This is an archive of the discontinued LLVM Phabricator instance.

Differential D66049

[analyzer] PR41729: Fix some false positives and improve strlcat and strlcpy modeling
ClosedPublic

Authored by dkrupp on Aug 10 2019, 1:08 AM.

Details

Reviewers
NoQ
Szelethus
gamesh411
Commits
rGacac540422e8: [analyzer] PR41729: CStringChecker: Improve strlcat and strlcpy modeling.
Summary

Fixes Bug 41729 (https://bugs.llvm.org/show_bug.cgi?id=41729)
and the following errors:

  • Fixes false positive reports of strlcat
  • The return value of strlcat and strlcpy is now correctly calculated
  • The resulting string length of strlcat and strlcpy is now correctly calculated

Diff Detail

Event Timeline

dkrupp created this revision.Aug 10 2019, 1:08 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 10 2019, 1:08 AM
Herald added subscribers: cfe-commits, rnkovacs. · View Herald Transcript
Szelethus retitled this revision from Fixes Bug 41729 and improves strlcat and strlcpy modeling to [analyzer] PR41729: Fix some false positives and improve strlcat and strlcpy modeling.Aug 11 2019, 11:32 AM
Szelethus edited the summary of this revision. (Show Details)
Herald added subscribers: Charusso, donat.nagy, mikhail.ramalho and 5 others. · View Herald TranscriptAug 11 2019, 11:32 AM
NoQ added a comment.Aug 12 2019, 4:28 PM

Oh, these false positives! Thanks!!

lib/StaticAnalyzer/Checkers/CStringChecker.cpp
1627 ↗(On Diff #214512)

Please handle the situation when freeSpaceNL is None before dereferencing. I suspect that this might actually happen when you overwhelm the symbol complexity by subtracting 1. I'm not really super sure this can happen, given that symbols we're working with are very specific as of now, but this is something that should be made possible if we ever go far enough in our attempts to improve this checker.

1637 ↗(On Diff #214512)

Strange whitespace here and in the next comment (:

1647 ↗(On Diff #214512)

Great job not introducing the state split here!

test/Analysis/cstring-syntax.c
57 ↗(On Diff #214512)

I think this test doesn't really demonstrate that bug 41729 is fixed, as the offending checker isn't enabled on this test.

dkrupp updated this revision to Diff 214817.Aug 13 2019, 6:05 AM

Fix comments from @NoQ

dkrupp marked 3 inline comments as done.Aug 13 2019, 6:06 AM

Thanks for the comments @NoQ , all of them addressed.

gamesh411 added a comment.Aug 14 2019, 2:57 AM

Nice improvements! It was a good catch that a substantial part of the checker could be cut out. Accurate modelling of CString and related API-s is really important, and this is a good step in that direction.
I would test this on a larger codebase as well before committing, but LGTM otherwise.

Szelethus added a comment.Aug 14 2019, 12:45 PM

I agree with @gamesh411 here, would it be much trouble to see how this behaves on a bigger codebase?

Szelethus added a comment.Oct 1 2019, 6:42 AM

The logic of the patch is fine in my eyes, but I dislike the formatting. Could you please make the code obey the LLVM coding style, and after that use clang-format-diff.py?
https://llvm.org/docs/CodingStandards.html
https://clang.llvm.org/docs/ClangFormat.html#script-for-patch-reformatting

lib/StaticAnalyzer/Checkers/CStringChecker.cpp
31 ↗(On Diff #214817)

Please capitalize these. Also, ConcatFnKind might be more descriptive? Ad absurdum, we might as well pass the CallDescription that is responsible for the concatenation. That maaay just be a little over engineered though.

133–134 ↗(On Diff #214817)

CaPitALizeE :D

1556 ↗(On Diff #214817)

Please terminate this sentence.

1580 ↗(On Diff #214817)

Ah, okay, so the assumption is that bounded functions' third argument is always a numerical size parameter. Why isn't that enforced at all?

1596 ↗(On Diff #214817)

Can we just do a switch-case? If someone were to add a new concat type, it would even give a warning in case it was left unhandled.

1628 ↗(On Diff #214817)

Please put comments like these before the branch. I like the following format better:

// While unlikely, it is possible that the subtraction is too complexity
// to complex to compute, let's check whether it succeeded.
if (Optional<NonLoc> freeSpaceNL = freeSpace.getAs<NonLoc>())
1630 ↗(On Diff #214817)

hasEnoughSpace

1637–1640 ↗(On Diff #214817)

All of these too, and omit braces too:

// srcStrLength <= size - dstStrLength -1
if (TrueState && !FalseState)
  amountCopied = strLength;
1657 ↗(On Diff #214817)

Would prefer a switch case here too.

dkrupp updated this revision to Diff 224088.Oct 9 2019, 9:44 AM
dkrupp marked 9 inline comments as done.

@Szelethus thanks for your review.
I fixed your suggestions.

dkrupp added a comment.Oct 9 2019, 9:48 AM

I also analyzed openssl with the baseline and this version, but did not find any new warnings.
See:
http://codechecker-demo.eastus.cloudapp.azure.com/Default/#run=D66049_baseline&newcheck=D66049_improved&review-status=Unreviewed&review-status=Confirmed&detection-status=New&detection-status=Reopened&detection-status=Unresolved&tab=D66049_baseline_diff_D66049_improved

lib/StaticAnalyzer/Checkers/CStringChecker.cpp
1580 ↗(On Diff #214817)

How should we enforce this?

dkrupp updated this revision to Diff 224090.Oct 9 2019, 10:01 AM

Fixing minor capitalization issue and removing an extra newline.

