haoNoQ
diff --git a/‎clang/docs/analyzer/checkers.rst
Lines changed: 55 additions & 2 deletions b/‎clang/docs/analyzer/checkers.rst
Lines changed: 55 additions & 2 deletions
diff --git a/‎clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
Lines changed: 9 additions & 0 deletions b/‎clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
Lines changed: 9 additions & 0 deletions
diff --git a/‎clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
Lines changed: 1 addition & 0 deletions b/‎clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
Lines changed: 1 addition & 0 deletions
diff --git a/‎clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
Lines changed: 279 additions & 0 deletions b/‎clang/lib/StaticAnalyzer/Checkers/cert/InvalidPtrChecker.cpp
Lines changed: 279 additions & 0 deletions
@@ -2075,10 +2075,63 @@ Finds calls to the ``putenv`` function which pass a pointer to an automatic vari
     if (retval < 0 || (size_t)retval >= sizeof(env)) {
         /* Handle error */
     }
- 
+
     return putenv(env); // putenv function should not be called with auto variables
   }
-  
+
+alpha.security.cert.env
+^^^^^^^^^^^^^^^^^^^^^^^
+
+SEI CERT checkers of `POSIX C coding rules <https://wiki.sei.cmu.edu/confluence/x/JdcxBQ>`_.
+
+.. _alpha-security-cert-env-InvalidPtr:
+
+alpha.security.cert.env.InvalidPtr
+"""""""""""""""""""""""""""
+
+Corresponds to SEI CERT Rules ENV31-C and ENV34-C.
+
+ENV31-C:
+Rule is about the possible problem with `main` function's third argument, environment pointer,
+"envp". When enviornment array is modified using some modification function
+such as putenv, setenv or others, It may happen that memory is reallocated,
+however "envp" is not updated to reflect the changes and points to old memory
+region.
+
+ENV34-C:
+Some functions return a pointer to a statically allocated buffer.
+Consequently, subsequent call of these functions will invalidate previous
+pointer. These functions include: getenv, localeconv, asctime, setlocale, strerror
+
+.. code-block:: c
+
+  int main(int argc, const char *argv[], const char *envp[]) {
+    if (setenv("MY_NEW_VAR", "new_value", 1) != 0) {
+      // setenv call may invalidate 'envp'
+      /* Handle error */
+    }
+    if (envp != NULL) {
+      for (size_t i = 0; envp[i] != NULL; ++i) {
+        puts(envp[i]);
+        // envp may no longer point to the current environment
+        // this program has unanticipated behavior, since envp
+        // does not reflect changes made by setenv function.
+      }
+    }
+    return 0;
+  }
+
+  void previous_call_invalidation() {
+    char *p, *pp;
+
+    p = getenv("VAR");
+    pp = getenv("VAR2");
+    // subsequent call to 'getenv' invalidated previous one
+
+    *p;
+    // dereferencing invalid pointer
+  }
+
 .. _alpha-security-ArrayBound:
 
 alpha.security.ArrayBound (C)
 
@@ -73,6 +73,7 @@ def Taint : Package<"taint">, ParentPackage<SecurityAlpha>;
 
 def CERT : Package<"cert">, ParentPackage<SecurityAlpha>;
 def POS : Package<"pos">, ParentPackage<CERT>;
+def ENV : Package<"env">, ParentPackage<CERT>;
 
 def Unix : Package<"unix">;
 def UnixAlpha : Package<"unix">, ParentPackage<Alpha>;
@@ -947,6 +948,14 @@ let ParentPackage = POS in {
 
 } // end "alpha.cert.pos"
 
+let ParentPackage = ENV in {
+
+  def InvalidPtrChecker : Checker<"InvalidPtr">,
+  HelpText<"Finds usages of possibly invalidated pointers">,
+  Documentation<HasDocumentation>;
+
+} // end "alpha.cert.env"
+
 let ParentPackage = SecurityAlpha in {
 
 def ArrayBoundChecker : Checker<"ArrayBound">,
 
@@ -49,6 +49,7 @@ add_clang_library(clangStaticAnalyzerCheckers
   IdenticalExprChecker.cpp
   InnerPointerChecker.cpp
   InvalidatedIteratorChecker.cpp
+  cert/InvalidPtrChecker.cpp
   Iterator.cpp
   IteratorModeling.cpp
   IteratorRangeChecker.cpp
 
