clang 19.0.0git
ObjCContainersChecker.cpp
Go to the documentation of this file.
1//== ObjCContainersChecker.cpp - Path sensitive checker for CFArray *- C++ -*=//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// Performs path sensitive checks of Core Foundation static containers like
10// CFArray.
11// 1) Check for buffer overflows:
12// In CFArrayGetArrayAtIndex( myArray, index), if the index is outside the
13// index space of theArray (0 to N-1 inclusive (where N is the count of
14// theArray), the behavior is undefined.
15//
16//===----------------------------------------------------------------------===//
17
19#include "clang/AST/ParentMap.h"
25
26using namespace clang;
27using namespace ento;
28
29namespace {
30class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>,
31 check::PostStmt<CallExpr>,
32 check::PointerEscape> {
33 const BugType BT{this, "CFArray API", categories::CoreFoundationObjectiveC};
34
35 inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const {
36 SVal ArrayRef = C.getSVal(E);
37 SymbolRef ArraySym = ArrayRef.getAsSymbol();
38 return ArraySym;
39 }
40
41 void addSizeInfo(const Expr *Array, const Expr *Size,
42 CheckerContext &C) const;
43
44public:
45 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
46 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
47 ProgramStateRef checkPointerEscape(ProgramStateRef State,
48 const InvalidatedSymbols &Escaped,
49 const CallEvent *Call,
50 PointerEscapeKind Kind) const;
51
52 void printState(raw_ostream &OS, ProgramStateRef State,
53 const char *NL, const char *Sep) const override;
54};
55} // end anonymous namespace
56
57// ProgramState trait - a map from array symbol to its state.
59
60void ObjCContainersChecker::addSizeInfo(const Expr *Array, const Expr *Size,
61 CheckerContext &C) const {
62 ProgramStateRef State = C.getState();
63 SVal SizeV = C.getSVal(Size);
64 // Undefined is reported by another checker.
65 if (SizeV.isUnknownOrUndef())
66 return;
67
68 // Get the ArrayRef symbol.
69 SVal ArrayRef = C.getSVal(Array);
70 SymbolRef ArraySym = ArrayRef.getAsSymbol();
71 if (!ArraySym)
72 return;
73
74 C.addTransition(
75 State->set<ArraySizeMap>(ArraySym, SizeV.castAs<DefinedSVal>()));
76}
77
78void ObjCContainersChecker::checkPostStmt(const CallExpr *CE,
79 CheckerContext &C) const {
80 StringRef Name = C.getCalleeName(CE);
81 if (Name.empty() || CE->getNumArgs() < 1)
82 return;
83
84 // Add array size information to the state.
85 if (Name == "CFArrayCreate") {
86 if (CE->getNumArgs() < 3)
87 return;
88 // Note, we can visit the Create method in the post-visit because
89 // the CFIndex parameter is passed in by value and will not be invalidated
90 // by the call.
91 addSizeInfo(CE, CE->getArg(2), C);
92 return;
93 }
94
95 if (Name == "CFArrayGetCount") {
96 addSizeInfo(CE->getArg(0), CE, C);
97 return;
98 }
99}
100
101void ObjCContainersChecker::checkPreStmt(const CallExpr *CE,
102 CheckerContext &C) const {
103 StringRef Name = C.getCalleeName(CE);
104 if (Name.empty() || CE->getNumArgs() < 2)
105 return;
106
107 // Check the array access.
108 if (Name == "CFArrayGetValueAtIndex") {
109 ProgramStateRef State = C.getState();
110 // Retrieve the size.
111 // Find out if we saw this array symbol before and have information about
112 // it.
113 const Expr *ArrayExpr = CE->getArg(0);
114 SymbolRef ArraySym = getArraySym(ArrayExpr, C);
115 if (!ArraySym)
116 return;
117
118 const DefinedSVal *Size = State->get<ArraySizeMap>(ArraySym);
119
120 if (!Size)
121 return;
122
123 // Get the index.
124 const Expr *IdxExpr = CE->getArg(1);
125 SVal IdxVal = C.getSVal(IdxExpr);
126 if (IdxVal.isUnknownOrUndef())
127 return;
128 DefinedSVal Idx = IdxVal.castAs<DefinedSVal>();
129
130 // Now, check if 'Idx in [0, Size-1]'.
131 const QualType T = IdxExpr->getType();
132 ProgramStateRef StInBound, StOutBound;
133 std::tie(StInBound, StOutBound) = State->assumeInBoundDual(Idx, *Size, T);
134 if (StOutBound && !StInBound) {
135 ExplodedNode *N = C.generateErrorNode(StOutBound);
136 if (!N)
137 return;
138
139 auto R = std::make_unique<PathSensitiveBugReport>(
140 BT, "Index is out of bounds", N);
141 R->addRange(IdxExpr->getSourceRange());
143 {bugreporter::TrackingKind::Thorough,
144 /*EnableNullFPSuppression=*/false});
145 C.emitReport(std::move(R));
146 return;
147 }
148 }
149}
150
152ObjCContainersChecker::checkPointerEscape(ProgramStateRef State,
153 const InvalidatedSymbols &Escaped,
154 const CallEvent *Call,
155 PointerEscapeKind Kind) const {
156 for (const auto &Sym : Escaped) {
157 // When a symbol for a mutable array escapes, we can't reason precisely
158 // about its size any more -- so remove it from the map.
159 // Note that we aren't notified here when a CFMutableArrayRef escapes as a
160 // CFArrayRef. This is because CFArrayRef is typedef'd as a pointer to a
161 // const-qualified type.
162 State = State->remove<ArraySizeMap>(Sym);
163 }
164 return State;
165}
166
167void ObjCContainersChecker::printState(raw_ostream &OS, ProgramStateRef State,
168 const char *NL, const char *Sep) const {
169 ArraySizeMapTy Map = State->get<ArraySizeMap>();
170 if (Map.isEmpty())
171 return;
172
173 OS << Sep << "ObjC container sizes :" << NL;
174 for (auto I : Map) {
175 OS << I.first << " : " << I.second << NL;
176 }
177}
178
179/// Register checker.
180void ento::registerObjCContainersChecker(CheckerManager &mgr) {
181 mgr.registerChecker<ObjCContainersChecker>();
182}
183
184bool ento::shouldRegisterObjCContainersChecker(const CheckerManager &mgr) {
185 return true;
186}
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2820
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:3011
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2998
This represents one expression.
Definition: Expr.h:110
QualType getType() const
Definition: Expr.h:142
A (possibly-)qualified type.
Definition: Type.h:940
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:326
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:153
virtual void printState(raw_ostream &Out, ProgramStateRef State, const char *NL, const char *Sep) const
See CheckerManager::runCheckersForPrintState.
Definition: Checker.h:496
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
bool isUnknownOrUndef() const
Definition: SVals.h:106
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:82
Symbolic value.
Definition: SymExpr.h:30
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
const char *const CoreFoundationObjectiveC
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
The JSON file list parser is used to communicate input to InstallAPI.
const FunctionProtoType * T