lib/StaticAnalyzer/Checkers/UndefBranchChecker.cpp

   1 //=== UndefBranchChecker.cpp -----------------------------------*- C++ -*--===//
   2 //
   3 //                     The LLVM Compiler Infrastructure
   4 //
   5 // This file is distributed under the University of Illinois Open Source
   6 // License. See LICENSE.TXT for details.
   7 //
   8 //===----------------------------------------------------------------------===//
   9 //
  10 // This file defines UndefBranchChecker, which checks for undefined branch
  11 // condition.
  12 //
  13 //===----------------------------------------------------------------------===//
  14
  15 #include "InternalChecks.h"
  16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
  17 #include "clang/StaticAnalyzer/Core/PathSensitive/Checker.h"
  18
  19 using namespace clang;
  20 using namespace ento;
  21
  22 namespace {
  23
  24 class UndefBranchChecker : public Checker {
  25   BuiltinBug *BT;
  26
  27   struct FindUndefExpr {
  28     GRStateManager& VM;
  29     const GRState* St;
  30
  31     FindUndefExpr(GRStateManager& V, const GRState* S) : VM(V), St(S) {}
  32
  33     const Expr* FindExpr(const Expr* Ex) {
  34       if (!MatchesCriteria(Ex))
  35         return 0;
  36
  37       for (Stmt::const_child_iterator I = Ex->child_begin(),
  38                                       E = Ex->child_end();I!=E;++I)
  39         if (const Expr* ExI = dyn_cast_or_null<Expr>(*I)) {
  40           const Expr* E2 = FindExpr(ExI);
  41           if (E2) return E2;
  42         }
  43
  44       return Ex;
  45     }
  46
  47     bool MatchesCriteria(const Expr* Ex) { return St->getSVal(Ex).isUndef(); }
  48   };
  49
  50 public:
  51   UndefBranchChecker() : BT(0) {}
  52   static void *getTag();
  53   void VisitBranchCondition(BranchNodeBuilder &Builder, ExprEngine &Eng,
  54                             const Stmt *Condition, void *tag);
  55 };
  56
  57 }
  58
  59 void ento::RegisterUndefBranchChecker(ExprEngine &Eng) {
  60   Eng.registerCheck(new UndefBranchChecker());
  61 }
  62
  63 void *UndefBranchChecker::getTag() {
  64   static int x;
  65   return &x;
  66 }
  67
  68 void UndefBranchChecker::VisitBranchCondition(BranchNodeBuilder &Builder,
  69                                               ExprEngine &Eng,
  70                                               const Stmt *Condition, void *tag){
  71   const GRState *state = Builder.getState();
  72   SVal X = state->getSVal(Condition);
  73   if (X.isUndef()) {
  74     ExplodedNode *N = Builder.generateNode(state, true);
  75     if (N) {
  76       N->markAsSink();
  77       if (!BT)
  78         BT = new BuiltinBug("Branch condition evaluates to a garbage value");
  79
  80       // What's going on here: we want to highlight the subexpression of the
  81       // condition that is the most likely source of the "uninitialized
  82       // branch condition."  We do a recursive walk of the condition's
  83       // subexpressions and roughly look for the most nested subexpression
  84       // that binds to Undefined.  We then highlight that expression's range.
  85       BlockEdge B = cast<BlockEdge>(N->getLocation());
  86       const Expr* Ex = cast<Expr>(B.getSrc()->getTerminatorCondition());
  87       assert (Ex && "Block must have a terminator.");
  88
  89       // Get the predecessor node and check if is a PostStmt with the Stmt
  90       // being the terminator condition.  We want to inspect the state
  91       // of that node instead because it will contain main information about
  92       // the subexpressions.
  93       assert (!N->pred_empty());
  94
  95       // Note: any predecessor will do.  They should have identical state,
  96       // since all the BlockEdge did was act as an error sink since the value
  97       // had to already be undefined.
  98       ExplodedNode *PrevN = *N->pred_begin();
  99       ProgramPoint P = PrevN->getLocation();
 100       const GRState* St = N->getState();
 101
 102       if (PostStmt* PS = dyn_cast<PostStmt>(&P))
 103         if (PS->getStmt() == Ex)
 104           St = PrevN->getState();
 105
 106       FindUndefExpr FindIt(Eng.getStateManager(), St);
 107       Ex = FindIt.FindExpr(Ex);
 108
 109       // Emit the bug report.
 110       EnhancedBugReport *R = new EnhancedBugReport(*BT, BT->getDescription(),N);
 111       R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, Ex);
 112       R->addRange(Ex->getSourceRange());
 113
 114       Eng.getBugReporter().EmitReport(R);
 115     }
 116
 117     Builder.markInfeasible(true);
 118     Builder.markInfeasible(false);
 119   }
 120 }