cppcheck/lib/bughuntingchecks.cpp

720 lines
30 KiB
C++

/*
* Cppcheck - A tool for static C/C++ code analysis
* Copyright (C) 2007-2022 Cppcheck team.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "bughuntingchecks.h"
#include "astutils.h"
#include "errorlogger.h"
#include "errortypes.h"
#include "library.h"
#include "mathlib.h"
#include "settings.h"
#include "symboldatabase.h"
#include "token.h"
#include "utils.h"
#include "valueflow.h"
#include <algorithm>
#include <cstring>
#include <list>
#include <map>
#include <memory>
#include <string>
#include <utility>
static const CWE CWE_BUFFER_UNDERRUN(786U); // Access of Memory Location Before Start of Buffer
static const CWE CWE_BUFFER_OVERRUN(788U); // Access of Memory Location After End of Buffer
static float getKnownFloatValue(const Token *tok, float def)
{
for (const auto &value: tok->values()) {
if (value.isKnown() && value.valueType == ValueFlow::Value::ValueType::FLOAT)
return value.floatValue;
}
return def;
}
static bool isLessThan(ExprEngine::DataBase *dataBase, ExprEngine::ValuePtr lhs, ExprEngine::ValuePtr rhs)
{
return ExprEngine::BinOpResult("<", lhs, rhs).isTrue(dataBase);
}
static void arrayIndex(const Token *tok, const ExprEngine::Value &value, ExprEngine::DataBase *dataBase)
{
if (!Token::simpleMatch(tok->astParent(), "["))
return;
int nr = 0;
const Token *buf = tok->astParent()->astOperand1();
while (Token::simpleMatch(buf, "[")) {
++nr;
buf = buf->astOperand1();
}
if (!buf || !buf->variable() || !buf->variable()->isArray() || buf == buf->variable()->nameToken())
// TODO
return;
const Token *index = tok->astParent()->astOperand2();
if (tok != index)
// TODO
return;
if (buf->variable()->dimensions().size() > nr && buf->variable()->dimensions()[nr].known) {
const MathLib::bigint bufSize = buf->variable()->dimensions()[nr].num;
if (value.isGreaterThan(dataBase, bufSize - 1)) {
const bool bailout = (value.type == ExprEngine::ValueType::BailoutValue);
dataBase->reportError(tok,
Severity::SeverityType::error,
"bughuntingArrayIndexOutOfBounds",
"Array index out of bounds, cannot determine that " + index->expressionString() + " is less than " + std::to_string(bufSize),
CWE_BUFFER_OVERRUN,
false,
bailout);
}
}
bool isUnsigned = tok->valueType() && tok->valueType()->sign == ::ValueType::Sign::UNSIGNED;
if (!isUnsigned && value.isLessThan(dataBase, 0)) {
const bool bailout = (value.type == ExprEngine::ValueType::BailoutValue);
dataBase->reportError(tok,
Severity::SeverityType::error,
"bughuntingArrayIndexNegative",
"Array index out of bounds, cannot determine that " + index->expressionString() + " is not negative",
CWE_BUFFER_UNDERRUN,
false,
bailout);
}
}
static void bufferOverflow(const Token *tok, const ExprEngine::Value &value, ExprEngine::DataBase *dataBase)
{
if (value.type != ExprEngine::ValueType::FunctionCallArgumentValues)
return;
if (!Token::simpleMatch(tok, "(") || !Token::Match(tok->previous(), "%name% ("))
return;
const Library::Function *func = dataBase->settings->library.getFunction(tok->previous());
if (!func)
return;
const ExprEngine::FunctionCallArgumentValues *functionCallArguments = dynamic_cast<const ExprEngine::FunctionCallArgumentValues *>(&value);
if (!functionCallArguments)
return;
const std::vector<const Token *> arguments = getArguments(tok);
if (functionCallArguments->argValues.size() != arguments.size())
// TODO investigate what to do
return;
int overflowArgument = 0;
bool bailout = false;
for (auto argNrChecks: func->argumentChecks) {
const int argnr = argNrChecks.first;
const Library::ArgumentChecks &checks = argNrChecks.second;
if (argnr <= 0 || argnr > arguments.size() || checks.minsizes.empty())
continue;
ExprEngine::ValuePtr argValue = functionCallArguments->argValues[argnr - 1];
if (!argValue || argValue->type == ExprEngine::ValueType::BailoutValue) {
overflowArgument = argnr;
bailout = true;
break;
}
std::shared_ptr<ExprEngine::ArrayValue> arrayValue = std::dynamic_pointer_cast<ExprEngine::ArrayValue>(argValue);
if (!arrayValue || arrayValue->size.size() != 1) {
// TODO: implement this properly.
