• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // BugReporterVisitors.cpp - Helpers for reporting bugs -----------*- C++ -*--//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 //  This file defines a set of BugReporter "visitors" which can be used to
11 //  enhance the diagnostics reported for a bug.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "clang/AST/Expr.h"
16 #include "clang/AST/ExprObjC.h"
17 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
18 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/GRState.h"
21 
22 using namespace clang;
23 using namespace ento;
24 
25 //===----------------------------------------------------------------------===//
26 // Utility functions.
27 //===----------------------------------------------------------------------===//
28 
GetDerefExpr(const ExplodedNode * N)29 const Stmt *bugreporter::GetDerefExpr(const ExplodedNode *N) {
30   // Pattern match for a few useful cases (do something smarter later):
31   //   a[0], p->f, *p
32   const Stmt *S = N->getLocationAs<PostStmt>()->getStmt();
33 
34   if (const UnaryOperator *U = dyn_cast<UnaryOperator>(S)) {
35     if (U->getOpcode() == UO_Deref)
36       return U->getSubExpr()->IgnoreParenCasts();
37   }
38   else if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) {
39     return ME->getBase()->IgnoreParenCasts();
40   }
41   else if (const ArraySubscriptExpr *AE = dyn_cast<ArraySubscriptExpr>(S)) {
42     // Retrieve the base for arrays since BasicStoreManager doesn't know how
43     // to reason about them.
44     return AE->getBase();
45   }
46 
47   return NULL;
48 }
49 
GetDenomExpr(const ExplodedNode * N)50 const Stmt *bugreporter::GetDenomExpr(const ExplodedNode *N) {
51   const Stmt *S = N->getLocationAs<PreStmt>()->getStmt();
52   if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(S))
53     return BE->getRHS();
54   return NULL;
55 }
56 
GetCalleeExpr(const ExplodedNode * N)57 const Stmt *bugreporter::GetCalleeExpr(const ExplodedNode *N) {
58   // Callee is checked as a PreVisit to the CallExpr.
59   const Stmt *S = N->getLocationAs<PreStmt>()->getStmt();
60   if (const CallExpr *CE = dyn_cast<CallExpr>(S))
61     return CE->getCallee();
62   return NULL;
63 }
64 
GetRetValExpr(const ExplodedNode * N)65 const Stmt *bugreporter::GetRetValExpr(const ExplodedNode *N) {
66   const Stmt *S = N->getLocationAs<PostStmt>()->getStmt();
67   if (const ReturnStmt *RS = dyn_cast<ReturnStmt>(S))
68     return RS->getRetValue();
69   return NULL;
70 }
71 
72 //===----------------------------------------------------------------------===//
73 // Definitions for bug reporter visitors.
74 //===----------------------------------------------------------------------===//
75 
76 namespace {
77 class FindLastStoreBRVisitor : public BugReporterVisitor {
78   const MemRegion *R;
79   SVal V;
80   bool satisfied;
81   const ExplodedNode *StoreSite;
82 public:
FindLastStoreBRVisitor(SVal v,const MemRegion * r)83   FindLastStoreBRVisitor(SVal v, const MemRegion *r)
84   : R(r), V(v), satisfied(false), StoreSite(0) {}
85 
Profile(llvm::FoldingSetNodeID & ID) const86   virtual void Profile(llvm::FoldingSetNodeID &ID) const {
87     static int tag = 0;
88     ID.AddPointer(&tag);
89     ID.AddPointer(R);
90     ID.Add(V);
91   }
92 
VisitNode(const ExplodedNode * N,const ExplodedNode * PrevN,BugReporterContext & BRC)93   PathDiagnosticPiece* VisitNode(const ExplodedNode *N,
94                                  const ExplodedNode *PrevN,
95                                  BugReporterContext& BRC) {
96 
97     if (satisfied)
98       return NULL;
99 
100     if (!StoreSite) {
101       const ExplodedNode *Node = N, *Last = NULL;
102 
103       for ( ; Node ; Last = Node, Node = Node->getFirstPred()) {
104 
105         if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
106           if (const PostStmt *P = Node->getLocationAs<PostStmt>())
107             if (const DeclStmt *DS = P->getStmtAs<DeclStmt>())
108               if (DS->getSingleDecl() == VR->getDecl()) {
109                 Last = Node;
110                 break;
111               }
112         }
113 
114         if (Node->getState()->getSVal(R) != V)
115           break;
116       }
117 
118       if (!Node || !Last) {
119         satisfied = true;
120         return NULL;
121       }
122 
123       StoreSite = Last;
124     }
125 
126     if (StoreSite != N)
