1 //=== StdLibraryFunctionsChecker.cpp - Model standard functions -*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This checker improves modeling of a few simple library functions.
10 //
11 // This checker provides a specification format - `Summary' - and
12 // contains descriptions of some library functions in this format. Each
13 // specification contains a list of branches for splitting the program state
14 // upon call, and range constraints on argument and return-value symbols that
15 // are satisfied on each branch. This spec can be expanded to include more
16 // items, like external effects of the function.
17 //
18 // The main difference between this approach and the body farms technique is
19 // in more explicit control over how many branches are produced. For example,
20 // consider standard C function `ispunct(int x)', which returns a non-zero value
21 // iff `x' is a punctuation character, that is, when `x' is in range
22 // ['!', '/'] [':', '@'] U ['[', '\`'] U ['{', '~'].
23 // `Summary' provides only two branches for this function. However,
24 // any attempt to describe this range with if-statements in the body farm
25 // would result in many more branches. Because each branch needs to be analyzed
26 // independently, this significantly reduces performance. Additionally,
27 // once we consider a branch on which `x' is in range, say, ['!', '/'],
28 // we assume that such branch is an important separate path through the program,
29 // which may lead to false positives because considering this particular path
30 // was not consciously intended, and therefore it might have been unreachable.
31 //
32 // This checker uses eval::Call for modeling pure functions (functions without
33 // side effets), for which their `Summary' is a precise model. This avoids
34 // unnecessary invalidation passes. Conflicts with other checkers are unlikely
35 // because if the function has no other effects, other checkers would probably
36 // never want to improve upon the modeling done by this checker.
37 //
38 // Non-pure functions, for which only partial improvement over the default
39 // behavior is expected, are modeled via check::PostCall, non-intrusively.
40 //
41 //===----------------------------------------------------------------------===//
42
43 #include "ErrnoModeling.h"
44 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
45 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
46 #include "clang/StaticAnalyzer/Core/Checker.h"
47 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
48 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
49 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
50 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
51 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
52 #include "llvm/ADT/SmallString.h"
53 #include "llvm/ADT/StringExtras.h"
54
55 #include <optional>
56 #include <string>
57
58 using namespace clang;
59 using namespace clang::ento;
60
61 namespace {
62 class StdLibraryFunctionsChecker
63 : public Checker<check::PreCall, check::PostCall, eval::Call> {
64
65 class Summary;
66
67 /// Specify how much the analyzer engine should entrust modeling this function
68 /// to us. If he doesn't, he performs additional invalidations.
69 enum InvalidationKind { NoEvalCall, EvalCallAsPure };
70
71 // The universal integral type to use in value range descriptions.
72 // Unsigned to make sure overflows are well-defined.
73 typedef uint64_t RangeInt;
74
75 /// Normally, describes a single range constraint, eg. {{0, 1}, {3, 4}} is
76 /// a non-negative integer, which less than 5 and not equal to 2. For
77 /// `ComparesToArgument', holds information about how exactly to compare to
78 /// the argument.
79 typedef std::vector<std::pair<RangeInt, RangeInt>> IntRangeVector;
80
81 /// A reference to an argument or return value by its number.
82 /// ArgNo in CallExpr and CallEvent is defined as Unsigned, but
83 /// obviously uint32_t should be enough for all practical purposes.
84 typedef uint32_t ArgNo;
85 static const ArgNo Ret;
86
87 /// Returns the string representation of an argument index.
88 /// E.g.: (1) -> '1st arg', (2) - > '2nd arg'
89 static SmallString<8> getArgDesc(ArgNo);
90
91 class ValueConstraint;
92
93 // Pointer to the ValueConstraint. We need a copyable, polymorphic and
94 // default initialize able type (vector needs that). A raw pointer was good,
95 // however, we cannot default initialize that. unique_ptr makes the Summary
96 // class non-copyable, therefore not an option. Releasing the copyability
97 // requirement would render the initialization of the Summary map infeasible.
98 using ValueConstraintPtr = std::shared_ptr<ValueConstraint>;
99
100 /// Polymorphic base class that represents a constraint on a given argument
101 /// (or return value) of a function. Derived classes implement different kind
102 /// of constraints, e.g range constraints or correlation between two
103 /// arguments.
104 class ValueConstraint {
105 public:
ValueConstraint(ArgNo ArgN)106 ValueConstraint(ArgNo ArgN) : ArgN(ArgN) {}
~ValueConstraint()107 virtual ~ValueConstraint() {}
108 /// Apply the effects of the constraint on the given program state. If null
109 /// is returned then the constraint is not feasible.
110 virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
111 const Summary &Summary,
112 CheckerContext &C) const = 0;
negate() const113 virtual ValueConstraintPtr negate() const {
114 llvm_unreachable("Not implemented");
115 };
116
117 // Check whether the constraint is malformed or not. It is malformed if the
118 // specified argument has a mismatch with the given FunctionDecl (e.g. the
119 // arg number is out-of-range of the function's argument list).
checkValidity(const FunctionDecl * FD) const120 bool checkValidity(const FunctionDecl *FD) const {
121 const bool ValidArg = ArgN == Ret || ArgN < FD->getNumParams();
122 assert(ValidArg && "Arg out of range!");
123 if (!ValidArg)
124 return false;
125 // Subclasses may further refine the validation.
126 return checkSpecificValidity(FD);
127 }
getArgNo() const128 ArgNo getArgNo() const { return ArgN; }
129
130 // Return those arguments that should be tracked when we report a bug. By
131 // default it is the argument that is constrained, however, in some special
132 // cases we need to track other arguments as well. E.g. a buffer size might
133 // be encoded in another argument.
getArgsToTrack() const134 virtual std::vector<ArgNo> getArgsToTrack() const { return {ArgN}; }
135
136 virtual StringRef getName() const = 0;
137
138 // Represents that in which context do we require a description of the
139 // constraint.
140 enum class DescriptionKind {
141 // The constraint is violated.
142 Violation,
143 // We assume that the constraint is satisfied.
144 Assumption
145 };
146
147 // Give a description that explains the constraint to the user. Used when
148 // the bug is reported.
describe(DescriptionKind DK,ProgramStateRef State,const Summary & Summary) const149 virtual std::string describe(DescriptionKind DK, ProgramStateRef State,
150 const Summary &Summary) const {
151 // There are some descendant classes that are not used as argument
152 // constraints, e.g. ComparisonConstraint. In that case we can safely
153 // ignore the implementation of this function.
154 llvm_unreachable("Not implemented");
155 }
156
157 protected:
158 ArgNo ArgN; // Argument to which we apply the constraint.
159
160 /// Do polymorphic validation check on the constraint.
checkSpecificValidity(const FunctionDecl * FD) const161 virtual bool checkSpecificValidity(const FunctionDecl *FD) const {
162 return true;
163 }
164 };
165
166 /// Given a range, should the argument stay inside or outside this range?
167 enum RangeKind { OutOfRange, WithinRange };
168
169 /// Encapsulates a range on a single symbol.
170 class RangeConstraint : public ValueConstraint {
171 RangeKind Kind;
172 // A range is formed as a set of intervals (sub-ranges).
173 // E.g. {['A', 'Z'], ['a', 'z']}
174 //
175 // The default constructed RangeConstraint has an empty range set, applying
176 // such constraint does not involve any assumptions, thus the State remains
177 // unchanged. This is meaningful, if the range is dependent on a looked up
178 // type (e.g. [0, Socklen_tMax]). If the type is not found, then the range
179 // is default initialized to be empty.
180 IntRangeVector Ranges;
181
182 public:
getName() const183 StringRef getName() const override { return "Range"; }
RangeConstraint(ArgNo ArgN,RangeKind Kind,const IntRangeVector & Ranges)184 RangeConstraint(ArgNo ArgN, RangeKind Kind, const IntRangeVector &Ranges)
185 : ValueConstraint(ArgN), Kind(Kind), Ranges(Ranges) {}
186
187 std::string describe(DescriptionKind DK, ProgramStateRef State,
188 const Summary &Summary) const override;
189
getRanges() const190 const IntRangeVector &getRanges() const { return Ranges; }
191
192 private:
193 ProgramStateRef applyAsOutOfRange(ProgramStateRef State,
194 const CallEvent &Call,
195 const Summary &Summary) const;
196 ProgramStateRef applyAsWithinRange(ProgramStateRef State,
197 const CallEvent &Call,
198 const Summary &Summary) const;
199
200 public:
apply(ProgramStateRef State,const CallEvent & Call,const Summary & Summary,CheckerContext & C) const201 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
202 const Summary &Summary,
203 CheckerContext &C) const override {
204 switch (Kind) {
205 case OutOfRange:
206 return applyAsOutOfRange(State, Call, Summary);
207 case WithinRange:
208 return applyAsWithinRange(State, Call, Summary);
209 }
210 llvm_unreachable("Unknown range kind!");
211 }
212
negate() const213 ValueConstraintPtr negate() const override {
214 RangeConstraint Tmp(*this);
215 switch (Kind) {
216 case OutOfRange:
217 Tmp.Kind = WithinRange;
218 break;
219 case WithinRange:
220 Tmp.Kind = OutOfRange;
221 break;
222 }
223 return std::make_shared<RangeConstraint>(Tmp);
224 }
225
checkSpecificValidity(const FunctionDecl * FD) const226 bool checkSpecificValidity(const FunctionDecl *FD) const override {
227 const bool ValidArg =
228 getArgType(FD, ArgN)->isIntegralType(FD->getASTContext());
229 assert(ValidArg &&
230 "This constraint should be applied on an integral type");
231 return ValidArg;
232 }
233 };
234
235 class ComparisonConstraint : public ValueConstraint {
236 BinaryOperator::Opcode Opcode;
237 ArgNo OtherArgN;
238
239 public:
getName() const240 StringRef getName() const override { return "Comparison"; };
ComparisonConstraint(ArgNo ArgN,BinaryOperator::Opcode Opcode,ArgNo OtherArgN)241 ComparisonConstraint(ArgNo ArgN, BinaryOperator::Opcode Opcode,
242 ArgNo OtherArgN)
243 : ValueConstraint(ArgN), Opcode(Opcode), OtherArgN(OtherArgN) {}
getOtherArgNo() const244 ArgNo getOtherArgNo() const { return OtherArgN; }
getOpcode() const245 BinaryOperator::Opcode getOpcode() const { return Opcode; }
246 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
247 const Summary &Summary,
248 CheckerContext &C) const override;
249 };
250
251 class NotNullConstraint : public ValueConstraint {
252 using ValueConstraint::ValueConstraint;
253 // This variable has a role when we negate the constraint.
254 bool CannotBeNull = true;
255
256 public:
NotNullConstraint(ArgNo ArgN,bool CannotBeNull=true)257 NotNullConstraint(ArgNo ArgN, bool CannotBeNull = true)
258 : ValueConstraint(ArgN), CannotBeNull(CannotBeNull) {}
259 std::string describe(DescriptionKind DK, ProgramStateRef State,
260 const Summary &Summary) const override;
getName() const261 StringRef getName() const override { return "NonNull"; }
apply(ProgramStateRef State,const CallEvent & Call,const Summary & Summary,CheckerContext & C) const262 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
263 const Summary &Summary,
264 CheckerContext &C) const override {
265 SVal V = getArgSVal(Call, getArgNo());
266 if (V.isUndef())
267 return State;
268
269 DefinedOrUnknownSVal L = V.castAs<DefinedOrUnknownSVal>();
270 if (!isa<Loc>(L))
271 return State;
272
273 return State->assume(L, CannotBeNull);
274 }
275
negate() const276 ValueConstraintPtr negate() const override {
277 NotNullConstraint Tmp(*this);
278 Tmp.CannotBeNull = !this->CannotBeNull;
279 return std::make_shared<NotNullConstraint>(Tmp);
280 }
281
checkSpecificValidity(const FunctionDecl * FD) const282 bool checkSpecificValidity(const FunctionDecl *FD) const override {
283 const bool ValidArg = getArgType(FD, ArgN)->isPointerType();
284 assert(ValidArg &&
285 "This constraint should be applied only on a pointer type");
286 return ValidArg;
287 }
288 };
289
290 // Represents a buffer argument with an additional size constraint. The
291 // constraint may be a concrete value, or a symbolic value in an argument.
292 // Example 1. Concrete value as the minimum buffer size.
293 // char *asctime_r(const struct tm *restrict tm, char *restrict buf);
294 // // `buf` size must be at least 26 bytes according the POSIX standard.
295 // Example 2. Argument as a buffer size.
296 // ctime_s(char *buffer, rsize_t bufsz, const time_t *time);
297 // Example 3. The size is computed as a multiplication of other args.
298 // size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
299 // // Here, ptr is the buffer, and its minimum size is `size * nmemb`.
300 class BufferSizeConstraint : public ValueConstraint {
301 // The concrete value which is the minimum size for the buffer.
302 std::optional<llvm::APSInt> ConcreteSize;
303 // The argument which holds the size of the buffer.
304 std::optional<ArgNo> SizeArgN;
305 // The argument which is a multiplier to size. This is set in case of
306 // `fread` like functions where the size is computed as a multiplication of
307 // two arguments.
308 std::optional<ArgNo> SizeMultiplierArgN;
309 // The operator we use in apply. This is negated in negate().
310 BinaryOperator::Opcode Op = BO_LE;
311
312 public:
getName() const313 StringRef getName() const override { return "BufferSize"; }
BufferSizeConstraint(ArgNo Buffer,llvm::APSInt BufMinSize)314 BufferSizeConstraint(ArgNo Buffer, llvm::APSInt BufMinSize)
315 : ValueConstraint(Buffer), ConcreteSize(BufMinSize) {}
BufferSizeConstraint(ArgNo Buffer,ArgNo BufSize)316 BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize)
317 : ValueConstraint(Buffer), SizeArgN(BufSize) {}
BufferSizeConstraint(ArgNo Buffer,ArgNo BufSize,ArgNo BufSizeMultiplier)318 BufferSizeConstraint(ArgNo Buffer, ArgNo BufSize, ArgNo BufSizeMultiplier)
319 : ValueConstraint(Buffer), SizeArgN(BufSize),
320 SizeMultiplierArgN(BufSizeMultiplier) {}
321
getArgsToTrack() const322 std::vector<ArgNo> getArgsToTrack() const override {
323 std::vector<ArgNo> Result{ArgN};
324 if (SizeArgN)
325 Result.push_back(*SizeArgN);
326 if (SizeMultiplierArgN)
327 Result.push_back(*SizeMultiplierArgN);
328 return Result;
329 }
330
331 std::string describe(DescriptionKind DK, ProgramStateRef State,
332 const Summary &Summary) const override;
333
apply(ProgramStateRef State,const CallEvent & Call,const Summary & Summary,CheckerContext & C) const334 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
335 const Summary &Summary,
336 CheckerContext &C) const override {
337 SValBuilder &SvalBuilder = C.getSValBuilder();
338 // The buffer argument.
339 SVal BufV = getArgSVal(Call, getArgNo());
340
341 // Get the size constraint.
342 const SVal SizeV = [this, &State, &Call, &Summary, &SvalBuilder]() {
343 if (ConcreteSize) {
344 return SVal(SvalBuilder.makeIntVal(*ConcreteSize));
345 }
346 assert(SizeArgN && "The constraint must be either a concrete value or "
347 "encoded in an argument.");
348 // The size argument.
349 SVal SizeV = getArgSVal(Call, *SizeArgN);
350 // Multiply with another argument if given.
351 if (SizeMultiplierArgN) {
352 SVal SizeMulV = getArgSVal(Call, *SizeMultiplierArgN);
353 SizeV = SvalBuilder.evalBinOp(State, BO_Mul, SizeV, SizeMulV,
354 Summary.getArgType(*SizeArgN));
355 }
356 return SizeV;
357 }();
358
359 // The dynamic size of the buffer argument, got from the analyzer engine.
360 SVal BufDynSize = getDynamicExtentWithOffset(State, BufV);
361
362 SVal Feasible = SvalBuilder.evalBinOp(State, Op, SizeV, BufDynSize,
363 SvalBuilder.getContext().BoolTy);
364 if (auto F = Feasible.getAs<DefinedOrUnknownSVal>())
365 return State->assume(*F, true);
366
367 // We can get here only if the size argument or the dynamic size is
368 // undefined. But the dynamic size should never be undefined, only
369 // unknown. So, here, the size of the argument is undefined, i.e. we
370 // cannot apply the constraint. Actually, other checkers like
371 // CallAndMessage should catch this situation earlier, because we call a
372 // function with an uninitialized argument.
373 llvm_unreachable("Size argument or the dynamic size is Undefined");
374 }
375
negate() const376 ValueConstraintPtr negate() const override {
377 BufferSizeConstraint Tmp(*this);
378 Tmp.Op = BinaryOperator::negateComparisonOp(Op);
379 return std::make_shared<BufferSizeConstraint>(Tmp);
380 }
381
checkSpecificValidity(const FunctionDecl * FD) const382 bool checkSpecificValidity(const FunctionDecl *FD) const override {
383 const bool ValidArg = getArgType(FD, ArgN)->isPointerType();
384 assert(ValidArg &&
385 "This constraint should be applied only on a pointer type");
386 return ValidArg;
387 }
388 };
389
390 /// The complete list of constraints that defines a single branch.
391 using ConstraintSet = std::vector<ValueConstraintPtr>;
392
393 /// Define how a function affects the system variable 'errno'.
394 /// This works together with the \c ErrnoModeling and \c ErrnoChecker classes.
395 /// Currently 3 use cases exist: success, failure, irrelevant.
396 /// In the future the failure case can be customized to set \c errno to a
397 /// more specific constraint (for example > 0), or new case can be added
398 /// for functions which require check of \c errno in both success and failure
399 /// case.
400 class ErrnoConstraintBase {
401 public:
402 /// Apply specific state changes related to the errno variable.
403 virtual ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
404 const Summary &Summary,
405 CheckerContext &C) const = 0;
406 /// Get a NoteTag about the changes made to 'errno' and the possible bug.
407 /// It may return \c nullptr (if no bug report from \c ErrnoChecker is
408 /// expected).
describe(CheckerContext & C,StringRef FunctionName) const409 virtual const NoteTag *describe(CheckerContext &C,
410 StringRef FunctionName) const {
411 return nullptr;
412 }
413
~ErrnoConstraintBase()414 virtual ~ErrnoConstraintBase() {}
415
416 protected:
417 ErrnoConstraintBase() = default;
418
419 /// This is used for conjure symbol for errno to differentiate from the
420 /// original call expression (same expression is used for the errno symbol).
