clang 20.0.0git
DereferenceChecker.cpp
Go to the documentation of this file.
1//===-- DereferenceChecker.cpp - Null dereference checker -----------------===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This defines NullDerefChecker, a builtin check in ExprEngine that performs
10// checks for null pointers at loads and stores.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/AST/ExprObjC.h"
15#include "clang/AST/ExprOpenMP.h"
16#include "clang/Basic/TargetInfo.h"
17#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
18#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
19#include "clang/StaticAnalyzer/Core/Checker.h"
20#include "clang/StaticAnalyzer/Core/CheckerManager.h"
21#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
22#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
23#include "llvm/ADT/SmallString.h"
24#include "llvm/Support/raw_ostream.h"
25
26using namespace clang;
27using namespace ento;
28
29namespace {
30class DereferenceChecker
31 : public Checker< check::Location,
32 check::Bind,
33 EventDispatcher<ImplicitNullDerefEvent> > {
34 enum DerefKind { NullPointer, UndefinedPointerValue, AddressOfLabel };
35
36 BugType BT_Null{this, "Dereference of null pointer", categories::LogicError};
37 BugType BT_Undef{this, "Dereference of undefined pointer value",
38 categories::LogicError};
39 BugType BT_Label{this, "Dereference of the address of a label",
40 categories::LogicError};
41
42 void reportBug(DerefKind K, ProgramStateRef State, const Stmt *S,
43 CheckerContext &C) const;
44
45 bool suppressReport(CheckerContext &C, const Expr *E) const;
46
47public:
48 void checkLocation(SVal location, bool isLoad, const Stmt* S,
49 CheckerContext &C) const;
50 void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
51
52 static void AddDerefSource(raw_ostream &os,
53 SmallVectorImpl<SourceRange> &Ranges,
54 const Expr *Ex, const ProgramState *state,
55 const LocationContext *LCtx,
56 bool loadedFrom = false);
57
58 bool SuppressAddressSpaces = false;
59};
60} // end anonymous namespace
61
62void
63DereferenceChecker::AddDerefSource(raw_ostream &os,
64 SmallVectorImpl<SourceRange> &Ranges,
65 const Expr *Ex,
66 const ProgramState *state,
67 const LocationContext *LCtx,
68 bool loadedFrom) {
69 Ex = Ex->IgnoreParenLValueCasts();
70 switch (Ex->getStmtClass()) {
71 default:
72 break;
73 case Stmt::DeclRefExprClass: {
74 const DeclRefExpr *DR = cast<DeclRefExpr>(Ex);
75 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
76 os << " (" << (loadedFrom ? "loaded from" : "from")
77 << " variable '" << VD->getName() << "')";
78 Ranges.push_back(DR->getSourceRange());
79 }
80 break;
81 }
82 case Stmt::MemberExprClass: {
83 const MemberExpr *ME = cast<MemberExpr>(Ex);
84 os << " (" << (loadedFrom ? "loaded from" : "via")
85 << " field '" << ME->getMemberNameInfo() << "')";
86 SourceLocation L = ME->getMemberLoc();
87 Ranges.push_back(SourceRange(L, L));
88 break;
89 }
90 case Stmt::ObjCIvarRefExprClass: {
91 const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(Ex);
92 os << " (" << (loadedFrom ? "loaded from" : "via")
93 << " ivar '" << IV->getDecl()->getName() << "')";
94 SourceLocation L = IV->getLocation();
95 Ranges.push_back(SourceRange(L, L));
96 break;
97 }
98 }
99}
100
101static const Expr *getDereferenceExpr(const Stmt *S, bool IsBind=false){
102 const Expr *E = nullptr;
103
104 // Walk through lvalue casts to get the original expression
105 // that syntactically caused the load.
