This is an archive of the discontinued LLVM Phabricator instance.

Differential D86873

[analyzer][NFC] Refactor ArrayBoundCheckerV2
Needs ReviewPublic

Authored by steakhal on Aug 31 2020, 4:53 AM.

Details

Reviewers
NoQ
vsavchenko
xazax.hun
martong
Szelethus
Summary

This patch refactors the ArrayBoundCheckerV2 to use more SValVisitor machinery.
IMO this pattern leads to a more functional style, thus more readable - compared to an ad-hoc recursion what getSimplifiedOffsets did.
I also drastically reduce the scope of the mutated local variables for readability.
This resulted in a fairly large change:

  • Use MemRegionVisitor to compute RegionRawOffsetV2 of a memory region.
  • Use SymExprVisitor to simplify subscript expression.
  • Remove getSimplifiedOffsets function.
  • Split up ArrayBoundCheckerV2::checkLocation into checkLowerBound and checkUpperBound.

Diff Detail

Event Timeline

steakhal created this revision.Aug 31 2020, 4:53 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 31 2020, 4:53 AM
Herald added subscribers: cfe-commits, ASDenysPetrov, Charusso and 8 others. · View Herald Transcript
steakhal requested review of this revision.Aug 31 2020, 4:53 AM
steakhal added a parent revision: D86870: [analyzer] Add more tests for ArrayBoundCheckerV2.
steakhal added a child revision: D86874: [analyzer] Fix ArrayBoundCheckerV2 false positive regarding size_t indexer.Aug 31 2020, 5:18 AM
Harbormaster completed remote builds in B70086: Diff 288923.Aug 31 2020, 5:28 AM
martong added inline comments.Sep 1 2020, 1:48 AM
clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
52

Since you are already deep in refactoring. This calculation together with the enclosing class seems to be useful for other Checkers too. Would make sense to put this to CheckerHelpers?
E.g. the PlacementNewChecker could have benefited from this class if it had been available for use during the implementation of the checker.

298

What is the exact difference in between this algorithm and assumeInBound? What are the benefits (and disadvantages) of using each of them?

And oh wait, there's more: assumeInclusiveRange. Is that also related? (StdLibraryFunctionsChecker uses that for range assumptions.)

Szelethus added a comment.Sep 1 2020, 1:54 AM

Before we dive into this too much, if you can point to discussion that explains why we have a 2 versions of the same checker, that would be nice. Why did you chose to work on this one, and not the other? I recall us talking about this in a meeting, but its always great to have it set in stone.

steakhal added inline comments.Sep 1 2020, 2:02 AM
clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp
52

You are probably right.
However, I'm not qualified enough to make such a decision.

By the same token, I don't really understand why would anyone do such unfolding by hand?
Could someone clarify the use-cases for RegionRawOffset and RegionRawOffsetV2? @NoQ @vsavchenko @Szelethus?
Eg. we don't use such facilities in the evalBindOpL# functions, but it would probably come handy.

171–172

Here we 'c-style' integral cast the right-hand side value to match the signess and bitwidth of Index. @martong

steakhal mentioned this in D88359: [analyzer][RFC] Complete rewrite of ArrayBoundCheckerV2.Sep 26 2020, 7:39 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Checkers/
500 lines

Diff 288923

clang/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

Show All 15 Lines
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h" #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicSize.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValVisitor.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
using namespace taint; using namespace taint;
using ConcreteInt = nonloc::ConcreteInt;
using SymbolVal = nonloc::SymbolVal;
namespace { namespace {
class ArrayBoundCheckerV2 : // FIXME: Eventually replace RegionRawOffset with this class.
public Checker<check::Location> { class RegionRawOffsetV2 {
mutable std::unique_ptr<BuiltinBug> BT; private:
const SubRegion *BaseRegion = nullptr;
SVal ByteOffset = UnknownVal();
enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted }; RegionRawOffsetV2() = default;
void reportOOB(CheckerContext &C, ProgramStateRef errorState, OOB_Kind kind, /// Compute a raw byte offset from a base region.
std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const; /// Flatten the nested ElementRegion structure into a byte-offset in a
/// SubRegion. E.g:
/// dereferenced location:
/// &Element{Element{Sym{reg_p}, conj{n, int}, char}, 3, int}
/// Finds the base region:
/// Region: Sym{reg_p}
/// Builds the corresponding symbolic offset expression:
/// Offset: SymIntExpr{conj{n, int}, +, 12, long long}
class RawOffsetCalculator final
martongUnsubmitted
Not Done
ReplyInline Actions

