• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //===--- AttrNonNullChecker.h - Undefined arguments checker ----*- C++ -*--===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines AttrNonNullChecker, a builtin check in ExprEngine that
11 // performs checks for arguments declared to have nonnull attribute.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "clang/StaticAnalyzer/Core/Checker.h"
17 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
18 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
21 
22 using namespace clang;
23 using namespace ento;
24 
25 namespace {
26 class AttrNonNullChecker
27   : public Checker< check::PreCall > {
28   mutable OwningPtr<BugType> BT;
29 public:
30 
31   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
32 };
33 } // end anonymous namespace
34 
checkPreCall(const CallEvent & Call,CheckerContext & C) const35 void AttrNonNullChecker::checkPreCall(const CallEvent &Call,
36                                       CheckerContext &C) const {
37   const Decl *FD = Call.getDecl();
38   if (!FD)
39     return;
40 
41   const NonNullAttr *Att = FD->getAttr<NonNullAttr>();
42   if (!Att)
43     return;
44 
45   ProgramStateRef state = C.getState();
46 
47   // Iterate through the arguments of CE and check them for null.
48   for (unsigned idx = 0, count = Call.getNumArgs(); idx != count; ++idx) {
49     if (!Att->isNonNull(idx))
50       continue;
51 
52     SVal V = Call.getArgSVal(idx);
53     DefinedSVal *DV = dyn_cast<DefinedSVal>(&V);
54 
55     // If the value is unknown or undefined, we can't perform this check.
56     if (!DV)
57       continue;
58 
59     if (!isa<Loc>(*DV)) {
60       // If the argument is a union type, we want to handle a potential
61       // transparent_union GCC extension.
62       const Expr *ArgE = Call.getArgExpr(idx);
63       if (!ArgE)
64         continue;
65 
66       QualType T = ArgE->getType();
67       const RecordType *UT = T->getAsUnionType();
68       if (!UT || !UT->getDecl()->hasAttr<TransparentUnionAttr>())
69         continue;
70 
71       if (nonloc::CompoundVal *CSV = dyn_cast<nonloc::CompoundVal>(DV)) {
72         nonloc::CompoundVal::iterator CSV_I = CSV->begin();
73         assert(CSV_I != CSV->end());
74         V = *CSV_I;
75         DV = dyn_cast<DefinedSVal>(&V);
76         assert(++CSV_I == CSV->end());
77         if (!DV)
78           continue;
79       } else {
80         // FIXME: Handle LazyCompoundVals?
81         continue;
82       }
83     }
84 
85     ConstraintManager &CM = C.getConstraintManager();
86     ProgramStateRef stateNotNull, stateNull;
87     llvm::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV);
88 
89     if (stateNull && !stateNotNull) {
90       // Generate an error node.  Check for a null node in case
91       // we cache out.
92       if (ExplodedNode *errorNode = C.generateSink(stateNull)) {
93 
94         // Lazily allocate the BugType object if it hasn't already been
95         // created. Ownership is transferred to the BugReporter object once
96         // the BugReport is passed to 'EmitWarning'.
97         if (!BT)
98           BT.reset(new BugType("Argument with 'nonnull' attribute passed null",
99                                "API"));
100 
101         BugReport *R =
102           new BugReport(*BT, "Null pointer passed as an argument to a "
103                              "'nonnull' parameter", errorNode);
104 
105         // Highlight the range of the argument that was null.
106         R->addRange(Call.getArgSourceRange(idx));
107         if (const Expr *ArgE = Call.getArgExpr(idx))
108           bugreporter::trackNullOrUndefValue(errorNode, ArgE, *R);
109         // Emit the bug report.
110         C.EmitReport(R);
111       }
112 
113       // Always return.  Either we cached out or we just emitted an error.
114       return;
115     }
116 
117     // If a pointer value passed the check we should assume that it is
118     // indeed not null from this point forward.
119     assert(stateNotNull);
120     state = stateNotNull;
121   }
122 
123   // If we reach here all of the arguments passed the nonnull check.
124   // If 'state' has been updated generated a new node.
125   C.addTransition(state);
126 }
127 
registerAttrNonNullChecker(CheckerManager & mgr)128 void ento::registerAttrNonNullChecker(CheckerManager &mgr) {
129   mgr.registerChecker<AttrNonNullChecker>();
130 }
131