This is an archive of the discontinued LLVM Phabricator instance.

Differential D15448

[analyzer] SVal Visitor.
ClosedPublic

Authored by NoQ on Dec 11 2015, 5:52 AM.

Details

Reviewers
dcoughlin
zaks.anna
xazax.hun
rsmith
Commits
rG895242f9fbb0: [analyzer] Provide .def-files and visitors for SVal/SymExpr/MemRegion, v2.
rGbeb02b5b8f62: [analyzer] Provide .def-files and visitors for SVal/SymExpr/MemRegion.
rC257893: [analyzer] Provide .def-files and visitors for SVal/SymExpr/MemRegion, v2.
rC257605: [analyzer] Provide .def-files and visitors for SVal/SymExpr/MemRegion.
rL257893: [analyzer] Provide .def-files and visitors for SVal/SymExpr/MemRegion, v2.
rL257605: [analyzer] Provide .def-files and visitors for SVal/SymExpr/MemRegion.
Summary

It seems that in several places in the code Clang Static Analyzer tries to recursively traverse the SVal hierarchy, so i made a visitor for SVal, SymExpr, and MemRegion hierarchies. Actually, three separate visitors, but they're rarely useful on their own, so there's FullSValVisitor to merge the three for visiting the whole thing. The approach was literally copied from StmtVisitor etc in an obvious manner.

One thing that could make the visitor a lot more useful, which i'd probably love to implement, is a simple re-usable VisitChildren() method (in case the visitor's return type is void). Because we cannot write such method in every visitor as easily as we do it for, say, StmtVisitor (we don't have a full-featured iterator for child values/symbols/regions). This would allow a trivial implementation of methods like "find all ElementRegion's inside this SVal, and mark their indices"). To-think: how should such method handle lazy compound values?

This review is a bit green, in a sense that there's not much actually delivered yet, apart from the visitor header itself. Some further todo's would be:

  • Refactor some pieces of the code to use the visitor. In fact, we already have the SymbolVisitor class somewhere. Probably SymbolReaper could be simplified.
  • Some checkers, that rely on exploring the hierarchy, may be making use of the visitor. Even if existing checkers don't use it, developers of new checkers may like it.
  • The object responsible for this alpha-renaming thing would most likely look like a FullSValVisitor that returns an SVal.
  • Not sure, maybe split the three visitors into three different header files?

In order to make sure that the visitor header compiles, i started a simple example visitor - the SValExplainer. It explains symbolic values in a human-readable manner, returning an std::string. SValExplainer can be used:

  • for pretty-printing values to the analyzer's end-user, eg. in checker warning messages, or even in "[assuming ...]" diagnostic pieces instead of pretty-printed expressions.
  • for deep-testing analyzer internals, when the test needs to ensure that a particular kind of SVal is produced durign analysis. In fact, one of the tests a FIXME test that exposes a certain problem in the core.
  • as a documentation for SVal kinds (because novice checker developers are often confused about the meaning of different SVal kinds). Users may also rely on it to understand how the analyzer works during debugging, eg. quickly explain what does this particular SVal they obtained in a certain callback actually means.

Todos for SValExplainer include:

  • Explaining more values. In particular, i could use a bit of advice for Objective-C-specific values, because i know very little about this language. I might have also forgotten something. Memory spaces are worth it, most likely.
  • Improving natural language. Probably some bugs would be exposed later. Not sure if the long "of"-chains the explainer produces sound naturally.
  • Probably add various constructor-time flags if there are multiple users of the explainer having different expectations.

In order to test SValExplainer, a new callback was added to the debug.ExprInspectionChecker, namely clang_analyzer_explain(), that causes an explanation of its argument value to be printed as a warning message. I also added another callback - clang_analyzer_getExtent() in order to obtain SymbolExtent for testing. Testing how extents are modeled would probably be useful later as well. Regexps are used in the tests in order to match the start and the end of the warning message.

So, essentially, i'm humbly requesting a quick glance on this code, if this facility is useful, if some stuff is clearly useless, and whether any of the todos are actually wanted.
I'd probably make more updates in the process.

Diff Detail

Event Timeline

NoQ updated this revision to Diff 42516.Dec 11 2015, 5:52 AM
NoQ retitled this revision from to [analyzer] SVal Visitor..
NoQ updated this object.
NoQ added reviewers: zaks.anna, dcoughlin, xazax.hun.
NoQ added a subscriber: cfe-commits.
a.sidorin added a subscriber: a.sidorin.Dec 11 2015, 5:54 AM
j.trofimovich added a subscriber: j.trofimovich.Dec 11 2015, 5:56 AM
zaks.anna edited edge metadata.Dec 15 2015, 5:09 PM

Can/Should something like this be used when dumping SVals (during debugging)? (Possibly in addition to the debug checker.)
What are the advantages of implementing this using visitors? Can this be implemented similarly to SVal::dumpToStream? Do you envision other use cases for the visitors?

A couple of suggestions regarding the implementation of the visitors if we decide to keep them.
You should either use http://llvm.org/docs/TableGen/ like ./include/clang/AST/DeclVisitor.h or even better use something similar to https://github.com/apple/swift/blob/master/include/swift/AST/ExprNodes.def and it's users.

include/clang/StaticAnalyzer/Checkers/SValExplainer.h
89

Using a different name here could lead to confusion.

zaks.anna added a comment.Dec 15 2015, 5:15 PM

Sorry, I forgot to read the description before commenting; I see it is intended to be used not only for debugging purposes:)

NoQ added a comment.Dec 16 2015, 5:24 AM

Good point, will try to make a .def file.

There's a tiny inconsistency with SVal naming that would most likely need to be fixed in this approach:

nonloc::SymbolVal => SymbolValKind
loc::MemRegionVal => MemRegionKind // no "Val"!

Hmm, maybe make a .def file for symbols and regions only? SVals are very small anyway.

zaks.anna added a comment.Dec 16 2015, 5:40 PM

Are you saying that we need to rename "SymbolValKind" to "SymbolKind"? That would probably be a tiny change.

NoQ updated this revision to Diff 43683.Dec 28 2015, 7:09 AM
NoQ edited edge metadata.
NoQ marked an inline comment as done.

An attempt on the .def-files.

The next step would probably be the VisitChildren() thing, and I'll see if it allows to refactor and simplify some code.

Forgot to answer: I guess there are a few minor-but-good things about the visitors in our case compared in-class methods (such as dumpToStream()):

  1. Easy to develop incrementally - no need to put stubs into all subclasses for methods we didn't yet implement.
  2. Easy to create incomplete visitors (eg. we want to visit only SVal's that appear as Store values, and we won't ever see a MemSpaceRegion appear as a Store value)
  3. Cover the whole sub-class with a single method (eg. VisitTypedValueRegion() covers all kinds of TypedValueRegion's).
  4. Easy to create checker-specific traversal methods - if a particular checker needs to visit the hierarchy, it's not forced to adjust all classes.

The question in what way the visitor is better than a recursive function with a very large switch is a bit more complicated (because a visitor essentially is a recursive function with a very large switch); only point 3 of the above still applies. With VisitChildren(), however, it becomes much more convenient.

Hmm. One more thing about VisitChildren(): Normally such method is re-implemented in every visitor easily using child iterators. We don't, however, have fully functional iterators for SVal/SymExpr/MemRegion children (only partial solutions like symbol_begin()..symbol_end()), and also such iterators would need to be polymorphic around these three classes (eg. a symbol-child of a region). In fact, i can make such polymorphic iterators, and that'd probably be a more generic solution.

zaks.anna added inline comments.Jan 5 2016, 4:13 PM
include/clang/StaticAnalyzer/Core/PathSensitive/Regions.def
32

I'd rather rename the "Kind" suffix. Is that possible?

Having REGION and NORMAL_REGION is strange.

include/clang/StaticAnalyzer/Core/PathSensitive/SVals.def
14

Again, we should go ahead and change the kind values if it would make things more uniform. (Can be done in a separate patch committed before this one.)

28

Loc and NonLoc have not been defined yet.

NoQ added inline comments.Jan 6 2016, 6:52 AM
include/clang/StaticAnalyzer/Core/PathSensitive/Regions.def
32

In fact, MemSpaceRegion is quite special, because it is the only thing in the hierarchy that can be both derived from (normally such values are marked as "abstract") and instantiated (for which it has a kind defined). Instances of MemSpaceRegion are used, at least, for holding some code regions. Probably create a new memspace for such regions and remove the kind value?