overflowArgument = argnr;
bailout = true;
break;
}
for (const Library::ArgumentChecks::MinSize &minsize: checks.minsizes) {
if (minsize.type == Library::ArgumentChecks::MinSize::Type::ARGVALUE && minsize.arg > 0 && minsize.arg <= arguments.size()) {
ExprEngine::ValuePtr otherValue = functionCallArguments->argValues[minsize.arg - 1];
if (!otherValue || otherValue->type == ExprEngine::ValueType::BailoutValue) {
overflowArgument = argnr;
bailout = true;
break;
}
if (isLessThan(dataBase, arrayValue->size[0], otherValue)) {
overflowArgument = argnr;
break;
}
} else if (minsize.type == Library::ArgumentChecks::MinSize::Type::STRLEN && minsize.arg > 0 && minsize.arg <= arguments.size()) {
if (func->formatstr) {
// TODO: implement this properly. check if minsize refers to a format string and check max length of that..
overflowArgument = argnr;
bailout = true;
break;
}
if (Token::Match(arguments[minsize.arg - 1], "%str%")) {
const Token * const str = arguments[minsize.arg - 1];
if (arrayValue->size[0]->isLessThan(dataBase, Token::getStrLength(str))) {
overflowArgument = argnr;
break;
}
} else {
ExprEngine::ValuePtr otherValue = functionCallArguments->argValues[minsize.arg - 1];
if (!otherValue || otherValue->type == ExprEngine::ValueType::BailoutValue) {
overflowArgument = argnr;
bailout = true;
break;
}
std::shared_ptr<ExprEngine::ArrayValue> arrayValue2 = std::dynamic_pointer_cast<ExprEngine::ArrayValue>(otherValue);
if (!arrayValue2 || arrayValue2->size.size() != 1) {
overflowArgument = argnr;
bailout = true;
break;
}
if (isLessThan(dataBase, arrayValue->size[0], arrayValue2->size[0])) {
overflowArgument = argnr;
break;
}
}
}
}
if (overflowArgument > 0)
break;
}
if (overflowArgument == 0)
return;
dataBase->reportError(tok,
Severity::SeverityType::error,
"bughuntingBufferOverflow",
"Buffer read/write, when calling '" + tok->previous()->str() + "' it cannot be determined that " + std::to_string(overflowArgument) + getOrdinalText(overflowArgument) + " argument is not overflowed",
CWE(120),
false,
bailout);
}
static void divByZero(const Token *tok, const ExprEngine::Value &value, ExprEngine::DataBase *dataBase)
{
if (!tok->astParent() || !std::strchr("/%", tok->astParent()->str()[0]))
return;
if (tok->hasKnownIntValue() && tok->getKnownIntValue() != 0)
return;
if (tok->isImpossibleIntValue(0))
return;
if (value.isUninit(dataBase) && value.type != ExprEngine::ValueType::BailoutValue)
return;
float f = getKnownFloatValue(tok, 0.0f);
if (f > 0.0f || f < 0.0f)
return;
if (value.type == ExprEngine::ValueType::BailoutValue) {
if (Token::simpleMatch(tok->previous(), "sizeof ("))
return;
}
if (tok->astParent()->astOperand2() == tok && value.isEqual(dataBase, 0)) {
const char * const id = (tok->valueType() && tok->valueType()->isFloat()) ? "bughuntingDivByZeroFloat" : "bughuntingDivByZero";
const bool bailout = (value.type == ExprEngine::ValueType::BailoutValue);
dataBase->reportError(dataBase->settings->clang ? tok : tok->astParent(),
Severity::SeverityType::error,
id,
"There is division, cannot determine that there can't be a division by zero.",
CWE(369),
false,
bailout);
}
}
#ifdef BUG_HUNTING_INTEGEROVERFLOW
static void integerOverflow(const Token *tok, const ExprEngine::Value &value, ExprEngine::DataBase *dataBase)
{
if (!tok->isArithmeticalOp() || !tok->valueType() || !tok->valueType()->isIntegral() || tok->valueType()->pointer > 0)
return;
const ExprEngine::BinOpResult *b = dynamic_cast<const ExprEngine::BinOpResult *>(&value);
if (!b)
return;
int bits = getIntBitsFromValueType(tok->valueType(), *dataBase->settings);
if (bits == 0 || bits >= 60)
return;
std::string errorMessage;
if (tok->valueType()->sign == ::ValueType::Sign::SIGNED) {
MathLib::bigint v = 1LL << (bits - 1);
if (b->isGreaterThan(dataBase, v-1))
