clang  6.0.0svn
UnixAPIChecker.cpp
Go to the documentation of this file.
1 //= UnixAPIChecker.h - Checks preconditions for various Unix APIs --*- C++ -*-//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines UnixAPIChecker, which is an assortment of checks on calls
11 // to various, widely used UNIX/Posix functions.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "clang/Basic/TargetInfo.h"
21 #include "llvm/ADT/Optional.h"
22 #include "llvm/ADT/STLExtras.h"
23 #include "llvm/ADT/SmallString.h"
24 #include "llvm/ADT/StringExtras.h"
25 #include "llvm/ADT/StringSwitch.h"
26 #include "llvm/Support/raw_ostream.h"
27 #include <fcntl.h>
28 
29 using namespace clang;
30 using namespace ento;
31 
32 enum class OpenVariant {
33  /// The standard open() call:
34  /// int open(const char *path, int oflag, ...);
35  Open,
36 
37  /// The variant taking a directory file descriptor and a relative path:
38  /// int openat(int fd, const char *path, int oflag, ...);
39  OpenAt
40 };
41 
42 namespace {
43 class UnixAPIChecker : public Checker< check::PreStmt<CallExpr> > {
44  mutable std::unique_ptr<BugType> BT_open, BT_pthreadOnce, BT_mallocZero;
45  mutable Optional<uint64_t> Val_O_CREAT;
46 
47 public:
48  DefaultBool CheckMisuse, CheckPortability;
49 
50  void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
51 
52  void CheckOpen(CheckerContext &C, const CallExpr *CE) const;
53  void CheckOpenAt(CheckerContext &C, const CallExpr *CE) const;
54 
55  void CheckPthreadOnce(CheckerContext &C, const CallExpr *CE) const;
56  void CheckCallocZero(CheckerContext &C, const CallExpr *CE) const;
57  void CheckMallocZero(CheckerContext &C, const CallExpr *CE) const;
58  void CheckReallocZero(CheckerContext &C, const CallExpr *CE) const;
59  void CheckReallocfZero(CheckerContext &C, const CallExpr *CE) const;
60  void CheckAllocaZero(CheckerContext &C, const CallExpr *CE) const;
61  void CheckAllocaWithAlignZero(CheckerContext &C, const CallExpr *CE) const;
62  void CheckVallocZero(CheckerContext &C, const CallExpr *CE) const;
63 
64  typedef void (UnixAPIChecker::*SubChecker)(CheckerContext &,
65  const CallExpr *) const;
66 private:
67 
68  void CheckOpenVariant(CheckerContext &C,
69  const CallExpr *CE, OpenVariant Variant) const;
70 
71  bool ReportZeroByteAllocation(CheckerContext &C,
72  ProgramStateRef falseState,
73  const Expr *arg,
74  const char *fn_name) const;
75  void BasicAllocationCheck(CheckerContext &C,
76  const CallExpr *CE,
77  const unsigned numArgs,
78  const unsigned sizeArg,
79  const char *fn) const;
80  void LazyInitialize(std::unique_ptr<BugType> &BT, const char *name) const {
81  if (BT)
82  return;
83  BT.reset(new BugType(this, name, categories::UnixAPI));
84  }
85  void ReportOpenBug(CheckerContext &C,
87  const char *Msg,
88  SourceRange SR) const;
89 };
90 } //end anonymous namespace
91 
92 //===----------------------------------------------------------------------===//
93 // "open" (man 2 open)
94 //===----------------------------------------------------------------------===//
95 
96 void UnixAPIChecker::ReportOpenBug(CheckerContext &C,
98  const char *Msg,
99  SourceRange SR) const {
100  ExplodedNode *N = C.generateErrorNode(State);
101  if (!N)
102  return;
103 
104  LazyInitialize(BT_open, "Improper use of 'open'");
105 
106  auto Report = llvm::make_unique<BugReport>(*BT_open, Msg, N);
107  Report->addRange(SR);
108  C.emitReport(std::move(Report));
109 }
110 
111 void UnixAPIChecker::CheckOpen(CheckerContext &C, const CallExpr *CE) const {
112  CheckOpenVariant(C, CE, OpenVariant::Open);
113 }
114 
115 void UnixAPIChecker::CheckOpenAt(CheckerContext &C, const CallExpr *CE) const {
116  CheckOpenVariant(C, CE, OpenVariant::OpenAt);
117 }
118 
119 void UnixAPIChecker::CheckOpenVariant(CheckerContext &C,
120  const CallExpr *CE,
121  OpenVariant Variant) const {
122  // The index of the argument taking the flags open flags (O_RDONLY,
123  // O_WRONLY, O_CREAT, etc.),
124  unsigned int FlagsArgIndex;
125  const char *VariantName;
126  switch (Variant) {
127  case OpenVariant::Open:
128  FlagsArgIndex = 1;
129  VariantName = "open";
130  break;
131  case OpenVariant::OpenAt:
132  FlagsArgIndex = 2;
133  VariantName = "openat";
134  break;
135  };
136 
137  // All calls should at least provide arguments up to the 'flags' parameter.
