/// Classifies the nullness of \p Val under the constraints held in \p State.
///
/// \param Val   The symbolic value to classify.
/// \param State The program state whose constraints are consulted.
/// \returns NullConstraint::IsNotNull when the state proves \p Val non-null,
///          NullConstraint::IsNull when it proves \p Val null, and
///          NullConstraint::Unknown when neither is established.
static NullConstraint getNullConstraint(DefinedOrUnknownSVal Val,
                                        ProgramStateRef State) {
  ConditionTruthVal Truth = State->isNull(Val);

  // "Constrained false" means the value is known NOT to be null.
  if (Truth.isConstrainedFalse())
    return NullConstraint::IsNotNull;

  // Otherwise the value is either proven null or not constrained at all.
  return Truth.isConstrainedTrue() ? NullConstraint::IsNull
                                   : NullConstraint::Unknown;
}
/// Reports a bug when argument \p Arg of message \p msg is known to be nil.
///
/// Only a value the current state constrains to null is reported; an argument
/// that merely might be nil on this path produces no diagnostic. The wording
/// depends on \p Class, on \p Arg (for dictionaries, 0 is the value and 1 is
/// the key) and on whether the message is a subscript expression.
///
/// \param C              Checker context supplying the state and error node.
/// \param msg            The Objective-C message whose argument is checked.
/// \param Arg            Index of the argument to test.
/// \param Class          Foundation class selecting the message wording.
/// \param CanBeSubscript Whether subscript-specific wording may be used.
void NilArgChecker::warnIfNilArg(CheckerContext &C, const ObjCMethodCall &msg,
                                 unsigned int Arg, FoundationClass Class,
                                 bool CanBeSubscript) const {
  // Check if the argument is nil.
  ProgramStateRef Current = C.getState();
  const bool KnownNil =
      Current->isNull(msg.getArgSVal(Arg)).isConstrainedTrue();
  if (!KnownNil)
    return;

  // NOTE: We cannot throw non-fatal errors from warnIfNilExpr,
  // because it's called multiple times from some callers, so it'd cause
  // an unwanted state split if two or more non-fatal errors are thrown
  // within the same checker callback. For now we don't want to, but
  // it'll need to be fixed if we ever want to.
  ExplodedNode *ErrNode = C.generateErrorNode();
  if (!ErrNode)
    return; // No node to attach a report to.

  SmallString<128> Buffer;
  llvm::raw_svector_ostream Out(Buffer);

  if (CanBeSubscript && msg.getMessageKind() == OCM_Subscript) {
    // Subscript syntax: only arrays and dictionaries are expected here.
    switch (Class) {
    case FC_NSArray:
      Out << "Array element cannot be nil";
      break;
    case FC_NSDictionary:
      if (Arg == 0) {
        Out << "Value stored into '" << GetReceiverInterfaceName(msg)
            << "' cannot be nil";
      } else {
        assert(Arg == 1);
        Out << "'" << GetReceiverInterfaceName(msg) << "' key cannot be nil";
      }
      break;
    default:
      llvm_unreachable("Missing foundation class for the subscript expr");
    }
  } else if (Class == FC_NSDictionary) {
    // Ordinary message send to a dictionary: name the role of the argument.
    if (Arg == 0) {
      Out << "Value argument ";
    } else {
      assert(Arg == 1);
      Out << "Key argument ";
    }
    Out << "to '";
    msg.getSelector().print(Out);
    Out << "' cannot be nil";
  } else {
    // Any other class: name the receiver interface and the selector.
    Out << "Argument to '" << GetReceiverInterfaceName(msg) << "' method '";
    msg.getSelector().print(Out);
    Out << "' cannot be nil";
  }

  generateBugReport(ErrNode, Out.str(), msg.getArgSourceRange(Arg),
                    msg.getArgExpr(Arg), C);
}
/// Emits a report carrying \p Msg when expression \p E is known to be nil.
///
/// Nothing is reported unless the current state constrains the value of \p E
/// to null and an error node can be generated.
///
/// \param E   Expression whose value is tested.
/// \param Msg Diagnostic text passed through to the bug report.
/// \param C   Checker context supplying the state and error node.
void NilArgChecker::warnIfNilExpr(const Expr *E, const char *Msg,
                                  CheckerContext &C) const {
  ProgramStateRef Current = C.getState();

  // Only a value proven nil on this path is reported.
  if (!Current->isNull(C.getSVal(E)).isConstrainedTrue())
    return;

  ExplodedNode *ErrNode = C.generateErrorNode();
  if (!ErrNode)
    return; // No node to attach a report to.

  generateBugReport(ErrNode, Msg, E->getSourceRange(), E, C);
}
/// Reports a bug when argument \p Arg of message \p msg is known to be nil,
/// building and emitting the BugReport directly.
///
/// Only a value the current state constrains to null is reported. The bug
/// type is created on first use, a sink node is generated, and the report is
/// annotated with the argument's source range and null-value tracking.
///
/// \param C              Checker context supplying the state and sink node.
/// \param msg            The Objective-C message whose argument is checked.
/// \param Arg            Index of the argument to test (for dictionaries,
///                       0 is the value and 1 is the key).
/// \param Class          Foundation class selecting the message wording.
/// \param CanBeSubscript Whether subscript-specific wording may be used.
void NilArgChecker::WarnIfNilArg(CheckerContext &C, const ObjCMethodCall &msg,
                                 unsigned int Arg, FoundationClass Class,
                                 bool CanBeSubscript) const {
  // Check if the argument is nil.
  ProgramStateRef Current = C.getState();
  const bool KnownNil =
      Current->isNull(msg.getArgSVal(Arg)).isConstrainedTrue();
  if (!KnownNil)
    return;

  // Create the bug type lazily, before asking for the sink node.
  if (!BT)
    BT.reset(new APIMisuse("nil argument"));

  ExplodedNode *Sink = C.generateSink();
  if (!Sink)
    return; // No node to attach a report to.

  SmallString<128> Buffer;
  llvm::raw_svector_ostream Out(Buffer);

  const bool IsSubscript =
      CanBeSubscript && msg.getMessageKind() == OCM_Subscript;

  if (IsSubscript) {
    if (Class == FC_NSArray) {
      Out << "Array element cannot be nil";
    } else if (Class == FC_NSDictionary) {
      if (Arg == 0) {
        Out << "Value stored into '" << GetReceiverInterfaceName(msg)
            << "' cannot be nil";
      } else {
        assert(Arg == 1);
        Out << "'" << GetReceiverInterfaceName(msg) << "' key cannot be nil";
      }
    } else {
      llvm_unreachable("Missing foundation class for the subscript expr");
    }
  } else if (Class == FC_NSDictionary) {
    if (Arg == 0) {
      Out << "Value argument ";
    } else {
      assert(Arg == 1);
      Out << "Key argument ";
    }
    Out << "to '" << msg.getSelector().getAsString() << "' cannot be nil";
  } else {
    Out << "Argument to '" << GetReceiverInterfaceName(msg) << "' method '"
        << msg.getSelector().getAsString() << "' cannot be nil";
  }

  // NOTE(review): Report is heap-allocated and never deleted in this function;
  // presumably emitReport() takes ownership of it - confirm.
  BugReport *Report = new BugReport(*BT, Out.str(), Sink);
  Report->addRange(msg.getArgSourceRange(Arg));
  bugreporter::trackNullOrUndefValue(Sink, msg.getArgExpr(Arg), *Report);
  C.emitReport(Report);
}
/// Reports a bug when argument \p Arg of message \p msg is known to be nil.
///
/// Only a value the current state constrains to null is reported; an argument
/// that merely might be nil on this path produces no diagnostic. The text is
/// assembled from \p Class, \p Arg (for dictionaries, 0 is the value and 1 is
/// the key) and the message kind, then handed to generateBugReport together
/// with the argument's source range and expression.
///
/// \param C              Checker context supplying the state and error node.
/// \param msg            The Objective-C message whose argument is checked.
/// \param Arg            Index of the argument to test.
/// \param Class          Foundation class selecting the message wording.
/// \param CanBeSubscript Whether subscript-specific wording may be used.
void NilArgChecker::warnIfNilArg(CheckerContext &C, const ObjCMethodCall &msg,
                                 unsigned int Arg, FoundationClass Class,
                                 bool CanBeSubscript) const {
  // Check if the argument is nil.
  ProgramStateRef St = C.getState();
  if (!St->isNull(msg.getArgSVal(Arg)).isConstrainedTrue())
    return;

  ExplodedNode *Node = C.generateErrorNode();
  if (!Node)
    return; // No node to attach a report to.

  SmallString<128> Text;
  llvm::raw_svector_ostream Stream(Text);

  const bool IsDictionary = (Class == FC_NSDictionary);

  if (CanBeSubscript && msg.getMessageKind() == OCM_Subscript) {
    // Subscript syntax: only arrays and dictionaries are expected here.
    if (Class == FC_NSArray) {
      Stream << "Array element cannot be nil";
    } else if (IsDictionary) {
      if (Arg == 0) {
        Stream << "Value stored into '" << GetReceiverInterfaceName(msg)
               << "' cannot be nil";
      } else {
        assert(Arg == 1);
        Stream << "'" << GetReceiverInterfaceName(msg)
               << "' key cannot be nil";
      }
    } else {
      llvm_unreachable("Missing foundation class for the subscript expr");
    }
  } else if (IsDictionary) {
    // Ordinary message send to a dictionary: name the role of the argument.
    if (Arg == 0) {
      Stream << "Value argument ";
    } else {
      assert(Arg == 1);
      Stream << "Key argument ";
    }
    Stream << "to '";
    msg.getSelector().print(Stream);
    Stream << "' cannot be nil";
  } else {
    // Any other class: name the receiver interface and the selector.
    Stream << "Argument to '" << GetReceiverInterfaceName(msg)
           << "' method '";
    msg.getSelector().print(Stream);
    Stream << "' cannot be nil";
  }

  generateBugReport(Node, Stream.str(), msg.getArgSourceRange(Arg),
                    msg.getArgExpr(Arg), C);
}
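/// Writes to \p os a description of the call-like statement \p S and of the
/// tracked object it produces, for example "Call to function 'f' returns a
/// Core Foundation object of type 'T' with a +1 retain count".
///
/// The text has three parts: what was called, whether the object was returned
/// or written through an out parameter, and the object's kind and ownership.
///
/// \param CurrSt Program state used to resolve values and build call events.
/// \param LCtx   Location context paired with \p CurrSt for those lookups.
/// \param CurrV  Tracked value supplying the object kind and ownership.
/// \param Sym    Symbol of the tracked object; supplies the printed type.
/// \param S      A CallExpr, CXXNewExpr or ObjCMessageExpr (the last is
///               asserted when the first two do not match).
/// \param os     Stream receiving the diagnostic text.
static void generateDiagnosticsForCallLike(ProgramStateRef CurrSt,
                                           const LocationContext *LCtx,
                                           const RefVal &CurrV, SymbolRef &Sym,
                                           const Stmt *S,
                                           llvm::raw_string_ostream &os) {
  CallEventManager &Mgr = CurrSt->getStateManager().getCallEventManager();
  if (const CallExpr *CE = dyn_cast<CallExpr>(S)) {
    // Get the name of the callee (if it is available)
    // from the tracked SVal.
    SVal X = CurrSt->getSValAsScalarOrLoc(CE->getCallee(), LCtx);
    const FunctionDecl *FD = X.getAsFunctionDecl();

    // getCalleeDecl() yields null when the callee expression does not resolve
    // to a declaration. Plain dyn_cast<> must not be given a null pointer, so
    // the null-tolerant form is used and such calls reach the generic
    // "function call" wording below instead of crashing the analyzer.
    const Decl *CalleeD = CE->getCalleeDecl();

    // If failed, try to get it from AST.
    if (!FD)
      FD = dyn_cast_or_null<FunctionDecl>(CalleeD);

    if (const auto *MD = dyn_cast_or_null<CXXMethodDecl>(CalleeD)) {
      os << "Call to method '" << MD->getQualifiedNameAsString() << '\'';
    } else if (FD) {
      os << "Call to function '" << FD->getQualifiedNameAsString() << '\'';
    } else {
      os << "function call";
    }
  } else if (isa<CXXNewExpr>(S)) {
    os << "Operator 'new'";
  } else {
    assert(isa<ObjCMessageExpr>(S));
    CallEventRef<ObjCMethodCall> Call =
        Mgr.getObjCMethodCall(cast<ObjCMessageExpr>(S), CurrSt, LCtx);

    switch (Call->getMessageKind()) {
    case OCM_Message:
      os << "Method";
      break;
    case OCM_PropertyAccess:
      os << "Property";
      break;
    case OCM_Subscript:
      os << "Subscript";
      break;
    }
  }

  Optional<CallEventRef<>> CE = Mgr.getCall(S, CurrSt, LCtx);
  auto Idx = findArgIdxOfSymbol(CurrSt, LCtx, Sym, CE);

  // If index is not found, we assume that the symbol was returned.
  if (!Idx) {
    os << " returns ";
  } else {
    os << " writes ";
  }

  // Describe the object according to the kind recorded in the tracked value.
  if (CurrV.getObjKind() == ObjKind::CF) {
    os << "a Core Foundation object of type '"
       << Sym->getType().getAsString() << "' with a ";
  } else if (CurrV.getObjKind() == ObjKind::OS) {
    os << "an OSObject of type '" << getPrettyTypeName(Sym->getType())
       << "' with a ";
  } else if (CurrV.getObjKind() == ObjKind::Generalized) {
    os << "an object of type '" << Sym->getType().getAsString()
       << "' with a ";
  } else {
    assert(CurrV.getObjKind() == ObjKind::ObjC);
    QualType T = Sym->getType();
    if (!isa<ObjCObjectPointerType>(T)) {
      os << "an Objective-C object with a ";
    } else {
      const ObjCObjectPointerType *PT = cast<ObjCObjectPointerType>(T);
      os << "an instance of " << PT->getPointeeType().getAsString()
         << " with a ";
    }
  }

  if (CurrV.isOwned()) {
    os << "+1 retain count";
  } else {
    assert(CurrV.isNotOwned());
    os << "+0 retain count";
  }

  if (Idx) {
    // NOTE(review): CE is dereferenced without a check and *Idx is used as an
    // index into parameters(); this assumes findArgIdxOfSymbol only yields an
    // index when CE holds a call and the index names a declared parameter -
    // confirm against findArgIdxOfSymbol.
    os << " into an out parameter '";
    const ParmVarDecl *PVD = (*CE)->parameters()[*Idx];
    PVD->getNameForDiagnostic(os, PVD->getASTContext().getPrintingPolicy(),
                              /*Qualified=*/false);
    os << "'";

    // For a non-void call, mention the return value the path assumes.
    QualType RT = (*CE)->getResultType();
    if (!RT.isNull() && !RT->isVoidType()) {
      SVal RV = (*CE)->getReturnValue();
      if (CurrSt->isNull(RV).isConstrainedTrue()) {
        os << " (assuming the call returns zero)";
      } else if (CurrSt->isNonNull(RV).isConstrainedTrue()) {
        os << " (assuming the call returns non-zero)";
      }
    }
  }
}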