127       return NULL;
128 
129     satisfied = true;
130     llvm::SmallString<256> sbuf;
131     llvm::raw_svector_ostream os(sbuf);
132 
133     if (const PostStmt *PS = N->getLocationAs<PostStmt>()) {
134       if (const DeclStmt *DS = PS->getStmtAs<DeclStmt>()) {
135 
136         if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
137           os << "Variable '" << VR->getDecl() << "' ";
138         }
139         else
140           return NULL;
141 
142         if (isa<loc::ConcreteInt>(V)) {
143           bool b = false;
144           if (R->isBoundable()) {
145             if (const TypedRegion *TR = dyn_cast<TypedRegion>(R)) {
146               if (TR->getValueType()->isObjCObjectPointerType()) {
147                 os << "initialized to nil";
148                 b = true;
149               }
150             }
151           }
152 
153           if (!b)
154             os << "initialized to a null pointer value";
155         }
156         else if (isa<nonloc::ConcreteInt>(V)) {
157           os << "initialized to " << cast<nonloc::ConcreteInt>(V).getValue();
158         }
159         else if (V.isUndef()) {
160           if (isa<VarRegion>(R)) {
161             const VarDecl *VD = cast<VarDecl>(DS->getSingleDecl());
162             if (VD->getInit())
163               os << "initialized to a garbage value";
164             else
165               os << "declared without an initial value";
166           }
167         }
168       }
169     }
170 
171     if (os.str().empty()) {
172       if (isa<loc::ConcreteInt>(V)) {
173         bool b = false;
174         if (R->isBoundable()) {
175           if (const TypedRegion *TR = dyn_cast<TypedRegion>(R)) {
176             if (TR->getValueType()->isObjCObjectPointerType()) {
177               os << "nil object reference stored to ";
178               b = true;
179             }
180           }
181         }
182 
183         if (!b)
184           os << "Null pointer value stored to ";
185       }
186       else if (V.isUndef()) {
187         os << "Uninitialized value stored to ";
188       }
189       else if (isa<nonloc::ConcreteInt>(V)) {
190         os << "The value " << cast<nonloc::ConcreteInt>(V).getValue()
191            << " is assigned to ";
192       }
193       else
194         return NULL;
195 
196       if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
197         os << '\'' << VR->getDecl() << '\'';
198       }
199       else
200         return NULL;
201     }
202 
203     // FIXME: Refactor this into BugReporterContext.
204     const Stmt *S = 0;
205     ProgramPoint P = N->getLocation();
206 
207     if (BlockEdge *BE = dyn_cast<BlockEdge>(&P)) {
208       const CFGBlock *BSrc = BE->getSrc();
209       S = BSrc->getTerminatorCondition();
210     }
211     else if (PostStmt *PS = dyn_cast<PostStmt>(&P)) {
212       S = PS->getStmt();
213     }
214 
215     if (!S)
216       return NULL;
217 
218     // Construct a new PathDiagnosticPiece.
219     PathDiagnosticLocation L(S, BRC.getSourceManager());
220     return new PathDiagnosticEventPiece(L, os.str());
221   }
222 };
223 
224 
registerFindLastStore(BugReporterContext & BRC,const MemRegion * R,SVal V)225 static void registerFindLastStore(BugReporterContext& BRC, const MemRegion *R,
226                                   SVal V) {
227   BRC.addVisitor(new FindLastStoreBRVisitor(V, R));
228 }
229 
230 class TrackConstraintBRVisitor : public BugReporterVisitor {
231   DefinedSVal Constraint;
232   const bool Assumption;
233   bool isSatisfied;
234 public:
TrackConstraintBRVisitor(DefinedSVal constraint,bool assumption)235   TrackConstraintBRVisitor(DefinedSVal constraint, bool assumption)
236   : Constraint(constraint), Assumption(assumption), isSatisfied(false) {}
237 
Profile(llvm::FoldingSetNodeID & ID) const238   void Profile(llvm::FoldingSetNodeID &ID) const {
239     static int tag = 0;
240     ID.AddPointer(&tag);
241     ID.AddBoolean(Assumption);
242     ID.Add(Constraint);
243   }
244 
VisitNode(const ExplodedNode * N,const ExplodedNode * PrevN,BugReporterContext & BRC)245   PathDiagnosticPiece* VisitNode(const ExplodedNode *N,
246                                  const ExplodedNode *PrevN,
247                                  BugReporterContext& BRC) {
248     if (isSatisfied)
249       return NULL;
250 
251     // Check if in the previous state it was feasible for this constraint
252     // to *not* be true.
