This is an archive of the discontinued LLVM Phabricator instance.

Differential D71155

[analyzer] CERT STR rule checkers: STR30-C
Needs RevisionPublic

Authored by Charusso on Dec 6 2019, 4:21 PM.

Details

Reviewers
NoQ
baloghadamsoftware
Summary

This checker is implemented based on the following rule:
https://wiki.sei.cmu.edu/confluence/display/c/STR30-C.+Do+not+attempt+to+modify+string+literals

It warns on misusing the following functions: strpbrk(), strchr(),
strrchr(), strstr(), memchr().

Diff Detail

Event Timeline

Charusso created this revision.Dec 6 2019, 4:21 PM
Herald added subscribers: cfe-commits, dkrupp, donat.nagy and 6 others. · View Herald TranscriptDec 6 2019, 4:21 PM
Charusso added a comment.Dec 6 2019, 4:24 PM

Examples generated by CodeChecker from the curl project:

str30-c.tar.gz1 MBDownload

Charusso added a parent revision: D71033: [analyzer] CERT STR rule checkers: STR32-C.Dec 6 2019, 4:24 PM
NoQ added inline comments.Dec 9 2019, 7:23 PM
clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
2148

Why does it matter whether the region is symbolic or not?

2149

Mmm, that's not a correct return value for these functions. These functions don't simply pass through their first argument.

2161

Why "heap"?

Charusso marked 2 inline comments as done.Dec 9 2019, 7:41 PM
Charusso added inline comments.
clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
2148

Hm, I think you are right, we could omit that if-statement. I wanted to specify to reuse conjured symbols.

2149

Yes, but we need some index here. It requires a NonLoc, so I just randomly picked the first index, but I like the idea of an unknown index. Would we like to introduce UnknownVal for indices?

2161

Well, a string which length is at least 16 characters long is going to be allocated on the heap. I have to conjure the string here to create its element.

NoQ added inline comments.Dec 9 2019, 7:48 PM
clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
2149

Use the correct region but conjure the index.

2161

o.o

void foo() {
  // This string is 20 characters long
  // but it's clearly on the stack.
  char str[] = "12345678901234567890";
  // This one is therefore also on the stack.
  char *ptr = strchr(str, '0');
}
Charusso updated this revision to Diff 233905.Dec 13 2019, 6:53 PM
Charusso marked 6 inline comments as done.
  • Try to conjure the index of the 'ElementRegion'.
Charusso retitled this revision from [analyzer] CERT: StrChecker: 30.c to [analyzer] CERT: STR30-C.EditedDec 13 2019, 7:01 PM
Charusso marked 3 inline comments as done.

In order to bypass [1] the CK_LValueToRValue evalCast() we have to create en ElementRegion as a return-value of the problematic function call. In that case for a mythical reason we miss the fact the pointer is nullable. I have not figured out yet why, but tried to create an appropriate return-value using a VarRegion so we could refer to the underlying constant string's name.

[1] bypass: If I tried to evaluate the call by returning a pointer to the element it immediately wraps the SymbolicRegion into an ElementRegion, like with HeapSpaceRegions it is useful, but for us it is bad.

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
2161

Well, a string which length is at least 16 characters long is going to be allocated on the heap. I have to conjure the string here to create its element.

I really felt that the std::string should behave like the C-strings, but C-strings are on the stack whatever it takes, yes, my bad. Thanks for pointing that out!

clang/test/Analysis/cert/str30-c-notes.cpp
30

Needs to be an assumption.

NoQ added a comment.Feb 3 2020, 7:46 AM

Let's separate CStringChecker improvements into a separate patch and have a separate set of tests for it.

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
2136–2137

Ok, so this whole thing is trying to evaluate strchr-like functions, right? I've no idea what it does but the problem is much more trivial that what you're trying to do here.

Branch 1:

  1. Conjure the offset.
  2. Add it to the original pointer (using evalBinOp).
  3. Bind the result.

Branch 2:

  1. Bind null.

And you probably should drop branch 2 completely because usually there's no indication that the character may in fact be missing in the string, and i don't want more null dereference false alarms. So it's just branch 1.

So the whole function should be 3 lines of code (maybe with a couple line breaks).

Well, maybe you should also handle the case where the original pointer is null (not sure if it's an immediate UB or not).

This could be improved by actually taking into account the contents of the string, but you don't seem to be trying to do this here.

2140–2142

So, like, StateNull is the state in which it is assumed that 0 is non-zero and State is the state in which it is assumed that 0 is zero?

I mean, apart from the naming flip-flop - i can tell you in advance that 0 is zero, it's not a matter of assumptions.

2166–2167

This is guaranteed to return the string region that you already have as the value of that expression.

Charusso updated this revision to Diff 242159.Feb 3 2020, 12:36 PM
Charusso marked 8 inline comments as done.
  • Remove the modeling from CStringChecker.
Charusso added a comment.Feb 3 2020, 12:38 PM

Thanks! I have felt that may I create a too complex symbolic value. Sorry for stealing your time.

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
2136–2137

I've no idea what it does

I wanted to represent the root string's VarDecl in the symbolic value so I could refer to it. I think it became too complex and printing out the root string's variable name does not worth that complexity. But here it is from str30-c-explain.cpp:

char *slash;
slash = strrchr(pathname, '/');

clang_analyzer_dump(slash);
// CHECK: &Element{pathname,conj_$1{long long, LC1, S{{[0-9]+}}, #1},char}

clang_analyzer_explain(slash);
// CHECK: pointer to element of type 'char' with index 'symbol of type 'long long' conjured at statement 'pathname'' of parameter 'pathname'

This could be improved by actually taking into account the contents of the string, but you don't seem to be trying to do this here.

