head 1.1; branch 1.1.1; access; symbols netbsd-11-0-RC4:1.1.1.9 netbsd-11-0-RC3:1.1.1.9 netbsd-11-0-RC2:1.1.1.9 netbsd-11-0-RC1:1.1.1.9 perseant-exfatfs-base-20250801:1.1.1.9 netbsd-11:1.1.1.9.0.10 netbsd-11-base:1.1.1.9 netbsd-10-1-RELEASE:1.1.1.9 perseant-exfatfs-base-20240630:1.1.1.9 perseant-exfatfs:1.1.1.9.0.8 perseant-exfatfs-base:1.1.1.9 netbsd-8-3-RELEASE:1.1.1.6 netbsd-9-4-RELEASE:1.1.1.8 netbsd-10-0-RELEASE:1.1.1.9 netbsd-10-0-RC6:1.1.1.9 netbsd-10-0-RC5:1.1.1.9 netbsd-10-0-RC4:1.1.1.9 netbsd-10-0-RC3:1.1.1.9 netbsd-10-0-RC2:1.1.1.9 netbsd-10-0-RC1:1.1.1.9 netbsd-10:1.1.1.9.0.6 netbsd-10-base:1.1.1.9 netbsd-9-3-RELEASE:1.1.1.8 cjep_sun2x:1.1.1.9.0.4 cjep_sun2x-base:1.1.1.9 cjep_staticlib_x-base1:1.1.1.9 netbsd-9-2-RELEASE:1.1.1.8 cjep_staticlib_x:1.1.1.9.0.2 cjep_staticlib_x-base:1.1.1.9 netbsd-9-1-RELEASE:1.1.1.8 phil-wifi-20200421:1.1.1.9 phil-wifi-20200411:1.1.1.9 phil-wifi-20200406:1.1.1.9 netbsd-8-2-RELEASE:1.1.1.6 netbsd-9-0-RELEASE:1.1.1.8 netbsd-9-0-RC2:1.1.1.8 netbsd-9-0-RC1:1.1.1.8 netbsd-9:1.1.1.8.0.2 netbsd-9-base:1.1.1.8 phil-wifi-20190609:1.1.1.8 netbsd-8-1-RELEASE:1.1.1.6 netbsd-8-1-RC1:1.1.1.6 pgoyette-compat-merge-20190127:1.1.1.7.2.1 pgoyette-compat-20190127:1.1.1.8 pgoyette-compat-20190118:1.1.1.8 pgoyette-compat-1226:1.1.1.8 pgoyette-compat-1126:1.1.1.8 pgoyette-compat-1020:1.1.1.8 pgoyette-compat-0930:1.1.1.8 pgoyette-compat-0906:1.1.1.8 netbsd-7-2-RELEASE:1.1.1.4.2.1 pgoyette-compat-0728:1.1.1.8 clang-337282:1.1.1.8 netbsd-8-0-RELEASE:1.1.1.6 phil-wifi:1.1.1.7.0.4 phil-wifi-base:1.1.1.7 pgoyette-compat-0625:1.1.1.7 netbsd-8-0-RC2:1.1.1.6 pgoyette-compat-0521:1.1.1.7 pgoyette-compat-0502:1.1.1.7 pgoyette-compat-0422:1.1.1.7 netbsd-8-0-RC1:1.1.1.6 pgoyette-compat-0415:1.1.1.7 pgoyette-compat-0407:1.1.1.7 pgoyette-compat-0330:1.1.1.7 pgoyette-compat-0322:1.1.1.7 pgoyette-compat-0315:1.1.1.7 netbsd-7-1-2-RELEASE:1.1.1.4.2.1 pgoyette-compat:1.1.1.7.0.2 pgoyette-compat-base:1.1.1.7 netbsd-7-1-1-RELEASE:1.1.1.4.2.1 clang-319952:1.1.1.7 matt-nb8-mediatek:1.1.1.6.0.12 matt-nb8-mediatek-base:1.1.1.6 clang-309604:1.1.1.7 perseant-stdc-iso10646:1.1.1.6.0.10 perseant-stdc-iso10646-base:1.1.1.6 netbsd-8:1.1.1.6.0.8 netbsd-8-base:1.1.1.6 prg-localcount2-base3:1.1.1.6 prg-localcount2-base2:1.1.1.6 prg-localcount2-base1:1.1.1.6 prg-localcount2:1.1.1.6.0.6 prg-localcount2-base:1.1.1.6 pgoyette-localcount-20170426:1.1.1.6 bouyer-socketcan-base1:1.1.1.6 pgoyette-localcount-20170320:1.1.1.6 netbsd-7-1:1.1.1.4.2.1.0.6 netbsd-7-1-RELEASE:1.1.1.4.2.1 netbsd-7-1-RC2:1.1.1.4.2.1 clang-294123:1.1.1.6 netbsd-7-nhusb-base-20170116:1.1.1.4.2.1 bouyer-socketcan:1.1.1.6.0.4 bouyer-socketcan-base:1.1.1.6 clang-291444:1.1.1.6 pgoyette-localcount-20170107:1.1.1.6 netbsd-7-1-RC1:1.1.1.4.2.1 pgoyette-localcount-20161104:1.1.1.6 netbsd-7-0-2-RELEASE:1.1.1.4.2.1 localcount-20160914:1.1.1.6 netbsd-7-nhusb:1.1.1.4.2.1.0.4 netbsd-7-nhusb-base:1.1.1.4.2.1 clang-280599:1.1.1.6 pgoyette-localcount-20160806:1.1.1.6 pgoyette-localcount-20160726:1.1.1.6 pgoyette-localcount:1.1.1.6.0.2 pgoyette-localcount-base:1.1.1.6 netbsd-7-0-1-RELEASE:1.1.1.4.2.1 clang-261930:1.1.1.6 netbsd-7-0:1.1.1.4.2.1.0.2 netbsd-7-0-RELEASE:1.1.1.4.2.1 netbsd-7-0-RC3:1.1.1.4.2.1 netbsd-7-0-RC2:1.1.1.4.2.1 netbsd-7-0-RC1:1.1.1.4.2.1 clang-237755:1.1.1.5 clang-232565:1.1.1.5 clang-227398:1.1.1.5 tls-maxphys-base:1.1.1.4 tls-maxphys:1.1.1.4.0.4 netbsd-7:1.1.1.4.0.2 netbsd-7-base:1.1.1.4 clang-215315:1.1.1.4 clang-209886:1.1.1.4 yamt-pagecache:1.1.1.3.0.4 yamt-pagecache-base9:1.1.1.3 tls-earlyentropy:1.1.1.3.0.2 tls-earlyentropy-base:1.1.1.4 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.1.1.3 riastradh-drm2-base3:1.1.1.3 clang-202566:1.1.1.3 clang-201163:1.1.1.2 clang-199312:1.1.1.1 clang-198450:1.1.1.1 clang-196603:1.1.1.1 clang-195771:1.1.1.1 LLVM:1.1.1; locks; strict; comment @// @; 1.1 date 2013.11.28.14.14.52; author joerg; state Exp; branches 1.1.1.1; next ; commitid ow8OybrawrB1f3fx; 1.1.1.1 date 2013.11.28.14.14.52; author joerg; state Exp; branches; next 1.1.1.2; commitid ow8OybrawrB1f3fx; 1.1.1.2 date 2014.02.14.20.07.25; author joerg; state Exp; branches; next 1.1.1.3; commitid annVkZ1sc17rF6px; 1.1.1.3 date 2014.03.04.19.55.01; author joerg; state Exp; branches 1.1.1.3.2.1 1.1.1.3.4.1; next 1.1.1.4; commitid 