This is an archive of the discontinued LLVM Phabricator instance.

Differential D71566

New checks for fortified sprintf
ClosedPublic

Authored by serge-sans-paille on Dec 16 2019, 1:19 PM.

Details

Reviewers
erik.pilkington
aaron.ballman
rsmith
Commits
rG6d485ff455ea: Improve static checks for sprintf and __builtin___sprintf_chk
Summary

Implement a pessimistic evaluator of the minimal required size for a buffer based on the format string, and couple that with the fortified version to emit a warning when the buffer size is lower than the lower bound computed from the format string.

See the test cases for examples of warnings, and https://github.com/serge-sans-paille/llvm-project/pull/6/checks for the cross-platform validation.

Note: The lower bound could be improved, but I'd rather do that in an incremental commit, if that's okay with the reviewers.

Edit: thanks to @aaron.ballman interest, I've been able to support al(most|l) the scanf specification, ending up with a rather complete support.

Diff Detail

Event Timeline

serge-sans-paille created this revision.Dec 16 2019, 1:19 PM
Herald added subscribers: cfe-commits, dexonsmith. · View Herald TranscriptDec 16 2019, 1:19 PM
erik.pilkington added a comment.Dec 16 2019, 5:03 PM

Thanks for working on this! I think this would be a really useful diagnostic to have.

clang/lib/Sema/SemaChecking.cpp
392

nit: namespace {

580–581

Can you delete this comment now?

596

Optional<APSInt> might be a better way of representing this?

601

Can't you do this for Builtin::sprintf as well? The diagnostic would still be worth issuing when _FORTIFY_SOURCE is disabled.

605

Will this assert on: sprintf(buf, L"foo");? Not that that makes any sense, but we shouldn't crash.

612

I'm not sure why you're using min here, can you add a comment?

serge-sans-paille updated this revision to Diff 234262.Dec 17 2019, 3:46 AM

Take remarks into account:

  • support sprintf when the buffer has a known static size
  • use llvm::Optional
  • some extra minor tweaks.
serge-sans-paille marked 7 inline comments as done.Dec 17 2019, 3:47 AM
serge-sans-paille added inline comments.
clang/lib/Sema/SemaChecking.cpp
580–581

I only deleted the one related to sprintf

605

Still need to check that.

serge-sans-paille updated this revision to Diff 234282.Dec 17 2019, 5:41 AM
serge-sans-paille marked an inline comment as done.
  • Prevent assert upon wide string format
  • More test cases
serge-sans-paille marked 2 inline comments as done.Dec 17 2019, 5:41 AM
serge-sans-paille added inline comments.
clang/lib/Sema/SemaChecking.cpp
605

Checked and fixed!

riccibruno added a subscriber: riccibruno.Dec 17 2019, 6:46 AM
serge-sans-paille updated this revision to Diff 234327.Dec 17 2019, 9:25 AM

Support %% and %c

serge-sans-paille added a comment.Jan 10 2020, 5:55 AM

@erik.pilkington up?

serge-sans-paille added a comment.Jan 16 2020, 3:08 AM

@erik.pilkington up?

erik.pilkington added reviewers: aaron.ballman, rsmith.Jan 16 2020, 9:45 PM
erik.pilkington added inline comments.
clang/lib/Sema/SemaChecking.cpp
621

Wait, does this actually return a smaller length if there is a null-terminator embedded in the string? It looks like Format->getString() returns a StringRef with embedded nul bytes and .size() is returning the length. You might have to do something like: FormatStrRef.find('0');. Can you add a test for this?

serge-sans-paille updated this revision to Diff 238868.Jan 17 2020, 1:03 PM

Update size computation + test case involving null byte inside the format string.

merge_guards_bot added a subscriber: merge_guards_bot.Jan 17 2020, 1:22 PM

Unit tests: fail. 61975 tests passed, 1 failed and 783 were skipped.

failed: LLVM.Bindings/Go/go.test

clang-tidy: unknown.

clang-format: fail. Please format your changes with clang-format by running git-clang-format HEAD^ or applying this patch.

Build artifacts: diff.json, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Harbormaster failed remote builds in B44312: Diff 238868!Jan 17 2020, 1:26 PM
aaron.ballman added inline comments.Jan 20 2020, 8:29 AM
clang/include/clang/Basic/DiagnosticSemaKinds.td
745–746

I'm fine with the current wording because it's consistent with the existing diagnostics, but I wish we would quantify the size with units in these diagnostics. (e.g., mention that this is measured in bytes as opposed to anything else).

clang/lib/Sema/SemaChecking.cpp
405–406

Naming nits: StartSpecifier and SpecifierLen. It looks like startSpecifier isn't used and the name can probably just be dropped.

436–437

Why is size incremented by 3 here instead of 2 as above with a leading 0x?

448

Guard against wraparound?

607

Spurious whitespace.

608

We can handle UTF-8 format strings even when they contain non-ASCII characters?

8382

Spurious whitespace change?

serge-sans-paille updated this revision to Diff 239197.Jan 20 2020, 1:40 PM
serge-sans-paille marked an inline comment as done.

