This is an archive of the discontinued LLVM Phabricator instance.

Differential D58797

[Sema] Add some compile time _FORTIFY_SOURCE diagnostics
ClosedPublic

Authored by erik.pilkington on Feb 28 2019, 3:03 PM.

Details

Reviewers
george.burgess.iv
rsmith
aaron.ballman
Commits
rGb6e16ea006a2: [Sema] Add some compile time _FORTIFY_SOURCE diagnostics
rL356397: [Sema] Add some compile time _FORTIFY_SOURCE diagnostics
rC356397: [Sema] Add some compile time _FORTIFY_SOURCE diagnostics
Summary

These diagnose overflowing calls to subset of fortifiable functions. Some functions, like sprintf or strcpy aren't supported right not, but we should probably support these in the future. We previously supported this kind of functionality with -Wbuiltin-memcpy-chk-size, but that diagnose doesn't work with _FORTIFY implementations that use wrapper functions. Also unlike that diagnostic, we emit these warnings regardless of whether _FORTIFY_SOURCE is actually enabled, which is nice for programs that don't enable the runtime checks.

Why not just use diagnose_if, like Bionic does? We can get better diagnostics in the compiler (i.e. mention the sizes), and we have the potential to diagnose sprintf and strcpy which is impossible with diagnose_if (at least, in languages that don't support C++14 constexpr). This approach also saves standard libraries from having to add diagnose_if.

rdar://48006655

Thanks for taking a look!
Erik

Diff Detail

Event Timeline

erik.pilkington created this revision.Feb 28 2019, 3:03 PM
Herald added a project: Restricted Project. · View Herald TranscriptFeb 28 2019, 3:04 PM
Herald added subscribers: jdoerfert, dexonsmith, jkorous. · View Herald Transcript
riccibruno added a subscriber: riccibruno.Mar 1 2019, 4:25 AM
george.burgess.iv added a comment.Mar 1 2019, 11:37 AM

Thanks for working on this!

I hope to take an in-depth look at this patch next week (if someone else doesn't beat me to it...), but wanted to note that I think enabling clang to emit these warnings on its own is a good thing. diagnose_if is great for potentially more targeted/implementation-defined things that standard libraries want to diagnose, but IMO clang should be able to catch trivially broken code like this regardless of the stdlib it's building against.

george.burgess.iv added a comment.Mar 7 2019, 5:07 PM

Looks solid to me overall; just a few nits.

I don't think I have actual ownership over any of this code, so I'll defer to either Aaron or Richard for the final LGTM

Thanks again!

clang/lib/Sema/SemaChecking.cpp
317

nit: I think the prevailing preference is to name lambdas as you'd name variables, rather than as you'd name methods/functions

321

Should this also try to consider fortify_stdlib?

367

nit: All of these cases (and the two lambdas above) look super similar. Might it be clearer to just set SizeIndex and ObjectIndex variables from here, and actually evaluate them before UsedSize.ule(ComputedSize)?

If not, I'm OK with this as-is.

clang/lib/Sema/SemaExpr.cpp
5929

Why isn't this in CheckBuiltinFunctionCall?

aaron.ballman added inline comments.Mar 8 2019, 1:28 PM
clang/lib/AST/Decl.cpp
2994

If we should -> If true, we should

2995

its -> it's

clang/lib/Sema/SemaChecking.cpp
319

it's -> its

367

Formatting looks off here -- run the patch through clang-format?

388

depend -> depends

423

Why don't we want to do this for the new fortify diagnostics?

erik.pilkington updated this revision to Diff 190549.Mar 13 2019, 6:09 PM
erik.pilkington marked 16 inline comments as done.

Address review comments. Thanks!

clang/lib/Sema/SemaChecking.cpp
319

The opposite mistake as above, lol.

321

I reverted fortify_stdlib in r356103 (although you couldn't possible know this, since that was after you made this comment ;)). We're going to use your pass_object_size attribute instead.

367

Sure, I guess it's a bit cleaner to do that.

423

No reason, just was trying to avoid changing the output of the _chk diagnostic. We might as as well though, it cleans up the diagnostic.

clang/lib/Sema/SemaExpr.cpp
5929

For the same reason I added the bool parameter to getBuiltinCallee, we don't usually consider calls to __attribute__((overloadable)) be builtins, so we never reach CheckBuiltinFunctionCall for them. We're planning on using that attribute though:

int sprintf(__attribute__((pass_object_size(_FORTIFY_LEVEL))) char *buffer, const char *format, ...) 
          __attribute__((overloadable)) __asm__("___sprintf_pass_object_size_chk");
george.burgess.iv added a comment.Mar 14 2019, 1:35 PM

This LGTM; feel free to submit after Aaron stamps this.

Thanks again!

clang/lib/Sema/SemaExpr.cpp
5929

SGTM

aaron.ballman accepted this revision.Mar 15 2019, 11:15 AM

LGTM aside from some minor nits.

clang/lib/Sema/SemaChecking.cpp
338

I feel like this diagnostic name should be updated -- snprintf() and memcpy() are pretty distinct things. Maybe warn_builtin_chk_overflow?

400

const auto *

This revision is now accepted and ready to land.Mar 15 2019, 11:15 AM
Closed by commit rC356397: [Sema] Add some compile time _FORTIFY_SOURCE diagnostics (authored by epilk). · Explain WhyMar 18 2019, 12:22 PM
This revision was automatically updated to reflect the committed changes.
nickdesaulniers added a subscriber: nickdesaulniers.EditedMar 21 2019, 10:24 PM

This is causing false positive warnings for the Linux kernel:
https://github.com/ClangBuiltLinux/linux/issues/423
:(

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/statfs.c#n128
Consider this untested case (when the condition is false):

	if (sizeof(buf) == sizeof(*st))
		memcpy(&buf, st, sizeof(*st));

fs/statfs.c:129:3: warning: 'memcpy' will always overflow; destination buffer has size 64, but size argument is 88 [-Wfortify-source]

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/statfs.c#n169, too.

erik.pilkington marked 4 inline comments as done.Mar 22 2019, 12:14 PM
In D58797#1438975, @nickdesaulniers wrote:

This is causing false positive warnings for the Linux kernel:
https://github.com/ClangBuiltLinux/linux/issues/423
:(

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/statfs.c#n128
Consider this untested case (when the condition is false):

	if (sizeof(buf) == sizeof(*st))
		memcpy(&buf, st, sizeof(*st));

fs/statfs.c:129:3: warning: 'memcpy' will always overflow; destination buffer has size 64, but size argument is 88 [-Wfortify-source]

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/statfs.c#n169, too.

Ah, I didn't consider that case. Presumably st is configured to have different sizes based on the target? I agree that this is a false-positive, but it seems like a pretty narrow edge case, and there is a pretty obvious source workaround that doesn't affect readability: memcpy(&buf, st, sizeof(buf)). @aaron.ballman/@rsmith Any thoughts here? IMO keeping this diagnostic is worth it.

nickdesaulniers added a comment.Mar 22 2019, 12:48 PM
In D58797#1439888, @erik.pilkington wrote:

Ah, I didn't consider that case. Presumably st is configured to have different sizes based on the target?

Yes; sorry I was not clear about that in my example.

I agree that this is a false-positive, but it seems like a pretty narrow edge case, and there is a pretty obvious source workaround that doesn't affect readability: memcpy(&buf, st, sizeof(buf)).

Oh, yeah, we could make that source level change.

@aaron.ballman/@rsmith Any thoughts here? IMO keeping this diagnostic is worth it.

I'm all for keeping it, I'm curious if it can be extended to NOT warn in the case provided?

aaron.ballman added a comment.Mar 26 2019, 11:33 AM
In D58797#1439888, @erik.pilkington wrote:

Ah, I didn't consider that case. Presumably st is configured to have different sizes based on the target? I agree that this is a false-positive, but it seems like a pretty narrow edge case, and there is a pretty obvious source workaround that doesn't affect readability: memcpy(&buf, st, sizeof(buf)). @aaron.ballman/@rsmith Any thoughts here? IMO keeping this diagnostic is worth it.

Yes, I think we should keep this diagnostic. However, if we can find a way to silence it for this particular false-positive pattern, that would be great!

efriedma added a subscriber: efriedma.Mar 26 2019, 12:08 PM

For that particular case, I think we could suppress the false positive using DiagRuntimeBehavior. How many total false positives are we talking about, and how many can the compiler statically prove are unreachable?

george.burgess.iv added a comment.Mar 26 2019, 1:38 PM

We have warnings like -Wdivision-by-zero that take reachability into account: https://godbolt.org/z/3PD-eF. I don't immediately know how it's all done (e.g. in batch because CFG construction is expensive? ...), but looking there for inspiration may be useful.

george.burgess.iv added a comment.Mar 26 2019, 1:39 PM

(Forgot to refresh before pressing 'Submit', so maybe efriedma's comment answers all of the questions in mine ;) )

erik.pilkington added a comment.Mar 26 2019, 4:20 PM
In D58797#1443411, @efriedma wrote:

For that particular case, I think we could suppress the false positive using DiagRuntimeBehavior. How many total false positives are we talking about, and how many can the compiler statically prove are unreachable?

