/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp

Source (jump to first uncovered line)
//=== VLASizeChecker.cpp - Undefined dereference checker --------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This defines VLASizeChecker, a builtin check in ExprEngine that
// performs checks for declaration of VLA of undefined or zero size.
// In addition, VLASizeChecker is responsible for defining the extent
// of the MemRegion that represents a VLA.
//
//===----------------------------------------------------------------------===//

#include "clang/AST/CharUnits.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/Taint.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h"
#include <optional>

using namespace clang;
using namespace ento;
using namespace taint;

namespace {
class VLASizeChecker
    : public Checker<check::PreStmt<DeclStmt>,
                     check::PreStmt<UnaryExprOrTypeTraitExpr>> {
  mutable std::unique_ptr<BugType> BT;
  mutable std::unique_ptr<BugType> TaintBT;
  enum VLASize_Kind { VLA_Garbage, VLA_Zero, VLA_Negative, VLA_Overflow };

  /// Check a VLA for validity.
  /// Every dimension of the array and the total size is checked for validity.
  /// Returns null or a new state where the size is validated.
  /// 'ArraySize' will contain SVal that refers to the total size (in char)
  /// of the array.
  ProgramStateRef checkVLA(CheckerContext &C, ProgramStateRef State,
                           const VariableArrayType *VLA, SVal &ArraySize) const;
  /// Check a single VLA index size expression for validity.
  ProgramStateRef checkVLAIndexSize(CheckerContext &C, ProgramStateRef State,
                                    const Expr *SizeE) const;

  void reportBug(VLASize_Kind Kind, const Expr *SizeE, ProgramStateRef State,
                 CheckerContext &C) const;

  void reportTaintBug(const Expr *SizeE, ProgramStateRef State,
                      CheckerContext &C, SVal TaintedSVal) const;

public:
  void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
  void checkPreStmt(const UnaryExprOrTypeTraitExpr *UETTE,
                    CheckerContext &C) const;
};
} // end anonymous namespace

ProgramStateRef VLASizeChecker::checkVLA(CheckerContext &C,
                                         ProgramStateRef State,
                                         const VariableArrayType *VLA,
                                         SVal &ArraySize) const {
  assert(VLA && "Function should be called with non-null VLA argument.");

  const VariableArrayType *VLALast = nullptr;
  llvm::SmallVector<const Expr *, 2> VLASizes;

  // Walk over the VLAs for every dimension until a non-VLA is found.
  // There is a VariableArrayType for every dimension (fixed or variable) until
  // the most inner array that is variably modified.
  // Dimension sizes are collected into 'VLASizes'. 'VLALast' is set to the
  // innermost VLA that was encountered.
  // In "int vla[x][2][y][3]" this will be the array for index "y" (with type
  // int[3]). 'VLASizes' contains 'x', '2', and 'y'.
  while (VLA) {
    const Expr *SizeE = VLA->getSizeExpr();
    State = checkVLAIndexSize(C, State, SizeE);
    if (!State)
      return nullptr;
    VLASizes.push_back(SizeE);
    VLALast = VLA;
    VLA = C.getASTContext().getAsVariableArrayType(VLA->getElementType());
  };
  assert(VLALast &&
         "Array should have at least one variably-modified dimension.");

  ASTContext &Ctx = C.getASTContext();
  SValBuilder &SVB = C.getSValBuilder();
  CanQualType SizeTy = Ctx.getSizeType();
  uint64_t SizeMax =
      SVB.getBasicValueFactory().getMaxValue(SizeTy).getZExtValue();

  // Get the element size.
  CharUnits EleSize = Ctx.getTypeSizeInChars(VLALast->getElementType());
  NonLoc ArrSize =
      SVB.makeIntVal(EleSize.getQuantity(), SizeTy).castAs<NonLoc>();

  // Try to calculate the known real size of the array in KnownSize.
  uint64_t KnownSize = 0;
  if (const llvm::APSInt *KV = SVB.getKnownValue(State, ArrSize))
    KnownSize = KV->getZExtValue();

  for (const Expr *SizeE : VLASizes) {
    auto SizeD = C.getSVal(SizeE).castAs<DefinedSVal>();
    // Convert the array length to size_t.
    NonLoc IndexLength =
        SVB.evalCast(SizeD, SizeTy, SizeE->getType()).castAs<NonLoc>();
    // Multiply the array length by the element size.
    SVal Mul = SVB.evalBinOpNN(State, BO_Mul, ArrSize, IndexLength, SizeTy);
    if (auto MulNonLoc = Mul.getAs<NonLoc>())
      ArrSize = *MulNonLoc;
    else
      // Extent could not be determined.
      return State;

