//===--- CallAndMessageChecker.cpp ------------------------------*- C++ -*--==//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This defines CallAndMessageChecker, a builtin checker that checks for various
// errors of call and objc message expressions.
//
//===----------------------------------------------------------------------===//
14*67e74705SXin Li 
15*67e74705SXin Li #include "ClangSACheckers.h"
16*67e74705SXin Li #include "clang/AST/ParentMap.h"
17*67e74705SXin Li #include "clang/Basic/TargetInfo.h"
18*67e74705SXin Li #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
19*67e74705SXin Li #include "clang/StaticAnalyzer/Core/Checker.h"
20*67e74705SXin Li #include "clang/StaticAnalyzer/Core/CheckerManager.h"
21*67e74705SXin Li #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
22*67e74705SXin Li #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23*67e74705SXin Li #include "llvm/ADT/SmallString.h"
24*67e74705SXin Li #include "llvm/Support/raw_ostream.h"
25*67e74705SXin Li 
26*67e74705SXin Li using namespace clang;
27*67e74705SXin Li using namespace ento;
28*67e74705SXin Li 
29*67e74705SXin Li namespace {
30*67e74705SXin Li 
/// Records which of the two registered check names enabled this checker.
/// Both REGISTER_CHECKER entry points at the bottom of this file obtain a
/// CallAndMessageChecker from the CheckerManager and set one flag/name pair
/// each; presumably both calls yield the same instance (confirm against
/// CheckerManager::registerChecker).
struct ChecksFilter {
  // Gates the pointer/reference-to-const argument check in
  // uninitRefOrPointer; that is the only place in this file that reads it.
  DefaultBool Check_CallAndMessageUnInitRefArg;
  // Set by REGISTER_CHECKER but not read anywhere in this file: the core
  // call/message checks run regardless of this flag.
  DefaultBool Check_CallAndMessageChecker;

  // Check names as reported by the CheckerManager at registration time;
  // written by REGISTER_CHECKER, not read in this file.
  CheckName CheckName_CallAndMessageUnInitRefArg;
  CheckName CheckName_CallAndMessageChecker;
};
38*67e74705SXin Li 
/// Path-sensitive checks on call and Objective-C message expressions:
/// calls through an uninitialized or null function pointer, member calls on
/// an uninitialized or null object pointer, calls with fewer arguments than
/// the callee declares, uninitialized argument values (including
/// uninitialized fields of a by-value struct and pointer/reference-to-const
/// arguments that refer to uninitialized memory), `delete` of an
/// uninitialized pointer, messages to an uninitialized receiver, and the
/// value that a message to nil yields.
class CallAndMessageChecker
  : public Checker< check::PreStmt<CallExpr>,
                    check::PreStmt<CXXDeleteExpr>,
                    check::PreObjCMessage,
                    check::ObjCMessageNil,
                    check::PreCall > {
  // One BugType per diagnostic category.  They are created on first use
  // (see LazyInit_BT and the inline `if (!BT_...)` sites) and are mutable
  // because every checker callback is const.
  mutable std::unique_ptr<BugType> BT_call_null;
  mutable std::unique_ptr<BugType> BT_call_undef;
  mutable std::unique_ptr<BugType> BT_cxx_call_null;
  mutable std::unique_ptr<BugType> BT_cxx_call_undef;
  mutable std::unique_ptr<BugType> BT_call_arg;
  mutable std::unique_ptr<BugType> BT_cxx_delete_undef;
  mutable std::unique_ptr<BugType> BT_msg_undef;
  mutable std::unique_ptr<BugType> BT_objc_prop_undef;
  mutable std::unique_ptr<BugType> BT_objc_subscript_undef;
  mutable std::unique_ptr<BugType> BT_msg_arg;
  mutable std::unique_ptr<BugType> BT_msg_ret;
  mutable std::unique_ptr<BugType> BT_call_few_args;

public:
  // Populated by REGISTER_CHECKER; see ChecksFilter.
  ChecksFilter Filter;