29z1hJonZISIXprx; 1.1.1.4 date 2014.05.30.18.14.44; author joerg; state Exp; branches 1.1.1.4.2.1 1.1.1.4.4.1; next 1.1.1.5; commitid 8q0kdlBlCn09GACx; 1.1.1.5 date 2015.01.29.19.57.30; author joerg; state Exp; branches; next 1.1.1.6; commitid mlISSizlPKvepX7y; 1.1.1.6 date 2016.02.27.22.12.06; author joerg; state Exp; branches; next 1.1.1.7; commitid tIimz3oDlh1NpBWy; 1.1.1.7 date 2017.08.01.19.35.17; author joerg; state Exp; branches 1.1.1.7.2.1 1.1.1.7.4.1; next 1.1.1.8; commitid pMuDy65V0VicSx1A; 1.1.1.8 date 2018.07.17.18.31.08; author joerg; state Exp; branches; next 1.1.1.9; commitid wDzL46ALjrCZgwKA; 1.1.1.9 date 2019.11.13.22.19.28; author joerg; state dead; branches; next ; commitid QD8YATxuNG34YJKB; 1.1.1.3.2.1 date 2014.08.10.07.08.10; author tls; state Exp; branches; next ; commitid t01A1TLTYxkpGMLx; 1.1.1.3.4.1 date 2014.03.04.19.55.01; author yamt; state dead; branches; next 1.1.1.3.4.2; commitid WSrDtL5nYAUyiyBx; 1.1.1.3.4.2 date 2014.05.22.16.18.31; author yamt; state Exp; branches; next ; commitid WSrDtL5nYAUyiyBx; 1.1.1.4.2.1 date 2015.06.04.20.04.30; author snj; state Exp; branches; next ; commitid yRnjq9fueSo6n9oy; 1.1.1.4.4.1 date 2014.05.30.18.14.44; author tls; state dead; branches; next 1.1.1.4.4.2; commitid jTnpym9Qu0o4R1Nx; 1.1.1.4.4.2 date 2014.08.19.23.47.31; author tls; state Exp; branches; next ; commitid jTnpym9Qu0o4R1Nx; 1.1.1.7.2.1 date 2018.07.28.04.33.23; author pgoyette; state Exp; branches; next ; commitid 1UP1xAIUxv1ZgRLA; 1.1.1.7.4.1 date 2019.06.10.21.45.28; author christos; state Exp; branches; next 1.1.1.7.4.2; commitid jtc8rnCzWiEEHGqB; 1.1.1.7.4.2 date 2020.04.13.07.46.39; author martin; state dead; branches; next ; commitid X01YhRUPVUDaec4C; desc @@ 1.1 log @Initial revision @ text @//===--- NonNullParamChecker.cpp - Undefined arguments checker -*- C++ -*--===// // // The LLVM Compiler Infrastructure // // This file is distributed under the University of Illinois Open Source // License. See LICENSE.TXT for details. // //===----------------------------------------------------------------------===// // // This defines NonNullParamChecker, which checks for arguments expected not to // be null due to: // - the corresponding parameters being declared to have nonnull attribute // - the corresponding parameters being references; since the call would form // a reference to a null pointer // //===----------------------------------------------------------------------===// #include "ClangSACheckers.h" #include "clang/AST/Attr.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" using namespace clang; using namespace ento; namespace { class NonNullParamChecker : public Checker< check::PreCall > { mutable OwningPtr BTAttrNonNull; mutable OwningPtr BTNullRefArg; public: void checkPreCall(const CallEvent &Call, CheckerContext &C) const; BugReport *genReportNullAttrNonNull(const ExplodedNode *ErrorN, const Expr *ArgE) const; BugReport *genReportReferenceToNullPointer(const ExplodedNode *ErrorN, const Expr *ArgE) const; }; } // end anonymous namespace void NonNullParamChecker::checkPreCall(const CallEvent &Call, CheckerContext &C) const { const Decl *FD = Call.getDecl(); if (!FD) return; const NonNullAttr *Att = FD->getAttr(); ProgramStateRef state = C.getState(); CallEvent::param_type_iterator TyI = Call.param_type_begin(), TyE = Call.param_type_end(); for (unsigned idx = 0, count = Call.getNumArgs(); idx != count; ++idx){ // Check if the parameter is a reference. We want to report when reference // to a null pointer is passed as a paramter. bool haveRefTypeParam = false; if (TyI != TyE) { haveRefTypeParam = (*TyI)->isReferenceType(); TyI++; } bool haveAttrNonNull = Att && Att->isNonNull(idx); if (!haveRefTypeParam && !haveAttrNonNull) continue; // If the value is unknown or undefined, we can't perform this check. const Expr *ArgE = Call.getArgExpr(idx); SVal V = Call.getArgSVal(idx); Optional DV = V.getAs(); if (!DV) continue; // Process the case when the argument is not a location. assert(!haveRefTypeParam || DV->getAs()); if (haveAttrNonNull && !DV->getAs()) { // If the argument is a union type, we want to handle a potential // transparent_union GCC extension. if (!ArgE) continue; QualType T = ArgE->getType(); const RecordType *UT = T->getAsUnionType(); if (!UT || !UT->getDecl()->hasAttr()) continue; if (Optional CSV = DV->getAs()) { nonloc::CompoundVal::iterator CSV_I = CSV->begin(); assert(CSV_I != CSV->end()); V = *CSV_I; DV = V.getAs(); assert(++CSV_I == CSV->end()); if (!DV) continue; // Retrieve the corresponding expression. if (const CompoundLiteralExpr *CE = dyn_cast(ArgE)) if (const InitListExpr *IE = dyn_cast(CE->getInitializer())) ArgE = dyn_cast(*(IE->begin())); } else { // FIXME: Handle LazyCompoundVals? continue; } } ConstraintManager &CM = C.getConstraintManager(); ProgramStateRef stateNotNull, stateNull; llvm::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV); if (stateNull && !stateNotNull) { // Generate an error node. Check for a null node in case // we cache out. if (ExplodedNode *errorNode = C.generateSink(stateNull)) { BugReport *R = 0; if (haveAttrNonNull) R = genReportNullAttrNonNull(errorNode, ArgE); else if (haveRefTypeParam) R = genReportReferenceToNullPointer(errorNode, ArgE); // Highlight the range of the argument that was null. R->addRange(Call.getArgSourceRange(idx)); // Emit the bug report. C.emitReport(R); } // Always return. Either we cached out or we just emitted an error. return; } // If a pointer value passed the check we should assume that it is // indeed not null from this point forward. assert(stateNotNull); state = stateNotNull; } // If we reach here all of the arguments passed the nonnull check. // If 'state' has been updated generated a new node. C.addTransition(state); } BugReport *NonNullParamChecker::genReportNullAttrNonNull( const ExplodedNode *ErrorNode, const Expr *ArgE) const { // Lazily allocate the BugType object if it hasn't already been // created. Ownership is transferred to the BugReporter object once // the BugReport is passed to 'EmitWarning'. if (!BTAttrNonNull) BTAttrNonNull.reset(new BugType( "Argument with 'nonnull' attribute passed null", "API")); BugReport *R = new BugReport(*BTAttrNonNull, "Null pointer passed as an argument to a 'nonnull' parameter", ErrorNode); if (ArgE) bugreporter::trackNullOrUndefValue(ErrorNode, ArgE, *R); return R; } BugReport *NonNullParamChecker::genReportReferenceToNullPointer( const ExplodedNode *ErrorNode, const Expr *ArgE) const { if (!BTNullRefArg) BTNullRefArg.reset(new BuiltinBug("Dereference of null pointer")); BugReport *R = new BugReport(*BTNullRefArg, "Forming reference to null pointer", ErrorNode); if (ArgE) { const Expr *ArgEDeref = bugreporter::getDerefExpr(ArgE); if (ArgEDeref == 0) ArgEDeref = ArgE; bugreporter::trackNullOrUndefValue(ErrorNode, ArgEDeref, *R); } return R; } void ento::registerNonNullParamChecker(CheckerManager &mgr) { mgr.registerChecker(); } @ 1.1.1.1 log @Import Clang 3.4rc1 r195771. @ text @@ 1.1.1.2 log @Import Clang 3.5svn r201163. @ text @d46 1 a46 1 CheckerContext &C) const { a68 6 if (!haveAttrNonNull) { // Check if the parameter is also marked 'nonnull'. ArrayRef parms = Call.parameters(); if (idx < parms.size()) haveAttrNonNull = parms[idx]->hasAttr(); } @ 1.1.1.3 log @Import Clang 3.5svn r202566. @ text @d107 1 a107 3 // FIXME: Handle (some_union){ some_other_union_val }, which turns into // a LazyCompoundVal inside a CompoundVal. if (!V.getAs()) d165 2 a166 1 this, "Argument with 'nonnull' attribute passed null", "API")); d180 1 a180 1 BTNullRefArg.reset(new BuiltinBug(this, "Dereference of null pointer")); @ 1.1.1.3.2.1 log @Rebase. @ text @d32 2 a33 3 mutable std::unique_ptr BTAttrNonNull; mutable std::unique_ptr BTNullRefArg; d125 1 a125 1 std::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV); d132 1 a132 1 BugReport *R = nullptr; d188 1 a188 1 if (!ArgEDeref) @ 1.1.1.4 log @Import Clang 3.5svn r209886. @ text @d32 2 a33 3 mutable std::unique_ptr BTAttrNonNull; mutable std::unique_ptr BTNullRefArg; d125 1 a125 1 std::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV); d132 1 a132 1 BugReport *R = nullptr; d188 1 a188 1 if (!ArgEDeref) @ 1.1.1.4.2.1 log @Update LLVM to 3.6.1, requested by joerg in ticket 824. @ text @d52 1 a52 14 // Merge all non-null attributes unsigned NumArgs = Call.getNumArgs(); llvm::SmallBitVector AttrNonNull(NumArgs); for (const auto *NonNull : FD->specific_attrs()) { if (!NonNull->args_size()) { AttrNonNull.set(0, NumArgs); break; } for (unsigned Val : NonNull->args()) { if (Val >= NumArgs) continue; AttrNonNull.set(Val); } } d59 1 a59 1 for (unsigned idx = 0; idx < NumArgs; ++idx) { d69 1 a69 1 bool haveAttrNonNull = AttrNonNull[idx]; @ 1.1.1.5 log @Import Clang 3.6RC1 r227398. @ text @d52 1 a52 14 // Merge all non-null attributes unsigned NumArgs = Call.getNumArgs(); llvm::SmallBitVector AttrNonNull(NumArgs); for (const auto *NonNull : FD->specific_attrs()) { if (!NonNull->args_size()) { AttrNonNull.set(0, NumArgs); break; } for (unsigned Val : NonNull->args()) { if (Val >= NumArgs) continue; AttrNonNull.set(Val); } } d59 1 a59 1 for (unsigned idx = 0; idx < NumArgs; ++idx) { d69 1 a69 1 bool haveAttrNonNull = AttrNonNull[idx]; @ 1.1.1.6 log @Import Clang 3.8.0rc3 r261930. @ text @d31 1 a31 1 : public Checker< check::PreCall, EventDispatcher > { d39 4 a42 5 std::unique_ptr genReportNullAttrNonNull(const ExplodedNode *ErrorN, const Expr *ArgE) const; std::unique_ptr genReportReferenceToNullPointer(const ExplodedNode *ErrorN, const Expr *ArgE) const; d141 10 a150 18 if (stateNull) { if (!stateNotNull) { // Generate an error node. Check for a null node in case // we cache out. if (ExplodedNode *errorNode = C.generateErrorNode(stateNull)) { std::unique_ptr R; if (haveAttrNonNull) R = genReportNullAttrNonNull(errorNode, ArgE); else if (haveRefTypeParam) R = genReportReferenceToNullPointer(errorNode, ArgE); // Highlight the range of the argument that was null. R->addRange(Call.getArgSourceRange(idx)); // Emit the bug report. C.emitReport(std::move(R)); } d152 5 a156 8 // Always return. Either we cached out or we just emitted an error. return; } if (ExplodedNode *N = C.generateSink(stateNull, C.getPredecessor())) { ImplicitNullDerefEvent event = { V, false, N, &C.getBugReporter(), /*IsDirectDereference=*/haveRefTypeParam}; dispatchEvent(event); d158 3 d174 2 a175 3 std::unique_ptr NonNullParamChecker::genReportNullAttrNonNull(const ExplodedNode *ErrorNode, const Expr *ArgE) const { d183 3 a185 3 auto R = llvm::make_unique( *BTAttrNonNull, "Null pointer passed as an argument to a 'nonnull' parameter", ErrorNode); d192 2 a193 2 std::unique_ptr NonNullParamChecker::genReportReferenceToNullPointer( const ExplodedNode *ErrorNode, const Expr *ArgE) const { d197 3 a199 2 auto R = llvm::make_unique( *BTNullRefArg, "Forming reference to null pointer", ErrorNode); @ 1.1.1.7 log @Import clang r309604 from branches/release_50 @ text @d76 1 a76 1 // to a null pointer is passed as a parameter. @ 1.1.1.7.4.1 log @Sync with HEAD @ text @d47 2 a48 2 /// \return Bitvector marking non-null attributes. static llvm::SmallBitVector getNonNullAttrs(const CallEvent &Call) { d50 4 d61 2 a62 3 for (const ParamIdx &Idx : NonNull->args()) { unsigned IdxAST = Idx.getASTIndex(); if (IdxAST >= NumArgs) d64 1 a64 1 AttrNonNull.set(IdxAST); a66 2 return AttrNonNull; } d68 1 a68 4 void NonNullParamChecker::checkPreCall(const CallEvent &Call, CheckerContext &C) const { if (!Call.getDecl()) return; d70 2 a71 5 llvm::SmallBitVector AttrNonNull = getNonNullAttrs(Call); unsigned NumArgs = Call.getNumArgs(); ProgramStateRef state = C.getState(); ArrayRef parms = Call.parameters(); a73 2 // For vararg functions, a corresponding parameter decl may not exist. bool HasParam = idx < parms.size(); d77 6 a82 2 bool haveRefTypeParam = HasParam ? parms[idx]->getType()->isReferenceType() : false; d84 6 d91 1 a91 5 // Check if the parameter is also marked 'nonnull'. if (!haveAttrNonNull && HasParam) haveAttrNonNull = parms[idx]->hasAttr(); if (!haveAttrNonNull && !haveRefTypeParam) d97 1 a97 1 auto DV = V.getAs(); d101 1 a103 1 // Process the case when the argument is not a location. d115 16 a130 1 auto CSV = DV->getAs(); d132 2 a133 2 // FIXME: Handle LazyCompoundVals? if (!CSV) d135 1 a135 13 V = *(CSV->begin()); DV = V.getAs(); assert(++CSV->begin() == CSV->end()); // FIXME: Handle (some_union){ some_other_union_val }, which turns into // a LazyCompoundVal inside a CompoundVal. if (!V.getAs()) continue; // Retrieve the corresponding expression. if (const auto *CE = dyn_cast(ArgE)) if (const auto *IE = dyn_cast(CE->getInitializer())) ArgE = dyn_cast(*(IE->begin())); d142 18 a159 10 // Generate an error node. Check for a null node in case // we cache out. if (stateNull && !stateNotNull) { if (ExplodedNode *errorNode = C.generateErrorNode(stateNull)) { std::unique_ptr R; if (haveAttrNonNull) R = genReportNullAttrNonNull(errorNode, ArgE); else if (haveRefTypeParam) R = genReportReferenceToNullPointer(errorNode, ArgE); d161 2 a162 5 // Highlight the range of the argument that was null. R->addRange(Call.getArgSourceRange(idx)); // Emit the bug report. C.emitReport(std::move(R)); a163 6 // Always return. Either we cached out or we just emitted an error. return; } if (stateNull) { d166 2 a167 2 V, false, N, &C.getBugReporter(), /*IsDirectDereference=*/haveRefTypeParam}; d174 1 @ 1.1.1.7.4.2 log @Mostly merge changes from HEAD upto 20200411 @ text @@ 1.1.1.7.2.1 log @Sync with HEAD @ text @d47 2 a48 2 /// \return Bitvector marking non-null attributes. static llvm::SmallBitVector getNonNullAttrs(const CallEvent &Call) { d50 4 d61 2 a62 3 for (const ParamIdx &Idx : NonNull->args()) { unsigned IdxAST = Idx.getASTIndex(); if (IdxAST >= NumArgs) d64 1 a64 1 AttrNonNull.set(IdxAST); a66 2 return AttrNonNull; } d68 1 a68 4 void NonNullParamChecker::checkPreCall(const CallEvent &Call, CheckerContext &C) const { if (!Call.getDecl()) return; d70 2 a71 5 llvm::SmallBitVector AttrNonNull = getNonNullAttrs(Call); unsigned NumArgs = Call.getNumArgs(); ProgramStateRef state = C.getState(); ArrayRef parms = Call.parameters(); a73 2 // For vararg functions, a corresponding parameter decl may not exist. bool HasParam = idx < parms.size(); d77 6 a82 2 bool haveRefTypeParam = HasParam ? parms[idx]->getType()->isReferenceType() : false; d84 6 d91 1 a91 5 // Check if the parameter is also marked 'nonnull'. if (!haveAttrNonNull && HasParam) haveAttrNonNull = parms[idx]->hasAttr(); if (!haveAttrNonNull && !haveRefTypeParam) d97 1 a97 1 auto DV = V.getAs(); d101 1 a103 1 // Process the case when the argument is not a location. d115 16 a130 1 auto CSV = DV->getAs(); d132 2 a133 2 // FIXME: Handle LazyCompoundVals? if (!CSV) d135 1 a135 13 V = *(CSV->begin()); DV = V.getAs(); assert(++CSV->begin() == CSV->end()); // FIXME: Handle (some_union){ some_other_union_val }, which turns into // a LazyCompoundVal inside a CompoundVal. if (!V.getAs()) continue; // Retrieve the corresponding expression. if (const auto *CE = dyn_cast(ArgE)) if (const auto *IE = dyn_cast(CE->getInitializer())) ArgE = dyn_cast(*(IE->begin())); d142 18 a159 10 // Generate an error node. Check for a null node in case // we cache out. if (stateNull && !stateNotNull) { if (ExplodedNode *errorNode = C.generateErrorNode(stateNull)) { std::unique_ptr R; if (haveAttrNonNull) R = genReportNullAttrNonNull(errorNode, ArgE); else if (haveRefTypeParam) R = genReportReferenceToNullPointer(errorNode, ArgE); d161 2 a162 5 // Highlight the range of the argument that was null. R->addRange(Call.getArgSourceRange(idx)); // Emit the bug report. C.emitReport(std::move(R)); a163 6 // Always return. Either we cached out or we just emitted an error. return; } if (stateNull) { d166 2 a167 2 V, false, N, &C.getBugReporter(), /*IsDirectDereference=*/haveRefTypeParam}; d174 1 @ 1.1.1.8 log @Import clang r337282 from trunk @ text @d47 2 a48 2 /// \return Bitvector marking non-null attributes. static llvm::SmallBitVector getNonNullAttrs(const CallEvent &Call) { d50 4 d61 2 a62 3 for (const ParamIdx &Idx : NonNull->args()) { unsigned IdxAST = Idx.getASTIndex(); if (IdxAST >= NumArgs) d64 1 a64 1 AttrNonNull.set(IdxAST); a66 2 return AttrNonNull; } d68 1 a68 4 void NonNullParamChecker::checkPreCall(const CallEvent &Call, CheckerContext &C) const { if (!Call.getDecl()) return; d70 2 a71 5 llvm::SmallBitVector AttrNonNull = getNonNullAttrs(Call); unsigned NumArgs = Call.getNumArgs(); ProgramStateRef state = C.getState(); ArrayRef parms = Call.parameters(); a73 2 // For vararg functions, a corresponding parameter decl may not exist. bool HasParam = idx < parms.size(); d77 6 a82 2 bool haveRefTypeParam = HasParam ? parms[idx]->getType()->isReferenceType() : false; d84 6 d91 1 a91 5 // Check if the parameter is also marked 'nonnull'. if (!haveAttrNonNull && HasParam) haveAttrNonNull = parms[idx]->hasAttr(); if (!haveAttrNonNull && !haveRefTypeParam) d97 1 a97 1 auto DV = V.getAs(); d101 1 a103 1 // Process the case when the argument is not a location. d115 16 a130 1 