1//===- BugReporterVisitors.cpp - Helpers for reporting bugs ---------------===// 2// 3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4// See https://llvm.org/LICENSE.txt for license information. 5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6// 7//===----------------------------------------------------------------------===// 8// 9// This file defines a set of BugReporter "visitors" which can be used to 10// enhance the diagnostics reported for a bug. 11// 12//===----------------------------------------------------------------------===// 13 14#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h" 15#include "clang/AST/ASTContext.h" 16#include "clang/AST/Decl.h" 17#include "clang/AST/DeclBase.h" 18#include "clang/AST/DeclCXX.h" 19#include "clang/AST/Expr.h" 20#include "clang/AST/ExprCXX.h" 21#include "clang/AST/ExprObjC.h" 22#include "clang/AST/Stmt.h" 23#include "clang/AST/Type.h" 24#include "clang/ASTMatchers/ASTMatchFinder.h" 25#include "clang/Analysis/Analyses/Dominators.h" 26#include "clang/Analysis/AnalysisDeclContext.h" 27#include "clang/Analysis/CFG.h" 28#include "clang/Analysis/CFGStmtMap.h" 29#include "clang/Analysis/PathDiagnostic.h" 30#include "clang/Analysis/ProgramPoint.h" 31#include "clang/Basic/IdentifierTable.h" 32#include "clang/Basic/LLVM.h" 33#include "clang/Basic/SourceLocation.h" 34#include "clang/Basic/SourceManager.h" 35#include "clang/Lex/Lexer.h" 36#include "clang/StaticAnalyzer/Core/AnalyzerOptions.h" 37#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 38#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 39#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 40#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h" 41#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 42#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 43#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 44#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" 45#include "clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h" 46#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 47#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 48#include "llvm/ADT/ArrayRef.h" 49#include "llvm/ADT/None.h" 50#include "llvm/ADT/Optional.h" 51#include "llvm/ADT/STLExtras.h" 52#include "llvm/ADT/SmallPtrSet.h" 53#include "llvm/ADT/SmallString.h" 54#include "llvm/ADT/SmallVector.h" 55#include "llvm/ADT/StringExtras.h" 56#include "llvm/ADT/StringRef.h" 57#include "llvm/Support/Casting.h" 58#include "llvm/Support/ErrorHandling.h" 59#include "llvm/Support/raw_ostream.h" 60#include <cassert> 61#include <deque> 62#include <memory> 63#include <string> 64#include <utility> 65 66using namespace clang; 67using namespace ento; 68 69//===----------------------------------------------------------------------===// 70// Utility functions. 71//===----------------------------------------------------------------------===// 72 73static const Expr *peelOffPointerArithmetic(const BinaryOperator *B) { 74 if (B->isAdditiveOp() && B->getType()->isPointerType()) { 75 if (B->getLHS()->getType()->isPointerType()) { 76 return B->getLHS(); 77 } else if (B->getRHS()->getType()->isPointerType()) { 78 return B->getRHS(); 79 } 80 } 81 return nullptr; 82} 83 84/// Given that expression S represents a pointer that would be dereferenced, 85/// try to find a sub-expression from which the pointer came from. 86/// This is used for tracking down origins of a null or undefined value: 87/// "this is null because that is null because that is null" etc. 88/// We wipe away field and element offsets because they merely add offsets. 89/// We also wipe away all casts except lvalue-to-rvalue casts, because the 90/// latter represent an actual pointer dereference; however, we remove 91/// the final lvalue-to-rvalue cast before returning from this function 92/// because it demonstrates more clearly from where the pointer rvalue was 93/// loaded. Examples: 94/// x->y.z ==> x (lvalue) 95/// foo()->y.z ==> foo() (rvalue) 96const Expr *bugreporter::getDerefExpr(const Stmt *S) { 97 const auto *E = dyn_cast<Expr>(S); 98 if (!E) 99 return nullptr; 100 101 while (true) { 102 if (const auto *CE = dyn_cast<CastExpr>(E)) { 103 if (CE->getCastKind() == CK_LValueToRValue) { 104 // This cast represents the load we're looking for. 105 break; 106 } 107 E = CE->getSubExpr(); 108 } else if (const auto *B = dyn_cast<BinaryOperator>(E)) { 109 // Pointer arithmetic: '*(x + 2)' -> 'x') etc. 110 if (const Expr *Inner = peelOffPointerArithmetic(B)) { 111 E = Inner; 112 } else { 113 // Probably more arithmetic can be pattern-matched here, 114 // but for now give up. 115 break; 116 } 117 } else if (const auto *U = dyn_cast<UnaryOperator>(E)) { 118 if (U->getOpcode() == UO_Deref || U->getOpcode() == UO_AddrOf || 119 (U->isIncrementDecrementOp() && U->getType()->isPointerType())) { 120 // Operators '*' and '&' don't actually mean anything. 121 // We look at casts instead. 122 E = U->getSubExpr(); 123 } else { 124 // Probably more arithmetic can be pattern-matched here, 125 // but for now give up. 126 break; 127 } 128 } 129 // Pattern match for a few useful cases: a[0], p->f, *p etc. 130 else if (const auto *ME = dyn_cast<MemberExpr>(E)) { 131 E = ME->getBase(); 132 } else if (const auto *IvarRef = dyn_cast<ObjCIvarRefExpr>(E)) { 133 E = IvarRef->getBase(); 134 } else if (const auto *AE = dyn_cast<ArraySubscriptExpr>(E)) { 135 E = AE->getBase(); 136 } else if (const auto *PE = dyn_cast<ParenExpr>(E)) { 137 E = PE->getSubExpr(); 138 } else if (const auto *FE = dyn_cast<FullExpr>(E)) { 139 E = FE->getSubExpr(); 140 } else { 141 // Other arbitrary stuff. 142 break; 143 } 144 } 145 146 // Special case: remove the final lvalue-to-rvalue cast, but do not recurse 147 // deeper into the sub-expression. This way we return the lvalue from which 148 // our pointer rvalue was loaded. 149 if (const auto *CE = dyn_cast<ImplicitCastExpr>(E)) 150 if (CE->getCastKind() == CK_LValueToRValue) 151 E = CE->getSubExpr(); 152 153 return E; 154} 155 156static const MemRegion * 157getLocationRegionIfReference(const Expr *E, const ExplodedNode *N, 158 bool LookingForReference = true) { 159 if (const auto *DR = dyn_cast<DeclRefExpr>(E)) { 160 if (const auto *VD = dyn_cast<VarDecl>(DR->getDecl())) { 161 if (LookingForReference && !VD->getType()->isReferenceType()) 162 return nullptr; 163 return N->getState() 164 ->getLValue(VD, N->getLocationContext()) 165 .getAsRegion(); 166 } 167 } 168 169 // FIXME: This does not handle other kinds of null references, 170 // for example, references from FieldRegions: 171 // struct Wrapper { int &ref; }; 172 // Wrapper w = { *(int *)0 }; 173 // w.ref = 1; 174 175 return nullptr; 176} 177 178/// Comparing internal representations of symbolic values (via 179/// SVal::operator==()) is a valid way to check if the value was updated, 180/// unless it's a LazyCompoundVal that may have a different internal 181/// representation every time it is loaded from the state. In this function we 182/// do an approximate comparison for lazy compound values, checking that they 183/// are the immediate snapshots of the tracked region's bindings within the 184/// node's respective states but not really checking that these snapshots 185/// actually contain the same set of bindings. 186static bool hasVisibleUpdate(const ExplodedNode *LeftNode, SVal LeftVal, 187 const ExplodedNode *RightNode, SVal RightVal) { 188 if (LeftVal == RightVal) 189 return true; 190 191 const auto LLCV = LeftVal.getAs<nonloc::LazyCompoundVal>(); 192 if (!LLCV) 193 return false; 194 195 const auto RLCV = RightVal.getAs<nonloc::LazyCompoundVal>(); 196 if (!RLCV) 197 return false; 198 199 return LLCV->getRegion() == RLCV->getRegion() && 200 LLCV->getStore() == LeftNode->getState()->getStore() && 201 RLCV->getStore() == RightNode->getState()->getStore(); 202} 203 204static Optional<SVal> getSValForVar(const Expr *CondVarExpr, 205 const ExplodedNode *N) { 206 ProgramStateRef State = N->getState(); 207 const LocationContext *LCtx = N->getLocationContext(); 208 209 assert(CondVarExpr); 210 CondVarExpr = CondVarExpr->IgnoreImpCasts(); 211 212 // The declaration of the value may rely on a pointer so take its l-value. 213 // FIXME: As seen in VisitCommonDeclRefExpr, sometimes DeclRefExpr may 214 // evaluate to a FieldRegion when it refers to a declaration of a lambda 215 // capture variable. We most likely need to duplicate that logic here. 216 if (const auto *DRE = dyn_cast<DeclRefExpr>(CondVarExpr)) 217 if (const auto *VD = dyn_cast<VarDecl>(DRE->getDecl())) 218 return State->getSVal(State->getLValue(VD, LCtx)); 219 220 if (const auto *ME = dyn_cast<MemberExpr>(CondVarExpr)) 221 if (const auto *FD = dyn_cast<FieldDecl>(ME->getMemberDecl())) 222 if (auto FieldL = State->getSVal(ME, LCtx).getAs<Loc>()) 223 return State->getRawSVal(*FieldL, FD->getType()); 224 225 return None; 226} 227 228static Optional<const llvm::APSInt *> 229getConcreteIntegerValue(const Expr *CondVarExpr, const ExplodedNode *N) { 230 231 if (Optional<SVal> V = getSValForVar(CondVarExpr, N)) 232 if (auto CI = V->getAs<nonloc::ConcreteInt>()) 233 return &CI->getValue(); 234 return None; 235} 236 237static bool isVarAnInterestingCondition(const Expr *CondVarExpr, 238 const ExplodedNode *N, 239 const PathSensitiveBugReport *B) { 240 // Even if this condition is marked as interesting, it isn't *that* 241 // interesting if it didn't happen in a nested stackframe, the user could just 242 // follow the arrows. 243 if (!B->getErrorNode()->getStackFrame()->isParentOf(N->getStackFrame())) 244 return false; 245 246 if (Optional<SVal> V = getSValForVar(CondVarExpr, N)) 247 if (Optional<bugreporter::TrackingKind> K = B->getInterestingnessKind(*V)) 248 return *K == bugreporter::TrackingKind::Condition; 249 250 return false; 251} 252 253static bool isInterestingExpr(const Expr *E, const ExplodedNode *N, 254 const PathSensitiveBugReport *B) { 255 if (Optional<SVal> V = getSValForVar(E, N)) 256 return B->getInterestingnessKind(*V).hasValue(); 257 return false; 258} 259 260/// \return name of the macro inside the location \p Loc. 261static StringRef getMacroName(SourceLocation Loc, 262 BugReporterContext &BRC) { 263 return Lexer::getImmediateMacroName( 264 Loc, 265 BRC.getSourceManager(), 266 BRC.getASTContext().getLangOpts()); 267} 268 269/// \return Whether given spelling location corresponds to an expansion 270/// of a function-like macro. 271static bool isFunctionMacroExpansion(SourceLocation Loc, 272 const SourceManager &SM) { 273 if (!Loc.isMacroID()) 274 return false; 275 while (SM.isMacroArgExpansion(Loc)) 276 Loc = SM.getImmediateExpansionRange(Loc).getBegin(); 277 std::pair<FileID, unsigned> TLInfo = SM.getDecomposedLoc(Loc); 278 SrcMgr::SLocEntry SE = SM.getSLocEntry(TLInfo.first); 279 const SrcMgr::ExpansionInfo &EInfo = SE.getExpansion(); 280 return EInfo.isFunctionMacroExpansion(); 281} 282 283/// \return Whether \c RegionOfInterest was modified at \p N, 284/// where \p ValueAfter is \c RegionOfInterest's value at the end of the 285/// stack frame. 286static bool wasRegionOfInterestModifiedAt(const SubRegion *RegionOfInterest, 287 const ExplodedNode *N, 288 SVal ValueAfter) { 289 ProgramStateRef State = N->getState(); 290 ProgramStateManager &Mgr = N->getState()->getStateManager(); 291 292 if (!N->getLocationAs<PostStore>() && !N->getLocationAs<PostInitializer>() && 293 !N->getLocationAs<PostStmt>()) 294 return false; 295 296 // Writing into region of interest. 297 if (auto PS = N->getLocationAs<PostStmt>()) 298 if (auto *BO = PS->getStmtAs<BinaryOperator>()) 299 if (BO->isAssignmentOp() && RegionOfInterest->isSubRegionOf( 300 N->getSVal(BO->getLHS()).getAsRegion())) 301 return true; 302 303 // SVal after the state is possibly different. 304 SVal ValueAtN = N->getState()->getSVal(RegionOfInterest); 305 if (!Mgr.getSValBuilder() 306 .areEqual(State, ValueAtN, ValueAfter) 307 .isConstrainedTrue() && 308 (!ValueAtN.isUndef() || !ValueAfter.isUndef())) 309 return true; 310 311 return false; 312} 313 314//===----------------------------------------------------------------------===// 315// Implementation of BugReporterVisitor. 316//===----------------------------------------------------------------------===// 317 318PathDiagnosticPieceRef BugReporterVisitor::getEndPath(BugReporterContext &, 319 const ExplodedNode *, 320 PathSensitiveBugReport &) { 321 return nullptr; 322} 323 324void BugReporterVisitor::finalizeVisitor(BugReporterContext &, 325 const ExplodedNode *, 326 PathSensitiveBugReport &) {} 327 328PathDiagnosticPieceRef 329BugReporterVisitor::getDefaultEndPath(const BugReporterContext &BRC, 330 const ExplodedNode *EndPathNode, 331 const PathSensitiveBugReport &BR) { 332 PathDiagnosticLocation L = BR.getLocation(); 333 const auto &Ranges = BR.getRanges(); 334 335 // Only add the statement itself as a range if we didn't specify any 336 // special ranges for this report. 337 auto P = std::make_shared<PathDiagnosticEventPiece>( 338 L, BR.getDescription(), Ranges.begin() == Ranges.end()); 339 for (SourceRange Range : Ranges) 340 P->addRange(Range); 341 342 return P; 343} 344 345//===----------------------------------------------------------------------===// 346// Implementation of NoStoreFuncVisitor. 347//===----------------------------------------------------------------------===// 348 349namespace { 350 351/// Put a diagnostic on return statement of all inlined functions 352/// for which the region of interest \p RegionOfInterest was passed into, 353/// but not written inside, and it has caused an undefined read or a null 354/// pointer dereference outside. 355class NoStoreFuncVisitor final : public BugReporterVisitor { 356 const SubRegion *RegionOfInterest; 357 MemRegionManager &MmrMgr; 358 const SourceManager &SM; 359 const PrintingPolicy &PP; 360 bugreporter::TrackingKind TKind; 361 362 /// Recursion limit for dereferencing fields when looking for the 363 /// region of interest. 