maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity
llvm-project/clang/lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp

306 lines
10 KiB
C++
Raw Normal View History

Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
//== NullDerefChecker.cpp - Null dereference checker ------------*- C++ -*--==//
//
Update the file headers across all of the LLVM projects in the monorepo to reflect the new license. We understand that people may be surprised that we're moving the header entirely to discuss the new license. We checked this carefully with the Foundation's lawyer and we believe this is the correct approach. Essentially, all code in the project is now made available by the LLVM project under our new license, so you will see that the license headers include that license only. Some of our contributors have contributed code under our old license, and accordingly, we have retained a copy of our old license notice in the top-level files in each project and repository. llvm-svn: 351636
2019-01-19 16:50:56 +08:00
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
//
//===----------------------------------------------------------------------===//
//
[analyzer] Refactoring: Drop the 'GR' prefix. llvm-svn: 122424
2010-12-23 02:53:44 +08:00
// This defines NullDerefChecker, a builtin check in ExprEngine that performs
Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
// checks for null pointers at loads and stores.
//
//===----------------------------------------------------------------------===//
[analyzer][NFC] Move CheckerRegistry from the Core directory to Frontend ClangCheckerRegistry is a very non-obvious, poorly documented, weird concept. It derives from CheckerRegistry, and is placed in lib/StaticAnalyzer/Frontend, whereas it's base is located in lib/StaticAnalyzer/Core. It was, from what I can imagine, used to circumvent the problem that the registry functions of the checkers are located in the clangStaticAnalyzerCheckers library, but that library depends on clangStaticAnalyzerCore. However, clangStaticAnalyzerFrontend depends on both of those libraries. One can make the observation however, that CheckerRegistry has no place in Core, it isn't used there at all! The only place where it is used is Frontend, which is where it ultimately belongs. This move implies that since include/clang/StaticAnalyzer/Checkers/ClangCheckers.h only contained a single function: class CheckerRegistry; void registerBuiltinCheckers(CheckerRegistry &registry); it had to re purposed, as CheckerRegistry is no longer available to clangStaticAnalyzerCheckers. It was renamed to BuiltinCheckerRegistration.h, which actually describes it a lot better -- it does not contain the registration functions for checkers, but only those generated by the tblgen files. Differential Revision: https://reviews.llvm.org/D54436 llvm-svn: 349275
2018-12-16 00:23:51 +08:00
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
StaticAnalyzer: Move ObjC- and CXX-specific methods out of line so checkers that don't care about the language don't have to pull in all the headers. llvm-svn: 149178
2012-01-28 20:06:22 +08:00
#include "clang/AST/ExprObjC.h"
[OPENMP 4.0] Initial support for array sections. Adds parsing/sema analysis/serialization/deserialization for array sections in OpenMP constructs (introduced in OpenMP 4.0). Currently it is allowed to use array sections only in OpenMP clauses that accepts list of expressions. Differential Revision: http://reviews.llvm.org/D10732 llvm-svn: 245937
2015-08-25 22:24:04 +08:00
#include "clang/AST/ExprOpenMP.h"
Sort all of Clang's files under 'lib', and fix up the broken headers uncovered. This required manually correcting all of the incorrect main-module headers I could find, and running the new llvm/utils/sort_includes.py script over the files. I also manually added quite a few missing headers that were uncovered by shuffling the order or moving headers up to be main-module-headers. llvm-svn: 169237
2012-12-04 17:13:33 +08:00
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
[analyzer] Rename CheckerV2 -> Checker. llvm-svn: 126726
2011-03-01 09:16:21 +08:00
#include "clang/StaticAnalyzer/Core/Checker.h"
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
