10b57cec5SDimitry Andric //==--- MacOSKeychainAPIChecker.cpp ------------------------------*- C++ -*-==//
20b57cec5SDimitry Andric //
30b57cec5SDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
40b57cec5SDimitry Andric // See https://llvm.org/LICENSE.txt for license information.
50b57cec5SDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
60b57cec5SDimitry Andric //
70b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
80b57cec5SDimitry Andric // This checker flags misuses of KeyChainAPI. In particular, the password data
90b57cec5SDimitry Andric // allocated/returned by SecKeychainItemCopyContent,
100b57cec5SDimitry Andric // SecKeychainFindGenericPassword, SecKeychainFindInternetPassword functions has
110b57cec5SDimitry Andric // to be freed using a call to SecKeychainItemFreeContent.
120b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
130b57cec5SDimitry Andric
140b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
150b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
160b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h"
170b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/CheckerManager.h"
180b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
190b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
200b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
210b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
2206c3fb27SDimitry Andric #include "llvm/ADT/STLExtras.h"
230b57cec5SDimitry Andric #include "llvm/ADT/SmallString.h"
240b57cec5SDimitry Andric #include "llvm/Support/raw_ostream.h"
25bdd1243dSDimitry Andric #include <optional>
260b57cec5SDimitry Andric
270b57cec5SDimitry Andric using namespace clang;
280b57cec5SDimitry Andric using namespace ento;
290b57cec5SDimitry Andric
300b57cec5SDimitry Andric namespace {
310b57cec5SDimitry Andric class MacOSKeychainAPIChecker : public Checker<check::PreStmt<CallExpr>,
320b57cec5SDimitry Andric check::PostStmt<CallExpr>,
330b57cec5SDimitry Andric check::DeadSymbols,
340b57cec5SDimitry Andric check::PointerEscape,
350b57cec5SDimitry Andric eval::Assume> {
36647cbc5dSDimitry Andric const BugType BT{this, "Improper use of SecKeychain API",
37647cbc5dSDimitry Andric categories::AppleAPIMisuse};
380b57cec5SDimitry Andric
390b57cec5SDimitry Andric public:
400b57cec5SDimitry Andric /// AllocationState is a part of the checker specific state together with the
410b57cec5SDimitry Andric /// MemRegion corresponding to the allocated data.
420b57cec5SDimitry Andric struct AllocationState {
430b57cec5SDimitry Andric /// The index of the allocator function.
440b57cec5SDimitry Andric unsigned int AllocatorIdx;
450b57cec5SDimitry Andric SymbolRef Region;
460b57cec5SDimitry Andric
AllocationState__anon881ebd640111::MacOSKeychainAPIChecker::AllocationState470b57cec5SDimitry Andric AllocationState(const Expr *E, unsigned int Idx, SymbolRef R) :
480b57cec5SDimitry Andric AllocatorIdx(Idx),
490b57cec5SDimitry Andric Region(R) {}
500b57cec5SDimitry Andric
operator ==__anon881ebd640111::MacOSKeychainAPIChecker::AllocationState510b57cec5SDimitry Andric bool operator==(const AllocationState &X) const {
520b57cec5SDimitry Andric return (AllocatorIdx == X.AllocatorIdx &&
530b57cec5SDimitry Andric Region == X.Region);
540b57cec5SDimitry Andric }
550b57cec5SDimitry Andric
Profile__anon881ebd640111::MacOSKeychainAPIChecker::AllocationState560b57cec5SDimitry Andric void Profile(llvm::FoldingSetNodeID &ID) const {
570b57cec5SDimitry Andric ID.AddInteger(AllocatorIdx);
580b57cec5SDimitry Andric ID.AddPointer(Region);
590b57cec5SDimitry Andric }
600b57cec5SDimitry Andric };
610b57cec5SDimitry Andric
620b57cec5SDimitry Andric void checkPreStmt(const CallExpr *S, CheckerContext &C) const;
630b57cec5SDimitry Andric void checkPostStmt(const CallExpr *S, CheckerContext &C) const;
640b57cec5SDimitry Andric void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
650b57cec5SDimitry Andric ProgramStateRef checkPointerEscape(ProgramStateRef State,
660b57cec5SDimitry Andric const InvalidatedSymbols &Escaped,
670b57cec5SDimitry Andric const CallEvent *Call,
680b57cec5SDimitry Andric PointerEscapeKind Kind) const;
690b57cec5SDimitry Andric ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
700b57cec5SDimitry Andric bool Assumption) const;
710b57cec5SDimitry Andric void printState(raw_ostream &Out, ProgramStateRef State,
725ffd83dbSDimitry Andric const char *NL, const char *Sep) const override;
730b57cec5SDimitry Andric
740b57cec5SDimitry Andric private:
750b57cec5SDimitry Andric typedef std::pair<SymbolRef, const AllocationState*> AllocationPair;
760b57cec5SDimitry Andric typedef SmallVector<AllocationPair, 2> AllocationPairVec;
770b57cec5SDimitry Andric
780b57cec5SDimitry Andric enum APIKind {
790b57cec5SDimitry Andric /// Denotes functions tracked by this checker.
800b57cec5SDimitry Andric ValidAPI = 0,
810b57cec5SDimitry Andric /// The functions commonly/mistakenly used in place of the given API.
820b57cec5SDimitry Andric ErrorAPI = 1,
830b57cec5SDimitry Andric /// The functions which may allocate the data. These are tracked to reduce
840b57cec5SDimitry Andric /// the false alarm rate.
850b57cec5SDimitry Andric PossibleAPI = 2
860b57cec5SDimitry Andric };
870b57cec5SDimitry Andric /// Stores the information about the allocator and deallocator functions -
880b57cec5SDimitry Andric /// these are the functions the checker is tracking.
890b57cec5SDimitry Andric struct ADFunctionInfo {
900b57cec5SDimitry Andric const char* Name;
910b57cec5SDimitry Andric unsigned int Param;
920b57cec5SDimitry Andric unsigned int DeallocatorIdx;
930b57cec5SDimitry Andric APIKind Kind;
940b57cec5SDimitry Andric };
950b57cec5SDimitry Andric static const unsigned InvalidIdx = 100000;
960b57cec5SDimitry Andric static const unsigned FunctionsToTrackSize = 8;
970b57cec5SDimitry Andric static const ADFunctionInfo FunctionsToTrack[FunctionsToTrackSize];
980b57cec5SDimitry Andric /// The value, which represents no error return value for allocator functions.