364 /// The limit of two indicates that we will dereference fields only once. 365 static const unsigned DEREFERENCE_LIMIT = 2; 366 367 /// Frames writing into \c RegionOfInterest. 368 /// This visitor generates a note only if a function does not write into 369 /// a region of interest. This information is not immediately available 370 /// by looking at the node associated with the exit from the function 371 /// (usually the return statement). To avoid recomputing the same information 372 /// many times (going up the path for each node and checking whether the 373 /// region was written into) we instead lazily compute the 374 /// stack frames along the path which write into the region of interest. 375 llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingRegion; 376 llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated; 377 378 using RegionVector = SmallVector<const MemRegion *, 5>; 379 380public: 381 NoStoreFuncVisitor(const SubRegion *R, bugreporter::TrackingKind TKind) 382 : RegionOfInterest(R), MmrMgr(R->getMemRegionManager()), 383 SM(MmrMgr.getContext().getSourceManager()), 384 PP(MmrMgr.getContext().getPrintingPolicy()), TKind(TKind) {} 385 386 void Profile(llvm::FoldingSetNodeID &ID) const override { 387 static int Tag = 0; 388 ID.AddPointer(&Tag); 389 ID.AddPointer(RegionOfInterest); 390 } 391 392 void *getTag() const { 393 static int Tag = 0; 394 return static_cast<void *>(&Tag); 395 } 396 397 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 398 BugReporterContext &BR, 399 PathSensitiveBugReport &R) override; 400 401private: 402 /// Attempts to find the region of interest in a given record decl, 403 /// by either following the base classes or fields. 404 /// Dereferences fields up to a given recursion limit. 405 /// Note that \p Vec is passed by value, leading to quadratic copying cost, 406 /// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT. 407 /// \return A chain fields leading to the region of interest or None. 408 const Optional<RegionVector> 409 findRegionOfInterestInRecord(const RecordDecl *RD, ProgramStateRef State, 410 const MemRegion *R, const RegionVector &Vec = {}, 411 int depth = 0); 412 413 /// Check and lazily calculate whether the region of interest is 414 /// modified in the stack frame to which \p N belongs. 415 /// The calculation is cached in FramesModifyingRegion. 416 bool isRegionOfInterestModifiedInFrame(const ExplodedNode *N) { 417 const LocationContext *Ctx = N->getLocationContext(); 418 const StackFrameContext *SCtx = Ctx->getStackFrame(); 419 if (!FramesModifyingCalculated.count(SCtx)) 420 findModifyingFrames(N); 421 return FramesModifyingRegion.count(SCtx); 422 } 423 424 /// Write to \c FramesModifyingRegion all stack frames along 425 /// the path in the current stack frame which modify \c RegionOfInterest. 426 void findModifyingFrames(const ExplodedNode *N); 427 428 /// Consume the information on the no-store stack frame in order to 429 /// either emit a note or suppress the report enirely. 430 /// \return Diagnostics piece for region not modified in the current function, 431 /// if it decides to emit one. 432 PathDiagnosticPieceRef 433 maybeEmitNote(PathSensitiveBugReport &R, const CallEvent &Call, 434 const ExplodedNode *N, const RegionVector &FieldChain, 435 const MemRegion *MatchedRegion, StringRef FirstElement, 436 bool FirstIsReferenceType, unsigned IndirectionLevel); 437 438 /// Pretty-print region \p MatchedRegion to \p os. 439 /// \return Whether printing succeeded. 440 bool prettyPrintRegionName(StringRef FirstElement, bool FirstIsReferenceType, 441 const MemRegion *MatchedRegion, 442 const RegionVector &FieldChain, 443 int IndirectionLevel, 444 llvm::raw_svector_ostream &os); 445 446 /// Print first item in the chain, return new separator. 447 static StringRef prettyPrintFirstElement(StringRef FirstElement, 448 bool MoreItemsExpected, 449 int IndirectionLevel, 450 llvm::raw_svector_ostream &os); 451}; 452 453} // end of anonymous namespace 454 455/// \return Whether the method declaration \p Parent 456/// syntactically has a binary operation writing into the ivar \p Ivar. 457static bool potentiallyWritesIntoIvar(const Decl *Parent, 458 const ObjCIvarDecl *Ivar) { 459 using namespace ast_matchers; 460 const char *IvarBind = "Ivar"; 461 if (!Parent || !Parent->hasBody()) 462 return false; 463 StatementMatcher WriteIntoIvarM = binaryOperator( 464 hasOperatorName("="), 465 hasLHS(ignoringParenImpCasts( 466 objcIvarRefExpr(hasDeclaration(equalsNode(Ivar))).bind(IvarBind)))); 467 StatementMatcher ParentM = stmt(hasDescendant(WriteIntoIvarM)); 468 auto Matches = match(ParentM, *Parent->getBody(), Parent->getASTContext()); 469 for (BoundNodes &Match : Matches) { 470 auto IvarRef = Match.getNodeAs<ObjCIvarRefExpr>(IvarBind); 471 if (IvarRef->isFreeIvar()) 472 return true; 473 474 const Expr *Base = IvarRef->getBase(); 475 if (const auto *ICE = dyn_cast<ImplicitCastExpr>(Base)) 476 Base = ICE->getSubExpr(); 477 478 if (const auto *DRE = dyn_cast<DeclRefExpr>(Base)) 479 if (const auto *ID = dyn_cast<ImplicitParamDecl>(DRE->getDecl())) 480 if (ID->getParameterKind() == ImplicitParamDecl::ObjCSelf) 481 return true; 482 483 return false; 484 } 485 return false; 486} 487 488/// Get parameters associated with runtime definition in order 489/// to get the correct parameter name. 490static ArrayRef<ParmVarDecl *> getCallParameters(CallEventRef<> Call) { 491 // Use runtime definition, if available. 492 RuntimeDefinition RD = Call->getRuntimeDefinition(); 493 if (const auto *FD = dyn_cast_or_null<FunctionDecl>(RD.getDecl())) 494 return FD->parameters(); 495 if (const auto *MD = dyn_cast_or_null<ObjCMethodDecl>(RD.getDecl())) 496 return MD->parameters(); 497 498 return Call->parameters(); 499} 500 501/// \return whether \p Ty points to a const type, or is a const reference. 502static bool isPointerToConst(QualType Ty) { 503 return !Ty->getPointeeType().isNull() && 504 Ty->getPointeeType().getCanonicalType().isConstQualified(); 505} 506 507/// Attempts to find the region of interest in a given CXX decl, 508/// by either following the base classes or fields. 509/// Dereferences fields up to a given recursion limit. 510/// Note that \p Vec is passed by value, leading to quadratic copying cost, 511/// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT. 512/// \return A chain fields leading to the region of interest or None. 513const Optional<NoStoreFuncVisitor::RegionVector> 514NoStoreFuncVisitor::findRegionOfInterestInRecord( 515 const RecordDecl *RD, ProgramStateRef State, const MemRegion *R, 516 const NoStoreFuncVisitor::RegionVector &Vec /* = {} */, 517 int depth /* = 0 */) { 518 519 if (depth == DEREFERENCE_LIMIT) // Limit the recursion depth. 520 return None; 521 522 if (const auto *RDX = dyn_cast<CXXRecordDecl>(RD)) 523 if (!RDX->hasDefinition()) 524 return None; 525 526 // Recursively examine the base classes. 527 // Note that following base classes does not increase the recursion depth. 528 if (const auto *RDX = dyn_cast<CXXRecordDecl>(RD)) 529 for (const auto &II : RDX->bases()) 530 if (const RecordDecl *RRD = II.getType()->getAsRecordDecl()) 531 if (Optional<RegionVector> Out = 532 findRegionOfInterestInRecord(RRD, State, R, Vec, depth)) 533 return Out; 534 535 for (const FieldDecl *I : RD->fields()) { 536 QualType FT = I->getType(); 537 const FieldRegion *FR = MmrMgr.getFieldRegion(I, cast<SubRegion>(R)); 538 const SVal V = State->getSVal(FR); 539 const MemRegion *VR = V.getAsRegion(); 540 541 RegionVector VecF = Vec; 542 VecF.push_back(FR); 543 544 if (RegionOfInterest == VR) 545 return VecF; 546 547 if (const RecordDecl *RRD = FT->getAsRecordDecl()) 548 if (auto Out = 549 findRegionOfInterestInRecord(RRD, State, FR, VecF, depth + 1)) 550 return Out; 551 552 QualType PT = FT->getPointeeType(); 553 if (PT.isNull() || PT->isVoidType() || !VR) 554 continue; 555 556 if (const RecordDecl *RRD = PT->getAsRecordDecl()) 557 if (Optional<RegionVector> Out = 558 findRegionOfInterestInRecord(RRD, State, VR, VecF, depth + 1)) 559 return Out; 560 } 561 562 return None; 563} 564 565PathDiagnosticPieceRef 566NoStoreFuncVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BR, 567 PathSensitiveBugReport &R) { 568 569 const LocationContext *Ctx = N->getLocationContext(); 570 const StackFrameContext *SCtx = Ctx->getStackFrame(); 571 ProgramStateRef State = N->getState(); 572 auto CallExitLoc = N->getLocationAs<CallExitBegin>(); 573 574 // No diagnostic if region was modified inside the frame. 575 if (!CallExitLoc || isRegionOfInterestModifiedInFrame(N)) 576 return nullptr; 577 578 CallEventRef<> Call = 579 BR.getStateManager().getCallEventManager().getCaller(SCtx, State); 580 581 // Region of interest corresponds to an IVar, exiting a method 582 // which could have written into that IVar, but did not. 583 if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) { 584 if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) { 585 const MemRegion *SelfRegion = MC->getReceiverSVal().getAsRegion(); 586 if (RegionOfInterest->isSubRegionOf(SelfRegion) && 587 potentiallyWritesIntoIvar(Call->getRuntimeDefinition().getDecl(), 588 IvarR->getDecl())) 589 return maybeEmitNote(R, *Call, N, {}, SelfRegion, "self", 590 /*FirstIsReferenceType=*/false, 1); 591 } 592 } 593 594 if (const auto *CCall = dyn_cast<CXXConstructorCall>(Call)) { 595 const MemRegion *ThisR = CCall->getCXXThisVal().getAsRegion(); 596 if (RegionOfInterest->isSubRegionOf(ThisR) && 597 !CCall->getDecl()->isImplicit()) 598 return maybeEmitNote(R, *Call, N, {}, ThisR, "this", 599 /*FirstIsReferenceType=*/false, 1); 600 601 // Do not generate diagnostics for not modified parameters in 602 // constructors. 603 return nullptr; 604 } 605 606 ArrayRef<ParmVarDecl *> parameters = getCallParameters(Call); 607 for (unsigned I = 0; I < Call->getNumArgs() && I < parameters.size(); ++I) { 608 const ParmVarDecl *PVD = parameters[I]; 609 SVal V = Call->getArgSVal(I); 610 bool ParamIsReferenceType = PVD->getType()->isReferenceType(); 611 std::string ParamName = PVD->getNameAsString(); 612 613 int IndirectionLevel = 1; 614 QualType T = PVD->getType(); 615 while (const MemRegion *MR = V.getAsRegion()) { 616 if (RegionOfInterest->isSubRegionOf(MR) && !isPointerToConst(T)) 617 return maybeEmitNote(R, *Call, N, {}, MR, ParamName, 618 ParamIsReferenceType, IndirectionLevel); 619 620 QualType PT = T->getPointeeType(); 621 if (PT.isNull() || PT->isVoidType()) 622 break; 623 624 if (const RecordDecl *RD = PT->getAsRecordDecl()) 625 if (Optional<RegionVector> P = 626 findRegionOfInterestInRecord(RD, State, MR)) 627 return maybeEmitNote(R, *Call, N, *P, RegionOfInterest, ParamName, 628 ParamIsReferenceType, IndirectionLevel); 629 630 V = State->getSVal(MR, PT); 631 T = PT; 632 IndirectionLevel++; 633 } 634 } 635 636 return nullptr; 637} 638 639void NoStoreFuncVisitor::findModifyingFrames(const ExplodedNode *N) { 640 assert(N->getLocationAs<CallExitBegin>()); 641 ProgramStateRef LastReturnState = N->getState(); 642 SVal ValueAtReturn = LastReturnState->getSVal(RegionOfInterest); 643 const LocationContext *Ctx = N->getLocationContext(); 644 const StackFrameContext *OriginalSCtx = Ctx->getStackFrame(); 645 646 do { 647 ProgramStateRef State = N->getState(); 648 auto CallExitLoc = N->getLocationAs<CallExitBegin>(); 649 if (CallExitLoc) { 650 LastReturnState = State; 651 ValueAtReturn = LastReturnState->getSVal(RegionOfInterest); 652 } 653 654 FramesModifyingCalculated.insert(N->getLocationContext()->getStackFrame()); 655 656 if (wasRegionOfInterestModifiedAt(RegionOfInterest, N, ValueAtReturn)) { 657 const StackFrameContext *SCtx = N->getStackFrame(); 658 while (!SCtx->inTopFrame()) { 659 auto p = FramesModifyingRegion.insert(SCtx); 660 if (!p.second) 661 break; // Frame and all its parents already inserted. 662 SCtx = SCtx->getParent()->getStackFrame(); 663 } 664 } 665 666 // Stop calculation at the call to the current function. 667 if (auto CE = N->getLocationAs<CallEnter>()) 668 if (CE->getCalleeContext() == OriginalSCtx) 669 break; 670 671 N = N->getFirstPred(); 672 } while (N); 673} 674 675static llvm::StringLiteral WillBeUsedForACondition = 676 ", which participates in a condition later"; 677 678PathDiagnosticPieceRef NoStoreFuncVisitor::maybeEmitNote( 679 PathSensitiveBugReport &R, const CallEvent &Call, const ExplodedNode *N, 680 const RegionVector &FieldChain, const MemRegion *MatchedRegion, 681 StringRef FirstElement, bool FirstIsReferenceType, 682 unsigned IndirectionLevel) { 683 // Optimistically suppress uninitialized value bugs that result 684 // from system headers having a chance to initialize the value 685 // but failing to do so. It's too unlikely a system header's fault. 686 // It's much more likely a situation in which the function has a failure 687 // mode that the user decided not to check. If we want to hunt such 688 // omitted checks, we should provide an explicit function-specific note 689 // describing the precondition under which the function isn't supposed to 690 // initialize its out-parameter, and additionally check that such 691 // precondition can actually be fulfilled on the current path. 692 if (Call.isInSystemHeader()) { 693 // We make an exception for system header functions that have no branches. 694 // Such functions unconditionally fail to initialize the variable. 695 // If they call other functions that have more paths within them, 696 // this suppression would still apply when we visit these inner functions. 697 // One common example of a standard function that doesn't ever initialize 698 // its out parameter is operator placement new; it's up to the follow-up 699 // constructor (if any) to initialize the memory. 700 if (!N->getStackFrame()->getCFG()->isLinear()) 701 R.markInvalid(getTag(), nullptr); 702 return nullptr; 703 } 704 705 PathDiagnosticLocation L = 706 PathDiagnosticLocation::create(N->getLocation(), SM); 707 708 // For now this shouldn't trigger, but once it does (as we add more 709 // functions to the body farm), we'll need to decide if these reports 710 // are worth suppressing as well. 711 if (!L.hasValidLocation()) 712 return nullptr; 713 714 SmallString<256> sbuf; 715 llvm::raw_svector_ostream os(sbuf); 716 os << "Returning without writing to '"; 717 718 // Do not generate the note if failed to pretty-print. 