 if (!BT_AdditionOverflow) 596 BT_AdditionOverflow.reset(new BuiltinBug("API", 597 "Sum of expressions causes overflow")); 598 599 // This isn't a great error message, but this should never occur in real 600 // code anyway -- you'd have to create a buffer longer than a size_t can 601 // represent, which is sort of a contradiction. 602 const char *warning = 603 "This expression will create a string whose length is too big to " 604 "be represented as a size_t"; 605 606 // Generate a report for this bug. 607 BugReport *report = new BugReport(*BT_AdditionOverflow, warning, N); 608 C.EmitReport(report); 609 610 return NULL; 611 } 612 613 // From now on, assume an overflow didn't occur. 614 assert(stateOkay); 615 state = stateOkay; 616 } 617 618 return state; 619 } 620 621 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state, 622 const MemRegion *MR, 623 SVal strLength) { 624 assert(!strLength.isUndef() && "Attempt to set an undefined string length"); 625 626 MR = MR->StripCasts(); 627 628 switch (MR->getKind()) { 629 case MemRegion::StringRegionKind: 630 // FIXME: This can happen if we strcpy() into a string region. This is 631 // undefined [C99 6.4.5p6], but we should still warn about it. 632 return state; 633 634 case MemRegion::SymbolicRegionKind: 635 case MemRegion::AllocaRegionKind: 636 case MemRegion::VarRegionKind: 637 case MemRegion::FieldRegionKind: 638 case MemRegion::ObjCIvarRegionKind: 639 // These are the types we can currently track string lengths for. 640 break; 641 642 case MemRegion::ElementRegionKind: 643 // FIXME: Handle element regions by upper-bounding the parent region's 644 // string length. 645 return state; 646 647 default: 648 // Other regions (mostly non-data) can't have a reliable C string length. 649 // For now, just ignore the change. 650 // FIXME: These are rare but not impossible. We should output some kind of 651 // warning for things like strcpy((char[]){'a', 0}, "b"); 652 return state; 653 } 654 655 if (strLength.isUnknown()) 656 return state->remove<CStringLength>(MR); 657 658 return state->set<CStringLength>(MR, strLength); 659 } 660 661 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C, 662 ProgramStateRef &state, 663 const Expr *Ex, 664 const MemRegion *MR, 665 bool hypothetical) { 666 if (!hypothetical) { 667 // If there's a recorded length, go ahead and return it. 668 const SVal *Recorded = state->get<CStringLength>(MR); 669 if (Recorded) 670 return *Recorded; 671 } 672 673 // Otherwise, get a new symbol and update the state. 674 unsigned Count = C.getCurrentBlockCount(); 675 SValBuilder &svalBuilder = C.getSValBuilder(); 676 QualType sizeTy = svalBuilder.getContext().getSizeType(); 677 SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(), 678 MR, Ex, sizeTy, Count); 679 680 if (!hypothetical) 681 state = state->set<CStringLength>(MR, strLength); 682 683 return strLength; 684 } 685 686 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state, 687 const Expr *Ex, SVal Buf, 688 bool hypothetical) const { 689 const MemRegion *MR = Buf.getAsRegion(); 690 if (!MR) { 691 // If we can't get a region, see if it's something we /know/ isn't a 692 // C string. In the context of locations, the only time we can issue such 693 // a warning is for labels. 694 if (loc::GotoLabel *Label = dyn_cast<loc::GotoLabel>(&Buf)) { 695 if (!Filter.CheckCStringNotNullTerm) 696 return UndefinedVal(); 697 698 if (ExplodedNode *N = C.addTransition(state)) { 699 if (!BT_NotCString) 700 BT_NotCString.reset(new BuiltinBug("Unix API", 701 "Argument is not a null-terminated string.")); 702 703 SmallString<120> buf; 704 llvm::raw_svector_ostream os(buf); 705 assert(CurrentFunctionDescription); 706 os << "Argument to " << CurrentFunctionDescription 707 << " is the address of the label '" << Label->getLabel()->getName() 708 << "', which is not a null-terminated string"; 709 710 // Generate a report for this bug. 711 BugReport *report = new BugReport(*BT_NotCString, 712 os.str(), N); 713 714 report->addRange(Ex->getSourceRange()); 715 C.EmitReport(report); 716 } 717 return UndefinedVal(); 718 719 } 720 721 // If it's not a region and not a label, give up. 722 return UnknownVal(); 723 } 724 725 // If we have a region, strip casts from it and see if we can figure out 726 // its length. For anything we can't figure out, just return UnknownVal. 727 MR = MR->StripCasts(); 728 729 switch (MR->getKind()) { 730 case MemRegion::StringRegionKind: { 731 // Modifying the contents of string regions is undefined [C99 6.4.5p6], 732 // so we can assume that the byte length is the correct C string length. 733 SValBuilder &svalBuilder = C.getSValBuilder(); 734 QualType sizeTy = svalBuilder.getContext().getSizeType(); 735 const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral(); 736 return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy); 737 } 738 case MemRegion::SymbolicRegionKind: 739 case MemRegion::AllocaRegionKind: 740 case MemRegion::VarRegionKind: 741 case MemRegion::FieldRegionKind: 742 case MemRegion::ObjCIvarRegionKind: 743 return getCStringLengthForRegion(C, state, Ex, MR, hypothetical); 744 case MemRegion::CompoundLiteralRegionKind: 745 // FIXME: Can we track this? Is it necessary? 746 return UnknownVal(); 747 case MemRegion::ElementRegionKind: 748 // FIXME: How can we handle this? It's not good enough to subtract the 749 // offset from the base string length; consider "123\x00567" and &a[5]. 750 return UnknownVal(); 751 default: 752 // Other regions (mostly non-data) can't have a reliable C string length. 753 // In this case, an error is emitted and UndefinedVal is returned. 