clang  9.0.0svn
ArrayBoundCheckerV2.cpp
Go to the documentation of this file.
1 //== ArrayBoundCheckerV2.cpp ------------------------------------*- C++ -*--==//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines ArrayBoundCheckerV2, which is a path-sensitive check
10 // which looks for an out-of-bound array element access.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "Taint.h"
15 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16 #include "clang/AST/CharUnits.h"
17 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18 #include "clang/StaticAnalyzer/Core/Checker.h"
19 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
22 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
23 #include "llvm/ADT/SmallString.h"
24 #include "llvm/Support/raw_ostream.h"
25 
26 using namespace clang;
27 using namespace ento;
28 using namespace taint;
29 
30 namespace {
31 class ArrayBoundCheckerV2 :
32  public Checker<check::Location> {
33  mutable std::unique_ptr<BuiltinBug> BT;
34 
35  enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted };
36 
37  void reportOOB(CheckerContext &C, ProgramStateRef errorState, OOB_Kind kind,
38  std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const;
39 
40 public:
41  void checkLocation(SVal l, bool isLoad, const Stmt*S,
42  CheckerContext &C) const;
43 };
44 
45 // FIXME: Eventually replace RegionRawOffset with this class.
46 class RegionRawOffsetV2 {
47 private:
48  const SubRegion *baseRegion;
49  SVal byteOffset;
50 
51  RegionRawOffsetV2()
52  : baseRegion(nullptr), byteOffset(UnknownVal()) {}
53 
54 public:
55  RegionRawOffsetV2(const SubRegion* base, SVal offset)
56  : baseRegion(base), byteOffset(offset) {}
57 
58  NonLoc getByteOffset() const { return byteOffset.castAs<NonLoc>(); }
59  const SubRegion *getRegion() const { return baseRegion; }
60 
61  static RegionRawOffsetV2 computeOffset(ProgramStateRef state,
62  SValBuilder &svalBuilder,
63  SVal location);
64 
65  void dump() const;
66  void dumpToStream(raw_ostream &os) const;
67 };
68 }
69 
70 static SVal computeExtentBegin(SValBuilder &svalBuilder,
71  const MemRegion *region) {
72  const MemSpaceRegion *SR = region->getMemorySpace();
73  if (SR->getKind() == MemRegion::UnknownSpaceRegionKind)
74  return UnknownVal();
75  else
76  return svalBuilder.makeZeroArrayIndex();
77 }
78 
79 // TODO: once the constraint manager is smart enough to handle non simplified
80 // symbolic expressions remove this function. Note that this can not be used in
81 // the constraint manager as is, since this does not handle overflows. It is
82 // safe to assume, however, that memory offsets will not overflow.
83 static std::pair<NonLoc, nonloc::ConcreteInt>
84 getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent,
85  SValBuilder &svalBuilder) {
86  Optional<nonloc::SymbolVal> SymVal = offset.getAs<nonloc::SymbolVal>();
87  if (SymVal && SymVal->isExpression()) {
88  if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SymVal->getSymbol())) {
89  llvm::APSInt constant =
90  APSIntType(extent.getValue()).convert(SIE->getRHS());
91  switch (SIE->getOpcode()) {
92  case BO_Mul:
93  // The constant should never be 0 here, since it the result of scaling
94  // based on the size of a type which is never 0.
95  if ((extent.getValue() % constant) != 0)
96  return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent);
97  else
98  return getSimplifiedOffsets(
99  nonloc::SymbolVal(SIE->getLHS()),
100  svalBuilder.makeIntVal(extent.getValue() / constant),
101  svalBuilder);
102  case BO_Add:
103  return getSimplifiedOffsets(
104  nonloc::SymbolVal(SIE->getLHS()),
105  svalBuilder.makeIntVal(extent.getValue() - constant), svalBuilder);
106  default:
107  break;
108  }
109  }
110  }
111 
112  return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent);
113 }
114 
115 void ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad,
116  const Stmt* LoadS,
117  CheckerContext &checkerContext) const {
118 
119  // NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping
120  // some new logic here that reasons directly about memory region extents.
