1 //===--- CallAndMessageChecker.cpp ------------------------------*- C++ -*--==//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This defines CallAndMessageChecker, a builtin checker that checks for various
11 // errors of call and objc message expressions.
13 //===----------------------------------------------------------------------===//
15 #include "clang/Basic/TargetInfo.h"
16 #include "clang/Checker/PathSensitive/CheckerVisitor.h"
17 #include "clang/Checker/BugReporter/BugReporter.h"
18 #include "clang/AST/ParentMap.h"
19 #include "GRExprEngineInternalChecks.h"
21 using namespace clang;
24 class CallAndMessageChecker
25 : public CheckerVisitor<CallAndMessageChecker> {
26 BugType *BT_call_null;
27 BugType *BT_call_undef;
29 BugType *BT_msg_undef;
33 CallAndMessageChecker() :
34 BT_call_null(0), BT_call_undef(0), BT_call_arg(0),
35 BT_msg_undef(0), BT_msg_arg(0), BT_msg_ret(0) {}
37 static void *getTag() {
42 void PreVisitCallExpr(CheckerContext &C, const CallExpr *CE);
43 void PreVisitObjCMessageExpr(CheckerContext &C, const ObjCMessageExpr *ME);
44 bool EvalNilReceiver(CheckerContext &C, const ObjCMessageExpr *ME);
47 void EmitBadCall(BugType *BT, CheckerContext &C, const CallExpr *CE);
48 void EmitNilReceiverBug(CheckerContext &C, const ObjCMessageExpr *ME,
51 void HandleNilReceiver(CheckerContext &C, const GRState *state,
52 const ObjCMessageExpr *ME);
54 } // end anonymous namespace
56 void clang::RegisterCallAndMessageChecker(GRExprEngine &Eng) {
57 Eng.registerCheck(new CallAndMessageChecker());
60 void CallAndMessageChecker::EmitBadCall(BugType *BT, CheckerContext &C,
62 ExplodedNode *N = C.GenerateSink();
66 EnhancedBugReport *R = new EnhancedBugReport(*BT, BT->getName(), N);
67 R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue,
68 bugreporter::GetCalleeExpr(N));
72 void CallAndMessageChecker::PreVisitCallExpr(CheckerContext &C,
75 const Expr *Callee = CE->getCallee()->IgnoreParens();
76 SVal L = C.getState()->getSVal(Callee);
81 new BuiltinBug("Called function pointer is an undefined pointer value");
82 EmitBadCall(BT_call_undef, C, CE);
86 if (isa<loc::ConcreteInt>(L)) {
89 new BuiltinBug("Called function pointer is null (null dereference)");
90 EmitBadCall(BT_call_null, C, CE);
93 for (CallExpr::const_arg_iterator I = CE->arg_begin(), E = CE->arg_end();
95 if (C.getState()->getSVal(*I).isUndef()) {
96 if (ExplodedNode *N = C.GenerateSink()) {
98 BT_call_arg = new BuiltinBug("Pass-by-value argument in function call"
100 // Generate a report for this bug.
101 EnhancedBugReport *R = new EnhancedBugReport(*BT_call_arg,
102 BT_call_arg->getName(), N);
103 R->addRange((*I)->getSourceRange());
104 R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, *I);
112 void CallAndMessageChecker::PreVisitObjCMessageExpr(CheckerContext &C,
113 const ObjCMessageExpr *ME) {
115 const GRState *state = C.getState();
117 if (const Expr *receiver = ME->getReceiver())
118 if (state->getSVal(receiver).isUndef()) {
119 if (ExplodedNode *N = C.GenerateSink()) {
122 new BuiltinBug("Receiver in message expression is a garbage value");
123 EnhancedBugReport *R =
124 new EnhancedBugReport(*BT_msg_undef, BT_msg_undef->getName(), N);
125 R->addRange(receiver->getSourceRange());
126 R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue,
133 // Check for any arguments that are uninitialized/undefined.
134 for (ObjCMessageExpr::const_arg_iterator I = ME->arg_begin(),
135 E = ME->arg_end(); I != E; ++I) {
136 if (state->getSVal(*I).isUndef()) {
137 if (ExplodedNode *N = C.GenerateSink()) {
140 new BuiltinBug("Pass-by-value argument in message expression"
142 // Generate a report for this bug.
