clang 17.0.0git
ReturnPointerRangeChecker.cpp
Go to the documentation of this file.
1//== ReturnPointerRangeChecker.cpp ------------------------------*- C++ -*--==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines ReturnPointerRangeChecker, which is a path-sensitive check
10// which looks for an out-of-bound pointer being returned to callers.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17#include "clang/StaticAnalyzer/Core/Checker.h"
18#include "clang/StaticAnalyzer/Core/CheckerManager.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
22
23using namespace clang;
24using namespace ento;
25
26namespace {
27class ReturnPointerRangeChecker :
28 public Checker< check::PreStmt<ReturnStmt> > {
29 mutable std::unique_ptr<BuiltinBug> BT;
30
31public:
32 void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
33};
34}
35
36void ReturnPointerRangeChecker::checkPreStmt(const ReturnStmt *RS,
37 CheckerContext &C) const {
38 ProgramStateRef state = C.getState();
39
40 const Expr *RetE = RS->getRetValue();
41 if (!RetE)
42 return;
43
44 // Skip "body farmed" functions.
45 if (RetE->getSourceRange().isInvalid())
46 return;
47
48 SVal V = C.getSVal(RetE);
49 const MemRegion *R = V.getAsRegion();
50
51 const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
52 if (!ER)
53 return;
54
55 DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
56 // Zero index is always in bound, this also passes ElementRegions created for
57 // pointer casts.
58 if (Idx.isZeroConstant())
59 return;
60
61 // FIXME: All of this out-of-bounds checking should eventually be refactored
62 // into a common place.
63 DefinedOrUnknownSVal ElementCount = getDynamicElementCount(
64 state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());
65
66 // We assume that the location after the last element in the array is used as
67 // end() iterator. Reporting on these would return too many false positives.
68 if (Idx == ElementCount)
69 return;
70
71 ProgramStateRef StInBound, StOutBound;
72 std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, ElementCount);
73 if (StOutBound && !StInBound) {
74 ExplodedNode *N = C.generateErrorNode(StOutBound);
75
76 if (!N)
77 return;
78
79 // FIXME: This bug correspond to CWE-466. Eventually we should have bug
80 // types explicitly reference such exploit categories (when applicable).
81 if (!BT)
82 BT.reset(new BuiltinBug(
83 this, "Buffer overflow",
84 "Returned pointer value points outside the original object "
85 "(potential buffer overflow)"));
86
87 // Generate a report for this bug.
88 auto Report =
89 std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(), N);
90 Report->addRange(RetE->getSourceRange());
91
92 const auto ConcreteElementCount = ElementCount.getAs<nonloc::ConcreteInt>();
93 const auto ConcreteIdx = Idx.getAs<nonloc::ConcreteInt>();
94
95 const auto *DeclR = ER->getSuperRegion()->getAs<DeclRegion>();
96
97 if (DeclR)
98 Report->addNote("Original object declared here",
99 {DeclR->getDecl(), C.getSourceManager()});
100
101 if (ConcreteElementCount) {
102 SmallString<128> SBuf;
103 llvm::raw_svector_ostream OS(SBuf);
104 OS << "Original object ";
105 if (DeclR) {
106 OS << "'";
107 DeclR->getDecl()->printName(OS);
108 OS << "' ";
109 }
110 OS << "is an array of " << ConcreteElementCount->getValue() << " '";
111 ER->getValueType().print(OS,
112 PrintingPolicy(C.getASTContext().getLangOpts()));
113 OS << "' objects";
114 if (ConcreteIdx) {
115 OS << ", returned pointer points at index " << ConcreteIdx->getValue();
116 }
117
118 Report->addNote(SBuf,
119 {RetE, C.getSourceManager(), C.getLocationContext()});
120 }
121
122 bugreporter::trackExpressionValue(N, RetE, *Report);
123
124 C.emitReport(std::move(Report));
125 }
126}
127
128void ento::registerReturnPointerRangeChecker(CheckerManager &mgr) {
129 mgr.registerChecker<ReturnPointerRangeChecker>();
130}
131
132bool ento::shouldRegisterReturnPointerRangeChecker(const CheckerManager &mgr) {
133 return true;
134}
V
#define V(N, I)
Definition: ASTContext.h:3217
OS
llvm::raw_ostream & OS
Definition: Logger.cpp:24
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::QualType::print
void print(raw_ostream &OS, const PrintingPolicy &Policy, const Twine &PlaceHolder=Twine(), unsigned Indentation=0) const
Definition: TypePrinter.cpp:2355
clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:2806
clang::ReturnStmt::getRetValue
Expr * getRetValue()
Definition: Stmt.h:2837
clang::SourceRange::isInvalid
bool isInvalid() const
Definition: SourceLocation.h:226
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::ElementRegion
ElementRegion is used to represent both array elements and casts.
Definition: MemRegion.h:1189
clang::ento::ElementRegion::getValueType
QualType getValueType() const override
Definition: MemRegion.h:1211
clang::ento::ElementRegion::getIndex
NonLoc getIndex() const
Definition: MemRegion.h:1209
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:95
clang::ento::MemRegion::getAs
const RegionTy * getAs() const
Definition: MemRegion.h:1337
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72
clang::ento::SVal::isZeroConstant
bool isZeroConstant() const
Definition: SVals.cpp:261
clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:103
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:99
clang::ento::SubRegion::getSuperRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getSuperRegion() const
Definition: MemRegion.h:455
clang::ento::nonloc::ConcreteInt
Value representing integer constant.
Definition: SVals.h:329
clang::ento::nonloc::ConcreteInt::getValue
const llvm::APSInt & getValue() const
Definition: SVals.h:333
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2667
clang::ento::getDynamicElementCount
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB, QualType Ty)
clang::Language::C
@ C
Languages that the frontend can parse and compile.
clang::PrintingPolicy
Describes how types, statements, expressions, and declarations should be printed.
Definition: PrettyPrinter.h:57
Generated on Tue Mar 28 2023 07:55:07 for clang by doxygen 1.9.6