[cfe-commits] r86523 - in /cfe/trunk: include/clang/Analysis/PathSensitive/SVals.h lib/Analysis/FixedAddressChecker.cpp lib/Analysis/GRExprEngineInternalChecks.cpp lib/Analysis/GRExprEngineInternalChecks.h lib/Analysis/SVals.cpp test/Analysis/ptr-arith.c
Ted Kremenek
kremenek at apple.com
Mon Nov 9 15:55:44 PST 2009
Hi Zhongxing,
Very nice. I vaguely recall we used to do this check, albeit not as
directly. How do we want to handle cases like PR 5272 (http://llvm.org/bugs/show_bug.cgi?id=5272)?
Using hardcoded addresses is fine in certain circumstances.
On Nov 8, 2009, at 10:52 PM, Zhongxing Xu wrote:
> Author: zhongxingxu
> Date: Mon Nov 9 00:52:44 2009
> New Revision: 86523
>
> URL: http://llvm.org/viewvc/llvm-project?rev=86523&view=rev
> Log:
> Add checker for CWE-587: Assignment of a Fixed Address to a Pointer.
>
> Added:
> cfe/trunk/lib/Analysis/FixedAddressChecker.cpp
> Modified:
> cfe/trunk/include/clang/Analysis/PathSensitive/SVals.h
> cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.cpp
> cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.h
> cfe/trunk/lib/Analysis/SVals.cpp
> cfe/trunk/test/Analysis/ptr-arith.c
>
> Modified: cfe/trunk/include/clang/Analysis/PathSensitive/SVals.h
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Analysis/PathSensitive/SVals.h?rev=86523&r1=86522&r2=86523&view=diff
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/include/clang/Analysis/PathSensitive/SVals.h (original)
> +++ cfe/trunk/include/clang/Analysis/PathSensitive/SVals.h Mon Nov
> 9 00:52:44 2009
> @@ -96,6 +96,8 @@
> return getRawKind() > UnknownKind;
> }
>
> + bool isConstant() const;
> +
> bool isZeroConstant() const;
>
> /// hasConjuredSymbol - If this SVal wraps a conjured symbol,
> return true;
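Review bot: The new `isConstant()` declaration has no doc comment, while the neighbouring `hasConjuredSymbol` has one, and the name alone does not say that only concrete integers count. Going by the definition added in SVals.cpp, something like `/// isConstant - Returns true if this SVal is a nonloc::ConcreteInt or a loc::ConcreteInt.` would do. The enclosing class starts and ends outside this hunk.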
>
> Added: cfe/trunk/lib/Analysis/FixedAddressChecker.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/FixedAddressChecker.cpp?rev=86523&view=auto
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/lib/Analysis/FixedAddressChecker.cpp (added)
> +++ cfe/trunk/lib/Analysis/FixedAddressChecker.cpp Mon Nov 9
> 00:52:44 2009
> @@ -0,0 +1,69 @@
> +//=== FixedAddressChecker.cpp - Fixed address usage checker ----*- C
> ++ -*--===//
> +//
> +// The LLVM Compiler Infrastructure
> +//
> +// This file is distributed under the University of Illinois Open
> Source
> +// License. See LICENSE.TXT for details.
> +//
> +//
> =
> =
> =
> ----------------------------------------------------------------------=
> ==//
> +//
> +// This files defines FixedAddressChecker, a builtin checker that
> checks for
> +// assignment of a fixed address to a pointer.
> +// This check corresponds to CWE-587.
> +//
> +//
> =
> =
> =
> ----------------------------------------------------------------------=
> ==//
> +
> +#include "clang/Analysis/PathSensitive/CheckerVisitor.h"
> +#include "GRExprEngineInternalChecks.h"
> +
> +using namespace clang;
> +
> +namespace {
> +class VISIBILITY_HIDDEN FixedAddressChecker
> + : public CheckerVisitor<FixedAddressChecker> {
> + BuiltinBug *BT;
> +public:
> + FixedAddressChecker() : BT(0) {}
> + static void *getTag();
> + void PreVisitBinaryOperator(CheckerContext &C, const
> BinaryOperator *B);
> +};
> +}
> +
> +void *FixedAddressChecker::getTag() {
> + static int x;
> + return &x;
> +}
> +
> +void FixedAddressChecker::PreVisitBinaryOperator(CheckerContext &C,
> + const
> BinaryOperator *B) {
> + // Using a fixed address is not portable because that address
> will probably
> + // not be valid in all environments or platforms.
> +
> + if (B->getOpcode() != BinaryOperator::Assign)
> + return;
> +
> + QualType T = B->getType();
> + if (!T->isPointerType())
> + return;
> +
> + const GRState *state = C.getState();
> +
> + SVal RV = state->getSVal(B->getRHS());
> +
> + if (!RV.isConstant() || RV.isZeroConstant())
> + return;
> +
> + if (ExplodedNode *N = C.GenerateNode(B)) {
> + if (!BT)
> + BT = new BuiltinBug("Use fixed address",
> + "Using a fixed address is not portable
> because that address will probably not be valid in all environments
> or platforms.");
> + RangedBugReport *R = new RangedBugReport(*BT, BT->getDescription
> ().c_str(),
> + N);
> + R->addRange(B->getRHS()->getSourceRange());
> + C.EmitReport(R);
> + }
> +}
> +
> +void clang::RegisterFixedAddressChecker(GRExprEngine &Eng) {
> + Eng.registerCheck(new FixedAddressChecker());
> +}
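Review bot: `PreVisitBinaryOperator` returns early unless the opcode is `BinaryOperator::Assign`, so the CWE-587 check covers only `p = <constant>`. A declaration with an initializer such as `int *p = (int*) 0x10000;` is not a binary operator and would presumably never reach this callback, and the same goes for a fixed address passed as an argument or returned from a function. If that narrowing is intended for a first version, say so in the comment at the top of the function, e.g. `// FIXME: Only '=' is checked; initializers, arguments and return values are not.`, and add an initializer case to the test so the gap is visible. The class itself also has no comment stating what it reports.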
>
> Modified: cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.cpp?rev=86523&r1=86522&r2=86523&view=diff
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.cpp (original)
> +++ cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.cpp Mon Nov 9
> 00:52:44 2009
> @@ -413,7 +413,7 @@
> RegisterReturnStackAddressChecker(*this);
> RegisterReturnUndefChecker(*this);
> RegisterPointerSubChecker(*this);
> -
> + RegisterFixedAddressChecker(*this);
> // Note that this must be registered after
> ReturnStackAddressChecker.
> RegisterReturnPointerRangeChecker(*this);
> }
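Review bot: The added `RegisterFixedAddressChecker(*this);` replaces the blank line that set the ordering note apart, so the comment `// Note that this must be registered after ReturnStackAddressChecker.` now reads as if it might belong to the new call rather than to `RegisterReturnPointerRangeChecker`. Keeping a blank line after the new registration preserves the grouping and makes the ordering constraint harder to break in a later edit. The enclosing function starts outside this hunk.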
>
> Modified: cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.h
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.h?rev=86523&r1=86522&r2=86523&view=diff
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.h (original)
> +++ cfe/trunk/lib/Analysis/GRExprEngineInternalChecks.h Mon Nov 9
> 00:52:44 2009
> @@ -24,6 +24,7 @@
> void RegisterReturnStackAddressChecker(GRExprEngine &Eng);
> void RegisterReturnUndefChecker(GRExprEngine &Eng);
> void RegisterVLASizeChecker(GRExprEngine &Eng);
> -void RegisterPointerSubChecker(GRExprEngine &Eng);
> +void RegisterPointerSubChecker(GRExprEngine &Eng);
> +void RegisterFixedAddressChecker(GRExprEngine &Eng);
> } // end clang namespace
> #endif
>
> Modified: cfe/trunk/lib/Analysis/SVals.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Analysis/SVals.cpp?rev=86523&r1=86522&r2=86523&view=diff
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/lib/Analysis/SVals.cpp (original)
> +++ cfe/trunk/lib/Analysis/SVals.cpp Mon Nov 9 00:52:44 2009
> @@ -173,6 +173,10 @@
> // Useful predicates.
> //
> =
> =
> =
> ----------------------------------------------------------------------=
> ==//
>
> +bool SVal::isConstant() const {
> + return isa<nonloc::ConcreteInt>(this) || isa<loc::ConcreteInt>
> (this);
> +}
> +
> bool SVal::isZeroConstant() const {
> if (isa<loc::ConcreteInt>(*this))
> return cast<loc::ConcreteInt>(*this).getValue() == 0;
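Review bot: `isConstant()` passes the pointer `this` to `isa<>` while `isZeroConstant()` directly below passes `*this`; both forms presumably resolve to the same classof check, but the mix makes a reader stop and verify. For consistency with the neighbouring predicate, write `return isa<nonloc::ConcreteInt>(*this) || isa<loc::ConcreteInt>(*this);`. `isZeroConstant()` continues outside the hunk.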
>
> Modified: cfe/trunk/test/Analysis/ptr-arith.c
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/ptr-arith.c?rev=86523&r1=86522&r2=86523&view=diff
>
> =
> =
> =
> =
> =
> =
> =
> =
> ======================================================================
> --- cfe/trunk/test/Analysis/ptr-arith.c (original)
> +++ cfe/trunk/test/Analysis/ptr-arith.c Mon Nov 9 00:52:44 2009
> @@ -36,3 +36,8 @@
> int x, y;
> int d = &y - &x; // expected-warning{{Subtraction of two pointers
> that do not point to the same memory chunk may cause incorrect
> result.}}
> }
> +
> +void f4() {
> + int *p;
> + p = (int*) 0x10000; // expected-warning{{Using a fixed address is
> not portable because that address will probably not be valid in all
> environments or platforms.}}
> +}
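Review bot: `f4` only exercises the positive case; nothing pins the `RV.isZeroConstant()` exemption in the checker, so a later change could start warning on null assignments without any test failing. Adding `p = 0; // no-warning` to `f4` would cover it. The function closed at the top of the hunk starts outside it.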
>
>