llvm · gamesh411 · Aug 4, 2025 · Jul 24, 2025 · Jul 25, 2025 · Jul 28, 2025
diff --git a/clang/docs/analyzer/checkers.rst b/clang/docs/analyzer/checkers.rst
@@ -3077,6 +3077,23 @@ Either the comparison is useless or there is division by zero.
    if (x == 0) { } // warn
  }
 
+.. _alpha-core-StoreToImmutable:
+
+alpha.core.StoreToImmutable (C, C++)
+""""""""""""""""""""""""""""""""""""
+Check for writes to immutable memory regions. This implements part of SEI CERT Rule ENV30-C.
+
+This checker detects attempts to write to memory regions that are marked as immutable,
+including const variables, string literals, and other const-qualified memory.
+
+.. literalinclude:: checkers/storetoimmutable_example.cpp
+    :language: cpp
+
+**Solution**
+
+Avoid writing to const-qualified memory regions. If you need to modify the data,
+remove the const qualifier from the original declaration or use a mutable copy.
+
 alpha.cplusplus
 ^^^^^^^^^^^^^^^
 

diff --git a/clang/docs/analyzer/checkers/storetoimmutable_example.cpp b/clang/docs/analyzer/checkers/storetoimmutable_example.cpp
@@ -0,0 +1,23 @@
+// Global const variable
+const int global_const = 42;
+
+// Const struct member
+struct TestStruct {
+  const int x;
+  int y;
+};
+
+void immutable_violation_examples() {
+  *(int *)&global_const = 100; // warn: Trying to write to immutable memory
+
+  const int local_const = 42;
+  *(int *)&local_const = 43; // warn: Trying to write to immutable memory
+
+  // NOTE: The following works in C++, but not in C, as the analyzer treats
+  // string literals as non-const char arrays in C mode.
+  char *ptr_to_str_literal = (char *)"hello";
+  ptr_to_str_literal[0] = 'H'; // warn: Trying to write to immutable memory
+
+  TestStruct s = {1, 2};
+  *(int *)&s.x = 10; // warn: Trying to write to immutable memory
+}
diff --git a/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td b/clang/include/clang/StaticAnalyzer/Checkers/Checkers.td
@@ -306,6 +306,11 @@ def StackAddrAsyncEscapeChecker : Checker<"StackAddressAsyncEscape">,
   Dependencies<[StackAddrEscapeBase]>,
   Documentation<HasDocumentation>;
 
+def StoreToImmutableChecker : Checker<"StoreToImmutable">,
+  HelpText<"Check for writes to immutable memory regions. "
+           "This implements part of SEI CERT Rule ENV30-C.">,
+  Documentation<HasDocumentation>;
+
 def PthreadLockBase : Checker<"PthreadLockBase">,
   HelpText<"Helper registering multiple checks.">,
   Documentation<NotDocumented>,

diff --git a/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt b/clang/lib/StaticAnalyzer/Checkers/CMakeLists.txt
@@ -104,6 +104,7 @@ add_clang_library(clangStaticAnalyzerCheckers
   SmartPtrChecker.cpp
   SmartPtrModeling.cpp
   StackAddrEscapeChecker.cpp
+  StoreToImmutableChecker.cpp
   StdLibraryFunctionsChecker.cpp
   StdVariantChecker.cpp
   STLAlgorithmModeling.cpp