719 if (!prettyPrintRegionName(FirstElement, FirstIsReferenceType, MatchedRegion, 720 FieldChain, IndirectionLevel, os)) 721 return nullptr; 722 723 os << "'"; 724 if (TKind == bugreporter::TrackingKind::Condition) 725 os << WillBeUsedForACondition; 726 return std::make_shared<PathDiagnosticEventPiece>(L, os.str()); 727} 728 729bool NoStoreFuncVisitor::prettyPrintRegionName(StringRef FirstElement, 730 bool FirstIsReferenceType, 731 const MemRegion *MatchedRegion, 732 const RegionVector &FieldChain, 733 int IndirectionLevel, 734 llvm::raw_svector_ostream &os) { 735 736 if (FirstIsReferenceType) 737 IndirectionLevel--; 738 739 RegionVector RegionSequence; 740 741 // Add the regions in the reverse order, then reverse the resulting array. 742 assert(RegionOfInterest->isSubRegionOf(MatchedRegion)); 743 const MemRegion *R = RegionOfInterest; 744 while (R != MatchedRegion) { 745 RegionSequence.push_back(R); 746 R = cast<SubRegion>(R)->getSuperRegion(); 747 } 748 std::reverse(RegionSequence.begin(), RegionSequence.end()); 749 RegionSequence.append(FieldChain.begin(), FieldChain.end()); 750 751 StringRef Sep; 752 for (const MemRegion *R : RegionSequence) { 753 754 // Just keep going up to the base region. 755 // Element regions may appear due to casts. 756 if (isa<CXXBaseObjectRegion>(R) || isa<CXXTempObjectRegion>(R)) 757 continue; 758 759 if (Sep.empty()) 760 Sep = prettyPrintFirstElement(FirstElement, 761 /*MoreItemsExpected=*/true, 762 IndirectionLevel, os); 763 764 os << Sep; 765 766 // Can only reasonably pretty-print DeclRegions. 767 if (!isa<DeclRegion>(R)) 768 return false; 769 770 const auto *DR = cast<DeclRegion>(R); 771 Sep = DR->getValueType()->isAnyPointerType() ? "->" : "."; 772 DR->getDecl()->getDeclName().print(os, PP); 773 } 774 775 if (Sep.empty()) 776 prettyPrintFirstElement(FirstElement, 777 /*MoreItemsExpected=*/false, IndirectionLevel, os); 778 return true; 779} 780 781StringRef NoStoreFuncVisitor::prettyPrintFirstElement( 782 StringRef FirstElement, bool MoreItemsExpected, int IndirectionLevel, 783 llvm::raw_svector_ostream &os) { 784 StringRef Out = "."; 785 786 if (IndirectionLevel > 0 && MoreItemsExpected) { 787 IndirectionLevel--; 788 Out = "->"; 789 } 790 791 if (IndirectionLevel > 0 && MoreItemsExpected) 792 os << "("; 793 794 for (int i = 0; i < IndirectionLevel; i++) 795 os << "*"; 796 os << FirstElement; 797 798 if (IndirectionLevel > 0 && MoreItemsExpected) 799 os << ")"; 800 801 return Out; 802} 803 804//===----------------------------------------------------------------------===// 805// Implementation of MacroNullReturnSuppressionVisitor. 806//===----------------------------------------------------------------------===// 807 808namespace { 809 810/// Suppress null-pointer-dereference bugs where dereferenced null was returned 811/// the macro. 812class MacroNullReturnSuppressionVisitor final : public BugReporterVisitor { 813 const SubRegion *RegionOfInterest; 814 const SVal ValueAtDereference; 815 816 // Do not invalidate the reports where the value was modified 817 // after it got assigned to from the macro. 818 bool WasModified = false; 819 820public: 821 MacroNullReturnSuppressionVisitor(const SubRegion *R, const SVal V) 822 : RegionOfInterest(R), ValueAtDereference(V) {} 823 824 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 825 BugReporterContext &BRC, 826 PathSensitiveBugReport &BR) override { 827 if (WasModified) 828 return nullptr; 829 830 auto BugPoint = BR.getErrorNode()->getLocation().getAs<StmtPoint>(); 831 if (!BugPoint) 832 return nullptr; 833 834 const SourceManager &SMgr = BRC.getSourceManager(); 835 if (auto Loc = matchAssignment(N)) { 836 if (isFunctionMacroExpansion(*Loc, SMgr)) { 837 std::string MacroName = std::string(getMacroName(*Loc, BRC)); 838 SourceLocation BugLoc = BugPoint->getStmt()->getBeginLoc(); 839 if (!BugLoc.isMacroID() || getMacroName(BugLoc, BRC) != MacroName) 840 BR.markInvalid(getTag(), MacroName.c_str()); 841 } 842 } 843 844 if (wasRegionOfInterestModifiedAt(RegionOfInterest, N, ValueAtDereference)) 845 WasModified = true; 846 847 return nullptr; 848 } 849 850 static void addMacroVisitorIfNecessary( 851 const ExplodedNode *N, const MemRegion *R, 852 bool EnableNullFPSuppression, PathSensitiveBugReport &BR, 853 const SVal V) { 854 AnalyzerOptions &Options = N->getState()->getAnalysisManager().options; 855 if (EnableNullFPSuppression && 856 Options.ShouldSuppressNullReturnPaths && V.getAs<Loc>()) 857 BR.addVisitor(std::make_unique<MacroNullReturnSuppressionVisitor>( 858 R->getAs<SubRegion>(), V)); 859 } 860 861 void* getTag() const { 862 static int Tag = 0; 863 return static_cast<void *>(&Tag); 864 } 865 866 void Profile(llvm::FoldingSetNodeID &ID) const override { 867 ID.AddPointer(getTag()); 868 } 869 870private: 871 /// \return Source location of right hand side of an assignment 872 /// into \c RegionOfInterest, empty optional if none found. 873 Optional<SourceLocation> matchAssignment(const ExplodedNode *N) { 874 const Stmt *S = N->getStmtForDiagnostics(); 875 ProgramStateRef State = N->getState(); 876 auto *LCtx = N->getLocationContext(); 877 if (!S) 878 return None; 879 880 if (const auto *DS = dyn_cast<DeclStmt>(S)) { 881 if (const auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl())) 882 if (const Expr *RHS = VD->getInit()) 883 if (RegionOfInterest->isSubRegionOf( 884 State->getLValue(VD, LCtx).getAsRegion())) 885 return RHS->getBeginLoc(); 886 } else if (const auto *BO = dyn_cast<BinaryOperator>(S)) { 887 const MemRegion *R = N->getSVal(BO->getLHS()).getAsRegion(); 888 const Expr *RHS = BO->getRHS(); 889 if (BO->isAssignmentOp() && RegionOfInterest->isSubRegionOf(R)) { 890 return RHS->getBeginLoc(); 891 } 892 } 893 return None; 894 } 895}; 896 897} // end of anonymous namespace 898 899namespace { 900 901/// Emits an extra note at the return statement of an interesting stack frame. 902/// 903/// The returned value is marked as an interesting value, and if it's null, 904/// adds a visitor to track where it became null. 905/// 906/// This visitor is intended to be used when another visitor discovers that an 907/// interesting value comes from an inlined function call. 908class ReturnVisitor : public BugReporterVisitor { 909 const StackFrameContext *CalleeSFC; 910 enum { 911 Initial, 912 MaybeUnsuppress, 913 Satisfied 914 } Mode = Initial; 915 916 bool EnableNullFPSuppression; 917 bool ShouldInvalidate = true; 918 AnalyzerOptions& Options; 919 bugreporter::TrackingKind TKind; 920 921public: 922 ReturnVisitor(const StackFrameContext *Frame, bool Suppressed, 923 AnalyzerOptions &Options, bugreporter::TrackingKind TKind) 924 : CalleeSFC(Frame), EnableNullFPSuppression(Suppressed), 925 Options(Options), TKind(TKind) {} 926 927 static void *getTag() { 928 static int Tag = 0; 929 return static_cast<void *>(&Tag); 930 } 931 932 void Profile(llvm::FoldingSetNodeID &ID) const override { 933 ID.AddPointer(ReturnVisitor::getTag()); 934 ID.AddPointer(CalleeSFC); 935 ID.AddBoolean(EnableNullFPSuppression); 936 } 937 938 /// Adds a ReturnVisitor if the given statement represents a call that was 939 /// inlined. 940 /// 941 /// This will search back through the ExplodedGraph, starting from the given 942 /// node, looking for when the given statement was processed. If it turns out 943 /// the statement is a call that was inlined, we add the visitor to the 944 /// bug report, so it can print a note later. 945 static void addVisitorIfNecessary(const ExplodedNode *Node, const Stmt *S, 946 PathSensitiveBugReport &BR, 947 bool InEnableNullFPSuppression, 948 bugreporter::TrackingKind TKind) { 949 if (!CallEvent::isCallStmt(S)) 950 return; 951 952 // First, find when we processed the statement. 953 // If we work with a 'CXXNewExpr' that is going to be purged away before 954 // its call take place. We would catch that purge in the last condition 955 // as a 'StmtPoint' so we have to bypass it. 956 const bool BypassCXXNewExprEval = isa<CXXNewExpr>(S); 957 958 // This is moving forward when we enter into another context. 959 const StackFrameContext *CurrentSFC = Node->getStackFrame(); 960 961 do { 962 // If that is satisfied we found our statement as an inlined call. 963 if (Optional<CallExitEnd> CEE = Node->getLocationAs<CallExitEnd>()) 964 if (CEE->getCalleeContext()->getCallSite() == S) 965 break; 966 967 // Try to move forward to the end of the call-chain. 968 Node = Node->getFirstPred(); 969 if (!Node) 970 break; 971 972 const StackFrameContext *PredSFC = Node->getStackFrame(); 973 974 // If that is satisfied we found our statement. 975 // FIXME: This code currently bypasses the call site for the 976 // conservatively evaluated allocator. 977 if (!BypassCXXNewExprEval) 978 if (Optional<StmtPoint> SP = Node->getLocationAs<StmtPoint>()) 979 // See if we do not enter into another context. 980 if (SP->getStmt() == S && CurrentSFC == PredSFC) 981 break; 982 983 CurrentSFC = PredSFC; 984 } while (Node->getStackFrame() == CurrentSFC); 985 986 // Next, step over any post-statement checks. 987 while (Node && Node->getLocation().getAs<PostStmt>()) 988 Node = Node->getFirstPred(); 989 if (!Node) 990 return; 991 992 // Finally, see if we inlined the call. 993 Optional<CallExitEnd> CEE = Node->getLocationAs<CallExitEnd>(); 994 if (!CEE) 995 return; 996 997 const StackFrameContext *CalleeContext = CEE->getCalleeContext(); 998 if (CalleeContext->getCallSite() != S) 999 return; 1000 1001 // Check the return value. 1002 ProgramStateRef State = Node->getState(); 1003 SVal RetVal = Node->getSVal(S); 1004 1005 // Handle cases where a reference is returned and then immediately used. 1006 if (cast<Expr>(S)->isGLValue()) 1007 if (Optional<Loc> LValue = RetVal.getAs<Loc>()) 1008 RetVal = State->getSVal(*LValue); 1009 1010 // See if the return value is NULL. If so, suppress the report. 1011 AnalyzerOptions &Options = State->getAnalysisManager().options; 1012 1013 bool EnableNullFPSuppression = false; 1014 if (InEnableNullFPSuppression && 1015 Options.ShouldSuppressNullReturnPaths) 1016 if (Optional<Loc> RetLoc = RetVal.getAs<Loc>()) 1017 EnableNullFPSuppression = State->isNull(*RetLoc).isConstrainedTrue(); 1018 1019 BR.addVisitor(std::make_unique<ReturnVisitor>(CalleeContext, 1020 EnableNullFPSuppression, 1021 Options, TKind)); 1022 } 1023 1024 PathDiagnosticPieceRef visitNodeInitial(const ExplodedNode *N, 1025 BugReporterContext &BRC, 1026 PathSensitiveBugReport &BR) { 1027 // Only print a message at the interesting return statement. 1028 if (N->getLocationContext() != CalleeSFC) 1029 return nullptr; 1030 1031 Optional<StmtPoint> SP = N->getLocationAs<StmtPoint>(); 1032 if (!SP) 1033 return nullptr; 1034 1035 const auto *Ret = dyn_cast<ReturnStmt>(SP->getStmt()); 1036 if (!Ret) 1037 return nullptr; 1038 1039 // Okay, we're at the right return statement, but do we have the return 1040 // value available? 1041 ProgramStateRef State = N->getState(); 1042 SVal V = State->getSVal(Ret, CalleeSFC); 1043 if (V.isUnknownOrUndef()) 1044 return nullptr; 1045 1046 // Don't print any more notes after this one. 1047 Mode = Satisfied; 1048 1049 const Expr *RetE = Ret->getRetValue(); 1050 assert(RetE && "Tracking a return value for a void function"); 1051 1052 // Handle cases where a reference is returned and then immediately used. 1053 Optional<Loc> LValue; 1054 if (RetE->isGLValue()) { 1055 if ((LValue = V.getAs<Loc>())) { 1056 SVal RValue = State->getRawSVal(*LValue, RetE->getType()); 1057 if (RValue.getAs<DefinedSVal>()) 1058 V = RValue; 1059 } 1060 } 1061 1062 // Ignore aggregate rvalues. 1063 if (V.getAs<nonloc::LazyCompoundVal>() || 1064 V.getAs<nonloc::CompoundVal>()) 1065 return nullptr; 1066 1067 RetE = RetE->IgnoreParenCasts(); 1068 1069 // Let's track the return value. 1070 bugreporter::trackExpressionValue( 1071 N, RetE, BR, TKind, EnableNullFPSuppression); 1072 1073 // Build an appropriate message based on the return value. 1074 SmallString<64> Msg; 1075 llvm::raw_svector_ostream Out(Msg); 1076 1077 bool WouldEventBeMeaningless = false; 1078 1079 if (State->isNull(V).isConstrainedTrue()) { 1080 if (V.getAs<Loc>()) { 1081 1082 // If we have counter-suppression enabled, make sure we keep visiting 1083 // future nodes. We want to emit a path note as well, in case 1084 // the report is resurrected as valid later on. 1085 if (EnableNullFPSuppression && 1086 Options.ShouldAvoidSuppressingNullArgumentPaths) 1087 Mode = MaybeUnsuppress; 1088 1089 if (RetE->getType()->isObjCObjectPointerType()) { 1090 Out << "Returning nil"; 1091 } else { 1092 Out << "Returning null pointer"; 1093 } 1094 } else { 1095 Out << "Returning zero"; 1096 } 1097 1098 } else { 1099 if (auto CI = V.getAs<nonloc::ConcreteInt>()) { 1100 Out << "Returning the value " << CI->getValue(); 1101 } else { 1102 // There is nothing interesting about returning a value, when it is 1103 // plain value without any constraints, and the function is guaranteed 1104 // to return that every time. We could use CFG::isLinear() here, but 1105 // constexpr branches are obvious to the compiler, not necesserily to 1106 // the programmer. 1107 if (N->getCFG().size() == 3) 1108 WouldEventBeMeaningless = true; 1109 1110 if (V.getAs<Loc>()) 1111 Out << "Returning pointer"; 1112 else 1113 Out << "Returning value"; 1114 } 1115 } 1116 1117 if (LValue) { 1118 if (const MemRegion *MR = LValue->getAsRegion()) { 1119 if (MR->canPrintPretty()) { 1120 Out << " (reference to "; 1121 MR->printPretty(Out); 1122 Out << ")"; 1123 } 1124 } 1125 } else { 1126 // FIXME: We should have a more generalized location printing mechanism. 