delete [] ArgNums;
}
- bool isNonNull(unsigned arg) {
+ bool isNonNull(unsigned arg) const {
return ArgNums ? std::binary_search(ArgNums, ArgNums+Size, arg) : true;
}
};
};
class SimpleBugType : public BugTypeCacheLocation {
- const char* name;
+ const char* name;
+ const char* desc;
public:
- SimpleBugType(const char* n) : name(n) {}
+ SimpleBugType(const char* n) : name(n), desc(n) {}
+ SimpleBugType(const char* n, const char* d) : name(n), desc(d) {}
virtual const char* getName() const { return name; }
- virtual const char* getDescription() const { return name; }
+ virtual const char* getDescription() const { return desc; }
};
} // end clang namespace
template <typename STATE>
class GRAuditor {
public:
- typedef ExplodedNode<STATE> NodeTy;
+ typedef ExplodedNode<STATE> NodeTy;
+ typedef typename STATE::ManagerTy ManagerTy;
virtual ~GRAuditor() {}
- virtual bool Audit(NodeTy* N) = 0;
+ virtual bool Audit(NodeTy* N, ManagerTy& M) = 0;
};
template<typename STATE>
class GRStmtNodeBuilder {
public:
- typedef STATE StateTy;
- typedef ExplodedNode<StateTy> NodeTy;
+ typedef STATE StateTy;
+ typedef typename StateTy::ManagerTy StateManagerTy;
+ typedef ExplodedNode<StateTy> NodeTy;
private:
GRStmtNodeBuilderImpl& NB;
+ StateManagerTy& Mgr;
const StateTy* CleanedState;
GRAuditor<StateTy>* Auditor;
public:
- GRStmtNodeBuilder(GRStmtNodeBuilderImpl& nb) : NB(nb),
- Auditor(0), PurgingDeadSymbols(false),
+ GRStmtNodeBuilder(GRStmtNodeBuilderImpl& nb, StateManagerTy& mgr) :
+ NB(nb), Mgr(mgr), Auditor(0), PurgingDeadSymbols(false),
BuildSinks(false), HasGeneratedNode(false) {
CleanedState = getLastNode()->getState();
if (BuildSinks)
N->markAsSink();
else {
- if (Auditor && Auditor->Audit(N))
+ if (Auditor && Auditor->Audit(N, Mgr))
N->markAsSink();
Dst.Add(N);
public:
typedef SUBENGINE SubEngineTy;
typedef typename SubEngineTy::StateTy StateTy;
+ typedef typename StateTy::ManagerTy StateManagerTy;
typedef ExplodedGraph<StateTy> GraphTy;
typedef typename GraphTy::NodeTy NodeTy;
}
virtual void ProcessStmt(Stmt* S, GRStmtNodeBuilderImpl& BuilderImpl) {
- GRStmtNodeBuilder<StateTy> Builder(BuilderImpl);
+ GRStmtNodeBuilder<StateTy> Builder(BuilderImpl,SubEngine.getStateManager());
SubEngine.ProcessStmt(S, Builder);
}
#define LLVM_CLANG_ANALYSIS_GRAPICHECKS
#include "clang/Analysis/PathSensitive/GRAuditor.h"
+#include "clang/Analysis/PathSensitive/ValueState.h"
namespace clang {
-class ValueState;
class Diagnostic;
class BugReporter;
class ASTContext;
typedef llvm::ImmutableMap<SymbolID,IntSetTy> ConstNotEqTy;
typedef llvm::ImmutableMap<SymbolID,const llvm::APSInt*> ConstEqTy;
+ typedef ValueStateManager ManagerTy;
+
private:
void operator=(const ValueState& R) const;
// Queries.
bool isNotEqual(SymbolID sym, const llvm::APSInt& V) const;
+ bool isEqual(SymbolID sym, const llvm::APSInt& V) const;
+
const llvm::APSInt* getSymVal(SymbolID sym) const;
RVal LookupExpr(Expr* E) const {
const ValueState* AddNE(const ValueState* St, SymbolID sym,
const llvm::APSInt& V);
+
+ bool isEqual(const ValueState* state, Expr* Ex, const llvm::APSInt& V);
+ bool isEqual(const ValueState* state, Expr* Ex, uint64_t);
+
// Assumption logic.
