clang 20.0.0git
VLASizeChecker.cpp
Go to the documentation of this file.
1//=== VLASizeChecker.cpp - Undefined dereference checker --------*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines VLASizeChecker, a builtin check in ExprEngine that
10// performs checks for declaration of VLA of undefined or zero size.
11// In addition, VLASizeChecker is responsible for defining the extent
12// of the MemRegion that represents a VLA.
13//
14//===----------------------------------------------------------------------===//
15
16#include "clang/AST/CharUnits.h"
17#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
18#include "clang/StaticAnalyzer/Checkers/Taint.h"
19#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
20#include "clang/StaticAnalyzer/Core/Checker.h"
21#include "clang/StaticAnalyzer/Core/CheckerManager.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
24#include "llvm/ADT/STLExtras.h"
25#include "llvm/ADT/SmallString.h"
26#include "llvm/Support/raw_ostream.h"
27#include <optional>
28
29using namespace clang;
30using namespace ento;
31using namespace taint;
32
33namespace {
34class VLASizeChecker
35 : public Checker<check::PreStmt<DeclStmt>,
36 check::PreStmt<UnaryExprOrTypeTraitExpr>> {
37 const BugType BT{this, "Dangerous variable-length array (VLA) declaration"};
38 const BugType TaintBT{this,
39 "Dangerous variable-length array (VLA) declaration",
40 categories::TaintedData};
41 enum VLASize_Kind { VLA_Garbage, VLA_Zero, VLA_Negative, VLA_Overflow };
42
43 /// Check a VLA for validity.
44 /// Every dimension of the array and the total size is checked for validity.
45 /// Returns null or a new state where the size is validated.
46 /// 'ArraySize' will contain SVal that refers to the total size (in char)
47 /// of the array.
48 ProgramStateRef checkVLA(CheckerContext &C, ProgramStateRef State,
49 const VariableArrayType *VLA, SVal &ArraySize) const;
50 /// Check a single VLA index size expression for validity.
51 ProgramStateRef checkVLAIndexSize(CheckerContext &C, ProgramStateRef State,
52 const Expr *SizeE) const;
53
54 void reportBug(VLASize_Kind Kind, const Expr *SizeE, ProgramStateRef State,
55 CheckerContext &C) const;
56
57 void reportTaintBug(const Expr *SizeE, ProgramStateRef State,
58 CheckerContext &C, SVal TaintedSVal) const;
59
60public:
61 void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
62 void checkPreStmt(const UnaryExprOrTypeTraitExpr *UETTE,
63 CheckerContext &C) const;
64};
65} // end anonymous namespace
66
67ProgramStateRef VLASizeChecker::checkVLA(CheckerContext &C,
68 ProgramStateRef State,
69 const VariableArrayType *VLA,
70 SVal &ArraySize) const {
71 assert(VLA && "Function should be called with non-null VLA argument.");
72
73 const VariableArrayType *VLALast = nullptr;
74 llvm::SmallVector<const Expr *, 2> VLASizes;
75
76 // Walk over the VLAs for every dimension until a non-VLA is found.
77 // There is a VariableArrayType for every dimension (fixed or variable) until
78 // the most inner array that is variably modified.
79 // Dimension sizes are collected into 'VLASizes'. 'VLALast' is set to the
80 // innermost VLA that was encountered.
81 // In "int vla[x][2][y][3]" this will be the array for index "y" (with type
82 // int[3]). 'VLASizes' contains 'x', '2', and 'y'.
83 while (VLA) {
84 const Expr *SizeE = VLA->getSizeExpr();
85 State = checkVLAIndexSize(C, State, SizeE);
86 if (!State)
87 return nullptr;
88 VLASizes.push_back(SizeE);
89 VLALast = VLA;
90 VLA = C.getASTContext().getAsVariableArrayType(VLA->getElementType());
91 };
92 assert(VLALast &&
93 "Array should have at least one variably-modified dimension.");
94
95 ASTContext &Ctx = C.getASTContext();
96 SValBuilder &SVB = C.getSValBuilder();
97 CanQualType SizeTy = Ctx.getSizeType();
98 uint64_t SizeMax =
99 SVB.getBasicValueFactory().getMaxValue(SizeTy)->getZExtValue();
100
101 // Get the element size.
102 CharUnits EleSize = Ctx.getTypeSizeInChars(VLALast->getElementType());
103 NonLoc ArrSize =
104 SVB.makeIntVal(EleSize.getQuantity(), SizeTy).castAs<NonLoc>();
105
106 // Try to calculate the known real size of the array in KnownSize.
