1 //===--- CallAndMessageChecker.cpp ------------------------------*- C++ -*--==//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This defines CallAndMessageChecker, a builtin checker that checks for various
11 // errors of call and objc message expressions.
12 //
13 //===----------------------------------------------------------------------===//
14 
15 #include "ClangSACheckers.h"
16 #include "clang/AST/ParentMap.h"
17 #include "clang/Basic/TargetInfo.h"
18 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
19 #include "clang/StaticAnalyzer/Core/Checker.h"
20 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
22 #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
23 #include "llvm/ADT/SmallString.h"
24 #include "llvm/Support/raw_ostream.h"
25 
26 using namespace clang;
27 using namespace ento;
28 
29 namespace {
30 
31 struct ChecksFilter {
32   DefaultBool Check_CallAndMessageUnInitRefArg;
33   DefaultBool Check_CallAndMessageChecker;
34 
35   CheckName CheckName_CallAndMessageUnInitRefArg;
36   CheckName CheckName_CallAndMessageChecker;
37 };
38 
39 class CallAndMessageChecker
40   : public Checker< check::PreStmt<CallExpr>,
41                     check::PreStmt<CXXDeleteExpr>,
42                     check::PreObjCMessage,
43                     check::ObjCMessageNil,
44                     check::PreCall > {
45   mutable std::unique_ptr<BugType> BT_call_null;
46   mutable std::unique_ptr<BugType> BT_call_undef;
47   mutable std::unique_ptr<BugType> BT_cxx_call_null;
48   mutable std::unique_ptr<BugType> BT_cxx_call_undef;
49   mutable std::unique_ptr<BugType> BT_call_arg;
50   mutable std::unique_ptr<BugType> BT_cxx_delete_undef;
51   mutable std::unique_ptr<BugType> BT_msg_undef;
52   mutable std::unique_ptr<BugType> BT_objc_prop_undef;
53   mutable std::unique_ptr<BugType> BT_objc_subscript_undef;
54   mutable std::unique_ptr<BugType> BT_msg_arg;
55   mutable std::unique_ptr<BugType> BT_msg_ret;
56   mutable std::unique_ptr<BugType> BT_call_few_args;
57 
58 public:
59   ChecksFilter Filter;
60 
61   void checkPreStmt(const CallExpr *CE, CheckerContext &C) const;
62   void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
63   void checkPreObjCMessage(const ObjCMethodCall &msg, CheckerContext &C) const;
64 
65   /// Fill in the return value that results from messaging nil based on the
66   /// return type and architecture and diagnose if the return value will be
67   /// garbage.
68   void checkObjCMessageNil(const ObjCMethodCall &msg, CheckerContext &C) const;
69 
70   void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
71 
72 private:
73   bool PreVisitProcessArg(CheckerContext &C, SVal V, SourceRange ArgRange,
74                           const Expr *ArgEx, bool IsFirstArgument,
75                           bool CheckUninitFields, const CallEvent &Call,
76                           std::unique_ptr<BugType> &BT,
77                           const ParmVarDecl *ParamDecl) const;
78 
79   static void emitBadCall(BugType *BT, CheckerContext &C, const Expr *BadE);
80   void emitNilReceiverBug(CheckerContext &C, const ObjCMethodCall &msg,
81                           ExplodedNode *N) const;
82 
83   void HandleNilReceiver(CheckerContext &C,
84                          ProgramStateRef state,
85                          const ObjCMethodCall &msg) const;
86 
LazyInit_BT(const char * desc,std::unique_ptr<BugType> & BT) const87   void LazyInit_BT(const char *desc, std::unique_ptr<BugType> &BT) const {
88     if (!BT)
89       BT.reset(new BuiltinBug(this, desc));
90   }
91   bool uninitRefOrPointer(CheckerContext &C, const SVal &V,
92                           SourceRange ArgRange,
93                           const Expr *ArgEx, std::unique_ptr<BugType> &BT,
94                           const ParmVarDecl *ParamDecl, const char *BD) const;
95 };
96 } // end anonymous namespace
97 
emitBadCall(BugType * BT,CheckerContext & C,const Expr * BadE)98 void CallAndMessageChecker::emitBadCall(BugType *BT, CheckerContext &C,
99                                         const Expr *BadE) {
100   ExplodedNode *N = C.generateErrorNode();
101   if (!N)
102     return;
103 
104   auto R = llvm::make_unique<BugReport>(*BT, BT->getName(), N);
105   if (BadE) {
106     R->addRange(BadE->getSourceRange());
107     if (BadE->isGLValue())
108       BadE = bugreporter::getDerefExpr(BadE);
109     bugreporter::trackNullOrUndefValue(N, BadE, *R);
110   }
111   C.emitReport(std::move(R));
112 }
113 