106 if (const Expr *expr = dyn_cast<Expr>(S))
107 E = expr->IgnoreParenLValueCasts();
108
109 if (IsBind) {
110 const VarDecl *VD;
111 const Expr *Init;
112 std::tie(VD, Init) = parseAssignment(S);
113 if (VD && Init)
114 E = Init;
115 }
116 return E;
117}
118
119bool DereferenceChecker::suppressReport(CheckerContext &C,
120 const Expr *E) const {
121 // Do not report dereferences on memory that use address space #256, #257,
122 // and #258. Those address spaces are used when dereferencing address spaces
123 // relative to the GS, FS, and SS segments on x86/x86-64 targets.
124 // Dereferencing a null pointer in these address spaces is not defined
125 // as an error. All other null dereferences in other address spaces
126 // are defined as an error unless explicitly defined.
127 // See https://clang.llvm.org/docs/LanguageExtensions.html, the section
128 // "X86/X86-64 Language Extensions"
129
130 QualType Ty = E->getType();
131 if (!Ty.hasAddressSpace())
132 return false;
133 if (SuppressAddressSpaces)
134 return true;
135
136 const llvm::Triple::ArchType Arch =
137 C.getASTContext().getTargetInfo().getTriple().getArch();
138
139 if ((Arch == llvm::Triple::x86) || (Arch == llvm::Triple::x86_64)) {
140 switch (toTargetAddressSpace(E->getType().getAddressSpace())) {
141 case 256:
142 case 257:
143 case 258:
144 return true;
145 }
146 }
147 return false;
148}
149
150static bool isDeclRefExprToReference(const Expr *E) {
151 if (const auto *DRE = dyn_cast<DeclRefExpr>(E))
152 return DRE->getDecl()->getType()->isReferenceType();
153 return false;
154}
155
156void DereferenceChecker::reportBug(DerefKind K, ProgramStateRef State,
157 const Stmt *S, CheckerContext &C) const {
158 const BugType *BT = nullptr;
159 llvm::StringRef DerefStr1;
160 llvm::StringRef DerefStr2;
161 switch (K) {
162 case DerefKind::NullPointer:
163 BT = &BT_Null;
164 DerefStr1 = " results in a null pointer dereference";
165 DerefStr2 = " results in a dereference of a null pointer";
166 break;
167 case DerefKind::UndefinedPointerValue:
168 BT = &BT_Undef;
169 DerefStr1 = " results in an undefined pointer dereference";
170 DerefStr2 = " results in a dereference of an undefined pointer value";
171 break;
172 case DerefKind::AddressOfLabel:
173 BT = &BT_Label;
174 DerefStr1 = " results in an undefined pointer dereference";
175 DerefStr2 = " results in a dereference of an address of a label";
176 break;
177 };
178
179 // Generate an error node.
180 ExplodedNode *N = C.generateErrorNode(State);
181 if (!N)
182 return;
183
184 SmallString<100> buf;
185 llvm::raw_svector_ostream os(buf);
186
187 SmallVector<SourceRange, 2> Ranges;
188
189 switch (S->getStmtClass()) {
190 case Stmt::ArraySubscriptExprClass: {
191 os << "Array access";
192 const ArraySubscriptExpr *AE = cast<ArraySubscriptExpr>(S);
193 AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
194 State.get(), N->getLocationContext());
195 os << DerefStr1;
196 break;
197 }
198 case Stmt::ArraySectionExprClass: {
199 os << "Array access";
200 const ArraySectionExpr *AE = cast<ArraySectionExpr>(S);
201 AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
202 State.get(), N->getLocationContext());
203 os << DerefStr1;
204 break;
205 }
206 case Stmt::UnaryOperatorClass: {
207 os << BT->getDescription();
208 const UnaryOperator *U = cast<UnaryOperator>(S);
209 AddDerefSource(os, Ranges, U->getSubExpr()->IgnoreParens(),
210 State.get(), N->getLocationContext(), true);
211 break;
212 }
213 case Stmt::MemberExprClass: {
214 const MemberExpr *M = cast<MemberExpr>(S);
