1*e038c9c4Sjoerg // SmartPtrChecker.cpp - Check for smart pointer dereference - C++ --------===//
2*e038c9c4Sjoerg //
3*e038c9c4Sjoerg // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4*e038c9c4Sjoerg // See https://llvm.org/LICENSE.txt for license information.
5*e038c9c4Sjoerg // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6*e038c9c4Sjoerg //
7*e038c9c4Sjoerg //===----------------------------------------------------------------------===//
8*e038c9c4Sjoerg //
9*e038c9c4Sjoerg // This file defines a checker that check for null dereference of C++ smart
10*e038c9c4Sjoerg // pointer.
11*e038c9c4Sjoerg //
12*e038c9c4Sjoerg //===----------------------------------------------------------------------===//
13*e038c9c4Sjoerg #include "SmartPtr.h"
14*e038c9c4Sjoerg
15*e038c9c4Sjoerg #include "clang/AST/DeclCXX.h"
16*e038c9c4Sjoerg #include "clang/AST/ExprCXX.h"
17*e038c9c4Sjoerg #include "clang/AST/Type.h"
18*e038c9c4Sjoerg #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
19*e038c9c4Sjoerg #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
20*e038c9c4Sjoerg #include "clang/StaticAnalyzer/Core/Checker.h"
21*e038c9c4Sjoerg #include "clang/StaticAnalyzer/Core/CheckerManager.h"
22*e038c9c4Sjoerg #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
23*e038c9c4Sjoerg #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
24*e038c9c4Sjoerg #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
25*e038c9c4Sjoerg #include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
26*e038c9c4Sjoerg #include "llvm/ADT/StringRef.h"
27*e038c9c4Sjoerg
28*e038c9c4Sjoerg using namespace clang;
29*e038c9c4Sjoerg using namespace ento;
30*e038c9c4Sjoerg
31*e038c9c4Sjoerg namespace {
32*e038c9c4Sjoerg
33*e038c9c4Sjoerg static const BugType *NullDereferenceBugTypePtr;
34*e038c9c4Sjoerg
35*e038c9c4Sjoerg class SmartPtrChecker : public Checker<check::PreCall> {
36*e038c9c4Sjoerg public:
37*e038c9c4Sjoerg void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
38*e038c9c4Sjoerg BugType NullDereferenceBugType{this, "Null SmartPtr dereference",
39*e038c9c4Sjoerg "C++ Smart Pointer"};
40*e038c9c4Sjoerg
41*e038c9c4Sjoerg private:
42*e038c9c4Sjoerg void reportBug(CheckerContext &C, const MemRegion *DerefRegion,
43*e038c9c4Sjoerg const CallEvent &Call) const;
44*e038c9c4Sjoerg void explainDereference(llvm::raw_ostream &OS, const MemRegion *DerefRegion,
45*e038c9c4Sjoerg const CallEvent &Call) const;
46*e038c9c4Sjoerg };
47*e038c9c4Sjoerg } // end of anonymous namespace
48*e038c9c4Sjoerg
49*e038c9c4Sjoerg // Define the inter-checker API.
