//=== StdLibraryFunctionsChecker.cpp - Model standard functions -*- C++ -*-===// // // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // See https://llvm.org/LICENSE.txt for license information. // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // //===----------------------------------------------------------------------===// // // This checker improves modeling of a few simple library functions. // // This checker provides a specification format - `Summary' - and // contains descriptions of some library functions in this format. Each // specification contains a list of branches for splitting the program state // upon call, and range constraints on argument and return-value symbols that // are satisfied on each branch. This spec can be expanded to include more // items, like external effects of the function. // // The main difference between this approach and the body farms technique is // in more explicit control over how many branches are produced. For example, // consider standard C function `ispunct(int x)', which returns a non-zero value // iff `x' is a punctuation character, that is, when `x' is in range // ['!', '/'] [':', '@'] U ['[', '\`'] U ['{', '~']. // `Summary' provides only two branches for this function. However, // any attempt to describe this range with if-statements in the body farm // would result in many more branches. Because each branch needs to be analyzed // independently, this significantly reduces performance. Additionally, // once we consider a branch on which `x' is in range, say, ['!', '/'], // we assume that such branch is an important separate path through the program, // which may lead to false positives because considering this particular path // was not consciously intended, and therefore it might have been unreachable. // // This checker uses eval::Call for modeling pure functions (functions without // side effects), for which their `Summary' is a precise model. This avoids // unnecessary invalidation passes. Conflicts with other checkers are unlikely // because if the function has no other effects, other checkers would probably // never want to improve upon the modeling done by this checker. // // Non-pure functions, for which only partial improvement over the default // behavior is expected, are modeled via check::PostCall, non-intrusively. // //===----------------------------------------------------------------------===// #include "ErrnoModeling.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h" #include "llvm/ADT/STLExtras.h" #include "llvm/ADT/SmallString.h" #include "llvm/ADT/StringExtras.h" #include "llvm/Support/FormatVariadic.h" #include #include using namespace clang; using namespace clang::ento; namespace { class StdLibraryFunctionsChecker : public Checker { class Summary; /// Specify how much the analyzer engine should entrust modeling this function /// to us. enum InvalidationKind { /// No \c eval::Call for the function, it can be modeled elsewhere. /// This checker checks only pre and post conditions. NoEvalCall, /// The function is modeled completely in this checker. EvalCallAsPure }; /// Given a range, should the argument stay inside or outside this range? enum RangeKind { OutOfRange, WithinRange }; static RangeKind negateKind(RangeKind K) { switch (K) { case OutOfRange: return WithinRange; case WithinRange: return OutOfRange; } llvm_unreachable("Unknown range kind"); } /// The universal integral type to use in value range descriptions. /// Unsigned to make sure overflows are well-defined. typedef uint64_t RangeInt; /// Describes a single range constraint. Eg. {{0, 1}, {3, 4}} is /// a non-negative integer, which less than 5 and not equal to 2. typedef std::vector> IntRangeVector; /// A reference to an argument or return value by its number. /// ArgNo in CallExpr and CallEvent is defined as Unsigned, but /// obviously uint32_t should be enough for all practical purposes. typedef uint32_t ArgNo; /// Special argument number for specifying the return value. static const ArgNo Ret; /// Get a string representation of an argument index. /// E.g.: (1) -> '1st arg', (2) - > '2nd arg' static void printArgDesc(ArgNo, llvm::raw_ostream &Out); /// Print value X of the argument in form " (which is X)", /// if the value is a fixed known value, otherwise print nothing. /// This is used as simple explanation of values if possible. static void printArgValueInfo(ArgNo ArgN, ProgramStateRef State, const CallEvent &Call, llvm::raw_ostream &Out); /// Append textual description of a numeric range [RMin,RMax] to /// \p Out. static void appendInsideRangeDesc(llvm::APSInt RMin, llvm::APSInt RMax, QualType ArgT, BasicValueFactory &BVF, llvm::raw_ostream &Out); /// Append textual description of a numeric range out of [RMin,RMax] to /// \p Out. static void appendOutOfRangeDesc(llvm::APSInt RMin, llvm::APSInt RMax, QualType ArgT, BasicValueFactory &BVF, llvm::raw_ostream &Out); class ValueConstraint; /// Pointer to the ValueConstraint. We need a copyable, polymorphic and /// default initializable type (vector needs that). A raw pointer was good, /// however, we cannot default initialize that. unique_ptr makes the Summary /// class non-copyable, therefore not an option. Releasing the copyability /// requirement would render the initialization of the Summary map infeasible. /// Mind that a pointer to a new value constraint is created when the negate /// function is used. using ValueConstraintPtr = std::shared_ptr; /// Polymorphic base class that represents a constraint on a given argument /// (or return value) of a function. Derived classes implement different kind /// of constraints, e.g range constraints or correlation between two /// arguments. /// These are used as argument constraints (preconditions) of functions, in /// which case a bug report may be emitted if the constraint is not satisfied. /// Another use is as conditions for summary cases, to create different /// classes of behavior for a function. In this case no description of the /// constraint is needed because the summary cases have an own (not generated) /// description string. class ValueConstraint { public: ValueConstraint(ArgNo ArgN) : ArgN(ArgN) {} virtual ~ValueConstraint() {} /// Apply the effects of the constraint on the given program state. If null /// is returned then the constraint is not feasible. virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const = 0; /// Represents that in which context do we require a description of the /// constraint. enum DescriptionKind { /// Describe a constraint that was violated. /// Description should start with something like "should be". Violation, /// Describe a constraint that was assumed to be true. /// This can be used when a precondition is satisfied, or when a summary /// case is applied. /// Description should start with something like "is". Assumption }; /// Give a description that explains the constraint to the user. Used when /// a bug is reported or when the constraint is applied and displayed as a /// note. The description should not mention the argument (getArgNo). /// See StdLibraryFunctionsChecker::reportBug about how this function is /// used (this function is used not only there). virtual void describe(DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const { // There are some descendant classes that are not used as argument // constraints, e.g. ComparisonConstraint. In that case we can safely // ignore the implementation of this function. llvm_unreachable( "Description not implemented for summary case constraints"); } /// Give a description that explains the actual argument value (where the /// current ValueConstraint applies to) to the user. This function should be /// called only when the current constraint is satisfied by the argument. /// It should produce a more precise description than the constraint itself. /// The actual value of the argument and the program state can be used to /// make the description more precise. In the most simple case, if the /// argument has a fixed known value this value can be printed into \p Out, /// this is done by default. /// The function should return true if a description was printed to \p Out, /// otherwise false. /// See StdLibraryFunctionsChecker::reportBug about how this function is /// used. virtual bool describeArgumentValue(const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const { if (auto N = getArgSVal(Call, getArgNo()).getAs()) { if (const llvm::APSInt *Int = N->getAsInteger()) { Out << *Int; return true; } } return false; } /// Return those arguments that should be tracked when we report a bug about /// argument constraint violation. By default it is the argument that is /// constrained, however, in some special cases we need to track other /// arguments as well. E.g. a buffer size might be encoded in another /// argument. /// The "return value" argument number can not occur as returned value. virtual std::vector getArgsToTrack() const { return {ArgN}; } /// Get a constraint that represents exactly the opposite of the current. virtual ValueConstraintPtr negate() const { llvm_unreachable("Not implemented"); }; /// Check whether the constraint is malformed or not. It is malformed if the /// specified argument has a mismatch with the given FunctionDecl (e.g. the /// arg number is out-of-range of the function's argument list). /// This condition can indicate if a probably wrong or unexpected function /// was found where the constraint is to be applied. bool checkValidity(const FunctionDecl *FD) const { const bool ValidArg = ArgN == Ret || ArgN < FD->getNumParams(); assert(ValidArg && "Arg out of range!"); if (!ValidArg) return false; // Subclasses may further refine the validation. return checkSpecificValidity(FD); } /// Return the argument number (may be placeholder for "return value"). ArgNo getArgNo() const { return ArgN; } protected: /// Argument to which to apply the constraint. It can be a real argument of /// the function to check, or a special value to indicate the return value /// of the function. /// Every constraint is assigned to one main argument, even if other /// arguments are involved. ArgNo ArgN; /// Do constraint-specific validation check. virtual bool checkSpecificValidity(const FunctionDecl *FD) const { return true; } }; /// Check if a single argument falls into a specific "range". /// A range is formed as a set of intervals. /// E.g. \code {['A', 'Z'], ['a', 'z'], ['_', '_']} \endcode /// The intervals are closed intervals that contain one or more values. /// /// The default constructed RangeConstraint has an empty range, applying /// such constraint does not involve any assumptions, thus the State remains /// unchanged. This is meaningful, if the range is dependent on a looked up /// type (e.g. [0, Socklen_tMax]). If the type is not found, then the range /// is default initialized to be empty. class RangeConstraint : public ValueConstraint { /// The constraint can be specified by allowing or disallowing the range. /// WithinRange indicates allowing the range, OutOfRange indicates /// disallowing it (allowing the complementary range). RangeKind Kind; /// A set of intervals. IntRangeVector Ranges; /// A textual description of this constraint for the specific case where the /// constraint is used. If empty a generated description will be used that /// is built from the range of the constraint. StringRef Description; public: RangeConstraint(ArgNo ArgN, RangeKind Kind, const IntRangeVector &Ranges, StringRef Desc = "") : ValueConstraint(ArgN), Kind(Kind), Ranges(Ranges), Description(Desc) { } const IntRangeVector &getRanges() const { return Ranges; } ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const override; void describe(DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const override; bool describeArgumentValue(const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const override; ValueConstraintPtr negate() const override { RangeConstraint Tmp(*this); Tmp.Kind = negateKind(Kind); return std::make_shared(Tmp); } protected: bool checkSpecificValidity(const FunctionDecl *FD) const override { const bool ValidArg = getArgType(FD, ArgN)->isIntegralType(FD->getASTContext()); assert(ValidArg && "This constraint should be applied on an integral type"); return ValidArg; } private: /// A callback function that is used when iterating over the range /// intervals. It gets the begin and end (inclusive) of one interval. /// This is used to make any kind of task possible that needs an iteration /// over the intervals. using RangeApplyFunction = std::function; /// Call a function on the intervals of the range. /// The function is called with all intervals in the range. void applyOnWithinRange(BasicValueFactory &BVF, QualType ArgT, const RangeApplyFunction &F) const; /// Call a function on all intervals in the complementary range. /// The function is called with all intervals that fall out of the range. /// E.g. consider an interval list [A, B] and [C, D] /// \code /// -------+--------+------------------+------------+-----------> /// A B C D /// \endcode /// We get the ranges [-inf, A - 1], [D + 1, +inf], [B + 1, C - 1]. /// The \p ArgT is used to determine the min and max of the type that is /// used as "-inf" and "+inf". void applyOnOutOfRange(BasicValueFactory &BVF, QualType ArgT, const RangeApplyFunction &F) const; /// Call a function on the intervals of the range or the complementary /// range. void applyOnRange(RangeKind Kind, BasicValueFactory &BVF, QualType ArgT, const RangeApplyFunction &F) const { switch (Kind) { case OutOfRange: applyOnOutOfRange(BVF, ArgT, F); break; case WithinRange: applyOnWithinRange(BVF, ArgT, F); break; }; } }; /// Check relation of an argument to another. class ComparisonConstraint : public ValueConstraint { BinaryOperator::Opcode Opcode; ArgNo OtherArgN; public: ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode, ArgNo OtherArgN) : ValueConstraint(ArgN), Opcode(Opcode), OtherArgN(OtherArgN) {} ArgNo getOtherArgNo() const { return OtherArgN; } BinaryOperator::Opcode getOpcode() const { return Opcode; } ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const override; }; /// Check null or non-null-ness of an argument that is of pointer type. class NotNullConstraint : public ValueConstraint { using ValueConstraint::ValueConstraint; // This variable has a role when we negate the constraint. bool CannotBeNull = true; public: NotNullConstraint(ArgNo ArgN, bool CannotBeNull = true) : ValueConstraint(ArgN), CannotBeNull(CannotBeNull) {} ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const override; void describe(DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const override; bool describeArgumentValue(const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const override; ValueConstraintPtr negate() const override { NotNullConstraint Tmp(*this); Tmp.CannotBeNull = !this->CannotBeNull; return std::make_shared(Tmp); } protected: bool checkSpecificValidity(const FunctionDecl *FD) const override { const bool ValidArg = getArgType(FD, ArgN)->isPointerType(); assert(ValidArg && "This