10b57cec5SDimitry Andric //===--- CallAndMessageChecker.cpp ------------------------------*- C++ -*--==//
20b57cec5SDimitry Andric //
30b57cec5SDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
40b57cec5SDimitry Andric // See https://llvm.org/LICENSE.txt for license information.
50b57cec5SDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
60b57cec5SDimitry Andric //
70b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
80b57cec5SDimitry Andric //
90b57cec5SDimitry Andric // This defines CallAndMessageChecker, a builtin checker that checks for various
100b57cec5SDimitry Andric // errors of call and objc message expressions.
110b57cec5SDimitry Andric //
120b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
130b57cec5SDimitry Andric
145ffd83dbSDimitry Andric #include "clang/AST/ExprCXX.h"
150b57cec5SDimitry Andric #include "clang/AST/ParentMap.h"
160b57cec5SDimitry Andric #include "clang/Basic/TargetInfo.h"
175ffd83dbSDimitry Andric #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
180b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
190b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h"
200b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/CheckerManager.h"
210b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
220b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
230b57cec5SDimitry Andric #include "llvm/ADT/SmallString.h"
240b57cec5SDimitry Andric #include "llvm/ADT/StringExtras.h"
255ffd83dbSDimitry Andric #include "llvm/Support/Casting.h"
260b57cec5SDimitry Andric #include "llvm/Support/raw_ostream.h"
270b57cec5SDimitry Andric
280b57cec5SDimitry Andric using namespace clang;
290b57cec5SDimitry Andric using namespace ento;
300b57cec5SDimitry Andric
310b57cec5SDimitry Andric namespace {
320b57cec5SDimitry Andric
330b57cec5SDimitry Andric class CallAndMessageChecker
345ffd83dbSDimitry Andric : public Checker<check::PreObjCMessage, check::ObjCMessageNil,
350b57cec5SDimitry Andric check::PreCall> {
360b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_call_null;
370b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_call_undef;
380b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_cxx_call_null;
390b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_cxx_call_undef;
400b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_call_arg;
410b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_cxx_delete_undef;
420b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_msg_undef;
430b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_objc_prop_undef;
440b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_objc_subscript_undef;
450b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_msg_arg;
460b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_msg_ret;
470b57cec5SDimitry Andric mutable std::unique_ptr<BugType> BT_call_few_args;
480b57cec5SDimitry Andric
490b57cec5SDimitry Andric public:
505ffd83dbSDimitry Andric // These correspond with the checker options. Looking at other checkers such
515ffd83dbSDimitry Andric // as MallocChecker and CStringChecker, this is similar as to how they pull
525ffd83dbSDimitry Andric // off having a modeling class, but emitting diagnostics under a smaller
535ffd83dbSDimitry Andric // checker's name that can be safely disabled without disturbing the
545ffd83dbSDimitry Andric // underlaying modeling engine.
555ffd83dbSDimitry Andric // The reason behind having *checker options* rather then actual *checkers*
565ffd83dbSDimitry Andric // here is that CallAndMessage is among the oldest checkers out there, and can
575ffd83dbSDimitry Andric // be responsible for the majority of the reports on any given project. This
585ffd83dbSDimitry Andric // is obviously not ideal, but changing checker name has the consequence of
595ffd83dbSDimitry Andric // changing the issue hashes associated with the reports, and databases
605ffd83dbSDimitry Andric // relying on this (CodeChecker, for instance) would suffer greatly.
615ffd83dbSDimitry Andric // If we ever end up making changes to the issue hash generation algorithm, or
625ffd83dbSDimitry Andric // the warning messages here, we should totally jump on the opportunity to
635ffd83dbSDimitry Andric // convert these to actual checkers.
645ffd83dbSDimitry Andric enum CheckKind {
655ffd83dbSDimitry Andric CK_FunctionPointer,
665ffd83dbSDimitry Andric CK_ParameterCount,
675ffd83dbSDimitry Andric CK_CXXThisMethodCall,
685ffd83dbSDimitry Andric CK_CXXDeallocationArg,
695ffd83dbSDimitry Andric CK_ArgInitializedness,
705ffd83dbSDimitry Andric CK_ArgPointeeInitializedness,
715ffd83dbSDimitry Andric CK_NilReceiver,
725ffd83dbSDimitry Andric CK_UndefReceiver,
735ffd83dbSDimitry Andric CK_NumCheckKinds
745ffd83dbSDimitry Andric };
750b57cec5SDimitry Andric
7681ad6265SDimitry Andric bool ChecksEnabled[CK_NumCheckKinds] = {false};
775ffd83dbSDimitry Andric // The original core.CallAndMessage checker name. This should rather be an
785ffd83dbSDimitry Andric // array, as seen in MallocChecker and CStringChecker.
795ffd83dbSDimitry Andric CheckerNameRef OriginalName;
805ffd83dbSDimitry Andric
810b57cec5SDimitry Andric void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
820b57cec5SDimitry Andric
830b57cec5SDimitry Andric /// Fill in the return value that results from messaging nil based on the
840b57cec5SDimitry Andric /// return type and architecture and diagnose if the return value will be
850b57cec5SDimitry Andric /// garbage.
