StaticAnalyzer/Checkers/StdLibraryFunctionsChecker.cpp

e5dd7070Spatrick//=== StdLibraryFunctionsChecker.cpp - Model standard functions -*- C++ -*-===//
e5dd7070Spatrick//
e5dd7070Spatrick// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
e5dd7070Spatrick// See https://llvm.org/LICENSE.txt for license information.
e5dd7070Spatrick// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
e5dd7070Spatrick//
e5dd7070Spatrick//===----------------------------------------------------------------------===//
e5dd7070Spatrick//
e5dd7070Spatrick// This checker improves modeling of a few simple library functions.
e5dd7070Spatrick//
ec727ea7Spatrick// This checker provides a specification format - `Summary' - and
e5dd7070Spatrick// contains descriptions of some library functions in this format. Each
e5dd7070Spatrick// specification contains a list of branches for splitting the program state
e5dd7070Spatrick// upon call, and range constraints on argument and return-value symbols that
e5dd7070Spatrick// are satisfied on each branch. This spec can be expanded to include more
e5dd7070Spatrick// items, like external effects of the function.
e5dd7070Spatrick//
e5dd7070Spatrick// The main difference between this approach and the body farms technique is
e5dd7070Spatrick// in more explicit control over how many branches are produced. For example,
e5dd7070Spatrick// consider standard C function `ispunct(int x)', which returns a non-zero value
e5dd7070Spatrick// iff `x' is a punctuation character, that is, when `x' is in range
e5dd7070Spatrick//   ['!', '/']   [':', '@']  U  ['[', '\`']  U  ['{', '~'].
ec727ea7Spatrick// `Summary' provides only two branches for this function. However,
e5dd7070Spatrick// any attempt to describe this range with if-statements in the body farm
e5dd7070Spatrick// would result in many more branches. Because each branch needs to be analyzed
e5dd7070Spatrick// independently, this significantly reduces performance. Additionally,
e5dd7070Spatrick// once we consider a branch on which `x' is in range, say, ['!', '/'],
e5dd7070Spatrick// we assume that such branch is an important separate path through the program,
e5dd7070Spatrick// which may lead to false positives because considering this particular path
e5dd7070Spatrick// was not consciously intended, and therefore it might have been unreachable.
e5dd7070Spatrick//
ec727ea7Spatrick// This checker uses eval::Call for modeling pure functions (functions without
ec727ea7Spatrick// side effets), for which their `Summary' is a precise model. This avoids
ec727ea7Spatrick// unnecessary invalidation passes. Conflicts with other checkers are unlikely
ec727ea7Spatrick// because if the function has no other effects, other checkers would probably
ec727ea7Spatrick// never want to improve upon the modeling done by this checker.
e5dd7070Spatrick//
ec727ea7Spatrick// Non-pure functions, for which only partial improvement over the default
e5dd7070Spatrick// behavior is expected, are modeled via check::PostCall, non-intrusively.
e5dd7070Spatrick//
e5dd7070Spatrick// The following standard C functions are currently supported:
e5dd7070Spatrick//
*a9ac8606Spatrick//   fgetc      getline   isdigit   isupper     toascii
e5dd7070Spatrick//   fread      isalnum   isgraph   isxdigit
e5dd7070Spatrick//   fwrite     isalpha   islower   read
e5dd7070Spatrick//   getc       isascii   isprint   write
*a9ac8606Spatrick//   getchar    isblank   ispunct   toupper
*a9ac8606Spatrick//   getdelim   iscntrl   isspace   tolower
e5dd7070Spatrick//
e5dd7070Spatrick//===----------------------------------------------------------------------===//
e5dd7070Spatrick
e5dd7070Spatrick#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
ec727ea7Spatrick#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
e5dd7070Spatrick#include "clang/StaticAnalyzer/Core/Checker.h"
e5dd7070Spatrick#include "clang/StaticAnalyzer/Core/CheckerManager.h"
e5dd7070Spatrick#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
e5dd7070Spatrick#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
ec727ea7Spatrick#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
*a9ac8606Spatrick#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
*a9ac8606Spatrick#include "llvm/ADT/SmallString.h"
*a9ac8606Spatrick#include "llvm/ADT/StringExtras.h"
*a9ac8606Spatrick
*a9ac8606Spatrick#include <string>
e5dd7070Spatrick
e5dd7070Spatrickusing namespace clang;
e5dd7070Spatrickusing namespace clang::ento;
e5dd7070Spatrick
e5dd7070Spatricknamespace {
ec727ea7Spatrickclass StdLibraryFunctionsChecker
ec727ea7Spatrick    : public Checker<check::PreCall, check::PostCall, eval::Call> {
ec727ea7Spatrick
ec727ea7Spatrick  class Summary;
e5dd7070Spatrick
e5dd7070Spatrick  /// Specify how much the analyzer engine should entrust modeling this function
e5dd7070Spatrick  /// to us. If he doesn't, he performs additional invalidations.
ec727ea7Spatrick  enum InvalidationKind { NoEvalCall, EvalCallAsPure };
e5dd7070Spatrick
e5dd7070Spatrick  // The universal integral type to use in value range descriptions.
e5dd7070Spatrick  // Unsigned to make sure overflows are well-defined.
ec727ea7Spatrick  typedef uint64_t RangeInt;
e5dd7070Spatrick
e5dd7070Spatrick  /// Normally, describes a single range constraint, eg. {{0, 1}, {3, 4}} is
e5dd7070Spatrick  /// a non-negative integer, which less than 5 and not equal to 2. For
e5dd7070Spatrick  /// `ComparesToArgument', holds information about how exactly to compare to
e5dd7070Spatrick  /// the argument.
ec727ea7Spatrick  typedef std::vector<std::pair<RangeInt, RangeInt>> IntRangeVector;
e5dd7070Spatrick
e5dd7070Spatrick  /// A reference to an argument or return value by its number.
e5dd7070Spatrick  /// ArgNo in CallExpr and CallEvent is defined as Unsigned, but
e5dd7070Spatrick  /// obviously uint32_t should be enough for all practical purposes.
ec727ea7Spatrick  typedef uint32_t ArgNo;
ec727ea7Spatrick  static const ArgNo Ret;
e5dd7070Spatrick
*a9ac8606Spatrick  /// Returns the string representation of an argument index.
*a9ac8606Spatrick  /// E.g.: (1) -> '1st arg', (2) - > '2nd arg'
*a9ac8606Spatrick  static SmallString<8> getArgDesc(ArgNo);
*a9ac8606Spatrick
ec727ea7Spatrick  class ValueConstraint;
ec727ea7Spatrick
ec727ea7Spatrick  // Pointer to the ValueConstraint. We need a copyable, polymorphic and
ec727ea7Spatrick  // default initialize able type (vector needs that). A raw pointer was good,
ec727ea7Spatrick  // however, we cannot default initialize that. unique_ptr makes the Summary
ec727ea7Spatrick  // class non-copyable, therefore not an option. Releasing the copyability
ec727ea7Spatrick  // requirement would render the initialization of the Summary map infeasible.
ec727ea7Spatrick  using ValueConstraintPtr = std::shared_ptr<ValueConstraint>;
ec727ea7Spatrick
ec727ea7Spatrick  /// Polymorphic base class that represents a constraint on a given argument
ec727ea7Spatrick  /// (or return value) of a function. Derived classes implement different kind
ec727ea7Spatrick  /// of constraints, e.g range constraints or correlation between two
ec727ea7Spatrick  /// arguments.
ec727ea7Spatrick  class ValueConstraint {
ec727ea7Spatrick  public:
ec727ea7Spatrick    ValueConstraint(ArgNo ArgN) : ArgN(ArgN) {}
ec727ea7Spatrick    virtual ~ValueConstraint() {}
ec727ea7Spatrick    /// Apply the effects of the constraint on the given program state. If null
ec727ea7Spatrick    /// is returned then the constraint is not feasible.
ec727ea7Spatrick    virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
ec727ea7Spatrick                                  const Summary &Summary,
ec727ea7Spatrick                                  CheckerContext &C) const = 0;
ec727ea7Spatrick    virtual ValueConstraintPtr negate() const {
ec727ea7Spatrick      llvm_unreachable("Not implemented");
ec727ea7Spatrick    };
ec727ea7Spatrick
ec727ea7Spatrick    // Check whether the constraint is malformed or not. It is malformed if the
ec727ea7Spatrick    // specified argument has a mismatch with the given FunctionDecl (e.g. the
ec727ea7Spatrick    // arg number is out-of-range of the function's argument list).
ec727ea7Spatrick    bool checkValidity(const FunctionDecl *FD) const {
ec727ea7Spatrick      const bool ValidArg = ArgN == Ret || ArgN < FD->getNumParams();
ec727ea7Spatrick      assert(ValidArg && "Arg out of range!");
ec727ea7Spatrick      if (!ValidArg)
ec727ea7Spatrick        return false;
ec727ea7Spatrick      // Subclasses may further refine the validation.
ec727ea7Spatrick      return checkSpecificValidity(FD);
ec727ea7Spatrick    }
ec727ea7Spatrick    ArgNo getArgNo() const { return ArgN; }
ec727ea7Spatrick
*a9ac8606Spatrick    // Return those arguments that should be tracked when we report a bug. By
*a9ac8606Spatrick    // default it is the argument that is constrained, however, in some special
*a9ac8606Spatrick    // cases we need to track other arguments as well. E.g. a buffer size might
*a9ac8606Spatrick    // be encoded in another argument.
*a9ac8606Spatrick    virtual std::vector<ArgNo> getArgsToTrack() const { return {ArgN}; }
*a9ac8606Spatrick
*a9ac8606Spatrick    virtual StringRef getName() const = 0;
*a9ac8606Spatrick
*a9ac8606Spatrick    // Give a description that explains the constraint to the user. Used when
*a9ac8606Spatrick    // the bug is reported.
*a9ac8606Spatrick    virtual std::string describe(ProgramStateRef State,
*a9ac8606Spatrick                                 const Summary &Summary) const {
*a9ac8606Spatrick      // There are some descendant classes that are not used as argument
*a9ac8606Spatrick      // constraints, e.g. ComparisonConstraint. In that case we can safely
*a9ac8606Spatrick      // ignore the implementation of this function.
*a9ac8606Spatrick      llvm_unreachable("Not implemented");
*a9ac8606Spatrick    }
*a9ac8606Spatrick
ec727ea7Spatrick  protected:
ec727ea7Spatrick    ArgNo ArgN; // Argument to which we apply the constraint.
ec727ea7Spatrick
ec727ea7Spatrick    /// Do polymorphic sanity check on the constraint.
ec727ea7Spatrick    virtual bool checkSpecificValidity(const FunctionDecl *FD) const {
ec727ea7Spatrick      return true;
ec727ea7Spatrick    }
ec727ea7Spatrick  };
ec727ea7Spatrick
ec727ea7Spatrick  /// Given a range, should the argument stay inside or outside this range?
ec727ea7Spatrick  enum RangeKind { OutOfRange, WithinRange };
ec727ea7Spatrick
*a9ac8606Spatrick  /// Encapsulates a range on a single symbol.
ec727ea7Spatrick  class RangeConstraint : public ValueConstraint {
*a9ac8606Spatrick    RangeKind Kind;
*a9ac8606Spatrick    // A range is formed as a set of intervals (sub-ranges).
*a9ac8606Spatrick    // E.g. {['A', 'Z'], ['a', 'z']}
*a9ac8606Spatrick    //
*a9ac8606Spatrick    // The default constructed RangeConstraint has an empty range set, applying
*a9ac8606Spatrick    // such constraint does not involve any assumptions, thus the State remains
*a9ac8606Spatrick    // unchanged. This is meaningful, if the range is dependent on a looked up
*a9ac8606Spatrick    // type (e.g. [0, Socklen_tMax]). If the type is not found, then the range
*a9ac8606Spatrick    // is default initialized to be empty.
*a9ac8606Spatrick    IntRangeVector Ranges;
e5dd7070Spatrick
e5dd7070Spatrick  public:
*a9ac8606Spatrick    StringRef getName() const override { return "Range"; }
*a9ac8606Spatrick    RangeConstraint(ArgNo ArgN, RangeKind Kind, const IntRangeVector &Ranges)
*a9ac8606Spatrick        : ValueConstraint(ArgN), Kind(Kind), Ranges(Ranges) {}
e5dd7070Spatrick
*a9ac8606Spatrick    std::string describe(ProgramStateRef State,
*a9ac8606Spatrick                         const Summary &Summary) const override;
*a9ac8606Spatrick
*a9ac8606Spatrick    const IntRangeVector &getRanges() const { return Ranges; }
e5dd7070Spatrick
e5dd7070Spatrick  private:
ec727ea7Spatrick    ProgramStateRef applyAsOutOfRange(ProgramStateRef State,
ec727ea7Spatrick                                      const CallEvent &Call,
ec727ea7Spatrick                                      const Summary &Summary) const;
ec727ea7Spatrick    ProgramStateRef applyAsWithinRange(ProgramStateRef State,
ec727ea7Spatrick                                       const CallEvent &Call,
ec727ea7Spatrick                                       const Summary &Summary) const;
*a9ac8606Spatrick
e5dd7070Spatrick  public:
e5dd7070Spatrick    ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
ec727ea7Spatrick                          const Summary &Summary,
ec727ea7Spatrick                          CheckerContext &C) const override {
e5dd7070Spatrick      switch (Kind) {
e5dd7070Spatrick      case OutOfRange:
e5dd7070Spatrick        return applyAsOutOfRange(State, Call, Summary);
e5dd7070Spatrick      case WithinRange:
e5dd7070Spatrick        return applyAsWithinRange(State, Call, Summary);
e5dd7070Spatrick      }
ec727ea7Spatrick      llvm_unreachable("Unknown range kind!");
ec727ea7Spatrick    }
ec727ea7Spatrick
ec727ea7Spatrick    ValueConstraintPtr negate() const override {
ec727ea7Spatrick      RangeConstraint Tmp(*this);
ec727ea7Spatrick      switch (Kind) {
ec727ea7Spatrick      case OutOfRange:
ec727ea7Spatrick        Tmp.Kind = WithinRange;
ec727ea7Spatrick        break;
ec727ea7Spatrick      case WithinRange:
ec727ea7Spatrick        Tmp.Kind = OutOfRange;
ec727ea7Spatrick        break;
ec727ea7Spatrick      }
ec727ea7Spatrick      return std::make_shared<RangeConstraint>(Tmp);
ec727ea7Spatrick    }
ec727ea7Spatrick
ec727ea7Spatrick    bool checkSpecificValidity(const FunctionDecl *FD) const override {
ec727ea7Spatrick      const bool ValidArg =
ec727ea7Spatrick          getArgType(FD, ArgN)->isIntegralType(FD->getASTContext());
ec727ea7Spatrick      assert(ValidArg &&
ec727ea7Spatrick             "This constraint should be applied on an integral type");
ec727ea7Spatrick      return ValidArg;
e5dd7070Spatrick    }
e5dd7070Spatrick  };
e5dd7070Spatrick
ec727ea7Spatrick  class ComparisonConstraint : public ValueConstraint {
ec727ea7Spatrick    BinaryOperator::Opcode Opcode;
ec727ea7Spatrick    ArgNo OtherArgN;
e5dd7070Spatrick
e5dd7070Spatrick  public:
*a9ac8606Spatrick    virtual StringRef getName() const override { return "Comparison"; };
ec727ea7Spatrick    ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode,
ec727ea7Spatrick                         ArgNo OtherArgN)
ec727ea7Spatrick        : ValueConstraint(ArgN), Opcode(Opcode), OtherArgN(OtherArgN) {}
ec727ea7Spatrick    ArgNo getOtherArgNo() const { return OtherArgN; }
ec727ea7Spatrick    BinaryOperator::Opcode getOpcode() const { return Opcode; }
ec727ea7Spatrick    ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
ec727ea7Spatrick                          const Summary &Summary,
ec727ea7Spatrick                          CheckerContext &C) const override;
ec727ea7Spatrick  };
ec727ea7Spatrick
ec727ea7Spatrick  class NotNullConstraint : public ValueConstraint {
ec727ea7Spatrick    using ValueConstraint::ValueConstraint;
ec727ea7Spatrick    // This variable has a role when we negate the constraint.
ec727ea7Spatrick    bool CannotBeNull = true;
ec727ea7Spatrick
ec727ea7Spatrick  public:
*a9ac8606Spatrick    std::string describe(ProgramStateRef State,
*a9ac8606Spatrick                         const Summary &Summary) const override;
*a9ac8606Spatrick    StringRef getName() const override { return "NonNull"; }
ec727ea7Spatrick    ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
ec727ea7Spatrick                          const Summary &Summary,
ec727ea7Spatrick                          CheckerContext &C) const override {
ec727ea7Spatrick      SVal V = getArgSVal(Call, getArgNo());
ec727ea7Spatrick      if (V.isUndef())
ec727ea7Spatrick        return State;
ec727ea7Spatrick
ec727ea7Spatrick      DefinedOrUnknownSVal L = V.castAs<DefinedOrUnknownSVal>();
ec727ea7Spatrick      if (!L.getAs<Loc>())
ec727ea7Spatrick        return State;
ec727ea7Spatrick
ec727ea7Spatrick      return State->assume(L, CannotBeNull);
ec727ea7Spatrick    }
ec727ea7Spatrick
ec727ea7Spatrick    ValueConstraintPtr negate() const override {
ec727ea7Spatrick      NotNullConstraint Tmp(*this);
ec727ea7Spatrick      Tmp.CannotBeNull = !this->CannotBeNull;
ec727ea7Spatrick      return std::make_shared<NotNullConstraint>(Tmp);
ec727ea7Spatrick    }
ec727ea7Spatrick
ec727ea7Spatrick    bool checkSpecificValidity(const FunctionDecl *FD) const override {
ec727ea7Spatrick      const bool ValidArg = getArgType(FD, ArgN)->isPointerType();
ec727ea7Spatrick      assert(ValidArg &&
ec727ea7Spatrick             "This constraint should be applied only on a pointer type");
ec727ea7Spatrick      return ValidArg;
ec727ea7Spatrick    }
ec727ea7Spatrick  };
ec727ea7Spatrick
*a9ac8606Spatrick  // Represents a buffer argument with an additional size constraint. The
*a9ac8606Spatrick  // constraint may be a concrete value, or a symbolic value in an argument.
