#include "clang/StaticAnalyzer/Checkers/BuiltinCheckerRegistration.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/BugReporter/CommonBugCategories.h"
#include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/DynamicType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
using namespace clang;
using namespace ento;
namespace {
class CXXDeleteChecker : public Checker<check::PreStmt<CXXDeleteExpr>> {
protected:
class PtrCastVisitor : public BugReporterVisitor {
public:
void Profile(llvm::FoldingSetNodeID &ID) const override {
static int X = 0;
ID.AddPointer(&X);
}
PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
BugReporterContext &BRC,
PathSensitiveBugReport &BR) override;
};
virtual void
checkTypedDeleteExpr(const CXXDeleteExpr *DE, CheckerContext &C,
const TypedValueRegion *BaseClassRegion,
const SymbolicRegion *DerivedClassRegion) const = 0;
public:
void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
};
class DeleteWithNonVirtualDtorChecker : public CXXDeleteChecker {
const BugType BT{
this, "Destruction of a polymorphic object with no virtual destructor"};
void
checkTypedDeleteExpr(const CXXDeleteExpr *DE, CheckerContext &C,
const TypedValueRegion *BaseClassRegion,
const SymbolicRegion *DerivedClassRegion) const override;
};
class CXXArrayDeleteChecker : public CXXDeleteChecker {
const BugType BT{this,
"Deleting an array of polymorphic objects is undefined"};
void
checkTypedDeleteExpr(const CXXDeleteExpr *DE, CheckerContext &C,
const TypedValueRegion *BaseClassRegion,
const SymbolicRegion *DerivedClassRegion) const override;
};
}
void CXXDeleteChecker::checkPreStmt(const CXXDeleteExpr *DE,
CheckerContext &C) const {
const Expr *DeletedObj = DE->getArgument();
const MemRegion *MR = C.getSVal(DeletedObj).getAsRegion();
if (!MR)
return;
OverloadedOperatorKind DeleteKind =
DE->getOperatorDelete()->getOverloadedOperator();
if (DeleteKind != OO_Delete && DeleteKind != OO_Array_Delete)
return;
const auto *BaseClassRegion = MR->getAs<TypedValueRegion>();
const auto *DerivedClassRegion = MR->getBaseRegion()->getAs<SymbolicRegion>();
if (!BaseClassRegion || !DerivedClassRegion)
return;
checkTypedDeleteExpr(DE, C, BaseClassRegion, DerivedClassRegion);
}
void DeleteWithNonVirtualDtorChecker::checkTypedDeleteExpr(
const CXXDeleteExpr *DE, CheckerContext &C,
const TypedValueRegion *BaseClassRegion,
const SymbolicRegion *DerivedClassRegion) const {
const auto *BaseClass = BaseClassRegion->getValueType()->getAsCXXRecordDecl();
const auto *DerivedClass =
DerivedClassRegion->getSymbol()->getType()->getPointeeCXXRecordDecl();
if (!BaseClass || !DerivedClass)
return;
if (!BaseClass->hasDefinition() || !DerivedClass->hasDefinition())
return;
if (BaseClass->getDestructor()->isVirtual())
return;
if (!DerivedClass->isDerivedFrom(BaseClass))
return;
ExplodedNode *N = C.generateNonFatalErrorNode();
if (!N)
return;
auto R = std::make_unique<PathSensitiveBugReport>(BT, BT.getDescription(), N);
R->markInteresting(BaseClassRegion);
R->addVisitor<PtrCastVisitor>();
C.emitReport(std::move(R));
}
void CXXArrayDeleteChecker::checkTypedDeleteExpr(
const CXXDeleteExpr *DE, CheckerContext &C,
const TypedValueRegion *BaseClassRegion,
const SymbolicRegion *DerivedClassRegion) const {
const auto *BaseClass = BaseClassRegion->getValueType()->getAsCXXRecordDecl();
const auto *DerivedClass =
DerivedClassRegion->getSymbol()->getType()->getPointeeCXXRecordDecl();
if (!BaseClass || !DerivedClass)
return;
if (!BaseClass->hasDefinition() || !DerivedClass->hasDefinition())
return;
if (DE->getOperatorDelete()->getOverloadedOperator() != OO_Array_Delete)
return;
if (!DerivedClass->isDerivedFrom(BaseClass))
return;
ExplodedNode *N = C.generateNonFatalErrorNode();
if (!N)
return;
SmallString<256> Buf;
llvm::raw_svector_ostream OS(Buf);
QualType SourceType = BaseClassRegion->getValueType();
QualType TargetType =
DerivedClassRegion->getSymbol()->getType()->getPointeeType();
OS << "Deleting an array of '" << TargetType.getAsString()
<< "' objects as their base class '"
<< SourceType.getAsString(C.getASTContext().getPrintingPolicy())
<< "' is undefined";
auto R = std::make_unique<PathSensitiveBugReport>(BT, OS.str(), N);
R->markInteresting(BaseClassRegion);
R->addVisitor<PtrCastVisitor>();
C.emitReport(std::move(R));
}
PathDiagnosticPieceRef
CXXDeleteChecker::PtrCastVisitor::VisitNode(const ExplodedNode *N,
BugReporterContext &BRC,
PathSensitiveBugReport &BR) {
const Stmt *S = N->getStmtForDiagnostics();
if (!S)
return nullptr;
const auto *CastE = dyn_cast<CastExpr>(S);
if (!CastE)
return nullptr;
QualType SourceType = CastE->getSubExpr()->getType()->getPointeeType();
QualType TargetType = CastE->getType()->getPointeeType();
if (SourceType.isNull() || TargetType.isNull() || SourceType == TargetType)
return nullptr;
const MemRegion *M = N->getSVal(CastE).getAsRegion();
if (!M)
return nullptr;
if (!BR.isInteresting(M))
return nullptr;
SmallString<256> Buf;
llvm::raw_svector_ostream OS(Buf);
OS << "Casting from '" << SourceType.getAsString() << "' to '"
<< TargetType.getAsString() << "' here";
PathDiagnosticLocation Pos(S, BRC.getSourceManager(),
N->getLocationContext());
return std::make_shared<PathDiagnosticEventPiece>(Pos, OS.str(),
true);
}
void ento::registerArrayDeleteChecker(CheckerManager &mgr) {
mgr.registerChecker<CXXArrayDeleteChecker>();
}
bool ento::shouldRegisterArrayDeleteChecker(const CheckerManager &mgr) {
return true;
}
void ento::registerDeleteWithNonVirtualDtorChecker(CheckerManager &mgr) {
mgr.registerChecker<DeleteWithNonVirtualDtorChecker>();
}
bool ento::shouldRegisterDeleteWithNonVirtualDtorChecker(
const CheckerManager &mgr) {
return true;
}