  /// Checks the callee of a C call for an undefined or null function pointer.
  void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
  /// Checks the operand of `delete` / `delete[]` for an undefined value.
  void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
  /// Checks the receiver of a message for an undefined value.
  void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;

  /// Fill in the return value that results from messaging nil based on the
  /// return type and architecture and diagnose if the return value will be
  /// garbage.
  void checkObjCMessageNil(const ObjCMethodCall &msg, CheckerContext &C) const;

  /// Checks the implicit object pointer of C++ member calls, the argument
  /// count against the callee declaration, and every argument value.
  void checkPreCall(const CallEvent &Call, CheckerContext &C) const;

private:
  /// Checks one argument; returns true when a report was emitted (the caller
  /// then stops processing the call).  BT is the lazily-created bug type
  /// for argument diagnostics; ParamDecl may be null (variadic argument).
  bool PreVisitProcessArg(CheckerContext &C, SVal V, SourceRange ArgRange,
                          const Expr *ArgEx, bool IsFirstArgument,
                          bool CheckUninitFields, const CallEvent &Call,
                          std::unique_ptr<BugType> &BT,
                          const ParmVarDecl *ParamDecl) const;

  /// Emits a report for a bad (null/undefined) callee or object pointer,
  /// using BT's name as the description.  BT must already be initialised.
  static void emitBadCall(BugType *BT, CheckerContext &C, const Expr *BadE);
  /// Emits the "receiver is nil" report at N, describing the garbage result.
  void emitNilReceiverBug(CheckerContext &C, const ObjCMethodCall &msg,
                          ExplodedNode *N) const;

  /// Models the result of a message to nil: binds a zero value where the
  /// result is well defined, reports when it would be garbage.
  void HandleNilReceiver(CheckerContext &C,
                         ProgramStateRef state,
                         const ObjCMethodCall &msg) const;

  /// Creates the BuiltinBug for BT with description `desc` on first use.
  void LazyInit_BT(const char *desc, std::unique_ptr<BugType> &BT) const {
    if (!BT)
      BT.reset(new BuiltinBug(this, desc));
  }
  /// Reports a pointer/reference-to-const parameter whose argument refers to
  /// uninitialized memory.  Only active when
  /// Filter.Check_CallAndMessageUnInitRefArg is set; returns true when a
  /// report was emitted.  BD is the bug-type description used for BT.
  bool uninitRefOrPointer(CheckerContext &C, const SVal &V,
                          SourceRange ArgRange,
                          const Expr *ArgEx, std::unique_ptr<BugType> &BT,
                          const ParmVarDecl *ParamDecl, const char *BD) const;
};
96*67e74705SXin Li } // end anonymous namespace
97*67e74705SXin Li 
/// Reports a call through a bad (null or undefined) callee or object pointer.
///
/// \param BT   Already-initialised bug type; its name becomes the report
///             description.  Must be non-null.
/// \param C    Checker context used to create the error node and emit.
/// \param BadE Expression that produced the bad value, or nullptr.  When
///             given, its range is highlighted and its value is tracked back
///             along the path.
void CallAndMessageChecker::emitBadCall(BugType *BT, CheckerContext &C,
                                        const Expr *BadE) {
  ExplodedNode *ErrNode = C.generateErrorNode();
  // Nothing to report when no error node could be generated.
  if (!ErrNode)
    return;