Sure, that seems like a perfect fit, I added it in r357041. There are only two false-positives IIUC, and they're both immediately guarded by an if (sizeof(x) == sizeof(y)).

nickdesaulniers added a comment.EditedMar 27 2019, 9:46 AM
In D58797#1443856, @erik.pilkington wrote:

I added it in r357041.

LGTM, thanks!

phosek added a subscriber: phosek.Mar 28 2019, 6:50 PM

This is triggering a Clang assertion failure in Fuchsia build:

clang/lib/AST/ExprConstant.cpp:5032: bool (anonymous namespace)::ExprEvaluatorBase<(anonymous namespace)::PointerExprEvaluator>::VisitMemberExpr(const clang::MemberExpr *) [Derived = (anonymous namespace)::PointerExprEvaluator]: Assertion `!E->isArrow() && "missing call to bound member function?"' failed.

I've filed PR41286 which also has a reproducer.

erik.pilkington added a comment.Mar 28 2019, 7:20 PM

Ah, looks like the problem is we're sending a dependent expression to the constant evaluator, we should just bail out in that case. I'll fix this tomorrow morning, thanks for tracking this down!

erik.pilkington added a comment.Mar 29 2019, 12:52 PM
In D58797#1447148, @phosek wrote:

This is triggering a Clang assertion failure in Fuchsia build:

clang/lib/AST/ExprConstant.cpp:5032: bool (anonymous namespace)::ExprEvaluatorBase<(anonymous namespace)::PointerExprEvaluator>::VisitMemberExpr(const clang::MemberExpr *) [Derived = (anonymous namespace)::PointerExprEvaluator]: Assertion `!E->isArrow() && "missing call to bound member function?"' failed.

I've filed PR41286 which also has a reproducer.

Fixed in r357304, thanks.

tschuett mentioned this in D127517: [libc] add integer writing to printf.Jun 10 2022, 1:43 PM

Revision Contents

PathSize
clang/
include/
clang/
AST/
2 lines
Basic/
2 lines
6 lines
Sema/
1 line
lib/
AST/
26 lines
Sema/
215 lines
2 lines
test/
Analysis/
13 lines
2 lines
4 lines
10 lines
Sema/
4 lines
10 lines
2 lines
83 lines
2 lines

Diff 190549

clang/include/clang/AST/Decl.h

Show First 20 LinesShow All 492 Lines▼ Show 20 Lines
void setPreviousDeclaration(FunctionDecl * PrevDecl); void setPreviousDeclaration(FunctionDecl * PrevDecl);
FunctionDecl *getCanonicalDecl() override; FunctionDecl *getCanonicalDecl() override;
const FunctionDecl *getCanonicalDecl() const { const FunctionDecl *getCanonicalDecl() const {
return const_cast<FunctionDecl*>(this)->getCanonicalDecl(); return const_cast<FunctionDecl*>(this)->getCanonicalDecl();
} }
unsigned getBuiltinID() const; unsigned getBuiltinID(bool ConsiderWrapperFunctions = false) const;
// ArrayRef interface to parameters. // ArrayRef interface to parameters.
ArrayRef<ParmVarDecl *> parameters() const { ArrayRef<ParmVarDecl *> parameters() const {
return {ParamInfo, getNumParams()}; return {ParamInfo, getNumParams()};
} }
MutableArrayRef<ParmVarDecl *> parameters() { MutableArrayRef<ParmVarDecl *> parameters() {
return {ParamInfo, getNumParams()}; return {ParamInfo, getNumParams()};
} }
▲ Show 20 LinesShow All 492 LinesShow Last 20 Lines

clang/include/clang/Basic/DiagnosticGroups.td

Show First 20 LinesShow All 492 Lines▼ Show 20 Lines
def FunctionMultiVersioning : DiagGroup<"function-multiversion">; def FunctionMultiVersioning : DiagGroup<"function-multiversion">;
def NoDeref : DiagGroup<"noderef">; def NoDeref : DiagGroup<"noderef">;
// A group for cross translation unit static analysis related warnings. // A group for cross translation unit static analysis related warnings.
def CrossTU : DiagGroup<"ctu">; def CrossTU : DiagGroup<"ctu">;
def CTADMaybeUnsupported : DiagGroup<"ctad-maybe-unsupported">; def CTADMaybeUnsupported : DiagGroup<"ctad-maybe-unsupported">;
def FortifySource : DiagGroup<"fortify-source">;
Context not available.

clang/include/clang/Basic/DiagnosticSemaKinds.td

Show First 20 LinesShow All 492 Lines▼ Show 20 Lines
"the argument to %0 has side effects that will be discarded">, "the argument to %0 has side effects that will be discarded">,
InGroup<DiagGroup<"assume">>; InGroup<DiagGroup<"assume">>;
def warn_memcpy_chk_overflow : Warning< def warn_memcpy_chk_overflow : Warning<
"'%0' will always overflow; destination buffer has size %1," "'%0' will always overflow; destination buffer has size %1,"
" but size argument is %2">, " but size argument is %2">,
InGroup<DiagGroup<"builtin-memcpy-chk-size">>; InGroup<DiagGroup<"builtin-memcpy-chk-size">>;
def warn_fortify_source_overflow
: Warning<warn_memcpy_chk_overflow.Text>, InGroup<FortifySource>;
def warn_fortify_source_size_mismatch : Warning<
"'%0' size argument is too large; destination buffer has size %1,"
" but size argument is %2">, InGroup<FortifySource>;
/// main() /// main()
// static main() is not an error in C, just in C++. // static main() is not an error in C, just in C++.
def warn_static_main : Warning<"'main' should not be declared static">, def warn_static_main : Warning<"'main' should not be declared static">,
InGroup<Main>; InGroup<Main>;
def err_static_main : Error<"'main' is not allowed to be declared static">; def err_static_main : Error<"'main' is not allowed to be declared static">;
def err_inline_main : Error<"'main' is not allowed to be declared inline">; def err_inline_main : Error<"'main' is not allowed to be declared inline">;
def ext_variadic_main : ExtWarn< def ext_variadic_main : ExtWarn<
"'main' is not allowed to be declared variadic">, InGroup<Main>; "'main' is not allowed to be declared variadic">, InGroup<Main>;
▲ Show 20 LinesShow All 492 LinesShow Last 20 Lines

clang/include/clang/Sema/Sema.h

Show First 20 LinesShow All 492 Lines▼ Show 20 Lines
bool IsMemberFunction, SourceLocation Loc, SourceRange Range, bool IsMemberFunction, SourceLocation Loc, SourceRange Range,
VariadicCallType CallType); VariadicCallType CallType);
bool CheckObjCString(Expr *Arg); bool CheckObjCString(Expr *Arg);
ExprResult CheckOSLogFormatStringArg(Expr *Arg); ExprResult CheckOSLogFormatStringArg(Expr *Arg);
ExprResult CheckBuiltinFunctionCall(FunctionDecl *FDecl, ExprResult CheckBuiltinFunctionCall(FunctionDecl *FDecl,
unsigned BuiltinID, CallExpr *TheCall); unsigned BuiltinID, CallExpr *TheCall);
void checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD, CallExpr *TheCall);
bool CheckARMBuiltinExclusiveCall(unsigned BuiltinID, CallExpr *TheCall, bool CheckARMBuiltinExclusiveCall(unsigned BuiltinID, CallExpr *TheCall,
unsigned MaxWidth); unsigned MaxWidth);
bool CheckNeonBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall); bool CheckNeonBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall);
bool CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall); bool CheckARMBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall);
bool CheckAArch64BuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall); bool CheckAArch64BuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall);
bool CheckHexagonBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall); bool CheckHexagonBuiltinFunctionCall(unsigned BuiltinID, CallExpr *TheCall);
▲ Show 20 LinesShow All 433 LinesShow Last 20 Lines

clang/lib/AST/Decl.cpp

Show First 20 LinesShow All 492 Lines▼ Show 20 Lines
} }
if (PrevDecl && PrevDecl->isInlined()) if (PrevDecl && PrevDecl->isInlined())
setImplicitlyInline(true); setImplicitlyInline(true);
} }
FunctionDecl *FunctionDecl::getCanonicalDecl() { return getFirstDecl(); } FunctionDecl *FunctionDecl::getCanonicalDecl() { return getFirstDecl(); }
/// Returns a value indicating whether this function /// Returns a value indicating whether this function corresponds to a builtin
/// corresponds to a builtin function. /// function.
/// ///
/// The function corresponds to a built-in function if it is /// The function corresponds to a built-in function if it is declared at
/// declared at translation scope or within an extern "C" block and /// translation scope or within an extern "C" block and its name matches with
/// its name matches with the name of a builtin. The returned value /// the name of a builtin. The returned value will be 0 for functions that do
/// will be 0 for functions that do not correspond to a builtin, a /// not correspond to a builtin, a value of type \c Builtin::ID if in the
/// value of type \c Builtin::ID if in the target-independent range /// target-independent range \c [1,Builtin::First), or a target-specific builtin
/// \c [1,Builtin::First), or a target-specific builtin value. /// value.
unsigned FunctionDecl::getBuiltinID() const { ///
/// \param ConsiderWrapperFunctions If true, we should consider wrapper
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