421 static int Tag;
422 };
423
424 /// Reset errno constraints to irrelevant.
425 /// This is applicable to functions that may change 'errno' and are not
426 /// modeled elsewhere.
427 class ResetErrnoConstraint : public ErrnoConstraintBase {
428 public:
apply(ProgramStateRef State,const CallEvent & Call,const Summary & Summary,CheckerContext & C) const429 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
430 const Summary &Summary,
431 CheckerContext &C) const override {
432 return errno_modeling::setErrnoState(State, errno_modeling::Irrelevant);
433 }
434 };
435
436 /// Do not change errno constraints.
437 /// This is applicable to functions that are modeled in another checker
438 /// and the already set errno constraints should not be changed in the
439 /// post-call event.
440 class NoErrnoConstraint : public ErrnoConstraintBase {
441 public:
apply(ProgramStateRef State,const CallEvent & Call,const Summary & Summary,CheckerContext & C) const442 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
443 const Summary &Summary,
444 CheckerContext &C) const override {
445 return State;
446 }
447 };
448
449 /// Set errno constraint at failure cases of standard functions.
450 /// Failure case: 'errno' becomes not equal to 0 and may or may not be checked
451 /// by the program. \c ErrnoChecker does not emit a bug report after such a
452 /// function call.
453 class FailureErrnoConstraint : public ErrnoConstraintBase {
454 public:
apply(ProgramStateRef State,const CallEvent & Call,const Summary & Summary,CheckerContext & C) const455 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
456 const Summary &Summary,
457 CheckerContext &C) const override {
458 SValBuilder &SVB = C.getSValBuilder();
459 NonLoc ErrnoSVal =
460 SVB.conjureSymbolVal(&Tag, Call.getOriginExpr(),
461 C.getLocationContext(), C.getASTContext().IntTy,
462 C.blockCount())
463 .castAs<NonLoc>();
464 return errno_modeling::setErrnoForStdFailure(State, C, ErrnoSVal);
465 }
466 };
467
468 /// Set errno constraint at success cases of standard functions.
469 /// Success case: 'errno' is not allowed to be used.
470 /// \c ErrnoChecker can emit bug report after such a function call if errno
471 /// is used.
472 class SuccessErrnoConstraint : public ErrnoConstraintBase {
473 public:
apply(ProgramStateRef State,const CallEvent & Call,const Summary & Summary,CheckerContext & C) const474 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
475 const Summary &Summary,
476 CheckerContext &C) const override {
477 return errno_modeling::setErrnoForStdSuccess(State, C);
478 }
479
describe(CheckerContext & C,StringRef FunctionName) const480 const NoteTag *describe(CheckerContext &C,
481 StringRef FunctionName) const override {
482 return errno_modeling::getNoteTagForStdSuccess(C, FunctionName);
483 }
484 };
485
486 class ErrnoMustBeCheckedConstraint : public ErrnoConstraintBase {
487 public:
apply(ProgramStateRef State,const CallEvent & Call,const Summary & Summary,CheckerContext & C) const488 ProgramStateRef apply(ProgramStateRef State, const CallEvent &Call,
489 const Summary &Summary,
490 CheckerContext &C) const override {
491 return errno_modeling::setErrnoStdMustBeChecked(State, C,
492 Call.getOriginExpr());
493 }
494
describe(CheckerContext & C,StringRef FunctionName) const495 const NoteTag *describe(CheckerContext &C,
496 StringRef FunctionName) const override {
497 return errno_modeling::getNoteTagForStdMustBeChecked(C, FunctionName);
498 }
499 };
500
501 /// A single branch of a function summary.
502 ///
503 /// A branch is defined by a series of constraints - "assumptions" -
504 /// that together form a single possible outcome of invoking the function.
505 /// When static analyzer considers a branch, it tries to introduce
506 /// a child node in the Exploded Graph. The child node has to include
507 /// constraints that define the branch. If the constraints contradict
508 /// existing constraints in the state, the node is not created and the branch
509 /// is dropped; otherwise it's queued for future exploration.
510 /// The branch is accompanied by a note text that may be displayed
511 /// to the user when a bug is found on a path that takes this branch.
512 ///
513 /// For example, consider the branches in `isalpha(x)`:
514 /// Branch 1)
515 /// x is in range ['A', 'Z'] or in ['a', 'z']
516 /// then the return value is not 0. (I.e. out-of-range [0, 0])
517 /// and the note may say "Assuming the character is alphabetical"
518 /// Branch 2)
519 /// x is out-of-range ['A', 'Z'] and out-of-range ['a', 'z']
520 /// then the return value is 0
521 /// and the note may say "Assuming the character is non-alphabetical".
522 class SummaryCase {
523 ConstraintSet Constraints;
524 const ErrnoConstraintBase &ErrnoConstraint;
525 StringRef Note;
526
527 public:
SummaryCase(ConstraintSet && Constraints,const ErrnoConstraintBase & ErrnoC,StringRef Note)528 SummaryCase(ConstraintSet &&Constraints, const ErrnoConstraintBase &ErrnoC,
529 StringRef Note)
530 : Constraints(std::move(Constraints)), ErrnoConstraint(ErrnoC),
531 Note(Note) {}
532
SummaryCase(const ConstraintSet & Constraints,const ErrnoConstraintBase & ErrnoC,StringRef Note)533 SummaryCase(const ConstraintSet &Constraints,
534 const ErrnoConstraintBase &ErrnoC, StringRef Note)
535 : Constraints(Constraints), ErrnoConstraint(ErrnoC), Note(Note) {}
536
getConstraints() const537 const ConstraintSet &getConstraints() const { return Constraints; }
getErrnoConstraint() const538 const ErrnoConstraintBase &getErrnoConstraint() const {
539 return ErrnoConstraint;
540 }
getNote() const541 StringRef getNote() const { return Note; }
542 };
543
544 using ArgTypes = std::vector<std::optional<QualType>>;
545 using RetType = std::optional<QualType>;
546
547 // A placeholder type, we use it whenever we do not care about the concrete
548 // type in a Signature.
549 const QualType Irrelevant{};
isIrrelevant(QualType T)550 bool static isIrrelevant(QualType T) { return T.isNull(); }
551
552 // The signature of a function we want to describe with a summary. This is a
553 // concessive signature, meaning there may be irrelevant types in the
554 // signature which we do not check against a function with concrete types.
555 // All types in the spec need to be canonical.
556 class Signature {
557 using ArgQualTypes = std::vector<QualType>;
558 ArgQualTypes ArgTys;
559 QualType RetTy;
560 // True if any component type is not found by lookup.
561 bool Invalid = false;
562
563 public:
564 // Construct a signature from optional types. If any of the optional types
565 // are not set then the signature will be invalid.
Signature(ArgTypes ArgTys,RetType RetTy)566 Signature(ArgTypes ArgTys, RetType RetTy) {
567 for (std::optional<QualType> Arg : ArgTys) {
568 if (!Arg) {
569 Invalid = true;
570 return;
571 } else {
572 assertArgTypeSuitableForSignature(*Arg);
573 this->ArgTys.push_back(*Arg);
574 }
575 }
576 if (!RetTy) {
577 Invalid = true;
578 return;
579 } else {
580 assertRetTypeSuitableForSignature(*RetTy);
581 this->RetTy = *RetTy;
582 }
583 }
584
isInvalid() const585 bool isInvalid() const { return Invalid; }
586 bool matches(const FunctionDecl *FD) const;
587
588 private:
assertArgTypeSuitableForSignature(QualType T)589 static void assertArgTypeSuitableForSignature(QualType T) {
590 assert((T.isNull() || !T->isVoidType()) &&
591 "We should have no void types in the spec");
592 assert((T.isNull() || T.isCanonical()) &&
593 "We should only have canonical types in the spec");
594 }
assertRetTypeSuitableForSignature(QualType T)595 static void assertRetTypeSuitableForSignature(QualType T) {
596 assert((T.isNull() || T.isCanonical()) &&
597 "We should only have canonical types in the spec");
598 }
599 };
600
getArgType(const FunctionDecl * FD,ArgNo ArgN)601 static QualType getArgType(const FunctionDecl *FD, ArgNo ArgN) {
602 assert(FD && "Function must be set");
603 QualType T = (ArgN == Ret)
604 ? FD->getReturnType().getCanonicalType()
605 : FD->getParamDecl(ArgN)->getType().getCanonicalType();
606 return T;
607 }
608
609 using SummaryCases = std::vector<SummaryCase>;
610
611 /// A summary includes information about
612 /// * function prototype (signature)
613 /// * approach to invalidation,
614 /// * a list of branches - so, a list of list of ranges,
615 /// * a list of argument constraints, that must be true on every branch.
616 /// If these constraints are not satisfied that means a fatal error
617 /// usually resulting in undefined behaviour.
618 ///
619 /// Application of a summary:
620 /// The signature and argument constraints together contain information
621 /// about which functions are handled by the summary. The signature can use
622 /// "wildcards", i.e. Irrelevant types. Irrelevant type of a parameter in
623 /// a signature means that type is not compared to the type of the parameter
624 /// in the found FunctionDecl. Argument constraints may specify additional
625 /// rules for the given parameter's type, those rules are checked once the
626 /// signature is matched.
627 class Summary {
628 const InvalidationKind InvalidationKd;
629 SummaryCases Cases;
630 ConstraintSet ArgConstraints;
631
632 // The function to which the summary applies. This is set after lookup and
633 // match to the signature.
634 const FunctionDecl *FD = nullptr;
635
636 public:
Summary(InvalidationKind InvalidationKd)637 Summary(InvalidationKind InvalidationKd) : InvalidationKd(InvalidationKd) {}
638
Case(ConstraintSet && CS,const ErrnoConstraintBase & ErrnoC,StringRef Note="")639 Summary &Case(ConstraintSet &&CS, const ErrnoConstraintBase &ErrnoC,
640 StringRef Note = "") {
641 Cases.push_back(SummaryCase(std::move(CS), ErrnoC, Note));
642 return *this;
643 }
Case(const ConstraintSet & CS,const ErrnoConstraintBase & ErrnoC,StringRef Note="")644 Summary &Case(const ConstraintSet &CS, const ErrnoConstraintBase &ErrnoC,
645 StringRef Note = "") {
646 Cases.push_back(SummaryCase(CS, ErrnoC, Note));
647 return *this;
648 }
ArgConstraint(ValueConstraintPtr VC)649 Summary &ArgConstraint(ValueConstraintPtr VC) {
650 assert(VC->getArgNo() != Ret &&
651 "Arg constraint should not refer to the return value");
652 ArgConstraints.push_back(VC);
653 return *this;
654 }
655
getInvalidationKd() const656 InvalidationKind getInvalidationKd() const { return InvalidationKd; }
getCases() const657 const SummaryCases &getCases() const { return Cases; }
getArgConstraints() const658 const ConstraintSet &getArgConstraints() const { return ArgConstraints; }
659
getArgType(ArgNo ArgN) const660 QualType getArgType(ArgNo ArgN) const {
661 return StdLibraryFunctionsChecker::getArgType(FD, ArgN);
662 }
663
664 // Returns true if the summary should be applied to the given function.
665 // And if yes then store the function declaration.
matchesAndSet(const Signature & Sign,const FunctionDecl * FD)666 bool matchesAndSet(const Signature &Sign, const FunctionDecl *FD) {
667 bool Result = Sign.matches(FD) && validateByConstraints(FD);
668 if (Result) {
669 assert(!this->FD && "FD must not be set more than once");
670 this->FD = FD;
671 }
672 return Result;
673 }
674
675 private:
676 // Once we know the exact type of the function then do validation check on
677 // all the given constraints.
validateByConstraints(const FunctionDecl * FD) const678 bool validateByConstraints(const FunctionDecl *FD) const {
679 for (const SummaryCase &Case : Cases)
680 for (const ValueConstraintPtr &Constraint : Case.getConstraints())
681 if (!Constraint->checkValidity(FD))
682 return false;
683 for (const ValueConstraintPtr &Constraint : ArgConstraints)
684 if (!Constraint->checkValidity(FD))
685 return false;
686 return true;
687 }
688 };
689
690 // The map of all functions supported by the checker. It is initialized
691 // lazily, and it doesn't change after initialization.
692 using FunctionSummaryMapType = llvm::DenseMap<const FunctionDecl *, Summary>;
693 mutable FunctionSummaryMapType FunctionSummaryMap;
694
695 mutable std::unique_ptr<BugType> BT_InvalidArg;
696 mutable bool SummariesInitialized = false;
697
getArgSVal(const CallEvent & Call,ArgNo ArgN)698 static SVal getArgSVal(const CallEvent &Call, ArgNo ArgN) {
699 return ArgN == Ret ? Call.getReturnValue() : Call.getArgSVal(ArgN);
700 }
701
702 public:
703 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
704 void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
705 bool evalCall(const CallEvent &Call, CheckerContext &C) const;
706
707 enum CheckKind {
708 CK_StdCLibraryFunctionArgsChecker,
709 CK_StdCLibraryFunctionsTesterChecker,
710 CK_NumCheckKinds
711 };
712 bool ChecksEnabled[CK_NumCheckKinds] = {false};
713 CheckerNameRef CheckNames[CK_NumCheckKinds];
714
715 bool DisplayLoadedSummaries = false;
716 bool ModelPOSIX = false;
717 bool ShouldAssumeControlledEnvironment = false;
718
719 private:
720 std::optional<Summary> findFunctionSummary(const FunctionDecl *FD,
721 CheckerContext &C) const;
722 std::optional<Summary> findFunctionSummary(const CallEvent &Call,
723 CheckerContext &C) const;
724
725 void initFunctionSummaries(CheckerContext &C) const;
726
reportBug(const CallEvent & Call,ExplodedNode * N,const ValueConstraint * VC,const Summary & Summary,CheckerContext & C) const727 void reportBug(const CallEvent &Call, ExplodedNode *N,
728 const ValueConstraint *VC, const Summary &Summary,
729 CheckerContext &C) const {
730 if (!ChecksEnabled[CK_StdCLibraryFunctionArgsChecker])
731 return;
732 std::string Msg =
733 (Twine("Function argument constraint is not satisfied, constraint: ") +
734 VC->getName().data())
735 .str();
736 if (!BT_InvalidArg)
737 BT_InvalidArg = std::make_unique<BugType>(
738 CheckNames[CK_StdCLibraryFunctionArgsChecker],
739 "Unsatisfied argument constraints", categories::LogicError);
740 auto R = std::make_unique<PathSensitiveBugReport>(*BT_InvalidArg, Msg, N);
741
742 for (ArgNo ArgN : VC->getArgsToTrack())
743 bugreporter::trackExpressionValue(N, Call.getArgExpr(ArgN), *R);
744
745 // Highlight the range of the argument that was violated.
746 R->addRange(Call.getArgSourceRange(VC->getArgNo()));
747
748 // Describe the argument constraint violation in a note.
749 std::string Descr = VC->describe(
750 ValueConstraint::DescriptionKind::Violation, C.getState(), Summary);
751 // Capitalize the first letter b/c we want a full sentence.
752 Descr[0] = toupper(Descr[0]);
753 R->addNote(Descr, R->getLocation(), Call.getArgSourceRange(VC->getArgNo()));
754
755 C.emitReport(std::move(R));
756 }
757
758 /// These are the errno constraints that can be passed to summary cases.
759 /// One of these should fit for a single summary case.
760 /// Usually if a failure return value exists for function, that function
761 /// needs different cases for success and failure with different errno
762 /// constraints (and different return value constraints).
763 const NoErrnoConstraint ErrnoUnchanged{};
764 const ResetErrnoConstraint ErrnoIrrelevant{};
765 const ErrnoMustBeCheckedConstraint ErrnoMustBeChecked{};
766 const SuccessErrnoConstraint ErrnoMustNotBeChecked{};
767 const FailureErrnoConstraint ErrnoNEZeroIrrelevant{};
768 };
769
770 int StdLibraryFunctionsChecker::ErrnoConstraintBase::Tag = 0;
771
772 const StdLibraryFunctionsChecker::ArgNo StdLibraryFunctionsChecker::Ret =
773 std::numeric_limits<ArgNo>::max();
774
775 } // end of anonymous namespace
776
getBVF(ProgramStateRef State)777 static BasicValueFactory &getBVF(ProgramStateRef State) {
778 ProgramStateManager &Mgr = State->getStateManager();
779 SValBuilder &SVB = Mgr.getSValBuilder();
780 return SVB.getBasicValueFactory();
781 }
782
describe(DescriptionKind DK,ProgramStateRef State,const Summary & Summary) const783 std::string StdLibraryFunctionsChecker::NotNullConstraint::describe(
784 DescriptionKind DK, ProgramStateRef State, const Summary &Summary) const {
785 SmallString<48> Result;
786 const auto Violation = ValueConstraint::DescriptionKind::Violation;
787 Result += "the ";
788 Result += getArgDesc(ArgN);
789 Result += DK == Violation ? " should not be NULL" : " is not NULL";
790 return Result.c_str();
791 }
792
describe(DescriptionKind DK,ProgramStateRef State,const Summary & Summary) const793 std::string StdLibraryFunctionsChecker::RangeConstraint::describe(
794 DescriptionKind DK, ProgramStateRef State, const Summary &Summary) const {
795
796 BasicValueFactory &BVF = getBVF(State);
797
798 QualType T = Summary.getArgType(getArgNo());
799 SmallString<48> Result;
800 const auto Violation = ValueConstraint::DescriptionKind::Violation;
801 Result += "the ";
802 Result += getArgDesc(ArgN);
803 Result += DK == Violation ? " should be " : " is ";
804
805 // Range kind as a string.
806 Kind == OutOfRange ? Result += "out of" : Result += "within";
807
808 // Get the range values as a string.
