1 //=== StdLibraryFunctionsChecker.cpp - Model standard functions -*- C++ -*-===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This checker improves modeling of a few simple library functions. 10 // 11 // This checker provides a specification format - `Summary' - and 12 // contains descriptions of some library functions in this format. Each 13 // specification contains a list of branches for splitting the program state 14 // upon call, and range constraints on argument and return-value symbols that 15 // are satisfied on each branch. This spec can be expanded to include more 16 // items, like external effects of the function. 17 // 18 // The main difference between this approach and the body farms technique is 19 // in more explicit control over how many branches are produced. For example, 20 // consider standard C function `ispunct(int x)', which returns a non-zero value 21 // iff `x' is a punctuation character, that is, when `x' is in range 22 // ['!', '/'] [':', '@'] U ['[', '\`'] U ['{', '~']. 23 // `Summary' provides only two branches for this function. However, 24 // any attempt to describe this range with if-statements in the body farm 25 // would result in many more branches. Because each branch needs to be analyzed 26 // independently, this significantly reduces performance. Additionally, 27 // once we consider a branch on which `x' is in range, say, ['!', '/'], 28 // we assume that such branch is an important separate path through the program, 29 // which may lead to false positives because considering this particular path 30 // was not consciously intended, and therefore it might have been unreachable. 31 // 32 // This checker uses eval::Call for modeling pure functions (functions without 33 // side effets), for which their `Summary' is a precise model. This avoids 34 // unnecessary invalidation passes. Conflicts with other checkers are unlikely 35 // because if the function has no other effects, other checkers would probably 36 // never want to improve upon the modeling done by this checker. 37 // 38 // Non-pure functions, for which only partial improvement over the default 39 // behavior is expected, are modeled via check::PostCall, non-intrusively. 40 // 41 //===----------------------------------------------------------------------===// 42 43 #include "ErrnoModeling.h" 44 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 45 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 46 #include "clang/StaticAnalyzer/Core/Checker.h" 47 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 48 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 49 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 50 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" 51 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" 52 #include "llvm/ADT/STLExtras.h" 53 #include "llvm/ADT/SmallString.h" 54 #include "llvm/ADT/StringExtras.h" 55 #include "llvm/Support/FormatVariadic.h" 56 57 #include <optional> 58 #include <string> 59 60 using namespace clang; 61 using namespace clang::ento; 62 63 namespace { 64 class StdLibraryFunctionsChecker 65 : public Checker<check::PreCall, check::PostCall, eval::Call> { 66 67 class Summary; 68 69 /// Specify how much the analyzer engine should entrust modeling this function 70 /// to us. 71 enum InvalidationKind { 72 /// No \c eval::Call for the function, it can be modeled elsewhere. 73 /// This checker checks only pre and post conditions. 74 NoEvalCall, 75 /// The function is modeled completely in this checker. 76 EvalCallAsPure 77 }; 78 79 /// Given a range, should the argument stay inside or outside this range? 80 enum RangeKind { OutOfRange, WithinRange }; 81 82 static RangeKind negateKind(RangeKind K) { 83 switch (K) { 84 case OutOfRange: 85 return WithinRange; 86 case WithinRange: 87 return OutOfRange; 88 } 89 llvm_unreachable("Unknown range kind"); 90 } 91 92 /// The universal integral type to use in value range descriptions. 93 /// Unsigned to make sure overflows are well-defined. 94 typedef uint64_t RangeInt; 95 96 /// Describes a single range constraint. Eg. {{0, 1}, {3, 4}} is 97 /// a non-negative integer, which less than 5 and not equal to 2. 98 typedef std::vector<std::pair<RangeInt, RangeInt>> IntRangeVector; 99 100 /// A reference to an argument or return value by its number. 101 /// ArgNo in CallExpr and CallEvent is defined as Unsigned, but 102 /// obviously uint32_t should be enough for all practical purposes. 103 typedef uint32_t ArgNo; 104 /// Special argument number for specifying the return value. 105 static const ArgNo Ret; 106 107 /// Get a string representation of an argument index. 108 /// E.g.: (1) -> '1st arg', (2) - > '2nd arg' 109 static void printArgDesc(ArgNo, llvm::raw_ostream &Out); 110 /// Print value X of the argument in form " (which is X)", 111 /// if the value is a fixed known value, otherwise print nothing. 112 /// This is used as simple explanation of values if possible. 113 static void printArgValueInfo(ArgNo ArgN, ProgramStateRef State, 114 const CallEvent &Call, llvm::raw_ostream &Out); 115 /// Append textual description of a numeric range [RMin,RMax] to 116 /// \p Out. 117 static void appendInsideRangeDesc(llvm::APSInt RMin, llvm::APSInt RMax, 118 QualType ArgT, BasicValueFactory &BVF, 119 llvm::raw_ostream &Out); 120 /// Append textual description of a numeric range out of [RMin,RMax] to 121 /// \p Out. 122 static void appendOutOfRangeDesc(llvm::APSInt RMin, llvm::APSInt RMax, 123 QualType ArgT, BasicValueFactory &BVF, 124 llvm::raw_ostream &Out); 125 126 class ValueConstraint; 127 128 /// Pointer to the ValueConstraint. We need a copyable, polymorphic and 129 /// default initializable type (vector needs that). A raw pointer was good, 130 /// however, we cannot default initialize that. unique_ptr makes the Summary 131 /// class non-copyable, therefore not an option. Releasing the copyability 132 /// requirement would render the initialization of the Summary map infeasible. 133 /// Mind that a pointer to a new value constraint is created when the negate 134 /// function is used. 135 using ValueConstraintPtr = std::shared_ptr<ValueConstraint>; 136 137 /// Polymorphic base class that represents a constraint on a given argument 138 /// (or return value) of a function. Derived classes implement different kind 139 /// of constraints, e.g range constraints or correlation between two 140 /// arguments. 141 /// These are used as argument constraints (preconditions) of functions, in 142 /// which case a bug report may be emitted if the constraint is not satisfied. 143 /// Another use is as conditions for summary cases, to create different 144 /// classes of behavior for a function. In this case no description of the 145 /// constraint is needed because the summary cases have an own (not generated) 146 /// description string. 147 class ValueConstraint { 148 public: 149 ValueConstraint(ArgNo ArgN) : ArgN(ArgN) {} 150 virtual ~ValueConstraint() {} 151 152 /// Apply the effects of the constraint on the given program state. If null 153 /// is returned then the constraint is not feasible. 154 virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, 155 const Summary &Summary, 156 CheckerContext &C) const = 0; 157 158 /// Represents that in which context do we require a description of the 159 /// constraint. 160 enum DescriptionKind { 161 /// Describe a constraint that was violated. 162 /// Description should start with something like "should be". 163 Violation, 164 /// Describe a constraint that was assumed to be true. 165 /// This can be used when a precondition is satisfied, or when a summary 166 /// case is applied. 167 /// Description should start with something like "is". 168 Assumption 169 }; 170 171 /// Give a description that explains the constraint to the user. Used when 172 /// a bug is reported or when the constraint is applied and displayed as a 173 /// note. The description should not mention the argument (getArgNo). 174 /// See StdLibraryFunctionsChecker::reportBug about how this function is 175 /// used (this function is used not only there). 176 virtual void describe(DescriptionKind DK, const CallEvent &Call, 177 ProgramStateRef State, const Summary &Summary, 178 llvm::raw_ostream &Out) const { 179 // There are some descendant classes that are not used as argument 180 // constraints, e.g. ComparisonConstraint. In that case we can safely 181 // ignore the implementation of this function. 182 llvm_unreachable( 183 "Description not implemented for summary case constraints"); 184 } 185 186 /// Give a description that explains the actual argument value (where the 187 /// current ValueConstraint applies to) to the user. This function should be 188 /// called only when the current constraint is satisfied by the argument. 189 /// It should produce a more precise description than the constraint itself. 190 /// The actual value of the argument and the program state can be used to 191 /// make the description more precise. In the most simple case, if the 192 /// argument has a fixed known value this value can be printed into \p Out, 193 /// this is done by default. 194 /// The function should return true if a description was printed to \p Out, 195 /// otherwise false. 196 /// See StdLibraryFunctionsChecker::reportBug about how this function is 197 /// used. 198 virtual bool describeArgumentValue(const CallEvent &Call, 199 ProgramStateRef State, 200 const Summary &Summary, 201 llvm::raw_ostream &Out) const { 202 if (auto N = getArgSVal(Call, getArgNo()).getAs<NonLoc>()) { 203 if (const llvm::APSInt *Int = N->getAsInteger()) { 204 Out << *Int; 205 return true; 206 } 207 } 208 return false; 209 } 210 211 /// Return those arguments that should be tracked when we report a bug about 212 /// argument constraint violation. By default it is the argument that is 213 /// constrained, however, in some special cases we need to track other 214 /// arguments as well. E.g. a buffer size might be encoded in another 215 /// argument. 216 /// The "return value" argument number can not occur as returned value. 217 virtual std::vector<ArgNo> getArgsToTrack() const { return {ArgN}; } 218 219 /// Get a constraint that represents exactly the opposite of the current. 220 virtual ValueConstraintPtr negate() const { 221 llvm_unreachable("Not implemented"); 222 }; 223 224 /// Check whether the constraint is malformed or not. It is malformed if the 225 /// specified argument has a mismatch with the given FunctionDecl (e.g. the 226 /// arg number is out-of-range of the function's argument list). 227 /// This condition can indicate if a probably wrong or unexpected function 228 /// was found where the constraint is to be applied. 229 bool checkValidity(const FunctionDecl *FD) const { 230 const bool ValidArg = ArgN == Ret || ArgN < FD->getNumParams(); 231 assert(ValidArg && "Arg out of range!"); 232 if (!ValidArg) 233 return false; 234 // Subclasses may further refine the validation. 235 return checkSpecificValidity(FD); 236 } 237 238 /// Return the argument number (may be placeholder for "return value"). 239 ArgNo getArgNo() const { return ArgN; } 240 241 protected: 242 /// Argument to which to apply the constraint. It can be a real argument of 243 /// the function to check, or a special value to indicate the return value 244 /// of the function. 245 /// Every constraint is assigned to one main argument, even if other 246 /// arguments are involved. 247 ArgNo ArgN; 248 249 /// Do constraint-specific validation check. 250 virtual bool checkSpecificValidity(const FunctionDecl *FD) const { 251 return true; 252 } 253 }; 254 255 /// Check if a single argument falls into a specific "range". 256 /// A range is formed as a set of intervals. 257 /// E.g. \code {['A', 'Z'], ['a', 'z'], ['_', '_']} \endcode 258 /// The intervals are closed intervals that contain one or more values. 259 /// 260 /// The default constructed RangeConstraint has an empty range, applying 261 /// such constraint does not involve any assumptions, thus the State remains 262 /// unchanged. This is meaningful, if the range is dependent on a looked up 263 /// type (e.g. [0, Socklen_tMax]). If the type is not found, then the range 264 /// is default initialized to be empty. 265 class RangeConstraint : public ValueConstraint { 266 /// The constraint can be specified by allowing or disallowing the range. 267 /// WithinRange indicates allowing the range, OutOfRange indicates 268 /// disallowing it (allowing the complementary range). 269 RangeKind Kind; 270 271 /// A set of intervals. 272 IntRangeVector Ranges; 273 274 /// A textual description of this constraint for the specific case where the 275 /// constraint is used. If empty a generated description will be used that 276 /// is built from the range of the constraint. 277 StringRef Description; 278 279 public: 280 RangeConstraint(ArgNo ArgN, RangeKind Kind, const IntRangeVector &Ranges, 281 StringRef Desc = "") 282 : ValueConstraint(ArgN), Kind(Kind), Ranges(Ranges), Description(Desc) { 283 } 284 285 const IntRangeVector &getRanges() const { return Ranges; } 286 287 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, 288 const Summary &Summary, 289 CheckerContext &C) const override; 290 291 void describe(DescriptionKind DK, const CallEvent &Call, 292 ProgramStateRef State, const Summary &Summary, 293 llvm::raw_ostream &Out) const override; 294 295 bool describeArgumentValue(const CallEvent &Call, ProgramStateRef State, 296 const Summary &Summary, 297 llvm::raw_ostream &Out) const override; 298 299 ValueConstraintPtr negate() const override { 300 RangeConstraint Tmp(*this); 301 Tmp.Kind = negateKind(Kind); 302 return std::make_shared<RangeConstraint>(Tmp); 303 } 304 305 protected: 306 bool checkSpecificValidity(const FunctionDecl *FD) const override { 307 const bool ValidArg = 308 getArgType(FD, ArgN)->isIntegralType(FD->getASTContext()); 309 assert(ValidArg && 310 "This constraint should be applied on an integral type"); 311 return ValidArg; 312 } 313 314 private: 315 /// A callback function that is used when iterating over the range 316 /// intervals. It gets the begin and end (inclusive) of one interval. 317 /// This is used to make any kind of task possible that needs an iteration 318 /// over the intervals. 319 using RangeApplyFunction = 320 std::function<bool(const llvm::APSInt &Min, const llvm::APSInt &Max)>; 321 322 /// Call a function on the intervals of the range. 323 /// The function is called with all intervals in the range. 324 void applyOnWithinRange(BasicValueFactory &BVF, QualType ArgT, 325 const RangeApplyFunction &F) const; 326 /// Call a function on all intervals in the complementary range. 327 /// The function is called with all intervals that fall out of the range. 328 /// E.g. consider an interval list [A, B] and [C, D] 329 /// \code 330 /// -------+--------+------------------+------------+-----------> 331 /// A B C D 332 /// \endcode 333 /// We get the ranges [-inf, A - 1], [D + 1, +inf], [B + 1, C - 1]. 334 /// The \p ArgT is used to determine the min and max of the type that is 335 /// used as "-inf" and "+inf". 336 void applyOnOutOfRange(BasicValueFactory &BVF, QualType ArgT, 337 const RangeApplyFunction &F) const; 338 /// Call a function on the intervals of the range or the complementary 339 /// range. 340 void applyOnRange(RangeKind Kind, BasicValueFactory &BVF, QualType ArgT, 341 const RangeApplyFunction &F) const { 342 switch (Kind) { 343 case OutOfRange: 344 applyOnOutOfRange(BVF, ArgT, F); 345 break; 346 case WithinRange: 347 applyOnWithinRange(BVF, ArgT, F); 348 break; 349 }; 350 } 351 }; 352 353 /// Check relation of an argument to another. 354 class ComparisonConstraint : public ValueConstraint { 355 BinaryOperator::Opcode Opcode; 356 ArgNo OtherArgN; 357 358 public: 359 ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode, 360 ArgNo OtherArgN) 361 : ValueConstraint(ArgN), Opcode(Opcode), OtherArgN(OtherArgN) {} 362 ArgNo getOtherArgNo() const { return OtherArgN; } 363 BinaryOperator::Opcode getOpcode() const { return Opcode; } 364 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, 365 const Summary &Summary, 366 CheckerContext &C) const override; 367 }; 368 369 /// Check null or non-null-ness of an argument that is of pointer type. 370 class NotNullConstraint : public ValueConstraint { 371 using ValueConstraint::ValueConstraint; 372 // This variable has a role when we negate the constraint. 373 bool CannotBeNull = true; 374 375 public: 376 NotNullConstraint(ArgNo ArgN, bool CannotBeNull = true) 377 : ValueConstraint(ArgN), CannotBeNull(CannotBeNull) {} 378 379 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, 380 const Summary &Summary, 381 CheckerContext &C) const override; 382 383 void describe(DescriptionKind DK, const CallEvent &Call, 384 ProgramStateRef State, const Summary &Summary, 385 llvm::raw_ostream &Out) const override; 386 387 bool describeArgumentValue(const CallEvent &Call, ProgramStateRef State, 388 const Summary &Summary, 389 llvm::raw_ostream &Out) const override; 390 391 ValueConstraintPtr negate() const override { 392 NotNullConstraint Tmp(*this); 393 Tmp.CannotBeNull = !this->CannotBeNull; 394 return std::make_shared<NotNullConstraint>(Tmp); 395 } 396 397 protected: 398 bool checkSpecificValidity(const FunctionDecl *FD) const override { 399 const bool ValidArg = getArgType(FD, ArgN)->isPointerType(); 400 assert(ValidArg && 401 "This constraint should be applied only on a pointer type"); 402 return ValidArg; 403 } 404 }; 405 406 // Represents a buffer argument with an additional size constraint. The 407 // constraint may be a concrete value, or a symbolic value in an argument. 408 // Example 1. Concrete value as the minimum buffer size. 409 // char *asctime_r(const struct tm *restrict tm, char *restrict buf); 410 // // `buf` size must be at least 26 bytes according the POSIX standard. 411 // Example 2. Argument as a buffer size. 412 // ctime_s(char *buffer, rsize_t bufsz, const time_t *time); 413 // Example 3. The size is computed as a multiplication of other args. 414 // size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream); 415 // // Here, ptr is the buffer, and its minimum size is `size * nmemb`. 416 class BufferSizeConstraint : public ValueConstraint { 417 // The concrete value which is the minimum size for the buffer. 418 std::optional<llvm::APSInt> ConcreteSize; 419 // The argument which holds the size of the buffer. 420 std::optional<ArgNo> SizeArgN; 421 // The argument which is a multiplier to size. This is set in case of 422 // `fread` like functions where the size is computed as a multiplication of 423 // two arguments. 424 std::optional<ArgNo> SizeMultiplierArgN; 425 // The operator we use in apply. This is negated in negate(). 