[analyzer] Add VforkChecker to find unsafe code in vforked process. This checker looks for unsafe constructs in vforked process: function calls (excluding whitelist), memory write and returns. This was originally motivated by a vfork-related bug in xtables package. Patch by Yury Gribov. Differential revision: http://reviews.llvm.org/D14014 llvm-svn: 252285
2015-11-06 19:16:31 +08:00
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
Move a method from IdentifierTable.h out of line and remove the SmallString include. Fix all the transitive include users. llvm-svn: 149783
2012-02-04 21:45:25 +08:00
#include "llvm/ADT/SmallString.h"
Include pruning and general cleanup. llvm-svn: 169095
2012-12-02 01:12:56 +08:00
#include "llvm/Support/raw_ostream.h"
Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
using namespace clang;
Rename static analyzer namespace 'GR' to 'ento'. llvm-svn: 122492
2010-12-23 15:20:52 +08:00
using namespace ento;
Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
namespace {
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
class DereferenceChecker
[analyzer] Rename CheckerV2 -> Checker. llvm-svn: 126726
2011-03-01 09:16:21 +08:00
: public Checker< check::Location,
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
check::Bind,
EventDispatcher<ImplicitNullDerefEvent> > {
Replace OwningPtr with std::unique_ptr. This compiles cleanly with lldb/lld/clang-tools-extra/llvm. llvm-svn: 203279
2014-03-08 04:03:18 +08:00
mutable std::unique_ptr<BuiltinBug> BT_null;
mutable std::unique_ptr<BuiltinBug> BT_undef;
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
[analyzer] Don't report null dereferences on address_space annotated memory llvm-svn: 256885
2016-01-06 08:32:49 +08:00
void reportBug(ProgramStateRef State, const Stmt *S, CheckerContext &C) const;
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
public:
[analyzer] Remove the dependency on CheckerContext::getStmt() as well as the method itself. llvm-svn: 141262
2011-10-06 08:43:15 +08:00
void checkLocation(SVal location, bool isLoad, const Stmt* S,
CheckerContext &C) const;
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
[analyzer] Remove unneeded code. This region is set as interesting as part of trackNullOrUndefValue call, no need to mark it as interesting twice. llvm-svn: 163260
2012-09-06 06:31:49 +08:00
static void AddDerefSource(raw_ostream &os,
remove unneeded llvm:: namespace qualifiers on some core types now that LLVM.h imports them into the clang namespace. llvm-svn: 135852
2011-07-23 18:55:15 +08:00
SmallVectorImpl<SourceRange> &Ranges,
[analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
2012-03-09 09:13:14 +08:00
const Expr *Ex, const ProgramState *state,
const LocationContext *LCtx,
bool loadedFrom = false);
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
};
} // end anonymous namespace
Move all logic for the null dereference checker from GRExprEngineInternalChecks.cpp to a separate .cpp file. llvm-svn: 85595
2009-10-31 01:24:47 +08:00
[analyzer] Remove unneeded code. This region is set as interesting as part of trackNullOrUndefValue call, no need to mark it as interesting twice. llvm-svn: 163260
2012-09-06 06:31:49 +08:00
void
[analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
2012-03-09 09:13:14 +08:00
DereferenceChecker::AddDerefSource(raw_ostream &os,
SmallVectorImpl<SourceRange> &Ranges,
const Expr *Ex,
const ProgramState *state,
const LocationContext *LCtx,
bool loadedFrom) {
Although we currently have explicit lvalue-to-rvalue conversions, they're not actually frequently used, because ImpCastExprToType only creates a node if the types differ. So explicitly create an ICE in the lvalue-to-rvalue conversion code in DefaultFunctionArrayLvalueConversion() as well as several other new places, and consistently deal with the consequences throughout the compiler. In addition, introduce a new cast kind for loading an ObjCProperty l-value, and make sure we emit those nodes whenever an ObjCProperty l-value appears that's not on the LHS of an assignment operator. This breaks a couple of rewriter tests, which I've x-failed until future development occurs on the rewriter. Ted Kremenek kindly contributed the analyzer workarounds in this patch. llvm-svn: 120890