253     if (PrevN->getState()->assume(Constraint, !Assumption)) {
254 
255       isSatisfied = true;
256 
257       // As a sanity check, make sure that the negation of the constraint
258       // was infeasible in the current state.  If it is feasible, we somehow
259       // missed the transition point.
260       if (N->getState()->assume(Constraint, !Assumption))
261         return NULL;
262 
263       // We found the transition point for the constraint.  We now need to
264       // pretty-print the constraint. (work-in-progress)
265       std::string sbuf;
266       llvm::raw_string_ostream os(sbuf);
267 
268       if (isa<Loc>(Constraint)) {
269         os << "Assuming pointer value is ";
270         os << (Assumption ? "non-null" : "null");
271       }
272 
273       if (os.str().empty())
274         return NULL;
275 
276       // FIXME: Refactor this into BugReporterContext.
277       const Stmt *S = 0;
278       ProgramPoint P = N->getLocation();
279 
280       if (BlockEdge *BE = dyn_cast<BlockEdge>(&P)) {
281         const CFGBlock *BSrc = BE->getSrc();
282         S = BSrc->getTerminatorCondition();
283       }
284       else if (PostStmt *PS = dyn_cast<PostStmt>(&P)) {
285         S = PS->getStmt();
286       }
287 
288       if (!S)
289         return NULL;
290 
291       // Construct a new PathDiagnosticPiece.
292       PathDiagnosticLocation L(S, BRC.getSourceManager());
293       return new PathDiagnosticEventPiece(L, os.str());
294     }
295 
296     return NULL;
297   }
298 };
299 } // end anonymous namespace
300 
registerTrackConstraint(BugReporterContext & BRC,DefinedSVal Constraint,bool Assumption)301 static void registerTrackConstraint(BugReporterContext& BRC,
302                                     DefinedSVal Constraint,
303                                     bool Assumption) {
304   BRC.addVisitor(new TrackConstraintBRVisitor(Constraint, Assumption));
305 }
306 
registerTrackNullOrUndefValue(BugReporterContext & BRC,const void * data,const ExplodedNode * N)307 void bugreporter::registerTrackNullOrUndefValue(BugReporterContext& BRC,
308                                                 const void *data,
309                                                 const ExplodedNode* N) {
310 
311   const Stmt *S = static_cast<const Stmt*>(data);
312 
313   if (!S)
314     return;
315 
316   GRStateManager &StateMgr = BRC.getStateManager();
317   const GRState *state = N->getState();
318 
319   // Walk through lvalue-to-rvalue conversions.
320   if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(S)) {
321     if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
322       const VarRegion *R =
323         StateMgr.getRegionManager().getVarRegion(VD, N->getLocationContext());
324 
325       // What did we load?
326       SVal V = state->getSVal(loc::MemRegionVal(R));
327 
328       if (isa<loc::ConcreteInt>(V) || isa<nonloc::ConcreteInt>(V)
329           || V.isUndef()) {
330         ::registerFindLastStore(BRC, R, V);
331       }
332     }
333   }
334 
335   SVal V = state->getSValAsScalarOrLoc(S);
336 
337   // Uncomment this to find cases where we aren't properly getting the
338   // base value that was dereferenced.
339   // assert(!V.isUnknownOrUndef());
340 
341   // Is it a symbolic value?
