This is an archive of the discontinued LLVM Phabricator instance.

Differential D12780

[analyzer] Add generateErrorNode() APIs to CheckerContext
ClosedPublic

Authored by dcoughlin on Sep 10 2015, 3:47 PM.

Details

Reviewers
krememek
zaks.anna
Commits
rGe39bd407ba29: [analyzer] Add generateErrorNode() APIs to CheckerContext.
rC247859: [analyzer] Add generateErrorNode() APIs to CheckerContext.
rL247859: [analyzer] Add generateErrorNode() APIs to CheckerContext.
Summary

The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184).

This patch addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored.

The intent is that one of these two methods should be used whenever a checker creates an error node.

I've updated the checkers to use these APIs. You'll notice that these APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because I did not find any error nodes in the checkers that were created with an explicit node that was different than the default (the CheckerContext's Pred node). Do you think this is a reasonable simplification, or should we permit checkers to specify Pred explicitly?

I also added a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions).

Diff Detail

Repository
rL LLVM

Event Timeline

dcoughlin updated this revision to Diff 34480.Sep 10 2015, 3:47 PM
dcoughlin retitled this revision from to [analyzer] Add generateErrorNode() APIs to CheckerContext.
dcoughlin updated this object.
dcoughlin added reviewers: zaks.anna, krememek.
dcoughlin added subscribers: jordan_rose, cfe-commits, xazax.hun.
dcoughlin added a subscriber: MaggieYi.
jordan_rose added inline comments.Sep 10 2015, 6:46 PM
include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
321 ↗(On Diff #34480)

What does "has made a mistake" mean? What is the mistake and how will they discover it?

zaks.anna added inline comments.Sep 10 2015, 6:46 PM
include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
229 ↗(On Diff #34480)

Most likely there are not much uses of this left and to avoid confusion we could require State and Pred inputs. What do you think?

244 ↗(On Diff #34480)

Please, use a non-null Pred for clarity

lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp
89 ↗(On Diff #34480)

We should not generate a transition on an early exit here..

116 ↗(On Diff #34480)

Same here, no reason to generate a transition unless we are ready to report a bug. I'just pass C.generateNonFatalErrorNode() to llvm::make_unique<BugReport>.

lib/StaticAnalyzer/Checkers/FixedAddressChecker.cpp
53 ↗(On Diff #34480)

Can this ever fail? In some cases we just assume it won't in others we tests..

Maybe it only fails when we cache out?

xazax.hun added a comment.Sep 11 2015, 12:13 PM

In general I like this change, the node handling of the checkers are more readable and reflects the intent in a clearer way. I have some comments inline.

include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
244 ↗(On Diff #34480)

The following workflow is not supported by this API: a checker that generates multiple transition in the same callback (the generated nodes are added sequentially to the path), and one of the might be an error node.

This also applies to generateNonFatalErrorNode.

In case we would like to improve the documentation it might be useful to give some pointers to the users which when should an error node be considered as fatal.

322 ↗(On Diff #34480)

As a slightly related note: is it documented anywhere what "cache out" means? Maybe it would be great to refer to that document or write it if it is not written yet.

jordan_rose added inline comments.Sep 11 2015, 12:30 PM
lib/StaticAnalyzer/Checkers/FixedAddressChecker.cpp
53 ↗(On Diff #34480)

It does fail when we cache out, and I think we can still cache out if Pred has a different tag the second time around.

zaks.anna added inline comments.Sep 11 2015, 1:34 PM
include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
244 ↗(On Diff #34480)
  • We could introduce another API that requires a Pred node.
  • The workflow is supported right now by directly using addTransition API.
lib/StaticAnalyzer/Checkers/FixedAddressChecker.cpp
53 ↗(On Diff #34480)

There some instances in this patch where we do not check if the returned node is null. We should be consistent.

dcoughlin marked 3 inline comments as done.Sep 11 2015, 4:05 PM
dcoughlin added inline comments.
include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
229 ↗(On Diff #34480)

There are 7 uses left. Requiring State and Pred seems like the right thing to me. I will change it.

321 ↗(On Diff #34480)

The mistake this guard protects against is adding a transition from a state to itself, which would normally cause a cache out. My understanding is that the whole point of this guard is to silently swallow that mistake. I found that surprising, which is why I added the comment.

lib/StaticAnalyzer/Checkers/FixedAddressChecker.cpp
53 ↗(On Diff #34480)

Ok, I'll go through and add checks where they are missing.

zaks.anna added inline comments.Sep 11 2015, 4:09 PM
include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
321 ↗(On Diff #34480)

Should we add an assert here? I wonder if/how much it will get triggered.

dcoughlin updated this revision to Diff 34917.Sep 16 2015, 12:42 PM

Added checks for null generated error nodes in the few cases in checkers were they were missing and updated comments.

include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
321 ↗(On Diff #34480)

I tried adding an assert to the inverse of the 'if' condition here. The DereferenceChecker, CallAndMessageChecker, and DynamicTypePropagation all trigger it. Added a note about this in a comment.

322 ↗(On Diff #34480)

I've defined "cache out" in the comment.

lib/StaticAnalyzer/Checkers/FixedAddressChecker.cpp
53 ↗(On Diff #34480)

There were 9 locations where checks for null error generated error nodes were missing. I added them.

zaks.anna accepted this revision.Sep 16 2015, 12:48 PM
zaks.anna edited edge metadata.
This revision is now accepted and ready to land.Sep 16 2015, 12:48 PM
xazax.hun added inline comments.Sep 16 2015, 1:10 PM
include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h
328 ↗(On Diff #34917)

I think the most common form of relying on this branch is adding a transition to an unchanged state.

Closed by commit rL247859: [analyzer] Add generateErrorNode() APIs to CheckerContext. (authored by dcoughlin). · Explain WhySep 16 2015, 3:04 PM
This revision was automatically updated to reflect the committed changes.
chapuni added a subscriber: chapuni.Sep 16 2015, 4:01 PM

Did you forget to update examples/analyzer-plugin? Fixed in r247862.

Revision Contents

Diff 34930

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h

Show First 20 LinesShow All 218 Lines▼ Show 20 Linespublic:
/// @param Tag The tag to uniquely identify the creation site. /// @param Tag The tag to uniquely identify the creation site.
ExplodedNode *addTransition(ProgramStateRef State, ExplodedNode *addTransition(ProgramStateRef State,
ExplodedNode *Pred, ExplodedNode *Pred,
const ProgramPointTag *Tag = nullptr) { const ProgramPointTag *Tag = nullptr) {
return addTransitionImpl(State, false, Pred, Tag); return addTransitionImpl(State, false, Pred, Tag);
} }
/// \brief Generate a sink node. Generating a sink stops exploration of the /// \brief Generate a sink node. Generating a sink stops exploration of the
/// given path. /// given path. To create a sink node for the purpose of reporting an error,
ExplodedNode *generateSink(ProgramStateRef State = nullptr, /// checkers should use generateErrorNode() instead.
ExplodedNode *Pred = nullptr, ExplodedNode *generateSink(ProgramStateRef State, ExplodedNode *Pred,
const ProgramPointTag *Tag = nullptr) { const ProgramPointTag *Tag = nullptr) {
return addTransitionImpl(State ? State : getState(), true, Pred, Tag); return addTransitionImpl(State ? State : getState(), true, Pred, Tag);
} }
/// \brief Generate a transition to a node that will be used to report
/// an error. This node will be a sink. That is, it will stop exploration of
/// the given path.
///
/// @param State The state of the generated node.
/// @param Tag The tag to uniquely identify the creation site. If null,
/// the default tag for the checker will be used.
ExplodedNode *generateErrorNode(ProgramStateRef State = nullptr,
const ProgramPointTag *Tag = nullptr) {
return generateSink(State, Pred,
(Tag ? Tag : Location.getTag()));
}
/// \brief Generate a transition to a node that will be used to report
/// an error. This node will not be a sink. That is, exploration will
/// continue along this path.
///
/// @param State The state of the generated node.
/// @param Tag The tag to uniquely identify the creation site. If null,
/// the default tag for the checker will be used.
ExplodedNode *
generateNonFatalErrorNode(ProgramStateRef State = nullptr,
const ProgramPointTag *Tag = nullptr) {
return addTransition(State, (Tag ? Tag : Location.getTag()));
}
/// \brief Emit the diagnostics report. /// \brief Emit the diagnostics report.
void emitReport(std::unique_ptr<BugReport> R) { void emitReport(std::unique_ptr<BugReport> R) {
Changed = true; Changed = true;
Eng.getBugReporter().emitReport(std::move(R)); Eng.getBugReporter().emitReport(std::move(R));
} }
/// \brief Get the declaration of the called function (path-sensitive). /// \brief Get the declaration of the called function (path-sensitive).
const FunctionDecl *getCalleeDecl(const CallExpr *CE) const; const FunctionDecl *getCalleeDecl(const CallExpr *CE) const;
Show All 40 Linespublic:
/// \sa clang::Lexer::getSpelling(), clang::Lexer::getImmediateMacroName(). /// \sa clang::Lexer::getSpelling(), clang::Lexer::getImmediateMacroName().
StringRef getMacroNameOrSpelling(SourceLocation &Loc); StringRef getMacroNameOrSpelling(SourceLocation &Loc);
private: private:
ExplodedNode *addTransitionImpl(ProgramStateRef State, ExplodedNode *addTransitionImpl(ProgramStateRef State,
bool MarkAsSink, bool MarkAsSink,
ExplodedNode *P = nullptr, ExplodedNode *P = nullptr,
const ProgramPointTag *Tag = nullptr) { const ProgramPointTag *Tag = nullptr) {
// The analyzer may stop exploring if it sees a state it has previously
// visited ("cache out"). The early return here is a defensive check to
// prevent accidental caching out by checker API clients. Unless there is a
// tag or the the client checker has requested that the generated node be
// marked as a sink, we assume that a client requesting a transition to a
// state that is the same as the predecessor state has made a mistake. We
// return the predecessor rather than cache out.
//
// TODO: We could potentially change the return to an assertion to alert
// clients to their mistake, but several checkers (including
// DereferenceChecker, CallAndMessageChecker, and DynamicTypePropagation)
// rely upon the defensive behavior and would need to be updated.
if (!State || (State == Pred->getState() && !Tag && !MarkAsSink)) if (!State || (State == Pred->getState() && !Tag && !MarkAsSink))
return Pred; return Pred;
Changed = true; Changed = true;
const ProgramPoint &LocalLoc = (Tag ? Location.withTag(Tag) : Location); const ProgramPoint &LocalLoc = (Tag ? Location.withTag(Tag) : Location);
if (!P) if (!P)
P = Pred; P = Pred;
Show All 14 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundChecker.cpp

Show First 20 LinesShow All 56 Lines▼ Show 20 Linesvoid ArrayBoundChecker::checkLocation(SVal l, bool isLoad, const Stmt* LoadS,
// Get the size of the array. // Get the size of the array.
DefinedOrUnknownSVal NumElements DefinedOrUnknownSVal NumElements
= C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(), = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(),
ER->getValueType()); ER->getValueType());
ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true); ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false); ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false);
if (StOutBound && !StInBound) { if (StOutBound && !StInBound) {
ExplodedNode *N = C.generateSink(StOutBound); ExplodedNode *N = C.generateErrorNode(StOutBound);
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug( BT.reset(new BuiltinBug(
this, "Out-of-bound array access", this, "Out-of-bound array access",
"Access out-of-bound array element (buffer overflow)")); "Access out-of-bound array element (buffer overflow)"));
Show All 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

Show First 20 LinesShow All 176 Lines▼ Show 20 Linesvoid ArrayBoundCheckerV2::checkLocation(SVal location, bool isLoad,
if (state != originalState) if (state != originalState)
checkerContext.addTransition(state); checkerContext.addTransition(state);
} }
void ArrayBoundCheckerV2::reportOOB(CheckerContext &checkerContext, void ArrayBoundCheckerV2::reportOOB(CheckerContext &checkerContext,
ProgramStateRef errorState, ProgramStateRef errorState,
OOB_Kind kind) const { OOB_Kind kind) const {
ExplodedNode *errorNode = checkerContext.generateSink(errorState); ExplodedNode *errorNode = checkerContext.generateErrorNode(errorState);
if (!errorNode) if (!errorNode)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug(this, "Out-of-bound access")); BT.reset(new BuiltinBug(this, "Out-of-bound access"));
// FIXME: This diagnostics are preliminary. We should get far better // FIXME: This diagnostics are preliminary. We should get far better
// diagnostics for explaining buffer overruns. // diagnostics for explaining buffer overruns.
▲ Show 20 LinesShow All 113 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/BasicObjCFoundationChecks.cpp

