This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
include/clang/StaticAnalyzer/Checkers/
-
clang/
-
StaticAnalyzer/
-
Checkers/
5
Checkers.td
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
4/22
CheckSecuritySyntaxOnly.cpp
-
test/Analysis/
-
Analysis/
2
security-syntax-checks.m

Differential D35068

[analyzer] Detect usages of unsafe I/O functions
ClosedPublic

Authored by koldaniel on Jul 6 2017, 9:52 AM.

Download Raw Diff

Details

Reviewers

zaks.anna
dcoughlin
NoQ
xazax.hun
Szelethus
george.karpenkov

Commits

rG8d239996392c: [analyzer] New checker for detecting usages of unsafe I/O functions
rC353698: [analyzer] New checker for detecting usages of unsafe I/O functions
rL353698: [analyzer] New checker for detecting usages of unsafe I/O functions

Summary

There are certain unsafe or deprecated (since C11) buffer handling
functions which should be avoided in safety critical code. They
could cause buffer overflows. Two new checks had been implemented
which warn for every occurrence of such functions
(unsafe or deprecated printf, scanf family, and other buffer
handling functions, which now have a secure variant).

Diff Detail

Event Timeline

koldaniel created this revision.Jul 6 2017, 9:52 AM

koldaniel added a reviewer: zaks.anna.Jul 6 2017, 9:55 AM

This does not do anything more than traversing the AST, shouldn't this be a clang-tidy check?
Also, i suspect CERT-MSC24-C might be relevant

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
614	deprecated

xazax.hun retitled this revision from Detect usages of unsafe I/O functions to [analyzer] Detect usages of unsafe I/O functions.Jul 7 2017, 2:43 AM

xazax.hun edited the summary of this revision. (Show Details)

xazax.hun added reviewers: dcoughlin, NoQ.

xazax.hun set the repository for this revision to rL LLVM.

xazax.hun added a subscriber: xazax.hun.

whisperity added subscribers: gsd, dkrupp, whisperity.Jul 11 2017, 2:25 AM

It'd look good in clang-tidy (especially if extended to provide fixits), but if Daniel is interested in having this feature in the analyzer (and picked by clang-tidy from there), i wouldn't mind.

I wonder how noisy this check is - did you test it on large codebases? Because these functions are popular, and in many cases it'd be fine to use insecure functions, i wonder if it's worth it to have this check on by default. Like, if it's relatively quiet - it's fine, but if it'd constitute 90% of the analyzer's warnings on popular projects, that'd probably not be fine.

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
604–605	Note that you cannot easily figure out if the code is intended to get compiled only under C11 and above - maybe it's accidentally compiled under C11 for this user, but is otherwise intended to keep working under older standards.
639	Because it also checks deprecated buffer handling, i'd rename this function to `checkDeprecatedOrUnsafeBufferHandling`.
677–682	You'd probably also want to quit early if the format string is not a literal.

In D35068#811437, @NoQ wrote:

It'd look good in clang-tidy (especially if extended to provide fixits), but if Daniel is interested in having this feature in the analyzer (and picked by clang-tidy from there), i wouldn't mind.

I wonder how noisy this check is - did you test it on large codebases? Because these functions are popular, and in many cases it'd be fine to use insecure functions, i wonder if it's worth it to have this check on by default. Like, if it's relatively quiet - it's fine, but if it'd constitute 90% of the analyzer's warnings on popular projects, that'd probably not be fine.

This patch basically extends an already existing static analyzer check. Even if tidy might be a better fit, I wonder what is the right thing to do in this case. We either end up overlapping functionality with the analyzer and tidy or have to come up with a policy what to do in this such cases.

xazax.hun added inline comments.Aug 8 2017, 1:32 AM

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
629	I would put a new line above and remove one bellow.
639	Is the TODO still relevant in this line?

koldaniel marked 4 inline comments as done.Aug 29 2017, 4:50 AM

koldaniel added inline comments.

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
604–605	It is a possible scenario, how should I check if the checks should warn (safe functions are available) if not by using this method?
677–682	If the format string is not a literal (i.e. a variable), currently we cannot determine if there were any restrictions regarding the size or not, so we want this check to warn.

Updated checker name, minor modifications

Renaming the unsafe checker, updating tests.

koldaniel updated this revision to Diff 117782.Oct 5 2017, 1:22 AM

Herald added a subscriber: szepet. · View Herald TranscriptOct 5 2017, 1:22 AM

xazax.hun added inline comments.Nov 2 2017, 8:19 AM

include/clang/StaticAnalyzer/Checkers/Checkers.td
395	I do not like the naming of these two checks, It feels like one of them warns for a subset of the other, however, it is not the case. What about removing the "deprecated" part from the first check?
lib/Driver/ToolChains/Clang.cpp
2256 ↗	(On Diff #117782)	Do we want to turn on both of these by default? Warning on every use of `memset` will be very noisy for example.
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
144	This is the only print-related function in this group. Is this intended?
604–605	This is the same approach some check takes in clang tidy. I think it is still better to not warn for non C11 users than warn for everybody. If a project is not interested in this check but they are interested in having C11 builds, they can turn this check off. (Or it can be off by default in the first place).

koldaniel added inline comments.Nov 13 2017, 9:30 AM

include/clang/StaticAnalyzer/Checkers/Checkers.td
395	Both checker warns if a buffer handling function is deprecated (DeprecatedOrUnsafeBufferHandling calls DeprecatedBufferHandling), but the DeprecatedOrUnsafeBufferHandling checker also warns if a function is not only deprecated but unsafe (i.e. writes a buffer without size restrictions) too.
lib/Driver/ToolChains/Clang.cpp
2256 ↗	(On Diff #117782)	It's true that these checkers could be very noisy if they are enabled by default, I'm going to fix this.
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
144	sprintf and vsprintf are buffer-writing functions without size restrictions, this is the reason why only these two are checked by DeprecatedOrUnsafeBufferHandling of the printf family. There are buffer-writing members of this family which are not unsafe (because of size restrictions) but have a secure version introduced in the C11 standard, and DeprecatedBufferHandling warns for them: swprintf, snprintf, vswprintf, vsnprintf. Other printf-related functions are either printing to a file or to the standard output.