Szelethus accepted this revision.Oct 10 2019, 7:07 AM

LGTM!

In D66049#1701730, @dkrupp wrote:

I also analyzed openssl with the baseline and this version, but did not find any new warnings.
See:
http://codechecker-demo.eastus.cloudapp.azure.com/Default/#run=D66049_baseline&newcheck=D66049_improved&review-status=Unreviewed&review-status=Confirmed&detection-status=New&detection-status=Reopened&detection-status=Unresolved&tab=D66049_baseline_diff_D66049_improved

This requires a username/pw, but if there isn't any noticeable change on open source code, this change mustn't hurt much.

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
1652–1654

We usually omit braces when the branch consists of a single line.

This revision is now accepted and ready to land.Oct 10 2019, 7:07 AM
dkrupp added a comment.Oct 11 2019, 3:24 AM

Thanks for the reviews!
Could you pls commit this for me?

dkrupp added a comment.Nov 4 2019, 8:51 AM

If this is good to go, could you please commit this? Thanks!

Closed by commit rGacac540422e8: [analyzer] PR41729: CStringChecker: Improve strlcat and strlcpy modeling. (authored by dergachev.a). · Explain WhyNov 7 2019, 5:23 PM
This revision was automatically updated to reflect the committed changes.
NoQ added inline comments.Dec 13 2019, 6:03 PM
clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
1710–1711

rGf450dd63a14d

Please use the normal evalBinOp without suffixes, it just works!

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
301 lines
test/
Analysis/
89 lines