Since you are already deep in refactoring. This calculation together with the enclosing class seems to be useful for other Checkers too. Would make sense to put this to CheckerHelpers?
E.g. the PlacementNewChecker could have benefited from this class if it had been available for use during the implementation of the checker.

martong: Since you are already deep in refactoring. This calculation together with the enclosing class…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

You are probably right.
However, I'm not qualified enough to make such a decision.

By the same token, I don't really understand why would anyone do such unfolding by hand?
Could someone clarify the use-cases for RegionRawOffset and RegionRawOffsetV2? @NoQ @vsavchenko @Szelethus?
Eg. we don't use such facilities in the evalBindOpL# functions, but it would probably come handy.

steakhal: You are probably right. However, I'm not qualified enough to make such a decision. By the same…
: public MemRegionVisitor<RawOffsetCalculator, RegionRawOffsetV2> {
ProgramStateRef State;
SValBuilder &SVB;
RegionRawOffsetV2 Leaf(const SubRegion *R) const {
return {R, SVB.makeArrayIndex(0)};
}
public: public:
void checkLocation(SVal l, bool isLoad, const Stmt*S, RawOffsetCalculator(ProgramStateRef State, SValBuilder &SVB)
CheckerContext &C) const; : State(State), SVB(SVB) {}
using MemRegionVisitor::Visit;
auto VisitMemRegion(const MemRegion *R) {
return Leaf(dyn_cast<SubRegion>(R));
}
RegionRawOffsetV2 VisitElementRegion(const ElementRegion *ER) {
// For: Elem{SuperReg, ElemTy, ElemIdx}
// 1) Calculate the raw offset of the SuperReg.
// 2) Handle the current level.
// Offset := Offset + sizeof(ElemTy) * ElemIdx
const RegionRawOffsetV2 RawOffset = Visit(ER->getSuperRegion());
const QualType ElemTy = ER->getElementType();
const NonLoc Index = ER->getIndex();
// If we can not calculate the sizeof ElemTy, erase result and give up.
if (ElemTy->isIncompleteType())
return Leaf(nullptr);
const NonLoc SizeofElemTy = SVB.makeArrayIndex(
SVB.getContext().getTypeSizeInChars(ElemTy).getQuantity());
const QualType ArrayIndexTy = SVB.getArrayIndexType();
const NonLoc ByteElementOffset =
SVB.evalBinOpNN(State, BO_Mul, Index, SizeofElemTy, ArrayIndexTy)
.castAs<NonLoc>();
SVal NewByteOffset = SVB.evalBinOpNN(
State, BO_Add, RawOffset.getByteOffset().castAs<NonLoc>(),
ByteElementOffset, ArrayIndexTy);
return {RawOffset.getRegion(), NewByteOffset};
}
}; };
// FIXME: Eventually replace RegionRawOffset with this class.
class RegionRawOffsetV2 {
private:
const SubRegion *baseRegion;
SVal byteOffset;
RegionRawOffsetV2()
: baseRegion(nullptr), byteOffset(UnknownVal()) {}
public: public:
RegionRawOffsetV2(const SubRegion* base, SVal offset) RegionRawOffsetV2(const SubRegion *BaseRegion, SVal ByteOffset)
: baseRegion(base), byteOffset(offset) {} : BaseRegion(BaseRegion), ByteOffset(ByteOffset) {}
NonLoc getByteOffset() const { return byteOffset.castAs<NonLoc>(); } NonLoc getByteOffset() const { return ByteOffset.castAs<NonLoc>(); }
const SubRegion *getRegion() const { return baseRegion; } const SubRegion *getRegion() const { return BaseRegion; }
static RegionRawOffsetV2 computeOffset(ProgramStateRef state, static RegionRawOffsetV2 computeOffset(ProgramStateRef State,
SValBuilder &svalBuilder, SValBuilder &SVB,
SVal location); loc::MemRegionVal Location) {
return RawOffsetCalculator(State, SVB).Visit(Location.getRegion());
}
void dump() const; void dump() const;
void dumpToStream(raw_ostream &os) const; void dumpToStream(raw_ostream &os) const;
}; };
}
static SVal computeExtentBegin(SValBuilder &svalBuilder,
const MemRegion *region) {
const MemSpaceRegion *SR = region->getMemorySpace();
if (SR->getKind() == MemRegion::UnknownSpaceRegionKind)
return UnknownVal();
else
return svalBuilder.makeZeroArrayIndex();
}
// TODO: once the constraint manager is smart enough to handle non simplified
// symbolic expressions remove this function. Note that this can not be used in
// the constraint manager as is, since this does not handle overflows. It is
// safe to assume, however, that memory offsets will not overflow.
static std::pair<NonLoc, nonloc::ConcreteInt>
getSimplifiedOffsets(NonLoc offset, nonloc::ConcreteInt extent,
SValBuilder &svalBuilder) {