754 // The caller should always be prepared to handle this case. 755 if (!Filter.CheckCStringNotNullTerm) 756 return UndefinedVal(); 757 758 if (ExplodedNode *N = C.addTransition(state)) { 759 if (!BT_NotCString) 760 BT_NotCString.reset(new BuiltinBug("Unix API", 761 "Argument is not a null-terminated string.")); 762 763 SmallString<120> buf; 764 llvm::raw_svector_ostream os(buf); 765 766 assert(CurrentFunctionDescription); 767 os << "Argument to " << CurrentFunctionDescription << " is "; 768 769 if (SummarizeRegion(os, C.getASTContext(), MR)) 770 os << ", which is not a null-terminated string"; 771 else 772 os << "not a null-terminated string"; 773 774 // Generate a report for this bug. 775 BugReport *report = new BugReport(*BT_NotCString, 776 os.str(), N); 777 778 report->addRange(Ex->getSourceRange()); 779 C.EmitReport(report); 780 } 781 782 return UndefinedVal(); 783 } 784 } 785 786 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C, 787 ProgramStateRef &state, const Expr *expr, SVal val) const { 788 789 // Get the memory region pointed to by the val. 790 const MemRegion *bufRegion = val.getAsRegion(); 791 if (!bufRegion) 792 return NULL; 793 794 // Strip casts off the memory region. 795 bufRegion = bufRegion->StripCasts(); 796 797 // Cast the memory region to a string region. 798 const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion); 799 if (!strRegion) 800 return NULL; 801 802 // Return the actual string in the string region. 803 return strRegion->getStringLiteral(); 804 } 805 806 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C, 807 ProgramStateRef state, 808 const Expr *E, SVal V) { 809 Loc *L = dyn_cast<Loc>(&V); 810 if (!L) 811 return state; 812 813 // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes 814 // some assumptions about the value that CFRefCount can't. Even so, it should 815 // probably be refactored. 816 if (loc::MemRegionVal* MR = dyn_cast<loc::MemRegionVal>(L)) { 817 const MemRegion *R = MR->getRegion()->StripCasts(); 818 819 // Are we dealing with an ElementRegion? If so, we should be invalidating 820 // the super-region. 821 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) { 822 R = ER->getSuperRegion(); 823 // FIXME: What about layers of ElementRegions? 824 } 825 826 // Invalidate this region. 827 unsigned Count = C.getCurrentBlockCount(); 828 return state->invalidateRegions(R, E, Count); 829 } 830 831 // If we have a non-region value by chance, just remove the binding. 832 // FIXME: is this necessary or correct? This handles the non-Region 833 // cases. Is it ever valid to store to these? 834 return state->unbindLoc(*L); 835 } 836 837 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx, 838 const MemRegion *MR) { 839 const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR); 840 841 switch (MR->getKind()) { 842 case MemRegion::FunctionTextRegionKind: { 843 const FunctionDecl *FD = cast<FunctionTextRegion>(MR)->getDecl(); 844 if (FD) 845 os << "the address of the function '" << *FD << '\''; 846 else 847 os << "the address of a function"; 848 return true; 849 } 850 case MemRegion::BlockTextRegionKind: 851 os << "block text"; 852 return true; 853 case MemRegion::BlockDataRegionKind: 854 os << "a block"; 855 return true; 856 case MemRegion::CXXThisRegionKind: 857 case MemRegion::CXXTempObjectRegionKind: 858 os << "a C++ temp object of type " << TVR->getValueType().getAsString(); 859 return true; 860 case MemRegion::VarRegionKind: 861 os << "a variable of type" << TVR->getValueType().getAsString(); 862 return true; 863 case MemRegion::FieldRegionKind: 864 os << "a field of type " << TVR->getValueType().getAsString(); 865 return true; 866 case MemRegion::ObjCIvarRegionKind: 867 os << "an instance variable of type " << TVR->getValueType().getAsString(); 868 return true; 869 default: 870 return false; 871 } 872 } 873 874 //===----------------------------------------------------------------------===// 875 // evaluation of individual function calls. 876 //===----------------------------------------------------------------------===// 877 878 void CStringChecker::evalCopyCommon(CheckerContext &C, 879 const CallExpr *CE, 880 ProgramStateRef state, 881 const Expr *Size, const Expr *Dest, 882 const Expr *Source, bool Restricted, 883 bool IsMempcpy) const { 884 CurrentFunctionDescription = "memory copy function"; 885 886 // See if the size argument is zero. 887 const LocationContext *LCtx = C.getLocationContext(); 888 SVal sizeVal = state->getSVal(Size, LCtx); 889 QualType sizeTy = Size->getType(); 890 891 ProgramStateRef stateZeroSize, stateNonZeroSize; 892 llvm::tie(stateZeroSize, stateNonZeroSize) = 893 assumeZero(C, state, sizeVal, sizeTy); 894 895 // Get the value of the Dest. 896 SVal destVal = state->getSVal(Dest, LCtx); 897 898 // If the size is zero, there won't be any actual memory access, so 899 // just bind the return value to the destination buffer and return. 900 if (stateZeroSize) { 901 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal); 902 C.addTransition(stateZeroSize); 903 } 904 905 // If the size can be nonzero, we have to check the other arguments. 906 if (stateNonZeroSize) { 907 state = stateNonZeroSize; 908 909 // Ensure the destination is not null. If it is NULL there will be a 910 // NULL pointer dereference. 911 state = checkNonNull(C, state, Dest, destVal); 912 if (!state) 913 return; 914 915 // Get the value of the Src. 916 SVal srcVal = state->getSVal(Source, LCtx); 917 918 // Ensure the source is not null. If it is NULL there will be a 919 // NULL pointer dereference. 920 state = checkNonNull(C, state, Source, srcVal); 921 if (!state) 922 return; 923 924 // Ensure the accesses are valid and that the buffers do not overlap. 925 const char * const writeWarning = 926 "Memory copy function overflows destination buffer"; 927 state = CheckBufferAccess(C, state, Size, Dest, Source, 928 writeWarning, /* sourceWarning = */ NULL); 929 if (Restricted) 930 state = CheckOverlap(C, state, Size, Dest, Source); 931 932 if (!state) 933 return; 934 935 // If this is mempcpy, get the byte after the last byte copied and 936 // bind the expr. 937 if (IsMempcpy) { 938 loc::MemRegionVal *destRegVal = dyn_cast<loc::MemRegionVal>(&destVal); 939 assert(destRegVal && "Destination should be a known MemRegionVal here"); 940 941 // Get the length to copy. 942 NonLoc *lenValNonLoc = dyn_cast<NonLoc>(&sizeVal); 943 944 if (lenValNonLoc) { 945 // Get the byte after the last byte copied. 