clang.llvm.org/doxygen/UndefResultChecker_8cpp_source.html

//=== UndefResultChecker.cpp ------------------------------------*- C++ -*-===//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This defines UndefResultChecker, a builtin check in ExprEngine that

// performs checks for undefined results of non-assignment binary operators.

//

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"

#include "llvm/Support/raw_ostream.h"


using namespace clang;

using namespace ento;


namespace {

class UndefResultChecker

  : public Checker< check::PostStmt<BinaryOperator> > {


  const BugType BT{this, "Result of operation is garbage or undefined"};


public:

  void checkPostStmt(const BinaryOperator *B, CheckerContext &C) const;

};

} // end anonymous namespace


static bool isArrayIndexOutOfBounds(CheckerContext &C, const Expr *Ex) {

  ProgramStateRef state = C.getState();


  if (!isa<ArraySubscriptExpr>(Ex))

    return false;


  SVal Loc = C.getSVal(Ex);

  if (!Loc.isValid())

    return false;


  const MemRegion *MR = Loc.castAs<loc::MemRegionVal>().getRegion();

  const ElementRegion *ER = dyn_cast<ElementRegion>(MR);

  if (!ER)

    return false;


  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();

  DefinedOrUnknownSVal ElementCount = getDynamicElementCount(

      state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());

  ProgramStateRef StInBound, StOutBound;

  std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, ElementCount);

  return StOutBound && !StInBound;

}


void UndefResultChecker::checkPostStmt(const BinaryOperator *B,

                                       CheckerContext &C) const {

  if (C.getSVal(B).isUndef()) {


    // Do not report assignments of uninitialized values inside swap functions.

    // This should allow to swap partially uninitialized structs

    if (const FunctionDecl *EnclosingFunctionDecl =

        dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))

      if (C.getCalleeName(EnclosingFunctionDecl) == "swap")

        return;


    // Generate an error node.

    ExplodedNode *N = C.generateErrorNode();

    if (!N)

      return;


    SmallString<256> sbuf;

    llvm::raw_svector_ostream OS(sbuf);

    const Expr *Ex = nullptr;

    bool isLeft = true;


    if (C.getSVal(B->getLHS()).isUndef()) {

      Ex = B->getLHS()->IgnoreParenCasts();

      isLeft = true;

    }

    else if (C.getSVal(B->getRHS()).isUndef()) {

      Ex = B->getRHS()->IgnoreParenCasts();

      isLeft = false;

    }


    if (Ex) {

      OS << "The " << (isLeft ? "left" : "right") << " operand of '"

         << BinaryOperator::getOpcodeStr(B->getOpcode())

         << "' is a garbage value";

      if (isArrayIndexOutOfBounds(C, Ex))

        OS << " due to array index out of bounds";

    } else {

      // Neither operand was undefined, but the result is undefined.

      OS << "The result of the '"

         << BinaryOperator::getOpcodeStr(B->getOpcode())

         << "' expression is undefined";

    }

    auto report = std::make_unique<PathSensitiveBugReport>(BT, OS.str(), N);

    if (Ex) {

      report->addRange(Ex->getSourceRange());

      bugreporter::trackExpressionValue(N, Ex, *report);

    }

    else

      bugreporter::trackExpressionValue(N, B, *report);


    C.emitReport(std::move(report));

  }

}


void ento::registerUndefResultChecker(CheckerManager &mgr) {

  mgr.registerChecker<UndefResultChecker>();

}


bool ento::shouldRegisterUndefResultChecker(const CheckerManager &mgr) {

  return true;

}

getRegion
static const MemRegion * getRegion(const CallEvent &Call, const MutexDescriptor &Descriptor, bool IsLock)
Definition BlockInCriticalSectionChecker.cpp:309

BugType.h

BuiltinCheckerRegistration.h

CheckerContext.h

CheckerManager.h

Checker.h

DynamicExtent.h

ExprEngine.h

isArrayIndexOutOfBounds
static bool isArrayIndexOutOfBounds(CheckerContext &C, const Expr *Ex)
Definition UndefResultChecker.cpp:37

clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition Expr.h:3974

clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition Expr.h:4024

clang::BinaryOperator::getOpcodeStr
StringRef getOpcodeStr() const
Definition Expr.h:4040

clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition Expr.h:4026

clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition Expr.h:4019

clang::Expr
This represents one expression.
Definition Expr.h:112

clang::Expr::IgnoreParenCasts
Expr * IgnoreParenCasts() LLVM_READONLY
Skip past any parentheses and casts which might surround this expression until reaching a fixed point...
Definition Expr.cpp:3078

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition Stmt.cpp:334

clang::ento::CheckerContext
Definition CheckerContext.h:24

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&...Args)
Register a single-part checker (derived from Checker): construct its singleton instance,...
Definition CheckerManager.h:218

clang::ento::Checker
Simple checker classes that implement one frontend (i.e.
Definition Checker.h:553

clang::ento::DefinedOrUnknownSVal
Definition SVals.h:202

clang::ento::DefinedSVal::isValid
bool isValid() const =delete

clang::ento::ElementRegion
ElementRegion is used to represent both array elements and casts.
Definition MemRegion.h:1227

clang::ento::ElementRegion::getValueType
QualType getValueType() const override
Definition MemRegion.h:1249

clang::ento::ElementRegion::getIndex
NonLoc getIndex() const
Definition MemRegion.h:1247

clang::ento::Loc
Definition SVals.h:255

clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition MemRegion.h:98

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition SVals.h:56

clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition SVals.h:83

clang::ento::SubRegion::getSuperRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getSuperRegion() const
Definition MemRegion.h:487

clang::ento::loc::MemRegionVal
Definition SVals.h:485

clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition BugReporterVisitors.cpp:2641

clang::ento
Definition CocoaConventions.h:23

clang::ento::getDynamicElementCount
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB, QualType Ty)

clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition ProgramState_Fwd.h:37

clang::ento::ObjKind::OS
@ OS
Indicates that the tracking object is a descendant of a referenced-counted OSObject,...
Definition RetainSummaryManager.h:51

clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition CalledOnceCheck.h:17

clang::isa
bool isa(CodeGen::Address addr)
Definition Address.h:330

clang::LinkageSpecLanguageIDs::C
@ C
Definition DeclCXX.h:3001