Optional<nonloc::SymbolVal> SymVal = offset.getAs<nonloc::SymbolVal>();
if (SymVal && SymVal->isExpression()) {
if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(SymVal->getSymbol())) {
llvm::APSInt constant =
APSIntType(extent.getValue()).convert(SIE->getRHS());
switch (SIE->getOpcode()) {
case BO_Mul:
// The constant should never be 0 here, since it the result of scaling
// based on the size of a type which is never 0.
if ((extent.getValue() % constant) != 0)
return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent);
else
return getSimplifiedOffsets(
nonloc::SymbolVal(SIE->getLHS()),
svalBuilder.makeIntVal(extent.getValue() / constant),
svalBuilder);
case BO_Add:
return getSimplifiedOffsets(
nonloc::SymbolVal(SIE->getLHS()),
svalBuilder.makeIntVal(extent.getValue() - constant), svalBuilder);
default:
break;
}
}
}
return std::pair<NonLoc, nonloc::ConcreteInt>(offset, extent); /// Check if the pointer dereference would access (read or write) a memory
} /// region outside of an array.
/// It has much smarter logic dealing with constant addition and multiplication
/// in the indexer expression, such as: For 'buf[x+3]' it would check if 'x' is
/// either **below** '-3' or 'x' is greater then or equal to 'extentOf(buf)' to
/// emit a bug report. Otherwise, we will assume that the indexer expression
/// **in bound of** the valid range.
class ArrayBoundCheckerV2 : public Checker<check::Location> {
mutable std::unique_ptr<BuiltinBug> BT;
void ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad, enum OOB_Kind { OOB_Precedes, OOB_Excedes, OOB_Tainted };
const Stmt* LoadS,
CheckerContext &checkerContext) const {
// NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping void reportOOB(CheckerContext &C, ProgramStateRef errorState, OOB_Kind kind,
// some new logic here that reasons directly about memory region extents. std::unique_ptr<BugReporterVisitor> Visitor = nullptr) const;
// Once that logic is more mature, we can bring it back to assumeInBound()
// for all clients to use.
//
// The algorithm we are using here for bounds checking is to see if the
// memory access is within the extent of the base region. Since we
// have some flexibility in defining the base region, we can achieve
// various levels of conservatism in our buffer overflow checking.
ProgramStateRef state = checkerContext.getState();
SValBuilder &svalBuilder = checkerContext.getSValBuilder(); // Returns null state if reported bug, non-null otherwise.
const RegionRawOffsetV2 &rawOffset = ProgramStateRef checkLowerBound(CheckerContext &Ctx, SValBuilder &SVB,
RegionRawOffsetV2::computeOffset(state, svalBuilder, location); const ProgramStateRef State,
RegionRawOffsetV2 RawOffset) const;
// Returns null state if reported bug, non-null otherwise.
ProgramStateRef checkUpperBound(CheckerContext &Ctx, SValBuilder &SVB,
const ProgramStateRef State,
RegionRawOffsetV2 RawOffset) const;
if (!rawOffset.getRegion()) public:
return; void checkLocation(SVal l, bool isLoad, const Stmt *S,
CheckerContext &Ctx) const;
};
NonLoc rawOffsetVal = rawOffset.getByteOffset(); std::pair<NonLoc, ConcreteInt> simplify(SValBuilder &SVB, NonLoc Root,
ConcreteInt Index) {
/// Peel of SymIntExprs one by one while folding the constants on the right.
///
/// It reorders the expression `Root` and `Index` at the same time.
/// Eg: if `Root` is:
/// `x + 5` then `Index := Index - (typeof(Index))5`
/// `x * 5` then `Index := Index / (typeof(Index))5`
/// Then recurse on `x`.
class SymExprSimplifier final : public SymExprVisitor<SymExprSimplifier> {
SValBuilder &SVB;
const SymExpr *RootSymbol;
ConcreteInt Index;
// CHECK LOWER BOUND: Is byteOffset < extent begin? public:
// If so, we are doing a load/store SymExprSimplifier(SValBuilder &SVB, const SymExpr *RootSymbol,
// before the first valid offset in the memory region. ConcreteInt Index)
: SVB(SVB), RootSymbol(RootSymbol), Index(Index) {}
using SymExprVisitor::Visit;
void VisitSymIntExpr(const SymIntExpr *E) {
const BinaryOperator::Opcode Op = E->getOpcode();
if (Op != BO_Add && Op != BO_Mul)
return;
SVal extentBegin = computeExtentBegin(svalBuilder, rawOffset.getRegion()); llvm::APSInt RHSConstant =
APSIntType(Index.getValue()).convert(E->getRHS());
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

