1 //===- BugReporterVisitors.cpp - Helpers for reporting bugs ---------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines a set of BugReporter "visitors" which can be used to 10 // enhance the diagnostics reported for a bug. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h" 15 #include "clang/AST/ASTContext.h" 16 #include "clang/AST/Decl.h" 17 #include "clang/AST/DeclBase.h" 18 #include "clang/AST/DeclCXX.h" 19 #include "clang/AST/Expr.h" 20 #include "clang/AST/ExprCXX.h" 21 #include "clang/AST/ExprObjC.h" 22 #include "clang/AST/Stmt.h" 23 #include "clang/AST/Type.h" 24 #include "clang/ASTMatchers/ASTMatchFinder.h" 25 #include "clang/Analysis/Analyses/Dominators.h" 26 #include "clang/Analysis/AnalysisDeclContext.h" 27 #include "clang/Analysis/CFG.h" 28 #include "clang/Analysis/CFGStmtMap.h" 29 #include "clang/Analysis/PathDiagnostic.h" 30 #include "clang/Analysis/ProgramPoint.h" 31 #include "clang/Basic/IdentifierTable.h" 32 #include "clang/Basic/LLVM.h" 33 #include "clang/Basic/SourceLocation.h" 34 #include "clang/Basic/SourceManager.h" 35 #include "clang/Lex/Lexer.h" 36 #include "clang/StaticAnalyzer/Core/AnalyzerOptions.h" 37 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 38 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 39 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 40 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h" 41 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 42 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 43 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 44 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h" 45 #include "clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h" 46 #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" 47 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 48 #include "llvm/ADT/ArrayRef.h" 49 #include "llvm/ADT/None.h" 50 #include "llvm/ADT/Optional.h" 51 #include "llvm/ADT/STLExtras.h" 52 #include "llvm/ADT/SmallPtrSet.h" 53 #include "llvm/ADT/SmallString.h" 54 #include "llvm/ADT/SmallVector.h" 55 #include "llvm/ADT/StringExtras.h" 56 #include "llvm/ADT/StringRef.h" 57 #include "llvm/Support/Casting.h" 58 #include "llvm/Support/ErrorHandling.h" 59 #include "llvm/Support/raw_ostream.h" 60 #include <cassert> 61 #include <deque> 62 #include <memory> 63 #include <string> 64 #include <utility> 65 66 using namespace clang; 67 using namespace ento; 68 69 //===----------------------------------------------------------------------===// 70 // Utility functions. 71 //===----------------------------------------------------------------------===// 72 73 static const Expr *peelOffPointerArithmetic(const BinaryOperator *B) { 74 if (B->isAdditiveOp() && B->getType()->isPointerType()) { 75 if (B->getLHS()->getType()->isPointerType()) { 76 return B->getLHS(); 77 } else if (B->getRHS()->getType()->isPointerType()) { 78 return B->getRHS(); 79 } 80 } 81 return nullptr; 82 } 83 84 /// Given that expression S represents a pointer that would be dereferenced, 85 /// try to find a sub-expression from which the pointer came from. 86 /// This is used for tracking down origins of a null or undefined value: 87 /// "this is null because that is null because that is null" etc. 88 /// We wipe away field and element offsets because they merely add offsets. 89 /// We also wipe away all casts except lvalue-to-rvalue casts, because the 90 /// latter represent an actual pointer dereference; however, we remove 91 /// the final lvalue-to-rvalue cast before returning from this function 92 /// because it demonstrates more clearly from where the pointer rvalue was 93 /// loaded. Examples: 94 /// x->y.z ==> x (lvalue) 95 /// foo()->y.z ==> foo() (rvalue) 96 const Expr *bugreporter::getDerefExpr(const Stmt *S) { 97 const auto *E = dyn_cast<Expr>(S); 98 if (!E) 99 return nullptr; 100 101 while (true) { 102 if (const auto *CE = dyn_cast<CastExpr>(E)) { 103 if (CE->getCastKind() == CK_LValueToRValue) { 104 // This cast represents the load we're looking for. 105 break; 106 } 107 E = CE->getSubExpr(); 108 } else if (const auto *B = dyn_cast<BinaryOperator>(E)) { 109 // Pointer arithmetic: '*(x + 2)' -> 'x') etc. 110 if (const Expr *Inner = peelOffPointerArithmetic(B)) { 111 E = Inner; 112 } else { 113 // Probably more arithmetic can be pattern-matched here, 114 // but for now give up. 115 break; 116 } 117 } else if (const auto *U = dyn_cast<UnaryOperator>(E)) { 118 if (U->getOpcode() == UO_Deref || U->getOpcode() == UO_AddrOf || 119 (U->isIncrementDecrementOp() && U->getType()->isPointerType())) { 120 // Operators '*' and '&' don't actually mean anything. 121 // We look at casts instead. 122 E = U->getSubExpr(); 123 } else { 124 // Probably more arithmetic can be pattern-matched here, 125 // but for now give up. 126 break; 127 } 128 } 129 // Pattern match for a few useful cases: a[0], p->f, *p etc. 130 else if (const auto *ME = dyn_cast<MemberExpr>(E)) { 131 E = ME->getBase(); 132 } else if (const auto *IvarRef = dyn_cast<ObjCIvarRefExpr>(E)) { 133 E = IvarRef->getBase(); 134 } else if (const auto *AE = dyn_cast<ArraySubscriptExpr>(E)) { 135 E = AE->getBase(); 136 } else if (const auto *PE = dyn_cast<ParenExpr>(E)) { 137 E = PE->getSubExpr(); 138 } else if (const auto *FE = dyn_cast<FullExpr>(E)) { 139 E = FE->getSubExpr(); 140 } else { 141 // Other arbitrary stuff. 142 break; 143 } 144 } 145 146 // Special case: remove the final lvalue-to-rvalue cast, but do not recurse 147 // deeper into the sub-expression. This way we return the lvalue from which 148 // our pointer rvalue was loaded. 149 if (const auto *CE = dyn_cast<ImplicitCastExpr>(E)) 150 if (CE->getCastKind() == CK_LValueToRValue) 151 E = CE->getSubExpr(); 152 153 return E; 154 } 155 156 static const MemRegion * 157 getLocationRegionIfReference(const Expr *E, const ExplodedNode *N, 158 bool LookingForReference = true) { 159 if (const auto *DR = dyn_cast<DeclRefExpr>(E)) { 160 if (const auto *VD = dyn_cast<VarDecl>(DR->getDecl())) { 161 if (LookingForReference && !VD->getType()->isReferenceType()) 162 return nullptr; 163 return N->getState() 164 ->getLValue(VD, N->getLocationContext()) 165 .getAsRegion(); 166 } 167 } 168 169 // FIXME: This does not handle other kinds of null references, 170 // for example, references from FieldRegions: 171 // struct Wrapper { int &ref; }; 172 // Wrapper w = { *(int *)0 }; 173 // w.ref = 1; 174 175 return nullptr; 176 } 177 178 /// Comparing internal representations of symbolic values (via 179 /// SVal::operator==()) is a valid way to check if the value was updated, 180 /// unless it's a LazyCompoundVal that may have a different internal 181 /// representation every time it is loaded from the state. In this function we 182 /// do an approximate comparison for lazy compound values, checking that they 183 /// are the immediate snapshots of the tracked region's bindings within the 184 /// node's respective states but not really checking that these snapshots 185 /// actually contain the same set of bindings. 186 static bool hasVisibleUpdate(const ExplodedNode *LeftNode, SVal LeftVal, 187 const ExplodedNode *RightNode, SVal RightVal) { 188 if (LeftVal == RightVal) 189 return true; 190 191 const auto LLCV = LeftVal.getAs<nonloc::LazyCompoundVal>(); 192 if (!LLCV) 193 return false; 194 195 const auto RLCV = RightVal.getAs<nonloc::LazyCompoundVal>(); 196 if (!RLCV) 197 return false; 198 199 return LLCV->getRegion() == RLCV->getRegion() && 200 LLCV->getStore() == LeftNode->getState()->getStore() && 201 RLCV->getStore() == RightNode->getState()->getStore(); 202 } 203 204 static Optional<SVal> getSValForVar(const Expr *CondVarExpr, 205 const ExplodedNode *N) { 206 ProgramStateRef State = N->getState(); 207 const LocationContext *LCtx = N->getLocationContext(); 208 209 assert(CondVarExpr); 210 CondVarExpr = CondVarExpr->IgnoreImpCasts(); 211 212 // The declaration of the value may rely on a pointer so take its l-value. 213 // FIXME: As seen in VisitCommonDeclRefExpr, sometimes DeclRefExpr may 214 // evaluate to a FieldRegion when it refers to a declaration of a lambda 215 // capture variable. We most likely need to duplicate that logic here. 216 if (const auto *DRE = dyn_cast<DeclRefExpr>(CondVarExpr)) 217 if (const auto *VD = dyn_cast<VarDecl>(DRE->getDecl())) 218 return State->getSVal(State->getLValue(VD, LCtx)); 219 220 if (const auto *ME = dyn_cast<MemberExpr>(CondVarExpr)) 221 if (const auto *FD = dyn_cast<FieldDecl>(ME->getMemberDecl())) 222 if (auto FieldL = State->getSVal(ME, LCtx).getAs<Loc>()) 223 return State->getRawSVal(*FieldL, FD->getType()); 224 225 return None; 226 } 227 228 static Optional<const llvm::APSInt *> 229 getConcreteIntegerValue(const Expr *CondVarExpr, const ExplodedNode *N) { 230 231 if (Optional<SVal> V = getSValForVar(CondVarExpr, N)) 232 if (auto CI = V->getAs<nonloc::ConcreteInt>()) 233 return &CI->getValue(); 234 return None; 235 } 236 237 static bool isVarAnInterestingCondition(const Expr *CondVarExpr, 238 const ExplodedNode *N, 239 const PathSensitiveBugReport *B) { 240 // Even if this condition is marked as interesting, it isn't *that* 241 // interesting if it didn't happen in a nested stackframe, the user could just 242 // follow the arrows. 243 if (!B->getErrorNode()->getStackFrame()->isParentOf(N->getStackFrame())) 244 return false; 245 246 if (Optional<SVal> V = getSValForVar(CondVarExpr, N)) 247 if (Optional<bugreporter::TrackingKind> K = B->getInterestingnessKind(*V)) 248 return *K == bugreporter::TrackingKind::Condition; 249 250 return false; 251 } 252 253 static bool isInterestingExpr(const Expr *E, const ExplodedNode *N, 254 const PathSensitiveBugReport *B) { 255 if (Optional<SVal> V = getSValForVar(E, N)) 256 return B->getInterestingnessKind(*V).hasValue(); 257 return false; 258 } 259 260 /// \return name of the macro inside the location \p Loc. 261 static StringRef getMacroName(SourceLocation Loc, 262 BugReporterContext &BRC) { 263 return Lexer::getImmediateMacroName( 264 Loc, 265 BRC.getSourceManager(), 266 BRC.getASTContext().getLangOpts()); 267 } 268 269 /// \return Whether given spelling location corresponds to an expansion 270 /// of a function-like macro. 271 static bool isFunctionMacroExpansion(SourceLocation Loc, 272 const SourceManager &SM) { 273 if (!Loc.isMacroID()) 274 return false; 275 while (SM.isMacroArgExpansion(Loc)) 276 Loc = SM.getImmediateExpansionRange(Loc).getBegin(); 277 std::pair<FileID, unsigned> TLInfo = SM.getDecomposedLoc(Loc); 278 SrcMgr::SLocEntry SE = SM.getSLocEntry(TLInfo.first); 279 const SrcMgr::ExpansionInfo &EInfo = SE.getExpansion(); 280 return EInfo.isFunctionMacroExpansion(); 281 } 282 283 /// \return Whether \c RegionOfInterest was modified at \p N, 284 /// where \p ValueAfter is \c RegionOfInterest's value at the end of the 285 /// stack frame. 286 static bool wasRegionOfInterestModifiedAt(const SubRegion *RegionOfInterest, 287 const ExplodedNode *N, 288 SVal ValueAfter) { 289 ProgramStateRef State = N->getState(); 290 ProgramStateManager &Mgr = N->getState()->getStateManager(); 291 292 if (!N->getLocationAs<PostStore>() && !N->getLocationAs<PostInitializer>() && 293 !N->getLocationAs<PostStmt>()) 294 return false; 295 296 // Writing into region of interest. 297 if (auto PS = N->getLocationAs<PostStmt>()) 298 if (auto *BO = PS->getStmtAs<BinaryOperator>()) 299 if (BO->isAssignmentOp() && RegionOfInterest->isSubRegionOf( 300 N->getSVal(BO->getLHS()).getAsRegion())) 301 return true; 302 303 // SVal after the state is possibly different. 304 SVal ValueAtN = N->getState()->getSVal(RegionOfInterest); 305 if (!Mgr.getSValBuilder() 306 .areEqual(State, ValueAtN, ValueAfter) 307 .isConstrainedTrue() && 308 (!ValueAtN.isUndef() || !ValueAfter.isUndef())) 309 return true; 310 311 return false; 312 } 313 314 //===----------------------------------------------------------------------===// 315 // Implementation of BugReporterVisitor. 316 //===----------------------------------------------------------------------===// 317 318 PathDiagnosticPieceRef BugReporterVisitor::getEndPath(BugReporterContext &, 319 const ExplodedNode *, 320 PathSensitiveBugReport &) { 321 return nullptr; 322 } 323 324 void BugReporterVisitor::finalizeVisitor(BugReporterContext &, 325 const ExplodedNode *, 326 PathSensitiveBugReport &) {} 327 328 PathDiagnosticPieceRef 329 BugReporterVisitor::getDefaultEndPath(const BugReporterContext &BRC, 330 const ExplodedNode *EndPathNode, 331 const PathSensitiveBugReport &BR) { 332 PathDiagnosticLocation L = BR.getLocation(); 333 const auto &Ranges = BR.getRanges(); 334 335 // Only add the statement itself as a range if we didn't specify any 336 // special ranges for this report. 337 auto P = std::make_shared<PathDiagnosticEventPiece>( 338 L, BR.getDescription(), Ranges.begin() == Ranges.end()); 339 for (SourceRange Range : Ranges) 340 P->addRange(Range); 341 342 return P; 343 } 344 345 //===----------------------------------------------------------------------===// 346 // Implementation of NoStoreFuncVisitor. 347 //===----------------------------------------------------------------------===// 348 349 namespace { 350 351 /// Put a diagnostic on return statement of all inlined functions 352 /// for which the region of interest \p RegionOfInterest was passed into, 353 /// but not written inside, and it has caused an undefined read or a null 354 /// pointer dereference outside. 355 class NoStoreFuncVisitor final : public BugReporterVisitor { 356 const SubRegion *RegionOfInterest; 357 MemRegionManager &MmrMgr; 358 const SourceManager &SM; 359 const PrintingPolicy &PP; 360 bugreporter::TrackingKind TKind; 361 362 /// Recursion limit for dereferencing fields when looking for the 363 /// region of interest. 364 /// The limit of two indicates that we will dereference fields only once. 365 static const unsigned DEREFERENCE_LIMIT = 2; 366 367 /// Frames writing into \c RegionOfInterest. 