50*e038c9c4Sjoerg namespace clang {
51*e038c9c4Sjoerg namespace ento {
52*e038c9c4Sjoerg namespace smartptr {
53*e038c9c4Sjoerg
getNullDereferenceBugType()54*e038c9c4Sjoerg const BugType *getNullDereferenceBugType() { return NullDereferenceBugTypePtr; }
55*e038c9c4Sjoerg
56*e038c9c4Sjoerg } // namespace smartptr
57*e038c9c4Sjoerg } // namespace ento
58*e038c9c4Sjoerg } // namespace clang
59*e038c9c4Sjoerg
checkPreCall(const CallEvent & Call,CheckerContext & C) const60*e038c9c4Sjoerg void SmartPtrChecker::checkPreCall(const CallEvent &Call,
61*e038c9c4Sjoerg CheckerContext &C) const {
62*e038c9c4Sjoerg if (!smartptr::isStdSmartPtrCall(Call))
63*e038c9c4Sjoerg return;
64*e038c9c4Sjoerg ProgramStateRef State = C.getState();
65*e038c9c4Sjoerg const auto *OC = dyn_cast<CXXMemberOperatorCall>(&Call);
66*e038c9c4Sjoerg if (!OC)
67*e038c9c4Sjoerg return;
68*e038c9c4Sjoerg const MemRegion *ThisRegion = OC->getCXXThisVal().getAsRegion();
69*e038c9c4Sjoerg if (!ThisRegion)
70*e038c9c4Sjoerg return;
71*e038c9c4Sjoerg
72*e038c9c4Sjoerg OverloadedOperatorKind OOK = OC->getOverloadedOperator();
73*e038c9c4Sjoerg if (OOK == OO_Star || OOK == OO_Arrow) {
74*e038c9c4Sjoerg if (smartptr::isNullSmartPtr(State, ThisRegion))
75*e038c9c4Sjoerg reportBug(C, ThisRegion, Call);
76*e038c9c4Sjoerg }
77*e038c9c4Sjoerg }
78*e038c9c4Sjoerg
reportBug(CheckerContext & C,const MemRegion * DerefRegion,const CallEvent & Call) const79*e038c9c4Sjoerg void SmartPtrChecker::reportBug(CheckerContext &C, const MemRegion *DerefRegion,
80*e038c9c4Sjoerg const CallEvent &Call) const {
81*e038c9c4Sjoerg ExplodedNode *ErrNode = C.generateErrorNode();
82*e038c9c4Sjoerg if (!ErrNode)
83*e038c9c4Sjoerg return;
84*e038c9c4Sjoerg llvm::SmallString<128> Str;
85*e038c9c4Sjoerg llvm::raw_svector_ostream OS(Str);
86*e038c9c4Sjoerg explainDereference(OS, DerefRegion, Call);
87*e038c9c4Sjoerg auto R = std::make_unique<PathSensitiveBugReport>(NullDereferenceBugType,
88*e038c9c4Sjoerg OS.str(), ErrNode);
89*e038c9c4Sjoerg R->markInteresting(DerefRegion);
90*e038c9c4Sjoerg C.emitReport(std::move(R));
91*e038c9c4Sjoerg }
92*e038c9c4Sjoerg
explainDereference(llvm::raw_ostream & OS,const MemRegion * DerefRegion,const CallEvent & Call) const93*e038c9c4Sjoerg void SmartPtrChecker::explainDereference(llvm::raw_ostream &OS,
94*e038c9c4Sjoerg const MemRegion *DerefRegion,
95*e038c9c4Sjoerg const CallEvent &Call) const {
96*e038c9c4Sjoerg OS << "Dereference of null smart pointer ";
97*e038c9c4Sjoerg DerefRegion->printPretty(OS);
98*e038c9c4Sjoerg }
99*e038c9c4Sjoerg
registerSmartPtrChecker(CheckerManager & Mgr)100*e038c9c4Sjoerg void ento::registerSmartPtrChecker(CheckerManager &Mgr) {
101*e038c9c4Sjoerg SmartPtrChecker *Checker = Mgr.registerChecker<SmartPtrChecker>();
102*e038c9c4Sjoerg NullDereferenceBugTypePtr = &Checker->NullDereferenceBugType;
103*e038c9c4Sjoerg }
104*e038c9c4Sjoerg
shouldRegisterSmartPtrChecker(const CheckerManager & mgr)105*e038c9c4Sjoerg bool ento::shouldRegisterSmartPtrChecker(const CheckerManager &mgr) {
106*e038c9c4Sjoerg const LangOptions &LO = mgr.getLangOpts();
107*e038c9c4Sjoerg return LO.CPlusPlus;
108*e038c9c4Sjoerg }
109