Gitiles
Code Review Sign In
gerrit-public.fairphone.software / toolchain / llvm-project / e10d5a7659ec3458545e4274dcc57136d6151d05 / . / clang / lib / StaticAnalyzer / Checkers / ArrayBoundChecker.cpp
blob: 535d8eede46ab1d5674b661b0203a9ec446ca5c9 [file] [log] [blame]
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]1//== ArrayBoundChecker.cpp ------------------------------*- C++ -*--==//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file defines ArrayBoundChecker, which is a path-sensitive check
11// which looks for an out-of-bound array element access.
12//
13//===----------------------------------------------------------------------===//
14
Argyrios Kyrtzidisdd407f42011-02-24 08:42:12 +0000[diff] [blame]15#include "ClangSACheckers.h"
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]16#include "clang/StaticAnalyzer/Core/Checker.h"
Argyrios Kyrtzidisdd407f42011-02-24 08:42:12 +0000[diff] [blame]17#include "clang/StaticAnalyzer/Core/CheckerManager.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]19#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
Ted Kremenekf8cbac42011-02-10 01:03:03 +0000[diff] [blame]20#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]21
22using namespace clang;
Ted Kremenek98857c92010-12-23 07:20:52 +0000[diff] [blame]23using namespace ento;
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]24
25namespace {
Kovarththanan Rajaratnam65c65662009-11-28 06:07:30 +0000[diff] [blame]26class ArrayBoundChecker :
Argyrios Kyrtzidis6a5674f2011-03-01 01:16:21 +0000[diff] [blame]27 public Checker<check::Location> {
Dylan Noblesmithe2778992012-02-05 02:12:40 +0000[diff] [blame]28 mutable OwningPtr<BuiltinBug> BT;
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]29public:
Anna Zaks3e0f4152011-10-06 00:43:15 +0000[diff] [blame]30 void checkLocation(SVal l, bool isLoad, const Stmt* S,
31 CheckerContext &C) const;
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]32};
33}
34
Anna Zaks3e0f4152011-10-06 00:43:15 +0000[diff] [blame]35void ArrayBoundChecker::checkLocation(SVal l, bool isLoad, const Stmt* LoadS,
Argyrios Kyrtzidisdd407f42011-02-24 08:42:12 +0000[diff] [blame]36 CheckerContext &C) const {
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]37 // Check for out of bound array element access.
38 const MemRegion *R = l.getAsRegion();
39 if (!R)
40 return;
41
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]42 const ElementRegion *ER = dyn_cast<ElementRegion>(R);
43 if (!ER)
44 return;
45
46 // Get the index of the accessed element.
Gabor Greif230ddf32010-09-09 10:51:37 +0000[diff] [blame]47 DefinedOrUnknownSVal Idx = cast<DefinedOrUnknownSVal>(ER->getIndex());
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]48
Zhongxing Xue1e85652010-11-26 09:14:07 +0000[diff] [blame]49 // Zero index is always in bound, this also passes ElementRegions created for
50 // pointer casts.
51 if (Idx.isZeroConstant())
52 return;
53
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]54 ProgramStateRef state = C.getState();
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]55
56 // Get the size of the array.
Zhongxing Xu383c2732009-11-12 02:48:32 +0000[diff] [blame]57 DefinedOrUnknownSVal NumElements
Zhongxing Xu228b0d42010-01-18 08:54:31 +0000[diff] [blame]58 = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(),
Zhongxing Xu8de0a3d2010-08-11 06:10:55 +0000[diff] [blame]59 ER->getValueType());
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]60
Ted Kremenek49b1e382012-01-26 21:29:00 +0000[diff] [blame]61 ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true);
62 ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false);
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]63 if (StOutBound && !StInBound) {
Ted Kremenek750b7ac2010-12-20 21:19:09 +0000[diff] [blame]64 ExplodedNode *N = C.generateSink(StOutBound);
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]65 if (!N)
66 return;
67
68 if (!BT)
Argyrios Kyrtzidisdd407f42011-02-24 08:42:12 +0000[diff] [blame]69 BT.reset(new BuiltinBug("Out-of-bound array access",
70 "Access out-of-bound array element (buffer overflow)"));
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]71
72 // FIXME: It would be nice to eventually make this diagnostic more clear,
73 // e.g., by referencing the original declaration or by saying *why* this
74 // reference is outside the range.
75
76 // Generate a report for this bug.
Anna Zaks3a6bdf82011-08-17 23:00:25 +0000[diff] [blame]77 BugReport *report =
78 new BugReport(*BT, BT->getDescription(), N);
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]79
Anna Zaks3e0f4152011-10-06 00:43:15 +0000[diff] [blame]80 report->addRange(LoadS->getSourceRange());
Jordan Rosee10d5a72012-11-02 01:53:40 +0000[diff] [blame^]81 C.emitReport(report);
Ted Kremenekb0c0b082009-11-23 23:23:26 +0000[diff] [blame]82 return;
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]83 }
Ted Kremenekb0c0b082009-11-23 23:23:26 +0000[diff] [blame]84
85 // Array bound check succeeded. From this point forward the array bound
86 // should always succeed.
Anna Zaksda4c8d62011-10-26 21:06:34 +0000[diff] [blame]87 C.addTransition(StInBound);
Zhongxing Xu4f7759a2009-11-11 12:33:27 +0000[diff] [blame]88}
Argyrios Kyrtzidisdd407f42011-02-24 08:42:12 +0000[diff] [blame]89
90void ento::registerArrayBoundChecker(CheckerManager &mgr) {
91 mgr.registerChecker<ArrayBoundChecker>();
92}