Diff 228343

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show All 22 Lines
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 };
class CStringChecker : public Checker< eval::Call, class CStringChecker : public Checker< eval::Call,
check::PreStmt<DeclStmt>, check::PreStmt<DeclStmt>,
check::LiveSymbols, check::LiveSymbols,
check::DeadSymbols, check::DeadSymbols,
check::RegionChanges check::RegionChanges
> { > {
mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap, mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
BT_NotCString, BT_AdditionOverflow; BT_NotCString, BT_AdditionOverflow;
▲ Show 20 LinesShow All 85 Lines▼ Show 20 Linespublic:
void evalstrLengthCommon(CheckerContext &C, void evalstrLengthCommon(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE,
bool IsStrnlen = false) const; bool IsStrnlen = false) const;
void evalStrcpy(CheckerContext &C, const CallExpr *CE) const; void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
void evalStrncpy(CheckerContext &C, const CallExpr *CE) const; void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
void evalStpcpy(CheckerContext &C, const CallExpr *CE) const; void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const; void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const;
void evalStrcpyCommon(CheckerContext &C, void evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, bool ReturnEnd,
const CallExpr *CE, bool IsBounded, ConcatFnKind appendK,
bool returnEnd,
bool isBounded,
bool isAppending,
bool returnPtr = true) const; bool returnPtr = true) const;
void evalStrcat(CheckerContext &C, const CallExpr *CE) const; void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
void evalStrncat(CheckerContext &C, const CallExpr *CE) const; void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
void evalStrlcat(CheckerContext &C, const CallExpr *CE) const; void evalStrlcat(CheckerContext &C, const CallExpr *CE) const;
void evalStrcmp(CheckerContext &C, const CallExpr *CE) const; void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
void evalStrncmp(CheckerContext &C, const CallExpr *CE) const; void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const; void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const; void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
void evalStrcmpCommon(CheckerContext &C, void evalStrcmpCommon(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE,
bool isBounded = false, bool IsBounded = false,
bool ignoreCase = false) const; bool IgnoreCase = false) const;
void evalStrsep(CheckerContext &C, const CallExpr *CE) const; void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
void evalStdCopy(CheckerContext &C, const CallExpr *CE) const; void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const; void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const; void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
void evalMemset(CheckerContext &C, const CallExpr *CE) const; void evalMemset(CheckerContext &C, const CallExpr *CE) const;
void evalBzero(CheckerContext &C, const CallExpr *CE) const; void evalBzero(CheckerContext &C, const CallExpr *CE) const;
▲ Show 20 LinesShow All 1,313 Lines▼ Show 20 Linesvoid CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
assert(!result.isUnknown() && "Should have conjured a value by now"); assert(!result.isUnknown() && "Should have conjured a value by now");
state = state->BindExpr(CE, LCtx, result); state = state->BindExpr(CE, LCtx, result);
C.addTransition(state); C.addTransition(state);
} }
void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
// char *strcpy(char *restrict dst, const char *restrict src); // char *strcpy(char *restrict dst, const char *restrict src);
evalStrcpyCommon(C, CE, evalStrcpyCommon(C, CE,
/* returnEnd = */ false, /* ReturnEnd = */ false,
/* isBounded = */ false, /* IsBounded = */ false,
/* isAppending = */ false); /* appendK = */ ConcatFnKind::none);
} }
void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
// char *strncpy(char *restrict dst, const char *restrict src, size_t n); // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
evalStrcpyCommon(C, CE, evalStrcpyCommon(C, CE,
/* returnEnd = */ false, /* ReturnEnd = */ false,
/* isBounded = */ true, /* IsBounded = */ true,
/* isAppending = */ false); /* appendK = */ ConcatFnKind::none);
} }
void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
// char *stpcpy(char *restrict dst, const char *restrict src); // char *stpcpy(char *restrict dst, const char *restrict src);
evalStrcpyCommon(C, CE, evalStrcpyCommon(C, CE,
/* returnEnd = */ true, /* ReturnEnd = */ true,
/* isBounded = */ false, /* IsBounded = */ false,
/* isAppending = */ false); /* appendK = */ ConcatFnKind::none);
} }
void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const {
// char *strlcpy(char *dst, const char *src, size_t n); // size_t strlcpy(char *dest, const char *src, size_t size);
evalStrcpyCommon(C, CE, evalStrcpyCommon(C, CE,
/* returnEnd = */ true, /* ReturnEnd = */ true,
/* isBounded = */ true, /* IsBounded = */ true,
/* isAppending = */ false, /* appendK = */ ConcatFnKind::none,
/* returnPtr = */ false); /* returnPtr = */ false);
} }
void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
//char *strcat(char *restrict s1, const char *restrict s2); // char *strcat(char *restrict s1, const char *restrict s2);
evalStrcpyCommon(C, CE, evalStrcpyCommon(C, CE,
/* returnEnd = */ false, /* ReturnEnd = */ false,
/* isBounded = */ false, /* IsBounded = */ false,
/* isAppending = */ true); /* appendK = */ ConcatFnKind::strcat);
} }
void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
//char *strncat(char *restrict s1, const char *restrict s2, size_t n); //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
evalStrcpyCommon(C, CE, evalStrcpyCommon(C, CE,
/* returnEnd = */ false, /* ReturnEnd = */ false,
/* isBounded = */ true, /* IsBounded = */ true,
/* isAppending = */ true); /* appendK = */ ConcatFnKind::strcat);
} }
void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const {
// FIXME: strlcat() uses a different rule for bound checking, i.e. 'n' means // size_t strlcat(char *dst, const char *src, size_t size);
// a different thing as compared to strncat(). This currently causes // It will append at most size - strlen(dst) - 1 bytes,
// false positives in the alpha string bound checker. // NULL-terminating the result.
