Newer
Older
Ted Kremenek
committed
//=-- GRExprEngineInternalChecks.cpp - Builtin GRExprEngine Checks---*- C++ -*-=
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file defines the BugType classes used by GRExprEngine to report
// bugs derived from builtin checks in the path-sensitive engine.
//
//===----------------------------------------------------------------------===//
#include "clang/Analysis/PathSensitive/BugReporter.h"
#include "clang/Analysis/PathSensitive/GRExprEngine.h"
Ted Kremenek
committed
#include "clang/Basic/SourceManager.h"
Ted Kremenek
committed
#include "llvm/Support/Compiler.h"
#include "llvm/Support/raw_ostream.h"
Ted Kremenek
committed
using namespace clang;
//===----------------------------------------------------------------------===//
// Utility functions.
//===----------------------------------------------------------------------===//
template <typename ITERATOR> inline
ExplodedNode<GRState>* GetNode(ITERATOR I) {
Ted Kremenek
committed
return *I;
}
template <> inline
ExplodedNode<GRState>* GetNode(GRExprEngine::undef_arg_iterator I) {
Ted Kremenek
committed
return I->first;
}
//===----------------------------------------------------------------------===//
// Bug Descriptions.
//===----------------------------------------------------------------------===//
namespace {
class VISIBILITY_HIDDEN BuiltinBug : public BugTypeCacheLocation {
protected:
Ted Kremenek
committed
const char* name;
const char* desc;
public:
Ted Kremenek
committed
BuiltinBug(const char* n, const char* d = 0) : name(n), desc(d) {}
Ted Kremenek
committed
virtual const char* getName() const { return name; }
Ted Kremenek
committed
virtual const char* getDescription() const {
return desc ? desc : name;
}
Ted Kremenek
committed
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) = 0;
virtual void EmitWarnings(BugReporter& BR) {
EmitBuiltinWarnings(BR, cast<GRBugReporter>(BR).getEngine());
}
template <typename ITER>
void Emit(BugReporter& BR, ITER I, ITER E) {
for (; I != E; ++I) {
BugReport R(*this, GetNode(I));
BR.EmitWarning(R);
}
}
virtual const char* getCategory() const { return "Logic Errors"; }
Ted Kremenek
committed
};
class VISIBILITY_HIDDEN NullDeref : public BuiltinBug {
public:
NullDeref() : BuiltinBug("null dereference",
"Dereference of null pointer.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
Emit(BR, Eng.null_derefs_begin(), Eng.null_derefs_end());
}
};
class VISIBILITY_HIDDEN UndefinedDeref : public BuiltinBug {
public:
UndefinedDeref() : BuiltinBug("uninitialized pointer dereference",
Ted Kremenek
committed
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
"Dereference of undefined value.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
Emit(BR, Eng.undef_derefs_begin(), Eng.undef_derefs_end());
}
};
class VISIBILITY_HIDDEN DivZero : public BuiltinBug {
public:
DivZero() : BuiltinBug("divide-by-zero",
"Division by zero/undefined value.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
Emit(BR, Eng.explicit_bad_divides_begin(), Eng.explicit_bad_divides_end());
}
};
class VISIBILITY_HIDDEN UndefResult : public BuiltinBug {
public:
UndefResult() : BuiltinBug("undefined result",
"Result of operation is undefined.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
Emit(BR, Eng.undef_results_begin(), Eng.undef_results_end());
}
};
class VISIBILITY_HIDDEN BadCall : public BuiltinBug {
public:
BadCall()
: BuiltinBug("invalid function call",
"Called function is a NULL or undefined function pointer value.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
Emit(BR, Eng.bad_calls_begin(), Eng.bad_calls_end());
}
};
class VISIBILITY_HIDDEN BadArg : public BuiltinBug {
public:
BadArg() : BuiltinBug("uninitialized argument",
Ted Kremenek
committed
"Pass-by-value argument in function is undefined.") {}
BadArg(const char* d) : BuiltinBug("uninitialized argument", d) {}
Ted Kremenek
committed
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
for (GRExprEngine::UndefArgsTy::iterator I = Eng.undef_arg_begin(),
E = Eng.undef_arg_end(); I!=E; ++I) {
// Generate a report for this bug.
