clang 20.0.0git
PointerSubChecker.cpp
Go to the documentation of this file.
1//=== PointerSubChecker.cpp - Pointer subtraction checker ------*- C++ -*--===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This files defines PointerSubChecker, a builtin checker that checks for
10// pointer subtractions on two pointers pointing to different memory chunks.
11// This check corresponds to CWE-469.
12//
13//===----------------------------------------------------------------------===//
14
15#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17#include "clang/StaticAnalyzer/Core/Checker.h"
18#include "clang/StaticAnalyzer/Core/CheckerManager.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
21#include "llvm/ADT/StringRef.h"
22#include "llvm/Support/FormatVariadic.h"
23
24using namespace clang;
25using namespace ento;
26
27namespace {
28class PointerSubChecker
29 : public Checker< check::PreStmt<BinaryOperator> > {
30 const BugType BT{this, "Pointer subtraction"};
31 const llvm::StringLiteral Msg_MemRegionDifferent =
32 "Subtraction of two pointers that do not point into the same array "
33 "is undefined behavior.";
34
35public:
36 void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
37};
38}
39
40void PointerSubChecker::checkPreStmt(const BinaryOperator *B,
41 CheckerContext &C) const {
42 // When doing pointer subtraction, if the two pointers do not point to the
43 // same array, emit a warning.
44 if (B->getOpcode() != BO_Sub)
45 return;
46
47 SVal LV = C.getSVal(B->getLHS());
48 SVal RV = C.getSVal(B->getRHS());
49
50 const MemRegion *LR = LV.getAsRegion();
51 const MemRegion *RR = RV.getAsRegion();
52 if (!LR || !RR)
53 return;
54
55 // Allow subtraction of identical pointers.
56 if (LR == RR)
57 return;
58
59 // No warning if one operand is unknown or resides in a region that could be
60 // equal to the other.
61 if (LR->getSymbolicBase() || RR->getSymbolicBase())
62 return;
63
64 const auto *ElemLR = dyn_cast<ElementRegion>(LR);
65 const auto *ElemRR = dyn_cast<ElementRegion>(RR);
66
67 // Allow cases like "(&x + 1) - &x".
68 if (ElemLR && ElemLR->getSuperRegion() == RR)
69 return;
70 // Allow cases like "&x - (&x + 1)".
71 if (ElemRR && ElemRR->getSuperRegion() == LR)
72 return;
73
74 const ValueDecl *DiffDeclL = nullptr;
75 const ValueDecl *DiffDeclR = nullptr;
76
77 if (ElemLR && ElemRR) {
78 const MemRegion *SuperLR = ElemLR->getSuperRegion();
79 const MemRegion *SuperRR = ElemRR->getSuperRegion();
80 if (SuperLR == SuperRR)
81 return;
82 // Allow arithmetic on different symbolic regions.
83 if (isa<SymbolicRegion>(SuperLR) || isa<SymbolicRegion>(SuperRR))
84 return;
85 if (const auto *SuperDLR = dyn_cast<DeclRegion>(SuperLR))
86 DiffDeclL = SuperDLR->getDecl();
87 if (const auto *SuperDRR = dyn_cast<DeclRegion>(SuperRR))
88 DiffDeclR = SuperDRR->getDecl();
89 }
90
91 if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
92 auto R =
93 std::make_unique<PathSensitiveBugReport>(BT, Msg_MemRegionDifferent, N);
94 R->addRange(B->getSourceRange());
95 // The declarations may be identical even if the regions are different:
96 // struct { int array[10]; } a, b;
97 // do_something(&a.array[5] - &b.array[5]);
98 // In this case don't emit notes.
99 if (DiffDeclL != DiffDeclR) {
100 auto AddNote = [&R, &C](const ValueDecl *D, StringRef SideStr) {
101 if (D) {
102 std::string Msg = llvm::formatv(
103 "{0} at the {1}-hand side of subtraction",
104 D->getType()->isArrayType() ? "Array" : "Object", SideStr);
105 R->addNote(Msg, {D, C.getSourceManager()});
106 }
107 };
108 AddNote(DiffDeclL, "left");
109 AddNote(DiffDeclR, "right");
110 }
111 C.emitReport(std::move(R));
112 }
113}
114
115void ento::registerPointerSubChecker(CheckerManager &mgr) {
116 mgr.registerChecker<PointerSubChecker>();
117}
118
119bool ento::shouldRegisterPointerSubChecker(const CheckerManager &mgr) {
120 return true;
121}
D
const Decl * D
Definition: CheckExprLifetime.cpp:200
clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3860
clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3910
clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3912
clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3905
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:326
clang::ValueDecl
Represent the declaration of a variable (in which case it is an lvalue) a function (in which case it ...
Definition: Decl.h:667
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:97
clang::ento::MemRegion::getSymbolicBase
const SymbolicRegion * getSymbolicBase() const
If this is a symbolic region, returns the region.
Definition: MemRegion.cpp:1412
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
Generated on Fri Nov 15 2024 16:44:44 for clang by doxygen 1.9.6