diff --git a/clang/lib/StaticAnalyzer/Checkers/StoreToImmutableChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/StoreToImmutableChecker.cpp
@@ -0,0 +1,168 @@
+//=== StoreToImmutableChecker.cpp - Store to immutable memory ---*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+//
+// This file defines StoreToImmutableChecker, a checker that detects writes
+// to immutable memory regions. This implements part of SEI CERT Rule ENV30-C.
+//
+//===----------------------------------------------------------------------===//
+
+#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
+#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
+#include "clang/StaticAnalyzer/Core/Checker.h"
+#include "clang/StaticAnalyzer/Core/CheckerManager.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
+#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
+
+using namespace clang;
+using namespace ento;
+
+namespace {
+class StoreToImmutableChecker : public Checker<check::Bind> {
+  const BugType BT{this, "Write to immutable memory", "CERT Environment (ENV)"};
+
+public:
+  void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const;
+
+private:
+  bool isInitializationContext(const Stmt *S, CheckerContext &C) const;
+  bool isEffectivelyConstRegion(const MemRegion *MR, CheckerContext &C) const;
+};
+} // end anonymous namespace
+
+bool StoreToImmutableChecker::isInitializationContext(const Stmt *S,
+                                                      CheckerContext &C) const {
+  // Check if this is a DeclStmt (variable declaration)
+  if (isa<DeclStmt>(S))
+    return true;
+
+  // This part is specific for initialization of const lambdas pre-C++17.
+  // Lets look at the AST of the statement:
+  // ```
+  // const auto lambda = [](){};
+  // ```
+  //
+  // The relevant part of the AST for this case prior to C++17 is:
+  // ...
+  // `-DeclStmt
+  //   `-VarDecl
+  //     `-ExprWithCleanups
+  //       `-CXXConstructExpr
+  // ...
+  // In C++17 and later, the AST is different:
+  // ...
+  // `-DeclStmt
+  //   `-VarDecl
+  //     `-ImplicitCastExpr
+  //       `-LambdaExpr
+  //         |-CXXRecordDecl
+  //         `-CXXConstructExpr
+  // ...
+  // And even beside this, the statement `S` that is given to the checkBind
+  // callback is the VarDecl in C++17 and later, and the CXXConstructExpr in
+  // C++14 and before. So in order to support the C++14 we need the following
+  // ugly hack to detect whether this construction is used to initialize a
+  // variable.
+  //
+  // FIXME: This should be eliminated once the API of checkBind would allow to
+  // distinguish between initialization and assignment, because this information
+  // is already available in the engine, it is just not passed to the checker
+  // API.
-  // FIXME: This should be eliminated once the API of checkBind would allow to
-  // distinguish between initialization and assignment, because this information
-  // is already available in the engine, it is just not passed to the checker
-  // API.
+  // FIXME: This should be eliminated by improving the API of checkBind to
+  // ensure that it consistently passes the `VarDecl` (instead of the
+  // `CXXConstructExpr`) when the constructor call denotes the initialization
+  // of a variable with a lambda.
-  // FIXME: This should be eliminated once the API of checkBind would allow to
-  // distinguish between initialization and assignment, because this information
-  // is already available in the engine, it is just not passed to the checker
-  // API.
+  // FIXME: This should be eliminated by improving the API of checkBind to
+  // ensure that it consistently passes the `VarDecl` (instead of the
+  // `CXXConstructExpr`) when the constructor call denotes the initialization
+  // of a variable with a lambda.
+  const auto *ConstructExp = dyn_cast<CXXConstructExpr>(S);
+  return ConstructExp && ConstructExp->isElidable();
+}
+
+static bool isEffectivelyConstRegionAux(const MemRegion *MR,
+                                        CheckerContext &C) {
+  // Check if the region is in the global immutable space
+  const MemSpaceRegion *MS = MR->getMemorySpace(C.getState());
+  if (isa<GlobalImmutableSpaceRegion>(MS))
+    return true;
+
+  // Check if this is a TypedRegion with a const-qualified type
+  if (const auto *TR = dyn_cast<TypedRegion>(MR)) {
+    QualType LocationType = TR->getDesugaredLocationType(C.getASTContext());
+    if (LocationType->isPointerOrReferenceType())
+      LocationType = LocationType->getPointeeType();
+    if (LocationType.isConstQualified())
+      return true;
+  }
+
+  // Check if this is a SymbolicRegion with a const-qualified pointee type
+  if (const auto *SR = dyn_cast<SymbolicRegion>(MR)) {
+    QualType PointeeType = SR->getPointeeStaticType();
+    if (PointeeType.isConstQualified())
+      return true;
+  }
+
+  // NOTE: The only kind of region that is not checked by the above branches is
+  // AllocaRegion. We do not need to check AllocaRegion, as it models untyped
+  // memory, that is allocated on the stack.
+
+  return false;
+}
+
+bool StoreToImmutableChecker::isEffectivelyConstRegion(
+    const MemRegion *MR, CheckerContext &C) const {
+  while (true) {
+    if (isEffectivelyConstRegionAux(MR, C))
+      return true;
+    if (auto *SR = dyn_cast<SubRegion>(MR))
+      MR = SR->getSuperRegion();
+    else
+      return false;
+  }
+}
+
+void StoreToImmutableChecker::checkBind(SVal Loc, SVal Val, const Stmt *S,
