This is an archive of the discontinued LLVM Phabricator instance.

Differential D104887

[clang] Evaluate strlen of strcpy argument for -Wfortify-source.
ClosedPublic

Authored by mbenfield on Jun 24 2021, 5:10 PM.

Details

Reviewers
george.burgess.iv
cjdb
rsmith
Commits
rGe12e02df09a9: [clang] Evaluate strlen of strcpy argument for -Wfortify-source.
Summary

Also introduce Expr::tryEvaluateStrLen.

Diff Detail

Event Timeline

mbenfield requested review of this revision.Jun 24 2021, 5:10 PM
mbenfield created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptJun 24 2021, 5:10 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B110924: Diff 354401.Jun 24 2021, 5:20 PM
mbenfield updated this revision to Diff 354563.Jun 25 2021, 11:32 AM

Accommodate the fact that APSInt::toString(unsigned) was removed.

Harbormaster completed remote builds in B111047: Diff 354563.Jun 25 2021, 12:31 PM
mbenfield updated this revision to Diff 357077.Jul 7 2021, 2:25 PM

fix failing tests

Harbormaster completed remote builds in B112870: Diff 357077.Jul 7 2021, 3:20 PM
mbenfield updated this revision to Diff 358309.Jul 13 2021, 9:32 AM

undo commenting out in source_location.cpp

Harbormaster completed remote builds in B113768: Diff 358309.Jul 13 2021, 11:08 AM
george.burgess.iv added a comment.Jul 14 2021, 3:15 PM

thanks for this! mostly just nits from me

clang/lib/AST/ExprConstant.cpp
15755

Looks like this is the second "try to evaluate the call to this builtin function" API endpoint we have here (the other being for __builtin_object_size). IMO this isn't an issue, but if we need many more of these, it might be worth considering exposing a more general Expr::tryEvaluateBuiltinFunctionCall(APValue &, ASTContext &, BuiltinID, ArrayRef<Expr>) or similar.

clang/lib/Sema/SemaChecking.cpp
604

nit: i'd rename this ComputeExplicitObjectSizeArgument

621

nit: would const Expr * work here? clang prefers to have const where possible

741–742

i expected ComputeCheckVariantSize to imply that the argument was to a _chk function, but these cases don't reference _chk functions (nor do we set IsChkVariant = true;). should this be calling ComputeSizeArgument instead?

755–756

same "shouldn't this be ComputeSizeArgument?' question

764–765

same question

clang/test/Sema/warn-fortify-source.c
64

for completeness and consistency, please include a case where this warning doesn't fire.

at the same time, it'd be nice to test for an off-by-one (which i believe is handled correctly by this patch already); maybe shorten src to "abcd" and have a test on char dst2[5]; that doesn't fire?

cjdb added a comment.Jul 15 2021, 11:05 AM

Thanks for getting around to this! Just a nit and a clarifying question.

clang/include/clang/Basic/DiagnosticSemaKinds.td
821

Nit: s/null/NUL

clang/lib/AST/ExprConstant.cpp
15737

This comment is slightly different to the RHS: does that mean that a diagnostic might not be issued?

mbenfield added inline comments.Jul 16 2021, 2:10 PM
clang/lib/AST/ExprConstant.cpp
15737

I just didn't find the extra verbiage helpful. AFAICT this code could be used for purposes other than issuing a diagnostic, and a diagnostic could be issued after following either the fast or slow path, so it didn't make a lot of sense to me. But if you have a different preference for this comment let me know.

mbenfield added inline comments.Jul 16 2021, 3:15 PM
clang/lib/Sema/SemaChecking.cpp
741–742

Maybe the name ComputeCheckVariantSize was misleading and it'll be more clear now that I'm changing the name, but these functions like strncat, the memcpys below, and snprintf, etc, all take an explicit size argument just like the _chk functions.

mbenfield updated this revision to Diff 359655.Jul 18 2021, 4:05 PM

Rebased and addressed comments.

  • Renamed ComputeCheckVariantSize.
  • const Expr *.
  • Changed existing test case to write only one excess byte.
  • Added new, non-diagnosing test case.
Harbormaster completed remote builds in B114760: Diff 359655.Jul 18 2021, 5:15 PM
mbenfield updated this revision to Diff 359955.Jul 19 2021, 4:37 PM

Rebase.

Harbormaster completed remote builds in B114976: Diff 359955.Jul 19 2021, 5:22 PM
george.burgess.iv accepted this revision.Jul 20 2021, 9:51 AM

lgtm -- thanks!

please give a day for other reviewers to add any last minute comments, then i think we can land this.

clang/lib/Sema/SemaChecking.cpp
741–742

ohh, gotcha. i was misinterpreting the relationship between IsChkVariant and SourceSize then -- thanks for the clarification!

