10b57cec5SDimitry Andric //===-- DereferenceChecker.cpp - Null dereference checker -----------------===//
20b57cec5SDimitry Andric //
30b57cec5SDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
40b57cec5SDimitry Andric // See https://llvm.org/LICENSE.txt for license information.
50b57cec5SDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
60b57cec5SDimitry Andric //
70b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
80b57cec5SDimitry Andric //
90b57cec5SDimitry Andric // This defines NullDerefChecker, a builtin check in ExprEngine that performs
100b57cec5SDimitry Andric // checks for null pointers at loads and stores.
110b57cec5SDimitry Andric //
120b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
130b57cec5SDimitry Andric
140b57cec5SDimitry Andric #include "clang/AST/ExprObjC.h"
150b57cec5SDimitry Andric #include "clang/AST/ExprOpenMP.h"
1681ad6265SDimitry Andric #include "clang/Basic/TargetInfo.h"
1781ad6265SDimitry Andric #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
180b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
190b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h"
200b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/CheckerManager.h"
210b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
220b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
230b57cec5SDimitry Andric #include "llvm/ADT/SmallString.h"
240b57cec5SDimitry Andric #include "llvm/Support/raw_ostream.h"
250b57cec5SDimitry Andric
260b57cec5SDimitry Andric using namespace clang;
270b57cec5SDimitry Andric using namespace ento;
280b57cec5SDimitry Andric
290b57cec5SDimitry Andric namespace {
300b57cec5SDimitry Andric class DereferenceChecker
310b57cec5SDimitry Andric : public Checker< check::Location,
320b57cec5SDimitry Andric check::Bind,
330b57cec5SDimitry Andric EventDispatcher<ImplicitNullDerefEvent> > {
34*0fca6ea1SDimitry Andric enum DerefKind { NullPointer, UndefinedPointerValue, AddressOfLabel };
350b57cec5SDimitry Andric
36e8d8bef9SDimitry Andric BugType BT_Null{this, "Dereference of null pointer", categories::LogicError};
37e8d8bef9SDimitry Andric BugType BT_Undef{this, "Dereference of undefined pointer value",
38e8d8bef9SDimitry Andric categories::LogicError};
39*0fca6ea1SDimitry Andric BugType BT_Label{this, "Dereference of the address of a label",
40*0fca6ea1SDimitry Andric categories::LogicError};
41e8d8bef9SDimitry Andric
42e8d8bef9SDimitry Andric void reportBug(DerefKind K, ProgramStateRef State, const Stmt *S,
43e8d8bef9SDimitry Andric CheckerContext &C) const;
440b57cec5SDimitry Andric
4581ad6265SDimitry Andric bool suppressReport(CheckerContext &C, const Expr *E) const;
4681ad6265SDimitry Andric
470b57cec5SDimitry Andric public:
480b57cec5SDimitry Andric void checkLocation(SVal location, bool isLoad, const Stmt* S,
490b57cec5SDimitry Andric CheckerContext &C) const;
500b57cec5SDimitry Andric void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;
510b57cec5SDimitry Andric
520b57cec5SDimitry Andric static void AddDerefSource(raw_ostream &os,
530b57cec5SDimitry Andric SmallVectorImpl<SourceRange> &Ranges,
540b57cec5SDimitry Andric const Expr *Ex, const ProgramState *state,
550b57cec5SDimitry Andric const LocationContext *LCtx,
560b57cec5SDimitry Andric bool loadedFrom = false);
5781ad6265SDimitry Andric
5881ad6265SDimitry Andric bool SuppressAddressSpaces = false;
590b57cec5SDimitry Andric };
600b57cec5SDimitry Andric } // end anonymous namespace
610b57cec5SDimitry Andric
620b57cec5SDimitry Andric void
AddDerefSource(raw_ostream & os,SmallVectorImpl<SourceRange> & Ranges,const Expr * Ex,const ProgramState * state,const LocationContext * LCtx,bool loadedFrom)630b57cec5SDimitry Andric DereferenceChecker::AddDerefSource(raw_ostream &os,
