This is an archive of the discontinued LLVM Phabricator instance.

Differential D75431

[analyzer][NFC] Merge checkNewAllocator's paramaters into CXXAllocatorCall
ClosedPublic

Authored by Szelethus on Mar 1 2020, 4:51 PM.

Details

Reviewers
NoQ
baloghadamsoftware
balazske
martong
dcoughlin
xazax.hun
rnkovacs
Charusso
Commits
rGf2be30def37d: [analyzer][NFC] Merge checkNewAllocator's paramaters into CXXAllocatorCall
Summary

Party based on this thread: http://lists.llvm.org/pipermail/cfe-dev/2020-February/064754.html.

This patch merges two of CXXAllocatorCall's parameters, so that we are able to supply a CallEvent object to check::NewAllocatorCall (see the description of D75430 to see why this would be great).

One of the things mentioned by @NoQ was the following:

I think at this point we might actually do a good job sorting out this check::NewAllocator issue because we have a "separate" "Environment" to hold the other SVal, which is "objects under construction"! - so we should probably simply teach CXXAllocatorCall to extract the value from the objects-under-construction trait of the program state and we're good.

I had MallocChecker in my crosshair for now, so I admittedly threw together something as a proof of concept. Now that I know that this effort is worth pursuing though, I'll happily look for a solution better then demonstrated in this patch.

Diff Detail

Event Timeline

Szelethus created this revision.Mar 1 2020, 4:51 PM
Herald added subscribers: cfe-commits, steakhal, Charusso and 7 others. · View Herald TranscriptMar 1 2020, 4:51 PM
Harbormaster completed remote builds in B47736: Diff 247532.Mar 1 2020, 4:59 PM
Szelethus added a parent revision: D75430: [analyzer][NFC] Introduce CXXDeallocatorCall, deploy it in MallocChecker.Mar 1 2020, 5:01 PM
Szelethus added a child revision: D75432: [analyzer][NFC][MallocChecker] Convert many parameters into CallEvent.Mar 1 2020, 5:14 PM
Charusso added a comment.Mar 3 2020, 3:44 AM

look for a solution better then demonstrated in this patch.

I believe this solution exactly what Artem suggested, so there is nothing to feel bad about. Cool.

Charusso accepted this revision.Mar 3 2020, 3:53 AM
This revision is now accepted and ready to land.Mar 3 2020, 3:53 AM
xazax.hun added a comment.Mar 3 2020, 5:15 AM

Other than a nit looks good to me but wait for @NoQ before committing.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
212

Since SValBuilder has relatively little to do with call events I am kind of surprised seeing this here.

NoQ added inline comments.Mar 15 2020, 10:52 PM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
1014

Why does this method accept a state? Can't we use our own state?

Szelethus updated this revision to Diff 254816.Apr 3 2020, 8:20 AM
Szelethus marked 2 inline comments as done.

Inlines addressed, rebase.

Herald added a subscriber: ASDenysPetrov. · View Herald TranscriptApr 3 2020, 8:20 AM
Szelethus added a comment.Apr 3 2020, 4:03 PM

Hmm, upon taking a look at alignment new in previous patches, I think implementing a checker for MEM57-CPP. Avoid using default operator new for over-aligned types seems a very low hanging fruit, though probably not a common source of bugs.

NoQ accepted this revision.Apr 6 2020, 1:11 AM

Great, thanks!!

Closed by commit rGf2be30def37d: [analyzer][NFC] Merge checkNewAllocator's paramaters into CXXAllocatorCall (authored by Szelethus). · Explain WhyMay 19 2020, 4:02 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
6 lines
11 lines
PathSensitive/
7 lines
lib/
StaticAnalyzer/
Checkers/
2 lines
11 lines
Core/
31 lines
17 lines
16 lines

Diff 265075

clang/include/clang/StaticAnalyzer/Core/Checker.h

Show First 20 LinesShow All 279 Lines▼ Show 20 Lines static void _register(CHECKER *checker, CheckerManager &mgr) {
mgr._registerForBranchCondition( mgr._registerForBranchCondition(
CheckerManager::CheckBranchConditionFunc(checker, CheckerManager::CheckBranchConditionFunc(checker,
_checkBranchCondition<CHECKER>)); _checkBranchCondition<CHECKER>));
} }
}; };
class NewAllocator { class NewAllocator {
template <typename CHECKER> template <typename CHECKER>
static void _checkNewAllocator(void *checker, const CXXNewExpr *NE, static void _checkNewAllocator(void *checker, const CXXAllocatorCall &Call,
SVal Target, CheckerContext &C) { CheckerContext &C) {
((const CHECKER *)checker)->checkNewAllocator(NE, Target, C); ((const CHECKER *)checker)->checkNewAllocator(Call, C);
} }
public: public:
template <typename CHECKER> template <typename CHECKER>
static void _register(CHECKER *checker, CheckerManager &mgr) { static void _register(CHECKER *checker, CheckerManager &mgr) {
mgr._registerForNewAllocator( mgr._registerForNewAllocator(
CheckerManager::CheckNewAllocatorFunc(checker, CheckerManager::CheckNewAllocatorFunc(checker,
_checkNewAllocator<CHECKER>)); _checkNewAllocator<CHECKER>));
▲ Show 20 LinesShow All 284 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/CheckerManager.h

