clang 18.0.0git
ValistChecker.cpp
Go to the documentation of this file.
1//== ValistChecker.cpp - stdarg.h macro usage checker -----------*- C++ -*--==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines checkers which detect usage of uninitialized va_list values
10// and va_start calls with no matching va_end.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
16#include "clang/StaticAnalyzer/Core/Checker.h"
17#include "clang/StaticAnalyzer/Core/CheckerManager.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
21
22using namespace clang;
23using namespace ento;
24
25REGISTER_SET_WITH_PROGRAMSTATE(InitializedVALists, const MemRegion *)
26
27namespace {
28typedef SmallVector<const MemRegion *, 2> RegionVector;
29
30class ValistChecker : public Checker<check::PreCall, check::PreStmt<VAArgExpr>,
31 check::DeadSymbols> {
32 mutable std::unique_ptr<BugType> BT_leakedvalist, BT_uninitaccess;
33
34 struct VAListAccepter {
35 CallDescription Func;
36 int VAListPos;
37 };
38 static const SmallVector<VAListAccepter, 15> VAListAccepters;
39 static const CallDescription VaStart, VaEnd, VaCopy;
40
41public:
42 enum CheckKind {
43 CK_Uninitialized,
44 CK_Unterminated,
45 CK_CopyToSelf,
46 CK_NumCheckKinds
47 };
48
49 bool ChecksEnabled[CK_NumCheckKinds] = {false};
50 CheckerNameRef CheckNames[CK_NumCheckKinds];
51
52 void checkPreStmt(const VAArgExpr *VAA, CheckerContext &C) const;
53 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
54 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
55
56private:
57 const MemRegion *getVAListAsRegion(SVal SV, const Expr *VAExpr,
58 bool &IsSymbolic, CheckerContext &C) const;
59 const ExplodedNode *getStartCallSite(const ExplodedNode *N,
60 const MemRegion *Reg) const;
61
62 void reportUninitializedAccess(const MemRegion *VAList, StringRef Msg,
63 CheckerContext &C) const;
64 void reportLeakedVALists(const RegionVector &LeakedVALists, StringRef Msg1,
65 StringRef Msg2, CheckerContext &C, ExplodedNode *N,
66 bool ReportUninit = false) const;
67
68 void checkVAListStartCall(const CallEvent &Call, CheckerContext &C,
69 bool IsCopy) const;
70 void checkVAListEndCall(const CallEvent &Call, CheckerContext &C) const;
71
72 class ValistBugVisitor : public BugReporterVisitor {
73 public:
74 ValistBugVisitor(const MemRegion *Reg, bool IsLeak = false)
75 : Reg(Reg), IsLeak(IsLeak) {}
76 void Profile(llvm::FoldingSetNodeID &ID) const override {
77 static int X = 0;
78 ID.AddPointer(&X);
79 ID.AddPointer(Reg);
80 }
81 PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
82 const ExplodedNode *EndPathNode,
83 PathSensitiveBugReport &BR) override {
84 if (!IsLeak)
85 return nullptr;
86
87 PathDiagnosticLocation L = BR.getLocation();
88 // Do not add the statement itself as a range in case of leak.
