clang 19.0.0git
NSErrorChecker.cpp
Go to the documentation of this file.
1//=- NSErrorChecker.cpp - Coding conventions for uses of NSError -*- C++ -*-==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines a CheckNSError, a flow-insensitive check
10// that determines if an Objective-C class interface correctly returns
11// a non-void return type.
12//
13// File under feature request PR 2600.
14//
15//===----------------------------------------------------------------------===//
16
17#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
18#include "clang/AST/Decl.h"
19#include "clang/AST/DeclObjC.h"
20#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
21#include "clang/StaticAnalyzer/Core/Checker.h"
22#include "clang/StaticAnalyzer/Core/CheckerManager.h"
23#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
24#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
25#include "llvm/ADT/SmallString.h"
26#include "llvm/Support/raw_ostream.h"
27#include <optional>
28
29using namespace clang;
30using namespace ento;
31
32static bool IsNSError(QualType T, IdentifierInfo *II);
33static bool IsCFError(QualType T, IdentifierInfo *II);
34
35//===----------------------------------------------------------------------===//
36// NSErrorMethodChecker
37//===----------------------------------------------------------------------===//
38
39namespace {
40class NSErrorMethodChecker
41 : public Checker< check::ASTDecl<ObjCMethodDecl> > {
42 mutable IdentifierInfo *II = nullptr;
43
44public:
45 NSErrorMethodChecker() = default;
46
47 void checkASTDecl(const ObjCMethodDecl *D,
48 AnalysisManager &mgr, BugReporter &BR) const;
49};
50}
51
52void NSErrorMethodChecker::checkASTDecl(const ObjCMethodDecl *D,
53 AnalysisManager &mgr,
54 BugReporter &BR) const {
55 if (!D->isThisDeclarationADefinition())
56 return;
57 if (!D->getReturnType()->isVoidType())
58 return;
59
60 if (!II)
61 II = &D->getASTContext().Idents.get("NSError");
62
63 bool hasNSError = false;
64 for (const auto *I : D->parameters()) {
65 if (IsNSError(I->getType(), II)) {
66 hasNSError = true;
67 break;
68 }
69 }
70
71 if (hasNSError) {
72 const char *err = "Method accepting NSError** "
73 "should have a non-void return value to indicate whether or not an "
74 "error occurred";
75 PathDiagnosticLocation L =
76 PathDiagnosticLocation::create(D, BR.getSourceManager());
77 BR.EmitBasicReport(D, this, "Bad return type when passing NSError**",
78 "Coding conventions (Apple)", err, L);
79 }
80}
81
82//===----------------------------------------------------------------------===//
83// CFErrorFunctionChecker
84//===----------------------------------------------------------------------===//
85
86namespace {
87class CFErrorFunctionChecker
88 : public Checker< check::ASTDecl<FunctionDecl> > {
89 mutable IdentifierInfo *II;
90
91public:
92 CFErrorFunctionChecker() : II(nullptr) {}
93
94 void checkASTDecl(const FunctionDecl *D,
95 AnalysisManager &mgr, BugReporter &BR) const;
96};
97}
98
99static bool hasReservedReturnType(const FunctionDecl *D) {
100 if (isa<CXXConstructorDecl>(D))
101 return true;
102
103 // operators delete and delete[] are required to have 'void' return type
104 auto OperatorKind = D->getOverloadedOperator();
105 return OperatorKind == OO_Delete || OperatorKind == OO_Array_Delete;
106}
107
108void CFErrorFunctionChecker::checkASTDecl(const FunctionDecl *D,
109 AnalysisManager &mgr,
110 BugReporter &BR) const {
111 if (!D->doesThisDeclarationHaveABody())
112 return;
113 if (!D->getReturnType()->isVoidType())
114 return;
115 if (hasReservedReturnType(D))
116 return;
117
