1 //= CStringChecker.h - Checks calls to C string functions ----------*- C++ -*-// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This defines CStringChecker, which is an assortment of checks on calls 11 // to functions in <string.h>. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "clang/StaticAnalyzer/Core/Checker.h" 17 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 18 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 20 #include "clang/StaticAnalyzer/Core/PathSensitive/GRStateTrait.h" 21 #include "llvm/ADT/StringSwitch.h" 22 23 using namespace clang; 24 using namespace ento; 25 26 namespace { 27 class CStringChecker : public Checker< eval::Call, 28 check::PreStmt<DeclStmt>, 29 check::LiveSymbols, 30 check::DeadSymbols, 31 check::RegionChanges 32 > { 33 mutable llvm::OwningPtr<BugType> BT_Null, BT_Bounds, BT_BoundsWrite, 34 BT_Overlap, BT_NotCString; 35 public: 36 static void *getTag() { static int tag; return &tag; } 37 38 bool evalCall(const CallExpr *CE, CheckerContext &C) const; 39 void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; 40 void checkLiveSymbols(const GRState *state, SymbolReaper &SR) const; 41 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; 42 bool wantsRegionChangeUpdate(const GRState *state) const; 43 44 const GRState *checkRegionChanges(const GRState *state, 45 const MemRegion * const *Begin, 46 const MemRegion * const *End) const; 47 48 typedef void (CStringChecker::*FnCheck)(CheckerContext &, 49 const CallExpr *) const; 50 51 void evalMemcpy(CheckerContext &C, const CallExpr *CE) const; 52 void evalMempcpy(CheckerContext &C, const CallExpr *CE) const; 53 void evalMemmove(CheckerContext &C, const CallExpr *CE) const; 54 void evalBcopy(CheckerContext &C, const CallExpr *CE) const; 55 void evalCopyCommon(CheckerContext &C, const CallExpr *CE, 56 const GRState *state, 57 const Expr *Size, const Expr *Source, const Expr *Dest, 58 bool Restricted = false, 59 bool IsMempcpy = false) const; 60 61 void evalMemcmp(CheckerContext &C, const CallExpr *CE) const; 62 63 void evalstrLength(CheckerContext &C, const CallExpr *CE) const; 64 void evalstrnLength(CheckerContext &C, const CallExpr *CE) const; 65 void evalstrLengthCommon(CheckerContext &C, const CallExpr *CE, 66 bool IsStrnlen = false) const; 67 68 void evalStrcpy(CheckerContext &C, const CallExpr *CE) const; 69 void evalStrncpy(CheckerContext &C, const CallExpr *CE) const; 70 void evalStpcpy(CheckerContext &C, const CallExpr *CE) const; 71 void evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, bool returnEnd, 72 bool isBounded, bool isAppending) const; 73 74 void evalStrcat(CheckerContext &C, const CallExpr *CE) const; 75 void evalStrncat(CheckerContext &C, const CallExpr *CE) const; 76 77 void evalStrcmp(CheckerContext &C, const CallExpr *CE) const; 78 void evalStrncmp(CheckerContext &C, const CallExpr *CE) const; 79 void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const; 80 void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const; 81 void evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, 82 bool isBounded = false, bool ignoreCase = false) const; 83 84 // Utility methods 85 std::pair<const GRState*, const GRState*> 86 static assumeZero(CheckerContext &C, 87 const GRState *state, SVal V, QualType Ty); 88 89 static const GRState *setCStringLength(const GRState *state, 90 const MemRegion *MR, SVal strLength); 91 static SVal getCStringLengthForRegion(CheckerContext &C, 92 const GRState *&state, 93 const Expr *Ex, const MemRegion *MR); 94 SVal getCStringLength(CheckerContext &C, const GRState *&state, 95 const Expr *Ex, SVal Buf) const; 96 97 const StringLiteral *getCStringLiteral(CheckerContext &C, 98 const GRState *&state, 99 const Expr *expr, 100 SVal val) const; 101 102 static const GRState *InvalidateBuffer(CheckerContext &C, 103 const GRState *state, 104 const Expr *Ex, SVal V); 105 106 static bool SummarizeRegion(llvm::raw_ostream& os, ASTContext& Ctx, 107 const MemRegion *MR); 108 109 // Re-usable checks 110 const GRState *checkNonNull(CheckerContext &C, const GRState *state, 111 const Expr *S, SVal l) const; 112 const GRState *CheckLocation(CheckerContext &C, const GRState *state, 113 const Expr *S, SVal l, 114 bool IsDestination = false) const; 115 const GRState *CheckBufferAccess(CheckerContext &C, const GRState *state, 116 const Expr *Size, 117 const Expr *FirstBuf, 118 const Expr *SecondBuf = NULL, 119 bool FirstIsDestination = false) const; 120 const GRState *CheckOverlap(CheckerContext &C, const GRState *state, 121 const Expr *Size, const Expr *First, 122 const Expr *Second) const; 123 void emitOverlapBug(CheckerContext &C, const GRState *state, 124 const Stmt *First, const Stmt *Second) const; 125 }; 126 127 class CStringLength { 128 public: 129 typedef llvm::ImmutableMap<const MemRegion *, SVal> EntryMap; 130 }; 131 } //end anonymous namespace 132 133 namespace clang { 134 namespace ento { 135 template <> 136 struct GRStateTrait<CStringLength> 137 : public GRStatePartialTrait<CStringLength::EntryMap> { 138 static void *GDMIndex() { return CStringChecker::getTag(); } 139 }; 140 } 141 } 142 143 //===----------------------------------------------------------------------===// 144 // Individual checks and utility methods. 145 //===----------------------------------------------------------------------===// 146 147 std::pair<const GRState*, const GRState*> 148 CStringChecker::assumeZero(CheckerContext &C, const GRState *state, SVal V, 149 QualType Ty) { 150 DefinedSVal *val = dyn_cast<DefinedSVal>(&V); 151 if (!val) 152 return std::pair<const GRState*, const GRState *>(state, state); 153 154 SValBuilder &svalBuilder = C.getSValBuilder(); 155 DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty); 156 return state->assume(svalBuilder.evalEQ(state, *val, zero)); 157 } 158 159 const GRState *CStringChecker::checkNonNull(CheckerContext &C, 160 const GRState *state, 161 const Expr *S, SVal l) const { 162 // If a previous check has failed, propagate the failure. 