clang  14.0.0git
UndefBranchChecker.cpp
Go to the documentation of this file.
1 //=== UndefBranchChecker.cpp -----------------------------------*- C++ -*--===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines UndefBranchChecker, which checks for undefined branch
10 // condition.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #include "clang/AST/StmtObjC.h"
15 #include "clang/AST/Type.h"
21 #include <utility>
22 
23 using namespace clang;
24 using namespace ento;
25 
26 namespace {
27 
28 class UndefBranchChecker : public Checker<check::BranchCondition> {
29  mutable std::unique_ptr<BuiltinBug> BT;
30 
31  struct FindUndefExpr {
32  ProgramStateRef St;
33  const LocationContext *LCtx;
34 
35  FindUndefExpr(ProgramStateRef S, const LocationContext *L)
36  : St(std::move(S)), LCtx(L) {}
37 
38  const Expr *FindExpr(const Expr *Ex) {
39  if (!MatchesCriteria(Ex))
40  return nullptr;
41 
42  for (const Stmt *SubStmt : Ex->children())
43  if (const Expr *ExI = dyn_cast_or_null<Expr>(SubStmt))
44  if (const Expr *E2 = FindExpr(ExI))
45  return E2;
46 
47  return Ex;
48  }
49 
50  bool MatchesCriteria(const Expr *Ex) {
51  return St->getSVal(Ex, LCtx).isUndef();
52  }
53  };
54 
55 public:
56  void checkBranchCondition(const Stmt *Condition, CheckerContext &Ctx) const;
57 };
58 
59 } // namespace
60 
61 void UndefBranchChecker::checkBranchCondition(const Stmt *Condition,
62  CheckerContext &Ctx) const {
63  // ObjCForCollection is a loop, but has no actual condition.
64  if (isa<ObjCForCollectionStmt>(Condition))
65  return;
66  SVal X = Ctx.getSVal(Condition);
67  if (X.isUndef()) {
68  // Generate a sink node, which implicitly marks both outgoing branches as
69  // infeasible.
70  ExplodedNode *N = Ctx.generateErrorNode();
71  if (N) {
72  if (!BT)
73  BT.reset(new BuiltinBug(
74  this, "Branch condition evaluates to a garbage value"));
75 
76  // What's going on here: we want to highlight the subexpression of the
77  // condition that is the most likely source of the "uninitialized
78  // branch condition." We do a recursive walk of the condition's
79  // subexpressions and roughly look for the most nested subexpression
80  // that binds to Undefined. We then highlight that expression's range.
81 
82  // Get the predecessor node and check if is a PostStmt with the Stmt
83  // being the terminator condition. We want to inspect the state
84  // of that node instead because it will contain main information about
85  // the subexpressions.
86 
87  // Note: any predecessor will do. They should have identical state,
88  // since all the BlockEdge did was act as an error sink since the value
89  // had to already be undefined.
90  assert (!N->pred_empty());
91  const Expr *Ex = cast<Expr>(Condition);
92  ExplodedNode *PrevN = *N->pred_begin();
93  ProgramPoint P = PrevN->getLocation();
94  ProgramStateRef St = N->getState();
95 
96  if (Optional<PostStmt> PS = P.getAs<PostStmt>())
97  if (PS->getStmt() == Ex)
98  St = PrevN->getState();
99 
100  FindUndefExpr FindIt(St, Ctx.getLocationContext());
101  Ex = FindIt.FindExpr(Ex);
102 
103  // Emit the bug report.
104  auto R = std::make_unique<PathSensitiveBugReport>(
105  *BT, BT->getDescription(), N);
107  R->addRange(Ex->getSourceRange());
108 
109  Ctx.emitReport(std::move(R));
110  }
111  }
112 }
113 
114 void ento::registerUndefBranchChecker(CheckerManager &mgr) {
115  mgr.registerChecker<UndefBranchChecker>();
116 }
117 
118 bool ento::shouldRegisterUndefBranchChecker(const CheckerManager &mgr) {
119  return true;
120 }
clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215
clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:324
clang::ento::ProgramStateRef
IntrusiveRefCntPtr< const ProgramState > ProgramStateRef
Definition: ProgramState_Fwd.h:37
llvm::Optional
Definition: LLVM.h:40
clang::tooling::X
static ToolExecutorPluginRegistry::Add< AllTUsToolExecutorPlugin > X("all-TUs", "Runs FrontendActions on all TUs in the compilation database. " "Tool results are stored in memory.")
BuiltinCheckerRegistration.h
CheckerManager.h
clang::Stmt::children
child_range children()
Definition: Stmt.cpp:285
Type.h
StmtObjC.h
clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
clang::PostStmt
Definition: ProgramPoint.h:311
P
StringRef P
Definition: ASTMatchersInternal.cpp:563
BugType.h
CheckerContext.h
Checker.h
std
Definition: Format.h:4034
clang
Definition: CalledOnceCheck.h:17
clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:69
clang::Expr
This represents one expression.
Definition: Expr.h:109
clang::ProgramPoint
Definition: ProgramPoint.h:59