clang  15.0.0git
ArrayBoundChecker.cpp
Go to the documentation of this file.
1 //== ArrayBoundChecker.cpp ------------------------------*- C++ -*--==//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines ArrayBoundChecker, which is a path-sensitive check
10 // which looks for an out-of-bound array element access.
11 //
12 //===----------------------------------------------------------------------===//
13 
21 
22 using namespace clang;
23 using namespace ento;
24 
25 namespace {
26 class ArrayBoundChecker :
27  public Checker<check::Location> {
28  mutable std::unique_ptr<BuiltinBug> BT;
29 
30 public:
31  void checkLocation(SVal l, bool isLoad, const Stmt* S,
32  CheckerContext &C) const;
33 };
34 }
35 
36 void ArrayBoundChecker::checkLocation(SVal l, bool isLoad, const Stmt* LoadS,
37  CheckerContext &C) const {
38  // Check for out of bound array element access.
39  const MemRegion *R = l.getAsRegion();
40  if (!R)
41  return;
42 
43  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
44  if (!ER)
45  return;
46 
47  // Get the index of the accessed element.
48  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
49 
50  // Zero index is always in bound, this also passes ElementRegions created for
51  // pointer casts.
52  if (Idx.isZeroConstant())
53  return;
54 
55  ProgramStateRef state = C.getState();
56 
57  // Get the size of the array.
58  DefinedOrUnknownSVal ElementCount = getDynamicElementCount(
59  state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());
60 
61  ProgramStateRef StInBound, StOutBound;
62  std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, ElementCount);
63  if (StOutBound && !StInBound) {
64  ExplodedNode *N = C.generateErrorNode(StOutBound);
65  if (!N)
66  return;
67 
68  if (!BT)
69  BT.reset(new BuiltinBug(
70  this, "Out-of-bound array access",
71  "Access out-of-bound array element (buffer overflow)"));
72 
73  // FIXME: It would be nice to eventually make this diagnostic more clear,
74  // e.g., by referencing the original declaration or by saying *why* this
75  // reference is outside the range.
76 
77  // Generate a report for this bug.
78  auto report =
79  std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(), N);
80 
81  report->addRange(LoadS->getSourceRange());
82  C.emitReport(std::move(report));
83  return;
84  }
85 
86  // Array bound check succeeded. From this point forward the array bound
87  // should always succeed.
88  C.addTransition(StInBound);
89 }
90 
91 void ento::registerArrayBoundChecker(CheckerManager &mgr) {
92  mgr.registerChecker<ArrayBoundChecker>();
93 }
94 
95 bool ento::shouldRegisterArrayBoundChecker(const CheckerManager &mgr) {
96  return true;
97 }
DynamicExtent.h
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:324
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:55
BuiltinCheckerRegistration.h
CheckerManager.h
clang::ento::getDynamicElementCount
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB, QualType Ty)
state
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial state
Definition: README.txt:30
BugType.h
CheckerContext.h
Checker.h
ExprEngine.h
clang
Definition: CalledOnceCheck.h:17
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:70