//char *strlcat(char *s1, const char *s2, size_t n);
evalStrcpyCommon(C, CE, evalStrcpyCommon(C, CE,
/* returnEnd = */ false, /* ReturnEnd = */ false,
/* isBounded = */ true, /* IsBounded = */ true,
/* isAppending = */ true, /* appendK = */ ConcatFnKind::strlcat,
/* returnPtr = */ false); /* returnPtr = */ false);
} }
void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
bool returnEnd, bool isBounded, bool ReturnEnd, bool IsBounded,
bool isAppending, bool returnPtr) const { ConcatFnKind appendK,
bool returnPtr) const {
CurrentFunctionDescription = "string copy function"; CurrentFunctionDescription = "string copy function";
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
// Check that the destination is non-null. // Check that the destination is non-null.
const Expr *Dst = CE->getArg(0); const Expr *Dst = CE->getArg(0);
SVal DstVal = state->getSVal(Dst, LCtx); SVal DstVal = state->getSVal(Dst, LCtx);
state = checkNonNull(C, state, Dst, DstVal, 1); state = checkNonNull(C, state, Dst, DstVal, 1);
if (!state) if (!state)
return; return;
// Check that the source is non-null. // Check that the source is non-null.
const Expr *srcExpr = CE->getArg(1); const Expr *srcExpr = CE->getArg(1);
SVal srcVal = state->getSVal(srcExpr, LCtx); SVal srcVal = state->getSVal(srcExpr, LCtx);
state = checkNonNull(C, state, srcExpr, srcVal, 2); state = checkNonNull(C, state, srcExpr, srcVal, 2);
if (!state) if (!state)
return; return;
// Get the string length of the source. // Get the string length of the source.
SVal strLength = getCStringLength(C, state, srcExpr, srcVal); SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
// Get the string length of the destination buffer.
SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
// If the source isn't a valid C string, give up. // If the source isn't a valid C string, give up.
if (strLength.isUndef()) if (strLength.isUndef())
return; return;
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
QualType cmpTy = svalBuilder.getConditionType(); QualType cmpTy = svalBuilder.getConditionType();
QualType sizeTy = svalBuilder.getContext().getSizeType(); QualType sizeTy = svalBuilder.getContext().getSizeType();
// These two values allow checking two kinds of errors: // These two values allow checking two kinds of errors:
// - actual overflows caused by a source that doesn't fit in the destination // - actual overflows caused by a source that doesn't fit in the destination
// - potential overflows caused by a bound that could exceed the destination // - potential overflows caused by a bound that could exceed the destination
SVal amountCopied = UnknownVal(); SVal amountCopied = UnknownVal();
SVal maxLastElementIndex = UnknownVal(); SVal maxLastElementIndex = UnknownVal();
const char *boundWarning = nullptr; const char *boundWarning = nullptr;
state = CheckOverlap(C, state, isBounded ? CE->getArg(2) : CE->getArg(1), Dst, srcExpr); state = CheckOverlap(C, state, IsBounded ? CE->getArg(2) : CE->getArg(1), Dst,
srcExpr);
if (!state) if (!state)
return; return;
// If the function is strncpy, strncat, etc... it is bounded. // If the function is strncpy, strncat, etc... it is bounded.
if (isBounded) { if (IsBounded) {
// Get the max number of characters to copy. // Get the max number of characters to copy.
const Expr *lenExpr = CE->getArg(2); const Expr *lenExpr = CE->getArg(2);
SVal lenVal = state->getSVal(lenExpr, LCtx); SVal lenVal = state->getSVal(lenExpr, LCtx);
// Protect against misdeclared strncpy(). // Protect against misdeclared strncpy().
lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType()); lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>(); Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
// If we know both values, we might be able to figure out how much // If we know both values, we might be able to figure out how much
// we're copying. // we're copying.
if (strLengthNL && lenValNL) { if (strLengthNL && lenValNL) {
switch (appendK) {
case ConcatFnKind::none:
case ConcatFnKind::strcat: {
ProgramStateRef stateSourceTooLong, stateSourceNotTooLong; ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
// Check if the max number to copy is less than the length of the src. // Check if the max number to copy is less than the length of the src.
// If the bound is equal to the source length, strncpy won't null- // If the bound is equal to the source length, strncpy won't null-
// terminate the result! // terminate the result!
std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume( std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy) svalBuilder
.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
.castAs<DefinedOrUnknownSVal>()); .castAs<DefinedOrUnknownSVal>());
if (stateSourceTooLong && !stateSourceNotTooLong) { if (stateSourceTooLong && !stateSourceNotTooLong) {
// Max number to copy is less than the length of the src, so the actual // Max number to copy is less than the length of the src, so the
// strLength copied is the max number arg. // actual strLength copied is the max number arg.
state = stateSourceTooLong; state = stateSourceTooLong;
amountCopied = lenVal; amountCopied = lenVal;
} else if (!stateSourceTooLong && stateSourceNotTooLong) { } else if (!stateSourceTooLong && stateSourceNotTooLong) {
// The source buffer entirely fits in the bound. // The source buffer entirely fits in the bound.
state = stateSourceNotTooLong; state = stateSourceNotTooLong;
amountCopied = strLength; amountCopied = strLength;
} }
break;
}
case ConcatFnKind::strlcat:
if (!dstStrLengthNL)
return;
// amountCopied = min (size - dstLen - 1 , srcLen)
SVal freeSpace = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
*dstStrLengthNL, sizeTy);
if (!freeSpace.getAs<NonLoc>())
return;
freeSpace =
svalBuilder.evalBinOp(state, BO_Sub, freeSpace,
svalBuilder.makeIntVal(1, sizeTy), sizeTy);
Optional<NonLoc> freeSpaceNL = freeSpace.getAs<NonLoc>();
// While unlikely, it is possible that the subtraction is
// too complex to compute, let's check whether it succeeded.
if (!freeSpaceNL)
return;
SVal hasEnoughSpace = svalBuilder.evalBinOpNN(
state, BO_LE, *strLengthNL, *freeSpaceNL, cmpTy);
ProgramStateRef TrueState, FalseState;
std::tie(TrueState, FalseState) =
state->assume(hasEnoughSpace.castAs<DefinedOrUnknownSVal>());
// srcStrLength <= size - dstStrLength -1
if (TrueState && !FalseState) {
amountCopied = strLength;
}
SzelethusUnsubmitted
Not Done
ReplyInline Actions