If we should -> If true, we should

aaron.ballman: If we should -> If true, we should
/// functions as their wrapped builtins. This shouldn't be done in general, but
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

its -> it's

aaron.ballman: its -> it's
/// it's useful in Sema to diagnose calls to wrappers based on their semantics.
unsigned FunctionDecl::getBuiltinID(bool ConsiderWrapperFunctions) const {
if (!getIdentifier()) if (!getIdentifier())
return 0; return 0;
unsigned BuiltinID = getIdentifier()->getBuiltinID(); unsigned BuiltinID = getIdentifier()->getBuiltinID();
if (!BuiltinID) if (!BuiltinID)
return 0; return 0;
ASTContext &Context = getASTContext(); ASTContext &Context = getASTContext();
Show All 11 Lines
return 0; return 0;
} }
if (LinkageDecl->getLanguage() != LinkageSpecDecl::lang_c) if (LinkageDecl->getLanguage() != LinkageSpecDecl::lang_c)
return 0; return 0;
} }
// If the function is marked "overloadable", it has a different mangled name // If the function is marked "overloadable", it has a different mangled name
// and is not the C library function. // and is not the C library function.
if (hasAttr<OverloadableAttr>()) if (!ConsiderWrapperFunctions && hasAttr<OverloadableAttr>())
return 0; return 0;
if (!Context.BuiltinInfo.isPredefinedLibFunction(BuiltinID)) if (!Context.BuiltinInfo.isPredefinedLibFunction(BuiltinID))
return BuiltinID; return BuiltinID;
// This function has the name of a known C library // This function has the name of a known C library
// function. Determine whether it actually refers to the C library // function. Determine whether it actually refers to the C library
// function or whether it just has the same name. // function or whether it just has the same name.
// If this is a static function, it's not a builtin. // If this is a static function, it's not a builtin.
if (getStorageClass() == SC_Static) if (!ConsiderWrapperFunctions && getStorageClass() == SC_Static)
return 0; return 0;
// OpenCL v1.2 s6.9.f - The library functions defined in // OpenCL v1.2 s6.9.f - The library functions defined in
// the C99 standard headers are not available. // the C99 standard headers are not available.
if (Context.getLangOpts().OpenCL && if (Context.getLangOpts().OpenCL &&
Context.BuiltinInfo.isPredefinedLibFunction(BuiltinID)) Context.BuiltinInfo.isPredefinedLibFunction(BuiltinID))
return 0; return 0;
▲ Show 20 LinesShow All 492 LinesShow Last 20 Lines

clang/lib/Sema/SemaChecking.cpp

Show First 20 LinesShow All 229 Lines▼ Show 20 Lines // the other qualifiers aren't possible.
Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg); Arg = S.PerformCopyInitialization(Entity, SourceLocation(), Arg);
if (Arg.isInvalid()) if (Arg.isInvalid())
return true; return true;
TheCall->setArg(2, Arg.get()); TheCall->setArg(2, Arg.get());
} }
return false; return false;
} }
static void SemaBuiltinMemChkCall(Sema &S, FunctionDecl *FDecl,
CallExpr *TheCall, unsigned SizeIdx,
unsigned DstSizeIdx,
StringRef LikelyMacroName) {
if (TheCall->getNumArgs() <= SizeIdx ||
TheCall->getNumArgs() <= DstSizeIdx)
return;
const Expr *SizeArg = TheCall->getArg(SizeIdx);
const Expr *DstSizeArg = TheCall->getArg(DstSizeIdx);
Expr::EvalResult SizeResult, DstSizeResult;
// find out if both sizes are known at compile time
if (!SizeArg->EvaluateAsInt(SizeResult, S.Context) ||
!DstSizeArg->EvaluateAsInt(DstSizeResult, S.Context))
return;
llvm::APSInt Size = SizeResult.Val.getInt();
llvm::APSInt DstSize = DstSizeResult.Val.getInt();
if (Size.ule(DstSize))
return;
// Confirmed overflow, so generate the diagnostic.
StringRef FunctionName = FDecl->getName();
SourceLocation SL = TheCall->getBeginLoc();
SourceManager &SM = S.getSourceManager();
// If we're in an expansion of a macro whose name corresponds to this builtin,
// use the simple macro name and location.
if (SL.isMacroID() && Lexer::getImmediateMacroName(SL, SM, S.getLangOpts()) ==
LikelyMacroName) {
FunctionName = LikelyMacroName;
SL = SM.getImmediateMacroCallerLoc(SL);
}
S.Diag(SL, diag::warn_memcpy_chk_overflow)
<< FunctionName << DstSize.toString(/*Radix=*/10)
<< Size.toString(/*Radix=*/10);
}
static bool SemaBuiltinCallWithStaticChain(Sema &S, CallExpr *BuiltinCall) { static bool SemaBuiltinCallWithStaticChain(Sema &S, CallExpr *BuiltinCall) {
if (checkArgCount(S, BuiltinCall, 2)) if (checkArgCount(S, BuiltinCall, 2))
return true; return true;
SourceLocation BuiltinLoc = BuiltinCall->getBeginLoc(); SourceLocation BuiltinLoc = BuiltinCall->getBeginLoc();
Expr *Builtin = BuiltinCall->getCallee()->IgnoreImpCasts(); Expr *Builtin = BuiltinCall->getCallee()->IgnoreImpCasts();
Expr *Call = BuiltinCall->getArg(0); Expr *Call = BuiltinCall->getArg(0);
Expr *Chain = BuiltinCall->getArg(1); Expr *Chain = BuiltinCall->getArg(1);
▲ Show 20 LinesShow All 47 Lines▼ Show 20 Linesstatic bool SemaBuiltinCallWithStaticChain(Sema &S, CallExpr *BuiltinCall) {
BuiltinCall->setValueKind(CE->getValueKind()); BuiltinCall->setValueKind(CE->getValueKind());
BuiltinCall->setObjectKind(CE->getObjectKind()); BuiltinCall->setObjectKind(CE->getObjectKind());
BuiltinCall->setCallee(Builtin); BuiltinCall->setCallee(Builtin);
BuiltinCall->setArg(1, ChainResult.get()); BuiltinCall->setArg(1, ChainResult.get());
return false; return false;
} }
/// Check a call to BuiltinID for buffer overflows. If BuiltinID is a
/// __builtin_*_chk function, then use the object size argument specified in the
/// source. Otherwise, infer the object size using __builtin_object_size.
void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
CallExpr *TheCall) {
// FIXME: There are some more useful checks we could be doing here:
// - Analyze the format string of sprintf to see how much of buffer is used.
// - Evaluate strlen of strcpy arguments, use as object size.
unsigned BuiltinID = FD->getBuiltinID(/*ConsiderWrappers=*/true);
if (!BuiltinID)
return;
unsigned DiagID = 0;
bool IsChkVariant = false;
unsigned SizeIndex, ObjectIndex;
switch (BuiltinID) {
george.burgess.ivUnsubmitted
Done
ReplyInline Actions

nit: I think the prevailing preference is to name lambdas as you'd name variables, rather than as you'd name methods/functions

george.burgess.iv: nit: I think the prevailing preference is to name lambdas as you'd name variables, rather than…
default:
return;
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

it's -> its

aaron.ballman: it's -> its
erik.pilkingtonAuthorUnsubmitted
Done
ReplyInline Actions

The opposite mistake as above, lol.

erik.pilkington: The opposite mistake as above, lol.
case Builtin::BI__builtin___memcpy_chk:
case Builtin::BI__builtin___memmove_chk:
george.burgess.ivUnsubmitted
Done
ReplyInline Actions

