1 //===--- AttrNonNullChecker.h - Undefined arguments checker ----*- C++ -*--===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This defines AttrNonNullChecker, a builtin check in ExprEngine that
11 // performs checks for arguments declared to have nonnull attribute.
13 //===----------------------------------------------------------------------===//
15 #include "ClangSACheckers.h"
16 #include "clang/StaticAnalyzer/Core/Checker.h"
17 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
18 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
19 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
21 using namespace clang;
25 class AttrNonNullChecker
26 : public Checker< check::PreStmt<CallExpr> > {
27 mutable OwningPtr<BugType> BT;
30 void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
32 } // end anonymous namespace
34 void AttrNonNullChecker::checkPreStmt(const CallExpr *CE,
35 CheckerContext &C) const {
36 ProgramStateRef state = C.getState();
37 const LocationContext *LCtx = C.getLocationContext();
39 // Check if the callee has a 'nonnull' attribute.
40 SVal X = state->getSVal(CE->getCallee(), LCtx);
42 const FunctionDecl *FD = X.getAsFunctionDecl();
46 const NonNullAttr* Att = FD->getAttr<NonNullAttr>();
50 // Iterate through the arguments of CE and check them for null.
53 for (CallExpr::const_arg_iterator I=CE->arg_begin(), E=CE->arg_end(); I!=E;
56 if (!Att->isNonNull(idx))
59 SVal V = state->getSVal(*I, LCtx);
60 DefinedSVal *DV = dyn_cast<DefinedSVal>(&V);
62 // If the value is unknown or undefined, we can't perform this check.
67 // If the argument is a union type, we want to handle a potential
68 // transparent_unoin GCC extension.
69 QualType T = (*I)->getType();
70 const RecordType *UT = T->getAsUnionType();
71 if (!UT || !UT->getDecl()->hasAttr<TransparentUnionAttr>())
73 if (nonloc::CompoundVal *CSV = dyn_cast<nonloc::CompoundVal>(DV)) {
74 nonloc::CompoundVal::iterator CSV_I = CSV->begin();
75 assert(CSV_I != CSV->end());
77 DV = dyn_cast<DefinedSVal>(&V);
78 assert(++CSV_I == CSV->end());
83 // FIXME: Handle LazyCompoundVals?
88 ConstraintManager &CM = C.getConstraintManager();
89 ProgramStateRef stateNotNull, stateNull;
90 llvm::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV);
92 if (stateNull && !stateNotNull) {
93 // Generate an error node. Check for a null node in case
95 if (ExplodedNode *errorNode = C.generateSink(stateNull)) {
97 // Lazily allocate the BugType object if it hasn't already been
98 // created. Ownership is transferred to the BugReporter object once
99 // the BugReport is passed to 'EmitWarning'.
101 BT.reset(new BugType("Argument with 'nonnull' attribute passed null",
105 new BugReport(*BT, "Null pointer passed as an argument to a "
106 "'nonnull' parameter", errorNode);
108 // Highlight the range of the argument that was null.
109 const Expr *arg = *I;
110 R->addRange(arg->getSourceRange());
111 R->addVisitor(bugreporter::getTrackNullOrUndefValueVisitor(errorNode,
113 // Emit the bug report.
117 // Always return. Either we cached out or we just emitted an error.
121 // If a pointer value passed the check we should assume that it is
122 // indeed not null from this point forward.
123 assert(stateNotNull);
124 state = stateNotNull;
127 // If we reach here all of the arguments passed the nonnull check.
128 // If 'state' has been updated generated a new node.
129 C.addTransition(state);
132 void ento::registerAttrNonNullChecker(CheckerManager &mgr) {
133 mgr.registerChecker<AttrNonNullChecker>();