RangedBugReport report(*this, I->first);
report.addRange(I->second->getSourceRange());
// Emit the warning.
BR.EmitWarning(report);
}
}
};
class VISIBILITY_HIDDEN BadMsgExprArg : public BadArg {
public:
BadMsgExprArg()
: BadArg("Pass-by-value argument in message expression is undefined.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
for (GRExprEngine::UndefArgsTy::iterator I=Eng.msg_expr_undef_arg_begin(),
E = Eng.msg_expr_undef_arg_end(); I!=E; ++I) {
// Generate a report for this bug.
RangedBugReport report(*this, I->first);
report.addRange(I->second->getSourceRange());
// Emit the warning.
BR.EmitWarning(report);
}
}
};
class VISIBILITY_HIDDEN BadReceiver : public BuiltinBug {
public:
BadReceiver()
: BuiltinBug("uninitialized receiver",
Ted Kremenek
committed
"Receiver in message expression is an uninitialized value.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
for (GRExprEngine::ErrorNodes::iterator I=Eng.undef_receivers_begin(),
Ted Kremenek
committed
End = Eng.undef_receivers_end(); I!=End; ++I) {
// Generate a report for this bug.
RangedBugReport report(*this, *I);
Ted Kremenek
committed
Stmt *S = cast<PostStmt>(N->getLocation()).getStmt();
Expr* E = cast<ObjCMessageExpr>(S)->getReceiver();
assert (E && "Receiver cannot be NULL");
report.addRange(E->getSourceRange());
// Emit the warning.
BR.EmitWarning(report);
}
}
};
Ted Kremenek
committed
class VISIBILITY_HIDDEN RetStack : public BuiltinBug {
public:
Ted Kremenek
committed
RetStack() : BuiltinBug("return of stack address") {}
Ted Kremenek
committed
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
for (GRExprEngine::ret_stackaddr_iterator I=Eng.ret_stackaddr_begin(),
End = Eng.ret_stackaddr_end(); I!=End; ++I) {
Ted Kremenek
committed
Stmt *S = cast<PostStmt>(N->getLocation()).getStmt();
Expr* E = cast<ReturnStmt>(S)->getRetValue();
assert (E && "Return expression cannot be NULL");
Ted Kremenek
committed
// Get the value associated with E.
Zhongxing Xu
committed
loc::MemRegionVal V =
cast<loc::MemRegionVal>(Eng.getStateManager().GetSVal(N->getState(),
Ted Kremenek
committed
E));
Ted Kremenek
committed
// Generate a report for this bug.
std::string buf;
llvm::raw_string_ostream os(buf);
Ted Kremenek
committed
SourceRange R;
Ted Kremenek
committed
Ted Kremenek
committed
// Check if the region is a compound literal.
if (const CompoundLiteralRegion* CR =
dyn_cast<CompoundLiteralRegion>(V.getRegion())) {
const CompoundLiteralExpr* CL = CR->getLiteralExpr();
os << "Address of stack memory associated with a compound literal "
"declared on line "
<< BR.getSourceManager()
.getInstantiationLineNumber(CL->getLocStart())
Ted Kremenek
committed
<< " returned.";
R = CL->getSourceRange();
}
Ted Kremenek
committed
else if (const AllocaRegion* AR = dyn_cast<AllocaRegion>(V.getRegion())) {
const Expr* ARE = AR->getExpr();
SourceLocation L = ARE->getLocStart();
R = ARE->getSourceRange();
os << "Address of stack memory allocated by call to alloca() on line "
<< BR.getSourceManager().getInstantiationLineNumber(L)
Ted Kremenek
committed
<< " returned.";
}
Ted Kremenek
committed
else {
os << "Address of stack memory associated with local variable '"
<< V.getRegion()->getString() << "' returned.";
}
Ted Kremenek
committed
RangedBugReport report(*this, N, os.str().c_str());
report.addRange(E->getSourceRange());
Ted Kremenek
committed
if (R.isValid()) report.addRange(R);
// Emit the warning.