errorMessage = "greater than " + std::to_string(v - 1);
if (b->isLessThan(dataBase, -v)) {
if (!errorMessage.empty())
errorMessage += " or ";
errorMessage += "less than " + std::to_string(-v);
}
} else {
MathLib::bigint maxValue = (1LL << bits) - 1;
if (b->isGreaterThan(dataBase, maxValue))
errorMessage = "greater than " + std::to_string(maxValue);
if (b->isLessThan(dataBase, 0)) {
if (!errorMessage.empty())
errorMessage += " or ";
errorMessage += "less than 0";
}
}
if (errorMessage.empty())
return;
errorMessage = "There is integer arithmetic, cannot determine that there can't be overflow (if result is " + errorMessage + ").";
if (tok->valueType()->sign == ::ValueType::Sign::UNSIGNED)
errorMessage += " Note that unsigned integer overflow is defined and will wrap around.";
dataBase->reportError(tok, Severity::SeverityType::error, "bughuntingIntegerOverflow", errorMessage, false, value.type == ExprEngine::ValueType::BailoutValue);
}
#endif
/** check if variable is unconditionally assigned */
static bool isVariableAssigned(const Variable *var, const Token *tok, const Token *scopeStart=nullptr)
{
const Token * const start = scopeStart && precedes(var->nameToken(), scopeStart) ? scopeStart : var->nameToken();
for (const Token *prev = tok->previous(); prev; prev = prev->previous()) {
if (!precedes(start, prev))
break;
if (prev->str() == "}") {
if (Token::simpleMatch(prev->link()->tokAt(-2), "} else {")) {
const Token *elseEnd = prev;
const Token *elseStart = prev->link();
const Token *ifEnd = elseStart->tokAt(-2);
const Token *ifStart = ifEnd->link();
if (isVariableAssigned(var, ifEnd, ifStart) && isVariableAssigned(var, elseEnd, elseStart)) {
return true;
}
}
prev = prev->link();
}
if (scopeStart && Token::Match(prev, "return|throw|continue|break"))
return true;
if (Token::Match(prev, "%varid% =", var->declarationId())) {
bool usedInRhs = false;
visitAstNodes(prev->next()->astOperand2(), [&usedInRhs, var](const Token *tok) {
if (tok->varId() == var->declarationId()) {
usedInRhs = true;
return ChildrenToVisit::done;
}
return ChildrenToVisit::op1_and_op2;
});
if (!usedInRhs)
return true;
}
}
return false;
}
static void uninit(const Token *tok, const ExprEngine::Value &value, ExprEngine::DataBase *dataBase)
{
if (!tok->astParent())
return;
std::string uninitStructMember;
if (const auto* structValue = dynamic_cast<const ExprEngine::StructValue*>(&value)) {
uninitStructMember = structValue->getUninitStructMember(dataBase);
// uninitialized struct member => is there data copy of struct..
if (!uninitStructMember.empty()) {
if (!Token::Match(tok->astParent(), "[=,(]"))
return;
}
}
bool uninitData = false;
if (!value.isUninit(dataBase) && uninitStructMember.empty()) {
if (Token::Match(tok->astParent(), "[(,]")) {
if (const auto* arrayValue = dynamic_cast<const ExprEngine::ArrayValue*>(&value)) {
uninitData = arrayValue->data.size() >= 1 && arrayValue->data[0].value->isUninit(dataBase);
}
}
if (!uninitData)
return;
}
// container is not uninitialized
if (tok->valueType() && tok->valueType()->pointer==0 && tok->valueType()->container)
return;
// container element is not uninitialized
if (tok->str() == "[" &&
tok->astOperand1() &&
tok->astOperand1()->valueType() &&
tok->astOperand1()->valueType()->pointer==0 &&
tok->astOperand1()->valueType()->container) {
if (tok->astOperand1()->valueType()->container->stdStringLike)
return;
bool pointerType = false;
for (const Token *typeTok = tok->astOperand1()->valueType()->containerTypeToken; Token::Match(typeTok, "%name%|*|::|<"); typeTok = typeTok->next()) {
if (typeTok->str() == "<" && typeTok->link())
typeTok = typeTok->link();
if (typeTok->str() == "*")
pointerType = true;
}
if (!pointerType)
return;
}
// variable that is not uninitialized..
