1 //= CStringChecker.h - Checks calls to C string functions ----------*- C++ -*-//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This defines CStringChecker, which is an assortment of checks on calls
11 // to functions in <string.h>.
13 //===----------------------------------------------------------------------===//
15 #include "ClangSACheckers.h"
16 #include "clang/StaticAnalyzer/Core/Checker.h"
17 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
18 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/GRStateTrait.h"
21 #include "llvm/ADT/StringSwitch.h"
23 using namespace clang;
27 class CStringChecker : public Checker< eval::Call,
28 check::PreStmt<DeclStmt>,
33 mutable llvm::OwningPtr<BugType> BT_Null, BT_Bounds,
34 BT_Overlap, BT_NotCString,
36 mutable const char *CurrentFunctionDescription;
39 static void *getTag() { static int tag; return &tag; }
41 bool evalCall(const CallExpr *CE, CheckerContext &C) const;
42 void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
43 void checkLiveSymbols(const GRState *state, SymbolReaper &SR) const;
44 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
45 bool wantsRegionChangeUpdate(const GRState *state) const;
47 const GRState *checkRegionChanges(const GRState *state,
48 const StoreManager::InvalidatedSymbols *,
49 const MemRegion * const *Begin,
50 const MemRegion * const *End) const;
52 typedef void (CStringChecker::*FnCheck)(CheckerContext &,
53 const CallExpr *) const;
55 void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
56 void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
57 void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
58 void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
59 void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
61 const Expr *Size, const Expr *Source, const Expr *Dest,
62 bool Restricted = false,
63 bool IsMempcpy = false) const;
65 void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
67 void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
68 void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
69 void evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
70 bool IsStrnlen = false) const;
72 void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
73 void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
74 void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
75 void evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, bool returnEnd,
76 bool isBounded, bool isAppending) const;
78 void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
79 void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
81 void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
82 void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
83 void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
84 void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
85 void evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
86 bool isBounded = false, bool ignoreCase = false) const;
89 std::pair<const GRState*, const GRState*>
90 static assumeZero(CheckerContext &C,
91 const GRState *state, SVal V, QualType Ty);
93 static const GRState *setCStringLength(const GRState *state,
94 const MemRegion *MR, SVal strLength);
95 static SVal getCStringLengthForRegion(CheckerContext &C,
96 const GRState *&state,
97 const Expr *Ex, const MemRegion *MR,
99 SVal getCStringLength(CheckerContext &C, const GRState *&state,
100 const Expr *Ex, SVal Buf,
101 bool hypothetical = false) const;
103 const StringLiteral *getCStringLiteral(CheckerContext &C,
104 const GRState *&state,
108 static const GRState *InvalidateBuffer(CheckerContext &C,
109 const GRState *state,
110 const Expr *Ex, SVal V);
112 static bool SummarizeRegion(llvm::raw_ostream& os, ASTContext& Ctx,
113 const MemRegion *MR);
116 const GRState *checkNonNull(CheckerContext &C, const GRState *state,
117 const Expr *S, SVal l) const;
118 const GRState *CheckLocation(CheckerContext &C, const GRState *state,
119 const Expr *S, SVal l,
120 const char *message = NULL) const;
121 const GRState *CheckBufferAccess(CheckerContext &C, const GRState *state,
123 const Expr *FirstBuf,
124 const Expr *SecondBuf,
125 const char *firstMessage = NULL,
126 const char *secondMessage = NULL,
127 bool WarnAboutSize = false) const;
128 const GRState *CheckBufferAccess(CheckerContext &C, const GRState *state,
129 const Expr *Size, const Expr *Buf,
130 const char *message = NULL,
131 bool WarnAboutSize = false) const {
132 // This is a convenience override.
133 return CheckBufferAccess(C, state, Size, Buf, NULL, message, NULL,
136 const GRState *CheckOverlap(CheckerContext &C, const GRState *state,
137 const Expr *Size, const Expr *First,
138 const Expr *Second) const;
139 void emitOverlapBug(CheckerContext &C, const GRState *state,
140 const Stmt *First, const Stmt *Second) const;
141 const GRState *checkAdditionOverflow(CheckerContext &C, const GRState *state,
142 NonLoc left, NonLoc right) const;
145 class CStringLength {
147 typedef llvm::ImmutableMap<const MemRegion *, SVal> EntryMap;
149 } //end anonymous namespace
154 struct GRStateTrait<CStringLength>
155 : public GRStatePartialTrait<CStringLength::EntryMap> {
156 static void *GDMIndex() { return CStringChecker::getTag(); }
161 //===----------------------------------------------------------------------===//
162 // Individual checks and utility methods.
163 //===----------------------------------------------------------------------===//
165 std::pair<const GRState*, const GRState*>
166 CStringChecker::assumeZero(CheckerContext &C, const GRState *state, SVal V,
168 DefinedSVal *val = dyn_cast<DefinedSVal>(&V);
170 return std::pair<const GRState*, const GRState *>(state, state);
172 SValBuilder &svalBuilder = C.getSValBuilder();
173 DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
174 return state->assume(svalBuilder.evalEQ(state, *val, zero));
177 const GRState *CStringChecker::checkNonNull(CheckerContext &C,
178 const GRState *state,
179 const Expr *S, SVal l) const {
180 // If a previous check has failed, propagate the failure.
184 const GRState *stateNull, *stateNonNull;
185 llvm::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
187 if (stateNull && !stateNonNull) {
188 ExplodedNode *N = C.generateSink(stateNull);
193 BT_Null.reset(new BuiltinBug("API",
194 "Null pointer argument in call to byte string function"));
196 llvm::SmallString<80> buf;
197 llvm::raw_svector_ostream os(buf);
198 assert(CurrentFunctionDescription);
199 os << "Null pointer argument in call to " << CurrentFunctionDescription;
201 // Generate a report for this bug.
202 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get());
203 EnhancedBugReport *report = new EnhancedBugReport(*BT, os.str(), N);
205 report->addRange(S->getSourceRange());
206 report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, S);
207 C.EmitReport(report);
211 // From here on, assume that the value is non-null.
212 assert(stateNonNull);
216 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
217 const GRState *CStringChecker::CheckLocation(CheckerContext &C,
218 const GRState *state,
219 const Expr *S, SVal l,
220 const char *warningMsg) const {
221 // If a previous check has failed, propagate the failure.
225 // Check for out of bound array element access.
226 const MemRegion *R = l.getAsRegion();
230 const ElementRegion *ER = dyn_cast<ElementRegion>(R);
234 assert(ER->getValueType() == C.getASTContext().CharTy &&
235 "CheckLocation should only be called with char* ElementRegions");
237 // Get the size of the array.
238 const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
239 SValBuilder &svalBuilder = C.getSValBuilder();
241 svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
242 DefinedOrUnknownSVal Size = cast<DefinedOrUnknownSVal>(Extent);
244 // Get the index of the accessed element.
