1 //=== InnerPointerChecker.cpp -------------------------------------*- C++ -*--// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines a check that marks a raw pointer to a C++ container's 10 // inner buffer released when the object is destroyed. This information can 11 // be used by MallocChecker to detect use-after-free problems. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "AllocationState.h" 16 #include "InterCheckerAPI.h" 17 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 18 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 19 #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" 20 #include "clang/StaticAnalyzer/Core/Checker.h" 21 #include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h" 22 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 23 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 24 25 using namespace clang; 26 using namespace ento; 27 28 // Associate container objects with a set of raw pointer symbols. 29 REGISTER_SET_FACTORY_WITH_PROGRAMSTATE(PtrSet, SymbolRef) 30 REGISTER_MAP_WITH_PROGRAMSTATE(RawPtrMap, const MemRegion *, PtrSet) 31 32 33 namespace { 34 35 class InnerPointerChecker 36 : public Checker<check::DeadSymbols, check::PostCall> { 37 38 CallDescription AppendFn, AssignFn, AddressofFn, ClearFn, CStrFn, DataFn, 39 DataMemberFn, EraseFn, InsertFn, PopBackFn, PushBackFn, ReplaceFn, 40 ReserveFn, ResizeFn, ShrinkToFitFn, SwapFn; 41 42 public: 43 class InnerPointerBRVisitor : public BugReporterVisitor { 44 SymbolRef PtrToBuf; 45 46 public: 47 InnerPointerBRVisitor(SymbolRef Sym) : PtrToBuf(Sym) {} 48 49 static void *getTag() { 50 static int Tag = 0; 51 return &Tag; 52 } 53 54 void Profile(llvm::FoldingSetNodeID &ID) const override { 55 ID.AddPointer(getTag()); 56 } 57 58 virtual PathDiagnosticPieceRef 59 VisitNode(const ExplodedNode *N, BugReporterContext &BRC, 60 PathSensitiveBugReport &BR) override; 61 62 // FIXME: Scan the map once in the visitor's constructor and do a direct 63 // lookup by region. 64 bool isSymbolTracked(ProgramStateRef State, SymbolRef Sym) { 65 RawPtrMapTy Map = State->get<RawPtrMap>(); 66 for (const auto &Entry : Map) { 67 if (Entry.second.contains(Sym)) 68 return true; 69 } 70 return false; 71 } 72 }; 73 74 InnerPointerChecker() 75 : AppendFn({"std", "basic_string", "append"}), 76 AssignFn({"std", "basic_string", "assign"}), 77 AddressofFn({"std", "addressof"}), 78 ClearFn({"std", "basic_string", "clear"}), 79 CStrFn({"std", "basic_string", "c_str"}), DataFn({"std", "data"}, 1), 80 DataMemberFn({"std", "basic_string", "data"}), 81 EraseFn({"std", "basic_string", "erase"}), 82 InsertFn({"std", "basic_string", "insert"}), 83 PopBackFn({"std", "basic_string", "pop_back"}), 84 PushBackFn({"std", "basic_string", "push_back"}), 85 ReplaceFn({"std", "basic_string", "replace"}), 86 ReserveFn({"std", "basic_string", "reserve"}), 87 ResizeFn({"std", "basic_string", "resize"}), 88 ShrinkToFitFn({"std", "basic_string", "shrink_to_fit"}), 89 SwapFn({"std", "basic_string", "swap"}) {} 90 91 /// Check whether the called member function potentially invalidates 92 /// pointers referring to the container object's inner buffer. 93 bool isInvalidatingMemberFunction(const CallEvent &Call) const; 94 95 /// Check whether the called function returns a raw inner pointer. 96 bool isInnerPointerAccessFunction(const CallEvent &Call) const; 97 98 /// Mark pointer symbols associated with the given memory region released 99 /// in the program state. 100 void markPtrSymbolsReleased(const CallEvent &Call, ProgramStateRef State, 101 const MemRegion *ObjRegion, 102 CheckerContext &C) const; 103 104 /// Standard library functions that take a non-const `basic_string` argument by 105 /// reference may invalidate its inner pointers. Check for these cases and 106 /// mark the pointers released. 107 void checkFunctionArguments(const CallEvent &Call, ProgramStateRef State, 108 CheckerContext &C) const; 109 110 /// Record the connection between raw pointers referring to a container 111 /// object's inner buffer and the object's memory region in the program state. 