2010-12-04 11:47:34 +08:00
Ex = Ex->IgnoreParenLValueCasts();
Tweak null dereference checker to give better diagnostics for null dereferences resulting from array accesses. llvm-svn: 117334
2010-10-26 08:06:13 +08:00
switch (Ex->getStmtClass()) {
default:
[analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
2012-03-09 09:13:14 +08:00
break;
Tweak null dereference checker to give better diagnostics for null dereferences resulting from array accesses. llvm-svn: 117334
2010-10-26 08:06:13 +08:00
case Stmt::DeclRefExprClass: {
const DeclRefExpr *DR = cast<DeclRefExpr>(Ex);
if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
os << " (" << (loadedFrom ? "loaded from" : "from")
<< " variable '" << VD->getName() << "')";
Ranges.push_back(DR->getSourceRange());
}
[analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
2012-03-09 09:13:14 +08:00
break;
Tweak null dereference checker to give better diagnostics for null dereferences resulting from array accesses. llvm-svn: 117334
2010-10-26 08:06:13 +08:00
}
case Stmt::MemberExprClass: {
const MemberExpr *ME = cast<MemberExpr>(Ex);
os << " (" << (loadedFrom ? "loaded from" : "via")
<< " field '" << ME->getMemberNameInfo() << "')";
SourceLocation L = ME->getMemberLoc();
Ranges.push_back(SourceRange(L, L));
break;
}
[analyzer] tracking stores/constraints now works for ObjC ivars or struct fields. This required more changes than I originally expected: - ObjCIvarRegion implements "canPrintPretty" et al - DereferenceChecker indicates the null pointer source is an ivar - bugreporter::trackNullOrUndefValue() uses an alternate algorithm to compute the location region to track by scouring the ExplodedGraph. This allows us to get the actual MemRegion for variables, ivars, fields, etc. We only hand construct a VarRegion for C++ references. - ExplodedGraph no longer drops nodes for expressions that are marked 'lvalue'. This is to facilitate the logic in the previous bullet. This may lead to a slight increase in size in the ExplodedGraph, which I have not measured, but it is likely not to be a big deal. I have validated each of the changed plist output. Fixes <rdar://problem/12114812> llvm-svn: 175988
2013-02-24 15:21:01 +08:00
case Stmt::ObjCIvarRefExprClass: {
const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(Ex);
os << " (" << (loadedFrom ? "loaded from" : "via")
<< " ivar '" << IV->getDecl()->getName() << "')";
SourceLocation L = IV->getLocation();
Ranges.push_back(SourceRange(L, L));
break;
[analyzer] Apply whitespace cleanups by Honggyu Kim. llvm-svn: 246978
2015-09-08 11:50:52 +08:00
}
Tweak null dereference checker to give better diagnostics for null dereferences resulting from array accesses. llvm-svn: 117334
2010-10-26 08:06:13 +08:00
}
}
[analyzer] Don't report null dereferences on address_space annotated memory llvm-svn: 256885
2016-01-06 08:32:49 +08:00
static const Expr *getDereferenceExpr(const Stmt *S, bool IsBind=false){
const Expr *E = nullptr;
// Walk through lvalue casts to get the original expression
// that syntactically caused the load.
if (const Expr *expr = dyn_cast<Expr>(S))
E = expr->IgnoreParenLValueCasts();
if (IsBind) {
const VarDecl *VD;
const Expr *Init;
std::tie(VD, Init) = parseAssignment(S);
if (VD && Init)
E = Init;
}
return E;
}
static bool suppressReport(const Expr *E) {
// Do not report dereferences on memory in non-default address spaces.
return E->getType().getQualifiers().hasAddressSpace();
}
[analyzer] Rename trackNullOrUndefValue to trackExpressionValue trackNullOrUndefValue is a long and confusing name, and it does not actually reflect what the function is doing. Give a function a new name, with a relatively clear semantics. Also remove some dead code. Differential Revision: https://reviews.llvm.org/D52758 llvm-svn: 345064
2018-10-24 02:24:53 +08:00
static bool isDeclRefExprToReference(const Expr *E) {
if (const auto *DRE = dyn_cast<DeclRefExpr>(E))
return DRE->getDecl()->getType()->isReferenceType();
return false;
}
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S,
[analyzer] Don't report null dereferences on address_space annotated memory llvm-svn: 256885
2016-01-06 08:32:49 +08:00
CheckerContext &C) const {
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
// Generate an error node.
