1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
// SmartPtrChecker.cpp - Check for smart pointer dereference - C++ --------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines a checker that check for null dereference of C++ smart
// pointer.
//
//===----------------------------------------------------------------------===//
#include "SmartPtr.h"
#include "clang/AST/DeclCXX.h"
#include "clang/AST/ExprCXX.h"
#include "clang/AST/Type.h"
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
#include "llvm/ADT/StringRef.h"
using namespace clang;
using namespace ento;
namespace {
static const BugType *NullDereferenceBugTypePtr;
class SmartPtrChecker : public Checker<check::PreCall> {
public:
void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
BugType NullDereferenceBugType{this, "Null SmartPtr dereference",
"C++ Smart Pointer"};
private:
void reportBug(CheckerContext &C, const MemRegion *DerefRegion,
const CallEvent &Call) const;
void explainDereference(llvm::raw_ostream &OS, const MemRegion *DerefRegion,
const CallEvent &Call) const;
};
} // end of anonymous namespace
// Define the inter-checker API.
namespace clang {
namespace ento {
namespace smartptr {
const BugType *getNullDereferenceBugType() { return NullDereferenceBugTypePtr; }
} // namespace smartptr
} // namespace ento
} // namespace clang
void SmartPtrChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const {
if (!smartptr::isStdSmartPtrCall(Call))
return;
ProgramStateRef State = C.getState();
const auto *OC = dyn_cast<CXXMemberOperatorCall>(&Call);
if (!OC)
return;
const MemRegion *ThisRegion = OC->getCXXThisVal().getAsRegion();
if (!ThisRegion)
return;
OverloadedOperatorKind OOK = OC->getOverloadedOperator();
if (OOK == OO_Star || OOK == OO_Arrow) {
if (smartptr::isNullSmartPtr(State, ThisRegion))
reportBug(C, ThisRegion, Call);
}
}
void SmartPtrChecker::reportBug(CheckerContext &C, const MemRegion *DerefRegion,
const CallEvent &Call) const {
ExplodedNode *ErrNode = C.generateErrorNode();
if (!ErrNode)
return;
llvm::SmallString<128> Str;
llvm::raw_svector_ostream OS(Str);
explainDereference(OS, DerefRegion, Call);
auto R = std::make_unique<PathSensitiveBugReport>(NullDereferenceBugType,
OS.str(), ErrNode);
R->markInteresting(DerefRegion);
C.emitReport(std::move(R));
}
void SmartPtrChecker::explainDereference(llvm::raw_ostream &OS,
const MemRegion *DerefRegion,
const CallEvent &Call) const {
OS << "Dereference of null smart pointer ";
DerefRegion->printPretty(OS);
}
void ento::registerSmartPtrChecker(CheckerManager &Mgr) {
SmartPtrChecker *Checker = Mgr.registerChecker<SmartPtrChecker>();
NullDereferenceBugTypePtr = &Checker->NullDereferenceBugType;
}
bool ento::shouldRegisterSmartPtrChecker(const CheckerManager &mgr) {
const LangOptions &LO = mgr.getLangOpts();
return LO.CPlusPlus;
}
|