860b57cec5SDimitry Andric void checkObjCMessageNil(const ObjCMethodCall &msg, CheckerContext &C) const;
870b57cec5SDimitry Andric
880b57cec5SDimitry Andric void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
890b57cec5SDimitry Andric
905ffd83dbSDimitry Andric ProgramStateRef checkFunctionPointerCall(const CallExpr *CE,
915ffd83dbSDimitry Andric CheckerContext &C,
925ffd83dbSDimitry Andric ProgramStateRef State) const;
935ffd83dbSDimitry Andric
945ffd83dbSDimitry Andric ProgramStateRef checkCXXMethodCall(const CXXInstanceCall *CC,
955ffd83dbSDimitry Andric CheckerContext &C,
965ffd83dbSDimitry Andric ProgramStateRef State) const;
975ffd83dbSDimitry Andric
985ffd83dbSDimitry Andric ProgramStateRef checkParameterCount(const CallEvent &Call, CheckerContext &C,
995ffd83dbSDimitry Andric ProgramStateRef State) const;
1005ffd83dbSDimitry Andric
1015ffd83dbSDimitry Andric ProgramStateRef checkCXXDeallocation(const CXXDeallocatorCall *DC,
1025ffd83dbSDimitry Andric CheckerContext &C,
1035ffd83dbSDimitry Andric ProgramStateRef State) const;
1045ffd83dbSDimitry Andric
1055ffd83dbSDimitry Andric ProgramStateRef checkArgInitializedness(const CallEvent &Call,
1065ffd83dbSDimitry Andric CheckerContext &C,
1075ffd83dbSDimitry Andric ProgramStateRef State) const;
1085ffd83dbSDimitry Andric
1090b57cec5SDimitry Andric private:
1100b57cec5SDimitry Andric bool PreVisitProcessArg(CheckerContext &C, SVal V, SourceRange ArgRange,
1110b57cec5SDimitry Andric const Expr *ArgEx, int ArgumentNumber,
1120b57cec5SDimitry Andric bool CheckUninitFields, const CallEvent &Call,
1130b57cec5SDimitry Andric std::unique_ptr<BugType> &BT,
1140b57cec5SDimitry Andric const ParmVarDecl *ParamDecl) const;
1150b57cec5SDimitry Andric
1160b57cec5SDimitry Andric static void emitBadCall(BugType *BT, CheckerContext &C, const Expr *BadE);
1170b57cec5SDimitry Andric void emitNilReceiverBug(CheckerContext &C, const ObjCMethodCall &msg,
1180b57cec5SDimitry Andric ExplodedNode *N) const;
1190b57cec5SDimitry Andric
1200b57cec5SDimitry Andric void HandleNilReceiver(CheckerContext &C,
1210b57cec5SDimitry Andric ProgramStateRef state,
1220b57cec5SDimitry Andric const ObjCMethodCall &msg) const;
1230b57cec5SDimitry Andric
LazyInit_BT(const char * desc,std::unique_ptr<BugType> & BT) const1240b57cec5SDimitry Andric void LazyInit_BT(const char *desc, std::unique_ptr<BugType> &BT) const {
1250b57cec5SDimitry Andric if (!BT)
1265f757f3fSDimitry Andric BT.reset(new BugType(OriginalName, desc));
1270b57cec5SDimitry Andric }
128*647cbc5dSDimitry Andric bool uninitRefOrPointer(CheckerContext &C, SVal V, SourceRange ArgRange,
129*647cbc5dSDimitry Andric const Expr *ArgEx, std::unique_ptr<BugType> &BT,
1300b57cec5SDimitry Andric const ParmVarDecl *ParamDecl, const char *BD,
1310b57cec5SDimitry Andric int ArgumentNumber) const;
1320b57cec5SDimitry Andric };
1330b57cec5SDimitry Andric } // end anonymous namespace
1340b57cec5SDimitry Andric
emitBadCall(BugType * BT,CheckerContext & C,const Expr * BadE)1350b57cec5SDimitry Andric void CallAndMessageChecker::emitBadCall(BugType *BT, CheckerContext &C,
1360b57cec5SDimitry Andric const Expr *BadE) {
1370b57cec5SDimitry Andric ExplodedNode *N = C.generateErrorNode();
1380b57cec5SDimitry Andric if (!N)
1390b57cec5SDimitry Andric return;
1400b57cec5SDimitry Andric
141a7dea167SDimitry Andric auto R = std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(), N);
1420b57cec5SDimitry Andric if (BadE) {
1430b57cec5SDimitry Andric R->addRange(BadE->getSourceRange());
1440b57cec5SDimitry Andric if (BadE->isGLValue())
1450b57cec5SDimitry Andric BadE = bugreporter::getDerefExpr(BadE);
1460b57cec5SDimitry Andric bugreporter::trackExpressionValue(N, BadE, *R);
1470b57cec5SDimitry Andric }
1480b57cec5SDimitry Andric C.emitReport(std::move(R));
1490b57cec5SDimitry Andric }
1500b57cec5SDimitry Andric
describeUninitializedArgumentInCall(const CallEvent & Call,int ArgumentNumber,llvm::raw_svector_ostream & Os)1510b57cec5SDimitry Andric static void describeUninitializedArgumentInCall(const CallEvent &Call,
1520b57cec5SDimitry Andric int ArgumentNumber,
1530b57cec5SDimitry Andric llvm::raw_svector_ostream &Os) {
1540b57cec5SDimitry Andric switch (Call.getKind()) {
1550b57cec5SDimitry Andric case CE_ObjCMessage: {
1560b57cec5SDimitry Andric const ObjCMethodCall &Msg = cast<ObjCMethodCall>(Call);
1570b57cec5SDimitry Andric switch (Msg.getMessageKind()) {
1580b57cec5SDimitry Andric case OCM_Message:
1590b57cec5SDimitry Andric Os << (ArgumentNumber + 1) << llvm::getOrdinalSuffix(ArgumentNumber + 1)
1600b57cec5SDimitry Andric << " argument in message expression is an uninitialized value";
1610b57cec5SDimitry Andric return;
1620b57cec5SDimitry Andric case OCM_PropertyAccess:
1630b57cec5SDimitry Andric assert(Msg.isSetter() && "Getters have no args");
1640b57cec5SDimitry Andric Os << "Argument for property setter is an uninitialized value";
1650b57cec5SDimitry Andric return;
1660b57cec5SDimitry Andric case OCM_Subscript:
1670b57cec5SDimitry Andric if (Msg.isSetter() && (ArgumentNumber == 0))
1680b57cec5SDimitry Andric Os << "Argument for subscript setter is an uninitialized value";
1690b57cec5SDimitry Andric else
1700b57cec5SDimitry Andric Os << "Subscript index is an uninitialized value";
1710b57cec5SDimitry Andric return;
1720b57cec5SDimitry Andric }
1730b57cec5SDimitry Andric llvm_unreachable("Unknown message kind.");
1740b57cec5SDimitry Andric }
1750b57cec5SDimitry Andric case CE_Block:
1760b57cec5SDimitry Andric Os << (ArgumentNumber + 1) << llvm::getOrdinalSuffix(ArgumentNumber + 1)
1770b57cec5SDimitry Andric << " block call argument is an uninitialized value";
1780b57cec5SDimitry Andric return;
1790b57cec5SDimitry Andric default:
1800b57cec5SDimitry Andric Os << (ArgumentNumber + 1) << llvm::getOrdinalSuffix(ArgumentNumber + 1)
1810b57cec5SDimitry Andric << " function call argument is an uninitialized value";
1820b57cec5SDimitry Andric return;
1830b57cec5SDimitry Andric }
1840b57cec5SDimitry Andric }
1850b57cec5SDimitry Andric
uninitRefOrPointer(CheckerContext & C,SVal V,SourceRange ArgRange,const Expr * ArgEx,std::unique_ptr<BugType> & BT,const ParmVarDecl * ParamDecl,const char * BD,int ArgumentNumber) const1860b57cec5SDimitry Andric bool CallAndMessageChecker::uninitRefOrPointer(
187*647cbc5dSDimitry Andric CheckerContext &C, SVal V, SourceRange ArgRange, const Expr *ArgEx,
1880b57cec5SDimitry Andric std::unique_ptr<BugType> &BT, const ParmVarDecl *ParamDecl, const char *BD,
1890b57cec5SDimitry Andric int ArgumentNumber) const {
1905ffd83dbSDimitry Andric
1915ffd83dbSDimitry Andric // The pointee being uninitialized is a sign of code smell, not a bug, no need
1925ffd83dbSDimitry Andric // to sink here.
1935ffd83dbSDimitry Andric if (!ChecksEnabled[CK_ArgPointeeInitializedness])
1940b57cec5SDimitry Andric return false;
1950b57cec5SDimitry Andric
1960b57cec5SDimitry Andric // No parameter declaration available, i.e. variadic function argument.
