Split libAnalysis into two libraries: libAnalysis and libChecker.

(1) libAnalysis is a generic analysis library that can be used by Sema. It defines the CFG, basic dataflow analysis primitives, and inexpensive flow-sensitive analyses (e.g. LiveVariables). (2) libChecker contains the guts of the static analyzer, incuding the path-sensitive analysis engine and domain-specific checks. Now any clients that want to use the frontend to build their own tools don't need to link in the entire static analyzer. This change exposes various obvious cleanups that can be made to the layout of files and headers in libChecker. More changes pending. :) This change also exposed a layering violation between AnalysisContext and MemRegion. BlockInvocationContext shouldn't explicitly know about BlockDataRegions. For now I've removed the BlockDataRegion* from BlockInvocationContext (removing context-sensitivity; although this wasn't used yet). We need to have a better way to extend BlockInvocationContext (and any LocationContext) to add context-sensitivty. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@94406 91177308-0d34-0410-b5e6-96231b3b80d8
author: Ted Kremenek <kremenek@apple.com> 2010-01-25 04:41:41 +0000
committer: Ted Kremenek <kremenek@apple.com> 2010-01-25 04:41:41 +0000
commit: 1309f9a3b225ea846e5822691c39a77423125505 (patch)
tree: 1ba6d1976da4f426292619af026dbf9d9314c573 /lib/Checker/ReturnPointerRangeChecker.cpp
parent: 3db9eb1fbe5771d3d64db01af46b4eee9aca8ed0 (diff)
1 files changed, 97 insertions, 0 deletions
diff --git a/lib/Checker/ReturnPointerRangeChecker.cpp b/lib/Checker/ReturnPointerRangeChecker.cpp
new file mode 100644
index 0000000000..0a19254528
--- /dev/null
+++ b/lib/Checker/ReturnPointerRangeChecker.cpp
@@ -0,0 +1,97 @@
+//== ReturnPointerRangeChecker.cpp ------------------------------*- C++ -*--==//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This file defines ReturnPointerRangeChecker, which is a path-sensitive check
+// which looks for an out-of-bound pointer being returned to callers.
+//
+//===----------------------------------------------------------------------===//
+
+#include "GRExprEngineInternalChecks.h"
+#include "clang/Checker/PathSensitive/GRExprEngine.h"
+#include "clang/Checker/PathSensitive/BugReporter.h"
+#include "clang/Checker/PathSensitive/CheckerVisitor.h"
+
+using namespace clang;
+
+namespace {
+class ReturnPointerRangeChecker : 
+    public CheckerVisitor<ReturnPointerRangeChecker> {      
+  BuiltinBug *BT;
+public:
+    ReturnPointerRangeChecker() : BT(0) {}
+    static void *getTag();
+    void PreVisitReturnStmt(CheckerContext &C, const ReturnStmt *RS);
+};
+}
+
+void clang::RegisterReturnPointerRangeChecker(GRExprEngine &Eng) {
+  Eng.registerCheck(new ReturnPointerRangeChecker());
+}
+
+void *ReturnPointerRangeChecker::getTag() {
+  static int x = 0; return &x;
+}
+
+void ReturnPointerRangeChecker::PreVisitReturnStmt(CheckerContext &C,
+                                                   const ReturnStmt *RS) {
+  const GRState *state = C.getState();
+
+  const Expr *RetE = RS->getRetValue();
+  if (!RetE)
+    return;
+ 
+  SVal V = state->getSVal(RetE);
+  const MemRegion *R = V.getAsRegion();
+  if (!R)
+    return;
+
+  R = R->StripCasts();
+  if (!R)
+    return;
+
+  const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(R);
+  if (!ER)
+    return;
+
+  DefinedOrUnknownSVal &Idx = cast<DefinedOrUnknownSVal>(ER->getIndex());
+
+  // FIXME: All of this out-of-bounds checking should eventually be refactored
+  // into a common place.
+
+  DefinedOrUnknownSVal NumElements
+    = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(),
+                                           ER->getValueType(C.getASTContext()));
+
+  const GRState *StInBound = state->AssumeInBound(Idx, NumElements, true);
+  const GRState *StOutBound = state->AssumeInBound(Idx, NumElements, false);
+  if (StOutBound && !StInBound) {
+    ExplodedNode *N = C.GenerateSink(StOutBound);
+
+    if (!N)
+      return;
+  
+    // FIXME: This bug correspond to CWE-466.  Eventually we should have bug
+    // types explicitly reference such exploit categories (when applicable).
+    if (!BT)
+      BT = new BuiltinBug("Return of pointer value outside of expected range",
+           "Returned pointer value points outside the original object "
+           "(potential buffer overflow)");
+
+    // FIXME: It would be nice to eventually make this diagnostic more clear,
+    // e.g., by referencing the original declaration or by saying *why* this
+    // reference is outside the range.
+
+    // Generate a report for this bug.
+    RangedBugReport *report = 
+      new RangedBugReport(*BT, BT->getDescription(), N);
+
+    report->addRange(RetE->getSourceRange());
+    C.EmitReport(report);
+  }
+}
author	Ted Kremenek <kremenek@apple.com>	2010-01-25 04:41:41 +0000
committer	Ted Kremenek <kremenek@apple.com>	2010-01-25 04:41:41 +0000
commit	1309f9a3b225ea846e5822691c39a77423125505 (patch)
tree	1ba6d1976da4f426292619af026dbf9d9314c573 /lib/Checker/ReturnPointerRangeChecker.cpp
parent	3db9eb1fbe5771d3d64db01af46b4eee9aca8ed0 (diff)