clang 20.0.0git
ArrayBoundChecker.cpp
Go to the documentation of this file.
1//== ArrayBoundChecker.cpp ------------------------------*- C++ -*--==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines ArrayBoundChecker, which is a path-sensitive check
10// which looks for an out-of-bound array element access.
11//
12//===----------------------------------------------------------------------===//
13
21
22using namespace clang;
23using namespace ento;
24
25namespace {
26class ArrayBoundChecker :
27 public Checker<check::Location> {
28 const BugType BT{this, "Out-of-bound array access"};
29
30public:
31 void checkLocation(SVal l, bool isLoad, const Stmt* S,
32 CheckerContext &C) const;
33};
34}
35
36void ArrayBoundChecker::checkLocation(SVal l, bool isLoad, const Stmt* LoadS,
37 CheckerContext &C) const {
38 // Check for out of bound array element access.
39 const MemRegion *R = l.getAsRegion();
40 if (!R)
41 return;
42
43 const ElementRegion *ER = dyn_cast<ElementRegion>(R);
44 if (!ER)
45 return;
46
47 // Get the index of the accessed element.
49
50 // Zero index is always in bound, this also passes ElementRegions created for
51 // pointer casts.
52 if (Idx.isZeroConstant())
53 return;
54
55 ProgramStateRef state = C.getState();
56
57 // Get the size of the array.
59 state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());
60
61 ProgramStateRef StInBound, StOutBound;
62 std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, ElementCount);
63 if (StOutBound && !StInBound) {
64 ExplodedNode *N = C.generateErrorNode(StOutBound);
65 if (!N)
66 return;
67
68 // FIXME: It would be nice to eventually make this diagnostic more clear,
69 // e.g., by referencing the original declaration or by saying *why* this
70 // reference is outside the range.
71
72 // Generate a report for this bug.
73 auto report = std::make_unique<PathSensitiveBugReport>(
74 BT, "Access out-of-bound array element (buffer overflow)", N);
75
76 report->addRange(LoadS->getSourceRange());
77 C.emitReport(std::move(report));
78 return;
79 }
80
81 // Array bound check succeeded. From this point forward the array bound
82 // should always succeed.
83 C.addTransition(StInBound);
84}
85
86void ento::registerArrayBoundChecker(CheckerManager &mgr) {
87 mgr.registerChecker<ArrayBoundChecker>();
88}
89
90bool ento::shouldRegisterArrayBoundChecker(const CheckerManager &mgr) {
91 return true;
92}
Stmt - This represents one statement.
Definition: Stmt.h:84
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:326
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
ElementRegion is used to represent both array elements and casts.
Definition: MemRegion.h:1199
QualType getValueType() const override
Definition: MemRegion.h:1221
NonLoc getIndex() const
Definition: MemRegion.h:1219
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:97
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
bool isZeroConstant() const
Definition: SVals.cpp:258
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:82
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getSuperRegion() const
Definition: MemRegion.h:459
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB, QualType Ty)
The JSON file list parser is used to communicate input to InstallAPI.