clang  3.9.0
CStringChecker.cpp
Go to the documentation of this file.
1 //= CStringChecker.cpp - Checks calls to C string functions --------*- C++ -*-//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines CStringChecker, which is an assortment of checks on calls
11 // to functions in <string.h>.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "InterCheckerAPI.h"
17 #include "clang/Basic/CharInfo.h"
23 #include "llvm/ADT/STLExtras.h"
24 #include "llvm/ADT/SmallString.h"
25 #include "llvm/ADT/StringSwitch.h"
26 #include "llvm/Support/raw_ostream.h"
27 
28 using namespace clang;
29 using namespace ento;
30 
31 namespace {
32 class CStringChecker : public Checker< eval::Call,
33  check::PreStmt<DeclStmt>,
34  check::LiveSymbols,
35  check::DeadSymbols,
36  check::RegionChanges
37  > {
38  mutable std::unique_ptr<BugType> BT_Null, BT_Bounds, BT_Overlap,
39  BT_NotCString, BT_AdditionOverflow;
40 
41  mutable const char *CurrentFunctionDescription;
42 
43 public:
44  /// The filter is used to filter out the diagnostics which are not enabled by
45  /// the user.
46  struct CStringChecksFilter {
47  DefaultBool CheckCStringNullArg;
48  DefaultBool CheckCStringOutOfBounds;
49  DefaultBool CheckCStringBufferOverlap;
50  DefaultBool CheckCStringNotNullTerm;
51 
52  CheckName CheckNameCStringNullArg;
53  CheckName CheckNameCStringOutOfBounds;
54  CheckName CheckNameCStringBufferOverlap;
55  CheckName CheckNameCStringNotNullTerm;
56  };
57 
58  CStringChecksFilter Filter;
59 
60  static void *getTag() { static int tag; return &tag; }
61 
62  bool evalCall(const CallExpr *CE, CheckerContext &C) const;
63  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
64  void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const;
65  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
66  bool wantsRegionChangeUpdate(ProgramStateRef state) const;
67 
69  checkRegionChanges(ProgramStateRef state,
70  const InvalidatedSymbols *,
71  ArrayRef<const MemRegion *> ExplicitRegions,
73  const CallEvent *Call) const;
74 
75  typedef void (CStringChecker::*FnCheck)(CheckerContext &,
76  const CallExpr *) const;
77 
78  void evalMemcpy(CheckerContext &C, const CallExpr *CE) const;
79  void evalMempcpy(CheckerContext &C, const CallExpr *CE) const;
80  void evalMemmove(CheckerContext &C, const CallExpr *CE) const;
81  void evalBcopy(CheckerContext &C, const CallExpr *CE) const;
82  void evalCopyCommon(CheckerContext &C, const CallExpr *CE,
84  const Expr *Size,
85  const Expr *Source,
86  const Expr *Dest,
87  bool Restricted = false,
88  bool IsMempcpy = false) const;
89 
90  void evalMemcmp(CheckerContext &C, const CallExpr *CE) const;
91 
92  void evalstrLength(CheckerContext &C, const CallExpr *CE) const;
93  void evalstrnLength(CheckerContext &C, const CallExpr *CE) const;
94  void evalstrLengthCommon(CheckerContext &C,
95  const CallExpr *CE,
96  bool IsStrnlen = false) const;
97 
98  void evalStrcpy(CheckerContext &C, const CallExpr *CE) const;
99  void evalStrncpy(CheckerContext &C, const CallExpr *CE) const;
100  void evalStpcpy(CheckerContext &C, const CallExpr *CE) const;
101  void evalStrcpyCommon(CheckerContext &C,
102  const CallExpr *CE,
103  bool returnEnd,
104  bool isBounded,
105  bool isAppending) const;
106 
107  void evalStrcat(CheckerContext &C, const CallExpr *CE) const;
108  void evalStrncat(CheckerContext &C, const CallExpr *CE) const;
109 
110  void evalStrcmp(CheckerContext &C, const CallExpr *CE) const;
111  void evalStrncmp(CheckerContext &C, const CallExpr *CE) const;
112  void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const;
113  void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const;
114  void evalStrcmpCommon(CheckerContext &C,
115  const CallExpr *CE,
116  bool isBounded = false,
117  bool ignoreCase = false) const;
118 
119  void evalStrsep(CheckerContext &C, const CallExpr *CE) const;
120 
121  void evalStdCopy(CheckerContext &C, const CallExpr *CE) const;
122  void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const;
123  void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const;
124 
125  // Utility methods
126  std::pair<ProgramStateRef , ProgramStateRef >
127  static assumeZero(CheckerContext &C,
129 
130  static ProgramStateRef setCStringLength(ProgramStateRef state,
131  const MemRegion *MR,
132  SVal strLength);
133  static SVal getCStringLengthForRegion(CheckerContext &C,
135  const Expr *Ex,
136  const MemRegion *MR,
137  bool hypothetical);
138  SVal getCStringLength(CheckerContext &C,
140  const Expr *Ex,
141  SVal Buf,
142  bool hypothetical = false) const;
143 
144  const StringLiteral *getCStringLiteral(CheckerContext &C,
146  const Expr *expr,
147  SVal val) const;
148 
149  static ProgramStateRef InvalidateBuffer(CheckerContext &C,
151  const Expr *Ex, SVal V,
152  bool IsSourceBuffer,
153  const Expr *Size);
154 
155  static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
156  const MemRegion *MR);
157 
158  // Re-usable checks
159  ProgramStateRef checkNonNull(CheckerContext &C,
161  const Expr *S,
162  SVal l) const;
163  ProgramStateRef CheckLocation(CheckerContext &C,
165  const Expr *S,
166  SVal l,
167  const char *message = nullptr) const;
168  ProgramStateRef CheckBufferAccess(CheckerContext &C,
170  const Expr *Size,
171  const Expr *FirstBuf,
172  const Expr *SecondBuf,
173  const char *firstMessage = nullptr,
174  const char *secondMessage = nullptr,
175  bool WarnAboutSize = false) const;
176 
177  ProgramStateRef CheckBufferAccess(CheckerContext &C,
179  const Expr *Size,
180  const Expr *Buf,
181  const char *message = nullptr,
182  bool WarnAboutSize = false) const {
183  // This is a convenience override.
184  return CheckBufferAccess(C, state, Size, Buf, nullptr, message, nullptr,
185  WarnAboutSize);
186  }
187  ProgramStateRef CheckOverlap(CheckerContext &C,
189  const Expr *Size,
190  const Expr *First,
191  const Expr *Second) const;
192  void emitOverlapBug(CheckerContext &C,
194  const Stmt *First,
195  const Stmt *Second) const;
196 
197  ProgramStateRef checkAdditionOverflow(CheckerContext &C,
199  NonLoc left,
200  NonLoc right) const;
201 
202  // Return true if the destination buffer of the copy function may be in bound.
203  // Expects SVal of Size to be positive and unsigned.
204  // Expects SVal of FirstBuf to be a FieldRegion.
205  static bool IsFirstBufInBound(CheckerContext &C,
207  const Expr *FirstBuf,
208  const Expr *Size);
209 };
210 
211 } //end anonymous namespace
212 
213 REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal)
214 
215 //===----------------------------------------------------------------------===//
216 // Individual checks and utility methods.
217 //===----------------------------------------------------------------------===//
218 
219 std::pair<ProgramStateRef , ProgramStateRef >
220 CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V,
221  QualType Ty) {
222  Optional<DefinedSVal> val = V.getAs<DefinedSVal>();
223  if (!val)
224  return std::pair<ProgramStateRef , ProgramStateRef >(state, state);
225 
226  SValBuilder &svalBuilder = C.getSValBuilder();
227  DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty);
228  return state->assume(svalBuilder.evalEQ(state, *val, zero));
229 }
230 
231 ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
232  ProgramStateRef state,
233  const Expr *S, SVal l) const {
234  // If a previous check has failed, propagate the failure.
235  if (!state)
236  return nullptr;
237 
238  ProgramStateRef stateNull, stateNonNull;
239  std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
240 
241  if (stateNull && !stateNonNull) {
242  if (!Filter.CheckCStringNullArg)
243  return nullptr;
244 
245  ExplodedNode *N = C.generateErrorNode(stateNull);
246  if (!N)
247  return nullptr;
248 
249  if (!BT_Null)
250  BT_Null.reset(new BuiltinBug(
251  Filter.CheckNameCStringNullArg, categories::UnixAPI,
252  "Null pointer argument in call to byte string function"));
253 
254  SmallString<80> buf;
255  llvm::raw_svector_ostream os(buf);
256  assert(CurrentFunctionDescription);
257  os << "Null pointer argument in call to " << CurrentFunctionDescription;
258 
259  // Generate a report for this bug.
260  BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get());
261  auto report = llvm::make_unique<BugReport>(*BT, os.str(), N);
262 
263  report->addRange(S->getSourceRange());
264  bugreporter::trackNullOrUndefValue(N, S, *report);
265  C.emitReport(std::move(report));
266  return nullptr;
267  }
268 
269  // From here on, assume that the value is non-null.
270  assert(stateNonNull);
271  return stateNonNull;
272 }
273 
274 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor?
275 ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
276  ProgramStateRef state,
277  const Expr *S, SVal l,
278  const char *warningMsg) const {
279  // If a previous check has failed, propagate the failure.
280  if (!state)
281  return nullptr;
282 
283  // Check for out of bound array element access.
284  const MemRegion *R = l.getAsRegion();
285  if (!R)
286  return state;
287 
288  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
289  if (!ER)
290  return state;
291 
292  assert(ER->getValueType() == C.getASTContext().CharTy &&
293  "CheckLocation should only be called with char* ElementRegions");
294 
295  // Get the size of the array.
296  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
297  SValBuilder &svalBuilder = C.getSValBuilder();
298  SVal Extent =
299  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
301 
302  // Get the index of the accessed element.
304 
305  ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
306  ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
307  if (StOutBound && !StInBound) {
308  ExplodedNode *N = C.generateErrorNode(StOutBound);
309  if (!N)
310  return nullptr;
311 
312  if (!BT_Bounds) {
313  BT_Bounds.reset(new BuiltinBug(
314  Filter.CheckNameCStringOutOfBounds, "Out-of-bound array access",
315  "Byte string function accesses out-of-bound array element"));
316  }
317  BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get());
318 
319  // Generate a report for this bug.
320  std::unique_ptr<BugReport> report;
321  if (warningMsg) {
322  report = llvm::make_unique<BugReport>(*BT, warningMsg, N);
323  } else {
324  assert(CurrentFunctionDescription);
325  assert(CurrentFunctionDescription[0] != '\0');
326 
327  SmallString<80> buf;
328  llvm::raw_svector_ostream os(buf);
329  os << toUppercase(CurrentFunctionDescription[0])
330  << &CurrentFunctionDescription[1]
331  << " accesses out-of-bound array element";
332  report = llvm::make_unique<BugReport>(*BT, os.str(), N);
333  }
334 
335  // FIXME: It would be nice to eventually make this diagnostic more clear,
336  // e.g., by referencing the original declaration or by saying *why* this
337  // reference is outside the range.