Finer grain lower bound computations, and simpler control-flow for the checking function.

merge_guards_bot added a comment.Jan 20 2020, 1:54 PM

Unit tests: pass. 62028 tests passed, 0 failed and 783 were skipped.

clang-tidy: unknown.

clang-format: fail. Please format your changes with clang-format by running git-clang-format HEAD^ or applying this patch.

Build artifacts: diff.json, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Harbormaster failed remote builds in B44433: Diff 239197!Jan 20 2020, 1:59 PM
serge-sans-paille updated this revision to Diff 239242.Jan 21 2020, 12:44 AM

More tests

merge_guards_bot added a comment.Jan 21 2020, 1:00 AM

Unit tests: pass. 62043 tests passed, 0 failed and 783 were skipped.

clang-tidy: unknown.

clang-format: fail. Please format your changes with clang-format by running git-clang-format HEAD^ or applying this patch.

Build artifacts: diff.json, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Harbormaster failed remote builds in B44456: Diff 239242!Jan 21 2020, 1:08 AM
aaron.ballman added a comment.Jan 21 2020, 1:50 PM

(There are still some minor whitespace nits to resolve as well.)

clang/lib/Sema/SemaChecking.cpp
751

I think this assertion can be triggered in the case where no UsedSize was specified but then UsedSizeArg evaluates to 0, can't it? Or does something catch that case and diagnose?

serge-sans-paille updated this revision to Diff 239654.Jan 22 2020, 10:48 AM

Remove useless assert

serge-sans-paille added a comment.Jan 22 2020, 10:49 AM
In D71566#1832394, @aaron.ballman wrote:

(There are still some minor whitespace nits to resolve as well.)

Strange, everything is passed through clang-format-diff :-/

merge_guards_bot added a comment.Jan 22 2020, 11:28 AM

Unit tests: pass. 62112 tests passed, 0 failed and 808 were skipped.

clang-tidy: pass.

clang-format: pass.

Build artifacts: diff.json, clang-tidy.txt, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Harbormaster completed remote builds in B44614: Diff 239654.Jan 22 2020, 11:37 AM
aaron.ballman accepted this revision.Jan 23 2020, 5:59 AM
In D71566#1834472, @serge-sans-paille wrote:
In D71566#1832394, @aaron.ballman wrote:

(There are still some minor whitespace nits to resolve as well.)

Strange, everything is passed through clang-format-diff :-/

They may have been manually inserted by accident? It's newlines in a few places, I added phab review comments at them.

On the whole, I think this LGTM, assuming the requested test cases don't discover issues.

clang/test/Sema/warn-fortify-source.c
127

I'd like to see some additional tests for things like the + and flags, length modifiers like ll, escape characters, etc. Basically, we should be testing most of the conversion specifiers to verify our conservative length calculations.

This revision is now accepted and ready to land.Jan 23 2020, 5:59 AM
serge-sans-paille updated this revision to Diff 239913.Jan 23 2020, 8:28 AM

Remove extra new lines.
Add more test cases.

serge-sans-paille edited the summary of this revision. (Show Details)Jan 23 2020, 8:35 AM
merge_guards_bot added a comment.Jan 23 2020, 8:40 AM

Unit tests: pass. 62135 tests passed, 0 failed and 812 were skipped.

clang-tidy: pass.

clang-format: fail. Please format your changes with clang-format by running git-clang-format HEAD^ or applying this patch.

Build artifacts: diff.json, clang-tidy.txt, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Pre-merge checks is in beta. Report issue. Please join beta or enable it for your project.

Harbormaster failed remote builds in B44728: Diff 239913!Jan 23 2020, 8:43 AM
serge-sans-paille updated this revision to Diff 239920.Jan 23 2020, 9:39 AM

clang-format update.

merge_guards_bot added a comment.Jan 23 2020, 11:00 AM

Unit tests: fail. 62134 tests passed, 9 failed and 811 were skipped.

failed: LLVM.MC/AArch64/ete-sysregs.s
failed: LLVM.MC/AArch64/trace-regs.s
failed: LLVM.MC/Disassembler/AArch64/ete.txt
failed: LLVM.MC/Disassembler/AArch64/trace-regs.txt
failed: libc++.std/language_support/cmp/cmp_partialord/partialord.pass.cpp
failed: libc++.std/language_support/cmp/cmp_strongeq/cmp.strongeq.pass.cpp
failed: libc++.std/language_support/cmp/cmp_strongord/strongord.pass.cpp
failed: libc++.std/language_support/cmp/cmp_weakeq/cmp.weakeq.pass.cpp
failed: libc++.std/language_support/cmp/cmp_weakord/weakord.pass.cpp

clang-tidy: pass.

clang-format: pass.

Build artifacts: diff.json, clang-tidy.txt, clang-format.patch, CMakeCache.txt, console-log.txt, test-results.xml

Pre-merge checks is in beta. Report issue. Please join beta or enable it for your project.

Harbormaster failed remote builds in B44735: Diff 239920!Jan 23 2020, 11:05 AM
aaron.ballman added a comment.Jan 24 2020, 12:24 PM

Continues to LG, do you need me to commit on your behalf?

serge-sans-paille added a comment.Jan 24 2020, 1:57 PM
In D71566#1839462, @aaron.ballman wrote:

Continues to LG, do you need me to commit on your behalf?

I was waiting for a last LG as I did some changes, thanks for all the quick iteration, I really enjoyed working with you on that patch! I'll submit it tomorrow morning.

