clang 20.0.0git
UncountedLocalVarsChecker.cpp
Go to the documentation of this file.
1//=======- UncountedLocalVarsChecker.cpp -------------------------*- C++ -*-==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8
9#include "ASTUtils.h"
10#include "DiagOutputUtils.h"
11#include "PtrTypesSemantics.h"
12#include "clang/AST/CXXInheritance.h"
13#include "clang/AST/Decl.h"
14#include "clang/AST/DeclCXX.h"
15#include "clang/AST/ParentMapContext.h"
16#include "clang/AST/RecursiveASTVisitor.h"
17#include "clang/Basic/SourceLocation.h"
18#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
19#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
20#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
21#include "clang/StaticAnalyzer/Core/Checker.h"
22#include <optional>
23
24using namespace clang;
25using namespace ento;
26
27namespace {
28
29// FIXME: should be defined by anotations in the future
30bool isRefcountedStringsHack(const VarDecl *V) {
31 assert(V);
32 auto safeClass = [](const std::string &className) {
33 return className == "String" || className == "AtomString" ||
34 className == "UniquedString" || className == "Identifier";
35 };
36 QualType QT = V->getType();
37 auto *T = QT.getTypePtr();
38 if (auto *CXXRD = T->getAsCXXRecordDecl()) {
39 if (safeClass(safeGetName(CXXRD)))
40 return true;
41 }
42 if (T->isPointerType() || T->isReferenceType()) {
43 if (auto *CXXRD = T->getPointeeCXXRecordDecl()) {
44 if (safeClass(safeGetName(CXXRD)))
45 return true;
46 }
47 }
48 return false;
49}
50
51bool isGuardedScopeEmbeddedInGuardianScope(const VarDecl *Guarded,
52 const VarDecl *MaybeGuardian) {
53 assert(Guarded);
54 assert(MaybeGuardian);
55
56 if (!MaybeGuardian->isLocalVarDecl())
57 return false;
58
59 const CompoundStmt *guardiansClosestCompStmtAncestor = nullptr;
60
61 ASTContext &ctx = MaybeGuardian->getASTContext();
62
63 for (DynTypedNodeList guardianAncestors = ctx.getParents(*MaybeGuardian);
64 !guardianAncestors.empty();
65 guardianAncestors = ctx.getParents(
66 *guardianAncestors
67 .begin()) // FIXME - should we handle all of the parents?
68 ) {
69 for (auto &guardianAncestor : guardianAncestors) {
70 if (auto *CStmtParentAncestor = guardianAncestor.get<CompoundStmt>()) {
71 guardiansClosestCompStmtAncestor = CStmtParentAncestor;
72 break;
73 }
74 }
75 if (guardiansClosestCompStmtAncestor)
76 break;
77 }
78
79 if (!guardiansClosestCompStmtAncestor)
80 return false;
81
82 // We need to skip the first CompoundStmt to avoid situation when guardian is
83 // defined in the same scope as guarded variable.
84 bool HaveSkippedFirstCompoundStmt = false;
85 for (DynTypedNodeList guardedVarAncestors = ctx.getParents(*Guarded);
86 !guardedVarAncestors.empty();
87 guardedVarAncestors = ctx.getParents(
88 *guardedVarAncestors
89 .begin()) // FIXME - should we handle all of the parents?
90 ) {
91 for (auto &guardedVarAncestor : guardedVarAncestors) {
92 if (auto *CStmtAncestor = guardedVarAncestor.get<CompoundStmt>()) {
93 if (!HaveSkippedFirstCompoundStmt) {
94 HaveSkippedFirstCompoundStmt = true;
95 continue;
96 }
97 if (CStmtAncestor == guardiansClosestCompStmtAncestor)
98 return true;
99 }
100 }
101 }
102
103 return false;
104}
105
106class UncountedLocalVarsChecker
107 : public Checker<check::ASTDecl<TranslationUnitDecl>> {
108 BugType Bug{this,
109 "Uncounted raw pointer or reference not provably backed by "
110 "ref-counted variable",
111 "WebKit coding guidelines"};
112 mutable BugReporter *BR;
113
114public:
115 void checkASTDecl(const TranslationUnitDecl *TUD, AnalysisManager &MGR,
116 BugReporter &BRArg) const {
117 BR = &BRArg;
118
119 // The calls to checkAST* from AnalysisConsumer don't
120 // visit template instantiations or lambda classes. We
121 // want to visit those, so we make our own RecursiveASTVisitor.