946 SVal lastElement = C.getSValBuilder().evalBinOpLN(state, BO_Add, 947 *destRegVal, 948 *lenValNonLoc, 949 Dest->getType()); 950 951 // The byte after the last byte copied is the return value. 952 state = state->BindExpr(CE, LCtx, lastElement); 953 } else { 954 // If we don't know how much we copied, we can at least 955 // conjure a return value for later. 956 unsigned Count = C.getCurrentBlockCount(); 957 SVal result = 958 C.getSValBuilder().getConjuredSymbolVal(NULL, CE, Count); 959 state = state->BindExpr(CE, LCtx, result); 960 } 961 962 } else { 963 // All other copies return the destination buffer. 964 // (Well, bcopy() has a void return type, but this won't hurt.) 965 state = state->BindExpr(CE, LCtx, destVal); 966 } 967 968 // Invalidate the destination. 969 // FIXME: Even if we can't perfectly model the copy, we should see if we 970 // can use LazyCompoundVals to copy the source values into the destination. 971 // This would probably remove any existing bindings past the end of the 972 // copied region, but that's still an improvement over blank invalidation. 973 state = InvalidateBuffer(C, state, Dest, 974 state->getSVal(Dest, C.getLocationContext())); 975 C.addTransition(state); 976 } 977 } 978 979 980 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const { 981 // void *memcpy(void *restrict dst, const void *restrict src, size_t n); 982 // The return value is the address of the destination buffer. 983 const Expr *Dest = CE->getArg(0); 984 ProgramStateRef state = C.getState(); 985 986 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true); 987 } 988 989 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const { 990 // void *mempcpy(void *restrict dst, const void *restrict src, size_t n); 991 // The return value is a pointer to the byte following the last written byte. 992 const Expr *Dest = CE->getArg(0); 993 ProgramStateRef state = C.getState(); 994 995 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true); 996 } 997 998 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const { 999 // void *memmove(void *dst, const void *src, size_t n); 1000 // The return value is the address of the destination buffer. 1001 const Expr *Dest = CE->getArg(0); 1002 ProgramStateRef state = C.getState(); 1003 1004 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1)); 1005 } 1006 1007 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const { 1008 // void bcopy(const void *src, void *dst, size_t n); 1009 evalCopyCommon(C, CE, C.getState(), 1010 CE->getArg(2), CE->getArg(1), CE->getArg(0)); 1011 } 1012 1013 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const { 1014 // int memcmp(const void *s1, const void *s2, size_t n); 1015 CurrentFunctionDescription = "memory comparison function"; 1016 1017 const Expr *Left = CE->getArg(0); 1018 const Expr *Right = CE->getArg(1); 1019 const Expr *Size = CE->getArg(2); 1020 1021 ProgramStateRef state = C.getState(); 1022 SValBuilder &svalBuilder = C.getSValBuilder(); 1023 1024 // See if the size argument is zero. 1025 const LocationContext *LCtx = C.getLocationContext(); 1026 SVal sizeVal = state->getSVal(Size, LCtx); 1027 QualType sizeTy = Size->getType(); 1028 1029 ProgramStateRef stateZeroSize, stateNonZeroSize; 1030 llvm::tie(stateZeroSize, stateNonZeroSize) = 1031 assumeZero(C, state, sizeVal, sizeTy); 1032 1033 // If the size can be zero, the result will be 0 in that case, and we don't 1034 // have to check either of the buffers. 1035 if (stateZeroSize) { 1036 state = stateZeroSize; 1037 state = state->BindExpr(CE, LCtx, 1038 svalBuilder.makeZeroVal(CE->getType())); 1039 C.addTransition(state); 1040 } 1041 1042 // If the size can be nonzero, we have to check the other arguments. 1043 if (stateNonZeroSize) { 1044 state = stateNonZeroSize; 1045 // If we know the two buffers are the same, we know the result is 0. 1046 // First, get the two buffers' addresses. Another checker will have already 1047 // made sure they're not undefined. 1048 DefinedOrUnknownSVal LV = 1049 cast<DefinedOrUnknownSVal>(state->getSVal(Left, LCtx)); 1050 DefinedOrUnknownSVal RV = 1051 cast<DefinedOrUnknownSVal>(state->getSVal(Right, LCtx)); 1052 1053 // See if they are the same. 1054 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 1055 ProgramStateRef StSameBuf, StNotSameBuf; 1056 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 1057 1058 // If the two arguments might be the same buffer, we know the result is 0, 1059 // and we only need to check one size. 1060 if (StSameBuf) { 1061 state = StSameBuf; 1062 state = CheckBufferAccess(C, state, Size, Left); 1063 if (state) { 1064 state = StSameBuf->BindExpr(CE, LCtx, 1065 svalBuilder.makeZeroVal(CE->getType())); 1066 C.addTransition(state); 1067 } 1068 } 1069 1070 // If the two arguments might be different buffers, we have to check the 1071 // size of both of them. 1072 if (StNotSameBuf) { 1073 state = StNotSameBuf; 1074 state = CheckBufferAccess(C, state, Size, Left, Right); 1075 if (state) { 1076 // The return value is the comparison result, which we don't know. 1077 unsigned Count = C.getCurrentBlockCount(); 1078 SVal CmpV = svalBuilder.getConjuredSymbolVal(NULL, CE, Count); 1079 state = state->BindExpr(CE, LCtx, CmpV); 1080 C.addTransition(state); 1081 } 1082 } 1083 } 1084 } 1085 1086 void CStringChecker::evalstrLength(CheckerContext &C, 1087 const CallExpr *CE) const { 1088 // size_t strlen(const char *s); 1089 evalstrLengthCommon(C, CE, /* IsStrnlen = */ false); 1090 } 1091 1092 void CStringChecker::evalstrnLength(CheckerContext &C, 1093 const CallExpr *CE) const { 1094 // size_t strnlen(const char *s, size_t maxlen); 1095 evalstrLengthCommon(C, CE, /* IsStrnlen = */ true); 1096 } 1097 1098 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE, 1099 bool IsStrnlen) const { 1100 CurrentFunctionDescription = "string length function"; 1101 ProgramStateRef state = C.getState(); 1102 const LocationContext *LCtx = C.getLocationContext(); 1103 1104 if (IsStrnlen) { 1105 const Expr *maxlenExpr = CE->getArg(1); 1106 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); 1107 1108 ProgramStateRef stateZeroSize, stateNonZeroSize; 1109 llvm::tie(stateZeroSize, stateNonZeroSize) = 1110 assumeZero(C, state, maxlenVal, maxlenExpr->getType()); 1111 1112 // If the size can be zero, the result will be 0 in that case, and we don't 1113 // have to check the string itself. 