Show All 31 Lines
class Decl; class Decl;
class LocationContext; class LocationContext;
class Stmt; class Stmt;
class TranslationUnitDecl; class TranslationUnitDecl;
namespace ento { namespace ento {
class AnalysisManager; class AnalysisManager;
class CXXAllocatorCall;
class BugReporter; class BugReporter;
class CallEvent; class CallEvent;
class CheckerBase; class CheckerBase;
class CheckerContext; class CheckerContext;
class CheckerRegistry; class CheckerRegistry;
class ExplodedGraph; class ExplodedGraph;
class ExplodedNode; class ExplodedNode;
class ExplodedNodeSet; class ExplodedNodeSet;
▲ Show 20 LinesShow All 308 Lines▼ Show 20 Lines void runCheckersForEndFunction(NodeBuilderContext &BC,
const ReturnStmt *RS); const ReturnStmt *RS);
/// Run checkers for branch condition. /// Run checkers for branch condition.
void runCheckersForBranchCondition(const Stmt *condition, void runCheckersForBranchCondition(const Stmt *condition,
ExplodedNodeSet &Dst, ExplodedNode *Pred, ExplodedNodeSet &Dst, ExplodedNode *Pred,
ExprEngine &Eng); ExprEngine &Eng);
/// Run checkers between C++ operator new and constructor calls. /// Run checkers between C++ operator new and constructor calls.
void runCheckersForNewAllocator(const CXXNewExpr *NE, SVal Target, void runCheckersForNewAllocator(const CXXAllocatorCall &Call,
ExplodedNodeSet &Dst, ExplodedNodeSet &Dst, ExplodedNode *Pred,
ExplodedNode *Pred, ExprEngine &Eng, bool wasInlined = false);
ExprEngine &Eng,
bool wasInlined = false);
/// Run checkers for live symbols. /// Run checkers for live symbols.
/// ///
/// Allows modifying SymbolReaper object. For example, checkers can explicitly /// Allows modifying SymbolReaper object. For example, checkers can explicitly
/// register symbols of interest as live. These symbols will not be marked /// register symbols of interest as live. These symbols will not be marked
/// dead and removed. /// dead and removed.
void runCheckersForLiveSymbols(ProgramStateRef state, void runCheckersForLiveSymbols(ProgramStateRef state,
SymbolReaper &SymReaper); SymbolReaper &SymReaper);
▲ Show 20 LinesShow All 124 Lines▼ Show 20 Lines//===----------------------------------------------------------------------===//
using CheckEndFunctionFunc = using CheckEndFunctionFunc =
CheckerFn<void (const ReturnStmt *, CheckerContext &)>; CheckerFn<void (const ReturnStmt *, CheckerContext &)>;
using CheckBranchConditionFunc = using CheckBranchConditionFunc =
CheckerFn<void (const Stmt *, CheckerContext &)>; CheckerFn<void (const Stmt *, CheckerContext &)>;
using CheckNewAllocatorFunc = using CheckNewAllocatorFunc =
CheckerFn<void (const CXXNewExpr *, SVal, CheckerContext &)>; CheckerFn<void(const CXXAllocatorCall &Call, CheckerContext &)>;
using CheckDeadSymbolsFunc = using CheckDeadSymbolsFunc =
CheckerFn<void (SymbolReaper &, CheckerContext &)>; CheckerFn<void (SymbolReaper &, CheckerContext &)>;
using CheckLiveSymbolsFunc = CheckerFn<void (ProgramStateRef,SymbolReaper &)>; using CheckLiveSymbolsFunc = CheckerFn<void (ProgramStateRef,SymbolReaper &)>;
using CheckRegionChangesFunc = using CheckRegionChangesFunc =
CheckerFn<ProgramStateRef (ProgramStateRef, CheckerFn<ProgramStateRef (ProgramStateRef,
▲ Show 20 LinesShow All 191 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

Show All 33 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "llvm/ADT/ArrayRef.h" #include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/IntrusiveRefCntPtr.h" #include "llvm/ADT/IntrusiveRefCntPtr.h"
#include "llvm/ADT/PointerIntPair.h" #include "llvm/ADT/PointerIntPair.h"
#include "llvm/ADT/PointerUnion.h" #include "llvm/ADT/PointerUnion.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/SmallVector.h" #include "llvm/ADT/SmallVector.h"
#include "llvm/ADT/StringRef.h" #include "llvm/ADT/StringRef.h"
#include "llvm/ADT/iterator_range.h"
#include "llvm/Support/Allocator.h" #include "llvm/Support/Allocator.h"
#include "llvm/Support/Casting.h" #include "llvm/Support/Casting.h"
#include "llvm/Support/ErrorHandling.h" #include "llvm/Support/ErrorHandling.h"
#include <cassert> #include <cassert>
#include <limits> #include <limits>
#include <utility> #include <utility>
namespace clang { namespace clang {
▲ Show 20 LinesShow All 153 Lines▼ Show 20 Linespublic:
virtual StringRef getKindAsString() const = 0; virtual StringRef getKindAsString() const = 0;
/// Returns the declaration of the function or method that will be /// Returns the declaration of the function or method that will be
/// called. May be null. /// called. May be null.
virtual const Decl *getDecl() const { virtual const Decl *getDecl() const {
return Origin.dyn_cast<const Decl *>(); return Origin.dyn_cast<const Decl *>();
} }
/// The state in which the call is being evaluated. /// The state in which the call is being evaluated.
xazax.hunUnsubmitted
Done
ReplyInline Actions

