Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / clang / 4f3dc698a1bbeea16155e51dfc7d0f69ff689598^! / . / lib / Analysis
commit4f3dc698a1bbeea16155e51dfc7d0f69ff689598[log] [tgz]
authorZhongxing Xu <xuzhongxing@gmail.com>Mon Nov 09 08:07:38 2009 +0000
committerZhongxing Xu <xuzhongxing@gmail.com>Mon Nov 09 08:07:38 2009 +0000
treefbcb706badb2dfb55b585650186a4dfe520f96b1
parent2900ca37218a80c6e42b41c0076235276027f320 [diff]
Add checker for CWE-588: Attempt to Access Child of a Non-structure Pointer.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86529 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/Analysis/CastToStructChecker.cpp b/lib/Analysis/CastToStructChecker.cpp
new file mode 100644
index 0000000..5d0110e
--- /dev/null
+++ b/lib/Analysis/CastToStructChecker.cpp

@@ -0,0 +1,78 @@
+//=== CastToStructChecker.cpp - Fixed address usage checker ----*- C++ -*--===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This files defines CastToStructChecker, a builtin checker that checks for
+// assignment of a fixed address to a pointer.
+// This check corresponds to CWE-588.
+//
+//===----------------------------------------------------------------------===//
+
+#include "clang/Analysis/PathSensitive/CheckerVisitor.h"
+#include "GRExprEngineInternalChecks.h"
+
+using namespace clang;
+
+namespace {
+class VISIBILITY_HIDDEN CastToStructChecker 
+  : public CheckerVisitor<CastToStructChecker> {
+  BuiltinBug *BT;
+public:
+  CastToStructChecker() : BT(0) {}
+  static void *getTag();
+  void PreVisitCastExpr(CheckerContext &C, const CastExpr *B);
+};
+}
+
+void *CastToStructChecker::getTag() {
+  static int x;
+  return &x;
+}
+
+void CastToStructChecker::PreVisitCastExpr(CheckerContext &C,
+                                           const CastExpr *CE) {
+  const Expr *E = CE->getSubExpr();
+  ASTContext &Ctx = C.getASTContext();
+  QualType OrigTy = Ctx.getCanonicalType(E->getType());
+  QualType ToTy = Ctx.getCanonicalType(CE->getType());
+
+  PointerType *OrigPTy = dyn_cast<PointerType>(OrigTy.getTypePtr());
+  PointerType *ToPTy = dyn_cast<PointerType>(ToTy.getTypePtr());
+
+  if (!ToPTy || !OrigPTy)
+    return;
+
+  QualType OrigPointeeTy = OrigPTy->getPointeeType();
+  QualType ToPointeeTy = ToPTy->getPointeeType();
+
+  if (!ToPointeeTy->isRecordType())
+    return;
+
+  // We allow cast from void*.
+  if (OrigPointeeTy->isVoidType())
+    return;
+
+  // Now the cast-to-type is struct pointer, the original type is not void*.
+  if (!OrigPointeeTy->isRecordType()) {
+    if (ExplodedNode *N = C.GenerateNode(CE)) {
+      if (!BT)
+        BT = new BuiltinBug("Cast from non-struct type to struct type",
+                            "Casting a non-structure type to a structure type "
+                            "and accessing a field can lead to memory access "
+                            "errors or data corruption.");
+      RangedBugReport *R = new RangedBugReport(*BT,BT->getDescription().c_str(),
+                                               N);
+      R->addRange(CE->getSourceRange());
+      C.EmitReport(R);
+    }
+  }
+}
+
+void clang::RegisterCastToStructChecker(GRExprEngine &Eng) {
+  Eng.registerCheck(new CastToStructChecker());
+}

diff --git a/lib/Analysis/GRExprEngine.cpp b/lib/Analysis/GRExprEngine.cpp
index eaa4e27..41c5da9 100644
--- a/lib/Analysis/GRExprEngine.cpp
+++ b/lib/Analysis/GRExprEngine.cpp

@@ -2035,7 +2035,8 @@
 // Transfer functions: Miscellaneous statements.
 //===----------------------------------------------------------------------===//
 
-void GRExprEngine::VisitCast(Expr* CastE, Expr* Ex, ExplodedNode* Pred, ExplodedNodeSet& Dst){
+void GRExprEngine::VisitCast(Expr* CastE, Expr* Ex, ExplodedNode* Pred, 
+                             ExplodedNodeSet& Dst){
   ExplodedNodeSet S1;
   QualType T = CastE->getType();
   QualType ExTy = Ex->getType();
@@ -2048,16 +2049,18 @@
   else
     Visit(Ex, Pred, S1);
 
+  ExplodedNodeSet S2;
+  CheckerVisit(CastE, S2, S1, true);
+
   // Check for casting to "void".
   if (T->isVoidType()) {
-    for (ExplodedNodeSet::iterator I1 = S1.begin(), E1 = S1.end(); I1 != E1; ++I1)
-      Dst.Add(*I1);
-
+    for (ExplodedNodeSet::iterator I = S2.begin(), E = S2.end(); I != E; ++I)
+      Dst.Add(*I);
     return;
   }
 
-  for (ExplodedNodeSet::iterator I1 = S1.begin(), E1 = S1.end(); I1 != E1; ++I1) {
-    ExplodedNode* N = *I1;
+  for (ExplodedNodeSet::iterator I = S2.begin(), E = S2.end(); I != E; ++I) {
+    ExplodedNode* N = *I;
     const GRState* state = GetState(N);
     SVal V = state->getSVal(Ex);
     const SValuator::CastResult &Res = SVator.EvalCast(V, state, T, ExTy);

diff --git a/lib/Analysis/GRExprEngineInternalChecks.cpp b/lib/Analysis/GRExprEngineInternalChecks.cpp
index 37e7bfd..41bb655 100644
--- a/lib/Analysis/GRExprEngineInternalChecks.cpp
+++ b/lib/Analysis/GRExprEngineInternalChecks.cpp

@@ -416,4 +416,6 @@
   RegisterFixedAddressChecker(*this);
   // Note that this must be registered after ReturnStackAddressChecker.
   RegisterReturnPointerRangeChecker(*this);
+
+  RegisterCastToStructChecker(*this);
 }

diff --git a/lib/Analysis/GRExprEngineInternalChecks.h b/lib/Analysis/GRExprEngineInternalChecks.h
index 90a2826..4f8baad 100644
--- a/lib/Analysis/GRExprEngineInternalChecks.h
+++ b/lib/Analysis/GRExprEngineInternalChecks.h

@@ -26,5 +26,6 @@
 void RegisterVLASizeChecker(GRExprEngine &Eng);
 void RegisterPointerSubChecker(GRExprEngine &Eng);
 void RegisterFixedAddressChecker(GRExprEngine &Eng);
+void RegisterCastToStructChecker(GRExprEngine &Eng);
 } // end clang namespace
 #endif