426 BinaryOperator::Opcode Op = BO_LE; 427 428 public: 429 BufferSizeConstraint(ArgNo Buffer, llvm::APSInt BufMinSize) 430 : ValueConstraint(Buffer), ConcreteSize(BufMinSize) {} 431 BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize) 432 : ValueConstraint(Buffer), SizeArgN(BufSize) {} 433 BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize, ArgNo BufSizeMultiplier) 434 : ValueConstraint(Buffer), SizeArgN(BufSize), 435 SizeMultiplierArgN(BufSizeMultiplier) {} 436 437 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, 438 const Summary &Summary, 439 CheckerContext &C) const override; 440 441 void describe(DescriptionKind DK, const CallEvent &Call, 442 ProgramStateRef State, const Summary &Summary, 443 llvm::raw_ostream &Out) const override; 444 445 bool describeArgumentValue(const CallEvent &Call, ProgramStateRef State, 446 const Summary &Summary, 447 llvm::raw_ostream &Out) const override; 448 449 std::vector<ArgNo> getArgsToTrack() const override { 450 std::vector<ArgNo> Result{ArgN}; 451 if (SizeArgN) 452 Result.push_back(*SizeArgN); 453 if (SizeMultiplierArgN) 454 Result.push_back(*SizeMultiplierArgN); 455 return Result; 456 } 457 458 ValueConstraintPtr negate() const override { 459 BufferSizeConstraint Tmp(*this); 460 Tmp.Op = BinaryOperator::negateComparisonOp(Op); 461 return std::make_shared<BufferSizeConstraint>(Tmp); 462 } 463 464 protected: 465 bool checkSpecificValidity(const FunctionDecl *FD) const override { 466 const bool ValidArg = getArgType(FD, ArgN)->isPointerType(); 467 assert(ValidArg && 468 "This constraint should be applied only on a pointer type"); 469 return ValidArg; 470 } 471 }; 472 473 /// The complete list of constraints that defines a single branch. 474 using ConstraintSet = std::vector<ValueConstraintPtr>; 475 476 /// Define how a function affects the system variable 'errno'. 477 /// This works together with the \c ErrnoModeling and \c ErrnoChecker classes. 478 /// Currently 3 use cases exist: success, failure, irrelevant. 479 /// In the future the failure case can be customized to set \c errno to a 480 /// more specific constraint (for example > 0), or new case can be added 481 /// for functions which require check of \c errno in both success and failure 482 /// case. 483 class ErrnoConstraintBase { 484 public: 485 /// Apply specific state changes related to the errno variable. 486 virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, 487 const Summary &Summary, 488 CheckerContext &C) const = 0; 489 /// Get a NoteTag about the changes made to 'errno' and the possible bug. 490 /// It may return \c nullptr (if no bug report from \c ErrnoChecker is 491 /// expected). 492 virtual const NoteTag *describe(CheckerContext &C, 493 StringRef FunctionName) const { 494 return nullptr; 495 } 496 497 virtual ~ErrnoConstraintBase() {} 498 499 protected: 500 ErrnoConstraintBase() = default; 501 502 /// This is used for conjure symbol for errno to differentiate from the 503 /// original call expression (same expression is used for the errno symbol). 504 static int Tag; 505 }; 506 507 /// Reset errno constraints to irrelevant. 508 /// This is applicable to functions that may change 'errno' and are not 509 /// modeled elsewhere. 510 class ResetErrnoConstraint : public ErrnoConstraintBase { 511 public: 512 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, 513 const Summary &Summary, 514 CheckerContext &C) const override { 515 return errno_modeling::setErrnoState(State, errno_modeling::Irrelevant); 516 } 517 }; 518 519 /// Do not change errno constraints. 520 /// This is applicable to functions that are modeled in another checker 521 /// and the already set errno constraints should not be changed in the 522 /// post-call event. 523 class NoErrnoConstraint : public ErrnoConstraintBase { 524 public: 525 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, 526 const Summary &Summary, 527 CheckerContext &C) const override { 528 return State; 529 } 530 }; 531 532 /// Set errno constraint at failure cases of standard functions. 533 /// Failure case: 'errno' becomes not equal to 0 and may or may not be checked 534 /// by the program. \c ErrnoChecker does not emit a bug report after such a 535 /// function call. 536 class FailureErrnoConstraint : public ErrnoConstraintBase { 537 public: 538 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, 539 const Summary &Summary, 540 CheckerContext &C) const override { 541 SValBuilder &SVB = C.getSValBuilder(); 542 NonLoc ErrnoSVal = 543 SVB.conjureSymbolVal(&Tag, Call.getOriginExpr(), 544 C.getLocationContext(), C.getASTContext().IntTy, 545 C.blockCount()) 546 .castAs<NonLoc>(); 547 return errno_modeling::setErrnoForStdFailure(State, C, ErrnoSVal); 548 } 549 }; 550 551 /// Set errno constraint at success cases of standard functions. 552 /// Success case: 'errno' is not allowed to be used. 553 /// \c ErrnoChecker can emit bug report after such a function call if errno 554 /// is used. 555 class SuccessErrnoConstraint : public ErrnoConstraintBase { 556 public: 557 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, 558 const Summary &Summary, 559 CheckerContext &C) const override { 560 return errno_modeling::setErrnoForStdSuccess(State, C); 561 } 562 563 const NoteTag *describe(CheckerContext &C, 564 StringRef FunctionName) const override { 565 return errno_modeling::getNoteTagForStdSuccess(C, FunctionName); 566 } 567 }; 568 569 class ErrnoMustBeCheckedConstraint : public ErrnoConstraintBase { 570 public: 571 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, 572 const Summary &Summary, 573 CheckerContext &C) const override { 574 return errno_modeling::setErrnoStdMustBeChecked(State, C, 575 Call.getOriginExpr()); 576 } 577 578 const NoteTag *describe(CheckerContext &C, 579 StringRef FunctionName) const override { 580 return errno_modeling::getNoteTagForStdMustBeChecked(C, FunctionName); 581 } 582 }; 583 584 /// A single branch of a function summary. 585 /// 586 /// A branch is defined by a series of constraints - "assumptions" - 587 /// that together form a single possible outcome of invoking the function. 588 /// When static analyzer considers a branch, it tries to introduce 589 /// a child node in the Exploded Graph. The child node has to include 590 /// constraints that define the branch. If the constraints contradict 591 /// existing constraints in the state, the node is not created and the branch 592 /// is dropped; otherwise it's queued for future exploration. 593 /// The branch is accompanied by a note text that may be displayed 594 /// to the user when a bug is found on a path that takes this branch. 595 /// 596 /// For example, consider the branches in `isalpha(x)`: 597 /// Branch 1) 598 /// x is in range ['A', 'Z'] or in ['a', 'z'] 599 /// then the return value is not 0. (I.e. out-of-range [0, 0]) 600 /// and the note may say "Assuming the character is alphabetical" 601 /// Branch 2) 602 /// x is out-of-range ['A', 'Z'] and out-of-range ['a', 'z'] 603 /// then the return value is 0 604 /// and the note may say "Assuming the character is non-alphabetical". 605 class SummaryCase { 606 ConstraintSet Constraints; 607 const ErrnoConstraintBase &ErrnoConstraint; 608 StringRef Note; 609 610 public: 611 SummaryCase(ConstraintSet &&Constraints, const ErrnoConstraintBase &ErrnoC, 612 StringRef Note) 613 : Constraints(std::move(Constraints)), ErrnoConstraint(ErrnoC), 614 Note(Note) {} 615 616 SummaryCase(const ConstraintSet &Constraints, 617 const ErrnoConstraintBase &ErrnoC, StringRef Note) 618 : Constraints(Constraints), ErrnoConstraint(ErrnoC), Note(Note) {} 619 620 const ConstraintSet &getConstraints() const { return Constraints; } 621 const ErrnoConstraintBase &getErrnoConstraint() const { 622 return ErrnoConstraint; 623 } 624 StringRef getNote() const { return Note; } 625 }; 626 627 using ArgTypes = std::vector<std::optional<QualType>>; 628 using RetType = std::optional<QualType>; 629 630 // A placeholder type, we use it whenever we do not care about the concrete 631 // type in a Signature. 632 const QualType Irrelevant{}; 633 bool static isIrrelevant(QualType T) { return T.isNull(); } 634 635 // The signature of a function we want to describe with a summary. This is a 636 // concessive signature, meaning there may be irrelevant types in the 637 // signature which we do not check against a function with concrete types. 638 // All types in the spec need to be canonical. 639 class Signature { 640 using ArgQualTypes = std::vector<QualType>; 641 ArgQualTypes ArgTys; 642 QualType RetTy; 643 // True if any component type is not found by lookup. 644 bool Invalid = false; 645 646 public: 647 // Construct a signature from optional types. If any of the optional types 648 // are not set then the signature will be invalid. 649 Signature(ArgTypes ArgTys, RetType RetTy) { 650 for (std::optional<QualType> Arg : ArgTys) { 651 if (!Arg) { 652 Invalid = true; 653 return; 654 } else { 655 assertArgTypeSuitableForSignature(*Arg); 656 this->ArgTys.push_back(*Arg); 657 } 658 } 659 if (!RetTy) { 660 Invalid = true; 661 return; 662 } else { 663 assertRetTypeSuitableForSignature(*RetTy); 664 this->RetTy = *RetTy; 665 } 666 } 667 668 bool isInvalid() const { return Invalid; } 669 bool matches(const FunctionDecl *FD) const; 670 671 private: 672 static void assertArgTypeSuitableForSignature(QualType T) { 673 assert((T.isNull() || !T->isVoidType()) && 674 "We should have no void types in the spec"); 675 assert((T.isNull() || T.isCanonical()) && 676 "We should only have canonical types in the spec"); 677 } 678 static void assertRetTypeSuitableForSignature(QualType T) { 679 assert((T.isNull() || T.isCanonical()) && 680 "We should only have canonical types in the spec"); 681 } 682 }; 683 684 static QualType getArgType(const FunctionDecl *FD, ArgNo ArgN) { 685 assert(FD && "Function must be set"); 686 QualType T = (ArgN == Ret) 687 ? FD->getReturnType().getCanonicalType() 688 : FD->getParamDecl(ArgN)->getType().getCanonicalType(); 689 return T; 690 } 691 692 using SummaryCases = std::vector<SummaryCase>; 693 694 /// A summary includes information about 695 /// * function prototype (signature) 696 /// * approach to invalidation, 697 /// * a list of branches - so, a list of list of ranges, 698 /// * a list of argument constraints, that must be true on every branch. 699 /// If these constraints are not satisfied that means a fatal error 700 /// usually resulting in undefined behaviour. 701 /// 702 /// Application of a summary: 703 /// The signature and argument constraints together contain information 704 /// about which functions are handled by the summary. The signature can use 705 /// "wildcards", i.e. Irrelevant types. Irrelevant type of a parameter in 706 /// a signature means that type is not compared to the type of the parameter 707 /// in the found FunctionDecl. Argument constraints may specify additional 708 /// rules for the given parameter's type, those rules are checked once the 709 /// signature is matched. 710 class Summary { 711 const InvalidationKind InvalidationKd; 712 SummaryCases Cases; 713 ConstraintSet ArgConstraints; 714 715 // The function to which the summary applies. This is set after lookup and 716 // match to the signature. 717 const FunctionDecl *FD = nullptr; 718 719 public: 720 Summary(InvalidationKind InvalidationKd) : InvalidationKd(InvalidationKd) {} 721 722 Summary &Case(ConstraintSet &&CS, const ErrnoConstraintBase &ErrnoC, 723 StringRef Note = "") { 724 Cases.push_back(SummaryCase(std::move(CS), ErrnoC, Note)); 725 return *this; 726 } 727 Summary &Case(const ConstraintSet &CS, const ErrnoConstraintBase &ErrnoC, 728 StringRef Note = "") { 729 Cases.push_back(SummaryCase(CS, ErrnoC, Note)); 730 return *this; 731 } 732 Summary &ArgConstraint(ValueConstraintPtr VC) { 733 assert(VC->getArgNo() != Ret && 734 "Arg constraint should not refer to the return value"); 735 ArgConstraints.push_back(VC); 736 return *this; 737 } 738 739 InvalidationKind getInvalidationKd() const { return InvalidationKd; } 740 const SummaryCases &getCases() const { return Cases; } 741 const ConstraintSet &getArgConstraints() const { return ArgConstraints; } 742 743 QualType getArgType(ArgNo ArgN) const { 744 return StdLibraryFunctionsChecker::getArgType(FD, ArgN); 745 } 746 747 // Returns true if the summary should be applied to the given function. 748 // And if yes then store the function declaration. 749 bool matchesAndSet(const Signature &Sign, const FunctionDecl *FD) { 750 bool Result = Sign.matches(FD) && validateByConstraints(FD); 751 if (Result) { 752 assert(!this->FD && "FD must not be set more than once"); 753 this->FD = FD; 754 } 755 return Result; 756 } 757 758 private: 759 // Once we know the exact type of the function then do validation check on 760 // all the given constraints. 761 bool validateByConstraints(const FunctionDecl *FD) const { 762 for (const SummaryCase &Case : Cases) 763 for (const ValueConstraintPtr &Constraint : Case.getConstraints()) 764 if (!Constraint->checkValidity(FD)) 765 return false; 766 for (const ValueConstraintPtr &Constraint : ArgConstraints) 767 if (!Constraint->checkValidity(FD)) 768 return false; 769 return true; 770 } 771 }; 772 773 // The map of all functions supported by the checker. It is initialized 774 // lazily, and it doesn't change after initialization. 775 using FunctionSummaryMapType = llvm::DenseMap<const FunctionDecl *, Summary>; 776 mutable FunctionSummaryMapType FunctionSummaryMap; 777 778 mutable std::unique_ptr<BugType> BT_InvalidArg; 779 mutable bool SummariesInitialized = false; 780 781 static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) { 782 return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN); 783 } 784 static std::string getFunctionName(const CallEvent &Call) { 785 assert(Call.getDecl() && 786 "Call was found by a summary, should have declaration"); 787 return cast<NamedDecl>(Call.getDecl())->getNameAsString(); 788 } 789 790 public: 791 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 792 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 793 bool evalCall(const CallEvent &Call, CheckerContext &C) const; 794 795 CheckerNameRef CheckName; 796 bool AddTestFunctions = false; 797 798 bool DisplayLoadedSummaries = false; 799 bool ModelPOSIX = false; 800 bool ShouldAssumeControlledEnvironment = false; 801 802 private: 803 std::optional<Summary> findFunctionSummary(const FunctionDecl *FD, 804 CheckerContext &C) const; 805 std::optional<Summary> findFunctionSummary(const CallEvent &Call, 806 CheckerContext &C) const; 807 808 void initFunctionSummaries(CheckerContext &C) const; 809 810 void reportBug(const CallEvent &Call, ExplodedNode *N, 811 const ValueConstraint *VC, const ValueConstraint *NegatedVC, 812 const Summary &Summary, CheckerContext &C) const { 813 assert(Call.getDecl() && 814 "Function found in summary must have a declaration available"); 815 SmallString<256> Msg; 816 llvm::raw_svector_ostream MsgOs(Msg); 817 818 MsgOs << "The "; 819 printArgDesc(VC->getArgNo(), MsgOs); 820 MsgOs << " to '" << getFunctionName(Call) << "' "; 821 bool ValuesPrinted = 822 NegatedVC->describeArgumentValue(Call, N->getState(), Summary, MsgOs); 823 if (ValuesPrinted) 824 MsgOs << " but "; 825 else 826 MsgOs << "is out of the accepted range; It "; 827 VC->describe(ValueConstraint::Violation, Call, C.getState(), Summary, 828 MsgOs); 829 Msg[0] = toupper(Msg[0]); 830 if (!BT_InvalidArg) 831 BT_InvalidArg = std::make_unique<BugType>( 832 CheckName, "Function call with invalid argument", 833 categories::LogicError); 834 auto R = std::make_unique<PathSensitiveBugReport>(*BT_InvalidArg, Msg, N); 835 836 for (ArgNo ArgN : VC->getArgsToTrack()) { 837 bugreporter::trackExpressionValue(N, Call.getArgExpr(ArgN), *R); 838 R->markInteresting(Call.getArgSVal(ArgN)); 839 // All tracked arguments are important, highlight them. 840 R->addRange(Call.getArgSourceRange(ArgN)); 841 } 842 843 C.emitReport(std::move(R)); 844 } 845 846 /// These are the errno constraints that can be passed to summary cases. 847 /// One of these should fit for a single summary case. 848 /// Usually if a failure return value exists for function, that function 849 /// needs different cases for success and failure with different errno 850 /// constraints (and different return value constraints). 851 const NoErrnoConstraint ErrnoUnchanged{}; 852 const ResetErrnoConstraint ErrnoIrrelevant{}; 853 const ErrnoMustBeCheckedConstraint ErrnoMustBeChecked{}; 854 const SuccessErrnoConstraint ErrnoMustNotBeChecked{}; 855 const FailureErrnoConstraint ErrnoNEZeroIrrelevant{}; 856 }; 857 858 int StdLibraryFunctionsChecker::ErrnoConstraintBase::Tag = 0; 859 860 const StdLibraryFunctionsChecker::ArgNo StdLibraryFunctionsChecker::Ret = 861 std::numeric_limits<ArgNo>::max(); 862 863 static BasicValueFactory &getBVF(ProgramStateRef State) { 864 ProgramStateManager &Mgr = State->getStateManager(); 865 SValBuilder &SVB = Mgr.getSValBuilder(); 866 return SVB.getBasicValueFactory(); 867 } 868 869 } // end of anonymous namespace 870 871 void StdLibraryFunctionsChecker::printArgDesc( 872 StdLibraryFunctionsChecker::ArgNo ArgN, llvm::raw_ostream &Out) { 873 Out << std::to_string(ArgN + 1); 874 Out << llvm::getOrdinalSuffix(ArgN + 1); 875 Out << " argument"; 876 } 877 878 void StdLibraryFunctionsChecker::printArgValueInfo(ArgNo ArgN, 879 ProgramStateRef State, 880 const CallEvent &Call, 881 llvm::raw_ostream &Out) { 882 if (const llvm::APSInt *Val = 883 State->getStateManager().getSValBuilder().getKnownValue( 884 State, getArgSVal(Call, ArgN))) 885 Out << " (which is " << *Val << ")"; 886 } 887 888 void StdLibraryFunctionsChecker::appendInsideRangeDesc(llvm::APSInt RMin, 889 llvm::APSInt RMax, 890 QualType ArgT, 891 BasicValueFactory &BVF, 892 llvm::raw_ostream &Out) { 893 if (RMin.isZero() && RMax.isZero()) 894 Out << "zero"; 895 else if (RMin == RMax) 896 Out << RMin; 897 else if (RMin == BVF.getMinValue(ArgT)) { 898 if (RMax == -1) 899 Out << "< 0"; 900 else 901 Out << "<= " << RMax; 902 } else if (RMax == BVF.getMaxValue(ArgT)) { 903 if (RMin.isOne()) 904 Out << "> 0"; 905 else 906 Out << ">= " << RMin; 907 } else if (RMin.isNegative() == RMax.isNegative() && 908 RMin.getLimitedValue() == RMax.getLimitedValue() - 1) { 909 Out << RMin << " or " << RMax; 910 } else { 911 Out << "between " << RMin << " and " << RMax; 912 } 913 } 914 915 void StdLibraryFunctionsChecker::appendOutOfRangeDesc(llvm::APSInt RMin, 916 llvm::APSInt RMax, 917 QualType ArgT, 918 BasicValueFactory &BVF, 919 llvm::raw_ostream &Out) { 920 if (RMin.isZero() && RMax.isZero()) 921 Out << "nonzero"; 922 else if (RMin == RMax) { 923 Out << "not equal to " << RMin; 924 } else if (RMin == BVF.getMinValue(ArgT)) { 925 if (RMax == -1) 926 Out << ">= 0"; 927 else 928 Out << "> " << RMax; 929 } else if (RMax == BVF.getMaxValue(ArgT)) { 930 if (RMin.isOne()) 931 Out << "<= 0"; 932 else 933 Out << "< " << RMin; 934 } else if (RMin.isNegative() == RMax.isNegative() && 935 RMin.getLimitedValue() == RMax.getLimitedValue() - 1) { 936 Out << "not " << RMin << " and not " << RMax; 937 } else { 938 Out << "not between " << RMin << " and " << RMax; 939 } 940 } 941 942 void StdLibraryFunctionsChecker::RangeConstraint::applyOnWithinRange( 943 BasicValueFactory &BVF, QualType ArgT, const RangeApplyFunction &F) const { 944 if (Ranges.empty()) 945 return; 946 947 for (auto [Start, End] : getRanges()) { 948 const llvm::APSInt &Min = BVF.getValue(Start, ArgT); 949 const llvm::APSInt &Max = BVF.getValue(End, ArgT); 950 assert(Min <= Max); 951 if (!F(Min, Max)) 952 return; 953 } 954 } 955 956 void StdLibraryFunctionsChecker::RangeConstraint::applyOnOutOfRange( 957 BasicValueFactory &BVF, QualType ArgT, const RangeApplyFunction &F) const { 958 if (Ranges.empty()) 959 return; 960 961 const IntRangeVector &R = getRanges(); 962 size_t E = R.size(); 963 964 const llvm::APSInt &MinusInf = BVF.getMinValue(ArgT); 965 const llvm::APSInt &PlusInf = BVF.getMaxValue(ArgT); 966 967 const llvm::APSInt &RangeLeft = BVF.getValue(R[0].first - 1ULL, ArgT); 968 const llvm::APSInt &RangeRight = BVF.getValue(R[E - 1].second + 1ULL, ArgT); 969 970 // Iterate over the "holes" between intervals. 