maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity
llvm-project/clang/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

317 lines
11 KiB
C++
Raw Normal View History

Fix file headers. NFC llvm-svn: 355176
2019-03-01 14:49:51 +08:00
//===-- DereferenceChecker.cpp - Null dereference checker -----------------===//
Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
//
Update the file headers across all of the LLVM projects in the monorepo to reflect the new license. We understand that people may be surprised that we're moving the header entirely to discuss the new license. We checked this carefully with the Foundation's lawyer and we believe this is the correct approach. Essentially, all code in the project is now made available by the LLVM project under our new license, so you will see that the license headers include that license only. Some of our contributors have contributed code under our old license, and accordingly, we have retained a copy of our old license notice in the top-level files in each project and repository. llvm-svn: 351636
2019-01-19 16:50:56 +08:00
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
//
//===----------------------------------------------------------------------===//
//
[analyzer] Refactoring: Drop the 'GR' prefix. llvm-svn: 122424
2010-12-23 02:53:44 +08:00
// This defines NullDerefChecker, a builtin check in ExprEngine that performs
Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
// checks for null pointers at loads and stores.
//
//===----------------------------------------------------------------------===//
[analyzer][NFC] Move CheckerRegistry from the Core directory to Frontend ClangCheckerRegistry is a very non-obvious, poorly documented, weird concept. It derives from CheckerRegistry, and is placed in lib/StaticAnalyzer/Frontend, whereas it's base is located in lib/StaticAnalyzer/Core. It was, from what I can imagine, used to circumvent the problem that the registry functions of the checkers are located in the clangStaticAnalyzerCheckers library, but that library depends on clangStaticAnalyzerCore. However, clangStaticAnalyzerFrontend depends on both of those libraries. One can make the observation however, that CheckerRegistry has no place in Core, it isn't used there at all! The only place where it is used is Frontend, which is where it ultimately belongs. This move implies that since include/clang/StaticAnalyzer/Checkers/ClangCheckers.h only contained a single function: class CheckerRegistry; void registerBuiltinCheckers(CheckerRegistry &registry); it had to re purposed, as CheckerRegistry is no longer available to clangStaticAnalyzerCheckers. It was renamed to BuiltinCheckerRegistration.h, which actually describes it a lot better -- it does not contain the registration functions for checkers, but only those generated by the tblgen files. Differential Revision: https://reviews.llvm.org/D54436 llvm-svn: 349275
2018-12-16 00:23:51 +08:00
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
StaticAnalyzer: Move ObjC- and CXX-specific methods out of line so checkers that don't care about the language don't have to pull in all the headers. llvm-svn: 149178
2012-01-28 20:06:22 +08:00
#include "clang/AST/ExprObjC.h"
[OPENMP 4.0] Initial support for array sections. Adds parsing/sema analysis/serialization/deserialization for array sections in OpenMP constructs (introduced in OpenMP 4.0). Currently it is allowed to use array sections only in OpenMP clauses that accepts list of expressions. Differential Revision: http://reviews.llvm.org/D10732 llvm-svn: 245937
2015-08-25 22:24:04 +08:00
#include "clang/AST/ExprOpenMP.h"
Sort all of Clang's files under 'lib', and fix up the broken headers uncovered. This required manually correcting all of the incorrect main-module headers I could find, and running the new llvm/utils/sort_includes.py script over the files. I also manually added quite a few missing headers that were uncovered by shuffling the order or moving headers up to be main-module-headers. llvm-svn: 169237
2012-12-04 17:13:33 +08:00
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
[analyzer] Rename CheckerV2 -> Checker. llvm-svn: 126726
2011-03-01 09:16:21 +08:00
#include "clang/StaticAnalyzer/Core/Checker.h"
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
[analyzer] Add VforkChecker to find unsafe code in vforked process. This checker looks for unsafe constructs in vforked process: function calls (excluding whitelist), memory write and returns. This was originally motivated by a vfork-related bug in xtables package. Patch by Yury Gribov. Differential revision: http://reviews.llvm.org/D14014 llvm-svn: 252285
