clang: UndefinedAssignmentChecker.cpp Source File

Go to the documentation of this file.
00001 //===--- UndefinedAssignmentChecker.h ---------------------------*- C++ -*--==//
00002 //
00003 //                     The LLVM Compiler Infrastructure
00004 //
00005 // This file is distributed under the University of Illinois Open Source
00006 // License. See LICENSE.TXT for details.
00007 //
00008 //===----------------------------------------------------------------------===//
00009 //
00010 // This defines UndefinedAssignmentChecker, a builtin check in ExprEngine that
00011 // checks for assigning undefined values.
00012 //
00013 //===----------------------------------------------------------------------===//
00014 
00015 #include "ClangSACheckers.h"
00016 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
00017 #include "clang/StaticAnalyzer/Core/Checker.h"
00018 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
00019 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
00020 
00021 using namespace clang;
00022 using namespace ento;
00023 
00024 namespace {
00025 class UndefinedAssignmentChecker
00026   : public Checker<check::Bind> {
00027   mutable std::unique_ptr<BugType> BT;
00028 
00029 public:
00030   void checkBind(SVal location, SVal val, const Stmt *S,
00031                  CheckerContext &C) const;
00032 };
00033 }
00034 
00035 void UndefinedAssignmentChecker::checkBind(SVal location, SVal val,
00036                                            const Stmt *StoreE,
00037                                            CheckerContext &C) const {
00038   if (!val.isUndef())
00039     return;
00040 
00041   // Do not report assignments of uninitialized values inside swap functions.
00042   // This should allow to swap partially uninitialized structs
00043   // (radar://14129997)
00044   if (const FunctionDecl *EnclosingFunctionDecl =
00045       dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
00046     if (C.getCalleeName(EnclosingFunctionDecl) == "swap")
00047       return;
00048 
00049   ExplodedNode *N = C.generateSink();
00050 
00051   if (!N)
00052     return;
00053 
00054   const char *str = "Assigned value is garbage or undefined";
00055 
00056   if (!BT)
00057     BT.reset(new BuiltinBug(this, str));
00058 
00059   // Generate a report for this bug.
00060   const Expr *ex = nullptr;
00061 
00062   while (StoreE) {
00063     if (const BinaryOperator *B = dyn_cast<BinaryOperator>(StoreE)) {
00064       if (B->isCompoundAssignmentOp()) {
00065         ProgramStateRef state = C.getState();
00066         if (state->getSVal(B->getLHS(), C.getLocationContext()).isUndef()) {
00067           str = "The left expression of the compound assignment is an "
00068                 "uninitialized value. The computed value will also be garbage";
00069           ex = B->getLHS();
00070           break;
00071         }
00072       }
00073 
00074       ex = B->getRHS();
00075       break;
00076     }
00077 
00078     if (const DeclStmt *DS = dyn_cast<DeclStmt>(StoreE)) {
00079       const VarDecl *VD = dyn_cast<VarDecl>(DS->getSingleDecl());
00080       ex = VD->getInit();
00081     }
00082 
00083     break;
00084   }
00085 
00086   BugReport *R = new BugReport(*BT, str, N);
00087   if (ex) {
00088     R->addRange(ex->getSourceRange());
00089     bugreporter::trackNullOrUndefValue(N, ex, *R);
00090   }
00091   C.emitReport(R);
00092 }
00093 
00094 void ento::registerUndefinedAssignmentChecker(CheckerManager &mgr) {
00095   mgr.registerChecker<UndefinedAssignmentChecker>();
00096 }