Checkers.td revision 266636128f87c167ff5a99e2e6e6136ab2495f08 
1//===--- Checkers.td - Static Analyzer Checkers -===-----------------------===//
2//
3//                     The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9
10include "clang/StaticAnalyzer/Checkers/CheckerBase.td"
11
12//===----------------------------------------------------------------------===//
13// Packages.
14//===----------------------------------------------------------------------===//
15
16def Experimental : Package<"experimental">;
17
18def Core : Package<"core">;
19def CoreBuiltin : Package<"builtin">, InPackage<Core>;
20def CoreUninitialized  : Package<"uninitialized">, InPackage<Core>;
21def CoreExperimental : Package<"core">, InPackage<Experimental>, Hidden;
22
23def Cplusplus : Package<"cplusplus">;
24def CplusplusExperimental : Package<"cplusplus">, InPackage<Experimental>, Hidden;
25
26def DeadCode : Package<"deadcode">;
27def DeadCodeExperimental : Package<"deadcode">, InPackage<Experimental>, Hidden;
28
29def Security : Package <"security">;
30def InsecureAPI : Package<"insecureAPI">, InPackage<Security>;
31def SecurityExperimental : Package<"security">, InPackage<Experimental>, Hidden;
32def Taint : Package<"taint">, InPackage<SecurityExperimental>, Hidden;  
33
34def Unix : Package<"unix">;
35def UnixExperimental : Package<"unix">, InPackage<Experimental>, Hidden;
36def CString : Package<"cstring">, InPackage<Unix>, Hidden;
37def CStringExperimental : Package<"cstring">, InPackage<UnixExperimental>, Hidden;
38
39def OSX : Package<"osx">;
40def OSXExperimental : Package<"osx">, InPackage<Experimental>, Hidden;
41def Cocoa : Package<"cocoa">, InPackage<OSX>;
42def CocoaExperimental : Package<"cocoa">, InPackage<OSXExperimental>, Hidden;
43def CoreFoundation : Package<"coreFoundation">, InPackage<OSX>;
44def Containers : Package<"containers">, InPackage<CoreFoundation>;
45
46def LLVM : Package<"llvm">;
47def Debug : Package<"debug">;
48
49//===----------------------------------------------------------------------===//
50// Core Checkers.
51//===----------------------------------------------------------------------===//
52
53let ParentPackage = Core in {
54
55def DereferenceChecker : Checker<"NullDereference">,
56  HelpText<"Check for dereferences of null pointers">,
57  DescFile<"DereferenceChecker.cpp">;
58
59def CallAndMessageChecker : Checker<"CallAndMessage">,
60  HelpText<"Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers)">,
61  DescFile<"CallAndMessageChecker.cpp">;
62
63def AdjustedReturnValueChecker : Checker<"AdjustedReturnValue">,
64  HelpText<"Check to see if the return value of a function call is different than the caller expects (e.g., from calls through function pointers)">,
65  DescFile<"AdjustedReturnValueChecker.cpp">;
66
67def AttrNonNullChecker : Checker<"AttributeNonNull">,
68  HelpText<"Check for null pointers passed as arguments to a function whose arguments are marked with the 'nonnull' attribute">,
69  DescFile<"AttrNonNullChecker.cpp">;
70
71def VLASizeChecker : Checker<"VLASize">,
72  HelpText<"Check for declarations of VLA of undefined or zero size">,
73  DescFile<"VLASizeChecker.cpp">;
74
75def DivZeroChecker : Checker<"DivideZero">,
76  HelpText<"Check for division by zero">,
77  DescFile<"DivZeroChecker.cpp">;
78
79def UndefResultChecker : Checker<"UndefinedBinaryOperatorResult">,
80  HelpText<"Check for undefined results of binary operators">,
81  DescFile<"UndefResultChecker.cpp">;
82
83def StackAddrEscapeChecker : Checker<"StackAddressEscape">,
84  HelpText<"Check that addresses to stack memory do not escape the function">,