809 Result += " the range ";
810 if (Ranges.size() > 1)
811 Result += "[";
812 unsigned I = Ranges.size();
813 for (const std::pair<RangeInt, RangeInt> &R : Ranges) {
814 Result += "[";
815 const llvm::APSInt &Min = BVF.getValue(R.first, T);
816 const llvm::APSInt &Max = BVF.getValue(R.second, T);
817 Min.toString(Result);
818 Result += ", ";
819 Max.toString(Result);
820 Result += "]";
821 if (--I > 0)
822 Result += ", ";
823 }
824 if (Ranges.size() > 1)
825 Result += "]";
826
827 return Result.c_str();
828 }
829
830 SmallString<8>
getArgDesc(StdLibraryFunctionsChecker::ArgNo ArgN)831 StdLibraryFunctionsChecker::getArgDesc(StdLibraryFunctionsChecker::ArgNo ArgN) {
832 SmallString<8> Result;
833 Result += std::to_string(ArgN + 1);
834 Result += llvm::getOrdinalSuffix(ArgN + 1);
835 Result += " argument";
836 return Result;
837 }
838
describe(DescriptionKind DK,ProgramStateRef State,const Summary & Summary) const839 std::string StdLibraryFunctionsChecker::BufferSizeConstraint::describe(
840 DescriptionKind DK, ProgramStateRef State, const Summary &Summary) const {
841 SmallString<96> Result;
842 const auto Violation = ValueConstraint::DescriptionKind::Violation;
843 Result += "the size of the ";
844 Result += getArgDesc(ArgN);
845 Result += DK == Violation ? " should be " : " is ";
846 Result += "equal to or greater than the value of ";
847 if (ConcreteSize) {
848 ConcreteSize->toString(Result);
849 } else if (SizeArgN) {
850 Result += "the ";
851 Result += getArgDesc(*SizeArgN);
852 if (SizeMultiplierArgN) {
853 Result += " times the ";
854 Result += getArgDesc(*SizeMultiplierArgN);
855 }
856 }
857 return Result.c_str();
858 }
859
applyAsOutOfRange(ProgramStateRef State,const CallEvent & Call,const Summary & Summary) const860 ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsOutOfRange(
861 ProgramStateRef State, const CallEvent &Call,
862 const Summary &Summary) const {
863 if (Ranges.empty())
864 return State;
865
866 ProgramStateManager &Mgr = State->getStateManager();
867 SValBuilder &SVB = Mgr.getSValBuilder();
868 BasicValueFactory &BVF = SVB.getBasicValueFactory();
869 ConstraintManager &CM = Mgr.getConstraintManager();
870 QualType T = Summary.getArgType(getArgNo());
871 SVal V = getArgSVal(Call, getArgNo());
872
873 if (auto N = V.getAs<NonLoc>()) {
874 const IntRangeVector &R = getRanges();
875 size_t E = R.size();
876 for (size_t I = 0; I != E; ++I) {
877 const llvm::APSInt &Min = BVF.getValue(R[I].first, T);
878 const llvm::APSInt &Max = BVF.getValue(R[I].second, T);
879 assert(Min <= Max);
880 State = CM.assumeInclusiveRange(State, *N, Min, Max, false);
881 if (!State)
882 break;
883 }
884 }
885
886 return State;
887 }
888
applyAsWithinRange(ProgramStateRef State,const CallEvent & Call,const Summary & Summary) const889 ProgramStateRef StdLibraryFunctionsChecker::RangeConstraint::applyAsWithinRange(
890 ProgramStateRef State, const CallEvent &Call,
891 const Summary &Summary) const {
892 if (Ranges.empty())
893 return State;
894
895 ProgramStateManager &Mgr = State->getStateManager();
896 SValBuilder &SVB = Mgr.getSValBuilder();
897 BasicValueFactory &BVF = SVB.getBasicValueFactory();
898 ConstraintManager &CM = Mgr.getConstraintManager();
899 QualType T = Summary.getArgType(getArgNo());
900 SVal V = getArgSVal(Call, getArgNo());
901
902 // "WithinRange R" is treated as "outside [T_MIN, T_MAX] \ R".
903 // We cut off [T_MIN, min(R) - 1] and [max(R) + 1, T_MAX] if necessary,
904 // and then cut away all holes in R one by one.
905 //
906 // E.g. consider a range list R as [A, B] and [C, D]
907 // -------+--------+------------------+------------+----------->
908 // A B C D
909 // Then we assume that the value is not in [-inf, A - 1],
910 // then not in [D + 1, +inf], then not in [B + 1, C - 1]
911 if (auto N = V.getAs<NonLoc>()) {
912 const IntRangeVector &R = getRanges();
913 size_t E = R.size();
914
915 const llvm::APSInt &MinusInf = BVF.getMinValue(T);
916 const llvm::APSInt &PlusInf = BVF.getMaxValue(T);
917
918 const llvm::APSInt &Left = BVF.getValue(R[0].first - 1ULL, T);
919 if (Left != PlusInf) {
920 assert(MinusInf <= Left);
921 State = CM.assumeInclusiveRange(State, *N, MinusInf, Left, false);
922 if (!State)
923 return nullptr;
924 }
925
926 const llvm::APSInt &Right = BVF.getValue(R[E - 1].second + 1ULL, T);
927 if (Right != MinusInf) {
928 assert(Right <= PlusInf);
929 State = CM.assumeInclusiveRange(State, *N, Right, PlusInf, false);
930 if (!State)
931 return nullptr;
932 }
933
934 for (size_t I = 1; I != E; ++I) {
935 const llvm::APSInt &Min = BVF.getValue(R[I - 1].second + 1ULL, T);
936 const llvm::APSInt &Max = BVF.getValue(R[I].first - 1ULL, T);
937 if (Min <= Max) {
938 State = CM.assumeInclusiveRange(State, *N, Min, Max, false);
939 if (!State)
940 return nullptr;
941 }
942 }
943 }
944
945 return State;
946 }
947
apply(ProgramStateRef State,const CallEvent & Call,const Summary & Summary,CheckerContext & C) const948 ProgramStateRef StdLibraryFunctionsChecker::ComparisonConstraint::apply(
949 ProgramStateRef State, const CallEvent &Call, const Summary &Summary,
950 CheckerContext &C) const {
951
952 ProgramStateManager &Mgr = State->getStateManager();
953 SValBuilder &SVB = Mgr.getSValBuilder();
954 QualType CondT = SVB.getConditionType();
955 QualType T = Summary.getArgType(getArgNo());
956 SVal V = getArgSVal(Call, getArgNo());
957
958 BinaryOperator::Opcode Op = getOpcode();
959 ArgNo OtherArg = getOtherArgNo();
960 SVal OtherV = getArgSVal(Call, OtherArg);
961 QualType OtherT = Summary.getArgType(OtherArg);
962 // Note: we avoid integral promotion for comparison.
963 OtherV = SVB.evalCast(OtherV, T, OtherT);
964 if (auto CompV = SVB.evalBinOp(State, Op, V, OtherV, CondT)
965 .getAs<DefinedOrUnknownSVal>())
966 State = State->assume(*CompV, true);
967 return State;
968 }
969
checkPreCall(const CallEvent & Call,CheckerContext & C) const970 void StdLibraryFunctionsChecker::checkPreCall(const CallEvent &Call,
971 CheckerContext &C) const {
972 std::optional<Summary> FoundSummary = findFunctionSummary(Call, C);
973 if (!FoundSummary)
974 return;
975
976 const Summary &Summary = *FoundSummary;
977 ProgramStateRef State = C.getState();
978
979 ProgramStateRef NewState = State;
980 ExplodedNode *NewNode = C.getPredecessor();
981 for (const ValueConstraintPtr &Constraint : Summary.getArgConstraints()) {
982 ProgramStateRef SuccessSt = Constraint->apply(NewState, Call, Summary, C);
983 ProgramStateRef FailureSt =
984 Constraint->negate()->apply(NewState, Call, Summary, C);
985 // The argument constraint is not satisfied.
986 if (FailureSt && !SuccessSt) {
987 if (ExplodedNode *N = C.generateErrorNode(NewState, NewNode))
988 reportBug(Call, N, Constraint.get(), Summary, C);
989 break;
990 }
991 // We will apply the constraint even if we cannot reason about the
992 // argument. This means both SuccessSt and FailureSt can be true. If we
993 // weren't applying the constraint that would mean that symbolic
994 // execution continues on a code whose behaviour is undefined.
995 assert(SuccessSt);
996 NewState = SuccessSt;
997 if (NewState != State) {
998 SmallString<64> Msg;
999 Msg += "Assuming ";
1000 Msg += Constraint->describe(ValueConstraint::DescriptionKind::Assumption,
1001 NewState, Summary);
1002 const auto ArgSVal = Call.getArgSVal(Constraint->getArgNo());
1003 NewNode = C.addTransition(
1004 NewState, NewNode,
1005 C.getNoteTag([Msg = std::move(Msg), ArgSVal](
1006 PathSensitiveBugReport &BR, llvm::raw_ostream &OS) {
1007 if (BR.isInteresting(ArgSVal))
1008 OS << Msg;
1009 }));
1010 }
1011 }
1012 }
1013
checkPostCall(const CallEvent & Call,CheckerContext & C) const1014 void StdLibraryFunctionsChecker::checkPostCall(const CallEvent &Call,
1015 CheckerContext &C) const {
1016 std::optional<Summary> FoundSummary = findFunctionSummary(Call, C);
1017 if (!FoundSummary)
1018 return;
1019
1020 // Now apply the constraints.
1021 const Summary &Summary = *FoundSummary;
1022 ProgramStateRef State = C.getState();
1023 const ExplodedNode *Node = C.getPredecessor();
1024
1025 // Apply case/branch specifications.
1026 for (const SummaryCase &Case : Summary.getCases()) {
1027 ProgramStateRef NewState = State;
1028 for (const ValueConstraintPtr &Constraint : Case.getConstraints()) {
1029 NewState = Constraint->apply(NewState, Call, Summary, C);
1030 if (!NewState)
1031 break;
1032 }
1033
1034 if (NewState)
1035 NewState = Case.getErrnoConstraint().apply(NewState, Call, Summary, C);
1036
1037 if (NewState && NewState != State) {
1038 if (Case.getNote().empty()) {
1039 const NoteTag *NT = nullptr;
1040 if (const auto *D = dyn_cast_or_null<FunctionDecl>(Call.getDecl()))
1041 NT = Case.getErrnoConstraint().describe(C, D->getNameAsString());
1042 C.addTransition(NewState, NT);
1043 } else {
1044 StringRef Note = Case.getNote();
1045 const NoteTag *Tag = C.getNoteTag(
1046 // Sorry couldn't help myself.
1047 [Node, Note]() -> std::string {
1048 // Don't emit "Assuming..." note when we ended up
1049 // knowing in advance which branch is taken.
1050 return (Node->succ_size() > 1) ? Note.str() : "";
1051 },
1052 /*IsPrunable=*/true);
1053 C.addTransition(NewState, Tag);
1054 }
1055 } else if (NewState == State) {
1056 // It is possible that the function was evaluated in a checker callback
1057 // where the state constraints are already applied, then no change happens
1058 // here to the state (if the ErrnoConstraint did not change it either).
1059 // If the evaluated function requires a NoteTag for errno change, it is
1060 // added here.
1061 if (const auto *D = dyn_cast_or_null<FunctionDecl>(Call.getDecl()))
1062 if (const NoteTag *NT =
1063 Case.getErrnoConstraint().describe(C, D->getNameAsString()))
1064 C.addTransition(NewState, NT);
1065 }
1066 }
1067 }
1068
evalCall(const CallEvent & Call,CheckerContext & C) const1069 bool StdLibraryFunctionsChecker::evalCall(const CallEvent &Call,
1070 CheckerContext &C) const {
1071 std::optional<Summary> FoundSummary = findFunctionSummary(Call, C);
1072 if (!FoundSummary)
1073 return false;
1074
1075 const Summary &Summary = *FoundSummary;
1076 switch (Summary.getInvalidationKd()) {
1077 case EvalCallAsPure: {
1078 ProgramStateRef State = C.getState();
1079 const LocationContext *LC = C.getLocationContext();
1080 const auto *CE = cast<CallExpr>(Call.getOriginExpr());
1081 SVal V = C.getSValBuilder().conjureSymbolVal(
1082 CE, LC, CE->getType().getCanonicalType(), C.blockCount());
1083 State = State->BindExpr(CE, LC, V);
1084
1085 C.addTransition(State);
1086
1087 return true;
1088 }
1089 case NoEvalCall:
1090 // Summary tells us to avoid performing eval::Call. The function is possibly
1091 // evaluated by another checker, or evaluated conservatively.
1092 return false;
1093 }
1094 llvm_unreachable("Unknown invalidation kind!");
1095 }
1096
matches(const FunctionDecl * FD) const1097 bool StdLibraryFunctionsChecker::Signature::matches(
1098 const FunctionDecl *FD) const {
1099 assert(!isInvalid());
1100 // Check the number of arguments.
1101 if (FD->param_size() != ArgTys.size())
1102 return false;
1103
1104 // The "restrict" keyword is illegal in C++, however, many libc
1105 // implementations use the "__restrict" compiler intrinsic in functions
1106 // prototypes. The "__restrict" keyword qualifies a type as a restricted type
1107 // even in C++.
1108 // In case of any non-C99 languages, we don't want to match based on the
1109 // restrict qualifier because we cannot know if the given libc implementation
1110 // qualifies the paramter type or not.
1111 auto RemoveRestrict = [&FD](QualType T) {
1112 if (!FD->getASTContext().getLangOpts().C99)
1113 T.removeLocalRestrict();
1114 return T;
1115 };
1116
1117 // Check the return type.
1118 if (!isIrrelevant(RetTy)) {
1119 QualType FDRetTy = RemoveRestrict(FD->getReturnType().getCanonicalType());
1120 if (RetTy != FDRetTy)
1121 return false;
1122 }
1123
1124 // Check the argument types.
1125 for (size_t I = 0, E = ArgTys.size(); I != E; ++I) {
1126 QualType ArgTy = ArgTys[I];
1127 if (isIrrelevant(ArgTy))
1128 continue;
1129 QualType FDArgTy =
1130 RemoveRestrict(FD->getParamDecl(I)->getType().getCanonicalType());
1131 if (ArgTy != FDArgTy)
1132 return false;
1133 }
1134
1135 return true;
1136 }
1137
1138 std::optional<StdLibraryFunctionsChecker::Summary>
findFunctionSummary(const FunctionDecl * FD,CheckerContext & C) const1139 StdLibraryFunctionsChecker::findFunctionSummary(const FunctionDecl *FD,
1140 CheckerContext &C) const {
1141 if (!FD)
1142 return std::nullopt;
1143
1144 initFunctionSummaries(C);
1145
1146 auto FSMI = FunctionSummaryMap.find(FD->getCanonicalDecl());
1147 if (FSMI == FunctionSummaryMap.end())
1148 return std::nullopt;
1149 return FSMI->second;
1150 }
1151
1152 std::optional<StdLibraryFunctionsChecker::Summary>
findFunctionSummary(const CallEvent & Call,CheckerContext & C) const1153 StdLibraryFunctionsChecker::findFunctionSummary(const CallEvent &Call,
1154 CheckerContext &C) const {
1155 const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
1156 if (!FD)
1157 return std::nullopt;
1158 return findFunctionSummary(FD, C);
1159 }
1160
initFunctionSummaries(CheckerContext & C) const1161 void StdLibraryFunctionsChecker::initFunctionSummaries(
1162 CheckerContext &C) const {
1163 if (SummariesInitialized)
1164 return;
1165
1166 SValBuilder &SVB = C.getSValBuilder();
1167 BasicValueFactory &BVF = SVB.getBasicValueFactory();
1168 const ASTContext &ACtx = BVF.getContext();
1169
1170 // Helper class to lookup a type by its name.
1171 class LookupType {
1172 const ASTContext &ACtx;
1173
1174 public:
1175 LookupType(const ASTContext &ACtx) : ACtx(ACtx) {}
1176
1177 // Find the type. If not found then the optional is not set.
1178 std::optional<QualType> operator()(StringRef Name) {
1179 IdentifierInfo &II = ACtx.Idents.get(Name);
1180 auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
1181 if (LookupRes.empty())
1182 return std::nullopt;
1183
1184 // Prioritze typedef declarations.
1185 // This is needed in case of C struct typedefs. E.g.:
1186 // typedef struct FILE FILE;
1187 // In this case, we have a RecordDecl 'struct FILE' with the name 'FILE'
1188 // and we have a TypedefDecl with the name 'FILE'.
1189 for (Decl *D : LookupRes)
1190 if (auto *TD = dyn_cast<TypedefNameDecl>(D))
1191 return ACtx.getTypeDeclType(TD).getCanonicalType();
1192
1193 // Find the first TypeDecl.
1194 // There maybe cases when a function has the same name as a struct.
1195 // E.g. in POSIX: `struct stat` and the function `stat()`:
1196 // int stat(const char *restrict path, struct stat *restrict buf);
1197 for (Decl *D : LookupRes)
1198 if (auto *TD = dyn_cast<TypeDecl>(D))
1199 return ACtx.getTypeDeclType(TD).getCanonicalType();
1200 return std::nullopt;
1201 }
1202 } lookupTy(ACtx);
1203
1204 // Below are auxiliary classes to handle optional types that we get as a
1205 // result of the lookup.
1206 class GetRestrictTy {
1207 const ASTContext &ACtx;
1208
1209 public:
1210 GetRestrictTy(const ASTContext &ACtx) : ACtx(ACtx) {}
1211 QualType operator()(QualType Ty) {
1212 return ACtx.getLangOpts().C99 ? ACtx.getRestrictType(Ty) : Ty;
1213 }
1214 std::optional<QualType> operator()(std::optional<QualType> Ty) {
1215 if (Ty)
1216 return operator()(*Ty);
1217 return std::nullopt;
1218 }
1219 } getRestrictTy(ACtx);
1220 class GetPointerTy {
1221 const ASTContext &ACtx;
1222
1223 public:
1224 GetPointerTy(const ASTContext &ACtx) : ACtx(ACtx) {}
1225 QualType operator()(QualType Ty) { return ACtx.getPointerType(Ty); }
1226 std::optional<QualType> operator()(std::optional<QualType> Ty) {
1227 if (Ty)
1228 return operator()(*Ty);
1229 return std::nullopt;
1230 }
1231 } getPointerTy(ACtx);
1232 class {
1233 public:
1234 std::optional<QualType> operator()(std::optional<QualType> Ty) {
1235 return Ty ? std::optional<QualType>(Ty->withConst()) : std::nullopt;
1236 }
1237 QualType operator()(QualType Ty) { return Ty.withConst(); }
1238 } getConstTy;
1239 class GetMaxValue {
1240 BasicValueFactory &BVF;
1241
1242 public:
1243 GetMaxValue(BasicValueFactory &BVF) : BVF(BVF) {}
1244 std::optional<RangeInt> operator()(QualType Ty) {
1245 return BVF.getMaxValue(Ty).getLimitedValue();
1246 }
1247 std::optional<RangeInt> operator()(std::optional<QualType> Ty) {
1248 if (Ty) {
1249 return operator()(*Ty);
1250 }
1251 return std::nullopt;
1252 }
1253 } getMaxValue(BVF);
1254
1255 // These types are useful for writing specifications quickly,
1256 // New specifications should probably introduce more types.
