1//== ValistChecker.cpp - stdarg.h macro usage checker -----------*- C++ -*--==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines checkers which detect usage of uninitialized va_list values
10// and va_start calls with no matching va_end.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
15#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
16#include "clang/StaticAnalyzer/Core/Checker.h"
17#include "clang/StaticAnalyzer/Core/CheckerManager.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
21
22using namespace clang;
23using namespace ento;
24
25REGISTER_SET_WITH_PROGRAMSTATE(InitializedVALists, const MemRegion *)
26
27namespace {
28typedef SmallVector<const MemRegion *, 2> RegionVector;
29
30class ValistChecker : public Checker<check::PreCall, check::PreStmt<VAArgExpr>,
31 check::DeadSymbols> {
32 mutable std::unique_ptr<BugType> BT_leakedvalist, BT_uninitaccess;
33
34 struct VAListAccepter {
35 CallDescription Func;
36 int VAListPos;
37 };
38 static const SmallVector<VAListAccepter, 15> VAListAccepters;
39 static const CallDescription VaStart, VaEnd, VaCopy;
40
41public:
42 enum CheckKind {
43 CK_Uninitialized,
44 CK_Unterminated,
45 CK_CopyToSelf,
46 CK_NumCheckKinds
47 };
48
49 bool ChecksEnabled[CK_NumCheckKinds] = {false};
50 CheckerNameRef CheckNames[CK_NumCheckKinds];
51
52 void checkPreStmt(const VAArgExpr *VAA, CheckerContext &C) const;
53 void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
54 void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
55
56private:
57 const MemRegion *getVAListAsRegion(SVal SV, const Expr *VAExpr,
58 bool &IsSymbolic, CheckerContext &C) const;
59 const ExplodedNode *getStartCallSite(const ExplodedNode *N,
60 const MemRegion *Reg) const;
61
62 void reportUninitializedAccess(const MemRegion *VAList, StringRef Msg,
63 CheckerContext &C) const;
64 void reportLeakedVALists(const RegionVector &LeakedVALists, StringRef Msg1,
65 StringRef Msg2, CheckerContext &C, ExplodedNode *N,
66 bool ReportUninit = false) const;
67
68 void checkVAListStartCall(const CallEvent &Call, CheckerContext &C,
69 bool IsCopy) const;
70 void checkVAListEndCall(const CallEvent &Call, CheckerContext &C) const;
71
72 class ValistBugVisitor : public BugReporterVisitor {
73 public:
74 ValistBugVisitor(const MemRegion *Reg, bool IsLeak = false)
75 : Reg(Reg), IsLeak(IsLeak) {}
76 void Profile(llvm::FoldingSetNodeID &ID) const override {
77 static int X = 0;
78 ID.AddPointer(Ptr: &X);
79 ID.AddPointer(Ptr: Reg);
80 }
81 PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
82 const ExplodedNode *EndPathNode,
83 PathSensitiveBugReport &BR) override {
84 if (!IsLeak)
85 return nullptr;
86
87 PathDiagnosticLocation L = BR.getLocation();
88 // Do not add the statement itself as a range in case of leak.
89 return std::make_shared<PathDiagnosticEventPiece>(args&: L, args: BR.getDescription(),
90 args: false);
91 }
92 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
93 BugReporterContext &BRC,
94 PathSensitiveBugReport &BR) override;
95
96 private:
97 const MemRegion *Reg;
98 bool IsLeak;
99 };
100};
101
102const SmallVector<ValistChecker::VAListAccepter, 15>
103 ValistChecker::VAListAccepters = {{.Func: {CDM::CLibrary, {"vfprintf"}, 3}, .VAListPos: 2},
104 {.Func: {CDM::CLibrary, {"vfscanf"}, 3}, .VAListPos: 2},
105 {.Func: {CDM::CLibrary, {"vprintf"}, 2}, .VAListPos: 1},
106 {.Func: {CDM::CLibrary, {"vscanf"}, 2}, .VAListPos: 1},
107 {.Func: {CDM::CLibrary, {"vsnprintf"}, 4}, .VAListPos: 3},
108 {.Func: {CDM::CLibrary, {"vsprintf"}, 3}, .VAListPos: 2},
109 {.Func: {CDM::CLibrary, {"vsscanf"}, 3}, .VAListPos: 2},
110 {.Func: {CDM::CLibrary, {"vfwprintf"}, 3}, .VAListPos: 2},
111 {.Func: {CDM::CLibrary, {"vfwscanf"}, 3}, .VAListPos: 2},
112 {.Func: {CDM::CLibrary, {"vwprintf"}, 2}, .VAListPos: 1},
113 {.Func: {CDM::CLibrary, {"vwscanf"}, 2}, .VAListPos: 1},
114 {.Func: {CDM::CLibrary, {"vswprintf"}, 4}, .VAListPos: 3},
