clang 18.0.0git
PointerSubChecker.cpp
Go to the documentation of this file.
1//=== PointerSubChecker.cpp - Pointer subtraction checker ------*- C++ -*--===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This files defines PointerSubChecker, a builtin checker that checks for
10// pointer subtractions on two pointers pointing to different memory chunks.
11// This check corresponds to CWE-469.
12//
13//===----------------------------------------------------------------------===//
14
15#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17#include "clang/StaticAnalyzer/Core/Checker.h"
18#include "clang/StaticAnalyzer/Core/CheckerManager.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20#include "llvm/ADT/StringRef.h"
21
22using namespace clang;
23using namespace ento;
24
25namespace {
26class PointerSubChecker
27 : public Checker< check::PreStmt<BinaryOperator> > {
28 mutable std::unique_ptr<BugType> BT;
29
30public:
31 void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
32};
33}
34
35void PointerSubChecker::checkPreStmt(const BinaryOperator *B,
36 CheckerContext &C) const {
37 // When doing pointer subtraction, if the two pointers do not point to the
38 // same memory chunk, emit a warning.
39 if (B->getOpcode() != BO_Sub)
40 return;
41
42 SVal LV = C.getSVal(B->getLHS());
43 SVal RV = C.getSVal(B->getRHS());
44
45 const MemRegion *LR = LV.getAsRegion();
46 const MemRegion *RR = RV.getAsRegion();
47
48 if (!(LR && RR))
49 return;
50
51 const MemRegion *BaseLR = LR->getBaseRegion();
52 const MemRegion *BaseRR = RR->getBaseRegion();
53
54 if (BaseLR == BaseRR)
55 return;
56
57 // Allow arithmetic on different symbolic regions.
58 if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR))
59 return;
60
61 if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
62 if (!BT)
63 BT.reset(new BugType(this, "Pointer subtraction"));
64 constexpr llvm::StringLiteral Msg =
65 "Subtraction of two pointers that do not point to the same memory "
66 "chunk may cause incorrect result.";
67 auto R = std::make_unique<PathSensitiveBugReport>(*BT, Msg, N);
68 R->addRange(B->getSourceRange());
69 C.emitReport(std::move(R));
70 }
71}
72
73void ento::registerPointerSubChecker(CheckerManager &mgr) {
74 mgr.registerChecker<PointerSubChecker>();
75}
76
77bool ento::shouldRegisterPointerSubChecker(const CheckerManager &mgr) {
78 return true;
79}
clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3862
clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3911
clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3913
clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3906
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96
clang::ento::MemRegion::getBaseRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1335
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
Generated on Wed Dec 6 2023 11:09:31 for clang by doxygen 1.9.6