void ento::RegisterAppleChecks(ExprEngine& Eng, const Decl &D) {
Eng.registerCheck(new NilArgChecker());
Eng.registerCheck(new CFNumberCreateChecker());
RegisterNSErrorChecks(Eng.getBugReporter(), Eng, D);
RegisterNSAutoreleasePoolChecks(Eng);
Eng.registerCheck(new CFRetainReleaseChecker());
Eng.registerCheck(new ClassReleaseChecker());
}
void UndefBranchChecker::checkBranchCondition(const Stmt *Condition,
BranchNodeBuilder &Builder,
ExprEngine &Eng) const {
const GRState *state = Builder.getState();
SVal X = state->getSVal(Condition);
if (X.isUndef()) {
ExplodedNode *N = Builder.generateNode(state, true);
if (N) {
N->markAsSink();
if (!BT)
BT.reset(
new BuiltinBug("Branch condition evaluates to a garbage value"));
// What's going on here: we want to highlight the subexpression of the
// condition that is the most likely source of the "uninitialized
// branch condition." We do a recursive walk of the condition's
// subexpressions and roughly look for the most nested subexpression
// that binds to Undefined. We then highlight that expression's range.
BlockEdge B = cast<BlockEdge>(N->getLocation());
const Expr* Ex = cast<Expr>(B.getSrc()->getTerminatorCondition());
assert (Ex && "Block must have a terminator.");
// Get the predecessor node and check if is a PostStmt with the Stmt
// being the terminator condition. We want to inspect the state
// of that node instead because it will contain main information about
// the subexpressions.
assert (!N->pred_empty());
// Note: any predecessor will do. They should have identical state,
// since all the BlockEdge did was act as an error sink since the value
// had to already be undefined.
ExplodedNode *PrevN = *N->pred_begin();
ProgramPoint P = PrevN->getLocation();
const GRState* St = N->getState();
if (PostStmt* PS = dyn_cast<PostStmt>(&P))
if (PS->getStmt() == Ex)
St = PrevN->getState();
FindUndefExpr FindIt(Eng.getStateManager(), St);
Ex = FindIt.FindExpr(Ex);
// Emit the bug report.
EnhancedBugReport *R = new EnhancedBugReport(*BT, BT->getDescription(),N);
R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, Ex);
R->addRange(Ex->getSourceRange());
Eng.getBugReporter().EmitReport(R);
}
Builder.markInfeasible(true);
Builder.markInfeasible(false);
}
}
/// \brief Run checkers for evaluating a call.
/// Only one checker will evaluate the call.
void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst,
const ExplodedNodeSet &Src,
const CallEvent &Call,
ExprEngine &Eng) {
const CallExpr *CE = cast<CallExpr>(Call.getOriginExpr());
for (ExplodedNodeSet::iterator
NI = Src.begin(), NE = Src.end(); NI != NE; ++NI) {
ExplodedNode *Pred = *NI;
bool anyEvaluated = false;
ExplodedNodeSet checkDst;
NodeBuilder B(Pred, checkDst, Eng.getBuilderContext());
// Check if any of the EvalCall callbacks can evaluate the call.
for (std::vector<EvalCallFunc>::iterator
EI = EvalCallCheckers.begin(), EE = EvalCallCheckers.end();
EI != EE; ++EI) {
ProgramPoint::Kind K = ProgramPoint::PostStmtKind;
const ProgramPoint &L = ProgramPoint::getProgramPoint(CE, K,
Pred->getLocationContext(), EI->Checker);
bool evaluated = false;
{ // CheckerContext generates transitions(populates checkDest) on
// destruction, so introduce the scope to make sure it gets properly
// populated.
CheckerContext C(B, Eng, Pred, L);
evaluated = (*EI)(CE, C);
}
assert(!(evaluated && anyEvaluated)
&& "There are more than one checkers evaluating the call");
if (evaluated) {
anyEvaluated = true;
Dst.insert(checkDst);
#ifdef NDEBUG
break; // on release don't check that no other checker also evals.
