This is an archive of the discontinued LLVM Phabricator instance.

Differential D74806

[analyzer] NFCi: Refactor CStringChecker: use strongly typed internal API
ClosedPublic

Authored by steakhal on Feb 18 2020, 4:25 PM.

Details

Reviewers
NoQ
baloghadamsoftware
Szelethus
rengolin
Charusso
Commits
rG30e5c7e82fa1: [analyzer] NFCi: Refactor CStringChecker: use strongly typed internal API
Summary

CStringChecker is a huge beast.

My effort in improving the analyzer regarding taint analysis is humbled by multiple factors.
I wanted to extend the diagnostics of the CStringChecker with taintedness.

In the long run, the diagnostic emitting parts of the GenericTaintChecker would be migrated to multiple checkers, leaving it's responsibility only to *model* taint propagation.
Eg. the GenericTaintChecker::checkTaintedBufferSize functionality will be mostly part of the CStringChecker.

This plan requires the CStringChecker to be refactored to support a more flexible reporting mechanism.

This patch does only refactorings, such:

  • eliminates always false parameters (like WarnAboutSize)
  • reduces the number of parameters
  • makes strong types differentiating *source* and *destination* buffers (same with size expressions)
  • binds the argument expression and the index, making diagnostics accurate and easy to emit
  • removes a bunch of default parameters to make it more readable
  • remove random const char * warning message parameters, making clear where and what is going to be emitted

Note that:

  • CheckBufferAccess now checks *only* one buffer, this removed about 100 LOC code duplication
  • not every function was refactored to use the /new/ strongly typed API, since the CString related functions are really closely coupled monolithic beasts, I will refactor them separately
  • all tests are preserved and passing; only *the message changed at some places*. In my opinion, these messages are holding the same information.

I would also highlight that this refactoring caught a bug in clang/test/Analysis/string.c:454 where the diagnostic did not reflect reality. This catch backs my effort on simplifying this monolithic CStringChecker.

Diff Detail

Event Timeline

steakhal created this revision.Feb 18 2020, 4:25 PM
Herald added a reviewer: rengolin. · View Herald TranscriptFeb 18 2020, 4:25 PM
Herald added subscribers: cfe-commits, martong, Charusso and 8 others. · View Herald Transcript
steakhal updated this revision to Diff 245300.Feb 18 2020, 4:27 PM
steakhal edited the summary of this revision. (Show Details)

Upload the right diff.

steakhal added a reviewer: Charusso.Feb 19 2020, 2:00 AM
Harbormaster completed remote builds in B46771: Diff 245291.Feb 19 2020, 3:19 AM
NoQ accepted this revision.Feb 19 2020, 3:24 AM

This is fantastic, i love it!

all tests are preserved and passing; only *the message changed at some places*. In my opinion, these messages are holding the same information.

You make it sound like an accident; i encourage you to have a closer look to make sure that there are no other effects than the ones observed on tests.

clang/test/Analysis/string.c
454

Nice catch indeed!~

This revision is now accepted and ready to land.Feb 19 2020, 3:24 AM
steakhal marked an inline comment as done.Feb 19 2020, 4:32 AM
In D74806#1882300, @NoQ wrote:

This is fantastic, i love it!

all tests are preserved and passing; only *the message changed at some places*. In my opinion, these messages are holding the same information.

You make it sound like an accident; i encourage you to have a closer look to make sure that there are no other effects than the ones observed on tests.

How should I look for differences/regressions without extending and validating systematically the test cases we have for this checker? That seems to be a huge work since bstring.c has 500+ and the string.c has 1600+ lines.

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
37

I'm not marking it const in this patch since the 496th line swaps two instances of this class, so it cannot be done without refactoring that function.

494–498

It is really interesting that it swaps the arguments in some sense.

I'm pretty sure that now if a diagnostic is emitted after this swap, the argument indexes used to construct the diagnostic message would mismatch. I will dig into this later, probably refactor the whole function to make the intentions clear. What do you think? @NoQ

1580–1587

This part is really interesting.

Using strong types highlighted this particular code. Since SizeArgExpr is conceptually different than a SourceArgExpr this code did not compile without additional effort.

Previously it passed the size argument if it were given, but if the function were unbounded than it passed the source expression where size was expected, which does not make any sense.

Since I plan to refactor the whole cstring related functions, not just the memset, memcpy etc. I tried to leave it as it were, to preserve the current (broken) semantics of the function.

Closed by commit rG30e5c7e82fa1: [analyzer] NFCi: Refactor CStringChecker: use strongly typed internal API (authored by steakhal). · Explain WhyApr 9 2020, 7:35 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: ASDenysPetrov. · View Herald TranscriptApr 9 2020, 7:35 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
584 lines
test/
Analysis/
8 lines
12 lines
7 lines
46 lines

Diff 256301

clang/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show All 24 Lines
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
struct AnyArgExpr {
// FIXME: Remove constructor in C++17 to turn it into an aggregate.
AnyArgExpr(const Expr *Expression, unsigned ArgumentIndex)
: Expression{Expression}, ArgumentIndex{ArgumentIndex} {}
const Expr *Expression;
steakhalAuthorUnsubmitted
Not Done
ReplyInline Actions

I'm not marking it const in this patch since the 496th line swaps two instances of this class, so it cannot be done without refactoring that function.

