clang API Documentation

ObjCContainersChecker.cpp
Go to the documentation of this file.
00001 //== ObjCContainersChecker.cpp - Path sensitive checker for CFArray *- C++ -*=//
00002 //
00003 //                     The LLVM Compiler Infrastructure
00004 //
00005 // This file is distributed under the University of Illinois Open Source
00006 // License. See LICENSE.TXT for details.
00007 //
00008 //===----------------------------------------------------------------------===//
00009 //
00010 // Performs path sensitive checks of Core Foundation static containers like
00011 // CFArray.
00012 // 1) Check for buffer overflows:
00013 //      In CFArrayGetArrayAtIndex( myArray, index), if the index is outside the
00014 //      index space of theArray (0 to N-1 inclusive (where N is the count of
00015 //      theArray), the behavior is undefined.
00016 //
00017 //===----------------------------------------------------------------------===//
00018 
00019 #include "ClangSACheckers.h"
00020 #include "clang/AST/ParentMap.h"
00021 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
00022 #include "clang/StaticAnalyzer/Core/Checker.h"
00023 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
00024 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
00025 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
00026 
00027 using namespace clang;
00028 using namespace ento;
00029 
00030 namespace {
00031 class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>,
00032                                              check::PostStmt<CallExpr> > {
00033   mutable std::unique_ptr<BugType> BT;
00034   inline void initBugType() const {
00035     if (!BT)
00036       BT.reset(new BugType(this, "CFArray API",
00037                            categories::CoreFoundationObjectiveC));
00038   }
00039 
00040   inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const {
00041     SVal ArrayRef = C.getState()->getSVal(E, C.getLocationContext());
00042     SymbolRef ArraySym = ArrayRef.getAsSymbol();
00043     return ArraySym;
00044   }
00045 
00046   void addSizeInfo(const Expr *Array, const Expr *Size,
00047                    CheckerContext &C) const;
00048 
00049 public:
00050   /// A tag to id this checker.
00051   static void *getTag() { static int Tag; return &Tag; }
00052 
00053   void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
00054   void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
00055 };
00056 } // end anonymous namespace
00057 
00058 // ProgramState trait - a map from array symbol to its state.
00059 REGISTER_MAP_WITH_PROGRAMSTATE(ArraySizeMap, SymbolRef, DefinedSVal)
00060 
00061 void ObjCContainersChecker::addSizeInfo(const Expr *Array, const Expr *Size,
00062                                         CheckerContext &C) const {
00063   ProgramStateRef State = C.getState();
00064   SVal SizeV = State->getSVal(Size, C.getLocationContext());
00065   // Undefined is reported by another checker.
00066   if (SizeV.isUnknownOrUndef())
00067     return;
00068 
00069   // Get the ArrayRef symbol.
00070   SVal ArrayRef = State->getSVal(Array, C.getLocationContext());
00071   SymbolRef ArraySym = ArrayRef.getAsSymbol();
00072   if (!ArraySym)
00073     return;
00074 
00075   C.addTransition(
00076       State->set<ArraySizeMap>(ArraySym, SizeV.castAs<DefinedSVal>()));
00077   return;
00078 }
00079 
00080 void ObjCContainersChecker::checkPostStmt(const CallExpr *CE,
00081                                           CheckerContext &C) const {
00082   StringRef Name = C.getCalleeName(CE);
00083   if (Name.empty() || CE->getNumArgs() < 1)
00084     return;
00085 
00086   // Add array size information to the state.
00087   if (Name.equals("CFArrayCreate")) {
00088     if (CE->getNumArgs() < 3)
00089       return;
00090     // Note, we can visit the Create method in the post-visit because
00091     // the CFIndex parameter is passed in by value and will not be invalidated
00092     // by the call.
00093     addSizeInfo(CE, CE->getArg(2), C);
00094     return;
00095   }
00096 
00097   if (Name.equals("CFArrayGetCount")) {
00098     addSizeInfo(CE->getArg(0), CE, C);
00099     return;
00100   }
00101 }
00102 
00103 void ObjCContainersChecker::checkPreStmt(const CallExpr *CE,
00104                                          CheckerContext &C) const {
00105   StringRef Name = C.getCalleeName(CE);
00106   if (Name.empty() || CE->getNumArgs() < 2)
00107     return;
00108 
00109   // Check the array access.
00110   if (Name.equals("CFArrayGetValueAtIndex")) {
00111     ProgramStateRef State = C.getState();
00112     // Retrieve the size.
00113     // Find out if we saw this array symbol before and have information about it.
00114     const Expr *ArrayExpr = CE->getArg(0);
00115     SymbolRef ArraySym = getArraySym(ArrayExpr, C);
00116     if (!ArraySym)
00117       return;
00118 
00119     const DefinedSVal *Size = State->get<ArraySizeMap>(ArraySym);
00120 
00121     if (!Size)
00122       return;
00123 
00124     // Get the index.
00125     const Expr *IdxExpr = CE->getArg(1);
00126     SVal IdxVal = State->getSVal(IdxExpr, C.getLocationContext());
00127     if (IdxVal.isUnknownOrUndef())
00128       return;
00129     DefinedSVal Idx = IdxVal.castAs<DefinedSVal>();
00130     
00131     // Now, check if 'Idx in [0, Size-1]'.
00132     const QualType T = IdxExpr->getType();
00133     ProgramStateRef StInBound = State->assumeInBound(Idx, *Size, true, T);
00134     ProgramStateRef StOutBound = State->assumeInBound(Idx, *Size, false, T);
00135     if (StOutBound && !StInBound) {
00136       ExplodedNode *N = C.generateSink(StOutBound);
00137       if (!N)
00138         return;
00139       initBugType();
00140       BugReport *R = new BugReport(*BT, "Index is out of bounds", N);
00141       R->addRange(IdxExpr->getSourceRange());
00142       C.emitReport(R);
00143       return;
00144     }
00145   }
00146 }
00147 
00148 /// Register checker.
00149 void ento::registerObjCContainersChecker(CheckerManager &mgr) {
00150   mgr.registerChecker<ObjCContainersChecker>();
00151 }