#endif
}
}
// If none of the checkers evaluated the call, ask ExprEngine to handle it.
if (!anyEvaluated) {
NodeBuilder B(Pred, Dst, Eng.getBuilderContext());
Eng.defaultEvalCall(B, Pred, Call);
}
}
}
void MallocChecker::checkEndPath(EndOfFunctionNodeBuilder &B,
ExprEngine &Eng) const {
const GRState *state = B.getState();
RegionStateTy M = state->get<RegionState>();
for (RegionStateTy::iterator I = M.begin(), E = M.end(); I != E; ++I) {
RefState RS = I->second;
if (RS.isAllocated()) {
ExplodedNode *N = B.generateNode(state);
if (N) {
if (!BT_Leak)
BT_Leak.reset(new BuiltinBug("Memory leak",
"Allocated memory never released. Potential memory leak."));
BugReport *R = new BugReport(*BT_Leak, BT_Leak->getDescription(), N);
Eng.getBugReporter().EmitReport(R);
}
}
}
}
/// \brief Run checkers for evaluating a call.
/// Only one checker will evaluate the call.
void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst,
const ExplodedNodeSet &Src,
const CallExpr *CE,
ExprEngine &Eng,
GraphExpander *defaultEval) {
if (EvalCallCheckers.empty() && defaultEval == 0) {
Dst.insert(Src);
return;
}
for (ExplodedNodeSet::iterator
NI = Src.begin(), NE = Src.end(); NI != NE; ++NI) {
ExplodedNode *Pred = *NI;
bool anyEvaluated = false;
for (std::vector<EvalCallFunc>::iterator
EI = EvalCallCheckers.begin(), EE = EvalCallCheckers.end();
EI != EE; ++EI) {
ExplodedNodeSet checkDst;
CheckerContext C(checkDst, Eng.getBuilder(), Eng, Pred, EI->Checker,
ProgramPoint::PostStmtKind, 0, CE);
bool evaluated = (*EI)(CE, C);
assert(!(evaluated && anyEvaluated)
&& "There are more than one checkers evaluating the call");
if (evaluated) {
anyEvaluated = true;
Dst.insert(checkDst);
#ifdef NDEBUG
break; // on release don't check that no other checker also evals.
#endif
}
}
if (!anyEvaluated) {
if (defaultEval)
defaultEval->expandGraph(Dst, Pred);
else
Dst.insert(Pred);
}
}
}
void StreamChecker::checkEndPath(EndOfFunctionNodeBuilder &B,
ExprEngine &Eng) const {
const GRState *state = B.getState();
typedef llvm::ImmutableMap<SymbolRef, StreamState> SymMap;
SymMap M = state->get<StreamState>();
for (SymMap::iterator I = M.begin(), E = M.end(); I != E; ++I) {
StreamState SS = I->second;
if (SS.isOpened()) {
ExplodedNode *N = B.generateNode(state);
if (N) {
if (!BT_ResourceLeak)
BT_ResourceLeak.reset(new BuiltinBug("Resource Leak",
"Opened File never closed. Potential Resource leak."));
BugReport *R = new BugReport(*BT_ResourceLeak,
BT_ResourceLeak->getDescription(), N);
Eng.getBugReporter().EmitReport(R);
}
}
}
}
void AnalyzerStatsChecker::checkEndAnalysis(ExplodedGraph &G,
BugReporter &B,
ExprEngine &Eng) const {
const CFG *C = 0;
const SourceManager &SM = B.getSourceManager();
llvm::SmallPtrSet<const CFGBlock*, 256> reachable;
// Root node should have the location context of the top most function.
const ExplodedNode *GraphRoot = *G.roots_begin();
const LocationContext *LC = GraphRoot->getLocation().getLocationContext();
const Decl *D = LC->getDecl();
// Iterate over the exploded graph.
for (ExplodedGraph::node_iterator I = G.nodes_begin();
I != G.nodes_end(); ++I) {
const ProgramPoint &P = I->getLocation();
// Only check the coverage in the top level function (optimization).
if (D != P.getLocationContext()->getDecl())
continue;
if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) {
const CFGBlock *CB = BE->getBlock();
reachable.insert(CB);
}
}
// Get the CFG and the Decl of this block.
