doxygen/ReturnUndefChecker_8cpp_source.html

//== ReturnUndefChecker.cpp -------------------------------------*- C++ -*--==//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This file defines ReturnUndefChecker, which is a path-sensitive

// check which looks for undefined or garbage values being returned to the

// caller.

//

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"


using namespace clang;

using namespace ento;


namespace {

class ReturnUndefChecker : public Checker< check::PreStmt<ReturnStmt> > {

  const BugType BT_Undef{this, "Garbage return value"};

  const BugType BT_NullReference{this, "Returning null reference"};


  void emitUndef(CheckerContext &C, const Expr *RetE) const;

  void checkReference(CheckerContext &C, const Expr *RetE,

                      DefinedOrUnknownSVal RetVal) const;

public:

  void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;

};

}


void ReturnUndefChecker::checkPreStmt(const ReturnStmt *RS,

                                      CheckerContext &C) const {

  const Expr *RetE = RS->getRetValue();

  if (!RetE)

    return;

  SVal RetVal = C.getSVal(RetE);


  const StackFrameContext *SFC = C.getStackFrame();

  QualType RT = CallEvent::getDeclaredResultType(SFC->getDecl());


  if (RetVal.isUndef()) {

    // "return;" is modeled to evaluate to an UndefinedVal. Allow UndefinedVal

    // to be returned in functions returning void to support this pattern:

    //   void foo() {

    //     return;

    //   }

    //   void test() {

    //     return foo();

    //   }

    if (!RT.isNull() && RT->isVoidType())

      return;


    // Not all blocks have explicitly-specified return types; if the return type

    // is not available, but the return value expression has 'void' type, assume

    // Sema already checked it.

    if (RT.isNull() && isa<BlockDecl>(SFC->getDecl()) &&

        RetE->getType()->isVoidType())

      return;


    emitUndef(C, RetE);

    return;

  }


  if (RT.isNull())

    return;


  if (RT->isReferenceType()) {

    checkReference(C, RetE, RetVal.castAs<DefinedOrUnknownSVal>());

    return;

  }

}


static void emitBug(CheckerContext &C, const BugType &BT, StringRef Msg,

                    const Expr *RetE, const Expr *TrackingE = nullptr) {

  ExplodedNode *N = C.generateErrorNode();

  if (!N)

    return;


  auto Report = std::make_unique<PathSensitiveBugReport>(BT, Msg, N);


  Report->addRange(RetE->getSourceRange());

  bugreporter::trackExpressionValue(N, TrackingE ? TrackingE : RetE, *Report);


  C.emitReport(std::move(Report));

}


void ReturnUndefChecker::emitUndef(CheckerContext &C, const Expr *RetE) const {

  emitBug(C, BT_Undef, "Undefined or garbage value returned to caller", RetE);

}


void ReturnUndefChecker::checkReference(CheckerContext &C, const Expr *RetE,

                                        DefinedOrUnknownSVal RetVal) const {

  ProgramStateRef StNonNull, StNull;

  std::tie(StNonNull, StNull) = C.getState()->assume(RetVal);


  if (StNonNull) {

    // Going forward, assume the location is non-null.

    C.addTransition(StNonNull);

    return;

  }


  // The return value is known to be null. Emit a bug report.

  emitBug(C, BT_NullReference, BT_NullReference.getDescription(), RetE,

          bugreporter::getDerefExpr(RetE));

}


void ento::registerReturnUndefChecker(CheckerManager &mgr) {

  mgr.registerChecker<ReturnUndefChecker>();

}


bool ento::shouldRegisterReturnUndefChecker(const CheckerManager &mgr) {

  return true;

}

BugType.h

BuiltinCheckerRegistration.h

CallEvent.h

CheckerContext.h

CheckerManager.h

Checker.h

emitBug
static void emitBug(CheckerContext &C, const BugType &BT, StringRef Msg, const Expr *RetE, const Expr *TrackingE=nullptr)
Definition ReturnUndefChecker.cpp:80

clang::Expr
This represents one expression.
Definition Expr.h:112

clang::Expr::getType
QualType getType() const
Definition Expr.h:144

clang::LocationContext::getDecl
const Decl * getDecl() const
Definition AnalysisDeclContext.h:251

clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition TypeBase.h:1004

clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition Stmt.h:3160

clang::ReturnStmt::getRetValue
Expr * getRetValue()
Definition Stmt.h:3187

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition Stmt.cpp:334

clang::Type::isVoidType
bool isVoidType() const
Definition TypeBase.h:8878

clang::Type::isReferenceType
bool isReferenceType() const
Definition TypeBase.h:8546

clang::ento::BugType
Definition BugType.h:28

clang::ento::BugType::getDescription
StringRef getDescription() const
Definition BugType.h:58

clang::ento::CallEvent::getDeclaredResultType
static QualType getDeclaredResultType(const Decl *D)
Returns the result type of a function or method declaration.
Definition CallEvent.cpp:350

clang::ento::CheckerContext
Definition CheckerContext.h:24

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&...Args)
Register a single-part checker (derived from Checker): construct its singleton instance,...
Definition CheckerManager.h:218

clang::ento::Checker
Simple checker classes that implement one frontend (i.e.
Definition Checker.h:553

clang::ento::ExplodedNode
Definition ExplodedGraph.h:66

clang::ento::SVal::isUndef
bool isUndef() const
Definition SVals.h:107

clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition SVals.h:83

clang::ento::bugreporter::getDerefExpr
const Expr * getDerefExpr(const Stmt *S)
Given that expression S represents a pointer that would be dereferenced, try to find a sub-expression...
Definition BugReporterVisitors.cpp:97

clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition BugReporterVisitors.cpp:2641

clang::ento
Definition CocoaConventions.h:23

clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition ProgramState_Fwd.h:37

clang::sema::Report
@ Report
Definition CheckExprLifetime.cpp:1182

clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition CalledOnceCheck.h:17

clang::isa
bool isa(CodeGen::Address addr)
Definition Address.h:330

clang::LinkageSpecLanguageIDs::C
@ C
Definition DeclCXX.h:3001