1 //== ArrayBoundCheckerV2.cpp ------------------------------------*- C++ -*--==// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines ArrayBoundCheckerV2, which is a path-sensitive check 11 // which looks for an out-of-bound array element access. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "ClangSACheckers.h" 16 #include "clang/AST/CharUnits.h" 17 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 18 #include "clang/StaticAnalyzer/Core/Checker.h" 19 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 20 #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" 21 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 23 #include "llvm/ADT/SmallString.h" 24 #include "llvm/Support/raw_ostream.h" 25 26 using namespace clang; 27 using namespace ento; 28 29 namespace { 30 class ArrayBoundCheckerV2 : 31 public Checker<check::Location> { 32 mutable std::unique_ptr<BuiltinBug> BT; 33 34 enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted }; 35 36 void reportOOB(CheckerContext &C, ProgramStateRef errorState, OOB_Kind kind, 37 std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const; 38 39 public: 40 void checkLocation(SVal l, bool isLoad, const Stmt*S, 41 CheckerContext &C) const; 42 }; 43 44 // FIXME: Eventually replace RegionRawOffset with this class. 45 class RegionRawOffsetV2 { 46 private: 47 const SubRegion *baseRegion; 48 SVal byteOffset; 49 50 RegionRawOffsetV2() 51 : baseRegion(nullptr), byteOffset(UnknownVal()) {} 52 53 public: 54 RegionRawOffsetV2(const SubRegion* base, SVal offset) 55 : baseRegion(base), byteOffset(offset) {} 56 57 NonLoc getByteOffset() const { return byteOffset.castAs<NonLoc>(); } 58 const SubRegion *getRegion() const { return baseRegion; } 59 60 static RegionRawOffsetV2 computeOffset(ProgramStateRef state, 61 SValBuilder &svalBuilder, 62 SVal location); 63 64 void dump() const; 65 void dumpToStream(raw_ostream &os) const; 66 }; 67 } 68 69 static SVal computeExtentBegin(SValBuilder &svalBuilder, 70 const MemRegion *region) { 71 const MemSpaceRegion *SR = region->getMemorySpace(); 72 if (SR->getKind() == MemRegion::UnknownSpaceRegionKind) 73 return UnknownVal(); 74 else 75 return svalBuilder.makeZeroArrayIndex(); 76 } 77 78 // TODO: once the constraint manager is smart enough to handle non simplified 79 // symbolic expressions remove this function. Note that this can not be used in 80 // the constraint manager as is, since this does not handle overflows. It is 81 // safe to assume, however, that memory offsets will not overflow. 82 static std::pair<NonLoc, nonloc::ConcreteInt> 83 getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent, 84 SValBuilder &svalBuilder) { 85 Optional<nonloc::SymbolVal> SymVal = offset.getAs<nonloc::SymbolVal>(); 86 if (SymVal && SymVal->isExpression()) { 87 if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SymVal->getSymbol())) { 88 llvm::APSInt constant = 89 APSIntType(extent.getValue()).convert(SIE->getRHS()); 90 switch (SIE->getOpcode()) { 91 case BO_Mul: 92 // The constant should never be 0 here, since it the result of scaling 93 // based on the size of a type which is never 0. 94 if ((extent.getValue() % constant) != 0) 95 return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent); 96 else 97 return getSimplifiedOffsets( 98 nonloc::SymbolVal(SIE->getLHS()), 99 svalBuilder.makeIntVal(extent.getValue() / constant), 100 svalBuilder); 101 case BO_Add: 102 return getSimplifiedOffsets( 103 nonloc::SymbolVal(SIE->getLHS()), 104 svalBuilder.makeIntVal(extent.getValue() - constant), svalBuilder); 105 default: 106 break; 107 } 108 } 109 } 110 111 return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent); 112 } 113 114 void ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad, 115 const Stmt* LoadS, 116 CheckerContext &checkerContext) const { 117 118 // NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping 119 // some new logic here that reasons directly about memory region extents. 