990b57cec5SDimitry Andric static const unsigned NoErr = 0;
1000b57cec5SDimitry Andric
1010b57cec5SDimitry Andric /// Given the function name, returns the index of the allocator/deallocator
1020b57cec5SDimitry Andric /// function.
1030b57cec5SDimitry Andric static unsigned getTrackedFunctionIndex(StringRef Name, bool IsAllocator);
1040b57cec5SDimitry Andric
1050b57cec5SDimitry Andric void generateDeallocatorMismatchReport(const AllocationPair &AP,
1060b57cec5SDimitry Andric const Expr *ArgExpr,
1070b57cec5SDimitry Andric CheckerContext &C) const;
1080b57cec5SDimitry Andric
1090b57cec5SDimitry Andric /// Find the allocation site for Sym on the path leading to the node N.
1100b57cec5SDimitry Andric const ExplodedNode *getAllocationNode(const ExplodedNode *N, SymbolRef Sym,
1110b57cec5SDimitry Andric CheckerContext &C) const;
1120b57cec5SDimitry Andric
113a7dea167SDimitry Andric std::unique_ptr<PathSensitiveBugReport>
114a7dea167SDimitry Andric generateAllocatedDataNotReleasedReport(const AllocationPair &AP,
115a7dea167SDimitry Andric ExplodedNode *N,
116a7dea167SDimitry Andric CheckerContext &C) const;
1170b57cec5SDimitry Andric
1180b57cec5SDimitry Andric /// Mark an AllocationPair interesting for diagnostic reporting.
markInteresting(PathSensitiveBugReport * R,const AllocationPair & AP) const119a7dea167SDimitry Andric void markInteresting(PathSensitiveBugReport *R,
120a7dea167SDimitry Andric const AllocationPair &AP) const {
1210b57cec5SDimitry Andric R->markInteresting(AP.first);
1220b57cec5SDimitry Andric R->markInteresting(AP.second->Region);
1230b57cec5SDimitry Andric }
1240b57cec5SDimitry Andric
1250b57cec5SDimitry Andric /// The bug visitor which allows us to print extra diagnostics along the
1260b57cec5SDimitry Andric /// BugReport path. For example, showing the allocation site of the leaked
1270b57cec5SDimitry Andric /// region.
1280b57cec5SDimitry Andric class SecKeychainBugVisitor : public BugReporterVisitor {
1290b57cec5SDimitry Andric protected:
1300b57cec5SDimitry Andric // The allocated region symbol tracked by the main analysis.
1310b57cec5SDimitry Andric SymbolRef Sym;
1320b57cec5SDimitry Andric
1330b57cec5SDimitry Andric public:
SecKeychainBugVisitor(SymbolRef S)1340b57cec5SDimitry Andric SecKeychainBugVisitor(SymbolRef S) : Sym(S) {}
1350b57cec5SDimitry Andric
Profile(llvm::FoldingSetNodeID & ID) const1360b57cec5SDimitry Andric void Profile(llvm::FoldingSetNodeID &ID) const override {
1370b57cec5SDimitry Andric static int X = 0;
1380b57cec5SDimitry Andric ID.AddPointer(&X);
1390b57cec5SDimitry Andric ID.AddPointer(Sym);
1400b57cec5SDimitry Andric }
1410b57cec5SDimitry Andric
142a7dea167SDimitry Andric PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
1430b57cec5SDimitry Andric BugReporterContext &BRC,
144a7dea167SDimitry Andric PathSensitiveBugReport &BR) override;
1450b57cec5SDimitry Andric };
1460b57cec5SDimitry Andric };
1470b57cec5SDimitry Andric }
1480b57cec5SDimitry Andric
1490b57cec5SDimitry Andric /// ProgramState traits to store the currently allocated (and not yet freed)
1500b57cec5SDimitry Andric /// symbols. This is a map from the allocated content symbol to the
1510b57cec5SDimitry Andric /// corresponding AllocationState.
REGISTER_MAP_WITH_PROGRAMSTATE(AllocatedData,SymbolRef,MacOSKeychainAPIChecker::AllocationState)1520b57cec5SDimitry Andric REGISTER_MAP_WITH_PROGRAMSTATE(AllocatedData,
1530b57cec5SDimitry Andric SymbolRef,
1540b57cec5SDimitry Andric MacOSKeychainAPIChecker::AllocationState)
1550b57cec5SDimitry Andric
1560b57cec5SDimitry Andric static bool isEnclosingFunctionParam(const Expr *E) {
1570b57cec5SDimitry Andric E = E->IgnoreParenCasts();
1580b57cec5SDimitry Andric if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {
1590b57cec5SDimitry Andric const ValueDecl *VD = DRE->getDecl();
160349cc55cSDimitry Andric if (isa<ImplicitParamDecl, ParmVarDecl>(VD))
1610b57cec5SDimitry Andric return true;
1620b57cec5SDimitry Andric }
1630b57cec5SDimitry Andric return false;
1640b57cec5SDimitry Andric }
1650b57cec5SDimitry Andric
1660b57cec5SDimitry Andric const MacOSKeychainAPIChecker::ADFunctionInfo
1670b57cec5SDimitry Andric MacOSKeychainAPIChecker::FunctionsToTrack[FunctionsToTrackSize] = {
1680b57cec5SDimitry Andric {"SecKeychainItemCopyContent", 4, 3, ValidAPI}, // 0
1690b57cec5SDimitry Andric {"SecKeychainFindGenericPassword", 6, 3, ValidAPI}, // 1
1700b57cec5SDimitry Andric {"SecKeychainFindInternetPassword", 13, 3, ValidAPI}, // 2
1710b57cec5SDimitry Andric {"SecKeychainItemFreeContent", 1, InvalidIdx, ValidAPI}, // 3
1720b57cec5SDimitry Andric {"SecKeychainItemCopyAttributesAndData", 5, 5, ValidAPI}, // 4
1730b57cec5SDimitry Andric {"SecKeychainItemFreeAttributesAndData", 1, InvalidIdx, ValidAPI}, // 5
1740b57cec5SDimitry Andric {"free", 0, InvalidIdx, ErrorAPI}, // 6
1750b57cec5SDimitry Andric {"CFStringCreateWithBytesNoCopy", 1, InvalidIdx, PossibleAPI}, // 7
1760b57cec5SDimitry Andric };
1770b57cec5SDimitry Andric
getTrackedFunctionIndex(StringRef Name,bool IsAllocator)1780b57cec5SDimitry Andric unsigned MacOSKeychainAPIChecker::getTrackedFunctionIndex(StringRef Name,
1790b57cec5SDimitry Andric bool IsAllocator) {
1800b57cec5SDimitry Andric for (unsigned I = 0; I < FunctionsToTrackSize; ++I) {
1810b57cec5SDimitry Andric ADFunctionInfo FI = FunctionsToTrack[I];
1820b57cec5SDimitry Andric if (FI.Name != Name)
1830b57cec5SDimitry Andric continue;
1840b57cec5SDimitry Andric // Make sure the function is of the right type (allocator vs deallocator).
