Merge branch 'master' into interactive

Author: sim642

.github/workflows/semgrep.yml

@@ -27,7 +27,7 @@ jobs:
           SEMGREP_AGENT_DEBUG: 1 # https://github.com/returntocorp/semgrep-action/issues/429
 
       - name: Upload SARIF file to GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: semgrep.sarif
         if: always()

src/analyses/accessAnalysis.ml

@@ -66,6 +66,12 @@ struct
       ()
 
   let side_access ctx ty lv_opt (conf, w, loc, e, a) =
+    let ty =
+      if Option.is_some lv_opt then
+        `Type Cil.voidType (* avoid unsound type split for alloc variables *)
+      else
+        ty
+    in
     if !GU.should_warn then
       ctx.sideg (V.access (lv_opt, ty)) (G.create_access (Access.AS.singleton (conf, w, loc, e, a)));
     side_vars ctx lv_opt ty
@@ -199,8 +205,16 @@ struct
         | Some fnc -> (fnc act arglist)
         | _ -> arglist
       in
-      List.iter (access_one_top ctx false true) (arg_acc `Read);
-      List.iter (access_one_top ctx true  true ) (arg_acc `Write);
+      (* TODO: per-argument reach *)
+      let reach =
+        match f.vname with
+        | "memset" | "__builtin_memset" | "__builtin___memset_chk" -> false
+        | "bzero" | "__builtin_bzero" | "explicit_bzero" | "__explicit_bzero_chk" -> false
+        | "__builtin_object_size" -> false
+        | _ -> true
+      in
+      List.iter (access_one_top ctx false reach) (arg_acc `Read);
+      List.iter (access_one_top ctx true  reach) (arg_acc `Write);
       (match lv with
        | Some x -> access_one_top ctx true false (AddrOf x)
        | None -> ());

src/analyses/base.ml

@@ -815,6 +815,8 @@ struct
     match ofs with
     | NoOffset -> `NoOffset
     | Field (fld, ofs) -> `Field (fld, convert_offset a gs st ofs)
+    | Index (CastE (TInt(IInt,[]), Const (CStr ("unknown",No_encoding))), ofs) -> (* special offset added by convertToQueryLval *)
+      `Index (IdxDom.top (), convert_offset a gs st ofs)
     | Index (exp, ofs) ->
       let exp_rv = eval_rv a gs st exp in
       match exp_rv with
@@ -2120,6 +2122,40 @@ struct
     let st: store = ctx.local in
     let gs = ctx.global in
     match LF.classify f.vname args with
+    | `Unknown (("memset" | "__builtin_memset" | "__builtin___memset_chk") as name) ->
+      begin match name, args with
+        | "__builtin___memset_chk", [dest; ch; count; _ (* dest_size *)]
+        | ("memset" | "__builtin_memset"), [dest; ch; count] ->
+          (* TODO: check count *)
+          let eval_ch = eval_rv (Analyses.ask_of_ctx ctx) gs st ch in
+          let dest_lval = mkMem ~addr:(Cil.stripCasts dest) ~off:NoOffset in
+          let dest_a = eval_lv (Analyses.ask_of_ctx ctx) gs st dest_lval in
+          (* let dest_typ = Cilfacade.typeOfLval dest_lval in *)
+          let dest_typ = AD.get_type dest_a in (* TODO: what is the right way? *)
+          let value =
+            match eval_ch with
+            | `Int i when ID.to_int i = Some Z.zero ->
+              VD.zero_init_value dest_typ
+            | _ ->
+              VD.top_value dest_typ
+          in
+          set ~ctx:(Some ctx) (Analyses.ask_of_ctx ctx) gs st dest_a dest_typ value
+        | _, _ -> failwith "strange memset arguments"
+      end
+    | `Unknown (("bzero" | "__builtin_bzero" | "explicit_bzero" | "__explicit_bzero_chk") as name) ->
+      (* TODO: share something with memset special case? *)
+      begin match name, args with
+        | "__explicit_bzero_chk", [dest; count; _ (* dest_size *)]
+        | ("bzero" | "__builtin_bzero" | "explicit_bzero"), [dest; count] ->
+          (* TODO: check count *)
+          let dest_lval = mkMem ~addr:(Cil.stripCasts dest) ~off:NoOffset in
+          let dest_a = eval_lv (Analyses.ask_of_ctx ctx) gs st dest_lval in
+          (* let dest_typ = Cilfacade.typeOfLval dest_lval in *)
+          let dest_typ = AD.get_type dest_a in (* TODO: what is the right way? *)
+          let value = VD.zero_init_value dest_typ in
+          set ~ctx:(Some ctx) (Analyses.ask_of_ctx ctx) gs st dest_a dest_typ value
+        | _, _ -> failwith "strange bzero arguments"
+      end
     | `Unknown "F59" (* strcpy *)
     | `Unknown "F60" (* strncpy *)
     | `Unknown "F63" (* memcpy *)