Here we 'c-style' integral cast the right-hand side value to match the signess and bitwidth of Index. @martong

steakhal: Here we 'c-style' integral cast the right-hand side value to match the signess and bitwidth of…
if (Optional<NonLoc> NV = extentBegin.getAs<NonLoc>()) { if (Op == BO_Add) {
if (NV->getAs<nonloc::ConcreteInt>()) { Index = SVB.makeIntVal(Index.getValue() - RHSConstant);
std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets = RootSymbol = E->getLHS();
getSimplifiedOffsets(rawOffset.getByteOffset(), Visit(RootSymbol);
NV->castAs<nonloc::ConcreteInt>(), return;
svalBuilder);
rawOffsetVal = simplifiedOffsets.first;
*NV = simplifiedOffsets.second;
} }
SVal lowerBound = svalBuilder.evalBinOpNN(state, BO_LT, rawOffsetVal, *NV, assert(Op == BO_Mul);
svalBuilder.getConditionType());
Optional<NonLoc> lowerBoundToCheck = lowerBound.getAs<NonLoc>(); // The constant should never be 0 here, since it the result of scaling
if (!lowerBoundToCheck) // based on the size of a type which is never 0.
return; assert(!RHSConstant.isNullValue());
ProgramStateRef state_precedesLowerBound, state_withinLowerBound; // If the NewExtent is not divisible, we can not further simplify
std::tie(state_precedesLowerBound, state_withinLowerBound) = // expressions.
state->assume(*lowerBoundToCheck); if ((Index.getValue() % RHSConstant) != 0)
// Are we constrained enough to definitely precede the lower bound?
if (state_precedesLowerBound && !state_withinLowerBound) {
reportOOB(checkerContext, state_precedesLowerBound, OOB_Precedes);
return; return;
}
// Otherwise, assume the constraint of the lower bound. Index = SVB.makeIntVal(Index.getValue() / RHSConstant);
assert(state_withinLowerBound); RootSymbol = E->getLHS();
state = state_withinLowerBound; Visit(RootSymbol);
} }
do { SymbolVal getRootSymbol() const { return RootSymbol; }
// CHECK UPPER BOUND: Is byteOffset >= size(baseRegion)? If so, ConcreteInt getFoldedIndex() const { return Index; }
// we are doing a load/store after the last valid offset. };
const MemRegion *MR = rawOffset.getRegion(); if (const auto SymbolicRoot = Root.getAs<SymbolVal>()) {
DefinedOrUnknownSVal Size = getDynamicSize(state, MR, svalBuilder); SymExprSimplifier Visitor(SVB, SymbolicRoot->getSymbol(), Index);
if (!Size.getAs<NonLoc>()) Visitor.Visit(SymbolicRoot->getSymbol());
break; return {Visitor.getRootSymbol(), Visitor.getFoldedIndex()};
}
if (Size.getAs<nonloc::ConcreteInt>()) { assert(Root.getAs<ConcreteInt>() && "Root must be either int or symbol.");
std::pair<NonLoc, nonloc::ConcreteInt> simplifiedOffsets = return {Root, Index};
getSimplifiedOffsets(rawOffset.getByteOffset(), }
Size.castAs<nonloc::ConcreteInt>(), svalBuilder); } // namespace
rawOffsetVal = simplifiedOffsets.first;
Size = simplifiedOffsets.second; ProgramStateRef
ArrayBoundCheckerV2::checkLowerBound(CheckerContext &Ctx, SValBuilder &SVB,
const ProgramStateRef State,
RegionRawOffsetV2 RawOffset) const {
// If we don't know that the pointer points to the beginning of the region,
// skip lower-bound check.
if (isa<UnknownSpaceRegion>(RawOffset.getRegion()->getMemorySpace()))
return State;
ConcreteInt Zero = SVB.makeZeroArrayIndex().castAs<ConcreteInt>();
SVal RootNonLoc;
SVal ConstantFoldedRHS;
std::tie(RootNonLoc, ConstantFoldedRHS) =
simplify(SVB, RawOffset.getByteOffset(), Zero);
NonLoc LowerBoundCheck =
SVB.evalBinOpNN(State, BO_LT, RootNonLoc.castAs<NonLoc>(),
