File Manager

003 File Manager

Current Path: /usr/src/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers

usr / src / contrib / llvm-project / clang / lib / StaticAnalyzer / Checkers /

📁 ..
📄 AllocationState.h(1.41 KB)
📄 AnalysisOrderChecker.cpp(8.62 KB)
📄 AnalyzerStatsChecker.cpp(5.04 KB)
📄 ArrayBoundChecker.cpp(3.22 KB)
📄 ArrayBoundCheckerV2.cpp(13.07 KB)
📄 BasicObjCFoundationChecks.cpp(43.82 KB)
📄 BlockInCriticalSectionChecker.cpp(6.69 KB)
📄 BoolAssignmentChecker.cpp(3.45 KB)
📄 BuiltinFunctionChecker.cpp(5 KB)
📄 CStringChecker.cpp(93.24 KB)
📄 CStringSyntaxChecker.cpp(9.8 KB)
📄 CXXSelfAssignmentChecker.cpp(3.08 KB)
📄 CallAndMessageChecker.cpp(26.57 KB)
📄 CastSizeChecker.cpp(4.96 KB)
📄 CastToStructChecker.cpp(4.43 KB)
📄 CastValueChecker.cpp(19.65 KB)
📄 CheckObjCDealloc.cpp(37.83 KB)
📄 CheckObjCInstMethSignature.cpp(4.8 KB)
📄 CheckPlacementNew.cpp(11.91 KB)
📄 CheckSecuritySyntaxOnly.cpp(38.79 KB)
📄 CheckSizeofPointer.cpp(3.16 KB)
📄 CheckerDocumentation.cpp(14.64 KB)
📄 ChrootChecker.cpp(4.88 KB)
📄 CloneChecker.cpp(8.28 KB)
📄 ContainerModeling.cpp(39.85 KB)
📄 ConversionChecker.cpp(7.11 KB)
📄 DeadStoresChecker.cpp(17.82 KB)
📄 DebugCheckers.cpp(10.41 KB)
📄 DebugContainerModeling.cpp(4.94 KB)
📄 DebugIteratorModeling.cpp(5.15 KB)
📄 DeleteWithNonVirtualDtorChecker.cpp(5.35 KB)
📄 DereferenceChecker.cpp(10.54 KB)
📄 DirectIvarAssignment.cpp(8.02 KB)
📄 DivZeroChecker.cpp(3.42 KB)
📄 DynamicTypeChecker.cpp(7.31 KB)
📄 DynamicTypePropagation.cpp(42.11 KB)
📄 EnumCastOutOfRangeChecker.cpp(5.75 KB)
📄 ExprInspectionChecker.cpp(15.6 KB)
📄 FixedAddressChecker.cpp(2.33 KB)
📄 FuchsiaHandleChecker.cpp(23.1 KB)
📄 GCDAntipatternChecker.cpp(7.85 KB)
📄 GTestChecker.cpp(10.52 KB)
📄 GenericTaintChecker.cpp(34.31 KB)
📄 IdenticalExprChecker.cpp(18.88 KB)
📄 InnerPointerChecker.cpp(11.54 KB)
📄 InterCheckerAPI.h(1.09 KB)
📄 InvalidatedIteratorChecker.cpp(4.93 KB)
📄 Iterator.cpp(10.62 KB)
📄 Iterator.h(6.32 KB)
📄 IteratorModeling.cpp(31.33 KB)
📄 IteratorRangeChecker.cpp(12.64 KB)
📄 IvarInvalidationChecker.cpp(27.63 KB)
📄 LLVMConventionsChecker.cpp(9.9 KB)
📄 LocalizationChecker.cpp(52.38 KB)
📄 MIGChecker.cpp(11.3 KB)
📁 MPI-Checker
📄 MacOSKeychainAPIChecker.cpp(25.21 KB)