1114 if (stateZeroSize) { 1115 SVal zero = C.getSValBuilder().makeZeroVal(CE->getType()); 1116 stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero); 1117 C.addTransition(stateZeroSize); 1118 } 1119 1120 // If the size is GUARANTEED to be zero, we're done! 1121 if (!stateNonZeroSize) 1122 return; 1123 1124 // Otherwise, record the assumption that the size is nonzero. 1125 state = stateNonZeroSize; 1126 } 1127 1128 // Check that the string argument is non-null. 1129 const Expr *Arg = CE->getArg(0); 1130 SVal ArgVal = state->getSVal(Arg, LCtx); 1131 1132 state = checkNonNull(C, state, Arg, ArgVal); 1133 1134 if (!state) 1135 return; 1136 1137 SVal strLength = getCStringLength(C, state, Arg, ArgVal); 1138 1139 // If the argument isn't a valid C string, there's no valid state to 1140 // transition to. 1141 if (strLength.isUndef()) 1142 return; 1143 1144 DefinedOrUnknownSVal result = UnknownVal(); 1145 1146 // If the check is for strnlen() then bind the return value to no more than 1147 // the maxlen value. 1148 if (IsStrnlen) { 1149 QualType cmpTy = C.getSValBuilder().getConditionType(); 1150 1151 // It's a little unfortunate to be getting this again, 1152 // but it's not that expensive... 1153 const Expr *maxlenExpr = CE->getArg(1); 1154 SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); 1155 1156 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 1157 NonLoc *maxlenValNL = dyn_cast<NonLoc>(&maxlenVal); 1158 1159 if (strLengthNL && maxlenValNL) { 1160 ProgramStateRef stateStringTooLong, stateStringNotTooLong; 1161 1162 // Check if the strLength is greater than the maxlen. 1163 llvm::tie(stateStringTooLong, stateStringNotTooLong) = 1164 state->assume(cast<DefinedOrUnknownSVal> 1165 (C.getSValBuilder().evalBinOpNN(state, BO_GT, 1166 *strLengthNL, 1167 *maxlenValNL, 1168 cmpTy))); 1169 1170 if (stateStringTooLong && !stateStringNotTooLong) { 1171 // If the string is longer than maxlen, return maxlen. 1172 result = *maxlenValNL; 1173 } else if (stateStringNotTooLong && !stateStringTooLong) { 1174 // If the string is shorter than maxlen, return its length. 1175 result = *strLengthNL; 1176 } 1177 } 1178 1179 if (result.isUnknown()) { 1180 // If we don't have enough information for a comparison, there's 1181 // no guarantee the full string length will actually be returned. 1182 // All we know is the return value is the min of the string length 1183 // and the limit. This is better than nothing. 1184 unsigned Count = C.getCurrentBlockCount(); 1185 result = C.getSValBuilder().getConjuredSymbolVal(NULL, CE, Count); 1186 NonLoc *resultNL = cast<NonLoc>(&result); 1187 1188 if (strLengthNL) { 1189 state = state->assume(cast<DefinedOrUnknownSVal> 1190 (C.getSValBuilder().evalBinOpNN(state, BO_LE, 1191 *resultNL, 1192 *strLengthNL, 1193 cmpTy)), true); 1194 } 1195 1196 if (maxlenValNL) { 1197 state = state->assume(cast<DefinedOrUnknownSVal> 1198 (C.getSValBuilder().evalBinOpNN(state, BO_LE, 1199 *resultNL, 1200 *maxlenValNL, 1201 cmpTy)), true); 1202 } 1203 } 1204 1205 } else { 1206 // This is a plain strlen(), not strnlen(). 1207 result = cast<DefinedOrUnknownSVal>(strLength); 1208 1209 // If we don't know the length of the string, conjure a return 1210 // value, so it can be used in constraints, at least. 1211 if (result.isUnknown()) { 1212 unsigned Count = C.getCurrentBlockCount(); 1213 result = C.getSValBuilder().getConjuredSymbolVal(NULL, CE, Count); 1214 } 1215 } 1216 1217 // Bind the return value. 1218 assert(!result.isUnknown() && "Should have conjured a value by now"); 1219 state = state->BindExpr(CE, LCtx, result); 1220 C.addTransition(state); 1221 } 1222 1223 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const { 1224 // char *strcpy(char *restrict dst, const char *restrict src); 1225 evalStrcpyCommon(C, CE, 1226 /* returnEnd = */ false, 1227 /* isBounded = */ false, 1228 /* isAppending = */ false); 1229 } 1230 1231 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const { 1232 // char *strncpy(char *restrict dst, const char *restrict src, size_t n); 1233 evalStrcpyCommon(C, CE, 1234 /* returnEnd = */ false, 1235 /* isBounded = */ true, 1236 /* isAppending = */ false); 1237 } 1238 1239 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const { 1240 // char *stpcpy(char *restrict dst, const char *restrict src); 1241 evalStrcpyCommon(C, CE, 1242 /* returnEnd = */ true, 1243 /* isBounded = */ false, 1244 /* isAppending = */ false); 1245 } 1246 1247 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const { 1248 //char *strcat(char *restrict s1, const char *restrict s2); 1249 evalStrcpyCommon(C, CE, 1250 /* returnEnd = */ false, 1251 /* isBounded = */ false, 1252 /* isAppending = */ true); 1253 } 1254 1255 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const { 1256 //char *strncat(char *restrict s1, const char *restrict s2, size_t n); 1257 evalStrcpyCommon(C, CE, 1258 /* returnEnd = */ false, 1259 /* isBounded = */ true, 1260 /* isAppending = */ true); 1261 } 1262 1263 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, 1264 bool returnEnd, bool isBounded, 1265 bool isAppending) const { 1266 CurrentFunctionDescription = "string copy function"; 1267 ProgramStateRef state = C.getState(); 1268 const LocationContext *LCtx = C.getLocationContext(); 1269 1270 // Check that the destination is non-null. 1271 const Expr *Dst = CE->getArg(0); 1272 SVal DstVal = state->getSVal(Dst, LCtx); 1273 1274 state = checkNonNull(C, state, Dst, DstVal); 1275 if (!state) 1276 return; 1277 1278 // Check that the source is non-null. 1279 const Expr *srcExpr = CE->getArg(1); 1280 SVal srcVal = state->getSVal(srcExpr, LCtx); 1281 state = checkNonNull(C, state, srcExpr, srcVal); 1282 if (!state) 1283 return; 1284 1285 // Get the string length of the source. 