This revision is now accepted and ready to land.Jul 20 2021, 9:51 AM
This revision was landed with ongoing or failed builds.Jul 28 2021, 1:53 PM
Closed by commit rGe12e02df09a9: [clang] Evaluate strlen of strcpy argument for -Wfortify-source. (authored by mbenfield, committed by gbiv). · Explain Why
This revision was automatically updated to reflect the committed changes.
gbiv added a commit: rGe12e02df09a9: [clang] Evaluate strlen of strcpy argument for -Wfortify-source..

Revision Contents

PathSize
clang/
include/
clang/
AST/
6 lines
Basic/
5 lines
lib/
AST/
101 lines
Sema/
140 lines
test/
Analysis/
16 lines
Sema/
13 lines

Diff 362530

clang/include/clang/AST/Expr.h

Show First 20 LinesShow All 734 Lines▼ Show 20 Linespublic:
/// Returns true if all of the above holds and we were able to figure out the /// Returns true if all of the above holds and we were able to figure out the
/// size, false otherwise. /// size, false otherwise.
/// ///
/// \param Type - How to evaluate the size of the Expr, as defined by the /// \param Type - How to evaluate the size of the Expr, as defined by the
/// "type" parameter of __builtin_object_size /// "type" parameter of __builtin_object_size
bool tryEvaluateObjectSize(uint64_t &Result, ASTContext &Ctx, bool tryEvaluateObjectSize(uint64_t &Result, ASTContext &Ctx,
unsigned Type) const; unsigned Type) const;
/// If the current Expr is a pointer, this will try to statically
/// determine the strlen of the string pointed to.
/// Returns true if all of the above holds and we were able to figure out the
/// strlen, false otherwise.
bool tryEvaluateStrLen(uint64_t &Result, ASTContext &Ctx) const;
/// Enumeration used to describe the kind of Null pointer constant /// Enumeration used to describe the kind of Null pointer constant
/// returned from \c isNullPointerConstant(). /// returned from \c isNullPointerConstant().
enum NullPointerConstantKind { enum NullPointerConstantKind {
/// Expression is not a Null pointer constant. /// Expression is not a Null pointer constant.
NPCK_NotNull = 0, NPCK_NotNull = 0,
/// Expression is a Null pointer constant built from a zero integer /// Expression is a Null pointer constant built from a zero integer
/// expression that is not a simple, possibly parenthesized, zero literal. /// expression that is not a simple, possibly parenthesized, zero literal.
▲ Show 20 LinesShow All 5,702 LinesShow Last 20 Lines

clang/include/clang/Basic/DiagnosticSemaKinds.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 810 Lines▼ Show 20 Linesdef warn_builtin_chk_overflow : Warning<
InGroup<DiagGroup<"builtin-memcpy-chk-size">>; InGroup<DiagGroup<"builtin-memcpy-chk-size">>;
def warn_fortify_source_overflow def warn_fortify_source_overflow
: Warning<warn_builtin_chk_overflow.Text>, InGroup<FortifySource>; : Warning<warn_builtin_chk_overflow.Text>, InGroup<FortifySource>;
def warn_fortify_source_size_mismatch : Warning< def warn_fortify_source_size_mismatch : Warning<
"'%0' size argument is too large; destination buffer has size %1," "'%0' size argument is too large; destination buffer has size %1,"
" but size argument is %2">, InGroup<FortifySource>; " but size argument is %2">, InGroup<FortifySource>;
def warn_fortify_strlen_overflow: Warning<
"'%0' will always overflow; destination buffer has size %1,"
" but the source string has length %2 (including NUL byte)">,
cjdbUnsubmitted
Not Done
ReplyInline Actions

Nit: s/null/NUL

cjdb: Nit: s/null/NUL
InGroup<FortifySource>;
def warn_fortify_source_format_overflow : Warning< def warn_fortify_source_format_overflow : Warning<
"'%0' will always overflow; destination buffer has size %1," "'%0' will always overflow; destination buffer has size %1,"
" but format string expands to at least %2">, " but format string expands to at least %2">,
InGroup<FortifySource>; InGroup<FortifySource>;
/// main() /// main()
// static main() is not an error in C, just in C++. // static main() is not an error in C, just in C++.
▲ Show 20 LinesShow All 10,530 LinesShow Last 20 Lines

