Index: include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
===================================================================
--- include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
+++ include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h
@@ -204,6 +204,8 @@
const LocationContext *LCtx, unsigned count);
+ DefinedSVal getMemberPointer(const DeclaratorDecl *DD);
+
DefinedSVal getFunctionPointer(const FunctionDecl *func);
DefinedSVal getBlockPointer(const BlockDecl *block, CanQualType locTy,
Index: include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h
===================================================================
--- include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h
+++ include/clang/StaticAnalyzer/Core/PathSensitive/SVals.h
@@ -459,6 +459,35 @@
}
};
+class PointerToMember : public NonLoc {
+public:
+ explicit PointerToMember(const DeclaratorDecl* D)
+ : NonLoc(PointerToMemberKind, D) {}
+
+ const DeclaratorDecl *getDecl() const {
+ return static_cast(Data);
+ }
+
+ template
+ const AdjustedDecl* getDeclAs() const {
+ return dyn_cast_or_null(getDecl());
+ }
+
+ bool isNullMemberPointer() {return Data == nullptr;}
+
+private:
+ friend class SVal;
+ PointerToMember() {}
+ static bool isKind(const SVal& V) {
+ return V.getBaseKind() == NonLocKind &&
+ V.getSubKind() == PointerToMemberKind;
+ }
+
+ static bool isKind(const NonLoc& V) {
+ return V.getSubKind() == PointerToMemberKind;
+ }
+};
+
} // end namespace ento::nonloc
//==------------------------------------------------------------------------==//
Index: include/clang/StaticAnalyzer/Core/PathSensitive/SVals.def
===================================================================
--- include/clang/StaticAnalyzer/Core/PathSensitive/SVals.def
+++ include/clang/StaticAnalyzer/Core/PathSensitive/SVals.def
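Review bot: `isNullMemberPointer()` in the new `PointerToMember` class is a pure read of `Data` but is not declared `const`, so it cannot be called through a `const PointerToMember&` or a `const` `Optional` even though every sibling accessor (`getDecl`, `getDeclAs`) is const; make it `bool isNullMemberPointer() const { return Data == nullptr; }`. The class also has no header comment, and the one representation fact a reader needs is not written anywhere: a null `Data` pointer is what stands for the null member pointer (that is what `getMemberPointer(nullptr)` in the ExprEngineC hunk relies on and why `getDeclAs` goes through `dyn_cast_or_null`). I would add above the class: `/// A pointer-to-member value: Data is the referenced FieldDecl/CXXMethodDecl, or null for the null member pointer.` — hedged on the exact decl kinds, since the template arguments of `getDeclAs`/`static_cast` are not visible on this page. Minor style: `DeclaratorDecl* D` vs `DeclaratorDecl *getDecl` mixes pointer spacing within the same class.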
@@ -66,6 +66,7 @@
NONLOC_SVAL(LazyCompoundVal, NonLoc)
NONLOC_SVAL(LocAsInteger, NonLoc)
NONLOC_SVAL(SymbolVal, NonLoc)
+ NONLOC_SVAL(PointerToMember, NonLoc)
#undef NONLOC_SVAL
#undef LOC_SVAL
Index: lib/StaticAnalyzer/Core/ExprEngineC.cpp
===================================================================
--- lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -12,6 +12,7 @@
//===----------------------------------------------------------------------===//
#include "clang/AST/ExprCXX.h"
+#include "clang/AST/DeclCXX.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
@@ -310,8 +311,17 @@
continue;
}
case CK_MemberPointerToBoolean:
- // FIXME: For now, member pointers are represented by void *.
- // FALLTHROUGH
+ case CK_PointerToBoolean: {
+ SVal V = state->getSVal(Ex, LCtx);
+ auto PTMSV = V.getAs();
+ if (PTMSV)
+ V = svalBuilder.makeTruthVal(!PTMSV->isNullMemberPointer(), ExTy);
+ if (V.isUndef() || PTMSV) {
+ state = state->BindExpr(CastE, LCtx, V);
+ Bldr.generateNode(CastE, Pred, state);
+ continue;
+ }
+ }
case CK_Dependent:
case CK_ArrayToPointerDecay:
case CK_BitCast:
@@ -319,8 +329,14 @@
case CK_BooleanToSignedIntegral:
case CK_NullToPointer:
case CK_IntegralToPointer:
- case CK_PointerToIntegral:
- case CK_PointerToBoolean:
+ case CK_PointerToIntegral: {
+ SVal V = state->getSVal(Ex, LCtx);
+ if (V.getAs()) {
+ state = state->BindExpr(CastE, LCtx, UnknownVal());
+ Bldr.generateNode(CastE, Pred, state);
+ continue;
+ }
+ }
case CK_IntegralToBoolean:
case CK_IntegralToFloating:
case CK_FloatingToIntegral:
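Review bot: The new `CK_PointerToBoolean` block drops the `// FALLTHROUGH` annotation it replaces, yet still falls off its closing brace into `case CK_Dependent:` whenever `V` is neither undefined nor a `PointerToMember`; the same unannotated fall-through happens in the `CK_PointerToIntegral` hunk into `case CK_IntegralToBoolean:`. Because both blocks end with a brace rather than a `continue`, a reader (and a `-Wimplicit-fallthrough` build) cannot tell the fall-through is intended; put `// FALLTHROUGH` (or the `LLVM_FALLTHROUGH` macro if this tree already uses it) on the line after each closing brace. The first block also changes `CK_PointerToBoolean` handling for the undefined case — it now binds the undefined value directly instead of going through the generic cast path — which is worth a one-line comment such as `// An undefined operand stays undefined; a member pointer becomes its null-ness.` so the two early exits read as deliberate. `ExTy` is used but declared outside the hunk, so I cannot confirm it is the operand type rather than the cast's result type.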
@@ -435,17 +451,37 @@
continue;
}
case CK_NullToMemberPointer: {
- // FIXME: For now, member pointers are represented by void *.
- SVal V = svalBuilder.makeNull();
+ SVal V = svalBuilder.getMemberPointer(nullptr);
state = state->BindExpr(CastE, LCtx, V);
Bldr.generateNode(CastE, Pred, state);
continue;
}
+ case CK_DerivedToBaseMemberPointer:
+ case CK_BaseToDerivedMemberPointer:
+ case CK_ReinterpretMemberPointer: {
+ const Expr *UOExpr = CastE->getSubExpr()->IgnoreParenCasts();
+ assert(isa(UOExpr) &&
+ "UnaryOperator as Cast's child was expected");
+ if (const UnaryOperator *UO = cast(UOExpr)) {
+ const Expr *DREExpr = UO->getSubExpr()->IgnoreParenCasts();
+ assert(isa(DREExpr) &&
+ "DeclRefExpr as UnaryOperator's child was expected");
+ if (const DeclRefExpr *DRE = cast(DREExpr)) {
+ assert(isa(DRE->getDecl()) &&
+ "DeclaratorDecl as DeclRefExpr's Decl is expected");
+ if (const DeclaratorDecl *DD =
+ cast(DRE->getDecl())) {
+ SVal Result = svalBuilder.getMemberPointer(DD);
+ state = state->BindExpr(CastE, LCtx, Result);
+ Bldr.generateNode(CastE, Pred, state);
+ continue;
+ }
+ }
+ }
+ //if dyn_cast failed just fall through to default behaviour
+ }
// Various C++ casts that are not handled yet.
case CK_ToUnion:
- case CK_BaseToDerivedMemberPointer:
- case CK_DerivedToBaseMemberPointer:
- case CK_ReinterpretMemberPointer:
case CK_VectorSplat: {
// Recover some path-sensitivty by conjuring a new value.
QualType resultType = CastE->getType();
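Review bot: The three `if (... = cast(...))` tests in the member-pointer cast block can never be false — `cast` does not return null — so the trailing comment `//if dyn_cast failed just fall through to default behaviour` describes a fallback that does not exist, and the only guard is the preceding `assert`s. With assertions compiled out, an operand that is not literally `&Class::member` (for instance a member-pointer variable being `static_cast` to a derived type, where `IgnoreParenCasts` yields a `DeclRefExpr` rather than a `UnaryOperator`) goes through an unchecked downcast. If the intent is to handle only the `&Class::member` form and conjure a value otherwise, use `dyn_cast` and let a mismatch fall through to the existing `CK_VectorSplat` path; the hunk's `continue` inside `for`/`switch` is unchanged below.

```cpp
  case CK_DerivedToBaseMemberPointer:
  case CK_BaseToDerivedMemberPointer:
  case CK_ReinterpretMemberPointer: {
    // Only the literal `&Class::member` operand is modelled; anything else
    // (a member-pointer variable, a nested cast) falls through to the
    // conjured-value path below.
    const Expr *UOExpr = CastE->getSubExpr()->IgnoreParenCasts();
    if (const auto *UO = dyn_cast<UnaryOperator>(UOExpr)) {
      if (UO->getOpcode() == UO_AddrOf) {
        const Expr *DREExpr = UO->getSubExpr()->IgnoreParenCasts();
        if (const auto *DRE = dyn_cast<DeclRefExpr>(DREExpr)) {
          if (const auto *DD = dyn_cast<DeclaratorDecl>(DRE->getDecl())) {
            SVal Result = svalBuilder.getMemberPointer(DD);
            state = state->BindExpr(CastE, LCtx, Result);
            Bldr.generateNode(CastE, Pred, state);
            continue;
          }
        }
      }
    }
    // Operand shape not recognised: fall through to the conjured value.
  }
  // … unchanged: "Various C++ casts that are not handled yet" cases …
```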
@@ -868,7 +904,22 @@
assert(!U->isGLValue());
// FALL-THROUGH.
case UO_Deref:
- case UO_AddrOf:
+ case UO_AddrOf: {
+ // Process pointer-to-member address operation
+ const Expr *Ex = U->getSubExpr()->IgnoreParens();
+ if (const DeclRefExpr *DRE = dyn_cast(Ex)) {
+ const ValueDecl *VD = DRE->getDecl();
+
+ if (isa(VD) || isa(VD)) {
+ ProgramStateRef State = (*I)->getState();
+ const LocationContext *LCtx = (*I)->getLocationContext();
+ SVal SV = svalBuilder.getMemberPointer(cast(VD));
+ Bldr.generateNode(U, *I, State->BindExpr(U, LCtx, SV));
+ break;
+ }
+ }
+ //Fall through in case of not pointer-to-member address operation
+ }
case UO_Extension: {
// FIXME: We can probably just have some magic in Environment::getSVal()
// that propagates values, instead of creating a new node here.
Index: lib/StaticAnalyzer/Core/SValBuilder.cpp
===================================================================
--- lib/StaticAnalyzer/Core/SValBuilder.cpp
+++ lib/StaticAnalyzer/Core/SValBuilder.cpp
@@ -214,6 +214,10 @@
return nonloc::SymbolVal(sym);
}
+DefinedSVal SValBuilder::getMemberPointer(const DeclaratorDecl* DD) {
+ return nonloc::PointerToMember(DD);
+}
+
DefinedSVal SValBuilder::getFunctionPointer(const FunctionDecl *func) {
return loc::MemRegionVal(MemMgr.getFunctionCodeRegion(func));
}
@@ -291,6 +295,18 @@
case Stmt::CXXNullPtrLiteralExprClass:
return makeNull();
+ case Stmt::UnaryOperatorClass: {
+ const UnaryOperator *UO = dyn_cast(E);
+ if (const DeclRefExpr *DRE =
+ dyn_cast(UO->getSubExpr()->IgnoreParenCasts())) {
+ if (const DeclaratorDecl *DD =
+ dyn_cast_or_null(DRE->getDecl()))
+ if (isa(DD) || isa(DD))
+ return getMemberPointer(DD);
+ }
+ return None;
+ }
+
case Stmt::ImplicitCastExprClass: {
const CastExpr *CE = cast(E);
switch (CE->getCastKind()) {
Index: lib/StaticAnalyzer/Core/SVals.cpp
===================================================================
--- lib/StaticAnalyzer/Core/SVals.cpp
+++ lib/StaticAnalyzer/Core/SVals.cpp
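Review bot: The `UO_AddrOf` block decides that `&X::m` is a pointer-to-member purely from the kind of the referenced declaration (`isa(VD) || isa(VD)`, template arguments not visible on this page), not from the type of the expression. If one of those kinds is the method declaration, then `&A::staticMethod` — a `DeclRefExpr` to a static member function — matches too, and an ordinary function pointer gets bound to a `PointerToMember` value; the label is also shared with `UO_Deref` (and the `// FALL-THROUGH.` from above), so the block runs for operators it was not written for. The expression's own type is the authoritative test: `if (U->getOpcode() == UO_AddrOf && U->getType()->isMemberPointerType()) {` in place of, or in addition to, the decl-kind check. The comments `// Process pointer-to-member address operation` and `//Fall through in case ...` should also say what a non-match does (it falls into `UO_Extension`, which re-binds the operand's value); and `//Fall` is missing the space the file's other comments use.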
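Review bot: In the new `Stmt::UnaryOperatorClass` case of the constant-value lookup, `UO` comes from `dyn_cast` but is dereferenced on the next line without a null check; since the switch has already established `E`'s statement class, `const UnaryOperator *UO = cast<UnaryOperator>(E);` is the correct spelling and makes the non-null assumption explicit. The case also never looks at the operator: any unary operator whose operand refers to a field or method is folded to a member pointer, so add `if (UO->getOpcode() != UO_AddrOf) return None;` before the `DeclRefExpr` test. Both this case and the `UO_AddrOf` block in ExprEngineC.cpp repeat the same "decl is field or method" test; a small shared predicate on SValBuilder would keep the two from drifting apart.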
@@ -16,6 +16,7 @@
#include "clang/AST/ExprObjC.h"
#include "clang/Basic/IdentifierTable.h"
#include "llvm/Support/raw_ostream.h"
+#include "clang/AST/DeclCXX.h"
using namespace clang;
using namespace ento;
using llvm::APSInt;
@@ -56,6 +57,10 @@
return FD;
}
+ if (auto X = getAs())
+ if (const CXXMethodDecl *MD = X->getDeclAs())
+ return MD;
+
return nullptr;
}
@@ -299,6 +304,15 @@
<< '}';
break;
}
+ case nonloc::PointerToMemberKind: {
+ os << "pointerToMember{";
+ const nonloc::PointerToMember &CastRes =
+ castAs();
+ if (CastRes.getDecl())
+ os << CastRes.getDecl()->getQualifiedNameAsString();
+ os << '}';
+ break;
+ }
default:
assert (false && "Pretty-printed not implemented for this NonLoc.");
break;
Index: lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp
===================================================================
--- lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp
+++ lib/StaticAnalyzer/Core/SimpleConstraintManager.cpp
@@ -184,6 +184,12 @@
return isFeasible ? state : nullptr;
}
+ case nonloc::PointerToMemberKind: {
+ bool IsNull = !Cond.castAs().isNullMemberPointer();
+ bool IsFeasible = IsNull ? Assumption : !Assumption;
+ return IsFeasible ? state : nullptr;
+ }
+
case nonloc::LocAsIntegerKind:
return assume(state, Cond.castAs().getLoc(), Assumption);
Index: lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
===================================================================
--- lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
+++ lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
@@ -69,6 +69,9 @@
bool isLocType = Loc::isLocType(castTy);
+ if (val.getAs())
+ return val;
+
if (Optional LI = val.getAs()) {
if (isLocType)
return LI->getLoc();
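Review bot: In the SimpleConstraintManager hunk, `IsNull` is assigned the negation of `isNullMemberPointer()`, so the variable is true exactly when the member pointer is *not* null; the feasibility arithmetic on the next line is correct, but anyone reading `IsNull ? Assumption : !Assumption` will conclude the branch is inverted. Rename to match the value: `bool IsNonNull = !Cond.castAs<nonloc::PointerToMember>().isNullMemberPointer();` and `bool IsFeasible = IsNonNull ? Assumption : !Assumption;`. A one-line comment such as `// A non-null member pointer is "true"; the assumption is feasible iff it agrees.` would make the case self-explanatory next to its integer and LocAsInteger siblings.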
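Review bot: The early `return val;` added to the SimpleSValBuilder cast routine returns the `PointerToMember` unchanged for every `castTy`, including integral and boolean targets, because it is placed before any use of `castTy` or `isLocType`. The ExprEngineC hunks intercept `CK_PointerToIntegral` and `CK_MemberPointerToBoolean` before reaching here, but this function has other callers (its signature is outside the hunk, so I cannot confirm them all), and a caller casting a member pointer to an integer would get back a value whose kind does not match the requested type. Restrict the shortcut to casts that keep the member-pointer type and let the rest take the generic path: `if (val.getAs<nonloc::PointerToMember>() && castTy->isMemberPointerType()) return val;`, with a comment `// Member-pointer-to-member-pointer casts keep the value; other targets fall through.`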
@@ -335,6 +338,21 @@
switch (lhs.getSubKind()) {
default:
return makeSymExprValNN(state, op, lhs, rhs, resultTy);
+ case nonloc::PointerToMemberKind: {
+ assert(rhs.getSubKind() == nonloc::PointerToMemberKind &&
+ "Both SVals should have pointer-to-member-type");
+ const DeclaratorDecl *LDD =
+ lhs.castAs().getDecl(),
+ *RDD = rhs.castAs().getDecl();
+ switch (op) {
+ case BO_EQ:
+ return makeTruthVal(LDD == RDD, resultTy);
+ case BO_NE:
+ return makeTruthVal(LDD != RDD, resultTy);
+ default:
+ return UnknownVal();
+ }
+ }
case nonloc::LocAsIntegerKind: {
Loc lhsL = lhs.castAs().getLoc();
switch (rhs.getSubKind()) {
@@ -857,6 +875,17 @@
SVal SimpleSValBuilder::evalBinOpLN(ProgramStateRef state,
BinaryOperator::Opcode op,
Loc lhs, NonLoc rhs, QualType resultTy) {
+ if (op >= BO_PtrMemD && op <= BO_PtrMemI) {
+ if (auto PTMSV = rhs.getAs()) {
+ if (PTMSV->isNullMemberPointer())
+ return UndefinedVal();
+ if (const FieldDecl *FD = PTMSV->getDeclAs())
+ return state->getLValue(FD, lhs);
+ }
+
+ return rhs;
+ }
+
assert(!BinaryOperator::isComparisonOp(op) &&
"arguments to comparison ops must be of the same type");
Index: test/Analysis/pointer-to-member.cpp
===================================================================
--- test/Analysis/pointer-to-member.cpp
+++ test/Analysis/pointer-to-member.cpp
@@ -35,8 +35,7 @@
clang_analyzer_eval(&A::getPtr == &A::getPtr); // expected-warning{{TRUE}}
clang_analyzer_eval(&A::getPtr == 0); // expected-warning{{FALSE}}
- // FIXME: Should be TRUE.
- clang_analyzer_eval(&A::m_ptr == &A::m_ptr); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(&A::m_ptr == &A::m_ptr); // expected-warning{{TRUE}}
}
namespace PR15742 {
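Review bot: The new `PointerToMemberKind` case in the NonLoc/NonLoc binary-operator switch asserts that `rhs` is also a `PointerToMember` and then `castAs` it unconditionally; the assertion is only a debug-build check, and `rhs` need not have that kind — a member pointer that reached the analyzer as a parameter or an unknown value is presumably a `SymbolVal` or similar NonLoc (inferred, since the symbol path is not in the hunk), so `&A::m == p` would downcast the wrong kind in a release build. Use an `Optional` and return a conservative result when the right side is not a concrete member pointer, which also lets the two declarations stand one per line as the surrounding code does.

```cpp
    case nonloc::PointerToMemberKind: {
      // Only two concrete member pointers can be compared here; a symbolic
      // or otherwise unknown right operand yields UnknownVal.
      auto RPTM = rhs.getAs<nonloc::PointerToMember>();
      if (!RPTM)
        return UnknownVal();
      const DeclaratorDecl *LDD = lhs.castAs<nonloc::PointerToMember>().getDecl();
      const DeclaratorDecl *RDD = RPTM->getDecl();
      // … unchanged: switch (op) over BO_EQ / BO_NE / default …
    }
```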
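Review bot: The guard `op >= BO_PtrMemD && op <= BO_PtrMemI` at the top of `evalBinOpLN` only means "is a pointer-to-member operator" because those two opcodes happen to be adjacent in the enumeration; `if (op == BO_PtrMemD || op == BO_PtrMemI) {` says what is meant and does not depend on the enum's layout. Inside the guard, the final `return rhs;` is reached both for a method member pointer (where the call machinery later resolves it — presumably the intended case, since the tests below exercise it) and for any `rhs` that is not a `PointerToMember` at all, and in the latter case the member-pointer operand itself is returned as the result of `lhs.*rhs`; if that second case is not intended, return `UnknownVal()` for it and comment the method case, e.g. `// A method member pointer is returned as-is; the call is resolved by the caller.` The function's remaining body is outside the hunk.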
@@ -62,21 +61,70 @@
}
}
-// ---------------
-// FALSE NEGATIVES
-// ---------------
-
bool testDereferencing() {
A obj;
obj.m_ptr = 0;
A::MemberPointer member = &A::m_ptr;
- // FIXME: Should be TRUE.
- clang_analyzer_eval(obj.*member == 0); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(obj.*member == 0); // expected-warning{{TRUE}}
member = 0;
- // FIXME: Should emit a null dereference.
- return obj.*member; // no-warning
+ return obj.*member; // expected-warning{{}}
}
+
+namespace testPointerToMemberFunction {
+ struct A {
+ virtual int foo() { return 1; }
+ int bar() { return 2; }
+ };
+
+ struct B : public A {
+ virtual int foo() { return 3; }
+ };
+
+ typedef int (A::*AFnPointer)();
+ typedef int (B::*BFnPointer)();
+
+ void testPointerToMemberCasts() {
+ AFnPointer AFP = &A::bar;
+ BFnPointer StaticCastedBase2Derived = static_cast(&A::bar),
+ CCastedBase2Derived = (BFnPointer) (&A::bar);
+ A a;
+ B b;
+
+ clang_analyzer_eval((a.*AFP)() == 2); // expected-warning{{TRUE}}
+ clang_analyzer_eval((b.*StaticCastedBase2Derived)() == 2); // expected-warning{{TRUE}}
+ clang_analyzer_eval(((b.*CCastedBase2Derived)() == 2)); // expected-warning{{TRUE}}
+ }
+
+ void testPointerToMemberVirtualCall() {
+ A a;
+ B b;
+ A *APtr = &a;
+ AFnPointer AFP = &A::foo;
+
+ clang_analyzer_eval((APtr->*AFP)() == 1); // expected-warning{{TRUE}}
+
+ APtr = &b;
+
+ clang_analyzer_eval((APtr->*AFP)() == 3); // expected-warning{{TRUE}}
+ }
+} // end of testPointerToMemberFunction namespace
+
+namespace testPointerToMemberData {
+ struct A {
+ int i;
+ };
+
+ void testPointerToMemberData() {
+ int A::*AMdPointer = &A::i;
+ A a;
+
+ a.i = 42;
+ a.*AMdPointer += 1;
+
+ clang_analyzer_eval(a.i == 43); // expected-warning{{TRUE}}
+ }
+} // end of testPointerToMemberData namespace
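Review bot: `return obj.*member; // expected-warning{{}}` in `testDereferencing` accepts any diagnostic text on that line, so the test cannot tell a null-member-pointer dereference report from an unrelated warning and will keep passing if the checker's message regresses; quote the actual wording the analyzer emits for this case (I cannot read it from this page) the way the other lines quote `TRUE`/`FALSE`. The new `testPointerToMemberCasts` and `testPointerToMemberVirtualCall` functions exercise only the `&Class::method` literal form; the cast handling in ExprEngineC.cpp is written for that form alone, so a case that casts a member-pointer *variable* (e.g. `static_cast<BFnPointer>(AFP)`) would cover the path the implementation currently does not model and is worth adding here. The existing `// FALSE NEGATIVES` banner is removed while `testDereferencing` still contains the cases that used to be listed under it, which is fine now that they are expected to pass, but a short comment saying these were former false negatives would preserve that history for the next reader.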