368 /// This visitor generates a note only if a function does not write into 369 /// a region of interest. This information is not immediately available 370 /// by looking at the node associated with the exit from the function 371 /// (usually the return statement). To avoid recomputing the same information 372 /// many times (going up the path for each node and checking whether the 373 /// region was written into) we instead lazily compute the 374 /// stack frames along the path which write into the region of interest. 375 llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingRegion; 376 llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated; 377 378 using RegionVector = SmallVector<const MemRegion *, 5>; 379 380 public: 381 NoStoreFuncVisitor(const SubRegion *R, bugreporter::TrackingKind TKind) 382 : RegionOfInterest(R), MmrMgr(R->getMemRegionManager()), 383 SM(MmrMgr.getContext().getSourceManager()), 384 PP(MmrMgr.getContext().getPrintingPolicy()), TKind(TKind) {} 385 386 void Profile(llvm::FoldingSetNodeID &ID) const override { 387 static int Tag = 0; 388 ID.AddPointer(&Tag); 389 ID.AddPointer(RegionOfInterest); 390 } 391 392 void *getTag() const { 393 static int Tag = 0; 394 return static_cast<void *>(&Tag); 395 } 396 397 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 398 BugReporterContext &BR, 399 PathSensitiveBugReport &R) override; 400 401 private: 402 /// Attempts to find the region of interest in a given record decl, 403 /// by either following the base classes or fields. 404 /// Dereferences fields up to a given recursion limit. 405 /// Note that \p Vec is passed by value, leading to quadratic copying cost, 406 /// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT. 407 /// \return A chain fields leading to the region of interest or None. 408 const Optional<RegionVector> 409 findRegionOfInterestInRecord(const RecordDecl *RD, ProgramStateRef State, 410 const MemRegion *R, const RegionVector &Vec = {}, 411 int depth = 0); 412 413 /// Check and lazily calculate whether the region of interest is 414 /// modified in the stack frame to which \p N belongs. 415 /// The calculation is cached in FramesModifyingRegion. 416 bool isRegionOfInterestModifiedInFrame(const ExplodedNode *N) { 417 const LocationContext *Ctx = N->getLocationContext(); 418 const StackFrameContext *SCtx = Ctx->getStackFrame(); 419 if (!FramesModifyingCalculated.count(SCtx)) 420 findModifyingFrames(N); 421 return FramesModifyingRegion.count(SCtx); 422 } 423 424 /// Write to \c FramesModifyingRegion all stack frames along 425 /// the path in the current stack frame which modify \c RegionOfInterest. 426 void findModifyingFrames(const ExplodedNode *N); 427 428 /// Consume the information on the no-store stack frame in order to 429 /// either emit a note or suppress the report enirely. 430 /// \return Diagnostics piece for region not modified in the current function, 431 /// if it decides to emit one. 432 PathDiagnosticPieceRef 433 maybeEmitNote(PathSensitiveBugReport &R, const CallEvent &Call, 434 const ExplodedNode *N, const RegionVector &FieldChain, 435 const MemRegion *MatchedRegion, StringRef FirstElement, 436 bool FirstIsReferenceType, unsigned IndirectionLevel); 437 438 /// Pretty-print region \p MatchedRegion to \p os. 439 /// \return Whether printing succeeded. 440 bool prettyPrintRegionName(StringRef FirstElement, bool FirstIsReferenceType, 441 const MemRegion *MatchedRegion, 442 const RegionVector &FieldChain, 443 int IndirectionLevel, 444 llvm::raw_svector_ostream &os); 445 446 /// Print first item in the chain, return new separator. 447 static StringRef prettyPrintFirstElement(StringRef FirstElement, 448 bool MoreItemsExpected, 449 int IndirectionLevel, 450 llvm::raw_svector_ostream &os); 451 }; 452 453 } // end of anonymous namespace 454 455 /// \return Whether the method declaration \p Parent 456 /// syntactically has a binary operation writing into the ivar \p Ivar. 457 static bool potentiallyWritesIntoIvar(const Decl *Parent, 458 const ObjCIvarDecl *Ivar) { 459 using namespace ast_matchers; 460 const char *IvarBind = "Ivar"; 461 if (!Parent || !Parent->hasBody()) 462 return false; 463 StatementMatcher WriteIntoIvarM = binaryOperator( 464 hasOperatorName("="), 465 hasLHS(ignoringParenImpCasts( 466 objcIvarRefExpr(hasDeclaration(equalsNode(Ivar))).bind(IvarBind)))); 467 StatementMatcher ParentM = stmt(hasDescendant(WriteIntoIvarM)); 468 auto Matches = match(ParentM, *Parent->getBody(), Parent->getASTContext()); 469 for (BoundNodes &Match : Matches) { 470 auto IvarRef = Match.getNodeAs<ObjCIvarRefExpr>(IvarBind); 471 if (IvarRef->isFreeIvar()) 472 return true; 473 474 const Expr *Base = IvarRef->getBase(); 475 if (const auto *ICE = dyn_cast<ImplicitCastExpr>(Base)) 476 Base = ICE->getSubExpr(); 477 478 if (const auto *DRE = dyn_cast<DeclRefExpr>(Base)) 479 if (const auto *ID = dyn_cast<ImplicitParamDecl>(DRE->getDecl())) 480 if (ID->getParameterKind() == ImplicitParamDecl::ObjCSelf) 481 return true; 482 483 return false; 484 } 485 return false; 486 } 487 488 /// Get parameters associated with runtime definition in order 489 /// to get the correct parameter name. 490 static ArrayRef<ParmVarDecl *> getCallParameters(CallEventRef<> Call) { 491 // Use runtime definition, if available. 492 RuntimeDefinition RD = Call->getRuntimeDefinition(); 493 if (const auto *FD = dyn_cast_or_null<FunctionDecl>(RD.getDecl())) 494 return FD->parameters(); 495 if (const auto *MD = dyn_cast_or_null<ObjCMethodDecl>(RD.getDecl())) 496 return MD->parameters(); 497 498 return Call->parameters(); 499 } 500 501 /// \return whether \p Ty points to a const type, or is a const reference. 502 static bool isPointerToConst(QualType Ty) { 503 return !Ty->getPointeeType().isNull() && 504 Ty->getPointeeType().getCanonicalType().isConstQualified(); 505 } 506 507 /// Attempts to find the region of interest in a given CXX decl, 508 /// by either following the base classes or fields. 509 /// Dereferences fields up to a given recursion limit. 510 /// Note that \p Vec is passed by value, leading to quadratic copying cost, 511 /// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT. 512 /// \return A chain fields leading to the region of interest or None. 513 const Optional<NoStoreFuncVisitor::RegionVector> 514 NoStoreFuncVisitor::findRegionOfInterestInRecord( 515 const RecordDecl *RD, ProgramStateRef State, const MemRegion *R, 516 const NoStoreFuncVisitor::RegionVector &Vec /* = {} */, 517 int depth /* = 0 */) { 518 519 if (depth == DEREFERENCE_LIMIT) // Limit the recursion depth. 520 return None; 521 522 if (const auto *RDX = dyn_cast<CXXRecordDecl>(RD)) 523 if (!RDX->hasDefinition()) 524 return None; 525 526 // Recursively examine the base classes. 527 // Note that following base classes does not increase the recursion depth. 528 if (const auto *RDX = dyn_cast<CXXRecordDecl>(RD)) 529 for (const auto &II : RDX->bases()) 530 if (const RecordDecl *RRD = II.getType()->getAsRecordDecl()) 531 if (Optional<RegionVector> Out = 532 findRegionOfInterestInRecord(RRD, State, R, Vec, depth)) 533 return Out; 534 535 for (const FieldDecl *I : RD->fields()) { 536 QualType FT = I->getType(); 537 const FieldRegion *FR = MmrMgr.getFieldRegion(I, cast<SubRegion>(R)); 538 const SVal V = State->getSVal(FR); 539 const MemRegion *VR = V.getAsRegion(); 540 541 RegionVector VecF = Vec; 542 VecF.push_back(FR); 543 544 if (RegionOfInterest == VR) 545 return VecF; 546 547 if (const RecordDecl *RRD = FT->getAsRecordDecl()) 548 if (auto Out = 549 findRegionOfInterestInRecord(RRD, State, FR, VecF, depth + 1)) 550 return Out; 551 552 QualType PT = FT->getPointeeType(); 553 if (PT.isNull() || PT->isVoidType() || !VR) 554 continue; 555 556 if (const RecordDecl *RRD = PT->getAsRecordDecl()) 557 if (Optional<RegionVector> Out = 558 findRegionOfInterestInRecord(RRD, State, VR, VecF, depth + 1)) 559 return Out; 560 } 561 562 return None; 563 } 564 565 PathDiagnosticPieceRef 566 NoStoreFuncVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BR, 567 PathSensitiveBugReport &R) { 568 569 const LocationContext *Ctx = N->getLocationContext(); 570 const StackFrameContext *SCtx = Ctx->getStackFrame(); 571 ProgramStateRef State = N->getState(); 572 auto CallExitLoc = N->getLocationAs<CallExitBegin>(); 573 574 // No diagnostic if region was modified inside the frame. 575 if (!CallExitLoc || isRegionOfInterestModifiedInFrame(N)) 576 return nullptr; 577 578 CallEventRef<> Call = 579 BR.getStateManager().getCallEventManager().getCaller(SCtx, State); 580 581 // Region of interest corresponds to an IVar, exiting a method 582 // which could have written into that IVar, but did not. 583 if (const auto *MC = dyn_cast<ObjCMethodCall>(Call)) { 584 if (const auto *IvarR = dyn_cast<ObjCIvarRegion>(RegionOfInterest)) { 585 const MemRegion *SelfRegion = MC->getReceiverSVal().getAsRegion(); 586 if (RegionOfInterest->isSubRegionOf(SelfRegion) && 587 potentiallyWritesIntoIvar(Call->getRuntimeDefinition().getDecl(), 588 IvarR->getDecl())) 589 return maybeEmitNote(R, *Call, N, {}, SelfRegion, "self", 590 /*FirstIsReferenceType=*/false, 1); 591 } 592 } 593 594 if (const auto *CCall = dyn_cast<CXXConstructorCall>(Call)) { 595 const MemRegion *ThisR = CCall->getCXXThisVal().getAsRegion(); 596 if (RegionOfInterest->isSubRegionOf(ThisR) && 597 !CCall->getDecl()->isImplicit()) 598 return maybeEmitNote(R, *Call, N, {}, ThisR, "this", 599 /*FirstIsReferenceType=*/false, 1); 600 601 // Do not generate diagnostics for not modified parameters in 602 // constructors. 603 return nullptr; 604 } 605 606 ArrayRef<ParmVarDecl *> parameters = getCallParameters(Call); 607 for (unsigned I = 0; I < Call->getNumArgs() && I < parameters.size(); ++I) { 608 const ParmVarDecl *PVD = parameters[I]; 609 SVal V = Call->getArgSVal(I); 610 bool ParamIsReferenceType = PVD->getType()->isReferenceType(); 611 std::string ParamName = PVD->getNameAsString(); 612 613 int IndirectionLevel = 1; 614 QualType T = PVD->getType(); 615 while (const MemRegion *MR = V.getAsRegion()) { 616 if (RegionOfInterest->isSubRegionOf(MR) && !isPointerToConst(T)) 617 return maybeEmitNote(R, *Call, N, {}, MR, ParamName, 618 ParamIsReferenceType, IndirectionLevel); 619 620 QualType PT = T->getPointeeType(); 621 if (PT.isNull() || PT->isVoidType()) 622 break; 623 624 if (const RecordDecl *RD = PT->getAsRecordDecl()) 625 if (Optional<RegionVector> P = 626 findRegionOfInterestInRecord(RD, State, MR)) 627 return maybeEmitNote(R, *Call, N, *P, RegionOfInterest, ParamName, 628 ParamIsReferenceType, IndirectionLevel); 629 630 V = State->getSVal(MR, PT); 631 T = PT; 632 IndirectionLevel++; 633 } 634 } 635 636 return nullptr; 637 } 638 639 void NoStoreFuncVisitor::findModifyingFrames(const ExplodedNode *N) { 640 assert(N->getLocationAs<CallExitBegin>()); 641 ProgramStateRef LastReturnState = N->getState(); 642 SVal ValueAtReturn = LastReturnState->getSVal(RegionOfInterest); 643 const LocationContext *Ctx = N->getLocationContext(); 644 const StackFrameContext *OriginalSCtx = Ctx->getStackFrame(); 645 646 do { 647 ProgramStateRef State = N->getState(); 648 auto CallExitLoc = N->getLocationAs<CallExitBegin>(); 649 if (CallExitLoc) { 650 LastReturnState = State; 651 ValueAtReturn = LastReturnState->getSVal(RegionOfInterest); 652 } 653 654 FramesModifyingCalculated.insert(N->getLocationContext()->getStackFrame()); 655 656 if (wasRegionOfInterestModifiedAt(RegionOfInterest, N, ValueAtReturn)) { 657 const StackFrameContext *SCtx = N->getStackFrame(); 658 while (!SCtx->inTopFrame()) { 659 auto p = FramesModifyingRegion.insert(SCtx); 660 if (!p.second) 661 break; // Frame and all its parents already inserted. 662 SCtx = SCtx->getParent()->getStackFrame(); 663 } 664 } 665 666 // Stop calculation at the call to the current function. 667 if (auto CE = N->getLocationAs<CallEnter>()) 668 if (CE->getCalleeContext() == OriginalSCtx) 669 break; 670 671 N = N->getFirstPred(); 672 } while (N); 673 } 674 675 static llvm::StringLiteral WillBeUsedForACondition = 676 ", which participates in a condition later"; 677 678 PathDiagnosticPieceRef NoStoreFuncVisitor::maybeEmitNote( 679 PathSensitiveBugReport &R, const CallEvent &Call, const ExplodedNode *N, 680 const RegionVector &FieldChain, const MemRegion *MatchedRegion, 681 StringRef FirstElement, bool FirstIsReferenceType, 682 unsigned IndirectionLevel) { 683 // Optimistically suppress uninitialized value bugs that result 684 // from system headers having a chance to initialize the value 685 // but failing to do so. It's too unlikely a system header's fault. 686 // It's much more likely a situation in which the function has a failure 687 // mode that the user decided not to check. If we want to hunt such 688 // omitted checks, we should provide an explicit function-specific note 689 // describing the precondition under which the function isn't supposed to 690 // initialize its out-parameter, and additionally check that such 691 // precondition can actually be fulfilled on the current path. 692 if (Call.isInSystemHeader()) { 693 // We make an exception for system header functions that have no branches. 694 // Such functions unconditionally fail to initialize the variable. 695 // If they call other functions that have more paths within them, 696 // this suppression would still apply when we visit these inner functions. 697 // One common example of a standard function that doesn't ever initialize 698 // its out parameter is operator placement new; it's up to the follow-up 699 // constructor (if any) to initialize the memory. 700 if (!N->getStackFrame()->getCFG()->isLinear()) 701 R.markInvalid(getTag(), nullptr); 702 return nullptr; 703 } 704 705 PathDiagnosticLocation L = 706 PathDiagnosticLocation::create(N->getLocation(), SM); 707 708 // For now this shouldn't trigger, but once it does (as we add more 709 // functions to the body farm), we'll need to decide if these reports 710 // are worth suppressing as well. 711 if (!L.hasValidLocation()) 712 return nullptr; 713 714 SmallString<256> sbuf; 715 llvm::raw_svector_ostream os(sbuf); 716 os << "Returning without writing to '"; 717 718 // Do not generate the note if failed to pretty-print. 