+                                        CheckerContext &C) const {
+  // We are only interested in stores to memory regions
+  const MemRegion *MR = Loc.getAsRegion();
+  if (!MR)
+    return;
+
+  // Skip variable declarations and initializations - we only want to catch
+  // actual writes
+  // FIXME: If the API of checkBind would allow to distinguish between
+  // initialization and assignment, we could use that instead.
+  if (isInitializationContext(S, C))
+    return;
+
+  // Check if the region corresponds to a const variable
+  if (!isEffectivelyConstRegion(MR, C))
+    return;
+
+  // Generate the bug report
+  ExplodedNode *N = C.generateNonFatalErrorNode();
+  if (!N)
+    return;
+
+  constexpr llvm::StringLiteral Msg = "Trying to write to immutable memory.";
+
+  auto R = std::make_unique<PathSensitiveBugReport>(BT, Msg, N);
+  R->addRange(S->getSourceRange());
+
+  // If the location that is being written to has a declaration, place a note.
+  if (const DeclRegion *DR = dyn_cast<DeclRegion>(MR)) {
+    R->addNote(
+        "Memory region is declared as immutable here",
+        PathDiagnosticLocation::create(DR->getDecl(), C.getSourceManager()));
+  }
+
+  // For this checker, we are only interested in the value being written, no
+  // need to mark the value being assigned interesting.
+
+  C.emitReport(std::move(R));
+}
+
+void ento::registerStoreToImmutableChecker(CheckerManager &mgr) {
+  mgr.registerChecker<StoreToImmutableChecker>();
+}
+
+bool ento::shouldRegisterStoreToImmutableChecker(const CheckerManager &mgr) {
+  return true;
+}
diff --git a/clang/test/Analysis/store-to-immutable-basic.c b/clang/test/Analysis/store-to-immutable-basic.c
@@ -0,0 +1,120 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=alpha.core.StoreToImmutable -verify %s
+
+// Test basic functionality of StoreToImmutable checker for the C programming language.
+
+const int tentative_global_const; // expected-note {{Memory region is declared as immutable here}}
+
+void test_direct_write_to_tentative_const_global() {
+  *(int*)&tentative_global_const = 100; // expected-warning {{Trying to write to immutable memory}}
+}
+
+const int global_const = 42; // expected-note {{Memory region is declared as immutable here}}
+
+void test_direct_write_to_const_global() {
+  // This should trigger a warning about writing to immutable memory
+  *(int*)&global_const = 100; // expected-warning {{Trying to write to immutable memory}}
+}
+
+void test_write_through_const_pointer() {
+  const int local_const = 10; // expected-note {{Memory region is declared as immutable here}}
+  int *ptr = (int*)&local_const;
+  *ptr = 20; // expected-warning {{Trying to write to immutable memory}}
+}
+
+void test_write_to_const_array() {
+  const int arr[5] = {1, 2, 3, 4, 5};
+  int *ptr = (int*)arr;
+  ptr[0] = 10; // expected-warning {{Trying to write to immutable memory}}
+}
+
+struct TestStruct {
+  const int x; // expected-note 2 {{Memory region is declared as immutable here}}
+  int y;
+};
+
+void test_write_to_const_struct_member() {
+  struct TestStruct s = {1, 2};
+  int *ptr = (int*)&s.x;
+  *ptr = 10; // expected-warning {{Trying to write to immutable memory}}
+}
+
+const int global_array[3] = {1, 2, 3};
+
+void test_write_to_const_global_array() {
+  int *ptr = (int*)global_array;
+  ptr[0] = 10; // expected-warning {{Trying to write to immutable memory}}
+}
+
+const struct TestStruct global_struct = {1, 2};
+
+void test_write_to_const_global_struct() {
+  int *ptr = (int*)&global_struct.x;
+  *ptr = 10; // expected-warning {{Trying to write to immutable memory}}
+}
+
+void test_write_to_const_param(const int param) { // expected-note {{Memory region is declared as immutable here}}
+  *(int*)&param = 100; // expected-warning {{Trying to write to immutable memory}}
+}
+
+void test_write_to_const_ptr_param(const int *param) {
+  *(int*)param = 100; // expected-warning {{Trying to write to immutable memory}}
+}
+
+void test_write_to_const_array_param(const int arr[5]) {
+  *(int*)arr = 100; // expected-warning {{Trying to write to immutable memory}}
+}
+
+struct ParamStruct {
+  const int z; // expected-note 2 {{Memory region is declared as immutable here}}
+  int w;
+};
+
+void test_write_to_const_struct_param(const struct ParamStruct s) {
+  *(int*)&s.z = 100; // expected-warning {{Trying to write to immutable memory}}
+}
+
+void test_write_to_const_struct_ptr_param(const struct ParamStruct *s) {
+  *(int*)&s->z = 100; // expected-warning {{Trying to write to immutable memory}}
+}
+
+void test_write_to_nonconst() {
+  int non_const = 42;
+  *(int*)&non_const = 100; // No warning expected
+}
+
+int global_non_const = 42;
+
+void test_write_to_nonconst_global() {
+  *(int*)&global_non_const = 100; // No warning expected
+}
+
+struct NonConstStruct {
+  int x;
+  int y;
+};
+
+void test_write_to_nonconst_struct_member() {
+  struct NonConstStruct s = {1, 2};
+  *(int*)&s.x = 100; // No warning expected
+}
+
+void test_write_to_nonconst_param(int param) {
+  *(int*)&param = 100; // No warning expected
+}
+
+void test_normal_assignment() {
+  int x = 42;
+  x = 100; // No warning expected
+}
+
+void test_const_ptr_to_nonconst_data() {
+  int data = 42;
+  const int *ptr = &data;
+  *(int*)ptr = 100; // No warning expected
+}
+
+void test_const_ptr_to_const_data() {
+  const int data = 42; // expected-note {{Memory region is declared as immutable here}}
+  const int *ptr = &data;
+  *(int*)ptr = 100; // expected-warning {{Trying to write to immutable memory}}
+}