This is an archive of the discontinued LLVM Phabricator instance.

Differential D71033

[analyzer] CERT STR rule checkers: STR32-C
Needs RevisionPublic

Authored by Charusso on Dec 4 2019, 2:20 PM.

Details

Reviewers
NoQ
baloghadamsoftware
Summary

This patch introduces a new experimental checker:
alpha.security.cert.str.32c

This checker is implemented based on the following rule:
https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string

It warns on reading non-null-terminated strings. This warning is restricted to
the allocations which the Static Analyzer models with unix.Malloc checker.

Also warns on misusing the strncpy() function.

Diff Detail

Event Timeline

Charusso created this revision.Dec 4 2019, 2:20 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptDec 4 2019, 2:20 PM
Charusso marked an inline comment as done.Dec 4 2019, 2:25 PM
Charusso added inline comments.
clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
430

This is a huge assumption to make this checker as simple as possible. On each allocation I would store the memory regions which the size expression consists of. When we encounter a memory/string handler function call which has a size-expression parameter we could match whether the allocation considered the length of the string it will store.

May we will have a better idea, so I would leave that as it is, for now.

Charusso added a parent revision: D70805: [analyzer] SValHasDescendant: Determine whether the SVal has an SVal descendant.Dec 4 2019, 2:26 PM
Charusso added a comment.Dec 4 2019, 2:32 PM

Examples generated by CodeChecker from the curl project:

str32-c.tar.gz1 MBDownload

Charusso updated this revision to Diff 232672.EditedDec 6 2019, 4:19 PM
Charusso edited the summary of this revision. (Show Details)
  • Add docs.
  • Move to alpha.
Charusso added a child revision: D71155: [analyzer] CERT STR rule checkers: STR30-C.Dec 6 2019, 4:24 PM
Charusso updated this revision to Diff 233904.EditedDec 13 2019, 6:47 PM
Charusso retitled this revision from [analyzer] CERT: StrChecker: 32.c to [analyzer] CERT: STR32-C.
  • Add notes to the initialization of char-arrays.
  • Mark the string null-terminated calling strcpy() with an appropriate size.
Charusso added a comment.Dec 13 2019, 6:51 PM

We need to add the interestingness to the NoteTags so that we only emit notes on initialization/function calls which leads to an error.

Charusso marked an inline comment as done.Dec 13 2019, 6:52 PM
Charusso added inline comments.
clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
479

-1 line

Charusso updated this revision to Diff 241761.Jan 31 2020, 9:58 AM
  • Rebase.
Charusso edited the summary of this revision. (Show Details)Jan 31 2020, 9:58 AM
Charusso mentioned this in D70411: [analyzer] CERT STR rule checkers: STR31-C.Mar 25 2020, 12:35 PM
Charusso updated this revision to Diff 265962.May 24 2020, 9:23 PM
Charusso retitled this revision from [analyzer] CERT: STR32-C to [analyzer] CERT STR rule checkers: STR32-C.
  • Refactor.
  • State out explicitly whether the Analyzer models the dynamic size.
Herald added subscribers: ASDenysPetrov, martong, steakhal. · View Herald TranscriptMay 24 2020, 9:23 PM
Charusso edited parent revisions, added: D70411: [analyzer] CERT STR rule checkers: STR31-C; removed: D70805: [analyzer] SValHasDescendant: Determine whether the SVal has an SVal descendant.May 24 2020, 9:26 PM
baloghadamsoftware requested changes to this revision.Jun 29 2020, 9:15 AM
baloghadamsoftware added inline comments.
clang/docs/analyzer/checkers.rst
1926

Why? Is retrieving the size of arrays is so much more difficult? We miss the first example of the rule this way.

clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
179

Why do we need this? The constructor of PathSensitiveBugReport takes a StringRef. Msg.str() returns a StringRef. Your solution creates a C++ string first, which means an unnecessary copy.

322

Do we really need to handle indirect pointers here? I means e.g. char ***?

331

What does it mean that the memory allocation could overflow?

334

Why checking PostCall and not PreCall? Usually PostCall is used for modeling and PreCall for checking because for modeling we need the call already evaluated (e.g. we need the return value) but checking should happen before starting the evaluation of the call.

346

Do we chack any call here passing non-null terminated strings? I disagree with that appraocah because there may be functions expecting e.g. binary data. It seems that we are not even checking the type so we could get false positives here for any mem...() function.

clang/test/Analysis/cert/str32-c.cpp
11

Please move this to the system header simulator instead of repeating it in every test file.

14

Why enum?

This revision now requires changes to proceed.Jun 29 2020, 9:15 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptJun 29 2020, 9:15 AM
whisperity added a subscriber: whisperity.Jul 9 2020, 1:01 AM

Revision Contents

PathSize
clang/
docs/
analyzer/
12 lines
include/
clang/
StaticAnalyzer/
Checkers/
5 lines
Core/
PathSensitive/
8 lines
lib/
StaticAnalyzer/
Checkers/
cert/
234 lines
Core/
13 lines
test/
Analysis/
Inputs/
21 lines
cert/
3 lines
3 lines
64 lines
88 lines
15 lines

Diff 233904

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 1,909 Lines▼ Show 20 Lines
alpha.security.cert.str.31c alpha.security.cert.str.31c
""""""""""""""""""""""""""" """""""""""""""""""""""""""
SEI CERT checker of `STR31-C rule<https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator>`_. SEI CERT checker of `STR31-C rule<https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator>`_.
It warns on misusing the following functions: It warns on misusing the following functions:
``strcpy()``, ``gets()``, ``fscanf()``, ``sprintf()``. ``strcpy()``, ``gets()``, ``fscanf()``, ``sprintf()``.
.. _alpha-security-cert-str-32c:
alpha.security.cert.str.32c
"""""""""""""""""""""""""""
SEI CERT checker of `STR32-C rule<https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string>`_.
It warns on reading non-null-terminated strings. This warning is restricted to
the allocations which the Static Analyzer models with :ref:`unix.Malloc<unix-Malloc>`_.
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Why? Is retrieving the size of arrays is so much more difficult? We miss the first example of the rule this way.