121  // Once that logic is more mature, we can bring it back to assumeInBound()
122  // for all clients to use.
123  //
124  // The algorithm we are using here for bounds checking is to see if the
125  // memory access is within the extent of the base region. Since we
126  // have some flexibility in defining the base region, we can achieve
127  // various levels of conservatism in our buffer overflow checking.
128  ProgramStateRef state = checkerContext.getState();
129 
130  SValBuilder &svalBuilder = checkerContext.getSValBuilder();
131  const RegionRawOffsetV2 &rawOffset =
132  RegionRawOffsetV2::computeOffset(state, svalBuilder, location);
133 
134  if (!rawOffset.getRegion())
135  return;
136 
137  NonLoc rawOffsetVal = rawOffset.getByteOffset();
138 
139  // CHECK LOWER BOUND: Is byteOffset < extent begin?
140  // If so, we are doing a load/store
141  // before the first valid offset in the memory region.
142 
143  SVal extentBegin = computeExtentBegin(svalBuilder, rawOffset.getRegion());
144 
145  if (Optional<NonLoc> NV = extentBegin.getAs<NonLoc>()) {
146  if (NV->getAs<nonloc::ConcreteInt>()) {
147  std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets =
148  getSimplifiedOffsets(rawOffset.getByteOffset(),
149  NV->castAs<nonloc::ConcreteInt>(),
150  svalBuilder);
151  rawOffsetVal = simplifiedOffsets.first;
152  *NV = simplifiedOffsets.second;
153  }
154 
155  SVal lowerBound = svalBuilder.evalBinOpNN(state, BO_LT, rawOffsetVal, *NV,
156  svalBuilder.getConditionType());
157 
158  Optional<NonLoc> lowerBoundToCheck = lowerBound.getAs<NonLoc>();
159  if (!lowerBoundToCheck)
160  return;
161 
162  ProgramStateRef state_precedesLowerBound, state_withinLowerBound;
163  std::tie(state_precedesLowerBound, state_withinLowerBound) =
164  state->assume(*lowerBoundToCheck);
165 
166  // Are we constrained enough to definitely precede the lower bound?
167  if (state_precedesLowerBound && !state_withinLowerBound) {
168  reportOOB(checkerContext, state_precedesLowerBound, OOB_Precedes);
169  return;
170  }
171 
172  // Otherwise, assume the constraint of the lower bound.
173  assert(state_withinLowerBound);
174  state = state_withinLowerBound;
175  }
176 
177  do {
178  // CHECK UPPER BOUND: Is byteOffset >= extent(baseRegion)? If so,
179  // we are doing a load/store after the last valid offset.
180  DefinedOrUnknownSVal extentVal =
181  rawOffset.getRegion()->getExtent(svalBuilder);
182  if (!extentVal.getAs<NonLoc>())
183  break;
184 
185  if (extentVal.getAs<nonloc::ConcreteInt>()) {
186  std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets =
187  getSimplifiedOffsets(rawOffset.getByteOffset(),
188  extentVal.castAs<nonloc::ConcreteInt>(),
189  svalBuilder);
190  rawOffsetVal = simplifiedOffsets.first;
191  extentVal = simplifiedOffsets.second;
192  }
193 
194  SVal upperbound = svalBuilder.evalBinOpNN(state, BO_GE, rawOffsetVal,
195  extentVal.castAs<NonLoc>(),
196  svalBuilder.getConditionType());
197 
198  Optional<NonLoc> upperboundToCheck = upperbound.getAs<NonLoc>();
199  if (!upperboundToCheck)
200  break;
201 
202  ProgramStateRef state_exceedsUpperBound, state_withinUpperBound;
203  std::tie(state_exceedsUpperBound, state_withinUpperBound) =
204  state->assume(*upperboundToCheck);
205 
206  // If we are under constrained and the index variables are tainted, report.
