10b57cec5SDimitry Andric //===-- DereferenceChecker.cpp - Null dereference checker -----------------===//
20b57cec5SDimitry Andric //
30b57cec5SDimitry Andric // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
40b57cec5SDimitry Andric // See https://llvm.org/LICENSE.txt for license information.
50b57cec5SDimitry Andric // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
60b57cec5SDimitry Andric //
70b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
80b57cec5SDimitry Andric //
90b57cec5SDimitry Andric // This defines NullDerefChecker, a builtin check in ExprEngine that performs
100b57cec5SDimitry Andric // checks for null pointers at loads and stores.
110b57cec5SDimitry Andric //
120b57cec5SDimitry Andric //===----------------------------------------------------------------------===//
130b57cec5SDimitry Andric 
140b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
150b57cec5SDimitry Andric #include "clang/AST/ExprObjC.h"
160b57cec5SDimitry Andric #include "clang/AST/ExprOpenMP.h"
170b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
180b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/Checker.h"
190b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/CheckerManager.h"
200b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
210b57cec5SDimitry Andric #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
220b57cec5SDimitry Andric #include "llvm/ADT/SmallString.h"
230b57cec5SDimitry Andric #include "llvm/Support/raw_ostream.h"
240b57cec5SDimitry Andric 
250b57cec5SDimitry Andric using namespace clang;
260b57cec5SDimitry Andric using namespace ento;
270b57cec5SDimitry Andric 
namespace {
/// Reports loads/stores through a pointer the analyzer can prove null, and
/// binds of a known-null value to a reference. When the pointer may only be
/// null on some paths, the null branch is sunk and an ImplicitNullDerefEvent
/// is dispatched instead of a report.
class DereferenceChecker
    : public Checker< check::Location,
                      check::Bind,
                      EventDispatcher<ImplicitNullDerefEvent> > {
  // Created lazily on the first report of each kind (see reportBug and
  // checkLocation); 'mutable' because the callbacks are const.
  mutable std::unique_ptr<BuiltinBug> BT_null;
  mutable std::unique_ptr<BuiltinBug> BT_undef;

  /// Emit a "Dereference of null pointer" report for statement \p S in
  /// \p State, with a message tailored to the kind of expression \p S is.
  void reportBug(ProgramStateRef State, const Stmt *S, CheckerContext &C) const;

public:
  /// Called on every load/store; \p location is the address being accessed
  /// and \p S the statement performing the access.
  void checkLocation(SVal location, bool isLoad, const Stmt* S,
                     CheckerContext &C) const;
  /// Called on every binding of value \p V to location \p L. Only bindings
  /// to a reference-typed region are examined.
  void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;

  /// Append a parenthesized description of where the dereferenced pointer
  /// came from (variable, field or ivar) to \p os and record the matching
  /// source range in \p Ranges. Other expression kinds add nothing.
  /// \p state and \p LCtx are currently not used by the implementation.
  static void AddDerefSource(raw_ostream &os,
                             SmallVectorImpl<SourceRange> &Ranges,
                             const Expr *Ex, const ProgramState *state,
                             const LocationContext *LCtx,
                             bool loadedFrom = false);
};
} // end anonymous namespace
500b57cec5SDimitry Andric 
/// Describe the syntactic origin of the dereferenced pointer \p Ex.
///
/// For a variable reference, member access or ObjC ivar access, a clause such
/// as " (loaded from variable 'p')" is appended to \p os and the relevant
/// source range is pushed onto \p Ranges. \p loadedFrom selects the
/// "loaded from" wording over "from"/"via". Any other expression kind leaves
/// both \p os and \p Ranges untouched. \p state and \p LCtx are accepted for
/// interface compatibility and are not used here.
void
DereferenceChecker::AddDerefSource(raw_ostream &os,
                                   SmallVectorImpl<SourceRange> &Ranges,
                                   const Expr *Ex,
                                   const ProgramState *state,
                                   const LocationContext *LCtx,
                                   bool loadedFrom) {
  // Look through parentheses and lvalue casts so the thing named in the
  // message is the variable/field/ivar the user wrote.
  const Expr *Src = Ex->IgnoreParenLValueCasts();

  if (const auto *DR = dyn_cast<DeclRefExpr>(Src)) {
    // Only references to variables are described; other declarations are
    // skipped silently.
    const auto *VD = dyn_cast<VarDecl>(DR->getDecl());
    if (!VD)
      return;
    os << " (" << (loadedFrom ? "loaded from" : "from")
       << " variable '" << VD->getName() << "')";
    Ranges.push_back(DR->getSourceRange());
    return;
  }

  if (const auto *ME = dyn_cast<MemberExpr>(Src)) {
    os << " (" << (loadedFrom ? "loaded from" : "via")
       << " field '" << ME->getMemberNameInfo() << "')";
    // Highlight just the member name, not the whole access expression.
    const SourceLocation MemberLoc = ME->getMemberLoc();
    Ranges.push_back(SourceRange(MemberLoc, MemberLoc));
    return;
  }

  if (const auto *IV = dyn_cast<ObjCIvarRefExpr>(Src)) {
    os << " (" << (loadedFrom ? "loaded from" : "via")
       << " ivar '" << IV->getDecl()->getName() << "')";
    const SourceLocation IvarLoc = IV->getLocation();
    Ranges.push_back(SourceRange(IvarLoc, IvarLoc));
  }
  // Anything else contributes nothing to the message.
}
890b57cec5SDimitry Andric 
/// Find the expression that syntactically performed the dereference for \p S.
///
/// Parentheses and lvalue casts are stripped from \p S when it is an
/// expression. When \p IsBind is set, the value side of an assignment or
/// initialisation recognised by parseAssignment (see CheckerHelpers) is
/// preferred over the statement itself. Returns nullptr when \p S is not an
/// expression and no assigned value could be extracted.
static const Expr *getDereferenceExpr(const Stmt *S, bool IsBind=false){
  const Expr *Result = nullptr;
  if (const auto *AsExpr = dyn_cast<Expr>(S))
    Result = AsExpr->IgnoreParenLValueCasts();

  if (!IsBind)
    return Result;

  // For a bind, the interesting expression is what is being stored, not the
  // statement doing the store.
  const VarDecl *AssignedVar = nullptr;
  const Expr *AssignedValue = nullptr;
  std::tie(AssignedVar, AssignedValue) = parseAssignment(S);
  if (AssignedVar && AssignedValue)
    Result = AssignedValue;
  return Result;
}
1070b57cec5SDimitry Andric 
/// Whether a null dereference through \p E should go unreported.
///
/// Accesses to memory in a non-default address space are deliberately not
/// flagged. \p E must be non-null; callers obtain it from getDereferenceExpr.
static bool suppressReport(const Expr *E) {
  const QualType AccessedTy = E->getType();
  return AccessedTy.hasAddressSpace();
}
1120b57cec5SDimitry Andric 
/// True when \p E names a declaration whose type is a reference (so reading
/// through it is a dereference even without '->').
static bool isDeclRefExprToReference(const Expr *E) {
  const auto *Ref = dyn_cast<DeclRefExpr>(E);
  if (!Ref)
    return false;
  return Ref->getDecl()->getType()->isReferenceType();
}
1180b57cec5SDimitry Andric 
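/// Emit an "explicit" null-dereference report for statement \p S.
///
/// \p State is the state in which the dereferenced location is known to be
/// null; an error node is generated from it. The message is tailored to the
/// shape of \p S (array access, unary '*', field or ivar access); for other
/// statement kinds the bug type's generic description is used. Source
/// ranges collected by AddDerefSource are attached to the report.
void DereferenceChecker::reportBug(ProgramStateRef State, const Stmt *S,
                                   CheckerContext &C) const {
  // Generate an error node; nothing to report if the engine yields none.
  ExplodedNode *N = C.generateErrorNode(State);
  if (!N)
    return;

  // We know that 'location' cannot be non-null.  This is what
  // we call an "explicit" null dereference.
  if (!BT_null)
    BT_null = std::make_unique<BuiltinBug>(this, "Dereference of null pointer");

  SmallString<100> buf;
  llvm::raw_svector_ostream os(buf);
  SmallVector<SourceRange, 2> Ranges;
  const LocationContext *LCtx = N->getLocationContext();

  // Array subscripts and OpenMP array sections are described identically:
  // the base expression is what was dereferenced.
  auto describeArrayAccess = [&](const Expr *Base) {
    os << "Array access";
    AddDerefSource(os, Ranges, Base->IgnoreParenCasts(), State.get(), LCtx);
    os << " results in a null pointer dereference";
  };

  switch (S->getStmtClass()) {
  case Stmt::ArraySubscriptExprClass:
    describeArrayAccess(cast<ArraySubscriptExpr>(S)->getBase());
    break;
  case Stmt::OMPArraySectionExprClass:
    describeArrayAccess(cast<OMPArraySectionExpr>(S)->getBase());
    break;
  case Stmt::UnaryOperatorClass: {
    os << "Dereference of null pointer";
    const auto *U = cast<UnaryOperator>(S);
    AddDerefSource(os, Ranges, U->getSubExpr()->IgnoreParens(), State.get(),
                   LCtx, /*loadedFrom=*/true);
    break;
  }
  case Stmt::MemberExprClass: {
    const auto *M = cast<MemberExpr>(S);
    // A '.' access is only a pointer dereference when its base is a
    // reference variable; otherwise leave 'buf' empty so the generic
    // description is used below.
    if (M->isArrow() || isDeclRefExprToReference(M->getBase())) {
      os << "Access to field '" << M->getMemberNameInfo()
         << "' results in a dereference of a null pointer";
      AddDerefSource(os, Ranges, M->getBase()->IgnoreParenCasts(), State.get(),
                     LCtx, /*loadedFrom=*/true);
    }
    break;
  }
  case Stmt::ObjCIvarRefExprClass: {
    const auto *IV = cast<ObjCIvarRefExpr>(S);
    os << "Access to instance variable '" << *IV->getDecl()
       << "' results in a dereference of a null pointer";
    AddDerefSource(os, Ranges, IV->getBase()->IgnoreParenCasts(), State.get(),
                   LCtx, /*loadedFrom=*/true);
    break;
  }
  default:
    break;
  }

  // An empty buffer means no tailored message applied; fall back to the bug
  // type's own description.
  auto report = std::make_unique<PathSensitiveBugReport>(
      *BT_null, buf.empty() ? BT_null->getDescription() : StringRef(buf), N);

  bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);

  for (const SourceRange &R : Ranges)
    report->addRange(R);

  C.emitReport(std::move(report));
}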
1930b57cec5SDimitry Andric 
/// Check a load or store through address \p l, performed by statement \p S.
///
/// An undefined address is reported immediately. A defined address is
/// split into null/not-null states: if it is definitely null, an "explicit"
/// null dereference is reported (unless suppressed by address space); if it
/// is only possibly null, the null branch is sunk and an
/// ImplicitNullDerefEvent is dispatched. Execution continues on the
/// not-null state.
void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
                                       CheckerContext &C) const {
  // An undefined pointer value gets its own report and ends this path.
  if (l.isUndef()) {
    ExplodedNode *ErrNode = C.generateErrorNode();
    if (!ErrNode)
      return;
    if (!BT_undef)
      BT_undef = std::make_unique<BuiltinBug>(
          this, "Dereference of undefined pointer value");

    auto Report = std::make_unique<PathSensitiveBugReport>(
        *BT_undef, BT_undef->getDescription(), ErrNode);
    bugreporter::trackExpressionValue(ErrNode, bugreporter::getDerefExpr(S),
                                      *Report);
    C.emitReport(std::move(Report));
    return;
  }

  // Only genuine locations can be tested for null.
  const DefinedOrUnknownSVal Location = l.castAs<DefinedOrUnknownSVal>();
  if (!Location.getAs<Loc>())
    return;

  ProgramStateRef CurState = C.getState();
  ProgramStateRef StNotNull;
  ProgramStateRef StNull;
  std::tie(StNotNull, StNull) = CurState->assume(Location);

  if (StNull) {
    // Definitely null: an "explicit" null dereference.
    if (!StNotNull) {
      const Expr *DerefExpr = getDereferenceExpr(S);
      if (!suppressReport(DerefExpr)) {
        reportBug(StNull, DerefExpr, C);
        return;
      }
    }

    // Possibly null: sink the null branch and let subscribed checkers know
    // about the "implicit" null dereference.
    if (ExplodedNode *SinkNode = C.generateSink(StNull, C.getPredecessor())) {
      ImplicitNullDerefEvent Event = {l, isLoad, SinkNode, &C.getBugReporter(),
                                      /*IsDirectDereference=*/true};
      dispatchEvent(Event);
    }
  }

  // From this point forward, we know that the location is not null.
  C.addTransition(StNotNull);
}
2450b57cec5SDimitry Andric 
/// Check a binding of value \p V to location \p L made by statement \p S.
///
/// Only bindings to a reference-typed region are examined: a known-null \p V
/// is reported as a null dereference (unless suppressed by address space),
/// a possibly-null \p V sinks the null branch and dispatches an
/// ImplicitNullDerefEvent. No not-null assumption is recorded afterwards;
/// see the comment at the end for why.
void DereferenceChecker::checkBind(SVal L, SVal V, const Stmt *S,
                                   CheckerContext &C) const {
  // Nothing to say about an undefined value being bound.
  if (V.isUndef())
    return;

  // Only binds into a reference-typed region turn a null pointer into a
  // "null reference".
  const auto *TargetRegion =
      dyn_cast_or_null<TypedValueRegion>(L.getAsRegion());
  if (!TargetRegion || !TargetRegion->getValueType()->isReferenceType())
    return;

  ProgramStateRef CurState = C.getState();
  ProgramStateRef StNonNull;
  ProgramStateRef StNull;
  std::tie(StNonNull, StNull) =
      CurState->assume(V.castAs<DefinedOrUnknownSVal>());

  if (StNull) {
    // Definitely null: report (subject to address-space suppression).
    if (!StNonNull) {
      const Expr *BoundExpr = getDereferenceExpr(S, /*IsBind=*/true);
      if (!suppressReport(BoundExpr)) {
        reportBug(StNull, BoundExpr, C);
        return;
      }
    }

    // Possibly null: sink the null branch and announce the "implicit" null
    // dereference to listeners.
    if (ExplodedNode *SinkNode = C.generateSink(StNull, C.getPredecessor())) {
      ImplicitNullDerefEvent Event = {V, /*isLoad=*/true, SinkNode,
                                      &C.getBugReporter(),
                                      /*IsDirectDereference=*/true};
      dispatchEvent(Event);
    }
  }

  // Unlike a regular null dereference, initializing a reference with a
  // dereferenced null pointer does not actually trap at runtime in Clang's
  // implementation of references:
  //
  //   int &r = *p; // safe??
  //   if (p != NULL) return; // uh-oh
  //   r = 5; // trap here
  //
  // The standard makes this invalid as soon as the "null reference" is
  // formed, but assuming 'p' is non-null from here on would not match the
  // actual runtime behaviour. The assumption is therefore not recorded, so
  // the last line of the example can still be diagnosed.
  //
  // A transition is still needed because a sink may have been generated
  // above for the "implicit" null dereference.
  C.addTransition(CurState, this);
}
3020b57cec5SDimitry Andric 
/// Registry hook: instantiate the checker with \p mgr. No options are read
/// here; the checker carries no configuration.
void ento::registerDereferenceChecker(CheckerManager &mgr) {
  mgr.registerChecker<DereferenceChecker>();
}
3060b57cec5SDimitry Andric 
/// Registry hook: the checker is applicable to every language mode, so
/// \p LO is not consulted.
bool ento::shouldRegisterDereferenceChecker(const LangOptions &LO) {
  return true;
}