85  DescFile<"StackAddrEscapeChecker.cpp">;
86
87def DynamicTypePropagation : Checker<"DynamicTypePropagation">,
88  HelpText<"Generate dynamic type information">,
89  DescFile<"DynamicTypePropagation.cpp">;
90
91} // end "core"
92
93let ParentPackage = CoreExperimental in {
94
95def BoolAssignmentChecker : Checker<"BoolAssignment">,
96  HelpText<"Warn about assigning non-{0,1} values to Boolean variables">,
97  DescFile<"BoolAssignmentChecker.cpp">;
98
99def CastSizeChecker : Checker<"CastSize">,
100  HelpText<"Check when casting a malloc'ed type T, whether the size is a multiple of the size of T">,
101  DescFile<"CastSizeChecker.cpp">;
102
103def CastToStructChecker : Checker<"CastToStruct">,
104  HelpText<"Check for cast from non-struct pointer to struct pointer">,
105  DescFile<"CastToStructChecker.cpp">;
106
107def FixedAddressChecker : Checker<"FixedAddr">,
108  HelpText<"Check for assignment of a fixed address to a pointer">,
109  DescFile<"FixedAddressChecker.cpp">;
110
111def PointerArithChecker : Checker<"PointerArithm">,
112  HelpText<"Check for pointer arithmetic on locations other than array elements">,
113  DescFile<"PointerArithChecker">;
114
115def PointerSubChecker : Checker<"PointerSub">,
116  HelpText<"Check for pointer subtractions on two pointers pointing to different memory chunks">,
117  DescFile<"PointerSubChecker">;
118
119def SizeofPointerChecker : Checker<"SizeofPtr">,
120  HelpText<"Warn about unintended use of sizeof() on pointer expressions">,
121  DescFile<"CheckSizeofPointer.cpp">;
122
123} // end "core.experimental"
124
125//===----------------------------------------------------------------------===//
126// Evaluate "builtin" functions.
127//===----------------------------------------------------------------------===//
128
129let ParentPackage = CoreBuiltin in {
130
131def NoReturnFunctionChecker : Checker<"NoReturnFunctions">,
132  HelpText<"Evaluate \"panic\" functions that are known to not return to the caller">,
133  DescFile<"NoReturnFunctionChecker.cpp">;
134
135def BuiltinFunctionChecker : Checker<"BuiltinFunctions">,
136  HelpText<"Evaluate compiler builtin functions (e.g., alloca())">,
137  DescFile<"BuiltinFunctionChecker.cpp">;
138
139} // end "core.builtin"
140
141//===----------------------------------------------------------------------===//
142// Uninitialized values checkers.
143//===----------------------------------------------------------------------===//
144
145let ParentPackage = CoreUninitialized in {
146
147def UndefinedArraySubscriptChecker : Checker<"ArraySubscript">,
148  HelpText<"Check for uninitialized values used as array subscripts">,
149  DescFile<"UndefinedArraySubscriptChecker.cpp">;
150
151def UndefinedAssignmentChecker : Checker<"Assign">,
152  HelpText<"Check for assigning uninitialized values">,
153  DescFile<"UndefinedAssignmentChecker.cpp">;
154
155def UndefBranchChecker : Checker<"Branch">,
156  HelpText<"Check for uninitialized values used as branch conditions">,
157  DescFile<"UndefBranchChecker.cpp">;
158
159def UndefCapturedBlockVarChecker : Checker<"CapturedBlockVariable">,
160  HelpText<"Check for blocks that capture uninitialized values">,
161  DescFile<"UndefCapturedBlockVarChecker.cpp">;
162  
163def ReturnUndefChecker : Checker<"UndefReturn">,
164  HelpText<"Check for uninitialized values being returned to the caller">,
165  DescFile<"ReturnUndefChecker.cpp">;
166
167} // end "core.uninitialized"
168
169//===----------------------------------------------------------------------===//
170// C++ checkers.