215 if (M->isArrow() || isDeclRefExprToReference(M->getBase())) {
216 os << "Access to field '" << M->getMemberNameInfo() << "'" << DerefStr2;
217 AddDerefSource(os, Ranges, M->getBase()->IgnoreParenCasts(),
218 State.get(), N->getLocationContext(), true);
219 }
220 break;
221 }
222 case Stmt::ObjCIvarRefExprClass: {
223 const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(S);
224 os << "Access to instance variable '" << *IV->getDecl() << "'" << DerefStr2;
225 AddDerefSource(os, Ranges, IV->getBase()->IgnoreParenCasts(),
226 State.get(), N->getLocationContext(), true);
227 break;
228 }
229 default:
230 break;
231 }
232
233 auto report = std::make_unique<PathSensitiveBugReport>(
234 *BT, buf.empty() ? BT->getDescription() : buf.str(), N);
235
236 bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);
237
238 for (SmallVectorImpl<SourceRange>::iterator
239 I = Ranges.begin(), E = Ranges.end(); I!=E; ++I)
240 report->addRange(*I);
241
242 C.emitReport(std::move(report));
243}
244
245void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
246 CheckerContext &C) const {
247 // Check for dereference of an undefined value.
248 if (l.isUndef()) {
249 const Expr *DerefExpr = getDereferenceExpr(S);
250 if (!suppressReport(C, DerefExpr))
251 reportBug(DerefKind::UndefinedPointerValue, C.getState(), DerefExpr, C);
252 return;
253 }
254
255 DefinedOrUnknownSVal location = l.castAs<DefinedOrUnknownSVal>();
256
257 // Check for null dereferences.
258 if (!isa<Loc>(location))
259 return;
260
261 ProgramStateRef state = C.getState();
262
263 ProgramStateRef notNullState, nullState;
264 std::tie(notNullState, nullState) = state->assume(location);
265
266 if (nullState) {
267 if (!notNullState) {
268 // We know that 'location' can only be null. This is what
269 // we call an "explicit" null dereference.
270 const Expr *expr = getDereferenceExpr(S);
271 if (!suppressReport(C, expr)) {
272 reportBug(DerefKind::NullPointer, nullState, expr, C);
273 return;
274 }
275 }
276
277 // Otherwise, we have the case where the location could either be
278 // null or not-null. Record the error node as an "implicit" null
279 // dereference.
280 if (ExplodedNode *N = C.generateSink(nullState, C.getPredecessor())) {
281 ImplicitNullDerefEvent event = {l, isLoad, N, &C.getBugReporter(),
282 /*IsDirectDereference=*/true};
283 dispatchEvent(event);
284 }
285 }
286
287 // From this point forward, we know that the location is not null.
288 C.addTransition(notNullState);
289}
290
291void DereferenceChecker::checkBind(SVal L, SVal V, const Stmt *S,
292 CheckerContext &C) const {
293 // If we're binding to a reference, check if the value is known to be null.
294 if (V.isUndef())
295 return;
296
297 // One should never write to label addresses.
298 if (auto Label = L.getAs<loc::GotoLabel>()) {
299 reportBug(DerefKind::AddressOfLabel, C.getState(), S, C);
300 return;
301 }
302
303 const MemRegion *MR = L.getAsRegion();
304 const TypedValueRegion *TVR = dyn_cast_or_null<TypedValueRegion>(MR);
305 if (!TVR)
306 return;
307
308 if (!TVR->getValueType()->isReferenceType())
309 return;
310
311 ProgramStateRef State = C.getState();
312
313 ProgramStateRef StNonNull, StNull;
314 std::tie(StNonNull, StNull) = State->assume(V.castAs<DefinedOrUnknownSVal>());
315
316 if (StNull) {
317 if (!StNonNull) {
318 const Expr *expr = getDereferenceExpr(S, /*IsBind=*/true);
319 if (!suppressReport(C, expr)) {
320 reportBug(DerefKind::NullPointer, StNull, expr, C);
321 return;
322 }
323 }
324
325 // At this point the value could be either null or non-null.
