MIGChecker.cpp - OpenGrok cross reference for /freebsd/contrib/llvm-project/clang/lib/StaticAnalyzer/Checkers/MIGChecker.cpp

Lines Matching +full:up +full:- +full:counting
1 //== MIGChecker.cpp - MIG calling convention checker ------------*- C++ -*--==//
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
7 //===----------------------------------------------------------------------===//
11 // - When a server routine returns an error code that represents success, it
14 // - Additionally, when returning success, all out-parameters must be
16 // - When it returns any other error code, it must not take ownership,
17 //   because the message and its out-of-line parameters will be destroyed
20 // use-after-free exploits.
22 //===----------------------------------------------------------------------===//
41   BugType BT{this, "Use-after-free (MIG calling convention violation)",
44   // The checker knows that an out-of-line object is deallocated if it is
55       // consume-on-success convention.
87       // consume-on-success convention.
105   // but now we step into it in the top-level function.
120 // reference counting is being performed.  in REGISTER_TRAIT_WITH_PROGRAMSTATE()
130   // If we optimistically assume that the MIG routine never re-uses the storage  in REGISTER_TRAIT_WITH_PROGRAMSTATE()
135   while (const MemRegion *MR = Sym->getOriginRegion()) {  in REGISTER_TRAIT_WITH_PROGRAMSTATE()
137     if (VR && VR->hasStackParametersStorage() &&  in REGISTER_TRAIT_WITH_PROGRAMSTATE()
138            VR->getStackFrame()->inTopFrame())  in REGISTER_TRAIT_WITH_PROGRAMSTATE()
139       return cast<ParmVarDecl>(VR->getDecl());  in REGISTER_TRAIT_WITH_PROGRAMSTATE()
141     const SymbolicRegion *SR = MR->getSymbolicBase();  in REGISTER_TRAIT_WITH_PROGRAMSTATE()
145     Sym = SR->getSymbol();  in REGISTER_TRAIT_WITH_PROGRAMSTATE()
158     SFC = LC->getStackFrame();  in isInMIGCall()
159     LC = SFC->getParent();  in isInMIGCall()
162   const Decl *D = SFC->getDecl();  in isInMIGCall()
170     if (!AC->getReturnType(C.getASTContext())  in isInMIGCall()
171              .getCanonicalType()->isSignedIntegerType())  in isInMIGCall()
175   if (D->hasAttr<MIGServerRoutineAttr>())  in isInMIGCall()
180     for (const auto *OMD: MD->overridden_methods())  in isInMIGCall()
181       if (OMD->hasAttr<MIGServerRoutineAttr>())  in isInMIGCall()
189     // If the code is doing reference counting over the parameter,  in checkPostCall()
190     // it opens up an opportunity for safely calling a destructor function.  in checkPostCall()
191     // TODO: We should still check for over-releases.  in checkPostCall()
194       // We never need to clean up the program state because these are  in checkPostCall()
195       // top-level parameters anyway, so they're always live.  in checkPostCall()
196       C.addTransition(C.getState()->add<RefCountedParameters>(PVD));  in checkPostCall()
212   if (!PVD || State->contains<RefCountedParameters>(PVD))  in checkPostCall()
216     C.getNoteTag([this, PVD](PathSensitiveBugReport &BR) -> std::string {  in checkPostCall()
221         OS << "Value passed through parameter '" << PVD->getName()  in checkPostCall()
225   C.addTransition(State->set<ReleasedParameter>(true), T);  in checkPostCall()
233   if (!State->isNull(V).isConstrainedFalse())  in mayBeSuccess()
240   static const int MigNoReply = -305;  in mayBeSuccess()
242   if (!State->isNull(V).isConstrainedTrue())  in mayBeSuccess()
264   // We know that the function is non-void, but what if the return statement  in checkReturnAux()
270   if (!State->get<ReleasedParameter>())  in checkReturnAux()
284       "This is a use-after-free vulnerability because the caller will try to "  in checkReturnAux()
288   R->addRange(RS->getSourceRange());  in checkReturnAux()
290       N, RS->getRetValue(), *R,  in checkReturnAux()