207  if (state_exceedsUpperBound && state_withinUpperBound) {
208  SVal ByteOffset = rawOffset.getByteOffset();
209  if (isTainted(state, ByteOffset)) {
210  reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted,
211  llvm::make_unique<TaintBugVisitor>(ByteOffset));
212  return;
213  }
214  } else if (state_exceedsUpperBound) {
215  // If we are constrained enough to definitely exceed the upper bound,
216  // report.
217  assert(!state_withinUpperBound);
218  reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes);
219  return;
220  }
221 
222  assert(state_withinUpperBound);
223  state = state_withinUpperBound;
224  }
225  while (false);
226 
227  checkerContext.addTransition(state);
228 }
229 
230 void ArrayBoundCheckerV2::reportOOB(
231  CheckerContext &checkerContext, ProgramStateRef errorState, OOB_Kind kind,
232  std::unique_ptr<BugReporterVisitor> Visitor) const {
233 
234  ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState);
235  if (!errorNode)
236  return;
237 
238  if (!BT)
239  BT.reset(new BuiltinBug(this, "Out-of-bound access"));
240 
241  // FIXME: This diagnostics are preliminary. We should get far better
242  // diagnostics for explaining buffer overruns.
243 
244  SmallString<256> buf;
245  llvm::raw_svector_ostream os(buf);
246  os << "Out of bound memory access ";
247  switch (kind) {
248  case OOB_Precedes:
249  os << "(accessed memory precedes memory block)";
250  break;
251  case OOB_Excedes:
252  os << "(access exceeds upper limit of memory block)";
253  break;
254  case OOB_Tainted:
255  os << "(index is tainted)";
256  break;
257  }
258 
259  auto BR = llvm::make_unique<BugReport>(*BT, os.str(), errorNode);
260  BR->addVisitor(std::move(Visitor));
261  checkerContext.emitReport(std::move(BR));
262 }
263 
264 #ifndef NDEBUG
265 LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const {
266  dumpToStream(llvm::errs());
267 }
268 
269 void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const {
270  os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}';
271 }
272 #endif
273 
274 // Lazily computes a value to be used by 'computeOffset'. If 'val'
275 // is unknown or undefined, we lazily substitute '0'. Otherwise,
276 // return 'val'.
277 static inline SVal getValue(SVal val, SValBuilder &svalBuilder) {
278  return val.getAs<UndefinedVal>() ? svalBuilder.makeArrayIndex(0) : val;
279 }
280 
281 // Scale a base value by a scaling factor, and return the scaled
282 // value as an SVal. Used by 'computeOffset'.
283 static inline SVal scaleValue(ProgramStateRef state,
284  NonLoc baseVal, CharUnits scaling,
285  SValBuilder &sb) {
286  return sb.evalBinOpNN(state, BO_Mul, baseVal,
287  sb.makeArrayIndex(scaling.getQuantity()),
288  sb.getArrayIndexType());
289 }
290 
291 // Add an SVal to another, treating unknown and undefined values as
292 // summing to UnknownVal. Used by 'computeOffset'.
293 static SVal addValue(ProgramStateRef state, SVal x, SVal y,
294  SValBuilder &svalBuilder) {
295  // We treat UnknownVals and UndefinedVals the same here because we
296  // only care about computing offsets.
297  if (x.isUnknownOrUndef() || y.isUnknownOrUndef())
298  return UnknownVal();
299 
300  return svalBuilder.evalBinOpNN(state, BO_Add, x.castAs<NonLoc>(),
301  y.castAs<NonLoc>(),
302  svalBuilder.getArrayIndexType());
303 }
304 
305 /// Compute a raw byte offset from a base region. Used for array bounds
306 /// checking.
