| Ted Kremenek | bc3a021 | 2009-10-30 17:24:47 +0000 | [diff] [blame] | 1 | //== NullDerefChecker.cpp - Null dereference checker ------------*- C++ -*--==// |
| 2 | // |
| 3 | // The LLVM Compiler Infrastructure |
| 4 | // |
| 5 | // This file is distributed under the University of Illinois Open Source |
| 6 | // License. See LICENSE.TXT for details. |
| 7 | // |
| 8 | //===----------------------------------------------------------------------===// |
| 9 | // |
| 10 | // This defines NullDerefChecker, a builtin check in GRExprEngine that performs |
| 11 | // checks for null pointers at loads and stores. |
| 12 | // |
| 13 | //===----------------------------------------------------------------------===// |
| 14 | |
| Ted Kremenek | d86caaa | 2009-10-30 17:28:40 +0000 | [diff] [blame] | 15 | #include "clang/Analysis/PathSensitive/Checkers/NullDerefChecker.h" |
| Ted Kremenek | bc3a021 | 2009-10-30 17:24:47 +0000 | [diff] [blame] | 16 | #include "clang/Analysis/PathSensitive/GRExprEngine.h" |
| 17 | #include "clang/Analysis/PathSensitive/BugReporter.h" |
| 18 | |
| 19 | using namespace clang; |
| 20 | |
| 21 | void *NullDerefChecker::getTag() { |
| 22 | static int x = 0; |
| 23 | return &x; |
| 24 | } |
| 25 | |
| 26 | ExplodedNode *NullDerefChecker::CheckLocation(const Stmt *S, ExplodedNode *Pred, |
| 27 | const GRState *state, SVal V, |
| 28 | GRExprEngine &Eng) { |
| 29 | Loc *LV = dyn_cast<Loc>(&V); |
| 30 | |
| 31 | // If the value is not a location, don't touch the node. |
| 32 | if (!LV) |
| 33 | return Pred; |
| 34 | |
| 35 | const GRState *NotNullState = state->Assume(*LV, true); |
| 36 | const GRState *NullState = state->Assume(*LV, false); |
| 37 | |
| 38 | GRStmtNodeBuilder &Builder = Eng.getBuilder(); |
| 39 | BugReporter &BR = Eng.getBugReporter(); |
| 40 | |
| 41 | // The explicit NULL case. |
| 42 | if (NullState) { |
| 43 | // Use the GDM to mark in the state what lval was null. |
| 44 | const SVal *PersistentLV = Eng.getBasicVals().getPersistentSVal(*LV); |
| 45 | NullState = NullState->set<GRState::NullDerefTag>(PersistentLV); |
| 46 | |
| 47 | ExplodedNode *N = Builder.generateNode(S, NullState, Pred, |
| Zhongxing Xu | ff04174 | 2009-10-31 03:36:08 +0000 | [diff] [blame^] | 48 | ProgramPoint::PostNullCheckFailedKind); |
| Ted Kremenek | bc3a021 | 2009-10-30 17:24:47 +0000 | [diff] [blame] | 49 | if (N) { |
| 50 | N->markAsSink(); |
| 51 | |
| 52 | if (!NotNullState) { // Explicit null case. |
| 53 | if (!BT) |
| 54 | BT = new BuiltinBug(NULL, "Null dereference", |
| 55 | "Dereference of null pointer"); |
| 56 | |
| 57 | EnhancedBugReport *R = |
| 58 | new EnhancedBugReport(*BT, BT->getDescription().c_str(), N); |
| 59 | |
| 60 | R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, |
| 61 | bugreporter::GetDerefExpr(N)); |
| 62 | |
| 63 | BR.EmitReport(R); |
| 64 | |
| 65 | return 0; |
| 66 | } else // Implicit null case. |
| 67 | ImplicitNullDerefNodes.push_back(N); |
| 68 | } |
| 69 | } |
| 70 | |
| 71 | if (!NotNullState) |
| 72 | return 0; |
| 73 | |
| 74 | return Builder.generateNode(S, NotNullState, Pred, |
| 75 | ProgramPoint::PostLocationChecksSucceedKind); |
| 76 | } |