From fdc66e568f5c5b4329b9da07881a16e80179cfb9 Mon Sep 17 00:00:00 2001 From: Xiao Jia Date: Thu, 16 Nov 2023 15:27:04 -0800 Subject: [PATCH] Update --- .bazeliskrc | 1 - .bazelrc | 4 +- analyzer/proto/results.proto | 6 + cruleslib/basic/libtoolingargs.go | 10 +- cruleslib/i18n/localize_misra_analyzer.go | 2 +- cruleslib/runner/runner.go | 2 +- cruleslib/testlib/testlib.go | 15 +- libtooling_includes/cmd_options.h | 12 + misra/analyzer/cmd/Makefile | 3 +- .../cmd/locales/en/messages.gotext.json | 16 +- .../cmd/locales/zh/messages.gotext.json | 16 +- misra/analyzer/cmd/main.go | 32 +- .../checkrule/checkrule.go | 6 + misra/checker_integration/csa/run_csa.go | 4 + misra/libtooling_utils/libtooling_utils.h | 24 + misra/rule_1_1/checker.cc | 86 + misra/rule_1_1/checker.h | 6 + misra/rule_1_1/main.cc | 8 +- .../rule_4_10_1/libtooling/checker.cc | 32 +- .../rule_4_10_1/libtooling/checker.h | 1 + misra_cpp_2008/rule_4_10_1/libtooling/lib.h | 4 +- misra_cpp_2008/rule_4_10_1/libtooling/main.cc | 4 +- .../rule_4_10_1/libtooling/realmain.cc | 1 + podman_image/Containerfile.toyrules | 5 + podman_image/Makefile | 13 + podman_image/bigmain/BUILD | 19 + podman_image/bigmain_symlink | 3 + third_party/cppcheck/addons/misra.py | 94 +- .../clang/StaticAnalyzer/Checkers/Checkers.td | 66 + .../StaticAnalyzer/Checkers/CMakeLists.txt | 4 + .../Checkers/cwe-120-CStringChecker.cpp | 2649 +++++++++++++++++ .../Checkers/cwe-121-ArrayBoundCheckerV2.cpp | 401 +++ .../cwe-124-127-BufferUnderAccessChecker.cpp | 357 +++ .../cwe-126-BufferOverAccessChecker.cpp | 302 ++ .../Checkers/cwe-134-TaintArgvChecker.cpp | 110 + toy_rules/.gitignore | 15 + toy_rules/analyzer/run.go | 54 + toy_rules/rule_1/libtooling/BUILD | 41 + toy_rules/rule_1/libtooling/checker.cc | 70 + toy_rules/rule_1/libtooling/checker.h | 47 + toy_rules/rule_1/libtooling/lib.h | 32 + toy_rules/rule_1/libtooling/main.cc | 24 + toy_rules/rule_1/libtooling/rule_1.cc | 80 + toy_rules/rule_1/rule_1.go | 30 + 44 files changed, 4630 insertions(+), 81 deletions(-) delete mode 100644 .bazeliskrc create mode 100644 podman_image/Containerfile.toyrules create mode 100644 third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-120-CStringChecker.cpp create mode 100644 third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-121-ArrayBoundCheckerV2.cpp create mode 100644 third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-124-127-BufferUnderAccessChecker.cpp create mode 100644 third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-126-BufferOverAccessChecker.cpp create mode 100644 third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-134-TaintArgvChecker.cpp create mode 100644 toy_rules/.gitignore create mode 100644 toy_rules/analyzer/run.go create mode 100644 toy_rules/rule_1/libtooling/BUILD create mode 100644 toy_rules/rule_1/libtooling/checker.cc create mode 100644 toy_rules/rule_1/libtooling/checker.h create mode 100644 toy_rules/rule_1/libtooling/lib.h create mode 100644 toy_rules/rule_1/libtooling/main.cc create mode 100644 toy_rules/rule_1/libtooling/rule_1.cc create mode 100644 toy_rules/rule_1/rule_1.go diff --git a/.bazeliskrc b/.bazeliskrc deleted file mode 100644 index 56d8926b32..0000000000 --- a/.bazeliskrc +++ /dev/null @@ -1 +0,0 @@ -USE_BAZEL_VERSION=6.0.0 diff --git a/.bazelrc b/.bazelrc index 88455562dd..2717a86852 100644 --- a/.bazelrc +++ b/.bazelrc @@ -20,9 +20,9 @@ build --copt=-Wall --copt=-Werror --host_copt=-Wall --host_copt=-Werror build --copt=-Wno-unused --host_copt=-Wno-unused # To build zlib -# TODO(xjia): remove if https://github.com/madler/zlib/issues/633 is resolved +# TODO: remove if https://github.com/madler/zlib/issues/633 is resolved build --copt=-Wno-deprecated-non-prototype build --host_copt=-Wno-deprecated-non-prototype -# TODO(xjia): remove the following two lines once all of us move to Clang 15+ +# TODO: remove the following two lines once all of us move to Clang 15+ build --copt=-Wno-unknown-warning-option build --host_copt=-Wno-unknown-warning-option diff --git a/analyzer/proto/results.proto b/analyzer/proto/results.proto index 93f950fa08..94fd181215 100644 --- a/analyzer/proto/results.proto +++ b/analyzer/proto/results.proto @@ -66,6 +66,8 @@ message Result { MISRA_C_2012_RULE_1_1_IOM_ID_CHAR = 1010116; MISRA_C_2012_RULE_1_1_NESTED_COND_INCLU = 1010117; MISRA_C_2012_RULE_1_1_BLOCK_ID = 1010118; + MISRA_C_2012_RULE_1_1_NESTED_DECL = 1010119; + MISRA_C_2012_RULE_1_1_MODIFY_DECL = 1010120; MISRA_C_2012_RULE_1_3 = 1010301; MISRA_C_2012_RULE_1_4 = 1010400; MISRA_C_2012_RULE_2_1 = 1020101; @@ -552,6 +554,10 @@ message Result { string nested_cond_inclu_count = 60; string block_id_limit = 61; string block_id_count = 62; + string nested_decl_limit = 63; + string nested_decl_count = 64; + string modify_decl_limit = 65; + string modify_decl_count = 66; int32 severity = 21; string code_line_hash = 22; diff --git a/cruleslib/basic/libtoolingargs.go b/cruleslib/basic/libtoolingargs.go index 97b0cbbe4c..82bca26796 100644 --- a/cruleslib/basic/libtoolingargs.go +++ b/cruleslib/basic/libtoolingargs.go @@ -53,6 +53,8 @@ const ( kIoMIDCharLimit string = "IoMIDCharLimit" // IoM: Internal or Macro kNestedCondIncluLimit string = "NestedCondIncluLimit" kBlockIDLimit string = "BlockIDLimit" + kNestedDeclLimit string = "NestedDeclLimit" + kModifyDeclLimit string = "ModifyDeclLimit" ) var libtoolingExtraArgsMap = map[string][]string{ @@ -60,8 +62,8 @@ var libtoolingExtraArgsMap = map[string][]string{ kNestedRecordLimit, kNestedExprLimit, kSwitchCaseLimit, kEnumConstantLimit, kStringCharLimit, kExternIDLimit, kCaseSensitive, kLimit, kMacroIDLimit, kMacroParmLimit, kMacroArgLimit, kNestedBlockLimit, kNestedIncludeLimit, - kImplicitDecl, kIoMIDCharLimit, kNestedCondIncluLimit, kBlockIDLimit}, - + kImplicitDecl, kIoMIDCharLimit, kNestedCondIncluLimit, kBlockIDLimit, + kNestedDeclLimit, kModifyDeclLimit}, "misra_c_2012/rule_5_1": {kCaseSensitive, kLimit, kImplicitDecl}, "misra_c_2012/rule_13_2": {kAggressiveMode}, "misra_c_2012/rule_13_5": {kAggressiveMode}, @@ -69,8 +71,8 @@ var libtoolingExtraArgsMap = map[string][]string{ kNestedRecordLimit, kNestedExprLimit, kSwitchCaseLimit, kEnumConstantLimit, kStringCharLimit, kExternIDLimit, kCaseSensitive, kLimit, kMacroIDLimit, kMacroParmLimit, kMacroArgLimit, kNestedBlockLimit, kNestedIncludeLimit, - kImplicitDecl, kIoMIDCharLimit, kNestedCondIncluLimit, kBlockIDLimit}, - + kImplicitDecl, kIoMIDCharLimit, kNestedCondIncluLimit, kBlockIDLimit, + kNestedDeclLimit, kModifyDeclLimit}, "misra/rule_5_1": {kCaseSensitive, kLimit, kImplicitDecl}, "misra/rule_13_2": {kAggressiveMode}, "misra/rule_13_5": {kAggressiveMode}, diff --git a/cruleslib/i18n/localize_misra_analyzer.go b/cruleslib/i18n/localize_misra_analyzer.go index 85c1d5e0d4..7047cba737 100644 --- a/cruleslib/i18n/localize_misra_analyzer.go +++ b/cruleslib/i18n/localize_misra_analyzer.go @@ -153,7 +153,7 @@ func localizeErrorMessage(result *pb.Result, p *message.Printer) string { case pb.Result_MISRA_C_2012_RULE_9_5: return p.Sprintf("[C1201][misra-c2012-9.5]: violation of misra-c2012-9.5") case pb.Result_MISRA_C_2012_RULE_10_1: - return p.Sprintf("[C0808][misra-c2012-10.1]: violation of misra-c2012-10.1") + return p.Sprintf("[C0808][misra-c2012-10.1]: violation of misra-c2012-10.1\n%s", result.ExternalMessage) case pb.Result_MISRA_C_2012_RULE_10_2: return p.Sprintf("[C0807][misra-c2012-10.2]: violation of misra-c2012-10.2") case pb.Result_MISRA_C_2012_RULE_10_3: diff --git a/cruleslib/runner/runner.go b/cruleslib/runner/runner.go index e4e959ae21..3f36bb8604 100644 --- a/cruleslib/runner/runner.go +++ b/cruleslib/runner/runner.go @@ -116,7 +116,7 @@ func modifyResult(result *analyzerResult) { } else if edition == "autosar" { ruleName = strings.TrimPrefix(ruleName, "rule_") r.ErrorMessage = fmt.Sprintf("[%s][%s-%s]: %s", ruleName, edition, ruleStr, r.ErrorMessage) - } else { + } else if edition != "misra_c_2012" { r.ErrorMessage = fmt.Sprintf("[%s][%s-%s]: %s", strings.ToUpper(ruleName), edition, ruleName, r.ErrorMessage) } } diff --git a/cruleslib/testlib/testlib.go b/cruleslib/testlib/testlib.go index 3507dba446..237935f3ff 100644 --- a/cruleslib/testlib/testlib.go +++ b/cruleslib/testlib/testlib.go @@ -35,7 +35,20 @@ import ( "naive.systems/analyzer/misra/utils" ) -var checkingStandards = []string{"gjb5369", "gjb8114", "misra_cpp_2008", "cwe", "autosar", "googlecpp", "clang-tidy", "misra", "cppcheck"} +var checkingStandards = []string{ + // BEGIN-INTERNAL + "gjb5369", + "gjb8114", + "cwe", + "clang-tidy", + "cppcheck", + // END-INTERNAL + "misra", + "misra_cpp_2008", + "autosar", + "googlecpp", + "toy_rules", +} func getCheckerConfig(projectBaseDir string) *proto.CheckerConfiguration { checkerConfig := proto.CheckerConfiguration{ diff --git a/libtooling_includes/cmd_options.h b/libtooling_includes/cmd_options.h index 10294be499..3f1de2aaa7 100644 --- a/libtooling_includes/cmd_options.h +++ b/libtooling_includes/cmd_options.h @@ -126,6 +126,18 @@ llvm::cl::opt iom_id_char_limit( "significant initial characters limit count in an internal identifier or a macro name, default 63"), llvm::cl::init(63), llvm::cl::cat(ns_libtooling_checker)); +llvm::cl::opt nested_decl_limit( + "NestedDeclLimit", + llvm::cl::desc( + "nesting level limit count for parenthesized declaration, default 63"), + llvm::cl::init(63), llvm::cl::cat(ns_libtooling_checker)); + +llvm::cl::opt modify_decl_limit( + "ModifyDeclLimit", + llvm::cl::desc( + "pointer, array, and function declarators limit count (in any combinations) modifying an arithmetic, structure, union, or void type in a declaration, default 12"), + llvm::cl::init(12), llvm::cl::cat(ns_libtooling_checker)); + llvm::cl::opt nested_cond_inclu_limit( "NestedCondIncluLimit", llvm::cl::desc( diff --git a/misra/analyzer/cmd/Makefile b/misra/analyzer/cmd/Makefile index 409cec00b1..b03ec33030 100644 --- a/misra/analyzer/cmd/Makefile +++ b/misra/analyzer/cmd/Makefile @@ -1,7 +1,6 @@ LIMIT=0 NUM_WORKERS=0 -LICENSED_TO="测试用户" LANG="zh" all: go generate naive.systems/analyzer/misra/... - go build -tags static -o misra_analyzer -ldflags "-X main.linesLimitStr=$(LIMIT) -X main.licensedEntity=$(LICENSED_TO) -X main.numWorkersStr=$(NUM_WORKERS) -X main.lang=$(LANG)" + go build -tags static -o misra_analyzer -ldflags "-X main.linesLimitStr=$(LIMIT) -X main.numWorkersStr=$(NUM_WORKERS) -X main.lang=$(LANG)" diff --git a/misra/analyzer/cmd/locales/en/messages.gotext.json b/misra/analyzer/cmd/locales/en/messages.gotext.json index a3dbf4fa27..a715da1687 100644 --- a/misra/analyzer/cmd/locales/en/messages.gotext.json +++ b/misra/analyzer/cmd/locales/en/messages.gotext.json @@ -1146,10 +1146,20 @@ "fuzzy": true }, { - "id": "[C0808][misra-c2012-10.1]: violation of misra-c2012-10.1", - "message": "[C0808][misra-c2012-10.1]: violation of misra-c2012-10.1", - "translation": "[C0808][misra-c2012-10.1]: Violation of MISRA C:2012 Rule 10.1: Operands shall not be of an inappropriate essential type", + "id": "[C0808][misra-c2012-10.1]: violation of misra-c2012-10.1\n{ExternalMessage}", + "message": "[C0808][misra-c2012-10.1]: violation of misra-c2012-10.1\n{ExternalMessage}", + "translation": "[C0808][misra-c2012-10.1]: Violation of MISRA C:2012 Rule 10.1: Operands shall not be of an inappropriate essential type\n{ExternalMessage}", "translatorComment": "Copied from source.", + "placeholders": [ + { + "id": "ExternalMessage", + "string": "%[1]s", + "type": "string", + "underlyingType": "string", + "argNum": 1, + "expr": "result.ExternalMessage" + } + ], "fuzzy": true }, { diff --git a/misra/analyzer/cmd/locales/zh/messages.gotext.json b/misra/analyzer/cmd/locales/zh/messages.gotext.json index c8cb2a4f31..ba2ca6f83c 100644 --- a/misra/analyzer/cmd/locales/zh/messages.gotext.json +++ b/misra/analyzer/cmd/locales/zh/messages.gotext.json @@ -1006,9 +1006,19 @@ "translation": "[C1201][misra-c2012-9.5]: 对数组对象进行指定初始化时,必须显式指定数组大小" }, { - "id": "[C0808][misra-c2012-10.1]: violation of misra-c2012-10.1", - "message": "[C0808][misra-c2012-10.1]: violation of misra-c2012-10.1", - "translation": "[C0808][misra-c2012-10.1]: 操作数不得为不合适的基本类型" + "id": "[C0808][misra-c2012-10.1]: violation of misra-c2012-10.1\n{ExternalMessage}", + "message": "[C0808][misra-c2012-10.1]: violation of misra-c2012-10.1\n{ExternalMessage}", + "translation": "[C0808][misra-c2012-10.1]: 操作数不得为不合适的基本类型\n{ExternalMessage}", + "placeholders": [ + { + "id": "ExternalMessage", + "string": "%[1]s", + "type": "string", + "underlyingType": "string", + "argNum": 1, + "expr": "result.ExternalMessage" + } + ] }, { "id": "[C0807][misra-c2012-10.2]: violation of misra-c2012-10.2", diff --git a/misra/analyzer/cmd/main.go b/misra/analyzer/cmd/main.go index d52efd5b30..a74f36a699 100644 --- a/misra/analyzer/cmd/main.go +++ b/misra/analyzer/cmd/main.go @@ -45,6 +45,7 @@ import ( "naive.systems/analyzer/misra/checker_integration/checkrule" misra_c_2012_crules "naive.systems/analyzer/misra_c_2012_crules/analyzer" misra_cpp_2008 "naive.systems/analyzer/misra_cpp_2008/analyzer" + toy_rules "naive.systems/analyzer/toy_rules/analyzer" ) var compileCommandsPath = "/src/compile_commands.json" @@ -53,23 +54,20 @@ var linesLimitStr string = "0" var numWorkersStr string = "0" var lang string = "zh" -var ruleSets = []string{ - "googlecpp", "misra_cpp_2008", "autosar", "misra_c_2012"} +var ruleSets = map[string]string{ + "googlecpp": "cpp", + "misra_cpp_2008": "cpp", + "autosar": "cpp", + "misra_c_2012": "c", + "toy_rules": "cpp", +} -func isCOnly(rule string) bool { - switch rule { - case "misra_c_2012": - return true - } - return false +func isCOnly(ruleSet string) bool { + return ruleSets[ruleSet] == "c" } -func isCPPOnly(rule string) bool { - switch rule { - case "googlecpp", "misra_cpp_2008", "autosar": - return true - } - return false +func isCPPOnly(ruleSet string) bool { + return ruleSets[ruleSet] == "cpp" } func main() { @@ -216,7 +214,7 @@ func main() { csaSystemLibOptionsCopy := parsedCheckerConfig.CsaSystemLibOptions checkerPathsMap := map[string]string{} - for _, ruleSet := range ruleSets { + for ruleSet := range ruleSets { if ruleSet == "misra_c_2012" { checkerPathsMap["misra"] = filepath.Join(sharedOptions.GetCheckerPathRoot(), "misra") continue @@ -224,7 +222,7 @@ func main() { checkerPathsMap[ruleSet] = filepath.Join(sharedOptions.GetCheckerPathRoot(), ruleSet) } - for _, ruleSet := range ruleSets { + for ruleSet := range ruleSets { if isCOnly(ruleSet) && projType == analyzerinterface.Keil { parsedCheckerConfig.CsaSystemLibOptions = *options.ConcatStringField("-isystem /usr/include", &parsedCheckerConfig.CsaSystemLibOptions) } else { @@ -387,6 +385,8 @@ func selectRun(rulePrefix string) (runFuncType, error) { return misra_c_2012_crules.Run, nil case "misra_cpp_2008": return misra_cpp_2008.Run, nil + case "toy_rules": + return toy_rules.Run, nil default: return nil, fmt.Errorf("No such rule runner found: %s", rulePrefix) } diff --git a/misra/checker_integration/checkrule/checkrule.go b/misra/checker_integration/checkrule/checkrule.go index 3835216cb2..56e75a5a25 100644 --- a/misra/checker_integration/checkrule/checkrule.go +++ b/misra/checker_integration/checkrule/checkrule.go @@ -44,6 +44,7 @@ type JSONOption struct { Limit *int `json:"limit,omitempty" yaml:"-"` Standard string `json:"standard,omitempty" yaml:"-"` MaxLoop *int `json:"max-loop,omitempty" yaml:"-"` + MaxNodes *int `json:"max-nodes,omitempty" yaml:"-"` Filters *FilterAndSinkFuncList `json:"taintFilters,omitempty" yaml:"Filters,omitempty"` Sources *SourceFuncList `json:"taintSources,omitempty" yaml:"Propagations,omitempty"` Sinks *FilterAndSinkFuncList `json:"taintSinks,omitempty" yaml:"Sinks,omitempty"` @@ -86,6 +87,8 @@ type JSONOption struct { IoMIDCharLimit *int `json:"iom-id-char-limit,omitempty" yaml:"-"` //misra_c_2012/rule_1_1 NestedCondIncluLimit *int `json:"nested-cond-inclu-limit,omitempty" yaml:"-"` //misra_c_2012/rule_1_1 BlockIDLimit *int `json:"block-id-limit,omitempty" yaml:"-"` //misra_c_2012/rule_1_1 + NestedDeclLimit *int `json:"nested-decl-limit,omitempty" yaml:"-"` //misra_c_2012/rule_1_1 + ModifyDeclLimit *int `json:"modify-decl-limit,omitempty" yaml:"-"` //misra_c_2012/rule_1_1 } type FilterAndSinkFunc struct { @@ -185,6 +188,9 @@ func (jsonOption *JSONOption) Update(newOption JSONOption) { if newOption.MaxLoop != nil { jsonOption.MaxLoop = newOption.MaxLoop } + if newOption.MaxNodes != nil { + jsonOption.MaxNodes = newOption.MaxNodes + } if newOption.Sinks != nil { jsonOption.Sinks = newOption.Sinks } diff --git a/misra/checker_integration/csa/run_csa.go b/misra/checker_integration/csa/run_csa.go index f07962e415..678d1c10c7 100644 --- a/misra/checker_integration/csa/run_csa.go +++ b/misra/checker_integration/csa/run_csa.go @@ -137,6 +137,10 @@ func runSingleCSA( if maxLoop != nil { cmd_arr = append(cmd_arr, "-Xanalyzer", "-analyzer-max-loop", "-Xanalyzer", strconv.Itoa(*maxLoop)) } + maxNodes := jsonOptions.MaxNodes + if maxNodes != nil { + cmd_arr = append(cmd_arr, "-Xanalyzer", "-analyzer-config", "-Xanalyzer", "max-nodes="+strconv.Itoa(*maxNodes)) + } // this cmd is only for cwe 789 if checkerOptions == "-analyzer-checker=cwe.ExcessiveMemoryAllocation" { MaximumAllowedSize := jsonOptions.MaximumAllowedSize diff --git a/misra/libtooling_utils/libtooling_utils.h b/misra/libtooling_utils/libtooling_utils.h index a263d0e126..ed0b022c39 100644 --- a/misra/libtooling_utils/libtooling_utils.h +++ b/misra/libtooling_utils/libtooling_utils.h @@ -237,6 +237,22 @@ class ASTVisitor : public RecursiveASTVisitor { funcDecls.emplace_back(fd); // Store the node return true; // Continue traversal } + bool VisitArrayType(const ArrayType* at) { + arrayTypes.emplace_back(at); // Store the node + return true; // Continue traversal + } + bool VisitFunctionType(const FunctionType* ft) { + funcTypes.emplace_back(ft); // Store the node + return true; // Continue traversal + } + bool VisitPointerType(const PointerType* pt) { + ptrTypes.emplace_back(pt); // Store the node + return true; // Continue traversal + } + bool VisitParenType(const ParenType* pt) { + parenTypes.emplace_back(pt); // Store the node + return true; // Continue traversal + } const vector& getMemberCalls() const { return memberCalls; } @@ -256,6 +272,10 @@ class ASTVisitor : public RecursiveASTVisitor { return binaryOps; } const vector& getFuncDecls() const { return funcDecls; } + const vector& getArrayTypes() const { return arrayTypes; } + const vector& getFuncTypes() const { return funcTypes; } + const vector& getPtrTypes() const { return ptrTypes; } + const vector& getParenTypes() const { return parenTypes; } private: vector memberCalls{}; @@ -266,6 +286,10 @@ class ASTVisitor : public RecursiveASTVisitor { vector varDecls{}; vector binaryOps{}; vector funcDecls{}; + vector arrayTypes{}; + vector funcTypes{}; + vector ptrTypes{}; + vector parenTypes{}; }; string GetExprName(const Expr* expr, SourceManager* sm, ASTContext* context); diff --git a/misra/rule_1_1/checker.cc b/misra/rule_1_1/checker.cc index 0a6015512d..bfe13d021f 100644 --- a/misra/rule_1_1/checker.cc +++ b/misra/rule_1_1/checker.cc @@ -223,6 +223,30 @@ void ReportBlockIDError(int block_id_limit, int block_id_count, string path, pb_result->set_block_id_count(to_string(block_id_count)); } +void ReportNestedDeclError(int nested_decl_limit, int nested_decl_count, + string declarator, string path, int line_number, + ResultsList* results_list) { + analyzer::proto::Result* pb_result = + AddResultToResultsList(results_list, path, line_number, error_message); + pb_result->set_error_kind( + analyzer::proto::Result_ErrorKind_MISRA_C_2012_RULE_1_1_NESTED_DECL); + pb_result->set_nested_decl_limit(to_string(nested_decl_limit)); + pb_result->set_nested_decl_count(to_string(nested_decl_count)); + pb_result->set_name(declarator); +} + +void ReportModifyDeclError(int modify_decl_limit, int modify_decl_count, + string declarator, string path, int line_number, + ResultsList* results_list) { + analyzer::proto::Result* pb_result = + AddResultToResultsList(results_list, path, line_number, error_message); + pb_result->set_error_kind( + analyzer::proto::Result_ErrorKind_MISRA_C_2012_RULE_1_1_MODIFY_DECL); + pb_result->set_modify_decl_limit(to_string(modify_decl_limit)); + pb_result->set_modify_decl_count(to_string(modify_decl_count)); + pb_result->set_name(declarator); +} + } // namespace namespace misra { @@ -663,6 +687,62 @@ class BlockIDCallback : public MatchFinder::MatchCallback { ResultsList* results_list_; }; +class NestedDeclCallback : public MatchFinder::MatchCallback { + public: + void Init(int nested_decl_limit, ResultsList* results_list, + MatchFinder* finder) { + nested_decl_limit_ = nested_decl_limit; + results_list_ = results_list; + finder->addMatcher( + declaratorDecl(unless(isExpansionInSystemHeader())).bind("dd"), this); + } + + void run(const MatchFinder::MatchResult& result) override { + const DeclaratorDecl* dd = result.Nodes.getNodeAs("dd"); + libtooling_utils::ASTVisitor visitor; + visitor.TraverseType(dd->getType()); + unsigned nested_decl_count = visitor.getParenTypes().size(); + if (nested_decl_count > nested_decl_limit_) + ReportNestedDeclError( + nested_decl_limit_, nested_decl_count, dd->getQualifiedNameAsString(), + libtooling_utils::GetFilename(dd, result.SourceManager), + libtooling_utils::GetLine(dd, result.SourceManager), results_list_); + } + + private: + int nested_decl_limit_; + ResultsList* results_list_; +}; + +class ModifyDeclCallback : public MatchFinder::MatchCallback { + public: + void Init(int modify_decl_limit, ResultsList* results_list, + MatchFinder* finder) { + modify_decl_limit_ = modify_decl_limit; + results_list_ = results_list; + finder->addMatcher( + declaratorDecl(unless(isExpansionInSystemHeader())).bind("dd"), this); + } + + void run(const MatchFinder::MatchResult& result) override { + const DeclaratorDecl* dd = result.Nodes.getNodeAs("dd"); + libtooling_utils::ASTVisitor visitor; + visitor.TraverseType(dd->getType()); + unsigned modify_decl_count = visitor.getArrayTypes().size() + + visitor.getPtrTypes().size() + + visitor.getFuncTypes().size(); + if (modify_decl_count > modify_decl_limit_) + ReportModifyDeclError( + modify_decl_limit_, modify_decl_count, dd->getQualifiedNameAsString(), + libtooling_utils::GetFilename(dd, result.SourceManager), + libtooling_utils::GetLine(dd, result.SourceManager), results_list_); + } + + private: + int modify_decl_limit_; + ResultsList* results_list_; +}; + void