At first the name of the string would be cool to print out and we need dataflow support to make it cool. Given that it is too complex I have reverted the modeling part. Also I wanted to create a simpler modeling with your modeling solution for my name-storing purposes, but I cannot.

2140–2142

I wanted to force out the state split of an unknown indexing: null and non-null but may it was too explicit and useless, yes.

2166–2167

Whoops. The idea was that to handle string regions explicitly and may calculate the returning index as well.

clang/test/Analysis/cert/str30-c-notes.cpp
30

Let us say it is non-null.

Charusso updated this revision to Diff 265963.May 24 2020, 9:32 PM
Charusso retitled this revision from [analyzer] CERT: STR30-C to [analyzer] CERT STR rule checkers: STR30-C.
  • Refactor.
Herald added subscribers: ASDenysPetrov, martong, steakhal. · View Herald TranscriptMay 24 2020, 9:32 PM
Charusso added a comment.May 24 2020, 9:32 PM
In D71155#1854908, @NoQ wrote:

Let's separate CStringChecker improvements into a separate patch and have a separate set of tests for it.

I was thinking about creating tests, but I cannot figure out any better testing than a live checker that uses such features of CStringChecker. Also I have not found any real world issues with the checker, so I could not really test its real behavior.

Charusso added a child revision: D80503: [analyzer] CallDescriptionMap: Support CXXConstructExpr.May 24 2020, 9:36 PM
baloghadamsoftware requested changes to this revision.Jun 29 2020, 9:35 AM
baloghadamsoftware added inline comments.
clang/docs/analyzer/checkers.rst
1973

STR30-C is more general: Do not attempt to modify string literals. You should not check for these functions specifically, just model that they return string literals. However, you can also declare a string literal yourself. The checker should look for modifications of any string literals, whether returned by these functions or not.

clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp
394

I do not see V used in this function anywhere. We are not interested to what it is attempted to be modified. We are just interested that it is attempted to be modified.

This revision now requires changes to proceed.Jun 29 2020, 9:35 AM
Herald added a subscriber: rnkovacs. · View Herald TranscriptJun 29 2020, 9:35 AM
whisperity added a subscriber: whisperity.Jul 9 2020, 1:01 AM

Revision Contents

PathSize
clang/
docs/
analyzer/
10 lines
include/
clang/
StaticAnalyzer/
Checkers/
5 lines
lib/
StaticAnalyzer/
Checkers/
65 lines
cert/
160 lines
test/
Analysis/
cert/
43 lines
58 lines

Diff 265963

clang/docs/analyzer/checkers.rst

Show First 20 LinesShow All 1,955 Lines▼ Show 20 Lines int func(const char *var) {
int retval = snprintf(env, sizeof(env),"TEST=%s", var); int retval = snprintf(env, sizeof(env),"TEST=%s", var);
if (retval < 0 || (size_t)retval >= sizeof(env)) { if (retval < 0 || (size_t)retval >= sizeof(env)) {
/* Handle error */ /* Handle error */
} }
return putenv(env); // putenv function should not be called with auto variables return putenv(env); // putenv function should not be called with auto variables
} }
.. _alpha-security-cert-str-30c:
alpha.security.cert.str.30c
"""""""""""""""""""""""""""
Checker for `STR30-C rule<https://wiki.sei.cmu.edu/confluence/x/VtYxBQ>`_.
It warns on misusing the following functions:
``strpbrk()``, ``strchr()``, ``strrchr()``, ``strstr()``, ``memchr()``.
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

STR30-C is more general: Do not attempt to modify string literals. You should not check for these functions specifically, just model that they return string literals. However, you can also declare a string literal yourself. The checker should look for modifications of any string literals, whether returned by these functions or not.

baloghadamsoftware: **STR30-C** is more general: //Do not attempt to modify string literals//. You should not check…
.. _alpha-security-cert-str-31c: .. _alpha-security-cert-str-31c:
alpha.security.cert.str.31c alpha.security.cert.str.31c
""""""""""""""""""""""""""" """""""""""""""""""""""""""
Checker for `STR31-C rule<https://wiki.sei.cmu.edu/confluence/x/sNUxBQ>`_. Checker for `STR31-C rule<https://wiki.sei.cmu.edu/confluence/x/sNUxBQ>`_.
It warns on misusing the following functions: It warns on misusing the following functions:
▲ Show 20 LinesShow All 478 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Checkers/Checkers.td

