doxygen/ReturnUndefChecker_8cpp_source.html

//== ReturnUndefChecker.cpp -------------------------------------*- C++ -*--==//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This file defines ReturnUndefChecker, which is a path-sensitive

// check which looks for undefined or garbage values being returned to the

// caller.

//

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"


using namespace clang;

using namespace ento;


namespace {

class ReturnUndefChecker : public Checker< check::PreStmt<ReturnStmt> > {

  const BugType BT_Undef{this, "Garbage return value"};

  const BugType BT_NullReference{this, "Returning null reference"};


  void emitUndef(CheckerContext &C, const Expr *RetE) const;

  void checkReference(CheckerContext &C, const Expr *RetE,

                      DefinedOrUnknownSVal RetVal) const;

public:

  void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;

};

}


void ReturnUndefChecker::checkPreStmt(const ReturnStmt *RS,

                                      CheckerContext &C) const {

  const Expr *RetE = RS->getRetValue();

  if (!RetE)

    return;

  SVal RetVal = C.getSVal(RetE);


  const StackFrameContext *SFC = C.getStackFrame();

  QualType RT = CallEvent::getDeclaredResultType(SFC->getDecl());


  if (RetVal.isUndef()) {

    // "return;" is modeled to evaluate to an UndefinedVal. Allow UndefinedVal

    // to be returned in functions returning void to support this pattern:

    //   void foo() {

    //     return;

    //   }

    //   void test() {

    //     return foo();

    //   }

    if (!RT.isNull() && RT->isVoidType())

      return;


    // Not all blocks have explicitly-specified return types; if the return type

    // is not available, but the return value expression has 'void' type, assume

    // Sema already checked it.

    if (RT.isNull() && isa<BlockDecl>(SFC->getDecl()) &&

        RetE->getType()->isVoidType())

      return;


    emitUndef(C, RetE);

    return;

  }


  if (RT.isNull())

    return;


  if (RT->isReferenceType()) {

    checkReference(C, RetE, RetVal.castAs<DefinedOrUnknownSVal>());

    return;

  }

}


static void emitBug(CheckerContext &C, const BugType &BT, StringRef Msg,

                    const Expr *RetE, const Expr *TrackingE = nullptr) {

  ExplodedNode *N = C.generateErrorNode();

  if (!N)

    return;


  auto Report = std::make_unique<PathSensitiveBugReport>(BT, Msg, N);


  Report->addRange(RetE->getSourceRange());

  bugreporter::trackExpressionValue(N, TrackingE ? TrackingE : RetE, *Report);


  C.emitReport(std::move(Report));

}


void ReturnUndefChecker::emitUndef(CheckerContext &C, const Expr *RetE) const {

  emitBug(C, BT_Undef, "Undefined or garbage value returned to caller", RetE);

}


void ReturnUndefChecker::checkReference(CheckerContext &C, const Expr *RetE,

                                        DefinedOrUnknownSVal RetVal) const {

  ProgramStateRef StNonNull, StNull;

  std::tie(StNonNull, StNull) = C.getState()->assume(RetVal);


  if (StNonNull) {

    // Going forward, assume the location is non-null.

    C.addTransition(StNonNull);

    return;

  }


  // The return value is known to be null. Emit a bug report.

  emitBug(C, BT_NullReference, BT_NullReference.getDescription(), RetE,

          bugreporter::getDerefExpr(RetE));

}


void ento::registerReturnUndefChecker(CheckerManager &mgr) {

  mgr.registerChecker<ReturnUndefChecker>();

}


bool ento::shouldRegisterReturnUndefChecker(const CheckerManager &mgr) {

  return true;

}

BugType.h

BuiltinCheckerRegistration.h

CallEvent.h

CheckerContext.h

CheckerManager.h

Checker.h

emitBug
static void emitBug(CheckerContext &C, const BugType &BT, StringRef Msg, const Expr *RetE, const Expr *TrackingE=nullptr)
Definition: ReturnUndefChecker.cpp:80

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::Expr::getType
QualType getType() const
Definition: Expr.h:142

clang::LocationContext::getDecl
const Decl * getDecl() const
Definition: AnalysisDeclContext.h:251

clang::QualType
A (possibly-)qualified type.
Definition: Type.h:941

clang::QualType::isNull
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:1008

clang::ReturnStmt
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:3029

clang::ReturnStmt::getRetValue
Expr * getRetValue()
Definition: Stmt.h:3060

clang::StackFrameContext
It represents a stack frame of the call stack (based on CallEvent).
Definition: AnalysisDeclContext.h:299

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:326

clang::Type::isVoidType
bool isVoidType() const
Definition: Type.h:8319

clang::Type::isReferenceType
bool isReferenceType() const
Definition: Type.h:8021

clang::ento::BugType
Definition: BugType.h:27

clang::ento::CallEvent::getDeclaredResultType
static QualType getDeclaredResultType(const Decl *D)
Returns the result type of a function or method declaration.
Definition: CallEvent.cpp:351

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:512

clang::ento::DefinedOrUnknownSVal
Definition: SVals.h:199

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:66

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55

clang::ento::SVal::isUndef
bool isUndef() const
Definition: SVals.h:104

clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:82

llvm::IntrusiveRefCntPtr< const ProgramState >

clang::ento::bugreporter::getDerefExpr
const Expr * getDerefExpr(const Stmt *S)
Given that expression S represents a pointer that would be dereferenced, try to find a sub-expression...
Definition: BugReporterVisitors.cpp:101

clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2689

clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17

clang::LinkageSpecLanguageIDs::C
@ C