Since SValBuilder has relatively little to do with call events I am kind of surprised seeing this here.

xazax.hun: Since `SValBuilder` has relatively little to do with call events I am kind of surprised seeing…
const ProgramStateRef &getState() const { const ProgramStateRef &getState() const {
return State; return State;
} }
/// The context in which the call is being evaluated. /// The context in which the call is being evaluated.
const LocationContext *getLocationContext() const { const LocationContext *getLocationContext() const {
return LCtx; return LCtx;
} }
▲ Show 20 LinesShow All 785 Lines▼ Show 20 Linespublic:
virtual const CXXNewExpr *getOriginExpr() const { virtual const CXXNewExpr *getOriginExpr() const {
return cast<CXXNewExpr>(AnyFunctionCall::getOriginExpr()); return cast<CXXNewExpr>(AnyFunctionCall::getOriginExpr());
} }
const FunctionDecl *getDecl() const override { const FunctionDecl *getDecl() const override {
return getOriginExpr()->getOperatorNew(); return getOriginExpr()->getOperatorNew();
} }
SVal getObjectUnderConstruction() const {
NoQUnsubmitted
Done
ReplyInline Actions

Why does this method accept a state? Can't we use our own state?

NoQ: Why does this method accept a state? Can't we use our own state?
return ExprEngine::getObjectUnderConstruction(getState(), getOriginExpr(),
getLocationContext())
.getValue();
}
/// Number of non-placement arguments to the call. It is equal to 2 for /// Number of non-placement arguments to the call. It is equal to 2 for
/// C++17 aligned operator new() calls that have alignment implicitly /// C++17 aligned operator new() calls that have alignment implicitly
/// passed as the second argument, and to 1 for other operator new() calls. /// passed as the second argument, and to 1 for other operator new() calls.
unsigned getNumImplicitArgs() const { unsigned getNumImplicitArgs() const {
return getOriginExpr()->passAlignment() ? 2 : 1; return getOriginExpr()->passAlignment() ? 2 : 1;
} }
unsigned getNumArgs() const override { unsigned getNumArgs() const override {
▲ Show 20 LinesShow All 457 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Checkers/AnalysisOrderChecker.cpp

Show First 20 LinesShow All 159 Lines▼ Show 20 Linespublic:
} }
void checkEndAnalysis(ExplodedGraph &G, BugReporter &BR, void checkEndAnalysis(ExplodedGraph &G, BugReporter &BR,
ExprEngine &Eng) const { ExprEngine &Eng) const {
if (isCallbackEnabled(BR.getAnalyzerOptions(), "EndAnalysis")) if (isCallbackEnabled(BR.getAnalyzerOptions(), "EndAnalysis"))
llvm::errs() << "EndAnalysis\n"; llvm::errs() << "EndAnalysis\n";
} }
void checkNewAllocator(const CXXNewExpr *CNE, SVal Target, void checkNewAllocator(const CXXAllocatorCall &Call,
CheckerContext &C) const { CheckerContext &C) const {
if (isCallbackEnabled(C, "NewAllocator")) if (isCallbackEnabled(C, "NewAllocator"))
llvm::errs() << "NewAllocator\n"; llvm::errs() << "NewAllocator\n";
} }
void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const { void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const {
if (isCallbackEnabled(C, "Bind")) if (isCallbackEnabled(C, "Bind"))
llvm::errs() << "Bind\n"; llvm::errs() << "Bind\n";
Show All 40 Lines

clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp

Show First 20 LinesShow All 309 Lines▼ Show 20 Linespublic:
using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>; using LeakInfo = std::pair<const ExplodedNode *, const MemRegion *>;
DefaultBool ChecksEnabled[CK_NumCheckKinds]; DefaultBool ChecksEnabled[CK_NumCheckKinds];
CheckerNameRef CheckNames[CK_NumCheckKinds]; CheckerNameRef CheckNames[CK_NumCheckKinds];
void checkPreCall(const CallEvent &Call, CheckerContext &C) const; void checkPreCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostCall(const CallEvent &Call, CheckerContext &C) const; void checkPostCall(const CallEvent &Call, CheckerContext &C) const;
void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const; void checkPostStmt(const CXXNewExpr *NE, CheckerContext &C) const;
void checkNewAllocator(const CXXNewExpr *NE, SVal Target, void checkPreStmt(const CXXDeleteExpr *DE, CheckerContext &C) const;
CheckerContext &C) const; void checkNewAllocator(const CXXAllocatorCall &Call, CheckerContext &C) const;
void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const; void checkPostObjCMessage(const ObjCMethodCall &Call, CheckerContext &C) const;
void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const; void checkPostStmt(const BlockExpr *BE, CheckerContext &C) const;
void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const; void checkDeadSymbols(SymbolReaper &SymReaper, CheckerContext &C) const;
void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const; void checkPreStmt(const ReturnStmt *S, CheckerContext &C) const;
void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const; void checkEndFunction(const ReturnStmt *S, CheckerContext &C) const;
ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond, ProgramStateRef evalAssume(ProgramStateRef state, SVal Cond,
bool Assumption) const; bool Assumption) const;
void checkLocation(SVal l, bool isLoad, const Stmt *S, void checkLocation(SVal l, bool isLoad, const Stmt *S,
▲ Show 20 LinesShow All 1,024 Lines▼ Show 20 Linesvoid MallocChecker::checkPostStmt(const CXXNewExpr *NE,
CheckerContext &C) const { CheckerContext &C) const {
if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator) { if (!C.getAnalysisManager().getAnalyzerOptions().MayInlineCXXAllocator) {
if (NE->isArray()) if (NE->isArray())
processNewAllocation(NE, C, C.getSVal(NE), processNewAllocation(NE, C, C.getSVal(NE),
(NE->isArray() ? AF_CXXNewArray : AF_CXXNew)); (NE->isArray() ? AF_CXXNewArray : AF_CXXNew));
} }
} }
void MallocChecker::checkNewAllocator(const CXXNewExpr *NE, SVal Target, void MallocChecker::checkNewAllocator(const CXXAllocatorCall &Call,
CheckerContext &C) const { CheckerContext &C) const {
if (!C.wasInlined) { if (!C.wasInlined) {
processNewAllocation(NE, C, Target, processNewAllocation(
(NE->isArray() ? AF_CXXNewArray : AF_CXXNew)); Call.getOriginExpr(), C, Call.getObjectUnderConstruction(),
(Call.getOriginExpr()->isArray() ? AF_CXXNewArray : AF_CXXNew));
} }
} }
// Sets the extent value of the MemRegion allocated by // Sets the extent value of the MemRegion allocated by
// new expression NE to its size in Bytes. // new expression NE to its size in Bytes.
// //
ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C, ProgramStateRef MallocChecker::addExtentSize(CheckerContext &C,
const CXXNewExpr *NE, const CXXNewExpr *NE,
▲ Show 20 LinesShow All 2,003 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/CheckerManager.cpp