Show First 20 LinesShow All 850 Lines▼ Show 20 Lines
let ParentPackage = STR in { let ParentPackage = STR in {
def StrCheckerBase : Checker<"StrCheckerBase">, def StrCheckerBase : Checker<"StrCheckerBase">,
HelpText<"SEI CERT base checker of rules defined in STR">, HelpText<"SEI CERT base checker of rules defined in STR">,
Documentation<NotDocumented>, Documentation<NotDocumented>,
Hidden; Hidden;
def Str30cChecker : Checker<"30c">,
HelpText<"SEI CERT checker of rules defined in STR30-C">,
Dependencies<[StrCheckerBase]>,
Documentation<HasDocumentation>;
def Str31cChecker : Checker<"31c">, def Str31cChecker : Checker<"31c">,
HelpText<"SEI CERT checker of rules defined in STR31-C">, HelpText<"SEI CERT checker of rules defined in STR31-C">,
Dependencies<[StrCheckerBase]>, Dependencies<[StrCheckerBase]>,
Documentation<HasDocumentation>; Documentation<HasDocumentation>;
def Str32cChecker : Checker<"32c">, def Str32cChecker : Checker<"32c">,
HelpText<"SEI CERT checker of rules defined in STR32-C">, HelpText<"SEI CERT checker of rules defined in STR32-C">,
Dependencies<[StrCheckerBase]>, Dependencies<[StrCheckerBase]>,
▲ Show 20 LinesShow All 705 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 LinesShow All 116 Lines▼ Show 20 Linespublic:
typedef void (CStringChecker::*FnCheck)(CheckerContext &, typedef void (CStringChecker::*FnCheck)(CheckerContext &,
const CallExpr *) const; const CallExpr *) const;
CallDescriptionMap<FnCheck> Callbacks = { CallDescriptionMap<FnCheck> Callbacks = {
{{CDF_MaybeBuiltin, "memcpy", 3}, &CStringChecker::evalMemcpy}, {{CDF_MaybeBuiltin, "memcpy", 3}, &CStringChecker::evalMemcpy},
{{CDF_MaybeBuiltin, "mempcpy", 3}, &CStringChecker::evalMempcpy}, {{CDF_MaybeBuiltin, "mempcpy", 3}, &CStringChecker::evalMempcpy},
{{CDF_MaybeBuiltin, "memcmp", 3}, &CStringChecker::evalMemcmp}, {{CDF_MaybeBuiltin, "memcmp", 3}, &CStringChecker::evalMemcmp},
{{CDF_MaybeBuiltin, "memmove", 3}, &CStringChecker::evalMemmove}, {{CDF_MaybeBuiltin, "memmove", 3}, &CStringChecker::evalMemmove},
{{CDF_MaybeBuiltin, "memchr", 3}, &CStringChecker::evalMemchr},
{{CDF_MaybeBuiltin, "memset", 3}, &CStringChecker::evalMemset}, {{CDF_MaybeBuiltin, "memset", 3}, &CStringChecker::evalMemset},
{{CDF_MaybeBuiltin, "explicit_memset", 3}, &CStringChecker::evalMemset}, {{CDF_MaybeBuiltin, "explicit_memset", 3}, &CStringChecker::evalMemset},
{{CDF_MaybeBuiltin, "strcpy", 2}, &CStringChecker::evalStrcpy}, {{CDF_MaybeBuiltin, "strcpy", 2}, &CStringChecker::evalStrcpy},
{{CDF_MaybeBuiltin, "strncpy", 3}, &CStringChecker::evalStrncpy}, {{CDF_MaybeBuiltin, "strncpy", 3}, &CStringChecker::evalStrncpy},
{{CDF_MaybeBuiltin, "stpcpy", 2}, &CStringChecker::evalStpcpy}, {{CDF_MaybeBuiltin, "stpcpy", 2}, &CStringChecker::evalStpcpy},
{{CDF_MaybeBuiltin, "strlcpy", 3}, &CStringChecker::evalStrlcpy}, {{CDF_MaybeBuiltin, "strlcpy", 3}, &CStringChecker::evalStrlcpy},
{{CDF_MaybeBuiltin, "strcat", 2}, &CStringChecker::evalStrcat}, {{CDF_MaybeBuiltin, "strcat", 2}, &CStringChecker::evalStrcat},
{{CDF_MaybeBuiltin, "strncat", 3}, &CStringChecker::evalStrncat}, {{CDF_MaybeBuiltin, "strncat", 3}, &CStringChecker::evalStrncat},
{{CDF_MaybeBuiltin, "strlcat", 3}, &CStringChecker::evalStrlcat}, {{CDF_MaybeBuiltin, "strlcat", 3}, &CStringChecker::evalStrlcat},
{{CDF_MaybeBuiltin, "strlen", 1}, &CStringChecker::evalstrLength}, {{CDF_MaybeBuiltin, "strlen", 1}, &CStringChecker::evalstrLength},
{{CDF_MaybeBuiltin, "strnlen", 2}, &CStringChecker::evalstrnLength}, {{CDF_MaybeBuiltin, "strnlen", 2}, &CStringChecker::evalstrnLength},
{{CDF_MaybeBuiltin, "strcmp", 2}, &CStringChecker::evalStrcmp}, {{CDF_MaybeBuiltin, "strcmp", 2}, &CStringChecker::evalStrcmp},
{{CDF_MaybeBuiltin, "strncmp", 3}, &CStringChecker::evalStrncmp}, {{CDF_MaybeBuiltin, "strncmp", 3}, &CStringChecker::evalStrncmp},
{{CDF_MaybeBuiltin, "strcasecmp", 2}, &CStringChecker::evalStrcasecmp}, {{CDF_MaybeBuiltin, "strcasecmp", 2}, &CStringChecker::evalStrcasecmp},
{{CDF_MaybeBuiltin, "strncasecmp", 3}, &CStringChecker::evalStrncasecmp}, {{CDF_MaybeBuiltin, "strncasecmp", 3}, &CStringChecker::evalStrncasecmp},
{{CDF_MaybeBuiltin, "strsep", 2}, &CStringChecker::evalStrsep}, {{CDF_MaybeBuiltin, "strsep", 2}, &CStringChecker::evalStrsep},
{{CDF_MaybeBuiltin, "strpbrk", 2}, &CStringChecker::evalStrpbrk},
{{CDF_MaybeBuiltin, "strchr", 2}, &CStringChecker::evalStrchr},
{{CDF_MaybeBuiltin, "strrchr", 2}, &CStringChecker::evalStrrchr},
{{CDF_MaybeBuiltin, "strstr", 2}, &CStringChecker::evalStrstr},
{{CDF_MaybeBuiltin, "bcopy", 3}, &CStringChecker::evalBcopy}, {{CDF_MaybeBuiltin, "bcopy", 3}, &CStringChecker::evalBcopy},
{{CDF_MaybeBuiltin, "bcmp", 3}, &CStringChecker::evalMemcmp}, {{CDF_MaybeBuiltin, "bcmp", 3}, &CStringChecker::evalMemcmp},
{{CDF_MaybeBuiltin, "bzero", 2}, &CStringChecker::evalBzero}, {{CDF_MaybeBuiltin, "bzero", 2}, &CStringChecker::evalBzero},
{{CDF_MaybeBuiltin, "explicit_bzero", 2}, &CStringChecker::evalBzero}, {{CDF_MaybeBuiltin, "explicit_bzero", 2}, &CStringChecker::evalBzero},
}; };
// These require a bit of special handling. // These require a bit of special handling.
CallDescription StdCopy{{"std", "copy"}, 3}, CallDescription StdCopy{{"std", "copy"}, 3},
Show All 35 Linespublic:
void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const; void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
void evalStrcmpCommon(CheckerContext &C, void evalStrcmpCommon(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE,
bool IsBounded = false, bool IsBounded = false,
bool IgnoreCase = false) const; bool IgnoreCase = false) const;
void evalStrsep(CheckerContext &C, const CallExpr *CE) const; void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
// Evaluate function calls which returns a pointer to the string argument.
void evalCharPtrCommon(CheckerContext &C, const CallExpr *CE) const;
void evalMemchr(CheckerContext &C, const CallExpr *CE) const;
void evalStrchr(CheckerContext &C, const CallExpr *CE) const;
void evalStrrchr(CheckerContext &C, const CallExpr *CE) const;
void evalStrstr(CheckerContext &C, const CallExpr *CE) const;
void evalStrpbrk(CheckerContext &C, const CallExpr *CE) const;
void evalStdCopy(CheckerContext &C, const CallExpr *CE) const; void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const; void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const; void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
void evalMemset(CheckerContext &C, const CallExpr *CE) const; void evalMemset(CheckerContext &C, const CallExpr *CE) const;
void evalBzero(CheckerContext &C, const CallExpr *CE) const; void evalBzero(CheckerContext &C, const CallExpr *CE) const;
// Utility methods // Utility methods
std::pair<ProgramStateRef , ProgramStateRef > std::pair<ProgramStateRef , ProgramStateRef >
▲ Show 20 LinesShow All 1,915 Lines▼ Show 20 Lines if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount()); Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
} }
// Set the return value, and finish. // Set the return value, and finish.
State = State->BindExpr(CE, LCtx, Result); State = State->BindExpr(CE, LCtx, Result);
C.addTransition(State); C.addTransition(State);
} }
void CStringChecker::evalCharPtrCommon(CheckerContext &C,
const CallExpr *CE) const {
NoQUnsubmitted
Done
ReplyInline Actions