Show First 20 LinesShow All 134 Lines▼ Show 20 Lines
} }
void NilArgChecker::warnIfNilExpr(const Expr *E, void NilArgChecker::warnIfNilExpr(const Expr *E,
const char *Msg, const char *Msg,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (State->isNull(C.getSVal(E)).isConstrainedTrue()) { if (State->isNull(C.getSVal(E)).isConstrainedTrue()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
generateBugReport(N, Msg, E->getSourceRange(), E, C); generateBugReport(N, Msg, E->getSourceRange(), E, C);
} }
} }
} }
void NilArgChecker::warnIfNilArg(CheckerContext &C, void NilArgChecker::warnIfNilArg(CheckerContext &C,
const ObjCMethodCall &msg, const ObjCMethodCall &msg,
unsigned int Arg, unsigned int Arg,
FoundationClass Class, FoundationClass Class,
bool CanBeSubscript) const { bool CanBeSubscript) const {
// Check if the argument is nil. // Check if the argument is nil.
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (!State->isNull(msg.getArgSVal(Arg)).isConstrainedTrue()) if (!State->isNull(msg.getArgSVal(Arg)).isConstrainedTrue())
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
SmallString<128> sbuf; SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
if (CanBeSubscript && msg.getMessageKind() == OCM_Subscript) { if (CanBeSubscript && msg.getMessageKind() == OCM_Subscript) {
if (Class == FC_NSArray) { if (Class == FC_NSArray) {
os << "Array element cannot be nil"; os << "Array element cannot be nil";
} else if (Class == FC_NSDictionary) { } else if (Class == FC_NSDictionary) {
▲ Show 20 LinesShow All 315 Lines▼ Show 20 Lines if (!T->isIntegralOrEnumerationType())
return; return;
uint64_t SourceSize = Ctx.getTypeSize(T); uint64_t SourceSize = Ctx.getTypeSize(T);
// CHECK: is SourceSize == TargetSize // CHECK: is SourceSize == TargetSize
if (SourceSize == TargetSize) if (SourceSize == TargetSize)
return; return;
// Generate an error. Only generate a sink if 'SourceSize < TargetSize'; // Generate an error. Only generate a sink error node
// otherwise generate a regular node. // if 'SourceSize < TargetSize'; otherwise generate a non-fatal error node.
// //
// FIXME: We can actually create an abstract "CFNumber" object that has // FIXME: We can actually create an abstract "CFNumber" object that has
// the bits initialized to the provided values. // the bits initialized to the provided values.
// //
if (ExplodedNode *N = SourceSize < TargetSize ? C.generateSink() ExplodedNode *N = SourceSize < TargetSize ? C.generateErrorNode()
: C.addTransition()) { : C.generateNonFatalErrorNode();
if (N) {
SmallString<128> sbuf; SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
os << (SourceSize == 8 ? "An " : "A ") os << (SourceSize == 8 ? "An " : "A ")
<< SourceSize << " bit integer is used to initialize a CFNumber " << SourceSize << " bit integer is used to initialize a CFNumber "
"object that represents " "object that represents "
<< (TargetSize == 8 ? "an " : "a ") << (TargetSize == 8 ? "an " : "a ")
<< TargetSize << " bit integer. "; << TargetSize << " bit integer. ";
▲ Show 20 LinesShow All 76 Lines▼ Show 20 Linesvoid CFRetainReleaseChecker::checkPreStmt(const CallExpr *CE,
// Make an expression asserting that they're equal. // Make an expression asserting that they're equal.
DefinedOrUnknownSVal ArgIsNull = svalBuilder.evalEQ(state, zero, *DefArgVal); DefinedOrUnknownSVal ArgIsNull = svalBuilder.evalEQ(state, zero, *DefArgVal);
// Are they equal? // Are they equal?
ProgramStateRef stateTrue, stateFalse; ProgramStateRef stateTrue, stateFalse;
std::tie(stateTrue, stateFalse) = state->assume(ArgIsNull); std::tie(stateTrue, stateFalse) = state->assume(ArgIsNull);
if (stateTrue && !stateFalse) { if (stateTrue && !stateFalse) {
ExplodedNode *N = C.generateSink(stateTrue); ExplodedNode *N = C.generateErrorNode(stateTrue);
if (!N) if (!N)
return; return;
const char *description; const char *description;
if (FuncII == Retain) if (FuncII == Retain)
description = "Null pointer argument in call to CFRetain"; description = "Null pointer argument in call to CFRetain";
else if (FuncII == Release) else if (FuncII == Release)
description = "Null pointer argument in call to CFRelease"; description = "Null pointer argument in call to CFRelease";
▲ Show 20 LinesShow All 50 Lines▼ Show 20 Lines if (msg.isInstanceMessage())
return; return;
const ObjCInterfaceDecl *Class = msg.getReceiverInterface(); const ObjCInterfaceDecl *Class = msg.getReceiverInterface();
assert(Class); assert(Class);
Selector S = msg.getSelector(); Selector S = msg.getSelector();
if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS)) if (!(S == releaseS || S == retainS || S == autoreleaseS || S == drainS))
return; return;
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
SmallString<200> buf; SmallString<200> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
os << "The '"; os << "The '";
S.print(os); S.print(os);
os << "' message should be sent to instances " os << "' message should be sent to instances "
"of class '" << Class->getName() "of class '" << Class->getName()
<< "' and not the class directly"; << "' and not the class directly";
▲ Show 20 LinesShow All 127 Lines▼ Show 20 Lines if (C.getASTContext().isObjCNSObjectType(ArgTy))
continue; continue;
// Ignore CF references, which can be toll-free bridged. // Ignore CF references, which can be toll-free bridged.
if (coreFoundation::isCFObjectRef(ArgTy)) if (coreFoundation::isCFObjectRef(ArgTy))
continue; continue;
// Generate only one error node to use for all bug reports. // Generate only one error node to use for all bug reports.
if (!errorNode.hasValue()) if (!errorNode.hasValue())
errorNode = C.addTransition(); errorNode = C.generateNonFatalErrorNode();
if (!errorNode.getValue()) if (!errorNode.getValue())
continue; continue;
SmallString<128> sbuf; SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
StringRef TypeName = GetReceiverInterfaceName(msg); StringRef TypeName = GetReceiverInterfaceName(msg);
▲ Show 20 LinesShow All 208 Lines▼ Show 20 Linesvoid ObjCLoopChecker::checkPostStmt(const ObjCForCollectionStmt *FCS,
// Otherwise, this is a branch that goes through the loop body. // Otherwise, this is a branch that goes through the loop body.
} else { } else {
State = checkCollectionNonNil(C, State, FCS); State = checkCollectionNonNil(C, State, FCS);
State = checkElementNonNil(C, State, FCS); State = checkElementNonNil(C, State, FCS);
State = assumeCollectionNonEmpty(C, State, FCS, /*Assumption*/true); State = assumeCollectionNonEmpty(C, State, FCS, /*Assumption*/true);
} }
if (!State) if (!State)
C.generateSink(); C.generateSink(C.getState(), C.getPredecessor());
else if (State != C.getState()) else if (State != C.getState())
C.addTransition(State); C.addTransition(State);
} }
bool ObjCLoopChecker::isCollectionCountMethod(const ObjCMethodCall &M, bool ObjCLoopChecker::isCollectionCountMethod(const ObjCMethodCall &M,
CheckerContext &C) const { CheckerContext &C) const {
Selector S = M.getSelector(); Selector S = M.getSelector();
// Initialize the identifiers on first use. // Initialize the identifiers on first use.
▲ Show 20 LinesShow All 271 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/BoolAssignmentChecker.cpp

Show All 26 Lines class BoolAssignmentChecker : public Checker< check::Bind > {
void emitReport(ProgramStateRef state, CheckerContext &C) const; void emitReport(ProgramStateRef state, CheckerContext &C) const;
public: public:
void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const; void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const;
}; };
} // end anonymous namespace } // end anonymous namespace
void BoolAssignmentChecker::emitReport(ProgramStateRef state, void BoolAssignmentChecker::emitReport(ProgramStateRef state,
CheckerContext &C) const { CheckerContext &C) const {
if (ExplodedNode *N = C.addTransition(state)) { if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug(this, "Assignment of a non-Boolean value")); BT.reset(new BuiltinBug(this, "Assignment of a non-Boolean value"));
C.emitReport(llvm::make_unique<BugReport>(*BT, BT->getDescription(), N)); C.emitReport(llvm::make_unique<BugReport>(*BT, BT->getDescription(), N));
} }
} }
static bool isBooleanType(QualType Ty) { static bool isBooleanType(QualType Ty) {
if (Ty->isBooleanType()) // C++ or C99 if (Ty->isBooleanType()) // C++ or C99
▲ Show 20 LinesShow All 114 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 LinesShow All 223 Lines▼ Show 20 LinesProgramStateRef CStringChecker::checkNonNull(CheckerContext &C,
ProgramStateRef stateNull, stateNonNull; ProgramStateRef stateNull, stateNonNull;
std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType()); std::tie(stateNull, stateNonNull) = assumeZero(C, state, l, S->getType());
if (stateNull && !stateNonNull) { if (stateNull && !stateNonNull) {
if (!Filter.CheckCStringNullArg) if (!Filter.CheckCStringNullArg)
return nullptr; return nullptr;
ExplodedNode *N = C.generateSink(stateNull); ExplodedNode *N = C.generateErrorNode(stateNull);
if (!N) if (!N)
return nullptr; return nullptr;
if (!BT_Null) if (!BT_Null)
BT_Null.reset(new BuiltinBug( BT_Null.reset(new BuiltinBug(
Filter.CheckNameCStringNullArg, categories::UnixAPI, Filter.CheckNameCStringNullArg, categories::UnixAPI,
"Null pointer argument in call to byte string function")); "Null pointer argument in call to byte string function"));
▲ Show 20 LinesShow All 46 Lines▼ Show 20 LinesProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
DefinedOrUnknownSVal Size = Extent.castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal Size = Extent.castAs<DefinedOrUnknownSVal>();
// Get the index of the accessed element. // Get the index of the accessed element.
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>(); DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true); ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false); ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
if (StOutBound && !StInBound) { if (StOutBound && !StInBound) {
ExplodedNode *N = C.generateSink(StOutBound); ExplodedNode *N = C.generateErrorNode(StOutBound);
if (!N) if (!N)
return nullptr; return nullptr;
if (!BT_Bounds) { if (!BT_Bounds) {
BT_Bounds.reset(new BuiltinBug( BT_Bounds.reset(new BuiltinBug(
Filter.CheckNameCStringOutOfBounds, "Out-of-bound array access", Filter.CheckNameCStringOutOfBounds, "Out-of-bound array access",
"Byte string function accesses out-of-bound array element")); "Byte string function accesses out-of-bound array element"));
} }
▲ Show 20 LinesShow All 216 Lines▼ Show 20 LinesProgramStateRef CStringChecker::CheckOverlap(CheckerContext &C,
// assume the two expressions don't overlap. // assume the two expressions don't overlap.
assert(stateFalse); assert(stateFalse);
return stateFalse; return stateFalse;
} }
void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state, void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
const Stmt *First, const Stmt *Second) const { const Stmt *First, const Stmt *Second) const {
ExplodedNode *N = C.generateSink(state); ExplodedNode *N = C.generateErrorNode(state);
if (!N) if (!N)
return; return;
if (!BT_Overlap) if (!BT_Overlap)
BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap, BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
categories::UnixAPI, "Improper arguments")); categories::UnixAPI, "Improper arguments"));
// Generate a report for this bug. // Generate a report for this bug.
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines SVal willOverflow = svalBuilder.evalBinOpNN(state, BO_GT, left,
*maxMinusRightNL, cmpTy); *maxMinusRightNL, cmpTy);
ProgramStateRef stateOverflow, stateOkay; ProgramStateRef stateOverflow, stateOkay;
std::tie(stateOverflow, stateOkay) = std::tie(stateOverflow, stateOkay) =
state->assume(willOverflow.castAs<DefinedOrUnknownSVal>()); state->assume(willOverflow.castAs<DefinedOrUnknownSVal>());
if (stateOverflow && !stateOkay) { if (stateOverflow && !stateOkay) {
// We have an overflow. Emit a bug report. // We have an overflow. Emit a bug report.
ExplodedNode *N = C.generateSink(stateOverflow); ExplodedNode *N = C.generateErrorNode(stateOverflow);
if (!N) if (!N)
return nullptr; return nullptr;
if (!BT_AdditionOverflow) if (!BT_AdditionOverflow)
BT_AdditionOverflow.reset( BT_AdditionOverflow.reset(
new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API", new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
"Sum of expressions causes overflow")); "Sum of expressions causes overflow"));
▲ Show 20 LinesShow All 104 Lines▼ Show 20 LinesSVal CStringChecker::getCStringLength(CheckerContext &C, ProgramStateRef &state,
if (!MR) { if (!MR) {
// If we can't get a region, see if it's something we /know/ isn't a // If we can't get a region, see if it's something we /know/ isn't a
// C string. In the context of locations, the only time we can issue such // C string. In the context of locations, the only time we can issue such
// a warning is for labels. // a warning is for labels.
if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) { if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) {
if (!Filter.CheckCStringNotNullTerm) if (!Filter.CheckCStringNotNullTerm)
return UndefinedVal(); return UndefinedVal();
if (ExplodedNode *N = C.addTransition(state)) { if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
if (!BT_NotCString) if (!BT_NotCString)
BT_NotCString.reset(new BuiltinBug( BT_NotCString.reset(new BuiltinBug(
Filter.CheckNameCStringNotNullTerm, categories::UnixAPI, Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
"Argument is not a null-terminated string.")); "Argument is not a null-terminated string."));
SmallString<120> buf; SmallString<120> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
assert(CurrentFunctionDescription); assert(CurrentFunctionDescription);
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines case MemRegion::ElementRegionKind:
return UnknownVal(); return UnknownVal();
default: default:
// Other regions (mostly non-data) can't have a reliable C string length. // Other regions (mostly non-data) can't have a reliable C string length.
// In this case, an error is emitted and UndefinedVal is returned. // In this case, an error is emitted and UndefinedVal is returned.
// The caller should always be prepared to handle this case. // The caller should always be prepared to handle this case.
if (!Filter.CheckCStringNotNullTerm) if (!Filter.CheckCStringNotNullTerm)
return UndefinedVal(); return UndefinedVal();
if (ExplodedNode *N = C.addTransition(state)) { if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
if (!BT_NotCString) if (!BT_NotCString)
BT_NotCString.reset(new BuiltinBug( BT_NotCString.reset(new BuiltinBug(
Filter.CheckNameCStringNotNullTerm, categories::UnixAPI, Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
"Argument is not a null-terminated string.")); "Argument is not a null-terminated string."));
SmallString<120> buf; SmallString<120> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
▲ Show 20 LinesShow All 1,307 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp

Show First 20 LinesShow All 91 Lines▼ Show 20 Lines bool uninitRefOrPointer(CheckerContext &C, const SVal &V,
const SourceRange &ArgRange, const SourceRange &ArgRange,
const Expr *ArgEx, std::unique_ptr<BugType> &BT, const Expr *ArgEx, std::unique_ptr<BugType> &BT,
const ParmVarDecl *ParamDecl, const char *BD) const; const ParmVarDecl *ParamDecl, const char *BD) const;
}; };
} // end anonymous namespace } // end anonymous namespace
void CallAndMessageChecker::emitBadCall(BugType *BT, CheckerContext &C, void CallAndMessageChecker::emitBadCall(BugType *BT, CheckerContext &C,
const Expr *BadE) { const Expr *BadE) {
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
auto R = llvm::make_unique<BugReport>(*BT, BT->getName(), N); auto R = llvm::make_unique<BugReport>(*BT, BT->getName(), N);
if (BadE) { if (BadE) {
R->addRange(BadE->getSourceRange()); R->addRange(BadE->getSourceRange());
if (BadE->isGLValue()) if (BadE->isGLValue())
BadE = bugreporter::getDerefExpr(BadE); BadE = bugreporter::getDerefExpr(BadE);
▲ Show 20 LinesShow All 55 Lines▼ Show 20 Linesbool CallAndMessageChecker::uninitRefOrPointer(CheckerContext &C,
if(!ParamDecl->getType()->getPointeeType().isConstQualified()) if(!ParamDecl->getType()->getPointeeType().isConstQualified())
return false; return false;
if (const MemRegion *SValMemRegion = V.getAsRegion()) { if (const MemRegion *SValMemRegion = V.getAsRegion()) {
const ProgramStateRef State = C.getState(); const ProgramStateRef State = C.getState();
const SVal PSV = State->getSVal(SValMemRegion); const SVal PSV = State->getSVal(SValMemRegion);
if (PSV.isUndef()) { if (PSV.isUndef()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
LazyInit_BT(BD, BT); LazyInit_BT(BD, BT);
auto R = llvm::make_unique<BugReport>(*BT, Message, N); auto R = llvm::make_unique<BugReport>(*BT, Message, N);
R->addRange(ArgRange); R->addRange(ArgRange);
if (ArgEx) { if (ArgEx) {
bugreporter::trackNullOrUndefValue(N, ArgEx, *R); bugreporter::trackNullOrUndefValue(N, ArgEx, *R);
} }
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
Show All 14 Linesbool CallAndMessageChecker::PreVisitProcessArg(CheckerContext &C,
const ParmVarDecl *ParamDecl const ParmVarDecl *ParamDecl
) const { ) const {
const char *BD = "Uninitialized argument value"; const char *BD = "Uninitialized argument value";
if (uninitRefOrPointer(C, V, ArgRange, ArgEx, BT, ParamDecl, BD)) if (uninitRefOrPointer(C, V, ArgRange, ArgEx, BT, ParamDecl, BD))
return true; return true;
if (V.isUndef()) { if (V.isUndef()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
LazyInit_BT(BD, BT); LazyInit_BT(BD, BT);
// Generate a report for this bug. // Generate a report for this bug.
StringRef Desc = StringRef Desc =
describeUninitializedArgumentInCall(Call, IsFirstArgument); describeUninitializedArgumentInCall(Call, IsFirstArgument);
auto R = llvm::make_unique<BugReport>(*BT, Desc, N); auto R = llvm::make_unique<BugReport>(*BT, Desc, N);
R->addRange(ArgRange); R->addRange(ArgRange);
if (ArgEx) if (ArgEx)
▲ Show 20 LinesShow All 48 Lines▼ Show 20 Lines if (Optional<nonloc::LazyCompoundVal> LV =
}; };
const LazyCompoundValData *D = LV->getCVData(); const LazyCompoundValData *D = LV->getCVData();
FindUninitializedField F(C.getState()->getStateManager().getStoreManager(), FindUninitializedField F(C.getState()->getStateManager().getStoreManager(),
C.getSValBuilder().getRegionManager(), C.getSValBuilder().getRegionManager(),
D->getStore()); D->getStore());
if (F.Find(D->getRegion())) { if (F.Find(D->getRegion())) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
LazyInit_BT(BD, BT); LazyInit_BT(BD, BT);
SmallString<512> Str; SmallString<512> Str;
llvm::raw_svector_ostream os(Str); llvm::raw_svector_ostream os(Str);
os << "Passed-by-value struct argument contains uninitialized data"; os << "Passed-by-value struct argument contains uninitialized data";
if (F.FieldChain.size() == 1) if (F.FieldChain.size() == 1)
os << " (e.g., field: '" << *F.FieldChain[0] << "')"; os << " (e.g., field: '" << *F.FieldChain[0] << "')";
else { else {
▲ Show 20 LinesShow All 56 Lines▼ Show 20 Lines
} }
void CallAndMessageChecker::checkPreStmt(const CXXDeleteExpr *DE, void CallAndMessageChecker::checkPreStmt(const CXXDeleteExpr *DE,
CheckerContext &C) const { CheckerContext &C) const {
SVal Arg = C.getSVal(DE->getArgument()); SVal Arg = C.getSVal(DE->getArgument());
if (Arg.isUndef()) { if (Arg.isUndef()) {
StringRef Desc; StringRef Desc;
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
if (!BT_cxx_delete_undef) if (!BT_cxx_delete_undef)
BT_cxx_delete_undef.reset( BT_cxx_delete_undef.reset(
new BuiltinBug(this, "Uninitialized argument value")); new BuiltinBug(this, "Uninitialized argument value"));
if (DE->isArrayFormAsWritten()) if (DE->isArrayFormAsWritten())
Desc = "Argument to 'delete[]' is uninitialized"; Desc = "Argument to 'delete[]' is uninitialized";
else else
Show All 40 Linesvoid CallAndMessageChecker::checkPreCall(const CallEvent &Call,
const Decl *D = Call.getDecl(); const Decl *D = Call.getDecl();
const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D); const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D);
if (FD) { if (FD) {
// If we have a declaration, we can make sure we pass enough parameters to // If we have a declaration, we can make sure we pass enough parameters to
// the function. // the function.
unsigned Params = FD->getNumParams(); unsigned Params = FD->getNumParams();
if (Call.getNumArgs() < Params) { if (Call.getNumArgs() < Params) {
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
LazyInit_BT("Function call with too few arguments", BT_call_few_args); LazyInit_BT("Function call with too few arguments", BT_call_few_args);
SmallString<512> Str; SmallString<512> Str;
llvm::raw_svector_ostream os(Str); llvm::raw_svector_ostream os(Str);
os << "Function taking " << Params << " argument" os << "Function taking " << Params << " argument"
Show All 31 Linesvoid CallAndMessageChecker::checkPreCall(const CallEvent &Call,
// If we make it here, record our assumptions about the callee. // If we make it here, record our assumptions about the callee.
C.addTransition(State); C.addTransition(State);
} }
void CallAndMessageChecker::checkPreObjCMessage(const ObjCMethodCall &msg, void CallAndMessageChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const { CheckerContext &C) const {
SVal recVal = msg.getReceiverSVal(); SVal recVal = msg.getReceiverSVal();
if (recVal.isUndef()) { if (recVal.isUndef()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
BugType *BT = nullptr; BugType *BT = nullptr;
switch (msg.getMessageKind()) { switch (msg.getMessageKind()) {
case OCM_Message: case OCM_Message:
if (!BT_msg_undef) if (!BT_msg_undef)
BT_msg_undef.reset(new BuiltinBug(this, BT_msg_undef.reset(new BuiltinBug(this,
"Receiver in message expression " "Receiver in message expression "
"is an uninitialized value")); "is an uninitialized value"));
BT = BT_msg_undef.get(); BT = BT_msg_undef.get();
▲ Show 20 LinesShow All 99 Lines▼ Show 20 Lines if (CanRetTy != Ctx.VoidTy && C.getLocationContext()->getParentMap()
if (CanRetTy.getTypePtr()->isReferenceType()|| if (CanRetTy.getTypePtr()->isReferenceType()||
(voidPtrSize < returnTypeSize && (voidPtrSize < returnTypeSize &&
!(supportsNilWithFloatRet(Ctx.getTargetInfo().getTriple()) && !(supportsNilWithFloatRet(Ctx.getTargetInfo().getTriple()) &&
(Ctx.FloatTy == CanRetTy || (Ctx.FloatTy == CanRetTy ||
Ctx.DoubleTy == CanRetTy || Ctx.DoubleTy == CanRetTy ||
Ctx.LongDoubleTy == CanRetTy || Ctx.LongDoubleTy == CanRetTy ||
Ctx.LongLongTy == CanRetTy || Ctx.LongLongTy == CanRetTy ||
Ctx.UnsignedLongLongTy == CanRetTy)))) { Ctx.UnsignedLongLongTy == CanRetTy)))) {
if (ExplodedNode *N = C.generateSink(state, nullptr, &Tag)) if (ExplodedNode *N = C.generateErrorNode(state, &Tag))
emitNilReceiverBug(C, Msg, N); emitNilReceiverBug(C, Msg, N);
return; return;
} }
// Handle the safe cases where the return value is 0 if the // Handle the safe cases where the return value is 0 if the
// receiver is nil. // receiver is nil.
// //
// FIXME: For now take the conservative approach that we only // FIXME: For now take the conservative approach that we only
Show All 27 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/CastSizeChecker.cpp

Show First 20 LinesShow All 125 Lines▼ Show 20 Lines if (typeSize.isZero())
return; return;
if (regionSize % typeSize == 0) if (regionSize % typeSize == 0)
return; return;
if (evenFlexibleArraySize(Ctx, regionSize, typeSize, ToPointeeTy)) if (evenFlexibleArraySize(Ctx, regionSize, typeSize, ToPointeeTy))
return; return;
if (ExplodedNode *errorNode = C.generateSink()) { if (ExplodedNode *errorNode = C.generateErrorNode()) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug(this, "Cast region with wrong size.", BT.reset(new BuiltinBug(this, "Cast region with wrong size.",
"Cast a region whose size is not a multiple" "Cast a region whose size is not a multiple"
" of the destination type size.")); " of the destination type size."));
auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), errorNode); auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), errorNode);
R->addRange(CE->getSourceRange()); R->addRange(CE->getSourceRange());
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void ento::registerCastSizeChecker(CheckerManager &mgr) { void ento::registerCastSizeChecker(CheckerManager &mgr) {
mgr.registerChecker<CastSizeChecker>(); mgr.registerChecker<CastSizeChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp

Show First 20 LinesShow All 50 Lines▼ Show 20 Lines if (!ToPointeeTy->isStructureOrClassType())
return; return;
// We allow cast from void*. // We allow cast from void*.
if (OrigPointeeTy->isVoidType()) if (OrigPointeeTy->isVoidType())
return; return;
// Now the cast-to-type is struct pointer, the original type is not void*. // Now the cast-to-type is struct pointer, the original type is not void*.
if (!OrigPointeeTy->isRecordType()) { if (!OrigPointeeTy->isRecordType()) {
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
if (!BT) if (!BT)
BT.reset( BT.reset(
new BuiltinBug(this, "Cast from non-struct type to struct type", new BuiltinBug(this, "Cast from non-struct type to struct type",
"Casting a non-structure type to a structure type " "Casting a non-structure type to a structure type "
"and accessing a field can lead to memory access " "and accessing a field can lead to memory access "
"errors or data corruption.")); "errors or data corruption."));
auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N); auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N);
R->addRange(CE->getSourceRange()); R->addRange(CE->getSourceRange());
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
} }
void ento::registerCastToStructChecker(CheckerManager &mgr) { void ento::registerCastToStructChecker(CheckerManager &mgr) {
mgr.registerChecker<CastToStructChecker>(); mgr.registerChecker<CastToStructChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/ChrootChecker.cpp

Show First 20 LinesShow All 134 Lines▼ Show 20 Linesvoid ChrootChecker::checkPreStmt(const CallExpr *CE, CheckerContext &C) const {
// Ingnore chroot and chdir. // Ingnore chroot and chdir.
if (FD->getIdentifier() == II_chroot || FD->getIdentifier() == II_chdir) if (FD->getIdentifier() == II_chroot || FD->getIdentifier() == II_chdir)
return; return;
// If jail state is ROOT_CHANGED, generate BugReport. // If jail state is ROOT_CHANGED, generate BugReport.
void *const* k = C.getState()->FindGDM(ChrootChecker::getTag()); void *const* k = C.getState()->FindGDM(ChrootChecker::getTag());
if (k) if (k)
if (isRootChanged((intptr_t) *k)) if (isRootChanged((intptr_t) *k))
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
if (!BT_BreakJail) if (!BT_BreakJail)
BT_BreakJail.reset(new BuiltinBug( BT_BreakJail.reset(new BuiltinBug(
this, "Break out of jail", "No call of chdir(\"/\") immediately " this, "Break out of jail", "No call of chdir(\"/\") immediately "
"after chroot")); "after chroot"));
C.emitReport(llvm::make_unique<BugReport>( C.emitReport(llvm::make_unique<BugReport>(
*BT_BreakJail, BT_BreakJail->getDescription(), N)); *BT_BreakJail, BT_BreakJail->getDescription(), N));
} }
return; return;
} }
void ento::registerChrootChecker(CheckerManager &mgr) { void ento::registerChrootChecker(CheckerManager &mgr) {
mgr.registerChecker<ChrootChecker>(); mgr.registerChecker<ChrootChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp

Show First 20 LinesShow All 85 Lines▼ Show 20 Lines case Stmt::ObjCIvarRefExprClass: {
break; break;
} }
} }
} }
void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S, void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S,
CheckerContext &C, bool IsBind) const { CheckerContext &C, bool IsBind) const {
// Generate an error node. // Generate an error node.
ExplodedNode *N = C.generateSink(State); ExplodedNode *N = C.generateErrorNode(State);
if (!N) if (!N)
return; return;
// We know that 'location' cannot be non-null. This is what // We know that 'location' cannot be non-null. This is what
// we call an "explicit" null dereference. // we call an "explicit" null dereference.
if (!BT_null) if (!BT_null)
BT_null.reset(new BuiltinBug(this, "Dereference of null pointer")); BT_null.reset(new BuiltinBug(this, "Dereference of null pointer"));
▲ Show 20 LinesShow All 76 Lines▼ Show 20 Linesvoid DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S,
C.emitReport(std::move(report)); C.emitReport(std::move(report));
} }
void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S, void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
CheckerContext &C) const { CheckerContext &C) const {
// Check for dereference of an undefined value. // Check for dereference of an undefined value.
if (l.isUndef()) { if (l.isUndef()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_undef) if (!BT_undef)
BT_undef.reset( BT_undef.reset(
new BuiltinBug(this, "Dereference of undefined pointer value")); new BuiltinBug(this, "Dereference of undefined pointer value"));
auto report = auto report =
llvm::make_unique<BugReport>(*BT_undef, BT_undef->getDescription(), N); llvm::make_unique<BugReport>(*BT_undef, BT_undef->getDescription(), N);
bugreporter::trackNullOrUndefValue(N, bugreporter::getDerefExpr(S), bugreporter::trackNullOrUndefValue(N, bugreporter::getDerefExpr(S),
*report); *report);
Show All 18 Lines if (nullState) {
if (!notNullState) { if (!notNullState) {
reportBug(nullState, S, C); reportBug(nullState, S, C);
return; return;
} }
// Otherwise, we have the case where the location could either be // Otherwise, we have the case where the location could either be
// null or not-null. Record the error node as an "implicit" null // null or not-null. Record the error node as an "implicit" null
// dereference. // dereference.
if (ExplodedNode *N = C.generateSink(nullState)) { if (ExplodedNode *N = C.generateSink(nullState, C.getPredecessor())) {
ImplicitNullDerefEvent event = {l, isLoad, N, &C.getBugReporter(), ImplicitNullDerefEvent event = {l, isLoad, N, &C.getBugReporter(),
/*IsDirectDereference=*/false}; /*IsDirectDereference=*/false};
dispatchEvent(event); dispatchEvent(event);
} }
} }
// From this point forward, we know that the location is not null. // From this point forward, we know that the location is not null.
C.addTransition(notNullState); C.addTransition(notNullState);
Show All 21 Linesvoid DereferenceChecker::checkBind(SVal L, SVal V, const Stmt *S,
if (StNull) { if (StNull) {
if (!StNonNull) { if (!StNonNull) {
reportBug(StNull, S, C, /*isBind=*/true); reportBug(StNull, S, C, /*isBind=*/true);
return; return;
} }
// At this point the value could be either null or non-null. // At this point the value could be either null or non-null.
// Record this as an "implicit" null dereference. // Record this as an "implicit" null dereference.
if (ExplodedNode *N = C.generateSink(StNull)) { if (ExplodedNode *N = C.generateSink(StNull, C.getPredecessor())) {
ImplicitNullDerefEvent event = {V, /*isLoad=*/true, N, ImplicitNullDerefEvent event = {V, /*isLoad=*/true, N,
&C.getBugReporter(), &C.getBugReporter(),
/*IsDirectDereference=*/false}; /*IsDirectDereference=*/false};
dispatchEvent(event); dispatchEvent(event);
} }
} }
// Unlike a regular null dereference, initializing a reference with a // Unlike a regular null dereference, initializing a reference with a
Show All 21 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp

Show All 29 Lines
public: public:
void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const; void checkPreStmt(const BinaryOperator *B, CheckerContext &C) const;
}; };
} // end anonymous namespace } // end anonymous namespace
void DivZeroChecker::reportBug(const char *Msg, void DivZeroChecker::reportBug(const char *Msg,
ProgramStateRef StateZero, ProgramStateRef StateZero,
CheckerContext &C) const { CheckerContext &C) const {
if (ExplodedNode *N = C.generateSink(StateZero)) { if (ExplodedNode *N = C.generateErrorNode(StateZero)) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug(this, "Division by zero")); BT.reset(new BuiltinBug(this, "Division by zero"));
auto R = llvm::make_unique<BugReport>(*BT, Msg, N); auto R = llvm::make_unique<BugReport>(*BT, Msg, N);
bugreporter::trackNullOrUndefValue(N, bugreporter::GetDenomExpr(N), *R); bugreporter::trackNullOrUndefValue(N, bugreporter::GetDenomExpr(N), *R);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
▲ Show 20 LinesShow All 46 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp

Show First 20 LinesShow All 80 Lines▼ Show 20 Lines if (StFalse)
return "FALSE"; return "FALSE";
else else
llvm_unreachable("Invalid constraint; neither true or false."); llvm_unreachable("Invalid constraint; neither true or false.");
} }
} }
void ExprInspectionChecker::analyzerEval(const CallExpr *CE, void ExprInspectionChecker::analyzerEval(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
ExplodedNode *N = C.getPredecessor(); const LocationContext *LC = C.getPredecessor()->getLocationContext();
const LocationContext *LC = N->getLocationContext();
// A specific instantiation of an inlined function may have more constrained // A specific instantiation of an inlined function may have more constrained
// values than can generally be assumed. Skip the check. // values than can generally be assumed. Skip the check.
if (LC->getCurrentStackFrame()->getParent() != nullptr) if (LC->getCurrentStackFrame()->getParent() != nullptr)
return; return;
if (!BT) if (!BT)
BT.reset(new BugType(this, "Checking analyzer assumptions", "debug")); BT.reset(new BugType(this, "Checking analyzer assumptions", "debug"));
ExplodedNode *N = C.generateNonFatalErrorNode();
if (!N)
return;
C.emitReport( C.emitReport(
llvm::make_unique<BugReport>(*BT, getArgumentValueString(CE, C), N)); llvm::make_unique<BugReport>(*BT, getArgumentValueString(CE, C), N));
} }
void ExprInspectionChecker::analyzerWarnIfReached(const CallExpr *CE, void ExprInspectionChecker::analyzerWarnIfReached(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
ExplodedNode *N = C.getPredecessor();
if (!BT) if (!BT)
BT.reset(new BugType(this, "Checking analyzer assumptions", "debug")); BT.reset(new BugType(this, "Checking analyzer assumptions", "debug"));
ExplodedNode *N = C.generateNonFatalErrorNode();
if (!N)
return;
C.emitReport(llvm::make_unique<BugReport>(*BT, "REACHABLE", N)); C.emitReport(llvm::make_unique<BugReport>(*BT, "REACHABLE", N));
} }
void ExprInspectionChecker::analyzerCheckInlined(const CallExpr *CE, void ExprInspectionChecker::analyzerCheckInlined(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
ExplodedNode *N = C.getPredecessor(); const LocationContext *LC = C.getPredecessor()->getLocationContext();
const LocationContext *LC = N->getLocationContext();
// An inlined function could conceivably also be analyzed as a top-level // An inlined function could conceivably also be analyzed as a top-level
// function. We ignore this case and only emit a message (TRUE or FALSE) // function. We ignore this case and only emit a message (TRUE or FALSE)
// when we are analyzing it as an inlined function. This means that // when we are analyzing it as an inlined function. This means that
// clang_analyzer_checkInlined(true) should always print TRUE, but // clang_analyzer_checkInlined(true) should always print TRUE, but
// clang_analyzer_checkInlined(false) should never actually print anything. // clang_analyzer_checkInlined(false) should never actually print anything.
if (LC->getCurrentStackFrame()->getParent() == nullptr) if (LC->getCurrentStackFrame()->getParent() == nullptr)
return; return;
if (!BT) if (!BT)
BT.reset(new BugType(this, "Checking analyzer assumptions", "debug")); BT.reset(new BugType(this, "Checking analyzer assumptions", "debug"));
ExplodedNode *N = C.generateNonFatalErrorNode();
if (!N)
return;
C.emitReport( C.emitReport(
llvm::make_unique<BugReport>(*BT, getArgumentValueString(CE, C), N)); llvm::make_unique<BugReport>(*BT, getArgumentValueString(CE, C), N));
} }
void ExprInspectionChecker::analyzerCrash(const CallExpr *CE, void ExprInspectionChecker::analyzerCrash(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
LLVM_BUILTIN_TRAP; LLVM_BUILTIN_TRAP;
} }
void ento::registerExprInspectionChecker(CheckerManager &Mgr) { void ento::registerExprInspectionChecker(CheckerManager &Mgr) {
Mgr.registerChecker<ExprInspectionChecker>(); Mgr.registerChecker<ExprInspectionChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/FixedAddressChecker.cpp

Show First 20 LinesShow All 44 Lines▼ Show 20 Lines if (!T->isPointerType())
return; return;
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
SVal RV = state->getSVal(B->getRHS(), C.getLocationContext()); SVal RV = state->getSVal(B->getRHS(), C.getLocationContext());
if (!RV.isConstant() || RV.isZeroConstant()) if (!RV.isConstant() || RV.isZeroConstant())
return; return;
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
if (!BT) if (!BT)
BT.reset( BT.reset(
new BuiltinBug(this, "Use fixed address", new BuiltinBug(this, "Use fixed address",
"Using a fixed address is not portable because that " "Using a fixed address is not portable because that "
"address will probably not be valid in all " "address will probably not be valid in all "
"environments or platforms.")); "environments or platforms."));
auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N); auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N);
R->addRange(B->getRHS()->getSourceRange()); R->addRange(B->getRHS()->getSourceRange());
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void ento::registerFixedAddressChecker(CheckerManager &mgr) { void ento::registerFixedAddressChecker(CheckerManager &mgr) {
mgr.registerChecker<FixedAddressChecker>(); mgr.registerChecker<FixedAddressChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show First 20 LinesShow All 634 Lines▼ Show 20 Linesbool GenericTaintChecker::generateReportIfTainted(const Expr *E,
// Check for taint. // Check for taint.
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (!State->isTainted(getPointedToSymbol(C, E)) && if (!State->isTainted(getPointedToSymbol(C, E)) &&
!State->isTainted(E, C.getLocationContext())) !State->isTainted(E, C.getLocationContext()))
return false; return false;
// Generate diagnostic. // Generate diagnostic.
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
initBugType(); initBugType();
auto report = llvm::make_unique<BugReport>(*BT, Msg, N); auto report = llvm::make_unique<BugReport>(*BT, Msg, N);
report->addRange(E->getSourceRange()); report->addRange(E->getSourceRange());
C.emitReport(std::move(report)); C.emitReport(std::move(report));
return true; return true;
} }
return false; return false;
} }
▲ Show 20 LinesShow All 89 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/MacOSKeychainAPIChecker.cpp

Show First 20 LinesShow All 249 Lines▼ Show 20 Lines
// Report deallocator mismatch. Remove the region from tracking - reporting a // Report deallocator mismatch. Remove the region from tracking - reporting a
// missing free error after this one is redundant. // missing free error after this one is redundant.
void MacOSKeychainAPIChecker:: void MacOSKeychainAPIChecker::
generateDeallocatorMismatchReport(const AllocationPair &AP, generateDeallocatorMismatchReport(const AllocationPair &AP,
const Expr *ArgExpr, const Expr *ArgExpr,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
State = State->remove<AllocatedData>(AP.first); State = State->remove<AllocatedData>(AP.first);
ExplodedNode *N = C.addTransition(State); ExplodedNode *N = C.generateNonFatalErrorNode(State);
if (!N) if (!N)
return; return;
initBugType(); initBugType();
SmallString<80> sbuf; SmallString<80> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
unsigned int PDeallocIdx = unsigned int PDeallocIdx =
FunctionsToTrack[AP.second->AllocatorIdx].DeallocatorIdx; FunctionsToTrack[AP.second->AllocatorIdx].DeallocatorIdx;
Show All 29 Lines if (idx != InvalidIdx) {
const Expr *ArgExpr = CE->getArg(paramIdx); const Expr *ArgExpr = CE->getArg(paramIdx);
if (SymbolRef V = getAsPointeeSymbol(ArgExpr, C)) if (SymbolRef V = getAsPointeeSymbol(ArgExpr, C))
if (const AllocationState *AS = State->get<AllocatedData>(V)) { if (const AllocationState *AS = State->get<AllocatedData>(V)) {
if (!definitelyReturnedError(AS->Region, State, C.getSValBuilder())) { if (!definitelyReturnedError(AS->Region, State, C.getSValBuilder())) {
// Remove the value from the state. The new symbol will be added for // Remove the value from the state. The new symbol will be added for
// tracking when the second allocator is processed in checkPostStmt(). // tracking when the second allocator is processed in checkPostStmt().
State = State->remove<AllocatedData>(V); State = State->remove<AllocatedData>(V);
ExplodedNode *N = C.addTransition(State); ExplodedNode *N = C.generateNonFatalErrorNode(State);
if (!N) if (!N)
return; return;
initBugType(); initBugType();
SmallString<128> sbuf; SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
unsigned int DIdx = FunctionsToTrack[AS->AllocatorIdx].DeallocatorIdx; unsigned int DIdx = FunctionsToTrack[AS->AllocatorIdx].DeallocatorIdx;
os << "Allocated data should be released before another call to " os << "Allocated data should be released before another call to "
<< "the allocator: missing a call to '" << "the allocator: missing a call to '"
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Linesvoid MacOSKeychainAPIChecker::checkPreStmt(const CallExpr *CE,
// TODO: We might want a more precise diagnostic for double free // TODO: We might want a more precise diagnostic for double free
// (that would involve tracking all the freed symbols in the checker state). // (that would involve tracking all the freed symbols in the checker state).
if (!AS || RegionArgIsBad) { if (!AS || RegionArgIsBad) {
// It is possible that this is a false positive - the argument might // It is possible that this is a false positive - the argument might
// have entered as an enclosing function parameter. // have entered as an enclosing function parameter.
if (isEnclosingFunctionParam(ArgExpr)) if (isEnclosingFunctionParam(ArgExpr))
return; return;
ExplodedNode *N = C.addTransition(State); ExplodedNode *N = C.generateNonFatalErrorNode(State);
if (!N) if (!N)
return; return;
initBugType(); initBugType();
auto Report = llvm::make_unique<BugReport>( auto Report = llvm::make_unique<BugReport>(
*BT, "Trying to free data which has not been allocated.", N); *BT, "Trying to free data which has not been allocated.", N);
Report->addRange(ArgExpr->getSourceRange()); Report->addRange(ArgExpr->getSourceRange());
if (AS) if (AS)
Report->markInteresting(AS->Region); Report->markInteresting(AS->Region);
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Lines if (PDeallocIdx != idx || (FunctionsToTrack[idx].Kind == ErrorAPI)) {
generateDeallocatorMismatchReport(AP, ArgExpr, C); generateDeallocatorMismatchReport(AP, ArgExpr, C);
return; return;
} }
// If the buffer can be null and the return status can be an error, // If the buffer can be null and the return status can be an error,
// report a bad call to free. // report a bad call to free.
if (State->assume(ArgSVal.castAs<DefinedSVal>(), false) && if (State->assume(ArgSVal.castAs<DefinedSVal>(), false) &&
!definitelyDidnotReturnError(AS->Region, State, C.getSValBuilder())) { !definitelyDidnotReturnError(AS->Region, State, C.getSValBuilder())) {
ExplodedNode *N = C.addTransition(State); ExplodedNode *N = C.generateNonFatalErrorNode(State);
if (!N) if (!N)
return; return;
initBugType(); initBugType();
auto Report = llvm::make_unique<BugReport>( auto Report = llvm::make_unique<BugReport>(
*BT, "Only call free if a valid (non-NULL) buffer was returned.", N); *BT, "Only call free if a valid (non-NULL) buffer was returned.", N);
Report->addVisitor(llvm::make_unique<SecKeychainBugVisitor>(ArgSM)); Report->addVisitor(llvm::make_unique<SecKeychainBugVisitor>(ArgSM));
Report->addRange(ArgExpr->getSourceRange()); Report->addRange(ArgExpr->getSourceRange());
Report->markInteresting(AS->Region); Report->markInteresting(AS->Region);
▲ Show 20 LinesShow All 137 Lines▼ Show 20 Linesvoid MacOSKeychainAPIChecker::checkDeadSymbols(SymbolReaper &SR,
} }
if (!Changed) { if (!Changed) {
// Generate the new, cleaned up state. // Generate the new, cleaned up state.
C.addTransition(State); C.addTransition(State);
return; return;
} }
static CheckerProgramPointTag Tag(this, "DeadSymbolsLeak"); static CheckerProgramPointTag Tag(this, "DeadSymbolsLeak");
ExplodedNode *N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); ExplodedNode *N = C.generateNonFatalErrorNode(C.getState(), &Tag);
if (!N)
return;
// Generate the error reports. // Generate the error reports.
for (const auto P : Errors) for (const auto P : Errors)
C.emitReport(generateAllocatedDataNotReleasedReport(P, N, C)); C.emitReport(generateAllocatedDataNotReleasedReport(P, N, C));
// Generate the new, cleaned up state. // Generate the new, cleaned up state.
C.addTransition(State, N); C.addTransition(State, N);
} }
Show All 34 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/MacOSXAPIChecker.cpp

