clang 20.0.0git
PointerSubChecker.cpp
Go to the documentation of this file.
1//=== PointerSubChecker.cpp - Pointer subtraction checker ------*- C++ -*--===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This files defines PointerSubChecker, a builtin checker that checks for
10// pointer subtractions on two pointers pointing to different memory chunks.
11// This check corresponds to CWE-469.
12//
13//===----------------------------------------------------------------------===//
14
15#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17#include "clang/StaticAnalyzer/Core/Checker.h"
18#include "clang/StaticAnalyzer/Core/CheckerManager.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
21#include "llvm/ADT/StringRef.h"
22#include "llvm/Support/FormatVariadic.h"
23
24using namespace clang;
25using namespace ento;
26
27namespace {
28class PointerSubChecker
29 : public Checker< check::PreStmt<BinaryOperator> > {
30 const BugType BT{this, "Pointer subtraction"};
31 const llvm::StringLiteral Msg_MemRegionDifferent =
32 "Subtraction of two pointers that do not point into the same array "
33 "is undefined behavior.";
34
35public:
36 void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
37};
38}
39
40void PointerSubChecker::checkPreStmt(const BinaryOperator *B,
41 CheckerContext &C) const {
42 // When doing pointer subtraction, if the two pointers do not point to the
43 // same array, emit a warning.
44 if (B->getOpcode() != BO_Sub)
45 return;
46
47 SVal LV = C.getSVal(B->getLHS());
48 SVal RV = C.getSVal(B->getRHS());
49
50 const MemRegion *LR = LV.getAsRegion();
51 const MemRegion *RR = RV.getAsRegion();
52 if (!LR || !RR)
53 return;
54
55 // Allow subtraction of identical pointers.
56 if (LR == RR)
57 return;
58
59 // No warning if one operand is unknown or resides in a region that could be
60 // equal to the other.
61 if (LR->getSymbolicBase() || RR->getSymbolicBase())
62 return;
63
64 if (!B->getLHS()->getType()->isPointerType() ||
65 !B->getRHS()->getType()->isPointerType())
66 return;
67
68 const auto *ElemLR = dyn_cast<ElementRegion>(LR);
69 const auto *ElemRR = dyn_cast<ElementRegion>(RR);
70
71 // Allow cases like "(&x + 1) - &x".
72 if (ElemLR && ElemLR->getSuperRegion() == RR)
73 return;
74 // Allow cases like "&x - (&x + 1)".
75 if (ElemRR && ElemRR->getSuperRegion() == LR)
76 return;
77
78 const ValueDecl *DiffDeclL = nullptr;
79 const ValueDecl *DiffDeclR = nullptr;
80
81 if (ElemLR && ElemRR) {
82 const MemRegion *SuperLR = ElemLR->getSuperRegion();
83 const MemRegion *SuperRR = ElemRR->getSuperRegion();
84 if (SuperLR == SuperRR)
85 return;
86 // Allow arithmetic on different symbolic regions.
87 if (isa<SymbolicRegion>(SuperLR) || isa<SymbolicRegion>(SuperRR))
88 return;
89 if (const auto *SuperDLR = dyn_cast<DeclRegion>(SuperLR))
90 DiffDeclL = SuperDLR->getDecl();
91 if (const auto *SuperDRR = dyn_cast<DeclRegion>(SuperRR))
92 DiffDeclR = SuperDRR->getDecl();
93 }
94
95 if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
96 auto R =
97 std::make_unique<PathSensitiveBugReport>(BT, Msg_MemRegionDifferent, N);
98 R->addRange(B->getSourceRange());
99 // The declarations may be identical even if the regions are different:
100 // struct { int array[10]; } a, b;
101 // do_something(&a.array[5] - &b.array[5]);
102 // In this case don't emit notes.
103 if (DiffDeclL != DiffDeclR) {
104 auto AddNote = [&R, &C](const ValueDecl *D, StringRef SideStr) {
105 if (D) {
106 std::string Msg = llvm::formatv(
107 "{0} at the {1}-hand side of subtraction",
108 D->getType()->isArrayType() ? "Array" : "Object", SideStr);
109 R->addNote(Msg, {D, C.getSourceManager()});
110 }
111 };
112 AddNote(DiffDeclL, "left");
113 AddNote(DiffDeclR, "right");
114 }
115 C.emitReport(std::move(R));
116 }
117}
118
119void ento::registerPointerSubChecker(CheckerManager &mgr) {
120 mgr.registerChecker<PointerSubChecker>();
121}
122
123bool ento::shouldRegisterPointerSubChecker(const CheckerManager &mgr) {
124 return true;
125}
D
const Decl * D
Definition: CheckExprLifetime.cpp:212
clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3909
clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3959
clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3961
clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3954
clang::Expr::getType
QualType getType() const
Definition: Expr.h:142
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:334
clang::Type::isPointerType
bool isPointerType() const
Definition: Type.h:8192
clang::ValueDecl
Represent the declaration of a variable (in which case it is an lvalue) a function (in which case it ...
Definition: Decl.h:671
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:202
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:97
clang::ento::MemRegion::getSymbolicBase
const SymbolicRegion * getSymbolicBase() const
If this is a symbolic region, returns the region.
Definition: MemRegion.cpp:1435
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:56
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
Generated on Fri Jul 11 2025 10:29:14 for clang by doxygen 1.9.6