clang API Documentation

PointerSubChecker.cpp
Go to the documentation of this file.
00001 //=== PointerSubChecker.cpp - Pointer subtraction checker ------*- C++ -*--===//
00002 //
00003 //                     The LLVM Compiler Infrastructure
00004 //
00005 // This file is distributed under the University of Illinois Open Source
00006 // License. See LICENSE.TXT for details.
00007 //
00008 //===----------------------------------------------------------------------===//
00009 //
00010 // This files defines PointerSubChecker, a builtin checker that checks for
00011 // pointer subtractions on two pointers pointing to different memory chunks. 
00012 // This check corresponds to CWE-469.
00013 //
00014 //===----------------------------------------------------------------------===//
00015 
00016 #include "ClangSACheckers.h"
00017 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
00018 #include "clang/StaticAnalyzer/Core/Checker.h"
00019 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
00020 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
00021 
00022 using namespace clang;
00023 using namespace ento;
00024 
00025 namespace {
00026 class PointerSubChecker 
00027   : public Checker< check::PreStmt<BinaryOperator> > {
00028   mutable std::unique_ptr<BuiltinBug> BT;
00029 
00030 public:
00031   void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
00032 };
00033 }
00034 
00035 void PointerSubChecker::checkPreStmt(const BinaryOperator *B,
00036                                      CheckerContext &C) const {
00037   // When doing pointer subtraction, if the two pointers do not point to the
00038   // same memory chunk, emit a warning.
00039   if (B->getOpcode() != BO_Sub)
00040     return;
00041 
00042   ProgramStateRef state = C.getState();
00043   const LocationContext *LCtx = C.getLocationContext();
00044   SVal LV = state->getSVal(B->getLHS(), LCtx);
00045   SVal RV = state->getSVal(B->getRHS(), LCtx);
00046 
00047   const MemRegion *LR = LV.getAsRegion();
00048   const MemRegion *RR = RV.getAsRegion();
00049 
00050   if (!(LR && RR))
00051     return;
00052 
00053   const MemRegion *BaseLR = LR->getBaseRegion();
00054   const MemRegion *BaseRR = RR->getBaseRegion();
00055 
00056   if (BaseLR == BaseRR)
00057     return;
00058 
00059   // Allow arithmetic on different symbolic regions.
00060   if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR))
00061     return;
00062 
00063   if (ExplodedNode *N = C.addTransition()) {
00064     if (!BT)
00065       BT.reset(
00066           new BuiltinBug(this, "Pointer subtraction",
00067                          "Subtraction of two pointers that do not point to "
00068                          "the same memory chunk may cause incorrect result."));
00069     BugReport *R = new BugReport(*BT, BT->getDescription(), N);
00070     R->addRange(B->getSourceRange());
00071     C.emitReport(R);
00072   }
00073 }
00074 
00075 void ento::registerPointerSubChecker(CheckerManager &mgr) {
00076   mgr.registerChecker<PointerSubChecker>();
00077 }

Generated on Tue Nov 18 2014 04:29:31 for r222231 by Doxygen 1.7.6.1.

See the Main Clang Web Page for more information.