2009-11-24 16:24:26 +08:00
|
|
|
//=== UndefResultChecker.cpp ------------------------------------*- C++ -*-===//
|
|
|
|
|
//
|
2019-01-19 16:50:56 +08:00
|
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
|
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
|
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
2009-11-24 16:24:26 +08:00
|
|
|
//
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
//
|
2015-09-08 11:50:52 +08:00
|
|
|
// This defines UndefResultChecker, a builtin check in ExprEngine that
|
2009-11-24 16:24:26 +08:00
|
|
|
// performs checks for undefined results of non-assignment binary operators.
|
|
|
|
|
//
|
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
[analyzer][NFC] Move CheckerRegistry from the Core directory to Frontend
ClangCheckerRegistry is a very non-obvious, poorly documented, weird concept.
It derives from CheckerRegistry, and is placed in lib/StaticAnalyzer/Frontend,
whereas it's base is located in lib/StaticAnalyzer/Core. It was, from what I can
imagine, used to circumvent the problem that the registry functions of the
checkers are located in the clangStaticAnalyzerCheckers library, but that
library depends on clangStaticAnalyzerCore. However, clangStaticAnalyzerFrontend
depends on both of those libraries.
One can make the observation however, that CheckerRegistry has no place in Core,
it isn't used there at all! The only place where it is used is Frontend, which
is where it ultimately belongs.
This move implies that since
include/clang/StaticAnalyzer/Checkers/ClangCheckers.h only contained a single function:
class CheckerRegistry;
void registerBuiltinCheckers(CheckerRegistry ®istry);
it had to re purposed, as CheckerRegistry is no longer available to
clangStaticAnalyzerCheckers. It was renamed to BuiltinCheckerRegistration.h,
which actually describes it a lot better -- it does not contain the registration
functions for checkers, but only those generated by the tblgen files.
Differential Revision: https://reviews.llvm.org/D54436
llvm-svn: 349275
2018-12-16 00:23:51 +08:00
|
|
|
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
|
2012-12-04 17:13:33 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
|
2011-03-01 09:16:21 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/Checker.h"
|
2011-02-28 09:27:22 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
|
|
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
|
2021-04-06 01:20:43 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicExtent.h"
|
2011-02-10 09:03:03 +08:00
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
|
2012-02-04 21:45:25 +08:00
|
|
|
#include "llvm/ADT/SmallString.h"
|
2012-12-02 01:12:56 +08:00
|
|
|
#include "llvm/Support/raw_ostream.h"
|
2009-11-24 16:24:26 +08:00
|
|
|
|
|
|
|
|
using namespace clang;
|
2010-12-23 15:20:52 +08:00
|
|
|
using namespace ento;
|
2009-11-24 16:24:26 +08:00
|
|
|
|
|
|
|
|
namespace {
|
2015-09-08 11:50:52 +08:00
|
|
|
class UndefResultChecker
|
2011-03-01 09:16:21 +08:00
|
|
|
: public Checker< check::PostStmt<BinaryOperator> > {
|