163 if (!state) 164 return NULL; 165 166 const GRState *stateNull, *stateNonNull; 167 llvm::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType()); 168 169 if (stateNull && !stateNonNull) { 170 ExplodedNode *N = C.generateSink(stateNull); 171 if (!N) 172 return NULL; 173 174 if (!BT_Null) 175 BT_Null.reset(new BuiltinBug("API", 176 "Null pointer argument in call to byte string function")); 177 178 // Generate a report for this bug. 179 BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get()); 180 EnhancedBugReport *report = new EnhancedBugReport(*BT, 181 BT->getDescription(), N); 182 183 report->addRange(S->getSourceRange()); 184 report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, S); 185 C.EmitReport(report); 186 return NULL; 187 } 188 189 // From here on, assume that the value is non-null. 190 assert(stateNonNull); 191 return stateNonNull; 192 } 193 194 // FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor? 195 const GRState *CStringChecker::CheckLocation(CheckerContext &C, 196 const GRState *state, 197 const Expr *S, SVal l, 198 bool IsDestination) const { 199 // If a previous check has failed, propagate the failure. 200 if (!state) 201 return NULL; 202 203 // Check for out of bound array element access. 204 const MemRegion *R = l.getAsRegion(); 205 if (!R) 206 return state; 207 208 const ElementRegion *ER = dyn_cast<ElementRegion>(R); 209 if (!ER) 210 return state; 211 212 assert(ER->getValueType() == C.getASTContext().CharTy && 213 "CheckLocation should only be called with char* ElementRegions"); 214 215 // Get the size of the array. 216 const SubRegion *superReg = cast<SubRegion>(ER->getSuperRegion()); 217 SValBuilder &svalBuilder = C.getSValBuilder(); 218 SVal Extent = svalBuilder.convertToArrayIndex(superReg->getExtent(svalBuilder)); 219 DefinedOrUnknownSVal Size = cast<DefinedOrUnknownSVal>(Extent); 220 221 // Get the index of the accessed element. 222 DefinedOrUnknownSVal Idx = cast<DefinedOrUnknownSVal>(ER->getIndex()); 223 224 const GRState *StInBound = state->assumeInBound(Idx, Size, true); 225 const GRState *StOutBound = state->assumeInBound(Idx, Size, false); 226 if (StOutBound && !StInBound) { 227 ExplodedNode *N = C.generateSink(StOutBound); 228 if (!N) 229 return NULL; 230 231 BuiltinBug *BT; 232 if (IsDestination) { 233 if (!BT_BoundsWrite) { 234 BT_BoundsWrite.reset(new BuiltinBug("Out-of-bound array access", 235 "Byte string function overflows destination buffer")); 236 } 237 BT = static_cast<BuiltinBug*>(BT_BoundsWrite.get()); 238 } else { 239 if (!BT_Bounds) { 240 BT_Bounds.reset(new BuiltinBug("Out-of-bound array access", 241 "Byte string function accesses out-of-bound array element")); 242 } 243 BT = static_cast<BuiltinBug*>(BT_Bounds.get()); 244 } 245 246 // FIXME: It would be nice to eventually make this diagnostic more clear, 247 // e.g., by referencing the original declaration or by saying *why* this 248 // reference is outside the range. 249 250 // Generate a report for this bug. 251 RangedBugReport *report = new RangedBugReport(*BT, BT->getDescription(), N); 252 253 report->addRange(S->getSourceRange()); 254 C.EmitReport(report); 255 return NULL; 256 } 257 258 // Array bound check succeeded. From this point forward the array bound 259 // should always succeed. 260 return StInBound; 261 } 262 263 const GRState *CStringChecker::CheckBufferAccess(CheckerContext &C, 264 const GRState *state, 265 const Expr *Size, 266 const Expr *FirstBuf, 267 const Expr *SecondBuf, 268 bool FirstIsDestination) const { 269 // If a previous check has failed, propagate the failure. 270 if (!state) 271 return NULL; 272 273 SValBuilder &svalBuilder = C.getSValBuilder(); 274 ASTContext &Ctx = C.getASTContext(); 275 276 QualType sizeTy = Size->getType(); 277 QualType PtrTy = Ctx.getPointerType(Ctx.CharTy); 278 279 // Check that the first buffer is non-null. 280 SVal BufVal = state->getSVal(FirstBuf); 281 state = checkNonNull(C, state, FirstBuf, BufVal); 282 if (!state) 283 return NULL; 284 285 // Get the access length and make sure it is known. 286 SVal LengthVal = state->getSVal(Size); 287 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 288 if (!Length) 289 return state; 290 291 // Compute the offset of the last element to be accessed: size-1. 292 NonLoc One = cast<NonLoc>(svalBuilder.makeIntVal(1, sizeTy)); 293 NonLoc LastOffset = cast<NonLoc>(svalBuilder.evalBinOpNN(state, BO_Sub, 294 *Length, One, sizeTy)); 295 296 // Check that the first buffer is sufficiently long. 297 SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); 298 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 299 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 300 LastOffset, PtrTy); 301 state = CheckLocation(C, state, FirstBuf, BufEnd, FirstIsDestination); 302 303 // If the buffer isn't large enough, abort. 304 if (!state) 305 return NULL; 306 } 307 308 // If there's a second buffer, check it as well. 309 if (SecondBuf) { 310 BufVal = state->getSVal(SecondBuf); 311 state = checkNonNull(C, state, SecondBuf, BufVal); 312 if (!state) 313 return NULL; 314 315 BufStart = svalBuilder.evalCast(BufVal, PtrTy, SecondBuf->getType()); 316 if (Loc *BufLoc = dyn_cast<Loc>(&BufStart)) { 317 SVal BufEnd = svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, 318 LastOffset, PtrTy); 319 state = CheckLocation(C, state, SecondBuf, BufEnd); 320 } 321 } 322 323 // Large enough or not, return this state! 324 return state; 325 } 326 327 const GRState *CStringChecker::CheckOverlap(CheckerContext &C, 328 const GRState *state, 329 const Expr *Size, 330 const Expr *First, 331 const Expr *Second) const { 332 // Do a simple check for overlap: if the two arguments are from the same 333 // buffer, see if the end of the first is greater than the start of the second 334 // or vice versa. 335 336 // If a previous check has failed, propagate the failure. 337 if (!state) 338 return NULL; 339 340 const GRState *stateTrue, *stateFalse; 341 342 // Get the buffer values and make sure they're known locations. 