1 //== ArrayBoundCheckerV2.cpp ------------------------------------*- C++ -*--==// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines ArrayBoundCheckerV2, which is a path-sensitive check 11 // which looks for an out-of-bound array element access. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "clang/AST/CharUnits.h" 17 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 18 #include "clang/StaticAnalyzer/Core/Checker.h" 19 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 20 #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" 21 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 23 #include "llvm/ADT/SmallString.h" 24 #include "llvm/Support/raw_ostream.h" 25 26 using namespace clang; 27 using namespace ento; 28 29 namespace { 30 class ArrayBoundCheckerV2 : 31 public Checker<check::Location> { 32 mutable std::unique_ptr<BuiltinBug> BT; 33 34 enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted }; 35 36 void reportOOB(CheckerContext &C, ProgramStateRef errorState, 37 OOB_Kind kind) const; 38 39 public: 40 void checkLocation(SVal l, bool isLoad, const Stmt*S, 41 CheckerContext &C) const; 42 }; 43 44 // FIXME: Eventually replace RegionRawOffset with this class. 45 class RegionRawOffsetV2 { 46 private: 47 const SubRegion *baseRegion; 48 SVal byteOffset; 49 50 RegionRawOffsetV2() 51 : baseRegion(nullptr), byteOffset(UnknownVal()) {} 52 53 public: 54 RegionRawOffsetV2(const SubRegion* base, SVal offset) 55 : baseRegion(base), byteOffset(offset) {} 56 57 NonLoc getByteOffset() const { return byteOffset.castAs<NonLoc>(); } 58 const SubRegion *getRegion() const { return baseRegion; } 59 60 static RegionRawOffsetV2 computeOffset(ProgramStateRef state, 61 SValBuilder &svalBuilder, 62 SVal location); 63 64 void dump() const; 65 void dumpToStream(raw_ostream &os) const; 66 }; 67 } 68 69 static SVal computeExtentBegin(SValBuilder &svalBuilder, 70 const MemRegion *region) { 71 while (true) 72 switch (region->getKind()) { 73 default: 74 return svalBuilder.makeZeroArrayIndex(); 75 case MemRegion::SymbolicRegionKind: 76 // FIXME: improve this later by tracking symbolic lower bounds 77 // for symbolic regions. 78 return UnknownVal(); 79 case MemRegion::ElementRegionKind: 80 region = cast<SubRegion>(region)->getSuperRegion(); 81 continue; 82 } 83 } 84 85 // TODO: once the constraint manager is smart enough to handle non simplified 86 // symbolic expressions remove this function. Note that this can not be used in 87 // the constraint manager as is, since this does not handle overflows. It is 88 // safe to assume, however, that memory offsets will not overflow. 89 static std::pair<NonLoc, nonloc::ConcreteInt> 90 getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent, 91 SValBuilder &svalBuilder) { 92 Optional<nonloc::SymbolVal> SymVal = offset.getAs<nonloc::SymbolVal>(); 93 if (SymVal && SymVal->isExpression()) { 94 if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SymVal->getSymbol())) { 95 llvm::APSInt constant = 96 APSIntType(extent.getValue()).convert(SIE->getRHS()); 97 switch (SIE->getOpcode()) { 98 case BO_Mul: 99 // The constant should never be 0 here, since it the result of scaling 100 // based on the size of a type which is never 0. 101 if ((extent.getValue() % constant) != 0) 102 return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent); 103 else 104 return getSimplifiedOffsets( 105 nonloc::SymbolVal(SIE->getLHS()), 106 svalBuilder.makeIntVal(extent.getValue() / constant), 107 svalBuilder); 108 case BO_Add: 109 return getSimplifiedOffsets( 110 nonloc::SymbolVal(SIE->getLHS()), 111 svalBuilder.makeIntVal(extent.getValue() - constant), svalBuilder); 112 default: 113 break; 114 } 115 } 116 } 117 118 return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent); 119 } 120 121 void ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad, 122 const Stmt* LoadS, 123 CheckerContext &checkerContext) const { 124 125 // NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping 126 // some new logic here that reasons directly about memory region extents. 