  auto Report = llvm::make_unique<BugReport>(*BT, BT->getName(), ErrNode);
  if (BadE) {
    Report->addRange(BadE->getSourceRange());
    // For a glvalue, track the dereferenced expression rather than the
    // lvalue itself.
    const Expr *Tracked = BadE->isGLValue() ? bugreporter::getDerefExpr(BadE)
                                            : BadE;
    bugreporter::trackNullOrUndefValue(ErrNode, Tracked, *Report);
  }
  C.emitReport(std::move(Report));
}
113*67e74705SXin Li 
/// Picks the report description for an uninitialized argument, based on the
/// kind of call and (for Objective-C messages) the kind of message.
///
/// \param Call            The call whose argument is uninitialized.
/// \param IsFirstArgument True for the first argument; only distinguishes the
///                        value from the index in a subscript setter.
/// \return A static description string.
static StringRef describeUninitializedArgumentInCall(const CallEvent &Call,
                                                     bool IsFirstArgument) {
  if (const auto *Msg = dyn_cast<ObjCMethodCall>(&Call)) {
    switch (Msg->getMessageKind()) {
    case OCM_Message:
      return "Argument in message expression is an uninitialized value";
    case OCM_PropertyAccess:
      // Only a setter takes an argument.
      assert(Msg->isSetter() && "Getters have no args");
      return "Argument for property setter is an uninitialized value";
    case OCM_Subscript:
      return (Msg->isSetter() && IsFirstArgument)
                 ? "Argument for subscript setter is an uninitialized value"
                 : "Subscript index is an uninitialized value";
    }
    llvm_unreachable("Unknown message kind.");
  }

  return Call.getKind() == CE_Block
             ? "Block call argument is an uninitialized value"
             : "Function call argument is an uninitialized value";
}
138*67e74705SXin Li 
/// Reports an argument bound to a pointer-to-const or reference-to-const
/// parameter when the memory it refers to holds an undefined value.
///
/// \param C         Checker context (state access, error node, report).
/// \param V         The argument's symbolic value.
/// \param ArgRange  Source range of the argument, highlighted in the report.
/// \param ArgEx     Argument expression, or nullptr; tracked back when given.
/// \param BT        Lazily-created bug type for argument diagnostics.
/// \param ParamDecl Matching parameter declaration, or nullptr.
/// \param BD        Description used when BT has to be created.
/// \return true when a report was emitted (the argument is uninitialized);
///         false otherwise, including when the check is disabled.
bool CallAndMessageChecker::uninitRefOrPointer(CheckerContext &C,
                                               const SVal &V,
                                               SourceRange ArgRange,
                                               const Expr *ArgEx,
                                               std::unique_ptr<BugType> &BT,
                                               const ParmVarDecl *ParamDecl,
                                               const char *BD) const {
  if (!Filter.Check_CallAndMessageUnInitRefArg)
    return false;

  // No parameter declaration available, i.e. variadic function argument.
  if (!ParamDecl)
    return false;

  const QualType ParamTy = ParamDecl->getType();
  const char *Message = nullptr;
  if (ParamTy->isPointerType())
    Message = "Function call argument is a pointer to uninitialized value";
  else if (ParamTy->isReferenceType())
    Message = "Function call argument is an uninitialized value";
  else
    return false;

  // Only parameters whose pointee is const-qualified are checked; a
  // writable pointee is not reported (presumably because the callee may
  // initialise it).
  if (!ParamTy->getPointeeType().isConstQualified())
    return false;

  const MemRegion *ArgRegion = V.getAsRegion();
  if (!ArgRegion)
    return false;

  const ProgramStateRef State = C.getState();
  if (!State->getSVal(ArgRegion).isUndef())
    return false;