constraint should be applied only on a pointer type"); return ValidArg; } }; /// Check null or non-null-ness of an argument that is of pointer type. /// The argument is meant to be a buffer that has a size constraint, and it /// is allowed to have a NULL value if the size is 0. The size can depend on /// 1 or 2 additional arguments, if one of these is 0 the buffer is allowed to /// be NULL. This is useful for functions like `fread` which have this special /// property. class NotNullBufferConstraint : public ValueConstraint { using ValueConstraint::ValueConstraint; ArgNo SizeArg1N; std::optional SizeArg2N; // This variable has a role when we negate the constraint. bool CannotBeNull = true; public: NotNullBufferConstraint(ArgNo ArgN, ArgNo SizeArg1N, std::optional SizeArg2N, bool CannotBeNull = true) : ValueConstraint(ArgN), SizeArg1N(SizeArg1N), SizeArg2N(SizeArg2N), CannotBeNull(CannotBeNull) {} ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const override; void describe(DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const override; bool describeArgumentValue(const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const override; ValueConstraintPtr negate() const override { NotNullBufferConstraint Tmp(*this); Tmp.CannotBeNull = !this->CannotBeNull; return std::make_shared(Tmp); } protected: bool checkSpecificValidity(const FunctionDecl *FD) const override { const bool ValidArg = getArgType(FD, ArgN)->isPointerType(); assert(ValidArg && "This constraint should be applied only on a pointer type"); return ValidArg; } }; // Represents a buffer argument with an additional size constraint. The // constraint may be a concrete value, or a symbolic value in an argument. // Example 1. Concrete value as the minimum buffer size. // char *asctime_r(const struct tm *restrict tm, char *restrict buf); // // `buf` size must be at least 26 bytes according the POSIX standard. // Example 2. Argument as a buffer size. // ctime_s(char *buffer, rsize_t bufsz, const time_t *time); // Example 3. The size is computed as a multiplication of other args. // size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream); // // Here, ptr is the buffer, and its minimum size is `size * nmemb`. class BufferSizeConstraint : public ValueConstraint { // The concrete value which is the minimum size for the buffer. std::optional ConcreteSize; // The argument which holds the size of the buffer. std::optional SizeArgN; // The argument which is a multiplier to size. This is set in case of // `fread` like functions where the size is computed as a multiplication of // two arguments. std::optional SizeMultiplierArgN; // The operator we use in apply. This is negated in negate(). BinaryOperator::Opcode Op = BO_LE; public: BufferSizeConstraint(ArgNo Buffer, llvm::APSInt BufMinSize) : ValueConstraint(Buffer), ConcreteSize(BufMinSize) {} BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize) : ValueConstraint(Buffer), SizeArgN(BufSize) {} BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize, ArgNo BufSizeMultiplier) : ValueConstraint(Buffer), SizeArgN(BufSize), SizeMultiplierArgN(BufSizeMultiplier) {} ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const override; void describe(DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const override; bool describeArgumentValue(const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const override; std::vector getArgsToTrack() const override { std::vector Result{ArgN}; if (SizeArgN) Result.push_back(*SizeArgN); if (SizeMultiplierArgN) Result.push_back(*SizeMultiplierArgN); return Result; } ValueConstraintPtr negate() const override { BufferSizeConstraint Tmp(*this); Tmp.Op = BinaryOperator::negateComparisonOp(Op); return std::make_shared(Tmp); } protected: bool checkSpecificValidity(const FunctionDecl *FD) const override { const bool ValidArg = getArgType(FD, ArgN)->isPointerType(); assert(ValidArg && "This constraint should be applied only on a pointer type"); return ValidArg; } }; /// The complete list of constraints that defines a single branch. using ConstraintSet = std::vector; /// Define how a function affects the system variable 'errno'. /// This works together with the \c ErrnoModeling and \c ErrnoChecker classes. /// Currently 3 use cases exist: success, failure, irrelevant. /// In the future the failure case can be customized to set \c errno to a /// more specific constraint (for example > 0), or new case can be added /// for functions which require check of \c errno in both success and failure /// case. class ErrnoConstraintBase { public: /// Apply specific state changes related to the errno variable. virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const = 0; /// Get a description about what happens with 'errno' here and how it causes /// a later bug report created by ErrnoChecker. /// Empty return value means that 'errno' related bug may not happen from /// the current analyzed function. virtual const std::string describe(CheckerContext &C) const { return ""; } virtual ~ErrnoConstraintBase() {} protected: ErrnoConstraintBase() = default; /// This is used for conjure symbol for errno to differentiate from the /// original call expression (same expression is used for the errno symbol). static int Tag; }; /// Reset errno constraints to irrelevant. /// This is applicable to functions that may change 'errno' and are not /// modeled elsewhere. class ResetErrnoConstraint : public ErrnoConstraintBase { public: ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const override { return errno_modeling::setErrnoState(State, errno_modeling::Irrelevant); } }; /// Do not change errno constraints. /// This is applicable to functions that are modeled in another checker /// and the already set errno constraints should not be changed in the /// post-call event. class NoErrnoConstraint : public ErrnoConstraintBase { public: ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const override { return State; } }; /// Set errno constraint at failure cases of standard functions. /// Failure case: 'errno' becomes not equal to 0 and may or may not be checked /// by the program. \c ErrnoChecker does not emit a bug report after such a /// function call. class FailureErrnoConstraint : public ErrnoConstraintBase { public: ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const override { SValBuilder &SVB = C.getSValBuilder(); NonLoc ErrnoSVal = SVB.conjureSymbolVal(&Tag, Call.getOriginExpr(), C.getLocationContext(), C.getASTContext().IntTy, C.blockCount()) .castAs(); return errno_modeling::setErrnoForStdFailure(State, C, ErrnoSVal); } }; /// Set errno constraint at success cases of standard functions. /// Success case: 'errno' is not allowed to be used because the value is /// undefined after successful call. /// \c ErrnoChecker can emit bug report after such a function call if errno /// is used. class SuccessErrnoConstraint : public ErrnoConstraintBase { public: ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const override { return errno_modeling::setErrnoForStdSuccess(State, C); } const std::string describe(CheckerContext &C) const override { return "'errno' becomes undefined after the call"; } }; /// Set errno constraint at functions that indicate failure only with 'errno'. /// In this case 'errno' is required to be observed. /// \c ErrnoChecker can emit bug report after such a function call if errno /// is overwritten without a read before. class ErrnoMustBeCheckedConstraint : public ErrnoConstraintBase { public: ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const override { return errno_modeling::setErrnoStdMustBeChecked(State, C, Call.getOriginExpr()); } const std::string describe(CheckerContext &C) const override { return "reading 'errno' is required to find out if the call has failed"; } }; /// A single branch of a function summary. /// /// A branch is defined by a series of constraints - "assumptions" - /// that together form a single possible outcome of invoking the function. /// When static analyzer considers a branch, it tries to introduce /// a child node in the Exploded Graph. The child node has to include /// constraints that define the branch. If the constraints contradict /// existing constraints in the state, the node is not created and the branch /// is dropped; otherwise it's queued for future exploration. /// The branch is accompanied by a note text that may be displayed /// to the user when a bug is found on a path that takes this branch. /// /// For example, consider the branches in `isalpha(x)`: /// Branch 1) /// x is in range ['A', 'Z'] or in ['a', 'z'] /// then the return value is not 0. (I.e. out-of-range [0, 0]) /// and the note may say "Assuming the character is alphabetical" /// Branch 2) /// x is out-of-range ['A', 'Z'] and out-of-range ['a', 'z'] /// then the return value is 0 /// and the note may say "Assuming the character is non-alphabetical". class SummaryCase { ConstraintSet Constraints; const ErrnoConstraintBase &ErrnoConstraint; StringRef Note; public: SummaryCase(ConstraintSet &&Constraints, const ErrnoConstraintBase &ErrnoC, StringRef Note) : Constraints(std::move(Constraints)), ErrnoConstraint(ErrnoC), Note(Note) {} SummaryCase(const ConstraintSet &Constraints, const ErrnoConstraintBase &ErrnoC, StringRef Note) : Constraints(Constraints), ErrnoConstraint(ErrnoC), Note(Note) {} const ConstraintSet &getConstraints() const { return Constraints; } const ErrnoConstraintBase &getErrnoConstraint() const { return ErrnoConstraint; } StringRef getNote() const { return Note; } }; using ArgTypes = ArrayRef>; using RetType = std::optional; // A placeholder type, we use it whenever we do not care about the concrete // type in a Signature. const QualType Irrelevant{}; bool static isIrrelevant(QualType T) { return T.isNull(); } // The signature of a function we want to describe with a summary. This is a // concessive signature, meaning there may be irrelevant types in the // signature which we do not check against a function with concrete types. // All types in the spec need to be canonical. class Signature { using ArgQualTypes = std::vector; ArgQualTypes ArgTys; QualType RetTy; // True if any component type is not found by lookup. bool Invalid = false; public: // Construct a signature from optional types. If any of the optional types // are not set then the signature will be invalid. Signature(ArgTypes ArgTys, RetType RetTy) { for (std::optional Arg : ArgTys) { if (!Arg) { Invalid = true; return; } else { assertArgTypeSuitableForSignature(*Arg); this->ArgTys.push_back(*Arg); } } if (!RetTy) { Invalid = true; return; } else { assertRetTypeSuitableForSignature(*RetTy); this->RetTy = *RetTy; } } bool isInvalid() const { return Invalid; } bool matches(const FunctionDecl *FD) const; private: static void assertArgTypeSuitableForSignature(QualType T) { assert((T.isNull() || !T->isVoidType()) && "We should have no void types in the spec"); assert((T.isNull() || T.isCanonical()) && "We should only have canonical types in the spec"); } static void assertRetTypeSuitableForSignature(QualType T) { assert((T.isNull() || T.isCanonical()) && "We should only have canonical types in the spec"); } }; static QualType getArgType(const FunctionDecl *FD, ArgNo ArgN) { assert(FD && "Function must be set"); QualType T = (ArgN == Ret) ? FD->getReturnType().getCanonicalType() : FD->getParamDecl(ArgN)->getType().getCanonicalType(); return T; } using SummaryCases = std::vector; /// A summary includes information about /// * function prototype (signature) /// * approach to invalidation, /// * a list of branches - so, a list of list of ranges, /// * a list of argument constraints, that must be true on every branch. /// If these constraints are not satisfied that means a fatal error /// usually resulting in undefined behaviour. /// /// Application of a summary: /// The signature and argument constraints together contain information /// about which functions are handled by the summary. The signature can use /// "wildcards", i.e. Irrelevant types. Irrelevant type of a parameter in /// a signature means that type is not compared to the type of the parameter /// in the found FunctionDecl. Argument constraints may specify additional /// rules for the given parameter's type, those rules are checked once the /// signature is matched. class Summary { const InvalidationKind InvalidationKd; SummaryCases Cases; ConstraintSet ArgConstraints; // The function to which the summary applies. This is set after lookup and // match to the signature. const FunctionDecl *FD = nullptr; public: Summary(InvalidationKind InvalidationKd) : InvalidationKd(InvalidationKd) {} Summary &Case(ConstraintSet &&CS, const ErrnoConstraintBase &ErrnoC, StringRef Note = "") { Cases.push_back(SummaryCase(std::move(CS), ErrnoC, Note)); return *this; } Summary &Case(const ConstraintSet &CS, const ErrnoConstraintBase &ErrnoC, StringRef Note = "") { Cases.push_back(SummaryCase(CS, ErrnoC, Note)); return *this; } Summary &ArgConstraint(ValueConstraintPtr VC) { assert(VC->getArgNo() != Ret && "Arg constraint should not refer to the return value"); ArgConstraints.push_back(VC); return *this; } InvalidationKind getInvalidationKd() const { return InvalidationKd; } const SummaryCases &getCases() const { return Cases; } const ConstraintSet &getArgConstraints() const { return ArgConstraints; } QualType getArgType(ArgNo ArgN) const { return StdLibraryFunctionsChecker::getArgType(FD, ArgN); } // Returns true if the summary should be applied to the given function. // And if yes then store the function declaration. bool matchesAndSet(const Signature &Sign, const FunctionDecl *FD) { bool Result = Sign.matches(FD) && validateByConstraints(FD); if (Result) { assert(!this->FD && "FD must not be set more than once"); this->FD = FD; } return Result; } private: // Once we know the exact type of the function then do validation check on // all the given constraints. bool validateByConstraints(const FunctionDecl *FD) const { for (const SummaryCase &Case : Cases) for (const ValueConstraintPtr &Constraint : Case.getConstraints()) if (!Constraint->checkValidity(FD)) return false; for (const ValueConstraintPtr &Constraint : ArgConstraints) if (!Constraint->checkValidity(FD)) return false; return true; } }; // The map of all functions supported by the checker. It is initialized // lazily, and it doesn't change after initialization. using FunctionSummaryMapType = llvm::DenseMap; mutable FunctionSummaryMapType FunctionSummaryMap; const BugType BT_InvalidArg{this, "Function call with invalid argument"}; mutable bool SummariesInitialized = false; static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) { return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN); } static std::string getFunctionName(const CallEvent &Call) { assert(Call.getDecl() && "Call was found by a summary, should have declaration"); return cast(Call.getDecl())->getNameAsString(); } public: void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const; bool evalCall(const CallEvent &Call, CheckerContext &C) const; CheckerNameRef CheckName; bool