Closed by commit rG6d485ff455ea: Improve static checks for sprintf and __builtin___sprintf_chk (authored by serge-sans-paille). · Explain WhyJan 25 2020, 9:13 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
include/
clang/
Basic/
6 lines
lib/
Sema/
244 lines
test/
Sema/
87 lines

Diff 240385

clang/include/clang/Basic/DiagnosticSemaKinds.td

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 735 Lines▼ Show 20 Linesdef warn_builtin_chk_overflow : Warning<
InGroup<DiagGroup<"builtin-memcpy-chk-size">>; InGroup<DiagGroup<"builtin-memcpy-chk-size">>;
def warn_fortify_source_overflow def warn_fortify_source_overflow
: Warning<warn_builtin_chk_overflow.Text>, InGroup<FortifySource>; : Warning<warn_builtin_chk_overflow.Text>, InGroup<FortifySource>;
def warn_fortify_source_size_mismatch : Warning< def warn_fortify_source_size_mismatch : Warning<
"'%0' size argument is too large; destination buffer has size %1," "'%0' size argument is too large; destination buffer has size %1,"
" but size argument is %2">, InGroup<FortifySource>; " but size argument is %2">, InGroup<FortifySource>;
def warn_fortify_source_format_overflow : Warning<
"'%0' will always overflow; destination buffer has size %1,"
" but format string expands to at least %2">,
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I'm fine with the current wording because it's consistent with the existing diagnostics, but I wish we would quantify the size with units in these diagnostics. (e.g., mention that this is measured in bytes as opposed to anything else).

aaron.ballman: I'm fine with the current wording because it's consistent with the existing diagnostics, but I…
InGroup<FortifySource>;
/// main() /// main()
// static main() is not an error in C, just in C++. // static main() is not an error in C, just in C++.
def warn_static_main : Warning<"'main' should not be declared static">, def warn_static_main : Warning<"'main' should not be declared static">,
InGroup<Main>; InGroup<Main>;
def err_static_main : Error<"'main' is not allowed to be declared static">; def err_static_main : Error<"'main' is not allowed to be declared static">;
def err_inline_main : Error<"'main' is not allowed to be declared inline">; def err_inline_main : Error<"'main' is not allowed to be declared inline">;
def ext_variadic_main : ExtWarn< def ext_variadic_main : ExtWarn<
"'main' is not allowed to be declared variadic">, InGroup<Main>; "'main' is not allowed to be declared variadic">, InGroup<Main>;
▲ Show 20 LinesShow All 9,612 LinesShow Last 20 Lines

clang/lib/Sema/SemaChecking.cpp

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 383 Lines▼ Show 20 Linesstatic bool SemaBuiltinCallWithStaticChain(Sema &S, CallExpr *BuiltinCall) {
BuiltinCall->setType(CE->getType()); BuiltinCall->setType(CE->getType());
BuiltinCall->setValueKind(CE->getValueKind()); BuiltinCall->setValueKind(CE->getValueKind());
BuiltinCall->setObjectKind(CE->getObjectKind()); BuiltinCall->setObjectKind(CE->getObjectKind());
BuiltinCall->setCallee(Builtin); BuiltinCall->setCallee(Builtin);
BuiltinCall->setArg(1, ChainResult.get()); BuiltinCall->setArg(1, ChainResult.get());
return false; return false;
} }
erik.pilkingtonUnsubmitted
Done
ReplyInline Actions

nit: namespace {

erik.pilkington: nit: `namespace {`
namespace {
class EstimateSizeFormatHandler
: public analyze_format_string::FormatStringHandler {
size_t Size;
public:
EstimateSizeFormatHandler(StringRef Format)
: Size(std::min(Format.find(0), Format.size()) +
1 /* null byte always written by sprintf */) {}
bool HandlePrintfSpecifier(const analyze_printf::PrintfSpecifier &FS,
const char *, unsigned SpecifierLen) override {
aaron.ballmanUnsubmitted
Done
ReplyInline Actions

Naming nits: StartSpecifier and SpecifierLen. It looks like startSpecifier isn't used and the name can probably just be dropped.

aaron.ballman: Naming nits: `StartSpecifier` and `SpecifierLen`. It looks like `startSpecifier` isn't used and…
const size_t FieldWidth = computeFieldWidth(FS);
const size_t Precision = computePrecision(FS);
// The actual format.
switch (FS.getConversionSpecifier().getKind()) {
// Just a char.
case analyze_format_string::ConversionSpecifier::cArg:
case analyze_format_string::ConversionSpecifier::CArg:
Size += std::max(FieldWidth, (size_t)1);
break;
// Just an integer.
case analyze_format_string::ConversionSpecifier::dArg:
case analyze_format_string::ConversionSpecifier::DArg:
case analyze_format_string::ConversionSpecifier::iArg:
case analyze_format_string::ConversionSpecifier::oArg:
case analyze_format_string::ConversionSpecifier::OArg:
case analyze_format_string::ConversionSpecifier::uArg:
case analyze_format_string::ConversionSpecifier::UArg:
case analyze_format_string::ConversionSpecifier::xArg:
case analyze_format_string::ConversionSpecifier::XArg:
Size += std::max(FieldWidth, Precision);
break;
// %g style conversion switches between %f or %e style dynamically.
// %f always takes less space, so default to it.
case analyze_format_string::ConversionSpecifier::gArg:
case analyze_format_string::ConversionSpecifier::GArg:
// Floating point number in the form '[+]ddd.ddd'.
case analyze_format_string::ConversionSpecifier::fArg:
case analyze_format_string::ConversionSpecifier::FArg:
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Why is size incremented by 3 here instead of 2 as above with a leading 0x?