1850b57cec5SDimitry Andric if (IsAllocator && (FI.DeallocatorIdx == InvalidIdx))
1860b57cec5SDimitry Andric return InvalidIdx;
1870b57cec5SDimitry Andric if (!IsAllocator && (FI.DeallocatorIdx != InvalidIdx))
1880b57cec5SDimitry Andric return InvalidIdx;
1890b57cec5SDimitry Andric
1900b57cec5SDimitry Andric return I;
1910b57cec5SDimitry Andric }
1920b57cec5SDimitry Andric // The function is not tracked.
1930b57cec5SDimitry Andric return InvalidIdx;
1940b57cec5SDimitry Andric }
1950b57cec5SDimitry Andric
isBadDeallocationArgument(const MemRegion * Arg)1960b57cec5SDimitry Andric static bool isBadDeallocationArgument(const MemRegion *Arg) {
1970b57cec5SDimitry Andric if (!Arg)
1980b57cec5SDimitry Andric return false;
199349cc55cSDimitry Andric return isa<AllocaRegion, BlockDataRegion, TypedRegion>(Arg);
2000b57cec5SDimitry Andric }
2010b57cec5SDimitry Andric
2020b57cec5SDimitry Andric /// Given the address expression, retrieve the value it's pointing to. Assume
2030b57cec5SDimitry Andric /// that value is itself an address, and return the corresponding symbol.
getAsPointeeSymbol(const Expr * Expr,CheckerContext & C)2040b57cec5SDimitry Andric static SymbolRef getAsPointeeSymbol(const Expr *Expr,
2050b57cec5SDimitry Andric CheckerContext &C) {
2060b57cec5SDimitry Andric ProgramStateRef State = C.getState();
2070b57cec5SDimitry Andric SVal ArgV = C.getSVal(Expr);
2080b57cec5SDimitry Andric
209bdd1243dSDimitry Andric if (std::optional<loc::MemRegionVal> X = ArgV.getAs<loc::MemRegionVal>()) {
2100b57cec5SDimitry Andric StoreManager& SM = C.getStoreManager();
2110b57cec5SDimitry Andric SymbolRef sym = SM.getBinding(State->getStore(), *X).getAsLocSymbol();
2120b57cec5SDimitry Andric if (sym)
2130b57cec5SDimitry Andric return sym;
2140b57cec5SDimitry Andric }
2150b57cec5SDimitry Andric return nullptr;
2160b57cec5SDimitry Andric }
2170b57cec5SDimitry Andric
2180b57cec5SDimitry Andric // Report deallocator mismatch. Remove the region from tracking - reporting a
2190b57cec5SDimitry Andric // missing free error after this one is redundant.
2200b57cec5SDimitry Andric void MacOSKeychainAPIChecker::
generateDeallocatorMismatchReport(const AllocationPair & AP,const Expr * ArgExpr,CheckerContext & C) const2210b57cec5SDimitry Andric generateDeallocatorMismatchReport(const AllocationPair &AP,
2220b57cec5SDimitry Andric const Expr *ArgExpr,
2230b57cec5SDimitry Andric CheckerContext &C) const {
2240b57cec5SDimitry Andric ProgramStateRef State = C.getState();
2250b57cec5SDimitry Andric State = State->remove<AllocatedData>(AP.first);
2260b57cec5SDimitry Andric ExplodedNode *N = C.generateNonFatalErrorNode(State);
2270b57cec5SDimitry Andric
2280b57cec5SDimitry Andric if (!N)
2290b57cec5SDimitry Andric return;
2300b57cec5SDimitry Andric SmallString<80> sbuf;
2310b57cec5SDimitry Andric llvm::raw_svector_ostream os(sbuf);
2320b57cec5SDimitry Andric unsigned int PDeallocIdx =
2330b57cec5SDimitry Andric FunctionsToTrack[AP.second->AllocatorIdx].DeallocatorIdx;
2340b57cec5SDimitry Andric
2350b57cec5SDimitry Andric os << "Deallocator doesn't match the allocator: '"
2360b57cec5SDimitry Andric << FunctionsToTrack[PDeallocIdx].Name << "' should be used.";
237647cbc5dSDimitry Andric auto Report = std::make_unique<PathSensitiveBugReport>(BT, os.str(), N);
238a7dea167SDimitry Andric Report->addVisitor(std::make_unique<SecKeychainBugVisitor>(AP.first));
2390b57cec5SDimitry Andric Report->addRange(ArgExpr->getSourceRange());
2400b57cec5SDimitry Andric markInteresting(Report.get(), AP);
2410b57cec5SDimitry Andric C.emitReport(std::move(Report));
2420b57cec5SDimitry Andric }
2430b57cec5SDimitry Andric
checkPreStmt(const CallExpr * CE,CheckerContext & C) const2440b57cec5SDimitry Andric void MacOSKeychainAPIChecker::checkPreStmt(const CallExpr *CE,
2450b57cec5SDimitry Andric CheckerContext &C) const {
2460b57cec5SDimitry Andric unsigned idx = InvalidIdx;
2470b57cec5SDimitry Andric ProgramStateRef State = C.getState();
2480b57cec5SDimitry Andric
2490b57cec5SDimitry Andric const FunctionDecl *FD = C.getCalleeDecl(CE);
2500b57cec5SDimitry Andric if (!FD || FD->getKind() != Decl::Function)
2510b57cec5SDimitry Andric return;
2520b57cec5SDimitry Andric
2530b57cec5SDimitry Andric StringRef funName = C.getCalleeName(FD);
2540b57cec5SDimitry Andric if (funName.empty())
2550b57cec5SDimitry Andric return;
2560b57cec5SDimitry Andric
2570b57cec5SDimitry Andric // If it is a call to an allocator function, it could be a double allocation.
