This is an archive of the discontinued LLVM Phabricator instance.

Differential D2557

Expose the name of the checker producing each diagnostic message.
ClosedPublic

Authored by alexfh on Jan 15 2014, 9:19 AM.

Details

Reviewers
krememek
jordan_rose
Commits
rL201186: Expose the name of the checker producing each diagnostic message.
Summary

In clang-tidy we'd like to know the name of the checker producing each
diagnostic message. PathDiagnostic has BugType and Category fields, which are
both arbitrary human-readable strings, but we need to know the exact name of the
checker in the form that can be used in the CheckersControlList option to
enable/disable the specific checker.

This patch adds the CheckName field to the CheckerBase class, and sets it in
the CheckerManager::registerChecker() method, which gets them from the
CheckerRegistry.

Checkers that implement multiple checks have to store the names of each check
in the respective registerXXXChecker method.

Diff Detail

Event Timeline

jordan_rose added a comment.Jan 15 2014, 9:25 AM

I'm sorry, but again, it's not okay to output a random name or all of the names associated with a checker. Each diagnostic a checker prints has to do with a specific user-visible checker name, not just any old name. It's fine to do something like this for checkers that only implement one set of checks, but for MallocChecker we need to actually get this right or not do it at all.

alexfh updated this revision to Unknown Object (????).Jan 21 2014, 6:11 AM

Output correct check names for checkers implementing multiple sets of checks.

I'm sorry, but again, it's not okay to output a random name or all of the
names associated with a checker. Each diagnostic a checker prints has to do
with a specific user-visible checker name, not just any old name.
It's fine to do something like this for checkers that only implement one set
of checks, but for MallocChecker we need to actually get this right or not do
it at all.

You are right, I didn't get the real complexity of what's going on in
MallocChecker with regard to various check types and possible messages. There
are a few other checkers, that implement multiple check sets, but MallocChecker
is the most convoluted one.

Now I've fixed them all to store the names associated with the specific check
sets and use the right name when reporting a bug. I have a test for the new
functionality in a local patch to clang-tidy (as it's the only front-end, that
currently outputs checker names, and making it a unit-test would be rather
complicated, I guess).

alexfh updated this revision to Unknown Object (????).Jan 21 2014, 6:16 AM

Removed debug output. Fixed a comment.

jordan_rose added a comment.Jan 21 2014, 10:00 AM

Much better! :-) I wish we could cut down a bit on the copying of the name, but to do that we'd have to rely on the CheckerRegistry always living longer than the diagnostics. We could probably assume that for BugType, though. (If we did that, we'd want to use a wrapper data type so that people didn't accidentally pass random strings.)

At the very least, though, even the combined checkers can use StringRef instead of std::string to track the names of the individual checks.

It might be nice to have a BugType constructor overload that takes a Checker and just immediately calls getCheckerName(), just so 90% the clients could pass "this", but that's getting fairly nitpicky.

I'd also like Ted to at least give a thumbs-up before this goes in.

alexfh updated this revision to Unknown Object (????).Jan 22 2014, 5:32 AM

Avoid copying strings when creating BugTypes or reporting errors.
Introduced a wrapper type for checker names to ensure we only get StringRefs
from the CheckerRegistry.

Much better! :-) I wish we could cut down a bit on the copying of the name, but
to do that we'd have to rely on the CheckerRegistry always living longer than
the diagnostics. We could probably assume that for BugType, though. (If we did
that, we'd want to use a wrapper data type so that people didn't accidentally
pass random strings.)

Done.

At the very least, though, even the combined checkers can use StringRef instead
of std::string to track the names of the individual checks.

Done.

It might be nice to have a BugType constructor overload that takes a Checker and
just immediately calls getCheckerName(), just so 90% the clients could pass
"this", but that's getting fairly nitpicky.

Done for BugType and all its descendants.

I'd also like Ted to at least give a thumbs-up before this goes in.

Yes, would be nice to hear from Ted on this.

alexfh updated this revision to Unknown Object (????).Jan 29 2014, 7:45 AM

Don't pass checker names through register.*Checker functions. Store the current checker name in the CheckerManager instead.

Renamed CheckerNameWrapper to CheckerName

jordan_rose added a comment.Feb 3 2014, 10:14 AM

This approach seems fine to me. The shared state is a bit ugly, but seems like a reasonable tradeoff here.

I like "CheckName"; it matches where we want to go a bit better. (Or my impression of where we want to go, anyway.)

Waiting on Ted for final thumbs-up.

include/clang/StaticAnalyzer/Core/CheckerManager.h
135–136 ↗(On Diff #6747)

English nitpick: no comma after "ensure". Also, we should explain why this is important: we want to make sure all checker name strings have a lifetime that keeps them alive at least until the path diagnostics have been processed.

190 ↗(On Diff #6747)

The one thing I would say about this is that it doesn't make sense for checkers that implement multiple checks. If we really cared, we could make it so that if there's already a check name set, we mark the checker as implementing multiple names somehow, and then we can catch cases where such a checker is accidentally used to identify a bug, rather than a specific name. But we don't have to do this now.

alexfh updated this revision to Unknown Object (????).Feb 3 2014, 11:27 AM

CheckerName -> CheckName + fixed a comment.

jordan_rose added a comment.Feb 10 2014, 6:32 PM

Ted and I talked offline about this and other changes and agreed that this is a good move. We have some notions about future work on the analyzer that I'll try to write up and send to you and cfe-dev tomorrow, but they don't seem like goals that would conflict with clang-tidy's.

I've done a pass over the entire patch this time and come up with a few comments, but this mostly looks good. Thank you for doing all the boring work of getting this up and running in all the existing checkers!

include/clang/StaticAnalyzer/Core/BugReporter/BugType.h
40–41 ↗(On Diff #6830)

We try not to shadow class names with field or parameter names. Just "const CheckName Check", maybe?

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
309–312 ↗(On Diff #6830)

Possible alternative:

Optional<CheckKind> getCheckIfTracked(AllocationFamily Family) const;

I personally tend to avoid returning values by reference. What do you think of this version?

2276–2280 ↗(On Diff #6830)

Good work here: if only the leak-checker is enabled, it becomes responsible for the use-after-delete checks, but if both are enabled the normal NewDelete checker will show up. Nice!

lib/StaticAnalyzer/Checkers/UnixAPIChecker.cpp
68–71 ↗(On Diff #6830)

There are no more utility functions, so let's drop this header.

krememek added a comment.Feb 10 2014, 10:37 PM

Yes, this all looks great to me. Sorry for the delay.

alexfh added a comment.Feb 11 2014, 9:48 AM

Jordan, Ted, thanks for the review!

Is it now fine to commit? ;)

include/clang/StaticAnalyzer/Core/BugReporter/BugType.h
40–41 ↗(On Diff #6830)

Done.

lib/StaticAnalyzer/Checkers/MallocChecker.cpp
309–312 ↗(On Diff #6830)

With Optional the user code becomes somewhat less elegant, but if you like it more, I'm fine with it.

2276–2280 ↗(On Diff #6830)

MallocChecker is particularly convoluted. It should be possible to have the same functionality with a simpler structure, then this code would not be necessary =\

lib/StaticAnalyzer/Checkers/UnixAPIChecker.cpp
68–71 ↗(On Diff #6830)

Sure. Done.

alexfh updated this revision to Unknown Object (????).Feb 11 2014, 9:49 AM

Addressed reviewer's comments.

jordan_rose accepted this revision.Feb 11 2014, 9:53 AM

Yes, this looks good!

(Two possible ways to make the Optional change less wordy: use * for getValue(), and name the variable something else so that you don't have to qualify CheckKind with MallocChecker::.)

alexfh closed this revision.Feb 11 2014, 1:55 PM
alexfh closed this revision.

Closed by commit rL201186 (authored by @alexfh).

Revision Contents

PathSize
cfe/
trunk/
examples/
analyzer-plugin/
2 lines
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
11 lines
29 lines
6 lines
6 lines
23 lines
lib/
StaticAnalyzer/
Checkers/
4 lines
5 lines
3 lines
25 lines
2 lines
46 lines
13 lines
48 lines
10 lines
9 lines
16 lines
17 lines
51 lines
8 lines
6 lines
17 lines
5 lines
21 lines
2 lines
6 lines
9 lines
2 lines
15 lines
47 lines
36 lines
2 lines
2 lines
230 lines
14 lines
6 lines
2 lines
29 lines
1 line
5 lines
9 lines
15 lines
2 lines
2 lines
25 lines
7 lines
9 lines
7 lines
5 lines
58 lines
7 lines
8 lines
8 lines
14 lines
22 lines
2 lines
4 lines
3 lines
3 lines
2 lines
2 lines
18 lines
2 lines
3 lines
22 lines
Core/
24 lines
2 lines
1 line
5 lines

Diff 7003

cfe/trunk/examples/analyzer-plugin/MainCallChecker.cpp

Show All 29 Lines if (!II) // if no identifier, not a simple C function
return; return;
if (II->isStr("main")) { if (II->isStr("main")) {
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset(new BugType("call to main", "example analyzer plugin")); BT.reset(new BugType(this, "call to main", "example analyzer plugin"));
BugReport *report = new BugReport(*BT, BT->getName(), N); BugReport *report = new BugReport(*BT, BT->getName(), N);
report->addRange(Callee->getSourceRange()); report->addRange(Callee->getSourceRange());
C.emitReport(report); C.emitReport(report);
} }
} }
// Register plugin! // Register plugin!
extern "C" extern "C"
void clang_registerCheckers (CheckerRegistry &registry) { void clang_registerCheckers (CheckerRegistry &registry) {
registry.addChecker<MainCallChecker>("example.MainCallChecker", "Disallows calls to functions called main"); registry.addChecker<MainCallChecker>("example.MainCallChecker", "Disallows calls to functions called main");
} }
extern "C" extern "C"
const char clang_analyzerAPIVersionString[] = CLANG_ANALYZER_API_VERSION_STRING; const char clang_analyzerAPIVersionString[] = CLANG_ANALYZER_API_VERSION_STRING;

cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h

Show All 13 Lines
#ifndef LLVM_CLANG_GR_BUGREPORTER #ifndef LLVM_CLANG_GR_BUGREPORTER
#define LLVM_CLANG_GR_BUGREPORTER #define LLVM_CLANG_GR_BUGREPORTER
#include "clang/Basic/SourceLocation.h" #include "clang/Basic/SourceLocation.h"
#include "clang/StaticAnalyzer/Core/AnalyzerOptions.h" #include "clang/StaticAnalyzer/Core/AnalyzerOptions.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h"
#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "llvm/ADT/DenseSet.h" #include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/FoldingSet.h" #include "llvm/ADT/FoldingSet.h"
#include "llvm/ADT/ImmutableSet.h" #include "llvm/ADT/ImmutableSet.h"
#include "llvm/ADT/SmallSet.h" #include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/ilist.h" #include "llvm/ADT/ilist.h"
#include "llvm/ADT/ilist_node.h" #include "llvm/ADT/ilist_node.h"
▲ Show 20 LinesShow All 428 Lines▼ Show 20 Linespublic:
/// \brief Add the given report to the set of reports tracked by BugReporter. /// \brief Add the given report to the set of reports tracked by BugReporter.
/// ///
/// The reports are usually generated by the checkers. Further, they are /// The reports are usually generated by the checkers. Further, they are
/// folded based on the profile value, which is done to coalesce similar /// folded based on the profile value, which is done to coalesce similar
/// reports. /// reports.
void emitReport(BugReport *R); void emitReport(BugReport *R);
void EmitBasicReport(const Decl *DeclWithIssue, void EmitBasicReport(const Decl *DeclWithIssue, const CheckerBase *Checker,
StringRef BugName, StringRef BugCategory,
StringRef BugStr, PathDiagnosticLocation Loc,
ArrayRef<SourceRange> Ranges = None);
void EmitBasicReport(const Decl *DeclWithIssue, CheckName CheckName,
StringRef BugName, StringRef BugCategory, StringRef BugName, StringRef BugCategory,
StringRef BugStr, PathDiagnosticLocation Loc, StringRef BugStr, PathDiagnosticLocation Loc,
ArrayRef<SourceRange> Ranges = None); ArrayRef<SourceRange> Ranges = None);
private: private:
llvm::StringMap<BugType *> StrBugTypes; llvm::StringMap<BugType *> StrBugTypes;
/// \brief Returns a BugType that is associated with the given name and /// \brief Returns a BugType that is associated with the given name and
/// category. /// category.
BugType *getBugTypeForName(StringRef name, StringRef category); BugType *getBugTypeForName(CheckName CheckName, StringRef name,
StringRef category);
}; };
// FIXME: Get rid of GRBugReporter. It's the wrong abstraction. // FIXME: Get rid of GRBugReporter. It's the wrong abstraction.
class GRBugReporter : public BugReporter { class GRBugReporter : public BugReporter {
ExprEngine& Eng; ExprEngine& Eng;
public: public:
GRBugReporter(BugReporterData& d, ExprEngine& eng) GRBugReporter(BugReporterData& d, ExprEngine& eng)
: BugReporter(d, GRBugReporterKind), Eng(eng) {} : BugReporter(d, GRBugReporterKind), Eng(eng) {}
▲ Show 20 LinesShow All 69 LinesShow Last 20 Lines

cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugType.h

Show All 10 Lines
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_ANALYSIS_BUGTYPE #ifndef LLVM_CLANG_ANALYSIS_BUGTYPE
#define LLVM_CLANG_ANALYSIS_BUGTYPE #define LLVM_CLANG_ANALYSIS_BUGTYPE
#include "clang/Basic/LLVM.h" #include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h" #include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "llvm/ADT/FoldingSet.h" #include "llvm/ADT/FoldingSet.h"
#include <string> #include <string>
namespace clang { namespace clang {
namespace ento { namespace ento {
class BugReporter; class BugReporter;
class ExplodedNode; class ExplodedNode;
class ExprEngine; class ExprEngine;
class BugType { class BugType {
private: private:
const CheckName CheckName;
const std::string Name; const std::string Name;
const std::string Category; const std::string Category;
bool SuppressonSink; bool SuppressonSink;
virtual void anchor(); virtual void anchor();
public: public:
BugType(StringRef name, StringRef cat) BugType(class CheckName Check, StringRef name, StringRef cat)
: Name(name), Category(cat), SuppressonSink(false) {} : CheckName(Check), Name(name), Category(cat), SuppressonSink(false) {}
BugType(const CheckerBase *checker, StringRef name, StringRef cat)
: CheckName(checker->getCheckName()), Name(name), Category(cat),
SuppressonSink(false) {}
virtual ~BugType() {} virtual ~BugType() {}
// FIXME: Should these be made strings as well? // FIXME: Should these be made strings as well?
StringRef getName() const { return Name; } StringRef getName() const { return Name; }
StringRef getCategory() const { return Category; } StringRef getCategory() const { return Category; }
StringRef getCheckName() const { return CheckName.getName(); }
/// isSuppressOnSink - Returns true if bug reports associated with this bug /// isSuppressOnSink - Returns true if bug reports associated with this bug
/// type should be suppressed if the end node of the report is post-dominated /// type should be suppressed if the end node of the report is post-dominated
/// by a sink node. /// by a sink node.
bool isSuppressOnSink() const { return SuppressonSink; } bool isSuppressOnSink() const { return SuppressonSink; }
void setSuppressOnSink(bool x) { SuppressonSink = x; } void setSuppressOnSink(bool x) { SuppressonSink = x; }
virtual void FlushReports(BugReporter& BR); virtual void FlushReports(BugReporter& BR);
}; };
class BuiltinBug : public BugType { class BuiltinBug : public BugType {
const std::string desc; const std::string desc;
virtual void anchor(); virtual void anchor();
public: public:
BuiltinBug(const char *name, const char *description) BuiltinBug(class CheckName CheckName, const char *name,
: BugType(name, categories::LogicError), desc(description) {} const char *description)
: BugType(CheckName, name, categories::LogicError), desc(description) {}
BuiltinBug(const CheckerBase *checker, const char *name,
const char *description)
: BugType(checker, name, categories::LogicError), desc(description) {}
BuiltinBug(const char *name) BuiltinBug(const CheckerBase *checker, const char *name)
: BugType(name, categories::LogicError), desc(name) {} : BugType(checker, name, categories::LogicError), desc(name) {}
StringRef getDescription() const { return desc; } StringRef getDescription() const { return desc; }
}; };
} // end GR namespace } // end GR namespace
} // end clang namespace } // end clang namespace
#endif #endif

cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h

Show First 20 LinesShow All 704 Lines▼ Show 20 Linespublic:
virtual void Profile(llvm::FoldingSetNodeID &ID) const; virtual void Profile(llvm::FoldingSetNodeID &ID) const;
}; };
/// PathDiagnostic - PathDiagnostic objects represent a single path-sensitive /// PathDiagnostic - PathDiagnostic objects represent a single path-sensitive
/// diagnostic. It represents an ordered-collection of PathDiagnosticPieces, /// diagnostic. It represents an ordered-collection of PathDiagnosticPieces,
/// each which represent the pieces of the path. /// each which represent the pieces of the path.
class PathDiagnostic : public llvm::FoldingSetNode { class PathDiagnostic : public llvm::FoldingSetNode {
std::string CheckName;
const Decl *DeclWithIssue; const Decl *DeclWithIssue;
std::string BugType; std::string BugType;
std::string VerboseDesc; std::string VerboseDesc;
std::string ShortDesc; std::string ShortDesc;
std::string Category; std::string Category;
std::deque<std::string> OtherDesc; std::deque<std::string> OtherDesc;
/// \brief Loc The location of the path diagnostic report. /// \brief Loc The location of the path diagnostic report.
PathDiagnosticLocation Loc; PathDiagnosticLocation Loc;
PathPieces pathImpl; PathPieces pathImpl;
SmallVector<PathPieces *, 3> pathStack; SmallVector<PathPieces *, 3> pathStack;
/// \brief Important bug uniqueing location. /// \brief Important bug uniqueing location.
/// The location info is useful to differentiate between bugs. /// The location info is useful to differentiate between bugs.
PathDiagnosticLocation UniqueingLoc; PathDiagnosticLocation UniqueingLoc;
const Decl *UniqueingDecl; const Decl *UniqueingDecl;
PathDiagnostic() LLVM_DELETED_FUNCTION; PathDiagnostic() LLVM_DELETED_FUNCTION;
public: public:
PathDiagnostic(const Decl *DeclWithIssue, StringRef bugtype, PathDiagnostic(StringRef CheckName, const Decl *DeclWithIssue,
StringRef verboseDesc, StringRef shortDesc, StringRef bugtype, StringRef verboseDesc, StringRef shortDesc,
StringRef category, PathDiagnosticLocation LocationToUnique, StringRef category, PathDiagnosticLocation LocationToUnique,
const Decl *DeclToUnique); const Decl *DeclToUnique);
~PathDiagnostic(); ~PathDiagnostic();
const PathPieces &path; const PathPieces &path;
/// Return the path currently used by builders for constructing the /// Return the path currently used by builders for constructing the
Show All 40 Linespublic:
/// the location of the report to be the last location in the main source /// the location of the report to be the last location in the main source
/// file. /// file.
void resetDiagnosticLocationToMainFile(); void resetDiagnosticLocationToMainFile();
StringRef getVerboseDescription() const { return VerboseDesc; } StringRef getVerboseDescription() const { return VerboseDesc; }
StringRef getShortDescription() const { StringRef getShortDescription() const {
return ShortDesc.empty() ? VerboseDesc : ShortDesc; return ShortDesc.empty() ? VerboseDesc : ShortDesc;
} }
StringRef getCheckName() const { return CheckName; }
StringRef getBugType() const { return BugType; } StringRef getBugType() const { return BugType; }
StringRef getCategory() const { return Category; } StringRef getCategory() const { return Category; }
/// Return the semantic context where an issue occurred. If the /// Return the semantic context where an issue occurred. If the
/// issue occurs along a path, this represents the "central" area /// issue occurs along a path, this represents the "central" area
/// where the bug manifests. /// where the bug manifests.
const Decl *getDeclWithIssue() const { return DeclWithIssue; } const Decl *getDeclWithIssue() const { return DeclWithIssue; }
▲ Show 20 LinesShow All 44 LinesShow Last 20 Lines

cfe/trunk/include/clang/StaticAnalyzer/Core/Checker.h

Show First 20 LinesShow All 447 Lines▼ Show 20 Lines static void _register(CHECKER *checker, CheckerManager &mgr) {
mgr._registerForEvalCall( mgr._registerForEvalCall(
CheckerManager::EvalCallFunc(checker, _evalCall<CHECKER>)); CheckerManager::EvalCallFunc(checker, _evalCall<CHECKER>));
} }
}; };
} // end eval namespace } // end eval namespace
class CheckerBase : public ProgramPointTag { class CheckerBase : public ProgramPointTag {
CheckName Name;
friend class ::clang::ento::CheckerManager;
public: public:
StringRef getTagDescription() const; StringRef getTagDescription() const;
CheckName getCheckName() const;
/// See CheckerManager::runCheckersForPrintState. /// See CheckerManager::runCheckersForPrintState.
virtual void printState(raw_ostream &Out, ProgramStateRef State, virtual void printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) const { } const char *NL, const char *Sep) const { }
}; };
template <typename CHECK1, typename CHECK2=check::_VoidCheck, template <typename CHECK1, typename CHECK2=check::_VoidCheck,
typename CHECK3=check::_VoidCheck, typename CHECK4=check::_VoidCheck, typename CHECK3=check::_VoidCheck, typename CHECK4=check::_VoidCheck,
typename CHECK5=check::_VoidCheck, typename CHECK6=check::_VoidCheck, typename CHECK5=check::_VoidCheck, typename CHECK6=check::_VoidCheck,
typename CHECK7=check::_VoidCheck, typename CHECK8=check::_VoidCheck, typename CHECK7=check::_VoidCheck, typename CHECK8=check::_VoidCheck,
typename CHECK9=check::_VoidCheck, typename CHECK10=check::_VoidCheck, typename CHECK9=check::_VoidCheck, typename CHECK10=check::_VoidCheck,
typename CHECK11=check::_VoidCheck,typename CHECK12=check::_VoidCheck, typename CHECK11=check::_VoidCheck,typename CHECK12=check::_VoidCheck,
typename CHECK13=check::_VoidCheck,typename CHECK14=check::_VoidCheck, typename CHECK13=check::_VoidCheck,typename CHECK14=check::_VoidCheck,
typename CHECK15=check::_VoidCheck,typename CHECK16=check::_VoidCheck, typename CHECK15=check::_VoidCheck,typename CHECK16=check::_VoidCheck,
▲ Show 20 LinesShow All 80 LinesShow Last 20 Lines

cfe/trunk/include/clang/StaticAnalyzer/Core/CheckerManager.h

Show All 23 Lines
namespace clang { namespace clang {
class Decl; class Decl;
class Stmt; class Stmt;
class CallExpr; class CallExpr;
namespace ento { namespace ento {
class CheckerBase; class CheckerBase;
class CheckerRegistry;
class ExprEngine; class ExprEngine;
class AnalysisManager; class AnalysisManager;
class BugReporter; class BugReporter;
class CheckerContext; class CheckerContext;
class ObjCMethodCall; class ObjCMethodCall;
class SVal; class SVal;
class ExplodedNode; class ExplodedNode;
class ExplodedNodeSet; class ExplodedNodeSet;
▲ Show 20 LinesShow All 86 Lines▼ Show 20 Linesenum PointerEscapeKind {
/// argument to a function. /// argument to a function.
PSK_IndirectEscapeOnCall, PSK_IndirectEscapeOnCall,
/// The reason for pointer escape is unknown. For example, /// The reason for pointer escape is unknown. For example,
/// a region containing this pointer is invalidated. /// a region containing this pointer is invalidated.
PSK_EscapeOther PSK_EscapeOther
}; };
// This wrapper is used to ensure that only StringRefs originating from the
// CheckerRegistry are used as check names. We want to make sure all check
// name strings have a lifetime that keeps them alive at least until the path
// diagnostics have been processed.
class CheckName {
StringRef Name;
friend class ::clang::ento::CheckerRegistry;
explicit CheckName(StringRef Name) : Name(Name) {}
public:
CheckName() {}
CheckName(const CheckName &Other) : Name(Other.Name) {}
StringRef getName() const { return Name; }
};
class CheckerManager { class CheckerManager {
const LangOptions LangOpts; const LangOptions LangOpts;
AnalyzerOptionsRef AOptions; AnalyzerOptionsRef AOptions;
CheckName CurrentCheckName;
public: public:
CheckerManager(const LangOptions &langOpts, CheckerManager(const LangOptions &langOpts,
AnalyzerOptionsRef AOptions) AnalyzerOptionsRef AOptions)
: LangOpts(langOpts), : LangOpts(langOpts),
AOptions(AOptions) {} AOptions(AOptions) {}
~CheckerManager(); ~CheckerManager();
void setCurrentCheckName(CheckName name) { CurrentCheckName = name; }
CheckName getCurrentCheckName() const { return CurrentCheckName; }
bool hasPathSensitiveCheckers() const; bool hasPathSensitiveCheckers() const;
void finishedCheckerRegistration(); void finishedCheckerRegistration();
const LangOptions &getLangOpts() const { return LangOpts; } const LangOptions &getLangOpts() const { return LangOpts; }
AnalyzerOptions &getAnalyzerOptions() { return *AOptions; } AnalyzerOptions &getAnalyzerOptions() { return *AOptions; }
typedef CheckerBase *CheckerRef; typedef CheckerBase *CheckerRef;
Show All 10 Lines//===----------------------------------------------------------------------===//
template <typename CHECKER> template <typename CHECKER>
CHECKER *registerChecker() { CHECKER *registerChecker() {
CheckerTag tag = getTag<CHECKER>(); CheckerTag tag = getTag<CHECKER>();
CheckerRef &ref = CheckerTags[tag]; CheckerRef &ref = CheckerTags[tag];
if (ref) if (ref)
return static_cast<CHECKER *>(ref); // already registered. return static_cast<CHECKER *>(ref); // already registered.
CHECKER *checker = new CHECKER(); CHECKER *checker = new CHECKER();
checker->Name = CurrentCheckName;
CheckerDtors.push_back(CheckerDtor(checker, destruct<CHECKER>)); CheckerDtors.push_back(CheckerDtor(checker, destruct<CHECKER>));
CHECKER::_register(checker, *this); CHECKER::_register(checker, *this);
ref = checker; ref = checker;
return checker; return checker;
} }
template <typename CHECKER> template <typename CHECKER>
CHECKER *registerChecker(AnalyzerOptions &AOpts) { CHECKER *registerChecker(AnalyzerOptions &AOpts) {
CheckerTag tag = getTag<CHECKER>(); CheckerTag tag = getTag<CHECKER>();
CheckerRef &ref = CheckerTags[tag]; CheckerRef &ref = CheckerTags[tag];
if (ref) if (ref)
return static_cast<CHECKER *>(ref); // already registered. return static_cast<CHECKER *>(ref); // already registered.
CHECKER *checker = new CHECKER(AOpts); CHECKER *checker = new CHECKER(AOpts);
checker->Name = CurrentCheckName;
CheckerDtors.push_back(CheckerDtor(checker, destruct<CHECKER>)); CheckerDtors.push_back(CheckerDtor(checker, destruct<CHECKER>));
CHECKER::_register(checker, *this); CHECKER::_register(checker, *this);
ref = checker; ref = checker;
return checker; return checker;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Functions for running checkers for AST traversing.. // Functions for running checkers for AST traversing..
▲ Show 20 LinesShow All 447 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/AnalyzerStatsChecker.cpp

Show First 20 LinesShow All 106 Lines▼ Show 20 Linesvoid AnalyzerStatsChecker::checkEndAnalysis(ExplodedGraph &G,
std::string NameOfRootFunction = output.str(); std::string NameOfRootFunction = output.str();
output << " -> Total CFGBlocks: " << total << " | Unreachable CFGBlocks: " output << " -> Total CFGBlocks: " << total << " | Unreachable CFGBlocks: "
<< unreachable << " | Exhausted Block: " << unreachable << " | Exhausted Block: "
<< (Eng.wasBlocksExhausted() ? "yes" : "no") << (Eng.wasBlocksExhausted() ? "yes" : "no")
<< " | Empty WorkList: " << " | Empty WorkList: "
<< (Eng.hasEmptyWorkList() ? "yes" : "no"); << (Eng.hasEmptyWorkList() ? "yes" : "no");
B.EmitBasicReport(D, "Analyzer Statistics", "Internal Statistics", B.EmitBasicReport(D, this, "Analyzer Statistics", "Internal Statistics",
output.str(), PathDiagnosticLocation(D, SM)); output.str(), PathDiagnosticLocation(D, SM));
// Emit warning for each block we bailed out on. // Emit warning for each block we bailed out on.
typedef CoreEngine::BlocksExhausted::const_iterator ExhaustedIterator; typedef CoreEngine::BlocksExhausted::const_iterator ExhaustedIterator;
const CoreEngine &CE = Eng.getCoreEngine(); const CoreEngine &CE = Eng.getCoreEngine();
for (ExhaustedIterator I = CE.blocks_exhausted_begin(), for (ExhaustedIterator I = CE.blocks_exhausted_begin(),
E = CE.blocks_exhausted_end(); I != E; ++I) { E = CE.blocks_exhausted_end(); I != E; ++I) {
const BlockEdge &BE = I->first; const BlockEdge &BE = I->first;
const CFGBlock *Exit = BE.getDst(); const CFGBlock *Exit = BE.getDst();
const CFGElement &CE = Exit->front(); const CFGElement &CE = Exit->front();
if (Optional<CFGStmt> CS = CE.getAs<CFGStmt>()) { if (Optional<CFGStmt> CS = CE.getAs<CFGStmt>()) {
SmallString<128> bufI; SmallString<128> bufI;
llvm::raw_svector_ostream outputI(bufI); llvm::raw_svector_ostream outputI(bufI);
outputI << "(" << NameOfRootFunction << ")" << outputI << "(" << NameOfRootFunction << ")" <<
": The analyzer generated a sink at this point"; ": The analyzer generated a sink at this point";
B.EmitBasicReport( B.EmitBasicReport(
D, "Sink Point", "Internal Statistics", outputI.str(), D, this, "Sink Point", "Internal Statistics", outputI.str(),
PathDiagnosticLocation::createBegin(CS->getStmt(), SM, LC)); PathDiagnosticLocation::createBegin(CS->getStmt(), SM, LC));
} }
} }
} }
void ento::registerAnalyzerStatsChecker(CheckerManager &mgr) { void ento::registerAnalyzerStatsChecker(CheckerManager &mgr) {
mgr.registerChecker<AnalyzerStatsChecker>(); mgr.registerChecker<AnalyzerStatsChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundChecker.cpp

Show First 20 LinesShow All 60 Lines▼ Show 20 Linesvoid ArrayBoundChecker::checkLocation(SVal l, bool isLoad, const Stmt* LoadS,
ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true); ProgramStateRef StInBound = state->assumeInBound(Idx, NumElements, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false); ProgramStateRef StOutBound = state->assumeInBound(Idx, NumElements, false);
if (StOutBound && !StInBound) { if (StOutBound && !StInBound) {
ExplodedNode *N = C.generateSink(StOutBound); ExplodedNode *N = C.generateSink(StOutBound);
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Out-of-bound array access", BT.reset(new BuiltinBug(
this, "Out-of-bound array access",
"Access out-of-bound array element (buffer overflow)")); "Access out-of-bound array element (buffer overflow)"));
// FIXME: It would be nice to eventually make this diagnostic more clear, // FIXME: It would be nice to eventually make this diagnostic more clear,
// e.g., by referencing the original declaration or by saying *why* this // e.g., by referencing the original declaration or by saying *why* this
// reference is outside the range. // reference is outside the range.
// Generate a report for this bug. // Generate a report for this bug.
BugReport *report = BugReport *report =
new BugReport(*BT, BT->getDescription(), N); new BugReport(*BT, BT->getDescription(), N);
Show All 14 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ArrayBoundCheckerV2.cpp

Show First 20 LinesShow All 181 Lines▼ Show 20 Linesvoid ArrayBoundCheckerV2::reportOOB(CheckerContext &checkerContext,
ProgramStateRef errorState, ProgramStateRef errorState,
OOB_Kind kind) const { OOB_Kind kind) const {
ExplodedNode *errorNode = checkerContext.generateSink(errorState); ExplodedNode *errorNode = checkerContext.generateSink(errorState);
if (!errorNode) if (!errorNode)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Out-of-bound access")); BT.reset(new BuiltinBug(this, "Out-of-bound access"));
// FIXME: This diagnostics are preliminary. We should get far better // FIXME: This diagnostics are preliminary. We should get far better
// diagnostics for explaining buffer overruns. // diagnostics for explaining buffer overruns.
SmallString<256> buf; SmallString<256> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
os << "Out of bound memory access "; os << "Out of bound memory access ";
switch (kind) { switch (kind) {
▲ Show 20 LinesShow All 107 Lines▼ Show 20 Lines switch (region->getKind()) {
region = elemReg->getSuperRegion(); region = elemReg->getSuperRegion();
continue; continue;
} }
} }
} }
return RegionRawOffsetV2(); return RegionRawOffsetV2();
} }
void ento::registerArrayBoundCheckerV2(CheckerManager &mgr) { void ento::registerArrayBoundCheckerV2(CheckerManager &mgr) {
mgr.registerChecker<ArrayBoundCheckerV2>(); mgr.registerChecker<ArrayBoundCheckerV2>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/BasicObjCFoundationChecks.cpp