1257 // Some types are hard to obtain from the AST, eg. "ssize_t".
1258 // In such cases it should be possible to provide multiple variants
1259 // of function summary for common cases (eg. ssize_t could be int or long
1260 // or long long, so three summary variants would be enough).
1261 // Of course, function variants are also useful for C++ overloads.
1262 const QualType VoidTy = ACtx.VoidTy;
1263 const QualType CharTy = ACtx.CharTy;
1264 const QualType WCharTy = ACtx.WCharTy;
1265 const QualType IntTy = ACtx.IntTy;
1266 const QualType UnsignedIntTy = ACtx.UnsignedIntTy;
1267 const QualType LongTy = ACtx.LongTy;
1268 const QualType SizeTy = ACtx.getSizeType();
1269
1270 const QualType VoidPtrTy = getPointerTy(VoidTy); // void *
1271 const QualType IntPtrTy = getPointerTy(IntTy); // int *
1272 const QualType UnsignedIntPtrTy =
1273 getPointerTy(UnsignedIntTy); // unsigned int *
1274 const QualType VoidPtrRestrictTy = getRestrictTy(VoidPtrTy);
1275 const QualType ConstVoidPtrTy =
1276 getPointerTy(getConstTy(VoidTy)); // const void *
1277 const QualType CharPtrTy = getPointerTy(CharTy); // char *
1278 const QualType CharPtrRestrictTy = getRestrictTy(CharPtrTy);
1279 const QualType ConstCharPtrTy =
1280 getPointerTy(getConstTy(CharTy)); // const char *
1281 const QualType ConstCharPtrRestrictTy = getRestrictTy(ConstCharPtrTy);
1282 const QualType Wchar_tPtrTy = getPointerTy(WCharTy); // wchar_t *
1283 const QualType ConstWchar_tPtrTy =
1284 getPointerTy(getConstTy(WCharTy)); // const wchar_t *
1285 const QualType ConstVoidPtrRestrictTy = getRestrictTy(ConstVoidPtrTy);
1286 const QualType SizePtrTy = getPointerTy(SizeTy);
1287 const QualType SizePtrRestrictTy = getRestrictTy(SizePtrTy);
1288
1289 const RangeInt IntMax = BVF.getMaxValue(IntTy).getLimitedValue();
1290 const RangeInt UnsignedIntMax =
1291 BVF.getMaxValue(UnsignedIntTy).getLimitedValue();
1292 const RangeInt LongMax = BVF.getMaxValue(LongTy).getLimitedValue();
1293 const RangeInt SizeMax = BVF.getMaxValue(SizeTy).getLimitedValue();
1294
1295 // Set UCharRangeMax to min of int or uchar maximum value.
1296 // The C standard states that the arguments of functions like isalpha must
1297 // be representable as an unsigned char. Their type is 'int', so the max
1298 // value of the argument should be min(UCharMax, IntMax). This just happen
1299 // to be true for commonly used and well tested instruction set
1300 // architectures, but not for others.
1301 const RangeInt UCharRangeMax =
1302 std::min(BVF.getMaxValue(ACtx.UnsignedCharTy).getLimitedValue(), IntMax);
1303
1304 // The platform dependent value of EOF.
1305 // Try our best to parse this from the Preprocessor, otherwise fallback to -1.
1306 const auto EOFv = [&C]() -> RangeInt {
1307 if (const std::optional<int> OptInt =
1308 tryExpandAsInteger("EOF", C.getPreprocessor()))
1309 return *OptInt;
1310 return -1;
1311 }();
1312
1313 // Auxiliary class to aid adding summaries to the summary map.
1314 struct AddToFunctionSummaryMap {
1315 const ASTContext &ACtx;
1316 FunctionSummaryMapType ⤅
1317 bool DisplayLoadedSummaries;
1318 AddToFunctionSummaryMap(const ASTContext &ACtx, FunctionSummaryMapType &FSM,
1319 bool DisplayLoadedSummaries)
1320 : ACtx(ACtx), Map(FSM), DisplayLoadedSummaries(DisplayLoadedSummaries) {
1321 }
1322
1323 // Add a summary to a FunctionDecl found by lookup. The lookup is performed
1324 // by the given Name, and in the global scope. The summary will be attached
1325 // to the found FunctionDecl only if the signatures match.
1326 //
1327 // Returns true if the summary has been added, false otherwise.
1328 bool operator()(StringRef Name, Signature Sign, Summary Sum) {
1329 if (Sign.isInvalid())
1330 return false;
1331 IdentifierInfo &II = ACtx.Idents.get(Name);
1332 auto LookupRes = ACtx.getTranslationUnitDecl()->lookup(&II);
1333 if (LookupRes.empty())
1334 return false;
1335 for (Decl *D : LookupRes) {
1336 if (auto *FD = dyn_cast<FunctionDecl>(D)) {
1337 if (Sum.matchesAndSet(Sign, FD)) {
1338 auto Res = Map.insert({FD->getCanonicalDecl(), Sum});
1339 assert(Res.second && "Function already has a summary set!");
1340 (void)Res;
1341 if (DisplayLoadedSummaries) {
1342 llvm::errs() << "Loaded summary for: ";
1343 FD->print(llvm::errs());
1344 llvm::errs() << "\n";
1345 }
1346 return true;
1347 }
1348 }
1349 }
1350 return false;
1351 }
1352 // Add the same summary for different names with the Signature explicitly
1353 // given.
1354 void operator()(std::vector<StringRef> Names, Signature Sign, Summary Sum) {
1355 for (StringRef Name : Names)
1356 operator()(Name, Sign, Sum);
1357 }
1358 } addToFunctionSummaryMap(ACtx, FunctionSummaryMap, DisplayLoadedSummaries);
1359
1360 // Below are helpers functions to create the summaries.
1361 auto ArgumentCondition = [](ArgNo ArgN, RangeKind Kind,
1362 IntRangeVector Ranges) {
1363 return std::make_shared<RangeConstraint>(ArgN, Kind, Ranges);
1364 };
1365 auto BufferSize = [](auto... Args) {
1366 return std::make_shared<BufferSizeConstraint>(Args...);
1367 };
1368 struct {
1369 auto operator()(RangeKind Kind, IntRangeVector Ranges) {
1370 return std::make_shared<RangeConstraint>(Ret, Kind, Ranges);
1371 }
1372 auto operator()(BinaryOperator::Opcode Op, ArgNo OtherArgN) {
1373 return std::make_shared<ComparisonConstraint>(Ret, Op, OtherArgN);
1374 }
1375 } ReturnValueCondition;
1376 struct {
1377 auto operator()(RangeInt b, RangeInt e) {
1378 return IntRangeVector{std::pair<RangeInt, RangeInt>{b, e}};
1379 }
1380 auto operator()(RangeInt b, std::optional<RangeInt> e) {
1381 if (e)
1382 return IntRangeVector{std::pair<RangeInt, RangeInt>{b, *e}};
1383 return IntRangeVector{};
1384 }
1385 auto operator()(std::pair<RangeInt, RangeInt> i0,
1386 std::pair<RangeInt, std::optional<RangeInt>> i1) {
1387 if (i1.second)
1388 return IntRangeVector{i0, {i1.first, *(i1.second)}};
1389 return IntRangeVector{i0};
1390 }
1391 } Range;
1392 auto SingleValue = [](RangeInt v) {
1393 return IntRangeVector{std::pair<RangeInt, RangeInt>{v, v}};
1394 };
1395 auto LessThanOrEq = BO_LE;
1396 auto NotNull = [&](ArgNo ArgN) {
1397 return std::make_shared<NotNullConstraint>(ArgN);
1398 };
1399 auto IsNull = [&](ArgNo ArgN) {
1400 return std::make_shared<NotNullConstraint>(ArgN, false);
1401 };
1402
1403 std::optional<QualType> FileTy = lookupTy("FILE");
1404 std::optional<QualType> FilePtrTy = getPointerTy(FileTy);
1405 std::optional<QualType> FilePtrRestrictTy = getRestrictTy(FilePtrTy);
1406
1407 std::optional<QualType> FPosTTy = lookupTy("fpos_t");
1408 std::optional<QualType> FPosTPtrTy = getPointerTy(FPosTTy);
1409 std::optional<QualType> ConstFPosTPtrTy = getPointerTy(getConstTy(FPosTTy));
1410 std::optional<QualType> FPosTPtrRestrictTy = getRestrictTy(FPosTPtrTy);
1411
1412 // We are finally ready to define specifications for all supported functions.
1413 //
1414 // Argument ranges should always cover all variants. If return value
1415 // is completely unknown, omit it from the respective range set.
1416 //
1417 // Every item in the list of range sets represents a particular
1418 // execution path the analyzer would need to explore once
1419 // the call is modeled - a new program state is constructed
1420 // for every range set, and each range line in the range set
1421 // corresponds to a specific constraint within this state.
1422
1423 // The isascii() family of functions.
1424 // The behavior is undefined if the value of the argument is not
1425 // representable as unsigned char or is not equal to EOF. See e.g. C99
1426 // 7.4.1.2 The isalpha function (p: 181-182).
1427 addToFunctionSummaryMap(
1428 "isalnum", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1429 Summary(EvalCallAsPure)
1430 // Boils down to isupper() or islower() or isdigit().
1431 .Case({ArgumentCondition(0U, WithinRange,
1432 {{'0', '9'}, {'A', 'Z'}, {'a', 'z'}}),
1433 ReturnValueCondition(OutOfRange, SingleValue(0))},
1434 ErrnoIrrelevant, "Assuming the character is alphanumeric")
1435 // The locale-specific range.
1436 // No post-condition. We are completely unaware of
1437 // locale-specific return values.
1438 .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
1439 ErrnoIrrelevant)
1440 .Case(
1441 {ArgumentCondition(
1442 0U, OutOfRange,
1443 {{'0', '9'}, {'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}),
1444 ReturnValueCondition(WithinRange, SingleValue(0))},
1445 ErrnoIrrelevant, "Assuming the character is non-alphanumeric")
1446 .ArgConstraint(ArgumentCondition(
1447 0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
1448 addToFunctionSummaryMap(
1449 "isalpha", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1450 Summary(EvalCallAsPure)
1451 .Case({ArgumentCondition(0U, WithinRange, {{'A', 'Z'}, {'a', 'z'}}),
1452 ReturnValueCondition(OutOfRange, SingleValue(0))},
1453 ErrnoIrrelevant, "Assuming the character is alphabetical")
1454 // The locale-specific range.
1455 .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
1456 ErrnoIrrelevant)
1457 .Case({ArgumentCondition(
1458 0U, OutOfRange,
1459 {{'A', 'Z'}, {'a', 'z'}, {128, UCharRangeMax}}),
1460 ReturnValueCondition(WithinRange, SingleValue(0))},
1461 ErrnoIrrelevant, "Assuming the character is non-alphabetical"));
1462 addToFunctionSummaryMap(
1463 "isascii", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1464 Summary(EvalCallAsPure)
1465 .Case({ArgumentCondition(0U, WithinRange, Range(0, 127)),
1466 ReturnValueCondition(OutOfRange, SingleValue(0))},
1467 ErrnoIrrelevant, "Assuming the character is an ASCII character")
1468 .Case({ArgumentCondition(0U, OutOfRange, Range(0, 127)),
1469 ReturnValueCondition(WithinRange, SingleValue(0))},
1470 ErrnoIrrelevant,
1471 "Assuming the character is not an ASCII character"));
1472 addToFunctionSummaryMap(
1473 "isblank", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1474 Summary(EvalCallAsPure)
1475 .Case({ArgumentCondition(0U, WithinRange, {{'\t', '\t'}, {' ', ' '}}),
1476 ReturnValueCondition(OutOfRange, SingleValue(0))},
1477 ErrnoIrrelevant, "Assuming the character is a blank character")
1478 .Case({ArgumentCondition(0U, OutOfRange, {{'\t', '\t'}, {' ', ' '}}),
1479 ReturnValueCondition(WithinRange, SingleValue(0))},
1480 ErrnoIrrelevant,
1481 "Assuming the character is not a blank character"));
1482 addToFunctionSummaryMap(
1483 "iscntrl", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1484 Summary(EvalCallAsPure)
1485 .Case({ArgumentCondition(0U, WithinRange, {{0, 32}, {127, 127}}),
1486 ReturnValueCondition(OutOfRange, SingleValue(0))},
1487 ErrnoIrrelevant,
1488 "Assuming the character is a control character")
1489 .Case({ArgumentCondition(0U, OutOfRange, {{0, 32}, {127, 127}}),
1490 ReturnValueCondition(WithinRange, SingleValue(0))},
1491 ErrnoIrrelevant,
1492 "Assuming the character is not a control character"));
1493 addToFunctionSummaryMap(
1494 "isdigit", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1495 Summary(EvalCallAsPure)
1496 .Case({ArgumentCondition(0U, WithinRange, Range('0', '9')),
1497 ReturnValueCondition(OutOfRange, SingleValue(0))},
1498 ErrnoIrrelevant, "Assuming the character is a digit")
1499 .Case({ArgumentCondition(0U, OutOfRange, Range('0', '9')),
1500 ReturnValueCondition(WithinRange, SingleValue(0))},
1501 ErrnoIrrelevant, "Assuming the character is not a digit"));
1502 addToFunctionSummaryMap(
1503 "isgraph", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1504 Summary(EvalCallAsPure)
1505 .Case({ArgumentCondition(0U, WithinRange, Range(33, 126)),
1506 ReturnValueCondition(OutOfRange, SingleValue(0))},
1507 ErrnoIrrelevant,
1508 "Assuming the character has graphical representation")
1509 .Case(
1510 {ArgumentCondition(0U, OutOfRange, Range(33, 126)),
1511 ReturnValueCondition(WithinRange, SingleValue(0))},
1512 ErrnoIrrelevant,
1513 "Assuming the character does not have graphical representation"));
1514 addToFunctionSummaryMap(
1515 "islower", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1516 Summary(EvalCallAsPure)
1517 // Is certainly lowercase.
1518 .Case({ArgumentCondition(0U, WithinRange, Range('a', 'z')),
1519 ReturnValueCondition(OutOfRange, SingleValue(0))},
1520 ErrnoIrrelevant, "Assuming the character is a lowercase letter")
1521 // Is ascii but not lowercase.
1522 .Case({ArgumentCondition(0U, WithinRange, Range(0, 127)),
1523 ArgumentCondition(0U, OutOfRange, Range('a', 'z')),
1524 ReturnValueCondition(WithinRange, SingleValue(0))},
1525 ErrnoIrrelevant,
1526 "Assuming the character is not a lowercase letter")
1527 // The locale-specific range.
1528 .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
1529 ErrnoIrrelevant)
1530 // Is not an unsigned char.
1531 .Case({ArgumentCondition(0U, OutOfRange, Range(0, UCharRangeMax)),
1532 ReturnValueCondition(WithinRange, SingleValue(0))},
1533 ErrnoIrrelevant));
1534 addToFunctionSummaryMap(
1535 "isprint", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1536 Summary(EvalCallAsPure)
1537 .Case({ArgumentCondition(0U, WithinRange, Range(32, 126)),
1538 ReturnValueCondition(OutOfRange, SingleValue(0))},
1539 ErrnoIrrelevant, "Assuming the character is printable")
1540 .Case({ArgumentCondition(0U, OutOfRange, Range(32, 126)),
1541 ReturnValueCondition(WithinRange, SingleValue(0))},
1542 ErrnoIrrelevant, "Assuming the character is non-printable"));
1543 addToFunctionSummaryMap(
1544 "ispunct", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1545 Summary(EvalCallAsPure)
1546 .Case({ArgumentCondition(
1547 0U, WithinRange,
1548 {{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}),
1549 ReturnValueCondition(OutOfRange, SingleValue(0))},
1550 ErrnoIrrelevant, "Assuming the character is a punctuation mark")
1551 .Case({ArgumentCondition(
1552 0U, OutOfRange,
1553 {{'!', '/'}, {':', '@'}, {'[', '`'}, {'{', '~'}}),
1554 ReturnValueCondition(WithinRange, SingleValue(0))},
1555 ErrnoIrrelevant,
1556 "Assuming the character is not a punctuation mark"));
1557 addToFunctionSummaryMap(
1558 "isspace", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1559 Summary(EvalCallAsPure)
1560 // Space, '\f', '\n', '\r', '\t', '\v'.
1561 .Case({ArgumentCondition(0U, WithinRange, {{9, 13}, {' ', ' '}}),
1562 ReturnValueCondition(OutOfRange, SingleValue(0))},
1563 ErrnoIrrelevant,
1564 "Assuming the character is a whitespace character")
1565 // The locale-specific range.
1566 .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
1567 ErrnoIrrelevant)
1568 .Case({ArgumentCondition(0U, OutOfRange,
1569 {{9, 13}, {' ', ' '}, {128, UCharRangeMax}}),
1570 ReturnValueCondition(WithinRange, SingleValue(0))},
1571 ErrnoIrrelevant,
1572 "Assuming the character is not a whitespace character"));
1573 addToFunctionSummaryMap(
1574 "isupper", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1575 Summary(EvalCallAsPure)
1576 // Is certainly uppercase.
1577 .Case({ArgumentCondition(0U, WithinRange, Range('A', 'Z')),
1578 ReturnValueCondition(OutOfRange, SingleValue(0))},
1579 ErrnoIrrelevant,
1580 "Assuming the character is an uppercase letter")
1581 // The locale-specific range.
1582 .Case({ArgumentCondition(0U, WithinRange, {{128, UCharRangeMax}})},
1583 ErrnoIrrelevant)
1584 // Other.
