ObjCContainersChecker.cpp revision e59ec3dfe17c1ceb648861b621a3890a9a56ab0c 
1//== ObjCContainersChecker.cpp - Path sensitive checker for CFArray *- C++ -*=//
2//
3//                     The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// Performs path sensitive checks of Core Foundation static containers like
11// CFArray.
12// 1) Check for buffer overflows:
13//      In CFArrayGetArrayAtIndex( myArray, index), if the index is outside the
14//      index space of theArray (0 to N-1 inclusive (where N is the count of
15//      theArray), the behavior is undefined.
16//
17//===----------------------------------------------------------------------===//
18
19#include "ClangSACheckers.h"
20#include "clang/StaticAnalyzer/Core/Checker.h"
21#include "clang/StaticAnalyzer/Core/CheckerManager.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/ObjCMessage.h"
25#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
26#include "clang/AST/ParentMap.h"
27
28using namespace clang;
29using namespace ento;
30
31namespace {
32class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>,
33                                             check::PostStmt<CallExpr> > {
34  mutable llvm::OwningPtr<BugType> BT;
35  inline void initBugType() const {
36    if (!BT)
37      BT.reset(new BugType("CFArray API", "Core Foundation/Objective-C"));
38  }
39
40  inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const {
41    SVal ArrayRef = C.getState()->getSVal(E, C.getLocationContext());
42    SymbolRef ArraySym = ArrayRef.getAsSymbol();
43    assert(ArraySym);
44    return ArraySym;
45  }
46
47  void addSizeInfo(const Expr *Array, const Expr *Size,
48                   CheckerContext &C) const;
49
50public:
51  /// A tag to id this checker.
52  static void *getTag() { static int Tag; return &Tag; }
53
54  void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
55  void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
56};
57} // end anonymous namespace
58
59// ProgramState trait - a map from array symbol to it's state.
60typedef llvm::ImmutableMap<SymbolRef, DefinedSVal> ArraySizeM;
61
62namespace { struct ArraySizeMap {}; }
63namespace clang { namespace ento {
64template<> struct ProgramStateTrait<ArraySizeMap>
65    :  public ProgramStatePartialTrait<ArraySizeM > {
66  static void *GDMIndex() { return ObjCContainersChecker::getTag(); }
67};
68}}
69
70void ObjCContainersChecker::addSizeInfo(const Expr *Array, const Expr *Size,
71                                        CheckerContext &C) const {
72  ProgramStateRef State = C.getState();
73  SVal SizeV = State->getSVal(Size, C.getLocationContext());
74  // Undefined is reported by another checker.
75  if (SizeV.isUnknownOrUndef())
76    return;
77
78  // Get the ArrayRef symbol.
79  SVal ArrayRef = State->getSVal(Array, C.getLocationContext());
80  SymbolRef ArraySym = ArrayRef.getAsSymbol();
81  if (!ArraySym)
82    return;
83
84  C.addTransition(State->set<ArraySizeMap>(ArraySym, cast<DefinedSVal>(SizeV)));
85  return;
86}
87
88void ObjCContainersChecker::checkPostStmt(const CallExpr *CE,
89                                          CheckerContext &C) const {
90  StringRef Name = C.getCalleeName(CE);
91  if (Name.empty() || CE->getNumArgs() < 1)
92    return;
93
94  // Add array size information to the state.
95  if (Name.equals("CFArrayCreate")) {
96    if (CE->getNumArgs() < 3)
97      return;
98    // Note, we can visit the Create method in the post-visit because
99    // the CFIndex parameter is passed in by value and will not be invalidated
100    // by the call.
101    addSizeInfo(CE, CE->getArg(2), C);
102    return;
103  }
104
105  if (Name.equals("CFArrayGetCount")) {
106    addSizeInfo(CE->getArg(0), CE, C);
107    return;
108  }
109}
110
111void ObjCContainersChecker::checkPreStmt(const CallExpr *CE,
112                                         CheckerContext &C) const {
113  StringRef Name = C.getCalleeName(CE);
114  if (Name.empty() || CE->getNumArgs() < 2)
115    return;
116
117  // Check the array access.
118  if (Name.equals("CFArrayGetValueAtIndex")) {
119    ProgramStateRef State = C.getState();
120    // Retrieve the size.
121    // Find out if we saw this array symbol before and have information about it.
122    const Expr *ArrayExpr = CE->getArg(0);
123    const DefinedSVal *Size =
124                            State->get<ArraySizeMap>(getArraySym(ArrayExpr, C));
125    if (!Size)
126      return;
127
128    // Get the index.
129    const Expr *IdxExpr = CE->getArg(1);
130    SVal IdxVal = State->getSVal(IdxExpr, C.getLocationContext());
131    if (IdxVal.isUnknownOrUndef())
132      return;
133    DefinedSVal Idx = cast<DefinedSVal>(IdxVal);
134
135    // Now, check if 'Idx in [0, Size-1]'.
136    const QualType T = IdxExpr->getType();
137    ProgramStateRef StInBound = State->assumeInBound(Idx, *Size, true, T);
138    ProgramStateRef StOutBound = State->assumeInBound(Idx, *Size, false, T);
139    if (StOutBound && !StInBound) {
140      ExplodedNode *N = C.generateSink(StOutBound);
141      if (!N)
142        return;
143      initBugType();
144      BugReport *R = new BugReport(*BT, "Index is out of bounds", N);
145      R->addRange(IdxExpr->getSourceRange());
146      C.EmitReport(R);
147      return;
148    }
149  }
150}
151
152/// Register checker.
153void ento::registerObjCContainersChecker(CheckerManager &mgr) {
154  mgr.registerChecker<ObjCContainersChecker>();
155}
156