We usually omit braces when the branch consists of a single line.

Szelethus: We usually omit braces when the branch consists of a single line.
// srcStrLength > size - dstStrLength -1
if (!TrueState && FalseState) {
amountCopied = freeSpace;
} }
if (TrueState && FalseState)
amountCopied = UnknownVal();
break;
}
}
// We still want to know if the bound is known to be too large. // We still want to know if the bound is known to be too large.
if (lenValNL) { if (lenValNL) {
if (isAppending) { switch (appendK) {
case ConcatFnKind::strcat:
// For strncat, the check is strlen(dst) + lenVal < sizeof(dst) // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
// Get the string length of the destination. If the destination is // Get the string length of the destination. If the destination is
// memory that can't have a string length, we shouldn't be copying // memory that can't have a string length, we shouldn't be copying
// into it anyway. // into it anyway.
SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
if (dstStrLength.isUndef()) if (dstStrLength.isUndef())
return; return;
if (Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>()) { if (dstStrLengthNL) {
maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add, maxLastElementIndex = svalBuilder.evalBinOpNN(
*lenValNL, state, BO_Add, *lenValNL, *dstStrLengthNL, sizeTy);
*dstStrLengthNL,
sizeTy);
boundWarning = "Size argument is greater than the free space in the " boundWarning = "Size argument is greater than the free space in the "
"destination buffer"; "destination buffer";
} }
break;
} else { case ConcatFnKind::none:
// For strncpy, this is just checking that lenVal <= sizeof(dst) case ConcatFnKind::strlcat:
// For strncpy and strlcat, this is just checking
// that lenVal <= sizeof(dst).
// (Yes, strncpy and strncat differ in how they treat termination. // (Yes, strncpy and strncat differ in how they treat termination.
// strncat ALWAYS terminates, but strncpy doesn't.) // strncat ALWAYS terminates, but strncpy doesn't.)
// We need a special case for when the copy size is zero, in which // We need a special case for when the copy size is zero, in which
// case strncpy will do no work at all. Our bounds check uses n-1 // case strncpy will do no work at all. Our bounds check uses n-1
// as the last element accessed, so n == 0 is problematic. // as the last element accessed, so n == 0 is problematic.
ProgramStateRef StateZeroSize, StateNonZeroSize; ProgramStateRef StateZeroSize, StateNonZeroSize;
std::tie(StateZeroSize, StateNonZeroSize) = std::tie(StateZeroSize, StateNonZeroSize) =
assumeZero(C, state, *lenValNL, sizeTy); assumeZero(C, state, *lenValNL, sizeTy);
// If the size is known to be zero, we're done. // If the size is known to be zero, we're done.
if (StateZeroSize && !StateNonZeroSize) { if (StateZeroSize && !StateNonZeroSize) {
if (returnPtr) { if (returnPtr) {
StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal); StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
} else { } else {
StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, *lenValNL); if (appendK == ConcatFnKind::none) {
// strlcpy returns strlen(src)
StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, *strLengthNL);
} else if (dstStrLengthNL) {
// strlcat returns strlen(src) + strlen(dst)
SVal retSize = svalBuilder.evalBinOpNN(
state, BO_Add, *strLengthNL, *dstStrLengthNL, sizeTy);
NoQUnsubmitted
Not Done
ReplyInline Actions

rGf450dd63a14d

Please use the normal evalBinOp without suffixes, it just works!