1585 .Case({ArgumentCondition(0U, OutOfRange,
1586 {{'A', 'Z'}, {128, UCharRangeMax}}),
1587 ReturnValueCondition(WithinRange, SingleValue(0))},
1588 ErrnoIrrelevant,
1589 "Assuming the character is not an uppercase letter"));
1590 addToFunctionSummaryMap(
1591 "isxdigit", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1592 Summary(EvalCallAsPure)
1593 .Case({ArgumentCondition(0U, WithinRange,
1594 {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),
1595 ReturnValueCondition(OutOfRange, SingleValue(0))},
1596 ErrnoIrrelevant,
1597 "Assuming the character is a hexadecimal digit")
1598 .Case({ArgumentCondition(0U, OutOfRange,
1599 {{'0', '9'}, {'A', 'F'}, {'a', 'f'}}),
1600 ReturnValueCondition(WithinRange, SingleValue(0))},
1601 ErrnoIrrelevant,
1602 "Assuming the character is not a hexadecimal digit"));
1603 addToFunctionSummaryMap(
1604 "toupper", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1605 Summary(EvalCallAsPure)
1606 .ArgConstraint(ArgumentCondition(
1607 0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
1608 addToFunctionSummaryMap(
1609 "tolower", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1610 Summary(EvalCallAsPure)
1611 .ArgConstraint(ArgumentCondition(
1612 0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
1613 addToFunctionSummaryMap(
1614 "toascii", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1615 Summary(EvalCallAsPure)
1616 .ArgConstraint(ArgumentCondition(
1617 0U, WithinRange, {{EOFv, EOFv}, {0, UCharRangeMax}})));
1618
1619 // The getc() family of functions that returns either a char or an EOF.
1620 addToFunctionSummaryMap(
1621 {"getc", "fgetc"}, Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
1622 Summary(NoEvalCall)
1623 .Case({ReturnValueCondition(WithinRange,
1624 {{EOFv, EOFv}, {0, UCharRangeMax}})},
1625 ErrnoIrrelevant));
1626 addToFunctionSummaryMap(
1627 "getchar", Signature(ArgTypes{}, RetType{IntTy}),
1628 Summary(NoEvalCall)
1629 .Case({ReturnValueCondition(WithinRange,
1630 {{EOFv, EOFv}, {0, UCharRangeMax}})},
1631 ErrnoIrrelevant));
1632
1633 // read()-like functions that never return more than buffer size.
1634 auto FreadSummary =
1635 Summary(NoEvalCall)
1636 .Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)),
1637 ArgumentCondition(2U, WithinRange, Range(1, SizeMax)),
1638 ReturnValueCondition(BO_LT, ArgNo(2)),
1639 ReturnValueCondition(WithinRange, Range(0, SizeMax))},
1640 ErrnoNEZeroIrrelevant)
1641 .Case({ArgumentCondition(1U, WithinRange, Range(1, SizeMax)),
1642 ReturnValueCondition(BO_EQ, ArgNo(2)),
1643 ReturnValueCondition(WithinRange, Range(0, SizeMax))},
1644 ErrnoMustNotBeChecked)
1645 .Case({ArgumentCondition(1U, WithinRange, SingleValue(0)),
1646 ReturnValueCondition(WithinRange, SingleValue(0))},
1647 ErrnoMustNotBeChecked)
1648 .ArgConstraint(NotNull(ArgNo(0)))
1649 .ArgConstraint(NotNull(ArgNo(3)))
1650 // FIXME: It should be allowed to have a null buffer if any of
1651 // args 1 or 2 are zero. Remove NotNull check of arg 0, add a check
1652 // for non-null buffer if non-zero size to BufferSizeConstraint?
1653 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1),
1654 /*BufSizeMultiplier=*/ArgNo(2)));
1655
1656 // size_t fread(void *restrict ptr, size_t size, size_t nitems,
1657 // FILE *restrict stream);
1658 addToFunctionSummaryMap(
1659 "fread",
1660 Signature(ArgTypes{VoidPtrRestrictTy, SizeTy, SizeTy, FilePtrRestrictTy},
1661 RetType{SizeTy}),
1662 FreadSummary);
1663 // size_t fwrite(const void *restrict ptr, size_t size, size_t nitems,
1664 // FILE *restrict stream);
1665 addToFunctionSummaryMap("fwrite",
1666 Signature(ArgTypes{ConstVoidPtrRestrictTy, SizeTy,
1667 SizeTy, FilePtrRestrictTy},
1668 RetType{SizeTy}),
1669 FreadSummary);
1670
1671 std::optional<QualType> Ssize_tTy = lookupTy("ssize_t");
1672 std::optional<RangeInt> Ssize_tMax = getMaxValue(Ssize_tTy);
1673
1674 auto ReadSummary =
1675 Summary(NoEvalCall)
1676 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
1677 ReturnValueCondition(WithinRange, Range(-1, Ssize_tMax))},
1678 ErrnoIrrelevant);
1679
1680 // FIXME these are actually defined by POSIX and not by the C standard, we
1681 // should handle them together with the rest of the POSIX functions.
1682 // ssize_t read(int fildes, void *buf, size_t nbyte);
1683 addToFunctionSummaryMap(
1684 "read", Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy}, RetType{Ssize_tTy}),
1685 ReadSummary);
1686 // ssize_t write(int fildes, const void *buf, size_t nbyte);
1687 addToFunctionSummaryMap(
1688 "write",
1689 Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy}, RetType{Ssize_tTy}),
1690 ReadSummary);
1691
1692 auto GetLineSummary =
1693 Summary(NoEvalCall)
1694 .Case({ReturnValueCondition(WithinRange,
1695 Range({-1, -1}, {1, Ssize_tMax}))},
1696 ErrnoIrrelevant);
1697
1698 QualType CharPtrPtrRestrictTy = getRestrictTy(getPointerTy(CharPtrTy));
1699
1700 // getline()-like functions either fail or read at least the delimiter.
1701 // FIXME these are actually defined by POSIX and not by the C standard, we
1702 // should handle them together with the rest of the POSIX functions.
1703 // ssize_t getline(char **restrict lineptr, size_t *restrict n,
1704 // FILE *restrict stream);
1705 addToFunctionSummaryMap(
1706 "getline",
1707 Signature(
1708 ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, FilePtrRestrictTy},
1709 RetType{Ssize_tTy}),
1710 GetLineSummary);
1711 // ssize_t getdelim(char **restrict lineptr, size_t *restrict n,
1712 // int delimiter, FILE *restrict stream);
1713 addToFunctionSummaryMap(
1714 "getdelim",
1715 Signature(ArgTypes{CharPtrPtrRestrictTy, SizePtrRestrictTy, IntTy,
1716 FilePtrRestrictTy},
1717 RetType{Ssize_tTy}),
1718 GetLineSummary);
1719
1720 {
1721 Summary GetenvSummary =
1722 Summary(NoEvalCall)
1723 .ArgConstraint(NotNull(ArgNo(0)))
1724 .Case({NotNull(Ret)}, ErrnoIrrelevant,
1725 "Assuming the environment variable exists");
1726 // In untrusted environments the envvar might not exist.
1727 if (!ShouldAssumeControlledEnvironment)
1728 GetenvSummary.Case({NotNull(Ret)->negate()}, ErrnoIrrelevant,
1729 "Assuming the environment variable does not exist");
1730
1731 // char *getenv(const char *name);
1732 addToFunctionSummaryMap(
1733 "getenv", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}),
1734 std::move(GetenvSummary));
1735 }
1736
1737 if (ModelPOSIX) {
1738 const auto ReturnsZeroOrMinusOne =
1739 ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, 0))};
1740 const auto ReturnsZero =
1741 ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(0))};
1742 const auto ReturnsMinusOne =
1743 ConstraintSet{ReturnValueCondition(WithinRange, SingleValue(-1))};
1744 const auto ReturnsNonnegative =
1745 ConstraintSet{ReturnValueCondition(WithinRange, Range(0, IntMax))};
1746 const auto ReturnsNonZero =
1747 ConstraintSet{ReturnValueCondition(OutOfRange, SingleValue(0))};
1748 const auto ReturnsFileDescriptor =
1749 ConstraintSet{ReturnValueCondition(WithinRange, Range(-1, IntMax))};
1750 const auto &ReturnsValidFileDescriptor = ReturnsNonnegative;
1751
1752 // FILE *fopen(const char *restrict pathname, const char *restrict mode);
1753 addToFunctionSummaryMap(
1754 "fopen",
1755 Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy},
1756 RetType{FilePtrTy}),
1757 Summary(NoEvalCall)
1758 .Case({NotNull(Ret)}, ErrnoMustNotBeChecked)
1759 .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant)
1760 .ArgConstraint(NotNull(ArgNo(0)))
1761 .ArgConstraint(NotNull(ArgNo(1))));
1762
1763 // FILE *tmpfile(void);
1764 addToFunctionSummaryMap("tmpfile",
1765 Signature(ArgTypes{}, RetType{FilePtrTy}),
1766 Summary(NoEvalCall)
1767 .Case({NotNull(Ret)}, ErrnoMustNotBeChecked)
1768 .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant));
1769
1770 // FILE *freopen(const char *restrict pathname, const char *restrict mode,
1771 // FILE *restrict stream);
1772 addToFunctionSummaryMap(
1773 "freopen",
1774 Signature(ArgTypes{ConstCharPtrRestrictTy, ConstCharPtrRestrictTy,
1775 FilePtrRestrictTy},
1776 RetType{FilePtrTy}),
1777 Summary(NoEvalCall)
1778 .Case({ReturnValueCondition(BO_EQ, ArgNo(2))},
1779 ErrnoMustNotBeChecked)
1780 .Case({IsNull(Ret)}, ErrnoNEZeroIrrelevant)
1781 .ArgConstraint(NotNull(ArgNo(1)))
1782 .ArgConstraint(NotNull(ArgNo(2))));
1783
1784 // int fclose(FILE *stream);
1785 addToFunctionSummaryMap(
1786 "fclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
1787 Summary(NoEvalCall)
1788 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1789 .Case({ReturnValueCondition(WithinRange, SingleValue(EOFv))},
1790 ErrnoNEZeroIrrelevant)
1791 .ArgConstraint(NotNull(ArgNo(0))));
1792
1793 // int fseek(FILE *stream, long offset, int whence);
1794 // FIXME: It can be possible to get the 'SEEK_' values (like EOFv) and use
1795 // these for condition of arg 2.
1796 // Now the range [0,2] is used (the `SEEK_*` constants are usually 0,1,2).
1797 addToFunctionSummaryMap(
1798 "fseek", Signature(ArgTypes{FilePtrTy, LongTy, IntTy}, RetType{IntTy}),
1799 Summary(NoEvalCall)
1800 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1801 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1802 .ArgConstraint(NotNull(ArgNo(0)))
1803 .ArgConstraint(ArgumentCondition(2, WithinRange, {{0, 2}})));
1804
1805 // int fgetpos(FILE *restrict stream, fpos_t *restrict pos);
1806 // From 'The Open Group Base Specifications Issue 7, 2018 edition':
1807 // "The fgetpos() function shall not change the setting of errno if
1808 // successful."
1809 addToFunctionSummaryMap(
1810 "fgetpos",
1811 Signature(ArgTypes{FilePtrRestrictTy, FPosTPtrRestrictTy},
1812 RetType{IntTy}),
1813 Summary(NoEvalCall)
1814 .Case(ReturnsZero, ErrnoUnchanged)
1815 .Case(ReturnsNonZero, ErrnoNEZeroIrrelevant)
1816 .ArgConstraint(NotNull(ArgNo(0)))
1817 .ArgConstraint(NotNull(ArgNo(1))));
1818
1819 // int fsetpos(FILE *stream, const fpos_t *pos);
1820 // From 'The Open Group Base Specifications Issue 7, 2018 edition':
1821 // "The fsetpos() function shall not change the setting of errno if
1822 // successful."
1823 addToFunctionSummaryMap(
1824 "fsetpos",
1825 Signature(ArgTypes{FilePtrTy, ConstFPosTPtrTy}, RetType{IntTy}),
1826 Summary(NoEvalCall)
1827 .Case(ReturnsZero, ErrnoUnchanged)
1828 .Case(ReturnsNonZero, ErrnoNEZeroIrrelevant)
1829 .ArgConstraint(NotNull(ArgNo(0)))
1830 .ArgConstraint(NotNull(ArgNo(1))));
1831
1832 // long ftell(FILE *stream);
1833 // From 'The Open Group Base Specifications Issue 7, 2018 edition':
1834 // "The ftell() function shall not change the setting of errno if
1835 // successful."
1836 addToFunctionSummaryMap(
1837 "ftell", Signature(ArgTypes{FilePtrTy}, RetType{LongTy}),
1838 Summary(NoEvalCall)
1839 .Case({ReturnValueCondition(WithinRange, Range(1, LongMax))},
1840 ErrnoUnchanged)
1841 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1842 .ArgConstraint(NotNull(ArgNo(0))));
1843
1844 // int fileno(FILE *stream);
1845 addToFunctionSummaryMap(
1846 "fileno", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
1847 Summary(NoEvalCall)
1848 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
1849 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1850 .ArgConstraint(NotNull(ArgNo(0))));
1851
1852 // void rewind(FILE *stream);
1853 // This function indicates error only by setting of 'errno'.
1854 addToFunctionSummaryMap("rewind",
1855 Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}),
1856 Summary(NoEvalCall)
1857 .Case({}, ErrnoMustBeChecked)
1858 .ArgConstraint(NotNull(ArgNo(0))));
1859
1860 // void clearerr(FILE *stream);
1861 addToFunctionSummaryMap(
1862 "clearerr", Signature(ArgTypes{FilePtrTy}, RetType{VoidTy}),
1863 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
1864
1865 // int feof(FILE *stream);
1866 addToFunctionSummaryMap(
1867 "feof", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
1868 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
1869
1870 // int ferror(FILE *stream);
1871 addToFunctionSummaryMap(
1872 "ferror", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
1873 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
1874
1875 // long a64l(const char *str64);
1876 addToFunctionSummaryMap(
1877 "a64l", Signature(ArgTypes{ConstCharPtrTy}, RetType{LongTy}),
1878 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
1879
1880 // char *l64a(long value);
1881 addToFunctionSummaryMap("l64a",
1882 Signature(ArgTypes{LongTy}, RetType{CharPtrTy}),
1883 Summary(NoEvalCall)
1884 .ArgConstraint(ArgumentCondition(
1885 0, WithinRange, Range(0, LongMax))));
1886
1887 // int access(const char *pathname, int amode);
1888 addToFunctionSummaryMap(
1889 "access", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{IntTy}),
1890 Summary(NoEvalCall)
1891 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1892 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1893 .ArgConstraint(NotNull(ArgNo(0))));
1894
1895 // int faccessat(int dirfd, const char *pathname, int mode, int flags);
1896 addToFunctionSummaryMap(
1897 "faccessat",
1898 Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, IntTy},
1899 RetType{IntTy}),
1900 Summary(NoEvalCall)
1901 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1902 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1903 .ArgConstraint(NotNull(ArgNo(1))));
1904
1905 // int dup(int fildes);
1906 addToFunctionSummaryMap(
1907 "dup", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1908 Summary(NoEvalCall)
1909 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
1910 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1911 .ArgConstraint(
1912 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
1913
1914 // int dup2(int fildes1, int filedes2);
1915 addToFunctionSummaryMap(
1916 "dup2", Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}),
1917 Summary(NoEvalCall)
1918 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
1919 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1920 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
1921 .ArgConstraint(
1922 ArgumentCondition(1, WithinRange, Range(0, IntMax))));
1923
1924 // int fdatasync(int fildes);
1925 addToFunctionSummaryMap("fdatasync",
1926 Signature(ArgTypes{IntTy}, RetType{IntTy}),
1927 Summary(NoEvalCall)
1928 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1929 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1930 .ArgConstraint(ArgumentCondition(
1931 0, WithinRange, Range(0, IntMax))));
1932
1933 // int fnmatch(const char *pattern, const char *string, int flags);
1934 addToFunctionSummaryMap(
1935 "fnmatch",
1936 Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy, IntTy},
1937 RetType{IntTy}),
1938 Summary(NoEvalCall)
1939 .ArgConstraint(NotNull(ArgNo(0)))
1940 .ArgConstraint(NotNull(ArgNo(1))));
1941
1942 // int fsync(int fildes);
1943 addToFunctionSummaryMap("fsync", Signature(ArgTypes{IntTy}, RetType{IntTy}),
1944 Summary(NoEvalCall)
1945 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1946 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1947 .ArgConstraint(ArgumentCondition(
1948 0, WithinRange, Range(0, IntMax))));
1949
1950 std::optional<QualType> Off_tTy = lookupTy("off_t");
1951
1952 // int truncate(const char *path, off_t length);
1953 addToFunctionSummaryMap(
1954 "truncate",
1955 Signature(ArgTypes{ConstCharPtrTy, Off_tTy}, RetType{IntTy}),
1956 Summary(NoEvalCall)
1957 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1958 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1959 .ArgConstraint(NotNull(ArgNo(0))));
1960
1961 // int symlink(const char *oldpath, const char *newpath);
1962 addToFunctionSummaryMap(
1963 "symlink",
1964 Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{IntTy}),
1965 Summary(NoEvalCall)
1966 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1967 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1968 .ArgConstraint(NotNull(ArgNo(0)))
1969 .ArgConstraint(NotNull(ArgNo(1))));
1970
1971 // int symlinkat(const char *oldpath, int newdirfd, const char *newpath);
1972 addToFunctionSummaryMap(
1973 "symlinkat",
1974 Signature(ArgTypes{ConstCharPtrTy, IntTy, ConstCharPtrTy},
1975 RetType{IntTy}),
1976 Summary(NoEvalCall)
1977 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1978 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1979 .ArgConstraint(NotNull(ArgNo(0)))
1980 .ArgConstraint(ArgumentCondition(1, WithinRange, Range(0, IntMax)))
1981 .ArgConstraint(NotNull(ArgNo(2))));
1982
1983 // int lockf(int fd, int cmd, off_t len);
1984 addToFunctionSummaryMap(
1985 "lockf", Signature(ArgTypes{IntTy, IntTy, Off_tTy}, RetType{IntTy}),
1986 Summary(NoEvalCall)
1987 .Case(ReturnsZero, ErrnoMustNotBeChecked)
1988 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
1989 .ArgConstraint(
1990 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
1991
1992 std::optional<QualType> Mode_tTy = lookupTy("mode_t");
1993
1994 // int creat(const char *pathname, mode_t mode);
1995 addToFunctionSummaryMap(
1996 "creat", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
1997 Summary(NoEvalCall)
1998 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
1999 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2000 .ArgConstraint(NotNull(ArgNo(0))));
2001
2002 // unsigned int sleep(unsigned int seconds);
2003 addToFunctionSummaryMap(
2004 "sleep", Signature(ArgTypes{UnsignedIntTy}, RetType{UnsignedIntTy}),
2005 Summary(NoEvalCall)
2006 .ArgConstraint(
2007 ArgumentCondition(0, WithinRange, Range(0, UnsignedIntMax))));
2008
2009 std::optional<QualType> DirTy = lookupTy("DIR");
2010 std::optional<QualType> DirPtrTy = getPointerTy(DirTy);
2011
2012 // int dirfd(DIR *dirp);
2013 addToFunctionSummaryMap(
2014 "dirfd", Signature(ArgTypes{DirPtrTy}, RetType{IntTy}),
2015 Summary(NoEvalCall)
2016 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
2017 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2018 .ArgConstraint(NotNull(ArgNo(0))));
2019
2020 // unsigned int alarm(unsigned int seconds);
2021 addToFunctionSummaryMap(
2022 "alarm", Signature(ArgTypes{UnsignedIntTy}, RetType{UnsignedIntTy}),
2023 Summary(NoEvalCall)
2024 .ArgConstraint(
2025 ArgumentCondition(0, WithinRange, Range(0, UnsignedIntMax))));
2026
2027 // int closedir(DIR *dir);
2028 addToFunctionSummaryMap("closedir",
2029 Signature(ArgTypes{DirPtrTy}, RetType{IntTy}),
2030 Summary(NoEvalCall)
2031 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2032 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2033 .ArgConstraint(NotNull(ArgNo(0))));
2034
2035 // char *strdup(const char *s);
2036 addToFunctionSummaryMap(
2037 "strdup", Signature(ArgTypes{ConstCharPtrTy}, RetType{CharPtrTy}),
2038 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2039
2040 // char *strndup(const char *s, size_t n);
2041 addToFunctionSummaryMap(
2042 "strndup",
2043 Signature(ArgTypes{ConstCharPtrTy, SizeTy}, RetType{CharPtrTy}),
2044 Summary(NoEvalCall)
2045 .ArgConstraint(NotNull(ArgNo(0)))
2046 .ArgConstraint(
2047 ArgumentCondition(1, WithinRange, Range(0, SizeMax))));
2048
2049 // wchar_t *wcsdup(const wchar_t *s);
2050 addToFunctionSummaryMap(
2051 "wcsdup", Signature(ArgTypes{ConstWchar_tPtrTy}, RetType{Wchar_tPtrTy}),
2052 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2053
2054 // int mkstemp(char *template);
2055 addToFunctionSummaryMap(
2056 "mkstemp", Signature(ArgTypes{CharPtrTy}, RetType{IntTy}),
2057 Summary(NoEvalCall)
2058 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
2059 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2060 .ArgConstraint(NotNull(ArgNo(0))));
2061
2062 // char *mkdtemp(char *template);
2063 // FIXME: Improve for errno modeling.