Should this also try to consider fortify_stdlib?

george.burgess.iv: Should this also try to consider `fortify_stdlib`?
erik.pilkingtonAuthorUnsubmitted
Done
ReplyInline Actions

I reverted fortify_stdlib in r356103 (although you couldn't possible know this, since that was after you made this comment ;)). We're going to use your pass_object_size attribute instead.

erik.pilkington: I reverted `fortify_stdlib` in r356103 (although you couldn't possible know this, since that…
case Builtin::BI__builtin___memset_chk:
case Builtin::BI__builtin___strlcat_chk:
case Builtin::BI__builtin___strlcpy_chk:
case Builtin::BI__builtin___strncat_chk:
case Builtin::BI__builtin___strncpy_chk:
case Builtin::BI__builtin___stpncpy_chk:
case Builtin::BI__builtin___memccpy_chk: {
DiagID = diag::warn_memcpy_chk_overflow;
IsChkVariant = true;
SizeIndex = TheCall->getNumArgs() - 2;
ObjectIndex = TheCall->getNumArgs() - 1;
break;
}
case Builtin::BI__builtin___snprintf_chk:
case Builtin::BI__builtin___vsnprintf_chk: {
DiagID = diag::warn_memcpy_chk_overflow;
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

I feel like this diagnostic name should be updated -- snprintf() and memcpy() are pretty distinct things. Maybe warn_builtin_chk_overflow?

aaron.ballman: I feel like this diagnostic name should be updated -- `snprintf()` and `memcpy()` are pretty…
IsChkVariant = true;
SizeIndex = 1;
ObjectIndex = 3;
break;
}
case Builtin::BIstrncat:
case Builtin::BI__builtin_strncat:
case Builtin::BIstrncpy:
case Builtin::BI__builtin_strncpy:
case Builtin::BIstpncpy:
case Builtin::BI__builtin_stpncpy: {
// Whether these functions overflow depends on the runtime strlen of the
// string, not just the buffer size, so emitting the "always overflow"
// diagnostic isn't quite right. We should still diagnose passing a buffer
// size larger than the destination buffer though; this is a runtime abort
// in _FORTIFY_SOURCE mode, and is quite suspicious otherwise.
DiagID = diag::warn_fortify_source_size_mismatch;
SizeIndex = TheCall->getNumArgs() - 1;
ObjectIndex = 0;
break;
}
case Builtin::BImemcpy:
case Builtin::BI__builtin_memcpy:
case Builtin::BImemmove:
case Builtin::BI__builtin_memmove:
case Builtin::BImemset:
case Builtin::BI__builtin_memset: {
george.burgess.ivUnsubmitted
Done
ReplyInline Actions

nit: All of these cases (and the two lambdas above) look super similar. Might it be clearer to just set SizeIndex and ObjectIndex variables from here, and actually evaluate them before UsedSize.ule(ComputedSize)?

If not, I'm OK with this as-is.

george.burgess.iv: nit: All of these cases (and the two lambdas above) look super similar. Might it be clearer to…
erik.pilkingtonAuthorUnsubmitted
Done
ReplyInline Actions

Sure, I guess it's a bit cleaner to do that.

erik.pilkington: Sure, I guess it's a bit cleaner to do that.
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Formatting looks off here -- run the patch through clang-format?

aaron.ballman: Formatting looks off here -- run the patch through clang-format?
DiagID = diag::warn_fortify_source_overflow;
SizeIndex = TheCall->getNumArgs() - 1;
ObjectIndex = 0;
break;
}
case Builtin::BIsnprintf:
case Builtin::BI__builtin_snprintf:
case Builtin::BIvsnprintf:
case Builtin::BI__builtin_vsnprintf: {
DiagID = diag::warn_fortify_source_size_mismatch;
SizeIndex = 1;
ObjectIndex = 0;
break;
}
}
llvm::APSInt ObjectSize;
// For __builtin___*_chk, the object size is explicitly provided by the caller
// (usually using __builtin_object_size). Use that value to check this call.
if (IsChkVariant) {
Expr::EvalResult Result;
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

depend -> depends

aaron.ballman: depend -> depends
Expr *SizeArg = TheCall->getArg(ObjectIndex);
if (!SizeArg->EvaluateAsInt(Result, getASTContext()))
return;
ObjectSize = Result.Val.getInt();
// Otherwise, try to evaluate an imaginary call to __builtin_object_size.
} else {
// If the parameter has a pass_object_size attribute, then we should use its
// (potentially) more strict checking mode. Otherwise, conservatively assume
// type 0.
int BOSType = 0;
if (auto *POS =
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

const auto *

aaron.ballman: `const auto *`
FD->getParamDecl(ObjectIndex)->getAttr<PassObjectSizeAttr>())
BOSType = POS->getType();
Expr *ObjArg = TheCall->getArg(ObjectIndex);
uint64_t Result;
if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
return;
// Get the object size in the target's size_t width.
const TargetInfo &TI = getASTContext().getTargetInfo();
unsigned SizeTypeWidth = TI.getTypeWidth(TI.getSizeType());
ObjectSize = llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth);
}
// Evaluate the number of bytes of the object that this call will use.
Expr::EvalResult Result;
Expr *UsedSizeArg = TheCall->getArg(SizeIndex);
if (!UsedSizeArg->EvaluateAsInt(Result, getASTContext()))
return;
llvm::APSInt UsedSize = Result.Val.getInt();
if (UsedSize.ule(ObjectSize))
return;
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Why don't we want to do this for the new fortify diagnostics?

aaron.ballman: Why don't we want to do this for the new fortify diagnostics?
erik.pilkingtonAuthorUnsubmitted
Done
ReplyInline Actions

No reason, just was trying to avoid changing the output of the _chk diagnostic. We might as as well though, it cleans up the diagnostic.

erik.pilkington: No reason, just was trying to avoid changing the output of the `_chk` diagnostic. We might as…
StringRef FunctionName = getASTContext().BuiltinInfo.getName(BuiltinID);
// Skim off the details of whichever builtin was called to produce a better
// diagnostic, as it's unlikley that the user wrote the __builtin explicitly.
if (IsChkVariant) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin___"));
FunctionName = FunctionName.drop_back(std::strlen("_chk"));
} else if (FunctionName.startswith("__builtin_")) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin_"));
}
Diag(TheCall->getBeginLoc(), DiagID)
<< FunctionName << ObjectSize.toString(/*Radix=*/10)
<< UsedSize.toString(/*Radix=*/10);
}
static bool SemaBuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall, static bool SemaBuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall,
Scope::ScopeFlags NeededScopeFlags, Scope::ScopeFlags NeededScopeFlags,
unsigned DiagID) { unsigned DiagID) {
// Scopes aren't available during instantiation. Fortunately, builtin // Scopes aren't available during instantiation. Fortunately, builtin
// functions cannot be template args so they cannot be formed through template // functions cannot be template args so they cannot be formed through template
// instantiation. Therefore checking once during the parse is sufficient. // instantiation. Therefore checking once during the parse is sufficient.
if (SemaRef.inTemplateInstantiation()) if (SemaRef.inTemplateInstantiation())
return false; return false;
▲ Show 20 LinesShow All 947 Lines▼ Show 20 Lines if (const auto *FT = dyn_cast<FunctionProtoType>(FuncType)) {
<< 2 << FnPtrArgType << "'int (*)(const char *, ...)'"; << 2 << FnPtrArgType << "'int (*)(const char *, ...)'";
return ExprError(); return ExprError();
} }
} }
TheCall->setType(Context.IntTy); TheCall->setType(Context.IntTy);
break; break;
} }
// check secure string manipulation functions where overflows
// are detectable at compile time
case Builtin::BI__builtin___memcpy_chk:
SemaBuiltinMemChkCall(*this, FDecl, TheCall, 2, 3, "memcpy");
break;
case Builtin::BI__builtin___memmove_chk:
SemaBuiltinMemChkCall(*this, FDecl, TheCall, 2, 3, "memmove");
break;
case Builtin::BI__builtin___memset_chk:
SemaBuiltinMemChkCall(*this, FDecl, TheCall, 2, 3, "memset");
break;
case Builtin::BI__builtin___strlcat_chk:
SemaBuiltinMemChkCall(*this, FDecl, TheCall, 2, 3, "strlcat");
break;
case Builtin::BI__builtin___strlcpy_chk:
SemaBuiltinMemChkCall(*this, FDecl, TheCall, 2, 3, "strlcpy");
break;
case Builtin::BI__builtin___strncat_chk:
SemaBuiltinMemChkCall(*this, FDecl, TheCall, 2, 3, "strncat");
break;
case Builtin::BI__builtin___strncpy_chk:
SemaBuiltinMemChkCall(*this, FDecl, TheCall, 2, 3, "strncpy");
break;
case Builtin::BI__builtin___stpncpy_chk:
SemaBuiltinMemChkCall(*this, FDecl, TheCall, 2, 3, "stpncpy");
break;
case Builtin::BI__builtin___memccpy_chk:
SemaBuiltinMemChkCall(*this, FDecl, TheCall, 3, 4, "memccpy");
break;
case Builtin::BI__builtin___snprintf_chk:
SemaBuiltinMemChkCall(*this, FDecl, TheCall, 1, 3, "snprintf");
break;
case Builtin::BI__builtin___vsnprintf_chk:
SemaBuiltinMemChkCall(*this, FDecl, TheCall, 1, 3, "vsnprintf");
break;
case Builtin::BI__builtin_call_with_static_chain: case Builtin::BI__builtin_call_with_static_chain:
if (SemaBuiltinCallWithStaticChain(*this, TheCall)) if (SemaBuiltinCallWithStaticChain(*this, TheCall))
return ExprError(); return ExprError();
break; break;
case Builtin::BI__exception_code: case Builtin::BI__exception_code:
case Builtin::BI_exception_code: case Builtin::BI_exception_code:
if (SemaBuiltinSEHScopeCheck(*this, TheCall, Scope::SEHExceptScope, if (SemaBuiltinSEHScopeCheck(*this, TheCall, Scope::SEHExceptScope,
diag::err_seh___except_block)) diag::err_seh___except_block))
▲ Show 20 LinesShow All 492 LinesShow Last 20 Lines