clang/lib/AST/ExprConstant.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 1,820 Lines▼ Show 20 Lines
static bool EvaluateInteger(const Expr *E, APSInt &Result, EvalInfo &Info); static bool EvaluateInteger(const Expr *E, APSInt &Result, EvalInfo &Info);
static bool EvaluateIntegerOrLValue(const Expr *E, APValue &Result, static bool EvaluateIntegerOrLValue(const Expr *E, APValue &Result,
EvalInfo &Info); EvalInfo &Info);
static bool EvaluateFloat(const Expr *E, APFloat &Result, EvalInfo &Info); static bool EvaluateFloat(const Expr *E, APFloat &Result, EvalInfo &Info);
static bool EvaluateComplex(const Expr *E, ComplexValue &Res, EvalInfo &Info); static bool EvaluateComplex(const Expr *E, ComplexValue &Res, EvalInfo &Info);
static bool EvaluateAtomic(const Expr *E, const LValue *This, APValue &Result, static bool EvaluateAtomic(const Expr *E, const LValue *This, APValue &Result,
EvalInfo &Info); EvalInfo &Info);
static bool EvaluateAsRValue(EvalInfo &Info, const Expr *E, APValue &Result); static bool EvaluateAsRValue(EvalInfo &Info, const Expr *E, APValue &Result);
static bool EvaluateBuiltinStrLen(const Expr *E, uint64_t &Result,
EvalInfo &Info);
/// Evaluate an integer or fixed point expression into an APResult. /// Evaluate an integer or fixed point expression into an APResult.
static bool EvaluateFixedPointOrInteger(const Expr *E, APFixedPoint &Result, static bool EvaluateFixedPointOrInteger(const Expr *E, APFixedPoint &Result,
EvalInfo &Info); EvalInfo &Info);
/// Evaluate only a fixed point expression into an APResult. /// Evaluate only a fixed point expression into an APResult.
static bool EvaluateFixedPoint(const Expr *E, APFixedPoint &Result, static bool EvaluateFixedPoint(const Expr *E, APFixedPoint &Result,
EvalInfo &Info); EvalInfo &Info);
▲ Show 20 LinesShow All 9,994 Lines▼ Show 20 Lines if (Info.getLangOpts().CPlusPlus11)
<< (std::string("'") + Info.Ctx.BuiltinInfo.getName(BuiltinOp) + "'"); << (std::string("'") + Info.Ctx.BuiltinInfo.getName(BuiltinOp) + "'");
else else
Info.CCEDiag(E, diag::note_invalid_subexpr_in_const_expr); Info.CCEDiag(E, diag::note_invalid_subexpr_in_const_expr);
LLVM_FALLTHROUGH; LLVM_FALLTHROUGH;
case Builtin::BI__builtin_strlen: case Builtin::BI__builtin_strlen:
case Builtin::BI__builtin_wcslen: { case Builtin::BI__builtin_wcslen: {
// As an extension, we support __builtin_strlen() as a constant expression, // As an extension, we support __builtin_strlen() as a constant expression,
// and support folding strlen() to a constant. // and support folding strlen() to a constant.
LValue String; uint64_t StrLen;
if (!EvaluatePointer(E->getArg(0), String, Info)) if (EvaluateBuiltinStrLen(E->getArg(0), StrLen, Info))
return Success(StrLen, E);
return false; return false;
QualType CharTy = E->getArg(0)->getType()->getPointeeType();
// Fast path: if it's a string literal, search the string value.
if (const StringLiteral *S = dyn_cast_or_null<StringLiteral>(
String.getLValueBase().dyn_cast<const Expr *>())) {
// The string literal may have embedded null characters. Find the first
// one and truncate there.
StringRef Str = S->getBytes();
int64_t Off = String.Offset.getQuantity();
if (Off >= 0 && (uint64_t)Off <= (uint64_t)Str.size() &&
S->getCharByteWidth() == 1 &&
// FIXME: Add fast-path for wchar_t too.
Info.Ctx.hasSameUnqualifiedType(CharTy, Info.Ctx.CharTy)) {
Str = Str.substr(Off);
StringRef::size_type Pos = Str.find(0);
if (Pos != StringRef::npos)
Str = Str.substr(0, Pos);
return Success(Str.size(), E);
}
// Fall through to slow path to issue appropriate diagnostic.
}
// Slow path: scan the bytes of the string looking for the terminating 0.
for (uint64_t Strlen = 0; /**/; ++Strlen) {
APValue Char;
if (!handleLValueToRValueConversion(Info, E, CharTy, String, Char) ||
!Char.isInt())
return false;
if (!Char.getInt())
return Success(Strlen, E);
if (!HandleLValueArrayAdjustment(Info, E, String, CharTy, 1))
return false;
}
} }
case Builtin::BIstrcmp: case Builtin::BIstrcmp:
case Builtin::BIwcscmp: case Builtin::BIwcscmp:
case Builtin::BIstrncmp: case Builtin::BIstrncmp:
case Builtin::BIwcsncmp: case Builtin::BIwcsncmp:
case Builtin::BImemcmp: case Builtin::BImemcmp:
case Builtin::BIbcmp: case Builtin::BIbcmp:
▲ Show 20 LinesShow All 3,844 Lines▼ Show 20 Linesbool Expr::tryEvaluateObjectSize(uint64_t &Result, ASTContext &Ctx,
unsigned Type) const { unsigned Type) const {
if (!getType()->isPointerType()) if (!getType()->isPointerType())
return false; return false;
Expr::EvalStatus Status; Expr::EvalStatus Status;
EvalInfo Info(Ctx, Status, EvalInfo::EM_ConstantFold); EvalInfo Info(Ctx, Status, EvalInfo::EM_ConstantFold);
return tryEvaluateBuiltinObjectSize(this, Type, Info, Result); return tryEvaluateBuiltinObjectSize(this, Type, Info, Result);
} }
static bool EvaluateBuiltinStrLen(const Expr *E, uint64_t &Result,
EvalInfo &Info) {
if (!E->getType()->hasPointerRepresentation() || !E->isPRValue())
return false;
LValue String;
if (!EvaluatePointer(E, String, Info))
return false;
QualType CharTy = E->getType()->getPointeeType();
// Fast path: if it's a string literal, search the string value.
if (const StringLiteral *S = dyn_cast_or_null<StringLiteral>(
String.getLValueBase().dyn_cast<const Expr *>())) {
StringRef Str = S->getBytes();
int64_t Off = String.Offset.getQuantity();
if (Off >= 0 && (uint64_t)Off <= (uint64_t)Str.size() &&
S->getCharByteWidth() == 1 &&
// FIXME: Add fast-path for wchar_t too.
Info.Ctx.hasSameUnqualifiedType(CharTy, Info.Ctx.CharTy)) {
Str = Str.substr(Off);
StringRef::size_type Pos = Str.find(0);
if (Pos != StringRef::npos)
Str = Str.substr(0, Pos);
Result = Str.size();
return true;
}
// Fall through to slow path.
cjdbUnsubmitted
Not Done
ReplyInline Actions