138  unsigned int MinArgCount = FlagsArgIndex + 1;
139 
140  // If the flags has O_CREAT set then open/openat() require an additional
141  // argument specifying the file mode (permission bits) for the created file.
142  unsigned int CreateModeArgIndex = FlagsArgIndex + 1;
143 
144  // The create mode argument should be the last argument.
145  unsigned int MaxArgCount = CreateModeArgIndex + 1;
146 
148 
149  if (CE->getNumArgs() < MinArgCount) {
150  // The frontend should issue a warning for this case, so this is a sanity
151  // check.
152  return;
153  } else if (CE->getNumArgs() == MaxArgCount) {
154  const Expr *Arg = CE->getArg(CreateModeArgIndex);
155  QualType QT = Arg->getType();
156  if (!QT->isIntegerType()) {
157  SmallString<256> SBuf;
158  llvm::raw_svector_ostream OS(SBuf);
159  OS << "The " << CreateModeArgIndex + 1
160  << llvm::getOrdinalSuffix(CreateModeArgIndex + 1)
161  << " argument to '" << VariantName << "' is not an integer";
162 
163  ReportOpenBug(C, state,
164  SBuf.c_str(),
165  Arg->getSourceRange());
166  return;
167  }
168  } else if (CE->getNumArgs() > MaxArgCount) {
169  SmallString<256> SBuf;
170  llvm::raw_svector_ostream OS(SBuf);
171  OS << "Call to '" << VariantName << "' with more than " << MaxArgCount
172  << " arguments";
173 
174  ReportOpenBug(C, state,
175  SBuf.c_str(),
176  CE->getArg(MaxArgCount)->getSourceRange());
177  return;
178  }
179 
180  // The definition of O_CREAT is platform specific. We need a better way
181  // of querying this information from the checking environment.
182  if (!Val_O_CREAT.hasValue()) {
183  if (C.getASTContext().getTargetInfo().getTriple().getVendor()
184  == llvm::Triple::Apple)
185  Val_O_CREAT = 0x0200;
186  else {
187  // FIXME: We need a more general way of getting the O_CREAT value.
188  // We could possibly grovel through the preprocessor state, but
189  // that would require passing the Preprocessor object to the ExprEngine.
190  // See also: MallocChecker.cpp / M_ZERO.
191  return;
192  }
193  }
194 
195  // Now check if oflags has O_CREAT set.
196  const Expr *oflagsEx = CE->getArg(FlagsArgIndex);
197  const SVal V = state->getSVal(oflagsEx, C.getLocationContext());
198  if (!V.getAs<NonLoc>()) {
199  // The case where 'V' can be a location can only be due to a bad header,
200  // so in this case bail out.
201  return;
202  }
203  NonLoc oflags = V.castAs<NonLoc>();
204  NonLoc ocreateFlag = C.getSValBuilder()
205  .makeIntVal(Val_O_CREAT.getValue(), oflagsEx->getType()).castAs<NonLoc>();
206  SVal maskedFlagsUC = C.getSValBuilder().evalBinOpNN(state, BO_And,
207  oflags, ocreateFlag,
208  oflagsEx->getType());
209  if (maskedFlagsUC.isUnknownOrUndef())
210  return;
211  DefinedSVal maskedFlags = maskedFlagsUC.castAs<DefinedSVal>();
212 
213  // Check if maskedFlags is non-zero.
