clang  8.0.0svn
UnixAPIChecker.cpp
Go to the documentation of this file.
1 //= UnixAPIChecker.h - Checks preconditions for various Unix APIs --*- C++ -*-//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines UnixAPIChecker, which is an assortment of checks on calls
11 // to various, widely used UNIX/Posix functions.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "clang/Basic/TargetInfo.h"
17 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
18 #include "clang/StaticAnalyzer/Core/Checker.h"
19 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
21 #include "llvm/ADT/Optional.h"
22 #include "llvm/ADT/STLExtras.h"
23 #include "llvm/ADT/SmallString.h"
24 #include "llvm/ADT/StringExtras.h"
25 #include "llvm/ADT/StringSwitch.h"
26 #include "llvm/Support/raw_ostream.h"
27 #include <fcntl.h>
28 
29 using namespace clang;
30 using namespace ento;
31 
32 enum class OpenVariant {
33  /// The standard open() call:
34  /// int open(const char *path, int oflag, ...);
35  Open,
36 
37  /// The variant taking a directory file descriptor and a relative path:
38  /// int openat(int fd, const char *path, int oflag, ...);
39  OpenAt
40 };
41 
42 namespace {
43 class UnixAPIChecker : public Checker< check::PreStmt<CallExpr> > {
44  mutable std::unique_ptr<BugType> BT_open, BT_pthreadOnce, BT_mallocZero;
45  mutable Optional<uint64_t> Val_O_CREAT;
46 
47 public:
48  DefaultBool CheckMisuse, CheckPortability;
49 
50  void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
51 
52  void CheckOpen(CheckerContext &C, const CallExpr *CE) const;
53  void CheckOpenAt(CheckerContext &C, const CallExpr *CE) const;
54 
55  void CheckPthreadOnce(CheckerContext &C, const CallExpr *CE) const;
56  void CheckCallocZero(CheckerContext &C, const CallExpr *CE) const;
57  void CheckMallocZero(CheckerContext &C, const CallExpr *CE) const;
58  void CheckReallocZero(CheckerContext &C, const CallExpr *CE) const;
59  void CheckReallocfZero(CheckerContext &C, const CallExpr *CE) const;
60  void CheckAllocaZero(CheckerContext &C, const CallExpr *CE) const;
61  void CheckAllocaWithAlignZero(CheckerContext &C, const CallExpr *CE) const;
62  void CheckVallocZero(CheckerContext &C, const CallExpr *CE) const;
63 
64  typedef void (UnixAPIChecker::*SubChecker)(CheckerContext &,
65  const CallExpr *) const;
66 private:
67 
68  void CheckOpenVariant(CheckerContext &C,
69  const CallExpr *CE, OpenVariant Variant) const;
70 
71  bool ReportZeroByteAllocation(CheckerContext &C,
72  ProgramStateRef falseState,
73  const Expr *arg,
74  const char *fn_name) const;
75  void BasicAllocationCheck(CheckerContext &C,
76  const CallExpr *CE,
77  const unsigned numArgs,
78  const unsigned sizeArg,
79  const char *fn) const;
80  void LazyInitialize(std::unique_ptr<BugType> &BT, const char *name) const {
81  if (BT)
82  return;
83  BT.reset(new BugType(this, name, categories::UnixAPI));
84  }
85  void ReportOpenBug(CheckerContext &C,
86  ProgramStateRef State,
87  const char *Msg,
88  SourceRange SR) const;
89 };
90 } //end anonymous namespace
91 
92 //===----------------------------------------------------------------------===//
93 // "open" (man 2 open)
94 //===----------------------------------------------------------------------===//
95 
96 void UnixAPIChecker::ReportOpenBug(CheckerContext &C,
97  ProgramStateRef State,
98  const char *Msg,
99  SourceRange SR) const {
100  ExplodedNode *N = C.generateErrorNode(State);
101  if (!N)
102  return;
103 
104  LazyInitialize(BT_open, "Improper use of 'open'");
105 
106  auto Report = llvm::make_unique<BugReport>(*BT_open, Msg, N);
107  Report->addRange(SR);
108  C.emitReport(std::move(Report));
109 }
110 
111 void UnixAPIChecker::CheckOpen(CheckerContext &C, const CallExpr *CE) const {
112  CheckOpenVariant(C, CE, OpenVariant::Open);
113 }
114 
115 void UnixAPIChecker::CheckOpenAt(CheckerContext &C, const CallExpr *CE) const {
116  CheckOpenVariant(C, CE, OpenVariant::OpenAt);
117 }
118 
119 void UnixAPIChecker::CheckOpenVariant(CheckerContext &C,
120  const CallExpr *CE,
121  OpenVariant Variant) const {
122  // The index of the argument taking the flags open flags (O_RDONLY,
123  // O_WRONLY, O_CREAT, etc.),
124  unsigned int FlagsArgIndex;
125  const char *VariantName;
126  switch (Variant) {
127  case OpenVariant::Open:
128  FlagsArgIndex = 1;
129  VariantName = "open";
130  break;
131  case OpenVariant::OpenAt:
132  FlagsArgIndex = 2;
133  VariantName = "openat";
134  break;
135  };
136 
137  // All calls should at least provide arguments up to the 'flags' parameter.