143 EnhancedBugReport *R = new EnhancedBugReport(*BT_msg_arg,
144 BT_msg_arg->getName(), N);
145 R->addRange((*I)->getSourceRange());
146 R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, *I);
154 bool CallAndMessageChecker::EvalNilReceiver(CheckerContext &C,
155 const ObjCMessageExpr *ME) {
156 HandleNilReceiver(C, C.getState(), ME);
157 return true; // Nil receiver is not handled elsewhere.
160 void CallAndMessageChecker::EmitNilReceiverBug(CheckerContext &C,
161 const ObjCMessageExpr *ME,
166 new BuiltinBug("Receiver in message expression is "
167 "'nil' and returns a garbage value");
169 llvm::SmallString<200> buf;
170 llvm::raw_svector_ostream os(buf);
171 os << "The receiver of message '" << ME->getSelector().getAsString()
172 << "' is nil and returns a value of type '"
173 << ME->getType().getAsString() << "' that will be garbage";
175 EnhancedBugReport *report = new EnhancedBugReport(*BT_msg_ret, os.str(), N);
176 const Expr *receiver = ME->getReceiver();
177 report->addRange(receiver->getSourceRange());
178 report->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue,
180 C.EmitReport(report);
183 static bool SupportsNilWithFloatRet(const llvm::Triple &triple) {
184 return triple.getVendor() == llvm::Triple::Apple &&
185 triple.getDarwinMajorNumber() >= 9;
188 void CallAndMessageChecker::HandleNilReceiver(CheckerContext &C,
189 const GRState *state,
190 const ObjCMessageExpr *ME) {
192 // Check the return type of the message expression. A message to nil will
193 // return different values depending on the return type and the architecture.
194 QualType RetTy = ME->getType();
196 ASTContext &Ctx = C.getASTContext();
197 CanQualType CanRetTy = Ctx.getCanonicalType(RetTy);
199 if (CanRetTy->isStructureType()) {
200 // FIXME: At some point we shouldn't rely on isConsumedExpr(), but instead
201 // have the "use of undefined value" be smarter about where the
202 // undefined value came from.
203 if (C.getPredecessor()->getParentMap().isConsumedExpr(ME)) {
204 if (ExplodedNode* N = C.GenerateSink(state))
205 EmitNilReceiverBug(C, ME, N);
209 // The result is not consumed by a surrounding expression. Just propagate
210 // the current state.
211 C.addTransition(state);
215 // Other cases: check if the return type is smaller than void*.
216 if (CanRetTy != Ctx.VoidTy &&
217 C.getPredecessor()->getParentMap().isConsumedExpr(ME)) {
218 // Compute: sizeof(void *) and sizeof(return type)
219 const uint64_t voidPtrSize = Ctx.getTypeSize(Ctx.VoidPtrTy);
220 const uint64_t returnTypeSize = Ctx.getTypeSize(CanRetTy);
222 if (voidPtrSize < returnTypeSize &&
223 !(SupportsNilWithFloatRet(Ctx.Target.getTriple()) &&
224 (Ctx.FloatTy == CanRetTy ||
225 Ctx.DoubleTy == CanRetTy ||
226 Ctx.LongDoubleTy == CanRetTy ||
227 Ctx.LongLongTy == CanRetTy))) {
228 if (ExplodedNode* N = C.GenerateSink(state))
229 EmitNilReceiverBug(C, ME, N);
233 // Handle the safe cases where the return value is 0 if the
236 // FIXME: For now take the conservative approach that we only
237 // return null values if we *know* that the receiver is nil.
238 // This is because we can have surprises like:
240 // ... = [[NSScreens screens] objectAtIndex:0];
242 // What can happen is that [... screens] could return nil, but
243 // it most likely isn't nil. We should assume the semantics
244 // of this case unless we have *a lot* more knowledge.
246 SVal V = C.getValueManager().makeZeroVal(ME->getType());
247 C.GenerateNode(state->BindExpr(ME, V));
251 C.addTransition(state);
projects / FreeBSD / FreeBSD.git / blob