clang: lib/StaticAnalyzer/Checkers/ReturnUndefChecker.cpp Source File (original) (raw)

1

2

3

4

5

6

7

8

9

10

11

12

13

14

21

22using namespace clang;

23using namespace ento;

24

25namespace {

26class ReturnUndefChecker : public Checker< check::PreStmt > {

27 const BugType BT_Undef{this, "Garbage return value"};

28 const BugType BT_NullReference{this, "Returning null reference"};

29

33public:

35};

36}

37

38void ReturnUndefChecker::checkPreStmt(const ReturnStmt *RS,

41 if (!RetE)

42 return;

43 SVal RetVal = C.getSVal(RetE);

44

47

49

50

51

52

53

54

55

56

58 return;

59

60

61

62

63 if (RT.isNull() && isa(SFC->getDecl()) &&

65 return;

66

67 emitUndef(C, RetE);

68 return;

69 }

70

72 return;

73

76 return;

77 }

78}

79

81 const Expr *RetE, const Expr *TrackingE = nullptr) {

83 if (!N)

84 return;

85

86 auto Report = std::make_unique(BT, Msg, N);

87

90

91 C.emitReport(std::move(Report));

92}

93

94void ReturnUndefChecker::emitUndef(CheckerContext &C, const Expr *RetE) const {

95 emitBug(C, BT_Undef, "Undefined or garbage value returned to caller", RetE);

96}

97

98void ReturnUndefChecker::checkReference(CheckerContext &C, const Expr *RetE,

101 std::tie(StNonNull, StNull) = C.getState()->assume(RetVal);

102

103 if (StNonNull) {

104

105 C.addTransition(StNonNull);

106 return;

107 }

108

109

110 emitBug(C, BT_NullReference, BT_NullReference.getDescription(), RetE,

112}

113

114void ento::registerReturnUndefChecker(CheckerManager &mgr) {

116}

117

118bool ento::shouldRegisterReturnUndefChecker(const CheckerManager &mgr) {

119 return true;

120}

static void emitBug(CheckerContext &C, const BugType &BT, StringRef Msg, const Expr *RetE, const Expr *TrackingE=nullptr)

This represents one expression.

const Decl * getDecl() const

A (possibly-)qualified type.

bool isNull() const

Return true if this QualType doesn't point to a type yet.

ReturnStmt - This represents a return, optionally of an expression: return; return 4;.

It represents a stack frame of the call stack (based on CallEvent).

SourceRange getSourceRange() const LLVM_READONLY

SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...

bool isReferenceType() const

static QualType getDeclaredResultType(const Decl *D)

Returns the result type of a function or method declaration.

CHECKER * registerChecker(AT &&... Args)

Used to register checkers.

SVal - This represents a symbolic expression, which can be either an L-value or an R-value.

T castAs() const

Convert to the specified SVal type, asserting that this SVal is of the desired type.

const Expr * getDerefExpr(const Stmt *S)

Given that expression S represents a pointer that would be dereferenced, try to find a sub-expression...

bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})

Attempts to add visitors to track expression value back to its point of origin.

The JSON file list parser is used to communicate input to InstallAPI.