307 RegionRawOffsetV2 RegionRawOffsetV2::computeOffset(ProgramStateRef state,
308  SValBuilder &svalBuilder,
309  SVal location)
310 {
311  const MemRegion *region = location.getAsRegion();
312  SVal offset = UndefinedVal();
313 
314  while (region) {
315  switch (region->getKind()) {
316  default: {
317  if (const SubRegion *subReg = dyn_cast<SubRegion>(region)) {
318  offset = getValue(offset, svalBuilder);
319  if (!offset.isUnknownOrUndef())
320  return RegionRawOffsetV2(subReg, offset);
321  }
322  return RegionRawOffsetV2();
323  }
324  case MemRegion::ElementRegionKind: {
325  const ElementRegion *elemReg = cast<ElementRegion>(region);
326  SVal index = elemReg->getIndex();
327  if (!index.getAs<NonLoc>())
328  return RegionRawOffsetV2();
329  QualType elemType = elemReg->getElementType();
330  // If the element is an incomplete type, go no further.
331  ASTContext &astContext = svalBuilder.getContext();
332  if (elemType->isIncompleteType())
333  return RegionRawOffsetV2();
334 
335  // Update the offset.
336  offset = addValue(state,
337  getValue(offset, svalBuilder),
338  scaleValue(state,
339  index.castAs<NonLoc>(),
340  astContext.getTypeSizeInChars(elemType),
341  svalBuilder),
342  svalBuilder);
343 
344  if (offset.isUnknownOrUndef())
345  return RegionRawOffsetV2();
346 
347  region = elemReg->getSuperRegion();
348  continue;
349  }
350  }
351  }
352  return RegionRawOffsetV2();
353 }
354 
355 void ento::registerArrayBoundCheckerV2(CheckerManager &mgr) {
356  mgr.registerChecker<ArrayBoundCheckerV2>();
357 }
358 
359 bool ento::shouldRegisterArrayBoundCheckerV2(const LangOptions &LO) {
360  return true;
361 }
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:639
addValue
static SVal addValue(ProgramStateRef state, SVal x, SVal y, SValBuilder &svalBuilder)
Definition: ArrayBoundCheckerV2.cpp:293
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:65
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:154
clang::LangOptions
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:49
clang::CodeGen::state
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
Definition: CGOpenMPRuntime.h:764
clang::CharUnits
CharUnits - This is an opaque type for sizes expressed in character units.
Definition: CharUnits.h:37
dump
static void dump(llvm::raw_ostream &OS, StringRef FunctionName, ArrayRef< CounterExpression > Expressions, ArrayRef< CounterMappingRegion > Regions)
Definition: CoverageMappingGen.cpp:1290
computeExtentBegin
static SVal computeExtentBegin(SValBuilder &svalBuilder, const MemRegion *region)
Definition: ArrayBoundCheckerV2.cpp:70
clang::CharUnits::getQuantity
QuantityType getQuantity() const
getQuantity - Get the raw integer representation of this quantity.
Definition: CharUnits.h:178
getValue
static SVal getValue(SVal val, SValBuilder &svalBuilder)
Definition: ArrayBoundCheckerV2.cpp:277
clang::ento::taint::isTainted
bool isTainted(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Check if the statement has a tainted value in the given state.
scaleValue
static SVal scaleValue(ProgramStateRef state, NonLoc baseVal, CharUnits scaling, SValBuilder &sb)
Definition: ArrayBoundCheckerV2.cpp:283
clang
Dataflow Directional Tag Classes.
Definition: CFGReachabilityAnalysis.h:21
clang::Type::isIncompleteType
bool isIncompleteType(NamedDecl **Def=nullptr) const
Types are partitioned into 3 broad categories (C99 6.2.5p1): object types, function types...
Definition: Type.cpp:2062
clang::diag::kind
unsigned kind
All of the diagnostics that can be emitted by the frontend.
Definition: DiagnosticIDs.h:60
getSimplifiedOffsets
static std::pair< NonLoc, nonloc::ConcreteInt > getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent, SValBuilder &svalBuilder)
Definition: ArrayBoundCheckerV2.cpp:84
clang::ASTContext::getTypeSizeInChars
CharUnits getTypeSizeInChars(QualType T) const
Return the size of the specified (complete) type T, in characters.
Definition: ASTContext.cpp:2163
Generated on Wed May 22 2019 00:54:12 for clang by   doxygen 1.8.13