UndefResultChecker.cpp revision 52810c51afaa10b30319d236d353d70534cf9356 
1//=== UndefResultChecker.cpp ------------------------------------*- C++ -*-===//
2//
3//                     The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This defines UndefResultChecker, a builtin check in ExprEngine that
11// performs checks for undefined results of non-assignment binary operators.
12//
13//===----------------------------------------------------------------------===//
14
15#include "ClangSACheckers.h"
16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17#include "clang/StaticAnalyzer/Core/Checker.h"
18#include "clang/StaticAnalyzer/Core/CheckerManager.h"
19#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
20#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
21#include "llvm/ADT/SmallString.h"
22#include "llvm/Support/raw_ostream.h"
23
24using namespace clang;
25using namespace ento;
26
27namespace {
28class UndefResultChecker
29  : public Checker< check::PostStmt<BinaryOperator> > {
30
31  mutable OwningPtr<BugType> BT;
32
33public:
34  void checkPostStmt(const BinaryOperator *B, CheckerContext &C) const;
35};
36} // end anonymous namespace
37
38void UndefResultChecker::checkPostStmt(const BinaryOperator *B,
39                                       CheckerContext &C) const {
40  ProgramStateRef state = C.getState();
41  const LocationContext *LCtx = C.getLocationContext();
42  if (state->getSVal(B, LCtx).isUndef()) {
43
44    // Do not report assignments of uninitialized values inside swap functions.
45    // This should allow to swap partially uninitialized structs
46    // (radar://14129997)
47    if (const FunctionDecl *EnclosingFunctionDecl =
48        dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl()))
49      if (C.getCalleeName(EnclosingFunctionDecl) == "swap")
50        return;
51
52    // Generate an error node.
53    ExplodedNode *N = C.generateSink();
54    if (!N)
55      return;
56
57    if (!BT)
58      BT.reset(new BuiltinBug("Result of operation is garbage or undefined"));
59
60    SmallString<256> sbuf;
61    llvm::raw_svector_ostream OS(sbuf);
62    const Expr *Ex = NULL;
63    bool isLeft = true;
64
65    if (state->getSVal(B->getLHS(), LCtx).isUndef()) {
66      Ex = B->getLHS()->IgnoreParenCasts();
67      isLeft = true;
68    }
69    else if (state->getSVal(B->getRHS(), LCtx).isUndef()) {
70      Ex = B->getRHS()->IgnoreParenCasts();
71      isLeft = false;
72    }
73
74    if (Ex) {
75      OS << "The " << (isLeft ? "left" : "right")
76         << " operand of '"
77         << BinaryOperator::getOpcodeStr(B->getOpcode())
78         << "' is a garbage value";
79    }
80    else {
81      // Neither operand was undefined, but the result is undefined.
82      OS << "The result of the '"
83         << BinaryOperator::getOpcodeStr(B->getOpcode())
84         << "' expression is undefined";
85    }
86    BugReport *report = new BugReport(*BT, OS.str(), N);
87    if (Ex) {
88      report->addRange(Ex->getSourceRange());
89      bugreporter::trackNullOrUndefValue(N, Ex, *report);
90    }
91    else
92      bugreporter::trackNullOrUndefValue(N, B, *report);
93
94    C.emitReport(report);
95  }
96}
97
98void ento::registerUndefResultChecker(CheckerManager &mgr) {
99  mgr.registerChecker<UndefResultChecker>();
100}
101