doxygen/UndefResultChecker_8cpp_source.html

//=== UndefResultChecker.cpp ------------------------------------*- C++ -*-===//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// This defines UndefResultChecker, a builtin check in ExprEngine that

// performs checks for undefined results of non-assignment binary operators.

//

//===----------------------------------------------------------------------===//


#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"

#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"

#include "clang/StaticAnalyzer/Core/Checker.h"

#include "clang/StaticAnalyzer/Core/CheckerManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"

#include "llvm/ADT/SmallString.h"

#include "llvm/Support/raw_ostream.h"


using namespace clang;

using namespace ento;


namespace {

class UndefResultChecker

  : public Checker< check::PostStmt<BinaryOperator> > {


  mutable std::unique_ptr<BugType> BT;


public:

  void checkPostStmt(const BinaryOperator *B, CheckerContext &C) const;

};

} // end anonymous namespace


static bool isArrayIndexOutOfBounds(CheckerContext &C, const Expr *Ex) {

  ProgramStateRef state = C.getState();


  if (!isa<ArraySubscriptExpr>(Ex))

    return false;


  SVal Loc = C.getSVal(Ex);

  if (!Loc.isValid())

    return false;


  const MemRegion *MR = Loc.castAs<loc::MemRegionVal>().getRegion();

  const ElementRegion *ER = dyn_cast<ElementRegion>(MR);

  if (!ER)

    return false;


  DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();

  DefinedOrUnknownSVal ElementCount = getDynamicElementCount(

      state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());

  ProgramStateRef StInBound, StOutBound;

  std::tie(StInBound, StOutBound) = state->assumeInBoundDual(Idx, ElementCount);

  return StOutBound && !StInBound;

}


static bool isShiftOverflow(const BinaryOperator *B, CheckerContext &C) {

  return C.isGreaterOrEqual(

      B->getRHS(), C.getASTContext().getIntWidth(B->getLHS()->getType()));

}


static bool isLeftShiftResultUnrepresentable(const BinaryOperator *B,

                                             CheckerContext &C) {

  SValBuilder &SB = C.getSValBuilder();

  ProgramStateRef State = C.getState();

  const llvm::APSInt *LHS = SB.getKnownValue(State, C.getSVal(B->getLHS()));

  const llvm::APSInt *RHS = SB.getKnownValue(State, C.getSVal(B->getRHS()));

  assert(LHS && RHS && "Values unknown, inconsistent state");

  return (unsigned)RHS->getZExtValue() > LHS->countl_zero();

}


void UndefResultChecker::checkPostStmt(const BinaryOperator *B,

                                       CheckerContext &C) const {

  if (C.getSVal(B).isUndef()) {


    // Do not report assignments of uninitialized values inside swap functions.

    // This should allow to swap partially uninitialized structs

    // (radar://14129997)

    if (const FunctionDecl *EnclosingFunctionDecl =

        dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))

      if (C.getCalleeName(EnclosingFunctionDecl) == "swap")

        return;


    // Generate an error node.

    ExplodedNode *N = C.generateErrorNode();

    if (!N)

      return;


    if (!BT)

      BT.reset(

          new BuiltinBug(this, "Result of operation is garbage or undefined"));


    SmallString<256> sbuf;

    llvm::raw_svector_ostream OS(sbuf);

    const Expr *Ex = nullptr;

    bool isLeft = true;


    if (C.getSVal(B->getLHS()).isUndef()) {

      Ex = B->getLHS()->IgnoreParenCasts();

      isLeft = true;

    }

    else if (C.getSVal(B->getRHS()).isUndef()) {

      Ex = B->getRHS()->IgnoreParenCasts();

      isLeft = false;

    }


    if (Ex) {

      OS << "The " << (isLeft ? "left" : "right") << " operand of '"

         << BinaryOperator::getOpcodeStr(B->getOpcode())

         << "' is a garbage value";

      if (isArrayIndexOutOfBounds(C, Ex))

        OS << " due to array index out of bounds";

    } else {

      // Neither operand was undefined, but the result is undefined.

      if ((B->getOpcode() == BinaryOperatorKind::BO_Shl ||

           B->getOpcode() == BinaryOperatorKind::BO_Shr) &&

          C.isNegative(B->getRHS())) {

        OS << "The result of the "

           << ((B->getOpcode() == BinaryOperatorKind::BO_Shl) ? "left"

                                                              : "right")

           << " shift is undefined because the right operand is negative";

        Ex = B->getRHS();

      } else if ((B->getOpcode() == BinaryOperatorKind::BO_Shl ||

                  B->getOpcode() == BinaryOperatorKind::BO_Shr) &&

                 isShiftOverflow(B, C)) {


        OS << "The result of the "

           << ((B->getOpcode() == BinaryOperatorKind::BO_Shl) ? "left"

                                                              : "right")

           << " shift is undefined due to shifting by ";

        Ex = B->getRHS();


        SValBuilder &SB = C.getSValBuilder();

        const llvm::APSInt *I =

            SB.getKnownValue(C.getState(), C.getSVal(B->getRHS()));

        if (!I)

          OS << "a value that is";

        else if (I->isUnsigned())

          OS << '\'' << I->getZExtValue() << "\', which is";

        else

          OS << '\'' << I->getSExtValue() << "\', which is";


        OS << " greater or equal to the width of type '"

           << B->getLHS()->getType() << "'.";

      } else if (B->getOpcode() == BinaryOperatorKind::BO_Shl &&

                 C.isNegative(B->getLHS())) {

        OS << "The result of the left shift is undefined because the left "

              "operand is negative";