120 // Once that logic is more mature, we can bring it back to assumeInBound() 121 // for all clients to use. 122 // 123 // The algorithm we are using here for bounds checking is to see if the 124 // memory access is within the extent of the base region. Since we 125 // have some flexibility in defining the base region, we can achieve 126 // various levels of conservatism in our buffer overflow checking. 127 ProgramStateRef state = checkerContext.getState(); 128 ProgramStateRef originalState = state; 129 130 SValBuilder &svalBuilder = checkerContext.getSValBuilder(); 131 const RegionRawOffsetV2 &rawOffset = 132 RegionRawOffsetV2::computeOffset(state, svalBuilder, location); 133 134 if (!rawOffset.getRegion()) 135 return; 136 137 NonLoc rawOffsetVal = rawOffset.getByteOffset(); 138 139 // CHECK LOWER BOUND: Is byteOffset < extent begin? 140 // If so, we are doing a load/store 141 // before the first valid offset in the memory region. 142 143 SVal extentBegin = computeExtentBegin(svalBuilder, rawOffset.getRegion()); 144 145 if (Optional<NonLoc> NV = extentBegin.getAs<NonLoc>()) { 146 if (NV->getAs<nonloc::ConcreteInt>()) { 147 std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets = 148 getSimplifiedOffsets(rawOffset.getByteOffset(), 149 NV->castAs<nonloc::ConcreteInt>(), 150 svalBuilder); 151 rawOffsetVal = simplifiedOffsets.first; 152 *NV = simplifiedOffsets.second; 153 } 154 155 SVal lowerBound = svalBuilder.evalBinOpNN(state, BO_LT, rawOffsetVal, *NV, 156 svalBuilder.getConditionType()); 157 158 Optional<NonLoc> lowerBoundToCheck = lowerBound.getAs<NonLoc>(); 159 if (!lowerBoundToCheck) 160 return; 161 162 ProgramStateRef state_precedesLowerBound, state_withinLowerBound; 163 std::tie(state_precedesLowerBound, state_withinLowerBound) = 164 state->assume(*lowerBoundToCheck); 165 166 // Are we constrained enough to definitely precede the lower bound? 167 if (state_precedesLowerBound && !state_withinLowerBound) { 168 reportOOB(checkerContext, state_precedesLowerBound, OOB_Precedes); 169 return; 170 } 171 172 // Otherwise, assume the constraint of the lower bound. 173 assert(state_withinLowerBound); 174 state = state_withinLowerBound; 175 } 176 177 do { 178 // CHECK UPPER BOUND: Is byteOffset >= extent(baseRegion)? If so, 179 // we are doing a load/store after the last valid offset. 180 DefinedOrUnknownSVal extentVal = 181 rawOffset.getRegion()->getExtent(svalBuilder); 182 if (!extentVal.getAs<NonLoc>()) 183 break; 184 185 if (extentVal.getAs<nonloc::ConcreteInt>()) { 186 std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets = 187 getSimplifiedOffsets(rawOffset.getByteOffset(), 188 extentVal.castAs<nonloc::ConcreteInt>(), 189 svalBuilder); 190 rawOffsetVal = simplifiedOffsets.first; 191 extentVal = simplifiedOffsets.second; 192 } 193 194 SVal upperbound = svalBuilder.evalBinOpNN(state, BO_GE, rawOffsetVal, 195 extentVal.castAs<NonLoc>(), 196 svalBuilder.getConditionType()); 197 198 Optional<NonLoc> upperboundToCheck = upperbound.getAs<NonLoc>(); 199 if (!upperboundToCheck) 200 break; 201 202 ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; 203 std::tie(state_exceedsUpperBound, state_withinUpperBound) = 204 state->assume(*upperboundToCheck); 205 206 // If we are under constrained and the index variables are tainted, report. 207 if (state_exceedsUpperBound && state_withinUpperBound) { 208 SVal ByteOffset = rawOffset.getByteOffset(); 209 if (state->isTainted(ByteOffset)) { 210 reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted, 211 llvm::make_unique<TaintBugVisitor>(ByteOffset)); 212 return; 213 } 214 } else if (state_exceedsUpperBound) { 215 // If we are constrained enough to definitely exceed the upper bound, 216 // report. 217 assert(!state_withinUpperBound); 218 reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes); 219 return; 220 } 221 222 assert(state_withinUpperBound); 223 state = state_withinUpperBound; 224 } 225 while (false); 226 227 if (state != originalState) 228 checkerContext.addTransition(state); 229 } 230 231 void ArrayBoundCheckerV2::reportOOB( 232 CheckerContext &checkerContext, ProgramStateRef errorState, OOB_Kind kind, 233 std::unique_ptr<BugReporterVisitor> Visitor) const { 234 235 ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState); 236 if (!errorNode) 237 return; 238 239 if (!BT) 240 BT.reset(new BuiltinBug(this, "Out-of-bound access")); 241 242 // FIXME: This diagnostics are preliminary. We should get far better 243 // diagnostics for explaining buffer overruns. 