StaticAnalyzer/Checkers/BoolAssignmentChecker.cpp

*67e74705SXin Li//== BoolAssignmentChecker.cpp - Boolean assignment checker -----*- C++ -*--==//
*67e74705SXin Li//
*67e74705SXin Li//                     The LLVM Compiler Infrastructure
*67e74705SXin Li//
*67e74705SXin Li// This file is distributed under the University of Illinois Open Source
*67e74705SXin Li// License. See LICENSE.TXT for details.
*67e74705SXin Li//
*67e74705SXin Li//===----------------------------------------------------------------------===//
*67e74705SXin Li//
*67e74705SXin Li// This defines BoolAssignmentChecker, a builtin check in ExprEngine that
*67e74705SXin Li// performs checks for assignment of non-Boolean values to Boolean variables.
*67e74705SXin Li//
*67e74705SXin Li//===----------------------------------------------------------------------===//
*67e74705SXin Li
*67e74705SXin Li#include "ClangSACheckers.h"
*67e74705SXin Li#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
*67e74705SXin Li#include "clang/StaticAnalyzer/Core/Checker.h"
*67e74705SXin Li#include "clang/StaticAnalyzer/Core/CheckerManager.h"
*67e74705SXin Li#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
*67e74705SXin Li
*67e74705SXin Liusing namespace clang;
*67e74705SXin Liusing namespace ento;
*67e74705SXin Li
*67e74705SXin Linamespace {
*67e74705SXin Li  class BoolAssignmentChecker : public Checker< check::Bind > {
*67e74705SXin Li    mutable std::unique_ptr<BuiltinBug> BT;
*67e74705SXin Li    void emitReport(ProgramStateRef state, CheckerContext &C) const;
*67e74705SXin Li  public:
*67e74705SXin Li    void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const;
*67e74705SXin Li  };
*67e74705SXin Li} // end anonymous namespace
*67e74705SXin Li
*67e74705SXin Livoid BoolAssignmentChecker::emitReport(ProgramStateRef state,
*67e74705SXin Li                                       CheckerContext &C) const {
*67e74705SXin Li  if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
*67e74705SXin Li    if (!BT)
*67e74705SXin Li      BT.reset(new BuiltinBug(this, "Assignment of a non-Boolean value"));
*67e74705SXin Li    C.emitReport(llvm::make_unique<BugReport>(*BT, BT->getDescription(), N));
*67e74705SXin Li  }
*67e74705SXin Li}
*67e74705SXin Li
*67e74705SXin Listatic bool isBooleanType(QualType Ty) {
*67e74705SXin Li  if (Ty->isBooleanType()) // C++ or C99
*67e74705SXin Li    return true;
*67e74705SXin Li
*67e74705SXin Li  if (const TypedefType *TT = Ty->getAs<TypedefType>())
*67e74705SXin Li    return TT->getDecl()->getName() == "BOOL"   || // Objective-C
*67e74705SXin Li           TT->getDecl()->getName() == "_Bool"  || // stdbool.h < C99
*67e74705SXin Li           TT->getDecl()->getName() == "Boolean";  // MacTypes.h
*67e74705SXin Li
*67e74705SXin Li  return false;
*67e74705SXin Li}
*67e74705SXin Li
*67e74705SXin Livoid BoolAssignmentChecker::checkBind(SVal loc, SVal val, const Stmt *S,
*67e74705SXin Li                                      CheckerContext &C) const {
*67e74705SXin Li
*67e74705SXin Li  // We are only interested in stores into Booleans.
*67e74705SXin Li  const TypedValueRegion *TR =
*67e74705SXin Li    dyn_cast_or_null<TypedValueRegion>(loc.getAsRegion());
*67e74705SXin Li
*67e74705SXin Li  if (!TR)
*67e74705SXin Li    return;
*67e74705SXin Li
*67e74705SXin Li  QualType valTy = TR->getValueType();
*67e74705SXin Li
*67e74705SXin Li  if (!isBooleanType(valTy))
*67e74705SXin Li    return;
*67e74705SXin Li
*67e74705SXin Li  // Get the value of the right-hand side.  We only care about values
*67e74705SXin Li  // that are defined (UnknownVals and UndefinedVals are handled by other
*67e74705SXin Li  // checkers).
*67e74705SXin Li  Optional<DefinedSVal> DV = val.getAs<DefinedSVal>();
*67e74705SXin Li  if (!DV)
*67e74705SXin Li    return;
*67e74705SXin Li
*67e74705SXin Li  // Check if the assigned value meets our criteria for correctness.  It must
*67e74705SXin Li  // be a value that is either 0 or 1.  One way to check this is to see if
*67e74705SXin Li  // the value is possibly < 0 (for a negative value) or greater than 1.
