1 //== ObjCContainersChecker.cpp - Path sensitive checker for CFArray *- C++ -*=// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // Performs path sensitive checks of Core Foundation static containers like 11 // CFArray. 12 // 1) Check for buffer overflows: 13 // In CFArrayGetArrayAtIndex( myArray, index), if the index is outside the 14 // index space of theArray (0 to N-1 inclusive (where N is the count of 15 // theArray), the behavior is undefined. 16 // 17 //===----------------------------------------------------------------------===// 18 19 #include "ClangSACheckers.h" 20 #include "clang/AST/ParentMap.h" 21 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 22 #include "clang/StaticAnalyzer/Core/Checker.h" 23 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 25 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 26 27 using namespace clang; 28 using namespace ento; 29 30 namespace { 31 class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>, 32 check::PostStmt<CallExpr>, 33 check::PointerEscape> { 34 mutable std::unique_ptr<BugType> BT; 35 inline void initBugType() const { 36 if (!BT) 37 BT.reset(new BugType(this, "CFArray API", 38 categories::CoreFoundationObjectiveC)); 39 } 40 41 inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const { 42 SVal ArrayRef = C.getState()->getSVal(E, C.getLocationContext()); 43 SymbolRef ArraySym = ArrayRef.getAsSymbol(); 44 return ArraySym; 45 } 46 47 void addSizeInfo(const Expr *Array, const Expr *Size, 48 CheckerContext &C) const; 49 50 public: 51 /// A tag to id this checker. 52 static void *getTag() { static int Tag; return &Tag; } 53 54 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 55 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; 56 ProgramStateRef checkPointerEscape(ProgramStateRef State, 57 const InvalidatedSymbols &Escaped, 58 const CallEvent *Call, 59 PointerEscapeKind Kind) const; 60 }; 61 } // end anonymous namespace 62 63 // ProgramState trait - a map from array symbol to its state. 64 REGISTER_MAP_WITH_PROGRAMSTATE(ArraySizeMap, SymbolRef, DefinedSVal) 65 66 void ObjCContainersChecker::addSizeInfo(const Expr *Array, const Expr *Size, 67 CheckerContext &C) const { 68 ProgramStateRef State = C.getState(); 69 SVal SizeV = State->getSVal(Size, C.getLocationContext()); 70 // Undefined is reported by another checker. 71 if (SizeV.isUnknownOrUndef()) 72 return; 73 74 // Get the ArrayRef symbol. 75 SVal ArrayRef = State->getSVal(Array, C.getLocationContext()); 76 SymbolRef ArraySym = ArrayRef.getAsSymbol(); 77 if (!ArraySym) 78 return; 79 80 C.addTransition( 81 State->set<ArraySizeMap>(ArraySym, SizeV.castAs<DefinedSVal>())); 82 return; 83 } 84 85 void ObjCContainersChecker::checkPostStmt(const CallExpr *CE, 86 CheckerContext &C) const { 87 StringRef Name = C.getCalleeName(CE); 88 if (Name.empty() || CE->getNumArgs() < 1) 89 return; 90 91 // Add array size information to the state. 92 if (Name.equals("CFArrayCreate")) { 93 if (CE->getNumArgs() < 3) 94 return; 95 // Note, we can visit the Create method in the post-visit because 96 // the CFIndex parameter is passed in by value and will not be invalidated 97 // by the call. 98 addSizeInfo(CE, CE->getArg(2), C); 99 return; 100 } 101 102 if (Name.equals("CFArrayGetCount")) { 103 addSizeInfo(CE->getArg(0), CE, C); 104 return; 105 } 106 } 107 108 void ObjCContainersChecker::checkPreStmt(const CallExpr *CE, 109 CheckerContext &C) const { 110 StringRef Name = C.getCalleeName(CE); 111 if (Name.empty() || CE->getNumArgs() < 2) 112 return; 113 114 // Check the array access. 115 if (Name.equals("CFArrayGetValueAtIndex")) { 116 ProgramStateRef State = C.getState(); 117 // Retrieve the size. 118 // Find out if we saw this array symbol before and have information about 119 // it. 120 const Expr *ArrayExpr = CE->getArg(0); 121 SymbolRef ArraySym = getArraySym(ArrayExpr, C); 122 if (!ArraySym) 123 return; 124 125 const DefinedSVal *Size = State->get<ArraySizeMap>(ArraySym); 126 127 if (!Size) 128 return; 129 130 // Get the index. 131 const Expr *IdxExpr = CE->getArg(1); 132 SVal IdxVal = State->getSVal(IdxExpr, C.getLocationContext()); 133 if (IdxVal.isUnknownOrUndef()) 134 return; 135 DefinedSVal Idx = IdxVal.castAs<DefinedSVal>(); 136 137 // Now, check if 'Idx in [0, Size-1]'. 138 const QualType T = IdxExpr->getType(); 139 ProgramStateRef StInBound = State->assumeInBound(Idx, *Size, true, T); 140 ProgramStateRef StOutBound = State->assumeInBound(Idx, *Size, false, T); 141 if (StOutBound && !StInBound) { 142 ExplodedNode *N = C.generateErrorNode(StOutBound); 143 if (!N) 144 return; 145 initBugType(); 146 auto R = llvm::make_unique<BugReport>(*BT, "Index is out of bounds", N); 147 R->addRange(IdxExpr->getSourceRange()); 148 C.emitReport(std::move(R)); 149 return; 150 } 151 } 152 } 153 154 ProgramStateRef 155 ObjCContainersChecker::checkPointerEscape(ProgramStateRef State, 156 const InvalidatedSymbols &Escaped, 157 const CallEvent *Call, 158 PointerEscapeKind Kind) const { 159 for (InvalidatedSymbols::const_iterator I = Escaped.begin(), 160 E = Escaped.end(); 161 I != E; ++I) { 162 SymbolRef Sym = *I; 163 // When a symbol for a mutable array escapes, we can't reason precisely 164 // about its size any more -- so remove it from the map. 165 // Note that we aren't notified here when a CFMutableArrayRef escapes as a 166 // CFArrayRef. This is because CFArrayRef is typedef'd as a pointer to a 167 // const-qualified type. 168 State = State->remove<ArraySizeMap>(Sym); 169 } 170 return State; 171 } 172 /// Register checker. 173 void ento::registerObjCContainersChecker(CheckerManager &mgr) { 174 mgr.registerChecker<ObjCContainersChecker>(); 175 } 176
