clang  10.0.0git
ObjCContainersChecker.cpp
Go to the documentation of this file.
1 //== ObjCContainersChecker.cpp - Path sensitive checker for CFArray *- C++ -*=//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // Performs path sensitive checks of Core Foundation static containers like
10 // CFArray.
11 // 1) Check for buffer overflows:
12 // In CFArrayGetArrayAtIndex( myArray, index), if the index is outside the
13 // index space of theArray (0 to N-1 inclusive (where N is the count of
14 // theArray), the behavior is undefined.
15 //
16 //===----------------------------------------------------------------------===//
17 
19 #include "clang/AST/ParentMap.h"
25 
26 using namespace clang;
27 using namespace ento;
28 
29 namespace {
30 class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>,
31  check::PostStmt<CallExpr>,
32  check::PointerEscape> {
33  mutable std::unique_ptr<BugType> BT;
34  inline void initBugType() const {
35  if (!BT)
36  BT.reset(new BugType(this, "CFArray API",
38  }
39 
40  inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const {
41  SVal ArrayRef = C.getSVal(E);
42  SymbolRef ArraySym = ArrayRef.getAsSymbol();
43  return ArraySym;
44  }
45 
46  void addSizeInfo(const Expr *Array, const Expr *Size,
47  CheckerContext &C) const;
48 
49 public:
50  /// A tag to id this checker.
51  static void *getTag() { static int Tag; return &Tag; }
52 
53  void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
54  void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
55  ProgramStateRef checkPointerEscape(ProgramStateRef State,
56  const InvalidatedSymbols &Escaped,
57  const CallEvent *Call,
58  PointerEscapeKind Kind) const;
59 
60  void printState(raw_ostream &OS, ProgramStateRef State,
61  const char *NL, const char *Sep) const;
62 };
63 } // end anonymous namespace
64 
65 // ProgramState trait - a map from array symbol to its state.
66 REGISTER_MAP_WITH_PROGRAMSTATE(ArraySizeMap, SymbolRef, DefinedSVal)
67 
68 void ObjCContainersChecker::addSizeInfo(const Expr *Array, const Expr *Size,
69  CheckerContext &C) const {
70  ProgramStateRef State = C.getState();
71  SVal SizeV = C.getSVal(Size);
72  // Undefined is reported by another checker.
73  if (SizeV.isUnknownOrUndef())
74  return;
75 
76  // Get the ArrayRef symbol.
77  SVal ArrayRef = C.getSVal(Array);
78  SymbolRef ArraySym = ArrayRef.getAsSymbol();
79  if (!ArraySym)
80  return;
81 
82  C.addTransition(
83  State->set<ArraySizeMap>(ArraySym, SizeV.castAs<DefinedSVal>()));
84 }
85 
86 void ObjCContainersChecker::checkPostStmt(const CallExpr *CE,
87  CheckerContext &C) const {
88  StringRef Name = C.getCalleeName(CE);
89  if (Name.empty() || CE->getNumArgs() < 1)
90  return;
91 
92  // Add array size information to the state.
93  if (Name.equals("CFArrayCreate")) {
94  if (CE->getNumArgs() < 3)
95  return;
96  // Note, we can visit the Create method in the post-visit because
97  // the CFIndex parameter is passed in by value and will not be invalidated
98  // by the call.
99  addSizeInfo(CE, CE->getArg(2), C);
100  return;
101  }
102 
103  if (Name.equals("CFArrayGetCount")) {
104  addSizeInfo(CE->getArg(0), CE, C);
105  return;
106  }
107 }
108 
109 void ObjCContainersChecker::checkPreStmt(const CallExpr *CE,
110  CheckerContext &C) const {
111  StringRef Name = C.getCalleeName(CE);
112  if (Name.empty() || CE->getNumArgs() < 2)
113  return;
114 
115  // Check the array access.
116  if (Name.equals("CFArrayGetValueAtIndex")) {
117  ProgramStateRef State = C.getState();
118  // Retrieve the size.
119  // Find out if we saw this array symbol before and have information about
120  // it.