171//===----------------------------------------------------------------------===//
172
173let ParentPackage = CplusplusExperimental in {
174
175def VirtualCallChecker : Checker<"VirtualCall">,
176  HelpText<"Check virtual function calls during construction or destruction">, 
177  DescFile<"VirtualCallChecker.cpp">;
178
179} // end: "cplusplus.experimental"
180
181//===----------------------------------------------------------------------===//
182// Deadcode checkers.
183//===----------------------------------------------------------------------===//
184
185let ParentPackage = DeadCode in {
186
187def DeadStoresChecker : Checker<"DeadStores">,
188  HelpText<"Check for values stored to variables that are never read afterwards">,
189  DescFile<"DeadStoresChecker.cpp">;
190} // end DeadCode
191
192let ParentPackage = DeadCodeExperimental in {
193
194def IdempotentOperationChecker : Checker<"IdempotentOperations">,
195  HelpText<"Warn about idempotent operations">,
196  DescFile<"IdempotentOperationChecker.cpp">;
197
198def UnreachableCodeChecker : Checker<"UnreachableCode">,
199  HelpText<"Check unreachable code">,
200  DescFile<"UnreachableCodeChecker.cpp">;
201
202} // end "deadcode.experimental"
203
204//===----------------------------------------------------------------------===//
205// Security checkers.
206//===----------------------------------------------------------------------===//
207
208let ParentPackage = InsecureAPI in {
209  def gets : Checker<"gets">,
210    HelpText<"Warn on uses of the 'gets' function">,
211    DescFile<"CheckSecuritySyntaxOnly.cpp">;
212  def getpw : Checker<"getpw">,
213    HelpText<"Warn on uses of the 'getpw' function">,
214    DescFile<"CheckSecuritySyntaxOnly.cpp">;
215  def mktemp : Checker<"mktemp">,
216    HelpText<"Warn on uses of the 'mktemp' function">,
217    DescFile<"CheckSecuritySyntaxOnly.cpp">;
218  def mkstemp : Checker<"mkstemp">,
219    HelpText<"Warn when 'mkstemp' is passed fewer than 6 X's in the format string">,
220    DescFile<"CheckSecuritySyntaxOnly.cpp">;
221  def rand : Checker<"rand">,
222    HelpText<"Warn on uses of the 'rand', 'random', and related functions">,
223    DescFile<"CheckSecuritySyntaxOnly.cpp">;
224  def strcpy : Checker<"strcpy">,
225    HelpText<"Warn on uses of the 'strcpy' and 'strcat' functions">,
226    DescFile<"CheckSecuritySyntaxOnly.cpp">;
227  def vfork : Checker<"vfork">,
228    HelpText<"Warn on uses of the 'vfork' function">,
229    DescFile<"CheckSecuritySyntaxOnly.cpp">;
230  def UncheckedReturn : Checker<"UncheckedReturn">,
231    HelpText<"Warn on uses of functions whose return values must be always checked">,
232    DescFile<"CheckSecuritySyntaxOnly.cpp">;
233}
234let ParentPackage = Security in {
235  def FloatLoopCounter : Checker<"FloatLoopCounter">,
236    HelpText<"Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP)">,
237    DescFile<"CheckSecuritySyntaxOnly.cpp">;
238}
239
240let ParentPackage = SecurityExperimental in {
241
242def ArrayBoundChecker : Checker<"ArrayBound">,
243  HelpText<"Warn about buffer overflows (older checker)">,
244  DescFile<"ArrayBoundChecker.cpp">;  
245
246def ArrayBoundCheckerV2 : Checker<"ArrayBoundV2">,
247  HelpText<"Warn about buffer overflows (newer checker)">,
248  DescFile<"ArrayBoundCheckerV2.cpp">;
249
250def ReturnPointerRangeChecker : Checker<"ReturnPtrRange">,
251  HelpText<"Check for an out-of-bound pointer being returned to callers">,
252  DescFile<"ReturnPointerRangeChecker.cpp">;
253
254def MallocOverflowSecurityChecker : Checker<"MallocOverflow">,
255  HelpText<"Check for overflows in the arguments to malloc()">,
256  DescFile<"MallocOverflowSecurityChecker.cpp">;
257
258} // end "security.experimental"
259
260//===----------------------------------------------------------------------===//
261// Taint checkers.