107 uint64_t KnownSize = 0;
108 if (const llvm::APSInt *KV = SVB.getKnownValue(State, ArrSize))
109 KnownSize = KV->getZExtValue();
110
111 for (const Expr *SizeE : VLASizes) {
112 auto SizeD = C.getSVal(SizeE).castAs<DefinedSVal>();
113 // Convert the array length to size_t.
114 NonLoc IndexLength =
115 SVB.evalCast(SizeD, SizeTy, SizeE->getType()).castAs<NonLoc>();
116 // Multiply the array length by the element size.
117 SVal Mul = SVB.evalBinOpNN(State, BO_Mul, ArrSize, IndexLength, SizeTy);
118 if (auto MulNonLoc = Mul.getAs<NonLoc>())
119 ArrSize = *MulNonLoc;
120 else
121 // Extent could not be determined.
122 return State;
123
124 if (const llvm::APSInt *IndexLVal = SVB.getKnownValue(State, IndexLength)) {
125 // Check if the array size will overflow.
126 // Size overflow check does not work with symbolic expressions because a
127 // overflow situation can not be detected easily.
128 uint64_t IndexL = IndexLVal->getZExtValue();
129 // FIXME: See https://reviews.llvm.org/D80903 for discussion of
130 // some difference in assume and getKnownValue that leads to
131 // unexpected behavior. Just bail on IndexL == 0 at this point.
132 if (IndexL == 0)
133 return nullptr;
134
135 if (KnownSize <= SizeMax / IndexL) {
136 KnownSize *= IndexL;
137 } else {
138 // Array size does not fit into size_t.
139 reportBug(VLA_Overflow, SizeE, State, C);
140 return nullptr;
141 }
142 } else {
143 KnownSize = 0;
144 }
145 }
146
147 ArraySize = ArrSize;
148
149 return State;
150}
151
152ProgramStateRef VLASizeChecker::checkVLAIndexSize(CheckerContext &C,
153 ProgramStateRef State,
154 const Expr *SizeE) const {
155 SVal SizeV = C.getSVal(SizeE);
156
157 if (SizeV.isUndef()) {
158 reportBug(VLA_Garbage, SizeE, State, C);
159 return nullptr;
160 }
161
162 // See if the size value is known. It can't be undefined because we would have
163 // warned about that already.
164 if (SizeV.isUnknown())
165 return nullptr;
166
167 // Check if the size is zero.
168 DefinedSVal SizeD = SizeV.castAs<DefinedSVal>();
169
170 ProgramStateRef StateNotZero, StateZero;
171 std::tie(StateNotZero, StateZero) = State->assume(SizeD);
172
173 if (StateZero && !StateNotZero) {
174 reportBug(VLA_Zero, SizeE, StateZero, C);
175 return nullptr;
176 }
177
178 // From this point on, assume that the size is not zero.
179 State = StateNotZero;
180
181 // Check if the size is negative.
182 SValBuilder &SVB = C.getSValBuilder();
183
184 QualType SizeTy = SizeE->getType();
185 DefinedOrUnknownSVal Zero = SVB.makeZeroVal(SizeTy);
186
187 SVal LessThanZeroVal =
188 SVB.evalBinOp(State, BO_LT, SizeD, Zero, SVB.getConditionType());
189 ProgramStateRef StatePos, StateNeg;
190 if (std::optional<DefinedSVal> LessThanZeroDVal =
191 LessThanZeroVal.getAs<DefinedSVal>()) {
192 ConstraintManager &CM = C.getConstraintManager();
193
194 std::tie(StateNeg, StatePos) = CM.assumeDual(State, *LessThanZeroDVal);
195 if (StateNeg && !StatePos) {
196 reportBug(VLA_Negative, SizeE, State, C);
197 return nullptr;
198 }
199 State = StatePos;
200 }
201
202 // Check if the size is tainted.
203 if ((StateNeg || StateZero) && isTainted(State, SizeV)) {
204 reportTaintBug(SizeE, State, C, SizeV);
205 return nullptr;
206 }
207
208 return State;
209}
210
211void VLASizeChecker::reportTaintBug(const Expr *SizeE, ProgramStateRef State,
212 CheckerContext &C, SVal TaintedSVal) const {
213 // Generate an error node.
214 ExplodedNode *N = C.generateErrorNode(State);
215 if (!N)
216 return;
217
218 SmallString<256> buf;
219 llvm::raw_svector_ostream os(buf);
220 os << "Declared variable-length array (VLA) ";
221 os << "has tainted (attacker controlled) size that can be 0 or negative";
222
223 auto report = std::make_unique<PathSensitiveBugReport>(TaintBT, os.str(), N);
224 report->addRange(SizeE->getSourceRange());
225 bugreporter::trackExpressionValue(N, SizeE, *report);
226 // The vla size may be a complex expression where multiple memory locations
227 // are tainted.
