//===--- Checkers.td - Static Analyzer Checkers ---------------------------===//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//

include "clang/StaticAnalyzer/Checkers/CheckerBase.td"

//===----------------------------------------------------------------------===//
// Packages.
//===----------------------------------------------------------------------===//

// A Package groups checkers under a name; InPackage<P> nests it under P, and
// the nested names are joined with dots. The closing comments of the `let`
// blocks further down spell some of them out, e.g. "core.builtin" and
// "alpha.security.taint".
//
// NOTE(review): `Hidden` is declared in CheckerBase.td, which is not shown
// here; presumably a hidden package is left out of the default checker
// selection -- confirm there. Every package nested under Alpha carries it,
// and so does the non-alpha CString package.

// Root of the "alpha.*" tree.
def Alpha : Package<"alpha">;

// core.*
def Core              : Package<"core">;
def CoreBuiltin       : Package<"builtin">, InPackage<Core>;
def CoreUninitialized : Package<"uninitialized">, InPackage<Core>;
def CoreAlpha         : Package<"core">, InPackage<Alpha>, Hidden;

// cplusplus.*
def Cplusplus      : Package<"cplusplus">;
def CplusplusAlpha : Package<"cplusplus">, InPackage<Alpha>, Hidden;

// deadcode.*
def DeadCode      : Package<"deadcode">;
def DeadCodeAlpha : Package<"deadcode">, InPackage<Alpha>, Hidden;

// security.*
// Only Security and InsecureAPI are declared without Hidden. The packages
// that later receive the buffer-overflow, malloc-overflow and taint checkers
// (SecurityAlpha, Taint) are Hidden.
def Security      : Package<"security">;
def InsecureAPI   : Package<"insecureAPI">, InPackage<Security>;
def SecurityAlpha : Package<"security">, InPackage<Alpha>, Hidden;
def Taint         : Package<"taint">, InPackage<SecurityAlpha>, Hidden;

// unix.*
def Unix         : Package<"unix">;
def UnixAlpha    : Package<"unix">, InPackage<Alpha>, Hidden;
def CString      : Package<"cstring">, InPackage<Unix>, Hidden;
def CStringAlpha : Package<"cstring">, InPackage<UnixAlpha>, Hidden;

// osx.*
def OSX            : Package<"osx">;
def OSXAlpha       : Package<"osx">, InPackage<Alpha>, Hidden;
def Cocoa          : Package<"cocoa">, InPackage<OSX>;
def CocoaAlpha     : Package<"cocoa">, InPackage<OSXAlpha>, Hidden;
def CoreFoundation : Package<"coreFoundation">, InPackage<OSX>;
def Containers     : Package<"containers">, InPackage<CoreFoundation>;

// Packages for LLVM-specific and analyzer-debugging checkers.
def LLVM  : Package<"llvm">;
def Debug : Package<"debug">;

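//===----------------------------------------------------------------------===//
// Core Checkers.
//===----------------------------------------------------------------------===//

// Each record below registers one checker: Checker<"Name"> is the name within
// the enclosing package, HelpText is the user-facing one-line description, and
// DescFile names a .cpp file (every DescFile value in this file is a .cpp file
// name).

let ParentPackage = Core in {

def DereferenceChecker : Checker<"NullDereference">,
  HelpText<"Check for dereferences of null pointers">,
  DescFile<"DereferenceChecker.cpp">;

def CallAndMessageChecker : Checker<"CallAndMessage">,
  HelpText<"Check for logical errors for function calls and Objective-C message expressions (e.g., uninitialized arguments, null function pointers)">,
  DescFile<"CallAndMessageChecker.cpp">;

def NonNullParamChecker : Checker<"NonNullParamChecker">,
  HelpText<"Check for null pointers passed as arguments to a function whose arguments are references or marked with the 'nonnull' attribute">,
  DescFile<"NonNullParamChecker.cpp">;

def VLASizeChecker : Checker<"VLASize">,
  HelpText<"Check for declarations of VLA of undefined or zero size">,
  DescFile<"VLASizeChecker.cpp">;

def DivZeroChecker : Checker<"DivideZero">,
  HelpText<"Check for division by zero">,
  DescFile<"DivZeroChecker.cpp">;

def UndefResultChecker : Checker<"UndefinedBinaryOperatorResult">,
  HelpText<"Check for undefined results of binary operators">,
  DescFile<"UndefResultChecker.cpp">;

def StackAddrEscapeChecker : Checker<"StackAddressEscape">,
  HelpText<"Check that addresses to stack memory do not escape the function">,
  DescFile<"StackAddrEscapeChecker.cpp">;

// Per its help text this one generates information rather than reporting a
// defect.
def DynamicTypePropagation : Checker<"DynamicTypePropagation">,
  HelpText<"Generate dynamic type information">,
  DescFile<"DynamicTypePropagation.cpp">;

} // end "core"

// CoreAlpha is declared Hidden in the package list at the top of this file.
let ParentPackage = CoreAlpha in {

def BoolAssignmentChecker : Checker<"BoolAssignment">,
  HelpText<"Warn about assigning non-{0,1} values to Boolean variables">,
  DescFile<"BoolAssignmentChecker.cpp">;

def CastSizeChecker : Checker<"CastSize">,
  HelpText<"Check when casting a malloc'ed type T, whether the size is a multiple of the size of T">,
  DescFile<"CastSizeChecker.cpp">;

def CastToStructChecker : Checker<"CastToStruct">,
  HelpText<"Check for cast from non-struct pointer to struct pointer">,
  DescFile<"CastToStructChecker.cpp">;

def FixedAddressChecker : Checker<"FixedAddr">,
  HelpText<"Check for assignment of a fixed address to a pointer">,
  DescFile<"FixedAddressChecker.cpp">;

// The DescFile values of the next two records carry the ".cpp" extension like
// every other record in this file.
def PointerArithChecker : Checker<"PointerArithm">,
  HelpText<"Check for pointer arithmetic on locations other than array elements">,
  DescFile<"PointerArithChecker.cpp">;

def PointerSubChecker : Checker<"PointerSub">,
  HelpText<"Check for pointer subtractions on two pointers pointing to different memory chunks">,
  DescFile<"PointerSubChecker.cpp">;

def SizeofPointerChecker : Checker<"SizeofPtr">,
  HelpText<"Warn about unintended use of sizeof() on pointer expressions">,
  DescFile<"CheckSizeofPointer.cpp">;

} // end "alpha.core"

//===----------------------------------------------------------------------===//
// Evaluate "builtin" functions.
//===----------------------------------------------------------------------===//

// Per their help texts these two evaluate (model) functions instead of warning
// about them.
let ParentPackage = CoreBuiltin in {

def NoReturnFunctionChecker : Checker<"NoReturnFunctions">,
  HelpText<"Evaluate \"panic\" functions that are known to not return to the caller">,
  DescFile<"NoReturnFunctionChecker.cpp">;

def BuiltinFunctionChecker : Checker<"BuiltinFunctions">,
  HelpText<"Evaluate compiler builtin functions (e.g., alloca())">,
  DescFile<"BuiltinFunctionChecker.cpp">;

} // end "core.builtin"

//===----------------------------------------------------------------------===//
// Uninitialized values checkers.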
//===----------------------------------------------------------------------===//

// core.uninitialized: one checker per way an uninitialized value can be used
// (array subscript, assignment, branch condition, block capture, return).
let ParentPackage = CoreUninitialized in {

def UndefinedArraySubscriptChecker : Checker<"ArraySubscript">,
  HelpText<"Check for uninitialized values used as array subscripts">,
  DescFile<"UndefinedArraySubscriptChecker.cpp">;

def UndefinedAssignmentChecker : Checker<"Assign">,
  HelpText<"Check for assigning uninitialized values">,
  DescFile<"UndefinedAssignmentChecker.cpp">;

def UndefBranchChecker : Checker<"Branch">,
  HelpText<"Check for uninitialized values used as branch conditions">,
  DescFile<"UndefBranchChecker.cpp">;

def UndefCapturedBlockVarChecker : Checker<"CapturedBlockVariable">,
  HelpText<"Check for blocks that capture uninitialized values">,
  DescFile<"UndefCapturedBlockVarChecker.cpp">;

def ReturnUndefChecker : Checker<"UndefReturn">,
  HelpText<"Check for uninitialized values being returned to the caller">,
  DescFile<"ReturnUndefChecker.cpp">;

} // end "core.uninitialized"

//===----------------------------------------------------------------------===//
// C++ checkers.
//===----------------------------------------------------------------------===//

// The only C++ checker registered here goes into the Hidden alpha package;
// nothing in this section is added to the plain Cplusplus package.
let ParentPackage = CplusplusAlpha in {

def VirtualCallChecker : Checker<"VirtualCall">,
  HelpText<"Check virtual function calls during construction or destruction">,
  DescFile<"VirtualCallChecker.cpp">;

} // end "alpha.cplusplus"

//===----------------------------------------------------------------------===//
// Deadcode checkers.
//===----------------------------------------------------------------------===//

let ParentPackage = DeadCode in {

def DeadStoresChecker : Checker<"DeadStores">,
  HelpText<"Check for values stored to variables that are never read afterwards">,
  DescFile<"DeadStoresChecker.cpp">;

} // end "deadcode"

let ParentPackage = DeadCodeAlpha in {

def IdempotentOperationChecker : Checker<"IdempotentOperations">,
  HelpText<"Warn about idempotent operations">,
  DescFile<"IdempotentOperationChecker.cpp">;

def UnreachableCodeChecker : Checker<"UnreachableCode">,
  HelpText<"Check unreachable code">,
  DescFile<"UnreachableCodeChecker.cpp">;

} // end "alpha.deadcode"

//===----------------------------------------------------------------------===//
// Security checkers.
//===----------------------------------------------------------------------===//

// security.insecureAPI: warnings on calls to C library functions that are
// hard or impossible to use safely. All of them are described by
// CheckSecuritySyntaxOnly.cpp.
let ParentPackage = InsecureAPI in {

  // gets() gives the caller no way to bound how much is written to the buffer.
  def gets : Checker<"gets">,
    HelpText<"Warn on uses of the 'gets' function">,
    DescFile<"CheckSecuritySyntaxOnly.cpp">;

  // getpw() likewise fills a caller-supplied buffer without taking its size.
  def getpw : Checker<"getpw">,
    HelpText<"Warn on uses of the 'getpw' function">,
    DescFile<"CheckSecuritySyntaxOnly.cpp">;

  // mktemp() only produces a name; the file is created later by the caller,
  // which leaves a window between the two steps.
  def mktemp : Checker<"mktemp">,
    HelpText<"Warn on uses of the 'mktemp' function">,
    DescFile<"CheckSecuritySyntaxOnly.cpp">;

  // mkstemp() itself is not flagged, only a template with too few X's.
  def mkstemp : Checker<"mkstemp">,
    HelpText<"Warn when 'mkstemp' is passed fewer than 6 X's in the format string">,
    DescFile<"CheckSecuritySyntaxOnly.cpp">;

  // The rand() family is predictable and unsuitable for security decisions.
  def rand : Checker<"rand">,
    HelpText<"Warn on uses of the 'rand', 'random', and related functions">,
    DescFile<"CheckSecuritySyntaxOnly.cpp">;

  // strcpy()/strcat() copy without a destination size.
  def strcpy : Checker<"strcpy">,
    HelpText<"Warn on uses of the 'strcpy' and 'strcat' functions">,
    DescFile<"CheckSecuritySyntaxOnly.cpp">;

  def vfork : Checker<"vfork">,
    HelpText<"Warn on uses of the 'vfork' function">,
    DescFile<"CheckSecuritySyntaxOnly.cpp">;

  // NOTE(review): which functions count as "must be always checked" is decided
  // in the .cpp file, not here.
  def UncheckedReturn : Checker<"UncheckedReturn">,
    HelpText<"Warn on uses of functions whose return values must be always checked">,
    DescFile<"CheckSecuritySyntaxOnly.cpp">;

} // end "security.insecureAPI"

let ParentPackage = Security in {

  def FloatLoopCounter : Checker<"FloatLoopCounter">,
    HelpText<"Warn on using a floating point value as a loop counter (CERT: FLP30-C, FLP30-CPP)">,
    DescFile<"CheckSecuritySyntaxOnly.cpp">;

} // end "security"

// alpha.security: the bounds and allocation-size checkers live in a package
// declared Hidden at the top of this file.
// NOTE(review): if Hidden packages are not part of the default selection, a
// default analyzer run gives no coverage from these four -- confirm against
// CheckerBase.td and the driver before relying on them.
let ParentPackage = SecurityAlpha in {

def ArrayBoundChecker : Checker<"ArrayBound">,
  HelpText<"Warn about buffer overflows (older checker)">,
  DescFile<"ArrayBoundChecker.cpp">;

def ArrayBoundCheckerV2 : Checker<"ArrayBoundV2">,
  HelpText<"Warn about buffer overflows (newer checker)">,
  DescFile<"ArrayBoundCheckerV2.cpp">;

def ReturnPointerRangeChecker : Checker<"ReturnPtrRange">,
  HelpText<"Check for an out-of-bound pointer being returned to callers">,
  DescFile<"ReturnPointerRangeChecker.cpp">;

def MallocOverflowSecurityChecker : Checker<"MallocOverflow">,
  HelpText<"Check for overflows in the arguments to malloc()">,
  DescFile<"MallocOverflowSecurityChecker.cpp">;

} // end "alpha.security"

//===----------------------------------------------------------------------===//
// Taint checkers.
//===----------------------------------------------------------------------===//

// Per its help text this checker produces taint information for other checkers
// to consume; it is not described as reporting anything itself.
let ParentPackage = Taint in {

def GenericTaintChecker : Checker<"TaintPropagation">,
  HelpText<"Generate taint information used by other checkers">,
  DescFile<"GenericTaintChecker.cpp">;

} // end "alpha.security.taint"

//===----------------------------------------------------------------------===//
// Unix API checkers.
//===----------------------------------------------------------------------===//

let ParentPackage = Unix in {

def UnixAPIChecker : Checker<"API">,
  HelpText<"Check calls to various UNIX/Posix functions">,
  DescFile<"UnixAPIChecker.cpp">;

// "Malloc" here and "MallocWithAnnotations" in alpha.unix are both described
// by MallocChecker.cpp; the help texts differ only in the annotation
// assumption stated for the latter.
def MallocPessimistic : Checker<"Malloc">,
  HelpText<"Check for memory leaks, double free, and use-after-free problems.">,
  DescFile<"MallocChecker.cpp">;

def MallocSizeofChecker : Checker<"MallocSizeof">,
  HelpText<"Check for dubious malloc arguments involving sizeof">,
  DescFile<"MallocSizeofChecker.cpp">;

} // end "unix"

let ParentPackage = UnixAlpha in {

def ChrootChecker : Checker<"Chroot">,
  HelpText<"Check improper use of chroot">,
  DescFile<"ChrootChecker.cpp">;

def MallocOptimistic : Checker<"MallocWithAnnotations">,
  HelpText<"Check for memory leaks, double free, and use-after-free problems. Assumes that all user-defined functions which might free a pointer are annotated.">,
  DescFile<"MallocChecker.cpp">;

def PthreadLockChecker : Checker<"PthreadLock">,
  HelpText<"Simple lock -> unlock checker">,
  DescFile<"PthreadLockChecker.cpp">;

def StreamChecker : Checker<"Stream">,
  HelpText<"Check stream handling functions">,
  DescFile<"StreamChecker.cpp">;

def SimpleStreamChecker : Checker<"SimpleStream">,
  HelpText<"Check for misuses of stream APIs">,
  DescFile<"SimpleStreamChecker.cpp">;

} // end "alpha.unix"

// CString is nested under Unix but is itself declared Hidden.
let ParentPackage = CString in {

def CStringNullArg : Checker<"NullArg">,
  HelpText<"Check for null pointers being passed as arguments to C string functions">,
  DescFile<"CStringChecker.cpp">;

def CStringSyntaxChecker : Checker<"BadSizeArg">,
  HelpText<"Check the size argument passed into C string functions for common erroneous patterns">,
  DescFile<"CStringSyntaxChecker.cpp">;

} // end "unix.cstring"

// The out-of-bounds, overlap and termination checks for C string functions
// sit in the alpha package.
let ParentPackage = CStringAlpha in {

def CStringOutOfBounds : Checker<"OutOfBounds">,
  HelpText<"Check for out-of-bounds access in string functions">,
  DescFile<"CStringChecker.cpp">;

def CStringBufferOverlap : Checker<"BufferOverlap">,
  HelpText<"Checks for overlap in two buffer arguments">,
  DescFile<"CStringChecker.cpp">;

def CStringNotNullTerm : Checker<"NotNullTerminated">,
  HelpText<"Check for arguments which are not null-terminating strings">,
  DescFile<"CStringChecker.cpp">;

} // end "alpha.unix.cstring"

//===----------------------------------------------------------------------===//
// Mac OS X, Cocoa, and Core Foundation checkers.
//===----------------------------------------------------------------------===//

// NOTE(review): the two records below name InPackage<OSX> explicitly although
// the surrounding `let` already sets ParentPackage to OSX; this looks
// redundant, but InPackage is declared in CheckerBase.td (not shown), so it is
// kept as written.
let ParentPackage = OSX in {

def MacOSXAPIChecker : Checker<"API">,
  InPackage<OSX>,
  HelpText<"Check for proper uses of various Mac OS X APIs">,
  DescFile<"MacOSXAPIChecker.cpp">;

def MacOSKeychainAPIChecker : Checker<"SecKeychainAPI">,
  InPackage<OSX>,
  HelpText<"Check for proper uses of Secure Keychain APIs">,
  DescFile<"MacOSKeychainAPIChecker.cpp">;

} // end "osx"

let ParentPackage = Cocoa in {

def ObjCAtSyncChecker : Checker<"AtSync">,
  HelpText<"Check for nil pointers used as mutexes for @synchronized">,
  DescFile<"ObjCAtSyncChecker.cpp">;

def NilArgChecker : Checker<"NilArg">,
  HelpText<"Check for prohibited nil arguments to ObjC method calls">,
  DescFile<"BasicObjCFoundationChecks.cpp">;

def ClassReleaseChecker : Checker<"ClassRelease">,
  HelpText<"Check for sending 'retain', 'release', or 'autorelease' directly to a Class">,
  DescFile<"BasicObjCFoundationChecks.cpp">;

def VariadicMethodTypeChecker : Checker<"VariadicMethodTypes">,
  HelpText<"Check for passing non-Objective-C types to variadic collection "
           "initialization methods that expect only Objective-C types">,
  DescFile<"BasicObjCFoundationChecks.cpp">;

def NSAutoreleasePoolChecker : Checker<"NSAutoreleasePool">,
  HelpText<"Warn for suboptimal uses of NSAutoreleasePool in Objective-C GC mode">,
  DescFile<"NSAutoreleasePoolChecker.cpp">;

def ObjCMethSigsChecker : Checker<"IncompatibleMethodTypes">,
  HelpText<"Warn about Objective-C method signatures with type incompatibilities">,
  DescFile<"CheckObjCInstMethSignature.cpp">;

def ObjCUnusedIvarsChecker : Checker<"UnusedIvars">,
  HelpText<"Warn about private ivars that are never used">,
  DescFile<"ObjCUnusedIVarsChecker.cpp">;

def ObjCSelfInitChecker : Checker<"SelfInit">,
  HelpText<"Check that 'self' is properly initialized inside an initializer method">,
  DescFile<"ObjCSelfInitChecker.cpp">;

// The next two describe modeling rather than a reported defect.
def ObjCLoopChecker : Checker<"Loops">,
  HelpText<"Improved modeling of loops using Cocoa collection types">,
  DescFile<"BasicObjCFoundationChecks.cpp">;

def ObjCNonNilReturnValueChecker : Checker<"NonNilReturnValue">,
  HelpText<"Model the APIs that are guaranteed to return a non-nil value">,
  DescFile<"BasicObjCFoundationChecks.cpp">;

def NSErrorChecker : Checker<"NSError">,
  HelpText<"Check usage of NSError** parameters">,
  DescFile<"NSErrorChecker.cpp">;

def RetainCountChecker : Checker<"RetainCount">,
  HelpText<"Check for leaks and improper reference count management">,
  DescFile<"RetainCountChecker.cpp">;

} // end "osx.cocoa"

let ParentPackage = CocoaAlpha in {

def ObjCDeallocChecker : Checker<"Dealloc">,
  HelpText<"Warn about Objective-C classes that lack a correct implementation of -dealloc">,
  DescFile<"CheckObjCDealloc.cpp">;

def InstanceVariableInvalidation : Checker<"InstanceVariableInvalidation">,
  HelpText<"Check that the invalidatable instance variables are invalidated in the methods annotated with objc_instance_variable_invalidator">,
  DescFile<"IvarInvalidationChecker.cpp">;

def MissingInvalidationMethod : Checker<"MissingInvalidationMethod">,
  HelpText<"Check that the invalidation methods are present in classes that contain invalidatable instance variables">,
  DescFile<"IvarInvalidationChecker.cpp">;

def DirectIvarAssignment : Checker<"DirectIvarAssignment">,
  HelpText<"Check for direct assignments to instance variables">,
  DescFile<"DirectIvarAssignment.cpp">;

def DirectIvarAssignmentForAnnotatedFunctions : Checker<"DirectIvarAssignmentForAnnotatedFunctions">,
  HelpText<"Check for direct assignments to instance variables in the methods annotated with objc_no_direct_instance_variable_assignment">,
  DescFile<"DirectIvarAssignment.cpp">;

def ObjCSuperCallChecker : Checker<"MissingSuperCall">,
  HelpText<"Warn about Objective-C methods that lack a necessary call to super">,
  DescFile<"ObjCMissingSuperCallChecker.cpp">;

} // end "alpha.osx.cocoa"

let ParentPackage = CoreFoundation in {

def CFNumberCreateChecker : Checker<"CFNumber">,
  HelpText<"Check for proper uses of CFNumberCreate">,
  DescFile<"BasicObjCFoundationChecks.cpp">;

def CFRetainReleaseChecker : Checker<"CFRetainRelease">,
  HelpText<"Check for null arguments to CFRetain/CFRelease/CFMakeCollectable">,
  DescFile<"BasicObjCFoundationChecks.cpp">;

def CFErrorChecker : Checker<"CFError">,
  HelpText<"Check usage of CFErrorRef* parameters">,
  DescFile<"NSErrorChecker.cpp">;

} // end "osx.coreFoundation"

let ParentPackage = Containers in {

def ObjCContainersASTChecker : Checker<"PointerSizedValues">,
  HelpText<"Warns if 'CFArray', 'CFDictionary', 'CFSet' are created with non-pointer-size values">,
  DescFile<"ObjCContainersASTChecker.cpp">;

def ObjCContainersChecker : Checker<"OutOfBounds">,
  HelpText<"Checks for index out-of-bounds when using 'CFArray' API">,
  DescFile<"ObjCContainersChecker.cpp">;

} // end "osx.coreFoundation.containers"

//===----------------------------------------------------------------------===//
// Checkers for LLVM development.
//===----------------------------------------------------------------------===//

// Placed in the LLVM package through InPackage<> directly instead of a
// surrounding `let ParentPackage = ... in { }` block.
def LLVMConventionsChecker : Checker<"Conventions">,
  InPackage<LLVM>,
  HelpText<"Check code for LLVM codebase conventions">,
  DescFile<"LLVMConventionsChecker.cpp">;

//===----------------------------------------------------------------------===//
// Debugging checkers (for analyzer development).
//===----------------------------------------------------------------------===//

// Going by their help texts, the records in this package print, view or dump
// analyzer state; they are aimed at people working on the analyzer.
let ParentPackage = Debug in {

// CFG-level dumps and viewers.
def DominatorsTreeDumper : Checker<"DumpDominators">,
  HelpText<"Print the dominance tree for a given CFG">,
  DescFile<"DebugCheckers.cpp">;

def LiveVariablesDumper : Checker<"DumpLiveVars">,
  HelpText<"Print results of live variable analysis">,
  DescFile<"DebugCheckers.cpp">;

def CFGViewer : Checker<"ViewCFG">,
  HelpText<"View Control-Flow Graphs using GraphViz">,
  DescFile<"DebugCheckers.cpp">;

def CFGDumper : Checker<"DumpCFG">,
  HelpText<"Display Control-Flow Graphs">,
  DescFile<"DebugCheckers.cpp">;

// Call-graph dumps and viewers.
def CallGraphViewer : Checker<"ViewCallGraph">,
  HelpText<"View Call Graph using GraphViz">,
  DescFile<"DebugCheckers.cpp">;

def CallGraphDumper : Checker<"DumpCallGraph">,
  HelpText<"Display Call Graph">,
  DescFile<"DebugCheckers.cpp">;

def ConfigDumper : Checker<"ConfigDumper">,
  HelpText<"Dump config table">,
  DescFile<"DebugCheckers.cpp">;

// Traversal tracing.
def TraversalDumper : Checker<"DumpTraversal">,
  HelpText<"Print branch conditions as they are traversed by the engine">,
  DescFile<"TraversalChecker.cpp">;

def CallDumper : Checker<"DumpCalls">,
  HelpText<"Print calls as they are traversed by the engine">,
  DescFile<"TraversalChecker.cpp">;

def AnalyzerStatsChecker : Checker<"Stats">,
  HelpText<"Emit warnings with analyzer statistics">,
  DescFile<"AnalyzerStatsChecker.cpp">;

// NOTE(review): presumably the test companion of the taint-propagation
// checker in alpha.security.taint -- confirm in TaintTesterChecker.cpp.
def TaintTesterChecker : Checker<"TaintTest">,
  HelpText<"Mark tainted symbols as such.">,
  DescFile<"TaintTesterChecker.cpp">;

def ExprInspectionChecker : Checker<"ExprInspection">,
  HelpText<"Check the analyzer's understanding of expressions">,
  DescFile<"ExprInspectionChecker.cpp">;

} // end "debug"
