================ 
@@ -0,0 +1,134 @@
+//=== StoreToImmutableChecker.cpp - Store to immutable memory ---*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+//
+// This file defines StoreToImmutableChecker, a checker that detects writes
+// to immutable memory regions. This implements part of SEI CERT Rule ENV30-C.
+//
+//===----------------------------------------------------------------------===//
+
+#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+class StoreToImmutableChecker : public Checker<check::Bind> {
+ const BugType BT{this, "Write to immutable memory", "CERT Environment (ENV)"};
+
+public:
+ void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const;
+
+private:
+ bool isConstVariable(const MemRegion *MR, CheckerContext &C) const;
+ bool isConstQualifiedType(const MemRegion *MR, CheckerContext &C) const;
+};
+} // end anonymous namespace
+
+bool StoreToImmutableChecker::isConstVariable(const MemRegion *MR,
+ CheckerContext &C) const {
+ // Check if the region is in the global immutable space
+ const MemSpaceRegion *MS = MR->getMemorySpace(C.getState());
+ if (isa<GlobalImmutableSpaceRegion>(MS))
+ return true;
+
+ // Check if this is a VarRegion with a const-qualified type
+ if (const VarRegion *VR = dyn_cast<VarRegion>(MR)) {
+ const VarDecl *VD = VR->getDecl();
+ if (VD && VD->getType().isConstQualified())
+ return true;
+ }
---------------- gamesh411 wrote:
I think a *const-typed* variable need not live inside a `GlobalImmutableSpaceRegion`. A local (stack) variable that has a const-qualified type lives in the `StackLocalsSpaceRegion` memory space, so this check is kind of expected. We only check for `GlobalImmutableSpaceRegion` at the very beginning of the logic, if it is definitely fishy to do anything with that memory.

I have tested these:

Global const variable (global_const):
```
const int global_const = 42;
void test_global_const() {
  *(int*)&global_const = 100;
}
```
Region kind: NonParamVarRegion
Memory space: GlobalImmutableSpaceRegion
Triggers a warning because it's in the immutable space

Local const variable (x):
```
void test_const_local() {
  const int x = 42;
  *(int*)&x = 100;
}
```
Region kind: NonParamVarRegion
Memory space: StackLocalsSpaceRegion
Does NOT trigger a warning because it's not in the immutable space

https://github.com/llvm/llvm-project/pull/150417