//== BoolAssignmentChecker.cpp - Boolean assignment checker -----*- C++ -*--==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This defines BoolAssignmentChecker, a builtin check in ExprEngine that
// performs checks for assignment of non-Boolean values to Boolean variables.
//
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/Taint.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include <optional>

using namespace clang;
using namespace ento;

namespace {
/// Path-sensitive checker that hooks value bindings (check::Bind) and reports
/// stores into Boolean-typed regions of values that are not 0 or 1.
class BoolAssignmentChecker : public Checker<check::Bind> {
  // Created on the first report; mutable because the callbacks are const.
  mutable std::unique_ptr<BuiltinBug> BT;

  /// Emit a report on \p state. \p IsTainted selects the message used for a
  /// value that the taint analysis marks as tainted.
  void emitReport(ProgramStateRef state, CheckerContext &C,
                  bool IsTainted = false) const;

public:
  /// Callback for every binding of \p val to \p loc.
  void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const;
};
} // end anonymous namespace

void BoolAssignmentChecker::emitReport(ProgramStateRef state, CheckerContext &C,
                                       bool IsTainted) const {
  // Nothing is reported when the engine does not hand back a non-fatal error
  // node for this state.
  ExplodedNode *ErrNode = C.generateNonFatalErrorNode(state);
  if (!ErrNode)
    return;

  if (!BT)
    BT = std::make_unique<BuiltinBug>(this, "Assignment of a non-Boolean value");

  // The tainted variant is worded as a possibility ("Might assign ..."); the
  // plain variant is used when the in-range assumption is infeasible.
  StringRef Msg;
  if (IsTainted)
    Msg = "Might assign a tainted non-Boolean value";
  else
    Msg = "Assignment of a non-Boolean value";

  C.emitReport(std::make_unique<PathSensitiveBugReport>(*BT, Msg, ErrNode));
}

/// Return true if \p Ty is a Boolean type, or a typedef whose name is one of
/// the Boolean spellings recognised below.
static bool isBooleanType(QualType Ty) {
  if (Ty->isBooleanType()) // C++ or C99
    return true;

  const TypedefType *TT = Ty->getAs<TypedefType>();
  if (!TT)
    return false;

  StringRef Name = TT->getDecl()->getName();
  return Name == "BOOL" ||   // Objective-C
         Name == "_Bool" ||  // stdbool.h < C99
         Name == "Boolean";  // MacTypes.h
}

/// Inspect a store: if the destination is a Boolean-typed region and the
/// stored value is a NonLoc, check whether the value can lie in [0, 1].
void BoolAssignmentChecker::checkBind(SVal loc, SVal val, const Stmt *S,
                                      CheckerContext &C) const {
  // We are only interested in stores into Booleans.
  const auto *TR = dyn_cast_or_null<TypedValueRegion>(loc.getAsRegion());
  if (!TR)
    return;

  QualType valTy = TR->getValueType();
  if (!isBooleanType(valTy))
    return;

  // Get the value of the right-hand side. We only care about values
  // that are defined (UnknownVals and UndefinedVals are handled by other
  // checkers).
  std::optional<NonLoc> NV = val.getAs<NonLoc>();
  if (!NV)
    return;

  // Check if the assigned value meets our criteria for correctness. It must
  // be a value that is either 0 or 1. One way to check this is to see if
  // the value is possibly < 0 (for a negative value) or greater than 1.
  ProgramStateRef state = C.getState();
  SValBuilder &svalBuilder = C.getSValBuilder();
  BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
  ConstraintManager &CM = C.getConstraintManager();

  llvm::APSInt Zero = BVF.getValue(0, valTy);
  llvm::APSInt One = BVF.getValue(1, valTy);

  // StIn: state in which the value is assumed inside [0, 1];
  // StOut: state in which it is assumed outside that range.
  auto [StIn, StOut] = CM.assumeInclusiveRangeDual(state, *NV, Zero, One);

  // The in-range assumption is infeasible: report on the out-of-range state.
  if (!StIn) {
    emitReport(StOut, C);
    return;
  }

  // Both outcomes are feasible. Report only when the taint analysis marks
  // the value as tainted.
  if (StOut && taint::isTainted(state, *NV))
    emitReport(StOut, C, /*IsTainted=*/true);
}

/// Register the checker with the checker manager.
void ento::registerBoolAssignmentChecker(CheckerManager &mgr) {
  mgr.registerChecker<BoolAssignmentChecker>();
}

/// The checker places no precondition on registration.
bool ento::shouldRegisterBoolAssignmentChecker(const CheckerManager &mgr) {
  return true;
}