127 // Once that logic is more mature, we can bring it back to assumeInBound() 128 // for all clients to use. 129 // 130 // The algorithm we are using here for bounds checking is to see if the 131 // memory access is within the extent of the base region. Since we 132 // have some flexibility in defining the base region, we can achieve 133 // various levels of conservatism in our buffer overflow checking. 134 ProgramStateRef state = checkerContext.getState(); 135 ProgramStateRef originalState = state; 136 137 SValBuilder &svalBuilder = checkerContext.getSValBuilder(); 138 const RegionRawOffsetV2 &rawOffset = 139 RegionRawOffsetV2::computeOffset(state, svalBuilder, location); 140 141 if (!rawOffset.getRegion()) 142 return; 143 144 NonLoc rawOffsetVal = rawOffset.getByteOffset(); 145 146 // CHECK LOWER BOUND: Is byteOffset < extent begin? 147 // If so, we are doing a load/store 148 // before the first valid offset in the memory region. 149 150 SVal extentBegin = computeExtentBegin(svalBuilder, rawOffset.getRegion()); 151 152 if (Optional<NonLoc> NV = extentBegin.getAs<NonLoc>()) { 153 if (NV->getAs<nonloc::ConcreteInt>()) { 154 std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets = 155 getSimplifiedOffsets(rawOffset.getByteOffset(), 156 NV->castAs<nonloc::ConcreteInt>(), 157 svalBuilder); 158 rawOffsetVal = simplifiedOffsets.first; 159 *NV = simplifiedOffsets.second; 160 } 161 162 SVal lowerBound = svalBuilder.evalBinOpNN(state, BO_LT, rawOffsetVal, *NV, 163 svalBuilder.getConditionType()); 164 165 Optional<NonLoc> lowerBoundToCheck = lowerBound.getAs<NonLoc>(); 166 if (!lowerBoundToCheck) 167 return; 168 169 ProgramStateRef state_precedesLowerBound, state_withinLowerBound; 170 std::tie(state_precedesLowerBound, state_withinLowerBound) = 171 state->assume(*lowerBoundToCheck); 172 173 // Are we constrained enough to definitely precede the lower bound? 174 if (state_precedesLowerBound && !state_withinLowerBound) { 175 reportOOB(checkerContext, state_precedesLowerBound, OOB_Precedes); 176 return; 177 } 178 179 // Otherwise, assume the constraint of the lower bound. 180 assert(state_withinLowerBound); 181 state = state_withinLowerBound; 182 } 183 184 do { 185 // CHECK UPPER BOUND: Is byteOffset >= extent(baseRegion)? If so, 186 // we are doing a load/store after the last valid offset. 187 DefinedOrUnknownSVal extentVal = 188 rawOffset.getRegion()->getExtent(svalBuilder); 189 if (!extentVal.getAs<NonLoc>()) 190 break; 191 192 if (extentVal.getAs<nonloc::ConcreteInt>()) { 193 std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets = 194 getSimplifiedOffsets(rawOffset.getByteOffset(), 195 extentVal.castAs<nonloc::ConcreteInt>(), 196 svalBuilder); 197 rawOffsetVal = simplifiedOffsets.first; 198 extentVal = simplifiedOffsets.second; 199 } 200 201 SVal upperbound = svalBuilder.evalBinOpNN(state, BO_GE, rawOffsetVal, 202 extentVal.castAs<NonLoc>(), 203 svalBuilder.getConditionType()); 204 205 Optional<NonLoc> upperboundToCheck = upperbound.getAs<NonLoc>(); 206 if (!upperboundToCheck) 207 break; 208 209 ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; 210 std::tie(state_exceedsUpperBound, state_withinUpperBound) = 211 state->assume(*upperboundToCheck); 212 213 // If we are under constrained and the index variables are tainted, report. 214 if (state_exceedsUpperBound && state_withinUpperBound) { 215 if (state->isTainted(rawOffset.getByteOffset())) { 216 reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted); 217 return; 218 } 219 } else if (state_exceedsUpperBound) { 220 // If we are constrained enough to definitely exceed the upper bound, 221 // report. 