[analyzer] Add generateErrorNode() APIs to CheckerContext. The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
2015-09-17 06:03:05 +08:00
ExplodedNode *N = C.generateErrorNode(State);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
if (!N)
return;
// We know that 'location' cannot be non-null. This is what
// we call an "explicit" null dereference.
if (!BT_null)
Expose the name of the checker producing each diagnostic message. Summary: In clang-tidy we'd like to know the name of the checker producing each diagnostic message. PathDiagnostic has BugType and Category fields, which are both arbitrary human-readable strings, but we need to know the exact name of the checker in the form that can be used in the CheckersControlList option to enable/disable the specific checker. This patch adds the CheckName field to the CheckerBase class, and sets it in the CheckerManager::registerChecker() method, which gets them from the CheckerRegistry. Checkers that implement multiple checks have to store the names of each check in the respective registerXXXChecker method. Reviewers: jordan_rose, krememek Reviewed By: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D2557 llvm-svn: 201186
2014-02-12 05:49:21 +08:00
BT_null.reset(new BuiltinBug(this, "Dereference of null pointer"));
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
SmallString<100> buf;
[analyzer] Check that an ObjCIvarRefExpr's base is non-null even as an lvalue. Like with struct fields, we want to catch cases like this early, so that we can produce better diagnostics and path notes: PointObj *p = nil; int *px = &p->_x; // should warn here *px = 1; llvm-svn: 164442
2012-09-22 09:24:38 +08:00
llvm::raw_svector_ostream os(buf);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
SmallVector<SourceRange, 2> Ranges;
switch (S->getStmtClass()) {
case Stmt::ArraySubscriptExprClass: {
os << "Array access";
const ArraySubscriptExpr *AE = cast<ArraySubscriptExpr>(S);
[analyzer] Remove unneeded code. This region is set as interesting as part of trackNullOrUndefValue call, no need to mark it as interesting twice. llvm-svn: 163260
2012-09-06 06:31:49 +08:00
AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
Track IntrusiveRefCntPtr::get() changes from LLVM r212366 llvm-svn: 212369
2014-07-05 11:08:06 +08:00
State.get(), N->getLocationContext());
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
os << " results in a null pointer dereference";
break;
}
[OPENMP 4.0] Initial support for array sections. Adds parsing/sema analysis/serialization/deserialization for array sections in OpenMP constructs (introduced in OpenMP 4.0). Currently it is allowed to use array sections only in OpenMP clauses that accepts list of expressions. Differential Revision: http://reviews.llvm.org/D10732 llvm-svn: 245937
2015-08-25 22:24:04 +08:00
case Stmt::OMPArraySectionExprClass: {
os << "Array access";
const OMPArraySectionExpr *AE = cast<OMPArraySectionExpr>(S);
AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
State.get(), N->getLocationContext());
os << " results in a null pointer dereference";
break;
}
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
case Stmt::UnaryOperatorClass: {
os << "Dereference of null pointer";
const UnaryOperator *U = cast<UnaryOperator>(S);
[analyzer] Remove unneeded code. This region is set as interesting as part of trackNullOrUndefValue call, no need to mark it as interesting twice. llvm-svn: 163260
2012-09-06 06:31:49 +08:00
AddDerefSource(os, Ranges, U->getSubExpr()->IgnoreParens(),
Track IntrusiveRefCntPtr::get() changes from LLVM r212366 llvm-svn: 212369