245 DefinedOrUnknownSVal Idx = cast<DefinedOrUnknownSVal>(ER->getIndex());
247 const GRState *StInBound = state->assumeInBound(Idx, Size, true);
248 const GRState *StOutBound = state->assumeInBound(Idx, Size, false);
249 if (StOutBound && !StInBound) {
250 ExplodedNode *N = C.generateSink(StOutBound);
255 BT_Bounds.reset(new BuiltinBug("Out-of-bound array access",
256 "Byte string function accesses out-of-bound array element"));
258 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get());
260 // Generate a report for this bug.
261 RangedBugReport *report;
263 report = new RangedBugReport(*BT, warningMsg, N);
265 assert(CurrentFunctionDescription);
266 assert(CurrentFunctionDescription[0] != '\0');
268 llvm::SmallString<80> buf;
269 llvm::raw_svector_ostream os(buf);
270 os << (char)toupper(CurrentFunctionDescription[0])
271 << &CurrentFunctionDescription[1]
272 << " accesses out-of-bound array element";
273 report = new RangedBugReport(*BT, os.str(), N);
276 // FIXME: It would be nice to eventually make this diagnostic more clear,
277 // e.g., by referencing the original declaration or by saying *why* this
278 // reference is outside the range.
280 report->addRange(S->getSourceRange());
281 C.EmitReport(report);
285 // Array bound check succeeded. From this point forward the array bound
286 // should always succeed.
290 const GRState *CStringChecker::CheckBufferAccess(CheckerContext &C,
291 const GRState *state,
293 const Expr *FirstBuf,
294 const Expr *SecondBuf,
295 const char *firstMessage,
296 const char *secondMessage,
297 bool WarnAboutSize) const {
298 // If a previous check has failed, propagate the failure.
302 SValBuilder &svalBuilder = C.getSValBuilder();
303 ASTContext &Ctx = svalBuilder.getContext();
305 QualType sizeTy = Size->getType();
306 QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
308 // Check that the first buffer is non-null.
309 SVal BufVal = state->getSVal(FirstBuf);
310 state = checkNonNull(C, state, FirstBuf, BufVal);
314 // Get the access length and make sure it is known.
315 // FIXME: This assumes the caller has already checked that the access length
316 // is positive. And that it's unsigned.
317 SVal LengthVal = state->getSVal(Size);
318 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal);
322 // Compute the offset of the last element to be accessed: size-1.
323 NonLoc One = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy));
324 NonLoc LastOffset = cast<NonLoc>(svalBuilder.evalBinOpNN(state, BO_Sub,
325 *Length, One, sizeTy));
327 // Check that the first buffer is sufficiently long.
328 SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
329 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) {
330 const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
332 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
334 state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
336 // If the buffer isn't large enough, abort.
341 // If there's a second buffer, check it as well.
343 BufVal = state->getSVal(SecondBuf);
344 state = checkNonNull(C, state, SecondBuf, BufVal);
348 BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
349 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) {
350 const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
352 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
354 state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
358 // Large enough or not, return this state!
362 const GRState *CStringChecker::CheckOverlap(CheckerContext &C,
363 const GRState *state,
366 const Expr *Second) const {
367 // Do a simple check for overlap: if the two arguments are from the same
368 // buffer, see if the end of the first is greater than the start of the second
371 // If a previous check has failed, propagate the failure.
375 const GRState *stateTrue, *stateFalse;
377 // Get the buffer values and make sure they're known locations.
378 SVal firstVal = state->getSVal(First);
379 SVal secondVal = state->getSVal(Second);
381 Loc *firstLoc = dyn_cast<Loc>(&firstVal);
385 Loc *secondLoc = dyn_cast<Loc>(&secondVal);
389 // Are the two values the same?
390 SValBuilder &svalBuilder = C.getSValBuilder();
391 llvm::tie(stateTrue, stateFalse) =
392 state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
394 if (stateTrue && !stateFalse) {
395 // If the values are known to be equal, that's automatically an overlap.
396 emitOverlapBug(C, stateTrue, First, Second);
400 // assume the two expressions are not equal.
404 // Which value comes first?
405 QualType cmpTy = svalBuilder.getConditionType();
406 SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT,
407 *firstLoc, *secondLoc, cmpTy);
408 DefinedOrUnknownSVal *reverseTest = dyn_cast<DefinedOrUnknownSVal>(&reverse);
412 llvm::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
415 // If we don't know which one comes first, we can't perform this test.
418 // Switch the values so that firstVal is before secondVal.
419 Loc *tmpLoc = firstLoc;
420 firstLoc = secondLoc;
423 // Switch the Exprs as well, so that they still correspond.
424 const Expr *tmpExpr = First;
430 // Get the length, and make sure it too is known.
431 SVal LengthVal = state->getSVal(Size);
432 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal);
436 // Convert the first buffer's start address to char*.
437 // Bail out if the cast fails.
438 ASTContext &Ctx = svalBuilder.getContext();
439 QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
440 SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy,
442 Loc *FirstStartLoc = dyn_cast<Loc>(&FirstStart);
446 // Compute the end of the first buffer. Bail out if THAT fails.
447 SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add,
448 *FirstStartLoc, *Length, CharPtrTy);
449 Loc *FirstEndLoc = dyn_cast<Loc>(&FirstEnd);
453 // Is the end of the first buffer past the start of the second buffer?
454 SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT,
455 *FirstEndLoc, *secondLoc, cmpTy);
456 DefinedOrUnknownSVal *OverlapTest = dyn_cast<DefinedOrUnknownSVal>(&Overlap);
460 llvm::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
462 if (stateTrue && !stateFalse) {
464 emitOverlapBug(C, stateTrue, First, Second);
468 // assume the two expressions don't overlap.
473 void CStringChecker::emitOverlapBug(CheckerContext &C, const GRState *state,
474 const Stmt *First, const Stmt *Second) const {
475 ExplodedNode *N = C.generateSink(state);
480 BT_Overlap.reset(new BugType("Unix API", "Improper arguments"));
482 // Generate a report for this bug.
483 RangedBugReport *report =
484 new RangedBugReport(*BT_Overlap,
485 "Arguments must not be overlapping buffers", N);
486 report->addRange(First->getSourceRange());
487 report->addRange(Second->getSourceRange());
489 C.EmitReport(report);
492 const GRState *CStringChecker::checkAdditionOverflow(CheckerContext &C,
493 const GRState *state,
495 NonLoc right) const {
496 // If a previous check has failed, propagate the failure.
