/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/lib/StaticAnalyzer/Checkers/ReturnUndefChecker.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | //== ReturnUndefChecker.cpp -------------------------------------*- C++ -*--==// |
2 | | // |
3 | | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
4 | | // See https://llvm.org/LICENSE.txt for license information. |
5 | | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
6 | | // |
7 | | //===----------------------------------------------------------------------===// |
8 | | // |
9 | | // This file defines ReturnUndefChecker, which is a path-sensitive |
10 | | // check which looks for undefined or garbage values being returned to the |
11 | | // caller. |
12 | | // |
13 | | //===----------------------------------------------------------------------===// |
14 | | |
15 | | #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" |
16 | | #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" |
17 | | #include "clang/StaticAnalyzer/Core/Checker.h" |
18 | | #include "clang/StaticAnalyzer/Core/CheckerManager.h" |
19 | | #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" |
20 | | #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" |
21 | | |
22 | | using namespace clang; |
23 | | using namespace ento; |
24 | | |
25 | | namespace { |
26 | | class ReturnUndefChecker : public Checker< check::PreStmt<ReturnStmt> > { |
27 | | mutable std::unique_ptr<BugType> BT_Undef; |
28 | | mutable std::unique_ptr<BugType> BT_NullReference; |
29 | | |
30 | | void emitUndef(CheckerContext &C, const Expr *RetE) const; |
31 | | void checkReference(CheckerContext &C, const Expr *RetE, |
32 | | DefinedOrUnknownSVal RetVal) const; |
33 | | public: |
34 | | void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const; |
35 | | }; |
36 | | } |
37 | | |
38 | | void ReturnUndefChecker::checkPreStmt(const ReturnStmt *RS, |
39 | 23.4k | CheckerContext &C) const { |
40 | 23.4k | const Expr *RetE = RS->getRetValue(); |
41 | 23.4k | if (!RetE) |
42 | 3.06k | return; |
43 | 20.3k | SVal RetVal = C.getSVal(RetE); |
44 | | |
45 | 20.3k | const StackFrameContext *SFC = C.getStackFrame(); |
46 | 20.3k | QualType RT = CallEvent::getDeclaredResultType(SFC->getDecl()); |
47 | | |
48 | 20.3k | if (RetVal.isUndef()) { |
49 | | // "return;" is modeled to evaluate to an UndefinedVal. Allow UndefinedVal |
50 | | // to be returned in functions returning void to support this pattern: |
51 | | // void foo() { |
52 | | // return; |
53 | | // } |
54 | | // void test() { |
55 | | // return foo(); |
56 | | // } |
57 | 55 | if (!RT.isNull() && RT->isVoidType()54 ) |
58 | 2 | return; |
59 | | |
60 | | // Not all blocks have explicitly-specified return types; if the return type |
61 | | // is not available, but the return value expression has 'void' type, assume |
62 | | // Sema already checked it. |
63 | 53 | if (RT.isNull() && isa<BlockDecl>(SFC->getDecl())1 && |
64 | 53 | RetE->getType()->isVoidType()1 ) |
65 | 1 | return; |
66 | | |
67 | 52 | emitUndef(C, RetE); |
68 | 52 | return; |
69 | 53 | } |
70 | | |
71 | 20.3k | if (RT.isNull()) |
72 | 20 | return; |
73 | | |
74 | 20.2k | if (RT->isReferenceType()) { |
75 | 7.14k | checkReference(C, RetE, RetVal.castAs<DefinedOrUnknownSVal>()); |
76 | 7.14k | return; |
77 | 7.14k | } |
78 | 20.2k | } |
79 | | |
80 | | static void emitBug(CheckerContext &C, BugType &BT, StringRef Msg, |
81 | 57 | const Expr *RetE, const Expr *TrackingE = nullptr) { |
82 | 57 | ExplodedNode *N = C.generateErrorNode(); |
83 | 57 | if (!N) |
84 | 0 | return; |
85 | | |
86 | 57 | auto Report = std::make_unique<PathSensitiveBugReport>(BT, Msg, N); |
87 | | |
88 | 57 | Report->addRange(RetE->getSourceRange()); |
89 | 57 | bugreporter::trackExpressionValue(N, TrackingE ? TrackingE5 : RetE52 , *Report); |
90 | | |
91 | 57 | C.emitReport(std::move(Report)); |
92 | 57 | } |
93 | | |
94 | 52 | void ReturnUndefChecker::emitUndef(CheckerContext &C, const Expr *RetE) const { |
95 | 52 | if (!BT_Undef) |
96 | 16 | BT_Undef.reset(new BugType(this, "Garbage return value")); |
97 | 52 | emitBug(C, *BT_Undef, "Undefined or garbage value returned to caller", RetE); |
98 | 52 | } |
99 | | |
100 | | void ReturnUndefChecker::checkReference(CheckerContext &C, const Expr *RetE, |
101 | 7.14k | DefinedOrUnknownSVal RetVal) const { |
102 | 7.14k | ProgramStateRef StNonNull, StNull; |
103 | 7.14k | std::tie(StNonNull, StNull) = C.getState()->assume(RetVal); |
104 | | |
105 | 7.14k | if (StNonNull) { |
106 | | // Going forward, assume the location is non-null. |
107 | 7.14k | C.addTransition(StNonNull); |
108 | 7.14k | return; |
109 | 7.14k | } |
110 | | |
111 | | // The return value is known to be null. Emit a bug report. |
112 | 5 | if (!BT_NullReference) |
113 | 5 | BT_NullReference.reset(new BugType(this, "Returning null reference")); |
114 | | |
115 | 5 | emitBug(C, *BT_NullReference, BT_NullReference->getDescription(), RetE, |
116 | 5 | bugreporter::getDerefExpr(RetE)); |
117 | 5 | } |
118 | | |
119 | 1.27k | void ento::registerReturnUndefChecker(CheckerManager &mgr) { |
120 | 1.27k | mgr.registerChecker<ReturnUndefChecker>(); |
121 | 1.27k | } |
122 | | |
123 | 2.55k | bool ento::shouldRegisterReturnUndefChecker(const CheckerManager &mgr) { |
124 | 2.55k | return true; |
125 | 2.55k | } |