Ok, so this whole thing is trying to evaluate strchr-like functions, right? I've no idea what it does but the problem is much more trivial that what you're trying to do here.

Branch 1:

  1. Conjure the offset.
  2. Add it to the original pointer (using evalBinOp).
  3. Bind the result.

Branch 2:

  1. Bind null.

And you probably should drop branch 2 completely because usually there's no indication that the character may in fact be missing in the string, and i don't want more null dereference false alarms. So it's just branch 1.

So the whole function should be 3 lines of code (maybe with a couple line breaks).

Well, maybe you should also handle the case where the original pointer is null (not sure if it's an immediate UB or not).

This could be improved by actually taking into account the contents of the string, but you don't seem to be trying to do this here.

NoQ: Ok, so this whole thing is trying to evaluate `strchr`-like functions, right? I've no idea what…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

I've no idea what it does

I wanted to represent the root string's VarDecl in the symbolic value so I could refer to it. I think it became too complex and printing out the root string's variable name does not worth that complexity. But here it is from str30-c-explain.cpp:

char *slash;
slash = strrchr(pathname, '/');

clang_analyzer_dump(slash);
// CHECK: &Element{pathname,conj_$1{long long, LC1, S{{[0-9]+}}, #1},char}

clang_analyzer_explain(slash);
// CHECK: pointer to element of type 'char' with index 'symbol of type 'long long' conjured at statement 'pathname'' of parameter 'pathname'

This could be improved by actually taking into account the contents of the string, but you don't seem to be trying to do this here.

At first the name of the string would be cool to print out and we need dataflow support to make it cool. Given that it is too complex I have reverted the modeling part. Also I wanted to create a simpler modeling with your modeling solution for my name-storing purposes, but I cannot.

Charusso: > I've no idea what it does I wanted to represent the root string's VarDecl in the symbolic…
CurrentFunctionDescription = "char pointer returning function";
SValBuilder &SVB = C.getSValBuilder();
ProgramStateRef State = C.getState();
const LocationContext *LCtx = C.getLocationContext();
NoQUnsubmitted
Done
ReplyInline Actions

So, like, StateNull is the state in which it is assumed that 0 is non-zero and State is the state in which it is assumed that 0 is zero?

I mean, apart from the naming flip-flop - i can tell you in advance that 0 is zero, it's not a matter of assumptions.