112 /// Mark potentially invalidated pointers released. 113 void checkPostCall(const CallEvent &Call, CheckerContext &C) const; 114 115 /// Clean up the program state map. 116 void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; 117 }; 118 119 } // end anonymous namespace 120 121 bool InnerPointerChecker::isInvalidatingMemberFunction( 122 const CallEvent &Call) const { 123 if (const auto *MemOpCall = dyn_cast<CXXMemberOperatorCall>(&Call)) { 124 OverloadedOperatorKind Opc = MemOpCall->getOriginExpr()->getOperator(); 125 if (Opc == OO_Equal || Opc == OO_PlusEqual) 126 return true; 127 return false; 128 } 129 return isa<CXXDestructorCall>(Call) || 130 matchesAny(Call, AppendFn, AssignFn, ClearFn, EraseFn, InsertFn, 131 PopBackFn, PushBackFn, ReplaceFn, ReserveFn, ResizeFn, 132 ShrinkToFitFn, SwapFn); 133 } 134 135 bool InnerPointerChecker::isInnerPointerAccessFunction( 136 const CallEvent &Call) const { 137 return matchesAny(Call, CStrFn, DataFn, DataMemberFn); 138 } 139 140 void InnerPointerChecker::markPtrSymbolsReleased(const CallEvent &Call, 141 ProgramStateRef State, 142 const MemRegion *MR, 143 CheckerContext &C) const { 144 if (const PtrSet *PS = State->get<RawPtrMap>(MR)) { 145 const Expr *Origin = Call.getOriginExpr(); 146 for (const auto Symbol : *PS) { 147 // NOTE: `Origin` may be null, and will be stored so in the symbol's 148 // `RefState` in MallocChecker's `RegionState` program state map. 149 State = allocation_state::markReleased(State, Symbol, Origin); 150 } 151 State = State->remove<RawPtrMap>(MR); 152 C.addTransition(State); 153 return; 154 } 155 } 156 157 void InnerPointerChecker::checkFunctionArguments(const CallEvent &Call, 158 ProgramStateRef State, 159 CheckerContext &C) const { 160 if (const auto *FC = dyn_cast<AnyFunctionCall>(&Call)) { 161 const FunctionDecl *FD = FC->getDecl(); 162 if (!FD || !FD->isInStdNamespace()) 163 return; 164 165 for (unsigned I = 0, E = FD->getNumParams(); I != E; ++I) { 166 QualType ParamTy = FD->getParamDecl(I)->getType(); 167 if (!ParamTy->isReferenceType() || 168 ParamTy->getPointeeType().isConstQualified()) 169 continue; 170 171 // In case of member operator calls, `this` is counted as an 172 // argument but not as a parameter. 173 bool isaMemberOpCall = isa<CXXMemberOperatorCall>(FC); 174 unsigned ArgI = isaMemberOpCall ? I+1 : I; 175 176 SVal Arg = FC->getArgSVal(ArgI); 177 const auto *ArgRegion = 178 dyn_cast_or_null<TypedValueRegion>(Arg.getAsRegion()); 179 if (!ArgRegion) 180 continue; 181 182 // std::addressof function accepts a non-const reference as an argument, 183 // but doesn't modify it. 184 if (AddressofFn.matches(Call)) 185 continue; 186 187 markPtrSymbolsReleased(Call, State, ArgRegion, C); 188 } 189 } 190 } 191 192 // [string.require] 193 // 194 // "References, pointers, and iterators referring to the elements of a 195 // basic_string sequence may be invalidated by the following uses of that 196 // basic_string object: 197 // 198 // -- As an argument to any standard library function taking a reference 199 // to non-const basic_string as an argument. For example, as an argument to 200 // non-member functions swap(), operator>>(), and getline(), or as an argument 201 // to basic_string::swap(). 202 // 203 // -- Calling non-const member functions, except operator[], at, front, back, 204 // begin, rbegin, end, and rend." 205 206 void InnerPointerChecker::checkPostCall(const CallEvent &Call, 207 CheckerContext &C) const { 208 ProgramStateRef State = C.getState(); 209 210 // TODO: Do we need these to be typed? 211 const TypedValueRegion *ObjRegion = nullptr; 212 213 if (const auto *ICall = dyn_cast<CXXInstanceCall>(&Call)) { 214 ObjRegion = dyn_cast_or_null<TypedValueRegion>( 215 ICall->getCXXThisVal().getAsRegion()); 216 217 // Check [string.require] / second point. 