  if (ExplodedNode *N = C.generateErrorNode()) {
    LazyInit_BT(BD, BT);
    auto Report = llvm::make_unique<BugReport>(*BT, Message, N);
    Report->addRange(ArgRange);
    if (ArgEx)
      bugreporter::trackNullOrUndefValue(N, ArgEx, *Report);
    C.emitReport(std::move(Report));
  }
  // Reported (or already reported on this path): the caller stops here.
  return true;
}
186*67e74705SXin Li 
/// Checks a single call argument for uninitialized data, in three stages:
/// (1) a pointer/reference-to-const argument referring to undefined memory
/// (uninitRefOrPointer), (2) an argument whose value is itself undefined,
/// (3) a by-value struct argument with an undefined field, searched
/// recursively through nested struct members.
///
/// \param C                 Checker context.
/// \param V                 The argument's symbolic value.
/// \param ArgRange          Source range highlighted in any report.
/// \param ArgEx             Argument expression, or nullptr.
/// \param IsFirstArgument   Forwarded to describeUninitializedArgumentInCall.
/// \param CheckUninitFields Whether stage (3) runs at all.
/// \param Call              The enclosing call, used for the description.
/// \param BT                Lazily-created bug type for argument reports.
/// \param ParamDecl         Matching parameter declaration, or nullptr.
/// \return true when a report was emitted; the caller stops processing
///         further arguments of this call.
bool CallAndMessageChecker::PreVisitProcessArg(CheckerContext &C,
                                               SVal V,
                                               SourceRange ArgRange,
                                               const Expr *ArgEx,
                                               bool IsFirstArgument,
                                               bool CheckUninitFields,
                                               const CallEvent &Call,
                                               std::unique_ptr<BugType> &BT,
                                               const ParmVarDecl *ParamDecl
                                               ) const {
  // Shared bug-type description for all three argument diagnostics.
  const char *BD = "Uninitialized argument value";

  if (uninitRefOrPointer(C, V, ArgRange, ArgEx, BT, ParamDecl, BD))
    return true;

  if (V.isUndef()) {
    if (ExplodedNode *N = C.generateErrorNode()) {
      LazyInit_BT(BD, BT);

      // Generate a report for this bug.
      StringRef Desc =
          describeUninitializedArgumentInCall(Call, IsFirstArgument);
      auto R = llvm::make_unique<BugReport>(*BT, Desc, N);
      R->addRange(ArgRange);
      if (ArgEx)
        bugreporter::trackNullOrUndefValue(N, ArgEx, *R);
      C.emitReport(std::move(R));
    }
    // Stop even if no node was generated: the value is known-bad.
    return true;
  }

  if (!CheckUninitFields)
    return false;

  // A by-value struct argument is a LazyCompoundVal over a region in some
  // store snapshot; walk its fields in that snapshot.
  if (Optional<nonloc::LazyCompoundVal> LV =
          V.getAs<nonloc::LazyCompoundVal>()) {

    // Depth-first search for the first field bound to an undefined value.
    // On success FieldChain holds the path of FieldDecls from the outermost
    // struct down to that field; on failure it is left empty.
    class FindUninitializedField {
    public:
      SmallVector<const FieldDecl *, 10> FieldChain;
    private:
      StoreManager &StoreMgr;
      MemRegionManager &MrMgr;
      Store store;
    public:
      FindUninitializedField(StoreManager &storeMgr,
                             MemRegionManager &mrMgr, Store s)
      : StoreMgr(storeMgr), MrMgr(mrMgr), store(s) {}

      // Returns true when an undefined field was found under R.  Only
      // record types accepted by getAsStructureType() are descended into;
      // every other field type is checked directly via its binding.
      bool Find(const TypedValueRegion *R) {
        QualType T = R->getValueType();
        if (const RecordType *RT = T->getAsStructureType()) {
          const RecordDecl *RD = RT->getDecl()->getDefinition();
          assert(RD && "Referred record has no definition");
          for (const auto *I : RD->fields()) {
            const FieldRegion *FR = MrMgr.getFieldRegion(I, R);
            FieldChain.push_back(I);
            T = I->getType();
            if (T->getAsStructureType()) {
              if (Find(FR))
                return true;
            }
            else {
              const SVal &V = StoreMgr.getBinding(store, loc::MemRegionVal(FR));
              if (V.isUndef())
                return true;
            }
            // Not found below this field: unwind the chain before moving on.
            FieldChain.pop_back();
          }
        }

        return false;
      }
    };

    const LazyCompoundValData *D = LV->getCVData();
    FindUninitializedField F(C.getState()->getStateManager().getStoreManager(),
                             C.getSValBuilder().getRegionManager(),
                             D->getStore());

    if (F.Find(D->getRegion())) {
      if (ExplodedNode *N = C.generateErrorNode()) {
        LazyInit_BT(BD, BT);
        SmallString<512> Str;
        llvm::raw_svector_ostream os(Str);
        os << "Passed-by-value struct argument contains uninitialized data";