src/analyses/libraryFunctions.ml

@@ -185,6 +185,9 @@ let invalidate_actions = [
     "__builtin_ctzll", readsAll;
     "__builtin_clz", readsAll;
     "bzero", writes [1]; (*keep 1*)
+    "__builtin_bzero", writes [1]; (*keep [1]*)
+    "explicit_bzero", writes [1];
+    "__explicit_bzero_chk", writes [1];
     "connect", readsAll;          (*safe*)
     "fclose", readsAll;           (*safe*)
     "fflush", writesAll;          (*unsafe*)
@@ -207,9 +210,9 @@ let invalidate_actions = [
     "mempcpy", writes [1];(*keep [1]*)
     "__builtin___memcpy_chk", writes [1];
     "__builtin___mempcpy_chk", writes [1];
-    "memset", writesAll;(*unsafe*)
-    "__builtin_memset", writesAll;(*unsafe*)
-    "__builtin___memset_chk", writesAll;
+    "memset", writes [1];(*unsafe*)
+    "__builtin_memset", writes [1];(*unsafe*)
+    "__builtin___memset_chk", writes [1];
     "printf", readsAll;(*safe*)
     "__printf_chk", readsAll;(*safe*)
     "printk", readsAll;(*safe*)
@@ -398,7 +401,6 @@ let invalidate_actions = [
     "__maskrune", writesAll; (*unsafe*)
     "inet_addr", readsAll; (*safe*)
     "gethostbyname", readsAll; (*safe*)
-    "__builtin_bzero", writes [1]; (*keep [1]*)
     "setsockopt", readsAll; (*safe*)
     "listen", readsAll; (*safe*)
     "getsockname", writes [1;3]; (*keep [1;3]*)

src/analyses/varEq.ml

@@ -193,6 +193,7 @@ struct
     let bt =
       match unrollTypeDeep (Cilfacade.typeOf b) with
       | TPtr (t,_) -> t
+      | exception Cilfacade.TypeOfError _
       | _ -> voidType
     in (* type of thing that changed: typeof( *b ) *)
     let rec type_may_change_apt a =
@@ -408,40 +409,6 @@ struct
     in
     List.fold_right reachable es (Some (Queries.LS.empty ()))
 
-  let rec reachable_from (r:Queries.LS.t) e =
-    if Queries.LS.is_top r then true else
-      let rec is_prefix x1 x2 =
-        match x1, x2 with
-        | _, `NoOffset -> true
-        | Field (f1,o1), `Field (f2,o2) when CilType.Fieldinfo.equal f1 f2 -> is_prefix o1 o2
-        | Index (_,o1), `Index (_,o2) -> is_prefix o1 o2
-        | _ -> false
-      in
-      let has_reachable_prefix v1 ofs =
-        let suitable_prefix (v2,ofs2) =
-          CilType.Varinfo.equal v1 v2
-          && is_prefix ofs ofs2
-        in
-        Queries.LS.exists suitable_prefix r
-      in
-      match e with
-      | SizeOf _
-      | SizeOfE _
-      | SizeOfStr _
-      | AlignOf _
-      | Const _
-      | AlignOfE _
-      | UnOp  _
-      | BinOp _ -> true
-      | AddrOf  (Var v2,ofs)
-      | StartOf (Var v2,ofs)
-      | Lval    (Var v2,ofs) -> has_reachable_prefix v2 ofs
-      | AddrOf  (Mem e,_)
-      | StartOf (Mem e,_)
-      | Lval    (Mem e,_)
-      | CastE (_,e)           -> reachable_from r e
-      | Question _ -> failwith "Logical operations should be compiled away by CIL."
-      | _ -> failwith "Unmatched pattern."
 