if (tok->variable() && !tok->variable()->isPointer() && !tok->variable()->isReference()) {
// smart pointer is not uninitialized
if (tok->variable()->isSmartPointer())
return;
// struct
if (tok->variable()->type() && tok->variable()->type()->needInitialization == Type::NeedInitialization::False)
return;
// template variable is not uninitialized
if (Token::findmatch(tok->variable()->typeStartToken(), "%name% <", tok->variable()->typeEndToken()))
return;
}
// lhs in assignment
if (tok->astParent()->str() == "=" && tok == tok->astParent()->astOperand1())
return;
// Avoid FP when there is bailout..
if (value.type == ExprEngine::ValueType::BailoutValue) {
if (tok->hasKnownValue())
return;
if (!tok->variable())
// FIXME
return;
// lhs for scope operator
if (Token::Match(tok, "%name% ::"))
return;
if (tok->astParent()->str() == "::" && tok == tok->astParent()->astOperand1())
return;
// Object allocated on the stack
if (Token::Match(tok, "%var% .") && tok->next()->originalName() != "->")
return;
// Assume that stream object is initialized
if (Token::Match(tok->previous(), "[;{}] %var% <<|>>") && !tok->next()->astParent())
return;
// Containers are not uninitialized
std::vector<const Token *> tokens{tok, tok->astOperand1(), tok->astOperand2()};
if (Token::Match(tok->previous(), ". %name%"))
tokens.push_back(tok->previous()->astOperand1());
for (const Token *t: tokens) {
if (t && t->valueType() && t->valueType()->pointer == 0 && t->valueType()->container)
return;
}
const Variable *var = tok->variable();
if (var && var->nameToken() == tok)
return;
if (var && !var->isLocal())
return; // FIXME
if (var && !var->isPointer()) {
if (!var->isLocal() || var->isStatic())
return;
}
if (var && (Token::Match(var->nameToken(), "%name% [=:({)]") || var->isInit()))
return;
if (var && var->nameToken() == tok)
return;
// Are there unconditional assignment?
if (var && Token::Match(var->nameToken(), "%varid% ;| %varid%| =", tok->varId()))
return;
// Arrays are allocated on the stack
if (var && Token::Match(tok, "%var% [") && var->isArray())
return;
if (tok->variable() && isVariableAssigned(tok->variable(), tok))
return;
}
// Uninitialized function argument
bool inconclusive = false;
if (Token::Match(tok->astParent(), "[,(]")) {
const Token *parent = tok->astParent();
int count = 0;
if (Token::simpleMatch(parent, ",")) {
if (tok == parent->astOperand2())
count = 1;
parent = parent->astParent();
while (Token::simpleMatch(parent, ",")) {
count++;
parent = parent->astParent();
}
}
if (Token::simpleMatch(parent, "(") && parent->astOperand1() != tok) {
if (parent->astOperand1()->function()) {
const Variable *argvar = parent->astOperand1()->function()->getArgumentVar(count);
if (argvar && argvar->isReference() && !argvar->isConst())
return;
if (uninitData && argvar && !argvar->isConst()) {
if (parent->astOperand1()->function()->hasBody())
return;
inconclusive = true;
}
if (!uninitStructMember.empty() && dataBase->isC() && argvar && !argvar->isConst()) {
if (parent->astOperand1()->function()->hasBody())
return;
inconclusive = true;
}
} else if (uninitData) {
if (dataBase->settings->library.getFunction(parent->astOperand1()))
return;
if (parent->astOperand1()->isKeyword())
return;
}
} else if (uninitData)
return;
}
if (inconclusive && !dataBase->settings->certainty.isEnabled(Certainty::inconclusive))
return;
// Avoid FP for array declaration
const Token *parent = tok->astParent();
while (parent && parent->str() == "[")
parent = parent->astParent();
if (!parent)
return;
const std::string inconclusiveMessage(inconclusive ? ". It is inconclusive if there would be a problem in the function call." : "");
if (!uninitStructMember.empty()) {
const std::string symbol = tok->expressionString() + "." + uninitStructMember;
dataBase->reportError(tok,
Severity::SeverityType::error,
"bughuntingUninitStructMember",
"$symbol:" + symbol + "\nCannot determine that '$symbol' is initialized" + inconclusiveMessage,
CWE_USE_OF_UNINITIALIZED_VARIABLE,
inconclusive,
value.type == ExprEngine::ValueType::BailoutValue);
return;
}
std::string uninitexpr = tok->expressionString();
if (uninitData)
uninitexpr += "[0]";
const std::string symbol = (tok->varId() > 0) ? ("$symbol:" + tok->str() + "\n") : std::string();
std::string constMessage;
std::string errorId = "bughuntingUninit";