343 SVal firstVal = state->getSVal(First); 344 SVal secondVal = state->getSVal(Second); 345 346 Loc *firstLoc = dyn_cast<Loc>(&firstVal); 347 if (!firstLoc) 348 return state; 349 350 Loc *secondLoc = dyn_cast<Loc>(&secondVal); 351 if (!secondLoc) 352 return state; 353 354 // Are the two values the same? 355 SValBuilder &svalBuilder = C.getSValBuilder(); 356 llvm::tie(stateTrue, stateFalse) = 357 state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc)); 358 359 if (stateTrue && !stateFalse) { 360 // If the values are known to be equal, that's automatically an overlap. 361 emitOverlapBug(C, stateTrue, First, Second); 362 return NULL; 363 } 364 365 // assume the two expressions are not equal. 366 assert(stateFalse); 367 state = stateFalse; 368 369 // Which value comes first? 370 ASTContext &Ctx = svalBuilder.getContext(); 371 QualType cmpTy = Ctx.IntTy; 372 SVal reverse = svalBuilder.evalBinOpLL(state, BO_GT, 373 *firstLoc, *secondLoc, cmpTy); 374 DefinedOrUnknownSVal *reverseTest = dyn_cast<DefinedOrUnknownSVal>(&reverse); 375 if (!reverseTest) 376 return state; 377 378 llvm::tie(stateTrue, stateFalse) = state->assume(*reverseTest); 379 if (stateTrue) { 380 if (stateFalse) { 381 // If we don't know which one comes first, we can't perform this test. 382 return state; 383 } else { 384 // Switch the values so that firstVal is before secondVal. 385 Loc *tmpLoc = firstLoc; 386 firstLoc = secondLoc; 387 secondLoc = tmpLoc; 388 389 // Switch the Exprs as well, so that they still correspond. 390 const Expr *tmpExpr = First; 391 First = Second; 392 Second = tmpExpr; 393 } 394 } 395 396 // Get the length, and make sure it too is known. 397 SVal LengthVal = state->getSVal(Size); 398 NonLoc *Length = dyn_cast<NonLoc>(&LengthVal); 399 if (!Length) 400 return state; 401 402 // Convert the first buffer's start address to char*. 403 // Bail out if the cast fails. 404 QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy); 405 SVal FirstStart = svalBuilder.evalCast(*firstLoc, CharPtrTy, First->getType()); 406 Loc *FirstStartLoc = dyn_cast<Loc>(&FirstStart); 407 if (!FirstStartLoc) 408 return state; 409 410 // Compute the end of the first buffer. Bail out if THAT fails. 411 SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, 412 *FirstStartLoc, *Length, CharPtrTy); 413 Loc *FirstEndLoc = dyn_cast<Loc>(&FirstEnd); 414 if (!FirstEndLoc) 415 return state; 416 417 // Is the end of the first buffer past the start of the second buffer? 418 SVal Overlap = svalBuilder.evalBinOpLL(state, BO_GT, 419 *FirstEndLoc, *secondLoc, cmpTy); 420 DefinedOrUnknownSVal *OverlapTest = dyn_cast<DefinedOrUnknownSVal>(&Overlap); 421 if (!OverlapTest) 422 return state; 423 424 llvm::tie(stateTrue, stateFalse) = state->assume(*OverlapTest); 425 426 if (stateTrue && !stateFalse) { 427 // Overlap! 428 emitOverlapBug(C, stateTrue, First, Second); 429 return NULL; 430 } 431 432 // assume the two expressions don't overlap. 433 assert(stateFalse); 434 return stateFalse; 435 } 436 437 void CStringChecker::emitOverlapBug(CheckerContext &C, const GRState *state, 438 const Stmt *First, const Stmt *Second) const { 439 ExplodedNode *N = C.generateSink(state); 440 if (!N) 441 return; 442 443 if (!BT_Overlap) 444 BT_Overlap.reset(new BugType("Unix API", "Improper arguments")); 445 446 // Generate a report for this bug. 447 RangedBugReport *report = 448 new RangedBugReport(*BT_Overlap, 449 "Arguments must not be overlapping buffers", N); 450 report->addRange(First->getSourceRange()); 451 report->addRange(Second->getSourceRange()); 452 453 C.EmitReport(report); 454 } 455 456 const GRState *CStringChecker::setCStringLength(const GRState *state, 457 const MemRegion *MR, 458 SVal strLength) { 459 assert(!strLength.isUndef() && "Attempt to set an undefined string length"); 460 if (strLength.isUnknown()) 461 return state; 462 463 MR = MR->StripCasts(); 464 465 switch (MR->getKind()) { 466 case MemRegion::StringRegionKind: 467 // FIXME: This can happen if we strcpy() into a string region. This is 468 // undefined [C99 6.4.5p6], but we should still warn about it. 469 return state; 470 471 case MemRegion::SymbolicRegionKind: 472 case MemRegion::AllocaRegionKind: 473 case MemRegion::VarRegionKind: 474 case MemRegion::FieldRegionKind: 475 case MemRegion::ObjCIvarRegionKind: 476 return state->set<CStringLength>(MR, strLength); 477 478 case MemRegion::ElementRegionKind: 479 // FIXME: Handle element regions by upper-bounding the parent region's 480 // string length. 481 return state; 482 483 default: 484 // Other regions (mostly non-data) can't have a reliable C string length. 485 // For now, just ignore the change. 486 // FIXME: These are rare but not impossible. We should output some kind of 487 // warning for things like strcpy((char[]){'a', 0}, "b"); 488 return state; 489 } 490 } 491 492 SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C, 493 const GRState *&state, 494 const Expr *Ex, 495 const MemRegion *MR) { 496 // If there's a recorded length, go ahead and return it. 497 const SVal *Recorded = state->get<CStringLength>(MR); 498 if (Recorded) 499 return *Recorded; 500 501 // Otherwise, get a new symbol and update the state. 502 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 503 SValBuilder &svalBuilder = C.getSValBuilder(); 504 QualType sizeTy = svalBuilder.getContext().getSizeType(); 505 SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(), 506 MR, Ex, sizeTy, Count); 507 state = state->set<CStringLength>(MR, strLength); 508 return strLength; 509 } 510 511 SVal CStringChecker::getCStringLength(CheckerContext &C, const GRState *&state, 512 const Expr *Ex, SVal Buf) const { 513 const MemRegion *MR = Buf.getAsRegion(); 514 if (!MR) { 515 // If we can't get a region, see if it's something we /know/ isn't a 516 // C string. In the context of locations, the only time we can issue such 517 // a warning is for labels. 518 if (loc::GotoLabel *Label = dyn_cast<loc::GotoLabel>(&Buf)) { 519 if (ExplodedNode *N = C.generateNode(state)) { 520 if (!BT_NotCString) 521 BT_NotCString.reset(new BuiltinBug("API", 522 "Argument is not a null-terminated string.")); 523 524 llvm::SmallString<120> buf; 525 llvm::raw_svector_ostream os(buf); 526 os << "Argument to byte string function is the address of the label '" 527 << Label->getLabel()->getName() 528 << "', which is not a null-terminated string"; 529 530 // Generate a report for this bug. 531 EnhancedBugReport *report = new EnhancedBugReport(*BT_NotCString, 532 os.str(), N); 533 534 report->addRange(Ex->getSourceRange()); 535 C.EmitReport(report); 536 } 537 538 return UndefinedVal(); 539 } 540 541 // If it's not a region and not a label, give up. 542 return UnknownVal(); 543 } 544 545 // If we have a region, strip casts from it and see if we can figure out 546 // its length. For anything we can't figure out, just return UnknownVal. 