262//===----------------------------------------------------------------------===//
263
264let ParentPackage = Taint in {
265
266def GenericTaintChecker : Checker<"TaintPropagation">,
267  HelpText<"Generate taint information used by other checkers">,
268  DescFile<"GenericTaintChecker.cpp">;
269
270} // end "experimental.security.taint"
271
272//===----------------------------------------------------------------------===//
273// Unix API checkers.
274//===----------------------------------------------------------------------===//
275
276let ParentPackage = Unix in {
277
278def UnixAPIChecker : Checker<"API">,
279  HelpText<"Check calls to various UNIX/Posix functions">,
280  DescFile<"UnixAPIChecker.cpp">;
281
282def MallocPessimistic : Checker<"Malloc">,
283  HelpText<"Check for memory leaks, double free, and use-after-free problems.">,
284  DescFile<"MallocChecker.cpp">;
285  
286def MallocSizeofChecker : Checker<"MallocSizeof">,
287  HelpText<"Check for dubious malloc arguments involving sizeof">,
288  DescFile<"MallocSizeofChecker.cpp">;
289  
290} // end "unix"
291
292let ParentPackage = UnixExperimental in {
293
294def ChrootChecker : Checker<"Chroot">,
295  HelpText<"Check improper use of chroot">,
296  DescFile<"ChrootChecker.cpp">;
297
298def MallocOptimistic : Checker<"MallocWithAnnotations">,
299  HelpText<"Check for memory leaks, double free, and use-after-free problems. Assumes that all user-defined functions which might free a pointer are annotated.">,
300  DescFile<"MallocChecker.cpp">;
301
302def PthreadLockChecker : Checker<"PthreadLock">,
303  HelpText<"Simple lock -> unlock checker">,
304  DescFile<"PthreadLockChecker.cpp">;
305
306def StreamChecker : Checker<"Stream">,
307  HelpText<"Check stream handling functions">,
308  DescFile<"StreamChecker.cpp">;
309
310} // end "unix.experimental"
311
312let ParentPackage = CString in {
313
314def CStringNullArg : Checker<"NullArg">,
315  HelpText<"Check for null pointers being passed as arguments to C string functions">,
316  DescFile<"CStringChecker.cpp">;
317
318def CStringSyntaxChecker : Checker<"BadSizeArg">,
319  HelpText<"Check the size argument passed into C string functions for common erroneous patterns">,
320  DescFile<"CStringSyntaxChecker.cpp">;  
321}
322
323let ParentPackage = CStringExperimental in {
324
325def CStringOutOfBounds : Checker<"OutOfBounds">,
326  HelpText<"Check for out-of-bounds access in string functions">,
327  DescFile<"CStringChecker.cpp">;
328
329def CStringBufferOverlap : Checker<"BufferOverlap">,
330  HelpText<"Checks for overlap in two buffer arguments">,
331  DescFile<"CStringChecker.cpp">;
332
333def CStringNotNullTerm : Checker<"NotNullTerminated">,
334  HelpText<"Check for arguments which are not null-terminating strings">,
335  DescFile<"CStringChecker.cpp">;
336}
337
338//===----------------------------------------------------------------------===//
339// Mac OS X, Cocoa, and Core Foundation checkers.
