[clang] [clang][StaticAnalyzer] Adding getentropy to CStringChecker. (PR #83675)

Balázs Kéri via cfe-commits cfe-commits at lists.llvm.org
Thu Mar 28 03:36:22 PDT 2024 

================
@@ -2515,6 +2517,53 @@ void CStringChecker::evalSprintfCommon(CheckerContext &C, const CallEvent &Call,
   C.addTransition(State);
 }
 
+void CStringChecker::evalGetentropy(CheckerContext &C, const CallEvent &Call) const {
+  DestinationArgExpr Buffer = {{Call.getArgExpr(0), 0}};
+  SizeArgExpr Size = {{Call.getArgExpr(1), 1}};
+  ProgramStateRef State = C.getState();
+  SValBuilder &SVB = C.getSValBuilder();
+  SVal MaxLength = SVB.makeIntVal(256, C.getASTContext().IntTy);
+
+  SVal SizeVal = C.getSVal(Size.Expression);
+  QualType SizeTy = Size.Expression->getType();
+
+  ProgramStateRef StateZeroSize, StateNonZeroSize;
+  std::tie(StateZeroSize, StateNonZeroSize) =
+      assumeZero(C, State, SizeVal, SizeTy);
+
+  if (StateZeroSize) {
+    StateZeroSize = State->BindExpr(Call.getOriginExpr(), C.getLocationContext(),
+                              SVB.makeZeroVal(C.getASTContext().IntTy));
+    C.addTransition(StateZeroSize);
+    return;
+  }
+
+  SVal Buff = C.getSVal(Buffer.Expression);
+  State = checkNonNull(C, StateNonZeroSize, Buffer, Buff);
+  if (!State)
+    return;
+
+  QualType cmpTy = C.getSValBuilder().getConditionType();
+  ProgramStateRef sizeAboveLimit, sizeNotAboveLimit;
+  std::tie(sizeAboveLimit, sizeNotAboveLimit) = State->assume(
+	 SVB
+	.evalBinOpNN(State, BO_GT, *SizeVal.getAs<NonLoc>(), *MaxLength.getAs<NonLoc>(), cmpTy)
+	.castAs<DefinedOrUnknownSVal>());
+  if (sizeAboveLimit) {
+    ErrorMessage Message;
+    emitOutOfBoundsBug(C, sizeAboveLimit, Buffer.Expression, "must be smaller than or equal to 256");
+  } else {
+    State = CheckBufferAccess(C, State, Buffer, Size, AccessKind::write);
+    if (!State)
+      return;
+
+    State = invalidateDestinationBufferBySize(C, State, Buffer.Expression,
+                                            Buff,
+                                            SizeVal, SizeTy);
+    C.addTransition(State);
----------------
balazske wrote:

This branch separation and setting of `errno` can be done with `StdLibraryFunctionsChecker`. If in this checker the return value is not important it is enough to assume it is in the correct range. The other checker runs in `postCall` and can change the state further.

https://github.com/llvm/llvm-project/pull/83675

More information about the cfe-commits mailing list