500 SValBuilder &svalBuilder = C.getSValBuilder();
501 BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
503 QualType sizeTy = svalBuilder.getContext().getSizeType();
504 const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
505 NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
507 SVal maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
510 if (maxMinusRight.isUnknownOrUndef()) {
511 // Try switching the operands. (The order of these two assignments is
513 maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
518 if (NonLoc *maxMinusRightNL = dyn_cast<NonLoc>(&maxMinusRight)) {
519 QualType cmpTy = svalBuilder.getConditionType();
520 // If left > max - right, we have an overflow.
521 SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
522 *maxMinusRightNL, cmpTy);
524 const GRState *stateOverflow, *stateOkay;
525 llvm::tie(stateOverflow, stateOkay) =
526 state->assume(cast<DefinedOrUnknownSVal>(willOverflow));
528 if (stateOverflow && !stateOkay) {
529 // We have an overflow. Emit a bug report.
530 ExplodedNode *N = C.generateSink(stateOverflow);
534 if (!BT_AdditionOverflow)
535 BT_AdditionOverflow.reset(new BuiltinBug("API",
536 "Sum of expressions causes overflow"));
538 // This isn't a great error message, but this should never occur in real
539 // code anyway -- you'd have to create a buffer longer than a size_t can
540 // represent, which is sort of a contradiction.
541 const char *warning =
542 "This expression will create a string whose length is too big to "
543 "be represented as a size_t";
545 // Generate a report for this bug.
546 BugReport *report = new BugReport(*BT_AdditionOverflow, warning, N);
547 C.EmitReport(report);
552 // From now on, assume an overflow didn't occur.
560 const GRState *CStringChecker::setCStringLength(const GRState *state,
563 assert(!strLength.isUndef() && "Attempt to set an undefined string length");
565 MR = MR->StripCasts();
567 switch (MR->getKind()) {
568 case MemRegion::StringRegionKind:
569 // FIXME: This can happen if we strcpy() into a string region. This is
570 // undefined [C99 6.4.5p6], but we should still warn about it.
573 case MemRegion::SymbolicRegionKind:
574 case MemRegion::AllocaRegionKind:
575 case MemRegion::VarRegionKind:
576 case MemRegion::FieldRegionKind:
577 case MemRegion::ObjCIvarRegionKind:
578 // These are the types we can currently track string lengths for.
581 case MemRegion::ElementRegionKind:
582 // FIXME: Handle element regions by upper-bounding the parent region's
587 // Other regions (mostly non-data) can't have a reliable C string length.
588 // For now, just ignore the change.
589 // FIXME: These are rare but not impossible. We should output some kind of
590 // warning for things like strcpy((char[]){'a', 0}, "b");
594 if (strLength.isUnknown())
595 return state->remove<CStringLength>(MR);
597 return state->set<CStringLength>(MR, strLength);
600 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
601 const GRState *&state,
606 // If there's a recorded length, go ahead and return it.
607 const SVal *Recorded = state->get<CStringLength>(MR);
612 // Otherwise, get a new symbol and update the state.
613 unsigned Count = C.getNodeBuilder().getCurrentBlockCount();
614 SValBuilder &svalBuilder = C.getSValBuilder();
615 QualType sizeTy = svalBuilder.getContext().getSizeType();
616 SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
617 MR, Ex, sizeTy, Count);
620 state = state->set<CStringLength>(MR, strLength);
625 SVal CStringChecker::getCStringLength(CheckerContext &C, const GRState *&state,
626 const Expr *Ex, SVal Buf,
627 bool hypothetical) const {
628 const MemRegion *MR = Buf.getAsRegion();
630 // If we can't get a region, see if it's something we /know/ isn't a
631 // C string. In the context of locations, the only time we can issue such
632 // a warning is for labels.
633 if (loc::GotoLabel *Label = dyn_cast<loc::GotoLabel>(&Buf)) {
634 if (ExplodedNode *N = C.generateNode(state)) {
636 BT_NotCString.reset(new BuiltinBug("API",
637 "Argument is not a null-terminated string."));
639 llvm::SmallString<120> buf;
640 llvm::raw_svector_ostream os(buf);
641 assert(CurrentFunctionDescription);
642 os << "Argument to " << CurrentFunctionDescription
643 << " is the address of the label '" << Label->getLabel()->getName()
644 << "', which is not a null-terminated string";
646 // Generate a report for this bug.
647 EnhancedBugReport *report = new EnhancedBugReport(*BT_NotCString,
650 report->addRange(Ex->getSourceRange());
651 C.EmitReport(report);
654 return UndefinedVal();
657 // If it's not a region and not a label, give up.
661 // If we have a region, strip casts from it and see if we can figure out
662 // its length. For anything we can't figure out, just return UnknownVal.
663 MR = MR->StripCasts();
665 switch (MR->getKind()) {
666 case MemRegion::StringRegionKind: {
667 // Modifying the contents of string regions is undefined [C99 6.4.5p6],
668 // so we can assume that the byte length is the correct C string length.
669 SValBuilder &svalBuilder = C.getSValBuilder();
670 QualType sizeTy = svalBuilder.getContext().getSizeType();
671 const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
672 return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
674 case MemRegion::SymbolicRegionKind:
675 case MemRegion::AllocaRegionKind:
676 case MemRegion::VarRegionKind:
677 case MemRegion::FieldRegionKind:
678 case MemRegion::ObjCIvarRegionKind:
679 return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
680 case MemRegion::CompoundLiteralRegionKind:
681 // FIXME: Can we track this? Is it necessary?
683 case MemRegion::ElementRegionKind:
684 // FIXME: How can we handle this? It's not good enough to subtract the
685 // offset from the base string length; consider "123\x00567" and &a[5].
688 // Other regions (mostly non-data) can't have a reliable C string length.
689 // In this case, an error is emitted and UndefinedVal is returned.
690 // The caller should always be prepared to handle this case.
691 if (ExplodedNode *N = C.generateNode(state)) {
693 BT_NotCString.reset(new BuiltinBug("API",
694 "Argument is not a null-terminated string."));
696 llvm::SmallString<120> buf;
697 llvm::raw_svector_ostream os(buf);
699 assert(CurrentFunctionDescription);
700 os << "Argument to " << CurrentFunctionDescription << " is ";
702 if (SummarizeRegion(os, C.getASTContext(), MR))
703 os << ", which is not a null-terminated string";
705 os << "not a null-terminated string";
707 // Generate a report for this bug.
708 EnhancedBugReport *report = new EnhancedBugReport(*BT_NotCString,
711 report->addRange(Ex->getSourceRange());
712 C.EmitReport(report);
715 return UndefinedVal();
719 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
720 const GRState *&state, const Expr *expr, SVal val) const {
722 // Get the memory region pointed to by the val.
723 const MemRegion *bufRegion = val.getAsRegion();
727 // Strip casts off the memory region.
728 bufRegion = bufRegion->StripCasts();
730 // Cast the memory region to a string region.
731 const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
735 // Return the actual string in the string region.