115 // vswprintf is the wide version of
116 // vsnprintf, vsprintf has no wide version
117 {.Func: {CDM::CLibrary, {"vswscanf"}, 3}, .VAListPos: 2}};
118
119const CallDescription ValistChecker::VaStart(CDM::CLibrary,
120 {"__builtin_va_start"}, /*Args=*/2,
121 /*Params=*/1),
122 ValistChecker::VaCopy(CDM::CLibrary, {"__builtin_va_copy"}, 2),
123 ValistChecker::VaEnd(CDM::CLibrary, {"__builtin_va_end"}, 1);
124} // end anonymous namespace
125
126void ValistChecker::checkPreCall(const CallEvent &Call,
127 CheckerContext &C) const {
128 if (VaStart.matches(Call))
129 checkVAListStartCall(Call, C, IsCopy: false);
130 else if (VaCopy.matches(Call))
131 checkVAListStartCall(Call, C, IsCopy: true);
132 else if (VaEnd.matches(Call))
133 checkVAListEndCall(Call, C);
134 else {
135 for (auto FuncInfo : VAListAccepters) {
136 if (!FuncInfo.Func.matches(Call))
137 continue;
138 bool Symbolic;
139 const MemRegion *VAList =
140 getVAListAsRegion(SV: Call.getArgSVal(Index: FuncInfo.VAListPos),
141 VAExpr: Call.getArgExpr(Index: FuncInfo.VAListPos), IsSymbolic&: Symbolic, C);
142 if (!VAList)
143 return;
144
145 if (C.getState()->contains<InitializedVALists>(key: VAList))
146 return;
147
148 // We did not see va_start call, but the source of the region is unknown.
149 // Be conservative and assume the best.
150 if (Symbolic)
151 return;
152
153 SmallString<80> Errmsg("Function '");
154 Errmsg += FuncInfo.Func.getFunctionName();
155 Errmsg += "' is called with an uninitialized va_list argument";
156 reportUninitializedAccess(VAList, Msg: Errmsg.c_str(), C);
157 break;
158 }
159 }
160}
161
162const MemRegion *ValistChecker::getVAListAsRegion(SVal SV, const Expr *E,
163 bool &IsSymbolic,
164 CheckerContext &C) const {
165 const MemRegion *Reg = SV.getAsRegion();
166 if (!Reg)
167 return nullptr;
168 // TODO: In the future this should be abstracted away by the analyzer.
169 bool VaListModelledAsArray = false;
170 if (const auto *Cast = dyn_cast<CastExpr>(Val: E)) {
171 QualType Ty = Cast->getType();
172 VaListModelledAsArray =
173 Ty->isPointerType() && Ty->getPointeeType()->isRecordType();
174 }
175 if (const auto *DeclReg = Reg->getAs<DeclRegion>()) {
176 if (isa<ParmVarDecl>(Val: DeclReg->getDecl()))
177 Reg = C.getState()->getSVal(LV: SV.castAs<Loc>()).getAsRegion();
178 }
179 IsSymbolic = Reg && Reg->getBaseRegion()->getAs<SymbolicRegion>();
180 // Some VarRegion based VA lists reach here as ElementRegions.
181 const auto *EReg = dyn_cast_or_null<ElementRegion>(Val: Reg);
182 return (EReg && VaListModelledAsArray) ? EReg->getSuperRegion() : Reg;
183}
184
185void ValistChecker::checkPreStmt(const VAArgExpr *VAA,
186 CheckerContext &C) const {
187 ProgramStateRef State = C.getState();
188 const Expr *VASubExpr = VAA->getSubExpr();
189 SVal VAListSVal = C.getSVal(VASubExpr);
190 bool Symbolic;
191 const MemRegion *VAList =
192 getVAListAsRegion(SV: VAListSVal, E: VASubExpr, IsSymbolic&: Symbolic, C);
193 if (!VAList)
194 return;
195 if (Symbolic)
196 return;
197 if (!State->contains<InitializedVALists>(key: VAList))
198 reportUninitializedAccess(
199 VAList, Msg: "va_arg() is called on an uninitialized va_list", C);
200}
201
202void ValistChecker::checkDeadSymbols(SymbolReaper &SR,
203 CheckerContext &C) const {
204 ProgramStateRef State = C.getState();
205 InitializedVAListsTy TrackedVALists = State->get<InitializedVALists>();
206 RegionVector LeakedVALists;
207 for (auto Reg : TrackedVALists) {
208 if (SR.isLiveRegion(region: Reg))
209 continue;
210 LeakedVALists.push_back(Elt: Reg);
211 State = State->remove<InitializedVALists>(K: Reg);
212 }
213 if (ExplodedNode *N = C.addTransition(State))
214 reportLeakedVALists(LeakedVALists, Msg1: "Initialized va_list", Msg2: " is leaked", C,
215 N);
216}
217
218// This function traverses the exploded graph backwards and finds the node where
219// the va_list is initialized. That node is used for uniquing the bug paths.