steakhal: I'm not marking it `const` in this patch since the 496th line swaps two instances of this class…
unsigned ArgumentIndex;
};
struct SourceArgExpr : AnyArgExpr {
using AnyArgExpr::AnyArgExpr; // FIXME: Remove using in C++17.
};
struct DestinationArgExpr : AnyArgExpr {
using AnyArgExpr::AnyArgExpr; // FIXME: Same.
};
struct SizeArgExpr : AnyArgExpr {
using AnyArgExpr::AnyArgExpr; // FIXME: Same.
};
using ErrorMessage = SmallString<128>;
enum class AccessKind { write, read };
static ErrorMessage createOutOfBoundErrorMsg(StringRef FunctionDescription,
AccessKind Access) {
ErrorMessage Message;
llvm::raw_svector_ostream Os(Message);
// Function classification like: Memory copy function
Os << toUppercase(FunctionDescription.front())
<< &FunctionDescription.data()[1];
if (Access == AccessKind::write) {
Os << " overflows the destination buffer";
} else { // read access
Os << " accesses out-of-bound array element";
}
return Message;
}
enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 }; enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 };
class CStringChecker : public Checker< eval::Call, class CStringChecker : public Checker< eval::Call,
check::PreStmt<DeclStmt>, check::PreStmt<DeclStmt>,
check::LiveSymbols, check::LiveSymbols,
check::DeadSymbols, check::DeadSymbols,
check::RegionChanges check::RegionChanges
> { > {
mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap, mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
▲ Show 20 LinesShow All 67 Lines▼ Show 20 Lines CallDescription StdCopy{{"std", "copy"}, 3},
StdCopyBackward{{"std", "copy_backward"}, 3}; StdCopyBackward{{"std", "copy_backward"}, 3};
FnCheck identifyCall(const CallEvent &Call, CheckerContext &C) const; FnCheck identifyCall(const CallEvent &Call, CheckerContext &C) const;
void evalMemcpy(CheckerContext &C, const CallExpr *CE) const; void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
void evalMempcpy(CheckerContext &C, const CallExpr *CE) const; void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
void evalMemmove(CheckerContext &C, const CallExpr *CE) const; void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
void evalBcopy(CheckerContext &C, const CallExpr *CE) const; void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
void evalCopyCommon(CheckerContext &C, const CallExpr *CE, void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
ProgramStateRef state, ProgramStateRef state, SizeArgExpr Size,
const Expr *Size, DestinationArgExpr Dest, SourceArgExpr Source,
const Expr *Source, bool Restricted, bool IsMempcpy) const;
const Expr *Dest,
bool Restricted = false,
bool IsMempcpy = false) const;
void evalMemcmp(CheckerContext &C, const CallExpr *CE) const; void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
void evalstrLength(CheckerContext &C, const CallExpr *CE) const; void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
void evalstrnLength(CheckerContext &C, const CallExpr *CE) const; void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
void evalstrLengthCommon(CheckerContext &C, void evalstrLengthCommon(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE,
bool IsStrnlen = false) const; bool IsStrnlen = false) const;
▲ Show 20 LinesShow All 60 Lines▼ Show 20 Linespublic:
static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx, static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
const MemRegion *MR); const MemRegion *MR);
static bool memsetAux(const Expr *DstBuffer, SVal CharE, static bool memsetAux(const Expr *DstBuffer, SVal CharE,
const Expr *Size, CheckerContext &C, const Expr *Size, CheckerContext &C,
ProgramStateRef &State); ProgramStateRef &State);
// Re-usable checks // Re-usable checks
ProgramStateRef checkNonNull(CheckerContext &C, ProgramStateRef checkNonNull(CheckerContext &C, ProgramStateRef State,
ProgramStateRef state, AnyArgExpr Arg, SVal l) const;
const Expr *S, ProgramStateRef CheckLocation(CheckerContext &C, ProgramStateRef state,
SVal l, AnyArgExpr Buffer, SVal Element,
unsigned IdxOfArg) const; AccessKind Access) const;
ProgramStateRef CheckLocation(CheckerContext &C, ProgramStateRef CheckBufferAccess(CheckerContext &C, ProgramStateRef State,
ProgramStateRef state, AnyArgExpr Buffer, SizeArgExpr Size,
const Expr *S, AccessKind Access) const;
SVal l, ProgramStateRef CheckOverlap(CheckerContext &C, ProgramStateRef state,
const char *message = nullptr) const; SizeArgExpr Size, AnyArgExpr First,
ProgramStateRef CheckBufferAccess(CheckerContext &C, AnyArgExpr Second) const;
ProgramStateRef state,
const Expr *Size,
const Expr *FirstBuf,
const Expr *SecondBuf,
const char *firstMessage = nullptr,
const char *secondMessage = nullptr,
bool WarnAboutSize = false) const;
ProgramStateRef CheckBufferAccess(CheckerContext &C,
ProgramStateRef state,
const Expr *Size,
const Expr *Buf,
const char *message = nullptr,
bool WarnAboutSize = false) const {
// This is a convenience overload.
return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
WarnAboutSize);
}
ProgramStateRef CheckOverlap(CheckerContext &C,
ProgramStateRef state,
const Expr *Size,
const Expr *First,
const Expr *Second) const;
void emitOverlapBug(CheckerContext &C, void emitOverlapBug(CheckerContext &C,
ProgramStateRef state, ProgramStateRef state,
const Stmt *First, const Stmt *First,
const Stmt *Second) const; const Stmt *Second) const;
void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S, void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S,
StringRef WarningMsg) const; StringRef WarningMsg) const;
void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State, void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State,
Show All 32 Lines if (!val)
return std::pair<ProgramStateRef , ProgramStateRef >(state, state); return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty); DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
return state->assume(svalBuilder.evalEQ(state, *val, zero)); return state->assume(svalBuilder.evalEQ(state, *val, zero));
} }
ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C, ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
ProgramStateRef state, ProgramStateRef State,
const Expr *S, SVal l, AnyArgExpr Arg, SVal l) const {
unsigned IdxOfArg) const {
// If a previous check has failed, propagate the failure. // If a previous check has failed, propagate the failure.
if (!state) if (!State)
return nullptr; return nullptr;
ProgramStateRef stateNull, stateNonNull; ProgramStateRef stateNull, stateNonNull;
std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType()); std::tie(stateNull, stateNonNull) =
assumeZero(C, State, l, Arg.Expression->getType());
if (stateNull && !stateNonNull) { if (stateNull && !stateNonNull) {
if (Filter.CheckCStringNullArg) { if (Filter.CheckCStringNullArg) {
SmallString<80> buf; SmallString<80> buf;
llvm::raw_svector_ostream OS(buf); llvm::raw_svector_ostream OS(buf);
assert(CurrentFunctionDescription); assert(CurrentFunctionDescription);
OS << "Null pointer passed as " << IdxOfArg OS << "Null pointer passed as " << (Arg.ArgumentIndex + 1)
<< llvm::getOrdinalSuffix(IdxOfArg) << " argument to " << llvm::getOrdinalSuffix(Arg.ArgumentIndex + 1) << " argument to "
<< CurrentFunctionDescription; << CurrentFunctionDescription;
emitNullArgBug(C, stateNull, S, OS.str()); emitNullArgBug(C, stateNull, Arg.Expression, OS.str());
} }
return nullptr; return nullptr;
} }
// From here on, assume that the value is non-null. // From here on, assume that the value is non-null.
assert(stateNonNull); assert(stateNonNull);
return stateNonNull; return stateNonNull;
} }
// FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor? // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C, ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
ProgramStateRef state, ProgramStateRef state,
const Expr *S, SVal l, AnyArgExpr Buffer, SVal Element,
const char *warningMsg) const { AccessKind Access) const {
// If a previous check has failed, propagate the failure. // If a previous check has failed, propagate the failure.
if (!state) if (!state)
return nullptr; return nullptr;
// Check for out of bound array element access. // Check for out of bound array element access.
const MemRegion *R = l.getAsRegion(); const MemRegion *R = Element.getAsRegion();
if (!R) if (!R)
return state; return state;
const ElementRegion *ER = dyn_cast<ElementRegion>(R); const auto *ER = dyn_cast<ElementRegion>(R);
if (!ER) if (!ER)
return state; return state;
if (ER->getValueType() != C.getASTContext().CharTy) if (ER->getValueType() != C.getASTContext().CharTy)
return state; return state;
// Get the size of the array. // Get the size of the array.
const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion()); const auto *superReg = cast<SubRegion>(ER->getSuperRegion());
DefinedOrUnknownSVal Size = DefinedOrUnknownSVal Size =
getDynamicSize(state, superReg, C.getSValBuilder()); getDynamicSize(state, superReg, C.getSValBuilder());
// Get the index of the accessed element. // Get the index of the accessed element.
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true); ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false); ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
if (StOutBound && !StInBound) { if (StOutBound && !StInBound) {
// These checks are either enabled by the CString out-of-bounds checker // These checks are either enabled by the CString out-of-bounds checker
// explicitly or implicitly by the Malloc checker. // explicitly or implicitly by the Malloc checker.
// In the latter case we only do modeling but do not emit warning. // In the latter case we only do modeling but do not emit warning.
if (!Filter.CheckCStringOutOfBounds) if (!Filter.CheckCStringOutOfBounds)
return nullptr; return nullptr;
// Emit a bug report.
if (warningMsg) {
emitOutOfBoundsBug(C, StOutBound, S, warningMsg);
} else {
assert(CurrentFunctionDescription);
assert(CurrentFunctionDescription[0] != '\0');
SmallString<80> buf; // Emit a bug report.
llvm::raw_svector_ostream os(buf); ErrorMessage Message =
os << toUppercase(CurrentFunctionDescription[0]) createOutOfBoundErrorMsg(CurrentFunctionDescription, Access);
<< &CurrentFunctionDescription[1] emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message);
<< " accesses out-of-bound array element";
emitOutOfBoundsBug(C, StOutBound, S, os.str());
}
return nullptr; return nullptr;
} }
// Array bound check succeeded. From this point forward the array bound // Array bound check succeeded. From this point forward the array bound
// should always succeed. // should always succeed.
return StInBound; return StInBound;
} }
ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C, ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
ProgramStateRef state, ProgramStateRef State,
const Expr *Size, AnyArgExpr Buffer,
const Expr *FirstBuf, SizeArgExpr Size,
const Expr *SecondBuf, AccessKind Access) const {
const char *firstMessage,
const char *secondMessage,
bool WarnAboutSize) const {
// If a previous check has failed, propagate the failure. // If a previous check has failed, propagate the failure.
if (!state) if (!State)
return nullptr; return nullptr;
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
ASTContext &Ctx = svalBuilder.getContext(); ASTContext &Ctx = svalBuilder.getContext();
const LocationContext *LCtx = C.getLocationContext();
QualType sizeTy = Size->getType(); QualType SizeTy = Size.Expression->getType();
QualType PtrTy = Ctx.getPointerType(Ctx.CharTy); QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
// Check that the first buffer is non-null. // Check that the first buffer is non-null.
SVal BufVal = C.getSVal(FirstBuf); SVal BufVal = C.getSVal(Buffer.Expression);
state = checkNonNull(C, state, FirstBuf, BufVal, 1); State = checkNonNull(C, State, Buffer, BufVal);
if (!state) if (!State)
return nullptr; return nullptr;
// If out-of-bounds checking is turned off, skip the rest. // If out-of-bounds checking is turned off, skip the rest.
if (!Filter.CheckCStringOutOfBounds) if (!Filter.CheckCStringOutOfBounds)
return state; return State;
// Get the access length and make sure it is known. // Get the access length and make sure it is known.
// FIXME: This assumes the caller has already checked that the access length // FIXME: This assumes the caller has already checked that the access length
// is positive. And that it's unsigned. // is positive. And that it's unsigned.
SVal LengthVal = C.getSVal(Size); SVal LengthVal = C.getSVal(Size.Expression);
Optional<NonLoc> Length = LengthVal.getAs<NonLoc>(); Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
if (!Length) if (!Length)
return state; return State;
// Compute the offset of the last element to be accessed: size-1. // Compute the offset of the last element to be accessed: size-1.
NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>(); NonLoc One = svalBuilder.makeIntVal(1, SizeTy).castAs<NonLoc>();
SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy); SVal Offset = svalBuilder.evalBinOpNN(State, BO_Sub, *Length, One, SizeTy);
if (Offset.isUnknown()) if (Offset.isUnknown())
return nullptr; return nullptr;
NonLoc LastOffset = Offset.castAs<NonLoc>(); NonLoc LastOffset = Offset.castAs<NonLoc>();
// Check that the first buffer is sufficiently long. // Check that the first buffer is sufficiently long.
SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); SVal BufStart =
svalBuilder.evalCast(BufVal, PtrTy, Buffer.Expression->getType());
if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) { if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, SVal BufEnd =
LastOffset, PtrTy); svalBuilder.evalBinOpLN(State, BO_Add, *BufLoc, LastOffset, PtrTy);
state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
// If the buffer isn't large enough, abort. State = CheckLocation(C, State, Buffer, BufEnd, Access);
if (!state)
return nullptr;
}
// If there's a second buffer, check it as well. // If the buffer isn't large enough, abort.
if (SecondBuf) { if (!State)
BufVal = state->getSVal(SecondBuf, LCtx);
state = checkNonNull(C, state, SecondBuf, BufVal, 2);
if (!state)
return nullptr; return nullptr;
BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
LastOffset, PtrTy);
state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
}
} }
// Large enough or not, return this state! // Large enough or not, return this state!
return state; return State;
} }
ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C, ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
ProgramStateRef state, ProgramStateRef state,
const Expr *Size, SizeArgExpr Size, AnyArgExpr First,
const Expr *First, AnyArgExpr Second) const {
const Expr *Second) const {
if (!Filter.CheckCStringBufferOverlap) if (!Filter.CheckCStringBufferOverlap)
return state; return state;
// Do a simple check for overlap: if the two arguments are from the same // Do a simple check for overlap: if the two arguments are from the same
// buffer, see if the end of the first is greater than the start of the second // buffer, see if the end of the first is greater than the start of the second
// or vice versa. // or vice versa.
// If a previous check has failed, propagate the failure. // If a previous check has failed, propagate the failure.
if (!state) if (!state)
return nullptr; return nullptr;
ProgramStateRef stateTrue, stateFalse; ProgramStateRef stateTrue, stateFalse;
// Get the buffer values and make sure they're known locations. // Get the buffer values and make sure they're known locations.
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
SVal firstVal = state->getSVal(First, LCtx); SVal firstVal = state->getSVal(First.Expression, LCtx);
SVal secondVal = state->getSVal(Second, LCtx); SVal secondVal = state->getSVal(Second.Expression, LCtx);
Optional<Loc> firstLoc = firstVal.getAs<Loc>(); Optional<Loc> firstLoc = firstVal.getAs<Loc>();
if (!firstLoc) if (!firstLoc)
return state; return state;
Optional<Loc> secondLoc = secondVal.getAs<Loc>(); Optional<Loc> secondLoc = secondVal.getAs<Loc>();
if (!secondLoc) if (!secondLoc)
return state; return state;
// Are the two values the same? // Are the two values the same?
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
std::tie(stateTrue, stateFalse) = std::tie(stateTrue, stateFalse) =
state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc)); state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
if (stateTrue && !stateFalse) { if (stateTrue && !stateFalse) {
// If the values are known to be equal, that's automatically an overlap. // If the values are known to be equal, that's automatically an overlap.
emitOverlapBug(C, stateTrue, First, Second); emitOverlapBug(C, stateTrue, First.Expression, Second.Expression);
return nullptr; return nullptr;
} }
// assume the two expressions are not equal. // assume the two expressions are not equal.
assert(stateFalse); assert(stateFalse);
state = stateFalse; state = stateFalse;
// Which value comes first? // Which value comes first?
QualType cmpTy = svalBuilder.getConditionType(); QualType cmpTy = svalBuilder.getConditionType();
SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT, SVal reverse =
*firstLoc, *secondLoc, cmpTy); svalBuilder.evalBinOpLL(state, BO_GT, *firstLoc, *secondLoc, cmpTy);
Optional<DefinedOrUnknownSVal> reverseTest = Optional<DefinedOrUnknownSVal> reverseTest =
reverse.getAs<DefinedOrUnknownSVal>(); reverse.getAs<DefinedOrUnknownSVal>();
if (!reverseTest) if (!reverseTest)
return state; return state;
std::tie(stateTrue, stateFalse) = state->assume(*reverseTest); std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
if (stateTrue) { if (stateTrue) {
if (stateFalse) { if (stateFalse) {
// If we don't know which one comes first, we can't perform this test. // If we don't know which one comes first, we can't perform this test.
return state; return state;
} else { } else {
// Switch the values so that firstVal is before secondVal. // Switch the values so that firstVal is before secondVal.
std::swap(firstLoc, secondLoc); std::swap(firstLoc, secondLoc);
// Switch the Exprs as well, so that they still correspond. // Switch the Exprs as well, so that they still correspond.
std::swap(First, Second); std::swap(First, Second);
steakhalAuthorUnsubmitted
Not Done
ReplyInline Actions

It is really interesting that it swaps the arguments in some sense.