218 if (isInvalidatingMemberFunction(Call)) { 219 markPtrSymbolsReleased(Call, State, ObjRegion, C); 220 return; 221 } 222 } 223 224 if (isInnerPointerAccessFunction(Call)) { 225 226 if (isa<SimpleFunctionCall>(Call)) { 227 // NOTE: As of now, we only have one free access function: std::data. 228 // If we add more functions like this in the list, hardcoded 229 // argument index should be changed. 230 ObjRegion = 231 dyn_cast_or_null<TypedValueRegion>(Call.getArgSVal(0).getAsRegion()); 232 } 233 234 if (!ObjRegion) 235 return; 236 237 SVal RawPtr = Call.getReturnValue(); 238 if (SymbolRef Sym = RawPtr.getAsSymbol(/*IncludeBaseRegions=*/true)) { 239 // Start tracking this raw pointer by adding it to the set of symbols 240 // associated with this container object in the program state map. 241 242 PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>(); 243 const PtrSet *SetPtr = State->get<RawPtrMap>(ObjRegion); 244 PtrSet Set = SetPtr ? *SetPtr : F.getEmptySet(); 245 assert(C.wasInlined || !Set.contains(Sym)); 246 Set = F.add(Set, Sym); 247 248 State = State->set<RawPtrMap>(ObjRegion, Set); 249 C.addTransition(State); 250 } 251 252 return; 253 } 254 255 // Check [string.require] / first point. 256 checkFunctionArguments(Call, State, C); 257 } 258 259 void InnerPointerChecker::checkDeadSymbols(SymbolReaper &SymReaper, 260 CheckerContext &C) const { 261 ProgramStateRef State = C.getState(); 262 PtrSet::Factory &F = State->getStateManager().get_context<PtrSet>(); 263 RawPtrMapTy RPM = State->get<RawPtrMap>(); 264 for (const auto &Entry : RPM) { 265 if (!SymReaper.isLiveRegion(Entry.first)) { 266 // Due to incomplete destructor support, some dead regions might 267 // remain in the program state map. Clean them up. 268 State = State->remove<RawPtrMap>(Entry.first); 269 } 270 if (const PtrSet *OldSet = State->get<RawPtrMap>(Entry.first)) { 271 PtrSet CleanedUpSet = *OldSet; 272 for (const auto Symbol : Entry.second) { 273 if (!SymReaper.isLive(Symbol)) 274 CleanedUpSet = F.remove(CleanedUpSet, Symbol); 275 } 276 State = CleanedUpSet.isEmpty() 277 ? State->remove<RawPtrMap>(Entry.first) 278 : State->set<RawPtrMap>(Entry.first, CleanedUpSet); 279 } 280 } 281 C.addTransition(State); 282 } 283 284 namespace clang { 285 namespace ento { 286 namespace allocation_state { 287 288 std::unique_ptr<BugReporterVisitor> getInnerPointerBRVisitor(SymbolRef Sym) { 289 return std::make_unique<InnerPointerChecker::InnerPointerBRVisitor>(Sym); 290 } 291 292 const MemRegion *getContainerObjRegion(ProgramStateRef State, SymbolRef Sym) { 293 RawPtrMapTy Map = State->get<RawPtrMap>(); 294 for (const auto &Entry : Map) { 295 if (Entry.second.contains(Sym)) { 296 return Entry.first; 297 } 298 } 299 return nullptr; 300 } 301 302 } // end namespace allocation_state 303 } // end namespace ento 304 } // end namespace clang 305 306 PathDiagnosticPieceRef InnerPointerChecker::InnerPointerBRVisitor::VisitNode( 307 const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) { 308 if (!isSymbolTracked(N->getState(), PtrToBuf) || 309 isSymbolTracked(N->getFirstPred()->getState(), PtrToBuf)) 310 return nullptr; 311 312 const Stmt *S = N->getStmtForDiagnostics(); 313 if (!S) 314 return nullptr; 315 316 const MemRegion *ObjRegion = 317 allocation_state::getContainerObjRegion(N->getState(), PtrToBuf); 318 const auto *TypedRegion = cast<TypedValueRegion>(ObjRegion); 319 QualType ObjTy = TypedRegion->getValueType(); 320 321 SmallString<256> Buf; 322 llvm::raw_svector_ostream OS(Buf); 323 OS << "Pointer to inner buffer of '" << ObjTy.getAsString() 324 << "' obtained here"; 325 PathDiagnosticLocation Pos(S, BRC.getSourceManager(), 326 N->getLocationContext()); 327 return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true); 328 } 329 330 void ento::registerInnerPointerChecker(CheckerManager &Mgr) { 331 registerInnerPointerCheckerAux(Mgr); 332 Mgr.registerChecker<InnerPointerChecker>(); 333 } 334 335 bool ento::shouldRegisterInnerPointerChecker(const CheckerManager &mgr) { 336 return true; 337 } 338