19a542f75SGeorge Karpenkov //==- NonnullGlobalConstantsChecker.cpp ---------------------------*- C++ -*--//
29a542f75SGeorge Karpenkov //
32946cd70SChandler Carruth // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
42946cd70SChandler Carruth // See https://llvm.org/LICENSE.txt for license information.
52946cd70SChandler Carruth // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
69a542f75SGeorge Karpenkov //
79a542f75SGeorge Karpenkov //===----------------------------------------------------------------------===//
89a542f75SGeorge Karpenkov //
99a542f75SGeorge Karpenkov // This checker adds an assumption that constant globals of certain types* are
109a542f75SGeorge Karpenkov // non-null, as otherwise they generally do not convey any useful information.
119a542f75SGeorge Karpenkov // The assumption is useful, as many framework use e. g. global const strings,
129a542f75SGeorge Karpenkov // and the analyzer might not be able to infer the global value if the
139a542f75SGeorge Karpenkov // definition is in a separate translation unit.
149a542f75SGeorge Karpenkov // The following types (and their typedef aliases) are considered to be
159a542f75SGeorge Karpenkov // non-null:
169a542f75SGeorge Karpenkov // - `char* const`
179a542f75SGeorge Karpenkov // - `const CFStringRef` from CoreFoundation
189a542f75SGeorge Karpenkov // - `NSString* const` from Foundation
199a542f75SGeorge Karpenkov // - `CFBooleanRef` from Foundation
209a542f75SGeorge Karpenkov //
219a542f75SGeorge Karpenkov //===----------------------------------------------------------------------===//
229a542f75SGeorge Karpenkov
2376a21502SKristof Umann #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
249a542f75SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
259a542f75SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/Checker.h"
269a542f75SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/CheckerManager.h"
279a542f75SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
289a542f75SGeorge Karpenkov #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
299a542f75SGeorge Karpenkov
309a542f75SGeorge Karpenkov using namespace clang;
319a542f75SGeorge Karpenkov using namespace ento;
329a542f75SGeorge Karpenkov
339a542f75SGeorge Karpenkov namespace {
349a542f75SGeorge Karpenkov
359a542f75SGeorge Karpenkov class NonnullGlobalConstantsChecker : public Checker<check::Location> {
369a542f75SGeorge Karpenkov mutable IdentifierInfo *NSStringII = nullptr;
379a542f75SGeorge Karpenkov mutable IdentifierInfo *CFStringRefII = nullptr;
389a542f75SGeorge Karpenkov mutable IdentifierInfo *CFBooleanRefII = nullptr;
39badba511SArtem Dergachev mutable IdentifierInfo *CFNullRefII = nullptr;
409a542f75SGeorge Karpenkov
419a542f75SGeorge Karpenkov public:
NonnullGlobalConstantsChecker()429a542f75SGeorge Karpenkov NonnullGlobalConstantsChecker() {}
439a542f75SGeorge Karpenkov
449a542f75SGeorge Karpenkov void checkLocation(SVal l, bool isLoad, const Stmt *S,
459a542f75SGeorge Karpenkov CheckerContext &C) const;
469a542f75SGeorge Karpenkov
479a542f75SGeorge Karpenkov private:
489a542f75SGeorge Karpenkov void initIdentifierInfo(ASTContext &Ctx) const;
499a542f75SGeorge Karpenkov
509a542f75SGeorge Karpenkov bool isGlobalConstString(SVal V) const;
519a542f75SGeorge Karpenkov
529a542f75SGeorge Karpenkov bool isNonnullType(QualType Ty) const;
539a542f75SGeorge Karpenkov };
549a542f75SGeorge Karpenkov
559a542f75SGeorge Karpenkov } // namespace
569a542f75SGeorge Karpenkov
572a8c18d9SAlexander Kornienko /// Lazily initialize cache for required identifier information.
initIdentifierInfo(ASTContext & Ctx) const589a542f75SGeorge Karpenkov void NonnullGlobalConstantsChecker::initIdentifierInfo(ASTContext &Ctx) const {
599a542f75SGeorge Karpenkov if (NSStringII)
609a542f75SGeorge Karpenkov return;
619a542f75SGeorge Karpenkov
629a542f75SGeorge Karpenkov NSStringII = &Ctx.Idents.get("NSString");
639a542f75SGeorge Karpenkov CFStringRefII = &Ctx.Idents.get("CFStringRef");
649a542f75SGeorge Karpenkov CFBooleanRefII = &Ctx.Idents.get("CFBooleanRef");
65badba511SArtem Dergachev CFNullRefII = &Ctx.Idents.get("CFNullRef");
669a542f75SGeorge Karpenkov }
679a542f75SGeorge Karpenkov
689a542f75SGeorge Karpenkov /// Add an assumption that const string-like globals are non-null.
checkLocation(SVal location,bool isLoad,const Stmt * S,CheckerContext & C) const699a542f75SGeorge Karpenkov void NonnullGlobalConstantsChecker::checkLocation(SVal location, bool isLoad,
709a542f75SGeorge Karpenkov const Stmt *S,
719a542f75SGeorge Karpenkov CheckerContext &C) const {
729a542f75SGeorge Karpenkov initIdentifierInfo(C.getASTContext());
739a542f75SGeorge Karpenkov if (!isLoad || !location.isValid())
749a542f75SGeorge Karpenkov return;
759a542f75SGeorge Karpenkov
769a542f75SGeorge Karpenkov ProgramStateRef State = C.getState();
779a542f75SGeorge Karpenkov
789a542f75SGeorge Karpenkov if (isGlobalConstString(location)) {
7953c1c10bSGeorge Karpenkov SVal V = State->getSVal(location.castAs<Loc>());
809a542f75SGeorge Karpenkov Optional<DefinedOrUnknownSVal> Constr = V.getAs<DefinedOrUnknownSVal>();
819a542f75SGeorge Karpenkov
829a542f75SGeorge Karpenkov if (Constr) {
839a542f75SGeorge Karpenkov
849a542f75SGeorge Karpenkov // Assume that the variable is non-null.