NoQ: rGf450dd63a14d Please use the normal `evalBinOp` without suffixes, it just works!
StateZeroSize =
StateZeroSize->BindExpr(CE, LCtx, *(retSize.getAs<NonLoc>()));
}
} }
C.addTransition(StateZeroSize); C.addTransition(StateZeroSize);
return; return;
} }
// Otherwise, go ahead and figure out the last element we'll touch. // Otherwise, go ahead and figure out the last element we'll touch.
// We don't record the non-zero assumption here because we can't // We don't record the non-zero assumption here because we can't
// be sure. We won't warn on a possible zero. // be sure. We won't warn on a possible zero.
NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>(); NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, maxLastElementIndex =
one, sizeTy); svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, one, sizeTy);
boundWarning = "Size argument is greater than the length of the " boundWarning = "Size argument is greater than the length of the "
"destination buffer"; "destination buffer";
break;
} }
} }
// If we couldn't pin down the copy length, at least bound it.
// FIXME: We should actually run this code path for append as well, but
// right now it creates problems with constraints (since we can end up
// trying to pass constraints from symbol to symbol).
if (amountCopied.isUnknown() && !isAppending) {
// Try to get a "hypothetical" string length symbol, which we can later
// set as a real value if that turns out to be the case.
amountCopied = getCStringLength(C, state, lenExpr, srcVal, true);
assert(!amountCopied.isUndef());
if (Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>()) {
if (lenValNL) {
// amountCopied <= lenVal
SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE,
*amountCopiedNL,
*lenValNL,
cmpTy);
state = state->assume(
copiedLessThanBound.castAs<DefinedOrUnknownSVal>(), true);
if (!state)
return;
}
if (strLengthNL) {
// amountCopied <= strlen(source)
SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE,
*amountCopiedNL,
*strLengthNL,
cmpTy);
state = state->assume(
copiedLessThanSrc.castAs<DefinedOrUnknownSVal>(), true);
if (!state)
return;
}
}
}
} else { } else {
// The function isn't bounded. The amount copied should match the length // The function isn't bounded. The amount copied should match the length
// of the source buffer. // of the source buffer.
amountCopied = strLength; amountCopied = strLength;
} }
assert(state); assert(state);
// This represents the number of characters copied into the destination // This represents the number of characters copied into the destination
// buffer. (It may not actually be the strlen if the destination buffer // buffer. (It may not actually be the strlen if the destination buffer
// is not terminated.) // is not terminated.)
SVal finalStrLength = UnknownVal(); SVal finalStrLength = UnknownVal();
SVal strlRetVal = UnknownVal();
if (appendK == ConcatFnKind::none && !returnPtr) {
// strlcpy returns the sizeof(src)
strlRetVal = strLength;
}
// If this is an appending function (strcat, strncat...) then set the // If this is an appending function (strcat, strncat...) then set the
// string length to strlen(src) + strlen(dst) since the buffer will // string length to strlen(src) + strlen(dst) since the buffer will
// ultimately contain both. // ultimately contain both.
if (isAppending) { if (appendK != ConcatFnKind::none) {
// Get the string length of the destination. If the destination is memory // Get the string length of the destination. If the destination is memory
// that can't have a string length, we shouldn't be copying into it anyway. // that can't have a string length, we shouldn't be copying into it anyway.
SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
if (dstStrLength.isUndef()) if (dstStrLength.isUndef())
return; return;
Optional<NonLoc> srcStrLengthNL = amountCopied.getAs<NonLoc>(); if (appendK == ConcatFnKind::strlcat && dstStrLengthNL && strLengthNL) {
Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>(); strlRetVal = svalBuilder.evalBinOpNN(state, BO_Add, *strLengthNL,
*dstStrLengthNL, sizeTy);
}
Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>();
// If we know both string lengths, we might know the final string length. // If we know both string lengths, we might know the final string length.
if (srcStrLengthNL && dstStrLengthNL) { if (amountCopiedNL && dstStrLengthNL) {
// Make sure the two lengths together don't overflow a size_t. // Make sure the two lengths together don't overflow a size_t.
state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL); state = checkAdditionOverflow(C, state, *amountCopiedNL, *dstStrLengthNL);
if (!state) if (!state)
return; return;
finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL, finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *amountCopiedNL,
*dstStrLengthNL, sizeTy); *dstStrLengthNL, sizeTy);
} }
// If we couldn't get a single value for the final string length, // If we couldn't get a single value for the final string length,
// we can at least bound it by the individual lengths. // we can at least bound it by the individual lengths.
if (finalStrLength.isUnknown()) { if (finalStrLength.isUnknown()) {
// Try to get a "hypothetical" string length symbol, which we can later // Try to get a "hypothetical" string length symbol, which we can later
// set as a real value if that turns out to be the case. // set as a real value if that turns out to be the case.
finalStrLength = getCStringLength(C, state, CE, DstVal, true); finalStrLength = getCStringLength(C, state, CE, DstVal, true);
assert(!finalStrLength.isUndef()); assert(!finalStrLength.isUndef());
if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) { if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
if (srcStrLengthNL) { if (amountCopiedNL && appendK == ConcatFnKind::none) {
// we overwrite dst string with the src
// finalStrLength >= srcStrLength // finalStrLength >= srcStrLength
SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE, SVal sourceInResult = svalBuilder.evalBinOpNN(
*finalStrLengthNL, state, BO_GE, *finalStrLengthNL, *amountCopiedNL, cmpTy);
*srcStrLengthNL,
cmpTy);
state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(), state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
true); true);
if (!state) if (!state)
return; return;
} }
if (dstStrLengthNL) { if (dstStrLengthNL && appendK != ConcatFnKind::none) {
// we extend the dst string with the src
// finalStrLength >= dstStrLength // finalStrLength >= dstStrLength
SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE, SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
*finalStrLengthNL, *finalStrLengthNL,
*dstStrLengthNL, *dstStrLengthNL,
cmpTy); cmpTy);
state = state =
state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true); state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
if (!state) if (!state)
return; return;
} }
} }
} }
} else { } else {
// Otherwise, this is a copy-over function (strcpy, strncpy, ...), and // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
// the final string length will match the input string length. // the final string length will match the input string length.
finalStrLength = amountCopied; finalStrLength = amountCopied;
} }
SVal Result; SVal Result;
if (returnPtr) { if (returnPtr) {
// The final result of the function will either be a pointer past the last // The final result of the function will either be a pointer past the last
// copied element, or a pointer to the start of the destination buffer. // copied element, or a pointer to the start of the destination buffer.
Result = (returnEnd ? UnknownVal() : DstVal); Result = (ReturnEnd ? UnknownVal() : DstVal);
} else { } else {
if (appendK == ConcatFnKind::strlcat || appendK == ConcatFnKind::none)
//strlcpy, strlcat
Result = strlRetVal;
else
Result = finalStrLength; Result = finalStrLength;
} }
assert(state); assert(state);
// If the destination is a MemRegion, try to check for a buffer overflow and // If the destination is a MemRegion, try to check for a buffer overflow and
// record the new string length. // record the new string length.
if (Optional<loc::MemRegionVal> dstRegVal = if (Optional<loc::MemRegionVal> dstRegVal =
DstVal.getAs<loc::MemRegionVal>()) { DstVal.getAs<loc::MemRegionVal>()) {
Show All 22 Lines if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
const char * const warningMsg = const char * const warningMsg =
"String copy function overflows destination buffer"; "String copy function overflows destination buffer";
state = CheckLocation(C, state, Dst, lastElement, warningMsg); state = CheckLocation(C, state, Dst, lastElement, warningMsg);
if (!state) if (!state)
return; return;
} }
// If this is a stpcpy-style copy, the last element is the return value. // If this is a stpcpy-style copy, the last element is the return value.
if (returnPtr && returnEnd) if (returnPtr && ReturnEnd)