📄 MacOSXAPIChecker.cpp(6.61 KB)
📄 MallocChecker.cpp(127.38 KB)
📄 MallocOverflowSecurityChecker.cpp(11.91 KB)
📄 MallocSizeofChecker.cpp(8.03 KB)
📄 MismatchedIteratorChecker.cpp(11.01 KB)
📄 MmapWriteExecChecker.cpp(3.22 KB)
📄 Move.h(1.07 KB)
📄 MoveChecker.cpp(27 KB)
📄 NSAutoreleasePoolChecker.cpp(2.93 KB)
📄 NSErrorChecker.cpp(10.6 KB)
📄 NoReturnFunctionChecker.cpp(5.48 KB)
📄 NonNullParamChecker.cpp(11.22 KB)
📄 NonnullGlobalConstantsChecker.cpp(5.09 KB)
📄 NullabilityChecker.cpp(46.95 KB)
📄 NumberObjectConversionChecker.cpp(13.69 KB)
📄 OSObjectCStyleCast.cpp(3.14 KB)
📄 ObjCAtSyncChecker.cpp(3.34 KB)
📄 ObjCAutoreleaseWriteChecker.cpp(8.62 KB)
📄 ObjCContainersASTChecker.cpp(5.5 KB)
📄 ObjCContainersChecker.cpp(6.71 KB)
📄 ObjCMissingSuperCallChecker.cpp(9.23 KB)
📄 ObjCPropertyChecker.cpp(3.03 KB)
📄 ObjCSelfInitChecker.cpp(16.21 KB)
📄 ObjCSuperDeallocChecker.cpp(9.33 KB)
📄 ObjCUnusedIVarsChecker.cpp(6.01 KB)
📄 PaddingChecker.cpp(14.26 KB)
📄 PointerArithChecker.cpp(12.18 KB)
📄 PointerIterationChecker.cpp(3.79 KB)
📄 PointerSortingChecker.cpp(4.5 KB)
📄 PointerSubChecker.cpp(2.56 KB)
📄 PthreadLockChecker.cpp(28.42 KB)
📁 RetainCountChecker
📄 ReturnPointerRangeChecker.cpp(3.39 KB)
📄 ReturnUndefChecker.cpp(4.1 KB)
📄 ReturnValueChecker.cpp(5.79 KB)
📄 RunLoopAutoreleaseLeakChecker.cpp(7.2 KB)
📄 STLAlgorithmModeling.cpp(7 KB)
📄 SimpleStreamChecker.cpp(9.43 KB)
📄 SmartPtr.h(1.17 KB)
📄 SmartPtrChecker.cpp(2.68 KB)
📄 SmartPtrModeling.cpp(8.05 KB)
📄 StackAddrEscapeChecker.cpp(15 KB)
📄 StdLibraryFunctionsChecker.cpp(74.86 KB)
📄 StreamChecker.cpp(37.36 KB)
📄 Taint.cpp(9.04 KB)
📄 Taint.h(4.19 KB)
📄 TaintTesterChecker.cpp(2.17 KB)
📄 TestAfterDivZeroChecker.cpp(8.19 KB)
📄 TraversalChecker.cpp(4.38 KB)
📄 TrustNonnullChecker.cpp(9.12 KB)
📄 UndefBranchChecker.cpp(3.82 KB)
📄 UndefCapturedBlockVarChecker.cpp(3.64 KB)
📄 UndefResultChecker.cpp(7.19 KB)
📄 UndefinedArraySubscriptChecker.cpp(2.36 KB)
📄 UndefinedAssignmentChecker.cpp(3.74 KB)
📁 UninitializedObject
📄 UnixAPIChecker.cpp(18.05 KB)
📄 UnreachableCodeChecker.cpp(9.59 KB)
📄 VLASizeChecker.cpp(10.95 KB)
📄 ValistChecker.cpp(15.65 KB)
📄 VforkChecker.cpp(7.67 KB)
📄 VirtualCallChecker.cpp(8.11 KB)
📁 WebKit
📄 Yaml.h(2.06 KB)
📁 cert