338 
339  report->addRange(S->getSourceRange());
340  C.emitReport(std::move(report));
341  return nullptr;
342  }
343 
344  // Array bound check succeeded. From this point forward the array bound
345  // should always succeed.
346  return StInBound;
347 }
348 
349 ProgramStateRef CStringChecker::CheckBufferAccess(CheckerContext &C,
350  ProgramStateRef state,
351  const Expr *Size,
352  const Expr *FirstBuf,
353  const Expr *SecondBuf,
354  const char *firstMessage,
355  const char *secondMessage,
356  bool WarnAboutSize) const {
357  // If a previous check has failed, propagate the failure.
358  if (!state)
359  return nullptr;
360 
361  SValBuilder &svalBuilder = C.getSValBuilder();
362  ASTContext &Ctx = svalBuilder.getContext();
363  const LocationContext *LCtx = C.getLocationContext();
364 
365  QualType sizeTy = Size->getType();
366  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
367 
368  // Check that the first buffer is non-null.
369  SVal BufVal = state->getSVal(FirstBuf, LCtx);
370  state = checkNonNull(C, state, FirstBuf, BufVal);
371  if (!state)
372  return nullptr;
373 
374  // If out-of-bounds checking is turned off, skip the rest.
375  if (!Filter.CheckCStringOutOfBounds)
376  return state;
377 
378  // Get the access length and make sure it is known.
379  // FIXME: This assumes the caller has already checked that the access length
380  // is positive. And that it's unsigned.
381  SVal LengthVal = state->getSVal(Size, LCtx);
382  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
383  if (!Length)
384  return state;
385 
386  // Compute the offset of the last element to be accessed: size-1.
387  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
388  NonLoc LastOffset = svalBuilder
389  .evalBinOpNN(state, BO_Sub, *Length, One, sizeTy).castAs<NonLoc>();
390 
391  // Check that the first buffer is sufficiently long.
392  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
393  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
394  const Expr *warningExpr = (WarnAboutSize ? Size : FirstBuf);
395 
396  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
397  LastOffset, PtrTy);
398  state = CheckLocation(C, state, warningExpr, BufEnd, firstMessage);
399 
400  // If the buffer isn't large enough, abort.
401  if (!state)
402  return nullptr;
403  }
404 
405  // If there's a second buffer, check it as well.
406  if (SecondBuf) {
407  BufVal = state->getSVal(SecondBuf, LCtx);
408  state = checkNonNull(C, state, SecondBuf, BufVal);
409  if (!state)
410  return nullptr;
411 
412  BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType());
413  if (Optional<Loc> BufLoc = BufStart.getAs<Loc>()) {
414  const Expr *warningExpr = (WarnAboutSize ? Size : SecondBuf);
415 
416  SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc,
417  LastOffset, PtrTy);
418  state = CheckLocation(C, state, warningExpr, BufEnd, secondMessage);
419  }
420  }
421 
422  // Large enough or not, return this state!
423  return state;
424 }
425 
426 ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
427  ProgramStateRef state,
428  const Expr *Size,
429  const Expr *First,
430  const Expr *Second) const {
431  if (!Filter.CheckCStringBufferOverlap)
432  return state;
433 
434  // Do a simple check for overlap: if the two arguments are from the same
435  // buffer, see if the end of the first is greater than the start of the second
436  // or vice versa.
437 
438  // If a previous check has failed, propagate the failure.
439  if (!state)
440  return nullptr;
441 
442  ProgramStateRef stateTrue, stateFalse;
443 
444  // Get the buffer values and make sure they're known locations.
445  const LocationContext *LCtx = C.getLocationContext();
446  SVal firstVal = state->getSVal(First, LCtx);
447  SVal secondVal = state->getSVal(Second, LCtx);
448 
449  Optional<Loc> firstLoc = firstVal.getAs<Loc>();
450  if (!firstLoc)
451  return state;
452 
453  Optional<Loc> secondLoc = secondVal.getAs<Loc>();
454  if (!secondLoc)
455  return state;
456 
457  // Are the two values the same?
458  SValBuilder &svalBuilder = C.getSValBuilder();
459  std::tie(stateTrue, stateFalse) =
460  state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc));
461 
462  if (stateTrue && !stateFalse) {
463  // If the values are known to be equal, that's automatically an overlap.
464  emitOverlapBug(C, stateTrue, First, Second);
465  return nullptr;
466  }
467 
468  // assume the two expressions are not equal.
469  assert(stateFalse);
470  state = stateFalse;
471 
472  // Which value comes first?
473  QualType cmpTy = svalBuilder.getConditionType();
474  SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT,
475  *firstLoc, *secondLoc, cmpTy);
476  Optional<DefinedOrUnknownSVal> reverseTest =
477  reverse.getAs<DefinedOrUnknownSVal>();
478  if (!reverseTest)
479  return state;
480 
481  std::tie(stateTrue, stateFalse) = state->assume(*reverseTest);
482  if (stateTrue) {
483  if (stateFalse) {
484  // If we don't know which one comes first, we can't perform this test.
485  return state;
486  } else {
487  // Switch the values so that firstVal is before secondVal.
488  std::swap(firstLoc, secondLoc);
489 
490  // Switch the Exprs as well, so that they still correspond.
491  std::swap(First, Second);
492  }
493  }
494 
495  // Get the length, and make sure it too is known.
496  SVal LengthVal = state->getSVal(Size, LCtx);
497  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
498  if (!Length)
499  return state;
500 
501  // Convert the first buffer's start address to char*.
502  // Bail out if the cast fails.
503  ASTContext &Ctx = svalBuilder.getContext();
504  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
505  SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy,
506  First->getType());
507  Optional<Loc> FirstStartLoc = FirstStart.getAs<Loc>();
508  if (!FirstStartLoc)
509  return state;
510 
511  // Compute the end of the first buffer. Bail out if THAT fails.
512  SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add,
513  *FirstStartLoc, *Length, CharPtrTy);
514  Optional<Loc> FirstEndLoc = FirstEnd.getAs<Loc>();
515  if (!FirstEndLoc)
516  return state;
517 
518  // Is the end of the first buffer past the start of the second buffer?
519  SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT,
520  *FirstEndLoc, *secondLoc, cmpTy);
521  Optional<DefinedOrUnknownSVal> OverlapTest =
522  Overlap.getAs<DefinedOrUnknownSVal>();
523  if (!OverlapTest)
524  return state;
525 
526  std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest);
527 
528  if (stateTrue && !stateFalse) {
529  // Overlap!
530  emitOverlapBug(C, stateTrue, First, Second);
531  return nullptr;
532  }
533 
534  // assume the two expressions don't overlap.
535  assert(stateFalse);
536  return stateFalse;
537 }
538 
539 void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
540  const Stmt *First, const Stmt *Second) const {
541  ExplodedNode *N = C.generateErrorNode(state);
542  if (!N)
543  return;
544 
545  if (!BT_Overlap)
546  BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
547  categories::UnixAPI, "Improper arguments"));
548 
549  // Generate a report for this bug.
550  auto report = llvm::make_unique<BugReport>(
551  *BT_Overlap, "Arguments must not be overlapping buffers", N);
552  report->addRange(First->getSourceRange());
553  report->addRange(Second->getSourceRange());
554 
555  C.emitReport(std::move(report));
556 }
557 
558 ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C,
559  ProgramStateRef state,
560  NonLoc left,
561  NonLoc right) const {
562  // If out-of-bounds checking is turned off, skip the rest.
563  if (!Filter.CheckCStringOutOfBounds)
564  return state;
565 
566  // If a previous check has failed, propagate the failure.
567  if (!state)
568  return nullptr;
569 
570  SValBuilder &svalBuilder = C.getSValBuilder();
571  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
572 
573  QualType sizeTy = svalBuilder.getContext().getSizeType();
574  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
575  NonLoc maxVal = svalBuilder.makeIntVal(maxValInt);
576 
577  SVal maxMinusRight;
578  if (right.getAs<nonloc::ConcreteInt>()) {
579  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right,
580  sizeTy);
581  } else {
582  // Try switching the operands. (The order of these two assignments is
583  // important!)
584  maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left,
585  sizeTy);
586  left = right;
587  }
588 
589  if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
590  QualType cmpTy = svalBuilder.getConditionType();
591  // If left > max - right, we have an overflow.
592  SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
593  *maxMinusRightNL, cmpTy);
594 
595  ProgramStateRef stateOverflow, stateOkay;
596  std::tie(stateOverflow, stateOkay) =
597  state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
598 
599  if (stateOverflow && !stateOkay) {
600  // We have an overflow. Emit a bug report.
601  ExplodedNode *N = C.generateErrorNode(stateOverflow);
602  if (!N)
603  return nullptr;
604 
605  if (!BT_AdditionOverflow)
606  BT_AdditionOverflow.reset(
607  new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
608  "Sum of expressions causes overflow"));
609 
610  // This isn't a great error message, but this should never occur in real
611  // code anyway -- you'd have to create a buffer longer than a size_t can
612  // represent, which is sort of a contradiction.
613  const char *warning =
614  "This expression will create a string whose length is too big to "
615  "be represented as a size_t";
616 
617  // Generate a report for this bug.
618  C.emitReport(
619  llvm::make_unique<BugReport>(*BT_AdditionOverflow, warning, N));
620 
621  return nullptr;
622  }
623 
624  // From now on, assume an overflow didn't occur.
625  assert(stateOkay);
626  state = stateOkay;
627  }
628 
629  return state;
630 }
631 
632 ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state,
633  const MemRegion *MR,
634  SVal strLength) {
635  assert(!strLength.isUndef() && "Attempt to set an undefined string length");
636 
637  MR = MR->StripCasts();
638 
639  switch (MR->getKind()) {
640  case MemRegion::StringRegionKind:
641  // FIXME: This can happen if we strcpy() into a string region. This is
642  // undefined [C99 6.4.5p6], but we should still warn about it.
643  return state;
644 
645  case MemRegion::SymbolicRegionKind:
646  case MemRegion::AllocaRegionKind:
647  case MemRegion::VarRegionKind:
648  case MemRegion::FieldRegionKind:
649  case MemRegion::ObjCIvarRegionKind:
650  // These are the types we can currently track string lengths for.
651  break;
652 
653  case MemRegion::ElementRegionKind:
654  // FIXME: Handle element regions by upper-bounding the parent region's
655  // string length.
656  return state;
657 
658  default:
659  // Other regions (mostly non-data) can't have a reliable C string length.
660  // For now, just ignore the change.
661  // FIXME: These are rare but not impossible. We should output some kind of
662  // warning for things like strcpy((char[]){'a', 0}, "b");
663  return state;
664  }
665 
666  if (strLength.isUnknown())
667  return state->remove<CStringLength>(MR);
668 
669  return state->set<CStringLength>(MR, strLength);
670 }
671 
672 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C,
673  ProgramStateRef &state,
674  const Expr *Ex,
675  const MemRegion *MR,
676  bool hypothetical) {
677  if (!hypothetical) {
678  // If there's a recorded length, go ahead and return it.