228 for (auto Sym : getTaintedSymbols(State, TaintedSVal))
229 report->markInteresting(Sym);
230 C.emitReport(std::move(report));
231}
232
233void VLASizeChecker::reportBug(VLASize_Kind Kind, const Expr *SizeE,
234 ProgramStateRef State, CheckerContext &C) const {
235 // Generate an error node.
236 ExplodedNode *N = C.generateErrorNode(State);
237 if (!N)
238 return;
239
240 SmallString<256> buf;
241 llvm::raw_svector_ostream os(buf);
242 os << "Declared variable-length array (VLA) ";
243 switch (Kind) {
244 case VLA_Garbage:
245 os << "uses a garbage value as its size";
246 break;
247 case VLA_Zero:
248 os << "has zero size";
249 break;
250 case VLA_Negative:
251 os << "has negative size";
252 break;
253 case VLA_Overflow:
254 os << "has too large size";
255 break;
256 }
257
258 auto report = std::make_unique<PathSensitiveBugReport>(BT, os.str(), N);
259 report->addRange(SizeE->getSourceRange());
260 bugreporter::trackExpressionValue(N, SizeE, *report);
261 C.emitReport(std::move(report));
262}
263
264void VLASizeChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
265 if (!DS->isSingleDecl())
266 return;
267
268 ASTContext &Ctx = C.getASTContext();
269 ProgramStateRef State = C.getState();
270 QualType TypeToCheck;
271
272 const VarDecl *VD = dyn_cast<VarDecl>(DS->getSingleDecl());
273
274 if (VD)
275 TypeToCheck = VD->getType().getCanonicalType();
276 else if (const auto *TND = dyn_cast<TypedefNameDecl>(DS->getSingleDecl()))
277 TypeToCheck = TND->getUnderlyingType().getCanonicalType();
278 else
279 return;
280
281 const VariableArrayType *VLA = Ctx.getAsVariableArrayType(TypeToCheck);
282 if (!VLA)
283 return;
284
285 // Check the VLA sizes for validity.
286
287 SVal ArraySize;
288
289 State = checkVLA(C, State, VLA, ArraySize);
290 if (!State)
291 return;
292
293 if (!isa<NonLoc>(ArraySize)) {
294 // Array size could not be determined but state may contain new assumptions.
295 C.addTransition(State);
296 return;
297 }
298
299 // VLASizeChecker is responsible for defining the extent of the array.
300 if (VD) {
301 State =
302 setDynamicExtent(State, State->getRegion(VD, C.getLocationContext()),
303 ArraySize.castAs<NonLoc>());
304 }
305
306 // Remember our assumptions!
307 C.addTransition(State);
308}
309
310void VLASizeChecker::checkPreStmt(const UnaryExprOrTypeTraitExpr *UETTE,
311 CheckerContext &C) const {
312 // Want to check for sizeof.
313 if (UETTE->getKind() != UETT_SizeOf)
314 return;
315
316 // Ensure a type argument.
317 if (!UETTE->isArgumentType())
318 return;
319
320 const VariableArrayType *VLA = C.getASTContext().getAsVariableArrayType(
321 UETTE->getTypeOfArgument().getCanonicalType());
322 // Ensure that the type is a VLA.
323 if (!VLA)
324 return;
325
326 ProgramStateRef State = C.getState();
327 SVal ArraySize;
328 State = checkVLA(C, State, VLA, ArraySize);
329 if (!State)
330 return;
331
332 C.addTransition(State);
333}
334
335void ento::registerVLASizeChecker(CheckerManager &mgr) {
336 mgr.registerChecker<VLASizeChecker>();
337}
338
339bool ento::shouldRegisterVLASizeChecker(const CheckerManager &mgr) {
340 return true;
341}
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:188
clang::ASTContext::getSizeType
CanQualType getSizeType() const
Return the unique type for "size_t" (C99 7.17), defined in <stddef.h>.
Definition: ASTContext.cpp:6495
clang::ASTContext::getTypeSizeInChars
CharUnits getTypeSizeInChars(QualType T) const
Return the size of the specified (complete) type T, in characters.
Definition: ASTContext.cpp:2542
clang::ASTContext::getAsVariableArrayType
const VariableArrayType * getAsVariableArrayType(QualType T) const
Definition: ASTContext.h:2918
clang::ArrayType::getElementType
QualType getElementType() const
Definition: Type.h:3589
clang::CharUnits
CharUnits - This is an opaque type for sizes expressed in character units.
Definition: CharUnits.h:38
clang::CharUnits::getQuantity
QuantityType getQuantity() const
getQuantity - Get the raw integer representation of this quantity.
Definition: CharUnits.h:185
clang::DeclStmt
DeclStmt - Adaptor class for mixing declarations with statements and expressions.