    if (const llvm::APSInt *IndexLVal = SVB.getKnownValue(State, IndexLength)) {
      // Check if the array size will overflow.
      // Size overflow check does not work with symbolic expressions because a
      // overflow situation can not be detected easily.
      uint64_t IndexL = IndexLVal->getZExtValue();
      // FIXME: See https://reviews.llvm.org/D80903 for discussion of
      // some difference in assume and getKnownValue that leads to
      // unexpected behavior. Just bail on IndexL == 0 at this point.
      if (IndexL == 0)
        return nullptr;

      if (KnownSize <= SizeMax / IndexL) {
        KnownSize *= IndexL;
      } else {
        // Array size does not fit into size_t.
        reportBug(VLA_Overflow, SizeE, State, C);
        return nullptr;
      }
    } else {
      KnownSize = 0;
    }
  }

  ArraySize = ArrSize;

  return State;
}

ProgramStateRef VLASizeChecker::checkVLAIndexSize(CheckerContext &C,
                                                  ProgramStateRef State,
                                                  const Expr *SizeE) const {
  SVal SizeV = C.getSVal(SizeE);

  if (SizeV.isUndef()) {
    reportBug(VLA_Garbage, SizeE, State, C);
    return nullptr;
  }

  // See if the size value is known. It can't be undefined because we would have
  // warned about that already.
  if (SizeV.isUnknown())
    return nullptr;

  // Check if the size is tainted.
  if (isTainted(State, SizeV)) {
    reportTaintBug(SizeE, State, C, SizeV);
    return nullptr;
  }

  // Check if the size is zero.
  DefinedSVal SizeD = SizeV.castAs<DefinedSVal>();

  ProgramStateRef StateNotZero, StateZero;
  std::tie(StateNotZero, StateZero) = State->assume(SizeD);

  if (StateZero && !StateNotZero15) {
    reportBug(VLA_Zero, SizeE, StateZero, C);
    return nullptr;
  }

  // From this point on, assume that the size is not zero.
  State = StateNotZero;

  // Check if the size is negative.
  SValBuilder &SVB = C.getSValBuilder();

  QualType SizeTy = SizeE->getType();
  DefinedOrUnknownSVal Zero = SVB.makeZeroVal(SizeTy);

  SVal LessThanZeroVal = SVB.evalBinOp(State, BO_LT, SizeD, Zero, SizeTy);
  if (std::optional<DefinedSVal> LessThanZeroDVal =
          LessThanZeroVal.getAs<DefinedSVal>()) {
    ConstraintManager &CM = C.getConstraintManager();
    ProgramStateRef StatePos, StateNeg;

    std::tie(StateNeg, StatePos) = CM.assumeDual(State, *LessThanZeroDVal);
    if (StateNeg && !StatePos19) {
      reportBug(VLA_Negative, SizeE, State, C);
      return nullptr;
    }
    State = StatePos;
  }

  return State;
}

void VLASizeChecker::reportTaintBug(const Expr *SizeE, ProgramStateRef State,
                                    CheckerContext &C, SVal TaintedSVal) const {
  // Generate an error node.
  ExplodedNode *N = C.generateErrorNode(State);
  if (!N)
    return;

  if (!TaintBT)
    TaintBT.reset(
        new BugType(this, "Dangerous variable-length array (VLA) declaration",
                    categories::TaintedData));

  SmallString<256> buf;
  llvm::raw_svector_ostream os(buf);
  os << "Declared variable-length array (VLA) ";
  os << "has tainted size";

  auto report = std::make_unique<PathSensitiveBugReport>(*TaintBT, os.str(), N);
  report->addRange(SizeE->getSourceRange());
  bugreporter::trackExpressionValue(N, SizeE, *report);
  // The vla size may be a complex expression where multiple memory locations
  // are tainted.
  for (auto Sym : getTaintedSymbols(State, TaintedSVal))
    report->markInteresting(Sym);
  C.emitReport(std::move(report));
}

void VLASizeChecker::reportBug(VLASize_Kind Kind, const Expr *SizeE,
                               ProgramStateRef State, CheckerContext &C) const {
  // Generate an error node.
  ExplodedNode *N = C.generateErrorNode(State);
  if (!N)
    return;

  if (!BT)
    BT.reset(new BugType(this,
                         "Dangerous variable-length array (VLA) declaration",
                         categories::LogicError));