Show All 33 Lines
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class APIMisuse : public BugType { class APIMisuse : public BugType {
public: public:
APIMisuse(const char* name) : BugType(name, "API Misuse (Apple)") {} APIMisuse(const CheckerBase *checker, const char *name)
: BugType(checker, name, "API Misuse (Apple)") {}
}; };
} // end anonymous namespace } // end anonymous namespace
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Utility functions. // Utility functions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static StringRef GetReceiverInterfaceName(const ObjCMethodCall &msg) { static StringRef GetReceiverInterfaceName(const ObjCMethodCall &msg) {
▲ Show 20 LinesShow All 135 Lines▼ Show 20 Lines
} }
void NilArgChecker::generateBugReport(ExplodedNode *N, void NilArgChecker::generateBugReport(ExplodedNode *N,
StringRef Msg, StringRef Msg,
SourceRange Range, SourceRange Range,
const Expr *E, const Expr *E,
CheckerContext &C) const { CheckerContext &C) const {
if (!BT) if (!BT)
BT.reset(new APIMisuse("nil argument")); BT.reset(new APIMisuse(this, "nil argument"));
BugReport *R = new BugReport(*BT, Msg, N); BugReport *R = new BugReport(*BT, Msg, N);
R->addRange(Range); R->addRange(Range);
bugreporter::trackNullOrUndefValue(N, E, *R); bugreporter::trackNullOrUndefValue(N, E, *R);
C.emitReport(R); C.emitReport(R);
} }
void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg, void NilArgChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
▲ Show 20 LinesShow All 275 Lines▼ Show 20 Lines if (ExplodedNode *N = SourceSize < TargetSize ? C.generateSink()
if (SourceSize < TargetSize) if (SourceSize < TargetSize)
os << (TargetSize - SourceSize) os << (TargetSize - SourceSize)
<< " bits of the CFNumber value will be garbage." ; << " bits of the CFNumber value will be garbage." ;
else else
os << (SourceSize - TargetSize) os << (SourceSize - TargetSize)
<< " bits of the input integer will be lost."; << " bits of the input integer will be lost.";
if (!BT) if (!BT)
BT.reset(new APIMisuse("Bad use of CFNumberCreate")); BT.reset(new APIMisuse(this, "Bad use of CFNumberCreate"));
BugReport *report = new BugReport(*BT, os.str(), N); BugReport *report = new BugReport(*BT, os.str(), N);
report->addRange(CE->getArg(2)->getSourceRange()); report->addRange(CE->getArg(2)->getSourceRange());
C.emitReport(report); C.emitReport(report);
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// CFRetain/CFRelease/CFMakeCollectable checking for null arguments. // CFRetain/CFRelease/CFMakeCollectable checking for null arguments.
Show All 21 Linesvoid CFRetainReleaseChecker::checkPreStmt(const CallExpr *CE,
if (!FD) if (!FD)
return; return;
if (!BT) { if (!BT) {
ASTContext &Ctx = C.getASTContext(); ASTContext &Ctx = C.getASTContext();
Retain = &Ctx.Idents.get("CFRetain"); Retain = &Ctx.Idents.get("CFRetain");
Release = &Ctx.Idents.get("CFRelease"); Release = &Ctx.Idents.get("CFRelease");
MakeCollectable = &Ctx.Idents.get("CFMakeCollectable"); MakeCollectable = &Ctx.Idents.get("CFMakeCollectable");
BT.reset( BT.reset(new APIMisuse(
new APIMisuse("null passed to CFRetain/CFRelease/CFMakeCollectable")); this, "null passed to CFRetain/CFRelease/CFMakeCollectable"));
} }
// Check if we called CFRetain/CFRelease/CFMakeCollectable. // Check if we called CFRetain/CFRelease/CFMakeCollectable.
const IdentifierInfo *FuncII = FD->getIdentifier(); const IdentifierInfo *FuncII = FD->getIdentifier();
if (!(FuncII == Retain || FuncII == Release || FuncII == MakeCollectable)) if (!(FuncII == Retain || FuncII == Release || FuncII == MakeCollectable))
return; return;
// FIXME: The rest of this just checks that the argument is non-null. // FIXME: The rest of this just checks that the argument is non-null.
▲ Show 20 LinesShow All 60 Lines▼ Show 20 Linespublic:
void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const; void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
}; };
} }
void ClassReleaseChecker::checkPreObjCMessage(const ObjCMethodCall &msg, void ClassReleaseChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const { CheckerContext &C) const {
if (!BT) { if (!BT) {
BT.reset(new APIMisuse("message incorrectly sent to class instead of class " BT.reset(new APIMisuse(
"instance")); this, "message incorrectly sent to class instead of class instance"));
ASTContext &Ctx = C.getASTContext(); ASTContext &Ctx = C.getASTContext();
releaseS = GetNullarySelector("release", Ctx); releaseS = GetNullarySelector("release", Ctx);
retainS = GetNullarySelector("retain", Ctx); retainS = GetNullarySelector("retain", Ctx);
autoreleaseS = GetNullarySelector("autorelease", Ctx); autoreleaseS = GetNullarySelector("autorelease", Ctx);
drainS = GetNullarySelector("drain", Ctx); drainS = GetNullarySelector("drain", Ctx);
} }
if (msg.isInstanceMessage()) if (msg.isInstanceMessage())
▲ Show 20 LinesShow All 89 Lines▼ Show 20 Lines switch (findKnownClass(Class)) {
return false; return false;
} }
} }
} }
void VariadicMethodTypeChecker::checkPreObjCMessage(const ObjCMethodCall &msg, void VariadicMethodTypeChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const { CheckerContext &C) const {
if (!BT) { if (!BT) {
BT.reset(new APIMisuse("Arguments passed to variadic method aren't all " BT.reset(new APIMisuse(this,
"Arguments passed to variadic method aren't all "
"Objective-C pointer types")); "Objective-C pointer types"));
ASTContext &Ctx = C.getASTContext(); ASTContext &Ctx = C.getASTContext();
arrayWithObjectsS = GetUnarySelector("arrayWithObjects", Ctx); arrayWithObjectsS = GetUnarySelector("arrayWithObjects", Ctx);
dictionaryWithObjectsAndKeysS = dictionaryWithObjectsAndKeysS =
GetUnarySelector("dictionaryWithObjectsAndKeys", Ctx); GetUnarySelector("dictionaryWithObjectsAndKeys", Ctx);
setWithObjectsS = GetUnarySelector("setWithObjects", Ctx); setWithObjectsS = GetUnarySelector("setWithObjects", Ctx);
orderedSetWithObjectsS = GetUnarySelector("orderedSetWithObjects", Ctx); orderedSetWithObjectsS = GetUnarySelector("orderedSetWithObjects", Ctx);
▲ Show 20 LinesShow All 538 Lines▼ Show 20 Lines
void ento::registerVariadicMethodTypeChecker(CheckerManager &mgr) { void ento::registerVariadicMethodTypeChecker(CheckerManager &mgr) {
mgr.registerChecker<VariadicMethodTypeChecker>(); mgr.registerChecker<VariadicMethodTypeChecker>();
} }
void ento::registerObjCLoopChecker(CheckerManager &mgr) { void ento::registerObjCLoopChecker(CheckerManager &mgr) {
mgr.registerChecker<ObjCLoopChecker>(); mgr.registerChecker<ObjCLoopChecker>();
} }
void ento::registerObjCNonNilReturnValueChecker(CheckerManager &mgr) { void
ento::registerObjCNonNilReturnValueChecker(CheckerManager &mgr) {
mgr.registerChecker<ObjCNonNilReturnValueChecker>(); mgr.registerChecker<ObjCNonNilReturnValueChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/BoolAssignmentChecker.cpp

Show All 28 Lines public:
void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const; void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const;
}; };
} // end anonymous namespace } // end anonymous namespace
void BoolAssignmentChecker::emitReport(ProgramStateRef state, void BoolAssignmentChecker::emitReport(ProgramStateRef state,
CheckerContext &C) const { CheckerContext &C) const {
if (ExplodedNode *N = C.addTransition(state)) { if (ExplodedNode *N = C.addTransition(state)) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Assignment of a non-Boolean value")); BT.reset(new BuiltinBug(this, "Assignment of a non-Boolean value"));
C.emitReport(new BugReport(*BT, BT->getDescription(), N)); C.emitReport(new BugReport(*BT, BT->getDescription(), N));
} }
} }
static bool isBooleanType(QualType Ty) { static bool isBooleanType(QualType Ty) {
if (Ty->isBooleanType()) // C++ or C99 if (Ty->isBooleanType()) // C++ or C99
return true; return true;
▲ Show 20 LinesShow All 112 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp

Show First 20 LinesShow All 45 Lines▼ Show 20 Lines
public: public:
/// The filter is used to filter out the diagnostics which are not enabled by /// The filter is used to filter out the diagnostics which are not enabled by
/// the user. /// the user.
struct CStringChecksFilter { struct CStringChecksFilter {
DefaultBool CheckCStringNullArg; DefaultBool CheckCStringNullArg;
DefaultBool CheckCStringOutOfBounds; DefaultBool CheckCStringOutOfBounds;
DefaultBool CheckCStringBufferOverlap; DefaultBool CheckCStringBufferOverlap;
DefaultBool CheckCStringNotNullTerm; DefaultBool CheckCStringNotNullTerm;
CheckName CheckNameCStringNullArg;
CheckName CheckNameCStringOutOfBounds;
CheckName CheckNameCStringBufferOverlap;
CheckName CheckNameCStringNotNullTerm;
}; };
CStringChecksFilter Filter; CStringChecksFilter Filter;
static void *getTag() { static int tag; return &tag; } static void *getTag() { static int tag; return &tag; }
bool evalCall(const CallExpr *CE, CheckerContext &C) const; bool evalCall(const CallExpr *CE, CheckerContext &C) const;
void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const; void checkPreStmt(const DeclStmt *DS, CheckerContext &C) const;
▲ Show 20 LinesShow All 165 Lines▼ Show 20 Lines if (stateNull && !stateNonNull) {
if (!Filter.CheckCStringNullArg) if (!Filter.CheckCStringNullArg)
return NULL; return NULL;
ExplodedNode *N = C.generateSink(stateNull); ExplodedNode *N = C.generateSink(stateNull);
if (!N) if (!N)
return NULL; return NULL;
if (!BT_Null) if (!BT_Null)
BT_Null.reset(new BuiltinBug(categories::UnixAPI, BT_Null.reset(new BuiltinBug(
Filter.CheckNameCStringNullArg, categories::UnixAPI,
"Null pointer argument in call to byte string function")); "Null pointer argument in call to byte string function"));
SmallString<80> buf; SmallString<80> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
assert(CurrentFunctionDescription); assert(CurrentFunctionDescription);
os << "Null pointer argument in call to " << CurrentFunctionDescription; os << "Null pointer argument in call to " << CurrentFunctionDescription;
// Generate a report for this bug. // Generate a report for this bug.
BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get()); BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Null.get());
▲ Show 20 LinesShow All 44 Lines▼ Show 20 LinesProgramStateRef CStringChecker::CheckLocation(CheckerContext &C,
ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true); ProgramStateRef StInBound = state->assumeInBound(Idx, Size, true);
ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false); ProgramStateRef StOutBound = state->assumeInBound(Idx, Size, false);
if (StOutBound && !StInBound) { if (StOutBound && !StInBound) {
ExplodedNode *N = C.generateSink(StOutBound); ExplodedNode *N = C.generateSink(StOutBound);
if (!N) if (!N)
return NULL; return NULL;
if (!BT_Bounds) { if (!BT_Bounds) {
BT_Bounds.reset(new BuiltinBug("Out-of-bound array access", BT_Bounds.reset(new BuiltinBug(
Filter.CheckNameCStringOutOfBounds, "Out-of-bound array access",
"Byte string function accesses out-of-bound array element")); "Byte string function accesses out-of-bound array element"));
} }
BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get()); BuiltinBug *BT = static_cast<BuiltinBug*>(BT_Bounds.get());
// Generate a report for this bug. // Generate a report for this bug.
BugReport *report; BugReport *report;
if (warningMsg) { if (warningMsg) {
report = new BugReport(*BT, warningMsg, N); report = new BugReport(*BT, warningMsg, N);
} else { } else {
▲ Show 20 LinesShow All 214 Lines▼ Show 20 Lines
void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state, void CStringChecker::emitOverlapBug(CheckerContext &C, ProgramStateRef state,
const Stmt *First, const Stmt *Second) const { const Stmt *First, const Stmt *Second) const {
ExplodedNode *N = C.generateSink(state); ExplodedNode *N = C.generateSink(state);
if (!N) if (!N)
return; return;
if (!BT_Overlap) if (!BT_Overlap)
BT_Overlap.reset(new BugType(categories::UnixAPI, "Improper arguments")); BT_Overlap.reset(new BugType(Filter.CheckNameCStringBufferOverlap,
categories::UnixAPI, "Improper arguments"));
// Generate a report for this bug. // Generate a report for this bug.
BugReport *report = BugReport *report =
new BugReport(*BT_Overlap, new BugReport(*BT_Overlap,
"Arguments must not be overlapping buffers", N); "Arguments must not be overlapping buffers", N);
report->addRange(First->getSourceRange()); report->addRange(First->getSourceRange());
report->addRange(Second->getSourceRange()); report->addRange(Second->getSourceRange());
▲ Show 20 LinesShow All 43 Lines▼ Show 20 Lines if (Optional<NonLoc> maxMinusRightNL = maxMinusRight.getAs<NonLoc>()) {
if (stateOverflow && !stateOkay) { if (stateOverflow && !stateOkay) {
// We have an overflow. Emit a bug report. // We have an overflow. Emit a bug report.
ExplodedNode *N = C.generateSink(stateOverflow); ExplodedNode *N = C.generateSink(stateOverflow);
if (!N) if (!N)
return NULL; return NULL;
if (!BT_AdditionOverflow) if (!BT_AdditionOverflow)
BT_AdditionOverflow.reset(new BuiltinBug("API", BT_AdditionOverflow.reset(
new BuiltinBug(Filter.CheckNameCStringOutOfBounds, "API",
"Sum of expressions causes overflow")); "Sum of expressions causes overflow"));
// This isn't a great error message, but this should never occur in real // This isn't a great error message, but this should never occur in real
// code anyway -- you'd have to create a buffer longer than a size_t can // code anyway -- you'd have to create a buffer longer than a size_t can
// represent, which is sort of a contradiction. // represent, which is sort of a contradiction.
const char *warning = const char *warning =
"This expression will create a string whose length is too big to " "This expression will create a string whose length is too big to "
"be represented as a size_t"; "be represented as a size_t";
▲ Show 20 LinesShow All 99 Lines▼ Show 20 Lines if (!MR) {
// C string. In the context of locations, the only time we can issue such // C string. In the context of locations, the only time we can issue such
// a warning is for labels. // a warning is for labels.
if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) { if (Optional<loc::GotoLabel> Label = Buf.getAs<loc::GotoLabel>()) {
if (!Filter.CheckCStringNotNullTerm) if (!Filter.CheckCStringNotNullTerm)
return UndefinedVal(); return UndefinedVal();
if (ExplodedNode *N = C.addTransition(state)) { if (ExplodedNode *N = C.addTransition(state)) {
if (!BT_NotCString) if (!BT_NotCString)
BT_NotCString.reset(new BuiltinBug(categories::UnixAPI, BT_NotCString.reset(new BuiltinBug(
Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
"Argument is not a null-terminated string.")); "Argument is not a null-terminated string."));
SmallString<120> buf; SmallString<120> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
assert(CurrentFunctionDescription); assert(CurrentFunctionDescription);
os << "Argument to " << CurrentFunctionDescription os << "Argument to " << CurrentFunctionDescription
<< " is the address of the label '" << Label->getLabel()->getName() << " is the address of the label '" << Label->getLabel()->getName()
<< "', which is not a null-terminated string"; << "', which is not a null-terminated string";
// Generate a report for this bug. // Generate a report for this bug.
BugReport *report = new BugReport(*BT_NotCString, BugReport *report = new BugReport(*BT_NotCString, os.str(), N);
os.str(), N);
report->addRange(Ex->getSourceRange()); report->addRange(Ex->getSourceRange());
C.emitReport(report); C.emitReport(report);
} }
return UndefinedVal(); return UndefinedVal();
} }
Show All 31 Lines default:
// Other regions (mostly non-data) can't have a reliable C string length. // Other regions (mostly non-data) can't have a reliable C string length.
// In this case, an error is emitted and UndefinedVal is returned. // In this case, an error is emitted and UndefinedVal is returned.
// The caller should always be prepared to handle this case. // The caller should always be prepared to handle this case.
if (!Filter.CheckCStringNotNullTerm) if (!Filter.CheckCStringNotNullTerm)
return UndefinedVal(); return UndefinedVal();
if (ExplodedNode *N = C.addTransition(state)) { if (ExplodedNode *N = C.addTransition(state)) {
if (!BT_NotCString) if (!BT_NotCString)
BT_NotCString.reset(new BuiltinBug(categories::UnixAPI, BT_NotCString.reset(new BuiltinBug(
Filter.CheckNameCStringNotNullTerm, categories::UnixAPI,
"Argument is not a null-terminated string.")); "Argument is not a null-terminated string."));
SmallString<120> buf; SmallString<120> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
assert(CurrentFunctionDescription); assert(CurrentFunctionDescription);
os << "Argument to " << CurrentFunctionDescription << " is "; os << "Argument to " << CurrentFunctionDescription << " is ";
if (SummarizeRegion(os, C.getASTContext(), MR)) if (SummarizeRegion(os, C.getASTContext(), MR))
▲ Show 20 LinesShow All 1,276 Lines▼ Show 20 Lines if (SymbolRef Sym = Len.getAsSymbol()) {
Entries = F.remove(Entries, I.getKey()); Entries = F.remove(Entries, I.getKey());
} }
} }
state = state->set<CStringLength>(Entries); state = state->set<CStringLength>(Entries);
C.addTransition(state); C.addTransition(state);
} }
#define REGISTER_CHECKER(name) \ #define REGISTER_CHECKER(name) \
void ento::register##name(CheckerManager &mgr) {\ void ento::register##name(CheckerManager &mgr) { \
mgr.registerChecker<CStringChecker>()->Filter.Check##name = true; \ CStringChecker *checker = mgr.registerChecker<CStringChecker>(); \
checker->Filter.Check##name = true; \
checker->Filter.CheckName##name = mgr.getCurrentCheckName(); \
} }
REGISTER_CHECKER(CStringNullArg) REGISTER_CHECKER(CStringNullArg)
REGISTER_CHECKER(CStringOutOfBounds) REGISTER_CHECKER(CStringOutOfBounds)
REGISTER_CHECKER(CStringBufferOverlap) REGISTER_CHECKER(CStringBufferOverlap)
REGISTER_CHECKER(CStringNotNullTerm) REGISTER_CHECKER(CStringNotNullTerm)
void ento::registerCStringCheckerBasic(CheckerManager &Mgr) { void ento::registerCStringCheckerBasic(CheckerManager &Mgr) {
registerCStringNullArg(Mgr); registerCStringNullArg(Mgr);
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/CStringSyntaxChecker.cpp

Show All 25 Lines
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class WalkAST: public StmtVisitor<WalkAST> { class WalkAST: public StmtVisitor<WalkAST> {
const CheckerBase *Checker;
BugReporter &BR; BugReporter &BR;
AnalysisDeclContext* AC; AnalysisDeclContext* AC;
/// Check if two expressions refer to the same declaration. /// Check if two expressions refer to the same declaration.
inline bool sameDecl(const Expr *A1, const Expr *A2) { inline bool sameDecl(const Expr *A1, const Expr *A2) {
if (const DeclRefExpr *D1 = dyn_cast<DeclRefExpr>(A1->IgnoreParenCasts())) if (const DeclRefExpr *D1 = dyn_cast<DeclRefExpr>(A1->IgnoreParenCasts()))
if (const DeclRefExpr *D2 = dyn_cast<DeclRefExpr>(A2->IgnoreParenCasts())) if (const DeclRefExpr *D2 = dyn_cast<DeclRefExpr>(A2->IgnoreParenCasts()))
return D1->getDecl() == D2->getDecl(); return D1->getDecl() == D2->getDecl();
Show All 34 Lines inline StringRef getPrintableName(const Expr *E) {
return StringRef(); return StringRef();
} }
/// Identify erroneous patterns in the last argument to strncat - the number /// Identify erroneous patterns in the last argument to strncat - the number
/// of bytes to copy. /// of bytes to copy.
bool containsBadStrncatPattern(const CallExpr *CE); bool containsBadStrncatPattern(const CallExpr *CE);
public: public:
WalkAST(BugReporter &br, AnalysisDeclContext* ac) : WalkAST(const CheckerBase *checker, BugReporter &br, AnalysisDeclContext *ac)
BR(br), AC(ac) { : Checker(checker), BR(br), AC(ac) {}
}
// Statement visitor methods. // Statement visitor methods.
void VisitChildren(Stmt *S); void VisitChildren(Stmt *S);
void VisitStmt(Stmt *S) { void VisitStmt(Stmt *S) {
VisitChildren(S); VisitChildren(S);
} }
void VisitCallExpr(CallExpr *CE); void VisitCallExpr(CallExpr *CE);
}; };
▲ Show 20 LinesShow All 57 Lines▼ Show 20 Lines if (containsBadStrncatPattern(CE)) {
if (!DstName.empty()) { if (!DstName.empty()) {
os << "Replace with 'sizeof(" << DstName << ") " os << "Replace with 'sizeof(" << DstName << ") "
"- strlen(" << DstName <<") - 1'"; "- strlen(" << DstName <<") - 1'";
os << " or u"; os << " or u";
} else } else
os << "U"; os << "U";
os << "se a safer 'strlcat' API"; os << "se a safer 'strlcat' API";
BR.EmitBasicReport(FD, "Anti-pattern in the argument", "C String API", BR.EmitBasicReport(FD, Checker, "Anti-pattern in the argument",
os.str(), Loc, LenArg->getSourceRange()); "C String API", os.str(), Loc,
LenArg->getSourceRange());
} }
} }
// Recurse and check children. // Recurse and check children.
VisitChildren(CE); VisitChildren(CE);
} }
void WalkAST::VisitChildren(Stmt *S) { void WalkAST::VisitChildren(Stmt *S) {
for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I != E; for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I != E;
++I) ++I)
if (Stmt *child = *I) if (Stmt *child = *I)
Visit(child); Visit(child);
} }
namespace { namespace {
class CStringSyntaxChecker: public Checker<check::ASTCodeBody> { class CStringSyntaxChecker: public Checker<check::ASTCodeBody> {
public: public:
void checkASTCodeBody(const Decl *D, AnalysisManager& Mgr, void checkASTCodeBody(const Decl *D, AnalysisManager& Mgr,
BugReporter &BR) const { BugReporter &BR) const {
WalkAST walker(BR, Mgr.getAnalysisDeclContext(D)); WalkAST walker(this, BR, Mgr.getAnalysisDeclContext(D));
walker.Visit(D->getBody()); walker.Visit(D->getBody());
} }
}; };
} }
void ento::registerCStringSyntaxChecker(CheckerManager &mgr) { void ento::registerCStringSyntaxChecker(CheckerManager &mgr) {
mgr.registerChecker<CStringSyntaxChecker>(); mgr.registerChecker<CStringSyntaxChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/CallAndMessageChecker.cpp

Show First 20 LinesShow All 46 Lines▼ Show 20 Lines
public: public:
void checkPreStmt(const CallExpr *CE, CheckerContext &C) const; void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const; void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
private: private:
static bool PreVisitProcessArg(CheckerContext &C, SVal V, bool PreVisitProcessArg(CheckerContext &C, SVal V, SourceRange argRange,
SourceRange argRange, const Expr *argEx, const Expr *argEx, bool IsFirstArgument,
bool IsFirstArgument, bool checkUninitFields, bool checkUninitFields, const CallEvent &Call,
const CallEvent &Call, OwningPtr<BugType> &BT); OwningPtr<BugType> &BT) const;
static void emitBadCall(BugType *BT, CheckerContext &C, const Expr *BadE); static void emitBadCall(BugType *BT, CheckerContext &C, const Expr *BadE);
void emitNilReceiverBug(CheckerContext &C, const ObjCMethodCall &msg, void emitNilReceiverBug(CheckerContext &C, const ObjCMethodCall &msg,
ExplodedNode *N) const; ExplodedNode *N) const;
void HandleNilReceiver(CheckerContext &C, void HandleNilReceiver(CheckerContext &C,
ProgramStateRef state, ProgramStateRef state,
const ObjCMethodCall &msg) const; const ObjCMethodCall &msg) const;
static void LazyInit_BT(const char *desc, OwningPtr<BugType> &BT) { void LazyInit_BT(const char *desc, OwningPtr<BugType> &BT) const {
if (!BT) if (!BT)
BT.reset(new BuiltinBug(desc)); BT.reset(new BuiltinBug(this, desc));
} }
}; };
} // end anonymous namespace } // end anonymous namespace
void CallAndMessageChecker::emitBadCall(BugType *BT, CheckerContext &C, void CallAndMessageChecker::emitBadCall(BugType *BT, CheckerContext &C,
const Expr *BadE) { const Expr *BadE) {
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (!N) if (!N)
Show All 35 Lines
} }
bool CallAndMessageChecker::PreVisitProcessArg(CheckerContext &C, bool CallAndMessageChecker::PreVisitProcessArg(CheckerContext &C,
SVal V, SourceRange argRange, SVal V, SourceRange argRange,
const Expr *argEx, const Expr *argEx,
bool IsFirstArgument, bool IsFirstArgument,
bool checkUninitFields, bool checkUninitFields,
const CallEvent &Call, const CallEvent &Call,
OwningPtr<BugType> &BT) { OwningPtr<BugType> &BT) const {
if (V.isUndef()) { if (V.isUndef()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateSink()) {
LazyInit_BT("Uninitialized argument value", BT); LazyInit_BT("Uninitialized argument value", BT);
// Generate a report for this bug. // Generate a report for this bug.
StringRef Desc = describeUninitializedArgumentInCall(Call, StringRef Desc = describeUninitializedArgumentInCall(Call,
IsFirstArgument); IsFirstArgument);
BugReport *R = new BugReport(*BT, Desc, N); BugReport *R = new BugReport(*BT, Desc, N);
▲ Show 20 LinesShow All 98 Lines▼ Show 20 Linesvoid CallAndMessageChecker::checkPreStmt(const CallExpr *CE,
const Expr *Callee = CE->getCallee()->IgnoreParens(); const Expr *Callee = CE->getCallee()->IgnoreParens();
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const LocationContext *LCtx = C.getLocationContext(); const LocationContext *LCtx = C.getLocationContext();
SVal L = State->getSVal(Callee, LCtx); SVal L = State->getSVal(Callee, LCtx);
if (L.isUndef()) { if (L.isUndef()) {
if (!BT_call_undef) if (!BT_call_undef)
BT_call_undef.reset(new BuiltinBug("Called function pointer is an " BT_call_undef.reset(new BuiltinBug(
"uninitalized pointer value")); this, "Called function pointer is an uninitalized pointer value"));
emitBadCall(BT_call_undef.get(), C, Callee); emitBadCall(BT_call_undef.get(), C, Callee);
return; return;
} }
ProgramStateRef StNonNull, StNull; ProgramStateRef StNonNull, StNull;
llvm::tie(StNonNull, StNull) = llvm::tie(StNonNull, StNull) =
State->assume(L.castAs<DefinedOrUnknownSVal>()); State->assume(L.castAs<DefinedOrUnknownSVal>());
if (StNull && !StNonNull) { if (StNull && !StNonNull) {
if (!BT_call_null) if (!BT_call_null)
BT_call_null.reset( BT_call_null.reset(new BuiltinBug(
new BuiltinBug("Called function pointer is null (null dereference)")); this, "Called function pointer is null (null dereference)"));
emitBadCall(BT_call_null.get(), C, Callee); emitBadCall(BT_call_null.get(), C, Callee);
return; return;
} }
C.addTransition(StNonNull); C.addTransition(StNonNull);
} }
void CallAndMessageChecker::checkPreStmt(const CXXDeleteExpr *DE, void CallAndMessageChecker::checkPreStmt(const CXXDeleteExpr *DE,
CheckerContext &C) const { CheckerContext &C) const {
SVal Arg = C.getSVal(DE->getArgument()); SVal Arg = C.getSVal(DE->getArgument());
if (Arg.isUndef()) { if (Arg.isUndef()) {
StringRef Desc; StringRef Desc;
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (!N) if (!N)
return; return;
if (!BT_cxx_delete_undef) if (!BT_cxx_delete_undef)
BT_cxx_delete_undef.reset(new BuiltinBug("Uninitialized argument value")); BT_cxx_delete_undef.reset(
new BuiltinBug(this, "Uninitialized argument value"));
if (DE->isArrayFormAsWritten()) if (DE->isArrayFormAsWritten())
Desc = "Argument to 'delete[]' is uninitialized"; Desc = "Argument to 'delete[]' is uninitialized";
else else
Desc = "Argument to 'delete' is uninitialized"; Desc = "Argument to 'delete' is uninitialized";
BugType *BT = BT_cxx_delete_undef.get(); BugType *BT = BT_cxx_delete_undef.get();
BugReport *R = new BugReport(*BT, Desc, N); BugReport *R = new BugReport(*BT, Desc, N);
bugreporter::trackNullOrUndefValue(N, DE, *R); bugreporter::trackNullOrUndefValue(N, DE, *R);
C.emitReport(R); C.emitReport(R);
return; return;
} }
} }
void CallAndMessageChecker::checkPreCall(const CallEvent &Call, void CallAndMessageChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
// If this is a call to a C++ method, check if the callee is null or // If this is a call to a C++ method, check if the callee is null or
// undefined. // undefined.
if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
SVal V = CC->getCXXThisVal(); SVal V = CC->getCXXThisVal();
if (V.isUndef()) { if (V.isUndef()) {
if (!BT_cxx_call_undef) if (!BT_cxx_call_undef)
BT_cxx_call_undef.reset(new BuiltinBug("Called C++ object pointer is " BT_cxx_call_undef.reset(
"uninitialized")); new BuiltinBug(this, "Called C++ object pointer is uninitialized"));
emitBadCall(BT_cxx_call_undef.get(), C, CC->getCXXThisExpr()); emitBadCall(BT_cxx_call_undef.get(), C, CC->getCXXThisExpr());
return; return;
} }
ProgramStateRef StNonNull, StNull; ProgramStateRef StNonNull, StNull;
llvm::tie(StNonNull, StNull) = llvm::tie(StNonNull, StNull) =
State->assume(V.castAs<DefinedOrUnknownSVal>()); State->assume(V.castAs<DefinedOrUnknownSVal>());
if (StNull && !StNonNull) { if (StNull && !StNonNull) {
if (!BT_cxx_call_null) if (!BT_cxx_call_null)
BT_cxx_call_null.reset(new BuiltinBug("Called C++ object pointer " BT_cxx_call_null.reset(
"is null")); new BuiltinBug(this, "Called C++ object pointer is null"));
emitBadCall(BT_cxx_call_null.get(), C, CC->getCXXThisExpr()); emitBadCall(BT_cxx_call_null.get(), C, CC->getCXXThisExpr());
return; return;
} }
State = StNonNull; State = StNonNull;
} }
const Decl *D = Call.getDecl(); const Decl *D = Call.getDecl();
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Linesvoid CallAndMessageChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
CheckerContext &C) const { CheckerContext &C) const {
SVal recVal = msg.getReceiverSVal(); SVal recVal = msg.getReceiverSVal();
if (recVal.isUndef()) { if (recVal.isUndef()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateSink()) {
BugType *BT = 0; BugType *BT = 0;
switch (msg.getMessageKind()) { switch (msg.getMessageKind()) {
case OCM_Message: case OCM_Message:
if (!BT_msg_undef) if (!BT_msg_undef)
BT_msg_undef.reset(new BuiltinBug("Receiver in message expression " BT_msg_undef.reset(new BuiltinBug(this,
"Receiver in message expression "
"is an uninitialized value")); "is an uninitialized value"));
BT = BT_msg_undef.get(); BT = BT_msg_undef.get();
break; break;
case OCM_PropertyAccess: case OCM_PropertyAccess:
if (!BT_objc_prop_undef) if (!BT_objc_prop_undef)
BT_objc_prop_undef.reset(new BuiltinBug("Property access on an " BT_objc_prop_undef.reset(new BuiltinBug(
"uninitialized object " this, "Property access on an uninitialized object pointer"));
"pointer"));
BT = BT_objc_prop_undef.get(); BT = BT_objc_prop_undef.get();
break; break;
case OCM_Subscript: case OCM_Subscript:
if (!BT_objc_subscript_undef) if (!BT_objc_subscript_undef)
BT_objc_subscript_undef.reset(new BuiltinBug("Subscript access on an " BT_objc_subscript_undef.reset(new BuiltinBug(
"uninitialized object " this, "Subscript access on an uninitialized object pointer"));
"pointer"));
BT = BT_objc_subscript_undef.get(); BT = BT_objc_subscript_undef.get();
break; break;
} }
assert(BT && "Unknown message kind."); assert(BT && "Unknown message kind.");
BugReport *R = new BugReport(*BT, BT->getName(), N); BugReport *R = new BugReport(*BT, BT->getName(), N);
const ObjCMessageExpr *ME = msg.getOriginExpr(); const ObjCMessageExpr *ME = msg.getOriginExpr();
R->addRange(ME->getReceiverRange()); R->addRange(ME->getReceiverRange());
Show All 21 Lines
} }
void CallAndMessageChecker::emitNilReceiverBug(CheckerContext &C, void CallAndMessageChecker::emitNilReceiverBug(CheckerContext &C,
const ObjCMethodCall &msg, const ObjCMethodCall &msg,
ExplodedNode *N) const { ExplodedNode *N) const {
if (!BT_msg_ret) if (!BT_msg_ret)
BT_msg_ret.reset( BT_msg_ret.reset(
new BuiltinBug("Receiver in message expression is 'nil'")); new BuiltinBug(this, "Receiver in message expression is 'nil'"));
const ObjCMessageExpr *ME = msg.getOriginExpr(); const ObjCMessageExpr *ME = msg.getOriginExpr();
QualType ResTy = msg.getResultType(); QualType ResTy = msg.getResultType();
SmallString<200> buf; SmallString<200> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
os << "The receiver of message '"; os << "The receiver of message '";
▲ Show 20 LinesShow All 87 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/CastSizeChecker.cpp