2064 addToFunctionSummaryMap(
2065 "mkdtemp", Signature(ArgTypes{CharPtrTy}, RetType{CharPtrTy}),
2066 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2067
2068 // char *getcwd(char *buf, size_t size);
2069 // FIXME: Improve for errno modeling.
2070 addToFunctionSummaryMap(
2071 "getcwd", Signature(ArgTypes{CharPtrTy, SizeTy}, RetType{CharPtrTy}),
2072 Summary(NoEvalCall)
2073 .ArgConstraint(
2074 ArgumentCondition(1, WithinRange, Range(0, SizeMax))));
2075
2076 // int mkdir(const char *pathname, mode_t mode);
2077 addToFunctionSummaryMap(
2078 "mkdir", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
2079 Summary(NoEvalCall)
2080 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2081 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2082 .ArgConstraint(NotNull(ArgNo(0))));
2083
2084 // int mkdirat(int dirfd, const char *pathname, mode_t mode);
2085 addToFunctionSummaryMap(
2086 "mkdirat",
2087 Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
2088 Summary(NoEvalCall)
2089 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2090 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2091 .ArgConstraint(NotNull(ArgNo(1))));
2092
2093 std::optional<QualType> Dev_tTy = lookupTy("dev_t");
2094
2095 // int mknod(const char *pathname, mode_t mode, dev_t dev);
2096 addToFunctionSummaryMap(
2097 "mknod",
2098 Signature(ArgTypes{ConstCharPtrTy, Mode_tTy, Dev_tTy}, RetType{IntTy}),
2099 Summary(NoEvalCall)
2100 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2101 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2102 .ArgConstraint(NotNull(ArgNo(0))));
2103
2104 // int mknodat(int dirfd, const char *pathname, mode_t mode, dev_t dev);
2105 addToFunctionSummaryMap(
2106 "mknodat",
2107 Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy, Dev_tTy},
2108 RetType{IntTy}),
2109 Summary(NoEvalCall)
2110 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2111 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2112 .ArgConstraint(NotNull(ArgNo(1))));
2113
2114 // int chmod(const char *path, mode_t mode);
2115 addToFunctionSummaryMap(
2116 "chmod", Signature(ArgTypes{ConstCharPtrTy, Mode_tTy}, RetType{IntTy}),
2117 Summary(NoEvalCall)
2118 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2119 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2120 .ArgConstraint(NotNull(ArgNo(0))));
2121
2122 // int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags);
2123 addToFunctionSummaryMap(
2124 "fchmodat",
2125 Signature(ArgTypes{IntTy, ConstCharPtrTy, Mode_tTy, IntTy},
2126 RetType{IntTy}),
2127 Summary(NoEvalCall)
2128 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2129 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2130 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2131 .ArgConstraint(NotNull(ArgNo(1))));
2132
2133 // int fchmod(int fildes, mode_t mode);
2134 addToFunctionSummaryMap(
2135 "fchmod", Signature(ArgTypes{IntTy, Mode_tTy}, RetType{IntTy}),
2136 Summary(NoEvalCall)
2137 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2138 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2139 .ArgConstraint(
2140 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2141
2142 std::optional<QualType> Uid_tTy = lookupTy("uid_t");
2143 std::optional<QualType> Gid_tTy = lookupTy("gid_t");
2144
2145 // int fchownat(int dirfd, const char *pathname, uid_t owner, gid_t group,
2146 // int flags);
2147 addToFunctionSummaryMap(
2148 "fchownat",
2149 Signature(ArgTypes{IntTy, ConstCharPtrTy, Uid_tTy, Gid_tTy, IntTy},
2150 RetType{IntTy}),
2151 Summary(NoEvalCall)
2152 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2153 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2154 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2155 .ArgConstraint(NotNull(ArgNo(1))));
2156
2157 // int chown(const char *path, uid_t owner, gid_t group);
2158 addToFunctionSummaryMap(
2159 "chown",
2160 Signature(ArgTypes{ConstCharPtrTy, Uid_tTy, Gid_tTy}, RetType{IntTy}),
2161 Summary(NoEvalCall)
2162 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2163 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2164 .ArgConstraint(NotNull(ArgNo(0))));
2165
2166 // int lchown(const char *path, uid_t owner, gid_t group);
2167 addToFunctionSummaryMap(
2168 "lchown",
2169 Signature(ArgTypes{ConstCharPtrTy, Uid_tTy, Gid_tTy}, RetType{IntTy}),
2170 Summary(NoEvalCall)
2171 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2172 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2173 .ArgConstraint(NotNull(ArgNo(0))));
2174
2175 // int fchown(int fildes, uid_t owner, gid_t group);
2176 addToFunctionSummaryMap(
2177 "fchown", Signature(ArgTypes{IntTy, Uid_tTy, Gid_tTy}, RetType{IntTy}),
2178 Summary(NoEvalCall)
2179 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2180 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2181 .ArgConstraint(
2182 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2183
2184 // int rmdir(const char *pathname);
2185 addToFunctionSummaryMap("rmdir",
2186 Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}),
2187 Summary(NoEvalCall)
2188 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2189 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2190 .ArgConstraint(NotNull(ArgNo(0))));
2191
2192 // int chdir(const char *path);
2193 addToFunctionSummaryMap("chdir",
2194 Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}),
2195 Summary(NoEvalCall)
2196 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2197 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2198 .ArgConstraint(NotNull(ArgNo(0))));
2199
2200 // int link(const char *oldpath, const char *newpath);
2201 addToFunctionSummaryMap(
2202 "link",
2203 Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{IntTy}),
2204 Summary(NoEvalCall)
2205 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2206 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2207 .ArgConstraint(NotNull(ArgNo(0)))
2208 .ArgConstraint(NotNull(ArgNo(1))));
2209
2210 // int linkat(int fd1, const char *path1, int fd2, const char *path2,
2211 // int flag);
2212 addToFunctionSummaryMap(
2213 "linkat",
2214 Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, ConstCharPtrTy, IntTy},
2215 RetType{IntTy}),
2216 Summary(NoEvalCall)
2217 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2218 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2219 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2220 .ArgConstraint(NotNull(ArgNo(1)))
2221 .ArgConstraint(ArgumentCondition(2, WithinRange, Range(0, IntMax)))
2222 .ArgConstraint(NotNull(ArgNo(3))));
2223
2224 // int unlink(const char *pathname);
2225 addToFunctionSummaryMap("unlink",
2226 Signature(ArgTypes{ConstCharPtrTy}, RetType{IntTy}),
2227 Summary(NoEvalCall)
2228 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2229 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2230 .ArgConstraint(NotNull(ArgNo(0))));
2231
2232 // int unlinkat(int fd, const char *path, int flag);
2233 addToFunctionSummaryMap(
2234 "unlinkat",
2235 Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy}, RetType{IntTy}),
2236 Summary(NoEvalCall)
2237 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2238 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2239 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2240 .ArgConstraint(NotNull(ArgNo(1))));
2241
2242 std::optional<QualType> StructStatTy = lookupTy("stat");
2243 std::optional<QualType> StructStatPtrTy = getPointerTy(StructStatTy);
2244 std::optional<QualType> StructStatPtrRestrictTy =
2245 getRestrictTy(StructStatPtrTy);
2246
2247 // int fstat(int fd, struct stat *statbuf);
2248 addToFunctionSummaryMap(
2249 "fstat", Signature(ArgTypes{IntTy, StructStatPtrTy}, RetType{IntTy}),
2250 Summary(NoEvalCall)
2251 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2252 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2253 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2254 .ArgConstraint(NotNull(ArgNo(1))));
2255
2256 // int stat(const char *restrict path, struct stat *restrict buf);
2257 addToFunctionSummaryMap(
2258 "stat",
2259 Signature(ArgTypes{ConstCharPtrRestrictTy, StructStatPtrRestrictTy},
2260 RetType{IntTy}),
2261 Summary(NoEvalCall)
2262 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2263 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2264 .ArgConstraint(NotNull(ArgNo(0)))
2265 .ArgConstraint(NotNull(ArgNo(1))));
2266
2267 // int lstat(const char *restrict path, struct stat *restrict buf);
2268 addToFunctionSummaryMap(
2269 "lstat",
2270 Signature(ArgTypes{ConstCharPtrRestrictTy, StructStatPtrRestrictTy},
2271 RetType{IntTy}),
2272 Summary(NoEvalCall)
2273 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2274 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2275 .ArgConstraint(NotNull(ArgNo(0)))
2276 .ArgConstraint(NotNull(ArgNo(1))));
2277
2278 // int fstatat(int fd, const char *restrict path,
2279 // struct stat *restrict buf, int flag);
2280 addToFunctionSummaryMap(
2281 "fstatat",
2282 Signature(ArgTypes{IntTy, ConstCharPtrRestrictTy,
2283 StructStatPtrRestrictTy, IntTy},
2284 RetType{IntTy}),
2285 Summary(NoEvalCall)
2286 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2287 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2288 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2289 .ArgConstraint(NotNull(ArgNo(1)))
2290 .ArgConstraint(NotNull(ArgNo(2))));
2291
2292 // DIR *opendir(const char *name);
2293 // FIXME: Improve for errno modeling.
2294 addToFunctionSummaryMap(
2295 "opendir", Signature(ArgTypes{ConstCharPtrTy}, RetType{DirPtrTy}),
2296 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2297
2298 // DIR *fdopendir(int fd);
2299 // FIXME: Improve for errno modeling.
2300 addToFunctionSummaryMap("fdopendir",
2301 Signature(ArgTypes{IntTy}, RetType{DirPtrTy}),
2302 Summary(NoEvalCall)
2303 .ArgConstraint(ArgumentCondition(
2304 0, WithinRange, Range(0, IntMax))));
2305
2306 // int isatty(int fildes);
2307 addToFunctionSummaryMap(
2308 "isatty", Signature(ArgTypes{IntTy}, RetType{IntTy}),
2309 Summary(NoEvalCall)
2310 .Case({ReturnValueCondition(WithinRange, Range(0, 1))},
2311 ErrnoIrrelevant)
2312 .ArgConstraint(
2313 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2314
2315 // FILE *popen(const char *command, const char *type);
2316 // FIXME: Improve for errno modeling.
2317 addToFunctionSummaryMap(
2318 "popen",
2319 Signature(ArgTypes{ConstCharPtrTy, ConstCharPtrTy}, RetType{FilePtrTy}),
2320 Summary(NoEvalCall)
2321 .ArgConstraint(NotNull(ArgNo(0)))
2322 .ArgConstraint(NotNull(ArgNo(1))));
2323
2324 // int pclose(FILE *stream);
2325 // FIXME: Improve for errno modeling.
2326 addToFunctionSummaryMap(
2327 "pclose", Signature(ArgTypes{FilePtrTy}, RetType{IntTy}),
2328 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2329
2330 // int close(int fildes);
2331 addToFunctionSummaryMap("close", Signature(ArgTypes{IntTy}, RetType{IntTy}),
2332 Summary(NoEvalCall)
2333 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2334 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2335 .ArgConstraint(ArgumentCondition(
2336 0, WithinRange, Range(-1, IntMax))));
2337
2338 // long fpathconf(int fildes, int name);
2339 addToFunctionSummaryMap("fpathconf",
2340 Signature(ArgTypes{IntTy, IntTy}, RetType{LongTy}),
2341 Summary(NoEvalCall)
2342 .ArgConstraint(ArgumentCondition(
2343 0, WithinRange, Range(0, IntMax))));
2344
2345 // long pathconf(const char *path, int name);
2346 addToFunctionSummaryMap(
2347 "pathconf", Signature(ArgTypes{ConstCharPtrTy, IntTy}, RetType{LongTy}),
2348 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2349
2350 // FILE *fdopen(int fd, const char *mode);
2351 // FIXME: Improve for errno modeling.
2352 addToFunctionSummaryMap(
2353 "fdopen",
2354 Signature(ArgTypes{IntTy, ConstCharPtrTy}, RetType{FilePtrTy}),
2355 Summary(NoEvalCall)
2356 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2357 .ArgConstraint(NotNull(ArgNo(1))));
2358
2359 // void rewinddir(DIR *dir);
2360 addToFunctionSummaryMap(
2361 "rewinddir", Signature(ArgTypes{DirPtrTy}, RetType{VoidTy}),
2362 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2363
2364 // void seekdir(DIR *dirp, long loc);
2365 addToFunctionSummaryMap(
2366 "seekdir", Signature(ArgTypes{DirPtrTy, LongTy}, RetType{VoidTy}),
2367 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2368
2369 // int rand_r(unsigned int *seedp);
2370 addToFunctionSummaryMap(
2371 "rand_r", Signature(ArgTypes{UnsignedIntPtrTy}, RetType{IntTy}),
2372 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2373
2374 // int fseeko(FILE *stream, off_t offset, int whence);
2375 addToFunctionSummaryMap(
2376 "fseeko",
2377 Signature(ArgTypes{FilePtrTy, Off_tTy, IntTy}, RetType{IntTy}),
2378 Summary(NoEvalCall)
2379 .Case(ReturnsZeroOrMinusOne, ErrnoIrrelevant)
2380 .ArgConstraint(NotNull(ArgNo(0))));
2381
2382 // off_t ftello(FILE *stream);
2383 addToFunctionSummaryMap(
2384 "ftello", Signature(ArgTypes{FilePtrTy}, RetType{Off_tTy}),
2385 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2386
2387 // void *mmap(void *addr, size_t length, int prot, int flags, int fd,
2388 // off_t offset);
2389 // FIXME: Improve for errno modeling.
2390 addToFunctionSummaryMap(
2391 "mmap",
2392 Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off_tTy},
2393 RetType{VoidPtrTy}),
2394 Summary(NoEvalCall)
2395 .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax)))
2396 .ArgConstraint(
2397 ArgumentCondition(4, WithinRange, Range(-1, IntMax))));
2398
2399 std::optional<QualType> Off64_tTy = lookupTy("off64_t");
2400 // void *mmap64(void *addr, size_t length, int prot, int flags, int fd,
2401 // off64_t offset);
2402 // FIXME: Improve for errno modeling.
2403 addToFunctionSummaryMap(
2404 "mmap64",
2405 Signature(ArgTypes{VoidPtrTy, SizeTy, IntTy, IntTy, IntTy, Off64_tTy},
2406 RetType{VoidPtrTy}),
2407 Summary(NoEvalCall)
2408 .ArgConstraint(ArgumentCondition(1, WithinRange, Range(1, SizeMax)))
2409 .ArgConstraint(
2410 ArgumentCondition(4, WithinRange, Range(-1, IntMax))));
2411
2412 // int pipe(int fildes[2]);
2413 addToFunctionSummaryMap("pipe",
2414 Signature(ArgTypes{IntPtrTy}, RetType{IntTy}),
2415 Summary(NoEvalCall)
2416 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2417 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2418 .ArgConstraint(NotNull(ArgNo(0))));
2419
2420 // off_t lseek(int fildes, off_t offset, int whence);
2421 // In the first case we can not tell for sure if it failed or not.
2422 // A return value different from of the expected offset (that is unknown
2423 // here) may indicate failure. For this reason we do not enforce the errno
2424 // check (can cause false positive).