Show First 20 LinesShow All 237 Lines▼ Show 20 Lines
/// Run checkers for visiting obj-c messages. /// Run checkers for visiting obj-c messages.
void CheckerManager::runCheckersForObjCMessage(ObjCMessageVisitKind visitKind, void CheckerManager::runCheckersForObjCMessage(ObjCMessageVisitKind visitKind,
ExplodedNodeSet &Dst, ExplodedNodeSet &Dst,
const ExplodedNodeSet &Src, const ExplodedNodeSet &Src,
const ObjCMethodCall &msg, const ObjCMethodCall &msg,
ExprEngine &Eng, ExprEngine &Eng,
bool WasInlined) { bool WasInlined) {
auto &checkers = getObjCMessageCheckers(visitKind); const auto &checkers = getObjCMessageCheckers(visitKind);
CheckObjCMessageContext C(visitKind, checkers, msg, Eng, WasInlined); CheckObjCMessageContext C(visitKind, checkers, msg, Eng, WasInlined);
expandGraphWithCheckers(C, Dst, Src); expandGraphWithCheckers(C, Dst, Src);
} }
const std::vector<CheckerManager::CheckObjCMessageFunc> & const std::vector<CheckerManager::CheckObjCMessageFunc> &
CheckerManager::getObjCMessageCheckers(ObjCMessageVisitKind Kind) const { CheckerManager::getObjCMessageCheckers(ObjCMessageVisitKind Kind) const {
switch (Kind) { switch (Kind) {
case ObjCMessageVisitKind::Pre: case ObjCMessageVisitKind::Pre:
▲ Show 20 LinesShow All 247 Lines▼ Show 20 Lines
} }
namespace { namespace {
struct CheckNewAllocatorContext { struct CheckNewAllocatorContext {
using CheckersTy = std::vector<CheckerManager::CheckNewAllocatorFunc>; using CheckersTy = std::vector<CheckerManager::CheckNewAllocatorFunc>;
const CheckersTy &Checkers; const CheckersTy &Checkers;
const CXXNewExpr *NE; const CXXAllocatorCall &Call;
SVal Target;
bool WasInlined; bool WasInlined;
ExprEngine &Eng; ExprEngine &Eng;
CheckNewAllocatorContext(const CheckersTy &Checkers, const CXXNewExpr *NE, CheckNewAllocatorContext(const CheckersTy &Checkers,
SVal Target, bool WasInlined, ExprEngine &Eng) const CXXAllocatorCall &Call, bool WasInlined,
: Checkers(Checkers), NE(NE), Target(Target), WasInlined(WasInlined), ExprEngine &Eng)
Eng(Eng) {} : Checkers(Checkers), Call(Call), WasInlined(WasInlined), Eng(Eng) {}
CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); } CheckersTy::const_iterator checkers_begin() { return Checkers.begin(); }
CheckersTy::const_iterator checkers_end() { return Checkers.end(); } CheckersTy::const_iterator checkers_end() { return Checkers.end(); }
void runChecker(CheckerManager::CheckNewAllocatorFunc checkFn, void runChecker(CheckerManager::CheckNewAllocatorFunc checkFn,
NodeBuilder &Bldr, ExplodedNode *Pred) { NodeBuilder &Bldr, ExplodedNode *Pred) {
ProgramPoint L = PostAllocatorCall(NE, Pred->getLocationContext()); ProgramPoint L =
PostAllocatorCall(Call.getOriginExpr(), Pred->getLocationContext());
CheckerContext C(Bldr, Eng, Pred, L, WasInlined); CheckerContext C(Bldr, Eng, Pred, L, WasInlined);
checkFn(NE, Target, C); checkFn(cast<CXXAllocatorCall>(*Call.cloneWithState(Pred->getState())),
C);
} }
}; };
} // namespace } // namespace
void CheckerManager::runCheckersForNewAllocator( void CheckerManager::runCheckersForNewAllocator(const CXXAllocatorCall &Call,
const CXXNewExpr *NE, SVal Target, ExplodedNodeSet &Dst, ExplodedNode *Pred, ExplodedNodeSet &Dst,
ExprEngine &Eng, bool WasInlined) { ExplodedNode *Pred,
ExprEngine &Eng,
bool WasInlined) {
ExplodedNodeSet Src; ExplodedNodeSet Src;
Src.insert(Pred); Src.insert(Pred);
CheckNewAllocatorContext C(NewAllocatorCheckers, NE, Target, WasInlined, Eng); CheckNewAllocatorContext C(NewAllocatorCheckers, Call, WasInlined, Eng);
expandGraphWithCheckers(C, Dst, Src); expandGraphWithCheckers(C, Dst, Src);
} }
/// Run checkers for live symbols. /// Run checkers for live symbols.
void CheckerManager::runCheckersForLiveSymbols(ProgramStateRef state, void CheckerManager::runCheckersForLiveSymbols(ProgramStateRef state,
SymbolReaper &SymReaper) { SymbolReaper &SymReaper) {
for (const auto &LiveSymbolsChecker : LiveSymbolsCheckers) for (const auto &LiveSymbolsChecker : LiveSymbolsCheckers)
LiveSymbolsChecker(state, SymReaper); LiveSymbolsChecker(state, SymReaper);
▲ Show 20 LinesShow All 99 Lines▼ Show 20 Lines
} }
/// Run checkers for evaluating a call. /// Run checkers for evaluating a call.
/// Only one checker will evaluate the call. /// Only one checker will evaluate the call.
void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst, void CheckerManager::runCheckersForEvalCall(ExplodedNodeSet &Dst,
const ExplodedNodeSet &Src, const ExplodedNodeSet &Src,
const CallEvent &Call, const CallEvent &Call,
ExprEngine &Eng) { ExprEngine &Eng) {
for (const auto Pred : Src) { for (auto *const Pred : Src) {
bool anyEvaluated = false; bool anyEvaluated = false;
ExplodedNodeSet checkDst; ExplodedNodeSet checkDst;
NodeBuilder B(Pred, checkDst, Eng.getBuilderContext()); NodeBuilder B(Pred, checkDst, Eng.getBuilderContext());
// Check if any of the EvalCall callbacks can evaluate the call. // Check if any of the EvalCall callbacks can evaluate the call.
for (const auto &EvalCallChecker : EvalCallCheckers) { for (const auto &EvalCallChecker : EvalCallCheckers) {
// TODO: Support the situation when the call doesn't correspond // TODO: Support the situation when the call doesn't correspond
▲ Show 20 LinesShow All 242 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCXX.cpp

