1//=== UndefResultChecker.cpp ------------------------------------*- C++ -*-===//
2//
3//                     The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This defines UndefResultChecker, a builtin check in ExprEngine that
11// performs checks for undefined results of non-assignment binary operators.
12//
13//===----------------------------------------------------------------------===//
14
15#include "ClangSACheckers.h"
16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17#include "clang/StaticAnalyzer/Core/Checker.h"
18#include "clang/StaticAnalyzer/Core/CheckerManager.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
21#include "llvm/ADT/SmallString.h"
22#include "llvm/Support/raw_ostream.h"
23
24using namespace clang;
25using namespace ento;
26
27namespace {
28class UndefResultChecker
29  : public Checker< check::PostStmt<BinaryOperator> > {
30
31  mutable std::unique_ptr<BugType> BT;
32
33public:
34  void checkPostStmt(const BinaryOperator *B, CheckerContext &C) const;
35};
36} // end anonymous namespace
37
38void UndefResultChecker::checkPostStmt(const BinaryOperator *B,
39                                       CheckerContext &C) const {
40  ProgramStateRef state = C.getState();
41  const LocationContext *LCtx = C.getLocationContext();
42  if (state->getSVal(B, LCtx).isUndef()) {
43
44    // Do not report assignments of uninitialized values inside swap functions.
45    // This should allow to swap partially uninitialized structs
46    // (radar://14129997)
47    if (const FunctionDecl *EnclosingFunctionDecl =
48        dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
49      if (C.getCalleeName(EnclosingFunctionDecl) == "swap")
50        return;
51
52    // Generate an error node.
53    ExplodedNode *N = C.generateSink();
54    if (!N)
55      return;
56
57    if (!BT)
58      BT.reset(
59          new BuiltinBug(this, "Result of operation is garbage or undefined"));
60
61    SmallString<256> sbuf;
62    llvm::raw_svector_ostream OS(sbuf);
63    const Expr *Ex = nullptr;
64    bool isLeft = true;
65
66    if (state->getSVal(B->getLHS(), LCtx).isUndef()) {
67      Ex = B->getLHS()->IgnoreParenCasts();
68      isLeft = true;
69    }
70    else if (state->getSVal(B->getRHS(), LCtx).isUndef()) {
71      Ex = B->getRHS()->IgnoreParenCasts();
72      isLeft = false;
73    }
74
75    if (Ex) {
76      OS << "The " << (isLeft ? "left" : "right")
77         << " operand of '"
78         << BinaryOperator::getOpcodeStr(B->getOpcode())
79         << "' is a garbage value";
80    }
81    else {
82      // Neither operand was undefined, but the result is undefined.
83      OS << "The result of the '"
84         << BinaryOperator::getOpcodeStr(B->getOpcode())
85         << "' expression is undefined";
86    }
87    BugReport *report = new BugReport(*BT, OS.str(), N);
88    if (Ex) {
89      report->addRange(Ex->getSourceRange());
90      bugreporter::trackNullOrUndefValue(N, Ex, *report);
91    }
92    else
93      bugreporter::trackNullOrUndefValue(N, B, *report);
94
95    C.emitReport(report);
96  }
97}
98
99void ento::registerUndefResultChecker(CheckerManager &mgr) {
100  mgr.registerChecker<UndefResultChecker>();
101}
102