2425 addToFunctionSummaryMap(
2426 "lseek", Signature(ArgTypes{IntTy, Off_tTy, IntTy}, RetType{Off_tTy}),
2427 Summary(NoEvalCall)
2428 .Case(ReturnsNonnegative, ErrnoIrrelevant)
2429 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2430 .ArgConstraint(
2431 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2432
2433 // ssize_t readlink(const char *restrict path, char *restrict buf,
2434 // size_t bufsize);
2435 addToFunctionSummaryMap(
2436 "readlink",
2437 Signature(ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy},
2438 RetType{Ssize_tTy}),
2439 Summary(NoEvalCall)
2440 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
2441 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2442 ErrnoMustNotBeChecked)
2443 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2444 .ArgConstraint(NotNull(ArgNo(0)))
2445 .ArgConstraint(NotNull(ArgNo(1)))
2446 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2447 /*BufSize=*/ArgNo(2)))
2448 .ArgConstraint(
2449 ArgumentCondition(2, WithinRange, Range(0, SizeMax))));
2450
2451 // ssize_t readlinkat(int fd, const char *restrict path,
2452 // char *restrict buf, size_t bufsize);
2453 addToFunctionSummaryMap(
2454 "readlinkat",
2455 Signature(
2456 ArgTypes{IntTy, ConstCharPtrRestrictTy, CharPtrRestrictTy, SizeTy},
2457 RetType{Ssize_tTy}),
2458 Summary(NoEvalCall)
2459 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(3)),
2460 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2461 ErrnoMustNotBeChecked)
2462 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2463 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2464 .ArgConstraint(NotNull(ArgNo(1)))
2465 .ArgConstraint(NotNull(ArgNo(2)))
2466 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(2),
2467 /*BufSize=*/ArgNo(3)))
2468 .ArgConstraint(
2469 ArgumentCondition(3, WithinRange, Range(0, SizeMax))));
2470
2471 // int renameat(int olddirfd, const char *oldpath, int newdirfd, const char
2472 // *newpath);
2473 addToFunctionSummaryMap(
2474 "renameat",
2475 Signature(ArgTypes{IntTy, ConstCharPtrTy, IntTy, ConstCharPtrTy},
2476 RetType{IntTy}),
2477 Summary(NoEvalCall)
2478 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2479 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2480 .ArgConstraint(NotNull(ArgNo(1)))
2481 .ArgConstraint(NotNull(ArgNo(3))));
2482
2483 // char *realpath(const char *restrict file_name,
2484 // char *restrict resolved_name);
2485 // FIXME: Improve for errno modeling.
2486 addToFunctionSummaryMap(
2487 "realpath",
2488 Signature(ArgTypes{ConstCharPtrRestrictTy, CharPtrRestrictTy},
2489 RetType{CharPtrTy}),
2490 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2491
2492 QualType CharPtrConstPtr = getPointerTy(getConstTy(CharPtrTy));
2493
2494 // int execv(const char *path, char *const argv[]);
2495 addToFunctionSummaryMap(
2496 "execv",
2497 Signature(ArgTypes{ConstCharPtrTy, CharPtrConstPtr}, RetType{IntTy}),
2498 Summary(NoEvalCall)
2499 .Case({ReturnValueCondition(WithinRange, SingleValue(-1))},
2500 ErrnoIrrelevant)
2501 .ArgConstraint(NotNull(ArgNo(0))));
2502
2503 // int execvp(const char *file, char *const argv[]);
2504 addToFunctionSummaryMap(
2505 "execvp",
2506 Signature(ArgTypes{ConstCharPtrTy, CharPtrConstPtr}, RetType{IntTy}),
2507 Summary(NoEvalCall)
2508 .Case({ReturnValueCondition(WithinRange, SingleValue(-1))},
2509 ErrnoIrrelevant)
2510 .ArgConstraint(NotNull(ArgNo(0))));
2511
2512 // int getopt(int argc, char * const argv[], const char *optstring);
2513 addToFunctionSummaryMap(
2514 "getopt",
2515 Signature(ArgTypes{IntTy, CharPtrConstPtr, ConstCharPtrTy},
2516 RetType{IntTy}),
2517 Summary(NoEvalCall)
2518 .Case({ReturnValueCondition(WithinRange, Range(-1, UCharRangeMax))},
2519 ErrnoIrrelevant)
2520 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2521 .ArgConstraint(NotNull(ArgNo(1)))
2522 .ArgConstraint(NotNull(ArgNo(2))));
2523
2524 std::optional<QualType> StructSockaddrTy = lookupTy("sockaddr");
2525 std::optional<QualType> StructSockaddrPtrTy =
2526 getPointerTy(StructSockaddrTy);
2527 std::optional<QualType> ConstStructSockaddrPtrTy =
2528 getPointerTy(getConstTy(StructSockaddrTy));
2529 std::optional<QualType> StructSockaddrPtrRestrictTy =
2530 getRestrictTy(StructSockaddrPtrTy);
2531 std::optional<QualType> ConstStructSockaddrPtrRestrictTy =
2532 getRestrictTy(ConstStructSockaddrPtrTy);
2533 std::optional<QualType> Socklen_tTy = lookupTy("socklen_t");
2534 std::optional<QualType> Socklen_tPtrTy = getPointerTy(Socklen_tTy);
2535 std::optional<QualType> Socklen_tPtrRestrictTy =
2536 getRestrictTy(Socklen_tPtrTy);
2537 std::optional<RangeInt> Socklen_tMax = getMaxValue(Socklen_tTy);
2538
2539 // In 'socket.h' of some libc implementations with C99, sockaddr parameter
2540 // is a transparent union of the underlying sockaddr_ family of pointers
2541 // instead of being a pointer to struct sockaddr. In these cases, the
2542 // standardized signature will not match, thus we try to match with another
2543 // signature that has the joker Irrelevant type. We also remove those
2544 // constraints which require pointer types for the sockaddr param.
2545 auto Accept =
2546 Summary(NoEvalCall)
2547 .Case(ReturnsValidFileDescriptor, ErrnoMustNotBeChecked)
2548 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2549 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)));
2550 if (!addToFunctionSummaryMap(
2551 "accept",
2552 // int accept(int socket, struct sockaddr *restrict address,
2553 // socklen_t *restrict address_len);
2554 Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy,
2555 Socklen_tPtrRestrictTy},
2556 RetType{IntTy}),
2557 Accept))
2558 addToFunctionSummaryMap(
2559 "accept",
2560 Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy},
2561 RetType{IntTy}),
2562 Accept);
2563
2564 // int bind(int socket, const struct sockaddr *address, socklen_t
2565 // address_len);
2566 if (!addToFunctionSummaryMap(
2567 "bind",
2568 Signature(ArgTypes{IntTy, ConstStructSockaddrPtrTy, Socklen_tTy},
2569 RetType{IntTy}),
2570 Summary(NoEvalCall)
2571 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2572 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2573 .ArgConstraint(
2574 ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2575 .ArgConstraint(NotNull(ArgNo(1)))
2576 .ArgConstraint(
2577 BufferSize(/*Buffer=*/ArgNo(1), /*BufSize=*/ArgNo(2)))
2578 .ArgConstraint(
2579 ArgumentCondition(2, WithinRange, Range(0, Socklen_tMax)))))
2580 // Do not add constraints on sockaddr.
2581 addToFunctionSummaryMap(
2582 "bind",
2583 Signature(ArgTypes{IntTy, Irrelevant, Socklen_tTy}, RetType{IntTy}),
2584 Summary(NoEvalCall)
2585 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2586 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2587 .ArgConstraint(
2588 ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2589 .ArgConstraint(
2590 ArgumentCondition(2, WithinRange, Range(0, Socklen_tMax))));
2591
2592 // int getpeername(int socket, struct sockaddr *restrict address,
2593 // socklen_t *restrict address_len);
2594 if (!addToFunctionSummaryMap(
2595 "getpeername",
2596 Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy,
2597 Socklen_tPtrRestrictTy},
2598 RetType{IntTy}),
2599 Summary(NoEvalCall)
2600 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2601 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2602 .ArgConstraint(
2603 ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2604 .ArgConstraint(NotNull(ArgNo(1)))
2605 .ArgConstraint(NotNull(ArgNo(2)))))
2606 addToFunctionSummaryMap(
2607 "getpeername",
2608 Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy},
2609 RetType{IntTy}),
2610 Summary(NoEvalCall)
2611 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2612 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2613 .ArgConstraint(
2614 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2615
2616 // int getsockname(int socket, struct sockaddr *restrict address,
2617 // socklen_t *restrict address_len);
2618 if (!addToFunctionSummaryMap(
2619 "getsockname",
2620 Signature(ArgTypes{IntTy, StructSockaddrPtrRestrictTy,
2621 Socklen_tPtrRestrictTy},
2622 RetType{IntTy}),
2623 Summary(NoEvalCall)
2624 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2625 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2626 .ArgConstraint(
2627 ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2628 .ArgConstraint(NotNull(ArgNo(1)))
2629 .ArgConstraint(NotNull(ArgNo(2)))))
2630 addToFunctionSummaryMap(
2631 "getsockname",
2632 Signature(ArgTypes{IntTy, Irrelevant, Socklen_tPtrRestrictTy},
2633 RetType{IntTy}),
2634 Summary(NoEvalCall)
2635 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2636 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2637 .ArgConstraint(
2638 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2639
2640 // int connect(int socket, const struct sockaddr *address, socklen_t
2641 // address_len);
2642 if (!addToFunctionSummaryMap(
2643 "connect",
2644 Signature(ArgTypes{IntTy, ConstStructSockaddrPtrTy, Socklen_tTy},
2645 RetType{IntTy}),
2646 Summary(NoEvalCall)
2647 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2648 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2649 .ArgConstraint(
2650 ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2651 .ArgConstraint(NotNull(ArgNo(1)))))
2652 addToFunctionSummaryMap(
2653 "connect",
2654 Signature(ArgTypes{IntTy, Irrelevant, Socklen_tTy}, RetType{IntTy}),
2655 Summary(NoEvalCall)
2656 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2657 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2658 .ArgConstraint(
2659 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2660
2661 auto Recvfrom =
2662 Summary(NoEvalCall)
2663 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
2664 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2665 ErrnoMustNotBeChecked)
2666 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2667 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2668 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2669 /*BufSize=*/ArgNo(2)));
2670 if (!addToFunctionSummaryMap(
2671 "recvfrom",
2672 // ssize_t recvfrom(int socket, void *restrict buffer,
2673 // size_t length,
2674 // int flags, struct sockaddr *restrict address,
2675 // socklen_t *restrict address_len);
2676 Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy,
2677 StructSockaddrPtrRestrictTy,
2678 Socklen_tPtrRestrictTy},
2679 RetType{Ssize_tTy}),
2680 Recvfrom))
2681 addToFunctionSummaryMap(
2682 "recvfrom",
2683 Signature(ArgTypes{IntTy, VoidPtrRestrictTy, SizeTy, IntTy,
2684 Irrelevant, Socklen_tPtrRestrictTy},
2685 RetType{Ssize_tTy}),
2686 Recvfrom);
2687
2688 auto Sendto =
2689 Summary(NoEvalCall)
2690 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
2691 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2692 ErrnoMustNotBeChecked)
2693 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2694 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2695 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2696 /*BufSize=*/ArgNo(2)));
2697 if (!addToFunctionSummaryMap(
2698 "sendto",
2699 // ssize_t sendto(int socket, const void *message, size_t length,
2700 // int flags, const struct sockaddr *dest_addr,
2701 // socklen_t dest_len);
2702 Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy,
2703 ConstStructSockaddrPtrTy, Socklen_tTy},
2704 RetType{Ssize_tTy}),
2705 Sendto))
2706 addToFunctionSummaryMap(
2707 "sendto",
2708 Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy, Irrelevant,
2709 Socklen_tTy},
2710 RetType{Ssize_tTy}),
2711 Sendto);
2712
2713 // int listen(int sockfd, int backlog);
2714 addToFunctionSummaryMap("listen",
2715 Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}),
2716 Summary(NoEvalCall)
2717 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2718 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2719 .ArgConstraint(ArgumentCondition(
2720 0, WithinRange, Range(0, IntMax))));
2721
2722 // ssize_t recv(int sockfd, void *buf, size_t len, int flags);
2723 addToFunctionSummaryMap(
2724 "recv",
2725 Signature(ArgTypes{IntTy, VoidPtrTy, SizeTy, IntTy},
2726 RetType{Ssize_tTy}),
2727 Summary(NoEvalCall)
2728 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
2729 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2730 ErrnoMustNotBeChecked)
2731 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2732 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2733 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2734 /*BufSize=*/ArgNo(2))));
2735
2736 std::optional<QualType> StructMsghdrTy = lookupTy("msghdr");
2737 std::optional<QualType> StructMsghdrPtrTy = getPointerTy(StructMsghdrTy);
2738 std::optional<QualType> ConstStructMsghdrPtrTy =
2739 getPointerTy(getConstTy(StructMsghdrTy));
2740
2741 // ssize_t recvmsg(int sockfd, struct msghdr *msg, int flags);
2742 addToFunctionSummaryMap(
2743 "recvmsg",
2744 Signature(ArgTypes{IntTy, StructMsghdrPtrTy, IntTy},
2745 RetType{Ssize_tTy}),
2746 Summary(NoEvalCall)
2747 .Case({ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2748 ErrnoMustNotBeChecked)
2749 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2750 .ArgConstraint(
2751 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2752
2753 // ssize_t sendmsg(int sockfd, const struct msghdr *msg, int flags);
2754 addToFunctionSummaryMap(
2755 "sendmsg",
2756 Signature(ArgTypes{IntTy, ConstStructMsghdrPtrTy, IntTy},
2757 RetType{Ssize_tTy}),
2758 Summary(NoEvalCall)
2759 .Case({ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2760 ErrnoMustNotBeChecked)
2761 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2762 .ArgConstraint(
2763 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2764
2765 // int setsockopt(int socket, int level, int option_name,
2766 // const void *option_value, socklen_t option_len);
2767 addToFunctionSummaryMap(
2768 "setsockopt",
2769 Signature(ArgTypes{IntTy, IntTy, IntTy, ConstVoidPtrTy, Socklen_tTy},
2770 RetType{IntTy}),
2771 Summary(NoEvalCall)
2772 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2773 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2774 .ArgConstraint(NotNull(ArgNo(3)))
2775 .ArgConstraint(
2776 BufferSize(/*Buffer=*/ArgNo(3), /*BufSize=*/ArgNo(4)))
2777 .ArgConstraint(
2778 ArgumentCondition(4, WithinRange, Range(0, Socklen_tMax))));
2779
2780 // int getsockopt(int socket, int level, int option_name,
2781 // void *restrict option_value,
2782 // socklen_t *restrict option_len);
2783 addToFunctionSummaryMap(
2784 "getsockopt",
2785 Signature(ArgTypes{IntTy, IntTy, IntTy, VoidPtrRestrictTy,
2786 Socklen_tPtrRestrictTy},
2787 RetType{IntTy}),
2788 Summary(NoEvalCall)
2789 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2790 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2791 .ArgConstraint(NotNull(ArgNo(3)))
2792 .ArgConstraint(NotNull(ArgNo(4))));
2793
2794 // ssize_t send(int sockfd, const void *buf, size_t len, int flags);
2795 addToFunctionSummaryMap(
2796 "send",
2797 Signature(ArgTypes{IntTy, ConstVoidPtrTy, SizeTy, IntTy},
2798 RetType{Ssize_tTy}),
2799 Summary(NoEvalCall)
2800 .Case({ReturnValueCondition(LessThanOrEq, ArgNo(2)),
2801 ReturnValueCondition(WithinRange, Range(0, Ssize_tMax))},
2802 ErrnoMustNotBeChecked)
2803 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2804 .ArgConstraint(ArgumentCondition(0, WithinRange, Range(0, IntMax)))
2805 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2806 /*BufSize=*/ArgNo(2))));
2807
2808 // int socketpair(int domain, int type, int protocol, int sv[2]);
2809 addToFunctionSummaryMap(
2810 "socketpair",
2811 Signature(ArgTypes{IntTy, IntTy, IntTy, IntPtrTy}, RetType{IntTy}),
2812 Summary(NoEvalCall)
2813 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2814 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2815 .ArgConstraint(NotNull(ArgNo(3))));
2816
2817 // int getnameinfo(const struct sockaddr *restrict sa, socklen_t salen,
2818 // char *restrict node, socklen_t nodelen,
2819 // char *restrict service,
2820 // socklen_t servicelen, int flags);
2821 //
2822 // This is defined in netdb.h. And contrary to 'socket.h', the sockaddr
2823 // parameter is never handled as a transparent union in netdb.h
2824 addToFunctionSummaryMap(
2825 "getnameinfo",
2826 Signature(ArgTypes{ConstStructSockaddrPtrRestrictTy, Socklen_tTy,
2827 CharPtrRestrictTy, Socklen_tTy, CharPtrRestrictTy,
2828 Socklen_tTy, IntTy},
2829 RetType{IntTy}),
2830 Summary(NoEvalCall)
2831 .ArgConstraint(
2832 BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1)))