auto CSV = DV->getAs(); d132 2 a133 2 // FIXME: Handle LazyCompoundVals? if (!CSV) d135 1 a135 13 V = *(CSV->begin()); DV = V.getAs(); assert(++CSV->begin() == CSV->end()); // FIXME: Handle (some_union){ some_other_union_val }, which turns into // a LazyCompoundVal inside a CompoundVal. if (!V.getAs()) continue; // Retrieve the corresponding expression. if (const auto *CE = dyn_cast(ArgE)) if (const auto *IE = dyn_cast(CE->getInitializer())) ArgE = dyn_cast(*(IE->begin())); d142 18 a159 10 // Generate an error node. Check for a null node in case // we cache out. if (stateNull && !stateNotNull) { if (ExplodedNode *errorNode = C.generateErrorNode(stateNull)) { std::unique_ptr R; if (haveAttrNonNull) R = genReportNullAttrNonNull(errorNode, ArgE); else if (haveRefTypeParam) R = genReportReferenceToNullPointer(errorNode, ArgE); d161 2 a162 5 // Highlight the range of the argument that was null. R->addRange(Call.getArgSourceRange(idx)); // Emit the bug report. C.emitReport(std::move(R)); a163 6 // Always return. Either we cached out or we just emitted an error. return; } if (stateNull) { d166 2 a167 2 V, false, N, &C.getBugReporter(), /*IsDirectDereference=*/haveRefTypeParam}; d174 1 @ 1.1.1.9 log @Mark old LLVM instance as dead. @ text @@ 1.1.1.4.4.1 log @file NonNullParamChecker.cpp was added on branch tls-maxphys on 2014-08-19 23:47:31 +0000 @ text @d1 201 @ 1.1.1.4.4.2 log @Rebase to HEAD as of a few days ago. @ text @a0 201 //===--- NonNullParamChecker.cpp - Undefined arguments checker -*- C++ -*--===// // // The LLVM Compiler Infrastructure // // This file is distributed under the University of Illinois Open Source // License. See LICENSE.TXT for details. // //===----------------------------------------------------------------------===// // // This defines NonNullParamChecker, which checks for arguments expected not to // be null due to: // - the corresponding parameters being declared to have nonnull attribute // - the corresponding parameters being references; since the call would form // a reference to a null pointer // //===----------------------------------------------------------------------===// #include "ClangSACheckers.h" #include "clang/AST/Attr.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" using namespace clang; using namespace ento; namespace { class NonNullParamChecker : public Checker< check::PreCall > { mutable std::unique_ptr BTAttrNonNull; mutable std::unique_ptr BTNullRefArg; public: void checkPreCall(const CallEvent &Call, CheckerContext &C) const; BugReport *genReportNullAttrNonNull(const ExplodedNode *ErrorN, const Expr *ArgE) const; BugReport *genReportReferenceToNullPointer(const ExplodedNode *ErrorN, const Expr *ArgE) const; }; } // end anonymous namespace void NonNullParamChecker::checkPreCall(const CallEvent &Call, CheckerContext &C) const { const Decl *FD = Call.getDecl(); if (!FD) return; const NonNullAttr *Att = FD->getAttr(); ProgramStateRef state = C.getState(); CallEvent::param_type_iterator TyI = Call.param_type_begin(), TyE = Call.param_type_end(); for (unsigned idx = 0, count = Call.getNumArgs(); idx != count; ++idx){ // Check if the parameter is a reference. We want to report when reference // to a null pointer is passed as a paramter. bool haveRefTypeParam = false; if (TyI != TyE) { haveRefTypeParam = (*TyI)->isReferenceType(); TyI++; } bool haveAttrNonNull = Att && Att->isNonNull(idx); if (!haveAttrNonNull) { // Check if the parameter is also marked 'nonnull'. ArrayRef parms = Call.parameters(); if (idx < parms.size()) haveAttrNonNull = parms[idx]->hasAttr(); } if (!haveRefTypeParam && !haveAttrNonNull) continue; // If the value is unknown or undefined, we can't perform this check. const Expr *ArgE = Call.getArgExpr(idx); SVal V = Call.getArgSVal(idx); Optional DV = V.getAs(); if (!DV) continue; // Process the case when the argument is not a location. assert(!haveRefTypeParam || DV->getAs()); if (haveAttrNonNull && !DV->getAs()) { // If the argument is a union type, we want to handle a potential // transparent_union GCC extension. if (!ArgE) continue; QualType T = ArgE->getType(); const RecordType *UT = T->getAsUnionType(); if (!UT || !UT->getDecl()->hasAttr()) continue; if (Optional CSV = DV->getAs()) { nonloc::CompoundVal::iterator CSV_I = CSV->begin(); assert(CSV_I != CSV->end()); V = *CSV_I; DV = V.getAs(); assert(++CSV_I == CSV->end()); // FIXME: Handle (some_union){ some_other_union_val }, which turns into // a LazyCompoundVal inside a CompoundVal. if (!V.getAs()) continue; // Retrieve the corresponding expression. if (const CompoundLiteralExpr *CE = dyn_cast(ArgE)) if (const InitListExpr *IE = dyn_cast(CE->getInitializer())) ArgE = dyn_cast(*(IE->begin())); } else { // FIXME: Handle LazyCompoundVals? continue; } } ConstraintManager &CM = C.getConstraintManager(); ProgramStateRef stateNotNull, stateNull; std::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV); if (stateNull && !stateNotNull) { // Generate an error node. Check for a null node in case // we cache out. if (ExplodedNode *errorNode = C.generateSink(stateNull)) { BugReport *R = nullptr; if (haveAttrNonNull) R = genReportNullAttrNonNull(errorNode, ArgE); else if (haveRefTypeParam) R = genReportReferenceToNullPointer(errorNode, ArgE); // Highlight the range of the argument that was null. R->addRange(Call.getArgSourceRange(idx)); // Emit the bug report. C.emitReport(R); } // Always return. Either we cached out or we just emitted an error. return; } // If a pointer value passed the check we should assume that it is // indeed not null from this point forward. assert(stateNotNull); state = stateNotNull; } // If we reach here all of the arguments passed the nonnull check. // If 'state' has been updated generated a new node. C.addTransition(state); } BugReport *NonNullParamChecker::genReportNullAttrNonNull( const ExplodedNode *ErrorNode, const Expr *ArgE) const { // Lazily allocate the BugType object if it hasn't already been // created. Ownership is transferred to the BugReporter object once // the BugReport is passed to 'EmitWarning'. if (!BTAttrNonNull) BTAttrNonNull.reset(new BugType( this, "Argument with 'nonnull' attribute passed null", "API")); BugReport *R = new BugReport(*BTAttrNonNull, "Null pointer passed as an argument to a 'nonnull' parameter", ErrorNode); if (ArgE) bugreporter::trackNullOrUndefValue(ErrorNode, ArgE, *R); return R; } BugReport *NonNullParamChecker::genReportReferenceToNullPointer( const ExplodedNode *ErrorNode, const Expr *ArgE) const { if (!BTNullRefArg) BTNullRefArg.reset(new BuiltinBug(this, "Dereference of null pointer")); BugReport *R = new BugReport(*BTNullRefArg, "Forming reference to null pointer", ErrorNode); if (ArgE) { const Expr *ArgEDeref = bugreporter::getDerefExpr(ArgE); if (!ArgEDeref) ArgEDeref = ArgE; bugreporter::trackNullOrUndefValue(ErrorNode, ArgEDeref, *R); } return R; } void ento::registerNonNullParamChecker(CheckerManager &mgr) { mgr.registerChecker(); } @ 1.1.1.3.4.1 log @file NonNullParamChecker.cpp was added on branch yamt-pagecache on 2014-05-22 16:18:31 +0000 @ text @d1 200 @ 1.1.1.3.4.2 log @sync with head. for a reference, the tree before this commit was tagged as yamt-pagecache-tag8. this commit was splitted into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments") @ text @a0 200 //===--- NonNullParamChecker.cpp - Undefined arguments checker -*- C++ -*--===// // // The LLVM Compiler Infrastructure // // This file is distributed under the University of Illinois Open Source // License. See LICENSE.TXT for details. // //===----------------------------------------------------------------------===// // // This defines NonNullParamChecker, which checks for arguments expected not to // be null due to: // - the corresponding parameters being declared to have nonnull attribute // - the corresponding parameters being references; since the call would form // a reference to a null pointer // //===----------------------------------------------------------------------===// #include "ClangSACheckers.h" #include "clang/AST/Attr.