2580b57cec5SDimitry Andric idx = getTrackedFunctionIndex(funName, true);
2590b57cec5SDimitry Andric if (idx != InvalidIdx) {
2600b57cec5SDimitry Andric unsigned paramIdx = FunctionsToTrack[idx].Param;
2610b57cec5SDimitry Andric if (CE->getNumArgs() <= paramIdx)
2620b57cec5SDimitry Andric return;
2630b57cec5SDimitry Andric
2640b57cec5SDimitry Andric const Expr *ArgExpr = CE->getArg(paramIdx);
2650b57cec5SDimitry Andric if (SymbolRef V = getAsPointeeSymbol(ArgExpr, C))
2660b57cec5SDimitry Andric if (const AllocationState *AS = State->get<AllocatedData>(V)) {
2670b57cec5SDimitry Andric // Remove the value from the state. The new symbol will be added for
2680b57cec5SDimitry Andric // tracking when the second allocator is processed in checkPostStmt().
2690b57cec5SDimitry Andric State = State->remove<AllocatedData>(V);
2700b57cec5SDimitry Andric ExplodedNode *N = C.generateNonFatalErrorNode(State);
2710b57cec5SDimitry Andric if (!N)
2720b57cec5SDimitry Andric return;
2730b57cec5SDimitry Andric SmallString<128> sbuf;
2740b57cec5SDimitry Andric llvm::raw_svector_ostream os(sbuf);
2750b57cec5SDimitry Andric unsigned int DIdx = FunctionsToTrack[AS->AllocatorIdx].DeallocatorIdx;
2760b57cec5SDimitry Andric os << "Allocated data should be released before another call to "
2770b57cec5SDimitry Andric << "the allocator: missing a call to '"
2780b57cec5SDimitry Andric << FunctionsToTrack[DIdx].Name
2790b57cec5SDimitry Andric << "'.";
280647cbc5dSDimitry Andric auto Report = std::make_unique<PathSensitiveBugReport>(BT, os.str(), N);
281a7dea167SDimitry Andric Report->addVisitor(std::make_unique<SecKeychainBugVisitor>(V));
2820b57cec5SDimitry Andric Report->addRange(ArgExpr->getSourceRange());
2830b57cec5SDimitry Andric Report->markInteresting(AS->Region);
2840b57cec5SDimitry Andric C.emitReport(std::move(Report));
2850b57cec5SDimitry Andric }
2860b57cec5SDimitry Andric return;
2870b57cec5SDimitry Andric }
2880b57cec5SDimitry Andric
2890b57cec5SDimitry Andric // Is it a call to one of deallocator functions?
2900b57cec5SDimitry Andric idx = getTrackedFunctionIndex(funName, false);
2910b57cec5SDimitry Andric if (idx == InvalidIdx)
2920b57cec5SDimitry Andric return;
2930b57cec5SDimitry Andric
2940b57cec5SDimitry Andric unsigned paramIdx = FunctionsToTrack[idx].Param;
2950b57cec5SDimitry Andric if (CE->getNumArgs() <= paramIdx)
2960b57cec5SDimitry Andric return;
2970b57cec5SDimitry Andric
2980b57cec5SDimitry Andric // Check the argument to the deallocator.
2990b57cec5SDimitry Andric const Expr *ArgExpr = CE->getArg(paramIdx);
3000b57cec5SDimitry Andric SVal ArgSVal = C.getSVal(ArgExpr);
3010b57cec5SDimitry Andric
3020b57cec5SDimitry Andric // Undef is reported by another checker.
3030b57cec5SDimitry Andric if (ArgSVal.isUndef())
3040b57cec5SDimitry Andric return;
3050b57cec5SDimitry Andric
3060b57cec5SDimitry Andric SymbolRef ArgSM = ArgSVal.getAsLocSymbol();
3070b57cec5SDimitry Andric
3080b57cec5SDimitry Andric // If the argument is coming from the heap, globals, or unknown, do not
3090b57cec5SDimitry Andric // report it.
3100b57cec5SDimitry Andric bool RegionArgIsBad = false;
3110b57cec5SDimitry Andric if (!ArgSM) {
3120b57cec5SDimitry Andric if (!isBadDeallocationArgument(ArgSVal.getAsRegion()))
3130b57cec5SDimitry Andric return;
3140b57cec5SDimitry Andric RegionArgIsBad = true;
3150b57cec5SDimitry Andric }
3160b57cec5SDimitry Andric
3170b57cec5SDimitry Andric // Is the argument to the call being tracked?
3180b57cec5SDimitry Andric const AllocationState *AS = State->get<AllocatedData>(ArgSM);
3190b57cec5SDimitry Andric if (!AS)
3200b57cec5SDimitry Andric return;
3210b57cec5SDimitry Andric
3220b57cec5SDimitry Andric // TODO: We might want to report double free here.
3230b57cec5SDimitry Andric // (that would involve tracking all the freed symbols in the checker state).
3240b57cec5SDimitry Andric if (RegionArgIsBad) {
3250b57cec5SDimitry Andric // It is possible that this is a false positive - the argument might
3260b57cec5SDimitry Andric // have entered as an enclosing function parameter.
3270b57cec5SDimitry Andric if (isEnclosingFunctionParam(ArgExpr))
3280b57cec5SDimitry Andric return;
3290b57cec5SDimitry Andric
3300b57cec5SDimitry Andric ExplodedNode *N = C.generateNonFatalErrorNode(State);
3310b57cec5SDimitry Andric if (!N)
3320b57cec5SDimitry Andric return;
333a7dea167SDimitry Andric auto Report = std::make_unique<PathSensitiveBugReport>(
334647cbc5dSDimitry Andric BT, "Trying to free data which has not been allocated.", N);
3350b57cec5SDimitry Andric Report->addRange(ArgExpr->getSourceRange());
3360b57cec5SDimitry Andric if (AS)
3370b57cec5SDimitry Andric Report->markInteresting(AS->Region);
3380b57cec5SDimitry Andric C.emitReport(std::move(Report));
3390b57cec5SDimitry Andric return;
3400b57cec5SDimitry Andric }
3410b57cec5SDimitry Andric
3420b57cec5SDimitry Andric // Process functions which might deallocate.