1970b57cec5SDimitry Andric if(!ParamDecl)
1980b57cec5SDimitry Andric return false;
1990b57cec5SDimitry Andric
2000b57cec5SDimitry Andric // If parameter is declared as pointer to const in function declaration,
2010b57cec5SDimitry Andric // then check if corresponding argument in function call is
2020b57cec5SDimitry Andric // pointing to undefined symbol value (uninitialized memory).
2030b57cec5SDimitry Andric SmallString<200> Buf;
2040b57cec5SDimitry Andric llvm::raw_svector_ostream Os(Buf);
2050b57cec5SDimitry Andric
2060b57cec5SDimitry Andric if (ParamDecl->getType()->isPointerType()) {
2070b57cec5SDimitry Andric Os << (ArgumentNumber + 1) << llvm::getOrdinalSuffix(ArgumentNumber + 1)
2080b57cec5SDimitry Andric << " function call argument is a pointer to uninitialized value";
2090b57cec5SDimitry Andric } else if (ParamDecl->getType()->isReferenceType()) {
2100b57cec5SDimitry Andric Os << (ArgumentNumber + 1) << llvm::getOrdinalSuffix(ArgumentNumber + 1)
2110b57cec5SDimitry Andric << " function call argument is an uninitialized value";
2120b57cec5SDimitry Andric } else
2130b57cec5SDimitry Andric return false;
2140b57cec5SDimitry Andric
2150b57cec5SDimitry Andric if(!ParamDecl->getType()->getPointeeType().isConstQualified())
2160b57cec5SDimitry Andric return false;
2170b57cec5SDimitry Andric
2180b57cec5SDimitry Andric if (const MemRegion *SValMemRegion = V.getAsRegion()) {
2190b57cec5SDimitry Andric const ProgramStateRef State = C.getState();
2200b57cec5SDimitry Andric const SVal PSV = State->getSVal(SValMemRegion, C.getASTContext().CharTy);
2210b57cec5SDimitry Andric if (PSV.isUndef()) {
2220b57cec5SDimitry Andric if (ExplodedNode *N = C.generateErrorNode()) {
2230b57cec5SDimitry Andric LazyInit_BT(BD, BT);
224a7dea167SDimitry Andric auto R = std::make_unique<PathSensitiveBugReport>(*BT, Os.str(), N);
2250b57cec5SDimitry Andric R->addRange(ArgRange);
2260b57cec5SDimitry Andric if (ArgEx)
2270b57cec5SDimitry Andric bugreporter::trackExpressionValue(N, ArgEx, *R);
2280b57cec5SDimitry Andric
2290b57cec5SDimitry Andric C.emitReport(std::move(R));
2300b57cec5SDimitry Andric }
2310b57cec5SDimitry Andric return true;
2320b57cec5SDimitry Andric }
2330b57cec5SDimitry Andric }
2340b57cec5SDimitry Andric return false;
2350b57cec5SDimitry Andric }
2360b57cec5SDimitry Andric
2370b57cec5SDimitry Andric namespace {
2380b57cec5SDimitry Andric class FindUninitializedField {
2390b57cec5SDimitry Andric public:
2400b57cec5SDimitry Andric SmallVector<const FieldDecl *, 10> FieldChain;
2410b57cec5SDimitry Andric
2420b57cec5SDimitry Andric private:
2430b57cec5SDimitry Andric StoreManager &StoreMgr;
2440b57cec5SDimitry Andric MemRegionManager &MrMgr;
2450b57cec5SDimitry Andric Store store;
2460b57cec5SDimitry Andric
2470b57cec5SDimitry Andric public:
FindUninitializedField(StoreManager & storeMgr,MemRegionManager & mrMgr,Store s)2480b57cec5SDimitry Andric FindUninitializedField(StoreManager &storeMgr, MemRegionManager &mrMgr,
2490b57cec5SDimitry Andric Store s)
2500b57cec5SDimitry Andric : StoreMgr(storeMgr), MrMgr(mrMgr), store(s) {}
2510b57cec5SDimitry Andric
Find(const TypedValueRegion * R)2520b57cec5SDimitry Andric bool Find(const TypedValueRegion *R) {
2530b57cec5SDimitry Andric QualType T = R->getValueType();
2540b57cec5SDimitry Andric if (const RecordType *RT = T->getAsStructureType()) {
2550b57cec5SDimitry Andric const RecordDecl *RD = RT->getDecl()->getDefinition();
2560b57cec5SDimitry Andric assert(RD && "Referred record has no definition");
2570b57cec5SDimitry Andric for (const auto *I : RD->fields()) {
2580b57cec5SDimitry Andric const FieldRegion *FR = MrMgr.getFieldRegion(I, R);
2590b57cec5SDimitry Andric FieldChain.push_back(I);
2600b57cec5SDimitry Andric T = I->getType();
2610b57cec5SDimitry Andric if (T->getAsStructureType()) {
2620b57cec5SDimitry Andric if (Find(FR))
2630b57cec5SDimitry Andric return true;
2640b57cec5SDimitry Andric } else {
265*647cbc5dSDimitry Andric SVal V = StoreMgr.getBinding(store, loc::MemRegionVal(FR));
2660b57cec5SDimitry Andric if (V.isUndef())
2670b57cec5SDimitry Andric return true;
2680b57cec5SDimitry Andric }
2690b57cec5SDimitry Andric FieldChain.pop_back();
2700b57cec5SDimitry Andric }
2710b57cec5SDimitry Andric }
2720b57cec5SDimitry Andric
2730b57cec5SDimitry Andric return false;
2740b57cec5SDimitry Andric }
2750b57cec5SDimitry Andric };
2760b57cec5SDimitry Andric } // namespace
2770b57cec5SDimitry Andric
PreVisitProcessArg(CheckerContext & C,SVal V,SourceRange ArgRange,const Expr * ArgEx,int ArgumentNumber,bool CheckUninitFields,const CallEvent & Call,std::unique_ptr<BugType> & BT,const ParmVarDecl * ParamDecl) const2780b57cec5SDimitry Andric bool CallAndMessageChecker::PreVisitProcessArg(CheckerContext &C,
2790b57cec5SDimitry Andric SVal V,
2800b57cec5SDimitry Andric SourceRange ArgRange,
2810b57cec5SDimitry Andric const Expr *ArgEx,
2820b57cec5SDimitry Andric int ArgumentNumber,
2830b57cec5SDimitry Andric bool CheckUninitFields,
2840b57cec5SDimitry Andric const CallEvent &Call,
2850b57cec5SDimitry Andric std::unique_ptr<BugType> &BT,
2860b57cec5SDimitry Andric const ParmVarDecl *ParamDecl
2870b57cec5SDimitry Andric ) const {
2880b57cec5SDimitry Andric const char *BD = "Uninitialized argument value";
2890b57cec5SDimitry Andric
2900b57cec5SDimitry Andric if (uninitRefOrPointer(C, V, ArgRange, ArgEx, BT, ParamDecl, BD,
2910b57cec5SDimitry Andric ArgumentNumber))
2920b57cec5SDimitry Andric return true;
2930b57cec5SDimitry Andric
2940b57cec5SDimitry Andric if (V.isUndef()) {
2955ffd83dbSDimitry Andric if (!ChecksEnabled[CK_ArgInitializedness]) {
2965ffd83dbSDimitry Andric C.addSink();
2975ffd83dbSDimitry Andric return true;
2985ffd83dbSDimitry Andric }
2990b57cec5SDimitry Andric if (ExplodedNode *N = C.generateErrorNode()) {
3000b57cec5SDimitry Andric LazyInit_BT(BD, BT);
3010b57cec5SDimitry Andric // Generate a report for this bug.