xazax.hun added inline comments.Nov 15 2017, 5:39 AM

include/clang/StaticAnalyzer/Checkers/Checkers.td
395	I see. Maybe it would be better to make them disjoint? Also, I think it is not a good user experience to get two warnings for the same function call.

koldaniel added inline comments.Nov 16 2017, 6:52 AM

include/clang/StaticAnalyzer/Checkers/Checkers.td
395	Do you mean to separate them, so we would have one checker which warns for the unsafe and deprecated buffer handling functions, and one which warns for the deprecated functions which have some boundary restrictions?

koldaniel updated this revision to Diff 136261.Feb 28 2018, 2:57 AM

Herald added a reviewer: george.karpenkov. · View Herald TranscriptFeb 28 2018, 2:57 AM

Herald added a subscriber: a.sidorin. · View Herald Transcript

george.karpenkov added inline comments.Feb 28 2018, 11:08 AM

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
100	80 chars
165	That's a lot of duplicated `WalkAST::checkDeprecatedOrUnsafeBufferHandling`. Could that be simplified?
618	That's a lot of duplication of 1/0/-1. And also 1/0/-1 are cryptic symbols, why not use an enum with a descriptive name? Maybe use `.Cases("sprintf", "vsprintf", "vfscanf", WARN_UNSAFE)` ?

koldaniel added inline comments.Mar 5 2018, 5:25 AM

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
618	The duplications will be solved by using .Cases, but is using enum necessary? 1 and 0 refers to the index of the argument which could be a format string. -1 means there is no need to look for a string like this.

george.karpenkov added inline comments.Mar 5 2018, 4:57 PM

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
618	Right, then I guess 1 and 0 are self-descriptive, but I would still add a separate constant for `-1`.

koldaniel updated this revision to Diff 137162.Mar 6 2018, 5:10 AM

Do you have any other comments, or could this change be accepted?

@koldaniel Have you evaluated this checker? On which codebases? Were the warnings real security issues, or were they mostly spurious? The code seems fine, but I'm not sure whether it should be in security or in alpha.

In D35068#1049530, @george.karpenkov wrote:

@koldaniel Have you evaluated this checker? On which codebases? Were the warnings real security issues, or were they mostly spurious? The code seems fine, but I'm not sure whether it should be in security or in alpha.

I've evaluated this checker on LLVM+Clang, there were only a few (about 15) warnings, because of the C11 flag check at the beginning of the checker body. However, if this check was removed, number of the warnings would be increased significantly. I wouldn't say the findings were real security issues, most of the warnings were about usages of deprecated functions, which has not been considered unsecure (but which may cause problems if the code is modified in an improper way in the future).

Do you have any other comments? Could this checker be delivered into security?

george.karpenkov resigned from this revision.May 30 2018, 5:03 PM

george.karpenkov added a subscriber: george.karpenkov.

Hi, could you please take a look at this issue?

Herald added a subscriber: mikhail.ramalho. · View Herald TranscriptJul 3 2018, 3:54 AM

LGTM!

Any objections to commit this?
I think this is quiet coding guideline specific check which is useful for a set of security critical projects. As this is an opt in kind of check, I think it does no harm to have it upstream.

This revision is now accepted and ready to land.Jan 17 2019, 3:09 AM

Herald added subscribers: donat.nagy, Szelethus, rnkovacs, baloghadamsoftware. · View Herald TranscriptJan 17 2019, 3:09 AM

Overall I think this looks great, thanks! I left some inlines that would be nice to fix before commiting, but all of them are minor nits.

Would it be possible for you to commit the clang-formatting and the actual logic separately?

include/clang/StaticAnalyzer/Checkers/Checkers.td
393	Lately we started paying attention to the 80 column limit in `Checkers.td`. Could you please break this line?
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
598	I think this newline should stay.
599	This is out of place.
607	Could you please add an extra newline?
619–626	I wonder whether using `CallDescription` would be (way) more efficient here. Comparing `IndentifierInfo`s would also be better I guess. I'm a little unsure about performance implications here, it might not be worth the chore to refactor this.
643–646	Could you please start these variable names with a capital letter?
test/Analysis/security-syntax-checks.m
253	When using `{{}}`, you actually supply a regex as an argument, and the output of the analyzer is matched against it. My point is, could you instead just write // expected-warning{{Call to function 'sprintf' is insecure}} to improve readability?

Szelethus added inline comments.Jan 17 2019, 10:07 AM

test/Analysis/security-syntax-checks.m
253	Or whatever the shortest string is needed to know whether the expected output it there.

In D35068#811436, @NoQ wrote:

I wonder how noisy this check is - did you test it on large codebases? Because these functions are popular, and in many cases it'd be fine to use insecure functions, i wonder if it's worth it to have this check on by default. Like, if it's relatively quiet - it's fine, but if it'd constitute 90% of the analyzer's warnings on popular projects, that'd probably not be fine.

In D35068#1049530, @george.karpenkov wrote:

@koldaniel Have you evaluated this checker? On which codebases? Were the warnings real security issues, or were they mostly spurious? The code seems fine, but I'm not sure whether it should be in security or in alpha.

Sorry, didn't read the discussion, there are some fair points in the quoted comments.

In D35068#1069880, @koldaniel wrote:

I've evaluated this checker on LLVM+Clang, there were only a few (about 15) warnings, because of the C11 flag check at the beginning of the checker body. However, if this check was removed, number of the warnings would be increased significantly. I wouldn't say the findings were real security issues, most of the warnings were about usages of deprecated functions, which has not been considered unsecure (but which may cause problems if the code is modified in an improper way in the future).

My problem is that LLVM+Clang isn't really a C (nor a C11) project, and I think judging this checker on it is a little misleading. Could you please test it on some C11 projects? I think tmux uses C11.

Edit: it doesn't, but CMake is mostly a C project and it does!

In D35068#1361195, @xazax.hun wrote:

I think this is quiet coding guideline specific check which is useful for a set of security critical projects. As this is an opt in kind of check, I think it does no harm to have it upstream.

I do generally agree with this statement, but I'd be more comfortable either landing it in alpha or seeing some other results.

This revision now requires changes to proceed.Jan 17 2019, 10:17 AM

In D35068#1361902, @Szelethus wrote:

Edit: it doesn't, but CMake is mostly a C project and it does!