640b57cec5SDimitry Andric SmallVectorImpl<SourceRange> &Ranges,
650b57cec5SDimitry Andric const Expr *Ex,
660b57cec5SDimitry Andric const ProgramState *state,
670b57cec5SDimitry Andric const LocationContext *LCtx,
680b57cec5SDimitry Andric bool loadedFrom) {
690b57cec5SDimitry Andric Ex = Ex->IgnoreParenLValueCasts();
700b57cec5SDimitry Andric switch (Ex->getStmtClass()) {
710b57cec5SDimitry Andric default:
720b57cec5SDimitry Andric break;
730b57cec5SDimitry Andric case Stmt::DeclRefExprClass: {
740b57cec5SDimitry Andric const DeclRefExpr *DR = cast<DeclRefExpr>(Ex);
750b57cec5SDimitry Andric if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
760b57cec5SDimitry Andric os << " (" << (loadedFrom ? "loaded from" : "from")
770b57cec5SDimitry Andric << " variable '" << VD->getName() << "')";
780b57cec5SDimitry Andric Ranges.push_back(DR->getSourceRange());
790b57cec5SDimitry Andric }
800b57cec5SDimitry Andric break;
810b57cec5SDimitry Andric }
820b57cec5SDimitry Andric case Stmt::MemberExprClass: {
830b57cec5SDimitry Andric const MemberExpr *ME = cast<MemberExpr>(Ex);
840b57cec5SDimitry Andric os << " (" << (loadedFrom ? "loaded from" : "via")
850b57cec5SDimitry Andric << " field '" << ME->getMemberNameInfo() << "')";
860b57cec5SDimitry Andric SourceLocation L = ME->getMemberLoc();
870b57cec5SDimitry Andric Ranges.push_back(SourceRange(L, L));
880b57cec5SDimitry Andric break;
890b57cec5SDimitry Andric }
900b57cec5SDimitry Andric case Stmt::ObjCIvarRefExprClass: {
910b57cec5SDimitry Andric const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(Ex);
920b57cec5SDimitry Andric os << " (" << (loadedFrom ? "loaded from" : "via")
930b57cec5SDimitry Andric << " ivar '" << IV->getDecl()->getName() << "')";
940b57cec5SDimitry Andric SourceLocation L = IV->getLocation();
950b57cec5SDimitry Andric Ranges.push_back(SourceRange(L, L));
960b57cec5SDimitry Andric break;
970b57cec5SDimitry Andric }
980b57cec5SDimitry Andric }
990b57cec5SDimitry Andric }
1000b57cec5SDimitry Andric
getDereferenceExpr(const Stmt * S,bool IsBind=false)1010b57cec5SDimitry Andric static const Expr *getDereferenceExpr(const Stmt *S, bool IsBind=false){
1020b57cec5SDimitry Andric const Expr *E = nullptr;
1030b57cec5SDimitry Andric
1040b57cec5SDimitry Andric // Walk through lvalue casts to get the original expression
1050b57cec5SDimitry Andric // that syntactically caused the load.
1060b57cec5SDimitry Andric if (const Expr *expr = dyn_cast<Expr>(S))
1070b57cec5SDimitry Andric E = expr->IgnoreParenLValueCasts();
1080b57cec5SDimitry Andric
1090b57cec5SDimitry Andric if (IsBind) {
1100b57cec5SDimitry Andric const VarDecl *VD;
1110b57cec5SDimitry Andric const Expr *Init;
1120b57cec5SDimitry Andric std::tie(VD, Init) = parseAssignment(S);
1130b57cec5SDimitry Andric if (VD && Init)
1140b57cec5SDimitry Andric E = Init;
1150b57cec5SDimitry Andric }
1160b57cec5SDimitry Andric return E;
1170b57cec5SDimitry Andric }
1180b57cec5SDimitry Andric
suppressReport(CheckerContext & C,const Expr * E) const11981ad6265SDimitry Andric bool DereferenceChecker::suppressReport(CheckerContext &C,
12081ad6265SDimitry Andric const Expr *E) const {
12181ad6265SDimitry Andric // Do not report dereferences on memory that use address space #256, #257,
12281ad6265SDimitry Andric // and #258. Those address spaces are used when dereferencing address spaces
12381ad6265SDimitry Andric // relative to the GS, FS, and SS segments on x86/x86-64 targets.
12481ad6265SDimitry Andric // Dereferencing a null pointer in these address spaces is not defined
12581ad6265SDimitry Andric // as an error. All other null dereferences in other address spaces
12681ad6265SDimitry Andric // are defined as an error unless explicitly defined.