719 if (!prettyPrintRegionName(FirstElement, FirstIsReferenceType, MatchedRegion, 720 FieldChain, IndirectionLevel, os)) 721 return nullptr; 722 723 os << "'"; 724 if (TKind == bugreporter::TrackingKind::Condition) 725 os << WillBeUsedForACondition; 726 return std::make_shared<PathDiagnosticEventPiece>(L, os.str()); 727 } 728 729 bool NoStoreFuncVisitor::prettyPrintRegionName(StringRef FirstElement, 730 bool FirstIsReferenceType, 731 const MemRegion *MatchedRegion, 732 const RegionVector &FieldChain, 733 int IndirectionLevel, 734 llvm::raw_svector_ostream &os) { 735 736 if (FirstIsReferenceType) 737 IndirectionLevel--; 738 739 RegionVector RegionSequence; 740 741 // Add the regions in the reverse order, then reverse the resulting array. 742 assert(RegionOfInterest->isSubRegionOf(MatchedRegion)); 743 const MemRegion *R = RegionOfInterest; 744 while (R != MatchedRegion) { 745 RegionSequence.push_back(R); 746 R = cast<SubRegion>(R)->getSuperRegion(); 747 } 748 std::reverse(RegionSequence.begin(), RegionSequence.end()); 749 RegionSequence.append(FieldChain.begin(), FieldChain.end()); 750 751 StringRef Sep; 752 for (const MemRegion *R : RegionSequence) { 753 754 // Just keep going up to the base region. 755 // Element regions may appear due to casts. 756 if (isa<CXXBaseObjectRegion>(R) || isa<CXXTempObjectRegion>(R)) 757 continue; 758 759 if (Sep.empty()) 760 Sep = prettyPrintFirstElement(FirstElement, 761 /*MoreItemsExpected=*/true, 762 IndirectionLevel, os); 763 764 os << Sep; 765 766 // Can only reasonably pretty-print DeclRegions. 767 if (!isa<DeclRegion>(R)) 768 return false; 769 770 const auto *DR = cast<DeclRegion>(R); 771 Sep = DR->getValueType()->isAnyPointerType() ? "->" : "."; 772 DR->getDecl()->getDeclName().print(os, PP); 773 } 774 775 if (Sep.empty()) 776 prettyPrintFirstElement(FirstElement, 777 /*MoreItemsExpected=*/false, IndirectionLevel, os); 778 return true; 779 } 780 781 StringRef NoStoreFuncVisitor::prettyPrintFirstElement( 782 StringRef FirstElement, bool MoreItemsExpected, int IndirectionLevel, 783 llvm::raw_svector_ostream &os) { 784 StringRef Out = "."; 785 786 if (IndirectionLevel > 0 && MoreItemsExpected) { 787 IndirectionLevel--; 788 Out = "->"; 789 } 790 791 if (IndirectionLevel > 0 && MoreItemsExpected) 792 os << "("; 793 794 for (int i = 0; i < IndirectionLevel; i++) 795 os << "*"; 796 os << FirstElement; 797 798 if (IndirectionLevel > 0 && MoreItemsExpected) 799 os << ")"; 800 801 return Out; 802 } 803 804 //===----------------------------------------------------------------------===// 805 // Implementation of MacroNullReturnSuppressionVisitor. 806 //===----------------------------------------------------------------------===// 807 808 namespace { 809 810 /// Suppress null-pointer-dereference bugs where dereferenced null was returned 811 /// the macro. 812 class MacroNullReturnSuppressionVisitor final : public BugReporterVisitor { 813 const SubRegion *RegionOfInterest; 814 const SVal ValueAtDereference; 815 816 // Do not invalidate the reports where the value was modified 817 // after it got assigned to from the macro. 818 bool WasModified = false; 819 820 public: 821 MacroNullReturnSuppressionVisitor(const SubRegion *R, const SVal V) 822 : RegionOfInterest(R), ValueAtDereference(V) {} 823 824 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 825 BugReporterContext &BRC, 826 PathSensitiveBugReport &BR) override { 827 if (WasModified) 828 return nullptr; 829 830 auto BugPoint = BR.getErrorNode()->getLocation().getAs<StmtPoint>(); 831 if (!BugPoint) 832 return nullptr; 833 834 const SourceManager &SMgr = BRC.getSourceManager(); 835 if (auto Loc = matchAssignment(N)) { 836 if (isFunctionMacroExpansion(*Loc, SMgr)) { 837 std::string MacroName = std::string(getMacroName(*Loc, BRC)); 838 SourceLocation BugLoc = BugPoint->getStmt()->getBeginLoc(); 839 if (!BugLoc.isMacroID() || getMacroName(BugLoc, BRC) != MacroName) 840 BR.markInvalid(getTag(), MacroName.c_str()); 841 } 842 } 843 844 if (wasRegionOfInterestModifiedAt(RegionOfInterest, N, ValueAtDereference)) 845 WasModified = true; 846 847 return nullptr; 848 } 849 850 static void addMacroVisitorIfNecessary( 851 const ExplodedNode *N, const MemRegion *R, 852 bool EnableNullFPSuppression, PathSensitiveBugReport &BR, 853 const SVal V) { 854 AnalyzerOptions &Options = N->getState()->getAnalysisManager().options; 855 if (EnableNullFPSuppression && Options.ShouldSuppressNullReturnPaths && 856 V.getAs<Loc>()) 857 BR.addVisitor<MacroNullReturnSuppressionVisitor>(R->getAs<SubRegion>(), 858 V); 859 } 860 861 void* getTag() const { 862 static int Tag = 0; 863 return static_cast<void *>(&Tag); 864 } 865 866 void Profile(llvm::FoldingSetNodeID &ID) const override { 867 ID.AddPointer(getTag()); 868 } 869 870 private: 871 /// \return Source location of right hand side of an assignment 872 /// into \c RegionOfInterest, empty optional if none found. 873 Optional<SourceLocation> matchAssignment(const ExplodedNode *N) { 874 const Stmt *S = N->getStmtForDiagnostics(); 875 ProgramStateRef State = N->getState(); 876 auto *LCtx = N->getLocationContext(); 877 if (!S) 878 return None; 879 880 if (const auto *DS = dyn_cast<DeclStmt>(S)) { 881 if (const auto *VD = dyn_cast<VarDecl>(DS->getSingleDecl())) 882 if (const Expr *RHS = VD->getInit()) 883 if (RegionOfInterest->isSubRegionOf( 884 State->getLValue(VD, LCtx).getAsRegion())) 885 return RHS->getBeginLoc(); 886 } else if (const auto *BO = dyn_cast<BinaryOperator>(S)) { 887 const MemRegion *R = N->getSVal(BO->getLHS()).getAsRegion(); 888 const Expr *RHS = BO->getRHS(); 889 if (BO->isAssignmentOp() && RegionOfInterest->isSubRegionOf(R)) { 890 return RHS->getBeginLoc(); 891 } 892 } 893 return None; 894 } 895 }; 896 897 } // end of anonymous namespace 898 899 namespace { 900 901 /// Emits an extra note at the return statement of an interesting stack frame. 902 /// 903 /// The returned value is marked as an interesting value, and if it's null, 904 /// adds a visitor to track where it became null. 905 /// 906 /// This visitor is intended to be used when another visitor discovers that an 907 /// interesting value comes from an inlined function call. 908 class ReturnVisitor : public BugReporterVisitor { 909 const StackFrameContext *CalleeSFC; 910 enum { 911 Initial, 912 MaybeUnsuppress, 913 Satisfied 914 } Mode = Initial; 915 916 bool EnableNullFPSuppression; 917 bool ShouldInvalidate = true; 918 AnalyzerOptions& Options; 919 bugreporter::TrackingKind TKind; 920 921 public: 922 ReturnVisitor(const StackFrameContext *Frame, bool Suppressed, 923 AnalyzerOptions &Options, bugreporter::TrackingKind TKind) 924 : CalleeSFC(Frame), EnableNullFPSuppression(Suppressed), 925 Options(Options), TKind(TKind) {} 926 927 static void *getTag() { 928 static int Tag = 0; 929 return static_cast<void *>(&Tag); 930 } 931 932 void Profile(llvm::FoldingSetNodeID &ID) const override { 933 ID.AddPointer(ReturnVisitor::getTag()); 934 ID.AddPointer(CalleeSFC); 935 ID.AddBoolean(EnableNullFPSuppression); 936 } 937 938 /// Adds a ReturnVisitor if the given statement represents a call that was 939 /// inlined. 940 /// 941 /// This will search back through the ExplodedGraph, starting from the given 942 /// node, looking for when the given statement was processed. If it turns out 943 /// the statement is a call that was inlined, we add the visitor to the 944 /// bug report, so it can print a note later. 945 static void addVisitorIfNecessary(const ExplodedNode *Node, const Stmt *S, 946 PathSensitiveBugReport &BR, 947 bool InEnableNullFPSuppression, 948 bugreporter::TrackingKind TKind) { 949 if (!CallEvent::isCallStmt(S)) 950 return; 951 952 // First, find when we processed the statement. 953 // If we work with a 'CXXNewExpr' that is going to be purged away before 954 // its call take place. We would catch that purge in the last condition 955 // as a 'StmtPoint' so we have to bypass it. 956 const bool BypassCXXNewExprEval = isa<CXXNewExpr>(S); 957 958 // This is moving forward when we enter into another context. 959 const StackFrameContext *CurrentSFC = Node->getStackFrame(); 960 961 do { 962 // If that is satisfied we found our statement as an inlined call. 963 if (Optional<CallExitEnd> CEE = Node->getLocationAs<CallExitEnd>()) 964 if (CEE->getCalleeContext()->getCallSite() == S) 965 break; 966 967 // Try to move forward to the end of the call-chain. 968 Node = Node->getFirstPred(); 969 if (!Node) 970 break; 971 972 const StackFrameContext *PredSFC = Node->getStackFrame(); 973 974 // If that is satisfied we found our statement. 975 // FIXME: This code currently bypasses the call site for the 976 // conservatively evaluated allocator. 977 if (!BypassCXXNewExprEval) 978 if (Optional<StmtPoint> SP = Node->getLocationAs<StmtPoint>()) 979 // See if we do not enter into another context. 980 if (SP->getStmt() == S && CurrentSFC == PredSFC) 981 break; 982 983 CurrentSFC = PredSFC; 984 } while (Node->getStackFrame() == CurrentSFC); 985 986 // Next, step over any post-statement checks. 987 while (Node && Node->getLocation().getAs<PostStmt>()) 988 Node = Node->getFirstPred(); 989 if (!Node) 990 return; 991 992 // Finally, see if we inlined the call. 993 Optional<CallExitEnd> CEE = Node->getLocationAs<CallExitEnd>(); 994 if (!CEE) 995 return; 996 997 const StackFrameContext *CalleeContext = CEE->getCalleeContext(); 998 if (CalleeContext->getCallSite() != S) 999 return; 1000 1001 // Check the return value. 1002 ProgramStateRef State = Node->getState(); 1003 SVal RetVal = Node->getSVal(S); 1004 1005 // Handle cases where a reference is returned and then immediately used. 1006 if (cast<Expr>(S)->isGLValue()) 1007 if (Optional<Loc> LValue = RetVal.getAs<Loc>()) 1008 RetVal = State->getSVal(*LValue); 1009 1010 // See if the return value is NULL. If so, suppress the report. 1011 AnalyzerOptions &Options = State->getAnalysisManager().options; 1012 1013 bool EnableNullFPSuppression = false; 1014 if (InEnableNullFPSuppression && Options.ShouldSuppressNullReturnPaths) 1015 if (Optional<Loc> RetLoc = RetVal.getAs<Loc>()) 1016 EnableNullFPSuppression = State->isNull(*RetLoc).isConstrainedTrue(); 1017 1018 BR.addVisitor<ReturnVisitor>(CalleeContext, EnableNullFPSuppression, 1019 Options, TKind); 1020 } 1021 1022 PathDiagnosticPieceRef visitNodeInitial(const ExplodedNode *N, 1023 BugReporterContext &BRC, 1024 PathSensitiveBugReport &BR) { 1025 // Only print a message at the interesting return statement. 1026 if (N->getLocationContext() != CalleeSFC) 1027 return nullptr; 1028 1029 Optional<StmtPoint> SP = N->getLocationAs<StmtPoint>(); 1030 if (!SP) 1031 return nullptr; 1032 1033 const auto *Ret = dyn_cast<ReturnStmt>(SP->getStmt()); 1034 if (!Ret) 1035 return nullptr; 1036 1037 // Okay, we're at the right return statement, but do we have the return 1038 // value available? 1039 ProgramStateRef State = N->getState(); 1040 SVal V = State->getSVal(Ret, CalleeSFC); 1041 if (V.isUnknownOrUndef()) 1042 return nullptr; 1043 1044 // Don't print any more notes after this one. 1045 Mode = Satisfied; 1046 1047 const Expr *RetE = Ret->getRetValue(); 1048 assert(RetE && "Tracking a return value for a void function"); 1049 1050 // Handle cases where a reference is returned and then immediately used. 1051 Optional<Loc> LValue; 1052 if (RetE->isGLValue()) { 1053 if ((LValue = V.getAs<Loc>())) { 1054 SVal RValue = State->getRawSVal(*LValue, RetE->getType()); 1055 if (RValue.getAs<DefinedSVal>()) 1056 V = RValue; 1057 } 1058 } 1059 1060 // Ignore aggregate rvalues. 1061 if (V.getAs<nonloc::LazyCompoundVal>() || 1062 V.getAs<nonloc::CompoundVal>()) 1063 return nullptr; 1064 1065 RetE = RetE->IgnoreParenCasts(); 1066 1067 // Let's track the return value. 1068 bugreporter::trackExpressionValue( 1069 N, RetE, BR, TKind, EnableNullFPSuppression); 1070 1071 // Build an appropriate message based on the return value. 1072 SmallString<64> Msg; 1073 llvm::raw_svector_ostream Out(Msg); 1074 1075 bool WouldEventBeMeaningless = false; 1076 1077 if (State->isNull(V).isConstrainedTrue()) { 1078 if (V.getAs<Loc>()) { 1079 1080 // If we have counter-suppression enabled, make sure we keep visiting 1081 // future nodes. We want to emit a path note as well, in case 1082 // the report is resurrected as valid later on. 1083 if (EnableNullFPSuppression && 1084 Options.ShouldAvoidSuppressingNullArgumentPaths) 1085 Mode = MaybeUnsuppress; 1086 1087 if (RetE->getType()->isObjCObjectPointerType()) { 1088 Out << "Returning nil"; 1089 } else { 1090 Out << "Returning null pointer"; 1091 } 1092 } else { 1093 Out << "Returning zero"; 1094 } 1095 1096 } else { 1097 if (auto CI = V.getAs<nonloc::ConcreteInt>()) { 1098 Out << "Returning the value " << CI->getValue(); 1099 } else { 1100 // There is nothing interesting about returning a value, when it is 1101 // plain value without any constraints, and the function is guaranteed 1102 // to return that every time. We could use CFG::isLinear() here, but 1103 // constexpr branches are obvious to the compiler, not necesserily to 1104 // the programmer. 1105 if (N->getCFG().size() == 3) 1106 WouldEventBeMeaningless = true; 1107 1108 if (V.getAs<Loc>()) 1109 Out << "Returning pointer"; 1110 else 1111 Out << "Returning value"; 1112 } 1113 } 1114 1115 if (LValue) { 1116 if (const MemRegion *MR = LValue->getAsRegion()) { 1117 if (MR->canPrintPretty()) { 1118 Out << " (reference to "; 1119 MR->printPretty(Out); 1120 Out << ")"; 1121 } 1122 } 1123 } else { 1124 // FIXME: We should have a more generalized location printing mechanism. 