{
const Token *vartok = tok;
while (Token::Match(vartok, ".|["))
vartok = vartok->astOperand1();
const Variable *var = vartok ? vartok->variable() : nullptr;
if (var && var->isArgument()) {
errorId += "NonConstArg";
constMessage = " (you can use 'const' to say data must be initialized)";
}
}
dataBase->reportError(tok,
Severity::SeverityType::error,
errorId.c_str(),
symbol + "Cannot determine that '" + uninitexpr + "' is initialized" + constMessage + inconclusiveMessage,
CWE_USE_OF_UNINITIALIZED_VARIABLE,
inconclusive,
value.type == ExprEngine::ValueType::BailoutValue);
}
static void checkFunctionCall(const Token *tok, const ExprEngine::Value &value, ExprEngine::DataBase *dataBase)
{
if (!Token::Match(tok->astParent(), "[(,]"))
return;
const Token *parent = tok->astParent();
while (Token::simpleMatch(parent, ","))
parent = parent->astParent();
if (!parent || parent->str() != "(")
return;
int num = 0;
for (const Token *argTok: getArguments(parent->astOperand1())) {
--num;
if (argTok == tok) {
num = -num;
break;
}
}
if (num <= 0)
return;
if (parent->astOperand1()->function()) {
const Variable *arg = parent->astOperand1()->function()->getArgumentVar(num - 1);
if (arg && arg->nameToken()) {
std::string bad;
MathLib::bigint low;
if (arg->nameToken()->getCppcheckAttribute(TokenImpl::CppcheckAttributes::Type::LOW, &low)) {
if (!(tok->hasKnownIntValue() && tok->getKnownIntValue() >= low) && value.isLessThan(dataBase, low))
bad = "__cppcheck_low__(" + std::to_string(low) + ")";
}
MathLib::bigint high;
if (arg->nameToken()->getCppcheckAttribute(TokenImpl::CppcheckAttributes::Type::HIGH, &high)) {
if (!(tok->hasKnownIntValue() && tok->getKnownIntValue() <= high) && value.isGreaterThan(dataBase, high))
bad = "__cppcheck_high__(" + std::to_string(high) + ")";
}
if (!bad.empty()) {
dataBase->reportError(tok,
Severity::SeverityType::error,
"bughuntingInvalidArgValue",
"There is function call, cannot determine that " + std::to_string(num) + getOrdinalText(num) + " argument value meets the attribute " + bad,
CWE(0),
false);
return;
}
}
}
// Check invalid function argument values..
for (const Library::InvalidArgValue &invalidArgValue : Library::getInvalidArgValues(dataBase->settings->library.validarg(parent->astOperand1(), num))) {
bool err = false;
std::string bad;
switch (invalidArgValue.type) {
case Library::InvalidArgValue::Type::eq:
if (!tok->hasKnownIntValue() || tok->getKnownIntValue() == MathLib::toLongNumber(invalidArgValue.op1))
err = value.isEqual(dataBase, MathLib::toLongNumber(invalidArgValue.op1));
bad = "equals " + invalidArgValue.op1;
break;
case Library::InvalidArgValue::Type::le:
if (!tok->hasKnownIntValue() || tok->getKnownIntValue() <= MathLib::toLongNumber(invalidArgValue.op1))
err = value.isLessThan(dataBase, MathLib::toLongNumber(invalidArgValue.op1) + 1);
bad = "less equal " + invalidArgValue.op1;
break;
case Library::InvalidArgValue::Type::lt:
if (!tok->hasKnownIntValue() || tok->getKnownIntValue() < MathLib::toLongNumber(invalidArgValue.op1))
err = value.isLessThan(dataBase, MathLib::toLongNumber(invalidArgValue.op1));
bad = "less than " + invalidArgValue.op1;
break;
case Library::InvalidArgValue::Type::ge:
if (!tok->hasKnownIntValue() || tok->getKnownIntValue() >= MathLib::toLongNumber(invalidArgValue.op1))
err = value.isGreaterThan(dataBase, MathLib::toLongNumber(invalidArgValue.op1) - 1);
bad = "greater equal " + invalidArgValue.op1;
break;
case Library::InvalidArgValue::Type::gt:
if (!tok->hasKnownIntValue() || tok->getKnownIntValue() > MathLib::toLongNumber(invalidArgValue.op1))
err = value.isGreaterThan(dataBase, MathLib::toLongNumber(invalidArgValue.op1));
bad = "greater than " + invalidArgValue.op1;
break;
case Library::InvalidArgValue::Type::range:
// TODO
err = value.isEqual(dataBase, MathLib::toLongNumber(invalidArgValue.op1));
err |= value.isEqual(dataBase, MathLib::toLongNumber(invalidArgValue.op2));
bad = "range " + invalidArgValue.op1 + "-" + invalidArgValue.op2;
break;
}
if (err) {
dataBase->reportError(tok, Severity::SeverityType::error, "bughuntingInvalidArgValue", "There is function call, cannot determine that " + std::to_string(num) + getOrdinalText(num) + " argument value is valid. Bad value: " + bad, CWE(0), false);
break;
}
}
// Uninitialized function argument..