This comment is slightly different to the RHS: does that mean that a diagnostic might not be issued?

cjdb: This comment is slightly different to the RHS: does that mean that a diagnostic might not be…
mbenfieldAuthorUnsubmitted
Done
ReplyInline Actions

I just didn't find the extra verbiage helpful. AFAICT this code could be used for purposes other than issuing a diagnostic, and a diagnostic could be issued after following either the fast or slow path, so it didn't make a lot of sense to me. But if you have a different preference for this comment let me know.

mbenfield: I just didn't find the extra verbiage helpful. AFAICT this code could be used for purposes…
}
// Slow path: scan the bytes of the string looking for the terminating 0.
for (uint64_t Strlen = 0; /**/; ++Strlen) {
APValue Char;
if (!handleLValueToRValueConversion(Info, E, CharTy, String, Char) ||
!Char.isInt())
return false;
if (!Char.getInt()) {
Result = Strlen;
return true;
}
if (!HandleLValueArrayAdjustment(Info, E, String, CharTy, 1))
return false;
}
}
bool Expr::tryEvaluateStrLen(uint64_t &Result, ASTContext &Ctx) const {
george.burgess.ivUnsubmitted
Not Done
ReplyInline Actions

Looks like this is the second "try to evaluate the call to this builtin function" API endpoint we have here (the other being for __builtin_object_size). IMO this isn't an issue, but if we need many more of these, it might be worth considering exposing a more general Expr::tryEvaluateBuiltinFunctionCall(APValue &, ASTContext &, BuiltinID, ArrayRef<Expr>) or similar.

george.burgess.iv: Looks like this is the second "try to evaluate the call to this builtin function" API endpoint…
Expr::EvalStatus Status;
EvalInfo Info(Ctx, Status, EvalInfo::EM_ConstantFold);
return EvaluateBuiltinStrLen(this, Result, Info);
}

clang/lib/Sema/SemaChecking.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 582 Lines▼ Show 20 Lines default:
break; break;
} }
return Precision; return Precision;
} }
}; };
} // namespace } // namespace
/// Check a call to BuiltinID for buffer overflows. If BuiltinID is a
/// __builtin_*_chk function, then use the object size argument specified in the
/// source. Otherwise, infer the object size using __builtin_object_size.
void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD, void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
CallExpr *TheCall) { CallExpr *TheCall) {
// FIXME: There are some more useful checks we could be doing here:
// - Evaluate strlen of strcpy arguments, use as object size.
if (TheCall->isValueDependent() || TheCall->isTypeDependent() || if (TheCall->isValueDependent() || TheCall->isTypeDependent() ||
isConstantEvaluated()) isConstantEvaluated())
return; return;
unsigned BuiltinID = FD->getBuiltinID(/*ConsiderWrappers=*/true); unsigned BuiltinID = FD->getBuiltinID(/*ConsiderWrappers=*/true);
if (!BuiltinID) if (!BuiltinID)
return; return;
const TargetInfo &TI = getASTContext().getTargetInfo(); const TargetInfo &TI = getASTContext().getTargetInfo();
unsigned SizeTypeWidth = TI.getTypeWidth(TI.getSizeType()); unsigned SizeTypeWidth = TI.getTypeWidth(TI.getSizeType());
auto ComputeExplicitObjectSizeArgument =
george.burgess.ivUnsubmitted
Not Done
ReplyInline Actions