1125 if (const auto *DR = dyn_cast<DeclRefExpr>(RetE)) 1126 if (const auto *DD = dyn_cast<DeclaratorDecl>(DR->getDecl())) 1127 Out << " (loaded from '" << *DD << "')"; 1128 } 1129 1130 PathDiagnosticLocation L(Ret, BRC.getSourceManager(), CalleeSFC); 1131 if (!L.isValid() || !L.asLocation().isValid()) 1132 return nullptr; 1133 1134 if (TKind == bugreporter::TrackingKind::Condition) 1135 Out << WillBeUsedForACondition; 1136 1137 auto EventPiece = std::make_shared<PathDiagnosticEventPiece>(L, Out.str()); 1138 1139 // If we determined that the note is meaningless, make it prunable, and 1140 // don't mark the stackframe interesting. 1141 if (WouldEventBeMeaningless) 1142 EventPiece->setPrunable(true); 1143 else 1144 BR.markInteresting(CalleeSFC); 1145 1146 return EventPiece; 1147 } 1148 1149 PathDiagnosticPieceRef visitNodeMaybeUnsuppress(const ExplodedNode *N, 1150 BugReporterContext &BRC, 1151 PathSensitiveBugReport &BR) { 1152 assert(Options.ShouldAvoidSuppressingNullArgumentPaths); 1153 1154 // Are we at the entry node for this call? 1155 Optional<CallEnter> CE = N->getLocationAs<CallEnter>(); 1156 if (!CE) 1157 return nullptr; 1158 1159 if (CE->getCalleeContext() != CalleeSFC) 1160 return nullptr; 1161 1162 Mode = Satisfied; 1163 1164 // Don't automatically suppress a report if one of the arguments is 1165 // known to be a null pointer. Instead, start tracking /that/ null 1166 // value back to its origin. 1167 ProgramStateManager &StateMgr = BRC.getStateManager(); 1168 CallEventManager &CallMgr = StateMgr.getCallEventManager(); 1169 1170 ProgramStateRef State = N->getState(); 1171 CallEventRef<> Call = CallMgr.getCaller(CalleeSFC, State); 1172 for (unsigned I = 0, E = Call->getNumArgs(); I != E; ++I) { 1173 Optional<Loc> ArgV = Call->getArgSVal(I).getAs<Loc>(); 1174 if (!ArgV) 1175 continue; 1176 1177 const Expr *ArgE = Call->getArgExpr(I); 1178 if (!ArgE) 1179 continue; 1180 1181 // Is it possible for this argument to be non-null? 1182 if (!State->isNull(*ArgV).isConstrainedTrue()) 1183 continue; 1184 1185 if (trackExpressionValue(N, ArgE, BR, TKind, EnableNullFPSuppression)) 1186 ShouldInvalidate = false; 1187 1188 // If we /can't/ track the null pointer, we should err on the side of 1189 // false negatives, and continue towards marking this report invalid. 1190 // (We will still look at the other arguments, though.) 1191 } 1192 1193 return nullptr; 1194 } 1195 1196 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 1197 BugReporterContext &BRC, 1198 PathSensitiveBugReport &BR) override { 1199 switch (Mode) { 1200 case Initial: 1201 return visitNodeInitial(N, BRC, BR); 1202 case MaybeUnsuppress: 1203 return visitNodeMaybeUnsuppress(N, BRC, BR); 1204 case Satisfied: 1205 return nullptr; 1206 } 1207 1208 llvm_unreachable("Invalid visit mode!"); 1209 } 1210 1211 void finalizeVisitor(BugReporterContext &, const ExplodedNode *, 1212 PathSensitiveBugReport &BR) override { 1213 if (EnableNullFPSuppression && ShouldInvalidate) 1214 BR.markInvalid(ReturnVisitor::getTag(), CalleeSFC); 1215 } 1216 }; 1217 1218 } // end of anonymous namespace 1219 1220 //===----------------------------------------------------------------------===// 1221 // Implementation of FindLastStoreBRVisitor. 1222 //===----------------------------------------------------------------------===// 1223 1224 void FindLastStoreBRVisitor::Profile(llvm::FoldingSetNodeID &ID) const { 1225 static int tag = 0; 1226 ID.AddPointer(&tag); 1227 ID.AddPointer(R); 1228 ID.Add(V); 1229 ID.AddInteger(static_cast<int>(TKind)); 1230 ID.AddBoolean(EnableNullFPSuppression); 1231 } 1232 1233 /// Returns true if \p N represents the DeclStmt declaring and initializing 1234 /// \p VR. 1235 static bool isInitializationOfVar(const ExplodedNode *N, const VarRegion *VR) { 1236 Optional<PostStmt> P = N->getLocationAs<PostStmt>(); 1237 if (!P) 1238 return false; 1239 1240 const DeclStmt *DS = P->getStmtAs<DeclStmt>(); 1241 if (!DS) 1242 return false; 1243 1244 if (DS->getSingleDecl() != VR->getDecl()) 1245 return false; 1246 1247 const MemSpaceRegion *VarSpace = VR->getMemorySpace(); 1248 const auto *FrameSpace = dyn_cast<StackSpaceRegion>(VarSpace); 1249 if (!FrameSpace) { 1250 // If we ever directly evaluate global DeclStmts, this assertion will be 1251 // invalid, but this still seems preferable to silently accepting an 1252 // initialization that may be for a path-sensitive variable. 1253 assert(VR->getDecl()->isStaticLocal() && "non-static stackless VarRegion"); 1254 return true; 1255 } 1256 1257 assert(VR->getDecl()->hasLocalStorage()); 1258 const LocationContext *LCtx = N->getLocationContext(); 1259 return FrameSpace->getStackFrame() == LCtx->getStackFrame(); 1260 } 1261 1262 /// Show diagnostics for initializing or declaring a region \p R with a bad value. 1263 static void showBRDiagnostics(const char *action, llvm::raw_svector_ostream &os, 1264 const MemRegion *NewR, SVal V, 1265 const MemRegion *OldR, const DeclStmt *DS) { 1266 if (NewR->canPrintPretty()) { 1267 NewR->printPretty(os); 1268 os << " "; 1269 } 1270 1271 if (V.getAs<loc::ConcreteInt>()) { 1272 bool b = false; 1273 if (NewR->isBoundable()) { 1274 if (const auto *TR = dyn_cast<TypedValueRegion>(NewR)) { 1275 if (TR->getValueType()->isObjCObjectPointerType()) { 1276 os << action << "nil"; 1277 b = true; 1278 } 1279 } 1280 } 1281 if (!b) 1282 os << action << "a null pointer value"; 1283 1284 } else if (auto CVal = V.getAs<nonloc::ConcreteInt>()) { 1285 os << action << CVal->getValue(); 1286 } else if (OldR && OldR->canPrintPretty()) { 1287 os << action << "the value of "; 1288 OldR->printPretty(os); 1289 } else if (DS) { 1290 if (V.isUndef()) { 1291 if (isa<VarRegion>(NewR)) { 1292 const auto *VD = cast<VarDecl>(DS->getSingleDecl()); 1293 if (VD->getInit()) { 1294 os << (NewR->canPrintPretty() ? "initialized" : "Initializing") 1295 << " to a garbage value"; 1296 } else { 1297 os << (NewR->canPrintPretty() ? "declared" : "Declaring") 1298 << " without an initial value"; 1299 } 1300 } 1301 } else { 1302 os << (NewR->canPrintPretty() ? "initialized" : "Initialized") << " here"; 1303 } 1304 } 1305 } 1306 1307 /// Display diagnostics for passing bad region as a parameter. 1308 static void showBRParamDiagnostics(llvm::raw_svector_ostream &os, 1309 const VarRegion *VR, SVal V, 1310 const MemRegion *ValueR) { 1311 const auto *Param = cast<ParmVarDecl>(VR->getDecl()); 1312 1313 os << "Passing "; 1314 1315 if (V.getAs<loc::ConcreteInt>()) { 1316 if (Param->getType()->isObjCObjectPointerType()) 1317 os << "nil object reference"; 1318 else 1319 os << "null pointer value"; 1320 } else if (V.isUndef()) { 1321 os << "uninitialized value"; 1322 } else if (auto CI = V.getAs<nonloc::ConcreteInt>()) { 1323 os << "the value " << CI->getValue(); 1324 } else if (ValueR && ValueR->canPrintPretty()) { 1325 ValueR->printPretty(os); 1326 } else { 1327 os << "value"; 1328 } 1329 1330 // Printed parameter indexes are 1-based, not 0-based. 1331 unsigned Idx = Param->getFunctionScopeIndex() + 1; 1332 os << " via " << Idx << llvm::getOrdinalSuffix(Idx) << " parameter"; 1333 if (VR->canPrintPretty()) { 1334 os << " "; 1335 VR->printPretty(os); 1336 } 1337 } 1338 1339 /// Show default diagnostics for storing bad region. 1340 static void showBRDefaultDiagnostics(llvm::raw_svector_ostream &os, 1341 const MemRegion *NewR, SVal V, 1342 const MemRegion *OldR) { 1343 if (V.getAs<loc::ConcreteInt>()) { 1344 bool b = false; 1345 if (NewR->isBoundable()) { 1346 if (const auto *TR = dyn_cast<TypedValueRegion>(NewR)) { 1347 if (TR->getValueType()->isObjCObjectPointerType()) { 1348 os << "nil object reference stored"; 1349 b = true; 1350 } 1351 } 1352 } 1353 if (!b) { 1354 if (NewR->canPrintPretty()) 1355 os << "Null pointer value stored"; 1356 else 1357 os << "Storing null pointer value"; 1358 } 1359 1360 } else if (V.isUndef()) { 1361 if (NewR->canPrintPretty()) 1362 os << "Uninitialized value stored"; 1363 else 1364 os << "Storing uninitialized value"; 1365 1366 } else if (auto CV = V.getAs<nonloc::ConcreteInt>()) { 1367 if (NewR->canPrintPretty()) 1368 os << "The value " << CV->getValue() << " is assigned"; 1369 else 1370 os << "Assigning " << CV->getValue(); 1371 1372 } else if (OldR && OldR->canPrintPretty()) { 1373 if (NewR->canPrintPretty()) { 1374 os << "The value of "; 1375 OldR->printPretty(os); 1376 os << " is assigned"; 1377 } else { 1378 os << "Assigning the value of "; 1379 OldR->printPretty(os); 1380 } 1381 1382 } else { 1383 if (NewR->canPrintPretty()) 1384 os << "Value assigned"; 1385 else 1386 os << "Assigning value"; 1387 } 1388 1389 if (NewR->canPrintPretty()) { 1390 os << " to "; 1391 NewR->printPretty(os); 1392 } 1393 } 1394 1395 PathDiagnosticPieceRef 1396 FindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ, 1397 BugReporterContext &BRC, 1398 PathSensitiveBugReport &BR) { 1399 if (Satisfied) 1400 return nullptr; 1401 1402 const ExplodedNode *StoreSite = nullptr; 1403 const ExplodedNode *Pred = Succ->getFirstPred(); 1404 const Expr *InitE = nullptr; 1405 bool IsParam = false; 1406 1407 // First see if we reached the declaration of the region. 1408 if (const auto *VR = dyn_cast<VarRegion>(R)) { 1409 if (isInitializationOfVar(Pred, VR)) { 1410 StoreSite = Pred; 1411 InitE = VR->getDecl()->getInit(); 1412 } 1413 } 1414 1415 // If this is a post initializer expression, initializing the region, we 1416 // should track the initializer expression. 1417 if (Optional<PostInitializer> PIP = Pred->getLocationAs<PostInitializer>()) { 1418 const MemRegion *FieldReg = (const MemRegion *)PIP->getLocationValue(); 1419 if (FieldReg == R) { 1420 StoreSite = Pred; 1421 InitE = PIP->getInitializer()->getInit(); 1422 } 1423 } 1424 1425 // Otherwise, see if this is the store site: 1426 // (1) Succ has this binding and Pred does not, i.e. this is 1427 // where the binding first occurred. 1428 // (2) Succ has this binding and is a PostStore node for this region, i.e. 1429 // the same binding was re-assigned here. 1430 if (!StoreSite) { 1431 if (Succ->getState()->getSVal(R) != V) 1432 return nullptr; 1433 1434 if (hasVisibleUpdate(Pred, Pred->getState()->getSVal(R), Succ, V)) { 1435 Optional<PostStore> PS = Succ->getLocationAs<PostStore>(); 1436 if (!PS || PS->getLocationValue() != R) 1437 return nullptr; 1438 } 1439 1440 StoreSite = Succ; 1441 1442 // If this is an assignment expression, we can track the value 1443 // being assigned. 1444 if (Optional<PostStmt> P = Succ->getLocationAs<PostStmt>()) 1445 if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>()) 1446 if (BO->isAssignmentOp()) 1447 InitE = BO->getRHS(); 1448 1449 // If this is a call entry, the variable should be a parameter. 1450 // FIXME: Handle CXXThisRegion as well. (This is not a priority because 1451 // 'this' should never be NULL, but this visitor isn't just for NULL and 1452 // UndefinedVal.) 1453 if (Optional<CallEnter> CE = Succ->getLocationAs<CallEnter>()) { 1454 if (const auto *VR = dyn_cast<VarRegion>(R)) { 1455 1456 if (const auto *Param = dyn_cast<ParmVarDecl>(VR->getDecl())) { 1457 ProgramStateManager &StateMgr = BRC.getStateManager(); 1458 CallEventManager &CallMgr = StateMgr.getCallEventManager(); 1459 1460 CallEventRef<> Call = CallMgr.getCaller(CE->getCalleeContext(), 1461 Succ->getState()); 1462 InitE = Call->getArgExpr(Param->getFunctionScopeIndex()); 1463 } else { 1464 // Handle Objective-C 'self'. 1465 assert(isa<ImplicitParamDecl>(VR->getDecl())); 1466 InitE = cast<ObjCMessageExpr>(CE->getCalleeContext()->getCallSite()) 1467 ->getInstanceReceiver()->IgnoreParenCasts(); 1468 } 1469 IsParam = true; 1470 } 1471 } 1472 1473 // If this is a CXXTempObjectRegion, the Expr responsible for its creation 1474 // is wrapped inside of it. 1475 if (const auto *TmpR = dyn_cast<CXXTempObjectRegion>(R)) 1476 InitE = TmpR->getExpr(); 1477 } 1478 1479 if (!StoreSite) 1480 return nullptr; 1481 1482 Satisfied = true; 1483 1484 // If we have an expression that provided the value, try to track where it 1485 // came from. 1486 if (InitE) { 1487 if (!IsParam) 1488 InitE = InitE->IgnoreParenCasts(); 1489 1490 bugreporter::trackExpressionValue(StoreSite, InitE, BR, TKind, 1491 EnableNullFPSuppression); 1492 } 1493 1494 // Let's try to find the region where the value came from. 1495 const MemRegion *OldRegion = nullptr; 1496 1497 // If we have init expression, it might be simply a reference 1498 // to a variable, so we can use it. 1499 if (InitE) { 1500 // That region might still be not exactly what we are looking for. 1501 // In situations like `int &ref = val;`, we can't say that 1502 // `ref` is initialized with `val`, rather refers to `val`. 1503 // 1504 // In order, to mitigate situations like this, we check if the last 1505 // stored value in that region is the value that we track. 1506 // 1507 // TODO: support other situations better. 1508 if (const MemRegion *Candidate = 1509 getLocationRegionIfReference(InitE, Succ, false)) { 1510 const StoreManager &SM = BRC.getStateManager().getStoreManager(); 1511 1512 // Here we traverse the graph up to find the last node where the 1513 // candidate region is still in the store. 1514 for (const ExplodedNode *N = StoreSite; N; N = N->getFirstPred()) { 1515 if (SM.includedInBindings(N->getState()->getStore(), Candidate)) { 1516 // And if it was bound to the target value, we can use it. 1517 if (N->getState()->getSVal(Candidate) == V) { 1518 OldRegion = Candidate; 1519 } 1520 break; 1521 } 1522 } 1523 } 1524 } 1525 1526 // Otherwise, if the current region does indeed contain the value 1527 // we are looking for, we can look for a region where this value 1528 // was before. 1529 // 1530 // It can be useful for situations like: 1531 // new = identity(old) 1532 // where the analyzer knows that 'identity' returns the value of its 1533 // first argument. 1534 // 1535 // NOTE: If the region R is not a simple var region, it can contain 1536 // V in one of its subregions. 