1286 SVal strLength = getCStringLength(C, state, srcExpr, srcVal); 1287 1288 // If the source isn't a valid C string, give up. 1289 if (strLength.isUndef()) 1290 return; 1291 1292 SValBuilder &svalBuilder = C.getSValBuilder(); 1293 QualType cmpTy = svalBuilder.getConditionType(); 1294 QualType sizeTy = svalBuilder.getContext().getSizeType(); 1295 1296 // These two values allow checking two kinds of errors: 1297 // - actual overflows caused by a source that doesn't fit in the destination 1298 // - potential overflows caused by a bound that could exceed the destination 1299 SVal amountCopied = UnknownVal(); 1300 SVal maxLastElementIndex = UnknownVal(); 1301 const char *boundWarning = NULL; 1302 1303 // If the function is strncpy, strncat, etc... it is bounded. 1304 if (isBounded) { 1305 // Get the max number of characters to copy. 1306 const Expr *lenExpr = CE->getArg(2); 1307 SVal lenVal = state->getSVal(lenExpr, LCtx); 1308 1309 // Protect against misdeclared strncpy(). 1310 lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType()); 1311 1312 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 1313 NonLoc *lenValNL = dyn_cast<NonLoc>(&lenVal); 1314 1315 // If we know both values, we might be able to figure out how much 1316 // we're copying. 1317 if (strLengthNL && lenValNL) { 1318 ProgramStateRef stateSourceTooLong, stateSourceNotTooLong; 1319 1320 // Check if the max number to copy is less than the length of the src. 1321 // If the bound is equal to the source length, strncpy won't null- 1322 // terminate the result! 1323 llvm::tie(stateSourceTooLong, stateSourceNotTooLong) = 1324 state->assume(cast<DefinedOrUnknownSVal> 1325 (svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, 1326 *lenValNL, cmpTy))); 1327 1328 if (stateSourceTooLong && !stateSourceNotTooLong) { 1329 // Max number to copy is less than the length of the src, so the actual 1330 // strLength copied is the max number arg. 1331 state = stateSourceTooLong; 1332 amountCopied = lenVal; 1333 1334 } else if (!stateSourceTooLong && stateSourceNotTooLong) { 1335 // The source buffer entirely fits in the bound. 1336 state = stateSourceNotTooLong; 1337 amountCopied = strLength; 1338 } 1339 } 1340 1341 // We still want to know if the bound is known to be too large. 1342 if (lenValNL) { 1343 if (isAppending) { 1344 // For strncat, the check is strlen(dst) + lenVal < sizeof(dst) 1345 1346 // Get the string length of the destination. If the destination is 1347 // memory that can't have a string length, we shouldn't be copying 1348 // into it anyway. 1349 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1350 if (dstStrLength.isUndef()) 1351 return; 1352 1353 if (NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength)) { 1354 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add, 1355 *lenValNL, 1356 *dstStrLengthNL, 1357 sizeTy); 1358 boundWarning = "Size argument is greater than the free space in the " 1359 "destination buffer"; 1360 } 1361 1362 } else { 1363 // For strncpy, this is just checking that lenVal <= sizeof(dst) 1364 // (Yes, strncpy and strncat differ in how they treat termination. 1365 // strncat ALWAYS terminates, but strncpy doesn't.) 1366 NonLoc one = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy)); 1367 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, 1368 one, sizeTy); 1369 boundWarning = "Size argument is greater than the length of the " 1370 "destination buffer"; 1371 } 1372 } 1373 1374 // If we couldn't pin down the copy length, at least bound it. 1375 // FIXME: We should actually run this code path for append as well, but 1376 // right now it creates problems with constraints (since we can end up 1377 // trying to pass constraints from symbol to symbol). 1378 if (amountCopied.isUnknown() && !isAppending) { 1379 // Try to get a "hypothetical" string length symbol, which we can later 1380 // set as a real value if that turns out to be the case. 1381 amountCopied = getCStringLength(C, state, lenExpr, srcVal, true); 1382 assert(!amountCopied.isUndef()); 1383 1384 if (NonLoc *amountCopiedNL = dyn_cast<NonLoc>(&amountCopied)) { 1385 if (lenValNL) { 1386 // amountCopied <= lenVal 1387 SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE, 1388 *amountCopiedNL, 1389 *lenValNL, 1390 cmpTy); 1391 state = state->assume(cast<DefinedOrUnknownSVal>(copiedLessThanBound), 1392 true); 1393 if (!state) 1394 return; 1395 } 1396 1397 if (strLengthNL) { 1398 // amountCopied <= strlen(source) 1399 SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE, 1400 *amountCopiedNL, 1401 *strLengthNL, 1402 cmpTy); 1403 state = state->assume(cast<DefinedOrUnknownSVal>(copiedLessThanSrc), 1404 true); 1405 if (!state) 1406 return; 1407 } 1408 } 1409 } 1410 1411 } else { 1412 // The function isn't bounded. The amount copied should match the length 1413 // of the source buffer. 1414 amountCopied = strLength; 1415 } 1416 1417 assert(state); 1418 1419 // This represents the number of characters copied into the destination 1420 // buffer. (It may not actually be the strlen if the destination buffer 1421 // is not terminated.) 