3020b57cec5SDimitry Andric SmallString<200> Buf;
3030b57cec5SDimitry Andric llvm::raw_svector_ostream Os(Buf);
3040b57cec5SDimitry Andric describeUninitializedArgumentInCall(Call, ArgumentNumber, Os);
305a7dea167SDimitry Andric auto R = std::make_unique<PathSensitiveBugReport>(*BT, Os.str(), N);
3060b57cec5SDimitry Andric
3070b57cec5SDimitry Andric R->addRange(ArgRange);
3080b57cec5SDimitry Andric if (ArgEx)
3090b57cec5SDimitry Andric bugreporter::trackExpressionValue(N, ArgEx, *R);
3100b57cec5SDimitry Andric C.emitReport(std::move(R));
3110b57cec5SDimitry Andric }
3120b57cec5SDimitry Andric return true;
3130b57cec5SDimitry Andric }
3140b57cec5SDimitry Andric
3150b57cec5SDimitry Andric if (!CheckUninitFields)
3160b57cec5SDimitry Andric return false;
3170b57cec5SDimitry Andric
3180b57cec5SDimitry Andric if (auto LV = V.getAs<nonloc::LazyCompoundVal>()) {
3190b57cec5SDimitry Andric const LazyCompoundValData *D = LV->getCVData();
3200b57cec5SDimitry Andric FindUninitializedField F(C.getState()->getStateManager().getStoreManager(),
3210b57cec5SDimitry Andric C.getSValBuilder().getRegionManager(),
3220b57cec5SDimitry Andric D->getStore());
3230b57cec5SDimitry Andric
3240b57cec5SDimitry Andric if (F.Find(D->getRegion())) {
3255ffd83dbSDimitry Andric if (!ChecksEnabled[CK_ArgInitializedness]) {
3265ffd83dbSDimitry Andric C.addSink();
3275ffd83dbSDimitry Andric return true;
3285ffd83dbSDimitry Andric }
3290b57cec5SDimitry Andric if (ExplodedNode *N = C.generateErrorNode()) {
3300b57cec5SDimitry Andric LazyInit_BT(BD, BT);
3310b57cec5SDimitry Andric SmallString<512> Str;
3320b57cec5SDimitry Andric llvm::raw_svector_ostream os(Str);
3330b57cec5SDimitry Andric os << "Passed-by-value struct argument contains uninitialized data";
3340b57cec5SDimitry Andric
3350b57cec5SDimitry Andric if (F.FieldChain.size() == 1)
3360b57cec5SDimitry Andric os << " (e.g., field: '" << *F.FieldChain[0] << "')";
3370b57cec5SDimitry Andric else {
3380b57cec5SDimitry Andric os << " (e.g., via the field chain: '";
3390b57cec5SDimitry Andric bool first = true;
3400b57cec5SDimitry Andric for (SmallVectorImpl<const FieldDecl *>::iterator
3410b57cec5SDimitry Andric DI = F.FieldChain.begin(), DE = F.FieldChain.end(); DI!=DE;++DI){
3420b57cec5SDimitry Andric if (first)
3430b57cec5SDimitry Andric first = false;
3440b57cec5SDimitry Andric else
3450b57cec5SDimitry Andric os << '.';
3460b57cec5SDimitry Andric os << **DI;
3470b57cec5SDimitry Andric }
3480b57cec5SDimitry Andric os << "')";
3490b57cec5SDimitry Andric }
3500b57cec5SDimitry Andric
3510b57cec5SDimitry Andric // Generate a report for this bug.
352a7dea167SDimitry Andric auto R = std::make_unique<PathSensitiveBugReport>(*BT, os.str(), N);
3530b57cec5SDimitry Andric R->addRange(ArgRange);
3540b57cec5SDimitry Andric
3550b57cec5SDimitry Andric if (ArgEx)
3560b57cec5SDimitry Andric bugreporter::trackExpressionValue(N, ArgEx, *R);
3570b57cec5SDimitry Andric // FIXME: enhance track back for uninitialized value for arbitrary
3580b57cec5SDimitry Andric // memregions
3590b57cec5SDimitry Andric C.emitReport(std::move(R));
3600b57cec5SDimitry Andric }
3610b57cec5SDimitry Andric return true;
3620b57cec5SDimitry Andric }
3630b57cec5SDimitry Andric }
3640b57cec5SDimitry Andric
3650b57cec5SDimitry Andric return false;
3660b57cec5SDimitry Andric }
3670b57cec5SDimitry Andric
checkFunctionPointerCall(const CallExpr * CE,CheckerContext & C,ProgramStateRef State) const3685ffd83dbSDimitry Andric ProgramStateRef CallAndMessageChecker::checkFunctionPointerCall(
3695ffd83dbSDimitry Andric const CallExpr *CE, CheckerContext &C, ProgramStateRef State) const {
3700b57cec5SDimitry Andric
3710b57cec5SDimitry Andric const Expr *Callee = CE->getCallee()->IgnoreParens();
3720b57cec5SDimitry Andric const LocationContext *LCtx = C.getLocationContext();
3730b57cec5SDimitry Andric SVal L = State->getSVal(Callee, LCtx);
3740b57cec5SDimitry Andric
3750b57cec5SDimitry Andric if (L.isUndef()) {
3765ffd83dbSDimitry Andric if (!ChecksEnabled[CK_FunctionPointer]) {
3775ffd83dbSDimitry Andric C.addSink(State);
3785ffd83dbSDimitry Andric return nullptr;
3795ffd83dbSDimitry Andric }
3800b57cec5SDimitry Andric if (!BT_call_undef)
3815f757f3fSDimitry Andric BT_call_undef.reset(new BugType(
3825ffd83dbSDimitry Andric OriginalName,
3835ffd83dbSDimitry Andric "Called function pointer is an uninitialized pointer value"));
3840b57cec5SDimitry Andric emitBadCall(BT_call_undef.get(), C, Callee);
3855ffd83dbSDimitry Andric return nullptr;
3860b57cec5SDimitry Andric }
3870b57cec5SDimitry Andric
3880b57cec5SDimitry Andric ProgramStateRef StNonNull, StNull;
3890b57cec5SDimitry Andric std::tie(StNonNull, StNull) = State->assume(L.castAs<DefinedOrUnknownSVal>());
3900b57cec5SDimitry Andric
3910b57cec5SDimitry Andric if (StNull && !StNonNull) {
3925ffd83dbSDimitry Andric if (!ChecksEnabled[CK_FunctionPointer]) {
3935ffd83dbSDimitry Andric C.addSink(StNull);
3945ffd83dbSDimitry Andric return nullptr;
3955ffd83dbSDimitry Andric }
3960b57cec5SDimitry Andric if (!BT_call_null)
3975f757f3fSDimitry Andric BT_call_null.reset(new BugType(
3985ffd83dbSDimitry Andric OriginalName, "Called function pointer is null (null dereference)"));
3990b57cec5SDimitry Andric emitBadCall(BT_call_null.get(), C, Callee);
4005ffd83dbSDimitry Andric return nullptr;
4010b57cec5SDimitry Andric }
4020b57cec5SDimitry Andric
4035ffd83dbSDimitry Andric return StNonNull;
4040b57cec5SDimitry Andric }
4050b57cec5SDimitry Andric
checkParameterCount(const CallEvent & Call,CheckerContext & C,ProgramStateRef State) const4065ffd83dbSDimitry Andric ProgramStateRef CallAndMessageChecker::checkParameterCount(
4075ffd83dbSDimitry Andric const CallEvent &Call, CheckerContext &C, ProgramStateRef State) const {
4080b57cec5SDimitry Andric
4095ffd83dbSDimitry Andric // If we have a function or block declaration, we can make sure we pass
4105ffd83dbSDimitry Andric // enough parameters.