138  unsigned int MinArgCount = FlagsArgIndex + 1;
139 
140  // If the flags has O_CREAT set then open/openat() require an additional
141  // argument specifying the file mode (permission bits) for the created file.
142  unsigned int CreateModeArgIndex = FlagsArgIndex + 1;
143 
144  // The create mode argument should be the last argument.
145  unsigned int MaxArgCount = CreateModeArgIndex + 1;
146 
147  ProgramStateRef state = C.getState();
148 
149  if (CE->getNumArgs() < MinArgCount) {
150  // The frontend should issue a warning for this case, so this is a sanity
151  // check.
152  return;
153  } else if (CE->getNumArgs() == MaxArgCount) {
154  const Expr *Arg = CE->getArg(CreateModeArgIndex);
155  QualType QT = Arg->getType();
156  if (!QT->isIntegerType()) {
157  SmallString<256> SBuf;
158  llvm::raw_svector_ostream OS(SBuf);
159  OS << "The " << CreateModeArgIndex + 1
160  << llvm::getOrdinalSuffix(CreateModeArgIndex + 1)
161  << " argument to '" << VariantName << "' is not an integer";
162 
163  ReportOpenBug(C, state,
164  SBuf.c_str(),
165  Arg->getSourceRange());
166  return;
167  }
168  } else if (CE->getNumArgs() > MaxArgCount) {
169  SmallString<256> SBuf;
170  llvm::raw_svector_ostream OS(SBuf);
171  OS << "Call to '" << VariantName << "' with more than " << MaxArgCount
172  << " arguments";
173 
174  ReportOpenBug(C, state,
175  SBuf.c_str(),
176  CE->getArg(MaxArgCount)->getSourceRange());
177  return;
178  }
179 
180  // The definition of O_CREAT is platform specific. We need a better way
181  // of querying this information from the checking environment.
182  if (!Val_O_CREAT.hasValue()) {
183  if (C.getASTContext().getTargetInfo().getTriple().getVendor()
184  == llvm::Triple::Apple)
185  Val_O_CREAT = 0x0200;
186  else {
187  // FIXME: We need a more general way of getting the O_CREAT value.
188  // We could possibly grovel through the preprocessor state, but
189  // that would require passing the Preprocessor object to the ExprEngine.
190  // See also: MallocChecker.cpp / M_ZERO.
191  return;
192  }
193  }
194 
195  // Now check if oflags has O_CREAT set.
196  const Expr *oflagsEx = CE->getArg(FlagsArgIndex);
197  const SVal V = C.getSVal(oflagsEx);
198  if (!V.getAs<NonLoc>()) {
199  // The case where 'V' can be a location can only be due to a bad header,
200  // so in this case bail out.
201  return;
202  }
203  NonLoc oflags = V.castAs<NonLoc>();
204  NonLoc ocreateFlag = C.getSValBuilder()
205  .makeIntVal(Val_O_CREAT.getValue(), oflagsEx->getType()).castAs<NonLoc>();
206  SVal maskedFlagsUC = C.getSValBuilder().evalBinOpNN(state, BO_And,
207  oflags, ocreateFlag,
208  oflagsEx->getType());
209  if (maskedFlagsUC.isUnknownOrUndef())
210  return;
211  DefinedSVal maskedFlags = maskedFlagsUC.castAs<DefinedSVal>();
212 
213  // Check if maskedFlags is non-zero.
