1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
//=== StringChecker.cpp -------------------------------------------*- C++ -*--//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file implements the modeling of the std::basic_string type.
// This involves checking preconditions of the operations and applying the
// effects of the operations, e.g. their post-conditions.
//
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallDescription.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
using namespace clang;
using namespace ento;
namespace {
class StringChecker : public Checker<check::PreCall> {
BugType BT_Null{this, "Dereference of null pointer", categories::LogicError};
mutable const FunctionDecl *StringConstCharPtrCtor = nullptr;
mutable CanQualType SizeTypeTy;
const CallDescription TwoParamStdStringCtor = {
{"std", "basic_string", "basic_string"}, 2, 2};
bool isCharToStringCtor(const CallEvent &Call, const ASTContext &ACtx) const;
public:
void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
};
bool StringChecker::isCharToStringCtor(const CallEvent &Call,
const ASTContext &ACtx) const {
if (!TwoParamStdStringCtor.matches(Call))
return false;
const auto *FD = dyn_cast<FunctionDecl>(Call.getDecl());
assert(FD);
// See if we already cached it.
if (StringConstCharPtrCtor && StringConstCharPtrCtor == FD)
return true;
// Verify that the parameters have the expected types:
// - arg 1: `const CharT *`
// - arg 2: some allocator - which is definately not `size_t`.
const QualType Arg1Ty = Call.getArgExpr(0)->getType().getCanonicalType();
const QualType Arg2Ty = Call.getArgExpr(1)->getType().getCanonicalType();
if (!Arg1Ty->isPointerType())
return false;
// It makes sure that we don't select the `string(const char* p, size_t len)`
// overload accidentally.
if (Arg2Ty.getCanonicalType() == ACtx.getSizeType())
return false;
StringConstCharPtrCtor = FD; // Cache the decl of the right overload.
return true;
}
void StringChecker::checkPreCall(const CallEvent &Call,
CheckerContext &C) const {
if (!isCharToStringCtor(Call, C.getASTContext()))
return;
const auto Param = Call.getArgSVal(0).getAs<Loc>();
if (!Param)
return;
// We managed to constrain the parameter to non-null.
ProgramStateRef NotNull, Null;
std::tie(NotNull, Null) = C.getState()->assume(*Param);
if (NotNull) {
const auto Callback = [Param](PathSensitiveBugReport &BR) -> std::string {
return BR.isInteresting(*Param) ? "Assuming the pointer is not null."
: "";
};
// Emit note only if this operation constrained the pointer to be null.
C.addTransition(NotNull, Null ? C.getNoteTag(Callback) : nullptr);
return;
}
// We found a path on which the parameter is NULL.
if (ExplodedNode *N = C.generateErrorNode(C.getState())) {
auto R = std::make_unique<PathSensitiveBugReport>(
BT_Null, "The parameter must not be null", N);
bugreporter::trackExpressionValue(N, Call.getArgExpr(0), *R);
C.emitReport(std::move(R));
}
}
} // end anonymous namespace
void ento::registerStringChecker(CheckerManager &Mgr) {
Mgr.registerChecker<StringChecker>();
}
bool ento::shouldRegisterStringChecker(const CheckerManager &) { return true; }
|