118 if (!II)
119 II = &D->getASTContext().Idents.get("CFErrorRef");
120
121 bool hasCFError = false;
122 for (auto *I : D->parameters()) {
123 if (IsCFError(I->getType(), II)) {
124 hasCFError = true;
125 break;
126 }
127 }
128
129 if (hasCFError) {
130 const char *err = "Function accepting CFErrorRef* "
131 "should have a non-void return value to indicate whether or not an "
132 "error occurred";
133 PathDiagnosticLocation L =
134 PathDiagnosticLocation::create(D, BR.getSourceManager());
135 BR.EmitBasicReport(D, this, "Bad return type when passing CFErrorRef*",
136 "Coding conventions (Apple)", err, L);
137 }
138}
139
140//===----------------------------------------------------------------------===//
141// NSOrCFErrorDerefChecker
142//===----------------------------------------------------------------------===//
143
144namespace {
145
146class NSErrorDerefBug : public BugType {
147public:
148 NSErrorDerefBug(const CheckerNameRef Checker)
149 : BugType(Checker, "NSError** null dereference",
150 "Coding conventions (Apple)") {}
151};
152
153class CFErrorDerefBug : public BugType {
154public:
155 CFErrorDerefBug(const CheckerNameRef Checker)
156 : BugType(Checker, "CFErrorRef* null dereference",
157 "Coding conventions (Apple)") {}
158};
159
160}
161
162namespace {
163class NSOrCFErrorDerefChecker
164 : public Checker< check::Location,
165 check::Event<ImplicitNullDerefEvent> > {
166 mutable IdentifierInfo *NSErrorII, *CFErrorII;
167 mutable std::unique_ptr<NSErrorDerefBug> NSBT;
168 mutable std::unique_ptr<CFErrorDerefBug> CFBT;
169public:
170 bool ShouldCheckNSError = false, ShouldCheckCFError = false;
171 CheckerNameRef NSErrorName, CFErrorName;
172 NSOrCFErrorDerefChecker() : NSErrorII(nullptr), CFErrorII(nullptr) {}
173
174 void checkLocation(SVal loc, bool isLoad, const Stmt *S,
175 CheckerContext &C) const;
176 void checkEvent(ImplicitNullDerefEvent event) const;
177};
178}
179
180typedef llvm::ImmutableMap<SymbolRef, unsigned> ErrorOutFlag;
181REGISTER_TRAIT_WITH_PROGRAMSTATE(NSErrorOut, ErrorOutFlag)
182REGISTER_TRAIT_WITH_PROGRAMSTATE(CFErrorOut, ErrorOutFlag)
183
184template <typename T>
185static bool hasFlag(SVal val, ProgramStateRef state) {
186 if (SymbolRef sym = val.getAsSymbol())
187 if (const unsigned *attachedFlags = state->get<T>(sym))
188 return *attachedFlags;
189 return false;
190}
191
192template <typename T>
193static void setFlag(ProgramStateRef state, SVal val, CheckerContext &C) {
194 // We tag the symbol that the SVal wraps.
195 if (SymbolRef sym = val.getAsSymbol())
196 C.addTransition(state->set<T>(sym, true));
197}
198
199static QualType parameterTypeFromSVal(SVal val, CheckerContext &C) {
200 const StackFrameContext * SFC = C.getStackFrame();
201 if (std::optional<loc::MemRegionVal> X = val.getAs<loc::MemRegionVal>()) {
202 const MemRegion* R = X->getRegion();
203 if (const VarRegion *VR = R->getAs<VarRegion>())
204 if (const StackArgumentsSpaceRegion *
205 stackReg = dyn_cast<StackArgumentsSpaceRegion>(VR->getMemorySpace()))
206 if (stackReg->getStackFrame() == SFC)
207 return VR->getValueType();
208 }
209
210 return QualType();
211}
212
213void NSOrCFErrorDerefChecker::checkLocation(SVal loc, bool isLoad,
214 const Stmt *S,
215 CheckerContext &C) const {
216 if (!isLoad)
217 return;
218 if (loc.isUndef() || !isa<Loc>(loc))
219 return;
220
221 ASTContext &Ctx = C.getASTContext();
222 ProgramStateRef state = C.getState();
223
224 // If we are loading from NSError**/CFErrorRef* parameter, mark the resulting
225 // SVal so that we can later check it when handling the
226 // ImplicitNullDerefEvent event.