2015-11-06 19:16:31 +08:00
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
Move a method from IdentifierTable.h out of line and remove the SmallString include. Fix all the transitive include users. llvm-svn: 149783
2012-02-04 21:45:25 +08:00
#include "llvm/ADT/SmallString.h"
Include pruning and general cleanup. llvm-svn: 169095
2012-12-02 01:12:56 +08:00
#include "llvm/Support/raw_ostream.h"
Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
using namespace clang;
Rename static analyzer namespace 'GR' to 'ento'. llvm-svn: 122492
2010-12-23 15:20:52 +08:00
using namespace ento;
Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
namespace {
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
class DereferenceChecker
[analyzer] Rename CheckerV2 -> Checker. llvm-svn: 126726
2011-03-01 09:16:21 +08:00
: public Checker< check::Location,
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
check::Bind,
EventDispatcher<ImplicitNullDerefEvent> > {
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
enum DerefKind { NullPointer, UndefinedPointerValue };
[Analyzer] Use of BugType in DereferenceChecker (NFC). Use of BuiltinBug is replaced by BugType. Class BuiltinBug seems to have no benefits and is confusing. Reviewed By: Szelethus, martong, NoQ, vsavchenko Differential Revision: https://reviews.llvm.org/D84494
2020-07-30 14:31:39 +08:00
BugType BT_Null{this, "Dereference of null pointer", categories::LogicError};
BugType BT_Undef{this, "Dereference of undefined pointer value",
categories::LogicError};
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
void reportBug(DerefKind K, ProgramStateRef State, const Stmt *S,
CheckerContext &C) const;
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
public:
[analyzer] Remove the dependency on CheckerContext::getStmt() as well as the method itself. llvm-svn: 141262
2011-10-06 08:43:15 +08:00
void checkLocation(SVal location, bool isLoad, const Stmt* S,
CheckerContext &C) const;
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
[analyzer] Remove unneeded code. This region is set as interesting as part of trackNullOrUndefValue call, no need to mark it as interesting twice. llvm-svn: 163260
2012-09-06 06:31:49 +08:00
static void AddDerefSource(raw_ostream &os,
remove unneeded llvm:: namespace qualifiers on some core types now that LLVM.h imports them into the clang namespace. llvm-svn: 135852
2011-07-23 18:55:15 +08:00
SmallVectorImpl<SourceRange> &Ranges,
[analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
2012-03-09 09:13:14 +08:00
const Expr *Ex, const ProgramState *state,
const LocationContext *LCtx,
bool loadedFrom = false);
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
};
} // end anonymous namespace
Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
[analyzer] Remove unneeded code. This region is set as interesting as part of trackNullOrUndefValue call, no need to mark it as interesting twice. llvm-svn: 163260
2012-09-06 06:31:49 +08:00
void
[analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
2012-03-09 09:13:14 +08:00
DereferenceChecker::AddDerefSource(raw_ostream &os,
SmallVectorImpl<SourceRange> &Ranges,
const Expr *Ex,
const ProgramState *state,
const LocationContext *LCtx,
bool loadedFrom) {
Although we currently have explicit lvalue-to-rvalue conversions, they're not actually frequently used, because ImpCastExprToType only creates a node if the types differ. So explicitly create an ICE in the lvalue-to-rvalue conversion code in DefaultFunctionArrayLvalueConversion() as well as several other new places, and consistently deal with the consequences throughout the compiler. In addition, introduce a new cast kind for loading an ObjCProperty l-value, and make sure we emit those nodes whenever an ObjCProperty l-value appears that's not on the LHS of an assignment operator. This breaks a couple of rewriter tests, which I've x-failed until future development occurs on the rewriter. Ted Kremenek kindly contributed the analyzer workarounds in this patch. llvm-svn: 120890
2010-12-04 11:47:34 +08:00
Ex = Ex->IgnoreParenLValueCasts();
Tweak null dereference checker to give better diagnostics for null dereferences resulting from array accesses. llvm-svn: 117334
2010-10-26 08:06:13 +08:00
switch (Ex->getStmtClass()) {
default:
[analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
2012-03-09 09:13:14 +08:00
break;