89 return std::make_shared<PathDiagnosticEventPiece>(L, BR.getDescription(),
90 false);
91 }
92 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
93 BugReporterContext &BRC,
94 PathSensitiveBugReport &BR) override;
95
96 private:
97 const MemRegion *Reg;
98 bool IsLeak;
99 };
100};
101
102const SmallVector<ValistChecker::VAListAccepter, 15>
103 ValistChecker::VAListAccepters = {{{{"vfprintf"}, 3}, 2},
104 {{{"vfscanf"}, 3}, 2},
105 {{{"vprintf"}, 2}, 1},
106 {{{"vscanf"}, 2}, 1},
107 {{{"vsnprintf"}, 4}, 3},
108 {{{"vsprintf"}, 3}, 2},
109 {{{"vsscanf"}, 3}, 2},
110 {{{"vfwprintf"}, 3}, 2},
111 {{{"vfwscanf"}, 3}, 2},
112 {{{"vwprintf"}, 2}, 1},
113 {{{"vwscanf"}, 2}, 1},
114 {{{"vswprintf"}, 4}, 3},
115 // vswprintf is the wide version of
116 // vsnprintf, vsprintf has no wide version
117 {{{"vswscanf"}, 3}, 2}};
118
119const CallDescription ValistChecker::VaStart({"__builtin_va_start"}, /*Args=*/2,
120 /*Params=*/1),
121 ValistChecker::VaCopy({"__builtin_va_copy"}, 2),
122 ValistChecker::VaEnd({"__builtin_va_end"}, 1);
123} // end anonymous namespace
124
125void ValistChecker::checkPreCall(const CallEvent &Call,
126 CheckerContext &C) const {
127 if (!Call.isGlobalCFunction())
128 return;
129 if (VaStart.matches(Call))
130 checkVAListStartCall(Call, C, false);
131 else if (VaCopy.matches(Call))
132 checkVAListStartCall(Call, C, true);
133 else if (VaEnd.matches(Call))
134 checkVAListEndCall(Call, C);
135 else {
136 for (auto FuncInfo : VAListAccepters) {
137 if (!FuncInfo.Func.matches(Call))
138 continue;
139 bool Symbolic;
140 const MemRegion *VAList =
141 getVAListAsRegion(Call.getArgSVal(FuncInfo.VAListPos),
142 Call.getArgExpr(FuncInfo.VAListPos), Symbolic, C);
143 if (!VAList)
144 return;
145
146 if (C.getState()->contains<InitializedVALists>(VAList))
147 return;
148
149 // We did not see va_start call, but the source of the region is unknown.
150 // Be conservative and assume the best.
151 if (Symbolic)
152 return;
153
154 SmallString<80> Errmsg("Function '");
155 Errmsg += FuncInfo.Func.getFunctionName();
156 Errmsg += "' is called with an uninitialized va_list argument";
157 reportUninitializedAccess(VAList, Errmsg.c_str(), C);
158 break;
159 }
160 }
161}
162
163const MemRegion *ValistChecker::getVAListAsRegion(SVal SV, const Expr *E,
164 bool &IsSymbolic,
165 CheckerContext &C) const {
166 const MemRegion *Reg = SV.getAsRegion();
167 if (!Reg)
168 return nullptr;
169 // TODO: In the future this should be abstracted away by the analyzer.
170 bool VaListModelledAsArray = false;
171 if (const auto *Cast = dyn_cast<CastExpr>(E)) {
172 QualType Ty = Cast->getType();
173 VaListModelledAsArray =
174 Ty->isPointerType() && Ty->getPointeeType()->isRecordType();
175 }
176 if (const auto *DeclReg = Reg->getAs<DeclRegion>()) {
177 if (isa<ParmVarDecl>(DeclReg->getDecl()))
178 Reg = C.getState()->getSVal(SV.castAs<Loc>()).getAsRegion();
179 }
180 IsSymbolic = Reg && Reg->getBaseRegion()->getAs<SymbolicRegion>();
181 // Some VarRegion based VA lists reach here as ElementRegions.
182 const auto *EReg = dyn_cast_or_null<ElementRegion>(Reg);
183 return (EReg && VaListModelledAsArray) ? EReg->getSuperRegion() : Reg;
184}
185
186void ValistChecker::checkPreStmt(const VAArgExpr *VAA,
187 CheckerContext &C) const {
188 ProgramStateRef State = C.getState();
189 const Expr *VASubExpr = VAA->getSubExpr();
190 SVal VAListSVal = C.getSVal(VASubExpr);
191 bool Symbolic;
192 const MemRegion *VAList =
193 getVAListAsRegion(VAListSVal, VASubExpr, Symbolic, C);
194 if (!VAList)
195 return;
196 if (Symbolic)
197 return;
198 if (!State->contains<InitializedVALists>(VAList))
199 reportUninitializedAccess(
200 VAList, "va_arg() is called on an uninitialized va_list", C);
201}
202
203void ValistChecker::checkDeadSymbols(SymbolReaper &SR,
204 CheckerContext &C) const {
205 ProgramStateRef State = C.getState();
206 InitializedVAListsTy TrackedVALists = State->get<InitializedVALists>();
207 RegionVector LeakedVALists;
208 for (auto Reg : TrackedVALists) {
209 if (SR.isLiveRegion(Reg))
210 continue;
211 LeakedVALists.push_back(Reg);
212 State = State->remove<InitializedVALists>(Reg);
213 }
214 if (ExplodedNode *N = C.addTransition(State))
215 reportLeakedVALists(LeakedVALists, "Initialized va_list", " is leaked", C,
216 N);
217}
218
219// This function traverses the exploded graph backwards and finds the node where
220// the va_list is initialized. That node is used for uniquing the bug paths.