227 // FIXME: Cumbersome! Maybe add hook at construction of SVals at start of
228 // function ?
229
230 QualType parmT = parameterTypeFromSVal(loc, C);
231 if (parmT.isNull())
232 return;
233
234 if (!NSErrorII)
235 NSErrorII = &Ctx.Idents.get("NSError");
236 if (!CFErrorII)
237 CFErrorII = &Ctx.Idents.get("CFErrorRef");
238
239 if (ShouldCheckNSError && IsNSError(parmT, NSErrorII)) {
240 setFlag<NSErrorOut>(state, state->getSVal(loc.castAs<Loc>()), C);
241 return;
242 }
243
244 if (ShouldCheckCFError && IsCFError(parmT, CFErrorII)) {
245 setFlag<CFErrorOut>(state, state->getSVal(loc.castAs<Loc>()), C);
246 return;
247 }
248}
249
250void NSOrCFErrorDerefChecker::checkEvent(ImplicitNullDerefEvent event) const {
251 if (event.IsLoad)
252 return;
253
254 SVal loc = event.Location;
255 ProgramStateRef state = event.SinkNode->getState();
256 BugReporter &BR = *event.BR;
257
258 bool isNSError = hasFlag<NSErrorOut>(loc, state);
259 bool isCFError = false;
260 if (!isNSError)
261 isCFError = hasFlag<CFErrorOut>(loc, state);
262
263 if (!(isNSError || isCFError))
264 return;
265
266 // Storing to possible null NSError/CFErrorRef out parameter.
267 SmallString<128> Buf;
268 llvm::raw_svector_ostream os(Buf);
269
270 os << "Potential null dereference. According to coding standards ";
271 os << (isNSError
272 ? "in 'Creating and Returning NSError Objects' the parameter"
273 : "documented in CoreFoundation/CFError.h the parameter");
274
275 os << " may be null";
276
277 BugType *bug = nullptr;
278 if (isNSError) {
279 if (!NSBT)
280 NSBT.reset(new NSErrorDerefBug(NSErrorName));
281 bug = NSBT.get();
282 }
283 else {
284 if (!CFBT)
285 CFBT.reset(new CFErrorDerefBug(CFErrorName));
286 bug = CFBT.get();
287 }
288 BR.emitReport(
289 std::make_unique<PathSensitiveBugReport>(*bug, os.str(), event.SinkNode));
290}
291
292static bool IsNSError(QualType T, IdentifierInfo *II) {
293
294 const PointerType* PPT = T->getAs<PointerType>();
295 if (!PPT)
296 return false;
297
298 const ObjCObjectPointerType* PT =
299 PPT->getPointeeType()->getAs<ObjCObjectPointerType>();
300
301 if (!PT)
302 return false;
303
304 const ObjCInterfaceDecl *ID = PT->getInterfaceDecl();
305
306 // FIXME: Can ID ever be NULL?