736 return strRegion->getStringLiteral();
739 const GRState *CStringChecker::InvalidateBuffer(CheckerContext &C,
740 const GRState *state,
741 const Expr *E, SVal V) {
742 Loc *L = dyn_cast<Loc>(&V);
746 // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
747 // some assumptions about the value that CFRefCount can't. Even so, it should
748 // probably be refactored.
749 if (loc::MemRegionVal* MR = dyn_cast<loc::MemRegionVal>(L)) {
750 const MemRegion *R = MR->getRegion()->StripCasts();
752 // Are we dealing with an ElementRegion? If so, we should be invalidating
754 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
755 R = ER->getSuperRegion();
756 // FIXME: What about layers of ElementRegions?
759 // Invalidate this region.
760 unsigned Count = C.getNodeBuilder().getCurrentBlockCount();
761 return state->invalidateRegion(R, E, Count, NULL);
764 // If we have a non-region value by chance, just remove the binding.
765 // FIXME: is this necessary or correct? This handles the non-Region
766 // cases. Is it ever valid to store to these?
767 return state->unbindLoc(*L);
770 bool CStringChecker::SummarizeRegion(llvm::raw_ostream& os, ASTContext& Ctx,
771 const MemRegion *MR) {
772 const TypedRegion *TR = dyn_cast<TypedRegion>(MR);
776 switch (TR->getKind()) {
777 case MemRegion::FunctionTextRegionKind: {
778 const FunctionDecl *FD = cast<FunctionTextRegion>(TR)->getDecl();
780 os << "the address of the function '" << FD << "'";
782 os << "the address of a function";
785 case MemRegion::BlockTextRegionKind:
788 case MemRegion::BlockDataRegionKind:
791 case MemRegion::CXXThisRegionKind:
792 case MemRegion::CXXTempObjectRegionKind:
793 os << "a C++ temp object of type " << TR->getValueType().getAsString();
795 case MemRegion::VarRegionKind:
796 os << "a variable of type" << TR->getValueType().getAsString();
798 case MemRegion::FieldRegionKind:
799 os << "a field of type " << TR->getValueType().getAsString();
801 case MemRegion::ObjCIvarRegionKind:
802 os << "an instance variable of type " << TR->getValueType().getAsString();
809 //===----------------------------------------------------------------------===//
810 // evaluation of individual function calls.
811 //===----------------------------------------------------------------------===//
813 void CStringChecker::evalCopyCommon(CheckerContext &C,
815 const GRState *state,
816 const Expr *Size, const Expr *Dest,
817 const Expr *Source, bool Restricted,
818 bool IsMempcpy) const {
819 CurrentFunctionDescription = "memory copy function";
821 // See if the size argument is zero.
822 SVal sizeVal = state->getSVal(Size);
823 QualType sizeTy = Size->getType();
825 const GRState *stateZeroSize, *stateNonZeroSize;
826 llvm::tie(stateZeroSize, stateNonZeroSize) =
827 assumeZero(C, state, sizeVal, sizeTy);
829 // Get the value of the Dest.
830 SVal destVal = state->getSVal(Dest);
832 // If the size is zero, there won't be any actual memory access, so
833 // just bind the return value to the destination buffer and return.
835 stateZeroSize = stateZeroSize->BindExpr(CE, destVal);
836 C.addTransition(stateZeroSize);
839 // If the size can be nonzero, we have to check the other arguments.
840 if (stateNonZeroSize) {
841 state = stateNonZeroSize;
843 // Ensure the destination is not null. If it is NULL there will be a
844 // NULL pointer dereference.
845 state = checkNonNull(C, state, Dest, destVal);
849 // Get the value of the Src.
850 SVal srcVal = state->getSVal(Source);
852 // Ensure the source is not null. If it is NULL there will be a
853 // NULL pointer dereference.
854 state = checkNonNull(C, state, Source, srcVal);
858 // Ensure the accesses are valid and that the buffers do not overlap.
859 const char * const writeWarning =
860 "Memory copy function overflows destination buffer";
861 state = CheckBufferAccess(C, state, Size, Dest, Source,
862 writeWarning, /* sourceWarning = */ NULL);
864 state = CheckOverlap(C, state, Size, Dest, Source);
869 // If this is mempcpy, get the byte after the last byte copied and
872 loc::MemRegionVal *destRegVal = dyn_cast<loc::MemRegionVal>(&destVal);
873 assert(destRegVal && "Destination should be a known MemRegionVal here");
875 // Get the length to copy.
876 NonLoc *lenValNonLoc = dyn_cast<NonLoc>(&sizeVal);
879 // Get the byte after the last byte copied.
880 SVal lastElement = C.getSValBuilder().evalBinOpLN(state, BO_Add,
885 // The byte after the last byte copied is the return value.
886 state = state->BindExpr(CE, lastElement);
888 // If we don't know how much we copied, we can at least
889 // conjure a return value for later.
890 unsigned Count = C.getNodeBuilder().getCurrentBlockCount();
892 C.getSValBuilder().getConjuredSymbolVal(NULL, CE, Count);
893 state = state->BindExpr(CE, result);
897 // All other copies return the destination buffer.
898 // (Well, bcopy() has a void return type, but this won't hurt.)
899 state = state->BindExpr(CE, destVal);
902 // Invalidate the destination.
903 // FIXME: Even if we can't perfectly model the copy, we should see if we
904 // can use LazyCompoundVals to copy the source values into the destination.
905 // This would probably remove any existing bindings past the end of the
906 // copied region, but that's still an improvement over blank invalidation.
907 state = InvalidateBuffer(C, state, Dest, state->getSVal(Dest));
908 C.addTransition(state);
913 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
914 // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
915 // The return value is the address of the destination buffer.
916 const Expr *Dest = CE->getArg(0);
917 const GRState *state = C.getState();
919 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true);
922 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
923 // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
924 // The return value is a pointer to the byte following the last written byte.
925 const Expr *Dest = CE->getArg(0);
926 const GRState *state = C.getState();
928 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
931 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
932 // void *memmove(void *dst, const void *src, size_t n);
933 // The return value is the address of the destination buffer.
934 const Expr *Dest = CE->getArg(0);
935 const GRState *state = C.getState();
937 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
940 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
941 // void bcopy(const void *src, void *dst, size_t n);
942 evalCopyCommon(C, CE, C.getState(),
943 CE->getArg(2), CE->getArg(1), CE->getArg(0));
946 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
947 // int memcmp(const void *s1, const void *s2, size_t n);
948 CurrentFunctionDescription = "memory comparison function";
950 const Expr *Left = CE->getArg(0);
951 const Expr *Right = CE->getArg(1);
952 const Expr *Size = CE->getArg(2);
954 const GRState *state = C.getState();
955 SValBuilder &svalBuilder = C.getSValBuilder();
957 // See if the size argument is zero.