CMake really isn't a C project if you look at what language it actually uses - the C files come from tests and system utilities such as ZIP being reimplemented.
And as far as I've seen with my recent endeavours, Clang has problems with parsing and building CMake (however all these errors relate to some very niche standard library memory size related stuff not being there where it wants them).

In D35068#1361902, @Szelethus wrote:

In D35068#1069880, @koldaniel wrote:

I've evaluated this checker on LLVM+Clang, there were only a few (about 15) warnings, because of the C11 flag check at the beginning of the checker body. However, if this check was removed, number of the warnings would be increased significantly. I wouldn't say the findings were real security issues, most of the warnings were about usages of deprecated functions, which has not been considered unsecure (but which may cause problems if the code is modified in an improper way in the future).

My problem is that LLVM+Clang isn't really a C (nor a C11) project, and I think judging this checker on it is a little misleading. Could you please test it on some C11 projects? I think tmux uses C11.

Edit: it doesn't, but CMake is mostly a C project and it does!

What do we want to validate here? The lack of crashes? Or evaluate false positive ratio?

I have some doubts about evaluating this checker on open source projects. If a project does not care about the safe versions of these functions all of the results will be false positive (or a project might actually care but will not be able to comply due to portability constraints). If a project does care about using the safe variants, they are most likely already using another tool to verify this.
So I think the main value here is to subsume other tools.

To add an analogy, Clang Tidy will not require C++ Core Guidelines related checks to be evaluated on projects that are not following the guidelines as the results are meaningless for those projects.

Yup, I'm sold on that.

This revision is now accepted and ready to land.Jan 21 2019, 1:44 AM

Ok! I hope that the C11 check would do the trick, let's see how it goes :)

In D35068#1364947, @xazax.hun wrote:

What do we want to validate here? The lack of crashes? Or evaluate false positive ratio?

This checker is opt-in, but it still has a notion of a useless positive, and it is something that can often be improved upon. Crashes are also a great thing to look for :)

In D35068#1364948, @xazax.hun wrote:

To add an analogy, Clang Tidy will not require C++ Core Guidelines related checks to be evaluated on projects that are not following the guidelines as the results are meaningless for those projects.

On the contrary, figuring out if the project follows C++ Core Guidelines is pretty hard. Well, it's often pretty easy to demonstrate that it doesn't (: But, i mean, the intention.

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
604–605	Hmm, i guess in many cases such clients may suppress the warning through preprocessing. This will keep the checker warning in C11 builds but would also avoid miscompiles in builds for the older standards.

Could you rebase please? Many things have changed since you last update. After that I'll happily commit on your behalf if you don't have a commit access just yet.

Rebased.

Hmmm, DescFile was removed months ago from Checkers.td, are you sure you uploaded the correct diff?

In D35068#1391758, @Szelethus wrote:

Hmmm, DescFile was removed months ago from Checkers.td, are you sure you uploaded the correct diff?

No, you are absolutely right, an earlier diff had been uploaded, I will correct it.

Rebased. Documentation added.

This looks great, thanks! I'll commit sometime tomorrow.

Closed by commit rL353698: [analyzer] New checker for detecting usages of unsafe I/O functions (authored by Szelethus). · Explain WhyFeb 11 2019, 5:48 AM

This revision was automatically updated to reflect the committed changes.

Herald added a project: Restricted Project. · View Herald TranscriptFeb 11 2019, 5:48 AM

Herald added a subscriber: llvm-commits. · View Herald Transcript

There seems to be a crash in this code. @koldaniel, would you like to take a look? https://bugs.llvm.org/show_bug.cgi?id=41185

Herald added a subscriber: Charusso. · View Herald TranscriptMar 21 2019, 1:06 PM

In D35068#1438498, @NoQ wrote:

There seems to be a crash in this code. @koldaniel, would you like to take a look? https://bugs.llvm.org/show_bug.cgi?id=41185

Hi,

True, it is a faulty scenario, my question is what should be the way forward? I think in case of built-in functions there should be no warning, since they differ from the deprecated ones which come from the old standard. The only purpose of the assert was to help development and maintenance (if a new function had been added, it should be decided if it is deprecated or unsafe). Returning instead of asserting would solve the problem.

In D35068#1440830, @koldaniel wrote:

In D35068#1438498, @NoQ wrote:

There seems to be a crash in this code. @koldaniel, would you like to take a look? https://bugs.llvm.org/show_bug.cgi?id=41185

Hi,

True, it is a faulty scenario, my question is what should be the way forward? I think in case of built-in functions there should be no warning, since they differ from the deprecated ones which come from the old standard. The only purpose of the assert was to help development and maintenance (if a new function had been added, it should be decided if it is deprecated or unsafe). Returning instead of asserting would solve the problem.

On many platforms such standard C functions are implemented as macros that expand to the respective builtins. I believe there should be no difference in behavior between the normal function and the builtin function. Cf. test/Analysis/bstring.c.

Bug fixing: faulty handling of built-in functions.

In D35068#1441581, @koldaniel wrote:

Bug fixing: faulty handling of built-in functions.

Please open a new differential, that is a completely new patch.

In D35068#1441601, @lebedev.ri wrote:

In D35068#1441581, @koldaniel wrote:

Bug fixing: faulty handling of built-in functions.

Please open a new differential, that is a completely new patch.