PPCheck::MacroExpands(const Token& MacroNameTok, const MacroDefinition& MD, SourceRange Range, const MacroArgs* Args) { unsigned arg_count = Args ? Args->getNumMacroArguments() : 0; @@ -773,6 +853,12 @@ void ASTChecker::Init(LimitList* limits, ResultsList* results_list) { intern_id_char_callback_ = new InternIDCharCallback; intern_id_char_callback_->Init(limits->iom_id_char_limit, results_list_, &finder_); + nested_decl_callback_ = new NestedDeclCallback; + nested_decl_callback_->Init(limits->nested_decl_limit, results_list_, + &finder_); + modify_decl_callback_ = new ModifyDeclCallback; + modify_decl_callback_->Init(limits->modify_decl_limit, results_list_, + &finder_); } void ASTChecker::Report() { diff --git a/misra/rule_1_1/checker.h b/misra/rule_1_1/checker.h index efef301c67..87845da232 100644 --- a/misra/rule_1_1/checker.h +++ b/misra/rule_1_1/checker.h @@ -60,6 +60,8 @@ struct LimitList { int iom_id_char_limit; int nested_cond_inclu_limit; int block_id_limit; + int nested_decl_limit; + int modify_decl_limit; }; class StructMemberCallback; @@ -74,6 +76,8 @@ class ExternIDCallback; class NestedBlockCallback; class InternIDCharCallback; class BlockIDCallback; +class NestedDeclCallback; +class ModifyDeclCallback; class ASTChecker { public: @@ -95,6 +99,8 @@ class ASTChecker { NestedBlockCallback* nested_block_callback_; InternIDCharCallback* intern_id_char_callback_; BlockIDCallback* block_id_callback_; + NestedDeclCallback* nested_decl_callback_; + ModifyDeclCallback* modify_decl_callback_; ast_matchers::MatchFinder finder_; ResultsList* results_list_; }; diff --git a/misra/rule_1_1/main.cc b/misra/rule_1_1/main.cc index 8402a39e51..f11ef177ee 100644 --- a/misra/rule_1_1/main.cc +++ b/misra/rule_1_1/main.cc @@ -46,6 +46,8 @@ extern cl::opt nested_include_limit; extern cl::opt iom_id_char_limit; extern cl::opt nested_cond_inclu_limit; extern cl::opt block_id_limit; +extern cl::opt nested_decl_limit; +extern cl::opt modify_decl_limit; namespace misra { namespace rule_1_1 { @@ -69,15 +71,14 @@ int rule_1_1(int argc, char** argv) { ClangTool tool(options_parser.getCompilations(), options_parser.getSourcePathList()); analyzer::proto::ResultsList all_results; - // running ASTChecker - misra::rule_1_1::ASTChecker ast_checker; LimitList limits{ struct_member_limit, function_parm_limit, function_arg_limit, nested_record_limit, nested_expr_limit, switch_case_limit, enum_constant_limit, string_char_limit, extern_id_limit, macro_id_limit, macro_parm_limit, macro_arg_limit, nested_block_limit, nested_include_limit, iom_id_char_limit, - nested_cond_inclu_limit, block_id_limit}; + nested_cond_inclu_limit, block_id_limit, nested_decl_limit, + modify_decl_limit}; // running PreprocessChecker misra::rule_1_1::PreprocessChecker preprocess_checker{&all_results, &limits}; @@ -85,6 +86,7 @@ int rule_1_1(int argc, char** argv) { LOG(INFO) << "libtooling status (PreprocessChecker): " << status << endl; // running ASTChecker + misra::rule_1_1::ASTChecker ast_checker; ast_checker.Init(&limits, &all_results); status = tool.run(newFrontendActionFactory(ast_checker.GetMatchFinder()).get()); diff --git a/misra_cpp_2008/rule_4_10_1/libtooling/checker.cc b/misra_cpp_2008/rule_4_10_1/libtooling/checker.cc index 45fd6b989b..1141bb708e 100644 --- a/misra_cpp_2008/rule_4_10_1/libtooling/checker.cc +++ b/misra_cpp_2008/rule_4_10_1/libtooling/checker.cc @@ -23,45 +23,47 @@ along with this program. If not, see . #include "absl/strings/str_format.h" #include "misra/libtooling_utils/libtooling_utils.h" -using namespace clang; +using namespace misra::proto_util; using namespace clang::ast_matchers; -using namespace llvm; + +using analyzer::proto::ResultsList; +using std::string; namespace misra_cpp_2008 { namespace rule_4_10_1 { namespace libtooling { -class Callback : public ast_matchers::MatchFinder::MatchCallback { + +class Callback : public MatchFinder::MatchCallback { public: - void Init(analyzer::proto::ResultsList* results_list, - ast_matchers::MatchFinder* finder) { + void Init(ResultsList* results_list, MatchFinder* finder) { results_list_ = results_list; finder->addMatcher( implicitCastExpr(hasSourceExpression(expr(gnuNullExpr())), - hasImplicitDestinationType(isInteger())) + hasImplicitDestinationType(isInteger()), + unless(isExpansionInSystemHeader())) .bind("cast"), this); } - void run(const ast_matchers::MatchFinder::MatchResult& result) override { - const Expr* e = result.Nodes.getNodeAs("cast"); + void run(const MatchFinder::MatchResult& result) override { + const Expr* expr = result.Nodes.getNodeAs("cast"); string error_message = "NULL不得用作整型值"; - string path = misra::libtooling_utils::GetFilename(e, result.SourceManager); - int line = misra::libtooling_utils::GetLine(e, result.SourceManager); + string path = + misra::libtooling_utils::GetFilename(expr, result.SourceManager); + int line = misra::libtooling_utils::GetLine(expr, result.SourceManager); analyzer::proto::Result* pb_result = - misra::proto_util::AddResultToResultsList(results_list_, path, line, - error_message); - pb_result->set_error_kind( - analyzer::proto::Result_ErrorKind_MISRA_CPP_2008_RULE_4_10_1); + AddResultToResultsList(results_list_, path, line, error_message); } private: - analyzer::proto::ResultsList* results_list_; + ResultsList* results_list_; }; void Checker::Init(analyzer::proto::ResultsList* result_list) { callback_ = new Callback; callback_->Init(result_list, &finder_); } + } // namespace libtooling } // namespace rule_4_10_1 } // namespace misra_cpp_2008 diff --git a/misra_cpp_2008/rule_4_10_1/libtooling/checker.h b/misra_cpp_2008/rule_4_10_1/libtooling/checker.h index b6563fd1b7..1c846b38ee 100644 --- a/misra_cpp_2008/rule_4_10_1/libtooling/checker.h +++ b/misra_cpp_2008/rule_4_10_1/libtooling/checker.h @@ -39,6 +39,7 @@ class Checker { ast_matchers::MatchFinder finder_; analyzer::proto::ResultsList* results_list_; }; + } // namespace libtooling } // namespace rule_4_10_1 } // namespace misra_cpp_2008 diff --git a/misra_cpp_2008/rule_4_10_1/libtooling/lib.h b/misra_cpp_2008/rule_4_10_1/libtooling/lib.h index 7115a79be9..87a3f70ecb 100644 --- a/misra_cpp_2008/rule_4_10_1/libtooling/lib.h +++ b/misra_cpp_2008/rule_4_10_1/libtooling/lib.h @@ -25,8 +25,8 @@ namespace libtooling { int rule_4_10_1(int argc, char** argv); -} +} // namespace libtooling } // namespace rule_4_10_1 } // namespace misra_cpp_2008 -#endif +#endif // ANALYZER_MISRA_CPP_2008_RULE_4_10_1_LIBTOOLING_LIB_H_ diff --git a/misra_cpp_2008/rule_4_10_1/libtooling/main.cc b/misra_cpp_2008/rule_4_10_1/libtooling/main.cc index bb4d530c83..45db9a4a09 100644 --- a/misra_cpp_2008/rule_4_10_1/libtooling/main.cc +++ b/misra_cpp_2008/rule_4_10_1/libtooling/main.cc @@ -37,6 +37,7 @@ extern cl::opt results_path; namespace misra_cpp_2008 { namespace rule_4_10_1 { namespace libtooling { + int rule_4_10_1(int argc, char** argv) { google::InitGoogleLogging(argv[0]); gflags::AllowCommandLineReparsing(); @@ -50,7 +51,7 @@ int rule_4_10_1(int argc, char** argv) { libtooling_argc, &const_argv[argc - libtooling_argc], ns_libtooling_checker); if (!ep) { - llvm::errs() << ep.takeError(); + errs() << ep.takeError(); return 1; } tooling::CommonOptionsParser& op = ep.get(); @@ -67,6 +68,7 @@ int rule_4_10_1(int argc, char** argv) { } return 0; } + } // namespace libtooling } // namespace rule_4_10_1 } // namespace misra_cpp_2008 diff --git a/misra_cpp_2008/rule_4_10_1/libtooling/realmain.cc b/misra_cpp_2008/rule_4_10_1/libtooling/realmain.cc index f9cc5c13cc..f225ea1514 100644 --- a/misra_cpp_2008/rule_4_10_1/libtooling/realmain.cc +++ b/misra_cpp_2008/rule_4_10_1/libtooling/realmain.cc @@ -18,6 +18,7 @@ along with this program. If not, see . #include "libtooling_includes/cmd_options.h" #include "misra_cpp_2008/rule_4_10_1/libtooling/lib.h" + int main(int argc, char** argv) { return misra_cpp_2008::rule_4_10_1::libtooling::rule_4_10_1(argc, argv); } diff --git a/podman_image/Containerfile.toyrules b/podman_image/Containerfile.toyrules new file mode 100644 index 0000000000..2c1d567dff --- /dev/null +++ b/podman_image/Containerfile.toyrules @@ -0,0 +1,5 @@ +ARG base_tag=dev + +FROM naive.systems/analyzer/misracpp:${base_tag} + +COPY "bigmain_toy_rules" "/opt/naivesystems/bigmain" diff --git a/podman_image/Makefile b/podman_image/Makefile index f0df0127a7..e8516e906a 100644 --- a/podman_image/Makefile +++ b/podman_image/Makefile @@ -29,6 +29,10 @@ bigmain_misra_c_2012: bigmain_misra_cpp_2008: $(BAZELBUILD) bigmain/bigmain_misra_cpp_2008 +.PHONY: bigmain_toy_rules +bigmain_toy_rules: + $(BAZELBUILD) bigmain/bigmain_toy_rules + .PHONY: build-base build-base: $(BAZELBUILD) @llvm-project//clang && cp ../bazel-bin/external/llvm-project/clang/clang clang @@ -83,6 +87,15 @@ build-autosar-en: podman build -f ./Containerfile.autosar --build-arg base_tag=dev_en -t naive.systems/analyzer/autosar:dev_en ./tmpWorkSpace $(MAKE) clean +.PHONY: build-toy-rules-en +build-toy-rules-en: + $(MAKE) build-misra-cpp-en + mkdir -p tmpWorkSpace + $(MAKE) bigmain_toy_rules + cp ../bazel-bin/podman_image/bigmain/bigmain_toy_rules ./tmpWorkSpace + podman build -f ./Containerfile.toyrules --build-arg base_tag=dev_en -t naive.systems/analyzer/toyrules:dev_en ./tmpWorkSpace + $(MAKE) clean + .PHONY: build-misra-cpp-en build-misra-cpp-en: $(MAKE) build diff --git a/podman_image/bigmain/BUILD b/podman_image/bigmain/BUILD index 80853a336a..a4db4f58de 100644 --- a/podman_image/bigmain/BUILD +++ b/podman_image/bigmain/BUILD @@ -434,6 +434,13 @@ cc_library( ], ) +cc_library( + name = "toy_rules_deps", + deps = [ + "//toy_rules/rule_1/libtooling:rule_1_lib", + ], +) + cc_library( name = "rule", hdrs = ["rule.h"], @@ -504,3 +511,15 @@ cc_binary( ], ) +cc_binary( + name = "bigmain_toy_rules", + srcs = ["main.cc"], + deps = [ + ":rule", + ":toy_rules_deps", + "//libtooling_includes:cmd_options", + "@com_github_google_glog//:glog", + "@com_google_absl//absl/strings:str_format", + ], +) + diff --git a/podman_image/bigmain_symlink b/podman_image/bigmain_symlink index 67e3a8a2d2..69f59af209 100644 --- a/podman_image/bigmain_symlink +++ b/podman_image/bigmain_symlink @@ -404,3 +404,6 @@ ln -s /opt/naivesystems/bigmain /opt/naivesystems/autosar/rule_A8_5_3 ln -s /opt/naivesystems/bigmain /opt/naivesystems/autosar/rule_A8_5_4 ln -s /opt/naivesystems/bigmain /opt/naivesystems/autosar/rule_A9_3_1 ln -s /opt/naivesystems/bigmain /opt/naivesystems/autosar/rule_A9_5_1 + +mkdir /opt/naivesystems/toy_rules +ln -s /opt/naivesystems/bigmain /opt/naivesystems/toy_rules/rule_1 diff --git a/third_party/cppcheck/addons/misra.py b/third_party/cppcheck/addons/misra.py index 10c89b4ae6..13944b01d6 100755 --- a/third_party/cppcheck/addons/misra.py +++ b/third_party/cppcheck/addons/misra.py @@ -1617,7 +1617,7 @@ class Result: "c2012-21.16": "[C0405]", "c2012-21.21": "[C0421]", } - def __init__(self, path, line_num, err_msg, optional_flag = False, other_locations = None, error_numbers = None): + def __init__(self, path, line_num, err_msg, optional_flag = False, other_locations = None, error_numbers = None, external_message = None): ns_tag = "" if err_msg in self.rule_trans_map: ns_tag = self.rule_trans_map[err_msg] @@ -1634,6 +1634,10 @@ def __init__(self, path, line_num, err_msg, optional_flag = False, other_locatio if other_locations is not None: for loc in other_locations: self.locations.append(ErrorLocation(loc.file, loc.linenr)) + if not external_message or external_message == '': + self.external_message = None + else: + self.external_message = external_message class NaiveSystemsResult: rule_trans_map = { @@ -2895,48 +2899,57 @@ def getEnumPrefix(essentialTypeCategory): if token.str not in ('++', '--', '+', '-', '[', '!', '~'): continue if token.str in ('++', '--'): - if e1 in ('bool', 'enum') or e2 in ('bool', 'enum') : - self.reportError(token, 10, 1) + if e1 in ('bool', 'enum'): + self.reportError(token, 10, 1, category = [e1]) + elif e2 in ('bool', 'enum'): + self.reportError(token, 10, 1, category = [e2]) elif token.str in ('+', '-'): if e1 in ('bool', 'enum', 'char'): - self.reportError(token, 10, 1) + self.reportError(token, 10, 1, category = [e1]) elif token.str == '-' and isUnsignedType(e1): - self.reportError(token, 10, 1) + self.reportError(token, 10, 1, category = [e1]) elif token.str == '[': if token.link.str == ']' and e2 in ('bool', 'char', 'floating'): - self.reportError(token, 10, 1) + self.reportError(token, 10, 1, category = [e2]) elif token.str == '!': if e1 != 'bool': - self.reportError(token, 10, 1) + self.reportError(token, 10, 1, category = [e1]) elif token.str == '~': if not isUnsignedType(e1): - self.reportError(token, 10, 1) + self.reportError(token, 10, 1, category = [e1]) if token.str in ('<<', '>>'): if not isUnsignedType(e1): - self.reportError(token, 10, 1) + self.reportError(token, 10, 1, category = [e1, '']) elif not isUnsignedType(e2) and (not token.astOperand2.isNumber or token.astOperand2.getKnownIntValue() < 0): - self.reportError(token, 10, 1) + self.reportError(token, 10, 1, category = ['', e2]) elif token.str in ('+', '-', '+=', '-='): - if e1 in ('bool', 'enum') or e2 in ('bool', 'enum') : - self.reportError(token, 10, 1) + category = [e for e in (e1, e2) if e in ('bool', 'enum')] + if any(category): + self.reportError(token, 10, 1, category = category) elif token.str in ('*', '/', '%'): - if e1 in ('bool', 'enum', 'char') or e2 in ('bool', 'enum', 'char') : - self.reportError(token, 10, 1) - if token.str == '%' and (e1 == 'floating' or e2 == 'floating'): - self.reportError(token, 10, 1) + category = [e for e in (e1, e2) if e in ('bool', 'enum', 'char')] + if any(category): + self.reportError(token, 10, 1, category = category) + if token.str == '%': + category = [e for e in (e1, e2) if e == 'floating'] + if any(category): + self.reportError(token, 10, 1, category = category) elif token.str in ('>', '<', '<=', '>='): - if e1 == 'bool' or e2 == 'bool': - self.reportError(token, 10, 1) + category = [e for e in (e1, e2) if e == 'bool'] + if any(category): + self.reportError(token, 10, 1, category = category) elif token.str in ('&&', '||'): - if e1 != 'bool' or e2 != 'bool': - self.reportError(token, 10, 1) + category = [e for e in (e1, e2) if e != 'bool'] + if any(category): + self.reportError(token, 10, 1, category = category) elif token.str in ('&', '|', '^'): - if not isUnsignedType(e1) or not isUnsignedType(e2): - self.reportError(token, 10, 1) + category = [e for e in (e1, e2) if not isUnsignedType(e)] + if any(category): + self.reportError(token, 10, 1, category = category) elif token.str == '?' and token.astOperand2.str == ':': if e1 != 'bool': - self.reportError(token, 10, 1) + self.reportError(token, 10, 1, category = [e1, '']) def misra_10_2(self, data): def isEssentiallySignedOrUnsigned(op): @@ -6851,8 +6864,36 @@ def reportNaiveSystemsError(self, location, num, other_locations = None): self.violations[naiveSystems_severity] = [] self.violations[naiveSystems_severity].append('naivesystems' + "-" + errorId) - - def reportError(self, location, num1, num2, case_number = 0, optional_flag = False, other_locations = None): + def formExternalMessage(self, location, num1, num2, category): + """Form the external message to report. + location: The token to report an error message. + num1, num2: Error numbers to specify the rule number and the error kind. + category: A list of categories of errors reported. It is used as + indicators to report external messages. The usage may be different + for different rules. + """ + if not category: + return '' + # check for misra_rule_10_1 + if num1 != 10 or num2 != 1: + return '' + if len(category) == 1: + # unary operand + return 'The operand of the %s operator is of an inappropriate essential type category %s.' % (location.str, category[0]) + if len(category) == 2: + # binary operand + left_message = '' + if category[0] != '': + left_message = 'The left operand of the %s operator is of an inappropriate essential type category %s.' % (location.str, category[0]) + if category[1] != '': + right_message = 'The right operand of the %s operator is of an inappropriate essential type category %s.' % (location.str, category[1]) + if left_message != '': + return left_message + '\n' + right_message + return right_message + return left_message + return '' + + def reportError(self, location, num1, num2, case_number = 0, optional_flag = False, other_locations = None, category = None): ruleNum = num1 * 100 + num2 if self.isRuleGloballySuppressed(ruleNum): @@ -6888,7 +6929,8 @@ def reportError(self, location, num1, num2, case_number = 0, optional_flag = Fal # skip it since it has already been displayed. if not this_violation in self.existing_violations: self.existing_violations.add(this_violation) - self.current_json_list.append(Result(location.file, location.linenr, errorId, optional_flag = optional_flag, other_locations = other_locations, error_numbers = [num1, num2, case_number])) + external_message = self.formExternalMessage(location, num1, num2, category) + self.current_json_list.append(Result(location.file, location.linenr, errorId, optional_flag = optional_flag, other_locations = other_locations, error_numbers = [num1, num2, case_number], external_message = external_message)) cppcheckdata.reportError(location, cppcheck_severity, errmsg, 'misra', errorId, misra_severity) if misra_severity not in self.violations: diff --git a/third_party/llvm-project/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td b/third_party/llvm-project/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td index c25a8996b4..01dce95b2a 100644 --- a/third_party/llvm-project/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td +++ b/third_party/llvm-project/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td @@ -127,11 +127,20 @@ def MisraCXX2008 : Package<"misra_cxx_2008">; def Errno : Package<"errno">, ParentPackage; +def CWE : Package<"cwe">; //===----------------------------------------------------------------------===// // Core Checkers. //===----------------------------------------------------------------------===// +let ParentPackage = CWE in { + +def TaintArgvChecker : Checker<"TaintArgv">, + HelpText<"Implementation of CWE-134">, + Documentation; + +} + let ParentPackage = Core in { def CallAndMessageModeling : Checker<"CallAndMessageModeling">, @@ -1053,6 +1062,7 @@ def GenericTaintChecker : Checker<"TaintPropagation">, "", InAlpha>, ]>, + WeakDependencies<[TaintArgvChecker]>, Documentation; } // end "alpha.security.taint" @@ -1923,3 +1933,59 @@ def MisusedTestErrnoMisraChecker : Checker<"MisusedTestErrnoMisra">, Documentation; } + +//===----------------------------------------------------------------------===// +// CWE checkers. +//===----------------------------------------------------------------------===// + +let ParentPackage = CWE in { + +def CWE120CStringModeling : Checker<"CWE120CStringModeling">, + HelpText<"hacked version of CStringModeling">, + Dependencies<[CallAndMessageModeling]>, + Documentation, + Hidden; + +def CStringInsecureBufferCopy : Checker<"InsecureBufferCopy">, + HelpText<"Implementation of CWE-120">, + Dependencies<[CWE120CStringModeling]>, + Documentation; + +def CStringStackBufferOverflow : Checker<"StackBufferOverflow">, + HelpText<"Implementation of CWE-121">, + Dependencies<[CWE120CStringModeling]>, + Documentation; + +def CStringHeapBufferOverflow : Checker<"HeapBufferOverflow">, + HelpText<"Implementation of CWE-122">, + Dependencies<[CWE120CStringModeling]>, + Documentation; + +def ArrayBoundBase : Checker<"ArrayBoundBase">, + HelpText<"hacked version of ArrayBoundCheckerV2">, + Documentation, + Hidden; + +def StackArrayBoundChecker : Checker<"StackArrayBound">, + HelpText<"Implementation of CWE-121, stack array bound check">, + Dependencies<[ArrayBoundBase]>, + Documentation; + +def HeapArrayBoundChecker : Checker<"HeapArrayBound">, + HelpText<"Implementation of CWE-122, heap array bound check">, + Dependencies<[ArrayBoundBase, DynamicMemoryModeling, CStringModeling]>, + Documentation; + +def BufferUnderwriteChecker : Checker<"BufferUnderwrite">, + HelpText<"Implementation of CWE-124">, + Documentation; + +def BufferOverreadChecker : Checker<"BufferOverread">, + HelpText<"Implementation of CWE-126">, + Documentation; + +def BufferUnderreadChecker : Checker<"BufferUnderread">, + HelpText<"Implementation of CWE-127">, + Documentation; + +} // end CWE diff --git a/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt index ee2aa8ab92..de0b158f3a 100644 --- a/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt +++ b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt @@ -29,6 +29,10 @@ add_clang_library(clangStaticAnalyzerCheckers CloneChecker.cpp ContainerModeling.cpp ConversionChecker.cpp + cwe-120-CStringChecker.cpp + cwe-121-ArrayBoundCheckerV2.cpp + cwe-124-127-BufferUnderAccessChecker.cpp + cwe-126-BuferOverAccessChecker.cpp CXXSelfAssignmentChecker.cpp DeadStoresChecker.cpp DebugCheckers.cpp diff --git a/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-120-CStringChecker.cpp b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-120-CStringChecker.cpp new file mode 100644 index 0000000000..1c1ef178eb --- /dev/null +++ b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-120-CStringChecker.cpp @@ -0,0 +1,2649 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +//=== cwe-120-CStringChecker.cpp --------------------------------*- C++ -*-===// +// +// This defines CStringChecker, which is an assortment of checks on calls +// to functions in . +// +//===----------------------------------------------------------------------===// + +#include "InterCheckerAPI.h" +#include "clang/Basic/CharInfo.h" +#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" +#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" +#include "clang/StaticAnalyzer/Core/Checker.h" +#include "clang/StaticAnalyzer/Core/CheckerManager.