Show First 20 LinesShow All 63 Lines▼ Show 20 Linesvoid CastSizeChecker::checkPreStmt(const CastExpr *CE,CheckerContext &C) const {
// Ignore void, and a few other un-sizeable types. // Ignore void, and a few other un-sizeable types.
if (typeSize.isZero()) if (typeSize.isZero())
return; return;
if (regionSize % typeSize != 0) { if (regionSize % typeSize != 0) {
if (ExplodedNode *errorNode = C.generateSink()) { if (ExplodedNode *errorNode = C.generateSink()) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Cast region with wrong size.", BT.reset(
new BuiltinBug(this, "Cast region with wrong size.",
"Cast a region whose size is not a multiple of the" "Cast a region whose size is not a multiple of the"
" destination type size.")); " destination type size."));
BugReport *R = new BugReport(*BT, BT->getDescription(), BugReport *R = new BugReport(*BT, BT->getDescription(),
errorNode); errorNode);
R->addRange(CE->getSourceRange()); R->addRange(CE->getSourceRange());
C.emitReport(R); C.emitReport(R);
} }
} }
} }
void ento::registerCastSizeChecker(CheckerManager &mgr) { void ento::registerCastSizeChecker(CheckerManager &mgr) {
mgr.registerChecker<CastSizeChecker>(); mgr.registerChecker<CastSizeChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/CastToStructChecker.cpp

Show First 20 LinesShow All 52 Lines▼ Show 20 Linesvoid CastToStructChecker::checkPreStmt(const CastExpr *CE,
// We allow cast from void*. // We allow cast from void*.
if (OrigPointeeTy->isVoidType()) if (OrigPointeeTy->isVoidType())
return; return;
// Now the cast-to-type is struct pointer, the original type is not void*. // Now the cast-to-type is struct pointer, the original type is not void*.
if (!OrigPointeeTy->isRecordType()) { if (!OrigPointeeTy->isRecordType()) {
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.addTransition()) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Cast from non-struct type to struct type", BT.reset(
new BuiltinBug(this, "Cast from non-struct type to struct type",
"Casting a non-structure type to a structure type " "Casting a non-structure type to a structure type "
"and accessing a field can lead to memory access " "and accessing a field can lead to memory access "
"errors or data corruption.")); "errors or data corruption."));
BugReport *R = new BugReport(*BT,BT->getDescription(), N); BugReport *R = new BugReport(*BT,BT->getDescription(), N);
R->addRange(CE->getSourceRange()); R->addRange(CE->getSourceRange());
C.emitReport(R); C.emitReport(R);
} }
} }
} }
void ento::registerCastToStructChecker(CheckerManager &mgr) { void ento::registerCastToStructChecker(CheckerManager &mgr) {
mgr.registerChecker<CastToStructChecker>(); mgr.registerChecker<CastToStructChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/CheckObjCDealloc.cpp

Show First 20 LinesShow All 91 Lines▼ Show 20 Linesstatic bool scan_ivar_release(Stmt *S, ObjCIvarDecl *ID,
// Recurse to children. // Recurse to children.
for (Stmt::child_iterator I = S->child_begin(), E= S->child_end(); I!=E; ++I) for (Stmt::child_iterator I = S->child_begin(), E= S->child_end(); I!=E; ++I)
if (*I && scan_ivar_release(*I, ID, PD, Release, SelfII, Ctx)) if (*I && scan_ivar_release(*I, ID, PD, Release, SelfII, Ctx))
return true; return true;
return false; return false;
} }
static void checkObjCDealloc(const ObjCImplementationDecl *D, static void checkObjCDealloc(const CheckerBase *Checker,
const ObjCImplementationDecl *D,
const LangOptions& LOpts, BugReporter& BR) { const LangOptions &LOpts, BugReporter &BR) {
assert (LOpts.getGC() != LangOptions::GCOnly); assert (LOpts.getGC() != LangOptions::GCOnly);
ASTContext &Ctx = BR.getContext(); ASTContext &Ctx = BR.getContext();
const ObjCInterfaceDecl *ID = D->getClassInterface(); const ObjCInterfaceDecl *ID = D->getClassInterface();
// Does the class contain any ivars that are pointers (or id<...>)? // Does the class contain any ivars that are pointers (or id<...>)?
// If not, skip the check entirely. // If not, skip the check entirely.
▲ Show 20 LinesShow All 65 Lines▼ Show 20 Lines if (!MD) { // No dealloc found.
const char* name = LOpts.getGC() == LangOptions::NonGC const char* name = LOpts.getGC() == LangOptions::NonGC
? "missing -dealloc" ? "missing -dealloc"
: "missing -dealloc (Hybrid MM, non-GC)"; : "missing -dealloc (Hybrid MM, non-GC)";
std::string buf; std::string buf;
llvm::raw_string_ostream os(buf); llvm::raw_string_ostream os(buf);
os << "Objective-C class '" << *D << "' lacks a 'dealloc' instance method"; os << "Objective-C class '" << *D << "' lacks a 'dealloc' instance method";
BR.EmitBasicReport(D, name, categories::CoreFoundationObjectiveC, BR.EmitBasicReport(D, Checker, name, categories::CoreFoundationObjectiveC,
os.str(), DLoc); os.str(), DLoc);
return; return;
} }
// dealloc found. Scan for missing [super dealloc]. // dealloc found. Scan for missing [super dealloc].
if (MD->getBody() && !scan_dealloc(MD->getBody(), S)) { if (MD->getBody() && !scan_dealloc(MD->getBody(), S)) {
const char* name = LOpts.getGC() == LangOptions::NonGC const char* name = LOpts.getGC() == LangOptions::NonGC
? "missing [super dealloc]" ? "missing [super dealloc]"
: "missing [super dealloc] (Hybrid MM, non-GC)"; : "missing [super dealloc] (Hybrid MM, non-GC)";
std::string buf; std::string buf;
llvm::raw_string_ostream os(buf); llvm::raw_string_ostream os(buf);
os << "The 'dealloc' instance method in Objective-C class '" << *D os << "The 'dealloc' instance method in Objective-C class '" << *D
<< "' does not send a 'dealloc' message to its super class" << "' does not send a 'dealloc' message to its super class"
" (missing [super dealloc])"; " (missing [super dealloc])";
BR.EmitBasicReport(MD, name, categories::CoreFoundationObjectiveC, BR.EmitBasicReport(MD, Checker, name, categories::CoreFoundationObjectiveC,
os.str(), DLoc); os.str(), DLoc);
return; return;
} }
// Get the "release" selector. // Get the "release" selector.
IdentifierInfo* RII = &Ctx.Idents.get("release"); IdentifierInfo* RII = &Ctx.Idents.get("release");
Selector RS = Ctx.Selectors.getSelector(0, &RII); Selector RS = Ctx.Selectors.getSelector(0, &RII);
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Lines if (scan_ivar_release(MD->getBody(), ID, PD, RS, SelfII, Ctx)
os << "The '" << *ID os << "The '" << *ID
<< "' instance variable was not retained by a synthesized property " << "' instance variable was not retained by a synthesized property "
"but was released in 'dealloc'"; "but was released in 'dealloc'";
} }
PathDiagnosticLocation SDLoc = PathDiagnosticLocation SDLoc =
PathDiagnosticLocation::createBegin(*I, BR.getSourceManager()); PathDiagnosticLocation::createBegin(*I, BR.getSourceManager());
BR.EmitBasicReport(MD, name, categories::CoreFoundationObjectiveC, BR.EmitBasicReport(MD, Checker, name,
os.str(), SDLoc); categories::CoreFoundationObjectiveC, os.str(), SDLoc);
} }
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// ObjCDeallocChecker // ObjCDeallocChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class ObjCDeallocChecker : public Checker< class ObjCDeallocChecker : public Checker<
check::ASTDecl<ObjCImplementationDecl> > { check::ASTDecl<ObjCImplementationDecl> > {
public: public:
void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& mgr, void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& mgr,
BugReporter &BR) const { BugReporter &BR) const {
if (mgr.getLangOpts().getGC() == LangOptions::GCOnly) if (mgr.getLangOpts().getGC() == LangOptions::GCOnly)
return; return;
checkObjCDealloc(cast<ObjCImplementationDecl>(D), mgr.getLangOpts(), BR); checkObjCDealloc(this, cast<ObjCImplementationDecl>(D), mgr.getLangOpts(),
BR);
} }
}; };
} }
void ento::registerObjCDeallocChecker(CheckerManager &mgr) { void ento::registerObjCDeallocChecker(CheckerManager &mgr) {
mgr.registerChecker<ObjCDeallocChecker>(); mgr.registerChecker<ObjCDeallocChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/CheckObjCInstMethSignature.cpp

Show All 34 Lines if (Derived->isAnyPointerType() && Ancestor->isAnyPointerType())
return true; return true;
return C.typesAreCompatible(Derived, Ancestor); return C.typesAreCompatible(Derived, Ancestor);
} }
static void CompareReturnTypes(const ObjCMethodDecl *MethDerived, static void CompareReturnTypes(const ObjCMethodDecl *MethDerived,
const ObjCMethodDecl *MethAncestor, const ObjCMethodDecl *MethAncestor,
BugReporter &BR, ASTContext &Ctx, BugReporter &BR, ASTContext &Ctx,
const ObjCImplementationDecl *ID) { const ObjCImplementationDecl *ID,
const CheckerBase *Checker) {
QualType ResDerived = MethDerived->getReturnType(); QualType ResDerived = MethDerived->getReturnType();
QualType ResAncestor = MethAncestor->getReturnType(); QualType ResAncestor = MethAncestor->getReturnType();
if (!AreTypesCompatible(ResDerived, ResAncestor, Ctx)) { if (!AreTypesCompatible(ResDerived, ResAncestor, Ctx)) {
std::string sbuf; std::string sbuf;
llvm::raw_string_ostream os(sbuf); llvm::raw_string_ostream os(sbuf);
Show All 12 Lines os << "' whose return type is '"
<< ResAncestor.getAsString() << ResAncestor.getAsString()
<< "'. These two types are incompatible, and may result in undefined " << "'. These two types are incompatible, and may result in undefined "
"behavior for clients of these classes."; "behavior for clients of these classes.";
PathDiagnosticLocation MethDLoc = PathDiagnosticLocation MethDLoc =
PathDiagnosticLocation::createBegin(MethDerived, PathDiagnosticLocation::createBegin(MethDerived,
BR.getSourceManager()); BR.getSourceManager());
BR.EmitBasicReport(MethDerived, BR.EmitBasicReport(
"Incompatible instance method return type", MethDerived, Checker, "Incompatible instance method return type",
categories::CoreFoundationObjectiveC, categories::CoreFoundationObjectiveC, os.str(), MethDLoc);
os.str(), MethDLoc);
} }
} }
static void CheckObjCInstMethSignature(const ObjCImplementationDecl *ID, static void CheckObjCInstMethSignature(const ObjCImplementationDecl *ID,
BugReporter& BR) { BugReporter &BR,
const CheckerBase *Checker) {
const ObjCInterfaceDecl *D = ID->getClassInterface(); const ObjCInterfaceDecl *D = ID->getClassInterface();
const ObjCInterfaceDecl *C = D->getSuperClass(); const ObjCInterfaceDecl *C = D->getSuperClass();
if (!C) if (!C)
return; return;
ASTContext &Ctx = BR.getContext(); ASTContext &Ctx = BR.getContext();
Show All 24 Lines for (ObjCInterfaceDecl::instmeth_iterator I=C->instmeth_begin(),
if (MI == IMeths.end() || MI->second == 0) if (MI == IMeths.end() || MI->second == 0)
continue; continue;
--NumMethods; --NumMethods;
ObjCMethodDecl *MethDerived = MI->second; ObjCMethodDecl *MethDerived = MI->second;
MI->second = 0; MI->second = 0;
CompareReturnTypes(MethDerived, M, BR, Ctx, ID); CompareReturnTypes(MethDerived, M, BR, Ctx, ID, Checker);
} }
C = C->getSuperClass(); C = C->getSuperClass();
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// ObjCMethSigsChecker // ObjCMethSigsChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class ObjCMethSigsChecker : public Checker< class ObjCMethSigsChecker : public Checker<
check::ASTDecl<ObjCImplementationDecl> > { check::ASTDecl<ObjCImplementationDecl> > {
public: public:
void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& mgr, void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& mgr,
BugReporter &BR) const { BugReporter &BR) const {
CheckObjCInstMethSignature(D, BR); CheckObjCInstMethSignature(D, BR, this);
} }
}; };
} }
void ento::registerObjCMethSigsChecker(CheckerManager &mgr) { void ento::registerObjCMethSigsChecker(CheckerManager &mgr) {
mgr.registerChecker<ObjCMethSigsChecker>(); mgr.registerChecker<ObjCMethSigsChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp

Show All 40 Linesstruct ChecksFilter {
DefaultBool check_getpw; DefaultBool check_getpw;
DefaultBool check_mktemp; DefaultBool check_mktemp;
DefaultBool check_mkstemp; DefaultBool check_mkstemp;
DefaultBool check_strcpy; DefaultBool check_strcpy;
DefaultBool check_rand; DefaultBool check_rand;
DefaultBool check_vfork; DefaultBool check_vfork;
DefaultBool check_FloatLoopCounter; DefaultBool check_FloatLoopCounter;
DefaultBool check_UncheckedReturn; DefaultBool check_UncheckedReturn;
CheckName checkName_gets;
CheckName checkName_getpw;
CheckName checkName_mktemp;
CheckName checkName_mkstemp;
CheckName checkName_strcpy;
CheckName checkName_rand;
CheckName checkName_vfork;
CheckName checkName_FloatLoopCounter;
CheckName checkName_UncheckedReturn;
}; };
class WalkAST : public StmtVisitor<WalkAST> { class WalkAST : public StmtVisitor<WalkAST> {
BugReporter &BR; BugReporter &BR;
AnalysisDeclContext* AC; AnalysisDeclContext* AC;
enum { num_setids = 6 }; enum { num_setids = 6 };
IdentifierInfo *II_setid[num_setids]; IdentifierInfo *II_setid[num_setids];
const bool CheckRand; const bool CheckRand;
const ChecksFilter &filter; const ChecksFilter &filter;
▲ Show 20 LinesShow All 217 Lines▼ Show 20 Linesvoid WalkAST::checkLoopConditionForFloat(const ForStmt *FS) {
ranges.push_back(drCond->getSourceRange()); ranges.push_back(drCond->getSourceRange());
ranges.push_back(drInc->getSourceRange()); ranges.push_back(drInc->getSourceRange());
const char *bugType = "Floating point variable used as loop counter"; const char *bugType = "Floating point variable used as loop counter";
PathDiagnosticLocation FSLoc = PathDiagnosticLocation FSLoc =
PathDiagnosticLocation::createBegin(FS, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(FS, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), filter.checkName_FloatLoopCounter,
bugType, "Security", os.str(), bugType, "Security", os.str(),
FSLoc, ranges); FSLoc, ranges);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Check: Any use of 'gets' is insecure. // Check: Any use of 'gets' is insecure.
// Originally: <rdar://problem/6335715> // Originally: <rdar://problem/6335715>
// Implements (part of): 300-BSI (buildsecurityin.us-cert.gov) // Implements (part of): 300-BSI (buildsecurityin.us-cert.gov)
Show All 18 Lines if (!PT)
return; return;
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy) if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
return; return;
// Issue a warning. // Issue a warning.
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), filter.checkName_gets,
"Potential buffer overflow in call to 'gets'", "Potential buffer overflow in call to 'gets'",
"Security", "Security",
"Call to function 'gets' is extremely insecure as it can " "Call to function 'gets' is extremely insecure as it can "
"always result in a buffer overflow", "always result in a buffer overflow",
CELoc, CE->getCallee()->getSourceRange()); CELoc, CE->getCallee()->getSourceRange());
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
Show All 23 Lines if (!PT)
return; return;
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy) if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
return; return;
// Issue a warning. // Issue a warning.
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), filter.checkName_getpw,
"Potential buffer overflow in call to 'getpw'", "Potential buffer overflow in call to 'getpw'",
"Security", "Security",
"The getpw() function is dangerous as it may overflow the " "The getpw() function is dangerous as it may overflow the "
"provided buffer. It is obsoleted by getpwuid().", "provided buffer. It is obsoleted by getpwuid().",
CELoc, CE->getCallee()->getSourceRange()); CELoc, CE->getCallee()->getSourceRange());
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
Show All 24 Linesvoid WalkAST::checkCall_mktemp(const CallExpr *CE, const FunctionDecl *FD) {
// Verify that the argument is a 'char*'. // Verify that the argument is a 'char*'.
if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy) if (PT->getPointeeType().getUnqualifiedType() != BR.getContext().CharTy)
return; return;
// Issue a waring. // Issue a waring.
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), filter.checkName_mktemp,
"Potential insecure temporary file in call 'mktemp'", "Potential insecure temporary file in call 'mktemp'",
"Security", "Security",
"Call to function 'mktemp' is insecure as it always " "Call to function 'mktemp' is insecure as it always "
"creates or uses insecure temporary file. Use 'mkstemp' " "creates or uses insecure temporary file. Use 'mkstemp' "
"instead", "instead",
CELoc, CE->getCallee()->getSourceRange()); CELoc, CE->getCallee()->getSourceRange());
} }
▲ Show 20 LinesShow All 69 Lines▼ Show 20 Linesvoid WalkAST::checkCall_mkstemp(const CallExpr *CE, const FunctionDecl *FD) {
out << " seen"; out << " seen";
if (suffix) { if (suffix) {
out << ", " << suffix << " character"; out << ", " << suffix << " character";
if (suffix > 1) if (suffix > 1)
out << 's'; out << 's';
out << " used as a suffix"; out << " used as a suffix";
} }
out << ')'; out << ')';
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), filter.checkName_mkstemp,
"Insecure temporary file creation", "Security", "Insecure temporary file creation", "Security",
out.str(), CELoc, strArg->getSourceRange()); out.str(), CELoc, strArg->getSourceRange());
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Check: Any use of 'strcpy' is insecure. // Check: Any use of 'strcpy' is insecure.
// //
// CWE-119: Improper Restriction of Operations within // CWE-119: Improper Restriction of Operations within
// the Bounds of a Memory Buffer // the Bounds of a Memory Buffer
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void WalkAST::checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD) { void WalkAST::checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD) {
if (!filter.check_strcpy) if (!filter.check_strcpy)
return; return;
if (!checkCall_strCommon(CE, FD)) if (!checkCall_strCommon(CE, FD))
return; return;
// Issue a warning. // Issue a warning.
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy,
"Potential insecure memory buffer bounds restriction in " "Potential insecure memory buffer bounds restriction in "
"call 'strcpy'", "call 'strcpy'",
"Security", "Security",
"Call to function 'strcpy' is insecure as it does not " "Call to function 'strcpy' is insecure as it does not "
"provide bounding of the memory buffer. Replace " "provide bounding of the memory buffer. Replace "
"unbounded copy functions with analogous functions that " "unbounded copy functions with analogous functions that "
"support length arguments such as 'strlcpy'. CWE-119.", "support length arguments such as 'strlcpy'. CWE-119.",
CELoc, CE->getCallee()->getSourceRange()); CELoc, CE->getCallee()->getSourceRange());
Show All 10 Lines if (!filter.check_strcpy)
return; return;
if (!checkCall_strCommon(CE, FD)) if (!checkCall_strCommon(CE, FD))
return; return;
// Issue a warning. // Issue a warning.
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), filter.checkName_strcpy,
"Potential insecure memory buffer bounds restriction in " "Potential insecure memory buffer bounds restriction in "
"call 'strcat'", "call 'strcat'",
"Security", "Security",
"Call to function 'strcat' is insecure as it does not " "Call to function 'strcat' is insecure as it does not "
"provide bounding of the memory buffer. Replace " "provide bounding of the memory buffer. Replace "
"unbounded copy functions with analogous functions that " "unbounded copy functions with analogous functions that "
"support length arguments such as 'strlcat'. CWE-119.", "support length arguments such as 'strlcat'. CWE-119.",
CELoc, CE->getCallee()->getSourceRange()); CELoc, CE->getCallee()->getSourceRange());
▲ Show 20 LinesShow All 61 Lines▼ Show 20 Linesvoid WalkAST::checkCall_rand(const CallExpr *CE, const FunctionDecl *FD) {
SmallString<256> buf2; SmallString<256> buf2;
llvm::raw_svector_ostream os2(buf2); llvm::raw_svector_ostream os2(buf2);
os2 << "Function '" << *FD os2 << "Function '" << *FD
<< "' is obsolete because it implements a poor random number generator." << "' is obsolete because it implements a poor random number generator."
<< " Use 'arc4random' instead"; << " Use 'arc4random' instead";
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), os1.str(), "Security", os2.str(), BR.EmitBasicReport(AC->getDecl(), filter.checkName_rand, os1.str(),
CELoc, CE->getCallee()->getSourceRange()); "Security", os2.str(), CELoc,
CE->getCallee()->getSourceRange());
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Check: 'random' should not be used // Check: 'random' should not be used
// Originally: <rdar://problem/63371000> // Originally: <rdar://problem/63371000>
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void WalkAST::checkCall_random(const CallExpr *CE, const FunctionDecl *FD) { void WalkAST::checkCall_random(const CallExpr *CE, const FunctionDecl *FD) {
if (!CheckRand || !filter.check_rand) if (!CheckRand || !filter.check_rand)
return; return;
const FunctionProtoType *FTP = FD->getType()->getAs<FunctionProtoType>(); const FunctionProtoType *FTP = FD->getType()->getAs<FunctionProtoType>();
if (!FTP) if (!FTP)
return; return;
// Verify that the function takes no argument. // Verify that the function takes no argument.
if (FTP->getNumParams() != 0) if (FTP->getNumParams() != 0)
return; return;
// Issue a warning. // Issue a warning.
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), filter.checkName_rand,
"'random' is not a secure random number generator", "'random' is not a secure random number generator",
"Security", "Security",
"The 'random' function produces a sequence of values that " "The 'random' function produces a sequence of values that "
"an adversary may be able to predict. Use 'arc4random' " "an adversary may be able to predict. Use 'arc4random' "
"instead", CELoc, CE->getCallee()->getSourceRange()); "instead", CELoc, CE->getCallee()->getSourceRange());
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Check: 'vfork' should not be used. // Check: 'vfork' should not be used.
// POS33-C: Do not use vfork(). // POS33-C: Do not use vfork().
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void WalkAST::checkCall_vfork(const CallExpr *CE, const FunctionDecl *FD) { void WalkAST::checkCall_vfork(const CallExpr *CE, const FunctionDecl *FD) {
if (!filter.check_vfork) if (!filter.check_vfork)
return; return;
// All calls to vfork() are insecure, issue a warning. // All calls to vfork() are insecure, issue a warning.
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), filter.checkName_vfork,
"Potential insecure implementation-specific behavior in " "Potential insecure implementation-specific behavior in "
"call 'vfork'", "call 'vfork'",
"Security", "Security",
"Call to function 'vfork' is insecure as it can lead to " "Call to function 'vfork' is insecure as it can lead to "
"denial of service situations in the parent process. " "denial of service situations in the parent process. "
"Replace calls to vfork with calls to the safer " "Replace calls to vfork with calls to the safer "
"'posix_spawn' function", "'posix_spawn' function",
CELoc, CE->getCallee()->getSourceRange()); CELoc, CE->getCallee()->getSourceRange());
▲ Show 20 LinesShow All 54 Lines▼ Show 20 Linesvoid WalkAST::checkUncheckedReturnValue(CallExpr *CE) {
SmallString<256> buf2; SmallString<256> buf2;
llvm::raw_svector_ostream os2(buf2); llvm::raw_svector_ostream os2(buf2);
os2 << "The return value from the call to '" << *FD os2 << "The return value from the call to '" << *FD
<< "' is not checked. If an error occurs in '" << *FD << "' is not checked. If an error occurs in '" << *FD
<< "', the following code may execute with unexpected privileges"; << "', the following code may execute with unexpected privileges";
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), os1.str(), "Security", os2.str(), BR.EmitBasicReport(AC->getDecl(), filter.checkName_UncheckedReturn, os1.str(),
CELoc, CE->getCallee()->getSourceRange()); "Security", os2.str(), CELoc,
CE->getCallee()->getSourceRange());
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// SecuritySyntaxChecker // SecuritySyntaxChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class SecuritySyntaxChecker : public Checker<check::ASTCodeBody> { class SecuritySyntaxChecker : public Checker<check::ASTCodeBody> {
public: public:
ChecksFilter filter; ChecksFilter filter;
void checkASTCodeBody(const Decl *D, AnalysisManager& mgr, void checkASTCodeBody(const Decl *D, AnalysisManager& mgr,
BugReporter &BR) const { BugReporter &BR) const {
WalkAST walker(BR, mgr.getAnalysisDeclContext(D), filter); WalkAST walker(BR, mgr.getAnalysisDeclContext(D), filter);
walker.Visit(D->getBody()); walker.Visit(D->getBody());
} }
}; };
} }
#define REGISTER_CHECKER(name) \ #define REGISTER_CHECKER(name) \
void ento::register##name(CheckerManager &mgr) {\ void ento::register##name(CheckerManager &mgr) { \
mgr.registerChecker<SecuritySyntaxChecker>()->filter.check_##name = true;\ SecuritySyntaxChecker *checker = \
mgr.registerChecker<SecuritySyntaxChecker>(); \
checker->filter.check_##name = true; \
checker->filter.checkName_##name = mgr.getCurrentCheckName(); \
} }
REGISTER_CHECKER(gets) REGISTER_CHECKER(gets)
REGISTER_CHECKER(getpw) REGISTER_CHECKER(getpw)
REGISTER_CHECKER(mkstemp) REGISTER_CHECKER(mkstemp)
REGISTER_CHECKER(mktemp) REGISTER_CHECKER(mktemp)
REGISTER_CHECKER(strcpy) REGISTER_CHECKER(strcpy)
REGISTER_CHECKER(rand) REGISTER_CHECKER(rand)
REGISTER_CHECKER(vfork) REGISTER_CHECKER(vfork)
REGISTER_CHECKER(FloatLoopCounter) REGISTER_CHECKER(FloatLoopCounter)
REGISTER_CHECKER(UncheckedReturn) REGISTER_CHECKER(UncheckedReturn)

cfe/trunk/lib/StaticAnalyzer/Checkers/CheckSizeofPointer.cpp

Show All 18 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class WalkAST : public StmtVisitor<WalkAST> { class WalkAST : public StmtVisitor<WalkAST> {
BugReporter &BR; BugReporter &BR;
const CheckerBase *Checker;
AnalysisDeclContext* AC; AnalysisDeclContext* AC;
public: public:
WalkAST(BugReporter &br, AnalysisDeclContext* ac) : BR(br), AC(ac) {} WalkAST(BugReporter &br, const CheckerBase *checker, AnalysisDeclContext *ac)
: BR(br), Checker(checker), AC(ac) {}
void VisitUnaryExprOrTypeTraitExpr(UnaryExprOrTypeTraitExpr *E); void VisitUnaryExprOrTypeTraitExpr(UnaryExprOrTypeTraitExpr *E);
void VisitStmt(Stmt *S) { VisitChildren(S); } void VisitStmt(Stmt *S) { VisitChildren(S); }
void VisitChildren(Stmt *S); void VisitChildren(Stmt *S);
}; };
} }
void WalkAST::VisitChildren(Stmt *S) { void WalkAST::VisitChildren(Stmt *S) {
for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I!=E; ++I) for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I!=E; ++I)
Show All 18 Lines if (T->isPointerType()) {
// because people know what they are doing when they intentionally // because people know what they are doing when they intentionally
// dereference the pointer. // dereference the pointer.
Expr *ArgEx = E->getArgumentExpr(); Expr *ArgEx = E->getArgumentExpr();
if (!isa<DeclRefExpr>(ArgEx->IgnoreParens())) if (!isa<DeclRefExpr>(ArgEx->IgnoreParens()))
return; return;
PathDiagnosticLocation ELoc = PathDiagnosticLocation ELoc =
PathDiagnosticLocation::createBegin(E, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(E, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), Checker,
"Potential unintended use of sizeof() on pointer type", "Potential unintended use of sizeof() on pointer type",
categories::LogicError, categories::LogicError,
"The code calls sizeof() on a pointer type. " "The code calls sizeof() on a pointer type. "
"This can produce an unexpected result.", "This can produce an unexpected result.",
ELoc, ArgEx->getSourceRange()); ELoc, ArgEx->getSourceRange());
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// SizeofPointerChecker // SizeofPointerChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class SizeofPointerChecker : public Checker<check::ASTCodeBody> { class SizeofPointerChecker : public Checker<check::ASTCodeBody> {
public: public:
void checkASTCodeBody(const Decl *D, AnalysisManager& mgr, void checkASTCodeBody(const Decl *D, AnalysisManager& mgr,
BugReporter &BR) const { BugReporter &BR) const {
WalkAST walker(BR, mgr.getAnalysisDeclContext(D)); WalkAST walker(BR, this, mgr.getAnalysisDeclContext(D));
walker.Visit(D->getBody()); walker.Visit(D->getBody());
} }
}; };
} }
void ento::registerSizeofPointerChecker(CheckerManager &mgr) { void ento::registerSizeofPointerChecker(CheckerManager &mgr) {
mgr.registerChecker<SizeofPointerChecker>(); mgr.registerChecker<SizeofPointerChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/ChrootChecker.cpp

Show First 20 LinesShow All 136 Lines▼ Show 20 Lines if (FD->getIdentifier() == II_chroot || FD->getIdentifier() == II_chdir)
return; return;
// If jail state is ROOT_CHANGED, generate BugReport. // If jail state is ROOT_CHANGED, generate BugReport.
void *const* k = C.getState()->FindGDM(ChrootChecker::getTag()); void *const* k = C.getState()->FindGDM(ChrootChecker::getTag());
if (k) if (k)
if (isRootChanged((intptr_t) *k)) if (isRootChanged((intptr_t) *k))
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.addTransition()) {
if (!BT_BreakJail) if (!BT_BreakJail)
BT_BreakJail.reset(new BuiltinBug("Break out of jail", BT_BreakJail.reset(new BuiltinBug(
"No call of chdir(\"/\") immediately " this, "Break out of jail", "No call of chdir(\"/\") immediately "
"after chroot")); "after chroot"));
BugReport *R = new BugReport(*BT_BreakJail, BugReport *R = new BugReport(*BT_BreakJail,
BT_BreakJail->getDescription(), N); BT_BreakJail->getDescription(), N);
C.emitReport(R); C.emitReport(R);
} }
return; return;
} }
void ento::registerChrootChecker(CheckerManager &mgr) { void ento::registerChrootChecker(CheckerManager &mgr) {
mgr.registerChecker<ChrootChecker>(); mgr.registerChecker<ChrootChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/DeadStoresChecker.cpp