958 SVal sizeVal = state->getSVal(Size);
959 QualType sizeTy = Size->getType();
961 const GRState *stateZeroSize, *stateNonZeroSize;
962 llvm::tie(stateZeroSize, stateNonZeroSize) =
963 assumeZero(C, state, sizeVal, sizeTy);
965 // If the size can be zero, the result will be 0 in that case, and we don't
966 // have to check either of the buffers.
968 state = stateZeroSize;
969 state = state->BindExpr(CE, svalBuilder.makeZeroVal(CE->getType()));
970 C.addTransition(state);
973 // If the size can be nonzero, we have to check the other arguments.
974 if (stateNonZeroSize) {
975 state = stateNonZeroSize;
976 // If we know the two buffers are the same, we know the result is 0.
977 // First, get the two buffers' addresses. Another checker will have already
978 // made sure they're not undefined.
979 DefinedOrUnknownSVal LV = cast<DefinedOrUnknownSVal>(state->getSVal(Left));
980 DefinedOrUnknownSVal RV = cast<DefinedOrUnknownSVal>(state->getSVal(Right));
982 // See if they are the same.
983 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
984 const GRState *StSameBuf, *StNotSameBuf;
985 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
987 // If the two arguments might be the same buffer, we know the result is 0,
988 // and we only need to check one size.
991 state = CheckBufferAccess(C, state, Size, Left);
993 state = StSameBuf->BindExpr(CE, svalBuilder.makeZeroVal(CE->getType()));
994 C.addTransition(state);
998 // If the two arguments might be different buffers, we have to check the
999 // size of both of them.
1001 state = StNotSameBuf;
1002 state = CheckBufferAccess(C, state, Size, Left, Right);
1004 // The return value is the comparison result, which we don't know.
1005 unsigned Count = C.getNodeBuilder().getCurrentBlockCount();
1006 SVal CmpV = svalBuilder.getConjuredSymbolVal(NULL, CE, Count);
1007 state = state->BindExpr(CE, CmpV);
1008 C.addTransition(state);
1014 void CStringChecker::evalstrLength(CheckerContext &C,
1015 const CallExpr *CE) const {
1016 // size_t strlen(const char *s);
1017 evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1020 void CStringChecker::evalstrnLength(CheckerContext &C,
1021 const CallExpr *CE) const {
1022 // size_t strnlen(const char *s, size_t maxlen);
1023 evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1026 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1027 bool IsStrnlen) const {
1028 CurrentFunctionDescription = "string length function";
1029 const GRState *state = C.getState();
1032 const Expr *maxlenExpr = CE->getArg(1);
1033 SVal maxlenVal = state->getSVal(maxlenExpr);
1035 const GRState *stateZeroSize, *stateNonZeroSize;
1036 llvm::tie(stateZeroSize, stateNonZeroSize) =
1037 assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1039 // If the size can be zero, the result will be 0 in that case, and we don't
1040 // have to check the string itself.
1041 if (stateZeroSize) {
1042 SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1043 stateZeroSize = stateZeroSize->BindExpr(CE, zero);
1044 C.addTransition(stateZeroSize);
1047 // If the size is GUARANTEED to be zero, we're done!
1048 if (!stateNonZeroSize)
1051 // Otherwise, record the assumption that the size is nonzero.
1052 state = stateNonZeroSize;
1055 // Check that the string argument is non-null.
1056 const Expr *Arg = CE->getArg(0);
1057 SVal ArgVal = state->getSVal(Arg);
1059 state = checkNonNull(C, state, Arg, ArgVal);
1064 SVal strLength = getCStringLength(C, state, Arg, ArgVal);
1066 // If the argument isn't a valid C string, there's no valid state to
1068 if (strLength.isUndef())
1071 DefinedOrUnknownSVal result = UnknownVal();
1073 // If the check is for strnlen() then bind the return value to no more than
1074 // the maxlen value.
1076 QualType cmpTy = C.getSValBuilder().getConditionType();
1078 // It's a little unfortunate to be getting this again,
1079 // but it's not that expensive...
1080 const Expr *maxlenExpr = CE->getArg(1);
1081 SVal maxlenVal = state->getSVal(maxlenExpr);
1083 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength);
1084 NonLoc *maxlenValNL = dyn_cast<NonLoc>(&maxlenVal);
1086 if (strLengthNL && maxlenValNL) {
1087 const GRState *stateStringTooLong, *stateStringNotTooLong;
1089 // Check if the strLength is greater than the maxlen.
1090 llvm::tie(stateStringTooLong, stateStringNotTooLong) =
1091 state->assume(cast<DefinedOrUnknownSVal>
1092 (C.getSValBuilder().evalBinOpNN(state, BO_GT,
1097 if (stateStringTooLong && !stateStringNotTooLong) {
1098 // If the string is longer than maxlen, return maxlen.
1099 result = *maxlenValNL;
1100 } else if (stateStringNotTooLong && !stateStringTooLong) {
1101 // If the string is shorter than maxlen, return its length.
1102 result = *strLengthNL;
1106 if (result.isUnknown()) {
1107 // If we don't have enough information for a comparison, there's
1108 // no guarantee the full string length will actually be returned.
1109 // All we know is the return value is the min of the string length
1110 // and the limit. This is better than nothing.
1111 unsigned Count = C.getNodeBuilder().getCurrentBlockCount();
1112 result = C.getSValBuilder().getConjuredSymbolVal(NULL, CE, Count);
1113 NonLoc *resultNL = cast<NonLoc>(&result);
1116 state = state->assume(cast<DefinedOrUnknownSVal>
1117 (C.getSValBuilder().evalBinOpNN(state, BO_LE,
1124 state = state->assume(cast<DefinedOrUnknownSVal>
1125 (C.getSValBuilder().evalBinOpNN(state, BO_LE,
1133 // This is a plain strlen(), not strnlen().
1134 result = cast<DefinedOrUnknownSVal>(strLength);
1136 // If we don't know the length of the string, conjure a return
1137 // value, so it can be used in constraints, at least.
1138 if (result.isUnknown()) {
1139 unsigned Count = C.getNodeBuilder().getCurrentBlockCount();
1140 result = C.getSValBuilder().getConjuredSymbolVal(NULL, CE, Count);
1144 // Bind the return value.