        // Name the offending field, or the dotted path to it when nested.
        if (F.FieldChain.size() == 1)
          os << " (e.g., field: '" << *F.FieldChain[0] << "')";
        else {
          os << " (e.g., via the field chain: '";
          bool first = true;
          for (SmallVectorImpl<const FieldDecl *>::iterator
               DI = F.FieldChain.begin(), DE = F.FieldChain.end(); DI!=DE;++DI){
            if (first)
              first = false;
            else
              os << '.';
            os << **DI;
          }
          os << "')";
        }

        // Generate a report for this bug.
        auto R = llvm::make_unique<BugReport>(*BT, os.str(), N);
        R->addRange(ArgRange);

        // FIXME: enhance track back for uninitialized value for arbitrary
        // memregions
        C.emitReport(std::move(R));
      }
      return true;
    }
  }

  return false;
}
304*67e74705SXin Li 
/// Checks the callee of a C call expression before it is evaluated.
///
/// An undefined callee value and a callee that is known to be null are each
/// reported via emitBadCall.  Otherwise analysis continues on the state in
/// which the callee is assumed non-null, so later code does not re-derive
/// the null case.
///
/// \param CE The call expression.
/// \param C  Checker context.
void CallAndMessageChecker::checkPreStmt(const CallExpr *CE,
                                         CheckerContext &C) const{
  const Expr *Callee = CE->getCallee()->IgnoreParens();
  ProgramStateRef State = C.getState();
  const SVal CalleeVal = State->getSVal(Callee, C.getLocationContext());

  if (CalleeVal.isUndef()) {
    LazyInit_BT("Called function pointer is an uninitialized pointer value",
                BT_call_undef);
    emitBadCall(BT_call_undef.get(), C, Callee);
    return;
  }

  // Split the state on the callee being null; report only when the null
  // branch is the sole possibility.
  ProgramStateRef StNonNull, StNull;
  std::tie(StNonNull, StNull) =
      State->assume(CalleeVal.castAs<DefinedOrUnknownSVal>());

  if (StNull && !StNonNull) {
    LazyInit_BT("Called function pointer is null (null dereference)",
                BT_call_null);
    emitBadCall(BT_call_null.get(), C, Callee);
    return;
  }

  C.addTransition(StNonNull);
}
334*67e74705SXin Li 
/// Reports `delete` / `delete[]` of an undefined pointer value.
///
/// \param DE The delete expression.
/// \param C  Checker context.
void CallAndMessageChecker::checkPreStmt(const CXXDeleteExpr *DE,
                                         CheckerContext &C) const {
  const SVal Arg = C.getSVal(DE->getArgument());
  if (!Arg.isUndef())
    return;

  ExplodedNode *N = C.generateErrorNode();
  if (!N)
    return;

  LazyInit_BT("Uninitialized argument value", BT_cxx_delete_undef);
  // Distinguish the array form in the description only.
  const StringRef Desc = DE->isArrayFormAsWritten()
                             ? "Argument to 'delete[]' is uninitialized"
                             : "Argument to 'delete' is uninitialized";

  auto Report = llvm::make_unique<BugReport>(*BT_cxx_delete_undef, Desc, N);
  bugreporter::trackNullOrUndefValue(N, DE, *Report);
  C.emitReport(std::move(Report));
}
358*67e74705SXin Li 
359*67e74705SXin Li 
/// Pre-call checks that apply to every kind of call event.
///
/// For C++ member calls the implicit object pointer is checked for an
/// undefined or known-null value.  When the callee declaration is known, a
/// call passing fewer arguments than declared parameters is reported.  Every
/// argument is then passed through PreVisitProcessArg; the first argument
/// that yields a report ends the check.  If nothing is reported, analysis
/// continues on the state in which the object pointer (if any) is non-null.
///
/// \param Call The call event.
/// \param C    Checker context.
void CallAndMessageChecker::checkPreCall(const CallEvent &Call,
                                         CheckerContext &C) const {
  ProgramStateRef State = C.getState();