Tweak null dereference checker to give better diagnostics for null dereferences resulting from array accesses. llvm-svn: 117334
2010-10-26 08:06:13 +08:00
case Stmt::DeclRefExprClass: {
const DeclRefExpr *DR = cast<DeclRefExpr>(Ex);
if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
os << " (" << (loadedFrom ? "loaded from" : "from")
<< " variable '" << VD->getName() << "')";
Ranges.push_back(DR->getSourceRange());
}
[analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
2012-03-09 09:13:14 +08:00
break;
Tweak null dereference checker to give better diagnostics for null dereferences resulting from array accesses. llvm-svn: 117334
2010-10-26 08:06:13 +08:00
}
case Stmt::MemberExprClass: {
const MemberExpr *ME = cast<MemberExpr>(Ex);
os << " (" << (loadedFrom ? "loaded from" : "via")
<< " field '" << ME->getMemberNameInfo() << "')";
SourceLocation L = ME->getMemberLoc();
Ranges.push_back(SourceRange(L, L));
break;
}
[analyzer] tracking stores/constraints now works for ObjC ivars or struct fields. This required more changes than I originally expected: - ObjCIvarRegion implements "canPrintPretty" et al - DereferenceChecker indicates the null pointer source is an ivar - bugreporter::trackNullOrUndefValue() uses an alternate algorithm to compute the location region to track by scouring the ExplodedGraph. This allows us to get the actual MemRegion for variables, ivars, fields, etc. We only hand construct a VarRegion for C++ references. - ExplodedGraph no longer drops nodes for expressions that are marked 'lvalue'. This is to facilitate the logic in the previous bullet. This may lead to a slight increase in size in the ExplodedGraph, which I have not measured, but it is likely not to be a big deal. I have validated each of the changed plist output. Fixes <rdar://problem/12114812> llvm-svn: 175988
2013-02-24 15:21:01 +08:00
case Stmt::ObjCIvarRefExprClass: {
const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(Ex);
os << " (" << (loadedFrom ? "loaded from" : "via")
<< " ivar '" << IV->getDecl()->getName() << "')";
SourceLocation L = IV->getLocation();
Ranges.push_back(SourceRange(L, L));
break;
[analyzer] Apply whitespace cleanups by Honggyu Kim. llvm-svn: 246978
2015-09-08 11:50:52 +08:00
}
Tweak null dereference checker to give better diagnostics for null dereferences resulting from array accesses. llvm-svn: 117334
2010-10-26 08:06:13 +08:00
}
}
[analyzer] Don't report null dereferences on address_space annotated memory llvm-svn: 256885
2016-01-06 08:32:49 +08:00
static const Expr *getDereferenceExpr(const Stmt *S, bool IsBind=false){
const Expr *E = nullptr;
// Walk through lvalue casts to get the original expression
// that syntactically caused the load.
if (const Expr *expr = dyn_cast<Expr>(S))
E = expr->IgnoreParenLValueCasts();
if (IsBind) {
const VarDecl *VD;
const Expr *Init;
std::tie(VD, Init) = parseAssignment(S);
if (VD && Init)
E = Init;
}
return E;
}
static bool suppressReport(const Expr *E) {
// Do not report dereferences on memory in non-default address spaces.
Add `QualType::hasAddressSpace`. NFC. - Add that as a shorthand of <T>.getQualifiers().hasAddressSpace(). - Simplify related code.
2019-12-07 00:48:15 +08:00
return E->getType().hasAddressSpace();
[analyzer] Don't report null dereferences on address_space annotated memory llvm-svn: 256885
2016-01-06 08:32:49 +08:00
}
[analyzer] Rename trackNullOrUndefValue to trackExpressionValue trackNullOrUndefValue is a long and confusing name, and it does not actually reflect what the function is doing. Give a function a new name, with a relatively clear semantics. Also remove some dead code. Differential Revision: https://reviews.llvm.org/D52758 llvm-svn: 345064
2018-10-24 02:24:53 +08:00
static bool isDeclRefExprToReference(const Expr *E) {
if (const auto *DRE = dyn_cast<DeclRefExpr>(E))
return DRE->getDecl()->getType()->isReferenceType();
return false;
}
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
void DereferenceChecker::reportBug(DerefKind K, ProgramStateRef State,
const Stmt *S, CheckerContext &C) const {
const BugType *BT = nullptr;
llvm::StringRef DerefStr1;
llvm::StringRef DerefStr2;
switch (K) {
case DerefKind::NullPointer:
BT = &BT_Null;
DerefStr1 = " results in a null pointer dereference";
DerefStr2 = " results in a dereference of a null pointer";
break;
case DerefKind::UndefinedPointerValue:
BT = &BT_Undef;
DerefStr1 = " results in an undefined pointer dereference";
DerefStr2 = " results in a dereference of an undefined pointer value";
break;
};
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
// Generate an error node.
