[cfe-commits] r86464 - in /cfe/trunk: include/clang/Analysis/LocalCheckers.h include/clang/Frontend/Analyses.def lib/Analysis/CheckSizeofPointer.cpp lib/Frontend/AnalysisConsumer.cpp

Ted Kremenek kremenek at apple.com
Mon Nov 9 15:07:51 PST 2009 

Hi Zhongxing,

I'm a little concerned about the promiscuity of this check in general,  
as it seems like it could produce a lot of false positives.  Have you  
tried running this check over several real-world projects to get a  
feel on the false positive rate (or even the number of times this  
check triggers)?

It also seems to me that this check needs to be flow/path sensitive.   
The diagnostic says that the pointer is "malloced", but in truth the  
check will fire when taking the sizeof of any pointer expression.  In  
order for the check to be accurate, it seems like we would need to  
track if symbol was actually returned from malloc() and then see if it  
is passed to sizeof().  This seems possible by adding a new PreVisit  
method for SizeOfAlignOfExpr, and checking if the SymbolicRegion wraps  
a conjured symbol that is associated with a CallExpr for malloc().   
That would make the check more precise, and at least the diagnostic  
would match with the actual code.

What do you think?

Ted

On Nov 8, 2009, at 5:10 AM, Zhongxing Xu wrote:

> Author: zhongxingxu
> Date: Sun Nov  8 07:10:34 2009
> New Revision: 86464
>
> URL: http://llvm.org/viewvc/llvm-project?rev=86464&view=rev
> Log:
> Add a checker for CWE-467: Use of sizeof() on a Pointer Type.
>
> Added:
>    cfe/trunk/lib/Analysis/CheckSizeofPointer.cpp
> Modified:
>    cfe/trunk/include/clang/Analysis/LocalCheckers.h
>    cfe/trunk/include/clang/Frontend/Analyses.def
>    cfe/trunk/lib/Frontend/AnalysisConsumer.cpp
>
> Modified: cfe/trunk/include/clang/Analysis/LocalCheckers.h
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Analysis/LocalCheckers.h?rev=86464&r1=86463&r2=86464&view=diff
>
> = 
> = 
> = 
> = 
> = 
> = 
> = 
> = 
> ======================================================================
> --- cfe/trunk/include/clang/Analysis/LocalCheckers.h (original)
> +++ cfe/trunk/include/clang/Analysis/LocalCheckers.h Sun Nov  8  
> 07:10:34 2009
> @@ -53,7 +53,7 @@
>
> void CheckSecuritySyntaxOnly(const Decl *D, BugReporter &BR);
>
> -
> +void CheckSizeofPointer(const Decl *D, BugReporter &BR);
> } // end namespace clang
>
> #endif
>
> Modified: cfe/trunk/include/clang/Frontend/Analyses.def
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Frontend/Analyses.def?rev=86464&r1=86463&r2=86464&view=diff
>
> = 
> = 
> = 
> = 
> = 
> = 
> = 
> = 
> ======================================================================
> --- cfe/trunk/include/clang/Frontend/Analyses.def (original)
> +++ cfe/trunk/include/clang/Frontend/Analyses.def Sun Nov  8  
> 07:10:34 2009
> @@ -48,6 +48,9 @@
> ANALYSIS(CheckerCFRef, "checker-cfref",
>          "Run the [Core] Foundation reference count checker", Code)
>
> +ANALYSIS(WarnSizeofPointer, "warn-sizeof-pointer",
> +         "Warn about unintended use of sizeof() on pointer  
> expressions", Code)
> +
> ANALYSIS(InlineCall, "inline-call",
>          "Experimental transfer function inling callees when its  
> definition"
>          " is available.", TranslationUnit)
>
> Added: cfe/trunk/lib/Analysis/CheckSizeofPointer.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/CheckSizeofPointer.cpp?rev=86464&view=auto
>
> = 
> = 
> = 
> = 
> = 
> = 
> = 
> = 
> ======================================================================
> --- cfe/trunk/lib/Analysis/CheckSizeofPointer.cpp (added)
> +++ cfe/trunk/lib/Analysis/CheckSizeofPointer.cpp Sun Nov  8  
> 07:10:34 2009
> @@ -0,0 +1,58 @@
> +//==- CheckSizeofPointer.cpp - Check for sizeof on pointers ------ 
> *- C++ -*-==//
> +//
> +//                     The LLVM Compiler Infrastructure
> +//
> +// This file is distributed under the University of Illinois Open  
> Source
> +// License. See LICENSE.TXT for details.
> +//
> +// 
> = 
> = 
> = 
> ----------------------------------------------------------------------= 
> ==//
> +//
> +//  This file defines a check for unintended use of sizeof() on  
> pointer
> +//  expressions.
> +//
> +// 
> = 
> = 
> = 
> ----------------------------------------------------------------------= 
> ==//
> +
> +#include "clang/Analysis/PathSensitive/BugReporter.h"
> +#include "clang/AST/StmtVisitor.h"
> +#include "clang/Analysis/LocalCheckers.h"
> +#include "llvm/Support/Compiler.h"
> +
> +using namespace clang;
> +
> +namespace {
> +class VISIBILITY_HIDDEN WalkAST : public StmtVisitor<WalkAST> {
> +  BugReporter &BR;
> +
> +public:
> +  WalkAST(BugReporter &br) : BR(br) {}
> +  void VisitSizeOfAlignOfExpr(SizeOfAlignOfExpr *E);
> +  void VisitStmt(Stmt *S) { VisitChildren(S); }
> +  void VisitChildren(Stmt *S);
> +};
> +}
> +
> +void WalkAST::VisitChildren(Stmt *S) {
> +  for (Stmt::child_iterator I = S->child_begin(), E = S->child_end 
> (); I!=E; ++I)
> +    if (Stmt *child = *I)
> +      Visit(child);
> +}
> +
> +// CWE-467: Use of sizeof() on a Pointer Type
> +void WalkAST::VisitSizeOfAlignOfExpr(SizeOfAlignOfExpr *E) {
> +  if (!E->isSizeOf())
> +    return;
> +
> +  QualType T = E->getTypeOfArgument();
> +  if (T->isPointerType()) {
> +    SourceRange R = E->getArgumentExpr()->getSourceRange();
> +    BR.EmitBasicReport("Potential unintended use of sizeof() on  
> pointer type",
> +                       "Logic",
> +                       "The code calls sizeof() on a malloced  
> pointer type, which always returns the wordsize/8. This can produce  
> an unexpected result if the programmer intended to determine how  
> much memory has been allocated.",
> +                       E->getLocStart(), &R, 1);
> +  }
> +}
> +
> +void clang::CheckSizeofPointer(const Decl *D, BugReporter &BR) {
> +  WalkAST walker(BR);
> +  walker.Visit(D->getBody());
> +}
>
> Modified: cfe/trunk/lib/Frontend/AnalysisConsumer.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Frontend/AnalysisConsumer.cpp?rev=86464&r1=86463&r2=86464&view=diff
>
> = 
> = 
> = 
> = 
> = 
> = 
> = 
> = 
> ======================================================================
> --- cfe/trunk/lib/Frontend/AnalysisConsumer.cpp (original)
> +++ cfe/trunk/lib/Frontend/AnalysisConsumer.cpp Sun Nov  8 07:10:34  
> 2009
> @@ -412,6 +412,11 @@
>   CheckObjCInstMethSignature(cast<ObjCImplementationDecl>(D), BR);
> }
>
> +static void ActionWarnSizeofPointer(AnalysisManager &mgr, Decl *D) {
> +  BugReporter BR(mgr);
> +  CheckSizeofPointer(D, BR);
> +}
> +
> static void ActionInlineCall(AnalysisManager &mgr, Decl *D) {
>   if (!D)
>     return;
>
>
> _______________________________________________
> cfe-commits mailing list
> cfe-commits at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits

More information about the cfe-commits mailing list