aaron.ballman: Why is size incremented by 3 here instead of 2 as above with a leading 0x?
Size += std::max(FieldWidth, 1 /* integer part */ +
(Precision ? 1 + Precision
: 0) /* period + decimal */);
break;
// Floating point number in the form '[-]d.ddde[+-]dd'.
case analyze_format_string::ConversionSpecifier::eArg:
case analyze_format_string::ConversionSpecifier::EArg:
Size +=
std::max(FieldWidth,
1 /* integer part */ +
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Guard against wraparound?

aaron.ballman: Guard against wraparound?
(Precision ? 1 + Precision : 0) /* period + decimal */ +
1 /* e or E letter */ + 2 /* exponent */);
break;
// Floating point number in the form '[-]0xh.hhhhp±dd'.
case analyze_format_string::ConversionSpecifier::aArg:
case analyze_format_string::ConversionSpecifier::AArg:
Size +=
std::max(FieldWidth,
2 /* 0x */ + 1 /* integer part */ +
(Precision ? 1 + Precision : 0) /* period + decimal */ +
1 /* p or P letter */ + 1 /* + or - */ + 1 /* value */);
break;
// Just a string.
case analyze_format_string::ConversionSpecifier::sArg:
case analyze_format_string::ConversionSpecifier::SArg:
Size += FieldWidth;
break;
// Just a pointer in the form '0xddd'.
case analyze_format_string::ConversionSpecifier::pArg:
Size += std::max(FieldWidth, 2 /* leading 0x */ + Precision);
break;
// A plain percent.
case analyze_format_string::ConversionSpecifier::PercentArg:
Size += 1;
break;
default:
break;
}
Size += FS.hasPlusPrefix() || FS.hasSpacePrefix();
if (FS.hasAlternativeForm()) {
switch (FS.getConversionSpecifier().getKind()) {
default:
break;
// Force a leading '0'.
case analyze_format_string::ConversionSpecifier::oArg:
Size += 1;
break;
// Force a leading '0x'.
case analyze_format_string::ConversionSpecifier::xArg:
case analyze_format_string::ConversionSpecifier::XArg:
Size += 2;
break;
// Force a period '.' before decimal, even if precision is 0.
case analyze_format_string::ConversionSpecifier::aArg:
case analyze_format_string::ConversionSpecifier::AArg:
case analyze_format_string::ConversionSpecifier::eArg:
case analyze_format_string::ConversionSpecifier::EArg:
case analyze_format_string::ConversionSpecifier::fArg:
case analyze_format_string::ConversionSpecifier::FArg:
case analyze_format_string::ConversionSpecifier::gArg:
case analyze_format_string::ConversionSpecifier::GArg:
Size += (Precision ? 0 : 1);
break;
}
}
assert(SpecifierLen <= Size && "no underflow");
Size -= SpecifierLen;
return true;
}
size_t getSizeLowerBound() const { return Size; }
private:
static size_t computeFieldWidth(const analyze_printf::PrintfSpecifier &FS) {
const analyze_format_string::OptionalAmount &FW = FS.getFieldWidth();
size_t FieldWidth = 0;
if (FW.getHowSpecified() == analyze_format_string::OptionalAmount::Constant)
FieldWidth = FW.getConstantAmount();
return FieldWidth;
}
static size_t computePrecision(const analyze_printf::PrintfSpecifier &FS) {
const analyze_format_string::OptionalAmount &FW = FS.getPrecision();
size_t Precision = 0;
// See man 3 printf for default precision value based on the specifier.
switch (FW.getHowSpecified()) {
case analyze_format_string::OptionalAmount::NotSpecified:
switch (FS.getConversionSpecifier().getKind()) {
default:
break;
case analyze_format_string::ConversionSpecifier::dArg: // %d
case analyze_format_string::ConversionSpecifier::DArg: // %D
case analyze_format_string::ConversionSpecifier::iArg: // %i
Precision = 1;
break;
case analyze_format_string::ConversionSpecifier::oArg: // %d
case analyze_format_string::ConversionSpecifier::OArg: // %D
case analyze_format_string::ConversionSpecifier::uArg: // %d
case analyze_format_string::ConversionSpecifier::UArg: // %D
case analyze_format_string::ConversionSpecifier::xArg: // %d
case analyze_format_string::ConversionSpecifier::XArg: // %D
Precision = 1;
break;
case analyze_format_string::ConversionSpecifier::fArg: // %f
case analyze_format_string::ConversionSpecifier::FArg: // %F
case analyze_format_string::ConversionSpecifier::eArg: // %e
case analyze_format_string::ConversionSpecifier::EArg: // %E
case analyze_format_string::ConversionSpecifier::gArg: // %g
case analyze_format_string::ConversionSpecifier::GArg: // %G
Precision = 6;
break;
case analyze_format_string::ConversionSpecifier::pArg: // %d
Precision = 1;
break;
}
break;
case analyze_format_string::OptionalAmount::Constant:
Precision = FW.getConstantAmount();
break;
default:
break;
}
return Precision;
}
};
} // namespace
/// Check a call to BuiltinID for buffer overflows. If BuiltinID is a /// Check a call to BuiltinID for buffer overflows. If BuiltinID is a
/// __builtin_*_chk function, then use the object size argument specified in the /// __builtin_*_chk function, then use the object size argument specified in the
/// source. Otherwise, infer the object size using __builtin_object_size. /// source. Otherwise, infer the object size using __builtin_object_size.
void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD, void Sema::checkFortifiedBuiltinMemoryFunction(FunctionDecl *FD,
CallExpr *TheCall) { CallExpr *TheCall) {
// FIXME: There are some more useful checks we could be doing here: // FIXME: There are some more useful checks we could be doing here:
// - Analyze the format string of sprintf to see how much of buffer is used.
// - Evaluate strlen of strcpy arguments, use as object size. // - Evaluate strlen of strcpy arguments, use as object size.
erik.pilkingtonUnsubmitted
Done
ReplyInline Actions

