blob: 914b1e4fbbb4f12dd577a2b95f1e90c0b122761d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
//== AdjustedReturnValueChecker.cpp -----------------------------*- C++ -*--==//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file defines AdjustedReturnValueChecker, a simple check to see if the
// return value of a function call is different than the one the caller thinks
// it is.
//
//===----------------------------------------------------------------------===//
#include "ExprEngineInternalChecks.h"
#include "clang/EntoSA/BugReporter/BugReporter.h"
#include "clang/EntoSA/PathSensitive/ExprEngine.h"
#include "clang/EntoSA/PathSensitive/CheckerVisitor.h"
using namespace clang;
using namespace ento;
namespace {
class AdjustedReturnValueChecker :
public CheckerVisitor<AdjustedReturnValueChecker> {
public:
AdjustedReturnValueChecker() {}
void PostVisitCallExpr(CheckerContext &C, const CallExpr *CE);
static void *getTag() {
static int x = 0; return &x;
}
};
}
void ento::RegisterAdjustedReturnValueChecker(ExprEngine &Eng) {
Eng.registerCheck(new AdjustedReturnValueChecker());
}
void AdjustedReturnValueChecker::PostVisitCallExpr(CheckerContext &C,
const CallExpr *CE) {
// Get the result type of the call.
QualType expectedResultTy = CE->getType();
// Fetch the signature of the called function.
const GRState *state = C.getState();
SVal V = state->getSVal(CE);
if (V.isUnknown())
return;
// Casting to void? Discard the value.
if (expectedResultTy->isVoidType()) {
C.generateNode(state->BindExpr(CE, UnknownVal()));
return;
}
const MemRegion *callee = state->getSVal(CE->getCallee()).getAsRegion();
if (!callee)
return;
QualType actualResultTy;
if (const FunctionTextRegion *FT = dyn_cast<FunctionTextRegion>(callee)) {
const FunctionDecl *FD = FT->getDecl();
actualResultTy = FD->getResultType();
}
else if (const BlockDataRegion *BD = dyn_cast<BlockDataRegion>(callee)) {
const BlockTextRegion *BR = BD->getCodeRegion();
const BlockPointerType *BT=BR->getLocationType()->getAs<BlockPointerType>();
const FunctionType *FT = BT->getPointeeType()->getAs<FunctionType>();
actualResultTy = FT->getResultType();
}
// Can this happen?
if (actualResultTy.isNull())
return;
// For now, ignore references.
if (actualResultTy->getAs<ReferenceType>())
return;
// Are they the same?
if (expectedResultTy != actualResultTy) {
// FIXME: Do more checking and actual emit an error. At least performing
// the cast avoids some assertion failures elsewhere.
SValBuilder &svalBuilder = C.getSValBuilder();
V = svalBuilder.evalCast(V, expectedResultTy, actualResultTy);
C.generateNode(state->BindExpr(CE, V));
}
}
|