@@ -0,0 +1,279 @@
+//== InvalidPtrChecker.cpp ------------------------------------- -*- C++ -*--=//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+//
+// This file defines InvalidPtrChecker which finds usages of possibly
+// invalidated pointer.
+// CERT SEI Rules ENV31-C and ENV34-C
+// For more information see:
+// https://wiki.sei.cmu.edu/confluence/x/8tYxBQ
+// https://wiki.sei.cmu.edu/confluence/x/5NUxBQ
+//===----------------------------------------------------------------------===//
+
+#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+
+class InvalidPtrChecker
+    : public Checker<check::Location, check::BeginFunction, check::PostCall> {
+private:
+  BugType BT{this, "Use of invalidated pointer", categories::MemoryError};
+
+  void EnvpInvalidatingCall(const CallEvent &Call, CheckerContext &C) const;
+
+  using HandlerFn = void (InvalidPtrChecker::*)(const CallEvent &Call,
+                                                CheckerContext &C) const;
+
+  // SEI CERT ENV31-C
+  const CallDescriptionMap<HandlerFn> EnvpInvalidatingFunctions = {
+      {{"setenv", 3}, &InvalidPtrChecker::EnvpInvalidatingCall},
+      {{"unsetenv", 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
+      {{"putenv", 1}, &InvalidPtrChecker::EnvpInvalidatingCall},
+      {{"_putenv_s", 2}, &InvalidPtrChecker::EnvpInvalidatingCall},
+      {{"_wputenv_s", 2}, &InvalidPtrChecker::EnvpInvalidatingCall},
+  };
+
+  void postPreviousReturnInvalidatingCall(const CallEvent &Call,
+                                          CheckerContext &C) const;
+
+  // SEI CERT ENV34-C
+  const CallDescriptionMap<HandlerFn> PreviousCallInvalidatingFunctions = {
+      {{"getenv", 1}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
+      {{"setlocale", 2},
+       &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
+      {{"strerror", 1}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
+      {{"localeconv", 0},
+       &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
+      {{"asctime", 1}, &InvalidPtrChecker::postPreviousReturnInvalidatingCall},
+  };
+
+public:
+  // Obtain the environment pointer from 'main()' (if present).
+  void checkBeginFunction(CheckerContext &C) const;
+
+  // Handle functions in EnvpInvalidatingFunctions, that invalidate environment
+  // pointer from 'main()'
+  // Handle functions in PreviousCallInvalidatingFunctions.
+  // Also, check if invalidated region is passed to a
+  // conservatively evaluated function call as an argument.
+  void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
+
+  // Check if invalidated region is being dereferenced.
+  void checkLocation(SVal l, bool isLoad, const Stmt *S,
+                     CheckerContext &C) const;
+};
+
+} // namespace
+
+// Set of memory regions that were invalidated
+REGISTER_SET_WITH_PROGRAMSTATE(InvalidMemoryRegions, const MemRegion *)
+
+// Stores the region of the environment pointer of 'main' (if present).
+// Note: This pointer has type 'const MemRegion *', however the trait is only
+// specialized to 'const void*' and 'void*'
+REGISTER_TRAIT_WITH_PROGRAMSTATE(EnvPtrRegion, const void *)
+
+// Stores key-value pairs, where key is function declaration and value is
+// pointer to memory region returned by previous call of this function
+REGISTER_MAP_WITH_PROGRAMSTATE(PreviousCallResultMap, const FunctionDecl *,
+                               const MemRegion *)
+
+void InvalidPtrChecker::EnvpInvalidatingCall(const CallEvent &Call,