307 if (ID)
308 return II == ID->getIdentifier();
309
310 return false;
311}
312
313static bool IsCFError(QualType T, IdentifierInfo *II) {
314 const PointerType* PPT = T->getAs<PointerType>();
315 if (!PPT) return false;
316
317 const TypedefType* TT = PPT->getPointeeType()->getAs<TypedefType>();
318 if (!TT) return false;
319
320 return TT->getDecl()->getIdentifier() == II;
321}
322
323void ento::registerNSOrCFErrorDerefChecker(CheckerManager &mgr) {
324 mgr.registerChecker<NSOrCFErrorDerefChecker>();
325}
326
327bool ento::shouldRegisterNSOrCFErrorDerefChecker(const CheckerManager &mgr) {
328 return true;
329}
330
331void ento::registerNSErrorChecker(CheckerManager &mgr) {
332 mgr.registerChecker<NSErrorMethodChecker>();
333 NSOrCFErrorDerefChecker *checker = mgr.getChecker<NSOrCFErrorDerefChecker>();
334 checker->ShouldCheckNSError = true;
335 checker->NSErrorName = mgr.getCurrentCheckerName();
336}
337
338bool ento::shouldRegisterNSErrorChecker(const CheckerManager &mgr) {
339 return true;
340}
341
342void ento::registerCFErrorChecker(CheckerManager &mgr) {
343 mgr.registerChecker<CFErrorFunctionChecker>();
344 NSOrCFErrorDerefChecker *checker = mgr.getChecker<NSOrCFErrorDerefChecker>();
345 checker->ShouldCheckCFError = true;
346 checker->CFErrorName = mgr.getCurrentCheckerName();
347}
348
349bool ento::shouldRegisterCFErrorChecker(const CheckerManager &mgr) {
350 return true;
351}
X
#define X(type, name)
Definition: Value.h:143
hasFlag
static bool hasFlag(SVal val, ProgramStateRef state)
Definition: NSErrorChecker.cpp:185
IsCFError
static bool IsCFError(QualType T, IdentifierInfo *II)
Definition: NSErrorChecker.cpp:313
setFlag
static void setFlag(ProgramStateRef state, SVal val, CheckerContext &C)
Definition: NSErrorChecker.cpp:193
parameterTypeFromSVal
static QualType parameterTypeFromSVal(SVal val, CheckerContext &C)
Definition: NSErrorChecker.cpp:199
IsNSError
static bool IsNSError(QualType T, IdentifierInfo *II)
Definition: NSErrorChecker.cpp:292
hasReservedReturnType
static bool hasReservedReturnType(const FunctionDecl *D)
Definition: NSErrorChecker.cpp:99
ErrorOutFlag
llvm::ImmutableMap< SymbolRef, unsigned > ErrorOutFlag
Definition: NSErrorChecker.cpp:180
REGISTER_TRAIT_WITH_PROGRAMSTATE
#define REGISTER_TRAIT_WITH_PROGRAMSTATE(Name, Type)
Declares a program state trait for type Type called Name, and introduce a type named NameTy.
Definition: ProgramStateTrait.h:34
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:182
clang::ASTContext::Idents
IdentifierTable & Idents
Definition: ASTContext.h:644
clang::Decl::getASTContext
ASTContext & getASTContext() const LLVM_READONLY
Definition: DeclBase.cpp:501
clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1971
clang::FunctionDecl::getReturnType
QualType getReturnType() const
Definition: Decl.h:2755
clang::FunctionDecl::parameters
ArrayRef< ParmVarDecl * > parameters() const
Definition: Decl.h:2684
clang::FunctionDecl::doesThisDeclarationHaveABody
bool doesThisDeclarationHaveABody() const
Returns whether this specific declaration of the function has a body.
Definition: Decl.h:2296
clang::FunctionDecl::getOverloadedOperator
OverloadedOperatorKind getOverloadedOperator() const
getOverloadedOperator - Which C++ overloaded operator this function represents, if any.
Definition: Decl.cpp:3979
clang::IdentifierInfo
One of these records is kept for each identifier that is lexed.
Definition: IdentifierTable.h:117
clang::IdentifierTable::get
IdentifierInfo & get(StringRef Name)
Return the identifier token info for the specified named identifier.
Definition: IdentifierTable.h:688
clang::NamedDecl::getIdentifier
IdentifierInfo * getIdentifier() const
Get the identifier that names this declaration, if there is one.
Definition: Decl.h:270
clang::ObjCInterfaceDecl
Represents an ObjC class declaration.