12781ad6265SDimitry Andric // See https://clang.llvm.org/docs/LanguageExtensions.html, the section
12881ad6265SDimitry Andric // "X86/X86-64 Language Extensions"
12981ad6265SDimitry Andric
13081ad6265SDimitry Andric QualType Ty = E->getType();
13181ad6265SDimitry Andric if (!Ty.hasAddressSpace())
13281ad6265SDimitry Andric return false;
13381ad6265SDimitry Andric if (SuppressAddressSpaces)
13481ad6265SDimitry Andric return true;
13581ad6265SDimitry Andric
13681ad6265SDimitry Andric const llvm::Triple::ArchType Arch =
13781ad6265SDimitry Andric C.getASTContext().getTargetInfo().getTriple().getArch();
13881ad6265SDimitry Andric
13981ad6265SDimitry Andric if ((Arch == llvm::Triple::x86) || (Arch == llvm::Triple::x86_64)) {
14081ad6265SDimitry Andric switch (toTargetAddressSpace(E->getType().getAddressSpace())) {
14181ad6265SDimitry Andric case 256:
14281ad6265SDimitry Andric case 257:
14381ad6265SDimitry Andric case 258:
14481ad6265SDimitry Andric return true;
14581ad6265SDimitry Andric }
14681ad6265SDimitry Andric }
14781ad6265SDimitry Andric return false;
1480b57cec5SDimitry Andric }
1490b57cec5SDimitry Andric
isDeclRefExprToReference(const Expr * E)1500b57cec5SDimitry Andric static bool isDeclRefExprToReference(const Expr *E) {
1510b57cec5SDimitry Andric if (const auto *DRE = dyn_cast<DeclRefExpr>(E))
1520b57cec5SDimitry Andric return DRE->getDecl()->getType()->isReferenceType();
1530b57cec5SDimitry Andric return false;
1540b57cec5SDimitry Andric }
1550b57cec5SDimitry Andric
reportBug(DerefKind K,ProgramStateRef State,const Stmt * S,CheckerContext & C) const156e8d8bef9SDimitry Andric void DereferenceChecker::reportBug(DerefKind K, ProgramStateRef State,
157e8d8bef9SDimitry Andric const Stmt *S, CheckerContext &C) const {
158e8d8bef9SDimitry Andric const BugType *BT = nullptr;
159e8d8bef9SDimitry Andric llvm::StringRef DerefStr1;
160e8d8bef9SDimitry Andric llvm::StringRef DerefStr2;
161e8d8bef9SDimitry Andric switch (K) {
162e8d8bef9SDimitry Andric case DerefKind::NullPointer:
163e8d8bef9SDimitry Andric BT = &BT_Null;
164e8d8bef9SDimitry Andric DerefStr1 = " results in a null pointer dereference";
165e8d8bef9SDimitry Andric DerefStr2 = " results in a dereference of a null pointer";
166e8d8bef9SDimitry Andric break;
167e8d8bef9SDimitry Andric case DerefKind::UndefinedPointerValue:
168e8d8bef9SDimitry Andric BT = &BT_Undef;
169e8d8bef9SDimitry Andric DerefStr1 = " results in an undefined pointer dereference";
170e8d8bef9SDimitry Andric DerefStr2 = " results in a dereference of an undefined pointer value";
171e8d8bef9SDimitry Andric break;
172*0fca6ea1SDimitry Andric case DerefKind::AddressOfLabel:
173*0fca6ea1SDimitry Andric BT = &BT_Label;
174*0fca6ea1SDimitry Andric DerefStr1 = " results in an undefined pointer dereference";
175*0fca6ea1SDimitry Andric DerefStr2 = " results in a dereference of an address of a label";
176*0fca6ea1SDimitry Andric break;
177e8d8bef9SDimitry Andric };
178e8d8bef9SDimitry Andric
1790b57cec5SDimitry Andric // Generate an error node.