1422 SVal finalStrLength = UnknownVal(); 1423 1424 // If this is an appending function (strcat, strncat...) then set the 1425 // string length to strlen(src) + strlen(dst) since the buffer will 1426 // ultimately contain both. 1427 if (isAppending) { 1428 // Get the string length of the destination. If the destination is memory 1429 // that can't have a string length, we shouldn't be copying into it anyway. 1430 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1431 if (dstStrLength.isUndef()) 1432 return; 1433 1434 NonLoc *srcStrLengthNL = dyn_cast<NonLoc>(&amountCopied); 1435 NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength); 1436 1437 // If we know both string lengths, we might know the final string length. 1438 if (srcStrLengthNL && dstStrLengthNL) { 1439 // Make sure the two lengths together don't overflow a size_t. 1440 state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL); 1441 if (!state) 1442 return; 1443 1444 finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL, 1445 *dstStrLengthNL, sizeTy); 1446 } 1447 1448 // If we couldn't get a single value for the final string length, 1449 // we can at least bound it by the individual lengths. 1450 if (finalStrLength.isUnknown()) { 1451 // Try to get a "hypothetical" string length symbol, which we can later 1452 // set as a real value if that turns out to be the case. 1453 finalStrLength = getCStringLength(C, state, CE, DstVal, true); 1454 assert(!finalStrLength.isUndef()); 1455 1456 if (NonLoc *finalStrLengthNL = dyn_cast<NonLoc>(&finalStrLength)) { 1457 if (srcStrLengthNL) { 1458 // finalStrLength >= srcStrLength 1459 SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE, 1460 *finalStrLengthNL, 1461 *srcStrLengthNL, 1462 cmpTy); 1463 state = state->assume(cast<DefinedOrUnknownSVal>(sourceInResult), 1464 true); 1465 if (!state) 1466 return; 1467 } 1468 1469 if (dstStrLengthNL) { 1470 // finalStrLength >= dstStrLength 1471 SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE, 1472 *finalStrLengthNL, 1473 *dstStrLengthNL, 1474 cmpTy); 1475 state = state->assume(cast<DefinedOrUnknownSVal>(destInResult), 1476 true); 1477 if (!state) 1478 return; 1479 } 1480 } 1481 } 1482 1483 } else { 1484 // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and 1485 // the final string length will match the input string length. 1486 finalStrLength = amountCopied; 1487 } 1488 1489 // The final result of the function will either be a pointer past the last 1490 // copied element, or a pointer to the start of the destination buffer. 1491 SVal Result = (returnEnd ? UnknownVal() : DstVal); 1492 1493 assert(state); 1494 1495 // If the destination is a MemRegion, try to check for a buffer overflow and 1496 // record the new string length. 1497 if (loc::MemRegionVal *dstRegVal = dyn_cast<loc::MemRegionVal>(&DstVal)) { 1498 QualType ptrTy = Dst->getType(); 1499 1500 // If we have an exact value on a bounded copy, use that to check for 1501 // overflows, rather than our estimate about how much is actually copied. 1502 if (boundWarning) { 1503 if (NonLoc *maxLastNL = dyn_cast<NonLoc>(&maxLastElementIndex)) { 1504 SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, 1505 *maxLastNL, ptrTy); 1506 state = CheckLocation(C, state, CE->getArg(2), maxLastElement, 1507 boundWarning); 1508 if (!state) 1509 return; 1510 } 1511 } 1512 1513 // Then, if the final length is known... 1514 if (NonLoc *knownStrLength = dyn_cast<NonLoc>(&finalStrLength)) { 1515 SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, 1516 *knownStrLength, ptrTy); 1517 1518 // ...and we haven't checked the bound, we'll check the actual copy. 1519 if (!boundWarning) { 1520 const char * const warningMsg = 1521 "String copy function overflows destination buffer"; 1522 state = CheckLocation(C, state, Dst, lastElement, warningMsg); 1523 if (!state) 1524 return; 1525 } 1526 1527 // If this is a stpcpy-style copy, the last element is the return value. 1528 if (returnEnd) 1529 Result = lastElement; 1530 } 1531 1532 // Invalidate the destination. This must happen before we set the C string 1533 // length because invalidation will clear the length. 1534 // FIXME: Even if we can't perfectly model the copy, we should see if we 1535 // can use LazyCompoundVals to copy the source values into the destination. 1536 // This would probably remove any existing bindings past the end of the 1537 // string, but that's still an improvement over blank invalidation. 1538 state = InvalidateBuffer(C, state, Dst, *dstRegVal); 1539 1540 // Set the C string length of the destination, if we know it. 1541 if (isBounded && !isAppending) { 1542 // strncpy is annoying in that it doesn't guarantee to null-terminate 1543 // the result string. If the original string didn't fit entirely inside 1544 // the bound (including the null-terminator), we don't know how long the 1545 // result is. 1546 if (amountCopied != strLength) 1547 finalStrLength = UnknownVal(); 1548 } 1549 state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength); 1550 } 1551 1552 assert(state); 1553 1554 // If this is a stpcpy-style copy, but we were unable to check for a buffer 1555 // overflow, we still need a result. Conjure a return value. 1556 if (returnEnd && Result.isUnknown()) { 1557 unsigned Count = C.getCurrentBlockCount(); 1558 Result = svalBuilder.getConjuredSymbolVal(NULL, CE, Count); 1559 } 1560 1561 // Set the return value. 