C = LC->getCFG();
unsigned total = 0, unreachable = 0;
// Find CFGBlocks that were not covered by any node
for (CFG::const_iterator I = C->begin(); I != C->end(); ++I) {
const CFGBlock *CB = *I;
++total;
// Check if the block is unreachable
if (!reachable.count(CB)) {
++unreachable;
}
}
// We never 'reach' the entry block, so correct the unreachable count
unreachable--;
// There is no BlockEntrance corresponding to the exit block as well, so
// assume it is reached as well.
unreachable--;
// Generate the warning string
SmallString<128> buf;
llvm::raw_svector_ostream output(buf);
PresumedLoc Loc = SM.getPresumedLoc(D->getLocation());
if (!Loc.isValid())
return;
if (isa<FunctionDecl>(D) || isa<ObjCMethodDecl>(D)) {
const NamedDecl *ND = cast<NamedDecl>(D);
output << *ND;
}
else if (isa<BlockDecl>(D)) {
output << "block(line:" << Loc.getLine() << ":col:" << Loc.getColumn();
}
NumBlocksUnreachable += unreachable;
NumBlocks += total;
std::string NameOfRootFunction = output.str();
output << " -> Total CFGBlocks: " << total << " | Unreachable CFGBlocks: "
<< unreachable << " | Exhausted Block: "
<< (Eng.wasBlocksExhausted() ? "yes" : "no")
<< " | Empty WorkList: "
<< (Eng.hasEmptyWorkList() ? "yes" : "no");
B.EmitBasicReport(D, "Analyzer Statistics", "Internal Statistics",
output.str(), PathDiagnosticLocation(D, SM));
// Emit warning for each block we bailed out on.
typedef CoreEngine::BlocksExhausted::const_iterator ExhaustedIterator;
const CoreEngine &CE = Eng.getCoreEngine();
for (ExhaustedIterator I = CE.blocks_exhausted_begin(),
E = CE.blocks_exhausted_end(); I != E; ++I) {
const BlockEdge &BE = I->first;
const CFGBlock *Exit = BE.getDst();
const CFGElement &CE = Exit->front();
if (const CFGStmt *CS = dyn_cast<CFGStmt>(&CE)) {
SmallString<128> bufI;
llvm::raw_svector_ostream outputI(bufI);
outputI << "(" << NameOfRootFunction << ")" <<
": The analyzer generated a sink at this point";
B.EmitBasicReport(D, "Sink Point", "Internal Statistics", outputI.str(),
PathDiagnosticLocation::createBegin(CS->getStmt(),
SM, LC));
}
}
}
void ento::RegisterOSAtomicChecker(ExprEngine &Eng) {
Eng.registerCheck(new OSAtomicChecker());
}
void UnreachableCodeChecker::checkEndAnalysis(ExplodedGraph &G,
BugReporter &B,
ExprEngine &Eng) const {
CFGBlocksSet reachable, visited;
if (Eng.hasWorkRemaining())
return;
const Decl *D = nullptr;
CFG *C = nullptr;
ParentMap *PM = nullptr;
const LocationContext *LC = nullptr;
// Iterate over ExplodedGraph
for (ExplodedGraph::node_iterator I = G.nodes_begin(), E = G.nodes_end();
I != E; ++I) {
const ProgramPoint &P = I->getLocation();
LC = P.getLocationContext();
if (!LC->inTopFrame())
continue;
if (!D)
D = LC->getAnalysisDeclContext()->getDecl();
// Save the CFG if we don't have it already
if (!C)
C = LC->getAnalysisDeclContext()->getUnoptimizedCFG();
if (!PM)
PM = &LC->getParentMap();
if (Optional<BlockEntrance> BE = P.getAs<BlockEntrance>()) {
const CFGBlock *CB = BE->getBlock();
reachable.insert(CB->getBlockID());
}
}
// Bail out if we didn't get the CFG or the ParentMap.
if (!D || !C || !PM)
return;
// Don't do anything for template instantiations. Proving that code
// in a template instantiation is unreachable means proving that it is
// unreachable in all instantiations.