[analyzer] Add generateErrorNode() APIs to CheckerContext. The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
2015-09-17 06:03:05 +08:00
ExplodedNode *N = C.generateErrorNode(State);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
if (!N)
return;
SmallString<100> buf;
[analyzer] Check that an ObjCIvarRefExpr's base is non-null even as an lvalue. Like with struct fields, we want to catch cases like this early, so that we can produce better diagnostics and path notes: PointObj *p = nil; int *px = &p->_x; // should warn here *px = 1; llvm-svn: 164442
2012-09-22 09:24:38 +08:00
llvm::raw_svector_ostream os(buf);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
SmallVector<SourceRange, 2> Ranges;
switch (S->getStmtClass()) {
case Stmt::ArraySubscriptExprClass: {
os << "Array access";
const ArraySubscriptExpr *AE = cast<ArraySubscriptExpr>(S);
[analyzer] Remove unneeded code. This region is set as interesting as part of trackNullOrUndefValue call, no need to mark it as interesting twice. llvm-svn: 163260
2012-09-06 06:31:49 +08:00
AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
Track IntrusiveRefCntPtr::get() changes from LLVM r212366 llvm-svn: 212369
2014-07-05 11:08:06 +08:00
State.get(), N->getLocationContext());
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
os << DerefStr1;
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
break;
}
[OPENMP 4.0] Initial support for array sections. Adds parsing/sema analysis/serialization/deserialization for array sections in OpenMP constructs (introduced in OpenMP 4.0). Currently it is allowed to use array sections only in OpenMP clauses that accepts list of expressions. Differential Revision: http://reviews.llvm.org/D10732 llvm-svn: 245937
2015-08-25 22:24:04 +08:00
case Stmt::OMPArraySectionExprClass: {
os << "Array access";
const OMPArraySectionExpr *AE = cast<OMPArraySectionExpr>(S);
AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
State.get(), N->getLocationContext());
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
os << DerefStr1;
[OPENMP 4.0] Initial support for array sections. Adds parsing/sema analysis/serialization/deserialization for array sections in OpenMP constructs (introduced in OpenMP 4.0). Currently it is allowed to use array sections only in OpenMP clauses that accepts list of expressions. Differential Revision: http://reviews.llvm.org/D10732 llvm-svn: 245937
2015-08-25 22:24:04 +08:00
break;
}
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
case Stmt::UnaryOperatorClass: {
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
os << BT->getDescription();
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
const UnaryOperator *U = cast<UnaryOperator>(S);
[analyzer] Remove unneeded code. This region is set as interesting as part of trackNullOrUndefValue call, no need to mark it as interesting twice. llvm-svn: 163260
2012-09-06 06:31:49 +08:00
AddDerefSource(os, Ranges, U->getSubExpr()->IgnoreParens(),
Track IntrusiveRefCntPtr::get() changes from LLVM r212366 llvm-svn: 212369
2014-07-05 11:08:06 +08:00
State.get(), N->getLocationContext(), true);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
break;
}
case Stmt::MemberExprClass: {
const MemberExpr *M = cast<MemberExpr>(S);
[analyzer] Rename trackNullOrUndefValue to trackExpressionValue trackNullOrUndefValue is a long and confusing name, and it does not actually reflect what the function is doing. Give a function a new name, with a relatively clear semantics. Also remove some dead code. Differential Revision: https://reviews.llvm.org/D52758 llvm-svn: 345064
2018-10-24 02:24:53 +08:00
if (M->isArrow() || isDeclRefExprToReference(M->getBase())) {
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
os << "Access to field '" << M->getMemberNameInfo() << "'" << DerefStr2;
[analyzer] Remove unneeded code. This region is set as interesting as part of trackNullOrUndefValue call, no need to mark it as interesting twice. llvm-svn: 163260
2012-09-06 06:31:49 +08:00
AddDerefSource(os, Ranges, M->getBase()->IgnoreParenCasts(),
Track IntrusiveRefCntPtr::get() changes from LLVM r212366 llvm-svn: 212369
2014-07-05 11:08:06 +08:00
State.get(), N->getLocationContext(), true);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
}
break;
}
case Stmt::ObjCIvarRefExprClass: {
const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(S);
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
os << "Access to instance variable '" << *IV->getDecl() << "'" << DerefStr2;
[analyzer] Check that an ObjCIvarRefExpr's base is non-null even as an lvalue. Like with struct fields, we want to catch cases like this early, so that we can produce better diagnostics and path notes: PointObj *p = nil; int *px = &p->_x; // should warn here *px = 1; llvm-svn: 164442