1145 assert(!result.isUnknown() && "Should have conjured a value by now");
1146 state = state->BindExpr(CE, result);
1147 C.addTransition(state);
1150 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1151 // char *strcpy(char *restrict dst, const char *restrict src);
1152 evalStrcpyCommon(C, CE,
1153 /* returnEnd = */ false,
1154 /* isBounded = */ false,
1155 /* isAppending = */ false);
1158 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1159 // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1160 evalStrcpyCommon(C, CE,
1161 /* returnEnd = */ false,
1162 /* isBounded = */ true,
1163 /* isAppending = */ false);
1166 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1167 // char *stpcpy(char *restrict dst, const char *restrict src);
1168 evalStrcpyCommon(C, CE,
1169 /* returnEnd = */ true,
1170 /* isBounded = */ false,
1171 /* isAppending = */ false);
1174 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1175 //char *strcat(char *restrict s1, const char *restrict s2);
1176 evalStrcpyCommon(C, CE,
1177 /* returnEnd = */ false,
1178 /* isBounded = */ false,
1179 /* isAppending = */ true);
1182 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1183 //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1184 evalStrcpyCommon(C, CE,
1185 /* returnEnd = */ false,
1186 /* isBounded = */ true,
1187 /* isAppending = */ true);
1190 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1191 bool returnEnd, bool isBounded,
1192 bool isAppending) const {
1193 CurrentFunctionDescription = "string copy function";
1194 const GRState *state = C.getState();
1196 // Check that the destination is non-null.
1197 const Expr *Dst = CE->getArg(0);
1198 SVal DstVal = state->getSVal(Dst);
1200 state = checkNonNull(C, state, Dst, DstVal);
1204 // Check that the source is non-null.
1205 const Expr *srcExpr = CE->getArg(1);
1206 SVal srcVal = state->getSVal(srcExpr);
1207 state = checkNonNull(C, state, srcExpr, srcVal);
1211 // Get the string length of the source.
1212 SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
1214 // If the source isn't a valid C string, give up.
1215 if (strLength.isUndef())
1218 SValBuilder &svalBuilder = C.getSValBuilder();
1219 QualType cmpTy = svalBuilder.getConditionType();
1220 QualType sizeTy = svalBuilder.getContext().getSizeType();
1222 // These two values allow checking two kinds of errors:
1223 // - actual overflows caused by a source that doesn't fit in the destination
1224 // - potential overflows caused by a bound that could exceed the destination
1225 SVal amountCopied = UnknownVal();
1226 SVal maxLastElementIndex = UnknownVal();
1227 const char *boundWarning = NULL;
1229 // If the function is strncpy, strncat, etc... it is bounded.
1231 // Get the max number of characters to copy.
1232 const Expr *lenExpr = CE->getArg(2);
1233 SVal lenVal = state->getSVal(lenExpr);
1235 // Protect against misdeclared strncpy().
1236 lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
1238 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength);
1239 NonLoc *lenValNL = dyn_cast<NonLoc>(&lenVal);
1241 // If we know both values, we might be able to figure out how much
1243 if (strLengthNL && lenValNL) {
1244 const GRState *stateSourceTooLong, *stateSourceNotTooLong;
1246 // Check if the max number to copy is less than the length of the src.
1247 // If the bound is equal to the source length, strncpy won't null-
1248 // terminate the result!
1249 llvm::tie(stateSourceTooLong, stateSourceNotTooLong) =
1250 state->assume(cast<DefinedOrUnknownSVal>
1251 (svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL,
1252 *lenValNL, cmpTy)));
1254 if (stateSourceTooLong && !stateSourceNotTooLong) {
1255 // Max number to copy is less than the length of the src, so the actual
1256 // strLength copied is the max number arg.
1257 state = stateSourceTooLong;
1258 amountCopied = lenVal;
1260 } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1261 // The source buffer entirely fits in the bound.
1262 state = stateSourceNotTooLong;
1263 amountCopied = strLength;
1267 // We still want to know if the bound is known to be too large.
1270 // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1272 // Get the string length of the destination. If the destination is
1273 // memory that can't have a string length, we shouldn't be copying
1275 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1276 if (dstStrLength.isUndef())
1279 if (NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength)) {
1280 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add,
1284 boundWarning = "Size argument is greater than the free space in the "
1285 "destination buffer";
1289 // For strncpy, this is just checking that lenVal <= sizeof(dst)
1290 // (Yes, strncpy and strncat differ in how they treat termination.
1291 // strncat ALWAYS terminates, but strncpy doesn't.)
1292 NonLoc one = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy));
1293 maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1295 boundWarning = "Size argument is greater than the length of the "
1296 "destination buffer";
1300 // If we couldn't pin down the copy length, at least bound it.
1301 // FIXME: We should actually run this code path for append as well, but
1302 // right now it creates problems with constraints (since we can end up
1303 // trying to pass constraints from symbol to symbol).
1304 if (amountCopied.isUnknown() && !isAppending) {
1305 // Try to get a "hypothetical" string length symbol, which we can later
1306 // set as a real value if that turns out to be the case.
1307 amountCopied = getCStringLength(C, state, lenExpr, srcVal, true);
1308 assert(!amountCopied.isUndef());
1310 if (NonLoc *amountCopiedNL = dyn_cast<NonLoc>(&amountCopied)) {
1312 // amountCopied <= lenVal
1313 SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE,
1317 state = state->assume(cast<DefinedOrUnknownSVal>(copiedLessThanBound),
1324 // amountCopied <= strlen(source)
1325 SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE,
1329 state = state->assume(cast<DefinedOrUnknownSVal>(copiedLessThanSrc),
1338 // The function isn't bounded. The amount copied should match the length
1339 // of the source buffer.
1340 amountCopied = strLength;
1345 // This represents the number of characters copied into the destination
1346 // buffer. (It may not actually be the strlen if the destination buffer
1347 // is not terminated.)
1348 SVal finalStrLength = UnknownVal();
1350 // If this is an appending function (strcat, strncat...) then set the
1351 // string length to strlen(src) + strlen(dst) since the buffer will
1352 // ultimately contain both.
1354 // Get the string length of the destination. If the destination is memory
1355 // that can't have a string length, we shouldn't be copying into it anyway.
1356 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1357 if (dstStrLength.isUndef())
1360 NonLoc *srcStrLengthNL = dyn_cast<NonLoc>(&amountCopied);
1361 NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength);
1363 // If we know both string lengths, we might know the final string length.
1364 if (srcStrLengthNL && dstStrLengthNL) {
1365 // Make sure the two lengths together don't overflow a size_t.
1366 state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL);
1370 finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL,
1371 *dstStrLengthNL, sizeTy);
1374 // If we couldn't get a single value for the final string length,
1375 // we can at least bound it by the individual lengths.
1376 if (finalStrLength.isUnknown()) {
1377 // Try to get a "hypothetical" string length symbol, which we can later
1378 // set as a real value if that turns out to be the case.
1379 finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1380 assert(!finalStrLength.isUndef());
1382 if (NonLoc *finalStrLengthNL = dyn_cast<NonLoc>(&finalStrLength)) {
1383 if (srcStrLengthNL) {
1384 // finalStrLength >= srcStrLength
1385 SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1389 state = state->assume(cast<DefinedOrUnknownSVal>(sourceInResult),
1395 if (dstStrLengthNL) {
1396 // finalStrLength >= dstStrLength
1397 SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1401 state = state->assume(cast<DefinedOrUnknownSVal>(destInResult),
1410 // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1411 // the final string length will match the input string length.
