//== InvalidPtrChecker.cpp ------------------------------------- -*- C++ -*--=// // // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // See https://llvm.org/LICENSE.txt for license information. // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // //===----------------------------------------------------------------------===// // // This file defines InvalidPtrChecker which finds usages of possibly // invalidated pointer. // CERT SEI Rules ENV31-C and ENV34-C // For more information see: // https://wiki.sei.cmu.edu/confluence/x/8tYxBQ // https://wiki.sei.cmu.edu/confluence/x/5NUxBQ //===----------------------------------------------------------------------===// #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" usingnamespaceclang; usingnamespaceento; namespace { class InvalidPtrChecker : public Checker<check::Location, check::BeginFunction, check::PostCall> { … }; } // namespace // Set of memory regions that were invalidated REGISTER_SET_WITH_PROGRAMSTATE(…) … // Stores the region of the environment pointer of 'main' (if present). REGISTER_TRAIT_WITH_PROGRAMSTATE(…) … // Stores the regions of environments returned by getenv calls. REGISTER_SET_WITH_PROGRAMSTATE(…) … // Stores key-value pairs, where key is function declaration and value is // pointer to memory region returned by previous call of this function REGISTER_MAP_WITH_PROGRAMSTATE(…) … const NoteTag *InvalidPtrChecker::createEnvInvalidationNote( CheckerContext &C, ProgramStateRef State, StringRef FunctionName) const { … } void InvalidPtrChecker::EnvpInvalidatingCall(const CallEvent &Call, CheckerContext &C) const { … } void InvalidPtrChecker::postPreviousReturnInvalidatingCall( const CallEvent &Call, CheckerContext &C) const { … } // TODO: This seems really ugly. Simplify this. static const MemRegion *findInvalidatedSymbolicBase(ProgramStateRef State, const MemRegion *Reg) { … } // Handle functions in EnvpInvalidatingFunctions, that invalidate environment // pointer from 'main()' Also, check if invalidated region is passed to a // function call as an argument. void InvalidPtrChecker::checkPostCall(const CallEvent &Call, CheckerContext &C) const { … } // Obtain the environment pointer from 'main()', if present. void InvalidPtrChecker::checkBeginFunction(CheckerContext &C) const { … } // Check if invalidated region is being dereferenced. void InvalidPtrChecker::checkLocation(SVal Loc, bool isLoad, const Stmt *S, CheckerContext &C) const { … } void ento::registerInvalidPtrChecker(CheckerManager &Mgr) { … } bool ento::shouldRegisterInvalidPtrChecker(const CheckerManager &) { … }
Codebase Browser
llvm