Ok, i'd go ahead and prepare a separate review for unifying the naming convention :)

zaks.anna added inline comments.Jan 6 2016, 11:36 AM
include/clang/StaticAnalyzer/Core/PathSensitive/Regions.def
32

Please, do if you agree that it makes sense.

Otherwise, this patch LGTM.

NoQ mentioned this in D16062: [analyzer] Rename kind-enumeration values of SVal, SymExpr, MemRegion classes, for consistency..Jan 11 2016, 5:39 AM
NoQ updated this revision to Diff 44475.Jan 11 2016, 6:11 AM
NoQ marked 5 inline comments as done.

Renamed the kinds for consistency (review D16062), this diff is updated to use the new naming convention. The 'kind' column gets removed from the def-files.

NoQ updated this revision to Diff 44629.Jan 12 2016, 6:08 AM

Another rebase on top of D16062.

zaks.anna accepted this revision.Jan 12 2016, 3:40 PM
zaks.anna edited edge metadata.

LGTM. Thank you!

This revision is now accepted and ready to land.Jan 12 2016, 3:40 PM
NoQ updated this revision to Diff 44734.Jan 13 2016, 4:14 AM
NoQ edited edge metadata.

Rebase on top of D12901 - support SymbolCast in the explainer, as it finally appears in the wild.

NoQ added a comment.Jan 13 2016, 5:29 AM

Nope, will commit without SymbolCast support for now, encountered some issues with D12901 that would probably be worth a separate commit.

Closed by commit rL257605: [analyzer] Provide .def-files and visitors for SVal/SymExpr/MemRegion. (authored by dergachev). · Explain WhyJan 13 2016, 7:17 AM
This revision was automatically updated to reflect the committed changes.
NoQ updated this revision to Diff 44758.Jan 13 2016, 9:17 AM
NoQ removed rL LLVM as the repository for this revision.

Reverted the patch due to a few issues. This revision should fix these issues.

The explain-svals test is fixed to target a specific target, in order to make sure that the definition of size_t always agrees with the target triple, otherwise the test would fail (shame on me, should have guessed!).

Not quite sure what to do with the failure of the Modules buildbot (http://lab.llvm.org:8011/builders/clang-x86_64-linux-selfhost-modules/builds/10562/steps/compile.llvm.stage2/logs/stdio). I added the new .def-files to the list of "textual" headers in module.modulemap, but i'm not brave enough to go ahead and commit again and make that sort of thing work through trial and error, as maybe there are more things i need to do.

Fix a small whitespace error introduced by the patch.

Right after committing D16062, i noticed that MemRegion itself also doesn't need to be a friend of MemRegionManager. Added this to this patch, as they're related, i guess.

NoQ added a reviewer: rsmith.Jan 13 2016, 10:33 AM

Richard: excuse me, adding you because you are an expert on the modulemap, could you have a quick look at the proposed changes here and probably point me in the right direction, because i'm not quite sure how to test the modules-enabled build on a local machine before committing?

Sorry for a bit of a newbie panic/noise in this review.

NoQ added a comment.Jan 15 2016, 8:08 AM

Managed to reproduce the build error with -fmodules on my machine.
Committed the updated patch as r257893, the buildbot seems happy.
I hope this review is actually closed now :)

Revision Contents

PathSize
docs/
analyzer/
35 lines
include/
clang/
StaticAnalyzer/
Checkers/
233 lines
Core/
PathSensitive/
51 lines
89 lines
151 lines
19 lines
74 lines
16 lines
55 lines
3 lines
lib/
StaticAnalyzer/
Checkers/
85 lines
test/
Analysis/
98 lines

Diff 44758

docs/analyzer/DebugChecks.rst

Show First 20 LinesShow All 156 Lines▼ Show 20 Lines- void clang_analyzer_warnOnDeadSymbol(int);
Example usage:: Example usage::
do { do {
int x = generate_some_integer(); int x = generate_some_integer();
clang_analyzer_warnOnDeadSymbol(x); clang_analyzer_warnOnDeadSymbol(x);
} while(0); // expected-warning{{SYMBOL DEAD}} } while(0); // expected-warning{{SYMBOL DEAD}}
- void clang_analyzer_explain(a single argument of any type);
This function explains the value of its argument in a human-readable manner
in the warning message. You can make as many overrides of its prototype
in the test code as necessary to explain various integral, pointer,
or even record-type values.
Example usage::
void clang_analyzer_explain(int);
void clang_analyzer_explain(void *);
void foo(int param, void *ptr) {
clang_analyzer_explain(param); // expected-warning{{argument 'param'}}
if (!ptr)
clang_analyzer_explain(ptr); // expected-warning{{memory address '0'}}
}
- size_t clang_analyzer_getExtent(void *);
This function returns the value that represents the extent of a memory region
pointed to by the argument. This value is often difficult to obtain otherwise,
because no valid code that produces this value. However, it may be useful
for testing purposes, to see how well does the analyzer model region extents.
Example usage::
void foo() {
int x, *y;
size_t xs = clang_analyzer_getExtent(&x);
clang_analyzer_explain(xs); // expected-warning{{'4'}}
size_t ys = clang_analyzer_getExtent(&y);
clang_analyzer_explain(ys); // expected-warning{{'8'}}
}
Statistics Statistics
========== ==========
The debug.Stats checker collects various information about the analysis of each The debug.Stats checker collects various information about the analysis of each
function, such as how many blocks were reached and if the analyzer timed out. function, such as how many blocks were reached and if the analyzer timed out.
There is also an additional -analyzer-stats flag, which enables various There is also an additional -analyzer-stats flag, which enables various
statistics within the analyzer engine. Note the Stats checker (which produces at statistics within the analyzer engine. Note the Stats checker (which produces at
least one bug report per function) may actually change the values reported by least one bug report per function) may actually change the values reported by
-analyzer-stats. -analyzer-stats.

include/clang/StaticAnalyzer/Checkers/SValExplainer.h

  • This file was added.
//== SValExplainer.h - Symbolic value explainer -----------------*- C++ -*--==//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file defines SValExplainer, a class for pretty-printing a
// human-readable description of a symbolic value. For example,
// "reg_$0<x>" is turned into "initial value of variable 'x'".
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CHECKERS_SVALEXPLAINER_H
#define LLVM_CLANG_STATICANALYZER_CHECKERS_SVALEXPLAINER_H
#include "clang/AST/DeclCXX.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValVisitor.h"
namespace clang {
namespace ento {
class SValExplainer : public FullSValVisitor<SValExplainer, std::string> {
private:
ASTContext &ACtx;
std::string printStmt(const Stmt *S) {
std::string Str;
llvm::raw_string_ostream OS(Str);
S->printPretty(OS, nullptr, PrintingPolicy(ACtx.getLangOpts()));
return OS.str();
}
bool isThisObject(const SymbolicRegion *R) {
if (auto S = dyn_cast<SymbolRegionValue>(R->getSymbol()))
if (isa<CXXThisRegion>(S->getRegion()))
return true;
return false;
}
public:
SValExplainer(ASTContext &Ctx) : ACtx(Ctx) {}
std::string VisitUnknownVal(UnknownVal V) {
return "unknown value";
}
std::string VisitUndefinedVal(UndefinedVal V) {
return "undefined value";
}
std::string VisitLocMemRegionVal(loc::MemRegionVal V) {
const MemRegion *R = V.getRegion();
// Avoid the weird "pointer to pointee of ...".
if (auto SR = dyn_cast<SymbolicRegion>(R)) {
// However, "pointer to 'this' object" is fine.
if (!isThisObject(SR))
return Visit(SR->getSymbol());
}
return "pointer to " + Visit(R);
}
std::string VisitLocConcreteInt(loc::ConcreteInt V) {
llvm::APSInt I = V.getValue();
std::string Str;
llvm::raw_string_ostream OS(Str);
OS << "concrete memory address '" << I << "'";
return OS.str();
}
std::string VisitNonLocSymbolVal(nonloc::SymbolVal V) {
return Visit(V.getSymbol());
}
std::string VisitNonLocConcreteInt(nonloc::ConcreteInt V) {
llvm::APSInt I = V.getValue();
std::string Str;
llvm::raw_string_ostream OS(Str);
OS << (I.isSigned() ? "signed " : "unsigned ") << I.getBitWidth()
<< "-bit integer '" << I << "'";
return OS.str();
}
std::string VisitNonLocLazyCompoundVal(nonloc::LazyCompoundVal V) {
return "lazily frozen compound value of " + Visit(V.getRegion());
}
zaks.annaUnsubmitted
Done
ReplyInline Actions