Show First 20 LinesShow All 571 Lines▼ Show 20 Linesvoid ExprEngine::handleConstructor(const Expr *E,
// and the just-called constructor created a temporary object then // and the just-called constructor created a temporary object then
// stop exploration if the temporary object has a noreturn constructor. // stop exploration if the temporary object has a noreturn constructor.
// This can lose coverage because the destructor, if it were present // This can lose coverage because the destructor, if it were present
// in the CFG, would be called at the end of the full expression or // in the CFG, would be called at the end of the full expression or
// later (for life-time extended temporaries) -- but avoids infeasible // later (for life-time extended temporaries) -- but avoids infeasible
// paths when no-return temporary destructors are used for assertions. // paths when no-return temporary destructors are used for assertions.
const AnalysisDeclContext *ADC = LCtx->getAnalysisDeclContext(); const AnalysisDeclContext *ADC = LCtx->getAnalysisDeclContext();
if (!ADC->getCFGBuildOptions().AddTemporaryDtors) { if (!ADC->getCFGBuildOptions().AddTemporaryDtors) {
if (TargetRegion && isa<CXXTempObjectRegion>(TargetRegion) && if (llvm::isa_and_nonnull<CXXTempObjectRegion>(TargetRegion) &&
cast<CXXConstructorDecl>(Call->getDecl()) cast<CXXConstructorDecl>(Call->getDecl())
->getParent()->isAnyDestructorNoReturn()) { ->getParent()
->isAnyDestructorNoReturn()) {
// If we've inlined the constructor, then DstEvaluated would be empty. // If we've inlined the constructor, then DstEvaluated would be empty.
// In this case we still want a sink, which could be implemented // In this case we still want a sink, which could be implemented
// in processCallExit. But we don't have that implemented at the moment, // in processCallExit. But we don't have that implemented at the moment,
// so if you hit this assertion, see if you can avoid inlining // so if you hit this assertion, see if you can avoid inlining
// the respective constructor when analyzer-config cfg-temporary-dtors // the respective constructor when analyzer-config cfg-temporary-dtors
// is set to false. // is set to false.
// Otherwise there's nothing wrong with inlining such constructor. // Otherwise there's nothing wrong with inlining such constructor.
assert(!DstEvaluated.empty() && assert(!DstEvaluated.empty() &&
"We should not have inlined this constructor!"); "We should not have inlined this constructor!");
for (ExplodedNode *N : DstEvaluated) { for (ExplodedNode *N : DstEvaluated) {
Bldr.generateSink(E, N, N->getState()); Bldr.generateSink(E, N, N->getState());
} }
// There is no need to run the PostCall and PostStmt checker // There is no need to run the PostCall and PostStmt checker
// callbacks because we just generated sinks on all nodes in th // callbacks because we just generated sinks on all nodes in th
// frontier. // frontier.
return; return;
} }
} }
ExplodedNodeSet DstPostArgumentCleanup; ExplodedNodeSet DstPostArgumentCleanup;
for (auto I : DstEvaluated) for (ExplodedNode *I : DstEvaluated)
finishArgumentConstruction(DstPostArgumentCleanup, I, *Call); finishArgumentConstruction(DstPostArgumentCleanup, I, *Call);
// If there were other constructors called for object-type arguments // If there were other constructors called for object-type arguments
// of this constructor, clean them up. // of this constructor, clean them up.
ExplodedNodeSet DstPostCall; ExplodedNodeSet DstPostCall;
getCheckerManager().runCheckersForPostCall(DstPostCall, getCheckerManager().runCheckersForPostCall(DstPostCall,
DstPostArgumentCleanup, DstPostArgumentCleanup,
*Call, *this); *Call, *this);
▲ Show 20 LinesShow All 92 Lines▼ Show 20 Lines CallEventRef<CXXAllocatorCall> Call =
CEMgr.getCXXAllocatorCall(CNE, State, LCtx); CEMgr.getCXXAllocatorCall(CNE, State, LCtx);
ExplodedNodeSet DstPreCall; ExplodedNodeSet DstPreCall;
getCheckerManager().runCheckersForPreCall(DstPreCall, Pred, getCheckerManager().runCheckersForPreCall(DstPreCall, Pred,
*Call, *this); *Call, *this);
ExplodedNodeSet DstPostCall; ExplodedNodeSet DstPostCall;
StmtNodeBuilder CallBldr(DstPreCall, DstPostCall, *currBldrCtx); StmtNodeBuilder CallBldr(DstPreCall, DstPostCall, *currBldrCtx);
for (auto I : DstPreCall) { for (ExplodedNode *I : DstPreCall) {
// FIXME: Provide evalCall for checkers? // FIXME: Provide evalCall for checkers?
defaultEvalCall(CallBldr, I, *Call); defaultEvalCall(CallBldr, I, *Call);
} }
// If the call is inlined, DstPostCall will be empty and we bail out now. // If the call is inlined, DstPostCall will be empty and we bail out now.