221// It is not likely that there are several different va_lists that belongs to
222// different stack frames, so that case is not yet handled.
223const ExplodedNode *
224ValistChecker::getStartCallSite(const ExplodedNode *N,
225 const MemRegion *Reg) const {
226 const LocationContext *LeakContext = N->getLocationContext();
227 const ExplodedNode *StartCallNode = N;
228
229 bool FoundInitializedState = false;
230
231 while (N) {
232 ProgramStateRef State = N->getState();
233 if (!State->contains<InitializedVALists>(Reg)) {
234 if (FoundInitializedState)
235 break;
236 } else {
237 FoundInitializedState = true;
238 }
239 const LocationContext *NContext = N->getLocationContext();
240 if (NContext == LeakContext || NContext->isParentOf(LeakContext))
241 StartCallNode = N;
242 N = N->pred_empty() ? nullptr : *(N->pred_begin());
243 }
244
245 return StartCallNode;
246}
247
248void ValistChecker::reportUninitializedAccess(const MemRegion *VAList,
249 StringRef Msg,
250 CheckerContext &C) const {
251 if (!ChecksEnabled[CK_Uninitialized])
252 return;
253 if (ExplodedNode *N = C.generateErrorNode()) {
254 if (!BT_uninitaccess)
255 BT_uninitaccess.reset(new BugType(CheckNames[CK_Uninitialized],
256 "Uninitialized va_list",
257 categories::MemoryError));
258 auto R = std::make_unique<PathSensitiveBugReport>(*BT_uninitaccess, Msg, N);
259 R->markInteresting(VAList);
260 R->addVisitor(std::make_unique<ValistBugVisitor>(VAList));
261 C.emitReport(std::move(R));
262 }
263}
264
265void ValistChecker::reportLeakedVALists(const RegionVector &LeakedVALists,
266 StringRef Msg1, StringRef Msg2,
267 CheckerContext &C, ExplodedNode *N,
268 bool ReportUninit) const {
269 if (!(ChecksEnabled[CK_Unterminated] ||
270 (ChecksEnabled[CK_Uninitialized] && ReportUninit)))
271 return;
272 for (auto Reg : LeakedVALists) {
273 if (!BT_leakedvalist) {
274 // FIXME: maybe creating a new check name for this type of bug is a better
275 // solution.
276 BT_leakedvalist.reset(
277 new BugType(CheckNames[CK_Unterminated].getName().empty()
278 ? CheckNames[CK_Uninitialized]
279 : CheckNames[CK_Unterminated],
280 "Leaked va_list", categories::MemoryError,
281 /*SuppressOnSink=*/true));
282 }
283
284 const ExplodedNode *StartNode = getStartCallSite(N, Reg);
285 PathDiagnosticLocation LocUsedForUniqueing;
286
287 if (const Stmt *StartCallStmt = StartNode->getStmtForDiagnostics())
288 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(
289 StartCallStmt, C.getSourceManager(), StartNode->getLocationContext());
290
291 SmallString<100> Buf;
292 llvm::raw_svector_ostream OS(Buf);
293 OS << Msg1;
294 std::string VariableName = Reg->getDescriptiveName();
295 if (!VariableName.empty())
296 OS << " " << VariableName;
297 OS << Msg2;
298
299 auto R = std::make_unique<PathSensitiveBugReport>(
300 *BT_leakedvalist, OS.str(), N, LocUsedForUniqueing,
301 StartNode->getLocationContext()->getDecl());
302 R->markInteresting(Reg);
303 R->addVisitor(std::make_unique<ValistBugVisitor>(Reg, true));
304 C.emitReport(std::move(R));
305 }
306}
307
308void ValistChecker::checkVAListStartCall(const CallEvent &Call,
309 CheckerContext &C, bool IsCopy) const {
310 bool Symbolic;
311 const MemRegion *VAList =
312 getVAListAsRegion(Call.getArgSVal(0), Call.getArgExpr(0), Symbolic, C);
313 if (!VAList)
314 return;
315
316 ProgramStateRef State = C.getState();
317
318 if (IsCopy) {
319 const MemRegion *Arg2 =
320 getVAListAsRegion(Call.getArgSVal(1), Call.getArgExpr(1), Symbolic, C);
321 if (Arg2) {
322 if (ChecksEnabled[CK_CopyToSelf] && VAList == Arg2) {