Result = lastElement; Result = lastElement;
} }
// Invalidate the destination (regular invalidation without pointer-escaping // Invalidate the destination (regular invalidation without pointer-escaping
// the address of the top-level region). This must happen before we set the // the address of the top-level region). This must happen before we set the
// C string length because invalidation will clear the length. // C string length because invalidation will clear the length.
// FIXME: Even if we can't perfectly model the copy, we should see if we // FIXME: Even if we can't perfectly model the copy, we should see if we
// can use LazyCompoundVals to copy the source values into the destination. // can use LazyCompoundVals to copy the source values into the destination.
// This would probably remove any existing bindings past the end of the // This would probably remove any existing bindings past the end of the
// string, but that's still an improvement over blank invalidation. // string, but that's still an improvement over blank invalidation.
state = InvalidateBuffer(C, state, Dst, *dstRegVal, state = InvalidateBuffer(C, state, Dst, *dstRegVal,
/*IsSourceBuffer*/false, nullptr); /*IsSourceBuffer*/false, nullptr);
// Invalidate the source (const-invalidation without const-pointer-escaping // Invalidate the source (const-invalidation without const-pointer-escaping
// the address of the top-level region). // the address of the top-level region).
state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true, state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
nullptr); nullptr);
// Set the C string length of the destination, if we know it. // Set the C string length of the destination, if we know it.
if (isBounded && !isAppending) { if (IsBounded && (appendK == ConcatFnKind::none)) {
// strncpy is annoying in that it doesn't guarantee to null-terminate // strncpy is annoying in that it doesn't guarantee to null-terminate
// the result string. If the original string didn't fit entirely inside // the result string. If the original string didn't fit entirely inside
// the bound (including the null-terminator), we don't know how long the // the bound (including the null-terminator), we don't know how long the
// result is. // result is.
if (amountCopied != strLength) if (amountCopied != strLength)
finalStrLength = UnknownVal(); finalStrLength = UnknownVal();
} }
state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength); state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
} }
assert(state); assert(state);
if (returnPtr) { if (returnPtr) {
// If this is a stpcpy-style copy, but we were unable to check for a buffer // If this is a stpcpy-style copy, but we were unable to check for a buffer
// overflow, we still need a result. Conjure a return value. // overflow, we still need a result. Conjure a return value.
if (returnEnd && Result.isUnknown()) { if (ReturnEnd && Result.isUnknown()) {
Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount()); Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
} }
} }
// Set the return value. // Set the return value.
state = state->BindExpr(CE, LCtx, Result); state = state->BindExpr(CE, LCtx, Result);
C.addTransition(state); C.addTransition(state);
} }
void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
//int strcmp(const char *s1, const char *s2); //int strcmp(const char *s1, const char *s2);
evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false); evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ false);
} }
void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
//int strncmp(const char *s1, const char *s2, size_t n); //int strncmp(const char *s1, const char *s2, size_t n);
evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false); evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ false);
} }
void CStringChecker::evalStrcasecmp(CheckerContext &C, void CStringChecker::evalStrcasecmp(CheckerContext &C,
const CallExpr *CE) const { const CallExpr *CE) const {
//int strcasecmp(const char *s1, const char *s2); //int strcasecmp(const char *s1, const char *s2);
evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true); evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ true);
} }
void CStringChecker::evalStrncasecmp(CheckerContext &C, void CStringChecker::evalStrncasecmp(CheckerContext &C,
const CallExpr *CE) const { const CallExpr *CE) const {
//int strncasecmp(const char *s1, const char *s2, size_t n); //int strncasecmp(const char *s1, const char *s2, size_t n);
evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true); evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ true);
} }
void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
bool isBounded, bool ignoreCase) const { bool IsBounded, bool IgnoreCase) const {
CurrentFunctionDescription = "string comparison function"; CurrentFunctionDescription = "string comparison function";
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
// Check that the first string is non-null // Check that the first string is non-null
const Expr *s1 = CE->getArg(0); const Expr *s1 = CE->getArg(0);
SVal s1Val = state->getSVal(s1, LCtx); SVal s1Val = state->getSVal(s1, LCtx);
state = checkNonNull(C, state, s1, s1Val, 1); state = checkNonNull(C, state, s1, s1Val, 1);
▲ Show 20 LinesShow All 53 Lines▼ Show 20 Linesvoid CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
bool canComputeResult = false; bool canComputeResult = false;
SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
C.blockCount()); C.blockCount());
if (s1StrLiteral && s2StrLiteral) { if (s1StrLiteral && s2StrLiteral) {
StringRef s1StrRef = s1StrLiteral->getString(); StringRef s1StrRef = s1StrLiteral->getString();
StringRef s2StrRef = s2StrLiteral->getString(); StringRef s2StrRef = s2StrLiteral->getString();
if (isBounded) { if (IsBounded) {
// Get the max number of characters to compare. // Get the max number of characters to compare.
const Expr *lenExpr = CE->getArg(2); const Expr *lenExpr = CE->getArg(2);
SVal lenVal = state->getSVal(lenExpr, LCtx); SVal lenVal = state->getSVal(lenExpr, LCtx);
// If the length is known, we can get the right substrings. // If the length is known, we can get the right substrings.
if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) { if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
// Create substrings of each to compare the prefix. // Create substrings of each to compare the prefix.
s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue()); s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
Show All 11 Lines if (canComputeResult) {
if (s1Term != StringRef::npos) if (s1Term != StringRef::npos)
s1StrRef = s1StrRef.substr(0, s1Term); s1StrRef = s1StrRef.substr(0, s1Term);
size_t s2Term = s2StrRef.find('\0'); size_t s2Term = s2StrRef.find('\0');
if (s2Term != StringRef::npos) if (s2Term != StringRef::npos)
s2StrRef = s2StrRef.substr(0, s2Term); s2StrRef = s2StrRef.substr(0, s2Term);
// Use StringRef's comparison methods to compute the actual result. // Use StringRef's comparison methods to compute the actual result.
int compareRes = ignoreCase ? s1StrRef.compare_lower(s2StrRef) int compareRes = IgnoreCase ? s1StrRef.compare_lower(s2StrRef)
: s1StrRef.compare(s2StrRef); : s1StrRef.compare(s2StrRef);
// The strcmp function returns an integer greater than, equal to, or less // The strcmp function returns an integer greater than, equal to, or less
// than zero, [c11, p7.24.4.2]. // than zero, [c11, p7.24.4.2].
if (compareRes == 0) { if (compareRes == 0) {
resultVal = svalBuilder.makeIntVal(compareRes, CE->getType()); resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
} }
else { else {
▲ Show 20 LinesShow All 163 Lines▼ Show 20 Lines
void CStringChecker::evalBzero(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalBzero(CheckerContext &C, const CallExpr *CE) const {
CurrentFunctionDescription = "memory clearance function"; CurrentFunctionDescription = "memory clearance function";
const Expr *Mem = CE->getArg(0); const Expr *Mem = CE->getArg(0);
const Expr *Size = CE->getArg(1); const Expr *Size = CE->getArg(1);
SVal Zero = C.getSValBuilder().makeZeroVal(C.getASTContext().IntTy); SVal Zero = C.getSValBuilder().makeZeroVal(C.getASTContext().IntTy);
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// See if the size argument is zero. // See if the size argument is zero.
SVal SizeVal = C.getSVal(Size); SVal SizeVal = C.getSVal(Size);
QualType SizeTy = Size->getType(); QualType SizeTy = Size->getType();
ProgramStateRef StateZeroSize, StateNonZeroSize; ProgramStateRef StateZeroSize, StateNonZeroSize;
std::tie(StateZeroSize, StateNonZeroSize) = std::tie(StateZeroSize, StateNonZeroSize) =
assumeZero(C, State, SizeVal, SizeTy); assumeZero(C, State, SizeVal, SizeTy);
▲ Show 20 LinesShow All 229 LinesShow Last 20 Lines

