xref: /openbsd-src/gnu/llvm/clang/lib/StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp (revision 12c855180aad702bbcca06e0398d774beeafb155)
1e5dd7070Spatrick //=== StdLibraryFunctionsChecker.cpp - Model standard functions -*- C++ -*-===//
2e5dd7070Spatrick //
3e5dd7070Spatrick // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4e5dd7070Spatrick // See https://llvm.org/LICENSE.txt for license information.
5e5dd7070Spatrick // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6e5dd7070Spatrick //
7e5dd7070Spatrick //===----------------------------------------------------------------------===//
8e5dd7070Spatrick //
9e5dd7070Spatrick // This checker improves modeling of a few simple library functions.
10e5dd7070Spatrick //
11ec727ea7Spatrick // This checker provides a specification format - `Summary' - and
12e5dd7070Spatrick // contains descriptions of some library functions in this format. Each
13e5dd7070Spatrick // specification contains a list of branches for splitting the program state
14e5dd7070Spatrick // upon call, and range constraints on argument and return-value symbols that
15e5dd7070Spatrick // are satisfied on each branch. This spec can be expanded to include more
16e5dd7070Spatrick // items, like external effects of the function.
17e5dd7070Spatrick //
18e5dd7070Spatrick // The main difference between this approach and the body farms technique is
19e5dd7070Spatrick // in more explicit control over how many branches are produced. For example,
20e5dd7070Spatrick // consider standard C function `ispunct(int x)', which returns a non-zero value
21e5dd7070Spatrick // iff `x' is a punctuation character, that is, when `x' is in range
//   ['!', '/']  U  [':', '@']  U  ['[', '\`']  U  ['{', '~'].
23ec727ea7Spatrick // `Summary' provides only two branches for this function. However,
24e5dd7070Spatrick // any attempt to describe this range with if-statements in the body farm
25e5dd7070Spatrick // would result in many more branches. Because each branch needs to be analyzed
26e5dd7070Spatrick // independently, this significantly reduces performance. Additionally,
27e5dd7070Spatrick // once we consider a branch on which `x' is in range, say, ['!', '/'],
28e5dd7070Spatrick // we assume that such branch is an important separate path through the program,
29e5dd7070Spatrick // which may lead to false positives because considering this particular path
30e5dd7070Spatrick // was not consciously intended, and therefore it might have been unreachable.
31e5dd7070Spatrick //
32ec727ea7Spatrick // This checker uses eval::Call for modeling pure functions (functions without
// side effects), for which their `Summary' is a precise model. This avoids
34ec727ea7Spatrick // unnecessary invalidation passes. Conflicts with other checkers are unlikely
35ec727ea7Spatrick // because if the function has no other effects, other checkers would probably
36ec727ea7Spatrick // never want to improve upon the modeling done by this checker.
37e5dd7070Spatrick //
38ec727ea7Spatrick // Non-pure functions, for which only partial improvement over the default
39e5dd7070Spatrick // behavior is expected, are modeled via check::PostCall, non-intrusively.
40e5dd7070Spatrick //
41e5dd7070Spatrick //===----------------------------------------------------------------------===//
42e5dd7070Spatrick 
43*12c85518Srobert #include "ErrnoModeling.h"
44e5dd7070Spatrick #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
45ec727ea7Spatrick #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
46e5dd7070Spatrick #include "clang/StaticAnalyzer/Core/Checker.h"
47e5dd7070Spatrick #include "clang/StaticAnalyzer/Core/CheckerManager.h"
48e5dd7070Spatrick #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
49e5dd7070Spatrick #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
50ec727ea7Spatrick #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
51a9ac8606Spatrick #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
52a9ac8606Spatrick #include "llvm/ADT/SmallString.h"
53a9ac8606Spatrick #include "llvm/ADT/StringExtras.h"
54a9ac8606Spatrick 
55*12c85518Srobert #include <optional>
56a9ac8606Spatrick #include <string>
57e5dd7070Spatrick 
58e5dd7070Spatrick using namespace clang;
59e5dd7070Spatrick using namespace clang::ento;
60e5dd7070Spatrick 
61e5dd7070Spatrick namespace {
62ec727ea7Spatrick class StdLibraryFunctionsChecker
63ec727ea7Spatrick     : public Checker<check::PreCall, check::PostCall, eval::Call> {
64ec727ea7Spatrick 
class Summary;

/// How far the analyzer engine may rely on this checker's model of a
/// function. When it may not rely on it, the engine performs additional
/// invalidations.
/// NOTE(review): per the file header, pure functions are modelled through
/// eval::Call and the rest through check::PostCall; presumably that is the
/// EvalCallAsPure / NoEvalCall split - confirm against the summary map.
enum InvalidationKind {
  NoEvalCall,
  EvalCallAsPure
};

// Common integral type for every bound in a value-range description.
// It is unsigned so that overflow in range arithmetic is well-defined.
using RangeInt = uint64_t;

/// Usually a single range constraint written as a list of closed intervals:
/// {{0, 1}, {3, 4}} is a non-negative integer that is less than 5 and not
/// equal to 2. For `ComparesToArgument' it instead holds information about
/// how exactly to compare to the argument.
using IntRangeVector = std::vector<std::pair<RangeInt, RangeInt>>;

/// Index that refers to an argument or to the return value.
/// CallExpr and CallEvent use `unsigned` for this, but uint32_t is enough for
/// all practical purposes.
using ArgNo = uint32_t;
/// ArgNo value that stands for the return value; it is only declared here and
/// defined outside the class body.
static const ArgNo Ret;

/// Returns the string representation of an argument index.
/// E.g.: (1) -> '1st arg', (2) -> '2nd arg'
static SmallString<8> getArgDesc(ArgNo);

class ValueConstraint;

// Handle to a ValueConstraint. The handle has to be copyable, polymorphic and
// default-constructible (std::vector requires that). A raw pointer cannot be
// default-initialized, and unique_ptr would make Summary non-copyable, which
// would make the initialization of the Summary map infeasible. shared_ptr
// satisfies all three requirements.
using ValueConstraintPtr = std::shared_ptr<ValueConstraint>;
99ec727ea7Spatrick 
100ec727ea7Spatrick   /// Polymorphic base class that represents a constraint on a given argument
101ec727ea7Spatrick   /// (or return value) of a function. Derived classes implement different kind
102ec727ea7Spatrick   /// of constraints, e.g range constraints or correlation between two
103ec727ea7Spatrick   /// arguments.
class ValueConstraint {
public:
  /// Bind the constraint to the argument (or return value) numbered \p ArgN.
  ValueConstraint(ArgNo ArgN) : ArgN(ArgN) {}
  virtual ~ValueConstraint() = default;

  /// Apply the effects of the constraint on the given program state.
  /// A null result means the constraint is not feasible in \p State.
  virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
                                const Summary &Summary,
                                CheckerContext &C) const = 0;

  /// Produce the opposite constraint. Subclasses that support negation
  /// override this; the base version must never be called.
  virtual ValueConstraintPtr negate() const {
    llvm_unreachable("Not implemented");
  }

  /// Check whether the constraint is well-formed for \p FD. It is malformed
  /// when the constrained argument does not fit the declaration, e.g. the
  /// argument number lies outside the function's parameter list.
  /// \returns true only if the index is valid and the subclass-specific check
  /// also passes.
  bool checkValidity(const FunctionDecl *FD) const {
    const bool ValidArg = ArgN == Ret || ArgN < FD->getNumParams();
    assert(ValidArg && "Arg out of range!");
    // With assertions disabled (NDEBUG) the assert above is a no-op, so the
    // explicit result below is what rejects a malformed summary there. The
    // short-circuit keeps the subclass check from seeing a bad index.
    return ValidArg && checkSpecificValidity(FD);
  }

  /// Index of the constrained argument (or `Ret`).
  ArgNo getArgNo() const { return ArgN; }

  /// Arguments that should be tracked when a bug is reported. By default this
  /// is only the constrained argument; some constraints add more, e.g. when a
  /// buffer size is encoded in another argument.
  virtual std::vector<ArgNo> getArgsToTrack() const {
    return std::vector<ArgNo>{ArgN};
  }

  /// Short name of the constraint kind.
  virtual StringRef getName() const = 0;

  /// The context in which a textual description of the constraint is needed.
  enum class DescriptionKind {
    /// The constraint is violated.
    Violation,
    /// The constraint is assumed to be satisfied.
    Assumption
  };

  /// Explain the constraint to the user; used when a bug is reported.
  virtual std::string describe(DescriptionKind DK, ProgramStateRef State,
                               const Summary &Summary) const {
    // Some descendants (e.g. ComparisonConstraint) are never used as argument
    // constraints, so they do not need to implement this function.
    llvm_unreachable("Not implemented");
  }

protected:
  /// Argument to which the constraint is applied.
  ArgNo ArgN;

  /// Subclass hook for further validation; the default accepts everything.
  virtual bool checkSpecificValidity(const FunctionDecl *FD) const {
    return true;
  }
};
165ec727ea7Spatrick 
166ec727ea7Spatrick   /// Given a range, should the argument stay inside or outside this range?
// RangeConstraint::apply() dispatches OutOfRange to applyAsOutOfRange() and
// WithinRange to applyAsWithinRange(); RangeConstraint::negate() swaps them.
enum RangeKind { OutOfRange, WithinRange };
168ec727ea7Spatrick 
169a9ac8606Spatrick   /// Encapsulates a range on a single symbol.
class RangeConstraint : public ValueConstraint {
  /// Whether the value has to lie inside or outside `Ranges`.
  RangeKind Kind;

  // The range is a set of intervals (sub-ranges), e.g. {['A', 'Z'], ['a', 'z']}.
  //
  // An empty set is legal: applying such a constraint makes no assumption and
  // leaves the State unchanged. That is useful when a bound depends on a
  // looked-up type (e.g. [0, Socklen_tMax]); if the type is not found, the
  // range is default-initialized to be empty.
  IntRangeVector Ranges;

  // Per-kind implementations of apply(); defined out of line.
  ProgramStateRef applyAsOutOfRange(ProgramStateRef State,
                                    const CallEvent &Call,
                                    const Summary &Summary) const;
  ProgramStateRef applyAsWithinRange(ProgramStateRef State,
                                     const CallEvent &Call,
                                     const Summary &Summary) const;

public:
  /// \param ArgN   constrained argument (or `Ret`)
  /// \param Kind   inside/outside selector
  /// \param Ranges the intervals; copied into the constraint
  RangeConstraint(ArgNo ArgN, RangeKind Kind, const IntRangeVector &Ranges)
      : ValueConstraint(ArgN), Kind(Kind), Ranges(Ranges) {}

  StringRef getName() const override { return "Range"; }

  std::string describe(DescriptionKind DK, ProgramStateRef State,
                       const Summary &Summary) const override;

  /// Read-only view of the stored intervals.
  const IntRangeVector &getRanges() const { return Ranges; }

  /// Forward to the implementation that matches `Kind`. \p C is not used.
  ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
                        const Summary &Summary,
                        CheckerContext &C) const override {
    switch (Kind) {
    case WithinRange:
      return applyAsWithinRange(State, Call, Summary);
    case OutOfRange:
      return applyAsOutOfRange(State, Call, Summary);
    }
    llvm_unreachable("Unknown range kind!");
  }

  /// Copy of this constraint with the same intervals and the opposite kind.
  ValueConstraintPtr negate() const override {
    auto Flipped = std::make_shared<RangeConstraint>(*this);
    switch (Kind) {
    case WithinRange:
      Flipped->Kind = OutOfRange;
      break;
    case OutOfRange:
      Flipped->Kind = WithinRange;
      break;
    }
    return Flipped;
  }

  /// A range can only constrain an integral argument or return value.
  bool checkSpecificValidity(const FunctionDecl *FD) const override {
    const bool IsIntegral =
        getArgType(FD, ArgN)->isIntegralType(FD->getASTContext());
    assert(IsIntegral &&
           "This constraint should be applied on an integral type");
    return IsIntegral;
  }
};
234e5dd7070Spatrick 
/// Relates the constrained argument (or return value) to another argument
/// through a binary comparison operator. describe() is not overridden, so
/// the base version, which is unreachable by design, stays in effect.
class ComparisonConstraint : public ValueConstraint {
  /// Comparison operator stored for apply().
  BinaryOperator::Opcode Opcode;
  /// The other operand of the comparison.
  ArgNo OtherArgN;

public:
  /// \param ArgN      constrained argument (or `Ret`)
  /// \param Opcode    comparison operator
  /// \param OtherArgN argument that \p ArgN is compared with
  ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode,
                       ArgNo OtherArgN)
      : ValueConstraint(ArgN), Opcode(Opcode), OtherArgN(OtherArgN) {}

  StringRef getName() const override { return "Comparison"; }

  BinaryOperator::Opcode getOpcode() const { return Opcode; }
  ArgNo getOtherArgNo() const { return OtherArgN; }

  /// Defined out of line.
  ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
                        const Summary &Summary,
                        CheckerContext &C) const override;
};
250ec727ea7Spatrick 
/// Requires a pointer argument to be non-null, or to be null once the
/// constraint has been negated.
class NotNullConstraint : public ValueConstraint {
  using ValueConstraint::ValueConstraint;
  // Polarity of the constraint; negate() flips it.
  bool CannotBeNull = true;

public:
  /// \param ArgN         constrained pointer argument
  /// \param CannotBeNull true for "must not be null", false for the negation
  NotNullConstraint(ArgNo ArgN, bool CannotBeNull = true)
      : ValueConstraint(ArgN), CannotBeNull(CannotBeNull) {}

  std::string describe(DescriptionKind DK, ProgramStateRef State,
                       const Summary &Summary) const override;

  StringRef getName() const override { return "NonNull"; }

  /// Assume the argument is non-null (or null, when negated).
  /// \returns the constrained state, a null state if the assumption is
  /// infeasible, or \p State unchanged when there is nothing to constrain.
  ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
                        const Summary &Summary,
                        CheckerContext &C) const override {
    const SVal ArgV = getArgSVal(Call, getArgNo());
    // An undefined argument is passed through unconstrained, so no nullness
    // assumption is derived from it here.
    if (ArgV.isUndef())
      return State;

    const DefinedOrUnknownSVal Ptr = ArgV.castAs<DefinedOrUnknownSVal>();
    // Only location values carry nullness; anything else is left untouched.
    if (isa<Loc>(Ptr))
      return State->assume(Ptr, CannotBeNull);
    return State;
  }

  /// Copy of this constraint with the opposite polarity.
  ValueConstraintPtr negate() const override {
    auto Flipped = std::make_shared<NotNullConstraint>(*this);
    Flipped->CannotBeNull = !CannotBeNull;
    return Flipped;
  }

  /// Nullness can only be required of a pointer-typed argument.
  bool checkSpecificValidity(const FunctionDecl *FD) const override {
    const bool IsPointer = getArgType(FD, ArgN)->isPointerType();
    assert(IsPointer &&
           "This constraint should be applied only on a pointer type");
    return IsPointer;
  }
};
289ec727ea7Spatrick 
290a9ac8606Spatrick   // Represents a buffer argument with an additional size constraint. The
291a9ac8606Spatrick   // constraint may be a concrete value, or a symbolic value in an argument.
292a9ac8606Spatrick   // Example 1. Concrete value as the minimum buffer size.
293a9ac8606Spatrick   //   char *asctime_r(const struct tm *restrict tm, char *restrict buf);
294a9ac8606Spatrick   //   // `buf` size must be at least 26 bytes according the POSIX standard.
295a9ac8606Spatrick   // Example 2. Argument as a buffer size.
296ec727ea7Spatrick   //   ctime_s(char *buffer, rsize_t bufsz, const time_t *time);
297a9ac8606Spatrick   // Example 3. The size is computed as a multiplication of other args.
298ec727ea7Spatrick   //   size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
299ec727ea7Spatrick   //   // Here, ptr is the buffer, and its minimum size is `size * nmemb`.
class BufferSizeConstraint : public ValueConstraint {
  // Minimum buffer size given as a concrete value, if any.
  std::optional<llvm::APSInt> ConcreteSize;
  // Argument that holds the size of the buffer, if any.
  std::optional<ArgNo> SizeArgN;
  // Argument that multiplies the size. Set for `fread`-like functions, where
  // the size is the product of two arguments.
  std::optional<ArgNo> SizeMultiplierArgN;
  // Operator used by apply() as "required size Op dynamic extent". It starts
  // as BO_LE and negate() replaces it with the negated comparison.
  BinaryOperator::Opcode Op = BO_LE;

public:
  StringRef getName() const override { return "BufferSize"; }

  /// Buffer \p Buffer must hold at least the concrete \p BufMinSize.
  BufferSizeConstraint(ArgNo Buffer, llvm::APSInt BufMinSize)
      : ValueConstraint(Buffer), ConcreteSize(BufMinSize) {}
  /// Buffer \p Buffer must hold at least the value of argument \p BufSize.
  BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize)
      : ValueConstraint(Buffer), SizeArgN(BufSize) {}
  /// Buffer \p Buffer must hold at least \p BufSize * \p BufSizeMultiplier.
  BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize, ArgNo BufSizeMultiplier)
      : ValueConstraint(Buffer), SizeArgN(BufSize),
        SizeMultiplierArgN(BufSizeMultiplier) {}

  /// The buffer itself plus every argument that takes part in its size.
  std::vector<ArgNo> getArgsToTrack() const override {
    std::vector<ArgNo> Tracked{ArgN};
    if (SizeArgN.has_value())
      Tracked.push_back(*SizeArgN);
    if (SizeMultiplierArgN.has_value())
      Tracked.push_back(*SizeMultiplierArgN);
    return Tracked;
  }

  std::string describe(DescriptionKind DK, ProgramStateRef State,
                       const Summary &Summary) const override;

  /// Assume that the required size and the buffer's dynamic extent satisfy
  /// `Op`.
  /// \returns the constrained state, or a null state if that is infeasible.
  ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
                        const Summary &Summary,
                        CheckerContext &C) const override {
    SValBuilder &SVB = C.getSValBuilder();
    // The buffer argument.
    const SVal BufferV = getArgSVal(Call, getArgNo());

    // Work out the required size: a concrete value if one was given,
    // otherwise the size argument, optionally multiplied.
    SVal RequiredSize;
    if (ConcreteSize) {
      RequiredSize = SVal(SVB.makeIntVal(*ConcreteSize));
    } else {
      assert(SizeArgN && "The constraint must be either a concrete value or "
                         "encoded in an argument.");
      RequiredSize = getArgSVal(Call, *SizeArgN);
      if (SizeMultiplierArgN) {
        // NOTE(review): the product is built in the type of the size
        // argument; how wrap-around of `size * nmemb` is treated is not
        // visible here. Confirm, because a wrapped product would understate
        // the size the buffer must have.
        const SVal MultiplierV = getArgSVal(Call, *SizeMultiplierArgN);
        RequiredSize = SVB.evalBinOp(State, BO_Mul, RequiredSize, MultiplierV,
                                     Summary.getArgType(*SizeArgN));
      }
    }

    // The dynamic size of the buffer argument, as known to the engine.
    const SVal BufDynSize = getDynamicExtentWithOffset(State, BufferV);

    const SVal Feasible = SVB.evalBinOp(State, Op, RequiredSize, BufDynSize,
                                        SVB.getContext().BoolTy);
    if (auto F = Feasible.getAs<DefinedOrUnknownSVal>())
      return State->assume(*F, true);

    // Reaching this point means the size argument or the dynamic size is
    // undefined. The dynamic size should only ever be unknown, never
    // undefined, so the size argument must be the undefined one, i.e. the
    // function was called with an uninitialized argument. Other checkers such
    // as CallAndMessage are expected to catch that earlier.
    // NOTE(review): this relies on such a checker having run first; nothing
    // in this function guards against an undefined size itself - confirm
    // that the checker dependency guarantees it.
    llvm_unreachable("Size argument or the dynamic size is Undefined");
  }

  /// Copy of this constraint whose comparison operator is negated.
  ValueConstraintPtr negate() const override {
    auto Flipped = std::make_shared<BufferSizeConstraint>(*this);
    Flipped->Op = BinaryOperator::negateComparisonOp(Op);
    return Flipped;
  }

  /// The constrained argument is the buffer, so it has to be a pointer.
  bool checkSpecificValidity(const FunctionDecl *FD) const override {
    const bool IsPointer = getArgType(FD, ArgN)->isPointerType();
    assert(IsPointer &&
           "This constraint should be applied only on a pointer type");
    return IsPointer;
  }
};
389ec727ea7Spatrick 
390ec727ea7Spatrick   /// The complete list of constraints that defines a single branch.
// Each element is a ValueConstraintPtr (std::shared_ptr<ValueConstraint>), so
// copying a set shares the constraint objects instead of cloning them.
using ConstraintSet = std::vector<ValueConstraintPtr>;
392ec727ea7Spatrick 
393*12c85518Srobert   /// Define how a function affects the system variable 'errno'.
394*12c85518Srobert   /// This works together with the \c ErrnoModeling and \c ErrnoChecker classes.
395*12c85518Srobert   /// Currently 3 use cases exist: success, failure, irrelevant.
396*12c85518Srobert   /// In the future the failure case can be customized to set \c errno to a
397*12c85518Srobert   /// more specific constraint (for example > 0), or new case can be added
398*12c85518Srobert   /// for functions which require check of \c errno in both success and failure
399*12c85518Srobert   /// case.
class ErrnoConstraintBase {
public:
  virtual ~ErrnoConstraintBase() = default;

  /// Apply specific state changes related to the errno variable.
  virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
                                const Summary &Summary,
                                CheckerContext &C) const = 0;

  /// Get a NoteTag about the changes made to 'errno' and the possible bug.
  /// The default returns \c nullptr, which is the right answer whenever no
  /// bug report from \c ErrnoChecker is expected.
  virtual const NoteTag *describe(CheckerContext &C,
                                  StringRef FunctionName) const {
    return nullptr;
  }

protected:
  // Only subclasses may construct the base.
  ErrnoConstraintBase() = default;

  /// Its address is used as the tag when a symbol is conjured for errno. The
  /// errno symbol is built from the same call expression as the call itself,
  /// and the tag keeps the two apart.
  static int Tag;
};
423*12c85518Srobert 
424*12c85518Srobert   /// Reset errno constraints to irrelevant.
425*12c85518Srobert   /// This is applicable to functions that may change 'errno' and are not
426*12c85518Srobert   /// modeled elsewhere.
class ResetErrnoConstraint : public ErrnoConstraintBase {
public:
  /// Mark the errno state as errno_modeling::Irrelevant. \p Call, \p Summary
  /// and \p C are not consulted.
  ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
                        const Summary &Summary,
                        CheckerContext &C) const override {
    using errno_modeling::setErrnoState;
    return setErrnoState(State, errno_modeling::Irrelevant);
  }
};
435*12c85518Srobert 
436*12c85518Srobert   /// Do not change errno constraints.
437*12c85518Srobert   /// This is applicable to functions that are modeled in another checker
438*12c85518Srobert   /// and the already set errno constraints should not be changed in the
439*12c85518Srobert   /// post-call event.
class NoErrnoConstraint : public ErrnoConstraintBase {
public:
  /// Identity transformation: the incoming state is handed back as is, so
  /// errno constraints set elsewhere stay in place.
  ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
                        const Summary &Summary,
                        CheckerContext &C) const override {
    ProgramStateRef Unchanged = State;
    return Unchanged;
  }
};
448*12c85518Srobert 
449*12c85518Srobert   /// Set errno constraint at failure cases of standard functions.
450*12c85518Srobert   /// Failure case: 'errno' becomes not equal to 0 and may or may not be checked
451*12c85518Srobert   /// by the program. \c ErrnoChecker does not emit a bug report after such a
452*12c85518Srobert   /// function call.
class FailureErrnoConstraint : public ErrnoConstraintBase {
public:
  /// Conjure a fresh int-typed symbol for errno and hand it to
  /// errno_modeling::setErrnoForStdFailure.
  ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
                        const Summary &Summary,
                        CheckerContext &C) const override {
    SValBuilder &Builder = C.getSValBuilder();
    // &Tag separates this symbol from the one conjured for the call itself,
    // which is built from the same origin expression.
    const auto ConjuredV = Builder.conjureSymbolVal(
        &Tag, Call.getOriginExpr(), C.getLocationContext(),
        C.getASTContext().IntTy, C.blockCount());
    NonLoc ErrnoSVal = ConjuredV.castAs<NonLoc>();
    return errno_modeling::setErrnoForStdFailure(State, C, ErrnoSVal);
  }
};
467*12c85518Srobert 
468*12c85518Srobert   /// Set errno constraint at success cases of standard functions.
469*12c85518Srobert   /// Success case: 'errno' is not allowed to be used.
470*12c85518Srobert   /// \c ErrnoChecker can emit bug report after such a function call if errno
471*12c85518Srobert   /// is used.
class SuccessErrnoConstraint : public ErrnoConstraintBase {
public:
  /// Delegates to errno_modeling::setErrnoForStdSuccess. \p Call and
  /// \p Summary are not consulted.
  ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
                        const Summary &Summary,
                        CheckerContext &C) const override {
    using errno_modeling::setErrnoForStdSuccess;
    return setErrnoForStdSuccess(State, C);
  }

  /// Note tag for the success case, from
  /// errno_modeling::getNoteTagForStdSuccess.
  const NoteTag *describe(CheckerContext &C,
                          StringRef FunctionName) const override {
    using errno_modeling::getNoteTagForStdSuccess;
    return getNoteTagForStdSuccess(C, FunctionName);
  }
};
485*12c85518Srobert 
  /// Errno constraint that forwards to the "must be checked" errno model.
  /// NOTE(review): judging by the helper names, this is for functions whose
  /// failure can only be detected through 'errno' - confirm in ErrnoModeling.
  class ErrnoMustBeCheckedConstraint : public ErrnoConstraintBase {
  public:
    /// Delegates to errno_modeling::setErrnoStdMustBeChecked, passing the
    /// origin expression of the call. The summary is not consulted.
    ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
                          const Summary & /*Summary*/,
                          CheckerContext &C) const override {
      const Expr *Origin = Call.getOriginExpr();
      return errno_modeling::setErrnoStdMustBeChecked(State, C, Origin);
    }

    /// Returns the note tag that errno_modeling provides for the
    /// "must be checked" case of \p FunctionName.
    const NoteTag *describe(CheckerContext &C,
                            StringRef FunctionName) const override {
      const NoteTag *MustCheckNote =
          errno_modeling::getNoteTagForStdMustBeChecked(C, FunctionName);
      return MustCheckNote;
    }
  };
500*12c85518Srobert 
501*12c85518Srobert   /// A single branch of a function summary.
502*12c85518Srobert   ///
503*12c85518Srobert   /// A branch is defined by a series of constraints - "assumptions" -
504*12c85518Srobert   /// that together form a single possible outcome of invoking the function.
505*12c85518Srobert   /// When static analyzer considers a branch, it tries to introduce
506*12c85518Srobert   /// a child node in the Exploded Graph. The child node has to include
507*12c85518Srobert   /// constraints that define the branch. If the constraints contradict
508*12c85518Srobert   /// existing constraints in the state, the node is not created and the branch
509*12c85518Srobert   /// is dropped; otherwise it's queued for future exploration.
510*12c85518Srobert   /// The branch is accompanied by a note text that may be displayed
511*12c85518Srobert   /// to the user when a bug is found on a path that takes this branch.
512*12c85518Srobert   ///
513*12c85518Srobert   /// For example, consider the branches in `isalpha(x)`:
514*12c85518Srobert   ///   Branch 1)
515*12c85518Srobert   ///     x is in range ['A', 'Z'] or in ['a', 'z']
516*12c85518Srobert   ///     then the return value is not 0. (I.e. out-of-range [0, 0])
517*12c85518Srobert   ///     and the note may say "Assuming the character is alphabetical"
518*12c85518Srobert   ///   Branch 2)
519*12c85518Srobert   ///     x is out-of-range ['A', 'Z'] and out-of-range ['a', 'z']
520*12c85518Srobert   ///     then the return value is 0
521*12c85518Srobert   ///     and the note may say "Assuming the character is non-alphabetical".
  class SummaryCase {
    // Value constraints that define this branch.
    ConstraintSet Constraints;
    // Held by reference, not by value: the errno constraint object has to
    // outlive every SummaryCase that refers to it.
    const ErrnoConstraintBase &ErrnoConstraint;
    // Non-owning view of the note text; the underlying storage has to outlive
    // this case as well.
    StringRef Note;

  public:
    /// Creates a case that copies \p Constraints.
    SummaryCase(const ConstraintSet &Constraints,
                const ErrnoConstraintBase &ErrnoC, StringRef Note)
        : Constraints(Constraints), ErrnoConstraint(ErrnoC), Note(Note) {}

    /// Creates a case that takes over the contents of \p Constraints.
    SummaryCase(ConstraintSet &&Constraints, const ErrnoConstraintBase &ErrnoC,
                StringRef Note)
        : Constraints(std::move(Constraints)), ErrnoConstraint(ErrnoC),
          Note(Note) {}

    StringRef getNote() const { return Note; }
    const ErrnoConstraintBase &getErrnoConstraint() const {
      return ErrnoConstraint;
    }
    const ConstraintSet &getConstraints() const { return Constraints; }
  };
543*12c85518Srobert 
544*12c85518Srobert   using ArgTypes = std::vector<std::optional<QualType>>;
545*12c85518Srobert   using RetType = std::optional<QualType>;
546ec727ea7Spatrick 
547ec727ea7Spatrick   // A placeholder type, we use it whenever we do not care about the concrete
548ec727ea7Spatrick   // type in a Signature.
549ec727ea7Spatrick   const QualType Irrelevant{};
  /// True when \p T is the null placeholder type.
  static bool isIrrelevant(QualType T) {
    return T.isNull();
  }
551ec727ea7Spatrick 
552ec727ea7Spatrick   // The signature of a function we want to describe with a summary. This is a
553ec727ea7Spatrick   // concessive signature, meaning there may be irrelevant types in the
554ec727ea7Spatrick   // signature which we do not check against a function with concrete types.
555a9ac8606Spatrick   // All types in the spec need to be canonical.
  class Signature {
    using ArgQualTypes = std::vector<QualType>;
    ArgQualTypes ArgTys;
    QualType RetTy;
    // Set when at least one component type was not found by lookup.
    bool Invalid = false;

  public:
    // Build a signature from optional types. The first unset optional marks
    // the signature invalid and stops construction, so ArgTys/RetTy may be
    // only partially filled; check isInvalid() before using the signature.
    Signature(ArgTypes ArgTys, RetType RetTy) {
      for (std::optional<QualType> MaybeArg : ArgTys) {
        if (!MaybeArg) {
          Invalid = true;
          return;
        }
        assertArgTypeSuitableForSignature(*MaybeArg);
        this->ArgTys.push_back(*MaybeArg);
      }

      if (!RetTy) {
        Invalid = true;
        return;
      }
      assertRetTypeSuitableForSignature(*RetTy);
      this->RetTy = *RetTy;
    }

    bool isInvalid() const { return Invalid; }
    bool matches(const FunctionDecl *FD) const;

  private:
    // Argument types are either null (the placeholder) or non-void canonical
    // types.
    static void assertArgTypeSuitableForSignature(QualType T) {
      assert((T.isNull() || !T->isVoidType()) &&
             "We should have no void types in the spec");
      assert((T.isNull() || T.isCanonical()) &&
             "We should only have canonical types in the spec");
    }
    // The return type is either null (the placeholder) or canonical; void is
    // accepted here.
    static void assertRetTypeSuitableForSignature(QualType T) {
      assert((T.isNull() || T.isCanonical()) &&
             "We should only have canonical types in the spec");
    }
  };
600ec727ea7Spatrick 
  /// Returns the canonical type of parameter \p ArgN of \p FD, or the
  /// canonical return type when \p ArgN is the special value Ret.
  static QualType getArgType(const FunctionDecl *FD, ArgNo ArgN) {
    assert(FD && "Function must be set");
    if (ArgN == Ret)
      return FD->getReturnType().getCanonicalType();
    return FD->getParamDecl(ArgN)->getType().getCanonicalType();
  }
608e5dd7070Spatrick 
609*12c85518Srobert   using SummaryCases = std::vector<SummaryCase>;
610e5dd7070Spatrick 
611ec727ea7Spatrick   /// A summary includes information about
612ec727ea7Spatrick   ///   * function prototype (signature)
613ec727ea7Spatrick   ///   * approach to invalidation,
614*12c85518Srobert   ///   * a list of branches - so, a list of list of ranges,
615ec727ea7Spatrick   ///   * a list of argument constraints, that must be true on every branch.
616ec727ea7Spatrick   ///     If these constraints are not satisfied that means a fatal error
617ec727ea7Spatrick   ///     usually resulting in undefined behaviour.
618ec727ea7Spatrick   ///
619ec727ea7Spatrick   /// Application of a summary:
620ec727ea7Spatrick   ///   The signature and argument constraints together contain information
621ec727ea7Spatrick   ///   about which functions are handled by the summary. The signature can use
622ec727ea7Spatrick   ///   "wildcards", i.e. Irrelevant types. Irrelevant type of a parameter in
623ec727ea7Spatrick   ///   a signature means that type is not compared to the type of the parameter
624ec727ea7Spatrick   ///   in the found FunctionDecl. Argument constraints may specify additional
625ec727ea7Spatrick   ///   rules for the given parameter's type, those rules are checked once the
626ec727ea7Spatrick   ///   signature is matched.
  class Summary {
    const InvalidationKind InvalidationKd;
    // Branches of the summary, in the order they were added.
    SummaryCases Cases;
    // Constraints on the arguments that have to hold on every branch.
    ConstraintSet ArgConstraints;

    // The function to which the summary applies. It stays null until
    // matchesAndSet() succeeds.
    const FunctionDecl *FD = nullptr;

  public:
    Summary(InvalidationKind InvalidationKd) : InvalidationKd(InvalidationKd) {}

    /// Appends a branch, taking over the contents of \p CS.
    Summary &Case(ConstraintSet &&CS, const ErrnoConstraintBase &ErrnoC,
                  StringRef Note = "") {
      Cases.emplace_back(std::move(CS), ErrnoC, Note);
      return *this;
    }
    /// Appends a branch that copies \p CS.
    Summary &Case(const ConstraintSet &CS, const ErrnoConstraintBase &ErrnoC,
                  StringRef Note = "") {
      Cases.emplace_back(CS, ErrnoC, Note);
      return *this;
    }
    /// Appends an argument constraint; it must not refer to the return value.
    Summary &ArgConstraint(ValueConstraintPtr VC) {
      assert(VC->getArgNo() != Ret &&
             "Arg constraint should not refer to the return value");
      ArgConstraints.push_back(VC);
      return *this;
    }

    InvalidationKind getInvalidationKd() const { return InvalidationKd; }
    const SummaryCases &getCases() const { return Cases; }
    const ConstraintSet &getArgConstraints() const { return ArgConstraints; }

    /// Type of argument \p ArgN of the stored function declaration. The
    /// callee asserts that the declaration is set, so this is only usable
    /// after a successful matchesAndSet().
    QualType getArgType(ArgNo ArgN) const {
      return StdLibraryFunctionsChecker::getArgType(FD, ArgN);
    }

    // Returns true if the summary should be applied to the given function,
    // and in that case stores the function declaration.
    bool matchesAndSet(const Signature &Sign, const FunctionDecl *FD) {
      if (!Sign.matches(FD) || !validateByConstraints(FD))
        return false;
      assert(!this->FD && "FD must not be set more than once");
      this->FD = FD;
      return true;
    }

  private:
    // Once we know the exact type of the function, run the validity check of
    // every constraint: first those of the cases, then the argument
    // constraints. The first failing check rejects the function.
    bool validateByConstraints(const FunctionDecl *FD) const {
      const auto AllValid = [FD](const ConstraintSet &Set) {
        for (const ValueConstraintPtr &Constraint : Set)
          if (!Constraint->checkValidity(FD))
            return false;
        return true;
      };

      for (const SummaryCase &Case : Cases)
        if (!AllValid(Case.getConstraints()))
          return false;
      return AllValid(ArgConstraints);
    }
  };
689e5dd7070Spatrick 
690e5dd7070Spatrick   // The map of all functions supported by the checker. It is initialized
691e5dd7070Spatrick   // lazily, and it doesn't change after initialization.
692ec727ea7Spatrick   using FunctionSummaryMapType = llvm::DenseMap<const FunctionDecl *, Summary>;
693ec727ea7Spatrick   mutable FunctionSummaryMapType FunctionSummaryMap;
694e5dd7070Spatrick 
695ec727ea7Spatrick   mutable std::unique_ptr<BugType> BT_InvalidArg;
696a9ac8606Spatrick   mutable bool SummariesInitialized = false;
697ec727ea7Spatrick 
  /// Returns the value of argument \p ArgN of \p Call, or the return value of
  /// the call when \p ArgN is the special value Ret.
  static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) {
    if (ArgN == Ret)
      return Call.getReturnValue();
    return Call.getArgSVal(ArgN);
  }
701e5dd7070Spatrick 
702e5dd7070Spatrick public:
703ec727ea7Spatrick   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
704e5dd7070Spatrick   void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
705e5dd7070Spatrick   bool evalCall(const CallEvent &Call, CheckerContext &C) const;
706e5dd7070Spatrick 
707ec727ea7Spatrick   enum CheckKind {
708ec727ea7Spatrick     CK_StdCLibraryFunctionArgsChecker,
709ec727ea7Spatrick     CK_StdCLibraryFunctionsTesterChecker,
710ec727ea7Spatrick     CK_NumCheckKinds
711ec727ea7Spatrick   };
712*12c85518Srobert   bool ChecksEnabled[CK_NumCheckKinds] = {false};
713ec727ea7Spatrick   CheckerNameRef CheckNames[CK_NumCheckKinds];
714ec727ea7Spatrick 
715ec727ea7Spatrick   bool DisplayLoadedSummaries = false;
716ec727ea7Spatrick   bool ModelPOSIX = false;
717*12c85518Srobert   bool ShouldAssumeControlledEnvironment = false;
718ec727ea7Spatrick 
719e5dd7070Spatrick private:
720*12c85518Srobert   std::optional<Summary> findFunctionSummary(const FunctionDecl *FD,
721ec727ea7Spatrick                                              CheckerContext &C) const;
722*12c85518Srobert   std::optional<Summary> findFunctionSummary(const CallEvent &Call,
723e5dd7070Spatrick                                              CheckerContext &C) const;
724e5dd7070Spatrick 
725ec727ea7Spatrick   void initFunctionSummaries(CheckerContext &C) const;
726ec727ea7Spatrick 
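  /// Emits an "Unsatisfied argument constraints" report for the violated
  /// constraint \p VC at node \p N.
  ///
  /// Nothing is reported unless CK_StdCLibraryFunctionArgsChecker is enabled.
  /// The report tracks the values of the arguments named by
  /// VC->getArgsToTrack(), highlights the source range of the violated
  /// argument and attaches a note that describes the violation.
  void reportBug(const CallEvent &Call, ExplodedNode *N,
                 const ValueConstraint *VC, const Summary &Summary,
                 CheckerContext &C) const {
    if (!ChecksEnabled[CK_StdCLibraryFunctionArgsChecker])
      return;
    // Append the name as a sized string. Going through .data() would make
    // Twine treat it as a C string and rely on a terminating NUL.
    std::string Msg =
        (Twine("Function argument constraint is not satisfied, constraint: ") +
         VC->getName())
            .str();
    // The bug type is created on first use.
    if (!BT_InvalidArg)
      BT_InvalidArg = std::make_unique<BugType>(
          CheckNames[CK_StdCLibraryFunctionArgsChecker],
          "Unsatisfied argument constraints", categories::LogicError);
    auto R = std::make_unique<PathSensitiveBugReport>(*BT_InvalidArg, Msg, N);

    for (ArgNo ArgN : VC->getArgsToTrack())
      bugreporter::trackExpressionValue(N, Call.getArgExpr(ArgN), *R);

    // Highlight the range of the argument that was violated.
    R->addRange(Call.getArgSourceRange(VC->getArgNo()));

    // Describe the argument constraint violation in a note.
    std::string Descr = VC->describe(
        ValueConstraint::DescriptionKind::Violation, C.getState(), Summary);
    // Capitalize the first letter b/c we want a full sentence. Skip an empty
    // description, and go through unsigned char because toupper() is only
    // defined for EOF and values representable as unsigned char.
    if (!Descr.empty())
      Descr[0] = static_cast<char>(
          toupper(static_cast<unsigned char>(Descr[0])));
    R->addNote(Descr, R->getLocation(), Call.getArgSourceRange(VC->getArgNo()));

    C.emitReport(std::move(R));
  }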
757*12c85518Srobert 
758*12c85518Srobert   /// These are the errno constraints that can be passed to summary cases.
759*12c85518Srobert   /// One of these should fit for a single summary case.
760*12c85518Srobert   /// Usually if a failure return value exists for function, that function
761*12c85518Srobert   /// needs different cases for success and failure with different errno
762*12c85518Srobert   /// constraints (and different return value constraints).
763*12c85518Srobert   const NoErrnoConstraint ErrnoUnchanged{};
764*12c85518Srobert   const ResetErrnoConstraint ErrnoIrrelevant{};
765*12c85518Srobert   const ErrnoMustBeCheckedConstraint ErrnoMustBeChecked{};
766*12c85518Srobert   const SuccessErrnoConstraint ErrnoMustNotBeChecked{};
767*12c85518Srobert   const FailureErrnoConstraint ErrnoNEZeroIrrelevant{};
768e5dd7070Spatrick };
769ec727ea7Spatrick 
770*12c85518Srobert int StdLibraryFunctionsChecker::ErrnoConstraintBase::Tag = 0;
771*12c85518Srobert 
772ec727ea7Spatrick const StdLibraryFunctionsChecker::ArgNo StdLibraryFunctionsChecker::Ret =
773ec727ea7Spatrick     std::numeric_limits<ArgNo>::max();
774ec727ea7Spatrick 
775e5dd7070Spatrick } // end of anonymous namespace
776e5dd7070Spatrick 
/// Returns the BasicValueFactory reachable from \p State through its state
/// manager's SValBuilder.
static BasicValueFactory &getBVF(ProgramStateRef State) {
  return State->getStateManager().getSValBuilder().getBasicValueFactory();
}
782a9ac8606Spatrick 
/// Builds "the <N>th argument should not be NULL" for a violation and
/// "the <N>th argument is not NULL" for any other description kind.
std::string StdLibraryFunctionsChecker::NotNullConstraint::describe(
    DescriptionKind DK, ProgramStateRef State, const Summary &Summary) const {
  const bool IsViolation = DK == ValueConstraint::DescriptionKind::Violation;

  SmallString<48> Text;
  Text += "the ";
  Text += getArgDesc(ArgN);
  if (IsViolation)
    Text += " should not be NULL";
  else
    Text += " is not NULL";
  return Text.c_str();
}
792a9ac8606Spatrick 
/// Builds a sentence fragment such as
/// "the 1st argument should be within the range [[a, b], [c, d]]".
/// The outer brackets are only emitted when there is more than one range.
std::string StdLibraryFunctionsChecker::RangeConstraint::describe(
    DescriptionKind DK, ProgramStateRef State, const Summary &Summary) const {
  BasicValueFactory &BVF = getBVF(State);
  QualType ArgT = Summary.getArgType(getArgNo());

  const bool IsViolation = DK == ValueConstraint::DescriptionKind::Violation;
  const bool NeedsOuterBrackets = Ranges.size() > 1;

  SmallString<48> Text;
  Text += "the ";
  Text += getArgDesc(ArgN);
  Text += IsViolation ? " should be " : " is ";

  // Range kind as a string.
  Text += (Kind == OutOfRange) ? "out of" : "within";

  // The range values as a string, bounds converted to the argument's type.
  Text += " the range ";
  if (NeedsOuterBrackets)
    Text += "[";
  unsigned Remaining = Ranges.size();
  for (const std::pair<RangeInt, RangeInt> &Bounds : Ranges) {
    const llvm::APSInt &Low = BVF.getValue(Bounds.first, ArgT);
    const llvm::APSInt &High = BVF.getValue(Bounds.second, ArgT);
    Text += "[";
    Low.toString(Text);
    Text += ", ";
    High.toString(Text);
    Text += "]";
    // Comma-separate all but the last range.
    --Remaining;
    if (Remaining > 0)
      Text += ", ";
  }
  if (NeedsOuterBrackets)
    Text += "]";

  return Text.c_str();
}
829a9ac8606Spatrick 
/// Returns the one-based ordinal description of argument \p ArgN, e.g.
/// "1st argument" for index 0.
SmallString<8>
StdLibraryFunctionsChecker::getArgDesc(StdLibraryFunctionsChecker::ArgNo ArgN) {
  // Arguments are numbered from 1 in messages.
  const auto Ordinal = ArgN + 1;

  SmallString<8> Desc;
  Desc += std::to_string(Ordinal);
  Desc += llvm::getOrdinalSuffix(Ordinal);
  Desc += " argument";
  return Desc;
}
838a9ac8606Spatrick 
/// Builds "the size of the <N>th argument should be|is equal to or greater
/// than the value of ...", followed by the concrete size or, when no concrete
/// size is set, by the size argument and the optional multiplier argument.
std::string StdLibraryFunctionsChecker::BufferSizeConstraint::describe(
    DescriptionKind DK, ProgramStateRef State, const Summary &Summary) const {
  const bool IsViolation = DK == ValueConstraint::DescriptionKind::Violation;

  SmallString<96> Text;
  Text += "the size of the ";
  Text += getArgDesc(ArgN);
  Text += IsViolation ? " should be " : " is ";
  Text += "equal to or greater than the value of ";

  // A concrete size takes precedence over a size argument.
  if (ConcreteSize) {
    ConcreteSize->toString(Text);
    return Text.c_str();
  }
  if (SizeArgN) {
    Text += "the ";
    Text += getArgDesc(*SizeArgN);
    if (SizeMultiplierArgN) {
      Text += " times the ";
      Text += getArgDesc(*SizeMultiplierArgN);
    }
  }
  return Text.c_str();
}
859a9ac8606Spatrick 
/// Assumes that the constrained value lies outside every range of the
/// constraint. Returns a null state as soon as one of those assumptions is
/// infeasible; returns \p State unchanged when there are no ranges or the
/// value is not a NonLoc.
ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsOutOfRange(
    ProgramStateRef State, const CallEvent &Call,
    const Summary &Summary) const {
  if (Ranges.empty())
    return State;

  ProgramStateManager &Mgr = State->getStateManager();
  SValBuilder &SVB = Mgr.getSValBuilder();
  BasicValueFactory &BVF = SVB.getBasicValueFactory();
  ConstraintManager &CM = Mgr.getConstraintManager();
  QualType ArgT = Summary.getArgType(getArgNo());
  SVal ArgV = getArgSVal(Call, getArgNo());

  auto NonLocArg = ArgV.getAs<NonLoc>();
  if (!NonLocArg)
    return State;

  for (const auto &Bounds : getRanges()) {
    const llvm::APSInt &Min = BVF.getValue(Bounds.first, ArgT);
    const llvm::APSInt &Max = BVF.getValue(Bounds.second, ArgT);
    assert(Min <= Max);
    // 'false' asks for the state in which the value is NOT in [Min, Max].
    State = CM.assumeInclusiveRange(State, *NonLocArg, Min, Max, false);
    if (!State)
      return State;
  }

  return State;
}
888e5dd7070Spatrick 
/// Assumes that the constrained value lies within the union of the ranges of
/// the constraint. Returns a null state when that is infeasible; returns
/// \p State unchanged when there are no ranges or the value is not a NonLoc.
ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsWithinRange(
    ProgramStateRef State, const CallEvent &Call,
    const Summary &Summary) const {
  if (Ranges.empty())
    return State;

  ProgramStateManager &Mgr = State->getStateManager();
  SValBuilder &SVB = Mgr.getSValBuilder();
  BasicValueFactory &BVF = SVB.getBasicValueFactory();
  ConstraintManager &CM = Mgr.getConstraintManager();
  QualType ArgT = Summary.getArgType(getArgNo());
  SVal ArgV = getArgSVal(Call, getArgNo());

  auto NonLocArg = ArgV.getAs<NonLoc>();
  if (!NonLocArg)
    return State;

  // "WithinRange R" is treated as "outside [T_MIN, T_MAX] \ R".
  // We cut off [T_MIN, min(R) - 1] and [max(R) + 1, T_MAX] if necessary,
  // and then cut away all holes in R one by one.
  //
  // E.g. consider a range list R as [A, B] and [C, D]
  // -------+--------+------------------+------------+----------->
  //        A        B                  C            D
  // Then we assume that the value is not in [-inf, A - 1],
  // then not in [D + 1, +inf], then not in [B + 1, C - 1]
  const IntRangeVector &R = getRanges();
  const size_t Count = R.size();

  const llvm::APSInt &MinusInf = BVF.getMinValue(ArgT);
  const llvm::APSInt &PlusInf = BVF.getMaxValue(ArgT);

  // Left tail. When min(R) - 1 comes out as T_MAX there is nothing to cut.
  const llvm::APSInt &Left = BVF.getValue(R[0].first - 1ULL, ArgT);
  if (Left != PlusInf) {
    assert(MinusInf <= Left);
    State = CM.assumeInclusiveRange(State, *NonLocArg, MinusInf, Left, false);
    if (!State)
      return nullptr;
  }

  // Right tail. When max(R) + 1 comes out as T_MIN there is nothing to cut.
  const llvm::APSInt &Right = BVF.getValue(R[Count - 1].second + 1ULL, ArgT);
  if (Right != MinusInf) {
    assert(Right <= PlusInf);
    State = CM.assumeInclusiveRange(State, *NonLocArg, Right, PlusInf, false);
    if (!State)
      return nullptr;
  }

  // Holes between neighbouring ranges; an empty hole (Min > Max) is skipped.
  for (size_t I = 1; I != Count; ++I) {
    const llvm::APSInt &Min = BVF.getValue(R[I - 1].second + 1ULL, ArgT);
    const llvm::APSInt &Max = BVF.getValue(R[I].first - 1ULL, ArgT);
    if (!(Min <= Max))
      continue;
    State = CM.assumeInclusiveRange(State, *NonLocArg, Min, Max, false);
    if (!State)
      return nullptr;
  }

  return State;
}
947e5dd7070Spatrick 
/// Assumes that "<this argument> Op <other argument>" holds. When the
/// comparison does not evaluate to a DefinedOrUnknownSVal, \p State is
/// returned unchanged.
ProgramStateRef StdLibraryFunctionsChecker::ComparisonConstraint::apply(
    ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
    CheckerContext &C) const {
  SValBuilder &SVB = State->getStateManager().getSValBuilder();
  QualType CondT = SVB.getConditionType();

  // Left-hand side: the constrained argument.
  QualType LhsT = Summary.getArgType(getArgNo());
  SVal Lhs = getArgSVal(Call, getArgNo());

  BinaryOperator::Opcode Op = getOpcode();

  // Right-hand side: the other argument, cast to the type of the left-hand
  // side. Note: we avoid integral promotion for comparison.
  ArgNo OtherArg = getOtherArgNo();
  SVal Rhs = getArgSVal(Call, OtherArg);
  QualType RhsT = Summary.getArgType(OtherArg);
  Rhs = SVB.evalCast(Rhs, LhsT, RhsT);

  auto Comparison = SVB.evalBinOp(State, Op, Lhs, Rhs, CondT)
                        .getAs<DefinedOrUnknownSVal>();
  if (!Comparison)
    return State;
  return State->assume(*Comparison, true);
}
969e5dd7070Spatrick 
/// Checks the argument constraints of the summary found for \p Call, in
/// order. The first constraint that can only be violated produces an error
/// node and a bug report and stops the checking; every other constraint is
/// assumed to hold, and each change of the state adds a transition with an
/// "Assuming ..." note.
void StdLibraryFunctionsChecker::checkPreCall(const CallEvent &Call,
                                              CheckerContext &C) const {
  std::optional<Summary> FoundSummary = findFunctionSummary(Call, C);
  if (!FoundSummary)
    return;

  const Summary &Summary = *FoundSummary;
  ProgramStateRef InitialState = C.getState();

  ProgramStateRef CurState = InitialState;
  ExplodedNode *CurNode = C.getPredecessor();
  for (const ValueConstraintPtr &Constraint : Summary.getArgConstraints()) {
    ProgramStateRef SuccessSt = Constraint->apply(CurState, Call, Summary, C);
    ProgramStateRef FailureSt =
        Constraint->negate()->apply(CurState, Call, Summary, C);

    // The argument constraint is not satisfied: only the negated constraint
    // is feasible.
    const bool DefinitelyViolated = FailureSt && !SuccessSt;
    if (DefinitelyViolated) {
      ExplodedNode *ErrNode = C.generateErrorNode(CurState, CurNode);
      if (ErrNode)
        reportBug(Call, ErrNode, Constraint.get(), Summary, C);
      break;
    }

    // We will apply the constraint even if we cannot reason about the
    // argument. This means both SuccessSt and FailureSt can be true. If we
    // weren't applying the constraint that would mean that symbolic
    // execution continues on a code whose behaviour is undefined.
    assert(SuccessSt);
    CurState = SuccessSt;
    if (CurState == InitialState)
      continue;

    SmallString<64> Msg;
    Msg += "Assuming ";
    Msg += Constraint->describe(ValueConstraint::DescriptionKind::Assumption,
                                CurState, Summary);
    const auto ArgSVal = Call.getArgSVal(Constraint->getArgNo());
    // The note is only printed when the argument value is interesting for
    // the report being rendered.
    const NoteTag *AssumptionNote = C.getNoteTag(
        [Msg = std::move(Msg), ArgSVal](PathSensitiveBugReport &BR,
                                        llvm::raw_ostream &OS) {
          if (BR.isInteresting(ArgSVal))
            OS << Msg;
        });
    CurNode = C.addTransition(CurState, CurNode, AssumptionNote);
  }
}
1013ec727ea7Spatrick 
/// Post-call callback: applies the case (branch) specifications of the
/// summary found for the called function.
///
/// For every case, its constraints and then its errno constraint are applied
/// to the state seen on entry. A case whose constraints are infeasible adds
/// nothing. A case that changes the state adds a transition, tagged either
/// with the case's own note or, when the case has no note, with the errno
/// constraint's description. A case that leaves the state unchanged adds a
/// transition only when the errno constraint supplies a note tag.
///
/// \param Call The call being analyzed.
/// \param C    Checker context used to read the state and add transitions.
void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
                                               CheckerContext &C) const {
  const std::optional<Summary> MaybeSummary = findFunctionSummary(Call, C);
  if (!MaybeSummary)
    return;
  const Summary &Sum = *MaybeSummary;

  const ProgramStateRef EntryState = C.getState();
  const ExplodedNode *Pred = C.getPredecessor();

  for (const SummaryCase &Case : Sum.getCases()) {
    // Narrow the entry state by each constraint; stop at the first that
    // makes the case infeasible.
    ProgramStateRef CaseState = EntryState;
    for (const ValueConstraintPtr &Constraint : Case.getConstraints()) {
      CaseState = Constraint->apply(CaseState, Call, Sum, C);
      if (!CaseState)
        break;
    }

    if (CaseState)
      CaseState = Case.getErrnoConstraint().apply(CaseState, Call, Sum, C);

    const auto *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());

    if (CaseState == EntryState) {
      // The function may have been evaluated in a checker callback where the
      // state constraints were already applied, so nothing changes here (and
      // the errno constraint did not change the state either). If the
      // function still needs a note about the errno change, add it now.
      if (FD)
        if (const NoteTag *ErrnoTag =
                Case.getErrnoConstraint().describe(C, FD->getNameAsString()))
          C.addTransition(CaseState, ErrnoTag);
    } else if (CaseState) {
      const StringRef Note = Case.getNote();
      if (Note.empty()) {
        // No case note: fall back to the errno description, if there is a
        // function declaration to name.
        const NoteTag *ErrnoTag = nullptr;
        if (FD)
          ErrnoTag =
              Case.getErrnoConstraint().describe(C, FD->getNameAsString());
        C.addTransition(CaseState, ErrnoTag);
      } else {
        // Pred and Note are captured as a raw pointer and a non-owning
        // StringRef. NOTE(review): if the callback runs after this function
        // returns, the note text must not live in the local summary copy --
        // confirm where getNote() points.
        const NoteTag *CaseTag = C.getNoteTag(
            [Pred, Note]() -> std::string {
              // Stay silent when it was known in advance which branch is
              // taken, i.e. the predecessor did not split.
              if (Pred->succ_size() > 1)
                return Note.str();
              return "";
            },
            /*IsPrunable=*/true);
        C.addTransition(CaseState, CaseTag);
      }
    }
  }
}
1068e5dd7070Spatrick 
/// eval::Call callback: evaluates the call itself when the summary found for
/// the called function asks for it.
///
/// \param Call The call being analyzed.
/// \param C    Checker context used to read the state and add transitions.
/// \returns true when the call was evaluated here (EvalCallAsPure); false
///          when no summary exists or the summary is marked NoEvalCall.
bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call,
                                          CheckerContext &C) const {
  const std::optional<Summary> MaybeSummary = findFunctionSummary(Call, C);
  if (!MaybeSummary)
    return false;

  switch (MaybeSummary->getInvalidationKd()) {
  case NoEvalCall:
    // The summary asks not to perform eval::Call. The function is possibly
    // evaluated by another checker, or evaluated conservatively.
    return false;
  case EvalCallAsPure: {
    // Bind a freshly conjured symbol of the call's canonical type as the
    // value of the call expression; nothing else in the state is touched.
    const LocationContext *LCtx = C.getLocationContext();
    const auto *CallE = cast<CallExpr>(Call.getOriginExpr());
    const QualType ResultTy = CallE->getType().getCanonicalType();
    const SVal Result = C.getSValBuilder().conjureSymbolVal(
        CallE, LCtx, ResultTy, C.blockCount());

    C.addTransition(C.getState()->BindExpr(CallE, LCtx, Result));
    return true;
  }
  }
  llvm_unreachable("Unknown invalidation kind!");
}
1096e5dd7070Spatrick 
/// Tells whether the declaration \p FD has this signature.
///
/// The parameter count must be equal, and every return/argument type that is
/// not marked irrelevant must equal the canonical type found in \p FD.
///
/// \param FD The function declaration to compare against.
/// \returns true when the parameter count and all relevant types agree.
bool StdLibraryFunctionsChecker::Signature::matches(
    const FunctionDecl *FD) const {
  assert(!isInvalid());

  // A different number of parameters can never match.
  if (FD->param_size() != ArgTys.size())
    return false;

  // "restrict" is not a C++ keyword, yet many libc implementations use the
  // "__restrict" spelling in their prototypes, which qualifies the type as
  // restricted even in C++. Outside of C99 mode it cannot be known whether
  // the libc in use qualifies a given parameter type, so the qualifier is
  // removed from the declaration's type before comparing.
  const auto CanonicalForCompare = [&FD](QualType T) {
    QualType Result = T.getCanonicalType();
    if (!FD->getASTContext().getLangOpts().C99)
      Result.removeLocalRestrict();
    return Result;
  };

  // Return type.
  if (!isIrrelevant(RetTy) &&
      RetTy != CanonicalForCompare(FD->getReturnType()))
    return false;

  // Parameter types, position by position.
  const size_t NumArgs = ArgTys.size();
  for (size_t Idx = 0; Idx != NumArgs; ++Idx) {
    const QualType Expected = ArgTys[Idx];
    if (isIrrelevant(Expected))
      continue;
    if (Expected != CanonicalForCompare(FD->getParamDecl(Idx)->getType()))
      return false;
  }

  return true;
}
1137e5dd7070Spatrick 
/// Looks up the summary registered for a function declaration.
///
/// The summary map is initialized on demand before the lookup, and the map
/// is keyed by the canonical declaration.
///
/// \param FD The function declaration; may be null.
/// \param C  Checker context, forwarded to the summary initialization.
/// \returns a copy of the summary, or std::nullopt when \p FD is null or no
///          summary is registered for it.
std::optional<StdLibraryFunctionsChecker::Summary>
StdLibraryFunctionsChecker::findFunctionSummary(const FunctionDecl *FD,
                                                CheckerContext &C) const {
  if (!FD)
    return std::nullopt;

  initFunctionSummaries(C);

  const auto Found = FunctionSummaryMap.find(FD->getCanonicalDecl());
  if (Found != FunctionSummaryMap.end())
    return Found->second;
  return std::nullopt;
}
1151e5dd7070Spatrick 
/// Looks up the summary registered for the function called by \p Call.
///
/// \param Call The call whose declaration is looked up.
/// \param C    Checker context, forwarded to the declaration-based lookup.
/// \returns the summary, or std::nullopt when the call's declaration is
///          missing or is not a FunctionDecl, or when no summary is found.
std::optional<StdLibraryFunctionsChecker::Summary>
StdLibraryFunctionsChecker::findFunctionSummary(const CallEvent &Call,
                                                CheckerContext &C) const {
  if (const auto *Callee = dyn_cast_or_null<FunctionDecl>(Call.getDecl()))
    return findFunctionSummary(Callee, C);
  return std::nullopt;
}
1160e5dd7070Spatrick 
initFunctionSummaries(CheckerContext & C) const1161a9ac8606Spatrick void StdLibraryFunctionsChecker::initFunctionSummaries(
1162a9ac8606Spatrick     CheckerContext &C) const {
1163a9ac8606Spatrick   if (SummariesInitialized)
1164a9ac8606Spatrick     return;
1165a9ac8606Spatrick 
1166a9ac8606Spatrick   SValBuilder &SVB = C.getSValBuilder();
1167a9ac8606Spatrick   BasicValueFactory &BVF = SVB.getBasicValueFactory();
1168a9ac8606Spatrick   const ASTContext &ACtx = BVF.getContext();
1169a9ac8606Spatrick 
1170a9ac8606Spatrick   // Helper class to lookup a type by its name.
1171a9ac8606Spatrick   class LookupType {
1172a9ac8606Spatrick     const ASTContext &ACtx;
1173a9ac8606Spatrick 
1174a9ac8606Spatrick   public:
1175a9ac8606Spatrick     LookupType(const ASTContext &ACtx) : ACtx(ACtx) {}
1176a9ac8606Spatrick 
1177a9ac8606Spatrick     // Find the type. If not found then the optional is not set.
1178*12c85518Srobert     std::optional<QualType> operator()(StringRef Name) {
1179ec727ea7Spatrick       IdentifierInfo &II = ACtx.Idents.get(Name);
1180ec727ea7Spatrick       auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
1181a9ac8606Spatrick       if (LookupRes.empty())
1182*12c85518Srobert         return std::nullopt;
1183ec727ea7Spatrick 
1184ec727ea7Spatrick       // Prioritize typedef declarations.
1185ec727ea7Spatrick       // This is needed in case of C struct typedefs. E.g.:
1186ec727ea7Spatrick       //   typedef struct FILE FILE;
1187a9ac8606Spatrick       // In this case, we have a RecordDecl 'struct FILE' with the name 'FILE'
1188a9ac8606Spatrick       // and we have a TypedefDecl with the name 'FILE'.
1189ec727ea7Spatrick       for (Decl *D : LookupRes)
1190ec727ea7Spatrick         if (auto *TD = dyn_cast<TypedefNameDecl>(D))
1191ec727ea7Spatrick           return ACtx.getTypeDeclType(TD).getCanonicalType();
1192ec727ea7Spatrick 
1193ec727ea7Spatrick       // Find the first TypeDecl.
1194ec727ea7Spatrick       // There maybe cases when a function has the same name as a struct.
1195ec727ea7Spatrick       // E.g. in POSIX: `struct stat` and the function `stat()`:
1196ec727ea7Spatrick       //   int stat(const char *restrict path, struct stat *restrict buf);
1197ec727ea7Spatrick       for (Decl *D : LookupRes)
1198ec727ea7Spatrick         if (auto *TD = dyn_cast<TypeDecl>(D))
1199ec727ea7Spatrick           return ACtx.getTypeDeclType(TD).getCanonicalType();
1200*12c85518Srobert       return std::nullopt;
1201e5dd7070Spatrick     }
1202a9ac8606Spatrick   } lookupTy(ACtx);
1203e5dd7070Spatrick 
1204a9ac8606Spatrick   // Below are auxiliary classes to handle optional types that we get as a
1205a9ac8606Spatrick   // result of the lookup.
1206a9ac8606Spatrick   class GetRestrictTy {
1207a9ac8606Spatrick     const ASTContext &ACtx;
1208e5dd7070Spatrick 
1209a9ac8606Spatrick   public:
1210a9ac8606Spatrick     GetRestrictTy(const ASTContext &ACtx) : ACtx(ACtx) {}
1211a9ac8606Spatrick     QualType operator()(QualType Ty) {
1212a9ac8606Spatrick       return ACtx.getLangOpts().C99 ? ACtx.getRestrictType(Ty) : Ty;
1213a9ac8606Spatrick     }
1214*12c85518Srobert     std::optional<QualType> operator()(std::optional<QualType> Ty) {
1215a9ac8606Spatrick       if (Ty)
1216a9ac8606Spatrick         return operator()(*Ty);
1217*12c85518Srobert       return std::nullopt;
1218a9ac8606Spatrick     }
1219a9ac8606Spatrick   } getRestrictTy(ACtx);
1220a9ac8606Spatrick   class GetPointerTy {
1221a9ac8606Spatrick     const ASTContext &ACtx;
1222a9ac8606Spatrick 
1223a9ac8606Spatrick   public:
1224a9ac8606Spatrick     GetPointerTy(const ASTContext &ACtx) : ACtx(ACtx) {}
1225a9ac8606Spatrick     QualType operator()(QualType Ty) { return ACtx.getPointerType(Ty); }
1226*12c85518Srobert     std::optional<QualType> operator()(std::optional<QualType> Ty) {
1227a9ac8606Spatrick       if (Ty)
1228a9ac8606Spatrick         return operator()(*Ty);
1229*12c85518Srobert       return std::nullopt;
1230a9ac8606Spatrick     }
1231a9ac8606Spatrick   } getPointerTy(ACtx);
1232a9ac8606Spatrick   class {
1233a9ac8606Spatrick   public:
1234*12c85518Srobert     std::optional<QualType> operator()(std::optional<QualType> Ty) {
1235*12c85518Srobert       return Ty ? std::optional<QualType>(Ty->withConst()) : std::nullopt;
1236a9ac8606Spatrick     }
1237a9ac8606Spatrick     QualType operator()(QualType Ty) { return Ty.withConst(); }
1238a9ac8606Spatrick   } getConstTy;
1239a9ac8606Spatrick   class GetMaxValue {
1240a9ac8606Spatrick     BasicValueFactory &BVF;
1241a9ac8606Spatrick 
1242a9ac8606Spatrick   public:
1243a9ac8606Spatrick     GetMaxValue(BasicValueFactory &BVF) : BVF(BVF) {}
1244*12c85518Srobert     std::optional<RangeInt> operator()(QualType Ty) {
1245a9ac8606Spatrick       return BVF.getMaxValue(Ty).getLimitedValue();
1246a9ac8606Spatrick     }
1247*12c85518Srobert     std::optional<RangeInt> operator()(std::optional<QualType> Ty) {
1248a9ac8606Spatrick       if (Ty) {
1249a9ac8606Spatrick         return operator()(*Ty);
1250a9ac8606Spatrick       }
1251*12c85518Srobert       return std::nullopt;
1252a9ac8606Spatrick     }
1253a9ac8606Spatrick   } getMaxValue(BVF);
1254e5dd7070Spatrick 
1255e5dd7070Spatrick   // These types are useful for writing specifications quickly,
1256e5dd7070Spatrick   // New specifications should probably introduce more types.
1257e5dd7070Spatrick   // Some types are hard to obtain from the AST, eg. "ssize_t".
1258e5dd7070Spatrick   // In such cases it should be possible to provide multiple variants
1259e5dd7070Spatrick   // of function summary for common cases (eg. ssize_t could be int or long
1260e5dd7070Spatrick   // or long long, so three summary variants would be enough).
1261e5dd7070Spatrick   // Of course, function variants are also useful for C++ overloads.
1262ec727ea7Spatrick   const QualType VoidTy = ACtx.VoidTy;
1263a9ac8606Spatrick   const QualType CharTy = ACtx.CharTy;
1264a9ac8606Spatrick   const QualType WCharTy = ACtx.WCharTy;
1265ec727ea7Spatrick   const QualType IntTy = ACtx.IntTy;
1266ec727ea7Spatrick   const QualType UnsignedIntTy = ACtx.UnsignedIntTy;
1267ec727ea7Spatrick   const QualType LongTy = ACtx.LongTy;
1268ec727ea7Spatrick   const QualType SizeTy = ACtx.getSizeType();
1269e5dd7070Spatrick 
1270a9ac8606Spatrick   const QualType VoidPtrTy = getPointerTy(VoidTy); // void *
1271a9ac8606Spatrick   const QualType IntPtrTy = getPointerTy(IntTy);   // int *
1272ec727ea7Spatrick   const QualType UnsignedIntPtrTy =
1273a9ac8606Spatrick       getPointerTy(UnsignedIntTy); // unsigned int *
1274a9ac8606Spatrick   const QualType VoidPtrRestrictTy = getRestrictTy(VoidPtrTy);
1275ec727ea7Spatrick   const QualType ConstVoidPtrTy =
1276a9ac8606Spatrick       getPointerTy(getConstTy(VoidTy));            // const void *
1277a9ac8606Spatrick   const QualType CharPtrTy = getPointerTy(CharTy); // char *
1278a9ac8606Spatrick   const QualType CharPtrRestrictTy = getRestrictTy(CharPtrTy);
1279ec727ea7Spatrick   const QualType ConstCharPtrTy =
1280a9ac8606Spatrick       getPointerTy(getConstTy(CharTy)); // const char *
1281a9ac8606Spatrick   const QualType ConstCharPtrRestrictTy = getRestrictTy(ConstCharPtrTy);
1282a9ac8606Spatrick   const QualType Wchar_tPtrTy = getPointerTy(WCharTy); // wchar_t *
1283ec727ea7Spatrick   const QualType ConstWchar_tPtrTy =
1284a9ac8606Spatrick       getPointerTy(getConstTy(WCharTy)); // const wchar_t *
1285a9ac8606Spatrick   const QualType ConstVoidPtrRestrictTy = getRestrictTy(ConstVoidPtrTy);
1286a9ac8606Spatrick   const QualType SizePtrTy = getPointerTy(SizeTy);
1287a9ac8606Spatrick   const QualType SizePtrRestrictTy = getRestrictTy(SizePtrTy);
1288ec727ea7Spatrick 
1289ec727ea7Spatrick   const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue();
1290ec727ea7Spatrick   const RangeInt UnsignedIntMax =
1291ec727ea7Spatrick       BVF.getMaxValue(UnsignedIntTy).getLimitedValue();
1292ec727ea7Spatrick   const RangeInt LongMax = BVF.getMaxValue(LongTy).getLimitedValue();
1293ec727ea7Spatrick   const RangeInt SizeMax = BVF.getMaxValue(SizeTy).getLimitedValue();
1294ec727ea7Spatrick 
1295ec727ea7Spatrick   // Set UCharRangeMax to min of int or uchar maximum value.
1296ec727ea7Spatrick   // The C standard states that the arguments of functions like isalpha must
1297ec727ea7Spatrick   // be representable as an unsigned char. Their type is 'int', so the max
1298ec727ea7Spatrick   // value of the argument should be min(UCharMax, IntMax). This just happen
1299ec727ea7Spatrick   // to be true for commonly used and well tested instruction set
1300ec727ea7Spatrick   // architectures, but not for others.
1301ec727ea7Spatrick   const RangeInt UCharRangeMax =
1302ec727ea7Spatrick       std::min(BVF.getMaxValue(ACtx.UnsignedCharTy).getLimitedValue(), IntMax);
1303ec727ea7Spatrick 
1304ec727ea7Spatrick   // The platform dependent value of EOF.
1305ec727ea7Spatrick   // Try our best to parse this from the Preprocessor, otherwise fallback to -1.
1306ec727ea7Spatrick   const auto EOFv = [&C]() -> RangeInt {
1307*12c85518Srobert     if (const std::optional<int> OptInt =
1308ec727ea7Spatrick             tryExpandAsInteger("EOF", C.getPreprocessor()))
1309ec727ea7Spatrick       return *OptInt;
1310ec727ea7Spatrick     return -1;
1311ec727ea7Spatrick   }();
1312ec727ea7Spatrick 
1313ec727ea7Spatrick   // Auxiliary class to aid adding summaries to the summary map.
1314ec727ea7Spatrick   struct AddToFunctionSummaryMap {
1315ec727ea7Spatrick     const ASTContext &ACtx;
1316ec727ea7Spatrick     FunctionSummaryMapType &Map;
1317ec727ea7Spatrick     bool DisplayLoadedSummaries;
1318ec727ea7Spatrick     AddToFunctionSummaryMap(const ASTContext &ACtx, FunctionSummaryMapType &FSM,
1319ec727ea7Spatrick                             bool DisplayLoadedSummaries)
1320ec727ea7Spatrick         : ACtx(ACtx), Map(FSM), DisplayLoadedSummaries(DisplayLoadedSummaries) {
1321ec727ea7Spatrick     }
1322ec727ea7Spatrick 
1323ec727ea7Spatrick     // Add a summary to a FunctionDecl found by lookup. The lookup is performed
1324ec727ea7Spatrick     // by the given Name, and in the global scope. The summary will be attached
1325ec727ea7Spatrick     // to the found FunctionDecl only if the signatures match.
1326a9ac8606Spatrick     //
1327a9ac8606Spatrick     // Returns true if the summary has been added, false otherwise.
1328a9ac8606Spatrick     bool operator()(StringRef Name, Signature Sign, Summary Sum) {
1329a9ac8606Spatrick       if (Sign.isInvalid())
1330a9ac8606Spatrick         return false;
1331ec727ea7Spatrick       IdentifierInfo &II = ACtx.Idents.get(Name);
1332ec727ea7Spatrick       auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
1333a9ac8606Spatrick       if (LookupRes.empty())
1334a9ac8606Spatrick         return false;
1335ec727ea7Spatrick       for (Decl *D : LookupRes) {
1336ec727ea7Spatrick         if (auto *FD = dyn_cast<FunctionDecl>(D)) {
1337a9ac8606Spatrick           if (Sum.matchesAndSet(Sign, FD)) {
1338a9ac8606Spatrick             auto Res = Map.insert({FD->getCanonicalDecl(), Sum});
1339ec727ea7Spatrick             assert(Res.second && "Function already has a summary set!");
1340ec727ea7Spatrick             (void)Res;
1341ec727ea7Spatrick             if (DisplayLoadedSummaries) {
1342ec727ea7Spatrick               llvm::errs() << "Loaded summary for: ";
1343ec727ea7Spatrick               FD->print(llvm::errs());
1344ec727ea7Spatrick               llvm::errs() << "\n";
1345ec727ea7Spatrick             }
1346a9ac8606Spatrick             return true;
1347ec727ea7Spatrick           }
1348ec727ea7Spatrick         }
1349ec727ea7Spatrick       }
1350a9ac8606Spatrick       return false;
1351ec727ea7Spatrick     }
1352a9ac8606Spatrick     // Add the same summary for different names with the Signature explicitly
1353a9ac8606Spatrick     // given.
1354a9ac8606Spatrick     void operator()(std::vector<StringRef> Names, Signature Sign, Summary Sum) {
1355a9ac8606Spatrick       for (StringRef Name : Names)
1356a9ac8606Spatrick         operator()(Name, Sign, Sum);
1357ec727ea7Spatrick     }
1358ec727ea7Spatrick   } addToFunctionSummaryMap(ACtx, FunctionSummaryMap, DisplayLoadedSummaries);
1359e5dd7070Spatrick 
1360ec727ea7Spatrick   // Below are helpers functions to create the summaries.
1361ec727ea7Spatrick   auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind,
1362ec727ea7Spatrick                               IntRangeVector Ranges) {
1363ec727ea7Spatrick     return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges);
1364ec727ea7Spatrick   };
1365ec727ea7Spatrick   auto BufferSize = [](auto... Args) {
1366ec727ea7Spatrick     return std::make_shared<BufferSizeConstraint>(Args...);
1367ec727ea7Spatrick   };
1368ec727ea7Spatrick   struct {
1369ec727ea7Spatrick     auto operator()(RangeKind Kind, IntRangeVector Ranges) {
1370ec727ea7Spatrick       return std::make_shared<RangeConstraint>(Ret, Kind, Ranges);
1371ec727ea7Spatrick     }
1372ec727ea7Spatrick     auto operator()(BinaryOperator::Opcode Op, ArgNo OtherArgN) {
1373ec727ea7Spatrick       return std::make_shared<ComparisonConstraint>(Ret, Op, OtherArgN);
1374ec727ea7Spatrick     }
1375ec727ea7Spatrick   } ReturnValueCondition;
1376a9ac8606Spatrick   struct {
1377a9ac8606Spatrick     auto operator()(RangeInt b, RangeInt e) {
1378ec727ea7Spatrick       return IntRangeVector{std::pair<RangeInt, RangeInt>{b, e}};
1379a9ac8606Spatrick     }
1380*12c85518Srobert     auto operator()(RangeInt b, std::optional<RangeInt> e) {
1381a9ac8606Spatrick       if (e)
1382a9ac8606Spatrick         return IntRangeVector{std::pair<RangeInt, RangeInt>{b, *e}};
1383a9ac8606Spatrick       return IntRangeVector{};
1384a9ac8606Spatrick     }
1385a9ac8606Spatrick     auto operator()(std::pair<RangeInt, RangeInt> i0,
1386*12c85518Srobert                     std::pair<RangeInt, std::optional<RangeInt>> i1) {
1387a9ac8606Spatrick       if (i1.second)
1388a9ac8606Spatrick         return IntRangeVector{i0, {i1.first, *(i1.second)}};
1389a9ac8606Spatrick       return IntRangeVector{i0};
1390a9ac8606Spatrick     }
1391a9ac8606Spatrick   } Range;
1392ec727ea7Spatrick   auto SingleValue = [](RangeInt v) {
1393ec727ea7Spatrick     return IntRangeVector{std::pair<RangeInt, RangeInt>{v, v}};
1394ec727ea7Spatrick   };
1395ec727ea7Spatrick   auto LessThanOrEq = BO_LE;
1396ec727ea7Spatrick   auto NotNull = [&](ArgNo ArgN) {
1397ec727ea7Spatrick     return std::make_shared<NotNullConstraint>(ArgN);
1398ec727ea7Spatrick   };
1399*12c85518Srobert   auto IsNull = [&](ArgNo ArgN) {
1400*12c85518Srobert     return std::make_shared<NotNullConstraint>(ArgN, false);
1401*12c85518Srobert   };
1402e5dd7070Spatrick 
1403*12c85518Srobert   std::optional<QualType> FileTy = lookupTy("FILE");
1404*12c85518Srobert   std::optional<QualType> FilePtrTy = getPointerTy(FileTy);
1405*12c85518Srobert   std::optional<QualType> FilePtrRestrictTy = getRestrictTy(FilePtrTy);
1406*12c85518Srobert 
1407*12c85518Srobert   std::optional<QualType> FPosTTy = lookupTy("fpos_t");
1408*12c85518Srobert   std::optional<QualType> FPosTPtrTy = getPointerTy(FPosTTy);
1409*12c85518Srobert   std::optional<QualType> ConstFPosTPtrTy = getPointerTy(getConstTy(FPosTTy));
1410*12c85518Srobert   std::optional<QualType> FPosTPtrRestrictTy = getRestrictTy(FPosTPtrTy);
1411ec727ea7Spatrick 
1412a9ac8606Spatrick   // We are finally ready to define specifications for all supported functions.
1413a9ac8606Spatrick   //
1414a9ac8606Spatrick   // Argument ranges should always cover all variants. If return value
1415a9ac8606Spatrick   // is completely unknown, omit it from the respective range set.
1416a9ac8606Spatrick   //
1417a9ac8606Spatrick   // Every item in the list of range sets represents a particular
1418a9ac8606Spatrick   // execution path the analyzer would need to explore once
1419a9ac8606Spatrick   // the call is modeled - a new program state is constructed
1420a9ac8606Spatrick   // for every range set, and each range line in the range set
1421a9ac8606Spatrick   // corresponds to a specific constraint within this state.
1422ec727ea7Spatrick 
1423e5dd7070Spatrick   // The isascii() family of functions.
1424ec727ea7Spatrick   // The behavior is undefined if the value of the argument is neither
1425ec727ea7Spatrick   // representable as unsigned char nor equal to EOF. See e.g. C99
1426ec727ea7Spatrick   // 7.4.1.2 The isalpha function (p: 181-182).
1427ec727ea7Spatrick   addToFunctionSummaryMap(
1428a9ac8606Spatrick       "isalnum", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1429a9ac8606Spatrick       Summary(EvalCallAsPure)
1430ec727ea7Spatrick           // Boils down to isupper() or islower() or isdigit().
1431ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange,
1432ec727ea7Spatrick                                    {{'0', '9'}, {'A', 'Z'}, {'a', 'z'}}),
1433*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1434*12c85518Srobert                 ErrnoIrrelevant, "Assuming the character is alphanumeric")
1435ec727ea7Spatrick           // The locale-specific range.
1436e5dd7070Spatrick           // No post-condition. We are completely unaware of
1437e5dd7070Spatrick           // locale-specific return values.
1438*12c85518Srobert           .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
1439*12c85518Srobert                 ErrnoIrrelevant)
1440ec727ea7Spatrick           .Case(
1441ec727ea7Spatrick               {ArgumentCondition(
1442ec727ea7Spatrick                    0U, OutOfRange,
1443ec727ea7Spatrick                    {{'0', '9'}, {'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}),
1444*12c85518Srobert                ReturnValueCondition(WithinRange, SingleValue(0))},
1445*12c85518Srobert               ErrnoIrrelevant, "Assuming the character is non-alphanumeric")
1446ec727ea7Spatrick           .ArgConstraint(ArgumentCondition(
1447ec727ea7Spatrick               0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
1448ec727ea7Spatrick   addToFunctionSummaryMap(
1449a9ac8606Spatrick       "isalpha", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1450a9ac8606Spatrick       Summary(EvalCallAsPure)
1451ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange, {{'A', 'Z'}, {'a', 'z'}}),
1452*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1453*12c85518Srobert                 ErrnoIrrelevant, "Assuming the character is alphabetical")
1454ec727ea7Spatrick           // The locale-specific range.
1455*12c85518Srobert           .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
1456*12c85518Srobert                 ErrnoIrrelevant)
1457ec727ea7Spatrick           .Case({ArgumentCondition(
1458ec727ea7Spatrick                      0U, OutOfRange,
1459ec727ea7Spatrick                      {{'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}),
1460*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1461*12c85518Srobert                 ErrnoIrrelevant, "Assuming the character is non-alphabetical"));
1462ec727ea7Spatrick   addToFunctionSummaryMap(
1463a9ac8606Spatrick       "isascii", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1464a9ac8606Spatrick       Summary(EvalCallAsPure)
1465ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange, Range(0, 127)),
1466*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1467*12c85518Srobert                 ErrnoIrrelevant, "Assuming the character is an ASCII character")
1468ec727ea7Spatrick           .Case({ArgumentCondition(0U, OutOfRange, Range(0, 127)),
1469*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1470*12c85518Srobert                 ErrnoIrrelevant,
1471*12c85518Srobert                 "Assuming the character is not an ASCII character"));
1472ec727ea7Spatrick   addToFunctionSummaryMap(
1473a9ac8606Spatrick       "isblank", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1474a9ac8606Spatrick       Summary(EvalCallAsPure)
1475ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange, {{'\t', '\t'}, {' ', ' '}}),
1476*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1477*12c85518Srobert                 ErrnoIrrelevant, "Assuming the character is a blank character")
1478ec727ea7Spatrick           .Case({ArgumentCondition(0U, OutOfRange, {{'\t', '\t'}, {' ', ' '}}),
1479*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1480*12c85518Srobert                 ErrnoIrrelevant,
1481*12c85518Srobert                 "Assuming the character is not a blank character"));
1482ec727ea7Spatrick   addToFunctionSummaryMap(
1483a9ac8606Spatrick       "iscntrl", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1484a9ac8606Spatrick       Summary(EvalCallAsPure)
1485ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange, {{0, 32}, {127, 127}}),
1486*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1487*12c85518Srobert                 ErrnoIrrelevant,
1488*12c85518Srobert                 "Assuming the character is a control character")
1489ec727ea7Spatrick           .Case({ArgumentCondition(0U, OutOfRange, {{0, 32}, {127, 127}}),
1490*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1491*12c85518Srobert                 ErrnoIrrelevant,
1492*12c85518Srobert                 "Assuming the character is not a control character"));
1493ec727ea7Spatrick   addToFunctionSummaryMap(
1494a9ac8606Spatrick       "isdigit", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1495a9ac8606Spatrick       Summary(EvalCallAsPure)
1496ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange, Range('0', '9')),
1497*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1498*12c85518Srobert                 ErrnoIrrelevant, "Assuming the character is a digit")
1499ec727ea7Spatrick           .Case({ArgumentCondition(0U, OutOfRange, Range('0', '9')),
1500*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1501*12c85518Srobert                 ErrnoIrrelevant, "Assuming the character is not a digit"));
1502ec727ea7Spatrick   addToFunctionSummaryMap(
1503a9ac8606Spatrick       "isgraph", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1504a9ac8606Spatrick       Summary(EvalCallAsPure)
1505ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange, Range(33, 126)),
1506*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1507*12c85518Srobert                 ErrnoIrrelevant,
1508*12c85518Srobert                 "Assuming the character has graphical representation")
1509*12c85518Srobert           .Case(
1510*12c85518Srobert               {ArgumentCondition(0U, OutOfRange, Range(33, 126)),
1511*12c85518Srobert                ReturnValueCondition(WithinRange, SingleValue(0))},
1512*12c85518Srobert               ErrnoIrrelevant,
1513*12c85518Srobert               "Assuming the character does not have graphical representation"));
1514ec727ea7Spatrick   addToFunctionSummaryMap(
1515a9ac8606Spatrick       "islower", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1516a9ac8606Spatrick       Summary(EvalCallAsPure)
1517ec727ea7Spatrick           // Is certainly lowercase.
1518ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange, Range('a', 'z')),
1519*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1520*12c85518Srobert                 ErrnoIrrelevant, "Assuming the character is a lowercase letter")
1521ec727ea7Spatrick           // Is ascii but not lowercase.
1522ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange, Range(0, 127)),
1523ec727ea7Spatrick                  ArgumentCondition(0U, OutOfRange, Range('a', 'z')),
1524*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1525*12c85518Srobert                 ErrnoIrrelevant,
1526*12c85518Srobert                 "Assuming the character is not a lowercase letter")
1527ec727ea7Spatrick           // The locale-specific range.
1528*12c85518Srobert           .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
1529*12c85518Srobert                 ErrnoIrrelevant)
1530ec727ea7Spatrick           // Is not an unsigned char.
1531ec727ea7Spatrick           .Case({ArgumentCondition(0U, OutOfRange, Range(0, UCharRangeMax)),
1532*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1533*12c85518Srobert                 ErrnoIrrelevant));
1534ec727ea7Spatrick   addToFunctionSummaryMap(
1535a9ac8606Spatrick       "isprint", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1536a9ac8606Spatrick       Summary(EvalCallAsPure)
1537ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange, Range(32, 126)),
1538*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1539*12c85518Srobert                 ErrnoIrrelevant, "Assuming the character is printable")
1540ec727ea7Spatrick           .Case({ArgumentCondition(0U, OutOfRange, Range(32, 126)),
1541*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1542*12c85518Srobert                 ErrnoIrrelevant, "Assuming the character is non-printable"));
1543ec727ea7Spatrick   addToFunctionSummaryMap(
1544a9ac8606Spatrick       "ispunct", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1545a9ac8606Spatrick       Summary(EvalCallAsPure)
1546ec727ea7Spatrick           .Case({ArgumentCondition(
1547ec727ea7Spatrick                      0U, WithinRange,
1548ec727ea7Spatrick                      {{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}),
1549*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1550*12c85518Srobert                 ErrnoIrrelevant, "Assuming the character is a punctuation mark")
1551ec727ea7Spatrick           .Case({ArgumentCondition(
1552ec727ea7Spatrick                      0U, OutOfRange,
1553ec727ea7Spatrick                      {{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}),
1554*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1555*12c85518Srobert                 ErrnoIrrelevant,
1556*12c85518Srobert                 "Assuming the character is not a punctuation mark"));
1557ec727ea7Spatrick   addToFunctionSummaryMap(
1558a9ac8606Spatrick       "isspace", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1559a9ac8606Spatrick       Summary(EvalCallAsPure)
1560ec727ea7Spatrick           // Space, '\f', '\n', '\r', '\t', '\v'.
1561ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange, {{9, 13}, {' ', ' '}}),
1562*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1563*12c85518Srobert                 ErrnoIrrelevant,
1564*12c85518Srobert                 "Assuming the character is a whitespace character")
1565ec727ea7Spatrick           // The locale-specific range.
1566*12c85518Srobert           .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
1567*12c85518Srobert                 ErrnoIrrelevant)
1568ec727ea7Spatrick           .Case({ArgumentCondition(0U, OutOfRange,
1569ec727ea7Spatrick                                    {{9, 13}, {' ', ' '}, {128, UCharRangeMax}}),
1570*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1571*12c85518Srobert                 ErrnoIrrelevant,
1572*12c85518Srobert                 "Assuming the character is not a whitespace character"));
1573ec727ea7Spatrick   addToFunctionSummaryMap(
1574a9ac8606Spatrick       "isupper", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1575a9ac8606Spatrick       Summary(EvalCallAsPure)
1576ec727ea7Spatrick           // Is certainly uppercase.
1577ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange, Range('A', 'Z')),
1578*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1579*12c85518Srobert                 ErrnoIrrelevant,
1580*12c85518Srobert                 "Assuming the character is an uppercase letter")
1581ec727ea7Spatrick           // The locale-specific range.
1582*12c85518Srobert           .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
1583*12c85518Srobert                 ErrnoIrrelevant)
1584ec727ea7Spatrick           // Other.
1585ec727ea7Spatrick           .Case({ArgumentCondition(0U, OutOfRange,
1586ec727ea7Spatrick                                    {{'A', 'Z'}, {128, UCharRangeMax}}),
1587*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1588*12c85518Srobert                 ErrnoIrrelevant,
1589*12c85518Srobert                 "Assuming the character is not an uppercase letter"));
1590ec727ea7Spatrick   addToFunctionSummaryMap(
1591a9ac8606Spatrick       "isxdigit", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1592a9ac8606Spatrick       Summary(EvalCallAsPure)
1593ec727ea7Spatrick           .Case({ArgumentCondition(0U, WithinRange,
1594ec727ea7Spatrick                                    {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),
1595*12c85518Srobert                  ReturnValueCondition(OutOfRange, SingleValue(0))},
1596*12c85518Srobert                 ErrnoIrrelevant,
1597*12c85518Srobert                 "Assuming the character is a hexadecimal digit")
1598ec727ea7Spatrick           .Case({ArgumentCondition(0U, OutOfRange,
1599ec727ea7Spatrick                                    {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),
1600*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1601*12c85518Srobert                 ErrnoIrrelevant,
1602*12c85518Srobert                 "Assuming the character is not a hexadecimal digit"));
1603a9ac8606Spatrick   addToFunctionSummaryMap(
1604a9ac8606Spatrick       "toupper", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1605a9ac8606Spatrick       Summary(EvalCallAsPure)
1606a9ac8606Spatrick           .ArgConstraint(ArgumentCondition(
1607a9ac8606Spatrick               0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
1608a9ac8606Spatrick   addToFunctionSummaryMap(
1609a9ac8606Spatrick       "tolower", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1610a9ac8606Spatrick       Summary(EvalCallAsPure)
1611a9ac8606Spatrick           .ArgConstraint(ArgumentCondition(
1612a9ac8606Spatrick               0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
1613a9ac8606Spatrick   addToFunctionSummaryMap(
1614a9ac8606Spatrick       "toascii", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1615a9ac8606Spatrick       Summary(EvalCallAsPure)
1616a9ac8606Spatrick           .ArgConstraint(ArgumentCondition(
1617a9ac8606Spatrick               0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
1618e5dd7070Spatrick 
1619e5dd7070Spatrick   // The getc() family of functions, each of which returns either a character or EOF.
1620ec727ea7Spatrick   addToFunctionSummaryMap(
1621a9ac8606Spatrick       {"getc", "fgetc"}, Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
1622a9ac8606Spatrick       Summary(NoEvalCall)
1623a9ac8606Spatrick           .Case({ReturnValueCondition(WithinRange,
1624*12c85518Srobert                                       {{EOFv, EOFv}, {0, UCharRangeMax}})},
1625*12c85518Srobert                 ErrnoIrrelevant));
1626a9ac8606Spatrick   addToFunctionSummaryMap(
1627a9ac8606Spatrick       "getchar", Signature(ArgTypes{}, RetType{IntTy}),
1628a9ac8606Spatrick       Summary(NoEvalCall)
1629a9ac8606Spatrick           .Case({ReturnValueCondition(WithinRange,
1630*12c85518Srobert                                       {{EOFv, EOFv}, {0, UCharRangeMax}})},
1631*12c85518Srobert                 ErrnoIrrelevant));
1632e5dd7070Spatrick 
1633e5dd7070Spatrick   // read()-like functions that never return more than buffer size.
1634a9ac8606Spatrick   auto FreadSummary =
1635a9ac8606Spatrick       Summary(NoEvalCall)
1636*12c85518Srobert           .Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)),
1637*12c85518Srobert                  ArgumentCondition(2U, WithinRange, Range(1, SizeMax)),
1638*12c85518Srobert                  ReturnValueCondition(BO_LT, ArgNo(2)),
1639*12c85518Srobert                  ReturnValueCondition(WithinRange, Range(0, SizeMax))},
1640*12c85518Srobert                 ErrnoNEZeroIrrelevant)
1641*12c85518Srobert           .Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)),
1642*12c85518Srobert                  ReturnValueCondition(BO_EQ, ArgNo(2)),
1643*12c85518Srobert                  ReturnValueCondition(WithinRange, Range(0, SizeMax))},
1644*12c85518Srobert                 ErrnoMustNotBeChecked)
1645*12c85518Srobert           .Case({ArgumentCondition(1U, WithinRange, SingleValue(0)),
1646*12c85518Srobert                  ReturnValueCondition(WithinRange, SingleValue(0))},
1647*12c85518Srobert                 ErrnoMustNotBeChecked)
1648a9ac8606Spatrick           .ArgConstraint(NotNull(ArgNo(0)))
1649a9ac8606Spatrick           .ArgConstraint(NotNull(ArgNo(3)))
1650*12c85518Srobert           // FIXME: A null buffer should be allowed if either arg 1 or arg 2 is
1651*12c85518Srobert           // zero. Remove the NotNull check of arg 0 and instead have
1652*12c85518Srobert           // BufferSizeConstraint require a non-null buffer when the size is non-zero?
1653a9ac8606Spatrick           .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1),
1654a9ac8606Spatrick                                     /*BufSizeMultiplier=*/ArgNo(2)));
1655ec727ea7Spatrick 
1656a9ac8606Spatrick   // size_t fread(void *restrict ptr, size_t size, size_t nitems,
1657a9ac8606Spatrick   //              FILE *restrict stream);
1658a9ac8606Spatrick   addToFunctionSummaryMap(
1659a9ac8606Spatrick       "fread",
1660a9ac8606Spatrick       Signature(ArgTypes{VoidPtrRestrictTy, SizeTy, SizeTy, FilePtrRestrictTy},
1661a9ac8606Spatrick                 RetType{SizeTy}),
1662a9ac8606Spatrick       FreadSummary);
1663a9ac8606Spatrick   // size_t fwrite(const void *restrict ptr, size_t size, size_t nitems,
1664a9ac8606Spatrick   //               FILE *restrict stream);
1665a9ac8606Spatrick   addToFunctionSummaryMap("fwrite",
1666a9ac8606Spatrick                           Signature(ArgTypes{ConstVoidPtrRestrictTy, SizeTy,
1667a9ac8606Spatrick                                              SizeTy, FilePtrRestrictTy},
1668a9ac8606Spatrick                                     RetType{SizeTy}),
1669a9ac8606Spatrick                           FreadSummary);
1670a9ac8606Spatrick 
1671*12c85518Srobert   std::optional<QualType> Ssize_tTy = lookupTy("ssize_t");
1672*12c85518Srobert   std::optional<RangeInt> Ssize_tMax = getMaxValue(Ssize_tTy);
1673a9ac8606Spatrick 
1674a9ac8606Spatrick   auto ReadSummary =
1675a9ac8606Spatrick       Summary(NoEvalCall)
1676a9ac8606Spatrick           .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
1677*12c85518Srobert                  ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))},
1678*12c85518Srobert                 ErrnoIrrelevant);
1679a9ac8606Spatrick 
1680ec727ea7Spatrick   // FIXME: read() and write() are defined by POSIX, not by the C standard; we
1681ec727ea7Spatrick   // should handle them together with the rest of the POSIX functions.
1682a9ac8606Spatrick   // ssize_t read(int fildes, void *buf, size_t nbyte);
1683a9ac8606Spatrick   addToFunctionSummaryMap(
1684a9ac8606Spatrick       "read", Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy}, RetType{Ssize_tTy}),
1685a9ac8606Spatrick       ReadSummary);
1686a9ac8606Spatrick   // ssize_t write(int fildes, const void *buf, size_t nbyte);
1687a9ac8606Spatrick   addToFunctionSummaryMap(
1688a9ac8606Spatrick       "write",
1689a9ac8606Spatrick       Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy}, RetType{Ssize_tTy}),
1690a9ac8606Spatrick       ReadSummary);
1691a9ac8606Spatrick 
1692a9ac8606Spatrick   auto GetLineSummary =
1693a9ac8606Spatrick       Summary(NoEvalCall)
1694a9ac8606Spatrick           .Case({ReturnValueCondition(WithinRange,
1695*12c85518Srobert                                       Range({-1, -1}, {1, Ssize_tMax}))},
1696*12c85518Srobert                 ErrnoIrrelevant);
1697a9ac8606Spatrick 
1698a9ac8606Spatrick   QualType CharPtrPtrRestrictTy = getRestrictTy(getPointerTy(CharPtrTy));
1699e5dd7070Spatrick 
1700e5dd7070Spatrick   // getline()-like functions either fail or read at least the delimiter.
1701ec727ea7Spatrick   // FIXME: getline() and getdelim() are defined by POSIX, not by the C standard;
1702ec727ea7Spatrick   // we should handle them together with the rest of the POSIX functions.
1703a9ac8606Spatrick   // ssize_t getline(char **restrict lineptr, size_t *restrict n,
1704a9ac8606Spatrick   //                 FILE *restrict stream);
1705a9ac8606Spatrick   addToFunctionSummaryMap(
1706a9ac8606Spatrick       "getline",
1707a9ac8606Spatrick       Signature(
1708a9ac8606Spatrick           ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, FilePtrRestrictTy},
1709a9ac8606Spatrick           RetType{Ssize_tTy}),
1710a9ac8606Spatrick       GetLineSummary);
1711a9ac8606Spatrick   // ssize_t getdelim(char **restrict lineptr, size_t *restrict n,
1712a9ac8606Spatrick   //                  int delimiter, FILE *restrict stream);
1713a9ac8606Spatrick   addToFunctionSummaryMap(
1714a9ac8606Spatrick       "getdelim",
1715a9ac8606Spatrick       Signature(ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, IntTy,
1716a9ac8606Spatrick                          FilePtrRestrictTy},
1717a9ac8606Spatrick                 RetType{Ssize_tTy}),
1718a9ac8606Spatrick       GetLineSummary);
1719ec727ea7Spatrick 
1720*12c85518Srobert   {
1721*12c85518Srobert     Summary GetenvSummary =
1722*12c85518Srobert         Summary(NoEvalCall)
1723*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(0)))
1724*12c85518Srobert             .Case({NotNull(Ret)}, ErrnoIrrelevant,
1725*12c85518Srobert                   "Assuming the environment variable exists");
1726*12c85518Srobert     // Unless the environment is assumed to be controlled, the envvar may be unset, so also model a null return.
1727*12c85518Srobert     if (!ShouldAssumeControlledEnvironment)
1728*12c85518Srobert       GetenvSummary.Case({NotNull(Ret)->negate()}, ErrnoIrrelevant,
1729*12c85518Srobert                          "Assuming the environment variable does not exist");
1730*12c85518Srobert 
1731*12c85518Srobert     // char *getenv(const char *name);
1732*12c85518Srobert     addToFunctionSummaryMap(
1733*12c85518Srobert         "getenv", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}),
1734*12c85518Srobert         std::move(GetenvSummary));
1735*12c85518Srobert   }
1736*12c85518Srobert 
1737ec727ea7Spatrick   if (ModelPOSIX) {
1738*12c85518Srobert     const auto ReturnsZeroOrMinusOne =
1739*12c85518Srobert         ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, 0))};
1740*12c85518Srobert     const auto ReturnsZero =
1741*12c85518Srobert         ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(0))};
1742*12c85518Srobert     const auto ReturnsMinusOne =
1743*12c85518Srobert         ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(-1))};
1744*12c85518Srobert     const auto ReturnsNonnegative =
1745*12c85518Srobert         ConstraintSet{ReturnValueCondition(WithinRange, Range(0, IntMax))};
1746*12c85518Srobert     const auto ReturnsNonZero =
1747*12c85518Srobert         ConstraintSet{ReturnValueCondition(OutOfRange, SingleValue(0))};
1748*12c85518Srobert     const auto ReturnsFileDescriptor =
1749*12c85518Srobert         ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, IntMax))};
1750*12c85518Srobert     const auto &ReturnsValidFileDescriptor = ReturnsNonnegative;
1751*12c85518Srobert 
1752*12c85518Srobert     // FILE *fopen(const char *restrict pathname, const char *restrict mode);
1753*12c85518Srobert     addToFunctionSummaryMap(
1754*12c85518Srobert         "fopen",
1755*12c85518Srobert         Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy},
1756*12c85518Srobert                   RetType{FilePtrTy}),
1757*12c85518Srobert         Summary(NoEvalCall)
1758*12c85518Srobert             .Case({NotNull(Ret)}, ErrnoMustNotBeChecked)
1759*12c85518Srobert             .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant)
1760*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(0)))
1761*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(1))));
1762*12c85518Srobert 
1763*12c85518Srobert     // FILE *tmpfile(void);
1764*12c85518Srobert     addToFunctionSummaryMap("tmpfile",
1765*12c85518Srobert                             Signature(ArgTypes{}, RetType{FilePtrTy}),
1766*12c85518Srobert                             Summary(NoEvalCall)
1767*12c85518Srobert                                 .Case({NotNull(Ret)}, ErrnoMustNotBeChecked)
1768*12c85518Srobert                                 .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant));
1769*12c85518Srobert 
1770*12c85518Srobert     // FILE *freopen(const char *restrict pathname, const char *restrict mode,
1771*12c85518Srobert     //               FILE *restrict stream);
1772*12c85518Srobert     addToFunctionSummaryMap(
1773*12c85518Srobert         "freopen",
1774*12c85518Srobert         Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy,
1775*12c85518Srobert                            FilePtrRestrictTy},
1776*12c85518Srobert                   RetType{FilePtrTy}),
1777*12c85518Srobert         Summary(NoEvalCall)
1778*12c85518Srobert             .Case({ReturnValueCondition(BO_EQ, ArgNo(2))},
1779*12c85518Srobert                   ErrnoMustNotBeChecked)
1780*12c85518Srobert             .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant)
1781*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(1)))
1782*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(2))));
1783*12c85518Srobert 
1784*12c85518Srobert     // int fclose(FILE *stream);
1785*12c85518Srobert     addToFunctionSummaryMap(
1786*12c85518Srobert         "fclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
1787*12c85518Srobert         Summary(NoEvalCall)
1788*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
1789*12c85518Srobert             .Case({ReturnValueCondition(WithinRange, SingleValue(EOFv))},
1790*12c85518Srobert                   ErrnoNEZeroIrrelevant)
1791*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(0))));
1792*12c85518Srobert 
1793*12c85518Srobert     // int fseek(FILE *stream, long offset, int whence);
1794*12c85518Srobert     // FIXME: It may be possible to obtain the 'SEEK_*' values (like EOFv) and
1795*12c85518Srobert     // use them for the condition on arg 2.
1796*12c85518Srobert     // For now the range [0,2] is hard-coded (the `SEEK_*` constants are usually 0,1,2).
1797*12c85518Srobert     addToFunctionSummaryMap(
1798*12c85518Srobert         "fseek", Signature(ArgTypes{FilePtrTy, LongTy, IntTy}, RetType{IntTy}),
1799*12c85518Srobert         Summary(NoEvalCall)
1800*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
1801*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1802*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(0)))
1803*12c85518Srobert             .ArgConstraint(ArgumentCondition(2, WithinRange, {{0, 2}})));
1804*12c85518Srobert 
1805*12c85518Srobert     // int fgetpos(FILE *restrict stream, fpos_t *restrict pos);
1806*12c85518Srobert     // From 'The Open Group Base Specifications Issue 7, 2018 edition':
1807*12c85518Srobert     // "The fgetpos() function shall not change the setting of errno if
1808*12c85518Srobert     // successful."
1809*12c85518Srobert     addToFunctionSummaryMap(
1810*12c85518Srobert         "fgetpos",
1811*12c85518Srobert         Signature(ArgTypes{FilePtrRestrictTy, FPosTPtrRestrictTy},
1812*12c85518Srobert                   RetType{IntTy}),
1813*12c85518Srobert         Summary(NoEvalCall)
1814*12c85518Srobert             .Case(ReturnsZero, ErrnoUnchanged)
1815*12c85518Srobert             .Case(ReturnsNonZero, ErrnoNEZeroIrrelevant)
1816*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(0)))
1817*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(1))));
1818*12c85518Srobert 
1819*12c85518Srobert     // int fsetpos(FILE *stream, const fpos_t *pos);
1820*12c85518Srobert     // From 'The Open Group Base Specifications Issue 7, 2018 edition':
1821*12c85518Srobert     // "The fsetpos() function shall not change the setting of errno if
1822*12c85518Srobert     // successful."
1823*12c85518Srobert     addToFunctionSummaryMap(
1824*12c85518Srobert         "fsetpos",
1825*12c85518Srobert         Signature(ArgTypes{FilePtrTy, ConstFPosTPtrTy}, RetType{IntTy}),
1826*12c85518Srobert         Summary(NoEvalCall)
1827*12c85518Srobert             .Case(ReturnsZero, ErrnoUnchanged)
1828*12c85518Srobert             .Case(ReturnsNonZero, ErrnoNEZeroIrrelevant)
1829*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(0)))
1830*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(1))));
1831*12c85518Srobert 
1832*12c85518Srobert     // long ftell(FILE *stream);
1833*12c85518Srobert     // From 'The Open Group Base Specifications Issue 7, 2018 edition':
1834*12c85518Srobert     // "The ftell() function shall not change the setting of errno if
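1835*12c85518Srobert     // successful." NOTE(review): the success case below starts at 1, so a return value of 0 (position at the start of the stream) falls in neither case; confirm whether it should be Range(0, LongMax).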
1836*12c85518Srobert     addToFunctionSummaryMap(
1837*12c85518Srobert         "ftell", Signature(ArgTypes{FilePtrTy}, RetType{LongTy}),
1838*12c85518Srobert         Summary(NoEvalCall)
1839*12c85518Srobert             .Case({ReturnValueCondition(WithinRange, Range(1, LongMax))},
1840*12c85518Srobert                   ErrnoUnchanged)
1841*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1842*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(0))));
1843*12c85518Srobert 
1844*12c85518Srobert     // int fileno(FILE *stream);
1845*12c85518Srobert     addToFunctionSummaryMap(
1846*12c85518Srobert         "fileno", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
1847*12c85518Srobert         Summary(NoEvalCall)
1848*12c85518Srobert             .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
1849*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1850*12c85518Srobert             .ArgConstraint(NotNull(ArgNo(0))));
1851*12c85518Srobert 
1852*12c85518Srobert     // void rewind(FILE *stream);
1853*12c85518Srobert     // This function reports an error only by setting 'errno'.
1854*12c85518Srobert     addToFunctionSummaryMap("rewind",
1855*12c85518Srobert                             Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}),
1856*12c85518Srobert                             Summary(NoEvalCall)
1857*12c85518Srobert                                 .Case({}, ErrnoMustBeChecked)
1858*12c85518Srobert                                 .ArgConstraint(NotNull(ArgNo(0))));
1859*12c85518Srobert 
1860*12c85518Srobert     // void clearerr(FILE *stream);
1861*12c85518Srobert     addToFunctionSummaryMap(
1862*12c85518Srobert         "clearerr", Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}),
1863*12c85518Srobert         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
1864*12c85518Srobert 
1865*12c85518Srobert     // int feof(FILE *stream);
1866*12c85518Srobert     addToFunctionSummaryMap(
1867*12c85518Srobert         "feof", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
1868*12c85518Srobert         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
1869*12c85518Srobert 
1870*12c85518Srobert     // int ferror(FILE *stream);
1871*12c85518Srobert     addToFunctionSummaryMap(
1872*12c85518Srobert         "ferror", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
1873*12c85518Srobert         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
1874ec727ea7Spatrick 
1875ec727ea7Spatrick     // long a64l(const char *str64);
1876ec727ea7Spatrick     addToFunctionSummaryMap(
1877a9ac8606Spatrick         "a64l", Signature(ArgTypes{ConstCharPtrTy}, RetType{LongTy}),
1878a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
1879ec727ea7Spatrick 
1880ec727ea7Spatrick     // char *l64a(long value);
1881a9ac8606Spatrick     addToFunctionSummaryMap("l64a",
1882a9ac8606Spatrick                             Signature(ArgTypes{LongTy}, RetType{CharPtrTy}),
1883a9ac8606Spatrick                             Summary(NoEvalCall)
1884a9ac8606Spatrick                                 .ArgConstraint(ArgumentCondition(
1885a9ac8606Spatrick                                     0, WithinRange, Range(0, LongMax))));
1886a9ac8606Spatrick 
1887ec727ea7Spatrick     // int access(const char *pathname, int amode);
1888a9ac8606Spatrick     addToFunctionSummaryMap(
1889a9ac8606Spatrick         "access", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{IntTy}),
1890a9ac8606Spatrick         Summary(NoEvalCall)
1891*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
1892*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1893ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
1894ec727ea7Spatrick 
1895ec727ea7Spatrick     // int faccessat(int dirfd, const char *pathname, int mode, int flags);
1896ec727ea7Spatrick     addToFunctionSummaryMap(
1897a9ac8606Spatrick         "faccessat",
1898a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, IntTy},
1899a9ac8606Spatrick                   RetType{IntTy}),
1900a9ac8606Spatrick         Summary(NoEvalCall)
1901*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
1902*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1903ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
1904ec727ea7Spatrick 
1905ec727ea7Spatrick     // int dup(int fildes);
1906*12c85518Srobert     addToFunctionSummaryMap(
1907*12c85518Srobert         "dup", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1908a9ac8606Spatrick         Summary(NoEvalCall)
1909*12c85518Srobert             .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
1910*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1911*12c85518Srobert             .ArgConstraint(
1912*12c85518Srobert                 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
1913ec727ea7Spatrick 
1914ec727ea7Spatrick     // int dup2(int fildes, int fildes2);
1915ec727ea7Spatrick     addToFunctionSummaryMap(
1916a9ac8606Spatrick         "dup2", Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}),
1917a9ac8606Spatrick         Summary(NoEvalCall)
1918*12c85518Srobert             .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
1919*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1920ec727ea7Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
1921ec727ea7Spatrick             .ArgConstraint(
1922ec727ea7Spatrick                 ArgumentCondition(1, WithinRange, Range(0, IntMax))));
1923ec727ea7Spatrick 
1924ec727ea7Spatrick     // int fdatasync(int fildes);
1925a9ac8606Spatrick     addToFunctionSummaryMap("fdatasync",
1926a9ac8606Spatrick                             Signature(ArgTypes{IntTy}, RetType{IntTy}),
1927a9ac8606Spatrick                             Summary(NoEvalCall)
1928*12c85518Srobert                                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1929*12c85518Srobert                                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1930a9ac8606Spatrick                                 .ArgConstraint(ArgumentCondition(
1931a9ac8606Spatrick                                     0, WithinRange, Range(0, IntMax))));
1932ec727ea7Spatrick 
1933ec727ea7Spatrick     // int fnmatch(const char *pattern, const char *string, int flags);
1934ec727ea7Spatrick     addToFunctionSummaryMap(
1935a9ac8606Spatrick         "fnmatch",
1936a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy, IntTy},
1937a9ac8606Spatrick                   RetType{IntTy}),
1938*12c85518Srobert         Summary(NoEvalCall)
1939ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
1940ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
1941ec727ea7Spatrick 
1942ec727ea7Spatrick     // int fsync(int fildes);
1943a9ac8606Spatrick     addToFunctionSummaryMap("fsync", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1944a9ac8606Spatrick                             Summary(NoEvalCall)
1945*12c85518Srobert                                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1946*12c85518Srobert                                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1947a9ac8606Spatrick                                 .ArgConstraint(ArgumentCondition(
1948a9ac8606Spatrick                                     0, WithinRange, Range(0, IntMax))));
1949ec727ea7Spatrick 
1950*12c85518Srobert     std::optional<QualType> Off_tTy = lookupTy("off_t");
1951ec727ea7Spatrick 
1952ec727ea7Spatrick     // int truncate(const char *path, off_t length);
1953a9ac8606Spatrick     addToFunctionSummaryMap(
1954a9ac8606Spatrick         "truncate",
1955a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, Off_tTy}, RetType{IntTy}),
1956a9ac8606Spatrick         Summary(NoEvalCall)
1957*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
1958*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1959ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
1960ec727ea7Spatrick 
1961ec727ea7Spatrick     // int symlink(const char *oldpath, const char *newpath);
1962a9ac8606Spatrick     addToFunctionSummaryMap(
1963a9ac8606Spatrick         "symlink",
1964a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{IntTy}),
1965a9ac8606Spatrick         Summary(NoEvalCall)
1966*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
1967*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1968ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
1969ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
1970ec727ea7Spatrick 
1971ec727ea7Spatrick     // int symlinkat(const char *oldpath, int newdirfd, const char *newpath);
1972ec727ea7Spatrick     addToFunctionSummaryMap(
1973ec727ea7Spatrick         "symlinkat",
1974a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, IntTy, ConstCharPtrTy},
1975a9ac8606Spatrick                   RetType{IntTy}),
1976a9ac8606Spatrick         Summary(NoEvalCall)
1977*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
1978*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1979ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
1980ec727ea7Spatrick             .ArgConstraint(ArgumentCondition(1, WithinRange, Range(0, IntMax)))
1981ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(2))));
1982ec727ea7Spatrick 
1983ec727ea7Spatrick     // int lockf(int fd, int cmd, off_t len);
1984ec727ea7Spatrick     addToFunctionSummaryMap(
1985a9ac8606Spatrick         "lockf", Signature(ArgTypes{IntTy, IntTy, Off_tTy}, RetType{IntTy}),
1986a9ac8606Spatrick         Summary(NoEvalCall)
1987*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
1988*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1989ec727ea7Spatrick             .ArgConstraint(
1990ec727ea7Spatrick                 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
1991ec727ea7Spatrick 
1992*12c85518Srobert     std::optional<QualType> Mode_tTy = lookupTy("mode_t");
1993ec727ea7Spatrick 
1994ec727ea7Spatrick     // int creat(const char *pathname, mode_t mode);
1995a9ac8606Spatrick     addToFunctionSummaryMap(
1996a9ac8606Spatrick         "creat", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
1997a9ac8606Spatrick         Summary(NoEvalCall)
1998*12c85518Srobert             .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
1999*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2000ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2001ec727ea7Spatrick 
2002ec727ea7Spatrick     // unsigned int sleep(unsigned int seconds);
2003ec727ea7Spatrick     addToFunctionSummaryMap(
2004a9ac8606Spatrick         "sleep", Signature(ArgTypes{UnsignedIntTy}, RetType{UnsignedIntTy}),
2005a9ac8606Spatrick         Summary(NoEvalCall)
2006ec727ea7Spatrick             .ArgConstraint(
2007ec727ea7Spatrick                 ArgumentCondition(0, WithinRange, Range(0, UnsignedIntMax))));
2008ec727ea7Spatrick 
2009*12c85518Srobert     std::optional<QualType> DirTy = lookupTy("DIR");
2010*12c85518Srobert     std::optional<QualType> DirPtrTy = getPointerTy(DirTy);
2011ec727ea7Spatrick 
2012ec727ea7Spatrick     // int dirfd(DIR *dirp);
2013*12c85518Srobert     addToFunctionSummaryMap(
2014*12c85518Srobert         "dirfd", Signature(ArgTypes{DirPtrTy}, RetType{IntTy}),
2015a9ac8606Spatrick         Summary(NoEvalCall)
2016*12c85518Srobert             .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
2017*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2018ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2019ec727ea7Spatrick 
2020ec727ea7Spatrick     // unsigned int alarm(unsigned int seconds);
2021ec727ea7Spatrick     addToFunctionSummaryMap(
2022a9ac8606Spatrick         "alarm", Signature(ArgTypes{UnsignedIntTy}, RetType{UnsignedIntTy}),
2023a9ac8606Spatrick         Summary(NoEvalCall)
2024ec727ea7Spatrick             .ArgConstraint(
2025ec727ea7Spatrick                 ArgumentCondition(0, WithinRange, Range(0, UnsignedIntMax))));
2026ec727ea7Spatrick 
2027ec727ea7Spatrick     // int closedir(DIR *dir);
2028a9ac8606Spatrick     addToFunctionSummaryMap("closedir",
2029a9ac8606Spatrick                             Signature(ArgTypes{DirPtrTy}, RetType{IntTy}),
2030a9ac8606Spatrick                             Summary(NoEvalCall)
2031*12c85518Srobert                                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2032*12c85518Srobert                                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2033ec727ea7Spatrick                                 .ArgConstraint(NotNull(ArgNo(0))));
2034ec727ea7Spatrick 
2035ec727ea7Spatrick     // char *strdup(const char *s);
2036a9ac8606Spatrick     addToFunctionSummaryMap(
2037a9ac8606Spatrick         "strdup", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}),
2038a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2039ec727ea7Spatrick 
2040ec727ea7Spatrick     // char *strndup(const char *s, size_t n);
2041ec727ea7Spatrick     addToFunctionSummaryMap(
2042a9ac8606Spatrick         "strndup",
2043a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, SizeTy}, RetType{CharPtrTy}),
2044a9ac8606Spatrick         Summary(NoEvalCall)
2045ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
2046a9ac8606Spatrick             .ArgConstraint(
2047a9ac8606Spatrick                 ArgumentCondition(1, WithinRange, Range(0, SizeMax))));
2048ec727ea7Spatrick 
2049ec727ea7Spatrick     // wchar_t *wcsdup(const wchar_t *s);
2050a9ac8606Spatrick     addToFunctionSummaryMap(
2051a9ac8606Spatrick         "wcsdup", Signature(ArgTypes{ConstWchar_tPtrTy}, RetType{Wchar_tPtrTy}),
2052a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2053ec727ea7Spatrick 
2054ec727ea7Spatrick     // int mkstemp(char *template);
2055*12c85518Srobert     addToFunctionSummaryMap(
2056*12c85518Srobert         "mkstemp", Signature(ArgTypes{CharPtrTy}, RetType{IntTy}),
2057a9ac8606Spatrick         Summary(NoEvalCall)
2058*12c85518Srobert             .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
2059*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2060ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2061ec727ea7Spatrick 
2062ec727ea7Spatrick     // char *mkdtemp(char *template);
2063*12c85518Srobert     // FIXME: Improve for errno modeling.
2064ec727ea7Spatrick     addToFunctionSummaryMap(
2065a9ac8606Spatrick         "mkdtemp", Signature(ArgTypes{CharPtrTy}, RetType{CharPtrTy}),
2066a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2067ec727ea7Spatrick 
2068ec727ea7Spatrick     // char *getcwd(char *buf, size_t size);
2069*12c85518Srobert     // FIXME: Improve for errno modeling.
2070ec727ea7Spatrick     addToFunctionSummaryMap(
2071a9ac8606Spatrick         "getcwd", Signature(ArgTypes{CharPtrTy, SizeTy}, RetType{CharPtrTy}),
2072a9ac8606Spatrick         Summary(NoEvalCall)
2073ec727ea7Spatrick             .ArgConstraint(
2074ec727ea7Spatrick                 ArgumentCondition(1, WithinRange, Range(0, SizeMax))));
2075ec727ea7Spatrick 
2076ec727ea7Spatrick     // int mkdir(const char *pathname, mode_t mode);
2077a9ac8606Spatrick     addToFunctionSummaryMap(
2078a9ac8606Spatrick         "mkdir", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
2079a9ac8606Spatrick         Summary(NoEvalCall)
2080*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2081*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2082ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2083ec727ea7Spatrick 
2084ec727ea7Spatrick     // int mkdirat(int dirfd, const char *pathname, mode_t mode);
2085ec727ea7Spatrick     addToFunctionSummaryMap(
2086a9ac8606Spatrick         "mkdirat",
2087a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
2088a9ac8606Spatrick         Summary(NoEvalCall)
2089*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2090*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2091ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2092ec727ea7Spatrick 
2093*12c85518Srobert     std::optional<QualType> Dev_tTy = lookupTy("dev_t");
2094ec727ea7Spatrick 
2095ec727ea7Spatrick     // int mknod(const char *pathname, mode_t mode, dev_t dev);
2096ec727ea7Spatrick     addToFunctionSummaryMap(
2097a9ac8606Spatrick         "mknod",
2098a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, Mode_tTy, Dev_tTy}, RetType{IntTy}),
2099a9ac8606Spatrick         Summary(NoEvalCall)
2100*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2101*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2102ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2103ec727ea7Spatrick 
2104ec727ea7Spatrick     // int mknodat(int dirfd, const char *pathname, mode_t mode, dev_t dev);
2105a9ac8606Spatrick     addToFunctionSummaryMap(
2106a9ac8606Spatrick         "mknodat",
2107a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy, Dev_tTy},
2108a9ac8606Spatrick                   RetType{IntTy}),
2109a9ac8606Spatrick         Summary(NoEvalCall)
2110*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2111*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2112ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2113ec727ea7Spatrick 
2114ec727ea7Spatrick     // int chmod(const char *path, mode_t mode);
2115a9ac8606Spatrick     addToFunctionSummaryMap(
2116a9ac8606Spatrick         "chmod", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
2117a9ac8606Spatrick         Summary(NoEvalCall)
2118*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2119*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2120ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2121ec727ea7Spatrick 
2122ec727ea7Spatrick     // int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags);
2123ec727ea7Spatrick     addToFunctionSummaryMap(
2124a9ac8606Spatrick         "fchmodat",
2125a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy, IntTy},
2126a9ac8606Spatrick                   RetType{IntTy}),
2127a9ac8606Spatrick         Summary(NoEvalCall)
2128*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2129*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2130a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2131ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2132ec727ea7Spatrick 
2133ec727ea7Spatrick     // int fchmod(int fildes, mode_t mode);
2134ec727ea7Spatrick     addToFunctionSummaryMap(
2135a9ac8606Spatrick         "fchmod", Signature(ArgTypes{IntTy, Mode_tTy}, RetType{IntTy}),
2136a9ac8606Spatrick         Summary(NoEvalCall)
2137*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2138*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2139ec727ea7Spatrick             .ArgConstraint(
2140ec727ea7Spatrick                 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2141ec727ea7Spatrick 
2142*12c85518Srobert     std::optional<QualType> Uid_tTy = lookupTy("uid_t");
2143*12c85518Srobert     std::optional<QualType> Gid_tTy = lookupTy("gid_t");
2144ec727ea7Spatrick 
2145ec727ea7Spatrick     // int fchownat(int dirfd, const char *pathname, uid_t owner, gid_t group,
2146ec727ea7Spatrick     //              int flags);
2147ec727ea7Spatrick     addToFunctionSummaryMap(
2148ec727ea7Spatrick         "fchownat",
2149a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstCharPtrTy, Uid_tTy, Gid_tTy, IntTy},
2150a9ac8606Spatrick                   RetType{IntTy}),
2151a9ac8606Spatrick         Summary(NoEvalCall)
2152*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2153*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2154a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2155ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2156ec727ea7Spatrick 
2157ec727ea7Spatrick     // int chown(const char *path, uid_t owner, gid_t group);
2158ec727ea7Spatrick     addToFunctionSummaryMap(
2159a9ac8606Spatrick         "chown",
2160a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, Uid_tTy, Gid_tTy}, RetType{IntTy}),
2161a9ac8606Spatrick         Summary(NoEvalCall)
2162*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2163*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2164ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2165ec727ea7Spatrick 
2166ec727ea7Spatrick     // int lchown(const char *path, uid_t owner, gid_t group);
2167ec727ea7Spatrick     addToFunctionSummaryMap(
2168a9ac8606Spatrick         "lchown",
2169a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, Uid_tTy, Gid_tTy}, RetType{IntTy}),
2170a9ac8606Spatrick         Summary(NoEvalCall)
2171*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2172*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2173ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2174ec727ea7Spatrick 
2175ec727ea7Spatrick     // int fchown(int fildes, uid_t owner, gid_t group);
2176ec727ea7Spatrick     addToFunctionSummaryMap(
2177a9ac8606Spatrick         "fchown", Signature(ArgTypes{IntTy, Uid_tTy, Gid_tTy}, RetType{IntTy}),
2178a9ac8606Spatrick         Summary(NoEvalCall)
2179*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2180*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2181a9ac8606Spatrick             .ArgConstraint(
2182a9ac8606Spatrick                 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2183ec727ea7Spatrick 
2184ec727ea7Spatrick     // int rmdir(const char *pathname);
2185a9ac8606Spatrick     addToFunctionSummaryMap("rmdir",
2186a9ac8606Spatrick                             Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}),
2187a9ac8606Spatrick                             Summary(NoEvalCall)
2188*12c85518Srobert                                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2189*12c85518Srobert                                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2190ec727ea7Spatrick                                 .ArgConstraint(NotNull(ArgNo(0))));
2191ec727ea7Spatrick 
2192ec727ea7Spatrick     // int chdir(const char *path);
2193a9ac8606Spatrick     addToFunctionSummaryMap("chdir",
2194a9ac8606Spatrick                             Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}),
2195a9ac8606Spatrick                             Summary(NoEvalCall)
2196*12c85518Srobert                                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2197*12c85518Srobert                                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2198ec727ea7Spatrick                                 .ArgConstraint(NotNull(ArgNo(0))));
2199ec727ea7Spatrick 
2200ec727ea7Spatrick     // int link(const char *oldpath, const char *newpath);
2201a9ac8606Spatrick     addToFunctionSummaryMap(
2202a9ac8606Spatrick         "link",
2203a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{IntTy}),
2204a9ac8606Spatrick         Summary(NoEvalCall)
2205*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2206*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2207ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
2208ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2209ec727ea7Spatrick 
2210ec727ea7Spatrick     // int linkat(int fd1, const char *path1, int fd2, const char *path2,
2211ec727ea7Spatrick     //            int flag);
2212ec727ea7Spatrick     addToFunctionSummaryMap(
2213ec727ea7Spatrick         "linkat",
2214a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, ConstCharPtrTy, IntTy},
2215a9ac8606Spatrick                   RetType{IntTy}),
2216a9ac8606Spatrick         Summary(NoEvalCall)
2217*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2218*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2219ec727ea7Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2220ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1)))
2221ec727ea7Spatrick             .ArgConstraint(ArgumentCondition(2, WithinRange, Range(0, IntMax)))
2222ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(3))));
2223ec727ea7Spatrick 
2224ec727ea7Spatrick     // int unlink(const char *pathname);
2225a9ac8606Spatrick     addToFunctionSummaryMap("unlink",
2226a9ac8606Spatrick                             Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}),
2227a9ac8606Spatrick                             Summary(NoEvalCall)
2228*12c85518Srobert                                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2229*12c85518Srobert                                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2230ec727ea7Spatrick                                 .ArgConstraint(NotNull(ArgNo(0))));
2231ec727ea7Spatrick 
2232ec727ea7Spatrick     // int unlinkat(int fd, const char *path, int flag);
2233ec727ea7Spatrick     addToFunctionSummaryMap(
2234ec727ea7Spatrick         "unlinkat",
2235a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy}, RetType{IntTy}),
2236a9ac8606Spatrick         Summary(NoEvalCall)
2237*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2238*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2239ec727ea7Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2240ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2241ec727ea7Spatrick 
2242*12c85518Srobert     std::optional<QualType> StructStatTy = lookupTy("stat");
2243*12c85518Srobert     std::optional<QualType> StructStatPtrTy = getPointerTy(StructStatTy);
2244*12c85518Srobert     std::optional<QualType> StructStatPtrRestrictTy =
2245*12c85518Srobert         getRestrictTy(StructStatPtrTy);
2246ec727ea7Spatrick 
2247ec727ea7Spatrick     // int fstat(int fd, struct stat *statbuf);
2248ec727ea7Spatrick     addToFunctionSummaryMap(
2249a9ac8606Spatrick         "fstat", Signature(ArgTypes{IntTy, StructStatPtrTy}, RetType{IntTy}),
2250a9ac8606Spatrick         Summary(NoEvalCall)
2251*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2252*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2253a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2254ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2255ec727ea7Spatrick 
2256ec727ea7Spatrick     // int stat(const char *restrict path, struct stat *restrict buf);
2257ec727ea7Spatrick     addToFunctionSummaryMap(
2258ec727ea7Spatrick         "stat",
2259a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrRestrictTy, StructStatPtrRestrictTy},
2260a9ac8606Spatrick                   RetType{IntTy}),
2261a9ac8606Spatrick         Summary(NoEvalCall)
2262*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2263*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2264ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
2265ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2266ec727ea7Spatrick 
2267ec727ea7Spatrick     // int lstat(const char *restrict path, struct stat *restrict buf);
2268ec727ea7Spatrick     addToFunctionSummaryMap(
2269ec727ea7Spatrick         "lstat",
2270a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrRestrictTy, StructStatPtrRestrictTy},
2271a9ac8606Spatrick                   RetType{IntTy}),
2272a9ac8606Spatrick         Summary(NoEvalCall)
2273*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2274*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2275ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
2276ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2277ec727ea7Spatrick 
2278ec727ea7Spatrick     // int fstatat(int fd, const char *restrict path,
2279ec727ea7Spatrick     //             struct stat *restrict buf, int flag);
2280ec727ea7Spatrick     addToFunctionSummaryMap(
2281a9ac8606Spatrick         "fstatat",
2282a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstCharPtrRestrictTy,
2283a9ac8606Spatrick                            StructStatPtrRestrictTy, IntTy},
2284a9ac8606Spatrick                   RetType{IntTy}),
2285a9ac8606Spatrick         Summary(NoEvalCall)
2286*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2287*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2288a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2289ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1)))
2290ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(2))));
2291ec727ea7Spatrick 
2292ec727ea7Spatrick     // DIR *opendir(const char *name);
2293*12c85518Srobert     // FIXME: Improve for errno modeling.
2294a9ac8606Spatrick     addToFunctionSummaryMap(
2295a9ac8606Spatrick         "opendir", Signature(ArgTypes{ConstCharPtrTy}, RetType{DirPtrTy}),
2296a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2297ec727ea7Spatrick 
2298ec727ea7Spatrick     // DIR *fdopendir(int fd);
2299*12c85518Srobert     // FIXME: Improve for errno modeling.
2300a9ac8606Spatrick     addToFunctionSummaryMap("fdopendir",
2301a9ac8606Spatrick                             Signature(ArgTypes{IntTy}, RetType{DirPtrTy}),
2302a9ac8606Spatrick                             Summary(NoEvalCall)
2303a9ac8606Spatrick                                 .ArgConstraint(ArgumentCondition(
2304a9ac8606Spatrick                                     0, WithinRange, Range(0, IntMax))));
2305ec727ea7Spatrick 
2306ec727ea7Spatrick     // int isatty(int fildes);
2307ec727ea7Spatrick     addToFunctionSummaryMap(
2308a9ac8606Spatrick         "isatty", Signature(ArgTypes{IntTy}, RetType{IntTy}),
2309a9ac8606Spatrick         Summary(NoEvalCall)
2310*12c85518Srobert             .Case({ReturnValueCondition(WithinRange, Range(0, 1))},
2311*12c85518Srobert                   ErrnoIrrelevant)
2312ec727ea7Spatrick             .ArgConstraint(
2313ec727ea7Spatrick                 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2314ec727ea7Spatrick 
2315ec727ea7Spatrick     // FILE *popen(const char *command, const char *type);
2316*12c85518Srobert     // FIXME: Improve for errno modeling.
2317a9ac8606Spatrick     addToFunctionSummaryMap(
2318a9ac8606Spatrick         "popen",
2319a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{FilePtrTy}),
2320a9ac8606Spatrick         Summary(NoEvalCall)
2321ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
2322ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2323ec727ea7Spatrick 
2324ec727ea7Spatrick     // int pclose(FILE *stream);
2325*12c85518Srobert     // FIXME: Improve for errno modeling.
2326ec727ea7Spatrick     addToFunctionSummaryMap(
2327a9ac8606Spatrick         "pclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
2328a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2329ec727ea7Spatrick 
2330ec727ea7Spatrick     // int close(int fildes);
2331a9ac8606Spatrick     addToFunctionSummaryMap("close", Signature(ArgTypes{IntTy}, RetType{IntTy}),
2332a9ac8606Spatrick                             Summary(NoEvalCall)
2333*12c85518Srobert                                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2334*12c85518Srobert                                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2335a9ac8606Spatrick                                 .ArgConstraint(ArgumentCondition(
2336a9ac8606Spatrick                                     0, WithinRange, Range(-1, IntMax))));
2337ec727ea7Spatrick 
2338ec727ea7Spatrick     // long fpathconf(int fildes, int name);
2339a9ac8606Spatrick     addToFunctionSummaryMap("fpathconf",
2340a9ac8606Spatrick                             Signature(ArgTypes{IntTy, IntTy}, RetType{LongTy}),
2341a9ac8606Spatrick                             Summary(NoEvalCall)
2342a9ac8606Spatrick                                 .ArgConstraint(ArgumentCondition(
2343a9ac8606Spatrick                                     0, WithinRange, Range(0, IntMax))));
2344ec727ea7Spatrick 
2345ec727ea7Spatrick     // long pathconf(const char *path, int name);
2346a9ac8606Spatrick     addToFunctionSummaryMap(
2347a9ac8606Spatrick         "pathconf", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{LongTy}),
2348a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2349ec727ea7Spatrick 
2350ec727ea7Spatrick     // FILE *fdopen(int fd, const char *mode);
2351*12c85518Srobert     // FIXME: Improve for errno modeling.
2352ec727ea7Spatrick     addToFunctionSummaryMap(
2353a9ac8606Spatrick         "fdopen",
2354a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstCharPtrTy}, RetType{FilePtrTy}),
2355a9ac8606Spatrick         Summary(NoEvalCall)
2356a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2357ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2358ec727ea7Spatrick 
2359ec727ea7Spatrick     // void rewinddir(DIR *dir);
2360ec727ea7Spatrick     addToFunctionSummaryMap(
2361a9ac8606Spatrick         "rewinddir", Signature(ArgTypes{DirPtrTy}, RetType{VoidTy}),
2362a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2363ec727ea7Spatrick 
2364ec727ea7Spatrick     // void seekdir(DIR *dirp, long loc);
2365a9ac8606Spatrick     addToFunctionSummaryMap(
2366a9ac8606Spatrick         "seekdir", Signature(ArgTypes{DirPtrTy, LongTy}, RetType{VoidTy}),
2367a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2368ec727ea7Spatrick 
2369ec727ea7Spatrick     // int rand_r(unsigned int *seedp);
2370ec727ea7Spatrick     addToFunctionSummaryMap(
2371a9ac8606Spatrick         "rand_r", Signature(ArgTypes{UnsignedIntPtrTy}, RetType{IntTy}),
2372a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2373ec727ea7Spatrick 
2374ec727ea7Spatrick     // int fseeko(FILE *stream, off_t offset, int whence);
2375a9ac8606Spatrick     addToFunctionSummaryMap(
2376a9ac8606Spatrick         "fseeko",
2377a9ac8606Spatrick         Signature(ArgTypes{FilePtrTy, Off_tTy, IntTy}, RetType{IntTy}),
2378a9ac8606Spatrick         Summary(NoEvalCall)
2379*12c85518Srobert             .Case(ReturnsZeroOrMinusOne, ErrnoIrrelevant)
2380ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2381ec727ea7Spatrick 
2382ec727ea7Spatrick     // off_t ftello(FILE *stream);
2383ec727ea7Spatrick     addToFunctionSummaryMap(
2384a9ac8606Spatrick         "ftello", Signature(ArgTypes{FilePtrTy}, RetType{Off_tTy}),
2385a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2386ec727ea7Spatrick 
2387ec727ea7Spatrick     // void *mmap(void *addr, size_t length, int prot, int flags, int fd,
2388ec727ea7Spatrick     // off_t offset);
2389*12c85518Srobert     // FIXME: Improve for errno modeling.
2390ec727ea7Spatrick     addToFunctionSummaryMap(
2391ec727ea7Spatrick         "mmap",
2392a9ac8606Spatrick         Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off_tTy},
2393a9ac8606Spatrick                   RetType{VoidPtrTy}),
2394a9ac8606Spatrick         Summary(NoEvalCall)
2395a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax)))
2396ec727ea7Spatrick             .ArgConstraint(
2397a9ac8606Spatrick                 ArgumentCondition(4, WithinRange, Range(-1, IntMax))));
2398ec727ea7Spatrick 
2399*12c85518Srobert     std::optional<QualType> Off64_tTy = lookupTy("off64_t");
2400ec727ea7Spatrick     // void *mmap64(void *addr, size_t length, int prot, int flags, int fd,
2401ec727ea7Spatrick     // off64_t offset);
2402*12c85518Srobert     // FIXME: Improve for errno modeling.
2403ec727ea7Spatrick     addToFunctionSummaryMap(
2404ec727ea7Spatrick         "mmap64",
2405a9ac8606Spatrick         Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off64_tTy},
2406a9ac8606Spatrick                   RetType{VoidPtrTy}),
2407a9ac8606Spatrick         Summary(NoEvalCall)
2408a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax)))
2409ec727ea7Spatrick             .ArgConstraint(
2410a9ac8606Spatrick                 ArgumentCondition(4, WithinRange, Range(-1, IntMax))));
2411ec727ea7Spatrick 
2412ec727ea7Spatrick     // int pipe(int fildes[2]);
2413a9ac8606Spatrick     addToFunctionSummaryMap("pipe",
2414a9ac8606Spatrick                             Signature(ArgTypes{IntPtrTy}, RetType{IntTy}),
2415a9ac8606Spatrick                             Summary(NoEvalCall)
2416*12c85518Srobert                                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2417*12c85518Srobert                                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2418ec727ea7Spatrick                                 .ArgConstraint(NotNull(ArgNo(0))));
2419ec727ea7Spatrick 
2420ec727ea7Spatrick     // off_t lseek(int fildes, off_t offset, int whence);
2421*12c85518Srobert     // In the first case we cannot tell for sure whether the call failed.
2422*12c85518Srobert     // A return value different from the expected offset (which is unknown
2423*12c85518Srobert     // here) may indicate failure. For this reason we do not enforce the errno
2424*12c85518Srobert     // check (it could cause false positives).
2425ec727ea7Spatrick     addToFunctionSummaryMap(
2426a9ac8606Spatrick         "lseek", Signature(ArgTypes{IntTy, Off_tTy, IntTy}, RetType{Off_tTy}),
2427a9ac8606Spatrick         Summary(NoEvalCall)
2428*12c85518Srobert             .Case(ReturnsNonnegative, ErrnoIrrelevant)
2429*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2430a9ac8606Spatrick             .ArgConstraint(
2431a9ac8606Spatrick                 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2432ec727ea7Spatrick 
2433ec727ea7Spatrick     // ssize_t readlink(const char *restrict path, char *restrict buf,
2434ec727ea7Spatrick     //                  size_t bufsize);
2435ec727ea7Spatrick     addToFunctionSummaryMap(
2436ec727ea7Spatrick         "readlink",
2437a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy},
2438a9ac8606Spatrick                   RetType{Ssize_tTy}),
2439a9ac8606Spatrick         Summary(NoEvalCall)
2440a9ac8606Spatrick             .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
2441*12c85518Srobert                    ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2442*12c85518Srobert                   ErrnoMustNotBeChecked)
2443*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2444ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
2445ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1)))
2446ec727ea7Spatrick             .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2447ec727ea7Spatrick                                       /*BufSize=*/ArgNo(2)))
2448ec727ea7Spatrick             .ArgConstraint(
2449ec727ea7Spatrick                 ArgumentCondition(2, WithinRange, Range(0, SizeMax))));
2450ec727ea7Spatrick 
2451ec727ea7Spatrick     // ssize_t readlinkat(int fd, const char *restrict path,
2452ec727ea7Spatrick     //                    char *restrict buf, size_t bufsize);
2453ec727ea7Spatrick     addToFunctionSummaryMap(
2454a9ac8606Spatrick         "readlinkat",
2455a9ac8606Spatrick         Signature(
2456a9ac8606Spatrick             ArgTypes{IntTy, ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy},
2457a9ac8606Spatrick             RetType{Ssize_tTy}),
2458a9ac8606Spatrick         Summary(NoEvalCall)
2459a9ac8606Spatrick             .Case({ReturnValueCondition(LessThanOrEq, ArgNo(3)),
2460*12c85518Srobert                    ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2461*12c85518Srobert                   ErrnoMustNotBeChecked)
2462*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2463a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2464ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1)))
2465ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(2)))
2466ec727ea7Spatrick             .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(2),
2467ec727ea7Spatrick                                       /*BufSize=*/ArgNo(3)))
2468a9ac8606Spatrick             .ArgConstraint(
2469a9ac8606Spatrick                 ArgumentCondition(3, WithinRange, Range(0, SizeMax))));
2470ec727ea7Spatrick 
2471ec727ea7Spatrick     // int renameat(int olddirfd, const char *oldpath, int newdirfd, const char
2472ec727ea7Spatrick     // *newpath);
2473a9ac8606Spatrick     addToFunctionSummaryMap(
2474a9ac8606Spatrick         "renameat",
2475a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, ConstCharPtrTy},
2476a9ac8606Spatrick                   RetType{IntTy}),
2477a9ac8606Spatrick         Summary(NoEvalCall)
2478*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2479*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2480ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1)))
2481ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(3))));
2482ec727ea7Spatrick 
2483ec727ea7Spatrick     // char *realpath(const char *restrict file_name,
2484ec727ea7Spatrick     //                char *restrict resolved_name);
2485*12c85518Srobert     // FIXME: Improve for errno modeling.
2486ec727ea7Spatrick     addToFunctionSummaryMap(
2487a9ac8606Spatrick         "realpath",
2488a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy},
2489a9ac8606Spatrick                   RetType{CharPtrTy}),
2490a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2491ec727ea7Spatrick 
2492a9ac8606Spatrick     QualType CharPtrConstPtr = getPointerTy(getConstTy(CharPtrTy));
2493ec727ea7Spatrick 
2494ec727ea7Spatrick     // int execv(const char *path, char *const argv[]);
2495a9ac8606Spatrick     addToFunctionSummaryMap(
2496a9ac8606Spatrick         "execv",
2497a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, CharPtrConstPtr}, RetType{IntTy}),
2498a9ac8606Spatrick         Summary(NoEvalCall)
2499*12c85518Srobert             .Case({ReturnValueCondition(WithinRange, SingleValue(-1))},
2500*12c85518Srobert                   ErrnoIrrelevant)
2501ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2502ec727ea7Spatrick 
2503ec727ea7Spatrick     // int execvp(const char *file, char *const argv[]);
2504a9ac8606Spatrick     addToFunctionSummaryMap(
2505a9ac8606Spatrick         "execvp",
2506a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, CharPtrConstPtr}, RetType{IntTy}),
2507a9ac8606Spatrick         Summary(NoEvalCall)
2508*12c85518Srobert             .Case({ReturnValueCondition(WithinRange, SingleValue(-1))},
2509*12c85518Srobert                   ErrnoIrrelevant)
2510ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2511ec727ea7Spatrick 
2512ec727ea7Spatrick     // int getopt(int argc, char * const argv[], const char *optstring);
2513ec727ea7Spatrick     addToFunctionSummaryMap(
2514ec727ea7Spatrick         "getopt",
2515a9ac8606Spatrick         Signature(ArgTypes{IntTy, CharPtrConstPtr, ConstCharPtrTy},
2516a9ac8606Spatrick                   RetType{IntTy}),
2517a9ac8606Spatrick         Summary(NoEvalCall)
2518*12c85518Srobert             .Case({ReturnValueCondition(WithinRange, Range(-1, UCharRangeMax))},
2519*12c85518Srobert                   ErrnoIrrelevant)
2520ec727ea7Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2521ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1)))
2522ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(2))));
2523a9ac8606Spatrick 
2524*12c85518Srobert     std::optional<QualType> StructSockaddrTy = lookupTy("sockaddr");
2525*12c85518Srobert     std::optional<QualType> StructSockaddrPtrTy =
2526*12c85518Srobert         getPointerTy(StructSockaddrTy);
2527*12c85518Srobert     std::optional<QualType> ConstStructSockaddrPtrTy =
2528a9ac8606Spatrick         getPointerTy(getConstTy(StructSockaddrTy));
2529*12c85518Srobert     std::optional<QualType> StructSockaddrPtrRestrictTy =
2530a9ac8606Spatrick         getRestrictTy(StructSockaddrPtrTy);
2531*12c85518Srobert     std::optional<QualType> ConstStructSockaddrPtrRestrictTy =
2532a9ac8606Spatrick         getRestrictTy(ConstStructSockaddrPtrTy);
2533*12c85518Srobert     std::optional<QualType> Socklen_tTy = lookupTy("socklen_t");
2534*12c85518Srobert     std::optional<QualType> Socklen_tPtrTy = getPointerTy(Socklen_tTy);
2535*12c85518Srobert     std::optional<QualType> Socklen_tPtrRestrictTy =
2536*12c85518Srobert         getRestrictTy(Socklen_tPtrTy);
2537*12c85518Srobert     std::optional<RangeInt> Socklen_tMax = getMaxValue(Socklen_tTy);
2538a9ac8606Spatrick 
2539a9ac8606Spatrick     // In the 'socket.h' of some libc implementations with C99, the sockaddr
2540a9ac8606Spatrick     // parameter is a transparent union of the underlying sockaddr_ family of
2541a9ac8606Spatrick     // pointers instead of a pointer to struct sockaddr. In these cases the
2542a9ac8606Spatrick     // standardized signature does not match, so we retry with a signature that
2543a9ac8606Spatrick     // uses the wildcard ('joker') Irrelevant type. That fallback also drops the
2544a9ac8606Spatrick     // constraints that require a pointer-typed sockaddr param (e.g. NotNull).
2545a9ac8606Spatrick     auto Accept =
2546a9ac8606Spatrick         Summary(NoEvalCall)
2547*12c85518Srobert             .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
2548*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2549a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)));
2550a9ac8606Spatrick     if (!addToFunctionSummaryMap(
2551a9ac8606Spatrick             "accept",
2552a9ac8606Spatrick             // int accept(int socket, struct sockaddr *restrict address,
2553a9ac8606Spatrick             //            socklen_t *restrict address_len);
2554a9ac8606Spatrick             Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy,
2555a9ac8606Spatrick                                Socklen_tPtrRestrictTy},
2556a9ac8606Spatrick                       RetType{IntTy}),
2557a9ac8606Spatrick             Accept))
2558a9ac8606Spatrick       addToFunctionSummaryMap(
2559a9ac8606Spatrick           "accept",
2560a9ac8606Spatrick           Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy},
2561a9ac8606Spatrick                     RetType{IntTy}),
2562a9ac8606Spatrick           Accept);
2563a9ac8606Spatrick 
2564a9ac8606Spatrick     // int bind(int socket, const struct sockaddr *address, socklen_t
2565a9ac8606Spatrick     //          address_len);
2566a9ac8606Spatrick     if (!addToFunctionSummaryMap(
2567a9ac8606Spatrick             "bind",
2568a9ac8606Spatrick             Signature(ArgTypes{IntTy, ConstStructSockaddrPtrTy, Socklen_tTy},
2569a9ac8606Spatrick                       RetType{IntTy}),
2570a9ac8606Spatrick             Summary(NoEvalCall)
2571*12c85518Srobert                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2572*12c85518Srobert                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2573a9ac8606Spatrick                 .ArgConstraint(
2574a9ac8606Spatrick                     ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2575a9ac8606Spatrick                 .ArgConstraint(NotNull(ArgNo(1)))
2576a9ac8606Spatrick                 .ArgConstraint(
2577a9ac8606Spatrick                     BufferSize(/*Buffer=*/ArgNo(1), /*BufSize=*/ArgNo(2)))
2578a9ac8606Spatrick                 .ArgConstraint(
2579a9ac8606Spatrick                     ArgumentCondition(2, WithinRange, Range(0, Socklen_tMax)))))
2580a9ac8606Spatrick       // Fallback: add no NotNull/BufferSize constraints on the sockaddr arg.
2581a9ac8606Spatrick       addToFunctionSummaryMap(
2582a9ac8606Spatrick           "bind",
2583a9ac8606Spatrick           Signature(ArgTypes{IntTy, Irrelevant, Socklen_tTy}, RetType{IntTy}),
2584a9ac8606Spatrick           Summary(NoEvalCall)
2585*12c85518Srobert               .Case(ReturnsZero, ErrnoMustNotBeChecked)
2586*12c85518Srobert               .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2587a9ac8606Spatrick               .ArgConstraint(
2588a9ac8606Spatrick                   ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2589a9ac8606Spatrick               .ArgConstraint(
2590a9ac8606Spatrick                   ArgumentCondition(2, WithinRange, Range(0, Socklen_tMax))));
2591a9ac8606Spatrick 
2592a9ac8606Spatrick     // int getpeername(int socket, struct sockaddr *restrict address,
2593a9ac8606Spatrick     //                 socklen_t *restrict address_len);
2594a9ac8606Spatrick     if (!addToFunctionSummaryMap(
2595a9ac8606Spatrick             "getpeername",
2596a9ac8606Spatrick             Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy,
2597a9ac8606Spatrick                                Socklen_tPtrRestrictTy},
2598a9ac8606Spatrick                       RetType{IntTy}),
2599a9ac8606Spatrick             Summary(NoEvalCall)
2600*12c85518Srobert                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2601*12c85518Srobert                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2602a9ac8606Spatrick                 .ArgConstraint(
2603a9ac8606Spatrick                     ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2604a9ac8606Spatrick                 .ArgConstraint(NotNull(ArgNo(1)))
2605a9ac8606Spatrick                 .ArgConstraint(NotNull(ArgNo(2)))))
2606a9ac8606Spatrick       addToFunctionSummaryMap(
2607a9ac8606Spatrick           "getpeername",
2608a9ac8606Spatrick           Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy},
2609a9ac8606Spatrick                     RetType{IntTy}),
2610a9ac8606Spatrick           Summary(NoEvalCall)
2611*12c85518Srobert               .Case(ReturnsZero, ErrnoMustNotBeChecked)
2612*12c85518Srobert               .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2613a9ac8606Spatrick               .ArgConstraint(
2614a9ac8606Spatrick                   ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2615a9ac8606Spatrick 
2616a9ac8606Spatrick     // int getsockname(int socket, struct sockaddr *restrict address,
2617a9ac8606Spatrick     //                 socklen_t *restrict address_len);
2618a9ac8606Spatrick     if (!addToFunctionSummaryMap(
2619a9ac8606Spatrick             "getsockname",
2620a9ac8606Spatrick             Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy,
2621a9ac8606Spatrick                                Socklen_tPtrRestrictTy},
2622a9ac8606Spatrick                       RetType{IntTy}),
2623a9ac8606Spatrick             Summary(NoEvalCall)
2624*12c85518Srobert                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2625*12c85518Srobert                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2626a9ac8606Spatrick                 .ArgConstraint(
2627a9ac8606Spatrick                     ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2628a9ac8606Spatrick                 .ArgConstraint(NotNull(ArgNo(1)))
2629a9ac8606Spatrick                 .ArgConstraint(NotNull(ArgNo(2)))))
2630a9ac8606Spatrick       addToFunctionSummaryMap(
2631a9ac8606Spatrick           "getsockname",
2632a9ac8606Spatrick           Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy},
2633a9ac8606Spatrick                     RetType{IntTy}),
2634a9ac8606Spatrick           Summary(NoEvalCall)
2635*12c85518Srobert               .Case(ReturnsZero, ErrnoMustNotBeChecked)
2636*12c85518Srobert               .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2637a9ac8606Spatrick               .ArgConstraint(
2638a9ac8606Spatrick                   ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2639a9ac8606Spatrick 
2640a9ac8606Spatrick     // int connect(int socket, const struct sockaddr *address, socklen_t
2641a9ac8606Spatrick     //             address_len);
2642a9ac8606Spatrick     if (!addToFunctionSummaryMap(
2643a9ac8606Spatrick             "connect",
2644a9ac8606Spatrick             Signature(ArgTypes{IntTy, ConstStructSockaddrPtrTy, Socklen_tTy},
2645a9ac8606Spatrick                       RetType{IntTy}),
2646a9ac8606Spatrick             Summary(NoEvalCall)
2647*12c85518Srobert                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2648*12c85518Srobert                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2649a9ac8606Spatrick                 .ArgConstraint(
2650a9ac8606Spatrick                     ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2651a9ac8606Spatrick                 .ArgConstraint(NotNull(ArgNo(1)))))
2652a9ac8606Spatrick       addToFunctionSummaryMap(
2653a9ac8606Spatrick           "connect",
2654a9ac8606Spatrick           Signature(ArgTypes{IntTy, Irrelevant, Socklen_tTy}, RetType{IntTy}),
2655a9ac8606Spatrick           Summary(NoEvalCall)
2656*12c85518Srobert               .Case(ReturnsZero, ErrnoMustNotBeChecked)
2657*12c85518Srobert               .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2658a9ac8606Spatrick               .ArgConstraint(
2659a9ac8606Spatrick                   ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2660a9ac8606Spatrick 
2661a9ac8606Spatrick     auto Recvfrom =
2662a9ac8606Spatrick         Summary(NoEvalCall)
2663a9ac8606Spatrick             .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
2664*12c85518Srobert                    ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2665*12c85518Srobert                   ErrnoMustNotBeChecked)
2666*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2667a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2668a9ac8606Spatrick             .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2669a9ac8606Spatrick                                       /*BufSize=*/ArgNo(2)));
2670a9ac8606Spatrick     if (!addToFunctionSummaryMap(
2671a9ac8606Spatrick             "recvfrom",
2672a9ac8606Spatrick             // ssize_t recvfrom(int socket, void *restrict buffer,
2673a9ac8606Spatrick             //                  size_t length,
2674a9ac8606Spatrick             //                  int flags, struct sockaddr *restrict address,
2675a9ac8606Spatrick             //                  socklen_t *restrict address_len);
2676a9ac8606Spatrick             Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy,
2677a9ac8606Spatrick                                StructSockaddrPtrRestrictTy,
2678a9ac8606Spatrick                                Socklen_tPtrRestrictTy},
2679a9ac8606Spatrick                       RetType{Ssize_tTy}),
2680a9ac8606Spatrick             Recvfrom))
2681a9ac8606Spatrick       addToFunctionSummaryMap(
2682a9ac8606Spatrick           "recvfrom",
2683a9ac8606Spatrick           Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy,
2684a9ac8606Spatrick                              Irrelevant, Socklen_tPtrRestrictTy},
2685a9ac8606Spatrick                     RetType{Ssize_tTy}),
2686a9ac8606Spatrick           Recvfrom);
2687a9ac8606Spatrick 
2688a9ac8606Spatrick     auto Sendto =
2689a9ac8606Spatrick         Summary(NoEvalCall)
2690a9ac8606Spatrick             .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
2691*12c85518Srobert                    ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2692*12c85518Srobert                   ErrnoMustNotBeChecked)
2693*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2694a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2695a9ac8606Spatrick             .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2696a9ac8606Spatrick                                       /*BufSize=*/ArgNo(2)));
2697a9ac8606Spatrick     if (!addToFunctionSummaryMap(
2698a9ac8606Spatrick             "sendto",
2699a9ac8606Spatrick             // ssize_t sendto(int socket, const void *message, size_t length,
2700a9ac8606Spatrick             //                int flags, const struct sockaddr *dest_addr,
2701a9ac8606Spatrick             //                socklen_t dest_len);
2702a9ac8606Spatrick             Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy,
2703a9ac8606Spatrick                                ConstStructSockaddrPtrTy, Socklen_tTy},
2704a9ac8606Spatrick                       RetType{Ssize_tTy}),
2705a9ac8606Spatrick             Sendto))
2706a9ac8606Spatrick       addToFunctionSummaryMap(
2707a9ac8606Spatrick           "sendto",
2708a9ac8606Spatrick           Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy, Irrelevant,
2709a9ac8606Spatrick                              Socklen_tTy},
2710a9ac8606Spatrick                     RetType{Ssize_tTy}),
2711a9ac8606Spatrick           Sendto);
2712a9ac8606Spatrick 
2713a9ac8606Spatrick     // int listen(int sockfd, int backlog);
2714a9ac8606Spatrick     addToFunctionSummaryMap("listen",
2715a9ac8606Spatrick                             Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}),
2716a9ac8606Spatrick                             Summary(NoEvalCall)
2717*12c85518Srobert                                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2718*12c85518Srobert                                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2719a9ac8606Spatrick                                 .ArgConstraint(ArgumentCondition(
2720a9ac8606Spatrick                                     0, WithinRange, Range(0, IntMax))));
2721a9ac8606Spatrick 
2722a9ac8606Spatrick     // ssize_t recv(int sockfd, void *buf, size_t len, int flags);
2723a9ac8606Spatrick     addToFunctionSummaryMap(
2724a9ac8606Spatrick         "recv",
2725a9ac8606Spatrick         Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy, IntTy},
2726a9ac8606Spatrick                   RetType{Ssize_tTy}),
2727a9ac8606Spatrick         Summary(NoEvalCall)
2728a9ac8606Spatrick             .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
2729*12c85518Srobert                    ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2730*12c85518Srobert                   ErrnoMustNotBeChecked)
2731*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2732a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2733a9ac8606Spatrick             .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2734a9ac8606Spatrick                                       /*BufSize=*/ArgNo(2))));
2735a9ac8606Spatrick 
2736*12c85518Srobert     std::optional<QualType> StructMsghdrTy = lookupTy("msghdr");
2737*12c85518Srobert     std::optional<QualType> StructMsghdrPtrTy = getPointerTy(StructMsghdrTy);
2738*12c85518Srobert     std::optional<QualType> ConstStructMsghdrPtrTy =
2739a9ac8606Spatrick         getPointerTy(getConstTy(StructMsghdrTy));
2740a9ac8606Spatrick 
2741a9ac8606Spatrick     // ssize_t recvmsg(int sockfd, struct msghdr *msg, int flags);
2742a9ac8606Spatrick     addToFunctionSummaryMap(
2743a9ac8606Spatrick         "recvmsg",
2744a9ac8606Spatrick         Signature(ArgTypes{IntTy, StructMsghdrPtrTy, IntTy},
2745a9ac8606Spatrick                   RetType{Ssize_tTy}),
2746a9ac8606Spatrick         Summary(NoEvalCall)
2747*12c85518Srobert             .Case({ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2748*12c85518Srobert                   ErrnoMustNotBeChecked)
2749*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2750a9ac8606Spatrick             .ArgConstraint(
2751a9ac8606Spatrick                 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2752a9ac8606Spatrick 
2753a9ac8606Spatrick     // ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags);
2754a9ac8606Spatrick     addToFunctionSummaryMap(
2755a9ac8606Spatrick         "sendmsg",
2756a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstStructMsghdrPtrTy, IntTy},
2757a9ac8606Spatrick                   RetType{Ssize_tTy}),
2758a9ac8606Spatrick         Summary(NoEvalCall)
2759*12c85518Srobert             .Case({ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2760*12c85518Srobert                   ErrnoMustNotBeChecked)
2761*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2762a9ac8606Spatrick             .ArgConstraint(
2763a9ac8606Spatrick                 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2764a9ac8606Spatrick 
2765a9ac8606Spatrick     // int setsockopt(int socket, int level, int option_name,
2766a9ac8606Spatrick     //                const void *option_value, socklen_t option_len);
2767a9ac8606Spatrick     addToFunctionSummaryMap(
2768a9ac8606Spatrick         "setsockopt",
2769a9ac8606Spatrick         Signature(ArgTypes{IntTy, IntTy, IntTy, ConstVoidPtrTy, Socklen_tTy},
2770a9ac8606Spatrick                   RetType{IntTy}),
2771a9ac8606Spatrick         Summary(NoEvalCall)
2772*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2773*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2774a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(3)))
2775a9ac8606Spatrick             .ArgConstraint(
2776a9ac8606Spatrick                 BufferSize(/*Buffer=*/ArgNo(3), /*BufSize=*/ArgNo(4)))
2777a9ac8606Spatrick             .ArgConstraint(
2778a9ac8606Spatrick                 ArgumentCondition(4, WithinRange, Range(0, Socklen_tMax))));
2779a9ac8606Spatrick 
2780a9ac8606Spatrick     // int getsockopt(int socket, int level, int option_name,
2781a9ac8606Spatrick     //                void *restrict option_value,
2782a9ac8606Spatrick     //                socklen_t *restrict option_len);
2783a9ac8606Spatrick     addToFunctionSummaryMap(
2784a9ac8606Spatrick         "getsockopt",
2785a9ac8606Spatrick         Signature(ArgTypes{IntTy, IntTy, IntTy, VoidPtrRestrictTy,
2786a9ac8606Spatrick                            Socklen_tPtrRestrictTy},
2787a9ac8606Spatrick                   RetType{IntTy}),
2788a9ac8606Spatrick         Summary(NoEvalCall)
2789*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2790*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2791a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(3)))
2792a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(4))));
2793a9ac8606Spatrick 
2794a9ac8606Spatrick     // ssize_t send(int sockfd, const void *buf, size_t len, int flags);
2795a9ac8606Spatrick     addToFunctionSummaryMap(
2796a9ac8606Spatrick         "send",
2797a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy},
2798a9ac8606Spatrick                   RetType{Ssize_tTy}),
2799a9ac8606Spatrick         Summary(NoEvalCall)
2800a9ac8606Spatrick             .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
2801*12c85518Srobert                    ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2802*12c85518Srobert                   ErrnoMustNotBeChecked)
2803*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2804a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2805a9ac8606Spatrick             .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2806a9ac8606Spatrick                                       /*BufSize=*/ArgNo(2))));
2807a9ac8606Spatrick 
2808a9ac8606Spatrick     // int socketpair(int domain, int type, int protocol, int sv[2]);
2809a9ac8606Spatrick     addToFunctionSummaryMap(
2810a9ac8606Spatrick         "socketpair",
2811a9ac8606Spatrick         Signature(ArgTypes{IntTy, IntTy, IntTy, IntPtrTy}, RetType{IntTy}),
2812a9ac8606Spatrick         Summary(NoEvalCall)
2813*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2814*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2815a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(3))));
2816a9ac8606Spatrick 
2817a9ac8606Spatrick     // int getnameinfo(const struct sockaddr *restrict sa, socklen_t salen,
2818a9ac8606Spatrick     //                 char *restrict node, socklen_t nodelen,
2819a9ac8606Spatrick     //                 char *restrict service,
2820a9ac8606Spatrick     //                 socklen_t servicelen, int flags);
2821a9ac8606Spatrick     //
2822a9ac8606Spatrick     // This is defined in netdb.h. Unlike in 'socket.h', the sockaddr parameter
2823a9ac8606Spatrick     // is never handled as a transparent union there, so no fallback is needed.
2824a9ac8606Spatrick     addToFunctionSummaryMap(
2825a9ac8606Spatrick         "getnameinfo",
2826a9ac8606Spatrick         Signature(ArgTypes{ConstStructSockaddrPtrRestrictTy, Socklen_tTy,
2827a9ac8606Spatrick                            CharPtrRestrictTy, Socklen_tTy, CharPtrRestrictTy,
2828a9ac8606Spatrick                            Socklen_tTy, IntTy},
2829a9ac8606Spatrick                   RetType{IntTy}),
2830a9ac8606Spatrick         Summary(NoEvalCall)
2831a9ac8606Spatrick             .ArgConstraint(
2832a9ac8606Spatrick                 BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1)))
2833a9ac8606Spatrick             .ArgConstraint(
2834a9ac8606Spatrick                 ArgumentCondition(1, WithinRange, Range(0, Socklen_tMax)))
2835a9ac8606Spatrick             .ArgConstraint(
2836a9ac8606Spatrick                 BufferSize(/*Buffer=*/ArgNo(2), /*BufSize=*/ArgNo(3)))
2837a9ac8606Spatrick             .ArgConstraint(
2838a9ac8606Spatrick                 ArgumentCondition(3, WithinRange, Range(0, Socklen_tMax)))
2839a9ac8606Spatrick             .ArgConstraint(
2840a9ac8606Spatrick                 BufferSize(/*Buffer=*/ArgNo(4), /*BufSize=*/ArgNo(5)))
2841a9ac8606Spatrick             .ArgConstraint(
2842a9ac8606Spatrick                 ArgumentCondition(5, WithinRange, Range(0, Socklen_tMax))));
2843a9ac8606Spatrick 
2844*12c85518Srobert     std::optional<QualType> StructUtimbufTy = lookupTy("utimbuf");
2845*12c85518Srobert     std::optional<QualType> StructUtimbufPtrTy = getPointerTy(StructUtimbufTy);
2846a9ac8606Spatrick 
2847a9ac8606Spatrick     // int utime(const char *filename, struct utimbuf *buf);
2848a9ac8606Spatrick     addToFunctionSummaryMap(
2849a9ac8606Spatrick         "utime",
2850a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, StructUtimbufPtrTy}, RetType{IntTy}),
2851a9ac8606Spatrick         Summary(NoEvalCall)
2852*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2853*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2854a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2855a9ac8606Spatrick 
2856*12c85518Srobert     std::optional<QualType> StructTimespecTy = lookupTy("timespec");
2857*12c85518Srobert     std::optional<QualType> StructTimespecPtrTy =
2858*12c85518Srobert         getPointerTy(StructTimespecTy);
2859*12c85518Srobert     std::optional<QualType> ConstStructTimespecPtrTy =
2860a9ac8606Spatrick         getPointerTy(getConstTy(StructTimespecTy));
2861a9ac8606Spatrick 
2862a9ac8606Spatrick     // int futimens(int fd, const struct timespec times[2]);
2863a9ac8606Spatrick     addToFunctionSummaryMap(
2864a9ac8606Spatrick         "futimens",
2865a9ac8606Spatrick         Signature(ArgTypes{IntTy, ConstStructTimespecPtrTy}, RetType{IntTy}),
2866a9ac8606Spatrick         Summary(NoEvalCall)
2867*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2868*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2869a9ac8606Spatrick             .ArgConstraint(
2870a9ac8606Spatrick                 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2871a9ac8606Spatrick 
2872a9ac8606Spatrick     // int utimensat(int dirfd, const char *pathname,
2873a9ac8606Spatrick     //               const struct timespec times[2], int flags);
2874a9ac8606Spatrick     addToFunctionSummaryMap("utimensat",
2875a9ac8606Spatrick                             Signature(ArgTypes{IntTy, ConstCharPtrTy,
2876a9ac8606Spatrick                                                ConstStructTimespecPtrTy, IntTy},
2877a9ac8606Spatrick                                       RetType{IntTy}),
2878a9ac8606Spatrick                             Summary(NoEvalCall)
2879*12c85518Srobert                                 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2880*12c85518Srobert                                 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2881a9ac8606Spatrick                                 .ArgConstraint(NotNull(ArgNo(1))));
2882a9ac8606Spatrick 
2883*12c85518Srobert     std::optional<QualType> StructTimevalTy = lookupTy("timeval");
2884*12c85518Srobert     std::optional<QualType> ConstStructTimevalPtrTy =
2885a9ac8606Spatrick         getPointerTy(getConstTy(StructTimevalTy));
2886a9ac8606Spatrick 
2887a9ac8606Spatrick     // int utimes(const char *filename, const struct timeval times[2]);
2888a9ac8606Spatrick     addToFunctionSummaryMap(
2889a9ac8606Spatrick         "utimes",
2890a9ac8606Spatrick         Signature(ArgTypes{ConstCharPtrTy, ConstStructTimevalPtrTy},
2891a9ac8606Spatrick                   RetType{IntTy}),
2892a9ac8606Spatrick         Summary(NoEvalCall)
2893*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2894*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2895a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2896a9ac8606Spatrick 
2897a9ac8606Spatrick     // int nanosleep(const struct timespec *rqtp, struct timespec *rmtp);
2898a9ac8606Spatrick     addToFunctionSummaryMap(
2899a9ac8606Spatrick         "nanosleep",
2900a9ac8606Spatrick         Signature(ArgTypes{ConstStructTimespecPtrTy, StructTimespecPtrTy},
2901a9ac8606Spatrick                   RetType{IntTy}),
2902a9ac8606Spatrick         Summary(NoEvalCall)
2903*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2904*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2905a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(0))));
2906a9ac8606Spatrick 
2907*12c85518Srobert     std::optional<QualType> Time_tTy = lookupTy("time_t");
2908*12c85518Srobert     std::optional<QualType> ConstTime_tPtrTy =
2909*12c85518Srobert         getPointerTy(getConstTy(Time_tTy));
2910*12c85518Srobert     std::optional<QualType> ConstTime_tPtrRestrictTy =
2911a9ac8606Spatrick         getRestrictTy(ConstTime_tPtrTy);
2912a9ac8606Spatrick 
2913*12c85518Srobert     std::optional<QualType> StructTmTy = lookupTy("tm");
2914*12c85518Srobert     std::optional<QualType> StructTmPtrTy = getPointerTy(StructTmTy);
2915*12c85518Srobert     std::optional<QualType> StructTmPtrRestrictTy =
2916*12c85518Srobert         getRestrictTy(StructTmPtrTy);
2917*12c85518Srobert     std::optional<QualType> ConstStructTmPtrTy =
2918a9ac8606Spatrick         getPointerTy(getConstTy(StructTmTy));
2919*12c85518Srobert     std::optional<QualType> ConstStructTmPtrRestrictTy =
2920a9ac8606Spatrick         getRestrictTy(ConstStructTmPtrTy);
2921a9ac8606Spatrick 
2922a9ac8606Spatrick     // struct tm * localtime(const time_t *tp);
2923a9ac8606Spatrick     addToFunctionSummaryMap(
2924a9ac8606Spatrick         "localtime",
2925a9ac8606Spatrick         Signature(ArgTypes{ConstTime_tPtrTy}, RetType{StructTmPtrTy}),
2926a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2927a9ac8606Spatrick 
2928a9ac8606Spatrick     // struct tm *localtime_r(const time_t *restrict timer,
2929a9ac8606Spatrick     //                        struct tm *restrict result);
2930a9ac8606Spatrick     addToFunctionSummaryMap(
2931a9ac8606Spatrick         "localtime_r",
2932a9ac8606Spatrick         Signature(ArgTypes{ConstTime_tPtrRestrictTy, StructTmPtrRestrictTy},
2933a9ac8606Spatrick                   RetType{StructTmPtrTy}),
2934a9ac8606Spatrick         Summary(NoEvalCall)
2935a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
2936a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2937a9ac8606Spatrick 
2938a9ac8606Spatrick     // char *asctime_r(const struct tm *restrict tm, char *restrict buf);
2939a9ac8606Spatrick     addToFunctionSummaryMap(
2940a9ac8606Spatrick         "asctime_r",
2941a9ac8606Spatrick         Signature(ArgTypes{ConstStructTmPtrRestrictTy, CharPtrRestrictTy},
2942a9ac8606Spatrick                   RetType{CharPtrTy}),
2943a9ac8606Spatrick         Summary(NoEvalCall)
2944a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
2945a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(1)))
2946a9ac8606Spatrick             .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2947a9ac8606Spatrick                                       /*MinBufSize=*/BVF.getValue(26, IntTy))));
2948a9ac8606Spatrick 
2949a9ac8606Spatrick     // char *ctime_r(const time_t *timep, char *buf);
2950a9ac8606Spatrick     addToFunctionSummaryMap(
2951a9ac8606Spatrick         "ctime_r",
2952a9ac8606Spatrick         Signature(ArgTypes{ConstTime_tPtrTy, CharPtrTy}, RetType{CharPtrTy}),
2953a9ac8606Spatrick         Summary(NoEvalCall)
2954a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
2955a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(1)))
2956a9ac8606Spatrick             .ArgConstraint(BufferSize(
2957a9ac8606Spatrick                 /*Buffer=*/ArgNo(1),
2958a9ac8606Spatrick                 /*MinBufSize=*/BVF.getValue(26, IntTy))));
2959a9ac8606Spatrick 
2960a9ac8606Spatrick     // struct tm *gmtime_r(const time_t *restrict timer,
2961a9ac8606Spatrick     //                     struct tm *restrict result);
2962a9ac8606Spatrick     addToFunctionSummaryMap(
2963a9ac8606Spatrick         "gmtime_r",
2964a9ac8606Spatrick         Signature(ArgTypes{ConstTime_tPtrRestrictTy, StructTmPtrRestrictTy},
2965a9ac8606Spatrick                   RetType{StructTmPtrTy}),
2966a9ac8606Spatrick         Summary(NoEvalCall)
2967a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
2968a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2969a9ac8606Spatrick 
2970a9ac8606Spatrick     // struct tm * gmtime(const time_t *tp);
2971a9ac8606Spatrick     addToFunctionSummaryMap(
2972a9ac8606Spatrick         "gmtime", Signature(ArgTypes{ConstTime_tPtrTy}, RetType{StructTmPtrTy}),
2973a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2974a9ac8606Spatrick 
2975*12c85518Srobert     std::optional<QualType> Clockid_tTy = lookupTy("clockid_t");
2976a9ac8606Spatrick 
2977a9ac8606Spatrick     // int clock_gettime(clockid_t clock_id, struct timespec *tp);
2978a9ac8606Spatrick     addToFunctionSummaryMap(
2979a9ac8606Spatrick         "clock_gettime",
2980a9ac8606Spatrick         Signature(ArgTypes{Clockid_tTy, StructTimespecPtrTy}, RetType{IntTy}),
2981a9ac8606Spatrick         Summary(NoEvalCall)
2982*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2983*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2984a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2985a9ac8606Spatrick 
2986*12c85518Srobert     std::optional<QualType> StructItimervalTy = lookupTy("itimerval");
2987*12c85518Srobert     std::optional<QualType> StructItimervalPtrTy =
2988*12c85518Srobert         getPointerTy(StructItimervalTy);
2989a9ac8606Spatrick 
2990a9ac8606Spatrick     // int getitimer(int which, struct itimerval *curr_value);
2991a9ac8606Spatrick     addToFunctionSummaryMap(
2992a9ac8606Spatrick         "getitimer",
2993a9ac8606Spatrick         Signature(ArgTypes{IntTy, StructItimervalPtrTy}, RetType{IntTy}),
2994a9ac8606Spatrick         Summary(NoEvalCall)
2995*12c85518Srobert             .Case(ReturnsZero, ErrnoMustNotBeChecked)
2996*12c85518Srobert             .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2997a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
2998a9ac8606Spatrick 
2999*12c85518Srobert     std::optional<QualType> Pthread_cond_tTy = lookupTy("pthread_cond_t");
3000*12c85518Srobert     std::optional<QualType> Pthread_cond_tPtrTy =
3001*12c85518Srobert         getPointerTy(Pthread_cond_tTy);
3002*12c85518Srobert     std::optional<QualType> Pthread_tTy = lookupTy("pthread_t");
3003*12c85518Srobert     std::optional<QualType> Pthread_tPtrTy = getPointerTy(Pthread_tTy);
3004*12c85518Srobert     std::optional<QualType> Pthread_tPtrRestrictTy =
3005*12c85518Srobert         getRestrictTy(Pthread_tPtrTy);
3006*12c85518Srobert     std::optional<QualType> Pthread_mutex_tTy = lookupTy("pthread_mutex_t");
3007*12c85518Srobert     std::optional<QualType> Pthread_mutex_tPtrTy =
3008*12c85518Srobert         getPointerTy(Pthread_mutex_tTy);
3009*12c85518Srobert     std::optional<QualType> Pthread_mutex_tPtrRestrictTy =
3010a9ac8606Spatrick         getRestrictTy(Pthread_mutex_tPtrTy);
3011*12c85518Srobert     std::optional<QualType> Pthread_attr_tTy = lookupTy("pthread_attr_t");
3012*12c85518Srobert     std::optional<QualType> Pthread_attr_tPtrTy =
3013*12c85518Srobert         getPointerTy(Pthread_attr_tTy);
3014*12c85518Srobert     std::optional<QualType> ConstPthread_attr_tPtrTy =
3015a9ac8606Spatrick         getPointerTy(getConstTy(Pthread_attr_tTy));
3016*12c85518Srobert     std::optional<QualType> ConstPthread_attr_tPtrRestrictTy =
3017a9ac8606Spatrick         getRestrictTy(ConstPthread_attr_tPtrTy);
3018*12c85518Srobert     std::optional<QualType> Pthread_mutexattr_tTy =
3019*12c85518Srobert         lookupTy("pthread_mutexattr_t");
3020*12c85518Srobert     std::optional<QualType> ConstPthread_mutexattr_tPtrTy =
3021a9ac8606Spatrick         getPointerTy(getConstTy(Pthread_mutexattr_tTy));
3022*12c85518Srobert     std::optional<QualType> ConstPthread_mutexattr_tPtrRestrictTy =
3023a9ac8606Spatrick         getRestrictTy(ConstPthread_mutexattr_tPtrTy);
3024a9ac8606Spatrick 
3025a9ac8606Spatrick     QualType PthreadStartRoutineTy = getPointerTy(
3026a9ac8606Spatrick         ACtx.getFunctionType(/*ResultTy=*/VoidPtrTy, /*Args=*/VoidPtrTy,
3027a9ac8606Spatrick                              FunctionProtoType::ExtProtoInfo()));
3028a9ac8606Spatrick 
3029a9ac8606Spatrick     // int pthread_cond_signal(pthread_cond_t *cond);
3030a9ac8606Spatrick     // int pthread_cond_broadcast(pthread_cond_t *cond);
3031a9ac8606Spatrick     addToFunctionSummaryMap(
3032a9ac8606Spatrick         {"pthread_cond_signal", "pthread_cond_broadcast"},
3033a9ac8606Spatrick         Signature(ArgTypes{Pthread_cond_tPtrTy}, RetType{IntTy}),
3034a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
3035a9ac8606Spatrick 
3036a9ac8606Spatrick     // int pthread_create(pthread_t *restrict thread,
3037a9ac8606Spatrick     //                    const pthread_attr_t *restrict attr,
3038a9ac8606Spatrick     //                    void *(*start_routine)(void*), void *restrict arg);
3039a9ac8606Spatrick     addToFunctionSummaryMap(
3040a9ac8606Spatrick         "pthread_create",
3041a9ac8606Spatrick         Signature(ArgTypes{Pthread_tPtrRestrictTy,
3042a9ac8606Spatrick                            ConstPthread_attr_tPtrRestrictTy,
3043a9ac8606Spatrick                            PthreadStartRoutineTy, VoidPtrRestrictTy},
3044a9ac8606Spatrick                   RetType{IntTy}),
3045a9ac8606Spatrick         Summary(NoEvalCall)
3046a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
3047a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(2))));
3048a9ac8606Spatrick 
3049a9ac8606Spatrick     // int pthread_attr_destroy(pthread_attr_t *attr);
3050a9ac8606Spatrick     // int pthread_attr_init(pthread_attr_t *attr);
3051a9ac8606Spatrick     addToFunctionSummaryMap(
3052a9ac8606Spatrick         {"pthread_attr_destroy", "pthread_attr_init"},
3053a9ac8606Spatrick         Signature(ArgTypes{Pthread_attr_tPtrTy}, RetType{IntTy}),
3054a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
3055a9ac8606Spatrick 
3056a9ac8606Spatrick     // int pthread_attr_getstacksize(const pthread_attr_t *restrict attr,
3057a9ac8606Spatrick     //                               size_t *restrict stacksize);
3058a9ac8606Spatrick     // int pthread_attr_getguardsize(const pthread_attr_t *restrict attr,
3059a9ac8606Spatrick     //                               size_t *restrict guardsize);
3060a9ac8606Spatrick     addToFunctionSummaryMap(
3061a9ac8606Spatrick         {"pthread_attr_getstacksize", "pthread_attr_getguardsize"},
3062a9ac8606Spatrick         Signature(ArgTypes{ConstPthread_attr_tPtrRestrictTy, SizePtrRestrictTy},
3063a9ac8606Spatrick                   RetType{IntTy}),
3064a9ac8606Spatrick         Summary(NoEvalCall)
3065a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
3066a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
3067a9ac8606Spatrick 
3068a9ac8606Spatrick     // int pthread_attr_setstacksize(pthread_attr_t *attr, size_t stacksize);
3069a9ac8606Spatrick     // int pthread_attr_setguardsize(pthread_attr_t *attr, size_t guardsize);
3070a9ac8606Spatrick     addToFunctionSummaryMap(
3071a9ac8606Spatrick         {"pthread_attr_setstacksize", "pthread_attr_setguardsize"},
3072a9ac8606Spatrick         Signature(ArgTypes{Pthread_attr_tPtrTy, SizeTy}, RetType{IntTy}),
3073a9ac8606Spatrick         Summary(NoEvalCall)
3074a9ac8606Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
3075a9ac8606Spatrick             .ArgConstraint(
3076a9ac8606Spatrick                 ArgumentCondition(1, WithinRange, Range(0, SizeMax))));
3077a9ac8606Spatrick 
3078a9ac8606Spatrick     // int pthread_mutex_init(pthread_mutex_t *restrict mutex, const
3079a9ac8606Spatrick     //                        pthread_mutexattr_t *restrict attr);
3080a9ac8606Spatrick     addToFunctionSummaryMap(
3081a9ac8606Spatrick         "pthread_mutex_init",
3082a9ac8606Spatrick         Signature(ArgTypes{Pthread_mutex_tPtrRestrictTy,
3083a9ac8606Spatrick                            ConstPthread_mutexattr_tPtrRestrictTy},
3084a9ac8606Spatrick                   RetType{IntTy}),
3085a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
3086a9ac8606Spatrick 
3087a9ac8606Spatrick     // int pthread_mutex_destroy(pthread_mutex_t *mutex);
3088a9ac8606Spatrick     // int pthread_mutex_lock(pthread_mutex_t *mutex);
3089a9ac8606Spatrick     // int pthread_mutex_trylock(pthread_mutex_t *mutex);
3090a9ac8606Spatrick     // int pthread_mutex_unlock(pthread_mutex_t *mutex);
3091a9ac8606Spatrick     addToFunctionSummaryMap(
3092a9ac8606Spatrick         {"pthread_mutex_destroy", "pthread_mutex_lock", "pthread_mutex_trylock",
3093a9ac8606Spatrick          "pthread_mutex_unlock"},
3094a9ac8606Spatrick         Signature(ArgTypes{Pthread_mutex_tPtrTy}, RetType{IntTy}),
3095a9ac8606Spatrick         Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
3096ec727ea7Spatrick   }
3097ec727ea7Spatrick 
3098ec727ea7Spatrick   // Functions for testing.
3099ec727ea7Spatrick   if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {
3100ec727ea7Spatrick     addToFunctionSummaryMap(
3101a9ac8606Spatrick         "__not_null", Signature(ArgTypes{IntPtrTy}, RetType{IntTy}),
3102a9ac8606Spatrick         Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0))));
3103a9ac8606Spatrick 
3104a9ac8606Spatrick     // Test range values.
3105a9ac8606Spatrick     addToFunctionSummaryMap(
3106*12c85518Srobert         "__single_val_0", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3107*12c85518Srobert         Summary(EvalCallAsPure)
3108*12c85518Srobert             .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(0))));
3109*12c85518Srobert     addToFunctionSummaryMap(
3110a9ac8606Spatrick         "__single_val_1", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3111a9ac8606Spatrick         Summary(EvalCallAsPure)
3112a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1))));
3113a9ac8606Spatrick     addToFunctionSummaryMap(
3114a9ac8606Spatrick         "__range_1_2", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3115a9ac8606Spatrick         Summary(EvalCallAsPure)
3116a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(1, 2))));
3117a9ac8606Spatrick     addToFunctionSummaryMap("__range_1_2__4_5",
3118a9ac8606Spatrick                             Signature(ArgTypes{IntTy}, RetType{IntTy}),
3119a9ac8606Spatrick                             Summary(EvalCallAsPure)
3120a9ac8606Spatrick                                 .ArgConstraint(ArgumentCondition(
3121a9ac8606Spatrick                                     0U, WithinRange, Range({1, 2}, {4, 5}))));
3122a9ac8606Spatrick 
3123a9ac8606Spatrick     // Test range kind.
3124a9ac8606Spatrick     addToFunctionSummaryMap(
3125a9ac8606Spatrick         "__within", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3126a9ac8606Spatrick         Summary(EvalCallAsPure)
3127a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1))));
3128a9ac8606Spatrick     addToFunctionSummaryMap(
3129a9ac8606Spatrick         "__out_of", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3130a9ac8606Spatrick         Summary(EvalCallAsPure)
3131a9ac8606Spatrick             .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1))));
3132a9ac8606Spatrick 
3133a9ac8606Spatrick     addToFunctionSummaryMap(
3134ec727ea7Spatrick         "__two_constrained_args",
3135a9ac8606Spatrick         Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}),
3136a9ac8606Spatrick         Summary(EvalCallAsPure)
3137ec727ea7Spatrick             .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))
3138ec727ea7Spatrick             .ArgConstraint(ArgumentCondition(1U, WithinRange, SingleValue(1))));
3139ec727ea7Spatrick     addToFunctionSummaryMap(
3140a9ac8606Spatrick         "__arg_constrained_twice", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3141a9ac8606Spatrick         Summary(EvalCallAsPure)
3142ec727ea7Spatrick             .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1)))
3143ec727ea7Spatrick             .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(2))));
3144ec727ea7Spatrick     addToFunctionSummaryMap(
3145ec727ea7Spatrick         "__defaultparam",
3146a9ac8606Spatrick         Signature(ArgTypes{Irrelevant, IntTy}, RetType{IntTy}),
3147a9ac8606Spatrick         Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0))));
3148a9ac8606Spatrick     addToFunctionSummaryMap(
3149a9ac8606Spatrick         "__variadic",
3150a9ac8606Spatrick         Signature(ArgTypes{VoidPtrTy, ConstCharPtrTy}, RetType{IntTy}),
3151a9ac8606Spatrick         Summary(EvalCallAsPure)
3152ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(0)))
3153ec727ea7Spatrick             .ArgConstraint(NotNull(ArgNo(1))));
3154ec727ea7Spatrick     addToFunctionSummaryMap(
3155ec727ea7Spatrick         "__buf_size_arg_constraint",
3156a9ac8606Spatrick         Signature(ArgTypes{ConstVoidPtrTy, SizeTy}, RetType{IntTy}),
3157a9ac8606Spatrick         Summary(EvalCallAsPure)
3158ec727ea7Spatrick             .ArgConstraint(
3159ec727ea7Spatrick                 BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1))));
3160ec727ea7Spatrick     addToFunctionSummaryMap(
3161ec727ea7Spatrick         "__buf_size_arg_constraint_mul",
3162a9ac8606Spatrick         Signature(ArgTypes{ConstVoidPtrTy, SizeTy, SizeTy}, RetType{IntTy}),
3163a9ac8606Spatrick         Summary(EvalCallAsPure)
3164ec727ea7Spatrick             .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1),
3165ec727ea7Spatrick                                       /*BufSizeMultiplier=*/ArgNo(2))));
3166a9ac8606Spatrick     addToFunctionSummaryMap(
3167a9ac8606Spatrick         "__buf_size_arg_constraint_concrete",
3168a9ac8606Spatrick         Signature(ArgTypes{ConstVoidPtrTy}, RetType{IntTy}),
3169a9ac8606Spatrick         Summary(EvalCallAsPure)
3170a9ac8606Spatrick             .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0),
3171a9ac8606Spatrick                                       /*BufSize=*/BVF.getValue(10, IntTy))));
3172a9ac8606Spatrick     addToFunctionSummaryMap(
3173a9ac8606Spatrick         {"__test_restrict_param_0", "__test_restrict_param_1",
3174a9ac8606Spatrick          "__test_restrict_param_2"},
3175a9ac8606Spatrick         Signature(ArgTypes{VoidPtrRestrictTy}, RetType{VoidTy}),
3176a9ac8606Spatrick         Summary(EvalCallAsPure));
3177*12c85518Srobert 
3178*12c85518Srobert     // Test the application of cases.
3179*12c85518Srobert     addToFunctionSummaryMap(
3180*12c85518Srobert         "__test_case_note", Signature(ArgTypes{}, RetType{IntTy}),
3181*12c85518Srobert         Summary(EvalCallAsPure)
3182*12c85518Srobert             .Case({ReturnValueCondition(WithinRange, SingleValue(0))},
3183*12c85518Srobert                   ErrnoIrrelevant, "Function returns 0")
3184*12c85518Srobert             .Case({ReturnValueCondition(WithinRange, SingleValue(1))},
3185*12c85518Srobert                   ErrnoIrrelevant, "Function returns 1"));
3186ec727ea7Spatrick   }
3187a9ac8606Spatrick 
3188a9ac8606Spatrick   SummariesInitialized = true;
3189e5dd7070Spatrick }
3190e5dd7070Spatrick 
// Registration entry point for the modeling checker itself.
//
// Creates the StdLibraryFunctionsChecker instance through `mgr` and fills in
// its configuration. "DisplayLoadedSummaries" and "ModelPOSIX" are read as
// per-checker boolean options; ShouldAssumeControlledEnvironment is copied
// from the analyzer-wide options object instead of being looked up per
// checker.
// NOTE(review): ModelPOSIX presumably gates the POSIX summaries built in this
// file, so an analysis run without it would not apply their NotNull/BufferSize
// argument constraints -- confirm against the summary-initialisation code.
void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) {
  StdLibraryFunctionsChecker *Modeling =
      mgr.registerChecker<StdLibraryFunctionsChecker>();
  const AnalyzerOptions &AnalyzerOpts = mgr.getAnalyzerOptions();

  // Per-checker switches, looked up by option name.
  const bool ShowSummaries =
      AnalyzerOpts.getCheckerBooleanOption(Modeling, "DisplayLoadedSummaries");
  Modeling->DisplayLoadedSummaries = ShowSummaries;

  const bool Posix =
      AnalyzerOpts.getCheckerBooleanOption(Modeling, "ModelPOSIX");
  Modeling->ModelPOSIX = Posix;

  // Global analyzer setting, mirrored onto the checker.
  Modeling->ShouldAssumeControlledEnvironment =
      AnalyzerOpts.ShouldAssumeControlledEnvironment;
}
3200e5dd7070Spatrick 
// Registration predicate for the modeling checker. It answers true
// unconditionally; `mgr` is accepted but not consulted.
bool ento::shouldRegisterStdCLibraryFunctionsChecker(
    const CheckerManager &mgr) {
  return true;
}
3205ec727ea7Spatrick 
// Generates the two registration entry points for one sub-checker `name`.
//
// ento::register<name> fetches the StdLibraryFunctionsChecker instance with
// getChecker, sets that sub-checker's ChecksEnabled slot (indexed by
// CK_<name>) to true, and stores the name currently being registered in the
// matching CheckNames slot. ento::shouldRegister<name> always returns true.
#define REGISTER_CHECKER(name)                                                 \
  void ento::register##name(CheckerManager &mgr) {                             \
    auto *Modeling = mgr.getChecker<StdLibraryFunctionsChecker>();             \
    Modeling->ChecksEnabled[StdLibraryFunctionsChecker::CK_##name] = true;     \
    Modeling->CheckNames[StdLibraryFunctionsChecker::CK_##name] =              \
        mgr.getCurrentCheckerName();                                           \
  }                                                                            \
                                                                               \
  bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }

// Sub-checker whose enable flag is CK_StdCLibraryFunctionArgsChecker.
// NOTE(review): presumably this is the flag that turns violated argument
// constraints (NotNull, BufferSize, ranges) into reports -- confirm where
// ChecksEnabled is read.
REGISTER_CHECKER(StdCLibraryFunctionArgsChecker)
// Sub-checker whose flag gates the `__`-prefixed summaries that the
// summary-initialisation code adds under "Functions for testing".
REGISTER_CHECKER(StdCLibraryFunctionsTesterChecker)