AddTestFunctions = false; bool DisplayLoadedSummaries = false; bool ModelPOSIX = false; bool ShouldAssumeControlledEnvironment = false; private: std::optional findFunctionSummary(const FunctionDecl *FD, CheckerContext &C) const; std::optional findFunctionSummary(const CallEvent &Call, CheckerContext &C) const; void initFunctionSummaries(CheckerContext &C) const; void reportBug(const CallEvent &Call, ExplodedNode *N, const ValueConstraint *VC, const ValueConstraint *NegatedVC, const Summary &Summary, CheckerContext &C) const { assert(Call.getDecl() && "Function found in summary must have a declaration available"); SmallString<256> Msg; llvm::raw_svector_ostream MsgOs(Msg); MsgOs << "The "; printArgDesc(VC->getArgNo(), MsgOs); MsgOs << " to '" << getFunctionName(Call) << "' "; bool ValuesPrinted = NegatedVC->describeArgumentValue(Call, N->getState(), Summary, MsgOs); if (ValuesPrinted) MsgOs << " but "; else MsgOs << "is out of the accepted range; It "; VC->describe(ValueConstraint::Violation, Call, C.getState(), Summary, MsgOs); Msg[0] = toupper(Msg[0]); auto R = std::make_unique(BT_InvalidArg, Msg, N); for (ArgNo ArgN : VC->getArgsToTrack()) { bugreporter::trackExpressionValue(N, Call.getArgExpr(ArgN), *R); R->markInteresting(Call.getArgSVal(ArgN)); // All tracked arguments are important, highlight them. R->addRange(Call.getArgSourceRange(ArgN)); } C.emitReport(std::move(R)); } /// These are the errno constraints that can be passed to summary cases. /// One of these should fit for a single summary case. /// Usually if a failure return value exists for function, that function /// needs different cases for success and failure with different errno /// constraints (and different return value constraints). const NoErrnoConstraint ErrnoUnchanged{}; const ResetErrnoConstraint ErrnoIrrelevant{}; const ErrnoMustBeCheckedConstraint ErrnoMustBeChecked{}; const SuccessErrnoConstraint ErrnoMustNotBeChecked{}; const FailureErrnoConstraint ErrnoNEZeroIrrelevant{}; }; int StdLibraryFunctionsChecker::ErrnoConstraintBase::Tag = 0; const StdLibraryFunctionsChecker::ArgNo StdLibraryFunctionsChecker::Ret = std::numeric_limits::max(); static BasicValueFactory &getBVF(ProgramStateRef State) { ProgramStateManager &Mgr = State->getStateManager(); SValBuilder &SVB = Mgr.getSValBuilder(); return SVB.getBasicValueFactory(); } } // end of anonymous namespace void StdLibraryFunctionsChecker::printArgDesc( StdLibraryFunctionsChecker::ArgNo ArgN, llvm::raw_ostream &Out) { Out << std::to_string(ArgN + 1); Out << llvm::getOrdinalSuffix(ArgN + 1); Out << " argument"; } void StdLibraryFunctionsChecker::printArgValueInfo(ArgNo ArgN, ProgramStateRef State, const CallEvent &Call, llvm::raw_ostream &Out) { if (const llvm::APSInt *Val = State->getStateManager().getSValBuilder().getKnownValue( State, getArgSVal(Call, ArgN))) Out << " (which is " << *Val << ")"; } void StdLibraryFunctionsChecker::appendInsideRangeDesc(llvm::APSInt RMin, llvm::APSInt RMax, QualType ArgT, BasicValueFactory &BVF, llvm::raw_ostream &Out) { if (RMin.isZero() && RMax.isZero()) Out << "zero"; else if (RMin == RMax) Out << RMin; else if (RMin == BVF.getMinValue(ArgT)) { if (RMax == -1) Out << "< 0"; else Out << "<= " << RMax; } else if (RMax == BVF.getMaxValue(ArgT)) { if (RMin.isOne()) Out << "> 0"; else Out << ">= " << RMin; } else if (RMin.isNegative() == RMax.isNegative() && RMin.getLimitedValue() == RMax.getLimitedValue() - 1) { Out << RMin << " or " << RMax; } else { Out << "between " << RMin << " and " << RMax; } } void StdLibraryFunctionsChecker::appendOutOfRangeDesc(llvm::APSInt RMin, llvm::APSInt RMax, QualType ArgT, BasicValueFactory &BVF, llvm::raw_ostream &Out) { if (RMin.isZero() && RMax.isZero()) Out << "nonzero"; else if (RMin == RMax) { Out << "not equal to " << RMin; } else if (RMin == BVF.getMinValue(ArgT)) { if (RMax == -1) Out << ">= 0"; else Out << "> " << RMax; } else if (RMax == BVF.getMaxValue(ArgT)) { if (RMin.isOne()) Out << "<= 0"; else Out << "< " << RMin; } else if (RMin.isNegative() == RMax.isNegative() && RMin.getLimitedValue() == RMax.getLimitedValue() - 1) { Out << "not " << RMin << " and not " << RMax; } else { Out << "not between " << RMin << " and " << RMax; } } void StdLibraryFunctionsChecker::RangeConstraint::applyOnWithinRange( BasicValueFactory &BVF, QualType ArgT, const RangeApplyFunction &F) const { if (Ranges.empty()) return; for (auto [Start, End] : getRanges()) { const llvm::APSInt &Min = BVF.getValue(Start, ArgT); const llvm::APSInt &Max = BVF.getValue(End, ArgT); assert(Min <= Max); if (!F(Min, Max)) return; } } void StdLibraryFunctionsChecker::RangeConstraint::applyOnOutOfRange( BasicValueFactory &BVF, QualType ArgT, const RangeApplyFunction &F) const { if (Ranges.empty()) return; const IntRangeVector &R = getRanges(); size_t E = R.size(); const llvm::APSInt &MinusInf = BVF.getMinValue(ArgT); const llvm::APSInt &PlusInf = BVF.getMaxValue(ArgT); const llvm::APSInt &RangeLeft = BVF.getValue(R[0].first - 1ULL, ArgT); const llvm::APSInt &RangeRight = BVF.getValue(R[E - 1].second + 1ULL, ArgT); // Iterate over the "holes" between intervals. for (size_t I = 1; I != E; ++I) { const llvm::APSInt &Min = BVF.getValue(R[I - 1].second + 1ULL, ArgT); const llvm::APSInt &Max = BVF.getValue(R[I].first - 1ULL, ArgT); if (Min <= Max) { if (!F(Min, Max)) return; } } // Check the interval [T_MIN, min(R) - 1]. if (RangeLeft != PlusInf) { assert(MinusInf <= RangeLeft); if (!F(MinusInf, RangeLeft)) return; } // Check the interval [max(R) + 1, T_MAX], if (RangeRight != MinusInf) { assert(RangeRight <= PlusInf); if (!F(RangeRight, PlusInf)) return; } } ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::apply( ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const { ConstraintManager &CM = C.getConstraintManager(); SVal V = getArgSVal(Call, getArgNo()); QualType T = Summary.getArgType(getArgNo()); if (auto N = V.getAs()) { auto ExcludeRangeFromArg = [&](const llvm::APSInt &Min, const llvm::APSInt &Max) { State = CM.assumeInclusiveRange(State, *N, Min, Max, false); return static_cast(State); }; // "OutOfRange R" is handled by excluding all ranges in R. // "WithinRange R" is treated as "OutOfRange [T_MIN, T_MAX] \ R". applyOnRange(negateKind(Kind), C.getSValBuilder().getBasicValueFactory(), T, ExcludeRangeFromArg); } return State; } void StdLibraryFunctionsChecker::RangeConstraint::describe( DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const { BasicValueFactory &BVF = getBVF(State); QualType T = Summary.getArgType(getArgNo()); Out << ((DK == Violation) ? "should be " : "is "); if (!Description.empty()) { Out << Description; } else { unsigned I = Ranges.size(); if (Kind == WithinRange) { for (const std::pair &R : Ranges) { appendInsideRangeDesc(BVF.getValue(R.first, T), BVF.getValue(R.second, T), T, BVF, Out); if (--I > 0) Out << " or "; } } else { for (const std::pair &R : Ranges) { appendOutOfRangeDesc(BVF.getValue(R.first, T), BVF.getValue(R.second, T), T, BVF, Out); if (--I > 0) Out << " and "; } } } } bool StdLibraryFunctionsChecker::RangeConstraint::describeArgumentValue( const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const { unsigned int NRanges = 0; bool HaveAllRanges = true; ProgramStateManager &Mgr = State->getStateManager(); BasicValueFactory &BVF = Mgr.getSValBuilder().getBasicValueFactory(); ConstraintManager &CM = Mgr.getConstraintManager(); SVal V = getArgSVal(Call, getArgNo()); if (auto N = V.getAs()) { if (const llvm::APSInt *Int = N->getAsInteger()) { Out << "is "; Out << *Int; return true; } QualType T = Summary.getArgType(getArgNo()); SmallString<128> MoreInfo; llvm::raw_svector_ostream MoreInfoOs(MoreInfo); auto ApplyF = [&](const llvm::APSInt &Min, const llvm::APSInt &Max) { if (CM.assumeInclusiveRange(State, *N, Min, Max, true)) { if (NRanges > 0) MoreInfoOs << " or "; appendInsideRangeDesc(Min, Max, T, BVF, MoreInfoOs); ++NRanges; } else { HaveAllRanges = false; } return true; }; applyOnRange(Kind, BVF, T, ApplyF); assert(NRanges > 0); if (!HaveAllRanges || NRanges == 1) { Out << "is "; Out << MoreInfo; return true; } } return false; } ProgramStateRef StdLibraryFunctionsChecker::ComparisonConstraint::apply( ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const { ProgramStateManager &Mgr = State->getStateManager(); SValBuilder &SVB = Mgr.getSValBuilder(); QualType CondT = SVB.getConditionType(); QualType T = Summary.getArgType(getArgNo()); SVal V = getArgSVal(Call, getArgNo()); BinaryOperator::Opcode Op = getOpcode(); ArgNo OtherArg = getOtherArgNo(); SVal OtherV = getArgSVal(Call, OtherArg); QualType OtherT = Summary.getArgType(OtherArg); // Note: we avoid integral promotion for comparison. OtherV = SVB.evalCast(OtherV, T, OtherT); if (auto CompV = SVB.evalBinOp(State, Op, V, OtherV, CondT) .getAs()) State = State->assume(*CompV, true); return State; } ProgramStateRef StdLibraryFunctionsChecker::NotNullConstraint::apply( ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const { SVal V = getArgSVal(Call, getArgNo()); if (V.isUndef()) return State; DefinedOrUnknownSVal L = V.castAs(); if (!isa(L)) return State; return State->assume(L, CannotBeNull); } void StdLibraryFunctionsChecker::NotNullConstraint::describe( DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const { assert(CannotBeNull && "Describe should not be used when the value must be NULL"); if (DK == Violation) Out << "should not be NULL"; else Out << "is not NULL"; } bool StdLibraryFunctionsChecker::NotNullConstraint::describeArgumentValue( const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const { assert(!CannotBeNull && "This function is used when the value is NULL"); Out << "is NULL"; return true; } ProgramStateRef StdLibraryFunctionsChecker::NotNullBufferConstraint::apply( ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const { SVal V = getArgSVal(Call, getArgNo()); if (V.isUndef()) return State; DefinedOrUnknownSVal L = V.castAs(); if (!isa(L)) return State; std::optional SizeArg1 = getArgSVal(Call, SizeArg1N).getAs(); std::optional SizeArg2; if (SizeArg2N) SizeArg2 = getArgSVal(Call, *SizeArg2N).getAs(); auto IsArgZero = [State](std::optional Val) { if (!Val) return false; auto [IsNonNull, IsNull] = State->assume(*Val); return IsNull && !IsNonNull; }; if (IsArgZero(SizeArg1) || IsArgZero(SizeArg2)) return State; return State->assume(L, CannotBeNull); } void StdLibraryFunctionsChecker::NotNullBufferConstraint::describe( DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const { assert(CannotBeNull && "Describe should not be used when the value must be NULL"); if (DK == Violation) Out << "should not be NULL"; else Out << "is not NULL"; } bool StdLibraryFunctionsChecker::NotNullBufferConstraint::describeArgumentValue( const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const { assert(!CannotBeNull && "This function is used when the value is NULL"); Out << "is NULL"; return true; } ProgramStateRef StdLibraryFunctionsChecker::BufferSizeConstraint::apply( ProgramStateRef State, const CallEvent &Call, const Summary &Summary, CheckerContext &C) const { SValBuilder &SvalBuilder = C.getSValBuilder(); // The buffer argument. SVal BufV = getArgSVal(Call, getArgNo()); // Get the size constraint. const SVal SizeV = [this, &State, &Call, &Summary, &SvalBuilder]() { if (ConcreteSize) { return SVal(SvalBuilder.makeIntVal(*ConcreteSize)); } assert(SizeArgN && "The constraint must be either a concrete value or " "encoded in an argument."); // The size argument. SVal SizeV = getArgSVal(Call, *SizeArgN); // Multiply with another argument if given. if (SizeMultiplierArgN) { SVal SizeMulV = getArgSVal(Call, *SizeMultiplierArgN); SizeV = SvalBuilder.evalBinOp(State, BO_Mul, SizeV, SizeMulV, Summary.getArgType(*SizeArgN)); } return SizeV; }(); // The dynamic size of the buffer argument, got from the analyzer engine. SVal BufDynSize = getDynamicExtentWithOffset(State, BufV); SVal Feasible = SvalBuilder.evalBinOp(State, Op, SizeV, BufDynSize, SvalBuilder.getContext().BoolTy); if (auto F = Feasible.getAs()) return State->assume(*F, true); // We can get here only if the size argument or the dynamic size is // undefined. But the dynamic size should never be undefined, only // unknown. So, here, the size of the argument is undefined, i.e. we // cannot apply the constraint. Actually, other checkers like // CallAndMessage should catch this situation earlier, because we call a // function with an uninitialized argument. llvm_unreachable("Size argument or the dynamic size is Undefined"); } void StdLibraryFunctionsChecker::BufferSizeConstraint::describe( DescriptionKind DK, const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const { Out << ((DK == Violation) ? "should be " : "is "); Out << "a buffer with size equal to or greater than "; if (ConcreteSize) { Out << *ConcreteSize; } else if (SizeArgN) { Out << "the value of the "; printArgDesc(*SizeArgN, Out); printArgValueInfo(*SizeArgN, State, Call, Out); if (SizeMultiplierArgN) { Out << " times the "; printArgDesc(*SizeMultiplierArgN, Out); printArgValueInfo(*SizeMultiplierArgN, State, Call, Out); } } } bool StdLibraryFunctionsChecker::BufferSizeConstraint::describeArgumentValue( const CallEvent &Call, ProgramStateRef State, const Summary &Summary, llvm::raw_ostream &Out) const { SVal BufV = getArgSVal(Call, getArgNo()); SVal BufDynSize = getDynamicExtentWithOffset(State, BufV); if (const llvm::APSInt *Val = State->getStateManager().getSValBuilder().getKnownValue(State, BufDynSize)) { Out << "is a buffer with size " << *Val; return true; } return false; } void StdLibraryFunctionsChecker::checkPreCall(const CallEvent &Call, CheckerContext &C) const { std::optional FoundSummary = findFunctionSummary(Call, C); if (!FoundSummary) return; const Summary &Summary = *FoundSummary; ProgramStateRef State = C.getState(); ProgramStateRef NewState = State; ExplodedNode *NewNode = C.getPredecessor(); for (const ValueConstraintPtr &Constraint : Summary.getArgConstraints()) { ValueConstraintPtr NegatedConstraint = Constraint->negate(); ProgramStateRef SuccessSt = Constraint->apply(NewState, Call, Summary, C); ProgramStateRef FailureSt = NegatedConstraint->apply(NewState, Call, Summary, C); // The argument constraint is not satisfied. if (FailureSt && !SuccessSt) { if (ExplodedNode *N = C.generateErrorNode(State, NewNode)) reportBug(Call, N, Constraint.get(), NegatedConstraint.get(), Summary, C); break; } // We will apply the constraint even if we cannot reason about the // argument. This means both SuccessSt and FailureSt can be true. If we // weren't applying the constraint that would mean that symbolic // execution continues on a code whose behaviour is undefined. assert(SuccessSt); NewState = SuccessSt; if (NewState != State) { SmallString<128> Msg; llvm::raw_svector_ostream Os(Msg); Os << "Assuming that the "; printArgDesc(Constraint->getArgNo(), Os); Os << " to '"; Os << getFunctionName(Call); Os << "' "; Constraint->describe(ValueConstraint::Assumption, Call, NewState, Summary, Os); const auto ArgSVal = Call.getArgSVal(Constraint->getArgNo()); NewNode = C.addTransition( NewState, NewNode, C.getNoteTag([Msg = std::move(Msg), ArgSVal]( PathSensitiveBugReport &BR, llvm::raw_ostream &OS) { if (BR.isInteresting(ArgSVal)) OS << Msg; })); } } } void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call, CheckerContext &C) const { std::optional FoundSummary = findFunctionSummary(Call, C); if (!FoundSummary) return; // Now apply the constraints. const Summary &Summary = *FoundSummary; ProgramStateRef State = C.getState(); ExplodedNode *Node = C.getPredecessor(); // Apply case/branch specifications. for (const SummaryCase &Case : Summary.getCases()) { ProgramStateRef NewState = State; for (const ValueConstraintPtr &Constraint : Case.getConstraints()) { NewState = Constraint->apply(NewState, Call, Summary, C); if (!NewState) break; } if (NewState) NewState = Case.getErrnoConstraint().apply(NewState, Call, Summary, C); if (!NewState) continue; // Here it's possible that NewState == State, e.g. when other checkers // already applied the same constraints (or stricter ones). // Still add these note tags, the other checker should add only its // specialized note tags. These general note tags are handled always by // StdLibraryFunctionsChecker. ExplodedNode *Pred = Node; DeclarationName FunctionName = cast(Call.getDecl())->getDeclName(); std::string ErrnoNote = Case.getErrnoConstraint().describe(C); std::string CaseNote; if (Case.getNote().empty()) { if (!ErrnoNote.empty()) ErrnoNote = llvm::formatv("After calling '{0}' {1}", FunctionName, ErrnoNote); } else { CaseNote = llvm::formatv(Case.getNote().str().c_str(), FunctionName); } const SVal RV = Call.getReturnValue(); if (Summary.getInvalidationKd() == EvalCallAsPure) { // Do not expect that errno is interesting (the "pure" functions do not // affect it). if (!CaseNote.empty()) { const NoteTag *Tag = C.getNoteTag( [Node, CaseNote, RV](PathSensitiveBugReport &BR) -> std::string { // Try to omit the note if we know in advance which branch is // taken (this means, only one branch exists). // This check is performed inside the lambda, after other // (or this) checkers had a chance to add other successors. // Dereferencing the saved node object is valid because it's part // of a bug report call sequence. // FIXME: This check is not exact. We may be here after a state // split that was performed by another checker (and can not find // the successors). This is why this check is only used in the // EvalCallAsPure case. if (BR.isInteresting(RV) && Node->succ_size() > 1) return CaseNote; return ""; }); Pred = C.addTransition(NewState, Pred, Tag); } } else { if (!CaseNote.empty() || !ErrnoNote.empty()) { const NoteTag *Tag = C.getNoteTag([CaseNote, ErrnoNote, RV](PathSensitiveBugReport &BR) -> std::string { // If 'errno' is interesting, show the user a note about the case // (what happened at the function call) and about how 'errno' // causes the problem. ErrnoChecker sets the errno (but not RV) to // interesting. // If only the return value is interesting, show only the case // note. std::optional ErrnoLoc = errno_modeling::getErrnoLoc(BR.getErrorNode()->getState()); bool ErrnoImportant = !ErrnoNote.empty() && ErrnoLoc && BR.isInteresting(ErrnoLoc->getAsRegion()); if (ErrnoImportant) { BR.markNotInteresting(ErrnoLoc->getAsRegion()); if (CaseNote.empty()) return ErrnoNote; return llvm::formatv("{0}; {1}", CaseNote, ErrnoNote); } else { if (BR.isInteresting(RV)) return CaseNote; } return ""; }); Pred = C.addTransition(NewState, Pred, Tag); } } // Add the transition if no note tag was added. if (Pred == Node && NewState != State) C.addTransition(NewState); } } bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call, CheckerContext &C) const { std::optional FoundSummary = findFunctionSummary(Call, C); if (!FoundSummary) return false; const Summary &Summary = *FoundSummary; switch (Summary.getInvalidationKd()) { case EvalCallAsPure: { ProgramStateRef State = C.getState(); const LocationContext *LC = C.getLocationContext(); const auto *CE = cast(Call.getOriginExpr()); SVal V = C.getSValBuilder().conjureSymbolVal( CE, LC, CE->getType().getCanonicalType(), C.blockCount()); State = State->BindExpr(CE, LC, V); C.addTransition(State); return true; } case NoEvalCall: // Summary tells us to avoid performing eval::Call. The function is possibly // evaluated by another checker, or evaluated conservatively. return false; } llvm_unreachable("Unknown invalidation kind!"); } bool StdLibraryFunctionsChecker::Signature::matches( const FunctionDecl *FD) const { assert(!isInvalid()); // Check the number of arguments. if (FD->param_size() != ArgTys.size()) return false; // The "restrict" keyword is illegal in C++, however, many libc // implementations use the "__restrict" compiler intrinsic in functions // prototypes. The "__restrict" keyword qualifies a type as a restricted type // even in C++. // In case of any non-C99 languages, we don't want to match based on the // restrict qualifier because we cannot know if the given libc implementation // qualifies the paramter type or not. auto RemoveRestrict = [&FD](QualType T) { if (!FD->getASTContext().getLangOpts().C99) T.removeLocalRestrict(); return T; }; // Check the return type. if (!isIrrelevant(RetTy)) { QualType FDRetTy = RemoveRestrict(FD->getReturnType().getCanonicalType()); if (RetTy != FDRetTy) return false; } // Check the argument types. for (auto [Idx, ArgTy] : llvm::enumerate(ArgTys)) { if (isIrrelevant(ArgTy)) continue; QualType FDArgTy = RemoveRestrict(FD->getParamDecl(Idx)->getType().getCanonicalType()); if (ArgTy != FDArgTy) return false; } return true; } std::optional StdLibraryFunctionsChecker::findFunctionSummary(const FunctionDecl *FD, CheckerContext &C) const { if (!FD) return std::nullopt; initFunctionSummaries(C); auto FSMI = FunctionSummaryMap.find(FD->getCanonicalDecl()); if (FSMI == FunctionSummaryMap.end()) return std::nullopt; return FSMI->second; } std::optional StdLibraryFunctionsChecker::findFunctionSummary(const CallEvent &Call, CheckerContext &C) const { const FunctionDecl *FD = dyn_cast_or_null(Call.getDecl()); if (!FD) return std::nullopt; return findFunctionSummary(FD, C); } void StdLibraryFunctionsChecker::initFunctionSummaries( CheckerContext &C) const { if (SummariesInitialized) return; SummariesInitialized = true; SValBuilder &SVB = C.getSValBuilder(); BasicValueFactory &BVF = SVB.getBasicValueFactory(); const ASTContext &ACtx = BVF.getContext(); Preprocessor &PP = C.getPreprocessor(); // Helper class to lookup a type by its name. class LookupType { const ASTContext &ACtx; public: LookupType(const ASTContext &ACtx) : ACtx(ACtx) {} // Find the type. If not found then the optional is not set. std::optional operator()(StringRef Name) { IdentifierInfo &II = ACtx.Idents.get(Name); auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II); if (LookupRes.empty()) return std::nullopt; // Prioritze typedef declarations. // This is needed in case of C struct typedefs. E.g.: // typedef struct FILE FILE; // In this case, we have a RecordDecl 'struct FILE' with the name 'FILE' // and we have a TypedefDecl with the name 'FILE'. for (Decl *D : LookupRes) if (auto *TD = dyn_cast(D)) return ACtx.getTypeDeclType(TD).getCanonicalType(); // Find the first TypeDecl. // There maybe cases when a function has the same name as a struct. // E.g. in POSIX: `struct stat` and the function `stat()`: // int stat(const char *restrict path, struct stat *restrict buf); for (Decl *D : LookupRes) if (auto *TD = dyn_cast(D)) return ACtx.getTypeDeclType(TD).getCanonicalType(); return std::nullopt; } } lookupTy(ACtx); // Below are auxiliary classes to handle optional types that we get as a // result of the lookup. class GetRestrictTy { const ASTContext &ACtx; public: GetRestrictTy(const ASTContext &ACtx) : ACtx(ACtx) {} QualType operator()(QualType Ty) { return ACtx.getLangOpts().C99 ? ACtx.getRestrictType(Ty) : Ty; } std::optional operator()(std::optional Ty) { if (Ty) return operator()(*Ty); return std::nullopt; } } getRestrictTy(ACtx); class GetPointerTy { const ASTContext &ACtx; public: GetPointerTy(const ASTContext &ACtx) : ACtx(ACtx) {} QualType operator()(QualType Ty) { return ACtx.getPointerType(Ty); } std::optional operator()(std::optional Ty) { if (Ty) return operator()(*Ty); return std::nullopt; } } getPointerTy(ACtx); class { public: std::optional operator()(std::optional Ty) { return Ty ? std::optional(Ty->withConst()) : std::nullopt; } QualType operator()(QualType Ty) { return Ty.withConst(); } } getConstTy; class GetMaxValue { BasicValueFactory &BVF; public: GetMaxValue(BasicValueFactory &BVF) : BVF(BVF) {} std::optional operator()(QualType Ty) { return BVF.getMaxValue(Ty).getLimitedValue(); } std::optional operator()(std::optional Ty) { if (Ty) { return operator()(*Ty); } return std::nullopt; } } getMaxValue(BVF); // These types are useful for writing specifications quickly, // New specifications should probably introduce more types. // Some types are hard to obtain from the AST, eg. "ssize_t". // In such cases it should be possible to provide multiple variants // of function summary for common cases (eg. ssize_t could be int or long // or long long, so three summary variants would be enough). // Of course, function variants are also useful for C++ overloads. const QualType VoidTy = ACtx.VoidTy; const QualType CharTy = ACtx.CharTy; const QualType WCharTy = ACtx.WCharTy; const QualType IntTy = ACtx.IntTy; const QualType UnsignedIntTy = ACtx.UnsignedIntTy; const QualType LongTy = ACtx.LongTy; const QualType SizeTy = ACtx.getSizeType(); const QualType VoidPtrTy = getPointerTy(VoidTy); // void * const QualType IntPtrTy = getPointerTy(IntTy); // int * const QualType UnsignedIntPtrTy = getPointerTy(UnsignedIntTy); // unsigned int * const QualType VoidPtrRestrictTy = getRestrictTy(VoidPtrTy); const QualType ConstVoidPtrTy = getPointerTy(getConstTy(VoidTy)); // const void * const QualType CharPtrTy = getPointerTy(CharTy); // char * const QualType CharPtrRestrictTy = getRestrictTy(CharPtrTy); const QualType ConstCharPtrTy = getPointerTy(getConstTy(CharTy)); // const char * const QualType ConstCharPtrRestrictTy = getRestrictTy(ConstCharPtrTy); const QualType Wchar_tPtrTy = getPointerTy(WCharTy); // wchar_t * const QualType ConstWchar_tPtrTy = getPointerTy(getConstTy(WCharTy)); // const wchar_t * const QualType ConstVoidPtrRestrictTy = getRestrictTy(ConstVoidPtrTy); const QualType SizePtrTy = getPointerTy(SizeTy); const QualType SizePtrRestrictTy = getRestrictTy(SizePtrTy); const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue(); const RangeInt UnsignedIntMax = BVF.getMaxValue(UnsignedIntTy).getLimitedValue(); const RangeInt LongMax = BVF.getMaxValue(LongTy).getLimitedValue(); const RangeInt SizeMax = BVF.getMaxValue(SizeTy).getLimitedValue(); // Set UCharRangeMax to min of int or uchar maximum value. // The C standard states that the arguments of functions like isalpha must // be representable as an unsigned char. Their type is 'int', so the max // value of the argument should be min(UCharMax, IntMax). This just happen // to be true for commonly used and well tested instruction set // architectures, but not for others. const RangeInt UCharRangeMax = std::min(BVF.getMaxValue(ACtx.UnsignedCharTy).getLimitedValue(), IntMax); // Get platform dependent values of some macros. // Try our best to parse this from the Preprocessor, otherwise fallback to a // default value (what is found in a library header). const auto EOFv = tryExpandAsInteger("EOF", PP).value_or(-1); const auto AT_FDCWDv = tryExpandAsInteger("AT_FDCWD", PP).value_or(-100); // Auxiliary class to aid adding summaries to the summary map. struct AddToFunctionSummaryMap { const ASTContext &ACtx; FunctionSummaryMapType ⤅ bool DisplayLoadedSummaries; AddToFunctionSummaryMap(const ASTContext &ACtx, FunctionSummaryMapType &FSM, bool DisplayLoadedSummaries) : ACtx(ACtx), Map(FSM), DisplayLoadedSummaries(DisplayLoadedSummaries) { } // Add a summary to a FunctionDecl found by lookup. The lookup is performed // by the given Name, and in the global scope. The summary will be attached // to the found FunctionDecl only if the signatures match. // // Returns true if the summary has been added, false otherwise. bool operator()(StringRef Name, Signature Sign, Summary Sum) { if (Sign.isInvalid()) return false; IdentifierInfo &II = ACtx.Idents.get(Name); auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II); if (LookupRes.empty()) return false; for (Decl *D : LookupRes) { if (auto *FD = dyn_cast(D)) { if (Sum.matchesAndSet(Sign, FD)) { auto Res = Map.insert({FD->getCanonicalDecl(), Sum}); assert(Res.second && "Function already has a summary set!"); (void)Res; if (DisplayLoadedSummaries) { llvm::errs() << "Loaded summary for: "; FD->print(llvm::errs()); llvm::errs() << "\n"; } return true; } } } return false; } // Add the same summary for different names with the Signature explicitly // given. void operator()(ArrayRef Names, Signature Sign, Summary Sum) { for (StringRef Name : Names) operator()(Name, Sign, Sum); } } addToFunctionSummaryMap(ACtx, FunctionSummaryMap, DisplayLoadedSummaries); // Below are helpers functions to create the summaries. auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind, IntRangeVector Ranges, StringRef Desc = "") { return std::make_shared(ArgN, Kind, Ranges, Desc); }; auto BufferSize = [](auto... Args) { return std::make_shared(Args...); }; struct { auto operator()(RangeKind Kind, IntRangeVector Ranges) { return std::make_shared(Ret, Kind, Ranges); } auto operator()(BinaryOperator::Opcode Op, ArgNo OtherArgN) { return std::make_shared(Ret, Op, OtherArgN); } } ReturnValueCondition; struct { auto operator()(RangeInt b, RangeInt e) { return IntRangeVector{std::pair{b, e}}; } auto operator()(RangeInt b, std::optional e) { if (e) return IntRangeVector{std::pair{b, *e}}; return IntRangeVector{}; } auto operator()(std::pair i0, std::pair> i1) { if (i1.second) return IntRangeVector{i0, {i1.first, *(i1.second)}}; return IntRangeVector{i0}; } } Range; auto SingleValue = [](RangeInt v) { return IntRangeVector{std::pair{v, v}}; }; auto LessThanOrEq = BO_LE; auto NotNull = [&](ArgNo ArgN) { return std::make_shared(ArgN); }; auto IsNull = [&](ArgNo ArgN) { return std::make_shared(ArgN, false); }; auto NotNullBuffer = [&](ArgNo ArgN, ArgNo SizeArg1N, ArgNo SizeArg2N) { return std::make_shared(ArgN, SizeArg1N, SizeArg2N); }; std::optional FileTy = lookupTy("FILE"); std::optional FilePtrTy = getPointerTy(FileTy); std::optional FilePtrRestrictTy = getRestrictTy(FilePtrTy); std::optional FPosTTy = lookupTy("fpos_t"); std::optional FPosTPtrTy = getPointerTy(FPosTTy); std::optional ConstFPosTPtrTy = getPointerTy(getConstTy(FPosTTy)); std::optional FPosTPtrRestrictTy = getRestrictTy(FPosTPtrTy); constexpr llvm::StringLiteral GenericSuccessMsg( "Assuming that '{0}' is successful"); constexpr llvm::StringLiteral GenericFailureMsg("Assuming that '{0}' fails"); // We are finally ready to define specifications for all supported functions. // // Argument ranges should always cover all variants. If return value // is completely unknown, omit it from the respective range set. // // Every item in the list of range sets represents a particular // execution path the analyzer would need to explore once // the call is modeled - a new program state is constructed // for every range set, and each range line in the range set // corresponds to a specific constraint within this state. // The isascii() family of functions. // The behavior is undefined if the value of the argument is not // representable as unsigned char or is not equal to EOF. See e.g. C99 // 7.4.1.2 The isalpha function (p: 181-182). addToFunctionSummaryMap( "isalnum", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) // Boils down to isupper() or islower() or isdigit(). .Case({ArgumentCondition(0U, WithinRange, {{'0', '9'}, {'A', 'Z'}, {'a', 'z'}}), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is alphanumeric") // The locale-specific range. // No post-condition. We are completely unaware of // locale-specific return values. .