971 for (size_t I = 1; I != E; ++I) { 972 const llvm::APSInt &Min = BVF.getValue(R[I - 1].second + 1ULL, ArgT); 973 const llvm::APSInt &Max = BVF.getValue(R[I].first - 1ULL, ArgT); 974 if (Min <= Max) { 975 if (!F(Min, Max)) 976 return; 977 } 978 } 979 // Check the interval [T_MIN, min(R) - 1]. 980 if (RangeLeft != PlusInf) { 981 assert(MinusInf <= RangeLeft); 982 if (!F(MinusInf, RangeLeft)) 983 return; 984 } 985 // Check the interval [max(R) + 1, T_MAX], 986 if (RangeRight != MinusInf) { 987 assert(RangeRight <= PlusInf); 988 if (!F(RangeRight, PlusInf)) 989 return; 990 } 991 } 992 993 ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::apply( 994 ProgramStateRef State, const CallEvent &Call, const Summary &Summary, 995 CheckerContext &C) const { 996 ConstraintManager &CM = C.getConstraintManager(); 997 SVal V = getArgSVal(Call, getArgNo()); 998 QualType T = Summary.getArgType(getArgNo()); 999 1000 if (auto N = V.getAs<NonLoc>()) { 1001 auto ExcludeRangeFromArg = [&](const llvm::APSInt &Min, 1002 const llvm::APSInt &Max) { 1003 State = CM.assumeInclusiveRange(State, *N, Min, Max, false); 1004 return static_cast<bool>(State); 1005 }; 1006 // "OutOfRange R" is handled by excluding all ranges in R. 1007 // "WithinRange R" is treated as "OutOfRange [T_MIN, T_MAX] \ R". 1008 applyOnRange(negateKind(Kind), C.getSValBuilder().getBasicValueFactory(), T, 1009 ExcludeRangeFromArg); 1010 } 1011 1012 return State; 1013 } 1014 1015 void StdLibraryFunctionsChecker::RangeConstraint::describe( 1016 DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, 1017 const Summary &Summary, llvm::raw_ostream &Out) const { 1018 1019 BasicValueFactory &BVF = getBVF(State); 1020 QualType T = Summary.getArgType(getArgNo()); 1021 1022 Out << ((DK == Violation) ? "should be " : "is "); 1023 if (!Description.empty()) { 1024 Out << Description; 1025 } else { 1026 unsigned I = Ranges.size(); 1027 if (Kind == WithinRange) { 1028 for (const std::pair<RangeInt, RangeInt> &R : Ranges) { 1029 appendInsideRangeDesc(BVF.getValue(R.first, T), 1030 BVF.getValue(R.second, T), T, BVF, Out); 1031 if (--I > 0) 1032 Out << " or "; 1033 } 1034 } else { 1035 for (const std::pair<RangeInt, RangeInt> &R : Ranges) { 1036 appendOutOfRangeDesc(BVF.getValue(R.first, T), 1037 BVF.getValue(R.second, T), T, BVF, Out); 1038 if (--I > 0) 1039 Out << " and "; 1040 } 1041 } 1042 } 1043 } 1044 1045 bool StdLibraryFunctionsChecker::RangeConstraint::describeArgumentValue( 1046 const CallEvent &Call, ProgramStateRef State, const Summary &Summary, 1047 llvm::raw_ostream &Out) const { 1048 unsigned int NRanges = 0; 1049 bool HaveAllRanges = true; 1050 1051 ProgramStateManager &Mgr = State->getStateManager(); 1052 BasicValueFactory &BVF = Mgr.getSValBuilder().getBasicValueFactory(); 1053 ConstraintManager &CM = Mgr.getConstraintManager(); 1054 SVal V = getArgSVal(Call, getArgNo()); 1055 1056 if (auto N = V.getAs<NonLoc>()) { 1057 if (const llvm::APSInt *Int = N->getAsInteger()) { 1058 Out << "is "; 1059 Out << *Int; 1060 return true; 1061 } 1062 QualType T = Summary.getArgType(getArgNo()); 1063 SmallString<128> MoreInfo; 1064 llvm::raw_svector_ostream MoreInfoOs(MoreInfo); 1065 auto ApplyF = [&](const llvm::APSInt &Min, const llvm::APSInt &Max) { 1066 if (CM.assumeInclusiveRange(State, *N, Min, Max, true)) { 1067 if (NRanges > 0) 1068 MoreInfoOs << " or "; 1069 appendInsideRangeDesc(Min, Max, T, BVF, MoreInfoOs); 1070 ++NRanges; 1071 } else { 1072 HaveAllRanges = false; 1073 } 1074 return true; 1075 }; 1076 1077 applyOnRange(Kind, BVF, T, ApplyF); 1078 assert(NRanges > 0); 1079 if (!HaveAllRanges || NRanges == 1) { 1080 Out << "is "; 1081 Out << MoreInfo; 1082 return true; 1083 } 1084 } 1085 return false; 1086 } 1087 1088 ProgramStateRef StdLibraryFunctionsChecker::ComparisonConstraint::apply( 1089 ProgramStateRef State, const CallEvent &Call, const Summary &Summary, 1090 CheckerContext &C) const { 1091 1092 ProgramStateManager &Mgr = State->getStateManager(); 1093 SValBuilder &SVB = Mgr.getSValBuilder(); 1094 QualType CondT = SVB.getConditionType(); 1095 QualType T = Summary.getArgType(getArgNo()); 1096 SVal V = getArgSVal(Call, getArgNo()); 1097 1098 BinaryOperator::Opcode Op = getOpcode(); 1099 ArgNo OtherArg = getOtherArgNo(); 1100 SVal OtherV = getArgSVal(Call, OtherArg); 1101 QualType OtherT = Summary.getArgType(OtherArg); 1102 // Note: we avoid integral promotion for comparison. 1103 OtherV = SVB.evalCast(OtherV, T, OtherT); 1104 if (auto CompV = SVB.evalBinOp(State, Op, V, OtherV, CondT) 1105 .getAs<DefinedOrUnknownSVal>()) 1106 State = State->assume(*CompV, true); 1107 return State; 1108 } 1109 1110 ProgramStateRef StdLibraryFunctionsChecker::NotNullConstraint::apply( 1111 ProgramStateRef State, const CallEvent &Call, const Summary &Summary, 1112 CheckerContext &C) const { 1113 SVal V = getArgSVal(Call, getArgNo()); 1114 if (V.isUndef()) 1115 return State; 1116 1117 DefinedOrUnknownSVal L = V.castAs<DefinedOrUnknownSVal>(); 1118 if (!isa<Loc>(L)) 1119 return State; 1120 1121 return State->assume(L, CannotBeNull); 1122 } 1123 1124 void StdLibraryFunctionsChecker::NotNullConstraint::describe( 1125 DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, 1126 const Summary &Summary, llvm::raw_ostream &Out) const { 1127 assert(CannotBeNull && 1128 "Describe should not be used when the value must be NULL"); 1129 if (DK == Violation) 1130 Out << "should not be NULL"; 1131 else 1132 Out << "is not NULL"; 1133 } 1134 1135 bool StdLibraryFunctionsChecker::NotNullConstraint::describeArgumentValue( 1136 const CallEvent &Call, ProgramStateRef State, const Summary &Summary, 1137 llvm::raw_ostream &Out) const { 1138 assert(!CannotBeNull && "This function is used when the value is NULL"); 1139 Out << "is NULL"; 1140 return true; 1141 } 1142 1143 ProgramStateRef StdLibraryFunctionsChecker::BufferSizeConstraint::apply( 1144 ProgramStateRef State, const CallEvent &Call, const Summary &Summary, 1145 CheckerContext &C) const { 1146 SValBuilder &SvalBuilder = C.getSValBuilder(); 1147 // The buffer argument. 1148 SVal BufV = getArgSVal(Call, getArgNo()); 1149 1150 // Get the size constraint. 1151 const SVal SizeV = [this, &State, &Call, &Summary, &SvalBuilder]() { 1152 if (ConcreteSize) { 1153 return SVal(SvalBuilder.makeIntVal(*ConcreteSize)); 1154 } 1155 assert(SizeArgN && "The constraint must be either a concrete value or " 1156 "encoded in an argument."); 1157 // The size argument. 1158 SVal SizeV = getArgSVal(Call, *SizeArgN); 1159 // Multiply with another argument if given. 1160 if (SizeMultiplierArgN) { 1161 SVal SizeMulV = getArgSVal(Call, *SizeMultiplierArgN); 1162 SizeV = SvalBuilder.evalBinOp(State, BO_Mul, SizeV, SizeMulV, 1163 Summary.getArgType(*SizeArgN)); 1164 } 1165 return SizeV; 1166 }(); 1167 1168 // The dynamic size of the buffer argument, got from the analyzer engine. 1169 SVal BufDynSize = getDynamicExtentWithOffset(State, BufV); 1170 1171 SVal Feasible = SvalBuilder.evalBinOp(State, Op, SizeV, BufDynSize, 1172 SvalBuilder.getContext().BoolTy); 1173 if (auto F = Feasible.getAs<DefinedOrUnknownSVal>()) 1174 return State->assume(*F, true); 1175 1176 // We can get here only if the size argument or the dynamic size is 1177 // undefined. But the dynamic size should never be undefined, only 1178 // unknown. So, here, the size of the argument is undefined, i.e. we 1179 // cannot apply the constraint. Actually, other checkers like 1180 // CallAndMessage should catch this situation earlier, because we call a 1181 // function with an uninitialized argument. 1182 llvm_unreachable("Size argument or the dynamic size is Undefined"); 1183 } 1184 1185 void StdLibraryFunctionsChecker::BufferSizeConstraint::describe( 1186 DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, 1187 const Summary &Summary, llvm::raw_ostream &Out) const { 1188 Out << ((DK == Violation) ? "should be " : "is "); 1189 Out << "a buffer with size equal to or greater than "; 1190 if (ConcreteSize) { 1191 Out << *ConcreteSize; 1192 } else if (SizeArgN) { 1193 Out << "the value of the "; 1194 printArgDesc(*SizeArgN, Out); 1195 printArgValueInfo(*SizeArgN, State, Call, Out); 1196 if (SizeMultiplierArgN) { 1197 Out << " times the "; 1198 printArgDesc(*SizeMultiplierArgN, Out); 1199 printArgValueInfo(*SizeMultiplierArgN, State, Call, Out); 1200 } 1201 } 1202 } 1203 1204 bool StdLibraryFunctionsChecker::BufferSizeConstraint::describeArgumentValue( 1205 const CallEvent &Call, ProgramStateRef State, const Summary &Summary, 1206 llvm::raw_ostream &Out) const { 1207 SVal BufV = getArgSVal(Call, getArgNo()); 1208 SVal BufDynSize = getDynamicExtentWithOffset(State, BufV); 1209 if (const llvm::APSInt *Val = 1210 State->getStateManager().getSValBuilder().getKnownValue(State, 1211 BufDynSize)) { 1212 Out << "is a buffer with size " << *Val; 1213 return true; 1214 } 1215 return false; 1216 } 1217 1218 void StdLibraryFunctionsChecker::checkPreCall(const CallEvent &Call, 1219 CheckerContext &C) const { 1220 std::optional<Summary> FoundSummary = findFunctionSummary(Call, C); 1221 if (!FoundSummary) 1222 return; 1223 1224 const Summary &Summary = *FoundSummary; 1225 ProgramStateRef State = C.getState(); 1226 1227 ProgramStateRef NewState = State; 1228 ExplodedNode *NewNode = C.getPredecessor(); 1229 for (const ValueConstraintPtr &Constraint : Summary.getArgConstraints()) { 1230 ValueConstraintPtr NegatedConstraint = Constraint->negate(); 1231 ProgramStateRef SuccessSt = Constraint->apply(NewState, Call, Summary, C); 1232 ProgramStateRef FailureSt = 1233 NegatedConstraint->apply(NewState, Call, Summary, C); 1234 // The argument constraint is not satisfied. 1235 if (FailureSt && !SuccessSt) { 1236 if (ExplodedNode *N = C.generateErrorNode(State, NewNode)) 1237 reportBug(Call, N, Constraint.get(), NegatedConstraint.get(), Summary, 1238 C); 1239 break; 1240 } 1241 // We will apply the constraint even if we cannot reason about the 1242 // argument. This means both SuccessSt and FailureSt can be true. If we 1243 // weren't applying the constraint that would mean that symbolic 1244 // execution continues on a code whose behaviour is undefined. 1245 assert(SuccessSt); 1246 NewState = SuccessSt; 1247 if (NewState != State) { 1248 SmallString<128> Msg; 1249 llvm::raw_svector_ostream Os(Msg); 1250 Os << "Assuming that the "; 1251 printArgDesc(Constraint->getArgNo(), Os); 1252 Os << " to '"; 1253 Os << getFunctionName(Call); 1254 Os << "' "; 1255 Constraint->describe(ValueConstraint::Assumption, Call, NewState, Summary, 1256 Os); 1257 const auto ArgSVal = Call.getArgSVal(Constraint->getArgNo()); 1258 NewNode = C.addTransition( 1259 NewState, NewNode, 1260 C.getNoteTag([Msg = std::move(Msg), ArgSVal]( 1261 PathSensitiveBugReport &BR, llvm::raw_ostream &OS) { 1262 if (BR.isInteresting(ArgSVal)) 1263 OS << Msg; 1264 })); 1265 } 1266 } 1267 } 1268 1269 void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call, 1270 CheckerContext &C) const { 1271 std::optional<Summary> FoundSummary = findFunctionSummary(Call, C); 1272 if (!FoundSummary) 1273 return; 1274 1275 // Now apply the constraints. 1276 const Summary &Summary = *FoundSummary; 1277 ProgramStateRef State = C.getState(); 1278 ExplodedNode *Node = C.getPredecessor(); 1279 1280 // Apply case/branch specifications. 1281 for (const SummaryCase &Case : Summary.getCases()) { 1282 ProgramStateRef NewState = State; 1283 for (const ValueConstraintPtr &Constraint : Case.getConstraints()) { 1284 NewState = Constraint->apply(NewState, Call, Summary, C); 1285 if (!NewState) 1286 break; 1287 } 1288 1289 if (NewState) 1290 NewState = Case.getErrnoConstraint().apply(NewState, Call, Summary, C); 1291 1292 if (!NewState) 1293 continue; 1294 1295 // It is possible that NewState == State is true. 1296 // It can occur if another checker has applied the state before us. 1297 // Still add these note tags, the other checker should add only its 1298 // specialized note tags. These general note tags are handled always by 1299 // StdLibraryFunctionsChecker. 1300 ExplodedNode *Pred = Node; 1301 if (!Case.getNote().empty()) { 1302 const SVal RV = Call.getReturnValue(); 1303 // If there is a description for this execution branch (summary case), 1304 // use it as a note tag. 1305 std::string Note = 1306 llvm::formatv(Case.getNote().str().c_str(), 1307 cast<NamedDecl>(Call.getDecl())->getDeclName()); 1308 if (Summary.getInvalidationKd() == EvalCallAsPure) { 1309 const NoteTag *Tag = C.getNoteTag( 1310 [Node, Note, RV](PathSensitiveBugReport &BR) -> std::string { 1311 // Try to omit the note if we know in advance which branch is 1312 // taken (this means, only one branch exists). 1313 // This check is performed inside the lambda, after other 1314 // (or this) checkers had a chance to add other successors. 1315 // Dereferencing the saved node object is valid because it's part 1316 // of a bug report call sequence. 1317 // FIXME: This check is not exact. We may be here after a state 1318 // split that was performed by another checker (and can not find 1319 // the successors). This is why this check is only used in the 1320 // EvalCallAsPure case. 1321 if (BR.isInteresting(RV) && Node->succ_size() > 1) 1322 return Note; 1323 return ""; 1324 }); 1325 Pred = C.addTransition(NewState, Pred, Tag); 1326 } else { 1327 const NoteTag *Tag = 1328 C.getNoteTag([Note, RV](PathSensitiveBugReport &BR) -> std::string { 1329 if (BR.isInteresting(RV)) 1330 return Note; 1331 return ""; 1332 }); 1333 Pred = C.addTransition(NewState, Pred, Tag); 1334 } 1335 if (!Pred) 1336 continue; 1337 } 1338 1339 // If we can get a note tag for the errno change, add this additionally to 1340 // the previous. This note is only about value of 'errno' and is displayed 1341 // if 'errno' is interesting. 1342 if (const auto *D = dyn_cast<FunctionDecl>(Call.getDecl())) 1343 if (const NoteTag *NT = 1344 Case.getErrnoConstraint().describe(C, D->getNameAsString())) 1345 Pred = C.addTransition(NewState, Pred, NT); 1346 1347 // Add the transition if no note tag could be added. 1348 if (Pred == Node && NewState != State) 1349 C.addTransition(NewState); 1350 } 1351 } 1352 1353 bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call, 1354 CheckerContext &C) const { 1355 std::optional<Summary> FoundSummary = findFunctionSummary(Call, C); 1356 if (!FoundSummary) 1357 return false; 1358 1359 const Summary &Summary = *FoundSummary; 1360 switch (Summary.getInvalidationKd()) { 1361 case EvalCallAsPure: { 1362 ProgramStateRef State = C.getState(); 1363 const LocationContext *LC = C.getLocationContext(); 1364 const auto *CE = cast<CallExpr>(Call.getOriginExpr()); 1365 SVal V = C.getSValBuilder().conjureSymbolVal( 1366 CE, LC, CE->getType().getCanonicalType(), C.blockCount()); 1367 State = State->BindExpr(CE, LC, V); 1368 1369 C.addTransition(State); 1370 1371 return true; 1372 } 1373 case NoEvalCall: 1374 // Summary tells us to avoid performing eval::Call. The function is possibly 1375 // evaluated by another checker, or evaluated conservatively. 1376 return false; 1377 } 1378 llvm_unreachable("Unknown invalidation kind!"); 1379 } 1380 1381 bool StdLibraryFunctionsChecker::Signature::matches( 1382 const FunctionDecl *FD) const { 1383 assert(!isInvalid()); 1384 // Check the number of arguments. 1385 if (FD->param_size() != ArgTys.size()) 1386 return false; 1387 1388 // The "restrict" keyword is illegal in C++, however, many libc 1389 // implementations use the "__restrict" compiler intrinsic in functions 1390 // prototypes. The "__restrict" keyword qualifies a type as a restricted type 1391 // even in C++. 1392 // In case of any non-C99 languages, we don't want to match based on the 1393 // restrict qualifier because we cannot know if the given libc implementation 1394 // qualifies the paramter type or not. 1395 auto RemoveRestrict = [&FD](QualType T) { 1396 if (!FD->getASTContext().getLangOpts().C99) 1397 T.removeLocalRestrict(); 1398 return T; 1399 }; 1400 1401 // Check the return type. 1402 if (!isIrrelevant(RetTy)) { 1403 QualType FDRetTy = RemoveRestrict(FD->getReturnType().getCanonicalType()); 1404 if (RetTy != FDRetTy) 1405 return false; 1406 } 1407 1408 // Check the argument types. 1409 for (auto [Idx, ArgTy] : llvm::enumerate(ArgTys)) { 1410 if (isIrrelevant(ArgTy)) 1411 continue; 1412 QualType FDArgTy = 1413 RemoveRestrict(FD->getParamDecl(Idx)->getType().getCanonicalType()); 1414 if (ArgTy != FDArgTy) 1415 return false; 1416 } 1417 1418 return true; 1419 } 1420 1421 std::optional<StdLibraryFunctionsChecker::Summary> 1422 StdLibraryFunctionsChecker::findFunctionSummary(const FunctionDecl *FD, 1423 CheckerContext &C) const { 1424 if (!FD) 1425 return std::nullopt; 1426 1427 initFunctionSummaries(C); 1428 1429 auto FSMI = FunctionSummaryMap.find(FD->getCanonicalDecl()); 1430 if (FSMI == FunctionSummaryMap.end()) 1431 return std::nullopt; 1432 return FSMI->second; 1433 } 1434 1435 std::optional<StdLibraryFunctionsChecker::Summary> 1436 StdLibraryFunctionsChecker::findFunctionSummary(const CallEvent &Call, 1437 CheckerContext &C) const { 1438 const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl()); 1439 if (!FD) 1440 return std::nullopt; 1441 return findFunctionSummary(FD, C); 1442 } 1443 1444 void StdLibraryFunctionsChecker::initFunctionSummaries( 1445 CheckerContext &C) const { 1446 if (SummariesInitialized) 1447 return; 1448 SummariesInitialized = true; 1449 1450 SValBuilder &SVB = C.getSValBuilder(); 1451 BasicValueFactory &BVF = SVB.getBasicValueFactory(); 1452 const ASTContext &ACtx = BVF.getContext(); 1453 Preprocessor &PP = C.getPreprocessor(); 1454 1455 // Helper class to lookup a type by its name. 1456 class LookupType { 1457 const ASTContext &ACtx; 1458 1459 public: 1460 LookupType(const ASTContext &ACtx) : ACtx(ACtx) {} 1461 1462 // Find the type. If not found then the optional is not set. 1463 std::optional<QualType> operator()(StringRef Name) { 1464 IdentifierInfo &II = ACtx.Idents.get(Name); 1465 auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II); 1466 if (LookupRes.empty()) 1467 return std::nullopt; 1468 1469 // Prioritze typedef declarations. 