*67e74705SXin Li  ProgramStateRef state = C.getState();
*67e74705SXin Li  SValBuilder &svalBuilder = C.getSValBuilder();
*67e74705SXin Li  ConstraintManager &CM = C.getConstraintManager();
*67e74705SXin Li
*67e74705SXin Li  // First, ensure that the value is >= 0.
*67e74705SXin Li  DefinedSVal zeroVal = svalBuilder.makeIntVal(0, valTy);
*67e74705SXin Li  SVal greaterThanOrEqualToZeroVal =
*67e74705SXin Li    svalBuilder.evalBinOp(state, BO_GE, *DV, zeroVal,
*67e74705SXin Li                          svalBuilder.getConditionType());
*67e74705SXin Li
*67e74705SXin Li  Optional<DefinedSVal> greaterThanEqualToZero =
*67e74705SXin Li      greaterThanOrEqualToZeroVal.getAs<DefinedSVal>();
*67e74705SXin Li
*67e74705SXin Li  if (!greaterThanEqualToZero) {
*67e74705SXin Li    // The SValBuilder cannot construct a valid SVal for this condition.
*67e74705SXin Li    // This means we cannot properly reason about it.
*67e74705SXin Li    return;
*67e74705SXin Li  }
*67e74705SXin Li
*67e74705SXin Li  ProgramStateRef stateLT, stateGE;
*67e74705SXin Li  std::tie(stateGE, stateLT) = CM.assumeDual(state, *greaterThanEqualToZero);
*67e74705SXin Li
*67e74705SXin Li  // Is it possible for the value to be less than zero?
*67e74705SXin Li  if (stateLT) {
*67e74705SXin Li    // It is possible for the value to be less than zero.  We only
*67e74705SXin Li    // want to emit a warning, however, if that value is fully constrained.
*67e74705SXin Li    // If it it possible for the value to be >= 0, then essentially the
*67e74705SXin Li    // value is underconstrained and there is nothing left to be done.
*67e74705SXin Li    if (!stateGE)
*67e74705SXin Li      emitReport(stateLT, C);
*67e74705SXin Li
*67e74705SXin Li    // In either case, we are done.
*67e74705SXin Li    return;
*67e74705SXin Li  }
*67e74705SXin Li
*67e74705SXin Li  // If we reach here, it must be the case that the value is constrained
*67e74705SXin Li  // to only be >= 0.
*67e74705SXin Li  assert(stateGE == state);
*67e74705SXin Li
*67e74705SXin Li  // At this point we know that the value is >= 0.
*67e74705SXin Li  // Now check to ensure that the value is <= 1.
*67e74705SXin Li  DefinedSVal OneVal = svalBuilder.makeIntVal(1, valTy);
*67e74705SXin Li  SVal lessThanEqToOneVal =
*67e74705SXin Li    svalBuilder.evalBinOp(state, BO_LE, *DV, OneVal,
*67e74705SXin Li                          svalBuilder.getConditionType());
*67e74705SXin Li
*67e74705SXin Li  Optional<DefinedSVal> lessThanEqToOne =
*67e74705SXin Li      lessThanEqToOneVal.getAs<DefinedSVal>();
*67e74705SXin Li
*67e74705SXin Li  if (!lessThanEqToOne) {
*67e74705SXin Li    // The SValBuilder cannot construct a valid SVal for this condition.
*67e74705SXin Li    // This means we cannot properly reason about it.
*67e74705SXin Li    return;
*67e74705SXin Li  }
*67e74705SXin Li
*67e74705SXin Li  ProgramStateRef stateGT, stateLE;
*67e74705SXin Li  std::tie(stateLE, stateGT) = CM.assumeDual(state, *lessThanEqToOne);
*67e74705SXin Li
*67e74705SXin Li  // Is it possible for the value to be greater than one?
*67e74705SXin Li  if (stateGT) {
*67e74705SXin Li    // It is possible for the value to be greater than one.  We only
*67e74705SXin Li    // want to emit a warning, however, if that value is fully constrained.
*67e74705SXin Li    // If it is possible for the value to be <= 1, then essentially the
*67e74705SXin Li    // value is underconstrained and there is nothing left to be done.
*67e74705SXin Li    if (!stateLE)
*67e74705SXin Li      emitReport(stateGT, C);
*67e74705SXin Li
*67e74705SXin Li    // In either case, we are done.
*67e74705SXin Li    return;
*67e74705SXin Li  }
*67e74705SXin Li
*67e74705SXin Li  // If we reach here, it must be the case that the value is constrained
*67e74705SXin Li  // to only be <= 1.
*67e74705SXin Li  assert(stateLE == state);
*67e74705SXin Li}
*67e74705SXin Li
*67e74705SXin Livoid ento::registerBoolAssignmentChecker(CheckerManager &mgr) {
*67e74705SXin Li    mgr.registerChecker<BoolAssignmentChecker>();
*67e74705SXin Li}