1800b57cec5SDimitry Andric ExplodedNode *N = C.generateErrorNode(State);
1810b57cec5SDimitry Andric if (!N)
1820b57cec5SDimitry Andric return;
1830b57cec5SDimitry Andric
1840b57cec5SDimitry Andric SmallString<100> buf;
1850b57cec5SDimitry Andric llvm::raw_svector_ostream os(buf);
1860b57cec5SDimitry Andric
1870b57cec5SDimitry Andric SmallVector<SourceRange, 2> Ranges;
1880b57cec5SDimitry Andric
1890b57cec5SDimitry Andric switch (S->getStmtClass()) {
1900b57cec5SDimitry Andric case Stmt::ArraySubscriptExprClass: {
1910b57cec5SDimitry Andric os << "Array access";
1920b57cec5SDimitry Andric const ArraySubscriptExpr *AE = cast<ArraySubscriptExpr>(S);
1930b57cec5SDimitry Andric AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
1940b57cec5SDimitry Andric State.get(), N->getLocationContext());
195e8d8bef9SDimitry Andric os << DerefStr1;
1960b57cec5SDimitry Andric break;
1970b57cec5SDimitry Andric }
198*0fca6ea1SDimitry Andric case Stmt::ArraySectionExprClass: {
1990b57cec5SDimitry Andric os << "Array access";
200*0fca6ea1SDimitry Andric const ArraySectionExpr *AE = cast<ArraySectionExpr>(S);
2010b57cec5SDimitry Andric AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
2020b57cec5SDimitry Andric State.get(), N->getLocationContext());
203e8d8bef9SDimitry Andric os << DerefStr1;
2040b57cec5SDimitry Andric break;
2050b57cec5SDimitry Andric }
2060b57cec5SDimitry Andric case Stmt::UnaryOperatorClass: {
207e8d8bef9SDimitry Andric os << BT->getDescription();
2080b57cec5SDimitry Andric const UnaryOperator *U = cast<UnaryOperator>(S);
2090b57cec5SDimitry Andric AddDerefSource(os, Ranges, U->getSubExpr()->IgnoreParens(),
2100b57cec5SDimitry Andric State.get(), N->getLocationContext(), true);
2110b57cec5SDimitry Andric break;
2120b57cec5SDimitry Andric }
2130b57cec5SDimitry Andric case Stmt::MemberExprClass: {
2140b57cec5SDimitry Andric const MemberExpr *M = cast<MemberExpr>(S);
2150b57cec5SDimitry Andric if (M->isArrow() || isDeclRefExprToReference(M->getBase())) {
216e8d8bef9SDimitry Andric os << "Access to field '" << M->getMemberNameInfo() << "'" << DerefStr2;
2170b57cec5SDimitry Andric AddDerefSource(os, Ranges, M->getBase()->IgnoreParenCasts(),
2180b57cec5SDimitry Andric State.get(), N->getLocationContext(), true);
2190b57cec5SDimitry Andric }
2200b57cec5SDimitry Andric break;
2210b57cec5SDimitry Andric }
2220b57cec5SDimitry Andric case Stmt::ObjCIvarRefExprClass: {
2230b57cec5SDimitry Andric const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(S);
224e8d8bef9SDimitry Andric os << "Access to instance variable '" << *IV->getDecl() << "'" << DerefStr2;
2250b57cec5SDimitry Andric AddDerefSource(os, Ranges, IV->getBase()->IgnoreParenCasts(),
2260b57cec5SDimitry Andric State.get(), N->getLocationContext(), true);
2270b57cec5SDimitry Andric break;
2280b57cec5SDimitry Andric }
2290b57cec5SDimitry Andric default:
2300b57cec5SDimitry Andric break;
2310b57cec5SDimitry Andric }
2320b57cec5SDimitry Andric
233a7dea167SDimitry Andric auto report = std::make_unique<PathSensitiveBugReport>(
234fe6060f1SDimitry Andric *BT, buf.empty() ? BT->getDescription() : buf.str(), N);
2350b57cec5SDimitry Andric
2360b57cec5SDimitry Andric bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);
2370b57cec5SDimitry Andric
2380b57cec5SDimitry Andric for (SmallVectorImpl<SourceRange>::iterator
2390b57cec5SDimitry Andric I = Ranges.begin(), E = Ranges.end(); I!=E; ++I)
2400b57cec5SDimitry Andric report->addRange(*I);
2410b57cec5SDimitry Andric
2420b57cec5SDimitry Andric C.emitReport(std::move(report));
2430b57cec5SDimitry Andric }
2440b57cec5SDimitry Andric
checkLocation(SVal l,bool isLoad,const Stmt * S,CheckerContext & C) const2450b57cec5SDimitry Andric void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
2460b57cec5SDimitry Andric CheckerContext &C) const {
2470b57cec5SDimitry Andric // Check for dereference of an undefined value.
