doxygen/DereferenceChecker_8cpp_source.html

//===-- DereferenceChecker.cpp - Null dereference checker -----------------===//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This defines NullDerefChecker, a builtin check in ExprEngine that performs

// checks for null pointers at loads and stores.

//

//===----------------------------------------------------------------------===//


#include "clang/AST/ExprObjC.h"

#include "clang/AST/ExprOpenMP.h"

#include "clang/Basic/TargetInfo.h"

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"

#include "llvm/ADT/SmallString.h"

#include "llvm/Support/raw_ostream.h"


using namespace clang;

using namespace ento;


namespace {

class DereferenceChecker

    : public Checker< check::Location,

                      check::Bind,

                      EventDispatcher<ImplicitNullDerefEvent> > {

  enum DerefKind { NullPointer, UndefinedPointerValue };


  BugType BT_Null{this, "Dereference of null pointer", categories::LogicError};

  BugType BT_Undef{this, "Dereference of undefined pointer value",

                   categories::LogicError};


  void reportBug(DerefKind K, ProgramStateRef State, const Stmt *S,

                 CheckerContext &C) const;


  bool suppressReport(CheckerContext &C, const Expr *E) const;


public:

  void checkLocation(SVal location, bool isLoad, const Stmt* S,

                     CheckerContext &C) const;

  void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;


  static void AddDerefSource(raw_ostream &os,

                             SmallVectorImpl<SourceRange> &Ranges,

                             const Expr *Ex, const ProgramState *state,

                             const LocationContext *LCtx,

                             bool loadedFrom = false);


  bool SuppressAddressSpaces = false;

};

} // end anonymous namespace


void

DereferenceChecker::AddDerefSource(raw_ostream &os,

                                   SmallVectorImpl<SourceRange> &Ranges,

                                   const Expr *Ex,

                                   const ProgramState *state,

                                   const LocationContext *LCtx,

                                   bool loadedFrom) {

  Ex = Ex->IgnoreParenLValueCasts();

  switch (Ex->getStmtClass()) {

    default:

      break;

    case Stmt::DeclRefExprClass: {

      const DeclRefExpr *DR = cast<DeclRefExpr>(Ex);

      if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {

        os << " (" << (loadedFrom ? "loaded from" : "from")

           << " variable '" <<  VD->getName() << "')";

        Ranges.push_back(DR->getSourceRange());

      }

      break;

    }

    case Stmt::MemberExprClass: {

      const MemberExpr *ME = cast<MemberExpr>(Ex);

      os << " (" << (loadedFrom ? "loaded from" : "via")

         << " field '" << ME->getMemberNameInfo() << "')";

      SourceLocation L = ME->getMemberLoc();

      Ranges.push_back(SourceRange(L, L));

      break;

    }

    case Stmt::ObjCIvarRefExprClass: {

      const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(Ex);

      os << " (" << (loadedFrom ? "loaded from" : "via")

         << " ivar '" << IV->getDecl()->getName() << "')";

      SourceLocation L = IV->getLocation();

      Ranges.push_back(SourceRange(L, L));

      break;

    }

  }

}


static const Expr *getDereferenceExpr(const Stmt *S, bool IsBind=false){

  const Expr *E = nullptr;


  // Walk through lvalue casts to get the original expression

  // that syntactically caused the load.

  if (const Expr *expr = dyn_cast<Expr>(S))

    E = expr->IgnoreParenLValueCasts();


  if (IsBind) {

    const VarDecl *VD;

    const Expr *Init;

    std::tie(VD, Init) = parseAssignment(S);

    if (VD && Init)

      E = Init;

  }

  return E;

}


bool DereferenceChecker::suppressReport(CheckerContext &C,

                                        const Expr *E) const {

  // Do not report dereferences on memory that use address space #256, #257,

  // and #258. Those address spaces are used when dereferencing address spaces

  // relative to the GS, FS, and SS segments on x86/x86-64 targets.

  // Dereferencing a null pointer in these address spaces is not defined

  // as an error. All other null dereferences in other address spaces

  // are defined as an error unless explicitly defined.

