This is an archive of the discontinued LLVM Phabricator instance.

Differential D29303

In VirtualCallChecker, handle indirect calls
ClosedPublic

Authored by sammccall on Jan 30 2017, 1:15 PM.

Details

Reviewers
bkramer
Commits
rGe6df079e920e: Merging r293604: --------------------------------------------------------------…
rG93590e09d517: In VirtualCallChecker, handle indirect calls
rC293604: In VirtualCallChecker, handle indirect calls
rL296154: Merging r293604:
rL293604: In VirtualCallChecker, handle indirect calls
Summary

In VirtualCallChecker, handle indirect calls.

getDirectCallee() can be nullptr, and dyn_cast(nullptr) is UB

Diff Detail

Event Timeline

sammccall updated this revision to Diff 86337.Jan 30 2017, 1:15 PM
sammccall created this revision.

Oops, reverted noise :(

Harbormaster completed remote builds in B3414: Diff 86337.Jan 30 2017, 1:17 PM
sammccall added a comment.Jan 30 2017, 1:21 PM

I couldn't work out how to add a test for this, advice appreciated.

Closest I could get was adding something like this to test/Analysis/virtualcall.cpp:

class F { public: F(); void foo(); };
F::F() { void (F::* ptr) = &F::foo; (this->*ptr)(); }

which crashes, but only if I add extra logging :\

bkramer edited edge metadata.Jan 30 2017, 1:40 PM

Your test case is fine, it crashes with assertions enabled.

sammccall updated this revision to Diff 86342.Jan 30 2017, 1:59 PM

Add regression test.

bkramer accepted this revision.Jan 30 2017, 2:17 PM

lg

This revision is now accepted and ready to land.Jan 30 2017, 2:17 PM
Closed by commit rL293604: In VirtualCallChecker, handle indirect calls (authored by sammccall). · Explain WhyJan 30 2017, 9:34 PM
This revision was automatically updated to reflect the committed changes.
zaks.anna added a subscriber: zaks.anna.Feb 17 2017, 5:46 PM

Has this been cherry-picked into the clang 4.0 release branch? If not, we should definitely do that!

