[cfe-commits] r86252 - in /cfe/trunk: include/clang/Analysis/PathSensitive/Checker.h lib/Analysis/CMakeLists.txt lib/Analysis/GRExprEngineInternalChecks.cpp lib/Analysis/GRExprEngineInternalChecks.h lib/Analysis/ReturnPointerRangeChecker.cpp test/Analysis/region-only-test.c
Ted Kremenek
kremenek at apple.com
Fri Nov 6 12:16:57 PST 2009
Awesome!
On Nov 6, 2009, at 5:30 AM, Zhongxing Xu wrote:
> Author: zhongxingxu
> Date: Fri Nov 6 07:30:44 2009
> New Revision: 86252
>
> URL: http://llvm.org/viewvc/llvm-project?rev=86252&view=rev
> Log:
> Add a checker for CWE-466: Return of Pointer Value Outside of
> Expected Range.
>
> Added:
> cfe/trunk/lib/Analysis/ReturnPointerRangeChecker.cpp
> Modified:
> cfe/trunk/include/clang/Analysis/PathSensitive/Checker.h
> cfe/trunk/lib/Analysis/CMakeLists.txt
> cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.cpp
> cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.h
> cfe/trunk/test/Analysis/region-only-test.c
>
> Modified: cfe/trunk/include/clang/Analysis/PathSensitive/Checker.h
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Analysis/PathSensitive/Checker.h?rev=86252&r1=86251&r2=86252&view=diff
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/include/clang/Analysis/PathSensitive/Checker.h
> (original)
> +++ cfe/trunk/include/clang/Analysis/PathSensitive/Checker.h Fri
> Nov 6 07:30:44 2009
> @@ -64,6 +64,11 @@
> ConstraintManager &getConstraintManager() {
> return Eng.getConstraintManager();
> }
> +
> + StoreManager &getStoreManager() {
> + return Eng.getStoreManager();
> + }
> +
> ExplodedNodeSet &getNodeSet() { return Dst; }
> GRStmtNodeBuilder &getNodeBuilder() { return B; }
> ExplodedNode *&getPredecessor() { return Pred; }
>
> Modified: cfe/trunk/lib/Analysis/CMakeLists.txt
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/CMakeLists.txt?rev=86252&r1=86251&r2=86252&view=diff
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/lib/Analysis/CMakeLists.txt (original)
> +++ cfe/trunk/lib/Analysis/CMakeLists.txt Fri Nov 6 07:30:44 2009
> @@ -36,6 +36,7 @@
> PathDiagnostic.cpp
> RangeConstraintManager.cpp
> RegionStore.cpp
> + ReturnPointerRangeChecker.cpp
> ReturnStackAddressChecker.cpp
> ReturnUndefChecker.cpp
> SVals.cpp
>
> Modified: cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.cpp?rev=86252&r1=86251&r2=86252&view=diff
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.cpp (original)
> +++ cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.cpp Fri Nov 6
> 07:30:44 2009
> @@ -405,6 +405,7 @@
> // object.
> RegisterReturnStackAddressChecker(*this);
> RegisterReturnUndefChecker(*this);
> + RegisterReturnPointerRangeChecker(*this);
> registerCheck(new AttrNonNullChecker());
> registerCheck(new UndefinedArgChecker());
> registerCheck(new UndefinedAssignmentChecker());
>
> Modified: cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.h
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.h?rev=86252&r1=86251&r2=86252&view=diff
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.h (original)
> +++ cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.h Fri Nov 6
> 07:30:44 2009
> @@ -21,6 +21,7 @@
>
> void RegisterReturnStackAddressChecker(GRExprEngine &Eng);
> void RegisterReturnUndefChecker(GRExprEngine &Eng);
> +void RegisterReturnPointerRangeChecker(GRExprEngine &Eng);
>
> } // end clang namespace
> #endif
>
> Added: cfe/trunk/lib/Analysis/ReturnPointerRangeChecker.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/ReturnPointerRangeChecker.cpp?rev=86252&view=auto
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/lib/Analysis/ReturnPointerRangeChecker.cpp (added)
> +++ cfe/trunk/lib/Analysis/ReturnPointerRangeChecker.cpp Fri Nov 6
> 07:30:44 2009
> @@ -0,0 +1,86 @@
> +//== ReturnPointerRangeChecker.cpp ------------------------------*-
> C++ -*--==//
> +//
> +// The LLVM Compiler Infrastructure
> +//
> +// This file is distributed under the University of Illinois Open
> Source
> +// License. See LICENSE.TXT for details.