220// It is not likely that there are several different va_lists that belongs to
221// different stack frames, so that case is not yet handled.
222const ExplodedNode *
223ValistChecker::getStartCallSite(const ExplodedNode *N,
224 const MemRegion *Reg) const {
225 const LocationContext *LeakContext = N->getLocationContext();
226 const ExplodedNode *StartCallNode = N;
227
228 bool FoundInitializedState = false;
229
230 while (N) {
231 ProgramStateRef State = N->getState();
232 if (!State->contains<InitializedVALists>(key: Reg)) {
233 if (FoundInitializedState)
234 break;
235 } else {
236 FoundInitializedState = true;
237 }
238 const LocationContext *NContext = N->getLocationContext();
239 if (NContext == LeakContext || NContext->isParentOf(LC: LeakContext))
240 StartCallNode = N;
241 N = N->pred_empty() ? nullptr : *(N->pred_begin());
242 }
243
244 return StartCallNode;
245}
246
247void ValistChecker::reportUninitializedAccess(const MemRegion *VAList,
248 StringRef Msg,
249 CheckerContext &C) const {
250 if (!ChecksEnabled[CK_Uninitialized])
251 return;
252 if (ExplodedNode *N = C.generateErrorNode()) {
253 if (!BT_uninitaccess)
254 BT_uninitaccess.reset(p: new BugType(CheckNames[CK_Uninitialized],
255 "Uninitialized va_list",
256 categories::MemoryError));
257 auto R = std::make_unique<PathSensitiveBugReport>(args&: *BT_uninitaccess, args&: Msg, args&: N);
258 R->markInteresting(R: VAList);
259 R->addVisitor(visitor: std::make_unique<ValistBugVisitor>(args&: VAList));
260 C.emitReport(R: std::move(R));
261 }
262}
263
264void ValistChecker::reportLeakedVALists(const RegionVector &LeakedVALists,
265 StringRef Msg1, StringRef Msg2,
266 CheckerContext &C, ExplodedNode *N,
267 bool ReportUninit) const {
268 if (!(ChecksEnabled[CK_Unterminated] ||
269 (ChecksEnabled[CK_Uninitialized] && ReportUninit)))
270 return;
271 for (auto Reg : LeakedVALists) {
272 if (!BT_leakedvalist) {
273 // FIXME: maybe creating a new check name for this type of bug is a better
274 // solution.
275 BT_leakedvalist.reset(
276 p: new BugType(CheckNames[CK_Unterminated].getName().empty()
277 ? CheckNames[CK_Uninitialized]
278 : CheckNames[CK_Unterminated],
279 "Leaked va_list", categories::MemoryError,
280 /*SuppressOnSink=*/true));
281 }
282
283 const ExplodedNode *StartNode = getStartCallSite(N, Reg);
284 PathDiagnosticLocation LocUsedForUniqueing;
285
286 if (const Stmt *StartCallStmt = StartNode->getStmtForDiagnostics())
287 LocUsedForUniqueing = PathDiagnosticLocation::createBegin(
288 S: StartCallStmt, SM: C.getSourceManager(), LAC: StartNode->getLocationContext());
289
290 SmallString<100> Buf;
291 llvm::raw_svector_ostream OS(Buf);
292 OS << Msg1;
293 std::string VariableName = Reg->getDescriptiveName();
294 if (!VariableName.empty())
295 OS << " " << VariableName;
296 OS << Msg2;
297
298 auto R = std::make_unique<PathSensitiveBugReport>(
299 args&: *BT_leakedvalist, args: OS.str(), args&: N, args&: LocUsedForUniqueing,
300 args: StartNode->getLocationContext()->getDecl());
301 R->markInteresting(R: Reg);
302 R->addVisitor(visitor: std::make_unique<ValistBugVisitor>(args&: Reg, args: true));
303 C.emitReport(R: std::move(R));
304 }
305}
306
307void ValistChecker::checkVAListStartCall(const CallEvent &Call,
308 CheckerContext &C, bool IsCopy) const {
309 bool Symbolic;
310 const MemRegion *VAList =
311 getVAListAsRegion(SV: Call.getArgSVal(Index: 0), E: Call.getArgExpr(Index: 0), IsSymbolic&: Symbolic, C);
312 if (!VAList)
313 return;
314
315 ProgramStateRef State = C.getState();
316
317 if (IsCopy) {
318 const MemRegion *Arg2 =
319 getVAListAsRegion(SV: Call.getArgSVal(Index: 1), E: Call.getArgExpr(Index: 1), IsSymbolic&: Symbolic, C);
320 if (Arg2) {