Hi,

Done: https://reviews.llvm.org/D59812

Revision Contents

Path

Size

include/

clang/

StaticAnalyzer/

Checkers/

Checkers.td

3 lines

lib/

StaticAnalyzer/

Checkers/

CheckSecuritySyntaxOnly.cpp

125 lines

test/

Analysis/

security-syntax-checks.m

83 lines

Diff 136261

include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 Lines • Show All 383 Lines • ▼ Show 20 Lines	def strcpy : Checker<"strcpy">,
HelpText<"Warn on uses of the 'strcpy' and 'strcat' functions">,		HelpText<"Warn on uses of the 'strcpy' and 'strcat' functions">,
DescFile<"CheckSecuritySyntaxOnly.cpp">;		DescFile<"CheckSecuritySyntaxOnly.cpp">;
def vfork : Checker<"vfork">,		def vfork : Checker<"vfork">,
HelpText<"Warn on uses of the 'vfork' function">,		HelpText<"Warn on uses of the 'vfork' function">,
DescFile<"CheckSecuritySyntaxOnly.cpp">;		DescFile<"CheckSecuritySyntaxOnly.cpp">;
def UncheckedReturn : Checker<"UncheckedReturn">,		def UncheckedReturn : Checker<"UncheckedReturn">,
HelpText<"Warn on uses of functions whose return values must be always checked">,		HelpText<"Warn on uses of functions whose return values must be always checked">,
DescFile<"CheckSecuritySyntaxOnly.cpp">;		DescFile<"CheckSecuritySyntaxOnly.cpp">;
		def DeprecatedOrUnsafeBufferHandling : Checker<"DeprecatedOrUnsafeBufferHandling">,
		HelpText<"Warn on uses of unsecure or deprecated buffer manipulating functions">,
		SzelethusUnsubmitted Not Done Reply Inline Actions Lately we started paying attention to the 80 column limit in `Checkers.td`. Could you please break this line? Szelethus: Lately we started paying attention to the 80 column limit in `Checkers.td`. Could you please…
		DescFile<"CheckSecuritySyntaxOnly.cpp">;
}		}
		xazax.hunUnsubmitted Not Done Reply Inline Actions I do not like the naming of these two checks, It feels like one of them warns for a subset of the other, however, it is not the case. What about removing the "deprecated" part from the first check? xazax.hun: I do not like the naming of these two checks, It feels like one of them warns for a subset of…
		koldanielAuthorUnsubmitted Not Done Reply Inline Actions Both checker warns if a buffer handling function is deprecated (DeprecatedOrUnsafeBufferHandling calls DeprecatedBufferHandling), but the DeprecatedOrUnsafeBufferHandling checker also warns if a function is not only deprecated but unsafe (i.e. writes a buffer without size restrictions) too. koldaniel: Both checker warns if a buffer handling function is deprecated…
		xazax.hunUnsubmitted Not Done Reply Inline Actions I see. Maybe it would be better to make them disjoint? Also, I think it is not a good user experience to get two warnings for the same function call. xazax.hun: I see. Maybe it would be better to make them disjoint? Also, I think it is not a good user…
		koldanielAuthorUnsubmitted Not Done Reply Inline Actions Do you mean to separate them, so we would have one checker which warns for the unsafe and deprecated buffer handling functions, and one which warns for the deprecated functions which have some boundary restrictions? koldaniel: Do you mean to separate them, so we would have one checker which warns for the unsafe and…
let ParentPackage = Security in {		let ParentPackage = Security in {
def FloatLoopCounter : Checker<"FloatLoopCounter">,		def FloatLoopCounter : Checker<"FloatLoopCounter">,
HelpText<"Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP)">,		HelpText<"Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP)">,
DescFile<"CheckSecuritySyntaxOnly.cpp">;		DescFile<"CheckSecuritySyntaxOnly.cpp">;
}		}

let ParentPackage = SecurityAlpha in {		let ParentPackage = SecurityAlpha in {

▲ Show 20 Lines • Show All 381 Lines • Show Last 20 Lines

lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp

Show All 36 Lines

namespace {		namespace {
struct ChecksFilter {		struct ChecksFilter {
DefaultBool check_gets;		DefaultBool check_gets;
DefaultBool check_getpw;		DefaultBool check_getpw;
DefaultBool check_mktemp;		DefaultBool check_mktemp;
DefaultBool check_mkstemp;		DefaultBool check_mkstemp;
DefaultBool check_strcpy;		DefaultBool check_strcpy;
		DefaultBool check_DeprecatedOrUnsafeBufferHandling;
DefaultBool check_rand;		DefaultBool check_rand;
DefaultBool check_vfork;		DefaultBool check_vfork;
DefaultBool check_FloatLoopCounter;		DefaultBool check_FloatLoopCounter;
DefaultBool check_UncheckedReturn;		DefaultBool check_UncheckedReturn;

CheckName checkName_gets;		CheckName checkName_gets;
CheckName checkName_getpw;		CheckName checkName_getpw;
CheckName checkName_mktemp;		CheckName checkName_mktemp;
CheckName checkName_mkstemp;		CheckName checkName_mkstemp;
CheckName checkName_strcpy;		CheckName checkName_strcpy;
		CheckName checkName_DeprecatedOrUnsafeBufferHandling;
CheckName checkName_rand;		CheckName checkName_rand;
CheckName checkName_vfork;		CheckName checkName_vfork;
CheckName checkName_FloatLoopCounter;		CheckName checkName_FloatLoopCounter;
CheckName checkName_UncheckedReturn;		CheckName checkName_UncheckedReturn;
};		};

class WalkAST : public StmtVisitor<WalkAST> {		class WalkAST : public StmtVisitor<WalkAST> {
BugReporter &BR;		BugReporter &BR;
Show All 27 Lines	public:
// Checker-specific methods.		// Checker-specific methods.
void checkLoopConditionForFloat(const ForStmt *FS);		void checkLoopConditionForFloat(const ForStmt *FS);
void checkCall_gets(const CallExpr CE, const FunctionDecl FD);		void checkCall_gets(const CallExpr CE, const FunctionDecl FD);
void checkCall_getpw(const CallExpr CE, const FunctionDecl FD);		void checkCall_getpw(const CallExpr CE, const FunctionDecl FD);
void checkCall_mktemp(const CallExpr CE, const FunctionDecl FD);		void checkCall_mktemp(const CallExpr CE, const FunctionDecl FD);
void checkCall_mkstemp(const CallExpr CE, const FunctionDecl FD);		void checkCall_mkstemp(const CallExpr CE, const FunctionDecl FD);
void checkCall_strcpy(const CallExpr CE, const FunctionDecl FD);		void checkCall_strcpy(const CallExpr CE, const FunctionDecl FD);
void checkCall_strcat(const CallExpr CE, const FunctionDecl FD);		void checkCall_strcat(const CallExpr CE, const FunctionDecl FD);
		void checkDeprecatedOrUnsafeBufferHandling(const CallExpr CE, const FunctionDecl FD);
		george.karpenkovUnsubmitted Not Done Reply Inline Actions 80 chars george.karpenkov: 80 chars
void checkCall_rand(const CallExpr CE, const FunctionDecl FD);		void checkCall_rand(const CallExpr CE, const FunctionDecl FD);
void checkCall_random(const CallExpr CE, const FunctionDecl FD);		void checkCall_random(const CallExpr CE, const FunctionDecl FD);
void checkCall_vfork(const CallExpr CE, const FunctionDecl FD);		void checkCall_vfork(const CallExpr CE, const FunctionDecl FD);
void checkUncheckedReturnValue(CallExpr *CE);		void checkUncheckedReturnValue(CallExpr *CE);
};		};
} // end anonymous namespace		} // end anonymous namespace

