clang API Documentation
00001 //== ObjCContainersChecker.cpp - Path sensitive checker for CFArray *- C++ -*=// 00002 // 00003 // The LLVM Compiler Infrastructure 00004 // 00005 // This file is distributed under the University of Illinois Open Source 00006 // License. See LICENSE.TXT for details. 00007 // 00008 //===----------------------------------------------------------------------===// 00009 // 00010 // Performs path sensitive checks of Core Foundation static containers like 00011 // CFArray. 00012 // 1) Check for buffer overflows: 00013 // In CFArrayGetArrayAtIndex( myArray, index), if the index is outside the 00014 // index space of theArray (0 to N-1 inclusive (where N is the count of 00015 // theArray), the behavior is undefined. 00016 // 00017 //===----------------------------------------------------------------------===// 00018 00019 #include "ClangSACheckers.h" 00020 #include "clang/AST/ParentMap.h" 00021 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 00022 #include "clang/StaticAnalyzer/Core/Checker.h" 00023 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 00024 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 00025 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 00026 00027 using namespace clang; 00028 using namespace ento; 00029 00030 namespace { 00031 class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>, 00032 check::PostStmt<CallExpr> > { 00033 mutable std::unique_ptr<BugType> BT; 00034 inline void initBugType() const { 00035 if (!BT) 00036 BT.reset(new BugType(this, "CFArray API", 00037 categories::CoreFoundationObjectiveC)); 00038 } 00039 00040 inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const { 00041 SVal ArrayRef = C.getState()->getSVal(E, C.getLocationContext()); 00042 SymbolRef ArraySym = ArrayRef.getAsSymbol(); 00043 return ArraySym; 00044 } 00045 00046 void addSizeInfo(const Expr *Array, const Expr *Size, 00047 CheckerContext &C) const; 00048 00049 public: 00050 /// A tag to id this checker. 00051 static void *getTag() { static int Tag; return &Tag; } 00052 00053 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 00054 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; 00055 }; 00056 } // end anonymous namespace 00057 00058 // ProgramState trait - a map from array symbol to its state. 00059 REGISTER_MAP_WITH_PROGRAMSTATE(ArraySizeMap, SymbolRef, DefinedSVal) 00060 00061 void ObjCContainersChecker::addSizeInfo(const Expr *Array, const Expr *Size, 00062 CheckerContext &C) const { 00063 ProgramStateRef State = C.getState(); 00064 SVal SizeV = State->getSVal(Size, C.getLocationContext()); 00065 // Undefined is reported by another checker. 00066 if (SizeV.isUnknownOrUndef()) 00067 return; 00068 00069 // Get the ArrayRef symbol. 00070 SVal ArrayRef = State->getSVal(Array, C.getLocationContext()); 00071 SymbolRef ArraySym = ArrayRef.getAsSymbol(); 00072 if (!ArraySym) 00073 return; 00074 00075 C.addTransition( 00076 State->set<ArraySizeMap>(ArraySym, SizeV.castAs<DefinedSVal>())); 00077 return; 00078 } 00079 00080 void ObjCContainersChecker::checkPostStmt(const CallExpr *CE, 00081 CheckerContext &C) const { 00082 StringRef Name = C.getCalleeName(CE); 00083 if (Name.empty() || CE->getNumArgs() < 1) 00084 return; 00085 00086 // Add array size information to the state. 00087 if (Name.equals("CFArrayCreate")) { 00088 if (CE->getNumArgs() < 3) 00089 return; 00090 // Note, we can visit the Create method in the post-visit because 00091 // the CFIndex parameter is passed in by value and will not be invalidated 00092 // by the call. 00093 addSizeInfo(CE, CE->getArg(2), C); 00094 return; 00095 } 00096 00097 if (Name.equals("CFArrayGetCount")) { 00098 addSizeInfo(CE->getArg(0), CE, C); 00099 return; 00100 } 00101 } 00102 00103 void ObjCContainersChecker::checkPreStmt(const CallExpr *CE, 00104 CheckerContext &C) const { 00105 StringRef Name = C.getCalleeName(CE); 00106 if (Name.empty() || CE->getNumArgs() < 2) 00107 return; 00108 00109 // Check the array access. 00110 if (Name.equals("CFArrayGetValueAtIndex")) { 00111 ProgramStateRef State = C.getState(); 00112 // Retrieve the size. 00113 // Find out if we saw this array symbol before and have information about it. 00114 const Expr *ArrayExpr = CE->getArg(0); 00115 SymbolRef ArraySym = getArraySym(ArrayExpr, C); 00116 if (!ArraySym) 00117 return; 00118 00119 const DefinedSVal *Size = State->get<ArraySizeMap>(ArraySym); 00120 00121 if (!Size) 00122 return; 00123 00124 // Get the index. 00125 const Expr *IdxExpr = CE->getArg(1); 00126 SVal IdxVal = State->getSVal(IdxExpr, C.getLocationContext()); 00127 if (IdxVal.isUnknownOrUndef()) 00128 return; 00129 DefinedSVal Idx = IdxVal.castAs<DefinedSVal>(); 00130 00131 // Now, check if 'Idx in [0, Size-1]'. 00132 const QualType T = IdxExpr->getType(); 00133 ProgramStateRef StInBound = State->assumeInBound(Idx, *Size, true, T); 00134 ProgramStateRef StOutBound = State->assumeInBound(Idx, *Size, false, T); 00135 if (StOutBound && !StInBound) { 00136 ExplodedNode *N = C.generateSink(StOutBound); 00137 if (!N) 00138 return; 00139 initBugType(); 00140 BugReport *R = new BugReport(*BT, "Index is out of bounds", N); 00141 R->addRange(IdxExpr->getSourceRange()); 00142 C.emitReport(R); 00143 return; 00144 } 00145 } 00146 } 00147 00148 /// Register checker. 00149 void ento::registerObjCContainersChecker(CheckerManager &mgr) { 00150 mgr.registerChecker<ObjCContainersChecker>(); 00151 }