I'm pretty sure that now if a diagnostic is emitted after this swap, the argument indexes used to construct the diagnostic message would mismatch. I will dig into this later, probably refactor the whole function to make the intentions clear. What do you think? @NoQ

steakhal: It is really interesting that it swaps the arguments in some sense. I'm pretty sure that now…
} }
} }
// Get the length, and make sure it too is known. // Get the length, and make sure it too is known.
SVal LengthVal = state->getSVal(Size, LCtx); SVal LengthVal = state->getSVal(Size.Expression, LCtx);
Optional<NonLoc> Length = LengthVal.getAs<NonLoc>(); Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
if (!Length) if (!Length)
return state; return state;
// Convert the first buffer's start address to char*. // Convert the first buffer's start address to char*.
// Bail out if the cast fails. // Bail out if the cast fails.
ASTContext &Ctx = svalBuilder.getContext(); ASTContext &Ctx = svalBuilder.getContext();
QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy); QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy, SVal FirstStart =
First->getType()); svalBuilder.evalCast(*firstLoc, CharPtrTy, First.Expression->getType());
Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>(); Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
if (!FirstStartLoc) if (!FirstStartLoc)
return state; return state;
// Compute the end of the first buffer. Bail out if THAT fails. // Compute the end of the first buffer. Bail out if THAT fails.
SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, *FirstStartLoc,
*FirstStartLoc, *Length, CharPtrTy); *Length, CharPtrTy);
Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>(); Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
if (!FirstEndLoc) if (!FirstEndLoc)
return state; return state;
// Is the end of the first buffer past the start of the second buffer? // Is the end of the first buffer past the start of the second buffer?
SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT, SVal Overlap =
*FirstEndLoc, *secondLoc, cmpTy); svalBuilder.evalBinOpLL(state, BO_GT, *FirstEndLoc, *secondLoc, cmpTy);
Optional<DefinedOrUnknownSVal> OverlapTest = Optional<DefinedOrUnknownSVal> OverlapTest =
Overlap.getAs<DefinedOrUnknownSVal>(); Overlap.getAs<DefinedOrUnknownSVal>();
if (!OverlapTest) if (!OverlapTest)
return state; return state;
std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest); std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
if (stateTrue && !stateFalse) { if (stateTrue && !stateFalse) {
// Overlap! // Overlap!
emitOverlapBug(C, stateTrue, First, Second); emitOverlapBug(C, stateTrue, First.Expression, Second.Expression);
return nullptr; return nullptr;
} }
// assume the two expressions don't overlap. // assume the two expressions don't overlap.
assert(stateFalse); assert(stateFalse);
return stateFalse; return stateFalse;
} }
▲ Show 20 LinesShow All 566 Lines▼ Show 20 Linesbool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal,
} }
return true; return true;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// evaluation of individual function calls. // evaluation of individual function calls.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void CStringChecker::evalCopyCommon(CheckerContext &C, void CStringChecker::evalCopyCommon(CheckerContext &C, const CallExpr *CE,
const CallExpr *CE, ProgramStateRef state, SizeArgExpr Size,
ProgramStateRef state, DestinationArgExpr Dest,
const Expr *Size, const Expr *Dest, SourceArgExpr Source, bool Restricted,
const Expr *Source, bool Restricted,
bool IsMempcpy) const { bool IsMempcpy) const {
CurrentFunctionDescription = "memory copy function"; CurrentFunctionDescription = "memory copy function";
// See if the size argument is zero. // See if the size argument is zero.
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
SVal sizeVal = state->getSVal(Size, LCtx); SVal sizeVal = state->getSVal(Size.Expression, LCtx);
QualType sizeTy = Size->getType(); QualType sizeTy = Size.Expression->getType();
ProgramStateRef stateZeroSize, stateNonZeroSize; ProgramStateRef stateZeroSize, stateNonZeroSize;
std::tie(stateZeroSize, stateNonZeroSize) = std::tie(stateZeroSize, stateNonZeroSize) =
assumeZero(C, state, sizeVal, sizeTy); assumeZero(C, state, sizeVal, sizeTy);
// Get the value of the Dest. // Get the value of the Dest.
SVal destVal = state->getSVal(Dest, LCtx); SVal destVal = state->getSVal(Dest.Expression, LCtx);
// If the size is zero, there won't be any actual memory access, so // If the size is zero, there won't be any actual memory access, so
// just bind the return value to the destination buffer and return. // just bind the return value to the destination buffer and return.
if (stateZeroSize && !stateNonZeroSize) { if (stateZeroSize && !stateNonZeroSize) {
stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal); stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
C.addTransition(stateZeroSize); C.addTransition(stateZeroSize);
return; return;
} }
// If the size can be nonzero, we have to check the other arguments. // If the size can be nonzero, we have to check the other arguments.
if (stateNonZeroSize) { if (stateNonZeroSize) {
state = stateNonZeroSize; state = stateNonZeroSize;
// Ensure the destination is not null. If it is NULL there will be a // Ensure the destination is not null. If it is NULL there will be a
// NULL pointer dereference. // NULL pointer dereference.
state = checkNonNull(C, state, Dest, destVal, 1); state = checkNonNull(C, state, Dest, destVal);
if (!state) if (!state)
return; return;
// Get the value of the Src. // Get the value of the Src.
SVal srcVal = state->getSVal(Source, LCtx); SVal srcVal = state->getSVal(Source.Expression, LCtx);
// Ensure the source is not null. If it is NULL there will be a // Ensure the source is not null. If it is NULL there will be a
// NULL pointer dereference. // NULL pointer dereference.
state = checkNonNull(C, state, Source, srcVal, 2); state = checkNonNull(C, state, Source, srcVal);
if (!state) if (!state)
return; return;
// Ensure the accesses are valid and that the buffers do not overlap. // Ensure the accesses are valid and that the buffers do not overlap.
const char * const writeWarning = state = CheckBufferAccess(C, state, Dest, Size, AccessKind::write);
"Memory copy function overflows destination buffer"; state = CheckBufferAccess(C, state, Source, Size, AccessKind::read);
state = CheckBufferAccess(C, state, Size, Dest, Source,
writeWarning, /* sourceWarning = */ nullptr);
if (Restricted) if (Restricted)
state = CheckOverlap(C, state, Size, Dest, Source); state = CheckOverlap(C, state, Size, Dest, Source);
if (!state) if (!state)
return; return;
// If this is mempcpy, get the byte after the last byte copied and // If this is mempcpy, get the byte after the last byte copied and
// bind the expr. // bind the expr.
if (IsMempcpy) { if (IsMempcpy) {
// Get the byte after the last byte copied. // Get the byte after the last byte copied.
SValBuilder &SvalBuilder = C.getSValBuilder(); SValBuilder &SvalBuilder = C.getSValBuilder();
ASTContext &Ctx = SvalBuilder.getContext(); ASTContext &Ctx = SvalBuilder.getContext();
QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy); QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
SVal DestRegCharVal = SVal DestRegCharVal =
SvalBuilder.evalCast(destVal, CharPtrTy, Dest->getType()); SvalBuilder.evalCast(destVal, CharPtrTy, Dest.Expression->getType());
SVal lastElement = C.getSValBuilder().evalBinOp( SVal lastElement = C.getSValBuilder().evalBinOp(
state, BO_Add, DestRegCharVal, sizeVal, Dest->getType()); state, BO_Add, DestRegCharVal, sizeVal, Dest.Expression->getType());
// If we don't know how much we copied, we can at least // If we don't know how much we copied, we can at least
// conjure a return value for later. // conjure a return value for later.
if (lastElement.isUnknown()) if (lastElement.isUnknown())
lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx, lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
C.blockCount()); C.blockCount());
// The byte after the last byte copied is the return value. // The byte after the last byte copied is the return value.
state = state->BindExpr(CE, LCtx, lastElement); state = state->BindExpr(CE, LCtx, lastElement);
} else { } else {
// All other copies return the destination buffer. // All other copies return the destination buffer.
// (Well, bcopy() has a void return type, but this won't hurt.) // (Well, bcopy() has a void return type, but this won't hurt.)
state = state->BindExpr(CE, LCtx, destVal); state = state->BindExpr(CE, LCtx, destVal);
} }
// Invalidate the destination (regular invalidation without pointer-escaping // Invalidate the destination (regular invalidation without pointer-escaping
// the address of the top-level region). // the address of the top-level region).
// FIXME: Even if we can't perfectly model the copy, we should see if we // FIXME: Even if we can't perfectly model the copy, we should see if we
// can use LazyCompoundVals to copy the source values into the destination. // can use LazyCompoundVals to copy the source values into the destination.
// This would probably remove any existing bindings past the end of the // This would probably remove any existing bindings past the end of the
// copied region, but that's still an improvement over blank invalidation. // copied region, but that's still an improvement over blank invalidation.
state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest), state =
/*IsSourceBuffer*/false, Size); InvalidateBuffer(C, state, Dest.Expression, C.getSVal(Dest.Expression),
/*IsSourceBuffer*/ false, Size.Expression);
// Invalidate the source (const-invalidation without const-pointer-escaping // Invalidate the source (const-invalidation without const-pointer-escaping
// the address of the top-level region). // the address of the top-level region).
state = InvalidateBuffer(C, state, Source, C.getSVal(Source), state = InvalidateBuffer(C, state, Source.Expression,
C.getSVal(Source.Expression),
/*IsSourceBuffer*/true, nullptr); /*IsSourceBuffer*/ true, nullptr);
C.addTransition(state); C.addTransition(state);
} }
} }
void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
// void *memcpy(void *restrict dst, const void *restrict src, size_t n); // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
// The return value is the address of the destination buffer. // The return value is the address of the destination buffer.
const Expr *Dest = CE->getArg(0); DestinationArgExpr Dest = {CE->getArg(0), 0};
ProgramStateRef state = C.getState(); SourceArgExpr Src = {CE->getArg(1), 1};
SizeArgExpr Size = {CE->getArg(2), 2};
evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true); ProgramStateRef State = C.getState();
constexpr bool IsRestricted = true;
constexpr bool IsMempcpy = false;
evalCopyCommon(C, CE, State, Size, Dest, Src, IsRestricted, IsMempcpy);
} }
void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
// void *mempcpy(void *restrict dst, const void *restrict src, size_t n); // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
// The return value is a pointer to the byte following the last written byte. // The return value is a pointer to the byte following the last written byte.