2012-09-22 09:24:38 +08:00
AddDerefSource(os, Ranges, IV->getBase()->IgnoreParenCasts(),
Track IntrusiveRefCntPtr::get() changes from LLVM r212366 llvm-svn: 212369
2014-07-05 11:08:06 +08:00
State.get(), N->getLocationContext(), true);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
break;
}
default:
break;
}
[analyzer] NFC: Introduce sub-classes for path-sensitive and basic reports. Checkers are now required to specify whether they're creating a path-sensitive report or a path-insensitive report by constructing an object of the respective type. This makes BugReporter more independent from the rest of the Static Analyzer because all Analyzer-specific code is now in sub-classes. Differential Revision: https://reviews.llvm.org/D66572 llvm-svn: 371450
2019-09-10 04:34:40 +08:00
auto report = std::make_unique<PathSensitiveBugReport>(
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
*BT, buf.empty() ? BT->getDescription() : StringRef(buf), N);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
[analyzer] Rename trackNullOrUndefValue to trackExpressionValue trackNullOrUndefValue is a long and confusing name, and it does not actually reflect what the function is doing. Give a function a new name, with a relatively clear semantics. Also remove some dead code. Differential Revision: https://reviews.llvm.org/D52758 llvm-svn: 345064
2018-10-24 02:24:53 +08:00
bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
for (SmallVectorImpl<SourceRange>::iterator
I = Ranges.begin(), E = Ranges.end(); I!=E; ++I)
report->addRange(*I);
Clarify pointer ownership semantics by hoisting the std::unique_ptr creation to the caller instead of hiding it in emitReport. NFC. llvm-svn: 240400
2015-06-23 21:15:32 +08:00
C.emitReport(std::move(report));
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
}
[analyzer] Remove the dependency on CheckerContext::getStmt() as well as the method itself. llvm-svn: 141262
2011-10-06 08:43:15 +08:00
void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
CheckerContext &C) const {
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
// Check for dereference of an undefined value.
if (l.isUndef()) {
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
const Expr *DerefExpr = getDereferenceExpr(S);
if (!suppressReport(DerefExpr))
reportBug(DerefKind::UndefinedPointerValue, C.getState(), DerefExpr, C);
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
return;
}
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
Replace SVal llvm::cast support to be well-defined. See r175462 for another example/more details. llvm-svn: 175594
2013-02-20 13:52:05 +08:00
DefinedOrUnknownSVal location = l.castAs<DefinedOrUnknownSVal>();
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
// Check for null dereferences.
Replace SVal llvm::cast support to be well-defined. See r175462 for another example/more details. llvm-svn: 175594
2013-02-20 13:52:05 +08:00
if (!location.getAs<Loc>())
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
return;
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
Change references to 'const ProgramState *' to typedef 'ProgramStateRef'. At this point this is largely cosmetic, but it opens the door to replace ProgramStateRef with a smart pointer that more eagerly acts in the role of reclaiming unused ProgramState objects. llvm-svn: 149081
2012-01-27 05:29:00 +08:00
ProgramStateRef state = C.getState();
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
Change references to 'const ProgramState *' to typedef 'ProgramStateRef'. At this point this is largely cosmetic, but it opens the door to replace ProgramStateRef with a smart pointer that more eagerly acts in the role of reclaiming unused ProgramState objects. llvm-svn: 149081
2012-01-27 05:29:00 +08:00
ProgramStateRef notNullState, nullState;
[C++11] Replace llvm::tie with std::tie. llvm-svn: 202639
2014-03-02 21:01:17 +08:00
std::tie(notNullState, nullState) = state->assume(location);
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
if (nullState) {
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
if (!notNullState) {
[Analyzer] Use of BugType in DereferenceChecker (NFC). Use of BuiltinBug is replaced by BugType. Class BuiltinBug seems to have no benefits and is confusing. Reviewed By: Szelethus, martong, NoQ, vsavchenko Differential Revision: https://reviews.llvm.org/D84494
2020-07-30 14:31:39 +08:00
// We know that 'location' can only be null. This is what
// we call an "explicit" null dereference.