1127 if (const auto *DR = dyn_cast<DeclRefExpr>(RetE)) 1128 if (const auto *DD = dyn_cast<DeclaratorDecl>(DR->getDecl())) 1129 Out << " (loaded from '" << *DD << "')"; 1130 } 1131 1132 PathDiagnosticLocation L(Ret, BRC.getSourceManager(), CalleeSFC); 1133 if (!L.isValid() || !L.asLocation().isValid()) 1134 return nullptr; 1135 1136 if (TKind == bugreporter::TrackingKind::Condition) 1137 Out << WillBeUsedForACondition; 1138 1139 auto EventPiece = std::make_shared<PathDiagnosticEventPiece>(L, Out.str()); 1140 1141 // If we determined that the note is meaningless, make it prunable, and 1142 // don't mark the stackframe interesting. 1143 if (WouldEventBeMeaningless) 1144 EventPiece->setPrunable(true); 1145 else 1146 BR.markInteresting(CalleeSFC); 1147 1148 return EventPiece; 1149 } 1150 1151 PathDiagnosticPieceRef visitNodeMaybeUnsuppress(const ExplodedNode *N, 1152 BugReporterContext &BRC, 1153 PathSensitiveBugReport &BR) { 1154 assert(Options.ShouldAvoidSuppressingNullArgumentPaths); 1155 1156 // Are we at the entry node for this call? 1157 Optional<CallEnter> CE = N->getLocationAs<CallEnter>(); 1158 if (!CE) 1159 return nullptr; 1160 1161 if (CE->getCalleeContext() != CalleeSFC) 1162 return nullptr; 1163 1164 Mode = Satisfied; 1165 1166 // Don't automatically suppress a report if one of the arguments is 1167 // known to be a null pointer. Instead, start tracking /that/ null 1168 // value back to its origin. 1169 ProgramStateManager &StateMgr = BRC.getStateManager(); 1170 CallEventManager &CallMgr = StateMgr.getCallEventManager(); 1171 1172 ProgramStateRef State = N->getState(); 1173 CallEventRef<> Call = CallMgr.getCaller(CalleeSFC, State); 1174 for (unsigned I = 0, E = Call->getNumArgs(); I != E; ++I) { 1175 Optional<Loc> ArgV = Call->getArgSVal(I).getAs<Loc>(); 1176 if (!ArgV) 1177 continue; 1178 1179 const Expr *ArgE = Call->getArgExpr(I); 1180 if (!ArgE) 1181 continue; 1182 1183 // Is it possible for this argument to be non-null? 1184 if (!State->isNull(*ArgV).isConstrainedTrue()) 1185 continue; 1186 1187 if (trackExpressionValue(N, ArgE, BR, TKind, EnableNullFPSuppression)) 1188 ShouldInvalidate = false; 1189 1190 // If we /can't/ track the null pointer, we should err on the side of 1191 // false negatives, and continue towards marking this report invalid. 1192 // (We will still look at the other arguments, though.) 1193 } 1194 1195 return nullptr; 1196 } 1197 1198 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 1199 BugReporterContext &BRC, 1200 PathSensitiveBugReport &BR) override { 1201 switch (Mode) { 1202 case Initial: 1203 return visitNodeInitial(N, BRC, BR); 1204 case MaybeUnsuppress: 1205 return visitNodeMaybeUnsuppress(N, BRC, BR); 1206 case Satisfied: 1207 return nullptr; 1208 } 1209 1210 llvm_unreachable("Invalid visit mode!"); 1211 } 1212 1213 void finalizeVisitor(BugReporterContext &, const ExplodedNode *, 1214 PathSensitiveBugReport &BR) override { 1215 if (EnableNullFPSuppression && ShouldInvalidate) 1216 BR.markInvalid(ReturnVisitor::getTag(), CalleeSFC); 1217 } 1218}; 1219 1220} // end of anonymous namespace 1221 1222//===----------------------------------------------------------------------===// 1223// Implementation of FindLastStoreBRVisitor. 1224//===----------------------------------------------------------------------===// 1225 1226void FindLastStoreBRVisitor::Profile(llvm::FoldingSetNodeID &ID) const { 1227 static int tag = 0; 1228 ID.AddPointer(&tag); 1229 ID.AddPointer(R); 1230 ID.Add(V); 1231 ID.AddInteger(static_cast<int>(TKind)); 1232 ID.AddBoolean(EnableNullFPSuppression); 1233} 1234 1235/// Returns true if \p N represents the DeclStmt declaring and initializing 1236/// \p VR. 1237static bool isInitializationOfVar(const ExplodedNode *N, const VarRegion *VR) { 1238 Optional<PostStmt> P = N->getLocationAs<PostStmt>(); 1239 if (!P) 1240 return false; 1241 1242 const DeclStmt *DS = P->getStmtAs<DeclStmt>(); 1243 if (!DS) 1244 return false; 1245 1246 if (DS->getSingleDecl() != VR->getDecl()) 1247 return false; 1248 1249 const MemSpaceRegion *VarSpace = VR->getMemorySpace(); 1250 const auto *FrameSpace = dyn_cast<StackSpaceRegion>(VarSpace); 1251 if (!FrameSpace) { 1252 // If we ever directly evaluate global DeclStmts, this assertion will be 1253 // invalid, but this still seems preferable to silently accepting an 1254 // initialization that may be for a path-sensitive variable. 1255 assert(VR->getDecl()->isStaticLocal() && "non-static stackless VarRegion"); 1256 return true; 1257 } 1258 1259 assert(VR->getDecl()->hasLocalStorage()); 1260 const LocationContext *LCtx = N->getLocationContext(); 1261 return FrameSpace->getStackFrame() == LCtx->getStackFrame(); 1262} 1263 1264/// Show diagnostics for initializing or declaring a region \p R with a bad value. 1265static void showBRDiagnostics(const char *action, llvm::raw_svector_ostream &os, 1266 const MemRegion *NewR, SVal V, 1267 const MemRegion *OldR, const DeclStmt *DS) { 1268 if (NewR->canPrintPretty()) { 1269 NewR->printPretty(os); 1270 os << " "; 1271 } 1272 1273 if (V.getAs<loc::ConcreteInt>()) { 1274 bool b = false; 1275 if (NewR->isBoundable()) { 1276 if (const auto *TR = dyn_cast<TypedValueRegion>(NewR)) { 1277 if (TR->getValueType()->isObjCObjectPointerType()) { 1278 os << action << "nil"; 1279 b = true; 1280 } 1281 } 1282 } 1283 if (!b) 1284 os << action << "a null pointer value"; 1285 1286 } else if (auto CVal = V.getAs<nonloc::ConcreteInt>()) { 1287 os << action << CVal->getValue(); 1288 } else if (OldR && OldR->canPrintPretty()) { 1289 os << action << "the value of "; 1290 OldR->printPretty(os); 1291 } else if (DS) { 1292 if (V.isUndef()) { 1293 if (isa<VarRegion>(NewR)) { 1294 const auto *VD = cast<VarDecl>(DS->getSingleDecl()); 1295 if (VD->getInit()) { 1296 os << (NewR->canPrintPretty() ? "initialized" : "Initializing") 1297 << " to a garbage value"; 1298 } else { 1299 os << (NewR->canPrintPretty() ? "declared" : "Declaring") 1300 << " without an initial value"; 1301 } 1302 } 1303 } else { 1304 os << (NewR->canPrintPretty() ? "initialized" : "Initialized") << " here"; 1305 } 1306 } 1307} 1308 1309/// Display diagnostics for passing bad region as a parameter. 1310static void showBRParamDiagnostics(llvm::raw_svector_ostream &os, 1311 const VarRegion *VR, SVal V, 1312 const MemRegion *ValueR) { 1313 const auto *Param = cast<ParmVarDecl>(VR->getDecl()); 1314 1315 os << "Passing "; 1316 1317 if (V.getAs<loc::ConcreteInt>()) { 1318 if (Param->getType()->isObjCObjectPointerType()) 1319 os << "nil object reference"; 1320 else 1321 os << "null pointer value"; 1322 } else if (V.isUndef()) { 1323 os << "uninitialized value"; 1324 } else if (auto CI = V.getAs<nonloc::ConcreteInt>()) { 1325 os << "the value " << CI->getValue(); 1326 } else if (ValueR && ValueR->canPrintPretty()) { 1327 ValueR->printPretty(os); 1328 } else { 1329 os << "value"; 1330 } 1331 1332 // Printed parameter indexes are 1-based, not 0-based. 1333 unsigned Idx = Param->getFunctionScopeIndex() + 1; 1334 os << " via " << Idx << llvm::getOrdinalSuffix(Idx) << " parameter"; 1335 if (VR->canPrintPretty()) { 1336 os << " "; 1337 VR->printPretty(os); 1338 } 1339} 1340 1341/// Show default diagnostics for storing bad region. 1342static void showBRDefaultDiagnostics(llvm::raw_svector_ostream &os, 1343 const MemRegion *NewR, SVal V, 1344 const MemRegion *OldR) { 1345 if (V.getAs<loc::ConcreteInt>()) { 1346 bool b = false; 1347 if (NewR->isBoundable()) { 1348 if (const auto *TR = dyn_cast<TypedValueRegion>(NewR)) { 1349 if (TR->getValueType()->isObjCObjectPointerType()) { 1350 os << "nil object reference stored"; 1351 b = true; 1352 } 1353 } 1354 } 1355 if (!b) { 1356 if (NewR->canPrintPretty()) 1357 os << "Null pointer value stored"; 1358 else 1359 os << "Storing null pointer value"; 1360 } 1361 1362 } else if (V.isUndef()) { 1363 if (NewR->canPrintPretty()) 1364 os << "Uninitialized value stored"; 1365 else 1366 os << "Storing uninitialized value"; 1367 1368 } else if (auto CV = V.getAs<nonloc::ConcreteInt>()) { 1369 if (NewR->canPrintPretty()) 1370 os << "The value " << CV->getValue() << " is assigned"; 1371 else 1372 os << "Assigning " << CV->getValue(); 1373 1374 } else if (OldR && OldR->canPrintPretty()) { 1375 if (NewR->canPrintPretty()) { 1376 os << "The value of "; 1377 OldR->printPretty(os); 1378 os << " is assigned"; 1379 } else { 1380 os << "Assigning the value of "; 1381 OldR->printPretty(os); 1382 } 1383 1384 } else { 1385 if (NewR->canPrintPretty()) 1386 os << "Value assigned"; 1387 else 1388 os << "Assigning value"; 1389 } 1390 1391 if (NewR->canPrintPretty()) { 1392 os << " to "; 1393 NewR->printPretty(os); 1394 } 1395} 1396 1397PathDiagnosticPieceRef 1398FindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ, 1399 BugReporterContext &BRC, 1400 PathSensitiveBugReport &BR) { 1401 if (Satisfied) 1402 return nullptr; 1403 1404 const ExplodedNode *StoreSite = nullptr; 1405 const ExplodedNode *Pred = Succ->getFirstPred(); 1406 const Expr *InitE = nullptr; 1407 bool IsParam = false; 1408 1409 // First see if we reached the declaration of the region. 1410 if (const auto *VR = dyn_cast<VarRegion>(R)) { 1411 if (isInitializationOfVar(Pred, VR)) { 1412 StoreSite = Pred; 1413 InitE = VR->getDecl()->getInit(); 1414 } 1415 } 1416 1417 // If this is a post initializer expression, initializing the region, we 1418 // should track the initializer expression. 1419 if (Optional<PostInitializer> PIP = Pred->getLocationAs<PostInitializer>()) { 1420 const MemRegion *FieldReg = (const MemRegion *)PIP->getLocationValue(); 1421 if (FieldReg == R) { 1422 StoreSite = Pred; 1423 InitE = PIP->getInitializer()->getInit(); 1424 } 1425 } 1426 1427 // Otherwise, see if this is the store site: 1428 // (1) Succ has this binding and Pred does not, i.e. this is 1429 // where the binding first occurred. 1430 // (2) Succ has this binding and is a PostStore node for this region, i.e. 1431 // the same binding was re-assigned here. 1432 if (!StoreSite) { 1433 if (Succ->getState()->getSVal(R) != V) 1434 return nullptr; 1435 1436 if (hasVisibleUpdate(Pred, Pred->getState()->getSVal(R), Succ, V)) { 1437 Optional<PostStore> PS = Succ->getLocationAs<PostStore>(); 1438 if (!PS || PS->getLocationValue() != R) 1439 return nullptr; 1440 } 1441 1442 StoreSite = Succ; 1443 1444 // If this is an assignment expression, we can track the value 1445 // being assigned. 1446 if (Optional<PostStmt> P = Succ->getLocationAs<PostStmt>()) 1447 if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>()) 1448 if (BO->isAssignmentOp()) 1449 InitE = BO->getRHS(); 1450 1451 // If this is a call entry, the variable should be a parameter. 1452 // FIXME: Handle CXXThisRegion as well. (This is not a priority because 1453 // 'this' should never be NULL, but this visitor isn't just for NULL and 1454 // UndefinedVal.) 1455 if (Optional<CallEnter> CE = Succ->getLocationAs<CallEnter>()) { 1456 if (const auto *VR = dyn_cast<VarRegion>(R)) { 1457 1458 if (const auto *Param = dyn_cast<ParmVarDecl>(VR->getDecl())) { 1459 ProgramStateManager &StateMgr = BRC.getStateManager(); 1460 CallEventManager &CallMgr = StateMgr.getCallEventManager(); 1461 1462 CallEventRef<> Call = CallMgr.getCaller(CE->getCalleeContext(), 1463 Succ->getState()); 1464 InitE = Call->getArgExpr(Param->getFunctionScopeIndex()); 1465 } else { 1466 // Handle Objective-C 'self'. 1467 assert(isa<ImplicitParamDecl>(VR->getDecl())); 1468 InitE = cast<ObjCMessageExpr>(CE->getCalleeContext()->getCallSite()) 1469 ->getInstanceReceiver()->IgnoreParenCasts(); 1470 } 1471 IsParam = true; 1472 } 1473 } 1474 1475 // If this is a CXXTempObjectRegion, the Expr responsible for its creation 1476 // is wrapped inside of it. 1477 if (const auto *TmpR = dyn_cast<CXXTempObjectRegion>(R)) 1478 InitE = TmpR->getExpr(); 1479 } 1480 1481 if (!StoreSite) 1482 return nullptr; 1483 1484 Satisfied = true; 1485 1486 // If we have an expression that provided the value, try to track where it 1487 // came from. 1488 if (InitE) { 1489 if (!IsParam) 1490 InitE = InitE->IgnoreParenCasts(); 1491 1492 bugreporter::trackExpressionValue(StoreSite, InitE, BR, TKind, 1493 EnableNullFPSuppression); 1494 } 1495 1496 // Let's try to find the region where the value came from. 1497 const MemRegion *OldRegion = nullptr; 1498 1499 // If we have init expression, it might be simply a reference 1500 // to a variable, so we can use it. 1501 if (InitE) { 1502 // That region might still be not exactly what we are looking for. 1503 // In situations like `int &ref = val;`, we can't say that 1504 // `ref` is initialized with `val`, rather refers to `val`. 1505 // 1506 // In order, to mitigate situations like this, we check if the last 1507 // stored value in that region is the value that we track. 1508 // 1509 // TODO: support other situations better. 1510 if (const MemRegion *Candidate = 1511 getLocationRegionIfReference(InitE, Succ, false)) { 1512 const StoreManager &SM = BRC.getStateManager().getStoreManager(); 1513 1514 // Here we traverse the graph up to find the last node where the 1515 // candidate region is still in the store. 1516 for (const ExplodedNode *N = StoreSite; N; N = N->getFirstPred()) { 1517 if (SM.includedInBindings(N->getState()->getStore(), Candidate)) { 1518 // And if it was bound to the target value, we can use it. 1519 if (N->getState()->getSVal(Candidate) == V) { 1520 OldRegion = Candidate; 1521 } 1522 break; 1523 } 1524 } 1525 } 1526 } 1527 1528 // Otherwise, if the current region does indeed contain the value 1529 // we are looking for, we can look for a region where this value 1530 // was before. 1531 // 1532 // It can be useful for situations like: 1533 // new = identity(old) 1534 // where the analyzer knows that 'identity' returns the value of its 1535 // first argument. 1536 // 1537 // NOTE: If the region R is not a simple var region, it can contain 1538 // V in one of its subregions. 