2009-11-24 16:24:26 +08:00
|
|
|
|
2014-03-08 04:03:18 +08:00
|
|
|
mutable std::unique_ptr<BugType> BT;
|
|
|
|
|
|
2009-11-24 16:24:26 +08:00
|
|
|
public:
|
2011-02-28 09:27:22 +08:00
|
|
|
void checkPostStmt(const BinaryOperator *B, CheckerContext &C) const;
|
2009-11-24 16:24:26 +08:00
|
|
|
};
|
|
|
|
|
} // end anonymous namespace
|
|
|
|
|
|
2017-02-27 18:44:24 +08:00
|
|
|
static bool isArrayIndexOutOfBounds(CheckerContext &C, const Expr *Ex) {
|
|
|
|
|
ProgramStateRef state = C.getState();
|
|
|
|
|
|
|
|
|
|
if (!isa<ArraySubscriptExpr>(Ex))
|
|
|
|
|
return false;
|
|
|
|
|
|
2018-01-18 04:27:29 +08:00
|
|
|
SVal Loc = C.getSVal(Ex);
|
2017-02-27 18:44:24 +08:00
|
|
|
if (!Loc.isValid())
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
const MemRegion *MR = Loc.castAs<loc::MemRegionVal>().getRegion();
|
|
|
|
|
const ElementRegion *ER = dyn_cast<ElementRegion>(MR);
|
|
|
|
|
if (!ER)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
DefinedOrUnknownSVal Idx = ER->getIndex().castAs<DefinedOrUnknownSVal>();
|
2020-01-30 23:51:26 +08:00
|
|
|
DefinedOrUnknownSVal ElementCount = getDynamicElementCount(
|
|
|
|
|
state, ER->getSuperRegion(), C.getSValBuilder(), ER->getValueType());
|
|
|
|
|
ProgramStateRef StInBound = state->assumeInBound(Idx, ElementCount, true);
|
|
|
|
|
ProgramStateRef StOutBound = state->assumeInBound(Idx, ElementCount, false);
|
2017-02-27 18:44:24 +08:00
|
|
|
return StOutBound && !StInBound;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-11 22:49:35 +08:00
|
|
|
static bool isShiftOverflow(const BinaryOperator *B, CheckerContext &C) {
|
|
|
|
|
return C.isGreaterOrEqual(
|
|
|
|
|
B->getRHS(), C.getASTContext().getIntWidth(B->getLHS()->getType()));
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-22 21:32:10 +08:00
|
|
|
static bool isLeftShiftResultUnrepresentable(const BinaryOperator *B,
|
|
|
|
|
CheckerContext &C) {
|
|
|
|
|
SValBuilder &SB = C.getSValBuilder();
|
|
|
|
|
ProgramStateRef State = C.getState();
|
|
|
|
|
const llvm::APSInt *LHS = SB.getKnownValue(State, C.getSVal(B->getLHS()));
|
|
|
|
|
const llvm::APSInt *RHS = SB.getKnownValue(State, C.getSVal(B->getRHS()));
|
2018-08-30 04:29:59 +08:00
|
|
|
assert(LHS && RHS && "Values unknown, inconsistent state");
|
2018-01-22 21:32:10 +08:00
|
|
|
return (unsigned)RHS->getZExtValue() > LHS->countLeadingZeros();
|
|
|
|
|
}
|
|
|
|
|
|
2011-02-28 09:27:22 +08:00
|
|
|
void UndefResultChecker::checkPostStmt(const BinaryOperator *B,
|
|
|
|
|
CheckerContext &C) const {
|
2018-01-18 04:27:29 +08:00
|
|
|
if (C.getSVal(B).isUndef()) {
|
2013-06-19 07:16:15 +08:00
|
|
|
|
|
|
|
|
// Do not report assignments of uninitialized values inside swap functions.
|
|
|
|
|
// This should allow to swap partially uninitialized structs
|
|
|
|
|
// (radar://14129997)
|
|
|
|
|
if (const FunctionDecl *EnclosingFunctionDecl =
|
|
|
|
|
dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
|
|
|
|
|
if (C.getCalleeName(EnclosingFunctionDecl) == "swap")
|
|
|
|
|
return;
|
|
|
|
|
|
2009-11-24 16:24:26 +08:00
|
|
|
// Generate an error node.