*a9ac8606Spatrick  // Example 1. Concrete value as the minimum buffer size.
*a9ac8606Spatrick  //   char *asctime_r(const struct tm *restrict tm, char *restrict buf);
*a9ac8606Spatrick  //   // `buf` size must be at least 26 bytes according the POSIX standard.
*a9ac8606Spatrick  // Example 2. Argument as a buffer size.
ec727ea7Spatrick  //   ctime_s(char *buffer, rsize_t bufsz, const time_t *time);
*a9ac8606Spatrick  // Example 3. The size is computed as a multiplication of other args.
ec727ea7Spatrick  //   size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
ec727ea7Spatrick  //   // Here, ptr is the buffer, and its minimum size is `size * nmemb`.
ec727ea7Spatrick  class BufferSizeConstraint : public ValueConstraint {
*a9ac8606Spatrick    // The concrete value which is the minimum size for the buffer.
*a9ac8606Spatrick    llvm::Optional<llvm::APSInt> ConcreteSize;
ec727ea7Spatrick    // The argument which holds the size of the buffer.
*a9ac8606Spatrick    llvm::Optional<ArgNo> SizeArgN;
ec727ea7Spatrick    // The argument which is a multiplier to size. This is set in case of
ec727ea7Spatrick    // `fread` like functions where the size is computed as a multiplication of
ec727ea7Spatrick    // two arguments.
ec727ea7Spatrick    llvm::Optional<ArgNo> SizeMultiplierArgN;
ec727ea7Spatrick    // The operator we use in apply. This is negated in negate().
ec727ea7Spatrick    BinaryOperator::Opcode Op = BO_LE;
ec727ea7Spatrick
ec727ea7Spatrick  public:
*a9ac8606Spatrick    StringRef getName() const override { return "BufferSize"; }
*a9ac8606Spatrick    BufferSizeConstraint(ArgNo Buffer, llvm::APSInt BufMinSize)
*a9ac8606Spatrick        : ValueConstraint(Buffer), ConcreteSize(BufMinSize) {}
ec727ea7Spatrick    BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize)
ec727ea7Spatrick        : ValueConstraint(Buffer), SizeArgN(BufSize) {}
ec727ea7Spatrick    BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize, ArgNo BufSizeMultiplier)
ec727ea7Spatrick        : ValueConstraint(Buffer), SizeArgN(BufSize),
ec727ea7Spatrick          SizeMultiplierArgN(BufSizeMultiplier) {}
ec727ea7Spatrick
*a9ac8606Spatrick    std::vector<ArgNo> getArgsToTrack() const override {
*a9ac8606Spatrick      std::vector<ArgNo> Result{ArgN};
*a9ac8606Spatrick      if (SizeArgN)
*a9ac8606Spatrick        Result.push_back(*SizeArgN);
*a9ac8606Spatrick      if (SizeMultiplierArgN)
*a9ac8606Spatrick        Result.push_back(*SizeMultiplierArgN);
*a9ac8606Spatrick      return Result;
*a9ac8606Spatrick    }
*a9ac8606Spatrick
*a9ac8606Spatrick    std::string describe(ProgramStateRef State,
*a9ac8606Spatrick                         const Summary &Summary) const override;
*a9ac8606Spatrick
ec727ea7Spatrick    ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
ec727ea7Spatrick                          const Summary &Summary,
ec727ea7Spatrick                          CheckerContext &C) const override {
ec727ea7Spatrick      SValBuilder &SvalBuilder = C.getSValBuilder();
ec727ea7Spatrick      // The buffer argument.
ec727ea7Spatrick      SVal BufV = getArgSVal(Call, getArgNo());
*a9ac8606Spatrick
*a9ac8606Spatrick      // Get the size constraint.
*a9ac8606Spatrick      const SVal SizeV = [this, &State, &Call, &Summary, &SvalBuilder]() {
*a9ac8606Spatrick        if (ConcreteSize) {
*a9ac8606Spatrick          return SVal(SvalBuilder.makeIntVal(*ConcreteSize));
*a9ac8606Spatrick        }
*a9ac8606Spatrick        assert(SizeArgN && "The constraint must be either a concrete value or "
*a9ac8606Spatrick                           "encoded in an argument.");
ec727ea7Spatrick        // The size argument.
*a9ac8606Spatrick        SVal SizeV = getArgSVal(Call, *SizeArgN);
ec727ea7Spatrick        // Multiply with another argument if given.
ec727ea7Spatrick        if (SizeMultiplierArgN) {
ec727ea7Spatrick          SVal SizeMulV = getArgSVal(Call, *SizeMultiplierArgN);
ec727ea7Spatrick          SizeV = SvalBuilder.evalBinOp(State, BO_Mul, SizeV, SizeMulV,
*a9ac8606Spatrick                                        Summary.getArgType(*SizeArgN));
ec727ea7Spatrick        }
*a9ac8606Spatrick        return SizeV;
*a9ac8606Spatrick      }();
*a9ac8606Spatrick
ec727ea7Spatrick      // The dynamic size of the buffer argument, got from the analyzer engine.
*a9ac8606Spatrick      SVal BufDynSize = getDynamicExtentWithOffset(State, BufV);
ec727ea7Spatrick
ec727ea7Spatrick      SVal Feasible = SvalBuilder.evalBinOp(State, Op, SizeV, BufDynSize,
ec727ea7Spatrick                                            SvalBuilder.getContext().BoolTy);
ec727ea7Spatrick      if (auto F = Feasible.getAs<DefinedOrUnknownSVal>())
ec727ea7Spatrick        return State->assume(*F, true);
ec727ea7Spatrick
ec727ea7Spatrick      // We can get here only if the size argument or the dynamic size is
ec727ea7Spatrick      // undefined. But the dynamic size should never be undefined, only
ec727ea7Spatrick      // unknown. So, here, the size of the argument is undefined, i.e. we
ec727ea7Spatrick      // cannot apply the constraint. Actually, other checkers like
ec727ea7Spatrick      // CallAndMessage should catch this situation earlier, because we call a
ec727ea7Spatrick      // function with an uninitialized argument.
ec727ea7Spatrick      llvm_unreachable("Size argument or the dynamic size is Undefined");
ec727ea7Spatrick    }
ec727ea7Spatrick
ec727ea7Spatrick    ValueConstraintPtr negate() const override {
ec727ea7Spatrick      BufferSizeConstraint Tmp(*this);
ec727ea7Spatrick      Tmp.Op = BinaryOperator::negateComparisonOp(Op);
ec727ea7Spatrick      return std::make_shared<BufferSizeConstraint>(Tmp);
ec727ea7Spatrick    }
*a9ac8606Spatrick
*a9ac8606Spatrick    bool checkSpecificValidity(const FunctionDecl *FD) const override {
*a9ac8606Spatrick      const bool ValidArg = getArgType(FD, ArgN)->isPointerType();
*a9ac8606Spatrick      assert(ValidArg &&
*a9ac8606Spatrick             "This constraint should be applied only on a pointer type");
*a9ac8606Spatrick      return ValidArg;
*a9ac8606Spatrick    }
ec727ea7Spatrick  };
ec727ea7Spatrick
ec727ea7Spatrick  /// The complete list of constraints that defines a single branch.
ec727ea7Spatrick  typedef std::vector<ValueConstraintPtr> ConstraintSet;
ec727ea7Spatrick
*a9ac8606Spatrick  using ArgTypes = std::vector<Optional<QualType>>;
*a9ac8606Spatrick  using RetType = Optional<QualType>;
ec727ea7Spatrick
ec727ea7Spatrick  // A placeholder type, we use it whenever we do not care about the concrete
ec727ea7Spatrick  // type in a Signature.
ec727ea7Spatrick  const QualType Irrelevant{};
ec727ea7Spatrick  bool static isIrrelevant(QualType T) { return T.isNull(); }
ec727ea7Spatrick
ec727ea7Spatrick  // The signature of a function we want to describe with a summary. This is a
ec727ea7Spatrick  // concessive signature, meaning there may be irrelevant types in the
ec727ea7Spatrick  // signature which we do not check against a function with concrete types.
*a9ac8606Spatrick  // All types in the spec need to be canonical.
*a9ac8606Spatrick  class Signature {
*a9ac8606Spatrick    using ArgQualTypes = std::vector<QualType>;
*a9ac8606Spatrick    ArgQualTypes ArgTys;
*a9ac8606Spatrick    QualType RetTy;
*a9ac8606Spatrick    // True if any component type is not found by lookup.
*a9ac8606Spatrick    bool Invalid = false;
*a9ac8606Spatrick
*a9ac8606Spatrick  public:
*a9ac8606Spatrick    // Construct a signature from optional types. If any of the optional types
*a9ac8606Spatrick    // are not set then the signature will be invalid.
*a9ac8606Spatrick    Signature(ArgTypes ArgTys, RetType RetTy) {
*a9ac8606Spatrick      for (Optional<QualType> Arg : ArgTys) {
*a9ac8606Spatrick        if (!Arg) {
*a9ac8606Spatrick          Invalid = true;
*a9ac8606Spatrick          return;
*a9ac8606Spatrick        } else {
*a9ac8606Spatrick          assertArgTypeSuitableForSignature(*Arg);
*a9ac8606Spatrick          this->ArgTys.push_back(*Arg);
ec727ea7Spatrick        }
ec727ea7Spatrick      }
*a9ac8606Spatrick      if (!RetTy) {
*a9ac8606Spatrick        Invalid = true;
*a9ac8606Spatrick        return;
*a9ac8606Spatrick      } else {
*a9ac8606Spatrick        assertRetTypeSuitableForSignature(*RetTy);
*a9ac8606Spatrick        this->RetTy = *RetTy;
*a9ac8606Spatrick      }
*a9ac8606Spatrick    }
*a9ac8606Spatrick
*a9ac8606Spatrick    bool isInvalid() const { return Invalid; }
ec727ea7Spatrick    bool matches(const FunctionDecl *FD) const;
ec727ea7Spatrick
ec727ea7Spatrick  private:
ec727ea7Spatrick    static void assertArgTypeSuitableForSignature(QualType T) {
ec727ea7Spatrick      assert((T.isNull() || !T->isVoidType()) &&
ec727ea7Spatrick             "We should have no void types in the spec");
ec727ea7Spatrick      assert((T.isNull() || T.isCanonical()) &&
ec727ea7Spatrick             "We should only have canonical types in the spec");
ec727ea7Spatrick    }
ec727ea7Spatrick    static void assertRetTypeSuitableForSignature(QualType T) {
ec727ea7Spatrick      assert((T.isNull() || T.isCanonical()) &&
ec727ea7Spatrick             "We should only have canonical types in the spec");
ec727ea7Spatrick    }
ec727ea7Spatrick  };
ec727ea7Spatrick
ec727ea7Spatrick  static QualType getArgType(const FunctionDecl *FD, ArgNo ArgN) {
ec727ea7Spatrick    assert(FD && "Function must be set");
ec727ea7Spatrick    QualType T = (ArgN == Ret)
ec727ea7Spatrick                     ? FD->getReturnType().getCanonicalType()
ec727ea7Spatrick                     : FD->getParamDecl(ArgN)->getType().getCanonicalType();
e5dd7070Spatrick    return T;
e5dd7070Spatrick  }
e5dd7070Spatrick
ec727ea7Spatrick  using Cases = std::vector<ConstraintSet>;
e5dd7070Spatrick
ec727ea7Spatrick  /// A summary includes information about
ec727ea7Spatrick  ///   * function prototype (signature)
ec727ea7Spatrick  ///   * approach to invalidation,
ec727ea7Spatrick  ///   * a list of branches - a list of list of ranges -
ec727ea7Spatrick  ///     A branch represents a path in the exploded graph of a function (which
ec727ea7Spatrick  ///     is a tree). So, a branch is a series of assumptions. In other words,
ec727ea7Spatrick  ///     branches represent split states and additional assumptions on top of
ec727ea7Spatrick  ///     the splitting assumption.
ec727ea7Spatrick  ///     For example, consider the branches in `isalpha(x)`
ec727ea7Spatrick  ///       Branch 1)
ec727ea7Spatrick  ///         x is in range ['A', 'Z'] or in ['a', 'z']
ec727ea7Spatrick  ///         then the return value is not 0. (I.e. out-of-range [0, 0])
ec727ea7Spatrick  ///       Branch 2)
ec727ea7Spatrick  ///         x is out-of-range ['A', 'Z'] and out-of-range ['a', 'z']
ec727ea7Spatrick  ///         then the return value is 0.
ec727ea7Spatrick  ///   * a list of argument constraints, that must be true on every branch.
ec727ea7Spatrick  ///     If these constraints are not satisfied that means a fatal error
ec727ea7Spatrick  ///     usually resulting in undefined behaviour.
ec727ea7Spatrick  ///
ec727ea7Spatrick  /// Application of a summary:
ec727ea7Spatrick  ///   The signature and argument constraints together contain information
ec727ea7Spatrick  ///   about which functions are handled by the summary. The signature can use
ec727ea7Spatrick  ///   "wildcards", i.e. Irrelevant types. Irrelevant type of a parameter in
ec727ea7Spatrick  ///   a signature means that type is not compared to the type of the parameter
ec727ea7Spatrick  ///   in the found FunctionDecl. Argument constraints may specify additional
ec727ea7Spatrick  ///   rules for the given parameter's type, those rules are checked once the
ec727ea7Spatrick  ///   signature is matched.
ec727ea7Spatrick  class Summary {
ec727ea7Spatrick    const InvalidationKind InvalidationKd;
ec727ea7Spatrick    Cases CaseConstraints;
ec727ea7Spatrick    ConstraintSet ArgConstraints;
ec727ea7Spatrick
ec727ea7Spatrick    // The function to which the summary applies. This is set after lookup and
ec727ea7Spatrick    // match to the signature.
ec727ea7Spatrick    const FunctionDecl *FD = nullptr;
ec727ea7Spatrick
ec727ea7Spatrick  public:
*a9ac8606Spatrick    Summary(InvalidationKind InvalidationKd) : InvalidationKd(InvalidationKd) {}
ec727ea7Spatrick
ec727ea7Spatrick    Summary &Case(ConstraintSet &&CS) {
ec727ea7Spatrick      CaseConstraints.push_back(std::move(CS));
ec727ea7Spatrick      return *this;
ec727ea7Spatrick    }
*a9ac8606Spatrick    Summary &Case(const ConstraintSet &CS) {
*a9ac8606Spatrick      CaseConstraints.push_back(CS);
*a9ac8606Spatrick      return *this;
*a9ac8606Spatrick    }
ec727ea7Spatrick    Summary &ArgConstraint(ValueConstraintPtr VC) {
*a9ac8606Spatrick      assert(VC->getArgNo() != Ret &&
*a9ac8606Spatrick             "Arg constraint should not refer to the return value");
ec727ea7Spatrick      ArgConstraints.push_back(VC);
ec727ea7Spatrick      return *this;
ec727ea7Spatrick    }
ec727ea7Spatrick
ec727ea7Spatrick    InvalidationKind getInvalidationKd() const { return InvalidationKd; }
ec727ea7Spatrick    const Cases &getCaseConstraints() const { return CaseConstraints; }
ec727ea7Spatrick    const ConstraintSet &getArgConstraints() const { return ArgConstraints; }
ec727ea7Spatrick
ec727ea7Spatrick    QualType getArgType(ArgNo ArgN) const {
ec727ea7Spatrick      return StdLibraryFunctionsChecker::getArgType(FD, ArgN);
ec727ea7Spatrick    }
ec727ea7Spatrick
ec727ea7Spatrick    // Returns true if the summary should be applied to the given function.
ec727ea7Spatrick    // And if yes then store the function declaration.