326 // Record this as an "implicit" null dereference.
327 if (ExplodedNode *N = C.generateSink(StNull, C.getPredecessor())) {
328 ImplicitNullDerefEvent event = {V, /*isLoad=*/true, N,
329 &C.getBugReporter(),
330 /*IsDirectDereference=*/true};
331 dispatchEvent(event);
332 }
333 }
334
335 // Unlike a regular null dereference, initializing a reference with a
336 // dereferenced null pointer does not actually cause a runtime exception in
337 // Clang's implementation of references.
338 //
339 // int &r = *p; // safe??
340 // if (p != NULL) return; // uh-oh
341 // r = 5; // trap here
342 //
343 // The standard says this is invalid as soon as we try to create a "null
344 // reference" (there is no such thing), but turning this into an assumption
345 // that 'p' is never null will not match our actual runtime behavior.
346 // So we do not record this assumption, allowing us to warn on the last line
347 // of this example.
348 //
349 // We do need to add a transition because we may have generated a sink for
350 // the "implicit" null dereference.
351 C.addTransition(State, this);
352}
353
354void ento::registerDereferenceChecker(CheckerManager &mgr) {
355 auto *Chk = mgr.registerChecker<DereferenceChecker>();
356 Chk->SuppressAddressSpaces = mgr.getAnalyzerOptions().getCheckerBooleanOption(
357 mgr.getCurrentCheckerName(), "SuppressAddressSpaces");
358}
359
360bool ento::shouldRegisterDereferenceChecker(const CheckerManager &mgr) {
361 return true;
362}
V
#define V(N, I)
Definition: ASTContext.h:3341
E
Expr * E
Definition: CheckExprLifetime.cpp:198
getDereferenceExpr
static const Expr * getDereferenceExpr(const Stmt *S, bool IsBind=false)
Definition: DereferenceChecker.cpp:101
isDeclRefExprToReference
static bool isDeclRefExprToReference(const Expr *E)
Definition: DereferenceChecker.cpp:150
Label
std::string Label
Definition: UsingDeclarationsSorter.cpp:96
clang::AnalyzerOptions::getCheckerBooleanOption
bool getCheckerBooleanOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option's string value as a boolean.
Definition: AnalyzerOptions.cpp:161
clang::ArraySectionExpr
This class represents BOTH the OpenMP Array Section and OpenACC 'subarray', with a boolean differenti...
Definition: Expr.h:6926
clang::ArraySectionExpr::getBase
Expr * getBase()
Get base of the array section.
Definition: Expr.h:6992
clang::ArraySubscriptExpr
ArraySubscriptExpr - [C99 6.5.2.1] Array Subscripting.
Definition: Expr.h:2674
clang::DeclRefExpr
A reference to a declared variable, function, enum, etc.
Definition: Expr.h:1265
clang::DeclRefExpr::getDecl
ValueDecl * getDecl()
Definition: Expr.h:1333
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::Expr::IgnoreParenCasts
Expr * IgnoreParenCasts() LLVM_READONLY
Skip past any parentheses and casts which might surround this expression until reaching a fixed point...
Definition: Expr.cpp:3075
clang::Expr::IgnoreParenLValueCasts
Expr * IgnoreParenLValueCasts() LLVM_READONLY
Skip past any parentheses and lvalue casts which might surround this expression until reaching a fixe...
Definition: Expr.cpp:3087
clang::Expr::getType
QualType getType() const
Definition: Expr.h:142
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::MemberExpr
MemberExpr - [C99 6.5.2.3] Structure and Union Members.
Definition: Expr.h:3187
clang::MemberExpr::getMemberLoc
SourceLocation getMemberLoc() const
getMemberLoc - Return the location of the "member", in X->F, it is the location of 'F'.
