doxygen/UndefResultChecker_8cpp_source.html

//=== UndefResultChecker.cpp ------------------------------------*- C++ -*-===//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This defines UndefResultChecker, a builtin check in ExprEngine that

// performs checks for undefined results of non-assignment binary operators.

//

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"

#include "llvm/ADT/SmallString.h"

#include "llvm/Support/raw_ostream.h"


using namespace clang;

using namespace ento;


namespace {

class UndefResultChecker

  : public Checker< check::PostStmt<BinaryOperator> > {


  mutable std::unique_ptr<BugType> BT;


public:

  void checkPostStmt(const BinaryOperator *B, CheckerContext &C) const;

};

} // end anonymous namespace


static bool isArrayIndexOutOfBounds(CheckerContext &C, const Expr *Ex) {

  ProgramStateRef state = C.getState();


  if (!isa<ArraySubscriptExpr>(Ex))

    return false;


  SVal Loc = C.getSVal(Ex);

  if (!Loc.isValid())

    return false;


  const MemRegion *MR = Loc.castAs<loc::MemRegionVal>().getRegion();

  const ElementRegion *ER = dyn_cast<ElementRegion>(MR);

  if (!ER)

    return false;


  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();

  DefinedOrUnknownSVal ElementCount = getDynamicElementCount(

      state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());

  ProgramStateRef StInBound, StOutBound;

  std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, ElementCount);

  return StOutBound && !StInBound;

}


void UndefResultChecker::checkPostStmt(const BinaryOperator *B,

                                       CheckerContext &C) const {

  if (C.getSVal(B).isUndef()) {


    // Do not report assignments of uninitialized values inside swap functions.

    // This should allow to swap partially uninitialized structs

    if (const FunctionDecl *EnclosingFunctionDecl =

        dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))

      if (C.getCalleeName(EnclosingFunctionDecl) == "swap")

        return;


    // Generate an error node.

    ExplodedNode *N = C.generateErrorNode();

    if (!N)

      return;


    if (!BT)

      BT.reset(

          new BugType(this, "Result of operation is garbage or undefined"));


    SmallString<256> sbuf;

    llvm::raw_svector_ostream OS(sbuf);

    const Expr *Ex = nullptr;

    bool isLeft = true;


    if (C.getSVal(B->getLHS()).isUndef()) {

      Ex = B->getLHS()->IgnoreParenCasts();

      isLeft = true;

    }

    else if (C.getSVal(B->getRHS()).isUndef()) {

      Ex = B->getRHS()->IgnoreParenCasts();

      isLeft = false;

    }


    if (Ex) {

      OS << "The " << (isLeft ? "left" : "right") << " operand of '"

         << BinaryOperator::getOpcodeStr(B->getOpcode())

         << "' is a garbage value";

      if (isArrayIndexOutOfBounds(C, Ex))

        OS << " due to array index out of bounds";

    } else {

      // Neither operand was undefined, but the result is undefined.

      OS << "The result of the '"

         << BinaryOperator::getOpcodeStr(B->getOpcode())

         << "' expression is undefined";

    }

    auto report = std::make_unique<PathSensitiveBugReport>(*BT, OS.str(), N);

    if (Ex) {

      report->addRange(Ex->getSourceRange());

      bugreporter::trackExpressionValue(N, Ex, *report);

    }

    else

      bugreporter::trackExpressionValue(N, B, *report);


    C.emitReport(std::move(report));

  }

}


void ento::registerUndefResultChecker(CheckerManager &mgr) {

  mgr.registerChecker<UndefResultChecker>();

}


bool ento::shouldRegisterUndefResultChecker(const CheckerManager &mgr) {

  return true;

}

BugType.h

BuiltinCheckerRegistration.h

CheckerContext.h

CheckerManager.h

Checker.h

DynamicExtent.h

ExprEngine.h

isArrayIndexOutOfBounds
static bool isArrayIndexOutOfBounds(CheckerContext &C, const Expr *Ex)
Definition: UndefResultChecker.cpp:38

clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3862

clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3911

clang::BinaryOperator::getOpcodeStr
StringRef getOpcodeStr() const
Definition: Expr.h:3927

clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3913

clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3906

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::Expr::IgnoreParenCasts
Expr * IgnoreParenCasts() LLVM_READONLY
Skip past any parentheses and casts which might surround this expression until reaching a fixed point...
Definition: Expr.cpp:3036

clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1957

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325

clang::ento::BugType
Definition: BugType.h:27

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:516

clang::ento::DefinedOrUnknownSVal
Definition: SVals.h:199

clang::ento::DefinedSVal::isValid
bool isValid() const =delete

clang::ento::ElementRegion
ElementRegion is used to represent both array elements and casts.
Definition: MemRegion.h:1194

clang::ento::ElementRegion::getValueType
QualType getValueType() const override
Definition: MemRegion.h:1216

clang::ento::ElementRegion::getIndex
NonLoc getIndex() const
Definition: MemRegion.h:1214

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:66

clang::ento::Loc
Definition: SVals.h:260

clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:96

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:55

clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:82

clang::ento::SubRegion::getSuperRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getSuperRegion() const
Definition: MemRegion.h:454

clang::ento::loc::MemRegionVal
Definition: SVals.h:441

llvm::IntrusiveRefCntPtr< const ProgramState >

llvm::SmallString
Definition: LLVM.h:34

clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2685

clang::ento::getDynamicElementCount
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB, QualType Ty)

clang
Definition: CalledOnceCheck.h:17

clang::LinkageSpecLanguageIDs::C
@ C