  // C++ member call: the object pointer must be defined and non-null.
  if (const auto *InstCall = dyn_cast<CXXInstanceCall>(&Call)) {
    const SVal ThisVal = InstCall->getCXXThisVal();
    if (ThisVal.isUndef()) {
      LazyInit_BT("Called C++ object pointer is uninitialized",
                  BT_cxx_call_undef);
      emitBadCall(BT_cxx_call_undef.get(), C, InstCall->getCXXThisExpr());
      return;
    }

    ProgramStateRef StNonNull, StNull;
    std::tie(StNonNull, StNull) =
        State->assume(ThisVal.castAs<DefinedOrUnknownSVal>());

    if (StNull && !StNonNull) {
      LazyInit_BT("Called C++ object pointer is null", BT_cxx_call_null);
      emitBadCall(BT_cxx_call_null.get(), C, InstCall->getCXXThisExpr());
      return;
    }

    // Carry the non-null assumption forward for the final transition.
    State = StNonNull;
  }

  const Decl *D = Call.getDecl();
  const auto *FD = dyn_cast_or_null<FunctionDecl>(D);
  if (FD) {
    // With a declaration in hand we can compare the argument count against
    // the declared parameter count.
    const unsigned Params = FD->getNumParams();
    if (Call.getNumArgs() < Params) {
      ExplodedNode *N = C.generateErrorNode();
      if (!N)
        return;

      LazyInit_BT("Function call with too few arguments", BT_call_few_args);

      SmallString<512> Str;
      llvm::raw_svector_ostream os(Str);
      os << "Function taking " << Params << " argument"
         << (Params == 1 ? "" : "s") << " is called with less ("
         << Call.getNumArgs() << ")";

      C.emitReport(
          llvm::make_unique<BugReport>(*BT_call_few_args, os.str(), N));
      // No early return: the per-argument checks below still run.
    }
  }

  // Don't check for uninitialized field values in arguments if the
  // caller has a body that is available and we have the chance to inline it.
  // This is a hack, but is a reasonable compromise betweens sometimes warning
  // and sometimes not depending on if we decide to inline a function.
  const bool checkUninitFields =
    !(C.getAnalysisManager().shouldInlineCall() && (D && D->getBody()));

  // Argument reports use a different bug type for messages and for calls.
  std::unique_ptr<BugType> &ArgBT =
      isa<ObjCMethodCall>(Call) ? BT_msg_arg : BT_call_arg;

  const unsigned NumArgs = Call.getNumArgs();
  for (unsigned i = 0; i != NumArgs; ++i) {
    // Arguments beyond the declared parameters (variadic) get no ParamDecl.
    const ParmVarDecl *ParamDecl =
        (FD && i < FD->getNumParams()) ? FD->getParamDecl(i) : nullptr;
    if (PreVisitProcessArg(C, Call.getArgSVal(i), Call.getArgSourceRange(i),
                           Call.getArgExpr(i), /*IsFirstArgument=*/i == 0,
                           checkUninitFields, Call, ArgBT, ParamDecl))
      return;
  }

  // If we make it here, record our assumptions about the callee.
  C.addTransition(State);
}
441*67e74705SXin Li 
/// Reports a message whose receiver is an undefined value, with a
/// description chosen by message kind (plain message, property access,
/// subscript).
///
/// \param msg The message call.
/// \param C   Checker context.
void CallAndMessageChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
                                                CheckerContext &C) const {
  const SVal Receiver = msg.getReceiverSVal();
  if (!Receiver.isUndef())
    return;

  ExplodedNode *N = C.generateErrorNode();
  if (!N)
    return;