const Expr *Dest = CE->getArg(0); DestinationArgExpr Dest = {CE->getArg(0), 0};
ProgramStateRef state = C.getState(); SourceArgExpr Src = {CE->getArg(1), 1};
SizeArgExpr Size = {CE->getArg(2), 2};
evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
constexpr bool IsRestricted = true;
constexpr bool IsMempcpy = true;
evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
} }
void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
// void *memmove(void *dst, const void *src, size_t n); // void *memmove(void *dst, const void *src, size_t n);
// The return value is the address of the destination buffer. // The return value is the address of the destination buffer.
const Expr *Dest = CE->getArg(0); DestinationArgExpr Dest = {CE->getArg(0), 0};
ProgramStateRef state = C.getState(); SourceArgExpr Src = {CE->getArg(1), 1};
SizeArgExpr Size = {CE->getArg(2), 2};
evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
constexpr bool IsRestricted = false;
constexpr bool IsMempcpy = false;
evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
} }
void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
// void bcopy(const void *src, void *dst, size_t n); // void bcopy(const void *src, void *dst, size_t n);
evalCopyCommon(C, CE, C.getState(), SourceArgExpr Src(CE->getArg(0), 0);
CE->getArg(2), CE->getArg(1), CE->getArg(0)); DestinationArgExpr Dest = {CE->getArg(1), 1};
SizeArgExpr Size = {CE->getArg(2), 2};
constexpr bool IsRestricted = false;
constexpr bool IsMempcpy = false;
evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy);
} }
void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
// int memcmp(const void *s1, const void *s2, size_t n); // int memcmp(const void *s1, const void *s2, size_t n);
CurrentFunctionDescription = "memory comparison function"; CurrentFunctionDescription = "memory comparison function";
const Expr *Left = CE->getArg(0); AnyArgExpr Left = {CE->getArg(0), 0};
const Expr *Right = CE->getArg(1); AnyArgExpr Right = {CE->getArg(1), 1};
const Expr *Size = CE->getArg(2); SizeArgExpr Size = {CE->getArg(2), 2};
ProgramStateRef state = C.getState(); ProgramStateRef State = C.getState();
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &Builder = C.getSValBuilder();
const LocationContext *LCtx = C.getLocationContext();
// See if the size argument is zero. // See if the size argument is zero.
const LocationContext *LCtx = C.getLocationContext(); SVal sizeVal = State->getSVal(Size.Expression, LCtx);
SVal sizeVal = state->getSVal(Size, LCtx); QualType sizeTy = Size.Expression->getType();
QualType sizeTy = Size->getType();
ProgramStateRef stateZeroSize, stateNonZeroSize; ProgramStateRef stateZeroSize, stateNonZeroSize;
std::tie(stateZeroSize, stateNonZeroSize) = std::tie(stateZeroSize, stateNonZeroSize) =
assumeZero(C, state, sizeVal, sizeTy); assumeZero(C, State, sizeVal, sizeTy);
// If the size can be zero, the result will be 0 in that case, and we don't // If the size can be zero, the result will be 0 in that case, and we don't
// have to check either of the buffers. // have to check either of the buffers.
if (stateZeroSize) { if (stateZeroSize) {
state = stateZeroSize; State = stateZeroSize;
state = state->BindExpr(CE, LCtx, State = State->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType()));
svalBuilder.makeZeroVal(CE->getType())); C.addTransition(State);
C.addTransition(state);
} }
// If the size can be nonzero, we have to check the other arguments. // If the size can be nonzero, we have to check the other arguments.
if (stateNonZeroSize) { if (stateNonZeroSize) {
state = stateNonZeroSize; State = stateNonZeroSize;
// If we know the two buffers are the same, we know the result is 0. // If we know the two buffers are the same, we know the result is 0.
// First, get the two buffers' addresses. Another checker will have already // First, get the two buffers' addresses. Another checker will have already
// made sure they're not undefined. // made sure they're not undefined.
DefinedOrUnknownSVal LV = DefinedOrUnknownSVal LV =
state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>(); State->getSVal(Left.Expression, LCtx).castAs<DefinedOrUnknownSVal>();
DefinedOrUnknownSVal RV = DefinedOrUnknownSVal RV =
state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>(); State->getSVal(Right.Expression, LCtx).castAs<DefinedOrUnknownSVal>();
// See if they are the same. // See if they are the same.
DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); ProgramStateRef SameBuffer, NotSameBuffer;
ProgramStateRef StSameBuf, StNotSameBuf; std::tie(SameBuffer, NotSameBuffer) =
std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); State->assume(Builder.evalEQ(State, LV, RV));
// If the two arguments are the same buffer, we know the result is 0, // If the two arguments are the same buffer, we know the result is 0,
// and we only need to check one size. // and we only need to check one size.
if (StSameBuf && !StNotSameBuf) { if (SameBuffer && !NotSameBuffer) {
state = StSameBuf; State = SameBuffer;
state = CheckBufferAccess(C, state, Size, Left); State = CheckBufferAccess(C, State, Left, Size, AccessKind::read);
if (state) { if (State) {
state = StSameBuf->BindExpr(CE, LCtx, State =
svalBuilder.makeZeroVal(CE->getType())); SameBuffer->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType()));
C.addTransition(state); C.addTransition(State);
} }
return; return;
} }
// If the two arguments might be different buffers, we have to check // If the two arguments might be different buffers, we have to check
// the size of both of them. // the size of both of them.
assert(StNotSameBuf); assert(NotSameBuffer);
state = CheckBufferAccess(C, state, Size, Left, Right); State = CheckBufferAccess(C, State, Right, Size, AccessKind::read);
if (state) { State = CheckBufferAccess(C, State, Left, Size, AccessKind::read);
if (State) {
// The return value is the comparison result, which we don't know. // The return value is the comparison result, which we don't know.
SVal CmpV = SVal CmpV = Builder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount()); State = State->BindExpr(CE, LCtx, CmpV);
state = state->BindExpr(CE, LCtx, CmpV); C.addTransition(State);
C.addTransition(state);
} }
} }
} }
void CStringChecker::evalstrLength(CheckerContext &C, void CStringChecker::evalstrLength(CheckerContext &C,
const CallExpr *CE) const { const CallExpr *CE) const {
// size_t strlen(const char *s); // size_t strlen(const char *s);
evalstrLengthCommon(C, CE, /* IsStrnlen = */ false); evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
Show All 31 Lines if (IsStrnlen) {
if (!stateNonZeroSize) if (!stateNonZeroSize)
return; return;
// Otherwise, record the assumption that the size is nonzero. // Otherwise, record the assumption that the size is nonzero.
state = stateNonZeroSize; state = stateNonZeroSize;
} }
// Check that the string argument is non-null. // Check that the string argument is non-null.
const Expr *Arg = CE->getArg(0); AnyArgExpr Arg = {CE->getArg(0), 0};
SVal ArgVal = state->getSVal(Arg, LCtx); SVal ArgVal = state->getSVal(Arg.Expression, LCtx);
state = checkNonNull(C, state, Arg, ArgVal);
state = checkNonNull(C, state, Arg, ArgVal, 1);
if (!state) if (!state)
return; return;
SVal strLength = getCStringLength(C, state, Arg, ArgVal); SVal strLength = getCStringLength(C, state, Arg.Expression, ArgVal);
// If the argument isn't a valid C string, there's no valid state to // If the argument isn't a valid C string, there's no valid state to
// transition to. // transition to.
if (strLength.isUndef()) if (strLength.isUndef())
return; return;
DefinedOrUnknownSVal result = UnknownVal(); DefinedOrUnknownSVal result = UnknownVal();
▲ Show 20 LinesShow All 131 Lines▼ Show 20 Lines
void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
bool ReturnEnd, bool IsBounded, bool ReturnEnd, bool IsBounded,
ConcatFnKind appendK, ConcatFnKind appendK,
bool returnPtr) const { bool returnPtr) const {
if (appendK == ConcatFnKind::none) if (appendK == ConcatFnKind::none)
CurrentFunctionDescription = "string copy function"; CurrentFunctionDescription = "string copy function";
else else
CurrentFunctionDescription = "string concatenation function"; CurrentFunctionDescription = "string concatenation function";
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
// Check that the destination is non-null. // Check that the destination is non-null.
const Expr *Dst = CE->getArg(0); DestinationArgExpr Dst = {CE->getArg(0), 0};
SVal DstVal = state->getSVal(Dst, LCtx); SVal DstVal = state->getSVal(Dst.Expression, LCtx);
state = checkNonNull(C, state, Dst, DstVal);
state = checkNonNull(C, state, Dst, DstVal, 1);
if (!state) if (!state)
return; return;
// Check that the source is non-null. // Check that the source is non-null.
const Expr *srcExpr = CE->getArg(1); SourceArgExpr srcExpr = {CE->getArg(1), 1};
SVal srcVal = state->getSVal(srcExpr, LCtx); SVal srcVal = state->getSVal(srcExpr.Expression, LCtx);
state = checkNonNull(C, state, srcExpr, srcVal, 2); state = checkNonNull(C, state, srcExpr, srcVal);
if (!state) if (!state)
return; return;
// Get the string length of the source. // Get the string length of the source.
SVal strLength = getCStringLength(C, state, srcExpr, srcVal); SVal strLength = getCStringLength(C, state, srcExpr.Expression, srcVal);
Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>(); Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
// Get the string length of the destination buffer. // Get the string length of the destination buffer.
SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); SVal dstStrLength = getCStringLength(C, state, Dst.Expression, DstVal);
Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>(); Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
// If the source isn't a valid C string, give up. // If the source isn't a valid C string, give up.
if (strLength.isUndef()) if (strLength.isUndef())
return; return;
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
QualType cmpTy = svalBuilder.getConditionType(); QualType cmpTy = svalBuilder.getConditionType();
QualType sizeTy = svalBuilder.getContext().getSizeType(); QualType sizeTy = svalBuilder.getContext().getSizeType();
// These two values allow checking two kinds of errors: // These two values allow checking two kinds of errors:
// - actual overflows caused by a source that doesn't fit in the destination // - actual overflows caused by a source that doesn't fit in the destination
// - potential overflows caused by a bound that could exceed the destination // - potential overflows caused by a bound that could exceed the destination
SVal amountCopied = UnknownVal(); SVal amountCopied = UnknownVal();
SVal maxLastElementIndex = UnknownVal(); SVal maxLastElementIndex = UnknownVal();
const char *boundWarning = nullptr; const char *boundWarning = nullptr;
state = CheckOverlap(C, state, IsBounded ? CE->getArg(2) : CE->getArg(1), Dst, // FIXME: Why do we choose the srcExpr if the access has no size?
// Note that the 3rd argument of the call would be the size parameter.
SizeArgExpr SrcExprAsSizeDummy = {srcExpr.Expression, srcExpr.ArgumentIndex};
state = CheckOverlap(
C, state,
(IsBounded ? SizeArgExpr{CE->getArg(2), 2} : SrcExprAsSizeDummy), Dst,
srcExpr); srcExpr);
steakhalAuthorUnsubmitted
Not Done
ReplyInline Actions

This part is really interesting.