baloghadamsoftware: Why? Is retrieving the size of arrays is so much more difficult? We miss the first example of…
Also warns on misusing the ``strncpy()`` function.
.. _alpha-security-ArrayBound: .. _alpha-security-ArrayBound:
alpha.security.ArrayBound (C) alpha.security.ArrayBound (C)
""""""""""""""""""""""""""""" """""""""""""""""""""""""""""
Warn about buffer overflows (older checker). Warn about buffer overflows (older checker).
.. code-block:: c .. code-block:: c
▲ Show 20 LinesShow All 450 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 806 Lines▼ Show 20 Linesdef StrCheckerBase : Checker<"StrCheckerBase">,
Documentation<HasDocumentation>, Documentation<HasDocumentation>,
Hidden; Hidden;
def Str31cChecker : Checker<"31c">, def Str31cChecker : Checker<"31c">,
HelpText<"SEI CERT checker of rules defined in STR31-C">, HelpText<"SEI CERT checker of rules defined in STR31-C">,
Dependencies<[StrCheckerBase]>, Dependencies<[StrCheckerBase]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def Str32cChecker : Checker<"32c">,
HelpText<"SEI CERT checker of rules defined in STR32-C">,
Dependencies<[StrCheckerBase]>,
Documentation<HasDocumentation>;
} // end "alpha.cert.str" } // end "alpha.cert.str"
let ParentPackage = SecurityAlpha in { let ParentPackage = SecurityAlpha in {
def ArrayBoundChecker : Checker<"ArrayBound">, def ArrayBoundChecker : Checker<"ArrayBound">,
HelpText<"Warn about buffer overflows (older checker)">, HelpText<"Warn about buffer overflows (older checker)">,
Documentation<HasAlphaDocumentation>; Documentation<HasAlphaDocumentation>;
▲ Show 20 LinesShow All 616 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h

//===- DynamicSize.h - Dynamic size related APIs ----------------*- C++ -*-===// //===- DynamicSize.h - Dynamic size related APIs ----------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines APIs that track and query dynamic size information. // This file defines APIs that track and query dynamic size information.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H #ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H #define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_DYNAMICSIZE_H
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSizeInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
#include "llvm/ADT/Optional.h"
namespace clang { namespace clang {
namespace ento { namespace ento {
/// \returns The stored dynamic size for the region \p MR. /// \returns The stored dynamic size for the region \p MR.
DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR,
SValBuilder &SVB); SValBuilder &SVB);
/// \returns The stored dynamic size information or the array's static size
/// information for the region \p MR.
Optional<DynamicSizeInfo> getDynamicSizeInfo(ProgramStateRef State,
const MemRegion *MR,
SValBuilder &SVB);
/// \returns The stored dynamic size expression for the region \p MR. /// \returns The stored dynamic size expression for the region \p MR.
const Expr *getDynamicSizeExpr(ProgramStateRef State, const MemRegion *MR); const Expr *getDynamicSizeExpr(ProgramStateRef State, const MemRegion *MR);
/// \returns The stored element count of the region \p MR. /// \returns The stored element count of the region \p MR.
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State,
const MemRegion *MR, const MemRegion *MR,
SValBuilder &SVB, SValBuilder &SVB,
QualType ElementTy); QualType ElementTy);
Show All 10 Lines

clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp

Show All 9 Lines
// handler function issues. // handler function issues.
// The rules can be found in section 'Rule 07. Characters and Strings (STR)': // The rules can be found in section 'Rule 07. Characters and Strings (STR)':
// https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152038 // https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152038
// //
// This checker is a base checker which consist of the following checkers: // This checker is a base checker which consist of the following checkers:
// - '31c' // - '31c'
// https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator // https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator
// //
// - '32c'
// https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string
//
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "AllocationState.h" #include "AllocationState.h"
#include "clang/ASTMatchers/ASTMatchFinder.h" #include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Lex/Lexer.h" #include "clang/Lex/Lexer.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValHasDescendant.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SValHasDescendant.h"
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include <utility> #include <utility>
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace ast_matchers; using namespace ast_matchers;
namespace { namespace {
struct CallContext { struct CallContext {
CallContext(Optional<unsigned> DestinationPos, CallContext(Optional<unsigned> DestinationPos,
Optional<unsigned> SourcePos = None) Optional<unsigned> SourcePos = None,
: DestinationPos(DestinationPos), SourcePos(SourcePos) {} Optional<unsigned> LengthPos = None)
: DestinationPos(DestinationPos), SourcePos(SourcePos),
LengthPos(LengthPos) {}
Optional<unsigned> DestinationPos; Optional<unsigned> DestinationPos;
Optional<unsigned> SourcePos; Optional<unsigned> SourcePos;
Optional<unsigned> LengthPos;
}; };
class StrCheckerBase : public Checker<check::PostCall, check::Bind> { class StrCheckerBase
: public Checker<check::PostCall, check::Bind, check::PostStmt<DeclStmt>> {
using StrCheck = std::function<void(const StrCheckerBase *, const CallEvent &, using StrCheck = std::function<void(const StrCheckerBase *, const CallEvent &,
const CallContext &, CheckerContext &)>; const CallContext &, CheckerContext &)>;
public: public:
// We report a note when any of the calls in 'CDM' is being used because // We report a note when any of the calls in 'CDM' is being used because
// they can cause a not null-terminated string. In this case we store the // they can cause a not null-terminated string. In this case we store the
// string is being not null-terminated in the 'NullTerminationMap'. // string is being not null-terminated in the 'NullTerminationMap'.
// //
// We report an error when the not null-terminated string is passed to a // We report an error when the not null-terminated string is passed to a
// function call. Assume that the non-'CDM' calls could read the string. // function call. Assume that the non-'CDM' calls could read the string.
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
// We want to catch the hand-written null-termination of strings to prevent // We want to catch the hand-written null-termination of strings to prevent
// false positives. For example: 'c_string[length] = '\0';'. In this case we // false positives. For example: 'c_string[length] = '\0';'. In this case we
// store the string is being null-terminated in the 'NullTerminationMap'. // store the string is being null-terminated in the 'NullTerminationMap'.
void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const; void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
void checkPostStmt(const DeclStmt *S, CheckerContext &C) const;
void checkGets(const CallEvent &Call, const CallContext &CallC, void checkGets(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkSprintf(const CallEvent &Call, const CallContext &CallC, void checkSprintf(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkFscanf(const CallEvent &Call, const CallContext &CallC, void checkFscanf(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkStrcpy(const CallEvent &Call, const CallContext &CallC, void checkStrcpy(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkStrncpy(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const;
void createOverflowReport(const CallEvent &Call, const CallContext &CallC, void createOverflowReport(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
std::unique_ptr<BugType> BT; std::unique_ptr<BugType> BT;
bool WarnOnCall; bool WarnOnCall;
bool EnableStr31cChecker = false;
bool EnableStr31cChecker = false, EnableStr32cChecker = false;
private: private:
const CallDescriptionMap<std::pair<StrCheck, CallContext>> CDM = { const CallDescriptionMap<std::pair<StrCheck, CallContext>> CDM = {
// The following checks STR31-C rules. // The following checks STR31-C rules.
// char *gets(char *dest); // char *gets(char *dest);
{{"gets", 1}, {&StrCheckerBase::checkGets, {0}}}, {{"gets", 1}, {&StrCheckerBase::checkGets, {0}}},
// int sprintf(char *dest, const char *format, ... [const char *source]); // int sprintf(char *dest, const char *format, ... [const char *source]);
{{"sprintf", 3, 2}, {&StrCheckerBase::checkSprintf, {0}}}, {{"sprintf", 3, 2}, {&StrCheckerBase::checkSprintf, {0}}},
// int fscanf(FILE *stream, const char *format, ... [char *dest]); // int fscanf(FILE *stream, const char *format, ... [char *dest]);
{{"fscanf", 3, 2}, {&StrCheckerBase::checkFscanf, {2}}}, {{"fscanf", 3, 2}, {&StrCheckerBase::checkFscanf, {2}}},
// char *strcpy(char *dest, const char *src); // char *strcpy(char *dest, const char *src);
{{"strcpy", 2}, {&StrCheckerBase::checkStrcpy, {0, 1}}}}; {{"strcpy", 2}, {&StrCheckerBase::checkStrcpy, {0, 1}}},
// The following checks STR32-C rules.
// char *strncpy(char *dest, const char *src, size_t count)
{{"strncpy", 3}, {&StrCheckerBase::checkStrncpy, {0, 1, 2}}}};
}; };
} // namespace } // namespace
// It stores whether the string is null-terminated. // It stores whether the string is null-terminated.
REGISTER_MAP_WITH_PROGRAMSTATE(NullTerminationMap, const MemRegion *, bool) REGISTER_MAP_WITH_PROGRAMSTATE(NullTerminationMap, const MemRegion *, bool)
// It stores the allocations which we emit notes on.
REGISTER_LIST_WITH_PROGRAMSTATE(AllocationList, const MemRegion *)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Helper functions. // Helper functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Returns a string representation of \p E. // Returns a string representation of \p E.
static std::string exprToStr(const Expr *E, CheckerContext &C) { static std::string exprToStr(const Expr *E, CheckerContext &C) {
assert(E); assert(E);
Show All 38 Linesvoid StrCheckerBase::createOverflowReport(const CallEvent &Call,
SVal DestV = Call.getArgSVal(DestPos); SVal DestV = Call.getArgSVal(DestPos);
const MemRegion *MR = getRegion(DestV); const MemRegion *MR = getRegion(DestV);
if (!MR) if (!MR)
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
std::string CallName = Call.getCalleeIdentifier()->getName(); std::string CallName = Call.getCalleeIdentifier()->getName();
Optional<std::string> ArrayName = getName(Call.getArgExpr(DestPos), C); std::string ArrayName = "the array";
if (Optional<std::string> TmpArrayName = getName(Call.getArgExpr(DestPos), C))
ArrayName = *TmpArrayName;
SmallString<128> Msg; SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg); llvm::raw_svector_ostream Out(Msg);
Out << '\'' << CallName << "' could write outside of " Out << '\'' << CallName << "' could write outside of " << ArrayName;
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Why do we need this? The constructor of PathSensitiveBugReport takes a StringRef. Msg.str() returns a StringRef. Your solution creates a C++ string first, which means an unnecessary copy.