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
Show All 26 Lines	FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name)
.Case("gets", &WalkAST::checkCall_gets)		.Case("gets", &WalkAST::checkCall_gets)
.Case("getpw", &WalkAST::checkCall_getpw)		.Case("getpw", &WalkAST::checkCall_getpw)
.Case("mktemp", &WalkAST::checkCall_mktemp)		.Case("mktemp", &WalkAST::checkCall_mktemp)
.Case("mkstemp", &WalkAST::checkCall_mkstemp)		.Case("mkstemp", &WalkAST::checkCall_mkstemp)
.Case("mkdtemp", &WalkAST::checkCall_mkstemp)		.Case("mkdtemp", &WalkAST::checkCall_mkstemp)
.Case("mkstemps", &WalkAST::checkCall_mkstemp)		.Case("mkstemps", &WalkAST::checkCall_mkstemp)
.Cases("strcpy", "__strcpy_chk", &WalkAST::checkCall_strcpy)		.Cases("strcpy", "__strcpy_chk", &WalkAST::checkCall_strcpy)
.Cases("strcat", "__strcat_chk", &WalkAST::checkCall_strcat)		.Cases("strcat", "__strcat_chk", &WalkAST::checkCall_strcat)
		.Case("sprintf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("vsprintf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		xazax.hunUnsubmitted Not Done Reply Inline Actions This is the only print-related function in this group. Is this intended? xazax.hun: This is the only print-related function in this group. Is this intended?
		koldanielAuthorUnsubmitted Not Done Reply Inline Actions sprintf and vsprintf are buffer-writing functions without size restrictions, this is the reason why only these two are checked by DeprecatedOrUnsafeBufferHandling of the printf family. There are buffer-writing members of this family which are not unsafe (because of size restrictions) but have a secure version introduced in the C11 standard, and DeprecatedBufferHandling warns for them: swprintf, snprintf, vswprintf, vsnprintf. Other printf-related functions are either printing to a file or to the standard output. koldaniel: sprintf and vsprintf are buffer-writing functions without size restrictions, this is the reason…
		.Case("scanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("wscanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("fscanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("fwscanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("vscanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("vwscanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("vfscanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("vfwscanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("sscanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("swscanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("vsscanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("vswscanf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("swprintf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("snprintf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("vswprintf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("vsnprintf", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("memcpy", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("memmove", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("strncpy", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("strncat", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		.Case("memset", &WalkAST::checkDeprecatedOrUnsafeBufferHandling)
		george.karpenkovUnsubmitted Not Done Reply Inline Actions That's a lot of duplicated `WalkAST::checkDeprecatedOrUnsafeBufferHandling`. Could that be simplified? george.karpenkov: That's a lot of duplicated `WalkAST::checkDeprecatedOrUnsafeBufferHandling`. Could that be…
.Case("drand48", &WalkAST::checkCall_rand)		.Case("drand48", &WalkAST::checkCall_rand)
.Case("erand48", &WalkAST::checkCall_rand)		.Case("erand48", &WalkAST::checkCall_rand)
.Case("jrand48", &WalkAST::checkCall_rand)		.Case("jrand48", &WalkAST::checkCall_rand)
.Case("lrand48", &WalkAST::checkCall_rand)		.Case("lrand48", &WalkAST::checkCall_rand)
.Case("mrand48", &WalkAST::checkCall_rand)		.Case("mrand48", &WalkAST::checkCall_rand)
.Case("nrand48", &WalkAST::checkCall_rand)		.Case("nrand48", &WalkAST::checkCall_rand)
.Case("lcong48", &WalkAST::checkCall_rand)		.Case("lcong48", &WalkAST::checkCall_rand)
.Case("rand", &WalkAST::checkCall_rand)		.Case("rand", &WalkAST::checkCall_rand)
▲ Show 20 Lines • Show All 410 Lines • ▼ Show 20 Lines	BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy,
"Call to function 'strcat' is insecure as it does not "		"Call to function 'strcat' is insecure as it does not "
"provide bounding of the memory buffer. Replace "		"provide bounding of the memory buffer. Replace "
"unbounded copy functions with analogous functions that "		"unbounded copy functions with analogous functions that "
"support length arguments such as 'strlcat'. CWE-119.",		"support length arguments such as 'strlcat'. CWE-119.",
CELoc, CE->getCallee()->getSourceRange());		CELoc, CE->getCallee()->getSourceRange());
}		}

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
		// Check: Any use of 'sprintf', 'vsprintf', 'scanf', 'wscanf', 'fscanf',
		// 'fwscanf', 'vscanf', 'vwscanf', 'vfscanf', 'vfwscanf', 'sscanf',
		// 'swscanf', 'vsscanf', 'vswscanf', 'swprintf', 'snprintf', 'vswprintf',
		// 'vsnprintf', 'memcpy', 'memmove', 'strncpy', 'strncat', 'memset'
		// is deprecated since C11.
		//
		// Use of 'sprintf', 'vsprintf', 'scanf', 'wscanf',
		//'fscanf',
		SzelethusUnsubmitted Not Done Reply Inline Actions This is out of place. Szelethus: This is out of place.
		// 'fwscanf', 'vscanf', 'vwscanf', 'vfscanf', 'vfwscanf', 'sscanf',
		// 'swscanf', 'vsscanf', 'vswscanf' without buffer limitations
		// is insecure.
		//
		// CWE-119: Improper Restriction of Operations within
		// the Bounds of a Memory Buffer
		NoQUnsubmitted Not Done Reply Inline Actions Note that you cannot easily figure out if the code is intended to get compiled only under C11 and above - maybe it's accidentally compiled under C11 for this user, but is otherwise intended to keep working under older standards. NoQ: Note that you cannot easily figure out if the code is intended to get compiled only under C11…
		koldanielAuthorUnsubmitted Not Done Reply Inline Actions It is a possible scenario, how should I check if the checks should warn (safe functions are available) if not by using this method? koldaniel: It is a possible scenario, how should I check if the checks should warn (safe functions are…
		xazax.hunUnsubmitted Not Done Reply Inline Actions This is the same approach some check takes in clang tidy. I think it is still better to not warn for non C11 users than warn for everybody. If a project is not interested in this check but they are interested in having C11 builds, they can turn this check off. (Or it can be off by default in the first place). xazax.hun: This is the same approach some check takes in clang tidy. I think it is still better to not…
		NoQUnsubmitted Not Done Reply Inline Actions Hmm, i guess in many cases such clients may suppress the warning through preprocessing. This will keep the checker warning in C11 builds but would also avoid miscompiles in builds for the older standards. NoQ: Hmm, i guess in many cases such clients may suppress the warning through preprocessing. This…
		//===----------------------------------------------------------------------===//
		void WalkAST::checkDeprecatedOrUnsafeBufferHandling(const CallExpr *CE,
		SzelethusUnsubmitted Not Done Reply Inline Actions Could you please add an extra newline? Szelethus: Could you please add an extra newline?
		const FunctionDecl *FD) {
		if (!filter.check_DeprecatedOrUnsafeBufferHandling)
		return;