1537 if (!OldRegion && StoreSite->getState()->getSVal(R) == V) { 1538 // Let's go up the graph to find the node where the region is 1539 // bound to V. 1540 const ExplodedNode *NodeWithoutBinding = StoreSite->getFirstPred(); 1541 for (; 1542 NodeWithoutBinding && NodeWithoutBinding->getState()->getSVal(R) == V; 1543 NodeWithoutBinding = NodeWithoutBinding->getFirstPred()) { 1544 } 1545 1546 if (NodeWithoutBinding) { 1547 // Let's try to find a unique binding for the value in that node. 1548 // We want to use this to find unique bindings because of the following 1549 // situations: 1550 // b = a; 1551 // c = identity(b); 1552 // 1553 // Telling the user that the value of 'a' is assigned to 'c', while 1554 // correct, can be confusing. 1555 StoreManager::FindUniqueBinding FB(V.getAsLocSymbol()); 1556 BRC.getStateManager().iterBindings(NodeWithoutBinding->getState(), FB); 1557 if (FB) 1558 OldRegion = FB.getRegion(); 1559 } 1560 } 1561 1562 if (TKind == TrackingKind::Condition && 1563 !OriginSFC->isParentOf(StoreSite->getStackFrame())) 1564 return nullptr; 1565 1566 // Okay, we've found the binding. Emit an appropriate message. 1567 SmallString<256> sbuf; 1568 llvm::raw_svector_ostream os(sbuf); 1569 1570 if (Optional<PostStmt> PS = StoreSite->getLocationAs<PostStmt>()) { 1571 const Stmt *S = PS->getStmt(); 1572 const char *action = nullptr; 1573 const auto *DS = dyn_cast<DeclStmt>(S); 1574 const auto *VR = dyn_cast<VarRegion>(R); 1575 1576 if (DS) { 1577 action = R->canPrintPretty() ? "initialized to " : 1578 "Initializing to "; 1579 } else if (isa<BlockExpr>(S)) { 1580 action = R->canPrintPretty() ? "captured by block as " : 1581 "Captured by block as "; 1582 if (VR) { 1583 // See if we can get the BlockVarRegion. 1584 ProgramStateRef State = StoreSite->getState(); 1585 SVal V = StoreSite->getSVal(S); 1586 if (const auto *BDR = 1587 dyn_cast_or_null<BlockDataRegion>(V.getAsRegion())) { 1588 if (const VarRegion *OriginalR = BDR->getOriginalRegion(VR)) { 1589 if (auto KV = State->getSVal(OriginalR).getAs<KnownSVal>()) 1590 BR.addVisitor<FindLastStoreBRVisitor>( 1591 *KV, OriginalR, EnableNullFPSuppression, TKind, OriginSFC); 1592 } 1593 } 1594 } 1595 } 1596 if (action) 1597 showBRDiagnostics(action, os, R, V, OldRegion, DS); 1598 1599 } else if (StoreSite->getLocation().getAs<CallEnter>()) { 1600 if (const auto *VR = dyn_cast<VarRegion>(R)) 1601 showBRParamDiagnostics(os, VR, V, OldRegion); 1602 } 1603 1604 if (os.str().empty()) 1605 showBRDefaultDiagnostics(os, R, V, OldRegion); 1606 1607 if (TKind == bugreporter::TrackingKind::Condition) 1608 os << WillBeUsedForACondition; 1609 1610 // Construct a new PathDiagnosticPiece. 1611 ProgramPoint P = StoreSite->getLocation(); 1612 PathDiagnosticLocation L; 1613 if (P.getAs<CallEnter>() && InitE) 1614 L = PathDiagnosticLocation(InitE, BRC.getSourceManager(), 1615 P.getLocationContext()); 1616 1617 if (!L.isValid() || !L.asLocation().isValid()) 1618 L = PathDiagnosticLocation::create(P, BRC.getSourceManager()); 1619 1620 if (!L.isValid() || !L.asLocation().isValid()) 1621 return nullptr; 1622 1623 return std::make_shared<PathDiagnosticEventPiece>(L, os.str()); 1624 } 1625 1626 //===----------------------------------------------------------------------===// 1627 // Implementation of TrackConstraintBRVisitor. 1628 //===----------------------------------------------------------------------===// 1629 1630 void TrackConstraintBRVisitor::Profile(llvm::FoldingSetNodeID &ID) const { 1631 static int tag = 0; 1632 ID.AddPointer(&tag); 1633 ID.AddBoolean(Assumption); 1634 ID.Add(Constraint); 1635 } 1636 1637 /// Return the tag associated with this visitor. This tag will be used 1638 /// to make all PathDiagnosticPieces created by this visitor. 1639 const char *TrackConstraintBRVisitor::getTag() { 1640 return "TrackConstraintBRVisitor"; 1641 } 1642 1643 bool TrackConstraintBRVisitor::isUnderconstrained(const ExplodedNode *N) const { 1644 if (IsZeroCheck) 1645 return N->getState()->isNull(Constraint).isUnderconstrained(); 1646 return (bool)N->getState()->assume(Constraint, !Assumption); 1647 } 1648 1649 PathDiagnosticPieceRef TrackConstraintBRVisitor::VisitNode( 1650 const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &) { 1651 const ExplodedNode *PrevN = N->getFirstPred(); 1652 if (IsSatisfied) 1653 return nullptr; 1654 1655 // Start tracking after we see the first state in which the value is 1656 // constrained. 1657 if (!IsTrackingTurnedOn) 1658 if (!isUnderconstrained(N)) 1659 IsTrackingTurnedOn = true; 1660 if (!IsTrackingTurnedOn) 1661 return nullptr; 1662 1663 // Check if in the previous state it was feasible for this constraint 1664 // to *not* be true. 1665 if (isUnderconstrained(PrevN)) { 1666 IsSatisfied = true; 1667 1668 // As a sanity check, make sure that the negation of the constraint 1669 // was infeasible in the current state. If it is feasible, we somehow 1670 // missed the transition point. 1671 assert(!isUnderconstrained(N)); 1672 1673 // We found the transition point for the constraint. We now need to 1674 // pretty-print the constraint. (work-in-progress) 1675 SmallString<64> sbuf; 1676 llvm::raw_svector_ostream os(sbuf); 1677 1678 if (Constraint.getAs<Loc>()) { 1679 os << "Assuming pointer value is "; 1680 os << (Assumption ? "non-null" : "null"); 1681 } 1682 1683 if (os.str().empty()) 1684 return nullptr; 1685 1686 // Construct a new PathDiagnosticPiece. 1687 ProgramPoint P = N->getLocation(); 1688 PathDiagnosticLocation L = 1689 PathDiagnosticLocation::create(P, BRC.getSourceManager()); 1690 if (!L.isValid()) 1691 return nullptr; 1692 1693 auto X = std::make_shared<PathDiagnosticEventPiece>(L, os.str()); 1694 X->setTag(getTag()); 1695 return std::move(X); 1696 } 1697 1698 return nullptr; 1699 } 1700 1701 //===----------------------------------------------------------------------===// 1702 // Implementation of SuppressInlineDefensiveChecksVisitor. 1703 //===----------------------------------------------------------------------===// 1704 1705 SuppressInlineDefensiveChecksVisitor:: 1706 SuppressInlineDefensiveChecksVisitor(DefinedSVal Value, const ExplodedNode *N) 1707 : V(Value) { 1708 // Check if the visitor is disabled. 1709 AnalyzerOptions &Options = N->getState()->getAnalysisManager().options; 1710 if (!Options.ShouldSuppressInlinedDefensiveChecks) 1711 IsSatisfied = true; 1712 } 1713 1714 void SuppressInlineDefensiveChecksVisitor::Profile( 1715 llvm::FoldingSetNodeID &ID) const { 1716 static int id = 0; 1717 ID.AddPointer(&id); 1718 ID.Add(V); 1719 } 1720 1721 const char *SuppressInlineDefensiveChecksVisitor::getTag() { 1722 return "IDCVisitor"; 1723 } 1724 1725 PathDiagnosticPieceRef 1726 SuppressInlineDefensiveChecksVisitor::VisitNode(const ExplodedNode *Succ, 1727 BugReporterContext &BRC, 1728 PathSensitiveBugReport &BR) { 1729 const ExplodedNode *Pred = Succ->getFirstPred(); 1730 if (IsSatisfied) 1731 return nullptr; 1732 1733 // Start tracking after we see the first state in which the value is null. 1734 if (!IsTrackingTurnedOn) 1735 if (Succ->getState()->isNull(V).isConstrainedTrue()) 1736 IsTrackingTurnedOn = true; 1737 if (!IsTrackingTurnedOn) 1738 return nullptr; 1739 1740 // Check if in the previous state it was feasible for this value 1741 // to *not* be null. 1742 if (!Pred->getState()->isNull(V).isConstrainedTrue() && 1743 Succ->getState()->isNull(V).isConstrainedTrue()) { 1744 IsSatisfied = true; 1745 1746 // Check if this is inlined defensive checks. 1747 const LocationContext *CurLC = Succ->getLocationContext(); 1748 const LocationContext *ReportLC = BR.getErrorNode()->getLocationContext(); 1749 if (CurLC != ReportLC && !CurLC->isParentOf(ReportLC)) { 1750 BR.markInvalid("Suppress IDC", CurLC); 1751 return nullptr; 1752 } 1753 1754 // Treat defensive checks in function-like macros as if they were an inlined 1755 // defensive check. If the bug location is not in a macro and the 1756 // terminator for the current location is in a macro then suppress the 1757 // warning. 1758 auto BugPoint = BR.getErrorNode()->getLocation().getAs<StmtPoint>(); 1759 1760 if (!BugPoint) 1761 return nullptr; 1762 1763 ProgramPoint CurPoint = Succ->getLocation(); 1764 const Stmt *CurTerminatorStmt = nullptr; 1765 if (auto BE = CurPoint.getAs<BlockEdge>()) { 1766 CurTerminatorStmt = BE->getSrc()->getTerminator().getStmt(); 1767 } else if (auto SP = CurPoint.getAs<StmtPoint>()) { 1768 const Stmt *CurStmt = SP->getStmt(); 1769 if (!CurStmt->getBeginLoc().isMacroID()) 1770 return nullptr; 1771 1772 CFGStmtMap *Map = CurLC->getAnalysisDeclContext()->getCFGStmtMap(); 1773 CurTerminatorStmt = Map->getBlock(CurStmt)->getTerminatorStmt(); 1774 } else { 1775 return nullptr; 1776 } 1777 1778 if (!CurTerminatorStmt) 1779 return nullptr; 1780 1781 SourceLocation TerminatorLoc = CurTerminatorStmt->getBeginLoc(); 1782 if (TerminatorLoc.isMacroID()) { 1783 SourceLocation BugLoc = BugPoint->getStmt()->getBeginLoc(); 1784 1785 // Suppress reports unless we are in that same macro. 1786 if (!BugLoc.isMacroID() || 1787 getMacroName(BugLoc, BRC) != getMacroName(TerminatorLoc, BRC)) { 1788 BR.markInvalid("Suppress Macro IDC", CurLC); 1789 } 1790 return nullptr; 1791 } 1792 } 1793 return nullptr; 1794 } 1795 1796 //===----------------------------------------------------------------------===// 1797 // TrackControlDependencyCondBRVisitor. 1798 //===----------------------------------------------------------------------===// 1799 1800 namespace { 1801 /// Tracks the expressions that are a control dependency of the node that was 1802 /// supplied to the constructor. 1803 /// For example: 1804 /// 1805 /// cond = 1; 1806 /// if (cond) 1807 /// 10 / 0; 1808 /// 1809 /// An error is emitted at line 3. This visitor realizes that the branch 1810 /// on line 2 is a control dependency of line 3, and tracks it's condition via 1811 /// trackExpressionValue(). 1812 class TrackControlDependencyCondBRVisitor final : public BugReporterVisitor { 1813 const ExplodedNode *Origin; 1814 ControlDependencyCalculator ControlDeps; 1815 llvm::SmallSet<const CFGBlock *, 32> VisitedBlocks; 1816 1817 public: 1818 TrackControlDependencyCondBRVisitor(const ExplodedNode *O) 1819 : Origin(O), ControlDeps(&O->getCFG()) {} 1820 1821 void Profile(llvm::FoldingSetNodeID &ID) const override { 1822 static int x = 0; 1823 ID.AddPointer(&x); 1824 } 1825 1826 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 1827 BugReporterContext &BRC, 1828 PathSensitiveBugReport &BR) override; 1829 }; 1830 } // end of anonymous namespace 1831 1832 static std::shared_ptr<PathDiagnosticEventPiece> 1833 constructDebugPieceForTrackedCondition(const Expr *Cond, 1834 const ExplodedNode *N, 1835 BugReporterContext &BRC) { 1836 1837 if (BRC.getAnalyzerOptions().AnalysisDiagOpt == PD_NONE || 1838 !BRC.getAnalyzerOptions().ShouldTrackConditionsDebug) 1839 return nullptr; 1840 1841 std::string ConditionText = std::string(Lexer::getSourceText( 1842 CharSourceRange::getTokenRange(Cond->getSourceRange()), 1843 BRC.getSourceManager(), BRC.getASTContext().getLangOpts())); 1844 1845 return std::make_shared<PathDiagnosticEventPiece>( 1846 PathDiagnosticLocation::createBegin( 1847 Cond, BRC.getSourceManager(), N->getLocationContext()), 1848 (Twine() + "Tracking condition '" + ConditionText + "'").str()); 1849 } 1850 1851 static bool isAssertlikeBlock(const CFGBlock *B, ASTContext &Context) { 1852 if (B->succ_size() != 2) 1853 return false; 1854 1855 const CFGBlock *Then = B->succ_begin()->getReachableBlock(); 1856 const CFGBlock *Else = (B->succ_begin() + 1)->getReachableBlock(); 1857 1858 if (!Then || !Else) 1859 return false; 1860 1861 if (Then->isInevitablySinking() != Else->isInevitablySinking()) 1862 return true; 1863 1864 // For the following condition the following CFG would be built: 1865 // 1866 // -------------> 1867 // / \ 1868 // [B1] -> [B2] -> [B3] -> [sink] 1869 // assert(A && B || C); \ \ 1870 // -----------> [go on with the execution] 1871 // 1872 // It so happens that CFGBlock::getTerminatorCondition returns 'A' for block 1873 // B1, 'A && B' for B2, and 'A && B || C' for B3. Let's check whether we 1874 // reached the end of the condition! 1875 if (const Stmt *ElseCond = Else->getTerminatorCondition()) 1876 if (const auto *BinOp = dyn_cast<BinaryOperator>(ElseCond)) 1877 if (BinOp->isLogicalOp()) 1878 return isAssertlikeBlock(Else, Context); 1879 1880 return false; 1881 } 1882 1883 PathDiagnosticPieceRef 1884 TrackControlDependencyCondBRVisitor::VisitNode(const ExplodedNode *N, 1885 BugReporterContext &BRC, 1886 PathSensitiveBugReport &BR) { 1887 // We can only reason about control dependencies within the same stack frame. 1888 if (Origin->getStackFrame() != N->getStackFrame()) 1889 return nullptr; 1890 1891 CFGBlock *NB = const_cast<CFGBlock *>(N->getCFGBlock()); 1892 1893 // Skip if we already inspected this block. 1894 if (!VisitedBlocks.insert(NB).second) 1895 return nullptr; 1896 1897 CFGBlock *OriginB = const_cast<CFGBlock *>(Origin->getCFGBlock()); 1898 1899 // TODO: Cache CFGBlocks for each ExplodedNode. 1900 if (!OriginB || !NB) 1901 return nullptr; 1902 1903 if (isAssertlikeBlock(NB, BRC.getASTContext())) 1904 return nullptr; 1905 1906 if (ControlDeps.isControlDependent(OriginB, NB)) { 1907 // We don't really want to explain for range loops. Evidence suggests that 1908 // the only thing that leads to is the addition of calls to operator!=. 1909 if (llvm::isa_and_nonnull<CXXForRangeStmt>(NB->getTerminatorStmt())) 1910 return nullptr; 1911 1912 if (const Expr *Condition = NB->getLastCondition()) { 1913 // Keeping track of the already tracked conditions on a visitor level 1914 // isn't sufficient, because a new visitor is created for each tracked 1915 // expression, hence the BugReport level set. 1916 if (BR.addTrackedCondition(N)) { 1917 bugreporter::trackExpressionValue( 1918 N, Condition, BR, bugreporter::TrackingKind::Condition, 1919 /*EnableNullFPSuppression=*/false); 1920 return constructDebugPieceForTrackedCondition(Condition, N, BRC); 1921 } 1922 } 1923 } 1924 1925 return nullptr; 1926 } 1927 1928 //===----------------------------------------------------------------------===// 1929 // Implementation of trackExpressionValue. 