ConstantFoldedRHS.castAs<ConcreteInt>(),
SVB.getConditionType())
.castAs<NonLoc>();
ProgramStateRef PrecedesLowerBound, WithinLowerBound;
std::tie(PrecedesLowerBound, WithinLowerBound) =
State->assume(LowerBoundCheck);
if (PrecedesLowerBound && !WithinLowerBound) {
reportOOB(Ctx, PrecedesLowerBound, OOB_Precedes);
return nullptr;
} }
SVal upperbound = svalBuilder.evalBinOpNN(state, BO_GE, rawOffsetVal, // Otherwise, assume the constraint of the lower bound.
Size.castAs<NonLoc>(), assert(WithinLowerBound);
svalBuilder.getConditionType()); return WithinLowerBound;
}
Optional<NonLoc> upperboundToCheck = upperbound.getAs<NonLoc>();
if (!upperboundToCheck)
break;
ProgramStateRef state_exceedsUpperBound, state_withinUpperBound; // Returns null state if reported bug, non-null otherwise.
std::tie(state_exceedsUpperBound, state_withinUpperBound) = ProgramStateRef
state->assume(*upperboundToCheck); ArrayBoundCheckerV2::checkUpperBound(CheckerContext &Ctx, SValBuilder &SVB,
const ProgramStateRef State,
RegionRawOffsetV2 RawOffset) const {
DefinedOrUnknownSVal Extent =
getDynamicSize(State, RawOffset.getRegion(), SVB);
if (!Extent.getAs<NonLoc>())
return State;
NonLoc RawByteOffset = RawOffset.getByteOffset();
if (const auto ExtentInt = Extent.getAs<ConcreteInt>()) {
std::tie(RawByteOffset, Extent) =
simplify(SVB, RawOffset.getByteOffset(), *ExtentInt);
}
NonLoc UpperBoundCheck =
SVB.evalBinOpNN(State, BO_GE, RawByteOffset, Extent.castAs<NonLoc>(),
SVB.getConditionType())
.castAs<NonLoc>();
ProgramStateRef ExceedsUpperBound, WithinUpperBound;
std::tie(ExceedsUpperBound, WithinUpperBound) =
State->assume(UpperBoundCheck);
// If we are under constrained and the index variables are tainted, report. // If we are under constrained and the index variables are tainted, report.
if (state_exceedsUpperBound && state_withinUpperBound) { if (ExceedsUpperBound && WithinUpperBound) {
SVal ByteOffset = rawOffset.getByteOffset(); SVal ByteOffset = RawOffset.getByteOffset();
if (isTainted(state, ByteOffset)) { if (isTainted(State, ByteOffset)) {
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Tainted, reportOOB(Ctx, ExceedsUpperBound, OOB_Tainted,
std::make_unique<TaintBugVisitor>(ByteOffset)); std::make_unique<TaintBugVisitor>(ByteOffset));
return; return nullptr;
} }
} else if (state_exceedsUpperBound) { } else if (ExceedsUpperBound) {
// If we are constrained enough to definitely exceed the upper bound, // If we are constrained enough to definitely exceed the upper bound,
// report. // report.
assert(!state_withinUpperBound); assert(!WithinUpperBound);
reportOOB(checkerContext, state_exceedsUpperBound, OOB_Excedes); reportOOB(Ctx, ExceedsUpperBound, OOB_Excedes);
return; return nullptr;
} }
assert(state_withinUpperBound); assert(WithinUpperBound);
state = state_withinUpperBound; return WithinUpperBound;
} }
while (false);
checkerContext.addTransition(state); void ArrayBoundCheckerV2::checkLocation(SVal Location, bool, const Stmt *,
CheckerContext &Ctx) const {
// NOTE: Instead of using ProgramState::assumeInBound(), we are prototyping
// some new logic here that reasons directly about memory region extents.
// Once that logic is more mature, we can bring it back to assumeInBound()
// for all clients to use.
//
// The algorithm we are using here for bounds checking is to see if the
martongUnsubmitted
Not Done
ReplyInline Actions

