1 //== ObjCContainersChecker.cpp - Path sensitive checker for CFArray *- C++ -*=// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // Performs path sensitive checks of Core Foundation static containers like 11 // CFArray. 12 // 1) Check for buffer overflows: 13 // In CFArrayGetArrayAtIndex( myArray, index), if the index is outside the 14 // index space of theArray (0 to N-1 inclusive (where N is the count of 15 // theArray), the behavior is undefined. 16 // 17 //===----------------------------------------------------------------------===// 18 19 #include "ClangSACheckers.h" 20 #include "clang/AST/ParentMap.h" 21 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 22 #include "clang/StaticAnalyzer/Core/Checker.h" 23 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 26 27 using namespace clang; 28 using namespace ento; 29 30 namespace { 31 class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>, 32 check::PostStmt<CallExpr> > { 33 mutable OwningPtr<BugType> BT; 34 inline void initBugType() const { 35 if (!BT) 36 BT.reset(new BugType("CFArray API", 37 categories::CoreFoundationObjectiveC)); 38 } 39 40 inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const { 41 SVal ArrayRef = C.getState()->getSVal(E, C.getLocationContext()); 42 SymbolRef ArraySym = ArrayRef.getAsSymbol(); 43 return ArraySym; 44 } 45 46 void addSizeInfo(const Expr *Array, const Expr *Size, 47 CheckerContext &C) const; 48 49 public: 50 /// A tag to id this checker. 51 static void *getTag() { static int Tag; return &Tag; } 52 53 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 54 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; 55 }; 56 } // end anonymous namespace 57 58 // ProgramState trait - a map from array symbol to its state. 59 REGISTER_MAP_WITH_PROGRAMSTATE(ArraySizeMap, SymbolRef, DefinedSVal) 60 61 void ObjCContainersChecker::addSizeInfo(const Expr *Array, const Expr *Size, 62 CheckerContext &C) const { 63 ProgramStateRef State = C.getState(); 64 SVal SizeV = State->getSVal(Size, C.getLocationContext()); 65 // Undefined is reported by another checker. 66 if (SizeV.isUnknownOrUndef()) 67 return; 68 69 // Get the ArrayRef symbol. 70 SVal ArrayRef = State->getSVal(Array, C.getLocationContext()); 71 SymbolRef ArraySym = ArrayRef.getAsSymbol(); 72 if (!ArraySym) 73 return; 74 75 C.addTransition( 76 State->set<ArraySizeMap>(ArraySym, SizeV.castAs<DefinedSVal>())); 77 return; 78 } 79 80 void ObjCContainersChecker::checkPostStmt(const CallExpr *CE, 81 CheckerContext &C) const { 82 StringRef Name = C.getCalleeName(CE); 83 if (Name.empty() || CE->getNumArgs() < 1) 84 return; 85 86 // Add array size information to the state. 87 if (Name.equals("CFArrayCreate")) { 88 if (CE->getNumArgs() < 3) 89 return; 90 // Note, we can visit the Create method in the post-visit because 91 // the CFIndex parameter is passed in by value and will not be invalidated 92 // by the call. 93 addSizeInfo(CE, CE->getArg(2), C); 94 return; 95 } 96 97 if (Name.equals("CFArrayGetCount")) { 98 addSizeInfo(CE->getArg(0), CE, C); 99 return; 100 } 101 } 102 103 void ObjCContainersChecker::checkPreStmt(const CallExpr *CE, 104 CheckerContext &C) const { 105 StringRef Name = C.getCalleeName(CE); 106 if (Name.empty() || CE->getNumArgs() < 2) 107 return; 108 109 // Check the array access. 110 if (Name.equals("CFArrayGetValueAtIndex")) { 111 ProgramStateRef State = C.getState(); 112 // Retrieve the size. 113 // Find out if we saw this array symbol before and have information about it. 114 const Expr *ArrayExpr = CE->getArg(0); 115 SymbolRef ArraySym = getArraySym(ArrayExpr, C); 116 if (!ArraySym) 117 return; 118 119 const DefinedSVal *Size = State->get<ArraySizeMap>(ArraySym); 120 121 if (!Size) 122 return; 123 124 // Get the index. 125 const Expr *IdxExpr = CE->getArg(1); 126 SVal IdxVal = State->getSVal(IdxExpr, C.getLocationContext()); 127 if (IdxVal.isUnknownOrUndef()) 128 return; 129 DefinedSVal Idx = IdxVal.castAs<DefinedSVal>(); 130 131 // Now, check if 'Idx in [0, Size-1]'. 132 const QualType T = IdxExpr->getType(); 133 ProgramStateRef StInBound = State->assumeInBound(Idx, *Size, true, T); 134 ProgramStateRef StOutBound = State->assumeInBound(Idx, *Size, false, T); 135 if (StOutBound && !StInBound) { 136 ExplodedNode *N = C.generateSink(StOutBound); 137 if (!N) 138 return; 139 initBugType(); 140 BugReport *R = new BugReport(*BT, "Index is out of bounds", N); 141 R->addRange(IdxExpr->getSourceRange()); 142 C.emitReport(R); 143 return; 144 } 145 } 146 } 147 148 /// Register checker. 149 void ento::registerObjCContainersChecker(CheckerManager &mgr) { 150 mgr.registerChecker<ObjCContainersChecker>(); 151 } 152