Can you delete this comment now?

erik.pilkington: Can you delete this comment now?
serge-sans-pailleAuthorUnsubmitted
Done
ReplyInline Actions

I only deleted the one related to sprintf

serge-sans-paille: I only deleted the one related to sprintf
if (TheCall->isValueDependent() || TheCall->isTypeDependent() || if (TheCall->isValueDependent() || TheCall->isTypeDependent() ||
isConstantEvaluated()) isConstantEvaluated())
return; return;
unsigned BuiltinID = FD->getBuiltinID(/*ConsiderWrappers=*/true); unsigned BuiltinID = FD->getBuiltinID(/*ConsiderWrappers=*/true);
if (!BuiltinID) if (!BuiltinID)
return; return;
const TargetInfo &TI = getASTContext().getTargetInfo();
unsigned SizeTypeWidth = TI.getTypeWidth(TI.getSizeType());
unsigned DiagID = 0; unsigned DiagID = 0;
bool IsChkVariant = false; bool IsChkVariant = false;
Optional<llvm::APSInt> UsedSize;
erik.pilkingtonUnsubmitted
Done
ReplyInline Actions

Optional<APSInt> might be a better way of representing this?

erik.pilkington: `Optional<APSInt>` might be a better way of representing this?
unsigned SizeIndex, ObjectIndex; unsigned SizeIndex, ObjectIndex;
switch (BuiltinID) { switch (BuiltinID) {
default: default:
return; return;
case Builtin::BIsprintf:
erik.pilkingtonUnsubmitted
Done
ReplyInline Actions

Can't you do this for Builtin::sprintf as well? The diagnostic would still be worth issuing when _FORTIFY_SOURCE is disabled.

erik.pilkington: Can't you do this for `Builtin::sprintf` as well? The diagnostic would still be worth issuing…
case Builtin::BI__builtin___sprintf_chk: {
size_t FormatIndex = BuiltinID == Builtin::BIsprintf ? 1 : 3;
auto *FormatExpr = TheCall->getArg(FormatIndex)->IgnoreParenImpCasts();
erik.pilkingtonUnsubmitted
Done
ReplyInline Actions

Will this assert on: sprintf(buf, L"foo");? Not that that makes any sense, but we shouldn't crash.

erik.pilkington: Will this assert on: `sprintf(buf, L"foo");`? Not that that makes any sense, but we shouldn't…
serge-sans-pailleAuthorUnsubmitted
Done
ReplyInline Actions

Still need to check that.

serge-sans-paille: Still need to check that.
serge-sans-pailleAuthorUnsubmitted
Done
ReplyInline Actions

Checked and fixed!

serge-sans-paille: Checked and fixed!
if (auto *Format = dyn_cast<StringLiteral>(FormatExpr)) {
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Spurious whitespace.

aaron.ballman: Spurious whitespace.
if (!Format->isAscii() && !Format->isUTF8())
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

We can handle UTF-8 format strings even when they contain non-ASCII characters?

aaron.ballman: We can handle UTF-8 format strings even when they contain non-ASCII characters?
return;
StringRef FormatStrRef = Format->getString();
EstimateSizeFormatHandler H(FormatStrRef);
erik.pilkingtonUnsubmitted
Done
ReplyInline Actions

I'm not sure why you're using min here, can you add a comment?

erik.pilkington: I'm not sure why you're using `min` here, can you add a comment?
const char *FormatBytes = FormatStrRef.data();
const ConstantArrayType *T =
Context.getAsConstantArrayType(Format->getType());
assert(T && "String literal not of constant array type!");
size_t TypeSize = T->getSize().getZExtValue();
// In case there's a null byte somewhere.
size_t StrLen =
std::min(std::max(TypeSize, size_t(1)) - 1, FormatStrRef.find(0));
erik.pilkingtonUnsubmitted
Not Done
ReplyInline Actions

Wait, does this actually return a smaller length if there is a null-terminator embedded in the string? It looks like Format->getString() returns a StringRef with embedded nul bytes and .size() is returning the length. You might have to do something like: FormatStrRef.find('0');. Can you add a test for this?