Using strong types highlighted this particular code. Since SizeArgExpr is conceptually different than a SourceArgExpr this code did not compile without additional effort.

Previously it passed the size argument if it were given, but if the function were unbounded than it passed the source expression where size was expected, which does not make any sense.

Since I plan to refactor the whole cstring related functions, not just the memset, memcpy etc. I tried to leave it as it were, to preserve the current (broken) semantics of the function.

steakhal: This part is really interesting. Using strong types highlighted this particular code. Since…
if (!state) if (!state)
return; return;
// If the function is strncpy, strncat, etc... it is bounded. // If the function is strncpy, strncat, etc... it is bounded.
if (IsBounded) { if (IsBounded) {
// Get the max number of characters to copy. // Get the max number of characters to copy.
const Expr *lenExpr = CE->getArg(2); SizeArgExpr lenExpr = {CE->getArg(2), 2};
SVal lenVal = state->getSVal(lenExpr, LCtx); SVal lenVal = state->getSVal(lenExpr.Expression, LCtx);
// Protect against misdeclared strncpy(). // Protect against misdeclared strncpy().
lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType()); lenVal =
svalBuilder.evalCast(lenVal, sizeTy, lenExpr.Expression->getType());
Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>(); Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
// If we know both values, we might be able to figure out how much // If we know both values, we might be able to figure out how much
// we're copying. // we're copying.
if (strLengthNL && lenValNL) { if (strLengthNL && lenValNL) {
switch (appendK) { switch (appendK) {
case ConcatFnKind::none: case ConcatFnKind::none:
▲ Show 20 LinesShow All 226 Lines▼ Show 20 Linesvoid CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
} }
assert(state); assert(state);
// If the destination is a MemRegion, try to check for a buffer overflow and // If the destination is a MemRegion, try to check for a buffer overflow and
// record the new string length. // record the new string length.
if (Optional<loc::MemRegionVal> dstRegVal = if (Optional<loc::MemRegionVal> dstRegVal =
DstVal.getAs<loc::MemRegionVal>()) { DstVal.getAs<loc::MemRegionVal>()) {
QualType ptrTy = Dst->getType(); QualType ptrTy = Dst.Expression->getType();
// If we have an exact value on a bounded copy, use that to check for // If we have an exact value on a bounded copy, use that to check for
// overflows, rather than our estimate about how much is actually copied. // overflows, rather than our estimate about how much is actually copied.
if (boundWarning) {
if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) { if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, SVal maxLastElement =
*maxLastNL, ptrTy); svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, *maxLastNL, ptrTy);
state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
boundWarning); state = CheckLocation(C, state, Dst, maxLastElement, AccessKind::write);
if (!state) if (!state)
return; return;
} }
}
// Then, if the final length is known... // Then, if the final length is known...
if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) { if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
*knownStrLength, ptrTy); *knownStrLength, ptrTy);
// ...and we haven't checked the bound, we'll check the actual copy. // ...and we haven't checked the bound, we'll check the actual copy.
if (!boundWarning) { if (!boundWarning) {
const char * const warningMsg = state = CheckLocation(C, state, Dst, lastElement, AccessKind::write);
"String copy function overflows destination buffer";
state = CheckLocation(C, state, Dst, lastElement, warningMsg);
if (!state) if (!state)
return; return;
} }
// If this is a stpcpy-style copy, the last element is the return value. // If this is a stpcpy-style copy, the last element is the return value.
if (returnPtr && ReturnEnd) if (returnPtr && ReturnEnd)
Result = lastElement; Result = lastElement;
} }
// Invalidate the destination (regular invalidation without pointer-escaping // Invalidate the destination (regular invalidation without pointer-escaping
// the address of the top-level region). This must happen before we set the // the address of the top-level region). This must happen before we set the
// C string length because invalidation will clear the length. // C string length because invalidation will clear the length.
// FIXME: Even if we can't perfectly model the copy, we should see if we // FIXME: Even if we can't perfectly model the copy, we should see if we
// can use LazyCompoundVals to copy the source values into the destination. // can use LazyCompoundVals to copy the source values into the destination.
// This would probably remove any existing bindings past the end of the // This would probably remove any existing bindings past the end of the
// string, but that's still an improvement over blank invalidation. // string, but that's still an improvement over blank invalidation.
state = InvalidateBuffer(C, state, Dst, *dstRegVal, state = InvalidateBuffer(C, state, Dst.Expression, *dstRegVal,
/*IsSourceBuffer*/false, nullptr); /*IsSourceBuffer*/ false, nullptr);
// Invalidate the source (const-invalidation without const-pointer-escaping // Invalidate the source (const-invalidation without const-pointer-escaping
// the address of the top-level region). // the address of the top-level region).
state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true, state = InvalidateBuffer(C, state, srcExpr.Expression, srcVal,
nullptr); /*IsSourceBuffer*/ true, nullptr);
// Set the C string length of the destination, if we know it. // Set the C string length of the destination, if we know it.
if (IsBounded && (appendK == ConcatFnKind::none)) { if (IsBounded && (appendK == ConcatFnKind::none)) {
// strncpy is annoying in that it doesn't guarantee to null-terminate // strncpy is annoying in that it doesn't guarantee to null-terminate
// the result string. If the original string didn't fit entirely inside // the result string. If the original string didn't fit entirely inside
// the bound (including the null-terminator), we don't know how long the // the bound (including the null-terminator), we don't know how long the
// result is. // result is.
if (amountCopied != strLength) if (amountCopied != strLength)
Show All 40 Lines
void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
bool IsBounded, bool IgnoreCase) const { bool IsBounded, bool IgnoreCase) const {
CurrentFunctionDescription = "string comparison function"; CurrentFunctionDescription = "string comparison function";
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
// Check that the first string is non-null // Check that the first string is non-null
const Expr *s1 = CE->getArg(0); AnyArgExpr Left = {CE->getArg(0), 0};
SVal s1Val = state->getSVal(s1, LCtx); SVal LeftVal = state->getSVal(Left.Expression, LCtx);
state = checkNonNull(C, state, s1, s1Val, 1); state = checkNonNull(C, state, Left, LeftVal);
if (!state) if (!state)
return; return;
// Check that the second string is non-null. // Check that the second string is non-null.
const Expr *s2 = CE->getArg(1); AnyArgExpr Right = {CE->getArg(1), 1};
SVal s2Val = state->getSVal(s2, LCtx); SVal RightVal = state->getSVal(Right.Expression, LCtx);
state = checkNonNull(C, state, s2, s2Val, 2); state = checkNonNull(C, state, Right, RightVal);
if (!state) if (!state)
return; return;
// Get the string length of the first string or give up. // Get the string length of the first string or give up.
SVal s1Length = getCStringLength(C, state, s1, s1Val); SVal LeftLength = getCStringLength(C, state, Left.Expression, LeftVal);
if (s1Length.isUndef()) if (LeftLength.isUndef())
return; return;
// Get the string length of the second string or give up. // Get the string length of the second string or give up.
SVal s2Length = getCStringLength(C, state, s2, s2Val); SVal RightLength = getCStringLength(C, state, Right.Expression, RightVal);
if (s2Length.isUndef()) if (RightLength.isUndef())
return; return;
// If we know the two buffers are the same, we know the result is 0. // If we know the two buffers are the same, we know the result is 0.
// First, get the two buffers' addresses. Another checker will have already // First, get the two buffers' addresses. Another checker will have already
// made sure they're not undefined. // made sure they're not undefined.
DefinedOrUnknownSVal LV = s1Val.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal LV = LeftVal.castAs<DefinedOrUnknownSVal>();
DefinedOrUnknownSVal RV = s2Val.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal RV = RightVal.castAs<DefinedOrUnknownSVal>();
// See if they are the same. // See if they are the same.
SValBuilder &svalBuilder = C.getSValBuilder(); SValBuilder &svalBuilder = C.getSValBuilder();
DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
ProgramStateRef StSameBuf, StNotSameBuf; ProgramStateRef StSameBuf, StNotSameBuf;
std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
// If the two arguments might be the same buffer, we know the result is 0, // If the two arguments might be the same buffer, we know the result is 0,
Show All 10 Linesvoid CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
assert(StNotSameBuf); assert(StNotSameBuf);
state = StNotSameBuf; state = StNotSameBuf;
// At this point we can go about comparing the two buffers. // At this point we can go about comparing the two buffers.
// For now, we only do this if they're both known string literals. // For now, we only do this if they're both known string literals.
// Attempt to extract string literals from both expressions. // Attempt to extract string literals from both expressions.
const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val); const StringLiteral *LeftStrLiteral =
const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val); getCStringLiteral(C, state, Left.Expression, LeftVal);
const StringLiteral *RightStrLiteral =
getCStringLiteral(C, state, Right.Expression, RightVal);
bool canComputeResult = false; bool canComputeResult = false;
SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
C.blockCount()); C.blockCount());
if (s1StrLiteral && s2StrLiteral) { if (LeftStrLiteral && RightStrLiteral) {
StringRef s1StrRef = s1StrLiteral->getString(); StringRef LeftStrRef = LeftStrLiteral->getString();
StringRef s2StrRef = s2StrLiteral->getString(); StringRef RightStrRef = RightStrLiteral->getString();
if (IsBounded) { if (IsBounded) {
// Get the max number of characters to compare. // Get the max number of characters to compare.
const Expr *lenExpr = CE->getArg(2); const Expr *lenExpr = CE->getArg(2);
SVal lenVal = state->getSVal(lenExpr, LCtx); SVal lenVal = state->getSVal(lenExpr, LCtx);
// If the length is known, we can get the right substrings. // If the length is known, we can get the right substrings.
if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) { if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