Editing: StackAddrEscapeChecker.cpp

//=== StackAddrEscapeChecker.cpp ----------------------------------*- C++ -*--//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines stack address leak checker, which checks if an invalid
// stack address is stored into a global or heap location. See CERT DCL30-C.
//
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/ExprCXX.h"
#include "clang/Basic/SourceManager.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h"
using namespace clang;
using namespace ento;

namespace {
class StackAddrEscapeChecker
    : public Checker<check::PreCall, check::PreStmt<ReturnStmt>,
                     check::EndFunction> {
  mutable IdentifierInfo *dispatch_semaphore_tII;
  mutable std::unique_ptr<BuiltinBug> BT_stackleak;
  mutable std::unique_ptr<BuiltinBug> BT_returnstack;
  mutable std::unique_ptr<BuiltinBug> BT_capturedstackasync;
  mutable std::unique_ptr<BuiltinBug> BT_capturedstackret;

public:
  enum CheckKind {
    CK_StackAddrEscapeChecker,
    CK_StackAddrAsyncEscapeChecker,
    CK_NumCheckKinds
  };

DefaultBool ChecksEnabled[CK_NumCheckKinds];
  CheckerNameRef CheckNames[CK_NumCheckKinds];

void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
  void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
  void checkEndFunction(const ReturnStmt *RS, CheckerContext &Ctx) const;

private:
  void checkReturnedBlockCaptures(const BlockDataRegion &B,
                                  CheckerContext &C) const;
  void checkAsyncExecutedBlockCaptures(const BlockDataRegion &B,
                                       CheckerContext &C) const;
  void EmitStackError(CheckerContext &C, const MemRegion *R,
                      const Expr *RetE) const;
  bool isSemaphoreCaptured(const BlockDecl &B) const;
  static SourceRange genName(raw_ostream &os, const MemRegion *R,
                             ASTContext &Ctx);
  static SmallVector<const MemRegion *, 4>
  getCapturedStackRegions(const BlockDataRegion &B, CheckerContext &C);
  static bool isArcManagedBlock(const MemRegion *R, CheckerContext &C);
  static bool isNotInCurrentFrame(const MemRegion *R, CheckerContext &C);
};
} // namespace

SourceRange StackAddrEscapeChecker::genName(raw_ostream &os, const MemRegion *R,
                                            ASTContext &Ctx) {
  // Get the base region, stripping away fields and elements.
  R = R->getBaseRegion();
  SourceManager &SM = Ctx.getSourceManager();
  SourceRange range;
  os << "Address of ";

// Check if the region is a compound literal.
  if (const auto *CR = dyn_cast<CompoundLiteralRegion>(R)) {
    const CompoundLiteralExpr *CL = CR->getLiteralExpr();
    os << "stack memory associated with a compound literal "
          "declared on line "
       << SM.getExpansionLineNumber(CL->getBeginLoc()) << " returned to caller";
    range = CL->getSourceRange();
  } else if (const auto *AR = dyn_cast<AllocaRegion>(R)) {
    const Expr *ARE = AR->getExpr();
    SourceLocation L = ARE->getBeginLoc();
    range = ARE->getSourceRange();
    os << "stack memory allocated by call to alloca() on line "
       << SM.getExpansionLineNumber(L);
  } else if (const auto *BR = dyn_cast<BlockDataRegion>(R)) {
    const BlockDecl *BD = BR->getCodeRegion()->getDecl();
    SourceLocation L = BD->getBeginLoc();
    range = BD->getSourceRange();
    os << "stack-allocated block declared on line "
       << SM.getExpansionLineNumber(L);
  } else if (const auto *VR = dyn_cast<VarRegion>(R)) {
    os << "stack memory associated with local variable '" << VR->getString()
       << '\'';
    range = VR->getDecl()->getSourceRange();
  } else if (const auto *TOR = dyn_cast<CXXTempObjectRegion>(R)) {
    QualType Ty = TOR->getValueType().getLocalUnqualifiedType();
    os << "stack memory associated with temporary object of type '";
    Ty.print(os, Ctx.getPrintingPolicy());
    os << "'";
    range = TOR->getExpr()->getSourceRange();
  } else {
    llvm_unreachable("Invalid region in ReturnStackAddressChecker.");
  }