        Ex = B->getLHS();

      } else if (B->getOpcode() == BinaryOperatorKind::BO_Shl &&

                 isLeftShiftResultUnrepresentable(B, C)) {

        ProgramStateRef State = C.getState();

        SValBuilder &SB = C.getSValBuilder();

        const llvm::APSInt *LHS =

            SB.getKnownValue(State, C.getSVal(B->getLHS()));

        const llvm::APSInt *RHS =

            SB.getKnownValue(State, C.getSVal(B->getRHS()));

        OS << "The result of the left shift is undefined due to shifting \'"

           << LHS->getSExtValue() << "\' by \'" << RHS->getZExtValue()

           << "\', which is unrepresentable in the unsigned version of "

           << "the return type \'" << B->getLHS()->getType() << "\'";

        Ex = B->getLHS();

      } else {

        OS << "The result of the '"

           << BinaryOperator::getOpcodeStr(B->getOpcode())

           << "' expression is undefined";

      }

    }

    auto report = std::make_unique<PathSensitiveBugReport>(*BT, OS.str(), N);

    if (Ex) {

      report->addRange(Ex->getSourceRange());

      bugreporter::trackExpressionValue(N, Ex, *report);

    }

    else

      bugreporter::trackExpressionValue(N, B, *report);


    C.emitReport(std::move(report));

  }

}


void ento::registerUndefResultChecker(CheckerManager &mgr) {

  mgr.registerChecker<UndefResultChecker>();

}


bool ento::shouldRegisterUndefResultChecker(const CheckerManager &mgr) {

  return true;

}

BugType.h

BuiltinCheckerRegistration.h

CheckerContext.h

CheckerManager.h

Checker.h

DynamicExtent.h

ExprEngine.h

OS
llvm::raw_ostream & OS
Definition: Logger.cpp:24

isLeftShiftResultUnrepresentable
static bool isLeftShiftResultUnrepresentable(const BinaryOperator *B, CheckerContext &C)
Definition: UndefResultChecker.cpp:66

isArrayIndexOutOfBounds
static bool isArrayIndexOutOfBounds(CheckerContext &C, const Expr *Ex)
Definition: UndefResultChecker.cpp:38

isShiftOverflow
static bool isShiftOverflow(const BinaryOperator *B, CheckerContext &C)
Definition: UndefResultChecker.cpp:61

clang::BinaryOperator
A builtin binary operation expression such as "x + y" or "x <= y".
Definition: Expr.h:3814

clang::BinaryOperator::getLHS
Expr * getLHS() const
Definition: Expr.h:3863

clang::BinaryOperator::getOpcodeStr
StringRef getOpcodeStr() const
Definition: Expr.h:3879

clang::BinaryOperator::getRHS
Expr * getRHS() const
Definition: Expr.h:3865

clang::BinaryOperator::getOpcode
Opcode getOpcode() const
Definition: Expr.h:3858

clang::Expr
This represents one expression.
Definition: Expr.h:110

clang::Expr::IgnoreParenCasts
Expr * IgnoreParenCasts() LLVM_READONLY
Skip past any parentheses and casts which might surround this expression until reaching a fixed point...
Definition: Expr.cpp:3051

clang::Expr::getType
QualType getType() const
Definition: Expr.h:142

clang::FunctionDecl
Represents a function declaration or definition.
Definition: Decl.h:1917

clang::Stmt::getSourceRange
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:325

clang::ento::BuiltinBug
Definition: BugType.h:67

clang::ento::CheckerContext
Definition: CheckerContext.h:24

clang::ento::CheckerManager
Definition: CheckerManager.h:126

clang::ento::CheckerManager::registerChecker
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
Definition: CheckerManager.h:204

clang::ento::Checker
Definition: Checker.h:517

clang::ento::DefinedOrUnknownSVal
Definition: SVals.h:220

clang::ento::DefinedSVal::isValid
bool isValid() const =delete

clang::ento::ElementRegion
ElementRegion is used to represent both array elements and casts.
Definition: MemRegion.h:1189

clang::ento::ElementRegion::getValueType
QualType getValueType() const override
Definition: MemRegion.h:1211

clang::ento::ElementRegion::getIndex
NonLoc getIndex() const
Definition: MemRegion.h:1209

clang::ento::ExplodedNode
Definition: ExplodedGraph.h:65

clang::ento::Loc
Definition: SVals.h:281

clang::ento::MemRegion
MemRegion - The root abstract class for all memory regions.
Definition: MemRegion.h:95

clang::ento::SValBuilder
Definition: SValBuilder.h:53

clang::ento::SValBuilder::getKnownValue
virtual const llvm::APSInt * getKnownValue(ProgramStateRef state, SVal val)=0
Evaluates a given SVal.

clang::ento::SVal
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:72

clang::ento::SVal::castAs
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:99

clang::ento::SubRegion::getSuperRegion
LLVM_ATTRIBUTE_RETURNS_NONNULL const MemRegion * getSuperRegion() const
Definition: MemRegion.h:455

clang::ento::loc::MemRegionVal
Definition: SVals.h:505

llvm::IntrusiveRefCntPtr< const ProgramState >

llvm::SmallString
Definition: LLVM.h:34

clang::ento::bugreporter::trackExpressionValue
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
Definition: BugReporterVisitors.cpp:2667

clang::ento::getDynamicElementCount
DefinedOrUnknownSVal getDynamicElementCount(ProgramStateRef State, const MemRegion *MR, SValBuilder &SVB, QualType Ty)

clang
Definition: CalledOnceCheck.h:17

clang::Language::C
@ C
Languages that the frontend can parse and compile.