  // See https://clang.llvm.org/docs/LanguageExtensions.html, the section

  // "X86/X86-64 Language Extensions"


  QualType Ty = E->getType();

  if (!Ty.hasAddressSpace())

    return false;

  if (SuppressAddressSpaces)

    return true;


  const llvm::Triple::ArchType Arch =

      C.getASTContext().getTargetInfo().getTriple().getArch();


  if ((Arch == llvm::Triple::x86) || (Arch == llvm::Triple::x86_64)) {

    switch (toTargetAddressSpace(E->getType().getAddressSpace())) {

    case 256:

    case 257:

    case 258:

      return true;

    }

  }

  return false;

}


static bool isDeclRefExprToReference(const Expr *E) {

  if (const auto *DRE = dyn_cast<DeclRefExpr>(E))

    return DRE->getDecl()->getType()->isReferenceType();

  return false;

}


void DereferenceChecker::reportBug(DerefKind K, ProgramStateRef State,

                                   const Stmt *S, CheckerContext &C) const {

  const BugType *BT = nullptr;

  llvm::StringRef DerefStr1;

  llvm::StringRef DerefStr2;

  switch (K) {

  case DerefKind::NullPointer:

    BT = &BT_Null;

    DerefStr1 = " results in a null pointer dereference";

    DerefStr2 = " results in a dereference of a null pointer";

    break;

  case DerefKind::UndefinedPointerValue:

    BT = &BT_Undef;

    DerefStr1 = " results in an undefined pointer dereference";

    DerefStr2 = " results in a dereference of an undefined pointer value";

    break;

  };


  // Generate an error node.

  ExplodedNode *N = C.generateErrorNode(State);

  if (!N)

    return;


  SmallString<100> buf;

  llvm::raw_svector_ostream os(buf);


  SmallVector<SourceRange, 2> Ranges;


  switch (S->getStmtClass()) {

  case Stmt::ArraySubscriptExprClass: {

    os << "Array access";

    const ArraySubscriptExpr *AE = cast<ArraySubscriptExpr>(S);

    AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),

                   State.get(), N->getLocationContext());

    os << DerefStr1;

    break;

  }

  case Stmt::OMPArraySectionExprClass: {

    os << "Array access";

    const OMPArraySectionExpr *AE = cast<OMPArraySectionExpr>(S);

    AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),

                   State.get(), N->getLocationContext());

    os << DerefStr1;

    break;

  }

  case Stmt::UnaryOperatorClass: {

    os << BT->getDescription();

    const UnaryOperator *U = cast<UnaryOperator>(S);

    AddDerefSource(os, Ranges, U->getSubExpr()->IgnoreParens(),

                   State.get(), N->getLocationContext(), true);

    break;

  }

  case Stmt::MemberExprClass: {

    const MemberExpr *M = cast<MemberExpr>(S);

    if (M->isArrow() || isDeclRefExprToReference(M->getBase())) {

      os << "Access to field '" << M->getMemberNameInfo() << "'" << DerefStr2;

      AddDerefSource(os, Ranges, M->getBase()->IgnoreParenCasts(),

                     State.get(), N->getLocationContext(), true);

    }

    break;

  }

  case Stmt::ObjCIvarRefExprClass: {

    const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(S);

    os << "Access to instance variable '" << *IV->getDecl() << "'" << DerefStr2;

    AddDerefSource(os, Ranges, IV->getBase()->IgnoreParenCasts(),

                   State.get(), N->getLocationContext(), true);

    break;

  }

  default:

    break;

  }


  auto report = std::make_unique<PathSensitiveBugReport>(

      *BT, buf.empty() ? BT->getDescription() : buf.str(), N);


  bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);


  for (SmallVectorImpl<SourceRange>::iterator

       I = Ranges.begin(), E = Ranges.end(); I!=E; ++I)

    report->addRange(*I);


  C.emitReport(std::move(report));

}


void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,

                                       CheckerContext &C) const {

  // Check for dereference of an undefined value.

  if (l.isUndef()) {

    const Expr *DerefExpr = getDereferenceExpr(S);

    if (!suppressReport(C, DerefExpr))

      reportBug(DerefKind::UndefinedPointerValue, C.getState(), DerefExpr, C);

    return;

  }


  DefinedOrUnknownSVal location = l.castAs<DefinedOrUnknownSVal>();


  // Check for null dereferences.

  if (!isa<Loc>(location))

    return;


  ProgramStateRef state = C.getState();


  ProgramStateRef notNullState, nullState;

  std::tie(notNullState, nullState) = state->assume(location);


  if (nullState) {

    if (!notNullState) {

      // We know that 'location' can only be null.  This is what

      // we call an "explicit" null dereference.

      const Expr *expr = getDereferenceExpr(S);

      if (!suppressReport(C, expr)) {

        reportBug(DerefKind::NullPointer, nullState, expr, C);

        return;

      }

    }


    // Otherwise, we have the case where the location could either be

    // null or not-null.  Record the error node as an "implicit" null

    // dereference.

    if (ExplodedNode *N = C.generateSink(nullState, C.getPredecessor())) {

      ImplicitNullDerefEvent event = {l, isLoad, N, &C.getBugReporter(),

                                      /*IsDirectDereference=*/true};

      dispatchEvent(event);

    }

  }


  // From this point forward, we know that the location is not null.