3430b57cec5SDimitry Andric if (FunctionsToTrack[idx].Kind == PossibleAPI) {
3440b57cec5SDimitry Andric
3450b57cec5SDimitry Andric if (funName == "CFStringCreateWithBytesNoCopy") {
3460b57cec5SDimitry Andric const Expr *DeallocatorExpr = CE->getArg(5)->IgnoreParenCasts();
3470b57cec5SDimitry Andric // NULL ~ default deallocator, so warn.
3480b57cec5SDimitry Andric if (DeallocatorExpr->isNullPointerConstant(C.getASTContext(),
3490b57cec5SDimitry Andric Expr::NPC_ValueDependentIsNotNull)) {
3500b57cec5SDimitry Andric const AllocationPair AP = std::make_pair(ArgSM, AS);
3510b57cec5SDimitry Andric generateDeallocatorMismatchReport(AP, ArgExpr, C);
3520b57cec5SDimitry Andric return;
3530b57cec5SDimitry Andric }
3540b57cec5SDimitry Andric // One of the default allocators, so warn.
3550b57cec5SDimitry Andric if (const DeclRefExpr *DE = dyn_cast<DeclRefExpr>(DeallocatorExpr)) {
3560b57cec5SDimitry Andric StringRef DeallocatorName = DE->getFoundDecl()->getName();
3570b57cec5SDimitry Andric if (DeallocatorName == "kCFAllocatorDefault" ||
3580b57cec5SDimitry Andric DeallocatorName == "kCFAllocatorSystemDefault" ||
3590b57cec5SDimitry Andric DeallocatorName == "kCFAllocatorMalloc") {
3600b57cec5SDimitry Andric const AllocationPair AP = std::make_pair(ArgSM, AS);
3610b57cec5SDimitry Andric generateDeallocatorMismatchReport(AP, ArgExpr, C);
3620b57cec5SDimitry Andric return;
3630b57cec5SDimitry Andric }
3640b57cec5SDimitry Andric // If kCFAllocatorNull, which does not deallocate, we still have to
3650b57cec5SDimitry Andric // find the deallocator.
3660b57cec5SDimitry Andric if (DE->getFoundDecl()->getName() == "kCFAllocatorNull")
3670b57cec5SDimitry Andric return;
3680b57cec5SDimitry Andric }
3690b57cec5SDimitry Andric // In all other cases, assume the user supplied a correct deallocator
3700b57cec5SDimitry Andric // that will free memory so stop tracking.
3710b57cec5SDimitry Andric State = State->remove<AllocatedData>(ArgSM);
3720b57cec5SDimitry Andric C.addTransition(State);
3730b57cec5SDimitry Andric return;
3740b57cec5SDimitry Andric }
3750b57cec5SDimitry Andric
3760b57cec5SDimitry Andric llvm_unreachable("We know of no other possible APIs.");
3770b57cec5SDimitry Andric }
3780b57cec5SDimitry Andric
3790b57cec5SDimitry Andric // The call is deallocating a value we previously allocated, so remove it
3800b57cec5SDimitry Andric // from the next state.
3810b57cec5SDimitry Andric State = State->remove<AllocatedData>(ArgSM);
3820b57cec5SDimitry Andric
3830b57cec5SDimitry Andric // Check if the proper deallocator is used.
3840b57cec5SDimitry Andric unsigned int PDeallocIdx = FunctionsToTrack[AS->AllocatorIdx].DeallocatorIdx;
3850b57cec5SDimitry Andric if (PDeallocIdx != idx || (FunctionsToTrack[idx].Kind == ErrorAPI)) {
3860b57cec5SDimitry Andric const AllocationPair AP = std::make_pair(ArgSM, AS);
3870b57cec5SDimitry Andric generateDeallocatorMismatchReport(AP, ArgExpr, C);
3880b57cec5SDimitry Andric return;
3890b57cec5SDimitry Andric }
3900b57cec5SDimitry Andric
3910b57cec5SDimitry Andric C.addTransition(State);
3920b57cec5SDimitry Andric }
3930b57cec5SDimitry Andric
checkPostStmt(const CallExpr * CE,CheckerContext & C) const3940b57cec5SDimitry Andric void MacOSKeychainAPIChecker::checkPostStmt(const CallExpr *CE,
3950b57cec5SDimitry Andric CheckerContext &C) const {
3960b57cec5SDimitry Andric ProgramStateRef State = C.getState();
3970b57cec5SDimitry Andric const FunctionDecl *FD = C.getCalleeDecl(CE);
3980b57cec5SDimitry Andric if (!FD || FD->getKind() != Decl::Function)
3990b57cec5SDimitry Andric return;
4000b57cec5SDimitry Andric
4010b57cec5SDimitry Andric StringRef funName = C.getCalleeName(FD);
4020b57cec5SDimitry Andric
4030b57cec5SDimitry Andric // If a value has been allocated, add it to the set for tracking.
4040b57cec5SDimitry Andric unsigned idx = getTrackedFunctionIndex(funName, true);
4050b57cec5SDimitry Andric if (idx == InvalidIdx)
4060b57cec5SDimitry Andric return;
4070b57cec5SDimitry Andric
4080b57cec5SDimitry Andric const Expr *ArgExpr = CE->getArg(FunctionsToTrack[idx].Param);
4090b57cec5SDimitry Andric // If the argument entered as an enclosing function parameter, skip it to
4100b57cec5SDimitry Andric // avoid false positives.
4110b57cec5SDimitry Andric if (isEnclosingFunctionParam(ArgExpr) &&
4120b57cec5SDimitry Andric C.getLocationContext()->getParent() == nullptr)
4130b57cec5SDimitry Andric return;
4140b57cec5SDimitry Andric
4150b57cec5SDimitry Andric if (SymbolRef V = getAsPointeeSymbol(ArgExpr, C)) {
4160b57cec5SDimitry Andric // If the argument points to something that's not a symbolic region, it
4170b57cec5SDimitry Andric // can be:
4180b57cec5SDimitry Andric // - unknown (cannot reason about it)
4190b57cec5SDimitry Andric // - undefined (already reported by other checker)
4200b57cec5SDimitry Andric // - constant (null - should not be tracked,
4210b57cec5SDimitry Andric // other constant will generate a compiler warning)
4220b57cec5SDimitry Andric // - goto (should be reported by other checker)
4230b57cec5SDimitry Andric
4240b57cec5SDimitry Andric // The call return value symbol should stay alive for as long as the
4250b57cec5SDimitry Andric // allocated value symbol, since our diagnostics depend on the value
4260b57cec5SDimitry Andric // returned by the call. Ex: Data should only be freed if noErr was
4270b57cec5SDimitry Andric // returned during allocation.)