*a9ac8606Spatrick    bool matchesAndSet(const Signature &Sign, const FunctionDecl *FD) {
ec727ea7Spatrick      bool Result = Sign.matches(FD) && validateByConstraints(FD);
ec727ea7Spatrick      if (Result) {
ec727ea7Spatrick        assert(!this->FD && "FD must not be set more than once");
ec727ea7Spatrick        this->FD = FD;
ec727ea7Spatrick      }
ec727ea7Spatrick      return Result;
ec727ea7Spatrick    }
ec727ea7Spatrick
ec727ea7Spatrick  private:
ec727ea7Spatrick    // Once we know the exact type of the function then do sanity check on all
ec727ea7Spatrick    // the given constraints.
ec727ea7Spatrick    bool validateByConstraints(const FunctionDecl *FD) const {
ec727ea7Spatrick      for (const ConstraintSet &Case : CaseConstraints)
ec727ea7Spatrick        for (const ValueConstraintPtr &Constraint : Case)
ec727ea7Spatrick          if (!Constraint->checkValidity(FD))
ec727ea7Spatrick            return false;
ec727ea7Spatrick      for (const ValueConstraintPtr &Constraint : ArgConstraints)
ec727ea7Spatrick        if (!Constraint->checkValidity(FD))
ec727ea7Spatrick          return false;
ec727ea7Spatrick      return true;
ec727ea7Spatrick    }
ec727ea7Spatrick  };
e5dd7070Spatrick
e5dd7070Spatrick  // The map of all functions supported by the checker. It is initialized
e5dd7070Spatrick  // lazily, and it doesn't change after initialization.
ec727ea7Spatrick  using FunctionSummaryMapType = llvm::DenseMap<const FunctionDecl *, Summary>;
ec727ea7Spatrick  mutable FunctionSummaryMapType FunctionSummaryMap;
e5dd7070Spatrick
ec727ea7Spatrick  mutable std::unique_ptr<BugType> BT_InvalidArg;
*a9ac8606Spatrick  mutable bool SummariesInitialized = false;
ec727ea7Spatrick
ec727ea7Spatrick  static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) {
ec727ea7Spatrick    return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN);
e5dd7070Spatrick  }
e5dd7070Spatrick
e5dd7070Spatrickpublic:
ec727ea7Spatrick  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
e5dd7070Spatrick  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
e5dd7070Spatrick  bool evalCall(const CallEvent &Call, CheckerContext &C) const;
e5dd7070Spatrick
ec727ea7Spatrick  enum CheckKind {
ec727ea7Spatrick    CK_StdCLibraryFunctionArgsChecker,
ec727ea7Spatrick    CK_StdCLibraryFunctionsTesterChecker,
ec727ea7Spatrick    CK_NumCheckKinds
ec727ea7Spatrick  };
ec727ea7Spatrick  DefaultBool ChecksEnabled[CK_NumCheckKinds];
ec727ea7Spatrick  CheckerNameRef CheckNames[CK_NumCheckKinds];
ec727ea7Spatrick
ec727ea7Spatrick  bool DisplayLoadedSummaries = false;
ec727ea7Spatrick  bool ModelPOSIX = false;
ec727ea7Spatrick
e5dd7070Spatrickprivate:
ec727ea7Spatrick  Optional<Summary> findFunctionSummary(const FunctionDecl *FD,
ec727ea7Spatrick                                        CheckerContext &C) const;
ec727ea7Spatrick  Optional<Summary> findFunctionSummary(const CallEvent &Call,
e5dd7070Spatrick                                        CheckerContext &C) const;
e5dd7070Spatrick
ec727ea7Spatrick  void initFunctionSummaries(CheckerContext &C) const;
ec727ea7Spatrick
ec727ea7Spatrick  void reportBug(const CallEvent &Call, ExplodedNode *N,
*a9ac8606Spatrick                 const ValueConstraint *VC, const Summary &Summary,
ec727ea7Spatrick                 CheckerContext &C) const {
ec727ea7Spatrick    if (!ChecksEnabled[CK_StdCLibraryFunctionArgsChecker])
ec727ea7Spatrick      return;
*a9ac8606Spatrick    std::string Msg =
*a9ac8606Spatrick        (Twine("Function argument constraint is not satisfied, constraint: ") +
*a9ac8606Spatrick         VC->getName().data())
*a9ac8606Spatrick            .str();
ec727ea7Spatrick    if (!BT_InvalidArg)
ec727ea7Spatrick      BT_InvalidArg = std::make_unique<BugType>(
ec727ea7Spatrick          CheckNames[CK_StdCLibraryFunctionArgsChecker],
ec727ea7Spatrick          "Unsatisfied argument constraints", categories::LogicError);
ec727ea7Spatrick    auto R = std::make_unique<PathSensitiveBugReport>(*BT_InvalidArg, Msg, N);
*a9ac8606Spatrick
*a9ac8606Spatrick    for (ArgNo ArgN : VC->getArgsToTrack())
*a9ac8606Spatrick      bugreporter::trackExpressionValue(N, Call.getArgExpr(ArgN), *R);
*a9ac8606Spatrick
*a9ac8606Spatrick    // Highlight the range of the argument that was violated.
*a9ac8606Spatrick    R->addRange(Call.getArgSourceRange(VC->getArgNo()));
*a9ac8606Spatrick
*a9ac8606Spatrick    // Describe the argument constraint in a note.
*a9ac8606Spatrick    R->addNote(VC->describe(C.getState(), Summary), R->getLocation(),
*a9ac8606Spatrick               Call.getArgSourceRange(VC->getArgNo()));
*a9ac8606Spatrick
ec727ea7Spatrick    C.emitReport(std::move(R));
ec727ea7Spatrick  }
e5dd7070Spatrick};
ec727ea7Spatrick
ec727ea7Spatrickconst StdLibraryFunctionsChecker::ArgNo StdLibraryFunctionsChecker::Ret =
ec727ea7Spatrick    std::numeric_limits<ArgNo>::max();
ec727ea7Spatrick
e5dd7070Spatrick} // end of anonymous namespace
e5dd7070Spatrick
*a9ac8606Spatrickstatic BasicValueFactory &getBVF(ProgramStateRef State) {
*a9ac8606Spatrick  ProgramStateManager &Mgr = State->getStateManager();
*a9ac8606Spatrick  SValBuilder &SVB = Mgr.getSValBuilder();
*a9ac8606Spatrick  return SVB.getBasicValueFactory();
*a9ac8606Spatrick}
*a9ac8606Spatrick
*a9ac8606Spatrickstd::string StdLibraryFunctionsChecker::NotNullConstraint::describe(
*a9ac8606Spatrick    ProgramStateRef State, const Summary &Summary) const {
*a9ac8606Spatrick  SmallString<48> Result;
*a9ac8606Spatrick  Result += "The ";
*a9ac8606Spatrick  Result += getArgDesc(ArgN);
*a9ac8606Spatrick  Result += " should not be NULL";
*a9ac8606Spatrick  return Result.c_str();
*a9ac8606Spatrick}
*a9ac8606Spatrick
*a9ac8606Spatrickstd::string StdLibraryFunctionsChecker::RangeConstraint::describe(
*a9ac8606Spatrick    ProgramStateRef State, const Summary &Summary) const {
*a9ac8606Spatrick
*a9ac8606Spatrick  BasicValueFactory &BVF = getBVF(State);
*a9ac8606Spatrick
*a9ac8606Spatrick  QualType T = Summary.getArgType(getArgNo());
*a9ac8606Spatrick  SmallString<48> Result;
*a9ac8606Spatrick  Result += "The ";
*a9ac8606Spatrick  Result += getArgDesc(ArgN);
*a9ac8606Spatrick  Result += " should be ";
*a9ac8606Spatrick
*a9ac8606Spatrick  // Range kind as a string.
*a9ac8606Spatrick  Kind == OutOfRange ? Result += "out of" : Result += "within";
*a9ac8606Spatrick
*a9ac8606Spatrick  // Get the range values as a string.
*a9ac8606Spatrick  Result += " the range ";
*a9ac8606Spatrick  if (Ranges.size() > 1)
*a9ac8606Spatrick    Result += "[";
*a9ac8606Spatrick  unsigned I = Ranges.size();
*a9ac8606Spatrick  for (const std::pair<RangeInt, RangeInt> &R : Ranges) {
*a9ac8606Spatrick    Result += "[";
*a9ac8606Spatrick    const llvm::APSInt &Min = BVF.getValue(R.first, T);
*a9ac8606Spatrick    const llvm::APSInt &Max = BVF.getValue(R.second, T);
*a9ac8606Spatrick    Min.toString(Result);
*a9ac8606Spatrick    Result += ", ";
*a9ac8606Spatrick    Max.toString(Result);
*a9ac8606Spatrick    Result += "]";
*a9ac8606Spatrick    if (--I > 0)
*a9ac8606Spatrick      Result += ", ";
*a9ac8606Spatrick  }
*a9ac8606Spatrick  if (Ranges.size() > 1)
*a9ac8606Spatrick    Result += "]";
*a9ac8606Spatrick
*a9ac8606Spatrick  return Result.c_str();
*a9ac8606Spatrick}
*a9ac8606Spatrick
*a9ac8606SpatrickSmallString<8>
*a9ac8606SpatrickStdLibraryFunctionsChecker::getArgDesc(StdLibraryFunctionsChecker::ArgNo ArgN) {
*a9ac8606Spatrick  SmallString<8> Result;
*a9ac8606Spatrick  Result += std::to_string(ArgN + 1);
*a9ac8606Spatrick  Result += llvm::getOrdinalSuffix(ArgN + 1);
*a9ac8606Spatrick  Result += " arg";
*a9ac8606Spatrick  return Result;
*a9ac8606Spatrick}
*a9ac8606Spatrick
*a9ac8606Spatrickstd::string StdLibraryFunctionsChecker::BufferSizeConstraint::describe(
*a9ac8606Spatrick    ProgramStateRef State, const Summary &Summary) const {
*a9ac8606Spatrick  SmallString<96> Result;
*a9ac8606Spatrick  Result += "The size of the ";
*a9ac8606Spatrick  Result += getArgDesc(ArgN);
*a9ac8606Spatrick  Result += " should be equal to or less than the value of ";
*a9ac8606Spatrick  if (ConcreteSize) {
*a9ac8606Spatrick    ConcreteSize->toString(Result);
*a9ac8606Spatrick  } else if (SizeArgN) {
*a9ac8606Spatrick    Result += "the ";
*a9ac8606Spatrick    Result += getArgDesc(*SizeArgN);
*a9ac8606Spatrick    if (SizeMultiplierArgN) {
*a9ac8606Spatrick      Result += " times the ";
*a9ac8606Spatrick      Result += getArgDesc(*SizeMultiplierArgN);
*a9ac8606Spatrick    }
*a9ac8606Spatrick  }
*a9ac8606Spatrick  return Result.c_str();
*a9ac8606Spatrick}
*a9ac8606Spatrick
ec727ea7SpatrickProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsOutOfRange(
e5dd7070Spatrick    ProgramStateRef State, const CallEvent &Call,
ec727ea7Spatrick    const Summary &Summary) const {
*a9ac8606Spatrick  if (Ranges.empty())
*a9ac8606Spatrick    return State;
e5dd7070Spatrick
e5dd7070Spatrick  ProgramStateManager &Mgr = State->getStateManager();
e5dd7070Spatrick  SValBuilder &SVB = Mgr.getSValBuilder();
e5dd7070Spatrick  BasicValueFactory &BVF = SVB.getBasicValueFactory();
e5dd7070Spatrick  ConstraintManager &CM = Mgr.getConstraintManager();
ec727ea7Spatrick  QualType T = Summary.getArgType(getArgNo());
e5dd7070Spatrick  SVal V = getArgSVal(Call, getArgNo());
e5dd7070Spatrick
e5dd7070Spatrick  if (auto N = V.getAs<NonLoc>()) {
ec727ea7Spatrick    const IntRangeVector &R = getRanges();
e5dd7070Spatrick    size_t E = R.size();
e5dd7070Spatrick    for (size_t I = 0; I != E; ++I) {
e5dd7070Spatrick      const llvm::APSInt &Min = BVF.getValue(R[I].first, T);
e5dd7070Spatrick      const llvm::APSInt &Max = BVF.getValue(R[I].second, T);
e5dd7070Spatrick      assert(Min <= Max);
e5dd7070Spatrick      State = CM.assumeInclusiveRange(State, *N, Min, Max, false);
e5dd7070Spatrick      if (!State)
e5dd7070Spatrick        break;
e5dd7070Spatrick    }
e5dd7070Spatrick  }
e5dd7070Spatrick
e5dd7070Spatrick  return State;
e5dd7070Spatrick}
e5dd7070Spatrick
ec727ea7SpatrickProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsWithinRange(
e5dd7070Spatrick    ProgramStateRef State, const CallEvent &Call,
ec727ea7Spatrick    const Summary &Summary) const {
*a9ac8606Spatrick  if (Ranges.empty())
*a9ac8606Spatrick    return State;
e5dd7070Spatrick
e5dd7070Spatrick  ProgramStateManager &Mgr = State->getStateManager();
e5dd7070Spatrick  SValBuilder &SVB = Mgr.getSValBuilder();
e5dd7070Spatrick  BasicValueFactory &BVF = SVB.getBasicValueFactory();
e5dd7070Spatrick  ConstraintManager &CM = Mgr.getConstraintManager();
ec727ea7Spatrick  QualType T = Summary.getArgType(getArgNo());
e5dd7070Spatrick  SVal V = getArgSVal(Call, getArgNo());
e5dd7070Spatrick
e5dd7070Spatrick  // "WithinRange R" is treated as "outside [T_MIN, T_MAX] \ R".
e5dd7070Spatrick  // We cut off [T_MIN, min(R) - 1] and [max(R) + 1, T_MAX] if necessary,
e5dd7070Spatrick  // and then cut away all holes in R one by one.
ec727ea7Spatrick  //
ec727ea7Spatrick  // E.g. consider a range list R as [A, B] and [C, D]
ec727ea7Spatrick  // -------+--------+------------------+------------+----------->
ec727ea7Spatrick  //        A        B                  C            D
ec727ea7Spatrick  // Then we assume that the value is not in [-inf, A - 1],
ec727ea7Spatrick  // then not in [D + 1, +inf], then not in [B + 1, C - 1]
e5dd7070Spatrick  if (auto N = V.getAs<NonLoc>()) {
ec727ea7Spatrick    const IntRangeVector &R = getRanges();
e5dd7070Spatrick    size_t E = R.size();
e5dd7070Spatrick
e5dd7070Spatrick    const llvm::APSInt &MinusInf = BVF.getMinValue(T);
e5dd7070Spatrick    const llvm::APSInt &PlusInf = BVF.getMaxValue(T);
e5dd7070Spatrick
e5dd7070Spatrick    const llvm::APSInt &Left = BVF.getValue(R[0].first - 1ULL, T);
e5dd7070Spatrick    if (Left != PlusInf) {
e5dd7070Spatrick      assert(MinusInf <= Left);
e5dd7070Spatrick      State = CM.assumeInclusiveRange(State, *N, MinusInf, Left, false);
e5dd7070Spatrick      if (!State)
e5dd7070Spatrick        return nullptr;
e5dd7070Spatrick    }
e5dd7070Spatrick
e5dd7070Spatrick    const llvm::APSInt &Right = BVF.getValue(R[E - 1].second + 1ULL, T);
e5dd7070Spatrick    if (Right != MinusInf) {
e5dd7070Spatrick      assert(Right <= PlusInf);
e5dd7070Spatrick      State = CM.assumeInclusiveRange(State, *N, Right, PlusInf, false);
e5dd7070Spatrick      if (!State)
e5dd7070Spatrick        return nullptr;
e5dd7070Spatrick    }
e5dd7070Spatrick
e5dd7070Spatrick    for (size_t I = 1; I != E; ++I) {
e5dd7070Spatrick      const llvm::APSInt &Min = BVF.getValue(R[I - 1].second + 1ULL, T);
e5dd7070Spatrick      const llvm::APSInt &Max = BVF.getValue(R[I].first - 1ULL, T);
ec727ea7Spatrick      if (Min <= Max) {
e5dd7070Spatrick        State = CM.assumeInclusiveRange(State, *N, Min, Max, false);
e5dd7070Spatrick        if (!State)
e5dd7070Spatrick          return nullptr;
e5dd7070Spatrick      }
e5dd7070Spatrick    }
ec727ea7Spatrick  }
e5dd7070Spatrick
e5dd7070Spatrick  return State;
e5dd7070Spatrick}
e5dd7070Spatrick
ec727ea7SpatrickProgramStateRef StdLibraryFunctionsChecker::ComparisonConstraint::apply(
ec727ea7Spatrick    ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
ec727ea7Spatrick    CheckerContext &C) const {
e5dd7070Spatrick
e5dd7070Spatrick  ProgramStateManager &Mgr = State->getStateManager();
e5dd7070Spatrick  SValBuilder &SVB = Mgr.getSValBuilder();
e5dd7070Spatrick  QualType CondT = SVB.getConditionType();
ec727ea7Spatrick  QualType T = Summary.getArgType(getArgNo());
e5dd7070Spatrick  SVal V = getArgSVal(Call, getArgNo());
e5dd7070Spatrick
e5dd7070Spatrick  BinaryOperator::Opcode Op = getOpcode();
ec727ea7Spatrick  ArgNo OtherArg = getOtherArgNo();
e5dd7070Spatrick  SVal OtherV = getArgSVal(Call, OtherArg);
ec727ea7Spatrick  QualType OtherT = Summary.getArgType(OtherArg);
e5dd7070Spatrick  // Note: we avoid integral promotion for comparison.