What is the exact difference in between this algorithm and assumeInBound? What are the benefits (and disadvantages) of using each of them?

And oh wait, there's more: assumeInclusiveRange. Is that also related? (StdLibraryFunctionsChecker uses that for range assumptions.)

martong: What is the exact difference in between this algorithm and `assumeInBound`? What are the…
// memory access is within the extent of the base region. Since we
// have some flexibility in defining the base region, we can achieve
// various levels of conservatism in our buffer overflow checking.
// TODO: Check if these comments are still valid:
// - Why would anyone use this 'experimental logic' if it does not handle
// overflows?
// - "we can achieve various levels of conservatism" What?
ProgramStateRef State = Ctx.getState();
SValBuilder &SVB = Ctx.getSValBuilder();
const RegionRawOffsetV2 RawOffset = RegionRawOffsetV2::computeOffset(
State, SVB, Location.castAs<loc::MemRegionVal>());
assert(RawOffset.getRegion() && "It should be a valid region.");
// Is byteOffset < extent begin?
// If so, we are doing a load/store before the first valid offset in the
// memory region.
State = checkLowerBound(Ctx, SVB, State, RawOffset);
if (!State)
return;
// Is byteOffset >= extentOf(BaseRegion)?
// If so, we are doing a load/store after the last valid offset.
State = checkUpperBound(Ctx, SVB, State, RawOffset);
if (!State)
return;
// Continue the analysis while we know that this access must be valid.
Ctx.addTransition(State);
} }
void ArrayBoundCheckerV2::reportOOB( void ArrayBoundCheckerV2::reportOOB(
CheckerContext &checkerContext, ProgramStateRef errorState, OOB_Kind kind, CheckerContext &checkerContext, ProgramStateRef errorState, OOB_Kind kind,
std::unique_ptr<BugReporterVisitor> Visitor) const { std::unique_ptr<BugReporterVisitor> Visitor) const {
ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState); ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState);
if (!errorNode) if (!errorNode)
Show All 30 LinesLLVM_DUMP_METHOD void RegionRawOffsetV2::dump() const {
dumpToStream(llvm::errs()); dumpToStream(llvm::errs());
} }
void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const { void RegionRawOffsetV2::dumpToStream(raw_ostream &os) const {
os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}'; os << "raw_offset_v2{" << getRegion() << ',' << getByteOffset() << '}';
} }
#endif #endif
// Lazily computes a value to be used by 'computeOffset'. If 'val'
// is unknown or undefined, we lazily substitute '0'. Otherwise,
// return 'val'.
static inline SVal getValue(SVal val, SValBuilder &svalBuilder) {