erik.pilkington: Wait, does this actually return a smaller length if there is a null-terminator embedded in the…
if (!analyze_format_string::ParsePrintfString(
H, FormatBytes, FormatBytes + StrLen, getLangOpts(),
Context.getTargetInfo(), false)) {
DiagID = diag::warn_fortify_source_format_overflow;
UsedSize = llvm::APSInt::getUnsigned(H.getSizeLowerBound())
.extOrTrunc(SizeTypeWidth);
if (BuiltinID == Builtin::BI__builtin___sprintf_chk) {
IsChkVariant = true;
ObjectIndex = 2;
} else {
IsChkVariant = false;
ObjectIndex = 0;
}
break;
}
}
return;
}
case Builtin::BI__builtin___memcpy_chk: case Builtin::BI__builtin___memcpy_chk:
case Builtin::BI__builtin___memmove_chk: case Builtin::BI__builtin___memmove_chk:
case Builtin::BI__builtin___memset_chk: case Builtin::BI__builtin___memset_chk:
case Builtin::BI__builtin___strlcat_chk: case Builtin::BI__builtin___strlcat_chk:
case Builtin::BI__builtin___strlcpy_chk: case Builtin::BI__builtin___strlcpy_chk:
case Builtin::BI__builtin___strncat_chk: case Builtin::BI__builtin___strncat_chk:
case Builtin::BI__builtin___strncpy_chk: case Builtin::BI__builtin___strncpy_chk:
case Builtin::BI__builtin___stpncpy_chk: case Builtin::BI__builtin___stpncpy_chk:
▲ Show 20 LinesShow All 76 Lines▼ Show 20 Lines if (const auto *POS =
FD->getParamDecl(ObjectIndex)->getAttr<PassObjectSizeAttr>()) FD->getParamDecl(ObjectIndex)->getAttr<PassObjectSizeAttr>())
BOSType = POS->getType(); BOSType = POS->getType();
Expr *ObjArg = TheCall->getArg(ObjectIndex); Expr *ObjArg = TheCall->getArg(ObjectIndex);
uint64_t Result; uint64_t Result;
if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType)) if (!ObjArg->tryEvaluateObjectSize(Result, getASTContext(), BOSType))
return; return;
// Get the object size in the target's size_t width. // Get the object size in the target's size_t width.
const TargetInfo &TI = getASTContext().getTargetInfo();
unsigned SizeTypeWidth = TI.getTypeWidth(TI.getSizeType());
ObjectSize = llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth); ObjectSize = llvm::APSInt::getUnsigned(Result).extOrTrunc(SizeTypeWidth);
} }
// Evaluate the number of bytes of the object that this call will use. // Evaluate the number of bytes of the object that this call will use.
if (!UsedSize) {
Expr::EvalResult Result; Expr::EvalResult Result;
Expr *UsedSizeArg = TheCall->getArg(SizeIndex); Expr *UsedSizeArg = TheCall->getArg(SizeIndex);
if (!UsedSizeArg->EvaluateAsInt(Result, getASTContext())) if (!UsedSizeArg->EvaluateAsInt(Result, getASTContext()))
return; return;
llvm::APSInt UsedSize = Result.Val.getInt(); UsedSize = Result.Val.getInt().extOrTrunc(SizeTypeWidth);
}
if (UsedSize.ule(ObjectSize)) if (UsedSize.getValue().ule(ObjectSize))
return; return;
StringRef FunctionName = getASTContext().BuiltinInfo.getName(BuiltinID); StringRef FunctionName = getASTContext().BuiltinInfo.getName(BuiltinID);
// Skim off the details of whichever builtin was called to produce a better // Skim off the details of whichever builtin was called to produce a better
// diagnostic, as it's unlikley that the user wrote the __builtin explicitly. // diagnostic, as it's unlikley that the user wrote the __builtin explicitly.
if (IsChkVariant) { if (IsChkVariant) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin___")); FunctionName = FunctionName.drop_front(std::strlen("__builtin___"));
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I think this assertion can be triggered in the case where no UsedSize was specified but then UsedSizeArg evaluates to 0, can't it? Or does something catch that case and diagnose?