if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
if (FD->isTemplateInstantiation())
return;
// Find CFGBlocks that were not covered by any node
for (CFG::const_iterator I = C->begin(), E = C->end(); I != E; ++I) {
const CFGBlock *CB = *I;
// Check if the block is unreachable
if (reachable.count(CB->getBlockID()))
continue;
// Check if the block is empty (an artificial block)
if (isEmptyCFGBlock(CB))
continue;
// Find the entry points for this block
if (!visited.count(CB->getBlockID()))
FindUnreachableEntryPoints(CB, reachable, visited);
// This block may have been pruned; check if we still want to report it
if (reachable.count(CB->getBlockID()))
continue;
// Check for false positives
if (isInvalidPath(CB, *PM))
continue;
// It is good practice to always have a "default" label in a "switch", even
// if we should never get there. It can be used to detect errors, for
// instance. Unreachable code directly under a "default" label is therefore
// likely to be a false positive.
if (const Stmt *label = CB->getLabel())
if (label->getStmtClass() == Stmt::DefaultStmtClass)
continue;
// Special case for __builtin_unreachable.
// FIXME: This should be extended to include other unreachable markers,
// such as llvm_unreachable.
if (!CB->empty()) {
bool foundUnreachable = false;
for (CFGBlock::const_iterator ci = CB->begin(), ce = CB->end();
ci != ce; ++ci) {
if (Optional<CFGStmt> S = (*ci).getAs<CFGStmt>())
if (const CallExpr *CE = dyn_cast<CallExpr>(S->getStmt())) {
if (CE->getBuiltinCallee() == Builtin::BI__builtin_unreachable ||
CE->isBuiltinAssumeFalse(Eng.getContext())) {
foundUnreachable = true;
break;
}
}
}
if (foundUnreachable)
continue;
}
// We found a block that wasn't covered - find the statement to report
SourceRange SR;
PathDiagnosticLocation DL;
SourceLocation SL;
if (const Stmt *S = getUnreachableStmt(CB)) {
// In macros, 'do {...} while (0)' is often used. Don't warn about the
// condition 0 when it is unreachable.
if (S->getBeginLoc().isMacroID())
if (const auto *I = dyn_cast<IntegerLiteral>(S))
if (I->getValue() == 0ULL)
if (const Stmt *Parent = PM->getParent(S))
if (isa<DoStmt>(Parent))
continue;
SR = S->getSourceRange();
DL = PathDiagnosticLocation::createBegin(S, B.getSourceManager(), LC);
SL = DL.asLocation();
if (SR.isInvalid() || !SL.isValid())
continue;
}
else
continue;
// Check if the SourceLocation is in a system header
const SourceManager &SM = B.getSourceManager();
if (SM.isInSystemHeader(SL) || SM.isInExternCSystemHeader(SL))
continue;
B.EmitBasicReport(D, this, "Unreachable code", "Dead code",
"This statement is never executed", DL, SR);
}
}
/// \brief Run checkers for evaluating a call.
/// Only one checker will evaluate the call.
void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst,
const ExplodedNodeSet &Src,
const CallExpr *CE,
ExprEngine &Eng,
GraphExpander *defaultEval) {
if (EvalCallCheckers.empty() &&
InlineCallCheckers.empty() &&
defaultEval == 0) {
Dst.insert(Src);
return;
}
for (ExplodedNodeSet::iterator
NI = Src.begin(), NE = Src.end(); NI != NE; ++NI) {
ExplodedNode *Pred = *NI;
bool anyEvaluated = false;
// First, check if any of the InlineCall callbacks can evaluate the call.
assert(InlineCallCheckers.size() <= 1 &&
"InlineCall is a special hacky callback to allow intrusive"
"evaluation of the call (which simulates inlining). It is "
"currently only used by OSAtomicChecker and should go away "
"at some point.");
for (std::vector<InlineCallFunc>::iterator
EI = InlineCallCheckers.begin(), EE = InlineCallCheckers.end();
EI != EE; ++EI) {
ExplodedNodeSet checkDst;
bool evaluated = (*EI)(CE, Eng, Pred, checkDst);
assert(!(evaluated && anyEvaluated)
&& "There are more than one checkers evaluating the call");
if (evaluated) {
anyEvaluated = true;
Dst.insert(checkDst);
#ifdef NDEBUG
break; // on release don't check that no other checker also evals.