Definition: DeclObjC.h:1152
clang::ObjCMethodDecl
ObjCMethodDecl - Represents an instance or class method declaration.
Definition: DeclObjC.h:140
clang::ObjCMethodDecl::parameters
ArrayRef< ParmVarDecl * > parameters() const
Definition: DeclObjC.h:373
clang::ObjCMethodDecl::isThisDeclarationADefinition
bool isThisDeclarationADefinition() const
Returns whether this specific method is a definition.
Definition: DeclObjC.h:534
clang::ObjCMethodDecl::getReturnType
QualType getReturnType() const
Definition: DeclObjC.h:329
clang::ObjCObjectPointerType
Represents a pointer to an Objective C object.
Definition: Type.h:6798
clang::ObjCObjectPointerType::getInterfaceDecl
ObjCInterfaceDecl * getInterfaceDecl() const
If this pointer points to an Objective @interface type, gets the declaration for that interface.
Definition: Type.h:6850
clang::PointerType
PointerType - C99 6.7.5.1 - Pointer Declarators.
Definition: Type.h:2929
clang::PointerType::getPointeeType
QualType getPointeeType() const
Definition: Type.h:2939
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:738
clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:805
clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:299
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84
clang::Type::isVoidType
bool isVoidType() const
Definition: Type.h:7695
clang::Type::getAs
const T * getAs() const
Member-template getAs<specific type>'.
Definition: Type.h:7913
clang::TypedefType::getDecl
TypedefNameDecl * getDecl() const
Definition: Type.h:5007
clang::ento::BugReporter
BugReporter is a utility class for generating PathDiagnostics for analysis.
Definition: BugReporter.h:585
clang::ento::BugReporter::getSourceManager
const SourceManager & getSourceManager()
Definition: BugReporter.h:623
clang::ento::BugReporter::EmitBasicReport
void EmitBasicReport(const Decl *DeclWithIssue, const CheckerBase *Checker, StringRef BugName, StringRef BugCategory, StringRef BugStr, PathDiagnosticLocation Loc, ArrayRef< SourceRange > Ranges=std::nullopt, ArrayRef< FixItHint > Fixits=std::nullopt)
Definition: BugReporter.cpp:3338
clang::ento::BugReporter::emitReport
virtual void emitReport(std::unique_ptr< BugReport > R)
Add the given report to the set of reports tracked by BugReporter.
Definition: BugReporter.cpp:2907
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang::ento::CheckerManager::getCurrentCheckerName
CheckerNameRef getCurrentCheckerName() const
Definition: CheckerManager.h:163
clang::ento::CheckerNameRef
This wrapper is used to ensure that only StringRefs originating from the CheckerRegistry are used as ...
Definition: CheckerManager.h:106
clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96
clang::ento::MemRegion::getAs
const RegionTy * getAs() const
Definition: MemRegion.h:1383
clang::ento::PathDiagnosticLocation::create
static PathDiagnosticLocation create(const Decl *D, const SourceManager &SM)
Create a location corresponding to the given declaration.
Definition: PathDiagnostic.h:248
clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55
clang::ento::SVal::isUndef
bool isUndef() const
Definition: SVals.h:104
clang::ento::SVal::getAsSymbol
SymbolRef getAsSymbol(bool IncludeBaseRegions=false) const
If this SVal wraps a symbol return that SymbolRef.
Definition: SVals.cpp:104
clang::ento::SVal::getAs
std::optional< T > getAs() const
Convert to the specified SVal type, returning std::nullopt if this SVal is not of the desired type.
Definition: SVals.h:86
clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:82
clang::ento::SymExpr
Symbolic value.
Definition: SymExpr.h:30
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
clang::T
const FunctionProtoType * T
Definition: RecursiveASTVisitor.h:1339
clang::ento::ImplicitNullDerefEvent
We dereferenced a location that may be null.
Definition: Checker.h:548
Generated on Wed Apr 17 2024 13:26:21 for clang by doxygen 1.9.6