  SmallString<256> buf;
  llvm::raw_svector_ostream os(buf);
  os << "Declared variable-length array (VLA) ";
  switch (Kind) {
  case VLA_Garbage:
    os << "uses a garbage value as its size";
    break;
  case VLA_Zero:
    os << "has zero size";
    break;
  case VLA_Negative:
    os << "has negative size";
    break;
  case VLA_Overflow:
    os << "has too large size";
    break;
  }

  auto report = std::make_unique<PathSensitiveBugReport>(*BT, os.str(), N);
  report->addRange(SizeE->getSourceRange());
  bugreporter::trackExpressionValue(N, SizeE, *report);
  C.emitReport(std::move(report));
}

void VLASizeChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
  if (!DS->isSingleDecl())
    return;

  ASTContext &Ctx = C.getASTContext();
  SValBuilder &SVB = C.getSValBuilder();
  ProgramStateRef State = C.getState();
  QualType TypeToCheck;

  const VarDecl *VD = dyn_cast<VarDecl>(DS->getSingleDecl());

  if (VD)
    TypeToCheck = VD->getType().getCanonicalType();
  else if (const auto *TND = dyn_cast<TypedefNameDecl>(DS->getSingleDecl()))
    TypeToCheck = TND->getUnderlyingType().getCanonicalType();
  else
    return;

  const VariableArrayType *VLA = Ctx.getAsVariableArrayType(TypeToCheck);
  if (!VLA)
    return;

  // Check the VLA sizes for validity.

  SVal ArraySize;

  State = checkVLA(C, State, VLA, ArraySize);
  if (!State)
    return;

  if (!isa<NonLoc>(ArraySize)) {
    // Array size could not be determined but state may contain new assumptions.
    C.addTransition(State);
    return;
  }

  // VLASizeChecker is responsible for defining the extent of the array.
  if (VD) {
    State =
        setDynamicExtent(State, State->getRegion(VD, C.getLocationContext()),
                         ArraySize.castAs<NonLoc>(), SVB);
  }

  // Remember our assumptions!
  C.addTransition(State);
}

void VLASizeChecker::checkPreStmt(const UnaryExprOrTypeTraitExpr *UETTE,
                                  CheckerContext &C) const {
  // Want to check for sizeof.
  if (UETTE->getKind() != UETT_SizeOf)
    return;

  // Ensure a type argument.
  if (!UETTE->isArgumentType())
    return;

  const VariableArrayType *VLA = C.getASTContext().getAsVariableArrayType(
      UETTE->getTypeOfArgument().getCanonicalType());
  // Ensure that the type is a VLA.
  if (!VLA)
    return;

  ProgramStateRef State = C.getState();
  SVal ArraySize;
  State = checkVLA(C, State, VLA, ArraySize);
  if (!State)
    return;

  C.addTransition(State);
}

void ento::registerVLASizeChecker(CheckerManager &mgr) {
  mgr.registerChecker<VLASizeChecker>();
}

bool ento::shouldRegisterVLASizeChecker(const CheckerManager &mgr) {
  return true;
}