4115ffd83dbSDimitry Andric unsigned Params = Call.parameters().size();
4125ffd83dbSDimitry Andric if (Call.getNumArgs() >= Params)
4135ffd83dbSDimitry Andric return State;
4145ffd83dbSDimitry Andric
4155ffd83dbSDimitry Andric if (!ChecksEnabled[CK_ParameterCount]) {
4165ffd83dbSDimitry Andric C.addSink(State);
4175ffd83dbSDimitry Andric return nullptr;
4185ffd83dbSDimitry Andric }
4195ffd83dbSDimitry Andric
4205ffd83dbSDimitry Andric ExplodedNode *N = C.generateErrorNode();
4215ffd83dbSDimitry Andric if (!N)
4225ffd83dbSDimitry Andric return nullptr;
4235ffd83dbSDimitry Andric
4245ffd83dbSDimitry Andric LazyInit_BT("Function call with too few arguments", BT_call_few_args);
4255ffd83dbSDimitry Andric
4265ffd83dbSDimitry Andric SmallString<512> Str;
4275ffd83dbSDimitry Andric llvm::raw_svector_ostream os(Str);
4285ffd83dbSDimitry Andric if (isa<AnyFunctionCall>(Call)) {
4295ffd83dbSDimitry Andric os << "Function ";
4305ffd83dbSDimitry Andric } else {
4315ffd83dbSDimitry Andric assert(isa<BlockCall>(Call));
4325ffd83dbSDimitry Andric os << "Block ";
4335ffd83dbSDimitry Andric }
4345ffd83dbSDimitry Andric os << "taking " << Params << " argument" << (Params == 1 ? "" : "s")
4355ffd83dbSDimitry Andric << " is called with fewer (" << Call.getNumArgs() << ")";
4365ffd83dbSDimitry Andric
4375ffd83dbSDimitry Andric C.emitReport(
4385ffd83dbSDimitry Andric std::make_unique<PathSensitiveBugReport>(*BT_call_few_args, os.str(), N));
4395ffd83dbSDimitry Andric return nullptr;
4405ffd83dbSDimitry Andric }
4415ffd83dbSDimitry Andric
checkCXXMethodCall(const CXXInstanceCall * CC,CheckerContext & C,ProgramStateRef State) const4425ffd83dbSDimitry Andric ProgramStateRef CallAndMessageChecker::checkCXXMethodCall(
4435ffd83dbSDimitry Andric const CXXInstanceCall *CC, CheckerContext &C, ProgramStateRef State) const {
4445ffd83dbSDimitry Andric
4455ffd83dbSDimitry Andric SVal V = CC->getCXXThisVal();
4465ffd83dbSDimitry Andric if (V.isUndef()) {
4475ffd83dbSDimitry Andric if (!ChecksEnabled[CK_CXXThisMethodCall]) {
4485ffd83dbSDimitry Andric C.addSink(State);
4495ffd83dbSDimitry Andric return nullptr;
4505ffd83dbSDimitry Andric }
4515ffd83dbSDimitry Andric if (!BT_cxx_call_undef)
4525f757f3fSDimitry Andric BT_cxx_call_undef.reset(new BugType(
4535ffd83dbSDimitry Andric OriginalName, "Called C++ object pointer is uninitialized"));
4545ffd83dbSDimitry Andric emitBadCall(BT_cxx_call_undef.get(), C, CC->getCXXThisExpr());
4555ffd83dbSDimitry Andric return nullptr;
4565ffd83dbSDimitry Andric }
4575ffd83dbSDimitry Andric
4585ffd83dbSDimitry Andric ProgramStateRef StNonNull, StNull;
4595ffd83dbSDimitry Andric std::tie(StNonNull, StNull) = State->assume(V.castAs<DefinedOrUnknownSVal>());
4605ffd83dbSDimitry Andric
4615ffd83dbSDimitry Andric if (StNull && !StNonNull) {
4625ffd83dbSDimitry Andric if (!ChecksEnabled[CK_CXXThisMethodCall]) {
4635ffd83dbSDimitry Andric C.addSink(StNull);
4645ffd83dbSDimitry Andric return nullptr;
4655ffd83dbSDimitry Andric }
4665ffd83dbSDimitry Andric if (!BT_cxx_call_null)
4675ffd83dbSDimitry Andric BT_cxx_call_null.reset(
4685f757f3fSDimitry Andric new BugType(OriginalName, "Called C++ object pointer is null"));
4695ffd83dbSDimitry Andric emitBadCall(BT_cxx_call_null.get(), C, CC->getCXXThisExpr());
4705ffd83dbSDimitry Andric return nullptr;
4715ffd83dbSDimitry Andric }
4725ffd83dbSDimitry Andric
4735ffd83dbSDimitry Andric return StNonNull;
4745ffd83dbSDimitry Andric }
4755ffd83dbSDimitry Andric
4765ffd83dbSDimitry Andric ProgramStateRef
checkCXXDeallocation(const CXXDeallocatorCall * DC,CheckerContext & C,ProgramStateRef State) const4775ffd83dbSDimitry Andric CallAndMessageChecker::checkCXXDeallocation(const CXXDeallocatorCall *DC,
4785ffd83dbSDimitry Andric CheckerContext &C,
4795ffd83dbSDimitry Andric ProgramStateRef State) const {
4805ffd83dbSDimitry Andric const CXXDeleteExpr *DE = DC->getOriginExpr();
4815ffd83dbSDimitry Andric assert(DE);
4820b57cec5SDimitry Andric SVal Arg = C.getSVal(DE->getArgument());
4835ffd83dbSDimitry Andric if (!Arg.isUndef())
4845ffd83dbSDimitry Andric return State;
4855ffd83dbSDimitry Andric
4865ffd83dbSDimitry Andric if (!ChecksEnabled[CK_CXXDeallocationArg]) {
4875ffd83dbSDimitry Andric C.addSink(State);
4885ffd83dbSDimitry Andric return nullptr;
4895ffd83dbSDimitry Andric }
4905ffd83dbSDimitry Andric
4910b57cec5SDimitry Andric StringRef Desc;
4920b57cec5SDimitry Andric ExplodedNode *N = C.generateErrorNode();
4930b57cec5SDimitry Andric if (!N)
4945ffd83dbSDimitry Andric return nullptr;
4950b57cec5SDimitry Andric if (!BT_cxx_delete_undef)
4960b57cec5SDimitry Andric BT_cxx_delete_undef.reset(
4975f757f3fSDimitry Andric new BugType(OriginalName, "Uninitialized argument value"));
4980b57cec5SDimitry Andric if (DE->isArrayFormAsWritten())
4990b57cec5SDimitry Andric Desc = "Argument to 'delete[]' is uninitialized";
5000b57cec5SDimitry Andric else
5010b57cec5SDimitry Andric Desc = "Argument to 'delete' is uninitialized";
5025f757f3fSDimitry Andric auto R =
5035f757f3fSDimitry Andric std::make_unique<PathSensitiveBugReport>(*BT_cxx_delete_undef, Desc, N);
5040b57cec5SDimitry Andric bugreporter::trackExpressionValue(N, DE, *R);
5050b57cec5SDimitry Andric C.emitReport(std::move(R));
5065ffd83dbSDimitry Andric return nullptr;
5070b57cec5SDimitry Andric }
5080b57cec5SDimitry Andric
checkArgInitializedness(const CallEvent & Call,CheckerContext & C,ProgramStateRef State) const5095ffd83dbSDimitry Andric ProgramStateRef CallAndMessageChecker::checkArgInitializedness(
5105ffd83dbSDimitry Andric const CallEvent &Call, CheckerContext &C, ProgramStateRef State) const {
5110b57cec5SDimitry Andric
5120b57cec5SDimitry Andric const Decl *D = Call.getDecl();
5130b57cec5SDimitry Andric
5140b57cec5SDimitry Andric // Don't check for uninitialized field values in arguments if the
5150b57cec5SDimitry Andric // caller has a body that is available and we have the chance to inline it.