// Store return value of operator new() for future use, until the actual // Store return value of operator new() for future use, until the actual
// CXXNewExpr gets processed. // CXXNewExpr gets processed.
ExplodedNodeSet DstPostValue; ExplodedNodeSet DstPostValue;
StmtNodeBuilder ValueBldr(DstPostCall, DstPostValue, *currBldrCtx); StmtNodeBuilder ValueBldr(DstPostCall, DstPostValue, *currBldrCtx);
for (auto I : DstPostCall) { for (ExplodedNode *I : DstPostCall) {
// FIXME: Because CNE serves as the "call site" for the allocator (due to // FIXME: Because CNE serves as the "call site" for the allocator (due to
// lack of a better expression in the AST), the conjured return value symbol // lack of a better expression in the AST), the conjured return value symbol
// is going to be of the same type (C++ object pointer type). Technically // is going to be of the same type (C++ object pointer type). Technically
// this is not correct because the operator new's prototype always says that // this is not correct because the operator new's prototype always says that
// it returns a 'void *'. So we should change the type of the symbol, // it returns a 'void *'. So we should change the type of the symbol,
// and then evaluate the cast over the symbolic pointer from 'void *' to // and then evaluate the cast over the symbolic pointer from 'void *' to
// the object pointer type. But without changing the symbol's type it // the object pointer type. But without changing the symbol's type it
// is breaking too much to evaluate the no-op symbolic cast over it, so we // is breaking too much to evaluate the no-op symbolic cast over it, so we
Show All 17 Lines for (ExplodedNode *I : DstPostCall) {
ValueBldr.generateNode( ValueBldr.generateNode(
CNE, I, addObjectUnderConstruction(State, CNE, LCtx, RetVal)); CNE, I, addObjectUnderConstruction(State, CNE, LCtx, RetVal));
} }
ExplodedNodeSet DstPostPostCallCallback; ExplodedNodeSet DstPostPostCallCallback;
getCheckerManager().runCheckersForPostCall(DstPostPostCallCallback, getCheckerManager().runCheckersForPostCall(DstPostPostCallCallback,
DstPostValue, *Call, *this); DstPostValue, *Call, *this);
for (auto I : DstPostPostCallCallback) { for (ExplodedNode *I : DstPostPostCallCallback) {
getCheckerManager().runCheckersForNewAllocator( getCheckerManager().runCheckersForNewAllocator(*Call, Dst, I, *this);
CNE, *getObjectUnderConstruction(I->getState(), CNE, LCtx), Dst, I,
*this);
} }
} }
void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred, void ExprEngine::VisitCXXNewExpr(const CXXNewExpr *CNE, ExplodedNode *Pred,
ExplodedNodeSet &Dst) { ExplodedNodeSet &Dst) {
// FIXME: Much of this should eventually migrate to CXXAllocatorCall. // FIXME: Much of this should eventually migrate to CXXAllocatorCall.
// Also, we need to decide how allocators actually work -- they're not // Also, we need to decide how allocators actually work -- they're not
// really part of the CXXNewExpr because they happen BEFORE the // really part of the CXXNewExpr because they happen BEFORE the
▲ Show 20 LinesShow All 203 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show All 15 Lines
#include "clang/AST/DeclCXX.h" #include "clang/AST/DeclCXX.h"
#include "clang/Analysis/Analyses/LiveVariables.h" #include "clang/Analysis/Analyses/LiveVariables.h"
#include "clang/Analysis/ConstructionContext.h" #include "clang/Analysis/ConstructionContext.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "llvm/ADT/SmallSet.h" #include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/Support/Casting.h"
#include "llvm/Support/Compiler.h" #include "llvm/Support/Compiler.h"
#include "llvm/Support/SaveAndRestore.h" #include "llvm/Support/SaveAndRestore.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
#define DEBUG_TYPE "ExprEngine" #define DEBUG_TYPE "ExprEngine"
▲ Show 20 LinesShow All 288 Lines▼ Show 20 Lines for (ExplodedNodeSet::iterator I = CleanedNodes.begin(),
NodeBuilderContext Ctx(Engine, calleeCtx->getCallSiteBlock(), CEENode); NodeBuilderContext Ctx(Engine, calleeCtx->getCallSiteBlock(), CEENode);
SaveAndRestore<const NodeBuilderContext*> NBCSave(currBldrCtx, SaveAndRestore<const NodeBuilderContext*> NBCSave(currBldrCtx,
&Ctx); &Ctx);
SaveAndRestore<unsigned> CBISave(currStmtIdx, calleeCtx->getIndex()); SaveAndRestore<unsigned> CBISave(currStmtIdx, calleeCtx->getIndex());
CallEventRef<> UpdatedCall = Call.cloneWithState(CEEState); CallEventRef<> UpdatedCall = Call.cloneWithState(CEEState);
ExplodedNodeSet DstPostCall; ExplodedNodeSet DstPostCall;
if (const CXXNewExpr *CNE = dyn_cast_or_null<CXXNewExpr>(CE)) { if (llvm::isa_and_nonnull<CXXNewExpr>(CE)) {
ExplodedNodeSet DstPostPostCallCallback; ExplodedNodeSet DstPostPostCallCallback;
