Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / clang / 651f13cea278ec967336033dd032faef0e9fc2ec / . / lib / StaticAnalyzer / Checkers / ArrayBoundChecker.cpp
blob: cb5b01009f1d9546c1f0b642831f6ecf529551bf [file] [log] [blame]
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]1//== ArrayBoundChecker.cpp ------------------------------*- C++ -*--==//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file defines ArrayBoundChecker, which is a path-sensitive check
11// which looks for an out-of-bound array element access.
12//
13//===----------------------------------------------------------------------===//
14
Argyrios Kyrtzidis8be5b3a2011-02-24 08:42:12 +0000[diff] [blame]15#include "ClangSACheckers.h"
Chandler Carruth55fc8732012-12-04 09:13:33 +0000[diff] [blame]16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
Argyrios Kyrtzidisec8605f2011-03-01 01:16:21 +0000[diff] [blame]17#include "clang/StaticAnalyzer/Core/Checker.h"
Argyrios Kyrtzidis8be5b3a2011-02-24 08:42:12 +0000[diff] [blame]18#include "clang/StaticAnalyzer/Core/CheckerManager.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
Ted Kremenek9b663712011-02-10 01:03:03 +0000[diff] [blame]20#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]21
22using namespace clang;
Ted Kremenek9ef65372010-12-23 07:20:52 +0000[diff] [blame]23using namespace ento;
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]24
25namespace {
Kovarththanan Rajaratnamba5fb5a2009-11-28 06:07:30 +0000[diff] [blame]26class ArrayBoundChecker :
Argyrios Kyrtzidisec8605f2011-03-01 01:16:21 +0000[diff] [blame]27 public Checker<check::Location> {
Stephen Hines651f13c2014-04-23 16:59:28 -0700[diff] [blame^]28 mutable std::unique_ptr<BuiltinBug> BT;
29
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]30public:
Anna Zaks390909c2011-10-06 00:43:15 +0000[diff] [blame]31 void checkLocation(SVal l, bool isLoad, const Stmt* S,
32 CheckerContext &C) const;
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]33};
34}
35
Anna Zaks390909c2011-10-06 00:43:15 +0000[diff] [blame]36void ArrayBoundChecker::checkLocation(SVal l, bool isLoad, const Stmt* LoadS,
Argyrios Kyrtzidis8be5b3a2011-02-24 08:42:12 +0000[diff] [blame]37 CheckerContext &C) const {
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]38 // Check for out of bound array element access.
39 const MemRegion *R = l.getAsRegion();
40 if (!R)
41 return;
42
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]43 const ElementRegion *ER = dyn_cast<ElementRegion>(R);
44 if (!ER)
45 return;
46
47 // Get the index of the accessed element.
David Blaikie7a95de62013-02-21 22:23:56 +0000[diff] [blame]48 DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]49
Zhongxing Xu110eaf12010-11-26 09:14:07 +0000[diff] [blame]50 // Zero index is always in bound, this also passes ElementRegions created for
51 // pointer casts.
52 if (Idx.isZeroConstant())
53 return;
54
Ted Kremenek8bef8232012-01-26 21:29:00 +0000[diff] [blame]55 ProgramStateRef state = C.getState();
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]56
57 // Get the size of the array.
Zhongxing Xue884ff82009-11-12 02:48:32 +0000[diff] [blame]58 DefinedOrUnknownSVal NumElements
Zhongxing Xu3ed04d32010-01-18 08:54:31 +0000[diff] [blame]59 = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(),
Zhongxing Xu018220c2010-08-11 06:10:55 +0000[diff] [blame]60 ER->getValueType());
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]61
Ted Kremenek8bef8232012-01-26 21:29:00 +0000[diff] [blame]62 ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true);
63 ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false);
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]64 if (StOutBound && !StInBound) {
Ted Kremenekd048c6e2010-12-20 21:19:09 +0000[diff] [blame]65 ExplodedNode *N = C.generateSink(StOutBound);
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]66 if (!N)
67 return;
68
69 if (!BT)
Stephen Hines651f13c2014-04-23 16:59:28 -0700[diff] [blame^]70 BT.reset(new BuiltinBug(
71 this, "Out-of-bound array access",
72 "Access out-of-bound array element (buffer overflow)"));
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]73
74 // FIXME: It would be nice to eventually make this diagnostic more clear,
75 // e.g., by referencing the original declaration or by saying *why* this
76 // reference is outside the range.
77
78 // Generate a report for this bug.
Anna Zakse172e8b2011-08-17 23:00:25 +0000[diff] [blame]79 BugReport *report =
80 new BugReport(*BT, BT->getDescription(), N);
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]81
Anna Zaks390909c2011-10-06 00:43:15 +0000[diff] [blame]82 report->addRange(LoadS->getSourceRange());
Jordan Rose785950e2012-11-02 01:53:40 +0000[diff] [blame]83 C.emitReport(report);
Ted Kremenekc3120762009-11-23 23:23:26 +0000[diff] [blame]84 return;
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]85 }
Ted Kremenekc3120762009-11-23 23:23:26 +0000[diff] [blame]86
87 // Array bound check succeeded. From this point forward the array bound
88 // should always succeed.
Anna Zaks0bd6b112011-10-26 21:06:34 +0000[diff] [blame]89 C.addTransition(StInBound);
Zhongxing Xu58e689f2009-11-11 12:33:27 +0000[diff] [blame]90}
Argyrios Kyrtzidis8be5b3a2011-02-24 08:42:12 +0000[diff] [blame]91
92void ento::registerArrayBoundChecker(CheckerManager &mgr) {
93 mgr.registerChecker<ArrayBoundChecker>();
94}