1930 //===----------------------------------------------------------------------===// 1931 1932 /// \return A subexpression of @c Ex which represents the 1933 /// expression-of-interest. 1934 static const Expr *peelOffOuterExpr(const Expr *Ex, 1935 const ExplodedNode *N) { 1936 Ex = Ex->IgnoreParenCasts(); 1937 if (const auto *FE = dyn_cast<FullExpr>(Ex)) 1938 return peelOffOuterExpr(FE->getSubExpr(), N); 1939 if (const auto *OVE = dyn_cast<OpaqueValueExpr>(Ex)) 1940 return peelOffOuterExpr(OVE->getSourceExpr(), N); 1941 if (const auto *POE = dyn_cast<PseudoObjectExpr>(Ex)) { 1942 const auto *PropRef = dyn_cast<ObjCPropertyRefExpr>(POE->getSyntacticForm()); 1943 if (PropRef && PropRef->isMessagingGetter()) { 1944 const Expr *GetterMessageSend = 1945 POE->getSemanticExpr(POE->getNumSemanticExprs() - 1); 1946 assert(isa<ObjCMessageExpr>(GetterMessageSend->IgnoreParenCasts())); 1947 return peelOffOuterExpr(GetterMessageSend, N); 1948 } 1949 } 1950 1951 // Peel off the ternary operator. 1952 if (const auto *CO = dyn_cast<ConditionalOperator>(Ex)) { 1953 // Find a node where the branching occurred and find out which branch 1954 // we took (true/false) by looking at the ExplodedGraph. 1955 const ExplodedNode *NI = N; 1956 do { 1957 ProgramPoint ProgPoint = NI->getLocation(); 1958 if (Optional<BlockEdge> BE = ProgPoint.getAs<BlockEdge>()) { 1959 const CFGBlock *srcBlk = BE->getSrc(); 1960 if (const Stmt *term = srcBlk->getTerminatorStmt()) { 1961 if (term == CO) { 1962 bool TookTrueBranch = (*(srcBlk->succ_begin()) == BE->getDst()); 1963 if (TookTrueBranch) 1964 return peelOffOuterExpr(CO->getTrueExpr(), N); 1965 else 1966 return peelOffOuterExpr(CO->getFalseExpr(), N); 1967 } 1968 } 1969 } 1970 NI = NI->getFirstPred(); 1971 } while (NI); 1972 } 1973 1974 if (auto *BO = dyn_cast<BinaryOperator>(Ex)) 1975 if (const Expr *SubEx = peelOffPointerArithmetic(BO)) 1976 return peelOffOuterExpr(SubEx, N); 1977 1978 if (auto *UO = dyn_cast<UnaryOperator>(Ex)) { 1979 if (UO->getOpcode() == UO_LNot) 1980 return peelOffOuterExpr(UO->getSubExpr(), N); 1981 1982 // FIXME: There's a hack in our Store implementation that always computes 1983 // field offsets around null pointers as if they are always equal to 0. 1984 // The idea here is to report accesses to fields as null dereferences 1985 // even though the pointer value that's being dereferenced is actually 1986 // the offset of the field rather than exactly 0. 1987 // See the FIXME in StoreManager's getLValueFieldOrIvar() method. 1988 // This code interacts heavily with this hack; otherwise the value 1989 // would not be null at all for most fields, so we'd be unable to track it. 1990 if (UO->getOpcode() == UO_AddrOf && UO->getSubExpr()->isLValue()) 1991 if (const Expr *DerefEx = bugreporter::getDerefExpr(UO->getSubExpr())) 1992 return peelOffOuterExpr(DerefEx, N); 1993 } 1994 1995 return Ex; 1996 } 1997 1998 /// Find the ExplodedNode where the lvalue (the value of 'Ex') 1999 /// was computed. 2000 static const ExplodedNode* findNodeForExpression(const ExplodedNode *N, 2001 const Expr *Inner) { 2002 while (N) { 2003 if (N->getStmtForDiagnostics() == Inner) 2004 return N; 2005 N = N->getFirstPred(); 2006 } 2007 return N; 2008 } 2009 2010 /// Attempts to add visitors to track an RValue expression back to its point of 2011 /// origin. Works similarly to trackExpressionValue, but accepts only RValues. 2012 static void trackRValueExpression(const ExplodedNode *InputNode, const Expr *E, 2013 PathSensitiveBugReport &report, 2014 bugreporter::TrackingKind TKind, 2015 bool EnableNullFPSuppression) { 2016 assert(E->isPRValue() && "The expression is not a prvalue!"); 2017 const ExplodedNode *RVNode = findNodeForExpression(InputNode, E); 2018 if (!RVNode) 2019 return; 2020 ProgramStateRef RVState = RVNode->getState(); 2021 SVal V = RVState->getSValAsScalarOrLoc(E, RVNode->getLocationContext()); 2022 const auto *BO = dyn_cast<BinaryOperator>(E); 2023 if (!BO) 2024 return; 2025 if (!V.isZeroConstant()) 2026 return; 2027 if (!BO->isMultiplicativeOp()) 2028 return; 2029 2030 SVal RHSV = RVState->getSVal(BO->getRHS(), RVNode->getLocationContext()); 2031 SVal LHSV = RVState->getSVal(BO->getLHS(), RVNode->getLocationContext()); 2032 2033 // Track both LHS and RHS of a multiplication. 2034 if (BO->getOpcode() == BO_Mul) { 2035 if (LHSV.isZeroConstant()) 2036 trackExpressionValue(InputNode, BO->getLHS(), report, TKind, 2037 EnableNullFPSuppression); 2038 if (RHSV.isZeroConstant()) 2039 trackExpressionValue(InputNode, BO->getRHS(), report, TKind, 2040 EnableNullFPSuppression); 2041 } else { // Track only the LHS of a division or a modulo. 2042 if (LHSV.isZeroConstant()) 2043 trackExpressionValue(InputNode, BO->getLHS(), report, TKind, 2044 EnableNullFPSuppression); 2045 } 2046 } 2047 2048 bool bugreporter::trackExpressionValue(const ExplodedNode *InputNode, 2049 const Expr *E, 2050 PathSensitiveBugReport &report, 2051 bugreporter::TrackingKind TKind, 2052 bool EnableNullFPSuppression) { 2053 2054 if (!E || !InputNode) 2055 return false; 2056 2057 const Expr *Inner = peelOffOuterExpr(E, InputNode); 2058 const ExplodedNode *LVNode = findNodeForExpression(InputNode, Inner); 2059 if (!LVNode) 2060 return false; 2061 2062 ProgramStateRef LVState = LVNode->getState(); 2063 const StackFrameContext *SFC = LVNode->getStackFrame(); 2064 2065 // We only track expressions if we believe that they are important. Chances 2066 // are good that control dependencies to the tracking point are also important 2067 // because of this, let's explain why we believe control reached this point. 2068 // TODO: Shouldn't we track control dependencies of every bug location, rather 2069 // than only tracked expressions? 2070 if (LVState->getAnalysisManager().getAnalyzerOptions().ShouldTrackConditions) 2071 report.addVisitor<TrackControlDependencyCondBRVisitor>(InputNode); 2072 2073 // The message send could be nil due to the receiver being nil. 2074 // At this point in the path, the receiver should be live since we are at the 2075 // message send expr. If it is nil, start tracking it. 2076 if (const Expr *Receiver = NilReceiverBRVisitor::getNilReceiver(Inner, LVNode)) 2077 trackExpressionValue( 2078 LVNode, Receiver, report, TKind, EnableNullFPSuppression); 2079 2080 // Track the index if this is an array subscript. 2081 if (const auto *Arr = dyn_cast<ArraySubscriptExpr>(Inner)) 2082 trackExpressionValue( 2083 LVNode, Arr->getIdx(), report, TKind, /*EnableNullFPSuppression*/false); 2084 2085 // See if the expression we're interested refers to a variable. 2086 // If so, we can track both its contents and constraints on its value. 2087 if (ExplodedGraph::isInterestingLValueExpr(Inner)) { 2088 SVal LVal = LVNode->getSVal(Inner); 2089 2090 const MemRegion *RR = getLocationRegionIfReference(Inner, LVNode); 2091 bool LVIsNull = LVState->isNull(LVal).isConstrainedTrue(); 2092 2093 // If this is a C++ reference to a null pointer, we are tracking the 2094 // pointer. In addition, we should find the store at which the reference 2095 // got initialized. 2096 if (RR && !LVIsNull) 2097 if (auto KV = LVal.getAs<KnownSVal>()) 2098 report.addVisitor<FindLastStoreBRVisitor>( 2099 *KV, RR, EnableNullFPSuppression, TKind, SFC); 2100 2101 // In case of C++ references, we want to differentiate between a null 2102 // reference and reference to null pointer. 2103 // If the LVal is null, check if we are dealing with null reference. 2104 // For those, we want to track the location of the reference. 2105 const MemRegion *R = (RR && LVIsNull) ? RR : 2106 LVNode->getSVal(Inner).getAsRegion(); 2107 2108 if (R) { 2109 2110 // Mark both the variable region and its contents as interesting. 2111 SVal V = LVState->getRawSVal(loc::MemRegionVal(R)); 2112 report.addVisitor<NoStoreFuncVisitor>(cast<SubRegion>(R), TKind); 2113 2114 MacroNullReturnSuppressionVisitor::addMacroVisitorIfNecessary( 2115 LVNode, R, EnableNullFPSuppression, report, V); 2116 2117 report.markInteresting(V, TKind); 2118 report.addVisitor<UndefOrNullArgVisitor>(R); 2119 2120 // If the contents are symbolic and null, find out when they became null. 2121 if (V.getAsLocSymbol(/*IncludeBaseRegions=*/true)) 2122 if (LVState->isNull(V).isConstrainedTrue()) 2123 report.addVisitor<TrackConstraintBRVisitor>(V.castAs<DefinedSVal>(), 2124 false); 2125 2126 // Add visitor, which will suppress inline defensive checks. 2127 if (auto DV = V.getAs<DefinedSVal>()) 2128 if (!DV->isZeroConstant() && EnableNullFPSuppression) { 2129 // Note that LVNode may be too late (i.e., too far from the InputNode) 2130 // because the lvalue may have been computed before the inlined call 2131 // was evaluated. InputNode may as well be too early here, because 2132 // the symbol is already dead; this, however, is fine because we can 2133 // still find the node in which it collapsed to null previously. 2134 report.addVisitor<SuppressInlineDefensiveChecksVisitor>(*DV, 2135 InputNode); 2136 } 2137 2138 if (auto KV = V.getAs<KnownSVal>()) 2139 report.addVisitor<FindLastStoreBRVisitor>( 2140 *KV, R, EnableNullFPSuppression, TKind, SFC); 2141 return true; 2142 } 2143 } 2144 2145 // If the expression is not an "lvalue expression", we can still 2146 // track the constraints on its contents. 2147 SVal V = LVState->getSValAsScalarOrLoc(Inner, LVNode->getLocationContext()); 2148 2149 ReturnVisitor::addVisitorIfNecessary( 2150 LVNode, Inner, report, EnableNullFPSuppression, TKind); 2151 2152 // Is it a symbolic value? 2153 if (auto L = V.getAs<loc::MemRegionVal>()) { 2154 // FIXME: this is a hack for fixing a later crash when attempting to 2155 // dereference a void* pointer. 2156 // We should not try to dereference pointers at all when we don't care 2157 // what is written inside the pointer. 2158 bool CanDereference = true; 2159 if (const auto *SR = L->getRegionAs<SymbolicRegion>()) { 2160 if (SR->getSymbol()->getType()->getPointeeType()->isVoidType()) 2161 CanDereference = false; 2162 } else if (L->getRegionAs<AllocaRegion>()) 2163 CanDereference = false; 2164 2165 // At this point we are dealing with the region's LValue. 2166 // However, if the rvalue is a symbolic region, we should track it as well. 2167 // Try to use the correct type when looking up the value. 2168 SVal RVal; 2169 if (ExplodedGraph::isInterestingLValueExpr(Inner)) 2170 RVal = LVState->getRawSVal(L.getValue(), Inner->getType()); 2171 else if (CanDereference) 2172 RVal = LVState->getSVal(L->getRegion()); 2173 2174 if (CanDereference) { 2175 report.addVisitor<UndefOrNullArgVisitor>(L->getRegion()); 2176 2177 if (auto KV = RVal.getAs<KnownSVal>()) 2178 report.addVisitor<FindLastStoreBRVisitor>( 2179 *KV, L->getRegion(), EnableNullFPSuppression, TKind, SFC); 2180 } 2181 2182 const MemRegion *RegionRVal = RVal.getAsRegion(); 2183 if (isa_and_nonnull<SymbolicRegion>(RegionRVal)) { 2184 report.markInteresting(RegionRVal, TKind); 2185 report.addVisitor<TrackConstraintBRVisitor>(loc::MemRegionVal(RegionRVal), 2186 /*assumption=*/false); 2187 } 2188 } 2189 2190 if (Inner->isPRValue()) 2191 trackRValueExpression(LVNode, Inner, report, TKind, 2192 EnableNullFPSuppression); 2193 2194 return true; 2195 } 2196 2197 //===----------------------------------------------------------------------===// 2198 // Implementation of NulReceiverBRVisitor. 2199 //===----------------------------------------------------------------------===// 2200 2201 const Expr *NilReceiverBRVisitor::getNilReceiver(const Stmt *S, 2202 const ExplodedNode *N) { 2203 const auto *ME = dyn_cast<ObjCMessageExpr>(S); 2204 if (!ME) 2205 return nullptr; 2206 if (const Expr *Receiver = ME->getInstanceReceiver()) { 2207 ProgramStateRef state = N->getState(); 2208 SVal V = N->getSVal(Receiver); 2209 if (state->isNull(V).isConstrainedTrue()) 2210 return Receiver; 2211 } 2212 return nullptr; 2213 } 2214 2215 PathDiagnosticPieceRef 2216 NilReceiverBRVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BRC, 2217 PathSensitiveBugReport &BR) { 2218 Optional<PreStmt> P = N->getLocationAs<PreStmt>(); 2219 if (!P) 2220 return nullptr; 2221 2222 const Stmt *S = P->getStmt(); 2223 const Expr *Receiver = getNilReceiver(S, N); 2224 if (!Receiver) 2225 return nullptr; 2226 2227 llvm::SmallString<256> Buf; 2228 llvm::raw_svector_ostream OS(Buf); 2229 2230 if (const auto *ME = dyn_cast<ObjCMessageExpr>(S)) { 2231 OS << "'"; 2232 ME->getSelector().print(OS); 2233 OS << "' not called"; 2234 } 2235 else { 2236 OS << "No method is called"; 2237 } 2238 OS << " because the receiver is nil"; 2239 2240 // The receiver was nil, and hence the method was skipped. 2241 // Register a BugReporterVisitor to issue a message telling us how 2242 // the receiver was null. 2243 bugreporter::trackExpressionValue( 2244 N, Receiver, BR, bugreporter::TrackingKind::Thorough, 2245 /*EnableNullFPSuppression*/ false); 2246 // Issue a message saying that the method was skipped. 2247 PathDiagnosticLocation L(Receiver, BRC.getSourceManager(), 2248 N->getLocationContext()); 2249 return std::make_shared<PathDiagnosticEventPiece>(L, OS.str()); 2250 } 2251 2252 //===----------------------------------------------------------------------===// 2253 // Visitor that tries to report interesting diagnostics from conditions. 2254 //===----------------------------------------------------------------------===// 2255 2256 /// Return the tag associated with this visitor. This tag will be used 2257 /// to make all PathDiagnosticPieces created by this visitor. 2258 const char *ConditionBRVisitor::getTag() { return "ConditionBRVisitor"; } 2259 2260 PathDiagnosticPieceRef 2261 ConditionBRVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BRC, 2262 PathSensitiveBugReport &BR) { 2263 auto piece = VisitNodeImpl(N, BRC, BR); 2264 if (piece) { 2265 piece->setTag(getTag()); 2266 if (auto *ev = dyn_cast<PathDiagnosticEventPiece>(piece.get())) 2267 ev->setPrunable(true, /* override */ false); 2268 } 2269 return piece; 2270 } 2271 2272 PathDiagnosticPieceRef 2273 ConditionBRVisitor::VisitNodeImpl(const ExplodedNode *N, 2274 BugReporterContext &BRC, 2275 PathSensitiveBugReport &BR) { 2276 ProgramPoint ProgPoint = N->getLocation(); 2277 const std::pair<const ProgramPointTag *, const ProgramPointTag *> &Tags = 2278 ExprEngine::geteagerlyAssumeBinOpBifurcationTags(); 2279 2280 // If an assumption was made on a branch, it should be caught 2281 // here by looking at the state transition. 