214  ProgramStateRef trueState, falseState;
215  std::tie(trueState, falseState) = state->assume(maskedFlags);
216 
217  // Only emit an error if the value of 'maskedFlags' is properly
218  // constrained;
219  if (!(trueState && !falseState))
220  return;
221 
222  if (CE->getNumArgs() < MaxArgCount) {
223  SmallString<256> SBuf;
224  llvm::raw_svector_ostream OS(SBuf);
225  OS << "Call to '" << VariantName << "' requires a "
226  << CreateModeArgIndex + 1
227  << llvm::getOrdinalSuffix(CreateModeArgIndex + 1)
228  << " argument when the 'O_CREAT' flag is set";
229  ReportOpenBug(C, trueState,
230  SBuf.c_str(),
231  oflagsEx->getSourceRange());
232  }
233 }
234 
235 //===----------------------------------------------------------------------===//
236 // pthread_once
237 //===----------------------------------------------------------------------===//
238 
239 void UnixAPIChecker::CheckPthreadOnce(CheckerContext &C,
240  const CallExpr *CE) const {
241 
242  // This is similar to 'CheckDispatchOnce' in the MacOSXAPIChecker.
243  // They can possibly be refactored.
244 
245  if (CE->getNumArgs() < 1)
246  return;
247 
248  // Check if the first argument is stack allocated. If so, issue a warning
249  // because that's likely to be bad news.
250  ProgramStateRef state = C.getState();
251  const MemRegion *R = C.getSVal(CE->getArg(0)).getAsRegion();
252  if (!R || !isa<StackSpaceRegion>(R->getMemorySpace()))
253  return;
254 
255  ExplodedNode *N = C.generateErrorNode(state);
256  if (!N)
257  return;
258 
259  SmallString<256> S;
260  llvm::raw_svector_ostream os(S);
261  os << "Call to 'pthread_once' uses";
262  if (const VarRegion *VR = dyn_cast<VarRegion>(R))
263  os << " the local variable '" << VR->getDecl()->getName() << '\'';
264  else
265  os << " stack allocated memory";
266  os << " for the \"control\" value. Using such transient memory for "
267  "the control value is potentially dangerous.";
268  if (isa<VarRegion>(R) && isa<StackLocalsSpaceRegion>(R->getMemorySpace()))
269  os << " Perhaps you intended to declare the variable as 'static'?";
270 
271  LazyInitialize(BT_pthreadOnce, "Improper use of 'pthread_once'");
272 
273  auto report = llvm::make_unique<BugReport>(*BT_pthreadOnce, os.str(), N);
274  report->addRange(CE->getArg(0)->getSourceRange());
275  C.emitReport(std::move(report));
276 }
277 
278 //===----------------------------------------------------------------------===//
279 // "calloc", "malloc", "realloc", "reallocf", "alloca" and "valloc"
280 // with allocation size 0
281 //===----------------------------------------------------------------------===//
282 // FIXME: Eventually these should be rolled into the MallocChecker, but right now
283 // they're more basic and valuable for widespread use.
284 
285 // Returns true if we try to do a zero byte allocation, false otherwise.
286 // Fills in trueState and falseState.
287 static bool IsZeroByteAllocation(ProgramStateRef state,
288  const SVal argVal,
289  ProgramStateRef *trueState,
290  ProgramStateRef *falseState) {
291  std::tie(*trueState, *falseState) =
292  state->assume(argVal.castAs<DefinedSVal>());
293 
294  return (*falseState && !*trueState);
295 }
296 
297 // Generates an error report, indicating that the function whose name is given
298 // will perform a zero byte allocation.
299 // Returns false if an error occurred, true otherwise.