Definition: Expr.h:3376
clang::MemberExpr::getBase
Expr * getBase() const
Definition: Expr.h:3264
clang::MemberExpr::getMemberNameInfo
DeclarationNameInfo getMemberNameInfo() const
Retrieve the member declaration name info.
Definition: Expr.h:3364
clang::MemberExpr::isArrow
bool isArrow() const
Definition: Expr.h:3371
clang::NamedDecl::getName
StringRef getName() const
Get the name of identifier for this declaration as a StringRef.
Definition: Decl.h:276
clang::ObjCIvarRefExpr
ObjCIvarRefExpr - A reference to an ObjC instance variable.
Definition: ExprObjC.h:549
clang::ObjCIvarRefExpr::getLocation
SourceLocation getLocation() const
Definition: ExprObjC.h:592
clang::ObjCIvarRefExpr::getDecl
ObjCIvarDecl * getDecl()
Definition: ExprObjC.h:579
clang::ObjCIvarRefExpr::getBase
const Expr * getBase() const
Definition: ExprObjC.h:583
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:941
clang::QualType::getAddressSpace
LangAS getAddressSpace() const
Return the address space of this type.
Definition: Type.h:7876
clang::QualType::hasAddressSpace
bool hasAddressSpace() const
Check if this type has any address space qualifier.
Definition: Type.h:7871
clang::SourceLocation
Encodes a location in the source.
Definition: SourceLocation.h:88
clang::SourceRange
A trivial tuple used to represent a source range.
Definition: SourceLocation.h:213
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84
clang::Stmt::getStmtClass
StmtClass getStmtClass() const
Definition: Stmt.h:1363
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:326
clang::Type::isReferenceType
bool isReferenceType() const
Definition: Type.h:8021
clang::UnaryOperator
UnaryOperator - This represents the unary-expression's (except sizeof and alignof),...
Definition: Expr.h:2188
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:879
clang::ento::BugType::getDescription
StringRef getDescription() const
Definition: BugType.h:48
clang::ento::CheckerManager::getAnalyzerOptions
const AnalyzerOptions & getAnalyzerOptions() const
Definition: CheckerManager.h:170
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::CheckerManager::getCurrentCheckerName
CheckerNameRef getCurrentCheckerName() const
Definition: CheckerManager.h:163
clang::ento::ExplodedNode::getLocationContext
const LocationContext * getLocationContext() const
Definition: ExplodedGraph.h:147
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:97
clang::ento::ProgramState
ProgramState - This class encapsulates:
Definition: ProgramState.h:71
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SVal::isUndef
bool isUndef() const
Definition: SVals.h:104
clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:86
clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:82
clang::ento::TypedValueRegion
TypedValueRegion - An abstract class representing regions having a typed value.
Definition: MemRegion.h:535
clang::ento::TypedValueRegion::getValueType
virtual QualType getValueType() const =0
TargetInfo.h
Defines the clang::TargetInfo interface.
clang::ast_matchers::expr
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
Definition: ASTMatchersInternal.cpp:906
clang::ento::bugreporter::getDerefExpr
const Expr * getDerefExpr(const Stmt *S)
Given that expression S represents a pointer that would be dereferenced, try to find a sub-expression...
Definition: BugReporterVisitors.cpp:101
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2689
clang::ento::parseAssignment
std::pair< const clang::VarDecl *, const clang::Expr * > parseAssignment(const Stmt *S)
Definition: CheckerHelpers.cpp:83
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
clang::toTargetAddressSpace
unsigned toTargetAddressSpace(LangAS AS)
Definition: AddressSpaces.h:81
clang::ento::ImplicitNullDerefEvent
We dereferenced a location that may be null.
Definition: Checker.h:548
Generated on Fri Nov 15 2024 16:44:41 for clang by doxygen 1.9.6