Add undefined array subscript checker.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86837 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/include/clang/Analysis/PathSensitive/CheckerVisitor.def b/include/clang/Analysis/PathSensitive/CheckerVisitor.def
index e533d9e1e5b6977cfca7a52a3ae2daee9b345b72..44c6f18f0d7613ef8f2f9d8ba7d444afa8e36cc4 100644 (file)
--- a/include/clang/Analysis/PathSensitive/CheckerVisitor.def
+++ b/include/clang/Analysis/PathSensitive/CheckerVisitor.def
@@ -11,6 +11,7 @@
 //
 //===---------------------------------------------------------------------===//
 
+PREVISIT(ArraySubscriptExpr)
 PREVISIT(BinaryOperator)
 PREVISIT(CallExpr)
 PREVISIT(CastExpr)

diff --git a/lib/Analysis/CMakeLists.txt b/lib/Analysis/CMakeLists.txt
index 82ef9842be46bb33936fff3753840300fc7caa79..eb83ad56bf3e7e63ec1289b4e453a09b8c40ca67 100644 (file)
--- a/lib/Analysis/CMakeLists.txt
+++ b/lib/Analysis/CMakeLists.txt
@@ -52,6 +52,7 @@ add_clang_library(clangAnalysis
   Store.cpp
   SymbolManager.cpp
   UndefinedArgChecker.cpp
+  UndefinedArraySubscriptChecker.cpp
   UndefinedAssignmentChecker.cpp
   UninitializedValues.cpp
   VLASizeChecker.cpp

diff --git a/lib/Analysis/GRExprEngine.cpp b/lib/Analysis/GRExprEngine.cpp
index 40283a1925e2fe170cc0278fe339ff6af5d75c9a..7f1e4c0694483ae190367dd8a5a674ab2320c54f 100644 (file)
--- a/lib/Analysis/GRExprEngine.cpp
+++ b/lib/Analysis/GRExprEngine.cpp
@@ -1080,7 +1080,10 @@ void GRExprEngine::VisitArraySubscriptExpr(ArraySubscriptExpr* A,
     ExplodedNodeSet Tmp2;
     Visit(Idx, *I1, Tmp2);     // Evaluate the index.
 
-    for (ExplodedNodeSet::iterator I2=Tmp2.begin(),E2=Tmp2.end();I2!=E2; ++I2) {
+    ExplodedNodeSet Tmp3;
+    CheckerVisit(A, Tmp3, Tmp2, true);
+
+    for (ExplodedNodeSet::iterator I2=Tmp3.begin(),E2=Tmp3.end();I2!=E2; ++I2) {
       const GRState* state = GetState(*I2);
       SVal V = state->getLValue(A->getType(), state->getSVal(Idx),
                                 state->getSVal(Base));

diff --git a/lib/Analysis/GRExprEngineInternalChecks.cpp b/lib/Analysis/GRExprEngineInternalChecks.cpp
index ea508a05f751d9794c3b3a5fde240aeadb2ada3b..984526c908ae6da85ffe713ec41eb0a37bfb7806 100644 (file)
--- a/lib/Analysis/GRExprEngineInternalChecks.cpp
+++ b/lib/Analysis/GRExprEngineInternalChecks.cpp
@@ -415,4 +415,5 @@ void GRExprEngine::RegisterInternalChecks() {
 
   RegisterCastToStructChecker(*this);
   RegisterArrayBoundChecker(*this);
+  RegisterUndefinedArraySubscriptChecker(*this);
 }

diff --git a/lib/Analysis/GRExprEngineInternalChecks.h b/lib/Analysis/GRExprEngineInternalChecks.h
index a0687fd10bbe51434897de2d89f1e910f2614660..a9077bf75715bf3c5af24de0df0ff27169b72fbe 100644 (file)
--- a/lib/Analysis/GRExprEngineInternalChecks.h
+++ b/lib/Analysis/GRExprEngineInternalChecks.h
@@ -33,6 +33,7 @@ void RegisterFixedAddressChecker(GRExprEngine &Eng);
 void RegisterCastToStructChecker(GRExprEngine &Eng);
 void RegisterUndefinedArgChecker(GRExprEngine &Eng);
 void RegisterArrayBoundChecker(GRExprEngine &Eng);
+void RegisterUndefinedArraySubscriptChecker(GRExprEngine &Eng);
 
 } // end clang namespace
 #endif

diff --git a/lib/Analysis/UndefinedArraySubscriptChecker.cpp b/lib/Analysis/UndefinedArraySubscriptChecker.cpp
new file mode 100644 (file)
index 0000000..47d615d
--- /dev/null
+++ b/lib/Analysis/UndefinedArraySubscriptChecker.cpp
@@ -0,0 +1,57 @@
+//===--- UndefinedArraySubscriptChecker.h ----------------------*- C++ -*--===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This defines UndefinedArraySubscriptChecker, a builtin check in GRExprEngine
+// that performs checks for undefined array subscripts.
+//
+//===----------------------------------------------------------------------===//
+
+#include "clang/Analysis/PathSensitive/CheckerVisitor.h"
+#include "clang/Analysis/PathSensitive/BugReporter.h"
+#include "GRExprEngineInternalChecks.h"
+
+using namespace clang;
+
+namespace {
+class VISIBILITY_HIDDEN UndefinedArraySubscriptChecker
+  : public CheckerVisitor<UndefinedArraySubscriptChecker> {
+  BugType *BT;
+public:
+  UndefinedArraySubscriptChecker() : BT(0) {}
+  static void *getTag() {
+    static int x = 0;
+    return &x;
+  }
+  void PreVisitArraySubscriptExpr(CheckerContext &C, 
+                                  const ArraySubscriptExpr *A);
+};
+} // end anonymous namespace
+
+void clang::RegisterUndefinedArraySubscriptChecker(GRExprEngine &Eng) {
+  Eng.registerCheck(new UndefinedArraySubscriptChecker());
+}
+
+void 
+UndefinedArraySubscriptChecker::PreVisitArraySubscriptExpr(CheckerContext &C, 
+                                                const ArraySubscriptExpr *A) {
+  if (C.getState()->getSVal(A->getIdx()).isUndef()) {
+    if (ExplodedNode *N = C.GenerateNode(A, true)) {
+      if (!BT)
+        BT = new BuiltinBug("Array subscript is undefined");
+
+      // Generate a report for this bug.
+      EnhancedBugReport *R = new EnhancedBugReport(*BT, BT->getName().c_str(),
+                                                   N);
+      R->addRange(A->getIdx()->getSourceRange());
+      R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, 
+                           A->getIdx());
+      C.EmitReport(R);
+    }
+  }
+}

diff --git a/test/Analysis/misc-ps.m b/test/Analysis/misc-ps.m
index b3b4e9ab7aba3763d7f2ef2d9850070d2bba24b1..de53d41e7855fa0649fc2d8d175aa1cfab20b904 100644 (file)
--- a/test/Analysis/misc-ps.m
+++ b/test/Analysis/misc-ps.m
@@ -745,3 +745,7 @@ NSSwappedFloat test_cast_nonstruct_to_union(float x) {
   return ((union bran *)&x)->sf; // no-warning
 }
 
+void test_undefined_array_subscript() {
+  int i, a[10];
+  int *p = &a[i]; // expected-warning{{Array subscript is undefined}}
+}