if (dataBase->settings->library.isuninitargbad(parent->astOperand1(), num) && dataBase->settings->library.isnullargbad(parent->astOperand1(), num) && value.type == ExprEngine::ValueType::ArrayValue) {
const ExprEngine::ArrayValue &arrayValue = static_cast<const ExprEngine::ArrayValue &>(value);
auto index0 = std::make_shared<ExprEngine::IntRange>("0", 0, 0);
for (const auto &v: arrayValue.read(index0)) {
if (v.second->isUninit(dataBase)) {
dataBase->reportError(tok, Severity::SeverityType::error, "bughuntingUninitArg", "There is function call, cannot determine that " + std::to_string(num) + getOrdinalText(num) + " argument is initialized.", CWE_USE_OF_UNINITIALIZED_VARIABLE, false);
break;
}
}
}
}
static void checkAssignment(const Token *tok, const ExprEngine::Value &value, ExprEngine::DataBase *dataBase)
{
if (!Token::simpleMatch(tok->astParent(), "="))
return;
const Token *lhs = tok->astParent()->astOperand1();
while (Token::simpleMatch(lhs, "."))
lhs = lhs->astOperand2();
if (!lhs || !lhs->variable() || !lhs->variable()->nameToken())
return;
const Token *vartok = lhs->variable()->nameToken();
bool executable = false;
std::string fullName = lhs->variable()->name();
for (const Scope *s = lhs->variable()->nameToken()->scope(); s->type != Scope::ScopeType::eGlobal; s = s->nestedIn) {
if (s->isExecutable()) {
executable = true;
break;
}
fullName = s->className + "::" + fullName;
}
auto getMinMaxValue = [=](TokenImpl::CppcheckAttributes::Type type, MathLib::bigint *val) {
if (vartok->getCppcheckAttribute(type, val))
return true;
if (!executable) {
const auto it = dataBase->settings->variableContracts.find(fullName);
if (it != dataBase->settings->variableContracts.end()) {
const std::string *str;
if (type == TokenImpl::CppcheckAttributes::Type::LOW)
str = &it->second.minValue;
else if (type == TokenImpl::CppcheckAttributes::Type::HIGH)
str = &it->second.maxValue;
else
return false;
*val = MathLib::toLongNumber(*str);
return !str->empty();
}
}
return false;
};
MathLib::bigint low;
if (getMinMaxValue(TokenImpl::CppcheckAttributes::Type::LOW, &low)) {
if (value.isLessThan(dataBase, low))
dataBase->reportError(tok, Severity::SeverityType::error, "bughuntingAssign", "There is assignment, cannot determine that value is greater or equal with " + std::to_string(low), CWE_INCORRECT_CALCULATION, false);
}
MathLib::bigint high;
if (getMinMaxValue(TokenImpl::CppcheckAttributes::Type::HIGH, &high)) {
if (value.isGreaterThan(dataBase, high))
dataBase->reportError(tok, Severity::SeverityType::error, "bughuntingAssign", "There is assignment, cannot determine that value is lower or equal with " + std::to_string(high), CWE_INCORRECT_CALCULATION, false);
}
}
void addBughuntingChecks(std::vector<ExprEngine::Callback> *callbacks)
{
callbacks->push_back(arrayIndex);
callbacks->push_back(bufferOverflow);
callbacks->push_back(divByZero);
callbacks->push_back(checkFunctionCall);
callbacks->push_back(checkAssignment);
#ifdef BUG_HUNTING_INTEGEROVERFLOW
callbacks->push_back(integerOverflow);
#endif
callbacks->push_back(uninit);
}