Home Explore Help
Register Sign In
FangSoftSoft
/
clang
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 04291a7c76
Branches Tags
clang
/
lib
/
StaticAnalyzer
/
Checkers
/
PointerSubChecker.cpp

PointerSubChecker.cpp 2.4 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 
  1. //=== PointerSubChecker.cpp - Pointer subtraction checker ------*- C++ -*--===//
    2. 

  2. //
    3. 

  3. //                     The LLVM Compiler Infrastructure
    4. 

  4. //
    5. 

  5. // This file is distributed under the University of Illinois Open Source
    6. 

  6. // License. See LICENSE.TXT for details.
    7. 

  7. //
    8. 

  8. //===----------------------------------------------------------------------===//
    9. 

  9. //
    10. 

  10. // This files defines PointerSubChecker, a builtin checker that checks for
    11. 

  11. // pointer subtractions on two pointers pointing to different memory chunks. 
    12. 

  12. // This check corresponds to CWE-469.
    13. 

  13. //
    14. 

  14. //===----------------------------------------------------------------------===//
    15. 

  15. 

  16. #include "InternalChecks.h"
    17. 

  17. #include "clang/StaticAnalyzer/BugReporter/BugType.h"
    18. 

  18. #include "clang/StaticAnalyzer/PathSensitive/CheckerVisitor.h"
    19. 

  19. 

  20. using namespace clang;
    21. 

  21. using namespace ento;
    22. 

  22. 

  23. namespace {
    24. 

  24. class PointerSubChecker 
    25. 

  25.   : public CheckerVisitor<PointerSubChecker> {
    26. 

  26.   BuiltinBug *BT;
    27. 

  27. public:
    28. 

  28.   PointerSubChecker() : BT(0) {}
    29. 

  29.   static void *getTag();
    30. 

  30.   void PreVisitBinaryOperator(CheckerContext &C, const BinaryOperator *B);
    31. 

  31. };
    32. 

  32. }
    33. 

  33. 

  34. void *PointerSubChecker::getTag() {
    35. 

  35.   static int x;
    36. 

  36.   return &x;
    37. 

  37. }
    38. 

  38. 

  39. void PointerSubChecker::PreVisitBinaryOperator(CheckerContext &C,
    40. 

  40.                                                const BinaryOperator *B) {
    41. 

  41.   // When doing pointer subtraction, if the two pointers do not point to the
    42. 

  42.   // same memory chunk, emit a warning.
    43. 

  43.   if (B->getOpcode() != BO_Sub)
    44. 

  44.     return;
    45. 

  45. 

  46.   const GRState *state = C.getState();
    47. 

  47.   SVal LV = state->getSVal(B->getLHS());
    48. 

  48.   SVal RV = state->getSVal(B->getRHS());
    49. 

  49. 

  50.   const MemRegion *LR = LV.getAsRegion();
    51. 

  51.   const MemRegion *RR = RV.getAsRegion();
    52. 

  52. 

  53.   if (!(LR && RR))
    54. 

  54.     return;
    55. 

  55. 

  56.   const MemRegion *BaseLR = LR->getBaseRegion();
    57. 

  57.   const MemRegion *BaseRR = RR->getBaseRegion();
    58. 

  58. 

  59.   if (BaseLR == BaseRR)
    60. 

  60.     return;
    61. 

  61. 

  62.   // Allow arithmetic on different symbolic regions.
    63. 

  63.   if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR))
    64. 

  64.     return;
    65. 

  65. 

  66.   if (ExplodedNode *N = C.generateNode()) {
    67. 

  67.     if (!BT)
    68. 

  68.       BT = new BuiltinBug("Pointer subtraction", 
    69. 

  69.                           "Subtraction of two pointers that do not point to "
    70. 

  70.                           "the same memory chunk may cause incorrect result.");
    71. 

  71.     RangedBugReport *R = new RangedBugReport(*BT, BT->getDescription(), N);
    72. 

  72.     R->addRange(B->getSourceRange());
    73. 

  73.     C.EmitReport(R);
    74. 

  74.   }
    75. 

  75. }
    76. 

  76. 

  77. void ento::RegisterPointerSubChecker(ExprEngine &Eng) {
    78. 

  78.   Eng.registerCheck(new PointerSubChecker());
    79. 

  79. }
    80.