aaron.ballman: I think this assertion can be triggered in the case where no `UsedSize` was specified but then…
FunctionName = FunctionName.drop_back(std::strlen("_chk")); FunctionName = FunctionName.drop_back(std::strlen("_chk"));
} else if (FunctionName.startswith("__builtin_")) { } else if (FunctionName.startswith("__builtin_")) {
FunctionName = FunctionName.drop_front(std::strlen("__builtin_")); FunctionName = FunctionName.drop_front(std::strlen("__builtin_"));
} }
DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall, DiagRuntimeBehavior(TheCall->getBeginLoc(), TheCall,
PDiag(DiagID) PDiag(DiagID)
<< FunctionName << ObjectSize.toString(/*Radix=*/10) << FunctionName << ObjectSize.toString(/*Radix=*/10)
<< UsedSize.toString(/*Radix=*/10)); << UsedSize.getValue().toString(/*Radix=*/10));
} }
static bool SemaBuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall, static bool SemaBuiltinSEHScopeCheck(Sema &SemaRef, CallExpr *TheCall,
Scope::ScopeFlags NeededScopeFlags, Scope::ScopeFlags NeededScopeFlags,
unsigned DiagID) { unsigned DiagID) {
// Scopes aren't available during instantiation. Fortunately, builtin // Scopes aren't available during instantiation. Fortunately, builtin
// functions cannot be template args so they cannot be formed through template // functions cannot be template args so they cannot be formed through template
// instantiation. Therefore checking once during the parse is sufficient. // instantiation. Therefore checking once during the parse is sufficient.
▲ Show 20 LinesShow All 7,605 Lines▼ Show 20 Lines CheckPrintfHandler H(
HasVAListArg, Args, format_idx, inFunctionCall, CallType, HasVAListArg, Args, format_idx, inFunctionCall, CallType,
CheckedVarArgs, UncoveredArg); CheckedVarArgs, UncoveredArg);
if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen, if (!analyze_format_string::ParsePrintfString(H, Str, Str + StrLen,
S.getLangOpts(), S.getLangOpts(),
S.Context.getTargetInfo(), S.Context.getTargetInfo(),
Type == Sema::FST_FreeBSDKPrintf)) Type == Sema::FST_FreeBSDKPrintf))
H.DoneProcessing(); H.DoneProcessing();
} else if (Type == Sema::FST_Scanf) { } else if (Type == Sema::FST_Scanf) {
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

Spurious whitespace change?

aaron.ballman: Spurious whitespace change?
CheckScanfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg, CheckScanfHandler H(S, FExpr, OrigFormatExpr, Type, firstDataArg,
numDataArgs, Str, HasVAListArg, Args, format_idx, numDataArgs, Str, HasVAListArg, Args, format_idx,
inFunctionCall, CallType, CheckedVarArgs, UncoveredArg); inFunctionCall, CallType, CheckedVarArgs, UncoveredArg);
if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen, if (!analyze_format_string::ParseScanfString(H, Str, Str + StrLen,
S.getLangOpts(), S.getLangOpts(),
S.Context.getTargetInfo())) S.Context.getTargetInfo()))
H.DoneProcessing(); H.DoneProcessing();
▲ Show 20 LinesShow All 6,088 LinesShow Last 20 Lines

clang/test/Sema/warn-fortify-source.c

// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify // RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify
// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_PASS_OBJECT_SIZE // RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_PASS_OBJECT_SIZE
// RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_BUILTINS // RUN: %clang_cc1 -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_BUILTINS
// RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify // RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify
// RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_PASS_OBJECT_SIZE // RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_PASS_OBJECT_SIZE
// RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_BUILTINS // RUN: %clang_cc1 -xc++ -triple x86_64-apple-macosx10.14.0 %s -verify -DUSE_BUILTINS
typedef unsigned long size_t; typedef unsigned long size_t;
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
#endif #endif
extern int sprintf(char *str, const char *format, ...);
#if defined(USE_PASS_OBJECT_SIZE) #if defined(USE_PASS_OBJECT_SIZE)
void *memcpy(void *dst, const void *src, size_t c); void *memcpy(void *dst, const void *src, size_t c);
static void *memcpy(void *dst __attribute__((pass_object_size(1))), const void *src, size_t c) __attribute__((overloadable)) __asm__("merp"); static void *memcpy(void *dst __attribute__((pass_object_size(1))), const void *src, size_t c) __attribute__((overloadable)) __asm__("merp");
static void *memcpy(void *const dst __attribute__((pass_object_size(1))), const void *src, size_t c) __attribute__((overloadable)) { static void *memcpy(void *const dst __attribute__((pass_object_size(1))), const void *src, size_t c) __attribute__((overloadable)) {
return 0; return 0;
} }
#elif defined(USE_BUILTINS) #elif defined(USE_BUILTINS)
#define memcpy(x,y,z) __builtin_memcpy(x,y,z) #define memcpy(x,y,z) __builtin_memcpy(x,y,z)
▲ Show 20 LinesShow All 69 Lines▼ Show 20 Lines
void call_vsnprintf() { void call_vsnprintf() {
char buf[10]; char buf[10];
__builtin_va_list list; __builtin_va_list list;
__builtin_vsnprintf(buf, 10, "merp", list); __builtin_vsnprintf(buf, 10, "merp", list);
__builtin_vsnprintf(buf, 11, "merp", list); // expected-warning {{'vsnprintf' size argument is too large; destination buffer has size 10, but size argument is 11}} __builtin_vsnprintf(buf, 11, "merp", list); // expected-warning {{'vsnprintf' size argument is too large; destination buffer has size 10, but size argument is 11}}
} }
void call_sprintf_chk(char *buf) {
__builtin___sprintf_chk(buf, 1, 6, "hell\n");
__builtin___sprintf_chk(buf, 1, 5, "hell\n"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 6}}
__builtin___sprintf_chk(buf, 1, 6, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}}
__builtin___sprintf_chk(buf, 1, 2, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}}
// expected-warning@-1 {{'sprintf' will always overflow; destination buffer has size 2, but format string expands to at least 5}}
__builtin___sprintf_chk(buf, 1, 6, "hello");
__builtin___sprintf_chk(buf, 1, 5, "hello"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 6}}
__builtin___sprintf_chk(buf, 1, 2, "%c", '9');
__builtin___sprintf_chk(buf, 1, 1, "%c", '9'); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%d", 9);
__builtin___sprintf_chk(buf, 1, 1, "%d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%i", 9);
__builtin___sprintf_chk(buf, 1, 1, "%i", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%o", 9);
__builtin___sprintf_chk(buf, 1, 1, "%o", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%u", 9);
__builtin___sprintf_chk(buf, 1, 1, "%u", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%x", 9);
__builtin___sprintf_chk(buf, 1, 1, "%x", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%X", 9);
__builtin___sprintf_chk(buf, 1, 1, "%X", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%hhd", (char)9);
__builtin___sprintf_chk(buf, 1, 1, "%hhd", (char)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%hd", (short)9);
__builtin___sprintf_chk(buf, 1, 1, "%hd", (short)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%ld", 9l);
aaron.ballmanUnsubmitted
Not Done
ReplyInline Actions