Revision Contents

PathSize
lib/
StaticAnalyzer/
Checkers/
39 lines

Diff 86335

lib/StaticAnalyzer/Checkers/VirtualCallChecker.cpp

#include <iostream>
//=======- VirtualCallChecker.cpp --------------------------------*- C++ -*-==// //=======- VirtualCallChecker.cpp --------------------------------*- C++ -*-==//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
Show All 30 Linesclass WalkAST : public StmtVisitor<WalkAST> {
/// Controlled by the "Interprocedural" analyzer-config option. /// Controlled by the "Interprocedural" analyzer-config option.
bool IsInterprocedural = false; bool IsInterprocedural = false;
/// Whether the checker should only warn for calls to pure virtual functions /// Whether the checker should only warn for calls to pure virtual functions
/// (which is undefined behavior) or for all virtual functions (which may /// (which is undefined behavior) or for all virtual functions (which may
/// may result in unexpected behavior). /// may result in unexpected behavior).
bool ReportPureOnly = false; bool ReportPureOnly = false;
typedef const CallExpr * WorkListUnit; typedef const CallExpr *WorkListUnit;
typedef SmallVector<WorkListUnit, 20> DFSWorkList; typedef SmallVector<WorkListUnit, 20> DFSWorkList;
/// A vector representing the worklist which has a chain of CallExprs. /// A vector representing the worklist which has a chain of CallExprs.
DFSWorkList WList; DFSWorkList WList;
// PreVisited : A CallExpr to this FunctionDecl is in the worklist, but the // PreVisited : A CallExpr to this FunctionDecl is in the worklist, but the
// body has not been visited yet. // body has not been visited yet.
// PostVisited : A CallExpr to this FunctionDecl is in the worklist, and the // PostVisited : A CallExpr to this FunctionDecl is in the worklist, and the
// body has been visited. // body has been visited.
enum Kind { NotVisited, enum Kind {
NotVisited,
PreVisited, /**< A CallExpr to this FunctionDecl is in the PreVisited, /**< A CallExpr to this FunctionDecl is in the
worklist, but the body has not yet been worklist, but the body has not yet been
visited. */ visited. */
PostVisited /**< A CallExpr to this FunctionDecl is in the PostVisited /**< A CallExpr to this FunctionDecl is in the
worklist, and the body has been visited. */ worklist, and the body has been visited. */
}; };
/// A DenseMap that records visited states of FunctionDecls. /// A DenseMap that records visited states of FunctionDecls.
llvm::DenseMap<const FunctionDecl *, Kind> VisitedFunctions; llvm::DenseMap<const FunctionDecl *, Kind> VisitedFunctions;
/// The CallExpr whose body is currently being visited. This is used for /// The CallExpr whose body is currently being visited. This is used for
/// generating bug reports. This is null while visiting the body of a /// generating bug reports. This is null while visiting the body of a
/// constructor or destructor. /// constructor or destructor.
▲ Show 20 LinesShow All 59 Lines▼ Show 20 Linespublic:
// Stmt visitor methods. // Stmt visitor methods.
void VisitCallExpr(CallExpr *CE); void VisitCallExpr(CallExpr *CE);
void VisitCXXMemberCallExpr(CallExpr *CE); void VisitCXXMemberCallExpr(CallExpr *CE);
void VisitStmt(Stmt *S) { VisitChildren(S); } void VisitStmt(Stmt *S) { VisitChildren(S); }
void VisitChildren(Stmt *S); void VisitChildren(Stmt *S);
void ReportVirtualCall(const CallExpr *CE, bool isPure); void ReportVirtualCall(const CallExpr *CE, bool isPure);
}; };
} // end anonymous namespace } // end anonymous namespace
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// AST walking. // AST walking.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
void WalkAST::VisitChildren(Stmt *S) { void WalkAST::VisitChildren(Stmt *S) {
Show All 27 Lines if (Expr *base = CME->getBase()->IgnoreImpCasts()) {
// If the most derived class is marked final, we know that now subclass // If the most derived class is marked final, we know that now subclass
// can override this member. // can override this member.
if (base->getBestDynamicClassType()->hasAttr<FinalAttr>()) if (base->getBestDynamicClassType()->hasAttr<FinalAttr>())
callIsNonVirtual = true; callIsNonVirtual = true;
} }
} }
// Get the callee. // Get the callee.
const CXXMethodDecl *MD = dyn_cast<CXXMethodDecl>(CE->getDirectCallee()); const CXXMethodDecl *MD =
dyn_cast_or_null<CXXMethodDecl>(CE->getDirectCallee());
if (MD && MD->isVirtual() && !callIsNonVirtual && !MD->hasAttr<FinalAttr>() && if (MD && MD->isVirtual() && !callIsNonVirtual && !MD->hasAttr<FinalAttr>() &&
!MD->getParent()->hasAttr<FinalAttr>()) !MD->getParent()->hasAttr<FinalAttr>())
ReportVirtualCall(CE, MD->isPure()); ReportVirtualCall(CE, MD->isPure());
if (IsInterprocedural) if (IsInterprocedural)
Enqueue(CE); Enqueue(CE);
} }
Show All 12 Lines if (IsInterprocedural) {
// Name of current visiting CallExpr. // Name of current visiting CallExpr.
os << *CE->getDirectCallee(); os << *CE->getDirectCallee();
// Name of the CallExpr whose body is current being walked. // Name of the CallExpr whose body is current being walked.
if (visitingCallExpr) if (visitingCallExpr)
os << " <-- " << *visitingCallExpr->getDirectCallee(); os << " <-- " << *visitingCallExpr->getDirectCallee();
// Names of FunctionDecls in worklist with state PostVisited. // Names of FunctionDecls in worklist with state PostVisited.
for (SmallVectorImpl<const CallExpr *>::iterator I = WList.end(), for (SmallVectorImpl<const CallExpr *>::iterator I = WList.end(),
E = WList.begin(); I != E; --I) { E = WList.begin();
I != E; --I) {
const FunctionDecl *FD = (*(I-1))->getDirectCallee(); const FunctionDecl *FD = (*(I - 1))->getDirectCallee();
assert(FD); assert(FD);
if (VisitedFunctions[FD] == PostVisited) if (VisitedFunctions[FD] == PostVisited)
os << " <-- " << *FD; os << " <-- " << *FD;
} }
os << "\n"; os << "\n";
} }
PathDiagnosticLocation CELoc = PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC); PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
SourceRange R = CE->getCallee()->getSourceRange(); SourceRange R = CE->getCallee()->getSourceRange();
os << "Call to "; os << "Call to ";
if (isPure) if (isPure)
os << "pure "; os << "pure ";
os << "virtual function during "; os << "virtual function during ";
Show All 13 Lines BR.EmitBasicReport(AC->getDecl(), Checker,
"C++ Object Lifecycle", os.str(), CELoc, R); "C++ Object Lifecycle", os.str(), CELoc, R);
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// VirtualCallChecker // VirtualCallChecker
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class VirtualCallChecker : public Checker<check::ASTDecl<CXXRecordDecl> > { class VirtualCallChecker : public Checker<check::ASTDecl<CXXRecordDecl>> {
public: public:
DefaultBool isInterprocedural; DefaultBool isInterprocedural;
DefaultBool isPureOnly; DefaultBool isPureOnly;
void checkASTDecl(const CXXRecordDecl *RD, AnalysisManager& mgr, void checkASTDecl(const CXXRecordDecl *RD, AnalysisManager &mgr,
BugReporter &BR) const { BugReporter &BR) const {
AnalysisDeclContext *ADC = mgr.getAnalysisDeclContext(RD); AnalysisDeclContext *ADC = mgr.getAnalysisDeclContext(RD);
// Check the constructors. // Check the constructors.
for (const auto *I : RD->ctors()) { for (const auto *I : RD->ctors()) {
if (!I->isCopyOrMoveConstructor()) if (!I->isCopyOrMoveConstructor())
if (Stmt *Body = I->getBody()) { if (Stmt *Body = I->getBody()) {
WalkAST walker(this, BR, ADC, I, isInterprocedural, isPureOnly); WalkAST walker(this, BR, ADC, I, isInterprocedural, isPureOnly);
Show All 10 Lines if (CXXDestructorDecl *DD = RD->getDestructor())
walker.Execute(); walker.Execute();
} }
} }
}; };
} }
void ento::registerVirtualCallChecker(CheckerManager &mgr) { void ento::registerVirtualCallChecker(CheckerManager &mgr) {
VirtualCallChecker *checker = mgr.registerChecker<VirtualCallChecker>(); VirtualCallChecker *checker = mgr.registerChecker<VirtualCallChecker>();
checker->isInterprocedural = checker->isInterprocedural = mgr.getAnalyzerOptions().getBooleanOption(
mgr.getAnalyzerOptions().getBooleanOption("Interprocedural", false, "Interprocedural", false, checker);
checker);
checker->isPureOnly = checker->isPureOnly =
mgr.getAnalyzerOptions().getBooleanOption("PureOnly", false, mgr.getAnalyzerOptions().getBooleanOption("PureOnly", false, checker);
checker);
} }