clang  9.0.0
ArrayBoundChecker.cpp
Go to the documentation of this file.
1 //== ArrayBoundChecker.cpp ------------------------------*- C++ -*--==//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines ArrayBoundChecker, which is a path-sensitive check
10 // which looks for an out-of-bound array element access.
11 //
12 //===----------------------------------------------------------------------===//
13 
20 
21 using namespace clang;
22 using namespace ento;
23 
24 namespace {
25 class ArrayBoundChecker :
26  public Checker<check::Location> {
27  mutable std::unique_ptr<BuiltinBug> BT;
28 
29 public:
30  void checkLocation(SVal l, bool isLoad, const Stmt* S,
31  CheckerContext &C) const;
32 };
33 }
34 
35 void ArrayBoundChecker::checkLocation(SVal l, bool isLoad, const Stmt* LoadS,
36  CheckerContext &C) const {
37  // Check for out of bound array element access.
38  const MemRegion *R = l.getAsRegion();
39  if (!R)
40  return;
41 
42  const ElementRegion *ER = dyn_cast<ElementRegion>(R);
43  if (!ER)
44  return;
45 
46  // Get the index of the accessed element.
47  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
48 
49  // Zero index is always in bound, this also passes ElementRegions created for
50  // pointer casts.
51  if (Idx.isZeroConstant())
52  return;
53 
54  ProgramStateRef state = C.getState();
55 
56  // Get the size of the array.
57  DefinedOrUnknownSVal NumElements
58  = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(),
59  ER->getValueType());
60 
61  ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true);
62  ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false);
63  if (StOutBound && !StInBound) {
64  ExplodedNode *N = C.generateErrorNode(StOutBound);
65  if (!N)
66  return;
67 
68  if (!BT)
69  BT.reset(new BuiltinBug(
70  this, "Out-of-bound array access",
71  "Access out-of-bound array element (buffer overflow)"));
72 
73  // FIXME: It would be nice to eventually make this diagnostic more clear,
74  // e.g., by referencing the original declaration or by saying *why* this
75  // reference is outside the range.
76 
77  // Generate a report for this bug.
78  auto report = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N);
79 
80  report->addRange(LoadS->getSourceRange());
81  C.emitReport(std::move(report));
82  return;
83  }
84 
85  // Array bound check succeeded. From this point forward the array bound
86  // should always succeed.
87  C.addTransition(StInBound);
88 }
89 
90 void ento::registerArrayBoundChecker(CheckerManager &mgr) {
91  mgr.registerChecker<ArrayBoundChecker>();
92 }
93 
94 bool ento::shouldRegisterArrayBoundChecker(const LangOptions &LO) {
95  return true;
96 }
Stmt - This represents one statement.
Definition: Stmt.h:66
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Keeps track of the various options that can be enabled, which controls the dialect of C or C++ that i...
Definition: LangOptions.h:49
i32 captured_struct **param SharedsTy A type which contains references the shared variables *param Shareds Context with the list of shared variables from the p *TaskFunction *param Data Additional data for task generation like final * state
Dataflow Directional Tag Classes.
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:251