Coverage Report

Created: 2023-09-12 09:32

Line	Count	Source (jump to first uncovered line)
1		//=== VLASizeChecker.cpp - Undefined dereference checker --------- C++ --===//
2		//
3		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4		// See https://llvm.org/LICENSE.txt for license information.
5		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6		//
7		//===----------------------------------------------------------------------===//
8		//
9		// This defines VLASizeChecker, a builtin check in ExprEngine that
10		// performs checks for declaration of VLA of undefined or zero size.
11		// In addition, VLASizeChecker is responsible for defining the extent
12		// of the MemRegion that represents a VLA.
13		//
14		//===----------------------------------------------------------------------===//
15
16		#include "clang/AST/CharUnits.h"
17		#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
18		#include "clang/StaticAnalyzer/Checkers/Taint.h"
19		#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
20		#include "clang/StaticAnalyzer/Core/Checker.h"
21		#include "clang/StaticAnalyzer/Core/CheckerManager.h"
22		#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23		#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
24		#include "llvm/ADT/STLExtras.h"
25		#include "llvm/ADT/SmallString.h"
26		#include "llvm/Support/raw_ostream.h"
27		#include <optional>
28
29		using namespace clang;
30		using namespace ento;
31		using namespace taint;
32
33		namespace {
34		class VLASizeChecker
35		: public Checker<check::PreStmt<DeclStmt>,
36		check::PreStmt<UnaryExprOrTypeTraitExpr>> {
37		mutable std::unique_ptr<BugType> BT;
38		mutable std::unique_ptr<BugType> TaintBT;
39		enum VLASize_Kind { VLA_Garbage, VLA_Zero, VLA_Negative, VLA_Overflow };
40
41		/// Check a VLA for validity.
42		/// Every dimension of the array and the total size is checked for validity.
43		/// Returns null or a new state where the size is validated.
44		/// 'ArraySize' will contain SVal that refers to the total size (in char)
45		/// of the array.
46		ProgramStateRef checkVLA(CheckerContext &C, ProgramStateRef State,
47		const VariableArrayType *VLA, SVal &ArraySize) const;
48		/// Check a single VLA index size expression for validity.
49		ProgramStateRef checkVLAIndexSize(CheckerContext &C, ProgramStateRef State,
50		const Expr *SizeE) const;
51
52		void reportBug(VLASize_Kind Kind, const Expr *SizeE, ProgramStateRef State,
53		CheckerContext &C) const;
54
55		void reportTaintBug(const Expr *SizeE, ProgramStateRef State,
56		CheckerContext &C, SVal TaintedSVal) const;
57
58		public:
59		void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
60		void checkPreStmt(const UnaryExprOrTypeTraitExpr *UETTE,
61		CheckerContext &C) const;
62		};
63		} // end anonymous namespace
64
65		ProgramStateRef VLASizeChecker::checkVLA(CheckerContext &C,
66		ProgramStateRef State,
67		const VariableArrayType *VLA,
68	61	SVal &ArraySize) const {
69	61	assert(VLA && "Function should be called with non-null VLA argument.");
70
71	61	const VariableArrayType *VLALast = nullptr;
72	61	llvm::SmallVector<const Expr *, 2> VLASizes;
73
74		// Walk over the VLAs for every dimension until a non-VLA is found.
75		// There is a VariableArrayType for every dimension (fixed or variable) until
76		// the most inner array that is variably modified.
77		// Dimension sizes are collected into 'VLASizes'. 'VLALast' is set to the
78		// innermost VLA that was encountered.
79		// In "int vla[x][2][y][3]" this will be the array for index "y" (with type
80		// int[3]). 'VLASizes' contains 'x', '2', and 'y'.
81	122	while (VLA) {
82	78	const Expr *SizeE = VLA->getSizeExpr();
83	78	State = checkVLAIndexSize(C, State, SizeE);
84	78	if (!State)
85	17	return nullptr;
86	61	VLASizes.push_back(SizeE);
87	61	VLALast = VLA;
88	61	VLA = C.getASTContext().getAsVariableArrayType(VLA->getElementType());
89	61	};
90	44	assert(VLALast &&
91	44	"Array should have at least one variably-modified dimension.");
92
93	44	ASTContext &Ctx = C.getASTContext();
94	44	SValBuilder &SVB = C.getSValBuilder();
95	44	CanQualType SizeTy = Ctx.getSizeType();