e5dd7070Spatrick  OtherV = SVB.evalCast(OtherV, T, OtherT);
e5dd7070Spatrick  if (auto CompV = SVB.evalBinOp(State, Op, V, OtherV, CondT)
e5dd7070Spatrick                       .getAs<DefinedOrUnknownSVal>())
e5dd7070Spatrick    State = State->assume(*CompV, true);
e5dd7070Spatrick  return State;
e5dd7070Spatrick}
e5dd7070Spatrick
ec727ea7Spatrickvoid StdLibraryFunctionsChecker::checkPreCall(const CallEvent &Call,
e5dd7070Spatrick                                              CheckerContext &C) const {
ec727ea7Spatrick  Optional<Summary> FoundSummary = findFunctionSummary(Call, C);
e5dd7070Spatrick  if (!FoundSummary)
e5dd7070Spatrick    return;
e5dd7070Spatrick
ec727ea7Spatrick  const Summary &Summary = *FoundSummary;
e5dd7070Spatrick  ProgramStateRef State = C.getState();
e5dd7070Spatrick
e5dd7070Spatrick  ProgramStateRef NewState = State;
ec727ea7Spatrick  for (const ValueConstraintPtr &Constraint : Summary.getArgConstraints()) {
ec727ea7Spatrick    ProgramStateRef SuccessSt = Constraint->apply(NewState, Call, Summary, C);
ec727ea7Spatrick    ProgramStateRef FailureSt =
ec727ea7Spatrick        Constraint->negate()->apply(NewState, Call, Summary, C);
ec727ea7Spatrick    // The argument constraint is not satisfied.
ec727ea7Spatrick    if (FailureSt && !SuccessSt) {
ec727ea7Spatrick      if (ExplodedNode *N = C.generateErrorNode(NewState))
*a9ac8606Spatrick        reportBug(Call, N, Constraint.get(), Summary, C);
ec727ea7Spatrick      break;
ec727ea7Spatrick    } else {
ec727ea7Spatrick      // We will apply the constraint even if we cannot reason about the
ec727ea7Spatrick      // argument. This means both SuccessSt and FailureSt can be true. If we
ec727ea7Spatrick      // weren't applying the constraint that would mean that symbolic
ec727ea7Spatrick      // execution continues on a code whose behaviour is undefined.
ec727ea7Spatrick      assert(SuccessSt);
ec727ea7Spatrick      NewState = SuccessSt;
ec727ea7Spatrick    }
ec727ea7Spatrick  }
ec727ea7Spatrick  if (NewState && NewState != State)
ec727ea7Spatrick    C.addTransition(NewState);
ec727ea7Spatrick}
ec727ea7Spatrick
ec727ea7Spatrickvoid StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
ec727ea7Spatrick                                               CheckerContext &C) const {
ec727ea7Spatrick  Optional<Summary> FoundSummary = findFunctionSummary(Call, C);
ec727ea7Spatrick  if (!FoundSummary)
ec727ea7Spatrick    return;
ec727ea7Spatrick
ec727ea7Spatrick  // Now apply the constraints.
ec727ea7Spatrick  const Summary &Summary = *FoundSummary;
ec727ea7Spatrick  ProgramStateRef State = C.getState();
ec727ea7Spatrick
ec727ea7Spatrick  // Apply case/branch specifications.
ec727ea7Spatrick  for (const ConstraintSet &Case : Summary.getCaseConstraints()) {
ec727ea7Spatrick    ProgramStateRef NewState = State;
ec727ea7Spatrick    for (const ValueConstraintPtr &Constraint : Case) {
ec727ea7Spatrick      NewState = Constraint->apply(NewState, Call, Summary, C);
e5dd7070Spatrick      if (!NewState)
e5dd7070Spatrick        break;
e5dd7070Spatrick    }
e5dd7070Spatrick
e5dd7070Spatrick    if (NewState && NewState != State)
e5dd7070Spatrick      C.addTransition(NewState);
e5dd7070Spatrick  }
e5dd7070Spatrick}
e5dd7070Spatrick
e5dd7070Spatrickbool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call,
e5dd7070Spatrick                                          CheckerContext &C) const {
ec727ea7Spatrick  Optional<Summary> FoundSummary = findFunctionSummary(Call, C);
e5dd7070Spatrick  if (!FoundSummary)
e5dd7070Spatrick    return false;
e5dd7070Spatrick
ec727ea7Spatrick  const Summary &Summary = *FoundSummary;
ec727ea7Spatrick  switch (Summary.getInvalidationKd()) {
e5dd7070Spatrick  case EvalCallAsPure: {
e5dd7070Spatrick    ProgramStateRef State = C.getState();
e5dd7070Spatrick    const LocationContext *LC = C.getLocationContext();
*a9ac8606Spatrick    const auto *CE = cast<CallExpr>(Call.getOriginExpr());
e5dd7070Spatrick    SVal V = C.getSValBuilder().conjureSymbolVal(
e5dd7070Spatrick        CE, LC, CE->getType().getCanonicalType(), C.blockCount());
e5dd7070Spatrick    State = State->BindExpr(CE, LC, V);
e5dd7070Spatrick    C.addTransition(State);
e5dd7070Spatrick    return true;
e5dd7070Spatrick  }
e5dd7070Spatrick  case NoEvalCall:
e5dd7070Spatrick    // Summary tells us to avoid performing eval::Call. The function is possibly
e5dd7070Spatrick    // evaluated by another checker, or evaluated conservatively.
e5dd7070Spatrick    return false;
e5dd7070Spatrick  }
e5dd7070Spatrick  llvm_unreachable("Unknown invalidation kind!");
e5dd7070Spatrick}
e5dd7070Spatrick
ec727ea7Spatrickbool StdLibraryFunctionsChecker::Signature::matches(
ec727ea7Spatrick    const FunctionDecl *FD) const {
*a9ac8606Spatrick  assert(!isInvalid());
*a9ac8606Spatrick  // Check the number of arguments.
ec727ea7Spatrick  if (FD->param_size() != ArgTys.size())
e5dd7070Spatrick    return false;
e5dd7070Spatrick
*a9ac8606Spatrick  // The "restrict" keyword is illegal in C++, however, many libc
*a9ac8606Spatrick  // implementations use the "__restrict" compiler intrinsic in functions
*a9ac8606Spatrick  // prototypes. The "__restrict" keyword qualifies a type as a restricted type
*a9ac8606Spatrick  // even in C++.
*a9ac8606Spatrick  // In case of any non-C99 languages, we don't want to match based on the
*a9ac8606Spatrick  // restrict qualifier because we cannot know if the given libc implementation
*a9ac8606Spatrick  // qualifies the paramter type or not.
*a9ac8606Spatrick  auto RemoveRestrict = [&FD](QualType T) {
*a9ac8606Spatrick    if (!FD->getASTContext().getLangOpts().C99)
*a9ac8606Spatrick      T.removeLocalRestrict();
*a9ac8606Spatrick    return T;
*a9ac8606Spatrick  };
e5dd7070Spatrick
*a9ac8606Spatrick  // Check the return type.
*a9ac8606Spatrick  if (!isIrrelevant(RetTy)) {
*a9ac8606Spatrick    QualType FDRetTy = RemoveRestrict(FD->getReturnType().getCanonicalType());
*a9ac8606Spatrick    if (RetTy != FDRetTy)
*a9ac8606Spatrick      return false;
*a9ac8606Spatrick  }
*a9ac8606Spatrick
*a9ac8606Spatrick  // Check the argument types.
ec727ea7Spatrick  for (size_t I = 0, E = ArgTys.size(); I != E; ++I) {
ec727ea7Spatrick    QualType ArgTy = ArgTys[I];
ec727ea7Spatrick    if (isIrrelevant(ArgTy))
e5dd7070Spatrick      continue;
*a9ac8606Spatrick    QualType FDArgTy =
*a9ac8606Spatrick        RemoveRestrict(FD->getParamDecl(I)->getType().getCanonicalType());
*a9ac8606Spatrick    if (ArgTy != FDArgTy)
e5dd7070Spatrick      return false;
e5dd7070Spatrick  }
e5dd7070Spatrick
e5dd7070Spatrick  return true;
e5dd7070Spatrick}
e5dd7070Spatrick
ec727ea7SpatrickOptional<StdLibraryFunctionsChecker::Summary>
e5dd7070SpatrickStdLibraryFunctionsChecker::findFunctionSummary(const FunctionDecl *FD,
e5dd7070Spatrick                                                CheckerContext &C) const {
e5dd7070Spatrick  if (!FD)
e5dd7070Spatrick    return None;
e5dd7070Spatrick
ec727ea7Spatrick  initFunctionSummaries(C);
e5dd7070Spatrick
ec727ea7Spatrick  auto FSMI = FunctionSummaryMap.find(FD->getCanonicalDecl());
e5dd7070Spatrick  if (FSMI == FunctionSummaryMap.end())
e5dd7070Spatrick    return None;
ec727ea7Spatrick  return FSMI->second;
ec727ea7Spatrick}
e5dd7070Spatrick
ec727ea7SpatrickOptional<StdLibraryFunctionsChecker::Summary>
ec727ea7SpatrickStdLibraryFunctionsChecker::findFunctionSummary(const CallEvent &Call,
ec727ea7Spatrick                                                CheckerContext &C) const {
ec727ea7Spatrick  const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
ec727ea7Spatrick  if (!FD)
ec727ea7Spatrick    return None;
ec727ea7Spatrick  return findFunctionSummary(FD, C);
ec727ea7Spatrick}
e5dd7070Spatrick
*a9ac8606Spatrickvoid StdLibraryFunctionsChecker::initFunctionSummaries(
*a9ac8606Spatrick    CheckerContext &C) const {
*a9ac8606Spatrick  if (SummariesInitialized)
*a9ac8606Spatrick    return;
*a9ac8606Spatrick
*a9ac8606Spatrick  SValBuilder &SVB = C.getSValBuilder();
*a9ac8606Spatrick  BasicValueFactory &BVF = SVB.getBasicValueFactory();
*a9ac8606Spatrick  const ASTContext &ACtx = BVF.getContext();
*a9ac8606Spatrick
*a9ac8606Spatrick  // Helper class to lookup a type by its name.
*a9ac8606Spatrick  class LookupType {
*a9ac8606Spatrick    const ASTContext &ACtx;
*a9ac8606Spatrick
*a9ac8606Spatrick  public:
*a9ac8606Spatrick    LookupType(const ASTContext &ACtx) : ACtx(ACtx) {}
*a9ac8606Spatrick
*a9ac8606Spatrick    // Find the type. If not found then the optional is not set.
*a9ac8606Spatrick    llvm::Optional<QualType> operator()(StringRef Name) {
ec727ea7Spatrick      IdentifierInfo &II = ACtx.Idents.get(Name);
ec727ea7Spatrick      auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
*a9ac8606Spatrick      if (LookupRes.empty())
ec727ea7Spatrick        return None;
ec727ea7Spatrick
ec727ea7Spatrick      // Prioritze typedef declarations.
ec727ea7Spatrick      // This is needed in case of C struct typedefs. E.g.:
ec727ea7Spatrick      //   typedef struct FILE FILE;
*a9ac8606Spatrick      // In this case, we have a RecordDecl 'struct FILE' with the name 'FILE'
*a9ac8606Spatrick      // and we have a TypedefDecl with the name 'FILE'.
ec727ea7Spatrick      for (Decl *D : LookupRes)
ec727ea7Spatrick        if (auto *TD = dyn_cast<TypedefNameDecl>(D))
ec727ea7Spatrick          return ACtx.getTypeDeclType(TD).getCanonicalType();
ec727ea7Spatrick
ec727ea7Spatrick      // Find the first TypeDecl.
ec727ea7Spatrick      // There maybe cases when a function has the same name as a struct.
ec727ea7Spatrick      // E.g. in POSIX: `struct stat` and the function `stat()`:
ec727ea7Spatrick      //   int stat(const char *restrict path, struct stat *restrict buf);
ec727ea7Spatrick      for (Decl *D : LookupRes)
ec727ea7Spatrick        if (auto *TD = dyn_cast<TypeDecl>(D))
ec727ea7Spatrick          return ACtx.getTypeDeclType(TD).getCanonicalType();
e5dd7070Spatrick      return None;
e5dd7070Spatrick    }
*a9ac8606Spatrick  } lookupTy(ACtx);
e5dd7070Spatrick
*a9ac8606Spatrick  // Below are auxiliary classes to handle optional types that we get as a
*a9ac8606Spatrick  // result of the lookup.
*a9ac8606Spatrick  class GetRestrictTy {
*a9ac8606Spatrick    const ASTContext &ACtx;
e5dd7070Spatrick
*a9ac8606Spatrick  public:
*a9ac8606Spatrick    GetRestrictTy(const ASTContext &ACtx) : ACtx(ACtx) {}
*a9ac8606Spatrick    QualType operator()(QualType Ty) {
*a9ac8606Spatrick      return ACtx.getLangOpts().C99 ? ACtx.getRestrictType(Ty) : Ty;
*a9ac8606Spatrick    }
*a9ac8606Spatrick    Optional<QualType> operator()(Optional<QualType> Ty) {
*a9ac8606Spatrick      if (Ty)
*a9ac8606Spatrick        return operator()(*Ty);
*a9ac8606Spatrick      return None;
*a9ac8606Spatrick    }
*a9ac8606Spatrick  } getRestrictTy(ACtx);
*a9ac8606Spatrick  class GetPointerTy {
*a9ac8606Spatrick    const ASTContext &ACtx;
*a9ac8606Spatrick
*a9ac8606Spatrick  public:
*a9ac8606Spatrick    GetPointerTy(const ASTContext &ACtx) : ACtx(ACtx) {}
*a9ac8606Spatrick    QualType operator()(QualType Ty) { return ACtx.getPointerType(Ty); }
*a9ac8606Spatrick    Optional<QualType> operator()(Optional<QualType> Ty) {
*a9ac8606Spatrick      if (Ty)
*a9ac8606Spatrick        return operator()(*Ty);
*a9ac8606Spatrick      return None;
*a9ac8606Spatrick    }
*a9ac8606Spatrick  } getPointerTy(ACtx);
*a9ac8606Spatrick  class {
*a9ac8606Spatrick  public:
*a9ac8606Spatrick    Optional<QualType> operator()(Optional<QualType> Ty) {
*a9ac8606Spatrick      return Ty ? Optional<QualType>(Ty->withConst()) : None;
*a9ac8606Spatrick    }
*a9ac8606Spatrick    QualType operator()(QualType Ty) { return Ty.withConst(); }
*a9ac8606Spatrick  } getConstTy;
*a9ac8606Spatrick  class GetMaxValue {
*a9ac8606Spatrick    BasicValueFactory &BVF;
*a9ac8606Spatrick
*a9ac8606Spatrick  public:
*a9ac8606Spatrick    GetMaxValue(BasicValueFactory &BVF) : BVF(BVF) {}
*a9ac8606Spatrick    Optional<RangeInt> operator()(QualType Ty) {
*a9ac8606Spatrick      return BVF.getMaxValue(Ty).getLimitedValue();
*a9ac8606Spatrick    }
*a9ac8606Spatrick    Optional<RangeInt> operator()(Optional<QualType> Ty) {
*a9ac8606Spatrick      if (Ty) {
*a9ac8606Spatrick        return operator()(*Ty);
*a9ac8606Spatrick      }
*a9ac8606Spatrick      return None;
*a9ac8606Spatrick    }
*a9ac8606Spatrick  } getMaxValue(BVF);
e5dd7070Spatrick
e5dd7070Spatrick  // These types are useful for writing specifications quickly,
e5dd7070Spatrick  // New specifications should probably introduce more types.
e5dd7070Spatrick  // Some types are hard to obtain from the AST, eg. "ssize_t".
e5dd7070Spatrick  // In such cases it should be possible to provide multiple variants
e5dd7070Spatrick  // of function summary for common cases (eg. ssize_t could be int or long
e5dd7070Spatrick  // or long long, so three summary variants would be enough).
e5dd7070Spatrick  // Of course, function variants are also useful for C++ overloads.