baloghadamsoftware: Why do we need this? The constructor of `PathSensitiveBugReport` takes a `StringRef`. `Msg.str…
<< (ArrayName ? *ArrayName : "the array");
std::string ReportMsg = Out.str(); std::string ReportMsg = Out.str();
if (WarnOnCall) { if (WarnOnCall && !EnableStr32cChecker) {
const Expr *Arg = Call.getArgExpr(DestPos); const Expr *Arg = Call.getArgExpr(DestPos);
auto Report = std::make_unique<PathSensitiveBugReport>( auto Report = std::make_unique<PathSensitiveBugReport>(
*BT, ReportMsg, C.generateErrorNode()); *BT, ReportMsg, C.generateErrorNode());
Report->addRange(Arg->getSourceRange()); Report->addRange(Arg->getSourceRange());
// Track the allocation. // Track the allocation.
const auto *VR = MR->getAs<VarRegion>(); const auto *VR = MR->getAs<VarRegion>();
Show All 10 Linesvoid StrCheckerBase::createOverflowReport(const CallEvent &Call,
const NoteTag *Tag = C.getNoteTag([=]() -> std::string { return ReportMsg; }, const NoteTag *Tag = C.getNoteTag([=]() -> std::string { return ReportMsg; },
/*IsPrunable=*/false); /*IsPrunable=*/false);
// Mark the string could be not null-terminated. // Mark the string could be not null-terminated.
State = State->set<NullTerminationMap>(MR, false); State = State->set<NullTerminationMap>(MR, false);
C.addTransition(State, Tag); C.addTransition(State, Tag);
} }
void createWrongSizeReport(const MemRegion *MR, Optional<std::string> ArrayName,
bool IsAlloc, ProgramStateRef State,
CheckerContext &C) {
const NoteTag *Tag = C.getNoteTag(
[=]() -> std::string {
SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg);
Out << (ArrayName ? ('\'' + *ArrayName + '\'') : "The array") << " is "
<< (IsAlloc ? "allocated" : "initialized")
<< " without considering the length of the string it "
"will store, therefore it could overflow";
return Out.str();
},
/*IsPrunable=*/false);
// Mark the string could be not null-terminated.
State = State->set<NullTerminationMap>(MR, false);
State = State->add<AllocationList>(MR);
C.addTransition(State, C.getPredecessor(), Tag);
}
static bool isWrongAllocation(SVal DestV, SVal SrcV, CheckerContext &C) {
ProgramStateRef State = C.getState();
SValBuilder &SVB = C.getSValBuilder();
// Check the size of the allocation to prevent false alarms.
const MemRegion *SrcMR = getRegion(SrcV);
const MemRegion *DestMR = getRegion(DestV);
if (!SrcMR || !DestMR)
return false;
DefinedOrUnknownSVal SrcSize = getDynamicSize(State, SrcMR, SVB);
DefinedOrUnknownSVal DestSize = getDynamicSize(State, DestMR, SVB);
// 'strlen(src) + integer' is most likely fine.
// FIXME: We cannot catch every '+ integer' part at the moment so we do not
// check that property for now.
SValHasDescendant HasDescendantSrc(SrcMR);
if (HasDescendantSrc.Visit(DestSize))
return false;
if (const MemRegion *DestSizeR = DestSize.getAsRegion())
if (DestSizeR == SrcMR)
return false;
// 'StringRegion' returns the size with the null-terminator.
if (const llvm::APSInt *SrcSizeInt = SVB.getKnownValue(State, SrcSize))
if (const llvm::APSInt *DestSizeInt = SVB.getKnownValue(State, DestSize))
if (SrcSizeInt->getZExtValue() <= DestSizeInt->getZExtValue())
return false;
return true;
}
static bool isWrongAllocation(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) {
SVal DestV = Call.getArgSVal(*CallC.DestinationPos);
SVal SrcV = Call.getArgSVal(*CallC.SourcePos);
return isWrongAllocation(DestV, SrcV, C);
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Evaluating problematic function calls. // Evaluating problematic function calls.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void StrCheckerBase::checkGets(const CallEvent &Call, const CallContext &CallC, void StrCheckerBase::checkGets(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const { CheckerContext &C) const {
if (EnableStr31cChecker) if (EnableStr31cChecker)
createOverflowReport(Call, CallC, C); createOverflowReport(Call, CallC, C);
Show All 25 Lines
} }
void StrCheckerBase::checkStrcpy(const CallEvent &Call, void StrCheckerBase::checkStrcpy(const CallEvent &Call,
const CallContext &CallC, const CallContext &CallC,
CheckerContext &C) const { CheckerContext &C) const {
if (!EnableStr31cChecker) if (!EnableStr31cChecker)
return; return;
if (isWrongAllocation(Call, CallC, C)) {
createOverflowReport(Call, CallC, C);
} else {
// Mark the string null-terminated.
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
SValBuilder &SVB = C.getSValBuilder(); State = State->set<NullTerminationMap>(
SVal SrcV = Call.getArgSVal(*CallC.SourcePos); getRegion(Call.getArgSVal(*CallC.DestinationPos)), true);
SVal DestV = Call.getArgSVal(*CallC.DestinationPos); C.addTransition(State);
}
// Check the size of the allocation to prevent false alarms. }
const MemRegion *SrcMR = getRegion(SrcV);
const MemRegion *DestMR = getRegion(DestV);
if (!SrcMR || !DestMR)
return;
DefinedOrUnknownSVal SrcSize = getDynamicSize(State, SrcMR, SVB);
DefinedOrUnknownSVal DestSize = getDynamicSize(State, DestMR, SVB);
// 'strlen(src) + integer' is most likely fine.
// FIXME: We cannot catch every '+ integer' part at the moment so we do not
// check that property for now.
SValHasDescendant HasDescendantSrc(SrcMR);
if (HasDescendantSrc.Visit(DestSize))
return;
// 'StringRegion' returns the size with the null-terminator.
if (const llvm::APSInt *SrcSizeInt = SVB.getKnownValue(State, SrcSize))
if (const llvm::APSInt *DestSizeInt = SVB.getKnownValue(State, DestSize))
if (SrcSizeInt->getZExtValue() <= DestSizeInt->getZExtValue())
return;
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Do we really need to handle indirect pointers here? I means e.g. char ***?