clang/lib/Sema/SemaExpr.cpp

Show First 20 LinesShow All 487 Lines▼ Show 20 Lines
if (!Method->isStatic()) if (!Method->isStatic())
return ExprError(Diag(LParenLoc, diag::err_member_call_without_object) return ExprError(Diag(LParenLoc, diag::err_member_call_without_object)
<< Fn->getSourceRange()); << Fn->getSourceRange());
// Check for sentinels // Check for sentinels
if (NDecl) if (NDecl)
DiagnoseSentinelCalls(NDecl, LParenLoc, Args); DiagnoseSentinelCalls(NDecl, LParenLoc, Args);
// Do special checking on direct calls to functions. // Do special checking on direct calls to functions.
george.burgess.ivUnsubmitted
Done
ReplyInline Actions

Why isn't this in CheckBuiltinFunctionCall?

george.burgess.iv: Why isn't this in CheckBuiltinFunctionCall?
erik.pilkingtonAuthorUnsubmitted
Done
ReplyInline Actions

For the same reason I added the bool parameter to getBuiltinCallee, we don't usually consider calls to __attribute__((overloadable)) be builtins, so we never reach CheckBuiltinFunctionCall for them. We're planning on using that attribute though:

int sprintf(__attribute__((pass_object_size(_FORTIFY_LEVEL))) char *buffer, const char *format, ...) 
          __attribute__((overloadable)) __asm__("___sprintf_pass_object_size_chk");
erik.pilkington: For the same reason I added the `bool` parameter to `getBuiltinCallee`, we don't usually…
george.burgess.ivUnsubmitted
Done
ReplyInline Actions

SGTM

george.burgess.iv: SGTM
if (FDecl) { if (FDecl) {
if (CheckFunctionCall(FDecl, TheCall, Proto)) if (CheckFunctionCall(FDecl, TheCall, Proto))
return ExprError(); return ExprError();
checkFortifiedBuiltinMemoryFunction(FDecl, TheCall);
if (BuiltinID) if (BuiltinID)
return CheckBuiltinFunctionCall(FDecl, BuiltinID, TheCall); return CheckBuiltinFunctionCall(FDecl, BuiltinID, TheCall);
} else if (NDecl) { } else if (NDecl) {
if (CheckPointerCall(NDecl, TheCall, Proto)) if (CheckPointerCall(NDecl, TheCall, Proto))
return ExprError(); return ExprError();
} else { } else {
if (CheckOtherCall(TheCall, Proto)) if (CheckOtherCall(TheCall, Proto))
return ExprError(); return ExprError();
▲ Show 20 LinesShow All 492 LinesShow Last 20 Lines

clang/test/Analysis/bstring.c

Show First 20 LinesShow All 66 Lines▼ Show 20 Linesvoid memcpy1 () {
memcpy(dst, src, 5); // expected-warning{{Memory copy function accesses out-of-bound array element}} memcpy(dst, src, 5); // expected-warning{{Memory copy function accesses out-of-bound array element}}
} }
void memcpy2 () { void memcpy2 () {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[1]; char dst[1];
memcpy(dst, src, 4); // expected-warning{{Memory copy function overflows destination buffer}} memcpy(dst, src, 4); // expected-warning{{Memory copy function overflows destination buffer}}
#ifndef VARIANT
// expected-warning@-2{{memcpy' will always overflow; destination buffer has size 1, but size argument is 4}}
#endif
} }
void memcpy3 () { void memcpy3 () {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[3]; char dst[3];
memcpy(dst+1, src+2, 2); // no-warning memcpy(dst+1, src+2, 2); // no-warning
} }
void memcpy4 () { void memcpy4 () {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[10]; char dst[10];
memcpy(dst+2, src+2, 3); // expected-warning{{Memory copy function accesses out-of-bound array element}} memcpy(dst+2, src+2, 3); // expected-warning{{Memory copy function accesses out-of-bound array element}}
} }
void memcpy5() { void memcpy5() {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[3]; char dst[3];
memcpy(dst+2, src+2, 2); // expected-warning{{Memory copy function overflows destination buffer}} memcpy(dst+2, src+2, 2); // expected-warning{{Memory copy function overflows destination buffer}}
#ifndef VARIANT
// expected-warning@-2{{memcpy' will always overflow; destination buffer has size 1, but size argument is 2}}
#endif
} }
void memcpy6() { void memcpy6() {
int a[4] = {0}; int a[4] = {0};
memcpy(a, a, 8); // expected-warning{{overlapping}} memcpy(a, a, 8); // expected-warning{{overlapping}}
} }
void memcpy7() { void memcpy7() {
▲ Show 20 LinesShow All 241 Lines▼ Show 20 Linesvoid memmove1 () {
memmove(dst, src, 5); // expected-warning{{out-of-bound}} memmove(dst, src, 5); // expected-warning{{out-of-bound}}
} }
void memmove2 () { void memmove2 () {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[1]; char dst[1];
memmove(dst, src, 4); // expected-warning{{overflow}} memmove(dst, src, 4); // expected-warning{{Memory copy function overflows destination buffer}}
#ifndef VARIANT
// expected-warning@-2{{memmove' will always overflow; destination buffer has size 1, but size argument is 4}}
#endif
} }
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
// memcmp() // memcmp()
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
#ifdef VARIANT #ifdef VARIANT
▲ Show 20 LinesShow All 122 LinesShow Last 20 Lines

clang/test/Analysis/null-deref-ps-region.c

Show First 20 LinesShow All 45 Lines▼ Show 20 Lines
void testHeapSymbol() { void testHeapSymbol() {
char *buf = (char *)malloc(13); char *buf = (char *)malloc(13);
memset(buf, 0, 1); // no-warning memset(buf, 0, 1); // no-warning
free(buf); free(buf);
} }
void testStackArrayOutOfBound() { void testStackArrayOutOfBound() {
char buf[1]; char buf[1];
memset(buf, 0, 1024); // expected-warning {{Memory set function accesses out-of-bound array element}} memset(buf, 0, 1024); // expected-warning {{Memory set function accesses out-of-bound array element}} expected-warning {{'memset' will always overflow; destination buffer has size 1, but size argument is 1024}}
} }
void testHeapSymbolOutOfBound() { void testHeapSymbolOutOfBound() {
char *buf = (char *)malloc(1); char *buf = (char *)malloc(1);
memset(buf, 0, 1024); // expected-warning {{Memory set function accesses out-of-bound array element}} memset(buf, 0, 1024); // expected-warning {{Memory set function accesses out-of-bound array element}}
free(buf); free(buf);
} }
Show All 10 Lines