ec727ea7Spatrick  const QualType VoidTy = ACtx.VoidTy;
*a9ac8606Spatrick  const QualType CharTy = ACtx.CharTy;
*a9ac8606Spatrick  const QualType WCharTy = ACtx.WCharTy;
ec727ea7Spatrick  const QualType IntTy = ACtx.IntTy;
ec727ea7Spatrick  const QualType UnsignedIntTy = ACtx.UnsignedIntTy;
ec727ea7Spatrick  const QualType LongTy = ACtx.LongTy;
ec727ea7Spatrick  const QualType SizeTy = ACtx.getSizeType();
e5dd7070Spatrick
*a9ac8606Spatrick  const QualType VoidPtrTy = getPointerTy(VoidTy); // void *
*a9ac8606Spatrick  const QualType IntPtrTy = getPointerTy(IntTy);   // int *
ec727ea7Spatrick  const QualType UnsignedIntPtrTy =
*a9ac8606Spatrick      getPointerTy(UnsignedIntTy); // unsigned int *
*a9ac8606Spatrick  const QualType VoidPtrRestrictTy = getRestrictTy(VoidPtrTy);
ec727ea7Spatrick  const QualType ConstVoidPtrTy =
*a9ac8606Spatrick      getPointerTy(getConstTy(VoidTy));            // const void *
*a9ac8606Spatrick  const QualType CharPtrTy = getPointerTy(CharTy); // char *
*a9ac8606Spatrick  const QualType CharPtrRestrictTy = getRestrictTy(CharPtrTy);
ec727ea7Spatrick  const QualType ConstCharPtrTy =
*a9ac8606Spatrick      getPointerTy(getConstTy(CharTy)); // const char *
*a9ac8606Spatrick  const QualType ConstCharPtrRestrictTy = getRestrictTy(ConstCharPtrTy);
*a9ac8606Spatrick  const QualType Wchar_tPtrTy = getPointerTy(WCharTy); // wchar_t *
ec727ea7Spatrick  const QualType ConstWchar_tPtrTy =
*a9ac8606Spatrick      getPointerTy(getConstTy(WCharTy)); // const wchar_t *
*a9ac8606Spatrick  const QualType ConstVoidPtrRestrictTy = getRestrictTy(ConstVoidPtrTy);
*a9ac8606Spatrick  const QualType SizePtrTy = getPointerTy(SizeTy);
*a9ac8606Spatrick  const QualType SizePtrRestrictTy = getRestrictTy(SizePtrTy);
ec727ea7Spatrick
ec727ea7Spatrick  const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue();
ec727ea7Spatrick  const RangeInt UnsignedIntMax =
ec727ea7Spatrick      BVF.getMaxValue(UnsignedIntTy).getLimitedValue();
ec727ea7Spatrick  const RangeInt LongMax = BVF.getMaxValue(LongTy).getLimitedValue();
ec727ea7Spatrick  const RangeInt SizeMax = BVF.getMaxValue(SizeTy).getLimitedValue();
ec727ea7Spatrick
ec727ea7Spatrick  // Set UCharRangeMax to min of int or uchar maximum value.
ec727ea7Spatrick  // The C standard states that the arguments of functions like isalpha must
ec727ea7Spatrick  // be representable as an unsigned char. Their type is 'int', so the max
ec727ea7Spatrick  // value of the argument should be min(UCharMax, IntMax). This just happen
ec727ea7Spatrick  // to be true for commonly used and well tested instruction set
ec727ea7Spatrick  // architectures, but not for others.
ec727ea7Spatrick  const RangeInt UCharRangeMax =
ec727ea7Spatrick      std::min(BVF.getMaxValue(ACtx.UnsignedCharTy).getLimitedValue(), IntMax);
ec727ea7Spatrick
ec727ea7Spatrick  // The platform dependent value of EOF.
ec727ea7Spatrick  // Try our best to parse this from the Preprocessor, otherwise fallback to -1.
ec727ea7Spatrick  const auto EOFv = [&C]() -> RangeInt {
ec727ea7Spatrick    if (const llvm::Optional<int> OptInt =
ec727ea7Spatrick            tryExpandAsInteger("EOF", C.getPreprocessor()))
ec727ea7Spatrick      return *OptInt;
ec727ea7Spatrick    return -1;
ec727ea7Spatrick  }();
ec727ea7Spatrick
ec727ea7Spatrick  // Auxiliary class to aid adding summaries to the summary map.
ec727ea7Spatrick  struct AddToFunctionSummaryMap {
ec727ea7Spatrick    const ASTContext &ACtx;
ec727ea7Spatrick    FunctionSummaryMapType &Map;
ec727ea7Spatrick    bool DisplayLoadedSummaries;
ec727ea7Spatrick    AddToFunctionSummaryMap(const ASTContext &ACtx, FunctionSummaryMapType &FSM,
ec727ea7Spatrick                            bool DisplayLoadedSummaries)
ec727ea7Spatrick        : ACtx(ACtx), Map(FSM), DisplayLoadedSummaries(DisplayLoadedSummaries) {
ec727ea7Spatrick    }
ec727ea7Spatrick
ec727ea7Spatrick    // Add a summary to a FunctionDecl found by lookup. The lookup is performed
ec727ea7Spatrick    // by the given Name, and in the global scope. The summary will be attached
ec727ea7Spatrick    // to the found FunctionDecl only if the signatures match.
*a9ac8606Spatrick    //
*a9ac8606Spatrick    // Returns true if the summary has been added, false otherwise.
*a9ac8606Spatrick    bool operator()(StringRef Name, Signature Sign, Summary Sum) {
*a9ac8606Spatrick      if (Sign.isInvalid())
*a9ac8606Spatrick        return false;
ec727ea7Spatrick      IdentifierInfo &II = ACtx.Idents.get(Name);
ec727ea7Spatrick      auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
*a9ac8606Spatrick      if (LookupRes.empty())
*a9ac8606Spatrick        return false;
ec727ea7Spatrick      for (Decl *D : LookupRes) {
ec727ea7Spatrick        if (auto *FD = dyn_cast<FunctionDecl>(D)) {
*a9ac8606Spatrick          if (Sum.matchesAndSet(Sign, FD)) {
*a9ac8606Spatrick            auto Res = Map.insert({FD->getCanonicalDecl(), Sum});
ec727ea7Spatrick            assert(Res.second && "Function already has a summary set!");
ec727ea7Spatrick            (void)Res;
ec727ea7Spatrick            if (DisplayLoadedSummaries) {
ec727ea7Spatrick              llvm::errs() << "Loaded summary for: ";
ec727ea7Spatrick              FD->print(llvm::errs());
ec727ea7Spatrick              llvm::errs() << "\n";
ec727ea7Spatrick            }
*a9ac8606Spatrick            return true;
ec727ea7Spatrick          }
ec727ea7Spatrick        }
ec727ea7Spatrick      }
*a9ac8606Spatrick      return false;
ec727ea7Spatrick    }
*a9ac8606Spatrick    // Add the same summary for different names with the Signature explicitly
*a9ac8606Spatrick    // given.
*a9ac8606Spatrick    void operator()(std::vector<StringRef> Names, Signature Sign, Summary Sum) {
*a9ac8606Spatrick      for (StringRef Name : Names)
*a9ac8606Spatrick        operator()(Name, Sign, Sum);
ec727ea7Spatrick    }
ec727ea7Spatrick  } addToFunctionSummaryMap(ACtx, FunctionSummaryMap, DisplayLoadedSummaries);
e5dd7070Spatrick
ec727ea7Spatrick  // Below are helpers functions to create the summaries.
ec727ea7Spatrick  auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind,
ec727ea7Spatrick                              IntRangeVector Ranges) {
ec727ea7Spatrick    return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges);
ec727ea7Spatrick  };
ec727ea7Spatrick  auto BufferSize = [](auto... Args) {
ec727ea7Spatrick    return std::make_shared<BufferSizeConstraint>(Args...);
ec727ea7Spatrick  };
ec727ea7Spatrick  struct {
ec727ea7Spatrick    auto operator()(RangeKind Kind, IntRangeVector Ranges) {
ec727ea7Spatrick      return std::make_shared<RangeConstraint>(Ret, Kind, Ranges);
ec727ea7Spatrick    }
ec727ea7Spatrick    auto operator()(BinaryOperator::Opcode Op, ArgNo OtherArgN) {
ec727ea7Spatrick      return std::make_shared<ComparisonConstraint>(Ret, Op, OtherArgN);
ec727ea7Spatrick    }
ec727ea7Spatrick  } ReturnValueCondition;
*a9ac8606Spatrick  struct {
*a9ac8606Spatrick    auto operator()(RangeInt b, RangeInt e) {
ec727ea7Spatrick      return IntRangeVector{std::pair<RangeInt, RangeInt>{b, e}};
*a9ac8606Spatrick    }
*a9ac8606Spatrick    auto operator()(RangeInt b, Optional<RangeInt> e) {
*a9ac8606Spatrick      if (e)
*a9ac8606Spatrick        return IntRangeVector{std::pair<RangeInt, RangeInt>{b, *e}};
*a9ac8606Spatrick      return IntRangeVector{};
*a9ac8606Spatrick    }
*a9ac8606Spatrick    auto operator()(std::pair<RangeInt, RangeInt> i0,
*a9ac8606Spatrick                    std::pair<RangeInt, Optional<RangeInt>> i1) {
*a9ac8606Spatrick      if (i1.second)
*a9ac8606Spatrick        return IntRangeVector{i0, {i1.first, *(i1.second)}};
*a9ac8606Spatrick      return IntRangeVector{i0};
*a9ac8606Spatrick    }
*a9ac8606Spatrick  } Range;
ec727ea7Spatrick  auto SingleValue = [](RangeInt v) {
ec727ea7Spatrick    return IntRangeVector{std::pair<RangeInt, RangeInt>{v, v}};
ec727ea7Spatrick  };
ec727ea7Spatrick  auto LessThanOrEq = BO_LE;
ec727ea7Spatrick  auto NotNull = [&](ArgNo ArgN) {
ec727ea7Spatrick    return std::make_shared<NotNullConstraint>(ArgN);
ec727ea7Spatrick  };
e5dd7070Spatrick
*a9ac8606Spatrick  Optional<QualType> FileTy = lookupTy("FILE");
*a9ac8606Spatrick  Optional<QualType> FilePtrTy = getPointerTy(FileTy);
*a9ac8606Spatrick  Optional<QualType> FilePtrRestrictTy = getRestrictTy(FilePtrTy);
ec727ea7Spatrick
*a9ac8606Spatrick  // We are finally ready to define specifications for all supported functions.
*a9ac8606Spatrick  //
*a9ac8606Spatrick  // Argument ranges should always cover all variants. If return value
*a9ac8606Spatrick  // is completely unknown, omit it from the respective range set.
*a9ac8606Spatrick  //
*a9ac8606Spatrick  // Every item in the list of range sets represents a particular
*a9ac8606Spatrick  // execution path the analyzer would need to explore once
*a9ac8606Spatrick  // the call is modeled - a new program state is constructed
*a9ac8606Spatrick  // for every range set, and each range line in the range set
*a9ac8606Spatrick  // corresponds to a specific constraint within this state.
ec727ea7Spatrick
e5dd7070Spatrick  // The isascii() family of functions.
ec727ea7Spatrick  // The behavior is undefined if the value of the argument is not
ec727ea7Spatrick  // representable as unsigned char or is not equal to EOF. See e.g. C99
ec727ea7Spatrick  // 7.4.1.2 The isalpha function (p: 181-182).
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "isalnum", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          // Boils down to isupper() or islower() or isdigit().
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange,
ec727ea7Spatrick                                   {{'0', '9'}, {'A', 'Z'}, {'a', 'z'}}),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          // The locale-specific range.
e5dd7070Spatrick          // No post-condition. We are completely unaware of
e5dd7070Spatrick          // locale-specific return values.
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})})
ec727ea7Spatrick          .Case(
ec727ea7Spatrick              {ArgumentCondition(
ec727ea7Spatrick                   0U, OutOfRange,
ec727ea7Spatrick                   {{'0', '9'}, {'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}),
ec727ea7Spatrick               ReturnValueCondition(WithinRange, SingleValue(0))})
ec727ea7Spatrick          .ArgConstraint(ArgumentCondition(
ec727ea7Spatrick              0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "isalpha", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, {{'A', 'Z'}, {'a', 'z'}}),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          // The locale-specific range.
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})})
ec727ea7Spatrick          .Case({ArgumentCondition(
ec727ea7Spatrick                     0U, OutOfRange,
ec727ea7Spatrick                     {{'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "isascii", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, Range(0, 127)),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          .Case({ArgumentCondition(0U, OutOfRange, Range(0, 127)),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "isblank", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, {{'\t', '\t'}, {' ', ' '}}),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          .Case({ArgumentCondition(0U, OutOfRange, {{'\t', '\t'}, {' ', ' '}}),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "iscntrl", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, {{0, 32}, {127, 127}}),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          .Case({ArgumentCondition(0U, OutOfRange, {{0, 32}, {127, 127}}),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "isdigit", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, Range('0', '9')),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          .Case({ArgumentCondition(0U, OutOfRange, Range('0', '9')),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "isgraph", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, Range(33, 126)),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          .Case({ArgumentCondition(0U, OutOfRange, Range(33, 126)),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "islower", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          // Is certainly lowercase.
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, Range('a', 'z')),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          // Is ascii but not lowercase.
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, Range(0, 127)),
ec727ea7Spatrick                 ArgumentCondition(0U, OutOfRange, Range('a', 'z')),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))})
ec727ea7Spatrick          // The locale-specific range.
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})})
ec727ea7Spatrick          // Is not an unsigned char.
ec727ea7Spatrick          .Case({ArgumentCondition(0U, OutOfRange, Range(0, UCharRangeMax)),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "isprint", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, Range(32, 126)),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          .Case({ArgumentCondition(0U, OutOfRange, Range(32, 126)),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "ispunct", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          .Case({ArgumentCondition(
ec727ea7Spatrick                     0U, WithinRange,
ec727ea7Spatrick                     {{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          .Case({ArgumentCondition(
ec727ea7Spatrick                     0U, OutOfRange,
ec727ea7Spatrick                     {{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "isspace", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          // Space, '\f', '\n', '\r', '\t', '\v'.
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, {{9, 13}, {' ', ' '}}),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          // The locale-specific range.
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})})
ec727ea7Spatrick          .Case({ArgumentCondition(0U, OutOfRange,
ec727ea7Spatrick                                   {{9, 13}, {' ', ' '}, {128, UCharRangeMax}}),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "isupper", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          // Is certainly uppercase.
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, Range('A', 'Z')),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          // The locale-specific range.
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})})
ec727ea7Spatrick          // Other.
ec727ea7Spatrick          .Case({ArgumentCondition(0U, OutOfRange,
ec727ea7Spatrick                                   {{'A', 'Z'}, {128, UCharRangeMax}}),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "isxdigit", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
ec727ea7Spatrick          .Case({ArgumentCondition(0U, WithinRange,
ec727ea7Spatrick                                   {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),
ec727ea7Spatrick                 ReturnValueCondition(OutOfRange, SingleValue(0))})
ec727ea7Spatrick          .Case({ArgumentCondition(0U, OutOfRange,
ec727ea7Spatrick                                   {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),
ec727ea7Spatrick                 ReturnValueCondition(WithinRange, SingleValue(0))}));
*a9ac8606Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "toupper", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
*a9ac8606Spatrick          .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick              0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
*a9ac8606Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "tolower", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
*a9ac8606Spatrick          .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick              0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
*a9ac8606Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "toascii", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(EvalCallAsPure)
*a9ac8606Spatrick          .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick              0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
e5dd7070Spatrick
e5dd7070Spatrick  // The getc() family of functions that returns either a char or an EOF.
ec727ea7Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      {"getc", "fgetc"}, Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(NoEvalCall)
*a9ac8606Spatrick          .Case({ReturnValueCondition(WithinRange,
*a9ac8606Spatrick                                      {{EOFv, EOFv}, {0, UCharRangeMax}})}));
*a9ac8606Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "getchar", Signature(ArgTypes{}, RetType{IntTy}),
*a9ac8606Spatrick      Summary(NoEvalCall)
*a9ac8606Spatrick          .Case({ReturnValueCondition(WithinRange,
*a9ac8606Spatrick                                      {{EOFv, EOFv}, {0, UCharRangeMax}})}));
e5dd7070Spatrick
e5dd7070Spatrick  // read()-like functions that never return more than buffer size.