clang/test/Analysis/bsd-string.c

// RUN: %clang_analyze_cc1 -verify %s \ // RUN: %clang_analyze_cc1 -verify %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=unix.cstring.NullArg \ // RUN: -analyzer-checker=unix.cstring.NullArg \
// RUN: -analyzer-checker=alpha.unix.cstring \ // RUN: -analyzer-checker=alpha.unix.cstring \
// RUN: -analyzer-checker=debug.ExprInspection // RUN: -analyzer-checker=debug.ExprInspection
#define NULL ((void *)0) #define NULL ((void *)0)
typedef __typeof(sizeof(int)) size_t; typedef __typeof(sizeof(int)) size_t;
size_t strlcpy(char *dst, const char *src, size_t n); size_t strlcpy(char *dst, const char *src, size_t n);
size_t strlcat(char *dst, const char *src, size_t n); size_t strlcat(char *dst, const char *src, size_t n);
size_t strlen(const char *s);
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
void f1() { void f1() {
char overlap[] = "123456789"; char overlap[] = "123456789";
strlcpy(overlap, overlap + 1, 3); // expected-warning{{Arguments must not be overlapping buffers}} strlcpy(overlap, overlap + 1, 3); // expected-warning{{Arguments must not be overlapping buffers}}
} }
void f2() { void f2() {
char buf[5]; char buf[5];
strlcpy(buf, "abcd", sizeof(buf)); // expected-no-warning size_t len;
// FIXME: This should not warn. The string is safely truncated. len = strlcpy(buf, "abcd", sizeof(buf)); // expected-no-warning
strlcat(buf, "efgh", sizeof(buf)); // expected-warning{{Size argument is greater than the free space in the destination buffer}} clang_analyzer_eval(len == 4); // expected-warning{{TRUE}}
len = strlcat(buf, "efgh", sizeof(buf)); // expected-no-warning
clang_analyzer_eval(len == 8); // expected-warning{{TRUE}}
} }
void f3() { void f3() {
char dst[2]; char dst[2];
const char *src = "abdef"; const char *src = "abdef";
strlcpy(dst, src, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}} strlcpy(dst, src, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}}
} }
Show All 11 Linesvoid f6() {
size_t len = strlcat(buf, "defg", 4); size_t len = strlcat(buf, "defg", 4);
clang_analyzer_eval(len == 7); // expected-warning{{TRUE}} clang_analyzer_eval(len == 7); // expected-warning{{TRUE}}
} }
int f7() { int f7() {
char buf[8]; char buf[8];
return strlcpy(buf, "1234567", 0); // no-crash return strlcpy(buf, "1234567", 0); // no-crash
} }
void f8(){
char buf[5];
size_t len;
// basic strlcpy
len = strlcpy(buf,"123", sizeof(buf));
clang_analyzer_eval(len==3);// expected-warning{{TRUE}}
len = strlen(buf);
clang_analyzer_eval(len==3);// expected-warning{{TRUE}}
// testing bounded strlcat
len = strlcat(buf,"456", sizeof(buf));
clang_analyzer_eval(len==6);// expected-warning{{TRUE}}
len = strlen(buf);
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
// testing strlcat with size==0
len = strlcat(buf,"789", 0);
clang_analyzer_eval(len==7);// expected-warning{{TRUE}}
len = strlen(buf);
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
// testing strlcpy with size==0
len = strlcpy(buf,"123",0);
clang_analyzer_eval(len==3);// expected-warning{{TRUE}}
len = strlen(buf);
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
}
void f9(int unknown_size, char* unknown_src, char* unknown_dst){
char buf[8];
size_t len;
len = strlcpy(buf,"abba",sizeof(buf));
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
clang_analyzer_eval(strlen(buf)==4);// expected-warning{{TRUE}}
//size is unknown
len = strlcat(buf,"cd", unknown_size);
clang_analyzer_eval(len==6);// expected-warning{{TRUE}}
clang_analyzer_eval(strlen(buf)>=4);// expected-warning{{TRUE}}
//dst is unknown
len = strlcpy(unknown_dst,"abbc",unknown_size);
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
clang_analyzer_eval(strlen(unknown_dst));// expected-warning{{UNKNOWN}}
//src is unknown
len = strlcpy(buf,unknown_src, sizeof(buf));
clang_analyzer_eval(len);// expected-warning{{UNKNOWN}}
clang_analyzer_eval(strlen(buf));// expected-warning{{UNKNOWN}}
//src, dst is unknown
len = strlcpy(unknown_dst, unknown_src, unknown_size);
clang_analyzer_eval(len);// expected-warning{{UNKNOWN}}
clang_analyzer_eval(strlen(unknown_dst));// expected-warning{{UNKNOWN}}
//size is unknown
len = strlcat(buf+2,unknown_src+1, sizeof(buf));// expected-warning{{Size argument is greater than the length of the destination buffer}};
}
void f10(){
char buf[8];
size_t len;
len = strlcpy(buf,"abba",sizeof(buf));
clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
strlcat(buf, "efghi",9);// expected-warning{{Size argument is greater than the length of the destination buffer}}
}
void f11() {
//test for Bug 41729
char a[256], b[256];
strlcpy(a, "world", sizeof(a));
strlcpy(b, "hello ", sizeof(b));
strlcat(b, a, sizeof(b)); // no-warning
}