clang/test/Analysis/pr22954.c

Show First 20 LinesShow All 297 Lines▼ Show 20 Lines
}; };
int f18() { int f18() {
struct ii i18 = {{1, 2, 3, 4}, 5, 6}; struct ii i18 = {{1, 2, 3, 4}, 5, 6};
i18.i = 10; i18.i = 10;
i18.j = 11; i18.j = 11;
i18.s2 = strdup("hello"); i18.s2 = strdup("hello");
char input[100] = {3}; char input[100] = {3};
memcpy(i18.s1, input, 100); memcpy(i18.s1, input, 100); // expected-warning {{'memcpy' will always overflow; destination buffer has size 24, but size argument is 100}}
clang_analyzer_eval(i18.s1[0] == 1); // expected-warning{{UNKNOWN}}\ clang_analyzer_eval(i18.s1[0] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'i18.s2'}} expected-warning{{Potential leak of memory pointed to by 'i18.s2'}}
clang_analyzer_eval(i18.s1[1] == 2); // expected-warning{{UNKNOWN}} clang_analyzer_eval(i18.s1[1] == 2); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i18.s1[2] == 3); // expected-warning{{UNKNOWN}} clang_analyzer_eval(i18.s1[2] == 3); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i18.s1[3] == 4); // expected-warning{{UNKNOWN}} clang_analyzer_eval(i18.s1[3] == 4); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i18.i == 10); // expected-warning{{UNKNOWN}} clang_analyzer_eval(i18.i == 10); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(i18.j == 11); // expected-warning{{UNKNOWN}} clang_analyzer_eval(i18.j == 11); // expected-warning{{UNKNOWN}}
return 0; return 0;
▲ Show 20 LinesShow All 214 Lines▼ Show 20 Linesint f261() {
return 0; return 0;
} }
// Test negative size argument. // Test negative size argument.
int f262() { int f262() {
struct aa a262 = {{1, 2, 3, 4}, 0}; struct aa a262 = {{1, 2, 3, 4}, 0};
a262.s2 = strdup("hello"); a262.s2 = strdup("hello");
char input[] = {'a', 'b', 'c', 'd'}; char input[] = {'a', 'b', 'c', 'd'};
memcpy(a262.s1, input, -1); memcpy(a262.s1, input, -1); // expected-warning{{'memcpy' will always overflow; destination buffer has size 16, but size argument is 18446744073709551615}}
clang_analyzer_eval(a262.s1[0] == 1); // expected-warning{{UNKNOWN}}\ clang_analyzer_eval(a262.s1[0] == 1); // expected-warning{{UNKNOWN}}\
expected-warning{{Potential leak of memory pointed to by 'a262.s2'}} expected-warning{{Potential leak of memory pointed to by 'a262.s2'}}
clang_analyzer_eval(a262.s1[1] == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(a262.s1[1] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a262.s1[2] == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(a262.s1[2] == 1); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(a262.s1[3] == 1); // expected-warning{{UNKNOWN}} clang_analyzer_eval(a262.s1[3] == 1); // expected-warning{{UNKNOWN}}
return 0; return 0;
} }
▲ Show 20 LinesShow All 372 LinesShow Last 20 Lines

clang/test/Analysis/string.c

Show First 20 LinesShow All 492 Lines▼ Show 20 Lines
strncpy(p, "AAA", sizeof("AAA")); // expected-warning {{Size argument is greater than the length of the destination buffer}} strncpy(p, "AAA", sizeof("AAA")); // expected-warning {{Size argument is greater than the length of the destination buffer}}
free(p); free(p);
} }
void strncpy_overflow(char *y) { void strncpy_overflow(char *y) {
char x[4]; char x[4];
if (strlen(y) == 4) if (strlen(y) == 4)
strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}} strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}}
#ifndef VARIANT
// expected-warning@-2{{size argument is too large; destination buffer has size 4, but size argument is 5}}
#endif
} }
void strncpy_no_overflow(char *y) { void strncpy_no_overflow(char *y) {
char x[4]; char x[4];
if (strlen(y) == 3) if (strlen(y) == 3)
strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}} strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}}
#ifndef VARIANT
// expected-warning@-2{{size argument is too large; destination buffer has size 4, but size argument is 5}}
#endif
} }
void strncpy_no_overflow2(char *y, int n) { void strncpy_no_overflow2(char *y, int n) {
if (n <= 4) if (n <= 4)
return; return;
char x[4]; char x[4];
if (strlen(y) == 3) if (strlen(y) == 3)
▲ Show 20 LinesShow All 708 Lines▼ Show 20 Lines
clang_analyzer_eval(str[0] == 'a'); // expected-warning{{UNKNOWN}} clang_analyzer_eval(str[0] == 'a'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(strlen(str) == 4); // expected-warning{{UNKNOWN}} clang_analyzer_eval(strlen(str) == 4); // expected-warning{{UNKNOWN}}
} }
#ifdef SUPPRESS_OUT_OF_BOUND #ifdef SUPPRESS_OUT_OF_BOUND
void memset8_char_array_nonnull() { void memset8_char_array_nonnull() {
char str[5] = "abcd"; char str[5] = "abcd";
clang_analyzer_eval(strlen(str) == 4); // expected-warning{{TRUE}} clang_analyzer_eval(strlen(str) == 4); // expected-warning{{TRUE}}
memset(str, '0', 10); memset(str, '0', 10); // expected-warning{{'memset' will always overflow; destination buffer has size 5, but size argument is 10}}
clang_analyzer_eval(str[0] != '0'); // expected-warning{{UNKNOWN}} clang_analyzer_eval(str[0] != '0'); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(strlen(str) >= 10); // expected-warning{{TRUE}} clang_analyzer_eval(strlen(str) >= 10); // expected-warning{{TRUE}}
clang_analyzer_eval(strlen(str) < 10); // expected-warning{{FALSE}} clang_analyzer_eval(strlen(str) < 10); // expected-warning{{FALSE}}
} }
#endif #endif
struct POD_memset { struct POD_memset {
int num; int num;
Show All 20 Lines
clang_analyzer_eval(pod.num == 0); // expected-warning{{TRUE}} clang_analyzer_eval(pod.num == 0); // expected-warning{{TRUE}}
clang_analyzer_eval(pod.c == '\0'); // expected-warning{{TRUE}} clang_analyzer_eval(pod.c == '\0'); // expected-warning{{TRUE}}
} }
void memset12_struct_field() { void memset12_struct_field() {
struct POD_memset pod; struct POD_memset pod;
pod.num = 1; pod.num = 1;
pod.c = '1'; pod.c = '1';
memset(&pod.c, 0, sizeof(struct POD_memset)); memset(&pod.c, 0, sizeof(struct POD_memset)); // expected-warning {{'memset' will always overflow; destination buffer has size 4, but size argument is 8}}
clang_analyzer_eval(pod.num == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval(pod.num == 0); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(pod.c == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval(pod.c == 0); // expected-warning{{UNKNOWN}}
} }
union U_memset { union U_memset {
int i; int i;
double d; double d;
char c; char c;
▲ Show 20 LinesShow All 255 LinesShow Last 20 Lines

clang/test/Sema/builtin-object-size.c

Show All 24 Lines
int f3() { int f3() {
return OBJECT_SIZE_BUILTIN(&a, 4); // expected-error {{argument value 4 is outside the valid range [0, 3]}} return OBJECT_SIZE_BUILTIN(&a, 4); // expected-error {{argument value 4 is outside the valid range [0, 3]}}
} }
// rdar://6252231 - cannot call vsnprintf with va_list on x86_64 // rdar://6252231 - cannot call vsnprintf with va_list on x86_64
void f4(const char *fmt, ...) { void f4(const char *fmt, ...) {
__builtin_va_list args; __builtin_va_list args;
__builtin___vsnprintf_chk (0, 42, 0, 11, fmt, args); // expected-warning {{'__builtin___vsnprintf_chk' will always overflow; destination buffer has size 11, but size argument is 42}} __builtin___vsnprintf_chk (0, 42, 0, 11, fmt, args); // expected-warning {{'vsnprintf' will always overflow; destination buffer has size 11, but size argument is 42}}
} }
// rdar://18334276 // rdar://18334276
typedef __typeof__(sizeof(int)) size_t; typedef __typeof__(sizeof(int)) size_t;
void * memcset(void *restrict dst, int src, size_t n); void * memcset(void *restrict dst, int src, size_t n);
void * memcpy(void *restrict dst, const void *restrict src, size_t n); void * memcpy(void *restrict dst, const void *restrict src, size_t n);
#define memset(dest, src, len) __builtin___memset_chk(dest, src, len, OBJECT_SIZE_BUILTIN(dest, 0)) #define memset(dest, src, len) __builtin___memset_chk(dest, src, len, OBJECT_SIZE_BUILTIN(dest, 0))
Show All 10 Lines
} }
// rdar://18431336 // rdar://18431336
void f6(void) void f6(void)
{ {
char b[5]; char b[5];
char buf[10]; char buf[10];
__builtin___memccpy_chk (buf, b, '\0', sizeof(b), OBJECT_SIZE_BUILTIN (buf, 0)); __builtin___memccpy_chk (buf, b, '\0', sizeof(b), OBJECT_SIZE_BUILTIN (buf, 0));
__builtin___memccpy_chk (b, buf, '\0', sizeof(buf), OBJECT_SIZE_BUILTIN (b, 0)); // expected-warning {{'__builtin___memccpy_chk' will always overflow; destination buffer has size 5, but size argument is 10}} __builtin___memccpy_chk (b, buf, '\0', sizeof(buf), OBJECT_SIZE_BUILTIN (b, 0)); // expected-warning {{'memccpy' will always overflow; destination buffer has size 5, but size argument is 10}}
} }
int pr28314(void) { int pr28314(void) {
struct { struct {
struct InvalidField a; // expected-error{{has incomplete type}} expected-note 3{{forward declaration of 'struct InvalidField'}} struct InvalidField a; // expected-error{{has incomplete type}} expected-note 3{{forward declaration of 'struct InvalidField'}}
char b[0]; char b[0];
} *p; } *p;
▲ Show 20 LinesShow All 51 LinesShow Last 20 Lines