  C.addTransition(notNullState);

}


void DereferenceChecker::checkBind(SVal L, SVal V, const Stmt *S,

                                   CheckerContext &C) const {

  // If we're binding to a reference, check if the value is known to be null.

  if (V.isUndef())

    return;


  const MemRegion *MR = L.getAsRegion();

  const TypedValueRegion *TVR = dyn_cast_or_null<TypedValueRegion>(MR);

  if (!TVR)

    return;


  if (!TVR->getValueType()->isReferenceType())

    return;


  ProgramStateRef State = C.getState();


  ProgramStateRef StNonNull, StNull;

  std::tie(StNonNull, StNull) = State->assume(V.castAs<DefinedOrUnknownSVal>());


  if (StNull) {

    if (!StNonNull) {

      const Expr *expr = getDereferenceExpr(S, /*IsBind=*/true);

      if (!suppressReport(C, expr)) {

        reportBug(DerefKind::NullPointer, StNull, expr, C);

        return;

      }

    }


    // At this point the value could be either null or non-null.

    // Record this as an "implicit" null dereference.

    if (ExplodedNode *N = C.generateSink(StNull, C.getPredecessor())) {

      ImplicitNullDerefEvent event = {V, /*isLoad=*/true, N,

                                      &C.getBugReporter(),

                                      /*IsDirectDereference=*/true};

      dispatchEvent(event);

    }

  }


  // Unlike a regular null dereference, initializing a reference with a

  // dereferenced null pointer does not actually cause a runtime exception in

  // Clang's implementation of references.

  //

  //   int &r = *p; // safe??

  //   if (p != NULL) return; // uh-oh

  //   r = 5; // trap here

  //

  // The standard says this is invalid as soon as we try to create a "null

  // reference" (there is no such thing), but turning this into an assumption

  // that 'p' is never null will not match our actual runtime behavior.

  // So we do not record this assumption, allowing us to warn on the last line

  // of this example.

  //

  // We do need to add a transition because we may have generated a sink for

  // the "implicit" null dereference.

  C.addTransition(State, this);

}


void ento::registerDereferenceChecker(CheckerManager &mgr) {

  auto *Chk = mgr.registerChecker<DereferenceChecker>();

  Chk->SuppressAddressSpaces = mgr.getAnalyzerOptions().getCheckerBooleanOption(

      mgr.getCurrentCheckerName(), "SuppressAddressSpaces");

}


bool ento::shouldRegisterDereferenceChecker(const CheckerManager &mgr) {

  return true;

}

V
#define V(N, I)
Definition: ASTContext.h:3230

BugType.h

BuiltinCheckerRegistration.h

CheckerContext.h

CheckerHelpers.h

CheckerManager.h

Checker.h

getDereferenceExpr
static const Expr * getDereferenceExpr(const Stmt *S, bool IsBind=false)
Definition: DereferenceChecker.cpp:99

isDeclRefExprToReference
static bool isDeclRefExprToReference(const Expr *E)
Definition: DereferenceChecker.cpp:148

ExprObjC.h

ExprOpenMP.h

U

clang::AnalyzerOptions::getCheckerBooleanOption
bool getCheckerBooleanOption(StringRef CheckerName, StringRef OptionName, bool SearchInParents=false) const
Interprets an option's string value as a boolean.
Definition: AnalyzerOptions.cpp:161

clang::ArraySubscriptExpr
ArraySubscriptExpr - [C99 6.5.2.1] Array Subscripting.
Definition: Expr.h:2661

clang::ArraySubscriptExpr::getBase
Expr * getBase()
Definition: Expr.h:2698

clang::DeclRefExpr
A reference to a declared variable, function, enum, etc.
Definition: Expr.h:1237

clang::DeclRefExpr::getDecl
ValueDecl * getDecl()
Definition: Expr.h:1305

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::Expr::IgnoreParenCasts
Expr * IgnoreParenCasts() LLVM_READONLY
Skip past any parentheses and casts which might surround this expression until reaching a fixed point...
Definition: Expr.cpp:3060

clang::Expr::IgnoreParenLValueCasts
Expr * IgnoreParenLValueCasts() LLVM_READONLY
Skip past any parentheses and lvalue casts which might surround this expression until reaching a fixe...
Definition: Expr.cpp:3072

clang::Expr::getType
QualType getType() const
Definition: Expr.h:142

clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215

clang::MemberExpr
MemberExpr - [C99 6.5.2.3] Structure and Union Members.
Definition: Expr.h:3180

clang::MemberExpr::getMemberLoc
SourceLocation getMemberLoc() const
getMemberLoc - Return the location of the "member", in X->F, it is the location of 'F'.
Definition: Expr.h:3365