NoQ: So, like, `StateNull` is the state in which it is assumed that `0` is non-zero and `State` is…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

I wanted to force out the state split of an unknown indexing: null and non-null but may it was too explicit and useless, yes.

Charusso: I wanted to force out the state split of an unknown indexing: null and non-null but may it was…
const Expr *SrcExpr = CE->getArg(0);
// Add a conjured index to the source string.
SVal SrcV = C.getSVal(SrcExpr);
DefinedOrUnknownSVal Index = SVB.conjureSymbolVal(
NoQUnsubmitted
Done
ReplyInline Actions

Why does it matter whether the region is symbolic or not?

NoQ: Why does it matter whether the region is symbolic or not?
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Hm, I think you are right, we could omit that if-statement. I wanted to specify to reuse conjured symbols.

Charusso: Hm, I think you are right, we could omit that if-statement. I wanted to specify to reuse…
SrcExpr, LCtx, SVB.getArrayIndexType(), C.blockCount());
NoQUnsubmitted
Done
ReplyInline Actions

Mmm, that's not a correct return value for these functions. These functions don't simply pass through their first argument.

NoQ: Mmm, that's not a correct return value for these functions. These functions don't simply pass…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Yes, but we need some index here. It requires a NonLoc, so I just randomly picked the first index, but I like the idea of an unknown index. Would we like to introduce UnknownVal for indices?

Charusso: Yes, but we need some index here. It requires a `NonLoc`, so I just randomly picked the first…
NoQUnsubmitted
Done
ReplyInline Actions

Use the correct region but conjure the index.

NoQ: Use the correct region but //conjure the index//.
SVal Offset = SVB.evalBinOp(State, BO_Add, SrcV, Index, SrcExpr->getType());
State = State->BindExpr(CE, LCtx, Offset);
C.addTransition(State);
}
void CStringChecker::evalMemchr(CheckerContext &C, const CallExpr *CE) const {
// void *memchr(const void *buffer, int c, size_t count);
const Expr *BufferExpr = CE->getArg(0);
QualType Ty = BufferExpr->getType().getUnqualifiedType();
if (Ty->isPointerType())
NoQUnsubmitted
Done
ReplyInline Actions

Why "heap"?

NoQ: Why "heap"?
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Well, a string which length is at least 16 characters long is going to be allocated on the heap. I have to conjure the string here to create its element.

Charusso: Well, a string which length is at least 16 characters long is going to be allocated on the heap.
NoQUnsubmitted
Done
ReplyInline Actions

o.o

void foo() {
  // This string is 20 characters long
  // but it's clearly on the stack.
  char str[] = "12345678901234567890";
  // This one is therefore also on the stack.
  char *ptr = strchr(str, '0');
}
NoQ: o.o ```lang=c++ void foo() { // This string is 20 characters long // but it's clearly on…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Well, a string which length is at least 16 characters long is going to be allocated on the heap. I have to conjure the string here to create its element.

I really felt that the std::string should behave like the C-strings, but C-strings are on the stack whatever it takes, yes, my bad. Thanks for pointing that out!

Charusso: > Well, a string which length is at least 16 characters long is going to be allocated on the…
Ty = Ty->getPointeeType();
if (Ty->isAnyCharacterType())
evalCharPtrCommon(C, CE);
}
NoQUnsubmitted
Done
ReplyInline Actions

This is guaranteed to return the string region that you already have as the value of that expression.

NoQ: This is guaranteed to return the string region that you already have as the value of that…
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Whoops. The idea was that to handle string regions explicitly and may calculate the returning index as well.

Charusso: Whoops. The idea was that to handle string regions explicitly and may calculate the returning…
void CStringChecker::evalStrchr(CheckerContext &C, const CallExpr *CE) const {
// char *strchr(const char *str, int c);
evalCharPtrCommon(C, CE);
}
void CStringChecker::evalStrrchr(CheckerContext &C, const CallExpr *CE) const {
// char *strrchr(const char *str, int c);
evalCharPtrCommon(C, CE);
}
void CStringChecker::evalStrstr(CheckerContext &C, const CallExpr *CE) const {
// char *strstr(const char *str, const char *strSearch);
evalCharPtrCommon(C, CE);
}
void CStringChecker::evalStrpbrk(CheckerContext &C, const CallExpr *CE) const {
// char *strpbrk(const char *str, const char *strCharSet);
evalCharPtrCommon(C, CE);
}
// These should probably be moved into a C++ standard library checker. // These should probably be moved into a C++ standard library checker.
void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
evalStdCopyCommon(C, CE); evalStdCopyCommon(C, CE);
} }
void CStringChecker::evalStdCopyBackward(CheckerContext &C, void CStringChecker::evalStdCopyBackward(CheckerContext &C,
const CallExpr *CE) const { const CallExpr *CE) const {
evalStdCopyCommon(C, CE); evalStdCopyCommon(C, CE);
▲ Show 20 LinesShow All 326 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/cert/StrChecker.cpp