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" +#include "llvm/ADT/STLExtras.h" +#include "llvm/ADT/SmallString.h" +#include "llvm/ADT/StringExtras.h" +#include "llvm/Support/raw_ostream.h" +#include + +using namespace clang; +using namespace ento; +using namespace std::placeholders; + +namespace { +struct AnyArgExpr { + // FIXME: Remove constructor in C++17 to turn it into an aggregate. + AnyArgExpr(const Expr *Expression, unsigned ArgumentIndex) + : Expression{Expression}, ArgumentIndex{ArgumentIndex} {} + const Expr *Expression; + unsigned ArgumentIndex; +}; + +struct SourceArgExpr : AnyArgExpr { + using AnyArgExpr::AnyArgExpr; // FIXME: Remove using in C++17. +}; + +struct DestinationArgExpr : AnyArgExpr { + using AnyArgExpr::AnyArgExpr; // FIXME: Same. +}; + +struct SizeArgExpr : AnyArgExpr { + using AnyArgExpr::AnyArgExpr; // FIXME: Same. +}; + +using ErrorMessage = SmallString<128>; +enum class AccessKind { write, read }; + +static ErrorMessage createOutOfBoundErrorMsg(StringRef FunctionDescription, + AccessKind Access) { + ErrorMessage Message; + llvm::raw_svector_ostream Os(Message); + + // Function classification like: Memory copy function + Os << toUppercase(FunctionDescription.front()) + << &FunctionDescription.data()[1]; + + if (Access == AccessKind::write) { + Os << " overflows the destination buffer"; + } else { // read access + Os << " accesses out-of-bound array element"; + } + + return Message; +} + +enum class ConcatFnKind { none = 0, strcat = 1, strlcat = 2 }; +class CStringChecker : public Checker< eval::Call, + check::PreStmt, + check::LiveSymbols, + check::DeadSymbols, + check::RegionChanges + > { + mutable std::unique_ptr BT_Null, BT_Bounds, BT_Overlap, + BT_NotCString, BT_AdditionOverflow, BT_UninitRead, BT_InsecureBufferCopy, + BT_StackBufferOverflow, BT_HeapBufferOverflow; + + mutable const char *CurrentFunctionDescription; + +public: + /// The filter is used to filter out the diagnostics which are not enabled by + /// the user. + struct CStringChecksFilter { + bool CheckCStringNullArg = false; + bool CheckCStringOutOfBounds = false; + bool CheckCStringBufferOverlap = false; + bool CheckCStringNotNullTerm = false; + bool CheckCStringUninitializedRead = false; + bool CheckCStringInsecureBufferCopy = false; + bool CheckCStringStackBufferOverflow = false; + bool CheckCStringHeapBufferOverflow = false; + + CheckerNameRef CheckNameCStringNullArg; + CheckerNameRef CheckNameCStringOutOfBounds; + CheckerNameRef CheckNameCStringBufferOverlap; + CheckerNameRef CheckNameCStringNotNullTerm; + CheckerNameRef CheckNameCStringUninitializedRead; + CheckerNameRef CheckNameCStringInsecureBufferCopy; + CheckerNameRef CheckNameCStringStackBufferOverflow; + CheckerNameRef CheckNameCStringHeapBufferOverflow; + }; + + CStringChecksFilter Filter; + + static void *getTag() { static int tag; return &tag; } + + bool evalCall(const CallEvent &Call, CheckerContext &C) const; + void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; + void checkLiveSymbols(ProgramStateRef state, SymbolReaper &SR) const; + void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const; + + ProgramStateRef + checkRegionChanges(ProgramStateRef state, + const InvalidatedSymbols *, + ArrayRef ExplicitRegions, + ArrayRef Regions, + const LocationContext *LCtx, + const CallEvent *Call) const; + + using FnCheck = std::function; + + CallDescriptionMap Callbacks = { + {{CDF_MaybeBuiltin, "memcpy", 3}, + std::bind(&CStringChecker::evalMemcpy, _1, _2, _3, false)}, + {{CDF_MaybeBuiltin, "wmemcpy", 3}, + std::bind(&CStringChecker::evalMemcpy, _1, _2, _3, true)}, + {{CDF_MaybeBuiltin, "mempcpy", 3}, &CStringChecker::evalMempcpy}, + {{CDF_MaybeBuiltin, "memcmp", 3}, &CStringChecker::evalMemcmp}, + {{CDF_MaybeBuiltin, "memmove", 3}, &CStringChecker::evalMemmove}, + {{CDF_MaybeBuiltin, "memset", 3}, &CStringChecker::evalMemset}, + {{CDF_MaybeBuiltin, "memchr", 3}, &CStringChecker::evalMemchr}, + {{CDF_MaybeBuiltin, "explicit_memset", 3}, &CStringChecker::evalMemset}, + {{CDF_MaybeBuiltin, "strcpy", 2}, &CStringChecker::evalStrcpy}, + {{CDF_MaybeBuiltin, "strncpy", 3}, &CStringChecker::evalStrncpy}, + {{CDF_MaybeBuiltin, "stpcpy", 2}, &CStringChecker::evalStpcpy}, + {{CDF_MaybeBuiltin, "strlcpy", 3}, &CStringChecker::evalStrlcpy}, + {{CDF_MaybeBuiltin, "strcat", 2}, &CStringChecker::evalStrcat}, + {{CDF_MaybeBuiltin, "strncat", 3}, &CStringChecker::evalStrncat}, + {{CDF_MaybeBuiltin, "strlcat", 3}, &CStringChecker::evalStrlcat}, + {{CDF_MaybeBuiltin, "strlen", 1}, &CStringChecker::evalstrLength}, + {{CDF_MaybeBuiltin, "wcslen", 1}, &CStringChecker::evalstrLength}, + {{CDF_MaybeBuiltin, "strnlen", 2}, &CStringChecker::evalstrnLength}, + {{CDF_MaybeBuiltin, "wcsnlen", 2}, &CStringChecker::evalstrnLength}, + {{CDF_MaybeBuiltin, "strcmp", 2}, &CStringChecker::evalStrcmp}, + {{CDF_MaybeBuiltin, "strncmp", 3}, &CStringChecker::evalStrncmp}, + {{CDF_MaybeBuiltin, "strcasecmp", 2}, &CStringChecker::evalStrcasecmp}, + {{CDF_MaybeBuiltin, "strncasecmp", 3}, &CStringChecker::evalStrncasecmp}, + {{CDF_MaybeBuiltin, "strsep", 2}, &CStringChecker::evalStrsep}, + {{CDF_MaybeBuiltin, "bcopy", 3}, &CStringChecker::evalBcopy}, + {{CDF_MaybeBuiltin, "bcmp", 3}, &CStringChecker::evalMemcmp}, + {{CDF_MaybeBuiltin, "bzero", 2}, &CStringChecker::evalBzero}, + {{CDF_MaybeBuiltin, "explicit_bzero", 2}, &CStringChecker::evalBzero}, + }; + + // These require a bit of special handling. + CallDescription StdCopy{{"std", "copy"}, 3}, + StdCopyBackward{{"std", "copy_backward"}, 3}; + + FnCheck identifyCall(const CallEvent &Call, CheckerContext &C) const; + void evalMemcpy(CheckerContext &C, const CallExpr *CE, bool IsWide) const; + void evalMempcpy(CheckerContext &C, const CallExpr *CE) const; + void evalMemmove(CheckerContext &C, const CallExpr *CE) const; + void evalBcopy(CheckerContext &C, const CallExpr *CE) const; + void evalCopyCommon(CheckerContext &C, const CallExpr *CE, + ProgramStateRef state, SizeArgExpr Size, + DestinationArgExpr Dest, SourceArgExpr Source, + bool Restricted, bool IsMempcpy, bool IsWide) const; + + void evalMemcmp(CheckerContext &C, const CallExpr *CE) const; + void evalMemchr(CheckerContext &C, const CallExpr *CE) const; + void evalstrLength(CheckerContext &C, const CallExpr *CE) const; + void evalstrnLength(CheckerContext &C, const CallExpr *CE) const; + void evalstrLengthCommon(CheckerContext &C, + const CallExpr *CE, + bool IsStrnlen = false) const; + + void evalStrcpy(CheckerContext &C, const CallExpr *CE) const; + void evalStrncpy(CheckerContext &C, const CallExpr *CE) const; + void evalStpcpy(CheckerContext &C, const CallExpr *CE) const; + void evalStrlcpy(CheckerContext &C, const CallExpr *CE) const; + void evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, bool ReturnEnd, + bool IsBounded, ConcatFnKind appendK, + bool returnPtr = true) const; + + void evalStrcat(CheckerContext &C, const CallExpr *CE) const; + void evalStrncat(CheckerContext &C, const CallExpr *CE) const; + void evalStrlcat(CheckerContext &C, const CallExpr *CE) const; + + void evalStrcmp(CheckerContext &C, const CallExpr *CE) const; + void evalStrncmp(CheckerContext &C, const CallExpr *CE) const; + void evalStrcasecmp(CheckerContext &C, const CallExpr *CE) const; + void evalStrncasecmp(CheckerContext &C, const CallExpr *CE) const; + void evalStrcmpCommon(CheckerContext &C, + const CallExpr *CE, + bool IsBounded = false, + bool IgnoreCase = false) const; + + void evalStrsep(CheckerContext &C, const CallExpr *CE) const; + + void evalStdCopy(CheckerContext &C, const CallExpr *CE) const; + void evalStdCopyBackward(CheckerContext &C, const CallExpr *CE) const; + void evalStdCopyCommon(CheckerContext &C, const CallExpr *CE) const; + void evalMemset(CheckerContext &C, const CallExpr *CE) const; + void evalBzero(CheckerContext &C, const CallExpr *CE) const; + + // Utility methods + std::pair + static assumeZero(CheckerContext &C, + ProgramStateRef state, SVal V, QualType Ty); + + static ProgramStateRef setCStringLength(ProgramStateRef state, + const MemRegion *MR, + SVal strLength); + static SVal getCStringLengthForRegion(CheckerContext &C, + ProgramStateRef &state, + const Expr *Ex, + const MemRegion *MR, + bool hypothetical); + SVal getCStringLength(CheckerContext &C, + ProgramStateRef &state, + const Expr *Ex, + SVal Buf, + bool hypothetical = false) const; + + const StringLiteral *getCStringLiteral(CheckerContext &C, + ProgramStateRef &state, + const Expr *expr, + SVal val) const; + + static ProgramStateRef InvalidateBuffer(CheckerContext &C, + ProgramStateRef state, + const Expr *Ex, SVal V, + bool IsSourceBuffer, + const Expr *Size); + + static bool SummarizeRegion(raw_ostream &os, ASTContext &Ctx, + const MemRegion *MR); + + static bool memsetAux(const Expr *DstBuffer, SVal CharE, + const Expr *Size, CheckerContext &C, + ProgramStateRef &State); + + // Re-usable checks + ProgramStateRef checkNonNull(CheckerContext &C, ProgramStateRef State, + AnyArgExpr Arg, SVal l) const; + ProgramStateRef CheckLocation(CheckerContext &C, ProgramStateRef state, + AnyArgExpr Buffer, SVal Element, + AccessKind Access, bool IsWide = false) const; + ProgramStateRef CheckBufferAccess(CheckerContext &C, ProgramStateRef State, + AnyArgExpr Buffer, SizeArgExpr Size, + AccessKind Access, + bool IsWide = false) const; + ProgramStateRef CheckOverlap(CheckerContext &C, ProgramStateRef state, + SizeArgExpr Size, AnyArgExpr First, + AnyArgExpr Second, bool IsWide = false) const; + void emitOverlapBug(CheckerContext &C, + ProgramStateRef state, + const Stmt *First, + const Stmt *Second) const; + + void emitNullArgBug(CheckerContext &C, ProgramStateRef State, const Stmt *S, + StringRef WarningMsg) const; + void emitOutOfBoundsBug(CheckerContext &C, ProgramStateRef State, + const Stmt *S, StringRef WarningMsg) const; + void emitNotCStringBug(CheckerContext &C, ProgramStateRef State, + const Stmt *S, StringRef WarningMsg) const; + void emitInsecureBufferCopyBug(CheckerContext &C, ProgramStateRef State, + const Stmt *S, StringRef WarningMsg) const; + void emitStackBufferOverflowBug(CheckerContext &C, ProgramStateRef State, + const Stmt *S, StringRef WarningMsg) const; + void emitHeapBufferOverflowBug(CheckerContext &C, ProgramStateRef State, + const Stmt *S, StringRef WarningMsg) const; + void emitAdditionOverflowBug(CheckerContext &C, ProgramStateRef State) const; + void emitUninitializedReadBug(CheckerContext &C, ProgramStateRef State, + const Expr *E) const; + ProgramStateRef checkAdditionOverflow(CheckerContext &C, + ProgramStateRef state, + NonLoc left, + NonLoc right) const; + + // Return true if the destination buffer of the copy function may be in bound. + // Expects SVal of Size to be positive and unsigned. + // Expects SVal of FirstBuf to be a FieldRegion. + static bool IsFirstBufInBound(CheckerContext &C, + ProgramStateRef state, + const Expr *FirstBuf, + const Expr *Size); +}; + +} //end anonymous namespace + +REGISTER_MAP_WITH_PROGRAMSTATE(CStringLength, const MemRegion *, SVal) + +//===----------------------------------------------------------------------===// +// Individual checks and utility methods. +//===----------------------------------------------------------------------===// + +std::pair +CStringChecker::assumeZero(CheckerContext &C, ProgramStateRef state, SVal V, + QualType Ty) { + Optional val = V.getAs(); + if (!val) + return std::pair(state, state); + + SValBuilder &svalBuilder = C.getSValBuilder(); + DefinedOrUnknownSVal zero = svalBuilder.makeZeroVal(Ty); + return state->assume(svalBuilder.evalEQ(state, *val, zero)); +} + +ProgramStateRef CStringChecker::checkNonNull(CheckerContext &C, + ProgramStateRef State, + AnyArgExpr Arg, SVal l) const { + // If a previous check has failed, propagate the failure. + if (!State) + return nullptr; + + ProgramStateRef stateNull, stateNonNull; + std::tie(stateNull, stateNonNull) = + assumeZero(C, State, l, Arg.Expression->getType()); + + if (stateNull && !stateNonNull) { + if (Filter.CheckCStringNullArg) { + SmallString<80> buf; + llvm::raw_svector_ostream OS(buf); + assert(CurrentFunctionDescription); + OS << "Null pointer passed as " << (Arg.ArgumentIndex + 1) + << llvm::getOrdinalSuffix(Arg.ArgumentIndex + 1) << " argument to " + << CurrentFunctionDescription; + + emitNullArgBug(C, stateNull, Arg.Expression, OS.str()); + } + return nullptr; + } + + // From here on, assume that the value is non-null. + assert(stateNonNull); + return stateNonNull; +} + +// FIXME: This was originally copied from ArrayBoundChecker.cpp. Refactor? +ProgramStateRef CStringChecker::CheckLocation(CheckerContext &C, + ProgramStateRef state, + AnyArgExpr Buffer, SVal Element, + AccessKind Access, + bool IsWide) const { + + // If a previous check has failed, propagate the failure. + if (!state) + return nullptr; + + // Check for out of bound array element access. + const MemRegion *R = Element.getAsRegion(); + if (!R) + return state; + + const auto *ER = dyn_cast(R); + if (!ER) + return state; + + SValBuilder &svalBuilder = C.getSValBuilder(); + ASTContext &Ctx = svalBuilder.getContext(); + + // Get the index of the accessed element. + NonLoc Idx = ER->getIndex(); + + if (!IsWide) { + if (ER->getValueType() != Ctx.CharTy) + return state; + } else { + if (ER->getValueType() != Ctx.WideCharTy) + return state; + + QualType SizeTy = Ctx.getSizeType(); + NonLoc WideSize = + svalBuilder + .makeIntVal(Ctx.getTypeSizeInChars(Ctx.WideCharTy).getQuantity(), + SizeTy) + .castAs(); + SVal Offset = svalBuilder.evalBinOpNN(state, BO_Mul, Idx, WideSize, SizeTy); + if (Offset.isUnknown()) + return state; + Idx = Offset.castAs(); + } + + // Get the size of the array. + const auto *superReg = cast(ER->getSuperRegion()); + DefinedOrUnknownSVal Size = + getDynamicExtent(state, superReg, C.getSValBuilder()); + + ProgramStateRef StInBound, StOutBound; + std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, Size); + if (StOutBound && !StInBound) { + // These checks are either enabled by the CString out-of-bounds checker + // explicitly or implicitly by the Malloc checker. + // In the latter case we only do modeling but do not emit warning. + if (!Filter.CheckCStringOutOfBounds) + return nullptr; + + // Emit a bug report. + ErrorMessage Message = + createOutOfBoundErrorMsg(CurrentFunctionDescription, Access); + emitOutOfBoundsBug(C, StOutBound, Buffer.Expression, Message); + return nullptr; + } else if (StOutBound && Filter.CheckCStringInsecureBufferCopy) { + ErrorMessage Message = createOutOfBoundErrorMsg(CurrentFunctionDescription, Access); + emitInsecureBufferCopyBug(C, StOutBound, Buffer.Expression, Message); + return nullptr; + } else if (StOutBound && Filter.CheckCStringStackBufferOverflow && + ER->getSuperRegion()->hasStackStorage()) { + ErrorMessage Message = createOutOfBoundErrorMsg(CurrentFunctionDescription, Access); + emitStackBufferOverflowBug(C, StOutBound, Buffer.Expression, Message); + return nullptr; + } else if (StOutBound && Filter.CheckCStringHeapBufferOverflow && + !ER->getSuperRegion()->hasStackStorage()) { + ErrorMessage Message = createOutOfBoundErrorMsg(CurrentFunctionDescription, Access); + emitHeapBufferOverflowBug(C, StOutBound, Buffer.Expression, Message); + return nullptr; + } + + // Ensure that we wouldn't read uninitialized value. + if (Access == AccessKind::read) { + if (Filter.CheckCStringUninitializedRead && + StInBound->getSVal(ER).isUndef()) { + emitUninitializedReadBug(C, StInBound, Buffer.Expression); + return nullptr; + } + } + + // Array bound check succeeded. From this point forward the array bound + // should always succeed. + return StInBound; +} + +ProgramStateRef +CStringChecker::CheckBufferAccess(CheckerContext &C, ProgramStateRef State, + AnyArgExpr Buffer, SizeArgExpr Size, + AccessKind Access, bool IsWide) const { + // If a previous check has failed, propagate the failure. + if (!State) + return nullptr; + + SValBuilder &svalBuilder = C.getSValBuilder(); + ASTContext &Ctx = svalBuilder.getContext(); + + QualType SizeTy = Size.Expression->getType(); + QualType PtrTy = Ctx.getPointerType(IsWide ? Ctx.WideCharTy : Ctx.CharTy); + + // Check that the first buffer is non-null. + SVal BufVal = C.getSVal(Buffer.Expression); + State = checkNonNull(C, State, Buffer, BufVal); + if (!State) + return nullptr; + + // If out-of-bounds checking is turned off, skip the rest. + if (!Filter.CheckCStringOutOfBounds) + return State; + + // Get the access length and make sure it is known. + // FIXME: This assumes the caller has already checked that the access length + // is positive. And that it's unsigned. + SVal LengthVal = C.getSVal(Size.Expression); + Optional Length = LengthVal.getAs(); + if (!Length) + return State; + + // Compute the offset of the last element to be accessed: size-1. + NonLoc One = svalBuilder.makeIntVal(1, SizeTy).castAs(); + SVal Offset = svalBuilder.evalBinOpNN(State, BO_Sub, *Length, One, SizeTy); + if (Offset.isUnknown()) + return nullptr; + NonLoc LastOffset = Offset.castAs(); + + // Check that the first buffer is sufficiently long. + SVal BufStart = + svalBuilder.evalCast(BufVal, PtrTy, Buffer.Expression->getType()); + if (Optional BufLoc = BufStart.getAs()) { + + SVal BufEnd = + svalBuilder.evalBinOpLN(State, BO_Add, *BufLoc, LastOffset, PtrTy); + State = CheckLocation(C, State, Buffer, BufEnd, Access, IsWide); + + // If the buffer isn't large enough, abort. + if (!State) + return nullptr; + } + + // Large enough or not, return this state! + return State; +} + +ProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C, + ProgramStateRef state, + SizeArgExpr Size, AnyArgExpr First, + AnyArgExpr Second, + bool IsWide) const { + if (!Filter.CheckCStringBufferOverlap) + return state; + + // Do a simple check for overlap: if the two arguments are from the same + // buffer, see if the end of the first is greater than the start of the second + // or vice versa. + + // If a previous check has failed, propagate the failure. + if (!state) + return nullptr; + + ProgramStateRef stateTrue, stateFalse; + + // Assume different address spaces cannot overlap. + if (First.Expression->getType()->getPointeeType().getAddressSpace() != + Second.Expression->getType()->getPointeeType().getAddressSpace()) + return state; + + // Get the buffer values and make sure they're known locations. + const LocationContext *LCtx = C.getLocationContext(); + SVal firstVal = state->getSVal(First.Expression, LCtx); + SVal secondVal = state->getSVal(Second.Expression, LCtx); + + Optional firstLoc = firstVal.getAs(); + if (!firstLoc) + return state; + + Optional secondLoc = secondVal.getAs(); + if (!secondLoc) + return state; + + // Are the two values the same? + SValBuilder &svalBuilder = C.getSValBuilder(); + std::tie(stateTrue, stateFalse) = + state->assume(svalBuilder.evalEQ(state, *firstLoc, *secondLoc)); + + if (stateTrue && !stateFalse) { + // If the values are known to be equal, that's automatically an overlap. + emitOverlapBug(C, stateTrue, First.Expression, Second.Expression); + return nullptr; + } + + // assume the two expressions are not equal. + assert(stateFalse); + state = stateFalse; + + // Which value comes first? + QualType cmpTy = svalBuilder.getConditionType(); + SVal reverse = + svalBuilder.evalBinOpLL(state, BO_GT, *firstLoc, *secondLoc, cmpTy); + Optional reverseTest = + reverse.getAs(); + if (!reverseTest) + return state; + + std::tie(stateTrue, stateFalse) = state->assume(*reverseTest); + if (stateTrue) { + if (stateFalse) { + // If we don't know which one comes first, we can't perform this test. + return state; + } else { + // Switch the values so that firstVal is before secondVal. + std::swap(firstLoc, secondLoc); + + // Switch the Exprs as well, so that they still correspond. + std::swap(First, Second); + } + } + + // Get the length, and make sure it too is known. + SVal LengthVal = state->getSVal(Size.Expression, LCtx); + Optional Length = LengthVal.getAs(); + if (!Length) + return state; + + // Convert the first buffer's start address to char*. + // Bail out if the cast fails. + ASTContext &Ctx = svalBuilder.getContext(); + QualType CharPtrTy = Ctx.getPointerType(IsWide ? Ctx.WideCharTy : Ctx.CharTy); + SVal FirstStart = + svalBuilder.evalCast(*firstLoc, CharPtrTy, First.Expression->getType()); + Optional FirstStartLoc = FirstStart.getAs(); + if (!FirstStartLoc) + return state; + + // Compute the end of the first buffer. Bail out if THAT fails. + SVal FirstEnd = svalBuilder.evalBinOpLN(state, BO_Add, *FirstStartLoc, + *Length, CharPtrTy); + Optional FirstEndLoc = FirstEnd.getAs(); + if (!FirstEndLoc) + return state; + + // Is the end of the first buffer past the start of the second buffer? + SVal Overlap = + svalBuilder.evalBinOpLL(state, BO_GT, *FirstEndLoc, *secondLoc, cmpTy); + Optional OverlapTest = + Overlap.getAs(); + if (!OverlapTest) + return state; + + std::tie(stateTrue, stateFalse) = state->assume(*OverlapTest); + + if (stateTrue && !stateFalse) { + // Overlap! + emitOverlapBug(C, stateTrue, First.Expression, Second.Expression); + return nullptr; + } + + // assume the two expressions don't overlap. + assert(stateFalse); + return stateFalse; +} + +void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state, + const Stmt *First, const Stmt *Second) const { + ExplodedNode *N = C.generateErrorNode(state); + if (!N) + return; + + if (!BT_Overlap) + BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap, + categories::UnixAPI, "Improper arguments")); + + // Generate a report for this bug. + auto report = std::make_unique( + *BT_Overlap, "Arguments must not be overlapping buffers", N); + report->addRange(First->getSourceRange()); + report->addRange(Second->getSourceRange()); + + C.emitReport(std::move(report)); +} + +void CStringChecker::emitNullArgBug(CheckerContext &C, ProgramStateRef State, + const Stmt *S, StringRef WarningMsg) const { + if (ExplodedNode *N = C.generateErrorNode(State)) { + if (!BT_Null) + BT_Null.reset(new BuiltinBug( + Filter.CheckNameCStringNullArg, categories::UnixAPI, + "Null pointer argument in call to byte string function")); + + BuiltinBug *BT = static_cast(BT_Null.get()); + auto Report = std::make_unique(*BT, WarningMsg, N); + Report->addRange(S->getSourceRange()); + if (const auto *Ex = dyn_cast(S)) + bugreporter::trackExpressionValue(N, Ex, *Report); + C.emitReport(std::move(Report)); + } +} + +void CStringChecker::emitUninitializedReadBug(CheckerContext &C, + ProgramStateRef State, + const Expr *E) const { + if (ExplodedNode *N = C.generateErrorNode(State)) { + const char *Msg = + "Bytes string function accesses uninitialized/garbage values"; + if (!BT_UninitRead) + BT_UninitRead.reset( + new BuiltinBug(Filter.CheckNameCStringUninitializedRead, + "Accessing unitialized/garbage values", Msg)); + + BuiltinBug *BT = static_cast(BT_UninitRead.get()); + + auto Report = std::make_unique(*BT, Msg, N); + Report->addRange(E->getSourceRange()); + bugreporter::trackExpressionValue(N, E, *Report); + C.emitReport(std::move(Report)); + } +} + +void CStringChecker::emitOutOfBoundsBug(CheckerContext &C, + ProgramStateRef State, const