//== BoolAssignmentChecker.cpp - Boolean assignment checker -----*- C++ -*--==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This defines BoolAssignmentChecker, a builtin check in ExprEngine that
// performs checks for assignment of non-Boolean values to Boolean variables.
//
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Checkers/Taint.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include <optional>

using namespace clang;
using namespace ento;

namespace {
/// Path-sensitive checker subscribed to the bind event. It reports stores
/// into Boolean-typed regions when the stored value is not, or might not be,
/// within the range [0, 1].
class BoolAssignmentChecker : public Checker<check::Bind> {
  // Bug type shared by all reports; created lazily by emitReport(), which is
  // why it is mutable although the checker callbacks are const.
  mutable std::unique_ptr<BuiltinBug> BT;

  /// Emit a non-fatal report on \p state. \p IsTainted selects the wording
  /// used when the offending value is tainted rather than provably out of
  /// range.
  void emitReport(ProgramStateRef state, CheckerContext &C,
                  bool IsTainted = false) const;

public:
  /// Bind callback: inspects the value \p val being stored to \p loc.
  void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const;
};
} // end anonymous namespace

/// Report a non-Boolean assignment on the given state.
///
/// \param state     State the non-fatal error node is generated from.
/// \param C         Checker context used to create the node and emit the
///                  report.
/// \param IsTainted When true, the report uses the "Might assign a tainted
///                  non-Boolean value" message instead of the definite one.
///
/// Nothing is reported if the context does not produce an error node.
void BoolAssignmentChecker::emitReport(ProgramStateRef state, CheckerContext &C,
                                       bool IsTainted) const {
  ExplodedNode *ErrNode = C.generateNonFatalErrorNode(state);
  if (!ErrNode)
    return;

  // The bug type is built on the first report and reused afterwards.
  if (!BT)
    BT = std::make_unique<BuiltinBug>(this,
                                      "Assignment of a non-Boolean value");

  StringRef Msg = "Assignment of a non-Boolean value";
  if (IsTainted)
    Msg = "Might assign a tainted non-Boolean value";

  C.emitReport(std::make_unique<PathSensitiveBugReport>(*BT, Msg, ErrNode));
}

/// Return true if \p Ty is a Boolean type: either the language's own Boolean
/// type or a typedef whose name is one of the well-known Boolean aliases
/// listed below.
static bool isBooleanType(QualType Ty) {
  if (Ty->isBooleanType()) // C++ or C99
    return true;

  const TypedefType *TT = Ty->getAs<TypedefType>();
  if (!TT)
    return false;

  const StringRef TypedefName = TT->getDecl()->getName();
  return TypedefName == "BOOL" ||  // Objective-C
         TypedefName == "_Bool" || // stdbool.h < C99
         TypedefName == "Boolean"; // MacTypes.h
}

/// Check a store for a value that does not fit a Boolean.
///
/// Two situations are reported:
///  - the value cannot lie in [0, 1] on this path (definite report);
///  - the value may lie inside or outside [0, 1] and taint::isTainted()
///    reports it as tainted (tainted report).
///
/// Stores to locations that are not typed value regions, stores to
/// non-Boolean regions, and stored values that are not NonLoc are ignored.
void BoolAssignmentChecker::checkBind(SVal loc, SVal val, const Stmt *S,
                                      CheckerContext &C) const {
  // We are only interested in stores into Booleans.
  const auto *Target = dyn_cast_or_null<TypedValueRegion>(loc.getAsRegion());
  if (!Target)
    return;

  const QualType TargetTy = Target->getValueType();
  if (!isBooleanType(TargetTy))
    return;

  // Get the value of the right-hand side. We only care about values
  // that are defined (UnknownVals and UndefinedVals are handled by other
  // checkers).
  std::optional<NonLoc> NV = val.getAs<NonLoc>();
  if (!NV)
    return;

  // Check if the assigned value meets our criteria for correctness. It must
  // be a value that is either 0 or 1. One way to check this is to see if
  // the value is possibly < 0 (for a negative value) or greater than 1.
  ProgramStateRef state = C.getState();
  BasicValueFactory &BVF = C.getSValBuilder().getBasicValueFactory();
  ConstraintManager &CM = C.getConstraintManager();

  // Range bounds are expressed in the type of the destination region.
  const llvm::APSInt Zero = BVF.getValue(0, TargetTy);
  const llvm::APSInt One = BVF.getValue(1, TargetTy);

  // StIn: state in which the value is within [Zero, One];
  // StOut: state in which it is outside that range.
  auto [StIn, StOut] = CM.assumeInclusiveRangeDual(state, *NV, Zero, One);

  if (!StIn) {
    // The in-range assumption is infeasible: definite non-Boolean store.
    emitReport(StOut, C);
  } else if (StOut && taint::isTainted(state, *NV)) {
    // Both outcomes are feasible and the value is tainted, so nothing on this
    // path constrains it to [0, 1].
    emitReport(StOut, C, /*IsTainted=*/true);
  }
}

/// Register BoolAssignmentChecker with the checker manager.
void ento::registerBoolAssignmentChecker(CheckerManager &mgr) {
  mgr.registerChecker<BoolAssignmentChecker>();
}

/// The checker has no registration preconditions; it is always eligible.
bool ento::shouldRegisterBoolAssignmentChecker(const CheckerManager &mgr) {
  return true;
}