nit: i'd rename this ComputeExplicitObjectSizeArgument

george.burgess.iv: nit: i'd rename this `ComputeExplicitObjectSizeArgument`
[&](unsigned Index) -> Optional<llvm::APSInt> {
Expr::EvalResult Result;
Expr *SizeArg = TheCall->getArg(Index);
if (!SizeArg->EvaluateAsInt(Result, getASTContext()))
return llvm::None;
return Result.Val.getInt();
};
auto ComputeSizeArgument = [&](unsigned Index) -> Optional<llvm::APSInt> {
// If the parameter has a pass_object_size attribute, then we should use its
// (potentially) more strict checking mode. Otherwise, conservatively assume
// type 0.
int BOSType = 0;
if (const auto *POS =
FD->getParamDecl(Index)->getAttr<PassObjectSizeAttr>())
BOSType = POS->getType();
george.burgess.ivUnsubmitted
Not Done
ReplyInline Actions

nit: would const Expr * work here? clang prefers to have const where possible

george.burgess.iv: nit: would `const Expr *` work here? clang prefers to have `const` where possible
const Expr *ObjArg = TheCall->getArg(Index);
uint64_t Result;
if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
return llvm::None;
// Get the object size in the target's size_t width.
return llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth);
};
auto ComputeStrLenArgument = [&](unsigned Index) -> Optional<llvm::APSInt> {
Expr *ObjArg = TheCall->getArg(Index);
uint64_t Result;
if (!ObjArg->tryEvaluateStrLen(Result, getASTContext()))
return llvm::None;
// Add 1 for null byte.
return llvm::APSInt::getUnsigned(Result + 1).extOrTrunc(SizeTypeWidth);
};
Optional<llvm::APSInt> SourceSize;
Optional<llvm::APSInt> DestinationSize;
unsigned DiagID = 0; unsigned DiagID = 0;
bool IsChkVariant = false; bool IsChkVariant = false;
Optional<llvm::APSInt> UsedSize;
unsigned SizeIndex, ObjectIndex;
switch (BuiltinID) { switch (BuiltinID) {
default: default:
return; return;
case Builtin::BI__builtin_strcpy:
case Builtin::BIstrcpy: {
DiagID = diag::warn_fortify_strlen_overflow;
SourceSize = ComputeStrLenArgument(1);
DestinationSize = ComputeSizeArgument(0);
break;
}
case Builtin::BI__builtin___strcpy_chk: {
DiagID = diag::warn_fortify_strlen_overflow;
SourceSize = ComputeStrLenArgument(1);
DestinationSize = ComputeExplicitObjectSizeArgument(2);
IsChkVariant = true;
break;
}
case Builtin::BIsprintf: case Builtin::BIsprintf:
case Builtin::BI__builtin___sprintf_chk: { case Builtin::BI__builtin___sprintf_chk: {
size_t FormatIndex = BuiltinID == Builtin::BIsprintf ? 1 : 3; size_t FormatIndex = BuiltinID == Builtin::BIsprintf ? 1 : 3;
auto *FormatExpr = TheCall->getArg(FormatIndex)->IgnoreParenImpCasts(); auto *FormatExpr = TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();
if (auto *Format = dyn_cast<StringLiteral>(FormatExpr)) { if (auto *Format = dyn_cast<StringLiteral>(FormatExpr)) {
if (!Format->isAscii() && !Format->isUTF8()) if (!Format->isAscii() && !Format->isUTF8())
Show All 9 Lines if (auto *Format = dyn_cast<StringLiteral>(FormatExpr)) {
// In case there's a null byte somewhere. // In case there's a null byte somewhere.
size_t StrLen = size_t StrLen =
std::min(std::max(TypeSize, size_t(1)) - 1, FormatStrRef.find(0)); std::min(std::max(TypeSize, size_t(1)) - 1, FormatStrRef.find(0));
if (!analyze_format_string::ParsePrintfString( if (!analyze_format_string::ParsePrintfString(
H, FormatBytes, FormatBytes + StrLen, getLangOpts(), H, FormatBytes, FormatBytes + StrLen, getLangOpts(),
Context.getTargetInfo(), false)) { Context.getTargetInfo(), false)) {
DiagID = diag::warn_fortify_source_format_overflow; DiagID = diag::warn_fortify_source_format_overflow;
UsedSize = llvm::APSInt::getUnsigned(H.getSizeLowerBound()) SourceSize = llvm::APSInt::getUnsigned(H.getSizeLowerBound())
.extOrTrunc(SizeTypeWidth); .extOrTrunc(SizeTypeWidth);
if (BuiltinID == Builtin::BI__builtin___sprintf_chk) { if (BuiltinID == Builtin::BI__builtin___sprintf_chk) {
DestinationSize = ComputeExplicitObjectSizeArgument(2);
IsChkVariant = true; IsChkVariant = true;
ObjectIndex = 2;
} else { } else {
IsChkVariant = false; DestinationSize = ComputeSizeArgument(0);
ObjectIndex = 0;
} }
break; break;
} }
} }
return; return;
} }
case Builtin::BI__builtin___memcpy_chk: case Builtin::BI__builtin___memcpy_chk:
case Builtin::BI__builtin___memmove_chk: case Builtin::BI__builtin___memmove_chk:
case Builtin::BI__builtin___memset_chk: case Builtin::BI__builtin___memset_chk:
case Builtin::BI__builtin___strlcat_chk: case Builtin::BI__builtin___strlcat_chk:
case Builtin::BI__builtin___strlcpy_chk: case Builtin::BI__builtin___strlcpy_chk:
case Builtin::BI__builtin___strncat_chk: case Builtin::BI__builtin___strncat_chk:
case Builtin::BI__builtin___strncpy_chk: case Builtin::BI__builtin___strncpy_chk:
case Builtin::BI__builtin___stpncpy_chk: case Builtin::BI__builtin___stpncpy_chk:
case Builtin::BI__builtin___memccpy_chk: case Builtin::BI__builtin___memccpy_chk:
case Builtin::BI__builtin___mempcpy_chk: { case Builtin::BI__builtin___mempcpy_chk: {
DiagID = diag::warn_builtin_chk_overflow; DiagID = diag::warn_builtin_chk_overflow;
SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 2);
DestinationSize =
ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
IsChkVariant = true; IsChkVariant = true;
SizeIndex = TheCall->getNumArgs() - 2;
ObjectIndex = TheCall->getNumArgs() - 1;
break; break;
} }
case Builtin::BI__builtin___snprintf_chk: case Builtin::BI__builtin___snprintf_chk:
case Builtin::BI__builtin___vsnprintf_chk: { case Builtin::BI__builtin___vsnprintf_chk: {
DiagID = diag::warn_builtin_chk_overflow; DiagID = diag::warn_builtin_chk_overflow;
SourceSize = ComputeExplicitObjectSizeArgument(1);
DestinationSize = ComputeExplicitObjectSizeArgument(3);
IsChkVariant = true; IsChkVariant = true;
SizeIndex = 1;
ObjectIndex = 3;
break; break;
} }
case Builtin::BIstrncat: case Builtin::BIstrncat:
case Builtin::BI__builtin_strncat: case Builtin::BI__builtin_strncat:
case Builtin::BIstrncpy: case Builtin::BIstrncpy:
case Builtin::BI__builtin_strncpy: case Builtin::BI__builtin_strncpy:
case Builtin::BIstpncpy: case Builtin::BIstpncpy:
case Builtin::BI__builtin_stpncpy: { case Builtin::BI__builtin_stpncpy: {
// Whether these functions overflow depends on the runtime strlen of the // Whether these functions overflow depends on the runtime strlen of the
// string, not just the buffer size, so emitting the "always overflow" // string, not just the buffer size, so emitting the "always overflow"
// diagnostic isn't quite right. We should still diagnose passing a buffer // diagnostic isn't quite right. We should still diagnose passing a buffer
// size larger than the destination buffer though; this is a runtime abort // size larger than the destination buffer though; this is a runtime abort
// in _FORTIFY_SOURCE mode, and is quite suspicious otherwise. // in _FORTIFY_SOURCE mode, and is quite suspicious otherwise.
DiagID = diag::warn_fortify_source_size_mismatch; DiagID = diag::warn_fortify_source_size_mismatch;
SizeIndex = TheCall->getNumArgs() - 1; SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
ObjectIndex = 0; DestinationSize = ComputeSizeArgument(0);
george.burgess.ivUnsubmitted
Not Done
ReplyInline Actions