*a9ac8606Spatrick  auto FreadSummary =
*a9ac8606Spatrick      Summary(NoEvalCall)
*a9ac8606Spatrick          .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
*a9ac8606Spatrick                 ReturnValueCondition(WithinRange, Range(0, SizeMax))})
*a9ac8606Spatrick          .ArgConstraint(NotNull(ArgNo(0)))
*a9ac8606Spatrick          .ArgConstraint(NotNull(ArgNo(3)))
*a9ac8606Spatrick          .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1),
*a9ac8606Spatrick                                    /*BufSizeMultiplier=*/ArgNo(2)));
ec727ea7Spatrick
*a9ac8606Spatrick  // size_t fread(void *restrict ptr, size_t size, size_t nitems,
*a9ac8606Spatrick  //              FILE *restrict stream);
*a9ac8606Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "fread",
*a9ac8606Spatrick      Signature(ArgTypes{VoidPtrRestrictTy, SizeTy, SizeTy, FilePtrRestrictTy},
*a9ac8606Spatrick                RetType{SizeTy}),
*a9ac8606Spatrick      FreadSummary);
*a9ac8606Spatrick  // size_t fwrite(const void *restrict ptr, size_t size, size_t nitems,
*a9ac8606Spatrick  //               FILE *restrict stream);
*a9ac8606Spatrick  addToFunctionSummaryMap("fwrite",
*a9ac8606Spatrick                          Signature(ArgTypes{ConstVoidPtrRestrictTy, SizeTy,
*a9ac8606Spatrick                                             SizeTy, FilePtrRestrictTy},
*a9ac8606Spatrick                                    RetType{SizeTy}),
*a9ac8606Spatrick                          FreadSummary);
*a9ac8606Spatrick
*a9ac8606Spatrick  Optional<QualType> Ssize_tTy = lookupTy("ssize_t");
*a9ac8606Spatrick  Optional<RangeInt> Ssize_tMax = getMaxValue(Ssize_tTy);
*a9ac8606Spatrick
*a9ac8606Spatrick  auto ReadSummary =
*a9ac8606Spatrick      Summary(NoEvalCall)
*a9ac8606Spatrick          .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
*a9ac8606Spatrick                 ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))});
*a9ac8606Spatrick
ec727ea7Spatrick  // FIXME these are actually defined by POSIX and not by the C standard, we
ec727ea7Spatrick  // should handle them together with the rest of the POSIX functions.
*a9ac8606Spatrick  // ssize_t read(int fildes, void *buf, size_t nbyte);
*a9ac8606Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "read", Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy}, RetType{Ssize_tTy}),
*a9ac8606Spatrick      ReadSummary);
*a9ac8606Spatrick  // ssize_t write(int fildes, const void *buf, size_t nbyte);
*a9ac8606Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "write",
*a9ac8606Spatrick      Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy}, RetType{Ssize_tTy}),
*a9ac8606Spatrick      ReadSummary);
*a9ac8606Spatrick
*a9ac8606Spatrick  auto GetLineSummary =
*a9ac8606Spatrick      Summary(NoEvalCall)
*a9ac8606Spatrick          .Case({ReturnValueCondition(WithinRange,
*a9ac8606Spatrick                                      Range({-1, -1}, {1, Ssize_tMax}))});
*a9ac8606Spatrick
*a9ac8606Spatrick  QualType CharPtrPtrRestrictTy = getRestrictTy(getPointerTy(CharPtrTy));
e5dd7070Spatrick
e5dd7070Spatrick  // getline()-like functions either fail or read at least the delimiter.
ec727ea7Spatrick  // FIXME these are actually defined by POSIX and not by the C standard, we
ec727ea7Spatrick  // should handle them together with the rest of the POSIX functions.
*a9ac8606Spatrick  // ssize_t getline(char **restrict lineptr, size_t *restrict n,
*a9ac8606Spatrick  //                 FILE *restrict stream);
*a9ac8606Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "getline",
*a9ac8606Spatrick      Signature(
*a9ac8606Spatrick          ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, FilePtrRestrictTy},
*a9ac8606Spatrick          RetType{Ssize_tTy}),
*a9ac8606Spatrick      GetLineSummary);
*a9ac8606Spatrick  // ssize_t getdelim(char **restrict lineptr, size_t *restrict n,
*a9ac8606Spatrick  //                  int delimiter, FILE *restrict stream);
*a9ac8606Spatrick  addToFunctionSummaryMap(
*a9ac8606Spatrick      "getdelim",
*a9ac8606Spatrick      Signature(ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, IntTy,
*a9ac8606Spatrick                         FilePtrRestrictTy},
*a9ac8606Spatrick                RetType{Ssize_tTy}),
*a9ac8606Spatrick      GetLineSummary);
ec727ea7Spatrick
ec727ea7Spatrick  if (ModelPOSIX) {
ec727ea7Spatrick
ec727ea7Spatrick    // long a64l(const char *str64);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "a64l", Signature(ArgTypes{ConstCharPtrTy}, RetType{LongTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // char *l64a(long value);
*a9ac8606Spatrick    addToFunctionSummaryMap("l64a",
*a9ac8606Spatrick                            Signature(ArgTypes{LongTy}, RetType{CharPtrTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick                                    0, WithinRange, Range(0, LongMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    const auto ReturnsZeroOrMinusOne =
*a9ac8606Spatrick        ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, 0))};
*a9ac8606Spatrick    const auto ReturnsFileDescriptor =
*a9ac8606Spatrick        ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, IntMax))};
ec727ea7Spatrick
ec727ea7Spatrick    // int access(const char *pathname, int amode);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "access", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int faccessat(int dirfd, const char *pathname, int mode, int flags);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "faccessat",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, IntTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // int dup(int fildes);
*a9ac8606Spatrick    addToFunctionSummaryMap("dup", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsFileDescriptor)
*a9ac8606Spatrick                                .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick                                    0, WithinRange, Range(0, IntMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // int dup2(int fildes1, int filedes2);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "dup2", Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsFileDescriptor)
ec727ea7Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(
ec727ea7Spatrick                ArgumentCondition(1, WithinRange, Range(0, IntMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // int fdatasync(int fildes);
*a9ac8606Spatrick    addToFunctionSummaryMap("fdatasync",
*a9ac8606Spatrick                            Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick                                .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick                                    0, WithinRange, Range(0, IntMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // int fnmatch(const char *pattern, const char *string, int flags);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "fnmatch",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy, IntTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // int fsync(int fildes);
*a9ac8606Spatrick    addToFunctionSummaryMap("fsync", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick                                .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick                                    0, WithinRange, Range(0, IntMax))));
ec727ea7Spatrick
*a9ac8606Spatrick    Optional<QualType> Off_tTy = lookupTy("off_t");
ec727ea7Spatrick
ec727ea7Spatrick    // int truncate(const char *path, off_t length);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "truncate",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, Off_tTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int symlink(const char *oldpath, const char *newpath);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "symlink",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // int symlinkat(const char *oldpath, int newdirfd, const char *newpath);
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "symlinkat",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, IntTy, ConstCharPtrTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
ec727ea7Spatrick            .ArgConstraint(ArgumentCondition(1, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(2))));
ec727ea7Spatrick
ec727ea7Spatrick    // int lockf(int fd, int cmd, off_t len);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "lockf", Signature(ArgTypes{IntTy, IntTy, Off_tTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(
ec727ea7Spatrick                ArgumentCondition(0, WithinRange, Range(0, IntMax))));
ec727ea7Spatrick
*a9ac8606Spatrick    Optional<QualType> Mode_tTy = lookupTy("mode_t");
ec727ea7Spatrick
ec727ea7Spatrick    // int creat(const char *pathname, mode_t mode);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "creat", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsFileDescriptor)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // unsigned int sleep(unsigned int seconds);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "sleep", Signature(ArgTypes{UnsignedIntTy}, RetType{UnsignedIntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
ec727ea7Spatrick            .ArgConstraint(
ec727ea7Spatrick                ArgumentCondition(0, WithinRange, Range(0, UnsignedIntMax))));
ec727ea7Spatrick
*a9ac8606Spatrick    Optional<QualType> DirTy = lookupTy("DIR");
*a9ac8606Spatrick    Optional<QualType> DirPtrTy = getPointerTy(DirTy);
ec727ea7Spatrick
ec727ea7Spatrick    // int dirfd(DIR *dirp);
*a9ac8606Spatrick    addToFunctionSummaryMap("dirfd",
*a9ac8606Spatrick                            Signature(ArgTypes{DirPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsFileDescriptor)
ec727ea7Spatrick                                .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // unsigned int alarm(unsigned int seconds);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "alarm", Signature(ArgTypes{UnsignedIntTy}, RetType{UnsignedIntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
ec727ea7Spatrick            .ArgConstraint(
ec727ea7Spatrick                ArgumentCondition(0, WithinRange, Range(0, UnsignedIntMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // int closedir(DIR *dir);
*a9ac8606Spatrick    addToFunctionSummaryMap("closedir",
*a9ac8606Spatrick                            Signature(ArgTypes{DirPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick                                .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // char *strdup(const char *s);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "strdup", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // char *strndup(const char *s, size_t n);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "strndup",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, SizeTy}, RetType{CharPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(1, WithinRange, Range(0, SizeMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // wchar_t *wcsdup(const wchar_t *s);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "wcsdup", Signature(ArgTypes{ConstWchar_tPtrTy}, RetType{Wchar_tPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int mkstemp(char *template);
*a9ac8606Spatrick    addToFunctionSummaryMap("mkstemp",
*a9ac8606Spatrick                            Signature(ArgTypes{CharPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsFileDescriptor)
ec727ea7Spatrick                                .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // char *mkdtemp(char *template);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "mkdtemp", Signature(ArgTypes{CharPtrTy}, RetType{CharPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // char *getcwd(char *buf, size_t size);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "getcwd", Signature(ArgTypes{CharPtrTy, SizeTy}, RetType{CharPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
ec727ea7Spatrick            .ArgConstraint(
ec727ea7Spatrick                ArgumentCondition(1, WithinRange, Range(0, SizeMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // int mkdir(const char *pathname, mode_t mode);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "mkdir", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int mkdirat(int dirfd, const char *pathname, mode_t mode);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "mkdirat",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
*a9ac8606Spatrick    Optional<QualType> Dev_tTy = lookupTy("dev_t");
ec727ea7Spatrick
ec727ea7Spatrick    // int mknod(const char *pathname, mode_t mode, dev_t dev);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "mknod",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, Mode_tTy, Dev_tTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int mknodat(int dirfd, const char *pathname, mode_t mode, dev_t dev);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "mknodat",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy, Dev_tTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // int chmod(const char *path, mode_t mode);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "chmod", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "fchmodat",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy, IntTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // int fchmod(int fildes, mode_t mode);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "fchmod", Signature(ArgTypes{IntTy, Mode_tTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(
ec727ea7Spatrick                ArgumentCondition(0, WithinRange, Range(0, IntMax))));
ec727ea7Spatrick
*a9ac8606Spatrick    Optional<QualType> Uid_tTy = lookupTy("uid_t");
*a9ac8606Spatrick    Optional<QualType> Gid_tTy = lookupTy("gid_t");
ec727ea7Spatrick
ec727ea7Spatrick    // int fchownat(int dirfd, const char *pathname, uid_t owner, gid_t group,
ec727ea7Spatrick    //              int flags);
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "fchownat",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstCharPtrTy, Uid_tTy, Gid_tTy, IntTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // int chown(const char *path, uid_t owner, gid_t group);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "chown",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, Uid_tTy, Gid_tTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int lchown(const char *path, uid_t owner, gid_t group);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "lchown",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, Uid_tTy, Gid_tTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int fchown(int fildes, uid_t owner, gid_t group);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "fchown", Signature(ArgTypes{IntTy, Uid_tTy, Gid_tTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(0, WithinRange, Range(0, IntMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // int rmdir(const char *pathname);
*a9ac8606Spatrick    addToFunctionSummaryMap("rmdir",
*a9ac8606Spatrick                            Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick                                .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int chdir(const char *path);
*a9ac8606Spatrick    addToFunctionSummaryMap("chdir",
*a9ac8606Spatrick                            Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick                                .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int link(const char *oldpath, const char *newpath);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "link",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // int linkat(int fd1, const char *path1, int fd2, const char *path2,
ec727ea7Spatrick    //            int flag);
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "linkat",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, ConstCharPtrTy, IntTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1)))
ec727ea7Spatrick            .ArgConstraint(ArgumentCondition(2, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(3))));
ec727ea7Spatrick
ec727ea7Spatrick    // int unlink(const char *pathname);
*a9ac8606Spatrick    addToFunctionSummaryMap("unlink",
*a9ac8606Spatrick                            Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick                                .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int unlinkat(int fd, const char *path, int flag);
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "unlinkat",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
*a9ac8606Spatrick    Optional<QualType> StructStatTy = lookupTy("stat");
*a9ac8606Spatrick    Optional<QualType> StructStatPtrTy = getPointerTy(StructStatTy);
*a9ac8606Spatrick    Optional<QualType> StructStatPtrRestrictTy = getRestrictTy(StructStatPtrTy);
ec727ea7Spatrick
ec727ea7Spatrick    // int fstat(int fd, struct stat *statbuf);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "fstat", Signature(ArgTypes{IntTy, StructStatPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // int stat(const char *restrict path, struct stat *restrict buf);
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "stat",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrRestrictTy, StructStatPtrRestrictTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // int lstat(const char *restrict path, struct stat *restrict buf);
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "lstat",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrRestrictTy, StructStatPtrRestrictTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // int fstatat(int fd, const char *restrict path,
ec727ea7Spatrick    //             struct stat *restrict buf, int flag);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "fstatat",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstCharPtrRestrictTy,
*a9ac8606Spatrick                           StructStatPtrRestrictTy, IntTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(2))));
ec727ea7Spatrick
ec727ea7Spatrick    // DIR *opendir(const char *name);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "opendir", Signature(ArgTypes{ConstCharPtrTy}, RetType{DirPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // DIR *fdopendir(int fd);
*a9ac8606Spatrick    addToFunctionSummaryMap("fdopendir",
*a9ac8606Spatrick                            Signature(ArgTypes{IntTy}, RetType{DirPtrTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick                                    0, WithinRange, Range(0, IntMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // int isatty(int fildes);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "isatty", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(WithinRange, Range(0, 1))})
ec727ea7Spatrick            .ArgConstraint(
ec727ea7Spatrick                ArgumentCondition(0, WithinRange, Range(0, IntMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // FILE *popen(const char *command, const char *type);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "popen",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{FilePtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // int pclose(FILE *stream);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "pclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int close(int fildes);
*a9ac8606Spatrick    addToFunctionSummaryMap("close", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick                                .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick                                    0, WithinRange, Range(-1, IntMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // long fpathconf(int fildes, int name);
*a9ac8606Spatrick    addToFunctionSummaryMap("fpathconf",
*a9ac8606Spatrick                            Signature(ArgTypes{IntTy, IntTy}, RetType{LongTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick                                    0, WithinRange, Range(0, IntMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // long pathconf(const char *path, int name);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "pathconf", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{LongTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // FILE *fdopen(int fd, const char *mode);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "fdopen",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstCharPtrTy}, RetType{FilePtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick
ec727ea7Spatrick    // void rewinddir(DIR *dir);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "rewinddir", Signature(ArgTypes{DirPtrTy}, RetType{VoidTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // void seekdir(DIR *dirp, long loc);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "seekdir", Signature(ArgTypes{DirPtrTy, LongTy}, RetType{VoidTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int rand_r(unsigned int *seedp);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "rand_r", Signature(ArgTypes{UnsignedIntPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int fileno(FILE *stream);
*a9ac8606Spatrick    addToFunctionSummaryMap("fileno",
*a9ac8606Spatrick                            Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsFileDescriptor)
ec727ea7Spatrick                                .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int fseeko(FILE *stream, off_t offset, int whence);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "fseeko",
*a9ac8606Spatrick        Signature(ArgTypes{FilePtrTy, Off_tTy, IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // off_t ftello(FILE *stream);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "ftello", Signature(ArgTypes{FilePtrTy}, RetType{Off_tTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // void *mmap(void *addr, size_t length, int prot, int flags, int fd,
ec727ea7Spatrick    // off_t offset);
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "mmap",
*a9ac8606Spatrick        Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off_tTy},
*a9ac8606Spatrick                  RetType{VoidPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax)))
ec727ea7Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(4, WithinRange, Range(-1, IntMax))));
ec727ea7Spatrick
*a9ac8606Spatrick    Optional<QualType> Off64_tTy = lookupTy("off64_t");
ec727ea7Spatrick    // void *mmap64(void *addr, size_t length, int prot, int flags, int fd,
ec727ea7Spatrick    // off64_t offset);
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "mmap64",
*a9ac8606Spatrick        Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off64_tTy},
*a9ac8606Spatrick                  RetType{VoidPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax)))
ec727ea7Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(4, WithinRange, Range(-1, IntMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // int pipe(int fildes[2]);
*a9ac8606Spatrick    addToFunctionSummaryMap("pipe",
*a9ac8606Spatrick                            Signature(ArgTypes{IntPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick                                .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // off_t lseek(int fildes, off_t offset, int whence);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "lseek", Signature(ArgTypes{IntTy, Off_tTy, IntTy}, RetType{Off_tTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(0, WithinRange, Range(0, IntMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // ssize_t readlink(const char *restrict path, char *restrict buf,
ec727ea7Spatrick    //                  size_t bufsize);
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "readlink",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy},
*a9ac8606Spatrick                  RetType{Ssize_tTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
*a9ac8606Spatrick                   ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))})
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1)))
ec727ea7Spatrick            .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
ec727ea7Spatrick                                      /*BufSize=*/ArgNo(2)))
ec727ea7Spatrick            .ArgConstraint(
ec727ea7Spatrick                ArgumentCondition(2, WithinRange, Range(0, SizeMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // ssize_t readlinkat(int fd, const char *restrict path,
ec727ea7Spatrick    //                    char *restrict buf, size_t bufsize);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "readlinkat",
*a9ac8606Spatrick        Signature(
*a9ac8606Spatrick            ArgTypes{IntTy, ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy},
*a9ac8606Spatrick            RetType{Ssize_tTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(LessThanOrEq, ArgNo(3)),
*a9ac8606Spatrick                   ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))})
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(2)))
ec727ea7Spatrick            .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(2),
ec727ea7Spatrick                                      /*BufSize=*/ArgNo(3)))
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(3, WithinRange, Range(0, SizeMax))));
ec727ea7Spatrick
ec727ea7Spatrick    // int renameat(int olddirfd, const char *oldpath, int newdirfd, const char
ec727ea7Spatrick    // *newpath);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "renameat",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, ConstCharPtrTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(3))));
ec727ea7Spatrick
ec727ea7Spatrick    // char *realpath(const char *restrict file_name,
ec727ea7Spatrick    //                char *restrict resolved_name);
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "realpath",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy},
*a9ac8606Spatrick                  RetType{CharPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
*a9ac8606Spatrick    QualType CharPtrConstPtr = getPointerTy(getConstTy(CharPtrTy));
ec727ea7Spatrick
ec727ea7Spatrick    // int execv(const char *path, char *const argv[]);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "execv",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, CharPtrConstPtr}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(WithinRange, SingleValue(-1))})
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int execvp(const char *file, char *const argv[]);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "execvp",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, CharPtrConstPtr}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(WithinRange, SingleValue(-1))})
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick
ec727ea7Spatrick    // int getopt(int argc, char * const argv[], const char *optstring);
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "getopt",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, CharPtrConstPtr, ConstCharPtrTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(WithinRange, Range(-1, UCharRangeMax))})
ec727ea7Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(2))));
*a9ac8606Spatrick
*a9ac8606Spatrick    Optional<QualType> StructSockaddrTy = lookupTy("sockaddr");
*a9ac8606Spatrick    Optional<QualType> StructSockaddrPtrTy = getPointerTy(StructSockaddrTy);
*a9ac8606Spatrick    Optional<QualType> ConstStructSockaddrPtrTy =
*a9ac8606Spatrick        getPointerTy(getConstTy(StructSockaddrTy));
*a9ac8606Spatrick    Optional<QualType> StructSockaddrPtrRestrictTy =
*a9ac8606Spatrick        getRestrictTy(StructSockaddrPtrTy);
*a9ac8606Spatrick    Optional<QualType> ConstStructSockaddrPtrRestrictTy =
*a9ac8606Spatrick        getRestrictTy(ConstStructSockaddrPtrTy);
*a9ac8606Spatrick    Optional<QualType> Socklen_tTy = lookupTy("socklen_t");
*a9ac8606Spatrick    Optional<QualType> Socklen_tPtrTy = getPointerTy(Socklen_tTy);
*a9ac8606Spatrick    Optional<QualType> Socklen_tPtrRestrictTy = getRestrictTy(Socklen_tPtrTy);
*a9ac8606Spatrick    Optional<RangeInt> Socklen_tMax = getMaxValue(Socklen_tTy);
*a9ac8606Spatrick
*a9ac8606Spatrick    // In 'socket.h' of some libc implementations with C99, sockaddr parameter
*a9ac8606Spatrick    // is a transparent union of the underlying sockaddr_ family of pointers
*a9ac8606Spatrick    // instead of being a pointer to struct sockaddr. In these cases, the
*a9ac8606Spatrick    // standardized signature will not match, thus we try to match with another
*a9ac8606Spatrick    // signature that has the joker Irrelevant type. We also remove those
*a9ac8606Spatrick    // constraints which require pointer types for the sockaddr param.