859a542f75SGeorge Karpenkov ProgramStateRef OutputState = State->assume(*Constr, true);
869a542f75SGeorge Karpenkov C.addTransition(OutputState);
879a542f75SGeorge Karpenkov }
889a542f75SGeorge Karpenkov }
899a542f75SGeorge Karpenkov }
909a542f75SGeorge Karpenkov
919a542f75SGeorge Karpenkov /// \param V loaded lvalue.
921cb15b10SAaron Puchert /// \return whether @c val is a string-like const global.
isGlobalConstString(SVal V) const939a542f75SGeorge Karpenkov bool NonnullGlobalConstantsChecker::isGlobalConstString(SVal V) const {
949a542f75SGeorge Karpenkov Optional<loc::MemRegionVal> RegionVal = V.getAs<loc::MemRegionVal>();
959a542f75SGeorge Karpenkov if (!RegionVal)
969a542f75SGeorge Karpenkov return false;
979a542f75SGeorge Karpenkov auto *Region = dyn_cast<VarRegion>(RegionVal->getAsRegion());
989a542f75SGeorge Karpenkov if (!Region)
999a542f75SGeorge Karpenkov return false;
1009a542f75SGeorge Karpenkov const VarDecl *Decl = Region->getDecl();
1019a542f75SGeorge Karpenkov
1029a542f75SGeorge Karpenkov if (!Decl->hasGlobalStorage())
1039a542f75SGeorge Karpenkov return false;
1049a542f75SGeorge Karpenkov
1059a542f75SGeorge Karpenkov QualType Ty = Decl->getType();
1069a542f75SGeorge Karpenkov bool HasConst = Ty.isConstQualified();
1079a542f75SGeorge Karpenkov if (isNonnullType(Ty) && HasConst)
1089a542f75SGeorge Karpenkov return true;
1099a542f75SGeorge Karpenkov
1109a542f75SGeorge Karpenkov // Look through the typedefs.
111512f4838SArtem Dergachev while (const Type *T = Ty.getTypePtr()) {
112*888673b6SJonas Devlieghere if (const auto *TT = dyn_cast<TypedefType>(T)) {
113512f4838SArtem Dergachev Ty = TT->getDecl()->getUnderlyingType();
1149a542f75SGeorge Karpenkov // It is sufficient for any intermediate typedef
1159a542f75SGeorge Karpenkov // to be classified const.
1169a542f75SGeorge Karpenkov HasConst = HasConst || Ty.isConstQualified();
1179a542f75SGeorge Karpenkov if (isNonnullType(Ty) && HasConst)
1189a542f75SGeorge Karpenkov return true;
119*888673b6SJonas Devlieghere } else if (const auto *AT = dyn_cast<AttributedType>(T)) {
120*888673b6SJonas Devlieghere if (AT->getAttrKind() == attr::TypeNonNull)
121*888673b6SJonas Devlieghere return true;
122*888673b6SJonas Devlieghere Ty = AT->getModifiedType();
123512f4838SArtem Dergachev } else {
124512f4838SArtem Dergachev return false;
125512f4838SArtem Dergachev }
1269a542f75SGeorge Karpenkov }
1279a542f75SGeorge Karpenkov return false;
1289a542f75SGeorge Karpenkov }
1299a542f75SGeorge Karpenkov
1301cb15b10SAaron Puchert /// \return whether @c type is extremely unlikely to be null
isNonnullType(QualType Ty) const1319a542f75SGeorge Karpenkov bool NonnullGlobalConstantsChecker::isNonnullType(QualType Ty) const {
1329a542f75SGeorge Karpenkov
1339a542f75SGeorge Karpenkov if (Ty->isPointerType() && Ty->getPointeeType()->isCharType())
1349a542f75SGeorge Karpenkov return true;
1359a542f75SGeorge Karpenkov
1369a542f75SGeorge Karpenkov if (auto *T = dyn_cast<ObjCObjectPointerType>(Ty)) {
1379a542f75SGeorge Karpenkov return T->getInterfaceDecl() &&
1389a542f75SGeorge Karpenkov T->getInterfaceDecl()->getIdentifier() == NSStringII;
139*888673b6SJonas Devlieghere } else if (auto *T = dyn_cast<TypedefType>(Ty)) {
1409a542f75SGeorge Karpenkov IdentifierInfo* II = T->getDecl()->getIdentifier();
141badba511SArtem Dergachev return II == CFStringRefII || II == CFBooleanRefII || II == CFNullRefII;
1429a542f75SGeorge Karpenkov }
1439a542f75SGeorge Karpenkov return false;
1449a542f75SGeorge Karpenkov }
1459a542f75SGeorge Karpenkov
registerNonnullGlobalConstantsChecker(CheckerManager & Mgr)1469a542f75SGeorge Karpenkov void ento::registerNonnullGlobalConstantsChecker(CheckerManager &Mgr) {
1479a542f75SGeorge Karpenkov Mgr.registerChecker<NonnullGlobalConstantsChecker>();
1489a542f75SGeorge Karpenkov }
149058a7a45SKristof Umann
shouldRegisterNonnullGlobalConstantsChecker(const CheckerManager & mgr)150bda3dd0dSKirstóf Umann bool ento::shouldRegisterNonnullGlobalConstantsChecker(const CheckerManager &mgr) {
151058a7a45SKristof Umann return true;
152058a7a45SKristof Umann }
153