#endif
}
}
#ifdef NDEBUG // on release don't check that no other checker also evals.
if (anyEvaluated) {
break;
}
#endif
// Next, check if any of the EvalCall callbacks can evaluate the call.
for (std::vector<EvalCallFunc>::iterator
EI = EvalCallCheckers.begin(), EE = EvalCallCheckers.end();
EI != EE; ++EI) {
ExplodedNodeSet checkDst;
ProgramPoint::Kind K = ProgramPoint::PostStmtKind;
const ProgramPoint &L = ProgramPoint::getProgramPoint(CE, K,
Pred->getLocationContext(), EI->Checker);
bool evaluated = false;
{ // CheckerContext generates transitions(populates checkDest) on
// destruction, so introduce the scope to make sure it gets properly
// populated.
CheckerContext C(checkDst, Eng.getBuilder(), Eng, Pred, L, 0);
evaluated = (*EI)(CE, C);
}
assert(!(evaluated && anyEvaluated)
&& "There are more than one checkers evaluating the call");
if (evaluated) {
anyEvaluated = true;
Dst.insert(checkDst);
#ifdef NDEBUG
break; // on release don't check that no other checker also evals.
#endif
}
}
// If none of the checkers evaluated the call, ask ExprEngine to handle it.
if (!anyEvaluated) {
if (defaultEval)
defaultEval->expandGraph(Dst, Pred);
else
Dst.insert(Pred);
}
}
}
void ento::RegisterArrayBoundCheckerV2(ExprEngine &Eng) {
Eng.registerCheck(new ArrayBoundCheckerV2());
}
void ento::RegisterDivZeroChecker(ExprEngine &Eng) {
Eng.registerCheck(new DivZeroChecker());
}
void ento::RegisterPthreadLockChecker(ExprEngine &Eng) {
Eng.registerCheck(new PthreadLockChecker());
}
void AnalyzerStatsChecker::checkEndAnalysis(ExplodedGraph &G,
BugReporter &B,
ExprEngine &Eng) const {
const CFG *C = 0;
const Decl *D = 0;
const LocationContext *LC = 0;
const SourceManager &SM = B.getSourceManager();
llvm::SmallPtrSet<const CFGBlock*, 256> reachable;
// Iterate over explodedgraph
for (ExplodedGraph::node_iterator I = G.nodes_begin();
I != G.nodes_end(); ++I) {
const ProgramPoint &P = I->getLocation();
// Save the LocationContext if we don't have it already
if (!LC)
LC = P.getLocationContext();
if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) {
const CFGBlock *CB = BE->getBlock();
reachable.insert(CB);
}
}
// Get the CFG and the Decl of this block
C = LC->getCFG();
D = LC->getAnalysisContext()->getDecl();
unsigned total = 0, unreachable = 0;
// Find CFGBlocks that were not covered by any node
for (CFG::const_iterator I = C->begin(); I != C->end(); ++I) {
const CFGBlock *CB = *I;
++total;
// Check if the block is unreachable
if (!reachable.count(CB)) {
++unreachable;
}
}
// We never 'reach' the entry block, so correct the unreachable count
unreachable--;
// Generate the warning string
llvm::SmallString<128> buf;
llvm::raw_svector_ostream output(buf);
PresumedLoc Loc = SM.getPresumedLoc(D->getLocation());
if (Loc.isValid()) {
output << Loc.getFilename() << " : ";
if (isa<FunctionDecl>(D) || isa<ObjCMethodDecl>(D)) {
const NamedDecl *ND = cast<NamedDecl>(D);
output << ND;
}
else if (isa<BlockDecl>(D)) {
output << "block(line:" << Loc.getLine() << ":col:" << Loc.getColumn();
}
}
output << " -> Total CFGBlocks: " << total << " | Unreachable CFGBlocks: "
<< unreachable << " | Exhausted Block: "
<< (Eng.wasBlocksExhausted() ? "yes" : "no")
<< " | Empty WorkList: "
<< (Eng.hasEmptyWorkList() ? "yes" : "no");
B.EmitBasicReport("Analyzer Statistics", "Internal Statistics", output.str(),
PathDiagnosticLocation(D, SM));
// Emit warning for each block we bailed out on
typedef CoreEngine::BlocksExhausted::const_iterator ExhaustedIterator;
const CoreEngine &CE = Eng.getCoreEngine();
for (ExhaustedIterator I = CE.blocks_exhausted_begin(),
E = CE.blocks_exhausted_end(); I != E; ++I) {
const BlockEdge &BE = I->first;
const CFGBlock *Exit = BE.getDst();
const CFGElement &CE = Exit->front();
if (const CFGStmt *CS = dyn_cast<CFGStmt>(&CE))
B.EmitBasicReport("Bailout Point", "Internal Statistics", "The analyzer "
"stopped analyzing at this point",
PathDiagnosticLocation::createBegin(CS->getStmt(), SM, LC));
}
}
void ento::RegisterVLASizeChecker(ExprEngine &Eng) {
Eng.registerCheck(new VLASizeChecker());
}
void IdempotentOperationChecker::checkEndAnalysis(ExplodedGraph &G,
BugReporter &BR,
ExprEngine &Eng) const {
BugType *BT = new BugType("Idempotent operation", "Dead code");
// Iterate over the hash to see if we have any paths with definite
// idempotent operations.
