clang  3.7.0
ObjCContainersChecker.cpp
Go to the documentation of this file.
1 //== ObjCContainersChecker.cpp - Path sensitive checker for CFArray *- C++ -*=//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // Performs path sensitive checks of Core Foundation static containers like
11 // CFArray.
12 // 1) Check for buffer overflows:
13 // In CFArrayGetArrayAtIndex( myArray, index), if the index is outside the
14 // index space of theArray (0 to N-1 inclusive (where N is the count of
15 // theArray), the behavior is undefined.
16 //
17 //===----------------------------------------------------------------------===//
18 
19 #include "ClangSACheckers.h"
20 #include "clang/AST/ParentMap.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 namespace {
31 class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>,
32  check::PostStmt<CallExpr>,
33  check::PointerEscape> {
34  mutable std::unique_ptr<BugType> BT;
35  inline void initBugType() const {
36  if (!BT)
37  BT.reset(new BugType(this, "CFArray API",
39  }
40 
41  inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const {
42  SVal ArrayRef = C.getState()->getSVal(E, C.getLocationContext());
43  SymbolRef ArraySym = ArrayRef.getAsSymbol();
44  return ArraySym;
45  }
46 
47  void addSizeInfo(const Expr *Array, const Expr *Size,
48  CheckerContext &C) const;
49 
50 public:
51  /// A tag to id this checker.
52  static void *getTag() { static int Tag; return &Tag; }
53 
54  void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
55  void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
56  ProgramStateRef checkPointerEscape(ProgramStateRef State,
57  const InvalidatedSymbols &Escaped,
58  const CallEvent *Call,
59  PointerEscapeKind Kind) const;
60 };
61 } // end anonymous namespace
62 
63 // ProgramState trait - a map from array symbol to its state.
65 
66 void ObjCContainersChecker::addSizeInfo(const Expr *Array, const Expr *Size,
67  CheckerContext &C) const {
68  ProgramStateRef State = C.getState();
69  SVal SizeV = State->getSVal(Size, C.getLocationContext());
70  // Undefined is reported by another checker.
71  if (SizeV.isUnknownOrUndef())
72  return;
73 
74  // Get the ArrayRef symbol.
75  SVal ArrayRef = State->getSVal(Array, C.getLocationContext());
76  SymbolRef ArraySym = ArrayRef.getAsSymbol();
77  if (!ArraySym)
78  return;
79 
80  C.addTransition(
81  State->set<ArraySizeMap>(ArraySym, SizeV.castAs<DefinedSVal>()));
82  return;
83 }
84 
85 void ObjCContainersChecker::checkPostStmt(const CallExpr *CE,
86  CheckerContext &C) const {
87  StringRef Name = C.getCalleeName(CE);
88  if (Name.empty() || CE->getNumArgs() < 1)
89  return;
90 
91  // Add array size information to the state.
92  if (Name.equals("CFArrayCreate")) {
93  if (CE->getNumArgs() < 3)
94  return;
95  // Note, we can visit the Create method in the post-visit because
96  // the CFIndex parameter is passed in by value and will not be invalidated
97  // by the call.
98  addSizeInfo(CE, CE->getArg(2), C);
99  return;
100  }
101 
102  if (Name.equals("CFArrayGetCount")) {
103  addSizeInfo(CE->getArg(0), CE, C);
104  return;
105  }
106 }
107 
108 void ObjCContainersChecker::checkPreStmt(const CallExpr *CE,
109  CheckerContext &C) const {
110  StringRef Name = C.getCalleeName(CE);
111  if (Name.empty() || CE->getNumArgs() < 2)
112  return;
113 
114  // Check the array access.
115  if (Name.equals("CFArrayGetValueAtIndex")) {
116  ProgramStateRef State = C.getState();
117  // Retrieve the size.
118  // Find out if we saw this array symbol before and have information about
119  // it.
120  const Expr *ArrayExpr = CE->getArg(0);
121  SymbolRef ArraySym = getArraySym(ArrayExpr, C);
122  if (!ArraySym)
123  return;
124 
125  const DefinedSVal *Size = State->get<ArraySizeMap>(ArraySym);
126 
127  if (!Size)
128  return;
129 
130  // Get the index.
131  const Expr *IdxExpr = CE->getArg(1);
132  SVal IdxVal = State->getSVal(IdxExpr, C.getLocationContext());
133  if (IdxVal.isUnknownOrUndef())
134  return;
135  DefinedSVal Idx = IdxVal.castAs<DefinedSVal>();
136 
137  // Now, check if 'Idx in [0, Size-1]'.
138  const QualType T = IdxExpr->getType();
139  ProgramStateRef StInBound = State->assumeInBound(Idx, *Size, true, T);
140  ProgramStateRef StOutBound = State->assumeInBound(Idx, *Size, false, T);
141  if (StOutBound && !StInBound) {
142  ExplodedNode *N = C.generateSink(StOutBound);
143  if (!N)
144  return;
145  initBugType();
146  auto R = llvm::make_unique<BugReport>(*BT, "Index is out of bounds", N);
147  R->addRange(IdxExpr->getSourceRange());
148  C.emitReport(std::move(R));
149  return;
150  }
151  }
152 }
153 
155 ObjCContainersChecker::checkPointerEscape(ProgramStateRef State,
156  const InvalidatedSymbols &Escaped,
157  const CallEvent *Call,
158  PointerEscapeKind Kind) const {
159  for (InvalidatedSymbols::const_iterator I = Escaped.begin(),
160  E = Escaped.end();
161  I != E; ++I) {
162  SymbolRef Sym = *I;
163  // When a symbol for a mutable array escapes, we can't reason precisely
164  // about its size any more -- so remove it from the map.
165  // Note that we aren't notified here when a CFMutableArrayRef escapes as a
166  // CFArrayRef. This is because CFArrayRef is typedef'd as a pointer to a
167  // const-qualified type.
168  State = State->remove<ArraySizeMap>(Sym);
169  }
170  return State;
171 }
172 /// Register checker.
173 void ento::registerObjCContainersChecker(CheckerManager &mgr) {
174  mgr.registerChecker<ObjCContainersChecker>();
175 }
const char *const CoreFoundationObjectiveC
StringRef getCalleeName(const FunctionDecl *FunDecl) const
Get the name of the called function (path-sensitive).
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2216
Symbolic value. These values used to capture symbolic execution of the program.
Definition: SymbolManager.h:42
LineState State
bool isUnknownOrUndef() const
Definition: SVals.h:125
ExplodedNode * generateSink(ProgramStateRef State=nullptr, ExplodedNode *Pred=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a sink node. Generating a sink stops exploration of the given path.
const ProgramStateRef & getState() const
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
Kind
CHECKER * registerChecker()
Used to register checkers.
REGISTER_MAP_WITH_PROGRAMSTATE(AllocatedData, SymbolRef, MacOSKeychainAPIChecker::AllocationState) static bool isEnclosingFunctionParam(const Expr *E)
QualType getType() const
Definition: Expr.h:125
unsigned getNumArgs() const
Definition: Expr.h:2205
Represents an abstract call to a function or method along a particular path.
Definition: CallEvent.h:113
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef. Otherwise, return 0.
Definition: SVals.cpp:111
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:75
const LocationContext * getLocationContext() const