244 245 SmallString<256> buf; 246 llvm::raw_svector_ostream os(buf); 247 os << "Out of bound memory access "; 248 switch (kind) { 249 case OOB_Precedes: 250 os << "(accessed memory precedes memory block)"; 251 break; 252 case OOB_Excedes: 253 os << "(access exceeds upper limit of memory block)"; 254 break; 255 case OOB_Tainted: 256 os << "(index is tainted)"; 257 break; 258 } 259 260 auto BR = llvm::make_unique<BugReport>(*BT, os.str(), errorNode); 261 BR->addVisitor(std::move(Visitor)); 262 checkerContext.emitReport(std::move(BR)); 263 } 264 265 #ifndef NDEBUG 266 LLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const { 267 dumpToStream(llvm::errs()); 268 } 269 270 void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const { 271 os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}'; 272 } 273 #endif 274 275 // Lazily computes a value to be used by 'computeOffset'. If 'val' 276 // is unknown or undefined, we lazily substitute '0'. Otherwise, 277 // return 'val'. 278 static inline SVal getValue(SVal val, SValBuilder &svalBuilder) { 279 return val.getAs<UndefinedVal>() ? svalBuilder.makeArrayIndex(0) : val; 280 } 281 282 // Scale a base value by a scaling factor, and return the scaled 283 // value as an SVal. Used by 'computeOffset'. 284 static inline SVal scaleValue(ProgramStateRef state, 285 NonLoc baseVal, CharUnits scaling, 286 SValBuilder &sb) { 287 return sb.evalBinOpNN(state, BO_Mul, baseVal, 288 sb.makeArrayIndex(scaling.getQuantity()), 289 sb.getArrayIndexType()); 290 } 291 292 // Add an SVal to another, treating unknown and undefined values as 293 // summing to UnknownVal. Used by 'computeOffset'. 294 static SVal addValue(ProgramStateRef state, SVal x, SVal y, 295 SValBuilder &svalBuilder) { 296 // We treat UnknownVals and UndefinedVals the same here because we 297 // only care about computing offsets. 298 if (x.isUnknownOrUndef() || y.isUnknownOrUndef()) 299 return UnknownVal(); 300 301 return svalBuilder.evalBinOpNN(state, BO_Add, x.castAs<NonLoc>(), 302 y.castAs<NonLoc>(), 303 svalBuilder.getArrayIndexType()); 304 } 305 306 /// Compute a raw byte offset from a base region. Used for array bounds 307 /// checking. 308 RegionRawOffsetV2 RegionRawOffsetV2::computeOffset(ProgramStateRef state, 309 SValBuilder &svalBuilder, 310 SVal location) 311 { 312 const MemRegion *region = location.getAsRegion(); 313 SVal offset = UndefinedVal(); 314 315 while (region) { 316 switch (region->getKind()) { 317 default: { 318 if (const SubRegion *subReg = dyn_cast<SubRegion>(region)) { 319 offset = getValue(offset, svalBuilder); 320 if (!offset.isUnknownOrUndef()) 321 return RegionRawOffsetV2(subReg, offset); 322 } 323 return RegionRawOffsetV2(); 324 } 325 case MemRegion::ElementRegionKind: { 326 const ElementRegion *elemReg = cast<ElementRegion>(region); 327 SVal index = elemReg->getIndex(); 328 if (!index.getAs<NonLoc>()) 329 return RegionRawOffsetV2(); 330 QualType elemType = elemReg->getElementType(); 331 // If the element is an incomplete type, go no further. 332 ASTContext &astContext = svalBuilder.getContext(); 333 if (elemType->isIncompleteType()) 334 return RegionRawOffsetV2(); 335 336 // Update the offset. 337 offset = addValue(state, 338 getValue(offset, svalBuilder), 339 scaleValue(state, 340 index.castAs<NonLoc>(), 341 astContext.getTypeSizeInChars(elemType), 342 svalBuilder), 343 svalBuilder); 344 345 if (offset.isUnknownOrUndef()) 346 return RegionRawOffsetV2(); 347 348 region = elemReg->getSuperRegion(); 349 continue; 350 } 351 } 352 } 353 return RegionRawOffsetV2(); 354 } 355 356 void ento::registerArrayBoundCheckerV2(CheckerManager &mgr) { 357 mgr.registerChecker<ArrayBoundCheckerV2>(); 358 } 359