I'd like to see some additional tests for things like the + and flags, length modifiers like ll, escape characters, etc. Basically, we should be testing most of the conversion specifiers to verify our conservative length calculations.

aaron.ballman: I'd like to see some additional tests for things like the `+` and ` ` flags, length modifiers…
__builtin___sprintf_chk(buf, 1, 1, "%ld", 9l); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%lld", 9ll);
__builtin___sprintf_chk(buf, 1, 1, "%lld", 9ll); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 2, "%%");
__builtin___sprintf_chk(buf, 1, 1, "%%"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 1, but format string expands to at least 2}}
__builtin___sprintf_chk(buf, 1, 4, "%#x", 9);
__builtin___sprintf_chk(buf, 1, 3, "%#x", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 3, but format string expands to at least 4}}
__builtin___sprintf_chk(buf, 1, 4, "%p", (void *)9);
__builtin___sprintf_chk(buf, 1, 3, "%p", (void *)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 3, but format string expands to at least 4}}
__builtin___sprintf_chk(buf, 1, 3, "%+d", 9);
__builtin___sprintf_chk(buf, 1, 2, "%+d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 2, but format string expands to at least 3}}
__builtin___sprintf_chk(buf, 1, 3, "% i", 9);
__builtin___sprintf_chk(buf, 1, 2, "% i", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 2, but format string expands to at least 3}}
__builtin___sprintf_chk(buf, 1, 6, "%5d", 9);
__builtin___sprintf_chk(buf, 1, 5, "%5d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 5, but format string expands to at least 6}}
__builtin___sprintf_chk(buf, 1, 9, "%f", 9.f);
__builtin___sprintf_chk(buf, 1, 8, "%f", 9.f); // expected-warning {{'sprintf' will always overflow; destination buffer has size 8, but format string expands to at least 9}}
__builtin___sprintf_chk(buf, 1, 9, "%Lf", (long double)9.);
__builtin___sprintf_chk(buf, 1, 8, "%Lf", (long double)9.); // expected-warning {{'sprintf' will always overflow; destination buffer has size 8, but format string expands to at least 9}}
__builtin___sprintf_chk(buf, 1, 10, "%+f", 9.f);
__builtin___sprintf_chk(buf, 1, 9, "%+f", 9.f); // expected-warning {{'sprintf' will always overflow; destination buffer has size 9, but format string expands to at least 10}}
__builtin___sprintf_chk(buf, 1, 12, "%e", 9.f);
__builtin___sprintf_chk(buf, 1, 11, "%e", 9.f); // expected-warning {{'sprintf' will always overflow; destination buffer has size 11, but format string expands to at least 12}}
}
void call_sprintf() {
char buf[6];
sprintf(buf, "hell\0 boy"); // expected-warning {{format string contains '\0' within the string body}}
sprintf(buf, "hello b\0y"); // expected-warning {{format string contains '\0' within the string body}}
// expected-warning@-1 {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 8}}
sprintf(buf, "hello");
sprintf(buf, "hello!"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "1234%%");
sprintf(buf, "12345%%"); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "1234%c", '9');
sprintf(buf, "12345%c", '9'); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "1234%d", 9);
sprintf(buf, "12345%d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "1234%lld", 9ll);
sprintf(buf, "12345%lld", 9ll); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "12%#x", 9);
sprintf(buf, "123%#x", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "12%p", (void *)9);
sprintf(buf, "123%p", (void *)9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "123%+d", 9);
sprintf(buf, "1234%+d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "123% i", 9);
sprintf(buf, "1234% i", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "%5d", 9);
sprintf(buf, "1%5d", 9); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "%.3f", 9.f);
sprintf(buf, "5%.3f", 9.f); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "%+.2f", 9.f);
sprintf(buf, "%+.3f", 9.f); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 7}}
sprintf(buf, "%.0e", 9.f);
sprintf(buf, "5%.1e", 9.f); // expected-warning {{'sprintf' will always overflow; destination buffer has size 6, but format string expands to at least 8}}
}
#ifdef __cplusplus #ifdef __cplusplus
template <class> struct S { template <class> struct S {
void mf() const { void mf() const {
__builtin_memset(const_cast<char *>(mv), 0, 0); __builtin_memset(const_cast<char *>(mv), 0, 0);
} }
char mv[10]; char mv[10];
}; };
Show All 13 Lines