Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/ArrayBoundChecker.cpp
35266 views
1
//== ArrayBoundChecker.cpp ------------------------------*- C++ -*--==//

2
//

3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

4
// See https://llvm.org/LICENSE.txt for license information.

5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

6
//

7
//===----------------------------------------------------------------------===//

8
//

9
// This file defines ArrayBoundChecker, which is a path-sensitive check

10
// which looks for an out-of-bound array element access.

11
//

12
//===----------------------------------------------------------------------===//

13


14
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

15
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

16
#include "clang/StaticAnalyzer/Core/Checker.h"

17
#include "clang/StaticAnalyzer/Core/CheckerManager.h"

18
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

19
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"

20
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"

21


22
using namespace clang;

23
using namespace ento;

24


25
namespace {

26
class ArrayBoundChecker :

27
    public Checker<check::Location> {

28
  const BugType BT{this, "Out-of-bound array access"};

29


30
public:

31
  void checkLocation(SVal l, bool isLoad, const Stmt* S,

32
                     CheckerContext &C) const;

33
};

34
}

35


36
void ArrayBoundChecker::checkLocation(SVal l, bool isLoad, const Stmt* LoadS,

37
                                      CheckerContext &C) const {

38
  // Check for out of bound array element access.

39
  const MemRegion *R = l.getAsRegion();

40
  if (!R)

41
    return;

42


43
  const ElementRegion *ER = dyn_cast<ElementRegion>(R);

44
  if (!ER)

45
    return;

46


47
  // Get the index of the accessed element.

48
  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();

49


50
  // Zero index is always in bound, this also passes ElementRegions created for

51
  // pointer casts.

52
  if (Idx.isZeroConstant())

53
    return;

54


55
  ProgramStateRef state = C.getState();

56


57
  // Get the size of the array.

58
  DefinedOrUnknownSVal ElementCount = getDynamicElementCount(

59
      state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());

60


61
  ProgramStateRef StInBound, StOutBound;

62
  std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, ElementCount);

63
  if (StOutBound && !StInBound) {

64
    ExplodedNode *N = C.generateErrorNode(StOutBound);

65
    if (!N)

66
      return;

67


68
    // FIXME: It would be nice to eventually make this diagnostic more clear,

69
    // e.g., by referencing the original declaration or by saying *why* this

70
    // reference is outside the range.

71


72
    // Generate a report for this bug.

73
    auto report = std::make_unique<PathSensitiveBugReport>(

74
        BT, "Access out-of-bound array element (buffer overflow)", N);

75


76
    report->addRange(LoadS->getSourceRange());

77
    C.emitReport(std::move(report));

78
    return;

79
  }

80


81
  // Array bound check succeeded.  From this point forward the array bound

82
  // should always succeed.

83
  C.addTransition(StInBound);

84
}

85


86
void ento::registerArrayBoundChecker(CheckerManager &mgr) {

87
  mgr.registerChecker<ArrayBoundChecker>();

88
}

89


90
bool ento::shouldRegisterArrayBoundChecker(const CheckerManager &mgr) {

91
  return true;

92
}

93


94