679  const SVal *Recorded = state->get<CStringLength>(MR);
680  if (Recorded)
681  return *Recorded;
682  }
683 
684  // Otherwise, get a new symbol and update the state.
685  SValBuilder &svalBuilder = C.getSValBuilder();
686  QualType sizeTy = svalBuilder.getContext().getSizeType();
687  SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(),
688  MR, Ex, sizeTy,
689  C.blockCount());
690 
691  if (!hypothetical) {
692  if (Optional<NonLoc> strLn = strLength.getAs<NonLoc>()) {
693  // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4
694  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
695  const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy);
696  llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4);
697  const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt,
698  fourInt);
699  NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt);
700  SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn,
701  maxLength, sizeTy);
702  state = state->assume(evalLength.castAs<DefinedOrUnknownSVal>(), true);
703  }
704  state = state->set<CStringLength>(MR, strLength);
705  }
706 
707  return strLength;
708 }
709 
710 SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
711  const Expr *Ex, SVal Buf,
712  bool hypothetical) const {
713  const MemRegion *MR = Buf.getAsRegion();
714  if (!MR) {
715  // If we can't get a region, see if it's something we /know/ isn't a
716  // C string. In the context of locations, the only time we can issue such
717  // a warning is for labels.
718  if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) {
719  if (!Filter.CheckCStringNotNullTerm)
720  return UndefinedVal();
721 
722  if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
723  if (!BT_NotCString)
724  BT_NotCString.reset(new BuiltinBug(
725  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
726  "Argument is not a null-terminated string."));
727 
728  SmallString<120> buf;
729  llvm::raw_svector_ostream os(buf);
730  assert(CurrentFunctionDescription);
731  os << "Argument to " << CurrentFunctionDescription
732  << " is the address of the label '" << Label->getLabel()->getName()
733  << "', which is not a null-terminated string";
734 
735  // Generate a report for this bug.
736  auto report = llvm::make_unique<BugReport>(*BT_NotCString, os.str(), N);
737 
738  report->addRange(Ex->getSourceRange());
739  C.emitReport(std::move(report));
740  }
741  return UndefinedVal();
742 
743  }
744 
745  // If it's not a region and not a label, give up.
746  return UnknownVal();
747  }
748 
749  // If we have a region, strip casts from it and see if we can figure out
750  // its length. For anything we can't figure out, just return UnknownVal.
751  MR = MR->StripCasts();
752 
753  switch (MR->getKind()) {
754  case MemRegion::StringRegionKind: {
755  // Modifying the contents of string regions is undefined [C99 6.4.5p6],
756  // so we can assume that the byte length is the correct C string length.
757  SValBuilder &svalBuilder = C.getSValBuilder();
758  QualType sizeTy = svalBuilder.getContext().getSizeType();
759  const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral();
760  return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy);
761  }
762  case MemRegion::SymbolicRegionKind:
763  case MemRegion::AllocaRegionKind:
764  case MemRegion::VarRegionKind:
765  case MemRegion::FieldRegionKind:
766  case MemRegion::ObjCIvarRegionKind:
767  return getCStringLengthForRegion(C, state, Ex, MR, hypothetical);
768  case MemRegion::CompoundLiteralRegionKind:
769  // FIXME: Can we track this? Is it necessary?
770  return UnknownVal();
771  case MemRegion::ElementRegionKind:
772  // FIXME: How can we handle this? It's not good enough to subtract the
773  // offset from the base string length; consider "123\x00567" and &a[5].
774  return UnknownVal();
775  default:
776  // Other regions (mostly non-data) can't have a reliable C string length.
777  // In this case, an error is emitted and UndefinedVal is returned.
778  // The caller should always be prepared to handle this case.
779  if (!Filter.CheckCStringNotNullTerm)
780  return UndefinedVal();
781 
782  if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
783  if (!BT_NotCString)
784  BT_NotCString.reset(new BuiltinBug(
785  Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
786  "Argument is not a null-terminated string."));
787 
788  SmallString<120> buf;
789  llvm::raw_svector_ostream os(buf);
790 
791  assert(CurrentFunctionDescription);
792  os << "Argument to " << CurrentFunctionDescription << " is ";
793 
794  if (SummarizeRegion(os, C.getASTContext(), MR))
795  os << ", which is not a null-terminated string";
796  else
797  os << "not a null-terminated string";
798 
799  // Generate a report for this bug.
800  auto report = llvm::make_unique<BugReport>(*BT_NotCString, os.str(), N);
801 
802  report->addRange(Ex->getSourceRange());
803  C.emitReport(std::move(report));
804  }
805 
806  return UndefinedVal();
807  }
808 }
809 
810 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C,
811  ProgramStateRef &state, const Expr *expr, SVal val) const {
812 
813  // Get the memory region pointed to by the val.
814  const MemRegion *bufRegion = val.getAsRegion();
815  if (!bufRegion)
816  return nullptr;
817 
818  // Strip casts off the memory region.
819  bufRegion = bufRegion->StripCasts();
820 
821  // Cast the memory region to a string region.
822  const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion);
823  if (!strRegion)
824  return nullptr;
825 
826  // Return the actual string in the string region.
827  return strRegion->getStringLiteral();
828 }
829 
830 bool CStringChecker::IsFirstBufInBound(CheckerContext &C,
831  ProgramStateRef state,
832  const Expr *FirstBuf,
833  const Expr *Size) {
834  // If we do not know that the buffer is long enough we return 'true'.
835  // Otherwise the parent region of this field region would also get
836  // invalidated, which would lead to warnings based on an unknown state.
837 
838  // Originally copied from CheckBufferAccess and CheckLocation.
839  SValBuilder &svalBuilder = C.getSValBuilder();
840  ASTContext &Ctx = svalBuilder.getContext();
841  const LocationContext *LCtx = C.getLocationContext();
842 
843  QualType sizeTy = Size->getType();
844  QualType PtrTy = Ctx.getPointerType(Ctx.CharTy);
845  SVal BufVal = state->getSVal(FirstBuf, LCtx);
846 
847  SVal LengthVal = state->getSVal(Size, LCtx);
848  Optional<NonLoc> Length = LengthVal.getAs<NonLoc>();
849  if (!Length)
850  return true; // cf top comment.
851 
852  // Compute the offset of the last element to be accessed: size-1.
853  NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
854  NonLoc LastOffset =
855  svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy)
856  .castAs<NonLoc>();
857 
858  // Check that the first buffer is sufficiently long.
859  SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
860  Optional<Loc> BufLoc = BufStart.getAs<Loc>();
861  if (!BufLoc)
862  return true; // cf top comment.
863 
864  SVal BufEnd =
865  svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy);
866 
867  // Check for out of bound array element access.
868  const MemRegion *R = BufEnd.getAsRegion();
869  if (!R)
870  return true; // cf top comment.
871 
872  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
873  if (!ER)
874  return true; // cf top comment.
875 
876  assert(ER->getValueType() == C.getASTContext().CharTy &&
877  "IsFirstBufInBound should only be called with char* ElementRegions");
878 
879  // Get the size of the array.
880  const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion());
881  SVal Extent =
882  svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder));
883  DefinedOrUnknownSVal ExtentSize = Extent.castAs<DefinedOrUnknownSVal>();
884 
885  // Get the index of the accessed element.
887 
888  ProgramStateRef StInBound = state->assumeInBound(Idx, ExtentSize, true);
889 
890  return static_cast<bool>(StInBound);
891 }
892 
893 ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C,
894  ProgramStateRef state,
895  const Expr *E, SVal V,
896  bool IsSourceBuffer,
897  const Expr *Size) {
898  Optional<Loc> L = V.getAs<Loc>();
899  if (!L)
900  return state;
901 
902  // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes
903  // some assumptions about the value that CFRefCount can't. Even so, it should
904  // probably be refactored.
905  if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
906  const MemRegion *R = MR->getRegion()->StripCasts();
907 
908  // Are we dealing with an ElementRegion? If so, we should be invalidating
909  // the super-region.
910  if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
911  R = ER->getSuperRegion();
912  // FIXME: What about layers of ElementRegions?
913  }
914 
915  // Invalidate this region.
917 
918  bool CausesPointerEscape = false;
920  // Invalidate and escape only indirect regions accessible through the source
921  // buffer.
922  if (IsSourceBuffer) {
923  ITraits.setTrait(R->getBaseRegion(),
926  CausesPointerEscape = true;
927  } else {
928  const MemRegion::Kind& K = R->getKind();
929  if (K == MemRegion::FieldRegionKind)
930  if (Size && IsFirstBufInBound(C, state, E, Size)) {
931  // If destination buffer is a field region and access is in bound,
932  // do not invalidate its super region.
933  ITraits.setTrait(
934  R,
936  }
937  }
938 
939  return state->invalidateRegions(R, E, C.blockCount(), LCtx,
940  CausesPointerEscape, nullptr, nullptr,
941  &ITraits);
942  }
943 
944  // If we have a non-region value by chance, just remove the binding.
945  // FIXME: is this necessary or correct? This handles the non-Region
946  // cases. Is it ever valid to store to these?
947  return state->killBinding(*L);
948 }
949 
950 bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx,
951  const MemRegion *MR) {
952  const TypedValueRegion *TVR = dyn_cast<TypedValueRegion>(MR);
953 
954  switch (MR->getKind()) {
955  case MemRegion::FunctionCodeRegionKind: {
956  const NamedDecl *FD = cast<FunctionCodeRegion>(MR)->getDecl();
957  if (FD)
958  os << "the address of the function '" << *FD << '\'';
959  else
960  os << "the address of a function";
961  return true;
962  }
963  case MemRegion::BlockCodeRegionKind:
964  os << "block text";
965  return true;
966  case MemRegion::BlockDataRegionKind:
967  os << "a block";
968  return true;
969  case MemRegion::CXXThisRegionKind:
970  case MemRegion::CXXTempObjectRegionKind:
971  os << "a C++ temp object of type " << TVR->getValueType().getAsString();
972  return true;
973  case MemRegion::VarRegionKind:
974  os << "a variable of type" << TVR->getValueType().getAsString();
975  return true;
976  case MemRegion::FieldRegionKind:
977  os << "a field of type " << TVR->getValueType().getAsString();
978  return true;
979  case MemRegion::ObjCIvarRegionKind:
980  os << "an instance variable of type " << TVR->getValueType().getAsString();
981  return true;
982  default:
983  return false;
984  }
985 }
986 
987 //===----------------------------------------------------------------------===//
988 // evaluation of individual function calls.
989 //===----------------------------------------------------------------------===//
990 
991 void CStringChecker::evalCopyCommon(CheckerContext &C,
992  const CallExpr *CE,
993  ProgramStateRef state,
994  const Expr *Size, const Expr *Dest,
995  const Expr *Source, bool Restricted,
996  bool IsMempcpy) const {
997  CurrentFunctionDescription = "memory copy function";
998 
999  // See if the size argument is zero.