2282 if (Optional<BlockEdge> BE = ProgPoint.getAs<BlockEdge>()) { 2283 const CFGBlock *SrcBlock = BE->getSrc(); 2284 if (const Stmt *Term = SrcBlock->getTerminatorStmt()) { 2285 // If the tag of the previous node is 'Eagerly Assume...' the current 2286 // 'BlockEdge' has the same constraint information. We do not want to 2287 // report the value as it is just an assumption on the predecessor node 2288 // which will be caught in the next VisitNode() iteration as a 'PostStmt'. 2289 const ProgramPointTag *PreviousNodeTag = 2290 N->getFirstPred()->getLocation().getTag(); 2291 if (PreviousNodeTag == Tags.first || PreviousNodeTag == Tags.second) 2292 return nullptr; 2293 2294 return VisitTerminator(Term, N, SrcBlock, BE->getDst(), BR, BRC); 2295 } 2296 return nullptr; 2297 } 2298 2299 if (Optional<PostStmt> PS = ProgPoint.getAs<PostStmt>()) { 2300 const ProgramPointTag *CurrentNodeTag = PS->getTag(); 2301 if (CurrentNodeTag != Tags.first && CurrentNodeTag != Tags.second) 2302 return nullptr; 2303 2304 bool TookTrue = CurrentNodeTag == Tags.first; 2305 return VisitTrueTest(cast<Expr>(PS->getStmt()), BRC, BR, N, TookTrue); 2306 } 2307 2308 return nullptr; 2309 } 2310 2311 PathDiagnosticPieceRef ConditionBRVisitor::VisitTerminator( 2312 const Stmt *Term, const ExplodedNode *N, const CFGBlock *srcBlk, 2313 const CFGBlock *dstBlk, PathSensitiveBugReport &R, 2314 BugReporterContext &BRC) { 2315 const Expr *Cond = nullptr; 2316 2317 // In the code below, Term is a CFG terminator and Cond is a branch condition 2318 // expression upon which the decision is made on this terminator. 2319 // 2320 // For example, in "if (x == 0)", the "if (x == 0)" statement is a terminator, 2321 // and "x == 0" is the respective condition. 2322 // 2323 // Another example: in "if (x && y)", we've got two terminators and two 2324 // conditions due to short-circuit nature of operator "&&": 2325 // 1. The "if (x && y)" statement is a terminator, 2326 // and "y" is the respective condition. 2327 // 2. Also "x && ..." is another terminator, 2328 // and "x" is its condition. 2329 2330 switch (Term->getStmtClass()) { 2331 // FIXME: Stmt::SwitchStmtClass is worth handling, however it is a bit 2332 // more tricky because there are more than two branches to account for. 2333 default: 2334 return nullptr; 2335 case Stmt::IfStmtClass: 2336 Cond = cast<IfStmt>(Term)->getCond(); 2337 break; 2338 case Stmt::ConditionalOperatorClass: 2339 Cond = cast<ConditionalOperator>(Term)->getCond(); 2340 break; 2341 case Stmt::BinaryOperatorClass: 2342 // When we encounter a logical operator (&& or ||) as a CFG terminator, 2343 // then the condition is actually its LHS; otherwise, we'd encounter 2344 // the parent, such as if-statement, as a terminator. 2345 const auto *BO = cast<BinaryOperator>(Term); 2346 assert(BO->isLogicalOp() && 2347 "CFG terminator is not a short-circuit operator!"); 2348 Cond = BO->getLHS(); 2349 break; 2350 } 2351 2352 Cond = Cond->IgnoreParens(); 2353 2354 // However, when we encounter a logical operator as a branch condition, 2355 // then the condition is actually its RHS, because LHS would be 2356 // the condition for the logical operator terminator. 2357 while (const auto *InnerBO = dyn_cast<BinaryOperator>(Cond)) { 2358 if (!InnerBO->isLogicalOp()) 2359 break; 2360 Cond = InnerBO->getRHS()->IgnoreParens(); 2361 } 2362 2363 assert(Cond); 2364 assert(srcBlk->succ_size() == 2); 2365 const bool TookTrue = *(srcBlk->succ_begin()) == dstBlk; 2366 return VisitTrueTest(Cond, BRC, R, N, TookTrue); 2367 } 2368 2369 PathDiagnosticPieceRef 2370 ConditionBRVisitor::VisitTrueTest(const Expr *Cond, BugReporterContext &BRC, 2371 PathSensitiveBugReport &R, 2372 const ExplodedNode *N, bool TookTrue) { 2373 ProgramStateRef CurrentState = N->getState(); 2374 ProgramStateRef PrevState = N->getFirstPred()->getState(); 2375 const LocationContext *LCtx = N->getLocationContext(); 2376 2377 // If the constraint information is changed between the current and the 2378 // previous program state we assuming the newly seen constraint information. 2379 // If we cannot evaluate the condition (and the constraints are the same) 2380 // the analyzer has no information about the value and just assuming it. 2381 bool IsAssuming = 2382 !BRC.getStateManager().haveEqualConstraints(CurrentState, PrevState) || 2383 CurrentState->getSVal(Cond, LCtx).isUnknownOrUndef(); 2384 2385 // These will be modified in code below, but we need to preserve the original 2386 // values in case we want to throw the generic message. 2387 const Expr *CondTmp = Cond; 2388 bool TookTrueTmp = TookTrue; 2389 2390 while (true) { 2391 CondTmp = CondTmp->IgnoreParenCasts(); 2392 switch (CondTmp->getStmtClass()) { 2393 default: 2394 break; 2395 case Stmt::BinaryOperatorClass: 2396 if (auto P = VisitTrueTest(Cond, cast<BinaryOperator>(CondTmp), 2397 BRC, R, N, TookTrueTmp, IsAssuming)) 2398 return P; 2399 break; 2400 case Stmt::DeclRefExprClass: 2401 if (auto P = VisitTrueTest(Cond, cast<DeclRefExpr>(CondTmp), 2402 BRC, R, N, TookTrueTmp, IsAssuming)) 2403 return P; 2404 break; 2405 case Stmt::MemberExprClass: 2406 if (auto P = VisitTrueTest(Cond, cast<MemberExpr>(CondTmp), 2407 BRC, R, N, TookTrueTmp, IsAssuming)) 2408 return P; 2409 break; 2410 case Stmt::UnaryOperatorClass: { 2411 const auto *UO = cast<UnaryOperator>(CondTmp); 2412 if (UO->getOpcode() == UO_LNot) { 2413 TookTrueTmp = !TookTrueTmp; 2414 CondTmp = UO->getSubExpr(); 2415 continue; 2416 } 2417 break; 2418 } 2419 } 2420 break; 2421 } 2422 2423 // Condition too complex to explain? Just say something so that the user 2424 // knew we've made some path decision at this point. 2425 // If it is too complex and we know the evaluation of the condition do not 2426 // repeat the note from 'BugReporter.cpp' 2427 if (!IsAssuming) 2428 return nullptr; 2429 2430 PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(), LCtx); 2431 if (!Loc.isValid() || !Loc.asLocation().isValid()) 2432 return nullptr; 2433 2434 return std::make_shared<PathDiagnosticEventPiece>( 2435 Loc, TookTrue ? GenericTrueMessage : GenericFalseMessage); 2436 } 2437 2438 bool ConditionBRVisitor::patternMatch(const Expr *Ex, 2439 const Expr *ParentEx, 2440 raw_ostream &Out, 2441 BugReporterContext &BRC, 2442 PathSensitiveBugReport &report, 2443 const ExplodedNode *N, 2444 Optional<bool> &prunable, 2445 bool IsSameFieldName) { 2446 const Expr *OriginalExpr = Ex; 2447 Ex = Ex->IgnoreParenCasts(); 2448 2449 if (isa<GNUNullExpr>(Ex) || isa<ObjCBoolLiteralExpr>(Ex) || 2450 isa<CXXBoolLiteralExpr>(Ex) || isa<IntegerLiteral>(Ex) || 2451 isa<FloatingLiteral>(Ex)) { 2452 // Use heuristics to determine if the expression is a macro 2453 // expanding to a literal and if so, use the macro's name. 2454 SourceLocation BeginLoc = OriginalExpr->getBeginLoc(); 2455 SourceLocation EndLoc = OriginalExpr->getEndLoc(); 2456 if (BeginLoc.isMacroID() && EndLoc.isMacroID()) { 2457 const SourceManager &SM = BRC.getSourceManager(); 2458 const LangOptions &LO = BRC.getASTContext().getLangOpts(); 2459 if (Lexer::isAtStartOfMacroExpansion(BeginLoc, SM, LO) && 2460 Lexer::isAtEndOfMacroExpansion(EndLoc, SM, LO)) { 2461 CharSourceRange R = Lexer::getAsCharRange({BeginLoc, EndLoc}, SM, LO); 2462 Out << Lexer::getSourceText(R, SM, LO); 2463 return false; 2464 } 2465 } 2466 } 2467 2468 if (const auto *DR = dyn_cast<DeclRefExpr>(Ex)) { 2469 const bool quotes = isa<VarDecl>(DR->getDecl()); 2470 if (quotes) { 2471 Out << '\''; 2472 const LocationContext *LCtx = N->getLocationContext(); 2473 const ProgramState *state = N->getState().get(); 2474 if (const MemRegion *R = state->getLValue(cast<VarDecl>(DR->getDecl()), 2475 LCtx).getAsRegion()) { 2476 if (report.isInteresting(R)) 2477 prunable = false; 2478 else { 2479 const ProgramState *state = N->getState().get(); 2480 SVal V = state->getSVal(R); 2481 if (report.isInteresting(V)) 2482 prunable = false; 2483 } 2484 } 2485 } 2486 Out << DR->getDecl()->getDeclName().getAsString(); 2487 if (quotes) 2488 Out << '\''; 2489 return quotes; 2490 } 2491 2492 if (const auto *IL = dyn_cast<IntegerLiteral>(Ex)) { 2493 QualType OriginalTy = OriginalExpr->getType(); 2494 if (OriginalTy->isPointerType()) { 2495 if (IL->getValue() == 0) { 2496 Out << "null"; 2497 return false; 2498 } 2499 } 2500 else if (OriginalTy->isObjCObjectPointerType()) { 2501 if (IL->getValue() == 0) { 2502 Out << "nil"; 2503 return false; 2504 } 2505 } 2506 2507 Out << IL->getValue(); 2508 return false; 2509 } 2510 2511 if (const auto *ME = dyn_cast<MemberExpr>(Ex)) { 2512 if (!IsSameFieldName) 2513 Out << "field '" << ME->getMemberDecl()->getName() << '\''; 2514 else 2515 Out << '\'' 2516 << Lexer::getSourceText( 2517 CharSourceRange::getTokenRange(Ex->getSourceRange()), 2518 BRC.getSourceManager(), BRC.getASTContext().getLangOpts(), 0) 2519 << '\''; 2520 } 2521 2522 return false; 2523 } 2524 2525 PathDiagnosticPieceRef ConditionBRVisitor::VisitTrueTest( 2526 const Expr *Cond, const BinaryOperator *BExpr, BugReporterContext &BRC, 2527 PathSensitiveBugReport &R, const ExplodedNode *N, bool TookTrue, 2528 bool IsAssuming) { 2529 bool shouldInvert = false; 2530 Optional<bool> shouldPrune; 2531 2532 // Check if the field name of the MemberExprs is ambiguous. Example: 2533 // " 'a.d' is equal to 'h.d' " in 'test/Analysis/null-deref-path-notes.cpp'. 2534 bool IsSameFieldName = false; 2535 const auto *LhsME = dyn_cast<MemberExpr>(BExpr->getLHS()->IgnoreParenCasts()); 2536 const auto *RhsME = dyn_cast<MemberExpr>(BExpr->getRHS()->IgnoreParenCasts()); 2537 2538 if (LhsME && RhsME) 2539 IsSameFieldName = 2540 LhsME->getMemberDecl()->getName() == RhsME->getMemberDecl()->getName(); 2541 2542 SmallString<128> LhsString, RhsString; 2543 { 2544 llvm::raw_svector_ostream OutLHS(LhsString), OutRHS(RhsString); 2545 const bool isVarLHS = patternMatch(BExpr->getLHS(), BExpr, OutLHS, BRC, R, 2546 N, shouldPrune, IsSameFieldName); 2547 const bool isVarRHS = patternMatch(BExpr->getRHS(), BExpr, OutRHS, BRC, R, 2548 N, shouldPrune, IsSameFieldName); 2549 2550 shouldInvert = !isVarLHS && isVarRHS; 2551 } 2552 2553 BinaryOperator::Opcode Op = BExpr->getOpcode(); 2554 2555 if (BinaryOperator::isAssignmentOp(Op)) { 2556 // For assignment operators, all that we care about is that the LHS 2557 // evaluates to "true" or "false". 2558 return VisitConditionVariable(LhsString, BExpr->getLHS(), BRC, R, N, 2559 TookTrue); 2560 } 2561 2562 // For non-assignment operations, we require that we can understand 2563 // both the LHS and RHS. 2564 if (LhsString.empty() || RhsString.empty() || 2565 !BinaryOperator::isComparisonOp(Op) || Op == BO_Cmp) 2566 return nullptr; 2567 2568 // Should we invert the strings if the LHS is not a variable name? 2569 SmallString<256> buf; 2570 llvm::raw_svector_ostream Out(buf); 2571 Out << (IsAssuming ? "Assuming " : "") 2572 << (shouldInvert ? RhsString : LhsString) << " is "; 2573 2574 // Do we need to invert the opcode? 2575 if (shouldInvert) 2576 switch (Op) { 2577 default: break; 2578 case BO_LT: Op = BO_GT; break; 2579 case BO_GT: Op = BO_LT; break; 2580 case BO_LE: Op = BO_GE; break; 2581 case BO_GE: Op = BO_LE; break; 2582 } 2583 2584 if (!TookTrue) 2585 switch (Op) { 2586 case BO_EQ: Op = BO_NE; break; 2587 case BO_NE: Op = BO_EQ; break; 2588 case BO_LT: Op = BO_GE; break; 2589 case BO_GT: Op = BO_LE; break; 2590 case BO_LE: Op = BO_GT; break; 2591 case BO_GE: Op = BO_LT; break; 2592 default: 2593 return nullptr; 2594 } 2595 2596 switch (Op) { 2597 case BO_EQ: 2598 Out << "equal to "; 2599 break; 2600 case BO_NE: 2601 Out << "not equal to "; 2602 break; 2603 default: 2604 Out << BinaryOperator::getOpcodeStr(Op) << ' '; 2605 break; 2606 } 2607 2608 Out << (shouldInvert ? LhsString : RhsString); 2609 const LocationContext *LCtx = N->getLocationContext(); 2610 const SourceManager &SM = BRC.getSourceManager(); 2611 2612 if (isVarAnInterestingCondition(BExpr->getLHS(), N, &R) || 2613 isVarAnInterestingCondition(BExpr->getRHS(), N, &R)) 2614 Out << WillBeUsedForACondition; 2615 2616 // Convert 'field ...' to 'Field ...' if it is a MemberExpr. 2617 std::string Message = std::string(Out.str()); 2618 Message[0] = toupper(Message[0]); 2619 2620 // If we know the value create a pop-up note to the value part of 'BExpr'. 