214  ProgramStateRef trueState, falseState;
215  std::tie(trueState, falseState) = state->assume(maskedFlags);
216 
217  // Only emit an error if the value of 'maskedFlags' is properly
218  // constrained;
219  if (!(trueState && !falseState))
220  return;
221 
222  if (CE->getNumArgs() < MaxArgCount) {
223  SmallString<256> SBuf;
224  llvm::raw_svector_ostream OS(SBuf);
225  OS << "Call to '" << VariantName << "' requires a "
226  << CreateModeArgIndex + 1
227  << llvm::getOrdinalSuffix(CreateModeArgIndex + 1)
228  << " argument when the 'O_CREAT' flag is set";
229  ReportOpenBug(C, trueState,
230  SBuf.c_str(),
231  oflagsEx->getSourceRange());
232  }
233 }
234 
235 //===----------------------------------------------------------------------===//
236 // pthread_once
237 //===----------------------------------------------------------------------===//
238 
239 void UnixAPIChecker::CheckPthreadOnce(CheckerContext &C,
240  const CallExpr *CE) const {
241 
242  // This is similar to 'CheckDispatchOnce' in the MacOSXAPIChecker.
243  // They can possibly be refactored.
244 
245  if (CE->getNumArgs() < 1)
246  return;
247 
248  // Check if the first argument is stack allocated. If so, issue a warning
249  // because that's likely to be bad news.
251  const MemRegion *R =
252  state->getSVal(CE->getArg(0), C.getLocationContext()).getAsRegion();
253  if (!R || !isa<StackSpaceRegion>(R->getMemorySpace()))
254  return;
255 
256  ExplodedNode *N = C.generateErrorNode(state);
257  if (!N)
258  return;
259 
261  llvm::raw_svector_ostream os(S);
262  os << "Call to 'pthread_once' uses";
263  if (const VarRegion *VR = dyn_cast<VarRegion>(R))
264  os << " the local variable '" << VR->getDecl()->getName() << '\'';
265  else
266  os << " stack allocated memory";
267  os << " for the \"control\" value. Using such transient memory for "
268  "the control value is potentially dangerous.";
269  if (isa<VarRegion>(R) && isa<StackLocalsSpaceRegion>(R->getMemorySpace()))
270  os << " Perhaps you intended to declare the variable as 'static'?";
271 
272  LazyInitialize(BT_pthreadOnce, "Improper use of 'pthread_once'");
273 
274  auto report = llvm::make_unique<BugReport>(*BT_pthreadOnce, os.str(), N);
275  report->addRange(CE->getArg(0)->getSourceRange());
276  C.emitReport(std::move(report));
277 }
278 
279 //===----------------------------------------------------------------------===//
280 // "calloc", "malloc", "realloc", "reallocf", "alloca" and "valloc"
281 // with allocation size 0
282 //===----------------------------------------------------------------------===//
283 // FIXME: Eventually these should be rolled into the MallocChecker, but right now
284 // they're more basic and valuable for widespread use.
285 
286 // Returns true if we try to do a zero byte allocation, false otherwise.
287 // Fills in trueState and falseState.
289  const SVal argVal,
290  ProgramStateRef *trueState,
291  ProgramStateRef *falseState) {
292  std::tie(*trueState, *falseState) =
293  state->assume(argVal.castAs<DefinedSVal>());
294 
295  return (*falseState && !*trueState);
296 }
297 
298 // Generates an error report, indicating that the function whose name is given
299 // will perform a zero byte allocation.
300 // Returns false if an error occurred, true otherwise.
301 bool UnixAPIChecker::ReportZeroByteAllocation(CheckerContext &C,
302  ProgramStateRef falseState,
303  const Expr *arg,
304  const char *fn_name) const {
305  ExplodedNode *N = C.generateErrorNode(falseState);
306  if (!N)
307  return false;
308 
309  LazyInitialize(BT_mallocZero,
310  "Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)");
311 
313  llvm::raw_svector_ostream os(S);
314  os << "Call to '" << fn_name << "' has an allocation size of 0 bytes";
315  auto report = llvm::make_unique<BugReport>(*BT_mallocZero, os.str(), N);
316 
317  report->addRange(arg->getSourceRange());
318  bugreporter::trackNullOrUndefValue(N, arg, *report);
319  C.emitReport(std::move(report));
320 
321  return true;
322 }
323 
324 // Does a basic check for 0-sized allocations suitable for most of the below
325 // functions (modulo "calloc")
326 void UnixAPIChecker::BasicAllocationCheck(CheckerContext &C,
327  const CallExpr *CE,
328  const unsigned numArgs,
329  const unsigned sizeArg,
330  const char *fn) const {
331  // Sanity check for the correct number of arguments
332  if (CE->getNumArgs() != numArgs)
333  return;
334 
335  // Check if the allocation size is 0.