1000  const LocationContext *LCtx = C.getLocationContext();
1001  SVal sizeVal = state->getSVal(Size, LCtx);
1002  QualType sizeTy = Size->getType();
1003 
1004  ProgramStateRef stateZeroSize, stateNonZeroSize;
1005  std::tie(stateZeroSize, stateNonZeroSize) =
1006  assumeZero(C, state, sizeVal, sizeTy);
1007 
1008  // Get the value of the Dest.
1009  SVal destVal = state->getSVal(Dest, LCtx);
1010 
1011  // If the size is zero, there won't be any actual memory access, so
1012  // just bind the return value to the destination buffer and return.
1013  if (stateZeroSize && !stateNonZeroSize) {
1014  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal);
1015  C.addTransition(stateZeroSize);
1016  return;
1017  }
1018 
1019  // If the size can be nonzero, we have to check the other arguments.
1020  if (stateNonZeroSize) {
1021  state = stateNonZeroSize;
1022 
1023  // Ensure the destination is not null. If it is NULL there will be a
1024  // NULL pointer dereference.
1025  state = checkNonNull(C, state, Dest, destVal);
1026  if (!state)
1027  return;
1028 
1029  // Get the value of the Src.
1030  SVal srcVal = state->getSVal(Source, LCtx);
1031 
1032  // Ensure the source is not null. If it is NULL there will be a
1033  // NULL pointer dereference.
1034  state = checkNonNull(C, state, Source, srcVal);
1035  if (!state)
1036  return;
1037 
1038  // Ensure the accesses are valid and that the buffers do not overlap.
1039  const char * const writeWarning =
1040  "Memory copy function overflows destination buffer";
1041  state = CheckBufferAccess(C, state, Size, Dest, Source,
1042  writeWarning, /* sourceWarning = */ nullptr);
1043  if (Restricted)
1044  state = CheckOverlap(C, state, Size, Dest, Source);
1045 
1046  if (!state)
1047  return;
1048 
1049  // If this is mempcpy, get the byte after the last byte copied and
1050  // bind the expr.
1051  if (IsMempcpy) {
1052  loc::MemRegionVal destRegVal = destVal.castAs<loc::MemRegionVal>();
1053 
1054  // Get the length to copy.
1055  if (Optional<NonLoc> lenValNonLoc = sizeVal.getAs<NonLoc>()) {
1056  // Get the byte after the last byte copied.
1057  SValBuilder &SvalBuilder = C.getSValBuilder();
1058  ASTContext &Ctx = SvalBuilder.getContext();
1059  QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy);
1060  loc::MemRegionVal DestRegCharVal = SvalBuilder.evalCast(destRegVal,
1061  CharPtrTy, Dest->getType()).castAs<loc::MemRegionVal>();
1062  SVal lastElement = C.getSValBuilder().evalBinOpLN(state, BO_Add,
1063  DestRegCharVal,
1064  *lenValNonLoc,
1065  Dest->getType());
1066 
1067  // The byte after the last byte copied is the return value.
1068  state = state->BindExpr(CE, LCtx, lastElement);
1069  } else {
1070  // If we don't know how much we copied, we can at least
1071  // conjure a return value for later.
1072  SVal result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1073  C.blockCount());
1074  state = state->BindExpr(CE, LCtx, result);
1075  }
1076 
1077  } else {
1078  // All other copies return the destination buffer.
1079  // (Well, bcopy() has a void return type, but this won't hurt.)
1080  state = state->BindExpr(CE, LCtx, destVal);
1081  }
1082 
1083  // Invalidate the destination (regular invalidation without pointer-escaping
1084  // the address of the top-level region).
1085  // FIXME: Even if we can't perfectly model the copy, we should see if we
1086  // can use LazyCompoundVals to copy the source values into the destination.
1087  // This would probably remove any existing bindings past the end of the
1088  // copied region, but that's still an improvement over blank invalidation.
1089  state = InvalidateBuffer(C, state, Dest, C.getSVal(Dest),
1090  /*IsSourceBuffer*/false, Size);
1091 
1092  // Invalidate the source (const-invalidation without const-pointer-escaping
1093  // the address of the top-level region).
1094  state = InvalidateBuffer(C, state, Source, C.getSVal(Source),
1095  /*IsSourceBuffer*/true, nullptr);
1096 
1097  C.addTransition(state);
1098  }
1099 }
1100 
1101 
1102 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const {
1103  if (CE->getNumArgs() < 3)
1104  return;
1105 
1106  // void *memcpy(void *restrict dst, const void *restrict src, size_t n);
1107  // The return value is the address of the destination buffer.
1108  const Expr *Dest = CE->getArg(0);
1109  ProgramStateRef state = C.getState();
1110 
1111  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true);
1112 }
1113 
1114 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const {
1115  if (CE->getNumArgs() < 3)
1116  return;
1117 
1118  // void *mempcpy(void *restrict dst, const void *restrict src, size_t n);
1119  // The return value is a pointer to the byte following the last written byte.
1120  const Expr *Dest = CE->getArg(0);
1121  ProgramStateRef state = C.getState();
1122 
1123  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true);
1124 }
1125 
1126 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const {
1127  if (CE->getNumArgs() < 3)
1128  return;
1129 
1130  // void *memmove(void *dst, const void *src, size_t n);
1131  // The return value is the address of the destination buffer.
1132  const Expr *Dest = CE->getArg(0);
1133  ProgramStateRef state = C.getState();
1134 
1135  evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1));
1136 }
1137 
1138 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const {
1139  if (CE->getNumArgs() < 3)
1140  return;
1141 
1142  // void bcopy(const void *src, void *dst, size_t n);
1143  evalCopyCommon(C, CE, C.getState(),
1144  CE->getArg(2), CE->getArg(1), CE->getArg(0));
1145 }
1146 
1147 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const {
1148  if (CE->getNumArgs() < 3)
1149  return;
1150 
1151  // int memcmp(const void *s1, const void *s2, size_t n);
1152  CurrentFunctionDescription = "memory comparison function";
1153 
1154  const Expr *Left = CE->getArg(0);
1155  const Expr *Right = CE->getArg(1);
1156  const Expr *Size = CE->getArg(2);
1157 
1158  ProgramStateRef state = C.getState();
1159  SValBuilder &svalBuilder = C.getSValBuilder();
1160 
1161  // See if the size argument is zero.
1162  const LocationContext *LCtx = C.getLocationContext();
1163  SVal sizeVal = state->getSVal(Size, LCtx);
1164  QualType sizeTy = Size->getType();
1165 
1166  ProgramStateRef stateZeroSize, stateNonZeroSize;
1167  std::tie(stateZeroSize, stateNonZeroSize) =
1168  assumeZero(C, state, sizeVal, sizeTy);
1169 
1170  // If the size can be zero, the result will be 0 in that case, and we don't
1171  // have to check either of the buffers.
1172  if (stateZeroSize) {
1173  state = stateZeroSize;
1174  state = state->BindExpr(CE, LCtx,
1175  svalBuilder.makeZeroVal(CE->getType()));
1176  C.addTransition(state);
1177  }
1178 
1179  // If the size can be nonzero, we have to check the other arguments.
1180  if (stateNonZeroSize) {
1181  state = stateNonZeroSize;
1182  // If we know the two buffers are the same, we know the result is 0.
1183  // First, get the two buffers' addresses. Another checker will have already
1184  // made sure they're not undefined.
1186  state->getSVal(Left, LCtx).castAs<DefinedOrUnknownSVal>();
1188  state->getSVal(Right, LCtx).castAs<DefinedOrUnknownSVal>();
1189 
1190  // See if they are the same.
1191  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1192  ProgramStateRef StSameBuf, StNotSameBuf;
1193  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1194 
1195  // If the two arguments might be the same buffer, we know the result is 0,
1196  // and we only need to check one size.
1197  if (StSameBuf) {
1198  state = StSameBuf;
1199  state = CheckBufferAccess(C, state, Size, Left);
1200  if (state) {
1201  state = StSameBuf->BindExpr(CE, LCtx,
1202  svalBuilder.makeZeroVal(CE->getType()));
1203  C.addTransition(state);
1204  }
1205  }
1206 
1207  // If the two arguments might be different buffers, we have to check the
1208  // size of both of them.
1209  if (StNotSameBuf) {
1210  state = StNotSameBuf;
1211  state = CheckBufferAccess(C, state, Size, Left, Right);
1212  if (state) {
1213  // The return value is the comparison result, which we don't know.
1214  SVal CmpV = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1215  C.blockCount());
1216  state = state->BindExpr(CE, LCtx, CmpV);
1217  C.addTransition(state);
1218  }
1219  }
1220  }
1221 }
1222 
1223 void CStringChecker::evalstrLength(CheckerContext &C,
1224  const CallExpr *CE) const {
1225  if (CE->getNumArgs() < 1)
1226  return;
1227 
1228  // size_t strlen(const char *s);
1229  evalstrLengthCommon(C, CE, /* IsStrnlen = */ false);
1230 }
1231 
1232 void CStringChecker::evalstrnLength(CheckerContext &C,
1233  const CallExpr *CE) const {
1234  if (CE->getNumArgs() < 2)
1235  return;
1236 
1237  // size_t strnlen(const char *s, size_t maxlen);
1238  evalstrLengthCommon(C, CE, /* IsStrnlen = */ true);
1239 }
1240 
1241 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE,
1242  bool IsStrnlen) const {
1243  CurrentFunctionDescription = "string length function";
1244  ProgramStateRef state = C.getState();
1245  const LocationContext *LCtx = C.getLocationContext();
1246 
1247  if (IsStrnlen) {
1248  const Expr *maxlenExpr = CE->getArg(1);
1249  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1250 
1251  ProgramStateRef stateZeroSize, stateNonZeroSize;
1252  std::tie(stateZeroSize, stateNonZeroSize) =
1253  assumeZero(C, state, maxlenVal, maxlenExpr->getType());
1254 
1255  // If the size can be zero, the result will be 0 in that case, and we don't
1256  // have to check the string itself.
1257  if (stateZeroSize) {
1258  SVal zero = C.getSValBuilder().makeZeroVal(CE->getType());
1259  stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero);
1260  C.addTransition(stateZeroSize);
1261  }
1262 
1263  // If the size is GUARANTEED to be zero, we're done!
1264  if (!stateNonZeroSize)
1265  return;
1266 
1267  // Otherwise, record the assumption that the size is nonzero.
1268  state = stateNonZeroSize;
1269  }
1270 
1271  // Check that the string argument is non-null.
1272  const Expr *Arg = CE->getArg(0);
1273  SVal ArgVal = state->getSVal(Arg, LCtx);
1274 
1275  state = checkNonNull(C, state, Arg, ArgVal);
1276 
1277  if (!state)
1278  return;
1279 
1280  SVal strLength = getCStringLength(C, state, Arg, ArgVal);
1281 
1282  // If the argument isn't a valid C string, there's no valid state to
1283  // transition to.
1284  if (strLength.isUndef())
1285  return;
1286 
1287  DefinedOrUnknownSVal result = UnknownVal();
1288 
1289  // If the check is for strnlen() then bind the return value to no more than
1290  // the maxlen value.