// Create substrings of each to compare the prefix. // Create substrings of each to compare the prefix.
s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue()); LeftStrRef = LeftStrRef.substr(0, (size_t)len->getZExtValue());
s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue()); RightStrRef = RightStrRef.substr(0, (size_t)len->getZExtValue());
canComputeResult = true; canComputeResult = true;
} }
} else { } else {
// This is a normal, unbounded strcmp. // This is a normal, unbounded strcmp.
canComputeResult = true; canComputeResult = true;
} }
if (canComputeResult) { if (canComputeResult) {
// Real strcmp stops at null characters. // Real strcmp stops at null characters.
size_t s1Term = s1StrRef.find('\0'); size_t s1Term = LeftStrRef.find('\0');
if (s1Term != StringRef::npos) if (s1Term != StringRef::npos)
s1StrRef = s1StrRef.substr(0, s1Term); LeftStrRef = LeftStrRef.substr(0, s1Term);
size_t s2Term = s2StrRef.find('\0'); size_t s2Term = RightStrRef.find('\0');
if (s2Term != StringRef::npos) if (s2Term != StringRef::npos)
s2StrRef = s2StrRef.substr(0, s2Term); RightStrRef = RightStrRef.substr(0, s2Term);
// Use StringRef's comparison methods to compute the actual result. // Use StringRef's comparison methods to compute the actual result.
int compareRes = IgnoreCase ? s1StrRef.compare_lower(s2StrRef) int compareRes = IgnoreCase ? LeftStrRef.compare_lower(RightStrRef)
: s1StrRef.compare(s2StrRef); : LeftStrRef.compare(RightStrRef);
// The strcmp function returns an integer greater than, equal to, or less // The strcmp function returns an integer greater than, equal to, or less
// than zero, [c11, p7.24.4.2]. // than zero, [c11, p7.24.4.2].
if (compareRes == 0) { if (compareRes == 0) {
resultVal = svalBuilder.makeIntVal(compareRes, CE->getType()); resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
} }
else { else {
DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType()); DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
Show All 13 Linesvoid CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
// Record this as a possible path. // Record this as a possible path.
C.addTransition(state); C.addTransition(state);
} }
void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
//char *strsep(char **stringp, const char *delim); //char *strsep(char **stringp, const char *delim);
// Sanity: does the search string parameter match the return type? // Sanity: does the search string parameter match the return type?
const Expr *SearchStrPtr = CE->getArg(0); SourceArgExpr SearchStrPtr = {CE->getArg(0), 0};
QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType();
QualType CharPtrTy = SearchStrPtr.Expression->getType()->getPointeeType();
if (CharPtrTy.isNull() || if (CharPtrTy.isNull() ||
CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType()) CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
return; return;
CurrentFunctionDescription = "strsep()"; CurrentFunctionDescription = "strsep()";
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
// Check that the search string pointer is non-null (though it may point to // Check that the search string pointer is non-null (though it may point to
// a null string). // a null string).
SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx); SVal SearchStrVal = State->getSVal(SearchStrPtr.Expression, LCtx);
State = checkNonNull(C, State, SearchStrPtr, SearchStrVal, 1); State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
if (!State) if (!State)
return; return;
// Check that the delimiter string is non-null. // Check that the delimiter string is non-null.
const Expr *DelimStr = CE->getArg(1); AnyArgExpr DelimStr = {CE->getArg(1), 1};
SVal DelimStrVal = State->getSVal(DelimStr, LCtx); SVal DelimStrVal = State->getSVal(DelimStr.Expression, LCtx);
State = checkNonNull(C, State, DelimStr, DelimStrVal, 2); State = checkNonNull(C, State, DelimStr, DelimStrVal);
if (!State) if (!State)
return; return;
SValBuilder &SVB = C.getSValBuilder(); SValBuilder &SVB = C.getSValBuilder();
SVal Result; SVal Result;
if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) { if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
// Get the current value of the search string pointer, as a char*. // Get the current value of the search string pointer, as a char*.
Result = State->getSVal(*SearchStrLoc, CharPtrTy); Result = State->getSVal(*SearchStrLoc, CharPtrTy);
// Invalidate the search string, representing the change of one delimiter // Invalidate the search string, representing the change of one delimiter
// character to NUL. // character to NUL.
State = InvalidateBuffer(C, State, SearchStrPtr, Result, State = InvalidateBuffer(C, State, SearchStrPtr.Expression, Result,
/*IsSourceBuffer*/false, nullptr); /*IsSourceBuffer*/ false, nullptr);
// Overwrite the search string pointer. The new value is either an address // Overwrite the search string pointer. The new value is either an address
// further along in the same string, or NULL if there are no more tokens. // further along in the same string, or NULL if there are no more tokens.
State = State->bindLoc(*SearchStrLoc, State = State->bindLoc(*SearchStrLoc,
SVB.conjureSymbolVal(getTag(), SVB.conjureSymbolVal(getTag(),
CE, CE,
LCtx, LCtx,
CharPtrTy, CharPtrTy,
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Linesvoid CStringChecker::evalStdCopyCommon(CheckerContext &C,
SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount()); SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
State = State->BindExpr(CE, LCtx, ResultVal); State = State->BindExpr(CE, LCtx, ResultVal);
C.addTransition(State); C.addTransition(State);
} }
void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const {
// void *memset(void *s, int c, size_t n);
CurrentFunctionDescription = "memory set function"; CurrentFunctionDescription = "memory set function";
const Expr *Mem = CE->getArg(0); DestinationArgExpr Buffer = {CE->getArg(0), 0};
const Expr *CharE = CE->getArg(1); AnyArgExpr CharE = {CE->getArg(1), 1};
const Expr *Size = CE->getArg(2); SizeArgExpr Size = {CE->getArg(2), 2};
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// See if the size argument is zero. // See if the size argument is zero.
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
SVal SizeVal = State->getSVal(Size, LCtx); SVal SizeVal = C.getSVal(Size.Expression);
QualType SizeTy = Size->getType(); QualType SizeTy = Size.Expression->getType();
ProgramStateRef StateZeroSize, StateNonZeroSize; ProgramStateRef ZeroSize, NonZeroSize;
std::tie(StateZeroSize, StateNonZeroSize) = std::tie(ZeroSize, NonZeroSize) = assumeZero(C, State, SizeVal, SizeTy);
assumeZero(C, State, SizeVal, SizeTy);
// Get the value of the memory area. // Get the value of the memory area.
SVal MemVal = State->getSVal(Mem, LCtx); SVal BufferPtrVal = C.getSVal(Buffer.Expression);
// If the size is zero, there won't be any actual memory access, so // If the size is zero, there won't be any actual memory access, so
// just bind the return value to the Mem buffer and return. // just bind the return value to the buffer and return.
if (StateZeroSize && !StateNonZeroSize) { if (ZeroSize && !NonZeroSize) {
StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, MemVal); ZeroSize = ZeroSize->BindExpr(CE, LCtx, BufferPtrVal);
C.addTransition(StateZeroSize); C.addTransition(ZeroSize);
return; return;
} }
// Ensure the memory area is not null. // Ensure the memory area is not null.
// If it is NULL there will be a NULL pointer dereference. // If it is NULL there will be a NULL pointer dereference.
State = checkNonNull(C, StateNonZeroSize, Mem, MemVal, 1); State = checkNonNull(C, NonZeroSize, Buffer, BufferPtrVal);
if (!State) if (!State)
return; return;
State = CheckBufferAccess(C, State, Size, Mem); State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
if (!State) if (!State)
return; return;
// According to the values of the arguments, bind the value of the second // According to the values of the arguments, bind the value of the second
// argument to the destination buffer and set string length, or just // argument to the destination buffer and set string length, or just
// invalidate the destination buffer. // invalidate the destination buffer.
if (!memsetAux(Mem, C.getSVal(CharE), Size, C, State)) if (!memsetAux(Buffer.Expression, C.getSVal(CharE.Expression),
Size.Expression, C, State))
return; return;
State = State->BindExpr(CE, LCtx, MemVal); State = State->BindExpr(CE, LCtx, BufferPtrVal);
C.addTransition(State); C.addTransition(State);
} }
void CStringChecker::evalBzero(CheckerContext &C, const CallExpr *CE) const { void CStringChecker::evalBzero(CheckerContext &C, const CallExpr *CE) const {
CurrentFunctionDescription = "memory clearance function"; CurrentFunctionDescription = "memory clearance function";
const Expr *Mem = CE->getArg(0); DestinationArgExpr Buffer = {CE->getArg(0), 0};
const Expr *Size = CE->getArg(1); SizeArgExpr Size = {CE->getArg(1), 1};
SVal Zero = C.getSValBuilder().makeZeroVal(C.getASTContext().IntTy); SVal Zero = C.getSValBuilder().makeZeroVal(C.getASTContext().IntTy);
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// See if the size argument is zero. // See if the size argument is zero.
SVal SizeVal = C.getSVal(Size); SVal SizeVal = C.getSVal(Size.Expression);
QualType SizeTy = Size->getType(); QualType SizeTy = Size.Expression->getType();
ProgramStateRef StateZeroSize, StateNonZeroSize; ProgramStateRef StateZeroSize, StateNonZeroSize;
std::tie(StateZeroSize, StateNonZeroSize) = std::tie(StateZeroSize, StateNonZeroSize) =
assumeZero(C, State, SizeVal, SizeTy); assumeZero(C, State, SizeVal, SizeTy);
// If the size is zero, there won't be any actual memory access, // If the size is zero, there won't be any actual memory access,
// In this case we just return. // In this case we just return.
if (StateZeroSize && !StateNonZeroSize) { if (StateZeroSize && !StateNonZeroSize) {
C.addTransition(StateZeroSize); C.addTransition(StateZeroSize);
return; return;
} }
// Get the value of the memory area. // Get the value of the memory area.
SVal MemVal = C.getSVal(Mem); SVal MemVal = C.getSVal(Buffer.Expression);
// Ensure the memory area is not null. // Ensure the memory area is not null.
// If it is NULL there will be a NULL pointer dereference. // If it is NULL there will be a NULL pointer dereference.
State = checkNonNull(C, StateNonZeroSize, Mem, MemVal, 1); State = checkNonNull(C, StateNonZeroSize, Buffer, MemVal);
if (!State) if (!State)
return; return;
State = CheckBufferAccess(C, State, Size, Mem); State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
if (!State) if (!State)
return; return;
if (!memsetAux(Mem, Zero, Size, C, State)) if (!memsetAux(Buffer.Expression, Zero, Size.Expression, C, State))
return; return;
C.addTransition(State); C.addTransition(State);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// The driver method, and other Checker callbacks. // The driver method, and other Checker callbacks.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 200 LinesShow Last 20 Lines