1470 // This is needed in case of C struct typedefs. E.g.: 1471 // typedef struct FILE FILE; 1472 // In this case, we have a RecordDecl 'struct FILE' with the name 'FILE' 1473 // and we have a TypedefDecl with the name 'FILE'. 1474 for (Decl *D : LookupRes) 1475 if (auto *TD = dyn_cast<TypedefNameDecl>(D)) 1476 return ACtx.getTypeDeclType(TD).getCanonicalType(); 1477 1478 // Find the first TypeDecl. 1479 // There maybe cases when a function has the same name as a struct. 1480 // E.g. in POSIX: `struct stat` and the function `stat()`: 1481 // int stat(const char *restrict path, struct stat *restrict buf); 1482 for (Decl *D : LookupRes) 1483 if (auto *TD = dyn_cast<TypeDecl>(D)) 1484 return ACtx.getTypeDeclType(TD).getCanonicalType(); 1485 return std::nullopt; 1486 } 1487 } lookupTy(ACtx); 1488 1489 // Below are auxiliary classes to handle optional types that we get as a 1490 // result of the lookup. 1491 class GetRestrictTy { 1492 const ASTContext &ACtx; 1493 1494 public: 1495 GetRestrictTy(const ASTContext &ACtx) : ACtx(ACtx) {} 1496 QualType operator()(QualType Ty) { 1497 return ACtx.getLangOpts().C99 ? ACtx.getRestrictType(Ty) : Ty; 1498 } 1499 std::optional<QualType> operator()(std::optional<QualType> Ty) { 1500 if (Ty) 1501 return operator()(*Ty); 1502 return std::nullopt; 1503 } 1504 } getRestrictTy(ACtx); 1505 class GetPointerTy { 1506 const ASTContext &ACtx; 1507 1508 public: 1509 GetPointerTy(const ASTContext &ACtx) : ACtx(ACtx) {} 1510 QualType operator()(QualType Ty) { return ACtx.getPointerType(Ty); } 1511 std::optional<QualType> operator()(std::optional<QualType> Ty) { 1512 if (Ty) 1513 return operator()(*Ty); 1514 return std::nullopt; 1515 } 1516 } getPointerTy(ACtx); 1517 class { 1518 public: 1519 std::optional<QualType> operator()(std::optional<QualType> Ty) { 1520 return Ty ? std::optional<QualType>(Ty->withConst()) : std::nullopt; 1521 } 1522 QualType operator()(QualType Ty) { return Ty.withConst(); } 1523 } getConstTy; 1524 class GetMaxValue { 1525 BasicValueFactory &BVF; 1526 1527 public: 1528 GetMaxValue(BasicValueFactory &BVF) : BVF(BVF) {} 1529 std::optional<RangeInt> operator()(QualType Ty) { 1530 return BVF.getMaxValue(Ty).getLimitedValue(); 1531 } 1532 std::optional<RangeInt> operator()(std::optional<QualType> Ty) { 1533 if (Ty) { 1534 return operator()(*Ty); 1535 } 1536 return std::nullopt; 1537 } 1538 } getMaxValue(BVF); 1539 1540 // These types are useful for writing specifications quickly, 1541 // New specifications should probably introduce more types. 1542 // Some types are hard to obtain from the AST, eg. "ssize_t". 1543 // In such cases it should be possible to provide multiple variants 1544 // of function summary for common cases (eg. ssize_t could be int or long 1545 // or long long, so three summary variants would be enough). 1546 // Of course, function variants are also useful for C++ overloads. 1547 const QualType VoidTy = ACtx.VoidTy; 1548 const QualType CharTy = ACtx.CharTy; 1549 const QualType WCharTy = ACtx.WCharTy; 1550 const QualType IntTy = ACtx.IntTy; 1551 const QualType UnsignedIntTy = ACtx.UnsignedIntTy; 1552 const QualType LongTy = ACtx.LongTy; 1553 const QualType SizeTy = ACtx.getSizeType(); 1554 1555 const QualType VoidPtrTy = getPointerTy(VoidTy); // void * 1556 const QualType IntPtrTy = getPointerTy(IntTy); // int * 1557 const QualType UnsignedIntPtrTy = 1558 getPointerTy(UnsignedIntTy); // unsigned int * 1559 const QualType VoidPtrRestrictTy = getRestrictTy(VoidPtrTy); 1560 const QualType ConstVoidPtrTy = 1561 getPointerTy(getConstTy(VoidTy)); // const void * 1562 const QualType CharPtrTy = getPointerTy(CharTy); // char * 1563 const QualType CharPtrRestrictTy = getRestrictTy(CharPtrTy); 1564 const QualType ConstCharPtrTy = 1565 getPointerTy(getConstTy(CharTy)); // const char * 1566 const QualType ConstCharPtrRestrictTy = getRestrictTy(ConstCharPtrTy); 1567 const QualType Wchar_tPtrTy = getPointerTy(WCharTy); // wchar_t * 1568 const QualType ConstWchar_tPtrTy = 1569 getPointerTy(getConstTy(WCharTy)); // const wchar_t * 1570 const QualType ConstVoidPtrRestrictTy = getRestrictTy(ConstVoidPtrTy); 1571 const QualType SizePtrTy = getPointerTy(SizeTy); 1572 const QualType SizePtrRestrictTy = getRestrictTy(SizePtrTy); 1573 1574 const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue(); 1575 const RangeInt UnsignedIntMax = 1576 BVF.getMaxValue(UnsignedIntTy).getLimitedValue(); 1577 const RangeInt LongMax = BVF.getMaxValue(LongTy).getLimitedValue(); 1578 const RangeInt SizeMax = BVF.getMaxValue(SizeTy).getLimitedValue(); 1579 1580 // Set UCharRangeMax to min of int or uchar maximum value. 1581 // The C standard states that the arguments of functions like isalpha must 1582 // be representable as an unsigned char. Their type is 'int', so the max 1583 // value of the argument should be min(UCharMax, IntMax). This just happen 1584 // to be true for commonly used and well tested instruction set 1585 // architectures, but not for others. 1586 const RangeInt UCharRangeMax = 1587 std::min(BVF.getMaxValue(ACtx.UnsignedCharTy).getLimitedValue(), IntMax); 1588 1589 // Get platform dependent values of some macros. 1590 // Try our best to parse this from the Preprocessor, otherwise fallback to a 1591 // default value (what is found in a library header). 1592 const auto EOFv = tryExpandAsInteger("EOF", PP).value_or(-1); 1593 const auto AT_FDCWDv = tryExpandAsInteger("AT_FDCWD", PP).value_or(-100); 1594 1595 // Auxiliary class to aid adding summaries to the summary map. 1596 struct AddToFunctionSummaryMap { 1597 const ASTContext &ACtx; 1598 FunctionSummaryMapType ⤅ 1599 bool DisplayLoadedSummaries; 1600 AddToFunctionSummaryMap(const ASTContext &ACtx, FunctionSummaryMapType &FSM, 1601 bool DisplayLoadedSummaries) 1602 : ACtx(ACtx), Map(FSM), DisplayLoadedSummaries(DisplayLoadedSummaries) { 1603 } 1604 1605 // Add a summary to a FunctionDecl found by lookup. The lookup is performed 1606 // by the given Name, and in the global scope. The summary will be attached 1607 // to the found FunctionDecl only if the signatures match. 1608 // 1609 // Returns true if the summary has been added, false otherwise. 1610 bool operator()(StringRef Name, Signature Sign, Summary Sum) { 1611 if (Sign.isInvalid()) 1612 return false; 1613 IdentifierInfo &II = ACtx.Idents.get(Name); 1614 auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II); 1615 if (LookupRes.empty()) 1616 return false; 1617 for (Decl *D : LookupRes) { 1618 if (auto *FD = dyn_cast<FunctionDecl>(D)) { 1619 if (Sum.matchesAndSet(Sign, FD)) { 1620 auto Res = Map.insert({FD->getCanonicalDecl(), Sum}); 1621 assert(Res.second && "Function already has a summary set!"); 1622 (void)Res; 1623 if (DisplayLoadedSummaries) { 1624 llvm::errs() << "Loaded summary for: "; 1625 FD->print(llvm::errs()); 1626 llvm::errs() << "\n"; 1627 } 1628 return true; 1629 } 1630 } 1631 } 1632 return false; 1633 } 1634 // Add the same summary for different names with the Signature explicitly 1635 // given. 1636 void operator()(std::vector<StringRef> Names, Signature Sign, Summary Sum) { 1637 for (StringRef Name : Names) 1638 operator()(Name, Sign, Sum); 1639 } 1640 } addToFunctionSummaryMap(ACtx, FunctionSummaryMap, DisplayLoadedSummaries); 1641 1642 // Below are helpers functions to create the summaries. 1643 auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind, IntRangeVector Ranges, 1644 StringRef Desc = "") { 1645 return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges, Desc); 1646 }; 1647 auto BufferSize = [](auto... Args) { 1648 return std::make_shared<BufferSizeConstraint>(Args...); 1649 }; 1650 struct { 1651 auto operator()(RangeKind Kind, IntRangeVector Ranges) { 1652 return std::make_shared<RangeConstraint>(Ret, Kind, Ranges); 1653 } 1654 auto operator()(BinaryOperator::Opcode Op, ArgNo OtherArgN) { 1655 return std::make_shared<ComparisonConstraint>(Ret, Op, OtherArgN); 1656 } 1657 } ReturnValueCondition; 1658 struct { 1659 auto operator()(RangeInt b, RangeInt e) { 1660 return IntRangeVector{std::pair<RangeInt, RangeInt>{b, e}}; 1661 } 1662 auto operator()(RangeInt b, std::optional<RangeInt> e) { 1663 if (e) 1664 return IntRangeVector{std::pair<RangeInt, RangeInt>{b, *e}}; 1665 return IntRangeVector{}; 1666 } 1667 auto operator()(std::pair<RangeInt, RangeInt> i0, 1668 std::pair<RangeInt, std::optional<RangeInt>> i1) { 1669 if (i1.second) 1670 return IntRangeVector{i0, {i1.first, *(i1.second)}}; 1671 return IntRangeVector{i0}; 1672 } 1673 } Range; 1674 auto SingleValue = [](RangeInt v) { 1675 return IntRangeVector{std::pair<RangeInt, RangeInt>{v, v}}; 1676 }; 1677 auto LessThanOrEq = BO_LE; 1678 auto NotNull = [&](ArgNo ArgN) { 1679 return std::make_shared<NotNullConstraint>(ArgN); 1680 }; 1681 auto IsNull = [&](ArgNo ArgN) { 1682 return std::make_shared<NotNullConstraint>(ArgN, false); 1683 }; 1684 1685 std::optional<QualType> FileTy = lookupTy("FILE"); 1686 std::optional<QualType> FilePtrTy = getPointerTy(FileTy); 1687 std::optional<QualType> FilePtrRestrictTy = getRestrictTy(FilePtrTy); 1688 1689 std::optional<QualType> FPosTTy = lookupTy("fpos_t"); 1690 std::optional<QualType> FPosTPtrTy = getPointerTy(FPosTTy); 1691 std::optional<QualType> ConstFPosTPtrTy = getPointerTy(getConstTy(FPosTTy)); 1692 std::optional<QualType> FPosTPtrRestrictTy = getRestrictTy(FPosTPtrTy); 1693 1694 constexpr llvm::StringLiteral GenericSuccessMsg( 1695 "Assuming that '{0}' is successful"); 1696 constexpr llvm::StringLiteral GenericFailureMsg("Assuming that '{0}' fails"); 1697 1698 // We are finally ready to define specifications for all supported functions. 1699 // 1700 // Argument ranges should always cover all variants. If return value 1701 // is completely unknown, omit it from the respective range set. 1702 // 1703 // Every item in the list of range sets represents a particular 1704 // execution path the analyzer would need to explore once 1705 // the call is modeled - a new program state is constructed 1706 // for every range set, and each range line in the range set 1707 // corresponds to a specific constraint within this state. 1708 1709 // The isascii() family of functions. 1710 // The behavior is undefined if the value of the argument is not 1711 // representable as unsigned char or is not equal to EOF. See e.g. C99 1712 // 7.4.1.2 The isalpha function (p: 181-182). 1713 addToFunctionSummaryMap( 1714 "isalnum", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1715 Summary(EvalCallAsPure) 1716 // Boils down to isupper() or islower() or isdigit(). 1717 .Case({ArgumentCondition(0U, WithinRange, 1718 {{'0', '9'}, {'A', 'Z'}, {'a', 'z'}}), 1719 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1720 ErrnoIrrelevant, "Assuming the character is alphanumeric") 1721 // The locale-specific range. 1722 // No post-condition. We are completely unaware of 1723 // locale-specific return values. 1724 .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, 1725 ErrnoIrrelevant) 1726 .Case( 1727 {ArgumentCondition( 1728 0U, OutOfRange, 1729 {{'0', '9'}, {'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}), 1730 ReturnValueCondition(WithinRange, SingleValue(0))}, 1731 ErrnoIrrelevant, "Assuming the character is non-alphanumeric") 1732 .ArgConstraint(ArgumentCondition(0U, WithinRange, 1733 {{EOFv, EOFv}, {0, UCharRangeMax}}, 1734 "an unsigned char value or EOF"))); 1735 addToFunctionSummaryMap( 1736 "isalpha", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1737 Summary(EvalCallAsPure) 1738 .Case({ArgumentCondition(0U, WithinRange, {{'A', 'Z'}, {'a', 'z'}}), 1739 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1740 ErrnoIrrelevant, "Assuming the character is alphabetical") 1741 // The locale-specific range. 1742 .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, 1743 ErrnoIrrelevant) 1744 .Case({ArgumentCondition( 1745 0U, OutOfRange, 1746 {{'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}), 1747 ReturnValueCondition(WithinRange, SingleValue(0))}, 1748 ErrnoIrrelevant, "Assuming the character is non-alphabetical")); 1749 addToFunctionSummaryMap( 1750 "isascii", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1751 Summary(EvalCallAsPure) 1752 .Case({ArgumentCondition(0U, WithinRange, Range(0, 127)), 1753 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1754 ErrnoIrrelevant, "Assuming the character is an ASCII character") 1755 .Case({ArgumentCondition(0U, OutOfRange, Range(0, 127)), 1756 ReturnValueCondition(WithinRange, SingleValue(0))}, 1757 ErrnoIrrelevant, 1758 "Assuming the character is not an ASCII character")); 1759 addToFunctionSummaryMap( 1760 "isblank", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1761 Summary(EvalCallAsPure) 1762 .Case({ArgumentCondition(0U, WithinRange, {{'\t', '\t'}, {' ', ' '}}), 1763 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1764 ErrnoIrrelevant, "Assuming the character is a blank character") 1765 .Case({ArgumentCondition(0U, OutOfRange, {{'\t', '\t'}, {' ', ' '}}), 1766 ReturnValueCondition(WithinRange, SingleValue(0))}, 1767 ErrnoIrrelevant, 1768 "Assuming the character is not a blank character")); 1769 addToFunctionSummaryMap( 1770 "iscntrl", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1771 Summary(EvalCallAsPure) 1772 .Case({ArgumentCondition(0U, WithinRange, {{0, 32}, {127, 127}}), 1773 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1774 ErrnoIrrelevant, 1775 "Assuming the character is a control character") 1776 .Case({ArgumentCondition(0U, OutOfRange, {{0, 32}, {127, 127}}), 1777 ReturnValueCondition(WithinRange, SingleValue(0))}, 1778 ErrnoIrrelevant, 1779 "Assuming the character is not a control character")); 1780 addToFunctionSummaryMap( 1781 "isdigit", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1782 Summary(EvalCallAsPure) 1783 .Case({ArgumentCondition(0U, WithinRange, Range('0', '9')), 1784 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1785 ErrnoIrrelevant, "Assuming the character is a digit") 1786 .Case({ArgumentCondition(0U, OutOfRange, Range('0', '9')), 1787 ReturnValueCondition(WithinRange, SingleValue(0))}, 1788 ErrnoIrrelevant, "Assuming the character is not a digit")); 1789 addToFunctionSummaryMap( 1790 "isgraph", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1791 Summary(EvalCallAsPure) 1792 .Case({ArgumentCondition(0U, WithinRange, Range(33, 126)), 1793 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1794 ErrnoIrrelevant, 1795 "Assuming the character has graphical representation") 1796 .Case( 1797 {ArgumentCondition(0U, OutOfRange, Range(33, 126)), 1798 ReturnValueCondition(WithinRange, SingleValue(0))}, 1799 ErrnoIrrelevant, 1800 "Assuming the character does not have graphical representation")); 1801 addToFunctionSummaryMap( 1802 "islower", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1803 Summary(EvalCallAsPure) 1804 // Is certainly lowercase. 1805 .Case({ArgumentCondition(0U, WithinRange, Range('a', 'z')), 1806 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1807 ErrnoIrrelevant, "Assuming the character is a lowercase letter") 1808 // Is ascii but not lowercase. 1809 .Case({ArgumentCondition(0U, WithinRange, Range(0, 127)), 1810 ArgumentCondition(0U, OutOfRange, Range('a', 'z')), 1811 ReturnValueCondition(WithinRange, SingleValue(0))}, 1812 ErrnoIrrelevant, 1813 "Assuming the character is not a lowercase letter") 1814 // The locale-specific range. 1815 .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, 1816 ErrnoIrrelevant) 1817 // Is not an unsigned char. 1818 .Case({ArgumentCondition(0U, OutOfRange, Range(0, UCharRangeMax)), 1819 ReturnValueCondition(WithinRange, SingleValue(0))}, 1820 ErrnoIrrelevant)); 1821 addToFunctionSummaryMap( 1822 "isprint", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1823 Summary(EvalCallAsPure) 1824 .Case({ArgumentCondition(0U, WithinRange, Range(32, 126)), 1825 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1826 ErrnoIrrelevant, "Assuming the character is printable") 1827 .Case({ArgumentCondition(0U, OutOfRange, Range(32, 126)), 1828 ReturnValueCondition(WithinRange, SingleValue(0))}, 1829 ErrnoIrrelevant, "Assuming the character is non-printable")); 1830 addToFunctionSummaryMap( 1831 "ispunct", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1832 Summary(EvalCallAsPure) 1833 .Case({ArgumentCondition( 1834 0U, WithinRange, 1835 {{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}), 1836 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1837 ErrnoIrrelevant, "Assuming the character is a punctuation mark") 1838 .Case({ArgumentCondition( 1839 0U, OutOfRange, 1840 {{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}), 1841 ReturnValueCondition(WithinRange, SingleValue(0))}, 1842 ErrnoIrrelevant, 1843 "Assuming the character is not a punctuation mark")); 1844 addToFunctionSummaryMap( 1845 "isspace", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1846 Summary(EvalCallAsPure) 1847 // Space, '\f', '\n', '\r', '\t', '\v'. 1848 .Case({ArgumentCondition(0U, WithinRange, {{9, 13}, {' ', ' '}}), 1849 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1850 ErrnoIrrelevant, 1851 "Assuming the character is a whitespace character") 1852 // The locale-specific range. 1853 .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, 1854 ErrnoIrrelevant) 1855 .Case({ArgumentCondition(0U, OutOfRange, 1856 {{9, 13}, {' ', ' '}, {128, UCharRangeMax}}), 1857 ReturnValueCondition(WithinRange, SingleValue(0))}, 1858 ErrnoIrrelevant, 1859 "Assuming the character is not a whitespace character")); 1860 addToFunctionSummaryMap( 1861 "isupper", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1862 Summary(EvalCallAsPure) 1863 // Is certainly uppercase. 1864 .Case({ArgumentCondition(0U, WithinRange, Range('A', 'Z')), 1865 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1866 ErrnoIrrelevant, 1867 "Assuming the character is an uppercase letter") 1868 // The locale-specific range. 1869 .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, 1870 ErrnoIrrelevant) 1871 // Other. 