  BugType *BT = nullptr;
  switch (msg.getMessageKind()) {
  case OCM_Message:
    LazyInit_BT("Receiver in message expression is an uninitialized value",
                BT_msg_undef);
    BT = BT_msg_undef.get();
    break;
  case OCM_PropertyAccess:
    LazyInit_BT("Property access on an uninitialized object pointer",
                BT_objc_prop_undef);
    BT = BT_objc_prop_undef.get();
    break;
  case OCM_Subscript:
    LazyInit_BT("Subscript access on an uninitialized object pointer",
                BT_objc_subscript_undef);
    BT = BT_objc_subscript_undef.get();
    break;
  }
  assert(BT && "Unknown message kind.");

  auto Report = llvm::make_unique<BugReport>(*BT, BT->getName(), N);
  const ObjCMessageExpr *ME = msg.getOriginExpr();
  Report->addRange(ME->getReceiverRange());

  // FIXME: getTrackNullOrUndefValueVisitor can't handle "super" yet.
  if (const Expr *ReceiverE = ME->getInstanceReceiver())
    bugreporter::trackNullOrUndefValue(N, ReceiverE, *Report);
  C.emitReport(std::move(Report));
}
483*67e74705SXin Li 
/// Entry point for messages whose receiver is nil on the current path;
/// delegates to HandleNilReceiver with the current program state.
///
/// \param msg The message call.
/// \param C   Checker context.
void CallAndMessageChecker::checkObjCMessageNil(const ObjCMethodCall &msg,
                                                CheckerContext &C) const {
  ProgramStateRef State = C.getState();
  HandleNilReceiver(C, State, msg);
}
488*67e74705SXin Li 
/// Emits the report for a message to nil whose result is unusable: a null
/// reference for reference result types, otherwise a garbage value of the
/// result type.
///
/// \param C   Checker context.
/// \param msg The message call.
/// \param N   Error node the report is attached to.
void CallAndMessageChecker::emitNilReceiverBug(CheckerContext &C,
                                               const ObjCMethodCall &msg,
                                               ExplodedNode *N) const {
  LazyInit_BT("Receiver in message expression is 'nil'", BT_msg_ret);

  const ObjCMessageExpr *ME = msg.getOriginExpr();
  const QualType ResTy = msg.getResultType();

  SmallString<200> buf;
  llvm::raw_svector_ostream os(buf);
  os << "The receiver of message '";
  ME->getSelector().print(os);
  os << "' is nil";
  if (ResTy->isReferenceType()) {
    os << ", which results in forming a null reference";
  } else {
    os << " and returns a value of type '";
    ResTy.print(os, C.getLangOpts());
    os << "' that will be garbage";
  }

  auto report = llvm::make_unique<BugReport>(*BT_msg_ret, os.str(), N);
  report->addRange(ME->getReceiverRange());
  // FIXME: This won't track "self" in messages to super.
  if (const Expr *receiver = ME->getInstanceReceiver())
    bugreporter::trackNullOrUndefValue(N, receiver, *report);
  C.emitReport(std::move(report));
}
522*67e74705SXin Li 
/// Whether the target's Objective-C runtime defines the result of messaging
/// nil for floating-point and 64-bit integer result types: Apple targets on
/// iOS, watchOS, or macOS 10.5 and later.
///
/// \param triple The target triple.
static bool supportsNilWithFloatRet(const llvm::Triple &triple) {
  if (triple.getVendor() != llvm::Triple::Apple)
    return false;
  if (triple.isiOS() || triple.isWatchOS())
    return true;
  return !triple.isMacOSXVersionLT(10, 5);
}
528*67e74705SXin Li 
/// Models the result of a message sent to a nil receiver.
///
/// Struct/class results are bound to zero.  For any other non-void result
/// whose value is consumed by the enclosing expression: a reference result,
/// or a result wider than a pointer that the target does not define (see
/// supportsNilWithFloatRet), is reported as garbage; otherwise the result is
/// bound to zero.  Unconsumed or void results leave the state unchanged.
///
/// \param C     Checker context.
/// \param state State in which the receiver is nil.
/// \param Msg   The message call.
void CallAndMessageChecker::HandleNilReceiver(CheckerContext &C,
                                              ProgramStateRef state,
                                              const ObjCMethodCall &Msg) const {
  ASTContext &Ctx = C.getASTContext();
  static CheckerProgramPointTag Tag(this, "NilReceiver");