323 RegionVector LeakedVALists{VAList};
324 if (ExplodedNode *N = C.addTransition(State))
325 reportLeakedVALists(LeakedVALists, "va_list",
326 " is copied onto itself", C, N, true);
327 return;
328 } else if (!State->contains<InitializedVALists>(Arg2) && !Symbolic) {
329 if (State->contains<InitializedVALists>(VAList)) {
330 State = State->remove<InitializedVALists>(VAList);
331 RegionVector LeakedVALists{VAList};
332 if (ExplodedNode *N = C.addTransition(State))
333 reportLeakedVALists(LeakedVALists, "Initialized va_list",
334 " is overwritten by an uninitialized one", C, N,
335 true);
336 } else {
337 reportUninitializedAccess(Arg2, "Uninitialized va_list is copied", C);
338 }
339 return;
340 }
341 }
342 }
343 if (State->contains<InitializedVALists>(VAList)) {
344 RegionVector LeakedVALists{VAList};
345 if (ExplodedNode *N = C.addTransition(State))
346 reportLeakedVALists(LeakedVALists, "Initialized va_list",
347 " is initialized again", C, N);
348 return;
349 }
350
351 State = State->add<InitializedVALists>(VAList);
352 C.addTransition(State);
353}
354
355void ValistChecker::checkVAListEndCall(const CallEvent &Call,
356 CheckerContext &C) const {
357 bool Symbolic;
358 const MemRegion *VAList =
359 getVAListAsRegion(Call.getArgSVal(0), Call.getArgExpr(0), Symbolic, C);
360 if (!VAList)
361 return;
362
363 // We did not see va_start call, but the source of the region is unknown.
364 // Be conservative and assume the best.
365 if (Symbolic)
366 return;
367
368 if (!C.getState()->contains<InitializedVALists>(VAList)) {
369 reportUninitializedAccess(
370 VAList, "va_end() is called on an uninitialized va_list", C);
371 return;
372 }
373 ProgramStateRef State = C.getState();
374 State = State->remove<InitializedVALists>(VAList);
375 C.addTransition(State);
376}
377
378PathDiagnosticPieceRef ValistChecker::ValistBugVisitor::VisitNode(
379 const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) {
380 ProgramStateRef State = N->getState();
381 ProgramStateRef StatePrev = N->getFirstPred()->getState();
382
383 const Stmt *S = N->getStmtForDiagnostics();
384 if (!S)
385 return nullptr;
386
387 StringRef Msg;
388 if (State->contains<InitializedVALists>(Reg) &&
389 !StatePrev->contains<InitializedVALists>(Reg))
390 Msg = "Initialized va_list";
391 else if (!State->contains<InitializedVALists>(Reg) &&
392 StatePrev->contains<InitializedVALists>(Reg))
393 Msg = "Ended va_list";
394
395 if (Msg.empty())
396 return nullptr;
397
398 PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
399 N->getLocationContext());
400 return std::make_shared<PathDiagnosticEventPiece>(Pos, Msg, true);
401}
402
403void ento::registerValistBase(CheckerManager &mgr) {
404 mgr.registerChecker<ValistChecker>();
405}
406
407bool ento::shouldRegisterValistBase(const CheckerManager &mgr) {
408 return true;
409}
410
411#define REGISTER_CHECKER(name) \
412 void ento::register##name##Checker(CheckerManager &mgr) { \
413 ValistChecker *checker = mgr.getChecker<ValistChecker>(); \
414 checker->ChecksEnabled[ValistChecker::CK_##name] = true; \
415 checker->CheckNames[ValistChecker::CK_##name] = \
416 mgr.getCurrentCheckerName(); \
417 } \
418 \
419 bool ento::shouldRegister##name##Checker(const CheckerManager &mgr) { \
420 return true; \
421 }
422
423REGISTER_CHECKER(Uninitialized)
424REGISTER_CHECKER(Unterminated)
425REGISTER_CHECKER(CopyToSelf)
X
#define X(type, name)
Definition: Value.h:142
REGISTER_SET_WITH_PROGRAMSTATE
#define REGISTER_SET_WITH_PROGRAMSTATE(Name, Elem)
Declares an immutable set of type NameTy, suitable for placement into the ProgramState.