clang/test/Analysis/bsd-string.c

Show All 23 Linesvoid f2() {
clang_analyzer_eval(len == 4); // expected-warning{{TRUE}} clang_analyzer_eval(len == 4); // expected-warning{{TRUE}}
len = strlcat(buf, "efgh", sizeof(buf)); // expected-no-warning len = strlcat(buf, "efgh", sizeof(buf)); // expected-no-warning
clang_analyzer_eval(len == 8); // expected-warning{{TRUE}} clang_analyzer_eval(len == 8); // expected-warning{{TRUE}}
} }
void f3() { void f3() {
char dst[2]; char dst[2];
const char *src = "abdef"; const char *src = "abdef";
strlcpy(dst, src, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}} strlcpy(dst, src, 5); // expected-warning{{String copy function overflows the destination buffer}}
} }
void f4() { void f4() {
strlcpy(NULL, "abcdef", 6); // expected-warning{{Null pointer passed as 1st argument to string copy function}} strlcpy(NULL, "abcdef", 6); // expected-warning{{Null pointer passed as 1st argument to string copy function}}
} }
void f5() { void f5() {
strlcat(NULL, "abcdef", 6); // expected-warning{{Null pointer passed as 1st argument to string concatenation function}} strlcat(NULL, "abcdef", 6); // expected-warning{{Null pointer passed as 1st argument to string concatenation function}}
▲ Show 20 LinesShow All 66 Lines▼ Show 20 Linesvoid f9(int unknown_size, char* unknown_src, char* unknown_dst){
clang_analyzer_eval(strlen(buf));// expected-warning{{UNKNOWN}} clang_analyzer_eval(strlen(buf));// expected-warning{{UNKNOWN}}
//src, dst is unknown //src, dst is unknown
len = strlcpy(unknown_dst, unknown_src, unknown_size); len = strlcpy(unknown_dst, unknown_src, unknown_size);
clang_analyzer_eval(len);// expected-warning{{UNKNOWN}} clang_analyzer_eval(len);// expected-warning{{UNKNOWN}}
clang_analyzer_eval(strlen(unknown_dst));// expected-warning{{UNKNOWN}} clang_analyzer_eval(strlen(unknown_dst));// expected-warning{{UNKNOWN}}
//size is unknown //size is unknown
len = strlcat(buf+2,unknown_src+1, sizeof(buf));// expected-warning{{Size argument is greater than the length of the destination buffer}}; len = strlcat(buf + 2, unknown_src + 1, sizeof(buf));
// expected-warning@-1 {{String concatenation function overflows the destination buffer}}
} }
void f10(){ void f10(){
char buf[8]; char buf[8];
size_t len; size_t len;
len = strlcpy(buf,"abba",sizeof(buf)); len = strlcpy(buf,"abba",sizeof(buf));
clang_analyzer_eval(len==4);// expected-warning{{TRUE}} clang_analyzer_eval(len==4);// expected-warning{{TRUE}}
strlcat(buf, "efghi",9);// expected-warning{{Size argument is greater than the length of the destination buffer}} strlcat(buf, "efghi", 9);
// expected-warning@-1 {{String concatenation function overflows the destination buffer}}
} }
void f11() { void f11() {
//test for Bug 41729 //test for Bug 41729
char a[256], b[256]; char a[256], b[256];
strlcpy(a, "world", sizeof(a)); strlcpy(a, "world", sizeof(a));
strlcpy(b, "hello ", sizeof(b)); strlcpy(b, "hello ", sizeof(b));
strlcat(b, a, sizeof(b)); // no-warning strlcat(b, a, sizeof(b)); // no-warning
} }
int a, b; int a, b;
void unknown_val_crash() { void unknown_val_crash() {
// We're unable to evaluate the integer-to-pointer cast. // We're unable to evaluate the integer-to-pointer cast.
strlcat(&b, a, 0); // no-crash strlcat(&b, a, 0); // no-crash
} }

clang/test/Analysis/bstring.c

Show First 20 LinesShow All 89 Lines▼ Show 20 Linesvoid memcpy1 () {
memcpy(dst, src, 5); // expected-warning{{Memory copy function accesses out-of-bound array element}} memcpy(dst, src, 5); // expected-warning{{Memory copy function accesses out-of-bound array element}}
} }
void memcpy2 () { void memcpy2 () {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[1]; char dst[1];
memcpy(dst, src, 4); // expected-warning{{Memory copy function overflows destination buffer}} memcpy(dst, src, 4); // expected-warning {{Memory copy function overflows the destination buffer}}
#ifndef VARIANT #ifndef VARIANT
// expected-warning@-2{{memcpy' will always overflow; destination buffer has size 1, but size argument is 4}} // expected-warning@-2 {{memcpy' will always overflow; destination buffer has size 1, but size argument is 4}}
#endif #endif
} }
void memcpy3 () { void memcpy3 () {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[3]; char dst[3];
memcpy(dst+1, src+2, 2); // no-warning memcpy(dst+1, src+2, 2); // no-warning
} }
void memcpy4 () { void memcpy4 () {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[10]; char dst[10];
memcpy(dst+2, src+2, 3); // expected-warning{{Memory copy function accesses out-of-bound array element}} memcpy(dst+2, src+2, 3); // expected-warning{{Memory copy function accesses out-of-bound array element}}
} }
void memcpy5() { void memcpy5() {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[3]; char dst[3];
memcpy(dst+2, src+2, 2); // expected-warning{{Memory copy function overflows destination buffer}} memcpy(dst + 2, src + 2, 2); // expected-warning{{Memory copy function overflows the destination buffer}}
#ifndef VARIANT #ifndef VARIANT
// expected-warning@-2{{memcpy' will always overflow; destination buffer has size 1, but size argument is 2}} // expected-warning@-2{{memcpy' will always overflow; destination buffer has size 1, but size argument is 2}}
#endif #endif
} }
void memcpy6() { void memcpy6() {
int a[4] = {0}; int a[4] = {0};
memcpy(a, a, 8); // expected-warning{{overlapping}} memcpy(a, a, 8); // expected-warning{{overlapping}}
▲ Show 20 LinesShow All 85 Lines▼ Show 20 Linesvoid mempcpy1 () {
mempcpy(dst, src, 5); // expected-warning{{Memory copy function accesses out-of-bound array element}} mempcpy(dst, src, 5); // expected-warning{{Memory copy function accesses out-of-bound array element}}
} }
void mempcpy2 () { void mempcpy2 () {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[1]; char dst[1];
mempcpy(dst, src, 4); // expected-warning{{Memory copy function overflows destination buffer}} mempcpy(dst, src, 4); // expected-warning{{Memory copy function overflows the destination buffer}}
#ifndef VARIANT #ifndef VARIANT
// expected-warning@-2{{'mempcpy' will always overflow; destination buffer has size 1, but size argument is 4}} // expected-warning@-2{{'mempcpy' will always overflow; destination buffer has size 1, but size argument is 4}}
#endif #endif
} }
void mempcpy3 () { void mempcpy3 () {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[3]; char dst[3];
mempcpy(dst+1, src+2, 2); // no-warning mempcpy(dst+1, src+2, 2); // no-warning
} }
void mempcpy4 () { void mempcpy4 () {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[10]; char dst[10];
mempcpy(dst+2, src+2, 3); // expected-warning{{Memory copy function accesses out-of-bound array element}} mempcpy(dst+2, src+2, 3); // expected-warning{{Memory copy function accesses out-of-bound array element}}
} }
void mempcpy5() { void mempcpy5() {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[3]; char dst[3];
mempcpy(dst+2, src+2, 2); // expected-warning{{Memory copy function overflows destination buffer}} mempcpy(dst + 2, src + 2, 2); // expected-warning{{Memory copy function overflows the destination buffer}}
#ifndef VARIANT #ifndef VARIANT
// expected-warning@-2{{'mempcpy' will always overflow; destination buffer has size 1, but size argument is 2}} // expected-warning@-2{{'mempcpy' will always overflow; destination buffer has size 1, but size argument is 2}}
#endif #endif
} }
void mempcpy6() { void mempcpy6() {
int a[4] = {0}; int a[4] = {0};
mempcpy(a, a, 8); // expected-warning{{overlapping}} mempcpy(a, a, 8); // expected-warning{{overlapping}}
▲ Show 20 LinesShow All 124 Lines▼ Show 20 Linesvoid memmove1 () {
memmove(dst, src, 5); // expected-warning{{out-of-bound}} memmove(dst, src, 5); // expected-warning{{out-of-bound}}
} }
void memmove2 () { void memmove2 () {
char src[] = {1, 2, 3, 4}; char src[] = {1, 2, 3, 4};
char dst[1]; char dst[1];
memmove(dst, src, 4); // expected-warning{{Memory copy function overflows destination buffer}} memmove(dst, src, 4); // expected-warning{{Memory copy function overflows the destination buffer}}
#ifndef VARIANT #ifndef VARIANT
// expected-warning@-2{{memmove' will always overflow; destination buffer has size 1, but size argument is 4}} // expected-warning@-2{{memmove' will always overflow; destination buffer has size 1, but size argument is 4}}
#endif #endif
} }
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
// memcmp() // memcmp()
//===----------------------------------------------------------------------=== //===----------------------------------------------------------------------===
▲ Show 20 LinesShow All 131 LinesShow Last 20 Lines

clang/test/Analysis/null-deref-ps-region.c

Show First 20 LinesShow All 49 Lines▼ Show 20 Lines
void testHeapSymbol() { void testHeapSymbol() {
char *buf = (char *)malloc(13); char *buf = (char *)malloc(13);
memset(buf, 0, 1); // no-warning memset(buf, 0, 1); // no-warning
free(buf); free(buf);
} }
void testStackArrayOutOfBound() { void testStackArrayOutOfBound() {
char buf[1]; char buf[1];
memset(buf, 0, 1024); // expected-warning {{Memory set function accesses out-of-bound array element}} expected-warning {{'memset' will always overflow; destination buffer has size 1, but size argument is 1024}} memset(buf, 0, 1024);
// expected-warning@-1 {{Memory set function overflows the destination buffer}}
// expected-warning@-2 {{'memset' will always overflow; destination buffer has size 1, but size argument is 1024}}
} }
void testHeapSymbolOutOfBound() { void testHeapSymbolOutOfBound() {
char *buf = (char *)malloc(1); char *buf = (char *)malloc(1);
memset(buf, 0, 1024); // expected-warning {{Memory set function accesses out-of-bound array element}} memset(buf, 0, 1024);
// expected-warning@-1 {{Memory set function overflows the destination buffer}}
free(buf); free(buf);
} }
void testStackArraySameSize() { void testStackArraySameSize() {
char buf[1]; char buf[1];
memset(buf, 0, sizeof(buf)); // no-warning memset(buf, 0, sizeof(buf)); // no-warning
} }
void testHeapSymbolSameSize() { void testHeapSymbolSameSize() {
char *buf = (char *)malloc(1); char *buf = (char *)malloc(1);
memset(buf, 0, 1); // no-warning memset(buf, 0, 1); // no-warning
free(buf); free(buf);
} }

clang/test/Analysis/string.c

Show First 20 LinesShow All 347 Lines▼ Show 20 Linesvoid strcpy_effects(char *x, char *y) {
clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}} clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(globalInt == 42); // expected-warning{{TRUE}} clang_analyzer_eval(globalInt == 42); // expected-warning{{TRUE}}
} }
#ifndef SUPPRESS_OUT_OF_BOUND #ifndef SUPPRESS_OUT_OF_BOUND
void strcpy_overflow(char *y) { void strcpy_overflow(char *y) {
char x[4]; char x[4];
if (strlen(y) == 4) if (strlen(y) == 4)
strcpy(x, y); // expected-warning{{String copy function overflows destination buffer}} strcpy(x, y); // expected-warning{{String copy function overflows the destination buffer}}
} }
#endif #endif
void strcpy_no_overflow(char *y) { void strcpy_no_overflow(char *y) {
char x[4]; char x[4];
if (strlen(y) == 3) if (strlen(y) == 3)
strcpy(x, y); // no-warning strcpy(x, y); // no-warning
} }
Show All 24 Linesvoid stpcpy_effect(char *x, char *y) {
clang_analyzer_eval(strlen(x) == strlen(y)); // expected-warning{{TRUE}} clang_analyzer_eval(strlen(x) == strlen(y)); // expected-warning{{TRUE}}
clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}} clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}
} }
#ifndef SUPPRESS_OUT_OF_BOUND #ifndef SUPPRESS_OUT_OF_BOUND
void stpcpy_overflow(char *y) { void stpcpy_overflow(char *y) {
char x[4]; char x[4];
if (strlen(y) == 4) if (strlen(y) == 4)
stpcpy(x, y); // expected-warning{{String copy function overflows destination buffer}} stpcpy(x, y); // expected-warning{{String copy function overflows the destination buffer}}
} }
#endif #endif
void stpcpy_no_overflow(char *y) { void stpcpy_no_overflow(char *y) {
char x[4]; char x[4];
if (strlen(y) == 3) if (strlen(y) == 3)
stpcpy(x, y); // no-warning stpcpy(x, y); // no-warning
} }
Show All 40 Linesvoid strcat_effects(char *y) {
clang_analyzer_eval(strcat(x, y) == x); // expected-warning{{TRUE}} clang_analyzer_eval(strcat(x, y) == x); // expected-warning{{TRUE}}
clang_analyzer_eval((int)strlen(x) == (orig_len + strlen(y))); // expected-warning{{TRUE}} clang_analyzer_eval((int)strlen(x) == (orig_len + strlen(y))); // expected-warning{{TRUE}}
} }
#ifndef SUPPRESS_OUT_OF_BOUND #ifndef SUPPRESS_OUT_OF_BOUND
void strcat_overflow_0(char *y) { void strcat_overflow_0(char *y) {
char x[4] = "12"; char x[4] = "12";
if (strlen(y) == 4) if (strlen(y) == 4)
strcat(x, y); // expected-warning{{String copy function overflows destination buffer}} strcat(x, y); // expected-warning{{String concatenation function overflows the destination buffer}}
NoQUnsubmitted
Done
ReplyInline Actions