Using a different name here could lead to confusion.

zaks.anna: Using a different name here could lead to confusion.
std::string VisitSymbolRegionValue(const SymbolRegionValue *S) {
const MemRegion *R = S->getRegion();
// Special handling for argument values.
if (auto V = dyn_cast<VarRegion>(R))
if (auto D = dyn_cast<ParmVarDecl>(V->getDecl()))
return "argument '" + D->getQualifiedNameAsString() + "'";
return "initial value of " + Visit(R);
}
std::string VisitSymbolConjured(const SymbolConjured *S) {
return "symbol of type '" + S->getType().getAsString() +
"' conjured at statement '" + printStmt(S->getStmt()) + "'";
}
std::string VisitSymbolDerived(const SymbolDerived *S) {
return "value derived from (" + Visit(S->getParentSymbol()) +
") for " + Visit(S->getRegion());
}
std::string VisitSymbolExtent(const SymbolExtent *S) {
return "extent of " + Visit(S->getRegion());
}
std::string VisitSymbolMetadata(const SymbolMetadata *S) {
return "metadata of type '" + S->getType().getAsString() + "' tied to " +
Visit(S->getRegion());
}
std::string VisitSymIntExpr(const SymIntExpr *S) {
std::string Str;
llvm::raw_string_ostream OS(Str);
OS << "(" << Visit(S->getLHS()) << ") "
<< std::string(BinaryOperator::getOpcodeStr(S->getOpcode())) << " "
<< S->getRHS();
return OS.str();
}
// TODO: IntSymExpr doesn't appear in practice.
// Add the relevant code once it does.
std::string VisitSymSymExpr(const SymSymExpr *S) {
return "(" + Visit(S->getLHS()) + ") " +
std::string(BinaryOperator::getOpcodeStr(S->getOpcode())) +
" (" + Visit(S->getRHS()) + ")";
}
// TODO: SymbolCast doesn't appear in practice.
// Add the relevant code once it does.
std::string VisitSymbolicRegion(const SymbolicRegion *R) {
// Explain 'this' object here.
// TODO: Explain CXXThisRegion itself, find a way to test it.
if (isThisObject(R))
return "'this' object";
return "pointee of " + Visit(R->getSymbol());
}
std::string VisitAllocaRegion(const AllocaRegion *R) {
return "region allocated by '" + printStmt(R->getExpr()) + "'";
}
std::string VisitCompoundLiteralRegion(const CompoundLiteralRegion *R) {
return "compound literal " + printStmt(R->getLiteralExpr());
}
std::string VisitStringRegion(const StringRegion *R) {
return "string literal " + R->getString();
}
std::string VisitElementRegion(const ElementRegion *R) {
std::string Str;
llvm::raw_string_ostream OS(Str);
OS << "element of type '" << R->getElementType().getAsString()
<< "' with index ";
// For concrete index: omit type of the index integer.
if (auto I = R->getIndex().getAs<nonloc::ConcreteInt>())
OS << I->getValue();
else
OS << "'" << Visit(R->getIndex()) << "'";
OS << " of " + Visit(R->getSuperRegion());
return OS.str();
}
std::string VisitVarRegion(const VarRegion *R) {
const VarDecl *VD = R->getDecl();
std::string Name = VD->getQualifiedNameAsString();
if (isa<ParmVarDecl>(VD))
return "parameter '" + Name + "'";
else if (VD->hasLocalStorage())
return "local variable '" + Name + "'";
else if (VD->isStaticLocal())
return "static local variable '" + Name + "'";
else if (VD->hasGlobalStorage())
return "global variable '" + Name + "'";
else
llvm_unreachable("A variable is either local or global");
}
std::string VisitFieldRegion(const FieldRegion *R) {
return "field '" + R->getDecl()->getNameAsString() + "' of " +
Visit(R->getSuperRegion());
}
std::string VisitCXXTempObjectRegion(const CXXTempObjectRegion *R) {
return "temporary object constructed at statement '" +
printStmt(R->getExpr()) + "'";
}
std::string VisitCXXBaseObjectRegion(const CXXBaseObjectRegion *R) {
return "base object '" + R->getDecl()->getQualifiedNameAsString() +
"' inside " + Visit(R->getSuperRegion());
}
std::string VisitSVal(SVal V) {
std::string Str;
llvm::raw_string_ostream OS(Str);
OS << V;
return "a value unsupported by the explainer: (" +
std::string(OS.str()) + ")";
}
std::string VisitSymExpr(SymbolRef S) {
std::string Str;
llvm::raw_string_ostream OS(Str);
S->dumpToStream(OS);
return "a symbolic expression unsupported by the explainer: (" +
std::string(OS.str()) + ")";
}
std::string VisitMemRegion(const MemRegion *R) {
std::string Str;
llvm::raw_string_ostream OS(Str);
OS << R;
return "a memory region unsupported by the explainer (" +
std::string(OS.str()) + ")";
}
};
} // end namespace ento
} // end namespace clang
#endif

include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h

Show First 20 LinesShow All 70 Lines▼ Show 20 Lines
}; };
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Base region classes. // Base region classes.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// MemRegion - The root abstract class for all memory regions. /// MemRegion - The root abstract class for all memory regions.
class MemRegion : public llvm::FoldingSetNode { class MemRegion : public llvm::FoldingSetNode {
friend class MemRegionManager;
public: public:
enum Kind { enum Kind {
// Memory spaces. #define REGION(Id, Parent) Id ## Kind,
CodeSpaceRegionKind, #define REGION_RANGE(Id, First, Last) BEGIN_##Id = First, END_##Id = Last,
StackLocalsSpaceRegionKind, #include "clang/StaticAnalyzer/Core/PathSensitive/Regions.def"
StackArgumentsSpaceRegionKind,
HeapSpaceRegionKind,
UnknownSpaceRegionKind,
StaticGlobalSpaceRegionKind,
GlobalInternalSpaceRegionKind,
GlobalSystemSpaceRegionKind,
GlobalImmutableSpaceRegionKind,
BEGIN_NON_STATIC_GLOBAL_MEMSPACES = GlobalInternalSpaceRegionKind,
END_NON_STATIC_GLOBAL_MEMSPACES = GlobalImmutableSpaceRegionKind,
BEGIN_GLOBAL_MEMSPACES = StaticGlobalSpaceRegionKind,
END_GLOBAL_MEMSPACES = GlobalImmutableSpaceRegionKind,
BEGIN_MEMSPACES = CodeSpaceRegionKind,
END_MEMSPACES = GlobalImmutableSpaceRegionKind,
// Untyped regions.
SymbolicRegionKind,
AllocaRegionKind,
// Typed regions.
BEGIN_TYPED_REGIONS,
FunctionCodeRegionKind = BEGIN_TYPED_REGIONS,
BlockCodeRegionKind,
BlockDataRegionKind,
BEGIN_TYPED_VALUE_REGIONS,
CompoundLiteralRegionKind = BEGIN_TYPED_VALUE_REGIONS,
CXXThisRegionKind,
StringRegionKind,
ObjCStringRegionKind,
ElementRegionKind,
// Decl Regions.
BEGIN_DECL_REGIONS,
VarRegionKind = BEGIN_DECL_REGIONS,
FieldRegionKind,
ObjCIvarRegionKind,
END_DECL_REGIONS = ObjCIvarRegionKind,
CXXTempObjectRegionKind,
CXXBaseObjectRegionKind,
END_TYPED_VALUE_REGIONS = CXXBaseObjectRegionKind,
END_TYPED_REGIONS = CXXBaseObjectRegionKind
}; };
private: private:
const Kind kind; const Kind kind;
protected: protected:
MemRegion(Kind k) : kind(k) {} MemRegion(Kind k) : kind(k) {}
virtual ~MemRegion(); virtual ~MemRegion();
public: public:
▲ Show 20 LinesShow All 249 Lines▼ Show 20 Lines
public: public:
const StackFrameContext *getStackFrame() const { return SFC; } const StackFrameContext *getStackFrame() const { return SFC; }
void Profile(llvm::FoldingSetNodeID &ID) const override; void Profile(llvm::FoldingSetNodeID &ID) const override;
static bool classof(const MemRegion *R) { static bool classof(const MemRegion *R) {
Kind k = R->getKind(); Kind k = R->getKind();
return k >= StackLocalsSpaceRegionKind && return k >= BEGIN_STACK_MEMSPACES && k <= END_STACK_MEMSPACES;
k <= StackArgumentsSpaceRegionKind;
} }
}; };
class StackLocalsSpaceRegion : public StackSpaceRegion { class StackLocalsSpaceRegion : public StackSpaceRegion {
virtual void anchor(); virtual void anchor();
friend class MemRegionManager; friend class MemRegionManager;
StackLocalsSpaceRegion(MemRegionManager *mgr, const StackFrameContext *sfc) StackLocalsSpaceRegion(MemRegionManager *mgr, const StackFrameContext *sfc)
: StackSpaceRegion(mgr, StackLocalsSpaceRegionKind, sfc) {} : StackSpaceRegion(mgr, StackLocalsSpaceRegionKind, sfc) {}
▲ Show 20 LinesShow All 145 Lines▼ Show 20 Linespublic:
void anchor() override; void anchor() override;
protected: protected:
CodeTextRegion(const MemRegion *sreg, Kind k) : TypedRegion(sreg, k) {} CodeTextRegion(const MemRegion *sreg, Kind k) : TypedRegion(sreg, k) {}
public: public:
bool isBoundable() const override { return false; } bool isBoundable() const override { return false; }
static bool classof(const MemRegion* R) { static bool classof(const MemRegion* R) {
Kind k = R->getKind(); Kind k = R->getKind();
return k >= FunctionCodeRegionKind && k <= BlockCodeRegionKind; return k >= BEGIN_CODE_TEXT_REGIONS && k <= END_CODE_TEXT_REGIONS;
} }
}; };
/// FunctionCodeRegion - A region that represents code texts of function. /// FunctionCodeRegion - A region that represents code texts of function.
class FunctionCodeRegion : public CodeTextRegion { class FunctionCodeRegion : public CodeTextRegion {
const NamedDecl *FD; const NamedDecl *FD;
public: public:
FunctionCodeRegion(const NamedDecl *fd, const MemRegion* sreg) FunctionCodeRegion(const NamedDecl *fd, const MemRegion* sreg)
▲ Show 20 LinesShow All 821 LinesShow Last 20 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/Regions.def