|
2015-09-17 06:03:05 +08:00
|
|
|
ExplodedNode *N = C.generateErrorNode();
|
2009-11-24 16:24:26 +08:00
|
|
|
if (!N)
|
|
|
|
|
return;
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2009-11-24 16:24:26 +08:00
|
|
|
if (!BT)
|
2014-02-12 05:49:21 +08:00
|
|
|
BT.reset(
|
|
|
|
|
new BuiltinBug(this, "Result of operation is garbage or undefined"));
|
2009-11-24 16:24:26 +08:00
|
|
|
|
2012-02-05 10:13:05 +08:00
|
|
|
SmallString<256> sbuf;
|
2009-11-24 16:24:26 +08:00
|
|
|
llvm::raw_svector_ostream OS(sbuf);
|
2014-05-27 10:45:47 +08:00
|
|
|
const Expr *Ex = nullptr;
|
2009-11-24 16:24:26 +08:00
|
|
|
bool isLeft = true;
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2018-01-18 04:27:29 +08:00
|
|
|
if (C.getSVal(B->getLHS()).isUndef()) {
|
2009-11-24 16:24:26 +08:00
|
|
|
Ex = B->getLHS()->IgnoreParenCasts();
|
|
|
|
|
isLeft = true;
|
|
|
|
|
}
|
2018-01-18 04:27:29 +08:00
|
|
|
else if (C.getSVal(B->getRHS()).isUndef()) {
|
2009-11-24 16:24:26 +08:00
|
|
|
Ex = B->getRHS()->IgnoreParenCasts();
|
|
|
|
|
isLeft = false;
|
|
|
|
|
}
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2009-11-24 16:24:26 +08:00
|
|
|
if (Ex) {
|
2017-10-11 22:49:35 +08:00
|
|
|
OS << "The " << (isLeft ? "left" : "right") << " operand of '"
|
2009-11-24 16:24:26 +08:00
|
|
|
<< BinaryOperator::getOpcodeStr(B->getOpcode())
|
|
|
|
|
<< "' is a garbage value";
|
2017-02-27 18:44:24 +08:00
|
|
|
if (isArrayIndexOutOfBounds(C, Ex))
|
|
|
|
|
OS << " due to array index out of bounds";
|
2017-10-11 22:49:35 +08:00
|
|
|
} else {
|
2009-11-24 16:24:26 +08:00
|
|
|
// Neither operand was undefined, but the result is undefined.
|
2017-10-11 22:49:35 +08:00
|
|
|
if ((B->getOpcode() == BinaryOperatorKind::BO_Shl ||
|
|
|
|
|
B->getOpcode() == BinaryOperatorKind::BO_Shr) &&
|
|
|
|
|
C.isNegative(B->getRHS())) {
|
|
|
|
|
OS << "The result of the "
|
|
|
|
|
<< ((B->getOpcode() == BinaryOperatorKind::BO_Shl) ? "left"
|
|
|
|
|
: "right")
|
|
|
|
|
<< " shift is undefined because the right operand is negative";
|
2018-08-23 07:17:02 +08:00
|
|
|
Ex = B->getRHS();
|
2017-10-11 22:49:35 +08:00
|
|
|
} else if ((B->getOpcode() == BinaryOperatorKind::BO_Shl ||
|
|
|
|
|
B->getOpcode() == BinaryOperatorKind::BO_Shr) &&
|
|
|
|
|
isShiftOverflow(B, C)) {
|
|
|
|
|
|
|
|
|
|
OS << "The result of the "
|
|
|
|
|
<< ((B->getOpcode() == BinaryOperatorKind::BO_Shl) ? "left"
|
|
|
|
|
: "right")
|
|
|
|
|
<< " shift is undefined due to shifting by ";
|
2018-08-23 07:17:02 +08:00
|
|
|
Ex = B->getRHS();
|
2017-10-11 22:49:35 +08:00
|
|
|
|
|
|
|
|
SValBuilder &SB = C.getSValBuilder();
|
|
|
|
|
const llvm::APSInt *I =
|
|
|
|
|
SB.getKnownValue(C.getState(), C.getSVal(B->getRHS()));