[analyzer] Don't report null dereferences on address_space annotated memory llvm-svn: 256885
2016-01-06 08:32:49 +08:00
const Expr *expr = getDereferenceExpr(S);
if (!suppressReport(expr)) {
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
reportBug(DerefKind::NullPointer, nullState, expr, C);
[analyzer] Don't report null dereferences on address_space annotated memory llvm-svn: 256885
2016-01-06 08:32:49 +08:00
return;
}
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
}
Merge NullDerefChecker.[h,cpp] and UndefDerefChecker.[h,cpp]. They are essentially two parts of the same check. llvm-svn: 85911
2009-11-04 02:41:06 +08:00
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
// Otherwise, we have the case where the location could either be
// null or not-null. Record the error node as an "implicit" null
// dereference.
[analyzer] Add generateErrorNode() APIs to CheckerContext. The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
2015-09-17 06:03:05 +08:00
if (ExplodedNode *N = C.generateSink(nullState, C.getPredecessor())) {
[Static Analyzer] Make NonNullParamChecker emit implicit null dereference events. Differential Revision: http://reviews.llvm.org/D11433 llvm-svn: 246182
2015-08-28 02:49:07 +08:00
ImplicitNullDerefEvent event = {l, isLoad, N, &C.getBugReporter(),
[analyzer] Improve Nullability checker diagnostics - Include the position of the argument on which the nullability is violated - Differentiate between a 'method' and a 'function' in the message wording - Test for the error message text in the tests - Fix a bug with setting 'IsDirectDereference' which resulted in regular dereferences assumed to have call context. llvm-svn: 259221
2016-01-30 02:43:15 +08:00
/*IsDirectDereference=*/true};
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
dispatchEvent(event);
}
}
Enhance null dereference diagnostics by indicating what variable (if any) was dereferenced. Addresses <rdar://problem/7039161>. llvm-svn: 89726
2009-11-24 09:33:10 +08:00
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
// From this point forward, we know that the location is not null.
C.addTransition(notNullState);
}
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
void DereferenceChecker::checkBind(SVal L, SVal V, const Stmt *S,
CheckerContext &C) const {
[analyzer] Don't assume values bound to references are automatically non-null. While there is no such thing as a "null reference" in the C++ standard, many implementations of references (including Clang's) do not actually check that the location bound to them is non-null. Thus unlike a regular null dereference, this will not cause a problem at runtime until the reference is actually used. In order to catch these cases, we need to not prune out paths on which the input pointer is null. llvm-svn: 161288
2012-08-04 08:25:30 +08:00
// If we're binding to a reference, check if the value is known to be null.
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
if (V.isUndef())
return;
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
const MemRegion *MR = L.getAsRegion();
const TypedValueRegion *TVR = dyn_cast_or_null<TypedValueRegion>(MR);
if (!TVR)
return;
[analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
2012-03-09 09:13:14 +08:00
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
if (!TVR->getValueType()->isReferenceType())
return;
ProgramStateRef State = C.getState();
ProgramStateRef StNonNull, StNull;
[C++11] Replace llvm::tie with std::tie. llvm-svn: 202639
2014-03-02 21:01:17 +08:00
std::tie(StNonNull, StNull) = State->assume(V.castAs<DefinedOrUnknownSVal>());
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
if (StNull) {
if (!StNonNull) {
[analyzer] Don't report null dereferences on address_space annotated memory llvm-svn: 256885
2016-01-06 08:32:49 +08:00
const Expr *expr = getDereferenceExpr(S, /*IsBind=*/true);
if (!suppressReport(expr)) {
[Analyzer] Improve invalid dereference bug reporting in DereferenceChecker. Report undefined pointer dereference in similar way as null pointer dereference. Reviewed By: NoQ Differential Revision: https://reviews.llvm.org/D84520
2020-08-11 15:03:22 +08:00
reportBug(DerefKind::NullPointer, StNull, expr, C);
[analyzer] Don't report null dereferences on address_space annotated memory llvm-svn: 256885
2016-01-06 08:32:49 +08:00
return;
}
Restructure DereferenceChecker slightly to handle caching out when we would report a null dereference more than once. llvm-svn: 89526
2009-11-21 09:50:48 +08:00
}
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
// At this point the value could be either null or non-null.
// Record this as an "implicit" null dereference.