Show First 20 LinesShow All 56 Lines▼ Show 20 Linesvoid MacOSXAPIChecker::CheckDispatchOnce(CheckerContext &C, const CallExpr *CE,
// Check if the first argument is stack allocated. If so, issue a warning // Check if the first argument is stack allocated. If so, issue a warning
// because that's likely to be bad news. // because that's likely to be bad news.
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const MemRegion *R = const MemRegion *R =
state->getSVal(CE->getArg(0), C.getLocationContext()).getAsRegion(); state->getSVal(CE->getArg(0), C.getLocationContext()).getAsRegion();
if (!R || !isa<StackSpaceRegion>(R->getMemorySpace())) if (!R || !isa<StackSpaceRegion>(R->getMemorySpace()))
return; return;
ExplodedNode *N = C.generateSink(state); ExplodedNode *N = C.generateErrorNode(state);
if (!N) if (!N)
return; return;
if (!BT_dispatchOnce) if (!BT_dispatchOnce)
BT_dispatchOnce.reset(new BugType(this, "Improper use of 'dispatch_once'", BT_dispatchOnce.reset(new BugType(this, "Improper use of 'dispatch_once'",
"API Misuse (Apple)")); "API Misuse (Apple)"));
// Handle _dispatch_once. In some versions of the OS X SDK we have the case // Handle _dispatch_once. In some versions of the OS X SDK we have the case
▲ Show 20 LinesShow All 55 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 1,586 Lines▼ Show 20 Lines if (!ChecksEnabled[CK_MallocChecker] &&
!ChecksEnabled[CK_NewDeleteChecker]) !ChecksEnabled[CK_NewDeleteChecker])
return; return;
Optional<MallocChecker::CheckKind> CheckKind = Optional<MallocChecker::CheckKind> CheckKind =
getCheckIfTracked(C, DeallocExpr); getCheckIfTracked(C, DeallocExpr);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_BadFree[*CheckKind]) if (!BT_BadFree[*CheckKind])
BT_BadFree[*CheckKind].reset( BT_BadFree[*CheckKind].reset(
new BugType(CheckNames[*CheckKind], "Bad free", "Memory Error")); new BugType(CheckNames[*CheckKind], "Bad free", "Memory Error"));
SmallString<100> buf; SmallString<100> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
const MemRegion *MR = ArgVal.getAsRegion(); const MemRegion *MR = ArgVal.getAsRegion();
Show All 28 Linesvoid MallocChecker::ReportFreeAlloca(CheckerContext &C, SVal ArgVal,
if (ChecksEnabled[CK_MallocChecker]) if (ChecksEnabled[CK_MallocChecker])
CheckKind = CK_MallocChecker; CheckKind = CK_MallocChecker;
else if (ChecksEnabled[CK_MismatchedDeallocatorChecker]) else if (ChecksEnabled[CK_MismatchedDeallocatorChecker])
CheckKind = CK_MismatchedDeallocatorChecker; CheckKind = CK_MismatchedDeallocatorChecker;
else else
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_FreeAlloca[*CheckKind]) if (!BT_FreeAlloca[*CheckKind])
BT_FreeAlloca[*CheckKind].reset( BT_FreeAlloca[*CheckKind].reset(
new BugType(CheckNames[*CheckKind], "Free alloca()", "Memory Error")); new BugType(CheckNames[*CheckKind], "Free alloca()", "Memory Error"));
auto R = llvm::make_unique<BugReport>( auto R = llvm::make_unique<BugReport>(
*BT_FreeAlloca[*CheckKind], *BT_FreeAlloca[*CheckKind],
"Memory allocated by alloca() should not be deallocated", N); "Memory allocated by alloca() should not be deallocated", N);
R->markInteresting(ArgVal.getAsRegion()); R->markInteresting(ArgVal.getAsRegion());
R->addRange(Range); R->addRange(Range);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, void MallocChecker::ReportMismatchedDealloc(CheckerContext &C,
SourceRange Range, SourceRange Range,
const Expr *DeallocExpr, const Expr *DeallocExpr,
const RefState *RS, const RefState *RS,
SymbolRef Sym, SymbolRef Sym,
bool OwnershipTransferred) const { bool OwnershipTransferred) const {
if (!ChecksEnabled[CK_MismatchedDeallocatorChecker]) if (!ChecksEnabled[CK_MismatchedDeallocatorChecker])
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_MismatchedDealloc) if (!BT_MismatchedDealloc)
BT_MismatchedDealloc.reset( BT_MismatchedDealloc.reset(
new BugType(CheckNames[CK_MismatchedDeallocatorChecker], new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
"Bad deallocator", "Memory Error")); "Bad deallocator", "Memory Error"));
SmallString<100> buf; SmallString<100> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines if (!ChecksEnabled[CK_MallocChecker] &&
!ChecksEnabled[CK_NewDeleteChecker]) !ChecksEnabled[CK_NewDeleteChecker])
return; return;
Optional<MallocChecker::CheckKind> CheckKind = Optional<MallocChecker::CheckKind> CheckKind =
getCheckIfTracked(C, AllocExpr); getCheckIfTracked(C, AllocExpr);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
if (!BT_OffsetFree[*CheckKind]) if (!BT_OffsetFree[*CheckKind])
BT_OffsetFree[*CheckKind].reset( BT_OffsetFree[*CheckKind].reset(
new BugType(CheckNames[*CheckKind], "Offset free", "Memory Error")); new BugType(CheckNames[*CheckKind], "Offset free", "Memory Error"));
SmallString<100> buf; SmallString<100> buf;
Show All 37 Linesvoid MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range,
if (!ChecksEnabled[CK_MallocChecker] && if (!ChecksEnabled[CK_MallocChecker] &&
!ChecksEnabled[CK_NewDeleteChecker]) !ChecksEnabled[CK_NewDeleteChecker])
return; return;
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_UseFree[*CheckKind]) if (!BT_UseFree[*CheckKind])
BT_UseFree[*CheckKind].reset(new BugType( BT_UseFree[*CheckKind].reset(new BugType(
CheckNames[*CheckKind], "Use-after-free", "Memory Error")); CheckNames[*CheckKind], "Use-after-free", "Memory Error"));
auto R = llvm::make_unique<BugReport>(*BT_UseFree[*CheckKind], auto R = llvm::make_unique<BugReport>(*BT_UseFree[*CheckKind],
"Use of memory after it is freed", N); "Use of memory after it is freed", N);
R->markInteresting(Sym); R->markInteresting(Sym);
Show All 10 Linesvoid MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range,
if (!ChecksEnabled[CK_MallocChecker] && if (!ChecksEnabled[CK_MallocChecker] &&
!ChecksEnabled[CK_NewDeleteChecker]) !ChecksEnabled[CK_NewDeleteChecker])
return; return;
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_DoubleFree[*CheckKind]) if (!BT_DoubleFree[*CheckKind])
BT_DoubleFree[*CheckKind].reset( BT_DoubleFree[*CheckKind].reset(
new BugType(CheckNames[*CheckKind], "Double free", "Memory Error")); new BugType(CheckNames[*CheckKind], "Double free", "Memory Error"));
auto R = llvm::make_unique<BugReport>( auto R = llvm::make_unique<BugReport>(
*BT_DoubleFree[*CheckKind], *BT_DoubleFree[*CheckKind],
(Released ? "Attempt to free released memory" (Released ? "Attempt to free released memory"
: "Attempt to free non-owned memory"), : "Attempt to free non-owned memory"),
Show All 11 Linesvoid MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
if (!ChecksEnabled[CK_NewDeleteChecker]) if (!ChecksEnabled[CK_NewDeleteChecker])
return; return;
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_DoubleDelete) if (!BT_DoubleDelete)
BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker], BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
"Double delete", "Memory Error")); "Double delete", "Memory Error"));
auto R = llvm::make_unique<BugReport>( auto R = llvm::make_unique<BugReport>(
*BT_DoubleDelete, "Attempt to delete released memory", N); *BT_DoubleDelete, "Attempt to delete released memory", N);
R->markInteresting(Sym); R->markInteresting(Sym);
Show All 10 Lines if (!ChecksEnabled[CK_MallocChecker] &&
!ChecksEnabled[CK_NewDeleteChecker]) !ChecksEnabled[CK_NewDeleteChecker])
return; return;
Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym); Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
if (!CheckKind.hasValue()) if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_UseZerroAllocated[*CheckKind]) if (!BT_UseZerroAllocated[*CheckKind])
BT_UseZerroAllocated[*CheckKind].reset(new BugType( BT_UseZerroAllocated[*CheckKind].reset(new BugType(
CheckNames[*CheckKind], "Use of zero allocated", "Memory Error")); CheckNames[*CheckKind], "Use of zero allocated", "Memory Error"));
auto R = llvm::make_unique<BugReport>(*BT_UseZerroAllocated[*CheckKind], auto R = llvm::make_unique<BugReport>(*BT_UseZerroAllocated[*CheckKind],
"Use of zero-allocated memory", N); "Use of zero-allocated memory", N);
R->addRange(Range); R->addRange(Range);
▲ Show 20 LinesShow All 277 Lines▼ Show 20 Lines if (SymReaper.isDead(I->first) ||
state = state->remove<FreeReturnValue>(I->first); state = state->remove<FreeReturnValue>(I->first);
} }
} }
// Generate leak node. // Generate leak node.
ExplodedNode *N = C.getPredecessor(); ExplodedNode *N = C.getPredecessor();
if (!Errors.empty()) { if (!Errors.empty()) {
static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak"); static CheckerProgramPointTag Tag("MallocChecker", "DeadSymbolsLeak");
N = C.addTransition(C.getState(), C.getPredecessor(), &Tag); N = C.generateNonFatalErrorNode(C.getState(), &Tag);
if (N) {
for (SmallVectorImpl<SymbolRef>::iterator for (SmallVectorImpl<SymbolRef>::iterator
I = Errors.begin(), E = Errors.end(); I != E; ++I) { I = Errors.begin(), E = Errors.end(); I != E; ++I) {
reportLeak(*I, N, C); reportLeak(*I, N, C);
} }
} }
}
C.addTransition(state->set<RegionState>(RS), N); C.addTransition(state->set<RegionState>(RS), N);
} }
void MallocChecker::checkPreCall(const CallEvent &Call, void MallocChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) { if (const CXXDestructorCall *DC = dyn_cast<CXXDestructorCall>(&Call)) {
▲ Show 20 LinesShow All 557 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/NSAutoreleasePoolChecker.cpp

Show First 20 LinesShow All 56 Lines▼ Show 20 Linesvoid NSAutoreleasePoolChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
// Sending 'release' message? // Sending 'release' message?
if (msg.getSelector() != releaseS) if (msg.getSelector() != releaseS)
return; return;
if (!BT) if (!BT)
BT.reset(new BugType(this, "Use -drain instead of -release", BT.reset(new BugType(this, "Use -drain instead of -release",
"API Upgrade (Apple)")); "API Upgrade (Apple)"));
ExplodedNode *N = C.addTransition(); ExplodedNode *N = C.generateNonFatalErrorNode();
if (!N) { if (!N) {
assert(0); assert(0);
return; return;
} }
auto Report = llvm::make_unique<BugReport>( auto Report = llvm::make_unique<BugReport>(
*BT, "Use -drain instead of -release when using NSAutoreleasePool and " *BT, "Use -drain instead of -release when using NSAutoreleasePool and "
"garbage collection", N); "garbage collection", N);
Report->addRange(msg.getSourceRange()); Report->addRange(msg.getSourceRange());
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
} }
void ento::registerNSAutoreleasePoolChecker(CheckerManager &mgr) { void ento::registerNSAutoreleasePoolChecker(CheckerManager &mgr) {
if (mgr.getLangOpts().getGC() != LangOptions::NonGC) if (mgr.getLangOpts().getGC() != LangOptions::NonGC)
mgr.registerChecker<NSAutoreleasePoolChecker>(); mgr.registerChecker<NSAutoreleasePoolChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/NoReturnFunctionChecker.cpp

Show First 20 LinesShow All 75 Lines▼ Show 20 Lines if (const IdentifierInfo *II = CE.getCalleeIdentifier()) {
.Case("_XCAssertionFailureHandler", true) .Case("_XCAssertionFailureHandler", true)
.Case("_DTAssertionFailureHandler", true) .Case("_DTAssertionFailureHandler", true)
.Case("_TSAssertionFailureHandler", true) .Case("_TSAssertionFailureHandler", true)
.Default(false); .Default(false);
} }
} }
if (BuildSinks) if (BuildSinks)
C.generateSink(); C.generateSink(C.getState(), C.getPredecessor());
} }
void NoReturnFunctionChecker::checkPostObjCMessage(const ObjCMethodCall &Msg, void NoReturnFunctionChecker::checkPostObjCMessage(const ObjCMethodCall &Msg,
CheckerContext &C) const { CheckerContext &C) const {
// Check if the method is annotated with analyzer_noreturn. // Check if the method is annotated with analyzer_noreturn.
if (const ObjCMethodDecl *MD = Msg.getDecl()) { if (const ObjCMethodDecl *MD = Msg.getDecl()) {
MD = MD->getCanonicalDecl(); MD = MD->getCanonicalDecl();
if (MD->hasAttr<AnalyzerNoReturnAttr>()) { if (MD->hasAttr<AnalyzerNoReturnAttr>()) {
C.generateSink(); C.generateSink(C.getState(), C.getPredecessor());
return; return;
} }
} }
// HACK: This entire check is to handle two messages in the Cocoa frameworks: // HACK: This entire check is to handle two messages in the Cocoa frameworks:
// -[NSAssertionHandler // -[NSAssertionHandler
// handleFailureInMethod:object:file:lineNumber:description:] // handleFailureInMethod:object:file:lineNumber:description:]
// -[NSAssertionHandler // -[NSAssertionHandler
Show All 29 Lines lazyInitKeywordSelector(HandleFailureInMethodSel, C.getASTContext(),
"handleFailureInMethod", "object", "file", "handleFailureInMethod", "object", "file",
"lineNumber", "description", nullptr); "lineNumber", "description", nullptr);
if (Sel != HandleFailureInMethodSel) if (Sel != HandleFailureInMethodSel)
return; return;
break; break;
} }
// If we got here, it's one of the messages we care about. // If we got here, it's one of the messages we care about.
C.generateSink(); C.generateSink(C.getState(), C.getPredecessor());
} }
void ento::registerNoReturnFunctionChecker(CheckerManager &mgr) { void ento::registerNoReturnFunctionChecker(CheckerManager &mgr) {
mgr.registerChecker<NoReturnFunctionChecker>(); mgr.registerChecker<NoReturnFunctionChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/NonNullParamChecker.cpp

Show First 20 LinesShow All 137 Lines▼ Show 20 Lines for (unsigned idx = 0; idx < NumArgs; ++idx) {
ConstraintManager &CM = C.getConstraintManager(); ConstraintManager &CM = C.getConstraintManager();
ProgramStateRef stateNotNull, stateNull; ProgramStateRef stateNotNull, stateNull;
std::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV); std::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV);
if (stateNull) { if (stateNull) {
if (!stateNotNull) { if (!stateNotNull) {
// Generate an error node. Check for a null node in case // Generate an error node. Check for a null node in case
// we cache out. // we cache out.
if (ExplodedNode *errorNode = C.generateSink(stateNull)) { if (ExplodedNode *errorNode = C.generateErrorNode(stateNull)) {
std::unique_ptr<BugReport> R; std::unique_ptr<BugReport> R;
if (haveAttrNonNull) if (haveAttrNonNull)
R = genReportNullAttrNonNull(errorNode, ArgE); R = genReportNullAttrNonNull(errorNode, ArgE);
else if (haveRefTypeParam) else if (haveRefTypeParam)
R = genReportReferenceToNullPointer(errorNode, ArgE); R = genReportReferenceToNullPointer(errorNode, ArgE);
// Highlight the range of the argument that was null. // Highlight the range of the argument that was null.
R->addRange(Call.getArgSourceRange(idx)); R->addRange(Call.getArgSourceRange(idx));
// Emit the bug report. // Emit the bug report.
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
// Always return. Either we cached out or we just emitted an error. // Always return. Either we cached out or we just emitted an error.
return; return;
} }
if (ExplodedNode *N = C.generateSink(stateNull)) { if (ExplodedNode *N = C.generateSink(stateNull, C.getPredecessor())) {
ImplicitNullDerefEvent event = { ImplicitNullDerefEvent event = {
V, false, N, &C.getBugReporter(), V, false, N, &C.getBugReporter(),
/*IsDirectDereference=*/haveRefTypeParam}; /*IsDirectDereference=*/haveRefTypeParam};
dispatchEvent(event); dispatchEvent(event);
} }
} }
// If a pointer value passed the check we should assume that it is // If a pointer value passed the check we should assume that it is
▲ Show 20 LinesShow All 51 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp

Show First 20 LinesShow All 493 Lines▼ Show 20 Linesvoid NullabilityChecker::checkPreStmt(const ReturnStmt *S,
Nullability StaticNullability = Nullability StaticNullability =
getNullabilityAnnotation(FuncType->getReturnType()); getNullabilityAnnotation(FuncType->getReturnType());
if (Filter.CheckNullReturnedFromNonnull && if (Filter.CheckNullReturnedFromNonnull &&
Nullness == NullConstraint::IsNull && Nullness == NullConstraint::IsNull &&
StaticNullability == Nullability::Nonnull) { StaticNullability == Nullability::Nonnull) {
static CheckerProgramPointTag Tag(this, "NullReturnedFromNonnull"); static CheckerProgramPointTag Tag(this, "NullReturnedFromNonnull");
ExplodedNode *N = C.generateSink(State, C.getPredecessor(), &Tag); ExplodedNode *N = C.generateErrorNode(State, &Tag);
if (!N)
return;
reportBugIfPreconditionHolds(ErrorKind::NilReturnedToNonnull, N, nullptr, C, reportBugIfPreconditionHolds(ErrorKind::NilReturnedToNonnull, N, nullptr, C,
RetExpr); RetExpr);
return; return;
} }
const MemRegion *Region = getTrackRegion(*RetSVal); const MemRegion *Region = getTrackRegion(*RetSVal);
if (!Region) if (!Region)
return; return;
▲ Show 20 LinesShow All 53 Lines▼ Show 20 Lines for (const ParmVarDecl *Param : Call.parameters()) {
Nullability ParamNullability = getNullabilityAnnotation(Param->getType()); Nullability ParamNullability = getNullabilityAnnotation(Param->getType());
Nullability ArgStaticNullability = Nullability ArgStaticNullability =
getNullabilityAnnotation(ArgExpr->getType()); getNullabilityAnnotation(ArgExpr->getType());
if (Filter.CheckNullPassedToNonnull && Nullness == NullConstraint::IsNull && if (Filter.CheckNullPassedToNonnull && Nullness == NullConstraint::IsNull &&
ArgStaticNullability != Nullability::Nonnull && ArgStaticNullability != Nullability::Nonnull &&
ParamNullability == Nullability::Nonnull) { ParamNullability == Nullability::Nonnull) {
ExplodedNode *N = C.generateSink(State); ExplodedNode *N = C.generateErrorNode(State);
if (!N)
return;
reportBugIfPreconditionHolds(ErrorKind::NilPassedToNonnull, N, nullptr, C, reportBugIfPreconditionHolds(ErrorKind::NilPassedToNonnull, N, nullptr, C,
ArgExpr); ArgExpr);
return; return;
} }
const MemRegion *Region = getTrackRegion(*ArgSVal); const MemRegion *Region = getTrackRegion(*ArgSVal);
if (!Region) if (!Region)
continue; continue;
▲ Show 20 LinesShow All 305 Lines▼ Show 20 Lines if (SymbolRef Sym = ValDefOrUnknown->getAsSymbol())
ValNullability = getNullabilityAnnotation(Sym->getType()); ValNullability = getNullabilityAnnotation(Sym->getType());
Nullability LocNullability = getNullabilityAnnotation(LocType); Nullability LocNullability = getNullabilityAnnotation(LocType);
if (Filter.CheckNullPassedToNonnull && if (Filter.CheckNullPassedToNonnull &&
RhsNullness == NullConstraint::IsNull && RhsNullness == NullConstraint::IsNull &&
ValNullability != Nullability::Nonnull && ValNullability != Nullability::Nonnull &&
LocNullability == Nullability::Nonnull) { LocNullability == Nullability::Nonnull) {
static CheckerProgramPointTag Tag(this, "NullPassedToNonnull"); static CheckerProgramPointTag Tag(this, "NullPassedToNonnull");
ExplodedNode *N = C.generateSink(State, C.getPredecessor(), &Tag); ExplodedNode *N = C.generateErrorNode(State, &Tag);
if (!N)
return;
reportBugIfPreconditionHolds(ErrorKind::NilAssignedToNonnull, N, nullptr, C, reportBugIfPreconditionHolds(ErrorKind::NilAssignedToNonnull, N, nullptr, C,
S); S);
return; return;
} }
// Intentionally missing case: '0' is bound to a reference. It is handled by // Intentionally missing case: '0' is bound to a reference. It is handled by
// the DereferenceChecker. // the DereferenceChecker.
const MemRegion *ValueRegion = getTrackRegion(*ValDefOrUnknown); const MemRegion *ValueRegion = getTrackRegion(*ValDefOrUnknown);
▲ Show 20 LinesShow All 75 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ObjCAtSyncChecker.cpp