547 MR = MR->StripCasts(); 548 549 switch (MR->getKind()) { 550 case MemRegion::StringRegionKind: { 551 // Modifying the contents of string regions is undefined [C99 6.4.5p6], 552 // so we can assume that the byte length is the correct C string length. 553 SValBuilder &svalBuilder = C.getSValBuilder(); 554 QualType sizeTy = svalBuilder.getContext().getSizeType(); 555 const StringLiteral *strLit = cast<StringRegion>(MR)->getStringLiteral(); 556 return svalBuilder.makeIntVal(strLit->getByteLength(), sizeTy); 557 } 558 case MemRegion::SymbolicRegionKind: 559 case MemRegion::AllocaRegionKind: 560 case MemRegion::VarRegionKind: 561 case MemRegion::FieldRegionKind: 562 case MemRegion::ObjCIvarRegionKind: 563 return getCStringLengthForRegion(C, state, Ex, MR); 564 case MemRegion::CompoundLiteralRegionKind: 565 // FIXME: Can we track this? Is it necessary? 566 return UnknownVal(); 567 case MemRegion::ElementRegionKind: 568 // FIXME: How can we handle this? It's not good enough to subtract the 569 // offset from the base string length; consider "123\x00567" and &a[5]. 570 return UnknownVal(); 571 default: 572 // Other regions (mostly non-data) can't have a reliable C string length. 573 // In this case, an error is emitted and UndefinedVal is returned. 574 // The caller should always be prepared to handle this case. 575 if (ExplodedNode *N = C.generateNode(state)) { 576 if (!BT_NotCString) 577 BT_NotCString.reset(new BuiltinBug("API", 578 "Argument is not a null-terminated string.")); 579 580 llvm::SmallString<120> buf; 581 llvm::raw_svector_ostream os(buf); 582 583 os << "Argument to byte string function is "; 584 585 if (SummarizeRegion(os, C.getASTContext(), MR)) 586 os << ", which is not a null-terminated string"; 587 else 588 os << "not a null-terminated string"; 589 590 // Generate a report for this bug. 591 EnhancedBugReport *report = new EnhancedBugReport(*BT_NotCString, 592 os.str(), N); 593 594 report->addRange(Ex->getSourceRange()); 595 C.EmitReport(report); 596 } 597 598 return UndefinedVal(); 599 } 600 } 601 602 const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C, 603 const GRState *&state, const Expr *expr, SVal val) const { 604 605 // Get the memory region pointed to by the val. 606 const MemRegion *bufRegion = val.getAsRegion(); 607 if (!bufRegion) 608 return NULL; 609 610 // Strip casts off the memory region. 611 bufRegion = bufRegion->StripCasts(); 612 613 // Cast the memory region to a string region. 614 const StringRegion *strRegion= dyn_cast<StringRegion>(bufRegion); 615 if (!strRegion) 616 return NULL; 617 618 // Return the actual string in the string region. 619 return strRegion->getStringLiteral(); 620 } 621 622 const GRState *CStringChecker::InvalidateBuffer(CheckerContext &C, 623 const GRState *state, 624 const Expr *E, SVal V) { 625 Loc *L = dyn_cast<Loc>(&V); 626 if (!L) 627 return state; 628 629 // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes 630 // some assumptions about the value that CFRefCount can't. Even so, it should 631 // probably be refactored. 632 if (loc::MemRegionVal* MR = dyn_cast<loc::MemRegionVal>(L)) { 633 const MemRegion *R = MR->getRegion()->StripCasts(); 634 635 // Are we dealing with an ElementRegion? If so, we should be invalidating 636 // the super-region. 637 if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) { 638 R = ER->getSuperRegion(); 639 // FIXME: What about layers of ElementRegions? 640 } 641 642 // Invalidate this region. 643 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 644 return state->invalidateRegion(R, E, Count, NULL); 645 } 646 647 // If we have a non-region value by chance, just remove the binding. 648 // FIXME: is this necessary or correct? This handles the non-Region 649 // cases. Is it ever valid to store to these? 650 return state->unbindLoc(*L); 651 } 652 653 bool CStringChecker::SummarizeRegion(llvm::raw_ostream& os, ASTContext& Ctx, 654 const MemRegion *MR) { 655 const TypedRegion *TR = dyn_cast<TypedRegion>(MR); 656 if (!TR) 657 return false; 658 659 switch (TR->getKind()) { 660 case MemRegion::FunctionTextRegionKind: { 661 const FunctionDecl *FD = cast<FunctionTextRegion>(TR)->getDecl(); 662 if (FD) 663 os << "the address of the function '" << FD << "'"; 664 else 665 os << "the address of a function"; 666 return true; 667 } 668 case MemRegion::BlockTextRegionKind: 669 os << "block text"; 670 return true; 671 case MemRegion::BlockDataRegionKind: 672 os << "a block"; 673 return true; 674 case MemRegion::CXXThisRegionKind: 675 case MemRegion::CXXTempObjectRegionKind: 676 os << "a C++ temp object of type " << TR->getValueType().getAsString(); 677 return true; 678 case MemRegion::VarRegionKind: 679 os << "a variable of type" << TR->getValueType().getAsString(); 680 return true; 681 case MemRegion::FieldRegionKind: 682 os << "a field of type " << TR->getValueType().getAsString(); 683 return true; 684 case MemRegion::ObjCIvarRegionKind: 685 os << "an instance variable of type " << TR->getValueType().getAsString(); 686 return true; 687 default: 688 return false; 689 } 690 } 691 692 //===----------------------------------------------------------------------===// 693 // evaluation of individual function calls. 694 //===----------------------------------------------------------------------===// 695 696 void CStringChecker::evalCopyCommon(CheckerContext &C, 697 const CallExpr *CE, 698 const GRState *state, 699 const Expr *Size, const Expr *Dest, 700 const Expr *Source, bool Restricted, 701 bool IsMempcpy) const { 702 // See if the size argument is zero. 703 SVal sizeVal = state->getSVal(Size); 704 QualType sizeTy = Size->getType(); 705 706 const GRState *stateZeroSize, *stateNonZeroSize; 707 llvm::tie(stateZeroSize, stateNonZeroSize) = assumeZero(C, state, sizeVal, sizeTy); 708 709 // Get the value of the Dest. 710 SVal destVal = state->getSVal(Dest); 711 712 // If the size is zero, there won't be any actual memory access, so 713 // just bind the return value to the destination buffer and return. 