2480b57cec5SDimitry Andric if (l.isUndef()) {
249e8d8bef9SDimitry Andric const Expr *DerefExpr = getDereferenceExpr(S);
25081ad6265SDimitry Andric if (!suppressReport(C, DerefExpr))
251e8d8bef9SDimitry Andric reportBug(DerefKind::UndefinedPointerValue, C.getState(), DerefExpr, C);
2520b57cec5SDimitry Andric return;
2530b57cec5SDimitry Andric }
2540b57cec5SDimitry Andric
2550b57cec5SDimitry Andric DefinedOrUnknownSVal location = l.castAs<DefinedOrUnknownSVal>();
2560b57cec5SDimitry Andric
2570b57cec5SDimitry Andric // Check for null dereferences.
25881ad6265SDimitry Andric if (!isa<Loc>(location))
2590b57cec5SDimitry Andric return;
2600b57cec5SDimitry Andric
2610b57cec5SDimitry Andric ProgramStateRef state = C.getState();
2620b57cec5SDimitry Andric
2630b57cec5SDimitry Andric ProgramStateRef notNullState, nullState;
2640b57cec5SDimitry Andric std::tie(notNullState, nullState) = state->assume(location);
2650b57cec5SDimitry Andric
2660b57cec5SDimitry Andric if (nullState) {
2670b57cec5SDimitry Andric if (!notNullState) {
268e8d8bef9SDimitry Andric // We know that 'location' can only be null. This is what
269e8d8bef9SDimitry Andric // we call an "explicit" null dereference.
2700b57cec5SDimitry Andric const Expr *expr = getDereferenceExpr(S);
27181ad6265SDimitry Andric if (!suppressReport(C, expr)) {
272e8d8bef9SDimitry Andric reportBug(DerefKind::NullPointer, nullState, expr, C);
2730b57cec5SDimitry Andric return;
2740b57cec5SDimitry Andric }
2750b57cec5SDimitry Andric }
2760b57cec5SDimitry Andric
2770b57cec5SDimitry Andric // Otherwise, we have the case where the location could either be
2780b57cec5SDimitry Andric // null or not-null. Record the error node as an "implicit" null
2790b57cec5SDimitry Andric // dereference.
2800b57cec5SDimitry Andric if (ExplodedNode *N = C.generateSink(nullState, C.getPredecessor())) {
2810b57cec5SDimitry Andric ImplicitNullDerefEvent event = {l, isLoad, N, &C.getBugReporter(),
2820b57cec5SDimitry Andric /*IsDirectDereference=*/true};
2830b57cec5SDimitry Andric dispatchEvent(event);
2840b57cec5SDimitry Andric }
2850b57cec5SDimitry Andric }
2860b57cec5SDimitry Andric
2870b57cec5SDimitry Andric // From this point forward, we know that the location is not null.
2880b57cec5SDimitry Andric C.addTransition(notNullState);
2890b57cec5SDimitry Andric }
2900b57cec5SDimitry Andric
checkBind(SVal L,SVal V,const Stmt * S,CheckerContext & C) const2910b57cec5SDimitry Andric void DereferenceChecker::checkBind(SVal L, SVal V, const Stmt *S,
2920b57cec5SDimitry Andric CheckerContext &C) const {
2930b57cec5SDimitry Andric // If we're binding to a reference, check if the value is known to be null.
2940b57cec5SDimitry Andric if (V.isUndef())
2950b57cec5SDimitry Andric return;
2960b57cec5SDimitry Andric
297*0fca6ea1SDimitry Andric // One should never write to label addresses.