i expected ComputeCheckVariantSize to imply that the argument was to a _chk function, but these cases don't reference _chk functions (nor do we set IsChkVariant = true;). should this be calling ComputeSizeArgument instead?

george.burgess.iv: i expected `ComputeCheckVariantSize` to imply that the argument was to a `_chk` function, but…
mbenfieldAuthorUnsubmitted
Done
ReplyInline Actions

Maybe the name ComputeCheckVariantSize was misleading and it'll be more clear now that I'm changing the name, but these functions like strncat, the memcpys below, and snprintf, etc, all take an explicit size argument just like the _chk functions.

mbenfield: Maybe the name `ComputeCheckVariantSize` was misleading and it'll be more clear now that I'm…
george.burgess.ivUnsubmitted
Not Done
ReplyInline Actions

ohh, gotcha. i was misinterpreting the relationship between IsChkVariant and SourceSize then -- thanks for the clarification!

george.burgess.iv: ohh, gotcha. i was misinterpreting the relationship between `IsChkVariant` and `SourceSize`…
break; break;
} }
case Builtin::BImemcpy: case Builtin::BImemcpy:
case Builtin::BI__builtin_memcpy: case Builtin::BI__builtin_memcpy:
case Builtin::BImemmove: case Builtin::BImemmove:
case Builtin::BI__builtin_memmove: case Builtin::BI__builtin_memmove:
case Builtin::BImemset: case Builtin::BImemset:
case Builtin::BI__builtin_memset: case Builtin::BI__builtin_memset:
case Builtin::BImempcpy: case Builtin::BImempcpy:
case Builtin::BI__builtin_mempcpy: { case Builtin::BI__builtin_mempcpy: {
DiagID = diag::warn_fortify_source_overflow; DiagID = diag::warn_fortify_source_overflow;
SizeIndex = TheCall->getNumArgs() - 1; SourceSize = ComputeExplicitObjectSizeArgument(TheCall->getNumArgs() - 1);
ObjectIndex = 0; DestinationSize = ComputeSizeArgument(0);
george.burgess.ivUnsubmitted
Not Done
ReplyInline Actions