1539 if (!OldRegion && StoreSite->getState()->getSVal(R) == V) { 1540 // Let's go up the graph to find the node where the region is 1541 // bound to V. 1542 const ExplodedNode *NodeWithoutBinding = StoreSite->getFirstPred(); 1543 for (; 1544 NodeWithoutBinding && NodeWithoutBinding->getState()->getSVal(R) == V; 1545 NodeWithoutBinding = NodeWithoutBinding->getFirstPred()) { 1546 } 1547 1548 if (NodeWithoutBinding) { 1549 // Let's try to find a unique binding for the value in that node. 1550 // We want to use this to find unique bindings because of the following 1551 // situations: 1552 // b = a; 1553 // c = identity(b); 1554 // 1555 // Telling the user that the value of 'a' is assigned to 'c', while 1556 // correct, can be confusing. 1557 StoreManager::FindUniqueBinding FB(V.getAsLocSymbol()); 1558 BRC.getStateManager().iterBindings(NodeWithoutBinding->getState(), FB); 1559 if (FB) 1560 OldRegion = FB.getRegion(); 1561 } 1562 } 1563 1564 if (TKind == TrackingKind::Condition && 1565 !OriginSFC->isParentOf(StoreSite->getStackFrame())) 1566 return nullptr; 1567 1568 // Okay, we've found the binding. Emit an appropriate message. 1569 SmallString<256> sbuf; 1570 llvm::raw_svector_ostream os(sbuf); 1571 1572 if (Optional<PostStmt> PS = StoreSite->getLocationAs<PostStmt>()) { 1573 const Stmt *S = PS->getStmt(); 1574 const char *action = nullptr; 1575 const auto *DS = dyn_cast<DeclStmt>(S); 1576 const auto *VR = dyn_cast<VarRegion>(R); 1577 1578 if (DS) { 1579 action = R->canPrintPretty() ? "initialized to " : 1580 "Initializing to "; 1581 } else if (isa<BlockExpr>(S)) { 1582 action = R->canPrintPretty() ? "captured by block as " : 1583 "Captured by block as "; 1584 if (VR) { 1585 // See if we can get the BlockVarRegion. 1586 ProgramStateRef State = StoreSite->getState(); 1587 SVal V = StoreSite->getSVal(S); 1588 if (const auto *BDR = 1589 dyn_cast_or_null<BlockDataRegion>(V.getAsRegion())) { 1590 if (const VarRegion *OriginalR = BDR->getOriginalRegion(VR)) { 1591 if (auto KV = State->getSVal(OriginalR).getAs<KnownSVal>()) 1592 BR.addVisitor(std::make_unique<FindLastStoreBRVisitor>( 1593 *KV, OriginalR, EnableNullFPSuppression, TKind, OriginSFC)); 1594 } 1595 } 1596 } 1597 } 1598 if (action) 1599 showBRDiagnostics(action, os, R, V, OldRegion, DS); 1600 1601 } else if (StoreSite->getLocation().getAs<CallEnter>()) { 1602 if (const auto *VR = dyn_cast<VarRegion>(R)) 1603 showBRParamDiagnostics(os, VR, V, OldRegion); 1604 } 1605 1606 if (os.str().empty()) 1607 showBRDefaultDiagnostics(os, R, V, OldRegion); 1608 1609 if (TKind == bugreporter::TrackingKind::Condition) 1610 os << WillBeUsedForACondition; 1611 1612 // Construct a new PathDiagnosticPiece. 1613 ProgramPoint P = StoreSite->getLocation(); 1614 PathDiagnosticLocation L; 1615 if (P.getAs<CallEnter>() && InitE) 1616 L = PathDiagnosticLocation(InitE, BRC.getSourceManager(), 1617 P.getLocationContext()); 1618 1619 if (!L.isValid() || !L.asLocation().isValid()) 1620 L = PathDiagnosticLocation::create(P, BRC.getSourceManager()); 1621 1622 if (!L.isValid() || !L.asLocation().isValid()) 1623 return nullptr; 1624 1625 return std::make_shared<PathDiagnosticEventPiece>(L, os.str()); 1626} 1627 1628//===----------------------------------------------------------------------===// 1629// Implementation of TrackConstraintBRVisitor. 1630//===----------------------------------------------------------------------===// 1631 1632void TrackConstraintBRVisitor::Profile(llvm::FoldingSetNodeID &ID) const { 1633 static int tag = 0; 1634 ID.AddPointer(&tag); 1635 ID.AddBoolean(Assumption); 1636 ID.Add(Constraint); 1637} 1638 1639/// Return the tag associated with this visitor. This tag will be used 1640/// to make all PathDiagnosticPieces created by this visitor. 1641const char *TrackConstraintBRVisitor::getTag() { 1642 return "TrackConstraintBRVisitor"; 1643} 1644 1645bool TrackConstraintBRVisitor::isUnderconstrained(const ExplodedNode *N) const { 1646 if (IsZeroCheck) 1647 return N->getState()->isNull(Constraint).isUnderconstrained(); 1648 return (bool)N->getState()->assume(Constraint, !Assumption); 1649} 1650 1651PathDiagnosticPieceRef TrackConstraintBRVisitor::VisitNode( 1652 const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) { 1653 const ExplodedNode *PrevN = N->getFirstPred(); 1654 if (IsSatisfied) 1655 return nullptr; 1656 1657 // Start tracking after we see the first state in which the value is 1658 // constrained. 1659 if (!IsTrackingTurnedOn) 1660 if (!isUnderconstrained(N)) 1661 IsTrackingTurnedOn = true; 1662 if (!IsTrackingTurnedOn) 1663 return nullptr; 1664 1665 // Check if in the previous state it was feasible for this constraint 1666 // to *not* be true. 1667 if (isUnderconstrained(PrevN)) { 1668 IsSatisfied = true; 1669 1670 // As a sanity check, make sure that the negation of the constraint 1671 // was infeasible in the current state. If it is feasible, we somehow 1672 // missed the transition point. 1673 assert(!isUnderconstrained(N)); 1674 1675 // We found the transition point for the constraint. We now need to 1676 // pretty-print the constraint. (work-in-progress) 1677 SmallString<64> sbuf; 1678 llvm::raw_svector_ostream os(sbuf); 1679 1680 if (Constraint.getAs<Loc>()) { 1681 os << "Assuming pointer value is "; 1682 os << (Assumption ? "non-null" : "null"); 1683 } 1684 1685 if (os.str().empty()) 1686 return nullptr; 1687 1688 // Construct a new PathDiagnosticPiece. 1689 ProgramPoint P = N->getLocation(); 1690 PathDiagnosticLocation L = 1691 PathDiagnosticLocation::create(P, BRC.getSourceManager()); 1692 if (!L.isValid()) 1693 return nullptr; 1694 1695 auto X = std::make_shared<PathDiagnosticEventPiece>(L, os.str()); 1696 X->setTag(getTag()); 1697 return std::move(X); 1698 } 1699 1700 return nullptr; 1701} 1702 1703//===----------------------------------------------------------------------===// 1704// Implementation of SuppressInlineDefensiveChecksVisitor. 1705//===----------------------------------------------------------------------===// 1706 1707SuppressInlineDefensiveChecksVisitor:: 1708SuppressInlineDefensiveChecksVisitor(DefinedSVal Value, const ExplodedNode *N) 1709 : V(Value) { 1710 // Check if the visitor is disabled. 1711 AnalyzerOptions &Options = N->getState()->getAnalysisManager().options; 1712 if (!Options.ShouldSuppressInlinedDefensiveChecks) 1713 IsSatisfied = true; 1714} 1715 1716void SuppressInlineDefensiveChecksVisitor::Profile( 1717 llvm::FoldingSetNodeID &ID) const { 1718 static int id = 0; 1719 ID.AddPointer(&id); 1720 ID.Add(V); 1721} 1722 1723const char *SuppressInlineDefensiveChecksVisitor::getTag() { 1724 return "IDCVisitor"; 1725} 1726 1727PathDiagnosticPieceRef 1728SuppressInlineDefensiveChecksVisitor::VisitNode(const ExplodedNode *Succ, 1729 BugReporterContext &BRC, 1730 PathSensitiveBugReport &BR) { 1731 const ExplodedNode *Pred = Succ->getFirstPred(); 1732 if (IsSatisfied) 1733 return nullptr; 1734 1735 // Start tracking after we see the first state in which the value is null. 1736 if (!IsTrackingTurnedOn) 1737 if (Succ->getState()->isNull(V).isConstrainedTrue()) 1738 IsTrackingTurnedOn = true; 1739 if (!IsTrackingTurnedOn) 1740 return nullptr; 1741 1742 // Check if in the previous state it was feasible for this value 1743 // to *not* be null. 1744 if (!Pred->getState()->isNull(V).isConstrainedTrue() && 1745 Succ->getState()->isNull(V).isConstrainedTrue()) { 1746 IsSatisfied = true; 1747 1748 // Check if this is inlined defensive checks. 1749 const LocationContext *CurLC = Succ->getLocationContext(); 1750 const LocationContext *ReportLC = BR.getErrorNode()->getLocationContext(); 1751 if (CurLC != ReportLC && !CurLC->isParentOf(ReportLC)) { 1752 BR.markInvalid("Suppress IDC", CurLC); 1753 return nullptr; 1754 } 1755 1756 // Treat defensive checks in function-like macros as if they were an inlined 1757 // defensive check. If the bug location is not in a macro and the 1758 // terminator for the current location is in a macro then suppress the 1759 // warning. 1760 auto BugPoint = BR.getErrorNode()->getLocation().getAs<StmtPoint>(); 1761 1762 if (!BugPoint) 1763 return nullptr; 1764 1765 ProgramPoint CurPoint = Succ->getLocation(); 1766 const Stmt *CurTerminatorStmt = nullptr; 1767 if (auto BE = CurPoint.getAs<BlockEdge>()) { 1768 CurTerminatorStmt = BE->getSrc()->getTerminator().getStmt(); 1769 } else if (auto SP = CurPoint.getAs<StmtPoint>()) { 1770 const Stmt *CurStmt = SP->getStmt(); 1771 if (!CurStmt->getBeginLoc().isMacroID()) 1772 return nullptr; 1773 1774 CFGStmtMap *Map = CurLC->getAnalysisDeclContext()->getCFGStmtMap(); 1775 CurTerminatorStmt = Map->getBlock(CurStmt)->getTerminatorStmt(); 1776 } else { 1777 return nullptr; 1778 } 1779 1780 if (!CurTerminatorStmt) 1781 return nullptr; 1782 1783 SourceLocation TerminatorLoc = CurTerminatorStmt->getBeginLoc(); 1784 if (TerminatorLoc.isMacroID()) { 1785 SourceLocation BugLoc = BugPoint->getStmt()->getBeginLoc(); 1786 1787 // Suppress reports unless we are in that same macro. 1788 if (!BugLoc.isMacroID() || 1789 getMacroName(BugLoc, BRC) != getMacroName(TerminatorLoc, BRC)) { 1790 BR.markInvalid("Suppress Macro IDC", CurLC); 1791 } 1792 return nullptr; 1793 } 1794 } 1795 return nullptr; 1796} 1797 1798//===----------------------------------------------------------------------===// 1799// TrackControlDependencyCondBRVisitor. 1800//===----------------------------------------------------------------------===// 1801 1802namespace { 1803/// Tracks the expressions that are a control dependency of the node that was 1804/// supplied to the constructor. 1805/// For example: 1806/// 1807/// cond = 1; 1808/// if (cond) 1809/// 10 / 0; 1810/// 1811/// An error is emitted at line 3. This visitor realizes that the branch 1812/// on line 2 is a control dependency of line 3, and tracks it's condition via 1813/// trackExpressionValue(). 1814class TrackControlDependencyCondBRVisitor final : public BugReporterVisitor { 1815 const ExplodedNode *Origin; 1816 ControlDependencyCalculator ControlDeps; 1817 llvm::SmallSet<const CFGBlock *, 32> VisitedBlocks; 1818 1819public: 1820 TrackControlDependencyCondBRVisitor(const ExplodedNode *O) 1821 : Origin(O), ControlDeps(&O->getCFG()) {} 1822 1823 void Profile(llvm::FoldingSetNodeID &ID) const override { 1824 static int x = 0; 1825 ID.AddPointer(&x); 1826 } 1827 1828 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 1829 BugReporterContext &BRC, 1830 PathSensitiveBugReport &BR) override; 1831}; 1832} // end of anonymous namespace 1833 1834static std::shared_ptr<PathDiagnosticEventPiece> 1835constructDebugPieceForTrackedCondition(const Expr *Cond, 1836 const ExplodedNode *N, 1837 BugReporterContext &BRC) { 1838 1839 if (BRC.getAnalyzerOptions().AnalysisDiagOpt == PD_NONE || 1840 !BRC.getAnalyzerOptions().ShouldTrackConditionsDebug) 1841 return nullptr; 1842 1843 std::string ConditionText = std::string(Lexer::getSourceText( 1844 CharSourceRange::getTokenRange(Cond->getSourceRange()), 1845 BRC.getSourceManager(), BRC.getASTContext().getLangOpts())); 1846 1847 return std::make_shared<PathDiagnosticEventPiece>( 1848 PathDiagnosticLocation::createBegin( 1849 Cond, BRC.getSourceManager(), N->getLocationContext()), 1850 (Twine() + "Tracking condition '" + ConditionText + "'").str()); 1851} 1852 1853static bool isAssertlikeBlock(const CFGBlock *B, ASTContext &Context) { 1854 if (B->succ_size() != 2) 1855 return false; 1856 1857 const CFGBlock *Then = B->succ_begin()->getReachableBlock(); 1858 const CFGBlock *Else = (B->succ_begin() + 1)->getReachableBlock(); 1859 1860 if (!Then || !Else) 1861 return false; 1862 1863 if (Then->isInevitablySinking() != Else->isInevitablySinking()) 1864 return true; 1865 1866 // For the following condition the following CFG would be built: 1867 // 1868 // -------------> 1869 // / \ 1870 // [B1] -> [B2] -> [B3] -> [sink] 1871 // assert(A && B || C); \ \ 1872 // -----------> [go on with the execution] 1873 // 1874 // It so happens that CFGBlock::getTerminatorCondition returns 'A' for block 1875 // B1, 'A && B' for B2, and 'A && B || C' for B3. Let's check whether we 1876 // reached the end of the condition! 1877 if (const Stmt *ElseCond = Else->getTerminatorCondition()) 1878 if (const auto *BinOp = dyn_cast<BinaryOperator>(ElseCond)) 1879 if (BinOp->isLogicalOp()) 1880 return isAssertlikeBlock(Else, Context); 1881 1882 return false; 1883} 1884 1885PathDiagnosticPieceRef 1886TrackControlDependencyCondBRVisitor::VisitNode(const ExplodedNode *N, 1887 BugReporterContext &BRC, 1888 PathSensitiveBugReport &BR) { 1889 // We can only reason about control dependencies within the same stack frame. 1890 if (Origin->getStackFrame() != N->getStackFrame()) 1891 return nullptr; 1892 1893 CFGBlock *NB = const_cast<CFGBlock *>(N->getCFGBlock()); 1894 1895 // Skip if we already inspected this block. 1896 if (!VisitedBlocks.insert(NB).second) 1897 return nullptr; 1898 1899 CFGBlock *OriginB = const_cast<CFGBlock *>(Origin->getCFGBlock()); 1900 1901 // TODO: Cache CFGBlocks for each ExplodedNode. 1902 if (!OriginB || !NB) 1903 return nullptr; 1904 1905 if (isAssertlikeBlock(NB, BRC.getASTContext())) 1906 return nullptr; 1907 1908 if (ControlDeps.isControlDependent(OriginB, NB)) { 1909 // We don't really want to explain for range loops. Evidence suggests that 1910 // the only thing that leads to is the addition of calls to operator!=. 1911 if (llvm::isa_and_nonnull<CXXForRangeStmt>(NB->getTerminatorStmt())) 1912 return nullptr; 1913 1914 if (const Expr *Condition = NB->getLastCondition()) { 1915 // Keeping track of the already tracked conditions on a visitor level 1916 // isn't sufficient, because a new visitor is created for each tracked 1917 // expression, hence the BugReport level set. 1918 if (BR.addTrackedCondition(N)) { 1919 bugreporter::trackExpressionValue( 1920 N, Condition, BR, bugreporter::TrackingKind::Condition, 1921 /*EnableNullFPSuppression=*/false); 1922 return constructDebugPieceForTrackedCondition(Condition, N, BRC); 1923 } 1924 } 1925 } 1926 1927 return nullptr; 1928} 1929 1930//===----------------------------------------------------------------------===// 1931// Implementation of trackExpressionValue. 