337  ProgramStateRef trueState = nullptr, falseState = nullptr;
338  const Expr *arg = CE->getArg(sizeArg);
339  SVal argVal = state->getSVal(arg, C.getLocationContext());
340 
341  if (argVal.isUnknownOrUndef())
342  return;
343 
344  // Is the value perfectly constrained to zero?
345  if (IsZeroByteAllocation(state, argVal, &trueState, &falseState)) {
346  (void) ReportZeroByteAllocation(C, falseState, arg, fn);
347  return;
348  }
349  // Assume the value is non-zero going forward.
350  assert(trueState);
351  if (trueState != state)
352  C.addTransition(trueState);
353 }
354 
355 void UnixAPIChecker::CheckCallocZero(CheckerContext &C,
356  const CallExpr *CE) const {
357  unsigned int nArgs = CE->getNumArgs();
358  if (nArgs != 2)
359  return;
360 
362  ProgramStateRef trueState = nullptr, falseState = nullptr;
363 
364  unsigned int i;
365  for (i = 0; i < nArgs; i++) {
366  const Expr *arg = CE->getArg(i);
367  SVal argVal = state->getSVal(arg, C.getLocationContext());
368  if (argVal.isUnknownOrUndef()) {
369  if (i == 0)
370  continue;
371  else
372  return;
373  }
374 
375  if (IsZeroByteAllocation(state, argVal, &trueState, &falseState)) {
376  if (ReportZeroByteAllocation(C, falseState, arg, "calloc"))
377  return;
378  else if (i == 0)
379  continue;
380  else
381  return;
382  }
383  }
384 
385  // Assume the value is non-zero going forward.
386  assert(trueState);
387  if (trueState != state)
388  C.addTransition(trueState);
389 }
390 
391 void UnixAPIChecker::CheckMallocZero(CheckerContext &C,
392  const CallExpr *CE) const {
393  BasicAllocationCheck(C, CE, 1, 0, "malloc");
394 }
395 
396 void UnixAPIChecker::CheckReallocZero(CheckerContext &C,
397  const CallExpr *CE) const {
398  BasicAllocationCheck(C, CE, 2, 1, "realloc");
399 }
400 
401 void UnixAPIChecker::CheckReallocfZero(CheckerContext &C,
402  const CallExpr *CE) const {
403  BasicAllocationCheck(C, CE, 2, 1, "reallocf");
404 }
405 
406 void UnixAPIChecker::CheckAllocaZero(CheckerContext &C,
407  const CallExpr *CE) const {
408  BasicAllocationCheck(C, CE, 1, 0, "alloca");
409 }
410 
411 void UnixAPIChecker::CheckAllocaWithAlignZero(CheckerContext &C,
412  const CallExpr *CE) const {
413  BasicAllocationCheck(C, CE, 2, 0, "__builtin_alloca_with_align");
414 }
415 
416 void UnixAPIChecker::CheckVallocZero(CheckerContext &C,
417  const CallExpr *CE) const {
418  BasicAllocationCheck(C, CE, 1, 0, "valloc");
419 }
420 
421 
422 //===----------------------------------------------------------------------===//
423 // Central dispatch function.
424 //===----------------------------------------------------------------------===//
425 
426 void UnixAPIChecker::checkPreStmt(const CallExpr *CE,
427  CheckerContext &C) const {
428  const FunctionDecl *FD = C.getCalleeDecl(CE);
429  if (!FD || FD->getKind() != Decl::Function)
430  return;
431 
432  // Don't treat functions in namespaces with the same name a Unix function
433  // as a call to the Unix function.
