doxygen/ObjCContainersChecker_8cpp_source.html

//== ObjCContainersChecker.cpp - Path sensitive checker for CFArray *- C++ -*=//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// Performs path sensitive checks of Core Foundation static containers like

// CFArray.

// 1) Check for buffer overflows:

//      In CFArrayGetArrayAtIndex( myArray, index), if the index is outside the

//      index space of theArray (0 to N-1 inclusive (where N is the count of

//      theArray), the behavior is undefined.

//

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/AST/ParentMap.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"


using namespace clang;

using namespace ento;


namespace {

class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>,

                                             check::PostStmt<CallExpr>,

                                             check::PointerEscape> {

  mutable std::unique_ptr<BugType> BT;

  inline void initBugType() const {

    if (!BT)

      BT.reset(new BugType(this, "CFArray API",

                           categories::CoreFoundationObjectiveC));

  }


  inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const {

    SVal ArrayRef = C.getSVal(E);

    SymbolRef ArraySym = ArrayRef.getAsSymbol();

    return ArraySym;

  }


  void addSizeInfo(const Expr *Array, const Expr *Size,

                   CheckerContext &C) const;


public:

  void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;

  void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;

  ProgramStateRef checkPointerEscape(ProgramStateRef State,

                                     const InvalidatedSymbols &Escaped,

                                     const CallEvent *Call,

                                     PointerEscapeKind Kind) const;


  void printState(raw_ostream &OS, ProgramStateRef State,

                  const char *NL, const char *Sep) const override;

};

} // end anonymous namespace


// ProgramState trait - a map from array symbol to its state.

REGISTER_MAP_WITH_PROGRAMSTATE(ArraySizeMap, SymbolRef, DefinedSVal)


void ObjCContainersChecker::addSizeInfo(const Expr *Array, const Expr *Size,

                                        CheckerContext &C) const {

  ProgramStateRef State = C.getState();

  SVal SizeV = C.getSVal(Size);

  // Undefined is reported by another checker.

  if (SizeV.isUnknownOrUndef())

    return;


  // Get the ArrayRef symbol.

  SVal ArrayRef = C.getSVal(Array);

  SymbolRef ArraySym = ArrayRef.getAsSymbol();

  if (!ArraySym)

    return;


  C.addTransition(

      State->set<ArraySizeMap>(ArraySym, SizeV.castAs<DefinedSVal>()));

}


void ObjCContainersChecker::checkPostStmt(const CallExpr *CE,

                                          CheckerContext &C) const {

  StringRef Name = C.getCalleeName(CE);

  if (Name.empty() || CE->getNumArgs() < 1)

    return;


  // Add array size information to the state.

  if (Name.equals("CFArrayCreate")) {

    if (CE->getNumArgs() < 3)

      return;

    // Note, we can visit the Create method in the post-visit because

    // the CFIndex parameter is passed in by value and will not be invalidated

    // by the call.

    addSizeInfo(CE, CE->getArg(2), C);

    return;

  }


  if (Name.equals("CFArrayGetCount")) {

    addSizeInfo(CE->getArg(0), CE, C);

    return;

  }

}


void ObjCContainersChecker::checkPreStmt(const CallExpr *CE,

                                         CheckerContext &C) const {

  StringRef Name = C.getCalleeName(CE);

  if (Name.empty() || CE->getNumArgs() < 2)

    return;


  // Check the array access.

  if (Name.equals("CFArrayGetValueAtIndex")) {

    ProgramStateRef State = C.getState();

    // Retrieve the size.