1872 .Case({ArgumentCondition(0U, OutOfRange, 1873 {{'A', 'Z'}, {128, UCharRangeMax}}), 1874 ReturnValueCondition(WithinRange, SingleValue(0))}, 1875 ErrnoIrrelevant, 1876 "Assuming the character is not an uppercase letter")); 1877 addToFunctionSummaryMap( 1878 "isxdigit", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1879 Summary(EvalCallAsPure) 1880 .Case({ArgumentCondition(0U, WithinRange, 1881 {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}), 1882 ReturnValueCondition(OutOfRange, SingleValue(0))}, 1883 ErrnoIrrelevant, 1884 "Assuming the character is a hexadecimal digit") 1885 .Case({ArgumentCondition(0U, OutOfRange, 1886 {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}), 1887 ReturnValueCondition(WithinRange, SingleValue(0))}, 1888 ErrnoIrrelevant, 1889 "Assuming the character is not a hexadecimal digit")); 1890 addToFunctionSummaryMap( 1891 "toupper", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1892 Summary(EvalCallAsPure) 1893 .ArgConstraint(ArgumentCondition(0U, WithinRange, 1894 {{EOFv, EOFv}, {0, UCharRangeMax}}, 1895 "an unsigned char value or EOF"))); 1896 addToFunctionSummaryMap( 1897 "tolower", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1898 Summary(EvalCallAsPure) 1899 .ArgConstraint(ArgumentCondition(0U, WithinRange, 1900 {{EOFv, EOFv}, {0, UCharRangeMax}}, 1901 "an unsigned char value or EOF"))); 1902 addToFunctionSummaryMap( 1903 "toascii", Signature(ArgTypes{IntTy}, RetType{IntTy}), 1904 Summary(EvalCallAsPure) 1905 .ArgConstraint(ArgumentCondition(0U, WithinRange, 1906 {{EOFv, EOFv}, {0, UCharRangeMax}}, 1907 "an unsigned char value or EOF"))); 1908 1909 // The getc() family of functions that returns either a char or an EOF. 1910 addToFunctionSummaryMap( 1911 {"getc", "fgetc"}, Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), 1912 Summary(NoEvalCall) 1913 .Case({ReturnValueCondition(WithinRange, 1914 {{EOFv, EOFv}, {0, UCharRangeMax}})}, 1915 ErrnoIrrelevant)); 1916 addToFunctionSummaryMap( 1917 "getchar", Signature(ArgTypes{}, RetType{IntTy}), 1918 Summary(NoEvalCall) 1919 .Case({ReturnValueCondition(WithinRange, 1920 {{EOFv, EOFv}, {0, UCharRangeMax}})}, 1921 ErrnoIrrelevant)); 1922 1923 // read()-like functions that never return more than buffer size. 1924 auto FreadSummary = 1925 Summary(NoEvalCall) 1926 .Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)), 1927 ArgumentCondition(2U, WithinRange, Range(1, SizeMax)), 1928 ReturnValueCondition(BO_LT, ArgNo(2)), 1929 ReturnValueCondition(WithinRange, Range(0, SizeMax))}, 1930 ErrnoNEZeroIrrelevant, GenericFailureMsg) 1931 .Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)), 1932 ReturnValueCondition(BO_EQ, ArgNo(2)), 1933 ReturnValueCondition(WithinRange, Range(0, SizeMax))}, 1934 ErrnoMustNotBeChecked, GenericSuccessMsg) 1935 .Case({ArgumentCondition(1U, WithinRange, SingleValue(0)), 1936 ReturnValueCondition(WithinRange, SingleValue(0))}, 1937 ErrnoMustNotBeChecked, GenericSuccessMsg) 1938 .ArgConstraint(NotNull(ArgNo(0))) 1939 .ArgConstraint(NotNull(ArgNo(3))) 1940 // FIXME: It should be allowed to have a null buffer if any of 1941 // args 1 or 2 are zero. Remove NotNull check of arg 0, add a check 1942 // for non-null buffer if non-zero size to BufferSizeConstraint? 1943 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1), 1944 /*BufSizeMultiplier=*/ArgNo(2))); 1945 1946 // size_t fread(void *restrict ptr, size_t size, size_t nitems, 1947 // FILE *restrict stream); 1948 addToFunctionSummaryMap( 1949 "fread", 1950 Signature(ArgTypes{VoidPtrRestrictTy, SizeTy, SizeTy, FilePtrRestrictTy}, 1951 RetType{SizeTy}), 1952 FreadSummary); 1953 // size_t fwrite(const void *restrict ptr, size_t size, size_t nitems, 1954 // FILE *restrict stream); 1955 addToFunctionSummaryMap("fwrite", 1956 Signature(ArgTypes{ConstVoidPtrRestrictTy, SizeTy, 1957 SizeTy, FilePtrRestrictTy}, 1958 RetType{SizeTy}), 1959 FreadSummary); 1960 1961 std::optional<QualType> Ssize_tTy = lookupTy("ssize_t"); 1962 std::optional<RangeInt> Ssize_tMax = getMaxValue(Ssize_tTy); 1963 1964 auto ReadSummary = 1965 Summary(NoEvalCall) 1966 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), 1967 ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))}, 1968 ErrnoIrrelevant); 1969 1970 // FIXME these are actually defined by POSIX and not by the C standard, we 1971 // should handle them together with the rest of the POSIX functions. 1972 // ssize_t read(int fildes, void *buf, size_t nbyte); 1973 addToFunctionSummaryMap( 1974 "read", Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy}, RetType{Ssize_tTy}), 1975 ReadSummary); 1976 // ssize_t write(int fildes, const void *buf, size_t nbyte); 1977 addToFunctionSummaryMap( 1978 "write", 1979 Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy}, RetType{Ssize_tTy}), 1980 ReadSummary); 1981 1982 auto GetLineSummary = 1983 Summary(NoEvalCall) 1984 .Case({ReturnValueCondition(WithinRange, 1985 Range({-1, -1}, {1, Ssize_tMax}))}, 1986 ErrnoIrrelevant); 1987 1988 QualType CharPtrPtrRestrictTy = getRestrictTy(getPointerTy(CharPtrTy)); 1989 1990 // getline()-like functions either fail or read at least the delimiter. 1991 // FIXME these are actually defined by POSIX and not by the C standard, we 1992 // should handle them together with the rest of the POSIX functions. 1993 // ssize_t getline(char **restrict lineptr, size_t *restrict n, 1994 // FILE *restrict stream); 1995 addToFunctionSummaryMap( 1996 "getline", 1997 Signature( 1998 ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, FilePtrRestrictTy}, 1999 RetType{Ssize_tTy}), 2000 GetLineSummary); 2001 // ssize_t getdelim(char **restrict lineptr, size_t *restrict n, 2002 // int delimiter, FILE *restrict stream); 2003 addToFunctionSummaryMap( 2004 "getdelim", 2005 Signature(ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, IntTy, 2006 FilePtrRestrictTy}, 2007 RetType{Ssize_tTy}), 2008 GetLineSummary); 2009 2010 { 2011 Summary GetenvSummary = 2012 Summary(NoEvalCall) 2013 .ArgConstraint(NotNull(ArgNo(0))) 2014 .Case({NotNull(Ret)}, ErrnoIrrelevant, 2015 "Assuming the environment variable exists"); 2016 // In untrusted environments the envvar might not exist. 2017 if (!ShouldAssumeControlledEnvironment) 2018 GetenvSummary.Case({NotNull(Ret)->negate()}, ErrnoIrrelevant, 2019 "Assuming the environment variable does not exist"); 2020 2021 // char *getenv(const char *name); 2022 addToFunctionSummaryMap( 2023 "getenv", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}), 2024 std::move(GetenvSummary)); 2025 } 2026 2027 if (ModelPOSIX) { 2028 const auto ReturnsZeroOrMinusOne = 2029 ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, 0))}; 2030 const auto ReturnsZero = 2031 ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(0))}; 2032 const auto ReturnsMinusOne = 2033 ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(-1))}; 2034 const auto ReturnsNonnegative = 2035 ConstraintSet{ReturnValueCondition(WithinRange, Range(0, IntMax))}; 2036 const auto ReturnsNonZero = 2037 ConstraintSet{ReturnValueCondition(OutOfRange, SingleValue(0))}; 2038 const auto ReturnsFileDescriptor = 2039 ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, IntMax))}; 2040 const auto &ReturnsValidFileDescriptor = ReturnsNonnegative; 2041 2042 auto ValidFileDescriptorOrAtFdcwd = [&](ArgNo ArgN) { 2043 return std::make_shared<RangeConstraint>( 2044 ArgN, WithinRange, Range({AT_FDCWDv, AT_FDCWDv}, {0, IntMax}), 2045 "a valid file descriptor or AT_FDCWD"); 2046 }; 2047 2048 // FILE *fopen(const char *restrict pathname, const char *restrict mode); 2049 addToFunctionSummaryMap( 2050 "fopen", 2051 Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy}, 2052 RetType{FilePtrTy}), 2053 Summary(NoEvalCall) 2054 .Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg) 2055 .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2056 .ArgConstraint(NotNull(ArgNo(0))) 2057 .ArgConstraint(NotNull(ArgNo(1)))); 2058 2059 // FILE *tmpfile(void); 2060 addToFunctionSummaryMap( 2061 "tmpfile", Signature(ArgTypes{}, RetType{FilePtrTy}), 2062 Summary(NoEvalCall) 2063 .Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg) 2064 .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg)); 2065 2066 // FILE *freopen(const char *restrict pathname, const char *restrict mode, 2067 // FILE *restrict stream); 2068 addToFunctionSummaryMap( 2069 "freopen", 2070 Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy, 2071 FilePtrRestrictTy}, 2072 RetType{FilePtrTy}), 2073 Summary(NoEvalCall) 2074 .Case({ReturnValueCondition(BO_EQ, ArgNo(2))}, 2075 ErrnoMustNotBeChecked, GenericSuccessMsg) 2076 .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2077 .ArgConstraint(NotNull(ArgNo(1))) 2078 .ArgConstraint(NotNull(ArgNo(2)))); 2079 2080 // int fclose(FILE *stream); 2081 addToFunctionSummaryMap( 2082 "fclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), 2083 Summary(NoEvalCall) 2084 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2085 .Case({ReturnValueCondition(WithinRange, SingleValue(EOFv))}, 2086 ErrnoNEZeroIrrelevant, GenericFailureMsg) 2087 .ArgConstraint(NotNull(ArgNo(0)))); 2088 2089 // int fseek(FILE *stream, long offset, int whence); 2090 // FIXME: It can be possible to get the 'SEEK_' values (like EOFv) and use 2091 // these for condition of arg 2. 2092 // Now the range [0,2] is used (the `SEEK_*` constants are usually 0,1,2). 2093 addToFunctionSummaryMap( 2094 "fseek", Signature(ArgTypes{FilePtrTy, LongTy, IntTy}, RetType{IntTy}), 2095 Summary(NoEvalCall) 2096 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2097 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2098 .ArgConstraint(NotNull(ArgNo(0))) 2099 .ArgConstraint(ArgumentCondition(2, WithinRange, {{0, 2}}))); 2100 2101 // int fgetpos(FILE *restrict stream, fpos_t *restrict pos); 2102 // From 'The Open Group Base Specifications Issue 7, 2018 edition': 2103 // "The fgetpos() function shall not change the setting of errno if 2104 // successful." 2105 addToFunctionSummaryMap( 2106 "fgetpos", 2107 Signature(ArgTypes{FilePtrRestrictTy, FPosTPtrRestrictTy}, 2108 RetType{IntTy}), 2109 Summary(NoEvalCall) 2110 .Case(ReturnsZero, ErrnoUnchanged, GenericSuccessMsg) 2111 .Case(ReturnsNonZero, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2112 .ArgConstraint(NotNull(ArgNo(0))) 2113 .ArgConstraint(NotNull(ArgNo(1)))); 2114 2115 // int fsetpos(FILE *stream, const fpos_t *pos); 2116 // From 'The Open Group Base Specifications Issue 7, 2018 edition': 2117 // "The fsetpos() function shall not change the setting of errno if 2118 // successful." 2119 addToFunctionSummaryMap( 2120 "fsetpos", 2121 Signature(ArgTypes{FilePtrTy, ConstFPosTPtrTy}, RetType{IntTy}), 2122 Summary(NoEvalCall) 2123 .Case(ReturnsZero, ErrnoUnchanged, GenericSuccessMsg) 2124 .Case(ReturnsNonZero, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2125 .ArgConstraint(NotNull(ArgNo(0))) 2126 .ArgConstraint(NotNull(ArgNo(1)))); 2127 2128 // long ftell(FILE *stream); 2129 // From 'The Open Group Base Specifications Issue 7, 2018 edition': 2130 // "The ftell() function shall not change the setting of errno if 2131 // successful." 2132 addToFunctionSummaryMap( 2133 "ftell", Signature(ArgTypes{FilePtrTy}, RetType{LongTy}), 2134 Summary(NoEvalCall) 2135 .Case({ReturnValueCondition(WithinRange, Range(1, LongMax))}, 2136 ErrnoUnchanged, GenericSuccessMsg) 2137 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2138 .ArgConstraint(NotNull(ArgNo(0)))); 2139 2140 // int fileno(FILE *stream); 2141 addToFunctionSummaryMap( 2142 "fileno", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), 2143 Summary(NoEvalCall) 2144 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, 2145 GenericSuccessMsg) 2146 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2147 .ArgConstraint(NotNull(ArgNo(0)))); 2148 2149 // void rewind(FILE *stream); 2150 // This function indicates error only by setting of 'errno'. 2151 addToFunctionSummaryMap("rewind", 2152 Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}), 2153 Summary(NoEvalCall) 2154 .Case({}, ErrnoMustBeChecked) 2155 .ArgConstraint(NotNull(ArgNo(0)))); 2156 2157 // void clearerr(FILE *stream); 2158 addToFunctionSummaryMap( 2159 "clearerr", Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}), 2160 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2161 2162 // int feof(FILE *stream); 2163 addToFunctionSummaryMap( 2164 "feof", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), 2165 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2166 2167 // int ferror(FILE *stream); 2168 addToFunctionSummaryMap( 2169 "ferror", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), 2170 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2171 2172 // long a64l(const char *str64); 2173 addToFunctionSummaryMap( 2174 "a64l", Signature(ArgTypes{ConstCharPtrTy}, RetType{LongTy}), 2175 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2176 2177 // char *l64a(long value); 2178 addToFunctionSummaryMap("l64a", 2179 Signature(ArgTypes{LongTy}, RetType{CharPtrTy}), 2180 Summary(NoEvalCall) 2181 .ArgConstraint(ArgumentCondition( 2182 0, WithinRange, Range(0, LongMax)))); 2183 2184 // int open(const char *path, int oflag, ...); 2185 addToFunctionSummaryMap( 2186 "open", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{IntTy}), 2187 Summary(NoEvalCall) 2188 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, 2189 GenericSuccessMsg) 2190 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2191 .ArgConstraint(NotNull(ArgNo(0)))); 2192 2193 // int openat(int fd, const char *path, int oflag, ...); 2194 addToFunctionSummaryMap( 2195 "openat", 2196 Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy}, RetType{IntTy}), 2197 Summary(NoEvalCall) 2198 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, 2199 GenericSuccessMsg) 2200 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2201 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) 2202 .ArgConstraint(NotNull(ArgNo(1)))); 2203 2204 // int access(const char *pathname, int amode); 2205 addToFunctionSummaryMap( 2206 "access", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{IntTy}), 2207 Summary(NoEvalCall) 2208 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2209 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2210 .ArgConstraint(NotNull(ArgNo(0)))); 2211 2212 // int faccessat(int dirfd, const char *pathname, int mode, int flags); 2213 addToFunctionSummaryMap( 2214 "faccessat", 2215 Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, IntTy}, 2216 RetType{IntTy}), 2217 Summary(NoEvalCall) 2218 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2219 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2220 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) 2221 .ArgConstraint(NotNull(ArgNo(1)))); 2222 2223 // int dup(int fildes); 2224 addToFunctionSummaryMap( 2225 "dup", Signature(ArgTypes{IntTy}, RetType{IntTy}), 2226 Summary(NoEvalCall) 2227 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, 2228 GenericSuccessMsg) 2229 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2230 .ArgConstraint( 2231 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 2232 2233 // int dup2(int fildes1, int filedes2); 2234 addToFunctionSummaryMap( 2235 "dup2", Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}), 2236 Summary(NoEvalCall) 2237 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, 2238 GenericSuccessMsg) 2239 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2240 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) 2241 .ArgConstraint( 2242 ArgumentCondition(1, WithinRange, Range(0, IntMax)))); 2243 2244 // int fdatasync(int fildes); 2245 addToFunctionSummaryMap( 2246 "fdatasync", Signature(ArgTypes{IntTy}, RetType{IntTy}), 2247 Summary(NoEvalCall) 2248 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2249 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2250 .ArgConstraint( 2251 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 2252 2253 // int fnmatch(const char *pattern, const char *string, int flags); 2254 addToFunctionSummaryMap( 2255 "fnmatch", 2256 Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy, IntTy}, 2257 RetType{IntTy}), 2258 Summary(NoEvalCall) 2259 .ArgConstraint(NotNull(ArgNo(0))) 2260 .ArgConstraint(NotNull(ArgNo(1)))); 2261 2262 // int fsync(int fildes); 2263 addToFunctionSummaryMap( 2264 "fsync", Signature(ArgTypes{IntTy}, RetType{IntTy}), 2265 Summary(NoEvalCall) 2266 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2267 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2268 .ArgConstraint( 2269 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 2270 2271 std::optional<QualType> Off_tTy = lookupTy("off_t"); 2272 2273 // int truncate(const char *path, off_t length); 2274 addToFunctionSummaryMap( 2275 "truncate", 2276 Signature(ArgTypes{ConstCharPtrTy, Off_tTy}, RetType{IntTy}), 2277 Summary(NoEvalCall) 2278 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2279 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2280 .ArgConstraint(NotNull(ArgNo(0)))); 2281 2282 // int symlink(const char *oldpath, const char *newpath); 2283 addToFunctionSummaryMap( 2284 "symlink", 2285 Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{IntTy}), 2286 Summary(NoEvalCall) 2287 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2288 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2289 .ArgConstraint(NotNull(ArgNo(0))) 2290 .ArgConstraint(NotNull(ArgNo(1)))); 2291 2292 // int symlinkat(const char *oldpath, int newdirfd, const char *newpath); 2293 addToFunctionSummaryMap( 2294 "symlinkat", 2295 Signature(ArgTypes{ConstCharPtrTy, IntTy, ConstCharPtrTy}, 2296 RetType{IntTy}), 2297 Summary(NoEvalCall) 2298 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2299 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2300 .ArgConstraint(NotNull(ArgNo(0))) 2301 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(1))) 2302 .ArgConstraint(NotNull(ArgNo(2)))); 2303 2304 // int lockf(int fd, int cmd, off_t len); 2305 addToFunctionSummaryMap( 2306 "lockf", Signature(ArgTypes{IntTy, IntTy, Off_tTy}, RetType{IntTy}), 2307 Summary(NoEvalCall) 2308 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2309 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2310 .ArgConstraint( 2311 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 2312 2313 std::optional<QualType> Mode_tTy = lookupTy("mode_t"); 2314 2315 // int creat(const char *pathname, mode_t mode); 2316 addToFunctionSummaryMap( 2317 "creat", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}), 2318 Summary(NoEvalCall) 2319 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, 2320 GenericSuccessMsg) 2321 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2322 .ArgConstraint(NotNull(ArgNo(0)))); 2323 2324 // unsigned int sleep(unsigned int seconds); 2325 addToFunctionSummaryMap( 2326 "sleep", Signature(ArgTypes{UnsignedIntTy}, RetType{UnsignedIntTy}), 2327 Summary(NoEvalCall) 2328 .ArgConstraint( 2329 ArgumentCondition(0, WithinRange, Range(0, UnsignedIntMax)))); 2330 2331 std::optional<QualType> DirTy = lookupTy("DIR"); 2332 std::optional<QualType> DirPtrTy = getPointerTy(DirTy); 2333 2334 // int dirfd(DIR *dirp); 2335 addToFunctionSummaryMap( 2336 "dirfd", Signature(ArgTypes{DirPtrTy}, RetType{IntTy}), 2337 Summary(NoEvalCall) 2338 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, 2339 GenericSuccessMsg) 2340 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2341 .ArgConstraint(NotNull(ArgNo(0)))); 2342 2343 // unsigned int alarm(unsigned int seconds); 2344 addToFunctionSummaryMap( 2345 "alarm", Signature(ArgTypes{UnsignedIntTy}, RetType{UnsignedIntTy}), 2346 Summary(NoEvalCall) 2347 .ArgConstraint( 2348 ArgumentCondition(0, WithinRange, Range(0, UnsignedIntMax)))); 2349 2350 // int closedir(DIR *dir); 2351 addToFunctionSummaryMap( 2352 "closedir", Signature(ArgTypes{DirPtrTy}, RetType{IntTy}), 2353 Summary(NoEvalCall) 2354 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2355 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2356 .ArgConstraint(NotNull(ArgNo(0)))); 2357 2358 // char *strdup(const char *s); 2359 addToFunctionSummaryMap( 2360 "strdup", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}), 2361 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2362 2363 // char *strndup(const char *s, size_t n); 2364 addToFunctionSummaryMap( 2365 "strndup", 2366 Signature(ArgTypes{ConstCharPtrTy, SizeTy}, RetType{CharPtrTy}), 2367 Summary(NoEvalCall) 2368 .ArgConstraint(NotNull(ArgNo(0))) 2369 .ArgConstraint( 2370 ArgumentCondition(1, WithinRange, Range(0, SizeMax)))); 2371 2372 // wchar_t *wcsdup(const wchar_t *s); 2373 addToFunctionSummaryMap( 2374 "wcsdup", Signature(ArgTypes{ConstWchar_tPtrTy}, RetType{Wchar_tPtrTy}), 2375 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2376 2377 // int mkstemp(char *template); 2378 addToFunctionSummaryMap( 2379 "mkstemp", Signature(ArgTypes{CharPtrTy}, RetType{IntTy}), 2380 Summary(NoEvalCall) 2381 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, 2382 GenericSuccessMsg) 2383 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2384 .ArgConstraint(NotNull(ArgNo(0)))); 2385 2386 // char *mkdtemp(char *template); 2387 // FIXME: Improve for errno modeling. 