4280b57cec5SDimitry Andric SymbolRef RetStatusSymbol = C.getSVal(CE).getAsSymbol();
4290b57cec5SDimitry Andric C.getSymbolManager().addSymbolDependency(V, RetStatusSymbol);
4300b57cec5SDimitry Andric
4310b57cec5SDimitry Andric // Track the allocated value in the checker state.
4320b57cec5SDimitry Andric State = State->set<AllocatedData>(V, AllocationState(ArgExpr, idx,
4330b57cec5SDimitry Andric RetStatusSymbol));
4340b57cec5SDimitry Andric assert(State);
4350b57cec5SDimitry Andric C.addTransition(State);
4360b57cec5SDimitry Andric }
4370b57cec5SDimitry Andric }
4380b57cec5SDimitry Andric
4390b57cec5SDimitry Andric // TODO: This logic is the same as in Malloc checker.
4400b57cec5SDimitry Andric const ExplodedNode *
getAllocationNode(const ExplodedNode * N,SymbolRef Sym,CheckerContext & C) const4410b57cec5SDimitry Andric MacOSKeychainAPIChecker::getAllocationNode(const ExplodedNode *N,
4420b57cec5SDimitry Andric SymbolRef Sym,
4430b57cec5SDimitry Andric CheckerContext &C) const {
4440b57cec5SDimitry Andric const LocationContext *LeakContext = N->getLocationContext();
4450b57cec5SDimitry Andric // Walk the ExplodedGraph backwards and find the first node that referred to
4460b57cec5SDimitry Andric // the tracked symbol.
4470b57cec5SDimitry Andric const ExplodedNode *AllocNode = N;
4480b57cec5SDimitry Andric
4490b57cec5SDimitry Andric while (N) {
4500b57cec5SDimitry Andric if (!N->getState()->get<AllocatedData>(Sym))
4510b57cec5SDimitry Andric break;
4520b57cec5SDimitry Andric // Allocation node, is the last node in the current or parent context in
4530b57cec5SDimitry Andric // which the symbol was tracked.
4540b57cec5SDimitry Andric const LocationContext *NContext = N->getLocationContext();
4550b57cec5SDimitry Andric if (NContext == LeakContext ||
4560b57cec5SDimitry Andric NContext->isParentOf(LeakContext))
4570b57cec5SDimitry Andric AllocNode = N;
4580b57cec5SDimitry Andric N = N->pred_empty() ? nullptr : *(N->pred_begin());
4590b57cec5SDimitry Andric }
4600b57cec5SDimitry Andric
4610b57cec5SDimitry Andric return AllocNode;
4620b57cec5SDimitry Andric }
4630b57cec5SDimitry Andric
464a7dea167SDimitry Andric std::unique_ptr<PathSensitiveBugReport>
generateAllocatedDataNotReleasedReport(const AllocationPair & AP,ExplodedNode * N,CheckerContext & C) const4650b57cec5SDimitry Andric MacOSKeychainAPIChecker::generateAllocatedDataNotReleasedReport(
4660b57cec5SDimitry Andric const AllocationPair &AP, ExplodedNode *N, CheckerContext &C) const {
4670b57cec5SDimitry Andric const ADFunctionInfo &FI = FunctionsToTrack[AP.second->AllocatorIdx];
4680b57cec5SDimitry Andric SmallString<70> sbuf;
4690b57cec5SDimitry Andric llvm::raw_svector_ostream os(sbuf);
4700b57cec5SDimitry Andric os << "Allocated data is not released: missing a call to '"
4710b57cec5SDimitry Andric << FunctionsToTrack[FI.DeallocatorIdx].Name << "'.";
4720b57cec5SDimitry Andric
4730b57cec5SDimitry Andric // Most bug reports are cached at the location where they occurred.
4740b57cec5SDimitry Andric // With leaks, we want to unique them by the location where they were
4750b57cec5SDimitry Andric // allocated, and only report a single path.
4760b57cec5SDimitry Andric PathDiagnosticLocation LocUsedForUniqueing;
4770b57cec5SDimitry Andric const ExplodedNode *AllocNode = getAllocationNode(N, AP.first, C);
478a7dea167SDimitry Andric const Stmt *AllocStmt = AllocNode->getStmtForDiagnostics();
4790b57cec5SDimitry Andric
4800b57cec5SDimitry Andric if (AllocStmt)
4810b57cec5SDimitry Andric LocUsedForUniqueing = PathDiagnosticLocation::createBegin(AllocStmt,
4820b57cec5SDimitry Andric C.getSourceManager(),
4830b57cec5SDimitry Andric AllocNode->getLocationContext());
4840b57cec5SDimitry Andric
485a7dea167SDimitry Andric auto Report = std::make_unique<PathSensitiveBugReport>(
486647cbc5dSDimitry Andric BT, os.str(), N, LocUsedForUniqueing,
4870b57cec5SDimitry Andric AllocNode->getLocationContext()->getDecl());
4880b57cec5SDimitry Andric
489a7dea167SDimitry Andric Report->addVisitor(std::make_unique<SecKeychainBugVisitor>(AP.first));
4900b57cec5SDimitry Andric markInteresting(Report.get(), AP);
4910b57cec5SDimitry Andric return Report;
4920b57cec5SDimitry Andric }
4930b57cec5SDimitry Andric
4940b57cec5SDimitry Andric /// If the return symbol is assumed to be error, remove the allocated info
4950b57cec5SDimitry Andric /// from consideration.
evalAssume(ProgramStateRef State,SVal Cond,bool Assumption) const4960b57cec5SDimitry Andric ProgramStateRef MacOSKeychainAPIChecker::evalAssume(ProgramStateRef State,
4970b57cec5SDimitry Andric SVal Cond,
4980b57cec5SDimitry Andric bool Assumption) const {
4990b57cec5SDimitry Andric AllocatedDataTy AMap = State->get<AllocatedData>();
5000b57cec5SDimitry Andric if (AMap.isEmpty())
5010b57cec5SDimitry Andric return State;
5020b57cec5SDimitry Andric
503e8d8bef9SDimitry Andric auto *CondBSE = dyn_cast_or_null<BinarySymExpr>(Cond.getAsSymbol());
5040b57cec5SDimitry Andric if (!CondBSE)
5050b57cec5SDimitry Andric return State;
5060b57cec5SDimitry Andric BinaryOperator::Opcode OpCode = CondBSE->getOpcode();
5070b57cec5SDimitry Andric if (OpCode != BO_EQ && OpCode != BO_NE)
5080b57cec5SDimitry Andric return State;
5090b57cec5SDimitry Andric
5100b57cec5SDimitry Andric // Match for a restricted set of patterns for cmparison of error codes.