1291  if (IsStrnlen) {
1293 
1294  // It's a little unfortunate to be getting this again,
1295  // but it's not that expensive...
1296  const Expr *maxlenExpr = CE->getArg(1);
1297  SVal maxlenVal = state->getSVal(maxlenExpr, LCtx);
1298 
1299  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1300  Optional<NonLoc> maxlenValNL = maxlenVal.getAs<NonLoc>();
1301 
1302  if (strLengthNL && maxlenValNL) {
1303  ProgramStateRef stateStringTooLong, stateStringNotTooLong;
1304 
1305  // Check if the strLength is greater than the maxlen.
1306  std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume(
1307  C.getSValBuilder()
1308  .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy)
1310 
1311  if (stateStringTooLong && !stateStringNotTooLong) {
1312  // If the string is longer than maxlen, return maxlen.
1313  result = *maxlenValNL;
1314  } else if (stateStringNotTooLong && !stateStringTooLong) {
1315  // If the string is shorter than maxlen, return its length.
1316  result = *strLengthNL;
1317  }
1318  }
1319 
1320  if (result.isUnknown()) {
1321  // If we don't have enough information for a comparison, there's
1322  // no guarantee the full string length will actually be returned.
1323  // All we know is the return value is the min of the string length
1324  // and the limit. This is better than nothing.
1325  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1326  C.blockCount());
1327  NonLoc resultNL = result.castAs<NonLoc>();
1328 
1329  if (strLengthNL) {
1330  state = state->assume(C.getSValBuilder().evalBinOpNN(
1331  state, BO_LE, resultNL, *strLengthNL, cmpTy)
1332  .castAs<DefinedOrUnknownSVal>(), true);
1333  }
1334 
1335  if (maxlenValNL) {
1336  state = state->assume(C.getSValBuilder().evalBinOpNN(
1337  state, BO_LE, resultNL, *maxlenValNL, cmpTy)
1338  .castAs<DefinedOrUnknownSVal>(), true);
1339  }
1340  }
1341 
1342  } else {
1343  // This is a plain strlen(), not strnlen().
1344  result = strLength.castAs<DefinedOrUnknownSVal>();
1345 
1346  // If we don't know the length of the string, conjure a return
1347  // value, so it can be used in constraints, at least.
1348  if (result.isUnknown()) {
1349  result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx,
1350  C.blockCount());
1351  }
1352  }
1353 
1354  // Bind the return value.
1355  assert(!result.isUnknown() && "Should have conjured a value by now");
1356  state = state->BindExpr(CE, LCtx, result);
1357  C.addTransition(state);
1358 }
1359 
1360 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const {
1361  if (CE->getNumArgs() < 2)
1362  return;
1363 
1364  // char *strcpy(char *restrict dst, const char *restrict src);
1365  evalStrcpyCommon(C, CE,
1366  /* returnEnd = */ false,
1367  /* isBounded = */ false,
1368  /* isAppending = */ false);
1369 }
1370 
1371 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const {
1372  if (CE->getNumArgs() < 3)
1373  return;
1374 
1375  // char *strncpy(char *restrict dst, const char *restrict src, size_t n);
1376  evalStrcpyCommon(C, CE,
1377  /* returnEnd = */ false,
1378  /* isBounded = */ true,
1379  /* isAppending = */ false);
1380 }
1381 
1382 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const {
1383  if (CE->getNumArgs() < 2)
1384  return;
1385 
1386  // char *stpcpy(char *restrict dst, const char *restrict src);
1387  evalStrcpyCommon(C, CE,
1388  /* returnEnd = */ true,
1389  /* isBounded = */ false,
1390  /* isAppending = */ false);
1391 }
1392 
1393 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const {
1394  if (CE->getNumArgs() < 2)
1395  return;
1396 
1397  //char *strcat(char *restrict s1, const char *restrict s2);
1398  evalStrcpyCommon(C, CE,
1399  /* returnEnd = */ false,
1400  /* isBounded = */ false,
1401  /* isAppending = */ true);
1402 }
1403 
1404 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const {
1405  if (CE->getNumArgs() < 3)
1406  return;
1407 
1408  //char *strncat(char *restrict s1, const char *restrict s2, size_t n);
1409  evalStrcpyCommon(C, CE,
1410  /* returnEnd = */ false,
1411  /* isBounded = */ true,
1412  /* isAppending = */ true);
1413 }
1414 
1415 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE,
1416  bool returnEnd, bool isBounded,
1417  bool isAppending) const {
1418  CurrentFunctionDescription = "string copy function";
1419  ProgramStateRef state = C.getState();
1420  const LocationContext *LCtx = C.getLocationContext();
1421 
1422  // Check that the destination is non-null.
1423  const Expr *Dst = CE->getArg(0);
1424  SVal DstVal = state->getSVal(Dst, LCtx);
1425 
1426  state = checkNonNull(C, state, Dst, DstVal);
1427  if (!state)
1428  return;
1429 
1430  // Check that the source is non-null.
1431  const Expr *srcExpr = CE->getArg(1);
1432  SVal srcVal = state->getSVal(srcExpr, LCtx);
1433  state = checkNonNull(C, state, srcExpr, srcVal);
1434  if (!state)
1435  return;
1436 
1437  // Get the string length of the source.
1438  SVal strLength = getCStringLength(C, state, srcExpr, srcVal);
1439 
1440  // If the source isn't a valid C string, give up.
1441  if (strLength.isUndef())
1442  return;
1443 
1444  SValBuilder &svalBuilder = C.getSValBuilder();
1445  QualType cmpTy = svalBuilder.getConditionType();
1446  QualType sizeTy = svalBuilder.getContext().getSizeType();
1447 
1448  // These two values allow checking two kinds of errors:
1449  // - actual overflows caused by a source that doesn't fit in the destination
1450  // - potential overflows caused by a bound that could exceed the destination
1451  SVal amountCopied = UnknownVal();
1452  SVal maxLastElementIndex = UnknownVal();
1453  const char *boundWarning = nullptr;
1454 
1455  // If the function is strncpy, strncat, etc... it is bounded.
1456  if (isBounded) {
1457  // Get the max number of characters to copy.
1458  const Expr *lenExpr = CE->getArg(2);
1459  SVal lenVal = state->getSVal(lenExpr, LCtx);
1460 
1461  // Protect against misdeclared strncpy().
1462  lenVal = svalBuilder.evalCast(lenVal, sizeTy, lenExpr->getType());
1463 
1464  Optional<NonLoc> strLengthNL = strLength.getAs<NonLoc>();
1465  Optional<NonLoc> lenValNL = lenVal.getAs<NonLoc>();
1466 
1467  // If we know both values, we might be able to figure out how much
1468  // we're copying.
1469  if (strLengthNL && lenValNL) {
1470  ProgramStateRef stateSourceTooLong, stateSourceNotTooLong;
1471 
1472  // Check if the max number to copy is less than the length of the src.
1473  // If the bound is equal to the source length, strncpy won't null-
1474  // terminate the result!
1475  std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume(
1476  svalBuilder.evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy)
1478 
1479  if (stateSourceTooLong && !stateSourceNotTooLong) {
1480  // Max number to copy is less than the length of the src, so the actual
1481  // strLength copied is the max number arg.
1482  state = stateSourceTooLong;
1483  amountCopied = lenVal;
1484 
1485  } else if (!stateSourceTooLong && stateSourceNotTooLong) {
1486  // The source buffer entirely fits in the bound.
1487  state = stateSourceNotTooLong;
1488  amountCopied = strLength;
1489  }
1490  }
1491 
1492  // We still want to know if the bound is known to be too large.
1493  if (lenValNL) {
1494  if (isAppending) {
1495  // For strncat, the check is strlen(dst) + lenVal < sizeof(dst)
1496 
1497  // Get the string length of the destination. If the destination is
1498  // memory that can't have a string length, we shouldn't be copying
1499  // into it anyway.
1500  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1501  if (dstStrLength.isUndef())
1502  return;
1503 
1504  if (Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>()) {
1505  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Add,
1506  *lenValNL,
1507  *dstStrLengthNL,
1508  sizeTy);
1509  boundWarning = "Size argument is greater than the free space in the "
1510  "destination buffer";
1511  }
1512 
1513  } else {
1514  // For strncpy, this is just checking that lenVal <= sizeof(dst)
1515  // (Yes, strncpy and strncat differ in how they treat termination.
1516  // strncat ALWAYS terminates, but strncpy doesn't.)
1517 
1518  // We need a special case for when the copy size is zero, in which
1519  // case strncpy will do no work at all. Our bounds check uses n-1
1520  // as the last element accessed, so n == 0 is problematic.
1521  ProgramStateRef StateZeroSize, StateNonZeroSize;
1522  std::tie(StateZeroSize, StateNonZeroSize) =
1523  assumeZero(C, state, *lenValNL, sizeTy);
1524 
1525  // If the size is known to be zero, we're done.
1526  if (StateZeroSize && !StateNonZeroSize) {
1527  StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal);
1528  C.addTransition(StateZeroSize);
1529  return;
1530  }
1531 
1532  // Otherwise, go ahead and figure out the last element we'll touch.
1533  // We don't record the non-zero assumption here because we can't
1534  // be sure. We won't warn on a possible zero.
1535  NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
1536  maxLastElementIndex = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL,
1537  one, sizeTy);
1538  boundWarning = "Size argument is greater than the length of the "
1539  "destination buffer";
1540  }
1541  }
1542 
1543  // If we couldn't pin down the copy length, at least bound it.
1544  // FIXME: We should actually run this code path for append as well, but
1545  // right now it creates problems with constraints (since we can end up
1546  // trying to pass constraints from symbol to symbol).
1547  if (amountCopied.isUnknown() && !isAppending) {
1548  // Try to get a "hypothetical" string length symbol, which we can later
1549  // set as a real value if that turns out to be the case.
1550  amountCopied = getCStringLength(C, state, lenExpr, srcVal, true);
1551  assert(!amountCopied.isUndef());
1552 
1553  if (Optional<NonLoc> amountCopiedNL = amountCopied.getAs<NonLoc>()) {
1554  if (lenValNL) {
1555  // amountCopied <= lenVal
1556  SVal copiedLessThanBound = svalBuilder.evalBinOpNN(state, BO_LE,
1557  *amountCopiedNL,
1558  *lenValNL,
1559  cmpTy);
1560  state = state->assume(
1561  copiedLessThanBound.castAs<DefinedOrUnknownSVal>(), true);
1562  if (!state)
1563  return;
1564  }
1565 
1566  if (strLengthNL) {
1567  // amountCopied <= strlen(source)
1568  SVal copiedLessThanSrc = svalBuilder.evalBinOpNN(state, BO_LE,
1569  *amountCopiedNL,
1570  *strLengthNL,
1571  cmpTy);
1572  state = state->assume(
1573  copiedLessThanSrc.castAs<DefinedOrUnknownSVal>(), true);
1574  if (!state)
1575  return;
1576  }
1577  }
1578  }
1579 
1580  } else {
1581  // The function isn't bounded. The amount copied should match the length
1582  // of the source buffer.