321 if (ChecksEnabled[CK_CopyToSelf] && VAList == Arg2) {
322 RegionVector LeakedVALists{VAList};
323 if (ExplodedNode *N = C.addTransition(State))
324 reportLeakedVALists(LeakedVALists, Msg1: "va_list",
325 Msg2: " is copied onto itself", C, N, ReportUninit: true);
326 return;
327 } else if (!State->contains<InitializedVALists>(key: Arg2) && !Symbolic) {
328 if (State->contains<InitializedVALists>(key: VAList)) {
329 State = State->remove<InitializedVALists>(K: VAList);
330 RegionVector LeakedVALists{VAList};
331 if (ExplodedNode *N = C.addTransition(State))
332 reportLeakedVALists(LeakedVALists, Msg1: "Initialized va_list",
333 Msg2: " is overwritten by an uninitialized one", C, N,
334 ReportUninit: true);
335 } else {
336 reportUninitializedAccess(VAList: Arg2, Msg: "Uninitialized va_list is copied", C);
337 }
338 return;
339 }
340 }
341 }
342 if (State->contains<InitializedVALists>(key: VAList)) {
343 RegionVector LeakedVALists{VAList};
344 if (ExplodedNode *N = C.addTransition(State))
345 reportLeakedVALists(LeakedVALists, Msg1: "Initialized va_list",
346 Msg2: " is initialized again", C, N);
347 return;
348 }
349
350 State = State->add<InitializedVALists>(K: VAList);
351 C.addTransition(State);
352}
353
354void ValistChecker::checkVAListEndCall(const CallEvent &Call,
355 CheckerContext &C) const {
356 bool Symbolic;
357 const MemRegion *VAList =
358 getVAListAsRegion(SV: Call.getArgSVal(Index: 0), E: Call.getArgExpr(Index: 0), IsSymbolic&: Symbolic, C);
359 if (!VAList)
360 return;
361
362 // We did not see va_start call, but the source of the region is unknown.
363 // Be conservative and assume the best.
364 if (Symbolic)
365 return;
366
367 if (!C.getState()->contains<InitializedVALists>(key: VAList)) {
368 reportUninitializedAccess(
369 VAList, Msg: "va_end() is called on an uninitialized va_list", C);
370 return;
371 }
372 ProgramStateRef State = C.getState();
373 State = State->remove<InitializedVALists>(K: VAList);
374 C.addTransition(State);
375}
376
377PathDiagnosticPieceRef ValistChecker::ValistBugVisitor::VisitNode(
378 const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) {
379 ProgramStateRef State = N->getState();
380 ProgramStateRef StatePrev = N->getFirstPred()->getState();
381
382 const Stmt *S = N->getStmtForDiagnostics();
383 if (!S)
384 return nullptr;
385
386 StringRef Msg;
387 if (State->contains<InitializedVALists>(key: Reg) &&
388 !StatePrev->contains<InitializedVALists>(key: Reg))
389 Msg = "Initialized va_list";
390 else if (!State->contains<InitializedVALists>(key: Reg) &&
391 StatePrev->contains<InitializedVALists>(key: Reg))
392 Msg = "Ended va_list";
393
394 if (Msg.empty())
395 return nullptr;
396
397 PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
398 N->getLocationContext());
399 return std::make_shared<PathDiagnosticEventPiece>(args&: Pos, args&: Msg, args: true);
400}
401
402void ento::registerValistBase(CheckerManager &mgr) {
403 mgr.registerChecker<ValistChecker>();
404}
405
406bool ento::shouldRegisterValistBase(const CheckerManager &mgr) {
407 return true;
408}
409
410#define REGISTER_CHECKER(name) \
411 void ento::register##name##Checker(CheckerManager &mgr) { \
412 ValistChecker *checker = mgr.getChecker<ValistChecker>(); \
413 checker->ChecksEnabled[ValistChecker::CK_##name] = true; \
414 checker->CheckNames[ValistChecker::CK_##name] = \
415 mgr.getCurrentCheckerName(); \
416 } \
417 \
418 bool ento::shouldRegister##name##Checker(const CheckerManager &mgr) { \
419 return true; \
420 }
421
422REGISTER_CHECKER(Uninitialized)
423REGISTER_CHECKER(Unterminated)
424REGISTER_CHECKER(CopyToSelf)
425

source code of clang/lib/StaticAnalyzer/Checkers/ValistChecker.cpp