2388 addToFunctionSummaryMap( 2389 "mkdtemp", Signature(ArgTypes{CharPtrTy}, RetType{CharPtrTy}), 2390 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2391 2392 // char *getcwd(char *buf, size_t size); 2393 // FIXME: Improve for errno modeling. 2394 addToFunctionSummaryMap( 2395 "getcwd", Signature(ArgTypes{CharPtrTy, SizeTy}, RetType{CharPtrTy}), 2396 Summary(NoEvalCall) 2397 .ArgConstraint( 2398 ArgumentCondition(1, WithinRange, Range(0, SizeMax)))); 2399 2400 // int mkdir(const char *pathname, mode_t mode); 2401 addToFunctionSummaryMap( 2402 "mkdir", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}), 2403 Summary(NoEvalCall) 2404 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2405 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2406 .ArgConstraint(NotNull(ArgNo(0)))); 2407 2408 // int mkdirat(int dirfd, const char *pathname, mode_t mode); 2409 addToFunctionSummaryMap( 2410 "mkdirat", 2411 Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy}, RetType{IntTy}), 2412 Summary(NoEvalCall) 2413 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2414 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2415 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) 2416 .ArgConstraint(NotNull(ArgNo(1)))); 2417 2418 std::optional<QualType> Dev_tTy = lookupTy("dev_t"); 2419 2420 // int mknod(const char *pathname, mode_t mode, dev_t dev); 2421 addToFunctionSummaryMap( 2422 "mknod", 2423 Signature(ArgTypes{ConstCharPtrTy, Mode_tTy, Dev_tTy}, RetType{IntTy}), 2424 Summary(NoEvalCall) 2425 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2426 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2427 .ArgConstraint(NotNull(ArgNo(0)))); 2428 2429 // int mknodat(int dirfd, const char *pathname, mode_t mode, dev_t dev); 2430 addToFunctionSummaryMap( 2431 "mknodat", 2432 Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy, Dev_tTy}, 2433 RetType{IntTy}), 2434 Summary(NoEvalCall) 2435 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2436 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2437 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) 2438 .ArgConstraint(NotNull(ArgNo(1)))); 2439 2440 // int chmod(const char *path, mode_t mode); 2441 addToFunctionSummaryMap( 2442 "chmod", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}), 2443 Summary(NoEvalCall) 2444 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2445 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2446 .ArgConstraint(NotNull(ArgNo(0)))); 2447 2448 // int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags); 2449 addToFunctionSummaryMap( 2450 "fchmodat", 2451 Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy, IntTy}, 2452 RetType{IntTy}), 2453 Summary(NoEvalCall) 2454 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2455 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2456 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) 2457 .ArgConstraint(NotNull(ArgNo(1)))); 2458 2459 // int fchmod(int fildes, mode_t mode); 2460 addToFunctionSummaryMap( 2461 "fchmod", Signature(ArgTypes{IntTy, Mode_tTy}, RetType{IntTy}), 2462 Summary(NoEvalCall) 2463 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2464 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2465 .ArgConstraint( 2466 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 2467 2468 std::optional<QualType> Uid_tTy = lookupTy("uid_t"); 2469 std::optional<QualType> Gid_tTy = lookupTy("gid_t"); 2470 2471 // int fchownat(int dirfd, const char *pathname, uid_t owner, gid_t group, 2472 // int flags); 2473 addToFunctionSummaryMap( 2474 "fchownat", 2475 Signature(ArgTypes{IntTy, ConstCharPtrTy, Uid_tTy, Gid_tTy, IntTy}, 2476 RetType{IntTy}), 2477 Summary(NoEvalCall) 2478 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2479 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2480 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) 2481 .ArgConstraint(NotNull(ArgNo(1)))); 2482 2483 // int chown(const char *path, uid_t owner, gid_t group); 2484 addToFunctionSummaryMap( 2485 "chown", 2486 Signature(ArgTypes{ConstCharPtrTy, Uid_tTy, Gid_tTy}, RetType{IntTy}), 2487 Summary(NoEvalCall) 2488 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2489 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2490 .ArgConstraint(NotNull(ArgNo(0)))); 2491 2492 // int lchown(const char *path, uid_t owner, gid_t group); 2493 addToFunctionSummaryMap( 2494 "lchown", 2495 Signature(ArgTypes{ConstCharPtrTy, Uid_tTy, Gid_tTy}, RetType{IntTy}), 2496 Summary(NoEvalCall) 2497 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2498 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2499 .ArgConstraint(NotNull(ArgNo(0)))); 2500 2501 // int fchown(int fildes, uid_t owner, gid_t group); 2502 addToFunctionSummaryMap( 2503 "fchown", Signature(ArgTypes{IntTy, Uid_tTy, Gid_tTy}, RetType{IntTy}), 2504 Summary(NoEvalCall) 2505 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2506 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2507 .ArgConstraint( 2508 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 2509 2510 // int rmdir(const char *pathname); 2511 addToFunctionSummaryMap( 2512 "rmdir", Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}), 2513 Summary(NoEvalCall) 2514 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2515 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2516 .ArgConstraint(NotNull(ArgNo(0)))); 2517 2518 // int chdir(const char *path); 2519 addToFunctionSummaryMap( 2520 "chdir", Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}), 2521 Summary(NoEvalCall) 2522 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2523 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2524 .ArgConstraint(NotNull(ArgNo(0)))); 2525 2526 // int link(const char *oldpath, const char *newpath); 2527 addToFunctionSummaryMap( 2528 "link", 2529 Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{IntTy}), 2530 Summary(NoEvalCall) 2531 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2532 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2533 .ArgConstraint(NotNull(ArgNo(0))) 2534 .ArgConstraint(NotNull(ArgNo(1)))); 2535 2536 // int linkat(int fd1, const char *path1, int fd2, const char *path2, 2537 // int flag); 2538 addToFunctionSummaryMap( 2539 "linkat", 2540 Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, ConstCharPtrTy, IntTy}, 2541 RetType{IntTy}), 2542 Summary(NoEvalCall) 2543 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2544 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2545 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) 2546 .ArgConstraint(NotNull(ArgNo(1))) 2547 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(2))) 2548 .ArgConstraint(NotNull(ArgNo(3)))); 2549 2550 // int unlink(const char *pathname); 2551 addToFunctionSummaryMap( 2552 "unlink", Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}), 2553 Summary(NoEvalCall) 2554 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2555 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2556 .ArgConstraint(NotNull(ArgNo(0)))); 2557 2558 // int unlinkat(int fd, const char *path, int flag); 2559 addToFunctionSummaryMap( 2560 "unlinkat", 2561 Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy}, RetType{IntTy}), 2562 Summary(NoEvalCall) 2563 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2564 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2565 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) 2566 .ArgConstraint(NotNull(ArgNo(1)))); 2567 2568 std::optional<QualType> StructStatTy = lookupTy("stat"); 2569 std::optional<QualType> StructStatPtrTy = getPointerTy(StructStatTy); 2570 std::optional<QualType> StructStatPtrRestrictTy = 2571 getRestrictTy(StructStatPtrTy); 2572 2573 // int fstat(int fd, struct stat *statbuf); 2574 addToFunctionSummaryMap( 2575 "fstat", Signature(ArgTypes{IntTy, StructStatPtrTy}, RetType{IntTy}), 2576 Summary(NoEvalCall) 2577 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2578 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2579 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) 2580 .ArgConstraint(NotNull(ArgNo(1)))); 2581 2582 // int stat(const char *restrict path, struct stat *restrict buf); 2583 addToFunctionSummaryMap( 2584 "stat", 2585 Signature(ArgTypes{ConstCharPtrRestrictTy, StructStatPtrRestrictTy}, 2586 RetType{IntTy}), 2587 Summary(NoEvalCall) 2588 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2589 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2590 .ArgConstraint(NotNull(ArgNo(0))) 2591 .ArgConstraint(NotNull(ArgNo(1)))); 2592 2593 // int lstat(const char *restrict path, struct stat *restrict buf); 2594 addToFunctionSummaryMap( 2595 "lstat", 2596 Signature(ArgTypes{ConstCharPtrRestrictTy, StructStatPtrRestrictTy}, 2597 RetType{IntTy}), 2598 Summary(NoEvalCall) 2599 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2600 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2601 .ArgConstraint(NotNull(ArgNo(0))) 2602 .ArgConstraint(NotNull(ArgNo(1)))); 2603 2604 // int fstatat(int fd, const char *restrict path, 2605 // struct stat *restrict buf, int flag); 2606 addToFunctionSummaryMap( 2607 "fstatat", 2608 Signature(ArgTypes{IntTy, ConstCharPtrRestrictTy, 2609 StructStatPtrRestrictTy, IntTy}, 2610 RetType{IntTy}), 2611 Summary(NoEvalCall) 2612 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2613 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2614 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) 2615 .ArgConstraint(NotNull(ArgNo(1))) 2616 .ArgConstraint(NotNull(ArgNo(2)))); 2617 2618 // DIR *opendir(const char *name); 2619 // FIXME: Improve for errno modeling. 2620 addToFunctionSummaryMap( 2621 "opendir", Signature(ArgTypes{ConstCharPtrTy}, RetType{DirPtrTy}), 2622 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2623 2624 // DIR *fdopendir(int fd); 2625 // FIXME: Improve for errno modeling. 2626 addToFunctionSummaryMap("fdopendir", 2627 Signature(ArgTypes{IntTy}, RetType{DirPtrTy}), 2628 Summary(NoEvalCall) 2629 .ArgConstraint(ArgumentCondition( 2630 0, WithinRange, Range(0, IntMax)))); 2631 2632 // int isatty(int fildes); 2633 addToFunctionSummaryMap( 2634 "isatty", Signature(ArgTypes{IntTy}, RetType{IntTy}), 2635 Summary(NoEvalCall) 2636 .Case({ReturnValueCondition(WithinRange, Range(0, 1))}, 2637 ErrnoIrrelevant) 2638 .ArgConstraint( 2639 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 2640 2641 // FILE *popen(const char *command, const char *type); 2642 // FIXME: Improve for errno modeling. 2643 addToFunctionSummaryMap( 2644 "popen", 2645 Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{FilePtrTy}), 2646 Summary(NoEvalCall) 2647 .ArgConstraint(NotNull(ArgNo(0))) 2648 .ArgConstraint(NotNull(ArgNo(1)))); 2649 2650 // int pclose(FILE *stream); 2651 // FIXME: Improve for errno modeling. 2652 addToFunctionSummaryMap( 2653 "pclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), 2654 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2655 2656 // int close(int fildes); 2657 addToFunctionSummaryMap( 2658 "close", Signature(ArgTypes{IntTy}, RetType{IntTy}), 2659 Summary(NoEvalCall) 2660 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2661 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2662 .ArgConstraint( 2663 ArgumentCondition(0, WithinRange, Range(-1, IntMax)))); 2664 2665 // long fpathconf(int fildes, int name); 2666 addToFunctionSummaryMap("fpathconf", 2667 Signature(ArgTypes{IntTy, IntTy}, RetType{LongTy}), 2668 Summary(NoEvalCall) 2669 .ArgConstraint(ArgumentCondition( 2670 0, WithinRange, Range(0, IntMax)))); 2671 2672 // long pathconf(const char *path, int name); 2673 addToFunctionSummaryMap( 2674 "pathconf", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{LongTy}), 2675 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2676 2677 // FILE *fdopen(int fd, const char *mode); 2678 // FIXME: Improve for errno modeling. 2679 addToFunctionSummaryMap( 2680 "fdopen", 2681 Signature(ArgTypes{IntTy, ConstCharPtrTy}, RetType{FilePtrTy}), 2682 Summary(NoEvalCall) 2683 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) 2684 .ArgConstraint(NotNull(ArgNo(1)))); 2685 2686 // void rewinddir(DIR *dir); 2687 addToFunctionSummaryMap( 2688 "rewinddir", Signature(ArgTypes{DirPtrTy}, RetType{VoidTy}), 2689 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2690 2691 // void seekdir(DIR *dirp, long loc); 2692 addToFunctionSummaryMap( 2693 "seekdir", Signature(ArgTypes{DirPtrTy, LongTy}, RetType{VoidTy}), 2694 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2695 2696 // int rand_r(unsigned int *seedp); 2697 addToFunctionSummaryMap( 2698 "rand_r", Signature(ArgTypes{UnsignedIntPtrTy}, RetType{IntTy}), 2699 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2700 2701 // int fseeko(FILE *stream, off_t offset, int whence); 2702 addToFunctionSummaryMap( 2703 "fseeko", 2704 Signature(ArgTypes{FilePtrTy, Off_tTy, IntTy}, RetType{IntTy}), 2705 Summary(NoEvalCall) 2706 .Case(ReturnsZeroOrMinusOne, ErrnoIrrelevant) 2707 .ArgConstraint(NotNull(ArgNo(0)))); 2708 2709 // off_t ftello(FILE *stream); 2710 addToFunctionSummaryMap( 2711 "ftello", Signature(ArgTypes{FilePtrTy}, RetType{Off_tTy}), 2712 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2713 2714 // void *mmap(void *addr, size_t length, int prot, int flags, int fd, 2715 // off_t offset); 2716 // FIXME: Improve for errno modeling. 2717 addToFunctionSummaryMap( 2718 "mmap", 2719 Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off_tTy}, 2720 RetType{VoidPtrTy}), 2721 Summary(NoEvalCall) 2722 .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax))) 2723 .ArgConstraint( 2724 ArgumentCondition(4, WithinRange, Range(-1, IntMax)))); 2725 2726 std::optional<QualType> Off64_tTy = lookupTy("off64_t"); 2727 // void *mmap64(void *addr, size_t length, int prot, int flags, int fd, 2728 // off64_t offset); 2729 // FIXME: Improve for errno modeling. 2730 addToFunctionSummaryMap( 2731 "mmap64", 2732 Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off64_tTy}, 2733 RetType{VoidPtrTy}), 2734 Summary(NoEvalCall) 2735 .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax))) 2736 .ArgConstraint( 2737 ArgumentCondition(4, WithinRange, Range(-1, IntMax)))); 2738 2739 // int pipe(int fildes[2]); 2740 addToFunctionSummaryMap( 2741 "pipe", Signature(ArgTypes{IntPtrTy}, RetType{IntTy}), 2742 Summary(NoEvalCall) 2743 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2744 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2745 .ArgConstraint(NotNull(ArgNo(0)))); 2746 2747 // off_t lseek(int fildes, off_t offset, int whence); 2748 // In the first case we can not tell for sure if it failed or not. 2749 // A return value different from of the expected offset (that is unknown 2750 // here) may indicate failure. For this reason we do not enforce the errno 2751 // check (can cause false positive). 2752 addToFunctionSummaryMap( 2753 "lseek", Signature(ArgTypes{IntTy, Off_tTy, IntTy}, RetType{Off_tTy}), 2754 Summary(NoEvalCall) 2755 .Case(ReturnsNonnegative, ErrnoIrrelevant) 2756 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2757 .ArgConstraint( 2758 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 2759 2760 // ssize_t readlink(const char *restrict path, char *restrict buf, 2761 // size_t bufsize); 2762 addToFunctionSummaryMap( 2763 "readlink", 2764 Signature(ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy}, 2765 RetType{Ssize_tTy}), 2766 Summary(NoEvalCall) 2767 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), 2768 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))}, 2769 ErrnoMustNotBeChecked, GenericSuccessMsg) 2770 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2771 .ArgConstraint(NotNull(ArgNo(0))) 2772 .ArgConstraint(NotNull(ArgNo(1))) 2773 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), 2774 /*BufSize=*/ArgNo(2))) 2775 .ArgConstraint( 2776 ArgumentCondition(2, WithinRange, Range(0, SizeMax)))); 2777 2778 // ssize_t readlinkat(int fd, const char *restrict path, 2779 // char *restrict buf, size_t bufsize); 2780 addToFunctionSummaryMap( 2781 "readlinkat", 2782 Signature( 2783 ArgTypes{IntTy, ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy}, 2784 RetType{Ssize_tTy}), 2785 Summary(NoEvalCall) 2786 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(3)), 2787 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))}, 2788 ErrnoMustNotBeChecked, GenericSuccessMsg) 2789 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2790 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) 2791 .ArgConstraint(NotNull(ArgNo(1))) 2792 .ArgConstraint(NotNull(ArgNo(2))) 2793 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(2), 2794 /*BufSize=*/ArgNo(3))) 2795 .ArgConstraint( 2796 ArgumentCondition(3, WithinRange, Range(0, SizeMax)))); 2797 2798 // int renameat(int olddirfd, const char *oldpath, int newdirfd, const char 2799 // *newpath); 2800 addToFunctionSummaryMap( 2801 "renameat", 2802 Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, ConstCharPtrTy}, 2803 RetType{IntTy}), 2804 Summary(NoEvalCall) 2805 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2806 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2807 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) 2808 .ArgConstraint(NotNull(ArgNo(1))) 2809 .