return val.getAs<UndefinedVal>() ? svalBuilder.makeArrayIndex(0) : val;
}
// Scale a base value by a scaling factor, and return the scaled
// value as an SVal. Used by 'computeOffset'.
static inline SVal scaleValue(ProgramStateRef state,
NonLoc baseVal, CharUnits scaling,
SValBuilder &sb) {
return sb.evalBinOpNN(state, BO_Mul, baseVal,
sb.makeArrayIndex(scaling.getQuantity()),
sb.getArrayIndexType());
}
// Add an SVal to another, treating unknown and undefined values as
// summing to UnknownVal. Used by 'computeOffset'.
static SVal addValue(ProgramStateRef state, SVal x, SVal y,
SValBuilder &svalBuilder) {
// We treat UnknownVals and UndefinedVals the same here because we
// only care about computing offsets.
if (x.isUnknownOrUndef() || y.isUnknownOrUndef())
return UnknownVal();
return svalBuilder.evalBinOpNN(state, BO_Add, x.castAs<NonLoc>(),
y.castAs<NonLoc>(),
svalBuilder.getArrayIndexType());
}
/// Compute a raw byte offset from a base region. Used for array bounds
/// checking.
RegionRawOffsetV2 RegionRawOffsetV2::computeOffset(ProgramStateRef state,
SValBuilder &svalBuilder,
SVal location)
{
const MemRegion *region = location.getAsRegion();
SVal offset = UndefinedVal();
while (region) {
switch (region->getKind()) {
default: {
if (const SubRegion *subReg = dyn_cast<SubRegion>(region)) {
offset = getValue(offset, svalBuilder);
if (!offset.isUnknownOrUndef())
return RegionRawOffsetV2(subReg, offset);
}
return RegionRawOffsetV2();
}
case MemRegion::ElementRegionKind: {
const ElementRegion *elemReg = cast<ElementRegion>(region);
SVal index = elemReg->getIndex();
if (!index.getAs<NonLoc>())
return RegionRawOffsetV2();
QualType elemType = elemReg->getElementType();
// If the element is an incomplete type, go no further.
ASTContext &astContext = svalBuilder.getContext();
if (elemType->isIncompleteType())
return RegionRawOffsetV2();
// Update the offset.
offset = addValue(state,
getValue(offset, svalBuilder),
scaleValue(state,
index.castAs<NonLoc>(),
astContext.getTypeSizeInChars(elemType),
svalBuilder),
svalBuilder);
if (offset.isUnknownOrUndef())
return RegionRawOffsetV2();
region = elemReg->getSuperRegion();
continue;
}
}
}
return RegionRawOffsetV2();
}
void ento::registerArrayBoundCheckerV2(CheckerManager &mgr) { void ento::registerArrayBoundCheckerV2(CheckerManager &mgr) {
mgr.registerChecker<ArrayBoundCheckerV2>(); mgr.registerChecker<ArrayBoundCheckerV2>();
} }
bool ento::shouldRegisterArrayBoundCheckerV2(const CheckerManager &mgr) { bool ento::shouldRegisterArrayBoundCheckerV2(const CheckerManager &mgr) {
return true; return true;
} }