Definition: Stmt.h:1519
clang::DeclStmt::isSingleDecl
bool isSingleDecl() const
isSingleDecl - This method returns true if this DeclStmt refers to a single Decl.
Definition: Stmt.h:1532
clang::DeclStmt::getSingleDecl
const Decl * getSingleDecl() const
Definition: Stmt.h:1534
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::Expr::getType
QualType getType() const
Definition: Expr.h:142
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:929
clang::QualType::getCanonicalType
QualType getCanonicalType() const
Definition: Type.h:7983
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:333
clang::UnaryExprOrTypeTraitExpr
UnaryExprOrTypeTraitExpr - expression with either a type or (unevaluated) expression operand.
Definition: Expr.h:2622
clang::UnaryExprOrTypeTraitExpr::getTypeOfArgument
QualType getTypeOfArgument() const
Gets the argument type, or the type of the argument expression, whichever is appropriate.
Definition: Expr.h:2691
clang::UnaryExprOrTypeTraitExpr::isArgumentType
bool isArgumentType() const
Definition: Expr.h:2664
clang::UnaryExprOrTypeTraitExpr::getKind
UnaryExprOrTypeTrait getKind() const
Definition: Expr.h:2654
clang::ValueDecl::getType
QualType getType() const
Definition: Decl.h:682
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:882
clang::VariableArrayType
Represents a C array with a specified size that is not an integer-constant-expression.
Definition: Type.h:3808
clang::VariableArrayType::getSizeExpr
Expr * getSizeExpr() const
Definition: Type.h:3827
clang::ento::BasicValueFactory::getMaxValue
APSIntPtr getMaxValue(const llvm::APSInt &v)
Definition: BasicValueFactory.h:194
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:202
clang::ento::ConstraintManager::assumeDual
ProgramStatePair assumeDual(ProgramStateRef State, DefinedSVal Cond)
Returns a pair of states (StTrue, StFalse) where the given condition is assumed to be true or false,...
Definition: ConstraintManager.cpp:93
clang::ento::SValBuilder::makeZeroVal
DefinedOrUnknownSVal makeZeroVal(QualType type)
Construct an SVal representing '0' for the specified type.
Definition: SValBuilder.cpp:62
clang::ento::SValBuilder::getKnownValue
virtual const llvm::APSInt * getKnownValue(ProgramStateRef state, SVal val)=0
Evaluates a given SVal.
clang::ento::SValBuilder::getBasicValueFactory
BasicValueFactory & getBasicValueFactory()
Definition: SValBuilder.h:161
clang::ento::SValBuilder::makeIntVal
nonloc::ConcreteInt makeIntVal(const IntegerLiteral *integer)
Definition: SValBuilder.h:288
clang::ento::SValBuilder::evalBinOpNN
virtual SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, NonLoc lhs, NonLoc rhs, QualType resultTy)=0
Create a new value which represents a binary expression with two non- location operands.
clang::ento::SValBuilder::evalCast
SVal evalCast(SVal V, QualType CastTy, QualType OriginalTy)
Cast a given SVal to another SVal using given QualType's.
Definition: SValBuilder.cpp:1102
clang::ento::SValBuilder::getConditionType
QualType getConditionType() const
Definition: SValBuilder.h:153
clang::ento::SValBuilder::evalBinOp
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal lhs, SVal rhs, QualType type)
Definition: SValBuilder.cpp:491
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:56
clang::ento::SVal::isUndef
bool isUndef() const
Definition: SVals.h:107
clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:87
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:83
clang::ento::SVal::isUnknown
bool isUnknown() const
Definition: SVals.h:105
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2600
clang::ento::taint::getTaintedSymbols
std::vector< SymbolRef > getTaintedSymbols(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Returns the tainted Symbols for a given Statement and state.
Definition: Taint.cpp:170
clang::ento::taint::isTainted
bool isTainted(ProgramStateRef State, const Stmt *S, const LocationContext *LCtx, TaintTagType Kind=TaintTagGeneric)
Check if the statement has a tainted value in the given state.
Definition: Taint.cpp:148
clang::ento::setDynamicExtent
ProgramStateRef setDynamicExtent(ProgramStateRef State, const MemRegion *MR, DefinedOrUnknownSVal Extent)
Set the dynamic extent Extent of the region MR.
clang::interp::Zero
bool Zero(InterpState &S, CodePtr OpPC)
Definition: Interp.h:2408
clang::interp::Mul
bool Mul(InterpState &S, CodePtr OpPC)
Definition: Interp.h:447
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
hlsl::uint64_t
unsigned long uint64_t
Definition: hlsl_basic_types.h:42
Generated on Fri Jan 17 2025 17:50:13 for clang by doxygen 1.9.6