  • This file was added.
//===-- Regions.def - Metadata about MemRegion kinds ------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// The list of regions (MemRegion sub-classes) used in the Static Analyzer.
// In order to use this information, users of this file must define one or more
// of the three macros:
//
// REGION(Id, Parent) - for specific MemRegion sub-classes, reserving
// enum value IdKind for their kind.
//
// ABSTRACT_REGION(Id, Parent) - for abstract region classes,
//
// REGION_RANGE(Id, First, Last) - for ranges of kind-enums,
// allowing to determine abstract class of a region
// based on the kind-enum value.
//
//===----------------------------------------------------------------------===//
#ifndef REGION
#define REGION(Id, Parent)
#endif
#ifndef ABSTRACT_REGION
#define ABSTRACT_REGION(Id, Parent)
#endif
zaks.annaUnsubmitted
Done
ReplyInline Actions

I'd rather rename the "Kind" suffix. Is that possible?

Having REGION and NORMAL_REGION is strange.

zaks.anna: I'd rather rename the "Kind" suffix. Is that possible? Having REGION and NORMAL_REGION is…
NoQAuthorUnsubmitted
Done
ReplyInline Actions

In fact, MemSpaceRegion is quite special, because it is the only thing in the hierarchy that can be both derived from (normally such values are marked as "abstract") and instantiated (for which it has a kind defined). Instances of MemSpaceRegion are used, at least, for holding some code regions. Probably create a new memspace for such regions and remove the kind value?

Ok, i'd go ahead and prepare a separate review for unifying the naming convention :)

NoQ: In fact, `MemSpaceRegion` is quite special, because it is the only thing in the hierarchy that…
zaks.annaUnsubmitted
Done
ReplyInline Actions

Please, do if you agree that it makes sense.

Otherwise, this patch LGTM.

zaks.anna: Please, do if you agree that it makes sense. Otherwise, this patch LGTM.
#ifndef REGION_RANGE
#define REGION_RANGE(Id, First, Last)
#endif
ABSTRACT_REGION(MemSpaceRegion, MemRegion)
REGION(CodeSpaceRegion, MemSpaceRegion)
ABSTRACT_REGION(GlobalsSpaceRegion, MemSpaceRegion)
ABSTRACT_REGION(NonStaticGlobalSpaceRegion, GlobalsSpaceRegion)
REGION(GlobalImmutableSpaceRegion, NonStaticGlobalSpaceRegion)
REGION(GlobalInternalSpaceRegion, NonStaticGlobalSpaceRegion)
REGION(GlobalSystemSpaceRegion, NonStaticGlobalSpaceRegion)
REGION_RANGE(NON_STATIC_GLOBAL_MEMSPACES, GlobalImmutableSpaceRegionKind,
GlobalSystemSpaceRegionKind)
REGION(StaticGlobalSpaceRegion, MemSpaceRegion)
REGION_RANGE(GLOBAL_MEMSPACES, GlobalImmutableSpaceRegionKind,
StaticGlobalSpaceRegionKind)
REGION(HeapSpaceRegion, MemSpaceRegion)
ABSTRACT_REGION(StackSpaceRegion, MemSpaceRegion)
REGION(StackArgumentsSpaceRegion, StackSpaceRegion)
REGION(StackLocalsSpaceRegion, StackSpaceRegion)
REGION_RANGE(STACK_MEMSPACES, StackArgumentsSpaceRegionKind,
StackLocalsSpaceRegionKind)
REGION(UnknownSpaceRegion, MemSpaceRegion)
REGION_RANGE(MEMSPACES, CodeSpaceRegionKind,
UnknownSpaceRegionKind)
ABSTRACT_REGION(SubRegion, MemRegion)
REGION(AllocaRegion, SubRegion)
REGION(SymbolicRegion, SubRegion)
ABSTRACT_REGION(TypedRegion, SubRegion)
REGION(BlockDataRegion, TypedRegion)
ABSTRACT_REGION(CodeTextRegion, TypedRegion)
REGION(BlockCodeRegion, CodeTextRegion)
REGION(FunctionCodeRegion, CodeTextRegion)
REGION_RANGE(CODE_TEXT_REGIONS, BlockCodeRegionKind,
FunctionCodeRegionKind)
ABSTRACT_REGION(TypedValueRegion, TypedRegion)
REGION(CompoundLiteralRegion, TypedValueRegion)
REGION(CXXBaseObjectRegion, TypedValueRegion)
REGION(CXXTempObjectRegion, TypedValueRegion)
REGION(CXXThisRegion, TypedValueRegion)
ABSTRACT_REGION(DeclRegion, TypedValueRegion)
REGION(FieldRegion, DeclRegion)
REGION(ObjCIvarRegion, DeclRegion)
REGION(VarRegion, DeclRegion)
REGION_RANGE(DECL_REGIONS, FieldRegionKind,
VarRegionKind)
REGION(ElementRegion, TypedValueRegion)
REGION(ObjCStringRegion, TypedValueRegion)
REGION(StringRegion, TypedValueRegion)
REGION_RANGE(TYPED_VALUE_REGIONS, CompoundLiteralRegionKind,
StringRegionKind)
REGION_RANGE(TYPED_REGIONS, BlockDataRegionKind,
StringRegionKind)
#undef REGION_RANGE
#undef ABSTRACT_REGION
#undef REGION

