clang 17.0.0git
PointerSubChecker.cpp
Go to the documentation of this file.
1//=== PointerSubChecker.cpp - Pointer subtraction checker ------*- C++ -*--===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This files defines PointerSubChecker, a builtin checker that checks for
10// pointer subtractions on two pointers pointing to different memory chunks.
11// This check corresponds to CWE-469.
12//
13//===----------------------------------------------------------------------===//
14
15#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17#include "clang/StaticAnalyzer/Core/Checker.h"
18#include "clang/StaticAnalyzer/Core/CheckerManager.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20
21using namespace clang;
22using namespace ento;
23
24namespace {
25class PointerSubChecker
26 : public Checker< check::PreStmt<BinaryOperator> > {
27 mutable std::unique_ptr<BuiltinBug> BT;
28
29public:
30 void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
31};
32}
33
34void PointerSubChecker::checkPreStmt(const BinaryOperator *B,
35 CheckerContext &C) const {
36 // When doing pointer subtraction, if the two pointers do not point to the
37 // same memory chunk, emit a warning.
38 if (B->getOpcode() != BO_Sub)
39 return;
40
41 SVal LV = C.getSVal(B->getLHS());
42 SVal RV = C.getSVal(B->getRHS());
43
44 const MemRegion *LR = LV.getAsRegion();
45 const MemRegion *RR = RV.getAsRegion();
46
47 if (!(LR && RR))
48 return;
49
50 const MemRegion *BaseLR = LR->getBaseRegion();
51 const MemRegion *BaseRR = RR->getBaseRegion();
52
53 if (BaseLR == BaseRR)
54 return;
55
56 // Allow arithmetic on different symbolic regions.
57 if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR))
58 return;
59
60 if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
61 if (!BT)
62 BT.reset(
63 new BuiltinBug(this, "Pointer subtraction",
64 "Subtraction of two pointers that do not point to "
65 "the same memory chunk may cause incorrect result."));
66 auto R =
67 std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(), N);
68 R->addRange(B->getSourceRange());
69 C.emitReport(std::move(R));
70 }
71}
72
73void ento::registerPointerSubChecker(CheckerManager &mgr) {
74 mgr.registerChecker<PointerSubChecker>();
75}
76
77bool ento::shouldRegisterPointerSubChecker(const CheckerManager &mgr) {
78 return true;
79}
clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3819
clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3868
clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3870
clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3863
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:95
clang::ento::MemRegion::getBaseRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1307
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
clang::Language::C
@ C
Languages that the frontend can parse and compile.
Generated on Mon May 29 2023 20:26:25 for clang by doxygen 1.9.6