+                                             CheckerContext &C) const {
+  StringRef FunctionName = Call.getCalleeIdentifier()->getName();
+  ProgramStateRef State = C.getState();
+  const auto *Reg = State->get<EnvPtrRegion>();
+  if (!Reg)
+    return;
+  const auto *SymbolicEnvPtrRegion =
+      reinterpret_cast<const MemRegion *>(const_cast<const void *>(Reg));
+
+  State = State->add<InvalidMemoryRegions>(SymbolicEnvPtrRegion);
+
+  const NoteTag *Note =
+      C.getNoteTag([SymbolicEnvPtrRegion, FunctionName](
+                       PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
+        if (!BR.isInteresting(SymbolicEnvPtrRegion))
+          return;
+        Out << '\'' << FunctionName
+            << "' call may invalidate the environment parameter of 'main'";
+      });
+
+  C.addTransition(State, Note);
+}
+
+void InvalidPtrChecker::postPreviousReturnInvalidatingCall(
+    const CallEvent &Call, CheckerContext &C) const {
+  ProgramStateRef State = C.getState();
+
+  const NoteTag *Note = nullptr;
+  const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(Call.getDecl());
+  // Invalidate the region of the previously returned pointer - if there was
+  // one.
+  if (const MemRegion *const *Reg = State->get<PreviousCallResultMap>(FD)) {
+    const MemRegion *PrevReg = *Reg;
+    State = State->add<InvalidMemoryRegions>(PrevReg);
+    Note = C.getNoteTag([PrevReg, FD](PathSensitiveBugReport &BR,
+                                      llvm::raw_ostream &Out) {
+      if (!BR.isInteresting(PrevReg))
+        return;
+      Out << '\'';
+      FD->getNameForDiagnostic(Out, FD->getASTContext().getLangOpts(), true);
+      Out << "' call may invalidate the the result of the previous " << '\'';
+      FD->getNameForDiagnostic(Out, FD->getASTContext().getLangOpts(), true);
+      Out << '\'';
+    });
+  }
+
+  const LocationContext *LCtx = C.getLocationContext();
+  const auto *CE = cast<CallExpr>(Call.getOriginExpr());
+
+  // Function call will return a pointer to the new symbolic region.
+  DefinedOrUnknownSVal RetVal = C.getSValBuilder().conjureSymbolVal(
+      CE, LCtx, CE->getType(), C.blockCount());
+  State = State->BindExpr(CE, LCtx, RetVal);
+
+  // Remember to this region.
+  const auto *SymRegOfRetVal = dyn_cast<SymbolicRegion>(RetVal.getAsRegion());
+  const MemRegion *MR =
+      const_cast<MemRegion *>(SymRegOfRetVal->getBaseRegion());
+  State = State->set<PreviousCallResultMap>(FD, MR);
+
+  ExplodedNode *Node = C.addTransition(State, Note);
+  const NoteTag *PreviousCallNote =
+      C.getNoteTag([MR](PathSensitiveBugReport &BR, llvm::raw_ostream &Out) {
+        if (!BR.isInteresting(MR))
+          return;
+        Out << '\'' << "'previous function call was here" << '\'';
+      });
+
+  C.addTransition(State, Node, PreviousCallNote);
+}
+
+// TODO: This seems really ugly. Simplify this.
+static const MemRegion *findInvalidatedSymbolicBase(ProgramStateRef State,
+                                                    const MemRegion *Reg) {
+  while (Reg) {
+    if (State->contains<InvalidMemoryRegions>(Reg))
+      return Reg;
+    const auto *SymBase = Reg->getSymbolicBase();
+    if (!SymBase)
+      break;
+    const auto *SRV = dyn_cast<SymbolRegionValue>(SymBase->getSymbol());
+    if (!SRV)
+      break;
+    Reg = SRV->getRegion();
+    if (const auto *VarReg = dyn_cast<VarRegion>(SRV->getRegion()))
+      Reg = VarReg;
+  }
+  return nullptr;
+}
+
+// Handle functions in EnvpInvalidatingFunctions, that invalidate environment