describeUninitializedArgumentInCall(const CallEvent & Call,bool IsFirstArgument)114 static StringRef describeUninitializedArgumentInCall(const CallEvent &Call,
115                                                      bool IsFirstArgument) {
116   switch (Call.getKind()) {
117   case CE_ObjCMessage: {
118     const ObjCMethodCall &Msg = cast<ObjCMethodCall>(Call);
119     switch (Msg.getMessageKind()) {
120     case OCM_Message:
121       return "Argument in message expression is an uninitialized value";
122     case OCM_PropertyAccess:
123       assert(Msg.isSetter() && "Getters have no args");
124       return "Argument for property setter is an uninitialized value";
125     case OCM_Subscript:
126       if (Msg.isSetter() && IsFirstArgument)
127         return "Argument for subscript setter is an uninitialized value";
128       return "Subscript index is an uninitialized value";
129     }
130     llvm_unreachable("Unknown message kind.");
131   }
132   case CE_Block:
133     return "Block call argument is an uninitialized value";
134   default:
135     return "Function call argument is an uninitialized value";
136   }
137 }
138 
uninitRefOrPointer(CheckerContext & C,const SVal & V,SourceRange ArgRange,const Expr * ArgEx,std::unique_ptr<BugType> & BT,const ParmVarDecl * ParamDecl,const char * BD) const139 bool CallAndMessageChecker::uninitRefOrPointer(CheckerContext &C,
140                                                const SVal &V,
141                                                SourceRange ArgRange,
142                                                const Expr *ArgEx,
143                                                std::unique_ptr<BugType> &BT,
144                                                const ParmVarDecl *ParamDecl,
145                                                const char *BD) const {
146   if (!Filter.Check_CallAndMessageUnInitRefArg)
147     return false;
148 
149   // No parameter declaration available, i.e. variadic function argument.
150   if(!ParamDecl)
151     return false;
152 
153   // If parameter is declared as pointer to const in function declaration,
154   // then check if corresponding argument in function call is
155   // pointing to undefined symbol value (uninitialized memory).
156   StringRef Message;
157 
158   if (ParamDecl->getType()->isPointerType()) {
159     Message = "Function call argument is a pointer to uninitialized value";
160   } else if (ParamDecl->getType()->isReferenceType()) {
161     Message = "Function call argument is an uninitialized value";
162   } else
163     return false;
164 
165   if(!ParamDecl->getType()->getPointeeType().isConstQualified())
166     return false;
167 
168   if (const MemRegion *SValMemRegion = V.getAsRegion()) {
169     const ProgramStateRef State = C.getState();
170     const SVal PSV = State->getSVal(SValMemRegion);
171     if (PSV.isUndef()) {
172       if (ExplodedNode *N = C.generateErrorNode()) {
173         LazyInit_BT(BD, BT);
174         auto R = llvm::make_unique<BugReport>(*BT, Message, N);
175         R->addRange(ArgRange);
176         if (ArgEx) {
177           bugreporter::trackNullOrUndefValue(N, ArgEx, *R);
178         }
179         C.emitReport(std::move(R));
180       }
181       return true;
182     }
183   }
184   return false;
185 }
186 
PreVisitProcessArg(CheckerContext & C,SVal V,SourceRange ArgRange,const Expr * ArgEx,bool IsFirstArgument,bool CheckUninitFields,const CallEvent & Call,std::unique_ptr<BugType> & BT,const ParmVarDecl * ParamDecl) const187 bool CallAndMessageChecker::PreVisitProcessArg(CheckerContext &C,
188                                                SVal V,
189                                                SourceRange ArgRange,
190                                                const Expr *ArgEx,
191                                                bool IsFirstArgument,
192                                                bool CheckUninitFields,
193                                                const CallEvent &Call,
194                                                std::unique_ptr<BugType> &BT,
195                                                const ParmVarDecl *ParamDecl
196                                                ) const {
197   const char *BD = "Uninitialized argument value";
198 
199   if (uninitRefOrPointer(C, V, ArgRange, ArgEx, BT, ParamDecl, BD))
200     return true;
201 
202   if (V.isUndef()) {
203     if (ExplodedNode *N = C.generateErrorNode()) {
204       LazyInit_BT(BD, BT);
205 
206       // Generate a report for this bug.
