clang  15.0.0git
PointerSubChecker.cpp
Go to the documentation of this file.
1 //=== PointerSubChecker.cpp - Pointer subtraction checker ------*- C++ -*--===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This files defines PointerSubChecker, a builtin checker that checks for
10 // pointer subtractions on two pointers pointing to different memory chunks.
11 // This check corresponds to CWE-469.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17 #include "clang/StaticAnalyzer/Core/Checker.h"
18 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20 
21 using namespace clang;
22 using namespace ento;
23 
24 namespace {
25 class PointerSubChecker
26  : public Checker< check::PreStmt<BinaryOperator> > {
27  mutable std::unique_ptr<BuiltinBug> BT;
28 
29 public:
30  void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
31 };
32 }
33 
34 void PointerSubChecker::checkPreStmt(const BinaryOperator *B,
35  CheckerContext &C) const {
36  // When doing pointer subtraction, if the two pointers do not point to the
37  // same memory chunk, emit a warning.
38  if (B->getOpcode() != BO_Sub)
39  return;
40 
41  SVal LV = C.getSVal(B->getLHS());
42  SVal RV = C.getSVal(B->getRHS());
43 
44  const MemRegion *LR = LV.getAsRegion();
45  const MemRegion *RR = RV.getAsRegion();
46 
47  if (!(LR && RR))
48  return;
49 
50  const MemRegion *BaseLR = LR->getBaseRegion();
51  const MemRegion *BaseRR = RR->getBaseRegion();
52 
53  if (BaseLR == BaseRR)
54  return;
55 
56  // Allow arithmetic on different symbolic regions.
57  if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR))
58  return;
59 
60  if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
61  if (!BT)
62  BT.reset(
63  new BuiltinBug(this, "Pointer subtraction",
64  "Subtraction of two pointers that do not point to "
65  "the same memory chunk may cause incorrect result."));
66  auto R =
67  std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(), N);
68  R->addRange(B->getSourceRange());
69  C.emitReport(std::move(R));
70  }
71 }
72 
73 void ento::registerPointerSubChecker(CheckerManager &mgr) {
74  mgr.registerChecker<PointerSubChecker>();
75 }
76 
77 bool ento::shouldRegisterPointerSubChecker(const CheckerManager &mgr) {
78  return true;
79 }
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:324
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:55
clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3851
BuiltinCheckerRegistration.h
clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3807
CheckerManager.h
BugType.h
clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3856
CheckerContext.h
Checker.h
clang
Definition: CalledOnceCheck.h:17
clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3858
Generated on Wed Jul 6 2022 21:05:53 for clang by   doxygen 1.8.17