BR.EmitWarning(report);
}
Ted Kremenek
committed
}
};
class VISIBILITY_HIDDEN RetUndef : public BuiltinBug {
public:
RetUndef() : BuiltinBug("uninitialized return value",
"Uninitialized or undefined return value returned to caller.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
Emit(BR, Eng.ret_undef_begin(), Eng.ret_undef_end());
}
};
Ted Kremenek
committed
class VISIBILITY_HIDDEN UndefBranch : public BuiltinBug {
struct VISIBILITY_HIDDEN FindUndefExpr {
Ted Kremenek
committed
FindUndefExpr(GRStateManager& V, const GRState* S) : VM(V), St(S) {}
Ted Kremenek
committed
Expr* FindExpr(Expr* Ex) {
Ted Kremenek
committed
if (!MatchesCriteria(Ex))
return 0;
Ted Kremenek
committed
for (Stmt::child_iterator I=Ex->child_begin(), E=Ex->child_end();I!=E;++I)
Ted Kremenek
committed
if (Expr* ExI = dyn_cast_or_null<Expr>(*I)) {
Expr* E2 = FindExpr(ExI);
if (E2) return E2;
}
return Ex;
}
Zhongxing Xu
committed
bool MatchesCriteria(Expr* Ex) { return VM.GetSVal(St, Ex).isUndef(); }
Ted Kremenek
committed
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
};
public:
UndefBranch()
: BuiltinBug("uninitialized value",
"Branch condition evaluates to an uninitialized value.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
for (GRExprEngine::undef_branch_iterator I=Eng.undef_branches_begin(),
E=Eng.undef_branches_end(); I!=E; ++I) {
// What's going on here: we want to highlight the subexpression of the
// condition that is the most likely source of the "uninitialized
// branch condition." We do a recursive walk of the condition's
// subexpressions and roughly look for the most nested subexpression
// that binds to Undefined. We then highlight that expression's range.
BlockEdge B = cast<BlockEdge>((*I)->getLocation());
Expr* Ex = cast<Expr>(B.getSrc()->getTerminatorCondition());
assert (Ex && "Block must have a terminator.");
// Get the predecessor node and check if is a PostStmt with the Stmt
// being the terminator condition. We want to inspect the state
// of that node instead because it will contain main information about
// the subexpressions.
assert (!(*I)->pred_empty());
// Note: any predecessor will do. They should have identical state,
// since all the BlockEdge did was act as an error sink since the value
// had to already be undefined.
ExplodedNode<GRState> *N = *(*I)->pred_begin();
Ted Kremenek
committed
ProgramPoint P = N->getLocation();
Ted Kremenek
committed
if (PostStmt* PS = dyn_cast<PostStmt>(&P))
if (PS->getStmt() == Ex)
St = N->getState();
FindUndefExpr FindIt(Eng.getStateManager(), St);
Ex = FindIt.FindExpr(Ex);
RangedBugReport R(*this, *I);
R.addRange(Ex->getSourceRange());
BR.EmitWarning(R);
}
}
};
class VISIBILITY_HIDDEN OutOfBoundMemoryAccess : public BuiltinBug {
public:
OutOfBoundMemoryAccess() : BuiltinBug("out-of-bound memory access",
"Load or store into an out-of-bound memory position.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
Emit(BR, Eng.explicit_oob_memacc_begin(), Eng.explicit_oob_memacc_end());
}
};
class VISIBILITY_HIDDEN BadSizeVLA : public BuiltinBug {
BadSizeVLA() : BuiltinBug("Zero-sized VLA",
"VLAs with zero-size are undefined.") {}
virtual void EmitBuiltinWarnings(BugReporter& BR, GRExprEngine& Eng) {
for (GRExprEngine::ErrorNodes::iterator
I = Eng.ExplicitBadSizedVLA.begin(),
E = Eng.ExplicitBadSizedVLA.end(); I!=E; ++I) {
// Determine whether this was a 'zero-sized' VLA or a VLA with an
// undefined size.