for (AssumptionMap::const_iterator i = hash.begin(); i != hash.end(); ++i) {
// Unpack the hash contents
const BinaryOperatorData &Data = i->second;
const Assumption &A = Data.assumption;
const ExplodedNodeSet &ES = Data.explodedNodes;
// If there are no nodes accosted with the expression, nothing to report.
// FIXME: This is possible because the checker does part of processing in
// checkPreStmt and part in checkPostStmt.
if (ES.begin() == ES.end())
continue;
const BinaryOperator *B = i->first;
if (A == Impossible)
continue;
// If the analyzer did not finish, check to see if we can still emit this
// warning
if (Eng.hasWorkRemaining()) {
// If we can trace back
AnalysisDeclContext *AC = (*ES.begin())->getLocationContext()
->getAnalysisDeclContext();
if (!pathWasCompletelyAnalyzed(AC,
AC->getCFGStmtMap()->getBlock(B),
Eng.getCoreEngine()))
continue;
}
// Select the error message and SourceRanges to report.
llvm::SmallString<128> buf;
llvm::raw_svector_ostream os(buf);
bool LHSRelevant = false, RHSRelevant = false;
switch (A) {
case Equal:
LHSRelevant = true;
RHSRelevant = true;
if (B->getOpcode() == BO_Assign)
os << "Assigned value is always the same as the existing value";
else
os << "Both operands to '" << B->getOpcodeStr()
<< "' always have the same value";
break;
case LHSis1:
LHSRelevant = true;
os << "The left operand to '" << B->getOpcodeStr() << "' is always 1";
break;
case RHSis1:
RHSRelevant = true;
os << "The right operand to '" << B->getOpcodeStr() << "' is always 1";
break;
case LHSis0:
LHSRelevant = true;
os << "The left operand to '" << B->getOpcodeStr() << "' is always 0";
break;
case RHSis0:
RHSRelevant = true;
os << "The right operand to '" << B->getOpcodeStr() << "' is always 0";
break;
case Possible:
llvm_unreachable("Operation was never marked with an assumption");
case Impossible:
llvm_unreachable(0);
}
// Add a report for each ExplodedNode
for (ExplodedNodeSet::iterator I = ES.begin(), E = ES.end(); I != E; ++I) {
BugReport *report = new BugReport(*BT, os.str(), *I);
// Add source ranges and visitor hooks
if (LHSRelevant) {
const Expr *LHS = i->first->getLHS();
report->addRange(LHS->getSourceRange());
FindLastStoreBRVisitor::registerStatementVarDecls(*report, LHS);
}
if (RHSRelevant) {
const Expr *RHS = i->first->getRHS();
report->addRange(i->first->getRHS()->getSourceRange());
FindLastStoreBRVisitor::registerStatementVarDecls(*report, RHS);
}
BR.EmitReport(report);
}
}
hash.clear();
}
void ento::RegisterIdempotentOperationChecker(ExprEngine &Eng) {
Eng.registerCheck(new IdempotentOperationChecker());
}
void UnreachableCodeChecker::checkEndAnalysis(ExplodedGraph &G,
BugReporter &B,
ExprEngine &Eng) const {
CFGBlocksSet reachable, visited;
if (Eng.hasWorkRemaining())
return;
CFG *C = 0;
ParentMap *PM = 0;
// Iterate over ExplodedGraph
for (ExplodedGraph::node_iterator I = G.nodes_begin(), E = G.nodes_end();
I != E; ++I) {
const ProgramPoint &P = I->getLocation();
const LocationContext *LC = P.getLocationContext();
// Save the CFG if we don't have it already
if (!C)
C = LC->getAnalysisContext()->getUnoptimizedCFG();
if (!PM)
PM = &LC->getParentMap();
if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) {
const CFGBlock *CB = BE->getBlock();
reachable.insert(CB->getBlockID());
}
}
// Bail out if we didn't get the CFG or the ParentMap.
