typedef llvm::SmallPtrSet<NodeTy*,2> UndefResultsTy;
typedef llvm::SmallPtrSet<NodeTy*,2> RetsStackAddrTy;
typedef llvm::SmallPtrSet<NodeTy*,2> RetsUndefTy;
+ typedef llvm::SmallPtrSet<NodeTy*,2> OutOfBoundMemAccessesTy;
protected:
/// message expressions where a pass-by-value argument has an undefined
/// value.
UndefArgsTy MsgExprUndefArgs;
+
+ /// OutOfBoundMemAccesses - Nodes in the ExplodedGraph resulting from
+ /// out-of-bound memory accesses where the index MAY be out-of-bound.
+ OutOfBoundMemAccessesTy ImplicitOOBMemAccesses;
+
+ /// OutOfBoundMemAccesses - Nodes in the ExplodedGraph resulting from
+ /// out-of-bound memory accesses where the index MUST be out-of-bound.
+ OutOfBoundMemAccessesTy ExplicitOOBMemAccesses;
public:
GRExprEngine(CFG& cfg, Decl& CD, ASTContext& Ctx, LiveVariables& L,
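Review bot: The header comments on the two new members are both titled `OutOfBoundMemAccesses`, which is the typedef's name rather than the members `ImplicitOOBMemAccesses` and `ExplicitOOBMemAccesses` declared beneath them, so the `Name - description` convention used by the surrounding comments is broken and a reader grepping for the member finds no doc. I would retitle them `/// ImplicitOOBMemAccesses - Nodes in the ExplodedGraph resulting from` and `/// ExplicitOOBMemAccesses - Nodes in the ExplodedGraph resulting from`, keeping the existing MAY/MUST second lines. It would also help to state that these nodes are sinks (the path is abandoned at the access), since that is what the engine does when it inserts them. The enclosing class declaration starts and ends outside this hunk.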
bool isUndefArg(const NodeTy* N) const {
return N->isSink() &&
(UndefArgs.find(const_cast<NodeTy*>(N)) != UndefArgs.end() ||
- MsgExprUndefArgs.find(const_cast<NodeTy*>(N)) != MsgExprUndefArgs.end());
+ MsgExprUndefArgs.find(const_cast<NodeTy*>(N)) != MsgExprUndefArgs.end());
}
bool isUndefReceiver(const NodeTy* N) const {
undef_receivers_iterator undef_receivers_end() {
return UndefReceivers.end();
}
-
+
+ typedef OutOfBoundMemAccessesTy::iterator oob_memacc_iterator;
+ oob_memacc_iterator implicit_oob_memacc_begin() {
+ return ImplicitOOBMemAccesses.begin();
+ }
+ oob_memacc_iterator implicit_oob_memacc_end() {
+ return ImplicitOOBMemAccesses.end();
+ }
+ oob_memacc_iterator explicit_oob_memacc_begin() {
+ return ExplicitOOBMemAccesses.begin();
+ }
+ oob_memacc_iterator explicit_oob_memacc_end() {
+ return ExplicitOOBMemAccesses.end();
+ }
+
void AddCheck(GRSimpleAPICheck* A, Stmt::StmtClass C);
/// ProcessStmt - Called by GRCoreEngine. Used to generate new successor
if (isFeasibleOutBound) {
// Report warning.
- StOutBound = 0;
+ // Make sink node manually.
+ ProgramPoint::Kind K = isLoad ? ProgramPoint::PostLoadKind
+ : ProgramPoint::PostStoreKind;
+
+ NodeTy* OOBNode = Builder->generateNode(Ex, StOutBound, Pred, K);
+
+ if (OOBNode) {
+ OOBNode->markAsSink();
+
+ if (isFeasibleInBound)
+ ImplicitOOBMemAccesses.insert(OOBNode);
+ else
+ ExplicitOOBMemAccesses.insert(OOBNode);
+ }
}
return isFeasibleInBound ? StInBound : NULL;
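Review bot: The `// Report warning.` comment kept above the new code is now misleading: nothing is reported at this point, the out-of-bound state is turned into a sink node and recorded in one of the two sets for a later pass to emit. I would replace it with `// Record the out-of-bound state as a sink node; the warning itself is emitted later by the OutOfBoundMemoryAccess checker.` Note that when the index MAY be out of bound the node goes into the implicit set while the in-bound state is still returned and the path continues, so a possible overflow is tolerated on that path and whether it is ever surfaced depends entirely on who consumes `ImplicitOOBMemAccesses`. When `generateNode` returns null nothing is recorded at all; if that only happens for an already-existing node it is harmless, but a one-line comment saying so would save the next reader the question. The enclosing function starts and ends outside this hunk.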
SVal LHSVal;
- if (Result.isUnknown() && (Loc::IsLocType(CTy) ||
- (CTy->isScalarType() && CTy->isIntegerType()))) {
+ if (Result.isUnknown() && (Loc::IsLocType(CTy)
+ || (CTy->isScalarType() && CTy->isIntegerType()))) {
unsigned Count = Builder->getCurrentBlockCount();
? cast<SVal>(loc::SymbolVal(Sym))
: cast<SVal>(nonloc::SymbolVal(Sym));
- // However, we need to convert the symbol to the computation type.
+ // However, we need to convert the symbol to the computation type.
Result = (LTy == CTy) ? LHSVal : EvalCast(LHSVal,CTy);
}
else {
}
};
+class VISIBILITY_HIDDEN OutOfBoundMemoryAccess : public BuiltinBug {
+public:
+ OutOfBoundMemoryAccess() : BuiltinBug("out-of-bound memory access",
+ "Load or store into an out-of-bound memory position.") {}
+
+ virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
+ Emit(BR, Eng.explicit_oob_memacc_begin(), Eng.explicit_oob_memacc_end());
+ }
+};
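Review bot: `EmitBuiltinWarnings` reports only the explicit (MUST) set, so the implicit (MAY be out-of-bound) nodes reachable through `implicit_oob_memacc_begin()` are never surfaced by this checker, and nothing in the patch documents that choice. From a security standpoint the MAY case is the common one for an index derived from external input with an unconstrained range, so if the omission is deliberate (to avoid false positives on the in-bound path) it should say so: `// Only MUST-out-of-bound accesses are reported; MAY cases are collected in ImplicitOOBMemAccesses but deliberately not emitted here to limit false positives.` If it is not deliberate, a second `Emit` over `Eng.implicit_oob_memacc_begin()`/`implicit_oob_memacc_end()` with its own, weaker description would close the gap. Either way the class would benefit from a one-line header comment describing the diagnostic and which of the two sets it draws from.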
+
//===----------------------------------------------------------------------===//
// __attribute__(nonnull) checking
Register(new BadArg());
Register(new BadMsgExprArg());
Register(new BadReceiver());
+ Register(new OutOfBoundMemoryAccess());
AddCheck(new CheckAttrNonNull(), Stmt::CallExprClass);
}