434  const DeclContext *NamespaceCtx = FD->getEnclosingNamespaceContext();
435  if (NamespaceCtx && isa<NamespaceDecl>(NamespaceCtx))
436  return;
437 
438  StringRef FName = C.getCalleeName(FD);
439  if (FName.empty())
440  return;
441 
442  if (CheckMisuse) {
443  if (SubChecker SC =
444  llvm::StringSwitch<SubChecker>(FName)
445  .Case("open", &UnixAPIChecker::CheckOpen)
446  .Case("openat", &UnixAPIChecker::CheckOpenAt)
447  .Case("pthread_once", &UnixAPIChecker::CheckPthreadOnce)
448  .Default(nullptr)) {
449  (this->*SC)(C, CE);
450  }
451  }
452  if (CheckPortability) {
453  if (SubChecker SC =
454  llvm::StringSwitch<SubChecker>(FName)
455  .Case("calloc", &UnixAPIChecker::CheckCallocZero)
456  .Case("malloc", &UnixAPIChecker::CheckMallocZero)
457  .Case("realloc", &UnixAPIChecker::CheckReallocZero)
458  .Case("reallocf", &UnixAPIChecker::CheckReallocfZero)
459  .Cases("alloca", "__builtin_alloca",
460  &UnixAPIChecker::CheckAllocaZero)
461  .Case("__builtin_alloca_with_align",
462  &UnixAPIChecker::CheckAllocaWithAlignZero)
463  .Case("valloc", &UnixAPIChecker::CheckVallocZero)
464  .Default(nullptr)) {
465  (this->*SC)(C, CE);
466  }
467  }
468 }
469 
470 //===----------------------------------------------------------------------===//
471 // Registration.
472 //===----------------------------------------------------------------------===//
473 
474 #define REGISTER_CHECKER(Name) \
475  void ento::registerUnixAPI##Name##Checker(CheckerManager &mgr) { \
476  mgr.registerChecker<UnixAPIChecker>()->Check##Name = true; \
477  }
478 
479 REGISTER_CHECKER(Misuse)
480 REGISTER_CHECKER(Portability)
FunctionDecl - An instance of this class is created to represent a function declaration or definition...
Definition: Decl.h:1698
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:254
A (possibly-)qualified type.
Definition: Type.h:653
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:79
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2278
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2266
A helper class which wraps a boolean value set to false by default.
Definition: Checker.h:551
const llvm::Triple & getTriple() const
Returns the target triple of the primary target.
Definition: TargetInfo.h:783
ExplodedNode * addTransition(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generates a new transition in the program state graph (ExplodedGraph).
const TargetInfo & getTargetInfo() const
Definition: ASTContext.h:645
const FunctionDecl * getCalleeDecl(const CallExpr *CE) const
Get the declaration of the called function (path-sensitive).
StringRef getCalleeName(const FunctionDecl *FunDecl) const
Get the name of the called function (path-sensitive).
LineState State
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
DeclContext * getEnclosingNamespaceContext()
Retrieve the nearest enclosing namespace context.
Definition: DeclBase.cpp:1656
const MemSpaceRegion * getMemorySpace() const
Definition: MemRegion.cpp:1059
Expr - This represents one expression.
Definition: Expr.h:106
static bool IsZeroByteAllocation(ProgramStateRef state, const SVal argVal, ProgramStateRef *trueState, ProgramStateRef *falseState)
QualType getType() const
Definition: Expr.h:128
Optional< T > getAs() const
Convert to the specified SVal type, returning None if this SVal is not of the desired type...
Definition: SVals.h:100
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value...
Definition: SVals.h:63
virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, NonLoc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two non- location operands.
Dataflow Directional Tag Classes.
DeclContext - This is used only as base class of specific decl types that can act as declaration cont...
Definition: DeclBase.h:1252
Kind getKind() const
Definition: DeclBase.h:419
The standard open() call: int open(const char *path, int oflag, ...);.
The variant taking a directory file descriptor and a relative path: int openat(int fd...
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:92
bool isIntegerType() const
isIntegerType() does not include complex integers (a GCC extension).
Definition: Type.h:6201
const ProgramStateRef & getState() const
bool trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S, BugReport &R, bool IsArg=false, bool EnableNullFPSuppression=true)
Attempts to add visitors to trace a null or undefined value back to its point of origin, whether it is a symbol constrained to null or an explicit assignment.
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:265
SValBuilder & getSValBuilder()
Defines the clang::TargetInfo interface.
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2209
#define REGISTER_CHECKER(Name)
OpenVariant
A trivial tuple used to represent a source range.
const LocationContext * getLocationContext() const
bool isUnknownOrUndef() const
Definition: SVals.h:133