1562 state = state->BindExpr(CE, LCtx, Result); 1563 C.addTransition(state); 1564 } 1565 1566 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const { 1567 //int strcmp(const char *s1, const char *s2); 1568 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false); 1569 } 1570 1571 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const { 1572 //int strncmp(const char *s1, const char *s2, size_t n); 1573 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false); 1574 } 1575 1576 void CStringChecker::evalStrcasecmp(CheckerContext &C, 1577 const CallExpr *CE) const { 1578 //int strcasecmp(const char *s1, const char *s2); 1579 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true); 1580 } 1581 1582 void CStringChecker::evalStrncasecmp(CheckerContext &C, 1583 const CallExpr *CE) const { 1584 //int strncasecmp(const char *s1, const char *s2, size_t n); 1585 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true); 1586 } 1587 1588 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, 1589 bool isBounded, bool ignoreCase) const { 1590 CurrentFunctionDescription = "string comparison function"; 1591 ProgramStateRef state = C.getState(); 1592 const LocationContext *LCtx = C.getLocationContext(); 1593 1594 // Check that the first string is non-null 1595 const Expr *s1 = CE->getArg(0); 1596 SVal s1Val = state->getSVal(s1, LCtx); 1597 state = checkNonNull(C, state, s1, s1Val); 1598 if (!state) 1599 return; 1600 1601 // Check that the second string is non-null. 1602 const Expr *s2 = CE->getArg(1); 1603 SVal s2Val = state->getSVal(s2, LCtx); 1604 state = checkNonNull(C, state, s2, s2Val); 1605 if (!state) 1606 return; 1607 1608 // Get the string length of the first string or give up. 1609 SVal s1Length = getCStringLength(C, state, s1, s1Val); 1610 if (s1Length.isUndef()) 1611 return; 1612 1613 // Get the string length of the second string or give up. 1614 SVal s2Length = getCStringLength(C, state, s2, s2Val); 1615 if (s2Length.isUndef()) 1616 return; 1617 1618 // If we know the two buffers are the same, we know the result is 0. 1619 // First, get the two buffers' addresses. Another checker will have already 1620 // made sure they're not undefined. 1621 DefinedOrUnknownSVal LV = cast<DefinedOrUnknownSVal>(s1Val); 1622 DefinedOrUnknownSVal RV = cast<DefinedOrUnknownSVal>(s2Val); 1623 1624 // See if they are the same. 1625 SValBuilder &svalBuilder = C.getSValBuilder(); 1626 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 1627 ProgramStateRef StSameBuf, StNotSameBuf; 1628 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 1629 1630 // If the two arguments might be the same buffer, we know the result is 0, 1631 // and we only need to check one size. 1632 if (StSameBuf) { 1633 StSameBuf = StSameBuf->BindExpr(CE, LCtx, 1634 svalBuilder.makeZeroVal(CE->getType())); 1635 C.addTransition(StSameBuf); 1636 1637 // If the two arguments are GUARANTEED to be the same, we're done! 1638 if (!StNotSameBuf) 1639 return; 1640 } 1641 1642 assert(StNotSameBuf); 1643 state = StNotSameBuf; 1644 1645 // At this point we can go about comparing the two buffers. 1646 // For now, we only do this if they're both known string literals. 1647 1648 // Attempt to extract string literals from both expressions. 1649 const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val); 1650 const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val); 1651 bool canComputeResult = false; 1652 1653 if (s1StrLiteral && s2StrLiteral) { 1654 StringRef s1StrRef = s1StrLiteral->getString(); 1655 StringRef s2StrRef = s2StrLiteral->getString(); 1656 1657 if (isBounded) { 1658 // Get the max number of characters to compare. 1659 const Expr *lenExpr = CE->getArg(2); 1660 SVal lenVal = state->getSVal(lenExpr, LCtx); 1661 1662 // If the length is known, we can get the right substrings. 1663 if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) { 1664 // Create substrings of each to compare the prefix. 1665 s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue()); 1666 s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue()); 1667 canComputeResult = true; 1668 } 1669 } else { 1670 // This is a normal, unbounded strcmp. 1671 canComputeResult = true; 1672 } 1673 1674 if (canComputeResult) { 1675 // Real strcmp stops at null characters. 1676 size_t s1Term = s1StrRef.find('\0'); 1677 if (s1Term != StringRef::npos) 1678 s1StrRef = s1StrRef.substr(0, s1Term); 1679 1680 size_t s2Term = s2StrRef.find('\0'); 1681 if (s2Term != StringRef::npos) 1682 s2StrRef = s2StrRef.substr(0, s2Term); 1683 1684 // Use StringRef's comparison methods to compute the actual result. 1685 int result; 1686 1687 if (ignoreCase) { 1688 // Compare string 1 to string 2 the same way strcasecmp() does. 1689 result = s1StrRef.compare_lower(s2StrRef); 1690 } else { 1691 // Compare string 1 to string 2 the same way strcmp() does. 1692 result = s1StrRef.compare(s2StrRef); 1693 } 1694 1695 // Build the SVal of the comparison and bind the return value. 1696 SVal resultVal = svalBuilder.makeIntVal(result, CE->getType()); 1697 state = state->BindExpr(CE, LCtx, resultVal); 1698 } 1699 } 1700 1701 if (!canComputeResult) { 1702 // Conjure a symbolic value. It's the best we can do. 1703 unsigned Count = C.getCurrentBlockCount(); 1704 SVal resultVal = svalBuilder.getConjuredSymbolVal(NULL, CE, Count); 1705 state = state->BindExpr(CE, LCtx, resultVal); 1706 } 1707 1708 // Record this as a possible path. 1709 C.addTransition(state); 1710 } 1711 1712 //===----------------------------------------------------------------------===// 1713 // The driver method, and other Checker callbacks. 1714 //===----------------------------------------------------------------------===// 1715 1716 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { 1717 StringRef Name = C.getCalleeName(CE); 1718 if (Name.empty()) 1719 return false; 1720 if (Name.startswith("__builtin_")) 1721 Name = Name.substr(10); 1722 1723 FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name) 1724 .Cases("memcpy", "__memcpy_chk", &CStringChecker::evalMemcpy) 1725 .Cases("mempcpy", "__mempcpy_chk", &CStringChecker::evalMempcpy) 1726 .Cases("memcmp", "bcmp", &CStringChecker::evalMemcmp) 1727 .Cases("memmove", "__memmove_chk", &CStringChecker::evalMemmove) 1728 .Cases("strcpy", "__strcpy_chk", &CStringChecker::evalStrcpy) 1729 .Cases("strncpy", "__strncpy_chk", &CStringChecker::evalStrncpy) 1730 .Cases("stpcpy", "__stpcpy_chk", &CStringChecker::evalStpcpy) 1731 .Cases("strcat", "__strcat_chk", &CStringChecker::evalStrcat) 1732 .Cases("strncat", "__strncat_chk", &CStringChecker::evalStrncat) 1733 .Case("strlen", &CStringChecker::evalstrLength) 1734 .Case("strnlen", &CStringChecker::evalstrnLength) 1735 .Case("strcmp", &CStringChecker::evalStrcmp) 1736 .Case("strncmp", &CStringChecker::evalStrncmp) 1737 .Case("strcasecmp", &CStringChecker::evalStrcasecmp) 1738 .Case("strncasecmp", &CStringChecker::evalStrncasecmp) 1739 .Case("bcopy", &CStringChecker::evalBcopy) 1740 .Default(NULL); 1741 1742 // If the callee isn't a string function, let another checker handle it. 1743 if (!evalFunction) 1744 return false; 1745 1746 // Make sure each function sets its own description. 