121  const Expr *ArrayExpr = CE->getArg(0);
122  SymbolRef ArraySym = getArraySym(ArrayExpr, C);
123  if (!ArraySym)
124  return;
125 
126  const DefinedSVal *Size = State->get<ArraySizeMap>(ArraySym);
127 
128  if (!Size)
129  return;
130 
131  // Get the index.
132  const Expr *IdxExpr = CE->getArg(1);
133  SVal IdxVal = C.getSVal(IdxExpr);
134  if (IdxVal.isUnknownOrUndef())
135  return;
136  DefinedSVal Idx = IdxVal.castAs<DefinedSVal>();
137 
138  // Now, check if 'Idx in [0, Size-1]'.
139  const QualType T = IdxExpr->getType();
140  ProgramStateRef StInBound = State->assumeInBound(Idx, *Size, true, T);
141  ProgramStateRef StOutBound = State->assumeInBound(Idx, *Size, false, T);
142  if (StOutBound && !StInBound) {
143  ExplodedNode *N = C.generateErrorNode(StOutBound);
144  if (!N)
145  return;
146  initBugType();
147  auto R = std::make_unique<PathSensitiveBugReport>(
148  *BT, "Index is out of bounds", N);
149  R->addRange(IdxExpr->getSourceRange());
150  bugreporter::trackExpressionValue(
151  N, IdxExpr, *R, bugreporter::TrackingKind::Thorough, false);
152  C.emitReport(std::move(R));
153  return;
154  }
155  }
156 }
157 
159 ObjCContainersChecker::checkPointerEscape(ProgramStateRef State,
160  const InvalidatedSymbols &Escaped,
161  const CallEvent *Call,
162  PointerEscapeKind Kind) const {
163  for (const auto &Sym : Escaped) {
164  // When a symbol for a mutable array escapes, we can't reason precisely
165  // about its size any more -- so remove it from the map.
166  // Note that we aren't notified here when a CFMutableArrayRef escapes as a
167  // CFArrayRef. This is because CFArrayRef is typedef'd as a pointer to a
168  // const-qualified type.
169  State = State->remove<ArraySizeMap>(Sym);
170  }
171  return State;
172 }
173 
174 void ObjCContainersChecker::printState(raw_ostream &OS, ProgramStateRef State,
175  const char *NL, const char *Sep) const {
176  ArraySizeMapTy Map = State->get<ArraySizeMap>();
177  if (Map.isEmpty())
178  return;
179 
180  OS << Sep << "ObjC container sizes :" << NL;
181  for (auto I : Map) {
182  OS << I.first << " : " << I.second << NL;
183  }
184 }
185 
186 /// Register checker.
187 void ento::registerObjCContainersChecker(CheckerManager &mgr) {
188  mgr.registerChecker<ObjCContainersChecker>();
189 }
190 
191 bool ento::shouldRegisterObjCContainersChecker(const LangOptions &LO) {
192  return true;
193 }
const char *const CoreFoundationObjectiveC
A (possibly-)qualified type.
Definition: Type.h:654
Expr * getArg(unsigned Arg)
getArg - Return the specified argument.
Definition: Expr.h:2702
llvm::DenseSet< SymbolRef > InvalidatedSymbols
Definition: Store.h:51
unsigned getNumArgs() const
getNumArgs - Return the number of actual arguments to this call.
Definition: Expr.h:2689
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
const SymExpr * SymbolRef
Definition: SymExpr.h:110
LineState State
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:53
This represents one expression.
Definition: Expr.h:108
QualType getType() const
Definition: Expr.h:137
Kind
#define REGISTER_MAP_WITH_PROGRAMSTATE(Name, Key, Value)
Declares an immutable map of type NameTy, suitable for placement into the ProgramState.
Dataflow Directional Tag Classes.
PointerEscapeKind
Describes the different reasons a pointer escapes during analysis.
Indicates that the tracking object is a descendant of a referenced-counted OSObject, used in the Darwin kernel.
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:263
CallExpr - Represents a function call (C99 6.5.2.2, C++ [expr.call]).
Definition: Expr.h:2546