Stmt *S, + StringRef WarningMsg) const { + if (ExplodedNode *N = C.generateErrorNode(State)) { + if (!BT_Bounds) + BT_Bounds.reset(new BuiltinBug( + Filter.CheckCStringOutOfBounds ? Filter.CheckNameCStringOutOfBounds + : Filter.CheckNameCStringNullArg, + "Out-of-bound array access", + "Byte string function accesses out-of-bound array element")); + + BuiltinBug *BT = static_cast(BT_Bounds.get()); + + // FIXME: It would be nice to eventually make this diagnostic more clear, + // e.g., by referencing the original declaration or by saying *why* this + // reference is outside the range. + auto Report = std::make_unique(*BT, WarningMsg, N); + Report->addRange(S->getSourceRange()); + C.emitReport(std::move(Report)); + } +} + +void CStringChecker::emitNotCStringBug(CheckerContext &C, ProgramStateRef State, + const Stmt *S, + StringRef WarningMsg) const { + if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) { + if (!BT_NotCString) + BT_NotCString.reset(new BuiltinBug( + Filter.CheckNameCStringNotNullTerm, categories::UnixAPI, + "Argument is not a null-terminated string.")); + + auto Report = + std::make_unique(*BT_NotCString, WarningMsg, N); + + Report->addRange(S->getSourceRange()); + C.emitReport(std::move(Report)); + } +} + +// added to support CWE-120 +void CStringChecker::emitInsecureBufferCopyBug(CheckerContext &C, ProgramStateRef State, + const Stmt *S, + StringRef WarningMsg) const { + if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) { + if (!BT_InsecureBufferCopy) + BT_InsecureBufferCopy.reset(new BuiltinBug( + Filter.CheckNameCStringInsecureBufferCopy, "API", + "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')" + )); + + auto Report = std::make_unique(*BT_InsecureBufferCopy, WarningMsg, N); + Report->addRange(S->getSourceRange()); + C.emitReport(std::move(Report)); + } +} + +// added to support CWE-121 +void CStringChecker::emitStackBufferOverflowBug(CheckerContext &C, ProgramStateRef State, + const Stmt *S, + StringRef WarningMsg) const { + if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) { + if (!BT_StackBufferOverflow) + BT_StackBufferOverflow.reset(new BuiltinBug( + Filter.CheckNameCStringStackBufferOverflow, "API", + "Stack-based Buffer Overflow" + )); + + auto Report = std::make_unique(*BT_StackBufferOverflow, WarningMsg, N); + Report->addRange(S->getSourceRange()); + C.emitReport(std::move(Report)); + } +} + +// added to support CWE-122 +void CStringChecker::emitHeapBufferOverflowBug(CheckerContext &C, ProgramStateRef State, + const Stmt *S, + StringRef WarningMsg) const { + if (ExplodedNode *N = C.generateNonFatalErrorNode(State)) { + if (!BT_HeapBufferOverflow) + BT_HeapBufferOverflow.reset(new BuiltinBug( + Filter.CheckNameCStringHeapBufferOverflow, "API", + "Stack-based Buffer Overflow" + )); + + auto Report = std::make_unique(*BT_HeapBufferOverflow, WarningMsg, N); + Report->addRange(S->getSourceRange()); + C.emitReport(std::move(Report)); + } +} + +void CStringChecker::emitAdditionOverflowBug(CheckerContext &C, + ProgramStateRef State) const { + if (ExplodedNode *N = C.generateErrorNode(State)) { + if (!BT_AdditionOverflow) + BT_AdditionOverflow.reset( + new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API", + "Sum of expressions causes overflow.")); + + // This isn't a great error message, but this should never occur in real + // code anyway -- you'd have to create a buffer longer than a size_t can + // represent, which is sort of a contradiction. + const char *WarningMsg = + "This expression will create a string whose length is too big to " + "be represented as a size_t"; + + auto Report = std::make_unique(*BT_AdditionOverflow, + WarningMsg, N); + C.emitReport(std::move(Report)); + } +} + +ProgramStateRef CStringChecker::checkAdditionOverflow(CheckerContext &C, + ProgramStateRef state, + NonLoc left, + NonLoc right) const { + // If out-of-bounds checking is turned off, skip the rest. + if (!Filter.CheckCStringOutOfBounds) + return state; + + // If a previous check has failed, propagate the failure. + if (!state) + return nullptr; + + SValBuilder &svalBuilder = C.getSValBuilder(); + BasicValueFactory &BVF = svalBuilder.getBasicValueFactory(); + + QualType sizeTy = svalBuilder.getContext().getSizeType(); + const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy); + NonLoc maxVal = svalBuilder.makeIntVal(maxValInt); + + SVal maxMinusRight; + if (isa(right)) { + maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, right, + sizeTy); + } else { + // Try switching the operands. (The order of these two assignments is + // important!) + maxMinusRight = svalBuilder.evalBinOpNN(state, BO_Sub, maxVal, left, + sizeTy); + left = right; + } + + if (Optional maxMinusRightNL = maxMinusRight.getAs()) { + QualType cmpTy = svalBuilder.getConditionType(); + // If left > max - right, we have an overflow. + SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left, + *maxMinusRightNL, cmpTy); + + ProgramStateRef stateOverflow, stateOkay; + std::tie(stateOverflow, stateOkay) = + state->assume(willOverflow.castAs()); + + if (stateOverflow && !stateOkay) { + // We have an overflow. Emit a bug report. + emitAdditionOverflowBug(C, stateOverflow); + return nullptr; + } + + // From now on, assume an overflow didn't occur. + assert(stateOkay); + state = stateOkay; + } + + return state; +} + +ProgramStateRef CStringChecker::setCStringLength(ProgramStateRef state, + const MemRegion *MR, + SVal strLength) { + assert(!strLength.isUndef() && "Attempt to set an undefined string length"); + + MR = MR->StripCasts(); + + switch (MR->getKind()) { + case MemRegion::StringRegionKind: + // FIXME: This can happen if we strcpy() into a string region. This is + // undefined [C99 6.4.5p6], but we should still warn about it. + return state; + + case MemRegion::SymbolicRegionKind: + case MemRegion::AllocaRegionKind: + case MemRegion::NonParamVarRegionKind: + case MemRegion::ParamVarRegionKind: + case MemRegion::FieldRegionKind: + case MemRegion::ObjCIvarRegionKind: + // These are the types we can currently track string lengths for. + break; + + case MemRegion::ElementRegionKind: + // FIXME: Handle element regions by upper-bounding the parent region's + // string length. + return state; + + default: + // Other regions (mostly non-data) can't have a reliable C string length. + // For now, just ignore the change. + // FIXME: These are rare but not impossible. We should output some kind of + // warning for things like strcpy((char[]){'a', 0}, "b"); + return state; + } + + if (strLength.isUnknown()) + return state->remove(MR); + + return state->set(MR, strLength); +} + +SVal CStringChecker::getCStringLengthForRegion(CheckerContext &C, + ProgramStateRef &state, + const Expr *Ex, + const MemRegion *MR, + bool hypothetical) { + if (!hypothetical) { + // If there's a recorded length, go ahead and return it. + const SVal *Recorded = state->get(MR); + if (Recorded) + return *Recorded; + } + + // Otherwise, get a new symbol and update the state. + SValBuilder &svalBuilder = C.getSValBuilder(); + QualType sizeTy = svalBuilder.getContext().getSizeType(); + SVal strLength = svalBuilder.getMetadataSymbolVal(CStringChecker::getTag(), + MR, Ex, sizeTy, + C.getLocationContext(), + C.blockCount()); + + if (!hypothetical) { + if (Optional strLn = strLength.getAs()) { + // In case of unbounded calls strlen etc bound the range to SIZE_MAX/4 + BasicValueFactory &BVF = svalBuilder.getBasicValueFactory(); + const llvm::APSInt &maxValInt = BVF.getMaxValue(sizeTy); + llvm::APSInt fourInt = APSIntType(maxValInt).getValue(4); + const llvm::APSInt *maxLengthInt = BVF.evalAPSInt(BO_Div, maxValInt, + fourInt); + NonLoc maxLength = svalBuilder.makeIntVal(*maxLengthInt); + SVal evalLength = svalBuilder.evalBinOpNN(state, BO_LE, *strLn, + maxLength, sizeTy); + state = state->assume(evalLength.castAs(), true); + } + state = state->set(MR, strLength); + } + + return strLength; +} + +SVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state, + const Expr *Ex, SVal Buf, + bool hypothetical) const { + const MemRegion *MR = Buf.getAsRegion(); + if (!MR) { + // If we can't get a region, see if it's something we /know/ isn't a + // C string. In the context of locations, the only time we can issue such + // a warning is for labels. + if (Optional Label = Buf.getAs()) { + if (Filter.CheckCStringNotNullTerm) { + SmallString<120> buf; + llvm::raw_svector_ostream os(buf); + assert(CurrentFunctionDescription); + os << "Argument to " << CurrentFunctionDescription + << " is the address of the label '" << Label->getLabel()->getName() + << "', which is not a null-terminated string"; + + emitNotCStringBug(C, state, Ex, os.str()); + } + return UndefinedVal(); + } + + // If it's not a region and not a label, give up. + return UnknownVal(); + } + + // If we have a region, strip casts from it and see if we can figure out + // its length. For anything we can't figure out, just return UnknownVal. + MR = MR->StripCasts(); + + switch (MR->getKind()) { + case MemRegion::StringRegionKind: { + // Modifying the contents of string regions is undefined [C99 6.4.5p6], + // so we can assume that the byte length is the correct C string length. + SValBuilder &svalBuilder = C.getSValBuilder(); + QualType sizeTy = svalBuilder.getContext().getSizeType(); + const StringLiteral *strLit = cast(MR)->getStringLiteral(); + return svalBuilder.makeIntVal(strLit->getLength(), sizeTy); + } + case MemRegion::SymbolicRegionKind: + case MemRegion::AllocaRegionKind: + case MemRegion::NonParamVarRegionKind: + case MemRegion::ParamVarRegionKind: + case MemRegion::FieldRegionKind: + case MemRegion::ObjCIvarRegionKind: + return getCStringLengthForRegion(C, state, Ex, MR, hypothetical); + case MemRegion::CompoundLiteralRegionKind: + // FIXME: Can we track this? Is it necessary? + return UnknownVal(); + case MemRegion::ElementRegionKind: + // FIXME: How can we handle this? It's not good enough to subtract the + // offset from the base string length; consider "123\x00567" and &a[5]. + return UnknownVal(); + default: + // Other regions (mostly non-data) can't have a reliable C string length. + // In this case, an error is emitted and UndefinedVal is returned. + // The caller should always be prepared to handle this case. + if (Filter.CheckCStringNotNullTerm) { + SmallString<120> buf; + llvm::raw_svector_ostream os(buf); + + assert(CurrentFunctionDescription); + os << "Argument to " << CurrentFunctionDescription << " is "; + + if (SummarizeRegion(os, C.getASTContext(), MR)) + os << ", which is not a null-terminated string"; + else + os << "not a null-terminated string"; + + emitNotCStringBug(C, state, Ex, os.str()); + } + return UndefinedVal(); + } +} + +const StringLiteral *CStringChecker::getCStringLiteral(CheckerContext &C, + ProgramStateRef &state, const Expr *expr, SVal val) const { + + // Get the memory region pointed to by the val. + const MemRegion *bufRegion = val.getAsRegion(); + if (!bufRegion) + return nullptr; + + // Strip casts off the memory region. + bufRegion = bufRegion->StripCasts(); + + // Cast the memory region to a string region. + const StringRegion *strRegion= dyn_cast(bufRegion); + if (!strRegion) + return nullptr; + + // Return the actual string in the string region. + return strRegion->getStringLiteral(); +} + +bool CStringChecker::IsFirstBufInBound(CheckerContext &C, + ProgramStateRef state, + const Expr *FirstBuf, + const Expr *Size) { + // If we do not know that the buffer is long enough we return 'true'. + // Otherwise the parent region of this field region would also get + // invalidated, which would lead to warnings based on an unknown state. + + // Originally copied from CheckBufferAccess and CheckLocation. + SValBuilder &svalBuilder = C.getSValBuilder(); + ASTContext &Ctx = svalBuilder.getContext(); + const LocationContext *LCtx = C.getLocationContext(); + + QualType sizeTy = Size->getType(); + QualType PtrTy = Ctx.getPointerType(Ctx.CharTy); + SVal BufVal = state->getSVal(FirstBuf, LCtx); + + SVal LengthVal = state->getSVal(Size, LCtx); + Optional Length = LengthVal.getAs(); + if (!Length) + return true; // cf top comment. + + // Compute the offset of the last element to be accessed: size-1. + NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs(); + SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy); + if (Offset.isUnknown()) + return true; // cf top comment + NonLoc LastOffset = Offset.castAs(); + + // Check that the first buffer is sufficiently long. + SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType()); + Optional BufLoc = BufStart.getAs(); + if (!BufLoc) + return true; // cf top comment. + + SVal BufEnd = + svalBuilder.evalBinOpLN(state, BO_Add, *BufLoc, LastOffset, PtrTy); + + // Check for out of bound array element access. + const MemRegion *R = BufEnd.getAsRegion(); + if (!R) + return true; // cf top comment. + + const ElementRegion *ER = dyn_cast(R); + if (!ER) + return true; // cf top comment. + + // FIXME: Does this crash when a non-standard definition + // of a library function is encountered? + assert(ER->getValueType() == C.getASTContext().CharTy && + "IsFirstBufInBound should only be called with char* ElementRegions"); + + // Get the size of the array. + const SubRegion *superReg = cast(ER->getSuperRegion()); + DefinedOrUnknownSVal SizeDV = getDynamicExtent(state, superReg, svalBuilder); + + // Get the index of the accessed element. + DefinedOrUnknownSVal Idx = ER->getIndex().castAs(); + + ProgramStateRef StInBound = state->assumeInBound(Idx, SizeDV, true); + + return static_cast(StInBound); +} + +ProgramStateRef CStringChecker::InvalidateBuffer(CheckerContext &C, + ProgramStateRef state, + const Expr *E, SVal V, + bool IsSourceBuffer, + const Expr *Size) { + Optional L = V.getAs(); + if (!L) + return state; + + // FIXME: This is a simplified version of what's in CFRefCount.cpp -- it makes + // some assumptions about the value that CFRefCount can't. Even so, it should + // probably be refactored. + if (Optional MR = L->getAs()) { + const MemRegion *R = MR->getRegion()->StripCasts(); + + // Are we dealing with an ElementRegion? If so, we should be invalidating + // the super-region. + if (const ElementRegion *ER = dyn_cast(R)) { + R = ER->getSuperRegion(); + // FIXME: What about layers of ElementRegions? + } + + // Invalidate this region. + const LocationContext *LCtx = C.getPredecessor()->getLocationContext(); + + bool CausesPointerEscape = false; + RegionAndSymbolInvalidationTraits ITraits; + // Invalidate and escape only indirect regions accessible through the source + // buffer. + if (IsSourceBuffer) { + ITraits.setTrait(R->getBaseRegion(), + RegionAndSymbolInvalidationTraits::TK_PreserveContents); + ITraits.setTrait(R, RegionAndSymbolInvalidationTraits::TK_SuppressEscape); + CausesPointerEscape = true; + } else { + const MemRegion::Kind& K = R->getKind(); + if (K == MemRegion::FieldRegionKind) + if (Size && IsFirstBufInBound(C, state, E, Size)) { + // If destination buffer is a field region and access is in bound, + // do not invalidate its super region. + ITraits.setTrait( + R, + RegionAndSymbolInvalidationTraits::TK_DoNotInvalidateSuperRegion); + } + } + + return state->invalidateRegions(R, E, C.blockCount(), LCtx, + CausesPointerEscape, nullptr, nullptr, + &ITraits); + } + + // If we have a non-region value by chance, just remove the binding. + // FIXME: is this necessary or correct? This handles the non-Region + // cases. Is it ever valid to store to these? + return state->killBinding(*L); +} + +bool CStringChecker::SummarizeRegion(raw_ostream &os, ASTContext &Ctx, + const MemRegion *MR) { + switch (MR->getKind()) { + case MemRegion::FunctionCodeRegionKind: { + if (const auto *FD = cast(MR)->getDecl()) + os << "the address of the function '" << *FD << '\''; + else + os << "the address of a function"; + return true; + } + case MemRegion::BlockCodeRegionKind: + os << "block text"; + return true; + case MemRegion::BlockDataRegionKind: + os << "a block"; + return true; + case MemRegion::CXXThisRegionKind: + case MemRegion::CXXTempObjectRegionKind: + os << "a C++ temp object of type " + << cast(MR)->getValueType(); + return true; + case MemRegion::NonParamVarRegionKind: + os << "a variable of type" << cast(MR)->getValueType(); + return true; + case MemRegion::ParamVarRegionKind: + os << "a parameter of type" << cast(MR)->getValueType(); + return true; + case MemRegion::FieldRegionKind: + os << "a field of type " << cast(MR)->getValueType(); + return true; + case MemRegion::ObjCIvarRegionKind: + os << "an instance variable of type " + << cast(MR)->getValueType(); + return true; + default: + return false; + } +} + +bool CStringChecker::memsetAux(const Expr *DstBuffer, SVal CharVal, + const Expr *Size, CheckerContext &C, + ProgramStateRef &State) { + SVal MemVal = C.getSVal(DstBuffer); + SVal SizeVal = C.getSVal(Size); + const MemRegion *MR = MemVal.getAsRegion(); + if (!MR) + return false; + + // We're about to model memset by producing a "default binding" in the Store. + // Our current implementation - RegionStore - doesn't support default bindings + // that don't cover the whole base region. So we should first get the offset + // and the base region to figure out whether the offset of buffer is 0. + RegionOffset Offset = MR->getAsOffset(); + const MemRegion *BR = Offset.getRegion(); + + Optional SizeNL = SizeVal.getAs(); + if (!SizeNL) + return false; + + SValBuilder &svalBuilder = C.getSValBuilder(); + ASTContext &Ctx = C.getASTContext(); + + // void *memset(void *dest, int ch, size_t count); + // For now we can only handle the case of offset is 0 and concrete char value. + if (Offset.isValid() && !Offset.hasSymbolicOffset() && + Offset.getOffset() == 0) { + // Get the base region's size. + DefinedOrUnknownSVal SizeDV = getDynamicExtent(State, BR, svalBuilder); + + ProgramStateRef StateWholeReg, StateNotWholeReg; + std::tie(StateWholeReg, StateNotWholeReg) = + State->assume(svalBuilder.evalEQ(State, SizeDV, *SizeNL)); + + // With the semantic of 'memset()', we should convert the CharVal to + // unsigned char. + CharVal = svalBuilder.evalCast(CharVal, Ctx.UnsignedCharTy, Ctx.IntTy); + + ProgramStateRef StateNullChar, StateNonNullChar; + std::tie(StateNullChar, StateNonNullChar) = + assumeZero(C, State, CharVal, Ctx.UnsignedCharTy); + + if (StateWholeReg && !StateNotWholeReg && StateNullChar && + !StateNonNullChar) { + // If the 'memset()' acts on the whole region of destination buffer and + // the value of the second argument of 'memset()' is zero, bind the second + // argument's value to the destination buffer with 'default binding'. + // FIXME: Since there is no perfect way to bind the non-zero character, we + // can only deal with zero value here. In the future, we need to deal with + // the binding of non-zero value in the case of whole region. + State = State->bindDefaultZero(svalBuilder.makeLoc(BR), + C.getLocationContext()); + } else { + // If the destination buffer's extent is not equal to the value of + // third argument, just invalidate buffer. + State = InvalidateBuffer(C, State, DstBuffer, MemVal, + /*IsSourceBuffer*/ false, Size); + } + + if (StateNullChar && !StateNonNullChar) { + // If the value of the second argument of 'memset()' is zero, set the + // string length of destination buffer to 0 directly. + State = setCStringLength(State, MR, + svalBuilder.makeZeroVal(Ctx.getSizeType())); + } else if (!StateNullChar && StateNonNullChar) { + SVal NewStrLen = svalBuilder.getMetadataSymbolVal( + CStringChecker::getTag(), MR, DstBuffer, Ctx.getSizeType(), + C.getLocationContext(), C.blockCount()); + + // If the value of second argument is not zero, then the string length + // is at least the size argument. + SVal NewStrLenGESize = svalBuilder.evalBinOp( + State, BO_GE, NewStrLen, SizeVal, svalBuilder.getConditionType()); + + State = setCStringLength( + State->assume(NewStrLenGESize.castAs(), true), + MR, NewStrLen); + } + } else { + // If the offset is not zero and char value is not concrete, we can do + // nothing but invalidate the buffer. + State = InvalidateBuffer(C, State, DstBuffer, MemVal, + /*IsSourceBuffer*/ false, Size); + } + return true; +} + +//===----------------------------------------------------------------------===// +// evaluation of individual function calls. +//===----------------------------------------------------------------------===// + +void CStringChecker::evalCopyCommon(CheckerContext &C, const CallExpr *CE, + ProgramStateRef state, SizeArgExpr Size, + DestinationArgExpr Dest, + SourceArgExpr Source, bool Restricted, + bool IsMempcpy, bool IsWide) const { + CurrentFunctionDescription = "memory copy function"; + + // See if the size argument is zero. + const LocationContext *LCtx = C.getLocationContext(); + SVal sizeVal = state->getSVal(Size.Expression, LCtx); + QualType sizeTy = Size.Expression->getType(); + + ProgramStateRef stateZeroSize, stateNonZeroSize; + std::tie(stateZeroSize, stateNonZeroSize) = + assumeZero(C, state, sizeVal, sizeTy); + + // Get the value of the Dest. + SVal destVal = state->getSVal(Dest.Expression, LCtx); + + // If the size is zero, there won't be any actual memory access, so + // just bind the return value to the destination buffer and return. + if (stateZeroSize && !stateNonZeroSize) { + stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, destVal); + C.addTransition(stateZeroSize); + return; + } + + // If the size can be nonzero, we have to check the other arguments. + if (stateNonZeroSize) { + state = stateNonZeroSize; + + // Ensure the destination is not null. If it is NULL there will be a + // NULL pointer dereference. + state = checkNonNull(C, state, Dest, destVal); + if (!state) + return; + + // Get the value of the Src. + SVal srcVal = state->getSVal(Source.Expression, LCtx); + + // Ensure the source is not null. If it is NULL there will be a + // NULL pointer dereference. + state = checkNonNull(C, state, Source, srcVal); + if (!state) + return; + + // Ensure the accesses are valid and that the buffers do not overlap. + state = CheckBufferAccess(C, state, Dest, Size, AccessKind::write, IsWide); + state = CheckBufferAccess(C, state, Source, Size, AccessKind::read, IsWide); + + if (Restricted) + state = CheckOverlap(C, state, Size, Dest, Source, IsWide); + + if (!state) + return; + + // If this is mempcpy, get the byte after the last byte copied and + // bind the expr. + if (IsMempcpy) { + // Get the byte after the last byte copied. + SValBuilder &SvalBuilder = C.getSValBuilder(); + ASTContext &Ctx = SvalBuilder.getContext(); + QualType CharPtrTy = Ctx.getPointerType(Ctx.CharTy); + SVal DestRegCharVal = + SvalBuilder.evalCast(destVal, CharPtrTy, Dest.Expression->getType()); + SVal lastElement = C.getSValBuilder().evalBinOp( + state, BO_Add, DestRegCharVal, sizeVal, Dest.Expression->getType()); + // If we don't know how much we copied, we can at least + // conjure a return value for later. + if (lastElement.isUnknown()) + lastElement = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx, + C.blockCount()); + + // The byte after the last byte copied is the return value. + state = state->BindExpr(CE, LCtx, lastElement); + } else { + // All other copies return the destination buffer. + // (Well, bcopy() has a void return type, but this won't hurt.) + state = state->BindExpr(CE, LCtx, destVal); + } + + // Invalidate the destination (regular invalidation without pointer-escaping + // the address of the top-level region). + // FIXME: Even if we can't perfectly model the copy, we should see if we + // can use LazyCompoundVals to copy the source values into the destination. + // This would probably remove any existing bindings past the end of the + // copied region, but that's still an improvement over blank invalidation. + state = + InvalidateBuffer(C, state, Dest.Expression, C.getSVal(Dest.Expression), + /*IsSourceBuffer*/ false, Size.Expression); + + // Invalidate the source (const-invalidation without const-pointer-escaping + // the address of the top-level region). + state = InvalidateBuffer(C, state, Source.Expression, + C.getSVal(Source.Expression), + /*IsSourceBuffer*/ true, nullptr); + + C.addTransition(state); + } +} + +void CStringChecker::evalMemcpy(CheckerContext &C, const CallExpr *CE, + bool IsWide) const { + // void *memcpy(void *restrict dst, const void *restrict src, size_t n); + // The return value is the address of the destination buffer. + DestinationArgExpr Dest = {CE->getArg(0), 0}; + SourceArgExpr Src = {CE->getArg(1), 1}; + SizeArgExpr Size = {CE->getArg(2), 2}; + + ProgramStateRef State = C.getState(); + + constexpr bool IsRestricted = true; + constexpr bool IsMempcpy = false; + evalCopyCommon(C, CE, State, Size, Dest, Src, IsRestricted, IsMempcpy, + IsWide); +} + +void CStringChecker::evalMempcpy(CheckerContext &C, const CallExpr *CE) const { + // void *mempcpy(void *restrict dst, const void *restrict src, size_t n); + // The return value is a pointer to the byte following the last written byte. + DestinationArgExpr Dest = {CE->getArg(0), 0}; + SourceArgExpr Src = {CE->getArg(1), 1}; + SizeArgExpr Size = {CE->getArg(2), 2}; + + constexpr bool IsRestricted = true; + constexpr bool IsMempcpy = true; + evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy, + false); +} + +void CStringChecker::evalMemmove(CheckerContext &C, const CallExpr *CE) const { + // void *memmove(void *dst, const void *src, size_t n); + // The return value is the address of the destination buffer. + DestinationArgExpr Dest = {CE->getArg(0), 0}; + SourceArgExpr Src = {CE->getArg(1), 1}; + SizeArgExpr Size = {CE->getArg(2), 2}; + + constexpr bool IsRestricted = false; + constexpr bool IsMempcpy = false; + evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy, + false); +} + +void CStringChecker::evalBcopy(CheckerContext &C, const CallExpr *CE) const { + // void bcopy(const void *src, void *dst, size_t n); + SourceArgExpr Src(CE->getArg(0), 0); + DestinationArgExpr Dest = {CE->getArg(1), 1}; + SizeArgExpr Size = {CE->getArg(2), 2}; + + constexpr bool IsRestricted = false; + constexpr bool IsMempcpy = false; + evalCopyCommon(C, CE, C.getState(), Size, Dest, Src, IsRestricted, IsMempcpy, + false); +} + +void CStringChecker::evalMemchr(CheckerContext &C, const CallExpr *CE) const { + // void * memchr (void * ptr, int value, size_t n); + CurrentFunctionDescription = "Locate character in block of memory"; + + AnyArgExpr Left = {CE->getArg(0), 0}; + SizeArgExpr Size = {CE->getArg(2), 2}; + + ProgramStateRef State = C.getState(); + SValBuilder &Builder = C.getSValBuilder(); + const LocationContext *LCtx = C.getLocationContext(); + + // See if the size argument is zero. + SVal sizeVal = State->getSVal(Size.Expression, LCtx); + QualType sizeTy = Size.Expression->getType(); + + ProgramStateRef stateZeroSize, stateNonZeroSize; + std::tie(stateZeroSize, stateNonZeroSize) = + assumeZero(C, State, sizeVal, sizeTy); + // If the size can be zero, the result will be NULL in that case, and we don't + // have to check either of the buffers. + if (stateZeroSize) { + State = stateZeroSize; + State = State->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType())); + C.addTransition(State); + } + if (stateNonZeroSize) { + State = CheckBufferAccess(C, State, Left, Size, AccessKind::read); + } +} + +void CStringChecker::evalMemcmp(CheckerContext &C, const CallExpr *CE) const { + // int memcmp(const void *s1, const void *s2, size_t n); + CurrentFunctionDescription = "memory comparison function"; + + AnyArgExpr Left = {CE->getArg(0), 0}; + AnyArgExpr Right = {CE->getArg(1), 1}; + SizeArgExpr Size = {CE->getArg(2), 2}; + + ProgramStateRef State = C.getState(); + SValBuilder &Builder = C.getSValBuilder(); + const LocationContext *LCtx = C.getLocationContext(); + + // See if the size argument is zero. + SVal sizeVal = State->getSVal(Size.Expression, LCtx); + QualType sizeTy = Size.Expression->getType(); + + ProgramStateRef stateZeroSize, stateNonZeroSize; + std::tie(stateZeroSize, stateNonZeroSize) = + assumeZero(C, State, sizeVal, sizeTy); + + // If the size can be zero, the result will be 0 in that case, and we don't + // have to check either of the buffers. + if (stateZeroSize) { + State = stateZeroSize; + State = State->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType())); + C.addTransition(State); + } + + // If the size can be nonzero, we have to check the other arguments. + if (stateNonZeroSize) { + State = stateNonZeroSize; + // If we know the two buffers are the same, we know the result is 0. + // First, get the two buffers' addresses. Another checker will have already + // made sure they're not undefined. + DefinedOrUnknownSVal LV = + State->getSVal(Left.Expression, LCtx).castAs(); + DefinedOrUnknownSVal RV = + State->getSVal(Right.Expression, LCtx).castAs(); + + // See if they are the same. + ProgramStateRef SameBuffer, NotSameBuffer; + std::tie(SameBuffer, NotSameBuffer) = + State->assume(Builder.evalEQ(State, LV, RV)); + + // If the two arguments are the same buffer, we know the result is 0, + // and we only need to check one size. + if (SameBuffer && !NotSameBuffer) { + State = SameBuffer; + State = CheckBufferAccess(C, State, Left, Size, AccessKind::read); + if (State) { + State = + SameBuffer->BindExpr(CE, LCtx, Builder.makeZeroVal(CE->getType())); + C.addTransition(State); + } + return; + } + + // If the two arguments might be different buffers, we have to check + // the size of both of them. + assert(NotSameBuffer); + State = CheckBufferAccess(C, State, Right, Size, AccessKind::read); + State = CheckBufferAccess(C, State, Left, Size, AccessKind::read); + if (State) { + // The return value is the comparison result, which we don't know. + SVal CmpV = Builder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount()); + State = State->BindExpr(CE, LCtx, CmpV); + C.addTransition(State); + } + } +} + +void CStringChecker::evalstrLength(CheckerContext &C, + const CallExpr *CE) const { + // size_t strlen(const char *s); + evalstrLengthCommon(C, CE, /* IsStrnlen = */ false); +} + +void CStringChecker::evalstrnLength(CheckerContext &C, + const CallExpr *CE) const { + // size_t strnlen(const char *s, size_t maxlen); + evalstrLengthCommon(C, CE, /* IsStrnlen = */ true); +} + +void CStringChecker::evalstrLengthCommon(CheckerContext &C, const CallExpr *CE, + bool IsStrnlen) const { + CurrentFunctionDescription = "string length function"; + ProgramStateRef state = C.getState(); + const LocationContext *LCtx = C.getLocationContext(); + + if (IsStrnlen) { + const Expr *maxlenExpr = CE->getArg(1); + SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); + + ProgramStateRef stateZeroSize, stateNonZeroSize; + std::tie(stateZeroSize, stateNonZeroSize) = + assumeZero(C, state, maxlenVal, maxlenExpr->getType()); + + // If the size can be zero, the result will be 0 in that case, and we don't + // have to check the string itself. + if (stateZeroSize) { + SVal zero = C.getSValBuilder().makeZeroVal(CE->getType()); + stateZeroSize = stateZeroSize->BindExpr(CE, LCtx, zero); + C.addTransition(stateZeroSize); + } + + // If the size is GUARANTEED to be zero, we're done! + if (!stateNonZeroSize) + return; + + // Otherwise, record the assumption that the size is nonzero. + state = stateNonZeroSize; + } + + // Check that the string argument is non-null. + AnyArgExpr Arg = {CE->getArg(0), 0}; + SVal ArgVal = state->getSVal(Arg.Expression, LCtx); + state = checkNonNull(C, state, Arg, ArgVal); + + if (!state) + return; + + SVal strLength = getCStringLength(C, state, Arg.Expression, ArgVal); + + // If the argument isn't a valid C string, there's no valid state to + // transition to. + if (strLength.isUndef()) + return; + + DefinedOrUnknownSVal result = UnknownVal(); + + // If the check is for strnlen() then bind the return value to no more than + // the maxlen value. + if (IsStrnlen) { + QualType cmpTy = C.getSValBuilder().getConditionType(); + + // It's a little unfortunate to be getting this again, + // but it's not that expensive... + const Expr *maxlenExpr = CE->getArg(1); + SVal maxlenVal = state->getSVal(maxlenExpr, LCtx); + + Optional strLengthNL = strLength.getAs(); + Optional maxlenValNL = maxlenVal.getAs(); + + if (strLengthNL && maxlenValNL) { + ProgramStateRef stateStringTooLong, stateStringNotTooLong; + + // Check if the strLength is greater than the maxlen. + std::tie(stateStringTooLong, stateStringNotTooLong) = state->assume( + C.getSValBuilder() + .evalBinOpNN(state, BO_GT, *strLengthNL, *maxlenValNL, cmpTy) + .castAs()); + + if (stateStringTooLong && !stateStringNotTooLong) { + // If the string is longer than maxlen, return maxlen. + result = *maxlenValNL; + } else if (stateStringNotTooLong && !stateStringTooLong) { + // If the string is shorter than maxlen, return its length. + result = *strLengthNL; + } + } + + if (result.isUnknown()) { + // If we don't have enough information for a comparison, there's + // no guarantee the full string length will actually be returned. + // All we know is the return value is the min of the string length + // and the limit. This is better than nothing. + result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx, + C.blockCount()); + NonLoc resultNL = result.castAs(); + + if (strLengthNL) { + state = state->assume(C.getSValBuilder().evalBinOpNN( + state, BO_LE, resultNL, *strLengthNL, cmpTy) + .castAs(), true); + } + + if (maxlenValNL) { + state = state->assume(C.getSValBuilder().evalBinOpNN( + state, BO_LE, resultNL, *maxlenValNL, cmpTy) + .castAs(), true); + } + } + + } else { + // This is a plain strlen(), not strnlen(). + result = strLength.castAs(); + + // If we don't know the length of the string, conjure a return + // value, so it can be used in constraints, at least. + if (result.isUnknown()) { + result = C.getSValBuilder().conjureSymbolVal(nullptr, CE, LCtx, + C.blockCount()); + } + } + + // Bind the return value. + assert(!result.isUnknown() && "Should have conjured a value by now"); + state = state->BindExpr(CE, LCtx, result); + C.addTransition(state); +} + +void CStringChecker::evalStrcpy(CheckerContext &C, const CallExpr *CE) const { + // char *strcpy(char *restrict dst, const char *restrict src); + evalStrcpyCommon(C, CE, + /* ReturnEnd = */ false, + /* IsBounded = */ false, + /* appendK = */ ConcatFnKind::none); +} + +void CStringChecker::evalStrncpy(CheckerContext &C, const CallExpr *CE) const { + // char *strncpy(char *restrict dst, const char *restrict src, size_t n); + evalStrcpyCommon(C, CE, + /* ReturnEnd = */ false, + /* IsBounded = */ true, + /* appendK = */ ConcatFnKind::none); +} + +void CStringChecker::evalStpcpy(CheckerContext &C, const CallExpr *CE) const { + // char *stpcpy(char *restrict dst, const char *restrict src); + evalStrcpyCommon(C, CE, + /* ReturnEnd = */ true, + /* IsBounded = */ false, + /* appendK = */ ConcatFnKind::none); +} + +void CStringChecker::evalStrlcpy(CheckerContext &C, const CallExpr *CE) const { + // size_t strlcpy(char *dest, const char *src, size_t size); + evalStrcpyCommon(C, CE, + /* ReturnEnd = */ true, + /* IsBounded = */ true, + /* appendK = */ ConcatFnKind::none, + /* returnPtr = */ false); +} + +void CStringChecker::evalStrcat(CheckerContext &C, const CallExpr *CE) const { + // char *strcat(char *restrict s1, const char *restrict s2); + evalStrcpyCommon(C, CE, + /* ReturnEnd = */ false, + /* IsBounded = */ false, + /* appendK = */ ConcatFnKind::strcat); +} + +void CStringChecker::evalStrncat(CheckerContext &C, const CallExpr *CE) const { + // char *strncat(char *restrict s1, const char *restrict s2, size_t n); + evalStrcpyCommon(C, CE, + /* ReturnEnd = */ false, + /* IsBounded = */ true, + /* appendK = */ ConcatFnKind::strcat); +} + +void CStringChecker::evalStrlcat(CheckerContext &C, const CallExpr *CE) const { + // size_t strlcat(char *dst, const char *src, size_t size); + // It will append at most size - strlen(dst) - 1 bytes, + // NULL-terminating the result. + evalStrcpyCommon(C, CE, + /* ReturnEnd = */ false, + /* IsBounded = */ true, + /* appendK = */ ConcatFnKind::strlcat, + /* returnPtr = */ false); +} + +void CStringChecker::evalStrcpyCommon(CheckerContext &C, const CallExpr *CE, + bool ReturnEnd, bool IsBounded, + ConcatFnKind appendK, + bool returnPtr) const { + if (appendK == ConcatFnKind::none) + CurrentFunctionDescription = "string copy function"; + else + CurrentFunctionDescription = "string concatenation function"; + + ProgramStateRef state = C.getState(); + const LocationContext *LCtx = C.getLocationContext(); + + // Check that the destination is non-null. + DestinationArgExpr Dst = {CE->getArg(0), 0}; + SVal DstVal = state->getSVal(Dst.Expression, LCtx); + state = checkNonNull(C, state, Dst, DstVal); + if (!state) + return; + + // Check that the source is non-null. + SourceArgExpr srcExpr = {CE->getArg(1), 1}; + SVal srcVal = state->getSVal(srcExpr.Expression, LCtx); + state = checkNonNull(C, state, srcExpr, srcVal); + if (!state) + return; + + // Get the string length of the source. + SVal strLength = getCStringLength(C, state, srcExpr.Expression, srcVal); + Optional strLengthNL = strLength.getAs(); + + // Get the string length of the destination buffer. + SVal dstStrLength = getCStringLength(C, state, Dst.Expression, DstVal); + Optional dstStrLengthNL = dstStrLength.getAs(); + + // If the source isn't a valid C string, give up. + if (strLength.isUndef()) + return; + + SValBuilder &svalBuilder = C.getSValBuilder(); + QualType cmpTy = svalBuilder.getConditionType(); + QualType sizeTy = svalBuilder.getContext().getSizeType(); + + // These two values allow checking two kinds of errors: + // - actual overflows caused by a source that doesn't fit in the destination + // - potential overflows caused by a bound that could exceed the destination + SVal amountCopied = UnknownVal(); + SVal maxLastElementIndex = UnknownVal(); + const char *boundWarning = nullptr; + + // FIXME: Why do we choose the srcExpr if the access has no size? + // Note that the 3rd argument of the call would be the size parameter. + SizeArgExpr SrcExprAsSizeDummy = {srcExpr.Expression, srcExpr.ArgumentIndex}; + state = CheckOverlap( + C, state, + (IsBounded ? SizeArgExpr{CE->getArg(2), 2} : SrcExprAsSizeDummy), Dst, + srcExpr); + + if (!state) + return; + + // If the function is strncpy, strncat, etc... it is bounded. + if (IsBounded) { + // Get the max number of characters to copy. + SizeArgExpr lenExpr = {CE->getArg(2), 2}; + SVal lenVal = state->getSVal(lenExpr.Expression, LCtx); + + // Protect against misdeclared strncpy(). + lenVal = + svalBuilder.evalCast(lenVal, sizeTy, lenExpr.Expression->getType()); + + Optional lenValNL = lenVal.getAs(); + + // If we know both values, we might be able to figure out how much + // we're copying. + if (strLengthNL && lenValNL) { + switch (appendK) { + case ConcatFnKind::none: + case ConcatFnKind::strcat: { + ProgramStateRef stateSourceTooLong, stateSourceNotTooLong; + // Check if the max number to copy is less than the length of the src. + // If the bound is equal to the source length, strncpy won't null- + // terminate the result! + std::tie(stateSourceTooLong, stateSourceNotTooLong) = state->assume( + svalBuilder + .evalBinOpNN(state, BO_GE, *strLengthNL, *lenValNL, cmpTy) + .castAs()); + + if (stateSourceTooLong && !stateSourceNotTooLong) { + // Max number to copy is less than the length of the src, so the + // actual strLength copied is the max number arg. + state = stateSourceTooLong; + amountCopied = lenVal; + + } else if (!stateSourceTooLong && stateSourceNotTooLong) { + // The source buffer entirely fits in the bound. + state = stateSourceNotTooLong; + amountCopied = strLength; + } + break; + } + case ConcatFnKind::strlcat: + if (!dstStrLengthNL) + return; + + // amountCopied = min (size - dstLen - 1 , srcLen) + SVal freeSpace = svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, + *dstStrLengthNL, sizeTy); + if (!isa(freeSpace)) + return; + freeSpace = + svalBuilder.evalBinOp(state, BO_Sub, freeSpace, + svalBuilder.makeIntVal(1, sizeTy), sizeTy); + Optional freeSpaceNL = freeSpace.getAs(); + + // While unlikely, it is possible that the subtraction is + // too complex to compute, let's check whether it succeeded. + if (!freeSpaceNL) + return; + SVal hasEnoughSpace = svalBuilder.evalBinOpNN( + state, BO_LE, *strLengthNL, *freeSpaceNL, cmpTy); + + ProgramStateRef TrueState, FalseState; + std::tie(TrueState, FalseState) = + state->assume(hasEnoughSpace.castAs()); + + // srcStrLength <= size - dstStrLength -1 + if (TrueState && !FalseState) { + amountCopied = strLength; + } + + // srcStrLength > size - dstStrLength -1 + if (!TrueState && FalseState) { + amountCopied = freeSpace; + } + + if (TrueState && FalseState) + amountCopied = UnknownVal(); + break; + } + } + // We still want to know if the bound is known to be too large. + if (lenValNL) { + switch (appendK) { + case ConcatFnKind::strcat: + // For strncat, the check is strlen(dst) + lenVal < sizeof(dst) + + // Get the string length of the destination. If the destination is + // memory that can't have a string length, we shouldn't be copying + // into it anyway. + if (dstStrLength.isUndef()) + return; + + if (dstStrLengthNL) { + maxLastElementIndex = svalBuilder.evalBinOpNN( + state, BO_Add, *lenValNL, *dstStrLengthNL, sizeTy); + + boundWarning = "Size argument is greater than the free space in the " + "destination buffer"; + } + break; + case ConcatFnKind::none: + case ConcatFnKind::strlcat: + // For strncpy and strlcat, this is just checking + // that lenVal <= sizeof(dst). + // (Yes, strncpy and strncat differ in how they treat termination. + // strncat ALWAYS terminates, but strncpy doesn't.) + + // We need a special case for when the copy size is zero, in which + // case strncpy will do no work at all. Our bounds check uses n-1 + // as the last element accessed, so n == 0 is problematic. + ProgramStateRef StateZeroSize, StateNonZeroSize; + std::tie(StateZeroSize, StateNonZeroSize) = + assumeZero(C, state, *lenValNL, sizeTy); + + // If the size is known to be zero, we're done. + if (StateZeroSize && !StateNonZeroSize) { + if (returnPtr) { + StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, DstVal); + } else { + if (appendK == ConcatFnKind::none) { + // strlcpy returns strlen(src) + StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, strLength); + } else { + // strlcat returns strlen(src) + strlen(dst) + SVal retSize = svalBuilder.evalBinOp( + state, BO_Add, strLength, dstStrLength, sizeTy); + StateZeroSize = StateZeroSize->BindExpr(CE, LCtx, retSize); + } + } + C.addTransition(StateZeroSize); + return; + } + + // Otherwise, go ahead and figure out the last element we'll touch. + // We don't record the non-zero assumption here because we can't + // be sure. We won't warn on a possible zero. + NonLoc one = svalBuilder.makeIntVal(1, sizeTy).castAs(); + maxLastElementIndex = + svalBuilder.evalBinOpNN(state, BO_Sub, *lenValNL, one, sizeTy); + boundWarning = "Size argument is greater than the length of the " + "destination buffer"; + break; + } + } + } else { + // The function isn't bounded. The amount copied should match the length + // of the source buffer. + amountCopied = strLength; + } + + assert(state); + + // This represents the number of characters copied into the destination + // buffer. (It may not actually be the strlen if the destination buffer + // is not terminated.) + SVal finalStrLength = UnknownVal(); + SVal strlRetVal = UnknownVal(); + + if (appendK == ConcatFnKind::none && !returnPtr) { + // strlcpy returns the sizeof(src) + strlRetVal = strLength; + } + + // If this is an appending function (strcat, strncat...) then set the + // string length to strlen(src) + strlen(dst) since the buffer will + // ultimately contain both. + if (appendK != ConcatFnKind::none) { + // Get the string length of the destination. If the destination is memory + // that can't have a string length, we shouldn't be copying into it anyway. + if (dstStrLength.isUndef()) + return; + + if (appendK == ConcatFnKind::strlcat && dstStrLengthNL && strLengthNL) { + strlRetVal = svalBuilder.evalBinOpNN(state, BO_Add, *strLengthNL, + *dstStrLengthNL, sizeTy); + } + + Optional amountCopiedNL = amountCopied.getAs(); + + // If we know both string lengths, we might know the final string length. + if (amountCopiedNL && dstStrLengthNL) { + // Make sure the two lengths together don't overflow a size_t. + state = checkAdditionOverflow(C, state, *amountCopiedNL, *dstStrLengthNL); + if (!state) + return; + + finalStrLength = svalBuilder.evalBinOpNN(state, BO_Add, *amountCopiedNL, + *dstStrLengthNL, sizeTy); + } + + // If we couldn't get a single value for the final string length, + // we can at least bound it by the individual lengths. + if (finalStrLength.isUnknown()) { + // Try to get a "hypothetical" string length symbol, which we can later + // set as a real value if that turns out to be the case. + finalStrLength = getCStringLength(C, state, CE, DstVal, true); + assert(!finalStrLength.isUndef()); + + if (Optional finalStrLengthNL = finalStrLength.getAs()) { + if (amountCopiedNL && appendK == ConcatFnKind::none) { + // we overwrite dst string with the src + // finalStrLength >= srcStrLength + SVal sourceInResult = svalBuilder.evalBinOpNN( + state, BO_GE, *finalStrLengthNL, *amountCopiedNL, cmpTy); + state = state->assume(sourceInResult.castAs(), + true); + if (!state) + return; + } + + if (dstStrLengthNL && appendK != ConcatFnKind::none) { + // we extend the dst string with the src + // finalStrLength >= dstStrLength + SVal destInResult = svalBuilder.evalBinOpNN(state, BO_GE, + *finalStrLengthNL, + *dstStrLengthNL, + cmpTy); + state = + state->assume(destInResult.castAs(), true); + if (!state) + return; + } + } + } + + } else { + // Otherwise, this is a copy-over function (strcpy, strncpy, ...), and + // the final string length will match the input string length. + finalStrLength = amountCopied; + } + + SVal Result; + + if (returnPtr) { + // The final result of the function will either be a pointer past the last + // copied element, or a pointer to the start of the destination buffer. + Result = (ReturnEnd ? UnknownVal() : DstVal); + } else { + if (appendK == ConcatFnKind::strlcat || appendK == ConcatFnKind::none) + //strlcpy, strlcat + Result = strlRetVal; + else + Result = finalStrLength; + } + + assert(state); + + // If the destination is a MemRegion, try to check for a buffer overflow and + // record the new string length. + if (Optional dstRegVal = + DstVal.getAs()) { + QualType ptrTy = Dst.Expression->getType(); + + // If we have an exact value on a bounded copy, use that to check for + // overflows, rather than our estimate about how much is actually copied. + if (Optional maxLastNL = maxLastElementIndex.getAs()) { + SVal maxLastElement = + svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, *maxLastNL, ptrTy); + + state = CheckLocation(C, state, Dst, maxLastElement, AccessKind::write); + if (!state) + return; + } + + // Then, if the final length is known... + if (Optional knownStrLength = finalStrLength.getAs()) { + SVal lastElement = svalBuilder.evalBinOpLN(state, BO_Add, *dstRegVal, + *knownStrLength, ptrTy); + + // ...and we haven't checked the bound, we'll check the actual copy. + if (!boundWarning) { + state = CheckLocation(C, state, Dst, lastElement, AccessKind::write); + if (!state) + return; + } + + // If this is a stpcpy-style copy, the last element is the return value. + if (returnPtr && ReturnEnd) + Result = lastElement; + } + + // Invalidate the destination (regular invalidation without pointer-escaping + // the address of the top-level region). This must happen before we set the + // C string length because invalidation will clear the length. + // FIXME: Even if we can't perfectly model the copy, we should see if we + // can use LazyCompoundVals to copy the source values into the destination. + // This would probably remove any existing bindings past the end of the + // string, but that's still an improvement over blank invalidation. + state = InvalidateBuffer(C, state, Dst.Expression, *dstRegVal, + /*IsSourceBuffer*/ false, nullptr); + + // Invalidate the source (const-invalidation without const-pointer-escaping + // the address of the top-level region). + state = InvalidateBuffer(C, state, srcExpr.Expression, srcVal, + /*IsSourceBuffer*/ true, nullptr); + + // Set the C string length of the destination, if we know it. + if (IsBounded && (appendK == ConcatFnKind::none)) { + // strncpy is annoying in that it doesn't guarantee to null-terminate + // the result string. If the original string didn't fit entirely inside + // the bound (including the null-terminator), we don't know how long the + // result is. + if (amountCopied != strLength) + finalStrLength = UnknownVal(); + } + state = setCStringLength(state, dstRegVal->getRegion(), finalStrLength); + } + + assert(state); + + if (returnPtr) { + // If this is a stpcpy-style copy, but we were unable to check for a buffer + // overflow, we still need a result. Conjure a return value. + if (ReturnEnd && Result.isUnknown()) { + Result = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount()); + } + } + // Set the return value. + state = state->BindExpr(CE, LCtx, Result); + C.addTransition(state); +} + +void CStringChecker::evalStrcmp(CheckerContext &C, const CallExpr *CE) const { + //int strcmp(const char *s1, const char *s2); + evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ false); +} + +void CStringChecker::evalStrncmp(CheckerContext &C, const CallExpr *CE) const { + //int strncmp(const char *s1, const char *s2, size_t n); + evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ false); +} + +void CStringChecker::evalStrcasecmp(CheckerContext &C, + const CallExpr *CE) const { + //int strcasecmp(const char *s1, const char *s2); + evalStrcmpCommon(C, CE, /* IsBounded = */ false, /* IgnoreCase = */ true); +} + +void CStringChecker::evalStrncasecmp(CheckerContext &C, + const CallExpr *CE) const { + //int strncasecmp(const char *s1, const char *s2, size_t n); + evalStrcmpCommon(C, CE, /* IsBounded = */ true, /* IgnoreCase = */ true); +} + +void CStringChecker::evalStrcmpCommon(CheckerContext &C, const CallExpr *CE, + bool IsBounded, bool IgnoreCase) const { + CurrentFunctionDescription = "string comparison function"; + ProgramStateRef state = C.getState(); + const LocationContext *LCtx = C.getLocationContext(); + + // Check that the first string is non-null + AnyArgExpr Left = {CE->getArg(0), 0}; + SVal LeftVal = state->getSVal(Left.Expression, LCtx); + state = checkNonNull(C, state, Left, LeftVal); + if (!state) + return; + + // Check that the second string is non-null. + AnyArgExpr Right = {CE->getArg(1), 1}; + SVal RightVal = state->getSVal(Right.Expression, LCtx); + state = checkNonNull(C, state, Right, RightVal); + if (!state) + return; + + // Get the string length of the first string or give up. + SVal LeftLength = getCStringLength(C, state, Left.Expression, LeftVal); + if (LeftLength.isUndef()) + return; + + // Get the string length of the second string or give up. + SVal RightLength = getCStringLength(C, state, Right.Expression, RightVal); + if (RightLength.isUndef()) + return; + + // If we know the two buffers are the same, we know the result is 0. + // First, get the two buffers' addresses. Another checker will have already + // made sure they're not undefined. + DefinedOrUnknownSVal LV = LeftVal.castAs(); + DefinedOrUnknownSVal RV = RightVal.castAs(); + + // See if they are the same. + SValBuilder &svalBuilder = C.getSValBuilder(); + DefinedOrUnknownSVal SameBuf = svalBuilder.evalEQ(state, LV, RV); + ProgramStateRef StSameBuf, StNotSameBuf; + std::tie(StSameBuf, StNotSameBuf) = state->assume(SameBuf); + + // If the two arguments might be the same buffer, we know the result is 0, + // and we only need to check one size. + if (StSameBuf) { + StSameBuf = StSameBuf->BindExpr(CE, LCtx, + svalBuilder.makeZeroVal(CE->getType())); + C.addTransition(StSameBuf); + + // If the two arguments are GUARANTEED to be the same, we're done! + if (!StNotSameBuf) + return; + } + + assert(StNotSameBuf); + state = StNotSameBuf; + + // At this point we can go about comparing the two buffers. + // For now, we only do this if they're both known string literals. + + // Attempt to extract string literals from both expressions. + const StringLiteral *LeftStrLiteral = + getCStringLiteral(C, state, Left.Expression, LeftVal); + const StringLiteral *RightStrLiteral = + getCStringLiteral(C, state, Right.Expression, RightVal); + bool canComputeResult = false; + SVal resultVal = svalBuilder.conjureSymbolVal(nullptr, CE, LCtx, + C.blockCount()); + + if (LeftStrLiteral && RightStrLiteral) { + StringRef LeftStrRef = LeftStrLiteral->getString(); + StringRef RightStrRef = RightStrLiteral->getString(); + + if (IsBounded) { + // Get the max number of characters to compare. + const Expr *lenExpr = CE->getArg(2); + SVal lenVal = state->getSVal(lenExpr, LCtx); + + // If the length is known, we can get the right substrings. + if (const llvm::APSInt *len = svalBuilder.getKnownValue(state, lenVal)) { + // Create substrings of each to compare the prefix. + LeftStrRef = LeftStrRef.substr(0, (size_t)len->getZExtValue()); + RightStrRef = RightStrRef.substr(0, (size_t)len->getZExtValue()); + canComputeResult = true; + } + } else { + // This is a normal, unbounded strcmp. + canComputeResult = true; + } + + if (canComputeResult) { + // Real strcmp stops at null characters. + size_t s1Term = LeftStrRef.find('\0'); + if (s1Term != StringRef::npos) + LeftStrRef = LeftStrRef.substr(0, s1Term); + + size_t s2Term = RightStrRef.find('\0'); + if (s2Term != StringRef::npos) + RightStrRef = RightStrRef.substr(0, s2Term); + + // Use StringRef's comparison methods to compute the actual result. + int compareRes = IgnoreCase ? LeftStrRef.compare_insensitive(RightStrRef) + : LeftStrRef.compare(RightStrRef); + + // The strcmp function returns an integer greater than, equal to, or less + // than zero, [c11, p7.24.4.2]. + if (compareRes == 0) { + resultVal = svalBuilder.makeIntVal(compareRes, CE->getType()); + } + else { + DefinedSVal zeroVal = svalBuilder.makeIntVal(0, CE->getType()); + // Constrain strcmp's result range based on the result of StringRef's + // comparison methods. + BinaryOperatorKind op = (compareRes == 1) ? BO_GT : BO_LT; + SVal compareWithZero = + svalBuilder.evalBinOp(state, op, resultVal, zeroVal, + svalBuilder.getConditionType()); + DefinedSVal compareWithZeroVal = compareWithZero.castAs(); + state = state->assume(compareWithZeroVal, true); + } + } + } + + state = state->BindExpr(CE, LCtx, resultVal); + + // Record this as a possible path. + C.addTransition(state); +} + +void CStringChecker::evalStrsep(CheckerContext &C, const CallExpr *CE) const { + // char *strsep(char **stringp, const char *delim); + // Verify whether the search string parameter matches the return type. + SourceArgExpr SearchStrPtr = {CE->getArg(0), 0}; + + QualType CharPtrTy = SearchStrPtr.Expression->getType()->getPointeeType(); + if (CharPtrTy.isNull() || + CE->getType().getUnqualifiedType() != CharPtrTy.getUnqualifiedType()) + return; + + CurrentFunctionDescription = "strsep()"; + ProgramStateRef State = C.getState(); + const LocationContext *LCtx = C.getLocationContext(); + + // Check that the search string pointer is non-null (though it may point to + // a null string). + SVal SearchStrVal = State->getSVal(SearchStrPtr.Expression, LCtx); + State = checkNonNull(C, State, SearchStrPtr, SearchStrVal); + if (!State) + return; + + // Check that the delimiter string is non-null. + AnyArgExpr DelimStr = {CE->getArg(1), 1}; + SVal DelimStrVal = State->getSVal(DelimStr.Expression, LCtx); + State = checkNonNull(C, State, DelimStr, DelimStrVal); + if (!State) + return; + + SValBuilder &SVB = C.getSValBuilder(); + SVal Result; + if (Optional SearchStrLoc = SearchStrVal.getAs()) { + // Get the current value of the search string pointer, as a char*. + Result = State->getSVal(*SearchStrLoc, CharPtrTy); + + // Invalidate the search string, representing the change of one delimiter + // character to NUL. + State = InvalidateBuffer(C, State, SearchStrPtr.Expression, Result, + /*IsSourceBuffer*/ false, nullptr); + + // Overwrite the search string pointer. The new value is either an address + // further along in the same string, or NULL if there are no more tokens. + State = State->bindLoc(*SearchStrLoc, + SVB.conjureSymbolVal(getTag(), + CE, + LCtx, + CharPtrTy, + C.blockCount()), + LCtx); + } else { + assert(SearchStrVal.isUnknown()); + // Conjure a symbolic value. It's the best we can do. + Result = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount()); + } + + // Set the return value, and finish. + State = State->BindExpr(CE, LCtx, Result); + C.addTransition(State); +} + +// These should probably be moved into a C++ standard library checker. +void CStringChecker::evalStdCopy(CheckerContext &C, const CallExpr *CE) const { + evalStdCopyCommon(C, CE); +} + +void CStringChecker::evalStdCopyBackward(CheckerContext &C, + const CallExpr *CE) const { + evalStdCopyCommon(C, CE); +} + +void CStringChecker::evalStdCopyCommon(CheckerContext &C, + const CallExpr *CE) const { + if (!CE->getArg(2)->getType()->isPointerType()) + return; + + ProgramStateRef State = C.getState(); + + const LocationContext *LCtx = C.getLocationContext(); + + // template + // _OutputIterator + // copy(_InputIterator __first, _InputIterator __last, + // _OutputIterator __result) + + // Invalidate the destination buffer + const Expr *Dst = CE->getArg(2); + SVal DstVal = State->getSVal(Dst, LCtx); + State = InvalidateBuffer(C, State, Dst, DstVal, /*IsSource=*/false, + /*Size=*/nullptr); + + SValBuilder &SVB = C.getSValBuilder(); + + SVal ResultVal = SVB.conjureSymbolVal(nullptr, CE, LCtx, C.blockCount()); + State = State->BindExpr(CE, LCtx, ResultVal); + + C.addTransition(State); +} + +void CStringChecker::evalMemset(CheckerContext &C, const CallExpr *CE) const { + // void *memset(void *s, int c, size_t n); + CurrentFunctionDescription = "memory set function"; + + DestinationArgExpr Buffer = {CE->getArg(0), 0}; + AnyArgExpr CharE = {CE->getArg(1), 1}; + SizeArgExpr Size = {CE->getArg(2), 2}; + + ProgramStateRef State = C.getState(); + + // See if the size argument is zero. + const LocationContext *LCtx = C.getLocationContext(); + SVal SizeVal = C.getSVal(Size.Expression); + QualType SizeTy = Size.Expression->getType(); + + ProgramStateRef ZeroSize, NonZeroSize; + std::tie(ZeroSize, NonZeroSize) = assumeZero(C, State, SizeVal, SizeTy); + + // Get the value of the memory area. + SVal BufferPtrVal = C.getSVal(Buffer.Expression); + + // If the size is zero, there won't be any actual memory access, so + // just bind the return value to the buffer and return. + if (ZeroSize && !NonZeroSize) { + ZeroSize = ZeroSize->BindExpr(CE, LCtx, BufferPtrVal); + C.addTransition(ZeroSize); + return; + } + + // Ensure the memory area is not null. + // If it is NULL there will be a NULL pointer dereference. + State = checkNonNull(C, NonZeroSize, Buffer, BufferPtrVal); + if (!State) + return; + + State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write); + if (!State) + return; + + // According to the values of the arguments, bind the value of the second + // argument to the destination buffer and set string length, or just + // invalidate the destination buffer. + if (!memsetAux(Buffer.Expression, C.getSVal(CharE.Expression), + Size.Expression, C, State)) + return; + + State = State->BindExpr(CE, LCtx, BufferPtrVal); + C.addTransition(State); +} + +void CStringChecker::evalBzero(CheckerContext &C, const CallExpr *CE) const { + CurrentFunctionDescription = "memory clearance function"; + + DestinationArgExpr Buffer = {CE->getArg(0), 0}; + SizeArgExpr Size = {CE->getArg(1), 1}; + SVal Zero = C.getSValBuilder().makeZeroVal(C.getASTContext().IntTy); + + ProgramStateRef State = C.getState(); + + // See if the size argument is zero. + SVal SizeVal = C.getSVal(Size.Expression); + QualType SizeTy = Size.Expression->getType(); + + ProgramStateRef StateZeroSize, StateNonZeroSize; + std::tie(StateZeroSize, StateNonZeroSize) = + assumeZero(C, State, SizeVal, SizeTy); + + // If the size is zero, there won't be any actual memory access, + // In this case we just return. + if (StateZeroSize && !StateNonZeroSize) { + C.addTransition(StateZeroSize); + return; + } + + // Get the value of the memory area. + SVal MemVal = C.getSVal(Buffer.Expression); + + // Ensure the memory area is not null. + // If it is NULL there will be a NULL pointer dereference. + State = checkNonNull(C, StateNonZeroSize, Buffer, MemVal); + if (!State) + return; + + State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write); + if (!State) + return; + + if (!memsetAux(Buffer.Expression, Zero, Size.Expression, C, State)) + return; + + C.addTransition(State); +} + +//===----------------------------------------------------------------------===// +// The driver method, and other Checker callbacks. +//===----------------------------------------------------------------------===// + +CStringChecker::FnCheck CStringChecker::identifyCall(const CallEvent &Call, + CheckerContext &C) const { + const auto *CE = dyn_cast_or_null(Call.getOriginExpr()); + if (!CE) + return nullptr; + + const FunctionDecl *FD = dyn_cast_or_null(Call.getDecl()); + if (!FD) + return nullptr; + + if (StdCopy.matches(Call)) + return &CStringChecker::evalStdCopy; + if (StdCopyBackward.matches(Call)) + return &CStringChecker::evalStdCopyBackward; + + // Pro-actively check that argument types are safe to do arithmetic upon. + // We do not want to crash if someone accidentally passes a structure + // into, say, a C++ overload of any of these functions. We could not check + // that for std::copy because they may have arguments of other types. + for (auto I : CE->arguments()) { + QualType T = I->getType(); + if (!T->isIntegralOrEnumerationType() && !T->isPointerType()) + return nullptr; + } + + const FnCheck *Callback = Callbacks.lookup(Call); + if (Callback) + return *Callback; + + return nullptr; +} + +bool CStringChecker::evalCall(const CallEvent &Call, CheckerContext &C) const { + FnCheck Callback = identifyCall(Call, C); + + // If the callee isn't a string function, let another checker handle it. + if (!Callback) + return false; + + // Check and evaluate the call. + const auto *CE = cast(Call.getOriginExpr()); + Callback(this, C, CE); + + // If the evaluate call resulted in no change, chain to the next eval call + // handler. + // Note, the custom CString evaluation calls assume that basic safety + // properties are held. However, if the user chooses to turn off some of these + // checks, we ignore the issues and leave the call evaluation to a generic + // handler. + return C.isDifferent(); +} + +void CStringChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const { + // Record string length for char a[] = "abc"; + ProgramStateRef state = C.getState(); + + for (const auto *I : DS->decls()) { + const VarDecl *D = dyn_cast(I); + if (!D) + continue; + + // FIXME: Handle array fields of structs. + if (!D->getType()->isArrayType()) + continue; + + const Expr *Init = D->getInit(); + if (!Init) + continue; + if (!isa(Init)) + continue; + + Loc VarLoc = state->getLValue(D, C.getLocationContext()); + const MemRegion *MR = VarLoc.getAsRegion(); + if (!MR) + continue; + + SVal StrVal = C.getSVal(Init); + assert(StrVal.isValid() && "Initializer string is unknown or undefined"); + DefinedOrUnknownSVal strLength = + getCStringLength(C, state, Init, StrVal).castAs(); + + state = state->set(MR, strLength); + } + + C.addTransition(state); +} + +ProgramStateRef +CStringChecker::checkRegionChanges(ProgramStateRef state, + const InvalidatedSymbols *, + ArrayRef ExplicitRegions, + ArrayRef Regions, + const LocationContext *LCtx, + const CallEvent *Call) const { + CStringLengthTy Entries = state->get(); + if (Entries.isEmpty()) + return state; + + llvm::SmallPtrSet Invalidated; + llvm::SmallPtrSet SuperRegions; + + // First build sets for the changed regions and their super-regions. + for (ArrayRef::iterator + I = Regions.begin(), E = Regions.end(); I != E; ++I) { + const MemRegion *MR = *I; + Invalidated.insert(MR); + + SuperRegions.insert(MR); + while (const SubRegion *SR = dyn_cast(MR)) { + MR = SR->getSuperRegion(); + SuperRegions.insert(MR); + } + } + + CStringLengthTy::Factory &F = state->get_context(); + + // Then loop over the entries in the current state. + for (CStringLengthTy::iterator I = Entries.begin(), + E = Entries.end(); I != E; ++I) { + const MemRegion *MR = I.getKey(); + + // Is this entry for a super-region of a changed region? + if (SuperRegions.count(MR)) { + Entries = F.remove(Entries, MR); + continue; + } + + // Is this entry for a sub-region of a changed region? + const MemRegion *Super = MR; + while (const SubRegion *SR = dyn_cast(Super)) { + Super = SR->getSuperRegion(); + if (Invalidated.count(Super)) { + Entries = F.remove(Entries, MR); + break; + } + } + } + + return state->set(Entries); +} + +void CStringChecker::checkLiveSymbols(ProgramStateRef state, + SymbolReaper &SR) const { + // Mark all symbols in our string length map as valid. + CStringLengthTy Entries = state->get(); + + for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end(); + I != E; ++I) { + SVal Len = I.getData(); + + for (SymExpr::symbol_iterator si = Len.symbol_begin(), + se = Len.symbol_end(); si != se; ++si) + SR.markInUse(*si); + } +} + +void CStringChecker::checkDeadSymbols(SymbolReaper &SR, + CheckerContext &C) const { + ProgramStateRef state = C.getState(); + CStringLengthTy Entries = state->get(); + if (Entries.isEmpty()) + return; + + CStringLengthTy::Factory &F = state->get_context(); + for (CStringLengthTy::iterator I = Entries.begin(), E = Entries.end(); + I != E; ++I) { + SVal Len = I.getData(); + if (SymbolRef Sym = Len.getAsSymbol()) { + if (SR.isDead(Sym)) + Entries = F.remove(Entries, I.getKey()); + } + } + + state = state->set(Entries); + C.addTransition(state); +} + +void ento::registerCWE120CStringModeling(CheckerManager &Mgr) { + Mgr.registerChecker(); +} + +bool ento::shouldRegisterCWE120CStringModeling(const CheckerManager &mgr) { + return true; +} + +#define REGISTER_CHECKER(name) \ + void ento::register##name(CheckerManager &mgr) { \ + CStringChecker *checker = mgr.getChecker(); \ + checker->Filter.Check##name = true; \ + checker->Filter.CheckName##name = mgr.getCurrentCheckerName(); \ + } \ + \ + bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; } + +REGISTER_CHECKER(CStringInsecureBufferCopy) +REGISTER_CHECKER(CStringStackBufferOverflow) +REGISTER_CHECKER(CStringHeapBufferOverflow) diff --git a/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-121-ArrayBoundCheckerV2.cpp b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-121-ArrayBoundCheckerV2.cpp new file mode 100644 index 0000000000..cff3e4571a --- /dev/null +++ b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-121-ArrayBoundCheckerV2.cpp @@ -0,0 +1,401 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +//=== cwe-121-ArrayBoundCheckerV2.cpp ---------------------=-----*- C++ -*-===// +// +// This file defines ArrayBoundCheckerV2, which is a path-sensitive check +// which looks for an out-of-bound array element access. +// +//===----------------------------------------------------------------------===// + +#include "clang/AST/CharUnits.h" +#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" +#include "clang/StaticAnalyzer/Checkers/Taint.h" +#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" +#include "clang/StaticAnalyzer/Core/Checker.h" +#include "clang/StaticAnalyzer/Core/CheckerManager.