return range;
}

bool StackAddrEscapeChecker::isArcManagedBlock(const MemRegion *R,
                                               CheckerContext &C) {
  assert(R && "MemRegion should not be null");
  return C.getASTContext().getLangOpts().ObjCAutoRefCount &&
         isa<BlockDataRegion>(R);
}

bool StackAddrEscapeChecker::isNotInCurrentFrame(const MemRegion *R,
                                                 CheckerContext &C) {
  const StackSpaceRegion *S = cast<StackSpaceRegion>(R->getMemorySpace());
  return S->getStackFrame() != C.getStackFrame();
}

bool StackAddrEscapeChecker::isSemaphoreCaptured(const BlockDecl &B) const {
  if (!dispatch_semaphore_tII)
    dispatch_semaphore_tII = &B.getASTContext().Idents.get("dispatch_semaphore_t");
  for (const auto &C : B.captures()) {
    const auto *T = C.getVariable()->getType()->getAs<TypedefType>();
    if (T && T->getDecl()->getIdentifier() == dispatch_semaphore_tII)
      return true;
  }
  return false;
}

SmallVector<const MemRegion *, 4>
StackAddrEscapeChecker::getCapturedStackRegions(const BlockDataRegion &B,
                                                CheckerContext &C) {
  SmallVector<const MemRegion *, 4> Regions;
  BlockDataRegion::referenced_vars_iterator I = B.referenced_vars_begin();
  BlockDataRegion::referenced_vars_iterator E = B.referenced_vars_end();
  for (; I != E; ++I) {
    SVal Val = C.getState()->getSVal(I.getCapturedRegion());
    const MemRegion *Region = Val.getAsRegion();
    if (Region && isa<StackSpaceRegion>(Region->getMemorySpace()))
      Regions.push_back(Region);
  }
  return Regions;
}

void StackAddrEscapeChecker::EmitStackError(CheckerContext &C,
                                            const MemRegion *R,
                                            const Expr *RetE) const {
  ExplodedNode *N = C.generateNonFatalErrorNode();
  if (!N)
    return;
  if (!BT_returnstack)
    BT_returnstack = std::make_unique<BuiltinBug>(
        CheckNames[CK_StackAddrEscapeChecker],
        "Return of address to stack-allocated memory");
  // Generate a report for this bug.
  SmallString<128> buf;
  llvm::raw_svector_ostream os(buf);
  SourceRange range = genName(os, R, C.getASTContext());
  os << " returned to caller";
  auto report =
      std::make_unique<PathSensitiveBugReport>(*BT_returnstack, os.str(), N);
  report->addRange(RetE->getSourceRange());
  if (range.isValid())
    report->addRange(range);
  C.emitReport(std::move(report));
}

void StackAddrEscapeChecker::checkAsyncExecutedBlockCaptures(
    const BlockDataRegion &B, CheckerContext &C) const {
  // There is a not-too-uncommon idiom
  // where a block passed to dispatch_async captures a semaphore
  // and then the thread (which called dispatch_async) is blocked on waiting
  // for the completion of the execution of the block
  // via dispatch_semaphore_wait. To avoid false-positives (for now)
  // we ignore all the blocks which have captured
  // a variable of the type "dispatch_semaphore_t".
  if (isSemaphoreCaptured(*B.getDecl()))
    return;
  for (const MemRegion *Region : getCapturedStackRegions(B, C)) {
    // The block passed to dispatch_async may capture another block
    // created on the stack. However, there is no leak in this situaton,
    // no matter if ARC or no ARC is enabled:
    // dispatch_async copies the passed "outer" block (via Block_copy)
    // and if the block has captured another "inner" block,
    // the "inner" block will be copied as well.
    if (isa<BlockDataRegion>(Region))
      continue;
    ExplodedNode *N = C.generateNonFatalErrorNode();
    if (!N)
      continue;
    if (!BT_capturedstackasync)
      BT_capturedstackasync = std::make_unique<BuiltinBug>(
          CheckNames[CK_StackAddrAsyncEscapeChecker],
          "Address of stack-allocated memory is captured");
    SmallString<128> Buf;
    llvm::raw_svector_ostream Out(Buf);
    SourceRange Range = genName(Out, Region, C.getASTContext());
    Out << " is captured by an asynchronously-executed block";
    auto Report = std::make_unique<PathSensitiveBugReport>(
        *BT_capturedstackasync, Out.str(), N);
    if (Range.isValid())
      Report->addRange(Range);
    C.emitReport(std::move(Report));
  }
}

