clang  15.0.0git
ReturnUndefChecker.cpp
Go to the documentation of this file.
1 //== ReturnUndefChecker.cpp -------------------------------------*- C++ -*--==//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines ReturnUndefChecker, which is a path-sensitive
10 // check which looks for undefined or garbage values being returned to the
11 // caller.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17 #include "clang/StaticAnalyzer/Core/Checker.h"
18 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
21 
22 using namespace clang;
23 using namespace ento;
24 
25 namespace {
26 class ReturnUndefChecker : public Checker< check::PreStmt<ReturnStmt> > {
27  mutable std::unique_ptr<BuiltinBug> BT_Undef;
28  mutable std::unique_ptr<BuiltinBug> BT_NullReference;
29 
30  void emitUndef(CheckerContext &C, const Expr *RetE) const;
31  void checkReference(CheckerContext &C, const Expr *RetE,
32  DefinedOrUnknownSVal RetVal) const;
33 public:
34  void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
35 };
36 }
37 
38 void ReturnUndefChecker::checkPreStmt(const ReturnStmt *RS,
39  CheckerContext &C) const {
40  const Expr *RetE = RS->getRetValue();
41  if (!RetE)
42  return;
43  SVal RetVal = C.getSVal(RetE);
44 
45  const StackFrameContext *SFC = C.getStackFrame();
46  QualType RT = CallEvent::getDeclaredResultType(SFC->getDecl());
47 
48  if (RetVal.isUndef()) {
49  // "return;" is modeled to evaluate to an UndefinedVal. Allow UndefinedVal
50  // to be returned in functions returning void to support this pattern:
51  // void foo() {
52  // return;
53  // }
54  // void test() {
55  // return foo();
56  // }
57  if (!RT.isNull() && RT->isVoidType())
58  return;
59 
60  // Not all blocks have explicitly-specified return types; if the return type
61  // is not available, but the return value expression has 'void' type, assume
62  // Sema already checked it.
63  if (RT.isNull() && isa<BlockDecl>(SFC->getDecl()) &&
64  RetE->getType()->isVoidType())
65  return;
66 
67  emitUndef(C, RetE);
68  return;
69  }
70 
71  if (RT.isNull())
72  return;
73 
74  if (RT->isReferenceType()) {
75  checkReference(C, RetE, RetVal.castAs<DefinedOrUnknownSVal>());
76  return;
77  }
78 }
79 
80 static void emitBug(CheckerContext &C, BuiltinBug &BT, const Expr *RetE,
81  const Expr *TrackingE = nullptr) {
82  ExplodedNode *N = C.generateErrorNode();
83  if (!N)
84  return;
85 
86  auto Report =
87  std::make_unique<PathSensitiveBugReport>(BT, BT.getDescription(), N);
88 
89  Report->addRange(RetE->getSourceRange());
90  bugreporter::trackExpressionValue(N, TrackingE ? TrackingE : RetE, *Report);
91 
92  C.emitReport(std::move(Report));
93 }
94 
95 void ReturnUndefChecker::emitUndef(CheckerContext &C, const Expr *RetE) const {
96  if (!BT_Undef)
97  BT_Undef.reset(
98  new BuiltinBug(this, "Garbage return value",
99  "Undefined or garbage value returned to caller"));
100  emitBug(C, *BT_Undef, RetE);
101 }
102 
103 void ReturnUndefChecker::checkReference(CheckerContext &C, const Expr *RetE,
104  DefinedOrUnknownSVal RetVal) const {
105  ProgramStateRef StNonNull, StNull;
106  std::tie(StNonNull, StNull) = C.getState()->assume(RetVal);
107 
108  if (StNonNull) {
109  // Going forward, assume the location is non-null.
110  C.addTransition(StNonNull);
111  return;
112  }
113 
114  // The return value is known to be null. Emit a bug report.
115  if (!BT_NullReference)
116  BT_NullReference.reset(new BuiltinBug(this, "Returning null reference"));
117 
118  emitBug(C, *BT_NullReference, RetE, bugreporter::getDerefExpr(RetE));
119 }
120 
121 void ento::registerReturnUndefChecker(CheckerManager &mgr) {
122  mgr.registerChecker<ReturnUndefChecker>();
123 }
124 
125 bool ento::shouldRegisterReturnUndefChecker(const CheckerManager &mgr) {
126  return true;
127 }
clang::ReturnStmt::getRetValue
Expr * getRetValue()
Definition: Stmt.h:2825
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:324
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:731
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:55
clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:299
clang::Type::isVoidType
bool isVoidType() const
Definition: Type.h:7096
clang::ento::CallEvent::getDeclaredResultType
static QualType getDeclaredResultType(const Decl *D)
Returns the result type of a function or method declaration.
Definition: CallEvent.cpp:349
CallEvent.h
clang::Type::isReferenceType
bool isReferenceType() const
Definition: Type.h:6819
BuiltinCheckerRegistration.h
CheckerManager.h
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
clang::ento::bugreporter::getDerefExpr
const Expr * getDerefExpr(const Stmt *S)
BugType.h
clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:796
CheckerContext.h
Checker.h
clang
Definition: CalledOnceCheck.h:17
clang::Expr::getType
QualType getType() const
Definition: Expr.h:141
emitBug
static void emitBug(CheckerContext &C, BuiltinBug &BT, const Expr *RetE, const Expr *TrackingE=nullptr)
Definition: ReturnUndefChecker.cpp:80
clang::Expr
This represents one expression.
Definition: Expr.h:109
clang::LocationContext::getDecl
const Decl * getDecl() const
Definition: AnalysisDeclContext.h:251
clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:2792
Generated on Mon Jul 4 2022 06:44:14 for clang by   doxygen 1.8.17