Coverage Report

Created: 2019-07-24 05:18

/Users/buildslave/jenkins/workspace/clang-stage2-coverage-R/llvm/tools/clang/lib/StaticAnalyzer/Checkers/DeleteWithNonVirtualDtorChecker.cpp
Line
Count
Source (jump to first uncovered line)
1
//===-- DeleteWithNonVirtualDtorChecker.cpp -----------------------*- C++ -*--//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
// Defines a checker for the OOP52-CPP CERT rule: Do not delete a polymorphic
10
// object without a virtual destructor.
11
//
12
// Diagnostic flags -Wnon-virtual-dtor and -Wdelete-non-virtual-dtor report if
13
// an object with a virtual function but a non-virtual destructor exists or is
14
// deleted, respectively.
15
//
16
// This check exceeds them by comparing the dynamic and static types of the
17
// object at the point of destruction and only warns if it happens through a
18
// pointer to a base type without a virtual destructor. The check places a note
19
// at the last point where the conversion from derived to base happened.
20
//
21
//===----------------------------------------------------------------------===//
22
23
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
24
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
25
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
26
#include "clang/StaticAnalyzer/Core/Checker.h"
27
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
28
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
29
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
30
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
31
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
32
33
using namespace clang;
34
using namespace ento;
35
36
namespace {
37
class DeleteWithNonVirtualDtorChecker
38
    : public Checker<check::PreStmt<CXXDeleteExpr>> {
39
  mutable std::unique_ptr<BugType> BT;
40
41
  class DeleteBugVisitor : public BugReporterVisitor {
42
  public:
43
13
    DeleteBugVisitor() : Satisfied(false) {}
44
13
    void Profile(llvm::FoldingSetNodeID &ID) const override {
45
13
      static int X = 0;
46
13
      ID.AddPointer(&X);
47
13
    }
48
    std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
49
                                                   BugReporterContext &BRC,
50
                                                   BugReport &BR) override;
51
52
  private:
53
    bool Satisfied;
54
  };
55
56
public:
57
  void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
58
};
59
} // end anonymous namespace
60
61
void DeleteWithNonVirtualDtorChecker::checkPreStmt(const CXXDeleteExpr *DE,
62
23
                                                   CheckerContext &C) const {
63
23
  const Expr *DeletedObj = DE->getArgument();
64
23
  const MemRegion *MR = C.getSVal(DeletedObj).getAsRegion();
65
23
  if (!MR)
66
0
    return;
67
23
68
23
  const auto *BaseClassRegion = MR->getAs<TypedValueRegion>();
69
23
  const auto *DerivedClassRegion = MR->getBaseRegion()->getAs<SymbolicRegion>();
70
23
  if (!BaseClassRegion || 
!DerivedClassRegion19
)
71
5
    return;
72
18
73
18
  const auto *BaseClass = BaseClassRegion->getValueType()->getAsCXXRecordDecl();
74
18
  const auto *DerivedClass =
75
18
      DerivedClassRegion->getSymbol()->getType()->getPointeeCXXRecordDecl();
76
18
  if (!BaseClass || !DerivedClass)
77
0
    return;
78
18
79
18
  if (!BaseClass->hasDefinition() || !DerivedClass->hasDefinition())
80
0
    return;
81
18
82
18
  if (BaseClass->getDestructor()->isVirtual())
83
2
    return;
84
16
85
16
  if (!DerivedClass->isDerivedFrom(BaseClass))
86
3
    return;
87
13
88
13
  if (!BT)
89
1
    BT.reset(new BugType(this,
90
1
                         "Destruction of a polymorphic object with no "
91
1
                         "virtual destructor",
92
1
                         "Logic error"));
93
13
94
13
  ExplodedNode *N = C.generateNonFatalErrorNode();
95
13
  auto R = llvm::make_unique<BugReport>(*BT, BT->getName(), N);
96
13
97
13
  // Mark region of problematic base class for later use in the BugVisitor.
98
13
  R->markInteresting(BaseClassRegion);
99
13
  R->addVisitor(llvm::make_unique<DeleteBugVisitor>());
100
13
  C.emitReport(std::move(R));
101
13
}
102
103
std::shared_ptr<PathDiagnosticPiece>
104
DeleteWithNonVirtualDtorChecker::DeleteBugVisitor::VisitNode(
105
    const ExplodedNode *N, BugReporterContext &BRC,
106
492
    BugReport &BR) {
107
492
  // Stop traversal after the first conversion was found on a path.
108
492
  if (Satisfied)
109
293
    return nullptr;
110
199
111
199
  const Stmt *S = PathDiagnosticLocation::getStmt(N);
112
199
  if (!S)
113
44
    return nullptr;
114
155
115
155
  const auto *CastE = dyn_cast<CastExpr>(S);
116
155
  if (!CastE)
117
111
    return nullptr;
118
44
119
44
  // Only interested in DerivedToBase implicit casts.
120
44
  // Explicit casts can have different CastKinds.
121
44
  if (const auto *ImplCastE = dyn_cast<ImplicitCastExpr>(CastE)) {
122
40
    if (ImplCastE->getCastKind() != CK_DerivedToBase)
123
31
      return nullptr;
124
13
  }
125
13
126
13
  // Region associated with the current cast expression.
127
13
  const MemRegion *M = N->getSVal(CastE).getAsRegion();
128
13
  if (!M)
129
0
    return nullptr;
130
13
131
13
  // Check if target region was marked as problematic previously.
132
13
  if (!BR.isInteresting(M))
133
0
    return nullptr;
134
13
135
13
  // Stop traversal on this path.
136
13
  Satisfied = true;
137
13
138
13
  SmallString<256> Buf;
139
13
  llvm::raw_svector_ostream OS(Buf);
140
13
  OS << "Conversion from derived to base happened here";
141
13
  PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
142
13
                             N->getLocationContext());
143
13
  return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(), true,
144
13
                                                    nullptr);
145
13
}
146
147
2
void ento::registerDeleteWithNonVirtualDtorChecker(CheckerManager &mgr) {
148
2
  mgr.registerChecker<DeleteWithNonVirtualDtorChecker>();
149
2
}
150
151
bool ento::shouldRegisterDeleteWithNonVirtualDtorChecker(
152
2
                                                        const LangOptions &LO) {
153
2
  return true;
154
2
}