2014-07-05 11:08:06 +08:00
State.get(), N->getLocationContext(), true);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
break;
}
case Stmt::MemberExprClass: {
const MemberExpr *M = cast<MemberExpr>(S);
[analyzer] Rename trackNullOrUndefValue to trackExpressionValue trackNullOrUndefValue is a long and confusing name, and it does not actually reflect what the function is doing. Give a function a new name, with a relatively clear semantics. Also remove some dead code. Differential Revision: https://reviews.llvm.org/D52758 llvm-svn: 345064
2018-10-24 02:24:53 +08:00
if (M->isArrow() || isDeclRefExprToReference(M->getBase())) {
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
os << "Access to field '" << M->getMemberNameInfo()
<< "' results in a dereference of a null pointer";
[analyzer] Remove unneeded code. This region is set as interesting as part of trackNullOrUndefValue call, no need to mark it as interesting twice. llvm-svn: 163260
2012-09-06 06:31:49 +08:00
AddDerefSource(os, Ranges, M->getBase()->IgnoreParenCasts(),
Track IntrusiveRefCntPtr::get() changes from LLVM r212366 llvm-svn: 212369
2014-07-05 11:08:06 +08:00
State.get(), N->getLocationContext(), true);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
}
break;
}
case Stmt::ObjCIvarRefExprClass: {
const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(S);
[analyzer] Check that an ObjCIvarRefExpr's base is non-null even as an lvalue. Like with struct fields, we want to catch cases like this early, so that we can produce better diagnostics and path notes: PointObj *p = nil; int *px = &p->_x; // should warn here *px = 1; llvm-svn: 164442
2012-09-22 09:24:38 +08:00
os << "Access to instance variable '" << *IV->getDecl()
<< "' results in a dereference of a null pointer";
AddDerefSource(os, Ranges, IV->getBase()->IgnoreParenCasts(),
Track IntrusiveRefCntPtr::get() changes from LLVM r212366 llvm-svn: 212369
2014-07-05 11:08:06 +08:00
State.get(), N->getLocationContext(), true);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
break;
}
default:
break;
}
Clarify pointer ownership semantics by hoisting the std::unique_ptr creation to the caller instead of hiding it in emitReport. NFC. llvm-svn: 240400
2015-06-23 21:15:32 +08:00
auto report = llvm::make_unique<BugReport>(
*BT_null, buf.empty() ? BT_null->getDescription() : StringRef(buf), N);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
[analyzer] Rename trackNullOrUndefValue to trackExpressionValue trackNullOrUndefValue is a long and confusing name, and it does not actually reflect what the function is doing. Give a function a new name, with a relatively clear semantics. Also remove some dead code. Differential Revision: https://reviews.llvm.org/D52758 llvm-svn: 345064
2018-10-24 02:24:53 +08:00
bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
for (SmallVectorImpl<SourceRange>::iterator
I = Ranges.begin(), E = Ranges.end(); I!=E; ++I)
report->addRange(*I);
Clarify pointer ownership semantics by hoisting the std::unique_ptr creation to the caller instead of hiding it in emitReport. NFC. llvm-svn: 240400
2015-06-23 21:15:32 +08:00
C.emitReport(std::move(report));
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
}
[analyzer] Remove the dependency on CheckerContext::getStmt() as well as the method itself. llvm-svn: 141262
2011-10-06 08:43:15 +08:00
void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
CheckerContext &C) const {
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
// Check for dereference of an undefined value.