2833 .ArgConstraint(
2834 ArgumentCondition(1, WithinRange, Range(0, Socklen_tMax)))
2835 .ArgConstraint(
2836 BufferSize(/*Buffer=*/ArgNo(2), /*BufSize=*/ArgNo(3)))
2837 .ArgConstraint(
2838 ArgumentCondition(3, WithinRange, Range(0, Socklen_tMax)))
2839 .ArgConstraint(
2840 BufferSize(/*Buffer=*/ArgNo(4), /*BufSize=*/ArgNo(5)))
2841 .ArgConstraint(
2842 ArgumentCondition(5, WithinRange, Range(0, Socklen_tMax))));
2843
2844 std::optional<QualType> StructUtimbufTy = lookupTy("utimbuf");
2845 std::optional<QualType> StructUtimbufPtrTy = getPointerTy(StructUtimbufTy);
2846
2847 // int utime(const char *filename, struct utimbuf *buf);
2848 addToFunctionSummaryMap(
2849 "utime",
2850 Signature(ArgTypes{ConstCharPtrTy, StructUtimbufPtrTy}, RetType{IntTy}),
2851 Summary(NoEvalCall)
2852 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2853 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2854 .ArgConstraint(NotNull(ArgNo(0))));
2855
2856 std::optional<QualType> StructTimespecTy = lookupTy("timespec");
2857 std::optional<QualType> StructTimespecPtrTy =
2858 getPointerTy(StructTimespecTy);
2859 std::optional<QualType> ConstStructTimespecPtrTy =
2860 getPointerTy(getConstTy(StructTimespecTy));
2861
2862 // int futimens(int fd, const struct timespec times[2]);
2863 addToFunctionSummaryMap(
2864 "futimens",
2865 Signature(ArgTypes{IntTy, ConstStructTimespecPtrTy}, RetType{IntTy}),
2866 Summary(NoEvalCall)
2867 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2868 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2869 .ArgConstraint(
2870 ArgumentCondition(0, WithinRange, Range(0, IntMax))));
2871
2872 // int utimensat(int dirfd, const char *pathname,
2873 // const struct timespec times[2], int flags);
2874 addToFunctionSummaryMap("utimensat",
2875 Signature(ArgTypes{IntTy, ConstCharPtrTy,
2876 ConstStructTimespecPtrTy, IntTy},
2877 RetType{IntTy}),
2878 Summary(NoEvalCall)
2879 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2880 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2881 .ArgConstraint(NotNull(ArgNo(1))));
2882
2883 std::optional<QualType> StructTimevalTy = lookupTy("timeval");
2884 std::optional<QualType> ConstStructTimevalPtrTy =
2885 getPointerTy(getConstTy(StructTimevalTy));
2886
2887 // int utimes(const char *filename, const struct timeval times[2]);
2888 addToFunctionSummaryMap(
2889 "utimes",
2890 Signature(ArgTypes{ConstCharPtrTy, ConstStructTimevalPtrTy},
2891 RetType{IntTy}),
2892 Summary(NoEvalCall)
2893 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2894 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2895 .ArgConstraint(NotNull(ArgNo(0))));
2896
2897 // int nanosleep(const struct timespec *rqtp, struct timespec *rmtp);
2898 addToFunctionSummaryMap(
2899 "nanosleep",
2900 Signature(ArgTypes{ConstStructTimespecPtrTy, StructTimespecPtrTy},
2901 RetType{IntTy}),
2902 Summary(NoEvalCall)
2903 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2904 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2905 .ArgConstraint(NotNull(ArgNo(0))));
2906
2907 std::optional<QualType> Time_tTy = lookupTy("time_t");
2908 std::optional<QualType> ConstTime_tPtrTy =
2909 getPointerTy(getConstTy(Time_tTy));
2910 std::optional<QualType> ConstTime_tPtrRestrictTy =
2911 getRestrictTy(ConstTime_tPtrTy);
2912
2913 std::optional<QualType> StructTmTy = lookupTy("tm");
2914 std::optional<QualType> StructTmPtrTy = getPointerTy(StructTmTy);
2915 std::optional<QualType> StructTmPtrRestrictTy =
2916 getRestrictTy(StructTmPtrTy);
2917 std::optional<QualType> ConstStructTmPtrTy =
2918 getPointerTy(getConstTy(StructTmTy));
2919 std::optional<QualType> ConstStructTmPtrRestrictTy =
2920 getRestrictTy(ConstStructTmPtrTy);
2921
2922 // struct tm * localtime(const time_t *tp);
2923 addToFunctionSummaryMap(
2924 "localtime",
2925 Signature(ArgTypes{ConstTime_tPtrTy}, RetType{StructTmPtrTy}),
2926 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2927
2928 // struct tm *localtime_r(const time_t *restrict timer,
2929 // struct tm *restrict result);
2930 addToFunctionSummaryMap(
2931 "localtime_r",
2932 Signature(ArgTypes{ConstTime_tPtrRestrictTy, StructTmPtrRestrictTy},
2933 RetType{StructTmPtrTy}),
2934 Summary(NoEvalCall)
2935 .ArgConstraint(NotNull(ArgNo(0)))
2936 .ArgConstraint(NotNull(ArgNo(1))));
2937
2938 // char *asctime_r(const struct tm *restrict tm, char *restrict buf);
2939 addToFunctionSummaryMap(
2940 "asctime_r",
2941 Signature(ArgTypes{ConstStructTmPtrRestrictTy, CharPtrRestrictTy},
2942 RetType{CharPtrTy}),
2943 Summary(NoEvalCall)
2944 .ArgConstraint(NotNull(ArgNo(0)))
2945 .ArgConstraint(NotNull(ArgNo(1)))
2946 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(1),
2947 /*MinBufSize=*/BVF.getValue(26, IntTy))));
2948
2949 // char *ctime_r(const time_t *timep, char *buf);
2950 addToFunctionSummaryMap(
2951 "ctime_r",
2952 Signature(ArgTypes{ConstTime_tPtrTy, CharPtrTy}, RetType{CharPtrTy}),
2953 Summary(NoEvalCall)
2954 .ArgConstraint(NotNull(ArgNo(0)))
2955 .ArgConstraint(NotNull(ArgNo(1)))
2956 .ArgConstraint(BufferSize(
2957 /*Buffer=*/ArgNo(1),
2958 /*MinBufSize=*/BVF.getValue(26, IntTy))));
2959
2960 // struct tm *gmtime_r(const time_t *restrict timer,
2961 // struct tm *restrict result);
2962 addToFunctionSummaryMap(
2963 "gmtime_r",
2964 Signature(ArgTypes{ConstTime_tPtrRestrictTy, StructTmPtrRestrictTy},
2965 RetType{StructTmPtrTy}),
2966 Summary(NoEvalCall)
2967 .ArgConstraint(NotNull(ArgNo(0)))
2968 .ArgConstraint(NotNull(ArgNo(1))));
2969
2970 // struct tm * gmtime(const time_t *tp);
2971 addToFunctionSummaryMap(
2972 "gmtime", Signature(ArgTypes{ConstTime_tPtrTy}, RetType{StructTmPtrTy}),
2973 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
2974
2975 std::optional<QualType> Clockid_tTy = lookupTy("clockid_t");
2976
2977 // int clock_gettime(clockid_t clock_id, struct timespec *tp);
2978 addToFunctionSummaryMap(
2979 "clock_gettime",
2980 Signature(ArgTypes{Clockid_tTy, StructTimespecPtrTy}, RetType{IntTy}),
2981 Summary(NoEvalCall)
2982 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2983 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2984 .ArgConstraint(NotNull(ArgNo(1))));
2985
2986 std::optional<QualType> StructItimervalTy = lookupTy("itimerval");
2987 std::optional<QualType> StructItimervalPtrTy =
2988 getPointerTy(StructItimervalTy);
2989
2990 // int getitimer(int which, struct itimerval *curr_value);
2991 addToFunctionSummaryMap(
2992 "getitimer",
2993 Signature(ArgTypes{IntTy, StructItimervalPtrTy}, RetType{IntTy}),
2994 Summary(NoEvalCall)
2995 .Case(ReturnsZero, ErrnoMustNotBeChecked)
2996 .Case(ReturnsMinusOne, ErrnoNEZeroIrrelevant)
2997 .ArgConstraint(NotNull(ArgNo(1))));
2998
2999 std::optional<QualType> Pthread_cond_tTy = lookupTy("pthread_cond_t");
3000 std::optional<QualType> Pthread_cond_tPtrTy =
3001 getPointerTy(Pthread_cond_tTy);
3002 std::optional<QualType> Pthread_tTy = lookupTy("pthread_t");
3003 std::optional<QualType> Pthread_tPtrTy = getPointerTy(Pthread_tTy);
3004 std::optional<QualType> Pthread_tPtrRestrictTy =
3005 getRestrictTy(Pthread_tPtrTy);
3006 std::optional<QualType> Pthread_mutex_tTy = lookupTy("pthread_mutex_t");
3007 std::optional<QualType> Pthread_mutex_tPtrTy =
3008 getPointerTy(Pthread_mutex_tTy);
3009 std::optional<QualType> Pthread_mutex_tPtrRestrictTy =
3010 getRestrictTy(Pthread_mutex_tPtrTy);
3011 std::optional<QualType> Pthread_attr_tTy = lookupTy("pthread_attr_t");
3012 std::optional<QualType> Pthread_attr_tPtrTy =
3013 getPointerTy(Pthread_attr_tTy);
3014 std::optional<QualType> ConstPthread_attr_tPtrTy =
3015 getPointerTy(getConstTy(Pthread_attr_tTy));
3016 std::optional<QualType> ConstPthread_attr_tPtrRestrictTy =
3017 getRestrictTy(ConstPthread_attr_tPtrTy);
3018 std::optional<QualType> Pthread_mutexattr_tTy =
3019 lookupTy("pthread_mutexattr_t");
3020 std::optional<QualType> ConstPthread_mutexattr_tPtrTy =
3021 getPointerTy(getConstTy(Pthread_mutexattr_tTy));
3022 std::optional<QualType> ConstPthread_mutexattr_tPtrRestrictTy =
3023 getRestrictTy(ConstPthread_mutexattr_tPtrTy);
3024
3025 QualType PthreadStartRoutineTy = getPointerTy(
3026 ACtx.getFunctionType(/*ResultTy=*/VoidPtrTy, /*Args=*/VoidPtrTy,
3027 FunctionProtoType::ExtProtoInfo()));
3028
3029 // int pthread_cond_signal(pthread_cond_t *cond);
3030 // int pthread_cond_broadcast(pthread_cond_t *cond);
3031 addToFunctionSummaryMap(
3032 {"pthread_cond_signal", "pthread_cond_broadcast"},
3033 Signature(ArgTypes{Pthread_cond_tPtrTy}, RetType{IntTy}),
3034 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
3035
3036 // int pthread_create(pthread_t *restrict thread,
3037 // const pthread_attr_t *restrict attr,
3038 // void *(*start_routine)(void*), void *restrict arg);
3039 addToFunctionSummaryMap(
3040 "pthread_create",
3041 Signature(ArgTypes{Pthread_tPtrRestrictTy,
3042 ConstPthread_attr_tPtrRestrictTy,
3043 PthreadStartRoutineTy, VoidPtrRestrictTy},
3044 RetType{IntTy}),
3045 Summary(NoEvalCall)
3046 .ArgConstraint(NotNull(ArgNo(0)))
3047 .ArgConstraint(NotNull(ArgNo(2))));
3048
3049 // int pthread_attr_destroy(pthread_attr_t *attr);
3050 // int pthread_attr_init(pthread_attr_t *attr);
3051 addToFunctionSummaryMap(
3052 {"pthread_attr_destroy", "pthread_attr_init"},
3053 Signature(ArgTypes{Pthread_attr_tPtrTy}, RetType{IntTy}),
3054 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
3055
3056 // int pthread_attr_getstacksize(const pthread_attr_t *restrict attr,
3057 // size_t *restrict stacksize);
3058 // int pthread_attr_getguardsize(const pthread_attr_t *restrict attr,
3059 // size_t *restrict guardsize);
3060 addToFunctionSummaryMap(
3061 {"pthread_attr_getstacksize", "pthread_attr_getguardsize"},
3062 Signature(ArgTypes{ConstPthread_attr_tPtrRestrictTy, SizePtrRestrictTy},
3063 RetType{IntTy}),
3064 Summary(NoEvalCall)
3065 .ArgConstraint(NotNull(ArgNo(0)))
3066 .ArgConstraint(NotNull(ArgNo(1))));
3067
3068 // int pthread_attr_setstacksize(pthread_attr_t *attr, size_t stacksize);
3069 // int pthread_attr_setguardsize(pthread_attr_t *attr, size_t guardsize);
3070 addToFunctionSummaryMap(
3071 {"pthread_attr_setstacksize", "pthread_attr_setguardsize"},
3072 Signature(ArgTypes{Pthread_attr_tPtrTy, SizeTy}, RetType{IntTy}),
3073 Summary(NoEvalCall)
3074 .ArgConstraint(NotNull(ArgNo(0)))
3075 .ArgConstraint(
3076 ArgumentCondition(1, WithinRange, Range(0, SizeMax))));
3077
3078 // int pthread_mutex_init(pthread_mutex_t *restrict mutex, const
3079 // pthread_mutexattr_t *restrict attr);
3080 addToFunctionSummaryMap(
3081 "pthread_mutex_init",
3082 Signature(ArgTypes{Pthread_mutex_tPtrRestrictTy,
3083 ConstPthread_mutexattr_tPtrRestrictTy},
3084 RetType{IntTy}),
3085 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
3086
3087 // int pthread_mutex_destroy(pthread_mutex_t *mutex);
3088 // int pthread_mutex_lock(pthread_mutex_t *mutex);
3089 // int pthread_mutex_trylock(pthread_mutex_t *mutex);
3090 // int pthread_mutex_unlock(pthread_mutex_t *mutex);
3091 addToFunctionSummaryMap(
3092 {"pthread_mutex_destroy", "pthread_mutex_lock", "pthread_mutex_trylock",
3093 "pthread_mutex_unlock"},
3094 Signature(ArgTypes{Pthread_mutex_tPtrTy}, RetType{IntTy}),
3095 Summary(NoEvalCall).ArgConstraint(NotNull(ArgNo(0))));
3096 }
3097
3098 // Functions for testing.
3099 if (ChecksEnabled[CK_StdCLibraryFunctionsTesterChecker]) {
3100 addToFunctionSummaryMap(
3101 "__not_null", Signature(ArgTypes{IntPtrTy}, RetType{IntTy}),
3102 Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0))));
3103
3104 // Test range values.
3105 addToFunctionSummaryMap(
3106 "__single_val_0", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3107 Summary(EvalCallAsPure)
3108 .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(0))));
3109 addToFunctionSummaryMap(
3110 "__single_val_1", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3111 Summary(EvalCallAsPure)
3112 .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1))));
3113 addToFunctionSummaryMap(
3114 "__range_1_2", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3115 Summary(EvalCallAsPure)
3116 .ArgConstraint(ArgumentCondition(0U, WithinRange, Range(1, 2))));
3117 addToFunctionSummaryMap("__range_1_2__4_5",
3118 Signature(ArgTypes{IntTy}, RetType{IntTy}),
3119 Summary(EvalCallAsPure)
3120 .ArgConstraint(ArgumentCondition(
3121 0U, WithinRange, Range({1, 2}, {4, 5}))));
3122
3123 // Test range kind.
3124 addToFunctionSummaryMap(
3125 "__within", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3126 Summary(EvalCallAsPure)
3127 .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1))));
3128 addToFunctionSummaryMap(
3129 "__out_of", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3130 Summary(EvalCallAsPure)
3131 .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1))));
3132
3133 addToFunctionSummaryMap(
3134 "__two_constrained_args",
3135 Signature(ArgTypes{IntTy, IntTy}, RetType{IntTy}),
3136 Summary(EvalCallAsPure)
3137 .ArgConstraint(ArgumentCondition(0U, WithinRange, SingleValue(1)))
3138 .ArgConstraint(ArgumentCondition(1U, WithinRange, SingleValue(1))));
3139 addToFunctionSummaryMap(
3140 "__arg_constrained_twice", Signature(ArgTypes{IntTy}, RetType{IntTy}),
3141 Summary(EvalCallAsPure)
3142 .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(1)))
3143 .ArgConstraint(ArgumentCondition(0U, OutOfRange, SingleValue(2))));
3144 addToFunctionSummaryMap(
3145 "__defaultparam",
3146 Signature(ArgTypes{Irrelevant, IntTy}, RetType{IntTy}),
3147 Summary(EvalCallAsPure).ArgConstraint(NotNull(ArgNo(0))));
3148 addToFunctionSummaryMap(
3149 "__variadic",
3150 Signature(ArgTypes{VoidPtrTy, ConstCharPtrTy}, RetType{IntTy}),
3151 Summary(EvalCallAsPure)
3152 .ArgConstraint(NotNull(ArgNo(0)))
3153 .ArgConstraint(NotNull(ArgNo(1))));
3154 addToFunctionSummaryMap(
3155 "__buf_size_arg_constraint",
3156 Signature(ArgTypes{ConstVoidPtrTy, SizeTy}, RetType{IntTy}),
3157 Summary(EvalCallAsPure)
3158 .ArgConstraint(
3159 BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1))));
3160 addToFunctionSummaryMap(
3161 "__buf_size_arg_constraint_mul",
3162 Signature(ArgTypes{ConstVoidPtrTy, SizeTy, SizeTy}, RetType{IntTy}),
3163 Summary(EvalCallAsPure)
3164 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0), /*BufSize=*/ArgNo(1),
3165 /*BufSizeMultiplier=*/ArgNo(2))));
3166 addToFunctionSummaryMap(
3167 "__buf_size_arg_constraint_concrete",
3168 Signature(ArgTypes{ConstVoidPtrTy}, RetType{IntTy}),
3169 Summary(EvalCallAsPure)
3170 .ArgConstraint(BufferSize(/*Buffer=*/ArgNo(0),
3171 /*BufSize=*/BVF.getValue(10, IntTy))));
3172 addToFunctionSummaryMap(
3173 {"__test_restrict_param_0", "__test_restrict_param_1",
3174 "__test_restrict_param_2"},
3175 Signature(ArgTypes{VoidPtrRestrictTy}, RetType{VoidTy}),
3176 Summary(EvalCallAsPure));
3177
3178 // Test the application of cases.
3179 addToFunctionSummaryMap(
3180 "__test_case_note", Signature(ArgTypes{}, RetType{IntTy}),
3181 Summary(EvalCallAsPure)
3182 .Case({ReturnValueCondition(WithinRange, SingleValue(0))},
3183 ErrnoIrrelevant, "Function returns 0")
3184 .Case({ReturnValueCondition(WithinRange, SingleValue(1))},
3185 ErrnoIrrelevant, "Function returns 1"));
3186 }
3187
3188 SummariesInitialized = true;
3189 }
3190
registerStdCLibraryFunctionsChecker(CheckerManager & mgr)3191 void ento::registerStdCLibraryFunctionsChecker(CheckerManager &mgr) {
3192 auto *Checker = mgr.registerChecker<StdLibraryFunctionsChecker>();
3193 const AnalyzerOptions &Opts = mgr.getAnalyzerOptions();
3194 Checker->DisplayLoadedSummaries =
3195 Opts.getCheckerBooleanOption(Checker, "DisplayLoadedSummaries");
3196 Checker->ModelPOSIX = Opts.getCheckerBooleanOption(Checker, "ModelPOSIX");
3197 Checker->ShouldAssumeControlledEnvironment =
3198 Opts.ShouldAssumeControlledEnvironment;
3199 }
3200
shouldRegisterStdCLibraryFunctionsChecker(const CheckerManager & mgr)3201 bool ento::shouldRegisterStdCLibraryFunctionsChecker(
3202 const CheckerManager &mgr) {
3203 return true;
3204 }
3205
3206 #define REGISTER_CHECKER(name) \
3207 void ento::register##name(CheckerManager &mgr) { \
3208 StdLibraryFunctionsChecker *checker = \
3209 mgr.getChecker<StdLibraryFunctionsChecker>(); \
3210 checker->ChecksEnabled[StdLibraryFunctionsChecker::CK_##name] = true; \
3211 checker->CheckNames[StdLibraryFunctionsChecker::CK_##name] = \
3212 mgr.getCurrentCheckerName(); \
3213 } \
3214 \
3215 bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }
3216
3217 REGISTER_CHECKER(StdCLibraryFunctionArgsChecker)
3218 REGISTER_CHECKER(StdCLibraryFunctionsTesterChecker)
3219