		if (!BR.getContext().getLangOpts().C11)
		return;

		lebedev.riUnsubmitted Done Reply Inline Actions deprecated lebedev.ri: deprecated
		// Issue a warning. ArgIndex == -1: Deprecated but not unsafe (has size
		// restrictions).
		StringRef Name = FD->getIdentifier()->getName();
		int ArgIndex = llvm::StringSwitch<int>(Name)
		george.karpenkovUnsubmitted Not Done Reply Inline Actions That's a lot of duplication of 1/0/-1. And also 1/0/-1 are cryptic symbols, why not use an enum with a descriptive name? Maybe use `.Cases("sprintf", "vsprintf", "vfscanf", WARN_UNSAFE)` ? george.karpenkov: That's a lot of duplication of 1/0/-1. And also 1/0/-1 are cryptic symbols, why not use an…
		koldanielAuthorUnsubmitted Not Done Reply Inline Actions The duplications will be solved by using .Cases, but is using enum necessary? 1 and 0 refers to the index of the argument which could be a format string. -1 means there is no need to look for a string like this. koldaniel: The duplications will be solved by using .Cases, but is using enum necessary? 1 and 0 refers to…
		george.karpenkovUnsubmitted Not Done Reply Inline Actions Right, then I guess 1 and 0 are self-descriptive, but I would still add a separate constant for `-1`. george.karpenkov: Right, then I guess 1 and 0 are self-descriptive, but I would still add a separate constant for…
		.Case("sprintf", 1)
		.Case("vsprintf", 1)
		.Case("scanf", 0)
		.Case("wscanf", 0)
		.Case("fscanf", 1)
		.Case("fwscanf", 1)
		.Case("vscanf", 0)
		.Case("vwscanf", 0)
		SzelethusUnsubmitted Not Done Reply Inline Actions I wonder whether using `CallDescription` would be (way) more efficient here. Comparing `IndentifierInfo`s would also be better I guess. I'm a little unsure about performance implications here, it might not be worth the chore to refactor this. Szelethus: I wonder whether using `CallDescription` would be (way) more efficient here. Comparing…
		.Case("vfscanf", 1)
		.Case("vfwscanf", 1)
		.Case("sscanf", 1)
		xazax.hunUnsubmitted Done Reply Inline Actions I would put a new line above and remove one bellow. xazax.hun: I would put a new line above and remove one bellow.
		.Case("swscanf", 1)
		.Case("vsscanf", 1)
		.Case("vswscanf", 1)
		.Case("swprintf", -1)
		.Case("snprintf", -1)
		.Case("vswprintf", -1)
		.Case("vsnprintf", -1)
		.Case("memcpy", -1)
		.Case("memmove", -1)
		.Case("memset", -1)
		NoQUnsubmitted Done Reply Inline Actions Because it also checks deprecated buffer handling, i'd rename this function to `checkDeprecatedOrUnsafeBufferHandling`. NoQ: Because it also checks deprecated buffer handling, i'd rename this function to…
		xazax.hunUnsubmitted Done Reply Inline Actions Is the TODO still relevant in this line? xazax.hun: Is the TODO still relevant in this line?
		.Case("strncpy", -1)
		.Case("strncat", -1)
		.Default(-2);

		assert(ArgIndex >= -1 && "Unsupported function");
		bool BoundsProvided = ArgIndex == -1;

		SzelethusUnsubmitted Not Done Reply Inline Actions Could you please start these variable names with a capital letter? Szelethus: Could you please start these variable names with a capital letter?
		if (!BoundsProvided) {
		// Currently we only handle (not wide) string literals. It is possible to do
		// better, either by looking at references to const variables, or by doing
		// real flow analysis.
		auto FormatString =
		dyn_cast<StringLiteral>(CE->getArg(ArgIndex)->IgnoreParenImpCasts());
		if (FormatString &&
		FormatString->getString().find("%s") == StringRef::npos &&
		FormatString->getString().find("%[") == StringRef::npos)
		BoundsProvided = true;
		}

		SmallString<128> buf1;
		SmallString<512> buf2;
		llvm::raw_svector_ostream out1(buf1);
		llvm::raw_svector_ostream out2(buf2);

		out1 << "Potential insecure memory buffer bounds restriction in call '"
		<< Name << "'";
		out2 << "Call to function '" << Name
		<< "' is insecure as it does not provide ";

		if (!BoundsProvided) {
		out2 << "bounding of the memory buffer or ";
		}

		out2 << "security checks introduced "
		"in the C11 standard. Replace with analogous functions that "
		"support length arguments or provides boundary checks such as '"
		<< Name << "_s' in case of C11";

		PathDiagnosticLocation CELoc =
		PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
		BR.EmitBasicReport(AC->getDecl(),
		filter.checkName_DeprecatedOrUnsafeBufferHandling,
		out1.str(), "Security", out2.str(), CELoc,
		NoQUnsubmitted Not Done Reply Inline Actions You'd probably also want to quit early if the format string is not a literal. NoQ: You'd probably also want to quit early if the format string is not a literal.
		koldanielAuthorUnsubmitted Not Done Reply Inline Actions If the format string is not a literal (i.e. a variable), currently we cannot determine if there were any restrictions regarding the size or not, so we want this check to warn. koldaniel: If the format string is not a literal (i.e. a variable), currently we cannot determine if there…
		CE->getCallee()->getSourceRange());
		}