96	44	uint64_t SizeMax =
97	44	SVB.getBasicValueFactory().getMaxValue(SizeTy).getZExtValue();
98
99		// Get the element size.
100	44	CharUnits EleSize = Ctx.getTypeSizeInChars(VLALast->getElementType());
101	44	NonLoc ArrSize =
102	44	SVB.makeIntVal(EleSize.getQuantity(), SizeTy).castAs<NonLoc>();
103
104		// Try to calculate the known real size of the array in KnownSize.
105	44	uint64_t KnownSize = 0;
106	44	if (const llvm::APSInt *KV = SVB.getKnownValue(State, ArrSize))
107	44	KnownSize = KV->getZExtValue();
108
109	59	for (const Expr *SizeE : VLASizes) {
110	59	auto SizeD = C.getSVal(SizeE).castAs<DefinedSVal>();
111		// Convert the array length to size_t.
112	59	NonLoc IndexLength =
113	59	SVB.evalCast(SizeD, SizeTy, SizeE->getType()).castAs<NonLoc>();
114		// Multiply the array length by the element size.
115	59	SVal Mul = SVB.evalBinOpNN(State, BO_Mul, ArrSize, IndexLength, SizeTy);
116	59	if (auto MulNonLoc = Mul.getAs<NonLoc>())
117	59	ArrSize = *MulNonLoc;
118	0	else
119		// Extent could not be determined.
120	0	return State;
121
122	59	if (const llvm::APSInt *IndexLVal = SVB.getKnownValue(State, IndexLength)) {
123		// Check if the array size will overflow.
124		// Size overflow check does not work with symbolic expressions because a
125		// overflow situation can not be detected easily.
126	42	uint64_t IndexL = IndexLVal->getZExtValue();
127		// FIXME: See https://reviews.llvm.org/D80903 for discussion of
128		// some difference in assume and getKnownValue that leads to
129		// unexpected behavior. Just bail on IndexL == 0 at this point.
130	42	if (IndexL == 0)
131	0	return nullptr;
132
133	42	if (KnownSize <= SizeMax / IndexL) {
134	40	KnownSize *= IndexL;
135	40	} else {
136		// Array size does not fit into size_t.
137	2	reportBug(VLA_Overflow, SizeE, State, C);
138	2	return nullptr;
139	2	}
140	42	} else {
141	17	KnownSize = 0;
142	17	}
143	59	}
144
145	42	ArraySize = ArrSize;
146
147	42	return State;
148	44	}
149
150		ProgramStateRef VLASizeChecker::checkVLAIndexSize(CheckerContext &C,
151		ProgramStateRef State,
152	78	const Expr *SizeE) const {
153	78	SVal SizeV = C.getSVal(SizeE);
154
155	78	if (SizeV.isUndef()) {
156	1	reportBug(VLA_Garbage, SizeE, State, C);
157	1	return nullptr;
158	1	}
159
160		// See if the size value is known. It can't be undefined because we would have
161		// warned about that already.
162	77	if (SizeV.isUnknown())
163	3	return nullptr;
164
165		// Check if the size is tainted.
166	74	if (isTainted(State, SizeV)) {
167	3	reportTaintBug(SizeE, State, C, SizeV);
168	3	return nullptr;
169	3	}
170
171		// Check if the size is zero.
172	71	DefinedSVal SizeD = SizeV.castAs<DefinedSVal>();
173
174	71	ProgramStateRef StateNotZero, StateZero;
175	71	std::tie(StateNotZero, StateZero) = State->assume(SizeD);
176
177	71	if (StateZero && !StateNotZero15 ) {
178	3	reportBug(VLA_Zero, SizeE, StateZero, C);
179	3	return nullptr;
180	3	}
181
182		// From this point on, assume that the size is not zero.
183	68	State = StateNotZero;
184
185		// Check if the size is negative.
186	68	SValBuilder &SVB = C.getSValBuilder();
187
188	68	QualType SizeTy = SizeE->getType();
189	68	DefinedOrUnknownSVal Zero = SVB.makeZeroVal(SizeTy);
190
191	68	SVal LessThanZeroVal = SVB.evalBinOp(State, BO_LT, SizeD, Zero, SizeTy);
192	68	if (std::optional<DefinedSVal> LessThanZeroDVal =
193	68	LessThanZeroVal.getAs<DefinedSVal>()) {
194	68	ConstraintManager &CM = C.getConstraintManager();
195	68	ProgramStateRef StatePos, StateNeg;
196
197	68	std::tie(StateNeg, StatePos) = CM.assumeDual(State, *LessThanZeroDVal);
198	68	if (StateNeg && !StatePos19 ) {
199	7	reportBug(VLA_Negative, SizeE, State, C);
200	7	return nullptr;
201	7	}
202	61	State = StatePos;
203	61	}
204
205	61	return State;
206	68	}
207
208		void VLASizeChecker::reportTaintBug(const Expr *SizeE, ProgramStateRef State,
209	3	CheckerContext &C, SVal TaintedSVal) const {
210		// Generate an error node.
211	3	ExplodedNode *N = C.generateErrorNode(State);
212	3	if (!N)
213	0	return;
214
215	3	if (!TaintBT)
216	3	TaintBT.reset(
217	3	new BugType(this, "Dangerous variable-length array (VLA) declaration",