//===- StrCheckerBase - SEI CERT rules checker defined in STR ---*- C++ -*-===// //===- StrCheckerBase - SEI CERT rules checker defined in STR ---*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines StrCheckerBase which tries to find the SEI CERT string // This file defines StrCheckerBase which tries to find the SEI CERT string
// handler function issues. // handler function issues.
// The rules can be found in section 'Rule 07. Characters and Strings (STR)': // The rules can be found in section 'Rule 07. Characters and Strings (STR)':
// - https://wiki.sei.cmu.edu/confluence/x/ptUxBQ // - https://wiki.sei.cmu.edu/confluence/x/ptUxBQ
// //
// This checker is a base checker which consist of the following checkers: // This checker is a base checker which consist of the following checkers:
// - STR30-C: Do not attempt to modify string literals:
// - https://wiki.sei.cmu.edu/confluence/x/VtYxBQ
//
// - STR31-C: Guarantee that storage for strings has sufficient space for // - STR31-C: Guarantee that storage for strings has sufficient space for
// character data and the null terminator: // character data and the null terminator:
// - https://wiki.sei.cmu.edu/confluence/x/sNUxBQ // - https://wiki.sei.cmu.edu/confluence/x/sNUxBQ
// //
// - STR32-C: Do not pass a non-null-terminated character sequence to a // - STR32-C: Do not pass a non-null-terminated character sequence to a
// library function that expects a string: // library function that expects a string:
// - https://wiki.sei.cmu.edu/confluence/x/r9UxBQ // - https://wiki.sei.cmu.edu/confluence/x/r9UxBQ
// //
▲ Show 20 LinesShow All 55 Lines▼ Show 20 Linespublic:
void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const; void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
/// It reports a note on array declarations which may cannot store a string /// It reports a note on array declarations which may cannot store a string
/// because of its size, similar to the check in 'checkBind()'. /// because of its size, similar to the check in 'checkBind()'.
void checkPostStmt(const DeclStmt *S, CheckerContext &C) const; void checkPostStmt(const DeclStmt *S, CheckerContext &C) const;
/// \{ /// \{
/// Check the function calls defined in 'CDM'. /// Check the function calls defined in 'CDM'.
/// STR30-C.
void checkMemchr(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const;
void checkStrchr(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const;
void checkStrrchr(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const;
void checkStrstr(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const;
void checkStrpbrk(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const;
/// STR31-C. /// STR31-C.
void checkGets(const CallEvent &Call, const CallContext &CallC, void checkGets(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkSprintf(const CallEvent &Call, const CallContext &CallC, void checkSprintf(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkFscanf(const CallEvent &Call, const CallContext &CallC, void checkFscanf(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
void checkStrcpy(const CallEvent &Call, const CallContext &CallC, void checkStrcpy(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
/// STR32-C. /// STR32-C.
void checkStrncpy(const CallEvent &Call, const CallContext &CallC, void checkStrncpy(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
/// \} /// \}
/// Create a report on a function call which could cause a buffer overflow. /// Create a report on a function call which could cause a buffer overflow.
/// ///
/// In case of STR31-C emit an error report. /// In case of STR31-C emit an error report.
/// In case of STR32-C emit a note and mark the buffer as possibly not /// In case of STR32-C emit a note and mark the buffer as possibly not
/// null-terminated. /// null-terminated.
void createCallOverflowReport(const CallEvent &Call, const CallContext &CallC, void createCallOverflowReport(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const; CheckerContext &C) const;
bool EnableStr30cChecker = false;
bool EnableStr31cChecker = false; bool EnableStr31cChecker = false;
bool EnableStr32cChecker = false; bool EnableStr32cChecker = false;
private: private:
using StrCheck = std::function<void(const StrCheckerBase *, const CallEvent &, using StrCheck = std::function<void(const StrCheckerBase *, const CallEvent &,
const CallContext &, CheckerContext &)>; const CallContext &, CheckerContext &)>;
const CallDescriptionMap<std::pair<StrCheck, CallContext>> CDM = { const CallDescriptionMap<std::pair<StrCheck, CallContext>> CDM = {
// The following checks STR30-C rules.
// void *memchr(const void *buffer, int c, size_t count);
{{"memchr", 3}, {&StrCheckerBase::checkMemchr, {None, 0}}},
// char *strchr(const char *str, int c);
{{"strchr", 2}, {&StrCheckerBase::checkStrchr, {None, 0}}},
// char *strrchr(const char *str, int c);
{{"strrchr", 2}, {&StrCheckerBase::checkStrrchr, {None, 0}}},
// char *strstr(const char *str, const char *strSearch);
{{"strstr", 2}, {&StrCheckerBase::checkStrstr, {None, 0}}},
// char *strpbrk(const char *str, const char *strCharSet);
{{"strpbrk", 2}, {&StrCheckerBase::checkStrpbrk, {None, 0}}},
// The following checks STR31-C rules. // The following checks STR31-C rules.
// char *gets(char *dest); // char *gets(char *dest);
{{"gets", 1}, {&StrCheckerBase::checkGets, {0}}}, {{"gets", 1}, {&StrCheckerBase::checkGets, {0}}},
// int sprintf(char *dest, const char *format, ... [const char *source]); // int sprintf(char *dest, const char *format, ... [const char *source]);
{{"sprintf", 3, 2}, {&StrCheckerBase::checkSprintf, {0}}}, {{"sprintf", 3, 2}, {&StrCheckerBase::checkSprintf, {0}}},
// int fscanf(FILE *stream, const char *format, ... [char *dest]); // int fscanf(FILE *stream, const char *format, ... [char *dest]);
{{"fscanf", 3, 2}, {&StrCheckerBase::checkFscanf, {2}}}, {{"fscanf", 3, 2}, {&StrCheckerBase::checkFscanf, {2}}},
// char *strcpy(char *dest, const char *src); // char *strcpy(char *dest, const char *src);
Show All 9 Lines
} // namespace } // namespace
/// It stores whether the string is null-terminated. /// It stores whether the string is null-terminated.
REGISTER_MAP_WITH_PROGRAMSTATE(NullTerminationMap, const MemRegion *, bool) REGISTER_MAP_WITH_PROGRAMSTATE(NullTerminationMap, const MemRegion *, bool)
/// It stores the allocations which we emit notes on. /// It stores the allocations which we emit notes on.
REGISTER_LIST_WITH_PROGRAMSTATE(AllocationList, const MemRegion *) REGISTER_LIST_WITH_PROGRAMSTATE(AllocationList, const MemRegion *)
/// It stores the constant strings which we have pointers to them.
REGISTER_LIST_WITH_PROGRAMSTATE(PointerList, const MemRegion *)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Helper functions. // Helper functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// Returns the interesting region of \p V. /// Returns the interesting region of \p V.
static const MemRegion *getRegion(SVal V) { static const MemRegion *getRegion(SVal V) {
const MemRegion *MR = V.getAsRegion(); const MemRegion *MR = V.getAsRegion();
if (!MR) if (!MR)
▲ Show 20 LinesShow All 203 Lines▼ Show 20 Lines if (const auto *VR = LocMR->getAs<VarRegion>()) {
} }
} }
createAllocationOverflowReport(NonLocMR, ArrayName, IsInit, C); createAllocationOverflowReport(NonLocMR, ArrayName, IsInit, C);
return true; return true;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// The following checks STR30-C rules.
//===----------------------------------------------------------------------===//
/// Check whether a constant string is being modified. If so, emit a report.
static bool isConstantStringModify(SVal L, SVal V, const Stmt *S,
baloghadamsoftwareUnsubmitted
Not Done
ReplyInline Actions