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(2))) 2810 .ArgConstraint(NotNull(ArgNo(3)))); 2811 2812 // char *realpath(const char *restrict file_name, 2813 // char *restrict resolved_name); 2814 // FIXME: Improve for errno modeling. 2815 addToFunctionSummaryMap( 2816 "realpath", 2817 Signature(ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy}, 2818 RetType{CharPtrTy}), 2819 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 2820 2821 QualType CharPtrConstPtr = getPointerTy(getConstTy(CharPtrTy)); 2822 2823 // int execv(const char *path, char *const argv[]); 2824 addToFunctionSummaryMap( 2825 "execv", 2826 Signature(ArgTypes{ConstCharPtrTy, CharPtrConstPtr}, RetType{IntTy}), 2827 Summary(NoEvalCall) 2828 .Case({ReturnValueCondition(WithinRange, SingleValue(-1))}, 2829 ErrnoIrrelevant) 2830 .ArgConstraint(NotNull(ArgNo(0)))); 2831 2832 // int execvp(const char *file, char *const argv[]); 2833 addToFunctionSummaryMap( 2834 "execvp", 2835 Signature(ArgTypes{ConstCharPtrTy, CharPtrConstPtr}, RetType{IntTy}), 2836 Summary(NoEvalCall) 2837 .Case({ReturnValueCondition(WithinRange, SingleValue(-1))}, 2838 ErrnoIrrelevant) 2839 .ArgConstraint(NotNull(ArgNo(0)))); 2840 2841 // int getopt(int argc, char * const argv[], const char *optstring); 2842 addToFunctionSummaryMap( 2843 "getopt", 2844 Signature(ArgTypes{IntTy, CharPtrConstPtr, ConstCharPtrTy}, 2845 RetType{IntTy}), 2846 Summary(NoEvalCall) 2847 .Case({ReturnValueCondition(WithinRange, Range(-1, UCharRangeMax))}, 2848 ErrnoIrrelevant) 2849 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) 2850 .ArgConstraint(NotNull(ArgNo(1))) 2851 .ArgConstraint(NotNull(ArgNo(2)))); 2852 2853 std::optional<QualType> StructSockaddrTy = lookupTy("sockaddr"); 2854 std::optional<QualType> StructSockaddrPtrTy = 2855 getPointerTy(StructSockaddrTy); 2856 std::optional<QualType> ConstStructSockaddrPtrTy = 2857 getPointerTy(getConstTy(StructSockaddrTy)); 2858 std::optional<QualType> StructSockaddrPtrRestrictTy = 2859 getRestrictTy(StructSockaddrPtrTy); 2860 std::optional<QualType> ConstStructSockaddrPtrRestrictTy = 2861 getRestrictTy(ConstStructSockaddrPtrTy); 2862 std::optional<QualType> Socklen_tTy = lookupTy("socklen_t"); 2863 std::optional<QualType> Socklen_tPtrTy = getPointerTy(Socklen_tTy); 2864 std::optional<QualType> Socklen_tPtrRestrictTy = 2865 getRestrictTy(Socklen_tPtrTy); 2866 std::optional<RangeInt> Socklen_tMax = getMaxValue(Socklen_tTy); 2867 2868 // In 'socket.h' of some libc implementations with C99, sockaddr parameter 2869 // is a transparent union of the underlying sockaddr_ family of pointers 2870 // instead of being a pointer to struct sockaddr. In these cases, the 2871 // standardized signature will not match, thus we try to match with another 2872 // signature that has the joker Irrelevant type. We also remove those 2873 // constraints which require pointer types for the sockaddr param. 2874 2875 // int socket(int domain, int type, int protocol); 2876 addToFunctionSummaryMap( 2877 "socket", Signature(ArgTypes{IntTy, IntTy, IntTy}, RetType{IntTy}), 2878 Summary(NoEvalCall) 2879 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, 2880 GenericSuccessMsg) 2881 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg)); 2882 2883 auto Accept = 2884 Summary(NoEvalCall) 2885 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, 2886 GenericSuccessMsg) 2887 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2888 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))); 2889 if (!addToFunctionSummaryMap( 2890 "accept", 2891 // int accept(int socket, struct sockaddr *restrict address, 2892 // socklen_t *restrict address_len); 2893 Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy, 2894 Socklen_tPtrRestrictTy}, 2895 RetType{IntTy}), 2896 Accept)) 2897 addToFunctionSummaryMap( 2898 "accept", 2899 Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy}, 2900 RetType{IntTy}), 2901 Accept); 2902 2903 // int bind(int socket, const struct sockaddr *address, socklen_t 2904 // address_len); 2905 if (!addToFunctionSummaryMap( 2906 "bind", 2907 Signature(ArgTypes{IntTy, ConstStructSockaddrPtrTy, Socklen_tTy}, 2908 RetType{IntTy}), 2909 Summary(NoEvalCall) 2910 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2911 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2912 .ArgConstraint( 2913 ArgumentCondition(0, WithinRange, Range(0, IntMax))) 2914 .ArgConstraint(NotNull(ArgNo(1))) 2915 .ArgConstraint( 2916 BufferSize(/*Buffer=*/ArgNo(1), /*BufSize=*/ArgNo(2))) 2917 .ArgConstraint( 2918 ArgumentCondition(2, WithinRange, Range(0, Socklen_tMax))))) 2919 // Do not add constraints on sockaddr. 2920 addToFunctionSummaryMap( 2921 "bind", 2922 Signature(ArgTypes{IntTy, Irrelevant, Socklen_tTy}, RetType{IntTy}), 2923 Summary(NoEvalCall) 2924 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2925 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2926 .ArgConstraint( 2927 ArgumentCondition(0, WithinRange, Range(0, IntMax))) 2928 .ArgConstraint( 2929 ArgumentCondition(2, WithinRange, Range(0, Socklen_tMax)))); 2930 2931 // int getpeername(int socket, struct sockaddr *restrict address, 2932 // socklen_t *restrict address_len); 2933 if (!addToFunctionSummaryMap( 2934 "getpeername", 2935 Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy, 2936 Socklen_tPtrRestrictTy}, 2937 RetType{IntTy}), 2938 Summary(NoEvalCall) 2939 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2940 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2941 .ArgConstraint( 2942 ArgumentCondition(0, WithinRange, Range(0, IntMax))) 2943 .ArgConstraint(NotNull(ArgNo(1))) 2944 .ArgConstraint(NotNull(ArgNo(2))))) 2945 addToFunctionSummaryMap( 2946 "getpeername", 2947 Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy}, 2948 RetType{IntTy}), 2949 Summary(NoEvalCall) 2950 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2951 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2952 .ArgConstraint( 2953 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 2954 2955 // int getsockname(int socket, struct sockaddr *restrict address, 2956 // socklen_t *restrict address_len); 2957 if (!addToFunctionSummaryMap( 2958 "getsockname", 2959 Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy, 2960 Socklen_tPtrRestrictTy}, 2961 RetType{IntTy}), 2962 Summary(NoEvalCall) 2963 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2964 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2965 .ArgConstraint( 2966 ArgumentCondition(0, WithinRange, Range(0, IntMax))) 2967 .ArgConstraint(NotNull(ArgNo(1))) 2968 .ArgConstraint(NotNull(ArgNo(2))))) 2969 addToFunctionSummaryMap( 2970 "getsockname", 2971 Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy}, 2972 RetType{IntTy}), 2973 Summary(NoEvalCall) 2974 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2975 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2976 .ArgConstraint( 2977 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 2978 2979 // int connect(int socket, const struct sockaddr *address, socklen_t 2980 // address_len); 2981 if (!addToFunctionSummaryMap( 2982 "connect", 2983 Signature(ArgTypes{IntTy, ConstStructSockaddrPtrTy, Socklen_tTy}, 2984 RetType{IntTy}), 2985 Summary(NoEvalCall) 2986 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2987 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2988 .ArgConstraint( 2989 ArgumentCondition(0, WithinRange, Range(0, IntMax))) 2990 .ArgConstraint(NotNull(ArgNo(1))))) 2991 addToFunctionSummaryMap( 2992 "connect", 2993 Signature(ArgTypes{IntTy, Irrelevant, Socklen_tTy}, RetType{IntTy}), 2994 Summary(NoEvalCall) 2995 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 2996 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 2997 .ArgConstraint( 2998 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 2999 3000 auto Recvfrom = 3001 Summary(NoEvalCall) 3002 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), 3003 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))}, 3004 ErrnoMustNotBeChecked, GenericSuccessMsg) 3005 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3006 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) 3007 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), 3008 /*BufSize=*/ArgNo(2))); 3009 if (!addToFunctionSummaryMap( 3010 "recvfrom", 3011 // ssize_t recvfrom(int socket, void *restrict buffer, 3012 // size_t length, 3013 // int flags, struct sockaddr *restrict address, 3014 // socklen_t *restrict address_len); 3015 Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy, 3016 StructSockaddrPtrRestrictTy, 3017 Socklen_tPtrRestrictTy}, 3018 RetType{Ssize_tTy}), 3019 Recvfrom)) 3020 addToFunctionSummaryMap( 3021 "recvfrom", 3022 Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy, 3023 Irrelevant, Socklen_tPtrRestrictTy}, 3024 RetType{Ssize_tTy}), 3025 Recvfrom); 3026 3027 auto Sendto = 3028 Summary(NoEvalCall) 3029 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), 3030 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))}, 3031 ErrnoMustNotBeChecked, GenericSuccessMsg) 3032 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3033 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) 3034 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), 3035 /*BufSize=*/ArgNo(2))); 3036 if (!addToFunctionSummaryMap( 3037 "sendto", 3038 // ssize_t sendto(int socket, const void *message, size_t length, 3039 // int flags, const struct sockaddr *dest_addr, 3040 // socklen_t dest_len); 3041 Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy, 3042 ConstStructSockaddrPtrTy, Socklen_tTy}, 3043 RetType{Ssize_tTy}), 3044 Sendto)) 3045 addToFunctionSummaryMap( 3046 "sendto", 3047 Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy, Irrelevant, 3048 Socklen_tTy}, 3049 RetType{Ssize_tTy}), 3050 Sendto); 3051 3052 // int listen(int sockfd, int backlog); 3053 addToFunctionSummaryMap( 3054 "listen", Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}), 3055 Summary(NoEvalCall) 3056 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3057 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3058 .ArgConstraint( 3059 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 3060 3061 // ssize_t recv(int sockfd, void *buf, size_t len, int flags); 3062 addToFunctionSummaryMap( 3063 "recv", 3064 Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy, IntTy}, 3065 RetType{Ssize_tTy}), 3066 Summary(NoEvalCall) 3067 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), 3068 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))}, 3069 ErrnoMustNotBeChecked, GenericSuccessMsg) 3070 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3071 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) 3072 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), 3073 /*BufSize=*/ArgNo(2)))); 3074 3075 std::optional<QualType> StructMsghdrTy = lookupTy("msghdr"); 3076 std::optional<QualType> StructMsghdrPtrTy = getPointerTy(StructMsghdrTy); 3077 std::optional<QualType> ConstStructMsghdrPtrTy = 3078 getPointerTy(getConstTy(StructMsghdrTy)); 3079 3080 // ssize_t recvmsg(int sockfd, struct msghdr *msg, int flags); 3081 addToFunctionSummaryMap( 3082 "recvmsg", 3083 Signature(ArgTypes{IntTy, StructMsghdrPtrTy, IntTy}, 3084 RetType{Ssize_tTy}), 3085 Summary(NoEvalCall) 3086 .Case({ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))}, 3087 ErrnoMustNotBeChecked, GenericSuccessMsg) 3088 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3089 .ArgConstraint( 3090 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 3091 3092 // ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags); 3093 addToFunctionSummaryMap( 3094 "sendmsg", 3095 Signature(ArgTypes{IntTy, ConstStructMsghdrPtrTy, IntTy}, 3096 RetType{Ssize_tTy}), 3097 Summary(NoEvalCall) 3098 .Case({ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))}, 3099 ErrnoMustNotBeChecked, GenericSuccessMsg) 3100 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3101 .ArgConstraint( 3102 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 3103 3104 // int setsockopt(int socket, int level, int option_name, 3105 // const void *option_value, socklen_t option_len); 3106 addToFunctionSummaryMap( 3107 "setsockopt", 3108 Signature(ArgTypes{IntTy, IntTy, IntTy, ConstVoidPtrTy, Socklen_tTy}, 3109 RetType{IntTy}), 3110 Summary(NoEvalCall) 3111 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3112 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3113 .ArgConstraint(NotNull(ArgNo(3))) 3114 .ArgConstraint( 3115 BufferSize(/*Buffer=*/ArgNo(3), /*BufSize=*/ArgNo(4))) 3116 .ArgConstraint( 3117 ArgumentCondition(4, WithinRange, Range(0, Socklen_tMax)))); 3118 3119 // int getsockopt(int socket, int level, int option_name, 3120 // void *restrict option_value, 3121 // socklen_t *restrict option_len); 3122 addToFunctionSummaryMap( 3123 "getsockopt", 3124 Signature(ArgTypes{IntTy, IntTy, IntTy, VoidPtrRestrictTy, 3125 Socklen_tPtrRestrictTy}, 3126 RetType{IntTy}), 3127 Summary(NoEvalCall) 3128 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3129 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3130 .ArgConstraint(NotNull(ArgNo(3))) 3131 .ArgConstraint(NotNull(ArgNo(4)))); 3132 3133 // ssize_t send(int sockfd, const void *buf, size_t len, int flags); 3134 addToFunctionSummaryMap( 3135 "send", 3136 Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy}, 3137 RetType{Ssize_tTy}), 3138 Summary(NoEvalCall) 3139 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), 3140 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))}, 3141 ErrnoMustNotBeChecked, GenericSuccessMsg) 3142 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3143 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) 3144 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), 3145 /*BufSize=*/ArgNo(2)))); 3146 3147 // int socketpair(int domain, int type, int protocol, int sv[2]); 3148 addToFunctionSummaryMap( 3149 "socketpair", 3150 Signature(ArgTypes{IntTy, IntTy, IntTy, IntPtrTy}, RetType{IntTy}), 3151 Summary(NoEvalCall) 3152 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3153 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3154 .ArgConstraint(NotNull(ArgNo(3)))); 3155 3156 // int shutdown(int socket, int how); 3157 addToFunctionSummaryMap( 3158 "shutdown", Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}), 3159 Summary(NoEvalCall) 3160 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3161 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3162 .ArgConstraint( 3163 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 3164 3165 // int getnameinfo(const struct sockaddr *restrict sa, socklen_t salen, 3166 // char *restrict node, socklen_t nodelen, 3167 // char *restrict service, 3168 // socklen_t servicelen, int flags); 3169 // 3170 // This is defined in netdb.h. And contrary to 'socket.h', the sockaddr 3171 // parameter is never handled as a transparent union in netdb.h 3172 addToFunctionSummaryMap( 3173 "getnameinfo", 3174 Signature(ArgTypes{ConstStructSockaddrPtrRestrictTy, Socklen_tTy, 3175 CharPtrRestrictTy, Socklen_tTy, CharPtrRestrictTy, 3176 Socklen_tTy, IntTy}, 3177 RetType{IntTy}), 3178 Summary(NoEvalCall) 3179 .ArgConstraint( 3180 BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1))) 3181 .ArgConstraint( 3182 ArgumentCondition(1, WithinRange, Range(0, Socklen_tMax))) 3183 .ArgConstraint( 3184 BufferSize(/*Buffer=*/ArgNo(2), /*BufSize=*/ArgNo(3))) 3185 .ArgConstraint( 3186 ArgumentCondition(3, WithinRange, Range(0, Socklen_tMax))) 3187 .ArgConstraint( 3188 BufferSize(/*Buffer=*/ArgNo(4), /*BufSize=*/ArgNo(5))) 3189 .ArgConstraint( 3190 ArgumentCondition(5, WithinRange, Range(0, Socklen_tMax)))); 3191 3192 std::optional<QualType> StructUtimbufTy = lookupTy("utimbuf"); 3193 std::optional<QualType> StructUtimbufPtrTy = getPointerTy(StructUtimbufTy); 3194 3195 // int utime(const char *filename, struct utimbuf *buf); 3196 addToFunctionSummaryMap( 3197 "utime", 3198 Signature(ArgTypes{ConstCharPtrTy, StructUtimbufPtrTy}, RetType{IntTy}), 3199 Summary(NoEvalCall) 3200 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3201 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3202 .ArgConstraint(NotNull(ArgNo(0)))); 3203 3204 std::optional<QualType> StructTimespecTy = lookupTy("timespec"); 3205 std::optional<QualType> StructTimespecPtrTy = 3206 getPointerTy(StructTimespecTy); 3207 std::optional<QualType> ConstStructTimespecPtrTy = 3208 getPointerTy(getConstTy(StructTimespecTy)); 3209 3210 // int futimens(int fd, const struct timespec times[2]); 3211 addToFunctionSummaryMap( 3212 "futimens", 3213 Signature(ArgTypes{IntTy, ConstStructTimespecPtrTy}, RetType{IntTy}), 3214 Summary(NoEvalCall) 3215 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3216 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3217 .ArgConstraint( 3218 ArgumentCondition(0, WithinRange, Range(0, IntMax)))); 3219 3220 // int utimensat(int dirfd, const char *pathname, 3221 // const struct timespec times[2], int flags); 3222 addToFunctionSummaryMap( 3223 "utimensat", 3224 Signature( 3225 ArgTypes{IntTy, ConstCharPtrTy, ConstStructTimespecPtrTy, IntTy}, 3226 RetType{IntTy}), 3227 Summary(NoEvalCall) 3228 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3229 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3230 .ArgConstraint(NotNull(ArgNo(1)))); 3231 3232 std::optional<QualType> StructTimevalTy = lookupTy("timeval"); 3233 std::optional<QualType> ConstStructTimevalPtrTy = 3234 getPointerTy(getConstTy(StructTimevalTy)); 3235 3236 // int utimes(const char *filename, const struct timeval times[2]); 3237 addToFunctionSummaryMap( 3238 "utimes", 3239 Signature(ArgTypes{ConstCharPtrTy, ConstStructTimevalPtrTy}, 3240 RetType{IntTy}), 3241 Summary(NoEvalCall) 3242 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3243 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3244 .ArgConstraint(NotNull(ArgNo(0)))); 3245 3246 // int nanosleep(const struct timespec *rqtp, struct timespec *rmtp); 3247 addToFunctionSummaryMap( 3248 "nanosleep", 3249 Signature(ArgTypes{ConstStructTimespecPtrTy, StructTimespecPtrTy}, 3250 RetType{IntTy}), 3251 Summary(NoEvalCall) 3252 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3253 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3254 .ArgConstraint(NotNull(ArgNo(0)))); 3255 3256 std::optional<QualType> Time_tTy = lookupTy("time_t"); 3257 std::optional<QualType> ConstTime_tPtrTy = 3258 getPointerTy(getConstTy(Time_tTy)); 3259 std::optional<QualType> ConstTime_tPtrRestrictTy = 3260 getRestrictTy(ConstTime_tPtrTy); 3261 3262 std::optional<QualType> StructTmTy = lookupTy("tm"); 3263 