Show First 20 LinesShow All 118 Lines▼ Show 20 LinesLookThroughTransitiveAssignmentsAndCommaOperators(const Expr *Ex) {
return Ex; return Ex;
} }
namespace { namespace {
class DeadStoreObs : public LiveVariables::Observer { class DeadStoreObs : public LiveVariables::Observer {
const CFG &cfg; const CFG &cfg;
ASTContext &Ctx; ASTContext &Ctx;
BugReporter& BR; BugReporter& BR;
const CheckerBase *Checker;
AnalysisDeclContext* AC; AnalysisDeclContext* AC;
ParentMap& Parents; ParentMap& Parents;
llvm::SmallPtrSet<const VarDecl*, 20> Escaped; llvm::SmallPtrSet<const VarDecl*, 20> Escaped;
OwningPtr<ReachableCode> reachableCode; OwningPtr<ReachableCode> reachableCode;
const CFGBlock *currentBlock; const CFGBlock *currentBlock;
OwningPtr<llvm::DenseSet<const VarDecl *> > InEH; OwningPtr<llvm::DenseSet<const VarDecl *> > InEH;
enum DeadStoreKind { Standard, Enclosing, DeadIncrement, DeadInit }; enum DeadStoreKind { Standard, Enclosing, DeadIncrement, DeadInit };
public: public:
DeadStoreObs(const CFG &cfg, ASTContext &ctx, DeadStoreObs(const CFG &cfg, ASTContext &ctx, BugReporter &br,
BugReporter& br, AnalysisDeclContext* ac, ParentMap& parents, const CheckerBase *checker, AnalysisDeclContext *ac,
ParentMap &parents,
llvm::SmallPtrSet<const VarDecl*, 20> &escaped) llvm::SmallPtrSet<const VarDecl *, 20> &escaped)
: cfg(cfg), Ctx(ctx), BR(br), AC(ac), Parents(parents), : cfg(cfg), Ctx(ctx), BR(br), Checker(checker), AC(ac), Parents(parents),
Escaped(escaped), currentBlock(0) {} Escaped(escaped), currentBlock(0) {}
virtual ~DeadStoreObs() {} virtual ~DeadStoreObs() {}
bool isLive(const LiveVariables::LivenessValues &Live, const VarDecl *D) { bool isLive(const LiveVariables::LivenessValues &Live, const VarDecl *D) {
if (Live.isLive(D)) if (Live.isLive(D))
return true; return true;
// Lazily construct the set that records which VarDecls are in // Lazily construct the set that records which VarDecls are in
// EH code. // EH code.
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Lines switch (dsk) {
case Enclosing: case Enclosing:
// Don't report issues in this case, e.g.: "if (x = foo())", // Don't report issues in this case, e.g.: "if (x = foo())",
// where 'x' is unused later. We have yet to see a case where // where 'x' is unused later. We have yet to see a case where
// this is a real bug. // this is a real bug.
return; return;
} }
BR.EmitBasicReport(AC->getDecl(), BugType, "Dead store", os.str(), L, R); BR.EmitBasicReport(AC->getDecl(), Checker, BugType, "Dead store", os.str(),
L, R);
} }
void CheckVarDecl(const VarDecl *VD, const Expr *Ex, const Expr *Val, void CheckVarDecl(const VarDecl *VD, const Expr *Ex, const Expr *Val,
DeadStoreKind dsk, DeadStoreKind dsk,
const LiveVariables::LivenessValues &Live) { const LiveVariables::LivenessValues &Live) {
if (!VD->hasLocalStorage()) if (!VD->hasLocalStorage())
return; return;
▲ Show 20 LinesShow All 223 Lines▼ Show 20 Lines if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
return; return;
if (LiveVariables *L = mgr.getAnalysis<LiveVariables>(D)) { if (LiveVariables *L = mgr.getAnalysis<LiveVariables>(D)) {
CFG &cfg = *mgr.getCFG(D); CFG &cfg = *mgr.getCFG(D);
AnalysisDeclContext *AC = mgr.getAnalysisDeclContext(D); AnalysisDeclContext *AC = mgr.getAnalysisDeclContext(D);
ParentMap &pmap = mgr.getParentMap(D); ParentMap &pmap = mgr.getParentMap(D);
FindEscaped FS; FindEscaped FS;
cfg.VisitBlockStmts(FS); cfg.VisitBlockStmts(FS);
DeadStoreObs A(cfg, BR.getContext(), BR, AC, pmap, FS.Escaped); DeadStoreObs A(cfg, BR.getContext(), BR, this, AC, pmap, FS.Escaped);
L->runOnAllBlocks(A); L->runOnAllBlocks(A);
} }
} }
}; };
} }
void ento::registerDeadStoresChecker(CheckerManager &mgr) { void ento::registerDeadStoresChecker(CheckerManager &mgr) {
mgr.registerChecker<DeadStoresChecker>(); mgr.registerChecker<DeadStoresChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp

Show First 20 LinesShow All 91 Lines▼ Show 20 Linesvoid DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S,
// Generate an error node. // Generate an error node.
ExplodedNode *N = C.generateSink(State); ExplodedNode *N = C.generateSink(State);
if (!N) if (!N)
return; return;
// We know that 'location' cannot be non-null. This is what // We know that 'location' cannot be non-null. This is what
// we call an "explicit" null dereference. // we call an "explicit" null dereference.
if (!BT_null) if (!BT_null)
BT_null.reset(new BuiltinBug("Dereference of null pointer")); BT_null.reset(new BuiltinBug(this, "Dereference of null pointer"));
SmallString<100> buf; SmallString<100> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
SmallVector<SourceRange, 2> Ranges; SmallVector<SourceRange, 2> Ranges;
// Walk through lvalue casts to get the original expression // Walk through lvalue casts to get the original expression
// that syntactically caused the load. // that syntactically caused the load.
▲ Show 20 LinesShow All 66 Lines▼ Show 20 Lines
} }
void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S, void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
CheckerContext &C) const { CheckerContext &C) const {
// Check for dereference of an undefined value. // Check for dereference of an undefined value.
if (l.isUndef()) { if (l.isUndef()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateSink()) {
if (!BT_undef) if (!BT_undef)
BT_undef.reset(new BuiltinBug("Dereference of undefined pointer value")); BT_undef.reset(
new BuiltinBug(this, "Dereference of undefined pointer value"));
BugReport *report = BugReport *report =
new BugReport(*BT_undef, BT_undef->getDescription(), N); new BugReport(*BT_undef, BT_undef->getDescription(), N);
bugreporter::trackNullOrUndefValue(N, bugreporter::getDerefExpr(S), bugreporter::trackNullOrUndefValue(N, bugreporter::getDerefExpr(S),
*report); *report);
C.emitReport(report); C.emitReport(report);
} }
return; return;
▲ Show 20 LinesShow All 90 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/DirectIvarAssignment.cpp

Show First 20 LinesShow All 57 Lines▼ Show 20 Linesclass DirectIvarAssignment :
/// A helper class, which walks the AST and locates all assignments to ivars /// A helper class, which walks the AST and locates all assignments to ivars
/// in the given function. /// in the given function.
class MethodCrawler : public ConstStmtVisitor<MethodCrawler> { class MethodCrawler : public ConstStmtVisitor<MethodCrawler> {
const IvarToPropertyMapTy &IvarToPropMap; const IvarToPropertyMapTy &IvarToPropMap;
const ObjCMethodDecl *MD; const ObjCMethodDecl *MD;
const ObjCInterfaceDecl *InterfD; const ObjCInterfaceDecl *InterfD;
BugReporter &BR; BugReporter &BR;
const CheckerBase *Checker;
LocationOrAnalysisDeclContext DCtx; LocationOrAnalysisDeclContext DCtx;
public: public:
MethodCrawler(const IvarToPropertyMapTy &InMap, const ObjCMethodDecl *InMD, MethodCrawler(const IvarToPropertyMapTy &InMap, const ObjCMethodDecl *InMD,
const ObjCInterfaceDecl *InID, const ObjCInterfaceDecl *InID, BugReporter &InBR,
BugReporter &InBR, AnalysisDeclContext *InDCtx) const CheckerBase *Checker, AnalysisDeclContext *InDCtx)
: IvarToPropMap(InMap), MD(InMD), InterfD(InID), BR(InBR), DCtx(InDCtx) {} : IvarToPropMap(InMap), MD(InMD), InterfD(InID), BR(InBR),
Checker(Checker), DCtx(InDCtx) {}
void VisitStmt(const Stmt *S) { VisitChildren(S); } void VisitStmt(const Stmt *S) { VisitChildren(S); }
void VisitBinaryOperator(const BinaryOperator *BO); void VisitBinaryOperator(const BinaryOperator *BO);
void VisitChildren(const Stmt *S) { void VisitChildren(const Stmt *S) {
for (Stmt::const_child_range I = S->children(); I; ++I) for (Stmt::const_child_range I = S->children(); I; ++I)
if (*I) if (*I)
▲ Show 20 LinesShow All 66 Lines▼ Show 20 Lines for (ObjCImplementationDecl::instmeth_iterator I = D->instmeth_begin(),
AnalysisDeclContext *DCtx = Mgr.getAnalysisDeclContext(M); AnalysisDeclContext *DCtx = Mgr.getAnalysisDeclContext(M);
if ((*ShouldSkipMethod)(M)) if ((*ShouldSkipMethod)(M))
continue; continue;
const Stmt *Body = M->getBody(); const Stmt *Body = M->getBody();
assert(Body); assert(Body);
MethodCrawler MC(IvarToPropMap, M->getCanonicalDecl(), InterD, BR, DCtx); MethodCrawler MC(IvarToPropMap, M->getCanonicalDecl(), InterD, BR, this,
DCtx);
MC.VisitStmt(Body); MC.VisitStmt(Body);
} }
} }
static bool isAnnotatedToAllowDirectAssignment(const Decl *D) { static bool isAnnotatedToAllowDirectAssignment(const Decl *D) {
for (specific_attr_iterator<AnnotateAttr> for (specific_attr_iterator<AnnotateAttr>
AI = D->specific_attr_begin<AnnotateAttr>(), AI = D->specific_attr_begin<AnnotateAttr>(),
AE = D->specific_attr_end<AnnotateAttr>(); AI != AE; ++AI) { AE = D->specific_attr_end<AnnotateAttr>(); AI != AE; ++AI) {
Show All 35 Lines if (I != IvarToPropMap.end()) {
InterfD->getInstanceMethod(PD->getSetterName()); InterfD->getInstanceMethod(PD->getSetterName());
if (SetterMethod && SetterMethod->getCanonicalDecl() == MD) if (SetterMethod && SetterMethod->getCanonicalDecl() == MD)
return; return;
if (GetterMethod && GetterMethod->getCanonicalDecl() == MD) if (GetterMethod && GetterMethod->getCanonicalDecl() == MD)
return; return;
BR.EmitBasicReport(MD, BR.EmitBasicReport(
"Property access", MD, Checker, "Property access", categories::CoreFoundationObjectiveC,
categories::CoreFoundationObjectiveC,
"Direct assignment to an instance variable backing a property; " "Direct assignment to an instance variable backing a property; "
"use the setter instead", PathDiagnosticLocation(IvarRef, "use the setter instead",
BR.getSourceManager(), PathDiagnosticLocation(IvarRef, BR.getSourceManager(), DCtx));
DCtx));
} }
} }
} }
} }
// Register the checker that checks for direct accesses in all functions, // Register the checker that checks for direct accesses in all functions,
// except for the initialization and copy routines. // except for the initialization and copy routines.
void ento::registerDirectIvarAssignment(CheckerManager &mgr) { void ento::registerDirectIvarAssignment(CheckerManager &mgr) {
Show All 21 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/DivZeroChecker.cpp

Show All 31 Lines
}; };
} // end anonymous namespace } // end anonymous namespace
void DivZeroChecker::reportBug(const char *Msg, void DivZeroChecker::reportBug(const char *Msg,
ProgramStateRef StateZero, ProgramStateRef StateZero,
CheckerContext &C) const { CheckerContext &C) const {
if (ExplodedNode *N = C.generateSink(StateZero)) { if (ExplodedNode *N = C.generateSink(StateZero)) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Division by zero")); BT.reset(new BuiltinBug(this, "Division by zero"));
BugReport *R = new BugReport(*BT, Msg, N); BugReport *R = new BugReport(*BT, Msg, N);
bugreporter::trackNullOrUndefValue(N, bugreporter::GetDenomExpr(N), *R); bugreporter::trackNullOrUndefValue(N, bugreporter::GetDenomExpr(N), *R);
C.emitReport(R); C.emitReport(R);
} }
} }
void DivZeroChecker::checkPreStmt(const BinaryOperator *B, void DivZeroChecker::checkPreStmt(const BinaryOperator *B,
▲ Show 20 LinesShow All 44 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp

Show First 20 LinesShow All 89 Lines▼ Show 20 Linesvoid ExprInspectionChecker::analyzerEval(const CallExpr *CE,
const LocationContext *LC = N->getLocationContext(); const LocationContext *LC = N->getLocationContext();
// A specific instantiation of an inlined function may have more constrained // A specific instantiation of an inlined function may have more constrained
// values than can generally be assumed. Skip the check. // values than can generally be assumed. Skip the check.
if (LC->getCurrentStackFrame()->getParent() != 0) if (LC->getCurrentStackFrame()->getParent() != 0)
return; return;
if (!BT) if (!BT)
BT.reset(new BugType("Checking analyzer assumptions", "debug")); BT.reset(new BugType(this, "Checking analyzer assumptions", "debug"));
BugReport *R = new BugReport(*BT, getArgumentValueString(CE, C), N); BugReport *R = new BugReport(*BT, getArgumentValueString(CE, C), N);
C.emitReport(R); C.emitReport(R);
} }
void ExprInspectionChecker::analyzerWarnIfReached(const CallExpr *CE, void ExprInspectionChecker::analyzerWarnIfReached(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
ExplodedNode *N = C.getPredecessor(); ExplodedNode *N = C.getPredecessor();
if (!BT) if (!BT)
BT.reset(new BugType("Checking analyzer assumptions", "debug")); BT.reset(new BugType(this, "Checking analyzer assumptions", "debug"));
BugReport *R = new BugReport(*BT, "REACHABLE", N); BugReport *R = new BugReport(*BT, "REACHABLE", N);
C.emitReport(R); C.emitReport(R);
} }
void ExprInspectionChecker::analyzerCheckInlined(const CallExpr *CE, void ExprInspectionChecker::analyzerCheckInlined(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
ExplodedNode *N = C.getPredecessor(); ExplodedNode *N = C.getPredecessor();
const LocationContext *LC = N->getLocationContext(); const LocationContext *LC = N->getLocationContext();
// An inlined function could conceivably also be analyzed as a top-level // An inlined function could conceivably also be analyzed as a top-level
// function. We ignore this case and only emit a message (TRUE or FALSE) // function. We ignore this case and only emit a message (TRUE or FALSE)
// when we are analyzing it as an inlined function. This means that // when we are analyzing it as an inlined function. This means that
// clang_analyzer_checkInlined(true) should always print TRUE, but // clang_analyzer_checkInlined(true) should always print TRUE, but
// clang_analyzer_checkInlined(false) should never actually print anything. // clang_analyzer_checkInlined(false) should never actually print anything.
if (LC->getCurrentStackFrame()->getParent() == 0) if (LC->getCurrentStackFrame()->getParent() == 0)
return; return;
if (!BT) if (!BT)
BT.reset(new BugType("Checking analyzer assumptions", "debug")); BT.reset(new BugType(this, "Checking analyzer assumptions", "debug"));
BugReport *R = new BugReport(*BT, getArgumentValueString(CE, C), N); BugReport *R = new BugReport(*BT, getArgumentValueString(CE, C), N);
C.emitReport(R); C.emitReport(R);
} }
void ExprInspectionChecker::analyzerCrash(const CallExpr *CE, void ExprInspectionChecker::analyzerCrash(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
LLVM_BUILTIN_TRAP; LLVM_BUILTIN_TRAP;
} }
void ento::registerExprInspectionChecker(CheckerManager &Mgr) { void ento::registerExprInspectionChecker(CheckerManager &Mgr) {
Mgr.registerChecker<ExprInspectionChecker>(); Mgr.registerChecker<ExprInspectionChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/FixedAddressChecker.cpp

Show First 20 LinesShow All 46 Lines▼ Show 20 Linesvoid FixedAddressChecker::checkPreStmt(const BinaryOperator *B,
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
SVal RV = state->getSVal(B->getRHS(), C.getLocationContext()); SVal RV = state->getSVal(B->getRHS(), C.getLocationContext());
if (!RV.isConstant() || RV.isZeroConstant()) if (!RV.isConstant() || RV.isZeroConstant())
return; return;
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.addTransition()) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Use fixed address", BT.reset(
new BuiltinBug(this, "Use fixed address",
"Using a fixed address is not portable because that " "Using a fixed address is not portable because that "
"address will probably not be valid in all " "address will probably not be valid in all "
"environments or platforms.")); "environments or platforms."));
BugReport *R = new BugReport(*BT, BT->getDescription(), N); BugReport *R = new BugReport(*BT, BT->getDescription(), N);
R->addRange(B->getRHS()->getSourceRange()); R->addRange(B->getRHS()->getSourceRange());
C.emitReport(R); C.emitReport(R);
} }
} }
void ento::registerFixedAddressChecker(CheckerManager &mgr) { void ento::registerFixedAddressChecker(CheckerManager &mgr) {
mgr.registerChecker<FixedAddressChecker>(); mgr.registerChecker<FixedAddressChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/GenericTaintChecker.cpp

Show All 40 Lines
private: private:
static const unsigned InvalidArgIndex = UINT_MAX; static const unsigned InvalidArgIndex = UINT_MAX;
/// Denotes the return vale. /// Denotes the return vale.
static const unsigned ReturnValueIndex = UINT_MAX - 1; static const unsigned ReturnValueIndex = UINT_MAX - 1;
mutable OwningPtr<BugType> BT; mutable OwningPtr<BugType> BT;
inline void initBugType() const { inline void initBugType() const {
if (!BT) if (!BT)
BT.reset(new BugType("Use of Untrusted Data", "Untrusted Data")); BT.reset(new BugType(this, "Use of Untrusted Data", "Untrusted Data"));
} }
/// \brief Catch taint related bugs. Check if tainted data is passed to a /// \brief Catch taint related bugs. Check if tainted data is passed to a
/// system call etc. /// system call etc.
bool checkPre(const CallExpr *CE, CheckerContext &C) const; bool checkPre(const CallExpr *CE, CheckerContext &C) const;
/// \brief Add taint sources on a pre-visit. /// \brief Add taint sources on a pre-visit.
void addSourcesPre(const CallExpr *CE, CheckerContext &C) const; void addSourcesPre(const CallExpr *CE, CheckerContext &C) const;
▲ Show 20 LinesShow All 688 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/IdenticalExprChecker.cpp

Show All 30 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// FindIdenticalExprVisitor - Identify nodes using identical expressions. // FindIdenticalExprVisitor - Identify nodes using identical expressions.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class FindIdenticalExprVisitor class FindIdenticalExprVisitor
: public RecursiveASTVisitor<FindIdenticalExprVisitor> { : public RecursiveASTVisitor<FindIdenticalExprVisitor> {
public: public:
explicit FindIdenticalExprVisitor(BugReporter &B, AnalysisDeclContext *A) explicit FindIdenticalExprVisitor(BugReporter &B,
: BR(B), AC(A) {} const CheckerBase *Checker,
AnalysisDeclContext *A)
: BR(B), Checker(Checker), AC(A) {}
// FindIdenticalExprVisitor only visits nodes // FindIdenticalExprVisitor only visits nodes
// that are binary operators or conditional operators. // that are binary operators or conditional operators.
bool VisitBinaryOperator(const BinaryOperator *B); bool VisitBinaryOperator(const BinaryOperator *B);
bool VisitConditionalOperator(const ConditionalOperator *C); bool VisitConditionalOperator(const ConditionalOperator *C);
private: private:
BugReporter &BR; BugReporter &BR;
const CheckerBase *Checker;
AnalysisDeclContext *AC; AnalysisDeclContext *AC;
}; };
} // end anonymous namespace } // end anonymous namespace
bool FindIdenticalExprVisitor::VisitBinaryOperator(const BinaryOperator *B) { bool FindIdenticalExprVisitor::VisitBinaryOperator(const BinaryOperator *B) {
BinaryOperator::Opcode Op = B->getOpcode(); BinaryOperator::Opcode Op = B->getOpcode();
if (!BinaryOperator::isComparisonOp(Op)) if (!BinaryOperator::isComparisonOp(Op))
return true; return true;
▲ Show 20 LinesShow All 51 Lines▼ Show 20 Linesbool FindIdenticalExprVisitor::VisitBinaryOperator(const BinaryOperator *B) {
if (isIdenticalExpr(AC->getASTContext(), B->getLHS(), B->getRHS())) { if (isIdenticalExpr(AC->getASTContext(), B->getLHS(), B->getRHS())) {
PathDiagnosticLocation ELoc = PathDiagnosticLocation ELoc =
PathDiagnosticLocation::createOperatorLoc(B, BR.getSourceManager()); PathDiagnosticLocation::createOperatorLoc(B, BR.getSourceManager());
StringRef Message; StringRef Message;
if (((Op == BO_EQ) || (Op == BO_LE) || (Op == BO_GE))) if (((Op == BO_EQ) || (Op == BO_LE) || (Op == BO_GE)))
Message = "comparison of identical expressions always evaluates to true"; Message = "comparison of identical expressions always evaluates to true";
else else
Message = "comparison of identical expressions always evaluates to false"; Message = "comparison of identical expressions always evaluates to false";
BR.EmitBasicReport(AC->getDecl(), "Compare of identical expressions", BR.EmitBasicReport(AC->getDecl(), Checker,
"Compare of identical expressions",
categories::LogicError, Message, ELoc); categories::LogicError, Message, ELoc);
} }
// We want to visit ALL nodes (subexpressions of binary comparison // We want to visit ALL nodes (subexpressions of binary comparison
// expressions too) that contains comparison operators. // expressions too) that contains comparison operators.
// True is always returned to traverse ALL nodes. // True is always returned to traverse ALL nodes.
return true; return true;
} }
bool FindIdenticalExprVisitor::VisitConditionalOperator( bool FindIdenticalExprVisitor::VisitConditionalOperator(
const ConditionalOperator *C) { const ConditionalOperator *C) {
// Check if expressions in conditional expression are identical // Check if expressions in conditional expression are identical
// from a symbolic point of view. // from a symbolic point of view.
if (isIdenticalExpr(AC->getASTContext(), C->getTrueExpr(), if (isIdenticalExpr(AC->getASTContext(), C->getTrueExpr(),
C->getFalseExpr(), true)) { C->getFalseExpr(), true)) {
PathDiagnosticLocation ELoc = PathDiagnosticLocation ELoc =
PathDiagnosticLocation::createConditionalColonLoc( PathDiagnosticLocation::createConditionalColonLoc(
C, BR.getSourceManager()); C, BR.getSourceManager());
SourceRange Sr[2]; SourceRange Sr[2];
Sr[0] = C->getTrueExpr()->getSourceRange(); Sr[0] = C->getTrueExpr()->getSourceRange();
Sr[1] = C->getFalseExpr()->getSourceRange(); Sr[1] = C->getFalseExpr()->getSourceRange();
BR.EmitBasicReport( BR.EmitBasicReport(
AC->getDecl(), "Identical expressions in conditional expression", AC->getDecl(), Checker,
"Identical expressions in conditional expression",
categories::LogicError, categories::LogicError,
"identical expressions on both sides of ':' in conditional expression", "identical expressions on both sides of ':' in conditional expression",
ELoc, Sr); ELoc, Sr);
} }
// We want to visit ALL nodes (expressions in conditional // We want to visit ALL nodes (expressions in conditional
// expressions too) that contains conditional operators, // expressions too) that contains conditional operators,
// thus always return true to traverse ALL nodes. // thus always return true to traverse ALL nodes.
return true; return true;
▲ Show 20 LinesShow All 91 Lines▼ Show 20 Lines
// FindIdenticalExprChecker // FindIdenticalExprChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class FindIdenticalExprChecker : public Checker<check::ASTCodeBody> { class FindIdenticalExprChecker : public Checker<check::ASTCodeBody> {
public: public:
void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr, void checkASTCodeBody(const Decl *D, AnalysisManager &Mgr,
BugReporter &BR) const { BugReporter &BR) const {
FindIdenticalExprVisitor Visitor(BR, Mgr.getAnalysisDeclContext(D)); FindIdenticalExprVisitor Visitor(BR, this, Mgr.getAnalysisDeclContext(D));
Visitor.TraverseDecl(const_cast<Decl *>(D)); Visitor.TraverseDecl(const_cast<Decl *>(D));
} }
}; };
} // end anonymous namespace } // end anonymous namespace
void ento::registerIdenticalExprChecker(CheckerManager &Mgr) { void ento::registerIdenticalExprChecker(CheckerManager &Mgr) {
Mgr.registerChecker<FindIdenticalExprChecker>(); Mgr.registerChecker<FindIdenticalExprChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/IvarInvalidationChecker.cpp

Show First 20 LinesShow All 43 Lines▼ Show 20 Lines
namespace { namespace {
struct ChecksFilter { struct ChecksFilter {
/// Check for missing invalidation method declarations. /// Check for missing invalidation method declarations.
DefaultBool check_MissingInvalidationMethod; DefaultBool check_MissingInvalidationMethod;
/// Check that all ivars are invalidated. /// Check that all ivars are invalidated.
DefaultBool check_InstanceVariableInvalidation; DefaultBool check_InstanceVariableInvalidation;
CheckName checkName_MissingInvalidationMethod;
CheckName checkName_InstanceVariableInvalidation;
}; };
class IvarInvalidationCheckerImpl { class IvarInvalidationCheckerImpl {
typedef llvm::SmallSetVector<const ObjCMethodDecl*, 2> MethodSet; typedef llvm::SmallSetVector<const ObjCMethodDecl*, 2> MethodSet;
typedef llvm::DenseMap<const ObjCMethodDecl*, typedef llvm::DenseMap<const ObjCMethodDecl*,
const ObjCIvarDecl*> MethToIvarMapTy; const ObjCIvarDecl*> MethToIvarMapTy;
typedef llvm::DenseMap<const ObjCPropertyDecl*, typedef llvm::DenseMap<const ObjCPropertyDecl*,
▲ Show 20 LinesShow All 135 Lines▼ Show 20 Lines static const ObjCIvarDecl *findPropertyBackingIvar(
IvarSet &TrackedIvars, IvarSet &TrackedIvars,
const ObjCIvarDecl **FirstIvarDecl); const ObjCIvarDecl **FirstIvarDecl);
/// Print ivar name or the property if the given ivar backs a property. /// Print ivar name or the property if the given ivar backs a property.
static void printIvar(llvm::raw_svector_ostream &os, static void printIvar(llvm::raw_svector_ostream &os,
const ObjCIvarDecl *IvarDecl, const ObjCIvarDecl *IvarDecl,
const IvarToPropMapTy &IvarToPopertyMap); const IvarToPropMapTy &IvarToPopertyMap);
void reportNoInvalidationMethod(const ObjCIvarDecl *FirstIvarDecl, void reportNoInvalidationMethod(CheckName CheckName,
const ObjCIvarDecl *FirstIvarDecl,
const IvarToPropMapTy &IvarToPopertyMap, const IvarToPropMapTy &IvarToPopertyMap,
const ObjCInterfaceDecl *InterfaceD, const ObjCInterfaceDecl *InterfaceD,
bool MissingDeclaration) const; bool MissingDeclaration) const;
void reportIvarNeedsInvalidation(const ObjCIvarDecl *IvarD, void reportIvarNeedsInvalidation(const ObjCIvarDecl *IvarD,
const IvarToPropMapTy &IvarToPopertyMap, const IvarToPropMapTy &IvarToPopertyMap,
const ObjCMethodDecl *MethodD) const; const ObjCMethodDecl *MethodD) const;
AnalysisManager& Mgr; AnalysisManager& Mgr;
▲ Show 20 LinesShow All 259 Lines▼ Show 20 Linesvisit(const ObjCImplementationDecl *ImplD) const {
// Find all invalidation methods in this @interface declaration and parents. // Find all invalidation methods in this @interface declaration and parents.
InvalidationInfo Info; InvalidationInfo Info;
containsInvalidationMethod(InterfaceD, Info, /*LookForPartial*/ false); containsInvalidationMethod(InterfaceD, Info, /*LookForPartial*/ false);
// Report an error in case none of the invalidation methods are declared. // Report an error in case none of the invalidation methods are declared.
if (!Info.needsInvalidation() && !PartialInfo.needsInvalidation()) { if (!Info.needsInvalidation() && !PartialInfo.needsInvalidation()) {
if (Filter.check_MissingInvalidationMethod) if (Filter.check_MissingInvalidationMethod)
reportNoInvalidationMethod(FirstIvarDecl, IvarToPopertyMap, InterfaceD, reportNoInvalidationMethod(Filter.checkName_MissingInvalidationMethod,
FirstIvarDecl, IvarToPopertyMap, InterfaceD,
/*MissingDeclaration*/ true); /*MissingDeclaration*/ true);
// If there are no invalidation methods, there is no ivar validation work // If there are no invalidation methods, there is no ivar validation work
// to be done. // to be done.
return; return;
} }
// Only check if Ivars are invalidated when InstanceVariableInvalidation // Only check if Ivars are invalidated when InstanceVariableInvalidation
// has been requested. // has been requested.
Show All 39 Lines if (!AtImplementationContainsAtLeastOneInvalidationMethod) {
if (AtImplementationContainsAtLeastOnePartialInvalidationMethod) { if (AtImplementationContainsAtLeastOnePartialInvalidationMethod) {
// Warn on the ivars that were not invalidated by the prrtial // Warn on the ivars that were not invalidated by the prrtial
// invalidation methods. // invalidation methods.
for (IvarSet::const_iterator for (IvarSet::const_iterator
I = Ivars.begin(), E = Ivars.end(); I != E; ++I) I = Ivars.begin(), E = Ivars.end(); I != E; ++I)
reportIvarNeedsInvalidation(I->first, IvarToPopertyMap, 0); reportIvarNeedsInvalidation(I->first, IvarToPopertyMap, 0);
} else { } else {
// Otherwise, no invalidation methods were implemented. // Otherwise, no invalidation methods were implemented.
reportNoInvalidationMethod(FirstIvarDecl, IvarToPopertyMap, InterfaceD, reportNoInvalidationMethod(Filter.checkName_InstanceVariableInvalidation,
FirstIvarDecl, IvarToPopertyMap, InterfaceD,
/*MissingDeclaration*/ false); /*MissingDeclaration*/ false);
} }
} }
} }
void IvarInvalidationCheckerImpl:: void IvarInvalidationCheckerImpl::reportNoInvalidationMethod(
reportNoInvalidationMethod(const ObjCIvarDecl *FirstIvarDecl, CheckName CheckName, const ObjCIvarDecl *FirstIvarDecl,
const IvarToPropMapTy &IvarToPopertyMap, const IvarToPropMapTy &IvarToPopertyMap,
const ObjCInterfaceDecl *InterfaceD, const ObjCInterfaceDecl *InterfaceD, bool MissingDeclaration) const {
bool MissingDeclaration) const {
SmallString<128> sbuf; SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
assert(FirstIvarDecl); assert(FirstIvarDecl);
printIvar(os, FirstIvarDecl, IvarToPopertyMap); printIvar(os, FirstIvarDecl, IvarToPopertyMap);
os << "needs to be invalidated; "; os << "needs to be invalidated; ";
if (MissingDeclaration) if (MissingDeclaration)
os << "no invalidation method is declared for "; os << "no invalidation method is declared for ";
else else
os << "no invalidation method is defined in the @implementation for "; os << "no invalidation method is defined in the @implementation for ";
os << InterfaceD->getName(); os << InterfaceD->getName();
PathDiagnosticLocation IvarDecLocation = PathDiagnosticLocation IvarDecLocation =
PathDiagnosticLocation::createBegin(FirstIvarDecl, BR.getSourceManager()); PathDiagnosticLocation::createBegin(FirstIvarDecl, BR.getSourceManager());
BR.EmitBasicReport(FirstIvarDecl, "Incomplete invalidation", BR.EmitBasicReport(FirstIvarDecl, CheckName, "Incomplete invalidation",
categories::CoreFoundationObjectiveC, os.str(), categories::CoreFoundationObjectiveC, os.str(),
IvarDecLocation); IvarDecLocation);
} }
void IvarInvalidationCheckerImpl:: void IvarInvalidationCheckerImpl::
reportIvarNeedsInvalidation(const ObjCIvarDecl *IvarD, reportIvarNeedsInvalidation(const ObjCIvarDecl *IvarD,
const IvarToPropMapTy &IvarToPopertyMap, const IvarToPropMapTy &IvarToPopertyMap,
const ObjCMethodDecl *MethodD) const { const ObjCMethodDecl *MethodD) const {
SmallString<128> sbuf; SmallString<128> sbuf;
llvm::raw_svector_ostream os(sbuf); llvm::raw_svector_ostream os(sbuf);
printIvar(os, IvarD, IvarToPopertyMap); printIvar(os, IvarD, IvarToPopertyMap);
os << "needs to be invalidated or set to nil"; os << "needs to be invalidated or set to nil";
if (MethodD) { if (MethodD) {
PathDiagnosticLocation MethodDecLocation = PathDiagnosticLocation MethodDecLocation =
PathDiagnosticLocation::createEnd(MethodD->getBody(), PathDiagnosticLocation::createEnd(MethodD->getBody(),
BR.getSourceManager(), BR.getSourceManager(),
Mgr.getAnalysisDeclContext(MethodD)); Mgr.getAnalysisDeclContext(MethodD));
BR.EmitBasicReport(MethodD, "Incomplete invalidation", BR.EmitBasicReport(MethodD, Filter.checkName_InstanceVariableInvalidation,
"Incomplete invalidation",
categories::CoreFoundationObjectiveC, os.str(), categories::CoreFoundationObjectiveC, os.str(),
MethodDecLocation); MethodDecLocation);
} else { } else {
BR.EmitBasicReport(IvarD, "Incomplete invalidation", BR.EmitBasicReport(
categories::CoreFoundationObjectiveC, os.str(), IvarD, Filter.checkName_InstanceVariableInvalidation,
PathDiagnosticLocation::createBegin(IvarD, "Incomplete invalidation", categories::CoreFoundationObjectiveC,
BR.getSourceManager())); os.str(),
PathDiagnosticLocation::createBegin(IvarD, BR.getSourceManager()));
} }
} }
void IvarInvalidationCheckerImpl::MethodCrawler::markInvalidated( void IvarInvalidationCheckerImpl::MethodCrawler::markInvalidated(
const ObjCIvarDecl *Iv) { const ObjCIvarDecl *Iv) {
IvarSet::iterator I = IVars.find(Iv); IvarSet::iterator I = IVars.find(Iv);
if (I != IVars.end()) { if (I != IVars.end()) {
// If InvalidationMethod is present, we are processing the message send and // If InvalidationMethod is present, we are processing the message send and
▲ Show 20 LinesShow All 150 Lines▼ Show 20 Linespublic:
void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& Mgr, void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& Mgr,
BugReporter &BR) const { BugReporter &BR) const {
IvarInvalidationCheckerImpl Walker(Mgr, BR, Filter); IvarInvalidationCheckerImpl Walker(Mgr, BR, Filter);
Walker.visit(D); Walker.visit(D);
} }
}; };
} }
#define REGISTER_CHECKER(name) \ #define REGISTER_CHECKER(name) \
void ento::register##name(CheckerManager &mgr) {\ void ento::register##name(CheckerManager &mgr) { \
mgr.registerChecker<IvarInvalidationChecker>()->Filter.check_##name = true;\ IvarInvalidationChecker *checker = \
mgr.registerChecker<IvarInvalidationChecker>(); \
checker->Filter.check_##name = true; \
checker->Filter.checkName_##name = mgr.getCurrentCheckName(); \
} }
REGISTER_CHECKER(InstanceVariableInvalidation) REGISTER_CHECKER(InstanceVariableInvalidation)
REGISTER_CHECKER(MissingInvalidationMethod) REGISTER_CHECKER(MissingInvalidationMethod)