> +//
> +//
> =
> =
> =
> ----------------------------------------------------------------------=
> ==//
> +//
> +// This file defines ReturnPointerRangeChecker, which is a path-
> sensitive check
> +// which looks for an out-of-bound pointer being returned to callers.
> +//
> +//
> =
> =
> =
> ----------------------------------------------------------------------=
> ==//
> +
> +#include "GRExprEngineInternalChecks.h"
> +#include "clang/Analysis/PathSensitive/GRExprEngine.h"
> +#include "clang/Analysis/PathSensitive/BugReporter.h"
> +#include "clang/Analysis/PathSensitive/CheckerVisitor.h"
> +
> +using namespace clang;
> +
> +namespace {
> +class VISIBILITY_HIDDEN ReturnPointerRangeChecker :
> + public CheckerVisitor<ReturnPointerRangeChecker> {
> + BuiltinBug *BT;
> +public:
> + ReturnPointerRangeChecker() : BT(0) {}
> + static void *getTag();
> + void PreVisitReturnStmt(CheckerContext &C, const ReturnStmt *RS);
> +};
> +}
> +
> +void clang::RegisterReturnPointerRangeChecker(GRExprEngine &Eng) {
> + Eng.registerCheck(new ReturnPointerRangeChecker());
> +}
> +
> +void *ReturnPointerRangeChecker::getTag() {
> + static int x = 0; return &x;
> +}
> +
> +void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
> + const ReturnStmt
> *RS) {
> + const GRState *state = C.getState();
> +
> + const Expr *RetE = RS->getRetValue();
> + if (!RetE)
> + return;
> +
> + SVal V = state->getSVal(RetE);
> + const MemRegion *R = V.getAsRegion();
> +
> + const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
> + if (!ER)
> + return;
> +
> + DefinedOrUnknownSVal &Idx = cast<DefinedOrUnknownSVal>(ER-
> >getIndex());
> +
> + // Zero index is always in bound, this also passes ElementRegions
> created for
> + // pointer casts.
> + if (Idx.isZeroConstant())
> + return;
> +
> + SVal NumVal = C.getStoreManager().getSizeInElements(state,
> + ER-
> >getSuperRegion());
> + DefinedOrUnknownSVal &NumElements = cast<DefinedOrUnknownSVal>
> (NumVal);
> +
> + const GRState *StInBound = state->AssumeInBound(Idx, NumElements,
> true);
> + const GRState *StOutBound = state->AssumeInBound(Idx,
> NumElements, false);
> + if (StOutBound && !StInBound) {
> + ExplodedNode *N = C.GenerateNode(RS, StOutBound, true);
> +
> + if (!N)
> + return;
> +
> + if (!BT)
> + BT = new BuiltinBug("Return of Pointer Value Outside of
> Expected Range");
> +
> + // Generate a report for this bug.
> + RangedBugReport *report =
> + new RangedBugReport(*BT, BT->getDescription().c_str(), N);
> +
> + report->addRange(RS->getSourceRange());
> +
> + C.EmitReport(report);
> + }
> +}
>
> Modified: cfe/trunk/test/Analysis/region-only-test.c
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/region-only-test.c?rev=86252&r1=86251&r2=86252&view=diff
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/test/Analysis/region-only-test.c (original)
> +++ cfe/trunk/test/Analysis/region-only-test.c Fri Nov 6 07:30:44
> 2009
> @@ -11,3 +11,10 @@
> if (p[0] == 1)
> (void)*x; // no-warning
> }
> +
> +int a[10];
> +
> +int *f0() {
> + int *p = a+10;
> + return p; // expected-warning{{Return of Pointer Value Outside of
> Expected Range}}
> +}
>
>