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, ErrnoIrrelevant) .Case( {ArgumentCondition( 0U, OutOfRange, {{'0', '9'}, {'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is non-alphanumeric") .ArgConstraint(ArgumentCondition(0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}}, "an unsigned char value or EOF"))); addToFunctionSummaryMap( "isalpha", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .Case({ArgumentCondition(0U, WithinRange, {{'A', 'Z'}, {'a', 'z'}}), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is alphabetical") // The locale-specific range. .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, ErrnoIrrelevant) .Case({ArgumentCondition( 0U, OutOfRange, {{'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is non-alphabetical")); addToFunctionSummaryMap( "isascii", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .Case({ArgumentCondition(0U, WithinRange, Range(0, 127)), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is an ASCII character") .Case({ArgumentCondition(0U, OutOfRange, Range(0, 127)), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is not an ASCII character")); addToFunctionSummaryMap( "isblank", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .Case({ArgumentCondition(0U, WithinRange, {{'\t', '\t'}, {' ', ' '}}), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is a blank character") .Case({ArgumentCondition(0U, OutOfRange, {{'\t', '\t'}, {' ', ' '}}), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is not a blank character")); addToFunctionSummaryMap( "iscntrl", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .Case({ArgumentCondition(0U, WithinRange, {{0, 32}, {127, 127}}), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is a control character") .Case({ArgumentCondition(0U, OutOfRange, {{0, 32}, {127, 127}}), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is not a control character")); addToFunctionSummaryMap( "isdigit", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .Case({ArgumentCondition(0U, WithinRange, Range('0', '9')), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is a digit") .Case({ArgumentCondition(0U, OutOfRange, Range('0', '9')), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is not a digit")); addToFunctionSummaryMap( "isgraph", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .Case({ArgumentCondition(0U, WithinRange, Range(33, 126)), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character has graphical representation") .Case( {ArgumentCondition(0U, OutOfRange, Range(33, 126)), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character does not have graphical representation")); addToFunctionSummaryMap( "islower", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) // Is certainly lowercase. .Case({ArgumentCondition(0U, WithinRange, Range('a', 'z')), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is a lowercase letter") // Is ascii but not lowercase. .Case({ArgumentCondition(0U, WithinRange, Range(0, 127)), ArgumentCondition(0U, OutOfRange, Range('a', 'z')), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is not a lowercase letter") // The locale-specific range. .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, ErrnoIrrelevant) // Is not an unsigned char. .Case({ArgumentCondition(0U, OutOfRange, Range(0, UCharRangeMax)), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant)); addToFunctionSummaryMap( "isprint", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .Case({ArgumentCondition(0U, WithinRange, Range(32, 126)), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is printable") .Case({ArgumentCondition(0U, OutOfRange, Range(32, 126)), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is non-printable")); addToFunctionSummaryMap( "ispunct", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .Case({ArgumentCondition( 0U, WithinRange, {{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is a punctuation mark") .Case({ArgumentCondition( 0U, OutOfRange, {{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is not a punctuation mark")); addToFunctionSummaryMap( "isspace", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) // Space, '\f', '\n', '\r', '\t', '\v'. .Case({ArgumentCondition(0U, WithinRange, {{9, 13}, {' ', ' '}}), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is a whitespace character") // The locale-specific range. .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, ErrnoIrrelevant) .Case({ArgumentCondition(0U, OutOfRange, {{9, 13}, {' ', ' '}, {128, UCharRangeMax}}), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is not a whitespace character")); addToFunctionSummaryMap( "isupper", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) // Is certainly uppercase. .Case({ArgumentCondition(0U, WithinRange, Range('A', 'Z')), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is an uppercase letter") // The locale-specific range. .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})}, ErrnoIrrelevant) // Other. .Case({ArgumentCondition(0U, OutOfRange, {{'A', 'Z'}, {128, UCharRangeMax}}), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is not an uppercase letter")); addToFunctionSummaryMap( "isxdigit", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .Case({ArgumentCondition(0U, WithinRange, {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}), ReturnValueCondition(OutOfRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is a hexadecimal digit") .Case({ArgumentCondition(0U, OutOfRange, {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Assuming the character is not a hexadecimal digit")); addToFunctionSummaryMap( "toupper", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}}, "an unsigned char value or EOF"))); addToFunctionSummaryMap( "tolower", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}}, "an unsigned char value or EOF"))); addToFunctionSummaryMap( "toascii", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}}, "an unsigned char value or EOF"))); addToFunctionSummaryMap( "getchar", Signature(ArgTypes{}, RetType{IntTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})}, ErrnoIrrelevant)); // read()-like functions that never return more than buffer size. auto FreadSummary = Summary(NoEvalCall) .Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)), ArgumentCondition(2U, WithinRange, Range(1, SizeMax)), ReturnValueCondition(BO_LT, ArgNo(2)), ReturnValueCondition(WithinRange, Range(0, SizeMax))}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)), ReturnValueCondition(BO_EQ, ArgNo(2)), ReturnValueCondition(WithinRange, Range(0, SizeMax))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ArgumentCondition(1U, WithinRange, SingleValue(0)), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoMustNotBeChecked, "Assuming that argument 'size' to '{0}' is 0") .ArgConstraint(NotNullBuffer(ArgNo(0), ArgNo(1), ArgNo(2))) .ArgConstraint(NotNull(ArgNo(3))) .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1), /*BufSizeMultiplier=*/ArgNo(2))); // size_t fread(void *restrict ptr, size_t size, size_t nitems, // FILE *restrict stream); addToFunctionSummaryMap( "fread", Signature(ArgTypes{VoidPtrRestrictTy, SizeTy, SizeTy, FilePtrRestrictTy}, RetType{SizeTy}), FreadSummary); // size_t fwrite(const void *restrict ptr, size_t size, size_t nitems, // FILE *restrict stream); addToFunctionSummaryMap("fwrite", Signature(ArgTypes{ConstVoidPtrRestrictTy, SizeTy, SizeTy, FilePtrRestrictTy}, RetType{SizeTy}), FreadSummary); std::optional Ssize_tTy = lookupTy("ssize_t"); std::optional Ssize_tMax = getMaxValue(Ssize_tTy); auto ReadSummary = Summary(NoEvalCall) .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))}, ErrnoIrrelevant); // FIXME these are actually defined by POSIX and not by the C standard, we // should handle them together with the rest of the POSIX functions. // ssize_t read(int fildes, void *buf, size_t nbyte); addToFunctionSummaryMap( "read", Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy}, RetType{Ssize_tTy}), ReadSummary); // ssize_t write(int fildes, const void *buf, size_t nbyte); addToFunctionSummaryMap( "write", Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy}, RetType{Ssize_tTy}), ReadSummary); auto GetLineSummary = Summary(NoEvalCall) .Case({ReturnValueCondition(WithinRange, Range({-1, -1}, {1, Ssize_tMax}))}, ErrnoIrrelevant); QualType CharPtrPtrRestrictTy = getRestrictTy(getPointerTy(CharPtrTy)); // getline()-like functions either fail or read at least the delimiter. // FIXME these are actually defined by POSIX and not by the C standard, we // should handle them together with the rest of the POSIX functions. // ssize_t getline(char **restrict lineptr, size_t *restrict n, // FILE *restrict stream); addToFunctionSummaryMap( "getline", Signature( ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, FilePtrRestrictTy}, RetType{Ssize_tTy}), GetLineSummary); // ssize_t getdelim(char **restrict lineptr, size_t *restrict n, // int delimiter, FILE *restrict stream); addToFunctionSummaryMap( "getdelim", Signature(ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, IntTy, FilePtrRestrictTy}, RetType{Ssize_tTy}), GetLineSummary); { Summary GetenvSummary = Summary(NoEvalCall) .ArgConstraint(NotNull(ArgNo(0))) .Case({NotNull(Ret)}, ErrnoIrrelevant, "Assuming the environment variable exists"); // In untrusted environments the envvar might not exist. if (!ShouldAssumeControlledEnvironment) GetenvSummary.Case({NotNull(Ret)->negate()}, ErrnoIrrelevant, "Assuming the environment variable does not exist"); // char *getenv(const char *name); addToFunctionSummaryMap( "getenv", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}), std::move(GetenvSummary)); } if (!ModelPOSIX) { // Without POSIX use of 'errno' is not specified (in these cases). // Add these functions without 'errno' checks. addToFunctionSummaryMap( {"getc", "fgetc"}, Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})}, ErrnoIrrelevant) .ArgConstraint(NotNull(ArgNo(0)))); } else { const auto ReturnsZeroOrMinusOne = ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, 0))}; const auto ReturnsZero = ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(0))}; const auto ReturnsMinusOne = ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(-1))}; const auto ReturnsEOF = ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(EOFv))}; const auto ReturnsNonnegative = ConstraintSet{ReturnValueCondition(WithinRange, Range(0, IntMax))}; const auto ReturnsNonZero = ConstraintSet{ReturnValueCondition(OutOfRange, SingleValue(0))}; const auto ReturnsFileDescriptor = ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, IntMax))}; const auto &ReturnsValidFileDescriptor = ReturnsNonnegative; auto ValidFileDescriptorOrAtFdcwd = [&](ArgNo ArgN) { return std::make_shared( ArgN, WithinRange, Range({AT_FDCWDv, AT_FDCWDv}, {0, IntMax}), "a valid file descriptor or AT_FDCWD"); }; // FILE *fopen(const char *restrict pathname, const char *restrict mode); addToFunctionSummaryMap( "fopen", Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy}, RetType{FilePtrTy}), Summary(NoEvalCall) .Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // FILE *fdopen(int fd, const char *mode); addToFunctionSummaryMap( "fdopen", Signature(ArgTypes{IntTy, ConstCharPtrTy}, RetType{FilePtrTy}), Summary(NoEvalCall) .Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint(NotNull(ArgNo(1)))); // FILE *tmpfile(void); addToFunctionSummaryMap( "tmpfile", Signature(ArgTypes{}, RetType{FilePtrTy}), Summary(NoEvalCall) .Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg)); // FILE *freopen(const char *restrict pathname, const char *restrict mode, // FILE *restrict stream); addToFunctionSummaryMap( "freopen", Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy, FilePtrRestrictTy}, RetType{FilePtrTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(BO_EQ, ArgNo(2))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(NotNull(ArgNo(2)))); // FILE *popen(const char *command, const char *type); addToFunctionSummaryMap( "popen", Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{FilePtrTy}), Summary(NoEvalCall) .Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int fclose(FILE *stream); addToFunctionSummaryMap( "fclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsEOF, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int pclose(FILE *stream); addToFunctionSummaryMap( "pclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(WithinRange, {{0, IntMax}})}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); std::optional Off_tTy = lookupTy("off_t"); std::optional Off_tMax = getMaxValue(Off_tTy); // int fgetc(FILE *stream); // 'getc' is the same as 'fgetc' but may be a macro addToFunctionSummaryMap( {"getc", "fgetc"}, Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(WithinRange, {{0, UCharRangeMax}})}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ReturnValueCondition(WithinRange, SingleValue(EOFv))}, ErrnoIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int fputc(int c, FILE *stream); // 'putc' is the same as 'fputc' but may be a macro addToFunctionSummaryMap( {"putc", "fputc"}, Signature(ArgTypes{IntTy, FilePtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case({ArgumentCondition(0, WithinRange, Range(0, UCharRangeMax)), ReturnValueCondition(BO_EQ, ArgNo(0))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ArgumentCondition(0, OutOfRange, Range(0, UCharRangeMax)), ReturnValueCondition(WithinRange, Range(0, UCharRangeMax))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ReturnValueCondition(WithinRange, SingleValue(EOFv))}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(1)))); // char *fgets(char *restrict s, int n, FILE *restrict stream); addToFunctionSummaryMap( "fgets", Signature(ArgTypes{CharPtrRestrictTy, IntTy, FilePtrRestrictTy}, RetType{CharPtrTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(BO_EQ, ArgNo(0))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({IsNull(Ret)}, ErrnoIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(ArgumentCondition(1, WithinRange, Range(0, IntMax))) .ArgConstraint( BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1))) .ArgConstraint(NotNull(ArgNo(2)))); // int fputs(const char *restrict s, FILE *restrict stream); addToFunctionSummaryMap( "fputs", Signature(ArgTypes{ConstCharPtrRestrictTy, FilePtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsNonnegative, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ReturnValueCondition(WithinRange, SingleValue(EOFv))}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int ungetc(int c, FILE *stream); addToFunctionSummaryMap( "ungetc", Signature(ArgTypes{IntTy, FilePtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(BO_EQ, ArgNo(0)), ArgumentCondition(0, WithinRange, {{0, UCharRangeMax}})}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ReturnValueCondition(WithinRange, SingleValue(EOFv)), ArgumentCondition(0, WithinRange, SingleValue(EOFv))}, ErrnoNEZeroIrrelevant, "Assuming that 'ungetc' fails because EOF was passed as " "character") .Case({ReturnValueCondition(WithinRange, SingleValue(EOFv)), ArgumentCondition(0, WithinRange, {{0, UCharRangeMax}})}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ArgumentCondition( 0, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})) .ArgConstraint(NotNull(ArgNo(1)))); // int fseek(FILE *stream, long offset, int whence); // FIXME: It can be possible to get the 'SEEK_' values (like EOFv) and use // these for condition of arg 2. // Now the range [0,2] is used (the `SEEK_*` constants are usually 0,1,2). addToFunctionSummaryMap( "fseek", Signature(ArgTypes{FilePtrTy, LongTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(ArgumentCondition(2, WithinRange, {{0, 2}}))); // int fseeko(FILE *stream, off_t offset, int whence); addToFunctionSummaryMap( "fseeko", Signature(ArgTypes{FilePtrTy, Off_tTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(ArgumentCondition(2, WithinRange, {{0, 2}}))); // int fgetpos(FILE *restrict stream, fpos_t *restrict pos); // From 'The Open Group Base Specifications Issue 7, 2018 edition': // "The fgetpos() function shall not change the setting of errno if // successful." addToFunctionSummaryMap( "fgetpos", Signature(ArgTypes{FilePtrRestrictTy, FPosTPtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoUnchanged, GenericSuccessMsg) .Case(ReturnsNonZero, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int fsetpos(FILE *stream, const fpos_t *pos); // From 'The Open Group Base Specifications Issue 7, 2018 edition': // "The fsetpos() function shall not change the setting of errno if // successful." addToFunctionSummaryMap( "fsetpos", Signature(ArgTypes{FilePtrTy, ConstFPosTPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoUnchanged, GenericSuccessMsg) .Case(ReturnsNonZero, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int fflush(FILE *stream); addToFunctionSummaryMap( "fflush", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsEOF, ErrnoNEZeroIrrelevant, GenericFailureMsg)); // long ftell(FILE *stream); // From 'The Open Group Base Specifications Issue 7, 2018 edition': // "The ftell() function shall not change the setting of errno if // successful." addToFunctionSummaryMap( "ftell", Signature(ArgTypes{FilePtrTy}, RetType{LongTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(WithinRange, Range(0, LongMax))}, ErrnoUnchanged, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // off_t ftello(FILE *stream); addToFunctionSummaryMap( "ftello", Signature(ArgTypes{FilePtrTy}, RetType{Off_tTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(WithinRange, Range(0, Off_tMax))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int fileno(FILE *stream); // According to POSIX 'fileno' may fail and set 'errno'. // But in Linux it may fail only if the specified file pointer is invalid. // At many places 'fileno' is used without check for failure and a failure // case here would produce a large amount of likely false positive warnings. // To avoid this, we assume here that it does not fail. addToFunctionSummaryMap( "fileno", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsValidFileDescriptor, ErrnoUnchanged, GenericSuccessMsg) .ArgConstraint(NotNull(ArgNo(0)))); // void rewind(FILE *stream); // This function indicates error only by setting of 'errno'. addToFunctionSummaryMap("rewind", Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}), Summary(NoEvalCall) .Case({}, ErrnoMustBeChecked) .ArgConstraint(NotNull(ArgNo(0)))); // void clearerr(FILE *stream); addToFunctionSummaryMap( "clearerr", Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // int feof(FILE *stream); addToFunctionSummaryMap( "feof", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // int ferror(FILE *stream); addToFunctionSummaryMap( "ferror", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // long a64l(const char *str64); addToFunctionSummaryMap( "a64l", Signature(ArgTypes{ConstCharPtrTy}, RetType{LongTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // char *l64a(long value); addToFunctionSummaryMap("l64a", Signature(ArgTypes{LongTy}, RetType{CharPtrTy}), Summary(NoEvalCall) .ArgConstraint(ArgumentCondition( 0, WithinRange, Range(0, LongMax)))); // int open(const char *path, int oflag, ...); addToFunctionSummaryMap( "open", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int openat(int fd, const char *path, int oflag, ...); addToFunctionSummaryMap( "openat", Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int access(const char *pathname, int amode); addToFunctionSummaryMap( "access", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int faccessat(int dirfd, const char *pathname, int mode, int flags); addToFunctionSummaryMap( "faccessat", Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int dup(int fildes); addToFunctionSummaryMap( "dup", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // int dup2(int fildes1, int filedes2); addToFunctionSummaryMap( "dup2", Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint( ArgumentCondition(1, WithinRange, Range(0, IntMax)))); // int fdatasync(int fildes); addToFunctionSummaryMap( "fdatasync", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // int fnmatch(const char *pattern, const char *string, int flags); addToFunctionSummaryMap( "fnmatch", Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int fsync(int fildes); addToFunctionSummaryMap( "fsync", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // int truncate(const char *path, off_t length); addToFunctionSummaryMap( "truncate", Signature(ArgTypes{ConstCharPtrTy, Off_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int symlink(const char *oldpath, const char *newpath); addToFunctionSummaryMap( "symlink", Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int symlinkat(const char *oldpath, int newdirfd, const char *newpath); addToFunctionSummaryMap( "symlinkat", Signature(ArgTypes{ConstCharPtrTy, IntTy, ConstCharPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(1))) .ArgConstraint(NotNull(ArgNo(2)))); // int lockf(int fd, int cmd, off_t len); addToFunctionSummaryMap( "lockf", Signature(ArgTypes{IntTy, IntTy, Off_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); std::optional Mode_tTy = lookupTy("mode_t"); // int creat(const char *pathname, mode_t mode); addToFunctionSummaryMap( "creat", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // unsigned int sleep(unsigned int seconds); addToFunctionSummaryMap( "sleep", Signature(ArgTypes{UnsignedIntTy}, RetType{UnsignedIntTy}), Summary(NoEvalCall) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, UnsignedIntMax)))); std::optional DirTy = lookupTy("DIR"); std::optional DirPtrTy = getPointerTy(DirTy); // int dirfd(DIR *dirp); addToFunctionSummaryMap( "dirfd", Signature(ArgTypes{DirPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // unsigned int alarm(unsigned int seconds); addToFunctionSummaryMap( "alarm", Signature(ArgTypes{UnsignedIntTy}, RetType{UnsignedIntTy}), Summary(NoEvalCall) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, UnsignedIntMax)))); // int closedir(DIR *dir); addToFunctionSummaryMap( "closedir", Signature(ArgTypes{DirPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // char *strdup(const char *s); addToFunctionSummaryMap( "strdup", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // char *strndup(const char *s, size_t n); addToFunctionSummaryMap( "strndup", Signature(ArgTypes{ConstCharPtrTy, SizeTy}, RetType{CharPtrTy}), Summary(NoEvalCall) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint( ArgumentCondition(1, WithinRange, Range(0, SizeMax)))); // wchar_t *wcsdup(const wchar_t *s); addToFunctionSummaryMap( "wcsdup", Signature(ArgTypes{ConstWchar_tPtrTy}, RetType{Wchar_tPtrTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // int mkstemp(char *template); addToFunctionSummaryMap( "mkstemp", Signature(ArgTypes{CharPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // char *mkdtemp(char *template); addToFunctionSummaryMap( "mkdtemp", Signature(ArgTypes{CharPtrTy}, RetType{CharPtrTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(BO_EQ, ArgNo(0))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // char *getcwd(char *buf, size_t size); addToFunctionSummaryMap( "getcwd", Signature(ArgTypes{CharPtrTy, SizeTy}, RetType{CharPtrTy}), Summary(NoEvalCall) .Case({ArgumentCondition(1, WithinRange, Range(1, SizeMax)), ReturnValueCondition(BO_EQ, ArgNo(0))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ArgumentCondition(1, WithinRange, SingleValue(0)), IsNull(Ret)}, ErrnoNEZeroIrrelevant, "Assuming that argument 'size' is 0") .Case({ArgumentCondition(1, WithinRange, Range(1, SizeMax)), IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint( BufferSize(/*Buffer*/ ArgNo(0), /*BufSize*/ ArgNo(1))) .ArgConstraint( ArgumentCondition(1, WithinRange, Range(0, SizeMax)))); // int mkdir(const char *pathname, mode_t mode); addToFunctionSummaryMap( "mkdir", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int mkdirat(int dirfd, const char *pathname, mode_t mode); addToFunctionSummaryMap( "mkdirat", Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); std::optional Dev_tTy = lookupTy("dev_t"); // int mknod(const char *pathname, mode_t mode, dev_t dev); addToFunctionSummaryMap( "mknod", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy, Dev_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int mknodat(int dirfd, const char *pathname, mode_t mode, dev_t dev); addToFunctionSummaryMap( "mknodat", Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy, Dev_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int chmod(const char *path, mode_t mode); addToFunctionSummaryMap( "chmod", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags); addToFunctionSummaryMap( "fchmodat", Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int fchmod(int fildes, mode_t mode); addToFunctionSummaryMap( "fchmod", Signature(ArgTypes{IntTy, Mode_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); std::optional Uid_tTy = lookupTy("uid_t"); std::optional Gid_tTy = lookupTy("gid_t"); // int fchownat(int dirfd, const char *pathname, uid_t owner, gid_t group, // int flags); addToFunctionSummaryMap( "fchownat", Signature(ArgTypes{IntTy, ConstCharPtrTy, Uid_tTy, Gid_tTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int chown(const char *path, uid_t owner, gid_t group); addToFunctionSummaryMap( "chown", Signature(ArgTypes{ConstCharPtrTy, Uid_tTy, Gid_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int lchown(const char *path, uid_t owner, gid_t group); addToFunctionSummaryMap( "lchown", Signature(ArgTypes{ConstCharPtrTy, Uid_tTy, Gid_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int fchown(int fildes, uid_t owner, gid_t group); addToFunctionSummaryMap( "fchown", Signature(ArgTypes{IntTy, Uid_tTy, Gid_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // int rmdir(const char *pathname); addToFunctionSummaryMap( "rmdir", Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int chdir(const char *path); addToFunctionSummaryMap( "chdir", Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int link(const char *oldpath, const char *newpath); addToFunctionSummaryMap( "link", Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int linkat(int fd1, const char *path1, int fd2, const char *path2, // int flag); addToFunctionSummaryMap( "linkat", Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, ConstCharPtrTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(2))) .ArgConstraint(NotNull(ArgNo(3)))); // int unlink(const char *pathname); addToFunctionSummaryMap( "unlink", Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int unlinkat(int fd, const char *path, int flag); addToFunctionSummaryMap( "unlinkat", Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); std::optional StructStatTy = lookupTy("stat"); std::optional StructStatPtrTy = getPointerTy(StructStatTy); std::optional StructStatPtrRestrictTy = getRestrictTy(StructStatPtrTy); // int fstat(int fd, struct stat *statbuf); addToFunctionSummaryMap( "fstat", Signature(ArgTypes{IntTy, StructStatPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint(NotNull(ArgNo(1)))); // int stat(const char *restrict path, struct stat *restrict buf); addToFunctionSummaryMap( "stat", Signature(ArgTypes{ConstCharPtrRestrictTy, StructStatPtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int lstat(const char *restrict path, struct stat *restrict buf); addToFunctionSummaryMap( "lstat", Signature(ArgTypes{ConstCharPtrRestrictTy, StructStatPtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int fstatat(int fd, const char *restrict path, // struct stat *restrict buf, int flag); addToFunctionSummaryMap( "fstatat", Signature(ArgTypes{IntTy, ConstCharPtrRestrictTy, StructStatPtrRestrictTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(NotNull(ArgNo(2)))); // DIR *opendir(const char *name); addToFunctionSummaryMap( "opendir", Signature(ArgTypes{ConstCharPtrTy}, RetType{DirPtrTy}), Summary(NoEvalCall) .Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // DIR *fdopendir(int fd); addToFunctionSummaryMap( "fdopendir", Signature(ArgTypes{IntTy}, RetType{DirPtrTy}), Summary(NoEvalCall) .Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // int isatty(int fildes); addToFunctionSummaryMap( "isatty", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(WithinRange, Range(0, 1))}, ErrnoIrrelevant) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // int close(int fildes); addToFunctionSummaryMap( "close", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(-1, IntMax)))); // long fpathconf(int fildes, int name); addToFunctionSummaryMap("fpathconf", Signature(ArgTypes{IntTy, IntTy}, RetType{LongTy}), Summary(NoEvalCall) .ArgConstraint(ArgumentCondition( 0, WithinRange, Range(0, IntMax)))); // long pathconf(const char *path, int name); addToFunctionSummaryMap( "pathconf", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{LongTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // void rewinddir(DIR *dir); addToFunctionSummaryMap( "rewinddir", Signature(ArgTypes{DirPtrTy}, RetType{VoidTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // void seekdir(DIR *dirp, long loc); addToFunctionSummaryMap( "seekdir", Signature(ArgTypes{DirPtrTy, LongTy}, RetType{VoidTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // int rand_r(unsigned int *seedp); addToFunctionSummaryMap( "rand_r", Signature(ArgTypes{UnsignedIntPtrTy}, RetType{IntTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // void *mmap(void *addr, size_t length, int prot, int flags, int fd, // off_t offset); // FIXME: Improve for errno modeling. addToFunctionSummaryMap( "mmap", Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off_tTy}, RetType{VoidPtrTy}), Summary(NoEvalCall) .