1 //== ObjCContainersChecker.cpp - Path sensitive checker for CFArray *- C++ -*=// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // Performs path sensitive checks of Core Foundation static containers like 11 // CFArray. 12 // 1) Check for buffer overflows: 13 // In CFArrayGetArrayAtIndex( myArray, index), if the index is outside the 14 // index space of theArray (0 to N-1 inclusive (where N is the count of 15 // theArray), the behavior is undefined. 16 // 17 //===----------------------------------------------------------------------===// 18 19 #include "ClangSACheckers.h" 20 #include "clang/StaticAnalyzer/Core/Checker.h" 21 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h" 24 #include "clang/StaticAnalyzer/Core/PathSensitive/ObjCMessage.h" 25 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 26 #include "clang/AST/ParentMap.h" 27 28 using namespace clang; 29 using namespace ento; 30 31 namespace { 32 class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>, 33 check::PostStmt<CallExpr> > { 34 mutable llvm::OwningPtr<BugType> BT; 35 inline void initBugType() const { 36 if (!BT) 37 BT.reset(new BugType("CFArray API", "Core Foundation/Objective-C API")); 38 } 39 40 inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const { 41 SVal ArrayRef = C.getState()->getSVal(E, C.getLocationContext()); 42 SymbolRef ArraySym = ArrayRef.getAsSymbol(); 43 assert(ArraySym); 44 return ArraySym; 45 } 46 47 void addSizeInfo(const Expr *Array, const Expr *Size, 48 CheckerContext &C) const; 49 50 public: 51 /// A tag to id this checker. 52 static void *getTag() { static int Tag; return &Tag; } 53 54 void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; 55 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; 56 }; 57 } // end anonymous namespace 58 59 // Array state stores the array size on creation (allocation). 60 // Size might be an unsigned or a symbol. 61 struct ArraySize { 62 SVal NLSize; 63 ArraySize(SVal s) : NLSize(s) {} 64 void Profile(llvm::FoldingSetNodeID &ID) const { 65 NLSize.Profile(ID); 66 } 67 }; 68 69 // ProgramState trait - a map from array symbol to it's state. 70 typedef llvm::ImmutableMap<SymbolRef, SVal> ArraySizeM; 71 72 namespace { struct ArraySizeMap {}; } 73 namespace clang { namespace ento { 74 template<> struct ProgramStateTrait<ArraySizeMap> 75 : public ProgramStatePartialTrait<ArraySizeM > { 76 static void *GDMIndex() { return ObjCContainersChecker::getTag(); } 77 }; 78 }} 79 80 void ObjCContainersChecker::addSizeInfo(const Expr *Array, const Expr *Size, 81 CheckerContext &C) const { 82 ProgramStateRef State = C.getState(); 83 SVal SizeV = State->getSVal(Size, C.getLocationContext()); 84 // Undefined is reported by another checker. 85 if (SizeV.isUnknownOrUndef()) 86 return; 87 88 // Get the ArrayRef symbol. 89 SVal ArrayRef = State->getSVal(Array, C.getLocationContext()); 90 SymbolRef ArraySym = ArrayRef.getAsSymbol(); 91 if (!ArraySym) 92 return; 93 94 C.addTransition(State->set<ArraySizeMap>(ArraySym, SizeV)); 95 return; 96 } 97 98 void ObjCContainersChecker::checkPostStmt(const CallExpr *CE, 99 CheckerContext &C) const { 100 StringRef Name = C.getCalleeName(CE); 101 if (Name.empty()) 102 return; 103 104 // Add array size information to the state. 105 if (Name.equals("CFArrayCreate")) { 106 // Note, we can visit the Create method in the post-visit because 107 // the CFIndex parameter is passed in by value and will not be invalidated 108 // by the call. 109 addSizeInfo(CE, CE->getArg(2), C); 110 return; 111 } 112 113 if (Name.equals("CFArrayGetCount")) { 114 addSizeInfo(CE->getArg(0), CE, C); 115 return; 116 } 117 } 118 119 void ObjCContainersChecker::checkPreStmt(const CallExpr *CE, 120 CheckerContext &C) const { 121 StringRef Name = C.getCalleeName(CE); 122 if (Name.empty()) 123 return; 124 125 // Check the array access. 126 if (Name.equals("CFArrayGetValueAtIndex")) { 127 ProgramStateRef State = C.getState(); 128 // Retrieve the size. 129 // Find out if we saw this array symbol before and have information about it. 130 const Expr *ArrayExpr = CE->getArg(0); 131 const SVal *SizeVal = State->get<ArraySizeMap>(getArraySym(ArrayExpr, C)); 132 if (!SizeVal) 133 return; 134 DefinedOrUnknownSVal Size = cast<DefinedOrUnknownSVal>(*SizeVal); 135 136 // Get the index. 137 const Expr *IdxExpr = CE->getArg(1); 138 SVal IdxVal = State->getSVal(IdxExpr, C.getLocationContext()); 139 DefinedOrUnknownSVal Idx = cast<DefinedOrUnknownSVal>(IdxVal); 140 141 // Now, check if 'Idx in [0, Size-1]'. 142 const QualType T = IdxExpr->getType(); 143 ProgramStateRef StInBound = State->assumeInBound(Idx, Size, true, T); 144 ProgramStateRef StOutBound = State->assumeInBound(Idx, Size, false, T); 145 if (StOutBound && !StInBound) { 146 ExplodedNode *N = C.generateSink(StOutBound); 147 if (!N) 148 return; 149 initBugType(); 150 BugReport *R = new BugReport(*BT, "Index is out of bounds", N); 151 R->addRange(IdxExpr->getSourceRange()); 152 C.EmitReport(R); 153 return; 154 } 155 } 156 } 157 158 /// Register checker. 159 void ento::registerObjCContainersChecker(CheckerManager &mgr) { 160 mgr.registerChecker<ObjCContainersChecker>(); 161 } 162