[analyzer] Add generateErrorNode() APIs to CheckerContext. The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
2015-09-17 06:03:05 +08:00
if (ExplodedNode *N = C.generateSink(StNull, C.getPredecessor())) {
[Static Analyzer] Make NonNullParamChecker emit implicit null dereference events. Differential Revision: http://reviews.llvm.org/D11433 llvm-svn: 246182
2015-08-28 02:49:07 +08:00
ImplicitNullDerefEvent event = {V, /*isLoad=*/true, N,
&C.getBugReporter(),
[analyzer] Improve Nullability checker diagnostics - Include the position of the argument on which the nullability is violated - Differentiate between a 'method' and a 'function' in the message wording - Test for the error message text in the tests - Fix a bug with setting 'IsDirectDereference' which resulted in regular dereferences assumed to have call context. llvm-svn: 259221
2016-01-30 02:43:15 +08:00
/*IsDirectDereference=*/true};
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
dispatchEvent(event);
Merge NullDerefChecker.[h,cpp] and UndefDerefChecker.[h,cpp]. They are essentially two parts of the same check. llvm-svn: 85911
2009-11-04 02:41:06 +08:00
}
}
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
[analyzer] Don't assume values bound to references are automatically non-null. While there is no such thing as a "null reference" in the C++ standard, many implementations of references (including Clang's) do not actually check that the location bound to them is non-null. Thus unlike a regular null dereference, this will not cause a problem at runtime until the reference is actually used. In order to catch these cases, we need to not prune out paths on which the input pointer is null. llvm-svn: 161288
2012-08-04 08:25:30 +08:00
// Unlike a regular null dereference, initializing a reference with a
// dereferenced null pointer does not actually cause a runtime exception in
// Clang's implementation of references.
//
// int &r = *p; // safe??
// if (p != NULL) return; // uh-oh
// r = 5; // trap here
//
// The standard says this is invalid as soon as we try to create a "null
// reference" (there is no such thing), but turning this into an assumption
// that 'p' is never null will not match our actual runtime behavior.
// So we do not record this assumption, allowing us to warn on the last line
// of this example.
//
// We do need to add a transition because we may have generated a sink for
// the "implicit" null dereference.
C.addTransition(State, this);
Merge NullDerefChecker.[h,cpp] and UndefDerefChecker.[h,cpp]. They are essentially two parts of the same check. llvm-svn: 85911
2009-11-04 02:41:06 +08:00
}
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
void ento::registerDereferenceChecker(CheckerManager &mgr) {
mgr.registerChecker<DereferenceChecker>();
}
[analyzer] Supply all checkers with a shouldRegister function Introduce the boolean ento::shouldRegister##CHECKERNAME(const LangOptions &LO) function very similarly to ento::register##CHECKERNAME. This will force every checker to implement this function, but maybe it isn't that bad: I saw a lot of ObjC or C++ specific checkers that should probably not register themselves based on some LangOptions (mine too), but they do anyways. A big benefit of this is that all registry functions now register their checker, once it is called, registration is guaranteed. This patch is a part of a greater effort to reinvent checker registration, more info here: D54438#1315953 Differential Revision: https://reviews.llvm.org/D55424 llvm-svn: 352277
2019-01-26 22:23:08 +08:00
[analyzer][NFC] Change LangOptions to CheckerManager in the shouldRegister* functions Some checkers may not only depend on language options but also analyzer options. To make this possible this patch changes the parameter of the shouldRegister* function to CheckerManager to be able to query the analyzer options when deciding whether the checker should be registered. Differential Revision: https://reviews.llvm.org/D75271
2020-03-27 21:29:31 +08:00
bool ento::shouldRegisterDereferenceChecker(const CheckerManager &mgr) {
[analyzer] Supply all checkers with a shouldRegister function Introduce the boolean ento::shouldRegister##CHECKERNAME(const LangOptions &LO) function very similarly to ento::register##CHECKERNAME. This will force every checker to implement this function, but maybe it isn't that bad: I saw a lot of ObjC or C++ specific checkers that should probably not register themselves based on some LangOptions (mine too), but they do anyways. A big benefit of this is that all registry functions now register their checker, once it is called, registration is guaranteed. This patch is a part of a greater effort to reinvent checker registration, more info here: D54438#1315953 Differential Revision: https://reviews.llvm.org/D55424 llvm-svn: 352277
2019-01-26 22:23:08 +08:00
return true;
}