void StackAddrEscapeChecker::checkReturnedBlockCaptures(
    const BlockDataRegion &B, CheckerContext &C) const {
  for (const MemRegion *Region : getCapturedStackRegions(B, C)) {
    if (isArcManagedBlock(Region, C) || isNotInCurrentFrame(Region, C))
      continue;
    ExplodedNode *N = C.generateNonFatalErrorNode();
    if (!N)
      continue;
    if (!BT_capturedstackret)
      BT_capturedstackret = std::make_unique<BuiltinBug>(
          CheckNames[CK_StackAddrEscapeChecker],
          "Address of stack-allocated memory is captured");
    SmallString<128> Buf;
    llvm::raw_svector_ostream Out(Buf);
    SourceRange Range = genName(Out, Region, C.getASTContext());
    Out << " is captured by a returned block";
    auto Report = std::make_unique<PathSensitiveBugReport>(*BT_capturedstackret,
                                                           Out.str(), N);
    if (Range.isValid())
      Report->addRange(Range);
    C.emitReport(std::move(Report));
  }
}

void StackAddrEscapeChecker::checkPreCall(const CallEvent &Call,
                                          CheckerContext &C) const {
  if (!ChecksEnabled[CK_StackAddrAsyncEscapeChecker])
    return;
  if (!Call.isGlobalCFunction("dispatch_after") &&
      !Call.isGlobalCFunction("dispatch_async"))
    return;
  for (unsigned Idx = 0, NumArgs = Call.getNumArgs(); Idx < NumArgs; ++Idx) {
    if (const BlockDataRegion *B = dyn_cast_or_null<BlockDataRegion>(
            Call.getArgSVal(Idx).getAsRegion()))
      checkAsyncExecutedBlockCaptures(*B, C);
  }
}

void StackAddrEscapeChecker::checkPreStmt(const ReturnStmt *RS,
                                          CheckerContext &C) const {
  if (!ChecksEnabled[CK_StackAddrEscapeChecker])
    return;

const Expr *RetE = RS->getRetValue();
  if (!RetE)
    return;
  RetE = RetE->IgnoreParens();

SVal V = C.getSVal(RetE);
  const MemRegion *R = V.getAsRegion();
  if (!R)
    return;

if (const BlockDataRegion *B = dyn_cast<BlockDataRegion>(R))
    checkReturnedBlockCaptures(*B, C);

if (!isa<StackSpaceRegion>(R->getMemorySpace()) ||
      isNotInCurrentFrame(R, C) || isArcManagedBlock(R, C))
    return;

// Returning a record by value is fine. (In this case, the returned
  // expression will be a copy-constructor, possibly wrapped in an
  // ExprWithCleanups node.)
  if (const ExprWithCleanups *Cleanup = dyn_cast<ExprWithCleanups>(RetE))
    RetE = Cleanup->getSubExpr();
  if (isa<CXXConstructExpr>(RetE) && RetE->getType()->isRecordType())
    return;

// The CK_CopyAndAutoreleaseBlockObject cast causes the block to be copied
  // so the stack address is not escaping here.
  if (const auto *ICE = dyn_cast<ImplicitCastExpr>(RetE)) {
    if (isa<BlockDataRegion>(R) &&
        ICE->getCastKind() == CK_CopyAndAutoreleaseBlockObject) {
      return;
    }
  }