baloghadamsoftware: Do we really need to handle indirect pointers here? I means e.g. `char ***`?
void StrCheckerBase::checkStrncpy(const CallEvent &Call,
const CallContext &CallC,
CheckerContext &C) const {
if (EnableStr32cChecker)
createOverflowReport(Call, CallC, C); createOverflowReport(Call, CallC, C);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Main logic to check a call. // Main logic to check a call.
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

What does it mean that the memory allocation could overflow?

baloghadamsoftware: What does it mean that //the memory allocation could overflow//?
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void StrCheckerBase::checkPostCall(const CallEvent &Call, void StrCheckerBase::checkPostCall(const CallEvent &Call,
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Why checking PostCall and not PreCall? Usually PostCall is used for modeling and PreCall for checking because for modeling we need the call already evaluated (e.g. we need the return value) but checking should happen before starting the evaluation of the call.

baloghadamsoftware: Why checking `PostCall` and not `PreCall`? Usually `PostCall` is used for modeling and…
CheckerContext &C) const { CheckerContext &C) const {
if (const auto *Lookup = CDM.lookup(Call)) { if (const auto *Lookup = CDM.lookup(Call)) {
const StrCheck &Check = Lookup->first; const StrCheck &Check = Lookup->first;
Check(this, Call, Lookup->second, C); Check(this, Call, Lookup->second, C);
return; return;
} }
// If we do not model the call and the given passed parameter is a string // If we do not model the call and the given passed parameter is a string
// which is not null-terminated see if the string is read to emit a report. // which is not null-terminated see if the string is read to emit a report.
// We assume that the string is read when it is passed to a function call // We assume that the string is read when it is passed to a function call
// as const-qualified. // as const-qualified.
for (unsigned I = 0; I < Call.parameters().size(); ++I) { for (unsigned I = 0; I < Call.parameters().size(); ++I) {
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Do we chack any call here passing non-null terminated strings? I disagree with that appraocah because there may be functions expecting e.g. binary data. It seems that we are not even checking the type so we could get false positives here for any mem...() function.

baloghadamsoftware: Do we chack //any// call here passing non-null terminated strings? I disagree with that…
SVal V = Call.getArgSVal(I); SVal V = Call.getArgSVal(I);
const MemRegion *MR = getRegion(V); const MemRegion *MR = getRegion(V);
if (!MR) if (!MR)
continue; continue;
QualType ParamTy = Call.parameters()[I]->getType(); QualType ParamTy = Call.parameters()[I]->getType();
if (ParamTy->isPointerType()) if (ParamTy->isPointerType())
ParamTy = ParamTy->getPointeeType(); ParamTy = ParamTy->getPointeeType();
Show All 29 Lines for (unsigned I = 0; I < Call.parameters().size(); ++I) {
} else if (const SymbolRef Sym = Call.getArgSVal(I).getAsSymbol()) { } else if (const SymbolRef Sym = Call.getArgSVal(I).getAsSymbol()) {
Report->addVisitor(allocation_state::getMallocBRVisitor(Sym)); Report->addVisitor(allocation_state::getMallocBRVisitor(Sym));
} }
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
} }
} }
void StrCheckerBase::checkBind(SVal L, SVal V, const Stmt *S, static bool checkAllocation(SVal L, SVal V, const Stmt *S, CheckerContext &C,
CheckerContext &C) const { BugType &BT) {
const MemRegion *LocMR = getRegion(L);
const MemRegion *NonLocMR = getRegion(V);
if (!LocMR || !NonLocMR)
return false;
// A C-string is null-terminated.
if (isa<StringRegion>(NonLocMR))
return false;
// Only check for character allocations.
QualType Ty;
const auto *LocTVR = LocMR->getAs<TypedValueRegion>();
if (!LocTVR)
return false;
Ty = LocTVR->getValueType();
if (Ty.isNull())
return false;
if (Ty->isPointerType())
Ty = Ty->getPointeeType();
if (!Ty->isAnyCharacterType())
return false;
// See whether we have made a report so it prevent reports on rebindings.
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (State->get<AllocationList>().contains(NonLocMR))
return false;
// Check for a hand-written null-termination, e.g: 'c_string[length] = '\0';'. // Check for allocations we model.
const MemRegion *MR = getRegion(L); Optional<DynamicSizeInfo> SizeInfo =
if (!MR) getDynamicSizeInfo(State, NonLocMR, C.getSValBuilder());
if (!SizeInfo)
return false;
if (const auto *NonLocTVR = NonLocMR->getAs<TypedValueRegion>()) {
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

This is a huge assumption to make this checker as simple as possible. On each allocation I would store the memory regions which the size expression consists of. When we encounter a memory/string handler function call which has a size-expression parameter we could match whether the allocation considered the length of the string it will store.

May we will have a better idea, so I would leave that as it is, for now.