222 assert(!state_withinUpperBound); 223 reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes); 224 return; 225 } 226 227 assert(state_withinUpperBound); 228 state = state_withinUpperBound; 229 } 230 while (false); 231 232 if (state != originalState) 233 checkerContext.addTransition(state); 234 } 235 236 void ArrayBoundCheckerV2::reportOOB(CheckerContext &checkerContext, 237 ProgramStateRef errorState, 238 OOB_Kind kind) const { 239 240 ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState); 241 if (!errorNode) 242 return; 243 244 if (!BT) 245 BT.reset(new BuiltinBug(this, "Out-of-bound access")); 246 247 // FIXME: This diagnostics are preliminary. We should get far better 248 // diagnostics for explaining buffer overruns. 249 250 SmallString<256> buf; 251 llvm::raw_svector_ostream os(buf); 252 os << "Out of bound memory access "; 253 switch (kind) { 254 case OOB_Precedes: 255 os << "(accessed memory precedes memory block)"; 256 break; 257 case OOB_Excedes: 258 os << "(access exceeds upper limit of memory block)"; 259 break; 260 case OOB_Tainted: 261 os << "(index is tainted)"; 262 break; 263 } 264 265 checkerContext.emitReport( 266 llvm::make_unique<BugReport>(*BT, os.str(), errorNode)); 267 } 268 269 LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const { 270 dumpToStream(llvm::errs()); 271 } 272 273 void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const { 274 os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}'; 275 } 276 277 278 // Lazily computes a value to be used by 'computeOffset'. If 'val' 279 // is unknown or undefined, we lazily substitute '0'. Otherwise, 280 // return 'val'. 281 static inline SVal getValue(SVal val, SValBuilder &svalBuilder) { 282 return val.getAs<UndefinedVal>() ? svalBuilder.makeArrayIndex(0) : val; 283 } 284 285 // Scale a base value by a scaling factor, and return the scaled 286 // value as an SVal. Used by 'computeOffset'. 287 static inline SVal scaleValue(ProgramStateRef state, 288 NonLoc baseVal, CharUnits scaling, 289 SValBuilder &sb) { 290 return sb.evalBinOpNN(state, BO_Mul, baseVal, 291 sb.makeArrayIndex(scaling.getQuantity()), 292 sb.getArrayIndexType()); 293 } 294 295 // Add an SVal to another, treating unknown and undefined values as 296 // summing to UnknownVal. Used by 'computeOffset'. 297 static SVal addValue(ProgramStateRef state, SVal x, SVal y, 298 SValBuilder &svalBuilder) { 299 // We treat UnknownVals and UndefinedVals the same here because we 300 // only care about computing offsets. 301 if (x.isUnknownOrUndef() || y.isUnknownOrUndef()) 302 return UnknownVal(); 303 304 return svalBuilder.evalBinOpNN(state, BO_Add, x.castAs<NonLoc>(), 305 y.castAs<NonLoc>(), 306 svalBuilder.getArrayIndexType()); 307 } 308 309 /// Compute a raw byte offset from a base region. Used for array bounds 310 /// checking. 311 RegionRawOffsetV2 RegionRawOffsetV2::computeOffset(ProgramStateRef state, 312 SValBuilder &svalBuilder, 313 SVal location) 314 { 315 const MemRegion *region = location.getAsRegion(); 316 SVal offset = UndefinedVal(); 317 318 while (region) { 319 switch (region->getKind()) { 320 default: { 321 if (const SubRegion *subReg = dyn_cast<SubRegion>(region)) { 322 offset = getValue(offset, svalBuilder); 323 if (!offset.isUnknownOrUndef()) 324 return RegionRawOffsetV2(subReg, offset); 325 } 326 return RegionRawOffsetV2(); 327 } 328 case MemRegion::ElementRegionKind: { 329 const ElementRegion *elemReg = cast<ElementRegion>(region); 330 SVal index = elemReg->getIndex(); 331 if (!index.getAs<NonLoc>()) 332 return RegionRawOffsetV2(); 333 QualType elemType = elemReg->getElementType(); 334 // If the element is an incomplete type, go no further. 335 ASTContext &astContext = svalBuilder.getContext(); 336 if (elemType->isIncompleteType()) 337 return RegionRawOffsetV2(); 338 339 // Update the offset. 340 offset = addValue(state, 341 getValue(offset, svalBuilder), 342 scaleValue(state, 343 index.castAs<NonLoc>(), 344 astContext.getTypeSizeInChars(elemType), 345 svalBuilder), 346 svalBuilder); 347 348 if (offset.isUnknownOrUndef()) 349 return RegionRawOffsetV2(); 350 351 region = elemReg->getSuperRegion(); 352 continue; 353 } 354 } 355 } 356 return RegionRawOffsetV2(); 357 } 358 359 void ento::registerArrayBoundCheckerV2(CheckerManager &mgr) { 360 mgr.registerChecker<ArrayBoundCheckerV2>(); 361 } 362