1583  amountCopied = strLength;
1584  }
1585 
1586  assert(state);
1587 
1588  // This represents the number of characters copied into the destination
1589  // buffer. (It may not actually be the strlen if the destination buffer
1590  // is not terminated.)
1591  SVal finalStrLength = UnknownVal();
1592 
1593  // If this is an appending function (strcat, strncat...) then set the
1594  // string length to strlen(src) + strlen(dst) since the buffer will
1595  // ultimately contain both.
1596  if (isAppending) {
1597  // Get the string length of the destination. If the destination is memory
1598  // that can't have a string length, we shouldn't be copying into it anyway.
1599  SVal dstStrLength = getCStringLength(C, state, Dst, DstVal);
1600  if (dstStrLength.isUndef())
1601  return;
1602 
1603  Optional<NonLoc> srcStrLengthNL = amountCopied.getAs<NonLoc>();
1604  Optional<NonLoc> dstStrLengthNL = dstStrLength.getAs<NonLoc>();
1605 
1606  // If we know both string lengths, we might know the final string length.
1607  if (srcStrLengthNL && dstStrLengthNL) {
1608  // Make sure the two lengths together don't overflow a size_t.
1609  state = checkAdditionOverflow(C, state, *srcStrLengthNL, *dstStrLengthNL);
1610  if (!state)
1611  return;
1612 
1613  finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *srcStrLengthNL,
1614  *dstStrLengthNL, sizeTy);
1615  }
1616 
1617  // If we couldn't get a single value for the final string length,
1618  // we can at least bound it by the individual lengths.
1619  if (finalStrLength.isUnknown()) {
1620  // Try to get a "hypothetical" string length symbol, which we can later
1621  // set as a real value if that turns out to be the case.
1622  finalStrLength = getCStringLength(C, state, CE, DstVal, true);
1623  assert(!finalStrLength.isUndef());
1624 
1625  if (Optional<NonLoc> finalStrLengthNL = finalStrLength.getAs<NonLoc>()) {
1626  if (srcStrLengthNL) {
1627  // finalStrLength >= srcStrLength
1628  SVal sourceInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1629  *finalStrLengthNL,
1630  *srcStrLengthNL,
1631  cmpTy);
1632  state = state->assume(sourceInResult.castAs<DefinedOrUnknownSVal>(),
1633  true);
1634  if (!state)
1635  return;
1636  }
1637 
1638  if (dstStrLengthNL) {
1639  // finalStrLength >= dstStrLength
1640  SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE,
1641  *finalStrLengthNL,
1642  *dstStrLengthNL,
1643  cmpTy);
1644  state =
1645  state->assume(destInResult.castAs<DefinedOrUnknownSVal>(), true);
1646  if (!state)
1647  return;
1648  }
1649  }
1650  }
1651 
1652  } else {
1653  // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and
1654  // the final string length will match the input string length.
1655  finalStrLength = amountCopied;
1656  }
1657 
1658  // The final result of the function will either be a pointer past the last
1659  // copied element, or a pointer to the start of the destination buffer.
1660  SVal Result = (returnEnd ? UnknownVal() : DstVal);
1661 
1662  assert(state);
1663 
1664  // If the destination is a MemRegion, try to check for a buffer overflow and
1665  // record the new string length.
1666  if (Optional<loc::MemRegionVal> dstRegVal =
1667  DstVal.getAs<loc::MemRegionVal>()) {
1668  QualType ptrTy = Dst->getType();
1669 
1670  // If we have an exact value on a bounded copy, use that to check for
1671  // overflows, rather than our estimate about how much is actually copied.
1672  if (boundWarning) {
1673  if (Optional<NonLoc> maxLastNL = maxLastElementIndex.getAs<NonLoc>()) {
1674  SVal maxLastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1675  *maxLastNL, ptrTy);
1676  state = CheckLocation(C, state, CE->getArg(2), maxLastElement,
1677  boundWarning);
1678  if (!state)
1679  return;
1680  }
1681  }
1682 
1683  // Then, if the final length is known...
1684  if (Optional<NonLoc> knownStrLength = finalStrLength.getAs<NonLoc>()) {
1685  SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal,
1686  *knownStrLength, ptrTy);
1687 
1688  // ...and we haven't checked the bound, we'll check the actual copy.
1689  if (!boundWarning) {
1690  const char * const warningMsg =
1691  "String copy function overflows destination buffer";
1692  state = CheckLocation(C, state, Dst, lastElement, warningMsg);
1693  if (!state)
1694  return;
1695  }
1696 
1697  // If this is a stpcpy-style copy, the last element is the return value.
1698  if (returnEnd)
1699  Result = lastElement;
1700  }
1701 
1702  // Invalidate the destination (regular invalidation without pointer-escaping
1703  // the address of the top-level region). This must happen before we set the
1704  // C string length because invalidation will clear the length.
1705  // FIXME: Even if we can't perfectly model the copy, we should see if we
1706  // can use LazyCompoundVals to copy the source values into the destination.
1707  // This would probably remove any existing bindings past the end of the
1708  // string, but that's still an improvement over blank invalidation.
1709  state = InvalidateBuffer(C, state, Dst, *dstRegVal,
1710  /*IsSourceBuffer*/false, nullptr);
1711 
1712  // Invalidate the source (const-invalidation without const-pointer-escaping
1713  // the address of the top-level region).
1714  state = InvalidateBuffer(C, state, srcExpr, srcVal, /*IsSourceBuffer*/true,
1715  nullptr);
1716 
1717  // Set the C string length of the destination, if we know it.
1718  if (isBounded && !isAppending) {
1719  // strncpy is annoying in that it doesn't guarantee to null-terminate
1720  // the result string. If the original string didn't fit entirely inside
1721  // the bound (including the null-terminator), we don't know how long the
1722  // result is.
1723  if (amountCopied != strLength)
1724  finalStrLength = UnknownVal();
1725  }
1726  state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength);
1727  }
1728 
1729  assert(state);
1730 
1731  // If this is a stpcpy-style copy, but we were unable to check for a buffer
1732  // overflow, we still need a result. Conjure a return value.
1733  if (returnEnd && Result.isUnknown()) {
1734  Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1735  }
1736 
1737  // Set the return value.
1738  state = state->BindExpr(CE, LCtx, Result);
1739  C.addTransition(state);
1740 }
1741 
1742 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const {
1743  if (CE->getNumArgs() < 2)
1744  return;
1745 
1746  //int strcmp(const char *s1, const char *s2);
1747  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false);
1748 }
1749 
1750 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const {
1751  if (CE->getNumArgs() < 3)
1752  return;
1753 
1754  //int strncmp(const char *s1, const char *s2, size_t n);
1755  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false);
1756 }
1757 
1758 void CStringChecker::evalStrcasecmp(CheckerContext &C,
1759  const CallExpr *CE) const {
1760  if (CE->getNumArgs() < 2)
1761  return;
1762 
1763  //int strcasecmp(const char *s1, const char *s2);
1764  evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true);
1765 }
1766 
1767 void CStringChecker::evalStrncasecmp(CheckerContext &C,
1768  const CallExpr *CE) const {
1769  if (CE->getNumArgs() < 3)
1770  return;
1771 
1772  //int strncasecmp(const char *s1, const char *s2, size_t n);
1773  evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true);
1774 }
1775 
1776 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE,
1777  bool isBounded, bool ignoreCase) const {
1778  CurrentFunctionDescription = "string comparison function";
1779  ProgramStateRef state = C.getState();
1780  const LocationContext *LCtx = C.getLocationContext();
1781 
1782  // Check that the first string is non-null
1783  const Expr *s1 = CE->getArg(0);
1784  SVal s1Val = state->getSVal(s1, LCtx);
1785  state = checkNonNull(C, state, s1, s1Val);
1786  if (!state)
1787  return;
1788 
1789  // Check that the second string is non-null.
1790  const Expr *s2 = CE->getArg(1);
1791  SVal s2Val = state->getSVal(s2, LCtx);
1792  state = checkNonNull(C, state, s2, s2Val);
1793  if (!state)
1794  return;
1795 
1796  // Get the string length of the first string or give up.
1797  SVal s1Length = getCStringLength(C, state, s1, s1Val);
1798  if (s1Length.isUndef())
1799  return;
1800 
1801  // Get the string length of the second string or give up.
1802  SVal s2Length = getCStringLength(C, state, s2, s2Val);
1803  if (s2Length.isUndef())
1804  return;
1805 
1806  // If we know the two buffers are the same, we know the result is 0.
1807  // First, get the two buffers' addresses. Another checker will have already
1808  // made sure they're not undefined.
1811 
1812  // See if they are the same.
1813  SValBuilder &svalBuilder = C.getSValBuilder();
1814  DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV);
1815  ProgramStateRef StSameBuf, StNotSameBuf;
1816  std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf);
1817 
1818  // If the two arguments might be the same buffer, we know the result is 0,
1819  // and we only need to check one size.
1820  if (StSameBuf) {
1821  StSameBuf = StSameBuf->BindExpr(CE, LCtx,
1822  svalBuilder.makeZeroVal(CE->getType()));
1823  C.addTransition(StSameBuf);
1824 
1825  // If the two arguments are GUARANTEED to be the same, we're done!
1826  if (!StNotSameBuf)
1827  return;
1828  }
1829 
1830  assert(StNotSameBuf);
1831  state = StNotSameBuf;
1832 
1833  // At this point we can go about comparing the two buffers.
1834  // For now, we only do this if they're both known string literals.
1835 
1836  // Attempt to extract string literals from both expressions.
1837  const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val);
1838  const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val);
1839  bool canComputeResult = false;
1840  SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx,
1841  C.blockCount());
1842 
1843  if (s1StrLiteral && s2StrLiteral) {
1844  StringRef s1StrRef = s1StrLiteral->getString();
1845  StringRef s2StrRef = s2StrLiteral->getString();
1846 
1847  if (isBounded) {
1848  // Get the max number of characters to compare.
1849  const Expr *lenExpr = CE->getArg(2);
1850  SVal lenVal = state->getSVal(lenExpr, LCtx);
1851 
1852  // If the length is known, we can get the right substrings.
1853  if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) {
1854  // Create substrings of each to compare the prefix.
1855  s1StrRef = s1StrRef.substr(0, (size_t)len->getZExtValue());
1856  s2StrRef = s2StrRef.substr(0, (size_t)len->getZExtValue());
1857  canComputeResult = true;
1858  }
1859  } else {
1860  // This is a normal, unbounded strcmp.
1861  canComputeResult = true;
1862  }
1863 
1864  if (canComputeResult) {
1865  // Real strcmp stops at null characters.
1866  size_t s1Term = s1StrRef.find('\0');
1867  if (s1Term != StringRef::npos)
1868  s1StrRef = s1StrRef.substr(0, s1Term);
1869 
1870  size_t s2Term = s2StrRef.find('\0');
1871  if (s2Term != StringRef::npos)
1872  s2StrRef = s2StrRef.substr(0, s2Term);
1873 
1874  // Use StringRef's comparison methods to compute the actual result.