if (l.isUndef()) {
[analyzer] Add generateErrorNode() APIs to CheckerContext. The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
2015-09-17 06:03:05 +08:00
if (ExplodedNode *N = C.generateErrorNode()) {
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
if (!BT_undef)
Expose the name of the checker producing each diagnostic message. Summary: In clang-tidy we'd like to know the name of the checker producing each diagnostic message. PathDiagnostic has BugType and Category fields, which are both arbitrary human-readable strings, but we need to know the exact name of the checker in the form that can be used in the CheckersControlList option to enable/disable the specific checker. This patch adds the CheckName field to the CheckerBase class, and sets it in the CheckerManager::registerChecker() method, which gets them from the CheckerRegistry. Checkers that implement multiple checks have to store the names of each check in the respective registerXXXChecker method. Reviewers: jordan_rose, krememek Reviewed By: jordan_rose CC: cfe-commits Differential Revision: http://llvm-reviews.chandlerc.com/D2557 llvm-svn: 201186
2014-02-12 05:49:21 +08:00
BT_undef.reset(
new BuiltinBug(this, "Dereference of undefined pointer value"));
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
Clarify pointer ownership semantics by hoisting the std::unique_ptr creation to the caller instead of hiding it in emitReport. NFC. llvm-svn: 240400
2015-06-23 21:15:32 +08:00
auto report =
llvm::make_unique<BugReport>(*BT_undef, BT_undef->getDescription(), N);
[analyzer] Rename trackNullOrUndefValue to trackExpressionValue trackNullOrUndefValue is a long and confusing name, and it does not actually reflect what the function is doing. Give a function a new name, with a relatively clear semantics. Also remove some dead code. Differential Revision: https://reviews.llvm.org/D52758 llvm-svn: 345064
2018-10-24 02:24:53 +08:00
bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);
Clarify pointer ownership semantics by hoisting the std::unique_ptr creation to the caller instead of hiding it in emitReport. NFC. llvm-svn: 240400
2015-06-23 21:15:32 +08:00
C.emitReport(std::move(report));
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
}
return;
}
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
Replace SVal llvm::cast support to be well-defined. See r175462 for another example/more details. llvm-svn: 175594
2013-02-20 13:52:05 +08:00
DefinedOrUnknownSVal location = l.castAs<DefinedOrUnknownSVal>();
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
// Check for null dereferences.
Replace SVal llvm::cast support to be well-defined. See r175462 for another example/more details. llvm-svn: 175594
2013-02-20 13:52:05 +08:00
if (!location.getAs<Loc>())
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
return;
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
Change references to 'const ProgramState *' to typedef 'ProgramStateRef'. At this point this is largely cosmetic, but it opens the door to replace ProgramStateRef with a smart pointer that more eagerly acts in the role of reclaiming unused ProgramState objects. llvm-svn: 149081
2012-01-27 05:29:00 +08:00
ProgramStateRef state = C.getState();
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
Change references to 'const ProgramState *' to typedef 'ProgramStateRef'. At this point this is largely cosmetic, but it opens the door to replace ProgramStateRef with a smart pointer that more eagerly acts in the role of reclaiming unused ProgramState objects. llvm-svn: 149081
2012-01-27 05:29:00 +08:00
ProgramStateRef notNullState, nullState;
[C++11] Replace llvm::tie with std::tie. llvm-svn: 202639
2014-03-02 21:01:17 +08:00
std::tie(notNullState, nullState) = state->assume(location);
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
Refactor DereferenceChecker to use only the new Checker API instead of the old builder API. This percolated a bunch of changes up to the Checker class (where CheckLocation has been renamed VisitLocation) and GRExprEngine. ProgramPoint now has the notion of a "LocationCheck" point (with PreLoad and PreStore respectively), and a bunch of the old ProgramPoints that are no longer used have been removed. llvm-svn: 86798
2009-11-11 11:26:34 +08:00
// The explicit NULL case.
if (nullState) {
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
if (!notNullState) {
[analyzer] Don't report null dereferences on address_space annotated memory llvm-svn: 256885
2016-01-06 08:32:49 +08:00
const Expr *expr = getDereferenceExpr(S);
if (!suppressReport(expr)) {
reportBug(nullState, expr, C);
return;
}
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
}
Merge NullDerefChecker.[h,cpp] and UndefDerefChecker.[h,cpp]. They are essentially two parts of the same check. llvm-svn: 85911
2009-11-04 02:41:06 +08:00
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
// Otherwise, we have the case where the location could either be
// null or not-null. Record the error node as an "implicit" null
// dereference.