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax))) .ArgConstraint( ArgumentCondition(4, WithinRange, Range(-1, IntMax)))); std::optional Off64_tTy = lookupTy("off64_t"); // void *mmap64(void *addr, size_t length, int prot, int flags, int fd, // off64_t offset); // FIXME: Improve for errno modeling. addToFunctionSummaryMap( "mmap64", Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off64_tTy}, RetType{VoidPtrTy}), Summary(NoEvalCall) .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax))) .ArgConstraint( ArgumentCondition(4, WithinRange, Range(-1, IntMax)))); // int pipe(int fildes[2]); addToFunctionSummaryMap( "pipe", Signature(ArgTypes{IntPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // off_t lseek(int fildes, off_t offset, int whence); // In the first case we can not tell for sure if it failed or not. // A return value different from of the expected offset (that is unknown // here) may indicate failure. For this reason we do not enforce the errno // check (can cause false positive). addToFunctionSummaryMap( "lseek", Signature(ArgTypes{IntTy, Off_tTy, IntTy}, RetType{Off_tTy}), Summary(NoEvalCall) .Case(ReturnsNonnegative, ErrnoIrrelevant) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // ssize_t readlink(const char *restrict path, char *restrict buf, // size_t bufsize); addToFunctionSummaryMap( "readlink", Signature(ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy}, RetType{Ssize_tTy}), Summary(NoEvalCall) .Case({ArgumentCondition(2, WithinRange, Range(1, IntMax)), ReturnValueCondition(LessThanOrEq, ArgNo(2)), ReturnValueCondition(WithinRange, Range(1, Ssize_tMax))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ArgumentCondition(2, WithinRange, SingleValue(0)), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoMustNotBeChecked, "Assuming that argument 'bufsize' is 0") .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), /*BufSize=*/ArgNo(2))) .ArgConstraint( ArgumentCondition(2, WithinRange, Range(0, SizeMax)))); // ssize_t readlinkat(int fd, const char *restrict path, // char *restrict buf, size_t bufsize); addToFunctionSummaryMap( "readlinkat", Signature( ArgTypes{IntTy, ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy}, RetType{Ssize_tTy}), Summary(NoEvalCall) .Case({ArgumentCondition(3, WithinRange, Range(1, IntMax)), ReturnValueCondition(LessThanOrEq, ArgNo(3)), ReturnValueCondition(WithinRange, Range(1, Ssize_tMax))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ArgumentCondition(3, WithinRange, SingleValue(0)), ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoMustNotBeChecked, "Assuming that argument 'bufsize' is 0") .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(NotNull(ArgNo(2))) .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(2), /*BufSize=*/ArgNo(3))) .ArgConstraint( ArgumentCondition(3, WithinRange, Range(0, SizeMax)))); // int renameat(int olddirfd, const char *oldpath, int newdirfd, const char // *newpath); addToFunctionSummaryMap( "renameat", Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, ConstCharPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(ValidFileDescriptorOrAtFdcwd(ArgNo(2))) .ArgConstraint(NotNull(ArgNo(3)))); // char *realpath(const char *restrict file_name, // char *restrict resolved_name); // FIXME: If the argument 'resolved_name' is not NULL, macro 'PATH_MAX' // should be defined in "limits.h" to guarrantee a success. addToFunctionSummaryMap( "realpath", Signature(ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy}, RetType{CharPtrTy}), Summary(NoEvalCall) .Case({NotNull(Ret)}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); QualType CharPtrConstPtr = getPointerTy(getConstTy(CharPtrTy)); // int execv(const char *path, char *const argv[]); addToFunctionSummaryMap( "execv", Signature(ArgTypes{ConstCharPtrTy, CharPtrConstPtr}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant) .ArgConstraint(NotNull(ArgNo(0)))); // int execvp(const char *file, char *const argv[]); addToFunctionSummaryMap( "execvp", Signature(ArgTypes{ConstCharPtrTy, CharPtrConstPtr}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant) .ArgConstraint(NotNull(ArgNo(0)))); // int getopt(int argc, char * const argv[], const char *optstring); addToFunctionSummaryMap( "getopt", Signature(ArgTypes{IntTy, CharPtrConstPtr, ConstCharPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(WithinRange, Range(-1, UCharRangeMax))}, ErrnoIrrelevant) .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(NotNull(ArgNo(2)))); std::optional StructSockaddrTy = lookupTy("sockaddr"); std::optional StructSockaddrPtrTy = getPointerTy(StructSockaddrTy); std::optional ConstStructSockaddrPtrTy = getPointerTy(getConstTy(StructSockaddrTy)); std::optional StructSockaddrPtrRestrictTy = getRestrictTy(StructSockaddrPtrTy); std::optional ConstStructSockaddrPtrRestrictTy = getRestrictTy(ConstStructSockaddrPtrTy); std::optional Socklen_tTy = lookupTy("socklen_t"); std::optional Socklen_tPtrTy = getPointerTy(Socklen_tTy); std::optional Socklen_tPtrRestrictTy = getRestrictTy(Socklen_tPtrTy); std::optional Socklen_tMax = getMaxValue(Socklen_tTy); // In 'socket.h' of some libc implementations with C99, sockaddr parameter // is a transparent union of the underlying sockaddr_ family of pointers // instead of being a pointer to struct sockaddr. In these cases, the // standardized signature will not match, thus we try to match with another // signature that has the joker Irrelevant type. We also remove those // constraints which require pointer types for the sockaddr param. // int socket(int domain, int type, int protocol); addToFunctionSummaryMap( "socket", Signature(ArgTypes{IntTy, IntTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg)); auto Accept = Summary(NoEvalCall) .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))); if (!addToFunctionSummaryMap( "accept", // int accept(int socket, struct sockaddr *restrict address, // socklen_t *restrict address_len); Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy, Socklen_tPtrRestrictTy}, RetType{IntTy}), Accept)) addToFunctionSummaryMap( "accept", Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy}, RetType{IntTy}), Accept); // int bind(int socket, const struct sockaddr *address, socklen_t // address_len); if (!addToFunctionSummaryMap( "bind", Signature(ArgTypes{IntTy, ConstStructSockaddrPtrTy, Socklen_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint( BufferSize(/*Buffer=*/ArgNo(1), /*BufSize=*/ArgNo(2))) .ArgConstraint( ArgumentCondition(2, WithinRange, Range(0, Socklen_tMax))))) // Do not add constraints on sockaddr. addToFunctionSummaryMap( "bind", Signature(ArgTypes{IntTy, Irrelevant, Socklen_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint( ArgumentCondition(2, WithinRange, Range(0, Socklen_tMax)))); // int getpeername(int socket, struct sockaddr *restrict address, // socklen_t *restrict address_len); if (!addToFunctionSummaryMap( "getpeername", Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy, Socklen_tPtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(NotNull(ArgNo(2))))) addToFunctionSummaryMap( "getpeername", Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // int getsockname(int socket, struct sockaddr *restrict address, // socklen_t *restrict address_len); if (!addToFunctionSummaryMap( "getsockname", Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy, Socklen_tPtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(NotNull(ArgNo(2))))) addToFunctionSummaryMap( "getsockname", Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // int connect(int socket, const struct sockaddr *address, socklen_t // address_len); if (!addToFunctionSummaryMap( "connect", Signature(ArgTypes{IntTy, ConstStructSockaddrPtrTy, Socklen_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint(NotNull(ArgNo(1))))) addToFunctionSummaryMap( "connect", Signature(ArgTypes{IntTy, Irrelevant, Socklen_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); auto Recvfrom = Summary(NoEvalCall) .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), ReturnValueCondition(WithinRange, Range(1, Ssize_tMax))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ReturnValueCondition(WithinRange, SingleValue(0)), ArgumentCondition(2, WithinRange, SingleValue(0))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), /*BufSize=*/ArgNo(2))); if (!addToFunctionSummaryMap( "recvfrom", // ssize_t recvfrom(int socket, void *restrict buffer, // size_t length, // int flags, struct sockaddr *restrict address, // socklen_t *restrict address_len); Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy, StructSockaddrPtrRestrictTy, Socklen_tPtrRestrictTy}, RetType{Ssize_tTy}), Recvfrom)) addToFunctionSummaryMap( "recvfrom", Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy, Irrelevant, Socklen_tPtrRestrictTy}, RetType{Ssize_tTy}), Recvfrom); auto Sendto = Summary(NoEvalCall) .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), ReturnValueCondition(WithinRange, Range(1, Ssize_tMax))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ReturnValueCondition(WithinRange, SingleValue(0)), ArgumentCondition(2, WithinRange, SingleValue(0))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), /*BufSize=*/ArgNo(2))); if (!addToFunctionSummaryMap( "sendto", // ssize_t sendto(int socket, const void *message, size_t length, // int flags, const struct sockaddr *dest_addr, // socklen_t dest_len); Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy, ConstStructSockaddrPtrTy, Socklen_tTy}, RetType{Ssize_tTy}), Sendto)) addToFunctionSummaryMap( "sendto", Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy, Irrelevant, Socklen_tTy}, RetType{Ssize_tTy}), Sendto); // int listen(int sockfd, int backlog); addToFunctionSummaryMap( "listen", Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // ssize_t recv(int sockfd, void *buf, size_t len, int flags); addToFunctionSummaryMap( "recv", Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy, IntTy}, RetType{Ssize_tTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), ReturnValueCondition(WithinRange, Range(1, Ssize_tMax))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ReturnValueCondition(WithinRange, SingleValue(0)), ArgumentCondition(2, WithinRange, SingleValue(0))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), /*BufSize=*/ArgNo(2)))); std::optional StructMsghdrTy = lookupTy("msghdr"); std::optional StructMsghdrPtrTy = getPointerTy(StructMsghdrTy); std::optional ConstStructMsghdrPtrTy = getPointerTy(getConstTy(StructMsghdrTy)); // ssize_t recvmsg(int sockfd, struct msghdr *msg, int flags); addToFunctionSummaryMap( "recvmsg", Signature(ArgTypes{IntTy, StructMsghdrPtrTy, IntTy}, RetType{Ssize_tTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(WithinRange, Range(1, Ssize_tMax))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags); addToFunctionSummaryMap( "sendmsg", Signature(ArgTypes{IntTy, ConstStructMsghdrPtrTy, IntTy}, RetType{Ssize_tTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(WithinRange, Range(1, Ssize_tMax))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // int setsockopt(int socket, int level, int option_name, // const void *option_value, socklen_t option_len); addToFunctionSummaryMap( "setsockopt", Signature(ArgTypes{IntTy, IntTy, IntTy, ConstVoidPtrTy, Socklen_tTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(3))) .ArgConstraint( BufferSize(/*Buffer=*/ArgNo(3), /*BufSize=*/ArgNo(4))) .ArgConstraint( ArgumentCondition(4, WithinRange, Range(0, Socklen_tMax)))); // int getsockopt(int socket, int level, int option_name, // void *restrict option_value, // socklen_t *restrict option_len); addToFunctionSummaryMap( "getsockopt", Signature(ArgTypes{IntTy, IntTy, IntTy, VoidPtrRestrictTy, Socklen_tPtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(3))) .ArgConstraint(NotNull(ArgNo(4)))); // ssize_t send(int sockfd, const void *buf, size_t len, int flags); addToFunctionSummaryMap( "send", Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy}, RetType{Ssize_tTy}), Summary(NoEvalCall) .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)), ReturnValueCondition(WithinRange, Range(1, Ssize_tMax))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case({ReturnValueCondition(WithinRange, SingleValue(0)), ArgumentCondition(2, WithinRange, SingleValue(0))}, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax))) .