1747 // (But don't bother in a release build.) 1748 assert(!(CurrentFunctionDescription = NULL)); 1749 1750 // Check and evaluate the call. 1751 (this->*evalFunction)(C, CE); 1752 1753 // If the evaluate call resulted in no change, chain to the next eval call 1754 // handler. 1755 // Note, the custom CString evaluation calls assume that basic safety 1756 // properties are held. However, if the user chooses to turn off some of these 1757 // checks, we ignore the issues and leave the call evaluation to a generic 1758 // handler. 1759 if (!C.isDifferent()) 1760 return false; 1761 1762 return true; 1763 } 1764 1765 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const { 1766 // Record string length for char a[] = "abc"; 1767 ProgramStateRef state = C.getState(); 1768 1769 for (DeclStmt::const_decl_iterator I = DS->decl_begin(), E = DS->decl_end(); 1770 I != E; ++I) { 1771 const VarDecl *D = dyn_cast<VarDecl>(*I); 1772 if (!D) 1773 continue; 1774 1775 // FIXME: Handle array fields of structs. 1776 if (!D->getType()->isArrayType()) 1777 continue; 1778 1779 const Expr *Init = D->getInit(); 1780 if (!Init) 1781 continue; 1782 if (!isa<StringLiteral>(Init)) 1783 continue; 1784 1785 Loc VarLoc = state->getLValue(D, C.getLocationContext()); 1786 const MemRegion *MR = VarLoc.getAsRegion(); 1787 if (!MR) 1788 continue; 1789 1790 SVal StrVal = state->getSVal(Init, C.getLocationContext()); 1791 assert(StrVal.isValid() && "Initializer string is unknown or undefined"); 1792 DefinedOrUnknownSVal strLength 1793 = cast<DefinedOrUnknownSVal>(getCStringLength(C, state, Init, StrVal)); 1794 1795 state = state->set<CStringLength>(MR, strLength); 1796 } 1797 1798 C.addTransition(state); 1799 } 1800 1801 bool CStringChecker::wantsRegionChangeUpdate(ProgramStateRef state) const { 1802 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1803 return !Entries.isEmpty(); 1804 } 1805 1806 ProgramStateRef 1807 CStringChecker::checkRegionChanges(ProgramStateRef state, 1808 const StoreManager::InvalidatedSymbols *, 1809 ArrayRef<const MemRegion *> ExplicitRegions, 1810 ArrayRef<const MemRegion *> Regions) const { 1811 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1812 if (Entries.isEmpty()) 1813 return state; 1814 1815 llvm::SmallPtrSet<const MemRegion *, 8> Invalidated; 1816 llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions; 1817 1818 // First build sets for the changed regions and their super-regions. 1819 for (ArrayRef<const MemRegion *>::iterator 1820 I = Regions.begin(), E = Regions.end(); I != E; ++I) { 1821 const MemRegion *MR = *I; 1822 Invalidated.insert(MR); 1823 1824 SuperRegions.insert(MR); 1825 while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) { 1826 MR = SR->getSuperRegion(); 1827 SuperRegions.insert(MR); 1828 } 1829 } 1830 1831 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>(); 1832 1833 // Then loop over the entries in the current state. 1834 for (CStringLength::EntryMap::iterator I = Entries.begin(), 1835 E = Entries.end(); I != E; ++I) { 1836 const MemRegion *MR = I.getKey(); 1837 1838 // Is this entry for a super-region of a changed region? 1839 if (SuperRegions.count(MR)) { 1840 Entries = F.remove(Entries, MR); 1841 continue; 1842 } 1843 1844 // Is this entry for a sub-region of a changed region? 1845 const MemRegion *Super = MR; 1846 while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) { 1847 Super = SR->getSuperRegion(); 1848 if (Invalidated.count(Super)) { 1849 Entries = F.remove(Entries, MR); 1850 break; 1851 } 1852 } 1853 } 1854 1855 return state->set<CStringLength>(Entries); 1856 } 1857 1858 void CStringChecker::checkLiveSymbols(ProgramStateRef state, 1859 SymbolReaper &SR) const { 1860 // Mark all symbols in our string length map as valid. 1861 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1862 1863 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end(); 1864 I != E; ++I) { 1865 SVal Len = I.getData(); 1866 1867 for (SymExpr::symbol_iterator si = Len.symbol_begin(), 1868 se = Len.symbol_end(); si != se; ++si) 1869 SR.markInUse(*si); 1870 } 1871 } 1872 1873 void CStringChecker::checkDeadSymbols(SymbolReaper &SR, 1874 CheckerContext &C) const { 1875 if (!SR.hasDeadSymbols()) 1876 return; 1877 1878 ProgramStateRef state = C.getState(); 1879 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1880 if (Entries.isEmpty()) 1881 return; 1882 1883 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>(); 1884 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end(); 1885 I != E; ++I) { 1886 SVal Len = I.getData(); 1887 if (SymbolRef Sym = Len.getAsSymbol()) { 1888 if (SR.isDead(Sym)) 1889 Entries = F.remove(Entries, I.getKey()); 1890 } 1891 } 1892 1893 state = state->set<CStringLength>(Entries); 1894 C.addTransition(state); 1895 } 1896 1897 #define REGISTER_CHECKER(name) \ 1898 void ento::register##name(CheckerManager &mgr) {\ 1899 static CStringChecker *TheChecker = 0; \ 1900 if (TheChecker == 0) \ 1901 TheChecker = mgr.registerChecker<CStringChecker>(); \ 1902 TheChecker->Filter.Check##name = true; \ 1903 } 1904 1905 REGISTER_CHECKER(CStringNullArg) 1906 REGISTER_CHECKER(CStringOutOfBounds) 1907 REGISTER_CHECKER(CStringBufferOverlap) 1908 REGISTER_CHECKER(CStringNotNullTerm) 1909