300 bool UnixAPIChecker::ReportZeroByteAllocation(CheckerContext &C,
301  ProgramStateRef falseState,
302  const Expr *arg,
303  const char *fn_name) const {
304  ExplodedNode *N = C.generateErrorNode(falseState);
305  if (!N)
306  return false;
307 
308  LazyInitialize(BT_mallocZero,
309  "Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)");
310 
311  SmallString<256> S;
312  llvm::raw_svector_ostream os(S);
313  os << "Call to '" << fn_name << "' has an allocation size of 0 bytes";
314  auto report = llvm::make_unique<BugReport>(*BT_mallocZero, os.str(), N);
315 
316  report->addRange(arg->getSourceRange());
317  bugreporter::trackNullOrUndefValue(N, arg, *report);
318  C.emitReport(std::move(report));
319 
320  return true;
321 }
322 
323 // Does a basic check for 0-sized allocations suitable for most of the below
324 // functions (modulo "calloc")
325 void UnixAPIChecker::BasicAllocationCheck(CheckerContext &C,
326  const CallExpr *CE,
327  const unsigned numArgs,
328  const unsigned sizeArg,
329  const char *fn) const {
330  // Sanity check for the correct number of arguments
331  if (CE->getNumArgs() != numArgs)
332  return;
333 
334  // Check if the allocation size is 0.
335  ProgramStateRef state = C.getState();
336  ProgramStateRef trueState = nullptr, falseState = nullptr;
337  const Expr *arg = CE->getArg(sizeArg);
338  SVal argVal = C.getSVal(arg);
339 
340  if (argVal.isUnknownOrUndef())
341  return;
342 
343  // Is the value perfectly constrained to zero?
344  if (IsZeroByteAllocation(state, argVal, &trueState, &falseState)) {
345  (void) ReportZeroByteAllocation(C, falseState, arg, fn);
346  return;
347  }
348  // Assume the value is non-zero going forward.
349  assert(trueState);
350  if (trueState != state)
351  C.addTransition(trueState);
352 }
353 
354 void UnixAPIChecker::CheckCallocZero(CheckerContext &C,
355  const CallExpr *CE) const {
356  unsigned int nArgs = CE->getNumArgs();
357  if (nArgs != 2)
358  return;
359 
360  ProgramStateRef state = C.getState();
361  ProgramStateRef trueState = nullptr, falseState = nullptr;
362 
363  unsigned int i;
364  for (i = 0; i < nArgs; i++) {
365  const Expr *arg = CE->getArg(i);
366  SVal argVal = C.getSVal(arg);
367  if (argVal.isUnknownOrUndef()) {
368  if (i == 0)
369  continue;
370  else
371  return;
372  }
373 
374  if (IsZeroByteAllocation(state, argVal, &trueState, &falseState)) {
375  if (ReportZeroByteAllocation(C, falseState, arg, "calloc"))
376  return;
377  else if (i == 0)
378  continue;
379  else
380  return;
381  }
382  }
383 
384  // Assume the value is non-zero going forward.
385  assert(trueState);
386  if (trueState != state)
387  C.addTransition(trueState);
388 }
389 
390 void UnixAPIChecker::CheckMallocZero(CheckerContext &C,
391  const CallExpr *CE) const {
392  BasicAllocationCheck(C, CE, 1, 0, "malloc");
393 }
394 
395 void UnixAPIChecker::CheckReallocZero(CheckerContext &C,
396  const CallExpr *CE) const {
397  BasicAllocationCheck(C, CE, 2, 1, "realloc");
398 }
399 
400 void UnixAPIChecker::CheckReallocfZero(CheckerContext &C,
401  const CallExpr *CE) const {
402  BasicAllocationCheck(C, CE, 2, 1, "reallocf");
403 }
404 
405 void UnixAPIChecker::CheckAllocaZero(CheckerContext &C,
406  const CallExpr *CE) const {
407  BasicAllocationCheck(C, CE, 1, 0, "alloca");
408 }
409 
410 void UnixAPIChecker::CheckAllocaWithAlignZero(CheckerContext &C,
411  const CallExpr *CE) const {
412  BasicAllocationCheck(C, CE, 2, 0, "__builtin_alloca_with_align");
413 }
414 
415 void UnixAPIChecker::CheckVallocZero(CheckerContext &C,
416  const CallExpr *CE) const {
417  BasicAllocationCheck(C, CE, 1, 0, "valloc");
418 }
419 
420 
421 //===----------------------------------------------------------------------===//
422 // Central dispatch function.
423 //===----------------------------------------------------------------------===//
424 
425 void UnixAPIChecker::checkPreStmt(const CallExpr *CE,
426  CheckerContext &C) const {
427  const FunctionDecl *FD = C.getCalleeDecl(CE);
428  if (!FD || FD->getKind() != Decl::Function)
429  return;
430 
431  // Don't treat functions in namespaces with the same name a Unix function
432  // as a call to the Unix function.