[analyzer] Add generateErrorNode() APIs to CheckerContext. The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
2015-09-17 06:03:05 +08:00
if (ExplodedNode *N = C.generateSink(nullState, C.getPredecessor())) {
[Static Analyzer] Make NonNullParamChecker emit implicit null dereference events. Differential Revision: http://reviews.llvm.org/D11433 llvm-svn: 246182
2015-08-28 02:49:07 +08:00
ImplicitNullDerefEvent event = {l, isLoad, N, &C.getBugReporter(),
[analyzer] Improve Nullability checker diagnostics - Include the position of the argument on which the nullability is violated - Differentiate between a 'method' and a 'function' in the message wording - Test for the error message text in the tests - Fix a bug with setting 'IsDirectDereference' which resulted in regular dereferences assumed to have call context. llvm-svn: 259221
2016-01-30 02:43:15 +08:00
/*IsDirectDereference=*/true};
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
dispatchEvent(event);
}
}
Enhance null dereference diagnostics by indicating what variable (if any) was dereferenced. Addresses <rdar://problem/7039161>. llvm-svn: 89726
2009-11-24 09:33:10 +08:00
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
// From this point forward, we know that the location is not null.
C.addTransition(notNullState);
}
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
void DereferenceChecker::checkBind(SVal L, SVal V, const Stmt *S,
CheckerContext &C) const {
[analyzer] Don't assume values bound to references are automatically non-null. While there is no such thing as a "null reference" in the C++ standard, many implementations of references (including Clang's) do not actually check that the location bound to them is non-null. Thus unlike a regular null dereference, this will not cause a problem at runtime until the reference is actually used. In order to catch these cases, we need to not prune out paths on which the input pointer is null. llvm-svn: 161288
2012-08-04 08:25:30 +08:00
// If we're binding to a reference, check if the value is known to be null.
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
if (V.isUndef())
return;
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
const MemRegion *MR = L.getAsRegion();
const TypedValueRegion *TVR = dyn_cast_or_null<TypedValueRegion>(MR);
if (!TVR)
return;
[analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions. Essentially, a bug centers around a story for various symbols and regions. We should only include the path diagnostic events that relate to those symbols and regions. The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which can be modified at BugReport creation or by BugReporterVisitors. This patch reduces the diagnostics emitted in several of our test cases. I've vetted these as having desired behavior. The only regression is a missing null check diagnostic for the return value of realloc() in test/Analysis/malloc-plist.c. This will require some investigation to fix, and I have added a FIXME to the test case. llvm-svn: 152361
2012-03-09 09:13:14 +08:00
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
if (!TVR->getValueType()->isReferenceType())
return;
ProgramStateRef State = C.getState();
ProgramStateRef StNonNull, StNull;
[C++11] Replace llvm::tie with std::tie. llvm-svn: 202639
2014-03-02 21:01:17 +08:00
std::tie(StNonNull, StNull) = State->assume(V.castAs<DefinedOrUnknownSVal>());
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
if (StNull) {
if (!StNonNull) {
[analyzer] Don't report null dereferences on address_space annotated memory llvm-svn: 256885
2016-01-06 08:32:49 +08:00
const Expr *expr = getDereferenceExpr(S, /*IsBind=*/true);
if (!suppressReport(expr)) {
reportBug(StNull, expr, C);
return;
}
Restructure DereferenceChecker slightly to handle caching out when we would report a null dereference more than once. llvm-svn: 89526
2009-11-21 09:50:48 +08:00
}
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
// At this point the value could be either null or non-null.
// Record this as an "implicit" null dereference.
