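//===-- DereferenceChecker.cpp - Null dereference checker -----------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This defines NullDerefChecker, a builtin check in ExprEngine that performs
// checks for null pointers at loads and stores.
//
// Two flavours of finding exist:
//  * "explicit" null dereference: the dereferenced location is known to be
//    null on the current path. A bug report is emitted by this checker.
//  * "implicit" null dereference: the location may or may not be null. No
//    report is emitted here; a sink is generated for the null path, an
//    ImplicitNullDerefEvent is dispatched to listeners, and analysis proceeds
//    on the non-null path only (i.e. the pointer is assumed non-null from then
//    on).
//
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/AST/ExprObjC.h"
#include "clang/AST/ExprOpenMP.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerHelpers.h"
#include "llvm/ADT/SmallString.h"
#include "llvm/Support/raw_ostream.h"
#include <cassert>

using namespace clang;
using namespace ento;

namespace {
/// Checks loads and stores (check::Location) for null/undefined pointers and
/// checks bindings (check::Bind) for null values bound to C++ references.
/// Dispatches ImplicitNullDerefEvent for may-be-null dereferences.
class DereferenceChecker
    : public Checker< check::Location,
                      check::Bind,
                      EventDispatcher<ImplicitNullDerefEvent> > {
  /// Which of the two bug types a report is about.
  enum DerefKind { NullPointer, UndefinedPointerValue };

  BugType BT_Null{this, "Dereference of null pointer", categories::LogicError};
  BugType BT_Undef{this, "Dereference of undefined pointer value",
                   categories::LogicError};

  /// Generate an error node (a sink) on \p State and emit a report of kind
  /// \p K describing the dereference performed by \p S.
  void reportBug(DerefKind K, ProgramStateRef State, const Stmt *S,
                 CheckerContext &C) const;

public:
  /// Invoked for every load/store of \p location performed by \p S.
  void checkLocation(SVal location, bool isLoad, const Stmt* S,
                     CheckerContext &C) const;
  /// Invoked for every binding of value \p V to location \p L by \p S.
  void checkBind(SVal L, SVal V, const Stmt *S, CheckerContext &C) const;

  /// Append a parenthesised "(from variable 'x')"-style hint naming where the
  /// dereferenced pointer came from, and push a source range to highlight.
  /// Only DeclRefExpr, MemberExpr and ObjCIvarRefExpr produce a hint; any
  /// other expression kind leaves \p os and \p Ranges untouched.
  static void AddDerefSource(raw_ostream &os,
                             SmallVectorImpl<SourceRange> &Ranges,
                             const Expr *Ex, const ProgramState *state,
                             const LocationContext *LCtx,
                             bool loadedFrom = false);
};
} // end anonymous namespace

void
DereferenceChecker::AddDerefSource(raw_ostream &os,
                                   SmallVectorImpl<SourceRange> &Ranges,
                                   const Expr *Ex,
                                   const ProgramState *state,
                                   const LocationContext *LCtx,
                                   bool loadedFrom) {
  // 'state' and 'LCtx' are not consulted by any of the cases below; they are
  // kept in the signature for callers that already pass them.
  Ex = Ex->IgnoreParenLValueCasts();
  switch (Ex->getStmtClass()) {
  default:
    // Calls, literals, arithmetic, ...: no source hint available.
    break;
  case Stmt::DeclRefExprClass: {
    const DeclRefExpr *DR = cast<DeclRefExpr>(Ex);
    // Only variables get a hint; references to functions/enumerators do not.
    if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
      os << " (" << (loadedFrom ? "loaded from" : "from")
         << " variable '" << VD->getName() << "')";
      Ranges.push_back(DR->getSourceRange());
    }
    break;
  }
  case Stmt::MemberExprClass: {
    const MemberExpr *ME = cast<MemberExpr>(Ex);
    os << " (" << (loadedFrom ? "loaded from" : "via")
       << " field '" << ME->getMemberNameInfo() << "')";
    // Highlight just the member name, not the whole base expression.
    SourceLocation L = ME->getMemberLoc();
    Ranges.push_back(SourceRange(L, L));
    break;
  }
  case Stmt::ObjCIvarRefExprClass: {
    const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(Ex);
    os << " (" << (loadedFrom ? "loaded from" : "via")
       << " ivar '" << IV->getDecl()->getName() << "')";
    SourceLocation L = IV->getLocation();
    Ranges.push_back(SourceRange(L, L));
    break;
  }
  }
}

/// Return the expression that syntactically performs the dereference for
/// statement \p S, or nullptr if \p S is not an expression.
///
/// For a bind (\p IsBind), the right-hand side of the assignment or the
/// initializer of the declaration is returned instead, when
/// parseAssignment() can recover both the variable and its initializer.
static const Expr *getDereferenceExpr(const Stmt *S, bool IsBind=false){
  const Expr *E = nullptr;

  // Walk through lvalue casts to get the original expression
  // that syntactically caused the load.
  if (const Expr *expr = dyn_cast<Expr>(S))
    E = expr->IgnoreParenLValueCasts();

  if (IsBind) {
    const VarDecl *VD;
    const Expr *Init;
    std::tie(VD, Init) = parseAssignment(S);
    if (VD && Init)
      E = Init;
  }
  // NOTE: may still be nullptr (e.g. a non-Expr statement that
  // parseAssignment() does not recognise); callers dereference the result
  // without checking, so they rely on ExprEngine never handing them such a
  // statement -- confirm against the callers if that assumption changes.
  return E;
}

/// Return true if a dereference through \p E must not be reported.
///
/// Every pointer whose type carries an explicit (non-default) address space is
/// suppressed. This is deliberately coarse: it presumably exists for targets
/// where small offsets from address zero in a special address space are
/// legitimate (segment-relative accesses), but it equally silences a genuine
/// null dereference through any other address_space-qualified pointer.
/// TODO(review): confirm the blanket suppression is intended.
static bool suppressReport(const Expr *E) {
  // Do not report dereferences on memory in non-default address spaces.
  return E->getType().hasAddressSpace();
}

/// True if \p E names a declaration of reference type (so that "a.b" on it is
/// really a dereference of the pointer the reference was bound to).
static bool isDeclRefExprToReference(const Expr *E) {
  if (const auto *DRE = dyn_cast<DeclRefExpr>(E))
    return DRE->getDecl()->getType()->isReferenceType();
  return false;
}

void DereferenceChecker::reportBug(DerefKind K, ProgramStateRef State,
                                   const Stmt *S, CheckerContext &C) const {
  // Pick the bug type and the two message tails used by the cases below:
  // DerefStr1 follows "Array access ...", DerefStr2 follows "Access to ...".
  const BugType *BT = nullptr;
  llvm::StringRef DerefStr1;
  llvm::StringRef DerefStr2;
  switch (K) {
  case DerefKind::NullPointer:
    BT = &BT_Null;
    DerefStr1 = " results in a null pointer dereference";
    DerefStr2 = " results in a dereference of a null pointer";
    break;
  case DerefKind::UndefinedPointerValue:
    BT = &BT_Undef;
    DerefStr1 = " results in an undefined pointer dereference";
    DerefStr2 = " results in a dereference of an undefined pointer value";
    break;
  }
  // Guard against a DerefKind being added without a case above; BT is
  // dereferenced unconditionally below.
  assert(BT && "unhandled DerefKind in reportBug");

  // Generate an error node. The path ends here; nothing is emitted if the
  // node was already generated (e.g. cached out).
  ExplodedNode *N = C.generateErrorNode(State);
  if (!N)
    return;

  SmallString<100> buf;
  llvm::raw_svector_ostream os(buf);

  SmallVector<SourceRange, 2> Ranges;

  // Build a statement-specific message; unhandled statement kinds leave 'buf'
  // empty and fall back to the bug type's description when the report is
  // created.
  switch (S->getStmtClass()) {
  case Stmt::ArraySubscriptExprClass: {
    os << "Array access";
    const ArraySubscriptExpr *AE = cast<ArraySubscriptExpr>(S);
    AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
                   State.get(), N->getLocationContext());
    os << DerefStr1;
    break;
  }
  case Stmt::OMPArraySectionExprClass: {
    os << "Array access";
    const OMPArraySectionExpr *AE = cast<OMPArraySectionExpr>(S);
    AddDerefSource(os, Ranges, AE->getBase()->IgnoreParenCasts(),
                   State.get(), N->getLocationContext());
    os << DerefStr1;
    break;
  }
  case Stmt::UnaryOperatorClass: {
    // Unary '*': message is the bug description plus the source hint.
    os << BT->getDescription();
    const UnaryOperator *U = cast<UnaryOperator>(S);
    AddDerefSource(os, Ranges, U->getSubExpr()->IgnoreParens(),
                   State.get(), N->getLocationContext(), true);
    break;
  }
  case Stmt::MemberExprClass: {
    const MemberExpr *M = cast<MemberExpr>(S);
    // "p->field", or "r.field" where 'r' is a reference: both dereference.
    if (M->isArrow() || isDeclRefExprToReference(M->getBase())) {
      os << "Access to field '" << M->getMemberNameInfo() << "'" << DerefStr2;
      AddDerefSource(os, Ranges, M->getBase()->IgnoreParenCasts(),
                     State.get(), N->getLocationContext(), true);
    }
    break;
  }
  case Stmt::ObjCIvarRefExprClass: {
    const ObjCIvarRefExpr *IV = cast<ObjCIvarRefExpr>(S);
    os << "Access to instance variable '" << *IV->getDecl() << "'" << DerefStr2;
    AddDerefSource(os, Ranges, IV->getBase()->IgnoreParenCasts(),
                   State.get(), N->getLocationContext(), true);
    break;
  }
  default:
    break;
  }

  auto report = std::make_unique<PathSensitiveBugReport>(
      *BT, buf.empty() ? BT->getDescription() : buf.str(), N);

  // Attach path notes explaining how the dereferenced value got its value.
  bugreporter::trackExpressionValue(N, bugreporter::getDerefExpr(S), *report);

  for (const SourceRange &R : Ranges)
    report->addRange(R);

  C.emitReport(std::move(report));
}

void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
                                       CheckerContext &C) const {
  // Check for dereference of an undefined value.
  if (l.isUndef()) {
    const Expr *DerefExpr = getDereferenceExpr(S);
    if (!suppressReport(DerefExpr))
      reportBug(DerefKind::UndefinedPointerValue, C.getState(), DerefExpr, C);
    return;
  }

  DefinedOrUnknownSVal location = l.castAs<DefinedOrUnknownSVal>();

  // Check for null dereferences. Non-location values (e.g. UnknownVal) are
  // not ours to judge; leave the state untouched.
  if (!location.getAs<Loc>())
    return;

  ProgramStateRef state = C.getState();

  // Split the state: notNullState is null if the location can only be null,
  // nullState is null if it cannot be null.
  ProgramStateRef notNullState, nullState;
  std::tie(notNullState, nullState) = state->assume(location);

  if (nullState) {
    if (!notNullState) {
      // We know that 'location' can only be null. This is what
      // we call an "explicit" null dereference.
      const Expr *expr = getDereferenceExpr(S);
      if (!suppressReport(expr)) {
        reportBug(DerefKind::NullPointer, nullState, expr, C);
        return;
      }
    }

    // Otherwise, we have the case where the location could either be
    // null or not-null. Record the error node as an "implicit" null
    // dereference.
    if (ExplodedNode *N = C.generateSink(nullState, C.getPredecessor())) {
      ImplicitNullDerefEvent event = {l, isLoad, N, &C.getBugReporter(),
                                      /*IsDirectDereference=*/true};
      dispatchEvent(event);
    }
  }

  // From this point forward, we know that the location is not null.
  // NOTE(review): if the explicit-null report above was suppressed,
  // notNullState is null here and this call relies on addTransition()
  // tolerating a null state -- confirm.
  C.addTransition(notNullState);
}

void DereferenceChecker::checkBind(SVal L, SVal V, const Stmt *S,
                                   CheckerContext &C) const {
  // If we're binding to a reference, check if the value is known to be null.
  // Undefined values are not reported from here.
  if (V.isUndef())
    return;

  // Only bindings into a typed region of reference type are of interest.
  const MemRegion *MR = L.getAsRegion();
  const TypedValueRegion *TVR = dyn_cast_or_null<TypedValueRegion>(MR);
  if (!TVR)
    return;

  if (!TVR->getValueType()->isReferenceType())
    return;

  ProgramStateRef State = C.getState();

  // Safe cast: V was checked for undef above.
  ProgramStateRef StNonNull, StNull;
  std::tie(StNonNull, StNull) = State->assume(V.castAs<DefinedOrUnknownSVal>());

  if (StNull) {
    if (!StNonNull) {
      // The bound value can only be null: explicit null dereference.
      const Expr *expr = getDereferenceExpr(S, /*IsBind=*/true);
      if (!suppressReport(expr)) {
        reportBug(DerefKind::NullPointer, StNull, expr, C);
        return;
      }
    }

    // At this point the value could be either null or non-null.
    // Record this as an "implicit" null dereference.
    if (ExplodedNode *N = C.generateSink(StNull, C.getPredecessor())) {
      ImplicitNullDerefEvent event = {V, /*isLoad=*/true, N,
                                      &C.getBugReporter(),
                                      /*IsDirectDereference=*/true};
      dispatchEvent(event);
    }
  }

  // Unlike a regular null dereference, initializing a reference with a
  // dereferenced null pointer does not actually cause a runtime exception in
  // Clang's implementation of references.
  //
  //   int &r = *p; // safe??
  //   if (p != NULL) return; // uh-oh
  //   r = 5; // trap here
  //
  // The standard says this is invalid as soon as we try to create a "null
  // reference" (there is no such thing), but turning this into an assumption
  // that 'p' is never null will not match our actual runtime behavior.
  // So we do not record this assumption, allowing us to warn on the last line
  // of this example.
  //
  // We do need to add a transition because we may have generated a sink for
  // the "implicit" null dereference.
  C.addTransition(State, this);
}

void ento::registerDereferenceChecker(CheckerManager &mgr) {
  mgr.registerChecker<DereferenceChecker>();
}

/// Always enabled: this checker is a builtin part of ExprEngine's null
/// dereference handling.
bool ento::shouldRegisterDereferenceChecker(const CheckerManager &mgr) {
  return true;
}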