same "shouldn't this be ComputeSizeArgument?' question

george.burgess.iv: same "shouldn't this be `ComputeSizeArgument`?' question
break; break;
} }
case Builtin::BIsnprintf: case Builtin::BIsnprintf:
case Builtin::BI__builtin_snprintf: case Builtin::BI__builtin_snprintf:
case Builtin::BIvsnprintf: case Builtin::BIvsnprintf:
case Builtin::BI__builtin_vsnprintf: { case Builtin::BI__builtin_vsnprintf: {
DiagID = diag::warn_fortify_source_size_mismatch; DiagID = diag::warn_fortify_source_size_mismatch;
SizeIndex = 1; SourceSize = ComputeExplicitObjectSizeArgument(1);
ObjectIndex = 0; DestinationSize = ComputeSizeArgument(0);
george.burgess.ivUnsubmitted
Not Done
ReplyInline Actions

same question

george.burgess.iv: same question
break; break;
} }
} }
llvm::APSInt ObjectSize; if (!SourceSize || !DestinationSize ||
// For __builtin___*_chk, the object size is explicitly provided by the caller SourceSize.getValue().ule(DestinationSize.getValue()))
// (usually using __builtin_object_size). Use that value to check this call.
if (IsChkVariant) {
Expr::EvalResult Result;
Expr *SizeArg = TheCall->getArg(ObjectIndex);
if (!SizeArg->EvaluateAsInt(Result, getASTContext()))
return;
ObjectSize = Result.Val.getInt();
// Otherwise, try to evaluate an imaginary call to __builtin_object_size.
} else {
// If the parameter has a pass_object_size attribute, then we should use its
// (potentially) more strict checking mode. Otherwise, conservatively assume
// type 0.
int BOSType = 0;
if (const auto *POS =
FD->getParamDecl(ObjectIndex)->getAttr<PassObjectSizeAttr>())
BOSType = POS->getType();
Expr *ObjArg = TheCall->getArg(ObjectIndex);
uint64_t Result;
if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
return;
// Get the object size in the target's size_t width.
ObjectSize = llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth);
}
// Evaluate the number of bytes of the object that this call will use.
if (!UsedSize) {
Expr::EvalResult Result;
Expr *UsedSizeArg = TheCall->getArg(SizeIndex);
if (!UsedSizeArg->EvaluateAsInt(Result, getASTContext()))
return;
UsedSize = Result.Val.getInt().extOrTrunc(SizeTypeWidth);
}
if (UsedSize.getValue().ule(ObjectSize))
return; return;
StringRef FunctionName = getASTContext().BuiltinInfo.getName(BuiltinID); StringRef FunctionName = getASTContext().BuiltinInfo.getName(BuiltinID);
// Skim off the details of whichever builtin was called to produce a better // Skim off the details of whichever builtin was called to produce a better
// diagnostic, as it's unlikley that the user wrote the __builtin explicitly. // diagnostic, as it's unlikley that the user wrote the __builtin explicitly.
if (IsChkVariant) { if (IsChkVariant) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin___")); FunctionName = FunctionName.drop_front(std::strlen("__builtin___"));
FunctionName = FunctionName.drop_back(std::strlen("_chk")); FunctionName = FunctionName.drop_back(std::strlen("_chk"));
} else if (FunctionName.startswith("__builtin_")) { } else if (FunctionName.startswith("__builtin_")) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin_")); FunctionName = FunctionName.drop_front(std::strlen("__builtin_"));
} }
SmallString<16> DestinationStr;
SmallString<16> SourceStr;
DestinationSize->toString(DestinationStr, /*Radix=*/10);
SourceSize->toString(SourceStr, /*Radix=*/10);
DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall, DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
PDiag(DiagID) PDiag(DiagID)
<< FunctionName << toString(ObjectSize, /*Radix=*/10) << FunctionName << DestinationStr << SourceStr);
<< toString(UsedSize.getValue(), /*Radix=*/10));
} }
static bool SemaBuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall, static bool SemaBuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall,
Scope::ScopeFlags NeededScopeFlags, Scope::ScopeFlags NeededScopeFlags,
unsigned DiagID) { unsigned DiagID) {
// Scopes aren't available during instantiation. Fortunately, builtin // Scopes aren't available during instantiation. Fortunately, builtin
// functions cannot be template args so they cannot be formed through template // functions cannot be template args so they cannot be formed through template
// instantiation. Therefore checking once during the parse is sufficient. // instantiation. Therefore checking once during the parse is sufficient.
▲ Show 20 LinesShow All 15,921 LinesShow Last 20 Lines