207       StringRef Desc =
208           describeUninitializedArgumentInCall(Call, IsFirstArgument);
209       auto R = llvm::make_unique<BugReport>(*BT, Desc, N);
210       R->addRange(ArgRange);
211       if (ArgEx)
212         bugreporter::trackNullOrUndefValue(N, ArgEx, *R);
213       C.emitReport(std::move(R));
214     }
215     return true;
216   }
217 
218   if (!CheckUninitFields)
219     return false;
220 
221   if (Optional<nonloc::LazyCompoundVal> LV =
222           V.getAs<nonloc::LazyCompoundVal>()) {
223 
224     class FindUninitializedField {
225     public:
226       SmallVector<const FieldDecl *, 10> FieldChain;
227     private:
228       StoreManager &StoreMgr;
229       MemRegionManager &MrMgr;
230       Store store;
231     public:
232       FindUninitializedField(StoreManager &storeMgr,
233                              MemRegionManager &mrMgr, Store s)
234       : StoreMgr(storeMgr), MrMgr(mrMgr), store(s) {}
235 
236       bool Find(const TypedValueRegion *R) {
237         QualType T = R->getValueType();
238         if (const RecordType *RT = T->getAsStructureType()) {
239           const RecordDecl *RD = RT->getDecl()->getDefinition();
240           assert(RD && "Referred record has no definition");
241           for (const auto *I : RD->fields()) {
242             const FieldRegion *FR = MrMgr.getFieldRegion(I, R);
243             FieldChain.push_back(I);
244             T = I->getType();
245             if (T->getAsStructureType()) {
246               if (Find(FR))
247                 return true;
248             }
249             else {
250               const SVal &V = StoreMgr.getBinding(store, loc::MemRegionVal(FR));
251               if (V.isUndef())
252                 return true;
253             }
254             FieldChain.pop_back();
255           }
256         }
257 
258         return false;
259       }
260     };
261 
262     const LazyCompoundValData *D = LV->getCVData();
263     FindUninitializedField F(C.getState()->getStateManager().getStoreManager(),
264                              C.getSValBuilder().getRegionManager(),
265                              D->getStore());
266 
267     if (F.Find(D->getRegion())) {
268       if (ExplodedNode *N = C.generateErrorNode()) {
269         LazyInit_BT(BD, BT);
270         SmallString<512> Str;
271         llvm::raw_svector_ostream os(Str);
272         os << "Passed-by-value struct argument contains uninitialized data";
273 
274         if (F.FieldChain.size() == 1)
275           os << " (e.g., field: '" << *F.FieldChain[0] << "')";
276         else {
277           os << " (e.g., via the field chain: '";
278           bool first = true;
279           for (SmallVectorImpl<const FieldDecl *>::iterator
280                DI = F.FieldChain.begin(), DE = F.FieldChain.end(); DI!=DE;++DI){
281             if (first)
282               first = false;
283             else
284               os << '.';
285             os << **DI;
286           }
287           os << "')";
288         }
289 
290         // Generate a report for this bug.
