-rw-r--r--src/_safety.h46
-rw-r--r--src/signal/__segv.c22
-rw-r--r--src/string/memchr.c3
-rw-r--r--src/string/memcmp.c2
-rw-r--r--src/string/memcpy.c4
-rw-r--r--src/string/memcpy_s.c5
-rw-r--r--src/string/memmove.c4
-rw-r--r--src/string/memmove_s.c5
-rw-r--r--src/string/memset.c3
-rw-r--r--src/string/memset_s.c3
-rw-r--r--src/string/strcat.c11
-rw-r--r--src/string/strchr.c5
-rw-r--r--src/string/strcmp.c1
-rw-r--r--src/string/strcoll.c6
-rw-r--r--src/string/strcpy.c12
-rw-r--r--src/string/strcpy_s.c8
-rw-r--r--src/string/strcspn.c2
-rw-r--r--src/string/strdup.c3
-rw-r--r--src/string/strlen.c2
-rw-r--r--src/string/strncat.c12
-rw-r--r--src/string/strncat_s.c4
-rw-r--r--src/string/strncmp.c5
-rw-r--r--src/string/strncpy.c4
-rw-r--r--src/string/strncpy_s.c4
-rw-r--r--src/string/strpbrk.c1
-rw-r--r--src/string/strrchr.c3
-rw-r--r--src/string/strspn.c1
-rw-r--r--src/string/strstr.c5
-rw-r--r--src/string/strtok.c2
-rw-r--r--src/string/strxfrm.c4
30 files changed, 168 insertions, 24 deletions
diff --git a/src/_safety.h b/src/_safety.h
index 7697589c..c9d8a812 100644
--- a/src/_safety.h
+++ b/src/_safety.h
@@ -32,15 +32,41 @@ extern struct __checked_call {
_Thread_local
#endif
extern struct __dangerous {
- const char *func;
- const char *param;
- const void *addr;
+ int reporting;
+ struct __danger {
+ const char *func;
+ const char *param;
+ uintptr_t addr;
+ size_t len;
+ } read, write;
} __dangerous;
#ifndef NDEBUG
#define UNDEFINED(...) __undefined(__VA_ARGS__)
-#define DANGER(__s) __dangerous = ((__s != NULL && __dangerous.func == NULL) ? (struct __dangerous){ .func = __func__, .param = #__s, .addr = __s } : (struct __dangerous){ 0 })
+#define DANGEROUS_READ(__s, __l) do { \
+ if (__dangerous.reporting == 0 && __dangerous.read.func == 0) { \
+ __dangerous.read.func = __func__; \
+ __dangerous.read.param = #__s; \
+ __dangerous.read.addr = (uintptr_t)__s; \
+ __dangerous.read.len = __l; \
+ } \
+} while (0)
+
+#define DANGEROUS_WRITE(__s, __l) do { \
+ if (__dangerous.reporting == 0 && __dangerous.write.func == 0) { \
+ __dangerous.write.func = __func__; \
+ __dangerous.write.param = #__s; \
+ __dangerous.write.addr = (uintptr_t)__s; \
+ __dangerous.write.len = __l; \
+ } \
+} while (0)
+
+#define DANGER_OVER() do { \
+ if (__dangerous.reporting == 0) { \
+ __dangerous.read.func = __dangerous.write.func = 0; \
+ } \
+} while (0)
#define ADD_PREV(__val, __arr, __count) do { \
void *tmp = realloc((__arr), ((__count) + 1) * sizeof((__arr)[0])); \
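Review bot: `DANGER_OVER()` clears both `read.func` and `write.func` unconditionally, so a nested call wipes its caller's registration: strcat.c registers `DANGEROUS_WRITE(s1, …)` and then calls `strcpy()`, whose `strlen()` runs `DANGER_OVER()`, after which strcpy's own copy loop writes `s1` with nothing registered (strcoll.c → strxfrm → strlen and strchr.c → memchr show the same pattern). Since `__func__` is a distinct static array per function, the cheap fix is to let each function clear only what it registered: `if (__dangerous.read.func == __func__) __dangerous.read.func = 0;` and `if (__dangerous.write.func == __func__) __dangerous.write.func = 0;` in place of the single assignment. The macro bodies should also parenthesize their arguments, `(uintptr_t)(__s)` and `(__l)`, so that an expression such as `s1 + s1len` or `a + b` is cast and stored as a whole.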
@@ -105,6 +131,16 @@ extern struct __dangerous {
} \
} while (0)
+#define ASSERT_MBS(__s, __fn, __desc) do { \
+ size_t __n = MB_CUR_MAX; \
+ for (size_t __i = 0; __s[__i] != '\0'; __i++) { \
+ wchar_t __wc = L'\0'; \
+ if (0 && mbtowc(&__wc, __s + __i, __n) == -1) { \
+ UNDEFINED("In call to %s(), %s is not a valid multi-byte string", __fn, __desc); \
+ } \
+ } \
+} while (0)
+
#define SIGNAL_SAFE(__n) do { \
if (__n == 0 && __signal_h.current != 0) { \
int _sig = __signal_h.current; \
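Review bot: `if (0 && mbtowc(&__wc, __s + __i, __n) == -1)` in the new `ASSERT_MBS` macro makes the validation unreachable, so the macro currently only walks the string; if that is a deliberate stub it deserves a comment saying so, e.g. `/* validation intentionally disabled; see TODO before enabling */`, rather than a bare `0 &&`. Before it is enabled, the loop also needs to advance by the byte count `mbtowc()` returns instead of `__i++`, otherwise every continuation byte of a valid multibyte character is re-decoded from the middle and reported as invalid. The macro relies on `MB_CUR_MAX`, `mbtowc` and `wchar_t`; whether this header already includes the providers of those names is outside the hunk.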
@@ -192,7 +228,7 @@ extern struct __dangerous {
#define UNDEFINED(...)
#define ASSERT_NOOVERLAP(__x, __y, __s)
#define ASSERT_NONNULL(x)
-#define DANGER(__s)
+#define ASSERT_MBS(__s, __f, __d)
#define VCHECK_0(f)
#define VCHECK_1(f, a)
#define VCHECK_2(f, a, b)
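Review bot: The `NDEBUG` branch replaces the old `DANGER(__s)` no-op with `ASSERT_MBS`, but adds no no-op forms for `DANGEROUS_READ`, `DANGEROUS_WRITE` and `DANGER_OVER`, which every string function in this commit now calls unconditionally; unless they are defined outside the `#ifndef NDEBUG` block (not visible in this hunk), a release build will fail on the first use. Add `#define DANGEROUS_READ(__s, __l)`, `#define DANGEROUS_WRITE(__s, __l)` and `#define DANGER_OVER()` alongside the other empty definitions. The parameter names `(__s, __f, __d)` here also differ from `(__s, __fn, __desc)` in the debug definition; keeping them identical makes the two branches easier to diff.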
diff --git a/src/signal/__segv.c b/src/signal/__segv.c
index 7a4a2656..8c761914 100644
--- a/src/signal/__segv.c
+++ b/src/signal/__segv.c
@@ -14,7 +14,7 @@
#include "_forced/mprotect.h"
#define sysconf(__n) 4096
-#define psiginfo(x, y) fprintf(stderr, "%s (%p)\n", (char*)(y), (void*)(x))
+#define psiginfo(x, y) fprintf(stderr, "Segmentation Fault %s (%p)\n", (y) ? (char*)(y) : "", (void*)(x))
#define sigemptyset(x) memset(x, 0, sizeof(*x))
#endif
@@ -56,21 +56,25 @@ static void __jk_error(const char *s, void *addr, struct jk_source *src)
static void __jk_sigaction(int sig, siginfo_t *si, void *addr)
{
__signal_h.current = 0;
+ __dangerous.reporting = 1;
(void)sig; (void)addr;
__jk_undef();
-
- if (__dangerous[0].func) {
- fprintf(stderr, "In call to %s, attempting to read parameter %s (%p)\n", __dangerous[0].func, __dangerous[0].param, __dangerous[0].addr);
+ if (!si) {
+ __jk_error("No signal information provided", NULL, NULL);
}
- if (__dangerous[1].func) {
- fprintf(stderr, "In call to %s, attempting to write parameter %s (%p)\n", __dangerous[1].func, __dangerous[1].param, __dangerous[1].addr);
- }
+ uintptr_t p = (uintptr_t)si->si_addr;
- if (!si) {
- __jk_error("No signal information provided", NULL, NULL);
+ if (__dangerous.write.func && __dangerous.write.addr <= p && p <= __dangerous.write.addr + __dangerous.write.len) {
+ struct __danger *d = &__dangerous.write;
+ fprintf(stderr, "In call to %s(), failed to write parameter %s (%p) (%p)\n", d->func, d->param, (void*)d->addr, si->si_addr);
+ __jk_error(NULL, NULL, NULL);
+ } else if (__dangerous.read.func && __dangerous.read.addr <= p && p <= __dangerous.read.addr + __dangerous.read.len) {
+ struct __danger *d = &__dangerous.read;
+ fprintf(stderr, "In call to %s(), failed to read parameter %s (%p) (%p)\n", d->func, d->param, (void*)d->addr, si->si_addr);
+ __jk_error(NULL, NULL, NULL);
}
if (si->si_addr == NULL) {
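Review bot: The range test on the new `if (__dangerous.write.func && …)` and `else if (__dangerous.read.func && …)` lines computes `addr + len` in `uintptr_t`, and most callers in this commit register an unbounded read with `-1` (strlen.c, strchr.c, strcat.c, strdup.c, strncmp.c, strrchr.c, strstr.c, strcoll.c, strcpy_s.c, strxfrm.c), so `addr + (size_t)-1` wraps to `addr - 1` and the test can never match for exactly the functions this change targets. A saturating helper avoids the wrap and makes both branches read the same. The `uintptr_t p = (uintptr_t)si->si_addr;` line also relies on the preceding `if (!si)` block not returning, which depends on `__jk_error()` being noreturn — not visible here. `__jk_sigaction` continues past the end of the hunk.

```c
/* True when p lies in [d->addr, d->addr + d->len]; saturates so that
 * len == (size_t)-1 means "from addr to the end of the address space". */
static int __in_danger(const struct __danger *d, uintptr_t p)
{
	uintptr_t end = (d->len > UINTPTR_MAX - d->addr) ? UINTPTR_MAX : d->addr + d->len;
	return d->func != NULL && d->addr <= p && p <= end;
}

static void __jk_sigaction(int sig, siginfo_t *si, void *addr)
{
	/* … unchanged: reporting flag, __jk_undef(), !si check … */
	uintptr_t p = (uintptr_t)si->si_addr;
	if (__in_danger(&__dangerous.write, p)) {
		/* … unchanged: write report and __jk_error() … */
	} else if (__in_danger(&__dangerous.read, p)) {
		/* … unchanged: read report and __jk_error() … */
	}
```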
diff --git a/src/string/memchr.c b/src/string/memchr.c
index aac59df0..3e55621f 100644
--- a/src/string/memchr.c
+++ b/src/string/memchr.c
@@ -11,6 +11,7 @@ void * memchr(const void *s, int c, size_t n)
size_t i = 0;
ASSERT_NONNULL(s);
+ DANGEROUS_READ(s, n);
for (i = 0; i < n; i++) {
if (p[i] == (unsigned char)c) {
@@ -18,6 +19,8 @@ void * memchr(const void *s, int c, size_t n)
}
}
+ DANGER_OVER();
+
/*
RETURN_FAILURE(CONSTANT(NULL));
RETURN_SUCCESS(a pointer to the located byte);
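Review bot: `DANGER_OVER()` is only reached after the loop falls through; if the `if (p[i] == (unsigned char)c)` branch returns the match directly (its body lies between the two hunks, so I cannot confirm), the read registration for `s` stays live in `__dangerous` after memchr returns, and a later unrelated fault in the caller would be attributed to memchr. strrchr.c in this same commit handles this by calling `DANGER_OVER();` immediately before the in-loop `return`; the same one-line addition belongs before memchr's early return.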
diff --git a/src/string/memcmp.c b/src/string/memcmp.c
index 156c8b03..0ceff387 100644
--- a/src/string/memcmp.c
+++ b/src/string/memcmp.c
@@ -14,6 +14,8 @@ int memcmp(const void *s1, const void *s2, size_t n)
ASSERT_NONNULL(s2);
/* no modifications, so overlap is OK */
+ /* TODO: TWO dangerous reads */
+
for (i = 0; i < n; i++) {
if (p[i] != q[i]) {
return p[i] - q[i];
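Review bot: The `/* TODO: TWO dangerous reads */` here, and the matching TODOs in strcmp.c, strcspn.c, strpbrk.c, strspn.c and strtok.c, all stem from `struct __dangerous` having a single `read` slot. Registering `s1` only (`DANGEROUS_READ(s1, n);`) would at least attribute half of the faults correctly now; the structural fix is a second read slot, e.g. `struct __danger read[2]`, with the handler checking both. Leaving six identical TODOs without a tracking note makes it easy to fix one and forget the rest.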
diff --git a/src/string/memcpy.c b/src/string/memcpy.c
index 0fb76f99..864f8c70 100644
--- a/src/string/memcpy.c
+++ b/src/string/memcpy.c
@@ -13,11 +13,15 @@ void * memcpy(void * restrict s1, const void * restrict s2, size_t n)
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
ASSERT_NOOVERLAP(s1, n, s2, n);
+ DANGEROUS_READ(s2, n);
+ DANGEROUS_WRITE(s1, n);
for (i = 0; i < n; i++) {
dst[i] = src[i];
}
+ DANGER_OVER();
+
/*
RETURN_ALWAYS(ARGUMENT(s1));
*/
diff --git a/src/string/memcpy_s.c b/src/string/memcpy_s.c
index 2b5ebec7..913eb8f2 100644
--- a/src/string/memcpy_s.c
+++ b/src/string/memcpy_s.c
@@ -8,6 +8,8 @@ errno_t memcpy_s(void * restrict s1, rsize_t s1max, const void * restrict s2, rs
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
ASSERT_NOOVERLAP(s1, s1max, s2, n);
+ DANGEROUS_READ(s2, n);
+ DANGEROUS_WRITE(s1, s1max);
char *dst = (char*)s1, *src = (char*)s2;
rsize_t i = 0;
@@ -15,6 +17,9 @@ errno_t memcpy_s(void * restrict s1, rsize_t s1max, const void * restrict s2, rs
dst[i] = src[i];
i++;
}
+
+ DANGER_OVER();
+
return 0;
}
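Review bot: `DANGER_OVER()` is placed only on the success path before `return 0;`, while `DANGEROUS_READ`/`DANGEROUS_WRITE` are registered before the bounds check that sits between the two hunks; if that check returns early (as the visible `if (n > s1max) {` in memmove_s.c suggests), the registration stays live after the function returns and the next unrelated fault is blamed on memcpy_s. Either move `DANGER_OVER();` into the error branch too, or register after the check. The same layout appears in memmove_s.c, memset_s.c, strncat_s.c and strncpy_s.c.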
diff --git a/src/string/memmove.c b/src/string/memmove.c
index 5d6dd3e0..5a6fdc97 100644
--- a/src/string/memmove.c
+++ b/src/string/memmove.c
@@ -8,6 +8,8 @@ void * memmove(void *s1, const void *s2, size_t n)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
+ DANGEROUS_READ(s2, n);
+ DANGEROUS_WRITE(s1, n);
if (s1 < s2) {
for (size_t i = 0; i < n; i++) {
@@ -22,6 +24,8 @@ void * memmove(void *s1, const void *s2, size_t n)
((char*)s1)[n] = ((char*)s2)[n];
}
+ DANGER_OVER();
+
/*
RETURN_ALWAYS(ARGUMENT(s1));
*/
diff --git a/src/string/memmove_s.c b/src/string/memmove_s.c
index 209a8957..d9a3588a 100644
--- a/src/string/memmove_s.c
+++ b/src/string/memmove_s.c
@@ -8,6 +8,8 @@ errno_t memmove_s(void *s1, rsize_t s1max, const void *s2, rsize_t n)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
+ DANGEROUS_READ(s2, n);
+ DANGEROUS_WRITE(s1, s1max);
/* Overlap is explicitly allowed */
if (n > s1max) {
@@ -15,6 +17,9 @@ errno_t memmove_s(void *s1, rsize_t s1max, const void *s2, rsize_t n)
}
memmove(s1, s2, n);
+
+ DANGER_OVER();
+
return 0;
}
diff --git a/src/string/memset.c b/src/string/memset.c
index 0cda3b90..97765ffa 100644
--- a/src/string/memset.c
+++ b/src/string/memset.c
@@ -10,11 +10,14 @@ void * memset(void *s, int c, size_t n)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s);
+ DANGEROUS_WRITE(s, n);
for (i = 0; i < n; i++) {
p[i] = (unsigned char)c;
}
+ DANGER_OVER();
+
/*
RETURN_ALWAYS(ARGUMENT(s));
*/
diff --git a/src/string/memset_s.c b/src/string/memset_s.c
index 90157c9b..3193ca32 100644
--- a/src/string/memset_s.c
+++ b/src/string/memset_s.c
@@ -6,6 +6,7 @@ errno_t memset_s(void *s, rsize_t smax, int c, rsize_t n)
{
SIGNAL_SAFE(0);
ASSERT_NONNULL(s);
+ DANGEROUS_WRITE(s, smax);
unsigned char *_s = (unsigned char *)s;
rsize_t i = 0;
@@ -14,6 +15,8 @@ errno_t memset_s(void *s, rsize_t smax, int c, rsize_t n)
_s[i] = (unsigned char)c;
}
+ DANGER_OVER();
+
return 0;
}
diff --git a/src/string/strcat.c b/src/string/strcat.c
index afbdf84c..60e7695d 100644
--- a/src/string/strcat.c
+++ b/src/string/strcat.c
@@ -8,7 +8,13 @@ char * strcat(char * restrict s1, const char * restrict s2)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
- ASSERT_NOOVERLAP(s1, strlen(s1) + strlen(s2), s2, strlen(s2));
+ DANGEROUS_READ(s2, -1);
+ size_t s2len = strlen(s2);
+ DANGER_OVER();
+ DANGEROUS_READ(s1, -1);
+ size_t s1len = strlen(s1);
+ ASSERT_NOOVERLAP(s1, s1len + s2len, s2, s2len);
+ DANGEROUS_WRITE(s1, s1len + s2len);
/*
RETURN_ALWAYS(ARGUMENT(s1));
@@ -18,6 +24,9 @@ char * strcat(char * restrict s1, const char * restrict s2)
}
strcpy(s1 + i, s2);
+
+ DANGER_OVER();
+
return s1;
}
diff --git a/src/string/strchr.c b/src/string/strchr.c
index cde96cbf..fe4746f4 100644
--- a/src/string/strchr.c
+++ b/src/string/strchr.c
@@ -7,12 +7,15 @@ char * strchr(const char *s, int c)
{
SIGNAL_SAFE(0);
ASSERT_NONNULL(s);
+ DANGEROUS_READ(s, -1);
+ size_t len = strlen(s);
+ DANGER_OVER();
/*
RETURN_FAILURE(CONSTANT(NULL));
RETURN_SUCCESS(a pointer to the located character);
*/
- return (char*)memchr(s, (char)c, strlen(s));
+ return (char*)memchr(s, (char)c, len);
}
CHECK_2(char *, 0, strchr, const char *, int)
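Review bot: `return (char*)memchr(s, (char)c, len);` searches only the `len` bytes before the terminator, so `strchr(s, '\0')` returns NULL, whereas the C standard requires it to return a pointer to the terminating null character. Passing `len + 1` fixes this: `return (char*)memchr(s, (char)c, len + 1);`. The `DANGEROUS_READ(s, -1)` window is then consistent with the bytes actually read.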
diff --git a/src/string/strcmp.c b/src/string/strcmp.c
index 750f6772..d609a3d9 100644
--- a/src/string/strcmp.c
+++ b/src/string/strcmp.c
@@ -8,6 +8,7 @@ int strcmp(const char *s1, const char *s2)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
+ /* TODO: dangerous read * 2 */
/* no modifcation, overlap is OK */
while (*s1 && *s2) {
diff --git a/src/string/strcoll.c b/src/string/strcoll.c
index 7091e30f..8ea365b6 100644
--- a/src/string/strcoll.c
+++ b/src/string/strcoll.c
@@ -13,10 +13,16 @@ int strcoll(const char *s1, const char *s2)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
+
/* no modification, overlap is OK */
+ DANGEROUS_READ(s1, -1);
x1 = malloc(strxfrm(x1, s1, 0));
+ DANGER_OVER();
+
+ DANGEROUS_READ(s2, -1);
x2 = malloc(strxfrm(x2, s2, 0));
+ DANGER_OVER();
if (x1 && x2) {
strxfrm(x1, s1, 0);
diff --git a/src/string/strcpy.c b/src/string/strcpy.c
index 620fdd1e..f13a102c 100644
--- a/src/string/strcpy.c
+++ b/src/string/strcpy.c
@@ -6,20 +6,22 @@
char * strcpy(char * restrict s1, const char * restrict s2)
{
char *p = s1;
+ size_t len = 0;
SIGNAL_SAFE(0);
+
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
-
- DANGER(s2);
-
- ASSERT_NOOVERLAP(s1, strlen(s2), s2, strlen(s2));
+ DANGEROUS_READ(s2, 0);
+ len = strlen(s2);
+ ASSERT_NOOVERLAP(s1, len, s2, len);
+ DANGEROUS_WRITE(s1, len);
while ((*s1++ = *s2++) != '\0') {
continue;
}
- DANGER(0);
+ DANGER_OVER();
/*
RETURN_ALWAYS(ARGUMENT(s1));
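Review bot: `DANGEROUS_READ(s2, 0);` registers a zero-length window, so only a fault at exactly `s2` is attributed, while every other string function in this commit registers an unbounded read with `-1` before `strlen()`; use `DANGEROUS_READ(s2, -1);` here as well. `DANGEROUS_WRITE(s1, len);` also stops one byte short of the terminator that the copy loop writes; `DANGEROUS_WRITE(s1, len + 1);` covers it (the `ASSERT_NOOVERLAP(s1, len, s2, len)` window has the same off-by-one, but that predates this change). The `RETURN_ALWAYS(ARGUMENT(s1))` comment describes the saved `p`, since `s1` has been advanced by the loop.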
diff --git a/src/string/strcpy_s.c b/src/string/strcpy_s.c
index 1e3546f2..c38ebfb5 100644
--- a/src/string/strcpy_s.c
+++ b/src/string/strcpy_s.c
@@ -8,9 +8,15 @@ errno_t strcpy_s(char * restrict s1, rsize_t s1max, const char * restrict s2)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
- ASSERT_NOOVERLAP(s1, s1max, s2, strlen(s2));
+ DANGEROUS_READ(s2, -1);
+ size_t len = strlen(s2);
+ ASSERT_NOOVERLAP(s1, s1max, s2, len);
+ DANGEROUS_WRITE(s1, s1max);
strncpy(s1, s2, strlen(s2));
+
+ DANGER_OVER();
+
return 0;
}
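Review bot: The new `size_t len = strlen(s2);` is only used for `ASSERT_NOOVERLAP`; the copy on the next context line still recomputes `strlen(s2)` and, because it is `strncpy(s1, s2, strlen(s2))`, never writes the terminator into `s1`. Within the visible body there is also no check that `len < s1max` before copying, which is the constraint strcpy_s exists to enforce. Add a branch mirroring memmove_s.c's `if (n > s1max)` check before the copy (its error return value is outside this hunk, so I will not guess it) and replace the copy with `memcpy(s1, s2, len + 1);`.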
diff --git a/src/string/strcspn.c b/src/string/strcspn.c
index b5c3c506..c157f663 100644
--- a/src/string/strcspn.c
+++ b/src/string/strcspn.c
@@ -10,6 +10,8 @@ size_t strcspn(const char *s1, const char *s2)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
+
+ /* TODO: two dangerous reads */
/* no modification, overlap is OK */
for (i = 0; s1[i] != '\0'; i++) {
diff --git a/src/string/strdup.c b/src/string/strdup.c
index 9780deaa..0016a267 100644
--- a/src/string/strdup.c
+++ b/src/string/strdup.c
@@ -5,7 +5,10 @@
char *strdup(const char *s)
{
ASSERT_NONNULL(s);
+ DANGEROUS_READ(s, -1);
size_t len = strlen(s) + 1;
+ DANGER_OVER();
+
char *dup = malloc(len);
memcpy(dup, s, len);
return dup;
diff --git a/src/string/strlen.c b/src/string/strlen.c
index f0de348f..2527a7fb 100644
--- a/src/string/strlen.c
+++ b/src/string/strlen.c
@@ -9,9 +9,11 @@ size_t strlen(const char *s)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s);
+ DANGEROUS_READ(s, -1);
for (i = 0; s[i] != '\0'; i++) {
continue;
}
+ DANGER_OVER();
return i;
}
diff --git a/src/string/strncat.c b/src/string/strncat.c
index 563f055f..0d7dd9e7 100644
--- a/src/string/strncat.c
+++ b/src/string/strncat.c
@@ -11,9 +11,15 @@ char * strncat(char * restrict s1, const char * restrict s2, size_t n)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
- ASSERT_NOOVERLAP(s1, n, s2, strlen(s1) + strlen(s2));
+ DANGEROUS_READ(s1, n);
+ size_t s1len = strlen(s1);
+ DANGER_OVER();
+ DANGEROUS_READ(s2, n);
+ size_t s2len = strlen(s2);
+ ASSERT_NOOVERLAP(s1, n, s2, s1len + s2len);
+ DANGEROUS_WRITE(s1, n);
- append = s1 + strlen(s1);
+ append = s1 + s1len;
for (i = 0; i < n; i++) {
append[i] = s2[i];
@@ -26,6 +32,8 @@ char * strncat(char * restrict s1, const char * restrict s2, size_t n)
append[i] = '\0';
}
+ DANGER_OVER();
+
return s1;
}
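Review bot: `DANGEROUS_WRITE(s1, n);` registers the window `[s1, s1 + n]`, but the writes happen at `append[i] = s2[i]` with `append = s1 + s1len`, so any fault past `s1 + n` inside the actual write range is not attributed; `DANGEROUS_WRITE(s1 + s1len, n);` describes what is written. Likewise `DANGEROUS_READ(s1, n);` precedes `strlen(s1)`, which reads up to the terminator regardless of `n`, so it should be `DANGEROUS_READ(s1, -1);` as in strcat.c. `strlen(s2)` is also unbounded by `n` even though strncat only promises to read `n` bytes of `s2`, but that predates this change.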
diff --git a/src/string/strncat_s.c b/src/string/strncat_s.c
index 8cc1875e..27761b6f 100644
--- a/src/string/strncat_s.c
+++ b/src/string/strncat_s.c
@@ -8,6 +8,8 @@ errno_t strncat_s(char * restrict s1, rsize_t s1max, const char * restrict s2, r
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
ASSERT_NOOVERLAP(s1, s1max, s2, n);
+ DANGEROUS_READ(s2, n);
+ DANGEROUS_WRITE(s1, s1max);
char *append = s1 + strlen(s1);
for (size_t i = 0; i < n; i++) {
@@ -22,6 +24,8 @@ errno_t strncat_s(char * restrict s1, rsize_t s1max, const char * restrict s2, r
*append = '\0';
}
+ DANGER_OVER();
+
return 0;
}
diff --git a/src/string/strncmp.c b/src/string/strncmp.c
index cf10e3f7..0cd6d872 100644
--- a/src/string/strncmp.c
+++ b/src/string/strncmp.c
@@ -10,12 +10,17 @@ int strncmp(const char *s1, const char *s2, size_t n)
ASSERT_NONNULL(s2);
/* no modifcation, overlap is OK */
+ DANGEROUS_READ(s1, -1);
if (strlen(s1) < n) {
n = strlen(s1);
}
+ DANGER_OVER();
+
+ DANGEROUS_READ(s2, -1);
if (strlen(s2) < n) {
n = strlen(s2);
}
+ DANGER_OVER();
/*
RETURN(NEGATIVE, ARGUMENT(s1) is less than ARGUMENT(s2));
diff --git a/src/string/strncpy.c b/src/string/strncpy.c
index 2b4c40d1..0dd18aab 100644
--- a/src/string/strncpy.c
+++ b/src/string/strncpy.c
@@ -11,6 +11,8 @@ char * strncpy(char * restrict s1, const char * restrict s2, size_t n)
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
ASSERT_NOOVERLAP(s1, n, s2, n);
+ DANGEROUS_READ(s2, n);
+ DANGEROUS_WRITE(s1, n);
for (i = 0; i < n; i++) {
s1[i] = s2[i];
@@ -20,6 +22,8 @@ char * strncpy(char * restrict s1, const char * restrict s2, size_t n)
}
}
+ DANGER_OVER();
+
return s1;
}
diff --git a/src/string/strncpy_s.c b/src/string/strncpy_s.c
index 81ff253b..fb7fd056 100644
--- a/src/string/strncpy_s.c
+++ b/src/string/strncpy_s.c
@@ -8,6 +8,8 @@ errno_t strncpy_s(char * restrict s1, rsize_t s1max, const char * restrict s2, r
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
ASSERT_NOOVERLAP(s1, s1max, s2, n);
+ DANGEROUS_READ(s2, n);
+ DANGEROUS_WRITE(s1, s1max);
size_t i;
for (i = 0; i < n; i++) {
@@ -21,6 +23,8 @@ errno_t strncpy_s(char * restrict s1, rsize_t s1max, const char * restrict s2, r
s1[i++] = '\0';
}
+ DANGER_OVER();
+
return 0;
}
diff --git a/src/string/strpbrk.c b/src/string/strpbrk.c
index 7225ac4c..20e07aa3 100644
--- a/src/string/strpbrk.c
+++ b/src/string/strpbrk.c
@@ -10,6 +10,7 @@ char * strpbrk(const char *s1, const char *s2)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
+ /* TODO: two dangerous reads */
/* no modifcation, overlap is OK */
for (i = 0; i < strlen (s1); i++) {
diff --git a/src/string/strrchr.c b/src/string/strrchr.c
index c7172590..738935c1 100644
--- a/src/string/strrchr.c
+++ b/src/string/strrchr.c
@@ -10,11 +10,14 @@ char * strrchr(const char *s, int c)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s);
+ DANGEROUS_READ(s, -1);
for (i = strlen(s) + 1; i >= 0; i--) {
if (s[i] == (char)c) {
+ DANGER_OVER();
return (char*)s + i;
}
}
+ DANGER_OVER();
/*
RETURN_SUCCESS(a pointer to the found character);
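Review bot: The loop header `for (i = strlen(s) + 1; i >= 0; i--)` starts one byte past the terminator, so the first `s[i]` read is outside the string even though `DANGEROUS_READ(s, -1)` now covers it; and if `i` is unsigned (its declaration is outside the hunk) `i >= 0` is always true and the loop walks below `s`. `for (i = strlen(s) + 1; i-- > 0;) {` visits exactly the indices `strlen(s)` down to `0`, still finds the terminator for `c == '\0'`, and terminates for either signedness.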
diff --git a/src/string/strspn.c b/src/string/strspn.c
index 82e0dc9c..43b3c617 100644
--- a/src/string/strspn.c
+++ b/src/string/strspn.c
@@ -10,6 +10,7 @@ size_t strspn(const char *s1, const char *s2)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s1);
ASSERT_NONNULL(s2);
+ /* TODO: two dangerous reads */
/* no modification, overlap is OK */
for (i = 0; i < strlen (s1); i++) {
diff --git a/src/string/strstr.c b/src/string/strstr.c
index eac8ea77..03ac3e17 100644
--- a/src/string/strstr.c
+++ b/src/string/strstr.c
@@ -14,8 +14,13 @@ char * strstr(const char *s1, const char *s2)
ASSERT_NONNULL(s2);
/* no modifcation, overlap is OK */
+ DANGEROUS_READ(s1, -1);
l1 = strlen(s1);
+ DANGER_OVER();
+
+ DANGEROUS_READ(s2, -1);
l2 = strlen(s2);
+ DANGER_OVER();
for (p = (char*)s1; p < s1 + l1 - l2; p = strchr(p + 1, *s2)) {
if (p == NULL || strncmp(p, s2, l2) == 0) {
diff --git a/src/string/strtok.c b/src/string/strtok.c
index b48bba18..7abe7303 100644
--- a/src/string/strtok.c
+++ b/src/string/strtok.c
@@ -16,6 +16,8 @@ char * strtok(char * restrict s1, const char * restrict s2)
}
/* nothing is copied, overlap is OK */
+ /* TODO: two dangerous reads */
+
/*
RETURN(CONSTANT(NULL), there are no further tokens, only token separators);
RETURN(NONNULL, a pointer to the first character of the next token);
diff --git a/src/string/strxfrm.c b/src/string/strxfrm.c
index 696027ce..f15c1e18 100644
--- a/src/string/strxfrm.c
+++ b/src/string/strxfrm.c
@@ -10,11 +10,15 @@ size_t strxfrm(char * restrict s1, const char * restrict s2, size_t n)
SIGNAL_SAFE(0);
ASSERT_NONNULL(s2);
ASSERT_NOOVERLAP(s1, n, s2, n);
+ DANGEROUS_READ(s2, -1);
+ DANGEROUS_WRITE(s1, -1);
if (n != 0) {
ASSERT_NONNULL(s1);
ASSERT_NOOVERLAP(s1, n, s2, n);
}
+
+ DANGER_OVER();
return strlen(s2);
}
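Review bot: `DANGEROUS_WRITE(s1, -1);` is registered before the `if (n != 0)` block that contains `ASSERT_NONNULL(s1)`, so for the standard `n == 0` query `s1` may legitimately be NULL and the handler is then given the window `[0, 0 + SIZE_MAX]`, which claims every fault address. Within this hunk no write to `s1` occurs at all (`return strlen(s2)` is the only work), so the registration should at most be `DANGEROUS_WRITE(s1, n);` placed inside the `if (n != 0)` block. The duplicated `ASSERT_NOOVERLAP(s1, n, s2, n)` before and inside that block predates this change.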