714 if (stateZeroSize) { 715 C.addTransition(stateZeroSize); 716 if (IsMempcpy) 717 state->BindExpr(CE, destVal); 718 else 719 state->BindExpr(CE, sizeVal); 720 return; 721 } 722 723 // If the size can be nonzero, we have to check the other arguments. 724 if (stateNonZeroSize) { 725 726 // Ensure the destination is not null. If it is NULL there will be a 727 // NULL pointer dereference. 728 state = checkNonNull(C, state, Dest, destVal); 729 if (!state) 730 return; 731 732 // Get the value of the Src. 733 SVal srcVal = state->getSVal(Source); 734 735 // Ensure the source is not null. If it is NULL there will be a 736 // NULL pointer dereference. 737 state = checkNonNull(C, state, Source, srcVal); 738 if (!state) 739 return; 740 741 // Ensure the buffers do not overlap. 742 state = stateNonZeroSize; 743 state = CheckBufferAccess(C, state, Size, Dest, Source, 744 /* FirstIsDst = */ true); 745 if (Restricted) 746 state = CheckOverlap(C, state, Size, Dest, Source); 747 748 if (state) { 749 750 // If this is mempcpy, get the byte after the last byte copied and 751 // bind the expr. 752 if (IsMempcpy) { 753 loc::MemRegionVal *destRegVal = dyn_cast<loc::MemRegionVal>(&destVal); 754 755 // Get the length to copy. 756 SVal lenVal = state->getSVal(Size); 757 NonLoc *lenValNonLoc = dyn_cast<NonLoc>(&lenVal); 758 759 // Get the byte after the last byte copied. 760 SVal lastElement = C.getSValBuilder().evalBinOpLN(state, BO_Add, 761 *destRegVal, 762 *lenValNonLoc, 763 Dest->getType()); 764 765 // The byte after the last byte copied is the return value. 766 state = state->BindExpr(CE, lastElement); 767 } 768 769 // Invalidate the destination. 770 // FIXME: Even if we can't perfectly model the copy, we should see if we 771 // can use LazyCompoundVals to copy the source values into the destination. 772 // This would probably remove any existing bindings past the end of the 773 // copied region, but that's still an improvement over blank invalidation. 774 state = InvalidateBuffer(C, state, Dest, state->getSVal(Dest)); 775 C.addTransition(state); 776 } 777 } 778 } 779 780 781 void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE) const { 782 // void *memcpy(void *restrict dst, const void *restrict src, size_t n); 783 // The return value is the address of the destination buffer. 784 const Expr *Dest = CE->getArg(0); 785 const GRState *state = C.getState(); 786 state = state->BindExpr(CE, state->getSVal(Dest)); 787 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true); 788 } 789 790 void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const { 791 // void *mempcpy(void *restrict dst, const void *restrict src, size_t n); 792 // The return value is a pointer to the byte following the last written byte. 793 const Expr *Dest = CE->getArg(0); 794 const GRState *state = C.getState(); 795 796 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1), true, true); 797 } 798 799 void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const { 800 // void *memmove(void *dst, const void *src, size_t n); 801 // The return value is the address of the destination buffer. 802 const Expr *Dest = CE->getArg(0); 803 const GRState *state = C.getState(); 804 state = state->BindExpr(CE, state->getSVal(Dest)); 805 evalCopyCommon(C, CE, state, CE->getArg(2), Dest, CE->getArg(1)); 806 } 807 808 void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const { 809 // void bcopy(const void *src, void *dst, size_t n); 810 evalCopyCommon(C, CE, C.getState(), 811 CE->getArg(2), CE->getArg(1), CE->getArg(0)); 812 } 813 814 void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const { 815 // int memcmp(const void *s1, const void *s2, size_t n); 816 const Expr *Left = CE->getArg(0); 817 const Expr *Right = CE->getArg(1); 818 const Expr *Size = CE->getArg(2); 819 820 const GRState *state = C.getState(); 821 SValBuilder &svalBuilder = C.getSValBuilder(); 822 823 // See if the size argument is zero. 824 SVal sizeVal = state->getSVal(Size); 825 QualType sizeTy = Size->getType(); 826 827 const GRState *stateZeroSize, *stateNonZeroSize; 828 llvm::tie(stateZeroSize, stateNonZeroSize) = 829 assumeZero(C, state, sizeVal, sizeTy); 830 831 // If the size can be zero, the result will be 0 in that case, and we don't 832 // have to check either of the buffers. 833 if (stateZeroSize) { 834 state = stateZeroSize; 835 state = state->BindExpr(CE, svalBuilder.makeZeroVal(CE->getType())); 836 C.addTransition(state); 837 } 838 839 // If the size can be nonzero, we have to check the other arguments. 840 if (stateNonZeroSize) { 841 state = stateNonZeroSize; 842 // If we know the two buffers are the same, we know the result is 0. 843 // First, get the two buffers' addresses. Another checker will have already 844 // made sure they're not undefined. 845 DefinedOrUnknownSVal LV = cast<DefinedOrUnknownSVal>(state->getSVal(Left)); 846 DefinedOrUnknownSVal RV = cast<DefinedOrUnknownSVal>(state->getSVal(Right)); 847 848 // See if they are the same. 849 DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); 850 const GRState *StSameBuf, *StNotSameBuf; 851 llvm::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); 852 853 // If the two arguments might be the same buffer, we know the result is zero, 854 // and we only need to check one size. 855 if (StSameBuf) { 856 state = StSameBuf; 857 state = CheckBufferAccess(C, state, Size, Left); 858 if (state) { 859 state = StSameBuf->BindExpr(CE, svalBuilder.makeZeroVal(CE->getType())); 860 C.addTransition(state); 861 } 862 } 863 864 // If the two arguments might be different buffers, we have to check the 865 // size of both of them. 866 if (StNotSameBuf) { 867 state = StNotSameBuf; 868 state = CheckBufferAccess(C, state, Size, Left, Right); 869 if (state) { 870 // The return value is the comparison result, which we don't know. 871 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 872 SVal CmpV = svalBuilder.getConjuredSymbolVal(NULL, CE, Count); 873 state = state->BindExpr(CE, CmpV); 874 C.addTransition(state); 875 } 876 } 877 } 878 } 879 880 void CStringChecker::evalstrLength(CheckerContext &C, 881 const CallExpr *CE) const { 882 // size_t strlen(const char *s); 883 evalstrLengthCommon(C, CE, /* IsStrnlen = */ false); 884 } 885 886 void CStringChecker::evalstrnLength(CheckerContext &C, 887 const CallExpr *CE) const { 888 // size_t strnlen(const char *s, size_t maxlen); 889 evalstrLengthCommon(C, CE, /* IsStrnlen = */ true); 890 } 891 892 void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE, 893 bool IsStrnlen) const { 894 const GRState *state = C.getState(); 895 const Expr *Arg = CE->getArg(0); 896 SVal ArgVal = state->getSVal(Arg); 897 898 // Check that the argument is non-null. 899 state = checkNonNull(C, state, Arg, ArgVal); 900 901 if (state) { 902 SVal strLength = getCStringLength(C, state, Arg, ArgVal); 903 904 // If the argument isn't a valid C string, there's no valid state to 905 // transition to. 906 if (strLength.isUndef()) 907 return; 908 909 // If the check is for strnlen() then bind the return value to no more than 910 // the maxlen value. 911 if (IsStrnlen) { 912 const Expr *maxlenExpr = CE->getArg(1); 913 SVal maxlenVal = state->getSVal(maxlenExpr); 914 915 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 916 NonLoc *maxlenValNL = dyn_cast<NonLoc>(&maxlenVal); 917 918 QualType cmpTy = C.getSValBuilder().getContext().IntTy; 919 const GRState *stateTrue, *stateFalse; 920 921 // Check if the strLength is greater than or equal to the maxlen 922 llvm::tie(stateTrue, stateFalse) = 923 state->assume(cast<DefinedOrUnknownSVal> 924 (C.getSValBuilder().evalBinOpNN(state, BO_GE, 925 *strLengthNL, *maxlenValNL, 926 cmpTy))); 927 928 // If the strLength is greater than or equal to the maxlen, set strLength 929 // to maxlen 930 if (stateTrue && !stateFalse) { 931 strLength = maxlenVal; 932 } 933 } 934 935 // If getCStringLength couldn't figure out the length, conjure a return 936 // value, so it can be used in constraints, at least. 937 if (strLength.isUnknown()) { 938 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 939 strLength = C.getSValBuilder().getConjuredSymbolVal(NULL, CE, Count); 940 } 941 942 // Bind the return value. 943 state = state->BindExpr(CE, strLength); 944 C.addTransition(state); 945 } 946 } 947 948 void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const { 949 // char *strcpy(char *restrict dst, const char *restrict src); 950 evalStrcpyCommon(C, CE, 951 /* returnEnd = */ false, 952 /* isBounded = */ false, 953 /* isAppending = */ false); 954 } 955 956 void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const { 957 // char *strcpy(char *restrict dst, const char *restrict src); 958 evalStrcpyCommon(C, CE, 959 /* returnEnd = */ false, 960 /* isBounded = */ true, 961 /* isAppending = */ false); 962 } 963 964 void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const { 965 // char *stpcpy(char *restrict dst, const char *restrict src); 966 evalStrcpyCommon(C, CE, 967 /* returnEnd = */ true, 968 /* isBounded = */ false, 969 /* isAppending = */ false); 970 } 971 972 void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const { 973 //char *strcat(char *restrict s1, const char *restrict s2); 974 evalStrcpyCommon(C, CE, 975 /* returnEnd = */ false, 976 /* isBounded = */ false, 977 /* isAppending = */ true); 978 } 979 980 void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const { 981 //char *strncat(char *restrict s1, const char *restrict s2, size_t n); 982 evalStrcpyCommon(C, CE, 983 /* returnEnd = */ false, 984 /* isBounded = */ true, 985 /* isAppending = */ true); 986 } 987 988 void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, 989 bool returnEnd, bool isBounded, 990 bool isAppending) const { 991 const GRState *state = C.getState(); 992 993 // Check that the destination is non-null. 994 const Expr *Dst = CE->getArg(0); 995 SVal DstVal = state->getSVal(Dst); 996 997 state = checkNonNull(C, state, Dst, DstVal); 998 if (!state) 999 return; 1000 1001 // Check that the source is non-null. 1002 const Expr *srcExpr = CE->getArg(1); 1003 SVal srcVal = state->getSVal(srcExpr); 1004 state = checkNonNull(C, state, srcExpr, srcVal); 1005 if (!state) 1006 return; 1007 1008 // Get the string length of the source. 1009 SVal strLength = getCStringLength(C, state, srcExpr, srcVal); 1010 1011 // If the source isn't a valid C string, give up. 1012 if (strLength.isUndef()) 1013 return; 1014 1015 // If the function is strncpy, strncat, etc... it is bounded. 1016 if (isBounded) { 1017 // Get the max number of characters to copy. 1018 const Expr *lenExpr = CE->getArg(2); 1019 SVal lenVal = state->getSVal(lenExpr); 1020 1021 // Cast the length to a NonLoc SVal. If it is not a NonLoc then give up. 1022 NonLoc *strLengthNL = dyn_cast<NonLoc>(&strLength); 1023 if (!strLengthNL) 1024 return; 1025 1026 // Cast the max length to a NonLoc SVal. If it is not a NonLoc then give up. 1027 NonLoc *lenValNL = dyn_cast<NonLoc>(&lenVal); 1028 if (!lenValNL) 1029 return; 1030 1031 QualType cmpTy = C.getSValBuilder().getContext().IntTy; 1032 const GRState *stateTrue, *stateFalse; 1033 1034 // Check if the max number to copy is less than the length of the src. 1035 llvm::tie(stateTrue, stateFalse) = 1036 state->assume(cast<DefinedOrUnknownSVal> 1037 (C.getSValBuilder().evalBinOpNN(state, BO_GT, 1038 *strLengthNL, *lenValNL, 1039 cmpTy))); 1040 1041 if (stateTrue) { 1042 // Max number to copy is less than the length of the src, so the actual 1043 // strLength copied is the max number arg. 1044 strLength = lenVal; 1045 } 1046 } 1047 1048 // If this is an appending function (strcat, strncat...) then set the 1049 // string length to strlen(src) + strlen(dst) since the buffer will 1050 // ultimately contain both. 1051 if (isAppending) { 1052 // Get the string length of the destination, or give up. 1053 SVal dstStrLength = getCStringLength(C, state, Dst, DstVal); 1054 if (dstStrLength.isUndef()) 1055 return; 1056 1057 NonLoc *srcStrLengthNL = dyn_cast<NonLoc>(&strLength); 1058 NonLoc *dstStrLengthNL = dyn_cast<NonLoc>(&dstStrLength); 1059 1060 // If src or dst cast to NonLoc is NULL, give up. 1061 if ((!srcStrLengthNL) || (!dstStrLengthNL)) 1062 return; 1063 1064 QualType addTy = C.getSValBuilder().getContext().getSizeType(); 1065 1066 strLength = C.getSValBuilder().evalBinOpNN(state, BO_Add, 1067 *srcStrLengthNL, *dstStrLengthNL, 1068 addTy); 1069 } 1070 1071 SVal Result = (returnEnd ? UnknownVal() : DstVal); 1072 1073 // If the destination is a MemRegion, try to check for a buffer overflow and 1074 // record the new string length. 