    // Find out if we saw this array symbol before and have information about

    // it.

    const Expr *ArrayExpr = CE->getArg(0);

    SymbolRef ArraySym = getArraySym(ArrayExpr, C);

    if (!ArraySym)

      return;


    const DefinedSVal *Size = State->get<ArraySizeMap>(ArraySym);


    if (!Size)

      return;


    // Get the index.

    const Expr *IdxExpr = CE->getArg(1);

    SVal IdxVal = C.getSVal(IdxExpr);

    if (IdxVal.isUnknownOrUndef())

      return;

    DefinedSVal Idx = IdxVal.castAs<DefinedSVal>();


    // Now, check if 'Idx in [0, Size-1]'.

    const QualType T = IdxExpr->getType();

    ProgramStateRef StInBound, StOutBound;

    std::tie(StInBound, StOutBound) = State->assumeInBoundDual(Idx, *Size, T);

    if (StOutBound && !StInBound) {

      ExplodedNode *N = C.generateErrorNode(StOutBound);

      if (!N)

        return;

      initBugType();

      auto R = std::make_unique<PathSensitiveBugReport>(

          *BT, "Index is out of bounds", N);

      R->addRange(IdxExpr->getSourceRange());

      bugreporter::trackExpressionValue(N, IdxExpr, *R,

                                        {bugreporter::TrackingKind::Thorough,

                                         /*EnableNullFPSuppression=*/false});

      C.emitReport(std::move(R));

      return;

    }

  }

}


ProgramStateRef

ObjCContainersChecker::checkPointerEscape(ProgramStateRef State,

                                          const InvalidatedSymbols &Escaped,

                                          const CallEvent *Call,

                                          PointerEscapeKind Kind) const {

  for (const auto &Sym : Escaped) {

    // When a symbol for a mutable array escapes, we can't reason precisely

    // about its size any more -- so remove it from the map.

    // Note that we aren't notified here when a CFMutableArrayRef escapes as a

    // CFArrayRef. This is because CFArrayRef is typedef'd as a pointer to a

    // const-qualified type.

    State = State->remove<ArraySizeMap>(Sym);

  }

  return State;

}


void ObjCContainersChecker::printState(raw_ostream &OS, ProgramStateRef State,

                                       const char *NL, const char *Sep) const {

  ArraySizeMapTy Map = State->get<ArraySizeMap>();

  if (Map.isEmpty())

    return;


  OS << Sep << "ObjC container sizes :" << NL;

  for (auto I : Map) {

    OS << I.first << " : " << I.second << NL;

  }

}


/// Register checker.

void ento::registerObjCContainersChecker(CheckerManager &mgr) {

  mgr.registerChecker<ObjCContainersChecker>();

}


bool ento::shouldRegisterObjCContainersChecker(const CheckerManager &mgr) {

  return true;

}

BugType.h

BuiltinCheckerRegistration.h

CheckerContext.h

CheckerManager.h

Checker.h

ParentMap.h

ProgramStateTrait.h

REGISTER_MAP_WITH_PROGRAMSTATE
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:87

clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2847

clang::CallExpr::getArg
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:3038

clang::CallExpr::getNumArgs
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:3025

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::Expr::getType
QualType getType() const
Definition: Expr.h:142

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:736

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325

clang::ento::BugType
Definition: BugType.h:27

clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:152

clang::ento::CheckerBase::printState
virtual void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, const char *Sep) const
See CheckerManager::runCheckersForPrintState.
Definition: Checker.h:500

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:516

clang::ento::DefinedSVal
Definition: SVals.h:220

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:66

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55

clang::ento::SVal::isUnknownOrUndef
bool isUnknownOrUndef() const
Definition: SVals.h:106

clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:82

clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:30

llvm::ArrayRef
Definition: LLVM.h:31

llvm::DenseSet< SymbolRef >

llvm::IntrusiveRefCntPtr< const ProgramState >

clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2685

clang::ento::categories::CoreFoundationObjectiveC
const char *const CoreFoundationObjectiveC
Definition: CommonBugCategories.cpp:16

clang::ento::PointerEscapeKind
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Definition: CheckerManager.h:78

clang::syntax::NodeRole::Size
@ Size

clang
Definition: CalledOnceCheck.h:17

clang::LinkageSpecLanguageIDs::C
@ C

clang::OMPDeclareReductionInitKind::Call
@ Call