218	3	categories::TaintedData));
219
220	3	SmallString<256> buf;
221	3	llvm::raw_svector_ostream os(buf);
222	3	os << "Declared variable-length array (VLA) ";
223	3	os << "has tainted size";
224
225	3	auto report = std::make_unique<PathSensitiveBugReport>(*TaintBT, os.str(), N);
226	3	report->addRange(SizeE->getSourceRange());
227	3	bugreporter::trackExpressionValue(N, SizeE, *report);
228		// The vla size may be a complex expression where multiple memory locations
229		// are tainted.
230	3	for (auto Sym : getTaintedSymbols(State, TaintedSVal))
231	3	report->markInteresting(Sym);
232	3	C.emitReport(std::move(report));
233	3	}
234
235		void VLASizeChecker::reportBug(VLASize_Kind Kind, const Expr *SizeE,
236	13	ProgramStateRef State, CheckerContext &C) const {
237		// Generate an error node.
238	13	ExplodedNode *N = C.generateErrorNode(State);
239	13	if (!N)
240	0	return;
241
242	13	if (!BT)
243	2	BT.reset(new BugType(this,
244	2	"Dangerous variable-length array (VLA) declaration",
245	2	categories::LogicError));
246
247	13	SmallString<256> buf;
248	13	llvm::raw_svector_ostream os(buf);
249	13	os << "Declared variable-length array (VLA) ";
250	13	switch (Kind) {
251	1	case VLA_Garbage:
252	1	os << "uses a garbage value as its size";
253	1	break;
254	3	case VLA_Zero:
255	3	os << "has zero size";
256	3	break;
257	7	case VLA_Negative:
258	7	os << "has negative size";
259	7	break;
260	2	case VLA_Overflow:
261	2	os << "has too large size";
262	2	break;
263	13	}
264
265	13	auto report = std::make_unique<PathSensitiveBugReport>(*BT, os.str(), N);
266	13	report->addRange(SizeE->getSourceRange());
267	13	bugreporter::trackExpressionValue(N, SizeE, *report);
268	13	C.emitReport(std::move(report));
269	13	}
270
271	41.2k	void VLASizeChecker::checkPreStmt(const DeclStmt *DS, CheckerContext &C) const {
272	41.2k	if (!DS->isSingleDecl())
273	0	return;
274
275	41.2k	ASTContext &Ctx = C.getASTContext();
276	41.2k	SValBuilder &SVB = C.getSValBuilder();
277	41.2k	ProgramStateRef State = C.getState();
278	41.2k	QualType TypeToCheck;
279
280	41.2k	const VarDecl *VD = dyn_cast<VarDecl>(DS->getSingleDecl());
281
282	41.2k	if (VD)
283	41.2k	TypeToCheck = VD->getType().getCanonicalType();
284	5	else if (const auto *TND = dyn_cast<TypedefNameDecl>(DS->getSingleDecl()))
285	5	TypeToCheck = TND->getUnderlyingType().getCanonicalType();
286	0	else
287	0	return;
288
289	41.2k	const VariableArrayType *VLA = Ctx.getAsVariableArrayType(TypeToCheck);
290	41.2k	if (!VLA)
291	41.2k	return;
292
293		// Check the VLA sizes for validity.
294
295	55	SVal ArraySize;
296
297	55	State = checkVLA(C, State, VLA, ArraySize);
298	55	if (!State)
299	17	return;
300
301	38	if (!isa<NonLoc>(ArraySize)) {
302		// Array size could not be determined but state may contain new assumptions.
303	0	C.addTransition(State);
304	0	return;
305	0	}
306
307		// VLASizeChecker is responsible for defining the extent of the array.
308	38	if (VD) {
309	35	State =
310	35	setDynamicExtent(State, State->getRegion(VD, C.getLocationContext()),
311	35	ArraySize.castAs<NonLoc>(), SVB);
312	35	}
313
314		// Remember our assumptions!
315	38	C.addTransition(State);
316	38	}
317
318		void VLASizeChecker::checkPreStmt(const UnaryExprOrTypeTraitExpr *UETTE,
319	1.05k	CheckerContext &C) const {
320		// Want to check for sizeof.
321	1.05k	if (UETTE->getKind() != UETT_SizeOf)
322	3	return;
323
324		// Ensure a type argument.
325	1.05k	if (!UETTE->isArgumentType())
326	394	return;
327
328	662	const VariableArrayType *VLA = C.getASTContext().getAsVariableArrayType(
329	662	UETTE->getTypeOfArgument().getCanonicalType());
330		// Ensure that the type is a VLA.
331	662	if (!VLA)
332	656	return;
333
334	6	ProgramStateRef State = C.getState();
335	6	SVal ArraySize;
336	6	State = checkVLA(C, State, VLA, ArraySize);
337	6	if (!State)
338	2	return;
339
340	4	C.addTransition(State);
341	4	}
342
343	1.27k	void ento::registerVLASizeChecker(CheckerManager &mgr) {
344	1.27k	mgr.registerChecker<VLASizeChecker>();
345	1.27k	}
346
347	2.55k	bool ento::shouldRegisterVLASizeChecker(const CheckerManager &mgr) {
348	2.55k	return true;
349	2.55k	}