include/clang/StaticAnalyzer/Core/PathSensitive/SValVisitor.h

  • This file was added.
//===--- SValVisitor.h - Visitor for SVal subclasses ------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file defines the SValVisitor, SymExprVisitor, and MemRegionVisitor
// interfaces, and also FullSValVisitor, which visits all three hierarchies.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_SVALVISITOR_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_SVALVISITOR_H
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
namespace clang {
namespace ento {
/// SValVisitor - this class implements a simple visitor for SVal
/// subclasses.
template <typename ImplClass, typename RetTy = void> class SValVisitor {
public:
#define DISPATCH(NAME, CLASS) \
return static_cast<ImplClass *>(this)->Visit ## NAME(V.castAs<CLASS>())
RetTy Visit(SVal V) {
// Dispatch to VisitFooVal for each FooVal.
// Take namespaces (loc:: and nonloc::) into account.
switch (V.getBaseKind()) {
#define BASIC_SVAL(Id, Parent) case SVal::Id ## Kind: DISPATCH(Id, Id);
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.def"
case SVal::LocKind:
switch (V.getSubKind()) {
#define LOC_SVAL(Id, Parent) \
case loc::Id ## Kind: DISPATCH(Loc ## Id, loc :: Id);
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.def"
}
llvm_unreachable("Unknown Loc sub-kind!");
case SVal::NonLocKind:
switch (V.getSubKind()) {
#define NONLOC_SVAL(Id, Parent) \
case nonloc::Id ## Kind: DISPATCH(NonLoc ## Id, nonloc :: Id);
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.def"
}
llvm_unreachable("Unknown NonLoc sub-kind!");
}
llvm_unreachable("Unknown SVal kind!");
}
#define BASIC_SVAL(Id, Parent) \
RetTy Visit ## Id(Id V) { DISPATCH(Parent, Id); }
#define ABSTRACT_SVAL(Id, Parent) \
BASIC_SVAL(Id, Parent)
#define LOC_SVAL(Id, Parent) \
RetTy VisitLoc ## Id(loc::Id V) { DISPATCH(Parent, Parent); }
#define NONLOC_SVAL(Id, Parent) \
RetTy VisitNonLoc ## Id(nonloc::Id V) { DISPATCH(Parent, Parent); }
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.def"
// Base case, ignore it. :)
RetTy VisitSVal(SVal V) { return RetTy(); }
#undef DISPATCH
};
/// SymExprVisitor - this class implements a simple visitor for SymExpr
/// subclasses.
template <typename ImplClass, typename RetTy = void> class SymExprVisitor {
public:
#define DISPATCH(CLASS) \
return static_cast<ImplClass *>(this)->Visit ## CLASS(cast<CLASS>(S))
RetTy Visit(SymbolRef S) {
// Dispatch to VisitSymbolFoo for each SymbolFoo.
switch (S->getKind()) {
#define SYMBOL(Id, Parent) \
case SymExpr::Id ## Kind: DISPATCH(Id);
#include "clang/StaticAnalyzer/Core/PathSensitive/Symbols.def"
}
llvm_unreachable("Unknown SymExpr kind!");
}
// If the implementation chooses not to implement a certain visit method, fall
// back on visiting the superclass.
#define SYMBOL(Id, Parent) RetTy Visit ## Id(const Id *S) { DISPATCH(Parent); }
#define ABSTRACT_SYMBOL(Id, Parent) SYMBOL(Id, Parent)
#include "clang/StaticAnalyzer/Core/PathSensitive/Symbols.def"
// Base case, ignore it. :)
RetTy VisitSymExpr(SymbolRef S) { return RetTy(); }
#undef DISPATCH
};
/// MemRegionVisitor - this class implements a simple visitor for MemRegion
/// subclasses.
template <typename ImplClass, typename RetTy = void> class MemRegionVisitor {
public:
#define DISPATCH(CLASS) \
return static_cast<ImplClass *>(this)->Visit ## CLASS(cast<CLASS>(R))
RetTy Visit(const MemRegion *R) {
// Dispatch to VisitFooRegion for each FooRegion.
switch (R->getKind()) {
#define REGION(Id, Parent) case MemRegion::Id ## Kind: DISPATCH(Id);
#include "clang/StaticAnalyzer/Core/PathSensitive/Regions.def"
}
llvm_unreachable("Unknown MemRegion kind!");
}
// If the implementation chooses not to implement a certain visit method, fall
// back on visiting the superclass.
#define REGION(Id, Parent) \
RetTy Visit ## Id(const Id *R) { DISPATCH(Parent); }
#define ABSTRACT_REGION(Id, Parent) \
REGION(Id, Parent)
#include "clang/StaticAnalyzer/Core/PathSensitive/Regions.def"
// Base case, ignore it. :)
RetTy VisitMemRegion(const MemRegion *R) { return RetTy(); }
#undef DISPATCH
};
/// FullSValVisitor - a convenient mixed visitor for all three:
/// SVal, SymExpr and MemRegion subclasses.
template <typename ImplClass, typename RetTy = void>
class FullSValVisitor : public SValVisitor<ImplClass, RetTy>,
public SymExprVisitor<ImplClass, RetTy>,
public MemRegionVisitor<ImplClass, RetTy> {
public:
using SValVisitor<ImplClass, RetTy>::Visit;
using SymExprVisitor<ImplClass, RetTy>::Visit;
using MemRegionVisitor<ImplClass, RetTy>::Visit;
};
} // end namespace ento
} // end namespace clang
#endif

include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h

Show All 39 Lines
/// SVal - This represents a symbolic expression, which can be either /// SVal - This represents a symbolic expression, which can be either
/// an L-value or an R-value. /// an L-value or an R-value.
/// ///
class SVal { class SVal {
public: public:
enum BaseKind { enum BaseKind {
// The enumerators must be representable using 2 bits. // The enumerators must be representable using 2 bits.
UndefinedValKind = 0, // for subclass UndefinedVal (an uninitialized value) #define BASIC_SVAL(Id, Parent) Id ## Kind,
UnknownValKind = 1, // for subclass UnknownVal (a void value) #define ABSTRACT_SVAL_WITH_KIND(Id, Parent) Id ## Kind,
LocKind = 2, // for subclass Loc (an L-value) #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.def"
NonLocKind = 3 // for subclass NonLoc (an R-value that's not
// an L-value)
}; };
enum { BaseBits = 2, BaseMask = 0x3 }; enum { BaseBits = 2, BaseMask = 0x3 };
protected: protected:
const void *Data; const void *Data;
/// The lowest 2 bits are a BaseKind (0 -- 3). /// The lowest 2 bits are a BaseKind (0 -- 3).
/// The higher bits are an unsigned "kind" value. /// The higher bits are an unsigned "kind" value.
▲ Show 20 LinesShow All 240 Lines▼ Show 20 Lines
}; };
//==------------------------------------------------------------------------==// //==------------------------------------------------------------------------==//
// Subclasses of NonLoc. // Subclasses of NonLoc.
//==------------------------------------------------------------------------==// //==------------------------------------------------------------------------==//
namespace nonloc { namespace nonloc {
enum Kind { ConcreteIntKind, SymbolValKind, enum Kind {
LocAsIntegerKind, CompoundValKind, LazyCompoundValKind }; #define NONLOC_SVAL(Id, Parent) Id ## Kind,
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.def"
};
/// \brief Represents symbolic expression. /// \brief Represents symbolic expression.
class SymbolVal : public NonLoc { class SymbolVal : public NonLoc {
public: public:
SymbolVal(SymbolRef sym) : NonLoc(SymbolValKind, sym) {} SymbolVal(SymbolRef sym) : NonLoc(SymbolValKind, sym) {}
SymbolRef getSymbol() const { SymbolRef getSymbol() const {
return (const SymExpr*) Data; return (const SymExpr*) Data;
▲ Show 20 LinesShow All 141 Lines▼ Show 20 Lines
} // end namespace ento::nonloc } // end namespace ento::nonloc
//==------------------------------------------------------------------------==// //==------------------------------------------------------------------------==//
// Subclasses of Loc. // Subclasses of Loc.
//==------------------------------------------------------------------------==// //==------------------------------------------------------------------------==//
namespace loc { namespace loc {
enum Kind { GotoLabelKind, MemRegionValKind, ConcreteIntKind }; enum Kind {
#define LOC_SVAL(Id, Parent) Id ## Kind,
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.def"
};
class GotoLabel : public Loc { class GotoLabel : public Loc {
public: public:
explicit GotoLabel(LabelDecl *Label) : Loc(GotoLabelKind, Label) {} explicit GotoLabel(LabelDecl *Label) : Loc(GotoLabelKind, Label) {}
const LabelDecl *getLabel() const { const LabelDecl *getLabel() const {
return static_cast<const LabelDecl*>(Data); return static_cast<const LabelDecl*>(Data);
} }
▲ Show 20 LinesShow All 98 LinesShow Last 20 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/SVals.def

  • This file was added.
//===-- SVals.def - Metadata about SVal kinds -------------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// The list of symbolic values (SVal kinds and sub-kinds) used in the Static
// Analyzer. The distinction between loc:: and nonloc:: SVal namespaces is
// currently hardcoded, because it is too peculiar and explicit to be handled
// uniformly. In order to use this information, users of this file must define
// one or more of the following macros:
zaks.annaUnsubmitted
Done
ReplyInline Actions