1932//===----------------------------------------------------------------------===// 1933 1934/// \return A subexpression of @c Ex which represents the 1935/// expression-of-interest. 1936static const Expr *peelOffOuterExpr(const Expr *Ex, 1937 const ExplodedNode *N) { 1938 Ex = Ex->IgnoreParenCasts(); 1939 if (const auto *FE = dyn_cast<FullExpr>(Ex)) 1940 return peelOffOuterExpr(FE->getSubExpr(), N); 1941 if (const auto *OVE = dyn_cast<OpaqueValueExpr>(Ex)) 1942 return peelOffOuterExpr(OVE->getSourceExpr(), N); 1943 if (const auto *POE = dyn_cast<PseudoObjectExpr>(Ex)) { 1944 const auto *PropRef = dyn_cast<ObjCPropertyRefExpr>(POE->getSyntacticForm()); 1945 if (PropRef && PropRef->isMessagingGetter()) { 1946 const Expr *GetterMessageSend = 1947 POE->getSemanticExpr(POE->getNumSemanticExprs() - 1); 1948 assert(isa<ObjCMessageExpr>(GetterMessageSend->IgnoreParenCasts())); 1949 return peelOffOuterExpr(GetterMessageSend, N); 1950 } 1951 } 1952 1953 // Peel off the ternary operator. 1954 if (const auto *CO = dyn_cast<ConditionalOperator>(Ex)) { 1955 // Find a node where the branching occurred and find out which branch 1956 // we took (true/false) by looking at the ExplodedGraph. 1957 const ExplodedNode *NI = N; 1958 do { 1959 ProgramPoint ProgPoint = NI->getLocation(); 1960 if (Optional<BlockEdge> BE = ProgPoint.getAs<BlockEdge>()) { 1961 const CFGBlock *srcBlk = BE->getSrc(); 1962 if (const Stmt *term = srcBlk->getTerminatorStmt()) { 1963 if (term == CO) { 1964 bool TookTrueBranch = (*(srcBlk->succ_begin()) == BE->getDst()); 1965 if (TookTrueBranch) 1966 return peelOffOuterExpr(CO->getTrueExpr(), N); 1967 else 1968 return peelOffOuterExpr(CO->getFalseExpr(), N); 1969 } 1970 } 1971 } 1972 NI = NI->getFirstPred(); 1973 } while (NI); 1974 } 1975 1976 if (auto *BO = dyn_cast<BinaryOperator>(Ex)) 1977 if (const Expr *SubEx = peelOffPointerArithmetic(BO)) 1978 return peelOffOuterExpr(SubEx, N); 1979 1980 if (auto *UO = dyn_cast<UnaryOperator>(Ex)) { 1981 if (UO->getOpcode() == UO_LNot) 1982 return peelOffOuterExpr(UO->getSubExpr(), N); 1983 1984 // FIXME: There's a hack in our Store implementation that always computes 1985 // field offsets around null pointers as if they are always equal to 0. 1986 // The idea here is to report accesses to fields as null dereferences 1987 // even though the pointer value that's being dereferenced is actually 1988 // the offset of the field rather than exactly 0. 1989 // See the FIXME in StoreManager's getLValueFieldOrIvar() method. 1990 // This code interacts heavily with this hack; otherwise the value 1991 // would not be null at all for most fields, so we'd be unable to track it. 1992 if (UO->getOpcode() == UO_AddrOf && UO->getSubExpr()->isLValue()) 1993 if (const Expr *DerefEx = bugreporter::getDerefExpr(UO->getSubExpr())) 1994 return peelOffOuterExpr(DerefEx, N); 1995 } 1996 1997 return Ex; 1998} 1999 2000/// Find the ExplodedNode where the lvalue (the value of 'Ex') 2001/// was computed. 2002static const ExplodedNode* findNodeForExpression(const ExplodedNode *N, 2003 const Expr *Inner) { 2004 while (N) { 2005 if (N->getStmtForDiagnostics() == Inner) 2006 return N; 2007 N = N->getFirstPred(); 2008 } 2009 return N; 2010} 2011 2012/// Attempts to add visitors to track an RValue expression back to its point of 2013/// origin. Works similarly to trackExpressionValue, but accepts only RValues. 2014static void trackRValueExpression(const ExplodedNode *InputNode, const Expr *E, 2015 PathSensitiveBugReport &report, 2016 bugreporter::TrackingKind TKind, 2017 bool EnableNullFPSuppression) { 2018 assert(E->isRValue() && "The expression is not an rvalue!"); 2019 const ExplodedNode *RVNode = findNodeForExpression(InputNode, E); 2020 if (!RVNode) 2021 return; 2022 ProgramStateRef RVState = RVNode->getState(); 2023 SVal V = RVState->getSValAsScalarOrLoc(E, RVNode->getLocationContext()); 2024 const auto *BO = dyn_cast<BinaryOperator>(E); 2025 if (!BO) 2026 return; 2027 if (!V.isZeroConstant()) 2028 return; 2029 if (!BO->isMultiplicativeOp()) 2030 return; 2031 2032 SVal RHSV = RVState->getSVal(BO->getRHS(), RVNode->getLocationContext()); 2033 SVal LHSV = RVState->getSVal(BO->getLHS(), RVNode->getLocationContext()); 2034 2035 // Track both LHS and RHS of a multiplication. 2036 if (BO->getOpcode() == BO_Mul) { 2037 if (LHSV.isZeroConstant()) 2038 trackExpressionValue(InputNode, BO->getLHS(), report, TKind, 2039 EnableNullFPSuppression); 2040 if (RHSV.isZeroConstant()) 2041 trackExpressionValue(InputNode, BO->getRHS(), report, TKind, 2042 EnableNullFPSuppression); 2043 } else { // Track only the LHS of a division or a modulo. 2044 if (LHSV.isZeroConstant()) 2045 trackExpressionValue(InputNode, BO->getLHS(), report, TKind, 2046 EnableNullFPSuppression); 2047 } 2048} 2049 2050bool bugreporter::trackExpressionValue(const ExplodedNode *InputNode, 2051 const Expr *E, 2052 PathSensitiveBugReport &report, 2053 bugreporter::TrackingKind TKind, 2054 bool EnableNullFPSuppression) { 2055 2056 if (!E || !InputNode) 2057 return false; 2058 2059 const Expr *Inner = peelOffOuterExpr(E, InputNode); 2060 const ExplodedNode *LVNode = findNodeForExpression(InputNode, Inner); 2061 if (!LVNode) 2062 return false; 2063 2064 ProgramStateRef LVState = LVNode->getState(); 2065 const StackFrameContext *SFC = LVNode->getStackFrame(); 2066 2067 // We only track expressions if we believe that they are important. Chances 2068 // are good that control dependencies to the tracking point are also important 2069 // because of this, let's explain why we believe control reached this point. 2070 // TODO: Shouldn't we track control dependencies of every bug location, rather 2071 // than only tracked expressions? 2072 if (LVState->getAnalysisManager().getAnalyzerOptions().ShouldTrackConditions) 2073 report.addVisitor(std::make_unique<TrackControlDependencyCondBRVisitor>( 2074 InputNode)); 2075 2076 // The message send could be nil due to the receiver being nil. 2077 // At this point in the path, the receiver should be live since we are at the 2078 // message send expr. If it is nil, start tracking it. 2079 if (const Expr *Receiver = NilReceiverBRVisitor::getNilReceiver(Inner, LVNode)) 2080 trackExpressionValue( 2081 LVNode, Receiver, report, TKind, EnableNullFPSuppression); 2082 2083 // Track the index if this is an array subscript. 2084 if (const auto *Arr = dyn_cast<ArraySubscriptExpr>(Inner)) 2085 trackExpressionValue( 2086 LVNode, Arr->getIdx(), report, TKind, /*EnableNullFPSuppression*/false); 2087 2088 // See if the expression we're interested refers to a variable. 2089 // If so, we can track both its contents and constraints on its value. 2090 if (ExplodedGraph::isInterestingLValueExpr(Inner)) { 2091 SVal LVal = LVNode->getSVal(Inner); 2092 2093 const MemRegion *RR = getLocationRegionIfReference(Inner, LVNode); 2094 bool LVIsNull = LVState->isNull(LVal).isConstrainedTrue(); 2095 2096 // If this is a C++ reference to a null pointer, we are tracking the 2097 // pointer. In addition, we should find the store at which the reference 2098 // got initialized. 2099 if (RR && !LVIsNull) 2100 if (auto KV = LVal.getAs<KnownSVal>()) 2101 report.addVisitor(std::make_unique<FindLastStoreBRVisitor>( 2102 *KV, RR, EnableNullFPSuppression, TKind, SFC)); 2103 2104 // In case of C++ references, we want to differentiate between a null 2105 // reference and reference to null pointer. 2106 // If the LVal is null, check if we are dealing with null reference. 2107 // For those, we want to track the location of the reference. 2108 const MemRegion *R = (RR && LVIsNull) ? RR : 2109 LVNode->getSVal(Inner).getAsRegion(); 2110 2111 if (R) { 2112 2113 // Mark both the variable region and its contents as interesting. 2114 SVal V = LVState->getRawSVal(loc::MemRegionVal(R)); 2115 report.addVisitor( 2116 std::make_unique<NoStoreFuncVisitor>(cast<SubRegion>(R), TKind)); 2117 2118 MacroNullReturnSuppressionVisitor::addMacroVisitorIfNecessary( 2119 LVNode, R, EnableNullFPSuppression, report, V); 2120 2121 report.markInteresting(V, TKind); 2122 report.addVisitor(std::make_unique<UndefOrNullArgVisitor>(R)); 2123 2124 // If the contents are symbolic and null, find out when they became null. 2125 if (V.getAsLocSymbol(/*IncludeBaseRegions=*/true)) 2126 if (LVState->isNull(V).isConstrainedTrue()) 2127 report.addVisitor(std::make_unique<TrackConstraintBRVisitor>( 2128 V.castAs<DefinedSVal>(), false)); 2129 2130 // Add visitor, which will suppress inline defensive checks. 2131 if (auto DV = V.getAs<DefinedSVal>()) 2132 if (!DV->isZeroConstant() && EnableNullFPSuppression) { 2133 // Note that LVNode may be too late (i.e., too far from the InputNode) 2134 // because the lvalue may have been computed before the inlined call 2135 // was evaluated. InputNode may as well be too early here, because 2136 // the symbol is already dead; this, however, is fine because we can 2137 // still find the node in which it collapsed to null previously. 2138 report.addVisitor( 2139 std::make_unique<SuppressInlineDefensiveChecksVisitor>( 2140 *DV, InputNode)); 2141 } 2142 2143 if (auto KV = V.getAs<KnownSVal>()) 2144 report.addVisitor(std::make_unique<FindLastStoreBRVisitor>( 2145 *KV, R, EnableNullFPSuppression, TKind, SFC)); 2146 return true; 2147 } 2148 } 2149 2150 // If the expression is not an "lvalue expression", we can still 2151 // track the constraints on its contents. 2152 SVal V = LVState->getSValAsScalarOrLoc(Inner, LVNode->getLocationContext()); 2153 2154 ReturnVisitor::addVisitorIfNecessary( 2155 LVNode, Inner, report, EnableNullFPSuppression, TKind); 2156 2157 // Is it a symbolic value? 2158 if (auto L = V.getAs<loc::MemRegionVal>()) { 2159 // FIXME: this is a hack for fixing a later crash when attempting to 2160 // dereference a void* pointer. 2161 // We should not try to dereference pointers at all when we don't care 2162 // what is written inside the pointer. 2163 bool CanDereference = true; 2164 if (const auto *SR = L->getRegionAs<SymbolicRegion>()) { 2165 if (SR->getSymbol()->getType()->getPointeeType()->isVoidType()) 2166 CanDereference = false; 2167 } else if (L->getRegionAs<AllocaRegion>()) 2168 CanDereference = false; 2169 2170 // At this point we are dealing with the region's LValue. 2171 // However, if the rvalue is a symbolic region, we should track it as well. 2172 // Try to use the correct type when looking up the value. 2173 SVal RVal; 2174 if (ExplodedGraph::isInterestingLValueExpr(Inner)) 2175 RVal = LVState->getRawSVal(L.getValue(), Inner->getType()); 2176 else if (CanDereference) 2177 RVal = LVState->getSVal(L->getRegion()); 2178 2179 if (CanDereference) { 2180 report.addVisitor( 2181 std::make_unique<UndefOrNullArgVisitor>(L->getRegion())); 2182 2183 if (auto KV = RVal.getAs<KnownSVal>()) 2184 report.addVisitor(std::make_unique<FindLastStoreBRVisitor>( 2185 *KV, L->getRegion(), EnableNullFPSuppression, TKind, SFC)); 2186 } 2187 2188 const MemRegion *RegionRVal = RVal.getAsRegion(); 2189 if (RegionRVal && isa<SymbolicRegion>(RegionRVal)) { 2190 report.markInteresting(RegionRVal, TKind); 2191 report.addVisitor(std::make_unique<TrackConstraintBRVisitor>( 2192 loc::MemRegionVal(RegionRVal), /*assumption=*/false)); 2193 } 2194 } 2195 2196 if (Inner->isRValue()) 2197 trackRValueExpression(LVNode, Inner, report, TKind, 2198 EnableNullFPSuppression); 2199 2200 return true; 2201} 2202 2203//===----------------------------------------------------------------------===// 2204// Implementation of NulReceiverBRVisitor. 2205//===----------------------------------------------------------------------===// 2206 2207const Expr *NilReceiverBRVisitor::getNilReceiver(const Stmt *S, 2208 const ExplodedNode *N) { 2209 const auto *ME = dyn_cast<ObjCMessageExpr>(S); 2210 if (!ME) 2211 return nullptr; 2212 if (const Expr *Receiver = ME->getInstanceReceiver()) { 2213 ProgramStateRef state = N->getState(); 2214 SVal V = N->getSVal(Receiver); 2215 if (state->isNull(V).isConstrainedTrue()) 2216 return Receiver; 2217 } 2218 return nullptr; 2219} 2220 2221PathDiagnosticPieceRef 2222NilReceiverBRVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BRC, 2223 PathSensitiveBugReport &BR) { 2224 Optional<PreStmt> P = N->getLocationAs<PreStmt>(); 2225 if (!P) 2226 return nullptr; 2227 2228 const Stmt *S = P->getStmt(); 2229 const Expr *Receiver = getNilReceiver(S, N); 2230 if (!Receiver) 2231 return nullptr; 2232 2233 llvm::SmallString<256> Buf; 2234 llvm::raw_svector_ostream OS(Buf); 2235 2236 if (const auto *ME = dyn_cast<ObjCMessageExpr>(S)) { 2237 OS << "'"; 2238 ME->getSelector().print(OS); 2239 OS << "' not called"; 2240 } 2241 else { 2242 OS << "No method is called"; 2243 } 2244 OS << " because the receiver is nil"; 2245 2246 // The receiver was nil, and hence the method was skipped. 2247 // Register a BugReporterVisitor to issue a message telling us how 2248 // the receiver was null. 2249 bugreporter::trackExpressionValue( 2250 N, Receiver, BR, bugreporter::TrackingKind::Thorough, 2251 /*EnableNullFPSuppression*/ false); 2252 // Issue a message saying that the method was skipped. 2253 PathDiagnosticLocation L(Receiver, BRC.getSourceManager(), 2254 N->getLocationContext()); 2255 return std::make_shared<PathDiagnosticEventPiece>(L, OS.str()); 2256} 2257 2258//===----------------------------------------------------------------------===// 2259// Visitor that tries to report interesting diagnostics from conditions. 2260//===----------------------------------------------------------------------===// 2261 2262/// Return the tag associated with this visitor. This tag will be used 2263/// to make all PathDiagnosticPieces created by this visitor. 