  // A message to nil returns different values depending on the return type
  // and the architecture.
  const QualType RetTy = Msg.getResultType();
  const CanQualType CanRetTy = Ctx.getCanonicalType(RetTy);
  const LocationContext *LCtx = C.getLocationContext();
  const ObjCMessageExpr *OriginE = Msg.getOriginExpr();

  // Binds a zero of the result type to the message expression.
  auto bindZeroResult = [&]() {
    SVal Zero = C.getSValBuilder().makeZeroVal(RetTy);
    C.addTransition(state->BindExpr(OriginE, LCtx, Zero), &Tag);
  };

  if (CanRetTy->isStructureOrClassType()) {
    // Structure returns are safe since the compiler zeroes them out.
    bindZeroResult();
    return;
  }

  const bool ResultIsUsed =
      CanRetTy != Ctx.VoidTy && LCtx->getParentMap().isConsumedExpr(OriginE);
  if (!ResultIsUsed) {
    C.addTransition(state);
    return;
  }

  // Other cases: check if sizeof(return type) > sizeof(void*)
  const uint64_t voidPtrSize = Ctx.getTypeSize(Ctx.VoidPtrTy);
  const uint64_t returnTypeSize = Ctx.getTypeSize(CanRetTy);

  const bool IsFloatOrLongLong =
      Ctx.FloatTy == CanRetTy || Ctx.DoubleTy == CanRetTy ||
      Ctx.LongDoubleTy == CanRetTy || Ctx.LongLongTy == CanRetTy ||
      Ctx.UnsignedLongLongTy == CanRetTy;
  const bool WideResultDefined =
      supportsNilWithFloatRet(Ctx.getTargetInfo().getTriple()) &&
      IsFloatOrLongLong;
  const bool ResultIsGarbage =
      CanRetTy.getTypePtr()->isReferenceType() ||
      (voidPtrSize < returnTypeSize && !WideResultDefined);

  if (ResultIsGarbage) {
    if (ExplodedNode *N = C.generateErrorNode(state, &Tag))
      emitNilReceiverBug(C, Msg, N);
    return;
  }

  // Handle the safe cases where the return value is 0 if the
  // receiver is nil.
  //
  // FIXME: For now take the conservative approach that we only
  // return null values if we *know* that the receiver is nil.
  // This is because we can have surprises like:
  //
  //   ... = [[NSScreens screens] objectAtIndex:0];
  //
  // What can happen is that [... screens] could return nil, but
  // it most likely isn't nil.  We should assume the semantics
  // of this case unless we have *a lot* more knowledge.
  //
  bindZeroResult();
}
588*67e74705SXin Li 
// Registration entry points.  Each one obtains a CallAndMessageChecker from
// the CheckerManager, sets the matching Check_* flag in its ChecksFilter and
// records the current check name.  Within this file only
// Check_CallAndMessageUnInitRefArg is consulted (by uninitRefOrPointer); the
// remaining checks run for either registration.
#define REGISTER_CHECKER(name)                                                 \
  void ento::register##name(CheckerManager &mgr) {                             \
    CallAndMessageChecker *Checker =                                           \
        mgr.registerChecker<CallAndMessageChecker>();                          \
    Checker->Filter.Check_##name = true;                                       \
    Checker->Filter.CheckName_##name = mgr.getCurrentCheckName();              \
  }

REGISTER_CHECKER(CallAndMessageUnInitRefArg)
REGISTER_CHECKER(CallAndMessageChecker)