clang/test/Sema/builtins.c

Show First 20 LinesShow All 224 Lines▼ Show 20 Lines
{ {
static char b[40]; static char b[40];
static char buf[20]; static char buf[20];
strlcpy(buf, b, sizeof(b)); // expected-warning {{size argument in 'strlcpy' call appears to be size of the source; expected the size of the destination}} \\ strlcpy(buf, b, sizeof(b)); // expected-warning {{size argument in 'strlcpy' call appears to be size of the source; expected the size of the destination}} \\
// expected-note {{change size argument to be the size of the destination}} // expected-note {{change size argument to be the size of the destination}}
__builtin___strlcpy_chk(buf, b, sizeof(b), __builtin_object_size(buf, 0)); // expected-warning {{size argument in '__builtin___strlcpy_chk' call appears to be size of the source; expected the size of the destination}} \ __builtin___strlcpy_chk(buf, b, sizeof(b), __builtin_object_size(buf, 0)); // expected-warning {{size argument in '__builtin___strlcpy_chk' call appears to be size of the source; expected the size of the destination}} \
// expected-note {{change size argument to be the size of the destination}} \ // expected-note {{change size argument to be the size of the destination}} \
// expected-warning {{'__builtin___strlcpy_chk' will always overflow; destination buffer has size 20, but size argument is 40}} // expected-warning {{'strlcpy' will always overflow; destination buffer has size 20, but size argument is 40}}
strlcat(buf, b, sizeof(b)); // expected-warning {{size argument in 'strlcat' call appears to be size of the source; expected the size of the destination}} \ strlcat(buf, b, sizeof(b)); // expected-warning {{size argument in 'strlcat' call appears to be size of the source; expected the size of the destination}} \
// expected-note {{change size argument to be the size of the destination}} // expected-note {{change size argument to be the size of the destination}}
__builtin___strlcat_chk(buf, b, sizeof(b), __builtin_object_size(buf, 0)); // expected-warning {{size argument in '__builtin___strlcat_chk' call appears to be size of the source; expected the size of the destination}} \ __builtin___strlcat_chk(buf, b, sizeof(b), __builtin_object_size(buf, 0)); // expected-warning {{size argument in '__builtin___strlcat_chk' call appears to be size of the source; expected the size of the destination}} \
// expected-note {{change size argument to be the size of the destination}} \ // expected-note {{change size argument to be the size of the destination}} \
// expected-warning {{'__builtin___strlcat_chk' will always overflow; destination buffer has size 20, but size argument is 40}} // expected-warning {{'strlcat' will always overflow; destination buffer has size 20, but size argument is 40}}
} }
// rdar://11076881 // rdar://11076881
char * Test20(char *p, const char *in, unsigned n) char * Test20(char *p, const char *in, unsigned n)
{ {
static char buf[10]; static char buf[10];
__builtin___memcpy_chk (&buf[6], in, 5, __builtin_object_size (&buf[6], 0)); // expected-warning {{'__builtin___memcpy_chk' will always overflow; destination buffer has size 4, but size argument is 5}} __builtin___memcpy_chk (&buf[6], in, 5, __builtin_object_size (&buf[6], 0)); // expected-warning {{'memcpy' will always overflow; destination buffer has size 4, but size argument is 5}}
__builtin___memcpy_chk (p, "abcde", n, __builtin_object_size (p, 0)); __builtin___memcpy_chk (p, "abcde", n, __builtin_object_size (p, 0));
__builtin___memcpy_chk (&buf[5], "abcde", 5, __builtin_object_size (&buf[5], 0)); __builtin___memcpy_chk (&buf[5], "abcde", 5, __builtin_object_size (&buf[5], 0));
__builtin___memcpy_chk (&buf[5], "abcde", n, __builtin_object_size (&buf[5], 0)); __builtin___memcpy_chk (&buf[5], "abcde", n, __builtin_object_size (&buf[5], 0));
__builtin___memcpy_chk (&buf[6], "abcde", 5, __builtin_object_size (&buf[6], 0)); // expected-warning {{'__builtin___memcpy_chk' will always overflow; destination buffer has size 4, but size argument is 5}} __builtin___memcpy_chk (&buf[6], "abcde", 5, __builtin_object_size (&buf[6], 0)); // expected-warning {{'memcpy' will always overflow; destination buffer has size 4, but size argument is 5}}
return buf; return buf;
} }
typedef void (fn_t)(int); typedef void (fn_t)(int);
void test_builtin_launder(char *p, void *vp, const void *cvp, void test_builtin_launder(char *p, void *vp, const void *cvp,
const volatile int *ip, float *restrict fp, const volatile int *ip, float *restrict fp,
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines
// rdar://43909200 // rdar://43909200
#define memcpy(x,y,z) __builtin___memcpy_chk(x,y,z, __builtin_object_size(x,0)) #define memcpy(x,y,z) __builtin___memcpy_chk(x,y,z, __builtin_object_size(x,0))
#define my_memcpy(x,y,z) __builtin___memcpy_chk(x,y,z, __builtin_object_size(x,0)) #define my_memcpy(x,y,z) __builtin___memcpy_chk(x,y,z, __builtin_object_size(x,0))
void test23() { void test23() {
char src[1024]; char src[1024];
char buf[10]; char buf[10];
memcpy(buf, src, 11); // expected-warning{{'memcpy' will always overflow; destination buffer has size 10, but size argument is 11}} memcpy(buf, src, 11); // expected-warning{{'memcpy' will always overflow; destination buffer has size 10, but size argument is 11}}
my_memcpy(buf, src, 11); // expected-warning{{'__builtin___memcpy_chk' will always overflow; destination buffer has size 10, but size argument is 11}} my_memcpy(buf, src, 11); // expected-warning{{'memcpy' will always overflow; destination buffer has size 10, but size argument is 11}}
} }