std::optional<QualType> StructTmPtrTy = getPointerTy(StructTmTy); 3264 std::optional<QualType> StructTmPtrRestrictTy = 3265 getRestrictTy(StructTmPtrTy); 3266 std::optional<QualType> ConstStructTmPtrTy = 3267 getPointerTy(getConstTy(StructTmTy)); 3268 std::optional<QualType> ConstStructTmPtrRestrictTy = 3269 getRestrictTy(ConstStructTmPtrTy); 3270 3271 // struct tm * localtime(const time_t *tp); 3272 addToFunctionSummaryMap( 3273 "localtime", 3274 Signature(ArgTypes{ConstTime_tPtrTy}, RetType{StructTmPtrTy}), 3275 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 3276 3277 // struct tm *localtime_r(const time_t *restrict timer, 3278 // struct tm *restrict result); 3279 addToFunctionSummaryMap( 3280 "localtime_r", 3281 Signature(ArgTypes{ConstTime_tPtrRestrictTy, StructTmPtrRestrictTy}, 3282 RetType{StructTmPtrTy}), 3283 Summary(NoEvalCall) 3284 .ArgConstraint(NotNull(ArgNo(0))) 3285 .ArgConstraint(NotNull(ArgNo(1)))); 3286 3287 // char *asctime_r(const struct tm *restrict tm, char *restrict buf); 3288 addToFunctionSummaryMap( 3289 "asctime_r", 3290 Signature(ArgTypes{ConstStructTmPtrRestrictTy, CharPtrRestrictTy}, 3291 RetType{CharPtrTy}), 3292 Summary(NoEvalCall) 3293 .ArgConstraint(NotNull(ArgNo(0))) 3294 .ArgConstraint(NotNull(ArgNo(1))) 3295 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), 3296 /*MinBufSize=*/BVF.getValue(26, IntTy)))); 3297 3298 // char *ctime_r(const time_t *timep, char *buf); 3299 addToFunctionSummaryMap( 3300 "ctime_r", 3301 Signature(ArgTypes{ConstTime_tPtrTy, CharPtrTy}, RetType{CharPtrTy}), 3302 Summary(NoEvalCall) 3303 .ArgConstraint(NotNull(ArgNo(0))) 3304 .ArgConstraint(NotNull(ArgNo(1))) 3305 .ArgConstraint(BufferSize( 3306 /*Buffer=*/ArgNo(1), 3307 /*MinBufSize=*/BVF.getValue(26, IntTy)))); 3308 3309 // struct tm *gmtime_r(const time_t *restrict timer, 3310 // struct tm *restrict result); 3311 addToFunctionSummaryMap( 3312 "gmtime_r", 3313 Signature(ArgTypes{ConstTime_tPtrRestrictTy, StructTmPtrRestrictTy}, 3314 RetType{StructTmPtrTy}), 3315 Summary(NoEvalCall) 3316 .ArgConstraint(NotNull(ArgNo(0))) 3317 .ArgConstraint(NotNull(ArgNo(1)))); 3318 3319 // struct tm * gmtime(const time_t *tp); 3320 addToFunctionSummaryMap( 3321 "gmtime", Signature(ArgTypes{ConstTime_tPtrTy}, RetType{StructTmPtrTy}), 3322 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 3323 3324 std::optional<QualType> Clockid_tTy = lookupTy("clockid_t"); 3325 3326 // int clock_gettime(clockid_t clock_id, struct timespec *tp); 3327 addToFunctionSummaryMap( 3328 "clock_gettime", 3329 Signature(ArgTypes{Clockid_tTy, StructTimespecPtrTy}, RetType{IntTy}), 3330 Summary(NoEvalCall) 3331 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3332 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3333 .ArgConstraint(NotNull(ArgNo(1)))); 3334 3335 std::optional<QualType> StructItimervalTy = lookupTy("itimerval"); 3336 std::optional<QualType> StructItimervalPtrTy = 3337 getPointerTy(StructItimervalTy); 3338 3339 // int getitimer(int which, struct itimerval *curr_value); 3340 addToFunctionSummaryMap( 3341 "getitimer", 3342 Signature(ArgTypes{IntTy, StructItimervalPtrTy}, RetType{IntTy}), 3343 Summary(NoEvalCall) 3344 .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) 3345 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) 3346 .ArgConstraint(NotNull(ArgNo(1)))); 3347 3348 std::optional<QualType> Pthread_cond_tTy = lookupTy("pthread_cond_t"); 3349 std::optional<QualType> Pthread_cond_tPtrTy = 3350 getPointerTy(Pthread_cond_tTy); 3351 std::optional<QualType> Pthread_tTy = lookupTy("pthread_t"); 3352 std::optional<QualType> Pthread_tPtrTy = getPointerTy(Pthread_tTy); 3353 std::optional<QualType> Pthread_tPtrRestrictTy = 3354 getRestrictTy(Pthread_tPtrTy); 3355 std::optional<QualType> Pthread_mutex_tTy = lookupTy("pthread_mutex_t"); 3356 std::optional<QualType> Pthread_mutex_tPtrTy = 3357 getPointerTy(Pthread_mutex_tTy); 3358 std::optional<QualType> Pthread_mutex_tPtrRestrictTy = 3359 getRestrictTy(Pthread_mutex_tPtrTy); 3360 std::optional<QualType> Pthread_attr_tTy = lookupTy("pthread_attr_t"); 3361 std::optional<QualType> Pthread_attr_tPtrTy = 3362 getPointerTy(Pthread_attr_tTy); 3363 std::optional<QualType> ConstPthread_attr_tPtrTy = 3364 getPointerTy(getConstTy(Pthread_attr_tTy)); 3365 std::optional<QualType> ConstPthread_attr_tPtrRestrictTy = 3366 getRestrictTy(ConstPthread_attr_tPtrTy); 3367 std::optional<QualType> Pthread_mutexattr_tTy = 3368 lookupTy("pthread_mutexattr_t"); 3369 std::optional<QualType> ConstPthread_mutexattr_tPtrTy = 3370 getPointerTy(getConstTy(Pthread_mutexattr_tTy)); 3371 std::optional<QualType> ConstPthread_mutexattr_tPtrRestrictTy = 3372 getRestrictTy(ConstPthread_mutexattr_tPtrTy); 3373 3374 QualType PthreadStartRoutineTy = getPointerTy( 3375 ACtx.getFunctionType(/*ResultTy=*/VoidPtrTy, /*Args=*/VoidPtrTy, 3376 FunctionProtoType::ExtProtoInfo())); 3377 3378 // int pthread_cond_signal(pthread_cond_t *cond); 3379 // int pthread_cond_broadcast(pthread_cond_t *cond); 3380 addToFunctionSummaryMap( 3381 {"pthread_cond_signal", "pthread_cond_broadcast"}, 3382 Signature(ArgTypes{Pthread_cond_tPtrTy}, RetType{IntTy}), 3383 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 3384 3385 // int pthread_create(pthread_t *restrict thread, 3386 // const pthread_attr_t *restrict attr, 3387 // void *(*start_routine)(void*), void *restrict arg); 3388 addToFunctionSummaryMap( 3389 "pthread_create", 3390 Signature(ArgTypes{Pthread_tPtrRestrictTy, 3391 ConstPthread_attr_tPtrRestrictTy, 3392 PthreadStartRoutineTy, VoidPtrRestrictTy}, 3393 RetType{IntTy}), 3394 Summary(NoEvalCall) 3395 .ArgConstraint(NotNull(ArgNo(0))) 3396 .ArgConstraint(NotNull(ArgNo(2)))); 3397 3398 // int pthread_attr_destroy(pthread_attr_t *attr); 3399 // int pthread_attr_init(pthread_attr_t *attr); 3400 addToFunctionSummaryMap( 3401 {"pthread_attr_destroy", "pthread_attr_init"}, 3402 Signature(ArgTypes{Pthread_attr_tPtrTy}, RetType{IntTy}), 3403 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 3404 3405 // int pthread_attr_getstacksize(const pthread_attr_t *restrict attr, 3406 // size_t *restrict stacksize); 3407 // int pthread_attr_getguardsize(const pthread_attr_t *restrict attr, 3408 // size_t *restrict guardsize); 3409 addToFunctionSummaryMap( 3410 {"pthread_attr_getstacksize", "pthread_attr_getguardsize"}, 3411 Signature(ArgTypes{ConstPthread_attr_tPtrRestrictTy, SizePtrRestrictTy}, 3412 RetType{IntTy}), 3413 Summary(NoEvalCall) 3414 .ArgConstraint(NotNull(ArgNo(0))) 3415 .ArgConstraint(NotNull(ArgNo(1)))); 3416 3417 // int pthread_attr_setstacksize(pthread_attr_t *attr, size_t stacksize); 3418 // int pthread_attr_setguardsize(pthread_attr_t *attr, size_t guardsize); 3419 addToFunctionSummaryMap( 3420 {"pthread_attr_setstacksize", "pthread_attr_setguardsize"}, 3421 Signature(ArgTypes{Pthread_attr_tPtrTy, SizeTy}, RetType{IntTy}), 3422 Summary(NoEvalCall) 3423 .ArgConstraint(NotNull(ArgNo(0))) 3424 .ArgConstraint( 3425 ArgumentCondition(1, WithinRange, Range(0, SizeMax)))); 3426 3427 // int pthread_mutex_init(pthread_mutex_t *restrict mutex, const 3428 // pthread_mutexattr_t *restrict attr); 3429 addToFunctionSummaryMap( 3430 "pthread_mutex_init", 3431 Signature(ArgTypes{Pthread_mutex_tPtrRestrictTy, 3432 ConstPthread_mutexattr_tPtrRestrictTy}, 3433 RetType{IntTy}), 3434 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 3435 3436 // int pthread_mutex_destroy(pthread_mutex_t *mutex); 3437 // int pthread_mutex_lock(pthread_mutex_t *mutex); 3438 // int pthread_mutex_trylock(pthread_mutex_t *mutex); 3439 // int pthread_mutex_unlock(pthread_mutex_t *mutex); 3440 addToFunctionSummaryMap( 3441 {"pthread_mutex_destroy", "pthread_mutex_lock", "pthread_mutex_trylock", 3442 "pthread_mutex_unlock"}, 3443 Signature(ArgTypes{Pthread_mutex_tPtrTy}, RetType{IntTy}), 3444 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); 3445 } 3446 3447 // Functions for testing. 3448 if (AddTestFunctions) { 3449 const RangeInt IntMin = BVF.getMinValue(IntTy).getLimitedValue(); 3450 3451 addToFunctionSummaryMap( 3452 "__not_null", Signature(ArgTypes{IntPtrTy}, RetType{IntTy}), 3453 Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0)))); 3454 3455 // Test inside range constraints. 3456 addToFunctionSummaryMap( 3457 "__single_val_0", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3458 Summary(EvalCallAsPure) 3459 .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(0)))); 3460 addToFunctionSummaryMap( 3461 "__single_val_1", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3462 Summary(EvalCallAsPure) 3463 .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))); 3464 addToFunctionSummaryMap( 3465 "__range_1_2", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3466 Summary(EvalCallAsPure) 3467 .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(1, 2)))); 3468 addToFunctionSummaryMap( 3469 "__range_m1_1", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3470 Summary(EvalCallAsPure) 3471 .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(-1, 1)))); 3472 addToFunctionSummaryMap( 3473 "__range_m2_m1", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3474 Summary(EvalCallAsPure) 3475 .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(-2, -1)))); 3476 addToFunctionSummaryMap( 3477 "__range_m10_10", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3478 Summary(EvalCallAsPure) 3479 .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(-10, 10)))); 3480 addToFunctionSummaryMap("__range_m1_inf", 3481 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3482 Summary(EvalCallAsPure) 3483 .ArgConstraint(ArgumentCondition( 3484 0U, WithinRange, Range(-1, IntMax)))); 3485 addToFunctionSummaryMap("__range_0_inf", 3486 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3487 Summary(EvalCallAsPure) 3488 .ArgConstraint(ArgumentCondition( 3489 0U, WithinRange, Range(0, IntMax)))); 3490 addToFunctionSummaryMap("__range_1_inf", 3491 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3492 Summary(EvalCallAsPure) 3493 .ArgConstraint(ArgumentCondition( 3494 0U, WithinRange, Range(1, IntMax)))); 3495 addToFunctionSummaryMap("__range_minf_m1", 3496 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3497 Summary(EvalCallAsPure) 3498 .ArgConstraint(ArgumentCondition( 3499 0U, WithinRange, Range(IntMin, -1)))); 3500 addToFunctionSummaryMap("__range_minf_0", 3501 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3502 Summary(EvalCallAsPure) 3503 .ArgConstraint(ArgumentCondition( 3504 0U, WithinRange, Range(IntMin, 0)))); 3505 addToFunctionSummaryMap("__range_minf_1", 3506 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3507 Summary(EvalCallAsPure) 3508 .ArgConstraint(ArgumentCondition( 3509 0U, WithinRange, Range(IntMin, 1)))); 3510 addToFunctionSummaryMap("__range_1_2__4_6", 3511 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3512 Summary(EvalCallAsPure) 3513 .ArgConstraint(ArgumentCondition( 3514 0U, WithinRange, Range({1, 2}, {4, 6})))); 3515 addToFunctionSummaryMap( 3516 "__range_1_2__4_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3517 Summary(EvalCallAsPure) 3518 .ArgConstraint(ArgumentCondition(0U, WithinRange, 3519 Range({1, 2}, {4, IntMax})))); 3520 3521 // Test out of range constraints. 3522 addToFunctionSummaryMap( 3523 "__single_val_out_0", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3524 Summary(EvalCallAsPure) 3525 .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(0)))); 3526 addToFunctionSummaryMap( 3527 "__single_val_out_1", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3528 Summary(EvalCallAsPure) 3529 .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1)))); 3530 addToFunctionSummaryMap( 3531 "__range_out_1_2", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3532 Summary(EvalCallAsPure) 3533 .ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(1, 2)))); 3534 addToFunctionSummaryMap( 3535 "__range_out_m1_1", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3536 Summary(EvalCallAsPure) 3537 .ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(-1, 1)))); 3538 addToFunctionSummaryMap( 3539 "__range_out_m2_m1", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3540 Summary(EvalCallAsPure) 3541 .ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(-2, -1)))); 3542 addToFunctionSummaryMap( 3543 "__range_out_m10_10", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3544 Summary(EvalCallAsPure) 3545 .ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(-10, 10)))); 3546 addToFunctionSummaryMap("__range_out_m1_inf", 3547 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3548 Summary(EvalCallAsPure) 3549 .ArgConstraint(ArgumentCondition( 3550 0U, OutOfRange, Range(-1, IntMax)))); 3551 addToFunctionSummaryMap("__range_out_0_inf", 3552 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3553 Summary(EvalCallAsPure) 3554 .ArgConstraint(ArgumentCondition( 3555 0U, OutOfRange, Range(0, IntMax)))); 3556 addToFunctionSummaryMap("__range_out_1_inf", 3557 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3558 Summary(EvalCallAsPure) 3559 .ArgConstraint(ArgumentCondition( 3560 0U, OutOfRange, Range(1, IntMax)))); 3561 addToFunctionSummaryMap("__range_out_minf_m1", 3562 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3563 Summary(EvalCallAsPure) 3564 .ArgConstraint(ArgumentCondition( 3565 0U, OutOfRange, Range(IntMin, -1)))); 3566 addToFunctionSummaryMap("__range_out_minf_0", 3567 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3568 Summary(EvalCallAsPure) 3569 .ArgConstraint(ArgumentCondition( 3570 0U, OutOfRange, Range(IntMin, 0)))); 3571 addToFunctionSummaryMap("__range_out_minf_1", 3572 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3573 Summary(EvalCallAsPure) 3574 .ArgConstraint(ArgumentCondition( 3575 0U, OutOfRange, Range(IntMin, 1)))); 3576 addToFunctionSummaryMap("__range_out_1_2__4_6", 3577 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3578 Summary(EvalCallAsPure) 3579 .ArgConstraint(ArgumentCondition( 3580 0U, OutOfRange, Range({1, 2}, {4, 6})))); 3581 addToFunctionSummaryMap( 3582 "__range_out_1_2__4_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3583 Summary(EvalCallAsPure) 3584 .ArgConstraint( 3585 ArgumentCondition(0U, OutOfRange, Range({1, 2}, {4, IntMax})))); 3586 3587 // Test range kind. 3588 addToFunctionSummaryMap( 3589 "__within", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3590 Summary(EvalCallAsPure) 3591 .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))); 3592 addToFunctionSummaryMap( 3593 "__out_of", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3594 Summary(EvalCallAsPure) 3595 .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1)))); 3596 3597 addToFunctionSummaryMap( 3598 "__two_constrained_args", 3599 Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}), 3600 Summary(EvalCallAsPure) 3601 .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1))) 3602 .ArgConstraint(ArgumentCondition(1U, WithinRange, SingleValue(1)))); 3603 addToFunctionSummaryMap( 3604 "__arg_constrained_twice", Signature(ArgTypes{IntTy}, RetType{IntTy}), 3605 Summary(EvalCallAsPure) 3606 .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1))) 3607 .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(2)))); 3608 addToFunctionSummaryMap( 3609 "__defaultparam", 3610 Signature(ArgTypes{Irrelevant, IntTy}, RetType{IntTy}), 3611 Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0)))); 3612 addToFunctionSummaryMap( 3613 "__variadic", 3614 Signature(ArgTypes{VoidPtrTy, ConstCharPtrTy}, RetType{IntTy}), 3615 Summary(EvalCallAsPure) 3616 .ArgConstraint(NotNull(ArgNo(0))) 3617 .ArgConstraint(NotNull(ArgNo(1)))); 3618 addToFunctionSummaryMap( 3619 "__buf_size_arg_constraint", 3620 Signature(ArgTypes{ConstVoidPtrTy, SizeTy}, RetType{IntTy}), 3621 Summary(EvalCallAsPure) 3622 .ArgConstraint( 3623 BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1)))); 3624 addToFunctionSummaryMap( 3625 "__buf_size_arg_constraint_mul", 3626 Signature(ArgTypes{ConstVoidPtrTy, SizeTy, SizeTy}, RetType{IntTy}), 3627 Summary(EvalCallAsPure) 3628 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1), 3629 /*BufSizeMultiplier=*/ArgNo(2)))); 3630 addToFunctionSummaryMap( 3631 "__buf_size_arg_constraint_concrete", 3632 Signature(ArgTypes{ConstVoidPtrTy}, RetType{IntTy}), 3633 Summary(EvalCallAsPure) 3634 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), 3635 /*BufSize=*/BVF.getValue(10, IntTy)))); 3636 addToFunctionSummaryMap( 3637 {"__test_restrict_param_0", "__test_restrict_param_1", 3638 "__test_restrict_param_2"}, 3639 Signature(ArgTypes{VoidPtrRestrictTy}, RetType{VoidTy}), 3640 Summary(EvalCallAsPure)); 3641 3642 // Test the application of cases. 3643 addToFunctionSummaryMap( 3644 "__test_case_note", Signature(ArgTypes{}, RetType{IntTy}), 3645 Summary(EvalCallAsPure) 3646 .Case({ReturnValueCondition(WithinRange, SingleValue(0))}, 3647 ErrnoIrrelevant, "Function returns 0") 3648 .Case({ReturnValueCondition(WithinRange, SingleValue(1))}, 3649 ErrnoIrrelevant, "Function returns 1")); 3650 addToFunctionSummaryMap( 3651 "__test_case_range_1_2__4_6", 3652 Signature(ArgTypes{IntTy}, RetType{IntTy}), 3653 Summary(EvalCallAsPure) 3654 .Case({ArgumentCondition(0U, WithinRange, 3655 IntRangeVector{{IntMin, 0}, {3, 3}}), 3656 ReturnValueCondition(WithinRange, SingleValue(1))}, 3657 ErrnoIrrelevant) 3658 .Case({ArgumentCondition(0U, WithinRange, 3659 IntRangeVector{{3, 3}, {7, IntMax}}), 3660 ReturnValueCondition(WithinRange, SingleValue(2))}, 3661 ErrnoIrrelevant) 3662 .Case({ArgumentCondition(0U, WithinRange, 3663 IntRangeVector{{IntMin, 0}, {7, IntMax}}), 3664 ReturnValueCondition(WithinRange, SingleValue(3))}, 3665 ErrnoIrrelevant) 3666 .Case({ArgumentCondition( 3667 0U, WithinRange, 3668 IntRangeVector{{IntMin, 0}, {3, 3}, {7, IntMax}}), 3669 ReturnValueCondition(WithinRange, SingleValue(4))}, 3670 ErrnoIrrelevant)); 3671 } 3672 } 3673 3674 void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) { 3675 auto *Checker = mgr.registerChecker<StdLibraryFunctionsChecker>(); 3676 Checker->CheckName = mgr.getCurrentCheckerName(); 3677 const AnalyzerOptions &Opts = mgr.getAnalyzerOptions(); 3678 Checker->DisplayLoadedSummaries = 3679 Opts.getCheckerBooleanOption(Checker, "DisplayLoadedSummaries"); 3680 Checker->ModelPOSIX = Opts.getCheckerBooleanOption(Checker, "ModelPOSIX"); 3681 Checker->ShouldAssumeControlledEnvironment = 3682 Opts.ShouldAssumeControlledEnvironment; 3683 } 3684 3685 bool ento::shouldRegisterStdCLibraryFunctionsChecker( 3686 const CheckerManager &mgr) { 3687 return true; 3688 } 3689 3690 void ento::registerStdCLibraryFunctionsTesterChecker(CheckerManager &mgr) { 3691 auto *Checker = mgr.getChecker<StdLibraryFunctionsChecker>(); 3692 Checker->AddTestFunctions = true; 3693 } 3694 3695 bool ento::shouldRegisterStdCLibraryFunctionsTesterChecker( 3696 const CheckerManager &mgr) { 3697 return true; 3698 } 3699