2621 if (!IsAssuming) { 2622 PathDiagnosticLocation Loc; 2623 if (!shouldInvert) { 2624 if (LhsME && LhsME->getMemberLoc().isValid()) 2625 Loc = PathDiagnosticLocation(LhsME->getMemberLoc(), SM); 2626 else 2627 Loc = PathDiagnosticLocation(BExpr->getLHS(), SM, LCtx); 2628 } else { 2629 if (RhsME && RhsME->getMemberLoc().isValid()) 2630 Loc = PathDiagnosticLocation(RhsME->getMemberLoc(), SM); 2631 else 2632 Loc = PathDiagnosticLocation(BExpr->getRHS(), SM, LCtx); 2633 } 2634 2635 return std::make_shared<PathDiagnosticPopUpPiece>(Loc, Message); 2636 } 2637 2638 PathDiagnosticLocation Loc(Cond, SM, LCtx); 2639 auto event = std::make_shared<PathDiagnosticEventPiece>(Loc, Message); 2640 if (shouldPrune.hasValue()) 2641 event->setPrunable(shouldPrune.getValue()); 2642 return event; 2643 } 2644 2645 PathDiagnosticPieceRef ConditionBRVisitor::VisitConditionVariable( 2646 StringRef LhsString, const Expr *CondVarExpr, BugReporterContext &BRC, 2647 PathSensitiveBugReport &report, const ExplodedNode *N, bool TookTrue) { 2648 // FIXME: If there's already a constraint tracker for this variable, 2649 // we shouldn't emit anything here (c.f. the double note in 2650 // test/Analysis/inlining/path-notes.c) 2651 SmallString<256> buf; 2652 llvm::raw_svector_ostream Out(buf); 2653 Out << "Assuming " << LhsString << " is "; 2654 2655 if (!printValue(CondVarExpr, Out, N, TookTrue, /*IsAssuming=*/true)) 2656 return nullptr; 2657 2658 const LocationContext *LCtx = N->getLocationContext(); 2659 PathDiagnosticLocation Loc(CondVarExpr, BRC.getSourceManager(), LCtx); 2660 2661 if (isVarAnInterestingCondition(CondVarExpr, N, &report)) 2662 Out << WillBeUsedForACondition; 2663 2664 auto event = std::make_shared<PathDiagnosticEventPiece>(Loc, Out.str()); 2665 2666 if (isInterestingExpr(CondVarExpr, N, &report)) 2667 event->setPrunable(false); 2668 2669 return event; 2670 } 2671 2672 PathDiagnosticPieceRef ConditionBRVisitor::VisitTrueTest( 2673 const Expr *Cond, const DeclRefExpr *DRE, BugReporterContext &BRC, 2674 PathSensitiveBugReport &report, const ExplodedNode *N, bool TookTrue, 2675 bool IsAssuming) { 2676 const auto *VD = dyn_cast<VarDecl>(DRE->getDecl()); 2677 if (!VD) 2678 return nullptr; 2679 2680 SmallString<256> Buf; 2681 llvm::raw_svector_ostream Out(Buf); 2682 2683 Out << (IsAssuming ? "Assuming '" : "'") << VD->getDeclName() << "' is "; 2684 2685 if (!printValue(DRE, Out, N, TookTrue, IsAssuming)) 2686 return nullptr; 2687 2688 const LocationContext *LCtx = N->getLocationContext(); 2689 2690 if (isVarAnInterestingCondition(DRE, N, &report)) 2691 Out << WillBeUsedForACondition; 2692 2693 // If we know the value create a pop-up note to the 'DRE'. 2694 if (!IsAssuming) { 2695 PathDiagnosticLocation Loc(DRE, BRC.getSourceManager(), LCtx); 2696 return std::make_shared<PathDiagnosticPopUpPiece>(Loc, Out.str()); 2697 } 2698 2699 PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(), LCtx); 2700 auto event = std::make_shared<PathDiagnosticEventPiece>(Loc, Out.str()); 2701 2702 if (isInterestingExpr(DRE, N, &report)) 2703 event->setPrunable(false); 2704 2705 return std::move(event); 2706 } 2707 2708 PathDiagnosticPieceRef ConditionBRVisitor::VisitTrueTest( 2709 const Expr *Cond, const MemberExpr *ME, BugReporterContext &BRC, 2710 PathSensitiveBugReport &report, const ExplodedNode *N, bool TookTrue, 2711 bool IsAssuming) { 2712 SmallString<256> Buf; 2713 llvm::raw_svector_ostream Out(Buf); 2714 2715 Out << (IsAssuming ? "Assuming field '" : "Field '") 2716 << ME->getMemberDecl()->getName() << "' is "; 2717 2718 if (!printValue(ME, Out, N, TookTrue, IsAssuming)) 2719 return nullptr; 2720 2721 const LocationContext *LCtx = N->getLocationContext(); 2722 PathDiagnosticLocation Loc; 2723 2724 // If we know the value create a pop-up note to the member of the MemberExpr. 2725 if (!IsAssuming && ME->getMemberLoc().isValid()) 2726 Loc = PathDiagnosticLocation(ME->getMemberLoc(), BRC.getSourceManager()); 2727 else 2728 Loc = PathDiagnosticLocation(Cond, BRC.getSourceManager(), LCtx); 2729 2730 if (!Loc.isValid() || !Loc.asLocation().isValid()) 2731 return nullptr; 2732 2733 if (isVarAnInterestingCondition(ME, N, &report)) 2734 Out << WillBeUsedForACondition; 2735 2736 // If we know the value create a pop-up note. 2737 if (!IsAssuming) 2738 return std::make_shared<PathDiagnosticPopUpPiece>(Loc, Out.str()); 2739 2740 auto event = std::make_shared<PathDiagnosticEventPiece>(Loc, Out.str()); 2741 if (isInterestingExpr(ME, N, &report)) 2742 event->setPrunable(false); 2743 return event; 2744 } 2745 2746 bool ConditionBRVisitor::printValue(const Expr *CondVarExpr, raw_ostream &Out, 2747 const ExplodedNode *N, bool TookTrue, 2748 bool IsAssuming) { 2749 QualType Ty = CondVarExpr->getType(); 2750 2751 if (Ty->isPointerType()) { 2752 Out << (TookTrue ? "non-null" : "null"); 2753 return true; 2754 } 2755 2756 if (Ty->isObjCObjectPointerType()) { 2757 Out << (TookTrue ? "non-nil" : "nil"); 2758 return true; 2759 } 2760 2761 if (!Ty->isIntegralOrEnumerationType()) 2762 return false; 2763 2764 Optional<const llvm::APSInt *> IntValue; 2765 if (!IsAssuming) 2766 IntValue = getConcreteIntegerValue(CondVarExpr, N); 2767 2768 if (IsAssuming || !IntValue.hasValue()) { 2769 if (Ty->isBooleanType()) 2770 Out << (TookTrue ? "true" : "false"); 2771 else 2772 Out << (TookTrue ? "not equal to 0" : "0"); 2773 } else { 2774 if (Ty->isBooleanType()) 2775 Out << (IntValue.getValue()->getBoolValue() ? "true" : "false"); 2776 else 2777 Out << *IntValue.getValue(); 2778 } 2779 2780 return true; 2781 } 2782 2783 constexpr llvm::StringLiteral ConditionBRVisitor::GenericTrueMessage; 2784 constexpr llvm::StringLiteral ConditionBRVisitor::GenericFalseMessage; 2785 2786 bool ConditionBRVisitor::isPieceMessageGeneric( 2787 const PathDiagnosticPiece *Piece) { 2788 return Piece->getString() == GenericTrueMessage || 2789 Piece->getString() == GenericFalseMessage; 2790 } 2791 2792 //===----------------------------------------------------------------------===// 2793 // Implementation of LikelyFalsePositiveSuppressionBRVisitor. 2794 //===----------------------------------------------------------------------===// 2795 2796 void LikelyFalsePositiveSuppressionBRVisitor::finalizeVisitor( 2797 BugReporterContext &BRC, const ExplodedNode *N, 2798 PathSensitiveBugReport &BR) { 2799 // Here we suppress false positives coming from system headers. This list is 2800 // based on known issues. 2801 const AnalyzerOptions &Options = BRC.getAnalyzerOptions(); 2802 const Decl *D = N->getLocationContext()->getDecl(); 2803 2804 if (AnalysisDeclContext::isInStdNamespace(D)) { 2805 // Skip reports within the 'std' namespace. Although these can sometimes be 2806 // the user's fault, we currently don't report them very well, and 2807 // Note that this will not help for any other data structure libraries, like 2808 // TR1, Boost, or llvm/ADT. 2809 if (Options.ShouldSuppressFromCXXStandardLibrary) { 2810 BR.markInvalid(getTag(), nullptr); 2811 return; 2812 } else { 2813 // If the complete 'std' suppression is not enabled, suppress reports 2814 // from the 'std' namespace that are known to produce false positives. 2815 2816 // The analyzer issues a false use-after-free when std::list::pop_front 2817 // or std::list::pop_back are called multiple times because we cannot 2818 // reason about the internal invariants of the data structure. 2819 if (const auto *MD = dyn_cast<CXXMethodDecl>(D)) { 2820 const CXXRecordDecl *CD = MD->getParent(); 2821 if (CD->getName() == "list") { 2822 BR.markInvalid(getTag(), nullptr); 2823 return; 2824 } 2825 } 2826 2827 // The analyzer issues a false positive when the constructor of 2828 // std::__independent_bits_engine from algorithms is used. 2829 if (const auto *MD = dyn_cast<CXXConstructorDecl>(D)) { 2830 const CXXRecordDecl *CD = MD->getParent(); 2831 if (CD->getName() == "__independent_bits_engine") { 2832 BR.markInvalid(getTag(), nullptr); 2833 return; 2834 } 2835 } 2836 2837 for (const LocationContext *LCtx = N->getLocationContext(); LCtx; 2838 LCtx = LCtx->getParent()) { 2839 const auto *MD = dyn_cast<CXXMethodDecl>(LCtx->getDecl()); 2840 if (!MD) 2841 continue; 2842 2843 const CXXRecordDecl *CD = MD->getParent(); 2844 // The analyzer issues a false positive on 2845 // std::basic_string<uint8_t> v; v.push_back(1); 2846 // and 2847 // std::u16string s; s += u'a'; 2848 // because we cannot reason about the internal invariants of the 2849 // data structure. 2850 if (CD->getName() == "basic_string") { 2851 BR.markInvalid(getTag(), nullptr); 2852 return; 2853 } 2854 2855 // The analyzer issues a false positive on 2856 // std::shared_ptr<int> p(new int(1)); p = nullptr; 2857 // because it does not reason properly about temporary destructors. 2858 if (CD->getName() == "shared_ptr") { 2859 BR.markInvalid(getTag(), nullptr); 2860 return; 2861 } 2862 } 2863 } 2864 } 2865 2866 // Skip reports within the sys/queue.h macros as we do not have the ability to 2867 // reason about data structure shapes. 2868 const SourceManager &SM = BRC.getSourceManager(); 2869 FullSourceLoc Loc = BR.getLocation().asLocation(); 2870 while (Loc.isMacroID()) { 2871 Loc = Loc.getSpellingLoc(); 2872 if (SM.getFilename(Loc).endswith("sys/queue.h")) { 2873 BR.markInvalid(getTag(), nullptr); 2874 return; 2875 } 2876 } 2877 } 2878 2879 //===----------------------------------------------------------------------===// 2880 // Implementation of UndefOrNullArgVisitor. 2881 //===----------------------------------------------------------------------===// 2882 2883 PathDiagnosticPieceRef 2884 UndefOrNullArgVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &BRC, 2885 PathSensitiveBugReport &BR) { 2886 ProgramStateRef State = N->getState(); 2887 ProgramPoint ProgLoc = N->getLocation(); 2888 2889 // We are only interested in visiting CallEnter nodes. 2890 Optional<CallEnter> CEnter = ProgLoc.getAs<CallEnter>(); 2891 if (!CEnter) 2892 return nullptr; 2893 2894 // Check if one of the arguments is the region the visitor is tracking. 2895 CallEventManager &CEMgr = BRC.getStateManager().getCallEventManager(); 2896 CallEventRef<> Call = CEMgr.getCaller(CEnter->getCalleeContext(), State); 2897 unsigned Idx = 0; 2898 ArrayRef<ParmVarDecl *> parms = Call->parameters(); 2899 2900 for (const auto ParamDecl : parms) { 2901 const MemRegion *ArgReg = Call->getArgSVal(Idx).getAsRegion(); 2902 ++Idx; 2903 2904 // Are we tracking the argument or its subregion? 2905 if ( !ArgReg || !R->isSubRegionOf(ArgReg->StripCasts())) 2906 continue; 2907 2908 // Check the function parameter type. 2909 assert(ParamDecl && "Formal parameter has no decl?"); 2910 QualType T = ParamDecl->getType(); 2911 2912 if (!(T->isAnyPointerType() || T->isReferenceType())) { 2913 // Function can only change the value passed in by address. 2914 continue; 2915 } 2916 2917 // If it is a const pointer value, the function does not intend to 2918 // change the value. 2919 if (T->getPointeeType().isConstQualified()) 2920 continue; 2921 2922 // Mark the call site (LocationContext) as interesting if the value of the 2923 // argument is undefined or '0'/'NULL'. 2924 SVal BoundVal = State->getSVal(R); 2925 if (BoundVal.isUndef() || BoundVal.isZeroConstant()) { 2926 BR.markInteresting(CEnter->getCalleeContext()); 2927 return nullptr; 2928 } 2929 } 2930 return nullptr; 2931 } 2932 2933 //===----------------------------------------------------------------------===// 2934 // Implementation of FalsePositiveRefutationBRVisitor. 2935 //===----------------------------------------------------------------------===// 2936 2937 FalsePositiveRefutationBRVisitor::FalsePositiveRefutationBRVisitor() 2938 : Constraints(ConstraintMap::Factory().getEmptyMap()) {} 2939 2940 void FalsePositiveRefutationBRVisitor::finalizeVisitor( 2941 BugReporterContext &BRC, const ExplodedNode *EndPathNode, 2942 PathSensitiveBugReport &BR) { 2943 // Collect new constraints 2944 addConstraints(EndPathNode, /*OverwriteConstraintsOnExistingSyms=*/true); 2945 2946 // Create a refutation manager 2947 llvm::SMTSolverRef RefutationSolver = llvm::CreateZ3Solver(); 2948 ASTContext &Ctx = BRC.getASTContext(); 2949 2950 // Add constraints to the solver 2951 for (const auto &I : Constraints) { 2952 const SymbolRef Sym = I.first; 2953 auto RangeIt = I.second.begin(); 2954 2955 llvm::SMTExprRef SMTConstraints = SMTConv::getRangeExpr( 2956 RefutationSolver, Ctx, Sym, RangeIt->From(), RangeIt->To(), 2957 /*InRange=*/true); 2958 while ((++RangeIt) != I.second.end()) { 2959 SMTConstraints = RefutationSolver->mkOr( 2960 SMTConstraints, SMTConv::getRangeExpr(RefutationSolver, Ctx, Sym, 2961 RangeIt->From(), RangeIt->To(), 2962 /*InRange=*/true)); 2963 } 2964 2965 RefutationSolver->addConstraint(SMTConstraints); 2966 } 2967 2968 // And check for satisfiability 2969 Optional<bool> IsSAT = RefutationSolver->check(); 2970 if (!IsSAT.hasValue()) 2971 return; 2972 2973 if (!IsSAT.getValue()) 2974 BR.markInvalid("Infeasible constraints", EndPathNode->getLocationContext()); 2975 } 2976 2977 void FalsePositiveRefutationBRVisitor::addConstraints( 2978 const ExplodedNode *N, bool OverwriteConstraintsOnExistingSyms) { 2979 // Collect new constraints 2980 ConstraintMap NewCs = getConstraintMap(N->getState()); 2981 ConstraintMap::Factory &CF = N->getState()->get_context<ConstraintMap>(); 2982 2983 // Add constraints if we don't have them yet 2984 for (auto const &C : NewCs) { 2985 const SymbolRef &Sym = C.first; 2986 if (!Constraints.contains(Sym)) { 2987 // This symbol is new, just add the constraint. 2988 Constraints = CF.add(Constraints, Sym, C.second); 2989 } else if (OverwriteConstraintsOnExistingSyms) { 2990 // Overwrite the associated constraint of the Symbol. 2991 Constraints = CF.remove(Constraints, Sym); 2992 Constraints = CF.add(Constraints, Sym, C.second); 2993 } 2994 } 2995 } 2996 2997 PathDiagnosticPieceRef FalsePositiveRefutationBRVisitor::VisitNode( 2998 const ExplodedNode *N, BugReporterContext &, PathSensitiveBugReport &) { 2999 addConstraints(N, /*OverwriteConstraintsOnExistingSyms=*/false); 3000 return nullptr; 3001 } 3002 3003 void FalsePositiveRefutationBRVisitor::Profile( 3004 llvm::FoldingSetNodeID &ID) const { 3005 static int Tag = 0; 3006 ID.AddPointer(&Tag); 3007 } 3008 3009 //===----------------------------------------------------------------------===// 3010 // Implementation of TagVisitor. 3011 //===----------------------------------------------------------------------===// 3012 3013 int NoteTag::Kind = 0; 3014 3015 void TagVisitor::Profile(llvm::FoldingSetNodeID &ID) const { 3016 static int Tag = 0; 3017 ID.AddPointer(&Tag); 3018 } 3019 3020 PathDiagnosticPieceRef TagVisitor::VisitNode(const ExplodedNode *N, 3021 BugReporterContext &BRC, 3022 PathSensitiveBugReport &R) { 3023 ProgramPoint PP = N->getLocation(); 3024 const NoteTag *T = dyn_cast_or_null<NoteTag>(PP.getTag()); 3025 if (!T) 3026 return nullptr; 3027 3028 if (Optional<std::string> Msg = T->generateMessage(BRC, R)) { 3029 PathDiagnosticLocation Loc = 3030 PathDiagnosticLocation::create(PP, BRC.getSourceManager()); 3031 auto Piece = std::make_shared<PathDiagnosticEventPiece>(Loc, *Msg); 3032 Piece->setPrunable(T->isPrunable()); 3033 return Piece; 3034 } 3035 3036 return nullptr; 3037 } 3038