clang/test/Sema/transpose-memset.c

// RUN: %clang_cc1 -Wmemset-transposed-args -verify %s // RUN: %clang_cc1 -Wmemset-transposed-args -verify %s
// RUN: %clang_cc1 -xc++ -Wmemset-transposed-args -verify %s // RUN: %clang_cc1 -xc++ -Wmemset-transposed-args -verify %s
#define memset(...) __builtin_memset(__VA_ARGS__) #define memset(...) __builtin_memset(__VA_ARGS__)
#define bzero(x,y) __builtin_memset(x, 0, y) #define bzero(x,y) __builtin_memset(x, 0, y)
#define real_bzero(x,y) __builtin_bzero(x,y) #define real_bzero(x,y) __builtin_bzero(x,y)
int array[10]; int array[10];
int *ptr; int *ptr;
int main() { int main() {
memset(array, sizeof(array), 0); // expected-warning{{'size' argument to memset is '0'; did you mean to transpose the last two arguments?}} expected-note{{parenthesize the third argument to silence}} memset(array, sizeof(array), 0); // expected-warning{{'size' argument to memset is '0'; did you mean to transpose the last two arguments?}} expected-note{{parenthesize the third argument to silence}}
memset(array, sizeof(array), 0xff); // expected-warning{{setting buffer to a 'sizeof' expression; did you mean to transpose the last two arguments?}} expected-note{{cast the second argument to 'int' to silence}} memset(array, sizeof(array), 0xff); // expected-warning{{setting buffer to a 'sizeof' expression; did you mean to transpose the last two arguments?}} expected-note{{cast the second argument to 'int' to silence}} expected-warning{{'memset' will always overflow; destination buffer has size 40, but size argument is 255}}
memset(ptr, sizeof(ptr), 0); // expected-warning{{'size' argument to memset is '0'; did you mean to transpose the last two arguments?}} expected-note{{parenthesize the third argument to silence}} memset(ptr, sizeof(ptr), 0); // expected-warning{{'size' argument to memset is '0'; did you mean to transpose the last two arguments?}} expected-note{{parenthesize the third argument to silence}}
memset(ptr, sizeof(*ptr) * 10, 1); // expected-warning{{setting buffer to a 'sizeof' expression; did you mean to transpose the last two arguments?}} expected-note{{cast the second argument to 'int' to silence}} memset(ptr, sizeof(*ptr) * 10, 1); // expected-warning{{setting buffer to a 'sizeof' expression; did you mean to transpose the last two arguments?}} expected-note{{cast the second argument to 'int' to silence}}
memset(ptr, 10 * sizeof(int *), 1); // expected-warning{{setting buffer to a 'sizeof' expression; did you mean to transpose the last two arguments?}} expected-note{{cast the second argument to 'int' to silence}} memset(ptr, 10 * sizeof(int *), 1); // expected-warning{{setting buffer to a 'sizeof' expression; did you mean to transpose the last two arguments?}} expected-note{{cast the second argument to 'int' to silence}}
memset(ptr, 10 * sizeof(int *) + 10, 0xff); // expected-warning{{setting buffer to a 'sizeof' expression; did you mean to transpose the last two arguments?}} expected-note{{cast the second argument to 'int' to silence}} memset(ptr, 10 * sizeof(int *) + 10, 0xff); // expected-warning{{setting buffer to a 'sizeof' expression; did you mean to transpose the last two arguments?}} expected-note{{cast the second argument to 'int' to silence}}
memset(ptr, sizeof(char) * sizeof(int *), 0xff); // expected-warning{{setting buffer to a 'sizeof' expression; did you mean to transpose the last two arguments?}} expected-note{{cast the second argument to 'int' to silence}} memset(ptr, sizeof(char) * sizeof(int *), 0xff); // expected-warning{{setting buffer to a 'sizeof' expression; did you mean to transpose the last two arguments?}} expected-note{{cast the second argument to 'int' to silence}}
memset(array, sizeof(array), sizeof(array)); // Uh... fine I guess. memset(array, sizeof(array), sizeof(array)); // Uh... fine I guess.
memset(array, 0, sizeof(array)); memset(array, 0, sizeof(array));
memset(ptr, 0, sizeof(int *) * 10); memset(ptr, 0, sizeof(int *) * 10);
Show All 40 Lines

clang/test/Sema/warn-fortify-source.c

  • This file was added.
// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify
// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_PASS_OBJECT_SIZE
// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_BUILTINS
typedef unsigned long size_t;
#if defined(USE_PASS_OBJECT_SIZE)
void *memcpy(void *dst, const void *src, size_t c);
static void *memcpy(void *dst __attribute__((pass_object_size(1))), const void *src, size_t c) __attribute__((overloadable)) __asm__("merp");
static void *memcpy(void *const dst __attribute__((pass_object_size(1))), const void *src, size_t c) __attribute__((overloadable)) {
return 0;
}
#elif defined(USE_BUILTINS)
#define memcpy(x,y,z) __builtin_memcpy(x,y,z)
#else
void *memcpy(void *dst, const void *src, size_t c);
#endif
void call_memcpy() {
char dst[10];
char src[20];
memcpy(dst, src, 20); // expected-warning {{memcpy' will always overflow; destination buffer has size 10, but size argument is 20}}
}
void call_memcpy_type() {
struct pair {
int first;
int second;
};
struct pair p;
char buf[20];
memcpy(&p.first, buf, 20);
#ifdef USE_PASS_OBJECT_SIZE
// Use the more strict checking mode on the pass_object_size attribute:
// expected-warning@-3 {{memcpy' will always overflow; destination buffer has size 4, but size argument is 20}}
#else
// Or just fallback to type 0:
// expected-warning@-6 {{memcpy' will always overflow; destination buffer has size 8, but size argument is 20}}
#endif
}
void call_strncat() {
char s1[10], s2[20];
__builtin_strncat(s2, s1, 20);
__builtin_strncat(s1, s2, 20); // expected-warning {{'strncat' size argument is too large; destination buffer has size 10, but size argument is 20}}
}
void call_strncpy() {
char s1[10], s2[20];
__builtin_strncpy(s2, s1, 20);
__builtin_strncpy(s1, s2, 20); // expected-warning {{'strncpy' size argument is too large; destination buffer has size 10, but size argument is 20}}
}
void call_stpncpy() {
char s1[10], s2[20];
__builtin_stpncpy(s2, s1, 20);
__builtin_stpncpy(s1, s2, 20); // expected-warning {{'stpncpy' size argument is too large; destination buffer has size 10, but size argument is 20}}
}
void call_memmove() {
char s1[10], s2[20];
__builtin_memmove(s2, s1, 20);
__builtin_memmove(s1, s2, 20); // expected-warning {{'memmove' will always overflow; destination buffer has size 10, but size argument is 20}}
}
void call_memset() {
char buf[10];
__builtin_memset(buf, 0xff, 10);
__builtin_memset(buf, 0xff, 11); // expected-warning {{'memset' will always overflow; destination buffer has size 10, but size argument is 11}}
}
void call_snprintf() {
char buf[10];
__builtin_snprintf(buf, 10, "merp");
__builtin_snprintf(buf, 11, "merp"); // expected-warning {{'snprintf' size argument is too large; destination buffer has size 10, but size argument is 11}}
}
void call_vsnprintf() {
char buf[10];
__builtin_va_list list;
__builtin_vsnprintf(buf, 10, "merp", list);
__builtin_vsnprintf(buf, 11, "merp", list); // expected-warning {{'vsnprintf' size argument is too large; destination buffer has size 10, but size argument is 11}}
}

clang/test/Sema/warn-strncat-size.c

Show All 33 Linesvoid test(char *src) {
strncat(dest, src, sizeof(src) - 1); // expected-warning {{size argument in 'strncat' call appears to be size of the source}} expected-note {{change the argument to be the free space in the destination buffer minus the terminating null byte}} strncat(dest, src, sizeof(src) - 1); // expected-warning {{size argument in 'strncat' call appears to be size of the source}} expected-note {{change the argument to be the free space in the destination buffer minus the terminating null byte}}
strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(dest)); // expected-warning{{the value of the size argument in 'strncat' is too large, might lead to a buffer overflow}} expected-note {{change the argument to be the free space in the destination buffer minus the terminating null byte}} strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(dest)); // expected-warning{{the value of the size argument in 'strncat' is too large, might lead to a buffer overflow}} expected-note {{change the argument to be the free space in the destination buffer minus the terminating null byte}}
strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(dest) - strlen(dest)); // expected-warning{{the value of the size argument in 'strncat' is too large, might lead to a buffer overflow}} expected-note {{change the argument to be the free space in the destination buffer minus the terminating null byte}} strncat(dest, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", sizeof(dest) - strlen(dest)); // expected-warning{{the value of the size argument in 'strncat' is too large, might lead to a buffer overflow}} expected-note {{change the argument to be the free space in the destination buffer minus the terminating null byte}}
strncat((*s5)->f2[x], s2, sizeof(s2)); // expected-warning {{size argument in 'strncat' call appears to be size of the source}} expected-note {{change the argument to be the free space in the destination buffer minus the terminating null byte}} strncat((*s5)->f2[x], s2, sizeof(s2)); // expected-warning {{size argument in 'strncat' call appears to be size of the source}} expected-note {{change the argument to be the free space in the destination buffer minus the terminating null byte}}
strncat(s1+3, s2, sizeof(s2)); // expected-warning {{size argument in 'strncat' call appears to be size of the source}} strncat(s1+3, s2, sizeof(s2)); // expected-warning {{size argument in 'strncat' call appears to be size of the source}} expected-warning {{strncat' size argument is too large; destination buffer has size 97, but size argument is 200}}
strncat(s4.f1, s2, sizeof(s2)); // expected-warning {{size argument in 'strncat' call appears to be size of the source}} expected-note {{change the argument to be the free space in the destination buffer minus the terminating null byte}} strncat(s4.f1, s2, sizeof(s2)); // expected-warning {{size argument in 'strncat' call appears to be size of the source}} expected-note {{change the argument to be the free space in the destination buffer minus the terminating null byte}}
} }
// Don't issue FIXIT for flexible arrays. // Don't issue FIXIT for flexible arrays.
struct S { struct S {
int y; int y;
char x[]; char x[];
}; };
Show All 26 Lines