Again, we should go ahead and change the kind values if it would make things more uniform. (Can be done in a separate patch committed before this one.)

zaks.anna: Again, we should go ahead and change the kind values if it would make things more uniform. (Can…
//
// BASIC_SVAL(Id, Parent) - for specific SVal sub-kinds, which are
// neither in loc:: nor in nonloc:: namespace; these classes occupy
// their own base kind IdKind.
//
// ABSTRACT_SVAL(Id, Parent) - for abstract SVal classes which are
// neither in loc:: nor in nonloc:: namespace,
//
// ABSTRACT_SVAL_WITH_KIND(Id, Parent) - for SVal classes which are also
// neither in loc:: nor in nonloc:: namespace, but occupy a whole base kind
// identifier IdKind, much like BASIC_SVALs.
//
// LOC_SVAL(Id, Parent) - for values in loc:: namespace, which occupy a sub-kind
// loc::IdKind.
zaks.annaUnsubmitted
Done
ReplyInline Actions

Loc and NonLoc have not been defined yet.

zaks.anna: Loc and NonLoc have not been defined yet.
//
// NONLOC_SVAL(Id, Parent) - for values in nonloc:: namespace, which occupy a
// sub-kind nonloc::IdKind.
//
//===----------------------------------------------------------------------===//
#ifndef BASIC_SVAL
#define BASIC_SVAL(Id, Parent)
#endif
#ifndef ABSTRACT_SVAL
#define ABSTRACT_SVAL(Id, Parent)
#endif
#ifndef ABSTRACT_SVAL_WITH_KIND
#define ABSTRACT_SVAL_WITH_KIND(Id, Parent) ABSTRACT_SVAL(Id, Parent)
#endif
#ifndef LOC_SVAL
#define LOC_SVAL(Id, Parent)
#endif
#ifndef NONLOC_SVAL
#define NONLOC_SVAL(Id, Parent)
#endif
BASIC_SVAL(UndefinedVal, SVal)
ABSTRACT_SVAL(DefinedOrUnknownSVal, SVal)
BASIC_SVAL(UnknownVal, DefinedOrUnknownSVal)
ABSTRACT_SVAL(DefinedSVal, DefinedOrUnknownSVal)
ABSTRACT_SVAL_WITH_KIND(Loc, DefinedSVal)
LOC_SVAL(ConcreteInt, Loc)
LOC_SVAL(GotoLabel, Loc)
LOC_SVAL(MemRegionVal, Loc)
ABSTRACT_SVAL_WITH_KIND(NonLoc, DefinedSVal)
NONLOC_SVAL(CompoundVal, NonLoc)
NONLOC_SVAL(ConcreteInt, NonLoc)
NONLOC_SVAL(LazyCompoundVal, NonLoc)
NONLOC_SVAL(LocAsInteger, NonLoc)
NONLOC_SVAL(SymbolVal, NonLoc)
#undef NONLOC_SVAL
#undef LOC_SVAL
#undef ABSTRACT_SVAL_WITH_KIND
#undef ABSTRACT_SVAL
#undef BASIC_SVAL

include/clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h

Show All 37 Linesnamespace ento {
class VarRegion; class VarRegion;
/// \brief Symbolic value. These values used to capture symbolic execution of /// \brief Symbolic value. These values used to capture symbolic execution of
/// the program. /// the program.
class SymExpr : public llvm::FoldingSetNode { class SymExpr : public llvm::FoldingSetNode {
virtual void anchor(); virtual void anchor();
public: public:
enum Kind { enum Kind {
SymbolRegionValueKind, #define SYMBOL(Id, Parent) Id ## Kind,
SymbolConjuredKind, #define SYMBOL_RANGE(Id, First, Last) BEGIN_##Id = First, END_##Id = Last,
SymbolDerivedKind, #include "clang/StaticAnalyzer/Core/PathSensitive/Symbols.def"
SymbolExtentKind,
SymbolMetadataKind,
BEGIN_SYMBOLS = SymbolRegionValueKind,
END_SYMBOLS = SymbolMetadataKind,
SymIntExprKind,
IntSymExprKind,
SymSymExprKind,
BEGIN_BINARYSYMEXPRS = SymIntExprKind,
END_BINARYSYMEXPRS = SymSymExprKind,
SymbolCastKind
}; };
private: private:
Kind K; Kind K;
protected: protected:
SymExpr(Kind k) : K(k) {} SymExpr(Kind k) : K(k) {}
▲ Show 20 LinesShow All 621 LinesShow Last 20 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/Symbols.def

  • This file was added.
//===-- Symbols.def - Metadata about SymExpr kinds --------------*- C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// The list of symbols (SymExpr sub-classes) used in the Static Analyzer.
// In order to use this information, users of this file must define
// one or more of the three macros:
//
// SYMBOL(Id, Parent) - for specific SymExpr sub-classes, reserving the
// IdKind identifier for its kind enumeration value.
//
// ABSTRACT_SYMBOL(Id, Parent) - for abstract symbol classes,
//
// SYMBOL_RANGE(Id, First, Last) - for ranges of kind-enums,
// allowing to determine abstract class of a symbol
// based on the kind enumeration value.
//
//===----------------------------------------------------------------------===//
#ifndef SYMBOL
#define SYMBOL(Id, Parent)
#endif
#ifndef ABSTRACT_SYMBOL
#define ABSTRACT_SYMBOL(Id, Parent)
#endif
#ifndef SYMBOL_RANGE
#define SYMBOL_RANGE(Id, First, Last)
#endif
ABSTRACT_SYMBOL(BinarySymExpr, SymExpr)
SYMBOL(IntSymExpr, BinarySymExpr)
SYMBOL(SymIntExpr, BinarySymExpr)
SYMBOL(SymSymExpr, BinarySymExpr)
SYMBOL_RANGE(BINARYSYMEXPRS, IntSymExprKind, SymSymExprKind)
SYMBOL(SymbolCast, SymExpr)
ABSTRACT_SYMBOL(SymbolData, SymExpr)
SYMBOL(SymbolConjured, SymbolData)
SYMBOL(SymbolDerived, SymbolData)
SYMBOL(SymbolExtent, SymbolData)
SYMBOL(SymbolMetadata, SymbolData)
SYMBOL(SymbolRegionValue, SymbolData)
SYMBOL_RANGE(SYMBOLS, SymbolConjuredKind, SymbolRegionValueKind)
#undef SYMBOL
#undef ABSTRACT_SYMBOL
#undef SYMBOL_RANGE

include/clang/module.modulemap

Show First 20 LinesShow All 102 Lines▼ Show 20 Lines
module Clang_Sema { requires cplusplus umbrella "Sema" module * { export * } } module Clang_Sema { requires cplusplus umbrella "Sema" module * { export * } }
module Clang_Serialization { requires cplusplus umbrella "Serialization" module * { export * } } module Clang_Serialization { requires cplusplus umbrella "Serialization" module * { export * } }
module Clang_StaticAnalyzer_Core { module Clang_StaticAnalyzer_Core {
requires cplusplus requires cplusplus
umbrella "StaticAnalyzer/Core" umbrella "StaticAnalyzer/Core"
textual header "StaticAnalyzer/Core/Analyses.def" textual header "StaticAnalyzer/Core/Analyses.def"
textual header "StaticAnalyzer/Core/PathSensitive/SVals.def"
textual header "StaticAnalyzer/Core/PathSensitive/Symbols.def"
textual header "StaticAnalyzer/Core/PathSensitive/Regions.def"
module * { export * } module * { export * }
} }
module Clang_StaticAnalyzer_Checkers { module Clang_StaticAnalyzer_Checkers {
requires cplusplus requires cplusplus
umbrella "StaticAnalyzer/Checkers" umbrella "StaticAnalyzer/Checkers"
module * { export * } module * { export * }
Show All 16 Lines