Charusso: This is a huge assumption to make this checker as simple as possible. On each allocation I…
QualType Ty = NonLocTVR->getLocationType();
if (Ty->isPointerType())
Ty = Ty->getPointeeType();
if (Ty->getAsArrayTypeUnsafe())
return false;
}
// 'strlen(something) + something' is most likely fine.
// FIXME: Use the 'SValVisitor' to catch every such constructs of the symbol.
if (const SymExpr *SizeSym = SizeInfo->getSize().getAsSymExpr())
for (const SymExpr *Sym : SizeSym->symbols())
if (const auto *SIE = dyn_cast<SymIntExpr>(Sym))
if (SIE->getOpcode() == BO_Add)
if (const auto *SM = dyn_cast<SymbolMetadata>(SIE->getLHS()))
return true;
Optional<std::string> ArrayName;
if (const auto *VR = LocMR->getAs<VarRegion>())
if (const VarDecl *VD = VR->getDecl())
ArrayName = VD->getNameAsString();
createWrongSizeReport(NonLocMR, ArrayName, /*IsAlloc=*/true, State, C);
return true;
}
void StrCheckerBase::checkBind(SVal L, SVal V, const Stmt *S,
CheckerContext &C) const {
if (EnableStr32cChecker)
if (checkAllocation(L, V, S, C, *BT))
return; return;
ProgramStateRef State = C.getState();
bool IsNullTermination = false; bool IsNullTermination = false;
if (const llvm::APInt *Int = C.getSValBuilder().getKnownValue(State, V)) if (const llvm::APInt *Int = C.getSValBuilder().getKnownValue(State, V))
IsNullTermination = Int->isNullValue(); IsNullTermination = Int->isNullValue();
if (!IsNullTermination) if (!IsNullTermination)
return; return;
// Mark the string null-terminated. // Mark the string null-terminated.
State = State->set<NullTerminationMap>(MR, true); State = State->set<NullTerminationMap>(getRegion(L), true);
C.addTransition(State); C.addTransition(State);
} }
void StrCheckerBase::checkPostStmt(const DeclStmt *S, CheckerContext &C) const {
if (const auto *VD = cast<VarDecl>(S->getSingleDecl())) {
if (VD->getType()->getAsArrayTypeUnsafe()) {
VD->dumpColor();
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

-1 line

Charusso: -1 line
ProgramStateRef State = C.getState();
const VarRegion *VR = State->getRegion(VD, C.getLocationContext());
std::string ArrayName = VD->getNameAsString();
createWrongSizeReport(VR, ArrayName, /*IsAlloc=*/false, State, C);
}
}
}
void ento::registerStrCheckerBase(CheckerManager &Mgr) { void ento::registerStrCheckerBase(CheckerManager &Mgr) {
auto *Checker = Mgr.registerChecker<StrCheckerBase>(); auto *Checker = Mgr.registerChecker<StrCheckerBase>();
Checker->WarnOnCall = Checker->WarnOnCall =
Mgr.getAnalyzerOptions().getCheckerBooleanOption(Checker, "WarnOnCall"); Mgr.getAnalyzerOptions().getCheckerBooleanOption(Checker, "WarnOnCall");
Checker->BT = std::make_unique<BugType>( Checker->BT = std::make_unique<BugType>(
Mgr.getCurrentCheckerName(), "Insecure string handler function call", Mgr.getCurrentCheckerName(), "Insecure string handler function call",
categories::SecurityError); categories::SecurityError);
} }
bool ento::shouldRegisterStrCheckerBase(const LangOptions &) { return true; } bool ento::shouldRegisterStrCheckerBase(const LangOptions &) { return true; }
#define REGISTER_CHECKER(Name) \ #define REGISTER_CHECKER(Name) \
void ento::register##Name(CheckerManager &Mgr) { \ void ento::register##Name(CheckerManager &Mgr) { \
auto *Checker = Mgr.getChecker<StrCheckerBase>(); \ auto *Checker = Mgr.getChecker<StrCheckerBase>(); \
Checker->Enable##Name = true; \ Checker->Enable##Name = true; \
} \ } \
\ \
bool ento::shouldRegister##Name(const LangOptions &LO) { return true; } bool ento::shouldRegister##Name(const LangOptions &LO) { return true; }
REGISTER_CHECKER(Str31cChecker) REGISTER_CHECKER(Str31cChecker)
REGISTER_CHECKER(Str32cChecker)

clang/lib/StaticAnalyzer/Core/DynamicSize.cpp

Show All 34 Lines
DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal getDynamicSize(ProgramStateRef State, const MemRegion *MR,
SValBuilder &SVB) { SValBuilder &SVB) {
if (const DynamicSizeInfo *SizeInfo = State->get<DynamicSizeMap>(MR)) if (const DynamicSizeInfo *SizeInfo = State->get<DynamicSizeMap>(MR))
return SizeInfo->getSize(); return SizeInfo->getSize();
return MR->getMemRegionManager().getStaticSize(MR, SVB); return MR->getMemRegionManager().getStaticSize(MR, SVB);
} }
Optional<DynamicSizeInfo> getDynamicSizeInfo(ProgramStateRef State,
const MemRegion *MR,
SValBuilder &SVB) {
if (const DynamicSizeInfo *SizeInfo = State->get<DynamicSizeMap>(MR))
return *SizeInfo;
if (const auto *TVR = MR->getAs<TypedValueRegion>())
if (TVR->getValueType()->getAsArrayTypeUnsafe())
return DynamicSizeInfo(MR->getMemRegionManager().getStaticSize(MR, SVB));
return None;
}
const Expr *getDynamicSizeExpr(ProgramStateRef State, const MemRegion *MR) { const Expr *getDynamicSizeExpr(ProgramStateRef State, const MemRegion *MR) {
if (const DynamicSizeInfo *SizeInfo = State->get<DynamicSizeMap>(MR)) if (const DynamicSizeInfo *SizeInfo = State->get<DynamicSizeMap>(MR))
return SizeInfo->getSizeExpr(); return SizeInfo->getSizeExpr();
return nullptr; return nullptr;
} }
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State,
Show All 18 Lines