1412 finalStrLength = amountCopied;
1415 // The final result of the function will either be a pointer past the last
1416 // copied element, or a pointer to the start of the destination buffer.
1417 SVal Result = (returnEnd ? UnknownVal() : DstVal);
1421 // If the destination is a MemRegion, try to check for a buffer overflow and
1422 // record the new string length.
1423 if (loc::MemRegionVal *dstRegVal = dyn_cast<loc::MemRegionVal>(&DstVal)) {
1424 QualType ptrTy = Dst->getType();
1426 // If we have an exact value on a bounded copy, use that to check for
1427 // overflows, rather than our estimate about how much is actually copied.
1429 if (NonLoc *maxLastNL = dyn_cast<NonLoc>(&maxLastElementIndex)) {
1430 SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1432 state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
1439 // Then, if the final length is known...
1440 if (NonLoc *knownStrLength = dyn_cast<NonLoc>(&finalStrLength)) {
1441 SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1442 *knownStrLength, ptrTy);
1444 // ...and we haven't checked the bound, we'll check the actual copy.
1445 if (!boundWarning) {
1446 const char * const warningMsg =
1447 "String copy function overflows destination buffer";
1448 state = CheckLocation(C, state, Dst, lastElement, warningMsg);
1453 // If this is a stpcpy-style copy, the last element is the return value.
1455 Result = lastElement;
1458 // Invalidate the destination. This must happen before we set the C string
1459 // length because invalidation will clear the length.
1460 // FIXME: Even if we can't perfectly model the copy, we should see if we
1461 // can use LazyCompoundVals to copy the source values into the destination.
1462 // This would probably remove any existing bindings past the end of the
1463 // string, but that's still an improvement over blank invalidation.
1464 state = InvalidateBuffer(C, state, Dst, *dstRegVal);
1466 // Set the C string length of the destination, if we know it.
1467 if (isBounded && !isAppending) {
1468 // strncpy is annoying in that it doesn't guarantee to null-terminate
1469 // the result string. If the original string didn't fit entirely inside
1470 // the bound (including the null-terminator), we don't know how long the
1472 if (amountCopied != strLength)
1473 finalStrLength = UnknownVal();
1475 state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1480 // If this is a stpcpy-style copy, but we were unable to check for a buffer
1481 // overflow, we still need a result. Conjure a return value.
1482 if (returnEnd && Result.isUnknown()) {
1483 unsigned Count = C.getNodeBuilder().getCurrentBlockCount();
1484 Result = svalBuilder.getConjuredSymbolVal(NULL, CE, Count);
1487 // Set the return value.
1488 state = state->BindExpr(CE, Result);
1489 C.addTransition(state);
1492 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1493 //int strcmp(const char *s1, const char *s2);
1494 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false);
1497 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1498 //int strncmp(const char *s1, const char *s2, size_t n);
1499 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false);
1502 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1503 const CallExpr *CE) const {
1504 //int strcasecmp(const char *s1, const char *s2);
1505 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true);
1508 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1509 const CallExpr *CE) const {
1510 //int strncasecmp(const char *s1, const char *s2, size_t n);
1511 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true);
1514 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1515 bool isBounded, bool ignoreCase) const {
1516 CurrentFunctionDescription = "string comparison function";
1517 const GRState *state = C.getState();
1519 // Check that the first string is non-null
1520 const Expr *s1 = CE->getArg(0);
1521 SVal s1Val = state->getSVal(s1);
1522 state = checkNonNull(C, state, s1, s1Val);
1526 // Check that the second string is non-null.
1527 const Expr *s2 = CE->getArg(1);
1528 SVal s2Val = state->getSVal(s2);
1529 state = checkNonNull(C, state, s2, s2Val);
1533 // Get the string length of the first string or give up.
1534 SVal s1Length = getCStringLength(C, state, s1, s1Val);
1535 if (s1Length.isUndef())
1538 // Get the string length of the second string or give up.
1539 SVal s2Length = getCStringLength(C, state, s2, s2Val);
1540 if (s2Length.isUndef())
1543 // If we know the two buffers are the same, we know the result is 0.
1544 // First, get the two buffers' addresses. Another checker will have already
1545 // made sure they're not undefined.
1546 DefinedOrUnknownSVal LV = cast<DefinedOrUnknownSVal>(s1Val);
1547 DefinedOrUnknownSVal RV = cast<DefinedOrUnknownSVal>(s2Val);
1549 // See if they are the same.
1550 SValBuilder &svalBuilder = C.getSValBuilder();
1551 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1552 const GRState *StSameBuf, *StNotSameBuf;
1553 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1555 // If the two arguments might be the same buffer, we know the result is 0,
1556 // and we only need to check one size.
1558 StSameBuf = StSameBuf->BindExpr(CE, svalBuilder.makeZeroVal(CE->getType()));
1559 C.addTransition(StSameBuf);
1561 // If the two arguments are GUARANTEED to be the same, we're done!
1566 assert(StNotSameBuf);
1567 state = StNotSameBuf;
1569 // At this point we can go about comparing the two buffers.
1570 // For now, we only do this if they're both known string literals.
1572 // Attempt to extract string literals from both expressions.
1573 const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val);
1574 const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val);
1575 bool canComputeResult = false;
1577 if (s1StrLiteral && s2StrLiteral) {
1578 llvm::StringRef s1StrRef = s1StrLiteral->getString();
1579 llvm::StringRef s2StrRef = s2StrLiteral->getString();
1582 // Get the max number of characters to compare.
1583 const Expr *lenExpr = CE->getArg(2);
1584 SVal lenVal = state->getSVal(lenExpr);
1586 // If the length is known, we can get the right substrings.
1587 if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
1588 // Create substrings of each to compare the prefix.
1589 s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
1590 s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue());
1591 canComputeResult = true;
1594 // This is a normal, unbounded strcmp.
1595 canComputeResult = true;
1598 if (canComputeResult) {
1599 // Real strcmp stops at null characters.
1600 size_t s1Term = s1StrRef.find('\0');
1601 if (s1Term != llvm::StringRef::npos)
1602 s1StrRef = s1StrRef.substr(0, s1Term);
1604 size_t s2Term = s2StrRef.find('\0');
1605 if (s2Term != llvm::StringRef::npos)
1606 s2StrRef = s2StrRef.substr(0, s2Term);
1608 // Use StringRef's comparison methods to compute the actual result.
1612 // Compare string 1 to string 2 the same way strcasecmp() does.
1613 result = s1StrRef.compare_lower(s2StrRef);
1615 // Compare string 1 to string 2 the same way strcmp() does.
