Welcome > Arch > Secure Virtual Architecture > SAFECode > Passes > Static Array Bound Checks

Static Array Bound Checks

lib/ArrayBoundChecks: This library contains serveral analysis passes for static array bounds checking¹.

safecode/lib/ArrayBoundChecks/ArrayBoundCheckLocal.cpp:

“ArrayBoundsCheckLocal - It tries to prove a GEP is safe only based on local information, that is, the size of global variables and the size of objects being allocated inside a function.”

Code sinppets:

Entry:

bool
ArrayBoundsCheckLocal::runOnFunction(Function & F) {
  //
  // Get required analysis passes.
  //
  TD = &F.getParent()->getDataLayout();
  SE = &getAnalysis<ScalarEvolution>();

  //
  // Look for all GEPs in the function and try to prove that they're safe.
  //
  visit (F);

  //
  // We modify nothing; return false.
  //
  return false;
}

//
  // If the offset is less than zero, then we know that we are indexing
  // backwards from the beginning of the object.  We know that this is illegal;
  // declare it unsafe.
  //
  if ((SE->getSMaxExpr(offset, zero) == zero) && (offset != zero)) {
    ++unsafeGEPs;
    return;
  }

  //
  // Otherwise, we are indexing zero or more bytes forward.  Determine whether
  // we will index past the end of the object.
  //
  if ((SE->getSMaxExpr(diff, zero) == diff) && (diff != zero)) {
    ++safeGEPs;
    SafeGEPs.insert (&GEP);
    return;
  }
  //
  // We cannot statically prove that the GEP is safe.
  //
  return;

Array Bound Proof/Check

safecode/lib/ArrayBoundChecks/ArrayBoundCheckStruct.cpp:

“This file implements the ArrayBoundsCheckStruct pass. This pass utilizes type-safety information from points-to analysis to prove whether GEPs² are safe (they do not create a pointer outside of the memory object). It is primarily designed to alleviate run-time checks on GEPs used for structure indexing (hence the clever name).”

safecode/lib/ArrayBoundChecks/BottomUpCallGraph.cpp:

“I believe this pass does two things:”

” o) It attempts to improve upon the call graph calculated by DSA for those call sites in which a callee was not found.”

” o) It finds functions that are part of Strongly Connected Components (SCCs) in the call graph and marks them being a part of an SCC.”

” FIXME: I believe the fixup of the call graph is no longer necessary; DSA asserts if it can’t find a callee for a call instruction.”

safecode/lib/ArrayBoundChecks/BreakConstantGEPs.cpp:

“ This pass changes all GEP constant expressions into GEP instructions. This permits the rest of SAFECode to put run-time checks on them if necessary.”

safecode/lib/ArrayBoundChecks/ConstraintGeneration.cpp “ Now we use the control dependence, post dominance frontier to generate constraints for ?”

SAFECode Software Architecture Manual ↩
GEP: GetElementPtr instruction in LLVM. ↩

If you could revise
the fundmental principles of
computer system design
to improve security...

... what would you change?