I do not see V used in this function anywhere. We are not interested to what it is attempted to be modified. We are just interested that it is attempted to be modified.

baloghadamsoftware: I do not see `V` used in this function anywhere. We are not interested to //what// it is…
CheckerContext &C, const BugType &BT) {
// FIXME: Handle more complex modifications.
const auto *BO = dyn_cast<BinaryOperator>(S);
if (!BO)
return false;
const MemRegion *MR = L.getAsRegion();
if (!MR)
return false;
if (!C.getState()->contains<PointerList>(MR))
return false;
SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg);
Out << '\'' << printPretty(BO->getLHS(), C)
<< "' is pointing to a constant string";
auto Report = std::make_unique<PathSensitiveBugReport>(BT, Out.str(),
C.generateErrorNode());
Report->addRange(BO->getLHS()->getSourceRange());
Report->markInteresting(MR);
// Track the allocation.
bugreporter::trackExpressionValue(Report->getErrorNode(), BO->getLHS(),
*Report);
C.emitReport(std::move(Report));
return true;
}
/// Check whether a constant string is being stored. If so, emit a report.
static void checkCharPtr(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) {
const MemRegion *MR = Call.getReturnValue().getAsRegion();
if (!MR)
return;
ProgramStateRef State = C.getState();
const Expr *SrcArg = Call.getArgExpr(*CallC.SourcePos);
const VarRegion *SrcVR = nullptr;
if (const auto *DRE = dyn_cast<DeclRefExpr>(SrcArg->IgnoreImpCasts()))
if (const auto *VD = dyn_cast<VarDecl>(DRE->getDecl()))
SrcVR = State->getRegion(VD, C.getLocationContext());
if (!SrcVR)
return;
const MemRegion *PtrMR = MR->getBaseRegion();
if (!PtrMR)
return;
const auto *PtrTR = PtrMR->getAs<TypedRegion>();
if (!PtrTR)
return;
QualType Ty = PtrTR->getLocationType();
if (Ty->isPointerType())
Ty = Ty->getPointeeType();
if (!Ty.isConstQualified())
return;
std::string CallName = Call.getCalleeIdentifier()->getName().str();
std::string ArgName = SrcVR->getDecl()->getNameAsString();
const NoteTag *Tag = C.getNoteTag(
[=](PathSensitiveBugReport &BR) -> std::string {
if (!BR.isInteresting(MR))
return "";
SmallString<128> Msg;
llvm::raw_svector_ostream Out(Msg);
Out << '\'' << CallName << "' returns a pointer to the constant '"
<< ArgName << '\'';
return Out.str().str();
},
/*IsPrunable=*/false);
State = State->add<PointerList>(MR);
C.addTransition(State, Tag);
}
void StrCheckerBase::checkMemchr(const CallEvent &Call,
const CallContext &CallC,
CheckerContext &C) const {
if (EnableStr30cChecker)
checkCharPtr(Call, CallC, C);
}
void StrCheckerBase::checkStrchr(const CallEvent &Call,
const CallContext &CallC,
CheckerContext &C) const {
if (EnableStr30cChecker)
checkCharPtr(Call, CallC, C);
}
void StrCheckerBase::checkStrrchr(const CallEvent &Call,
const CallContext &CallC,
CheckerContext &C) const {
if (EnableStr30cChecker)
checkCharPtr(Call, CallC, C);
}
void StrCheckerBase::checkStrstr(const CallEvent &Call,
const CallContext &CallC,
CheckerContext &C) const {
if (EnableStr30cChecker)
checkCharPtr(Call, CallC, C);
}
void StrCheckerBase::checkStrpbrk(const CallEvent &Call,
const CallContext &CallC,
CheckerContext &C) const {
if (EnableStr30cChecker)
checkCharPtr(Call, CallC, C);
}
//===----------------------------------------------------------------------===//
// The following checks STR31-C rules. // The following checks STR31-C rules.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void StrCheckerBase::checkGets(const CallEvent &Call, const CallContext &CallC, void StrCheckerBase::checkGets(const CallEvent &Call, const CallContext &CallC,
CheckerContext &C) const { CheckerContext &C) const {
if (EnableStr31cChecker) if (EnableStr31cChecker)
createCallOverflowReport(Call, CallC, C); createCallOverflowReport(Call, CallC, C);
} }
Show All 40 Linesvoid StrCheckerBase::checkStrncpy(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
if (EnableStr32cChecker) if (EnableStr32cChecker)
if (isCallOverflow(Call, CallC, C)) if (isCallOverflow(Call, CallC, C))
createCallOverflowReport(Call, CallC, C); createCallOverflowReport(Call, CallC, C);
} }
void StrCheckerBase::checkBind(SVal L, SVal V, const Stmt *S, void StrCheckerBase::checkBind(SVal L, SVal V, const Stmt *S,
CheckerContext &C) const { CheckerContext &C) const {
if (EnableStr30cChecker)
if (isConstantStringModify(L, V, S, C, BT))
return;
if (!EnableStr32cChecker) if (!EnableStr32cChecker)
return; return;
if (isAllocationOverflow(L, V, S, C)) if (isAllocationOverflow(L, V, S, C))
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
bool IsNullTermination = false; bool IsNullTermination = false;
▲ Show 20 LinesShow All 92 Lines▼ Show 20 Lines
#define REGISTER_CHECKER(Name) \ #define REGISTER_CHECKER(Name) \
void ento::register##Name(CheckerManager &Mgr) { \ void ento::register##Name(CheckerManager &Mgr) { \
auto *Checker = Mgr.getChecker<StrCheckerBase>(); \ auto *Checker = Mgr.getChecker<StrCheckerBase>(); \
Checker->Enable##Name = true; \ Checker->Enable##Name = true; \
} \ } \
\ \
bool ento::shouldRegister##Name(const CheckerManager &) { return true; } bool ento::shouldRegister##Name(const CheckerManager &) { return true; }
REGISTER_CHECKER(Str30cChecker)
REGISTER_CHECKER(Str31cChecker) REGISTER_CHECKER(Str31cChecker)
REGISTER_CHECKER(Str32cChecker) REGISTER_CHECKER(Str32cChecker)