[analyzer] Add generateErrorNode() APIs to CheckerContext. The analyzer trims unnecessary nodes from the exploded graph before reporting path diagnostics. However, in some cases it can trim all nodes (including the error node), leading to an assertion failure (see https://llvm.org/bugs/show_bug.cgi?id=24184). This commit addresses the issue by adding two new APIs to CheckerContext to explicitly create error nodes. Unless the client provides a custom tag, these APIs tag the node with the checker's tag -- preventing it from being trimmed. The generateErrorNode() method creates a sink error node, while generateNonFatalErrorNode() creates an error node for a path that should continue being explored. The intent is that one of these two methods should be used whenever a checker creates an error node. This commit updates the checkers to use these APIs. These APIs (unlike addTransition() and generateSink()) do not take an explicit Pred node. This is because there are not any error nodes in the checkers that were created with an explicit different than the default (the CheckerContext's Pred node). It also changes generateSink() to require state and pred nodes (previously these were optional) to reduce confusion. Additionally, there were several cases where checkers did check whether a generated node could be null; we now explicitly check for null in these places. This commit also includes a test case written by Ying Yi as part of http://reviews.llvm.org/D12163 (that patch originally addressed this issue but was reverted because it introduced false positive regressions). Differential Revision: http://reviews.llvm.org/D12780 llvm-svn: 247859
2015-09-17 06:03:05 +08:00
if (ExplodedNode *N = C.generateSink(StNull, C.getPredecessor())) {
[Static Analyzer] Make NonNullParamChecker emit implicit null dereference events. Differential Revision: http://reviews.llvm.org/D11433 llvm-svn: 246182
2015-08-28 02:49:07 +08:00
ImplicitNullDerefEvent event = {V, /*isLoad=*/true, N,
&C.getBugReporter(),
[analyzer] Improve Nullability checker diagnostics - Include the position of the argument on which the nullability is violated - Differentiate between a 'method' and a 'function' in the message wording - Test for the error message text in the tests - Fix a bug with setting 'IsDirectDereference' which resulted in regular dereferences assumed to have call context. llvm-svn: 259221
2016-01-30 02:43:15 +08:00
/*IsDirectDereference=*/true};
[analyzer] Add a simple check for initializing reference variables with null. There's still more work to be done here; this doesn't catch reference parameters or return values. But it's a step in the right direction. Part of <rdar://problem/11212286>. llvm-svn: 161214
2012-08-03 05:33:42 +08:00
dispatchEvent(event);
Merge NullDerefChecker.[h,cpp] and UndefDerefChecker.[h,cpp]. They are essentially two parts of the same check. llvm-svn: 85911
2009-11-04 02:41:06 +08:00
}
}
Tweak null dereference diagnostics to give clearer diagnostics when a null dereference results from a field access. llvm-svn: 99236
2010-03-23 09:11:38 +08:00
[analyzer] Don't assume values bound to references are automatically non-null. While there is no such thing as a "null reference" in the C++ standard, many implementations of references (including Clang's) do not actually check that the location bound to them is non-null. Thus unlike a regular null dereference, this will not cause a problem at runtime until the reference is actually used. In order to catch these cases, we need to not prune out paths on which the input pointer is null. llvm-svn: 161288
2012-08-04 08:25:30 +08:00
// Unlike a regular null dereference, initializing a reference with a
// dereferenced null pointer does not actually cause a runtime exception in
// Clang's implementation of references.
//
// int &r = *p; // safe??
// if (p != NULL) return; // uh-oh
// r = 5; // trap here
//
// The standard says this is invalid as soon as we try to create a "null
// reference" (there is no such thing), but turning this into an assumption
// that 'p' is never null will not match our actual runtime behavior.
// So we do not record this assumption, allowing us to warn on the last line
// of this example.
//
// We do need to add a transition because we may have generated a sink for
// the "implicit" null dereference.
C.addTransition(State, this);
Merge NullDerefChecker.[h,cpp] and UndefDerefChecker.[h,cpp]. They are essentially two parts of the same check. llvm-svn: 85911
2009-11-04 02:41:06 +08:00
}
[analyzer] Migrate NSErrorChecker and DereferenceChecker to CheckerV2. They cooperate in that NSErrorChecker listens for ImplicitNullDerefEvent events that DereferenceChecker can dispatch. ImplicitNullDerefEvent is when we dereferenced a location that may be null. llvm-svn: 126659
2011-03-01 01:36:18 +08:00
void ento::registerDereferenceChecker(CheckerManager &mgr) {
mgr.registerChecker<DereferenceChecker>();
}