122 struct LocalVisitor : public RecursiveASTVisitor<LocalVisitor> {
123 const UncountedLocalVarsChecker *Checker;
124
125 TrivialFunctionAnalysis TFA;
126
127 using Base = RecursiveASTVisitor<LocalVisitor>;
128
129 explicit LocalVisitor(const UncountedLocalVarsChecker *Checker)
130 : Checker(Checker) {
131 assert(Checker);
132 }
133
134 bool shouldVisitTemplateInstantiations() const { return true; }
135 bool shouldVisitImplicitCode() const { return false; }
136
137 bool VisitVarDecl(VarDecl *V) {
138 auto *Init = V->getInit();
139 if (Init && V->isLocalVarDecl())
140 Checker->visitVarDecl(V, Init);
141 return true;
142 }
143
144 bool VisitBinaryOperator(const BinaryOperator *BO) {
145 if (BO->isAssignmentOp()) {
146 if (auto *VarRef = dyn_cast<DeclRefExpr>(BO->getLHS())) {
147 if (auto *V = dyn_cast<VarDecl>(VarRef->getDecl()))
148 Checker->visitVarDecl(V, BO->getRHS());
149 }
150 }
151 return true;
152 }
153
154 bool TraverseIfStmt(IfStmt *IS) {
155 if (!TFA.isTrivial(IS))
156 return Base::TraverseIfStmt(IS);
157 return true;
158 }
159
160 bool TraverseForStmt(ForStmt *FS) {
161 if (!TFA.isTrivial(FS))
162 return Base::TraverseForStmt(FS);
163 return true;
164 }
165
166 bool TraverseCXXForRangeStmt(CXXForRangeStmt *FRS) {
167 if (!TFA.isTrivial(FRS))
168 return Base::TraverseCXXForRangeStmt(FRS);
169 return true;
170 }
171
172 bool TraverseWhileStmt(WhileStmt *WS) {
173 if (!TFA.isTrivial(WS))
174 return Base::TraverseWhileStmt(WS);
175 return true;
176 }
177
178 bool TraverseCompoundStmt(CompoundStmt *CS) {
179 if (!TFA.isTrivial(CS))
180 return Base::TraverseCompoundStmt(CS);
181 return true;
182 }
183 };
184
185 LocalVisitor visitor(this);
186 visitor.TraverseDecl(const_cast<TranslationUnitDecl *>(TUD));
187 }
188
189 void visitVarDecl(const VarDecl *V, const Expr *Value) const {
190 if (shouldSkipVarDecl(V))
191 return;
192
193 const auto *ArgType = V->getType().getTypePtr();
194 if (!ArgType)
195 return;
196
197 std::optional<bool> IsUncountedPtr = isUncountedPtr(ArgType);
198 if (IsUncountedPtr && *IsUncountedPtr) {
199 if (tryToFindPtrOrigin(
200 Value, /*StopAtFirstRefCountedObj=*/false,
201 [&](const clang::Expr *InitArgOrigin, bool IsSafe) {
202 if (!InitArgOrigin)
203 return true;
204
205 if (isa<CXXThisExpr>(InitArgOrigin))
206 return true;
207
208 if (isa<CXXNullPtrLiteralExpr>(InitArgOrigin))
209 return true;
210
211 if (isa<IntegerLiteral>(InitArgOrigin))
212 return true;
213
214 if (auto *Ref = llvm::dyn_cast<DeclRefExpr>(InitArgOrigin)) {
215 if (auto *MaybeGuardian =
216 dyn_cast_or_null<VarDecl>(Ref->getFoundDecl())) {
217 const auto *MaybeGuardianArgType =
218 MaybeGuardian->getType().getTypePtr();
219 if (MaybeGuardianArgType) {
220 const CXXRecordDecl *const MaybeGuardianArgCXXRecord =
221 MaybeGuardianArgType->getAsCXXRecordDecl();
222 if (MaybeGuardianArgCXXRecord) {
223 if (MaybeGuardian->isLocalVarDecl() &&
224 (isRefCounted(MaybeGuardianArgCXXRecord) ||
225 isRefcountedStringsHack(MaybeGuardian)) &&
226 isGuardedScopeEmbeddedInGuardianScope(
227 V, MaybeGuardian))
228 return true;
229 }
230 }
231
232 // Parameters are guaranteed to be safe for the duration of
233 // the call by another checker.