2264const char *ConditionBRVisitor::getTag() { return "ConditionBRVisitor"; } 2265 2266PathDiagnosticPieceRef 2267ConditionBRVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BRC, 2268 PathSensitiveBugReport &BR) { 2269 auto piece = VisitNodeImpl(N, BRC, BR); 2270 if (piece) { 2271 piece->setTag(getTag()); 2272 if (auto *ev = dyn_cast<PathDiagnosticEventPiece>(piece.get())) 2273 ev->setPrunable(true, /* override */ false); 2274 } 2275 return piece; 2276} 2277 2278PathDiagnosticPieceRef 2279ConditionBRVisitor::VisitNodeImpl(const ExplodedNode *N, 2280 BugReporterContext &BRC, 2281 PathSensitiveBugReport &BR) { 2282 ProgramPoint ProgPoint = N->getLocation(); 2283 const std::pair<const ProgramPointTag *, const ProgramPointTag *> &Tags = 2284 ExprEngine::geteagerlyAssumeBinOpBifurcationTags(); 2285 2286 // If an assumption was made on a branch, it should be caught 2287 // here by looking at the state transition. 2288 if (Optional<BlockEdge> BE = ProgPoint.getAs<BlockEdge>()) { 2289 const CFGBlock *SrcBlock = BE->getSrc(); 2290 if (const Stmt *Term = SrcBlock->getTerminatorStmt()) { 2291 // If the tag of the previous node is 'Eagerly Assume...' the current 2292 // 'BlockEdge' has the same constraint information. We do not want to 2293 // report the value as it is just an assumption on the predecessor node 2294 // which will be caught in the next VisitNode() iteration as a 'PostStmt'. 2295 const ProgramPointTag *PreviousNodeTag = 2296 N->getFirstPred()->getLocation().getTag(); 2297 if (PreviousNodeTag == Tags.first || PreviousNodeTag == Tags.second) 2298 return nullptr; 2299 2300 return VisitTerminator(Term, N, SrcBlock, BE->getDst(), BR, BRC); 2301 } 2302 return nullptr; 2303 } 2304 2305 if (Optional<PostStmt> PS = ProgPoint.getAs<PostStmt>()) { 2306 const ProgramPointTag *CurrentNodeTag = PS->getTag(); 2307 if (CurrentNodeTag != Tags.first && CurrentNodeTag != Tags.second) 2308 return nullptr; 2309 2310 bool TookTrue = CurrentNodeTag == Tags.first; 2311 return VisitTrueTest(cast<Expr>(PS->getStmt()), BRC, BR, N, TookTrue); 2312 } 2313 2314 return nullptr; 2315} 2316 2317PathDiagnosticPieceRef ConditionBRVisitor::VisitTerminator( 2318 const Stmt *Term, const ExplodedNode *N, const CFGBlock *srcBlk, 2319 const CFGBlock *dstBlk, PathSensitiveBugReport &R, 2320 BugReporterContext &BRC) { 2321 const Expr *Cond = nullptr; 2322 2323 // In the code below, Term is a CFG terminator and Cond is a branch condition 2324 // expression upon which the decision is made on this terminator. 2325 // 2326 // For example, in "if (x == 0)", the "if (x == 0)" statement is a terminator, 2327 // and "x == 0" is the respective condition. 2328 // 2329 // Another example: in "if (x && y)", we've got two terminators and two 2330 // conditions due to short-circuit nature of operator "&&": 2331 // 1. The "if (x && y)" statement is a terminator, 2332 // and "y" is the respective condition. 2333 // 2. Also "x && ..." is another terminator, 2334 // and "x" is its condition. 2335 2336 switch (Term->getStmtClass()) { 2337 // FIXME: Stmt::SwitchStmtClass is worth handling, however it is a bit 2338 // more tricky because there are more than two branches to account for. 2339 default: 2340 return nullptr; 2341 case Stmt::IfStmtClass: 2342 Cond = cast<IfStmt>(Term)->getCond(); 2343 break; 2344 case Stmt::ConditionalOperatorClass: 2345 Cond = cast<ConditionalOperator>(Term)->getCond(); 2346 break; 2347 case Stmt::BinaryOperatorClass: 2348 // When we encounter a logical operator (&& or ||) as a CFG terminator, 2349 // then the condition is actually its LHS; otherwise, we'd encounter 2350 // the parent, such as if-statement, as a terminator. 2351 const auto *BO = cast<BinaryOperator>(Term); 2352 assert(BO->isLogicalOp() && 2353 "CFG terminator is not a short-circuit operator!"); 2354 Cond = BO->getLHS(); 2355 break; 2356 } 2357 2358 Cond = Cond->IgnoreParens(); 2359 2360 // However, when we encounter a logical operator as a branch condition, 2361 // then the condition is actually its RHS, because LHS would be 2362 // the condition for the logical operator terminator. 2363 while (const auto *InnerBO = dyn_cast<BinaryOperator>(Cond)) { 2364 if (!InnerBO->isLogicalOp()) 2365 break; 2366 Cond = InnerBO->getRHS()->IgnoreParens(); 2367 } 2368 2369 assert(Cond); 2370 assert(srcBlk->succ_size() == 2); 2371 const bool TookTrue = *(srcBlk->succ_begin()) == dstBlk; 2372 return VisitTrueTest(Cond, BRC, R, N, TookTrue); 2373} 2374 2375PathDiagnosticPieceRef 2376ConditionBRVisitor::VisitTrueTest(const Expr *Cond, BugReporterContext &BRC, 2377 PathSensitiveBugReport &R, 2378 const ExplodedNode *N, bool TookTrue) { 2379 ProgramStateRef CurrentState = N->getState(); 2380 ProgramStateRef PrevState = N->getFirstPred()->getState(); 2381 const LocationContext *LCtx = N->getLocationContext(); 2382 2383 // If the constraint information is changed between the current and the 2384 // previous program state we assuming the newly seen constraint information. 2385 // If we cannot evaluate the condition (and the constraints are the same) 2386 // the analyzer has no information about the value and just assuming it. 2387 bool IsAssuming = 2388 !BRC.getStateManager().haveEqualConstraints(CurrentState, PrevState) || 2389 CurrentState->getSVal(Cond, LCtx).isUnknownOrUndef(); 2390 2391 // These will be modified in code below, but we need to preserve the original 2392 // values in case we want to throw the generic message. 2393 const Expr *CondTmp = Cond; 2394 bool TookTrueTmp = TookTrue; 2395 2396 while (true) { 2397 CondTmp = CondTmp->IgnoreParenCasts(); 2398 switch (CondTmp->getStmtClass()) { 2399 default: 2400 break; 2401 case Stmt::BinaryOperatorClass: 2402 if (auto P = VisitTrueTest(Cond, cast<BinaryOperator>(CondTmp), 2403 BRC, R, N, TookTrueTmp, IsAssuming)) 2404 return P; 2405 break; 2406 case Stmt::DeclRefExprClass: 2407 if (auto P = VisitTrueTest(Cond, cast<DeclRefExpr>(CondTmp), 2408 BRC, R, N, TookTrueTmp, IsAssuming)) 2409 return P; 2410 break; 2411 case Stmt::MemberExprClass: 2412 if (auto P = VisitTrueTest(Cond, cast<MemberExpr>(CondTmp), 2413 BRC, R, N, TookTrueTmp, IsAssuming)) 2414 return P; 2415 break; 2416 case Stmt::UnaryOperatorClass: { 2417 const auto *UO = cast<UnaryOperator>(CondTmp); 2418 if (UO->getOpcode() == UO_LNot) { 2419 TookTrueTmp = !TookTrueTmp; 2420 CondTmp = UO->getSubExpr(); 2421 continue; 2422 } 2423 break; 2424 } 2425 } 2426 break; 2427 } 2428 2429 // Condition too complex to explain? Just say something so that the user 2430 // knew we've made some path decision at this point. 2431 // If it is too complex and we know the evaluation of the condition do not 2432 // repeat the note from 'BugReporter.cpp' 2433 if (!IsAssuming) 2434 return nullptr; 2435 2436 PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(), LCtx); 2437 if (!Loc.isValid() || !Loc.asLocation().isValid()) 2438 return nullptr; 2439 2440 return std::make_shared<PathDiagnosticEventPiece>( 2441 Loc, TookTrue ? GenericTrueMessage : GenericFalseMessage); 2442} 2443 2444bool ConditionBRVisitor::patternMatch(const Expr *Ex, 2445 const Expr *ParentEx, 2446 raw_ostream &Out, 2447 BugReporterContext &BRC, 2448 PathSensitiveBugReport &report, 2449 const ExplodedNode *N, 2450 Optional<bool> &prunable, 2451 bool IsSameFieldName) { 2452 const Expr *OriginalExpr = Ex; 2453 Ex = Ex->IgnoreParenCasts(); 2454 2455 if (isa<GNUNullExpr>(Ex) || isa<ObjCBoolLiteralExpr>(Ex) || 2456 isa<CXXBoolLiteralExpr>(Ex) || isa<IntegerLiteral>(Ex) || 2457 isa<FloatingLiteral>(Ex)) { 2458 // Use heuristics to determine if the expression is a macro 2459 // expanding to a literal and if so, use the macro's name. 2460 SourceLocation BeginLoc = OriginalExpr->getBeginLoc(); 2461 SourceLocation EndLoc = OriginalExpr->getEndLoc(); 2462 if (BeginLoc.isMacroID() && EndLoc.isMacroID()) { 2463 const SourceManager &SM = BRC.getSourceManager(); 2464 const LangOptions &LO = BRC.getASTContext().getLangOpts(); 2465 if (Lexer::isAtStartOfMacroExpansion(BeginLoc, SM, LO) && 2466 Lexer::isAtEndOfMacroExpansion(EndLoc, SM, LO)) { 2467 CharSourceRange R = Lexer::getAsCharRange({BeginLoc, EndLoc}, SM, LO); 2468 Out << Lexer::getSourceText(R, SM, LO); 2469 return false; 2470 } 2471 } 2472 } 2473 2474 if (const auto *DR = dyn_cast<DeclRefExpr>(Ex)) { 2475 const bool quotes = isa<VarDecl>(DR->getDecl()); 2476 if (quotes) { 2477 Out << '\''; 2478 const LocationContext *LCtx = N->getLocationContext(); 2479 const ProgramState *state = N->getState().get(); 2480 if (const MemRegion *R = state->getLValue(cast<VarDecl>(DR->getDecl()), 2481 LCtx).getAsRegion()) { 2482 if (report.isInteresting(R)) 2483 prunable = false; 2484 else { 2485 const ProgramState *state = N->getState().get(); 2486 SVal V = state->getSVal(R); 2487 if (report.isInteresting(V)) 2488 prunable = false; 2489 } 2490 } 2491 } 2492 Out << DR->getDecl()->getDeclName().getAsString(); 2493 if (quotes) 2494 Out << '\''; 2495 return quotes; 2496 } 2497 2498 if (const auto *IL = dyn_cast<IntegerLiteral>(Ex)) { 2499 QualType OriginalTy = OriginalExpr->getType(); 2500 if (OriginalTy->isPointerType()) { 2501 if (IL->getValue() == 0) { 2502 Out << "null"; 2503 return false; 2504 } 2505 } 2506 else if (OriginalTy->isObjCObjectPointerType()) { 2507 if (IL->getValue() == 0) { 2508 Out << "nil"; 2509 return false; 2510 } 2511 } 2512 2513 Out << IL->getValue(); 2514 return false; 2515 } 2516 2517 if (const auto *ME = dyn_cast<MemberExpr>(Ex)) { 2518 if (!IsSameFieldName) 2519 Out << "field '" << ME->getMemberDecl()->getName() << '\''; 2520 else 2521 Out << '\'' 2522 << Lexer::getSourceText( 2523 CharSourceRange::getTokenRange(Ex->getSourceRange()), 2524 BRC.getSourceManager(), BRC.getASTContext().getLangOpts(), 0) 2525 << '\''; 2526 } 2527 2528 return false; 2529} 2530 2531PathDiagnosticPieceRef ConditionBRVisitor::VisitTrueTest( 2532 const Expr *Cond, const BinaryOperator *BExpr, BugReporterContext &BRC, 2533 PathSensitiveBugReport &R, const ExplodedNode *N, bool TookTrue, 2534 bool IsAssuming) { 2535 bool shouldInvert = false; 2536 Optional<bool> shouldPrune; 2537 2538 // Check if the field name of the MemberExprs is ambiguous. Example: 2539 // " 'a.d' is equal to 'h.d' " in 'test/Analysis/null-deref-path-notes.cpp'. 2540 bool IsSameFieldName = false; 2541 const auto *LhsME = dyn_cast<MemberExpr>(BExpr->getLHS()->IgnoreParenCasts()); 2542 const auto *RhsME = dyn_cast<MemberExpr>(BExpr->getRHS()->IgnoreParenCasts()); 2543 2544 if (LhsME && RhsME) 2545 IsSameFieldName = 2546 LhsME->getMemberDecl()->getName() == RhsME->getMemberDecl()->getName(); 2547 2548 SmallString<128> LhsString, RhsString; 2549 { 2550 llvm::raw_svector_ostream OutLHS(LhsString), OutRHS(RhsString); 2551 const bool isVarLHS = patternMatch(BExpr->getLHS(), BExpr, OutLHS, BRC, R, 2552 N, shouldPrune, IsSameFieldName); 2553 const bool isVarRHS = patternMatch(BExpr->getRHS(), BExpr, OutRHS, BRC, R, 2554 N, shouldPrune, IsSameFieldName); 2555 2556 shouldInvert = !isVarLHS && isVarRHS; 2557 } 2558 2559 BinaryOperator::Opcode Op = BExpr->getOpcode(); 2560 2561 if (BinaryOperator::isAssignmentOp(Op)) { 2562 // For assignment operators, all that we care about is that the LHS 2563 // evaluates to "true" or "false". 2564 return VisitConditionVariable(LhsString, BExpr->getLHS(), BRC, R, N, 2565 TookTrue); 2566 } 2567 2568 // For non-assignment operations, we require that we can understand 2569 // both the LHS and RHS. 2570 if (LhsString.empty() || RhsString.empty() || 2571 !BinaryOperator::isComparisonOp(Op) || Op == BO_Cmp) 2572 return nullptr; 2573 2574 // Should we invert the strings if the LHS is not a variable name? 2575 SmallString<256> buf; 2576 llvm::raw_svector_ostream Out(buf); 2577 Out << (IsAssuming ? "Assuming " : "") 2578 << (shouldInvert ? RhsString : LhsString) << " is "; 2579 2580 // Do we need to invert the opcode? 2581 if (shouldInvert) 2582 switch (Op) { 2583 default: break; 2584 case BO_LT: Op = BO_GT; break; 2585 case BO_GT: Op = BO_LT; break; 2586 case BO_LE: Op = BO_GE; break; 2587 case BO_GE: Op = BO_LE; break; 2588 } 2589 2590 if (!TookTrue) 2591 switch (Op) { 2592 case BO_EQ: Op = BO_NE; break; 2593 case BO_NE: Op = BO_EQ; break; 2594 case BO_LT: Op = BO_GE; break; 2595 case BO_GT: Op = BO_LE; break; 2596 case BO_LE: Op = BO_GT; break; 2597 case BO_GE: Op = BO_LT; break; 2598 default: 2599 return nullptr; 2600 } 2601 2602 switch (Op) { 2603 case BO_EQ: 2604 Out << "equal to "; 2605 break; 2606 case BO_NE: 2607 Out << "not equal to "; 2608 break; 2609 default: 2610 Out << BinaryOperator::getOpcodeStr(Op) << ' '; 2611 break; 2612 } 2613 2614 Out << (shouldInvert ? LhsString : RhsString); 2615 const LocationContext *LCtx = N->getLocationContext(); 2616 const SourceManager &SM = BRC.getSourceManager(); 2617 2618 if (isVarAnInterestingCondition(BExpr->getLHS(), N, &R) || 2619 isVarAnInterestingCondition(BExpr->getRHS(), N, &R)) 2620 Out << WillBeUsedForACondition; 2621 2622 // Convert 'field ...' to 'Field ...' if it is a MemberExpr. 2623 std::string Message = std::string(Out.str()); 2624 Message[0] = toupper(Message[0]); 2625 2626 // If we know the value create a pop-up note to the value part of 'BExpr'. 