298*0fca6ea1SDimitry Andric if (auto Label = L.getAs<loc::GotoLabel>()) {
299*0fca6ea1SDimitry Andric reportBug(DerefKind::AddressOfLabel, C.getState(), S, C);
300*0fca6ea1SDimitry Andric return;
301*0fca6ea1SDimitry Andric }
302*0fca6ea1SDimitry Andric
3030b57cec5SDimitry Andric const MemRegion *MR = L.getAsRegion();
3040b57cec5SDimitry Andric const TypedValueRegion *TVR = dyn_cast_or_null<TypedValueRegion>(MR);
3050b57cec5SDimitry Andric if (!TVR)
3060b57cec5SDimitry Andric return;
3070b57cec5SDimitry Andric
3080b57cec5SDimitry Andric if (!TVR->getValueType()->isReferenceType())
3090b57cec5SDimitry Andric return;
3100b57cec5SDimitry Andric
3110b57cec5SDimitry Andric ProgramStateRef State = C.getState();
3120b57cec5SDimitry Andric
3130b57cec5SDimitry Andric ProgramStateRef StNonNull, StNull;
3140b57cec5SDimitry Andric std::tie(StNonNull, StNull) = State->assume(V.castAs<DefinedOrUnknownSVal>());
3150b57cec5SDimitry Andric
3160b57cec5SDimitry Andric if (StNull) {
3170b57cec5SDimitry Andric if (!StNonNull) {
3180b57cec5SDimitry Andric const Expr *expr = getDereferenceExpr(S, /*IsBind=*/true);
31981ad6265SDimitry Andric if (!suppressReport(C, expr)) {
320e8d8bef9SDimitry Andric reportBug(DerefKind::NullPointer, StNull, expr, C);
3210b57cec5SDimitry Andric return;
3220b57cec5SDimitry Andric }
3230b57cec5SDimitry Andric }
3240b57cec5SDimitry Andric
3250b57cec5SDimitry Andric // At this point the value could be either null or non-null.
3260b57cec5SDimitry Andric // Record this as an "implicit" null dereference.
3270b57cec5SDimitry Andric if (ExplodedNode *N = C.generateSink(StNull, C.getPredecessor())) {
3280b57cec5SDimitry Andric ImplicitNullDerefEvent event = {V, /*isLoad=*/true, N,
3290b57cec5SDimitry Andric &C.getBugReporter(),
3300b57cec5SDimitry Andric /*IsDirectDereference=*/true};
3310b57cec5SDimitry Andric dispatchEvent(event);
3320b57cec5SDimitry Andric }
3330b57cec5SDimitry Andric }
3340b57cec5SDimitry Andric
3350b57cec5SDimitry Andric // Unlike a regular null dereference, initializing a reference with a
3360b57cec5SDimitry Andric // dereferenced null pointer does not actually cause a runtime exception in
3370b57cec5SDimitry Andric // Clang's implementation of references.
3380b57cec5SDimitry Andric //
3390b57cec5SDimitry Andric // int &r = *p; // safe??
3400b57cec5SDimitry Andric // if (p != NULL) return; // uh-oh
3410b57cec5SDimitry Andric // r = 5; // trap here
3420b57cec5SDimitry Andric //
3430b57cec5SDimitry Andric // The standard says this is invalid as soon as we try to create a "null
3440b57cec5SDimitry Andric // reference" (there is no such thing), but turning this into an assumption
3450b57cec5SDimitry Andric // that 'p' is never null will not match our actual runtime behavior.
3460b57cec5SDimitry Andric // So we do not record this assumption, allowing us to warn on the last line
3470b57cec5SDimitry Andric // of this example.
3480b57cec5SDimitry Andric //
3490b57cec5SDimitry Andric // We do need to add a transition because we may have generated a sink for
3500b57cec5SDimitry Andric // the "implicit" null dereference.
3510b57cec5SDimitry Andric C.addTransition(State, this);
3520b57cec5SDimitry Andric }
3530b57cec5SDimitry Andric
registerDereferenceChecker(CheckerManager & mgr)3540b57cec5SDimitry Andric void ento::registerDereferenceChecker(CheckerManager &mgr) {
35581ad6265SDimitry Andric auto *Chk = mgr.registerChecker<DereferenceChecker>();
35681ad6265SDimitry Andric Chk->SuppressAddressSpaces = mgr.getAnalyzerOptions().getCheckerBooleanOption(
35781ad6265SDimitry Andric mgr.getCurrentCheckerName(), "SuppressAddressSpaces");
3580b57cec5SDimitry Andric }
3590b57cec5SDimitry Andric
shouldRegisterDereferenceChecker(const CheckerManager & mgr)3605ffd83dbSDimitry Andric bool ento::shouldRegisterDereferenceChecker(const CheckerManager &mgr) {
3610b57cec5SDimitry Andric return true;
3620b57cec5SDimitry Andric }
363