1 //===--- UndefinedAssignmentChecker.h ---------------------------*- C++ -*--==// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This defines UndefinedAssignmentChecker, a builtin check in ExprEngine that 10 // checks for assigning undefined values. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 15 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 16 #include "clang/StaticAnalyzer/Core/Checker.h" 17 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 18 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 19 20 using namespace clang; 21 using namespace ento; 22 23 namespace { 24 class UndefinedAssignmentChecker 25 : public Checker<check::Bind> { 26 mutable std::unique_ptr<BugType> BT; 27 28 public: 29 void checkBind(SVal location, SVal val, const Stmt *S, 30 CheckerContext &C) const; 31 }; 32 } 33 34 void UndefinedAssignmentChecker::checkBind(SVal location, SVal val, 35 const Stmt *StoreE, 36 CheckerContext &C) const { 37 if (!val.isUndef()) 38 return; 39 40 // Do not report assignments of uninitialized values inside swap functions. 41 // This should allow to swap partially uninitialized structs 42 if (const FunctionDecl *EnclosingFunctionDecl = 43 dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl())) 44 if (C.getCalleeName(EnclosingFunctionDecl) == "swap") 45 return; 46 47 ExplodedNode *N = C.generateErrorNode(); 48 49 if (!N) 50 return; 51 52 static const char *const DefaultMsg = 53 "Assigned value is garbage or undefined"; 54 if (!BT) 55 BT.reset(new BugType(this, DefaultMsg)); 56 57 // Generate a report for this bug. 58 llvm::SmallString<128> Str; 59 llvm::raw_svector_ostream OS(Str); 60 61 const Expr *ex = nullptr; 62 63 while (StoreE) { 64 if (const UnaryOperator *U = dyn_cast<UnaryOperator>(StoreE)) { 65 OS << "The expression is an uninitialized value. " 66 "The computed value will also be garbage"; 67 68 ex = U->getSubExpr(); 69 break; 70 } 71 72 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(StoreE)) { 73 if (B->isCompoundAssignmentOp()) { 74 if (C.getSVal(B->getLHS()).isUndef()) { 75 OS << "The left expression of the compound assignment is an " 76 "uninitialized value. The computed value will also be garbage"; 77 ex = B->getLHS(); 78 break; 79 } 80 } 81 82 ex = B->getRHS(); 83 break; 84 } 85 86 if (const DeclStmt *DS = dyn_cast<DeclStmt>(StoreE)) { 87 const VarDecl *VD = cast<VarDecl>(DS->getSingleDecl()); 88 ex = VD->getInit(); 89 } 90 91 if (const auto *CD = 92 dyn_cast<CXXConstructorDecl>(C.getStackFrame()->getDecl())) { 93 if (CD->isImplicit()) { 94 for (auto *I : CD->inits()) { 95 if (I->getInit()->IgnoreImpCasts() == StoreE) { 96 OS << "Value assigned to field '" << I->getMember()->getName() 97 << "' in implicit constructor is garbage or undefined"; 98 break; 99 } 100 } 101 } 102 } 103 104 break; 105 } 106 107 if (OS.str().empty()) 108 OS << DefaultMsg; 109 110 auto R = std::make_unique<PathSensitiveBugReport>(*BT, OS.str(), N); 111 if (ex) { 112 R->addRange(ex->getSourceRange()); 113 bugreporter::trackExpressionValue(N, ex, *R); 114 } 115 C.emitReport(std::move(R)); 116 } 117 118 void ento::registerUndefinedAssignmentChecker(CheckerManager &mgr) { 119 mgr.registerChecker<UndefinedAssignmentChecker>(); 120 } 121 122 bool ento::shouldRegisterUndefinedAssignmentChecker(const CheckerManager &mgr) { 123 return true; 124 } 125