| Zhongxing Xu | 4f64e5f | 2009-11-03 05:48:04 +0000 | [diff] [blame^] | 1 | //===--- BadCallChecker.h - Bad call checker --------------------*- C++ -*--==// |
| 2 | // |
| 3 | // The LLVM Compiler Infrastructure |
| 4 | // |
| 5 | // This file is distributed under the University of Illinois Open Source |
| 6 | // License. See LICENSE.TXT for details. |
| 7 | // |
| 8 | //===----------------------------------------------------------------------===// |
| 9 | // |
| 10 | // This defines BadCallChecker, a builtin check in GRExprEngine that performs |
| 11 | // checks for bad callee at call sites. |
| 12 | // |
| 13 | //===----------------------------------------------------------------------===// |
| 14 | |
| 15 | #include "clang/Analysis/PathSensitive/Checkers/BadCallChecker.h" |
| 16 | #include "clang/Analysis/PathSensitive/BugReporter.h" |
| 17 | |
| 18 | using namespace clang; |
| 19 | |
| 20 | void *BadCallChecker::getTag() { |
| 21 | static int x = 0; |
| 22 | return &x; |
| 23 | } |
| 24 | |
| 25 | void BadCallChecker::PreVisitCallExpr(CheckerContext &C, const CallExpr *CE) { |
| 26 | const Expr *Callee = CE->getCallee()->IgnoreParens(); |
| 27 | SVal L = C.getState()->getSVal(Callee); |
| 28 | |
| 29 | if (L.isUndef() || isa<loc::ConcreteInt>(L)) { |
| 30 | if (ExplodedNode *N = C.GenerateNode(CE, true)) { |
| 31 | if (!BT) |
| 32 | BT = new BuiltinBug(0, "Invalid function call", |
| 33 | "Called function pointer is a null or undefined pointer value"); |
| 34 | |
| 35 | EnhancedBugReport *R = |
| 36 | new EnhancedBugReport(*BT, BT->getDescription().c_str(), N); |
| 37 | |
| 38 | R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, |
| 39 | bugreporter::GetCalleeExpr(N)); |
| 40 | |
| 41 | C.EmitReport(R); |
| 42 | } |
| 43 | } |
| 44 | } |