*a9ac8606Spatrick    auto Accept =
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsFileDescriptor)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)));
*a9ac8606Spatrick    if (!addToFunctionSummaryMap(
*a9ac8606Spatrick            "accept",
*a9ac8606Spatrick            // int accept(int socket, struct sockaddr *restrict address,
*a9ac8606Spatrick            //            socklen_t *restrict address_len);
*a9ac8606Spatrick            Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy,
*a9ac8606Spatrick                               Socklen_tPtrRestrictTy},
*a9ac8606Spatrick                      RetType{IntTy}),
*a9ac8606Spatrick            Accept))
*a9ac8606Spatrick      addToFunctionSummaryMap(
*a9ac8606Spatrick          "accept",
*a9ac8606Spatrick          Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy},
*a9ac8606Spatrick                    RetType{IntTy}),
*a9ac8606Spatrick          Accept);
*a9ac8606Spatrick
*a9ac8606Spatrick    // int bind(int socket, const struct sockaddr *address, socklen_t
*a9ac8606Spatrick    //          address_len);
*a9ac8606Spatrick    if (!addToFunctionSummaryMap(
*a9ac8606Spatrick            "bind",
*a9ac8606Spatrick            Signature(ArgTypes{IntTy, ConstStructSockaddrPtrTy, Socklen_tTy},
*a9ac8606Spatrick                      RetType{IntTy}),
*a9ac8606Spatrick            Summary(NoEvalCall)
*a9ac8606Spatrick                .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick                .ArgConstraint(
*a9ac8606Spatrick                    ArgumentCondition(0, WithinRange, Range(0, IntMax)))
*a9ac8606Spatrick                .ArgConstraint(NotNull(ArgNo(1)))
*a9ac8606Spatrick                .ArgConstraint(
*a9ac8606Spatrick                    BufferSize(/*Buffer=*/ArgNo(1), /*BufSize=*/ArgNo(2)))
*a9ac8606Spatrick                .ArgConstraint(
*a9ac8606Spatrick                    ArgumentCondition(2, WithinRange, Range(0, Socklen_tMax)))))
*a9ac8606Spatrick      // Do not add constraints on sockaddr.
*a9ac8606Spatrick      addToFunctionSummaryMap(
*a9ac8606Spatrick          "bind",
*a9ac8606Spatrick          Signature(ArgTypes{IntTy, Irrelevant, Socklen_tTy}, RetType{IntTy}),
*a9ac8606Spatrick          Summary(NoEvalCall)
*a9ac8606Spatrick              .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick              .ArgConstraint(
*a9ac8606Spatrick                  ArgumentCondition(0, WithinRange, Range(0, IntMax)))
*a9ac8606Spatrick              .ArgConstraint(
*a9ac8606Spatrick                  ArgumentCondition(2, WithinRange, Range(0, Socklen_tMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int getpeername(int socket, struct sockaddr *restrict address,
*a9ac8606Spatrick    //                 socklen_t *restrict address_len);
*a9ac8606Spatrick    if (!addToFunctionSummaryMap(
*a9ac8606Spatrick            "getpeername",
*a9ac8606Spatrick            Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy,
*a9ac8606Spatrick                               Socklen_tPtrRestrictTy},
*a9ac8606Spatrick                      RetType{IntTy}),
*a9ac8606Spatrick            Summary(NoEvalCall)
*a9ac8606Spatrick                .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick                .ArgConstraint(
*a9ac8606Spatrick                    ArgumentCondition(0, WithinRange, Range(0, IntMax)))
*a9ac8606Spatrick                .ArgConstraint(NotNull(ArgNo(1)))
*a9ac8606Spatrick                .ArgConstraint(NotNull(ArgNo(2)))))
*a9ac8606Spatrick      addToFunctionSummaryMap(
*a9ac8606Spatrick          "getpeername",
*a9ac8606Spatrick          Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy},
*a9ac8606Spatrick                    RetType{IntTy}),
*a9ac8606Spatrick          Summary(NoEvalCall)
*a9ac8606Spatrick              .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick              .ArgConstraint(
*a9ac8606Spatrick                  ArgumentCondition(0, WithinRange, Range(0, IntMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int getsockname(int socket, struct sockaddr *restrict address,
*a9ac8606Spatrick    //                 socklen_t *restrict address_len);
*a9ac8606Spatrick    if (!addToFunctionSummaryMap(
*a9ac8606Spatrick            "getsockname",
*a9ac8606Spatrick            Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy,
*a9ac8606Spatrick                               Socklen_tPtrRestrictTy},
*a9ac8606Spatrick                      RetType{IntTy}),
*a9ac8606Spatrick            Summary(NoEvalCall)
*a9ac8606Spatrick                .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick                .ArgConstraint(
*a9ac8606Spatrick                    ArgumentCondition(0, WithinRange, Range(0, IntMax)))
*a9ac8606Spatrick                .ArgConstraint(NotNull(ArgNo(1)))
*a9ac8606Spatrick                .ArgConstraint(NotNull(ArgNo(2)))))
*a9ac8606Spatrick      addToFunctionSummaryMap(
*a9ac8606Spatrick          "getsockname",
*a9ac8606Spatrick          Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy},
*a9ac8606Spatrick                    RetType{IntTy}),
*a9ac8606Spatrick          Summary(NoEvalCall)
*a9ac8606Spatrick              .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick              .ArgConstraint(
*a9ac8606Spatrick                  ArgumentCondition(0, WithinRange, Range(0, IntMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int connect(int socket, const struct sockaddr *address, socklen_t
*a9ac8606Spatrick    //             address_len);
*a9ac8606Spatrick    if (!addToFunctionSummaryMap(
*a9ac8606Spatrick            "connect",
*a9ac8606Spatrick            Signature(ArgTypes{IntTy, ConstStructSockaddrPtrTy, Socklen_tTy},
*a9ac8606Spatrick                      RetType{IntTy}),
*a9ac8606Spatrick            Summary(NoEvalCall)
*a9ac8606Spatrick                .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick                .ArgConstraint(
*a9ac8606Spatrick                    ArgumentCondition(0, WithinRange, Range(0, IntMax)))
*a9ac8606Spatrick                .ArgConstraint(NotNull(ArgNo(1)))))
*a9ac8606Spatrick      addToFunctionSummaryMap(
*a9ac8606Spatrick          "connect",
*a9ac8606Spatrick          Signature(ArgTypes{IntTy, Irrelevant, Socklen_tTy}, RetType{IntTy}),
*a9ac8606Spatrick          Summary(NoEvalCall)
*a9ac8606Spatrick              .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick              .ArgConstraint(
*a9ac8606Spatrick                  ArgumentCondition(0, WithinRange, Range(0, IntMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    auto Recvfrom =
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
*a9ac8606Spatrick                   ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))})
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
*a9ac8606Spatrick            .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
*a9ac8606Spatrick                                      /*BufSize=*/ArgNo(2)));
*a9ac8606Spatrick    if (!addToFunctionSummaryMap(
*a9ac8606Spatrick            "recvfrom",
*a9ac8606Spatrick            // ssize_t recvfrom(int socket, void *restrict buffer,
*a9ac8606Spatrick            //                  size_t length,
*a9ac8606Spatrick            //                  int flags, struct sockaddr *restrict address,
*a9ac8606Spatrick            //                  socklen_t *restrict address_len);
*a9ac8606Spatrick            Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy,
*a9ac8606Spatrick                               StructSockaddrPtrRestrictTy,
*a9ac8606Spatrick                               Socklen_tPtrRestrictTy},
*a9ac8606Spatrick                      RetType{Ssize_tTy}),
*a9ac8606Spatrick            Recvfrom))
*a9ac8606Spatrick      addToFunctionSummaryMap(
*a9ac8606Spatrick          "recvfrom",
*a9ac8606Spatrick          Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy,
*a9ac8606Spatrick                             Irrelevant, Socklen_tPtrRestrictTy},
*a9ac8606Spatrick                    RetType{Ssize_tTy}),
*a9ac8606Spatrick          Recvfrom);
*a9ac8606Spatrick
*a9ac8606Spatrick    auto Sendto =
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
*a9ac8606Spatrick                   ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))})
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
*a9ac8606Spatrick            .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
*a9ac8606Spatrick                                      /*BufSize=*/ArgNo(2)));
*a9ac8606Spatrick    if (!addToFunctionSummaryMap(
*a9ac8606Spatrick            "sendto",
*a9ac8606Spatrick            // ssize_t sendto(int socket, const void *message, size_t length,
*a9ac8606Spatrick            //                int flags, const struct sockaddr *dest_addr,
*a9ac8606Spatrick            //                socklen_t dest_len);
*a9ac8606Spatrick            Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy,
*a9ac8606Spatrick                               ConstStructSockaddrPtrTy, Socklen_tTy},
*a9ac8606Spatrick                      RetType{Ssize_tTy}),
*a9ac8606Spatrick            Sendto))
*a9ac8606Spatrick      addToFunctionSummaryMap(
*a9ac8606Spatrick          "sendto",
*a9ac8606Spatrick          Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy, Irrelevant,
*a9ac8606Spatrick                             Socklen_tTy},
*a9ac8606Spatrick                    RetType{Ssize_tTy}),
*a9ac8606Spatrick          Sendto);
*a9ac8606Spatrick
*a9ac8606Spatrick    // int listen(int sockfd, int backlog);
*a9ac8606Spatrick    addToFunctionSummaryMap("listen",
*a9ac8606Spatrick                            Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick                                .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick                                    0, WithinRange, Range(0, IntMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // ssize_t recv(int sockfd, void *buf, size_t len, int flags);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "recv",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy, IntTy},
*a9ac8606Spatrick                  RetType{Ssize_tTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
*a9ac8606Spatrick                   ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))})
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
*a9ac8606Spatrick            .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
*a9ac8606Spatrick                                      /*BufSize=*/ArgNo(2))));
*a9ac8606Spatrick
*a9ac8606Spatrick    Optional<QualType> StructMsghdrTy = lookupTy("msghdr");
*a9ac8606Spatrick    Optional<QualType> StructMsghdrPtrTy = getPointerTy(StructMsghdrTy);
*a9ac8606Spatrick    Optional<QualType> ConstStructMsghdrPtrTy =
*a9ac8606Spatrick        getPointerTy(getConstTy(StructMsghdrTy));
*a9ac8606Spatrick
*a9ac8606Spatrick    // ssize_t recvmsg(int sockfd, struct msghdr *msg, int flags);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "recvmsg",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, StructMsghdrPtrTy, IntTy},
*a9ac8606Spatrick                  RetType{Ssize_tTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))})
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(0, WithinRange, Range(0, IntMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "sendmsg",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstStructMsghdrPtrTy, IntTy},
*a9ac8606Spatrick                  RetType{Ssize_tTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))})
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(0, WithinRange, Range(0, IntMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int setsockopt(int socket, int level, int option_name,
*a9ac8606Spatrick    //                const void *option_value, socklen_t option_len);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "setsockopt",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, IntTy, IntTy, ConstVoidPtrTy, Socklen_tTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(3)))
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                BufferSize(/*Buffer=*/ArgNo(3), /*BufSize=*/ArgNo(4)))
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(4, WithinRange, Range(0, Socklen_tMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int getsockopt(int socket, int level, int option_name,
*a9ac8606Spatrick    //                void *restrict option_value,
*a9ac8606Spatrick    //                socklen_t *restrict option_len);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "getsockopt",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, IntTy, IntTy, VoidPtrRestrictTy,
*a9ac8606Spatrick                           Socklen_tPtrRestrictTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(3)))
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(4))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // ssize_t send(int sockfd, const void *buf, size_t len, int flags);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "send",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy},
*a9ac8606Spatrick                  RetType{Ssize_tTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
*a9ac8606Spatrick                   ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))})
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
*a9ac8606Spatrick            .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
*a9ac8606Spatrick                                      /*BufSize=*/ArgNo(2))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int socketpair(int domain, int type, int protocol, int sv[2]);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "socketpair",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, IntTy, IntTy, IntPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(3))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int getnameinfo(const struct sockaddr *restrict sa, socklen_t salen,
*a9ac8606Spatrick    //                 char *restrict node, socklen_t nodelen,
*a9ac8606Spatrick    //                 char *restrict service,
*a9ac8606Spatrick    //                 socklen_t servicelen, int flags);
*a9ac8606Spatrick    //
*a9ac8606Spatrick    // This is defined in netdb.h. And contrary to 'socket.h', the sockaddr
*a9ac8606Spatrick    // parameter is never handled as a transparent union in netdb.h
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "getnameinfo",
*a9ac8606Spatrick        Signature(ArgTypes{ConstStructSockaddrPtrRestrictTy, Socklen_tTy,
*a9ac8606Spatrick                           CharPtrRestrictTy, Socklen_tTy, CharPtrRestrictTy,
*a9ac8606Spatrick                           Socklen_tTy, IntTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1)))
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(1, WithinRange, Range(0, Socklen_tMax)))
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                BufferSize(/*Buffer=*/ArgNo(2), /*BufSize=*/ArgNo(3)))
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(3, WithinRange, Range(0, Socklen_tMax)))
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                BufferSize(/*Buffer=*/ArgNo(4), /*BufSize=*/ArgNo(5)))
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(5, WithinRange, Range(0, Socklen_tMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    Optional<QualType> StructUtimbufTy = lookupTy("utimbuf");
*a9ac8606Spatrick    Optional<QualType> StructUtimbufPtrTy = getPointerTy(StructUtimbufTy);
*a9ac8606Spatrick
*a9ac8606Spatrick    // int utime(const char *filename, struct utimbuf *buf);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "utime",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, StructUtimbufPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
*a9ac8606Spatrick
*a9ac8606Spatrick    Optional<QualType> StructTimespecTy = lookupTy("timespec");
*a9ac8606Spatrick    Optional<QualType> StructTimespecPtrTy = getPointerTy(StructTimespecTy);
*a9ac8606Spatrick    Optional<QualType> ConstStructTimespecPtrTy =
*a9ac8606Spatrick        getPointerTy(getConstTy(StructTimespecTy));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int futimens(int fd, const struct timespec times[2]);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "futimens",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, ConstStructTimespecPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(0, WithinRange, Range(0, IntMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int utimensat(int dirfd, const char *pathname,
*a9ac8606Spatrick    //               const struct timespec times[2], int flags);
*a9ac8606Spatrick    addToFunctionSummaryMap("utimensat",
*a9ac8606Spatrick                            Signature(ArgTypes{IntTy, ConstCharPtrTy,
*a9ac8606Spatrick                                               ConstStructTimespecPtrTy, IntTy},