Show All 37 Linesvoid ObjCAtSyncChecker::checkPreStmt(const ObjCAtSynchronizedStmt *S,
CheckerContext &C) const { CheckerContext &C) const {
const Expr *Ex = S->getSynchExpr(); const Expr *Ex = S->getSynchExpr();
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
SVal V = state->getSVal(Ex, C.getLocationContext()); SVal V = state->getSVal(Ex, C.getLocationContext());
// Uninitialized value used for the mutex? // Uninitialized value used for the mutex?
if (V.getAs<UndefinedVal>()) { if (V.getAs<UndefinedVal>()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT_undef) if (!BT_undef)
BT_undef.reset(new BuiltinBug(this, "Uninitialized value used as mutex " BT_undef.reset(new BuiltinBug(this, "Uninitialized value used as mutex "
"for @synchronized")); "for @synchronized"));
auto report = auto report =
llvm::make_unique<BugReport>(*BT_undef, BT_undef->getDescription(), N); llvm::make_unique<BugReport>(*BT_undef, BT_undef->getDescription(), N);
bugreporter::trackNullOrUndefValue(N, Ex, *report); bugreporter::trackNullOrUndefValue(N, Ex, *report);
C.emitReport(std::move(report)); C.emitReport(std::move(report));
} }
return; return;
} }
if (V.isUnknown()) if (V.isUnknown())
return; return;
// Check for null mutexes. // Check for null mutexes.
ProgramStateRef notNullState, nullState; ProgramStateRef notNullState, nullState;
std::tie(notNullState, nullState) = state->assume(V.castAs<DefinedSVal>()); std::tie(notNullState, nullState) = state->assume(V.castAs<DefinedSVal>());
if (nullState) { if (nullState) {
if (!notNullState) { if (!notNullState) {
// Generate an error node. This isn't a sink since // Generate an error node. This isn't a sink since
// a null mutex just means no synchronization occurs. // a null mutex just means no synchronization occurs.
if (ExplodedNode *N = C.addTransition(nullState)) { if (ExplodedNode *N = C.generateNonFatalErrorNode(nullState)) {
if (!BT_null) if (!BT_null)
BT_null.reset(new BuiltinBug( BT_null.reset(new BuiltinBug(
this, "Nil value used as mutex for @synchronized() " this, "Nil value used as mutex for @synchronized() "
"(no synchronization will occur)")); "(no synchronization will occur)"));
auto report = auto report =
llvm::make_unique<BugReport>(*BT_null, BT_null->getDescription(), N); llvm::make_unique<BugReport>(*BT_null, BT_null->getDescription(), N);
bugreporter::trackNullOrUndefValue(N, Ex, *report); bugreporter::trackNullOrUndefValue(N, Ex, *report);
Show All 17 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ObjCContainersChecker.cpp

Show First 20 LinesShow All 133 Lines▼ Show 20 Lines if (IdxVal.isUnknownOrUndef())
return; return;
DefinedSVal Idx = IdxVal.castAs<DefinedSVal>(); DefinedSVal Idx = IdxVal.castAs<DefinedSVal>();
// Now, check if 'Idx in [0, Size-1]'. // Now, check if 'Idx in [0, Size-1]'.
const QualType T = IdxExpr->getType(); const QualType T = IdxExpr->getType();
ProgramStateRef StInBound = State->assumeInBound(Idx, *Size, true, T); ProgramStateRef StInBound = State->assumeInBound(Idx, *Size, true, T);
ProgramStateRef StOutBound = State->assumeInBound(Idx, *Size, false, T); ProgramStateRef StOutBound = State->assumeInBound(Idx, *Size, false, T);
if (StOutBound && !StInBound) { if (StOutBound && !StInBound) {
ExplodedNode *N = C.generateSink(StOutBound); ExplodedNode *N = C.generateErrorNode(StOutBound);
if (!N) if (!N)
return; return;
initBugType(); initBugType();
auto R = llvm::make_unique<BugReport>(*BT, "Index is out of bounds", N); auto R = llvm::make_unique<BugReport>(*BT, "Index is out of bounds", N);
R->addRange(IdxExpr->getSourceRange()); R->addRange(IdxExpr->getSourceRange());
C.emitReport(std::move(R)); C.emitReport(std::move(R));
return; return;
} }
Show All 25 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ObjCSelfInitChecker.cpp

Show First 20 LinesShow All 147 Lines▼ Show 20 Linesvoid ObjCSelfInitChecker::checkForInvalidSelf(const Expr *E, CheckerContext &C,
if (!C.getState()->get<CalledInit>()) if (!C.getState()->get<CalledInit>())
return; return;
if (!isInvalidSelf(E, C)) if (!isInvalidSelf(E, C))
return; return;
// Generate an error node. // Generate an error node.
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset(new BugType(this, "Missing \"self = [(super or self) init...]\"", BT.reset(new BugType(this, "Missing \"self = [(super or self) init...]\"",
categories::CoreFoundationObjectiveC)); categories::CoreFoundationObjectiveC));
C.emitReport(llvm::make_unique<BugReport>(*BT, errorStr, N)); C.emitReport(llvm::make_unique<BugReport>(*BT, errorStr, N));
} }
▲ Show 20 LinesShow All 278 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/PointerArithChecker.cpp

Show First 20 LinesShow All 45 Lines▼ Show 20 Linesvoid PointerArithChecker::checkPreStmt(const BinaryOperator *B,
if (!LR || !RV.isConstant()) if (!LR || !RV.isConstant())
return; return;
// If pointer arithmetic is done on variables of non-array type, this often // If pointer arithmetic is done on variables of non-array type, this often
// means behavior rely on memory organization, which is dangerous. // means behavior rely on memory organization, which is dangerous.
if (isa<VarRegion>(LR) || isa<CodeTextRegion>(LR) || if (isa<VarRegion>(LR) || isa<CodeTextRegion>(LR) ||
isa<CompoundLiteralRegion>(LR)) { isa<CompoundLiteralRegion>(LR)) {
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
if (!BT) if (!BT)
BT.reset( BT.reset(
new BuiltinBug(this, "Dangerous pointer arithmetic", new BuiltinBug(this, "Dangerous pointer arithmetic",
"Pointer arithmetic done on non-array variables " "Pointer arithmetic done on non-array variables "
"means reliance on memory layout, which is " "means reliance on memory layout, which is "
"dangerous.")); "dangerous."));
auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N); auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N);
R->addRange(B->getSourceRange()); R->addRange(B->getSourceRange());
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
} }
void ento::registerPointerArithChecker(CheckerManager &mgr) { void ento::registerPointerArithChecker(CheckerManager &mgr) {
mgr.registerChecker<PointerArithChecker>(); mgr.registerChecker<PointerArithChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/PointerSubChecker.cpp

Show First 20 LinesShow All 54 Lines▼ Show 20 Linesvoid PointerSubChecker::checkPreStmt(const BinaryOperator *B,
if (BaseLR == BaseRR) if (BaseLR == BaseRR)
return; return;
// Allow arithmetic on different symbolic regions. // Allow arithmetic on different symbolic regions.
if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR)) if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR))
return; return;
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
if (!BT) if (!BT)
BT.reset( BT.reset(
new BuiltinBug(this, "Pointer subtraction", new BuiltinBug(this, "Pointer subtraction",
"Subtraction of two pointers that do not point to " "Subtraction of two pointers that do not point to "
"the same memory chunk may cause incorrect result.")); "the same memory chunk may cause incorrect result."));
auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N); auto R = llvm::make_unique<BugReport>(*BT, BT->getDescription(), N);
R->addRange(B->getSourceRange()); R->addRange(B->getSourceRange());
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
} }
void ento::registerPointerSubChecker(CheckerManager &mgr) { void ento::registerPointerSubChecker(CheckerManager &mgr) {
mgr.registerChecker<PointerSubChecker>(); mgr.registerChecker<PointerSubChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp

Show First 20 LinesShow All 136 Lines▼ Show 20 Linesvoid PthreadLockChecker::AcquireLock(CheckerContext &C, const CallExpr *CE,
DefinedSVal retVal = X.castAs<DefinedSVal>(); DefinedSVal retVal = X.castAs<DefinedSVal>();
if (const LockState *LState = state->get<LockMap>(lockR)) { if (const LockState *LState = state->get<LockMap>(lockR)) {
if (LState->isLocked()) { if (LState->isLocked()) {
if (!BT_doublelock) if (!BT_doublelock)
BT_doublelock.reset(new BugType(this, "Double locking", BT_doublelock.reset(new BugType(this, "Double locking",
"Lock checker")); "Lock checker"));
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
auto report = llvm::make_unique<BugReport>( auto report = llvm::make_unique<BugReport>(
*BT_doublelock, "This lock has already been acquired", N); *BT_doublelock, "This lock has already been acquired", N);
report->addRange(CE->getArg(0)->getSourceRange()); report->addRange(CE->getArg(0)->getSourceRange());
C.emitReport(std::move(report)); C.emitReport(std::move(report));
return; return;
} else if (LState->isDestroyed()) { } else if (LState->isDestroyed()) {
▲ Show 20 LinesShow All 45 Lines▼ Show 20 Linesvoid PthreadLockChecker::ReleaseLock(CheckerContext &C, const CallExpr *CE,
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
if (const LockState *LState = state->get<LockMap>(lockR)) { if (const LockState *LState = state->get<LockMap>(lockR)) {
if (LState->isUnlocked()) { if (LState->isUnlocked()) {
if (!BT_doubleunlock) if (!BT_doubleunlock)
BT_doubleunlock.reset(new BugType(this, "Double unlocking", BT_doubleunlock.reset(new BugType(this, "Double unlocking",
"Lock checker")); "Lock checker"));
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
auto Report = llvm::make_unique<BugReport>( auto Report = llvm::make_unique<BugReport>(
*BT_doubleunlock, "This lock has already been unlocked", N); *BT_doubleunlock, "This lock has already been unlocked", N);
Report->addRange(CE->getArg(0)->getSourceRange()); Report->addRange(CE->getArg(0)->getSourceRange());
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
return; return;
} else if (LState->isDestroyed()) { } else if (LState->isDestroyed()) {
reportUseDestroyedBug(C, CE); reportUseDestroyedBug(C, CE);
return; return;
} }
} }
LockSetTy LS = state->get<LockSet>(); LockSetTy LS = state->get<LockSet>();
// FIXME: Better analysis requires IPA for wrappers. // FIXME: Better analysis requires IPA for wrappers.
if (!LS.isEmpty()) { if (!LS.isEmpty()) {
const MemRegion *firstLockR = LS.getHead(); const MemRegion *firstLockR = LS.getHead();
if (firstLockR != lockR) { if (firstLockR != lockR) {
if (!BT_lor) if (!BT_lor)
BT_lor.reset(new BugType(this, "Lock order reversal", "Lock checker")); BT_lor.reset(new BugType(this, "Lock order reversal", "Lock checker"));
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
auto report = llvm::make_unique<BugReport>( auto report = llvm::make_unique<BugReport>(
*BT_lor, "This was not the most recently acquired lock. Possible " *BT_lor, "This was not the most recently acquired lock. Possible "
"lock order reversal", N); "lock order reversal", N);
report->addRange(CE->getArg(0)->getSourceRange()); report->addRange(CE->getArg(0)->getSourceRange());
C.emitReport(std::move(report)); C.emitReport(std::move(report));
return; return;
Show All 28 Lines if (LState->isLocked()) {
Message = "This lock is still locked"; Message = "This lock is still locked";
} else { } else {
Message = "This lock has already been destroyed"; Message = "This lock has already been destroyed";
} }
if (!BT_destroylock) if (!BT_destroylock)
BT_destroylock.reset(new BugType(this, "Destroy invalid lock", BT_destroylock.reset(new BugType(this, "Destroy invalid lock",
"Lock checker")); "Lock checker"));
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
auto Report = llvm::make_unique<BugReport>(*BT_destroylock, Message, N); auto Report = llvm::make_unique<BugReport>(*BT_destroylock, Message, N);
Report->addRange(CE->getArg(0)->getSourceRange()); Report->addRange(CE->getArg(0)->getSourceRange());
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
} }
void PthreadLockChecker::InitLock(CheckerContext &C, const CallExpr *CE, void PthreadLockChecker::InitLock(CheckerContext &C, const CallExpr *CE,
Show All 18 Lines if (LState->isLocked()) {
Message = "This lock is still being held"; Message = "This lock is still being held";
} else { } else {
Message = "This lock has already been initialized"; Message = "This lock has already been initialized";
} }
if (!BT_initlock) if (!BT_initlock)
BT_initlock.reset(new BugType(this, "Init invalid lock", BT_initlock.reset(new BugType(this, "Init invalid lock",
"Lock checker")); "Lock checker"));
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
auto Report = llvm::make_unique<BugReport>(*BT_initlock, Message, N); auto Report = llvm::make_unique<BugReport>(*BT_initlock, Message, N);
Report->addRange(CE->getArg(0)->getSourceRange()); Report->addRange(CE->getArg(0)->getSourceRange());
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
} }
void PthreadLockChecker::reportUseDestroyedBug(CheckerContext &C, void PthreadLockChecker::reportUseDestroyedBug(CheckerContext &C,
const CallExpr *CE) const { const CallExpr *CE) const {
if (!BT_destroylock) if (!BT_destroylock)
BT_destroylock.reset(new BugType(this, "Use destroyed lock", BT_destroylock.reset(new BugType(this, "Use destroyed lock",
"Lock checker")); "Lock checker"));
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
auto Report = llvm::make_unique<BugReport>( auto Report = llvm::make_unique<BugReport>(
*BT_destroylock, "This lock has already been destroyed", N); *BT_destroylock, "This lock has already been destroyed", N);
Report->addRange(CE->getArg(0)->getSourceRange()); Report->addRange(CE->getArg(0)->getSourceRange());
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
} }
void ento::registerPthreadLockChecker(CheckerManager &mgr) { void ento::registerPthreadLockChecker(CheckerManager &mgr) {
mgr.registerChecker<PthreadLockChecker>(); mgr.registerChecker<PthreadLockChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp

Show First 20 LinesShow All 3,300 Lines▼ Show 20 Linesvoid RetainCountChecker::processNonLeakError(ProgramStateRef St,
// [_contentView retain]; // [_contentView retain];
// [_contentView removeFromSuperview]; // [_contentView removeFromSuperview];
// [self addSubview:_contentView]; // invalidates 'self' // [self addSubview:_contentView]; // invalidates 'self'
// [_contentView release]; // [_contentView release];
if (const RefVal *RV = getRefBinding(St, Sym)) if (const RefVal *RV = getRefBinding(St, Sym))
if (RV->getIvarAccessHistory() != RefVal::IvarAccessHistory::None) if (RV->getIvarAccessHistory() != RefVal::IvarAccessHistory::None)
return; return;
ExplodedNode *N = C.generateSink(St); ExplodedNode *N = C.generateErrorNode(St);
if (!N) if (!N)
return; return;
CFRefBug *BT; CFRefBug *BT;
switch (ErrorKind) { switch (ErrorKind) {
default: default:
llvm_unreachable("Unhandled error."); llvm_unreachable("Unhandled error.");
case RefVal::ErrorUseAfterRelease: case RefVal::ErrorUseAfterRelease:
▲ Show 20 LinesShow All 708 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp

Show First 20 LinesShow All 56 Lines▼ Show 20 Linesvoid ReturnPointerRangeChecker::checkPreStmt(const ReturnStmt *RS,
DefinedOrUnknownSVal NumElements DefinedOrUnknownSVal NumElements
= C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(), = C.getStoreManager().getSizeInElements(state, ER->getSuperRegion(),
ER->getValueType()); ER->getValueType());
ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true); ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false); ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false);
if (StOutBound && !StInBound) { if (StOutBound && !StInBound) {
ExplodedNode *N = C.generateSink(StOutBound); ExplodedNode *N = C.generateErrorNode(StOutBound);
if (!N) if (!N)
return; return;
// FIXME: This bug correspond to CWE-466. Eventually we should have bug // FIXME: This bug correspond to CWE-466. Eventually we should have bug
// types explicitly reference such exploit categories (when applicable). // types explicitly reference such exploit categories (when applicable).
if (!BT) if (!BT)
BT.reset(new BuiltinBug( BT.reset(new BuiltinBug(
Show All 19 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ReturnUndefChecker.cpp

Show First 20 LinesShow All 74 Lines▼ Show 20 Linesvoid ReturnUndefChecker::checkPreStmt(const ReturnStmt *RS,
if (RT->isReferenceType()) { if (RT->isReferenceType()) {
checkReference(C, RetE, RetVal.castAs<DefinedOrUnknownSVal>()); checkReference(C, RetE, RetVal.castAs<DefinedOrUnknownSVal>());
return; return;
} }
} }
static void emitBug(CheckerContext &C, BuiltinBug &BT, const Expr *RetE, static void emitBug(CheckerContext &C, BuiltinBug &BT, const Expr *RetE,
const Expr *TrackingE = nullptr) { const Expr *TrackingE = nullptr) {
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
auto Report = llvm::make_unique<BugReport>(BT, BT.getDescription(), N); auto Report = llvm::make_unique<BugReport>(BT, BT.getDescription(), N);
Report->addRange(RetE->getSourceRange()); Report->addRange(RetE->getSourceRange());
bugreporter::trackNullOrUndefValue(N, TrackingE ? TrackingE : RetE, *Report); bugreporter::trackNullOrUndefValue(N, TrackingE ? TrackingE : RetE, *Report);
Show All 32 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp

Show First 20 LinesShow All 194 Lines▼ Show 20 Lines for (StreamMapTy::iterator I = TrackedStreams.begin(),
if (isLeaked(Sym, I->second, IsSymDead, State)) if (isLeaked(Sym, I->second, IsSymDead, State))
LeakedStreams.push_back(Sym); LeakedStreams.push_back(Sym);
// Remove the dead symbol from the streams map. // Remove the dead symbol from the streams map.
if (IsSymDead) if (IsSymDead)
State = State->remove<StreamMap>(Sym); State = State->remove<StreamMap>(Sym);
} }
ExplodedNode *N = C.addTransition(State); ExplodedNode *N = C.generateNonFatalErrorNode(State);
if (!N)
return;
reportLeaks(LeakedStreams, C, N); reportLeaks(LeakedStreams, C, N);
} }
void SimpleStreamChecker::reportDoubleClose(SymbolRef FileDescSym, void SimpleStreamChecker::reportDoubleClose(SymbolRef FileDescSym,
const CallEvent &Call, const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
// We reached a bug, stop exploring the path here by generating a sink. // We reached a bug, stop exploring the path here by generating a sink.
ExplodedNode *ErrNode = C.generateSink(); ExplodedNode *ErrNode = C.generateErrorNode();
// If we've already reached this node on another path, return. // If we've already reached this node on another path, return.
if (!ErrNode) if (!ErrNode)
return; return;
// Generate the report. // Generate the report.
auto R = llvm::make_unique<BugReport>(*DoubleCloseBugType, auto R = llvm::make_unique<BugReport>(*DoubleCloseBugType,
"Closing a previously closed file stream", ErrNode); "Closing a previously closed file stream", ErrNode);
R->addRange(Call.getSourceRange()); R->addRange(Call.getSourceRange());
▲ Show 20 LinesShow All 66 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp

Show First 20 LinesShow All 88 Lines▼ Show 20 Lines else {
llvm_unreachable("Invalid region in ReturnStackAddressChecker."); llvm_unreachable("Invalid region in ReturnStackAddressChecker.");
} }
return range; return range;
} }
void StackAddrEscapeChecker::EmitStackError(CheckerContext &C, const MemRegion *R, void StackAddrEscapeChecker::EmitStackError(CheckerContext &C, const MemRegion *R,
const Expr *RetE) const { const Expr *RetE) const {
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
if (!BT_returnstack) if (!BT_returnstack)
BT_returnstack.reset( BT_returnstack.reset(
new BuiltinBug(this, "Return of address to stack-allocated memory")); new BuiltinBug(this, "Return of address to stack-allocated memory"));
▲ Show 20 LinesShow All 100 Lines▼ Show 20 Linesvoid StackAddrEscapeChecker::checkEndFunction(CheckerContext &Ctx) const {
CallBack cb(Ctx); CallBack cb(Ctx);
state->getStateManager().getStoreManager().iterBindings(state->getStore(),cb); state->getStateManager().getStoreManager().iterBindings(state->getStore(),cb);
if (cb.V.empty()) if (cb.V.empty())
return; return;
// Generate an error node. // Generate an error node.
ExplodedNode *N = Ctx.addTransition(state); ExplodedNode *N = Ctx.generateNonFatalErrorNode(state);
if (!N) if (!N)
return; return;
if (!BT_stackleak) if (!BT_stackleak)
BT_stackleak.reset( BT_stackleak.reset(
new BuiltinBug(this, "Stack address stored into global variable", new BuiltinBug(this, "Stack address stored into global variable",
"Stack address was saved into a global variable. " "Stack address was saved into a global variable. "
"This is dangerous because the address will become " "This is dangerous because the address will become "
Show All 22 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

Show First 20 LinesShow All 265 Lines▼ Show 20 Linesvoid StreamChecker::Fseek(CheckerContext &C, const CallExpr *CE) const {
if (!CI) if (!CI)
return; return;
int64_t x = CI->getValue().getSExtValue(); int64_t x = CI->getValue().getSExtValue();
if (x >= 0 && x <= 2) if (x >= 0 && x <= 2)
return; return;
if (ExplodedNode *N = C.addTransition(state)) { if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
if (!BT_illegalwhence) if (!BT_illegalwhence)
BT_illegalwhence.reset( BT_illegalwhence.reset(
new BuiltinBug(this, "Illegal whence argument", new BuiltinBug(this, "Illegal whence argument",
"The whence argument to fseek() should be " "The whence argument to fseek() should be "
"SEEK_SET, SEEK_END, or SEEK_CUR.")); "SEEK_SET, SEEK_END, or SEEK_CUR."));
C.emitReport(llvm::make_unique<BugReport>( C.emitReport(llvm::make_unique<BugReport>(
*BT_illegalwhence, BT_illegalwhence->getDescription(), N)); *BT_illegalwhence, BT_illegalwhence->getDescription(), N));
} }
▲ Show 20 LinesShow All 61 Lines▼ Show 20 LinesProgramStateRef StreamChecker::CheckNullStream(SVal SV, ProgramStateRef state,
if (!DV) if (!DV)
return nullptr; return nullptr;
ConstraintManager &CM = C.getConstraintManager(); ConstraintManager &CM = C.getConstraintManager();
ProgramStateRef stateNotNull, stateNull; ProgramStateRef stateNotNull, stateNull;
std::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV); std::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV);
if (!stateNotNull && stateNull) { if (!stateNotNull && stateNull) {
if (ExplodedNode *N = C.generateSink(stateNull)) { if (ExplodedNode *N = C.generateErrorNode(stateNull)) {
if (!BT_nullfp) if (!BT_nullfp)
BT_nullfp.reset(new BuiltinBug(this, "NULL stream pointer", BT_nullfp.reset(new BuiltinBug(this, "NULL stream pointer",
"Stream pointer might be NULL.")); "Stream pointer might be NULL."));
C.emitReport(llvm::make_unique<BugReport>( C.emitReport(llvm::make_unique<BugReport>(
*BT_nullfp, BT_nullfp->getDescription(), N)); *BT_nullfp, BT_nullfp->getDescription(), N));
} }
return nullptr; return nullptr;
} }
Show All 12 LinesProgramStateRef StreamChecker::CheckDoubleClose(const CallExpr *CE,
// If the file stream is not tracked, return. // If the file stream is not tracked, return.
if (!SS) if (!SS)
return state; return state;
// Check: Double close a File Descriptor could cause undefined behaviour. // Check: Double close a File Descriptor could cause undefined behaviour.
// Conforming to man-pages // Conforming to man-pages
if (SS->isClosed()) { if (SS->isClosed()) {
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (N) { if (N) {
if (!BT_doubleclose) if (!BT_doubleclose)
BT_doubleclose.reset(new BuiltinBug( BT_doubleclose.reset(new BuiltinBug(
this, "Double fclose", "Try to close a file Descriptor already" this, "Double fclose", "Try to close a file Descriptor already"
" closed. Cause undefined behaviour.")); " closed. Cause undefined behaviour."));
C.emitReport(llvm::make_unique<BugReport>( C.emitReport(llvm::make_unique<BugReport>(
*BT_doubleclose, BT_doubleclose->getDescription(), N)); *BT_doubleclose, BT_doubleclose->getDescription(), N));
} }
Show All 11 Lines for (SymbolReaper::dead_iterator I = SymReaper.dead_begin(),
E = SymReaper.dead_end(); I != E; ++I) { E = SymReaper.dead_end(); I != E; ++I) {
SymbolRef Sym = *I; SymbolRef Sym = *I;
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const StreamState *SS = state->get<StreamMap>(Sym); const StreamState *SS = state->get<StreamMap>(Sym);
if (!SS) if (!SS)
continue; continue;
if (SS->isOpened()) { if (SS->isOpened()) {
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (N) { if (N) {
if (!BT_ResourceLeak) if (!BT_ResourceLeak)
BT_ResourceLeak.reset(new BuiltinBug( BT_ResourceLeak.reset(new BuiltinBug(
this, "Resource Leak", this, "Resource Leak",
"Opened File never closed. Potential Resource leak.")); "Opened File never closed. Potential Resource leak."));
C.emitReport(llvm::make_unique<BugReport>( C.emitReport(llvm::make_unique<BugReport>(
*BT_ResourceLeak, BT_ResourceLeak->getDescription(), N)); *BT_ResourceLeak, BT_ResourceLeak->getDescription(), N));
} }
} }
} }
} }
void ento::registerStreamChecker(CheckerManager &mgr) { void ento::registerStreamChecker(CheckerManager &mgr) {
mgr.registerChecker<StreamChecker>(); mgr.registerChecker<StreamChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp

Show First 20 LinesShow All 42 Lines▼ Show 20 Lines
void TaintTesterChecker::checkPostStmt(const Expr *E, void TaintTesterChecker::checkPostStmt(const Expr *E,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (!State) if (!State)
return; return;
if (State->isTainted(E, C.getLocationContext())) { if (State->isTainted(E, C.getLocationContext())) {
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.generateNonFatalErrorNode()) {
initBugType(); initBugType();
auto report = llvm::make_unique<BugReport>(*BT, "tainted",N); auto report = llvm::make_unique<BugReport>(*BT, "tainted",N);
report->addRange(E->getSourceRange()); report->addRange(E->getSourceRange());
C.emitReport(std::move(report)); C.emitReport(std::move(report));
} }
} }
} }
void ento::registerTaintTesterChecker(CheckerManager &mgr) { void ento::registerTaintTesterChecker(CheckerManager &mgr) {
mgr.registerChecker<TaintTesterChecker>(); mgr.registerChecker<TaintTesterChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/TestAfterDivZeroChecker.cpp

Show First 20 LinesShow All 161 Lines▼ Show 20 Linesbool TestAfterDivZeroChecker::hasDivZeroMap(SVal Var,
if (!SR) if (!SR)
return false; return false;
ZeroState ZS(SR, C.getBlockID(), C.getStackFrame()); ZeroState ZS(SR, C.getBlockID(), C.getStackFrame());
return C.getState()->contains<DivZeroMap>(ZS); return C.getState()->contains<DivZeroMap>(ZS);
} }
void TestAfterDivZeroChecker::reportBug(SVal Val, CheckerContext &C) const { void TestAfterDivZeroChecker::reportBug(SVal Val, CheckerContext &C) const {
if (ExplodedNode *N = C.generateSink(C.getState())) { if (ExplodedNode *N = C.generateErrorNode(C.getState())) {
if (!DivZeroBug) if (!DivZeroBug)
DivZeroBug.reset(new BuiltinBug(this, "Division by zero")); DivZeroBug.reset(new BuiltinBug(this, "Division by zero"));
auto R = llvm::make_unique<BugReport>( auto R = llvm::make_unique<BugReport>(
*DivZeroBug, "Value being compared against zero has already been used " *DivZeroBug, "Value being compared against zero has already been used "
"for division", "for division",
N); N);
▲ Show 20 LinesShow All 87 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UndefBranchChecker.cpp