Nice catch indeed!~

NoQ: Nice catch indeed!~
} }
void strcat_overflow_1(char *y) { void strcat_overflow_1(char *y) {
char x[4] = "12"; char x[4] = "12";
if (strlen(y) == 3) if (strlen(y) == 3)
strcat(x, y); // expected-warning{{String copy function overflows destination buffer}} strcat(x, y); // expected-warning{{String concatenation function overflows the destination buffer}}
} }
void strcat_overflow_2(char *y) { void strcat_overflow_2(char *y) {
char x[4] = "12"; char x[4] = "12";
if (strlen(y) == 2) if (strlen(y) == 2)
strcat(x, y); // expected-warning{{String copy function overflows destination buffer}} strcat(x, y); // expected-warning{{String concatenation function overflows the destination buffer}}
} }
#endif #endif
void strcat_no_overflow(char *y) { void strcat_no_overflow(char *y) {
char x[5] = "12"; char x[5] = "12";
if (strlen(y) == 2) if (strlen(y) == 2)
strcat(x, y); // no-warning strcat(x, y); // no-warning
} }
▲ Show 20 LinesShow All 67 Lines▼ Show 20 Linesvoid strncpy_effects(char *x, char *y) {
clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}} clang_analyzer_eval(a == x[0]); // expected-warning{{UNKNOWN}}
} }
#ifndef SUPPRESS_OUT_OF_BOUND #ifndef SUPPRESS_OUT_OF_BOUND
// Enabling the malloc checker enables some of the buffer-checking portions // Enabling the malloc checker enables some of the buffer-checking portions
// of the C-string checker. // of the C-string checker.
void cstringchecker_bounds_nocrash() { void cstringchecker_bounds_nocrash() {
char *p = malloc(2); char *p = malloc(2);
strncpy(p, "AAA", sizeof("AAA")); // expected-warning {{Size argument is greater than the length of the destination buffer}} strncpy(p, "AAA", sizeof("AAA"));
// expected-warning@-1 {{String copy function overflows the destination buffer}}
free(p); free(p);
} }
void strncpy_overflow(char *y) { void strncpy_overflow(char *y) {
char x[4]; char x[4];
if (strlen(y) == 4) if (strlen(y) == 4)
strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}} strncpy(x, y, 5);
// expected-warning@-1 {{String copy function overflows the destination buffer}}
#ifndef VARIANT #ifndef VARIANT
// expected-warning@-2{{size argument is too large; destination buffer has size 4, but size argument is 5}} // expected-warning@-3 {{size argument is too large; destination buffer has size 4, but size argument is 5}}
#endif #endif
} }
void strncpy_no_overflow(char *y) { void strncpy_no_overflow(char *y) {
char x[4]; char x[4];
if (strlen(y) == 3) if (strlen(y) == 3)
strncpy(x, y, 5); // expected-warning{{Size argument is greater than the length of the destination buffer}} strncpy(x, y, 5);
// expected-warning@-1 {{String copy function overflows the destination buffer}}
#ifndef VARIANT #ifndef VARIANT
// expected-warning@-2{{size argument is too large; destination buffer has size 4, but size argument is 5}} // expected-warning@-3 {{size argument is too large; destination buffer has size 4, but size argument is 5}}
#endif #endif
} }
void strncpy_no_overflow2(char *y, int n) { void strncpy_no_overflow2(char *y, int n) {
if (n <= 4) if (n <= 4)
return; return;
char x[4]; char x[4];
if (strlen(y) == 3) if (strlen(y) == 3)
strncpy(x, y, n); // expected-warning{{Size argument is greater than the length of the destination buffer}} strncpy(x, y, n);
// expected-warning@-1 {{String copy function overflows the destination buffer}}
} }
#endif #endif
void strncpy_truncate(char *y) { void strncpy_truncate(char *y) {
char x[4]; char x[4];
if (strlen(y) == 4) if (strlen(y) == 4)
strncpy(x, y, 3); // no-warning strncpy(x, y, 3); // no-warning
} }
▲ Show 20 LinesShow All 66 Lines▼ Show 20 Linesvoid strncat_effects(char *y) {
clang_analyzer_eval(strncat(x, y, strlen(y)) == x); // expected-warning{{TRUE}} clang_analyzer_eval(strncat(x, y, strlen(y)) == x); // expected-warning{{TRUE}}
clang_analyzer_eval(strlen(x) == (orig_len + strlen(y))); // expected-warning{{TRUE}} clang_analyzer_eval(strlen(x) == (orig_len + strlen(y))); // expected-warning{{TRUE}}
} }
#ifndef SUPPRESS_OUT_OF_BOUND #ifndef SUPPRESS_OUT_OF_BOUND
void strncat_overflow_0(char *y) { void strncat_overflow_0(char *y) {
char x[4] = "12"; char x[4] = "12";
if (strlen(y) == 4) if (strlen(y) == 4)
strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}} strncat(x, y, strlen(y));
// expected-warning@-1 {{String concatenation function overflows the destination buffer}}
} }
void strncat_overflow_1(char *y) { void strncat_overflow_1(char *y) {
char x[4] = "12"; char x[4] = "12";
if (strlen(y) == 3) if (strlen(y) == 3)
strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}} strncat(x, y, strlen(y));
// expected-warning@-1 {{String concatenation function overflows the destination buffer}}
} }
void strncat_overflow_2(char *y) { void strncat_overflow_2(char *y) {
char x[4] = "12"; char x[4] = "12";
if (strlen(y) == 2) if (strlen(y) == 2)
strncat(x, y, strlen(y)); // expected-warning{{Size argument is greater than the free space in the destination buffer}} strncat(x, y, strlen(y));
// expected-warning@-1 {{String concatenation function overflows the destination buffer}}
} }
void strncat_overflow_3(char *y) { void strncat_overflow_3(char *y) {
char x[4] = "12"; char x[4] = "12";
if (strlen(y) == 4) if (strlen(y) == 4)
strncat(x, y, 2); // expected-warning{{Size argument is greater than the free space in the destination buffer}} strncat(x, y, 2);
// expected-warning@-1 {{String concatenation function overflows the destination buffer}}
} }
#endif #endif
void strncat_no_overflow_1(char *y) { void strncat_no_overflow_1(char *y) {
char x[5] = "12"; char x[5] = "12";
if (strlen(y) == 2) if (strlen(y) == 2)
strncat(x, y, strlen(y)); // no-warning strncat(x, y, strlen(y)); // no-warning
} }
Show All 11 Lines
#ifndef SUPPRESS_OUT_OF_BOUND #ifndef SUPPRESS_OUT_OF_BOUND
void strncat_symbolic_src_length(char *src) { void strncat_symbolic_src_length(char *src) {
char dst[8] = "1234"; char dst[8] = "1234";
strncat(dst, src, 3); strncat(dst, src, 3);
clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}} clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}
char dst2[8] = "1234"; char dst2[8] = "1234";
strncat(dst2, src, 4); // expected-warning{{Size argument is greater than the free space in the destination buffer}} strncat(dst2, src, 4);
// expected-warning@-1 {{String concatenation function overflows the destination buffer}}
} }
void strncat_unknown_src_length(char *src, int offset) { void strncat_unknown_src_length(char *src, int offset) {
char dst[8] = "1234"; char dst[8] = "1234";
strncat(dst, &src[offset], 3); strncat(dst, &src[offset], 3);
clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}} clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{TRUE}}
char dst2[8] = "1234"; char dst2[8] = "1234";
strncat(dst2, &src[offset], 4); // expected-warning{{Size argument is greater than the free space in the destination buffer}} strncat(dst2, &src[offset], 4);
// expected-warning@-1 {{String concatenation function overflows the destination buffer}}
} }
#endif #endif
// There is no strncat_unknown_dst_length because if we can't get a symbolic // There is no strncat_unknown_dst_length because if we can't get a symbolic
// length for the "before" strlen, we won't be able to set one for "after". // length for the "before" strlen, we won't be able to set one for "after".
void strncat_symbolic_limit(unsigned limit) { void strncat_symbolic_limit(unsigned limit) {
char dst[6] = "1234"; char dst[6] = "1234";
▲ Show 20 LinesShow All 766 Lines▼ Show 20 Lines
void explicit_bzero3_out_ofbound() { void explicit_bzero3_out_ofbound() {
char *privkey = (char *)malloc(7); char *privkey = (char *)malloc(7);
const char newprivkey[10] = "mysafekey"; const char newprivkey[10] = "mysafekey";
strcpy(privkey, "random"); strcpy(privkey, "random");
explicit_bzero(privkey, sizeof(newprivkey)); explicit_bzero(privkey, sizeof(newprivkey));
#ifndef SUPPRESS_OUT_OF_BOUND #ifndef SUPPRESS_OUT_OF_BOUND
// expected-warning@-2 {{Memory clearance function accesses out-of-bound array element}} // expected-warning@-2 {{Memory clearance function overflows the destination buffer}}
#endif #endif
clang_analyzer_eval(privkey[0] == '\0'); clang_analyzer_eval(privkey[0] == '\0');
#ifdef SUPPRESS_OUT_OF_BOUND #ifdef SUPPRESS_OUT_OF_BOUND
// expected-warning@-2 {{UNKNOWN}} // expected-warning@-2 {{UNKNOWN}}
#endif #endif
free(privkey); free(privkey);
} }
▲ Show 20 LinesShow All 123 LinesShow Last 20 Lines