From: Zhongxing Xu Date: Mon, 18 Jan 2010 08:54:31 +0000 (+0000) Subject: Add support for computing size in elements for symbolic regions obtained from X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3ed04d37573c566205d965d2e91d54ccae898d0a;p=clang Add support for computing size in elements for symbolic regions obtained from malloc(). git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@93722 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/include/clang/Analysis/PathSensitive/Store.h b/include/clang/Analysis/PathSensitive/Store.h index 70c17accb7..5606df0014 100644 --- a/include/clang/Analysis/PathSensitive/Store.h +++ b/include/clang/Analysis/PathSensitive/Store.h @@ -105,7 +105,8 @@ public: // FIXME: Make out-of-line. virtual DefinedOrUnknownSVal getSizeInElements(const GRState *state, - const MemRegion *region) { + const MemRegion *region, + QualType EleTy) { return UnknownVal(); } diff --git a/lib/Analysis/ArrayBoundChecker.cpp b/lib/Analysis/ArrayBoundChecker.cpp index 3d95ab1834..49c8606826 100644 --- a/lib/Analysis/ArrayBoundChecker.cpp +++ b/lib/Analysis/ArrayBoundChecker.cpp @@ -57,7 +57,8 @@ void ArrayBoundChecker::VisitLocation(CheckerContext &C, const Stmt *S, SVal l){ // Get the size of the array. DefinedOrUnknownSVal NumElements - = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion()); + = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(), + ER->getValueType(C.getASTContext())); const GRState *StInBound = state->AssumeInBound(Idx, NumElements, true); const GRState *StOutBound = state->AssumeInBound(Idx, NumElements, false); diff --git a/lib/Analysis/MallocChecker.cpp b/lib/Analysis/MallocChecker.cpp index 5bd27912e4..28f4db7880 100644 --- a/lib/Analysis/MallocChecker.cpp +++ b/lib/Analysis/MallocChecker.cpp @@ -72,7 +72,7 @@ public: private: void MallocMem(CheckerContext &C, const CallExpr *CE); const GRState *MallocMemAux(CheckerContext &C, const CallExpr *CE, - const GRState *state); + const Expr *SizeEx, const GRState *state); void FreeMem(CheckerContext &C, const CallExpr *CE); const GRState *FreeMemAux(CheckerContext &C, const CallExpr *CE, const GRState *state); @@ -136,18 +136,24 @@ bool MallocChecker::EvalCallExpr(CheckerContext &C, const CallExpr *CE) { } void MallocChecker::MallocMem(CheckerContext &C, const CallExpr *CE) { - const GRState *state = MallocMemAux(C, CE, C.getState()); + const GRState *state = MallocMemAux(C, CE, CE->getArg(0), C.getState()); C.addTransition(state); } const GRState *MallocChecker::MallocMemAux(CheckerContext &C, const CallExpr *CE, + const Expr *SizeEx, const GRState *state) { unsigned Count = C.getNodeBuilder().getCurrentBlockCount(); ValueManager &ValMgr = C.getValueManager(); SVal RetVal = ValMgr.getConjuredSymbolVal(NULL, CE, CE->getType(), Count); + SVal Size = state->getSVal(SizeEx); + + state = C.getEngine().getStoreManager().setExtent(state, RetVal.getAsRegion(), + Size); + state = state->BindExpr(CE, RetVal); SymbolRef Sym = RetVal.getAsLocSymbol(); @@ -216,7 +222,7 @@ void MallocChecker::ReallocMem(CheckerContext &C, const CallExpr *CE) { if (Sym) stateEqual = stateEqual->set(Sym, RefState::getReleased(CE)); - const GRState *stateMalloc = MallocMemAux(C, CE, stateEqual); + const GRState *stateMalloc = MallocMemAux(C, CE, CE->getArg(1), stateEqual); C.addTransition(stateMalloc); } @@ -237,7 +243,8 @@ void MallocChecker::ReallocMem(CheckerContext &C, const CallExpr *CE) { const GRState *stateFree = FreeMemAux(C, CE, stateSizeNotZero); if (stateFree) { // FIXME: We should copy the content of the original buffer. - const GRState *stateRealloc = MallocMemAux(C, CE, stateFree); + const GRState *stateRealloc = MallocMemAux(C, CE, CE->getArg(1), + stateFree); C.addTransition(stateRealloc); } } diff --git a/lib/Analysis/RegionStore.cpp b/lib/Analysis/RegionStore.cpp index 9b5b44be64..a735ed9457 100644 --- a/lib/Analysis/RegionStore.cpp +++ b/lib/Analysis/RegionStore.cpp @@ -21,6 +21,7 @@ #include "clang/Analysis/Analyses/LiveVariables.h" #include "clang/Analysis/Support/Optional.h" #include "clang/Basic/TargetInfo.h" +#include "clang/AST/CharUnits.h" #include "llvm/ADT/ImmutableMap.h" #include "llvm/ADT/ImmutableList.h" @@ -423,9 +424,9 @@ public: // Region "extents". //===------------------------------------------------------------------===// - const GRState *setExtent(const GRState *state, const MemRegion* R, SVal Extent); + const GRState *setExtent(const GRState *state,const MemRegion* R,SVal Extent); DefinedOrUnknownSVal getSizeInElements(const GRState *state, - const MemRegion* R); + const MemRegion* R, QualType EleTy); //===------------------------------------------------------------------===// // Utility methods. @@ -767,7 +768,8 @@ SVal RegionStoreManager::getLValueElement(QualType elementType, SVal Offset, //===----------------------------------------------------------------------===// DefinedOrUnknownSVal RegionStoreManager::getSizeInElements(const GRState *state, - const MemRegion *R) { + const MemRegion *R, + QualType EleTy) { switch (R->getKind()) { case MemRegion::CXXThisRegionKind: @@ -793,10 +795,25 @@ DefinedOrUnknownSVal RegionStoreManager::getSizeInElements(const GRState *state, case MemRegion::ElementRegionKind: case MemRegion::FieldRegionKind: case MemRegion::ObjCIvarRegionKind: - case MemRegion::SymbolicRegionKind: case MemRegion::CXXObjectRegionKind: return UnknownVal(); + case MemRegion::SymbolicRegionKind: { + const SVal *Size = state->get(R); + if (!Size) + return UnknownVal(); + const nonloc::ConcreteInt *CI = dyn_cast(Size); + if (!CI) + return UnknownVal(); + + CharUnits RegionSize = + CharUnits::fromQuantity(CI->getValue().getSExtValue()); + CharUnits EleSize = getContext().getTypeSizeInChars(EleTy); + assert(RegionSize % EleSize == 0); + + return ValMgr.makeIntVal(RegionSize / EleSize, false); + } + case MemRegion::StringRegionKind: { const StringLiteral* Str = cast(R)->getStringLiteral(); // We intentionally made the size value signed because it participates in diff --git a/lib/Analysis/ReturnPointerRangeChecker.cpp b/lib/Analysis/ReturnPointerRangeChecker.cpp index ab0fcab421..b0350cb576 100644 --- a/lib/Analysis/ReturnPointerRangeChecker.cpp +++ b/lib/Analysis/ReturnPointerRangeChecker.cpp @@ -65,7 +65,8 @@ void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C, // into a common place. DefinedOrUnknownSVal NumElements - = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion()); + = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(), + ER->getValueType(C.getASTContext())); const GRState *StInBound = state->AssumeInBound(Idx, NumElements, true); const GRState *StOutBound = state->AssumeInBound(Idx, NumElements, false); diff --git a/test/Analysis/outofbound.c b/test/Analysis/outofbound.c index 2142e9e1f7..68e77caa36 100644 --- a/test/Analysis/outofbound.c +++ b/test/Analysis/outofbound.c @@ -1,7 +1,15 @@ -// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -checker-cfref -analyzer-store=region -verify %s +// RUN: %clang_cc1 -analyze -analyzer-experimental-internal-checks -analyzer-experimental-checks -checker-cfref -analyzer-store=region -verify %s + +typedef __typeof(sizeof(int)) size_t; +void *malloc(size_t); char f1() { char* s = "abcd"; char c = s[4]; // no-warning return s[5] + c; // expected-warning{{Access out-of-bound array element (buffer overflow)}} } + +void f2() { + int *p = malloc(12); + p[3] = 4; // expected-warning{{Access out-of-bound array element (buffer overflow)}} +}