getCheckerManager().runCheckersForPostCall(DstPostPostCallCallback, getCheckerManager().runCheckersForPostCall(DstPostPostCallCallback,
CEENode, *UpdatedCall, *this, CEENode, *UpdatedCall, *this,
/*wasInlined=*/true); /*wasInlined=*/true);
for (auto I : DstPostPostCallCallback) { for (ExplodedNode *I : DstPostPostCallCallback) {
getCheckerManager().runCheckersForNewAllocator( getCheckerManager().runCheckersForNewAllocator(
CNE, cast<CXXAllocatorCall>(*UpdatedCall), DstPostCall, I, *this,
*getObjectUnderConstruction(I->getState(), CNE,
calleeCtx->getParent()),
DstPostCall, I, *this,
/*wasInlined=*/true); /*wasInlined=*/true);
} }
} else { } else {
getCheckerManager().runCheckersForPostCall(DstPostCall, CEENode, getCheckerManager().runCheckersForPostCall(DstPostCall, CEENode,
*UpdatedCall, *this, *UpdatedCall, *this,
/*wasInlined=*/true); /*wasInlined=*/true);
} }
ExplodedNodeSet Dst; ExplodedNodeSet Dst;
▲ Show 20 LinesShow All 239 Lines▼ Show 20 Linesvoid ExprEngine::evalCall(ExplodedNodeSet &Dst, ExplodedNode *Pred,
// defaultEvalCall if all of them fail. // defaultEvalCall if all of them fail.
ExplodedNodeSet dstCallEvaluated; ExplodedNodeSet dstCallEvaluated;
getCheckerManager().runCheckersForEvalCall(dstCallEvaluated, dstPreVisit, getCheckerManager().runCheckersForEvalCall(dstCallEvaluated, dstPreVisit,
Call, *this); Call, *this);
// If there were other constructors called for object-type arguments // If there were other constructors called for object-type arguments
// of this call, clean them up. // of this call, clean them up.
ExplodedNodeSet dstArgumentCleanup; ExplodedNodeSet dstArgumentCleanup;
for (auto I : dstCallEvaluated) for (ExplodedNode *I : dstCallEvaluated)
finishArgumentConstruction(dstArgumentCleanup, I, Call); finishArgumentConstruction(dstArgumentCleanup, I, Call);
ExplodedNodeSet dstPostCall; ExplodedNodeSet dstPostCall;
getCheckerManager().runCheckersForPostCall(dstPostCall, dstArgumentCleanup, getCheckerManager().runCheckersForPostCall(dstPostCall, dstArgumentCleanup,
Call, *this); Call, *this);
// Escaping symbols conjured during invalidating the regions above. // Escaping symbols conjured during invalidating the regions above.
// Note that, for inlined calls the nodes were put back into the worklist, // Note that, for inlined calls the nodes were put back into the worklist,
// so we can assume that every node belongs to a conservative call at this // so we can assume that every node belongs to a conservative call at this
// point. // point.
// Run pointerEscape callback with the newly conjured symbols. // Run pointerEscape callback with the newly conjured symbols.
SmallVector<std::pair<SVal, SVal>, 8> Escaped; SmallVector<std::pair<SVal, SVal>, 8> Escaped;
for (auto I : dstPostCall) { for (ExplodedNode *I : dstPostCall) {
NodeBuilder B(I, Dst, *currBldrCtx); NodeBuilder B(I, Dst, *currBldrCtx);
ProgramStateRef State = I->getState(); ProgramStateRef State = I->getState();
Escaped.clear(); Escaped.clear();
{ {
unsigned Arg = -1; unsigned Arg = -1;
for (const ParmVarDecl *PVD : Call.parameters()) { for (const ParmVarDecl *PVD : Call.parameters()) {
++Arg; ++Arg;
QualType ParamTy = PVD->getType(); QualType ParamTy = PVD->getType();
▲ Show 20 LinesShow All 121 Lines▼ Show 20 Lines case CE_CXXConstructor: {
const CXXConstructorCall &Ctor = cast<CXXConstructorCall>(Call); const CXXConstructorCall &Ctor = cast<CXXConstructorCall>(Call);
const CXXConstructExpr *CtorExpr = Ctor.getOriginExpr(); const CXXConstructExpr *CtorExpr = Ctor.getOriginExpr();
auto CCE = getCurrentCFGElement().getAs<CFGConstructor>(); auto CCE = getCurrentCFGElement().getAs<CFGConstructor>();
const ConstructionContext *CC = CCE ? CCE->getConstructionContext() const ConstructionContext *CC = CCE ? CCE->getConstructionContext()
: nullptr; : nullptr;
if (CC && isa<NewAllocatedObjectConstructionContext>(CC) && if (llvm::isa_and_nonnull<NewAllocatedObjectConstructionContext>(CC) &&
!Opts.MayInlineCXXAllocator) !Opts.MayInlineCXXAllocator)
return CIP_DisallowedOnce; return CIP_DisallowedOnce;
// FIXME: We don't handle constructors or destructors for arrays properly. // FIXME: We don't handle constructors or destructors for arrays properly.
// Even once we do, we still need to be careful about implicitly-generated // Even once we do, we still need to be careful about implicitly-generated
// initializers for array fields in default move/copy constructors. // initializers for array fields in default move/copy constructors.
// We still allow construction into ElementRegion targets when they don't // We still allow construction into ElementRegion targets when they don't
// represent array elements. // represent array elements.
▲ Show 20 LinesShow All 395 LinesShow Last 20 Lines