1075 if (loc::MemRegionVal *dstRegVal = dyn_cast<loc::MemRegionVal>(&DstVal)) { 1076 // If the length is known, we can check for an overflow. 1077 if (NonLoc *knownStrLength = dyn_cast<NonLoc>(&strLength)) { 1078 SVal lastElement = 1079 C.getSValBuilder().evalBinOpLN(state, BO_Add, *dstRegVal, 1080 *knownStrLength, Dst->getType()); 1081 1082 state = CheckLocation(C, state, Dst, lastElement, /* IsDst = */ true); 1083 if (!state) 1084 return; 1085 1086 // If this is a stpcpy-style copy, the last element is the return value. 1087 if (returnEnd) 1088 Result = lastElement; 1089 } 1090 1091 // Invalidate the destination. This must happen before we set the C string 1092 // length because invalidation will clear the length. 1093 // FIXME: Even if we can't perfectly model the copy, we should see if we 1094 // can use LazyCompoundVals to copy the source values into the destination. 1095 // This would probably remove any existing bindings past the end of the 1096 // string, but that's still an improvement over blank invalidation. 1097 state = InvalidateBuffer(C, state, Dst, *dstRegVal); 1098 1099 // Set the C string length of the destination. 1100 state = setCStringLength(state, dstRegVal->getRegion(), strLength); 1101 } 1102 1103 // If this is a stpcpy-style copy, but we were unable to check for a buffer 1104 // overflow, we still need a result. Conjure a return value. 1105 if (returnEnd && Result.isUnknown()) { 1106 SValBuilder &svalBuilder = C.getSValBuilder(); 1107 unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); 1108 strLength = svalBuilder.getConjuredSymbolVal(NULL, CE, Count); 1109 } 1110 1111 // Set the return value. 1112 state = state->BindExpr(CE, Result); 1113 C.addTransition(state); 1114 } 1115 1116 void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const { 1117 //int strcmp(const char *restrict s1, const char *restrict s2); 1118 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ false); 1119 } 1120 1121 void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const { 1122 //int strncmp(const char *restrict s1, const char *restrict s2, size_t n); 1123 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ false); 1124 } 1125 1126 void CStringChecker::evalStrcasecmp(CheckerContext &C, 1127 const CallExpr *CE) const { 1128 //int strcasecmp(const char *restrict s1, const char *restrict s2); 1129 evalStrcmpCommon(C, CE, /* isBounded = */ false, /* ignoreCase = */ true); 1130 } 1131 1132 void CStringChecker::evalStrncasecmp(CheckerContext &C, 1133 const CallExpr *CE) const { 1134 //int strncasecmp(const char *restrict s1, const char *restrict s2, size_t n); 1135 evalStrcmpCommon(C, CE, /* isBounded = */ true, /* ignoreCase = */ true); 1136 } 1137 1138 void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, 1139 bool isBounded, bool ignoreCase) const { 1140 const GRState *state = C.getState(); 1141 1142 // Check that the first string is non-null 1143 const Expr *s1 = CE->getArg(0); 1144 SVal s1Val = state->getSVal(s1); 1145 state = checkNonNull(C, state, s1, s1Val); 1146 if (!state) 1147 return; 1148 1149 // Check that the second string is non-null. 1150 const Expr *s2 = CE->getArg(1); 1151 SVal s2Val = state->getSVal(s2); 1152 state = checkNonNull(C, state, s2, s2Val); 1153 if (!state) 1154 return; 1155 1156 // Get the string length of the first string or give up. 1157 SVal s1Length = getCStringLength(C, state, s1, s1Val); 1158 if (s1Length.isUndef()) 1159 return; 1160 1161 // Get the string length of the second string or give up. 1162 SVal s2Length = getCStringLength(C, state, s2, s2Val); 1163 if (s2Length.isUndef()) 1164 return; 1165 1166 // Get the string literal of the first string. 1167 const StringLiteral *s1StrLiteral = getCStringLiteral(C, state, s1, s1Val); 1168 if (!s1StrLiteral) 1169 return; 1170 llvm::StringRef s1StrRef = s1StrLiteral->getString(); 1171 1172 // Get the string literal of the second string. 1173 const StringLiteral *s2StrLiteral = getCStringLiteral(C, state, s2, s2Val); 1174 if (!s2StrLiteral) 1175 return; 1176 llvm::StringRef s2StrRef = s2StrLiteral->getString(); 1177 1178 int result; 1179 if (isBounded) { 1180 // Get the max number of characters to compare. 1181 const Expr *lenExpr = CE->getArg(2); 1182 SVal lenVal = state->getSVal(lenExpr); 1183 1184 // Dynamically cast the length to a ConcreteInt. If it is not a ConcreteInt 1185 // then give up, otherwise get the value and use it as the bounds. 1186 nonloc::ConcreteInt *CI = dyn_cast<nonloc::ConcreteInt>(&lenVal); 1187 if (!CI) 1188 return; 1189 llvm::APSInt lenInt(CI->getValue()); 1190 1191 // Create substrings of each to compare the prefix. 1192 s1StrRef = s1StrRef.substr(0, (size_t)lenInt.getLimitedValue()); 1193 s2StrRef = s2StrRef.substr(0, (size_t)lenInt.getLimitedValue()); 1194 } 1195 1196 if (ignoreCase) { 1197 // Compare string 1 to string 2 the same way strcasecmp() does. 1198 result = s1StrRef.compare_lower(s2StrRef); 1199 } else { 1200 // Compare string 1 to string 2 the same way strcmp() does. 1201 result = s1StrRef.compare(s2StrRef); 1202 } 1203 1204 // Build the SVal of the comparison to bind the return value. 1205 SValBuilder &svalBuilder = C.getSValBuilder(); 1206 QualType intTy = svalBuilder.getContext().IntTy; 1207 SVal resultVal = svalBuilder.makeIntVal(result, intTy); 1208 1209 // Bind the return value of the expression. 1210 // Set the return value. 1211 state = state->BindExpr(CE, resultVal); 1212 C.addTransition(state); 1213 } 1214 1215 //===----------------------------------------------------------------------===// 1216 // The driver method, and other Checker callbacks. 