GRExprEngine::NodeTy* N = *I;
PostStmt PS = cast<PostStmt>(N->getLocation());
DeclStmt *DS = cast<DeclStmt>(PS.getStmt());
VarDecl* VD = cast<VarDecl>(*DS->decl_begin());
QualType T = Eng.getContext().getCanonicalType(VD->getType());
VariableArrayType* VT = cast<VariableArrayType>(T);
Expr* SizeExpr = VT->getSizeExpr();
std::string buf;
llvm::raw_string_ostream os(buf);
os << "The expression used to specify the number of elements in the VLA '"
<< VD->getNameAsString() << "' evaluates to ";
SVal X = Eng.getStateManager().GetSVal(N->getState(), SizeExpr);
if (X.isUndef()) {
name = "Undefined size for VLA";
os << "an undefined or garbage value.";
}
else {
name = "Zero-sized VLA";
os << " to 0. VLAs with no elements have undefined behavior.";
}
desc = os.str().c_str();
RangedBugReport report(*this, N);
report.addRange(SizeExpr->getSourceRange());
// Emit the warning.
BR.EmitWarning(report);
}
}
};
Ted Kremenek
committed
//===----------------------------------------------------------------------===//
// __attribute__(nonnull) checking
class VISIBILITY_HIDDEN CheckAttrNonNull : public GRSimpleAPICheck {
SimpleBugType BT;
std::list<RangedBugReport> Reports;
public:
CheckAttrNonNull() :
BT("'nonnull' argument passed null", "API",
Ted Kremenek
committed
"Null pointer passed as an argument to a 'nonnull' parameter") {}
virtual bool Audit(ExplodedNode<GRState>* N, GRStateManager& VMgr) {
Ted Kremenek
committed
CallExpr* CE = cast<CallExpr>(cast<PostStmt>(N->getLocation()).getStmt());
Ted Kremenek
committed
Zhongxing Xu
committed
SVal X = VMgr.GetSVal(state, CE->getCallee());
Ted Kremenek
committed
Zhongxing Xu
committed
if (!isa<loc::FuncVal>(X))
Ted Kremenek
committed
return false;
Zhongxing Xu
committed
FunctionDecl* FD = dyn_cast<FunctionDecl>(cast<loc::FuncVal>(X).getDecl());
Ted Kremenek
committed
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
const NonNullAttr* Att = FD->getAttr<NonNullAttr>();
if (!Att)
return false;
// Iterate through the arguments of CE and check them for null.
unsigned idx = 0;
bool hasError = false;
for (CallExpr::arg_iterator I=CE->arg_begin(), E=CE->arg_end(); I!=E;
++I, ++idx) {
if (!VMgr.isEqual(state, *I, 0) || !Att->isNonNull(idx))
continue;
RangedBugReport R(BT, N);
R.addRange((*I)->getSourceRange());
Reports.push_back(R);
hasError = true;
}
return hasError;
}
virtual void EmitWarnings(BugReporter& BR) {
for (std::list<RangedBugReport>::iterator I=Reports.begin(),
E=Reports.end(); I!=E; ++I)
BR.EmitWarning(*I);
}
};
} // end anonymous namespace
//===----------------------------------------------------------------------===//
// Check registration.
void GRExprEngine::RegisterInternalChecks() {
Register(new NullDeref());
Register(new UndefinedDeref());
Register(new UndefBranch());
Register(new DivZero());
Register(new UndefResult());
Register(new BadCall());
Register(new RetStack());
Register(new RetUndef());
Ted Kremenek
committed
Register(new BadArg());
Register(new BadMsgExprArg());
Register(new BadReceiver());
Register(new OutOfBoundMemoryAccess());
Register(new BadSizeVLA());
Ted Kremenek
committed
AddCheck(new CheckAttrNonNull(), Stmt::CallExprClass);
}