Definition: ProgramStateTrait.h:112
getName
static std::string getName(const CallEvent &Call)
Definition: ReturnValueChecker.cpp:61
Uninitialized
@ Uninitialized
Definition: UninitializedValues.cpp:122
REGISTER_CHECKER
#define REGISTER_CHECKER(name)
Definition: ValistChecker.cpp:411
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::LocationContext::isParentOf
bool isParentOf(const LocationContext *LC) const
Definition: AnalysisDeclContext.cpp:476
clang::LocationContext::getDecl
const Decl * getDecl() const
Definition: AnalysisDeclContext.h:251
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:736
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84
clang::Type::isPointerType
bool isPointerType() const
Definition: Type.h:7033
clang::Type::getPointeeType
QualType getPointeeType() const
If this is a pointer, ObjC object pointer, or block pointer, this returns the respective pointee.
Definition: Type.cpp:651
clang::Type::isRecordType
bool isRecordType() const
Definition: Type.h:7123
clang::VAArgExpr
Represents a call to the builtin function __builtin_va_arg.
Definition: Expr.h:4689
clang::VAArgExpr::getSubExpr
const Expr * getSubExpr() const
Definition: Expr.h:4705
clang::ento::BugReport::getDescription
StringRef getDescription() const
A verbose warning message that is appropriate for displaying next to the source code that introduces ...
Definition: BugReporter.h:156
clang::ento::BugReporterContext::getSourceManager
const SourceManager & getSourceManager() const
Definition: BugReporter.h:721
clang::ento::BugReporterVisitor
BugReporterVisitors are used to add custom diagnostics along a path.
Definition: BugReporterVisitors.h:49
clang::ento::CallDescription
This class represents a description of a function call using the number of arguments and the name of ...
Definition: CallDescription.h:43
clang::ento::CallDescription::matches
bool matches(const CallEvent &Call) const
Returns true if the CallEvent is a call to a function that matches the CallDescription.
Definition: CallDescription.cpp:57
clang::ento::CallEvent
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:152
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::CheckerNameRef
This wrapper is used to ensure that only StringRefs originating from the CheckerRegistry are used as ...
Definition: CheckerManager.h:106
clang::ento::ExplodedNode::getState
const ProgramStateRef & getState() const
Definition: ExplodedGraph.h:169
clang::ento::ExplodedNode::pred_begin
pred_iterator pred_begin()
Definition: ExplodedGraph.h:238
clang::ento::ExplodedNode::getStmtForDiagnostics
const Stmt * getStmtForDiagnostics() const
If the node's program point corresponds to a statement, retrieve that statement.
Definition: ExplodedGraph.cpp:319
clang::ento::ExplodedNode::getLocationContext
const LocationContext * getLocationContext() const
Definition: ExplodedGraph.h:147
clang::ento::ExplodedNode::getFirstPred
ExplodedNode * getFirstPred()
Definition: ExplodedGraph.h:209
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96
clang::ento::MemRegion::getDescriptiveName
std::string getDescriptiveName(bool UseQuotes=true) const
Get descriptive name for memory region.
Definition: MemRegion.cpp:707
clang::ento::MemRegion::getBaseRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getBaseRegion() const
Definition: MemRegion.cpp:1335
clang::ento::MemRegion::getAs
const RegionTy * getAs() const
Definition: MemRegion.h:1383
clang::ento::PathDiagnosticLocation::createBegin
static PathDiagnosticLocation createBegin(const Decl *D, const SourceManager &SM)
Create a location for the beginning of the declaration.
Definition: PathDiagnostic.cpp:581
clang::ento::PathSensitiveBugReport::getLocation
PathDiagnosticLocation getLocation() const override
The primary location of the bug report that points at the undesirable behavior in the code.
Definition: BugReporter.cpp:2408
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:82
clang::ento::SubRegion::getSuperRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getSuperRegion() const
Definition: MemRegion.h:454
clang::ento::SymbolReaper
A class responsible for cleaning up unused symbols.
Definition: SymbolManager.h:573
clang::ento::SymbolReaper::isLiveRegion
bool isLiveRegion(const MemRegion *region)
Definition: SymbolManager.cpp:428
clang::ento::SymbolicRegion
SymbolicRegion - A special, "non-concrete" region.
Definition: MemRegion.h:775
clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition: PathDiagnostic.h:492
clang::interp::Cast
bool Cast(InterpState &S, CodePtr OpPC)
Definition: Interp.h:1557
Generated on Wed Dec 6 2023 11:09:33 for clang by doxygen 1.9.6