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" +#include "llvm/ADT/SmallString.h" +#include "llvm/Support/raw_ostream.h" + +using namespace clang; +using namespace ento; +using namespace taint; + +namespace { +class ArrayBoundCheckerV2 : + public Checker { + mutable std::unique_ptr BT; + + enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted }; + + void reportOOB(CheckerContext &C, ProgramStateRef errorState, OOB_Kind kind, + std::unique_ptr Visitor = nullptr) const; + +public: + bool ShouldCheckStackArray; + bool ShouldCheckHeapArray; + CheckerNameRef CheckName; + void checkLocation(SVal l, bool isLoad, const Stmt*S, + CheckerContext &C) const; +}; + +// FIXME: Eventually replace RegionRawOffset with this class. +class RegionRawOffsetV2 { +private: + const SubRegion *baseRegion; + SVal byteOffset; + + RegionRawOffsetV2() + : baseRegion(nullptr), byteOffset(UnknownVal()) {} + +public: + RegionRawOffsetV2(const SubRegion* base, SVal offset) + : baseRegion(base), byteOffset(offset) {} + + NonLoc getByteOffset() const { return byteOffset.castAs(); } + const SubRegion *getRegion() const { return baseRegion; } + + static RegionRawOffsetV2 computeOffset(ProgramStateRef state, + SValBuilder &svalBuilder, + SVal location); + + void dump() const; + void dumpToStream(raw_ostream &os) const; +}; +} + +static SVal computeExtentBegin(SValBuilder &svalBuilder, + const MemRegion *region) { + const MemSpaceRegion *SR = region->getMemorySpace(); + if (SR->getKind() == MemRegion::UnknownSpaceRegionKind) + return UnknownVal(); + else + return svalBuilder.makeZeroArrayIndex(); +} + +// TODO: once the constraint manager is smart enough to handle non simplified +// symbolic expressions remove this function. Note that this can not be used in +// the constraint manager as is, since this does not handle overflows. It is +// safe to assume, however, that memory offsets will not overflow. +static std::pair +getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent, + SValBuilder &svalBuilder) { + Optional SymVal = offset.getAs(); + if (SymVal && SymVal->isExpression()) { + if (const SymIntExpr *SIE = dyn_cast(SymVal->getSymbol())) { + llvm::APSInt constant = + APSIntType(extent.getValue()).convert(SIE->getRHS()); + switch (SIE->getOpcode()) { + case BO_Mul: + // The constant should never be 0 here, since it the result of scaling + // based on the size of a type which is never 0. + if ((extent.getValue() % constant) != 0) + return std::pair(offset, extent); + else + return getSimplifiedOffsets( + nonloc::SymbolVal(SIE->getLHS()), + svalBuilder.makeIntVal(extent.getValue() / constant), + svalBuilder); + case BO_Add: + return getSimplifiedOffsets( + nonloc::SymbolVal(SIE->getLHS()), + svalBuilder.makeIntVal(extent.getValue() - constant), svalBuilder); + default: + break; + } + } + } + + return std::pair(offset, extent); +} + +void ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad, + const Stmt* LoadS, + CheckerContext &checkerContext) const { + + // NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping + // some new logic here that reasons directly about memory region extents. + // Once that logic is more mature, we can bring it back to assumeInBound() + // for all clients to use. + // + // The algorithm we are using here for bounds checking is to see if the + // memory access is within the extent of the base region. Since we + // have some flexibility in defining the base region, we can achieve + // various levels of conservatism in our buffer overflow checking. + ProgramStateRef state = checkerContext.getState(); + + SValBuilder &svalBuilder = checkerContext.getSValBuilder(); + const RegionRawOffsetV2 &rawOffset = + RegionRawOffsetV2::computeOffset(state, svalBuilder, location); + + if (!rawOffset.getRegion()) + return; + if (rawOffset.getRegion()->getSuperRegion()->hasStackStorage() + && !ShouldCheckStackArray) + return; + if (!rawOffset.getRegion()->getSuperRegion()->hasStackStorage() + && !ShouldCheckHeapArray) + return; + + NonLoc rawOffsetVal = rawOffset.getByteOffset(); + + // CHECK LOWER BOUND: Is byteOffset < extent begin? + // If so, we are doing a load/store + // before the first valid offset in the memory region. + + SVal extentBegin = computeExtentBegin(svalBuilder, rawOffset.getRegion()); + + if (Optional NV = extentBegin.getAs()) { + if (auto ConcreteNV = NV->getAs()) { + std::pair simplifiedOffsets = + getSimplifiedOffsets(rawOffset.getByteOffset(), *ConcreteNV, + svalBuilder); + rawOffsetVal = simplifiedOffsets.first; + *NV = simplifiedOffsets.second; + } + + SVal lowerBound = svalBuilder.evalBinOpNN(state, BO_LT, rawOffsetVal, *NV, + svalBuilder.getConditionType()); + + Optional lowerBoundToCheck = lowerBound.getAs(); + if (!lowerBoundToCheck) + return; + + ProgramStateRef state_precedesLowerBound, state_withinLowerBound; + std::tie(state_precedesLowerBound, state_withinLowerBound) = + state->assume(*lowerBoundToCheck); + + // Are we constrained enough to definitely precede the lower bound? + if (state_precedesLowerBound && !state_withinLowerBound) { + reportOOB(checkerContext, state_precedesLowerBound, OOB_Precedes); + return; + } + + // Otherwise, assume the constraint of the lower bound. + assert(state_withinLowerBound); + state = state_withinLowerBound; + } + + do { + // CHECK UPPER BOUND: Is byteOffset >= size(baseRegion)? If so, + // we are doing a load/store after the last valid offset. + const MemRegion *MR = rawOffset.getRegion(); + DefinedOrUnknownSVal Size = getDynamicExtent(state, MR, svalBuilder); + if (!isa(Size)) + break; + + if (auto ConcreteSize = Size.getAs()) { + std::pair simplifiedOffsets = + getSimplifiedOffsets(rawOffset.getByteOffset(), *ConcreteSize, + svalBuilder); + rawOffsetVal = simplifiedOffsets.first; + Size = simplifiedOffsets.second; + } + + SVal upperbound = svalBuilder.evalBinOpNN(state, BO_GE, rawOffsetVal, + Size.castAs(), + svalBuilder.getConditionType()); + + Optional upperboundToCheck = upperbound.getAs(); + if (!upperboundToCheck) + break; + + ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; + std::tie(state_exceedsUpperBound, state_withinUpperBound) = + state->assume(*upperboundToCheck); + + // If we are under constrained and the index variables are tainted, report. + if (state_exceedsUpperBound && state_withinUpperBound) { + SVal ByteOffset = rawOffset.getByteOffset(); + if (isTainted(state, ByteOffset)) { + reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted, + std::make_unique(ByteOffset)); + return; + } + } else if (state_exceedsUpperBound) { + // If we are constrained enough to definitely exceed the upper bound, + // report. + assert(!state_withinUpperBound); + reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes); + return; + } + + assert(state_withinUpperBound); + state = state_withinUpperBound; + } + while (false); + + checkerContext.addTransition(state); +} + +void ArrayBoundCheckerV2::reportOOB( + CheckerContext &checkerContext, ProgramStateRef errorState, OOB_Kind kind, + std::unique_ptr Visitor) const { + + ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState); + if (!errorNode) + return; + + if (!BT) + BT.reset(new BuiltinBug(CheckName, "Out-of-bound access")); + + // FIXME: This diagnostics are preliminary. We should get far better + // diagnostics for explaining buffer overruns. + + SmallString<256> buf; + llvm::raw_svector_ostream os(buf); + os << "Out of bound memory access "; + switch (kind) { + case OOB_Precedes: + os << "(accessed memory precedes memory block)"; + break; + case OOB_Excedes: + os << "(access exceeds upper limit of memory block)"; + break; + case OOB_Tainted: + os << "(index is tainted)"; + break; + } + + auto BR = std::make_unique(*BT, os.str(), errorNode); + BR->addVisitor(std::move(Visitor)); + checkerContext.emitReport(std::move(BR)); +} + +#ifndef NDEBUG +LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const { + dumpToStream(llvm::errs()); +} + +void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const { + os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}'; +} +#endif + +// Lazily computes a value to be used by 'computeOffset'. If 'val' +// is unknown or undefined, we lazily substitute '0'. Otherwise, +// return 'val'. +static inline SVal getValue(SVal val, SValBuilder &svalBuilder) { + return val.isUndef() ? svalBuilder.makeZeroArrayIndex() : val; +} + +// Scale a base value by a scaling factor, and return the scaled +// value as an SVal. Used by 'computeOffset'. +static inline SVal scaleValue(ProgramStateRef state, + NonLoc baseVal, CharUnits scaling, + SValBuilder &sb) { + return sb.evalBinOpNN(state, BO_Mul, baseVal, + sb.makeArrayIndex(scaling.getQuantity()), + sb.getArrayIndexType()); +} + +// Add an SVal to another, treating unknown and undefined values as +// summing to UnknownVal. Used by 'computeOffset'. +static SVal addValue(ProgramStateRef state, SVal x, SVal y, + SValBuilder &svalBuilder) { + // We treat UnknownVals and UndefinedVals the same here because we + // only care about computing offsets. + if (x.isUnknownOrUndef() || y.isUnknownOrUndef()) + return UnknownVal(); + + return svalBuilder.evalBinOpNN(state, BO_Add, x.castAs(), + y.castAs(), + svalBuilder.getArrayIndexType()); +} + +/// Compute a raw byte offset from a base region. Used for array bounds +/// checking. +RegionRawOffsetV2 RegionRawOffsetV2::computeOffset(ProgramStateRef state, + SValBuilder &svalBuilder, + SVal location) +{ + const MemRegion *region = location.getAsRegion(); + SVal offset = UndefinedVal(); + + while (region) { + switch (region->getKind()) { + default: { + if (const SubRegion *subReg = dyn_cast(region)) { + offset = getValue(offset, svalBuilder); + if (!offset.isUnknownOrUndef()) + return RegionRawOffsetV2(subReg, offset); + } + return RegionRawOffsetV2(); + } + case MemRegion::ElementRegionKind: { + const ElementRegion *elemReg = cast(region); + SVal index = elemReg->getIndex(); + if (!isa(index)) + return RegionRawOffsetV2(); + QualType elemType = elemReg->getElementType(); + // If the element is an incomplete type, go no further. + ASTContext &astContext = svalBuilder.getContext(); + if (elemType->isIncompleteType()) + return RegionRawOffsetV2(); + + // Update the offset. + offset = addValue(state, + getValue(offset, svalBuilder), + scaleValue(state, + index.castAs(), + astContext.getTypeSizeInChars(elemType), + svalBuilder), + svalBuilder); + + if (offset.isUnknownOrUndef()) + return RegionRawOffsetV2(); + + region = elemReg->getSuperRegion(); + continue; + } + } + } + return RegionRawOffsetV2(); +} + +void ento::registerArrayBoundBase(CheckerManager &mgr) { + mgr.registerChecker(); +} + +bool ento::shouldRegisterArrayBoundBase(const CheckerManager &mgr) { + return true; +} + +void ento::registerStackArrayBoundChecker(CheckerManager &mgr) { + ArrayBoundCheckerV2 *checker = mgr.getChecker(); + checker->ShouldCheckStackArray = true; + checker->CheckName = mgr.getCurrentCheckerName(); +} + +bool ento::shouldRegisterStackArrayBoundChecker(const CheckerManager &mgr) { + return true; +} + +void ento::registerHeapArrayBoundChecker(CheckerManager &mgr) { + ArrayBoundCheckerV2 *checker = mgr.getChecker(); + checker->ShouldCheckHeapArray = true; + checker->CheckName = mgr.getCurrentCheckerName(); +} + +bool ento::shouldRegisterHeapArrayBoundChecker(const CheckerManager &mgr) { + return true; +} diff --git a/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-124-127-BufferUnderAccessChecker.cpp b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-124-127-BufferUnderAccessChecker.cpp new file mode 100644 index 0000000000..30fc95367c --- /dev/null +++ b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-124-127-BufferUnderAccessChecker.cpp @@ -0,0 +1,357 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +//=== cwe-124-127-BufferUnderAccessChecker.cpp ------------------*- C++ -*-===// +// +// The checker that is responsible for both CWE-124 and CWE-127. +// +// We will check all dereferences, if they are Element MemRegion, +// including a[k] or *(a+k), in the callback checkLocation(). +// For library functions, we check the args that we are interested in. +// +//===----------------------------------------------------------------------===// + +#include "InterCheckerAPI.h" +#include "clang/Basic/CharInfo.h" +#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" +#include "clang/StaticAnalyzer/Checkers/NaiveCStdLibFunctionsInfo.h" +#include "clang/StaticAnalyzer/Checkers/Taint.h" +#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" +#include "clang/StaticAnalyzer/Core/Checker.h" +#include "clang/StaticAnalyzer/Core/CheckerManager.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" +#include "clang/include/clang/StaticAnalyzer/Core/Checker.h" +#include "llvm/ADT/STLExtras.h" +#include "llvm/ADT/SmallString.h" +#include "llvm/ADT/StringExtras.h" +#include "llvm/Support/Debug.h" +#include "llvm/Support/raw_ostream.h" +#include +#include +#include + +using namespace clang; +using namespace ento; +using namespace naive; +using namespace std::placeholders; + +namespace { + +constexpr llvm::StringLiteral MsgNegWrite = + "Try to write to memory that may be prior to beginning of the buffer." + "(CWE-124: Buffer Underwrite)"; +constexpr llvm::StringLiteral MsgNegRead = + "Try to read memory that may be prior to beginning of the buffer." + "(CWE-127: Buffer Underread)"; + +class BufferUnderAccessChecker + : public Checker { + enum AccessType { Read, Write }; + +public: + struct BufferUnderAccessFilter { + bool CheckBufferUnderread = false; + bool CheckBufferUnderwrite = false; + } Filter; + + BufferUnderAccessChecker(); + + std::unique_ptr BufferUnderAccessBugType; + void checkLocation(SVal Loc, bool IsLoad, const Stmt *S, + CheckerContext &) const; + void checkPreCall(const CallEvent &Call, CheckerContext &C) const; + +private: + void checkNegElement(CheckerContext &C, SVal Loc, AccessType Type) const; + void emitBug(CheckerContext &C, ProgramStateRef errorState, + AccessType Type) const; +}; + +// FIXME: Eventually replace RegionRawOffset with this class. +class RegionRawOffsetV2 { +private: + const SubRegion *baseRegion; + SVal byteOffset; + + RegionRawOffsetV2() : baseRegion(nullptr), byteOffset(UnknownVal()) {} + +public: + RegionRawOffsetV2(const SubRegion *base, SVal offset) + : baseRegion(base), byteOffset(offset) {} + + NonLoc getByteOffset() const { return byteOffset.castAs(); } + const SubRegion *getRegion() const { return baseRegion; } + + static RegionRawOffsetV2 + computeOffset(ProgramStateRef state, SValBuilder &svalBuilder, SVal location); +}; +} // end anonymous namespace + +static SVal computeExtentBegin(SValBuilder &svalBuilder, + const MemRegion *region) { + // If we only get a char*, assume it's begin + return svalBuilder.makeZeroArrayIndex(); +} + +// TODO: once the constraint manager is smart enough to handle non simplified +// symbolic expressions remove this function. Note that this can not be used in +// the constraint manager as is, since this does not handle overflows. It is +// safe to assume, however, that memory offsets will not overflow. +static std::pair +getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent, + SValBuilder &svalBuilder) { + Optional SymVal = offset.getAs(); + if (SymVal && SymVal->isExpression()) { + if (const SymIntExpr *SIE = dyn_cast(SymVal->getSymbol())) { + llvm::APSInt constant = + APSIntType(extent.getValue()).convert(SIE->getRHS()); + switch (SIE->getOpcode()) { + case BO_Mul: + // The constant should never be 0 here, since it the result of scaling + // based on the size of a type which is never 0. + if ((extent.getValue() % constant) != 0) + return std::pair(offset, extent); + else + return getSimplifiedOffsets( + nonloc::SymbolVal(SIE->getLHS()), + svalBuilder.makeIntVal(extent.getValue() / constant), + svalBuilder); + case BO_Add: + return getSimplifiedOffsets( + nonloc::SymbolVal(SIE->getLHS()), + svalBuilder.makeIntVal(extent.getValue() - constant), svalBuilder); + default: + break; + } + } + } + + return std::pair(offset, extent); +} + +// Check a MemRegion may read negative index +void BufferUnderAccessChecker::checkNegElement(CheckerContext &C, SVal Loc, + AccessType Type) const { + // NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping + // some new logic here that reasons directly about memory region extents. + // Once that logic is more mature, we can bring it back to assumeInBound() + // for all clients to use. + // + // The algorithm we are using here for bounds checking is to see if the + // memory access is within the extent of the base region. Since we + // have some flexibility in defining the base region, we can achieve + // various levels of conservatism in our buffer overflow checking. + ProgramStateRef state = C.getState(); + + SValBuilder &svalBuilder = C.getSValBuilder(); + const RegionRawOffsetV2 &rawOffset = + RegionRawOffsetV2::computeOffset(state, svalBuilder, Loc); + + if (!rawOffset.getRegion()) + return; + + NonLoc rawOffsetVal = rawOffset.getByteOffset(); + + // CHECK LOWER BOUND: Is byteOffset < extent begin? + // If so, we are doing a load/store + // before the first valid offset in the memory region. + + SVal extentBegin = computeExtentBegin(svalBuilder, rawOffset.getRegion()); + + if (Optional NV = extentBegin.getAs()) { + if (auto ConcreteNV = NV->getAs()) { + std::pair simplifiedOffsets = + getSimplifiedOffsets(rawOffset.getByteOffset(), *ConcreteNV, + svalBuilder); + rawOffsetVal = simplifiedOffsets.first; + *NV = simplifiedOffsets.second; + } + + SVal lowerBound = svalBuilder.evalBinOpNN(state, BO_LT, rawOffsetVal, *NV, + svalBuilder.getConditionType()); + + Optional lowerBoundToCheck = lowerBound.getAs(); + if (!lowerBoundToCheck) + return; + + ProgramStateRef state_precedesLowerBound, state_withinLowerBound; + std::tie(state_precedesLowerBound, state_withinLowerBound) = + state->assume(*lowerBoundToCheck); + + // Are we constrained enough to definitely precede the lower bound? + if (state_precedesLowerBound) { + emitBug(C, state_precedesLowerBound, Type); + return; + } + + // Otherwise, assume the constraint of the lower bound. + assert(state_withinLowerBound); + state = state_withinLowerBound; + } +} + +void BufferUnderAccessChecker::checkLocation(SVal Loc, bool IsLoad, + const Stmt *S, + CheckerContext &C) const { + if (!IsLoad && Filter.CheckBufferUnderwrite) // cwe124 only cares write + checkNegElement(C, Loc, Write); + if (IsLoad && Filter.CheckBufferUnderread) // cwe127 only cares read + checkNegElement(C, Loc, Read); +} + +void BufferUnderAccessChecker::checkPreCall(const CallEvent &Call, + CheckerContext &C) const { + const CallExpr *CE = dyn_cast_or_null(Call.getOriginExpr()); + if (!CE) + return; + const std::pair *Args = FuncArgsMayReadOrWrite.lookup(Call); + if (!Args) + return; + + // Evaluate the args that the function may access. + auto CheckArg = [&](const ArgSet &Args, const AccessType &Type) { + for (ArgIdxTy i = 0; i != Call.getNumArgs(); i++) { + if (Args.contains(i)) { + SVal arg = Call.getArgSVal(i); + checkNegElement(C, arg, Type); + } + } + }; + if (Filter.CheckBufferUnderread) + CheckArg(Args->first, Read); + if (Filter.CheckBufferUnderwrite) + CheckArg(Args->second, Write); +} + +void BufferUnderAccessChecker::emitBug(CheckerContext &C, + ProgramStateRef errorState, + AccessType Type) const { + if (ExplodedNode *ErrNode = C.generateErrorNode()) { + auto R = std::make_unique( + *BufferUnderAccessBugType, Type == Write ? MsgNegWrite : MsgNegRead, + ErrNode); + C.emitReport(std::move(R)); + } +} + +BufferUnderAccessChecker::BufferUnderAccessChecker() { + BufferUnderAccessBugType.reset( + new BugType(this, "Buffer UnderAccess", "Out-of-bounds Access Error")); +} + +// Lazily computes a value to be used by 'computeOffset'. If 'val' +// is unknown or undefined, we lazily substitute '0'. Otherwise, +// return 'val'. +static inline SVal getValue(SVal val, SValBuilder &svalBuilder) { + return val.isUndef() ? svalBuilder.makeZeroArrayIndex() : val; +} + +// Scale a base value by a scaling factor, and return the scaled +// value as an SVal. Used by 'computeOffset'. +static inline SVal scaleValue(ProgramStateRef state, NonLoc baseVal, + CharUnits scaling, SValBuilder &sb) { + return sb.evalBinOpNN(state, BO_Mul, baseVal, + sb.makeArrayIndex(scaling.getQuantity()), + sb.getArrayIndexType()); +} + +// Add an SVal to another, treating unknown and undefined values as +// summing to UnknownVal. Used by 'computeOffset'. +static SVal addValue(ProgramStateRef state, SVal x, SVal y, + SValBuilder &svalBuilder) { + // We treat UnknownVals and UndefinedVals the same here because we + // only care about computing offsets. + if (x.isUnknownOrUndef() || y.isUnknownOrUndef()) + return UnknownVal(); + + return svalBuilder.evalBinOpNN(state, BO_Add, x.castAs(), + y.castAs(), + svalBuilder.getArrayIndexType()); +} + +/// Compute a raw byte offset from a base region. Used for array bounds +/// checking. +RegionRawOffsetV2 RegionRawOffsetV2::computeOffset(ProgramStateRef state, + SValBuilder &svalBuilder, + SVal location) { + const MemRegion *region = location.getAsRegion(); + SVal offset = UndefinedVal(); + + while (region) { + switch (region->getKind()) { + default: { + if (const SubRegion *subReg = dyn_cast(region)) { + offset = getValue(offset, svalBuilder); + if (!offset.isUnknownOrUndef()) + return RegionRawOffsetV2(subReg, offset); + } + return RegionRawOffsetV2(); + } + case MemRegion::ElementRegionKind: { + const ElementRegion *elemReg = cast(region); + SVal index = elemReg->getIndex(); + if (!isa(index)) + return RegionRawOffsetV2(); + QualType elemType = elemReg->getElementType(); + // If the element is an incomplete type, go no further. + ASTContext &astContext = svalBuilder.getContext(); + if (elemType->isIncompleteType()) + return RegionRawOffsetV2(); + + // Update the offset. + offset = addValue(state, getValue(offset, svalBuilder), + scaleValue(state, index.castAs(), + astContext.getTypeSizeInChars(elemType), + svalBuilder), + svalBuilder); + + if (offset.isUnknownOrUndef()) + return RegionRawOffsetV2(); + + region = elemReg->getSuperRegion(); + continue; + } + } + } + return RegionRawOffsetV2(); +} + +void ento::registerBufferUnderwriteChecker(CheckerManager &Mgr) { + BufferUnderAccessChecker *checker = + Mgr.registerChecker(); + checker->Filter.CheckBufferUnderwrite = true; +} + +bool ento::shouldRegisterBufferUnderwriteChecker(const CheckerManager &mgr) { + return true; +} + +void ento::registerBufferUnderreadChecker(CheckerManager &Mgr) { + BufferUnderAccessChecker *checker = + Mgr.registerChecker(); + checker->Filter.CheckBufferUnderread = true; +} + +bool ento::shouldRegisterBufferUnderreadChecker(const CheckerManager &mgr) { + return true; +} diff --git a/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-126-BufferOverAccessChecker.cpp b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-126-BufferOverAccessChecker.cpp new file mode 100644 index 0000000000..ef6e2cd96b --- /dev/null +++ b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-126-BufferOverAccessChecker.cpp @@ -0,0 +1,302 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +//=== cwe-126-BufferOverAccessChecker.cpp -----------------------*- C++ -*-===// +// +// The checker is reponsible for CWE-126. +// +//===----------------------------------------------------------------------===// + +#include "clang/AST/CharUnits.h" +#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" +#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" +#include "clang/StaticAnalyzer/Core/Checker.h" +#include "clang/StaticAnalyzer/Core/CheckerManager.