5160b57cec5SDimitry Andric // This is a hack, but is a reasonable compromise betweens sometimes warning
5170b57cec5SDimitry Andric // and sometimes not depending on if we decide to inline a function.
5180b57cec5SDimitry Andric const bool checkUninitFields =
5190b57cec5SDimitry Andric !(C.getAnalysisManager().shouldInlineCall() && (D && D->getBody()));
5200b57cec5SDimitry Andric
5210b57cec5SDimitry Andric std::unique_ptr<BugType> *BT;
5220b57cec5SDimitry Andric if (isa<ObjCMethodCall>(Call))
5230b57cec5SDimitry Andric BT = &BT_msg_arg;
5240b57cec5SDimitry Andric else
5250b57cec5SDimitry Andric BT = &BT_call_arg;
5260b57cec5SDimitry Andric
5270b57cec5SDimitry Andric const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D);
5280b57cec5SDimitry Andric for (unsigned i = 0, e = Call.getNumArgs(); i != e; ++i) {
5290b57cec5SDimitry Andric const ParmVarDecl *ParamDecl = nullptr;
5300b57cec5SDimitry Andric if (FD && i < FD->getNumParams())
5310b57cec5SDimitry Andric ParamDecl = FD->getParamDecl(i);
5320b57cec5SDimitry Andric if (PreVisitProcessArg(C, Call.getArgSVal(i), Call.getArgSourceRange(i),
5335ffd83dbSDimitry Andric Call.getArgExpr(i), i, checkUninitFields, Call, *BT,
5345ffd83dbSDimitry Andric ParamDecl))
5355ffd83dbSDimitry Andric return nullptr;
5360b57cec5SDimitry Andric }
5375ffd83dbSDimitry Andric return State;
5385ffd83dbSDimitry Andric }
5395ffd83dbSDimitry Andric
checkPreCall(const CallEvent & Call,CheckerContext & C) const5405ffd83dbSDimitry Andric void CallAndMessageChecker::checkPreCall(const CallEvent &Call,
5415ffd83dbSDimitry Andric CheckerContext &C) const {
5425ffd83dbSDimitry Andric ProgramStateRef State = C.getState();
5435ffd83dbSDimitry Andric
5445ffd83dbSDimitry Andric if (const CallExpr *CE = dyn_cast_or_null<CallExpr>(Call.getOriginExpr()))
5455ffd83dbSDimitry Andric State = checkFunctionPointerCall(CE, C, State);
5465ffd83dbSDimitry Andric
5475ffd83dbSDimitry Andric if (!State)
5485ffd83dbSDimitry Andric return;
5495ffd83dbSDimitry Andric
5505ffd83dbSDimitry Andric if (Call.getDecl())
5515ffd83dbSDimitry Andric State = checkParameterCount(Call, C, State);
5525ffd83dbSDimitry Andric
5535ffd83dbSDimitry Andric if (!State)
5545ffd83dbSDimitry Andric return;
5555ffd83dbSDimitry Andric
5565ffd83dbSDimitry Andric if (const auto *CC = dyn_cast<CXXInstanceCall>(&Call))
5575ffd83dbSDimitry Andric State = checkCXXMethodCall(CC, C, State);
5585ffd83dbSDimitry Andric
5595ffd83dbSDimitry Andric if (!State)
5605ffd83dbSDimitry Andric return;
5615ffd83dbSDimitry Andric
5625ffd83dbSDimitry Andric if (const auto *DC = dyn_cast<CXXDeallocatorCall>(&Call))
5635ffd83dbSDimitry Andric State = checkCXXDeallocation(DC, C, State);
5645ffd83dbSDimitry Andric
5655ffd83dbSDimitry Andric if (!State)
5665ffd83dbSDimitry Andric return;
5675ffd83dbSDimitry Andric
5685ffd83dbSDimitry Andric State = checkArgInitializedness(Call, C, State);
5690b57cec5SDimitry Andric
5700b57cec5SDimitry Andric // If we make it here, record our assumptions about the callee.