clang/test/Analysis/Inputs/system-header-simulator.h

Show All 32 Lines
int fscanf(FILE *stream, const char *format, ...); int fscanf(FILE *stream, const char *format, ...);
int fscanf_s(FILE *stream, const char *format, ...); int fscanf_s(FILE *stream, const char *format, ...);
char *getenv(const char *varname); char *getenv(const char *varname);
// Note, on some platforms errno macro gets replaced with a function call. // Note, on some platforms errno macro gets replaced with a function call.
extern int errno; extern int errno;
typedef int errno_t; typedef int errno_t;
size_t strlen(const char *); void *memcpy(void *dest, const void *src, size_t count);
size_t strlen(const char *str);
char *strcpy(char *dest, const char *src); char *strcpy(char *dest, const char *src);
errno_t strcpy_s(char *dest, size_t destSize, const char *src); errno_t strcpy_s(char *dest, size_t destSize, const char *src);
char *strncpy(char *dest, const char *src, size_t count); char *strncpy(char *dest, const char *src, size_t count);
void *memcpy(void *dest, const void *src, size_t count); // Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
// the builtin type: "Using the typedef version can cause portability
// problems", but we're ok here because we're not actually running anything.
// Also of note is this cryptic warning: "The wchar_t type is not supported
// when you compile C code".
//
// See the docs for more:
// https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
#if !defined(_WCHAR_T_DEFINED) && !__cplusplus
// "Microsoft implements wchar_t as a two-byte unsigned value"
typedef unsigned short wchar_t;
#define _WCHAR_T_DEFINED
#endif
size_t wcslen(const wchar_t *str);
typedef unsigned long __darwin_pthread_key_t; typedef unsigned long __darwin_pthread_key_t;
typedef __darwin_pthread_key_t pthread_key_t; typedef __darwin_pthread_key_t pthread_key_t;
int pthread_setspecific(pthread_key_t, const void *); int pthread_setspecific(pthread_key_t, const void *);
typedef long long __int64_t; typedef long long __int64_t;
typedef __int64_t __darwin_off_t; typedef __int64_t __darwin_off_t;
typedef __darwin_off_t fpos_t; typedef __darwin_off_t fpos_t;
▲ Show 20 LinesShow All 71 LinesShow Last 20 Lines

clang/test/Analysis/cert/str31-c-notes-warn-on-call-off.cpp

Show First 20 LinesShow All 50 Lines▼ Show 20 Linesvoid test_size_redefinition() {
// expected-warning@-1 {{'p' is not null-terminated}} // expected-warning@-1 {{'p' is not null-terminated}}
// expected-note@-2 {{'p' is not null-terminated}} // expected-note@-2 {{'p' is not null-terminated}}
free(p); free(p);
} }
void test_using_before_terminating(const char *src) { void test_using_before_terminating(const char *src) {
char dest[128]; char dest[128];
// expected-note@-1 {{'dest' initialized here}} // expected-note@-1 {{'dest' is initialized without considering the length of the string it will store, therefore it could overflow}}
// expected-note@-2 {{'dest' initialized here}}
strcpy(dest, src); strcpy(dest, src);
// expected-note@-1 {{'strcpy' could write outside of 'dest'}} // expected-note@-1 {{'strcpy' could write outside of 'dest'}}
*dest = '\0'; *dest = '\0';
strcpy(dest, src); strcpy(dest, src);
// expected-note@-1 {{'strcpy' could write outside of 'dest'}} // expected-note@-1 {{'strcpy' could write outside of 'dest'}}
do_something(dest); do_something(dest);
// expected-warning@-1 {{'dest' is not null-terminated}} // expected-warning@-1 {{'dest' is not null-terminated}}
// expected-note@-2 {{'dest' is not null-terminated}} // expected-note@-2 {{'dest' is not null-terminated}}
*dest = '\0'; *dest = '\0';
do_something(dest); do_something(dest);
} }

clang/test/Analysis/cert/str31-c-notes-warn-on-call-on.cpp

Show All 40 Linesvoid test_size_redefinition() {
} }
char *p = buf; char *p = buf;
free(p); free(p);
} }
void test_using_before_terminating(const char *src) { void test_using_before_terminating(const char *src) {
char dest[128]; char dest[128];
// expected-note@-1 {{'dest' initialized here}} // expected-note@-1 {{'dest' is initialized without considering the length of the string it will store, therefore it could overflow}}
// expected-note@-2 {{'dest' initialized here}}
strcpy(dest, src); strcpy(dest, src);
// expected-note@-1 {{'strcpy' could write outside of 'dest'}} // expected-note@-1 {{'strcpy' could write outside of 'dest'}}
// expected-warning@-2 {{'strcpy' could write outside of 'dest'}} // expected-warning@-2 {{'strcpy' could write outside of 'dest'}}
*dest = '\0'; *dest = '\0';
strcpy(dest, src); strcpy(dest, src);
do_something(dest); do_something(dest);
*dest = '\0'; *dest = '\0';
do_something(dest); do_something(dest);
} }

clang/test/Analysis/cert/str32-c-notes.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,unix,alpha.security.cert.str.32c \
// RUN: -analyzer-output=text -verify %s
// See the examples on the page of STR32-C:
// https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string
#include "../Inputs/system-header-simulator.h"
void *realloc(void *memblock, size_t size);
namespace test_strncpy_bad {
enum { STR_SIZE = 32 };
size_t func(const char *source) {
char c_str[STR_SIZE];
// expected-note@-1 {{'c_str' is initialized without considering the length of the string it will store, therefore it could overflow}}
// expected-note@-2 {{'c_str' initialized here}}
size_t ret = 0;
if (source) {
// expected-note@-1 {{Assuming 'source' is non-null}}
// expected-note@-2 {{Taking true branch}}
c_str[sizeof(c_str) - 1] = '\0';
strncpy(c_str, source, sizeof(c_str));
// expected-note@-1 {{'strncpy' could write outside of 'c_str'}}
ret = strlen(c_str);
// expected-note@-1 {{'c_str' is not null-terminated}}
// expected-warning@-2 {{'c_str' is not null-terminated}}
}
return ret;
}
} // namespace test_strncpy_bad
namespace test_realloc_bad {
size_t cur_msg_size = 1024;
size_t cur_msg_len = 0;
void lessen_memory_usage(wchar_t *cur_msg) {
if (cur_msg == NULL) {
// expected-note@-1 {{Assuming 'cur_msg' is not equal to NULL}}
// expected-note@-2 {{Taking false branch}}
return;
}
size_t temp_size = cur_msg_size / 2 + 1;
wchar_t temp[256];
// expected-note@-1 {{'temp' is initialized without considering the length of the string it will store, therefore it could overflow}}
// expected-note@-2 {{'temp' initialized here}}
/* temp and cur_msg may no longer be null-terminated */
cur_msg = temp;
// expected-note@-1 {{Value assigned to 'cur_msg'}}
cur_msg_size = temp_size;
cur_msg_len = wcslen(cur_msg);
// expected-note@-1 {{'cur_msg' is not null-terminated}}
// expected-warning@-2 {{'cur_msg' is not null-terminated}}
}
} // namespace test_realloc_bad