*a9ac8606Spatrick                                      RetType{IntTy}),
*a9ac8606Spatrick                            Summary(NoEvalCall)
*a9ac8606Spatrick                                .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick                                .ArgConstraint(NotNull(ArgNo(1))));
*a9ac8606Spatrick
*a9ac8606Spatrick    Optional<QualType> StructTimevalTy = lookupTy("timeval");
*a9ac8606Spatrick    Optional<QualType> ConstStructTimevalPtrTy =
*a9ac8606Spatrick        getPointerTy(getConstTy(StructTimevalTy));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int utimes(const char *filename, const struct timeval times[2]);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "utimes",
*a9ac8606Spatrick        Signature(ArgTypes{ConstCharPtrTy, ConstStructTimevalPtrTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int nanosleep(const struct timespec *rqtp, struct timespec *rmtp);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "nanosleep",
*a9ac8606Spatrick        Signature(ArgTypes{ConstStructTimespecPtrTy, StructTimespecPtrTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(0))));
*a9ac8606Spatrick
*a9ac8606Spatrick    Optional<QualType> Time_tTy = lookupTy("time_t");
*a9ac8606Spatrick    Optional<QualType> ConstTime_tPtrTy = getPointerTy(getConstTy(Time_tTy));
*a9ac8606Spatrick    Optional<QualType> ConstTime_tPtrRestrictTy =
*a9ac8606Spatrick        getRestrictTy(ConstTime_tPtrTy);
*a9ac8606Spatrick
*a9ac8606Spatrick    Optional<QualType> StructTmTy = lookupTy("tm");
*a9ac8606Spatrick    Optional<QualType> StructTmPtrTy = getPointerTy(StructTmTy);
*a9ac8606Spatrick    Optional<QualType> StructTmPtrRestrictTy = getRestrictTy(StructTmPtrTy);
*a9ac8606Spatrick    Optional<QualType> ConstStructTmPtrTy =
*a9ac8606Spatrick        getPointerTy(getConstTy(StructTmTy));
*a9ac8606Spatrick    Optional<QualType> ConstStructTmPtrRestrictTy =
*a9ac8606Spatrick        getRestrictTy(ConstStructTmPtrTy);
*a9ac8606Spatrick
*a9ac8606Spatrick    // struct tm * localtime(const time_t *tp);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "localtime",
*a9ac8606Spatrick        Signature(ArgTypes{ConstTime_tPtrTy}, RetType{StructTmPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // struct tm *localtime_r(const time_t *restrict timer,
*a9ac8606Spatrick    //                        struct tm *restrict result);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "localtime_r",
*a9ac8606Spatrick        Signature(ArgTypes{ConstTime_tPtrRestrictTy, StructTmPtrRestrictTy},
*a9ac8606Spatrick                  RetType{StructTmPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // char *asctime_r(const struct tm *restrict tm, char *restrict buf);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "asctime_r",
*a9ac8606Spatrick        Signature(ArgTypes{ConstStructTmPtrRestrictTy, CharPtrRestrictTy},
*a9ac8606Spatrick                  RetType{CharPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(1)))
*a9ac8606Spatrick            .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
*a9ac8606Spatrick                                      /*MinBufSize=*/BVF.getValue(26, IntTy))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // char *ctime_r(const time_t *timep, char *buf);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "ctime_r",
*a9ac8606Spatrick        Signature(ArgTypes{ConstTime_tPtrTy, CharPtrTy}, RetType{CharPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(1)))
*a9ac8606Spatrick            .ArgConstraint(BufferSize(
*a9ac8606Spatrick                /*Buffer=*/ArgNo(1),
*a9ac8606Spatrick                /*MinBufSize=*/BVF.getValue(26, IntTy))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // struct tm *gmtime_r(const time_t *restrict timer,
*a9ac8606Spatrick    //                     struct tm *restrict result);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "gmtime_r",
*a9ac8606Spatrick        Signature(ArgTypes{ConstTime_tPtrRestrictTy, StructTmPtrRestrictTy},
*a9ac8606Spatrick                  RetType{StructTmPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // struct tm * gmtime(const time_t *tp);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "gmtime", Signature(ArgTypes{ConstTime_tPtrTy}, RetType{StructTmPtrTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
*a9ac8606Spatrick
*a9ac8606Spatrick    Optional<QualType> Clockid_tTy = lookupTy("clockid_t");
*a9ac8606Spatrick
*a9ac8606Spatrick    // int clock_gettime(clockid_t clock_id, struct timespec *tp);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "clock_gettime",
*a9ac8606Spatrick        Signature(ArgTypes{Clockid_tTy, StructTimespecPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
*a9ac8606Spatrick
*a9ac8606Spatrick    Optional<QualType> StructItimervalTy = lookupTy("itimerval");
*a9ac8606Spatrick    Optional<QualType> StructItimervalPtrTy = getPointerTy(StructItimervalTy);
*a9ac8606Spatrick
*a9ac8606Spatrick    // int getitimer(int which, struct itimerval *curr_value);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "getitimer",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, StructItimervalPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .Case(ReturnsZeroOrMinusOne)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
*a9ac8606Spatrick
*a9ac8606Spatrick    Optional<QualType> Pthread_cond_tTy = lookupTy("pthread_cond_t");
*a9ac8606Spatrick    Optional<QualType> Pthread_cond_tPtrTy = getPointerTy(Pthread_cond_tTy);
*a9ac8606Spatrick    Optional<QualType> Pthread_tTy = lookupTy("pthread_t");
*a9ac8606Spatrick    Optional<QualType> Pthread_tPtrTy = getPointerTy(Pthread_tTy);
*a9ac8606Spatrick    Optional<QualType> Pthread_tPtrRestrictTy = getRestrictTy(Pthread_tPtrTy);
*a9ac8606Spatrick    Optional<QualType> Pthread_mutex_tTy = lookupTy("pthread_mutex_t");
*a9ac8606Spatrick    Optional<QualType> Pthread_mutex_tPtrTy = getPointerTy(Pthread_mutex_tTy);
*a9ac8606Spatrick    Optional<QualType> Pthread_mutex_tPtrRestrictTy =
*a9ac8606Spatrick        getRestrictTy(Pthread_mutex_tPtrTy);
*a9ac8606Spatrick    Optional<QualType> Pthread_attr_tTy = lookupTy("pthread_attr_t");
*a9ac8606Spatrick    Optional<QualType> Pthread_attr_tPtrTy = getPointerTy(Pthread_attr_tTy);
*a9ac8606Spatrick    Optional<QualType> ConstPthread_attr_tPtrTy =
*a9ac8606Spatrick        getPointerTy(getConstTy(Pthread_attr_tTy));
*a9ac8606Spatrick    Optional<QualType> ConstPthread_attr_tPtrRestrictTy =
*a9ac8606Spatrick        getRestrictTy(ConstPthread_attr_tPtrTy);
*a9ac8606Spatrick    Optional<QualType> Pthread_mutexattr_tTy = lookupTy("pthread_mutexattr_t");
*a9ac8606Spatrick    Optional<QualType> ConstPthread_mutexattr_tPtrTy =
*a9ac8606Spatrick        getPointerTy(getConstTy(Pthread_mutexattr_tTy));
*a9ac8606Spatrick    Optional<QualType> ConstPthread_mutexattr_tPtrRestrictTy =
*a9ac8606Spatrick        getRestrictTy(ConstPthread_mutexattr_tPtrTy);
*a9ac8606Spatrick
*a9ac8606Spatrick    QualType PthreadStartRoutineTy = getPointerTy(
*a9ac8606Spatrick        ACtx.getFunctionType(/*ResultTy=*/VoidPtrTy, /*Args=*/VoidPtrTy,
*a9ac8606Spatrick                             FunctionProtoType::ExtProtoInfo()));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int pthread_cond_signal(pthread_cond_t *cond);
*a9ac8606Spatrick    // int pthread_cond_broadcast(pthread_cond_t *cond);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        {"pthread_cond_signal", "pthread_cond_broadcast"},
*a9ac8606Spatrick        Signature(ArgTypes{Pthread_cond_tPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int pthread_create(pthread_t *restrict thread,
*a9ac8606Spatrick    //                    const pthread_attr_t *restrict attr,
*a9ac8606Spatrick    //                    void *(*start_routine)(void*), void *restrict arg);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "pthread_create",
*a9ac8606Spatrick        Signature(ArgTypes{Pthread_tPtrRestrictTy,
*a9ac8606Spatrick                           ConstPthread_attr_tPtrRestrictTy,
*a9ac8606Spatrick                           PthreadStartRoutineTy, VoidPtrRestrictTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(2))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int pthread_attr_destroy(pthread_attr_t *attr);
*a9ac8606Spatrick    // int pthread_attr_init(pthread_attr_t *attr);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        {"pthread_attr_destroy", "pthread_attr_init"},
*a9ac8606Spatrick        Signature(ArgTypes{Pthread_attr_tPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int pthread_attr_getstacksize(const pthread_attr_t *restrict attr,
*a9ac8606Spatrick    //                               size_t *restrict stacksize);
*a9ac8606Spatrick    // int pthread_attr_getguardsize(const pthread_attr_t *restrict attr,
*a9ac8606Spatrick    //                               size_t *restrict guardsize);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        {"pthread_attr_getstacksize", "pthread_attr_getguardsize"},
*a9ac8606Spatrick        Signature(ArgTypes{ConstPthread_attr_tPtrRestrictTy, SizePtrRestrictTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int pthread_attr_setstacksize(pthread_attr_t *attr, size_t stacksize);
*a9ac8606Spatrick    // int pthread_attr_setguardsize(pthread_attr_t *attr, size_t guardsize);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        {"pthread_attr_setstacksize", "pthread_attr_setguardsize"},
*a9ac8606Spatrick        Signature(ArgTypes{Pthread_attr_tPtrTy, SizeTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall)
*a9ac8606Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
*a9ac8606Spatrick            .ArgConstraint(
*a9ac8606Spatrick                ArgumentCondition(1, WithinRange, Range(0, SizeMax))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int pthread_mutex_init(pthread_mutex_t *restrict mutex, const
*a9ac8606Spatrick    //                        pthread_mutexattr_t *restrict attr);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "pthread_mutex_init",
*a9ac8606Spatrick        Signature(ArgTypes{Pthread_mutex_tPtrRestrictTy,
*a9ac8606Spatrick                           ConstPthread_mutexattr_tPtrRestrictTy},
*a9ac8606Spatrick                  RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // int pthread_mutex_destroy(pthread_mutex_t *mutex);
*a9ac8606Spatrick    // int pthread_mutex_lock(pthread_mutex_t *mutex);
*a9ac8606Spatrick    // int pthread_mutex_trylock(pthread_mutex_t *mutex);
*a9ac8606Spatrick    // int pthread_mutex_unlock(pthread_mutex_t *mutex);
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        {"pthread_mutex_destroy", "pthread_mutex_lock", "pthread_mutex_trylock",
*a9ac8606Spatrick         "pthread_mutex_unlock"},
*a9ac8606Spatrick        Signature(ArgTypes{Pthread_mutex_tPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
ec727ea7Spatrick  }
ec727ea7Spatrick
ec727ea7Spatrick  // Functions for testing.
ec727ea7Spatrick  if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "__not_null", Signature(ArgTypes{IntPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // Test range values.
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "__single_val_1", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1))));
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "__range_1_2", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(1, 2))));
*a9ac8606Spatrick    addToFunctionSummaryMap("__range_1_2__4_5",
*a9ac8606Spatrick                            Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick                            Summary(EvalCallAsPure)
*a9ac8606Spatrick                                .ArgConstraint(ArgumentCondition(
*a9ac8606Spatrick                                    0U, WithinRange, Range({1, 2}, {4, 5}))));
*a9ac8606Spatrick
*a9ac8606Spatrick    // Test range kind.
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "__within", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1))));
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "__out_of", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure)
*a9ac8606Spatrick            .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1))));
*a9ac8606Spatrick
*a9ac8606Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "__two_constrained_args",
*a9ac8606Spatrick        Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure)
ec727ea7Spatrick            .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))
ec727ea7Spatrick            .ArgConstraint(ArgumentCondition(1U, WithinRange, SingleValue(1))));
ec727ea7Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "__arg_constrained_twice", Signature(ArgTypes{IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure)
ec727ea7Spatrick            .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1)))
ec727ea7Spatrick            .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(2))));
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "__defaultparam",
*a9ac8606Spatrick        Signature(ArgTypes{Irrelevant, IntTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0))));
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "__variadic",
*a9ac8606Spatrick        Signature(ArgTypes{VoidPtrTy, ConstCharPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure)
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(0)))
ec727ea7Spatrick            .ArgConstraint(NotNull(ArgNo(1))));
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "__buf_size_arg_constraint",
*a9ac8606Spatrick        Signature(ArgTypes{ConstVoidPtrTy, SizeTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure)
ec727ea7Spatrick            .ArgConstraint(
ec727ea7Spatrick                BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1))));
ec727ea7Spatrick    addToFunctionSummaryMap(
ec727ea7Spatrick        "__buf_size_arg_constraint_mul",
*a9ac8606Spatrick        Signature(ArgTypes{ConstVoidPtrTy, SizeTy, SizeTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure)
ec727ea7Spatrick            .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1),
ec727ea7Spatrick                                      /*BufSizeMultiplier=*/ArgNo(2))));
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        "__buf_size_arg_constraint_concrete",
*a9ac8606Spatrick        Signature(ArgTypes{ConstVoidPtrTy}, RetType{IntTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure)
*a9ac8606Spatrick            .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0),
*a9ac8606Spatrick                                      /*BufSize=*/BVF.getValue(10, IntTy))));
*a9ac8606Spatrick    addToFunctionSummaryMap(
*a9ac8606Spatrick        {"__test_restrict_param_0", "__test_restrict_param_1",
*a9ac8606Spatrick         "__test_restrict_param_2"},
*a9ac8606Spatrick        Signature(ArgTypes{VoidPtrRestrictTy}, RetType{VoidTy}),
*a9ac8606Spatrick        Summary(EvalCallAsPure));
ec727ea7Spatrick  }
*a9ac8606Spatrick
*a9ac8606Spatrick  SummariesInitialized = true;
e5dd7070Spatrick}
e5dd7070Spatrick
e5dd7070Spatrickvoid ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) {
ec727ea7Spatrick  auto *Checker = mgr.registerChecker<StdLibraryFunctionsChecker>();
ec727ea7Spatrick  Checker->DisplayLoadedSummaries =
ec727ea7Spatrick      mgr.getAnalyzerOptions().getCheckerBooleanOption(
ec727ea7Spatrick          Checker, "DisplayLoadedSummaries");
ec727ea7Spatrick  Checker->ModelPOSIX =
ec727ea7Spatrick      mgr.getAnalyzerOptions().getCheckerBooleanOption(Checker, "ModelPOSIX");
e5dd7070Spatrick}
e5dd7070Spatrick
*a9ac8606Spatrickbool ento::shouldRegisterStdCLibraryFunctionsChecker(
*a9ac8606Spatrick    const CheckerManager &mgr) {
e5dd7070Spatrick  return true;
e5dd7070Spatrick}
ec727ea7Spatrick
ec727ea7Spatrick#define REGISTER_CHECKER(name)                                                 \
ec727ea7Spatrick  void ento::register##name(CheckerManager &mgr) {                             \
ec727ea7Spatrick    StdLibraryFunctionsChecker *checker =                                      \
ec727ea7Spatrick        mgr.getChecker<StdLibraryFunctionsChecker>();                          \
ec727ea7Spatrick    checker->ChecksEnabled[StdLibraryFunctionsChecker::CK_##name] = true;      \
ec727ea7Spatrick    checker->CheckNames[StdLibraryFunctionsChecker::CK_##name] =               \
ec727ea7Spatrick        mgr.getCurrentCheckerName();                                           \
ec727ea7Spatrick  }                                                                            \
ec727ea7Spatrick                                                                               \
ec727ea7Spatrick  bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
ec727ea7Spatrick
ec727ea7SpatrickREGISTER_CHECKER(StdCLibraryFunctionArgsChecker)
ec727ea7SpatrickREGISTER_CHECKER(StdCLibraryFunctionsTesterChecker)