| Zhongxing Xu | ede7eb2 | 2009-11-09 13:23:31 +0000 | [diff] [blame] | 1 | //=== PointerArithChecker.cpp - Pointer arithmetic checker -----*- C++ -*--===// | 
 | 2 | // | 
 | 3 | //                     The LLVM Compiler Infrastructure | 
 | 4 | // | 
 | 5 | // This file is distributed under the University of Illinois Open Source | 
 | 6 | // License. See LICENSE.TXT for details. | 
 | 7 | // | 
 | 8 | //===----------------------------------------------------------------------===// | 
 | 9 | // | 
 | 10 | // This file defines PointerArithChecker, a builtin checker that checks for | 
 | 11 | // pointer arithmetic on locations other than array elements. | 
 | 12 | // | 
 | 13 | //===----------------------------------------------------------------------===// | 
 | 14 |  | 
| Argyrios Kyrtzidis | d2592a3 | 2010-12-22 18:53:44 +0000 | [diff] [blame^] | 15 | #include "ExprEngineInternalChecks.h" | 
| Argyrios Kyrtzidis | 98cabba | 2010-12-22 18:51:49 +0000 | [diff] [blame] | 16 | #include "clang/GR/BugReporter/BugType.h" | 
 | 17 | #include "clang/GR/PathSensitive/CheckerVisitor.h" | 
| Zhongxing Xu | ede7eb2 | 2009-11-09 13:23:31 +0000 | [diff] [blame] | 18 |  | 
 | 19 | using namespace clang; | 
| Argyrios Kyrtzidis | 5a4f98f | 2010-12-22 18:53:20 +0000 | [diff] [blame] | 20 | using namespace GR; | 
| Zhongxing Xu | ede7eb2 | 2009-11-09 13:23:31 +0000 | [diff] [blame] | 21 |  | 
namespace {
/// Checker that flags pointer arithmetic whose base is a location other than
/// an array element. Arithmetic of that kind depends on how the compiler lays
/// out memory, so the resulting pointer is not guaranteed to refer to a valid
/// object.
class PointerArithChecker : public CheckerVisitor<PointerArithChecker> {
public:
  /// The bug type starts out null; it is created on the first report.
  PointerArithChecker() : BT(0) {}

  /// Returns the address of a function-local static.
  /// NOTE(review): presumably the engine uses this address as the checker's
  /// identity tag -- confirm against CheckerVisitor.
  static void *getTag();

  /// Callback run before a binary operator is evaluated; emits a report when
  /// an addition or subtraction is applied to a non-array location.
  void PreVisitBinaryOperator(CheckerContext &C, const BinaryOperator *B);

private:
  // Shared bug type for all reports from this checker. Allocated lazily in
  // PreVisitBinaryOperator and never freed by this class.
  BuiltinBug *BT;
};
} // end anonymous namespace
 | 32 |  | 
/// Returns a pointer that is the same on every call: the address of a
/// function-local static that is never read or written.
void *PointerArithChecker::getTag() {
  // Only the address matters; the stored value is irrelevant.
  static int Tag;
  void *const Address = &Tag;
  return Address;
}
 | 37 |  | 
/// Reports `ptr + k` / `ptr - k` when `ptr` evaluates to a variable, code-text
/// or compound-literal region and `k` is a constant.
///
/// Coverage limits visible in this function:
///  - only BO_Add and BO_Sub are examined; every other opcode is ignored;
///  - only the left operand is looked up as a region, so an expression with
///    the pointer on the right (`1 + &x`) is not reported;
///  - a non-constant right operand suppresses the report.
/// NOTE(review): confirm these gaps are intentional before relying on this
/// checker as the sole detector for out-of-object pointer arithmetic.
///
/// \param C  Checker context supplying the current state and report sink.
/// \param B  The binary operator about to be evaluated.
void PointerArithChecker::PreVisitBinaryOperator(CheckerContext &C,
                                                 const BinaryOperator *B) {
  // Additive operators are the only ones of interest here.
  switch (B->getOpcode()) {
  case BO_Add:
  case BO_Sub:
    break;
  default:
    return;
  }

  const GRState *St = C.getState();
  SVal LHSVal = St->getSVal(B->getLHS());
  SVal RHSVal = St->getSVal(B->getRHS());

  // The left operand must resolve to a memory region ...
  const MemRegion *Base = LHSVal.getAsRegion();
  if (!Base)
    return;

  // ... and the right operand must be a constant.
  if (!RHSVal.isConstant())
    return;

  // Arithmetic on a pointer to something that is not an array element relies
  // on how objects happen to be laid out in memory, which is dangerous.
  const bool BaseIsNotArrayElement = isa<VarRegion>(Base) ||
                                     isa<CodeTextRegion>(Base) ||
                                     isa<CompoundLiteralRegion>(Base);
  if (!BaseIsNotArrayElement)
    return;

  // No node means there is nothing to attach a report to.
  ExplodedNode *N = C.generateNode();
  if (!N)
    return;

  // Create the bug type on first use and reuse it for later reports.
  if (!BT)
    BT = new BuiltinBug("Dangerous pointer arithmetic",
                        "Pointer arithmetic done on non-array variables "
                        "means reliance on memory layout, which is "
                        "dangerous.");

  RangedBugReport *Report = new RangedBugReport(*BT, BT->getDescription(), N);
  Report->addRange(B->getSourceRange());
  C.EmitReport(Report);
}
 | 69 |  | 
/// Creates a PointerArithChecker and registers it with the given engine.
///
/// \param Eng  Engine that receives the new checker instance.
void GR::RegisterPointerArithChecker(ExprEngine &Eng) {
  // NOTE(review): the checker is heap-allocated and handed to the engine;
  // presumably the engine owns it from here on -- confirm in registerCheck.
  PointerArithChecker *Checker = new PointerArithChecker();
  Eng.registerCheck(Checker);
}