340//===----------------------------------------------------------------------===//
341
342let ParentPackage = OSX in {
343
344def MacOSXAPIChecker : Checker<"API">,
345  InPackage<OSX>,
346  HelpText<"Check for proper uses of various Mac OS X APIs">,
347  DescFile<"MacOSXAPIChecker.cpp">;
348
349def OSAtomicChecker : Checker<"AtomicCAS">,
350  InPackage<OSX>,
351  HelpText<"Evaluate calls to OSAtomic functions">,
352  DescFile<"OSAtomicChecker.cpp">;
353
354def MacOSKeychainAPIChecker : Checker<"SecKeychainAPI">,
355  InPackage<OSX>,
356  HelpText<"Check for proper uses of Secure Keychain APIs">,
357  DescFile<"MacOSKeychainAPIChecker.cpp">;
358
359} // end "macosx"
360
361let ParentPackage = Cocoa in {
362
363def ObjCAtSyncChecker : Checker<"AtSync">,
364  HelpText<"Check for nil pointers used as mutexes for @synchronized">,
365  DescFile<"ObjCAtSyncChecker.cpp">;
366
367def NilArgChecker : Checker<"NilArg">,
368  HelpText<"Check for prohibited nil arguments to ObjC method calls">,
369  DescFile<"BasicObjCFoundationChecks.cpp">;
370
371def ClassReleaseChecker : Checker<"ClassRelease">,
372  HelpText<"Check for sending 'retain', 'release', or 'autorelease' directly to a Class">,
373  DescFile<"BasicObjCFoundationChecks.cpp">;
374
375def VariadicMethodTypeChecker : Checker<"VariadicMethodTypes">,
376  HelpText<"Check for passing non-Objective-C types to variadic collection "
377           "initialization methods that expect only Objective-C types">,
378  DescFile<"BasicObjCFoundationChecks.cpp">;
379
380def NSAutoreleasePoolChecker : Checker<"NSAutoreleasePool">,
381  HelpText<"Warn for suboptimal uses of NSAutoreleasePool in Objective-C GC mode">,
382  DescFile<"NSAutoreleasePoolChecker.cpp">;
383
384def ObjCMethSigsChecker : Checker<"IncompatibleMethodTypes">,
385  HelpText<"Warn about Objective-C method signatures with type incompatibilities">,
386  DescFile<"CheckObjCInstMethSignature.cpp">;
387
388def ObjCUnusedIvarsChecker : Checker<"UnusedIvars">,
389  HelpText<"Warn about private ivars that are never used">,
390  DescFile<"ObjCUnusedIVarsChecker.cpp">;
391
392def ObjCSelfInitChecker : Checker<"SelfInit">,
393  HelpText<"Check that 'self' is properly initialized inside an initializer method">,
394  DescFile<"ObjCSelfInitChecker.cpp">;
395
396def ObjCLoopChecker : Checker<"Loops">,
397  HelpText<"Improved modeling of loops using Cocoa collection types">,
398  DescFile<"BasicObjCFoundationChecks.cpp">;
399
400def ObjCNonNilReturnValueChecker : Checker<"NonNilReturnValue">,
401  HelpText<"Model the APIs that are guaranteed to return a non-nil value">,
402  DescFile<"BasicObjCFoundationChecks.cpp">;
403
404def NSErrorChecker : Checker<"NSError">,
405  HelpText<"Check usage of NSError** parameters">,
406  DescFile<"NSErrorChecker.cpp">;
407
408def RetainCountChecker : Checker<"RetainCount">,
409  HelpText<"Check for leaks and improper reference count management">,
410  DescFile<"RetainCountChecker.cpp">;
411
412} // end "osx.cocoa"
413
414let ParentPackage = CocoaExperimental in {
415
416def ObjCDeallocChecker : Checker<"Dealloc">,
417  HelpText<"Warn about Objective-C classes that lack a correct implementation of -dealloc">,
418  DescFile<"CheckObjCDealloc.cpp">;
419
420} // end "cocoa.experimental"
421