cfe/trunk/lib/StaticAnalyzer/Checkers/LLVMConventionsChecker.cpp

Show First 20 LinesShow All 109 Lines▼ Show 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// CHECK: a StringRef should not be bound to a temporary std::string whose // CHECK: a StringRef should not be bound to a temporary std::string whose
// lifetime is shorter than the StringRef's. // lifetime is shorter than the StringRef's.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class StringRefCheckerVisitor : public StmtVisitor<StringRefCheckerVisitor> { class StringRefCheckerVisitor : public StmtVisitor<StringRefCheckerVisitor> {
BugReporter &BR;
const Decl *DeclWithIssue; const Decl *DeclWithIssue;
BugReporter &BR;
const CheckerBase *Checker;
public: public:
StringRefCheckerVisitor(const Decl *declWithIssue, BugReporter &br) StringRefCheckerVisitor(const Decl *declWithIssue, BugReporter &br,
: BR(br), DeclWithIssue(declWithIssue) {} const CheckerBase *checker)
: DeclWithIssue(declWithIssue), BR(br), Checker(checker) {}
void VisitChildren(Stmt *S) { void VisitChildren(Stmt *S) {
for (Stmt::child_iterator I = S->child_begin(), E = S->child_end() ; for (Stmt::child_iterator I = S->child_begin(), E = S->child_end() ;
I != E; ++I) I != E; ++I)
if (Stmt *child = *I) if (Stmt *child = *I)
Visit(child); Visit(child);
} }
void VisitStmt(Stmt *S) { VisitChildren(S); } void VisitStmt(Stmt *S) { VisitChildren(S); }
void VisitDeclStmt(DeclStmt *DS); void VisitDeclStmt(DeclStmt *DS);
private: private:
void VisitVarDecl(VarDecl *VD); void VisitVarDecl(VarDecl *VD);
}; };
} // end anonymous namespace } // end anonymous namespace
static void CheckStringRefAssignedTemporary(const Decl *D, BugReporter &BR) { static void CheckStringRefAssignedTemporary(const Decl *D, BugReporter &BR,
StringRefCheckerVisitor walker(D, BR); const CheckerBase *Checker) {
StringRefCheckerVisitor walker(D, BR, Checker);
walker.Visit(D->getBody()); walker.Visit(D->getBody());
} }
void StringRefCheckerVisitor::VisitDeclStmt(DeclStmt *S) { void StringRefCheckerVisitor::VisitDeclStmt(DeclStmt *S) {
VisitChildren(S); VisitChildren(S);
for (DeclStmt::decl_iterator I = S->decl_begin(), E = S->decl_end();I!=E; ++I) for (DeclStmt::decl_iterator I = S->decl_begin(), E = S->decl_end();I!=E; ++I)
if (VarDecl *VD = dyn_cast<VarDecl>(*I)) if (VarDecl *VD = dyn_cast<VarDecl>(*I))
Show All 28 Linesvoid StringRefCheckerVisitor::VisitVarDecl(VarDecl *VD) {
if (!Ex6 || !IsStdString(Ex6->getType())) if (!Ex6 || !IsStdString(Ex6->getType()))
return; return;
// Okay, badness! Report an error. // Okay, badness! Report an error.
const char *desc = "StringRef should not be bound to temporary " const char *desc = "StringRef should not be bound to temporary "
"std::string that it outlives"; "std::string that it outlives";
PathDiagnosticLocation VDLoc = PathDiagnosticLocation VDLoc =
PathDiagnosticLocation::createBegin(VD, BR.getSourceManager()); PathDiagnosticLocation::createBegin(VD, BR.getSourceManager());
BR.EmitBasicReport(DeclWithIssue, desc, "LLVM Conventions", desc, BR.EmitBasicReport(DeclWithIssue, Checker, desc, "LLVM Conventions", desc,
VDLoc, Init->getSourceRange()); VDLoc, Init->getSourceRange());
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// CHECK: Clang AST nodes should not have fields that can allocate // CHECK: Clang AST nodes should not have fields that can allocate
// memory. // memory.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
Show All 20 Linesstatic bool IsPartOfAST(const CXXRecordDecl *R) {
return false; return false;
} }
namespace { namespace {
class ASTFieldVisitor { class ASTFieldVisitor {
SmallVector<FieldDecl*, 10> FieldChain; SmallVector<FieldDecl*, 10> FieldChain;
const CXXRecordDecl *Root; const CXXRecordDecl *Root;
BugReporter &BR; BugReporter &BR;
const CheckerBase *Checker;
public: public:
ASTFieldVisitor(const CXXRecordDecl *root, BugReporter &br) ASTFieldVisitor(const CXXRecordDecl *root, BugReporter &br,
: Root(root), BR(br) {} const CheckerBase *checker)
: Root(root), BR(br), Checker(checker) {}
void Visit(FieldDecl *D); void Visit(FieldDecl *D);
void ReportError(QualType T); void ReportError(QualType T);
}; };
} // end anonymous namespace } // end anonymous namespace
static void CheckASTMemory(const CXXRecordDecl *R, BugReporter &BR) { static void CheckASTMemory(const CXXRecordDecl *R, BugReporter &BR,
const CheckerBase *Checker) {
if (!IsPartOfAST(R)) if (!IsPartOfAST(R))
return; return;
for (RecordDecl::field_iterator I = R->field_begin(), E = R->field_end(); for (RecordDecl::field_iterator I = R->field_begin(), E = R->field_end();
I != E; ++I) { I != E; ++I) {
ASTFieldVisitor walker(R, BR); ASTFieldVisitor walker(R, BR, Checker);
walker.Visit(*I); walker.Visit(*I);
} }
} }
void ASTFieldVisitor::Visit(FieldDecl *D) { void ASTFieldVisitor::Visit(FieldDecl *D) {
FieldChain.push_back(D); FieldChain.push_back(D);
QualType T = D->getType(); QualType T = D->getType();
Show All 36 Linesvoid ASTFieldVisitor::ReportError(QualType T) {
// class. This is suboptimal, but at least scan-build will merge // class. This is suboptimal, but at least scan-build will merge
// duplicate HTML reports. In the future we need a unified way of merging // duplicate HTML reports. In the future we need a unified way of merging
// duplicate reports across translation units. For C++ classes we cannot // duplicate reports across translation units. For C++ classes we cannot
// just report warnings when we see an out-of-line method definition for a // just report warnings when we see an out-of-line method definition for a
// class, as that heuristic doesn't always work (the complete definition of // class, as that heuristic doesn't always work (the complete definition of
// the class may be in the header file, for example). // the class may be in the header file, for example).
PathDiagnosticLocation L = PathDiagnosticLocation::createBegin( PathDiagnosticLocation L = PathDiagnosticLocation::createBegin(
FieldChain.front(), BR.getSourceManager()); FieldChain.front(), BR.getSourceManager());
BR.EmitBasicReport(Root, "AST node allocates heap memory", "LLVM Conventions", BR.EmitBasicReport(Root, Checker, "AST node allocates heap memory",
os.str(), L); "LLVM Conventions", os.str(), L);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// LLVMConventionsChecker // LLVMConventionsChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class LLVMConventionsChecker : public Checker< class LLVMConventionsChecker : public Checker<
check::ASTDecl<CXXRecordDecl>, check::ASTDecl<CXXRecordDecl>,
check::ASTCodeBody > { check::ASTCodeBody > {
public: public:
void checkASTDecl(const CXXRecordDecl *R, AnalysisManager& mgr, void checkASTDecl(const CXXRecordDecl *R, AnalysisManager& mgr,
BugReporter &BR) const { BugReporter &BR) const {
if (R->isCompleteDefinition()) if (R->isCompleteDefinition())
CheckASTMemory(R, BR); CheckASTMemory(R, BR, this);
} }
void checkASTCodeBody(const Decl *D, AnalysisManager& mgr, void checkASTCodeBody(const Decl *D, AnalysisManager& mgr,
BugReporter &BR) const { BugReporter &BR) const {
CheckStringRefAssignedTemporary(D, BR); CheckStringRefAssignedTemporary(D, BR, this);
} }
}; };
} }
void ento::registerLLVMConventionsChecker(CheckerManager &mgr) { void ento::registerLLVMConventionsChecker(CheckerManager &mgr) {
mgr.registerChecker<LLVMConventionsChecker>(); mgr.registerChecker<LLVMConventionsChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/MacOSKeychainAPIChecker.cpp

Show First 20 LinesShow All 85 Lines▼ Show 20 Linesprivate:
static const unsigned NoErr = 0; static const unsigned NoErr = 0;
/// Given the function name, returns the index of the allocator/deallocator /// Given the function name, returns the index of the allocator/deallocator
/// function. /// function.
static unsigned getTrackedFunctionIndex(StringRef Name, bool IsAllocator); static unsigned getTrackedFunctionIndex(StringRef Name, bool IsAllocator);
inline void initBugType() const { inline void initBugType() const {
if (!BT) if (!BT)
BT.reset(new BugType("Improper use of SecKeychain API", BT.reset(new BugType(this, "Improper use of SecKeychain API",
"API Misuse (Apple)")); "API Misuse (Apple)"));
} }
void generateDeallocatorMismatchReport(const AllocationPair &AP, void generateDeallocatorMismatchReport(const AllocationPair &AP,
const Expr *ArgExpr, const Expr *ArgExpr,
CheckerContext &C) const; CheckerContext &C) const;
/// Find the allocation site for Sym on the path leading to the node N. /// Find the allocation site for Sym on the path leading to the node N.
▲ Show 20 LinesShow All 521 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/MacOSXAPIChecker.cpp

Show First 20 LinesShow All 61 Lines▼ Show 20 Linesvoid MacOSXAPIChecker::CheckDispatchOnce(CheckerContext &C, const CallExpr *CE,
if (!R || !isa<StackSpaceRegion>(R->getMemorySpace())) if (!R || !isa<StackSpaceRegion>(R->getMemorySpace()))
return; return;
ExplodedNode *N = C.generateSink(state); ExplodedNode *N = C.generateSink(state);
if (!N) if (!N)
return; return;
if (!BT_dispatchOnce) if (!BT_dispatchOnce)
BT_dispatchOnce.reset(new BugType("Improper use of 'dispatch_once'", BT_dispatchOnce.reset(new BugType(this, "Improper use of 'dispatch_once'",
"API Misuse (Apple)")); "API Misuse (Apple)"));
// Handle _dispatch_once. In some versions of the OS X SDK we have the case // Handle _dispatch_once. In some versions of the OS X SDK we have the case
// that dispatch_once is a macro that wraps a call to _dispatch_once. // that dispatch_once is a macro that wraps a call to _dispatch_once.
// _dispatch_once is then a function which then calls the real dispatch_once. // _dispatch_once is then a function which then calls the real dispatch_once.
// Users do not care; they just want the warning at the top-level call. // Users do not care; they just want the warning at the top-level call.
if (CE->getLocStart().isMacroID()) { if (CE->getLocStart().isMacroID()) {
StringRef TrimmedFName = FName.ltrim("_"); StringRef TrimmedFName = FName.ltrim("_");
▲ Show 20 LinesShow All 50 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 149 Lines▼ Show 20 Linesclass MallocChecker : public Checker<check::DeadSymbols,
check::PostStmt<CallExpr>, check::PostStmt<CallExpr>,
check::PostStmt<CXXNewExpr>, check::PostStmt<CXXNewExpr>,
check::PreStmt<CXXDeleteExpr>, check::PreStmt<CXXDeleteExpr>,
check::PostStmt<BlockExpr>, check::PostStmt<BlockExpr>,
check::PostObjCMessage, check::PostObjCMessage,
check::Location, check::Location,
eval::Assume> eval::Assume>
{ {
mutable OwningPtr<BugType> BT_DoubleFree;
mutable OwningPtr<BugType> BT_DoubleDelete;
mutable OwningPtr<BugType> BT_Leak;
mutable OwningPtr<BugType> BT_UseFree;
mutable OwningPtr<BugType> BT_BadFree;
mutable OwningPtr<BugType> BT_MismatchedDealloc;
mutable OwningPtr<BugType> BT_OffsetFree;
mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc,
*II_valloc, *II_reallocf, *II_strndup, *II_strdup;
public: public:
MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0), MallocChecker() : II_malloc(0), II_free(0), II_realloc(0), II_calloc(0),
II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {} II_valloc(0), II_reallocf(0), II_strndup(0), II_strdup(0) {}
/// In pessimistic mode, the checker assumes that it does not know which /// In pessimistic mode, the checker assumes that it does not know which
/// functions might free the memory. /// functions might free the memory.
struct ChecksFilter { enum CheckKind {
DefaultBool CMallocPessimistic; CK_MallocPessimistic,
DefaultBool CMallocOptimistic; CK_MallocOptimistic,
DefaultBool CNewDeleteChecker; CK_NewDeleteChecker,
DefaultBool CNewDeleteLeaksChecker; CK_NewDeleteLeaksChecker,
DefaultBool CMismatchedDeallocatorChecker; CK_MismatchedDeallocatorChecker,
CK_NumCheckKinds
}; };
ChecksFilter Filter; DefaultBool ChecksEnabled[CK_NumCheckKinds];
CheckName CheckNames[CK_NumCheckKinds];
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostStmt(const CallExpr *CE, CheckerContext &C) const; void checkPostStmt(const CallExpr *CE, CheckerContext &C) const;
void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const; void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
Show All 11 Lines ProgramStateRef checkConstPointerEscape(ProgramStateRef State,
const InvalidatedSymbols &Escaped, const InvalidatedSymbols &Escaped,
const CallEvent *Call, const CallEvent *Call,
PointerEscapeKind Kind) const; PointerEscapeKind Kind) const;
void printState(raw_ostream &Out, ProgramStateRef State, void printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) const; const char *NL, const char *Sep) const;
private: private:
mutable OwningPtr<BugType> BT_DoubleFree[CK_NumCheckKinds];
mutable OwningPtr<BugType> BT_DoubleDelete;
mutable OwningPtr<BugType> BT_Leak[CK_NumCheckKinds];
mutable OwningPtr<BugType> BT_UseFree[CK_NumCheckKinds];
mutable OwningPtr<BugType> BT_BadFree[CK_NumCheckKinds];
mutable OwningPtr<BugType> BT_MismatchedDealloc;
mutable OwningPtr<BugType> BT_OffsetFree[CK_NumCheckKinds];
mutable IdentifierInfo *II_malloc, *II_free, *II_realloc, *II_calloc,
*II_valloc, *II_reallocf, *II_strndup, *II_strdup;
void initIdentifierInfo(ASTContext &C) const; void initIdentifierInfo(ASTContext &C) const;
/// \brief Determine family of a deallocation expression. /// \brief Determine family of a deallocation expression.
AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const; AllocationFamily getAllocationFamily(CheckerContext &C, const Stmt *S) const;
/// \brief Print names of allocators and deallocators. /// \brief Print names of allocators and deallocators.
/// ///
/// \returns true on success. /// \returns true on success.
▲ Show 20 LinesShow All 81 Lines▼ Show 20 Linesprivate:
ProgramStateRef checkPointerEscapeAux(ProgramStateRef State, ProgramStateRef checkPointerEscapeAux(ProgramStateRef State,
const InvalidatedSymbols &Escaped, const InvalidatedSymbols &Escaped,
const CallEvent *Call, const CallEvent *Call,
PointerEscapeKind Kind, PointerEscapeKind Kind,
bool(*CheckRefState)(const RefState*)) const; bool(*CheckRefState)(const RefState*)) const;
///@{ ///@{
/// Tells if a given family/call/symbol is tracked by the current checker. /// Tells if a given family/call/symbol is tracked by the current checker.
bool isTrackedByCurrentChecker(AllocationFamily Family) const; /// Sets CheckKind to the kind of the checker responsible for this
bool isTrackedByCurrentChecker(CheckerContext &C, /// family/call/symbol.
Optional<CheckKind> getCheckIfTracked(AllocationFamily Family) const;
Optional<CheckKind> getCheckIfTracked(CheckerContext &C,
const Stmt *AllocDeallocStmt) const; const Stmt *AllocDeallocStmt) const;
bool isTrackedByCurrentChecker(CheckerContext &C, SymbolRef Sym) const; Optional<CheckKind> getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const;
///@} ///@}
static bool SummarizeValue(raw_ostream &os, SVal V); static bool SummarizeValue(raw_ostream &os, SVal V);
static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR); static bool SummarizeRegion(raw_ostream &os, const MemRegion *MR);
void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range, void ReportBadFree(CheckerContext &C, SVal ArgVal, SourceRange Range,
const Expr *DeallocExpr) const; const Expr *DeallocExpr) const;
void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range, void ReportMismatchedDealloc(CheckerContext &C, SourceRange Range,
const Expr *DeallocExpr, const RefState *RS, const Expr *DeallocExpr, const RefState *RS,
SymbolRef Sym, bool OwnershipTransferred) const; SymbolRef Sym, bool OwnershipTransferred) const;
▲ Show 20 LinesShow All 183 Lines▼ Show 20 Lines if (FD->getKind() == Decl::Function) {
initIdentifierInfo(C); initIdentifierInfo(C);
if (FunI == II_malloc || FunI == II_realloc || if (FunI == II_malloc || FunI == II_realloc ||
FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc || FunI == II_reallocf || FunI == II_calloc || FunI == II_valloc ||
FunI == II_strdup || FunI == II_strndup) FunI == II_strdup || FunI == II_strndup)
return true; return true;
} }
if (Filter.CMallocOptimistic && FD->hasAttrs()) if (ChecksEnabled[CK_MallocOptimistic] && FD->hasAttrs())
for (specific_attr_iterator<OwnershipAttr> for (specific_attr_iterator<OwnershipAttr>
i = FD->specific_attr_begin<OwnershipAttr>(), i = FD->specific_attr_begin<OwnershipAttr>(),
e = FD->specific_attr_end<OwnershipAttr>(); e = FD->specific_attr_end<OwnershipAttr>();
i != e; ++i) i != e; ++i)
if ((*i)->getOwnKind() == OwnershipAttr::Returns) if ((*i)->getOwnKind() == OwnershipAttr::Returns)
return true; return true;
return false; return false;
} }
bool MallocChecker::isFreeFunction(const FunctionDecl *FD, ASTContext &C) const { bool MallocChecker::isFreeFunction(const FunctionDecl *FD, ASTContext &C) const {
if (!FD) if (!FD)
return false; return false;
if (FD->getKind() == Decl::Function) { if (FD->getKind() == Decl::Function) {
IdentifierInfo *FunI = FD->getIdentifier(); IdentifierInfo *FunI = FD->getIdentifier();
initIdentifierInfo(C); initIdentifierInfo(C);
if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf) if (FunI == II_free || FunI == II_realloc || FunI == II_reallocf)
return true; return true;
} }
if (Filter.CMallocOptimistic && FD->hasAttrs()) if (ChecksEnabled[CK_MallocOptimistic] && FD->hasAttrs())
for (specific_attr_iterator<OwnershipAttr> for (specific_attr_iterator<OwnershipAttr>
i = FD->specific_attr_begin<OwnershipAttr>(), i = FD->specific_attr_begin<OwnershipAttr>(),
e = FD->specific_attr_end<OwnershipAttr>(); e = FD->specific_attr_end<OwnershipAttr>();
i != e; ++i) i != e; ++i)
if ((*i)->getOwnKind() == OwnershipAttr::Takes || if ((*i)->getOwnKind() == OwnershipAttr::Takes ||
(*i)->getOwnKind() == OwnershipAttr::Holds) (*i)->getOwnKind() == OwnershipAttr::Holds)
return true; return true;
return false; return false;
▲ Show 20 LinesShow All 78 Lines▼ Show 20 Lines else if (isStandardNewDelete(FD, C.getASTContext())) {
AF_CXXNewArray); AF_CXXNewArray);
else if (K == OO_Delete || K == OO_Array_Delete) else if (K == OO_Delete || K == OO_Array_Delete)
State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory); State = FreeMemAux(C, CE, State, 0, false, ReleasedAllocatedMemory);
else else
llvm_unreachable("not a new/delete operator"); llvm_unreachable("not a new/delete operator");
} }
} }
if (Filter.CMallocOptimistic || Filter.CMismatchedDeallocatorChecker) { if (ChecksEnabled[CK_MallocOptimistic] ||
ChecksEnabled[CK_MismatchedDeallocatorChecker]) {
// Check all the attributes, if there are any. // Check all the attributes, if there are any.
// There can be multiple of these attributes. // There can be multiple of these attributes.
if (FD->hasAttrs()) if (FD->hasAttrs())
for (specific_attr_iterator<OwnershipAttr> for (specific_attr_iterator<OwnershipAttr>
i = FD->specific_attr_begin<OwnershipAttr>(), i = FD->specific_attr_begin<OwnershipAttr>(),
e = FD->specific_attr_end<OwnershipAttr>(); e = FD->specific_attr_end<OwnershipAttr>();
i != e; ++i) { i != e; ++i) {
switch ((*i)->getOwnKind()) { switch ((*i)->getOwnKind()) {
Show All 30 Linesvoid MallocChecker::checkPostStmt(const CXXNewExpr *NE,
State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray State = MallocUpdateRefState(C, NE, State, NE->isArray() ? AF_CXXNewArray
: AF_CXXNew); : AF_CXXNew);
C.addTransition(State); C.addTransition(State);
} }
void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE, void MallocChecker::checkPreStmt(const CXXDeleteExpr *DE,
CheckerContext &C) const { CheckerContext &C) const {
if (!Filter.CNewDeleteChecker) if (!ChecksEnabled[CK_NewDeleteChecker])
if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol()) if (SymbolRef Sym = C.getSVal(DE->getArgument()).getAsSymbol())
checkUseAfterFree(Sym, C, DE->getArgument()); checkUseAfterFree(Sym, C, DE->getArgument());
if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext())) if (!isStandardNewDelete(DE->getOperatorDelete(), C.getASTContext()))
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
bool ReleasedAllocated; bool ReleasedAllocated;
▲ Show 20 LinesShow All 404 Lines▼ Show 20 Lines if (Hold)
return State->set<RegionState>(SymBase, return State->set<RegionState>(SymBase,
RefState::getRelinquished(Family, RefState::getRelinquished(Family,
ParentExpr)); ParentExpr));
return State->set<RegionState>(SymBase, return State->set<RegionState>(SymBase,
RefState::getReleased(Family, ParentExpr)); RefState::getReleased(Family, ParentExpr));
} }
bool MallocChecker::isTrackedByCurrentChecker(AllocationFamily Family) const { Optional<MallocChecker::CheckKind>
MallocChecker::getCheckIfTracked(AllocationFamily Family) const {
switch (Family) { switch (Family) {
case AF_Malloc: { case AF_Malloc: {
if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic) if (ChecksEnabled[CK_MallocOptimistic]) {
return false; return CK_MallocOptimistic;
return true; } else if (ChecksEnabled[CK_MallocPessimistic]) {
return CK_MallocPessimistic;
}
return Optional<MallocChecker::CheckKind>();
} }
case AF_CXXNew: case AF_CXXNew:
case AF_CXXNewArray: { case AF_CXXNewArray: {
if (!Filter.CNewDeleteChecker) if (ChecksEnabled[CK_NewDeleteChecker]) {
return false; return CK_NewDeleteChecker;
return true; }
return Optional<MallocChecker::CheckKind>();
} }
case AF_None: { case AF_None: {
llvm_unreachable("no family"); llvm_unreachable("no family");
} }
} }
llvm_unreachable("unhandled family"); llvm_unreachable("unhandled family");
} }
bool Optional<MallocChecker::CheckKind>
MallocChecker::isTrackedByCurrentChecker(CheckerContext &C, MallocChecker::getCheckIfTracked(CheckerContext &C,
const Stmt *AllocDeallocStmt) const { const Stmt *AllocDeallocStmt) const {
return isTrackedByCurrentChecker(getAllocationFamily(C, AllocDeallocStmt)); return getCheckIfTracked(getAllocationFamily(C, AllocDeallocStmt));
} }
bool MallocChecker::isTrackedByCurrentChecker(CheckerContext &C, Optional<MallocChecker::CheckKind>
SymbolRef Sym) const { MallocChecker::getCheckIfTracked(CheckerContext &C, SymbolRef Sym) const {
const RefState *RS = C.getState()->get<RegionState>(Sym); const RefState *RS = C.getState()->get<RegionState>(Sym);
assert(RS); assert(RS);
return isTrackedByCurrentChecker(RS->getAllocationFamily()); return getCheckIfTracked(RS->getAllocationFamily());
} }
bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) { bool MallocChecker::SummarizeValue(raw_ostream &os, SVal V) {
if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>()) if (Optional<nonloc::ConcreteInt> IntVal = V.getAs<nonloc::ConcreteInt>())
os << "an integer (" << IntVal->getValue() << ")"; os << "an integer (" << IntVal->getValue() << ")";
else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>()) else if (Optional<loc::ConcreteInt> ConstAddr = V.getAs<loc::ConcreteInt>())
os << "a constant address (" << ConstAddr->getValue() << ")"; os << "a constant address (" << ConstAddr->getValue() << ")";
else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>()) else if (Optional<loc::GotoLabel> Label = V.getAs<loc::GotoLabel>())
▲ Show 20 LinesShow All 77 Lines▼ Show 20 Linesbool MallocChecker::SummarizeRegion(raw_ostream &os,
} }
} }
} }
void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal, void MallocChecker::ReportBadFree(CheckerContext &C, SVal ArgVal,
SourceRange Range, SourceRange Range,
const Expr *DeallocExpr) const { const Expr *DeallocExpr) const {
if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && if (!ChecksEnabled[CK_MallocOptimistic] &&
!Filter.CNewDeleteChecker) !ChecksEnabled[CK_MallocPessimistic] &&
!ChecksEnabled[CK_NewDeleteChecker])
return; return;
if (!isTrackedByCurrentChecker(C, DeallocExpr)) Optional<MallocChecker::CheckKind> CheckKind =
getCheckIfTracked(C, DeallocExpr);
if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateSink()) {
if (!BT_BadFree) if (!BT_BadFree[*CheckKind])
BT_BadFree.reset(new BugType("Bad free", "Memory Error")); BT_BadFree[*CheckKind].reset(
new BugType(CheckNames[*CheckKind], "Bad free", "Memory Error"));
SmallString<100> buf; SmallString<100> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
const MemRegion *MR = ArgVal.getAsRegion(); const MemRegion *MR = ArgVal.getAsRegion();
while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR)) while (const ElementRegion *ER = dyn_cast_or_null<ElementRegion>(MR))
MR = ER->getSuperRegion(); MR = ER->getSuperRegion();
if (MR && isa<AllocaRegion>(MR)) if (MR && isa<AllocaRegion>(MR))
Show All 9 Lines else {
if (Summarized) if (Summarized)
os << ", which is not memory allocated by "; os << ", which is not memory allocated by ";
else else
os << "not memory allocated by "; os << "not memory allocated by ";
printExpectedAllocName(os, C, DeallocExpr); printExpectedAllocName(os, C, DeallocExpr);
} }
BugReport *R = new BugReport(*BT_BadFree, os.str(), N); BugReport *R = new BugReport(*BT_BadFree[*CheckKind], os.str(), N);
R->markInteresting(MR); R->markInteresting(MR);
R->addRange(Range); R->addRange(Range);
C.emitReport(R); C.emitReport(R);
} }
} }
void MallocChecker::ReportMismatchedDealloc(CheckerContext &C, void MallocChecker::ReportMismatchedDealloc(CheckerContext &C,
SourceRange Range, SourceRange Range,
const Expr *DeallocExpr, const Expr *DeallocExpr,
const RefState *RS, const RefState *RS,
SymbolRef Sym, SymbolRef Sym,
bool OwnershipTransferred) const { bool OwnershipTransferred) const {
if (!Filter.CMismatchedDeallocatorChecker) if (!ChecksEnabled[CK_MismatchedDeallocatorChecker])
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateSink()) {
if (!BT_MismatchedDealloc) if (!BT_MismatchedDealloc)
BT_MismatchedDealloc.reset(new BugType("Bad deallocator", BT_MismatchedDealloc.reset(
"Memory Error")); new BugType(CheckNames[CK_MismatchedDeallocatorChecker],
"Bad deallocator", "Memory Error"));
SmallString<100> buf; SmallString<100> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
const Expr *AllocExpr = cast<Expr>(RS->getStmt()); const Expr *AllocExpr = cast<Expr>(RS->getStmt());
SmallString<20> AllocBuf; SmallString<20> AllocBuf;
llvm::raw_svector_ostream AllocOs(AllocBuf); llvm::raw_svector_ostream AllocOs(AllocBuf);
SmallString<20> DeallocBuf; SmallString<20> DeallocBuf;
llvm::raw_svector_ostream DeallocOs(DeallocBuf); llvm::raw_svector_ostream DeallocOs(DeallocBuf);
Show All 27 Lines if (ExplodedNode *N = C.generateSink()) {
C.emitReport(R); C.emitReport(R);
} }
} }
void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal, void MallocChecker::ReportOffsetFree(CheckerContext &C, SVal ArgVal,
SourceRange Range, const Expr *DeallocExpr, SourceRange Range, const Expr *DeallocExpr,
const Expr *AllocExpr) const { const Expr *AllocExpr) const {
if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && if (!ChecksEnabled[CK_MallocOptimistic] &&
!Filter.CNewDeleteChecker) !ChecksEnabled[CK_MallocPessimistic] &&
!ChecksEnabled[CK_NewDeleteChecker])
return; return;
if (!isTrackedByCurrentChecker(C, AllocExpr)) Optional<MallocChecker::CheckKind> CheckKind =
getCheckIfTracked(C, AllocExpr);
if (!CheckKind.hasValue())
return; return;
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (N == NULL) if (N == NULL)
return; return;
if (!BT_OffsetFree) if (!BT_OffsetFree[*CheckKind])
BT_OffsetFree.reset(new BugType("Offset free", "Memory Error")); BT_OffsetFree[*CheckKind].reset(
new BugType(CheckNames[*CheckKind], "Offset free", "Memory Error"));
SmallString<100> buf; SmallString<100> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
SmallString<20> AllocNameBuf; SmallString<20> AllocNameBuf;
llvm::raw_svector_ostream AllocNameOs(AllocNameBuf); llvm::raw_svector_ostream AllocNameOs(AllocNameBuf);
const MemRegion *MR = ArgVal.getAsRegion(); const MemRegion *MR = ArgVal.getAsRegion();
assert(MR && "Only MemRegion based symbols can have offset free errors"); assert(MR && "Only MemRegion based symbols can have offset free errors");
Show All 14 Lines os << " is offset by "
<< " " << " "
<< ((abs(offsetBytes) > 1) ? "bytes" : "byte") << ((abs(offsetBytes) > 1) ? "bytes" : "byte")
<< " from the start of "; << " from the start of ";
if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr)) if (AllocExpr && printAllocDeallocName(AllocNameOs, C, AllocExpr))
os << "memory allocated by " << AllocNameOs.str(); os << "memory allocated by " << AllocNameOs.str();
else else
os << "allocated memory"; os << "allocated memory";
BugReport *R = new BugReport(*BT_OffsetFree, os.str(), N); BugReport *R = new BugReport(*BT_OffsetFree[*CheckKind], os.str(), N);
R->markInteresting(MR->getBaseRegion()); R->markInteresting(MR->getBaseRegion());
R->addRange(Range); R->addRange(Range);
C.emitReport(R); C.emitReport(R);
} }
void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range, void MallocChecker::ReportUseAfterFree(CheckerContext &C, SourceRange Range,
SymbolRef Sym) const { SymbolRef Sym) const {
if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && if (!ChecksEnabled[CK_MallocOptimistic] &&
!Filter.CNewDeleteChecker) !ChecksEnabled[CK_MallocPessimistic] &&
!ChecksEnabled[CK_NewDeleteChecker])
return; return;
if (!isTrackedByCurrentChecker(C, Sym)) Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateSink()) {
if (!BT_UseFree) if (!BT_UseFree[*CheckKind])
BT_UseFree.reset(new BugType("Use-after-free", "Memory Error")); BT_UseFree[*CheckKind].reset(new BugType(
CheckNames[*CheckKind], "Use-after-free", "Memory Error"));
BugReport *R = new BugReport(*BT_UseFree, BugReport *R = new BugReport(*BT_UseFree[*CheckKind],
"Use of memory after it is freed", N); "Use of memory after it is freed", N);
R->markInteresting(Sym); R->markInteresting(Sym);
R->addRange(Range); R->addRange(Range);
R->addVisitor(new MallocBugVisitor(Sym)); R->addVisitor(new MallocBugVisitor(Sym));
C.emitReport(R); C.emitReport(R);
} }
} }
void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range, void MallocChecker::ReportDoubleFree(CheckerContext &C, SourceRange Range,
bool Released, SymbolRef Sym, bool Released, SymbolRef Sym,
SymbolRef PrevSym) const { SymbolRef PrevSym) const {
if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && if (!ChecksEnabled[CK_MallocOptimistic] &&
!Filter.CNewDeleteChecker) !ChecksEnabled[CK_MallocPessimistic] &&
!ChecksEnabled[CK_NewDeleteChecker])
return; return;
if (!isTrackedByCurrentChecker(C, Sym)) Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
if (!CheckKind.hasValue())
return; return;
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateSink()) {
if (!BT_DoubleFree) if (!BT_DoubleFree[*CheckKind])
BT_DoubleFree.reset(new BugType("Double free", "Memory Error")); BT_DoubleFree[*CheckKind].reset(
new BugType(CheckNames[*CheckKind], "Double free", "Memory Error"));
BugReport *R = new BugReport(*BT_DoubleFree, BugReport *R =
new BugReport(*BT_DoubleFree[*CheckKind],
(Released ? "Attempt to free released memory" (Released ? "Attempt to free released memory"
: "Attempt to free non-owned memory"), : "Attempt to free non-owned memory"),
N); N);
R->addRange(Range); R->addRange(Range);
R->markInteresting(Sym); R->markInteresting(Sym);
if (PrevSym) if (PrevSym)
R->markInteresting(PrevSym); R->markInteresting(PrevSym);
R->addVisitor(new MallocBugVisitor(Sym)); R->addVisitor(new MallocBugVisitor(Sym));
C.emitReport(R); C.emitReport(R);
} }
} }
void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const { void MallocChecker::ReportDoubleDelete(CheckerContext &C, SymbolRef Sym) const {
if (!Filter.CNewDeleteChecker) if (!ChecksEnabled[CK_NewDeleteChecker])
return; return;
if (!isTrackedByCurrentChecker(C, Sym)) Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(C, Sym);
if (!CheckKind.hasValue())
return; return;
assert(*CheckKind == CK_NewDeleteChecker && "invalid check kind");
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateSink()) {
if (!BT_DoubleDelete) if (!BT_DoubleDelete)
BT_DoubleDelete.reset(new BugType("Double delete", "Memory Error")); BT_DoubleDelete.reset(new BugType(CheckNames[CK_NewDeleteChecker],
"Double delete", "Memory Error"));
BugReport *R = new BugReport(*BT_DoubleDelete, BugReport *R = new BugReport(*BT_DoubleDelete,
"Attempt to delete released memory", N); "Attempt to delete released memory", N);
R->markInteresting(Sym); R->markInteresting(Sym);
R->addVisitor(new MallocBugVisitor(Sym)); R->addVisitor(new MallocBugVisitor(Sym));
C.emitReport(R); C.emitReport(R);
} }
▲ Show 20 LinesShow All 155 Lines▼ Show 20 LinesMallocChecker::getAllocationSite(const ExplodedNode *N, SymbolRef Sym,
} }
return LeakInfo(AllocNode, ReferenceRegion); return LeakInfo(AllocNode, ReferenceRegion);
} }
void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N, void MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N,
CheckerContext &C) const { CheckerContext &C) const {
if (!Filter.CMallocOptimistic && !Filter.CMallocPessimistic && if (!ChecksEnabled[CK_MallocOptimistic] &&
!Filter.CNewDeleteLeaksChecker) !ChecksEnabled[CK_MallocPessimistic] &&
!ChecksEnabled[CK_NewDeleteLeaksChecker])
return; return;
const RefState *RS = C.getState()->get<RegionState>(Sym); const RefState *RS = C.getState()->get<RegionState>(Sym);
assert(RS && "cannot leak an untracked symbol"); assert(RS && "cannot leak an untracked symbol");
AllocationFamily Family = RS->getAllocationFamily(); AllocationFamily Family = RS->getAllocationFamily();
if (!isTrackedByCurrentChecker(Family)) Optional<MallocChecker::CheckKind> CheckKind = getCheckIfTracked(Family);
if (!CheckKind.hasValue())
return; return;
// Special case for new and new[]; these are controlled by a separate checker // Special case for new and new[]; these are controlled by a separate checker
// flag so that they can be selectively disabled. // flag so that they can be selectively disabled.
if (Family == AF_CXXNew || Family == AF_CXXNewArray) if (Family == AF_CXXNew || Family == AF_CXXNewArray)
if (!Filter.CNewDeleteLeaksChecker) if (!ChecksEnabled[CK_NewDeleteLeaksChecker])
return; return;
assert(N); assert(N);
if (!BT_Leak) { if (!BT_Leak[*CheckKind]) {
BT_Leak.reset(new BugType("Memory leak", "Memory Error")); BT_Leak[*CheckKind].reset(
new BugType(CheckNames[*CheckKind], "Memory leak", "Memory Error"));
// Leaks should not be reported if they are post-dominated by a sink: // Leaks should not be reported if they are post-dominated by a sink:
// (1) Sinks are higher importance bugs. // (1) Sinks are higher importance bugs.
// (2) NoReturnFunctionChecker uses sink nodes to represent paths ending // (2) NoReturnFunctionChecker uses sink nodes to represent paths ending
// with __noreturn functions such as assert() or exit(). We choose not // with __noreturn functions such as assert() or exit(). We choose not
// to report leaks on such paths. // to report leaks on such paths.
BT_Leak->setSuppressOnSink(true); BT_Leak[*CheckKind]->setSuppressOnSink(true);
} }
// Most bug reports are cached at the location where they occurred. // Most bug reports are cached at the location where they occurred.
// With leaks, we want to unique them by the location where they were // With leaks, we want to unique them by the location where they were
// allocated, and only report a single path. // allocated, and only report a single path.
PathDiagnosticLocation LocUsedForUniqueing; PathDiagnosticLocation LocUsedForUniqueing;
const ExplodedNode *AllocNode = 0; const ExplodedNode *AllocNode = 0;
const MemRegion *Region = 0; const MemRegion *Region = 0;
Show All 14 Linesvoid MallocChecker::reportLeak(SymbolRef Sym, ExplodedNode *N,
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
if (Region && Region->canPrintPretty()) { if (Region && Region->canPrintPretty()) {
os << "Potential leak of memory pointed to by "; os << "Potential leak of memory pointed to by ";
Region->printPretty(os); Region->printPretty(os);
} else { } else {
os << "Potential memory leak"; os << "Potential memory leak";
} }
BugReport *R = new BugReport(*BT_Leak, os.str(), N, BugReport *R =
LocUsedForUniqueing, new BugReport(*BT_Leak[*CheckKind], os.str(), N, LocUsedForUniqueing,
AllocNode->getLocationContext()->getDecl()); AllocNode->getLocationContext()->getDecl());
R->markInteresting(Sym); R->markInteresting(Sym);
R->addVisitor(new MallocBugVisitor(Sym, true)); R->addVisitor(new MallocBugVisitor(Sym, true));
C.emitReport(R); C.emitReport(R);
} }
void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper, void MallocChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const CheckerContext &C) const
{ {
▲ Show 20 LinesShow All 57 Lines▼ Show 20 Linesvoid MallocChecker::checkPreCall(const CallEvent &Call,
} }
// We will check for double free in the post visit. // We will check for double free in the post visit.
if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) { if (const AnyFunctionCall *FC = dyn_cast<AnyFunctionCall>(&Call)) {
const FunctionDecl *FD = FC->getDecl(); const FunctionDecl *FD = FC->getDecl();
if (!FD) if (!FD)
return; return;
if ((Filter.CMallocOptimistic || Filter.CMallocPessimistic) && if ((ChecksEnabled[CK_MallocOptimistic] ||
ChecksEnabled[CK_MallocPessimistic]) &&
isFreeFunction(FD, C.getASTContext())) isFreeFunction(FD, C.getASTContext()))
return; return;
if (Filter.CNewDeleteChecker && if (ChecksEnabled[CK_NewDeleteChecker] &&
isStandardNewDelete(FD, C.getASTContext())) isStandardNewDelete(FD, C.getASTContext()))
return; return;
} }
// Check if the callee of a method is deleted. // Check if the callee of a method is deleted.
if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) { if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
SymbolRef Sym = CC->getCXXThisVal().getAsSymbol(); SymbolRef Sym = CC->getCXXThisVal().getAsSymbol();
if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr())) if (!Sym || checkUseAfterFree(Sym, C, CC->getCXXThisExpr()))
▲ Show 20 LinesShow All 477 Lines▼ Show 20 Lines for (RegionStateTy::iterator I = RS.begin(), E = RS.end(); I != E; ++I) {
I.getData().dump(Out); I.getData().dump(Out);
Out << NL; Out << NL;
} }
} }
} }
void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) { void ento::registerNewDeleteLeaksChecker(CheckerManager &mgr) {
registerCStringCheckerBasic(mgr); registerCStringCheckerBasic(mgr);
mgr.registerChecker<MallocChecker>()->Filter.CNewDeleteLeaksChecker = true; MallocChecker *checker = mgr.registerChecker<MallocChecker>();
checker->ChecksEnabled[MallocChecker::CK_NewDeleteLeaksChecker] = true;
checker->CheckNames[MallocChecker::CK_NewDeleteLeaksChecker] =
mgr.getCurrentCheckName();
// We currently treat NewDeleteLeaks checker as a subchecker of NewDelete // We currently treat NewDeleteLeaks checker as a subchecker of NewDelete
// checker. // checker.
mgr.registerChecker<MallocChecker>()->Filter.CNewDeleteChecker = true; if (!checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker]) {
checker->ChecksEnabled[MallocChecker::CK_NewDeleteChecker] = true;
checker->CheckNames[MallocChecker::CK_NewDeleteChecker] =
mgr.getCurrentCheckName();
}
} }
#define REGISTER_CHECKER(name) \ #define REGISTER_CHECKER(name) \
void ento::register##name(CheckerManager &mgr) {\ void ento::register##name(CheckerManager &mgr) { \
registerCStringCheckerBasic(mgr); \ registerCStringCheckerBasic(mgr); \
mgr.registerChecker<MallocChecker>()->Filter.C##name = true;\ MallocChecker *checker = mgr.registerChecker<MallocChecker>(); \
checker->ChecksEnabled[MallocChecker::CK_##name] = true; \
checker->CheckNames[MallocChecker::CK_##name] = mgr.getCurrentCheckName(); \
} }
REGISTER_CHECKER(MallocPessimistic) REGISTER_CHECKER(MallocPessimistic)
REGISTER_CHECKER(MallocOptimistic) REGISTER_CHECKER(MallocOptimistic)
REGISTER_CHECKER(NewDeleteChecker) REGISTER_CHECKER(NewDeleteChecker)
REGISTER_CHECKER(MismatchedDeallocatorChecker) REGISTER_CHECKER(MismatchedDeallocatorChecker)