   (* Probably ok as is. *)
   let body ctx f = ctx.local
@@ -488,18 +455,16 @@ struct
       | None -> st2
 
   let remove_reachable ctx es =
-    match reachables (Analyses.ask_of_ctx ctx) es with
+    let ask = Analyses.ask_of_ctx ctx in
+    match reachables ask es with
     | None -> D.top ()
     | Some rs ->
-      let remove_reachable1 es st =
-        let remove_reachable2 e st =
-          if reachable_from rs e && not (isConstant e) then remove_exp (Analyses.ask_of_ctx ctx) e st else st
-        in
-        D.B.fold remove_reachable2 es st
-      in
-      (* TODO: do something like this instead to be sound? *)
-      (* List.fold_left (fun st e -> remove_exp (Analyses.ask_of_ctx ctx) e st) ctx.local (Queries.LS.fold (fun lval acc -> mkAddrOf (Lval.CilLval.to_lval lval) :: acc) rs []) *)
-      D.fold remove_reachable1 ctx.local ctx.local
+      (* Prior to https://github.com/goblint/analyzer/pull/694 checks were done "in the other direction":
+         each expression in ctx.local was checked for reachability from es/rs using very conservative but also unsound reachable_from.
+         It is unknown, why that was necessary. *)
+      Queries.LS.fold (fun lval st ->
+          remove ask (Lval.CilLval.to_lval lval) st
+        ) rs ctx.local
 
   let unknown_fn ctx lval f args =
     let args =

src/cdomains/valueDomain.ml

@@ -304,7 +304,7 @@ struct
         M.tracel "casta" "same size\n";
         if not (typ_eq t ta) then err "Cast to different type of same size."
         else (M.tracel "casta" "SUCCESS!\n"; o)
-      | 1 -> (* cast to bigger/outer type *)
+      | c when c > 0 -> (* cast to bigger/outer type *)
         M.tracel "casta" "cast to bigger size\n";
         if d = Some false then err "Ptr-cast to type of incompatible size!" else
         if o = `NoOffset then err "Ptr-cast to outer type, but no offset to remove."

src/domains/access.ml

@@ -10,7 +10,7 @@ module M = Messages
 
 let is_ignorable_type (t: typ): bool =
   match t with
-  | TNamed ({ tname = "atomic_t" | "pthread_mutex_t" | "pthread_rwlock_t" | "spinlock_t"; _ }, _) -> true
+  | TNamed ({ tname = "atomic_t" | "pthread_mutex_t" | "pthread_rwlock_t" | "spinlock_t" | "pthread_cond_t"; _ }, _) -> true
   | TComp ({ cname = "lock_class_key"; _ }, _) -> true
   | TInt (IInt, attr) when hasAttribute "mutex" attr -> true
   | t when hasAttribute "atomic" (typeAttrs t) -> true (* C11 _Atomic *)

tests/regression/01-cpa/24-library_functions.c

@@ -23,7 +23,7 @@ void test_memset() {
 void test_bzero() {
   int n = 1;
   bzero(&n, sizeof(int));
-  assert(n == 1); // UNKNOWN!
+  assert(n == 0);
 }
 
 void test_getopt() {
@@ -52,7 +52,7 @@ void test_free() {
 void test_memcpy() {
   int dest = 0;
   int src = 1;
-  
+
   memcpy(&dest, &src, sizeof(int));
 
   assert(dest == 0); // UNKNOWN!

tests/regression/02-base/75-memset.c

@@ -0,0 +1,27 @@
+#include <string.h>
+#include <assert.h>
+
+struct s {
+  int x;
+  int *p;
+};
+
+int main() {
+  int x;
+  memset(&x, 0, sizeof(int));
+  assert(x == 0);
+  memset(&x, x, sizeof(int));
+  assert(x == 0);
+  memset(&x, 1, sizeof(int));
+  assert(x == 0); // UNKNOWN
+
+  int *p;
+  memset(&p, 0, sizeof(int*));
+  assert(p == NULL);
+
+  struct s s;
+  memset(&s, 0, sizeof(struct s));
+  assert(s.x == 0);
+  assert(s.p == NULL);
+  return 0;
+}