EmitStackError(C, R, RetE);
}

void StackAddrEscapeChecker::checkEndFunction(const ReturnStmt *RS,
                                              CheckerContext &Ctx) const {
  if (!ChecksEnabled[CK_StackAddrEscapeChecker])
    return;

ProgramStateRef State = Ctx.getState();

// Iterate over all bindings to global variables and see if it contains
  // a memory region in the stack space.
  class CallBack : public StoreManager::BindingsHandler {
  private:
    CheckerContext &Ctx;
    const StackFrameContext *CurSFC;

public:
    SmallVector<std::pair<const MemRegion *, const MemRegion *>, 10> V;

CallBack(CheckerContext &CC) : Ctx(CC), CurSFC(CC.getStackFrame()) {}

bool HandleBinding(StoreManager &SMgr, Store S, const MemRegion *Region,
                       SVal Val) override {

if (!isa<GlobalsSpaceRegion>(Region->getMemorySpace()))
        return true;
      const MemRegion *VR = Val.getAsRegion();
      if (VR && isa<StackSpaceRegion>(VR->getMemorySpace()) &&
          !isArcManagedBlock(VR, Ctx) && !isNotInCurrentFrame(VR, Ctx))
        V.emplace_back(Region, VR);
      return true;
    }
  };

CallBack Cb(Ctx);
  State->getStateManager().getStoreManager().iterBindings(State->getStore(),
                                                          Cb);

if (Cb.V.empty())
    return;

// Generate an error node.
  ExplodedNode *N = Ctx.generateNonFatalErrorNode(State);
  if (!N)
    return;

if (!BT_stackleak)
    BT_stackleak = std::make_unique<BuiltinBug>(
        CheckNames[CK_StackAddrEscapeChecker],
        "Stack address stored into global variable",
        "Stack address was saved into a global variable. "
        "This is dangerous because the address will become "
        "invalid after returning from the function");

for (const auto &P : Cb.V) {
    // Generate a report for this bug.
    SmallString<128> Buf;
    llvm::raw_svector_ostream Out(Buf);
    SourceRange Range = genName(Out, P.second, Ctx.getASTContext());
    Out << " is still referred to by the ";
    if (isa<StaticGlobalSpaceRegion>(P.first->getMemorySpace()))
      Out << "static";
    else
      Out << "global";
    Out << " variable '";
    const VarRegion *VR = cast<VarRegion>(P.first->getBaseRegion());
    Out << *VR->getDecl()
        << "' upon returning to the caller.  This will be a dangling reference";
    auto Report =
        std::make_unique<PathSensitiveBugReport>(*BT_stackleak, Out.str(), N);
    if (Range.isValid())
      Report->addRange(Range);

Ctx.emitReport(std::move(Report));
  }
}

void ento::registerStackAddrEscapeBase(CheckerManager &mgr) {
  mgr.registerChecker<StackAddrEscapeChecker>();
}

bool ento::shouldRegisterStackAddrEscapeBase(const CheckerManager &mgr) {
  return true;
}

#define REGISTER_CHECKER(name)                                                 \
  void ento::register##name(CheckerManager &Mgr) {                             \
    StackAddrEscapeChecker *Chk = Mgr.getChecker<StackAddrEscapeChecker>();    \
    Chk->ChecksEnabled[StackAddrEscapeChecker::CK_##name] = true;              \
    Chk->CheckNames[StackAddrEscapeChecker::CK_##name] =                       \
        Mgr.getCurrentCheckerName();                                           \
  }                                                                            \
                                                                               \
  bool ento::shouldRegister##name(const CheckerManager &mgr) { return true; }

REGISTER_CHECKER(StackAddrEscapeChecker)
REGISTER_CHECKER(StackAddrAsyncEscapeChecker)

003 File Manager

Editing: StackAddrEscapeChecker.cpp

Upload File

Create Folder