291         auto R = llvm::make_unique<BugReport>(*BT, os.str(), N);
292         R->addRange(ArgRange);
293 
294         // FIXME: enhance track back for uninitialized value for arbitrary
295         // memregions
296         C.emitReport(std::move(R));
297       }
298       return true;
299     }
300   }
301 
302   return false;
303 }
304 
checkPreStmt(const CallExpr * CE,CheckerContext & C) const305 void CallAndMessageChecker::checkPreStmt(const CallExpr *CE,
306                                          CheckerContext &C) const{
307 
308   const Expr *Callee = CE->getCallee()->IgnoreParens();
309   ProgramStateRef State = C.getState();
310   const LocationContext *LCtx = C.getLocationContext();
311   SVal L = State->getSVal(Callee, LCtx);
312 
313   if (L.isUndef()) {
314     if (!BT_call_undef)
315       BT_call_undef.reset(new BuiltinBug(
316           this, "Called function pointer is an uninitalized pointer value"));
317     emitBadCall(BT_call_undef.get(), C, Callee);
318     return;
319   }
320 
321   ProgramStateRef StNonNull, StNull;
322   std::tie(StNonNull, StNull) = State->assume(L.castAs<DefinedOrUnknownSVal>());
323 
324   if (StNull && !StNonNull) {
325     if (!BT_call_null)
326       BT_call_null.reset(new BuiltinBug(
327           this, "Called function pointer is null (null dereference)"));
328     emitBadCall(BT_call_null.get(), C, Callee);
329     return;
330   }
331 
332   C.addTransition(StNonNull);
333 }
334 
checkPreStmt(const CXXDeleteExpr * DE,CheckerContext & C) const335 void CallAndMessageChecker::checkPreStmt(const CXXDeleteExpr *DE,
336                                          CheckerContext &C) const {
337 
338   SVal Arg = C.getSVal(DE->getArgument());
339   if (Arg.isUndef()) {
340     StringRef Desc;
341     ExplodedNode *N = C.generateErrorNode();
342     if (!N)
343       return;
344     if (!BT_cxx_delete_undef)
345       BT_cxx_delete_undef.reset(
346           new BuiltinBug(this, "Uninitialized argument value"));
347     if (DE->isArrayFormAsWritten())
348       Desc = "Argument to 'delete[]' is uninitialized";
349     else
350       Desc = "Argument to 'delete' is uninitialized";
351     BugType *BT = BT_cxx_delete_undef.get();
352     auto R = llvm::make_unique<BugReport>(*BT, Desc, N);
353     bugreporter::trackNullOrUndefValue(N, DE, *R);
354     C.emitReport(std::move(R));
355     return;
356   }
357 }
358 
359 
checkPreCall(const CallEvent & Call,CheckerContext & C) const360 void CallAndMessageChecker::checkPreCall(const CallEvent &Call,
361                                          CheckerContext &C) const {
362   ProgramStateRef State = C.getState();
363 
364   // If this is a call to a C++ method, check if the callee is null or
365   // undefined.
366   if (const CXXInstanceCall *CC = dyn_cast<CXXInstanceCall>(&Call)) {
367     SVal V = CC->getCXXThisVal();
368     if (V.isUndef()) {
369       if (!BT_cxx_call_undef)
370         BT_cxx_call_undef.reset(
371             new BuiltinBug(this, "Called C++ object pointer is uninitialized"));
372       emitBadCall(BT_cxx_call_undef.get(), C, CC->getCXXThisExpr());
373       return;
374     }
375 
376     ProgramStateRef StNonNull, StNull;
377     std::tie(StNonNull, StNull) =
378         State->assume(V.castAs<DefinedOrUnknownSVal>());
379 
380     if (StNull && !StNonNull) {
381       if (!BT_cxx_call_null)
382         BT_cxx_call_null.reset(
383             new BuiltinBug(this, "Called C++ object pointer is null"));
384       emitBadCall(BT_cxx_call_null.get(), C, CC->getCXXThisExpr());
385       return;
386     }
387 
388     State = StNonNull;
389   }
390 
391   const Decl *D = Call.getDecl();
392   const FunctionDecl *FD = dyn_cast_or_null<FunctionDecl>(D);
393   if (FD) {
394     // If we have a declaration, we can make sure we pass enough parameters to
395     // the function.
396     unsigned Params = FD->getNumParams();
397     if (Call.getNumArgs() < Params) {
398       ExplodedNode *N = C.generateErrorNode();
399       if (!N)
400         return;
401 
402       LazyInit_BT("Function call with too few arguments", BT_call_few_args);
403 
404       SmallString<512> Str;
405       llvm::raw_svector_ostream os(Str);
406       os << "Function taking " << Params << " argument"
407          << (Params == 1 ? "" : "s") << " is called with less ("
408          << Call.getNumArgs() << ")";
409 
410       C.emitReport(
411           llvm::make_unique<BugReport>(*BT_call_few_args, os.str(), N));
412     }
413   }
414 
415   // Don't check for uninitialized field values in arguments if the
416   // caller has a body that is available and we have the chance to inline it.
417   // This is a hack, but is a reasonable compromise betweens sometimes warning
418   // and sometimes not depending on if we decide to inline a function.