		//===----------------------------------------------------------------------===//
// Common check for str* functions with no bounds parameters.		// Common check for str* functions with no bounds parameters.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
bool WalkAST::checkCall_strCommon(const CallExpr CE, const FunctionDecl FD) {		bool WalkAST::checkCall_strCommon(const CallExpr CE, const FunctionDecl FD) {
const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>();		const FunctionProtoType *FPT = FD->getType()->getAs<FunctionProtoType>();
if (!FPT)		if (!FPT)
return false;		return false;

// Verify the function takes two arguments, three in the _chk version.		// Verify the function takes two arguments, three in the _chk version.
Show All 16 Lines	bool WalkAST::checkCall_strCommon(const CallExpr CE, const FunctionDecl FD) {
return true;		return true;
}		}

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Check: Linear congruent random number generators should not be used		// Check: Linear congruent random number generators should not be used
// Originally: <rdar://problem/63371000>		// Originally: <rdar://problem/63371000>
// CWE-338: Use of cryptographically weak prng		// CWE-338: Use of cryptographically weak prng
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

SzelethusUnsubmitted Not Done Reply Inline Actions I think this newline should stay. Szelethus: I think this newline should stay.
void WalkAST::checkCall_rand(const CallExpr CE, const FunctionDecl FD) {		void WalkAST::checkCall_rand(const CallExpr CE, const FunctionDecl FD) {
if (!filter.check_rand \|\| !CheckRand)		if (!filter.check_rand \|\| !CheckRand)
return;		return;

const FunctionProtoType *FTP = FD->getType()->getAs<FunctionProtoType>();		const FunctionProtoType *FTP = FD->getType()->getAs<FunctionProtoType>();
if (!FTP)		if (!FTP)
return;		return;

▲ Show 20 Lines • Show All 172 Lines • ▼ Show 20 Lines
REGISTER_CHECKER(getpw)		REGISTER_CHECKER(getpw)
REGISTER_CHECKER(mkstemp)		REGISTER_CHECKER(mkstemp)
REGISTER_CHECKER(mktemp)		REGISTER_CHECKER(mktemp)
REGISTER_CHECKER(strcpy)		REGISTER_CHECKER(strcpy)
REGISTER_CHECKER(rand)		REGISTER_CHECKER(rand)
REGISTER_CHECKER(vfork)		REGISTER_CHECKER(vfork)
REGISTER_CHECKER(FloatLoopCounter)		REGISTER_CHECKER(FloatLoopCounter)
REGISTER_CHECKER(UncheckedReturn)		REGISTER_CHECKER(UncheckedReturn)
		REGISTER_CHECKER(DeprecatedOrUnsafeBufferHandling)

test/Analysis/security-syntax-checks.m

// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify		// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify
// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -DUSE_BUILTINS -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify		// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -DUSE_BUILTINS -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify
// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -DVARIANT -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify		// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -DVARIANT -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify
// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -DUSE_BUILTINS -DVARIANT -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify		// RUN: %clang_analyze_cc1 -triple i386-apple-darwin10 -DUSE_BUILTINS -DVARIANT -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify
// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify		// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify
// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi -DUSE_BUILTINS -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify		// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi -DUSE_BUILTINS -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify
// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi -DVARIANT -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify		// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi -DVARIANT -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify
// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi -DUSE_BUILTINS -DVARIANT -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify		// RUN: %clang_analyze_cc1 -triple x86_64-unknown-cloudabi -DUSE_BUILTINS -DVARIANT -analyzer-checker=security.insecureAPI,security.FloatLoopCounter %s -verify

#ifdef USE_BUILTINS		#ifdef USE_BUILTINS
# define BUILTIN(f) __builtin_ ## f		# define BUILTIN(f) __builtin_ ## f
#else /* USE_BUILTINS */		#else /* USE_BUILTINS */
# define BUILTIN(f) f		# define BUILTIN(f) f
#endif /* USE_BUILTINS */		#endif /* USE_BUILTINS */

		#include "Inputs/system-header-simulator-for-valist.h"
		#include "Inputs/system-header-simulator-for-simple-stream.h"

typedef typeof(sizeof(int)) size_t;		typedef typeof(sizeof(int)) size_t;


// <rdar://problem/6336718> rule request: floating point used as loop		// <rdar://problem/6336718> rule request: floating point used as loop
// condition (FLP30-C, FLP-30-CPP)		// condition (FLP30-C, FLP-30-CPP)
//		//
// For reference: https://www.securecoding.cert.org/confluence/display/seccode/FLP30-C.+Do+not+use+floating+point+variables+as+loop+counters		// For reference: https://www.securecoding.cert.org/confluence/display/seccode/FLP30-C.+Do+not+use+floating+point+variables+as+loop+counters
//		//
▲ Show 20 Lines • Show All 183 Lines • ▼ Show 20 Lines	void test_mkstemp() {
mkstemps("XXXXXX", 0);		mkstemps("XXXXXX", 0);
mkstemps("XXXXXX", 1); // expected-warning {{5 'X's seen}}		mkstemps("XXXXXX", 1); // expected-warning {{5 'X's seen}}
mkstemps("XXXXXX", 2); // expected-warning {{Call to 'mkstemps' should have at least 6 'X's in the format string to be secure (4 'X's seen, 2 characters used as a suffix)}}		mkstemps("XXXXXX", 2); // expected-warning {{Call to 'mkstemps' should have at least 6 'X's in the format string to be secure (4 'X's seen, 2 characters used as a suffix)}}
mkdtemp("XX"); // expected-warning {{2 'X's seen}}		mkdtemp("XX"); // expected-warning {{2 'X's seen}}
mkstemp("X"); // expected-warning {{Call to 'mkstemp' should have at least 6 'X's in the format string to be secure (1 'X' seen)}}		mkstemp("X"); // expected-warning {{Call to 'mkstemp' should have at least 6 'X's in the format string to be secure (1 'X' seen)}}
mkdtemp("XXXXXX");		mkdtemp("XXXXXX");
}		}