clang::MemberExpr::getBase
Expr * getBase() const
Definition: Expr.h:3253

clang::MemberExpr::getMemberNameInfo
DeclarationNameInfo getMemberNameInfo() const
Retrieve the member declaration name info.
Definition: Expr.h:3353

clang::MemberExpr::isArrow
bool isArrow() const
Definition: Expr.h:3360

clang::NamedDecl::getName
StringRef getName() const
Get the name of identifier for this declaration as a StringRef.
Definition: Decl.h:274

clang::OMPArraySectionExpr
OpenMP 5.0 [2.1.5, Array Sections].
Definition: ExprOpenMP.h:56

clang::OMPArraySectionExpr::getBase
Expr * getBase()
An array section can be written only as Base[LowerBound:Length].
Definition: ExprOpenMP.h:85

clang::ObjCIvarRefExpr
ObjCIvarRefExpr - A reference to an ObjC instance variable.
Definition: ExprObjC.h:548

clang::ObjCIvarRefExpr::getLocation
SourceLocation getLocation() const
Definition: ExprObjC.h:589

clang::ObjCIvarRefExpr::getDecl
ObjCIvarDecl * getDecl()
Definition: ExprObjC.h:576

clang::ObjCIvarRefExpr::getBase
const Expr * getBase() const
Definition: ExprObjC.h:580

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:736

clang::QualType::getAddressSpace
LangAS getAddressSpace() const
Return the address space of this type.
Definition: Type.h:6789

clang::QualType::hasAddressSpace
bool hasAddressSpace() const
Check if this type has any address space qualifier.
Definition: Type.h:6784

clang::SourceLocation
Encodes a location in the source.
Definition: SourceLocation.h:86

clang::SourceRange
A trivial tuple used to represent a source range.
Definition: SourceLocation.h:210

clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:72

clang::Stmt::getStmtClass
StmtClass getStmtClass() const
Definition: Stmt.h:1181

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325

clang::Type::isReferenceType
bool isReferenceType() const
Definition: Type.h:6928

clang::UnaryOperator
UnaryOperator - This represents the unary-expression's (except sizeof and alignof),...
Definition: Expr.h:2181

clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:913

clang::ento::BugType
Definition: BugType.h:27

clang::ento::BugType::getDescription
StringRef getDescription() const
Definition: BugType.h:48

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::getAnalyzerOptions
const AnalyzerOptions & getAnalyzerOptions() const
Definition: CheckerManager.h:170

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::CheckerManager::getCurrentCheckerName
CheckerNameRef getCurrentCheckerName() const
Definition: CheckerManager.h:163

clang::ento::Checker
Definition: Checker.h:517

clang::ento::DefinedOrUnknownSVal
Definition: SVals.h:220

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:65

clang::ento::ExplodedNode::getLocationContext
const LocationContext * getLocationContext() const
Definition: ExplodedGraph.h:146

clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:95

clang::ento::ProgramState
ProgramState - This class encapsulates:
Definition: ProgramState.h:71

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72

clang::ento::SVal::isUndef
bool isUndef() const
Definition: SVals.h:128

clang::ento::SVal::getAsRegion
const MemRegion * getAsRegion() const
Definition: SVals.cpp:120

clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:99

clang::ento::TypedValueRegion
TypedValueRegion - An abstract class representing regions having a typed value.
Definition: MemRegion.h:531

clang::ento::TypedValueRegion::getValueType
virtual QualType getValueType() const =0

llvm::IntrusiveRefCntPtr< const ProgramState >

llvm::SmallString
Definition: LLVM.h:34

llvm::SmallVectorImpl
Definition: Randstruct.h:18

llvm::SmallVector
Definition: LLVM.h:35

TargetInfo.h
Defines the clang::TargetInfo interface.

clang::ast_matchers::expr
const internal::VariadicDynCastAllOfMatcher< Stmt, Expr > expr
Matches expressions.
Definition: ASTMatchersInternal.cpp:891

clang::ento::bugreporter::getDerefExpr
const Expr * getDerefExpr(const Stmt *S)
Given that expression S represents a pointer that would be dereferenced, try to find a sub-expression...
Definition: BugReporterVisitors.cpp:100

clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2667

clang::ento::categories::LogicError
const char *const LogicError
Definition: CommonBugCategories.cpp:17

clang::ento::parseAssignment
std::pair< const clang::VarDecl *, const clang::Expr * > parseAssignment(const Stmt *S)
Definition: CheckerHelpers.cpp:82

clang
Definition: CalledOnceCheck.h:17

clang::toTargetAddressSpace
unsigned toTargetAddressSpace(LangAS AS)
Definition: AddressSpaces.h:81

clang::Language::C
@ C
Languages that the frontend can parse and compile.

clang::ento::ImplicitNullDerefEvent
We dereferenced a location that may be null.
Definition: Checker.h:553