419   const bool checkUninitFields =
420     !(C.getAnalysisManager().shouldInlineCall() && (D && D->getBody()));
421 
422   std::unique_ptr<BugType> *BT;
423   if (isa<ObjCMethodCall>(Call))
424     BT = &BT_msg_arg;
425   else
426     BT = &BT_call_arg;
427 
428   for (unsigned i = 0, e = Call.getNumArgs(); i != e; ++i) {
429     const ParmVarDecl *ParamDecl = nullptr;
430     if(FD && i < FD->getNumParams())
431       ParamDecl = FD->getParamDecl(i);
432     if (PreVisitProcessArg(C, Call.getArgSVal(i), Call.getArgSourceRange(i),
433                            Call.getArgExpr(i), /*IsFirstArgument=*/i == 0,
434                            checkUninitFields, Call, *BT, ParamDecl))
435       return;
436   }
437 
438   // If we make it here, record our assumptions about the callee.
439   C.addTransition(State);
440 }
441 
checkPreObjCMessage(const ObjCMethodCall & msg,CheckerContext & C) const442 void CallAndMessageChecker::checkPreObjCMessage(const ObjCMethodCall &msg,
443                                                 CheckerContext &C) const {
444   SVal recVal = msg.getReceiverSVal();
445   if (recVal.isUndef()) {
446     if (ExplodedNode *N = C.generateErrorNode()) {
447       BugType *BT = nullptr;
448       switch (msg.getMessageKind()) {
449       case OCM_Message:
450         if (!BT_msg_undef)
451           BT_msg_undef.reset(new BuiltinBug(this,
452                                             "Receiver in message expression "
453                                             "is an uninitialized value"));
454         BT = BT_msg_undef.get();
455         break;
456       case OCM_PropertyAccess:
457         if (!BT_objc_prop_undef)
458           BT_objc_prop_undef.reset(new BuiltinBug(
459               this, "Property access on an uninitialized object pointer"));
460         BT = BT_objc_prop_undef.get();
461         break;
462       case OCM_Subscript:
463         if (!BT_objc_subscript_undef)
464           BT_objc_subscript_undef.reset(new BuiltinBug(
465               this, "Subscript access on an uninitialized object pointer"));
466         BT = BT_objc_subscript_undef.get();
467         break;
468       }
469       assert(BT && "Unknown message kind.");
470 
471       auto R = llvm::make_unique<BugReport>(*BT, BT->getName(), N);
472       const ObjCMessageExpr *ME = msg.getOriginExpr();
473       R->addRange(ME->getReceiverRange());
474 
475       // FIXME: getTrackNullOrUndefValueVisitor can't handle "super" yet.
476       if (const Expr *ReceiverE = ME->getInstanceReceiver())
477         bugreporter::trackNullOrUndefValue(N, ReceiverE, *R);
478       C.emitReport(std::move(R));
479     }
480     return;
481   }
482 }
483 
checkObjCMessageNil(const ObjCMethodCall & msg,CheckerContext & C) const484 void CallAndMessageChecker::checkObjCMessageNil(const ObjCMethodCall &msg,
485                                                 CheckerContext &C) const {
486   HandleNilReceiver(C, C.getState(), msg);
487 }
488 
emitNilReceiverBug(CheckerContext & C,const ObjCMethodCall & msg,ExplodedNode * N) const489 void CallAndMessageChecker::emitNilReceiverBug(CheckerContext &C,
490                                                const ObjCMethodCall &msg,
491                                                ExplodedNode *N) const {
492 
493   if (!BT_msg_ret)
494     BT_msg_ret.reset(
495         new BuiltinBug(this, "Receiver in message expression is 'nil'"));
496 
497   const ObjCMessageExpr *ME = msg.getOriginExpr();
498 
499   QualType ResTy = msg.getResultType();
500 
501   SmallString<200> buf;
502   llvm::raw_svector_ostream os(buf);
503   os << "The receiver of message '";
504   ME->getSelector().print(os);
505   os << "' is nil";
506   if (ResTy->isReferenceType()) {
507     os << ", which results in forming a null reference";
508   } else {
509     os << " and returns a value of type '";
510     msg.getResultType().print(os, C.getLangOpts());
511     os << "' that will be garbage";
512   }
513 
514   auto report = llvm::make_unique<BugReport>(*BT_msg_ret, os.str(), N);
515   report->addRange(ME->getReceiverRange());
516   // FIXME: This won't track "self" in messages to super.