cfe/trunk/lib/StaticAnalyzer/Checkers/MallocOverflowSecurityChecker.cpp

Show First 20 LinesShow All 207 Lines▼ Show 20 Linesvoid MallocOverflowSecurityChecker::OutputPossibleOverflows(
c.Visit(mgr.getAnalysisDeclContext(D)->getBody()); c.Visit(mgr.getAnalysisDeclContext(D)->getBody());
// Output warnings for all overflows that are left. // Output warnings for all overflows that are left.
for (CheckOverflowOps::theVecType::iterator for (CheckOverflowOps::theVecType::iterator
i = PossibleMallocOverflows.begin(), i = PossibleMallocOverflows.begin(),
e = PossibleMallocOverflows.end(); e = PossibleMallocOverflows.end();
i != e; i != e;
++i) { ++i) {
BR.EmitBasicReport(D, "malloc() size overflow", categories::UnixAPI, BR.EmitBasicReport(
D, this, "malloc() size overflow", categories::UnixAPI,
"the computation of the size of the memory allocation may overflow", "the computation of the size of the memory allocation may overflow",
PathDiagnosticLocation::createOperatorLoc(i->mulop, PathDiagnosticLocation::createOperatorLoc(i->mulop,
BR.getSourceManager()), BR.getSourceManager()),
i->mulop->getSourceRange()); i->mulop->getSourceRange());
} }
} }
void MallocOverflowSecurityChecker::checkASTCodeBody(const Decl *D, void MallocOverflowSecurityChecker::checkASTCodeBody(const Decl *D,
AnalysisManager &mgr, AnalysisManager &mgr,
BugReporter &BR) const { BugReporter &BR) const {
CFG *cfg = mgr.getCFG(D); CFG *cfg = mgr.getCFG(D);
Show All 28 Lines for (CFGBlock::iterator bi = block->begin(), be = block->end();
} }
} }
} }
} }
OutputPossibleOverflows(PossibleMallocOverflows, D, BR, mgr); OutputPossibleOverflows(PossibleMallocOverflows, D, BR, mgr);
} }
void ento::registerMallocOverflowSecurityChecker(CheckerManager &mgr) { void
ento::registerMallocOverflowSecurityChecker(CheckerManager &mgr) {
mgr.registerChecker<MallocOverflowSecurityChecker>(); mgr.registerChecker<MallocOverflowSecurityChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/MallocSizeofChecker.cpp

Show First 20 LinesShow All 230 Lines▼ Show 20 Lines for (CastedAllocFinder::CallVec::iterator i = Finder.Calls.begin(),
Ranges.push_back(SFinder.Sizeofs[0]->getSourceRange()); Ranges.push_back(SFinder.Sizeofs[0]->getSourceRange());
if (TSI) if (TSI)
Ranges.push_back(TSI->getTypeLoc().getSourceRange()); Ranges.push_back(TSI->getTypeLoc().getSourceRange());
PathDiagnosticLocation L = PathDiagnosticLocation L =
PathDiagnosticLocation::createBegin(i->AllocCall->getCallee(), PathDiagnosticLocation::createBegin(i->AllocCall->getCallee(),
BR.getSourceManager(), ADC); BR.getSourceManager(), ADC);
BR.EmitBasicReport(D, "Allocator sizeof operand mismatch", BR.EmitBasicReport(D, this, "Allocator sizeof operand mismatch",
categories::UnixAPI, categories::UnixAPI, OS.str(), L, Ranges);
OS.str(),
L, Ranges);
} }
} }
} }
}; };
} }
void ento::registerMallocSizeofChecker(CheckerManager &mgr) { void ento::registerMallocSizeofChecker(CheckerManager &mgr) {
mgr.registerChecker<MallocSizeofChecker>(); mgr.registerChecker<MallocSizeofChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/NSAutoreleasePoolChecker.cpp

Show First 20 LinesShow All 53 Lines▼ Show 20 Linesvoid NSAutoreleasePoolChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
if (releaseS.isNull()) if (releaseS.isNull())
releaseS = GetNullarySelector("release", C.getASTContext()); releaseS = GetNullarySelector("release", C.getASTContext());
// Sending 'release' message? // Sending 'release' message?
if (msg.getSelector() != releaseS) if (msg.getSelector() != releaseS)
return; return;
if (!BT) if (!BT)
BT.reset(new BugType("Use -drain instead of -release", BT.reset(new BugType(this, "Use -drain instead of -release",
"API Upgrade (Apple)")); "API Upgrade (Apple)"));
ExplodedNode *N = C.addTransition(); ExplodedNode *N = C.addTransition();
if (!N) { if (!N) {
assert(0); assert(0);
return; return;
} }
Show All 10 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/NSErrorChecker.cpp

Show First 20 LinesShow All 69 Lines▼ Show 20 Linesvoid NSErrorMethodChecker::checkASTDecl(const ObjCMethodDecl *D,
} }
if (hasNSError) { if (hasNSError) {
const char *err = "Method accepting NSError** " const char *err = "Method accepting NSError** "
"should have a non-void return value to indicate whether or not an " "should have a non-void return value to indicate whether or not an "
"error occurred"; "error occurred";
PathDiagnosticLocation L = PathDiagnosticLocation L =
PathDiagnosticLocation::create(D, BR.getSourceManager()); PathDiagnosticLocation::create(D, BR.getSourceManager());
BR.EmitBasicReport(D, "Bad return type when passing NSError**", BR.EmitBasicReport(D, this, "Bad return type when passing NSError**",
"Coding conventions (Apple)", err, L); "Coding conventions (Apple)", err, L);
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// CFErrorFunctionChecker // CFErrorFunctionChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
Show All 31 Linesvoid CFErrorFunctionChecker::checkASTDecl(const FunctionDecl *D,
} }
if (hasCFError) { if (hasCFError) {
const char *err = "Function accepting CFErrorRef* " const char *err = "Function accepting CFErrorRef* "
"should have a non-void return value to indicate whether or not an " "should have a non-void return value to indicate whether or not an "
"error occurred"; "error occurred";
PathDiagnosticLocation L = PathDiagnosticLocation L =
PathDiagnosticLocation::create(D, BR.getSourceManager()); PathDiagnosticLocation::create(D, BR.getSourceManager());
BR.EmitBasicReport(D, "Bad return type when passing CFErrorRef*", BR.EmitBasicReport(D, this, "Bad return type when passing CFErrorRef*",
"Coding conventions (Apple)", err, L); "Coding conventions (Apple)", err, L);
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// NSOrCFErrorDerefChecker // NSOrCFErrorDerefChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class NSErrorDerefBug : public BugType { class NSErrorDerefBug : public BugType {
public: public:
NSErrorDerefBug() : BugType("NSError** null dereference", NSErrorDerefBug(const CheckerBase *Checker)
: BugType(Checker, "NSError** null dereference",
"Coding conventions (Apple)") {} "Coding conventions (Apple)") {}
}; };
class CFErrorDerefBug : public BugType { class CFErrorDerefBug : public BugType {
public: public:
CFErrorDerefBug() : BugType("CFErrorRef* null dereference", CFErrorDerefBug(const CheckerBase *Checker)
: BugType(Checker, "CFErrorRef* null dereference",
"Coding conventions (Apple)") {} "Coding conventions (Apple)") {}
}; };
} }
namespace { namespace {
class NSOrCFErrorDerefChecker class NSOrCFErrorDerefChecker
: public Checker< check::Location, : public Checker< check::Location,
check::Event<ImplicitNullDerefEvent> > { check::Event<ImplicitNullDerefEvent> > {
▲ Show 20 LinesShow All 104 Lines▼ Show 20 Linesvoid NSOrCFErrorDerefChecker::checkEvent(ImplicitNullDerefEvent event) const {
os << (isNSError os << (isNSError
? "in 'Creating and Returning NSError Objects' the parameter" ? "in 'Creating and Returning NSError Objects' the parameter"
: "documented in CoreFoundation/CFError.h the parameter"); : "documented in CoreFoundation/CFError.h the parameter");
os << " may be null"; os << " may be null";
BugType *bug = 0; BugType *bug = 0;
if (isNSError) if (isNSError)
bug = new NSErrorDerefBug(); bug = new NSErrorDerefBug(this);
else else
bug = new CFErrorDerefBug(); bug = new CFErrorDerefBug(this);
BugReport *report = new BugReport(*bug, os.str(), BugReport *report = new BugReport(*bug, os.str(), event.SinkNode);
event.SinkNode);
BR.emitReport(report); BR.emitReport(report);
} }
static bool IsNSError(QualType T, IdentifierInfo *II) { static bool IsNSError(QualType T, IdentifierInfo *II) {
const PointerType* PPT = T->getAs<PointerType>(); const PointerType* PPT = T->getAs<PointerType>();
if (!PPT) if (!PPT)
return false; return false;
Show All 20 Linesstatic bool IsCFError(QualType T, IdentifierInfo *II) {
const TypedefType* TT = PPT->getPointeeType()->getAs<TypedefType>(); const TypedefType* TT = PPT->getPointeeType()->getAs<TypedefType>();
if (!TT) return false; if (!TT) return false;
return TT->getDecl()->getIdentifier() == II; return TT->getDecl()->getIdentifier() == II;
} }
void ento::registerNSErrorChecker(CheckerManager &mgr) { void ento::registerNSErrorChecker(CheckerManager &mgr) {
mgr.registerChecker<NSErrorMethodChecker>(); mgr.registerChecker<NSErrorMethodChecker>();
NSOrCFErrorDerefChecker * NSOrCFErrorDerefChecker *checker =
checker = mgr.registerChecker<NSOrCFErrorDerefChecker>(); mgr.registerChecker<NSOrCFErrorDerefChecker>();
checker->ShouldCheckNSError = true; checker->ShouldCheckNSError = true;
} }
void ento::registerCFErrorChecker(CheckerManager &mgr) { void ento::registerCFErrorChecker(CheckerManager &mgr) {
mgr.registerChecker<CFErrorFunctionChecker>(); mgr.registerChecker<CFErrorFunctionChecker>();
NSOrCFErrorDerefChecker * NSOrCFErrorDerefChecker *checker =
checker = mgr.registerChecker<NSOrCFErrorDerefChecker>(); mgr.registerChecker<NSOrCFErrorDerefChecker>();
checker->ShouldCheckCFError = true; checker->ShouldCheckCFError = true;
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/NoReturnFunctionChecker.cpp

Show First 20 LinesShow All 144 Lines▼ Show 20 Lines if (!isMultiArgSelector(&Sel, "handleFailureInMethod", "object", "file",
return; return;
break; break;
} }
// If we got here, it's one of the messages we care about. // If we got here, it's one of the messages we care about.
C.generateSink(); C.generateSink();
} }
void ento::registerNoReturnFunctionChecker(CheckerManager &mgr) { void ento::registerNoReturnFunctionChecker(CheckerManager &mgr) {
mgr.registerChecker<NoReturnFunctionChecker>(); mgr.registerChecker<NoReturnFunctionChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/NonNullParamChecker.cpp

Show First 20 LinesShow All 156 Lines▼ Show 20 Lines
BugReport *NonNullParamChecker::genReportNullAttrNonNull( BugReport *NonNullParamChecker::genReportNullAttrNonNull(
const ExplodedNode *ErrorNode, const Expr *ArgE) const { const ExplodedNode *ErrorNode, const Expr *ArgE) const {
// Lazily allocate the BugType object if it hasn't already been // Lazily allocate the BugType object if it hasn't already been
// created. Ownership is transferred to the BugReporter object once // created. Ownership is transferred to the BugReporter object once
// the BugReport is passed to 'EmitWarning'. // the BugReport is passed to 'EmitWarning'.
if (!BTAttrNonNull) if (!BTAttrNonNull)
BTAttrNonNull.reset(new BugType( BTAttrNonNull.reset(new BugType(
"Argument with 'nonnull' attribute passed null", this, "Argument with 'nonnull' attribute passed null", "API"));
"API"));
BugReport *R = new BugReport(*BTAttrNonNull, BugReport *R = new BugReport(*BTAttrNonNull,
"Null pointer passed as an argument to a 'nonnull' parameter", "Null pointer passed as an argument to a 'nonnull' parameter",
ErrorNode); ErrorNode);
if (ArgE) if (ArgE)
bugreporter::trackNullOrUndefValue(ErrorNode, ArgE, *R); bugreporter::trackNullOrUndefValue(ErrorNode, ArgE, *R);
return R; return R;
} }
BugReport *NonNullParamChecker::genReportReferenceToNullPointer( BugReport *NonNullParamChecker::genReportReferenceToNullPointer(
const ExplodedNode *ErrorNode, const Expr *ArgE) const { const ExplodedNode *ErrorNode, const Expr *ArgE) const {
if (!BTNullRefArg) if (!BTNullRefArg)
BTNullRefArg.reset(new BuiltinBug("Dereference of null pointer")); BTNullRefArg.reset(new BuiltinBug(this, "Dereference of null pointer"));
BugReport *R = new BugReport(*BTNullRefArg, BugReport *R = new BugReport(*BTNullRefArg,
"Forming reference to null pointer", "Forming reference to null pointer",
ErrorNode); ErrorNode);
if (ArgE) { if (ArgE) {
const Expr *ArgEDeref = bugreporter::getDerefExpr(ArgE); const Expr *ArgEDeref = bugreporter::getDerefExpr(ArgE);
if (ArgEDeref == 0) if (ArgEDeref == 0)
ArgEDeref = ArgE; ArgEDeref = ArgE;
Show All 11 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ObjCAtSyncChecker.cpp

Show All 39 Linesvoid ObjCAtSyncChecker::checkPreStmt(const ObjCAtSynchronizedStmt *S,
const Expr *Ex = S->getSynchExpr(); const Expr *Ex = S->getSynchExpr();
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
SVal V = state->getSVal(Ex, C.getLocationContext()); SVal V = state->getSVal(Ex, C.getLocationContext());
// Uninitialized value used for the mutex? // Uninitialized value used for the mutex?
if (V.getAs<UndefinedVal>()) { if (V.getAs<UndefinedVal>()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateSink()) {
if (!BT_undef) if (!BT_undef)
BT_undef.reset(new BuiltinBug("Uninitialized value used as mutex " BT_undef.reset(new BuiltinBug(this, "Uninitialized value used as mutex "
"for @synchronized")); "for @synchronized"));
BugReport *report = BugReport *report =
new BugReport(*BT_undef, BT_undef->getDescription(), N); new BugReport(*BT_undef, BT_undef->getDescription(), N);
bugreporter::trackNullOrUndefValue(N, Ex, *report); bugreporter::trackNullOrUndefValue(N, Ex, *report);
C.emitReport(report); C.emitReport(report);
} }
return; return;
} }
if (V.isUnknown()) if (V.isUnknown())
return; return;
// Check for null mutexes. // Check for null mutexes.
ProgramStateRef notNullState, nullState; ProgramStateRef notNullState, nullState;
llvm::tie(notNullState, nullState) = state->assume(V.castAs<DefinedSVal>()); llvm::tie(notNullState, nullState) = state->assume(V.castAs<DefinedSVal>());
if (nullState) { if (nullState) {
if (!notNullState) { if (!notNullState) {
// Generate an error node. This isn't a sink since // Generate an error node. This isn't a sink since
// a null mutex just means no synchronization occurs. // a null mutex just means no synchronization occurs.
if (ExplodedNode *N = C.addTransition(nullState)) { if (ExplodedNode *N = C.addTransition(nullState)) {
if (!BT_null) if (!BT_null)
BT_null.reset(new BuiltinBug("Nil value used as mutex for @synchronized() " BT_null.reset(new BuiltinBug(
this, "Nil value used as mutex for @synchronized() "
"(no synchronization will occur)")); "(no synchronization will occur)"));
BugReport *report = BugReport *report =
new BugReport(*BT_null, BT_null->getDescription(), N); new BugReport(*BT_null, BT_null->getDescription(), N);
bugreporter::trackNullOrUndefValue(N, Ex, *report); bugreporter::trackNullOrUndefValue(N, Ex, *report);
C.emitReport(report); C.emitReport(report);
return; return;
} }
} }
Show All 13 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ObjCContainersASTChecker.cpp

Show All 21 Lines
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class WalkAST : public StmtVisitor<WalkAST> { class WalkAST : public StmtVisitor<WalkAST> {
BugReporter &BR; BugReporter &BR;
const CheckerBase *Checker;
AnalysisDeclContext* AC; AnalysisDeclContext* AC;
ASTContext &ASTC; ASTContext &ASTC;
uint64_t PtrWidth; uint64_t PtrWidth;
/// Check if the type has pointer size (very conservative). /// Check if the type has pointer size (very conservative).
inline bool isPointerSize(const Type *T) { inline bool isPointerSize(const Type *T) {
if (!T) if (!T)
return true; return true;
Show All 28 Lines inline bool hasPointerToPointerSizedType(const Expr *E) {
// This could be a null constant, which is allowed. // This could be a null constant, which is allowed.
if (E->isNullPointerConstant(ASTC, Expr::NPC_ValueDependentIsNull)) if (E->isNullPointerConstant(ASTC, Expr::NPC_ValueDependentIsNull))
return true; return true;
return false; return false;
} }
public: public:
WalkAST(BugReporter &br, AnalysisDeclContext* ac) WalkAST(BugReporter &br, const CheckerBase *checker, AnalysisDeclContext *ac)
: BR(br), AC(ac), ASTC(AC->getASTContext()), : BR(br), Checker(checker), AC(ac), ASTC(AC->getASTContext()),
PtrWidth(ASTC.getTargetInfo().getPointerWidth(0)) {} PtrWidth(ASTC.getTargetInfo().getPointerWidth(0)) {}
// Statement visitor methods. // Statement visitor methods.
void VisitChildren(Stmt *S); void VisitChildren(Stmt *S);
void VisitStmt(Stmt *S) { VisitChildren(S); } void VisitStmt(Stmt *S) { VisitChildren(S); }
void VisitCallExpr(CallExpr *CE); void VisitCallExpr(CallExpr *CE);
}; };
} // end anonymous namespace } // end anonymous namespace
▲ Show 20 LinesShow All 52 Lines▼ Show 20 Lines if (Arg) {
// Use "second" and "third" since users will expect 1-based indexing // Use "second" and "third" since users will expect 1-based indexing
// for parameter names when mentioned in prose. // for parameter names when mentioned in prose.
Os << " The "<< ((ArgNum == 1) ? "second" : "third") << " argument to '" Os << " The "<< ((ArgNum == 1) ? "second" : "third") << " argument to '"
<< Name << "' must be a C array of pointer-sized values, not '" << Name << "' must be a C array of pointer-sized values, not '"
<< Arg->getType().getAsString() << "'"; << Arg->getType().getAsString() << "'";
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), Checker, OsName.str(),
OsName.str(), categories::CoreFoundationObjectiveC, categories::CoreFoundationObjectiveC, Os.str(), CELoc,
Os.str(), CELoc, Arg->getSourceRange()); Arg->getSourceRange());
} }
// Recurse and check children. // Recurse and check children.
VisitChildren(CE); VisitChildren(CE);
} }
void WalkAST::VisitChildren(Stmt *S) { void WalkAST::VisitChildren(Stmt *S) {
for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I!=E; ++I) for (Stmt::child_iterator I = S->child_begin(), E = S->child_end(); I!=E; ++I)
if (Stmt *child = *I) if (Stmt *child = *I)
Visit(child); Visit(child);
} }
namespace { namespace {
class ObjCContainersASTChecker : public Checker<check::ASTCodeBody> { class ObjCContainersASTChecker : public Checker<check::ASTCodeBody> {
public: public:
void checkASTCodeBody(const Decl *D, AnalysisManager& Mgr, void checkASTCodeBody(const Decl *D, AnalysisManager& Mgr,
BugReporter &BR) const { BugReporter &BR) const {
WalkAST walker(BR, Mgr.getAnalysisDeclContext(D)); WalkAST walker(BR, this, Mgr.getAnalysisDeclContext(D));
walker.Visit(D->getBody()); walker.Visit(D->getBody());
} }
}; };
} }
void ento::registerObjCContainersASTChecker(CheckerManager &mgr) { void ento::registerObjCContainersASTChecker(CheckerManager &mgr) {
mgr.registerChecker<ObjCContainersASTChecker>(); mgr.registerChecker<ObjCContainersASTChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/ObjCContainersChecker.cpp