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), /*BufSize=*/ArgNo(2)))); // int socketpair(int domain, int type, int protocol, int sv[2]); addToFunctionSummaryMap( "socketpair", Signature(ArgTypes{IntTy, IntTy, IntTy, IntPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(3)))); // int shutdown(int socket, int how); addToFunctionSummaryMap( "shutdown", Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // int getnameinfo(const struct sockaddr *restrict sa, socklen_t salen, // char *restrict node, socklen_t nodelen, // char *restrict service, // socklen_t servicelen, int flags); // // This is defined in netdb.h. And contrary to 'socket.h', the sockaddr // parameter is never handled as a transparent union in netdb.h addToFunctionSummaryMap( "getnameinfo", Signature(ArgTypes{ConstStructSockaddrPtrRestrictTy, Socklen_tTy, CharPtrRestrictTy, Socklen_tTy, CharPtrRestrictTy, Socklen_tTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .ArgConstraint( BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1))) .ArgConstraint( ArgumentCondition(1, WithinRange, Range(0, Socklen_tMax))) .ArgConstraint( BufferSize(/*Buffer=*/ArgNo(2), /*BufSize=*/ArgNo(3))) .ArgConstraint( ArgumentCondition(3, WithinRange, Range(0, Socklen_tMax))) .ArgConstraint( BufferSize(/*Buffer=*/ArgNo(4), /*BufSize=*/ArgNo(5))) .ArgConstraint( ArgumentCondition(5, WithinRange, Range(0, Socklen_tMax)))); std::optional StructUtimbufTy = lookupTy("utimbuf"); std::optional StructUtimbufPtrTy = getPointerTy(StructUtimbufTy); // int utime(const char *filename, struct utimbuf *buf); addToFunctionSummaryMap( "utime", Signature(ArgTypes{ConstCharPtrTy, StructUtimbufPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); std::optional StructTimespecTy = lookupTy("timespec"); std::optional StructTimespecPtrTy = getPointerTy(StructTimespecTy); std::optional ConstStructTimespecPtrTy = getPointerTy(getConstTy(StructTimespecTy)); // int futimens(int fd, const struct timespec times[2]); addToFunctionSummaryMap( "futimens", Signature(ArgTypes{IntTy, ConstStructTimespecPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint( ArgumentCondition(0, WithinRange, Range(0, IntMax)))); // int utimensat(int dirfd, const char *pathname, // const struct timespec times[2], int flags); addToFunctionSummaryMap( "utimensat", Signature( ArgTypes{IntTy, ConstCharPtrTy, ConstStructTimespecPtrTy, IntTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(1)))); std::optional StructTimevalTy = lookupTy("timeval"); std::optional ConstStructTimevalPtrTy = getPointerTy(getConstTy(StructTimevalTy)); // int utimes(const char *filename, const struct timeval times[2]); addToFunctionSummaryMap( "utimes", Signature(ArgTypes{ConstCharPtrTy, ConstStructTimevalPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); // int nanosleep(const struct timespec *rqtp, struct timespec *rmtp); addToFunctionSummaryMap( "nanosleep", Signature(ArgTypes{ConstStructTimespecPtrTy, StructTimespecPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(0)))); std::optional Time_tTy = lookupTy("time_t"); std::optional ConstTime_tPtrTy = getPointerTy(getConstTy(Time_tTy)); std::optional ConstTime_tPtrRestrictTy = getRestrictTy(ConstTime_tPtrTy); std::optional StructTmTy = lookupTy("tm"); std::optional StructTmPtrTy = getPointerTy(StructTmTy); std::optional StructTmPtrRestrictTy = getRestrictTy(StructTmPtrTy); std::optional ConstStructTmPtrTy = getPointerTy(getConstTy(StructTmTy)); std::optional ConstStructTmPtrRestrictTy = getRestrictTy(ConstStructTmPtrTy); // struct tm * localtime(const time_t *tp); addToFunctionSummaryMap( "localtime", Signature(ArgTypes{ConstTime_tPtrTy}, RetType{StructTmPtrTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // struct tm *localtime_r(const time_t *restrict timer, // struct tm *restrict result); addToFunctionSummaryMap( "localtime_r", Signature(ArgTypes{ConstTime_tPtrRestrictTy, StructTmPtrRestrictTy}, RetType{StructTmPtrTy}), Summary(NoEvalCall) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // char *asctime_r(const struct tm *restrict tm, char *restrict buf); addToFunctionSummaryMap( "asctime_r", Signature(ArgTypes{ConstStructTmPtrRestrictTy, CharPtrRestrictTy}, RetType{CharPtrTy}), Summary(NoEvalCall) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1), /*MinBufSize=*/BVF.getValue(26, IntTy)))); // char *ctime_r(const time_t *timep, char *buf); addToFunctionSummaryMap( "ctime_r", Signature(ArgTypes{ConstTime_tPtrTy, CharPtrTy}, RetType{CharPtrTy}), Summary(NoEvalCall) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1))) .ArgConstraint(BufferSize( /*Buffer=*/ArgNo(1), /*MinBufSize=*/BVF.getValue(26, IntTy)))); // struct tm *gmtime_r(const time_t *restrict timer, // struct tm *restrict result); addToFunctionSummaryMap( "gmtime_r", Signature(ArgTypes{ConstTime_tPtrRestrictTy, StructTmPtrRestrictTy}, RetType{StructTmPtrTy}), Summary(NoEvalCall) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // struct tm * gmtime(const time_t *tp); addToFunctionSummaryMap( "gmtime", Signature(ArgTypes{ConstTime_tPtrTy}, RetType{StructTmPtrTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); std::optional Clockid_tTy = lookupTy("clockid_t"); // int clock_gettime(clockid_t clock_id, struct timespec *tp); addToFunctionSummaryMap( "clock_gettime", Signature(ArgTypes{Clockid_tTy, StructTimespecPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(1)))); std::optional StructItimervalTy = lookupTy("itimerval"); std::optional StructItimervalPtrTy = getPointerTy(StructItimervalTy); // int getitimer(int which, struct itimerval *curr_value); addToFunctionSummaryMap( "getitimer", Signature(ArgTypes{IntTy, StructItimervalPtrTy}, RetType{IntTy}), Summary(NoEvalCall) .Case(ReturnsZero, ErrnoMustNotBeChecked, GenericSuccessMsg) .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant, GenericFailureMsg) .ArgConstraint(NotNull(ArgNo(1)))); std::optional Pthread_cond_tTy = lookupTy("pthread_cond_t"); std::optional Pthread_cond_tPtrTy = getPointerTy(Pthread_cond_tTy); std::optional Pthread_tTy = lookupTy("pthread_t"); std::optional Pthread_tPtrTy = getPointerTy(Pthread_tTy); std::optional Pthread_tPtrRestrictTy = getRestrictTy(Pthread_tPtrTy); std::optional Pthread_mutex_tTy = lookupTy("pthread_mutex_t"); std::optional Pthread_mutex_tPtrTy = getPointerTy(Pthread_mutex_tTy); std::optional Pthread_mutex_tPtrRestrictTy = getRestrictTy(Pthread_mutex_tPtrTy); std::optional Pthread_attr_tTy = lookupTy("pthread_attr_t"); std::optional Pthread_attr_tPtrTy = getPointerTy(Pthread_attr_tTy); std::optional ConstPthread_attr_tPtrTy = getPointerTy(getConstTy(Pthread_attr_tTy)); std::optional ConstPthread_attr_tPtrRestrictTy = getRestrictTy(ConstPthread_attr_tPtrTy); std::optional Pthread_mutexattr_tTy = lookupTy("pthread_mutexattr_t"); std::optional ConstPthread_mutexattr_tPtrTy = getPointerTy(getConstTy(Pthread_mutexattr_tTy)); std::optional ConstPthread_mutexattr_tPtrRestrictTy = getRestrictTy(ConstPthread_mutexattr_tPtrTy); QualType PthreadStartRoutineTy = getPointerTy( ACtx.getFunctionType(/*ResultTy=*/VoidPtrTy, /*Args=*/VoidPtrTy, FunctionProtoType::ExtProtoInfo())); // int pthread_cond_signal(pthread_cond_t *cond); // int pthread_cond_broadcast(pthread_cond_t *cond); addToFunctionSummaryMap( {"pthread_cond_signal", "pthread_cond_broadcast"}, Signature(ArgTypes{Pthread_cond_tPtrTy}, RetType{IntTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // int pthread_create(pthread_t *restrict thread, // const pthread_attr_t *restrict attr, // void *(*start_routine)(void*), void *restrict arg); addToFunctionSummaryMap( "pthread_create", Signature(ArgTypes{Pthread_tPtrRestrictTy, ConstPthread_attr_tPtrRestrictTy, PthreadStartRoutineTy, VoidPtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(2)))); // int pthread_attr_destroy(pthread_attr_t *attr); // int pthread_attr_init(pthread_attr_t *attr); addToFunctionSummaryMap( {"pthread_attr_destroy", "pthread_attr_init"}, Signature(ArgTypes{Pthread_attr_tPtrTy}, RetType{IntTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // int pthread_attr_getstacksize(const pthread_attr_t *restrict attr, // size_t *restrict stacksize); // int pthread_attr_getguardsize(const pthread_attr_t *restrict attr, // size_t *restrict guardsize); addToFunctionSummaryMap( {"pthread_attr_getstacksize", "pthread_attr_getguardsize"}, Signature(ArgTypes{ConstPthread_attr_tPtrRestrictTy, SizePtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); // int pthread_attr_setstacksize(pthread_attr_t *attr, size_t stacksize); // int pthread_attr_setguardsize(pthread_attr_t *attr, size_t guardsize); addToFunctionSummaryMap( {"pthread_attr_setstacksize", "pthread_attr_setguardsize"}, Signature(ArgTypes{Pthread_attr_tPtrTy, SizeTy}, RetType{IntTy}), Summary(NoEvalCall) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint( ArgumentCondition(1, WithinRange, Range(0, SizeMax)))); // int pthread_mutex_init(pthread_mutex_t *restrict mutex, const // pthread_mutexattr_t *restrict attr); addToFunctionSummaryMap( "pthread_mutex_init", Signature(ArgTypes{Pthread_mutex_tPtrRestrictTy, ConstPthread_mutexattr_tPtrRestrictTy}, RetType{IntTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); // int pthread_mutex_destroy(pthread_mutex_t *mutex); // int pthread_mutex_lock(pthread_mutex_t *mutex); // int pthread_mutex_trylock(pthread_mutex_t *mutex); // int pthread_mutex_unlock(pthread_mutex_t *mutex); addToFunctionSummaryMap( {"pthread_mutex_destroy", "pthread_mutex_lock", "pthread_mutex_trylock", "pthread_mutex_unlock"}, Signature(ArgTypes{Pthread_mutex_tPtrTy}, RetType{IntTy}), Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0)))); } // Functions for testing. if (AddTestFunctions) { const RangeInt IntMin = BVF.getMinValue(IntTy).getLimitedValue(); addToFunctionSummaryMap( "__not_null", Signature(ArgTypes{IntPtrTy}, RetType{IntTy}), Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0)))); addToFunctionSummaryMap( "__not_null_buffer", Signature(ArgTypes{VoidPtrTy, IntTy, IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(NotNullBuffer(ArgNo(0), ArgNo(1), ArgNo(2)))); // Test inside range constraints. addToFunctionSummaryMap( "__single_val_0", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(0)))); addToFunctionSummaryMap( "__single_val_1", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))); addToFunctionSummaryMap( "__range_1_2", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(1, 2)))); addToFunctionSummaryMap( "__range_m1_1", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(-1, 1)))); addToFunctionSummaryMap( "__range_m2_m1", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(-2, -1)))); addToFunctionSummaryMap( "__range_m10_10", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(-10, 10)))); addToFunctionSummaryMap("__range_m1_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, WithinRange, Range(-1, IntMax)))); addToFunctionSummaryMap("__range_0_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, WithinRange, Range(0, IntMax)))); addToFunctionSummaryMap("__range_1_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, WithinRange, Range(1, IntMax)))); addToFunctionSummaryMap("__range_minf_m1", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, WithinRange, Range(IntMin, -1)))); addToFunctionSummaryMap("__range_minf_0", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, WithinRange, Range(IntMin, 0)))); addToFunctionSummaryMap("__range_minf_1", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, WithinRange, Range(IntMin, 1)))); addToFunctionSummaryMap("__range_1_2__4_6", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, WithinRange, Range({1, 2}, {4, 6})))); addToFunctionSummaryMap( "__range_1_2__4_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, Range({1, 2}, {4, IntMax})))); // Test out of range constraints. addToFunctionSummaryMap( "__single_val_out_0", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(0)))); addToFunctionSummaryMap( "__single_val_out_1", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1)))); addToFunctionSummaryMap( "__range_out_1_2", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(1, 2)))); addToFunctionSummaryMap( "__range_out_m1_1", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(-1, 1)))); addToFunctionSummaryMap( "__range_out_m2_m1", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(-2, -1)))); addToFunctionSummaryMap( "__range_out_m10_10", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, OutOfRange, Range(-10, 10)))); addToFunctionSummaryMap("__range_out_m1_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, OutOfRange, Range(-1, IntMax)))); addToFunctionSummaryMap("__range_out_0_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, OutOfRange, Range(0, IntMax)))); addToFunctionSummaryMap("__range_out_1_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, OutOfRange, Range(1, IntMax)))); addToFunctionSummaryMap("__range_out_minf_m1", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, OutOfRange, Range(IntMin, -1)))); addToFunctionSummaryMap("__range_out_minf_0", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, OutOfRange, Range(IntMin, 0)))); addToFunctionSummaryMap("__range_out_minf_1", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, OutOfRange, Range(IntMin, 1)))); addToFunctionSummaryMap("__range_out_1_2__4_6", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition( 0U, OutOfRange, Range({1, 2}, {4, 6})))); addToFunctionSummaryMap( "__range_out_1_2__4_inf", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint( ArgumentCondition(0U, OutOfRange, Range({1, 2}, {4, IntMax})))); // Test range kind. addToFunctionSummaryMap( "__within", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))); addToFunctionSummaryMap( "__out_of", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1)))); addToFunctionSummaryMap( "__two_constrained_args", Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1))) .ArgConstraint(ArgumentCondition(1U, WithinRange, SingleValue(1)))); addToFunctionSummaryMap( "__arg_constrained_twice", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1))) .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(2)))); addToFunctionSummaryMap( "__defaultparam", Signature(ArgTypes{Irrelevant, IntTy}, RetType{IntTy}), Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0)))); addToFunctionSummaryMap( "__variadic", Signature(ArgTypes{VoidPtrTy, ConstCharPtrTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(NotNull(ArgNo(0))) .ArgConstraint(NotNull(ArgNo(1)))); addToFunctionSummaryMap( "__buf_size_arg_constraint", Signature(ArgTypes{ConstVoidPtrTy, SizeTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint( BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1)))); addToFunctionSummaryMap( "__buf_size_arg_constraint_mul", Signature(ArgTypes{ConstVoidPtrTy, SizeTy, SizeTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1), /*BufSizeMultiplier=*/ArgNo(2)))); addToFunctionSummaryMap( "__buf_size_arg_constraint_concrete", Signature(ArgTypes{ConstVoidPtrTy}, RetType{IntTy}), Summary(EvalCallAsPure) .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/BVF.getValue(10, IntTy)))); addToFunctionSummaryMap( {"__test_restrict_param_0", "__test_restrict_param_1", "__test_restrict_param_2"}, Signature(ArgTypes{VoidPtrRestrictTy}, RetType{VoidTy}), Summary(EvalCallAsPure)); // Test the application of cases. addToFunctionSummaryMap( "__test_case_note", Signature(ArgTypes{}, RetType{IntTy}), Summary(EvalCallAsPure) .Case({ReturnValueCondition(WithinRange, SingleValue(0))}, ErrnoIrrelevant, "Function returns 0") .Case({ReturnValueCondition(WithinRange, SingleValue(1))}, ErrnoIrrelevant, "Function returns 1")); addToFunctionSummaryMap( "__test_case_range_1_2__4_6", Signature(ArgTypes{IntTy}, RetType{IntTy}), Summary(EvalCallAsPure) .Case({ArgumentCondition(0U, WithinRange, IntRangeVector{{IntMin, 0}, {3, 3}}), ReturnValueCondition(WithinRange, SingleValue(1))}, ErrnoIrrelevant) .Case({ArgumentCondition(0U, WithinRange, IntRangeVector{{3, 3}, {7, IntMax}}), ReturnValueCondition(WithinRange, SingleValue(2))}, ErrnoIrrelevant) .Case({ArgumentCondition(0U, WithinRange, IntRangeVector{{IntMin, 0}, {7, IntMax}}), ReturnValueCondition(WithinRange, SingleValue(3))}, ErrnoIrrelevant) .Case({ArgumentCondition( 0U, WithinRange, IntRangeVector{{IntMin, 0}, {3, 3}, {7, IntMax}}), ReturnValueCondition(WithinRange, SingleValue(4))}, ErrnoIrrelevant)); } } void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) { auto *Checker = mgr.registerChecker(); Checker->CheckName = mgr.getCurrentCheckerName(); const AnalyzerOptions &Opts = mgr.getAnalyzerOptions(); Checker->DisplayLoadedSummaries = Opts.getCheckerBooleanOption(Checker, "DisplayLoadedSummaries"); Checker->ModelPOSIX = Opts.getCheckerBooleanOption(Checker, "ModelPOSIX"); Checker->ShouldAssumeControlledEnvironment = Opts.ShouldAssumeControlledEnvironment; } bool ento::shouldRegisterStdCLibraryFunctionsChecker( const CheckerManager &mgr) { return true; } void ento::registerStdCLibraryFunctionsTesterChecker(CheckerManager &mgr) { auto *Checker = mgr.getChecker(); Checker->AddTestFunctions = true; } bool ento::shouldRegisterStdCLibraryFunctionsTesterChecker( const CheckerManager &mgr) { return true; }