NonNullParamChecker.cpp revision 6bcf27bb9a4b5c3f79cb44c0e4654a6d7619ad89
1//===--- NonNullParamChecker.cpp - Undefined arguments checker -*- C++ -*--===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This defines NonNullParamChecker, which checks for arguments expected not to 11// be null due to: 12// - the corresponding parameters being declared to have nonnull attribute 13// - the corresponding parameters being references; since the call would form 14// a reference to a null pointer 15// 16//===----------------------------------------------------------------------===// 17 18#include "ClangSACheckers.h" 19#include "clang/AST/Attr.h" 20#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 21#include "clang/StaticAnalyzer/Core/Checker.h" 22#include "clang/StaticAnalyzer/Core/CheckerManager.h" 23#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" 24#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 25 26using namespace clang; 27using namespace ento; 28 29namespace { 30class NonNullParamChecker 31 : public Checker< check::PreCall > { 32 mutable std::unique_ptr<BugType> BTAttrNonNull; 33 mutable std::unique_ptr<BugType> BTNullRefArg; 34 35public: 36 37 void checkPreCall(const CallEvent &Call, CheckerContext &C) const; 38 39 BugReport *genReportNullAttrNonNull(const ExplodedNode *ErrorN, 40 const Expr *ArgE) const; 41 BugReport *genReportReferenceToNullPointer(const ExplodedNode *ErrorN, 42 const Expr *ArgE) const; 43}; 44} // end anonymous namespace 45 46void NonNullParamChecker::checkPreCall(const CallEvent &Call, 47 CheckerContext &C) const { 48 const Decl *FD = Call.getDecl(); 49 if (!FD) 50 return; 51 52 const NonNullAttr *Att = FD->getAttr<NonNullAttr>(); 53 54 ProgramStateRef state = C.getState(); 55 56 CallEvent::param_type_iterator TyI = Call.param_type_begin(), 57 TyE = Call.param_type_end(); 58 59 for (unsigned idx = 0, count = Call.getNumArgs(); idx != count; ++idx){ 60 61 // Check if the parameter is a reference. We want to report when reference 62 // to a null pointer is passed as a paramter. 63 bool haveRefTypeParam = false; 64 if (TyI != TyE) { 65 haveRefTypeParam = (*TyI)->isReferenceType(); 66 TyI++; 67 } 68 69 bool haveAttrNonNull = Att && Att->isNonNull(idx); 70 if (!haveAttrNonNull) { 71 // Check if the parameter is also marked 'nonnull'. 72 ArrayRef<ParmVarDecl*> parms = Call.parameters(); 73 if (idx < parms.size()) 74 haveAttrNonNull = parms[idx]->hasAttr<NonNullAttr>(); 75 } 76 77 if (!haveRefTypeParam && !haveAttrNonNull) 78 continue; 79 80 // If the value is unknown or undefined, we can't perform this check. 81 const Expr *ArgE = Call.getArgExpr(idx); 82 SVal V = Call.getArgSVal(idx); 83 Optional<DefinedSVal> DV = V.getAs<DefinedSVal>(); 84 if (!DV) 85 continue; 86 87 // Process the case when the argument is not a location. 88 assert(!haveRefTypeParam || DV->getAs<Loc>()); 89 90 if (haveAttrNonNull && !DV->getAs<Loc>()) { 91 // If the argument is a union type, we want to handle a potential 92 // transparent_union GCC extension. 93 if (!ArgE) 94 continue; 95 96 QualType T = ArgE->getType(); 97 const RecordType *UT = T->getAsUnionType(); 98 if (!UT || !UT->getDecl()->hasAttr<TransparentUnionAttr>()) 99 continue; 100 101 if (Optional<nonloc::CompoundVal> CSV = 102 DV->getAs<nonloc::CompoundVal>()) { 103 nonloc::CompoundVal::iterator CSV_I = CSV->begin(); 104 assert(CSV_I != CSV->end()); 105 V = *CSV_I; 106 DV = V.getAs<DefinedSVal>(); 107 assert(++CSV_I == CSV->end()); 108 // FIXME: Handle (some_union){ some_other_union_val }, which turns into 109 // a LazyCompoundVal inside a CompoundVal. 110 if (!V.getAs<Loc>()) 111 continue; 112 // Retrieve the corresponding expression. 113 if (const CompoundLiteralExpr *CE = dyn_cast<CompoundLiteralExpr>(ArgE)) 114 if (const InitListExpr *IE = 115 dyn_cast<InitListExpr>(CE->getInitializer())) 116 ArgE = dyn_cast<Expr>(*(IE->begin())); 117 118 } else { 119 // FIXME: Handle LazyCompoundVals? 120 continue; 121 } 122 } 123 124 ConstraintManager &CM = C.getConstraintManager(); 125 ProgramStateRef stateNotNull, stateNull; 126 std::tie(stateNotNull, stateNull) = CM.assumeDual(state, *DV); 127 128 if (stateNull && !stateNotNull) { 129 // Generate an error node. Check for a null node in case 130 // we cache out. 131 if (ExplodedNode *errorNode = C.generateSink(stateNull)) { 132 133 BugReport *R = nullptr; 134 if (haveAttrNonNull) 135 R = genReportNullAttrNonNull(errorNode, ArgE); 136 else if (haveRefTypeParam) 137 R = genReportReferenceToNullPointer(errorNode, ArgE); 138 139 // Highlight the range of the argument that was null. 140 R->addRange(Call.getArgSourceRange(idx)); 141 142 // Emit the bug report. 143 C.emitReport(R); 144 } 145 146 // Always return. Either we cached out or we just emitted an error. 147 return; 148 } 149 150 // If a pointer value passed the check we should assume that it is 151 // indeed not null from this point forward. 152 assert(stateNotNull); 153 state = stateNotNull; 154 } 155 156 // If we reach here all of the arguments passed the nonnull check. 157 // If 'state' has been updated generated a new node. 158 C.addTransition(state); 159} 160 161BugReport *NonNullParamChecker::genReportNullAttrNonNull( 162 const ExplodedNode *ErrorNode, const Expr *ArgE) const { 163 // Lazily allocate the BugType object if it hasn't already been 164 // created. Ownership is transferred to the BugReporter object once 165 // the BugReport is passed to 'EmitWarning'. 166 if (!BTAttrNonNull) 167 BTAttrNonNull.reset(new BugType( 168 this, "Argument with 'nonnull' attribute passed null", "API")); 169 170 BugReport *R = new BugReport(*BTAttrNonNull, 171 "Null pointer passed as an argument to a 'nonnull' parameter", 172 ErrorNode); 173 if (ArgE) 174 bugreporter::trackNullOrUndefValue(ErrorNode, ArgE, *R); 175 176 return R; 177} 178 179BugReport *NonNullParamChecker::genReportReferenceToNullPointer( 180 const ExplodedNode *ErrorNode, const Expr *ArgE) const { 181 if (!BTNullRefArg) 182 BTNullRefArg.reset(new BuiltinBug(this, "Dereference of null pointer")); 183 184 BugReport *R = new BugReport(*BTNullRefArg, 185 "Forming reference to null pointer", 186 ErrorNode); 187 if (ArgE) { 188 const Expr *ArgEDeref = bugreporter::getDerefExpr(ArgE); 189 if (!ArgEDeref) 190 ArgEDeref = ArgE; 191 bugreporter::trackNullOrUndefValue(ErrorNode, 192 ArgEDeref, 193 *R); 194 } 195 return R; 196 197} 198 199void ento::registerNonNullParamChecker(CheckerManager &mgr) { 200 mgr.registerChecker<NonNullParamChecker>(); 201} 202