commit 5206f0b913d1a11744c9436c83b24f8daa21152c
author Zhongxing Xu <xuzhongxing@gmail.com> Tue Nov 03 12:13:38 2009 +0000
committer Zhongxing Xu <xuzhongxing@gmail.com> Tue Nov 03 12:13:38 2009 +0000
tree 18e9b48570d6cf34a39e77222b1817de4d0e9586
parent 8112c61789ed077892f4abae55065ab3ce2ae977

Pull VLA size checker into its own files. 
Split it to two checkers, one for undefined size, 
the other for zero size, so that we don't need to query the size
when emitting the bug report.


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@85895 91177308-0d34-0410-b5e6-96231b3b80d8

lib/Analysis/ZeroSizedVLAChecker.cpp

diff --git a/lib/Analysis/ZeroSizedVLAChecker.cpp b/lib/Analysis/ZeroSizedVLAChecker.cpp
new file mode 100644
index 0000000..8984a5f
--- /dev/null
+++ b/lib/Analysis/ZeroSizedVLAChecker.cpp
@@ -0,0 +1,66 @@
+//=== ZeroSizedVLAChecker.cpp - Undefined dereference checker ---*- C++ -*-===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This defines ZeorSizedVLAChecker, a builtin check in GRExprEngine that 
+// performs checks for declaration of VLA of zero size.
+//
+//===----------------------------------------------------------------------===//
+
+#include "clang/Analysis/PathSensitive/Checkers/ZeroSizedVLAChecker.h"
+#include "clang/Analysis/PathSensitive/GRExprEngine.h"
+#include "clang/Analysis/PathSensitive/BugReporter.h"
+
+using namespace clang;
+
+void *ZeroSizedVLAChecker::getTag() {
+  static int x;
+  return &x;
+}
+
+ExplodedNode *ZeroSizedVLAChecker::CheckType(QualType T, ExplodedNode *Pred, 
+                                             const GRState *state, Stmt *S, 
+                                             GRExprEngine &Eng) {
+  GRStmtNodeBuilder &Builder = Eng.getBuilder();
+  BugReporter &BR = Eng.getBugReporter();
+
+  if (VariableArrayType* VLA = dyn_cast<VariableArrayType>(T)) {
+    // FIXME: Handle multi-dimensional VLAs.
+    Expr* SE = VLA->getSizeExpr();
+    SVal Size_untested = state->getSVal(SE);
+
+    DefinedOrUnknownSVal *Size = dyn_cast<DefinedOrUnknownSVal>(&Size_untested);
+    // Undefined size is checked in another checker.
+    if (!Size)
+      return Pred;
+
+    const GRState *zeroState =  state->Assume(*Size, false);
+    state = state->Assume(*Size, true);
+
+    if (zeroState && !state) {
+      if (ExplodedNode* N = Builder.generateNode(S, zeroState, Pred)) {
+        N->markAsSink();
+        if (!BT)
+          BT = new BugType("Declare variable-length array (VLA) of zero size",
+                            "Logic error");
+
+        EnhancedBugReport *R =
+                          new EnhancedBugReport(*BT, BT->getName().c_str(), N);
+        R->addRange(SE->getSourceRange());
+        R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, SE);
+        BR.EmitReport(R);
+      }
+    }
+    if (!state)
+      return 0;
+
+    return Builder.generateNode(S, state, Pred);
+  }
+  else
+    return Pred;
+}