lib/StaticAnalyzer/Checkers/ExprInspectionChecker.cpp

//==- ExprInspectionChecker.cpp - Used for regression tests ------*- C++ -*-==// //==- ExprInspectionChecker.cpp - Used for regression tests ------*- C++ -*-==//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "ClangSACheckers.h" #include "ClangSACheckers.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/Checker.h" #include "clang/StaticAnalyzer/Core/Checker.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"
#include "clang/StaticAnalyzer/Checkers/SValExplainer.h"
#include "llvm/ADT/StringSwitch.h" #include "llvm/ADT/StringSwitch.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class ExprInspectionChecker : public Checker<eval::Call, check::DeadSymbols> { class ExprInspectionChecker : public Checker<eval::Call, check::DeadSymbols> {
mutable std::unique_ptr<BugType> BT; mutable std::unique_ptr<BugType> BT;
void analyzerEval(const CallExpr *CE, CheckerContext &C) const; void analyzerEval(const CallExpr *CE, CheckerContext &C) const;
void analyzerCheckInlined(const CallExpr *CE, CheckerContext &C) const; void analyzerCheckInlined(const CallExpr *CE, CheckerContext &C) const;
void analyzerWarnIfReached(const CallExpr *CE, CheckerContext &C) const; void analyzerWarnIfReached(const CallExpr *CE, CheckerContext &C) const;
void analyzerCrash(const CallExpr *CE, CheckerContext &C) const; void analyzerCrash(const CallExpr *CE, CheckerContext &C) const;
void analyzerWarnOnDeadSymbol(const CallExpr *CE, CheckerContext &C) const; void analyzerWarnOnDeadSymbol(const CallExpr *CE, CheckerContext &C) const;
void analyzerExplain(const CallExpr *CE, CheckerContext &C) const;
void analyzerGetExtent(const CallExpr *CE, CheckerContext &C) const;
typedef void (ExprInspectionChecker::*FnCheck)(const CallExpr *, typedef void (ExprInspectionChecker::*FnCheck)(const CallExpr *,
CheckerContext &C) const; CheckerContext &C) const;
void reportBug(llvm::StringRef Msg, CheckerContext &C) const;
public: public:
bool evalCall(const CallExpr *CE, CheckerContext &C) const; bool evalCall(const CallExpr *CE, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
}; };
} }
REGISTER_SET_WITH_PROGRAMSTATE(MarkedSymbols, const void *) REGISTER_SET_WITH_PROGRAMSTATE(MarkedSymbols, SymbolRef)
bool ExprInspectionChecker::evalCall(const CallExpr *CE, bool ExprInspectionChecker::evalCall(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
// These checks should have no effect on the surrounding environment // These checks should have no effect on the surrounding environment
// (globals should not be invalidated, etc), hence the use of evalCall. // (globals should not be invalidated, etc), hence the use of evalCall.
FnCheck Handler = llvm::StringSwitch<FnCheck>(C.getCalleeName(CE)) FnCheck Handler = llvm::StringSwitch<FnCheck>(C.getCalleeName(CE))
.Case("clang_analyzer_eval", &ExprInspectionChecker::analyzerEval) .Case("clang_analyzer_eval", &ExprInspectionChecker::analyzerEval)
.Case("clang_analyzer_checkInlined", .Case("clang_analyzer_checkInlined",
&ExprInspectionChecker::analyzerCheckInlined) &ExprInspectionChecker::analyzerCheckInlined)
.Case("clang_analyzer_crash", &ExprInspectionChecker::analyzerCrash) .Case("clang_analyzer_crash", &ExprInspectionChecker::analyzerCrash)
.Case("clang_analyzer_warnIfReached", .Case("clang_analyzer_warnIfReached",
&ExprInspectionChecker::analyzerWarnIfReached) &ExprInspectionChecker::analyzerWarnIfReached)
.Case("clang_analyzer_warnOnDeadSymbol", .Case("clang_analyzer_warnOnDeadSymbol",
&ExprInspectionChecker::analyzerWarnOnDeadSymbol) &ExprInspectionChecker::analyzerWarnOnDeadSymbol)
.Case("clang_analyzer_explain", &ExprInspectionChecker::analyzerExplain)
.Case("clang_analyzer_getExtent", &ExprInspectionChecker::analyzerGetExtent)
.Default(nullptr); .Default(nullptr);
if (!Handler) if (!Handler)
return false; return false;
(this->*Handler)(CE, C); (this->*Handler)(CE, C);
return true; return true;
} }
Show All 25 Linesstatic const char *getArgumentValueString(const CallExpr *CE,
} else { } else {
if (StFalse) if (StFalse)
return "FALSE"; return "FALSE";
else else
llvm_unreachable("Invalid constraint; neither true or false."); llvm_unreachable("Invalid constraint; neither true or false.");
} }
} }
void ExprInspectionChecker::reportBug(llvm::StringRef Msg,
CheckerContext &C) const {
if (!BT)
BT.reset(new BugType(this, "Checking analyzer assumptions", "debug"));
ExplodedNode *N = C.generateNonFatalErrorNode();
if (!N)
return;
C.emitReport(llvm::make_unique<BugReport>(*BT, Msg, N));
}
void ExprInspectionChecker::analyzerEval(const CallExpr *CE, void ExprInspectionChecker::analyzerEval(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
const LocationContext *LC = C.getPredecessor()->getLocationContext(); const LocationContext *LC = C.getPredecessor()->getLocationContext();
// A specific instantiation of an inlined function may have more constrained // A specific instantiation of an inlined function may have more constrained
// values than can generally be assumed. Skip the check. // values than can generally be assumed. Skip the check.
if (LC->getCurrentStackFrame()->getParent() != nullptr) if (LC->getCurrentStackFrame()->getParent() != nullptr)
return; return;
if (!BT) reportBug(getArgumentValueString(CE, C), C);
BT.reset(new BugType(this, "Checking analyzer assumptions", "debug"));
ExplodedNode *N = C.generateNonFatalErrorNode();
if (!N)
return;
C.emitReport(
llvm::make_unique<BugReport>(*BT, getArgumentValueString(CE, C), N));
} }
void ExprInspectionChecker::analyzerWarnIfReached(const CallExpr *CE, void ExprInspectionChecker::analyzerWarnIfReached(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
reportBug("REACHABLE", C);
if (!BT)
BT.reset(new BugType(this, "Checking analyzer assumptions", "debug"));
ExplodedNode *N = C.generateNonFatalErrorNode();
if (!N)
return;
C.emitReport(llvm::make_unique<BugReport>(*BT, "REACHABLE", N));
} }
void ExprInspectionChecker::analyzerCheckInlined(const CallExpr *CE, void ExprInspectionChecker::analyzerCheckInlined(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
const LocationContext *LC = C.getPredecessor()->getLocationContext(); const LocationContext *LC = C.getPredecessor()->getLocationContext();
// An inlined function could conceivably also be analyzed as a top-level // An inlined function could conceivably also be analyzed as a top-level
// function. We ignore this case and only emit a message (TRUE or FALSE) // function. We ignore this case and only emit a message (TRUE or FALSE)
// when we are analyzing it as an inlined function. This means that // when we are analyzing it as an inlined function. This means that
// clang_analyzer_checkInlined(true) should always print TRUE, but // clang_analyzer_checkInlined(true) should always print TRUE, but
// clang_analyzer_checkInlined(false) should never actually print anything. // clang_analyzer_checkInlined(false) should never actually print anything.
if (LC->getCurrentStackFrame()->getParent() == nullptr) if (LC->getCurrentStackFrame()->getParent() == nullptr)
return; return;
if (!BT) reportBug(getArgumentValueString(CE, C), C);
BT.reset(new BugType(this, "Checking analyzer assumptions", "debug")); }
ExplodedNode *N = C.generateNonFatalErrorNode(); void ExprInspectionChecker::analyzerExplain(const CallExpr *CE,
if (!N) CheckerContext &C) const {
return; if (CE->getNumArgs() == 0)
C.emitReport( reportBug("Missing argument for explaining", C);
llvm::make_unique<BugReport>(*BT, getArgumentValueString(CE, C), N));
SVal V = C.getSVal(CE->getArg(0));
SValExplainer Ex(C.getASTContext());
reportBug(Ex.Visit(V), C);
}
void ExprInspectionChecker::analyzerGetExtent(const CallExpr *CE,
CheckerContext &C) const {
if (CE->getNumArgs() == 0)
reportBug("Missing region for obtaining extent", C);
auto MR = dyn_cast_or_null<SubRegion>(C.getSVal(CE->getArg(0)).getAsRegion());
if (!MR)
reportBug("Obtaining extent of a non-region", C);
ProgramStateRef State = C.getState();
State = State->BindExpr(CE, C.getLocationContext(),
MR->getExtent(C.getSValBuilder()));
C.addTransition(State);
} }
void ExprInspectionChecker::analyzerWarnOnDeadSymbol(const CallExpr *CE, void ExprInspectionChecker::analyzerWarnOnDeadSymbol(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
if (CE->getNumArgs() == 0) if (CE->getNumArgs() == 0)
return; return;
SVal Val = C.getSVal(CE->getArg(0)); SVal Val = C.getSVal(CE->getArg(0));
SymbolRef Sym = Val.getAsSymbol(); SymbolRef Sym = Val.getAsSymbol();
if (!Sym) if (!Sym)
return; return;
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
State = State->add<MarkedSymbols>(Sym); State = State->add<MarkedSymbols>(Sym);
C.addTransition(State); C.addTransition(State);
} }
void ExprInspectionChecker::checkDeadSymbols(SymbolReaper &SymReaper, void ExprInspectionChecker::checkDeadSymbols(SymbolReaper &SymReaper,
CheckerContext &C) const { CheckerContext &C) const {
ProgramStateRef State = C.getState(); ProgramStateRef State = C.getState();
const MarkedSymbolsTy &Syms = State->get<MarkedSymbols>(); const MarkedSymbolsTy &Syms = State->get<MarkedSymbols>();
for (auto I = Syms.begin(), E = Syms.end(); I != E; ++I) { for (auto I = Syms.begin(), E = Syms.end(); I != E; ++I) {
SymbolRef Sym = static_cast<SymbolRef>(*I); SymbolRef Sym = *I;
if (!SymReaper.isDead(Sym)) if (!SymReaper.isDead(Sym))
continue; continue;
if (!BT) reportBug("SYMBOL DEAD", C);
BT.reset(new BugType(this, "Checking analyzer assumptions", "debug")); State = State->remove<MarkedSymbols>(Sym);
ExplodedNode *N = C.generateNonFatalErrorNode();
if (!N)
return;
C.emitReport(llvm::make_unique<BugReport>(*BT, "SYMBOL DEAD", N));
C.addTransition(State->remove<MarkedSymbols>(Sym), N);
} }
C.addTransition(State);
} }
void ExprInspectionChecker::analyzerCrash(const CallExpr *CE, void ExprInspectionChecker::analyzerCrash(const CallExpr *CE,
CheckerContext &C) const { CheckerContext &C) const {
LLVM_BUILTIN_TRAP; LLVM_BUILTIN_TRAP;
} }
void ento::registerExprInspectionChecker(CheckerManager &Mgr) { void ento::registerExprInspectionChecker(CheckerManager &Mgr) {
Mgr.registerChecker<ExprInspectionChecker>(); Mgr.registerChecker<ExprInspectionChecker>();
} }