2627 if (!IsAssuming) { 2628 PathDiagnosticLocation Loc; 2629 if (!shouldInvert) { 2630 if (LhsME && LhsME->getMemberLoc().isValid()) 2631 Loc = PathDiagnosticLocation(LhsME->getMemberLoc(), SM); 2632 else 2633 Loc = PathDiagnosticLocation(BExpr->getLHS(), SM, LCtx); 2634 } else { 2635 if (RhsME && RhsME->getMemberLoc().isValid()) 2636 Loc = PathDiagnosticLocation(RhsME->getMemberLoc(), SM); 2637 else 2638 Loc = PathDiagnosticLocation(BExpr->getRHS(), SM, LCtx); 2639 } 2640 2641 return std::make_shared<PathDiagnosticPopUpPiece>(Loc, Message); 2642 } 2643 2644 PathDiagnosticLocation Loc(Cond, SM, LCtx); 2645 auto event = std::make_shared<PathDiagnosticEventPiece>(Loc, Message); 2646 if (shouldPrune.hasValue()) 2647 event->setPrunable(shouldPrune.getValue()); 2648 return event; 2649} 2650 2651PathDiagnosticPieceRef ConditionBRVisitor::VisitConditionVariable( 2652 StringRef LhsString, const Expr *CondVarExpr, BugReporterContext &BRC, 2653 PathSensitiveBugReport &report, const ExplodedNode *N, bool TookTrue) { 2654 // FIXME: If there's already a constraint tracker for this variable, 2655 // we shouldn't emit anything here (c.f. the double note in 2656 // test/Analysis/inlining/path-notes.c) 2657 SmallString<256> buf; 2658 llvm::raw_svector_ostream Out(buf); 2659 Out << "Assuming " << LhsString << " is "; 2660 2661 if (!printValue(CondVarExpr, Out, N, TookTrue, /*IsAssuming=*/true)) 2662 return nullptr; 2663 2664 const LocationContext *LCtx = N->getLocationContext(); 2665 PathDiagnosticLocation Loc(CondVarExpr, BRC.getSourceManager(), LCtx); 2666 2667 if (isVarAnInterestingCondition(CondVarExpr, N, &report)) 2668 Out << WillBeUsedForACondition; 2669 2670 auto event = std::make_shared<PathDiagnosticEventPiece>(Loc, Out.str()); 2671 2672 if (isInterestingExpr(CondVarExpr, N, &report)) 2673 event->setPrunable(false); 2674 2675 return event; 2676} 2677 2678PathDiagnosticPieceRef ConditionBRVisitor::VisitTrueTest( 2679 const Expr *Cond, const DeclRefExpr *DRE, BugReporterContext &BRC, 2680 PathSensitiveBugReport &report, const ExplodedNode *N, bool TookTrue, 2681 bool IsAssuming) { 2682 const auto *VD = dyn_cast<VarDecl>(DRE->getDecl()); 2683 if (!VD) 2684 return nullptr; 2685 2686 SmallString<256> Buf; 2687 llvm::raw_svector_ostream Out(Buf); 2688 2689 Out << (IsAssuming ? "Assuming '" : "'") << VD->getDeclName() << "' is "; 2690 2691 if (!printValue(DRE, Out, N, TookTrue, IsAssuming)) 2692 return nullptr; 2693 2694 const LocationContext *LCtx = N->getLocationContext(); 2695 2696 if (isVarAnInterestingCondition(DRE, N, &report)) 2697 Out << WillBeUsedForACondition; 2698 2699 // If we know the value create a pop-up note to the 'DRE'. 2700 if (!IsAssuming) { 2701 PathDiagnosticLocation Loc(DRE, BRC.getSourceManager(), LCtx); 2702 return std::make_shared<PathDiagnosticPopUpPiece>(Loc, Out.str()); 2703 } 2704 2705 PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(), LCtx); 2706 auto event = std::make_shared<PathDiagnosticEventPiece>(Loc, Out.str()); 2707 2708 if (isInterestingExpr(DRE, N, &report)) 2709 event->setPrunable(false); 2710 2711 return std::move(event); 2712} 2713 2714PathDiagnosticPieceRef ConditionBRVisitor::VisitTrueTest( 2715 const Expr *Cond, const MemberExpr *ME, BugReporterContext &BRC, 2716 PathSensitiveBugReport &report, const ExplodedNode *N, bool TookTrue, 2717 bool IsAssuming) { 2718 SmallString<256> Buf; 2719 llvm::raw_svector_ostream Out(Buf); 2720 2721 Out << (IsAssuming ? "Assuming field '" : "Field '") 2722 << ME->getMemberDecl()->getName() << "' is "; 2723 2724 if (!printValue(ME, Out, N, TookTrue, IsAssuming)) 2725 return nullptr; 2726 2727 const LocationContext *LCtx = N->getLocationContext(); 2728 PathDiagnosticLocation Loc; 2729 2730 // If we know the value create a pop-up note to the member of the MemberExpr. 2731 if (!IsAssuming && ME->getMemberLoc().isValid()) 2732 Loc = PathDiagnosticLocation(ME->getMemberLoc(), BRC.getSourceManager()); 2733 else 2734 Loc = PathDiagnosticLocation(Cond, BRC.getSourceManager(), LCtx); 2735 2736 if (!Loc.isValid() || !Loc.asLocation().isValid()) 2737 return nullptr; 2738 2739 if (isVarAnInterestingCondition(ME, N, &report)) 2740 Out << WillBeUsedForACondition; 2741 2742 // If we know the value create a pop-up note. 2743 if (!IsAssuming) 2744 return std::make_shared<PathDiagnosticPopUpPiece>(Loc, Out.str()); 2745 2746 auto event = std::make_shared<PathDiagnosticEventPiece>(Loc, Out.str()); 2747 if (isInterestingExpr(ME, N, &report)) 2748 event->setPrunable(false); 2749 return event; 2750} 2751 2752bool ConditionBRVisitor::printValue(const Expr *CondVarExpr, raw_ostream &Out, 2753 const ExplodedNode *N, bool TookTrue, 2754 bool IsAssuming) { 2755 QualType Ty = CondVarExpr->getType(); 2756 2757 if (Ty->isPointerType()) { 2758 Out << (TookTrue ? "non-null" : "null"); 2759 return true; 2760 } 2761 2762 if (Ty->isObjCObjectPointerType()) { 2763 Out << (TookTrue ? "non-nil" : "nil"); 2764 return true; 2765 } 2766 2767 if (!Ty->isIntegralOrEnumerationType()) 2768 return false; 2769 2770 Optional<const llvm::APSInt *> IntValue; 2771 if (!IsAssuming) 2772 IntValue = getConcreteIntegerValue(CondVarExpr, N); 2773 2774 if (IsAssuming || !IntValue.hasValue()) { 2775 if (Ty->isBooleanType()) 2776 Out << (TookTrue ? "true" : "false"); 2777 else 2778 Out << (TookTrue ? "not equal to 0" : "0"); 2779 } else { 2780 if (Ty->isBooleanType()) 2781 Out << (IntValue.getValue()->getBoolValue() ? "true" : "false"); 2782 else 2783 Out << *IntValue.getValue(); 2784 } 2785 2786 return true; 2787} 2788 2789constexpr llvm::StringLiteral ConditionBRVisitor::GenericTrueMessage; 2790constexpr llvm::StringLiteral ConditionBRVisitor::GenericFalseMessage; 2791 2792bool ConditionBRVisitor::isPieceMessageGeneric( 2793 const PathDiagnosticPiece *Piece) { 2794 return Piece->getString() == GenericTrueMessage || 2795 Piece->getString() == GenericFalseMessage; 2796} 2797 2798//===----------------------------------------------------------------------===// 2799// Implementation of LikelyFalsePositiveSuppressionBRVisitor. 2800//===----------------------------------------------------------------------===// 2801 2802void LikelyFalsePositiveSuppressionBRVisitor::finalizeVisitor( 2803 BugReporterContext &BRC, const ExplodedNode *N, 2804 PathSensitiveBugReport &BR) { 2805 // Here we suppress false positives coming from system headers. This list is 2806 // based on known issues. 2807 const AnalyzerOptions &Options = BRC.getAnalyzerOptions(); 2808 const Decl *D = N->getLocationContext()->getDecl(); 2809 2810 if (AnalysisDeclContext::isInStdNamespace(D)) { 2811 // Skip reports within the 'std' namespace. Although these can sometimes be 2812 // the user's fault, we currently don't report them very well, and 2813 // Note that this will not help for any other data structure libraries, like 2814 // TR1, Boost, or llvm/ADT. 2815 if (Options.ShouldSuppressFromCXXStandardLibrary) { 2816 BR.markInvalid(getTag(), nullptr); 2817 return; 2818 } else { 2819 // If the complete 'std' suppression is not enabled, suppress reports 2820 // from the 'std' namespace that are known to produce false positives. 2821 2822 // The analyzer issues a false use-after-free when std::list::pop_front 2823 // or std::list::pop_back are called multiple times because we cannot 2824 // reason about the internal invariants of the data structure. 2825 if (const auto *MD = dyn_cast<CXXMethodDecl>(D)) { 2826 const CXXRecordDecl *CD = MD->getParent(); 2827 if (CD->getName() == "list") { 2828 BR.markInvalid(getTag(), nullptr); 2829 return; 2830 } 2831 } 2832 2833 // The analyzer issues a false positive when the constructor of 2834 // std::__independent_bits_engine from algorithms is used. 2835 if (const auto *MD = dyn_cast<CXXConstructorDecl>(D)) { 2836 const CXXRecordDecl *CD = MD->getParent(); 2837 if (CD->getName() == "__independent_bits_engine") { 2838 BR.markInvalid(getTag(), nullptr); 2839 return; 2840 } 2841 } 2842 2843 for (const LocationContext *LCtx = N->getLocationContext(); LCtx; 2844 LCtx = LCtx->getParent()) { 2845 const auto *MD = dyn_cast<CXXMethodDecl>(LCtx->getDecl()); 2846 if (!MD) 2847 continue; 2848 2849 const CXXRecordDecl *CD = MD->getParent(); 2850 // The analyzer issues a false positive on 2851 // std::basic_string<uint8_t> v; v.push_back(1); 2852 // and 2853 // std::u16string s; s += u'a'; 2854 // because we cannot reason about the internal invariants of the 2855 // data structure. 2856 if (CD->getName() == "basic_string") { 2857 BR.markInvalid(getTag(), nullptr); 2858 return; 2859 } 2860 2861 // The analyzer issues a false positive on 2862 // std::shared_ptr<int> p(new int(1)); p = nullptr; 2863 // because it does not reason properly about temporary destructors. 2864 if (CD->getName() == "shared_ptr") { 2865 BR.markInvalid(getTag(), nullptr); 2866 return; 2867 } 2868 } 2869 } 2870 } 2871 2872 // Skip reports within the sys/queue.h macros as we do not have the ability to 2873 // reason about data structure shapes. 2874 const SourceManager &SM = BRC.getSourceManager(); 2875 FullSourceLoc Loc = BR.getLocation().asLocation(); 2876 while (Loc.isMacroID()) { 2877 Loc = Loc.getSpellingLoc(); 2878 if (SM.getFilename(Loc).endswith("sys/queue.h")) { 2879 BR.markInvalid(getTag(), nullptr); 2880 return; 2881 } 2882 } 2883} 2884 2885//===----------------------------------------------------------------------===// 2886// Implementation of UndefOrNullArgVisitor. 2887//===----------------------------------------------------------------------===// 2888 2889PathDiagnosticPieceRef 2890UndefOrNullArgVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BRC, 2891 PathSensitiveBugReport &BR) { 2892 ProgramStateRef State = N->getState(); 2893 ProgramPoint ProgLoc = N->getLocation(); 2894 2895 // We are only interested in visiting CallEnter nodes. 2896 Optional<CallEnter> CEnter = ProgLoc.getAs<CallEnter>(); 2897 if (!CEnter) 2898 return nullptr; 2899 2900 // Check if one of the arguments is the region the visitor is tracking. 2901 CallEventManager &CEMgr = BRC.getStateManager().getCallEventManager(); 2902 CallEventRef<> Call = CEMgr.getCaller(CEnter->getCalleeContext(), State); 2903 unsigned Idx = 0; 2904 ArrayRef<ParmVarDecl *> parms = Call->parameters(); 2905 2906 for (const auto ParamDecl : parms) { 2907 const MemRegion *ArgReg = Call->getArgSVal(Idx).getAsRegion(); 2908 ++Idx; 2909 2910 // Are we tracking the argument or its subregion? 2911 if ( !ArgReg || !R->isSubRegionOf(ArgReg->StripCasts())) 2912 continue; 2913 2914 // Check the function parameter type. 2915 assert(ParamDecl && "Formal parameter has no decl?"); 2916 QualType T = ParamDecl->getType(); 2917 2918 if (!(T->isAnyPointerType() || T->isReferenceType())) { 2919 // Function can only change the value passed in by address. 2920 continue; 2921 } 2922 2923 // If it is a const pointer value, the function does not intend to 2924 // change the value. 2925 if (T->getPointeeType().isConstQualified()) 2926 continue; 2927 2928 // Mark the call site (LocationContext) as interesting if the value of the 2929 // argument is undefined or '0'/'NULL'. 2930 SVal BoundVal = State->getSVal(R); 2931 if (BoundVal.isUndef() || BoundVal.isZeroConstant()) { 2932 BR.markInteresting(CEnter->getCalleeContext()); 2933 return nullptr; 2934 } 2935 } 2936 return nullptr; 2937} 2938 2939//===----------------------------------------------------------------------===// 2940// Implementation of FalsePositiveRefutationBRVisitor. 2941//===----------------------------------------------------------------------===// 2942 2943FalsePositiveRefutationBRVisitor::FalsePositiveRefutationBRVisitor() 2944 : Constraints(ConstraintMap::Factory().getEmptyMap()) {} 2945 2946void FalsePositiveRefutationBRVisitor::finalizeVisitor( 2947 BugReporterContext &BRC, const ExplodedNode *EndPathNode, 2948 PathSensitiveBugReport &BR) { 2949 // Collect new constraints 2950 addConstraints(EndPathNode, /*OverwriteConstraintsOnExistingSyms=*/true); 2951 2952 // Create a refutation manager 2953 llvm::SMTSolverRef RefutationSolver = llvm::CreateZ3Solver(); 2954 ASTContext &Ctx = BRC.getASTContext(); 2955 2956 // Add constraints to the solver 2957 for (const auto &I : Constraints) { 2958 const SymbolRef Sym = I.first; 2959 auto RangeIt = I.second.begin(); 2960 2961 llvm::SMTExprRef SMTConstraints = SMTConv::getRangeExpr( 2962 RefutationSolver, Ctx, Sym, RangeIt->From(), RangeIt->To(), 2963 /*InRange=*/true); 2964 while ((++RangeIt) != I.second.end()) { 2965 SMTConstraints = RefutationSolver->mkOr( 2966 SMTConstraints, SMTConv::getRangeExpr(RefutationSolver, Ctx, Sym, 2967 RangeIt->From(), RangeIt->To(), 2968 /*InRange=*/true)); 2969 } 2970 2971 RefutationSolver->addConstraint(SMTConstraints); 2972 } 2973 2974 // And check for satisfiability 2975 Optional<bool> IsSAT = RefutationSolver->check(); 2976 if (!IsSAT.hasValue()) 2977 return; 2978 2979 if (!IsSAT.getValue()) 2980 BR.markInvalid("Infeasible constraints", EndPathNode->getLocationContext()); 2981} 2982 2983void FalsePositiveRefutationBRVisitor::addConstraints( 2984 const ExplodedNode *N, bool OverwriteConstraintsOnExistingSyms) { 2985 // Collect new constraints 2986 ConstraintMap NewCs = getConstraintMap(N->getState()); 2987 ConstraintMap::Factory &CF = N->getState()->get_context<ConstraintMap>(); 2988 2989 // Add constraints if we don't have them yet 2990 for (auto const &C : NewCs) { 2991 const SymbolRef &Sym = C.first; 2992 if (!Constraints.contains(Sym)) { 2993 // This symbol is new, just add the constraint. 2994 Constraints = CF.add(Constraints, Sym, C.second); 2995 } else if (OverwriteConstraintsOnExistingSyms) { 2996 // Overwrite the associated constraint of the Symbol. 2997 Constraints = CF.remove(Constraints, Sym); 2998 Constraints = CF.add(Constraints, Sym, C.second); 2999 } 3000 } 3001} 3002 3003PathDiagnosticPieceRef FalsePositiveRefutationBRVisitor::VisitNode( 3004 const ExplodedNode *N, BugReporterContext &, PathSensitiveBugReport &) { 3005 addConstraints(N, /*OverwriteConstraintsOnExistingSyms=*/false); 3006 return nullptr; 3007} 3008 3009void FalsePositiveRefutationBRVisitor::Profile( 3010 llvm::FoldingSetNodeID &ID) const { 3011 static int Tag = 0; 3012 ID.AddPointer(&Tag); 3013} 3014 3015//===----------------------------------------------------------------------===// 3016// Implementation of TagVisitor. 3017//===----------------------------------------------------------------------===// 3018 3019int NoteTag::Kind = 0; 3020 3021void TagVisitor::Profile(llvm::FoldingSetNodeID &ID) const { 3022 static int Tag = 0; 3023 ID.AddPointer(&Tag); 3024} 3025 3026PathDiagnosticPieceRef TagVisitor::VisitNode(const ExplodedNode *N, 3027 BugReporterContext &BRC, 3028 PathSensitiveBugReport &R) { 3029 ProgramPoint PP = N->getLocation(); 3030 const NoteTag *T = dyn_cast_or_null<NoteTag>(PP.getTag()); 3031 if (!T) 3032 return nullptr; 3033 3034 if (Optional<std::string> Msg = T->generateMessage(BRC, R)) { 3035 PathDiagnosticLocation Loc = 3036 PathDiagnosticLocation::create(PP, BRC.getSourceManager()); 3037 auto Piece = std::make_shared<PathDiagnosticEventPiece>(Loc, *Msg); 3038 Piece->setPrunable(T->isPrunable()); 3039 return Piece; 3040 } 3041 3042 return nullptr; 3043} 3044