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" +#include "llvm/ADT/SmallString.h" +#include "llvm/Support/raw_ostream.h" + +using namespace clang; +using namespace ento; + +namespace { +class BufferOverAccessChecker : + public Checker { + mutable std::unique_ptr BT; + + void reportOOB(CheckerContext &C, ProgramStateRef errorState, + std::unique_ptr Visitor = nullptr) const; + +public: + void checkLocation(SVal l, bool isLoad, const Stmt*S, + CheckerContext &C) const; +}; + +// FIXME: Eventually replace RegionRawOffset with this class. +class RegionRawOffsetV2 { +private: + const SubRegion *baseRegion; + SVal byteOffset; + + RegionRawOffsetV2() + : baseRegion(nullptr), byteOffset(UnknownVal()) {} + +public: + RegionRawOffsetV2(const SubRegion* base, SVal offset) + : baseRegion(base), byteOffset(offset) {} + + NonLoc getByteOffset() const { return byteOffset.castAs(); } + const SubRegion *getRegion() const { return baseRegion; } + + static RegionRawOffsetV2 computeOffset(ProgramStateRef state, + SValBuilder &svalBuilder, + SVal location); + + void dump() const; + void dumpToStream(raw_ostream &os) const; +}; +} + +// TODO: once the constraint manager is smart enough to handle non simplified +// symbolic expressions remove this function. Note that this can not be used in +// the constraint manager as is, since this does not handle overflows. It is +// safe to assume, however, that memory offsets will not overflow. +static std::pair +getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent, + SValBuilder &svalBuilder) { + Optional SymVal = offset.getAs(); + if (SymVal && SymVal->isExpression()) { + if (const SymIntExpr *SIE = dyn_cast(SymVal->getSymbol())) { + llvm::APSInt constant = + APSIntType(extent.getValue()).convert(SIE->getRHS()); + switch (SIE->getOpcode()) { + case BO_Mul: + // The constant should never be 0 here, since it the result of scaling + // based on the size of a type which is never 0. + if ((extent.getValue() % constant) != 0) + return std::pair(offset, extent); + else + return getSimplifiedOffsets( + nonloc::SymbolVal(SIE->getLHS()), + svalBuilder.makeIntVal(extent.getValue() / constant), + svalBuilder); + case BO_Add: + return getSimplifiedOffsets( + nonloc::SymbolVal(SIE->getLHS()), + svalBuilder.makeIntVal(extent.getValue() - constant), svalBuilder); + default: + break; + } + } + } + + return std::pair(offset, extent); +} + +void BufferOverAccessChecker::checkLocation(SVal location, bool isLoad, + const Stmt* LoadS, + CheckerContext &checkerContext) const { + if (!isLoad) // CWE-126 only cares about read + return; + + // NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping + // some new logic here that reasons directly about memory region extents. + // Once that logic is more mature, we can bring it back to assumeInBound() + // for all clients to use. + // + // The algorithm we are using here for bounds checking is to see if the + // memory access is within the extent of the base region. Since we + // have some flexibility in defining the base region, we can achieve + // various levels of conservatism in our buffer overflow checking. + ProgramStateRef state = checkerContext.getState(); + + SValBuilder &svalBuilder = checkerContext.getSValBuilder(); + const RegionRawOffsetV2 &rawOffset = + RegionRawOffsetV2::computeOffset(state, svalBuilder, location); + + if (!rawOffset.getRegion()) + return; + + NonLoc rawOffsetVal = rawOffset.getByteOffset(); + + do { + // CHECK UPPER BOUND: Is byteOffset >= size(baseRegion)? If so, + // we are doing a load/store after the last valid offset. + const MemRegion *MR = rawOffset.getRegion(); + DefinedOrUnknownSVal Size = getDynamicExtent(state, MR, svalBuilder); + if (!isa(Size)) + break; + + if (auto ConcreteSize = Size.getAs()) { + std::pair simplifiedOffsets = + getSimplifiedOffsets(rawOffset.getByteOffset(), *ConcreteSize, + svalBuilder); + rawOffsetVal = simplifiedOffsets.first; + Size = simplifiedOffsets.second; + } + + SVal upperbound = svalBuilder.evalBinOpNN(state, BO_GE, rawOffsetVal, + Size.castAs(), + svalBuilder.getConditionType()); + + Optional upperboundToCheck = upperbound.getAs(); + if (!upperboundToCheck) + break; + + ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; + std::tie(state_exceedsUpperBound, state_withinUpperBound) = + state->assume(*upperboundToCheck); + + if (state_exceedsUpperBound) { + if(state_withinUpperBound) return; + reportOOB(checkerContext, state_exceedsUpperBound); + return; + } + + assert(state_withinUpperBound); + state = state_withinUpperBound; + } + while (false); + + checkerContext.addTransition(state); +} + +void BufferOverAccessChecker::reportOOB( + CheckerContext &checkerContext, ProgramStateRef errorState, + std::unique_ptr Visitor) const { + + ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState); + if (!errorNode) + return; + + if (!BT) + BT.reset(new BuiltinBug(this, "Out-of-bound access")); + + // FIXME: This diagnostics are preliminary. We should get far better + // diagnostics for explaining buffer overruns. + + SmallString<256> buf; + llvm::raw_svector_ostream os(buf); + os << "Out of bound memory access "; + + auto BR = std::make_unique(*BT, os.str(), errorNode); + BR->addVisitor(std::move(Visitor)); + checkerContext.emitReport(std::move(BR)); +} + +#ifndef NDEBUG +LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const { + dumpToStream(llvm::errs()); +} + +void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const { + os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}'; +} +#endif + +// Lazily computes a value to be used by 'computeOffset'. If 'val' +// is unknown or undefined, we lazily substitute '0'. Otherwise, +// return 'val'. +static inline SVal getValue(SVal val, SValBuilder &svalBuilder) { + return val.isUndef() ? svalBuilder.makeZeroArrayIndex() : val; +} + +// Scale a base value by a scaling factor, and return the scaled +// value as an SVal. Used by 'computeOffset'. +static inline SVal scaleValue(ProgramStateRef state, + NonLoc baseVal, CharUnits scaling, + SValBuilder &sb) { + return sb.evalBinOpNN(state, BO_Mul, baseVal, + sb.makeArrayIndex(scaling.getQuantity()), + sb.getArrayIndexType()); +} + +// Add an SVal to another, treating unknown and undefined values as +// summing to UnknownVal. Used by 'computeOffset'. +static SVal addValue(ProgramStateRef state, SVal x, SVal y, + SValBuilder &svalBuilder) { + // We treat UnknownVals and UndefinedVals the same here because we + // only care about computing offsets. + if (x.isUnknownOrUndef() || y.isUnknownOrUndef()) + return UnknownVal(); + + return svalBuilder.evalBinOpNN(state, BO_Add, x.castAs(), + y.castAs(), + svalBuilder.getArrayIndexType()); +} + +/// Compute a raw byte offset from a base region. Used for array bounds +/// checking. +RegionRawOffsetV2 RegionRawOffsetV2::computeOffset(ProgramStateRef state, + SValBuilder &svalBuilder, + SVal location) +{ + const MemRegion *region = location.getAsRegion(); + SVal offset = UndefinedVal(); + + while (region) { + switch (region->getKind()) { + default: { + if (const SubRegion *subReg = dyn_cast(region)) { + offset = getValue(offset, svalBuilder); + if (!offset.isUnknownOrUndef()) + return RegionRawOffsetV2(subReg, offset); + } + return RegionRawOffsetV2(); + } + case MemRegion::ElementRegionKind: { + const ElementRegion *elemReg = cast(region); + SVal index = elemReg->getIndex(); + if (!isa(index)) + return RegionRawOffsetV2(); + QualType elemType = elemReg->getElementType(); + // If the element is an incomplete type, go no further. + ASTContext &astContext = svalBuilder.getContext(); + if (elemType->isIncompleteType()) + return RegionRawOffsetV2(); + + // Update the offset. + offset = addValue(state, + getValue(offset, svalBuilder), + scaleValue(state, + index.castAs(), + astContext.getTypeSizeInChars(elemType), + svalBuilder), + svalBuilder); + + if (offset.isUnknownOrUndef()) + return RegionRawOffsetV2(); + + region = elemReg->getSuperRegion(); + continue; + } + } + } + return RegionRawOffsetV2(); +} + +void ento::registerBufferOverreadChecker(CheckerManager &mgr) { + mgr.registerChecker(); +} + +bool ento::shouldRegisterBufferOverreadChecker(const CheckerManager &mgr) { + return true; +} diff --git a/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-134-TaintArgvChecker.cpp b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-134-TaintArgvChecker.cpp new file mode 100644 index 0000000000..c89065a17b --- /dev/null +++ b/third_party/llvm-project/clang/lib/StaticAnalyzer/Checkers/cwe-134-TaintArgvChecker.cpp @@ -0,0 +1,110 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +//=== cwe-134-TaintArgvChecker.cpp ------------------------------*- C++ -*-===// +// +// TaintArgvChecker marks argv tainted from "int main(int argc, char** argv)". +// +//===----------------------------------------------------------------------===// + +#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" +#include "clang/StaticAnalyzer/Checkers/Taint.h" +#include "clang/StaticAnalyzer/Core/Checker.h" +#include "clang/StaticAnalyzer/Core/CheckerManager.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" + +using namespace clang; +using namespace ento; +using namespace taint; + +namespace { + +class TaintArgvChecker : public Checker { +public: + void checkPreCall(const CallEvent &Call, CheckerContext &C) const; +}; + +// Check if the region the expression evaluates to is the argv parameter. +// argv = SymRegion{reg_$1} +const SymbolicRegion *isArgv(SVal Val, CheckerContext &C) { + const SymbolicRegion *SymReg = + dyn_cast_or_null(Val.getAsRegion()); + if (!SymReg) + return nullptr; + // NOTE: currently, clang static analyzer handles one top-level function + // parameter as a NonParamVarRegion R and R.getDecl() returns a ParamVarDecl. + // This behavior is uncommon and may change in the future. + const auto *DeclReg = dyn_cast_or_null( + SymReg->getSymbol()->getOriginRegion()); + if (!DeclReg) + return nullptr; + if (const ParmVarDecl *VD = dyn_cast(DeclReg->getDecl())) { + if (const FunctionDecl *FD = dyn_cast(VD->getDeclContext())) { + if (FD->getDeclName().isIdentifier() && FD->getName() == "main" && FD->getNumParams() == 2 && + VD->getFunctionScopeIndex() == 1 && VD->getType()->isPointerType()) + return SymReg; + } + } + return nullptr; +} + +// Check if the region the expression evaluates to is the argv[i] +// argv[1] = &SymRegion{reg_$2},1 +// S64b,char *}>} +const SymbolicRegion *isArgvScript(SVal Val, CheckerContext &C) { + const SymbolicRegion *SymReg = + dyn_cast_or_null(Val.getAsRegion()); + if (!SymReg) + return nullptr; + const ElementRegion *ElmReg = + dyn_cast_or_null(SymReg->getSymbol()->getOriginRegion()); + if (!ElmReg) + return nullptr; + SymReg = dyn_cast_or_null(ElmReg->getBaseRegion()); + if (!SymReg) + return nullptr; + return isArgv(C.getSValBuilder().makeLoc(SymReg), C); +} +} // namespace + +void TaintArgvChecker::checkPreCall(const CallEvent &Call, + CheckerContext &C) const { + ProgramStateRef State = C.getState(); + for (int i = 0; i < Call.getNumArgs(); i++) { + SVal Val = Call.getArgSVal(i); + if (const SymbolicRegion *SymReg = isArgv(Val, C)) { + State = addTaint(State, SymReg); + continue; + } + if (const SymbolicRegion *SymReg = isArgvScript(Val, C)) { + State = addTaint(State, SymReg); + continue; + } + } + C.addTransition(State); +} + +void ento::registerTaintArgvChecker(CheckerManager &mgr) { + mgr.registerChecker(); +} + +bool ento::shouldRegisterTaintArgvChecker(const CheckerManager &mgr) { + return true; +} diff --git a/toy_rules/.gitignore b/toy_rules/.gitignore new file mode 100644 index 0000000000..6eb2f3adad --- /dev/null +++ b/toy_rules/.gitignore @@ -0,0 +1,15 @@ +*.ctu-info +*.dump +*.log +*.o +checker-out +clangsema-out +compile_commands.json +filtered_compile_commands.json +infer_filtered_compile_commands.json +*/libtooling/*.INFO* +libtooling-out* +*.cmake +CMakeFiles +CMakeCache.txt +.cache diff --git a/toy_rules/analyzer/run.go b/toy_rules/analyzer/run.go new file mode 100644 index 0000000000..e37b03f63e --- /dev/null +++ b/toy_rules/analyzer/run.go @@ -0,0 +1,54 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +package analyzer + +import ( + pb "naive.systems/analyzer/analyzer/proto" + "naive.systems/analyzer/cruleslib/options" + "naive.systems/analyzer/cruleslib/runner" + "naive.systems/analyzer/misra/checker_integration/checkrule" + "naive.systems/analyzer/toy_rules/rule_1" + "strings" +) + +func Run(rules []checkrule.CheckRule, srcdir string, envOpts *options.EnvOptions) (*pb.ResultsList, []error) { + taskNums := len(rules) + numWorkers := envOpts.NumWorkers + paraTaskRunner := runner.NewParaTaskRunner(numWorkers, taskNums, envOpts.CheckProgress, envOpts.Lang) + + for i, rule := range rules { + exiting_results, exiting_errors := paraTaskRunner.CheckSignalExiting() + if exiting_results != nil { + return exiting_results, exiting_errors + } + + ruleSpecific := options.NewRuleSpecificOptions(rule.Name, envOpts.ResultsDir) + ruleOptions := options.MakeCheckOptions(&rule.JSONOptions, envOpts, ruleSpecific) + x := func(analyze func(srcdir string, opts *options.CheckOptions) (*pb.ResultsList, error)) { + paraTaskRunner.AddTask(runner.AnalyzerTask{Id: i, Srcdir: srcdir, Opts: &ruleOptions, Rule: rule.Name, Analyze: analyze}) + } + ruleName := rule.Name + ruleName = strings.TrimPrefix(ruleName, "toy_rules/") + switch ruleName { + case "rule_1": + x(rule_1.Analyze) + } + } + return paraTaskRunner.CollectResultsAndErrors() +} diff --git a/toy_rules/rule_1/libtooling/BUILD b/toy_rules/rule_1/libtooling/BUILD new file mode 100644 index 0000000000..ff147da7e4 --- /dev/null +++ b/toy_rules/rule_1/libtooling/BUILD @@ -0,0 +1,41 @@ +load("@rules_cc//cc:defs.bzl", "cc_binary") + +cc_library( + name = "checker", + srcs = ["checker.cc"], + hdrs = ["checker.h"], + deps = [ + "//analyzer/proto:analyzer_cc_proto", + "//misra:proto_util", + "//misra/libtooling_utils", + "@com_github_google_glog//:glog", + "@com_google_absl//absl/strings", + "@llvm-project//clang:tooling", + ], +) + +cc_library( + name = "rule_1_lib", + srcs = ["rule_1.cc"], + hdrs = ["lib.h"], + visibility = ["//visibility:public"], + deps = [ + ":checker", + "//libtooling_includes:cmd_options", + "//misra:proto_util", + "//misra/libtooling_utils", + "//podman_image/bigmain:suffix_rule", + "@com_github_google_glog//:glog", + "@llvm-project//clang:tooling", + ], + alwayslink = True, +) + +cc_binary( + name = "rule_1", + srcs = ["main.cc"], + deps = [ + ":rule_1_lib", + "//libtooling_includes:cmd_options", + ], +) diff --git a/toy_rules/rule_1/libtooling/checker.cc b/toy_rules/rule_1/libtooling/checker.cc new file mode 100644 index 0000000000..4f7c32482c --- /dev/null +++ b/toy_rules/rule_1/libtooling/checker.cc @@ -0,0 +1,70 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include "toy_rules/rule_1/libtooling/checker.h" + +#include + +#include "absl/strings/str_format.h" +#include "misra/libtooling_utils/libtooling_utils.h" + +using namespace misra::proto_util; +using namespace clang::ast_matchers; + +using analyzer::proto::ResultsList; +using std::string; + +namespace toy_rules { +namespace rule_1 { +namespace libtooling { + +class Callback : public MatchFinder::MatchCallback { + public: + void Init(ResultsList* results_list, MatchFinder* finder) { + results_list_ = results_list; + finder->addMatcher( + implicitCastExpr(hasSourceExpression(expr(gnuNullExpr())), + hasImplicitDestinationType(isInteger()), + unless(isExpansionInSystemHeader())) + .bind("cast"), + this); + } + + void run(const MatchFinder::MatchResult& result) override { + const Expr* expr = result.Nodes.getNodeAs("cast"); + string error_message = "NULL不得用作整型值"; + string path = + misra::libtooling_utils::GetFilename(expr, result.SourceManager); + int line = misra::libtooling_utils::GetLine(expr, result.SourceManager); + analyzer::proto::Result* pb_result = + AddResultToResultsList(results_list_, path, line, error_message); + } + + private: + ResultsList* results_list_; +}; + +void Checker::Init(ResultsList* result_list) { + results_list_ = result_list; + callback_ = new Callback; + callback_->Init(results_list_, &finder_); +} + +} // namespace libtooling +} // namespace rule_1 +} // namespace toy_rules diff --git a/toy_rules/rule_1/libtooling/checker.h b/toy_rules/rule_1/libtooling/checker.h new file mode 100644 index 0000000000..4fa84f7aa6 --- /dev/null +++ b/toy_rules/rule_1/libtooling/checker.h @@ -0,0 +1,47 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#ifndef ANALYZER_TOY_RULES_1_LIBTOOLING_CHECKER_H_ +#define ANALYZER_TOY_RULES_1_LIBTOOLING_CHECKER_H_ + +#include + +#include "misra/proto_util.h" + +namespace toy_rules { +namespace rule_1 { +namespace libtooling { + +class Callback; + +class Checker { + public: + void Init(analyzer::proto::ResultsList* results_list); + clang::ast_matchers::MatchFinder* GetMatchFinder() { return &finder_; } + + private: + Callback* callback_; + clang::ast_matchers::MatchFinder finder_; + analyzer::proto::ResultsList* results_list_; +}; + +} // namespace libtooling +} // namespace rule_1 +} // namespace toy_rules + +#endif // ANALYZER_TOY_RULES_1_LIBTOOLING_CHECKER_H_ diff --git a/toy_rules/rule_1/libtooling/lib.h b/toy_rules/rule_1/libtooling/lib.h new file mode 100644 index 0000000000..4dc041064f --- /dev/null +++ b/toy_rules/rule_1/libtooling/lib.h @@ -0,0 +1,32 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#ifndef ANALYZER_TOY_RULES_RULE_1_LIBTOOLING_LIB_H_ +#define ANALYZER_TOY_RULES_RULE_1_LIBTOOLING_LIB_H_ + +namespace toy_rules { +namespace rule_1 { +namespace libtooling { + +int rule_1(int argc, char** argv); + +} // namespace libtooling +} // namespace rule_1 +} // namespace toy_rules + +#endif // ANALYZER_TOY_RULES_RULE_1_LIBTOOLING_LIB_H_ diff --git a/toy_rules/rule_1/libtooling/main.cc b/toy_rules/rule_1/libtooling/main.cc new file mode 100644 index 0000000000..36c0c3e46c --- /dev/null +++ b/toy_rules/rule_1/libtooling/main.cc @@ -0,0 +1,24 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include "libtooling_includes/cmd_options.h" +#include "toy_rules/rule_1/libtooling/lib.h" + +int main(int argc, char** argv) { + return toy_rules::rule_1::libtooling::rule_1(argc, argv); +} diff --git a/toy_rules/rule_1/libtooling/rule_1.cc b/toy_rules/rule_1/libtooling/rule_1.cc new file mode 100644 index 0000000000..7c46c3a323 --- /dev/null +++ b/toy_rules/rule_1/libtooling/rule_1.cc @@ -0,0 +1,80 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +#include +#include +#include + +#include "absl/strings/match.h" +#include "misra/libtooling_utils/libtooling_utils.h" +#include "misra/proto_util.h" +#include "podman_image/bigmain/suffix_rule.h" +#include "toy_rules/rule_1/libtooling/checker.h" +#include "toy_rules/rule_1/libtooling/lib.h" + +using namespace clang::tooling; +using namespace llvm; + +extern cl::OptionCategory ns_libtooling_checker; +extern cl::opt results_path; + +namespace toy_rules { +namespace rule_1 { +namespace libtooling { + +int rule_1(int argc, char** argv) { + google::InitGoogleLogging(argv[0]); + gflags::AllowCommandLineReparsing(); + int gflag_argc = argc; + int libtooling_argc = argc; + misra::libtooling_utils::SplitArg(&gflag_argc, &libtooling_argc, argc, argv); + const char** const_argv = const_cast(argv); + auto expected_parser = CommonOptionsParser::create( + libtooling_argc, &const_argv[argc - libtooling_argc], + ns_libtooling_checker); + gflags::ParseCommandLineFlags(&gflag_argc, &argv, false); + if (!expected_parser) { + errs() << expected_parser.takeError(); + return 1; + } + CommonOptionsParser& options_parser = expected_parser.get(); + ClangTool tool(options_parser.getCompilations(), + options_parser.getSourcePathList()); + analyzer::proto::ResultsList all_results; + + toy_rules::rule_1::libtooling::Checker checker; + checker.Init(&all_results); + int status = + tool.run(newFrontendActionFactory(checker.GetMatchFinder()).get()); + LOG(INFO) << "libtooling status: " << status; + if (misra::proto_util::GenerateProtoFile(all_results, results_path).ok()) { + LOG(INFO) << "rule 1 check done"; + } + return 0; +} + +} // namespace libtooling +} // namespace rule_1 +} // namespace toy_rules + +namespace { + +podman_image::bigmain::SuffixRule _("toy_rules/rule_1", + toy_rules::rule_1::libtooling::rule_1); + +} // namespace diff --git a/toy_rules/rule_1/rule_1.go b/toy_rules/rule_1/rule_1.go new file mode 100644 index 0000000000..a3cd35f62b --- /dev/null +++ b/toy_rules/rule_1/rule_1.go @@ -0,0 +1,30 @@ +/* +NaiveSystems Analyze - A tool for static code analysis +Copyright (C) 2023 Naive Systems Ltd. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see . +*/ + +package rule_1 + +import ( + pb "naive.systems/analyzer/analyzer/proto" + "naive.systems/analyzer/cruleslib/options" + "naive.systems/analyzer/cruleslib/runner" + "naive.systems/analyzer/misra/checker_integration" +) + +func Analyze(srcdir string, opts *options.CheckOptions) (*pb.ResultsList, error) { + return runner.RunLibtooling(srcdir, "toy_rules/rule_1", checker_integration.Libtooling_STU, opts) +}