5710b57cec5SDimitry Andric C.addTransition(State);
5720b57cec5SDimitry Andric }
5730b57cec5SDimitry Andric
checkPreObjCMessage(const ObjCMethodCall & msg,CheckerContext & C) const5740b57cec5SDimitry Andric void CallAndMessageChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
5750b57cec5SDimitry Andric CheckerContext &C) const {
5760b57cec5SDimitry Andric SVal recVal = msg.getReceiverSVal();
5770b57cec5SDimitry Andric if (recVal.isUndef()) {
5785ffd83dbSDimitry Andric if (!ChecksEnabled[CK_UndefReceiver]) {
5795ffd83dbSDimitry Andric C.addSink();
5805ffd83dbSDimitry Andric return;
5815ffd83dbSDimitry Andric }
5820b57cec5SDimitry Andric if (ExplodedNode *N = C.generateErrorNode()) {
5830b57cec5SDimitry Andric BugType *BT = nullptr;
5840b57cec5SDimitry Andric switch (msg.getMessageKind()) {
5850b57cec5SDimitry Andric case OCM_Message:
5860b57cec5SDimitry Andric if (!BT_msg_undef)
5875f757f3fSDimitry Andric BT_msg_undef.reset(new BugType(OriginalName,
5880b57cec5SDimitry Andric "Receiver in message expression "
5890b57cec5SDimitry Andric "is an uninitialized value"));
5900b57cec5SDimitry Andric BT = BT_msg_undef.get();
5910b57cec5SDimitry Andric break;
5920b57cec5SDimitry Andric case OCM_PropertyAccess:
5930b57cec5SDimitry Andric if (!BT_objc_prop_undef)
5945f757f3fSDimitry Andric BT_objc_prop_undef.reset(new BugType(
5955ffd83dbSDimitry Andric OriginalName,
5965ffd83dbSDimitry Andric "Property access on an uninitialized object pointer"));
5970b57cec5SDimitry Andric BT = BT_objc_prop_undef.get();
5980b57cec5SDimitry Andric break;
5990b57cec5SDimitry Andric case OCM_Subscript:
6000b57cec5SDimitry Andric if (!BT_objc_subscript_undef)
6015f757f3fSDimitry Andric BT_objc_subscript_undef.reset(new BugType(
6025ffd83dbSDimitry Andric OriginalName,
6035ffd83dbSDimitry Andric "Subscript access on an uninitialized object pointer"));
6040b57cec5SDimitry Andric BT = BT_objc_subscript_undef.get();
6050b57cec5SDimitry Andric break;
6060b57cec5SDimitry Andric }
6070b57cec5SDimitry Andric assert(BT && "Unknown message kind.");
6080b57cec5SDimitry Andric
609a7dea167SDimitry Andric auto R = std::make_unique<PathSensitiveBugReport>(*BT, BT->getDescription(), N);
6100b57cec5SDimitry Andric const ObjCMessageExpr *ME = msg.getOriginExpr();
6110b57cec5SDimitry Andric R->addRange(ME->getReceiverRange());
6120b57cec5SDimitry Andric
6130b57cec5SDimitry Andric // FIXME: getTrackNullOrUndefValueVisitor can't handle "super" yet.
6140b57cec5SDimitry Andric if (const Expr *ReceiverE = ME->getInstanceReceiver())
6150b57cec5SDimitry Andric bugreporter::trackExpressionValue(N, ReceiverE, *R);
6160b57cec5SDimitry Andric C.emitReport(std::move(R));
6170b57cec5SDimitry Andric }
6180b57cec5SDimitry Andric return;
6190b57cec5SDimitry Andric }
6200b57cec5SDimitry Andric }
6210b57cec5SDimitry Andric
checkObjCMessageNil(const ObjCMethodCall & msg,CheckerContext & C) const6220b57cec5SDimitry Andric void CallAndMessageChecker::checkObjCMessageNil(const ObjCMethodCall &msg,
6230b57cec5SDimitry Andric CheckerContext &C) const {
6240b57cec5SDimitry Andric HandleNilReceiver(C, C.getState(), msg);
6250b57cec5SDimitry Andric }
6260b57cec5SDimitry Andric
emitNilReceiverBug(CheckerContext & C,const ObjCMethodCall & msg,ExplodedNode * N) const6270b57cec5SDimitry Andric void CallAndMessageChecker::emitNilReceiverBug(CheckerContext &C,
6280b57cec5SDimitry Andric const ObjCMethodCall &msg,
6290b57cec5SDimitry Andric ExplodedNode *N) const {
6305ffd83dbSDimitry Andric if (!ChecksEnabled[CK_NilReceiver]) {
6315ffd83dbSDimitry Andric C.addSink();
6325ffd83dbSDimitry Andric return;
6335ffd83dbSDimitry Andric }
6340b57cec5SDimitry Andric
6350b57cec5SDimitry Andric if (!BT_msg_ret)
6365f757f3fSDimitry Andric BT_msg_ret.reset(
6375f757f3fSDimitry Andric new BugType(OriginalName, "Receiver in message expression is 'nil'"));
6380b57cec5SDimitry Andric
6390b57cec5SDimitry Andric const ObjCMessageExpr *ME = msg.getOriginExpr();
6400b57cec5SDimitry Andric
6410b57cec5SDimitry Andric QualType ResTy = msg.getResultType();
6420b57cec5SDimitry Andric
6430b57cec5SDimitry Andric SmallString<200> buf;
6440b57cec5SDimitry Andric llvm::raw_svector_ostream os(buf);
6450b57cec5SDimitry Andric os << "The receiver of message '";
6460b57cec5SDimitry Andric ME->getSelector().print(os);
6470b57cec5SDimitry Andric os << "' is nil";
6480b57cec5SDimitry Andric if (ResTy->isReferenceType()) {
6490b57cec5SDimitry Andric os << ", which results in forming a null reference";
6500b57cec5SDimitry Andric } else {
6510b57cec5SDimitry Andric os << " and returns a value of type '";
6520b57cec5SDimitry Andric msg.getResultType().print(os, C.getLangOpts());
6530b57cec5SDimitry Andric os << "' that will be garbage";
6540b57cec5SDimitry Andric }
6550b57cec5SDimitry Andric
656a7dea167SDimitry Andric auto report =
657a7dea167SDimitry Andric std::make_unique<PathSensitiveBugReport>(*BT_msg_ret, os.str(), N);
6580b57cec5SDimitry Andric report->addRange(ME->getReceiverRange());
6590b57cec5SDimitry Andric // FIXME: This won't track "self" in messages to super.
6600b57cec5SDimitry Andric if (const Expr *receiver = ME->getInstanceReceiver()) {
6610b57cec5SDimitry Andric bugreporter::trackExpressionValue(N, receiver, *report);
6620b57cec5SDimitry Andric }
6630b57cec5SDimitry Andric C.emitReport(std::move(report));
6640b57cec5SDimitry Andric }
6650b57cec5SDimitry Andric
supportsNilWithFloatRet(const llvm::Triple & triple)6660b57cec5SDimitry Andric static bool supportsNilWithFloatRet(const llvm::Triple &triple) {
6670b57cec5SDimitry Andric return (triple.getVendor() == llvm::Triple::Apple &&
6680b57cec5SDimitry Andric (triple.isiOS() || triple.isWatchOS() ||
6690b57cec5SDimitry Andric !triple.isMacOSXVersionLT(10,5)));
6700b57cec5SDimitry Andric }
6710b57cec5SDimitry Andric
HandleNilReceiver(CheckerContext & C,ProgramStateRef state,const ObjCMethodCall & Msg) const6720b57cec5SDimitry Andric void CallAndMessageChecker::HandleNilReceiver(CheckerContext &C,
6730b57cec5SDimitry Andric ProgramStateRef state,
6740b57cec5SDimitry Andric const ObjCMethodCall &Msg) const {
6750b57cec5SDimitry Andric ASTContext &Ctx = C.getASTContext();
6760b57cec5SDimitry Andric static CheckerProgramPointTag Tag(this, "NilReceiver");
6770b57cec5SDimitry Andric
6780b57cec5SDimitry Andric // Check the return type of the message expression. A message to nil will
6790b57cec5SDimitry Andric // return different values depending on the return type and the architecture.