5110b57cec5SDimitry Andric // Note, the comparisons of type '0 == st' are transformed into SymIntExpr.
5120b57cec5SDimitry Andric SymbolRef ReturnSymbol = nullptr;
5130b57cec5SDimitry Andric if (auto *SIE = dyn_cast<SymIntExpr>(CondBSE)) {
5140b57cec5SDimitry Andric const llvm::APInt &RHS = SIE->getRHS();
5150b57cec5SDimitry Andric bool ErrorIsReturned = (OpCode == BO_EQ && RHS != NoErr) ||
5160b57cec5SDimitry Andric (OpCode == BO_NE && RHS == NoErr);
5170b57cec5SDimitry Andric if (!Assumption)
5180b57cec5SDimitry Andric ErrorIsReturned = !ErrorIsReturned;
5190b57cec5SDimitry Andric if (ErrorIsReturned)
5200b57cec5SDimitry Andric ReturnSymbol = SIE->getLHS();
5210b57cec5SDimitry Andric }
5220b57cec5SDimitry Andric
5230b57cec5SDimitry Andric if (ReturnSymbol)
52406c3fb27SDimitry Andric for (auto [Sym, AllocState] : AMap) {
52506c3fb27SDimitry Andric if (ReturnSymbol == AllocState.Region)
52606c3fb27SDimitry Andric State = State->remove<AllocatedData>(Sym);
5270b57cec5SDimitry Andric }
5280b57cec5SDimitry Andric
5290b57cec5SDimitry Andric return State;
5300b57cec5SDimitry Andric }
5310b57cec5SDimitry Andric
checkDeadSymbols(SymbolReaper & SR,CheckerContext & C) const5320b57cec5SDimitry Andric void MacOSKeychainAPIChecker::checkDeadSymbols(SymbolReaper &SR,
5330b57cec5SDimitry Andric CheckerContext &C) const {
5340b57cec5SDimitry Andric ProgramStateRef State = C.getState();
5350b57cec5SDimitry Andric AllocatedDataTy AMap = State->get<AllocatedData>();
5360b57cec5SDimitry Andric if (AMap.isEmpty())
5370b57cec5SDimitry Andric return;
5380b57cec5SDimitry Andric
5390b57cec5SDimitry Andric bool Changed = false;
5400b57cec5SDimitry Andric AllocationPairVec Errors;
54106c3fb27SDimitry Andric for (const auto &[Sym, AllocState] : AMap) {
54206c3fb27SDimitry Andric if (!SR.isDead(Sym))
5430b57cec5SDimitry Andric continue;
5440b57cec5SDimitry Andric
5450b57cec5SDimitry Andric Changed = true;
54606c3fb27SDimitry Andric State = State->remove<AllocatedData>(Sym);
5470b57cec5SDimitry Andric // If the allocated symbol is null do not report.
5480b57cec5SDimitry Andric ConstraintManager &CMgr = State->getConstraintManager();
54906c3fb27SDimitry Andric ConditionTruthVal AllocFailed = CMgr.isNull(State, Sym);
5500b57cec5SDimitry Andric if (AllocFailed.isConstrainedTrue())
5510b57cec5SDimitry Andric continue;
55206c3fb27SDimitry Andric Errors.push_back(std::make_pair(Sym, &AllocState));
5530b57cec5SDimitry Andric }
5540b57cec5SDimitry Andric if (!Changed) {
5550b57cec5SDimitry Andric // Generate the new, cleaned up state.
5560b57cec5SDimitry Andric C.addTransition(State);
5570b57cec5SDimitry Andric return;
5580b57cec5SDimitry Andric }
5590b57cec5SDimitry Andric
5600b57cec5SDimitry Andric static CheckerProgramPointTag Tag(this, "DeadSymbolsLeak");
5610b57cec5SDimitry Andric ExplodedNode *N = C.generateNonFatalErrorNode(C.getState(), &Tag);
5620b57cec5SDimitry Andric if (!N)
5630b57cec5SDimitry Andric return;
5640b57cec5SDimitry Andric
5650b57cec5SDimitry Andric // Generate the error reports.
5660b57cec5SDimitry Andric for (const auto &P : Errors)
5670b57cec5SDimitry Andric C.emitReport(generateAllocatedDataNotReleasedReport(P, N, C));
5680b57cec5SDimitry Andric
5690b57cec5SDimitry Andric // Generate the new, cleaned up state.
5700b57cec5SDimitry Andric C.addTransition(State, N);
5710b57cec5SDimitry Andric }
5720b57cec5SDimitry Andric
checkPointerEscape(ProgramStateRef State,const InvalidatedSymbols & Escaped,const CallEvent * Call,PointerEscapeKind Kind) const5730b57cec5SDimitry Andric ProgramStateRef MacOSKeychainAPIChecker::checkPointerEscape(
5740b57cec5SDimitry Andric ProgramStateRef State, const InvalidatedSymbols &Escaped,
5750b57cec5SDimitry Andric const CallEvent *Call, PointerEscapeKind Kind) const {
5760b57cec5SDimitry Andric // FIXME: This branch doesn't make any sense at all, but it is an overfitted
5770b57cec5SDimitry Andric // replacement for a previous overfitted code that was making even less sense.
5780b57cec5SDimitry Andric if (!Call || Call->getDecl())
5790b57cec5SDimitry Andric return State;
5800b57cec5SDimitry Andric
5810b57cec5SDimitry Andric for (auto I : State->get<AllocatedData>()) {
5820b57cec5SDimitry Andric SymbolRef Sym = I.first;
5830b57cec5SDimitry Andric if (Escaped.count(Sym))
5840b57cec5SDimitry Andric State = State->remove<AllocatedData>(Sym);
5850b57cec5SDimitry Andric
5860b57cec5SDimitry Andric // This checker is special. Most checkers in fact only track symbols of
5870b57cec5SDimitry Andric // SymbolConjured type, eg. symbols returned from functions such as
5880b57cec5SDimitry Andric // malloc(). This checker tracks symbols returned as out-parameters.
