coretrace-stack-analyzer/src/analysis/Reachability.cpp at main · CoreTrace/coretrace-stack-analyzer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
// SPDX-License-Identifier: Apache-2.0
#include "analysis/Reachability.hpp"

#include "analysis/IRValueUtils.hpp"

#include <llvm/IR/CFG.h>
#include <llvm/IR/Constants.h>
#include <llvm/IR/Function.h>
#include <llvm/IR/Instructions.h>

namespace ctrace::stack::analysis
{

    bool isStaticallyUnreachableStackAccess(const StackBufferOverflowIssue& issue)
    {
        if (!issue.inst)
            return false;

        auto* block = issue.inst->getParent();
        if (!block)
            return false;

        using namespace llvm;

        for (auto* predecessor : predecessors(block))
        {
            auto* branch = dyn_cast<BranchInst>(predecessor->getTerminator());
            if (!branch || !branch->isConditional())
                continue;

            auto* compare = dyn_cast<ICmpInst>(branch->getCondition());
            if (!compare)
                continue;

            const llvm::Function& function = *issue.inst->getFunction();
            auto* lhs = analysis::tryGetConstFromValue(compare->getOperand(0), function);
            auto* rhs = analysis::tryGetConstFromValue(compare->getOperand(1), function);
            if (!lhs || !rhs)
                continue;

            bool condTrue = false;
            const auto& lhsValue = lhs->getValue();
            const auto& rhsValue = rhs->getValue();

            switch (compare->getPredicate())
            {
            case ICmpInst::ICMP_EQ:
                condTrue = (lhsValue == rhsValue);
                break;
            case ICmpInst::ICMP_NE:
                condTrue = (lhsValue != rhsValue);
                break;
            case ICmpInst::ICMP_SLT:
                condTrue = lhsValue.slt(rhsValue);
                break;
            case ICmpInst::ICMP_SLE:
                condTrue = lhsValue.sle(rhsValue);
                break;
            case ICmpInst::ICMP_SGT:
                condTrue = lhsValue.sgt(rhsValue);
                break;
            case ICmpInst::ICMP_SGE:
                condTrue = lhsValue.sge(rhsValue);
                break;
            case ICmpInst::ICMP_ULT:
                condTrue = lhsValue.ult(rhsValue);
                break;
            case ICmpInst::ICMP_ULE:
                condTrue = lhsValue.ule(rhsValue);
                break;
            case ICmpInst::ICMP_UGT:
                condTrue = lhsValue.ugt(rhsValue);
                break;
            case ICmpInst::ICMP_UGE:
                condTrue = lhsValue.uge(rhsValue);
                break;
            default:
                continue;
            }

            if (block == branch->getSuccessor(0) && !condTrue)
                return true;
            if (block == branch->getSuccessor(1) && condTrue)
                return true;
        }

        return false;
    }

} // namespace ctrace::stack::analysis