1875  int compareRes = ignoreCase ? s1StrRef.compare_lower(s2StrRef)
1876  : s1StrRef.compare(s2StrRef);
1877 
1878  // The strcmp function returns an integer greater than, equal to, or less
1879  // than zero, [c11, p7.24.4.2].
1880  if (compareRes == 0) {
1881  resultVal = svalBuilder.makeIntVal(compareRes, CE->getType());
1882  }
1883  else {
1884  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType());
1885  // Constrain strcmp's result range based on the result of StringRef's
1886  // comparison methods.
1887  BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT;
1888  SVal compareWithZero =
1889  svalBuilder.evalBinOp(state, op, resultVal, zeroVal,
1890  svalBuilder.getConditionType());
1891  DefinedSVal compareWithZeroVal = compareWithZero.castAs<DefinedSVal>();
1892  state = state->assume(compareWithZeroVal, true);
1893  }
1894  }
1895  }
1896 
1897  state = state->BindExpr(CE, LCtx, resultVal);
1898 
1899  // Record this as a possible path.
1900  C.addTransition(state);
1901 }
1902 
1903 void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const {
1904  //char *strsep(char **stringp, const char *delim);
1905  if (CE->getNumArgs() < 2)
1906  return;
1907 
1908  // Sanity: does the search string parameter match the return type?
1909  const Expr *SearchStrPtr = CE->getArg(0);
1910  QualType CharPtrTy = SearchStrPtr->getType()->getPointeeType();
1911  if (CharPtrTy.isNull() ||
1912  CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType())
1913  return;
1914 
1915  CurrentFunctionDescription = "strsep()";
1916  ProgramStateRef State = C.getState();
1917  const LocationContext *LCtx = C.getLocationContext();
1918 
1919  // Check that the search string pointer is non-null (though it may point to
1920  // a null string).
1921  SVal SearchStrVal = State->getSVal(SearchStrPtr, LCtx);
1922  State = checkNonNull(C, State, SearchStrPtr, SearchStrVal);
1923  if (!State)
1924  return;
1925 
1926  // Check that the delimiter string is non-null.
1927  const Expr *DelimStr = CE->getArg(1);
1928  SVal DelimStrVal = State->getSVal(DelimStr, LCtx);
1929  State = checkNonNull(C, State, DelimStr, DelimStrVal);
1930  if (!State)
1931  return;
1932 
1933  SValBuilder &SVB = C.getSValBuilder();
1934  SVal Result;
1935  if (Optional<Loc> SearchStrLoc = SearchStrVal.getAs<Loc>()) {
1936  // Get the current value of the search string pointer, as a char*.
1937  Result = State->getSVal(*SearchStrLoc, CharPtrTy);
1938 
1939  // Invalidate the search string, representing the change of one delimiter
1940  // character to NUL.
1941  State = InvalidateBuffer(C, State, SearchStrPtr, Result,
1942  /*IsSourceBuffer*/false, nullptr);
1943 
1944  // Overwrite the search string pointer. The new value is either an address
1945  // further along in the same string, or NULL if there are no more tokens.
1946  State = State->bindLoc(*SearchStrLoc,
1947  SVB.conjureSymbolVal(getTag(), CE, LCtx, CharPtrTy,
1948  C.blockCount()));
1949  } else {
1950  assert(SearchStrVal.isUnknown());
1951  // Conjure a symbolic value. It's the best we can do.
1952  Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1953  }
1954 
1955  // Set the return value, and finish.
1956  State = State->BindExpr(CE, LCtx, Result);
1957  C.addTransition(State);
1958 }
1959 
1960 // These should probably be moved into a C++ standard library checker.
1961 void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const {
1962  evalStdCopyCommon(C, CE);
1963 }
1964 
1965 void CStringChecker::evalStdCopyBackward(CheckerContext &C,
1966  const CallExpr *CE) const {
1967  evalStdCopyCommon(C, CE);
1968 }
1969 
1970 void CStringChecker::evalStdCopyCommon(CheckerContext &C,
1971  const CallExpr *CE) const {
1972  if (CE->getNumArgs() < 3)
1973  return;
1974 
1975  ProgramStateRef State = C.getState();
1976 
1977  const LocationContext *LCtx = C.getLocationContext();
1978 
1979  // template <class _InputIterator, class _OutputIterator>
1980  // _OutputIterator
1981  // copy(_InputIterator __first, _InputIterator __last,
1982  // _OutputIterator __result)
1983 
1984  // Invalidate the destination buffer
1985  const Expr *Dst = CE->getArg(2);
1986  SVal DstVal = State->getSVal(Dst, LCtx);
1987  State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false,
1988  /*Size=*/nullptr);
1989 
1990  SValBuilder &SVB = C.getSValBuilder();
1991 
1992  SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount());
1993  State = State->BindExpr(CE, LCtx, ResultVal);
1994 
1995  C.addTransition(State);
1996 }
1997 
1998 static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name) {
1999  IdentifierInfo *II = FD->getIdentifier();
2000  if (!II)
2001  return false;
2002 
2004  return false;
2005 
2006  if (II->getName().equals(Name))
2007  return true;
2008 
2009  return false;
2010 }
2011 //===----------------------------------------------------------------------===//
2012 // The driver method, and other Checker callbacks.
2013 //===----------------------------------------------------------------------===//
2014 
2015 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const {
2016  const FunctionDecl *FDecl = C.getCalleeDecl(CE);
2017 
2018  if (!FDecl)
2019  return false;
2020 
2021  // FIXME: Poorly-factored string switches are slow.
2022  FnCheck evalFunction = nullptr;
2023  if (C.isCLibraryFunction(FDecl, "memcpy"))
2024  evalFunction = &CStringChecker::evalMemcpy;
2025  else if (C.isCLibraryFunction(FDecl, "mempcpy"))
2026  evalFunction = &CStringChecker::evalMempcpy;
2027  else if (C.isCLibraryFunction(FDecl, "memcmp"))
2028  evalFunction = &CStringChecker::evalMemcmp;
2029  else if (C.isCLibraryFunction(FDecl, "memmove"))
2030  evalFunction = &CStringChecker::evalMemmove;
2031  else if (C.isCLibraryFunction(FDecl, "strcpy"))
2032  evalFunction = &CStringChecker::evalStrcpy;
2033  else if (C.isCLibraryFunction(FDecl, "strncpy"))
2034  evalFunction = &CStringChecker::evalStrncpy;
2035  else if (C.isCLibraryFunction(FDecl, "stpcpy"))
2036  evalFunction = &CStringChecker::evalStpcpy;
2037  else if (C.isCLibraryFunction(FDecl, "strcat"))
2038  evalFunction = &CStringChecker::evalStrcat;
2039  else if (C.isCLibraryFunction(FDecl, "strncat"))
2040  evalFunction = &CStringChecker::evalStrncat;
2041  else if (C.isCLibraryFunction(FDecl, "strlen"))
2042  evalFunction = &CStringChecker::evalstrLength;
2043  else if (C.isCLibraryFunction(FDecl, "strnlen"))
2044  evalFunction = &CStringChecker::evalstrnLength;
2045  else if (C.isCLibraryFunction(FDecl, "strcmp"))
2046  evalFunction = &CStringChecker::evalStrcmp;
2047  else if (C.isCLibraryFunction(FDecl, "strncmp"))
2048  evalFunction = &CStringChecker::evalStrncmp;
2049  else if (C.isCLibraryFunction(FDecl, "strcasecmp"))
2050  evalFunction = &CStringChecker::evalStrcasecmp;
2051  else if (C.isCLibraryFunction(FDecl, "strncasecmp"))
2052  evalFunction = &CStringChecker::evalStrncasecmp;
2053  else if (C.isCLibraryFunction(FDecl, "strsep"))
2054  evalFunction = &CStringChecker::evalStrsep;
2055  else if (C.isCLibraryFunction(FDecl, "bcopy"))
2056  evalFunction = &CStringChecker::evalBcopy;
2057  else if (C.isCLibraryFunction(FDecl, "bcmp"))
2058  evalFunction = &CStringChecker::evalMemcmp;
2059  else if (isCPPStdLibraryFunction(FDecl, "copy"))
2060  evalFunction = &CStringChecker::evalStdCopy;
2061  else if (isCPPStdLibraryFunction(FDecl, "copy_backward"))
2062  evalFunction = &CStringChecker::evalStdCopyBackward;
2063 
2064  // If the callee isn't a string function, let another checker handle it.
2065  if (!evalFunction)
2066  return false;
2067 
2068  // Check and evaluate the call.
2069  (this->*evalFunction)(C, CE);
2070 
2071  // If the evaluate call resulted in no change, chain to the next eval call
2072  // handler.
2073  // Note, the custom CString evaluation calls assume that basic safety
2074  // properties are held. However, if the user chooses to turn off some of these
2075  // checks, we ignore the issues and leave the call evaluation to a generic
2076  // handler.
2077  return C.isDifferent();
2078 }
2079 
2080 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
2081  // Record string length for char a[] = "abc";
2082  ProgramStateRef state = C.getState();
2083 
2084  for (const auto *I : DS->decls()) {
2085  const VarDecl *D = dyn_cast<VarDecl>(I);
2086  if (!D)
2087  continue;
2088 
2089  // FIXME: Handle array fields of structs.
2090  if (!D->getType()->isArrayType())
2091  continue;
2092 
2093  const Expr *Init = D->getInit();
2094  if (!Init)
2095  continue;
2096  if (!isa<StringLiteral>(Init))
2097  continue;
2098 
2099  Loc VarLoc = state->getLValue(D, C.getLocationContext());
2100  const MemRegion *MR = VarLoc.getAsRegion();
2101  if (!MR)
2102  continue;
2103 
2104  SVal StrVal = state->getSVal(Init, C.getLocationContext());
2105  assert(StrVal.isValid() && "Initializer string is unknown or undefined");
2106  DefinedOrUnknownSVal strLength =
2107  getCStringLength(C, state, Init, StrVal).castAs<DefinedOrUnknownSVal>();
2108 
2109  state = state->set<CStringLength>(MR, strLength);
2110  }
2111 
2112  C.addTransition(state);
2113 }
2114 
2115 bool CStringChecker::wantsRegionChangeUpdate(ProgramStateRef state) const {
2116  CStringLengthTy Entries = state->get<CStringLength>();
2117  return !Entries.isEmpty();
2118 }
2119 
2120 ProgramStateRef
2121 CStringChecker::checkRegionChanges(ProgramStateRef state,
2122  const InvalidatedSymbols *,
2123  ArrayRef<const MemRegion *> ExplicitRegions,
2125  const CallEvent *Call) const {
2126  CStringLengthTy Entries = state->get<CStringLength>();
2127  if (Entries.isEmpty())
2128  return state;
2129 
2130  llvm::SmallPtrSet<const MemRegion *, 8> Invalidated;
2131  llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions;
2132 
2133  // First build sets for the changed regions and their super-regions.