Show First 20 LinesShow All 56 Lines▼ Show 20 Lines
} }
void UndefBranchChecker::checkBranchCondition(const Stmt *Condition, void UndefBranchChecker::checkBranchCondition(const Stmt *Condition,
CheckerContext &Ctx) const { CheckerContext &Ctx) const {
SVal X = Ctx.getState()->getSVal(Condition, Ctx.getLocationContext()); SVal X = Ctx.getState()->getSVal(Condition, Ctx.getLocationContext());
if (X.isUndef()) { if (X.isUndef()) {
// Generate a sink node, which implicitly marks both outgoing branches as // Generate a sink node, which implicitly marks both outgoing branches as
// infeasible. // infeasible.
ExplodedNode *N = Ctx.generateSink(); ExplodedNode *N = Ctx.generateErrorNode();
if (N) { if (N) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug( BT.reset(new BuiltinBug(
this, "Branch condition evaluates to a garbage value")); this, "Branch condition evaluates to a garbage value"));
// What's going on here: we want to highlight the subexpression of the // What's going on here: we want to highlight the subexpression of the
// condition that is the most likely source of the "uninitialized // condition that is the most likely source of the "uninitialized
// branch condition." We do a recursive walk of the condition's // branch condition." We do a recursive walk of the condition's
Show All 37 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UndefCapturedBlockVarChecker.cpp

Show First 20 LinesShow All 68 Lines▼ Show 20 Lines for (; I != E; ++I) {
const VarDecl *VD = VR->getDecl(); const VarDecl *VD = VR->getDecl();
if (VD->hasAttr<BlocksAttr>() || !VD->hasLocalStorage()) if (VD->hasAttr<BlocksAttr>() || !VD->hasLocalStorage())
continue; continue;
// Get the VarRegion associated with VD in the local stack frame. // Get the VarRegion associated with VD in the local stack frame.
if (Optional<UndefinedVal> V = if (Optional<UndefinedVal> V =
state->getSVal(I.getOriginalRegion()).getAs<UndefinedVal>()) { state->getSVal(I.getOriginalRegion()).getAs<UndefinedVal>()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateErrorNode()) {
if (!BT) if (!BT)
BT.reset( BT.reset(
new BuiltinBug(this, "uninitialized variable captured by block")); new BuiltinBug(this, "uninitialized variable captured by block"));
// Generate a bug report. // Generate a bug report.
SmallString<128> buf; SmallString<128> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
Show All 19 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp

Show First 20 LinesShow All 44 Lines▼ Show 20 Lines if (state->getSVal(B, LCtx).isUndef()) {
// This should allow to swap partially uninitialized structs // This should allow to swap partially uninitialized structs
// (radar://14129997) // (radar://14129997)
if (const FunctionDecl *EnclosingFunctionDecl = if (const FunctionDecl *EnclosingFunctionDecl =
dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl())) dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
if (C.getCalleeName(EnclosingFunctionDecl) == "swap") if (C.getCalleeName(EnclosingFunctionDecl) == "swap")
return; return;
// Generate an error node. // Generate an error node.
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset( BT.reset(
new BuiltinBug(this, "Result of operation is garbage or undefined")); new BuiltinBug(this, "Result of operation is garbage or undefined"));
SmallString<256> sbuf; SmallString<256> sbuf;
Show All 40 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UndefinedArraySubscriptChecker.cpp

Show All 40 LinesUndefinedArraySubscriptChecker::checkPreStmt(const ArraySubscriptExpr *A,
// Sema generates anonymous array variables for copying array struct fields. // Sema generates anonymous array variables for copying array struct fields.
// Don't warn if we're in an implicitly-generated constructor. // Don't warn if we're in an implicitly-generated constructor.
const Decl *D = C.getLocationContext()->getDecl(); const Decl *D = C.getLocationContext()->getDecl();
if (const CXXConstructorDecl *Ctor = dyn_cast<CXXConstructorDecl>(D)) if (const CXXConstructorDecl *Ctor = dyn_cast<CXXConstructorDecl>(D))
if (Ctor->isDefaulted()) if (Ctor->isDefaulted())
return; return;
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug(this, "Array subscript is undefined")); BT.reset(new BuiltinBug(this, "Array subscript is undefined"));
// Generate a report for this bug. // Generate a report for this bug.
auto R = llvm::make_unique<BugReport>(*BT, BT->getName(), N); auto R = llvm::make_unique<BugReport>(*BT, BT->getName(), N);
R->addRange(A->getIdx()->getSourceRange()); R->addRange(A->getIdx()->getSourceRange());
bugreporter::trackNullOrUndefValue(N, A->getIdx(), *R); bugreporter::trackNullOrUndefValue(N, A->getIdx(), *R);
C.emitReport(std::move(R)); C.emitReport(std::move(R));
} }
void ento::registerUndefinedArraySubscriptChecker(CheckerManager &mgr) { void ento::registerUndefinedArraySubscriptChecker(CheckerManager &mgr) {
mgr.registerChecker<UndefinedArraySubscriptChecker>(); mgr.registerChecker<UndefinedArraySubscriptChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/UndefinedAssignmentChecker.cpp

Show All 40 Linesvoid UndefinedAssignmentChecker::checkBind(SVal location, SVal val,
// Do not report assignments of uninitialized values inside swap functions. // Do not report assignments of uninitialized values inside swap functions.
// This should allow to swap partially uninitialized structs // This should allow to swap partially uninitialized structs
// (radar://14129997) // (radar://14129997)
if (const FunctionDecl *EnclosingFunctionDecl = if (const FunctionDecl *EnclosingFunctionDecl =
dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl())) dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
if (C.getCalleeName(EnclosingFunctionDecl) == "swap") if (C.getCalleeName(EnclosingFunctionDecl) == "swap")
return; return;
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateErrorNode();
if (!N) if (!N)
return; return;
const char *str = "Assigned value is garbage or undefined"; const char *str = "Assigned value is garbage or undefined";
if (!BT) if (!BT)
BT.reset(new BuiltinBug(this, str)); BT.reset(new BuiltinBug(this, str));
Show All 39 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UnixAPIChecker.cpp

Show First 20 LinesShow All 71 Lines▼ Show 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// "open" (man 2 open) // "open" (man 2 open)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void UnixAPIChecker::ReportOpenBug(CheckerContext &C, void UnixAPIChecker::ReportOpenBug(CheckerContext &C,
ProgramStateRef State, ProgramStateRef State,
const char *Msg, const char *Msg,
SourceRange SR) const { SourceRange SR) const {
ExplodedNode *N = C.generateSink(State); ExplodedNode *N = C.generateErrorNode(State);
if (!N) if (!N)
return; return;
LazyInitialize(BT_open, "Improper use of 'open'"); LazyInitialize(BT_open, "Improper use of 'open'");
auto Report = llvm::make_unique<BugReport>(*BT_open, Msg, N); auto Report = llvm::make_unique<BugReport>(*BT_open, Msg, N);
Report->addRange(SR); Report->addRange(SR);
C.emitReport(std::move(Report)); C.emitReport(std::move(Report));
▲ Show 20 LinesShow All 88 Lines▼ Show 20 Linesvoid UnixAPIChecker::CheckPthreadOnce(CheckerContext &C,
// Check if the first argument is stack allocated. If so, issue a warning // Check if the first argument is stack allocated. If so, issue a warning
// because that's likely to be bad news. // because that's likely to be bad news.
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
const MemRegion *R = const MemRegion *R =
state->getSVal(CE->getArg(0), C.getLocationContext()).getAsRegion(); state->getSVal(CE->getArg(0), C.getLocationContext()).getAsRegion();
if (!R || !isa<StackSpaceRegion>(R->getMemorySpace())) if (!R || !isa<StackSpaceRegion>(R->getMemorySpace()))
return; return;
ExplodedNode *N = C.generateSink(state); ExplodedNode *N = C.generateErrorNode(state);
if (!N) if (!N)
return; return;
SmallString<256> S; SmallString<256> S;
llvm::raw_svector_ostream os(S); llvm::raw_svector_ostream os(S);
os << "Call to 'pthread_once' uses"; os << "Call to 'pthread_once' uses";
if (const VarRegion *VR = dyn_cast<VarRegion>(R)) if (const VarRegion *VR = dyn_cast<VarRegion>(R))
os << " the local variable '" << VR->getDecl()->getName() << '\''; os << " the local variable '" << VR->getDecl()->getName() << '\'';
Show All 32 Lines
// Generates an error report, indicating that the function whose name is given // Generates an error report, indicating that the function whose name is given
// will perform a zero byte allocation. // will perform a zero byte allocation.
// Returns false if an error occurred, true otherwise. // Returns false if an error occurred, true otherwise.
bool UnixAPIChecker::ReportZeroByteAllocation(CheckerContext &C, bool UnixAPIChecker::ReportZeroByteAllocation(CheckerContext &C,
ProgramStateRef falseState, ProgramStateRef falseState,
const Expr *arg, const Expr *arg,
const char *fn_name) const { const char *fn_name) const {
ExplodedNode *N = C.generateSink(falseState); ExplodedNode *N = C.generateErrorNode(falseState);
if (!N) if (!N)
return false; return false;
LazyInitialize(BT_mallocZero, LazyInitialize(BT_mallocZero,
"Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)"); "Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)");
SmallString<256> S; SmallString<256> S;
llvm::raw_svector_ostream os(S); llvm::raw_svector_ostream os(S);
▲ Show 20 LinesShow All 140 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp

Show All 40 Lines
}; };
} // end anonymous namespace } // end anonymous namespace
void VLASizeChecker::reportBug(VLASize_Kind Kind, void VLASizeChecker::reportBug(VLASize_Kind Kind,
const Expr *SizeE, const Expr *SizeE,
ProgramStateRef State, ProgramStateRef State,
CheckerContext &C) const { CheckerContext &C) const {
// Generate an error node. // Generate an error node.
ExplodedNode *N = C.generateSink(State); ExplodedNode *N = C.generateErrorNode(State);
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug( BT.reset(new BuiltinBug(
this, "Dangerous variable-length array (VLA) declaration")); this, "Dangerous variable-length array (VLA) declaration"));
SmallString<256> buf; SmallString<256> buf;
▲ Show 20 LinesShow All 128 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp

Show First 20 LinesShow All 3,218 Lines▼ Show 20 Lines
} }
void BugReporter::Register(BugType *BT) { void BugReporter::Register(BugType *BT) {
BugTypes = F.add(BugTypes, BT); BugTypes = F.add(BugTypes, BT);
} }
void BugReporter::emitReport(std::unique_ptr<BugReport> R) { void BugReporter::emitReport(std::unique_ptr<BugReport> R) {
if (const ExplodedNode *E = R->getErrorNode()) { if (const ExplodedNode *E = R->getErrorNode()) {
// An error node must either be a sink or have a tag, otherwise
// it could get reclaimed before the path diagnostic is created.
assert((E->isSink() || E->getLocation().getTag()) &&
"Error node must either be a sink or have a tag");
const AnalysisDeclContext *DeclCtx = const AnalysisDeclContext *DeclCtx =
E->getLocationContext()->getAnalysisDeclContext(); E->getLocationContext()->getAnalysisDeclContext();
// The source of autosynthesized body can be handcrafted AST or a model // The source of autosynthesized body can be handcrafted AST or a model
// file. The locations from handcrafted ASTs have no valid source locations // file. The locations from handcrafted ASTs have no valid source locations
// and have to be discarded. Locations from model files should be preserved // and have to be discarded. Locations from model files should be preserved
// for processing and reporting. // for processing and reporting.
if (DeclCtx->isBodyAutosynthesized() && if (DeclCtx->isBodyAutosynthesized() &&
!DeclCtx->isBodyAutosynthesizedFromModelFile()) !DeclCtx->isBodyAutosynthesizedFromModelFile())
▲ Show 20 LinesShow All 317 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/PR24184.cpp

// RUN: %clang_cc1 -w -analyze -analyzer-eagerly-assume -fcxx-exceptions -analyzer-checker=core -analyzer-checker=alpha.core.PointerArithm,alpha.core.CastToStruct -analyzer-max-loop 64 -verify %s
// RUN: %clang_cc1 -w -analyze -analyzer-checker=core -analyzer-checker=cplusplus -fcxx-exceptions -analyzer-checker alpha.core.PointerArithm,alpha.core.CastToStruct -analyzer-max-loop 63 -verify %s
// These tests used to hit an assertion in the bug report. Test case from http://llvm.org/PR24184.
typedef struct {
int cbData;
unsigned pbData;
} CRYPT_DATA_BLOB;
typedef enum { DT_NONCE_FIXED } DATA_TYPE;
int a;
typedef int *vcreate_t(int *, DATA_TYPE, int, int);
void fn1(unsigned, unsigned) {
char b = 0;
for (; 1; a++, &b + a * 0) // expected-warning{{Pointer arithmetic done on non-array variables means reliance on memory layout, which is dangerous}}
;
}
vcreate_t fn2;
struct A {
CRYPT_DATA_BLOB value;
int m_fn1() {
int c;
value.pbData == 0;
fn1(0, 0);
}
};
struct B {
A IkeHashAlg;
A IkeGType;
A NoncePhase1_r;
};
class C {
int m_fn2(B *);
void m_fn3(B *, int, int, int);
};
int C::m_fn2(B *p1) {
int *d;
int e = p1->IkeHashAlg.m_fn1();
unsigned f = p1->IkeGType.m_fn1(), h;
int g;
d = fn2(0, DT_NONCE_FIXED, (char)0, p1->NoncePhase1_r.value.cbData);
h = 0 | 0;
m_fn3(p1, 0, 0, 0);
}
// case 2:
typedef struct {
int cbData;
unsigned char *pbData;
} CRYPT_DATA_BLOB_1;
typedef unsigned uint32_t;
void fn1_1(void *p1, const void *p2) { p1 != p2; }
void fn2_1(uint32_t *p1, unsigned char *p2, uint32_t p3) {
unsigned i = 0;
for (0; i < p3; i++)
fn1_1(p1 + i, p2 + i * 0); // expected-warning{{Pointer arithmetic done on non-array variables means reliance on memory layout, which is dangerous}}
}
struct A_1 {
CRYPT_DATA_BLOB_1 value;
uint32_t m_fn1() {
uint32_t a;
if (value.pbData)
fn2_1(&a, value.pbData, value.cbData);
return 0;
}
};
struct {
A_1 HashAlgId;
} *b;
void fn3() {
uint32_t c, d;
d = b->HashAlgId.m_fn1();
d << 0 | 0 | 0;
c = 0;
0 | 1 << 0 | 0 && b;
}
// case 3:
struct ST {
char c;
};
char *p;
int foo1(ST);
int foo2() {
ST *p1 = (ST *)(p); // expected-warning{{Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption}}
while (p1->c & 0x0F || p1->c & 0x07)
p1 = p1 + foo1(*p1);
}
int foo3(int *node) {
int i = foo2();
if (i)
return foo2();
}

cfe/trunk/test/Analysis/malloc.c

Show First 20 LinesShow All 1,380 Lines▼ Show 20 Lines
struct HasPtr { struct HasPtr {
char *p; char *p;
}; };
char* reallocButNoMalloc(struct HasPtr *a, int c, int size) { char* reallocButNoMalloc(struct HasPtr *a, int c, int size) {
int *s; int *s;
char *b = realloc(a->p, size); char *b = realloc(a->p, size);
char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}} char *m = realloc(a->p, size); // expected-warning {{Attempt to free released memory}}
return a->p; // We don't expect a use-after-free for a->P here because the warning above
// is a sink.
return a->p; // no-warning
} }
// We should not warn in this case since the caller will presumably free a->p in all cases. // We should not warn in this case since the caller will presumably free a->p in all cases.
int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) { int reallocButNoMallocPR13674(struct HasPtr *a, int c, int size) {
int *s; int *s;
char *b = realloc(a->p, size); char *b = realloc(a->p, size);
if (b == 0) if (b == 0)
return -1; return -1;
▲ Show 20 LinesShow All 251 LinesShow Last 20 Lines