+// pointer from 'main()' Also, check if invalidated region is passed to a
+// function call as an argument.
+void InvalidPtrChecker::checkPostCall(const CallEvent &Call,
+                                      CheckerContext &C) const {
+  // Check if function invalidates 'envp' argument of 'main'
+  if (const auto *Handler = EnvpInvalidatingFunctions.lookup(Call))
+    (this->**Handler)(Call, C);
+
+  // Check if function invalidates the result of previous call
+  if (const auto *Handler = PreviousCallInvalidatingFunctions.lookup(Call))
+    (this->**Handler)(Call, C);
+
+  // Check if one of the arguments of the function call is invalidated
+
+  // If call was inlined, don't report invalidated argument
+  if (C.wasInlined)
+    return;
+
+  ProgramStateRef State = C.getState();
+
+  for (unsigned I = 0, NumArgs = Call.getNumArgs(); I < NumArgs; ++I) {
+
+    if (const auto *SR = dyn_cast_or_null<SymbolicRegion>(
+            Call.getArgSVal(I).getAsRegion())) {
+      if (const MemRegion *InvalidatedSymbolicBase =
+              findInvalidatedSymbolicBase(State, SR)) {
+        ExplodedNode *ErrorNode = C.generateNonFatalErrorNode();
+        if (!ErrorNode)
+          return;
+
+        SmallString<256> Msg;
+        llvm::raw_svector_ostream Out(Msg);
+        Out << "use of invalidated pointer '";
+        Call.getArgExpr(I)->printPretty(Out, /*Helper=*/nullptr,
+                                        C.getASTContext().getPrintingPolicy());
+        Out << "' in a function call";
+
+        auto Report =
+            std::make_unique<PathSensitiveBugReport>(BT, Out.str(), ErrorNode);
+        Report->markInteresting(InvalidatedSymbolicBase);
+        Report->addRange(Call.getArgSourceRange(I));
+        C.emitReport(std::move(Report));
+      }
+    }
+  }
+}
+
+// Obtain the environment pointer from 'main()', if present.
+void InvalidPtrChecker::checkBeginFunction(CheckerContext &C) const {
+  if (!C.inTopFrame())
+    return;
+
+  const auto *FD = dyn_cast<FunctionDecl>(C.getLocationContext()->getDecl());
+  if (!FD || FD->param_size() != 3 || !FD->isMain())
+    return;
+
+  ProgramStateRef State = C.getState();
+  const MemRegion *EnvpReg =
+      State->getRegion(FD->parameters()[2], C.getLocationContext());
+
+  // Save the memory region pointed by the environment pointer parameter of
+  // 'main'.
+  State = State->set<EnvPtrRegion>(
+      reinterpret_cast<void *>(const_cast<MemRegion *>(EnvpReg)));
+  C.addTransition(State);
+}
+
+// Check if invalidated region is being dereferenced.
+void InvalidPtrChecker::checkLocation(SVal Loc, bool isLoad, const Stmt *S,
+                                      CheckerContext &C) const {
+  ProgramStateRef State = C.getState();
+
+  // Ignore memory operations involving 'non-invalidated' locations.
+  const MemRegion *InvalidatedSymbolicBase =
+      findInvalidatedSymbolicBase(State, Loc.getAsRegion());
+  if (!InvalidatedSymbolicBase)
+    return;
+
+  ExplodedNode *ErrorNode = C.generateNonFatalErrorNode();
+  if (!ErrorNode)
+    return;
+
+  auto Report = std::make_unique<PathSensitiveBugReport>(
+      BT, "dereferencing an invalid pointer", ErrorNode);
+  Report->markInteresting(InvalidatedSymbolicBase);
+  C.emitReport(std::move(Report));
+}
+
+void ento::registerInvalidPtrChecker(CheckerManager &Mgr) {
+  Mgr.registerChecker<InvalidPtrChecker>();
+}
+
+bool ento::shouldRegisterInvalidPtrChecker(const CheckerManager &) {
+  return true;
+}