5890b57cec5SDimitry Andric //
5900b57cec5SDimitry Andric // When a function is evaluated conservatively, the out-parameter's pointee
5910b57cec5SDimitry Andric // base region gets invalidated with a SymbolConjured. If the base region is
5920b57cec5SDimitry Andric // larger than the region we're interested in, the value we're interested in
5930b57cec5SDimitry Andric // would be SymbolDerived based on that SymbolConjured. However, such
5940b57cec5SDimitry Andric // SymbolDerived will never be listed in the Escaped set when the base
5950b57cec5SDimitry Andric // region is invalidated because ExprEngine doesn't know which symbols
5960b57cec5SDimitry Andric // were derived from a given symbol, while there can be infinitely many
5970b57cec5SDimitry Andric // valid symbols derived from any given symbol.
5980b57cec5SDimitry Andric //
5990b57cec5SDimitry Andric // Hence the extra boilerplate: remove the derived symbol when its parent
6000b57cec5SDimitry Andric // symbol escapes.
6010b57cec5SDimitry Andric //
6020b57cec5SDimitry Andric if (const auto *SD = dyn_cast<SymbolDerived>(Sym)) {
6030b57cec5SDimitry Andric SymbolRef ParentSym = SD->getParentSymbol();
6040b57cec5SDimitry Andric if (Escaped.count(ParentSym))
6050b57cec5SDimitry Andric State = State->remove<AllocatedData>(Sym);
6060b57cec5SDimitry Andric }
6070b57cec5SDimitry Andric }
6080b57cec5SDimitry Andric return State;
6090b57cec5SDimitry Andric }
6100b57cec5SDimitry Andric
611a7dea167SDimitry Andric PathDiagnosticPieceRef
VisitNode(const ExplodedNode * N,BugReporterContext & BRC,PathSensitiveBugReport & BR)6120b57cec5SDimitry Andric MacOSKeychainAPIChecker::SecKeychainBugVisitor::VisitNode(
613a7dea167SDimitry Andric const ExplodedNode *N, BugReporterContext &BRC,
614a7dea167SDimitry Andric PathSensitiveBugReport &BR) {
6150b57cec5SDimitry Andric const AllocationState *AS = N->getState()->get<AllocatedData>(Sym);
6160b57cec5SDimitry Andric if (!AS)
6170b57cec5SDimitry Andric return nullptr;
6180b57cec5SDimitry Andric const AllocationState *ASPrev =
6190b57cec5SDimitry Andric N->getFirstPred()->getState()->get<AllocatedData>(Sym);
6200b57cec5SDimitry Andric if (ASPrev)
6210b57cec5SDimitry Andric return nullptr;
6220b57cec5SDimitry Andric
6230b57cec5SDimitry Andric // (!ASPrev && AS) ~ We started tracking symbol in node N, it must be the
6240b57cec5SDimitry Andric // allocation site.
6250b57cec5SDimitry Andric const CallExpr *CE =
6260b57cec5SDimitry Andric cast<CallExpr>(N->getLocation().castAs<StmtPoint>().getStmt());
6270b57cec5SDimitry Andric const FunctionDecl *funDecl = CE->getDirectCallee();
6280b57cec5SDimitry Andric assert(funDecl && "We do not support indirect function calls as of now.");
6290b57cec5SDimitry Andric StringRef funName = funDecl->getName();
6300b57cec5SDimitry Andric
6310b57cec5SDimitry Andric // Get the expression of the corresponding argument.
6320b57cec5SDimitry Andric unsigned Idx = getTrackedFunctionIndex(funName, true);
6330b57cec5SDimitry Andric assert(Idx != InvalidIdx && "This should be a call to an allocator.");
6340b57cec5SDimitry Andric const Expr *ArgExpr = CE->getArg(FunctionsToTrack[Idx].Param);
6350b57cec5SDimitry Andric PathDiagnosticLocation Pos(ArgExpr, BRC.getSourceManager(),
6360b57cec5SDimitry Andric N->getLocationContext());
6370b57cec5SDimitry Andric return std::make_shared<PathDiagnosticEventPiece>(Pos,
6380b57cec5SDimitry Andric "Data is allocated here.");
6390b57cec5SDimitry Andric }
6400b57cec5SDimitry Andric
printState(raw_ostream & Out,ProgramStateRef State,const char * NL,const char * Sep) const6410b57cec5SDimitry Andric void MacOSKeychainAPIChecker::printState(raw_ostream &Out,
6420b57cec5SDimitry Andric ProgramStateRef State,
6430b57cec5SDimitry Andric const char *NL,
6440b57cec5SDimitry Andric const char *Sep) const {
6450b57cec5SDimitry Andric
6460b57cec5SDimitry Andric AllocatedDataTy AMap = State->get<AllocatedData>();
6470b57cec5SDimitry Andric
6480b57cec5SDimitry Andric if (!AMap.isEmpty()) {
6490b57cec5SDimitry Andric Out << Sep << "KeychainAPIChecker :" << NL;
65006c3fb27SDimitry Andric for (SymbolRef Sym : llvm::make_first_range(AMap)) {
65106c3fb27SDimitry Andric Sym->dumpToStream(Out);
6520b57cec5SDimitry Andric }
6530b57cec5SDimitry Andric }
6540b57cec5SDimitry Andric }
6550b57cec5SDimitry Andric
6560b57cec5SDimitry Andric
registerMacOSKeychainAPIChecker(CheckerManager & mgr)6570b57cec5SDimitry Andric void ento::registerMacOSKeychainAPIChecker(CheckerManager &mgr) {
6580b57cec5SDimitry Andric mgr.registerChecker<MacOSKeychainAPIChecker>();
6590b57cec5SDimitry Andric }
6600b57cec5SDimitry Andric
shouldRegisterMacOSKeychainAPIChecker(const CheckerManager & mgr)6615ffd83dbSDimitry Andric bool ento::shouldRegisterMacOSKeychainAPIChecker(const CheckerManager &mgr) {
6620b57cec5SDimitry Andric return true;
6630b57cec5SDimitry Andric }
664