		//===----------------------------------------------------------------------===
		// deprecated or unsafe buffer handling
		//===----------------------------------------------------------------------===
		typedef int wchar_t;

		int sprintf(char str, const char format, ...);
		//int vsprintf (char s, const char format, va_list arg);
		int scanf(const char *format, ...);
		int wscanf(const wchar_t *format, ...);
		int fscanf(FILE stream, const char format, ...);
		int fwscanf(FILE stream, const wchar_t format, ...);
		int vscanf(const char *format, va_list arg);
		int vwscanf(const wchar_t *format, va_list arg);
		int vfscanf(FILE stream, const char format, va_list arg);
		int vfwscanf(FILE stream, const wchar_t format, va_list arg);
		int sscanf(const char s, const char format, ...);
		int swscanf(const wchar_t ws, const wchar_t format, ...);
		int vsscanf(const char s, const char format, va_list arg);
		int vswscanf(const wchar_t ws, const wchar_t format, va_list arg);
		int swprintf(wchar_t ws, size_t len, const wchar_t format, ...);
		int snprintf(char s, size_t n, const char format, ...);
		int vswprintf(wchar_t ws, size_t len, const wchar_t format, va_list arg);
		int vsnprintf(char s, size_t n, const char format, va_list arg);
		void memcpy(void destination, const void *source, size_t num);
		void memmove(void destination, const void *source, size_t num);
		char strncpy(char destination, const char *source, size_t num);
		char strncat(char destination, const char *source, size_t num);
		void memset(void ptr, int value, size_t num);

		void test_deprecated_or_unsafe_buffer_handling_1() {
		char buf [5];
		wchar_t wbuf [5];
		int a;
		FILE *file;
		sprintf(buf, "a"); // expected-warning{{Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11}}
		SzelethusUnsubmitted Not Done Reply Inline Actions When using `{{}}`, you actually supply a regex as an argument, and the output of the analyzer is matched against it. My point is, could you instead just write // expected-warning{{Call to function 'sprintf' is insecure}} to improve readability? Szelethus: When using `{{}}`, you actually supply a regex as an argument, and the output of the analyzer…
		SzelethusUnsubmitted Not Done Reply Inline Actions Or whatever the shortest string is needed to know whether the expected output it there. Szelethus: Or whatever the shortest string is needed to know whether the expected output it there.
		scanf("%d", &a); // expected-warning{{Call to function 'scanf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'scanf_s' in case of C11}}
		scanf("%s", buf); // expected-warning{{Call to function 'scanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'scanf_s' in case of C11}}
		scanf("%4s", buf); // expected-warning{{Call to function 'scanf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'scanf_s' in case of C11}}
		wscanf((const wchar_t*) L"%s", buf); // expected-warning{{Call to function 'wscanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'wscanf_s' in case of C11}}
		fscanf(file, "%d", &a); // expected-warning{{Call to function 'fscanf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'fscanf_s' in case of C11}}
		fscanf(file, "%s", buf); // expected-warning{{Call to function 'fscanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'fscanf_s' in case of C11}}
		fscanf(file, "%4s", buf); // expected-warning{{Call to function 'fscanf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'fscanf_s' in case of C11}}
		fwscanf(file, (const wchar_t*) L"%s", wbuf); // expected-warning{{Call to function 'fwscanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'fwscanf_s' in case of C11}}
		sscanf("5", "%d", &a); // expected-warning{{Call to function 'sscanf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sscanf_s' in case of C11}}
		sscanf("5", "%s", buf); // expected-warning{{Call to function 'sscanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sscanf_s' in case of C11}}
		sscanf("5", "%4s", buf); // expected-warning{{Call to function 'sscanf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sscanf_s' in case of C11}}
		swscanf(L"5", (const wchar_t*) L"%s", wbuf); // expected-warning{{Call to function 'swscanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'swscanf_s' in case of C11}}
		swprintf(L"5", 1, (const wchar_t*) L"%s", wbuf); // expected-warning{{Call to function 'swprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'swprintf_s' in case of C11}}
		snprintf("5", 1, "%s", buf); // expected-warning{{Call to function 'snprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'snprintf_s' in case of C11}}
		memcpy(buf, wbuf, 1); // expected-warning{{Call to function 'memcpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memcpy_s' in case of C11}}
		memmove(buf, wbuf, 1); // expected-warning{{Call to function 'memmove' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memmove_s' in case of C11}}
		strncpy(buf, "a", 1); // expected-warning{{Call to function 'strncpy' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'strncpy_s' in case of C11}}
		strncat(buf, "a", 1); // expected-warning{{Call to function 'strncat' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'strncat_s' in case of C11}}
		memset(buf, 'a', 1); // expected-warning{{Call to function 'memset' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memset_s' in case of C11}}
		}

		void test_deprecated_or_unsafe_buffer_handling_2(const char *format, ...) {
		char buf [5];
		FILE *file;
		va_list args;
		va_start(args, format);
		vsprintf(buf, format, args); // expected-warning{{Call to function 'vsprintf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vsprintf_s' in case of C11}}
		vscanf(format, args); // expected-warning{{Call to function 'vscanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vscanf_s' in case of C11}}
		vfscanf(file, format, args); // expected-warning{{Call to function 'vfscanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vfscanf_s' in case of C11}}
		vsscanf("a", format, args); // expected-warning{{Call to function 'vsscanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vsscanf_s' in case of C11}}
		vsnprintf("a", 1, format, args); // expected-warning{{Call to function 'vsnprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vsnprintf_s' in case of C11}}
		}

		void test_deprecated_or_unsafe_buffer_handling_3(const wchar_t *format, ...) {
		wchar_t wbuf [5];
		FILE *file;
		va_list args;
		va_start(args, format);
		vwscanf(format, args); // expected-warning{{Call to function 'vwscanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vwscanf_s' in case of C11}}
		vfwscanf(file, format, args); // expected-warning{{Call to function 'vfwscanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vfwscanf_s' in case of C11}}
		vswscanf(L"a", format, args); // expected-warning{{Call to function 'vswscanf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vswscanf_s' in case of C11}}
		vswprintf(L"a", 1, format, args); // expected-warning{{Call to function 'vswprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vswprintf_s' in case of C11}}
		}