if (!C || !PM)
return;
ASTContext &Ctx = B.getContext();
// Find CFGBlocks that were not covered by any node
for (CFG::const_iterator I = C->begin(), E = C->end(); I != E; ++I) {
const CFGBlock *CB = *I;
// Check if the block is unreachable
if (reachable.count(CB->getBlockID()))
continue;
// Check if the block is empty (an artificial block)
if (isEmptyCFGBlock(CB))
continue;
// Find the entry points for this block
if (!visited.count(CB->getBlockID()))
FindUnreachableEntryPoints(CB, reachable, visited);
// This block may have been pruned; check if we still want to report it
if (reachable.count(CB->getBlockID()))
continue;
// Check for false positives
if (CB->size() > 0 && isInvalidPath(CB, *PM))
continue;
// Special case for __builtin_unreachable.
// FIXME: This should be extended to include other unreachable markers,
// such as llvm_unreachable.
if (!CB->empty()) {
CFGElement First = CB->front();
if (const CFGStmt *S = First.getAs<CFGStmt>()) {
if (const CallExpr *CE = dyn_cast<CallExpr>(S->getStmt())) {
if (CE->isBuiltinCall(Ctx) == Builtin::BI__builtin_unreachable)
continue;
}
}
}
// We found a block that wasn't covered - find the statement to report
SourceRange SR;
SourceLocation SL;
if (const Stmt *S = getUnreachableStmt(CB)) {
SR = S->getSourceRange();
SL = S->getLocStart();
if (SR.isInvalid() || SL.isInvalid())
continue;
}
else
continue;
// Check if the SourceLocation is in a system header
const SourceManager &SM = B.getSourceManager();
if (SM.isInSystemHeader(SL) || SM.isInExternCSystemHeader(SL))
continue;
B.EmitBasicReport("Unreachable code", "Dead code", "This statement is never"
" executed", SL, SR);
}
}
void ento::RegisterReturnPointerRangeChecker(ExprEngine &Eng) {
Eng.registerCheck(new ReturnPointerRangeChecker());
}
bool OSAtomicChecker::evalOSAtomicCompareAndSwap(const CallExpr *CE,
ExprEngine &Eng,
ExplodedNode *Pred,
ExplodedNodeSet &Dst) const {
// Not enough arguments to match OSAtomicCompareAndSwap?
if (CE->getNumArgs() != 3)
return false;
ASTContext &Ctx = Eng.getContext();
const Expr *oldValueExpr = CE->getArg(0);
QualType oldValueType = Ctx.getCanonicalType(oldValueExpr->getType());
const Expr *newValueExpr = CE->getArg(1);
QualType newValueType = Ctx.getCanonicalType(newValueExpr->getType());
// Do the types of 'oldValue' and 'newValue' match?
if (oldValueType != newValueType)
return false;
const Expr *theValueExpr = CE->getArg(2);
const PointerType *theValueType=theValueExpr->getType()->getAs<PointerType>();
// theValueType not a pointer?
if (!theValueType)
return false;
QualType theValueTypePointee =
Ctx.getCanonicalType(theValueType->getPointeeType()).getUnqualifiedType();
// The pointee must match newValueType and oldValueType.
if (theValueTypePointee != newValueType)
return false;
static SimpleProgramPointTag OSAtomicLoadTag("OSAtomicChecker : Load");
static SimpleProgramPointTag OSAtomicStoreTag("OSAtomicChecker : Store");
// Load 'theValue'.
ProgramStateRef state = Pred->getState();
const LocationContext *LCtx = Pred->getLocationContext();
ExplodedNodeSet Tmp;
SVal location = state->getSVal(theValueExpr, LCtx);
// Here we should use the value type of the region as the load type, because
// we are simulating the semantics of the function, not the semantics of
// passing argument. So the type of theValue expr is not we are loading.