Show All 27 Lines
using namespace ento; using namespace ento;
namespace { namespace {
class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>, class ObjCContainersChecker : public Checker< check::PreStmt<CallExpr>,
check::PostStmt<CallExpr> > { check::PostStmt<CallExpr> > {
mutable OwningPtr<BugType> BT; mutable OwningPtr<BugType> BT;
inline void initBugType() const { inline void initBugType() const {
if (!BT) if (!BT)
BT.reset(new BugType("CFArray API", BT.reset(new BugType(this, "CFArray API",
categories::CoreFoundationObjectiveC)); categories::CoreFoundationObjectiveC));
} }
inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const { inline SymbolRef getArraySym(const Expr *E, CheckerContext &C) const {
SVal ArrayRef = C.getState()->getSVal(E, C.getLocationContext()); SVal ArrayRef = C.getState()->getSVal(E, C.getLocationContext());
SymbolRef ArraySym = ArrayRef.getAsSymbol(); SymbolRef ArraySym = ArrayRef.getAsSymbol();
return ArraySym; return ArraySym;
} }
▲ Show 20 LinesShow All 107 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ObjCMissingSuperCallChecker.cpp

Show First 20 LinesShow All 206 Lines▼ Show 20 Lines if (MD->getBody())
const char *Name = "Missing call to superclass"; const char *Name = "Missing call to superclass";
SmallString<320> Buf; SmallString<320> Buf;
llvm::raw_svector_ostream os(Buf); llvm::raw_svector_ostream os(Buf);
os << "The '" << S.getAsString() os << "The '" << S.getAsString()
<< "' instance method in " << SuperclassName.str() << " subclass '" << "' instance method in " << SuperclassName.str() << " subclass '"
<< *D << "' is missing a [super " << S.getAsString() << "] call"; << *D << "' is missing a [super " << S.getAsString() << "] call";
BR.EmitBasicReport(MD, Name, categories::CoreFoundationObjectiveC, BR.EmitBasicReport(MD, this, Name, categories::CoreFoundationObjectiveC,
os.str(), DLoc); os.str(), DLoc);
} }
} }
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 46 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ObjCSelfInitChecker.cpp

Show First 20 LinesShow All 75 Lines▼ Show 20 Linespublic:
void printState(raw_ostream &Out, ProgramStateRef State, void printState(raw_ostream &Out, ProgramStateRef State,
const char *NL, const char *Sep) const; const char *NL, const char *Sep) const;
}; };
} // end anonymous namespace } // end anonymous namespace
namespace { namespace {
class InitSelfBug : public BugType { class InitSelfBug : public BugType {
const std::string desc;
public: public:
InitSelfBug() : BugType("Missing \"self = [(super or self) init...]\"", InitSelfBug(const CheckerBase *Checker)
: BugType(Checker, "Missing \"self = [(super or self) init...]\"",
categories::CoreFoundationObjectiveC) {} categories::CoreFoundationObjectiveC) {}
}; };
} // end anonymous namespace } // end anonymous namespace
namespace { namespace {
enum SelfFlagEnum { enum SelfFlagEnum {
/// \brief No flag set. /// \brief No flag set.
SelfFlag_None = 0x0, SelfFlag_None = 0x0,
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Lines if (!hasSelfFlag(exprVal, SelfFlag_Self, C))
return false; // value did not come from 'self'. return false; // value did not come from 'self'.
if (hasSelfFlag(exprVal, SelfFlag_InitRes, C)) if (hasSelfFlag(exprVal, SelfFlag_InitRes, C))
return false; // 'self' is properly initialized. return false; // 'self' is properly initialized.
return true; return true;
} }
static void checkForInvalidSelf(const Expr *E, CheckerContext &C, static void checkForInvalidSelf(const Expr *E, CheckerContext &C,
const char *errorStr) { const char *errorStr,
const CheckerBase *Checker) {
if (!E) if (!E)
return; return;
if (!C.getState()->get<CalledInit>()) if (!C.getState()->get<CalledInit>())
return; return;
if (!isInvalidSelf(E, C)) if (!isInvalidSelf(E, C))
return; return;
// Generate an error node. // Generate an error node.
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (!N) if (!N)
return; return;
BugReport *report = BugReport *report = new BugReport(*new InitSelfBug(Checker), errorStr, N);
new BugReport(*new InitSelfBug(), errorStr, N);
C.emitReport(report); C.emitReport(report);
} }
void ObjCSelfInitChecker::checkPostObjCMessage(const ObjCMethodCall &Msg, void ObjCSelfInitChecker::checkPostObjCMessage(const ObjCMethodCall &Msg,
CheckerContext &C) const { CheckerContext &C) const {
// When encountering a message that does initialization (init rule), // When encountering a message that does initialization (init rule),
// tag the return value so that we know later on that if self has this value // tag the return value so that we know later on that if self has this value
// then it is properly initialized. // then it is properly initialized.
Show All 25 Lines
void ObjCSelfInitChecker::checkPostStmt(const ObjCIvarRefExpr *E, void ObjCSelfInitChecker::checkPostStmt(const ObjCIvarRefExpr *E,
CheckerContext &C) const { CheckerContext &C) const {
// FIXME: A callback should disable checkers at the start of functions. // FIXME: A callback should disable checkers at the start of functions.
if (!shouldRunOnFunctionOrMethod(dyn_cast<NamedDecl>( if (!shouldRunOnFunctionOrMethod(dyn_cast<NamedDecl>(
C.getCurrentAnalysisDeclContext()->getDecl()))) C.getCurrentAnalysisDeclContext()->getDecl())))
return; return;
checkForInvalidSelf(E->getBase(), C, checkForInvalidSelf(
E->getBase(), C,
"Instance variable used while 'self' is not set to the result of " "Instance variable used while 'self' is not set to the result of "
"'[(super or self) init...]'"); "'[(super or self) init...]'",
this);
} }
void ObjCSelfInitChecker::checkPreStmt(const ReturnStmt *S, void ObjCSelfInitChecker::checkPreStmt(const ReturnStmt *S,
CheckerContext &C) const { CheckerContext &C) const {
// FIXME: A callback should disable checkers at the start of functions. // FIXME: A callback should disable checkers at the start of functions.
if (!shouldRunOnFunctionOrMethod(dyn_cast<NamedDecl>( if (!shouldRunOnFunctionOrMethod(dyn_cast<NamedDecl>(
C.getCurrentAnalysisDeclContext()->getDecl()))) C.getCurrentAnalysisDeclContext()->getDecl())))
return; return;
checkForInvalidSelf(S->getRetValue(), C, checkForInvalidSelf(S->getRetValue(), C,
"Returning 'self' while it is not set to the result of " "Returning 'self' while it is not set to the result of "
"'[(super or self) init...]'"); "'[(super or self) init...]'",
this);
} }
// When a call receives a reference to 'self', [Pre/Post]Call pass // When a call receives a reference to 'self', [Pre/Post]Call pass
// the SelfFlags from the object 'self' points to before the call to the new // the SelfFlags from the object 'self' points to before the call to the new
// object after the call. This is to avoid invalidation of 'self' by logging // object after the call. This is to avoid invalidation of 'self' by logging
// functions. // functions.
// Another common pattern in classes with multiple initializers is to put the // Another common pattern in classes with multiple initializers is to put the
// subclass's common initialization bits into a static function that receives // subclass's common initialization bits into a static function that receives
▲ Show 20 LinesShow All 215 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ObjCUnusedIVarsChecker.cpp

Show First 20 LinesShow All 105 Lines▼ Show 20 Lines for (DeclContext::decl_iterator I=C->decls_begin(), E=C->decls_end();
if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(*I)) { if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(*I)) {
SourceLocation L = FD->getLocStart(); SourceLocation L = FD->getLocStart();
if (SM.getFileID(L) == FID) if (SM.getFileID(L) == FID)
Scan(M, FD->getBody()); Scan(M, FD->getBody());
} }
} }
static void checkObjCUnusedIvar(const ObjCImplementationDecl *D, static void checkObjCUnusedIvar(const ObjCImplementationDecl *D,
BugReporter &BR) { BugReporter &BR,
const CheckerBase *Checker) {
const ObjCInterfaceDecl *ID = D->getClassInterface(); const ObjCInterfaceDecl *ID = D->getClassInterface();
IvarUsageMap M; IvarUsageMap M;
// Iterate over the ivars. // Iterate over the ivars.
for (ObjCInterfaceDecl::ivar_iterator I=ID->ivar_begin(), for (ObjCInterfaceDecl::ivar_iterator I=ID->ivar_begin(),
E=ID->ivar_end(); I!=E; ++I) { E=ID->ivar_end(); I!=E; ++I) {
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Lines if (I->second == Unused) {
std::string sbuf; std::string sbuf;
llvm::raw_string_ostream os(sbuf); llvm::raw_string_ostream os(sbuf);
os << "Instance variable '" << *I->first << "' in class '" << *ID os << "Instance variable '" << *I->first << "' in class '" << *ID
<< "' is never used by the methods in its @implementation " << "' is never used by the methods in its @implementation "
"(although it may be used by category methods)."; "(although it may be used by category methods).";
PathDiagnosticLocation L = PathDiagnosticLocation L =
PathDiagnosticLocation::create(I->first, BR.getSourceManager()); PathDiagnosticLocation::create(I->first, BR.getSourceManager());
BR.EmitBasicReport(D, "Unused instance variable", "Optimization", BR.EmitBasicReport(D, Checker, "Unused instance variable", "Optimization",
os.str(), L); os.str(), L);
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// ObjCUnusedIvarsChecker // ObjCUnusedIvarsChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class ObjCUnusedIvarsChecker : public Checker< class ObjCUnusedIvarsChecker : public Checker<
check::ASTDecl<ObjCImplementationDecl> > { check::ASTDecl<ObjCImplementationDecl> > {
public: public:
void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& mgr, void checkASTDecl(const ObjCImplementationDecl *D, AnalysisManager& mgr,
BugReporter &BR) const { BugReporter &BR) const {
checkObjCUnusedIvar(D, BR); checkObjCUnusedIvar(D, BR, this);
} }
}; };
} }
void ento::registerObjCUnusedIvarsChecker(CheckerManager &mgr) { void ento::registerObjCUnusedIvarsChecker(CheckerManager &mgr) {
mgr.registerChecker<ObjCUnusedIvarsChecker>(); mgr.registerChecker<ObjCUnusedIvarsChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/PointerArithChecker.cpp

Show First 20 LinesShow All 47 Lines▼ Show 20 Linesvoid PointerArithChecker::checkPreStmt(const BinaryOperator *B,
// If pointer arithmetic is done on variables of non-array type, this often // If pointer arithmetic is done on variables of non-array type, this often
// means behavior rely on memory organization, which is dangerous. // means behavior rely on memory organization, which is dangerous.
if (isa<VarRegion>(LR) || isa<CodeTextRegion>(LR) || if (isa<VarRegion>(LR) || isa<CodeTextRegion>(LR) ||
isa<CompoundLiteralRegion>(LR)) { isa<CompoundLiteralRegion>(LR)) {
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.addTransition()) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Dangerous pointer arithmetic", BT.reset(
new BuiltinBug(this, "Dangerous pointer arithmetic",
"Pointer arithmetic done on non-array variables " "Pointer arithmetic done on non-array variables "
"means reliance on memory layout, which is " "means reliance on memory layout, which is "
"dangerous.")); "dangerous."));
BugReport *R = new BugReport(*BT, BT->getDescription(), N); BugReport *R = new BugReport(*BT, BT->getDescription(), N);
R->addRange(B->getSourceRange()); R->addRange(B->getSourceRange());
C.emitReport(R); C.emitReport(R);
} }
} }
} }
void ento::registerPointerArithChecker(CheckerManager &mgr) { void ento::registerPointerArithChecker(CheckerManager &mgr) {
mgr.registerChecker<PointerArithChecker>(); mgr.registerChecker<PointerArithChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/PointerSubChecker.cpp

Show First 20 LinesShow All 56 Lines▼ Show 20 Lines if (BaseLR == BaseRR)
return; return;
// Allow arithmetic on different symbolic regions. // Allow arithmetic on different symbolic regions.
if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR)) if (isa<SymbolicRegion>(BaseLR) || isa<SymbolicRegion>(BaseRR))
return; return;
if (ExplodedNode *N = C.addTransition()) { if (ExplodedNode *N = C.addTransition()) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Pointer subtraction", BT.reset(
new BuiltinBug(this, "Pointer subtraction",
"Subtraction of two pointers that do not point to " "Subtraction of two pointers that do not point to "
"the same memory chunk may cause incorrect result.")); "the same memory chunk may cause incorrect result."));
BugReport *R = new BugReport(*BT, BT->getDescription(), N); BugReport *R = new BugReport(*BT, BT->getDescription(), N);
R->addRange(B->getSourceRange()); R->addRange(B->getSourceRange());
C.emitReport(R); C.emitReport(R);
} }
} }
void ento::registerPointerSubChecker(CheckerManager &mgr) { void ento::registerPointerSubChecker(CheckerManager &mgr) {
mgr.registerChecker<PointerSubChecker>(); mgr.registerChecker<PointerSubChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/PthreadLockChecker.cpp

Show First 20 LinesShow All 96 Lines▼ Show 20 Linesvoid PthreadLockChecker::AcquireLock(CheckerContext &C, const CallExpr *CE,
SVal X = state->getSVal(CE, C.getLocationContext()); SVal X = state->getSVal(CE, C.getLocationContext());
if (X.isUnknownOrUndef()) if (X.isUnknownOrUndef())
return; return;
DefinedSVal retVal = X.castAs<DefinedSVal>(); DefinedSVal retVal = X.castAs<DefinedSVal>();
if (state->contains<LockSet>(lockR)) { if (state->contains<LockSet>(lockR)) {
if (!BT_doublelock) if (!BT_doublelock)
BT_doublelock.reset(new BugType("Double locking", "Lock checker")); BT_doublelock.reset(new BugType(this, "Double locking", "Lock checker"));
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (!N) if (!N)
return; return;
BugReport *report = new BugReport(*BT_doublelock, BugReport *report = new BugReport(*BT_doublelock,
"This lock has already " "This lock has already "
"been acquired", N); "been acquired", N);
report->addRange(CE->getArg(0)->getSourceRange()); report->addRange(CE->getArg(0)->getSourceRange());
C.emitReport(report); C.emitReport(report);
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Linesvoid PthreadLockChecker::ReleaseLock(CheckerContext &C, const CallExpr *CE,
// FIXME: Better analysis requires IPA for wrappers. // FIXME: Better analysis requires IPA for wrappers.
// FIXME: check for double unlocks // FIXME: check for double unlocks
if (LS.isEmpty()) if (LS.isEmpty())
return; return;
const MemRegion *firstLockR = LS.getHead(); const MemRegion *firstLockR = LS.getHead();
if (firstLockR != lockR) { if (firstLockR != lockR) {
if (!BT_lor) if (!BT_lor)
BT_lor.reset(new BugType("Lock order reversal", "Lock checker")); BT_lor.reset(new BugType(this, "Lock order reversal", "Lock checker"));
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (!N) if (!N)
return; return;
BugReport *report = new BugReport(*BT_lor, BugReport *report = new BugReport(*BT_lor,
"This was not the most " "This was not the most "
"recently acquired lock. " "recently acquired lock. "
"Possible lock order " "Possible lock order "
"reversal", N); "reversal", N);
report->addRange(CE->getArg(0)->getSourceRange()); report->addRange(CE->getArg(0)->getSourceRange());
C.emitReport(report); C.emitReport(report);
return; return;
} }
// Record that the lock was released. // Record that the lock was released.
state = state->set<LockSet>(LS.getTail()); state = state->set<LockSet>(LS.getTail());
C.addTransition(state); C.addTransition(state);
} }
void ento::registerPthreadLockChecker(CheckerManager &mgr) { void ento::registerPthreadLockChecker(CheckerManager &mgr) {
mgr.registerChecker<PthreadLockChecker>(); mgr.registerChecker<PthreadLockChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp

Show First 20 LinesShow All 1,541 Lines▼ Show 20 Lines typedef llvm::DenseMap<const ExplodedNode *, const RetainSummary *>
SummaryLogTy; SummaryLogTy;
//===-------------===// //===-------------===//
// Bug Descriptions. // // Bug Descriptions. //
//===-------------===// //===-------------===//
class CFRefBug : public BugType { class CFRefBug : public BugType {
protected: protected:
CFRefBug(StringRef name) CFRefBug(const CheckerBase *checker, StringRef name)
: BugType(name, categories::MemoryCoreFoundationObjectiveC) {} : BugType(checker, name, categories::MemoryCoreFoundationObjectiveC) {}
public: public:
// FIXME: Eventually remove. // FIXME: Eventually remove.
virtual const char *getDescription() const = 0; virtual const char *getDescription() const = 0;
virtual bool isLeak() const { return false; } virtual bool isLeak() const { return false; }
}; };
class UseAfterRelease : public CFRefBug { class UseAfterRelease : public CFRefBug {
public: public:
UseAfterRelease() : CFRefBug("Use-after-release") {} UseAfterRelease(const CheckerBase *checker)
: CFRefBug(checker, "Use-after-release") {}
const char *getDescription() const { const char *getDescription() const {
return "Reference-counted object is used after it is released"; return "Reference-counted object is used after it is released";
} }
}; };
class BadRelease : public CFRefBug { class BadRelease : public CFRefBug {
public: public:
BadRelease() : CFRefBug("Bad release") {} BadRelease(const CheckerBase *checker) : CFRefBug(checker, "Bad release") {}
const char *getDescription() const { const char *getDescription() const {
return "Incorrect decrement of the reference count of an object that is " return "Incorrect decrement of the reference count of an object that is "
"not owned at this point by the caller"; "not owned at this point by the caller";
} }
}; };
class DeallocGC : public CFRefBug { class DeallocGC : public CFRefBug {
public: public:
DeallocGC() DeallocGC(const CheckerBase *checker)
: CFRefBug("-dealloc called while using garbage collection") {} : CFRefBug(checker, "-dealloc called while using garbage collection") {}
const char *getDescription() const { const char *getDescription() const {
return "-dealloc called while using garbage collection"; return "-dealloc called while using garbage collection";
} }
}; };
class DeallocNotOwned : public CFRefBug { class DeallocNotOwned : public CFRefBug {
public: public:
DeallocNotOwned() DeallocNotOwned(const CheckerBase *checker)
: CFRefBug("-dealloc sent to non-exclusively owned object") {} : CFRefBug(checker, "-dealloc sent to non-exclusively owned object") {}
const char *getDescription() const { const char *getDescription() const {
return "-dealloc sent to object that may be referenced elsewhere"; return "-dealloc sent to object that may be referenced elsewhere";
} }
}; };
class OverAutorelease : public CFRefBug { class OverAutorelease : public CFRefBug {
public: public:
OverAutorelease() OverAutorelease(const CheckerBase *checker)
: CFRefBug("Object autoreleased too many times") {} : CFRefBug(checker, "Object autoreleased too many times") {}
const char *getDescription() const { const char *getDescription() const {
return "Object autoreleased too many times"; return "Object autoreleased too many times";
} }
}; };
class ReturnedNotOwnedForOwned : public CFRefBug { class ReturnedNotOwnedForOwned : public CFRefBug {
public: public:
ReturnedNotOwnedForOwned() ReturnedNotOwnedForOwned(const CheckerBase *checker)
: CFRefBug("Method should return an owned object") {} : CFRefBug(checker, "Method should return an owned object") {}
const char *getDescription() const { const char *getDescription() const {
return "Object with a +0 retain count returned to caller where a +1 " return "Object with a +0 retain count returned to caller where a +1 "
"(owning) retain count is expected"; "(owning) retain count is expected";
} }
}; };
class Leak : public CFRefBug { class Leak : public CFRefBug {
public: public:
Leak(StringRef name) Leak(const CheckerBase *checker, StringRef name) : CFRefBug(checker, name) {
: CFRefBug(name) {
// Leaks should not be reported if they are post-dominated by a sink. // Leaks should not be reported if they are post-dominated by a sink.
setSuppressOnSink(true); setSuppressOnSink(true);
} }
const char *getDescription() const { return ""; } const char *getDescription() const { return ""; }
bool isLeak() const { return true; } bool isLeak() const { return true; }
}; };
▲ Show 20 LinesShow All 769 Lines▼ Show 20 Lines void checkEndAnalysis(ExplodedGraph &G, BugReporter &BR,
ShouldResetSummaryLog = !SummaryLog.empty(); ShouldResetSummaryLog = !SummaryLog.empty();
} }
CFRefBug *getLeakWithinFunctionBug(const LangOptions &LOpts, CFRefBug *getLeakWithinFunctionBug(const LangOptions &LOpts,
bool GCEnabled) const { bool GCEnabled) const {
if (GCEnabled) { if (GCEnabled) {
if (!leakWithinFunctionGC) if (!leakWithinFunctionGC)
leakWithinFunctionGC.reset(new Leak("Leak of object when using " leakWithinFunctionGC.reset(new Leak(this, "Leak of object when using "
"garbage collection")); "garbage collection"));
return leakWithinFunctionGC.get(); return leakWithinFunctionGC.get();
} else { } else {
if (!leakWithinFunction) { if (!leakWithinFunction) {
if (LOpts.getGC() == LangOptions::HybridGC) { if (LOpts.getGC() == LangOptions::HybridGC) {
leakWithinFunction.reset(new Leak("Leak of object when not using " leakWithinFunction.reset(new Leak(this,
"Leak of object when not using "
"garbage collection (GC) in " "garbage collection (GC) in "
"dual GC/non-GC code")); "dual GC/non-GC code"));
} else { } else {
leakWithinFunction.reset(new Leak("Leak")); leakWithinFunction.reset(new Leak(this, "Leak"));
} }
} }
return leakWithinFunction.get(); return leakWithinFunction.get();
} }
} }
CFRefBug *getLeakAtReturnBug(const LangOptions &LOpts, bool GCEnabled) const { CFRefBug *getLeakAtReturnBug(const LangOptions &LOpts, bool GCEnabled) const {
if (GCEnabled) { if (GCEnabled) {
if (!leakAtReturnGC) if (!leakAtReturnGC)
leakAtReturnGC.reset(new Leak("Leak of returned object when using " leakAtReturnGC.reset(new Leak(this,
"Leak of returned object when using "
"garbage collection")); "garbage collection"));
return leakAtReturnGC.get(); return leakAtReturnGC.get();
} else { } else {
if (!leakAtReturn) { if (!leakAtReturn) {
if (LOpts.getGC() == LangOptions::HybridGC) { if (LOpts.getGC() == LangOptions::HybridGC) {
leakAtReturn.reset(new Leak("Leak of returned object when not using " leakAtReturn.reset(new Leak(this,
"Leak of returned object when not using "
"garbage collection (GC) in dual " "garbage collection (GC) in dual "
"GC/non-GC code")); "GC/non-GC code"));
} else { } else {
leakAtReturn.reset(new Leak("Leak of returned object")); leakAtReturn.reset(new Leak(this, "Leak of returned object"));
} }
} }
return leakAtReturn.get(); return leakAtReturn.get();
} }
} }
RetainSummaryManager &getSummaryManager(ASTContext &Ctx, RetainSummaryManager &getSummaryManager(ASTContext &Ctx,
bool GCEnabled) const { bool GCEnabled) const {
▲ Show 20 LinesShow All 622 Lines▼ Show 20 Lines if (!N)
return; return;
CFRefBug *BT; CFRefBug *BT;
switch (ErrorKind) { switch (ErrorKind) {
default: default:
llvm_unreachable("Unhandled error."); llvm_unreachable("Unhandled error.");
case RefVal::ErrorUseAfterRelease: case RefVal::ErrorUseAfterRelease:
if (!useAfterRelease) if (!useAfterRelease)
useAfterRelease.reset(new UseAfterRelease()); useAfterRelease.reset(new UseAfterRelease(this));
BT = &*useAfterRelease; BT = &*useAfterRelease;
break; break;
case RefVal::ErrorReleaseNotOwned: case RefVal::ErrorReleaseNotOwned:
if (!releaseNotOwned) if (!releaseNotOwned)
releaseNotOwned.reset(new BadRelease()); releaseNotOwned.reset(new BadRelease(this));
BT = &*releaseNotOwned; BT = &*releaseNotOwned;
break; break;
case RefVal::ErrorDeallocGC: case RefVal::ErrorDeallocGC:
if (!deallocGC) if (!deallocGC)
deallocGC.reset(new DeallocGC()); deallocGC.reset(new DeallocGC(this));
BT = &*deallocGC; BT = &*deallocGC;
break; break;
case RefVal::ErrorDeallocNotOwned: case RefVal::ErrorDeallocNotOwned:
if (!deallocNotOwned) if (!deallocNotOwned)
deallocNotOwned.reset(new DeallocNotOwned()); deallocNotOwned.reset(new DeallocNotOwned(this));
BT = &*deallocNotOwned; BT = &*deallocNotOwned;
break; break;
} }
assert(BT); assert(BT);
CFRefReport *report = new CFRefReport(*BT, C.getASTContext().getLangOpts(), CFRefReport *report = new CFRefReport(*BT, C.getASTContext().getLangOpts(),
C.isObjCGCEnabled(), SummaryLog, C.isObjCGCEnabled(), SummaryLog,
N, Sym); N, Sym);
▲ Show 20 LinesShow All 235 Lines▼ Show 20 Lines if (RE.isOwned()) {
// owned object. // owned object.
state = setRefBinding(state, Sym, X ^ RefVal::ErrorReturnedNotOwned); state = setRefBinding(state, Sym, X ^ RefVal::ErrorReturnedNotOwned);
static SimpleProgramPointTag static SimpleProgramPointTag
ReturnNotOwnedTag("RetainCountChecker : ReturnNotOwnedForOwned"); ReturnNotOwnedTag("RetainCountChecker : ReturnNotOwnedForOwned");
ExplodedNode *N = C.addTransition(state, Pred, &ReturnNotOwnedTag); ExplodedNode *N = C.addTransition(state, Pred, &ReturnNotOwnedTag);
if (N) { if (N) {
if (!returnNotOwnedForOwned) if (!returnNotOwnedForOwned)
returnNotOwnedForOwned.reset(new ReturnedNotOwnedForOwned()); returnNotOwnedForOwned.reset(new ReturnedNotOwnedForOwned(this));
CFRefReport *report = CFRefReport *report =
new CFRefReport(*returnNotOwnedForOwned, new CFRefReport(*returnNotOwnedForOwned,
C.getASTContext().getLangOpts(), C.getASTContext().getLangOpts(),
C.isObjCGCEnabled(), SummaryLog, N, Sym); C.isObjCGCEnabled(), SummaryLog, N, Sym);
C.emitReport(report); C.emitReport(report);
} }
} }
▲ Show 20 LinesShow All 171 Lines▼ Show 20 Lines if (N) {
os << "Object was autoreleased "; os << "Object was autoreleased ";
if (V.getAutoreleaseCount() > 1) if (V.getAutoreleaseCount() > 1)
os << V.getAutoreleaseCount() << " times but the object "; os << V.getAutoreleaseCount() << " times but the object ";
else else
os << "but "; os << "but ";
os << "has a +" << V.getCount() << " retain count"; os << "has a +" << V.getCount() << " retain count";
if (!overAutorelease) if (!overAutorelease)
overAutorelease.reset(new OverAutorelease()); overAutorelease.reset(new OverAutorelease(this));
const LangOptions &LOpts = Ctx.getASTContext().getLangOpts(); const LangOptions &LOpts = Ctx.getASTContext().getLangOpts();
CFRefReport *report = CFRefReport *report =
new CFRefReport(*overAutorelease, LOpts, /* GCEnabled = */ false, new CFRefReport(*overAutorelease, LOpts, /* GCEnabled = */ false,
SummaryLog, N, Sym, os.str()); SummaryLog, N, Sym, os.str());
Ctx.emitReport(report); Ctx.emitReport(report);
} }
▲ Show 20 LinesShow All 206 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ReturnPointerRangeChecker.cpp

Show First 20 LinesShow All 63 Lines▼ Show 20 Lines if (StOutBound && !StInBound) {
ExplodedNode *N = C.generateSink(StOutBound); ExplodedNode *N = C.generateSink(StOutBound);
if (!N) if (!N)
return; return;
// FIXME: This bug correspond to CWE-466. Eventually we should have bug // FIXME: This bug correspond to CWE-466. Eventually we should have bug
// types explicitly reference such exploit categories (when applicable). // types explicitly reference such exploit categories (when applicable).
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Return of pointer value outside of expected range", BT.reset(new BuiltinBug(
this, "Return of pointer value outside of expected range",
"Returned pointer value points outside the original object " "Returned pointer value points outside the original object "
"(potential buffer overflow)")); "(potential buffer overflow)"));
// FIXME: It would be nice to eventually make this diagnostic more clear, // FIXME: It would be nice to eventually make this diagnostic more clear,
// e.g., by referencing the original declaration or by saying *why* this // e.g., by referencing the original declaration or by saying *why* this
// reference is outside the range. // reference is outside the range.
// Generate a report for this bug. // Generate a report for this bug.
BugReport *report = BugReport *report =
new BugReport(*BT, BT->getDescription(), N); new BugReport(*BT, BT->getDescription(), N);
Show All 9 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/ReturnUndefChecker.cpp

Show First 20 LinesShow All 88 Lines▼ Show 20 Linesstatic void emitBug(CheckerContext &C, BuiltinBug &BT, const Expr *RetE,
Report->addRange(RetE->getSourceRange()); Report->addRange(RetE->getSourceRange());
bugreporter::trackNullOrUndefValue(N, TrackingE ? TrackingE : RetE, *Report); bugreporter::trackNullOrUndefValue(N, TrackingE ? TrackingE : RetE, *Report);
C.emitReport(Report); C.emitReport(Report);
} }
void ReturnUndefChecker::emitUndef(CheckerContext &C, const Expr *RetE) const { void ReturnUndefChecker::emitUndef(CheckerContext &C, const Expr *RetE) const {
if (!BT_Undef) if (!BT_Undef)
BT_Undef.reset(new BuiltinBug("Garbage return value", BT_Undef.reset(
"Undefined or garbage value " new BuiltinBug(this, "Garbage return value",
"returned to caller")); "Undefined or garbage value returned to caller"));
emitBug(C, *BT_Undef, RetE); emitBug(C, *BT_Undef, RetE);
} }
void ReturnUndefChecker::checkReference(CheckerContext &C, const Expr *RetE, void ReturnUndefChecker::checkReference(CheckerContext &C, const Expr *RetE,
DefinedOrUnknownSVal RetVal) const { DefinedOrUnknownSVal RetVal) const {
ProgramStateRef StNonNull, StNull; ProgramStateRef StNonNull, StNull;
llvm::tie(StNonNull, StNull) = C.getState()->assume(RetVal); llvm::tie(StNonNull, StNull) = C.getState()->assume(RetVal);
if (StNonNull) { if (StNonNull) {
// Going forward, assume the location is non-null. // Going forward, assume the location is non-null.
C.addTransition(StNonNull); C.addTransition(StNonNull);
return; return;
} }
// The return value is known to be null. Emit a bug report. // The return value is known to be null. Emit a bug report.
if (!BT_NullReference) if (!BT_NullReference)
BT_NullReference.reset(new BuiltinBug("Returning null reference")); BT_NullReference.reset(new BuiltinBug(this, "Returning null reference"));
emitBug(C, *BT_NullReference, RetE, bugreporter::getDerefExpr(RetE)); emitBug(C, *BT_NullReference, RetE, bugreporter::getDerefExpr(RetE));
} }
void ento::registerReturnUndefChecker(CheckerManager &mgr) { void ento::registerReturnUndefChecker(CheckerManager &mgr) {
mgr.registerChecker<ReturnUndefChecker>(); mgr.registerChecker<ReturnUndefChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/SimpleStreamChecker.cpp

Show First 20 LinesShow All 103 Lines▼ Show 20 Lines bool VisitSymbol(SymbolRef sym) {
return true; return true;
} }
}; };
} // end anonymous namespace } // end anonymous namespace
SimpleStreamChecker::SimpleStreamChecker() : IIfopen(0), IIfclose(0) { SimpleStreamChecker::SimpleStreamChecker() : IIfopen(0), IIfclose(0) {
// Initialize the bug types. // Initialize the bug types.
DoubleCloseBugType.reset(new BugType("Double fclose", DoubleCloseBugType.reset(
"Unix Stream API Error")); new BugType(this, "Double fclose", "Unix Stream API Error"));
LeakBugType.reset(new BugType("Resource Leak", LeakBugType.reset(
"Unix Stream API Error")); new BugType(this, "Resource Leak", "Unix Stream API Error"));
// Sinks are higher importance bugs as well as calls to assert() or exit(0). // Sinks are higher importance bugs as well as calls to assert() or exit(0).
LeakBugType->setSuppressOnSink(true); LeakBugType->setSuppressOnSink(true);
} }
void SimpleStreamChecker::checkPostCall(const CallEvent &Call, void SimpleStreamChecker::checkPostCall(const CallEvent &Call,
CheckerContext &C) const { CheckerContext &C) const {
initIdentifierInfo(C.getASTContext()); initIdentifierInfo(C.getASTContext());
▲ Show 20 LinesShow All 163 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/StackAddrEscapeChecker.cpp