test/Analysis/explain-svals.cpp

  • This file was added.
// RUN: %clang_cc1 -triple i386-apple-darwin10 -analyze -analyzer-checker=core.builtin,debug.ExprInspection,unix.cstring -verify %s
typedef unsigned long size_t;
struct S {
struct S3 {
int y[10];
};
struct S2 : S3 {
int *x;
} s2[10];
int z;
};
void clang_analyzer_explain(int);
void clang_analyzer_explain(void *);
void clang_analyzer_explain(S);
size_t clang_analyzer_getExtent(void *);
size_t strlen(const char *);
int conjure();
S conjure_S();
int glob;
static int stat_glob;
void *glob_ptr;
// Test strings are regex'ed because we need to match exact string
// rather than a substring.
void test_1(int param, void *ptr) {
clang_analyzer_explain(&glob); // expected-warning-re{{{{^pointer to global variable 'glob'$}}}}
clang_analyzer_explain(param); // expected-warning-re{{{{^argument 'param'$}}}}
clang_analyzer_explain(ptr); // expected-warning-re{{{{^argument 'ptr'$}}}}
if (param == 42)
clang_analyzer_explain(param); // expected-warning-re{{{{^signed 32-bit integer '42'$}}}}
}
void test_2(char *ptr, int ext) {
clang_analyzer_explain((void *) "asdf"); // expected-warning-re{{{{^pointer to element of type 'char' with index 0 of string literal "asdf"$}}}}
clang_analyzer_explain(strlen(ptr)); // expected-warning-re{{{{^metadata of type 'unsigned long' tied to pointee of argument 'ptr'$}}}}
clang_analyzer_explain(conjure()); // expected-warning-re{{{{^symbol of type 'int' conjured at statement 'conjure\(\)'$}}}}
clang_analyzer_explain(glob); // expected-warning-re{{{{^value derived from \(symbol of type 'int' conjured at statement 'conjure\(\)'\) for global variable 'glob'$}}}}
clang_analyzer_explain(glob_ptr); // expected-warning-re{{{{^value derived from \(symbol of type 'int' conjured at statement 'conjure\(\)'\) for global variable 'glob_ptr'$}}}}
clang_analyzer_explain(clang_analyzer_getExtent(ptr)); // expected-warning-re{{{{^extent of pointee of argument 'ptr'$}}}}
int *x = new int[ext];
clang_analyzer_explain(x); // expected-warning-re{{{{^pointer to element of type 'int' with index 0 of pointee of symbol of type 'int \*' conjured at statement 'new int \[ext\]'$}}}}
// Sic! What gets computed is the extent of the element-region.
clang_analyzer_explain(clang_analyzer_getExtent(x)); // expected-warning-re{{{{^signed 32-bit integer '4'$}}}}
delete[] x;
}
void test_3(S s) {
clang_analyzer_explain(&s); // expected-warning-re{{{{^pointer to parameter 's'$}}}}
clang_analyzer_explain(s.z); // expected-warning-re{{{{^initial value of field 'z' of parameter 's'$}}}}
clang_analyzer_explain(&s.s2[5].y[3]); // expected-warning-re{{{{^pointer to element of type 'int' with index 3 of field 'y' of base object 'S::S3' inside element of type 'struct S::S2' with index 5 of field 's2' of parameter 's'$}}}}
if (!s.s2[7].x) {
clang_analyzer_explain(s.s2[7].x); // expected-warning-re{{{{^concrete memory address '0'$}}}}
// FIXME: we need to be explaining '1' rather than '0' here; not explainer bug.
clang_analyzer_explain(s.s2[7].x + 1); // expected-warning-re{{{{^concrete memory address '0'$}}}}
}
}
void test_4(int x, int y) {
int z;
static int stat;
clang_analyzer_explain(x + 1); // expected-warning-re{{{{^\(argument 'x'\) \+ 1$}}}}
clang_analyzer_explain(1 + y); // expected-warning-re{{{{^\(argument 'y'\) \+ 1$}}}}
clang_analyzer_explain(x + y); // expected-warning-re{{{{^unknown value$}}}}
clang_analyzer_explain(z); // expected-warning-re{{{{^undefined value$}}}}
clang_analyzer_explain(&z); // expected-warning-re{{{{^pointer to local variable 'z'$}}}}
clang_analyzer_explain(stat); // expected-warning-re{{{{^signed 32-bit integer '0'$}}}}
clang_analyzer_explain(&stat); // expected-warning-re{{{{^pointer to static local variable 'stat'$}}}}
clang_analyzer_explain(stat_glob); // expected-warning-re{{{{^initial value of global variable 'stat_glob'$}}}}
clang_analyzer_explain(&stat_glob); // expected-warning-re{{{{^pointer to global variable 'stat_glob'$}}}}
clang_analyzer_explain((int[]){1, 2, 3}); // expected-warning-re{{{{^pointer to element of type 'int' with index 0 of compound literal \(int \[3\]\)\{1, 2, 3\}$}}}}
}
namespace {
class C {
int x[10];
public:
void test_5(int i) {
clang_analyzer_explain(this); // expected-warning-re{{{{^pointer to 'this' object$}}}}
clang_analyzer_explain(&x[i]); // expected-warning-re{{{{^pointer to element of type 'int' with index 'argument 'i'' of field 'x' of 'this' object$}}}}
clang_analyzer_explain(__builtin_alloca(i)); // expected-warning-re{{{{^pointer to region allocated by '__builtin_alloca\(i\)'$}}}}
}
};
} // end of anonymous namespace
void test_6() {
clang_analyzer_explain(conjure_S()); // expected-warning-re{{{{^lazily frozen compound value of temporary object constructed at statement 'conjure_S\(\)'$}}}}
clang_analyzer_explain(conjure_S().z); // expected-warning-re{{{{^value derived from \(symbol of type 'struct S' conjured at statement 'conjure_S\(\)'\) for field 'z' of temporary object constructed at statement 'conjure_S\(\)'$}}}}
}