const ValueState* Assume(const ValueState* St, RVal Cond, bool Assumption,
bool& isFeasible) {
delete *I;
}
- virtual bool Audit(ExplodedNode<ValueState>* N);
+ virtual bool Audit(ExplodedNode<ValueState>* N, ValueStateManager&);
virtual void EmitWarnings(BugReporter& BR);
-bool BasicObjCFoundationChecks::Audit(ExplodedNode<ValueState>* N) {
+bool BasicObjCFoundationChecks::Audit(ExplodedNode<ValueState>* N,
+ ValueStateManager&) {
ObjCMessageExpr* ME =
cast<ObjCMessageExpr>(cast<PostStmt>(N->getLocation()).getStmt());
virtual ~AuditCFNumberCreate() {}
- virtual bool Audit(ExplodedNode<ValueState>* N);
+ virtual bool Audit(ExplodedNode<ValueState>* N, ValueStateManager&);
virtual void EmitWarnings(BugReporter& BR) {
Desc.EmitWarnings(BR);
}
#endif
-bool AuditCFNumberCreate::Audit(ExplodedNode<ValueState>* N) {
+bool AuditCFNumberCreate::Audit(ExplodedNode<ValueState>* N,ValueStateManager&){
CallExpr* CE = cast<CallExpr>(cast<PostStmt>(N->getLocation()).getStmt());
Expr* Callee = CE->getCallee();
RVal CallV = GetRVal(N->getState(), Callee);
}
}
- virtual bool Audit(NodeTy* N) {
+ virtual bool Audit(NodeTy* N, ValueStateManager& VMgr) {
Stmt* S = cast<PostStmt>(N->getLocation()).getStmt();
void* key = reinterpret_cast<void*>((uintptr_t) S->getStmtClass());
MapTy::iterator MI = M.find(key);
bool isSink = false;
for (Checks::iterator I=MI->second.begin(), E=MI->second.end(); I!=E; ++I)
- isSink |= (*I)->Audit(N);
+ isSink |= (*I)->Audit(N, VMgr);
return isSink;
}
}
}
+//===----------------------------------------------------------------------===//
+// __attribute__(nonnull) checking
+
+class VISIBILITY_HIDDEN CheckAttrNonNull : public GRSimpleAPICheck {
+ SimpleBugType BT;
+ std::list<RangedBugReport> Reports;
+
+public:
+ CheckAttrNonNull() :
+ BT("'nonnull' argument passed null",
+ "Null pointer passed as an argument to a 'nonnull' parameter") {}
+
+
+ virtual bool Audit(ExplodedNode<ValueState>* N, ValueStateManager& VMgr) {
+ CallExpr* CE = cast<CallExpr>(cast<PostStmt>(N->getLocation()).getStmt());
+ const ValueState* state = N->getState();
+
+ RVal X = VMgr.GetRVal(state, CE->getCallee());
+
+ if (!isa<lval::FuncVal>(X))
+ return false;
+
+ FunctionDecl* FD = dyn_cast<FunctionDecl>(cast<lval::FuncVal>(X).getDecl());
+ const NonNullAttr* Att = FD->getAttr<NonNullAttr>();
+
+ if (!Att)
+ return false;
+
+ // Iterate through the arguments of CE and check them for null.
+
+ unsigned idx = 0;
+ bool hasError = false;
+
+ for (CallExpr::arg_iterator I=CE->arg_begin(), E=CE->arg_end(); I!=E;
+ ++I, ++idx) {
+
+ if (!VMgr.isEqual(state, *I, 0) || !Att->isNonNull(idx))
+ continue;
+
+ RangedBugReport R(BT, N);
+ R.addRange((*I)->getSourceRange());
+ Reports.push_back(R);
+ hasError = true;
+ }
+
+ return hasError;
+ }
+
+ virtual void EmitWarnings(BugReporter& BR) {
+ for (std::list<RangedBugReport>::iterator I=Reports.begin(),
+ E=Reports.end(); I!=E; ++I)
+ BR.EmitWarning(*I);
+ }
+};
+
+//===----------------------------------------------------------------------===//
+// Check registration.
void GRSimpleVals::RegisterChecks(GRExprEngine& Eng) {
Check = CreateAuditCFNumberCreate(Ctx, VMgr);
Eng.AddCheck(Check, Stmt::CallExprClass);
+ Eng.AddCheck(new CheckAttrNonNull(), Stmt::CallExprClass);
}
//===----------------------------------------------------------------------===//
return T ? T->contains(&V) : false;
}
+bool ValueState::isEqual(SymbolID sym, const llvm::APSInt& V) const {
+
+ // Retrieve the EQ-set associated with the given symbol.
+ const ConstEqTy::data_type* T = ConstEq.lookup(sym);
+
+ // See if V is present in the EQ-set.
+ return T ? **T == V : false;
+}
+
const llvm::APSInt* ValueState::getSymVal(SymbolID sym) const {
ConstEqTy::data_type* T = ConstEq.lookup(sym);
return T ? *T : NULL;
P->PrintCheckerState(Out, CheckerState, nl, sep);
}
+
+//===----------------------------------------------------------------------===//
+// Queries.
+//===----------------------------------------------------------------------===//
+
+bool ValueStateManager::isEqual(const ValueState* state, Expr* Ex,
+ const llvm::APSInt& Y) {
+ RVal V = GetRVal(state, Ex);
+
+ if (lval::ConcreteInt* X = dyn_cast<lval::ConcreteInt>(&V))
+ return X->getValue() == Y;
+
+ if (nonlval::ConcreteInt* X = dyn_cast<nonlval::ConcreteInt>(&V))
+ return X->getValue() == Y;
+
+ if (nonlval::SymbolVal* X = dyn_cast<nonlval::SymbolVal>(&V))
+ return state->isEqual(X->getSymbol(), Y);
+
+ if (lval::SymbolVal* X = dyn_cast<lval::SymbolVal>(&V))
+ return state->isEqual(X->getSymbol(), Y);
+
+ return false;
+}
+
+bool ValueStateManager::isEqual(const ValueState* state, Expr* Ex,
+ uint64_t x) {
+ return isEqual(state, Ex, BasicVals.getValue(x, Ex->getType()));
+}
+
//===----------------------------------------------------------------------===//
// "Assume" logic.
//===----------------------------------------------------------------------===//
return s[0]; // no-warning
}
+int bar(int* p) __attribute__((nonnull));
+
+int f6(int *p) {
+ return !p ? bar(p) : *p; // expected-warning {{Null pointer passed as an argument to a 'nonnull' parameter}}
+}
+
+
projects / clang / commitdiff