clang 20.0.0git
ReturnUndefChecker.cpp
Go to the documentation of this file.
1//== ReturnUndefChecker.cpp -------------------------------------*- C++ -*--==//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines ReturnUndefChecker, which is a path-sensitive
10// check which looks for undefined or garbage values being returned to the
11// caller.
12//
13//===----------------------------------------------------------------------===//
14
21
22using namespace clang;
23using namespace ento;
24
25namespace {
26class ReturnUndefChecker : public Checker< check::PreStmt<ReturnStmt> > {
27 const BugType BT_Undef{this, "Garbage return value"};
28 const BugType BT_NullReference{this, "Returning null reference"};
29
30 void emitUndef(CheckerContext &C, const Expr *RetE) const;
31 void checkReference(CheckerContext &C, const Expr *RetE,
32 DefinedOrUnknownSVal RetVal) const;
33public:
34 void checkPreStmt(const ReturnStmt *RS, CheckerContext &C) const;
35};
36}
37
38void ReturnUndefChecker::checkPreStmt(const ReturnStmt *RS,
39 CheckerContext &C) const {
40 const Expr *RetE = RS->getRetValue();
41 if (!RetE)
42 return;
43 SVal RetVal = C.getSVal(RetE);
44
45 const StackFrameContext *SFC = C.getStackFrame();
47
48 if (RetVal.isUndef()) {
49 // "return;" is modeled to evaluate to an UndefinedVal. Allow UndefinedVal
50 // to be returned in functions returning void to support this pattern:
51 // void foo() {
52 // return;
53 // }
54 // void test() {
55 // return foo();
56 // }
57 if (!RT.isNull() && RT->isVoidType())
58 return;
59
60 // Not all blocks have explicitly-specified return types; if the return type
61 // is not available, but the return value expression has 'void' type, assume
62 // Sema already checked it.
63 if (RT.isNull() && isa<BlockDecl>(SFC->getDecl()) &&
64 RetE->getType()->isVoidType())
65 return;
66
67 emitUndef(C, RetE);
68 return;
69 }
70
71 if (RT.isNull())
72 return;
73
74 if (RT->isReferenceType()) {
75 checkReference(C, RetE, RetVal.castAs<DefinedOrUnknownSVal>());
76 return;
77 }
78}
79
80static void emitBug(CheckerContext &C, const BugType &BT, StringRef Msg,
81 const Expr *RetE, const Expr *TrackingE = nullptr) {
82 ExplodedNode *N = C.generateErrorNode();
83 if (!N)
84 return;
85
86 auto Report = std::make_unique<PathSensitiveBugReport>(BT, Msg, N);
87
88 Report->addRange(RetE->getSourceRange());
89 bugreporter::trackExpressionValue(N, TrackingE ? TrackingE : RetE, *Report);
90
91 C.emitReport(std::move(Report));
92}
93
94void ReturnUndefChecker::emitUndef(CheckerContext &C, const Expr *RetE) const {
95 emitBug(C, BT_Undef, "Undefined or garbage value returned to caller", RetE);
96}
97
98void ReturnUndefChecker::checkReference(CheckerContext &C, const Expr *RetE,
99 DefinedOrUnknownSVal RetVal) const {
100 ProgramStateRef StNonNull, StNull;
101 std::tie(StNonNull, StNull) = C.getState()->assume(RetVal);
102
103 if (StNonNull) {
104 // Going forward, assume the location is non-null.
105 C.addTransition(StNonNull);
106 return;
107 }
108
109 // The return value is known to be null. Emit a bug report.
110 emitBug(C, BT_NullReference, BT_NullReference.getDescription(), RetE,
112}
113
114void ento::registerReturnUndefChecker(CheckerManager &mgr) {
115 mgr.registerChecker<ReturnUndefChecker>();
116}
117
118bool ento::shouldRegisterReturnUndefChecker(const CheckerManager &mgr) {
119 return true;
120}
static void emitBug(CheckerContext &C, const BugType &BT, StringRef Msg, const Expr *RetE, const Expr *TrackingE=nullptr)
This represents one expression.
Definition: Expr.h:110
QualType getType() const
Definition: Expr.h:142
const Decl * getDecl() const
A (possibly-)qualified type.
Definition: Type.h:929
bool isNull() const
Return true if this QualType doesn't point to a type yet.
Definition: Type.h:996
ReturnStmt - This represents a return, optionally of an expression: return; return 4;.
Definition: Stmt.h:3046
Expr * getRetValue()
Definition: Stmt.h:3077
It represents a stack frame of the call stack (based on CallEvent).
SourceRange getSourceRange() const LLVM_READONLY
SourceLocation tokens are not useful in isolation - they are low level value objects created/interpre...
Definition: Stmt.cpp:333
bool isVoidType() const
Definition: Type.h:8510
bool isReferenceType() const
Definition: Type.h:8204
static QualType getDeclaredResultType(const Decl *D)
Returns the result type of a function or method declaration.
Definition: CallEvent.cpp:352
CHECKER * registerChecker(AT &&... Args)
Used to register checkers.
SVal - This represents a symbolic expression, which can be either an L-value or an R-value.
Definition: SVals.h:56
bool isUndef() const
Definition: SVals.h:107
T castAs() const
Convert to the specified SVal type, asserting that this SVal is of the desired type.
Definition: SVals.h:83
const Expr * getDerefExpr(const Stmt *S)
Given that expression S represents a pointer that would be dereferenced, try to find a sub-expression...
bool trackExpressionValue(const ExplodedNode *N, const Expr *E, PathSensitiveBugReport &R, TrackingOptions Opts={})
Attempts to add visitors to track expression value back to its point of origin.
The JSON file list parser is used to communicate input to InstallAPI.