|
|
|
|
|
if (!I)
|
|
|
|
|
OS << "a value that is";
|
|
|
|
|
else if (I->isUnsigned())
|
|
|
|
|
OS << '\'' << I->getZExtValue() << "\', which is";
|
|
|
|
|
else
|
|
|
|
|
OS << '\'' << I->getSExtValue() << "\', which is";
|
|
|
|
|
|
|
|
|
|
OS << " greater or equal to the width of type '"
|
|
|
|
|
<< B->getLHS()->getType().getAsString() << "'.";
|
2017-10-31 01:06:42 +08:00
|
|
|
} else if (B->getOpcode() == BinaryOperatorKind::BO_Shl &&
|
|
|
|
|
C.isNegative(B->getLHS())) {
|
|
|
|
|
OS << "The result of the left shift is undefined because the left "
|
|
|
|
|
"operand is negative";
|
2018-08-23 07:17:02 +08:00
|
|
|
Ex = B->getLHS();
|
2018-01-22 21:32:10 +08:00
|
|
|
} else if (B->getOpcode() == BinaryOperatorKind::BO_Shl &&
|
|
|
|
|
isLeftShiftResultUnrepresentable(B, C)) {
|
|
|
|
|
ProgramStateRef State = C.getState();
|
|
|
|
|
SValBuilder &SB = C.getSValBuilder();
|
|
|
|
|
const llvm::APSInt *LHS =
|
|
|
|
|
SB.getKnownValue(State, C.getSVal(B->getLHS()));
|
|
|
|
|
const llvm::APSInt *RHS =
|
|
|
|
|
SB.getKnownValue(State, C.getSVal(B->getRHS()));
|
|
|
|
|
OS << "The result of the left shift is undefined due to shifting \'"
|
|
|
|
|
<< LHS->getSExtValue() << "\' by \'" << RHS->getZExtValue()
|
|
|
|
|
<< "\', which is unrepresentable in the unsigned version of "
|
|
|
|
|
<< "the return type \'" << B->getLHS()->getType().getAsString()
|
|
|
|
|
<< "\'";
|
2018-08-23 07:17:02 +08:00
|
|
|
Ex = B->getLHS();
|
2017-10-11 22:49:35 +08:00
|
|
|
} else {
|
|
|
|
|
OS << "The result of the '"
|
|
|
|
|
<< BinaryOperator::getOpcodeStr(B->getOpcode())
|
|
|
|
|
<< "' expression is undefined";
|
|
|
|
|
}
|
2009-11-24 16:24:26 +08:00
|
|
|
}
|
2019-09-10 04:34:40 +08:00
|
|
|
auto report = std::make_unique<PathSensitiveBugReport>(*BT, OS.str(), N);
|
2009-11-29 14:37:44 +08:00
|
|
|
if (Ex) {
|
|
|
|
|
report->addRange(Ex->getSourceRange());
|
2018-10-24 02:24:53 +08:00
|
|
|
bugreporter::trackExpressionValue(N, Ex, *report);
|
2009-11-29 14:37:44 +08:00
|
|
|
}
|
2009-11-24 16:24:26 +08:00
|
|
|
else
|
2018-10-24 02:24:53 +08:00
|
|
|
bugreporter::trackExpressionValue(N, B, *report);
|
2015-09-08 11:50:52 +08:00
|
|
|
|
2015-06-23 21:15:32 +08:00
|
|
|
C.emitReport(std::move(report));
|
2009-11-24 16:24:26 +08:00
|
|
|
}
|
|
|
|
|
}
|
2011-02-28 09:27:22 +08:00
|
|
|
|
|
|
|
|
void ento::registerUndefResultChecker(CheckerManager &mgr) {
|
|
|
|
|
mgr.registerChecker<UndefResultChecker>();
|
|
|
|
|
}
|
2019-01-26 22:23:08 +08:00
|
|
|
|
2020-03-27 21:29:31 +08:00
|
|
|
bool ento::shouldRegisterUndefResultChecker(const CheckerManager &mgr) {
|
2019-01-26 22:23:08 +08:00
|
|
|
return true;
|
|
|
|
|
}
|