Show First 20 LinesShow All 94 Lines▼ Show 20 Lines
void StackAddrEscapeChecker::EmitStackError(CheckerContext &C, const MemRegion *R, void StackAddrEscapeChecker::EmitStackError(CheckerContext &C, const MemRegion *R,
const Expr *RetE) const { const Expr *RetE) const {
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (!N) if (!N)
return; return;
if (!BT_returnstack) if (!BT_returnstack)
BT_returnstack.reset( BT_returnstack.reset(
new BuiltinBug("Return of address to stack-allocated memory")); new BuiltinBug(this, "Return of address to stack-allocated memory"));
// Generate a report for this bug. // Generate a report for this bug.
SmallString<512> buf; SmallString<512> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
SourceRange range = genName(os, R, C.getASTContext()); SourceRange range = genName(os, R, C.getASTContext());
os << " returned to caller"; os << " returned to caller";
BugReport *report = new BugReport(*BT_returnstack, os.str(), N); BugReport *report = new BugReport(*BT_returnstack, os.str(), N);
report->addRange(RetE->getSourceRange()); report->addRange(RetE->getSourceRange());
▲ Show 20 LinesShow All 99 Lines▼ Show 20 Linesvoid StackAddrEscapeChecker::checkEndFunction(CheckerContext &Ctx) const {
// Generate an error node. // Generate an error node.
ExplodedNode *N = Ctx.addTransition(state); ExplodedNode *N = Ctx.addTransition(state);
if (!N) if (!N)
return; return;
if (!BT_stackleak) if (!BT_stackleak)
BT_stackleak.reset( BT_stackleak.reset(
new BuiltinBug("Stack address stored into global variable", new BuiltinBug(this, "Stack address stored into global variable",
"Stack address was saved into a global variable. " "Stack address was saved into a global variable. "
"This is dangerous because the address will become " "This is dangerous because the address will become "
"invalid after returning from the function")); "invalid after returning from the function"));
for (unsigned i = 0, e = cb.V.size(); i != e; ++i) { for (unsigned i = 0, e = cb.V.size(); i != e; ++i) {
// Generate a report for this bug. // Generate a report for this bug.
SmallString<512> buf; SmallString<512> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
SourceRange range = genName(os, cb.V[i].second, Ctx.getASTContext()); SourceRange range = genName(os, cb.V[i].second, Ctx.getASTContext());
os << " is still referred to by the global variable '"; os << " is still referred to by the global variable '";
const VarRegion *VR = cast<VarRegion>(cb.V[i].first->getBaseRegion()); const VarRegion *VR = cast<VarRegion>(cb.V[i].first->getBaseRegion());
os << *VR->getDecl() os << *VR->getDecl()
Show All 12 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/StreamChecker.cpp

Show First 20 LinesShow All 264 Lines▼ Show 20 Lines if (!CI)
return; return;
int64_t x = CI->getValue().getSExtValue(); int64_t x = CI->getValue().getSExtValue();
if (x >= 0 && x <= 2) if (x >= 0 && x <= 2)
return; return;
if (ExplodedNode *N = C.addTransition(state)) { if (ExplodedNode *N = C.addTransition(state)) {
if (!BT_illegalwhence) if (!BT_illegalwhence)
BT_illegalwhence.reset(new BuiltinBug("Illegal whence argument", BT_illegalwhence.reset(
new BuiltinBug(this, "Illegal whence argument",
"The whence argument to fseek() should be " "The whence argument to fseek() should be "
"SEEK_SET, SEEK_END, or SEEK_CUR.")); "SEEK_SET, SEEK_END, or SEEK_CUR."));
BugReport *R = new BugReport(*BT_illegalwhence, BugReport *R = new BugReport(*BT_illegalwhence,
BT_illegalwhence->getDescription(), N); BT_illegalwhence->getDescription(), N);
C.emitReport(R); C.emitReport(R);
} }
} }
void StreamChecker::Ftell(CheckerContext &C, const CallExpr *CE) const { void StreamChecker::Ftell(CheckerContext &C, const CallExpr *CE) const {
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
▲ Show 20 LinesShow All 59 Lines▼ Show 20 LinesProgramStateRef StreamChecker::CheckNullStream(SVal SV, ProgramStateRef state,
ConstraintManager &CM = C.getConstraintManager(); ConstraintManager &CM = C.getConstraintManager();
ProgramStateRef stateNotNull, stateNull; ProgramStateRef stateNotNull, stateNull;
llvm::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV); llvm::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV);
if (!stateNotNull && stateNull) { if (!stateNotNull && stateNull) {
if (ExplodedNode *N = C.generateSink(stateNull)) { if (ExplodedNode *N = C.generateSink(stateNull)) {
if (!BT_nullfp) if (!BT_nullfp)
BT_nullfp.reset(new BuiltinBug("NULL stream pointer", BT_nullfp.reset(new BuiltinBug(this, "NULL stream pointer",
"Stream pointer might be NULL.")); "Stream pointer might be NULL."));
BugReport *R =new BugReport(*BT_nullfp, BT_nullfp->getDescription(), N); BugReport *R =new BugReport(*BT_nullfp, BT_nullfp->getDescription(), N);
C.emitReport(R); C.emitReport(R);
} }
return 0; return 0;
} }
return stateNotNull; return stateNotNull;
} }
Show All 12 Lines if (!SS)
return state; return state;
// Check: Double close a File Descriptor could cause undefined behaviour. // Check: Double close a File Descriptor could cause undefined behaviour.
// Conforming to man-pages // Conforming to man-pages
if (SS->isClosed()) { if (SS->isClosed()) {
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (N) { if (N) {
if (!BT_doubleclose) if (!BT_doubleclose)
BT_doubleclose.reset(new BuiltinBug("Double fclose", BT_doubleclose.reset(new BuiltinBug(
"Try to close a file Descriptor already" this, "Double fclose", "Try to close a file Descriptor already"
" closed. Cause undefined behaviour.")); " closed. Cause undefined behaviour."));
BugReport *R = new BugReport(*BT_doubleclose, BugReport *R = new BugReport(*BT_doubleclose,
BT_doubleclose->getDescription(), N); BT_doubleclose->getDescription(), N);
C.emitReport(R); C.emitReport(R);
} }
return NULL; return NULL;
} }
// Close the File Descriptor. // Close the File Descriptor.
Show All 10 Lines for (SymbolReaper::dead_iterator I = SymReaper.dead_begin(),
const StreamState *SS = state->get<StreamMap>(Sym); const StreamState *SS = state->get<StreamMap>(Sym);
if (!SS) if (!SS)
continue; continue;
if (SS->isOpened()) { if (SS->isOpened()) {
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (N) { if (N) {
if (!BT_ResourceLeak) if (!BT_ResourceLeak)
BT_ResourceLeak.reset(new BuiltinBug("Resource Leak", BT_ResourceLeak.reset(new BuiltinBug(
this, "Resource Leak",
"Opened File never closed. Potential Resource leak.")); "Opened File never closed. Potential Resource leak."));
BugReport *R = new BugReport(*BT_ResourceLeak, BugReport *R = new BugReport(*BT_ResourceLeak,
BT_ResourceLeak->getDescription(), N); BT_ResourceLeak->getDescription(), N);
C.emitReport(R); C.emitReport(R);
} }
} }
} }
} }
void ento::registerStreamChecker(CheckerManager &mgr) { void ento::registerStreamChecker(CheckerManager &mgr) {
mgr.registerChecker<StreamChecker>(); mgr.registerChecker<StreamChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/TaintTesterChecker.cpp

Show All 32 Lines
public: public:
void checkPostStmt(const Expr *E, CheckerContext &C) const; void checkPostStmt(const Expr *E, CheckerContext &C) const;
}; };
} }
inline void TaintTesterChecker::initBugType() const { inline void TaintTesterChecker::initBugType() const {
if (!BT) if (!BT)
BT.reset(new BugType("Tainted data", "General")); BT.reset(new BugType(this, "Tainted data", "General"));
} }
void TaintTesterChecker::checkPostStmt(const Expr *E, void TaintTesterChecker::checkPostStmt(const Expr *E,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
if (!State) if (!State)
return; return;
Show All 13 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UndefBranchChecker.cpp

Show First 20 LinesShow All 61 Lines▼ Show 20 Linesvoid UndefBranchChecker::checkBranchCondition(const Stmt *Condition,
CheckerContext &Ctx) const { CheckerContext &Ctx) const {
SVal X = Ctx.getState()->getSVal(Condition, Ctx.getLocationContext()); SVal X = Ctx.getState()->getSVal(Condition, Ctx.getLocationContext());
if (X.isUndef()) { if (X.isUndef()) {
// Generate a sink node, which implicitly marks both outgoing branches as // Generate a sink node, which implicitly marks both outgoing branches as
// infeasible. // infeasible.
ExplodedNode *N = Ctx.generateSink(); ExplodedNode *N = Ctx.generateSink();
if (N) { if (N) {
if (!BT) if (!BT)
BT.reset( BT.reset(new BuiltinBug(
new BuiltinBug("Branch condition evaluates to a garbage value")); this, "Branch condition evaluates to a garbage value"));
// What's going on here: we want to highlight the subexpression of the // What's going on here: we want to highlight the subexpression of the
// condition that is the most likely source of the "uninitialized // condition that is the most likely source of the "uninitialized
// branch condition." We do a recursive walk of the condition's // branch condition." We do a recursive walk of the condition's
// subexpressions and roughly look for the most nested subexpression // subexpressions and roughly look for the most nested subexpression
// that binds to Undefined. We then highlight that expression's range. // that binds to Undefined. We then highlight that expression's range.
// Get the predecessor node and check if is a PostStmt with the Stmt // Get the predecessor node and check if is a PostStmt with the Stmt
Show All 33 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UndefCapturedBlockVarChecker.cpp

Show First 20 LinesShow All 73 Lines▼ Show 20 Lines for (; I != E; ++I) {
if (VD->hasAttr<BlocksAttr>() || !VD->hasLocalStorage()) if (VD->hasAttr<BlocksAttr>() || !VD->hasLocalStorage())
continue; continue;
// Get the VarRegion associated with VD in the local stack frame. // Get the VarRegion associated with VD in the local stack frame.
if (Optional<UndefinedVal> V = if (Optional<UndefinedVal> V =
state->getSVal(I.getOriginalRegion()).getAs<UndefinedVal>()) { state->getSVal(I.getOriginalRegion()).getAs<UndefinedVal>()) {
if (ExplodedNode *N = C.generateSink()) { if (ExplodedNode *N = C.generateSink()) {
if (!BT) if (!BT)
BT.reset(new BuiltinBug("uninitialized variable captured by block")); BT.reset(
new BuiltinBug(this, "uninitialized variable captured by block"));
// Generate a bug report. // Generate a bug report.
SmallString<128> buf; SmallString<128> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
os << "Variable '" << VD->getName() os << "Variable '" << VD->getName()
<< "' is uninitialized when captured by block"; << "' is uninitialized when captured by block";
Show All 16 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp

Show First 20 LinesShow All 49 Lines▼ Show 20 Lines if (const FunctionDecl *EnclosingFunctionDecl =
return; return;
// Generate an error node. // Generate an error node.
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Result of operation is garbage or undefined")); BT.reset(
new BuiltinBug(this, "Result of operation is garbage or undefined"));
SmallString<256> sbuf; SmallString<256> sbuf;
llvm::raw_svector_ostream OS(sbuf); llvm::raw_svector_ostream OS(sbuf);
const Expr *Ex = NULL; const Expr *Ex = NULL;
bool isLeft = true; bool isLeft = true;
if (state->getSVal(B->getLHS(), LCtx).isUndef()) { if (state->getSVal(B->getLHS(), LCtx).isUndef()) {
Ex = B->getLHS()->IgnoreParenCasts(); Ex = B->getLHS()->IgnoreParenCasts();
Show All 34 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UndefinedArraySubscriptChecker.cpp

Show First 20 LinesShow All 44 Lines▼ Show 20 LinesUndefinedArraySubscriptChecker::checkPreStmt(const ArraySubscriptExpr *A,
if (const CXXConstructorDecl *Ctor = dyn_cast<CXXConstructorDecl>(D)) if (const CXXConstructorDecl *Ctor = dyn_cast<CXXConstructorDecl>(D))
if (Ctor->isDefaulted()) if (Ctor->isDefaulted())
return; return;
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Array subscript is undefined")); BT.reset(new BuiltinBug(this, "Array subscript is undefined"));
// Generate a report for this bug. // Generate a report for this bug.
BugReport *R = new BugReport(*BT, BT->getName(), N); BugReport *R = new BugReport(*BT, BT->getName(), N);
R->addRange(A->getIdx()->getSourceRange()); R->addRange(A->getIdx()->getSourceRange());
bugreporter::trackNullOrUndefValue(N, A->getIdx(), *R); bugreporter::trackNullOrUndefValue(N, A->getIdx(), *R);
C.emitReport(R); C.emitReport(R);
} }
void ento::registerUndefinedArraySubscriptChecker(CheckerManager &mgr) { void ento::registerUndefinedArraySubscriptChecker(CheckerManager &mgr) {
mgr.registerChecker<UndefinedArraySubscriptChecker>(); mgr.registerChecker<UndefinedArraySubscriptChecker>();
} }

cfe/trunk/lib/StaticAnalyzer/Checkers/UndefinedAssignmentChecker.cpp

Show First 20 LinesShow All 48 Lines▼ Show 20 Linesvoid UndefinedAssignmentChecker::checkBind(SVal location, SVal val,
ExplodedNode *N = C.generateSink(); ExplodedNode *N = C.generateSink();
if (!N) if (!N)
return; return;
const char *str = "Assigned value is garbage or undefined"; const char *str = "Assigned value is garbage or undefined";
if (!BT) if (!BT)
BT.reset(new BuiltinBug(str)); BT.reset(new BuiltinBug(this, str));
// Generate a report for this bug. // Generate a report for this bug.
const Expr *ex = 0; const Expr *ex = 0;
while (StoreE) { while (StoreE) {
if (const BinaryOperator *B = dyn_cast<BinaryOperator>(StoreE)) { if (const BinaryOperator *B = dyn_cast<BinaryOperator>(StoreE)) {
if (B->isCompoundAssignmentOp()) { if (B->isCompoundAssignmentOp()) {
ProgramStateRef state = C.getState(); ProgramStateRef state = C.getState();
Show All 31 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UnixAPIChecker.cpp

Show First 20 LinesShow All 51 Lines▼ Show 20 Lines bool ReportZeroByteAllocation(CheckerContext &C,
ProgramStateRef falseState, ProgramStateRef falseState,
const Expr *arg, const Expr *arg,
const char *fn_name) const; const char *fn_name) const;
void BasicAllocationCheck(CheckerContext &C, void BasicAllocationCheck(CheckerContext &C,
const CallExpr *CE, const CallExpr *CE,
const unsigned numArgs, const unsigned numArgs,
const unsigned sizeArg, const unsigned sizeArg,
const char *fn) const; const char *fn) const;
}; void LazyInitialize(OwningPtr<BugType> &BT, const char *name) const {
} //end anonymous namespace
//===----------------------------------------------------------------------===//
// Utility functions.
//===----------------------------------------------------------------------===//
static inline void LazyInitialize(OwningPtr<BugType> &BT,
const char *name) {
if (BT) if (BT)
return; return;
BT.reset(new BugType(name, categories::UnixAPI)); BT.reset(new BugType(this, name, categories::UnixAPI));
} }
};
} //end anonymous namespace
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// "open" (man 2 open) // "open" (man 2 open)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void UnixAPIChecker::CheckOpen(CheckerContext &C, const CallExpr *CE) const { void UnixAPIChecker::CheckOpen(CheckerContext &C, const CallExpr *CE) const {
// The definition of O_CREAT is platform specific. We need a better way // The definition of O_CREAT is platform specific. We need a better way
// of querying this information from the checking environment. // of querying this information from the checking environment.
▲ Show 20 LinesShow All 131 Lines▼ Show 20 Linesbool UnixAPIChecker::ReportZeroByteAllocation(CheckerContext &C,
ProgramStateRef falseState, ProgramStateRef falseState,
const Expr *arg, const Expr *arg,
const char *fn_name) const { const char *fn_name) const {
ExplodedNode *N = C.generateSink(falseState); ExplodedNode *N = C.generateSink(falseState);
if (!N) if (!N)
return false; return false;
LazyInitialize(BT_mallocZero, LazyInitialize(BT_mallocZero,
"Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)"); "Undefined allocation of 0 bytes (CERT MEM04-C; CWE-131)");
SmallString<256> S; SmallString<256> S;
llvm::raw_svector_ostream os(S); llvm::raw_svector_ostream os(S);
os << "Call to '" << fn_name << "' has an allocation size of 0 bytes"; os << "Call to '" << fn_name << "' has an allocation size of 0 bytes";
BugReport *report = new BugReport(*BT_mallocZero, os.str(), N); BugReport *report = new BugReport(*BT_mallocZero, os.str(), N);
report->addRange(arg->getSourceRange()); report->addRange(arg->getSourceRange());
bugreporter::trackNullOrUndefValue(N, arg, *report); bugreporter::trackNullOrUndefValue(N, arg, *report);
▲ Show 20 LinesShow All 135 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/UnreachableCodeChecker.cpp

Show First 20 LinesShow All 159 Lines▼ Show 20 Lines for (CFG::const_iterator I = C->begin(), E = C->end(); I != E; ++I) {
else else
continue; continue;
// Check if the SourceLocation is in a system header // Check if the SourceLocation is in a system header
const SourceManager &SM = B.getSourceManager(); const SourceManager &SM = B.getSourceManager();
if (SM.isInSystemHeader(SL) || SM.isInExternCSystemHeader(SL)) if (SM.isInSystemHeader(SL) || SM.isInExternCSystemHeader(SL))
continue; continue;
B.EmitBasicReport(D, "Unreachable code", "Dead code", B.EmitBasicReport(D, this, "Unreachable code", "Dead code",
"This statement is never executed", DL, SR); "This statement is never executed", DL, SR);
} }
} }
// Recursively finds the entry point(s) for this dead CFGBlock. // Recursively finds the entry point(s) for this dead CFGBlock.
void UnreachableCodeChecker::FindUnreachableEntryPoints(const CFGBlock *CB, void UnreachableCodeChecker::FindUnreachableEntryPoints(const CFGBlock *CB,
CFGBlocksSet &reachable, CFGBlocksSet &reachable,
CFGBlocksSet &visited) { CFGBlocksSet &visited) {
▲ Show 20 LinesShow All 74 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/VLASizeChecker.cpp

Show First 20 LinesShow All 45 Lines▼ Show 20 Linesvoid VLASizeChecker::reportBug(VLASize_Kind Kind,
ProgramStateRef State, ProgramStateRef State,
CheckerContext &C) const { CheckerContext &C) const {
// Generate an error node. // Generate an error node.
ExplodedNode *N = C.generateSink(State); ExplodedNode *N = C.generateSink(State);
if (!N) if (!N)
return; return;
if (!BT) if (!BT)
BT.reset(new BuiltinBug("Dangerous variable-length array (VLA) declaration")); BT.reset(new BuiltinBug(
this, "Dangerous variable-length array (VLA) declaration"));
SmallString<256> buf; SmallString<256> buf;
llvm::raw_svector_ostream os(buf); llvm::raw_svector_ostream os(buf);
os << "Declared variable-length array (VLA) "; os << "Declared variable-length array (VLA) ";
switch (Kind) { switch (Kind) {
case VLA_Garbage: case VLA_Garbage:
os << "uses a garbage value as its size"; os << "uses a garbage value as its size";
break; break;
▲ Show 20 LinesShow All 100 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp

Show All 22 Lines
#include "llvm/Support/raw_ostream.h" #include "llvm/Support/raw_ostream.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class WalkAST : public StmtVisitor<WalkAST> { class WalkAST : public StmtVisitor<WalkAST> {
const CheckerBase *Checker;
BugReporter &BR; BugReporter &BR;
AnalysisDeclContext *AC; AnalysisDeclContext *AC;
typedef const CallExpr * WorkListUnit; typedef const CallExpr * WorkListUnit;
typedef SmallVector<WorkListUnit, 20> DFSWorkList; typedef SmallVector<WorkListUnit, 20> DFSWorkList;
/// A vector representing the worklist which has a chain of CallExprs. /// A vector representing the worklist which has a chain of CallExprs.
DFSWorkList WList; DFSWorkList WList;
Show All 14 Linesclass WalkAST : public StmtVisitor<WalkAST> {
llvm::DenseMap<const FunctionDecl *, Kind> VisitedFunctions; llvm::DenseMap<const FunctionDecl *, Kind> VisitedFunctions;
/// The CallExpr whose body is currently being visited. This is used for /// The CallExpr whose body is currently being visited. This is used for
/// generating bug reports. This is null while visiting the body of a /// generating bug reports. This is null while visiting the body of a
/// constructor or destructor. /// constructor or destructor.
const CallExpr *visitingCallExpr; const CallExpr *visitingCallExpr;
public: public:
WalkAST(BugReporter &br, AnalysisDeclContext *ac) WalkAST(const CheckerBase *checker, BugReporter &br,
: BR(br), AnalysisDeclContext *ac)
AC(ac), : Checker(checker), BR(br), AC(ac), visitingCallExpr(0) {}
visitingCallExpr(0) {}
bool hasWork() const { return !WList.empty(); } bool hasWork() const { return !WList.empty(); }
/// This method adds a CallExpr to the worklist and marks the callee as /// This method adds a CallExpr to the worklist and marks the callee as
/// being PreVisited. /// being PreVisited.
void Enqueue(WorkListUnit WLUnit) { void Enqueue(WorkListUnit WLUnit) {
const FunctionDecl *FD = WLUnit->getDirectCallee(); const FunctionDecl *FD = WLUnit->getDirectCallee();
if (!FD || !FD->getBody()) if (!FD || !FD->getBody())
return; return;
▲ Show 20 LinesShow All 108 Lines▼ Show 20 Linesvoid WalkAST::ReportVirtualCall(const CallExpr *CE, bool isPure) {
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
SourceRange R = CE->getCallee()->getSourceRange(); SourceRange R = CE->getCallee()->getSourceRange();
if (isPure) { if (isPure) {
os << "\n" << "Call pure virtual functions during construction or " os << "\n" << "Call pure virtual functions during construction or "
<< "destruction may leads undefined behaviour"; << "destruction may leads undefined behaviour";
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), Checker,
"Call pure virtual function during construction or " "Call pure virtual function during construction or "
"Destruction", "Destruction",
"Cplusplus", "Cplusplus", os.str(), CELoc, R);
os.str(), CELoc, R);
return; return;
} }
else { else {
os << "\n" << "Call virtual functions during construction or " os << "\n" << "Call virtual functions during construction or "
<< "destruction will never go to a more derived class"; << "destruction will never go to a more derived class";
BR.EmitBasicReport(AC->getDecl(), BR.EmitBasicReport(AC->getDecl(), Checker,
"Call virtual function during construction or " "Call virtual function during construction or "
"Destruction", "Destruction",
"Cplusplus", "Cplusplus", os.str(), CELoc, R);
os.str(), CELoc, R);
return; return;
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// VirtualCallChecker // VirtualCallChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class VirtualCallChecker : public Checker<check::ASTDecl<CXXRecordDecl> > { class VirtualCallChecker : public Checker<check::ASTDecl<CXXRecordDecl> > {
public: public:
void checkASTDecl(const CXXRecordDecl *RD, AnalysisManager& mgr, void checkASTDecl(const CXXRecordDecl *RD, AnalysisManager& mgr,
BugReporter &BR) const { BugReporter &BR) const {
WalkAST walker(BR, mgr.getAnalysisDeclContext(RD)); WalkAST walker(this, BR, mgr.getAnalysisDeclContext(RD));
// Check the constructors. // Check the constructors.
for (CXXRecordDecl::ctor_iterator I = RD->ctor_begin(), E = RD->ctor_end(); for (CXXRecordDecl::ctor_iterator I = RD->ctor_begin(), E = RD->ctor_end();
I != E; ++I) { I != E; ++I) {
if (!I->isCopyOrMoveConstructor()) if (!I->isCopyOrMoveConstructor())
if (Stmt *Body = I->getBody()) { if (Stmt *Body = I->getBody()) {
walker.Visit(Body); walker.Visit(Body);
walker.Execute(); walker.Execute();
Show All 16 Lines

cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp

Show First 20 LinesShow All 3,414 Lines▼ Show 20 Linesvoid BugReporter::FlushReport(BugReport *exampleReport,
PathDiagnosticConsumer &PD, PathDiagnosticConsumer &PD,
ArrayRef<BugReport*> bugReports) { ArrayRef<BugReport*> bugReports) {
// FIXME: Make sure we use the 'R' for the path that was actually used. // FIXME: Make sure we use the 'R' for the path that was actually used.
// Probably doesn't make a difference in practice. // Probably doesn't make a difference in practice.
BugType& BT = exampleReport->getBugType(); BugType& BT = exampleReport->getBugType();
OwningPtr<PathDiagnostic> OwningPtr<PathDiagnostic>
D(new PathDiagnostic(exampleReport->getDeclWithIssue(), D(new PathDiagnostic(exampleReport->getBugType().getCheckName(),
exampleReport->getDeclWithIssue(),
exampleReport->getBugType().getName(), exampleReport->getBugType().getName(),
exampleReport->getDescription(), exampleReport->getDescription(),
exampleReport->getShortDescription(/*Fallback=*/false), exampleReport->getShortDescription(/*Fallback=*/false),
BT.getCategory(), BT.getCategory(),
exampleReport->getUniqueingLocation(), exampleReport->getUniqueingLocation(),
exampleReport->getUniqueingDecl())); exampleReport->getUniqueingDecl()));
MaxBugClassSize = std::max(bugReports.size(), MaxBugClassSize = std::max(bugReports.size(),
Show All 35 Lines for (BugReport::ExtraTextList::const_iterator i = Meta.begin(),
e = Meta.end(); i != e; ++i) { e = Meta.end(); i != e; ++i) {
D->addMeta(*i); D->addMeta(*i);
} }
PD.HandlePathDiagnostic(D.take()); PD.HandlePathDiagnostic(D.take());
} }
void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, void BugReporter::EmitBasicReport(const Decl *DeclWithIssue,
StringRef name, const CheckerBase *Checker,
StringRef category, StringRef Name, StringRef Category,
StringRef Str, PathDiagnosticLocation Loc,
ArrayRef<SourceRange> Ranges) {
EmitBasicReport(DeclWithIssue, Checker->getCheckName(), Name, Category, Str,
Loc, Ranges);
}
void BugReporter::EmitBasicReport(const Decl *DeclWithIssue,
CheckName CheckName,
StringRef name, StringRef category,
StringRef str, PathDiagnosticLocation Loc, StringRef str, PathDiagnosticLocation Loc,
ArrayRef<SourceRange> Ranges) { ArrayRef<SourceRange> Ranges) {
// 'BT' is owned by BugReporter. // 'BT' is owned by BugReporter.
BugType *BT = getBugTypeForName(name, category); BugType *BT = getBugTypeForName(CheckName, name, category);
BugReport *R = new BugReport(*BT, str, Loc); BugReport *R = new BugReport(*BT, str, Loc);
R->setDeclWithIssue(DeclWithIssue); R->setDeclWithIssue(DeclWithIssue);
for (ArrayRef<SourceRange>::iterator I = Ranges.begin(), E = Ranges.end(); for (ArrayRef<SourceRange>::iterator I = Ranges.begin(), E = Ranges.end();
I != E; ++I) I != E; ++I)
R->addRange(*I); R->addRange(*I);
emitReport(R); emitReport(R);
} }
BugType *BugReporter::getBugTypeForName(StringRef name, BugType *BugReporter::getBugTypeForName(CheckName CheckName, StringRef name,
StringRef category) { StringRef category) {
SmallString<136> fullDesc; SmallString<136> fullDesc;
llvm::raw_svector_ostream(fullDesc) << name << ":" << category; llvm::raw_svector_ostream(fullDesc) << CheckName.getName() << ":" << name
<< ":" << category;
llvm::StringMapEntry<BugType *> & llvm::StringMapEntry<BugType *> &
entry = StrBugTypes.GetOrCreateValue(fullDesc); entry = StrBugTypes.GetOrCreateValue(fullDesc);
BugType *BT = entry.getValue(); BugType *BT = entry.getValue();
if (!BT) { if (!BT) {
BT = new BugType(name, category); BT = new BugType(CheckName, name, category);
entry.setValue(BT); entry.setValue(BT);
} }
return BT; return BT;
} }
LLVM_DUMP_METHOD void PathPieces::dump() const { LLVM_DUMP_METHOD void PathPieces::dump() const {
unsigned index = 0; unsigned index = 0;
for (PathPieces::const_iterator I = begin(), E = end(); I != E; ++I) { for (PathPieces::const_iterator I = begin(), E = end(); I != E; ++I) {
▲ Show 20 LinesShow All 70 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/Checker.cpp

Show All 16 Lines
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
StringRef CheckerBase::getTagDescription() const { StringRef CheckerBase::getTagDescription() const {
// FIXME: We want to return the package + name of the checker here. // FIXME: We want to return the package + name of the checker here.
return "A Checker"; return "A Checker";
} }
CheckName CheckerBase::getCheckName() const { return Name; }
void Checker<check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, void Checker<check::_VoidCheck, check::_VoidCheck, check::_VoidCheck,
check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck,
check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck,
check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck,
check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck, check::_VoidCheck,
check::_VoidCheck, check::_VoidCheck, check::_VoidCheck check::_VoidCheck, check::_VoidCheck, check::_VoidCheck
>::anchor() { } >::anchor() { }

cfe/trunk/lib/StaticAnalyzer/Core/CheckerRegistry.cpp

Show First 20 LinesShow All 100 Lines▼ Show 20 Linesvoid CheckerRegistry::initializeManager(CheckerManager &checkerMgr,
for (SmallVectorImpl<CheckerOptInfo>::iterator for (SmallVectorImpl<CheckerOptInfo>::iterator
i = opts.begin(), e = opts.end(); i != e; ++i) { i = opts.begin(), e = opts.end(); i != e; ++i) {
collectCheckers(Checkers, Packages, *i, enabledCheckers); collectCheckers(Checkers, Packages, *i, enabledCheckers);
} }
// Initialize the CheckerManager with all enabled checkers. // Initialize the CheckerManager with all enabled checkers.
for (CheckerInfoSet::iterator for (CheckerInfoSet::iterator
i = enabledCheckers.begin(), e = enabledCheckers.end(); i != e; ++i) { i = enabledCheckers.begin(), e = enabledCheckers.end(); i != e; ++i) {
checkerMgr.setCurrentCheckName(CheckName((*i)->FullName));
(*i)->Initialize(checkerMgr); (*i)->Initialize(checkerMgr);
} }
} }
void CheckerRegistry::printHelp(raw_ostream &out, void CheckerRegistry::printHelp(raw_ostream &out,
size_t maxNameChars) const { size_t maxNameChars) const {
// FIXME: Alphabetical sort puts 'experimental' in the middle. // FIXME: Alphabetical sort puts 'experimental' in the middle.
// Would it be better to name it '~experimental' or something else // Would it be better to name it '~experimental' or something else
Show All 35 Lines

cfe/trunk/lib/StaticAnalyzer/Core/PathDiagnostic.cpp

Show First 20 LinesShow All 100 Lines▼ Show 20 Lines case PathDiagnosticPiece::ControlFlow:
break; break;
} }
} }
} }
PathDiagnostic::~PathDiagnostic() {} PathDiagnostic::~PathDiagnostic() {}
PathDiagnostic::PathDiagnostic(const Decl *declWithIssue, PathDiagnostic::PathDiagnostic(StringRef CheckName, const Decl *declWithIssue,
StringRef bugtype, StringRef verboseDesc, StringRef bugtype, StringRef verboseDesc,
StringRef shortDesc, StringRef category, StringRef shortDesc, StringRef category,
PathDiagnosticLocation LocationToUnique, PathDiagnosticLocation LocationToUnique,
const Decl *DeclToUnique) const Decl *DeclToUnique)
: DeclWithIssue(declWithIssue), : CheckName(CheckName),
DeclWithIssue(declWithIssue),
BugType(StripTrailingDots(bugtype)), BugType(StripTrailingDots(bugtype)),
VerboseDesc(StripTrailingDots(verboseDesc)), VerboseDesc(StripTrailingDots(verboseDesc)),
ShortDesc(StripTrailingDots(shortDesc)), ShortDesc(StripTrailingDots(shortDesc)),
Category(StripTrailingDots(category)), Category(StripTrailingDots(category)),
UniqueingLoc(LocationToUnique), UniqueingLoc(LocationToUnique),
UniqueingDecl(DeclToUnique), UniqueingDecl(DeclToUnique),
path(pathImpl) {} path(pathImpl) {}
▲ Show 20 LinesShow All 1,061 LinesShow Last 20 Lines