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" using namespace clang; using namespace ento; namespace { class NonNullParamChecker : public Checker< check::PreCall > { mutable OwningPtr BTAttrNonNull; mutable OwningPtr BTNullRefArg; public: void checkPreCall(const CallEvent &Call, CheckerContext &C) const; BugReport *genReportNullAttrNonNull(const ExplodedNode *ErrorN, const Expr *ArgE) const; BugReport *genReportReferenceToNullPointer(const ExplodedNode *ErrorN, const Expr *ArgE) const; }; } // end anonymous namespace void NonNullParamChecker::checkPreCall(const CallEvent &Call, CheckerContext &C) const { const Decl *FD = Call.getDecl(); if (!FD) return; const NonNullAttr *Att = FD->getAttr(); ProgramStateRef state = C.getState(); CallEvent::param_type_iterator TyI = Call.param_type_begin(), TyE = Call.param_type_end(); for (unsigned idx = 0, count = Call.getNumArgs(); idx != count; ++idx){ // Check if the parameter is a reference. We want to report when reference // to a null pointer is passed as a paramter. bool haveRefTypeParam = false; if (TyI != TyE) { haveRefTypeParam = (*TyI)->isReferenceType(); TyI++; } bool haveAttrNonNull = Att && Att->isNonNull(idx); if (!haveAttrNonNull) { // Check if the parameter is also marked 'nonnull'. ArrayRef parms = Call.parameters(); if (idx < parms.size()) haveAttrNonNull = parms[idx]->hasAttr(); } if (!haveRefTypeParam && !haveAttrNonNull) continue; // If the value is unknown or undefined, we can't perform this check. const Expr *ArgE = Call.getArgExpr(idx); SVal V = Call.getArgSVal(idx); Optional DV = V.getAs(); if (!DV) continue; // Process the case when the argument is not a location. assert(!haveRefTypeParam || DV->getAs()); if (haveAttrNonNull && !DV->getAs()) { // If the argument is a union type, we want to handle a potential // transparent_union GCC extension. if (!ArgE) continue; QualType T = ArgE->getType(); const RecordType *UT = T->getAsUnionType(); if (!UT || !UT->getDecl()->hasAttr()) continue; if (Optional CSV = DV->getAs()) { nonloc::CompoundVal::iterator CSV_I = CSV->begin(); assert(CSV_I != CSV->end()); V = *CSV_I; DV = V.getAs(); assert(++CSV_I == CSV->end()); // FIXME: Handle (some_union){ some_other_union_val }, which turns into // a LazyCompoundVal inside a CompoundVal. if (!V.getAs()) continue; // Retrieve the corresponding expression. if (const CompoundLiteralExpr *CE = dyn_cast(ArgE)) if (const InitListExpr *IE = dyn_cast(CE->getInitializer())) ArgE = dyn_cast(*(IE->begin())); } else { // FIXME: Handle LazyCompoundVals? continue; } } ConstraintManager &CM = C.getConstraintManager(); ProgramStateRef stateNotNull, stateNull; llvm::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV); if (stateNull && !stateNotNull) { // Generate an error node. Check for a null node in case // we cache out. if (ExplodedNode *errorNode = C.generateSink(stateNull)) { BugReport *R = 0; if (haveAttrNonNull) R = genReportNullAttrNonNull(errorNode, ArgE); else if (haveRefTypeParam) R = genReportReferenceToNullPointer(errorNode, ArgE); // Highlight the range of the argument that was null. R->addRange(Call.getArgSourceRange(idx)); // Emit the bug report. C.emitReport(R); } // Always return. Either we cached out or we just emitted an error. return; } // If a pointer value passed the check we should assume that it is // indeed not null from this point forward. assert(stateNotNull); state = stateNotNull; } // If we reach here all of the arguments passed the nonnull check. // If 'state' has been updated generated a new node. C.addTransition(state); } BugReport *NonNullParamChecker::genReportNullAttrNonNull( const ExplodedNode *ErrorNode, const Expr *ArgE) const { // Lazily allocate the BugType object if it hasn't already been // created. Ownership is transferred to the BugReporter object once // the BugReport is passed to 'EmitWarning'. if (!BTAttrNonNull) BTAttrNonNull.reset(new BugType( this, "Argument with 'nonnull' attribute passed null", "API")); BugReport *R = new BugReport(*BTAttrNonNull, "Null pointer passed as an argument to a 'nonnull' parameter", ErrorNode); if (ArgE) bugreporter::trackNullOrUndefValue(ErrorNode, ArgE, *R); return R; } BugReport *NonNullParamChecker::genReportReferenceToNullPointer( const ExplodedNode *ErrorNode, const Expr *ArgE) const { if (!BTNullRefArg) BTNullRefArg.reset(new BuiltinBug(this, "Dereference of null pointer")); BugReport *R = new BugReport(*BTNullRefArg, "Forming reference to null pointer", ErrorNode); if (ArgE) { const Expr *ArgEDeref = bugreporter::getDerefExpr(ArgE); if (ArgEDeref == 0) ArgEDeref = ArgE; bugreporter::trackNullOrUndefValue(ErrorNode, ArgEDeref, *R); } return R; } void ento::registerNonNullParamChecker(CheckerManager &mgr) { mgr.registerChecker(); } @