2135  I = Regions.begin(), E = Regions.end(); I != E; ++I) {
2136  const MemRegion *MR = *I;
2137  Invalidated.insert(MR);
2138 
2139  SuperRegions.insert(MR);
2140  while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) {
2141  MR = SR->getSuperRegion();
2142  SuperRegions.insert(MR);
2143  }
2144  }
2145 
2146  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2147 
2148  // Then loop over the entries in the current state.
2149  for (CStringLengthTy::iterator I = Entries.begin(),
2150  E = Entries.end(); I != E; ++I) {
2151  const MemRegion *MR = I.getKey();
2152 
2153  // Is this entry for a super-region of a changed region?
2154  if (SuperRegions.count(MR)) {
2155  Entries = F.remove(Entries, MR);
2156  continue;
2157  }
2158 
2159  // Is this entry for a sub-region of a changed region?
2160  const MemRegion *Super = MR;
2161  while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) {
2162  Super = SR->getSuperRegion();
2163  if (Invalidated.count(Super)) {
2164  Entries = F.remove(Entries, MR);
2165  break;
2166  }
2167  }
2168  }
2169 
2170  return state->set<CStringLength>(Entries);
2171 }
2172 
2173 void CStringChecker::checkLiveSymbols(ProgramStateRef state,
2174  SymbolReaper &SR) const {
2175  // Mark all symbols in our string length map as valid.
2176  CStringLengthTy Entries = state->get<CStringLength>();
2177 
2178  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2179  I != E; ++I) {
2180  SVal Len = I.getData();
2181 
2182  for (SymExpr::symbol_iterator si = Len.symbol_begin(),
2183  se = Len.symbol_end(); si != se; ++si)
2184  SR.markInUse(*si);
2185  }
2186 }
2187 
2188 void CStringChecker::checkDeadSymbols(SymbolReaper &SR,
2189  CheckerContext &C) const {
2190  if (!SR.hasDeadSymbols())
2191  return;
2192 
2193  ProgramStateRef state = C.getState();
2194  CStringLengthTy Entries = state->get<CStringLength>();
2195  if (Entries.isEmpty())
2196  return;
2197 
2198  CStringLengthTy::Factory &F = state->get_context<CStringLength>();
2199  for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end();
2200  I != E; ++I) {
2201  SVal Len = I.getData();
2202  if (SymbolRef Sym = Len.getAsSymbol()) {
2203  if (SR.isDead(Sym))
2204  Entries = F.remove(Entries, I.getKey());
2205  }
2206  }
2207 
2208  state = state->set<CStringLength>(Entries);
2209  C.addTransition(state);
2210 }
2211 
2212 #define REGISTER_CHECKER(name) \
2213  void ento::register##name(CheckerManager &mgr) { \
2214  CStringChecker *checker = mgr.registerChecker<CStringChecker>(); \
2215  checker->Filter.Check##name = true; \
2216  checker->Filter.CheckName##name = mgr.getCurrentCheckName(); \
2217  }
2218 
2219 REGISTER_CHECKER(CStringNullArg)
2220 REGISTER_CHECKER(CStringOutOfBounds)
2221 REGISTER_CHECKER(CStringBufferOverlap)
2222 REGISTER_CHECKER(CStringNotNullTerm)
2223 
2225  registerCStringNullArg(Mgr);
2226 }
FunctionDecl - An instance of this class is created to represent a function declaration or definition...
Definition: Decl.h:1561
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
Definition: ASTMatchers.h:1367
TypedValueRegion - An abstract class representing regions having a typed value.
Definition: MemRegion.h:494
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:237
unsigned Length
A (possibly-)qualified type.
Definition: Type.h:598
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:79
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2217
bool hasDeadSymbols() const
IdentifierInfo * getIdentifier() const
getIdentifier - Get the identifier that names this declaration, if there is one.
Definition: Decl.h:232
Information about invalidation for a particular region/symbol.
Definition: MemRegion.h:1316
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
A helper class which wraps a boolean value set to false by default.
Definition: Checker.h:556
ExplodedNode * addTransition(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generates a new transition in the program state graph (ExplodedGraph).
virtual QualType getValueType() const =0
std::string getAsString() const
Definition: Type.h:924
const Expr * getInit() const
Definition: Decl.h:1139
SVal evalCast(SVal val, QualType castTy, QualType originalType)
Value representing integer constant.
Definition: SVals.h:341
VarDecl - An instance of this class is created to represent a variable declaration or definition...
Definition: Decl.h:768
void setTrait(SymbolRef Sym, InvalidationKinds IK)
Definition: MemRegion.cpp:1526
ExplodedNode * getPredecessor()
Returns the previous node in the exploded graph, which includes the state of the program before the c...
const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1129
Symbolic value.
Definition: SymExpr.h:29
void markInUse(SymbolRef sym)
Marks a symbol as important to a checker.
One of these records is kept for each identifier that is lexed.
virtual SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with a memory location and non-location opera...
class LLVM_ALIGNAS(8) DependentTemplateSpecializationType const IdentifierInfo * Name
Represents a template specialization type whose template cannot be resolved, e.g. ...
Definition: Type.h:4549
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:92
const FunctionDecl * getCalleeDecl(const CallExpr *CE) const
Get the declaration of the called function (path-sensitive).
LineState State
Kind getKind() const
Definition: MemRegion.h:148
unsigned blockCount() const
Returns the number of times the current block has been visited along the analyzed path...
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
void registerCStringCheckerBasic(CheckerManager &Mgr)
Register the checker which evaluates CString API calls.
BinaryOperatorKind
static bool isInStdNamespace(const Decl *D)
Returns true if the root namespace of the given declaration is the 'std' C++ namespace.
const StringLiteral * getStringLiteral() const
Definition: MemRegion.h:751
static bool isCPPStdLibraryFunction(const FunctionDecl *FD, StringRef Name)
A record of the "type" of an APSInt, used for conversions.
Definition: APSIntType.h:20
SymExpr::symbol_iterator symbol_begin() const
Definition: SVals.h:177
bool isValid() const
Definition: SVals.h:129
detail::InMemoryDirectory::const_iterator I
QualType getType() const
Definition: Decl.h:599
const MemRegion * getSuperRegion() const
Definition: MemRegion.h:417
const LocationContext * getLocationContext() const
#define REGISTER_CHECKER(name)
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
const MemRegion * StripCasts(bool StripBaseCasts=true) const
Definition: MemRegion.cpp:1155
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee...
Definition: Type.cpp:415
bool isDead(SymbolRef sym) const
Returns whether or not a symbol has been confirmed dead.
DefinedOrUnknownSVal makeZeroVal(QualType type)
Construct an SVal representing '0' for the specified type.
Definition: SValBuilder.cpp:32
Expr - This represents one expression.
Definition: Expr.h:105
StringRef getName() const
Return the actual identifier string.
const ProgramStateRef & getState() const
static bool isCLibraryFunction(const FunctionDecl *FD, StringRef Name=StringRef())
Returns true if the callee is an externally-visible function in the top-level namespace, such as malloc.
Optional< T > getAs() const
Convert to the specified SVal type, returning None if this SVal is not of the desired type...
Definition: SVals.h:86
virtual SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op, Loc lhs, Loc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two memory location operands.
ExplodedNode * generateNonFatalErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
The result type of a method or function.
QualType getConditionType() const
Definition: SValBuilder.h:131
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
DefinedOrUnknownSVal conjureSymbolVal(const void *symbolTag, const Expr *expr, const LocationContext *LCtx, unsigned count)
Create a new symbol with a unique 'name'.
const TemplateArgument * iterator
Definition: Type.h:4233
DeclStmt - Adaptor class for mixing declarations with statements and expressions. ...
Definition: Stmt.h:443
ASTContext & getContext()
Definition: SValBuilder.h:126
SymExpr::symbol_iterator symbol_end() const
Definition: SVals.h:185
SVal - This represents a symbolic expression, which can be either an L-value or an R-value...
Definition: SVals.h:46
A class responsible for cleaning up unused symbols.
bool isUndef() const
Definition: SVals.h:121
const llvm::APSInt * evalAPSInt(BinaryOperator::Opcode Op, const llvm::APSInt &V1, const llvm::APSInt &V2)
Tells that a region's contents is not changed.
Definition: MemRegion.h:1330
NonLoc getIndex() const
Definition: MemRegion.h:1023
virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, NonLoc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two non- location operands.
QualType getType() const
Definition: Expr.h:126
CanQualType CharTy
Definition: ASTContext.h:895
llvm::APSInt getValue(uint64_t RawValue) const LLVM_READONLY
Definition: APSIntType.h:70
unsigned getByteLength() const
Definition: Expr.h:1546
QualType getPointerType(QualType T) const
Return the uniqued reference to the type for a pointer to the specified type.
StringRef getString() const
Definition: Expr.h:1514
DefinedSVal getMetadataSymbolVal(const void *symbolTag, const MemRegion *region, const Expr *expr, QualType type, unsigned count)
detail::InMemoryDirectory::const_iterator E
const MemRegion * getAsRegion() const
Definition: SVals.cpp:135
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2205
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:138
SVal convertToArrayIndex(SVal val)
Definition: SValBuilder.cpp:76
BasicValueFactory & getBasicValueFactory()
Definition: SValBuilder.h:139
SubRegion - A region that subsets another larger region.
Definition: MemRegion.h:410
bool isUnknown() const
Definition: SVals.h:117
decl_range decls()
Definition: Stmt.h:491
QualType getUnqualifiedType() const
Retrieve the unqualified variant of the given type, removing as little sugar as possible.
Definition: Type.h:5339
DefinedOrUnknownSVal evalEQ(ProgramStateRef state, DefinedOrUnknownSVal lhs, DefinedOrUnknownSVal rhs)
bool trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S, BugReport &R, bool IsArg=false, bool EnableNullFPSuppression=true)
Attempts to add visitors to trace a null or undefined value back to its point of origin, whether it is a symbol constrained to null or an explicit assignment.
QualType getValueType() const override
Definition: MemRegion.h:1025
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:111
bool isArrayType() const
Definition: Type.h:5521
SValBuilder & getSValBuilder()
StringLiteral - This represents a string literal expression, e.g.
Definition: Expr.h:1466
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2148
const llvm::APSInt & getMaxValue(const llvm::APSInt &v)
StringRegion - Region associated with a StringLiteral.
Definition: MemRegion.h:737
ElementRegin is used to represent both array elements and casts.
Definition: MemRegion.h:1004
static LLVM_READONLY char toUppercase(char c)
Converts the given ASCII character to its uppercase equivalent.
Definition: CharInfo.h:174
NamedDecl - This represents a decl with a name.
Definition: Decl.h:213
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:665
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:75
bool isDifferent()
Check if the checker changed the state of the execution; ex: added a new transition or a bug report...
const LocationContext * getLocationContext() const
SVal getSVal(const Stmt *S) const
Get the value of arbitrary expressions at this point in the path.
Iterator over symbols that the current symbol depends on.
Definition: SymExpr.h:62