234 if (isa<ParmVarDecl>(MaybeGuardian))
235 return true;
236 }
237 }
238
239 return false;
240 }))
241 return;
242
243 reportBug(V, Value);
244 }
245 }
246
247 bool shouldSkipVarDecl(const VarDecl *V) const {
248 assert(V);
249 return BR->getSourceManager().isInSystemHeader(V->getLocation());
250 }
251
252 void reportBug(const VarDecl *V, const Expr *Value) const {
253 assert(V);
254 SmallString<100> Buf;
255 llvm::raw_svector_ostream Os(Buf);
256
257 if (dyn_cast<ParmVarDecl>(V)) {
258 Os << "Assignment to an uncounted parameter ";
259 printQuotedQualifiedName(Os, V);
260 Os << " is unsafe.";
261
262 PathDiagnosticLocation BSLoc(Value->getExprLoc(), BR->getSourceManager());
263 auto Report = std::make_unique<BasicBugReport>(Bug, Os.str(), BSLoc);
264 Report->addRange(Value->getSourceRange());
265 BR->emitReport(std::move(Report));
266 } else {
267 if (V->hasLocalStorage())
268 Os << "Local variable ";
269 else if (V->isStaticLocal())
270 Os << "Static local variable ";
271 else if (V->hasGlobalStorage())
272 Os << "Global variable ";
273 else
274 Os << "Variable ";
275 printQuotedQualifiedName(Os, V);
276 Os << " is uncounted and unsafe.";
277
278 PathDiagnosticLocation BSLoc(V->getLocation(), BR->getSourceManager());
279 auto Report = std::make_unique<BasicBugReport>(Bug, Os.str(), BSLoc);
280 Report->addRange(V->getSourceRange());
281 BR->emitReport(std::move(Report));
282 }
283 }
284};
285} // namespace
286
287void ento::registerUncountedLocalVarsChecker(CheckerManager &Mgr) {
288 Mgr.registerChecker<UncountedLocalVarsChecker>();
289}
290
291bool ento::shouldRegisterUncountedLocalVarsChecker(const CheckerManager &) {
292 return true;
293}
V
#define V(N, I)
Definition: ASTContext.h:3341
DeclCXX.h
Defines the C++ Decl subclasses, other than those for templates (found in DeclTemplate....
SourceLocation.h
Defines the clang::SourceLocation class and associated facilities.
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:187
clang::ASTContext::getParents
DynTypedNodeList getParents(const NodeT &Node)
Forwards to get node parents from the ParentMapContext.
Definition: ParentMapContext.h:131
clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3860
clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3910
clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3912
clang::BinaryOperator::isAssignmentOp
static bool isAssignmentOp(Opcode Opc)
Definition: Expr.h:3996
clang::CXXForRangeStmt
CXXForRangeStmt - This represents C++0x [stmt.ranged]'s ranged for statement, represented as 'for (ra...
Definition: StmtCXX.h:135
clang::CompoundStmt
CompoundStmt - This represents a group of statements like { stmt stmt }.