// But usually the type of the varregion is not the type we want either,
// we still need to do a CastRetrievedVal in store manager. So actually this
// LoadTy specifying can be omitted. But we put it here to emphasize the
// semantics.
QualType LoadTy;
if (const TypedValueRegion *TR =
dyn_cast_or_null<TypedValueRegion>(location.getAsRegion())) {
LoadTy = TR->getValueType();
}
Eng.evalLoad(Tmp, CE, theValueExpr, Pred,
state, location, &OSAtomicLoadTag, LoadTy);
if (Tmp.empty()) {
// If no nodes were generated, other checkers must have generated sinks.
// We return an empty Dst.
return true;
}
for (ExplodedNodeSet::iterator I = Tmp.begin(), E = Tmp.end();
I != E; ++I) {
ExplodedNode *N = *I;
ProgramStateRef stateLoad = N->getState();
// Use direct bindings from the environment since we are forcing a load
// from a location that the Environment would typically not be used
// to bind a value.
SVal theValueVal_untested = stateLoad->getSVal(theValueExpr, LCtx, true);
SVal oldValueVal_untested = stateLoad->getSVal(oldValueExpr, LCtx);
// FIXME: Issue an error.
if (theValueVal_untested.isUndef() || oldValueVal_untested.isUndef()) {
return false;
}
DefinedOrUnknownSVal theValueVal =
cast<DefinedOrUnknownSVal>(theValueVal_untested);
DefinedOrUnknownSVal oldValueVal =
cast<DefinedOrUnknownSVal>(oldValueVal_untested);
SValBuilder &svalBuilder = Eng.getSValBuilder();
// Perform the comparison.
DefinedOrUnknownSVal Cmp =
svalBuilder.evalEQ(stateLoad,theValueVal,oldValueVal);
ProgramStateRef stateEqual = stateLoad->assume(Cmp, true);
// Were they equal?
if (stateEqual) {
// Perform the store.
ExplodedNodeSet TmpStore;
SVal val = stateEqual->getSVal(newValueExpr, LCtx);
// Handle implicit value casts.
if (const TypedValueRegion *R =
dyn_cast_or_null<TypedValueRegion>(location.getAsRegion())) {
val = svalBuilder.evalCast(val,R->getValueType(), newValueExpr->getType());
}
Eng.evalStore(TmpStore, CE, theValueExpr, N,
stateEqual, location, val, &OSAtomicStoreTag);
if (TmpStore.empty()) {
// If no nodes were generated, other checkers must have generated sinks.
// We return an empty Dst.
return true;
}
StmtNodeBuilder B(TmpStore, Dst, Eng.getBuilderContext());
// Now bind the result of the comparison.
for (ExplodedNodeSet::iterator I2 = TmpStore.begin(),
E2 = TmpStore.end(); I2 != E2; ++I2) {
ExplodedNode *predNew = *I2;
ProgramStateRef stateNew = predNew->getState();
// Check for 'void' return type if we have a bogus function prototype.
SVal Res = UnknownVal();
QualType T = CE->getType();
if (!T->isVoidType())
Res = Eng.getSValBuilder().makeTruthVal(true, T);
B.generateNode(CE, predNew, stateNew->BindExpr(CE, LCtx, Res), this);
}
}
// Were they not equal?
if (ProgramStateRef stateNotEqual = stateLoad->assume(Cmp, false)) {
// Check for 'void' return type if we have a bogus function prototype.
SVal Res = UnknownVal();
QualType T = CE->getType();
if (!T->isVoidType())
Res = Eng.getSValBuilder().makeTruthVal(false, CE->getType());
StmtNodeBuilder B(N, Dst, Eng.getBuilderContext());
B.generateNode(CE, N, stateNotEqual->BindExpr(CE, LCtx, Res), this);
}
}
return true;
}
void ento::RegisterObjCAtSyncChecker(ExprEngine &Eng) {
// @synchronized is an Objective-C 2 feature.
if (Eng.getContext().getLangOptions().ObjC2)
Eng.registerCheck(new ObjCAtSyncChecker());
}