6800b57cec5SDimitry Andric QualType RetTy = Msg.getResultType();
6810b57cec5SDimitry Andric CanQualType CanRetTy = Ctx.getCanonicalType(RetTy);
6820b57cec5SDimitry Andric const LocationContext *LCtx = C.getLocationContext();
6830b57cec5SDimitry Andric
6840b57cec5SDimitry Andric if (CanRetTy->isStructureOrClassType()) {
6850b57cec5SDimitry Andric // Structure returns are safe since the compiler zeroes them out.
6860b57cec5SDimitry Andric SVal V = C.getSValBuilder().makeZeroVal(RetTy);
6870b57cec5SDimitry Andric C.addTransition(state->BindExpr(Msg.getOriginExpr(), LCtx, V), &Tag);
6880b57cec5SDimitry Andric return;
6890b57cec5SDimitry Andric }
6900b57cec5SDimitry Andric
6910b57cec5SDimitry Andric // Other cases: check if sizeof(return type) > sizeof(void*)
6920b57cec5SDimitry Andric if (CanRetTy != Ctx.VoidTy && C.getLocationContext()->getParentMap()
6930b57cec5SDimitry Andric .isConsumedExpr(Msg.getOriginExpr())) {
6940b57cec5SDimitry Andric // Compute: sizeof(void *) and sizeof(return type)
6950b57cec5SDimitry Andric const uint64_t voidPtrSize = Ctx.getTypeSize(Ctx.VoidPtrTy);
6960b57cec5SDimitry Andric const uint64_t returnTypeSize = Ctx.getTypeSize(CanRetTy);
6970b57cec5SDimitry Andric
6980b57cec5SDimitry Andric if (CanRetTy.getTypePtr()->isReferenceType()||
6990b57cec5SDimitry Andric (voidPtrSize < returnTypeSize &&
7000b57cec5SDimitry Andric !(supportsNilWithFloatRet(Ctx.getTargetInfo().getTriple()) &&
7010b57cec5SDimitry Andric (Ctx.FloatTy == CanRetTy ||
7020b57cec5SDimitry Andric Ctx.DoubleTy == CanRetTy ||
7030b57cec5SDimitry Andric Ctx.LongDoubleTy == CanRetTy ||
7040b57cec5SDimitry Andric Ctx.LongLongTy == CanRetTy ||
7050b57cec5SDimitry Andric Ctx.UnsignedLongLongTy == CanRetTy)))) {
7060b57cec5SDimitry Andric if (ExplodedNode *N = C.generateErrorNode(state, &Tag))
7070b57cec5SDimitry Andric emitNilReceiverBug(C, Msg, N);
7080b57cec5SDimitry Andric return;
7090b57cec5SDimitry Andric }
7100b57cec5SDimitry Andric
7110b57cec5SDimitry Andric // Handle the safe cases where the return value is 0 if the
7120b57cec5SDimitry Andric // receiver is nil.
7130b57cec5SDimitry Andric //
7140b57cec5SDimitry Andric // FIXME: For now take the conservative approach that we only
7150b57cec5SDimitry Andric // return null values if we *know* that the receiver is nil.
7160b57cec5SDimitry Andric // This is because we can have surprises like:
7170b57cec5SDimitry Andric //
7180b57cec5SDimitry Andric // ... = [[NSScreens screens] objectAtIndex:0];
7190b57cec5SDimitry Andric //
7200b57cec5SDimitry Andric // What can happen is that [... screens] could return nil, but
7210b57cec5SDimitry Andric // it most likely isn't nil. We should assume the semantics
7220b57cec5SDimitry Andric // of this case unless we have *a lot* more knowledge.
7230b57cec5SDimitry Andric //
7240b57cec5SDimitry Andric SVal V = C.getSValBuilder().makeZeroVal(RetTy);
7250b57cec5SDimitry Andric C.addTransition(state->BindExpr(Msg.getOriginExpr(), LCtx, V), &Tag);
7260b57cec5SDimitry Andric return;
7270b57cec5SDimitry Andric }
7280b57cec5SDimitry Andric
7290b57cec5SDimitry Andric C.addTransition(state);
7300b57cec5SDimitry Andric }
7310b57cec5SDimitry Andric
registerCallAndMessageModeling(CheckerManager & mgr)7325ffd83dbSDimitry Andric void ento::registerCallAndMessageModeling(CheckerManager &mgr) {
7330b57cec5SDimitry Andric mgr.registerChecker<CallAndMessageChecker>();
7340b57cec5SDimitry Andric }
7350b57cec5SDimitry Andric
shouldRegisterCallAndMessageModeling(const CheckerManager & mgr)7365ffd83dbSDimitry Andric bool ento::shouldRegisterCallAndMessageModeling(const CheckerManager &mgr) {
7370b57cec5SDimitry Andric return true;
7380b57cec5SDimitry Andric }
7390b57cec5SDimitry Andric
registerCallAndMessageChecker(CheckerManager & mgr)7405ffd83dbSDimitry Andric void ento::registerCallAndMessageChecker(CheckerManager &mgr) {
7415ffd83dbSDimitry Andric CallAndMessageChecker *checker = mgr.getChecker<CallAndMessageChecker>();
7425ffd83dbSDimitry Andric
7435ffd83dbSDimitry Andric checker->OriginalName = mgr.getCurrentCheckerName();
7445ffd83dbSDimitry Andric
7455ffd83dbSDimitry Andric #define QUERY_CHECKER_OPTION(OPTION) \
7465ffd83dbSDimitry Andric checker->ChecksEnabled[CallAndMessageChecker::CK_##OPTION] = \
7475ffd83dbSDimitry Andric mgr.getAnalyzerOptions().getCheckerBooleanOption( \
7485ffd83dbSDimitry Andric mgr.getCurrentCheckerName(), #OPTION);
7495ffd83dbSDimitry Andric
7505ffd83dbSDimitry Andric QUERY_CHECKER_OPTION(FunctionPointer)
7515ffd83dbSDimitry Andric QUERY_CHECKER_OPTION(ParameterCount)
7525ffd83dbSDimitry Andric QUERY_CHECKER_OPTION(CXXThisMethodCall)
7535ffd83dbSDimitry Andric QUERY_CHECKER_OPTION(CXXDeallocationArg)
7545ffd83dbSDimitry Andric QUERY_CHECKER_OPTION(ArgInitializedness)
7555ffd83dbSDimitry Andric QUERY_CHECKER_OPTION(ArgPointeeInitializedness)
7565ffd83dbSDimitry Andric QUERY_CHECKER_OPTION(NilReceiver)
7575ffd83dbSDimitry Andric QUERY_CHECKER_OPTION(UndefReceiver)
7580b57cec5SDimitry Andric }
7590b57cec5SDimitry Andric
shouldRegisterCallAndMessageChecker(const CheckerManager & mgr)7605ffd83dbSDimitry Andric bool ento::shouldRegisterCallAndMessageChecker(const CheckerManager &mgr) {
7610b57cec5SDimitry Andric return true;
7620b57cec5SDimitry Andric }
763