1 //===--- UndefinedAssignmentChecker.h ---------------------------*- C++ -*--==// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This defines UndefinedAssignmentChecker, a builtin check in ExprEngine that 10 // checks for assigning undefined values. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h" 15 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 16 #include "clang/StaticAnalyzer/Core/Checker.h" 17 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 18 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" 19 20 using namespace clang; 21 using namespace ento; 22 23 namespace { 24 class UndefinedAssignmentChecker 25 : public Checker<check::Bind> { 26 const BugType BT{this, "Assigned value is garbage or undefined"}; 27 28 public: 29 void checkBind(SVal location, SVal val, const Stmt *S, 30 CheckerContext &C) const; 31 }; 32 } 33 34 void UndefinedAssignmentChecker::checkBind(SVal location, SVal val, 35 const Stmt *StoreE, 36 CheckerContext &C) const { 37 if (!val.isUndef()) 38 return; 39 40 // Do not report assignments of uninitialized values inside swap functions. 41 // This should allow to swap partially uninitialized structs 42 if (const FunctionDecl *EnclosingFunctionDecl = 43 dyn_cast<FunctionDecl>(C.getStackFrame()->getDecl())) 44 if (C.getCalleeName(EnclosingFunctionDecl) == "swap") 45 return; 46 47 ExplodedNode *N = C.generateErrorNode(); 48 49 if (!N) 50 return; 51 52 // Generate a report for this bug. 53 llvm::SmallString<128> Str; 54 llvm::raw_svector_ostream OS(Str); 55 56 const Expr *ex = nullptr; 57 58 while (StoreE) { 59 if (const UnaryOperator *U = dyn_cast<UnaryOperator>(StoreE)) { 60 OS << "The expression is an uninitialized value. " 61 "The computed value will also be garbage"; 62 63 ex = U->getSubExpr(); 64 break; 65 } 66 67 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(StoreE)) { 68 if (B->isCompoundAssignmentOp()) { 69 if (C.getSVal(B->getLHS()).isUndef()) { 70 OS << "The left expression of the compound assignment is an " 71 "uninitialized value. The computed value will also be garbage"; 72 ex = B->getLHS(); 73 break; 74 } 75 } 76 77 ex = B->getRHS(); 78 break; 79 } 80 81 if (const DeclStmt *DS = dyn_cast<DeclStmt>(StoreE)) { 82 const VarDecl *VD = cast<VarDecl>(DS->getSingleDecl()); 83 ex = VD->getInit(); 84 } 85 86 if (const auto *CD = 87 dyn_cast<CXXConstructorDecl>(C.getStackFrame()->getDecl())) { 88 if (CD->isImplicit()) { 89 for (auto *I : CD->inits()) { 90 if (I->getInit()->IgnoreImpCasts() == StoreE) { 91 OS << "Value assigned to field '" << I->getMember()->getName() 92 << "' in implicit constructor is garbage or undefined"; 93 break; 94 } 95 } 96 } 97 } 98 99 break; 100 } 101 102 if (OS.str().empty()) 103 OS << BT.getDescription(); 104 105 auto R = std::make_unique<PathSensitiveBugReport>(BT, OS.str(), N); 106 if (ex) { 107 R->addRange(ex->getSourceRange()); 108 bugreporter::trackExpressionValue(N, ex, *R); 109 } 110 C.emitReport(std::move(R)); 111 } 112 113 void ento::registerUndefinedAssignmentChecker(CheckerManager &mgr) { 114 mgr.registerChecker<UndefinedAssignmentChecker>(); 115 } 116 117 bool ento::shouldRegisterUndefinedAssignmentChecker(const CheckerManager &mgr) { 118 return true; 119 } 120