342   if (loc::MemRegionVal *L = dyn_cast<loc::MemRegionVal>(&V)) {
343     const SubRegion *R = cast<SubRegion>(L->getRegion());
344     while (R && !isa<SymbolicRegion>(R)) {
345       R = dyn_cast<SubRegion>(R->getSuperRegion());
346     }
347 
348     if (R) {
349       assert(isa<SymbolicRegion>(R));
350       registerTrackConstraint(BRC, loc::MemRegionVal(R), false);
351     }
352   }
353 }
354 
registerFindLastStore(BugReporterContext & BRC,const void * data,const ExplodedNode * N)355 void bugreporter::registerFindLastStore(BugReporterContext& BRC,
356                                         const void *data,
357                                         const ExplodedNode* N) {
358 
359   const MemRegion *R = static_cast<const MemRegion*>(data);
360 
361   if (!R)
362     return;
363 
364   const GRState *state = N->getState();
365   SVal V = state->getSVal(R);
366 
367   if (V.isUnknown())
368     return;
369 
370   BRC.addVisitor(new FindLastStoreBRVisitor(V, R));
371 }
372 
373 
374 namespace {
375 class NilReceiverVisitor : public BugReporterVisitor {
376 public:
NilReceiverVisitor()377   NilReceiverVisitor() {}
378 
Profile(llvm::FoldingSetNodeID & ID) const379   void Profile(llvm::FoldingSetNodeID &ID) const {
380     static int x = 0;
381     ID.AddPointer(&x);
382   }
383 
VisitNode(const ExplodedNode * N,const ExplodedNode * PrevN,BugReporterContext & BRC)384   PathDiagnosticPiece* VisitNode(const ExplodedNode *N,
385                                  const ExplodedNode *PrevN,
386                                  BugReporterContext& BRC) {
387 
388     const PostStmt *P = N->getLocationAs<PostStmt>();
389     if (!P)
390       return 0;
391     const ObjCMessageExpr *ME = P->getStmtAs<ObjCMessageExpr>();
392     if (!ME)
393       return 0;
394     const Expr *Receiver = ME->getInstanceReceiver();
395     if (!Receiver)
396       return 0;
397     const GRState *state = N->getState();
398     const SVal &V = state->getSVal(Receiver);
399     const DefinedOrUnknownSVal *DV = dyn_cast<DefinedOrUnknownSVal>(&V);
400     if (!DV)
401       return 0;
402     state = state->assume(*DV, true);
403     if (state)
404       return 0;
405 
406     // The receiver was nil, and hence the method was skipped.
407     // Register a BugReporterVisitor to issue a message telling us how
408     // the receiver was null.
409     bugreporter::registerTrackNullOrUndefValue(BRC, Receiver, N);
410     // Issue a message saying that the method was skipped.
411     PathDiagnosticLocation L(Receiver, BRC.getSourceManager());
412     return new PathDiagnosticEventPiece(L, "No method actually called "
413                                            "because the receiver is nil");
414   }
415 };
416 } // end anonymous namespace
417 
registerNilReceiverVisitor(BugReporterContext & BRC)418 void bugreporter::registerNilReceiverVisitor(BugReporterContext &BRC) {
419   BRC.addVisitor(new NilReceiverVisitor());
420 }
421 
422 // Registers every VarDecl inside a Stmt with a last store vistor.
registerVarDeclsLastStore(BugReporterContext & BRC,const void * stmt,const ExplodedNode * N)423 void bugreporter::registerVarDeclsLastStore(BugReporterContext &BRC,
424                                                    const void *stmt,
425                                                    const ExplodedNode *N) {
426   const Stmt *S = static_cast<const Stmt *>(stmt);
427 
428   std::deque<const Stmt *> WorkList;
429 
430   WorkList.push_back(S);
431 
432   while (!WorkList.empty()) {
433     const Stmt *Head = WorkList.front();
434     WorkList.pop_front();
435 
436     GRStateManager &StateMgr = BRC.getStateManager();
437     const GRState *state = N->getState();
438 
439     if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Head)) {
440       if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
441         const VarRegion *R =
442         StateMgr.getRegionManager().getVarRegion(VD, N->getLocationContext());
443 
444         // What did we load?
445         SVal V = state->getSVal(S);
446 
447         if (isa<loc::ConcreteInt>(V) || isa<nonloc::ConcreteInt>(V)) {
448           ::registerFindLastStore(BRC, R, V);
449         }
450       }
451     }
452 
453     for (Stmt::const_child_iterator I = Head->child_begin();
454         I != Head->child_end(); ++I)
455       WorkList.push_back(*I);
456   }
457 }
458