clang/test/Analysis/security-syntax-checks.m

// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify \ // RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify -Wno-fortify-source \
// RUN: -analyzer-checker=security.insecureAPI \ // RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter // RUN: -analyzer-checker=security.FloatLoopCounter
// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify \ // RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify -Wno-fortify-source \
// RUN: -DUSE_BUILTINS \ // RUN: -DUSE_BUILTINS \
// RUN: -analyzer-checker=security.insecureAPI \ // RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter // RUN: -analyzer-checker=security.FloatLoopCounter
// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify \ // RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify -Wno-fortify-source \
// RUN: -DVARIANT \ // RUN: -DVARIANT \
// RUN: -analyzer-checker=security.insecureAPI \ // RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter // RUN: -analyzer-checker=security.FloatLoopCounter
// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify \ // RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 %s -verify -Wno-fortify-source \
// RUN: -DUSE_BUILTINS -DVARIANT \ // RUN: -DUSE_BUILTINS -DVARIANT \
// RUN: -analyzer-checker=security.insecureAPI \ // RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter // RUN: -analyzer-checker=security.FloatLoopCounter
// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi %s -verify \ // RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi %s -verify -Wno-fortify-source \
// RUN: -analyzer-checker=security.insecureAPI \ // RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter // RUN: -analyzer-checker=security.FloatLoopCounter
// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi %s -verify \ // RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi %s -verify -Wno-fortify-source \
// RUN: -DUSE_BUILTINS \ // RUN: -DUSE_BUILTINS \
// RUN: -analyzer-checker=security.insecureAPI \ // RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter // RUN: -analyzer-checker=security.FloatLoopCounter
// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi %s -verify \ // RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi %s -verify -Wno-fortify-source \
// RUN: -DVARIANT \ // RUN: -DVARIANT \
// RUN: -analyzer-checker=security.insecureAPI \ // RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter // RUN: -analyzer-checker=security.FloatLoopCounter
// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi %s -verify \ // RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi %s -verify -Wno-fortify-source \
// RUN: -DUSE_BUILTINS -DVARIANT \ // RUN: -DUSE_BUILTINS -DVARIANT \
// RUN: -analyzer-checker=security.insecureAPI \ // RUN: -analyzer-checker=security.insecureAPI \
// RUN: -analyzer-checker=security.FloatLoopCounter // RUN: -analyzer-checker=security.FloatLoopCounter
#ifdef USE_BUILTINS #ifdef USE_BUILTINS
# define BUILTIN(f) __builtin_ ## f # define BUILTIN(f) __builtin_ ## f
#else /* USE_BUILTINS */ #else /* USE_BUILTINS */
# define BUILTIN(f) f # define BUILTIN(f) f
▲ Show 20 LinesShow All 309 LinesShow Last 20 Lines

clang/test/Sema/warn-fortify-source.c

Show First 20 LinesShow All 52 Lines▼ Show 20 Lines
} }
void call_stpncpy() { void call_stpncpy() {
char s1[10], s2[20]; char s1[10], s2[20];
__builtin_stpncpy(s2, s1, 20); __builtin_stpncpy(s2, s1, 20);
__builtin_stpncpy(s1, s2, 20); // expected-warning {{'stpncpy' size argument is too large; destination buffer has size 10, but size argument is 20}} __builtin_stpncpy(s1, s2, 20); // expected-warning {{'stpncpy' size argument is too large; destination buffer has size 10, but size argument is 20}}
} }
void call_strcpy() {
const char *const src = "abcd";
char dst[4];
__builtin_strcpy(dst, src); // expected-warning {{'strcpy' will always overflow; destination buffer has size 4, but the source string has length 5 (including NUL byte)}}
george.burgess.ivUnsubmitted
Not Done
ReplyInline Actions

for completeness and consistency, please include a case where this warning doesn't fire.

at the same time, it'd be nice to test for an off-by-one (which i believe is handled correctly by this patch already); maybe shorten src to "abcd" and have a test on char dst2[5]; that doesn't fire?

george.burgess.iv: for completeness and consistency, please include a case where this warning doesn't fire. at…
}
void call_strcpy_nowarn() {
const char *const src = "abcd";
char dst[5];
// We should not get a warning here.
__builtin_strcpy(dst, src);
}
void call_memmove() { void call_memmove() {
char s1[10], s2[20]; char s1[10], s2[20];
__builtin_memmove(s2, s1, 20); __builtin_memmove(s2, s1, 20);
__builtin_memmove(s1, s2, 20); // expected-warning {{'memmove' will always overflow; destination buffer has size 10, but size argument is 20}} __builtin_memmove(s1, s2, 20); // expected-warning {{'memmove' will always overflow; destination buffer has size 10, but size argument is 20}}
} }
void call_memset() { void call_memset() {
char buf[10]; char buf[10];
▲ Show 20 LinesShow All 123 LinesShow Last 20 Lines