| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108 |
- //== BoolAssignmentChecker.cpp - Boolean assignment checker -----*- C++ -*--==//
- //
- // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
- // See https://llvm.org/LICENSE.txt for license information.
- // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
- //
- //===----------------------------------------------------------------------===//
- //
- // This defines BoolAssignmentChecker, a builtin check in ExprEngine that
- // performs checks for assignment of non-Boolean values to Boolean variables.
- //
- //===----------------------------------------------------------------------===//
- #include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
- #include "clang/StaticAnalyzer/Checkers/Taint.h"
- #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
- #include "clang/StaticAnalyzer/Core/Checker.h"
- #include "clang/StaticAnalyzer/Core/CheckerManager.h"
- #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
- #include <optional>
- using namespace clang;
- using namespace ento;
- namespace {
- class BoolAssignmentChecker : public Checker< check::Bind > {
- mutable std::unique_ptr<BuiltinBug> BT;
- void emitReport(ProgramStateRef state, CheckerContext &C,
- bool IsTainted = false) const;
- public:
- void checkBind(SVal loc, SVal val, const Stmt *S, CheckerContext &C) const;
- };
- } // end anonymous namespace
- void BoolAssignmentChecker::emitReport(ProgramStateRef state, CheckerContext &C,
- bool IsTainted) const {
- if (ExplodedNode *N = C.generateNonFatalErrorNode(state)) {
- if (!BT)
- BT.reset(new BuiltinBug(this, "Assignment of a non-Boolean value"));
- StringRef Msg = IsTainted ? "Might assign a tainted non-Boolean value"
- : "Assignment of a non-Boolean value";
- C.emitReport(std::make_unique<PathSensitiveBugReport>(*BT, Msg, N));
- }
- }
- static bool isBooleanType(QualType Ty) {
- if (Ty->isBooleanType()) // C++ or C99
- return true;
- if (const TypedefType *TT = Ty->getAs<TypedefType>())
- return TT->getDecl()->getName() == "BOOL" || // Objective-C
- TT->getDecl()->getName() == "_Bool" || // stdbool.h < C99
- TT->getDecl()->getName() == "Boolean"; // MacTypes.h
- return false;
- }
- void BoolAssignmentChecker::checkBind(SVal loc, SVal val, const Stmt *S,
- CheckerContext &C) const {
- // We are only interested in stores into Booleans.
- const TypedValueRegion *TR =
- dyn_cast_or_null<TypedValueRegion>(loc.getAsRegion());
- if (!TR)
- return;
- QualType valTy = TR->getValueType();
- if (!isBooleanType(valTy))
- return;
- // Get the value of the right-hand side. We only care about values
- // that are defined (UnknownVals and UndefinedVals are handled by other
- // checkers).
- std::optional<NonLoc> NV = val.getAs<NonLoc>();
- if (!NV)
- return;
- // Check if the assigned value meets our criteria for correctness. It must
- // be a value that is either 0 or 1. One way to check this is to see if
- // the value is possibly < 0 (for a negative value) or greater than 1.
- ProgramStateRef state = C.getState();
- SValBuilder &svalBuilder = C.getSValBuilder();
- BasicValueFactory &BVF = svalBuilder.getBasicValueFactory();
- ConstraintManager &CM = C.getConstraintManager();
- llvm::APSInt Zero = BVF.getValue(0, valTy);
- llvm::APSInt One = BVF.getValue(1, valTy);
- ProgramStateRef StIn, StOut;
- std::tie(StIn, StOut) = CM.assumeInclusiveRangeDual(state, *NV, Zero, One);
- if (!StIn)
- emitReport(StOut, C);
- if (StIn && StOut && taint::isTainted(state, *NV))
- emitReport(StOut, C, /*IsTainted=*/true);
- }
- void ento::registerBoolAssignmentChecker(CheckerManager &mgr) {
- mgr.registerChecker<BoolAssignmentChecker>();
- }
- bool ento::shouldRegisterBoolAssignmentChecker(const CheckerManager &mgr) {
- return true;
- }
|