517   if (const Expr *receiver = ME->getInstanceReceiver()) {
518     bugreporter::trackNullOrUndefValue(N, receiver, *report);
519   }
520   C.emitReport(std::move(report));
521 }
522 
supportsNilWithFloatRet(const llvm::Triple & triple)523 static bool supportsNilWithFloatRet(const llvm::Triple &triple) {
524   return (triple.getVendor() == llvm::Triple::Apple &&
525           (triple.isiOS() || triple.isWatchOS() ||
526            !triple.isMacOSXVersionLT(10,5)));
527 }
528 
HandleNilReceiver(CheckerContext & C,ProgramStateRef state,const ObjCMethodCall & Msg) const529 void CallAndMessageChecker::HandleNilReceiver(CheckerContext &C,
530                                               ProgramStateRef state,
531                                               const ObjCMethodCall &Msg) const {
532   ASTContext &Ctx = C.getASTContext();
533   static CheckerProgramPointTag Tag(this, "NilReceiver");
534 
535   // Check the return type of the message expression.  A message to nil will
536   // return different values depending on the return type and the architecture.
537   QualType RetTy = Msg.getResultType();
538   CanQualType CanRetTy = Ctx.getCanonicalType(RetTy);
539   const LocationContext *LCtx = C.getLocationContext();
540 
541   if (CanRetTy->isStructureOrClassType()) {
542     // Structure returns are safe since the compiler zeroes them out.
543     SVal V = C.getSValBuilder().makeZeroVal(RetTy);
544     C.addTransition(state->BindExpr(Msg.getOriginExpr(), LCtx, V), &Tag);
545     return;
546   }
547 
548   // Other cases: check if sizeof(return type) > sizeof(void*)
549   if (CanRetTy != Ctx.VoidTy && C.getLocationContext()->getParentMap()
550                                   .isConsumedExpr(Msg.getOriginExpr())) {
551     // Compute: sizeof(void *) and sizeof(return type)
552     const uint64_t voidPtrSize = Ctx.getTypeSize(Ctx.VoidPtrTy);
553     const uint64_t returnTypeSize = Ctx.getTypeSize(CanRetTy);
554 
555     if (CanRetTy.getTypePtr()->isReferenceType()||
556         (voidPtrSize < returnTypeSize &&
557          !(supportsNilWithFloatRet(Ctx.getTargetInfo().getTriple()) &&
558            (Ctx.FloatTy == CanRetTy ||
559             Ctx.DoubleTy == CanRetTy ||
560             Ctx.LongDoubleTy == CanRetTy ||
561             Ctx.LongLongTy == CanRetTy ||
562             Ctx.UnsignedLongLongTy == CanRetTy)))) {
563       if (ExplodedNode *N = C.generateErrorNode(state, &Tag))
564         emitNilReceiverBug(C, Msg, N);
565       return;
566     }
567 
568     // Handle the safe cases where the return value is 0 if the
569     // receiver is nil.
570     //
571     // FIXME: For now take the conservative approach that we only
572     // return null values if we *know* that the receiver is nil.
573     // This is because we can have surprises like:
574     //
575     //   ... = [[NSScreens screens] objectAtIndex:0];
576     //
577     // What can happen is that [... screens] could return nil, but
578     // it most likely isn't nil.  We should assume the semantics
579     // of this case unless we have *a lot* more knowledge.
580     //
581     SVal V = C.getSValBuilder().makeZeroVal(RetTy);
582     C.addTransition(state->BindExpr(Msg.getOriginExpr(), LCtx, V), &Tag);
583     return;
584   }
585 
586   C.addTransition(state);
587 }
588 
589 #define REGISTER_CHECKER(name)                                                 \
590   void ento::register##name(CheckerManager &mgr) {                             \
591     CallAndMessageChecker *Checker =                                           \
592         mgr.registerChecker<CallAndMessageChecker>();                          \
593     Checker->Filter.Check_##name = true;                                       \
594     Checker->Filter.CheckName_##name = mgr.getCurrentCheckName();              \
595   }
596 
597 REGISTER_CHECKER(CallAndMessageUnInitRefArg)
598 REGISTER_CHECKER(CallAndMessageChecker)
599