首页 发现 帮助
注册 登录
FangSoftSoft
/
clang
2
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

[analyzer] Don't assume values bound to references are automatically non-null.

While there is no such thing as a "null reference" in the C++ standard,
many implementations of references (including Clang's) do not actually
check that the location bound to them is non-null. Thus unlike a regular
null dereference, this will not cause a problem at runtime until the
reference is actually used. In order to catch these cases, we need to not
prune out paths on which the input pointer is null.

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@161288 91177308-0d34-0410-b5e6-96231b3b80d8
Jordan Rose 13 年之前
父节点
aa6eccce0c
当前提交
522f46f497
共有 2 个文件被更改,包括 32 次插入4 次删除
分列视图 显示文件统计
  1. 18 3
      lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp
  2. 14 1
      test/Analysis/reference.cpp

+ 18 - 3
lib/StaticAnalyzer/Checkers/DereferenceChecker.cpp
查看文件 

@@ -233,7 +233,7 @@ void DereferenceChecker::checkLocation(SVal l, bool isLoad, const Stmt* S,
 
 
 void DereferenceChecker::checkBind(SVal L, SVal V, const Stmt *S,
 
                                    CheckerContext &C) const {
 
-  // If we're binding to a reference, check if the value is potentially null.
 
+  // If we're binding to a reference, check if the value is known to be null.
 
   if (V.isUndef())
 
     return;
 
 
@@ -265,8 +265,23 @@ void DereferenceChecker::checkBind(SVal L, SVal V, const Stmt *S,
 
     }
 
   }
 
 
-  // From here on out, assume the value is non-null.
 
-  C.addTransition(StNonNull);
 
+  // Unlike a regular null dereference, initializing a reference with a
 
+  // dereferenced null pointer does not actually cause a runtime exception in
 
+  // Clang's implementation of references.
 
+  //
 
+  //   int &r = *p; // safe??
 
+  //   if (p != NULL) return; // uh-oh
 
+  //   r = 5; // trap here
 
+  //
 
+  // The standard says this is invalid as soon as we try to create a "null
 
+  // reference" (there is no such thing), but turning this into an assumption
 
+  // that 'p' is never null will not match our actual runtime behavior.
 
+  // So we do not record this assumption, allowing us to warn on the last line
 
+  // of this example.
 
+  //
 
+  // We do need to add a transition because we may have generated a sink for
 
+  // the "implicit" null dereference.
 
+  C.addTransition(State, this);
 
 }
 
 
 void ento::registerDereferenceChecker(CheckerManager &mgr) {

+ 14 - 1
test/Analysis/reference.cpp
查看文件 

@@ -91,12 +91,25 @@ namespace PR13440 {
 
   }
 
 }
 
 
-void testRef() {
 
+void testNullReference() {
 
   int *x = 0;
 
   int &y = *x; // expected-warning{{Dereference of null pointer}}
 
   y = 5;
 
 }
 
 
+void testRetroactiveNullReference(int *x) {
 
+  // According to the C++ standard, there is no such thing as a
 
+  // "null reference". So the 'if' statement ought to be dead code.
 
+  // However, Clang (and other compilers) don't actually check that a pointer
 
+  // value is non-null in the implementation of references, so it is possible
 
+  // to produce a supposed "null reference" at runtime. The analyzer shoeuld
 
+  // still warn when it can prove such errors.
 
+  int &y = *x;
 
+  if (x != 0)
 
+    return;
 
+  y = 5; // expected-warning{{Dereference of null pointer}}
 
+}
 
+
 
 
 // ------------------------------------
 
 // False negatives