422let ParentPackage = CoreFoundation in {
423
424def CFNumberCreateChecker : Checker<"CFNumber">,
425  HelpText<"Check for proper uses of CFNumberCreate">,
426  DescFile<"BasicObjCFoundationChecks.cpp">;
427
428def CFRetainReleaseChecker : Checker<"CFRetainRelease">,
429  HelpText<"Check for null arguments to CFRetain/CFRelease">,
430  DescFile<"BasicObjCFoundationChecks.cpp">;
431
432def CFErrorChecker : Checker<"CFError">,
433  HelpText<"Check usage of CFErrorRef* parameters">,
434  DescFile<"NSErrorChecker.cpp">;
435}
436
437let ParentPackage = Containers in {
438def ObjCContainersASTChecker : Checker<"PointerSizedValues">,
439  HelpText<"Warns if 'CFArray', 'CFDictionary', 'CFSet' are created with non-pointer-size values">,
440  DescFile<"ObjCContainersASTChecker.cpp">;
441
442def ObjCContainersChecker : Checker<"OutOfBounds">,
443  HelpText<"Checks for index out-of-bounds when using 'CFArray' API">,
444  DescFile<"ObjCContainersChecker.cpp">;
445    
446}
447//===----------------------------------------------------------------------===//
448// Checkers for LLVM development.
449//===----------------------------------------------------------------------===//
450
451def LLVMConventionsChecker : Checker<"Conventions">,
452  InPackage<LLVM>,
453  HelpText<"Check code for LLVM codebase conventions">,
454  DescFile<"LLVMConventionsChecker.cpp">;
455
456//===----------------------------------------------------------------------===//
457// Debugging checkers (for analyzer development).
458//===----------------------------------------------------------------------===//
459
460let ParentPackage = Debug in {
461
462def DominatorsTreeDumper : Checker<"DumpDominators">,
463  HelpText<"Print the dominance tree for a given CFG">,
464  DescFile<"DebugCheckers.cpp">;
465
466def LiveVariablesDumper : Checker<"DumpLiveVars">,
467  HelpText<"Print results of live variable analysis">,
468  DescFile<"DebugCheckers.cpp">;
469
470def CFGViewer : Checker<"ViewCFG">,
471  HelpText<"View Control-Flow Graphs using GraphViz">,
472  DescFile<"DebugCheckers.cpp">;
473
474def CFGDumper : Checker<"DumpCFG">,
475  HelpText<"Display Control-Flow Graphs">,
476  DescFile<"DebugCheckers.cpp">;
477
478def CallGraphViewer : Checker<"ViewCallGraph">,
479  HelpText<"View Call Graph using GraphViz">,
480  DescFile<"DebugCheckers.cpp">;
481
482def CallGraphDumper : Checker<"DumpCallGraph">,
483  HelpText<"Display Call Graph">,
484  DescFile<"DebugCheckers.cpp">;
485
486def TraversalDumper : Checker<"DumpTraversal">,
487  HelpText<"Print branch conditions as they are traversed by the engine">,
488  DescFile<"TraversalChecker.cpp">;
489
490def CallDumper : Checker<"DumpCalls">,
491  HelpText<"Print calls as they are traversed by the engine">,
492  DescFile<"TraversalChecker.cpp">;
493
494def AnalyzerStatsChecker : Checker<"Stats">,
495  HelpText<"Emit warnings with analyzer statistics">,
496  DescFile<"AnalyzerStatsChecker.cpp">;
497
498def TaintTesterChecker : Checker<"TaintTest">,
499  HelpText<"Mark tainted symbols as such.">,
500  DescFile<"TaintTesterChecker.cpp">;
501
502def ExprInspectionChecker : Checker<"ExprInspection">,
503  HelpText<"Check the analyzer's understanding of expressions">,
504  DescFile<"ExprInspectionChecker.cpp">;
505
506} // end "debug"
507
508