1 //===----- UninitializedObjectChecker.cpp ------------------------*- C++ -*-==//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file defines a checker that reports uninitialized fields in objects
10 // created after a constructor call.
11 //
12 // To read about command line options and how the checker works, refer to the
13 // top of the file and inline comments in UninitializedObject.h.
14 //
15 // Some of the logic is implemented in UninitializedPointee.cpp, to reduce the
16 // complexity of this file.
17 //
18 //===----------------------------------------------------------------------===//
19 
20 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
21 #include "UninitializedObject.h"
22 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
23 #include "clang/StaticAnalyzer/Core/Checker.h"
24 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
25 #include "clang/StaticAnalyzer/Core/PathSensitive/DynamicTypeMap.h"
26 
27 using namespace clang;
28 using namespace clang::ento;
29 
/// We'll mark fields (and pointee of fields) that are confirmed to be
/// uninitialized as already analyzed. Regions enter this set in
/// FindUninitializedFields::addFieldToUninits and are pruned again in
/// UninitializedObjectChecker::checkDeadSymbols once they are no longer live.
REGISTER_SET_WITH_PROGRAMSTATE(AnalyzedRegions, const MemRegion *)
33 
34 namespace {
35 
class UninitializedObjectChecker
    : public Checker<check::EndFunction, check::DeadSymbols> {
  /// The single bug type every report emitted by this checker is filed under.
  std::unique_ptr<BuiltinBug> BT_uninitField;

public:
  /// Filled in by registerUninitializedObjectChecker() from the analyzer's
  /// checker options and handed to FindUninitializedFields at each check.
  UninitObjCheckerOptions Opts;

  UninitializedObjectChecker()
      : BT_uninitField(
            llvm::make_unique<BuiltinBug>(this, "Uninitialized fields")) {}

  /// Runs when the function being analyzed returns; only user-provided
  /// constructors of non-union records are inspected.
  void checkEndFunction(const ReturnStmt *RS, CheckerContext &C) const;

  /// Drops regions the reaper no longer considers live from AnalyzedRegions.
  void checkDeadSymbols(SymbolReaper &SR, CheckerContext &C) const;
};
50 
/// A field whose static type is also its dynamic type: neither a pointer nor
/// a reference. Its node in a field chain is simply the field's name.
class RegularField final : public FieldNode {
public:
  RegularField(const FieldRegion *FR) : FieldNode(FR) {}

  /// Text that precedes the quoted field chain in the note.
  void printNoteMsg(llvm::raw_ostream &Out) const override {
    Out << "uninitialized field ";
  }

  /// Regular fields contribute nothing in front of "this->".
  void printPrefix(llvm::raw_ostream &Out) const override {}

  /// Emits the field's name (resolved through getVariableName so lambda
  /// captures get a readable name as well).
  void printNode(llvm::raw_ostream &Out) const override {
    Out << getVariableName(getDecl());
  }

  /// Member access between this node and the one that follows it.
  void printSeparator(llvm::raw_ostream &Out) const override { Out << '.'; }
};
71 
/// Marks that the FieldNode following this one is declared in a base class of
/// the FieldNode preceding it. It wraps no FieldRegion of its own; it only
/// records the relation between its two neighbouring FieldRegion nodes.
class BaseClass final : public FieldNode {
  const QualType BaseClassT;

public:
  BaseClass(const QualType &T) : FieldNode(nullptr), BaseClassT(T) {
    assert(!T.isNull());
    assert(T->getAsCXXRecordDecl());
  }

  /// A base-class node never terminates a chain, so it has no note message.
  void printNoteMsg(llvm::raw_ostream &Out) const override {
    llvm_unreachable("This node can never be the final node in the "
                     "fieldchain!");
  }

  void printPrefix(llvm::raw_ostream &Out) const override {}

  /// Emits "Base::" so that the field printed next reads as a qualified name.
  void printNode(llvm::raw_ostream &Out) const override {
    Out << BaseClassT->getAsCXXRecordDecl()->getName() << "::";
  }

  /// The "::" written by printNode already separates this node from the next.
  void printSeparator(llvm::raw_ostream &Out) const override {}

  bool isBase() const override { return true; }
};
100 
101 } // end of anonymous namespace
102 
// Utility function declarations.

/// Returns the region that was constructed by CtorDecl, or nullptr if that
/// isn't possible (the value of `this` is not a region of class type).
static const TypedValueRegion *
getConstructedRegion(const CXXConstructorDecl *CtorDecl,
                     CheckerContext &Context);

/// Checks whether the object constructed by \p Ctor will be analyzed later
/// (e.g. if the object is a field of another object, in which case we'd check
/// it multiple times). Walks the parent location contexts looking for an
/// enclosing constructor whose object contains ours.
static bool willObjectBeAnalyzedLater(const CXXConstructorDecl *Ctor,
                                      CheckerContext &Context);

/// Checks whether RD contains a field with a name or type name that matches
/// \p Pattern. \p Pattern is compiled as an llvm::Regex on every call.
static bool shouldIgnoreRecord(const RecordDecl *RD, StringRef Pattern);
120 
121 //===----------------------------------------------------------------------===//
122 //                  Methods for UninitializedObjectChecker.
123 //===----------------------------------------------------------------------===//
124 
/// Reports the fields of the object under construction that are still
/// uninitialized when the constructor returns.
///
/// \param RS      Unused; the return statement ending the function.
/// \param Context Checker context for the constructor's stack frame.
void UninitializedObjectChecker::checkEndFunction(
    const ReturnStmt *RS, CheckerContext &Context) const {

  // Only user-written constructors of non-union records are of interest.
  const auto *Ctor = dyn_cast_or_null<CXXConstructorDecl>(
      Context.getLocationContext()->getDecl());
  if (!Ctor || !Ctor->isUserProvided() || Ctor->getParent()->isUnion())
    return;

  // If a constructor higher up the stack will cover this object, stay quiet
  // here so the same fields are not reported twice.
  if (willObjectBeAnalyzedLater(Ctor, Context))
    return;

  const TypedValueRegion *ObjR = getConstructedRegion(Ctor, Context);
  if (!ObjR)
    return;

  // The traversal runs inside the constructor of the finder.
  FindUninitializedFields Finder(Context.getState(), ObjR, Opts);
  std::pair<ProgramStateRef, const UninitFieldMap &> Results =
      Finder.getResults();
  ProgramStateRef NewState = Results.first;
  const UninitFieldMap &Uninits = Results.second;

  // Nothing to report; still keep the state so AnalyzedRegions is retained.
  if (Uninits.empty()) {
    Context.addTransition(NewState);
    return;
  }

  ExplodedNode *ErrNode = Context.generateNonFatalErrorNode(NewState);
  if (!ErrNode)
    return;

  // Reports are uniqued on the constructor's call site, when there is one.
  PathDiagnosticLocation UniqueingLoc;
  if (const Stmt *Call = Context.getStackFrame()->getCallSite())
    UniqueingLoc = PathDiagnosticLocation::createBegin(
        Call, Context.getSourceManager(), ErrNode->getLocationContext());

  auto makeReport = [&](StringRef Desc) {
    return llvm::make_unique<BugReport>(
        *BT_uninitField, Desc, ErrNode, UniqueingLoc,
        ErrNode->getLocationContext()->getDecl());
  };

  // Plist consumers without note support get one warning per field instead.
  if (Opts.ShouldConvertNotesToWarnings) {
    for (const auto &Entry : Uninits)
      Context.emitReport(makeReport(Entry.second));
    return;
  }

  // Otherwise: one warning for the constructor, one note per field.
  SmallString<100> Buf;
  llvm::raw_svector_ostream OS(Buf);
  const auto Count = Uninits.size();
  OS << Count << " uninitialized field" << (Count == 1 ? "" : "s")
     << " at the end of the constructor call";

  auto Report = makeReport(OS.str());
  for (const auto &Entry : Uninits)
    Report->addNote(Entry.second,
                    PathDiagnosticLocation::create(Entry.first->getDecl(),
                                                   Context.getSourceManager()));
  Context.emitReport(std::move(Report));
}
202 
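/// Prunes AnalyzedRegions of regions that are no longer live.
///
/// \param SR Liveness oracle for the current program point.
/// \param C  Context whose state holds the AnalyzedRegions set.
void UninitializedObjectChecker::checkDeadSymbols(SymbolReaper &SR,
                                                  CheckerContext &C) const {
  ProgramStateRef State = C.getState();
  bool Changed = false;
  for (const MemRegion *R : State->get<AnalyzedRegions>()) {
    if (!SR.isLiveRegion(R)) {
      State = State->remove<AnalyzedRegions>(R);
      Changed = true;
    }
  }
  // The pruned state must be handed back to the engine; without this
  // transition the removals above were silently discarded and the set could
  // only ever grow.
  if (Changed)
    C.addTransition(State);
}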
211 
212 //===----------------------------------------------------------------------===//
213 //                   Methods for FindUninitializedFields.
214 //===----------------------------------------------------------------------===//
215 
/// Runs the whole traversal of \p R at construction time; callers read the
/// outcome through getResults().
///
/// \param State Program state the traversal starts from (may be extended
///              with newly analyzed regions).
/// \param R     Region of the object under construction.
/// \param Opts  Checker options controlling pedantic mode and filtering.
FindUninitializedFields::FindUninitializedFields(
    ProgramStateRef State, const TypedValueRegion *const R,
    const UninitObjCheckerOptions &Opts)
    : State(State), ObjectR(R), Opts(Opts) {
  isNonUnionUninit(ObjectR, FieldChainInfo(ChainFactory));

  // Outside pedantic mode, an object in which no field at all was initialized
  // is taken to be deliberately left uninitialized, so nothing is reported.
  const bool KeepResults = Opts.IsPedantic || isAnyFieldInitialized();
  if (!KeepResults)
    UninitFields.clear();
}
228 
/// Records the field at the head of \p Chain as uninitialized.
///
/// \param Chain    Field chain whose head is the uninitialized field.
/// \param PointeeR Pointee region for dereferenceable fields, else nullptr.
/// \return true if a new entry was added to UninitFields.
bool FindUninitializedFields::addFieldToUninits(FieldChainInfo Chain,
                                                const MemRegion *PointeeR) {
  const FieldRegion *FR = Chain.getUninitRegion();

  assert((PointeeR || !isDereferencableType(FR->getDecl()->getType())) &&
         "One must also pass the pointee region as a parameter for "
         "dereferenceable fields!");

  // Regions already handled on an earlier path are never reported again.
  const bool AlreadySeen =
      State->contains<AnalyzedRegions>(FR) ||
      (PointeeR && State->contains<AnalyzedRegions>(PointeeR));
  if (AlreadySeen)
    return false;

  if (PointeeR)
    State = State->add<AnalyzedRegions>(PointeeR);
  State = State->add<AnalyzedRegions>(FR);

  // Fields declared in system headers are marked analyzed but not reported.
  const SourceManager &SM =
      State->getStateManager().getContext().getSourceManager();
  if (SM.isInSystemHeader(FR->getDecl()->getLocation()))
    return false;

  UninitFieldMap::mapped_type Msg;
  llvm::raw_svector_ostream OS(Msg);
  Chain.printNoteMsg(OS);
  return UninitFields.insert({FR, std::move(Msg)}).second;
}
258 
/// Checks every field (and, for C++ records, every base) of the non-union
/// record object \p R and records the uninitialized ones.
///
/// \param R          Region of a non-union record object.
/// \param LocalChain Access path from the object under construction to \p R.
/// \return true if at least one uninitialized field was found under \p R.
bool FindUninitializedFields::isNonUnionUninit(const TypedValueRegion *R,
                                               FieldChainInfo LocalChain) {
  assert(R->getValueType()->isRecordType() &&
         !R->getValueType()->isUnionType() &&
         "This method only checks non-union record objects!");

  const RecordDecl *RD = R->getValueType()->getAsRecordDecl()->getDefinition();

  // No definition is available, so the object cannot be inspected.
  // NOTE(review): this path returns true while the ignore path below returns
  // false, both after setting IsAnyFieldInitialized — confirm this asymmetry
  // is intended.
  if (!RD) {
    IsAnyFieldInitialized = true;
    return true;
  }

  // Records matching the user-supplied field pattern are skipped entirely.
  if (!Opts.IgnoredRecordsWithFieldPattern.empty() &&
      shouldIgnoreRecord(RD, Opts.IgnoredRecordsWithFieldPattern)) {
    IsAnyFieldInitialized = true;
    return false;
  }

  bool ContainsUninitField = false;

  // Are all of this non-union's fields initialized?
  for (const FieldDecl *I : RD->fields()) {

    const auto FieldVal =
        State->getLValue(I, loc::MemRegionVal(R)).castAs<loc::MemRegionVal>();
    const auto *FR = FieldVal.getRegionAs<FieldRegion>();
    QualType T = I->getType();

    // If LocalChain already contains FR, then we encountered a cyclic
    // reference. In this case, region FR is already under checking at an
    // earlier node in the directed tree.
    // NOTE(review): returning here abandons the remaining fields and bases of
    // this record, not just the cyclic one.
    if (LocalChain.contains(FR))
      return false;

    // Nested records are descended into with the field appended to the chain.
    if (T->isStructureOrClassType()) {
      if (isNonUnionUninit(FR, LocalChain.add(RegularField(FR))))
        ContainsUninitField = true;
      continue;
    }

    // isUnionUninit currently always answers false, so union fields count as
    // initialized.
    if (T->isUnionType()) {
      if (isUnionUninit(FR)) {
        if (addFieldToUninits(LocalChain.add(RegularField(FR))))
          ContainsUninitField = true;
      } else
        IsAnyFieldInitialized = true;
      continue;
    }

    // Array fields are not inspected and are treated as initialized.
    if (T->isArrayType()) {
      IsAnyFieldInitialized = true;
      continue;
    }

    SVal V = State->getSVal(FieldVal);

    // Pointers, references and pointer-valued integers are handled by the
    // pointee logic (implemented in UninitializedPointee.cpp).
    if (isDereferencableType(T) || V.getAs<nonloc::LocAsInteger>()) {
      if (isDereferencableUninit(FR, LocalChain))
        ContainsUninitField = true;
      continue;
    }

    if (isPrimitiveType(T)) {
      if (isPrimitiveUninit(V)) {
        if (addFieldToUninits(LocalChain.add(RegularField(FR))))
          ContainsUninitField = true;
      }
      continue;
    }

    llvm_unreachable("All cases are handled!");
  }

  // Checking bases. The checker will regard inherited data members as direct
  // fields.
  const auto *CXXRD = dyn_cast<CXXRecordDecl>(RD);
  if (!CXXRD)
    return ContainsUninitField;

  for (const CXXBaseSpecifier &BaseSpec : CXXRD->bases()) {
    const auto *BaseRegion = State->getLValue(BaseSpec, R)
                                 .castAs<loc::MemRegionVal>()
                                 .getRegionAs<TypedValueRegion>();

    // If the head of the list is also a BaseClass, we'll overwrite it to avoid
    // note messages like 'this->A::B::x'.
    if (!LocalChain.isEmpty() && LocalChain.getHead().isBase()) {
      if (isNonUnionUninit(BaseRegion, LocalChain.replaceHead(
                                           BaseClass(BaseSpec.getType()))))
        ContainsUninitField = true;
    } else {
      if (isNonUnionUninit(BaseRegion,
                           LocalChain.add(BaseClass(BaseSpec.getType()))))
        ContainsUninitField = true;
    }
  }

  return ContainsUninitField;
}
359 
/// Placeholder for union support: every union object is currently reported
/// as initialized.
///
/// \param R Region of a union object.
/// \return Always false until union fields are supported.
bool FindUninitializedFields::isUnionUninit(const TypedValueRegion *R) {
  assert("This method only checks union objects!" &&
         R->getValueType()->isUnionType());
  // TODO: Implement support for union fields.
  return false;
}
366 
/// Decides whether a primitive field value is uninitialized.
///
/// \param V Value stored in the field.
/// \return true iff \p V is undefined. A defined value also records that the
///         object has at least one initialized field.
bool FindUninitializedFields::isPrimitiveUninit(const SVal &V) {
  const bool Undefined = V.isUndef();
  // Any defined value is evidence that the object was initialized on purpose,
  // which the non-pedantic filter in the constructor relies on.
  if (!Undefined)
    IsAnyFieldInitialized = true;
  return Undefined;
}
374 
375 //===----------------------------------------------------------------------===//
376 //                       Methods for FieldChainInfo.
377 //===----------------------------------------------------------------------===//
378 
/// Tells whether \p FR is already part of this chain (used to detect cycles).
///
/// \param FR Field region to look for.
/// \return true if some node of the chain wraps \p FR.
bool FieldChainInfo::contains(const FieldRegion *FR) const {
  for (auto It = Chain.begin(), End = Chain.end(); It != End; ++It)
    if (It->isSameRegion(FR))
      return true;
  return false;
}
386 
/// Prints every element except the last to `Out`. Since ImmutableLists store
/// elements in reverse order, and have no reverse iterators, we use a
/// recursive function to print the fieldchain correctly. The last element in
/// the chain (its head) is printed by `FieldChainInfo::printNoteMsg`.
static void printTail(llvm::raw_ostream &Out,
                      const FieldChainInfo::FieldChain L);
393 
// FIXME: This function constructs an incorrect string in the following case:
//
//   struct Base { int x; };
//   struct D1 : Base {}; struct D2 : Base {};
//
//   struct MostDerived : D1, D2 {
//     MostDerived() {}
//   }
//
// A call to MostDerived::MostDerived() will cause two notes that say
// "uninitialized field 'this->x'", but we can't refer to 'x' directly,
// we need an explicit namespace resolution whether the uninit field was
// 'D1::x' or 'D2::x'.

/// Writes the note for the uninitialized field at the head of the chain,
/// e.g. `uninitialized field 'this->a.b'`.
///
/// \param Out Stream the note is written to; nothing is written for an
///            empty chain.
void FieldChainInfo::printNoteMsg(llvm::raw_ostream &Out) const {
  if (Chain.isEmpty())
    return;

  // The head is the uninitialized field itself; everything behind it is the
  // access path that leads to it.
  const FieldNode &Uninit = getHead();
  Uninit.printNoteMsg(Out);

  Out << '\'';
  for (const FieldNode &Node : Chain)
    Node.printPrefix(Out);
  Out << "this->";
  printTail(Out, Chain.getTail());
  Uninit.printNode(Out);
  Out << '\'';
}
424 
/// Recursive helper of FieldChainInfo::printNoteMsg; see its declaration.
///
/// \param Out Destination stream.
/// \param L   Chain tail to print, outermost field first.
static void printTail(llvm::raw_ostream &Out,
                      const FieldChainInfo::FieldChain L) {
  if (L.isEmpty())
    return;

  // Recurse before printing so the list's reverse storage order is undone.
  printTail(Out, L.getTail());

  const FieldNode &Node = L.getHead();
  Node.printNode(Out);
  Node.printSeparator(Out);
}
435 
436 //===----------------------------------------------------------------------===//
437 //                           Utility functions.
438 //===----------------------------------------------------------------------===//
439 
/// Resolves the object that \p CtorDecl constructs in the current frame.
///
/// \param CtorDecl Constructor whose `this` is looked up.
/// \param Context  Checker context supplying the frame and state.
/// \return The object's region, or nullptr when its type is not a C++ class.
static const TypedValueRegion *
getConstructedRegion(const CXXConstructorDecl *CtorDecl,
                     CheckerContext &Context) {
  const Loc ThisLoc =
      Context.getSValBuilder().getCXXThis(CtorDecl, Context.getStackFrame());
  const SVal ThisVal = Context.getState()->getSVal(ThisLoc);

  // NOTE(review): getAsRegion() is dereferenced unchecked; this relies on the
  // value of `this` in a constructor frame always being a region.
  const auto *R = ThisVal.getAsRegion()->getAs<TypedValueRegion>();

  // Only class-typed objects can be inspected for uninitialized fields.
  if (R && !R->getValueType()->getAsCXXRecordDecl())
    return nullptr;
  return R;
}
455 
/// Tells whether an enclosing constructor will analyze the object built by
/// \p Ctor, so that reporting it here would duplicate the diagnostic.
///
/// \param Ctor    Constructor currently returning.
/// \param Context Checker context for its frame.
/// \return true if the object is a subregion of one built by a constructor
///         further up the location-context chain.
static bool willObjectBeAnalyzedLater(const CXXConstructorDecl *Ctor,
                                      CheckerContext &Context) {
  const TypedValueRegion *CurrRegion = getConstructedRegion(Ctor, Context);
  if (!CurrRegion)
    return false;

  // Walk outwards through the enclosing location contexts.
  for (const LocationContext *LC = Context.getLocationContext()->getParent();
       LC; LC = LC->getParent()) {
    // Only other constructors can claim our object.
    const auto *OuterCtor = dyn_cast<CXXConstructorDecl>(LC->getDecl());
    if (!OuterCtor)
      continue;

    const TypedValueRegion *OuterRegion =
        getConstructedRegion(OuterCtor, Context);
    // Our object lives inside theirs, so it gets analyzed when they finish.
    if (OuterRegion && CurrRegion->isSubRegionOf(OuterRegion))
      return true;
  }

  return false;
}
484 
/// Tells whether \p RD has a field whose type name or field name matches the
/// user-supplied \p Pattern.
///
/// \param RD      Record definition to scan.
/// \param Pattern Regular expression from the IgnoreRecordsWithField option.
/// \return true on the first matching field.
static bool shouldIgnoreRecord(const RecordDecl *RD, StringRef Pattern) {
  // Compiled afresh on every call. NOTE(review): an invalid pattern is not
  // diagnosed here — llvm::Regex::match() then never matches, so a mistyped
  // option silently ignores nothing; Regex::isValid() at registration would
  // surface that.
  llvm::Regex FieldRegex(Pattern);

  const auto Fields = RD->fields();
  return std::any_of(Fields.begin(), Fields.end(), [&](const FieldDecl *FD) {
    // Type name is tried first, then the field name; either match suffices.
    return FieldRegex.match(FD->getType().getAsString()) ||
           FieldRegex.match(FD->getName());
  });
}
497 
/// Returns a printable name for \p Field, recovering one from the enclosing
/// lambda's capture list when the field belongs to a closure type.
///
/// \param Field Field whose name is wanted.
/// \return The field's name, or a "/*captured variable*/name" or
///         "/*'this' capture*/" marker for closure fields.
std::string clang::ento::getVariableName(const FieldDecl *Field) {
  const auto *Parent = dyn_cast<CXXRecordDecl>(Field->getParent());

  // Fields of a closure type are unnamed; the matching capture names them.
  if (!(Parent && Parent->isLambda()))
    return Field->getName();

  assert(Parent->captures_begin());
  // NOTE(review): this relies on the closure's fields and captures being
  // parallel, one field per capture in declaration order.
  const auto Capture = Parent->captures_begin() + Field->getFieldIndex();

  if (Capture->capturesVariable())
    return (llvm::Twine("/*captured variable*/") +
            Capture->getCapturedVar()->getName())
        .str();

  if (Capture->capturesThis())
    return "/*'this' capture*/";

  llvm_unreachable("No other capture type is expected!");
}
521 
/// Registers the checker and reads its options from the analyzer.
///
/// \param Mgr Checker manager that owns the checker and its options.
void ento::registerUninitializedObjectChecker(CheckerManager &Mgr) {
  auto *Checker = Mgr.registerChecker<UninitializedObjectChecker>();
  AnalyzerOptions &AnOpts = Mgr.getAnalyzerOptions();

  // All boolean options default to off.
  const auto BoolOpt = [&](StringRef Name) {
    return AnOpts.getCheckerBooleanOption(Name, /*DefaultVal*/ false, Checker);
  };

  UninitObjCheckerOptions &Opts = Checker->Opts;
  Opts.IsPedantic = BoolOpt("Pedantic");
  Opts.ShouldConvertNotesToWarnings = BoolOpt("NotesAsWarnings");
  Opts.CheckPointeeInitialization = BoolOpt("CheckPointeeInitialization");
  // Regex applied by shouldIgnoreRecord; empty disables the filter.
  Opts.IgnoredRecordsWithFieldPattern = AnOpts.getCheckerStringOption(
      "IgnoreRecordsWithField", /*DefaultVal*/ "", Checker);
}
538