1 //===--- UndefinedAssignmentChecker.h ---------------------------*- C++ -*--==//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines UndefinedAssignmentChecker, a builtin check in ExprEngine that
11 // checks for assigning undefined values.
12 //
13 //===----------------------------------------------------------------------===//
14
15 #include "ClangSACheckers.h"
16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17 #include "clang/StaticAnalyzer/Core/Checker.h"
18 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20
21 using namespace clang;
22 using namespace ento;
23
24 namespace {
25 class UndefinedAssignmentChecker
26 : public Checker<check::Bind> {
27 mutable std::unique_ptr<BugType> BT;
28
29 public:
30 void checkBind(SVal location, SVal val, const Stmt *S,
31 CheckerContext &C) const;
32 };
33 }
34
checkBind(SVal location,SVal val,const Stmt * StoreE,CheckerContext & C) const35 void UndefinedAssignmentChecker::checkBind(SVal location, SVal val,
36 const Stmt *StoreE,
37 CheckerContext &C) const {
38 if (!val.isUndef())
39 return;
40
41 // Do not report assignments of uninitialized values inside swap functions.
42 // This should allow to swap partially uninitialized structs
43 // (radar://14129997)
44 if (const FunctionDecl *EnclosingFunctionDecl =
45 dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
46 if (C.getCalleeName(EnclosingFunctionDecl) == "swap")
47 return;
48
49 ExplodedNode *N = C.generateSink();
50
51 if (!N)
52 return;
53
54 const char *str = "Assigned value is garbage or undefined";
55
56 if (!BT)
57 BT.reset(new BuiltinBug(this, str));
58
59 // Generate a report for this bug.
60 const Expr *ex = nullptr;
61
62 while (StoreE) {
63 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(StoreE)) {
64 if (B->isCompoundAssignmentOp()) {
65 ProgramStateRef state = C.getState();
66 if (state->getSVal(B->getLHS(), C.getLocationContext()).isUndef()) {
67 str = "The left expression of the compound assignment is an "
68 "uninitialized value. The computed value will also be garbage";
69 ex = B->getLHS();
70 break;
71 }
72 }
73
74 ex = B->getRHS();
75 break;
76 }
77
78 if (const DeclStmt *DS = dyn_cast<DeclStmt>(StoreE)) {
79 const VarDecl *VD = dyn_cast<VarDecl>(DS->getSingleDecl());
80 ex = VD->getInit();
81 }
82
83 break;
84 }
85
86 BugReport *R = new BugReport(*BT, str, N);
87 if (ex) {
88 R->addRange(ex->getSourceRange());
89 bugreporter::trackNullOrUndefValue(N, ex, *R);
90 }
91 C.emitReport(R);
92 }
93
registerUndefinedAssignmentChecker(CheckerManager & mgr)94 void ento::registerUndefinedAssignmentChecker(CheckerManager &mgr) {
95 mgr.registerChecker<UndefinedAssignmentChecker>();
96 }
97