433  const DeclContext *NamespaceCtx = FD->getEnclosingNamespaceContext();
434  if (NamespaceCtx && isa<NamespaceDecl>(NamespaceCtx))
435  return;
436 
437  StringRef FName = C.getCalleeName(FD);
438  if (FName.empty())
439  return;
440 
441  if (CheckMisuse) {
442  if (SubChecker SC =
443  llvm::StringSwitch<SubChecker>(FName)
444  .Case("open", &UnixAPIChecker::CheckOpen)
445  .Case("openat", &UnixAPIChecker::CheckOpenAt)
446  .Case("pthread_once", &UnixAPIChecker::CheckPthreadOnce)
447  .Default(nullptr)) {
448  (this->*SC)(C, CE);
449  }
450  }
451  if (CheckPortability) {
452  if (SubChecker SC =
453  llvm::StringSwitch<SubChecker>(FName)
454  .Case("calloc", &UnixAPIChecker::CheckCallocZero)
455  .Case("malloc", &UnixAPIChecker::CheckMallocZero)
456  .Case("realloc", &UnixAPIChecker::CheckReallocZero)
457  .Case("reallocf", &UnixAPIChecker::CheckReallocfZero)
458  .Cases("alloca", "__builtin_alloca",
459  &UnixAPIChecker::CheckAllocaZero)
460  .Case("__builtin_alloca_with_align",
461  &UnixAPIChecker::CheckAllocaWithAlignZero)
462  .Case("valloc", &UnixAPIChecker::CheckVallocZero)
463  .Default(nullptr)) {
464  (this->*SC)(C, CE);
465  }
466  }
467 }
468 
469 //===----------------------------------------------------------------------===//
470 // Registration.
471 //===----------------------------------------------------------------------===//
472 
473 #define REGISTER_CHECKER(Name) \
474  void ento::registerUnixAPI##Name##Checker(CheckerManager &mgr) { \
475  mgr.registerChecker<UnixAPIChecker>()->Check##Name = true; \
476  }
477 
478 REGISTER_CHECKER(Misuse)
479 REGISTER_CHECKER(Portability)
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1732
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:642
clang::CallExpr::getArg
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2359
clang::CallExpr::getNumArgs
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2347
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:38
clang::XRayInstrKind::Function
constexpr XRayInstrMask Function
Definition: XRayInstr.h:39
State
LineState State
Definition: UnwrappedLineFormatter.cpp:877
clang::CodeGen::state
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
Definition: CGOpenMPRuntime.h:727
clang::DeclContext::getEnclosingNamespaceContext
DeclContext * getEnclosingNamespaceContext()
Retrieve the nearest enclosing namespace context.
Definition: DeclBase.cpp:1733
clang::Expr
This represents one expression.
Definition: Expr.h:105
IsZeroByteAllocation
static bool IsZeroByteAllocation(ProgramStateRef state, const SVal argVal, ProgramStateRef *trueState, ProgramStateRef *falseState)
Definition: UnixAPIChecker.cpp:287
clang::Expr::getType
QualType getType() const
Definition: Expr.h:127
clang
Dataflow Directional Tag Classes.
Definition: CFGReachabilityAnalysis.h:22
clang::DeclContext
DeclContext - This is used only as base class of specific decl types that can act as declaration cont...
Definition: DeclBase.h:1261
clang::Decl::getKind
Kind getKind() const
Definition: DeclBase.h:421
OpenVariant::Open
The standard open() call: int open(const char *path, int oflag, ...);.
OpenVariant::OpenAt
The variant taking a directory file descriptor and a relative path: int openat(int fd...
clang::Type::isIntegerType
bool isIntegerType() const
isIntegerType() does not include complex integers (a GCC extension).
Definition: Type.h:6531
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:268
TargetInfo.h
Defines the clang::TargetInfo interface.
clang::CallExpr
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2290
REGISTER_CHECKER
#define REGISTER_CHECKER(Name)
Definition: UnixAPIChecker.cpp:473
OpenVariant
OpenVariant
Definition: UnixAPIChecker.cpp:32
clang::SourceRange
A trivial tuple used to represent a source range.
Definition: SourceLocation.h:198
Generated on Sat Oct 20 2018 00:54:23 for clang by   doxygen 1.8.13