1217 //===----------------------------------------------------------------------===// 1218 1219 bool CStringChecker::evalCall(const CallExpr *CE, CheckerContext &C) const { 1220 // Get the callee. All the functions we care about are C functions 1221 // with simple identifiers. 1222 const GRState *state = C.getState(); 1223 const Expr *Callee = CE->getCallee(); 1224 const FunctionDecl *FD = state->getSVal(Callee).getAsFunctionDecl(); 1225 1226 if (!FD) 1227 return false; 1228 1229 // Get the name of the callee. If it's a builtin, strip off the prefix. 1230 IdentifierInfo *II = FD->getIdentifier(); 1231 if (!II) // if no identifier, not a simple C function 1232 return false; 1233 llvm::StringRef Name = II->getName(); 1234 if (Name.startswith("__builtin_")) 1235 Name = Name.substr(10); 1236 1237 FnCheck evalFunction = llvm::StringSwitch<FnCheck>(Name) 1238 .Cases("memcpy", "__memcpy_chk", &CStringChecker::evalMemcpy) 1239 .Case("mempcpy", &CStringChecker::evalMempcpy) 1240 .Cases("memcmp", "bcmp", &CStringChecker::evalMemcmp) 1241 .Cases("memmove", "__memmove_chk", &CStringChecker::evalMemmove) 1242 .Cases("strcpy", "__strcpy_chk", &CStringChecker::evalStrcpy) 1243 .Cases("strncpy", "__strncpy_chk", &CStringChecker::evalStrncpy) 1244 .Cases("stpcpy", "__stpcpy_chk", &CStringChecker::evalStpcpy) 1245 .Cases("strcat", "__strcat_chk", &CStringChecker::evalStrcat) 1246 .Cases("strncat", "__strncat_chk", &CStringChecker::evalStrncat) 1247 .Case("strlen", &CStringChecker::evalstrLength) 1248 .Case("strnlen", &CStringChecker::evalstrnLength) 1249 .Case("strcmp", &CStringChecker::evalStrcmp) 1250 .Case("strncmp", &CStringChecker::evalStrncmp) 1251 .Case("strcasecmp", &CStringChecker::evalStrcasecmp) 1252 .Case("strncasecmp", &CStringChecker::evalStrncasecmp) 1253 .Case("bcopy", &CStringChecker::evalBcopy) 1254 .Default(NULL); 1255 1256 // If the callee isn't a string function, let another checker handle it. 1257 if (!evalFunction) 1258 return false; 1259 1260 // Check and evaluate the call. 1261 (this->*evalFunction)(C, CE); 1262 return true; 1263 } 1264 1265 void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const { 1266 // Record string length for char a[] = "abc"; 1267 const GRState *state = C.getState(); 1268 1269 for (DeclStmt::const_decl_iterator I = DS->decl_begin(), E = DS->decl_end(); 1270 I != E; ++I) { 1271 const VarDecl *D = dyn_cast<VarDecl>(*I); 1272 if (!D) 1273 continue; 1274 1275 // FIXME: Handle array fields of structs. 1276 if (!D->getType()->isArrayType()) 1277 continue; 1278 1279 const Expr *Init = D->getInit(); 1280 if (!Init) 1281 continue; 1282 if (!isa<StringLiteral>(Init)) 1283 continue; 1284 1285 Loc VarLoc = state->getLValue(D, C.getPredecessor()->getLocationContext()); 1286 const MemRegion *MR = VarLoc.getAsRegion(); 1287 if (!MR) 1288 continue; 1289 1290 SVal StrVal = state->getSVal(Init); 1291 assert(StrVal.isValid() && "Initializer string is unknown or undefined"); 1292 DefinedOrUnknownSVal strLength 1293 = cast<DefinedOrUnknownSVal>(getCStringLength(C, state, Init, StrVal)); 1294 1295 state = state->set<CStringLength>(MR, strLength); 1296 } 1297 1298 C.addTransition(state); 1299 } 1300 1301 bool CStringChecker::wantsRegionChangeUpdate(const GRState *state) const { 1302 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1303 return !Entries.isEmpty(); 1304 } 1305 1306 const GRState * 1307 CStringChecker::checkRegionChanges(const GRState *state, 1308 const MemRegion * const *Begin, 1309 const MemRegion * const *End) const { 1310 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1311 if (Entries.isEmpty()) 1312 return state; 1313 1314 llvm::SmallPtrSet<const MemRegion *, 8> Invalidated; 1315 llvm::SmallPtrSet<const MemRegion *, 32> SuperRegions; 1316 1317 // First build sets for the changed regions and their super-regions. 1318 for ( ; Begin != End; ++Begin) { 1319 const MemRegion *MR = *Begin; 1320 Invalidated.insert(MR); 1321 1322 SuperRegions.insert(MR); 1323 while (const SubRegion *SR = dyn_cast<SubRegion>(MR)) { 1324 MR = SR->getSuperRegion(); 1325 SuperRegions.insert(MR); 1326 } 1327 } 1328 1329 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>(); 1330 1331 // Then loop over the entries in the current state. 1332 for (CStringLength::EntryMap::iterator I = Entries.begin(), 1333 E = Entries.end(); I != E; ++I) { 1334 const MemRegion *MR = I.getKey(); 1335 1336 // Is this entry for a super-region of a changed region? 1337 if (SuperRegions.count(MR)) { 1338 Entries = F.remove(Entries, MR); 1339 continue; 1340 } 1341 1342 // Is this entry for a sub-region of a changed region? 1343 const MemRegion *Super = MR; 1344 while (const SubRegion *SR = dyn_cast<SubRegion>(Super)) { 1345 Super = SR->getSuperRegion(); 1346 if (Invalidated.count(Super)) { 1347 Entries = F.remove(Entries, MR); 1348 break; 1349 } 1350 } 1351 } 1352 1353 return state->set<CStringLength>(Entries); 1354 } 1355 1356 void CStringChecker::checkLiveSymbols(const GRState *state, 1357 SymbolReaper &SR) const { 1358 // Mark all symbols in our string length map as valid. 1359 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1360 1361 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end(); 1362 I != E; ++I) { 1363 SVal Len = I.getData(); 1364 if (SymbolRef Sym = Len.getAsSymbol()) 1365 SR.markInUse(Sym); 1366 } 1367 } 1368 1369 void CStringChecker::checkDeadSymbols(SymbolReaper &SR, 1370 CheckerContext &C) const { 1371 if (!SR.hasDeadSymbols()) 1372 return; 1373 1374 const GRState *state = C.getState(); 1375 CStringLength::EntryMap Entries = state->get<CStringLength>(); 1376 if (Entries.isEmpty()) 1377 return; 1378 1379 CStringLength::EntryMap::Factory &F = state->get_context<CStringLength>(); 1380 for (CStringLength::EntryMap::iterator I = Entries.begin(), E = Entries.end(); 1381 I != E; ++I) { 1382 SVal Len = I.getData(); 1383 if (SymbolRef Sym = Len.getAsSymbol()) { 1384 if (SR.isDead(Sym)) 1385 Entries = F.remove(Entries, I.getKey()); 1386 } 1387 } 1388 1389 state = state->set<CStringLength>(Entries); 1390 C.generateNode(state); 1391 } 1392 1393 void ento::registerCStringChecker(CheckerManager &mgr) { 1394 mgr.registerChecker<CStringChecker>(); 1395 } 1396