doxygen/UndefBranchChecker_8cpp_source.html

//=== UndefBranchChecker.cpp -----------------------------------*- C++ -*--===//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This file defines UndefBranchChecker, which checks for undefined branch

// condition.

//

//===----------------------------------------------------------------------===//


#include "clang/AST/StmtObjC.h"

#include "clang/AST/Type.h"

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include <optional>

#include <utility>


using namespace clang;

using namespace ento;


namespace {


class UndefBranchChecker : public Checker<check::BranchCondition> {

  mutable std::unique_ptr<BugType> BT;


  struct FindUndefExpr {

    ProgramStateRef St;

    const LocationContext *LCtx;


    FindUndefExpr(ProgramStateRef S, const LocationContext *L)

        : St(std::move(S)), LCtx(L) {}


    const Expr *FindExpr(const Expr *Ex) {

      if (!MatchesCriteria(Ex))

        return nullptr;


      for (const Stmt *SubStmt : Ex->children())

        if (const Expr *ExI = dyn_cast_or_null<Expr>(SubStmt))

          if (const Expr *E2 = FindExpr(ExI))

            return E2;


      return Ex;

    }


    bool MatchesCriteria(const Expr *Ex) {

      return St->getSVal(Ex, LCtx).isUndef();

    }

  };


public:

  void checkBranchCondition(const Stmt *Condition, CheckerContext &Ctx) const;

};


} // namespace


void UndefBranchChecker::checkBranchCondition(const Stmt *Condition,

                                              CheckerContext &Ctx) const {

  // ObjCForCollection is a loop, but has no actual condition.

  if (isa<ObjCForCollectionStmt>(Condition))

    return;

  SVal X = Ctx.getSVal(Condition);

  if (X.isUndef()) {

    // Generate a sink node, which implicitly marks both outgoing branches as

    // infeasible.

    ExplodedNode *N = Ctx.generateErrorNode();

    if (N) {

      if (!BT)

        BT.reset(

            new BugType(this, "Branch condition evaluates to a garbage value"));


      // What's going on here: we want to highlight the subexpression of the

      // condition that is the most likely source of the "uninitialized

      // branch condition."  We do a recursive walk of the condition's

      // subexpressions and roughly look for the most nested subexpression

      // that binds to Undefined.  We then highlight that expression's range.


      // Get the predecessor node and check if is a PostStmt with the Stmt

      // being the terminator condition.  We want to inspect the state

      // of that node instead because it will contain main information about

      // the subexpressions.


      // Note: any predecessor will do.  They should have identical state,

      // since all the BlockEdge did was act as an error sink since the value

      // had to already be undefined.

      assert (!N->pred_empty());

      const Expr *Ex = cast<Expr>(Condition);

      ExplodedNode *PrevN = *N->pred_begin();

      ProgramPoint P = PrevN->getLocation();

      ProgramStateRef St = N->getState();


      if (std::optional<PostStmt> PS = P.getAs<PostStmt>())

        if (PS->getStmt() == Ex)

          St = PrevN->getState();


      FindUndefExpr FindIt(St, Ctx.getLocationContext());

      Ex = FindIt.FindExpr(Ex);


      // Emit the bug report.

      auto R = std::make_unique<PathSensitiveBugReport>(

          *BT, BT->getDescription(), N);

      bugreporter::trackExpressionValue(N, Ex, *R);

      R->addRange(Ex->getSourceRange());


      Ctx.emitReport(std::move(R));

    }

  }

}


void ento::registerUndefBranchChecker(CheckerManager &mgr) {

  mgr.registerChecker<UndefBranchChecker>();

}


bool ento::shouldRegisterUndefBranchChecker(const CheckerManager &mgr) {

  return true;

}

P
StringRef P
Definition: ASTMatchersInternal.cpp:564

BugType.h

BuiltinCheckerRegistration.h

CheckerContext.h

CheckerManager.h

Checker.h

X
#define X(type, name)
Definition: Value.h:142

StmtObjC.h
Defines the Objective-C statement AST node classes.

Type.h
C Language Family Type Representation.

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::LocationContext
It wraps the AnalysisDeclContext to represent both the call stack with the help of StackFrameContext ...
Definition: AnalysisDeclContext.h:215

clang::PostStmt
Definition: ProgramPoint.h:306

clang::ProgramPoint
Definition: ProgramPoint.h:58

clang::Stmt
Stmt - This represents one statement.
Definition: Stmt.h:84

clang::Stmt::children
child_range children()
Definition: Stmt.cpp:286

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325

clang::ento::BugType
Definition: BugType.h:27

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerContext::getSVal
SVal getSVal(const Stmt *S) const
Get the value of arbitrary expressions at this point in the path.
Definition: CheckerContext.h:149

clang::ento::CheckerContext::generateErrorNode
ExplodedNode * generateErrorNode(ProgramStateRef State=nullptr, const ProgramPointTag *Tag=nullptr)
Generate a transition to a node that will be used to report an error.
Definition: CheckerContext.h:209

clang::ento::CheckerContext::getLocationContext
const LocationContext * getLocationContext() const
Definition: CheckerContext.h:94

clang::ento::CheckerContext::emitReport
void emitReport(std::unique_ptr< BugReport > R)
Emit the diagnostics report.
Definition: CheckerContext.h:261

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:516

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:66

clang::ento::ExplodedNode::getState
const ProgramStateRef & getState() const
Definition: ExplodedGraph.h:169

clang::ento::ExplodedNode::pred_begin
pred_iterator pred_begin()
Definition: ExplodedGraph.h:238

clang::ento::ExplodedNode::pred_empty
bool pred_empty() const
Definition: ExplodedGraph.h:201

clang::ento::ExplodedNode::getLocation
ProgramPoint getLocation() const
getLocation - Returns the edge associated with the given node.
Definition: ExplodedGraph.h:145

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55

llvm::IntrusiveRefCntPtr< const ProgramState >

clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2685

clang
Definition: CalledOnceCheck.h:17

clang::DeclaratorContext::Condition
@ Condition

std
Definition: Format.h:5226