clang/test/Analysis/cert/str32-c.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,unix,alpha.security.cert.str.32c \
// RUN: -verify %s
// See the examples on the page of STR32-C:
// https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string
#include "../Inputs/system-header-simulator.h"
void *realloc(void *memblock, size_t size);
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Please move this to the system header simulator instead of repeating it in every test file.

baloghadamsoftware: Please move this to the //system header simulator// instead of repeating it in every test file.
namespace test_strncpy_bad {
enum { STR_SIZE = 32 };
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

Why enum?

baloghadamsoftware: Why `enum`?
size_t func(const char *source) {
char c_str[STR_SIZE];
size_t ret = 0;
if (source) {
c_str[sizeof(c_str) - 1] = '\0';
strncpy(c_str, source, sizeof(c_str));
ret = strlen(c_str);
// expected-warning@-1 {{'c_str' is not null-terminated}}
}
return ret;
}
} // namespace test_strncpy_bad
namespace test_strncpy_good {
enum { STR_SIZE = 32 };
size_t func(const char *src) {
char c_str[STR_SIZE];
size_t ret = 0;
if (src) {
strncpy(c_str, src, sizeof(c_str) - 1);
c_str[sizeof(c_str) - 1] = '\0';
ret = strlen(c_str);
}
return ret;
}
} // namespace test_strncpy_good
namespace test_realloc_bad {
wchar_t *cur_msg = NULL;
size_t cur_msg_size = 1024;
size_t cur_msg_len = 0;
void lessen_memory_usage(void) {
if (cur_msg == NULL)
return;
size_t temp_size = cur_msg_size / 2 + 1;
wchar_t *temp = (wchar_t *)realloc(cur_msg, temp_size * sizeof(wchar_t));
/* temp and cur_msg may no longer be null-terminated */
if (temp == NULL)
return;
cur_msg = temp;
cur_msg_size = temp_size;
cur_msg_len = wcslen(cur_msg);
// expected-warning@-1 {{'cur_msg' is not null-terminated}}
}
} // namespace test_realloc_bad
namespace test_realloc_good {
wchar_t *cur_msg = NULL;
size_t cur_msg_size = 1024;
size_t cur_msg_len = 0;
void lessen_memory_usage(void) {
if (cur_msg == NULL)
return;
size_t temp_size = cur_msg_size / 2 + 1;
wchar_t *temp = (wchar_t *)realloc(cur_msg, temp_size * sizeof(wchar_t));
/* temp and cur_msg may no longer be null-terminated */
if (temp == NULL)
return;
cur_msg = temp;
/* Properly null-terminate cur_msg */
cur_msg[temp_size - 1] = L'\0';
cur_msg_size = temp_size;
cur_msg_len = wcslen(cur_msg);
}
} // namespace test_realloc_good

clang/test/Analysis/malloc.c

// RUN: %clang_analyze_cc1 -analyzer-store=region -verify %s \ // RUN: %clang_analyze_cc1 -analyzer-store=region -verify %s \
// RUN: -analyzer-checker=core \ // RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \ // RUN: -analyzer-checker=alpha.deadcode.UnreachableCode \
// RUN: -analyzer-checker=alpha.core.CastSize \ // RUN: -analyzer-checker=alpha.core.CastSize \
// RUN: -analyzer-checker=unix.Malloc \ // RUN: -analyzer-checker=unix.Malloc \
// RUN: -analyzer-checker=debug.ExprInspection // RUN: -analyzer-checker=debug.ExprInspection
#include "Inputs/system-header-simulator.h" #include "Inputs/system-header-simulator.h"
void clang_analyzer_eval(int); void clang_analyzer_eval(int);
// Without -fms-compatibility, wchar_t isn't a builtin type. MSVC defines
// _WCHAR_T_DEFINED if wchar_t is available. Microsoft recommends that you use
// the builtin type: "Using the typedef version can cause portability
// problems", but we're ok here because we're not actually running anything.
// Also of note is this cryptic warning: "The wchar_t type is not supported
// when you compile C code".
//
// See the docs for more:
// https://msdn.microsoft.com/en-us/library/dh8che7s.aspx
#if !defined(_WCHAR_T_DEFINED)
// "Microsoft implements wchar_t as a two-byte unsigned value"
typedef unsigned short wchar_t;
#define _WCHAR_T_DEFINED
#endif // !defined(_WCHAR_T_DEFINED)
typedef __typeof(sizeof(int)) size_t; typedef __typeof(sizeof(int)) size_t;
void *malloc(size_t); void *malloc(size_t);
void *alloca(size_t); void *alloca(size_t);
void *valloc(size_t); void *valloc(size_t);
void free(void *); void free(void *);
void *realloc(void *ptr, size_t size); void *realloc(void *ptr, size_t size);
void *reallocf(void *ptr, size_t size); void *reallocf(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size); void *calloc(size_t nmemb, size_t size);
▲ Show 20 LinesShow All 1,821 LinesShow Last 20 Lines