1616 result = s1StrRef.compare(s2StrRef);
1619 // Build the SVal of the comparison and bind the return value.
1620 SVal resultVal = svalBuilder.makeIntVal(result, CE->getType());
1621 state = state->BindExpr(CE, resultVal);
1625 if (!canComputeResult) {
1626 // Conjure a symbolic value. It's the best we can do.
1627 unsigned Count = C.getNodeBuilder().getCurrentBlockCount();
1628 SVal resultVal = svalBuilder.getConjuredSymbolVal(NULL, CE, Count);
1629 state = state->BindExpr(CE, resultVal);
1632 // Record this as a possible path.
1633 C.addTransition(state);
1636 //===----------------------------------------------------------------------===//
1637 // The driver method, and other Checker callbacks.
1638 //===----------------------------------------------------------------------===//
1640 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
1641 // Get the callee. All the functions we care about are C functions
1642 // with simple identifiers.
1643 const GRState *state = C.getState();
1644 const Expr *Callee = CE->getCallee();
1645 const FunctionDecl *FD = state->getSVal(Callee).getAsFunctionDecl();
1650 // Get the name of the callee. If it's a builtin, strip off the prefix.
1651 IdentifierInfo *II = FD->getIdentifier();
1652 if (!II) // if no identifier, not a simple C function
1654 llvm::StringRef Name = II->getName();
1655 if (Name.startswith("__builtin_"))
1656 Name = Name.substr(10);
1658 FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name)
1659 .Cases("memcpy", "__memcpy_chk", &CStringChecker::evalMemcpy)
1660 .Cases("mempcpy", "__mempcpy_chk", &CStringChecker::evalMempcpy)
1661 .Cases("memcmp", "bcmp", &CStringChecker::evalMemcmp)
1662 .Cases("memmove", "__memmove_chk", &CStringChecker::evalMemmove)
1663 .Cases("strcpy", "__strcpy_chk", &CStringChecker::evalStrcpy)
1664 .Cases("strncpy", "__strncpy_chk", &CStringChecker::evalStrncpy)
1665 .Cases("stpcpy", "__stpcpy_chk", &CStringChecker::evalStpcpy)
1666 .Cases("strcat", "__strcat_chk", &CStringChecker::evalStrcat)
1667 .Cases("strncat", "__strncat_chk", &CStringChecker::evalStrncat)
1668 .Case("strlen", &CStringChecker::evalstrLength)
1669 .Case("strnlen", &CStringChecker::evalstrnLength)
1670 .Case("strcmp", &CStringChecker::evalStrcmp)
1671 .Case("strncmp", &CStringChecker::evalStrncmp)
1672 .Case("strcasecmp", &CStringChecker::evalStrcasecmp)
1673 .Case("strncasecmp", &CStringChecker::evalStrncasecmp)
1674 .Case("bcopy", &CStringChecker::evalBcopy)
1677 // If the callee isn't a string function, let another checker handle it.
1681 // Make sure each function sets its own description.
1682 // (But don't bother in a release build.)
1683 assert(!(CurrentFunctionDescription = NULL));
1685 // Check and evaluate the call.
1686 (this->*evalFunction)(C, CE);
1690 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
1691 // Record string length for char a[] = "abc";
1692 const GRState *state = C.getState();
1694 for (DeclStmt::const_decl_iterator I = DS->decl_begin(), E = DS->decl_end();
1696 const VarDecl *D = dyn_cast<VarDecl>(*I);
1700 // FIXME: Handle array fields of structs.
1701 if (!D->getType()->isArrayType())
1704 const Expr *Init = D->getInit();
1707 if (!isa<StringLiteral>(Init))
1710 Loc VarLoc = state->getLValue(D, C.getPredecessor()->getLocationContext());
1711 const MemRegion *MR = VarLoc.getAsRegion();
1715 SVal StrVal = state->getSVal(Init);
1716 assert(StrVal.isValid() && "Initializer string is unknown or undefined");
1717 DefinedOrUnknownSVal strLength
1718 = cast<DefinedOrUnknownSVal>(getCStringLength(C, state, Init, StrVal));
1720 state = state->set<CStringLength>(MR, strLength);
1723 C.addTransition(state);
1726 bool CStringChecker::wantsRegionChangeUpdate(const GRState *state) const {
1727 CStringLength::EntryMap Entries = state->get<CStringLength>();
1728 return !Entries.isEmpty();
1732 CStringChecker::checkRegionChanges(const GRState *state,
1733 const StoreManager::InvalidatedSymbols *,
1734 const MemRegion * const *Begin,
1735 const MemRegion * const *End) const {
1736 CStringLength::EntryMap Entries = state->get<CStringLength>();
1737 if (Entries.isEmpty())
1740 llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
1741 llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
1743 // First build sets for the changed regions and their super-regions.
1744 for ( ; Begin != End; ++Begin) {
1745 const MemRegion *MR = *Begin;
1746 Invalidated.insert(MR);
1748 SuperRegions.insert(MR);
1749 while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
1750 MR = SR->getSuperRegion();
1751 SuperRegions.insert(MR);
1755 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>();
1757 // Then loop over the entries in the current state.
1758 for (CStringLength::EntryMap::iterator I = Entries.begin(),
1759 E = Entries.end(); I != E; ++I) {
1760 const MemRegion *MR = I.getKey();
1762 // Is this entry for a super-region of a changed region?
1763 if (SuperRegions.count(MR)) {
1764 Entries = F.remove(Entries, MR);
1768 // Is this entry for a sub-region of a changed region?
1769 const MemRegion *Super = MR;
1770 while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
1771 Super = SR->getSuperRegion();
1772 if (Invalidated.count(Super)) {
1773 Entries = F.remove(Entries, MR);
1779 return state->set<CStringLength>(Entries);
1782 void CStringChecker::checkLiveSymbols(const GRState *state,
1783 SymbolReaper &SR) const {
1784 // Mark all symbols in our string length map as valid.
1785 CStringLength::EntryMap Entries = state->get<CStringLength>();
1787 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end();
1789 SVal Len = I.getData();
1791 for (SVal::symbol_iterator si = Len.symbol_begin(), se = Len.symbol_end();
1797 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
1798 CheckerContext &C) const {
1799 if (!SR.hasDeadSymbols())
1802 const GRState *state = C.getState();
1803 CStringLength::EntryMap Entries = state->get<CStringLength>();
1804 if (Entries.isEmpty())
1807 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>();
1808 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end();
1810 SVal Len = I.getData();
1811 if (SymbolRef Sym = Len.getAsSymbol()) {
1813 Entries = F.remove(Entries, I.getKey());
1817 state = state->set<CStringLength>(Entries);
1818 C.generateNode(state);
1821 void ento::registerCStringChecker(CheckerManager &mgr) {
1822 mgr.registerChecker<CStringChecker>();