Add undefined array subscript checker.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86837 91177308-0d34-0410-b5e6-96231b3b80d8

Add undefined array subscript checker.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@86837 91177308-0d34-0410-b5e6-96231b3b80d8
d694485f · Zhongxing Xu · 6cc46edc · d694485f · d694485f · d694485f
Commit d694485f authored 15 years ago by Zhongxing Xu
--- a/include/clang/Analysis/PathSensitive/CheckerVisitor.def
+++ b/include/clang/Analysis/PathSensitive/CheckerVisitor.def
@@ -11,6 +11,7 @@
 //
 //===---------------------------------------------------------------------===//

+PREVISIT(ArraySubscriptExpr)
 PREVISIT(BinaryOperator)
 PREVISIT(CallExpr)
 PREVISIT(CastExpr)

--- a/lib/Analysis/CMakeLists.txt
+++ b/lib/Analysis/CMakeLists.txt
@@ -52,6 +52,7 @@ add_clang_library(clangAnalysis
  Store.cpp
  SymbolManager.cpp
  UndefinedArgChecker.cpp
+  UndefinedArraySubscriptChecker.cpp
  UndefinedAssignmentChecker.cpp
  UninitializedValues.cpp
  VLASizeChecker.cpp

--- a/lib/Analysis/GRExprEngine.cpp
+++ b/lib/Analysis/GRExprEngine.cpp
@@ -1080,7 +1080,10 @@ void GRExprEngine::VisitArraySubscriptExpr(ArraySubscriptExpr* A,
    ExplodedNodeSet Tmp2;
    Visit(Idx, *I1, Tmp2);     // Evaluate the index.

-    for (ExplodedNodeSet::iterator I2=Tmp2.begin(),E2=Tmp2.end();I2!=E2; ++I2) {
+    ExplodedNodeSet Tmp3;
+    CheckerVisit(A, Tmp3, Tmp2, true);
+
+    for (ExplodedNodeSet::iterator I2=Tmp3.begin(),E2=Tmp3.end();I2!=E2; ++I2) {
      const GRState* state = GetState(*I2);
      SVal V = state->getLValue(A->getType(), state->getSVal(Idx),
                                state->getSVal(Base));

--- a/lib/Analysis/GRExprEngineInternalChecks.cpp
+++ b/lib/Analysis/GRExprEngineInternalChecks.cpp
@@ -415,4 +415,5 @@ void GRExprEngine::RegisterInternalChecks() {

  RegisterCastToStructChecker(*this);
  RegisterArrayBoundChecker(*this);
+  RegisterUndefinedArraySubscriptChecker(*this);
 }
--- a/lib/Analysis/GRExprEngineInternalChecks.h
+++ b/lib/Analysis/GRExprEngineInternalChecks.h
@@ -33,6 +33,7 @@ void RegisterFixedAddressChecker(GRExprEngine &Eng);
 void RegisterCastToStructChecker(GRExprEngine &Eng);
 void RegisterUndefinedArgChecker(GRExprEngine &Eng);
 void RegisterArrayBoundChecker(GRExprEngine &Eng);
+void RegisterUndefinedArraySubscriptChecker(GRExprEngine &Eng);

 } // end clang namespace
 #endif
--- a/lib/Analysis/UndefinedArraySubscriptChecker.cpp
+++ b/lib/Analysis/UndefinedArraySubscriptChecker.cpp
+//===--- UndefinedArraySubscriptChecker.h ----------------------*- C++ -*--===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This defines UndefinedArraySubscriptChecker, a builtin check in GRExprEngine
+// that performs checks for undefined array subscripts.
+//
+//===----------------------------------------------------------------------===//
+
+#include "clang/Analysis/PathSensitive/CheckerVisitor.h"
+#include "clang/Analysis/PathSensitive/BugReporter.h"
+#include "GRExprEngineInternalChecks.h"
+
+using namespace clang;
+
+namespace {
+class VISIBILITY_HIDDEN UndefinedArraySubscriptChecker
+  : public CheckerVisitor<UndefinedArraySubscriptChecker> {
+  BugType *BT;
+public:
+  UndefinedArraySubscriptChecker() : BT(0) {}
+  static void *getTag() {
+    static int x = 0;
+    return &x;
+  }
+  void PreVisitArraySubscriptExpr(CheckerContext &C, 
+                                  const ArraySubscriptExpr *A);
+};
+} // end anonymous namespace
+
+void clang::RegisterUndefinedArraySubscriptChecker(GRExprEngine &Eng) {
+  Eng.registerCheck(new UndefinedArraySubscriptChecker());
+}
+
+void 
+UndefinedArraySubscriptChecker::PreVisitArraySubscriptExpr(CheckerContext &C, 
+                                                const ArraySubscriptExpr *A) {
+  if (C.getState()->getSVal(A->getIdx()).isUndef()) {
+    if (ExplodedNode *N = C.GenerateNode(A, true)) {
+      if (!BT)
+        BT = new BuiltinBug("Array subscript is undefined");
+
+      // Generate a report for this bug.
+      EnhancedBugReport *R = new EnhancedBugReport(*BT, BT->getName().c_str(),
+                                                   N);
+      R->addRange(A->getIdx()->getSourceRange());
+      R->addVisitorCreator(bugreporter::registerTrackNullOrUndefValue, 
+                           A->getIdx());
+      C.EmitReport(R);
+    }
+  }
+}
--- a/test/Analysis/misc-ps.m
+++ b/test/Analysis/misc-ps.m
@@ -745,3 +745,7 @@ NSSwappedFloat test_cast_nonstruct_to_union(float x) {
  return ((union bran *)&x)->sf; // no-warning
 }

+void test_undefined_array_subscript() {
+  int i, a[10];
+  int *p = &a[i]; // expected-warning{{Array subscript is undefined}}
+}