1 //===-- DeleteWithNonVirtualDtorChecker.cpp -----------------------*- C++ -*--//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // Defines a checker for the OOP52-CPP CERT rule: Do not delete a polymorphic
11 // object without a virtual destructor.
13 // Diagnostic flags -Wnon-virtual-dtor and -Wdelete-non-virtual-dtor report if
14 // an object with a virtual function but a non-virtual destructor exists or is
15 // deleted, respectively.
17 // This check exceeds them by comparing the dynamic and static types of the
18 // object at the point of destruction and only warns if it happens through a
19 // pointer to a base type without a virtual destructor. The check places a note
20 // at the last point where the conversion from derived to base happened.
22 //===----------------------------------------------------------------------===//
24 #include "ClangSACheckers.h"
25 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
26 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
27 #include "clang/StaticAnalyzer/Core/Checker.h"
28 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
29 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
30 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
31 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
32 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
34 using namespace clang;
38 class DeleteWithNonVirtualDtorChecker
39 : public Checker<check::PreStmt<CXXDeleteExpr>> {
40 mutable std::unique_ptr<BugType> BT;
42 class DeleteBugVisitor : public BugReporterVisitorImpl<DeleteBugVisitor> {
44 DeleteBugVisitor() : Satisfied(false) {}
45 void Profile(llvm::FoldingSetNodeID &ID) const override {
49 std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
50 const ExplodedNode *PrevN,
51 BugReporterContext &BRC,
52 BugReport &BR) override;
59 void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
61 } // end anonymous namespace
63 void DeleteWithNonVirtualDtorChecker::checkPreStmt(const CXXDeleteExpr *DE,
64 CheckerContext &C) const {
65 const Expr *DeletedObj = DE->getArgument();
66 const MemRegion *MR = C.getSVal(DeletedObj).getAsRegion();
70 const auto *BaseClassRegion = MR->getAs<TypedValueRegion>();
71 const auto *DerivedClassRegion = MR->getBaseRegion()->getAs<SymbolicRegion>();
72 if (!BaseClassRegion || !DerivedClassRegion)
75 const auto *BaseClass = BaseClassRegion->getValueType()->getAsCXXRecordDecl();
76 const auto *DerivedClass =
77 DerivedClassRegion->getSymbol()->getType()->getPointeeCXXRecordDecl();
78 if (!BaseClass || !DerivedClass)
81 if (!BaseClass->hasDefinition() || !DerivedClass->hasDefinition())
84 if (BaseClass->getDestructor()->isVirtual())
87 if (!DerivedClass->isDerivedFrom(BaseClass))
91 BT.reset(new BugType(this,
92 "Destruction of a polymorphic object with no "
96 ExplodedNode *N = C.generateNonFatalErrorNode();
97 auto R = llvm::make_unique<BugReport>(*BT, BT->getName(), N);
99 // Mark region of problematic base class for later use in the BugVisitor.
100 R->markInteresting(BaseClassRegion);
101 R->addVisitor(llvm::make_unique<DeleteBugVisitor>());
102 C.emitReport(std::move(R));
105 std::shared_ptr<PathDiagnosticPiece>
106 DeleteWithNonVirtualDtorChecker::DeleteBugVisitor::VisitNode(
107 const ExplodedNode *N, const ExplodedNode *PrevN, BugReporterContext &BRC,
109 // Stop traversal after the first conversion was found on a path.
113 ProgramStateRef State = N->getState();
114 const LocationContext *LC = N->getLocationContext();
115 const Stmt *S = PathDiagnosticLocation::getStmt(N);
119 const auto *CastE = dyn_cast<CastExpr>(S);
123 // Only interested in DerivedToBase implicit casts.
124 // Explicit casts can have different CastKinds.
125 if (const auto *ImplCastE = dyn_cast<ImplicitCastExpr>(CastE)) {
126 if (ImplCastE->getCastKind() != CK_DerivedToBase)
130 // Region associated with the current cast expression.
131 const MemRegion *M = State->getSVal(CastE, LC).getAsRegion();
135 // Check if target region was marked as problematic previously.
136 if (!BR.isInteresting(M))
139 // Stop traversal on this path.
142 SmallString<256> Buf;
143 llvm::raw_svector_ostream OS(Buf);
144 OS << "Conversion from derived to base happened here";
145 PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
146 N->getLocationContext());
147 return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true,
151 void ento::registerDeleteWithNonVirtualDtorChecker(CheckerManager &mgr) {
152 mgr.registerChecker<DeleteWithNonVirtualDtorChecker>();