doxygen/ReturnUndefChecker_8cpp_source.html

 //== ReturnUndefChecker.cpp -------------------------------------*- C++ -*--==//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 //
 // This file defines ReturnUndefChecker, which is a path-sensitive
 // check which looks for undefined or garbage values being returned to the
 // caller.
 //
 //===----------------------------------------------------------------------===//

 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
 #include "clang/StaticAnalyzer/Core/Checker.h"
 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

 using namespace clang;
 using namespace ento;

 namespace {
 class ReturnUndefChecker : public Checker< check::PreStmt<ReturnStmt> > {
   mutable std::unique_ptr<BuiltinBug> BT_Undef;
   mutable std::unique_ptr<BuiltinBug> BT_NullReference;

   void emitUndef(CheckerContext &C, const Expr *RetE) const;
   void checkReference(CheckerContext &C, const Expr *RetE,
                       DefinedOrUnknownSVal RetVal) const;
 public:
   void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
 };
 }

 void ReturnUndefChecker::checkPreStmt(const ReturnStmt *RS,
                                       CheckerContext &C) const {
   const Expr *RetE = RS->getRetValue();
   if (!RetE)
     return;
   SVal RetVal = C.getSVal(RetE);

   const StackFrameContext *SFC = C.getStackFrame();
   QualType RT = CallEvent::getDeclaredResultType(SFC->getDecl());

   if (RetVal.isUndef()) {
     // "return;" is modeled to evaluate to an UndefinedVal. Allow UndefinedVal
     // to be returned in functions returning void to support this pattern:
     //   void foo() {
     //     return;
     //   }
     //   void test() {
     //     return foo();
     //   }
     if (!RT.isNull() && RT->isVoidType())
       return;

     // Not all blocks have explicitly-specified return types; if the return type
     // is not available, but the return value expression has 'void' type, assume
     // Sema already checked it.
     if (RT.isNull() && isa<BlockDecl>(SFC->getDecl()) &&
         RetE->getType()->isVoidType())
       return;

     emitUndef(C, RetE);
     return;
   }

   if (RT.isNull())
     return;

   if (RT->isReferenceType()) {
     checkReference(C, RetE, RetVal.castAs<DefinedOrUnknownSVal>());
     return;
   }
 }

 static void emitBug(CheckerContext &C, BuiltinBug &BT, const Expr *RetE,
                     const Expr *TrackingE = nullptr) {
   ExplodedNode *N = C.generateErrorNode();
   if (!N)
     return;

   auto Report =
       std::make_unique<PathSensitiveBugReport>(BT, BT.getDescription(), N);

   Report->addRange(RetE->getSourceRange());
   bugreporter::trackExpressionValue(N, TrackingE ? TrackingE : RetE, *Report);

   C.emitReport(std::move(Report));
 }

 void ReturnUndefChecker::emitUndef(CheckerContext &C, const Expr *RetE) const {
   if (!BT_Undef)
     BT_Undef.reset(
         new BuiltinBug(this, "Garbage return value",
                        "Undefined or garbage value returned to caller"));
   emitBug(C, *BT_Undef, RetE);
 }

 void ReturnUndefChecker::checkReference(CheckerContext &C, const Expr *RetE,
                                         DefinedOrUnknownSVal RetVal) const {
   ProgramStateRef StNonNull, StNull;
   std::tie(StNonNull, StNull) = C.getState()->assume(RetVal);

   if (StNonNull) {
     // Going forward, assume the location is non-null.
     C.addTransition(StNonNull);
     return;
   }

   // The return value is known to be null. Emit a bug report.
   if (!BT_NullReference)
     BT_NullReference.reset(new BuiltinBug(this, "Returning null reference"));

   emitBug(C, *BT_NullReference, RetE, bugreporter::getDerefExpr(RetE));
 }

 void ento::registerReturnUndefChecker(CheckerManager &mgr) {
   mgr.registerChecker<ReturnUndefChecker>();
 }

 bool ento::shouldRegisterReturnUndefChecker(const CheckerManager &mgr) {
   return true;
 }
ento

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:655

clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37

BugType.h

emitBug
static void emitBug(CheckerContext &C, BuiltinBug &BT, const Expr *RetE, const Expr *TrackingE=nullptr)
Definition: ReturnUndefChecker.cpp:80

Checker.h

clang::Type::isReferenceType
bool isReferenceType() const
Definition: Type.h:6662

CheckerManager.h

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::Expr::getType
QualType getType() const
Definition: Expr.h:142

clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;...
Definition: Stmt.h:2677

BuiltinCheckerRegistration.h

clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn&#39;t point to a type yet.
Definition: Type.h:720

clang::ReturnStmt::getRetValue
Expr * getRetValue()
Definition: Stmt.h:2710

clang
Dataflow Directional Tag Classes.
Definition: CFGReachabilityAnalysis.h:21

clang::LocationContext::getDecl
const Decl * getDecl() const
Definition: AnalysisDeclContext.h:245

clang::ento::CallEvent::getDeclaredResultType
static QualType getDeclaredResultType(const Decl *D)
Returns the result type of a function or method declaration.
Definition: CallEvent.cpp:427

clang::LocationContext::getStackFrame
const StackFrameContext * getStackFrame() const
Definition: AnalysisDeclContext.cpp:410

clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:293

clang::Type::isVoidType
bool isVoidType() const
Definition: Type.h:6933

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:263

CallEvent.h

CheckerContext.h