clang/test/Analysis/cert/str30-c-notes.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,unix,alpha.security.cert.str.30c \
// RUN: -analyzer-output=text -verify %s
// See the examples on the page of STR30-C:
// https://wiki.sei.cmu.edu/confluence/x/VtYxBQ
#include "../Inputs/system-header-simulator.h"
typedef __SIZE_TYPE__ size_t;
void free(void *memblock);
void *malloc(size_t size);
char *strrchr(const char *str, int c);
int puts(const char *str);
namespace test_strrchr_bad {
const char *get_dirname(const char *pathname) {
char *slash;
slash = strrchr(pathname, '/');
// expected-note@-1 {{'strrchr' returns a pointer to the constant 'pathname'}}
slash = strrchr(slash, '/');
// expected-note@-1 {{'strrchr' returns a pointer to the constant 'slash'}}
if (slash) {
// expected-note@-1 {{'slash' is non-null}}
// expected-note@-2 {{Taking true branch}}
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Needs to be an assumption.

Charusso: Needs to be an assumption.
CharussoAuthorUnsubmitted
Done
ReplyInline Actions

Let us say it is non-null.

Charusso: Let us say it is non-null.
*slash = '\0'; /* Undefined behavior */
// expected-note@-1 {{'*slash' is pointing to a constant string}}
// expected-warning@-2 {{'*slash' is pointing to a constant string}}
}
return pathname;
}
int main(void) {
puts(get_dirname(__FILE__));
// expected-note@-1 {{Calling 'get_dirname'}}
return 0;
}
} // namespace test_strrchr_bad

clang/test/Analysis/cert/str30-c.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 \
// RUN: -analyzer-checker=core,unix,alpha.security.cert.str.30c \
// RUN: -verify %s
// See the examples on the page of STR30-C:
// https://wiki.sei.cmu.edu/confluence/x/VtYxBQ
#include "../Inputs/system-header-simulator.h"
typedef __SIZE_TYPE__ size_t;
typedef __typeof__((char *)0 - (char *)0) ptrdiff_t;
void free(void *memblock);
void *malloc(size_t size);
char *strrchr(const char *str, int c);
int puts(const char *str);
namespace test_strrchr_bad {
const char *get_dirname(const char *pathname) {
char *slash;
slash = strrchr(pathname, '/');
if (slash) {
*slash = '\0'; /* Undefined behavior */
// expected-warning@-1 {{'*slash' is pointing to a constant string}}
}
return pathname;
}
int main(void) {
puts(get_dirname(__FILE__));
return 0;
}
} // namespace test_strrchr_bad
namespace test_strrchr_good {
char *get_dirname(const char *pathname, char *dirname, size_t size) {
const char *slash;
slash = strrchr(pathname, '/');
if (slash) {
ptrdiff_t slash_idx = slash - pathname;
if ((size_t)slash_idx < size) {
memcpy(dirname, pathname, slash_idx);
dirname[slash_idx] = '\0';
return dirname;
}
}
return 0;
}
int main(void) {
char dirname[260];
if (get_dirname(__FILE__, dirname, sizeof(dirname))) {
puts(dirname);
}
return 0;
}
} // namespace test_strrchr_good