Definition: Stmt.h:1611
clang::Decl::getASTContext
ASTContext & getASTContext() const LLVM_READONLY
Definition: DeclBase.cpp:523
clang::DynTypedNodeList
Container for either a single DynTypedNode or for an ArrayRef to DynTypedNode.
Definition: ParentMapContext.h:92
clang::Expr
This represents one expression.
Definition: Expr.h:110
clang::ForStmt
ForStmt - This represents a 'for (init;cond;inc)' stmt.
Definition: Stmt.h:2791
clang::IfStmt
IfStmt - This represents an if/then/else.
Definition: Stmt.h:2148
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:941
clang::QualType::getTypePtr
const Type * getTypePtr() const
Retrieves a pointer to the underlying (unqualified) type.
Definition: Type.h:7750
clang::RecursiveASTVisitor
A class that does preorder or postorder depth-first traversal on the entire Clang AST and visits each...
Definition: RecursiveASTVisitor.h:154
clang::SourceManager::isInSystemHeader
bool isInSystemHeader(SourceLocation Loc) const
Returns if a SourceLocation is in a system header.
Definition: SourceManager.h:1533
clang::TranslationUnitDecl
The top declaration context.
Definition: Decl.h:84
clang::TrivialFunctionAnalysis
An inter-procedural analysis facility that detects functions with "trivial" behavior with respect to ...
Definition: PtrTypesSemantics.h:75
clang::TrivialFunctionAnalysis::isTrivial
bool isTrivial(const Decl *D) const
Definition: PtrTypesSemantics.h:78
clang::Type::getAsCXXRecordDecl
CXXRecordDecl * getAsCXXRecordDecl() const
Retrieves the CXXRecordDecl that this type refers to, either because the type is a RecordType or beca...
Definition: Type.cpp:1882
clang::Type::isPointerType
bool isPointerType() const
Definition: Type.h:8003
clang::Type::isReferenceType
bool isReferenceType() const
Definition: Type.h:8021
clang::Type::getPointeeCXXRecordDecl
const CXXRecordDecl * getPointeeCXXRecordDecl() const
If this is a pointer or reference to a RecordType, return the CXXRecordDecl that the type refers to.
Definition: Type.cpp:1867
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:879
clang::VarDecl::isLocalVarDecl
bool isLocalVarDecl() const
Returns true for local variable declarations other than parameters.
Definition: Decl.h:1201
clang::WhileStmt
WhileStmt - This represents a 'while' stmt.
Definition: Stmt.h:2594
clang::ento::BugReporter
BugReporter is a utility class for generating PathDiagnostics for analysis.
Definition: BugReporter.h:585
clang::ento::BugReporter::getSourceManager
const SourceManager & getSourceManager()
Definition: BugReporter.h:623
clang::ento::BugReporter::emitReport
virtual void emitReport(std::unique_ptr< BugReport > R)
Add the given report to the set of reports tracked by BugReporter.
Definition: BugReporter.cpp:2931
clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
clang::isUncountedPtr
std::optional< bool > isUncountedPtr(const Type *T)
Definition: PtrTypesSemantics.cpp:159
clang::if
if(T->getSizeExpr()) TRY_TO(TraverseStmt(const_cast< Expr * >(T -> getSizeExpr())))
Definition: RecursiveASTVisitor.h:1111
clang::printQuotedQualifiedName
void printQuotedQualifiedName(llvm::raw_ostream &Os, const NamedDeclDerivedT &D)
Definition: DiagOutputUtils.h:18
clang::T
const FunctionProtoType * T
Definition: RecursiveASTVisitor.h:1359
clang::tryToFindPtrOrigin
bool tryToFindPtrOrigin(const Expr *E, bool StopAtFirstRefCountedObj, std::function< bool(const clang::Expr *, bool)> callback)
This function de-facto defines a set of transformations that we consider safe (in heuristical sense).
Definition: ASTUtils.cpp:19
clang::safeGetName
std::string safeGetName(const T *ASTNode)
Definition: ASTUtils.h:68
Generated on Sat Nov 16 2024 13:06:47 for clang by doxygen 1.9.6